Information Security Certification path CEH OR OSCP OR GPEN?

kashifrana Member Posts: 5
Hello folks

I hope you are doing well. I have good experience with multi-vendor security products and with routing and switching as well. I am CCIE-SEC, JNCIE-SEC.

I would like to pursue information security certifications:

1- To understand concepts of information security in more depth
2- To get true hands-on experience with how to do attacks on web applications, databases, etc. with tools and with scripting/programming

I would really appreciate it if you could give me your expert input on what would be a good path to start with. Should I start with CISSP, CEH, OSCP, GPEN, CISA, CISM, etc.?

Really appreciate and thanks


  • JDMurray Admin Posts: 13,025
    The recommended first information security certification is CompTIA Security+. However, with the CCIE-SEC and JNCIE-SEC, you already have a good technical background in security, so you should start by looking seriously at the CEH for the offensive side of InfoSec. GPEN and OSCP would then come next.
  • xax Member Posts: 41
    Between CEH and OSCP I think that eCPPT is a good cert. I think eCPPT's course has good material.
  • rogue2shadow Member Posts: 1,501
    I agree with JD and xax. The CEH did provide a basic structure for pentesting but didn't go all that deep beyond "here's the methodology -> here's a tool -> here's a screenshot -> next tool" when I took it. The OSCP is definitely a leap into the deep end (from a first time pentesting perspective) but you will quickly gain experience attacking all types of technologies. It is definitely not for the faint of heart and the "Try Harder" slogan is 100% on the money when it comes to being successful in the lab and exam. The lab and exam are hands-on and also require documentation which gives you experience in writing a debrief report for a client post-engagement. I would highly recommend the course after some exploration into the field.

    The eCPPT web material served as an excellent introduction to the OWASP 10 and the Coliseum labs definitely helped reinforce the concepts involved with exploiting each vulnerability type.

    If I were to do it again, I would probably follow the same path: Sec+, CISSP, CEH, OSCP, GPEN, etc.

    I think overall it comes down to how you learn best, funding, and what the outlook of your cert path is intended to be (pentester vs security analyst vs malware reverse engineer etc).
  • beads Member Posts: 1,531
    Having completed two of the three - here's an easy guide.

    C|EH - "The Tour of Tools"
    GPEN - Journeyman level cert. Very good.
    OSCP - Master's level penetration testing exam. Pass this and you have my respect!

    - B Eads
  • NovaHax Member Posts: 502
    beads wrote: »
    Having completed two of the three - here's an easy guide.

    C|EH - "The Tour of Tools"
    GPEN - Journeyman level cert. Very good.
    OSCP - Master's level penetration testing exam. Pass this and you have my respect!

    - B Eads

    I agree with your perspective on CEH. Can't speak for GPEN, as I haven't done it (SANS is too expensive). But OSCP is not a Master level course. OSCP is an entry level certification. It's only more difficult than CEH because it requires hands-on demonstration of skills as opposed to just knowledge.

    Don't get me wrong...it's a GREAT course, but if you want to get a job as a professional pentester, you better at least have skills at the OSCP level, but really, your kung fu needs to be a lot stronger than that.
  • NovaHax Member Posts: 502
    @OP - It looks like you have a solid Juniper and Cisco background, so you know both command-line tools and TCP/IP routing and switching. The only other ingredient you'll need is determination. If you have that, I'd say jump right in with OSCP, and I think you'll do fine.
  • kashifrana Member Posts: 5
    Thank you very much guys. I really appreciate your input. Could you please also guide me on which course could better grow my skills in terms of writing scripts in Python etc. for doing exploitation/attacks on web applications/databases etc., instead of just using tools? Also, comparing eCPPT with CEH, which course should I go for, to be followed by OSCP/OSCE?

    Thanks !
  • NovaHax Member Posts: 502
    SPSE - SecurityTube Python Scripting Expert is a good course on security-related Python scripting.

    It's a toss-up between CEH and eCPPT. Both are fairly easy programs. CEH is more well-known. But eCPPT will get you started with hands-on. So I guess it depends on what you value more. eCPPT will probably be better prep for OSCP.
  • kashifrana Member Posts: 5
    Thanks NovaHax. Appreciated. Now I think I can easily decide for the choice of offensive security courses. One more thing I would like to ask,

    The CISSP, CISA, CISM, CRISC courses are helpful for which field: for a pentester, only for a security analyst, or just for management? I mean, after doing the offensive certifications, do these certifications make sense?

  • NovaHax Member Posts: 502
    I got CISSP because of the title and added value to my resume. I don't really know if it helped get my PenTesting job, but it certainly didn't hurt. But don't expect to get much technical value out of it. It's a high level management certification. It demonstrates knowledge of security theory...but not much else.
  • r0ckm4n Member Posts: 63
    My vote is also for the OSCP. The course is an awesome value and I learned more from it than any course I have ever taken.
  • redz Member Posts: 265
    kashifrana wrote: »
    Should I start with CISSP, CEH, OSCP, GPEN, CISA, CISM

    1- This depends on what concepts you mean. The basis for everything? Maybe a CRISC. I've heard that hits risk management pretty hard. Resume builder and low level of knowledge across the board? CISSP.
    2- If you're talking only about an offensive perspective (hacking), I would definitely do C|EH -> OSCP if you don't have any basis in hacking methodology or fundamentals. If you do have that basis in hacking methodology, just go OSCP. Now, I've heard great things about eLearnSecurity, as well, you may want to check them out.
  • mithuuu85 Member Posts: 14

    Have you completed a course in information security (CEH, OSCP, CISSP)? I need your advice on this. I have experience in security products and routing and switching as well. I am JNCIE-SEC. I need to go further in the security domain, but I am confused about which course to take. Based on your experience, can you suggest which is apt to take?

    Midhun P.K
  • Dr. Fluxx Member Posts: 98
    The OSCP is not your typical entry level course.
    This isn't like Net+ or, say, an advanced entry level course, if there's such a thing.