Pen testers from Germany and Europe please infos

@Anonymus said:

It kind of sucks to be supervised as if you don’t know what you are doing. If they know better, why don’t they do it? Maybe I am wrong to say that, but it feels undermining.

Every organisation varies, but the supervision doesn’t tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

@TazWake said:

Every organisation varies, but the supervision doesn’t tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

When you put it that way it sounds nicer :slight_smile:

What are your thoughts about the salaries?

@Anonymus said:

When you put it that way it sounds nicer :slight_smile:

:smile:

What are your thoughts about the salaries?

They vary wildly.

Generally, I’ve seen brand new pentesters with little to no experience start around £35-40k in the UK.

An experienced pentester would probably be asking for around £55-60k (regional variations are HUGE and if you work for big consultancies it is generally less).

A very good pentester, or one with specialist knowledge, is probably looking at ~£70-90k.

£35-40k before taxes is also nothing… :frowning:

@Anonymus said:

£35-40k before taxes is also nothing… :frowning:

So that depends on your perspective.

If you are 21 years old, straight out of University it is roughly double what you will get anywhere else. I wouldn’t take a role at that salary but then I wouldn’t take an entry level role.

The median salary for everyone in the UK working full time is about £30k, so for an entry-level pentester to start in the top half of salaries is pretty good. If the same person was a medical doctor, they’d be looking at about £23k to start.

@sparkla Working at the customer’s site is pretty much a must. You can usually negotiate the amount of traveling (e.g. 30% of your overall working time, or less or more), but that will affect your salary. It’s not necessarily that the customer doesn’t trust you, but they usually don’t want to expose everything to the internet. And VPN often is no option either, simply due to regulatory reasons. And for infrastructure/OT tests over VPN, you simply would die from all the latency, which will increase testing time by 200% or even more.
Getting several benefits will definitely be the case. Especially in larger companies. But then again, those tend to pay less. And when they are “too large”, you will have a lot of (ancient) processes involved that also might lower the steps for raises (like, e.g. “no more than 5%/year, since that’s as we always did it”).
You want to work from home 100% of the time, then why on earth should any company provide a company-sponsored car to you? Also, you’d have to pay taxes for that, too.
Flexible working hours are getting more common, yet still will it often be the case that you are only allowed to perform your tests during your customer’s (extended) business hours. Simply because someone will have to restart/fix what you break. And trust me, it will break by the time the other side is on lunch break, or otherwise unavailable. But that highly depends on the target and scope.

@everyone else in here, whining about the salaries: How about some cheese. Or at least a pint of realism. You get into that job as a beginner (at least that is what the discussion originally was about), and no, you are NOT the 31337 pentest sup4h4xx0r that you might imagine yourself.
Yes, maybe the image from outside suggests pentesters being the InfoSec Rockstars. Sorry, but that’s far from reality. It’s a job you’re getting paid to do. It might coincidentally be your passion. But that’s as much as it will get. Why exactly should you get paid a lot more than e.g. a nurse/doctor/engineer?
You might start the job with some experience. That’s great, and it will definitely get you to the upper bounds of a beginner’s salary. But that doesn’t even remotely justify a senior’s or subject matter expert’s salary.

Another thing is regional differences, as @TazWake already mentioned: Salaries vary a lot between different locations. In bigger cities like Munich, Hamburg, Berlin, the average rent (and other “life expenses”) are a lot higher than e.g. in Rostock, Halle, Buxtehude, Bochum, etc. So, naturally, you’ll get a fair amount more in those cities. But then again, a lot less will remain for savings/spare-time/etc.

Moaning about taxes: “Switzerland has a max of 40% taxes”. Sure, and those 2% more in Germany make a difference of 100€ per month with an annual net income of 60k. The additional solidarity tax of 5.5% will be dropped for 90% of all employees next year.
Yes, the US also has lower taxes and (almost) no social security taxes. But they also don’t really have a social security system. And I would definitely NOT want to exchange a slightly higher salary for having to pay all my health expenses on my own :wink:

I wouldn’t work for less than 5000/month after taxes

Great. Good luck finding a company that will pay a beginner 120k/year. Trust me, that will never happen.

@HomeSen said:

Yes, the US also has lower taxes and (almost) no social security taxes. But they also don’t really have a social security system. And I would definitely NOT want to exchange a slightly higher salary for having to pay all my health expenses on my own

I think this is the most significant difference, and why people are slightly misled by what they see as super well-paid jobs in places like major US cities. (note some regions of the US have pentesters earning US$60k and being comfortable vs ones in LA struggling on US$100k)

Everything is a trade off - we can pay less tax and pay more for personal solutions, or more tax and know that the environment around us is there when we need it. For most people, it is generally cheaper to get the economy of scale by the state paying for things.

Some people have the idea they are immortal and will never get sick, so object to paying towards nationalised solutions. I feel that ignores the reality of life.

I also think there is an issue around the idea of what makes you “rich”. I’ve met rich Germans, so it must be possible. I’ve also met poor Germans who are significantly richer than middle-class people in Sierra Leone and have better healthcare, life expectancy and “life comfort” than large swathes of the US.

There is a social contract to be considered. If you have grown up with access to hospitals and doctors, roads which allow you to travel to and from work, police who reduce crimes against your & your property, a military which defends your life, fire service ready to save you in an emergency, municipal services who take away waste, a government that sets standards to make sure you have clean, drinkable water and can trust trivial things like food labels etc., then this has to be paid for.

It is a shame lots of people claim to be “entrepreneurs” (etc) but basically take advantage of the state support for the first 22 years of their life, then run before they have to pay anything back into the pot.

</rant>

Rants are my favourite bit of the Off-Topic section. I wish more people would do them.

@HomeSen said:

Yes, maybe the image from outside suggests pentesters being the InfoSec Rockstars. Sorry, but that’s far from reality. It’s a job you’re getting paid to do. It might coincidentally be your passion. But that’s as much as it will get. Why exactly should you get paid a lot more than e.g. a nurse/doctor/engineer?

I wouldn’t work for less than 5000/month after taxes

Great. Good luck finding a company that will pay a beginner 120k/year. Trust me, that will never happen.

Ok, I will answer this with a question. Are you going to be honest and say whether you work for a salary of 5000 a month before taxes in Germany? I don’t think so. So why put people down by implying that pentesters in Germany have less than 2000€ after taxes?
Why should we get more than doctors/nurses, etc.? Nobody said that we should.
But if you look at the statistics in the USA, it is a big difference. If you are young it is awesome, but if you have a family it’s not a lot. You may go work any other job that does not require any knowledge whatsoever. By your words, sysadmins have more money than a pentester?! I hope people will not believe that… But thanks for sharing anyway

@Anonymus said:

Ok, I will answer this with a question. Are you going to be honest and say whether you work for a salary of 5000 a month before taxes in Germany?

I can’t speak for @HomeSen but I can add my take.

First off, the comment was about a beginner. A good security architect with a solid background in multiple platforms and lots of business experience can be earning about £100 - 120k a year in the UK. An entry-level pentester is earning about £35 - 45k.

For better or worse, pentesters are not the best-paid roles in infosec for most of their careers.

It is especially frustrating when you realise the pentest company is charging them out at £1500+ per day, but paying the tester about £150.

I don’t think so. So why put people down by implying that pentesters in Germany have less than 2000€ after taxes?

I might have misunderstood this, but I suspect most pentesters in the UK are taking home about £3k per month before tax, simply because the number of entry level pentesters is pretty high vs the number of experienced CTL types.

Why should we get more than doctors/nurses, etc.? Nobody said that we should.

Starting salary for a Doctor in the UK is £23k rising to £28k in the second year.

Starting salary for a pentester in the UK is £35k+.

Seems like pentesters are rich.

But if you look at the statistics in the USA, it is a big difference.

You can’t compare between countries. Like I said, a pentester in LA is going to need 4 - 5 times what a pentester in Nowhere, North Dakota earns.

If you live somewhere that costs US$2300 for a one-bed appt (LA), your salary is always going to be different than somewhere costing US$800 (Fargo, ND).

Likewise, paying US$588 a month in healthcare (average in California) vs US$410 (average in ND) changes the balance.

If you are paying US$400 a month for healthcare, you might want to reflect on how that alone is half the total tax paid by someone in the UK earning £50k who gets fully free healthcare (no deductibles) and doesn’t have to pay state taxes.

If you are young it is awesome, but if you have a family it’s not a lot. You may go work any other job that does not require any knowledge whatsoever.

What job are you using as an example that pays more than this without any knowledge whatsoever?

The junior pentesters who you believe are woefully underpaid earn more than junior doctors who have to have a degree first. The junior pentester might have done a one week CEH, or several weeks self-study to pass OSCP, but equally might be entirely self taught from CTFs.

By your words, sysadmins have more money than a pentester?!

You’ve compared apples with fish there. I would go out on a limb and say a SysAdmin on £55k a year has a larger income than a junior pentester on £35k a year. That seems fairly simple maths.

Is a senior pentester with specialised skill earning more than your typical SysAdmin, yes. But that is a meaningless comparison. A senior sysadmin with specialised knowledge (especially of critical OT systems or mainframes) can easily be earning more than a typical pentester.

I hope people will not believe that… But thanks for sharing anyway

Well, I kind of hope people here are good enough at basic maths to not need to believe it but YMMV.

@TazWake said:

Starting salary for a Doctor in the UK is £23k rising to £28k in the second year.

Starting salary for a pentester in the UK is £35k+.

Seems like pentesters are rich.

@TazWake I highly respect you as a professional and you are always nice and helpful so I will take your word for it, and thanks a lot for sharing.
You obviously know better than we who are not working in the field… Doctors are earning a lot more here as far as I know.
But never mind, I think we all got the picture now and we have to decide if we are going to take it or not…
I know I definitely won’t change my job for that salary, only if, God forbid, I am forced to…

But I will do the certs anyway because it is fun and I wish to learn. It is addictive :slight_smile:

Thank you for informing us about what to expect, that is what this topic was all about.

@Anonymus said:

@TazWake I highly respect you as a professional and you are always nice and helpful so I will take your word for it, and thanks a lot for sharing.

Thank you.

You obviously know better than we who are not working in the field…

With the caveat that outside the UK and parts of the US, my knowledge is simply from googling open jobs.

Doctors are earning a lot more here as far as I know.

But that brings us back to the apples vs overcoats comparisons.

In the UK, a specialist surgeon working in the private sector with 15 years experience will be earning orders of magnitude more than an entry-level pentester or entry-level doctor.

It is a bit of a mistake to try and compare things which aren’t similar. If you have 15 years experience as a security consultant with specialisations in niche, yet required, areas, you will probably be the same as the specialist surgeon. But you probably won’t refer to yourself as a pentester any more. The ground is less certain though.

I have a friend who worked as a pentester from about 2005 onwards. In 2011 he was very much ahead of the curve with mobile application security and was being paid well above averages by financial services organisations who were racing to develop secure applications. He wasn’t being paid to pentest them, he was being paid for his in-depth security knowledge which he developed through pentesting.

Sadly, once people realised this was earning around £1000 a day (vs £150-300 for pentesters), lots of people flocked to it, and they came up with frameworks to make it easier for everyone and now you won’t get a single penny extra for this “specialisation”.

But never mind, I think we all got the picture now and we have to decide if we are going to take it or not…

Awesome. As a “profession”, it isn’t for everyone and, despite what training providers claim, I am not convinced there is a skill shortage either.

I know I definitely won’t change my job for that salary, only if, God forbid, I am forced to…

That’s fine and a perfectly valid decision. The harsh reality is that changing any job into a brand new profession with a view to earning more money is a bit mistaken.

I am very well paid as DFIR investigator. If I thought I wanted to follow a new passion and become a Solicitor I would need to reconcile the fact that my income would plummet for the first 10 - 15 years. It is almost certain that a solicitor specialised in corporate law with 20 years experience will be earning more than I am, but it will take 20 years for me to get to that point.

There are elements in which the progress can be short-circuited (for example, I already have corporate experience and know how to read legal documents) but it isn’t a significant reduction.

If a Solicitor is earning £100k a year and they decide to be a pentester, they will probably never get back to the same income in their working life.

Just to reiterate though - the better paid infosec jobs aren’t pentester roles. The real money comes from management, leadership, strategy, boardroom experience etc. There is nothing to stop pentesters going down this path, but it really is a different role. (And for better or worse, there is no requirement for any pentester experience for most well paid infosec jobs).

But I will do the certs anyway because it is fun and I wish to learn. It is addictive :slight_smile:

And that is super important. Earning well really does matter but if you spend 80 hours a week doing a job you hate, your life passes you by very, very quickly.

As an example, 10 years ago I could have decided to become a security architect and push into cloud designs, TOGAF and other good stuff. This is arguably better paid than DFIR by about 20% and there are lots more job opportunities.

However I detest it. I have tried reading the TOGAF documents and I fall asleep at the first page. It could pay £1m a second and I would still hate and still be very, very bad at it.

Thank you for informing us about what to expect, that is what this topic was all about.

You are welcome. I love the off-topic discussions because we all get to share our knowledge, ideas, hopes and experiences.

I feel the need to add something - most of what we are talking about here is based on averages. If you truly believe you can circumvent things and position yourself differently, then it will be different for you. But if this is the case, then you need to work out your different path - if you have to ask others, then you will be on the same path as everyone else.

Most of the examples we are talking about here are based on getting a job with a standard pentesting company with no pentesting background. This is why time matters. It’s like me applying for a sysadmin job with no sysadmin experience, I’d be expected to start at the bottom and work up.

You might have a way to do it differently.

You might, for example, decide you can specialise in pentesting home security systems for super-high-net-worth people. If you can turn this into work, you may well be earning €2000 per day, let alone per month. But you need to work out how to turn this into work. You might have some idea of how to combine your pentesting experience with some other knowledge you have and be able to turn this into a good income. If you can do any of this, all bets are off regarding income.

And as a last point - if you do find yourself earning €2000 for super-high-net-worth people, please consider my company if you ever need DFIR services :smile:

@sparkla said:

Thanks @TazWake for putting out some numbers I was looking for, I won’t say which but you’ll probably know. :wink: Additional info welcome, also via PM if it’s confidential to your biz.

I am always pleased to be of some assistance to people :smile:

Your martial arts example is a very good and pretty relevant one.

Become a trainer yourself: Bottom line here is that it’s the same problem as anything nowadays, there’s 3 martial arts schools around every corner and most trainers will tell you they can’t make a living from it.

100% agree. I can find 4 - 5 Karate Dojos within a 20 minute drive of where I live and there are more Ninjutsu schools than hardware stores.

Every one of the instructors at these places does it as a side job. Most actually work as builders, but that might just be a weird co-incidence.

The Cyber angle is pretty similar. Teaching cyber skills to other people is currently reasonably profitable but in the last 3 years I’ve seen massive downward pressures on what people are prepared to pay.

In 2015 I worked at an org which didn’t think twice of paying £1500 a day for a “mentor” for their CISO (not me, sadly). Last year I discovered they were now capped at £200 per day for their latest CISO.

(Note I have no idea why they don’t hire a CISO who doesn’t need mentorship, but despite being a massive multinational, they don’t.)

Become a bodyguard:

In the UK, this is very “popular” for ex-military types. Largely because there are dozens of companies that offer bodyguard training for free to the learner as part of the forces resettlement training programs.

Few people earn good money in the role though, despite literally risking their lives.

My question is: Is that a thing in Cybersec? Do people hire their own “private hacker” for protection?

I don’t know but I see no reason why it couldn’t be sold to them. All you need to do is find one and convince them why they should pay you good money to do things for them.

A lot of this circles round the problem - to make good money, new ground needs to be broken. For example, if there was already a large demand for super-high-net-worth people hiring security people, then the consultancies would have already moved in to saturate the market - taking £10k a day and paying the pentester £50 a day.

However if you can think of a way to be more agile (faster, more personalised etc) than the consultancies and a way you can approach the potential customers, then it has the potential to be profitable. Really it has unlimited potential.

I would love to be able to offer specialised digital forensics, cyber threat hunting or incident response services to bazillionaires at super high rates, but I have no idea how to get the first customer. If anyone solves this, I would be more than happy to subcontract :smile:

Again I must interfere.
Isn’t money a side effect of your good work within some company or as a freelancer?
If you are not paid well for a long period of time, one should ask oneself whether one is doing that work well or not.
When a good company is found, they will value your work.

I think that no one got rich in infosec. Just normal, slightly above average.
With these property prices all over the world, even taking a loan from the bank is not an option; for example, in Serbia you have to give the bank 30% of the property price up front.

@solid5n4k3 said:

Again I must interfere.

Good - I love to see more and more opinions here.

Isn’t money a side effect of your good work within some company or as a freelancer?

Within limits, I agree with this and think it is true. However, every industry has limits.

You can be the best working hotel maid in the world and you are probably going to be earning less than £30 per hour.

You can be the worst solicitor in the world but as long as you can scrape through to be employable, you will be earning more.

Good work can maximise the potential you have within the range that is open to you. If people want to break outside that, then I truly believe they need to think of something which changes the rules. (For example, our best hotel maid might decide to form a company offering outsourced chambermaid services to increase their income - the industry may seem the same, but they are no longer a hotel maid ).

I think that no one got rich in infosec. Just normal, slightly above average.

I think some have, but largely because they’ve redefined the rules. For example, Kevin Mandia and Jeremiah Grossman have done very well out of infosec but I would strongly argue they haven’t worked in “Infosec Roles” for quite some time.

I don’t know of any people who got rich without branching out from their core “infosec” discipline.

@sparkla said:

In my world a salary of 100k / year is pretty ■■■■ rich…

In my world 30k / year is pretty rich. :slight_smile:

That’s kind of why it’s generally a bad idea to compare salaries from different places.

@TazWake said:

That’s kind of why it’s generally a bad idea to compare salaries from different places.

It’s comparing apples with tomatoes. And if you want to earn more money, you have to grow and step up. It’s possible to earn 100K EUR in Germany as a Principal Architect or Development Manager + 10-20% Bonus. But usually, in this space, you would lead a team of developers.

With your OSCP, you can start as a Junior Pentester, by putting a finger in the air: maybe a bit higher than a junior java dev with some first project experience.

Seeing the dates, I surely hope all went well for everyone in this post. Due to an injury, I’m having to switch careers completely. I’d like to say I’m in the beginning stages. I’m also in Germany.