Where to start? The women? The money? The fame?

While an information risk consultant might do some ethical hacking, I would expect that role to be focused mostly on risk management. Terminology varies quite a bit in this industry though, so review the responsibilities/qualifications for such a role. "Penetration tester" is the title that's most synonymous with ethical hacker. My official title is "Information Security Analyst," but I also do more than just penetration testing.

Money ranges based on skill. I know some people that make six figures while some of the unskilled newbies we mold right of college make help-desk wages.

I do remote work (i.e. external penetration test) out of our office, and I regularly go on-site (2-3 weeks per month) for the variety of on-site services we perform. I have friends at different companies and they do remote work from home and also go on-site. I wouldn't expect anyone to work professionally from a coffee shop or other semi-public network as there would likely be legal risks involved with that.

As far as the work itself goes, once a penetration test is assigned to me, I work with the client to verify IP address ranges, setup scheduling, address any special needs, etc. Once we're all squared away, the actual testing begins with information gathering, mapping, and so on. Upon completion of the test, I write a detailed report explaining the issues found, what the consequences were, and provide general direction for remediation.  This last part is where I see a lot of people struggle and become unhappy. It's definitely not fun, but it's a necessary evil for a quality test. I spend a significant portion of my time writing reports, so be sure you're able/willing to handle that aspect of the job as well.

Anytime! Welcome to the forums, btw 


Like I said, titles are all over the place and are not consistent at all. I wouldn't necessarily define an Information Security Analyst that way. I also do risk assessments, IT audits, social engineering, and security awareness training. Penetration tester is just one of the hats I wear.


It's usually pretty difficult to go right into a security role. IMHO, you end up selling yourself a bit short even if you can manage it. You'll more than likely have to get started doing systems and/or network administration and work you way into the security side of things from there. As always, you can't secure what you don't understand.

I would say it's a leap up from anything you'd do in school. I spend hours a day outside of work just trying to keep current and learn things I feel I'm weak in. You really have to enjoy learning and working with this type of stuff as a hobby to really take things to the next level.

It really depends on the person. I think it's great for me. YMMV.

As far as jobs go, this field seems to be increasingly more popular. It seems like it will stay that way for the foreseeable future.


Like I mentioned before, you really need to be passionate about the material and enjoy working with it. If it's just appealing because you're after a big check or it seems exotic, you're not going to last. It's going to take a lot of time outside of business hours. I would wager that most of us are ok with that because we also consider it to be a hobby.

I also see others get frustrated and quit because they're not willing to put in the time mastering the fundamentals and want to do exciting work right off the bat. Like I said, you'll more than likely have to put in some time as a systems and/or network administrator. You're only going to be able to do a half-assed job (at best) if you don't develop a solid understanding of  TCP/IP first.

What appeals to me is the fact that things are constantly changing, and I'm constantly learning. As you can see, what may be considered a con to some people is a pro to me. That's why the answer to a lot of your questions are going to be, "it depends." I enjoy doing challenging work and having to think critically. Some want a job that's slower-paced with less pressure. I think you get the idea...