100% online training • Professional methodology • Real labs

Pentesting Course.
From junior to auditor with professional methodology.

Learn pentesting with a methodological approach: real audit phases, professional tools and labs that reproduce real work scenarios. You don't memorize commands; you learn to audit.

Web pentesting • Mobile pentesting • OWASP WSTG • Professional reporting
What is pentesting?

Reproducible security auditing, with professional judgment

Pentesting (penetration testing) is the methodology by which an authorized professional simulates a controlled attack against systems, applications or networks with the goal of identifying real vulnerabilities, validating their impact and documenting them so the client can fix them. It's the difference between "running a scanner" and "knowing how to audit for real".

Unlike automated analysis, a pentest requires judgment at every step: what to test, what to discard, how to chain small findings to demonstrate a major compromise, and how to prioritize by effective business impact. That's why a real pentesting course doesn't focus on tools: it focuses on method.

At SixHack Academy we teach pentesting following recognized methodologies such as OWASP WSTG (Web Security Testing Guide), PTES (Penetration Testing Execution Standard) and NIST 800-115. You don't memorize steps: you understand why each phase is where it is, what information you need to advance, and how everything connects in a final report that serves the client.

Methodology

The 6 phases of a professional pentest

The full cycle, from signed contract to final delivery.

01. Pre-engagement and scope

Written agreement, clear definition of which domains and applications are in or out, time window, authorized techniques and rules of engagement. Without this, no professional pentest starts.

02. Reconnaissance and intelligence

Gathering information about the target within scope: domains, subdomains, technologies, employees, infrastructure. Passive (no contact) and active (minimal interaction).

03. Enumeration and mapping

Mapping the attack surface: endpoints, parameters, business logic, authentication, authorization. Here you decide which parts of the application deserve deep analysis.

04. Identification and exploitation

Detecting real vulnerabilities (not false positives), exploiting them to confirm impact and capturing reproducible evidence. The full OWASP Top 10 applied with judgment.

05. Post-exploitation and impact analysis

Evaluating what an attacker achieves with each finding: scope of compromise, accessible data, business risk. Calculating realistic CVSS and prioritizing by effective impact.

06. Professional reporting

Executive summary for management, technical detail with evidence for developers, prioritized remediation recommendations. The part the client actually sees.

Specialties

Specialties in professional pentesting

The most in-demand attack surfaces in today's market.

Web pentesting: Auditing HTTP/HTTPS applications, REST and GraphQL APIs. The most in-demand specialty and the most natural entry point to the profession. Covered by WXJ and WXE.

Mobile pentesting: Static and dynamic analysis of Android and iOS apps, API communication, insecure storage. Highly demanded by banks and fintechs. Covered by MXS.

Infrastructure pentesting: Auditing internal networks, exposed services, Active Directory, privilege escalation on Windows and Linux. Common with on-premise clients.

Cloud pentesting: Auditing configurations on AWS, Azure and GCP: IAM, S3, Lambdas, Kubernetes. Growing specialty as companies migrate to cloud.

Red team: Full adversarial simulation against an organization: phishing, pivoting, EDR evasion. Long, complex operations. Usually requires 3+ years of prior experience.

IoT and hardware pentesting: Auditing physical devices, firmware, radio protocols, wireless communications. Very technical niche specialty, but with a high salary ceiling.
Profession

What a pentester's day really looks like

What actually fills the time of a professional auditor.

The popular image of the pentester spending the day exploiting vulnerabilities is unrealistic. In professional auditing, most of the time goes into understanding the application: reading endpoints, mapping business logic, identifying which parts are critical, what data they handle, and how authentication and authorization flows fit together.

Pure exploitation occupies a smaller but intense window: when you already know where to look and why, you find bugs fast. After comes the most underrated and most differentiating work: validating and documenting. Capturing reproducible evidence, calculating realistic impact, writing the finding in professional format so developers can fix it and management can understand it.

That's why a senior pentester earns what they earn: not because they exploit faster, but because they have the judgment to prioritize well and write reports that close projects and build trust. That view of professional work is what we teach in the path: not training people who know how to launch commands, but auditors who deliver value.

Curriculum path

The SixHack Academy path

Three progressive pentesting courses, connected to build real skill.

Active WXJ

Web eXploitation Junior

The entry point to pentesting. Assumes zero experience. Covers networking, HTTP/HTTPS, Burp Suite, applied pentest phases, OWASP Top 10 and professional reporting. When you finish you have the criteria to audit web applications at junior pentester level.

Active WXE

Web eXploitation Expert

Continuation of WXJ. Advanced web pentesting techniques, complex exploitation chains and real auditing scenarios. For those who already master the basics and want to step up to mid-senior pentester level with real audits.

Active MXS

Mobile eXploitation Specialist

Mobile application pentesting. Static and dynamic analysis, common flaws and platform-specific techniques on Android and iOS. Complements the web track with the full mobile ecosystem, one of the best paid specialties.

Career paths and salary ranges

Pentesting is one of the most in-demand profiles in tech. The most direct paths are pentester at security consultancies, internal teams at large companies, application security engineer at tech companies, independent bug bounty hunter and freelance consultant.

Typical salary ranges in Spain at the end of 2025: junior pentester €25,000-35,000 gross, mid-level €35,000-50,000, senior €50,000-75,000, and specialized or red team profiles can exceed €80,000-100,000. Salaries differ across countries (the US generally pays significantly higher). Bug bounty can add variable income on top.

Practice pentesting free with CTF Labs

Before signing up for any course, you can train for free with our CTF Labs: real web pentesting challenges with multiple difficulty levels, global ranking and free access after a quick sign-up. A direct way to check the methodology before investing in training.

SQL injection, XSS, IDOR, SSRF and other OWASP techniques in a controlled and legal environment.

FAQ

Frequently asked questions about pentesting

The most common questions before starting professional training.

What is pentesting?
It's a security auditing methodology by which an authorized professional simulates a controlled attack against systems to identify real vulnerabilities and document their impact. It differs from automated scanners in that the pentester validates each finding and prioritizes by effective impact.
What are the phases of a pentest?
Pre-engagement and scope, reconnaissance and intelligence, enumeration and mapping, identification and exploitation, post-exploitation and impact analysis, final reporting. It's a reproducible process that follows methodologies like OWASP WSTG, PTES or NIST 800-115.
What types of pentesting exist?
Web (HTTP/HTTPS apps and APIs), mobile (Android and iOS), infrastructure (networks and services), cloud (AWS, Azure, GCP), red team (adversarial simulation) and IoT/hardware. SixHack Academy focuses on web and mobile because they're the most in demand in professional auditing.
Do I need to be a programmer?
Not essential. It does help to understand HTTP, JSON and how a request is built, basics covered by WXJ from scratch. As you progress, reading code (PHP, JS, Python) becomes increasingly useful to understand what an application does.
What tools does a pentester use?
In web: Burp Suite (main), DevTools, curl, ffuf, gobuster, exploitation frameworks. In mobile: Frida, MobSF, static and dynamic analysis tools. The rule is that tools are means, not ends: what matters is method.
How much does a pentester earn?
Spain end-2025 ranges: junior €25,000-35,000 gross, mid-level €35,000-50,000, senior €50,000-75,000, specialized (red team, cloud, hardware) €80,000-100,000+. Other countries differ (US typically pays significantly more).
What makes a good pentesting report?
Three parts: clear executive summary for management, technical detail with reproducible evidence and CVSS per finding, actionable remediation recommendations. The report is what the client actually sees: a good pentest poorly reported is worth little professionally.

Start your pentesting journey

WXJ is the entry point: solid fundamentals, methodology and professional reporting.