As more organizations turn to penetration testing for identifying gaps in their defense systems, the demand for skilled penetration testers has been growing. While other types of security practitioners can probe information systems and networks for their vulnerabilities, pentesters are highly specialized, trained to think like hackers when exploiting security weaknesses.
CyberSeek (a project of the National Initiative for Cybersecurity Education) included vulnerability analysts/penetration testers on its list of the top nine most-in-demand cybersecurity job titles in 2019-2020 for the United States. According to CyberSeek, there were 15,386 job listings in this field from June 2019 to May 2020 (out of a total of 507,924). For comparison, there were 33,432 openings for cybersecurity analysts, another mid-level security job that has historically been one of the highest in demand.
While there is a shortage of cybersecurity talent in general, penetration testing is one of the jobs that companies seem to have particular difficulty hiring for. The (ISC)2 2019 cybersecurity workforce study showed that penetration testing was one of eight areas where organizations with 500 or more employees were understaffed.
If you’re interested in a career path as a penetration tester, you will need a mix of technical hands-on skills and broad cybersecurity knowledge. Obtaining a specialized certification is one way to gain the technical skills while at the same time proving those skills to a potential employer. Here are some of the options for pursuing a pentesting certification.
EC-Council Certified Ethical Hacker (CEH)
The EC-Council (International Council of E-Commerce Consultants) bills itself as the “world’s largest cybersecurity technical certification body.” Its Certified Ethical Hacker cert is a comprehensive certification that is designed to teach you to think like a hacker. The cert is valid for three years.
To be eligible for the four-hour certification exam, candidates must either attend official training or be approved via an application process. You also need two years of experience in the information security field.
The official CEH training program includes 20 modules covering different security domains and more than 300 attack technologies. The program includes more than 140 labs that mimic real-time scenarios and access to more than 2,200 commonly used hacking tools.
The goals of the program are to help you to:
- Master an ethical hacking methodology
- Grasp complex security concepts
- Learn how to scan, hack, test and secure an organization’s information systems
EC-Council Licensed Penetration Tester (LPT) Master
Licensed Penetration Tester Master is an expert-level EC-Council certification (by comparison, CEH is considered core, or beginner). Unlike the CEH certification, LPT Master doesn’t have predetermined eligibility criteria for candidates. Recertification is required every three years.
The purpose of LPT Master is, in the words of EC-Council, “to differentiate the experts from the novices in penetration testing.” Accordingly, the exam itself is 18 hours long. Here’s an overview of the exam:
- You progress through three different levels, each containing three challenges, in real-life scenarios involving a hardened infrastructure. Each level is a six-hour exam
- You have a limited time to work against a multi-layered network architecture that has defense-in-depth controls
- You must make multiple decisions related to what exploits and approaches to use as you maneuver through the network and web applications in an attempt to exfiltrate data
IACRB Certified Penetration Tester (CPT)
The Information Assurance Certification Review Board (IACRB) is an industry standards organization that offers a variety of certifications. Certified Penetration Tester is a two-hour exam designed to demonstrate working knowledge and skills in pentesting.
CPT focuses on nine domains:
- Pentesting methodologies
- Network protocol attacks
- Network recon
- Vulnerability identification
- Windows exploits
- Unix and Linux exploits
- Covert channels and rootkits
- Wireless security flaws
- Web app vulnerabilities
Like other certs from the IACRB, CPT is valid for four years.
Certified Expert Penetration Tester (CEPT)
Another IACRB cert, Certified Expert Penetration Tester demonstrates expert knowledge in the pentesting field. The IACRB defines an expert pentester as “a person who is highly skilled in methods of evaluating the security of computer systems, networks and software by simulating attacks by a malicious user.”
The definition goes on to say: “The process involves an active analysis of the system for any potential vulnerabilities that may result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses in process or technical countermeasures. An expert penetration tester should additionally possess the ability to discover and reliably exploit unknown vulnerabilities in targeted software and systems.”
Like the CPT, the two-hour CEPT exam includes nine domains. However, most of these domains are different from the CPT ones. The CEPT domains are:
- Pentesting methodologies
- Network attacks
- Network recon
- Windows shellcode
- Linux and Unix shellcode
- Memory corruption and buffer overflow vulnerabilities
- Exploit creation for Windows architecture
- Exploit creation for Linux and Unix architecture
Certified Mobile and Web Application Penetration Tester (CMWAPT)
Certified Mobile and Web Application Penetration Tester, offered by the IACRB, includes eight domains that are specific to mobile operating systems and web apps. The two-hour exam focuses on:
- Mobile and web application pentesting process and methodology
- Web app vulnerabilities
- Web app attacks
- Android app components
- Android app attacks
- Components of iOS apps
- Attacks on iOS apps
- Secure coding principles
Certified Red Team Operations Professional (CRTOP)
Red Team engagements are similar to pentests, but they typically require a larger-scale approach involving more people who dig a lot deeper than typical pentesters. IACRB offers the Certified Red Team Operations Professional cert for those who want to demonstrate their skills at performing a comprehensive Red Team assessment.
The two-hour exam covers seven domains:
- The roles and responsibilities of the Red Team
- Assessment methodology for Red Teams
- Physical recon tools and techniques
- Digital recon tools and techniques
- Vulnerability identification and mapping
- Social engineering
- Red Team assessment reporting
CompTIA PenTest+
CompTIA’s PenTest+ is a relative newcomer among pentesting certs, but CompTIA is well known in the industry for a host of other IT and security credentials. PenTest+ is designed to test “the latest penetration testing and vulnerability assessment and management skills that IT professionals need to run a successful, responsible penetration testing program,” according to CompTIA.
As with other CompTIA exams, PenTest+ is a combination of multiple-choice questions and hands-on, performance-based ones. The exam covers five basic areas:
- Planning and scoping: Key aspects of compliance-based assessments and planning
- Pentesting tools: Working with Bash, Python, PowerShell and Ruby scripts
- Info-gathering and vulnerability identification: Performing a vulnerability scan and analyzing the results in preparation for exploitation
- Attacks and exploits: Exploiting different types of networks, apps and other vulnerabilities
- Reporting and communication: Creating reports and recommending mitigation techniques based on best practices
Global Information Assurance Certification (GIAC) Penetration Tester (GPEN)
The GIAC Penetration Tester (GPEN) credential is one of the pentesting certifications offered by GIAC. Part of SANS, GIAC is considered a leading authority for a variety of certs. GPEN focuses on pentesting methodologies and best practices, as well as legal issues around pentesting. The cert is valid for four years.
During the three-hour exam, candidates must demonstrate knowledge in the following areas:
- Advanced password attacks
- Advanced password hashes
- Exploitation fundamentals
- Escalation and exploitation
- Metasploit framework
- Moving files with exploits
- Password attacks
- Password formats and hashes
- Pentesting planning
- Pentesting using Windows PowerShell
- Scanning and host discovery
- Vulnerability scanning
- Web app injections
- Web app recon
- XSS and CSRF attacks
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
A higher-level credential from GIAC than GPEN, the GIAC Exploit Researcher and Advanced Penetration Tester doesn’t require specific training or practical experience to take the exam. You need to demonstrate that you can conduct advanced pentesting and can model advanced attackers in uncovering significant security flaws. Candidates also need to demonstrate how these security flaws translate into business risks.
The exam focuses on areas such as accessing the network, using advanced fuzzing techniques, exploiting clients and networks, identifying common crypto weaknesses, manipulating networks and using shellcode and Python scripts.
Offensive Security Certified Professional (OSCP)
Offensive Security specializes in pentesting training and certifications. The Offensive Security Certified Professional credential demonstrates a comprehensive mastery and practical understanding of pentesting.
Unlike most other certs, OSCP is 100 percent hands-on and can only be obtained by taking a course from Offensive Security, “Penetration Testing with Kali Linux.” After course completion, candidates take a 24-hour exam that simulates a real-world scenario. The exam consists of a virtual network with different targets that have various operating systems and configurations; candidates are expected to research the network, identify vulnerabilities, execute attacks and then present a pentesting report.
How to choose a certification
This is only a sample of the options available for pentesting credentials, rather than a comprehensive list. As with any security certification, you should research all your choices carefully before deciding which one is best for you. While your skill level may limit which programs you qualify for, other criteria you may want to consider (outside of cost) are recertification requirements, rigor and the industry validation of the credentialing body.
- The Life and Times of Cybersecurity Professionals, ESG/ISSA
- The 3 most in-demand cybersecurity jobs in 2017, TechRepublic
- Application Eligibility Process, EC-Council
- Certified Ethical Hacker Certification, EC-Council
- Licensed Penetration Tester Master Certification, EC-Council
- Certified Penetration Tester Certification, IACRB
- Certified Expert Penetration Tester Certification, IACRB
- GIAC Penetration Tester (GPEN), GIAC
- Certified Mobile and Web Application Tester Certification, IACRB
- Certified Red Team Operations Professional (CRTOP) Certification, IACRB
- CompTIA PenTest+, CompTIA
- GIAC Exploit Researcher and Advanced Penetration Tester, GIAC
- Offensive Security Certified Professional Overview, Offensive Security