Introduction
With the influx of penetration testing/red teaming jobs becoming available, there has also been an influx of eager, talented individuals looking to acquire credentials that will make them a high-valued candidate. Sure, there are plenty of reputable companies developing practical, industry-level certifications (eLearnSecurity, Pentester Academy, Zero Point Security), but I’m sure by now every one trying to get in the industry has their eye on two certifications:
Practical Network Penetration Tester by TCM Security
Offensive Security Certified Professional by Offensive Security
I’ve had the pleasure of experiencing and passing both exams in their current (Active Directory focused) state and wanted to provide some (hopefully) helpful insight as well as an un-biased comparison for those indecisive on which one to prepare for first. I’ll try not to be long-winded.
Assuming you have done your research on both, I won’t bother going through a full break-down of each exam. However, if you’re interested, feel free to watch my in-depth review of the PNPT here. Give me about a week from the time you read this article to create a similar video discussing the OSCP.
To make this easier to digest, I’ve decided to create a Venn diagram as it relates to 4 categories I think we all prioritize: Cost, Exam Duration, Realism, and Employer Qualification.
The Important Part
Personal Experience — Why PNPT?
After reviewing the information above, I think the most important question to ask yourself is “What am I looking to gain?”. Earlier this year, I had just acquired my Certified Ethical Hacker certification and had a desire to learn more about exploiting current industry environments. In addition, I wanted to be able to articulate some of the current methodologies I was familiar with in job interviews. The PNPT allowed me to do just that — at a fraction of the cost. I wasn’t pressured to speed through time-based lab environments while preparing, or passing the exam on my first try (because I knew I had a free retake). In addition, 5 full days to take the exam is more than enough time. I was able to sleep a full 8 hours and come back with a refresh mindset in case I ever got stuck — which I did, multiple times. If you have a CTF background, you may find the direction unclear initially because there aren’t any flags to capture. However, after your initial foothold, thing should become a bit more clear. The environment was stable throughout the entire duration and TCM support was always available in case I had any questions. It felt great debriefing with Heath at the end of the process and being told I had successfully passed. Overall, given my lack of experience with AD exploitation, it took me about 3.5 days to complete the technical portion and another full day to write the report — I’d rate the exam difficulty at a 7 out of 10.
Interview Experience — Post PNPT
Disclaimer: Take my experiences with a grain of salt. I applied to all major companies to try to gather an understanding of how “valuable” of a candidate I would be. I have ~4 years in the industry and have never worked in an offensive security role. Safe to say your job hunting experience, interview process and results could be totally different than mine depending on your level of expertise and a companies needs.
Immediately after passing my PNPT, I revised my resume and applied to a few Offensive Security roles. I would say out of ~7 roles I had applied for, I received 4 calls for interviews and immediate rejections from the other 3. During my interviews, I was able to articulate the answers to some of the technical questions very well (In my bias opinion, lol), however, it seemed like all of the employers were focused on whether or not I planned on taking the OSCP and if so, when. From there, followed rejection letters from all of the companies which was a clear indication of what I needed to do next.
Personal Experience — Why OSCP?
As stated in the Personal Experience — PNPT section, it’s important to know what it is you want out of the process. My motivation was get into the Offensive Security industry. It just seemed like the OSCP was the “golden ticket” into the industry. Once again, all of our experiences will differ — in fact, I’ve read articles from others stating that they’ve acquired multiple other certifications in addition to the OSCP and still had issues finding a job. Then you have the opposite side of the spectrum — people with barely any certifications at all that just so happened to find their way in the door.
Despite dreading the 1500$ I was about to spend, my mind was made on taking the OSCP. Luckily (and conveniently), I was able to take part in the Blacks in Cyber Security: Red Team Development cohort. Through a series of interviews, I would eventually become a RTD student and have the exam cost+training sponsored for me. I can’t thank BIC enough for the opportunity. That being said, I immediately began preparing — solving PG, HTB, THM rooms as well as watching YouTube videos from The Mayor, Hackersploit, and Ippsec to gain a deeper understanding and better familiarity with Windows/Linux exploitation and privilege escalation techniques. This behavior was already some-what of a hobby for me, so there was no need to “prepare” myself mentally. The OSCP training modules/labs were very similar to what I experienced in TCM’s Practical Ethical Hacker course, so it was more of a refresher.
Exam day came quick. Before I knew it I was logging into my OffSec portal and connecting to the VPN. I was able to compromise 2/3 of the standalone machines about 6 hours. At that point I decided to get some rest (very important) and focused only on the AD set. Factoring exam time + rest, I managed to complete the technical portion of the exam in about 16 hours. I took full advantage of the extra day given for reporting. In a little less than 24 hours, I received my notification of passing :).
Interview Experience — Post OSCP
It’s been about a week since my passing and I haven’t had the time to revise my resume and apply for jobs, but I’ll definitely keep you guys updated on my interview processes and whether or not the certification has it’s benefits. In addition, I’ll be writing a full-exam break down on how I approached the exam, the study resources I used as well as my note taking process.
Conclusion
This is my first article — I hope it was helpful!
If you have any questions, feel free to connect with me on:
Twitter: https://twitter.com/whoisPremier
Discord Server: https://discord.gg/5q5PmCRmBA
-0xP
