There are folks that go one direction or another, and there are folks who are more rounded and do both.  I'd suggest, at least initially, that you explore both, but focus your time in whichever area is your 'strong suit', then, once you get a feel for things, decide whether to be a generalist, or continue to focus in a specific area.

I consider myself a solid / strong generalist, but I have no issue teaming with folks whom I know are specialists in a given realm, if it means that A.) I'm free to focus on certain areas for a given test, and B.) the overall result can be more detailed and 'all inclusive' for certain engagements.

Hope that makes sense. 

Thank you for your answers and Happy New Year. I am currently an (web) application developer considering moving into security, so the application side is much easier for me to understand but I'll definitely try to learn the basics of both.

In my limited experience, the level of specialization required of a pentester is directly proportional to the size of the consulting firm you work for. The bigger the firm, the more specialization you can have. Smaller firms tend to need consultants that can do a lot of things well.

Hi there,
This is Amol Here,
I done CEH,RHCE,RHCA,RHCSS. Having 8 years exp in Linux Security & Application Security.
Though this is my first post, I am member of EH from 2007.

According to me
Pentester is Professional Entity which knows everything about Network/Infrastructure/Application/Physical Security for a client. And knows nothing about that client for outsider.

And for many of us, "pleasure" turned to "pain" before going back to "pleasure" again... 

All jokes aside, Amidamaru is right: if you don't love it, you can't spend the required effort into it. You just need to go one bite at a time. You're interested in wifi? Have fun for a few weeks exploring that. Then switch your interest on whatever interests you at that time. I think it's a nice way of not getting overwelm by all the materials that needs to be learn...

Often they specialize in application (i.e. program) security or web application security, where network security is another part as well. There are of course, those who specialize in network security only, but they are often security engineers and not penetration testers, unless they attack the protocols themselves.

In my current job, we have people in those 3 fields, plus other mandatory fields for everyone, such as but not limited to wireless security, physical security (social engineering), PCI (that's another team), etc.

So yeah, I forgot to mention people specialize in PCI as well, but that's not penetration testing though, even though some parts of it is related somewhat when you have to check whether a client is in PCI scope or not.


It is impossible to know "everything". No matter how many years, no matter how much experience you got, there will always be old, perhaps extremely old, new, or very new things, even current things you will not know about.

I often see people extremely skilled in application security (reverse engineering, buffer overflows, heap overflows, dep, rop, aslr, etc), who are brilliant in this field, but lacks knowledge in web application security. (Often crucial and specialist understanding of how everything can be tied together, including many of the possible attack vectors. Knowing the most basic ways can be taught to anyone, even non-hackers.)