Penetration testing is a lot like hacking. Both involve scanning devices, software and wireless networks for tiny security vulnerabilities. The only difference is the underlying intentions: penetration testers work for tech companies, reporting any cybersecurity issues so they can get patched. Hackers intend to hack, and penetration testers intend to help.
The line between the two is porous though. A multitude of hackers have parlayed major hacks into job offers. What better way to prove you’ll be a strong penetration tester than to actually penetrate a high-profile, allegedly “secure” system?
Top Penetration Testing Certifications
- GIAC Certified Penetration Tester (GPEN)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- EC-Council Certified Ethical Hacker (CEH)
- EC-Council Licensed Penetration Tester — Master (LPT)
- CompTIA PenTest+
- Offensive Security Certified Professional (OSCP)
Well — there actually might be a better way. A history of hacking shows talent but seeds trust issues. A penetration testing certification offers another path — a way to show practical ability, but in a simulated environment that doesn’t embarrass prospective employers. Below, we’ve rounded up the 12 top penetration testing certification options.
GIAC Penetration Testing Certifications
The Global Information Assurance Certification, or GIAC, offers a variety of penetration tester certifications that range from general to hyper-specialized. Each one requires participants to pass a proctored exam, available at Pearson VUE’s 3,500 testing centers worldwide. (Students can also find their own proctors.) To prepare, students can enroll in GIAC prep courses at the SANS Institute, a prominent cybersecurity training institution.
GIAC Certified Incident Handler (GCIH)
This pentest certification covers a mix of security strategies and penetration testing fundamentals. The exam requires an understanding of the mechanics of denial-of-service attacks, client attacks and other popular attack modes, plus the specific techniques and tools hackers use to execute them. At the same time, test-takers should know how to prevent and contain these attacks. All told, the certification exam takes four hours and consists of over 100 questions — some multiple choice, others lab-based.
Cost: $949 and up
- Covers a mix of popular cybersecurity attacks.
- Tests knowledge of the steps for digital investigations of network data.
- Ensures test-takers have a detailed understanding of password-cracking methods.
GIAC Enterprise Vulnerability Assessor (GEVA)
This certification focuses on cybersecurity for enterprise IT systems, whose size, scale and 24/7 activity require unique assessment methods. The two-hour, 75-question certification exam focuses on assessment techniques like network scanning and PowerShell scripting, plus appropriate vulnerability assessment frameworks. Test-takers should also know how to appropriately resolve and report security issues when they occur.
Cost: $949 and up
- Focuses on cybersecurity for enterprise IT.
- Test-takers need to know how to perform and apply intelligence and threat modeling within a vulnerability assessment.
- Checks knowledge of vulnerability validation techniques and value.
GIAC Assessing and Auditing Wireless Networks (GAWN)
This certification means a penetration tester can exploit the slightest gap in wireless network security with fuzzing attacks, Bluetooth attacks, high-frequency RFID attacks and much more. The certification exam requires not only familiarity with how these attacks work, but also expertise on how to identify and defend against them. The certification exam consists of 75 questions and takes two hours.
Cost: $949 and up
- Tests familiarity with common wireless threats and current wireless network standards.
- Requires understanding of Bluetooth weaknesses and ability to perform basic fuzzing attacks.
GIAC Mobile Device Security Analyst (GMOB)
This penetration testing certification focuses on smartphone, tablet and app security, a complicated and still-evolving field. (Even on relatively secure iPhones, apps can feed data to thousands of third-party trackers in a single week.) To pass the 75-question exam, which lasts two hours, test-takers should know how hackers unlock and root mobile devices on various operating systems. They should also know how to protect data on stolen and malware-infected devices.
Cost: $949 and up
- Focuses on smartphone, tablet and app security.
- Must have an understanding of how to mitigate malware for mobile devices.
- Ensures test-takers can assess app security in terms of privacy, data protection and undesirable application behavior.
GIAC Web Application Penetration Tester (GWAPT)
This certification focuses on the unique challenges of web apps. Not quite mobile apps, and not quite traditional websites, these responsive creations adapt to the user’s device and often face attacks like cross-site request forgery, client injections, authentication attacks and more. The exam runs two to three hours with as few as 82 and as many as 115 questions. Users need deep knowledge of possible attacks and related penetration testing techniques.
Cost: $949 and up
- Centers around web app security.
- Test-takers should have an understanding of Cross Site Request Forgery, Cross Site Scripting and Client Injection attacks.
- Tests familiarity with securing web applications through authentication.
GIAC Certified Penetration Tester (GPEN)
This certification assesses general penetration testing expertise, with an emphasis on process. The three-hour certification exam covers the three key stages of an exploit: reconnaissance, attack and escalation. The questions cover a handful of specific attack styles, too, like password attacks and web application injection attacks. The exam lasts three hours and contains 82 questions.
Cost: $949 and up
- Assesses general penetration testing expertise.
- Tests on the fundamental concepts associated with the pentest exploitation phase.
- Ensures test-takers can conduct and analyze the results of vulnerability scans.
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
This pentest certification focuses on advanced penetration testing techniques — think fuzzing, shellcode scripting and exploiting stack overflows. Composed of 60 questions, the three-hour certification exam focuses primarily on network exploits and attacks on Linux and Windows systems. It also touches on the ability of penetration testers to communicate the value of what they do in business terms.
Cost: $949 and up
- Aimed at advanced penetration testing techniques.
- Must know how to bypass network access control systems.
- Needs to be able to write basic exploits against stack overflow vulnerabilities.
EC-Council Penetration Testing Certifications
The EC-Council, also known as the International Council of E-Commerce Consultants, has certified more than 20,000 tech professionals working at companies like Microsoft and IBM, and received endorsements from federal agencies including the NSA. Students can take their penetration tester certification exams at a variety of testing centers and prep for them in digital and in-person training sessions administered by the council.
Certified Ethical Hacker (CEH)
This certification requires test-takers to pass a four-hour, multiple-choice exam on the fundamentals of penetration testing. Though the test is never the same twice — the 125 questions are always pulled randomly from a variety of question banks — it can cover topics like malware, session hijacking, SQL injection, cryptography and more. The exam can be taken in a physical testing center, or remotely with a digital proctor. To be eligible for it, students either need to have taken the EC-Council prep course or have two years of on-the-job cybersecurity experience.
- 125-question multiple choice exam focused on pentest fundamentals.
- Tests are never the same twice.
- Preparation course includes extensive hands-on lab components.
Certified Ethical Hacker — Master (CEH Master)
To attain this penetration tester certification, people who have already passed the Certified Ethical Hacker exam must pass an additional six-hour practical exam. It consists of 20 timed, hands-on challenges, which could involve packet sniffing, OS banner grabbing and leveraging of computer worms and malware. Test-takers must complete their challenges on live networks almost indistinguishable from real enterprise networks. An extra dose of realism: the exam, like life, is open-book.
- Next level that builds on the EC-Council’s Certified Ethical Hacker exam.
- Mimics a corporate network, giving test-takers various scenarios that require them to apply what they’ve learned to real-life challenges.
Licensed Penetration Tester — Master (LPT)
This certification, the most rigorous the EC-Council offers, takes multiple days. Test-takers can opt for either a 24-hour exam or to take the exam in two 12-hour components. They are set loose in a variety of sophisticated, multi-layered networks, all rooted in impressive hardware: 180 machines with more than 4,000 GB of storage. The exam consists of nine challenges in which test-takers must use techniques like multi-level pivoting, SSH tunneling and privilege escalation to evade the elaborate security and militarized zones.
- Test-takers can choose to complete one 24-hour exam or two 12-hour exam components.
- Must be able to demonstrate mastery of advanced pentesting techniques and tools.
- Designed by experts with more than two decades of professional security testing experience.
Other Penetration Testing Certifications
CompTIA PenTest+
This certification’s 165-minute exam requires an impressive breadth of penetration testing knowledge. Composed of up to 85 questions, it asks test-takers to pinpoint security vulnerabilities in traditional desktops and servers as well as mobile and cloud environments. Practical skills emphasized throughout include the ability to analyze Python and Bash code, or exploit vulnerabilities in apps and Bluetooth connections.
- Requires ability to pinpoint security vulnerabilities in traditional desktops and servers as well as mobile and cloud environments.
- Must be able to perform and analyze the results of vulnerability scanning and penetration testing.
Offensive Security Certified Professional (OSCP)
This certification in penetration testing with Kali Linux culminates in a grueling practical exam. Just like some real-world cybersecurity crises, it lasts a full 24 hours and focuses on a simulated penetration test on Offensive Security’s isolated VPN. To pass, test-takers must demonstrate knowledge of client-side and remote attacks. Along the way, they might need to exploit buffer overflows, evade antivirus protections and tunnel through firewalls. Ultimately, though, like most penetration testing simulations, this exam rewards quick and creative thinking.
Cost: $1,499 and up
- Exam runs for 24 hours and involves a simulation on a private VPN.
- Requires test-takers to demonstrate knowledge of client-side and remote attacks.
- Preparation course teaches basic scripts and tools for use in penetration testing.