I am interested in advancing my career in penetration testing and want to know which certifications are most valuable in the industry.
Industry-recognized certifications for penetration testers include the Offensive Security Certified Professional (OSCP), which is a hands-on certification requiring candidates to demonstrate practical penetration testing skills by successfully attacking and penetrating live machines in a controlled environment. Another notable certification is the GIAC Penetration Tester (GPEN) offered by the Global Information Assurance Certification (GIAC), which focuses on assessing a candidate's ability to conduct effective penetration testing. Additionally, CompTIA offers the PenTest+ certification, which is an intermediate-level credential covering risk analysis, threat detection, penetration testing, and ethical hacking methodologies. For those interested in any CompTIA certification, utilizing a CompTIA practice test by P2PExams is essential for successful exam preparation. These certifications are widely recognized in the cybersecurity industry and can enhance a professional's credentials in the field.
@marinahart Thank you. I have never heard anything bad about the OSCP or eJPT. My employer does not recognize them but does not recognize any certification without a continuing education component. ISC2 did have the CCFP for a while but retired it, and it was probably more theory than hands-on. SANS certifications are recognized but are way too expensive for an individual to want to spend on and sometimes have odd renewal requirements. We usually have our folks do PenTest+. I do recommend to them to also do CySA+ because CompTIA says that they share 30% of the same material. I think that helps if they understand the defensive side as well. The sad part is that people want those positions, but there are very few of them. It does not help the profit margin unless you work at a company that is hired as a third party to do it for others. I do appreciate the one omission. I do not even like seeing that acronym anymore and would never recommend it.
@williamxavier I'm not a pentester, but from my friends who are, these are the certs they mention.
* OSCP certs et al. from Offensive Security, the folks behind Kali Linux. However, I've been hearing that some have issues with them.
* Hack The Box certs. This is a new group doing pentest certs, but I have been hearing more and more about them, and some feel they are BETTER than OSCP.
* GPEN from SANS/GIAC. Yes, SANS courses are expensive (there are ways to get around it), but certainly the quality and respectability is there for this one. And this one IS DOD approved, so if they approve it, so will other government agencies....
* Pentest+ from CompTIA. I wasn't certain about this one, because let's face it, CompTIA is NOT an infosec org. But I've heard good things about it; just be aware this is an entry-level cert, and if you can get any of the above, that would be better.
That said, there are several other groups out there doing pentest certs. I am just not certain of their reputation. And keep in mind, it's often NOT your peers you need these certs for, but HR/hiring managers.
Hope this helps.
Hmmm. Hadn't heard of this OSCP+.
I see that this is identical to the OSCP, but expires after 3 years and requires CPEs to maintain.
This makes me think they might be pursuing ANSI/ISO/IEC 17024 accreditation for the OSCP, as these are standard requirements for that. They don't say they are doing that, but it makes me think they are. Doing so would allow the OSCP+ to be included on the DoD 8140 list, making it one of the required certs, and once there, other government agencies would also be asking for it. CompTIA went through this several years ago: originally their certs did not expire, but they changed to expiring/requiring CPEs, and this was done for the same reason. Now that CompTIA certs are 17024 certified, they are on the DoD list.
Time will tell on this.
(for what it's worth, many of the certs from CompTIA, ISC2, ISACA, SANS/GIAC, and EC-Council are 17024 certified and thus on the DoD list)