Advice Needed: Have OSCP and unsure where to go from here.

Hi,
I've had my OSCP for about a year now. The OSCP was my first InfoSec cert and honestly was my introduction to the InfoSec world (you can read my OSCP testimonial for more details https://theitninja.wordpress.com/). I wasn't aware of how big a jump I took going straight for OSCP with no professional experience in security until I started talking with other InfoSec guys in my area. I'm wanting to obtain more certifications for my resume while I'm looking for the right place to sharpen my new skills, and I'm confused on where to go from here. I'm running into problems where I don't have a lot of experience yet and some recruiters just don't recognize the OSCP. Should I take a step back and obtain the entry level certs like CEH or Security + that's recognized by more recruiters, or should I progress to something else?

Find more posts tagged with

Comments

H3||scr3am

CEH, and CISSP are always great resume fodder, I'd suggest looking into them. with your lack of experience an SSCP might be more necessary. also consider the GSEC, although new and expensive, it's in demand by employers.

overthetop

what you said is 100% correct Mr. Ninja. I just put in OSCP in Indeed and got 279 hits. Ok Look at those job posting and see what other certifications compliment OSCP. Yes, CISSP is going to be on every security related job position listed in the entire world we all know that. I also see CEH and Security+, which might be "easier" to obtain and get you in the door with a job.

mjsinhsv

Depends on what your goals are really.
Have you been working as a Pen tester?

The CISSP is well respected and reading your blog it sounds like you have enough experience to take it.
I wouldn't think the Security+ would do much for you.
The CISA might help if you want to stick with Pen testing and audits.

docrice

The GSEC isn't new (although the exam is expensive). GIAC certifications have been around for a long time.

SaSkiller

I see this constantly, people ask for a cert recommendation for IT Sec and get sent to the OSCP. Its not good. OP isn't the first in this situation. Its always best to build a firm security foundation prior to going for an impactful cert like OSCP. I also advise avoiding the CISSP at this point. Start getting some experience, maybe do some security work on the side and do stuff on your blog, prove that you can apply the principles you learned in the OSCP and use all of this in your resume.

TheITNinja

I was actually thinking about that as well SaSkiller. Use the time to apply what I've learned in my practice labs and then write up proof of concept and general security awareness articles instead of getting another cert.

impelse

You got one that it is good, now the complement would be Security+, CEH and CISSP. I would go in that order.

Also try to do project on the side like OpenVAS, exploit development,etc, Like if it is your job and getting experience.

NovaHax

Yeah...unfortunately sometimes you have to play the HR game. While anyone in the industry knows that OSCP is far more impressive than Sec+ or CEH...the first person you interview with (the HR rep) doesn't know. Despite how impressive OSCP is, you are still WAY more likely to see Sec+ or CEH on a job description...and all that HR rep is looking for is someone that meets that description.

ramrunner800

I disagree with those who say it's a mistake to go OSCP first. The hard skills you develop in that course are awesome, and will help you be a rock star wherever you end up. They will really help you get through technical interviews with hiring managers as well. You just need some things on your resume to help you get past the HR drones so you can get into that interview. I think you're thinking along the right lines with CEH. As soon as I put CEH on my resume I started getting called for interviews.

markosk

I work as a pen tester for a large security firm and I can tell you that the OSCP is something that gives you some street cred immediately. We require this cert within 6 months of starting. If you want to become a pen tester, firms that know something about something will always appreciate what Offensive Security certs prove.

If you liked the exploit development part of it, go on to OSCE or the GXPN. If the web apps were enjoyable, do the GWAPT. The OSWE is a huge leap from OSCP so unless you already have some very strong web hacking skills, I would avoid that for now.

We tend to kind of laugh off the CEH for no other reason than a pen testing cert without labs of any kind don't mean a whole lot.

Just my 2 cents based on interviewing more than 40 people for my team in the last year.

MrAgent

I would suggest getting the CEH. While its kind of a joke of a certification, it'll get you more calls/emails from recruiters.
OP: Where are you located?

the_Grinch

What do you currently do? At this point you'll probably need to really tailor your resume to push what you learned in the OSCP and then you'll start getting some hits. You'll probably need to apply to a lot of jobs, but the right one will see it and snag you.