From SOC analyst to pentester in 12 months.
Blue team to red team is the cleanest pivot in security. You already speak the SIEM, IDS, and incident-response languages a pentester has to defeat. The 12-month plan: eJPT to harden methodology, PenTest+ if your employer reimburses, then 6–7 months on OSCP. The salary delta is roughly +$25–40k base, sustained, plus access to consulting bonus structures.
The two failure modes are (1) buying the OSCP voucher in month 1 and burning out by month 4 with no methodology, and (2) collecting certs without ever rooting boxes. The plan below is built to avoid both.
Why this pivot works in 2026
Pentest demand has decoupled from general security hiring. The U.S. Bureau of Labor Statistics projects 33% growth for Information Security Analysts through 2033 (median 2024 pay: $124,910), and inside that bucket offensive-security roles command a 10–20% premium over defensive ones because the supply of OSCP-grade hires is structurally short. SOC analysts are the natural feeder pool: you know detections, log gaps, and the exact telemetry your blue-team peers will see. That intuition is worth real money on a red-team interview.
The 12-month sequence
Three phases of four months. Each phase has one cert plus a tangible artifact (rooted boxes, a write-up portfolio, a CVE PoC). Skip either side and the phase doesn’t count.
Months 1–4 — Methodology (eJPT + 30 HTB boxes)
- Cert: INE Security eJPT v2 ($249, ~80 study hours, fully practical exam). Teaches enumeration, exploitation, and pivoting in the exact methodology OSCP grades on. Treat it as the wax-on/wax-off phase.
- Artifact: 30 retired Hack The Box boxes rooted, with markdown write-ups in a private GitHub repo. The repo becomes proof-of-skill in interviews. Mix easy/medium 60/40.
- What to skip: CEH. It will not move a hiring needle in 2026 and the $1,199 list price is better spent on HTB Academy.
Months 5–8 — The methodology gate (PenTest+ or HTB CPTS)
- Cert: CompTIA PenTest+ PT0-003 ($404, ~100 study hours) if your employer reimburses or you need DoD 8140 II compliance. Otherwise HTB CPTS ($490 with HTB Academy subscription) is the better OSCP precursor in 2026 because the exam mirrors PEN-200 in style and depth.
- Artifact: 50 more HTB boxes (now mixing in hard) plus the full PortSwigger Web Security Academy free track. Web app testing is 30–40% of real engagements; the OSCP exam alone underweights it.
- The burnout month is month 7. Privilege escalation on Windows is where most candidates quit. Plan a one-week pause, then come back to it. Skipping winPEAS practice here costs you the OSCP exam later.
Months 9–12 — OSCP and applications
- Cert: Offensive Security OSCP via the PEN-200 course ($1,599 for 90 days of lab access plus one exam attempt; $2,499 for the Learn One annual subscription). Plan 350–450 lab hours: PEN-200 modules, every PG Practice box at your level, and at least two attempts at the Proving Grounds Active Directory chains.
- Artifact: the OSCP itself plus a clean exam report. The report quality matters more than the score — many pentest interviews ask to see a redacted version.
- Apply month 10 onward. 5–8 applications per week, targeting consulting firms (NCC Group, Bishop Fox, Coalfire, TrustedSec) plus internal red teams at large banks and FAANG-adjacent shops. Junior pentester postings expect OSCP or “in progress with exam scheduled.”
- Salary anchor: $95–110k in mid-cost metros, $115–135k coastal/cleared. Below $90k means the role is mislabeled or the employer hasn’t budgeted for actual pentest output; walk away.
The investment math
Cash outlay: eJPT $249 + HTB CPTS or PenTest+ $404–$490 + OSCP $1,599 = ~$2,300, plus $40–$60/month HTB Academy + VPN labs (~$600 over 12 months). Round to $2,900 hard cash. Time investment is roughly 600 focused hours. At a $30/hour SOC opportunity cost, total investment lands near $20,900.
Expected return: a $25–40k base salary increase (call it $30k median), sustained, with consulting roles adding 10–15% utilization-tied bonus on top. Payback is roughly 9–12 months after starting the new role. Five-year cumulative delta usually exceeds $180,000 before counting the typical pentester-track promotion to senior at year 3.
When to deviate from the plan
- You already hold CySA+ and 2+ years SOC. Compress phase 1 to 8 weeks; you have the analysis foundation eJPT introduces.
- You target web app pentest specifically. Replace HTB CPTS in phase 2 with the Burp Suite Certified Practitioner ($99) and weight phase 3 toward OSWE ($1,499) instead of OSCP. Adds ~3 months.
- You are aiming for cleared work in DC. Keep OSCP, then add Security+ if you don’t already hold it (DoD 8140) and target Booz Allen, Mandiant Government, or Leidos. Cleared starting offers run $115–140k.
Bottom line
SOC analyst to pentester in 12 months is logistically tight but well-trodden. Three certs, one box-portfolio, three phases. The candidates who finish are the ones who treat each four-month block as non-negotiable and produce evidence at the end — eJPT badge, write-up repo, OSCP. The ones who don’t finish almost always trip on month 7 (Windows privesc) or skip lab time in month 9. Plan for both.
Frequently asked questions
Can you really pivot from SOC analyst to pentester in 12 months?
Yes, but only if you already hold Security+ and have at least 12 months of L1/L2 SOC experience. The plan assumes 12–15 hours of focused study per week and a willingness to grind 50–100 boxes on Hack The Box or PortSwigger Web Security Academy. Without the SOC foundation the realistic timeline is 18–24 months.
Is OSCP really required to get a junior pentester job?
It is the de facto floor for consulting firms (Bishop Fox, NCC Group, TrustedSec, Coalfire) and most boutique pentest shops as of 2026. Internal red teams at FAANG and large banks sometimes hire on OSCP-equivalent skill plus interview performance, but for first pentester roles OSCP clears 70–80% of postings on its own. PenTest+ alone clears about 25%.
Should I do PenTest+ or skip straight to OSCP?
Do PenTest+ if your employer pays for it or you need a DoD 8140 box checked. Otherwise eJPT ($249) and HTB Academy paths give better ROI for $400 less and align tighter with the OSCP exam style. The roadmap above uses eJPT as the bridge cert because it teaches the methodology OSCP actually tests.
What salary should I expect after the pivot?
Junior pentester salaries in 2026 range from $90,000 to $135,000 depending on metro and consulting vs. internal. Mid-cost metros pay $95–110k for first pentester roles; coastal tech and DC-area cleared roles reach $120–135k. Levels.fyi shows OSCP-holding pentesters with 1–2 years of experience clustering around $115k base. SOC L2 medians sit around $78–85k, so the delta is roughly $25–40k base plus typical 10–15% bonus structures.
Do I need to give up my SOC job during the pivot?
No, and you should not. SOC tickets give you exactly the detection-evasion intuition that wins pentest engagements: you know what your blue-team peers will alert on. Stay in the SOC role through month 11, apply during months 10–12, and only resign once you have signed an offer. Burning the SOC seat early is the single biggest avoidable mistake.
How we wrote this
No bootcamp or training-vendor revenue. Salary anchors come from the BLS Occupational Outlook Handbook for Information Security Analysts (2024 median $124,910), cross-referenced against junior pentester postings on LinkedIn and Indeed and self-reported offers on Levels.fyi as of Q2 2026. OSCP cost and curriculum reflect the official PEN-200 page as of May 2026. Investment math uses a $30/hour SOC opportunity cost. The 12-month timeline reflects observed pivots in the CertQuests community over 2024–2026; faster timelines exist but are not the median. Tell us what you’d update.
Last reviewed: May 13, 2026.