Essential training and education for some areas of cybersecurity involve earning a respected professional certification. This is because there are no degree programs that adequately cover this material. In addition, certifications can be earned fairly quickly in comparison to a degree, allowing professional information security skill sets to grow fast.
This article compares and contrasts two certifications for penetration testers: the GIAC Penetration Tester (GPEN) certification and CompTIA’s PenTest+ certification. Each certification is examined separately, covering its prerequisites, the material it covers and the exam details. The article concludes with a verdict on which certification you should choose for yourself.
GPEN is a vendor-neutral penetration testing certification and one of the most popular penetration testing certifications available today. It was created to help certify the knowledge and skills required of information security professionals who are tasked with finding security vulnerabilities within organization networks.
The certification does a thorough job of covering the pentesting methodologies and technologies a professional will frequently use, as well as the non-technical and legal issues surrounding this sub-discipline of cybersecurity.
Unlike many other certifications, GPEN does not have strictly enforced prerequisites. With that said, GPEN candidates will still need a firm understanding of Windows operating systems, Linux (including command line), networking (including TCP/IP protocols) and cryptography.
Material covered by GPEN
Unlike many other certifications, GPEN’s material is separated by topic areas instead of domains of knowledge. The topic areas GPEN covers are:
- Advanced password attacks
- Advanced password hashes
- Exploitation fundamentals
- Escalation and exploitation
- Metasploit framework
- Moving files with exploits
- Password attacks
- Password formats and hashes
- Pentesting planning
- Pentesting using Windows PowerShell
- Scanning and host discovery
- Vulnerability scanning
- Web app injections
- Web app recon
- XSS and CSRF attacks
GPEN exam details
Certification candidates are required to pass a certification exam before they can earn this certification. Online registration is required before a candidate can sit for the exam, which carries a hefty exam fee with it.
The certification exam contains 115 questions and candidates will have three hours to take it. A passing score is 74%. Certification holders will have to renew their certification every four years.
GPEN’s opponent in this contest is CompTIA’s PenTest+ certification. PenTest+ is still a relatively new certification, meaning this may be some candidates’ first encounter with this certificate.
Like GPEN, PenTest+ is vendor-neutral and designed by subject matter experts (SMEs) in pentesting and ethical hacking. What makes PenTest+ unique is that it is partly based upon cybersecurity industry survey results. This gives PenTest+ heightened real-world applicability compared to other certifications.
CompTIA says that there are no “required” prerequisites for this certification, but it certainly carries some strong recommendations. Certification candidates should have already earned Network+ and Security+ (or at least have the requisite knowledge) and have three to four years of hands-on information security experience. (I would say the years of hands-on experience are the most important because of the hands-on aspect of the certification exam.) This makes PenTest+ an intermediate pentesting certification.
Material covered by PenTest+
PenTest+ divides the material it covers into five domains of knowledge. These domains are:
- Planning and scoping: Explores compliance-based planning and assessments and focuses on the key aspects of each
- Penetration testing tools: Tools covered include Python, Bash, PowerShell and Ruby scripts
- Information gathering and vulnerability identification: Includes performing vulnerability scans and analysis of scan results to prepare for exploits
- Attacks and exploits: Examines exploits for network, app and other vulnerabilities
- Reporting and communication: Includes best practices-based mitigation techniques
This certification does not just focus on the technical aspects of pentesting, but rather focuses on the entire process of pentesting. The material covered also includes vulnerability assessment and management skills that other certifications tend to overlook.
PenTest+ exam details
PenTest+ certification candidates must pass a certification exam composed of multiple-choice questions and hands-on, performance-based questions. The exam lasts 165 minutes and contains 85 questions, and candidates will need to earn 750 points on a scale of 100-900 to pass. The registration fee is relatively paltry compared to other certification exams (but is standard for CompTIA).
To be fair, both certifications would be great career-boosting credentials for information security professionals. However, given the differences between the two certifications, PenTest+ is the stronger certification.
First, GPEN has no prerequisites, which means that a highly competent pentester with no experience could earn the certification, which is not the case with PenTest+. In terms of material covered, PenTest+ does a better job by covering the entire pentesting process with the addition of vulnerability assessment and management knowledge and skills, as well as the industry insight that pentesters will need.
Finally, PenTest+ technically requires a few more years of experience than GPEN. This can be argued as strengthening the certification, as it is for information security professionals with a little more experience.