Last updated: July 11, 2026
By Mike Carter, Workforce Solutions Leader, KORE1
Hiring a penetration tester in 2026 means deciding first whether you need a full-time employee, a contractor, or a single scoped engagement, then budgeting $120,000 to $200,000 in base pay for staff or $5,000 to $25,000 for most one-off tests. That one decision, staff versus engagement, changes everything downstream. It changes the budget you need approved, the timeline you can promise your CISO, the certifications that matter, and the fundamental kind of person you should even be talking to in the first place.
Here is the part almost nobody tells you before you spend the money. A lot of what gets sold as a “penetration test” is a vulnerability scan with a nicer cover page. Someone runs Nessus or Qualys against your IP range, exports the raw findings, sorts them by color, and hands you a 90-page PDF stuffed with medium-severity noise that no attacker would ever bother to chain into anything real. No exploitation. No chained attack path. No proof that any of it actually matters. You paid for a human adversary and got a report generator. It happens constantly, and the buyer usually cannot tell the difference until a real attacker does.
So this guide is not really about job boards. It is about telling the real thing from the expensive-looking thing, whether that thing is a resume or an engagement quote.
Quick disclosure before you weigh a word of it. I run partnership work at KORE1, and our recruiters fill security roles every week through our cybersecurity staffing practice, which runs a dedicated penetration tester staffing desk. We earn a fee when you hire someone we send. So yes, I have skin in this. I have also written the parts below where the honest answer is “you do not need to hire anyone yet,” because clients who feel oversold do not come back, and the people we place stay past their first year about 92% of the time, which only happens when a match is right rather than rushed. We have been doing this since 2005 on exactly that principle.
A story, because it is the most common version of this call. Last spring a Series B fintech near Austin came to us four months after a “$6,000 pen test” cleared them for a customer security review. The customer’s own team then poked at the same app and pulled 40,000 user records in an afternoon through an authorization bug the scanner never flagged. The first vendor had run a tool. Nobody had actually tried to break in. That gap, tool versus adversary, is the whole game, and it is what you are really buying.

Employee, Contractor, or One Test? Decide the Shape Before Anything Else
Most hiring managers start by writing a job description. Wrong first move. The first question is whether you need a person on payroll at all.
Penetration testing is spiky work. You do not need someone breaking your systems every day of the year. You need it before a big launch, after a major architecture change, when a customer or auditor demands it, and on a regular cadence for compliance. That shape, intense then quiet, is why so many companies get the engagement model wrong and pay for a full-time seat that sits idle two quarters out of four.
Three ways to buy it, and they are not interchangeable.
A single scoped engagement. You hire a firm or an independent consultant to test a defined target over a defined window. Two to four weeks, a report, a retest, done. This is the right call for most companies under a few hundred employees, and it is almost always the right call for your first-ever test, the one option I end up recommending far more often than new clients expect me to. You are buying an outcome, not a headcount.
A contractor on a recurring basis. Same person or small team, booked a few times a year. They learn your environment, so each test goes deeper than the last. We staff a lot of these on project-based and contract terms because the work genuinely is project-shaped. If you are testing quarterly but cannot justify a salary, this is your lane.
A full-time hire. It is worth it when offensive security is genuinely continuous, meaning a product company shipping code every week, a business running its own internal red team, or a shop with enough attack surface that a single tester stays busy for all twelve months of the year. Below that threshold, a direct hire is a $160,000 salary spent on a talented person who genuinely runs out of things to break by March and then spends the rest of the year writing internal wikis nobody reads.
I steer more first-time buyers toward an engagement than toward a hire. That is me arguing against my own bigger invoice, and I will do it again before this is over. Get the shape right and the rest of the decisions get easy. Get it wrong and you either overpay for idle talent or underscope a launch that needed a real adversary.
What You Are Actually Hiring Them to Break
“Penetration test” is a category, not a job. A tester who lives in web applications may have never touched an Active Directory forest. The person who owns your internal network in an afternoon might freeze in front of an iOS binary. Ask a candidate or a firm to do all of it at a senior level and you have described someone who mostly does not exist.
Name the target first. It decides the skill set, the cost, and who you should even be talking to.
| Test Type | What It Targets | When You Need It |
|---|---|---|
| External network | Internet-facing IPs, VPNs, exposed services | Baseline for almost everyone; annual minimum |
| Internal network | What an attacker does once inside, lateral movement, AD | After the perimeter, or post-breach readiness |
| Web and API application | Your product, auth flows, business logic, the OWASP Top 10 | SaaS and any app holding customer data |
| Cloud | AWS, Azure, or GCP identity, config, and privilege paths | When most of your risk lives in cloud accounts |
| Mobile | iOS and Android binaries, local storage, API traffic | Consumer or fintech apps on the app stores |
| Social engineering | Phishing, pretext calls, the human layer | When people, not servers, are your soft spot |
| Red team | Everything at once, no scope warning, goal-driven | Mature programs testing detection, not just holes |
One caution on red team. Teams ask for it because it sounds serious. Most are not ready. A red team measures whether your detection and response actually fire when someone is inside, and if you have no detection to speak of, you are paying red team prices to learn what a cheaper vulnerability assessment would have told you for a fifth of the cost. Walk before you run. If your team cannot yet see an attacker on the network, test to find the holes, not to grade a response capability you have not built.
What It Costs
Two cost models, because there are two ways to buy this. Salary if you hire. Project fee if you do not. Confusing the two is how budgets blow up.
Start with salary. Penetration testers sit inside the Bureau of Labor Statistics category for information security analysts, which reported a median wage of $124,910 in 2024, with the top 10% clearing $186,420. Offense pays a premium over that median, and the aggregators show real spread. ZipRecruiter puts the average base near $120,000. Glassdoor lands closer to $154,000 in total pay, though that figure folds in bonuses and runs high. Where a given candidate lands inside that band depends on their specialization, whether they hold an active clearance, the city they work in, and the single thing that matters most, whether they can actually exploit and chain flaws or only run a scanner and read the output.
| Level | Typical Base (2026) | What They Can Do |
|---|---|---|
| Junior / Associate | $75,000 to $105,000 | Runs the methodology under supervision, strong on tooling |
| Mid-level | $105,000 to $140,000 | Tests independently, exploits and chains, writes the report |
| Senior | $140,000 to $185,000 | Owns hard targets, mentors, scopes engagements |
| Lead / Principal / Red team operator | $185,000 to $250,000+ | Builds the program, runs full-scope operations, rare |
Clearance moves these numbers. A tester with an active TS/SCI doing work in Northern Virginia commands a premium that has nothing to do with skill and everything to do with the fact that the government cannot hire fast enough. If you want a benchmark for your own market and stack, our salary benchmark tool will get you closer than a national average ever will.
Now the other model. If you are buying an engagement instead of a person, you are paying for scope and days, not a salary. Here is what the market tends to quote in 2026.
| Engagement | Typical Range |
|---|---|
| External network test | $4,000 to $15,000 |
| Internal network test | $5,000 to $20,000 |
| Web or API application test | $5,000 to $25,000 |
| Cloud review and test | $8,000 to $30,000 |
| Full red team engagement | $20,000 to $100,000+ |
A number that is suspiciously low is telling you something. A $2,000 “web app pen test” is a scan. Nobody spends a real week of a senior tester’s time for that. If you want a fuller breakdown of the staffing side of these numbers, we walk through it in our guide on the cost to hire a cybersecurity engineer, and the logic carries over.

The Certifications That Mean Something, and the One That Doesn’t
Certs are a shortcut, not a verdict. They tell you someone sat an exam. They do not tell you the person is good. But some exams are genuinely hard and hands-on, and those are worth weighting.
The one to look for is the OSCP. It runs a 24-hour practical where the candidate has to actually compromise machines and write it up, and it shows up as a hard requirement in most serious pen tester job postings for a reason. It is not a trivia test. Someone who holds it has, at minimum, proven they can break into something under a clock.
Below and beyond it, a few worth knowing by name. The eJPT and the PNPT are both solid entry and junior signals, genuinely hands-on rather than multiple choice, and a candidate who cleared the PNPT has already written a professional report as part of passing it. GPEN and CRTP show up on capable mid-level resumes. Then the hard end. OSEP for evasion and post-exploitation, OSWE for web, and CREST certifications, which carry real weight in the UK and increasingly here. See those and you are looking at someone who invests in the craft.
Now the caveat everyone in this field will nod at. The CEH, the Certified Ethical Hacker, is the one to read carefully. It is widely recognized, HR filters love it, and it is largely multiple choice. It proves familiarity, not the ability to own a box. A CEH with a real portfolio behind it is fine. A CEH standing alone as your only signal is not proof of anything you actually care about. Do not screen candidates in on it, and do not screen good ones out for lacking it.
One more tell, and it is a small one that catches a lot. For web application work, ask what they use. If a tester talks about their craft without mentioning Burp Suite Pro, that is odd enough to dig into. It is the standard tool for the job. Its absence is not disqualifying, but it is a thread worth pulling.
How to Tell a Real Tester From a Report Generator
This is the part that saves you. A resume full of certs and tool names proves nothing on its own. You have to make them show you.
Ask for a sanitized sample report. Every credible tester or firm has one, with client details stripped. What you are reading it for is not the vulnerabilities. It is the writing. Can a developer take a finding and reproduce it from the steps given? Does the report translate each finding into business impact a non-technical executive can grasp, or does it just paste a CVSS score, a screenshot, and a stock remediation paragraph and move on to the next line item? A finding nobody can reproduce is a finding nobody will fix. The report is the actual product you are buying, and most buyers never ask to see one before they sign.
Then give them something to break. A short practical beats an hour of interview questions. Stand up a deliberately vulnerable box, point them at a HackTheBox or TryHackMe machine you both agree on, or hand them a small target in a sandbox, and then just watch how they actually work through it. Do they think in attack paths or in scanner output? When the obvious door is locked, do they find a window or do they stall? A tester who reaches for a manual exploit when the tool comes up empty is worth more than one who only knows what Metasploit hands them.
Here is the ratio that matters. Real testing is mostly manual. Scanners find the front door. Humans find the way in that nobody documented, the logic flaw, the trust relationship between two systems that individually look fine. If a candidate describes their process as running a tool and reading the output, keep interviewing. If you want a fuller question bank for the conversation itself, our security engineer interview questions translate directly to offensive roles.
Red flags that should slow you down, and they are not all the same weight. A refusal to share any sample work. Pricing so far below market it can only be a scan. A methodology described entirely as a list of tools. No professional liability insurance for an outside firm. And the quiet one that burns people. When a firm says “we assign whoever is available,” the senior name in the sales meeting is not the person who touches your systems. Ask who specifically does the work. Get the name in writing.

Where the Good Ones Are, and Why They Are Hard to Land
Supply is the problem. It has been for years, and it is not easing.
The 2025 ISC2 Cybersecurity Workforce Study put the global talent gap at roughly 4.8 million people. Employment of information security analysts is projected by the Bureau of Labor Statistics to grow 29% from 2024 to 2034, several times the average for all jobs, with about 16,000 openings a year. Offensive security is the thin slice at the top of an already thin field. Good testers are almost never on the job market. They are working, and they get recruited past you.
There is a wrinkle worth naming, because it cuts against the shortage story. The 2025 ISC2 study also found that, for the first time, budget pressure has overtaken talent scarcity as the top reason security roles sit open. Read that plainly. Companies are not only failing to find people. They are failing to fund the seats. If your req has been open for five months, it is worth asking honestly whether the market is the problem or the salary band is.
When you do go looking, the good ones cluster in a few places. The bug bounty platforms, HackerOne and Bugcrowd, are full of testers who prove their skill in public against real targets, and a strong bounty profile is a portfolio you can actually read. The CTF and conference world, DEF CON and the regional BSides events, is where a lot of this talent socializes. And cleared talent, the testers holding an active Secret or TS/SCI, concentrates heavily in and around Northern Virginia and the wider DC metro, where federal and defense demand never once lets up and a clearance alone can add tens of thousands to a salary. If you need someone who has already broken into things that look like yours, adjacent hiring guides help too, since the skill sets overlap. Our walkthroughs on how to hire a security engineer and a cloud security engineer cover the neighboring roles you may end up filling alongside this one.
Set Scope and Rules of Engagement Before Anyone Touches Production
Do not skip this part because it is boring. It is the part that keeps a test from becoming an incident.
Before a single packet flies, you and the tester agree on the rules. The federal standard for this, NIST Special Publication 800-115, has been the reference for years, and any serious tester already works to something like it. The essentials are not complicated. Define exactly what is in scope and what is off-limits. Set the testing window. Name a point of contact who can be reached at 2 a.m. if something breaks. Agree in advance on how a critical finding gets escalated the moment it is discovered, so a tester who owns your domain admin at 11 p.m. calls your point of contact that night instead of quietly saving it for a report you read three weeks later. And sign the rules of engagement and the statement of work before anyone starts, so authorization is never in question.
Two things buyers forget, and both cost money. First, whitelist the tester in your WAF and IDS if you want the test to reach your actual application instead of your blocking layer, or leave them in place on purpose if testing detection is the point. Decide which, on purpose. Second, confirm retesting is included. A finding you fix but never re-verify is a finding you are trusting on faith. The good engagements bake a retest in. Ask.
Questions Hiring Managers Actually Ask
Do I need a penetration tester on staff, or should I just hire a firm?
For most companies, a scoped engagement or a recurring contractor is the right answer, not a full-time hire. A salaried tester only pays off when offensive work is genuinely continuous, which in practice means a product company shipping code every week or a business large enough to run its own internal red team around the calendar. Below that, you are paying for idle time.
Isn’t a penetration test just a vulnerability scan?
A scan lists possible weaknesses; a penetration test proves which ones an attacker can actually exploit. The scan is automated and cheap. The test is a human trying to break in, chaining flaws into a real attack path and showing you the damage. Paying pen test prices for scan output is the single most common mistake here.
Is a pen tester the same thing as an ethical hacker?
Roughly yes, with a boundary. “Ethical hacker” is the broad label for anyone hacking with permission. “Penetration tester” is the specific job, testing a defined scope under a signed agreement and delivering a report. All pen testers are ethical hackers. Not every self-described ethical hacker does structured, documented, authorized testing.
How much should a first web application test cost?
Budget $5,000 to $25,000 for a real one, with most mid-sized apps landing in the low-to-mid teens. The wide range comes from scope, meaning the number of user roles, the size of the application, and whether the tester gets credentials and source access. A quote near $2,000 is a scan wearing a pen test label.
Does the OSCP actually matter, or is it hype?
It matters, because it is one of the few certifications that requires proving hands-on compromise under a time limit. It does not guarantee a great tester, and plenty of excellent ones hold other credentials or none. Treat it as a strong positive signal, not a gate. What the person can do in a live practical still beats any line on a resume.
How fast can we get a test scheduled and done?
Two to six weeks from decision to report is normal for a scoped engagement, longer for red team work. Good testers book out, so the calendar, not the testing, is usually the delay. If you have a hard compliance deadline, start the conversation early. We have moved faster than this when a deal depended on it, but plan for the normal case.
Can KORE1 help if we are not sure which of these we even need?
Yes, and the intake call is free. We place security talent across contract, project, and direct hire, so we have no reason to push you toward a full-time seat you do not need. Sometimes the right answer is a single engagement and a name to call again next year. When that is the case, we will tell you.
The Short Version
Decide the shape before the search. Employee, contractor, or one test. Name the target you want broken, set the right budget for the model you chose, and then screen for proof over paperwork, a sample report a developer can act on plus a practical where you watch them work. The certs help. The hands-on evidence decides.
If you want a second opinion on which model fits your situation, or a shortlist of testers who have already broken into things that look like your stack, talk to a KORE1 recruiter. We will point you at the cheapest thing that solves your problem, even when it is not us.
