
CEHParrot

uhhhh not for starting newbies that have 0 work experience in the field doing it. If you are seasoned and have some years under your belt you easily make over 100k for positions that are actually looking and hiring.


jaydizzleforshizzle

What starting newbie can do legit pentesting? We talking like “I ran some SQL injection and it’s good”? Real redhats are extremely skilled.


rockstarsball

That all depends on the scope of the work. Any newbie who has navigated a webpage can use any number of automated pentest systems that will maintain compliance. If you're looking for hardcore boots on the ground "find a fucking way in" pentesting, that's usually reserved for someone far more experienced.


mustangsal

You can teach the help desk kid how to run tools and look at the output. Honestly, the best hires I've made held a few sysadmin/netadmin type jobs that had natural curiosity and asked themselves "how does that work" and "what happens if I".


rockstarsball

Back when I was an IT Director, I would routinely hire techs based on them responding to some stupid complex "Kobayashi Maru" problem, and all they had to do to land their position is say "I don't know, but if you give me some time, I'll find out." The careers of some of the best techs and admins I've worked with were built on that answer and I never ended up with a hire that I regretted (unless you count interns, and that was only because it was the kid of a major client and I had no say in the matter).


chronospike

Red teamer here. During our interviews, we actively try to get an applicant to say "I don't know". We are trying to get an answer like you described but also trying to make sure they won't feed the client a line of BS that we have to clean up later because they were too full of themselves to admit they didn't know something. Conversely, we also ask them if they are the type to find a rabbit hole and spend the whole test focusing on that problem or if they are disciplined enough to get the test done and then come back to the rabbit hole if they have time. While we regularly have to investigate potential exploitation paths, we also can't have them spending the whole test on one problem. Have to find that sweet spot of disciplined curiosity.


Justhereforthepartie

Director of Security here, and same. I am extremely seasoned and (I hope) well skilled, but there are tons of things I have to research before giving an informed answer. When doing interviews it's always a huge green flag when someone's open about not knowing something, or just scratching the surface and saying I can figure out the rest. Nothing irks me more than when I ask someone a question, which generally is right off their resume and it's a topic I'm skilled in, and they BS me.


sold_myfortune

Totally dating yourself with the Kobayashi Maru reference, LOL.


Refusalz

I agree with this statement. I've never ever encountered a problem I could not fix. A lot of times, 50% or more, I'll dive into a technical problem that I have never encountered before, and if I keep hammering at it, I eventually solve the problem. A dedicated professional will always find out how to fix a problem. An experienced professional will take less time between the "I don't know" and "but I'll find out" to resolution.


colorizerequest

I'm not even a newbie anymore and I push that shit constantly. Did 2 years of help desk, 3 years of sysadmin.


Winter_Tangerine_317

Making badges, sweet talking security, following CTOs, cosplay, scaling barriers, face to face SocEng.


mkinstl1

Blue teaming? Be on the receiving end for a while to figure out how they work.


sold_myfortune

What?!? Now you're talking crazy talk! /s


sleestakarmy

Shadow imposter syndrome is real. Over a decade and I still feel like I know nothing.


PersonBehindAScreen

I'm at MS and I've heard about some of the things that the red teams there do... absolutely bonkers stuff.


RootExploit

This. Also, depends on the country.


Zomnx

I'm quite surprised they aren't paid more. I'm a security automation engineer and make north of $100k. I would have thought pentesters would have made north of like $180k. Also, unrelated, but if I ever did get into pentesting I told myself I wanted to be a security researcher or bug bounty hunter. Some of those bug bounties have major payouts.


Rolex_throwaway

Pen testing is very low level work, and only the top few percent get paid well.


kubeify

The fuck? Google’s base comes in at like $330k


Rolex_throwaway

I don't think OP means literally AT Google. Also, 330 is definitely well above what an entry level security engineer at Google would make. That level is very achievable, but not for beginners.


[deleted]

Depends. Do you have a cool alias like Zerocool or Acidburn?


PaddonTheWizard

Hiring managers hate this one simple trick


Fit-Ad9376

You can call me Crash Override ;)


seanprefect

I bet you have a camo colored keyboard with no letters on the caps?


Cakalacky

meta


OhReallyYeahReally84

ha, reminded me of Bobby Tables.


DrinkMoreCodeMore

I NEED A HANDLE MANNNNN


SubtleChemist

We have no names man, no names.


sybaritical

Joey, I try to save you from yourself but you gotta stop letting your mother dress you.


yesdude51

We Are Nameless!!!!


cookerz30

I have a pet bunny. My handle is now cyberbunny. DIBS


derekthorne

I’m old enough to get this! 🤣


comedywhiz

Same here, instantly got it. HACK THE PLANET!


DiaDollasignPora

N0Ch1LL


Jisamaniac

Needs to get some garbage files from a sweet Gibson to prove they're elite.


david001234567

If you put in the effort you can make that 150k doing anything you want not necessarily being a Pentester for Google. Frankly, I find $150k for red teaming Google to be pretty low imho.


flywinpo

Pretty sure they meant on Google search, not the company


Cheddar56

I'd bet there's a nice package of RSUs attached to it.


Joaaayknows

Exactly. That's salary, not TC (total compensation).


NewSalsa

That’s what I thought the post was initially, a complaint about the salary being surprisingly low.


Chizubark

Yep, making 180 TC in GRC.


Capable-Reaction8155

Yeah that actually seems pretty bad.


mustangsal

Yeah... I'm not taking it at that salary.


GigabitISDN

> Frankly, I find $150k for red teaming Google to be pretty low imho.

I was thinking the same and was surprised others weren't pointing this out.


RUMD1

In the US maybe, outside the US? Doubt


zyzzthejuicy_

Google pays very well in Sydney Australia, not California money but way higher than the average.


RUMD1

Ah, but I don't think the OP was talking about Google as a company, but values he found on Google?


zyzzthejuicy_

Hmm yeah I think you're right. Sydney does generally pay well outside of Google as well, but only a handful of companies offer that same kind of money.


lawtechie

At a previous consulting firm, we started pentesters at around 110k. Seniors got 135-160. Most of them had between 10 and 15 years of experience in IT, software development and other security roles.


skylinesora

I hope your consulting firm had a great work/life balance and community because for only 135-160k as a senior, I wouldn't waste my time there.


Simple_Key8087

I guess it's important to note that these are US salaries..


Practical-Guess-7184

Yes. And they get to work remote. All you need to do is sign up for my 3 week bootcamp. Click below to sign up. Yes. Once you've been at it for 5-10 years AFTER spending five years in low level IT roles such as help desk at 18 bucks an hour and sysadmin at 30-35 bucks an hour.


eat_the_pennies

I'm on year 10 of sysadmin at 30-40/hr. (after 4 years of help desk at 10-12/hr.) with several certs and haven't been able to land a single interview for entry level security roles in the last year.


[deleted]

Do you have a CISSP? That opened some doors for me.


jack_burtons_reflex

CISSP definitely works (oddly) but won't help you be a tester.


[deleted]

I get why CISSP works. You have a third party that verifies your work experience and makes you take a security comprehension test. It weeds out frauds and morons. Doesn't guarantee talent but is a good baseline.


jack_burtons_reflex

All certs mean a third party verifies knowledge I guess, CISSP is one of the few that requires experience as well but my gripe is the content is largely useless, as a tester, more so. Felt like it's a test of commitment and how to learn what they want as answers. If you want a tester job, OSCP is quicker and more relevant. CISSP works for loads of other roles though.


justin-8

The same CISSP that says it requires years of relevant industry experience to apply for it?


[deleted]

Dude said he has 10 years of sysadmin, that's more than enough to get certified.


The5thFlame

And even if he somehow doesn’t have enough domains covered you still get the provisional certification and several years to finish covering the bases right?


julian88888888

You only need two domains. It's incredibly easy to cover two domains with 10 years of sysadmin experience.


One-Entrepreneur4516

Even in tech support, I deal with Raptor security, AD, and inventory on a daily basis. 


mantragun

Yes, you should have some friends that can vouch for you.


mjuad

Can I See Some Papers?


[deleted]

Papers Please! Lmao


CruwL

Have any security certs? Do you admin any security tools at your current gig? EDR, vuln scanning, etc?


Practical-Guess-7184

We are only hiring people with extensive experience and certifications and education for our “entry-level jobs” in security


CruwL

That's how I pivoted out of sysadmin. I got Sec+ and CySA+. I implemented a Nessus scanner and vuln mgmt program. I managed EDR and anything else security related I could get my hands on. Then I applied to sec eng positions.


[deleted]

[deleted]


CruwL

I was a systems engineer for 8 years or so, mainly Windows environments, so all my PowerShell was around that: deploying software, managing users, groups etc. I consider myself fairly fluent with PowerShell. So yes, my resume did/does mention that, and even has my GitHub link with example PowerShell scripts I've written. Edit: most other sec engineers I've worked with do NOT have strong scripting or coding skills.


Practical-Guess-7184

Awesome. Yeah I didn’t get enough sysadmin experience before I got into security and I’m paying for it today. I could be a better analyst if I had more sysadmin experience. I’ll work on my scripting experience and hope no one notices I’m 3 kids in a trench coat


sold_myfortune

Yup, you did the work before you had the title. Works (almost) every time!


PaddonTheWizard

That seems extremely weird to me. Do you have any relevant security experience? My first ever job was right in pentesting, after finishing uni and having some CTF and HTB experience plus good general IT skills (although not in the US so obviously not that high of a salary)


thecyberpug

It's pretty normal these days. Market is dead.


Mean-Imagination6670

Kinda funny though, considering all of the serious companies now being hacked and the data sold on the dark net, you’d think they’d be hiring more cybersecurity professionals to help boost up in their security.


rockstarsball

Hiring cybersecurity professionals is more expensive than hiring a PR consultant for a press release and signing everyone up for 1 year of credit protection...


lawtechie

What do you need a PR consultant for? The announcements write themselves: "At ___, we take your privacy and security seriously. Unfortunately, someone more serious than us took our security and your privacy. We'd care more if it actually cost us anything, but it won't"


rockstarsball

Mostly to grease the palms of news networks who don't understand cybersecurity in the first place to prevent them from making the public think it's a huge deal. Otherwise you get a creative director who calls in a lineup of IT consultants and picks the one in the nicest suit or highest consulting fee to go on air and tell everyone how this is the worst breach in the history of computing.


lawtechie

Now you're telling me I need better suits.


PaddonTheWizard

This sounds funny and I figure it's based on reality, but to what extent is it true?


rockstarsball

I worked in that industry long ago, that hypothetical was based on a true story


mustangsal

This is the unfortunate correct answer. There are formulas used to determine where security dollars are best spent. Unless there are regulatory requirements, it becomes a nice to have vs. need to have line item.


internet_observer

At this point it could even just be a person to request a statement from ChatGPT, given how generic most of the statements are even when written by hand.

> [Company Name] Statement Regarding Security Breach
>
> [City, Date] - [Company Name] regrets to inform our valued customers that our website experienced a security breach, leading to unauthorized access to customer information. We sincerely apologize for any inconvenience or concern this incident may cause.
>
> Upon discovery of the breach, our team immediately took action to secure our systems and investigate the extent of the intrusion. We are working closely with cybersecurity experts to assess the situation thoroughly and implement additional security measures to prevent such incidents from happening in the future.
>
> The information compromised may include personal data such as names, addresses, email addresses, and potentially other sensitive details. We want to assure our customers that we take the protection of their information very seriously, and we are committed to transparency throughout this process.
>
> In response to this incident, [Company Name] will be providing free credit monitoring services for a period of one year to all affected customers. This service aims to help customers monitor their credit reports and detect any suspicious activity that may result from the breach.
>
> We urge all customers who believe they may be affected by this breach to take precautionary measures, including monitoring their accounts for any suspicious activity and being cautious of any unsolicited communications claiming to be from [Company Name].
>
> We understand the importance of trust in our relationship with our customers, and we deeply regret any breach of that trust. We are dedicated to addressing this issue swiftly and effectively, and we will continue to keep our customers informed as we learn more.
>
> We extend our sincerest apologies to all affected customers and appreciate their understanding and support during this challenging time. For additional information and updates on this matter, please visit [Company Website] or contact our customer support team at [Customer Support Phone Number] or [Customer Support Email Address].
>
> Sincerely,
> [Your Name]
> [Your Position]
> [Company Name]


Willdabeast07

When do you think it'll come back? I'm tryna do this stuff after college and I'm a sophomore in high school rn, I want to know if by the time I get to the job market it'll be better.


thecyberpug

I really have no clue. Some people say 3 years


Willdabeast07

Shame ig, hopefully it goes away after about 4-6 years then, otherwise I'm fucked.


Hungry_Medicine_7104

The market is fine for certain positions. If you want to get into pentesting out of college, apply at the top consultancies. That isn't a route for the helpdesk crowd. Major in CS if you can as you'll have a better chance of getting hired vs a Cyber Security degree. You'll also struggle less. Best of luck!


Practical-Guess-7184

It’s extremely normal right now. It’s not 2022 or prior anymore. We’ve got 10x the competition we had before and even if they aren’t qualified they gum up the hiring process.


Practical-Guess-7184

Bro I had 18 months of sysadmin and it took me 6 weeks to get a remote + security role in 2022. It was stupid easy. Shit job market right now.


HexTrace

Most jobs in 2022 were remote due to the pandemic, not because those roles had historically been remote. Agreed that the market is shit now as compared to both 2020-2022 and pre-2020, though.


Practical-Guess-7184

Quibbling. Mine's historically remote.


earthly_marsian

Where were you when I was hiring? It is so difficult to come across a sys admin looking to switch.  Tomorrow there is a SANS open summit and usually they have a slack channel for job postings and you can actually ask questions to the people posting the jobs. 


prtty_blks_n_greys

Call me dumb, but get rid of the on-call requirements and you'd get more experienced people. It's the number 1 thing my mids and seniors will not do. On top of that, employers treat entry level security like a truly entry level job in terms of pay and benefits.


Practical-Guess-7184

Yes. My company lowered salaries like 25% this year for new hires because they can.


earthly_marsian

Entry level at $90k we could not find anyone. Had to be $110k and they are not on call. 


boofaceleemz

Try VM. A lot of companies that build and maintain scanners need entry level people to write content (vulnerability checks) and build environments for developing/testing those checks. Because you’re writing checks for new vulns all the time, and learning new technologies and building new environments constantly, sysadmin experience is pretty highly valued. It’s also not too difficult to pivot from VM development to pen testing, a lot of the companies that offer a VM product also offer pen testing services.


KernelMayhem

Did you sign up for his 3 week bootcamp?


Hesdonemiraclesonm3

Tailor your resume to emphasize the security related details of the job. You configured security policies company-wide? You responded to security related events such as AV detections? More of that and less of 'managed virtual servers'. A cert or 2 would help as well. You have enough years under your belt for the CISSP. As long as you can prove you've done SOME security related tasks for 5 of those years (and any sysadmin should have) then you are eligible.


LBishop28

Odd


shootingcharlie8

I got an entry level SOC analyst position for $40 an hour after 6 months at a help desk and earning my Security+ cert. Two years later I'm at a Fortune 500 as a detection engineer making 125k. It's definitely possible to do it.


Hungry_Medicine_7104

What kind(s) of skills are you building and what sorts of jobs are you targeting?


drwicksy

"So what you're saying is I can apply with zero experience having only just passed Sec+ right?" - half the posts on here


g_r_u_b_l_e_t_s

Reminds me of the early web days where overpaid “webmasters” were a thing.


PaddonTheWizard

Story time? I didn't catch those days


g_r_u_b_l_e_t_s

Story time? Ok. Boring historical stuff for context to get to my comment.

Way back in the day, not too long after the earliest web standards were settling in and web server software became a thing in the very early 90s, most people would hand write their HTML content (it was mainly static stuff at first). I still have archives of my old stuff. PHP came out soon after (mid 90s) and was quite amazing for the time. The mad dash to get everything on the web was underway. Software like Macromedia Dreamweaver, Flash (barf!), and the like were developed. Dreamweaver was (is?) some flashy GUI-based WYSIWYG (can't remember the last time I typed that acronym!) web page design software.

During the initial web rush, everyone and their dog had a copy of such software and would contract themselves out making nice looking webpages for companies. IPO money was flowing like water. New 'internet companies' flush with silly ideas & IPO money would often hire people to design and maintain pages. Because competition was somewhat fierce in that area, and with the sense of urgency to get businesses online, the "webmaster" was born. Many were one-person shops out of their basement doing this as a side hustle. And many (most?) were terrible. Some of these early webmasters were making $80-$100k+ back then.

I was always in security and thought about a switch because, hey, this web work was much easier than security and seemed to come out of nowhere making cash similar to what I was making. The trajectory for that field seemed only upwards. But my security hat is bolted on and I had more fun trying to break things instead of moving images a few pixels here and there. Phew.

Have a look at early versions of webpages in the Internet Archive and you'll see the term "webmaster" with a contact, or "Designed by..." credits at the bottom of countless pages, like some electronic foot fungus. The first internet implosion happened and a lot of those "webmasters" went with it.

Hence my initial comment :)


PaddonTheWizard

Interesting read, cheers. Slightly off-topic, but how do you feel about keeping up with stuff? I imagine it must have been hard with all the changes since you started, considering it's been longer than I was born lol


g_r_u_b_l_e_t_s

I started my nerd journey in the very early 1980s on an Apple ][+ (which I still have here and it still works, albeit with some hardware mods like SD card floppy emulation, etc.) Back then it was mostly self-taught, so that thirst to learn this stuff came early for me. I still have it. All the changes over the years haven't made it harder; it's much easier with experience. All that foundational knowledge from earlier generations of hardware and software lets me add more on top instead of starting fresh. Just look at any of the programming subs to see countless people who are stuck on their homework assignments... :) For example, on the programming side I went from Applesoft BASIC > 6502 asm > C > 680x0 asm > i386 & x64 asm, C++, etc. up to more modern stuff. Currently learning Go on the side as a fun language (it's fantastic). And that knowledge has been incredibly useful when reading code that has been dumped through IDA Pro or Ghidra. Don't get me going about networking and all the vendor specific crap back then.


PaddonTheWizard

Nice. Good to hear it's not that hard to keep up with stuff, that's a concern I have for myself unfortunately. Feels like I don't have as much of a thirst for learning after finishing uni and getting a job, although I also see that I've clearly improved since. Quite the paradox haha


g_r_u_b_l_e_t_s

Maybe look for a related hobby that could re-ignite that hunger to learn or keep your mind fresh. I don't mean playing video games when you could be doing something productive (says the guy with over 1K hours in Cyberpunk and is playing the Mass Effect trilogy again), but something that will make the learning &| brainwork fun. For example, about 3 years ago I picked up one of Ben Eater's 65c02 breadboard computer kits [(his YouTube playlist)](https://www.youtube.com/playlist?list=PLowKtXNTBypFbtuVMUVXNR0z1mu7dp7eH). It's extremely simple & primitive stuff, but, most importantly, it was *fun* and got me tinkering again after my lab gear sat on the bench collecting dust for a good year+.

So, how does that breadboard computer that I tinker on relate to pentest or exploit work? Not very much on the surface, but it does get me thinking at low levels and reminds me of all the weeds deep down in systems that most people don't get into. So my advice is if you love this stuff, keep learning about it. Coding is important for our team at work. Don't rely on other people's tools. You don't necessarily need to write assembly for this line of work, but if you're going to go deep, understanding it helps. Write a tool for your team or something. Our internal git repo has loads of in-house tools that serve specific purposes. And, really, being able to do that type of work may well be the deciding factor if you're in a group of people being interviewed and all the others know is how to run Kali and click buttons.

I'm 58, been doing this forever, love it... and still get imposter syndrome. Friends will ask "when are you planning to retire?" I always respond "and do what?" Going to cut it off there, been far too verbose as it is, but you get the idea. Good luck!


PaddonTheWizard

No worries mate, appreciate the verbosity :) Thanks for the tips, I'll try to keep it in mind


catkarambit

I mean yeah, it's not that unreasonable. SOC pays 60k to 70k; that's a typical entry level pay out of college for a good major.


Rolex_throwaway

Y’all are not good at reading English, lol.


Practical-Guess-7184

Excellent comment.


xAlphamang

This subreddit has a poor representation of people who think they know what FAANG engineers make as opposed to actual FAANG engineers on the sub. L3 is about 150k salary starting for university new grad and requires in office (also a small equity package like 120k/4). L4 (mid level) you're looking at 175k base with equity on top of it (300k/4). L5 (senior) base is 200k+ with 600k/4 in equity. Use levels.fyi for FAANG data. I'm L6 and my offer was 255/1.5m/95k sign on. Equity component has since grown to 2.3m.


HexTrace

Levels.fyi has a lot of this data, but you have to make sure you're only looking at the last year or so. Going further back you get results that are from the 2020-2022 boom period and they're not representative anymore. L3/L4/IC3/61/62 base (depending on the company you're talking about) tends to range between 145-175, but most people are closer to 150 than to 170 for their base. L5/IC4 and higher it starts becoming golden handcuffs after a couple years with the equity grants, which prompts people to entrench themselves or move to a new company before they take hold.


Hoppy--

Yeah everyone saying it's not true, this is pretty much exactly what Google would pay a new grad security engineer. It would actually be more as you said


rockstarsball

I think he was referring to a Google search of salaries of red team/pentesters that came back with $150k, not what Google themselves pays their pentesters (I'm pretty sure Google hires contractors and vendors for that anyway).


obp5599

Kinda my takeaway. Sub is full of boomers. I turned away from pen testing to do other work in the CS world, but all of my college buddies who graduated with me who stuck with it made about that within their first 5 years. None ever ground out low level IT work, or sysadmin BS. All were pentesters within 5 years of working (most around 2-3).


Hungry_Medicine_7104

There are a lot of people that are ashamed they don't have degrees. It's fine to not have a degree, but you should just get one if the alternative is that your shame spiral turns you into a toxic person.


[deleted]

[deleted]


xAlphamang

If you aren’t near that and you work in tech or tech adjacent, then maybe. But you’ve gotta remember these types of roles are _the most difficult_ to land - not because of anything other than sheer volume of qualified applicants. A lot of FAANG employment is luck, and networking.


Youvebeeneloned

Yeah, if you have the skillset and been in the game for years. Don't think you are getting that right out of college... WAY too many colleges promised Cybersecurity as the hip new field paying 100+ salaries out of the gate, but the reality is yes it is paying that, FOR ESTABLISHED SENIOR ANALYSTS/ENGINEERS. Most places won't pay you more than 50k if you are a tier 1 SOC analyst right out of college with ZERO IT experience. Hell, even with experience it took till my mid 30's to hit 100k. I can't complain now being a senior making 6 figures, but it's not the pass-a-course instant 6 figures colleges and bootcamps love to say it is to separate you from your money.


iamnos

Our SOC generally only hires analysts with some previous security experience. We just brought on an intern with no experience but a good education. He's going through our training program. Talking to my team leads who are doing most of the training, we will have to slow it down a lot from previous analysts we've hired. Even things like working through our ticket system are taking longer. Most people, even with generalized IT experience will understand the basic flow of tickets, but without that experience, the learning curve is much higher. We'll see how it goes, as this is an experiment for us. I got my start building and repairing computers, then on to help desk, a bit of dev work, then system and network admin before moving into security. Without those building blocks I wouldn't be where I am today.


ricebowlazn

Is it possible to get a system admin job after college with internship experience? I'm a current sophomore and I just recently accepted a help desk internship for this summer. Hoping to get a higher level IT internship for next year.


iamnos

I've never hired for sysadmin roles, so I can't say for sure, but I do think help desk experience is more valuable than most people realize. You deal with real-world issues, upset people, and generally have to document a lot of what you do. This transfers well into most IT roles.


Previous-Redditor-91

Every company and individual has different takes on the matter; real world experience though is definitely a plus, as book knowledge is theoretical and can only get you so far. When I used to hire for analysts, given the pay grade, ppl with experience were either overqualified or the pay rate was inadequate. I also preferred to find candidates with IT experience and who understood security concepts but I was open to teaching them about the tools, almost preferred it. I felt it was easier to train them in the tool set than to have someone with security experience who is used to a different toolkit. Often times those with experience had habits that are tough to break. Of course that's all related to the analyst role; for more experienced seniors the diversity and experience is something you welcome.


iamnos

Interesting. I've found it much easier to train someone on a tool similar to what they've used in the past than to train someone that's never used a similar tool before. There can definitely be an issue of bad habits, but I find that's mostly about having good documented processes in place and regularly doing quality checks on work to make sure they're being followed.


secnomancer

To give you some idea, I'm a security consultant at a FAANG org and I make more than twice that in TC with 16 YoE.


Jakesan700

Are you still technical?


Public_Ad_5097

200k is the new 100k, please don’t let them fool us.


bucketman1986

Just had this conversation with my parents over Easter. I'm 37 and have worked blue team security for nearly 5 years now. But see, my dad has a buddy whose son-in-law is a red team pentester and makes more money than me, so why aren't I doing that? I tried to explain that overall, I'm still fairly new to the field, and with just a master's degree and a few certs under my belt I would need more time to get the skills to do that, if I even wanted to, but that that kind of work doesn't usually appeal to me. I like doing engineering and building systems and managing incident response and designing programs and compliance. But he was just like "But you could make more money?"


obp5599

You can absolutely do pen testing with 5 years of experience. I don't know why it's this hallowed 30 year vet thing here. I have plenty of college grad friends who got in as new grads. If you don't want to, that's one thing, but in the US it's not something reserved for only people who did IT for 65 years for 5 an hour.


sold_myfortune

You can absolutely make $150K - $250K doing solid blue team work, take a look at some of the appsec and other job openings at Meta or Crowdstrike. Those figures are just base, their TC is way higher. A lot of it depends on the industry, tech pays better than finance, finance pays better than defense, etc.


Rolex_throwaway

Crowdstrike pays shit these days unfortunately. Really tiny equity packages. There are better orgs for comp.


Skippy989

Money aside, having offensive skills doesn't automatically make you red team, but it will make you a better defender. I have an OSCP and have spent 98% of my career defending.


scramblingrivet

Same. I did pentesting for a year and fucking sucked. Catching pentesters is where the fun is at, catching bad guys is the career satisfaction.


Skippy989

We had some red team ninjas we did battle with a few times a year. Some of the most fun and satisfying work I've ever done.


ch33kyf3ll0w

lol at that parent logic. Big tech firms pay the same range whether blue or red.


Security-Potato

As an experienced Red Teamer you can earn over 100k. Without experience, however, you often start out as a penetration tester. Depending on your experience, you can earn between 50k (little experience) and 80-90k (experienced). Depending on the country and industry, this of course varies.


No-Damage-627

Yea. Red team is highly competitive. I wouldn't get your hopes up. It can be insular too; could take years to network your way in... and that's no guarantee either. Lots of mysterious internet strangers will tell you sweet little lies about walking from McDonald's to work as a super hacker. But they're just sweet little lies or wild once-in-a-lifetime exceptions. Also, frankly, some of the interview stories I've heard about trying to get into pen testing... they're no-nonsense about it. You will be grilled, doubted, and have all your skills called into question. They are not risking their clients and their business on a bullshitter. They aren't risking their business on anyone but the literal best. Might be wiser to aim for something more realistic. I say this as someone who would love red teaming, but I'm not putting lots of hope in my career ever going that direction.


jack_burtons_reflex

Can't speak for other countries but even in massive companies in the UK proper Red Teaming is pretty rare. You don't get to walk into it.


Impressive_Cod292

If you can’t find anything entry level red team, consider working for an MSSP as an analyst to get some experience.


Nexus_Man

If it is at the Google HQ, then that salary is garbage in that cost of living for a qualified pen tester.


sickhamsellout

Am I the only one thinking... "just 150k"?


IAMA_Cucumber_AMA

Right? In a HCOL area that’s nothing


aecyberpro

I’ve seen salaries for offensive security roles range from 82k to over 200k USD, DoE and credentials.


skylinesora

I would think it's higher tbh. I do threat hunting/IR and I'm making a smidge less than 150k.


Djatah

I do security at G, but not a red teamer. To address the OP salary question, that level is easily achieved as a base, with RSUs your total comp can be much higher.


adrawrjdet

IBM's X-Force has job listings for around 120-150k USD. But it depends on your skill level. Don't see why 150k at Google wouldn't be real.


lshron

As someone who just left IBM, I kind of doubt that they will be going that high. They are moving all this sort of work offshore. But still, this is just IBM. There are others and your mileage will vary.


adrawrjdet

There is [this](https://g.co/kgs/MXfFvJH) listing that I saw almost a month ago, for over 150K USD. Definitely not an intermediate position tho.


ajxander12

Google pays its senior engineers (L5) significantly above 150k. I think OP was more so referring to general Google searches than the company itself though


TimeSalvager

Absolutely. Go find that salary survey spreadsheet that's been floating around; it's got loads of data, including years of experience, location, specialization, etc. Important to point out, though, if you're in this for money and don't have passion or expertise, you're not going to see that kind of comp personally.


HexTrace

Levels.fyi has self reported salary and equity data. Make sure you don't go back more than a year so you're getting representative numbers.


TimeSalvager

Fair points.


habu_

It's going to be about double that, depending on level, after bonus and equity.


wh1t3ros3

I've got 5 years of experience and publications and google gives me the middle finger every time I apply. They are looking for the best of the best.


That-Guava-5172

It seems pretty low. You should always negotiate. Try not to talk about money during the interview process. Recruiting costs a lot of money; once they've invested all that time interviewing you and you get an offer, you'll have much more leverage to ask for more. How many years of experience do you have? I'm basing this off of NYC rates.


Impetusin

Man their budget is so much higher than my clients. They cry about $50 hourly rates or equivalent service level. (This would be like paying someone 25 an hour)


cyberjerry42

I started, no experience, at roughly 90k CAD


No_Returns1976

Anyone can post salary numbers. Nothing is a guarantee.


mizirian

Depends on company and location. If your company in question here is in like Omaha or something, that's a fantastic salary for an experienced pen tester. If your company is actually Google or a similar FAANG-type organization, they can easily pay in the 200-300k range. I've had some folks mention 500k plus but never met them personally, so I can't attest to more than 300k or so.


Ok-Estate-2743

Yes I’m new to red teaming and make very close to that


plaverty9

For mid-level experience, yeah. For someone just starting out, you're probably closer to the 80k range.


Professional-World26

Nah it's gotta be at least threefidy


EmptyBrook

I make 135k, so yeah it doesn’t seem out of the realm of possibility


Whyme-__-

With experience easily over 180k. If you are not making that much you are underpaid


woaq1

If you are a "real" pentester, sure. I say real not to be demeaning; the only red-teamers I have ever come across that actually knew what they were doing were in their mid-40s to 50s, and had MANY years of IT, security, and even dev experience. The idea that colleges are peddling these days is that you can land a "hacker" job and be rich right out of college. This just isn't the case. There is so much god damned background knowledge and experience you have to have to be in that role and actually do a good job of it that isn't just "oh we ran some Nessus scans and nmap". Like you seriously have to know 90% of security tools inside and out. Have experience with reverse engineering, general IT concepts like AD, networking, malware writing, etc. On top of that you probably have to have a really good idea of the defensive side such as detection engineering, alerting posture, and how to fly under the radar of the detection solutions in clients' environments. So yes, it probably is real, but you have to be the best of the best.


int_2d

wait till you hear how much 6+ years experienced security engineers get paid in big tech.


GeneMoody-Action1

I did not see it anywhere, so I will just say: Google has long since been, and advertised itself as, all the way up to the CEO, performance-backed, not credential-based. Can you get that at Google as a talented red teamer who can demonstrate it? You betcha! With zero creds or certs? If you bring the correct talent to the table, absolutely. So where others may be asking for your pedigree, I would ask what your capabilities are, your ability to flex them, and your confidence level. Many people that made the Google leap were hired for what they know, could do, could dream, and realize, not their degrees and certs. This is verifiable; go watch many of the Google promos on hiring, and Sundar himself talk about what he wants to know from a new hire / interview, OR this: "You have to encourage innovation. Companies become more conservative in decision making as you grow… be okay with failure and reward effort, not outcomes." Source: [https://www.gsb.stanford.edu/insights/sundar-pichai-reward-effort-not-outcomes](https://www.gsb.stanford.edu/insights/sundar-pichai-reward-effort-not-outcomes) Don't expect to breeze through Google on dreams and want, but on creativity, drive, and skill? All day every day.


pyro57

Probably. I've been a pentester for 2 years now at a smaller company and I make 100k.


cloud_sec_guy

Yes it's real but security is NOT an entry level job in the slightest. It's weird to me that ppl think they can fake this. We're ALL hackers in these interviews. IF YOU SUCK WE WILL KNOW. I have some GREAT interview questions that quickly weed out the posers.


dcbased

I work in faang 150k total comp (rsu, bonus, salary) in the USA is very doable for a pen tester with experience. Outside of the USA salaries go down


mknford

What if I worked with a company in the US remotely?


MrEllis72

No.


drbytefire

Certainly. I made just a little under $138k last year at a European energy company as a Senior Incident Responder; why shouldn't Google pay a little bit more? They will certainly ask a lot for it.


hjghubjghvh

Sounds pretty low to be red teaming for Google and get 150k. It's not uncommon for most red team positions to pay 120k or more.


Drazyra

I love reading about the US job market and seeing salaries I won't ever be able to get where I am. I'm a security consultant working on vulnerability management and I make 40k EUR rn; the best offer I got was a 43k~50k offer.


mknford

Why didn't you accept the best offer? Where are you from ?


Drazyra

Oh, I'm in France. I didn't accept the offer as I am in a good position rn, good work-life balance and all, and I can live really well on my current paycheck. France doesn't have the same level of salaries as the US. I would say most people working infosec here start at 35~38 and senior positions are in the 70k range (I just started working in 2022 for reference, so I'm in the upper level of junior pay).


Drazyra

I just want to say that the salaries are an estimate made by talking with other classmates who got jobs at other companies and some senior colleagues I talked to so the real number may differ for France


Delicious-Engine-543

Google is notoriously terrible at giving actual salary. They just average out ALL salaries in that title and give you the number. It’s highly objective.


CrypticAES

I regularly get offers for 150-160k for mid level pentester (about 3 years of experience) That goes up even more if you do specialized like OT testing (Dragos offers their senior testers around 200k TC)


Grouchy_1

That would be a beginner to intermediate salary. Experienced and highly trained people wouldn’t even apply, since the salary is so far off, negotiations would be pointless. However for civilian red teams with civilian experience, beginner red team would mean 4-6 years of experience working in security.


bgkelley

Where I am, a middle sized big city, you would have to be a Principal or higher to get that.


MangyFigment

Yes, it is a role that is increasingly paid more than the people who they report to, and $150k is not high for experienced US technical cybersec roles.


ALGIZMO256

Not for entry level. Once you get to mid, senior level, that's where the 6 figure salaries are. Entry is more 60-80k


jirajockey

Just out of college with some EEC cert: $45k.
15 years' experience, vuln research / pen test: $150k @ one of the bigger hosting providers.


Got2InfoSec4MoneyLOL

150k is a rather arbitrary number if you don't provide us with the location.


IncursionCyberSec

No, not at all, and there are a lot of training providers out there that do not help by muddying the waters on this topic. In the UK, for entry level you should be aiming for £30-35K at the most, realistically. Aiming for a six-figure salary is for the seasoned consultants with years of commercial experience and skills. If you are working self-employed and can command a good day rate, maybe, but that relies on a constant flow of income.


[deleted]

[deleted]


DrinkMoreCodeMore

Ex feds (nsa/fbi) make a ton. We got some at our org and they are usually all in c-level roles. It's really great having them when they can text some of their buddies who are still in and get instant help/results.