Stay in pentesting or pivot? (Career Advice. USA Based.)

iHateCamelCase Member Posts: 2

Which occupation generally will have a higher salary ceiling and which is the more "futureproof":

Penetration Testing vs Blue Teaming (Hunt, Data Science)

Side note: By blue teaming I mean more hunt activities (searching/designing new detections) and data science. I realize data science is its own thing and doesn't necessarily have to be related to security. I'm in sec so it's just easiest for me to enter it from that context.

Came from a sys/network/cloud admin background previous to current place. I've been here just over 4-5 yrs. At current spot I have three+ years of blue teaming (Splunk, writing custom alerts, hunting, launching new controls (custom NAC solutions, blackholes, etc.)) and over two on a red team doing internal pentesting. After much research I noticed that my salary is under market for my skill sets. I'm seeing coworkers leaving and making at least 20k-30k more on average. Even my manager is suggesting I go find something that pays better. The majority of them are moving into blue/purple style positions whether they were pentesting or blue team. This is starting to lead me to conclude that blue style positions pay more on average than pure pentesting.

I have the opportunity to move into the hunt/blue world or stay in red teaming. I may also have the option to do a rotation with our data science team if I want to. Honestly I'm kind of over the whole "sexy" aspect to pentesting and I'm more concerned about which pays better. It helps that I enjoy both worlds as long as it's not just crunching endless alert tickets from a queue. I also love programming and am actively developing open source stuff that I'm putting on GitHub. Have people suggesting that I start pentesting on the side but I have no idea how to do contracting paperwork.

Any input is appreciated.



  • yoba222 Senior Member Posts: 1,087
    Everybody wants to do pentesting because it's so sexy right now. Which worries me because I do infosec and occasional pentesting by day. I think the grass is greener in data science from my side of the fence, and sometimes wonder if I should have gone down that path. I mean things are good right now, but I worry about a race to the bottom once everyone learns how to pentest.
    2017: GCIH | LFCS
    2018: CySA+ | PenTest+ | CCNA CyberOps
    2019: VHL 20 boxes
    2020: OSCP 2020
  • iHateCamelCase Member Posts: 2
    Yeah I'm concerned that in-house pentesters/red teaming will significantly decrease and automated platforms and outside consultants preside. I'm going to dip my toes in with our data science crew and see how I like it. Can't hurt to try.
  • Mooseboost Senior Member Posts: 775
    edited June 2019
    I don’t see the need for testers going away anytime soon, especially in orgs that are heavy in compliance requirements. What I do see however, is the bar being raised as the market demands more skills for the same pay. As more folks move into testing (as-a-service and internal red teaming) and more automation gets built in, the checkbox skills are not going to be enough. I think the market is going to be more harsh for junior folks and the “I don’t understand Cloud” mid/senior guys. The landscape is changing and complex networks/applications are still going to require experienced testers but there is going to be a shift in the skill set demands. Being involved in DevOps and Cloud is going to start becoming more common as a requirement (it kind of already is).

    On the blue side of the house, automation is absolutely going to reduce the need for butts in seats. In my last blue position (threat hunter) we were beginning to deploy Demisto. While it slightly increased the engineering requirements, it was going to significantly reduce the need for analysts. Watching machine learning (drink) in action changed my opinion on automation in security. Blue teams are going to be able to do more with fewer analysts and with less skilled analysts. It doesn’t eliminate the need for senior analysts, low level incident response, etc., but it does mean you can cut a significant amount of staff overhead (which arguably you might need to do to pay for that automation platform).

    I don’t think either side of the house is going to change overnight. And again, I think junior guys are going to get the brunt of the blow. 

    I do agree that data science is going to be the greener path. Being the gear that drives the automation is a good place to be.
    2020 Certification Goals: OSCE GXPN