The OSCP has been the suggested “go to” certification for penetration testers since I have been in the infosec field; almost been six years as of this writing. At one time, it was the only pen tester certification around. We used to call it the “hacker high school diploma.”
To this day, I still suggest this to budding practitioners. But the question is, with so many other fish in the pen tester certification pond, is the OSCP still worth the effort or are there better options?
This post will examine the OSCP to determine if it is still the most viable entry-level certification for breaking into the ethical hacking field.
*Fun fact, the certification was release in 2006 under the name “Offensive Security 101.”
What makes a certification good?
Before we get too deep, let’s determine what qualifies a certification as “good.” Without argument in my mind, the top trait is that the certification study process teaches heaps of new information, and the credentials themselves sparkle on the resume. When I say sparkle, I refer to the credential catching the reader’s eye, such as HR managers and interviewers.
Entry-level people and people transitioning between skillsets look at certifications as an excellent way to land an interview. It works to bridge the gap between the experience required and the skills they have obtained. The higher the recognition of the certification quality, the higher the chance of landing an interview. We will look at how well the OSCP is recognized compared to other certification options.
As an entry-level certification, you need something that will set you apart from other candidates. Learning is another facet of the certification process. You need something that will show you have some skill behind the keyboard.
We need to focus on certifications that hit both qualities because your time is limited, and you have so much ground to cover. You can’t afford to waste time studying for one certification that looks good on paper and another that teaches you the knowledge you need.
Let’s talk a little bit more about the learning element. It is my belief that any good technical certification contains a healthy set of lab material. To take that statement further, I think you should spend the majority of your time in the lab with a pen testing certification. Trust me, you can’t do a proper assessment with only a theoretical understanding. You need to, no shit, practice the skills over and over until the methodology and techniques stick. With hacking for a living, the methodology is vital.
Moving on to the certification exam, it should be a hands-on and test that you understand the material. The issue with theoretical exams like CompTIA is easy that just about anyone can memorize concepts. But applying them in real-world settings is another matter. This is why so many pen test interviews involve a mini-CTF. Talk is cheap. Businesses want to know if you can do what you say you can do.
What other options are out there?
Let’s take a look at the competitor landscape!
There are several other training providers out there besides Offensive Security for those of the red inclination. You have SANS, CompTIA, EC-Council, eLearnSecurity/INE, Mosse Cyber Security Institute, Pen Tester Academy, Zero Point Security, Mile2, ISECOM, CREST, IACRB, SEC Institute, GAQM, and TCM. Definitely more than just the OSCP. But, honestly, I’ve only heard of about half of these companies. I love when I learn stuff while researching for my blogs.
If you would like to see the entire list of certification bodies, check out Paul Jerimy’s awesome [cyber] security roadmap. What’s fantastic is that it covers more than just pen testing and is regularly updated. The last update was July 2021. There are just so many now! I am grateful someone is taking the time to keep up with all the certifications out there.
Thank you Paul!
We won’t go through all of these in this post, but I will reference organizations on the list as we discuss the OSCP.
What do certifications tell hiring managers?
One of the benefits of certifications to hiring managers is that the piece of paper tells them that you hit a certain baseline as a candidate. For CompTIA, it tells them you have a conceptual understanding. For CEH, the same. But if you have the OSCP, they know the exam was no small feat.
Successfully completing recognized exams says that you can apply the knowledge you learned and know fundamental penetration testing methodology. That you have a toolbox loaded with basic techniques. And that at a minimum, you can do a basic pen test.
But let’s be real for a moment. A certification will never just get you a job. Most organizations take the approach of, “trust but verify.” You say you have the skills, now show me in a CTF.
Companies will never just rely on certifications before offering you a job because there will always be cheating. Questions of exam integrity have always plagued the certification industry. Expect that most exams are now proctored. This extra step increases the trust that you indeed have the skills associated with your piece of paper.
In reality, exams only tell employers that you likely have a set of skills they are looking for. The interview and practical tests help prove your claim.
How good are the OSCP labs?
Offensive Security definitely takes a unique approach to teach students. You get a bunch of videos, a lab manual, and access to the labs.
Most study processes look like the following:
Sounds scary, but it is a fun ride. Offensive Security’s approach is to teach you self-sufficiency, which is a necessary skill. In the real world, walkthroughs don’t exist. You have to rely on your knowledge and skills.
Honestly, If you understood all the material and got stuck on a machine, the hints were enough to spur you in the right direction. Unlike other certifications, the OSCP is more self-taught. You have to have grit to push through obstacles and keep going when you are completely lost. Hence the motto, “Try Harder.”
For me, this approach works well. I like the self-guided approach to learning and the ability to explore topics that are interesting to me. The ability to listen to videos at times two speed or skip over stuff I already know. It’s just more time-efficient.
As a personal aside, my knowledge went up by a factor of ten during my studies. For reference, before taking the exam, I had already claimed NET+, SEC+, GSEC, GCICH, GWAPT, GPEN, GXPN, SSCP and eJPT. Not to say that you need to but to show that I had a bunch of theoretical knowledge. The OSCP forced me to put it into practice. It put all my prior knowledge together and expanded my understanding.
This style of hands on labs forces you to seriously think about the material you are learning and apply the knowledge in different ways. Forces you to focus on a problem until you solve it without leaning on a lab guide.
I have a problem, and many of you may have the same. If I have a lab guide as a crutch, I am going to use it. This prevents real learning from taking place for me. You aren’t making your brain truly digest the data you are putting in it.
Another benefit of this style of lab is that you are working through a whole problem set. What I mean by this is that you aren’t just learning a single new skill and moving on. The problem set is getting user access and then root. You learn multiple things on each machine, continuously reinforcing old knowledge as you go.
To me, this was the most significant benefit. I began to see how different techniques work together and how knowledge gained from one attack could be chained with another. This was a huge revelation. You don’t get this with SANS or CompTIA.
How do the labs compare to other certifications?
eLearnSecurity/INE does a hybrid-style lab. They teach you one technique at a time in small lab environments. Then provide a few freestyle machines at the end. You can use the last few machines to practice the whole attacker methodology. I am actually a huge fan of eLearnSecurity. I think they strike a nice balance with videos, reading material, and labs. And the quality is pretty solid for the price. You will hear me talk about them all the time on this blog.
Zero Point Security also offers labs with minimal guidance. Forcing you to think through the material and research some. Their certification isn’t really entry-level, though. I consider this as an intermediate-level certification to help develop red team skills and your ability to work more surreptitiously on an engagement. Big fan of them as well 😊. However, this one is out because it is not an entry-level certification.
CompTIA doesn’t have practice labs. You have to rely on a third party to provide these. Like many of their other exams, the PenTest+ tests only theoretical knowledge. Based on the covered material, their exams are out of running. But I am a fan of using the study material as a primer for your hacker soft skills.
EC-Council focuses on individual skills like many of the eLearnSecurity labs. I have no personal experience with their training, but I have several friends who have taken the CEH. According to them, there were not enough labs to cover the skills taught in lectures. However, the CEH isn’t considered an entry-level pen-testing cert. It is more of a primer like the PenTest+. The pentesting certs would be the CPENT and LPT. I don’t know anyone who has these qualifications, so I had to rely on reviews. According to Belly Rachdianto, there isn’t step-by-step guidance for CPENT (entry-level of the two) labs. You have to work through them yourself. Additionally, the exam reads to be skill-driven instead of theoretical.
I think I will come back later with a blog on some of the other options. Perhaps I will even take the courses for fun to provide my own insight. But, these are the certifications I came across the most on job postings.
What certifications are the best according to job boards?
My opinion is that no other certification is held in as high regard for pen testing as the OSCP. So, let’s prove it with job boards. Below is a chart of all certifications under the penetration testing column from Paul’s Jerimy’s road map.
Yes, I know there is a flaw with my approach. The flaw is that I have no way of knowing if the job results are related to pen testing.
I have compensated for this issue in a few ways. If there were only a few pages of results, I would check each job title for a relationship to cyber security. If the first 3 pages had zero results related to cyber security, I marked the results as zero. However, if there were mixed results with other career fields, I calculated a ratio from the first two pages. I then applied the proportion to the total results for an estimated count.
I know this is not the most scientific approach, but this is a blog, not a scientific journal. I suspect we will see overwhelming results for well-recognized certifications.
So what were the results?
Based on these results using the total combined results, CEH is a clear leader with 11,681 results. Second place is CPT and OSCP comes in with the Bronze.
Now let’s interpret these results a little. Remember that not all the results are related to pen tests, and just because CEH is at the top doesn’t mean you should run out and get it. Yes, I am going to steal CEH’s thunder a little bit. CEH actually shows up all over the place for cyber security: analysts, leadership, engineers, etc. Out of the first three pages of job results, only three postings had penetration testing or red team in them. So yes, the certification is well recognized in the cyber security field but maybe not so much but pen testing hiring managers.
The CPT is out of the left field for me. What is weird about the results is that only LinkedIn job posting showed an interest in the certification. I honestly know nothing about the exam or the governing body, IACRB (Information Assurance Certification Review Board). Based on information from their site, all of the exams are multiple-choice. To me, this screams they are like CompTIA and CEH.
Based on the two reviews I read, things are equally unclear. One guy said that the organization was non-profit but his research on IACRB didn’t corroborate their story. The other guy enjoyed the material, stating that the exam was part practical and part hands on. Based on the other search results, not many people have taken the exam and reviewed the course. However, I would love to hear other people’s thoughts. If you have taken the CPT please reach out to me.
I went back to validate my results for CPT on LinkedIn, this time I did two keyword searches: one for “cpt red” and “cpt penetration.”
“cpt red” – 36
“cpt penetration” - 84
These results tell a whole different story. The certification isn’t at the top of the results now, but it is competitive.
I wanted to be fair since I went back and recounted the vote per say. So below are the top 20 with results for the certification acronym and penetration in LinkedIn.
So based on new LinkedIn searches, CEH is holding firm at the top. And the OSCP is up there as well, with three GIAC certs rounding out the rest of the top five. I may have knocked the CEH as not being a quality pen test certification but damn, if it isn’t well recognized.
Summary of findings
Well, I had fun researching this topic. Turns out there are more certification options than I thought. I am interested to see if any others rise to the top. Personally, I am cheering on TheCyberMentor's courses because they have quality material and he seems like a good hearted guy. I suspect they will gain more popularity in the future as he continues to gain recognition.
Based on the results, the OSCP is still king of the entry-level penetration testing certifications. I am happy to still be able to recommend this as the go-to cert and even happier that they have made tons of improvements to the offering over the last year. Offensive Security always provides both practical and theoretical knowledge with a hell of an exam.
Based on my experience and knowledge of the other candidates, I would say that the only other certification that fits our requirement is the eJPT. The material is solid, the exam is hands on, and the certification is pretty well recognized. Personally, I am skeptical of practioners being able to get a job solely with the eJPT certification. Having taken the course and exam, I just don’t think it covers enough topics.
For those of you with minimal pen testing knowledge, starting with the eJPT and then taking on the OSCP would be a perfect game plan. Allowing you to gain confidence and skills without the OSCP crushing your soul immediately.
The other certifications in the top twenty either don’t meet the requirements of a hands-on exam or are not considered entry-level for penetration testers (LTP, OSWE, OSWP, and OSEP).
I would also say if you have the CEH, it isn’t a bad thing. I think it will help you get interviews in a range of specialties and prepare you for other more beneficial studies. And I stand strong that the Certified Ethical Hacker program does not come close to preparing you for a job as a penetration tester. If you are a fan of EC-Council check out their pentest offerings CPENT and LPT.
OSCP available study options
Recently the OSCP has expanded its offering to meet a broader market. They now have three options for study.
If you are more of the explorer type, this may be the one for you. The 30-day increments allow you to save money while learning at a more rapid pace. No one is holding your hand or guiding you.
If you need more guidance you have two options.
One option is to take Offensive Security’s new OffSec Academy. It offers one on one mentoring and small group instructions. Unfortunately, I haven’t taken this training, and there was only one review I could find on Reddit by u/Ninjattitude. But based on the review, he and his team enjoyed it. This will run you a staggering $6,500. Getting up there with SANS institute.
The second option is to use the PWK365 program. This program gives you access to the labs for a year. This can be beneficial for those who don’t have a ton of spare time to study. For a point of reference, it took me about 4 months of studying with a full-time job and a part time kiddo. Those with a full-time family and job may need the whole year. This option also comes with two exam attempts. All for $2,148.
Silverbits is an infosec practitioner who has spent time in the crazy SOC life, at a help desk, as a penetration tester, doing digital forensics and malware analysis. All together, he has over 7 years of experience in Information Technology.