Penetration testing, sometimes called ethical hacking (and often lumped together with red teaming, a related but broader, objective-driven exercise), is an exciting career path in which you simulate cyberattacks on target systems in order to test (and, ultimately, improve) their security. It’s a job that lots of people currently working in infosec would like to have, and one that can be tricky to get as competition heats up.
“It used to be the best way to grow a career in attack and penetration was through hands-on experience,” says Matthew Eidelberg, technical manager for threat management at Optiv. “It’s becoming harder and harder to break into pen testing as a beginner, because these roles are no longer considered niche. They are in high demand. As a result, a lot of effort has gone into certifications based on training and real-world lab simulations for both students and professionals.”
In fact, a range of penetration testing certifications are now available from various companies and industry organizations—and earning these certs can boost your career prospects, says Ron Delfine, director of career services at Carnegie Mellon University’s Heinz College. “Depending on what skills an organization is seeking,” he says, “certification holders may have a competitive advantage related to career advancement, as they have already been through a proven process requiring them to display evidence of strong penetration testing skills through the certification and recertification process.”
Top penetration testing certifications
How can you pick the best penetration testing certification for you? We spoke to a number of pen testing pros to see how different certifications have helped their careers or helped them find good candidates when they were hiring. In general, most of the people we spoke to grouped certs offered by the same orgs together, so that’s how we’ll treat them here too.
- Offensive Security Certified Professional (OSCP)
- Offensive Security Wireless Professional (OSWP)
- Offensive Security Experienced Penetration Tester (OSEP)
- GIAC Penetration Tester (GPEN)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- EC-Council Certified Ethical Hacker (CEH)
- EC-Council Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master)
- CompTIA PenTest+
Certifications from Offensive Security received almost universal praise from the experts we talked to, who emphasized their rigorous and hands-on nature. The company’s most widely known cert is the Offensive Security Certified Professional (OSCP)—it’s “the standout cert in this area right now,” says Aaron Rosenmund, director of security research and curriculum at Pluralsight. But the company also offers Offensive Security Experienced Penetration Tester (OSEP), a more advanced certification, as well as Offensive Security Wireless Professional (OSWP), which as the name implies focuses on wireless networks.
“People really value the OSCP,” says Connor McGarr, red team consultant at CrowdStrike, who credits the certification for helping him gain entry into the pen testing field despite his lack of experience. “Things are just put in a way that it forces you to think outside of the box. That creativity—’this is not working, now what’s my game plan’—that’s the mindset that is so valuable.”
“These certifications stand out in the workplace,” says Optiv’s Eidelberg. “Professionals—namely, practice directors and hiring managers—know they’re backed by hands-on lab environments and live exams, as opposed to multiple-choice tests.” Those exams have a reputation as tough, but as Chris Elgee, senior penetration tester at Counter Hack Challenges, puts it, “the tenacity required to pass demonstrates a passion for the field. Professionals with an OSCP have shown the aptitude and grit required to grind through difficult offensive engagements.”
Offensive Security Certified Professional (OSCP):
Prerequisites: Candidates should come in with a solid understanding of TCP/IP networking, Windows and Linux administration experience, and basic bash and/or Python scripting. To be certified, you must take Offensive Security’s PEN-200 course, Penetration Testing With Kali Linux, and then pass its exam.
Test format: A proctored, 24-hour online practical exam against a set of lab machines, followed by a written penetration test report that you must submit to be graded.
Cost: $999 pays for the course, the exam, and 30 days of lab access. More lab time, additional study content, and additional test retakes are available for a higher fee.
Official website: https://www.offensive-security.com/pwk-oscp/
Offensive Security Wireless Professional (OSWP):
Prerequisites: Candidates should come in with a solid understanding of TCP/IP and the OSI model as well as familiarity with Linux, and will need a computer that can boot and run Kali Linux, along with other specific hardware. To be certified, you must take Offensive Security’s PEN-210 course, Wireless Attacks, and then pass its exam.
Test format: A four-hour online practical exam in which you break into a simulated wireless network and document how you did it.
Cost: $1,999, which includes the course, a year’s worth of lab access and two exam attempts; other more expansive packages are available for a higher price.
Official website: https://www.offensive-security.com/wifu-oswp/
Offensive Security Experienced Penetration Tester (OSEP):
Prerequisites: Candidates should have a solid ability to enumerate targets to identify vulnerabilities; be able to identify and exploit vulnerabilities like SQL injection, file inclusion, and local privilege escalation; and have an understanding of Active Directory and knowledge of basic AD attacks. To be certified, you must take Offensive Security’s PEN-300 course, Evasion Techniques and Breaching Defenses, and then pass its exam.
Test format: A proctored, 48-hour online practical exam against a lab environment, followed by a written report.
Cost: $1,299 pays for the course, the exam, and 60 days of lab access. More lab time, additional study content, and additional test retakes are available for a higher fee.
Official website: https://www.offensive-security.com/pen300-osep/
GIAC (Global Information Assurance Certification) is an organization created by the SANS Institute specifically to administer certifications tied to SANS courses, though you can take the exams to earn the certs without taking a SANS training. GIAC offers two pen testing certifications: GIAC Penetration Tester (GPEN) and the more advanced GIAC Exploit Researcher and Advanced Penetration Tester (GXPN). These also received high praise from the pros we talked to from a job-hunting and hiring perspective alike.
“I have found that my GIAC certs help open the door to get the interview and past HR gatekeepers,” says Xena Olsen, a senior cyber threat hunter at a Fortune 500 company. Even though she works on the “blue team” threat hunting side of things, she says that “the GXPN was an amazing growth experience—and helps me stand out from the other blue applicants.”
Jason Nickola, chief operating officer and senior security consultant at Pulsar Security, praises the broad range of knowledge that goes into the GPEN certification: “As a hiring manager, GPEN means contributing to pen test engagements on day 1.” He calls the GXPN “a real beast of a certification. Everything here is advanced and shows that cert holders have much more than just the basic skills to be a penetration tester, but are instead able to push the envelope with custom, bespoke exploits of their own design.”
While Quentin Rhoads-Herrera, director of professional services at Critical Start, praised the training material that backs up the GIAC certs, he notes that “SANS is still heavily reliant on open book multiple choice,” which is a strike against it in his mind. “Since our work is very creative and hands-on,” he says, “it is imperative that a certification exam proves that the student can leverage the hacker’s mindset to work through complex problems.”
GIAC Penetration Tester (GPEN):
Prerequisites: Candidates should have a firm understanding of Windows and Linux OSes and command-line tools, computer networking and TCP/IP protocols, and a basic understanding of cryptography.
Test format: Three-hour web-based proctored exam with 82 questions; you must answer 75% correctly in order to pass.
Cost: You can “challenge” the GPEN exam (that is, take the test without any accompanying paid training) for $2,499. Training courses that prepare you for GPEN, such as the one from the SANS Institute, generally include a voucher for the exam and can cost $7,000 or more.
Official website: https://www.giac.org/certifications/penetration-tester-gpen/
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN):
Prerequisites: Candidates should already be familiar with the fundamentals of penetration testing, programming (preferably in Python and C/C++), and networking before even beginning to prepare for this certification.
Test format: Three-hour web-based proctored exam with 60 questions; you must answer 67% correctly in order to pass. Some of the questions are “CyberLive” hands-on items, which take place in a lab environment where test takers prove their skills using live code on virtual machines.
Cost: You can “challenge” the GXPN exam (that is, take the test without any accompanying paid training) for $2,499. Training courses that prepare you for GXPN, such as the one from the SANS Institute, generally include a voucher for the exam and can cost $7,000 or more.
Official website: https://www.giac.org/certifications/exploit-researcher-advanced-penetration-tester-gxpn/
The EC-Council is a cybersecurity education and training nonprofit founded in the wake of the 9/11 attacks, and Certified Ethical Hacker (CEH) is perhaps its highest-profile cert; in fact, it’s one of the best-known certifications in the field. The EC-Council recently launched a twinned pair of certs, Certified Penetration Testing Professional (CPENT) and Licensed Penetration Tester (LPT Master), that are based on the same training material and exam, with the LPT Master going to those who score best on the test.
CEH is relatively well known, and the security pros we spoke to note that it has its place in the field, but they were less enthusiastic about it than they were about certs from GIAC or Offensive Security. “I would note CEH as a ‘foot-in-the-door’ certification for a pen testing internship or in preparation for additional study,” says Melissa Miller, managing security consultant at NetSPI. Critical Start’s Rhoads-Herrera calls it “valuable as a good way to get past HR screeners” but adds that “the course work is not up to par with other certifications.”
“CEH does qualify you for a number of contracts by virtue of being one of the oldest in the game,” says Pluralsight’s Rosenmund, “but doesn’t necessarily ensure from an employer perspective that you are ready to do the job.” Counter Hack Challenges’ Elgee gives a specific example: “CEH is most valuable for checking specific certification boxes, especially in US government,” but says it “otherwise has a low value to price ratio.”
Certified Ethical Hacker (CEH):
Prerequisites: You must either take an EC-Council-approved CEH training course or establish that you have at least two years of professional infosec experience before you can take the exam.
Test format: Four hours, 125 multiple choice questions. If you pass this exam, you can also take the Certified Ethical Hacker Practical exam—six hours, 20 practical challenges—in order to earn CEH Master certification.
Cost: The exam costs $1,199 plus $100 for remote proctoring; there is a $100 nonrefundable application fee, and official training courses can cost anywhere from $850 to $2,999.
Official website: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
Certified Penetration Testing Professional (CPENT)/Licensed Penetration Tester (LPT Master):
Prerequisites: Candidates must have already received CEH and Certified Security Analyst certs from the EC-Council, and submit an application that includes a criminal background check. The exam is meant to follow on from the EC-Council’s CPENT training course, although experienced pen testers can request to “challenge” the exam based on their existing skills.
Test format: A 24-hour online practical exam in which you deploy advanced pen-testing techniques. A score of 90% or above earns you the LPT Master certification, while a score of at least 70% but below 90% earns you a CPENT.
Cost: The CPENT course is $2,199, which includes the exam and access to the EC-Council’s practice range and other content. There is also a $500 application fee (which covers the background check.)
Official website: https://www.eccouncil.org/programs/licensed-penetration-tester-lpt-master/
The final certification org we’ll discuss is CompTIA, a nonprofit best known for its “plus” series of mostly early-career certs. CompTIA rolled out a penetration testing certification, PenTest+, in 2018, and the experts we spoke to were generally positive about it. Ben Sadeghipour, hacker and manager of hacker education at HackerOne, calls PenTest+ one of the “most helpful” certifications in the field. “This certification teaches you about the legality and compliance aspect of a pen test, how to plan and scope out penetration testing, how to perform vulnerability scanning and testing, and how to write and communicate your findings with the customer’s management team,” he says.