Pen testers from Germany and Europe please infos

Hello guys, I am on my way to OSCP and I am planning to switch my current job (not IT related) to penetration tester, I just love it and planning a lot of certificates.
My question is about the job itself and the money. I do not know anyone who is in this field in Germany or don’t know someone who knows someone :slight_smile:

So I would really like if people could share here or DM, please. What is the job like, do you work remote, how much do you work on a daily basis, what does one working day look like, etc.

I know you will all say "the money depends on your experience, company, certificates, knowledge, etc…" I get that. But if I get infos from 3-4 people I can make an estimate in my head. Please DM.

It would really help me to get some realistic point of view.

Thanks in advance.

Thanks @Anonymus for sharing this post. Exactly the same info which I was also looking for.

I am currently trying to switch my job from 3.5 years of pentesting and red teaming.

Would appreciate it if the community can help us here.

Hi there.

As already mentioned elsewhere, I am a penetration tester (and forensicator) in Germany. First off: I obviously can’t speak about salary, but I found the following (German) blog post quite accurate: https://www.prosec-networks.com/blog/der-job-als-penetration-tester/ Those figures are pre-tax, of course.

The last paragraph of that blog is bollocks, in my experience, but it might be different in other companies.
For me, there is no such thing as a typical day (usually), but rather a typical week. Most of the engagements last 1 or 2 weeks. Sometimes more. So, the usual weeks start with getting an overview on the test target, followed by (in my case) device or infrastructure tests (I don’t like web, and IMO only know some basic stuff, there ^^ ) and trying to document/write the report along the way. But most of the time I just take quick notes, and then spend 1-2 days with actually documenting results and writing the actual report. Long-lasting projects are rather rare, since customers usually want/need results by yesterday. So, for complex tests, several testers get thrown at the target, to keep test frames short (and customers happy).
For me, switching to pentesting was making a profession from my passion. Of course, there are days you “hate” the job or certain tasks, but that’s why it’s a job. And in the end, you get paid for also doing the “less-enjoyable” stuff :wink:

If these are actually the salaries then it is very very sad… In the USA it is like $120.000 a year.

HomeSen: What kind of vulnerabilities/results do you find typically? Is it just a scan stating this is an old version of bla bla which could be used by an adversary etc…? Or do you find something and priv esc, pivot and stuff like this?

@k4wld said:

HomeSen: What kind of vulnerabilities/results do you find typically? Is it just a scan stating this is an old version of bla bla which could be used by an adversary etc…? Or do you find something and priv esc, pivot and stuff like this?

This depends on the actual engagement :wink:
Sometimes, customers just want (to pay for) simple vulnerability scans. But most of the times, they rather prefer an actual penetration test which can still involve running Nessus against the network (mostly to get a rough overview on larger networks), but also actively attacking devices and services, trying to escalate privileges and move from one host to the next :smiley:

@sparkla said:

Are these salaries for real? I know electricians and UPS drivers who make more than this. Isn’t Germany one of the richest countries in the world?

I really wonder if they make up the numbers for the staff they try to hire. :smiley: Just joking…

That is what I said in another post, I think on your subject: when I asked for 2500 euros for a pentesting job in Berlin, they said that is even too much for Germany.

I saw some job ad for Cybersecurity team leader in Germany with 10+ experience they are giving 95k bruto per year which is ~5k neto per month.

@sparkla said:

Are these salaries for real? I know electricians and UPS drivers who make more than this. Isn’t Germany one of the richest countries in the world?

I really wonder if they make up the numbers for the staff they try to hire. :smiley: Just joking…

I honestly think this is not true. If you go on some shitty work you are gonna earn more. Here is another link I found but it is also not encouraging.

https://www.gehalt.de/beruf/penetration-tester

I mean this is brutto and netto is maybe 4000 - 4500e, but this is also kind of small.

@solid5n4k3 said:
That is what I said in another post, I think on your subject: when I asked for 2500 euros for a pentesting job in Berlin, they said that is even too much for Germany.

I saw some job ad for Cybersecurity team leader in Germany with 10+ experience they are giving 95k bruto per year which is ~5k neto per month.

I honestly hope it is not like that. I have a friend working as a software developer in Switzerland, he is earning 120.000 a year. So I can’t accept that Germany gives 4 times less for what we do or are gonna do. If you are from Serbia then you know that there are people in Serbia working as software developers remote or for foreign companies earning 1500e + in Serbia, which is super good considering that the people are working for like 400e there. So something is weird about that and unfortunately we don’t have anyone who is gonna be honest and really say how it is…

@sparkla said:
I think I made close to this (the junior salaries from the link) in my best years as a freelancer. That was one of the reasons I switched to sec, cause I worked my a** off day and night and couldn’t even afford a car or save some money for when I’m old.

Now I worked my a** off even harder to get into sec and get my first cert. I would not work for this kind of money, who does this? How can it be that we work harder and smarter than anyone else and get offered such a sh*ty salary? Then why do this? Don’t give me that “I love my job and do it for passion” again. There’s thousands of doctors out there, they work day and night even harder than us, and I bet most are very passionate about saving lives. Yet I also bet if they got paid that little there wouldn’t be so many doctors anymore. Are doctors earning as little in Germany? I think some German companies want to keep people small, keep them hustling so they don’t act up and question things. Or maybe IT isn’t going so well in Germany, heard that somewhere.

You are absolutely 100% right. Germany will take as much as it can from you. It wants you to look small, it does not give a lot of opportunities to be rich. I don’t wanna start on this topic because Germany is always watching LOL
Anyways back to the salary, I honestly hope it is not like that. But if it is I am not changing my job never ever. Pentesting is gonna be my last resort. But I wanna do the cert for myself because it’s fun and I already started lol

@Anonymus said:

I honestly hope it is not like that. I have a friend working as a software developer in Switzerland, he is earning 120.000 a year. So I can’t accept that Germany gives 4 times less for what we do or are gonna do. If you are from Serbia then you know that there are people in Serbia working as software developers remote or for foreign companies earning 1500e + in Serbia, which is super good considering that the people are working for like 400e there. So something is weird about that and unfortunately we don’t have anyone who is gonna be honest and really say how it is…

Yes I am from Serbia :D.
That was my experience, I would also like it if it wasn’t true.

Swiss is 2-3 times more expensive than Germany, people living near the border go to Germany to buy groceries.

So I’ve never worked as a pentester or in Germany so take anything I say here with that in mind.

In the UK, most posts with “average salaries” are wildly inaccurate and cover an average between shockingly badly paid interns and senior directors. It’s also pretty irrelevant if there isn’t a job offering you that salary, it just makes you feel like you’ve been cheated or overpaid.

Because it is a wildly moving target, for me the only way to get a feel is to search for the job adverts and see what people are willing to offer.

Checking now, lots seem to show up with ranges like €50000 - 90000 per year which isn’t really helpful for getting an idea of what is normal.

@TazWake said:

So I’ve never worked as a pentester or in Germany so take anything I say here with that in mind.

In the UK, most posts with “average salaries” are wildly inaccurate and cover an average between shockingly badly paid interns and senior directors. It’s also pretty irrelevant if there isn’t a job offering you that salary, it just makes you feel like you’ve been cheated or overpaid.

Because it is a wildly moving target, for me the only way to get a feel is to search for the job adverts and see what people are willing to offer.

Checking now, lots seem to show up with ranges like €50000 - 90000 per year which isn’t really helpful for getting an idea of what is normal.

I think everything 7000e+ is ok. After Germany rips you off you end up with a decent salary :slight_smile:

@sparkla said:

I can say from experience, Switz isn’t 2x more expensive than Germany. The reason why people on the border shop in the other country is for fun, to have a trip and a good time, some new foods and that stuff. It depends a little on current exchange rates, so yeah the Switz franc can buy a little more if shopping in a € country, but that’s about like 5%. I’ve been to both countries, but what is true is that lots of Germans try to work in Switz simply because the pay is better, and that is simply because Switz companies got more money than German.

And because taxes are smaller.

This is just insane what Germany does:

Income tax in Germany is progressive, starting at 1% and rising incrementally to 42% or for very high incomes, 45%. The tax rate of 42% applies to taxable income above €55,960 for 2019. As well as income tax, everyone has to pay solidarity tax (Solidaritätszuschlag or “Soli”), which is capped at 5.5% of income tax

And in Switzerland the Personal Income Tax Rate is 40%.

Germany does not allow you to be rich… Insane…

@Anonymus said:

Hello guys, I am on my way to OSCP and I am planning to switch my current job (not IT related) to penetration tester, I just love it and planning a lot of certificates.

I’m in the same boat as you, so if you happen to be around Munich and you’re looking for a study partner, send me a PM.

@sparkla said:

I would be ok with lower pay, if the rest is ok. If I’m:

  • treated like a human being
  • respected for the amount of work I put into my education
  • allowed to work from home 100%
  • given an unlimited contract in terms of duration
  • offered real increments on salary (not like: “maybe in a few years you get 2 bags of potato chips extra”)
  • getting flexible working hours
  • receiving real benefits and incentives, like a good company car, and not a fkin bus ticket + access to the fruit flatrate (whenever I read that I run away instantly. It’s like: “We totally care about your health and the environment” - Oh really? I’m fructose and bs intolerant)
  • having an interesting position according to my skills and chances to move up and not “Here’s your junior assistant role in a cubicle, you also need to make all customer support and take care about monetizing your projects”
  • in a friendly working environment and not everyone elbowing the next guy from day one
    … (yeah, there’s a lot more like this)

But still not for 25k after tax. :smiley:

You are absolutely right, but I would also not work under 5000e after taxes and that would be just if I have no other option :slight_smile:
But to find a company that treats you with respect and as a human being and not as a number is very hard. Basically with everything you wrote you described 99.9% of the companies, unfortunately.

allowed to work from home 100%

That may be possible currently due to the pandemic but a lot of pen testing jobs require you to go onsite, especially internal infrastructure gigs.

@sparkla said:

@sm4sh0ps Strange enough that pretty much all billboard become-a-pentester ads say the exact opposite.

I wouldn’t trust the adverts. Webapps may tend to be remote pentests but nearly all tests are carried out against environments which are not exposed to the internet/public.

Most places I’ve seen expect the pentesters (even webapp ones) to turn up on site and be supervised by the security team.

I’ve seen places do this for tests against AWS infrastructure… I can’t say why, it just happens.

@sparkla in the UK going onsite and living in hotels is just considered part of the job. Pen testers are expected to do assessments on web apps and infrastructure that is not remotely accessible.

@TazWake said:

expect the pentesters (even webapp ones) to turn up on site and be supervised by the security team.

That kind of sucks to be supervised like you don’t know what you are doing and they are supervising you. If they know better why don’t they do it? Maybe I am wrong to say that but it feels undermining.

@Anonymus said:

That kind of sucks to be supervised like you don’t know what you are doing and they are supervising you. If they know better why don’t they do it? Maybe I am wrong to say that but it feels undermining.

Every organisation varies, but the supervision doesn’t tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

@TazWake said:

Every organisation varies, but the supervision doesn’t tend to be down to watching the commands, more a case of making sure that the scope is maintained and that as soon as anything is discovered they can start dealing with it.

When you put it that way it sounds nicer :slight_smile:

What are your thoughts about the salaries?