Professional penetration testing, also known as ethical hacking, is among the most exciting IT jobs a person can have. You are literally getting paid to keep up with the latest technology and to “break in” to computers without the threat of being arrested. There’s almost no downside. As long as you do a competent job, the person who hired you will be happy with the outcome. If you find a way to break into their resources, they get a chance to close the holes before the bad guys find them. If you fail to break into the customer’s computers…well, that makes them even happier, because they get to claim defensive superiority. It’s the only job I know of where, when you “fail,” you still make everyone happy. Win-win!
I did professional penetration testing for over 10 years, and it remains my favorite job. You not only get to do something fun, but pen testers are often seen with an aura of extra coolness that comes from everyone knowing they could break into almost any computer at will. Although now long turned legit, the world’s former most notorious uber hacker, Kevin Mitnick, told me that he gets the exact same emotional thrill out of being paid to legally break into places as he did during all those years of illegal hacking. Mitnick said the only difference “is the report writing.”
Most professional penetration testers become “pen testers” one of two ways. Either they learn hacking skills on their own or they take formal education classes. Many, like me, did both. Although sometimes mocked by self-learners, ethical hacking classes and certifications are often the gateway to a good paying job as a full-time penetration tester.
Today’s IT security education curriculum is full of courses and certifications that teach someone how to be an ethical hacker. For most of the certification exams you can self-study and bring your own experience to the testing center, or take an approved education course. While you don’t need an ethical hacking certification to get employed as a professional penetration tester, it can’t hurt.
As CBT Nuggets trainer Keith Barker said, “I think the opportunity to have certified ethical ‘anything’ on your resume can only be a good thing, but it’s more of an entry way into more study. Plus, if companies see that you are certified in ethical hacking, they know you have seen and agreed to a particular code of ethics. If an employer is looking at resumes and they see someone who has an ethical hacking certification and someone that didn't, it’s got to help.”
Even though they teach the same skill, every ethical hacking course and certification is different. Here are the things you'll want to research and question when deciding on an ethical hacking course or cert:
Does an ethical hacking course lead to certification?
Certification is not always necessary to learn a skill, but gaining one shows potential employers that you learned enough of a curriculum to pass a knowledge test on the material. People sitting in a non-certification class are often checking email, surfing the web, and not paying attention. People sitting in certification classes are usually paying attention, listening, and asking questions. Employers know the difference.
If it does lead to a certification, is the test hard to pass, and is the certification respected? Some, like the Certified Ethical Hacker (CEH), are very well known. Others, like the SANS GIAC Penetration Tester (GPEN) and the Offensive Security Certified Professional (OSCP), are better esteemed by other ethical hackers but potentially less recognizable to some employers. Some employers prefer or require particular certifications for particular positions. For example, see the DoD’s requirements for internal auditors.
[ Related: How to be an ethical hacker ]
Does ethical hacking certification require prior experience?
Does the certification testing process require you to have a certain number of years of verifiable computer security experience, or to take a particular course, before you can sit for the exam? Most have courses you can take, but don’t require that you take one to sit for the exam.
What platforms do ethical hacking courses or certifications cover?
Are those same platforms represented in your current environment or your expected future environment? Is the course mostly focused on Microsoft Windows, Linux, macOS, or some combination? Does it cover hacking only traditional computers, or also newer mobile devices and platforms? Does it cover website pen testing (sometimes an entire discipline unto itself), database hacking, cloud attacks, malware writing, or social engineering?
If it covers website hacking, is it against Microsoft’s Internet Information Services (IIS) or the open source Apache HTTP Server? If it covers database hacking, does it cover only Microsoft SQL Server, or also Oracle, PostgreSQL, MySQL, and NoSQL platforms such as MongoDB? Is application penetration testing one module or the focus of the course? Does it cover wireless hacking, and if so, what types of wireless?
Does the course offer or require hands-on experience with hacking tools and scenarios? It’s one thing to talk about how to hack and another thing to actually hack something. Ed Skoudis, Pen Testing Curriculum Lead, Instructor, and Fellow for the SANS Institute, loves to recommend Aman Hardikar’s list of “hack this website” and “download this hackable target image” resources on the internet. “Aman Hardikar’s site is an absolutely amazing mind map [of hacking practice resources]. There’s so much useful stuff there for building skills,” says Skoudis.
How much does ethical hacking certification cost?
Cost is also something to consider. A single course can easily run many thousands of dollars, and a single exam several hundred to a thousand dollars. If your organization has many people to train, many training vendors offer discounts for multiple students or onsite training.
What should I look for in an ethical hacking instructor?
Lastly, I wouldn’t take an ethical hacking course from someone who didn’t have years of experience as a penetration tester, unless they were an otherwise top-notch instructor with years of experience teaching penetration testing. The instructor, and their knowledge and experience, will make or break the class. Someone who has been in the trenches and been tested, or has taught the course for many years, is the person you want teaching you. You don’t want to be the guinea pig student for a brand-new instructor.
5 top ethical hacking courses and certifications
1. Certified Ethical Hacker
The EC-Council’s Certified Ethical Hacker (CEH) is easily the oldest and most popular penetration testing course and certification. The official course, which can be taken online or with a live in-person instructor, contains 18 subject domains covering traditional hacking topics, plus modules on malware, wireless, cloud and mobile platforms. The full remote course is offered for $1,850 and includes six months of access to the online Cyber Range iLab, where students can practice over 100 hacking skills. For comparison, CBT Nuggets offers CEH training for $80 per month, which also includes preparation for many other exams. EC-Council offers myriad other courses and certifications.
Sitting for the CEH exam requires either taking an official course or, for self-study candidates, proof of two years of relevant experience or education. The exam runs $950 plus a $100 application fee. It contains 125 multiple-choice questions with a four-hour time limit. Taking the exam requires accepting the EC-Council’s Code of Ethics, which was one of the first codes of ethics required of computer security test takers. The courseware and testing are routinely updated.
2. SANS GPEN
The SysAdmin, Audit, Network, and Security (SANS) Institute is a highly respected training organization, and its courses and certifications are held in high regard by IT security practitioners. SANS offers multiple pen testing courses and certifications, but its base GIAC Penetration Tester (GPEN) is one of the most popular.
The official course for the GPEN, SEC560: Network Penetration Testing and Ethical Hacking, can be taken online ($5,910) or live in person ($6,260). The GPEN exam is $1,699 per attempt. It has 115 questions, a three-hour time limit, and requires a 74 percent score to pass. No specific training is required for any GIAC exam. The GPEN is covered by GIAC’s general code of ethics, which GIAC takes very seriously, as attested to by a running count of exam passers who have been disqualified for violating it.
“I like how [the GPEN exam] ties to practical skills that penetration testers need to have to do their jobs every day,” says Skoudis. “It covers everything from detailed technical approaches to testing all the way up through scoping, rules of engagement, and reporting. The exam is very scenario focused, so it will present a given penetration test scenario and ask which is the best way forward. Or, it’ll show you the output from a tool, and ask what the tool is telling you and what you should do next. I appreciate that so much, as it measures real-world skills better. The exam doesn’t have a lot of questions that are merely definitional, where they have a sentence that is missing one word and ask you which of the following words best fills in the sentence. That’s not a particularly good way of measuring skills.”
3. Offensive Security Certified Professional
The Offensive Security Certified Professional (OSCP) course and certification has been around for just over 10 years and has earned a well-deserved reputation for toughness, with a very hands-on learning structure and exam. The official online, self-paced $800 training course is called Penetration Testing with Kali Linux and includes 30 days of lab access. Because it relies on Kali Linux (the successor to pen testers’ previous favorite Linux distro, BackTrack), participants need a basic understanding of Linux, the bash shell, and shell scripting.
The OSCP is known for pushing its students and exam takers harder than other pen testing paths. For example, the OSCP course teaches, and the exam requires, the ability to obtain, modify and use publicly available exploit code. For the exam, the candidate is given instructions to connect remotely to a virtual environment, where they are expected to compromise multiple operating systems and devices within 24 hours and thoroughly document how they did it. Offensive Security also offers more advanced pen testing courses and exams (e.g., covering web, wireless, and advanced Windows exploitation). Readers may also want to take advantage of its free online course on the Metasploit tool.
4. Foundstone Ultimate Hacking
McAfee’s Foundstone business unit (which I worked for over 10 years ago) offered one of the first hands-on penetration testing courses available. Its series of Ultimate Hacking courses and books led the field for a long time. They covered Windows, Linux, Solaris, web, SQL, and a host of advanced hacker techniques (such as tunneling). Unfortunately, the Ultimate Hacking courses don’t lead to formal exams or certifications.
Today, Foundstone offers a host of training options well beyond just pen testing, including forensics and incident response (as do many of the other players in this article). Additionally, Foundstone offers training in hacking the internet of things (IoT), firmware, industrial control systems, Bluetooth, and RFID. This list of additional platforms isn’t matched elsewhere. Foundstone instructors are often working pen testers and security consultants, although many, if not most, of the training courses are delivered by partners.
5. CREST
Internationally, the pen test courses and exams of CREST, a not-for-profit information assurance accreditation and certification body, are commonly accepted in many countries, including the United Kingdom and Australia and across parts of Europe and Asia. CREST’s mission is to educate and certify quality pen testers. All CREST-approved exams have been reviewed and approved by the UK’s Government Communications Headquarters (GCHQ), which is analogous to the United States’ NSA.
CREST’s basic pen testing exam is known as the CREST Registered Tester (CRT), and there are separate exams for web application and infrastructure pen testers. Exams and costs vary by country, but in Australia, for example, the CRT exam costs $1,000. CREST test takers must review and acknowledge the CREST Code of Conduct. The Offensive Security OSCP certification can be used to obtain the CRT.
All the instructors I spoke to believed that the courses they taught were just a beginning. Barker of CBT Nuggets said, “[Certification exams] are a great entry point and exposure to all the foundations that you can then go onto more.”
“Each [of our classes] is not just a standalone class someone takes for six days and then disappears,” says Skoudis. “Instead, our classes are more like an ecosystem, centered around that six days of training, but with webcasts and follow-up blogs for continued learning going forward. Also, we’ve been super fortunate to have our previous students contributing to this ecosystem through their own blogs and tool development, giving back to the community. It’s really a beautiful virtuous cycle, and I’m so thankful to be a little part of it.”
More on ethical hacking and pen testing:
- Hackers wanted
- Should companies hire criminal hackers?
- 10 steps to managing a successful network penetration test
- What makes a good application pen test? Metrics
- Vulnerability management basics: Pen testing techniques
- Social engineering in penetration tests: 6 tips for ethical (and legal) use
- A pen test a day keeps hackers away
- Penetration testing on the cheap and not so cheap