Certifications in cybersecurity are essential both for job hunting, but also for you as a professional to advance your knowledge in the field.
This is a list of penetration testing certifications, divided by beginner, intermediate and advanced levels, and a few certifications with more focused specializations.
The prices are indicative and may be changed without notice by each vendor. So make sure to check with them first if you are interested in taking any course and exam.
Table of ContentsToggle Table of Content
Beginner-Level Penetration Testing Certifications
We begin this penetration testing certification master list with the certifications which are considered “beginner-level” by the industry.
This doesn’t necessarily mean that the certifications are “easy”. It means that they will probably be the bare minimum employers will ask for from candidates for Red Team and Penetration Testing positions.
The eLearnSecurity Junior Penetration Tester (eJPT) is a 100% practical certification on penetration testing and information security essentials.
The eLearnSecurity Web Application Penetration Tester (eWPT) certification assesses a cyber security professional’s web application penetration testing skills.
A Kali Linux Certified Professional (KLCP) is a power user of the Kali Linux penetration testing platform. Certificate holders have a thorough understanding of the Kali Linux operating system.
GIAC Enterprise Vulnerability Assessor (GEVA) is the premier certification focused on validating technical vulnerability assessment skills and time-tested practical approaches to ensure security across the enterprise. The GEVA-certified practitioner will be capable of handling threat management, comprehensively assessing vulnerabilities, and producing a vigorous defensive strategy from day one.
The two-hour, 75-question certification exam focuses on assessment techniques like network scanning and PowerShell scripting, plus appropriate vulnerability assessment frameworks. Test-takers should also know how to appropriately resolve and report security issues when they occur.
Cost:$949 and up
Mile2’s Vulnerability Assessor course, C)VA provides a solid understanding of the tools an IT engineer needs to review an Information System. In this course, you will learn the importance of vulnerability assessments and how they are used to prevent serious cyber break-ins. Lessons include understanding malware and viruses and how they can infiltrate an organization’s network.
After you take this course, you will be able to assess a company’s security posture and perform a basic vulnerability test. Plus, you will be able to generate reports to guide new security implementation.
The Certified Professional Ethical Hacker CPEH certification course is the foundational training to Mile2’s line of penetration testing courses because it teaches you to think like a hacker. Therefore, you can set up dynamic defenses to prevent intrusion.
First, you will learn the value of vulnerability assessments. Then, you will discover how to use those assessments to make powerful changes in an information system’s security.
Additionally, you will learn how malware and destructive viruses function and how to implement counter-response and preventative measures when it comes to a network hack.
The EXIN Ethical Hacking Foundation (EHF) certification provides IT professionals with a solid understanding and technical knowledge of the principles behind Ethical Hacking.
Wireless Attacks (PEN-210) introduces students to the skills needed to audit and secure wireless devices. It’s a foundational course alongside PEN-200 and would benefit those who would like to gain more skills in network security.
In PEN-210, students will learn to identify vulnerabilities in 802.11 networks and execute organized attacks. Each student will set up a home lab to practice the techniques learned in this online, self-paced course.
Successful completion of the course and exam confers the Offensive Security Wireless Professional (OSWP) certification.
The GAWN certification is designed for technologists who need to assess the security of wireless networks. The certification focuses on the different security mechanisms for wireless networks, the tools and techniques used to evaluate and exploit weaknesses, and the techniques used to analyze wireless networks. Students will not only gain experience using tools to assess wireless networks, but they will also understand how the tools operate and the weaknesses in the protocols that they evaluate.
The certification exam requires not only familiarity with how these attacks work, but also expertise on how to identify and defend against them. The certification exam consists of 75 questions and takes two hours.
Cost:$949 and up
PenTest+ assesses the most up-to-date penetration testing, vulnerability assessment, and management skills necessary to determine the resiliency of the network against attacks. The CompTIA PenTest+ certification exam will verify successful candidates have the knowledge and skills required to:
- Plan and scope a penetration testing engagement
- Understand legal and compliance requirements
- Perform vulnerability scanning and penetration testing using appropriate tools and techniques, and then analyze the results
- Produce a written report containing proposed remediation techniques, effectively communicate results to the management team, and provide practical recommendations
PenTest+ is compliant with ISO 17024 standards and approved by the US DoD to meet directive 8140/8570.01-M requirements. Regulators and governments rely on ANSI accreditation because it provides confidence and trust in the outputs of an accredited program. Over 2.3 million CompTIA ISO/ANSI-accredited exams have been delivered since January 1, 2011.
To earn the CEH Master designation you must successfully demonstrate your knowledge of Ethical Hacking through two distinctly different proving grounds. First, you must attempt and successfully pass the ANSI Accredited Certified Ethical Hacker (CEH) multiple choice exam. Once you complete this first step, you can move on to the second part of earning the CEH Master designation, the CEH Practical Exam.
The CREST Practitioner Security Analyst (CPSA) examination is an entry-level examination that tests a candidate’s knowledge in assessing operating systems and common network services at a basic level below that of the main CRT and CCT qualifications.
The CPSA examination also includes an intermediate level of web application security testing and methods to identify common web application security vulnerabilities. The examination covers a common set of core skills and knowledge.
The candidate must demonstrate that they have the knowledge to perform basic infrastructure and web application vulnerability scans using commonly available tools and interpret the results to locate security vulnerabilities.
Success will confer CREST Practitioner Security Analyst status to the individual.
SECO Ethical Hacking Foundation is a beginner’s certification that validates knowledge and hands-on practice skills as a starting ethical hacker. The exam tests the candidate’s ability to apply this knowledge and practical skills in everyday professional practice.
The Ethical Hacking Foundation certification equips you with the knowledge and skills you need to lay the foundations of a thriving penetration testing career.
By passing the EHF certification exam and earning a SECO-Ethical Hacking Foundation (S-EHF) certificate, you demonstrate your ability to perform basic black-box penetration tests.
The CHA is an introductory, technical, knowledge-based certification designed to accredit students for a well-rounded foundation in professional cybersecurity.
The CHAT is a technical, knowledge-based certification designed to accredit teachers teaching cybersecurity training such as the Certified Hacker Analyst and Hacker Highschool.
The CTA is a knowledge-based certification designed to accredit professionals measuring trust or making trust-based decisions either in a business or security capacity.
The OPSE from ISECOM is an introductory, knowledge-based certification designed to accredit security professionals working with the OSSTMM.
The OPSA from ISECOM is a technical, skills-based certification designed to accredit professional security analysts.
SECO Ethical Hacking Practitioner is an advanced-level certification that validates a professional’s knowledge and hands-on practice skills as a professional ethical hacker. The exam tests the candidate’s ability to apply this knowledge and practical skills in everyday professional practice.
CyberWarFare Labs Certified Red Team Analyst is a hands-on course, designed specifically for beginners having an interest in Red Teaming, future Red Team enthusiasts, and anyone who wants to break through in Offensive Information Security. This course comes with study materials including Practice Lab, Video, and Manuals (PDF), students learn and practice techniques with an adversarial mindset.
The main aim of this course is to help students and employees to understand the mindset of the adversaries and scale the damage caused if an organization is targeted by threat actors. All the tactics and techniques covered in this course will definitely help them in their pathway to becoming a Red Teamer and help organizations secure the boundaries/insider threats.
Intermediate Level Penetration Testing Certifications
The “Penetration Testing Certifications Master List” continues with the “intermediate” level of pentest certifications. These are the next level of difficulty and show your dedication to your profession, and your willingness to learn and progress.
The eCPPT designation stands for eLearnSecurity Certified Professional Penetration Tester. eCPPT is a 100% practical and highly respected Ethical Hacking and Penetration Testing Professional certification counting certified professionals in all seven continents.
The eLearnSecurity Mobile Application Penetration Tester (eMAPT) certification is issued to cyber security experts that display advanced mobile application security knowledge through a scenario-based exam.
The eLearnSecurity Certified eXploit Developer (eCXD) tests a student’s capabilities on Windows and Linux exploit development and software vulnerability identification in general. Exploit developers can prove their advanced skills through a challenging, scenario-based exam that requires both knowledge and critical thinking.
The GFACT certification from SANS validates a practitioner’s knowledge of essential foundational cybersecurity concepts. GFACT-certified professionals are familiar with practical skills in computers, technology, and security fundamentals that are needed to kickstart a career in cybersecurity.
Cost:$949 and up
The GIAC Mobile Device Security Analyst (GMOB) certification ensures that people charged with protecting systems and networks know how to properly secure mobile devices that are accessing vital information.
GMOB certification holders have demonstrated knowledge about assessing and managing mobile device and application security, as well as mitigating against malware and stolen devices.
To pass the 75-question exam, which lasts two hours, test-takers should know how hackers unlock and root mobile devices on various operating systems. They should also know how to protect data on stolen and malware-infected devices.
Cost:$949 and up
The GIAC Incident Handler (GCIH) certification validates a practitioner’s ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. GCIH certification holders have the knowledge needed to manage security incidents by understanding common attack techniques, vectors, and tools, as well as defend against and respond to such attacks when they occur.
The exam requires an understanding of the mechanics of denial-of-service attacks, client attacks and other popular attack modes, plus the specific techniques and tools hackers use to execute them. At the same time, test-takers should know how to prevent and contain these attacks. All told, the certification exam takes four hours and consists of over 100 questions — some multiple choice, others lab-based.
Cost:$949 and up
The GIAC Penetration Tester (GPEN) certification validates a practitioner’s ability to properly conduct a penetration test, using best practice techniques and methodologies. GPEN certification holders have the knowledge and skills to conduct exploits and engage in detailed reconnaissance, as well as utilize a process-oriented approach to penetration testing projects.
The three-hour certification exam covers the three key stages of an exploit: reconnaissance, attack, and escalation. The questions cover a handful of specific attack styles, too, like password attacks and web application injection attacks. The exam lasts three hours and contains 82 questions.
Cost:$949 and up
The Certified Red Team Professional is a completely hands-on certification. To be certified, a student must solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple Windows domains and forests. The certification challenges a student to compromise Active Directory by abusing features and functionalities without relying on patchable exploits. Students will have 24 hours for the hands-on certification exam.
A certification holder has the skills to understand and assess the security of an Active Directory environment.
The PNPT exam is an ethical hacking certification exam that assesses a student’s ability to perform a network penetration test at a professional level.
Students will have five (5) full days to complete the assessment and an additional two (2) days to write a professional report.
In order to receive the certification, a student must:
- Perform Open-Source Intelligence (OSINT) to gather intel on how to attack the network properly
- Leverage their Active Directory exploitation skillsets to perform A/V and egress bypassing, lateral and vertical network movements, and ultimately compromise the exam Domain Controller
- Provide a detailed, professionally written report
- Perform a live 15-minute report debrief in front of our assessors, comprised of all senior penetration testers
Red Team Ops is an online course that teaches the basic principles, tools, and techniques, that are synonymous with red teaming.
Students will first cover the core concepts of adversary simulation, command & control, and how to plan an engagement. They will then learn about each stage of the attack lifecycle from initial compromise to full domain takeover, data hunting, and data exfiltration.
Students will also take various OPSEC concerns into account and learn how to bypass defenses such as Windows Defender, AMSI, and AppLocker. Finally, they will cover reporting and post-engagement activities.
Students have the option to purchase the course by itself or with lab access. A free exam attempt is included with each option.
The GCPN certification validates a practitioner’s ability to conduct cloud-focused penetration testing and assess the security of systems, networks, architecture, and cloud technologies.
Cost:$949 and up
Offensive Security Certified Professional (OSCP) is an ethical hacking certification offered by Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution.
The OSCP is a hands-on penetration testing certification, requiring holders to successfully attack and penetrate various live machines in a safe lab environment.
The CREST Registered Penetration Tester examination is recognized by the NCSC as providing the minimum standard for CHECK Team Member status and is designed to assess a candidate’s ability to carry out basic vulnerability assessment and penetration testing tasks.
The CREST Registered penetration tester exam is a practical assessment where the candidate will be expected to find known vulnerabilities across the common network, application, and database technologies and a multiple choice section aimed at assessing the candidate’s technical knowledge.
The CREST Practitioner Intrusion Analyst (CPIA) examination tests a candidate’s knowledge in three subject areas of network intrusion, host intrusion, and malware reverse engineering.
The CREST Certified Infrastructure Tester examination is a rigorous assessment of the candidate’s ability to assess a network for flaws and vulnerabilities at the network and operating system layer. The exam includes:
- Public domain information sources
- Windows operating systems
- Unix operating systems
- Voice networking
- Wireless networking.
The CREST Certified Web Application Tester examination is an assessment of the candidate’s ability to find vulnerabilities in bespoke web applications. The examination uses specially designed applications running on a variety of web application platforms and now covers a wider scope than purely traditional web applications to include more recent advances in the field of web application technology and security.
The candidate will be expected to demonstrate that they are able to find a range of security flaws and vulnerabilities, including proving the ability to exploit and leverage the flaws to ascertain the impact of the issues found.
The C)PTE exam covers a broad base of Penetration Testing areas to ensure that applicants are able to effectively manage the Penetration Testing process.
In this course you will learn 5 Key Elements of Pen Testing, Information Gathering, Scanning, Enumeration, Exploitation and Reporting. Plus, discover the latest vulnerabilities and the techniques malicious hackers are using to acquire and destroy data. Additionally, you will learn more about the business skills needed to identify protection opportunities, justify testing activities and optimize security controls appropriate to the business needs in order to reduce business risk.
An OPST certified professional from ISECOM, is a penetration tester/ethical hacker who has the skills and knowledge to accurately and efficiently test the
the security posture of a company, network, or product.
An OPSE certified professional from ISECOM, is a security practitioner who can define a thorough security test, manages the parameters for a successful penetration test, outlines security analysis requirements and resources, and understands the function of the OSSTMM as a methodology.
CyberWarFare Labs Certified Red Team Specialist is a 100% hands-on lab, designed specifically for intermediate to advanced professionals having an interest in Red Teaming, seasoned professionals, and experienced in Offensive Information Security. This course comes with 3 unique attack paths Practice Lab, Manuals (PDF), students learn and practice techniques with an adversarial mindset.
Certified Enterprise Security Controls Attack Specialist
Apex Threat Actors having advanced capabilities like leveraging in-memory implants, writing custom codes to evade AVs & EDR, moving laterally with custom made Tools, evading host and network level security solutions for stealthiness, etc are constantly consolidating their attack techniques (and Tactics) against Defensive Teams.
Students will gain enough knowledge of enterprise-grade security controls and how they can be stealthily evaded at Host-level, Network-level, Cloud-Level (EDR), and in a monitored Active Directory network having Health Care Simulation. The class will go through TTP, writing custom toolkit in C#, abusing Windows internals/features and monitoring solutions, writing custom bypasses for evading host & network controls, and bypassing cross-forest restrictions in AD Environment having Windows & Linux platforms in order to better refine detection in an enterprise.
Certified AWS Cloud Red Team Specialist
AWS Cloud Red Team Course provides an in-depth view of AWS core services, Identification of misconfigurations and stealthily abusing them in an Enterprise AWS Cloud Environment. As the cloud shift is real, most of the Fortune 500 enterprises rely on AWS Cloud service providers for scaling their business overseas, with expansion comes the huge responsibility of identifying and mitigating wide loopholes to secure cloud infrastructure.
In this Lab, you will proactively work as a Purple team member, whereas a red team operator will perform different attacks and as a Blue Team member, you will Identify, Detect, Analyze then Respond to those attacks in a real enterprise environment.
The main aim of this Lab is to help the Blue Team to Identify and Detect the latest Techniques and Tools used by Adversary, Analyze and Respond to ongoing attacks and collect the evidence for investigation purposes. However, Red Team will understand the execution of Red Team Operations in stealth mode without detection and be aware of visibility against Blue Team.
Advanced Level Penetration Testing Certifications
We have reached the “Advanced” level of the Penetration Testing Certifications Master List. By earning these certifications, you show your knowledge and expertise and you stand out against your competitors for the job you are persuing.
The Certified Red Teaming Expert is a completely hands-on certification. The certification requires students to solve practical and realistic challenges in our fully patched Windows infrastructure labs containing multiple Windows domains and forests. The certification challenges students to look at the complete infrastructure like a true enterprise network and does not rely only on breaking individual machines. Students will have 48 hours to complete the hands-on certification exam.
A certification holder has the expertise to assess the security of an enterprise windows infrastructure having multiple domains and forests by just abusing the functionality and trust.
To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it.
In case you have to retake the exam, a re-attempt fee of $99 is applicable. There is a cool-down period of one month before a student can appear in the exam again. The student will get an exam environment from the pool of our different exam labs. After total of 3 attempts (1 included with the lab and two additional attempts), a student must wait for a cool-down period of 6 months.
The eCPTX designation stands for eLearnSecurity Certified Penetration Tester eXtreme and it is the most advanced pentesting certification. Prove your advanced skills and get certified in the fastest-growing area of network security.
The eLearnSecurity Web Application Penetration Tester eXtreme (eWAPTX) penetration testing certification is our most advanced web application pentesting certification.
The eWPTX exam requires students to perform an expert-level penetration test that is then assessed by INE’s cyber security instructors. Students are expected to provide a complete report of their findings as they would in the corporate sector in order to pass.
Advanced Web Attacks and Exploitation (WEB-300) is an advanced web application security course. We teach the skills needed to conduct white box web app penetration tests.
With the 2021 update, WEB-300 now features three new modules, updated existing content, new machines, plus refreshed videos.
Students who complete the course and pass the exam earn the Offensive Security Web Expert (OSWE) certification, demonstrating mastery in exploiting front-facing web apps. The OSWE is one of three certifications making up the new OSCE certification, along with the OSEP for advanced pentesting and the OSED for exploit development.
The GIAC Web Application Penetration Tester (GWAPT) certification validates a practitioner’s ability to better secure organizations through penetration testing and a thorough understanding of web application security issues. GWAPT certification holders have demonstrated knowledge of web application exploits and penetration testing methodology.
The exam runs two to three hours with as few as 82 and as many as 115 questions. Users need deep knowledge of possible attacks and related penetration testing techniques.
The GIAC Exploit Researcher and Advanced Penetration Tester certification validate a practitioner’s ability to find and mitigate significant security flaws in systems and networks. GXPN certification holders have the skills to conduct advanced penetration tests and model the behavior of attackers to improve system security, and the knowledge to demonstrate the business risk associated with these behaviors.
Cost:$949 and up
The CREST Certified Simulated Attack Specialist (CCSAS) examination tests candidates’ knowledge and expertise in delivering technical components of a Simulated Attack, specifically exploitation of client vulnerabilities through Trojanised files, phishing campaigns, implant development, evasion skills, and lateral movement within a compromised network.
This exam is considered a specialism to the existing CREST Certified Infrastructure certification, which is a mandatory prerequisite for all candidates wishing to complete this examination. While it is acknowledged that there is significant overlap with the existing Certified Infrastructure exam syllabus this examination is set at a significantly higher level of detail in a number of areas. For the avoidance of doubt, all candidates wishing to sit the CCSAS examination must have a valid certificate for the CREST Certified Infrastructure qualification.
The CREST Certified Simulated Attack Manager (CCSAM) examination tests candidates’ knowledge and expertise in leading a team that specializes in Simulated Attacks. The candidate is expected to have a good breadth of knowledge in all areas of Simulated Attack and proven experience in managing incidents, penetration tests, and simulated attack exercises.
The exam will assess the candidate’s ability to conduct Simulated Attacks in a realistic, legal, and safe manner, ensuring appropriate evidence is collated to provide the customer with actionable intelligence of organizational risks and failings while minimizing the risks to the customer’s staff, data, and systems.
The Certified Penetration Testing Professional (CPENT) program by EC-Council was created to prepare those that want to be recognized as elite penetration testing professionals. Our training has been designed by the best in the industry and is meant to push you to develop the kind of skill that you’ve been waiting to acquire.
LPT (Master) training (via CPENT) is not comfortable (and the exam is even worse!), but filled with intense stress meant to elicit the best from you. Those who prevail will have developed an instinctual response to real-world penetration testing challenges.
In Adversary Tactics: Vulnerability Research for Operators, you will learn an operator-focused approach to find the vulnerabilities needed to escalate privileges, execute arbitrary code, or facilitate lateral movement in Windows environments.
This course covers the vulnerability classes that SpecterOps routinely finds on engagements and dives into their root causes, identification techniques, and exploitation methods.
The Red Team & Operational Security course is designed to help the candidates build the capabilities to simulate a modern adversary. This course will take you through the different stages of an Attacker kill-chain.
To earn the PACES certification, students need to compromise a multi-forest exam lab environment. The 48-hour hands-on exam tests students’ ability to apply both attack and defense concepts. Success in the exam depends on the quality of the report submitted after the exam, forests compromised with minimal alerts, and forests secured.
To keep the certificate updated with changing skills and technologies, there is an expiry time of three years for it.
A PACES holder is a specialist in enterprise AD security. They have the ability to identify, exploit, demonstrate and fix security issues in an enterprise.
They have demonstrated the ability to understand and secure the modern enterprise network by executing a silent red team operation starting from a beachhead leading to the compromise of multiple forests.
Penetration Testing Specialization Certifications
Organizations rely on red team operations to exercise their defensive capabilities and continually hone and strengthen its security posture. As defenses evolve, however, it can be tough for red teams to stay ahead and provide that much-needed adversary for blue teams to practice against. What’s a red teamer to do? How can one keep up with the near-daily changing industry?
Adversary Tactics: Red Team Operations helps close that gap for red teamers, providing practical tradecraft for operators to use on their next test and guidance for how to maintain that edge over time.
Adversary Tactics: Tradecraft Analysis
Red team operators have long enjoyed robust community and commercial tooling to simulate advanced adversary tradecraft in traditional enterprise environments. As organizations have increasingly moved to hybrid, or non-Windows, environments our red team community knowledge has not kept pace. This course focuses on bridging that gap to enable red teamers to operate in increasingly hybridized or macOS-focused environments.
The Offensive Tool Development is the first course which is dedicated to Windows API exploitation to build your own tools for Red Team Engagements. If you have completed the Malware On Steroids course, then you can merge the capabilities you build during this course with the Command & Control built during the MOS course. This helps you to build your own CnC modules, all of which can be run in memory for detection evasion. There are a lot of courses which focus on exploitation, reversing and other offensive stuff, but none of them focus on writing your own tools and brining your own toolkit during an engagement.
Windows User Mode Exploit Development (EXP-301) is an intermediate-level course which teaches students the fundamentals of modern exploit development. It starts with basic buffer overflow attacks and builds into learning the skills needed to crack the critical security mitigations protecting enterprises.
Students who loved buffer overflows in Penetration Testing with Kali Linux (PEN-200) will find that EXP-301 takes those skills to the next level. This course is one of the replacements for Cracking the Perimeter (CTP), which we retired on October 15, 2020.
Those who complete the course and pass the 48-hour exam earn the Offensive Security Exploit Developer (OSED) certification. The OSED is one of three certifications making up the new OSCE3 certification, along with the OSWE for web application security and the OSEP for penetration testing.
The OSEE is the most difficult exploit development certification you can earn. We recommend completing the 300-level certifications before registering for this course.
Students who complete EXP-401 and pass the exam will earn the Offensive Security Exploitation Expert (OSEE) certification. The OSEE exam assesses not only the course content, but also the ability to think laterally and adapt to new challenges.
The virtual lab environment has a limited number of target systems. The software within contains specific, unknown vulnerabilities. Students have 72 hours to develop and document exploits. The exam requires a stable, high-speed internet connection.
You must submit a comprehensive penetration test report as part of the exam. It should contain in-depth notes and screenshots detailing the steps taken and the exploit methods used.
macOS Control Bypasses (EXP-312) is Offensive-Security’s first macOS security course. It’s an offensive logical exploit development course for macOS, focusing on local privilege escalation and bypassing the operating system’s defenses.
EXP-312 is an advanced course that teaches the skills necessary to bypass security controls implemented by macOS, and exploit logic vulnerabilities to perform privilege escalation on macOS systems.
Students who complete the course and pass the exam earn the Offensive Security macOS Researcher (OSMR) certification.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.