How to Become an Ethical Hacker in the UK

Ethical hacking, or penetration testing, attracts people who like the idea of legally breaking into systems and finding vulnerabilities before criminals do. The reality differs from the Hollywood version. It's a consultancy career that demands technical skill, clear communication, and careful documentation.

If you're considering this path in the UK, this guide covers what the job actually involves, the skills and certifications you'll need, realistic salary expectations, and practical steps to land your first role.

What Ethical Hackers Actually Do

Forget hackers in dark rooms typing furiously while dramatic music plays. The National Cyber Security Centre defines penetration testing as "a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."

Your working life will involve scoping and planning before any testing begins, working with clients to define what's in scope, agreeing on testing windows, and establishing rules of engagement. Reconnaissance and enumeration are time-intensive. You'll map networks, identify services, and research potential attack vectors systematically.

Then comes exploitation, the part most people imagine when they think of hacking. You'll attempt to exploit vulnerabilities, escalate privileges, and demonstrate real-world impact. But documentation and reporting is where much of your time actually goes. A penetration test is only valuable if the client can understand and act on the findings. You'll write detailed technical findings for engineers and executive summaries for senior stakeholders. Client debriefs, clarification calls, and sometimes defending your findings when clients push back are all part of the job.

The role is intellectually demanding but requires patience. Some days you'll find critical vulnerabilities. Others, you'll spend hours on enumeration with nothing to show for it.

Essential Skills

Technical Foundations

Before you can break systems, you need to understand how they work.

Networking comes first. A solid grasp of TCP/IP, DNS, HTTP/HTTPS, routing, and common protocols is essential since most vulnerabilities involve network communication at some level. You'll need proficiency in both Linux and Windows. Linux (often Kali or Parrot) serves as your primary testing platform while Windows environments are frequent targets.

Understanding how web applications function is critical given how much testing focuses on web apps. This includes HTML, JavaScript, APIs, authentication mechanisms, and common frameworks. Cloud knowledge matters too. As organisations move infrastructure to AWS, Azure, and GCP, familiarity with cloud architectures and their security models is increasingly valuable.

Python and Bash are the most commonly used languages for automating tasks, writing custom exploits, and parsing output. PowerShell helps with Windows-focused work.

Soft Skills

Technical ability alone won't make you successful. Penetration testing is client-facing consultancy work.

Your report is the deliverable. If you can't explain a vulnerability clearly and recommend practical remediation, the technical work loses value. You'll present findings to technical teams and executives, answer questions, and sometimes explain why a finding matters to sceptical stakeholders. Navigating scope changes, handling sensitive findings, and maintaining professional relationships are all part of the job. Testing engagements have fixed timeframes, so you need to prioritise effectively and know when to move on from a rabbit hole.

UK Certifications and Their Value

Certifications matter in the UK market, but not all carry equal weight.

CREST

CREST is particularly important because it underpins the NCSC's CHECK scheme, required for penetration testing of government and public sector systems.

The CREST Registered Penetration Tester (CRT) is the entry-level professional certification recognised by NCSC for CHECK team members. Many UK employers list it as a requirement or strong preference. The CREST Certified Tester (CCT) is the senior-level certification covering infrastructure or application testing. CCT holders can lead CHECK engagements.

If you're interested in public sector work or joining a CHECK-approved company, CREST certifications are often essential. You can find CREST-certified firms on pentestingcompanies.co.uk.

Offensive Security

OSCP is widely respected for its hands-on, practical exam format. Many job adverts list it as desirable, and it demonstrates genuine technical ability. CREST offers an equivalency pathway, though you'll still need to pass the CRT exam for CHECK eligibility. OSWE is a specialist certification focused on web application security, valued for roles with a web app focus.

CEH

The CEH from EC-Council is well-known and frequently appears in job descriptions. It's generally viewed as introductory rather than proof of practical consultancy skills. It may help you get past HR filters but carries less weight with technical hiring managers.

A Practical Certification Strategy

For UK careers, consider starting with foundational IT certifications if you're new to the field (CompTIA Security+, Network+). Pursue OSCP to demonstrate hands-on capability. Obtain CRT for UK market relevance and CHECK eligibility, then progress to CCT as you gain experience.

Educational Pathways

There's no single route into penetration testing. The industry values demonstrable skills, and employers increasingly care more about what you can do than how you learned it.

A computer science or cybersecurity degree provides a structured foundation and can help you get past initial CV screening at larger consultancies. But a degree alone won't make you job-ready.

The UK offers cybersecurity apprenticeships at various levels, including Level 6 degree apprenticeships. These combine paid work with structured learning and can provide a direct route into the industry.

Many successful penetration testers are self-taught, using platforms like TryHackMe and Hack The Box for interactive challenges, PortSwigger Web Security Academy for free web application security training, and the OSCP coursework itself. The self-taught route requires discipline, but it's entirely viable.

Cybersecurity bootcamps offer intensive, short-term training. Quality varies significantly, so research thoroughly before committing.

Career Progression

The Standard Path

You'll likely start as a junior or associate penetration tester, working under supervision, handling simpler engagements, and learning from senior testers. As a mid-level penetration tester, you'll take on engagements independently and produce reports without heavy oversight. Senior consultants lead complex engagements, mentor junior staff, and handle challenging client relationships. Team leads manage quality across multiple engagements and get involved in business development. Technical directors or heads of offensive security take responsibility for service delivery, team growth, and strategic direction.

Specialisation

Some testers specialise rather than moving into management. Red teaming involves simulating realistic adversary attacks, often including physical and social engineering elements. Others focus on web application security, mobile security, cloud security for AWS, Azure, or GCP, or OT/ICS security for industrial control systems. Specialisation can command premium rates but may limit the range of available roles.

UK Salary Expectations

Data from IT Jobs Watch (February 2026) provides useful benchmarks:

Entry-level or junior roles sit around £38,750. The median is approximately £60,000. Senior or specialist roles reach approximately £81,875.

Location matters. The London median is around £57,500, while the UK excluding London sits at approximately £47,500.

Contractors and those with niche specialisations may command higher rates. Senior leadership roles at larger consultancies can exceed £100,000, though such positions are competitive.

When evaluating offers, consider the full package. Training budgets, certification support, conference attendance, and remote working flexibility all add value.

Building a Portfolio and Getting Your First Role

Breaking into penetration testing without experience is challenging.

CTF competitions provide practical experience and demonstrate problem-solving ability. Platforms like Hack The Box, TryHackMe, and PicoCTF offer ongoing challenges. Document your solutions in write-ups to show you can communicate findings clearly.

Bug bounty programmes on HackerOne and Bugcrowd let you legally test real applications. Even modest findings demonstrate practical skills. Be aware that bug bounty hunting can be time-intensive with uncertain returns.

Build a home lab to practise in a controlled environment. Set up vulnerable virtual machines (DVWA, Metasploitable, VulnHub images) and practise exploitation techniques safely. Document your learning process.

When applying for junior roles, lead with relevant certifications and practical experience. Include links to write-ups, GitHub repositories, or a personal blog. Mention any responsibly disclosed vulnerabilities and demonstrate report-writing ability.

Consider adjacent roles as stepping stones: SOC analyst, IT support, systems administration, or security compliance. These provide relevant experience while you build penetration testing skills.

Legal and Ethical Boundaries

Understanding legal boundaries isn't optional.

The Computer Misuse Act 1990

This is the primary UK legislation governing unauthorised access to computer systems. Key offences include unauthorised access to computer material, unauthorised access with intent to commit further offences, and unauthorised acts with intent to impair operation of a computer.

As a penetration tester, you avoid liability by operating under explicit written authorisation. Every engagement must have documented, signed rules of engagement specifying exactly what you're permitted to test. Never test systems outside the agreed scope, even if you discover they're connected. Respect agreed testing periods.
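As an added example (not from the article), here is a small Python gate that checks a target address and a timestamp against the signed rules of engagement before any tooling is pointed at it; the scope ranges, exclusions and testing window below are constructed placeholders standing in for what the engagement document would specify.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample rules of engagement (placeholder values, not a real client).
# In practice these come straight from the signed engagement document.
RULES_OF_ENGAGEMENT = {
    "client": "Example Client Ltd",
    "in_scope": ["10.20.0.0/24", "203.0.113.10/32"],
    "excluded": ["10.20.0.5/32"],  # e.g. a production host the client carved out
    "window_start": "2026-03-02T09:00:00+00:00",
    "window_end": "2026-03-06T17:00:00+00:00",
}


def _networks(cidrs):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def target_in_scope(target, roe=RULES_OF_ENGAGEMENT):
    """True only if the address is inside an in-scope range and not in an exclusion."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in _networks(roe["excluded"])):
        return False
    return any(addr in net for net in _networks(roe["in_scope"]))


def within_window(when_iso, roe=RULES_OF_ENGAGEMENT):
    """True if the ISO-8601 timestamp falls inside the agreed testing window."""
    when = datetime.fromisoformat(when_iso)
    start = datetime.fromisoformat(roe["window_start"])
    end = datetime.fromisoformat(roe["window_end"])
    return start <= when <= end


def authorised(target, when_iso=None, roe=RULES_OF_ENGAGEMENT):
    """Return (allowed, reason) so refusals can be logged in the engagement record.

    Hostnames must be resolved first and the resolved address checked; a host
    discovered to be connected during testing is not in scope just because it
    is reachable.
    """
    if when_iso is None:
        when_iso = datetime.now(timezone.utc).isoformat()
    if not target_in_scope(target, roe):
        return False, f"{target} is outside the signed scope"
    if not within_window(when_iso, roe):
        return False, f"{when_iso} is outside the agreed testing window"
    return True, "authorised"
```

Wiring a check like this in front of scanners and exploitation scripts turns "never test outside scope" from a habit into an enforced control, and the logged reasons give you an audit trail if a client later questions what was touched.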

Responsible Disclosure

If you discover vulnerabilities outside formal engagements, report to the organisation through appropriate channels. Allow reasonable time for remediation before any public disclosure. Don't access data beyond what's necessary to demonstrate the vulnerability.

Data Protection

UK GDPR applies to any personal data you encounter during testing. Handle it appropriately and ensure your own practices comply.

Practical Next Steps

If you're serious about this career, assess your current skills honestly. Start learning practically on TryHackMe or Hack The Box. Build a home lab and document your experiments. Plan your certification path with CRT requirements in mind. Follow UK security professionals on social media, and attend local meetups or conferences like BSides. Look for junior roles or apprenticeships at consultancies, and consider adjacent roles as entry points.

The path requires sustained effort, but it's achievable with dedication. Focus on building genuine skills, document your progress, and remember that every experienced tester started somewhere.