What is the wisest choice for a series of certifications for pentesting.

I'm interested in pentesting and was wondering what would be the wisest choice of certifications. I see a lot of people have CompTia A+, Network+, Sec+, if I'm interested only in pentesting do I need all three or is CompTia Sec+ sufficient? And after that is done should I go for the Sans pentesting of something else? And what is the most coveted pentesting cert?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

hiddenknight821

Stochastic13 wrote: »

I'm interested in pentesting and was wondering what would be the wisest choice of certifications. I see a lot of people have CompTia A+, Network+, Sec+, if I'm interested only in pentesting do I need all three or is CompTia Sec+ sufficient? And after that is done should I go for the Sans pentesting of something else? And what is the most coveted pentesting cert?

I think you ought to check out this thread. The creator of this thread would loathe you for asking this. You can't just learn how to pen-test by cert books or bootcamp. There isn't even a formal education program that can teach you how to pen-test. You need to become an expert on the networking basic in order to be able to get started on pentesting.

xenodamus

Yea, you can't really jump into IT and "only do pentesting". That's really an area that you graduate to after becoming a good System/Network Admin and gaining tons of knowledge about both. All 3 of the CompTia exams you mention are good material for entry level knowledge, though.

I would pick a more generic path toward Systems or Network Administration, and once you have some higher level experience start looking toward specializing further.

Stochastic13

Thanks for the thread, it really puts things in perspective.

Bl8ckr0uter

xenodamus wrote: »

Yea, you can't really jump into IT and "only do pentesting". That's really an area that you graduate to after becoming a good System/Network Admin and gaining tons of knowledge about both. All 3 of the CompTia exams you mention are good material for entry level knowledge, though.

I would pick a more generic path toward Systems or Network Administration, and once you have some higher level experience start looking toward specializing further.

I am going to be the black sheep here. If you have a ton of knowledge and skill and "aim" you career the correct way, possibly pick up a MS in CS or InfoSec and catch a few breaks you *could* become a pentester without going through the helpdesk>admin>security>pentest path*. Many pen testing jobs I have seen only want a few (like 2-3) years of experience.

*I don't even think this path will be possible for much longer due to outsourcing/off shoring and compartmentalization of skills/people/roles. People on the helpdesk will live and die there and mid level admins will either die, go to consulting, or play the job hop game until they can break into the big leagues.

I don't think a CEH, offensive security or even a GPEN will "make" you a pentester but they might be good places to start (after other certs like Security+/SSCP/GSEC and the like). More than anything you need a deep understanding of operating systems, networking, and a decent grasp of a scripting or programming language or two and some creativity. There is a very, very good post by a beast of an infosec pro here that will help guide you:

http://www.infiltrated.net/pentesting101.html

Read it. He writes here from time to time.

Stochastic13

Thanks, that sounds a whole lot better than the traditional route that starts with help desk. I'm majoring in computer science with specialization in computer security, should I get a MS or a PHD after I get my BS, or should I do the two year sequence that was described in the link that you provided? Also I was thinking about taking the CompTia certs but since I'll be in school for 4 years more and they expire in three does it make sense to do so?

shaqazoolu

I clicked over and saw Sexion's wall of text in the other thread and I am too tired to read it so I will just say this...get your CCNA and buy Laura Chappell's Wireshark Network Analysis book. CCDA probably wouldn't hurt either. Read the Wireshark book cover to cover. By the time you finish this, you should have a pretty good understanding of the different network layers and how communications work. I thought the CCNA was a huge snoozefest and the Wireshark stuff has its ups and downs but you will HAVE to have this knowledge to be a pen tester.

After that, buy access to the eLearn Security material. By the time you finish the eLearn material, you'll probably have a much better idea of which direction you want to go in and will probably know what to research to figure out what your next steps are on your own. This material is really good.

This is a really simplistic view of where to head IMO. This is actually probably a good 2 years worth of work at the very least so don't take it lightly.