Introduction to the Certified Expert Penetration Tester Certification

Are you looking to advance your pentesting career? Then a certification might be the right option, especially one that offers both practical, hands-on experience and a strong focus on ethical hacking. Professionals with expert testing skills can be a great asset for a company. A penetration test or simulated attack performed by experienced and trained professionals finds vulnerabilities and exploits in systems and can produce valuable insights into the effectiveness of security controls in a much more efficient way than through the simple use of specific testing software.

The Information Assurance Certification Review Board (IACRB) has a program called CEPT: Certified Expert Penetration Tester. This is one of the most comprehensive training and certification curricula available in this line of work, and it can properly prepare security professionals for a successful career in pentesting. IACRB is a not-for-profit industry standard organization that offers certifications able to demonstrate the information assurance knowledge and hands-on ability of candidates, as well as establishing requirements to identify a baseline skill level for sought-after technical positions.

Exploring the CEPT certification: an overview

CEPT is a certification that goes deeper into network attacks and recon, shellcodes, memory corruption and more, as easily seen from the domains it covers. In order to earn the CEPT credential, candidates need to pass a 50-question multiple-choice test followed by a hands-on practicum in which candidates have to successfully complete three penetration challenges in order to become certified. A passing score is at least 70%.

The CEPT certification process is designed specifically to test not only the applicant’s technical understanding but also his or her problem-solving ability. The focus of the certification is on pentesting and, specifically, the identification of the knowledge and skills an “expert penetration tester” must possess. IACRB states: “A person who is highly skilled in methods of evaluating the security of a computer systems, networks and software by simulating an attack by a malicious user. The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known and/or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. An expert penetration tester should additionally possess the ability to discover and reliably exploit unknown vulnerabilities in targeted software and systems.”

The CEPT exam

The IACRB CEPT program starts by testing the candidate’s knowledge through a standard multiple-choice exam that consists of 50 questions randomly pulled from a master list. Candidates have two hours to answer all questions and achieve a passing score of 70%.

Questions focus on nine domains:

  • Penetration Testing Methodologies
  • Network Attacks
  • Network Recon
  • Windows Shellcode
  • Linux and Unix Shellcode
  • Reverse Engineering
  • Memory Corruption/Buffer Overflow Vulnerabilities
  • Exploit Creation — Windows Architecture
  • Exploit Creation — Linux/Unix Architecture Web Application Vulnerabilities

Candidates can take the test online if employed at a member organization or they can take the test at any of the training partner’s locations throughout the world. There is also the option to test at a chosen site when part of a group of at least 10 participating professionals.

When ready to take the exam and be certified, professionals can schedule the test by contacting an IACRB representative via email at exams@iacertification.org or via phone at 1-708-660-0721. Otherwise, they can call 1-708-689-0550 or use the online form here. Once candidates log in, they will have links for certification attempts and/or self-study files as appropriate to their registration.

To be a CEPT, exam candidates will need to pay a flat fee of $499 per exam and $399 per voucher for on-site proctored exams. A CEPT certification is valid for four years. Recertification is done through the same exam engine system, but no fees are charged.

Is the CEPT certification worth the effort?

Who should earn the CEPT certification? Any ethical or “white-hat” hacker, and those who are part of “Tiger teams” or form “Red Teams.” The CEPT certification is significant for those who are well-versed in system examination, penetration testing and executing network analysis in order to guarantee the safety and integrity of a company’s information system environment.

The certification is valuable thanks to its challenging practical section that can really prove the hands-on abilities of credential holders. Therefore, it’s a great stepping stone for professionals  looking to give their penetration tester career a boost, but it also represents a meaningful personal achievement for any IT professional interested in information security.

A CEPT credential can even help increase salary potential especially at a time when companies are more interested than ever in acquiring penetration testing services. Many employers in fact are relying more and more on expert testers to perform holistic security assessment that provides a baseline for the integrity state of a network and digital assets as well as the security of systems and procedures. Penetration testing has become a critical part of middle-to-large-size company’s security programs, where it is meant to help ensure that the proper countermeasures are in place to avoid attacks.

What is the best way to prepare for the CEPT exam?

The CEPT exam focuses on and tests the ability to apply formal knowledge and skills in practice. Therefore, it is important to prepare not only by reviewing theory but also by getting valuable hands-on practice. The Information Assurances Certification Review Board (IACRB) offers an IACRB Training and Certification with practical examination, lab practica and hands-on exercises for mastering pentesting. However, this is definitely not the only available option for test takers. Great courses are also available from Infosec, an IACRB-approved training provider that offers a wide range of opportunities.

What’s more, “the Certified Expert Penetration Tester (CEPT) certification [learning] path teaches advanced hacking tools and techniques. Professionals will learn how to find and exploit vulnerabilities in software, how to circumvent common security controls and how to defend their organization against advanced persistent threats,” thanks to a series of mini-courses.

Conclusion

It’s a great time to pursue a career in pentesting: there is a global shortage of experienced and talented professionals capable of using hacking techniques to find system flaws in a targeted environment. Pentesters come from many different walks of life but all share the same passion for investigation and discovery as well as excellent technical skills. Proving their expertise to potential employers can be tricky, and a credential like CEPT or other related certifications can be a valuable proof of the professionals’ appropriate job experience and right skill set.

To gain such skills, training is key. Professionals preparing for CEPT can look for books  for formal knowledge as well as attend related conferences, such as Black Hat USA 2019. These are great occasions to meet like-minded professionals and keep abreast with the latest in the field. A number of training courses are also widely available.

 

Sources

Insider’s View of Certified Expert Penetration Tester (CEPT), The Ethical Hacker Network

Average Penetration Tester Salary, PayScale

Cyber Security Training and Certifications have Expanded Rapidly, Where Should you Focus?, Infosecurity