Penetration testing involves evaluating a computer system, network, or web app for potential vulnerabilities. It’s the craft of using complex attack scenarios, first to find vulnerabilities and then exploit them toward the goal of moving deeper into the enterprise infrastructure. This guide will introduce you to some of the top penetration tester certifications and help direct your research into which may be the best cert for your situation.
Gartner says pen testing goes beyond vulnerability scanning to mimic how advanced targeted attacks work. It provides visibility into collections of vulnerabilities and misconfigurations that could enable an attack. At a minimum, security teams can use penetration testing to prioritize remediation of the highest-risk vulnerabilities.
Holding a professional certification that validates your knowledge and proficiency in conducting pen tests sets you apart from other cybersecurity workers in a meaningful way.
What are the top penetration tester certifications?
The list of certifications relevant to penetration testing presented here is not intended to be exhaustive. There are certainly others that students may want to research on their own. This guide presents the top five pen tester certifications in a format intended to compare critical aspects easily.
Certified Ethical Hacker (CEH): CEH is arguably the best known of all the available EC-Council certifications—there are over 25 of them. EC-Council created the CEH to indicate that the practitioner understands how to look for weaknesses and vulnerabilities in computer systems and is proficient with the tools used by a malicious hacker. Entry-level security practitioners often consider this certification.
GIAC Penetration Tester (GPEN): The GIAC Penetration Tester certification validates a practitioner’s ability to complete a penetration test using best practice methods and techniques. GPEN certification holders demonstrate the knowledge and skills to conduct exploits, engage in detailed surveillance, and use a process-oriented approach to penetration testing projects.
Licensed Penetration Tester (LPT) Master: Another pen tester certification offered by EC-Council is designed to validate top-notch experts in penetrating the most hardened systems in the world. Candidates for this certification will have their pen testing skills challenged against a multi-layered network architecture with defense-in-depth controls. The test measures their ability to make decisions under immense pressure at critical stages while selecting their approach and exploits.
Offensive Security Certified Professional (OSCP): OSCP is an ethical hacking certification offered by Offensive Security (OffSec). Holding this certification validates a professional’s knowledge of penetration testing methodologies using tools inherent in the Kali Linux distribution. Kali is an open-source, Debian-based Linux distribution that enables security and IT professionals to assess the security of their systems. Ideal candidates are experienced infosec professionals who wish to transition into pen testing.
PenTest+: CompTIA PenTest+ is a comprehensive certification covering the various penetration testing stages. Unlike other penetration certifications, PenTest+ includes aspects of vulnerability management, scanning, and security data analysis. It is well suited for early-to-mid career cybersecurity professionals.
Holding a pen test certification indicates the holder has acquired essential skills required to work in the following roles, among others:
- Security Analyst
- Computer Forensics Analyst
- Security Specialist
- Penetration Tester
- Security Engineer
- Security Code Auditor
- Malware Analyst
- Security Consultant
What are the requirements for certification?
Penetration tester certification requirements, of course, vary for each certification. Not all of them require candidates to have specific work experience or penetration testing prerequisites. Nearly all professional organizations offering these certificates offer formal training courses to prepare students to take their penetration tester certification exam. Private companies also provide pen test preparation classes.
CEH: EC-Council awards CEH certification to candidates who pass the CEH exam. To be eligible to sit for the exam, a candidate must either have a minimum of 2 years of work experience in the InfoSec domain or have successfully completed an official EC-Council CEH preparation course. Employers often consider the CEH to be an entry-level certification. Earning a CEH is a great way to begin a career in InfoSec.
GPEN: GIAC is affiliated with the SANS Institute. SANS is the training arm for GIAC certifications. They offer live-online and on-demand courses to meet the specific needs of professionals planning to sit for the GPEN and other credentials. SEC560 is the preferred penetration test course offered by the SANS Institute. SANS expects attendees to have a working knowledge of TCP/IP and a basic knowledge of the Windows and Linux command lines before they come to class. It is important to note that SANS does not require students to be proficient in a programming language for the course.
LPT (Master): There are no predefined eligibility criteria for those interested in attempting the exam. EC-Council strongly recommends candidates try the CEH (Practical) or ECSA (Practical) exam before attempting the LPT challenge. EC-Council promotes this certification as one of the most demanding pen test certifications.
OSCP: OffSec states that candidates for the course leading to OSCP certification should have a solid understanding of TCP/IP networking, reasonable Windows and Linux administration experience, and familiarity with basic Bash or Python scripting.
PenTest+: There are no required prerequisites to be eligible to sit for the PenTest+ exam. However, CompTIA designed this certification to follow their Security+ or Network+ (or equivalent knowledge) with 3-4 years of hands-on experience.
How much do penetration tester certifications cost?
The overall cost of preparing for a penetration tester certification will vary depending on the candidate’s prior knowledge and experience. A candidate with minimum practical expertise and experience can choose a comprehensive course to help them prepare for the exam. In contrast, a seasoned candidate may only need to brush up using a few books or videos.
CEH: All exam applicants have a $100 non-refundable application fee. Once the application is approved, a candidate must buy an exam voucher from the EC-Council Online Store or an authorized training partner. EC-Council does not set a minimum exam voucher price for its authorized partners; however, a voucher costs $1,199.00 from the EC-Council Store.
GPEN: The cost to sit for the GIAC GPEN certification exam is $949. This price includes two practice tests. The recommended SANS SEC560 training course is $7,640.
LPT (Master): The training offered by EC-Council for LPT (Master) and Certified Penetration Testing Professional (CPENT) is the same. Whether the candidate ends up with the LPT (Master) or the CPENT is determined by their score on the exam. The live online training course is $3,499.
OSCP: The exam (labeled PWK) and its certification, the OSCP, are offered by OffSec as part of the PEN-200 training course. The PEN-200 self-guided Individual Course is $1,499. It includes 90 days of lab access and one exam attempt. The Learn One subscription is $2,499/year and provides lab access for one year and two exam attempts. A Learn Unlimited subscription costs $5,499/year and includes all OffSec Training Library courses and unlimited exam attempts.
PenTest+: The cost to sit for the PenTest+ exam is $381. CompTIA offers a PenTest+ exam eLearning Bundle for $949. This bundle includes an exam plus retake voucher and CertMaster Learn + Labs. Other bundles are also available.
Deep dive into penetration tester certification exams
CEH: The CEH exam is a 125-question multiple-choice exam. Candidates have four hours to complete the exam. Since all questions are multiple-choice, test-takers rarely run out of time during the exam. Many candidates report needing only two to three hours to complete this test.
GPEN: The GPEN certification exam is a web-based proctored 82-question test. Candidates have three hours to complete the exam, and a passing score is 75 percent.
LPT (Master): To earn the LPT (Master), candidates must score at least 90 percent on the 24-hour exam. EC-Council acknowledges that making that score is rare. Candidates must show they can deploy advanced pen testing techniques and tools, including multi-level pivoting, OS vulnerabilities exploits, SSH tunneling, host-based application exploits, privilege escalation, and web server and web application exploitation such as arbitrary local and remote file upload, SQL injection, and parameter manipulation. The certification test is timed and under the watchful eye of an online proctor.
As a consolation for those scoring above 70 percent but below the required 90 percent, EC-Council awards the less arduous CPENT.
OSCP: The OSCP test preparation PEN-200 course is unique because it combines traditional course materials with hands-on simulations in a virtual lab environment. The exam simulates a live network in a private VPN containing a small number of vulnerable machines. Candidates have 23 hours and 45 minutes to complete the exam. Once test takers have finished the exam, they have an additional 24 hours to upload the required documentation.
PenTest+: The CompTIA PenTest+ uses a maximum of 85 performance-based and knowledge-based questions to certify that the successful candidate has the knowledge and skills required to plan and scope a penetration testing engagement. Candidates have 165 minutes to complete the performance-based and multiple-choice questions. CompTIA awards the PenTest+ certification to candidates with a passing score of 750 on a scale of 100-900.
Penetration tester salary information
The security industry highly values penetration tester professional certifications, and jobs that require or prefer these certifications pay high salaries. A review of the top employment websites shows that wages for positions that often require these certs pay from $75,611 to $172,000.
Security Analyst: Glassdoor estimates total pay for a Security Analyst is $108,453 per year in the United States, with an average salary of $75,611 per year.
Computer Forensics Analyst: ZipRecruiter puts the average annual pay for a Computer Forensics Analyst in the United States at $111,406 a year, with some salaries as high as $172,500.
Security Specialist: Salary.com says the average Security Specialist salary in the United States is $59,452, but the range typically falls between $48,597 and $73,983.
Penetration Tester: According to the job site Indeed, the average salary for a penetration tester is $119,160 per year in the United States.
Security Engineer: Payscale cites the average security engineer salary at $96,327.
Security Code Auditor: ZipRecruiter sees the average annual pay for a Cyber Security Auditor in the United States as $77,800 yearly. The majority of cybersecurity auditors’ salaries range between $65,500 currently. They note some are as high as $117,500 and as low as $35,000.
Malware Analyst: Salary.com says the average Malware Analyst in the United States earns $93,875, but the salary range typically falls between $83,495 and $103,601.
Security Consultant: According to Indeed, the average salary for a security consultant is $77,124 per year in the United States.
The Bureau of Labor Statistics states that the job outlook for Information Security Analysts, a category that often includes penetration testers, is expected to grow 31 percent from 2019 to 2029. This anticipated increase is much faster than the average rate of job growth.
As the introductory paragraph indicates, this guide presents five options for pen tester credentials, not a comprehensive list. As with any professional certification, you should carefully research your choices before choosing which one is the best for you. Your skill level may define which programs you qualify for. There are other criteria you may want to consider, such as recertification requirements, rigor, and the industry recognition of the credentialing organization.