There are plenty of consulting businesses that use pentesting as one of their tasks. Usually with a specific person assigned to it. This is mainly so that the person can properly represent themselves when speaking about techniques and findings. Also, the time that is usually involved with pentesting (also depends on the depth of assignment) usually requires that this be the only task for the length of the assignment. As a person gets more experience then they can usually include assessment work but now we are really talking about a team effort.
Currently you are on the right track. Getting your certifications means that you have the basics. Getting real world experience can be a bit of a problem. Do the hacking challenges and keep reading. If you can do some local consulting then start working on it but be careful and ALWAYS get written permission with detailed specifics as to what the job entails (and stick to the specifics outlined in the documents). I am sure that you are currently working some where so see how you can start integrating assessment and penetration testing into their environment (but if they say no then they mean no).
Lastly, really start working on your writing skills. How you write and how you present technical information is key. You may consider finding a college with a masters degree program. SANS offers one but it is not currently an accredited university. You can check the NSA's site as they have certified several programs
http://www.nsa.gov/ia/academia/caemap.cfm?MenuID=10.1.1.2.
Also remember that networking is the key. Getting to know people in the field. Making a name for yourself as a person who is trustworthy, smart, honest, and hard working will get you far. Remember, the majority of the people in this field (or who have gone far in it) are workaholics and tenacious.
Hang in there and good luck.
ADDITION: I also just found this at CIRT.net
http://www.cirt.net/cgi-bin/jobs.pl?method=showjobs&product=Metasploit. Hope that helps.
General Certification : CPT Practical Submission
