We have decided to make another blog post around this topic as we receive a lot of questions daily around Pentesting Certifications from students, college grads and other IT consultants. Now if you want to offer Penetration Testing services, which certifications should I possess?

The answer is tricky. There is no international standard like with vendor certifications from Cisco, Juniper and the likes. The main question is, where do you want to conduct Pentests / where are your customers?

United States

The EC Council and the relevant certifications Certified Ethical Hacker (CEH) and Licensed Penetration Tester (LPT) are usually required for US engagements. We have also seen that companies recognise the value of the Offensive Security Certifications (OSCP, OSWP etc.) because those certs really show practical skills and the exams are 100% hands on. Mile 2, GIAC/GPEN are also gaining momentum in the US. As the US typically sets the benchmark for IT innovation and certification, those exams are a good starting point for Pentesters. As for exam fees, the CEH is around $500 USD for the exam, Offsec around $1200 for the training, lab access and the exam.

Rest of the world (Latin America, Africa, Asia, Oceania and Europe (except the UK)

The certifications which are typically asked for anywhere else in the world are the CEH and LPT from EC Council. Offensive Security also gets more and more attention outside North America.

UK

Unfortunately they run their own country specific certification program called CREST. The content is very much alike the one from the EC Council but it’s a UK certification only. The problem with CREST is that a lot of the UK businesses require that certification for a Pentest engagement, whilst it’s completely unknown and unrecognised anywhere else in the world except for Australia. So if you are a Pentester in the UK, you have to get CREST certs for UK work and the other international ones in case you want to do engagements in mainland Europe, North America or elsewhere. We recently wanted to engage a highly skilled CREST certified contractor from the UK for a US client with offices in Europe, but the customer did not accept CREST, so we had to swap consultants on this engagement. Also the pricing is very expensive ranging from around $600 USD to $2500 USD per single exam.

Summary

It’s not as straight forward as with vendor certifications or internationally accepted certs like the CISSP. Like with all certifications, nothing beats real world experience but you need to have some certifications under the belt to give customers and employers a comfort blanket. Personally we think that the Offensive Security Certifications are the best ones in the field, as they are really touch hands-on exams rather than multiple choice questions.

Share
 

Comments are closed.