15 Penetration Testing Certifications to Know
Penetration testing is a lot like hacking. Both involve scanning devices, software and wireless networks for tiny security vulnerabilities. The only difference is the underlying intentions: penetration testers work for tech companies, reporting any cybersecurity issues so they can get patched. Hackers intend to hack, and penetration testers intend to help.
The line between the two is porous, though. A multitude of hackers have parlayed major hacks into job offers. Take Charlie Miller and Chris Valasek — back in 2015, they hacked a Jeep Cherokee while it was on the highway, hijacking the windshield wipers, blasting the radio and then cutting the transmission entirely. (The driver was a Wired writer, who was in on the stunt and unharmed.)
Top Penetration Testing Certifications
- GIAC Certified Penetration Tester (GPEN)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- EC-Council Certified Ethical Hacker (CEH)
- EC-Council Licensed Penetration Tester — Master (LPT)
- Certified Penetration Tester (CPT)
- CompTIA PenTest+
- Offensive Security Certified Professional (OSCP)
The hack prompted a recall of more than a million Jeep Cherokees, and shortly afterwards, Uber hired Miller and Valasek to help the company develop self-driving cars. What better way to prove you’ll be a strong penetration tester than to actually penetrate a high-profile, allegedly “secure” system?
Well — there actually might be a better way. A history of hacking shows talent but seeds trust issues. Penetration testing certificates offer another path — a way to show practical ability, but in a simulated environment that doesn’t embarrass prospective employers (or slow down highway traffic). Below, we’ve rounded up the 15 top penetration testing certificates.
The Global Information Assurance Certification, or GIAC, offers a variety of penetration testing certifications that range from general to hyper-specialized. Each one requires participants to pass a proctored exam, available at Pearson VUE’s 3,500 testing centers worldwide. (Students can also find their own proctors.) To prepare, students can enroll in GIAC prep courses at the SANS Institute, a prominent cybersecurity training institution.
GIAC Certified Incident Handler (GCIH)
This certification covers a mix of security strategies and penetration testing fundamentals. The exam requires an understanding of the mechanics of denial-of-service attacks, client attacks and other popular attack modes, plus the specific techniques and tools hackers use to execute them. At the same time, test-takers should know how to prevent and contain these attacks. All told, the certification exam takes four hours and consists of over 100 questions — some multiple choice, others lab-based.
GIAC Enterprise Vulnerability Assessor (GEVA)
This certification focuses on cybersecurity for enterprise IT systems, whose size, scale and 24/7 activity require unique assessment methods. The two-hour, 75-question certification exam focuses on assessment techniques like network scanning and PowerShell scripting, plus appropriate vulnerability assessment frameworks. Test-takers should also know how to appropriately resolve and report security issues when they occur.
GIAC Assessing and Auditing Wireless Networks (GAWN)
This certification means a penetration tester can exploit the slightest gap in wireless network security with fuzzing attacks, Bluetooth attacks, high-frequency RFID attacks and much more. The certification exam requires not only familiarity with how these attacks work, but also expertise on how to identify and defend against them. The certification exam consists of 75 questions and takes two hours.
GIAC Mobile Device Security Analyst (GMOB)
This certification focuses on smartphone, tablet and app security, a complicated and still-evolving field. (Even on relatively secure iPhones, apps can feed data to thousands of third-party trackers in a single week.) To pass the 75-question exam, which lasts two hours, test-takers should know how hackers unlock and root mobile devices on various operating systems. They should also know how to protect data on stolen and malware-infected devices.
GIAC Web Application Penetration Tester (GWAPT)
This certification focuses on the unique challenges of web apps. Not quite mobile apps, and not quite traditional websites, these responsive creations adapt to the user’s device and often face attacks like cross-site request forgery, client injections, authentication attacks and more. To pass the two-hour, 75-question certification exam, users need deep knowledge of possible attacks and related penetration testing techniques.
GIAC Certified Penetration Tester (GPEN)
This certification assesses general penetration testing expertise, with an emphasis on process. The three-hour certification exam covers the three key stages of an exploit: reconnaissance, attack and escalation. The questions cover a handful of specific attack styles, too, like password attacks and web application injection attacks. Altogether, the exam can contain as many as 115 questions, which may be multiple choice or lab-based.
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
This certification focuses on advanced penetration testing techniques — think fuzzing, shellcode scripting and exploiting stack overflows. Composed of up to 75 multiple choice and hands-on lab questions, the three-hour certification exam focuses primarily on network exploits and attacks on Linux and Windows systems. It also touches on the ability of penetration testers to communicate the value of what they do in business terms.
The EC-Council, also known as the International Council of E-Commerce Consultants, has certified more than 20,000 tech professionals working at companies like Microsoft and IBM, and received endorsements from federal agencies including the NSA. Students can take their certification exams at a variety of testing centers, and prep for them in digital and in-person training sessions administered by the council.
Certified Ethical Hacker (CEH)
This certification requires test-takers to pass a four-hour, multiple-choice exam on the fundamentals of penetration testing. Though the test is never the same twice — the 125 questions are always pulled randomly from a variety of question banks — it can cover topics like malware, session hijacking, SQL injection, cryptography and more. The exam can be taken in a physical testing center, or remotely with a digital proctor. To be eligible for it, students either need to have taken the EC-Council prep course or have two years of on-the-job cybersecurity experience.
Certified Ethical Hacker — Master (CEH Master)
To attain this certification, people who have already passed the Certified Ethical Hacker exam must pass an additional six-hour practical exam. It consists of 20 timed, hands-on challenges, which could involve packet sniffing, OS banner grabbing and leveraging of computer worms and malware. Test-takers must complete their challenges on live networks almost indistinguishable from real enterprise networks. An extra dose of realism: the exam, like life, is open-book.
Licensed Penetration Tester — Master (LPT)
This certification, the most rigorous the EC-Council offers, takes multiple days. All told, the exam lasts eighteen hours and comes with minimal instruction. Test-takers are set loose in a variety of sophisticated, multi-layered networks, all rooted in impressive hardware: 180 machines with more than 4,000 GB of storage. The exam consists of nine challenges in which test-takers must use techniques like multi-level pivoting, SSH tunneling and privilege escalation to evade the elaborate security and militarized zones.
The Information Assurance Certification Review Board, a non-profit certification body, hosts certification exams in five locations across the U.S. (Groups of at least ten test-takers can also arrange for tests in other locations.) Each exam blends a hands-on challenge with a multiple-choice element. Though IACRB doesn’t offer prep courses, they accredit various training centers, including Intense School.
Certified Penetration Tester (CPT)
This certification covers nine core areas of penetration testing, including penetration methodologies, exploits in Windows and Linux operating systems, web application vulnerabilities and wireless network security. Overall, the two-hour exam involves 50 multiple-choice questions selected randomly from a master list.
Cost: $399 and up
Certified Expert Penetration Tester (CEPT)
This certification also covers nine central subjects, but they require more ingenuity from test-takers. This reflects the IACRB’s definition of an expert penetration tester — someone who can create sophisticated attack simulations and discover previously unknown cyber-weaknesses. Topics covered include reverse engineering, memory corruption and exploit creation in Windows and Linux OSes. Composed of 50 multiple-choice questions, this test takes two hours.
Cost: $399 and up
Certified Red Team Operations Professional (CRTOP)
This certification in Red Team operations follows the same format as the other IACRB exams: 50 multiple-choice questions and a two-hour runtime. The focus is slightly different, though, because Red Teams focus on a particularly stealthy subfield of penetration testing. Found at major firms like Microsoft, these in-house teams don’t just identify cybersecurity issues — they often sneakily exploit them with techniques like social engineering, in an effort to test breach-detection systems. In that spirit, the exam covers topics like Red Team roles, responsibilities and reporting, plus in-person and digital reconnaissance.
Cost: $399 and up
CompTIA PenTest+
This certification’s 165-minute exam requires an impressive breadth of penetration testing knowledge. Composed of up to 85 questions, it asks test-takers to pinpoint security vulnerabilities in traditional desktops and servers as well as mobile and cloud environments. Practical skills emphasized throughout include the ability to analyze Python and Bash code, or exploit vulnerabilities in apps and Bluetooth connections.
Offensive Security Certified Professional (OSCP)
This certification in penetration testing with Kali Linux culminates in a grueling practical exam. Just like some real-world cybersecurity crises, it lasts a full 24 hours and focuses on a simulated penetration test on Offensive Security’s isolated VPN. To pass, test-takers must demonstrate knowledge of client-side and remote attacks. Along the way, they might need to exploit buffer overflows, evade antivirus protections and tunnel through firewalls. Ultimately, though, like most penetration testing simulations, this exam rewards quick and creative thinking.
Cost: $800 and up