A penetration testing certification is an attestation by a third-party body that a tester has demonstrated the knowledge and capability to carry out penetration testing. The number and level of a tester’s certifications (and the aggregate qualifications across a team) influence the cost of a pen test: organizations should expect to pay more for a more highly qualified team.
But glancing through one pen test proposal after another, certification acronyms can blur into one.
How does one pen test certification compare to another? What do they really say about a tester’s skill and experience? How do you know if the certs are even up to date?
This article will examine the process of pen testing certification, compare the most popular certifications available and describe how they should be evaluated in the process of engaging penetration testing services.
- How Do Pen Testers Obtain Certification?
- How Often Must They Be Updated?
- The Top Penetration Testing Certifications Ranked
- 1) Certified Ethical Hacker (CEH) certification
- 2) GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- 3) GIAC Penetration Tester (GPEN) certification
- 4) Licensed Penetration Tester Master (LPT) Certification
- 5) CompTIA Pentest+ certification
- 6) Offensive Security Certified Professional (OSCP)
- 7) GIAC Web Application Penetration Tester (GWAPT) certification
- Knowing Who Exactly is Certified
- How Do You Weigh Experience?
- And Communication?
- Other Certifications Not Mentioned
How Do Pen Testers Obtain Certification?
A small number of well-known institutions offer cybersecurity certifications that are obtained by completing courses and passing examinations. Some institutions are known better within domestic or continental borders while others are recognized globally. The most recognized of these institutions are EC-Council, Global Information Assurance Certification (GIAC), CompTIA, Offensive Security, and the Information Assurance Certification Review Board (IACRB).
Entry-level penetration testing exams cover basic methodology: vulnerability scanning and analysis, identifying security flaws, and running a comprehensive vulnerability assessment. While these exams do require thorough knowledge, they are generally not difficult to pass for a tester who has even a small amount of hands-on infosec experience.
Advanced-level certifications cover topics such as custom fuzzing, identifying technical flaws that translate into business risk, and identifying attack paths against critical infrastructure components. Advanced-level exams typically assume, and in some cases formally require, years of hands-on experience in information security, and they are correspondingly much harder to pass.
How Often Must They Be Updated?
Most cybersecurity certifications expire after three or four years unless renewed through continuing education credits or re-examination; a few, such as the OSCP, do not expire at all.
The exams themselves are revised regularly and are referred to by version numbers. For instance, at the time of writing the current version of the Certified Ethical Hacker (CEH) is version 11, or CEH v11.
TIP: This means that a pen tester being CEH certified may not paint a complete picture of their skills. If their CEH is version 5, they may not have been examined on current tools or threats.
Organizations and hiring managers can confirm how current a certification is by checking the latest version on the issuing institution’s website. Most issuers (GIAC, Offensive Security and EC-Council among them) also provide a way to verify that a named individual actually holds a credential and that it is still active, so ask for certificate IDs rather than taking a proposal’s list of acronyms at face value.
When talking to penetration testing providers, it’s worth discussing the team’s qualifications and how they balance renewing certifications with in-house talent development. If the testers who will work on your project hold credentials that haven’t been updated, that may matter little if they’ve been building real-world testing experience and progressing within the organization.
The Top Penetration Testing Certifications Ranked
While there’s no single “best” certification, we prepared a ranking of the major certifications by comparing their industry usage, importance, and likely impact on a prospective tester’s abilities.
The ranking is as follows:
1) Certified Ethical Hacker (CEH) certification
Certified Ethical Hacker (CEH) is offered by EC-Council and is accepted and recognized by organizations across the globe. It is known for the breadth of its syllabus. In industry circles, it is a recognized first step for those wishing to build a career in penetration testing, and infosec more broadly.
Topics in the course include malware analysis, hacking challenges, emerging threats, and case studies. The exam itself is knowledge-based (multiple choice), lasting around 4 hours with 125 questions; a separate, hands-on CEH Practical exam exists, but the base CEH does not require it.
With EC-Council’s strong brand-name recognition and the popularity of the certification, the exam is priced at around $1,200 USD.
From the perspective of an organization contracting cybersecurity services, the CEH is nice to see but does not, in itself, convey a high level of skill or expertise in penetration testing.
2) GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
By comparison, the GXPN is an advanced certification that is much more difficult to obtain. The skills required include exploiting Windows and Linux targets, performing penetration tests, attacking networks, attacking cryptographic implementations, and being comfortable with tools and techniques such as Python, Scapy, and fuzzing.
Candidates are also expected to design custom fuzzing test sequences, and individuals who clear this certification can simulate and report on security threats professionally.
The GXPN is awarded after passing a 3-hour, 60-question exam, but, more than a knowledge test, the questions require extensive prior training and experience. A beginning pen tester will not have the skills to pass this exam. GIAC certifications usually cost around $2,500 USD.
From the perspective of an organization contracting pentest services, seeing a GXPN on the listed credentials of more than one member of a team is a strong indicator of the team’s skill and experience.
3) GIAC Penetration Tester (GPEN) certification
Another exam from GIAC, the GPEN is a penetration testing certificate that you can expect to see held by the practitioners actually performing the testing on an engagement, rather than by the people who merely scope or manage it.
The GPEN is a certification for practitioners with hands-on experience, usually active penetration testers within an organization. In GIAC’s own words, “Candidates are asked practical questions that require performance of real-world-like tasks that mimic specialized job roles.”
This certificate is also priced at $2,500 USD.
As far as hiring goes, decision-makers can classify the GPEN as slightly more significant than the CEH but carrying less weight than the GXPN.
4) Licensed Penetration Tester Master (LPT) Certification
The EC Council’s Licensed Penetration Tester Master is the most advanced penetration tester certification on our list. It demonstrates the highest level of expertise across the broadest range of testing skills and scenarios.
The LPT Master proves the candidate has mastered the deployment of advanced testing skills, including OS vulnerability exploits, SSH tunneling, multi-level pivoting, various host-based application exploits, web application exploits such as SQL injection, and parameter manipulation.
Unlike the certifications mentioned thus far, the LPT Master has no knowledge-test component: it is a fully practical exam conducted in virtual ranges with real targets, so the candidate must demonstrate skill in simulation scenarios modelled on real-life threats. Despite costing only $500 to obtain, the LPT is rare due to its difficulty.
It will be rare to encounter a team of testers with more than one LPT Master in it. Look for this qualification in a lead tester or test manager, and be impressed if any other members of a prospective team have it.
5) CompTIA Pentest+ certification
CompTIA offers a solid entry-level penetration testing certificate that is recognized by organizations across continents. The wide recognition is due to a comprehensive exam syllabus that covers all penetration testing stages from planning and scoping, to gathering and understanding legal requirements, to conducting vulnerability scanning and trying out various penetration testing tools.
Pentest+ recipients also learn how to produce an analysis report with technical recommendations. These are baseline skills that every security operations team expects of its analysts and penetration testers.
CompTIA Pentest+ is a basic, affordable pentesting certification priced at around $370 USD. For the purposes of assessing skill in a team, seeing CompTIA Pentest+ isn’t especially helpful. A tester without this certification but with a couple of years of testing experience may prove just as valuable to your project.
6) Offensive Security Certified Professional (OSCP)
This certification is offered by Offensive Security and introduces test takers to advanced penetration testing techniques with Kali Linux in an interactive lab environment, followed by a separate, dedicated exam environment.
The longest exam on our list: candidates get nearly 24 hours to compromise a set of target machines remotely while proctored via webcam, and a further 24 hours to submit a written report, for a total of about 48 hours.
Compared to the CompTIA Pentest+, the OSCP is more specialized and suits testers who will do the hands-on exploitation work on a red team. The OSCP does not emphasize the scoping and client-reporting side of penetration testing the way the Pentest+ syllabus does, although the OSCP exam itself does require a written report.
The OSCP is priced at around $800 USD. It makes the most sense to see OSCP credentials on the intermediate-level testers in a team. Its weight comes from being a proctored, hands-on exploitation exam rather than a multiple-choice test; the particular tool distribution used (Kali Linux) is incidental, since the same tools run on any platform.
7) GIAC Web Application Penetration Tester (GWAPT) certification
This is the only certification on the list that is solely dedicated to the penetration testing of web applications. If you are contracting for a test of a web app, the more GWAPTs you see in the team’s credentials, the better.
GWAPT is priced at around $2,000 USD. Cybersecurity vendors who invest in this certification have done so to demonstrate their specific ability in web app testing.
Knowing Who Exactly is Certified
Technical leads on your pentest will ideally hold more than one of the certifications above. The testers on a team should hold at least one. If it’s not clear which certifications are held by the people who will actually work on your test, ask for this information.
Be aware that a common practice among cybersecurity vendors is to advertise credentials like the ones above even if they are only held by the team lead. If only the team lead has the appropriate credentials, you must ensure that the same lead will be intimately involved in your test, not just overseeing a team of much less experienced testers who will do the most important work.
How Do You Weigh Experience?
While these credentials are undoubtedly valuable, choosing a vendor based solely on credentials is unwise. If the credentials of a pentest team look relatively slim, but they’ve come recommended, you can try to assess their experience by asking about similar projects this team has worked on, either in your industry or for companies of your type and size.
You can ask to review sanitized versions of reports they’ve written for past pen tests. This can give you a sense of the level of depth of their testing as well as the quality of their reporting.
You can ask generally about the types of tests they’ve worked on recently. One place you may notice the difference in experience between penetration testers is in their explanation of the reasons why. One tester may be able to tell you that they will run a particular test with a particular method in search of a particular vulnerability. A better tester will be able to tell you why that particular method is important, and why it’s worthwhile to search for that particular vulnerability over others.
As far as quantifying experience, raw number of years does matter to some degree. Threat environments are constantly changing, and pen testers who have been active in the field for 5+ years will have a depth of perspective and a level of foresight that newer testers will not. This experience may not show itself during the test itself, but it becomes very clear in the quality of the recommendations for remediation and structural improvement made once the test is complete.
And Communication?
The communication skill and style of a testing team is the most underrated feature of their service. When it goes right, your test can run smoothly and the test report can be actioned effectively. Unfortunately, no pen test certification will demonstrate your tester’s ability to communicate clearly, either with your in-house team during a test or in their reporting afterward.
Assessing a vendor’s ability to communicate their processes and findings can be done by reviewing sanitized versions of testing reports they’ve prepared for other companies. In these, you will sense both the depth of their communication and the clarity. Are technical concepts explained simply? Are test results described as well as their business implications?
In assessing this you can also enquire as to the who and how of communication in a pentest company. Who on their team will write the test report and make recommendations? How will they communicate with your team during a test, and will this fit with your team’s workflow? How will unexpected issues be dealt with?
The more of these blanks you can fill in with a vendor pre-engagement, the smoother your pentest is likely to run.
Other Certifications Not Mentioned
This overview has focused on the most common and important penetration testing certifications but it has not covered them all. A final couple worth noting include:
CEPT: Certified Expert Penetration Tester (issued by the IACRB, with training offered by the Infosec Institute)
This is a short, intermediate-level certification that focuses mostly on network penetration testing methodology. Testers with a CEPT have proven their ability to use Metasploit’s interchangeable payloads, to write exploits, and to use both manual and automated techniques to uncover vulnerabilities. The CEPT is available as a bundle of training courses through the Infosec Institute for as low as $599/year.
ECSA: EC-Council Certified Security Analyst
The Certified Security Analyst is a penetration testing certification that demonstrates broad, but not deep, experience with penetration testing techniques for networks, web apps, cloud services (e.g. AWS penetration testing), and databases. It includes in-person training and is available for $749.