1. What is penetration testing?
Penetration testing (pentesting) is the practice of simulating cyberattacks against systems, networks, or applications to identify security vulnerabilities before malicious hackers do. It is a core component of offensive security and is legally performed under a written agreement with the target organization.
Pentesters use the same tools and techniques as real attackers — but ethically and with authorization. The goal is to find and report weaknesses so they can be fixed.
Types of pentesting
- Network pentesting — Testing internal/external network infrastructure, firewalls, routers
- Web application testing — Finding vulnerabilities in websites and APIs (OWASP Top 10)
- Mobile application testing — Testing Android/iOS apps for security flaws
- Wireless testing — Assessing Wi-Fi security, evil twin attacks, WPA cracking
- Social engineering — Phishing campaigns, vishing, physical access testing
- Red teaming — Full-scope adversary simulation over weeks/months
2. Prerequisites & skills you need
You don't need a computer science degree, but you do need a solid foundation. Here's what to learn first:
Networking (essential)
- TCP/IP model, OSI layers, and how packets travel
- DNS, DHCP, ARP, and common protocols (HTTP, FTP, SSH, SMB)
- Subnetting, routing, and firewall basics
- Wireshark for packet analysis
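The networking items above are easiest to internalize by dissecting a frame by hand, which is what Wireshark does for you on every packet. The following is an added example, not part of the original guide: it unpacks a constructed Ethernet II / IPv4 / TCP frame (not a real capture; the bytes and addresses are made up for the example) into its header fields and finishes with the subnetting check that tells you whether an address belongs to a CIDR block.

```python
"""Hand-dissect an Ethernet II / IPv4 / TCP frame the way Wireshark does.

Added example, not from the original guide. The frame is constructed, not
captured; field layouts follow the IPv4 (RFC 791) and TCP (RFC 793) headers.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Constructed 54-byte frame: a TCP SYN from 192.168.1.10:52000 to 10.0.0.5:443.
# Checksums are zeroed because this dissector does not verify them.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                    # Ethernet: dst, src, type
    "4500002800014000" "40060000" "c0a8010a" "0a000005"     # IPv4: len 40, TTL 64, proto 6
    "cb2001bb" "00000001" "00000000" "5002ffff" "00000000"  # TCP: ports, seq, ack, SYN, window
)


def parse_frame(frame: bytes) -> dict:
    """Return the layer 2 to layer 4 header fields of one Ethernet/IPv4/TCP frame."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")

    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # IPv4 header length in bytes, options included
    if proto != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")

    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 20:
        raise ValueError("frame too short for a TCP header")
    (sport, dport, seq, ack, off_flags,
     window, _tcp_csum, _urg) = struct.unpack("!HHIIHHHH", frame[tcp_start:tcp_start + 20])
    data_offset = (off_flags >> 12) * 4  # TCP header length in bytes, options included
    flag_bits = off_flags & 0x01FF
    flags = [name for bit, name in TCP_FLAG_NAMES if flag_bits & bit]
    payload = frame[tcp_start + data_offset:]

    return {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "src_ip": str(ipaddress.IPv4Address(src)),
        "dst_ip": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "ip_total_len": total_len,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "window": window,
        "tcp_flags": flags,
        "payload_len": len(payload),
    }


def in_subnet(ip: str, cidr: str) -> bool:
    """Subnetting check: does this address fall inside the given CIDR block?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    parsed = parse_frame(SAMPLE_FRAME)
    for key, value in parsed.items():
        print(f"{key:>13}: {value}")
    print("source in 192.168.1.0/24:", in_subnet(parsed["src_ip"], "192.168.1.0/24"))
```

Compare the printed fields with what Wireshark shows for a real SYN packet in your lab: the IHL, data offset and flag bits are the same values Wireshark decodes in its Internet Protocol and Transmission Control Protocol panes.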
Linux (essential)
- Command line navigation, file permissions, process management
- Bash scripting for automation
- Service management (systemd, cron)
- Package management (apt, yum)
Programming (helpful)
- Python — Scripting, exploit development, automation (most important)
- Bash — Linux automation and one-liners
- JavaScript — Understanding XSS and web vulnerabilities
- SQL — Understanding injection attacks
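The "SQL" and "Python" bullets above meet in one of the first things you will study in the web labs: why string-built queries are injectable and why parameterized queries are not. The block below is an added example, not code from the original guide; it uses an in-memory SQLite database with constructed users so it runs offline, and shows the vulnerable lookup beside the hardened one so you can see the difference in returned rows for the same input.

```python
"""SQL injection: the vulnerable query beside its parameterized fix.

Added example, not from the original guide. The database and users below
are constructed for the demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with three constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query with string formatting: user input becomes SQL syntax.

    This is the defect being illustrated, kept deliberately so the difference
    with lookup_safe is visible.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver passes the value separately from the SQL,
    so quotes and operators in the input are data, never syntax."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "input": username,
        "vulnerable_rows": lookup_vulnerable(conn, username),
        "safe_rows": lookup_safe(conn, username),
    }


if __name__ == "__main__":
    # Classic tautology input from the PortSwigger-style labs the roadmap uses.
    for value in ("bob", "' OR '1'='1"):
        result = compare(value)
        print(f"input: {value!r}")
        print(f"  string-built query returned {len(result['vulnerable_rows'])} row(s)")
        print(f"  parameterized query returned {len(result['safe_rows'])} row(s)")
```

The safe variant is not doing any escaping of its own; it relies on the database driver binding the value as a parameter, which is the remediation you will recommend in almost every SQL injection finding. When you reach the Week 5 labs, try the same input against both functions and against a query with an `ORDER BY` column name, which cannot be parameterized and needs an allow-list instead.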
3. Your 90-day learning roadmap
The biggest mistake beginners make is jumping straight into tools without a structured plan. Here is a proven 90-day roadmap that takes you from zero to your first real penetration test.
Days 1–30: Build the foundation
- Week 1–2 — Networking: Complete TryHackMe's "Pre-Security" path. Study TCP/IP, DNS, HTTP, subnetting. Use Wireshark to analyze real traffic.
- Week 3 — Linux: Complete TryHackMe's "Linux Fundamentals" (3 parts). Practice navigation, permissions, bash scripting, cron.
- Week 4 — First tools: Install Kali in a VM. Learn nmap (scan types, NSE scripts), gobuster, and Burp Suite Community. Complete TryHackMe's "Intro to Offensive Security".
Days 31–60: Core skills
- Week 5–6 — Web vulnerabilities: PortSwigger Web Security Academy labs on SQLi, XSS, CSRF, IDOR, SSRF. These are free and interactive.
- Week 7 — Exploitation: TryHackMe "Metasploit" room. Practice exploiting Metasploitable in your local lab. Learn searchsploit.
- Week 8 — Privilege escalation: TryHackMe "Linux PrivEsc" and "Windows PrivEsc" rooms. Use LinPEAS/WinPEAS, GTFOBins, and PayloadsAllTheThings.
Days 61–90: Real practice
- Week 9–10 — First HTB machines: Solve 5 retired HackTheBox machines (Easy tier). Write a writeup for each — this forces you to deeply understand what you did.
- Week 11 — CTF competition: Join a CTF event on CTFtime.org. Even if you solve only one challenge, the experience is invaluable.
- Week 12 — Review and plan: Assess your weaknesses. Choose your next certification (eJPT for beginners, OSCP if ready). Build a GitHub portfolio with your notes and writeups.
4. Setting up your pentesting lab
A home lab is essential for safe, legal practice. Here's the minimum setup:
Your attacking machine
- Kali Linux — The most popular pentesting distribution, pre-loaded with 600+ tools
- Parrot OS — Lightweight alternative to Kali
- Run it in a VM (VirtualBox or VMware) with at least 4GB RAM and 50GB disk
Vulnerable targets to practice on
5. The 5-phase pentesting methodology
Every penetration test follows a structured methodology. Here are the 5 essential phases:
Phase 1: Reconnaissance
Gather information about the target: domains, subdomains, IPs, emails, technologies used. This is both passive (OSINT) and active (scanning).
Key tools: nmap, subfinder, amass, theHarvester, Shodan, whois
Phase 2: Scanning & enumeration
Probe discovered services for version info, open ports, configurations. Enumerate users, shares, and exposed data.
Key tools: nmap (scripts), Nessus, nikto, enum4linux, gobuster
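A scan is only useful once its output is turned into an inventory you can enumerate against and later cite in the report. The block below is an added example, not code from the original guide or from the nmap project: it parses the XML that `nmap -sV -oX` writes (the sample document is constructed, with a made-up host and services) into a list of services, separates the open ones, and flags open services that came back without a product or version, which is the usual signal that enumeration is not finished.

```python
"""Turn nmap -oX output into a service inventory and an enumeration to-do list.

Added example, not from the original guide. SAMPLE_NMAP_XML is a constructed
document in the nmap XML layout (nmaprun/host/ports/port/state/service);
the host, ports and versions are invented for the example.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open" reason="syn-ack"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Return one dict per scanned port: host, proto, port, state, service, product, version."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts with no IPv4 address record
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state_el = port.find("state")
            svc = port.find("service")
            results.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state_el.get("state") if state_el is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
    return results


def open_services(results: list) -> list:
    """Only ports nmap confirmed open; filtered and closed ports are noise here."""
    return [r for r in results if r["state"] == "open"]


def enumeration_gaps(results: list) -> list:
    """Open services with no product or version: enumerate these by hand before moving on."""
    return [r for r in open_services(results) if not r["product"] or not r["version"]]


def inventory_lines(results: list) -> list:
    """Report-ready one-liners, e.g. '10.0.0.5 22/tcp ssh OpenSSH 7.4'."""
    lines = []
    for r in open_services(results):
        detail = " ".join(x for x in (r["product"], r["version"]) if x) or "(unidentified)"
        lines.append(f"{r['host']} {r['port']}/{r['proto']} {r['service']} {detail}")
    return lines


if __name__ == "__main__":
    scan = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("\n".join(inventory_lines(scan)))
    for gap in enumeration_gaps(scan):
        print(f"TODO enumerate: {gap['host']}:{gap['port']}/{gap['proto']} ({gap['service']})")
```

To run it against your own lab, replace `SAMPLE_NMAP_XML` with the contents of a file written by `nmap -sV -oX scan.xml <target>`; the element names used here are the ones nmap emits.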
Phase 3: Exploitation
Use discovered vulnerabilities to gain access. This could be exploiting a web vulnerability, cracking a weak password, or leveraging a known CVE.
Key tools: Metasploit, Burp Suite, sqlmap, Hydra, searchsploit
Phase 4: Post-exploitation
After gaining initial access: escalate privileges, pivot to other systems, extract sensitive data, and maintain access.
Key tools: LinPEAS, WinPEAS, BloodHound, Mimikatz, Chisel
Phase 5: Reporting
Document everything: vulnerabilities found, exploitation steps, evidence, impact assessment, and remediation recommendations. The report is the deliverable.
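Since the report is the deliverable, it helps to capture each finding in a fixed structure from the first lab onward, so nothing required (evidence, impact, remediation) is missing when you write it up. The block below is an added example, not code from the original guide: it defines a finding record that refuses to exist without evidence, maps a CVSS base score to the standard CVSS v3 qualitative rating (Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0), and renders a sorted Markdown report. The sample findings are constructed and describe no real system.

```python
"""Structured findings and a Markdown report, one record per vulnerability.

Added example, not from the original guide. The three sample findings are
invented for the demonstration.
"""
from dataclasses import dataclass

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]


def severity_from_cvss(score: float) -> str:
    """CVSS v3.x qualitative severity rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    title: str
    cvss: float
    affected: str      # host, URL or component
    reproduction: str  # exploitation steps, enough for the client to repeat them
    evidence: str      # request/response excerpt, screenshot path, command output
    impact: str        # what an attacker gains, in business terms
    remediation: str   # concrete, actionable fix

    def __post_init__(self):
        # A finding without evidence is an opinion, not a finding.
        for name in ("title", "affected", "reproduction", "evidence", "impact", "remediation"):
            if not getattr(self, name).strip():
                raise ValueError(f"finding '{self.title}' is missing '{name}'")
        self.severity = severity_from_cvss(self.cvss)  # also validates the score


def sort_findings(findings: list) -> list:
    """Highest score first, so the reader meets the worst issue on page one."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def severity_counts(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def render_report(findings: list) -> str:
    """Markdown report: summary table first, then one section per finding."""
    counts = severity_counts(findings)
    out = ["# Penetration Test Report", "", "## Summary", "", "| Severity | Count |", "|---|---|"]
    out += [f"| {sev} | {counts[sev]} |" for sev in SEVERITY_ORDER if sev in counts]
    out += ["", "## Findings", ""]
    for i, f in enumerate(sort_findings(findings), start=1):
        out += [
            f"### {i}. {f.title} ({f.severity}, CVSS {f.cvss})",
            "",
            f"- Affected: {f.affected}",
            f"- Reproduction: {f.reproduction}",
            f"- Evidence: {f.evidence}",
            f"- Impact: {f.impact}",
            f"- Remediation: {f.remediation}",
            "",
        ]
    return "\n".join(out)


# Constructed sample findings (no real system is described).
SAMPLE_FINDINGS = [
    Finding("Verbose server banner", 2.7, "https://lab.example/ (constructed)",
            "Send any request and read the Server header.",
            "Response header shows full product and version string.",
            "Eases fingerprinting of the web server.",
            "Suppress version details in the Server header."),
    Finding("SQL injection in login form", 9.1, "https://lab.example/login (constructed)",
            "Submit a single quote in the username field; the response contains a database error.",
            "Request/response pair saved as evidence/login-sqli.txt (constructed path).",
            "Authentication bypass and read access to the users table.",
            "Use parameterized queries for every database call in the login handler."),
    Finding("Weak TLS configuration", 5.3, "lab.example:443 (constructed)",
            "Enumerate offered cipher suites with a TLS scanner.",
            "Scanner output lists TLS 1.0 and CBC cipher suites as enabled.",
            "Downgrade and padding-oracle style attacks become feasible for a network attacker.",
            "Disable TLS 1.0/1.1 and CBC suites; offer TLS 1.2+ with AEAD suites only."),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

The same structure works for a CTF writeup, which is why the guide recommends writing one per machine: a writeup that already has reproduction, evidence, impact and remediation fields is most of a professional finding.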
6. Essential pentesting tools
Every pentester needs to master these core tools. They are organized by pentesting phase:
Reconnaissance
Web testing
Exploitation & post-exploitation
7. Where to practice
Theory alone won't make you a pentester. Here are the best platforms to practice legally:
Free platforms
- TryHackMe — Guided learning paths, perfect for beginners. Free tier available.
- HackTheBox — Realistic machines to hack. Free tier with retired machines.
- PortSwigger Web Security Academy — The best free resource for web application security.
- PicoCTF — Beginner-friendly CTF by Carnegie Mellon University.
- CyberDefenders — Blue team challenges (great for understanding the defender's perspective).
Paid platforms
- HackTheBox VIP — Access to all machines including active ones.
- Offensive Security — PWK course and OSCP labs.
- SANS — Enterprise-grade training (expensive but excellent).
8. Certifications & career path
Certifications validate your skills and open doors. Here are the most recognized ones:
| Certification | Level | Focus | Cost (approx.) |
|---|---|---|---|
| CompTIA Security+ | Entry | General security | $400 |
| CEH | Entry-Mid | Ethical hacking theory | $1,200 |
| CompTIA PenTest+ | Mid | Pentesting methodology | $400 |
| eJPT | Entry | Practical pentesting | $250 |
| OSCP | Mid-Advanced | Hands-on pentesting | $1,600 |
| OSWE | Advanced | Web exploit dev | $1,600 |
| OSEP | Advanced | Evasion & advanced | $1,600 |
Recommended career path
- Start: Security+ or eJPT → get your first SOC/junior security role
- Grow: OSCP → move into dedicated pentesting roles
- Specialize: OSWE/OSEP/CRTO → specialize in web, AD, or red teaming
9. Common beginner mistakes (and how to avoid them)
After observing hundreds of beginners, these are the patterns that consistently slow people down:
1. Tutorial paralysis — watching instead of doing
Watching 50 hours of YouTube courses feels productive, but it is not. You learn pentesting by pentesting. After every concept, immediately practice it in your lab or on TryHackMe. If you cannot exploit something yourself, you have not learned it.
2. Skipping the fundamentals
Many beginners jump straight to Metasploit and hacking tools before understanding what a TCP handshake is. This creates a fragile skillset. Spend time on networking (TCP/IP, DNS, HTTP) and Linux before touching offensive tools — it will save you months of confusion later.
3. Not taking notes
Every command you run, every vulnerability you exploit, every technique you learn — write it down. Use Obsidian, CherryTree, or Notion. Pentesters with strong notes are 10x faster than those relying on memory. Your notes become your personal cheatsheet and the foundation for future reports.
4. Giving up after the first hard machine
Every serious pentester has spent days stuck on a single machine. This is normal and part of the process. If you are stuck for more than 2 hours: revisit your enumeration (you probably missed something), read a hint (not the full writeup), and come back fresh after a break. Persistence is the most important skill in pentesting.
5. Ignoring the reporting side
Professional pentesters spend 30-50% of their engagement time writing reports. A great exploit with a poor report is worthless to a client. Practice writing clear findings with evidence, impact statements, and actionable remediation recommendations from day one — even for your CTF writeups.
6. Testing without authorization
Never test systems you do not own or have explicit written permission to test. This includes your ISP's network, random websites that "look vulnerable," or your neighbor's WiFi. Stick to your local lab, authorized platforms (HackTheBox, TryHackMe), and bug bounty programs with defined scopes.
10. Frequently asked questions
How long does it take to learn pentesting?
With consistent daily practice, most people can perform basic penetration tests within 3-6 months. Reaching a professional level typically takes 1-2 years of dedicated study and practice.
Do I need a degree to become a pentester?
No. Many successful pentesters are self-taught. Certifications like OSCP, practical experience from CTFs, and a strong portfolio matter more than a formal degree in most hiring decisions.
What are the best free resources?
TryHackMe (free tier), PortSwigger Web Security Academy (100% free), HackTheBox (free tier), CyberDefenders, PicoCTF, and OWASP WebGoat are excellent free resources to learn pentesting.
Is pentesting legal?
Only with written authorization. Always get explicit permission before testing any system. Unauthorized testing is a criminal offense in most countries (CFAA in the US, art. 323-1 in France, Computer Misuse Act in the UK). Practice in your own lab or on authorized CTF platforms.
What is the difference between pentesting and a bug bounty?
A penetration test is a time-boxed engagement with a defined scope, performed under contract for a specific client, with a formal report as deliverable. A bug bounty is an ongoing program where researchers independently find and report vulnerabilities for a reward. Pentesting pays more consistently; bug bounties have no guaranteed income but offer more flexibility.
Do I need to know how to code to become a pentester?
You do not need to be a software developer, but basic scripting is essential. Focus on Python for automation and exploit modification, Bash for Linux one-liners, and enough JavaScript to understand XSS and prototype pollution. You will rarely write exploits from scratch — you will mostly read, modify, and understand existing code.
What laptop/computer do I need for pentesting?
Any modern laptop with at least 16GB RAM, 4 CPU cores, and 256GB SSD will work. You will run Kali Linux in a virtual machine alongside your main OS, which requires the extra RAM. A good WiFi adapter that supports monitor mode (Alfa AWUS036ACH) is useful for wireless testing. macOS and Windows both work as host operating systems — Linux as a host is a bonus but not required.
How much does a pentester earn?
Salaries vary widely by location and experience. In Western Europe and North America: junior pentesters typically earn €40,000–€65,000/year, mid-level €65,000–€95,000, and senior/specialized €95,000–€150,000+. Freelance pentesters and red team operators can earn significantly more. Certifications like OSCP and CRTO have a direct impact on salary negotiation.
What is the OSCP and should I go for it?
The OSCP (Offensive Security Certified Professional) by OffSec is the most recognized practical pentesting certification in the industry. It involves 90 days of lab access and a 24-hour hands-on exam where you must compromise machines and write a professional report. It is challenging, expensive (~$1,600), and widely respected by employers. Prerequisite: be comfortable with Linux, networking basics, and basic exploitation before buying the course. Working through TryHackMe and 10–20 HackTheBox machines first is strongly recommended.
📚 Related Resources
- Pentesting Commands Cheatsheet — 200+ essential commands organized by phase: recon, exploitation, post-exploitation
- Nmap Cheatsheet — The most complete nmap reference for recon and port scanning
- OSCP Cheatsheet — Commands, techniques and exam tips for OSCP preparation
- Pentesting Glossary — 60+ cybersecurity terms defined: CVE, CVSS, lateral movement and more