Back to Blog

Penetration Tester Salary Guide 2026

CybersecurityInformation TechnologyIT Salary

Last updated: July 14, 2026

By Tom Kenaley, Senior Partner and President, KORE1

In 2026, U.S. penetration testers earn a median base near $130,000, with most offers landing between $95,000 and $180,000, and senior red-team operators who can prove real exploitation clearing $200,000 in total pay. One job title, and hiding under it a pay range that would make your eyes water. The resume says “penetration tester.” What it almost never tells you is whether this person has chained a phishing click into domain admin on a live client network, or just pointed a scanner at an IP range and reformatted the PDF it spat out. Both call themselves pentesters. The market does not pay them anything close to the same.

I’m Tom Kenaley. I run the IT side of KORE1, and I’ve sat across the table from a lot of security leaders trying to price this exact hire. Offensive security fools more budgets than almost any role we recruit for. Here is the trap. The skill is easy to claim and brutally hard to verify from a resume. Painfully hard, actually. A vulnerability scanner does most of the visible work on a bad pentest, and the report looks roughly the same either way. The difference only shows up when a real attacker, or a real auditor, tests whether the finding was actually true.

Search “penetration tester salary” and you’ll get numbers from the high $80,000s to well past $250,000, and every one of those sites is telling the truth about somebody. They’re just counting different people. A junior running authenticated web scans through Burp Suite and a principal red teamer writing custom implants to beat an EDR both file their taxes as penetration testers. The pay is a different universe, and it should be.

Here’s my bias, stated plainly before you read a single band. KORE1 fills these roles through our cybersecurity staffing desk and our wider IT staffing practice, and we only collect a fee when you actually hire. A guide that talked your budget up would pad my own invoice. So notice the two spots below where I tell you to spend less, or to hire a plainer title that covers the real need. That isn’t charity. Clients we oversell leave inside a year, and the accounts we’ve kept since 2005 got kept by saying the thing that cost us the quick upsell.

Two penetration testers reviewing security assessment findings on a dual-monitor workstation in a modern office

Penetration Tester Pay in 2026, at a Glance

A penetration tester is hired to break into systems on purpose, with permission, and then explain in writing exactly how they did it and how to shut the door. In practice that splits into jobs that look nothing alike: scanning external networks against a checklist, testing web and API applications by hand, simulating a full adversary against a mature blue team, or probing cloud configs and industrial control systems most testers never touch. Same two words on the job post. Very different money underneath.

The bands below blend public salary data with what KORE1 has actually placed over the last two years, across the 30-plus metros where we run technical searches. Base pay first. Then total compensation where a real bonus or equity is on the table. Read the specialist row at the bottom against the senior row above it. Look hard at that gap. It is where most offensive-security budgets quietly go wrong.

LevelTypical ExperienceBase Range (US)Total Comp With Bonus / Equity
Junior / Associate Penetration Tester0 to 2 years$80,000 – $105,000$85,000 – $115,000
Mid-Level Penetration Tester3 to 5 years$110,000 – $140,000$120,000 – $160,000
Senior Penetration Tester6 to 9 years$140,000 – $180,000$160,000 – $215,000
Lead / Principal / Red Team Operator10+ years$175,000 – $220,000$200,000 – $300,000+
Cloud / OT-ICS / Hardware Specialist6+ years$170,000 – $215,000$200,000 – $290,000

Before you screenshot that bottom-right cell, one caveat. That total-comp figure is a product-security team at a big tech company, or a defense contractor bidding for a cleared operator, stock and retention money counted in. A regional bank that needs its annual PCI test done well is not paying it, and doesn’t have to in order to hire someone genuinely good. The same title stretches across those two worlds, and that stretch is the reason no two salary trackers will ever agree on one tidy number for you.

Why One Site Says $96K and Another Says $265K

The spread on this role is wide enough to be comic, and it isn’t sloppiness. Each source surveys a different crowd doing a different flavor of offensive work, and for penetration testing those crowds sit unusually far apart, because the word covers a first-year scanner operator and a principal exploit developer at the same time.

Start at the floor. The Bureau of Labor Statistics doesn’t track “penetration tester” as its own occupation, so information security analysts is the honest stand-in, with a May 2024 median wage of $124,910. The bottom tenth earns under $69,660. The top tenth clears $186,420. That’s a broad security bucket with defenders and analysts mixed in, so read it as the gravity the field is pulled toward, not as pentest pay specifically. A floor. Offensive roles tend to sit a step above that median once the skills are proven.

Then the trackers scatter. Glassdoor reports an average total pay near $154,700, with the middle half running $117,000 to $207,000 and top earners past $265,000. ZipRecruiter, pulling from job postings, lands lower at about $119,900 on average, with most listings between $96,000 and $141,000. Same two words. A gap you could buy a house with, decided mostly by who filled out which survey and whether bonus got counted.

Then the total-comp picture opens up. Levels.fyi, which counts stock at companies that pay in it, puts senior security engineering packages well into the low $200,000s, and offensive specialists on elite product-security teams higher still. The Stack Overflow 2025 Developer Survey keeps security professionals among its better-paid technical respondents. All honest numbers. Each is just photographing a different corner of one very large room.

So which figure is real? All of them, each for the company it happens to describe. A mid-market shop writing a base offer should anchor near the BLS and ZipRecruiter midpoints. A company recruiting against a top consultancy or a FAANG product-security team is already staring at the Levels.fyi package, because that number is sitting in the candidate’s inbox as a counteroffer. Price against your real competition. Not your wish list. That one habit saves offers.

Penetration Tester Salary by Experience Level

An average tells you almost nothing here. It’s a blur. What goes into an actual budget line depends on where the person sits on the ladder, and offensive security has a strange ladder, because the bottom rung is thin and the certifications matter more than the years.

Junior, 0 to 2 years

Junior penetration testers run $80,000 to $105,000 in base pay, and the honest entry point keeps climbing. A few years ago you could break in with a home lab and enthusiasm. Now most hiring managers want the Offensive Security Certified Professional, the OSCP, on the resume before the first call, because it proves the candidate can actually exploit a box under a clock instead of just reading about it. Juniors here shadow senior testers, own the smaller external and web engagements, and write up findings under review. Bright, hungry, and cheaper than they will ever be again. Hire two if you can.

Mid-level, 3 to 5 years

Mid-level pay runs $110,000 to $140,000, and this band holds most of the working testers in the country. This is the person who runs a full web-app or internal-network engagement solo, knows Burp Suite and Metasploit cold, has pivoted through an Active Directory environment with BloodHound, and writes a report a client can actually act on. The reporting matters more than juniors expect. Way more. A brilliant finding buried in an unreadable document gets ignored, and the remediation never happens. Testers who write clearly get promoted faster than testers who only pop shells.

Senior, 6 to 9 years

Senior penetration testers run $140,000 to $180,000 base, with total comp past $200,000 where a bonus or equity is real. The jump from mid isn’t another certification. It’s judgment under fire. A senior walks into a scoping call and knows within ten minutes whether the client wants a compliance checkbox or an honest adversary, and prices and plans accordingly. They chain findings other testers file as low severity into a full compromise. They keep a nervous client calm when the test lands on something ugly. That composure is a lot of what the money buys. Not the tooling. The nerve.

Lead, principal, and red team, 10+ years

At lead and principal, base runs $175,000 to $220,000, with total packages clearing $300,000 for red-team operators at the top consultancies or on in-house adversary-simulation teams. You aren’t paying for volume of tests anymore. You’re paying for the person who designs a full-scope operation against a mature blue team, writes tooling to slip past an EDR that flags everything off the shelf, and can brief a board on real risk without either crying wolf or soft-pedaling a genuine fire. Rare skill. Rarer still is the one who can also lead a team while doing it.

Technology hiring manager reviewing penetration tester compensation documents at a desk with an orange lamp

Penetration Tester Pay by City

Remote work loosened the map for this role more than most. Offensive testing is done over a VPN and a laptop, so geography matters less than it used to. Less, not none. And one metro breaks the usual pattern entirely. Below are directional 2026 reference points, blended from public data and our own placements, measured against a national penetration tester base near $130,000. Treat them as arrows, since the pentest-specific sample thins out fast at the city level.

MetroAverage Base (2026)vs. National
San Francisco Bay Area, CA$168,000+29%
Washington, DC / Northern Virginia$158,000+22%
New York City, NY$152,000+17%
Seattle, WA$150,000+15%
Austin, TX$135,000+4%
Denver, CO$132,000+2%
Atlanta, GA$126,000-3%
Dallas-Fort Worth, TX$123,000-5%

The Bay Area, New York, and Seattle lead for the reason they always do. That’s where the product-security teams and the money sit. The one that surprises people is Washington, DC. Northern Virginia and the broader Beltway run second in the country for offensive-security pay, and clearances are why. A tester who holds an active TS/SCI, and who can prove red-team skill on top of it, sits in the tightest talent pool we recruit anywhere. The tightest. Nothing else is close. Defense integrators and federal contractors bid each other up for that exact person, and an entry-level cleared role often out-pays an uncleared senior one three time zones away.

A quick note for the Southern California companies we work with most, since KORE1 is based in Orange County. Testing roles around Irvine, Costa Mesa, and Newport Beach tend to price a little under the Bay Area figure while pulling from a candidate pool that would rather not cover San Francisco rent. If you’re a remote-friendly mid-market employer down here, that trade is a genuine edge. You can land a strong senior tester without going dollar for dollar against a hyperscaler’s product-security budget.

The Specialty Sets the Penetration Tester Salary

Here’s the part no salary tracker can see, and where pentest budgets quietly detonate. Two testers, both with “penetration tester” on the resume. One runs external network scans and confirms the findings by hand. The other simulates a nation-state actor against a company that has a real detection team hunting for them. Fifty, sixty thousand dollars can sit between them. Same title. The work sets the price, every time.

Network and infrastructure testing is the floor. External and internal scans, service enumeration, confirming what the vulnerability scanner flagged, the annual test a compliance framework demands. Honest work, and someone has to do it well. No glamour in it, though. It’s also the most commoditized corner of the field, the first thing a company hands to a boutique firm on a fixed fee or an offshore team, and the part automation keeps chipping away at. If a yearly PCI test against a stable environment is truly your need, don’t let anyone sell you a principal red teamer to run it.

Web and API application testing pays a step up and stays busy. Every company ships software, and most of it is a browser away from the internet. Testers who live in Burp Suite, understand authentication flows, and can find the logic flaw a scanner will never see stay booked solid. This is the steadiest demand in the whole field, propped up by PCI DSS, SOC 2, and customers who now write a pentest clause into their contracts. Steady work. It rarely dries up.

Cloud testing is climbing fast. Misconfigured AWS, Azure, and GCP environments are where breaches actually happen now, and testing them well means understanding IAM, identity federation, and the provider’s own quirks, not just running old network playbooks against an EC2 instance. A tester who can attack a cloud identity plane the way an intruder would is one of the more sought-after profiles we place, and the pay reflects the shortage. Real shortage. Not a fad.

The ceiling belongs to red teaming, adversary simulation, and the deep specialties. Full-scope operations with Cobalt Strike or a custom command-and-control channel, EDR evasion, assumed-breach exercises, plus the rare corners: OT and industrial control systems, hardware and embedded, exploit development. Add a cleared, red-team-capable operator in the DC market and the pay stops following any published band. The pool who can do this work and prove it is small enough that the number is set by whoever else is bidding, not by a survey. Tiny pool. Loud bidding.

Penetration Tester vs the Titles It Blurs Into

Pay confusion follows title confusion, so here’s the untangle. A security analyst or SOC analyst plays defense, watching for and responding to attacks, and generally prices below an offensive tester. A security engineer builds and hardens the defenses, an adjacent skill set that overlaps at the edges but is a different daily job. A red team operator is a senior penetration tester with a full-scope, stealth-focused mandate, and usually sits at the top of the pay range. An exploit developer, who writes the offensive tooling itself, is rarer again and priced accordingly. Different jobs. Different numbers.

The practical version is short. Don’t post a red team req when the job is a quarterly web-app test, and don’t hand a compliance-scanning req to a principal operator who will be bored and gone in a quarter. We had a fintech last spring burn four months hunting a “senior red teamer” for what the scope actually described as recurring Burp Suite work on three applications. Wrong title, roughly double the budget, no hire. We downgraded the req to a strong mid-level web tester and filled it in about two weeks. Two weeks. Not four months. If you already know a pentest hire is coming and just need the search run right, our guide to hiring a penetration tester walks through screening for the skills a resume tends to hide.

Base, Bonus, and the Certifications That Set the Number

Base pay is where a candidate starts the mental math, and for offensive security it isn’t the whole story. Two things bend it hard. Bonus structure on one side, certifications on the other.

Bonus and equity split by employer type. At a consultancy, pay often ties to utilization and billable engagements, with a target bonus in the 10 to 20 percent range. At a product company, an in-house tester may get real equity that vests on a schedule, more like an engineering package. At a public tech firm, that stock can rival the cash bonus outright. Know which kind of offer you’re actually making before you say “total comp,” because a seasoned tester has already done the math on what your equity is really worth.

Certifications move offensive pay more than they move almost any other technical role, because the skill is so hard to verify otherwise. The OSCP is the price of admission for most serious roles. Full stop. No asterisk. Above it, the OffSec chain of OSEP, OSWE, and OSED, or the SANS and GIAC track of GPEN, GWAPT, and the harder GXPN, each signals a real specialty and lifts the band. CRTO has become the credential red teamers reach for. CEH, by contrast, gets a resume past an HR filter and not much further with the people doing the hiring. When you see three or four hard certifications paired with production engagements a candidate can describe in detail, you’re looking at the top of the range, and it’s usually earned. You can pressure-test your own bands against our salary benchmark assistant before you carry a figure into a budget meeting.

Contract and Freelance Penetration Testing Rates

Not every testing need is a full-time hire, and pentest lends itself to project work better than almost any security role. A scoped engagement has a clear start, a clear finish, and a deliverable. Clean edges. Easy to buy. For a one-time web-app test, an annual compliance engagement, or a red-team exercise before a big audit, contract is often the cleaner path. Blended contractor averages sit near $60 an hour on the job boards, but that number buries the real market. Senior independent testers on our desk generally run $120 to $250 an hour, and boutique offensive-security firms bill day rates from roughly $2,000 to $3,500 for a named senior consultant. Offshore listings advertise far lower, sometimes $30 to $60 an hour, and some of that talent is excellent. Sorting the excellent from the merely cheap is the part that eats the hours a security lead doesn’t have, and for anything touching regulated data the vetting cannot be skipped.

We staff testing work on contract and on direct hire both, and often as a contract-to-hire start. For a company building its first in-house offensive capability and unsure how senior it even needs to go, sixty to ninety days of real engagements tells you far more than any interview loop. It also caps the downside on what is usually a six-figure bet.

What Actually Closes a Penetration Tester Offer Right Now

A few things from the desk, current to mid-2026, that the salary sites are always the last to notice.

Speed wins more of these than money does, and it catches hiring managers off guard every time. Speed. Not salary. Strong offensive testers are running two or three processes at once, and they’re off the market inside a month. Our IT desk averages about 17 days to hire, and that isn’t a marketing line. It’s most of the game. The company that moves lands the tester while the one running a six-week, five-round gauntlet keeps losing to an offer that was ten grand lighter and three weeks faster.

The quieter killer is paying last year’s number. Offensive base pay moved up hard while supply stayed tight, and budgets written eighteen months ago keep drawing polite declines for reasons the hiring manager can’t see from their seat. The pattern barely varies. A run of rejected offers, then a tense budget conversation, then a corrected band and a signed candidate within a couple of weeks. Everything before the correction was time and goodwill spent chasing offers that were never going to land. Our 92 percent twelve-month retention rate comes from an unglamorous habit: level the person to the work they can genuinely do, pay the band that fits it, and they’re still on the team a year later. Dull habit. It holds. We’ve run that across 30-plus metros and eight verticals since 2005.

Questions Companies Ask Us About Penetration Tester Pay

What should a penetration tester actually cost me in 2026?

Budget a base near $130,000 for a solid mid-to-senior tester, with most real offers between $95,000 and $180,000 by level and specialty. Senior red-team operators and cleared specialists clear $200,000 base, and more again in total comp where a real bonus or equity is on the table.

Why do two salary sites disagree by fifty grand on this role?

Different crowds, different math. ZipRecruiter’s posting-based average sits near $120,000. Glassdoor, counting bonus and additional pay, reports over $154,000. Both are accurate for the group each one samples. Neither is the number for your specific opening, which depends on the exact kind of testing you need.

Is the OSCP worth paying more for, or is it just a badge?

Worth it, with a caveat. The OSCP proves a candidate can actually exploit systems under time pressure, not just talk about it, and it’s the effective floor for serious offensive roles now. Pair it with real engagements a tester can describe in detail and you’re looking at a strong hire. The badge alone, with no scars behind it, is only a starting point.

Penetration tester or red team operator, what’s the pay gap?

Roughly 20 to 35 percent at the same seniority. A red team operator is a senior tester with a stealth, full-scope, adversary-simulation mandate, and that skill is scarcer and priced higher. A standard tester runs scoped engagements against a defined target; a red teamer tries to beat a live detection team without getting caught. The second is a harder, rarer job.

Do I need a full-time tester, or is a project engagement enough?

Most companies don’t need one on payroll. If your requirement is an annual compliance test or a pre-audit engagement, a scoped contract is cheaper and sharper. A full-time hire earns its keep once you’re testing continuously, running an internal red team, or shipping enough software that quarterly reviews leave dangerous gaps.

What does a freelance penetration test actually run?

A scoped external or web-app engagement from a reputable independent or boutique firm typically runs $8,000 to $30,000, depending on size and depth. Senior contractors bill $120 to $250 an hour; boutique day rates land near $2,000 to $3,500. A cheap “$3,000 pentest” is usually a scan with a cover page, and you get what you pay for.

Where does the real penetration testing premium sit?

Two places. Cleared red-team work in the DC market, and deep specialties like cloud, OT and industrial control systems, and exploit development. Those pools are tiny, and the pay stops following any published band. Commodity network scanning sits at the other end, closest to a standard security-analyst salary and shrinking as automation improves.

How fast can we realistically hire one?

Faster than most companies expect, if the band is right. Our IT desk averages about 17 days to hire. The delay is almost never the search itself. It’s a stale budget or a five-round interview loop that lets a quicker competitor sign your candidate first. Fix those two things and good testers close quickly.

Putting These Numbers to Work

Start with the specialty, because it moves the number more than anything else. Then adjust for seniority, then for the metro or for a remote posting, and weigh clearances separately if the work needs them. Anchor a mid-market base near the BLS and ZipRecruiter midpoints. Write a bonus, an equity figure, or a cleared premium next to it if you’re bidding against consultancies, product-security teams, or defense integrators. Don’t let the fattest screenshot you find set your number. Don’t let the skinniest one set it either. Judgment does the rest.

Want a second read on a band, or a short list of penetration testers who fit your stack, your compliance needs, and your budget? Talk to a recruiter who actually works this market. We staff these roles through our cybersecurity and IT desks, and we earn the fee only when you can’t fill the seat on your own. I would rather help you hire the right tester at an honest number than a decorated resume at a premium you’ll question later. And if you’re mapping the whole security career ladder, our CISO salary guide shows where this path can lead.

Leave a Comment