House of the Dark Arts, Kevin Mitnick

Careers in Offensive Security

Dark Arts trains the people organizations hire to break into their own systems, then write the report that makes the systems harder to break. This page lists the job roles, salary bands in 2026 USD, the certifications that gate them, and what a typical day on the job actually looks like.

11 representative roles, entry through executive. Salaries reflect United States markets, mid-2026 ranges.

Career framing, not how-to. This page describes offensive security as a profession (job duties, deliverables, certifications, compensation). All work in this field is performed under written authorization, within scoped engagements, and reported to the asset owner. Unauthorized access is a crime everywhere this curriculum is delivered.

Entry tier, zero to two years

Apprentice phase. You learn the methodology, the tooling, and the reporting standard before you ever lead an engagement.

Junior Penetration Tester
Entry; $65K to $90K

Support vulnerability assessments and network tests under a senior tester. Run scoped scans, document findings, and learn the consulting workflow.

Key certifications
CompTIA PenTest+ PT0-003; eJPT; CEH v12
Core skills
Nmap and Burp Suite; Basic scripting (Python, Bash); Linux command line; Report writing
A day in the life

Stand up a scan environment for an authorized assessment, work the testing checklist, document evidence with screenshots, sit in on a client kickoff call, draft the findings section of a report for a senior to review.

Bug Bounty Hunter
Entry; Bounty-paid, $20K to $250K typical range

Independent contributor on platforms such as HackerOne and Bugcrowd. Hunt for vulnerabilities inside published scopes, file reports, and earn per-finding bounties. Often a side income before becoming a primary role.

Key certifications
HTB Certified Bug Bounty Hunter; CompTIA PenTest+ PT0-003; eWPT
Core skills
Web application testing (OWASP Top 10); Reading scope rules carefully; Clear write-ups with reproduction steps; Patience
A day in the life

Pick a program from your watchlist, read the latest scope changes, work a feature you have not tested yet, draft a write-up with severity and impact, respond to triage questions on yesterday's submission.

Mid tier, two to five years

Specialization phase. You own engagements end to end and start to choose a discipline: network, web, wireless, social, or mobile.

Penetration Tester
Mid; $95K to $140K

Run full penetration tests across networks, applications, and cloud environments. Lead client communication during an engagement and own the deliverable.

Key certifications
OSCP; GIAC GPEN; eCPPT
Core skills
Exploit identification; Privilege escalation (Windows and Linux); Active Directory assessment; Web application testing; Client-ready reporting
A day in the life

Scope an engagement with the client, execute the test plan, capture evidence, debrief the client on critical findings same-day if needed, write the executive summary and the technical detail sections of the report.

Application Security Pentester
Mid; $110K to $160K

Specialist in web, API, and mobile application testing. Combine source code review with dynamic testing to surface logic flaws scanners miss.

Key certifications
OSWE; GIAC GWAPT; Burp Suite Certified Practitioner
Core skills
Code review (Java, JavaScript, Python, Go); API testing (REST and GraphQL); Mobile testing (iOS and Android); Authentication and session analysis
A day in the life

Read source for an authentication flow, build a focused test harness, validate a suspected IDOR, write a technical proof-of-concept for the report, brief the engineering team on the root cause.

Wireless Pentester
Mid; $100K to $145K

Specialist in Wi-Fi, Bluetooth, cellular, and RF assessments. Often an on-site role.

Key certifications
Offensive Security Wireless Professional (OSWP); GIAC GAWN; CompTIA PenTest+ PT0-003
Core skills
802.11 protocol analysis; WPA2 and WPA3 assessment; RF survey tooling; Bluetooth Low Energy review
A day in the life

Survey a client site, capture authorized traffic, validate guest network segmentation, document signal leakage outside the building, brief facilities on antenna placement findings.

Social Engineering Specialist
Mid; $100K to $145K

Plan and execute authorized phishing, vishing, and physical entry engagements. Translate findings into security awareness improvements and process changes.

Key certifications
SANS SEC567 (Social Engineering for Security Professionals); CompTIA PenTest+ PT0-003; CEH v12
Core skills
Pretext design; Phishing campaign engineering; Physical entry tradecraft (under authorization); Awareness program design
A day in the life

Plan a phishing wave inside the agreed scope, coordinate with the client's blue team on rules of engagement, send the campaign, monitor responses, debrief stakeholders on what worked and what to fix.

Senior tier, five to ten years

You lead engagements, mentor juniors, and shape methodology. Many people in this tier also publish research.

Senior Penetration Tester, Red Team Lead
Senior; $140K to $185K

Lead multi-week adversary simulations. Develop custom tradecraft, coordinate operators, and run the post-engagement debrief with the defense team.

Key certifications
OSEP; CRTO (Certified Red Team Operator); GIAC GXPN
Core skills
C2 framework operation; Custom tooling; Evasion methodology; Engagement leadership; Purple-team debriefing
A day in the life

Plan a multi-phase simulation against agreed objectives, coordinate operators on a shared timeline, review evidence, brief the blue team on what they detected and missed, write the improvement roadmap.

Red Team Operator
Senior; $135K to $175K

Hands-on operator on a red team. Execute long-running, threat-actor-aligned engagements while the lead handles client coordination.

Key certifications
OSEP; CRTO; CRTO II; OSED
Core skills
Initial access tradecraft; Endpoint and network evasion; Active Directory abuse; Operational security discipline
A day in the life

Work the current phase of an authorized engagement against agreed objectives, log every action for the deliverable, swap tradecraft when the blue team starts catching patterns, contribute to the post-op report.

Vulnerability Researcher, Exploit Developer
Senior; $160K to $260K (higher in government and vendor research labs)

Deep technical role. Reverse engineer software, find new vulnerabilities, build proof-of-concept exploits, and publish or disclose responsibly.

Key certifications
OSCE3 (OSEP, OSED, OSWE); GIAC GREM; OSEE
Core skills
Reverse engineering (Ghidra, IDA, Binary Ninja); Fuzzing; Memory corruption analysis; Mitigation bypass research; Coordinated disclosure process
A day in the life

Reverse a binary you have been hunting in, refine a fuzzer harness, triage a crash, build a working proof-of-concept, draft a disclosure to the affected vendor, mentor a junior researcher.

Executive tier, ten plus years

You run the program, set methodology, and own the customer relationship at the leadership level.

Director of Offensive Security
Executive; $180K to $260K

Lead a multi-team offensive function inside an enterprise or large consultancy. Set methodology, hire, and represent the team to leadership.

Key certifications
CISSP; OSCP; OSEP; CRTO
Core skills
Program management; Hiring and talent development; Methodology governance; Cross-team executive communication
A day in the life

Review the engagement pipeline, sit in on a senior operator's debrief, approve a methodology update, brief the CISO on systemic findings across the year, mentor a team lead.

VP of Offensive Security
Executive; $220K to $350K and up

Build and lead offensive security at the executive level. Set strategy, advise the board on threat-informed defense, and steer customer relationships at a consultancy.

Key certifications
CISSP; OSEE; CREST CRT; NACD Cyber-Risk Oversight
Core skills
Strategy; Board communication; Customer relationship leadership; Program building from scratch
A day in the life

Board update on annual threat findings, customer executive briefing, hiring strategy review, regulatory engagement on disclosure norms, methodology direction for the next year.

Certification ladder, offensive track

A practical sequence used by most working pentesters and red teamers. Pick the branch (network, web, red team, research) once you have the foundation.

Foundation
Entry

Two certifications most hiring managers expect on day one.

CompTIA PenTest+ PT0-003; CEH v12; eJPT
Working pentester
Mid

Demonstrate full kill-chain ability under time pressure.

OSCP; GIAC GPEN; eCPPT
Web application branch
Mid

For testers who specialize in web, API, and modern application stacks.

OSWE; GIAC GWAPT; Burp Suite Certified Practitioner
Red team branch
Senior

For multi-week adversary simulation work.

OSEP; CRTO; CRTO II; eCPTX; GIAC GXPN
Research branch
Senior

For exploit developers and vulnerability researchers.

OSED; OSCE3; OSEE; GIAC GREM