Real Market Numbers
According to hh.ru for Q4 2024: a typical Junior Pentester in Moscow receives 80-180k ₽/month as a starting salary. Mid (2-3 years of experience): 200-400k ₽. Senior (5+ years, OSCP): 400-700k ₽.
According to Positive Technologies (report "Personnel in Cybersecurity" 2024): there is a shortage of specialists in Russia of ~15,000 people. Juniors are actively hired even without a diploma: a portfolio on HackTheBox / Standoff365 is valued higher than a diploma.
Worldwide: tens of thousands of similar positions. One of the most famous public examples is Santiago Lopez (Argentina), the first bug bounty millionaire: by the age of 19, he earned $1M on HackerOne without a diploma (see Wikipedia).
Career Path
0. Newbie: This Course
Where you are now. Completed 1-3 modules. Understand the basics. Salary: 0.
Goal: finish the course, solve 20 machines on HTB / our platform.
1. Junior Pentester / Security Analyst
When: 6-12 months of active practice after the course.
What you do: assist a senior on a pentest. Run scanners (nmap, Burp). Write draft reports. Learn.
Salary in Russia: 80-180k ₽/month (Moscow, Positive Technologies, Group-IB, Bi.Zone, Kaspersky).
Salary in Europe: €30-50k/year (Germany, Poland, Czech Republic).
Salary in the USA (remote): $50-80k/year.
Bug bounty bonus: $200-2000/month if you're good.
2. Mid Pentester
When: 2-3 years of experience + 1-2 certifications (OSCP, CRTO).
What you do: lead a pentest yourself with a junior assistant. Find complex vulnerabilities (chain exploitation, AD attacks). Present to the client.
Salary in Russia: 200-400k ₽/month.
Salary in Europe: €50-80k/year.
Salary in the USA: $80-130k/year.
Bug bounty: $1000-10,000/month for active ones.
3. Senior Pentester / Red Team
When: 4-6 years + certifications (OSCP, OSEP, OSWE, GPEN).
What you do: lead complex projects. Phishing campaigns. Red team operations (simulating an APT attack on a company). Mentor juniors.
Salary in Russia: 400-700k ₽/month.
Salary in Europe: €80-130k/year.
Salary in the USA: $130-200k/year.
Bonuses: company shares, options, performance bonuses.
4. Principal Security Engineer / CISO
When: 8+ years in the industry.
What you do: lead the company's security strategy. Manage a team of 5-50 people. Less technical work, more architecture and people management.
Salary in the USA / FAANG: $200-500k/year + RSU. According to levels.fyi in 2024: Principal Security Engineer at Apple = $400-700k total comp (base + stock + bonus).
In Russia: according to hh.ru / RBC in 2024: CISO of an average company = 800k-2 million ₽/month.
4 Different Career Paths
1. Corporate Pentester
Where: Pentest companies (Positive Tech, Group-IB, Bi.Zone, NCC Group, Bishop Fox).
Pros: stable salary, training, different clients, travel (often paid).
Cons: a lot of routine (reports), time is limited (1-2 weeks per project).
Better for: those who like structure, training, travel.
2. In-house Security in a Large Company
Where: Yandex, VK, Sber, Tinkoff, Google, Meta.
Pros: huge salaries (especially FAANG), deep dive into one infrastructure, status.
Cons: less diversity, bureaucracy, politics.
Better for: those who like depth, corporate processes.
3. Bug Bounty Hunter (Freelancer)
Where: HackerOne, Bugcrowd, Intigriti, private programs.
Pros: complete freedom (work when you want), unlimited salary ceiling (top hunters according to HackerOne Hacker-Powered Security Report 2024 earn $300-500k+/year), no boss.
Cons: no stable income, need to be very good, huge competition.
Better for: experienced hackers (3+ years) who want freedom.
Real examples (public HackerOne profiles): Santiago Lopez (Argentina, @try_to_hack), the first bug bounty millionaire, $1M by the age of 19 (Wikipedia). Mark Litchfield, Frans Rosén, Yassine Aboukir: all are in the public HackerOne All-Time Leaderboard with lifetime earnings of $500k+.
4. Security Consultant / Own Company
Where: your own firm / freelance.
Pros: rate $100-500/hour, choose clients, scale.
Cons: sales, business, legal liability.
Better for: 5+ years of experience + entrepreneurial mindset.
Comparison with Regular IT Salaries (Russia)
| Profession | Junior | Mid | Senior |
| --- | --- | --- | --- |
| Pentester (security) | 120-180k ₽ | 250-400k ₽ | 500-700k ₽ |
| Backend developer | 100-150k ₽ | 200-300k ₽ | 400-600k ₽ |
| Frontend developer | 80-130k ₽ | 180-260k ₽ | 350-500k ₽ |
| QA Engineer | 60-100k ₽ | 150-200k ₽ | 300-400k ₽ |
| DevOps | 120-170k ₽ | 220-320k ₽ | 450-650k ₽ |
Source: hh.ru, ZP Russia 2024. Pentester salaries are 15-30% higher at each level. Reason: shortage of specialists. According to Positive Tech, there is a shortage of ~15,000 pentesters in Russia.
Main Conclusion of Module 1
Hacking is NOT a hobby. It's a profession with a clear growth map and real money.
Junior 180k ₽ → Senior 700k ₽ in 4-6 years. Bug bounty hunters earn $300k+/year. And it's all legal. The course is your starting point. Next: practice and perseverance.
Module 1 Completed. What's Next
Module 2: Linux for Hacker. Install Kali Linux in VirtualBox (30 minutes). First commands in the terminal. Claude helps. At the end: your first hacker "workstation".