I have been using tools like Burp Suite, Acunetix and OpenVAS for some time, in conjunction with Kali and Fedora Security Spin, to help build a picture of the vulnerabilities in systems.
As mentioned elsewhere, I have the Certified Ethical Hacker and Certified Computer Hacking Forensic Investigator qualifications from the EC-Council.
I am currently working towards getting the Offensive Security Certified Professional, Penetration Testing with Kali (OSCP PWK) qualification.
I got a taste for cleaning WordPress sites in my previous role as Director of the Managed Services in Newcastle, where we had a number of customers with hacked WordPress sites. It made me realise how much of a problem this is and gave me a taste for running penetration tests against WordPress sites to help work out how they were being compromised. This led me on to the work I now do with Defiant and the Wordfence plugin.
In my current role with Defiant, we work with developers and site owners to harden their web applications. I also work with teams of developers to improve their security and carry out digital forensics on applications that have already been compromised.
As well as using our own tools, we sometimes use tools like WPScan to analyse sites for vulnerabilities, or tools like Burp Suite to test proofs of concept for exploits we are investigating.
One of the best pieces of advice I could give to people wanting to get a feel for this field is to make sure you know the legal and ethical implications of what you are doing. Only work on your own test networks and applications, or those systems where you have the written permission of the owners of those applications in the form of proper Terms of Engagement. There are plenty of options for test networks available.