There’s a post making the rounds in the pen testing community that’s sparking strong reactions.
Someone without an OSCP, in a country where it costs as much as a car, decided they weren’t going to wait for permission to start pen testing. They grabbed the certifications they could afford (CompTIA PenTest+, PJPT, PWPA), practiced on TryHackMe, and started a pen testing business targeting small local companies.
They’re offering phishing campaigns, WiFi testing, basic website assessments, limited network reviews, physical security tests, and security awareness training. They acknowledge their limitations. They’re charging reasonable rates and making enough to save toward the OSCP certification.
The community reaction has been… mixed.
Some applaud the initiative. Others are horrified. Both sides have valid points that anyone trying to break into pen testing needs to understand.
The Catch-22 of Security Experience
Let’s acknowledge the problem this person is trying to solve: getting pen testing experience is nearly impossible without already having it.
Entry-level pen testing jobs require 2-5 years of security experience. But how do you get security experience without a security job? It’s the classic employment paradox, amplified in a field where mistakes can have serious consequences.
Add to this the certification barrier. The OSCP, often considered the minimum credential for professional pen testing, costs around $1,600 USD for the course and exam.
So what’s someone supposed to do? Keep sending job applications that go nowhere? Wait years while working unrelated jobs, hoping to eventually afford the credentials that might get them hired?
The frustration is real. The desire to be proactive rather than passive makes sense. And the instinct to offer services you can actually provide while learning and building toward bigger certifications is understandable.
But there are serious risks here that can’t be ignored.
The Risks Nobody Wants to Talk About
Here’s what keeps experienced pen testers up at night about this approach:
You Don’t Know What You Don’t Know
The most dangerous situation in pen testing is when you think you know what you’re doing but don’t realize what you’re missing.
You test a network and declare it secure because you didn’t find anything. But you missed the authentication bypass that a more experienced tester would have caught. The client believes they’re secure based on your assessment. Then they get breached through the vulnerability you missed.
Now what? You provided professional security services, charged for them, and gave assurance that proved false. The consequences of your inexperience became their problem.
This isn’t theoretical. It happens constantly with inexperienced testers who don’t realize the gaps in their knowledge.
The Liability Exposure Is Real
Those legal documents your lawyer friend drafted? They help, but they don’t eliminate liability; they just define it.
If your WiFi testing accidentally takes down the client’s network during business hours, you’re liable for the business interruption. If your website testing exposes a vulnerability that gets exploited before the client can patch it, you’re potentially liable for the breach. If your phishing campaign causes a real security incident because you didn’t coordinate properly with IT, you’re liable for the response costs.
Do you have errors and omissions insurance to cover these scenarios? Most individual pen testers starting out don’t, because it’s expensive, often several thousand dollars annually.
One serious mistake could bankrupt you before your business even gets started.
You’re Setting a Dangerous Precedent
When someone with minimal credentials and experience starts selling pen testing services, it undermines the professionalism the industry has spent decades building.
Clients learn that “pen testing” can be cheap and easy, just hire the person with some certifications and TryHackMe practice. Why pay experienced professionals when this cheaper option exists?
Then, when those clients get breached because the testing was inadequate, they blame “pen testing” rather than recognizing they got what they paid for. This damages the field for everyone and creates distrust in security testing generally.
The Pressure to Overextend
You’re explicitly limiting your network testing to basics because you “realize your limits.” That’s responsible in theory.
But what happens when a client asks you to go deeper? They’re paying you. They want more thorough testing, but they don’t understand why you’re limiting the scope.
The pressure to deliver more than you’re qualified for is intense. And it’s easy to convince yourself that you can handle just a little more than you should. That’s how incidents happen.
What This Person Is Doing Right
Despite the risks, this approach has some things going for it:
- They’re being honest about limitations.
- They’re targeting appropriate clients.
- They’re building real-world experience.
- They got proper legal documentation.
- They’re reinvesting in professional development.
- They’re being proactive rather than passive.
The Better Path Forward
If you’re trying to break into pen testing without traditional credentials or experience, here are approaches that build skills without the liability and ethical risks:
Bug Bounty Programs
Platforms like HackerOne, Bugcrowd, and Synack let you test real applications with explicit permission, get paid for findings, and build a verifiable reputation.
You’re testing with clear legal protection and working on real targets, not labs. You’re getting validation from security teams at major companies. And successful findings build a portfolio that demonstrates capability to potential employers.
This is real pen testing experience without the liability of running your own consulting business before you’re ready.
Capture the Flag Competitions
Regular CTF competitions provide challenging scenarios, teach new techniques, and let you compare your skills against others in the field.
Top performers in well-known CTFs get noticed by employers. It’s a legitimate path to pen testing jobs that doesn’t require years of prior experience.
Open Source Security Contributions
Contributing to security tools, finding vulnerabilities in open source software, or writing security-focused code demonstrates both technical skill and community commitment.
Many pen testing firms place a high value on open-source contributions when evaluating candidates. It shows initiative and real capability.
Internships and Entry-Level Security Roles
Yes, these are competitive. Yes, they often pay less than you’d like. But they provide supervised learning where your mistakes don’t harm clients.
You get mentorship from experienced professionals, learn proper methodology, and build credentials that lead to pen testing roles.
The path takes longer, but it’s lower risk and builds a stronger foundation.
Get Mentorship Before Going Solo
Find experienced pen testers willing to mentor. Join security communities and participate in forums and Discord servers where professionals hang out.
Learn from people who’ve been doing this for years before trying to sell services independently. The knowledge gap you don’t know exists is what creates problems.
The Honest Conversation About Breaking In
The pen testing job market is tough right now. There are more people trying to break in than there are entry-level positions. Certifications are expensive, and experience requirements seem impossible.
But starting a consulting business before you’re qualified isn’t the solution. It trades short-term income for long-term risk to yourself, your clients, and the industry.
Pen testing requires expertise that takes time to develop. There’s no shortcut. The person with basic certifications and TryHackMe practice is not equivalent to someone with years of professional experience and advanced credentials, no matter how much hustle and initiative they have.
Should OSCP be more affordable globally? Absolutely. Should there be better pathways for people without traditional backgrounds to break into the security field? Yes. Is the experience Catch-22 frustrating? Completely.
But those systemic problems don’t justify selling services you’re not qualified to provide.
For Those Hiring Cheap Pen Testing
If you’re a small business considering cheap pen testing from someone without extensive experience, understand what you’re getting:
You’re getting a basic security review that might catch obvious issues. You’re not getting comprehensive testing that finds sophisticated vulnerabilities. You’re not getting the expertise to understand risk in context or provide strategic security guidance.
That might be worth it for you. Maybe a basic security review is better than nothing. Maybe you can’t afford professional pen testing firms, and this is your only option.
Just don’t confuse it with comprehensive security testing. Don’t assume you’re secure because someone ran some tests and didn’t find much. And understand that you get what you pay for.
The testing might help, or it might miss critical vulnerabilities that lead to breaches.
The Bottom Line
Breaking into pen testing is hard. The barriers are real, and the frustration is valid. And the instinct to create your own opportunity rather than wait for permission is admirable.
But selling pen testing services before you’re qualified creates risks for clients, for yourself, and for the industry.
The expertise required to do penetration testing safely and effectively takes years to develop. Certifications matter not because they’re magic credentials, but because they validate that you’ve learned methodologies, understand tools deeply, and can think like an attacker while operating professionally.
If you’re trying to break into the field:
- Use bug bounty programs to build real-world experience safely
- Participate in CTF competitions to develop and demonstrate skills
- Contribute to open source security projects
- Volunteer for non-profits that need security help
- Get mentorship from experienced professionals
- Take the entry-level security jobs that lead to pen testing roles
These paths take longer. They’re less immediately lucrative. But they build real expertise without putting clients at risk and without undermining professional standards.
The pen testing field needs new people with diverse backgrounds and fresh perspectives. But it needs them to be qualified first.
Hustle is admirable. Initiative is valuable. But expertise takes time to build, and there’s no shortcut that doesn’t create risk.
MainNerve: Where Experience Actually Matters
MainNerve’s penetration testing is conducted by experienced professionals with years in the field, advanced certifications, and deep expertise across multiple domains.
We’ve seen what happens when inexperienced testers miss critical vulnerabilities because they don’t know what to look for. We’ve cleaned up after inadequate security assessments that gave false confidence.
Our testing isn’t just running tools and reporting results. It’s understanding your environment, thinking creatively about attack paths, testing what automation misses, and providing professional judgment about risk.
Because pen testing isn’t just about technical skills. It’s expertise, experience, and professional judgment that develops over years of doing this work.
Ready for penetration testing from people who’ve been doing this long enough to know what they don’t know, and to find what matters? Contact MainNerve to discuss security testing that provides the assurance you need.
Because good intentions and hustle aren’t enough when the stakes are your security.