Penetration Tester Resume: The Complete 2026 Guide

Format, profile summary, work experience, bullet points, and the technical skills section recruiters screen for on Penetration Tester hires. Built from 12 years of recruiting, with a meaningful run inside Google.

Emmanuel Gendre, former Google Recruiter and Tech Resume Writer


My experience with Penetration Tester resumes

Twelve years recruiting in tech, with a long run inside Google, and the Penetration Tester resume is the one where real offensive work most often reads as a list of certifications and tools on the page. The actual job is breaking in: the external recon, the internal pivot, the Active Directory path to domain admin, the web flaw that exfils customer data, the report that lands on the CISO's desk Monday morning. The drafts that hit my desk hand it over as a wall of badges and acronyms.

What hiring teams in 2026 want is the engagement story behind the certification wall. A Penetration Tester resume that reads as "OSCP, OSEP, Burp, Metasploit" with no engagement count, no critical finding you surfaced, no domain admin time-to-compromise, and no custom tool you authored never makes it to a screening call.

Closing that gap is what this guide is for. We walk the 5 sections that decide a Penetration Tester screen, with one outcome in mind: screening calls landing in your inbox again, market softness or not.

Want it written for you? My Tech Resume Writing Service rebuilds it from a blank page. Already have a draft? Send it in for a free review; the notes come back from me.

Let's put your Penetration Tester resume back on recruiters' desks. Ready?

How I rewrite a Penetration Tester resume

Penetration Tester drafts hit my resume writing service intake most weeks, and I rework each line until the offensive work shows clearly to a recruiter who has never pivoted through Active Directory. The bit nobody says out loud: only a small handful of sections actually decide whether the screening call lands. Doing the rewrite solo? Sort these 5 first. The rest of the page barely moves the dial, so we keep that part brief.

We walk each one below, in order. Treat it as a checklist, run top to bottom, and the resume that comes out the other side is far stronger. Here's the structure:

Step 1 · Penetration Tester Resume Format

The format to use for a Penetration Tester resume

Easy first step: a layout an ATS handles cleanly without crashing on it.

Nothing complicated at this stage, whatever the internet keeps trying to sell you. The aim: the software hands your content and structure back out to the reviewer in the same shape you typed them in.

Keyword work happens later, in the filtering step (Technical Skills, Step 5). Right now: when the parser fails on the file, you're already eliminated from 95% of openings before any reviewer touches the page.

Just 3 rules at this step:

01 · Use a text editor (Word, Google Docs)

ATS systems read text, not the rendered picture of it. Put the resume through Canva, Figma, or any other design tool, and the words leave the file as a flat image. The parser sees nothing where your security stack should sit, and the application that reaches the recruiter shows up blank.

02 · Single column, plain layout

Skip two-column templates outright. Sidebars, tables, and icons fall into the same bucket. Even in 2026, parsers still mangle every one of them, and it's the single biggest reason resumes fail the scan, on the order of one in three drafts that hit my desk. Move to a clean one-column layout flowing top to bottom, and most of the failures vanish.

03 · Simple section titles

Label them Profile Summary, Technical Skills, Work Experience, Education. Not "Security Posture", not "Compliance Track". ATS parsers and human readers both look for those exact standard names; a creative rename pulls you straight out of the running. Fold any fuzzy headings into the same buckets: "Core Competencies" goes under Profile Summary or Technical Skills, and "Selected Projects" under Work Experience.

Want to see how yours fares? Drop it into the ATS resume checker and read what the parser hands back. If the output comes back garbled, the layout broke the read, not the words you typed, which is the whole story behind how ATS systems really work.

Starting from a blank file and want clean parsing from the first save? Begin from the Penetration Tester resume template.

Step 2 · Penetration Tester Profile Summary

Writing a profile summary for a Penetration Tester

Plenty of Penetration Testers skip past the Profile Summary as filler. It runs the other way: this is the first block a recruiter lands on.

If yours is thin or missing entirely, fixing it is the fastest gain you can put on the page today.

I broke the mechanics down in how recruiters screen resumes. Short version: a two-pass read. Pass one drops anyone who doesn't register as a match for the role; pass two builds the shortlist out of whoever survives.

That first pass is the recruiter ripping through the stack at seconds per resume, which is where the "10-second screen" phrase comes from.

The Profile Summary is your one window to land the exact details a recruiter screens for inside those seconds, which is what earns the page a deeper read.

Each bullet has one job. Below: the order I work through, what each bullet carries, and a worked example for a Penetration Tester profile summary.

1 · Target job title, overall experience & engagement scope

Bullet 1 sets the marker: the role you're aiming at, your seniority, plus the engagement scope you carry (engagements per year, client industries served, in-house vs consulting). Add a top certification (OSCP, OSEP, CRTO) and a known employer if either lifts weight. Read this sentence as the page's top headline: a recruiter clocks it before anything else, and on rushed days it is sometimes the only line they reach.

Info for recruiters: Target job title · Years of experience · Engagement scope · Industries served
Example: Senior Penetration Tester · 8 years · 38 engagements/year, OSCP + OSEP

2 · Domain expertise

Bullet 2 covers your domain expertise: the slots that make up the Penetration Tester role profile (laid out in Step 3, Penetration Tester Work Experience). For this role those slots are external network testing, internal network and Active Directory exploitation, web application testing, mobile, API and cloud testing, red team and adversary emulation, social engineering, and reporting and remediation guidance. A non-technical screener walks that scorecard line by line and ticks off your entries. Treat this bullet as your own scorecard and leave no row empty.

Info for recruiters: External network · Internal & Active Directory · Web & API · Red team & adversary emulation · Reporting & remediation
Example: Perimeter footholds · Domain admin chains · OWASP Top 10 + auth chains · C2 tradecraft · Executive + technical reports

3 · Your tech stack

Bullet 3 names your daily stack: the scanners, the web proxy, the AD and post-exploitation kit, the C2 framework, and the cloud-testing tooling you actually run. The full inventory lands further down under "Technical Skills" (covered in Step 5, Penetration Tester Technical Skills); up here you only call out the daily drivers. For a Penetration Tester that means: network and OS tooling, the web/API proxy, the AD and post-exploitation kit, the C2 framework, and the cloud-testing tooling.

Info for recruiters: Network/OS · Web/API · AD & post-ex · C2 · Cloud
Example: Nmap, Metasploit, Nessus · Burp Suite Pro, Caido · BloodHound, Impacket, NetExec, Mimikatz · Cobalt Strike, Sliver · Pacu, ScoutSuite, Prowler

4 · Collaboration

Bullet 4 covers your cross-functional partnership. Engagement work sits between the client's CISO, the Blue Team, Product Engineering, and your own firm; the kickoff, the scoping, the executive readout, and the remediation guidance all live across those handoffs. A hiring manager checks you carry the client-facing side cleanly without slowing down the engagement, so call out the partner teams and what they get from your work.

Info for recruiters: Partner teams · Engagement handoffs · Remediation support
Example: CISOs · Blue Team · Product Engineering · Kickoff to executive readout · Concrete remediation paths

5 · Leadership

Bullet 5 surfaces your technical leadership. Even pure-IC Penetration Testers have a line worth showing here. Leadership runs through the methodology and the people: owning the internal pen-test methodology, authoring tooling the firm adopts, publishing research, and mentoring junior testers on report writing and exploit chains.

Info for recruiters: Methodology you own · Tooling you author · Testers you mentor
Example: Internal pen-test methodology · Custom AD enumeration tool · 3 CVEs published · Junior tester mentoring

Penetration Tester Profile Summary Example

Senior, 38 engagements/year across fintech + healthcare + SaaS

Profile Summary

  • Senior Penetration Tester with 8 years leading 38 engagements per year for fintech, healthcare, and SaaS clients, OSCP + OSEP + CRTO certified.
  • Strong on External Network Testing, Internal & Active Directory Exploitation, Web Application Testing, Red Team & Adversary Emulation, and Reporting & Remediation Guidance.
  • Day-to-day across Network/OS (Nmap, Metasploit, Nessus), Web/API (Burp Suite Pro, Caido), AD & post-ex (BloodHound, Impacket, NetExec, Mimikatz), C2 (Cobalt Strike, Sliver), and Cloud (Pacu, ScoutSuite, Prowler).
  • Client-facing partner working with CISOs, Blue Team, and Product Engineering, taking an engagement from kickoff to executive readout with concrete remediation paths.
  • Authors a custom AD enumeration tool used firm-wide, owns the internal pen-test methodology, published 3 CVEs, and mentors junior testers on report writing and exploit chains.

Want more depth? My fuller writeup on how to write a killer profile summary walks the same idea line by line.

Want a recruiter's read on your Penetration Tester resume?

Months in the queue with zero interviews, zero feedback. No employer owes you the reason, leaving you to guess what's off about the draft. Keep guessing, or hand it to someone who screened thousands of security and security-engineering resumes at Google.

Pass it over and I'll take it apart.

I'll run a simulated recruiter screen over your Penetration Tester resume and send back a short list of what to repair. Free, inside 12 hours.


Step 3 · Penetration Tester Work Experience

Work experience on a Penetration Tester resume

This is where the second pass actually plays out, the last gate before an interview hits your inbox. The recruiter slows down right here, and even then your current role still drives around 95% of the decision.

Makes sense: nothing tells a hiring team what you can run on an engagement right now the way your current job does. To clear that "yes", this section has to walk the full Penetration Tester role profile, one bullet per slot you listed in Domain Expertise above. Every bullet has to come off something you actually ran on an engagement, not a Jira card that wandered past your queue.

1 · External Network Penetration Testing

The flagship work of the role. Show the external recon you run, the perimeter exposure you chained into a foothold (exposed admin panel, vulnerable VPN appliance, leaked credentials in a paste), and the report that landed it for the client. Name the engagement type and the foothold, not "tested external".

Techniques: OSINT & ASM · Service enumeration · Credential discovery · Initial-access chains
Tools: Nmap, Masscan, RustScan · Amass, Subfinder, httpx · Shodan, Censys, GitHub dorking
Metrics: External engagements/year · Footholds achieved · Critical findings

2 · Internal Network & Active Directory Exploitation

The bread and butter of internal engagements. Show the path you walked from low-privilege user to domain admin: BloodHound graph, Kerberoasting, AS-REP roasting, NTLM relay, ADCS abuse, GPO abuse, ACL paths. Name the chain and the time-to-DA, not "exploited AD".

Techniques: Kerberoasting & AS-REP · NTLM relay & coerced auth · ADCS abuse (ESC1-13) · ACL & GPO paths
Tools: BloodHound, SharpHound · Impacket, NetExec, Rubeus · Certify, Certipy, Mimikatz
Metrics: Domain admin time-to-compromise · Internal engagements/year · Critical AD findings

3 · Web Application Penetration Testing

Where business-logic chains beat scanners. Show the OWASP Top 10 and Top 10 LLM coverage, the authentication-and-authorization flaws you found (IDOR, JWT bypass, OAuth misconfig), the SSRF or deserialization that gave you a foothold, and the GraphQL or API quirks you exploited. Name the flaw class and the impact, not "tested web apps".

Techniques: OWASP Top 10 + Top 10 LLM · AuthN/AuthZ chains · SSRF, RCE, deserialization · GraphQL & API testing
Tools: Burp Suite Pro, Caido · OWASP ZAP, sqlmap · Postman, Insomnia, ffuf
Metrics: Web engagements/year · Critical web findings · Auth-bypass chains

4 · Mobile, API & Cloud Penetration Testing

The surfaces that grow every year. Show the iOS and Android testing you do (Frida hooks, cert pinning bypass, insecure local storage), the cloud-config flaws you chained (IAM paths, S3 misconfig, metadata exfil), and the misconfigured IAM role that gave you data exfil. Name the cloud and the path, not "tested mobile/cloud".

Techniques: Mobile dynamic analysis · Cloud IAM path mining · S3 / blob misconfig · Metadata service abuse
Tools: Frida, Objection, MobSF · Pacu, CloudSploit, Prowler · ScoutSuite, weirdAAL
Metrics: Mobile/cloud engagements/year · Cloud-priv-esc paths found · Sensitive data exfil chains

5 · Red Team & Adversary Emulation

What separates a pen test from a goal-oriented red team. Show the C2 tradecraft you operate (OPSEC discipline, AV/EDR evasion, payload delivery), the long-haul engagement mapped to a TIBER or specific TTP set, and the objective achieved (crown jewels, insider impersonation, supply-chain pivot). Name the objective and the technique, not "did red-team work".

Techniques: C2 OPSEC tradecraft · EDR & AV evasion · Adversary emulation (ATT&CK) · Purple-team collaboration
Tools: Cobalt Strike, Sliver, Mythic · Havoc, Brute Ratel · Atomic Red Team, CALDERA
Metrics: Red-team engagements/year · Objectives achieved · EDR-evasion success rate

6 · Social Engineering & Phishing Campaigns

How most real intrusions start. Show the targeted phishing pretext you built, the credential-harvest landing page, the MFA-fatigue or token-stealing payload, and the vishing or in-person social-engineering engagement. Name the pretext and the click-through or credential rate, not "ran phishing".

Techniques: Pretext design · Credential harvest · Token theft / MFA fatigue · Vishing & on-site
Tools: GoPhish, Evilginx, Modlishka · SET, ResponderForge · SpiderFoot, Maltego
Metrics: Campaigns run · Credential rate · Footholds via SE

7 · Reporting, Remediation & Client Briefing

What turns a finding into a fixed control. Show the report structure (executive summary plus technical findings with reproducible steps and remediation), the readout you gave the CISO, the developer-actionable fix guidance, and the retest you ran to validate the close. Name the deliverable and the remediation rate, not "wrote reports".

Techniques: Executive + technical report · CVSS / OWASP risk scoring · Remediation guidance · Retest & close-out
Tools: PlexTrac, Dradis, Sysreptor · Markdown + LaTeX pipelines · Confluence, Notion, Jira
Metrics: Remediation rate · Reports delivered on schedule · Client NPS

8 · Tooling & Workflow

The setup that lets a small pen-test team turn engagements around without rebuilding its kit each time. Show the custom tooling you author and the firm adopts, the internal methodology and runbook library you own, and the docs and templates that cut the ramp for testers joining the team. Name the tool or workflow, not "a modern stack".

Techniques: Custom tooling · Internal CLI / runbooks · Report templates · Self-serve docs
Tools: Git, GitHub · Bash, Python, Go · Backstage TechDocs
Metrics: Tools & templates maintained · PR cycle time · Onboarding ramp cut

Done right, your current role can easily run to 8 or 10 lines. Perfectly fine, whatever the one-page mantra LinkedIn keeps pushing. Recruiters don't care about length; two pages of real engagement work beat one bloated page outright. What a recruiter will not read is empty filler. Cutting that is what comes next.

Step 4 · Penetration Tester Bullet Points

Bullet points for a Penetration Tester resume

Bullet points carry the bulk of the rewrite, so I built them their own dedicated framework: the Level System.

Nothing magic about it: it picks up where Google's XYZ formula stops and adds a few tiers tuned for technical engineering resumes. The full breakdown lives in my guide on how to write resume bullet points.

Fastest way to learn it: take a flat Security-resume bullet and walk it up. There are 5 tiers in all; each one asks a single question, and the answer you give slides in as the next fragment of the bullet.

Climb all five and a bare "led penetration tests" line turns into a full engagement program with real numbers attached, which is the kind of line that puts a Penetration Tester on the shortlist.

  1. Task · “What did I work on?” · What you did
  2. + Engineering Techniques · “How did I do it?” · How you did it
  3. + Tools · “What tools did I use?” · Test tools, C2 frameworks, scripting
  4. + Method · “What method did I follow?” · Named methodology
  5. + Metric · “What was the result?” · Quantified impact

  1. Level 1, Just the task. Open with an engagement or assessment that was yours to run end to end. This is the opening phrase, not the finale; most resumes stop right here on the bullet, which is exactly why so many wash out at this point.

    Level 1 · Just the task: Led 38 penetration testing engagements per year.

  2. Level 2, Add the techniques. Name the specific practices the work used: the engagement types, the exploitation techniques, the scoping approach. This is where the bullet starts proving you understand how the work was done, not just that it shipped.

    Level 2 · + Engineering Techniques: Led 38 penetration testing engagements per year using red-team operations and hypothesis-led scoping.

  3. Level 3, Add the tools. Drop in the named products and versions you used: the web proxy, the exploitation framework, the AD toolkit, the C2. Recruiters search resumes with technology queries, so the bullet stays invisible without the named stack.

    Level 3 · + Tools: Led 38 penetration testing engagements per year using red-team operations and hypothesis-led scoping with Burp Suite Pro, Metasploit, BloodHound, and Cobalt Strike.

  4. Level 4, Add the method. Name the methodology or framework that guided the work: PTES, OWASP WSTG, NIST 800-115, MITRE ATT&CK, and so on. The hiring manager is usually the one enforcing the methodology on the team, so naming yours shows you fit how they actually operate.

    Level 4 · + Method: Adopted the Penetration Testing Execution Standard (PTES) to lead 38 engagements per year using red-team operations and hypothesis-led scoping with Burp Suite Pro, Metasploit, BloodHound, and Cobalt Strike.

  5. Level 5, Add the metric. The number is the lever that pushes a bullet into top-tier territory. For Penetration Tester work, reach for figures the client cares about: critical findings, domain admin time-to-compromise, remediation rate, engagement count, CVEs published. Skip the metric and the line sits flat alongside every other resume whose author stopped at "ran tests".

    Level 5 · + Metric: Adopted the Penetration Testing Execution Standard (PTES) to lead 38 engagements per year using red-team operations and hypothesis-led scoping with Burp Suite Pro, Metasploit, BloodHound, and Cobalt Strike, surfacing 14 critical findings (RCE, domain admin, data exfil) over the year.

My longer piece on writing resume bullet points works the rewrite tier by tier and shows how to pull figures out of work that looked like it had none. Most Penetration Testers already know the numbers; they sit in the engagement tracker, the PlexTrac history, or the QBR with the firm. Nobody ever told them that engagement counts, critical findings, domain admin time-to-compromise, remediation rate, and CVEs published belong on a resume.

Step 5 · Penetration Tester Technical Skills

Technical skills for a Penetration Tester resume

The Technical Skills section is where most ATS setups run their keyword filtering, so the wording here should mirror the JD you're after: the web proxy, the C2 framework, the Active Directory toolkit, the scanners, and the cloud-testing stack named, not just "Security" on its own.

This is the final 10%. Cleaning it up helps the resume slip past the automated screen and the recruiter's quick skim, but the real lift still comes from your Profile Summary, Work Experience, and Bullet Points upstream.

Either way, keywords compound across the page, and knowing the exact ones a parser and a recruiter look for is worth the time. The list below covers the Penetration Tester must-haves the way recruiters in 2026 actually scan for them.

  1. Network & OS Exploitation

    Nmap, Masscan, RustScan · Metasploit Framework, Pro · Nessus, OpenVAS · Linux internals, Windows internals · Responder, Inveigh · CrackMapExec, NetExec · Hashcat, John the Ripper
  2. Web & API Testing

    Burp Suite Professional · Caido, OWASP ZAP · sqlmap, NoSQLMap · Postman, Insomnia · ffuf, gobuster, feroxbuster · OWASP Top 10 + Top 10 LLM · GraphQL testing, JWT analysis
  3. Active Directory & Post-Exploitation

    BloodHound, SharpHound · Impacket, NetExec · Rubeus, Certify, Certipy · Mimikatz, lsassy · PowerView, PowerSploit · Cobalt Strike, Sliver, Mythic · Havoc, Brute Ratel
  4. Cloud, Mobile & Wireless

    Pacu, ScoutSuite, weirdAAL · CloudSploit, Prowler · AWS, Azure, GCP attack paths · Frida, Objection, MobSF · Aircrack-ng, Bettercap · Kismet, WiFi Pineapple · Atomic Red Team, CALDERA
  5. Reporting & Tradecraft

    OSCP, OSEP, OSED · CRTO, CRTE, CRTP · GPEN, GXPN, GWAPT · PTES, OWASP WSTG, NIST 800-115 · MITRE ATT&CK · PlexTrac, Dradis, Sysreptor · Python, Go, PowerShell, C

Stop guessing. Ask a recruiter directly.

You now have the format, the profile summary template, the role profile, the bullet system, and the skills categories. All that's left between your draft and the interview is a set of eyes that screened thousands of Penetration Tester and red-team resumes telling you what to fix.

That is the free review.

Drop the draft in. Back come a simulated recruiter screen, a graded checklist, plus a specific action list. Free, inside 12 hours.


Penetration Tester resume FAQ

Just into the field, hold it to one page. Once you have run real client engagements end to end, achieved domain admin on internal engagements, found critical web findings, and led a red-team objective, two pages start earning their keep: the second sheet gets read when the engagement work behind it actually holds up. The blanket one-page rule misses that a senior Penetration Tester career covers a long line of engagements led, critical findings surfaced, and CVEs published worth showing. Save three pages for principal or red-team lead level where that track really fills them.

Comes down to what engagements are actually running with your name on them, not a fixed rule. New to the role: one page covers it. A few years in, with critical findings you surfaced, domain admin compromises you owned, and custom tools you authored, squeezing it all onto a single sheet cuts the very numbers earning the screen. Engagement track beats page count on this resume.

Your current role, by a long way. Roughly 95% of the read sits there, since that is where the recruiter checks whether you have actually run engagements at the technical depth this team needs. The profile summary lands one beat earlier, and the recruiter uses that line as the lens over everything below.

A plain layout: one column, no graphics, no sidebars, no icons. Use the standard labels (Profile Summary, Technical Skills, Work Experience, Education); export PDF, not DOCX. Then run the file through my free ATS parser tool and check that Burp Suite, Metasploit, Nmap, BloodHound, Cobalt Strike, OSCP, OSEP, and the rest of your pen-test stack parse cleanly. If any of those drop out, the layout broke the read, not your keyword list.

For a 2026 Penetration Tester search the must-haves are network testing tools (Nmap, Metasploit, Nessus), Burp Suite Professional for web testing, an Active Directory exploitation kit (BloodHound, Impacket, NetExec, Rubeus), a C2 framework (Cobalt Strike, Sliver, or Mythic), MITRE ATT&CK fluency, and at least one industry methodology (PTES, OWASP WSTG, NIST 800-115). Strong backups: cloud testing tooling (Pacu, ScoutSuite, Prowler), mobile testing (Frida, Objection, MobSF), reporting platforms (PlexTrac, Dradis), and Python or PowerShell for custom tooling. At least one top-tier certification (OSCP, OSEP, CRTO, GPEN, GXPN) is expected past 2 years on the job. The full list sits in the Technical Skills section above.

Lead with both. Engagement count proves you have shipped real client work at scale (30+ engagements a year is a number a hiring manager respects). Critical findings prove you went past report-padding and surfaced things that actually moved a client's risk register (RCEs, domain admin chains, data-exfil paths). A resume with only counts reads as "rotated through scope"; a resume with only findings reads as "cherry-picked the easy ones". The shortlist goes to the candidate who shows both: the volume you delivered plus the depth you found on top of it.

For entry- and mid-level roles, yes, OSCP (or an equivalent: PNPT, eCPPT, CRTP for AD-focused) is the de-facto floor. It is the certification recruiters search for and the one that gets your resume past the first filter. Past 3-4 years on the job, the engagement track outweighs the badge: 38 engagements per year with 14 critical findings and a published CVE beats OSCP on its own. Stack OSCP early; layer OSEP, OSED, CRTO, or GIAC GPEN/GXPN later as you specialize. List what you have, do not stall the job search waiting on more.

Five or six bullets, no more. A heavy paragraph forces slow reading at the moment the recruiter intends to skim, and on a Penetration Tester role what they scan for is the engagement scope, the network and web stack, the AD and post-exploitation kit, the C2 framework, and the certifications you carry. As bullets the recruiter can match you against the role at a glance and decide whether the rest of the page is worth more time.

Who wrote this

Built by an ex-Google recruiter

Emmanuel Gendre

Former Google recruiter · 12 years · 1,500+ tech resumes rewritten

I read Penetration Tester resumes the way I learned to at Google: through the role profile, against the JD, against the bar real hiring managers actually use during the loop. Everything in this guide is the playbook I run with my own clients.