If you’re looking for a role in cyber security, be sure to apply for Upward Spiral or checkout what we’re about.
One of the most common questions I get while helping job seekers find a role is “what certification do I need?” It’s not surprising.
In the last year or two, every man and his dog who has heard the ‘How I made my first million’ podcast on the money-making potential of your own certification has created their own course and polluted the industry with uncertainty.
What really matters is working out what you need to demonstrate to hiring managers (internal or external) that you can take on the role and cause minimal disruption.
This pen testing focused blog will be the first in a series of posts where I will break down infosec roles and walk through the certifications hiring managers are looking for at each phase of your career.
This post isn’t intended to disqualify all self-paced learning outside these certifications. It is to highlight the learning that will help aspiring professionals progress in their career.
Your starting point for hands-on experience should be Heath Adams’ ‘Linux Essentials for Ethical Hackers.’ In this course you will be introduced to everything you need to start any of the following hands-on exercise platforms that will build a foundation for your cyber career.
After this, there are a number of free hands-on resources for you to hone your skills. Platforms like the Mosse Cyber Security Institute, TryHackMe and Hacker101 are guided hands-on hacking opportunities to introduce you to the foundational concepts you will need through your career.
You can progress to less ‘guided’ training platforms like HacktheBox, root-me, HackthisSite, and AttackDefense. Once you’re comfortable with the level of these resources, you can start looking into entry- and junior level penetration testing roles.
If you’re looking for your first role as a pen tester, focus your attention on PEH by TCM. This is the bar for entry-level penetration tester roles. If you have this most employers will feel confident that you are job-ready for an entry-level pentester role.
The course will cost you ~USD$30.00 (you can find it for free with appropriate googling) and compliments any university degree or TAFE certificate.
Alternatively you could pursue the eJPT. This certificate comes with slightly more weight in terms of job-seeking credibility but the fee is marginally higher. Is it worth it? We think so. PEH leaves you in a strong position in your job search, but we feel eJPT better sets you up for success long-term. It is also the precursor to the eCPPT (which we talk about in a moment) which you might want later in your career.
As a final possibility, the CompTIA PenTest+ is widely recognised within the industry for entry- and junior penetration testing positions. We tend to lean away from this certificate as the materials - we feel - do not prepare you for the role as well as the previously mentioned certificates. It also comes with an incredibly high price tag at ~USD$370 and we cannot find any reason to justify this cost.
The next step penetration testers have taken in their career, historically, has been the Offensive Security Certified Professional (OSCP), or PEN-200. This ethical hacking course is online and self-paced. It introduces more advanced penetration testing tools and techniques via hands-on experience. PEN-200 focuses on the skills and mindset required to be a successful penetration tester. It assesses you through a multiple choice exam.
The PEN-200 certification will set you back ~$999 to $1,350 for the materials and your first attempt at the exam.
An alternative to the OSCP, is the eCPPT. This certificate is less well known but we believe the materials are more valuable. The teaching concepts are far more advanced t han the OSCP and eCPPT is startin to increase in popularity as a result.
Rather than a multiple choice exam that will test your knowledge and - loosely - ability to keep notes, the eCPPT is built around building your experience while applying skills in a hands-on testing environment.
The best path to achieve the eCPPT is to purchase a subscription with INE and follow the Pen Tester learning path. Most companies will be willing to pay for your INE subscription. If they aren’t willing, access to a full year is a very reasonable $749 or $49 monthly. Your subscription will also provide access to a number of other incredibly useful learning materials that you can browse here.
Late in your career it used to be as simple as pursuing the OSCE. Unfortunately, this has since been retired. However, if you’re looking to really establish yourself as an expert in the field there are plenty of opportunities to specialise.
Too many for us to list here.
However, by this stage you have likely identified your preferred learning platform. For us, it has become INE. Through their platform they offer no shortage of opportunities to specialise in cloud, web applications, networking and other areas for the same fee discussed above.