GPEN vs CPT/CEPT

CoolAsAFan Posts: 239 Member
I'm trying to figure out if I should get one or the other or both. I still have a long ways to go, just doing my homework. Let's assume I have A+, Sec+, LPIC-2, MCITP-EA, CCNP-Sec, CEH, CHFI, and GSEC. Let's also assume I have a few years working as a network admin/engineer and I'm wanting to get into pen testing. Also, after the GPEN or CEPT, I plan on challenging the OSCP as well and getting the CISSP once I have enough work experience.

I'm finding that the GPEN is more valuable in obtaining employment. (It appears in more results when searching for pen testing jobs on Dice, Indeed, etc.) Is this accurate?

How about practicality, which would provide the best knowledge for an aspiring pen tester? (keep in mind that I'm going for OSCP directly after) Thanks for any insight!
IvyTech - AS CINS (Completed: May, 2013)
WGU Indiana - BS IT Security
(Started: August 1st, 2013)
Transferred: AGC1 CDP1 BVC1 CLC1 CVV1 DHV1 DJV1 GAC1 CIC1 CDC1 UBT1 IWC1 IWT1 TCP1 TJP1 TJC1 EBV1 WFV1 EUP1 EUC1 CJC1 UBC1 TBP1
Completed: CUV1 BOV1 DRV1 DSV1 CTV1 CJV1 COV1 CQV1 CNV1 TPV1 MGC1 TXC1 TXP1 BNC1 TYP1 TYC1
Required: SBT1 RGT1 RIT1

Comments

  • docrice Posts: 1,706 Member
    I don't know much about the CPT or CEPT. GIAC certs seem to be growing in popularity based on job board searches, but as we've discussed on this forum countless times, being a pentester requires a lot more than just "hacking knowledge." You need to understand systems, networking, apps, databases, etc. at least at a decent level enough to be familiar with the nuances of the ecosystem in order to slip through the cracks. Certs hold only so much water once you're qualified enough to be a pentester. Couldn't hurt, of course.

    I have never taken the Penetration Testing with BackTrack course or gone through the OSCP challenge. That said, I've gone through their OSWP so I can take a guess at the PWB experience. SANS training is great, but it's more geared towards spoonfeeding you the concepts and tool usage through lecture slides and some labs. I've taken a number of their courses and always left happy. As a matter of fact, I'm just starting their 542 course (Web App Penetration Testing and Ethical Hacking).

    However, Offensive Security seems more than just, "Here's what you can do, now try it out." They provide foundation, but an integral part of the experience is searching for new ways beyond what's in the basic textbook. That's how the hacker / pentesting experience really is - being creative and trying variations on something and ultimately finding a way in. This is where the "Try harder" mantra comes in because in the real world, Google isn't going to give you all the answers. Then from a professional standpoint, you have to be able to translate that into a complete written report stating the issues and backing it up with evidence.

    Although I've taken neither SANS 560 (and obtained the GPEN) nor PWB (and challenged the OSCP), I have a strong feeling that the latter will be 1) more cost-effective and 2) be closer to the real-life experience. I'm guessing the OSCP will also be harder to obtain than the GPEN since Offensive Security's exams are actual simulations whereas GIAC exams are multiple choice. I think they both serve slightly different purposes, but I have the impression that I'm going to fall flat on my face when I eventually get around to doing the PWB course.

    The downside to the OSCP is that from an HR standpoint, there doesn't seem to be a lot of recognition for it yet, unfortunately. They're still looking for the coveted "CISSP" which isn't directly related to pentesting. They might recognize the GPEN, assuming they know about GIAC certs. Even then they might be just directly keyword searching for "GSEC." It sounds lame, but I was actually talking to a manager a while back who was hiring me into a security position in the same company and when he wrote up a job description just as an HR formality, he jotted a bunch of security certification acronyms that he found on some job boards because they "sounded good." Yes, it's just like that sometimes.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • CoolAsAFan Posts: 239 Member
    Thanks for the informative post doc. I agree that I will have much more to learn to get into pen testing, but I know I can do it, have nothing but time. I'm hoping to learn all the fundamentals I need at WGU, then afterwards I can really start my endeavor into pen testing.

    I read that OSCP is definitely harder than GPEN, that's why I wanted to challenge GPEN first then OSCP. I'm starting to see more job postings requesting OSCP too, but certainly not as much as GPEN, and not even close to CISSP. I'm mainly curious as to if I get my GPEN and OSCP, would the CPT/CEPT track be a waste of time/money, or could I take something of value away that wouldn't be covered in GPEN/OSCP? Some job postings request CEPT, but again not as much as GPEN so I don't think there is much value when HR is concerned, please correct me if I'm wrong.

    Also, would you guys suggest doing 502, 503, 504, before GPEN?
  • docrice Posts: 1,706 Member
    502, 503, and 504 will teach you how to look at things from the defensive side which as a pentester you should also know.

    Also check out:
    https://media.defcon.org/dc-19/presentations/Engebretson-Pauli/DEFCON-19-Engebretson-Pauli-Pen-Testing.pdf
  • rogue2shadow CISSP, GXPN, OSCE, OSCP, OSWP, eMAPT, CEH, CNDA, A+, Network+, Security+ Posts: 1,501 Member
    +1 with doc.

    Having gone through the CPT exam I can definitely say it's a great step towards strengthening your foundations in penetration testing/vulnerability assessment. If you haven't heard the official run down, essentially the test is administered in two parts. Part one is the written where you will be given 50 questions and if you pass this, you will be granted access to the practical/lab portion of the test which is due 60 days from receiving the required materials. In the lab, you are tasked with compromising x amount of machines and fully documenting your penetration test findings and methodology. Given that you have CEH and CHFI, you could technically skip this in lieu of getting offensive labbing done on a rather consistent basis.

    In regards to the OSCP, I am currently a student and am finding it exactly as docrice put it thus far (only a couple modules in); you are taught the basics of "x" skill but deep down you know you will be required to go 10x further in the future and they anticipate you will prepare yourself adequately. Your mileage will vary as to the degree of "good pain" you will feel in doing this but everyone I know that has come out of it has learned a lot and it has greatly improved their thoughts on offensive and defensive security.

    http://www.techexams.net/forums/security-certifications/72621-calling-all-penetration-testing-backtrack-pwb-oscp-students.html <-- Great thread that just started up a little bit ago.

    In regards to the CEPT (I will hopefully be taking this before fall), you are once again tasked with a written and this time your reward for passing is you must write a properly functioning Windows exploit, Linux exploit, and reverse engineer a binary. I've also seen very few postings with CEPT as a requirement but for those that I have, they have been for either senior security positions or for reverse-engineers (go figure :P).

    ROI is relative to what you seek to gain. If it's monetary, I'd probably take a crack at the CISSP first (note: domains are changing on Jan 1st) and grab the associate designation; it'll be out of the way and you can focus 100% on your red studies.

    Overall in comparing the OSCP vs. CEPT vs. GPEN, they are honestly all completely different types of animals. If you feel you have a strong enough foundation, hit up the OSCP first then the other two.

  • CoolAsAFan Posts: 239 Member
    Thank you very much for the information rogue. I was wondering if I should get the CISSP out of the way before concentrating on my red hat studies. I'm just not so sure if I'll have the 4 years required work experience before I am ready to start my pen testing path. This is probably a dumb question but will working at a NOC while doing nothing really pertaining to security count towards work experience for the CISSP? Again, thanks for the information!
  • rogue2shadow CISSP, GXPN, OSCE, OSCP, OSWP, eMAPT, CEH, CNDA, A+, Network+, Security+ Posts: 1,501 Member
    CoolAsAFan wrote:
    Thank you very much for the information rogue. I was wondering if I should get the CISSP out of the way before concentrating on my red hat studies. I'm just not so sure if I'll have the 4 years required work experience before I am ready to start my pen testing path. This is probably a dumb question but will working at a NOC while doing nothing really pertaining to security count towards work experience for the CISSP? Again, thanks for the information!

    Np man. In the end, it's up to the ISC2 Auditor (they probably have some other formal name) to decide whether they accept your endorsement package or not (even if someone else endorses you). People who have gone through the full endorsement process might be better off to answer this. I'm still waiting a couple months before I can get fully endorsed.

    In the meantime, I'd say take a look at your official job posting and see what elements in there may be verified and classified as security detail work (e.g. that you perform on a full time basis); maybe creating ACLs, creating user accounts, modifying ACLs; access control or telecomm domains are right there.

  • beads Posts: 1,442 Member
    SANS is just going to beat you with pure marketing muscle at this point in time. It's a large accredited organization and as the joke goes: "Is run by a bunch of Harvard MBAs..."

    Odd but true.

    - beads