Clueless (Unhirable)

• You really want a any job in IT but are unsure how to transition into an IT job from your current position.
• You don't understand computing fundaments, code, networking, web technology, or how anything works beyond a very basic fundamental level.
• Most technical things you've done are operating system installations, virus scans, and putting together a computer from scratch.

Newbie ($30k - $50k)

• Already working as IT Support Specialist, IT Consultant, PC Repair Technician, etc.
• Start here if you are not yet a penetration tester!
• Can troubleshoot PC problems, backup data, run RJ45 cables, and fix issues with email clients such as Outlook.
• You might understand a little bit about the Linux CLI, basic BASH Scripting, etc.
• You will struggle but can likely code your own static Website using HTML, CSS, and some JavaScript.
• Understands how to troubleshoot computer and network issues.
• May have an idea or recently discovered the OWASP Top 10, and maybe they've done a few walkthroughs regarding SQL Injection, XSS, and CSRF.
• Gets the gist of encryption but doesn't understand it fully. "It has keys and stuff..?"
• Understands the CIA Triad, generally understands the differences between encryption, hashing, and encoding.
• Mr. Robot is your favorite TV Series.

Associate ($80k - $90k)

• Associate Security Consultant, Junior-Level Penetration Tester
• Understands the OWASP Top 10 and probably recently learned about CORS, OOB-XXE, JWT bugs, Cache Poisoning, OAuth2, and NoSQL Databases.
• Can do basic code review, but will likely struggle to find more granular vulnerabilities that require fuzzing and advanced debugging.
• Can build basic tools with Sockets, Regular Expressions, Web Scrapping Libraries, etc.
• You've played with Web Frameworks and MVC Web Applications. You are fluent in HTML, CSS, and JavaScript.
• Proficient with web technologies, understands low-level networking, and is in the process of learning Memory Management in C/C++ and Assembly.
• Can do a basic stack-based buffer overflow CTF, but will likely fail to bypass DEP, ASLR, etc.
• May know a slight amount about Mobile Technology but not enough to do a security assessment.
• Can be hired as a security professional and work professionally but will likely need to be supervised.
• Might get stumped when trying to bypass certain protections such as firewalls, Content Security Policy, etc.

Mid-Level ($95k - $120k)

• Security Consultant, Security Engineer, Penetration Tester
• Can perform code review and work alone in most cases.
• Proficient enough to work full-time remotely, requires very little oversight.
• Understands "The Big 4" - Web Applications, Binary Exploitation, Mobile Applications, and Network-Based Attacks.
• Understands how to Fuzz an application, Heap Spray, do Power Analysis, and enumerate more granular vulnerabilities like Race Conditions, etc.
• Can build a basic application using services from cloud providers. (AWS, GCP, Azure).
• Understands how to bypass most protections effectively.
• Routinely challenges themselves with more complicated CTFs, Labs, and Projects.
• Can likely develop their own malware or at least script enough to exfilrate the data they want.
• Enough knowledge to write a fairly useful guide or book on penetration testing.

Senior ($120k+)

• Senior Security Consultant, Senior Security Engineer, etc.
• Works very close to the metal.
• Has attended their fair share of hacker conventions and conferences.
• Can bypass modern binary protection mechanisms such as DEP, ASLR, Canaries, CFI, Isolated Heaps, etc.
• Has specialized knowledge in specific technologies. (Vehicles, IoT Devices, Firmware, etc)
• Can be found writing papers and providing talks at hacker conventions.
• May have knowledge in Malware Analysis and deobfuscating hardened malware.