Hacker News

I've always wondered: how lucrative is pentesting as a career? The work seems super interesting, and I've been fascinated by it, but do businesses see the value enough to justify paying >= a software engineer's salary?


So "pentesting" often kinda defaults to "network pentesting" which is closer to an IT job than a software engineering job and its salary range (in general, as you specialize pay goes up regardless).

But there is "application penetration testing" and just application security in general which tends to pay competitively with software engineering. And of course plenty of people do both at the same job.

So pentesting can be competitive but it depends on definitions a bit. That said on the upper end, software dev tends to have more chances to get a big exit by being part of building something. In security you might be with a consulting firm where you have a slight chance at that, but it's not common for a security guy to have that sort of big exit.


One thing that made me really reevaluate being a pentester was when I talked with someone who'd been a pentester for years and when I asked him about it he said it was basically just a mean type of QA.

That being said right now security is becoming a very lucrative field and you know what to do to make money in a gold rush especially if you're a software engineer.


Pentesting related to national security or gov work can pay really well with a clearance (and the workload can be really light). I don't know if, in the private sector, pentesting pay is better than engineering pay.

I found most of the pentesting salaries came in lower than engineering ones, and I felt that pentesting was the more difficult job.


More code results in more bugs. You need to throw money at software developers to build something, anything really. Only then do you hire a 3rd party pen-testing company for a few days. That's the way it works in our shop anyway. It's unfortunate, but sometimes the expected velocity to achieve MVP glosses over best security practices.


I’m a pentester. US salaries are about 20-30% less than very competitive dev salaries. Security engineers make a bit more than pentesters, but both are typically less than well-paid dev work.



