4 Alternatives to the OSCP

We're been on a security kick here on the blog — particularly with offensive security and penetration testing certifications like the OSCP. For good reasons, too: infosec is red hot right now, and getting paid to legally hack things is a lot of fun! Pen testing can be a hard field to break into, especially without specific experience. Any amount of general IT experience is a great start, especially in server and network administration, but not many companies want to train pen testers from scratch.

Anyone who's been in IT for any amount of time knows where to go from here: devour every blog you can find on the topic, build a home lab to play in, and dig into certifications. As a field with little established protocol on formal training, self-driven learning should be high on any list of what leads to a successful IT career. Pen testing is no exception, and with a smorgasbord of content and vulnerable-by-design systems to consume online, the self-learner seeking to pivot into pen testing has no shortage of resources.

But any good resume will still require that formal seal of approval that comes from a certification. The OSCP is a gold standard to which any pen tester should aspire, however, it is a super lofty goal. The time commitment is significant, as is the expense. Maybe you just don't have enough hours in the day between your job, family, and social commitments to study (15-20 hours a week for three months is not unheard of to prepare). Maybe the sticker shock of the requisite PWK course send you reeling — $1,150 USD for three months of lab access.

No worries! Let's check out three certs and one course that will scratch that pen testing itch — without turning you into a broke hermit.

Certified Ethical Hacker

The CEH cert is administered by EC-Council and certifies your skills in finding "weaknesses and vulnerabilities in target systems…to assess the security posture of a target system(s)." It costs $100 (USD) to apply, then an additional $950 to test, so this might not be the cert to pursue if you have the free time, but not the dough.

Unfortunately that high price tag does not include any training or courseware, unlike the OSCP. They offer separate training, but it is not cheap. You can go the self-training route with CBT Nuggets, but to test as a self-trainer you must be approved first, which is very odd (go here and scroll down to "Eligibility Requirements" for the details).

Prepping for the CEH will "provide you with the tools and techniques used by hackers and information security professionals alike to break into any computer system." They emphasize learning about the "hacker mindset," so you can know how your enemy thinks both to attack and defend your networks with systematic processes. Specifically, you'll cover the five phases of ethical hacking: reconnaissance, gaining access, enumeration, maintaining access, and covering your tracks.

While this sounds on par with the OSCP's content, it's worth noting that the exam comprises multiple choice questions only. A big selling point of the OSCP is that it's a very practical, hands-on exam where you must hack machines and write a report.

Holding that up as a standard, a multiple-choice exam around pen testing in the vein of a CompTIA or Microsoft exam seems not quite as exciting. You will learn valuable content, just maybe not how to actually do pen testing. Here's how to put your new skills to work.

So Who Is This Cert for Exactly?

EC-Council brags about being "ANSI 17024 compliant," which is just a very general accreditation for awarding certifications in any field, not just infosec. It is also an "approved baseline certification" for certain U.S. Department of Defense positions and is recognized training for GCHQ, the UK equivalent of the U.S. NSA. Together, this paints the CEH as a cert for those in high-level organizations like the government, military and their contractors, but also tightly regulated fields like finance and IT auditing.

Are you trying to break into infosec in industries like those? The CEH is probably a cert that will give you a leg up. It might end up being only a box that HR needs to check off for you to get an interview, but, if so, that's an important box. But maybe your goal is to become a pen tester for a private company, with a slightly lower price tag than the CEH?

eLearnSecurity Certified Professional Penetration Tester

The eCPPTv2 is 1) a mouthful even as an acronym and 2) not as well known of a certification as many others are. eLearnSecurity is a small but growing force in the infosec training and certification world, with word spreading about how excellent of a resource it is — not only for pen testing but also incident handling, digital forensics, and a variety of other red and blue team areas.

The first thing you need to know about the eCPPT cert: it's only $400 (USD). So, it's much more accessible than the CEH. Plus, like the OSCP, your exam is a mock pen test in a lab, with your final pass or fail coming from the quality of your findings and the report you write up about them.

The areas covered are also similar to the OSCP: target enumeration, finding vulnerabilities, web app exploitation, privilege escalation, and exploiting with Metasploit. One negative though: like the CEH, no courseware or training is included. eLearnSecurity's course for this cert, the PTP, while highly regarded, starts at $1,199 (USD). Then tack on at least $100 (USD) for access to their labs. Ouch.

But for a highly motivated self-learner, this cert can be a great start to the journey into pen testing, including preparation for the OSCP. A recent article we did on OSCP prep contained some pre-gaming strategies before starting the OSCP course. They would be perfect if you wanted to work toward taking the eCPPTv2 on a budget.

Virtual Hacking Labs

The CEH and eCPPTv2 sound great, but man oh man they aren't cheap, especially if you want some quality courseware to learn from. What if there was a course that, while it didn't provide certification, provided a great foundation of pen testing knowledge with an appropriate level of hand-holding for the absolute n00b aspiring pen tester? Look no further than the Virtual Hacking Labs!

At $99 (USD) for one month and $249 (USD) for three months of lab access, this is a steal for someone wanting desperately to learn, not too concerned with earning a cert, on a budget, and perhaps aspiring to the OSCP some day. You are provided with some excellent coursework that isn't super in-depth, but is exactly what you need to know when starting out on Day 1 of your pen test journey.

The lab access lets you test your new skills, attempting to infiltrate a variety of Windows and Linux machines. You also have the option when you're done writing up a report on 20 compromised machines to earn a certificate of completion, so maybe we'll call it a Cert Lite. Maybe once you've earned that, you can hone your skills with a little friendly competition.

A perfect one-two-three punch of pen test preparedness on a budget could definitely look like this: conquering the Virtual Hacking Labs, getting some extra practice in on a hacking platform like Hack the Box, and then taking on the eCPPTv2.

GIAC Certified Penetration Tester

GIAC is the certification wing of the IT training warhorse, the SANS Institute. If you know SANS, you know they 1) have been around forever, 2) offer rock solid training usually through boot camps and 3) require a second mortgage to pay your own way and attend any of their training sessions. Seriously, they are the best of the best, but for the GIAC Certified Penetration Tester (or GPEN) week long course and exam, expect to pay over $7,000 (USD).

So if anything else we've discussed today seems out of budget, forget this. You can, of course, sit for the test without taking the training, but that'll still put you back $1,899 (USD). But if you want to do pen testing and don't think highly of the OSCP, you can't go wrong with the GPEN. To quote one amazing infosec blog:

I've recommended SANS / GIAC line of certifications in the past because I find their training and tests some of the most legitimate. Their certifications are some of the most technically respected to have on a technical resume…If you can easily afford a SANS course and GIAC certification, absolutely take one applicable to your field…If you can't, don't take it to heart – wait until an employer makes them financially available to you.

That last line brings up a great point: most people aren't paying their own way to a SANS course, their employer is. Also, like the CEH, the US DoD has certified many SANS courses. If the employer paying a student's way is the U.S. government, then maybe that high price tag makes a little more sense.

Final Thoughts

While the OSCP is highly regarded, it's not the only option for offensive security training and certification. Hopefully, you don't leave disheartened, because none of these options are cheap, at least when combined with their corresponding training. Like they say though, investing in yourself can yield some of the biggest returns. Plan your infosec career carefully and it will pay off in the long run for you. Start with CBT Nuggets today!