A Complete Offensive Security Certification Guide
By David Brown


Offensive Security certification exams are more than a test of technical prowess. They are a test of endurance as well. The stamina it takes to complete a 24-hour, 48-hour, or 72-hour hands-on security assessment means that Offensive Security certification is not for everyone. The exams are proctored online by video.

Network security is one of the most important aspects of information technology. That's because there are plenty of bad guys who don't mind infiltrating and pilfering vulnerable networks if they can. Offensive Security's certifications, which focus on ethical hacking, arose in response to the growing worldwide threats to IT infrastructure.

IT certifications are a way to demonstrate that you have certain knowledge and skills in a particular area of technology. Both aspiring and experienced IT professionals pursue certifications to advance their careers and improve their abilities to do their jobs. Offensive Security certification, however, differs from other certifications because it takes a hands-on approach. It's not so much what you know that matters. The real test is what you can do with it in real-world environments.

Offensive Security Ltd. was established in 2006 by Mati Aharoni. Penetration testing is at the heart of Offensive Security's certification program, and Kali Linux is their tool of choice. Kali Linux is a Debian-based distribution created by Aharoni and his team for their penetration testing services and training. The internet consensus is that Offensive Security certifications are among the most difficult and highly respected in the business. These professional certifications will improve your IT security resume and show prospective employers that you know something about security threats, and that you can do something about them.

As the company's website puts it, Offensive Security exams "rely entirely on demonstrated ability and merit." These are not your standard multiple choice certification exams. During the marathon exams, candidates are expected to find and exploit vulnerabilities in a lab network and then document what they did and how in a professional report. Offensive Security offers five cybersecurity certifications:

  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Certified Expert (OSCE)
  • Offensive Security Web Expert (OSWE)
  • Offensive Security Wireless Professional (OSWP)
  • Offensive Security Exploitation Expert (OSEE)

The Offensive Security certification path is not strictly tiered. You can take each one individually as long as you complete the required course first, and none of the certifications has another exam as a prerequisite. That said, you might consider the OSCP the "entry-level" exam and the OSEE the most advanced. The Kali Linux Certified Professional (KLCP) certification is another good option for those who want to brush up on their Linux skills and learn the particulars of the Kali distribution.

These exams are not handled by an external testing company. Offensive Security handles them all themselves. In fact, they package the required training and exam together for each certification. At the time of writing, the Offensive Security Certified Professional bundle costs $800, and the others (except OSEE) range from $450 to $1,400. The cost for the OSEE is not listed on the website, so you will have to work with Offensive Security on that one.

Along with the required training, Offensive Security provides a virtual lab network it calls the Proving Grounds (PG), in which students can practice their white-hat hacking techniques against intentionally vulnerable machines. Once the lab time bundled with the course runs out, students can purchase additional time with an Offensive Security lab extension. Prices range from $200 to $650 for an additional 15 to 90 days. Offensive Security training reviews are available online, so you can see what other students thought of the course and exam.

We will be discussing below a number of topics about getting certified in Offensive Security. We will look at individual exams, and we will offer comparisons between Offensive Security and competitors CEH and CISSP.

We will also help you consider Offensive Security Certified Professional salary potential and related job opportunities. And finally, we will discuss training options, including those offered by CBT Nuggets. Here is what's included:

  • Offensive Security Certification Guide
  • What is an Offensive Security Certification?
  • What is Kali Linux?
  • Offensive Security Certified Professional
  • Offensive Security Certified Expert
  • Offensive Security Web Expert
  • Offensive Security Wireless Professional
  • Offensive Security Exploitation Expert
  • OSCP vs CEH
  • OSCP vs CISSP
  • How Much Does It Cost to Get Offensive Security Certified?
  • Offensive Security Recertification and Renewal
  • Penetration Tester Salary and Career Information

What is an Offensive Security Certification?

The Offensive Security certification program includes five hands-on exams that require candidates to show they can handle real-world problems. The Offensive Security Certified Professional (OSCP) certification covers general penetration testing and is usually the entry exam for test-takers. Two exams go deeper into exploitation from different angles: the OSCE (cracking the perimeter) and the OSEE (advanced Windows exploitation). The other two deal with specific areas: web application attacks (OSWE) and wireless security (OSWP).

What is Kali Linux?

Most Offensive Security certifications recommend knowledge of Kali Linux. Kali Linux is a Debian-based distribution of the Linux operating system that is focused on penetration testing and ethical hacking. The distribution was developed by founder Mati Aharoni and two of his colleagues, and first released in March 2013. It includes hundreds of tools that an IT professional performing penetration testing might need. For instance, Nmap is a network scanner used to discover hosts, open ports, and the services behind them, and Wireshark is a network packet analyzer. Categories of tools listed on the Kali website include:

  • Information Gathering
  • Vulnerability Analysis
  • Wireless Attacks
  • Web Applications
  • Stress Testing
  • Forensics Tools
  • Sniffing & Spoofing
  • Password Attacks

There is nothing proprietary about the Kali Linux distribution. That is to say, everything on it (the Linux kernel, the utilities, the applications) is freely available open-source software. What makes Kali useful is that it is a curated distribution: a known-good set of tools for white-hat hackers, preinstalled and preconfigured. (Whether these tools can be used for nefarious purposes is not the subject of this article.)

Kali Linux is an integral part of the Offensive Security certification training and testing program. Candidates will need to be thoroughly familiar with it for the grueling exam sessions. So, it may be a good idea to play around with it before starting the training.

Offensive Security Certified Professional (OSCP)

The Offensive Security Certified Professional (OSCP) certification is designed for network security professionals who want to demonstrate how well they find and exploit network security vulnerabilities. The exam is essentially a time-boxed penetration test in which the candidate acts as a white-hat hacker to identify and exploit weaknesses in a lab network.

The OSCP certification validates a candidate's ability to execute these methods and attacks:

  • Use multiple operating systems and services to gather and enumerate targets
  • Write basic scripts and tools to aid in pentesting
  • Analyze, correct, modify, cross-compile and port exploit code
  • Conduct remote and client-side attacks
  • Exploit XSS, SQL injection, and other web application vulnerabilities
  • Deploy tunneling techniques to bypass firewalls
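The first two skills on that list (enumerating targets and writing small tools) are the everyday substance of the course and exam. The following script is an added example written for this guide, not code from the original article or from Offensive Security's course material. It is a minimal TCP connect scanner with banner grabbing, the kind of throwaway tool a candidate writes in the lab when Nmap is not an option. Scanning hosts you do not own or have written permission to test is illegal, so the demo scans a listener the script starts itself on 127.0.0.1; the "OpenSSH" banner that listener sends is constructed for the demo and is not a real service.

```python
"""Minimal TCP connect scanner with banner grabbing (added example).

Not from the original article or from Offensive Security. The target
service and its banner are constructed for the demo and run on localhost.
"""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Constructed demo banner, not a real OpenSSH server.
DEMO_BANNER = b"SSH-2.0-OpenSSH_7.9 (constructed demo banner)\r\n"


def scan_port(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """Full TCP connect to host:port.

    Returns the banner the service sent (empty string if it stayed quiet)
    when the port is open, or None when the connection is refused or
    times out. A connect scan completes the three-way handshake, so it
    needs no raw-socket privileges but is noisy in the target's logs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open port, but the service expects us to talk first
            return data.decode("utf-8", errors="replace").strip()
    except OSError:
        return None


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Connect-scan each port in turn and map the open ones to their banner."""
    results: Dict[int, str] = {}
    for port in ports:
        banner = scan_port(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def start_fake_service(banner: bytes = DEMO_BANNER) -> Tuple[socket.socket, int]:
    """Start a throwaway listener on 127.0.0.1 that sends a banner and hangs up.

    Returns the listening socket (close it to stop the service) and the
    ephemeral port the kernel assigned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port() -> Tuple[socket.socket, int]:
    """Bind (but do not listen on) an ephemeral port so connects to it are refused."""
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    return closed, closed.getsockname()[1]


def demo() -> Dict[int, str]:
    """Scan one open and one closed local port; returns the open ports found."""
    srv, open_port = start_fake_service()
    closed_sock, closed_port = reserve_closed_port()
    try:
        return scan_ports("127.0.0.1", [closed_port, open_port])
    finally:
        srv.close()
        closed_sock.close()


if __name__ == "__main__":
    for port, banner in sorted(demo().items()):
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

Running the file prints one line for the demo port, with the banner the listener sent. Replace the port list with `range(1, 1025)` and a host you are authorized to test to get a basic service inventory; the banner is what tells you that port 22 is really SSH and not something else hiding there.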

Required exam: Earning the OSCP certification requires passing one exam — the 24-hour, proctored OSCP exam.

Prerequisite: Prior to attempting this certification, Offensive Security requires taking the Penetration Testing with Kali Linux (PwK) course, which is included in the OSCP course bundle.

Recommended experience: Offensive Security recommends reasonable Linux skills, familiarity with Bash scripting, basic Perl or Python skills, and a solid understanding of TCP/IP and networking prior to attempting this exam.

Offensive Security Certified Expert (OSCE)

The Offensive Security Certified Expert (OSCE) certification is designed for network security professionals who want to demonstrate how well they can deal with network security vulnerabilities, including some of the most troublesome exploits. While the OSCP focuses on the overall penetration testing process, the OSCE takes an in-depth look at specific exploitation techniques that attackers use to infiltrate systems. These include buffer overflows and some of the web application issues covered in the OWASP Top Ten list.

The OSCE exam may be considered more advanced than the OSCP, although there is no clear tiered structure. The OSCE certification validates a candidate's ability to execute these methods and attacks:

  • Intelligent fuzz-testing
  • Analyze, correct, modify, and port exploit code
  • Craft binaries to evade antivirus software

Required exam: Earning the OSCE certification requires passing one exam — the 48-hour, proctored OSCE exam.

Prerequisite: Prior to attempting this certification, Offensive Security requires taking the Cracking the Perimeter (CTP) course, which is included in the OSCE course bundle.

Recommended experience: Offensive Security recommends reasonable Linux skills, familiarity with Bash scripting, basic Perl or Python skills, and a solid understanding of TCP/IP and networking prior to attempting this exam.

Offensive Security Web Expert (OSWE)

The Offensive Security Web Expert (OSWE) certification is designed for security professionals who want to demonstrate proficiency in auditing web application source code for vulnerabilities. It tests a candidate's ability to find such flaws in code and turn them into working exploits. This is the newest exam in the Offensive Security portfolio.

The OSWE certification validates a candidate's ability to execute these methods and attacks:

  • Audit web application source code to find vulnerabilities
  • Develop exploits for vulnerable web applications
  • Analyze public exploit code
  • Bypass sanitization filters

Required exam: Earning the OSWE certification requires passing one exam — the 48-hour, proctored OSWE exam.

Prerequisite: Prior to attempting this certification, Offensive Security requires taking the Advanced Web Attacks and Exploitation (AWAE) course, which is included in the OSWE course bundle.

Recommended experience: Offensive Security recommends an understanding of web applications, reasonable Linux skills, familiarity with Bash scripting, basic Perl or Python skills, and a solid understanding of TCP/IP and networking prior to attempting this exam.

Offensive Security Wireless Professional (OSWP)

The Offensive Security Wireless Professional certification is designed for network security professionals who want to demonstrate their ability to audit 802.11 wireless networks and identify vulnerabilities. Candidates should also be able to simulate attacks themselves.

The OSWP certification validates a candidate's ability to execute these methods and attacks:

  • Wireless information gathering
  • Circumventing wireless network access restrictions
  • Cracking WEP, WPA, and WPA2 implementations
  • Man-in-the-Middle attacks

Required exam: Earning the OSWP certification requires passing one exam — the 4-hour, proctored OSWP exam.

Prerequisite: Prior to attempting this certification, Offensive Security requires taking the Offensive Security Wireless Attacks (WiFu) course, which is included in the OSWP course bundle.

Recommended experience: Offensive Security recommends a good understanding of 802.11 wireless networking, reasonable Linux skills, familiarity with Bash scripting, basic Perl or Python skills, and a solid understanding of TCP/IP and networking prior to attempting this exam.

Offensive Security Exploitation Expert (OSEE)

The Offensive Security Exploitation Expert (OSEE) certification is designed for security professionals who want to demonstrate their ability to research and create exploits through reverse engineering, assembly, and disassembly. In other words, candidates need to develop working exploits against Windows targets themselves during the exam. Knowing firsthand how a vulnerable system is breached is what lets them understand, and defend against, attackers who do the same.

The OSEE certification validates a candidate's ability to execute these methods and attacks:

  • Develop sophisticated exploits
  • Create custom shellcode
  • Bypass DEP/NX and ASLR protections to gain reliable code execution
  • Perform precision heap sprays
  • 64-bit and 32-bit Windows kernel driver exploitation
  • Kernel pool exploitation
  • Disarm EMET mitigations

Required exam: Earning the OSEE certification requires passing one exam — the 72-hour, proctored OSEE exam.

Prerequisite: Prior to attempting this certification, Offensive Security requires taking the live, hands-on Advanced Windows Exploitation (AWE) course, which is administered every year at the Black Hat USA conference.

Recommended experience: Offensive Security recommends an expert-level understanding of Windows, reasonable Linux skills, familiarity with Bash scripting, basic Perl or Python skills, and a solid understanding of TCP/IP and networking prior to attempting this exam.

OSCP vs. CEH

Offensive Security is not the only penetration testing certification on the market. One competitor is the Certified Ethical Hacker (CEH) certification, which is offered through EC-Council (The International Council of E-Commerce Consultants). To sit the CEH certification exam, you need to take an approved training course or have two years' experience in IT security.

The CEH exam lasts four hours and covers 19 domains, all of which are covered during the course. Some of the topics are ethical hacking basics, network scanning, sniffers, cryptography, and penetration testing. But unlike Offensive Security's exams, this is a multiple choice test: 125 questions, with 70 percent required to pass.

Both the CEH and the OSCP are focused on penetration testing. But of course, the OSCP is a hands-on exam. If you are looking to do penetration testing, then Offensive Security is probably your best bet. If you want to work for the U.S. government, you will need to consider CEH because it's approved under DoD Directive 8570. If you want a lifetime certification, go for OSCP, because CEH must be renewed every three years.

According to Payscale.com, the average salary for a CEH-certified professional is $78,979. That's somewhat lower than the Offensive Security figures below. Your choice between Offensive Security and CEH certification will largely depend on your particular career goals.

OSCP vs. CISSP

Another security certification to consider is Certified Information Systems Security Professional (CISSP). This is offered by an organization called the International Information System Security Certification Consortium, or (ISC)². Those are a lot of words, but you just need to remember CISSP and (ISC)² (pronounced "I-S-C squared").

CISSP is not the only certification offered by (ISC)². They also offer SSCP (security administration) and CCSP (cloud security), among others. The CISSP focuses on leadership and operations, according to the (ISC)² brief. They call it "The World's Premier Cybersecurity Certification." The job titles listed for potential CISSP candidates tell us a lot about the exam:

  • Chief Information Security Officer
  • Chief Information Officer
  • Director of Security
  • IT Director/Manager
  • Security Systems Engineer
  • Security Analyst
  • Security Manager
  • Security Auditor
  • Security Architect
  • Security Consultant
  • Network Architect

You can see that many of these roles are in upper management or higher-level engineering. (ISC)² says that the CISSP is not for everyone, so you may want to think about their other certification options. In addition to the SSCP and CCSP, they have one certification that deals with security assessment and authorization, one that targets secure software development, and another that focuses on healthcare security.

Obviously, the CISSP is not for the gritty pen tester who does all-nighters to solve security problems. The CISSP targets those who look at security from a higher level. Then again, like CEH, CISSP can help land you a cushy government job. Probably no all-nighters there. Again, the choice here has a lot to do with the kind of career you are looking for.

How Much Does It Cost to Get Certified?

Offensive Security certification cost is all wrapped up in packages. Training and testing are purchased as one unit. It's not possible to take the course at an external provider, or to sit the exam at an external testing company. At the time of writing, Offensive Security certification bundle cost is $800 for OSCP, $1,200 for OSCE, $1,400 for OSWE, and $450 for OSWP. The cost for OSEE is not specified on the website.

Offensive Security Recertification and Renewal

Offensive Security does not address this directly on their website, but the consensus from reputable sources on the internet is that their certifications do not expire and do not need renewal. Part of the reason may be that the courses and exams test methodology and hands-on technique rather than specific products or technologies that change from year to year.

Penetration Tester Salary and Career Information

The average OSCP salary according to Payscale is $91,000 (USD). They list the following roles and salaries for OSCP-certified IT professionals (in USD):

  • Penetration Tester: $90,262
  • Security Engineer: $97,151
  • Security Consultant (Computing / Networking / Information Technology): $79,456
  • Information Security Analyst: $74,950
  • Cyber Security Engineer: $97,727
  • Information Security Engineer: $98,870
  • Senior Security Consultant: $107,351

For an average penetration testing salary, Indeed puts the figure at $116,272. They write, "Salary estimated from 191 employees, users, and past and present job advertisements on Indeed in the past 36 months. Last updated: August 7, 2019." During preparation of this guide, a search on the Indeed job site returned 966 results for the query "oscp or osce or osee or oswp or oswe." Even better, a search on "penetration testing" yielded 4,366 jobs.

So the earnings potential and job opportunities for a penetration tester in general, and an Offensive Security-certified individual in particular, both look pretty good. Getting an OSCP cert may be just the right option for you. But you might want to ask yourself, of course: Is this the kind of IT job that you imagine for yourself?

Doing shift work in IT helpdesk or NOC jobs can be grueling enough. But judging from these marathon exams, the penetration testing profession must be pretty demanding. You may be expected to get "wired in" and stay with an issue until you figure it out. What about sleep, you ask? Sleep's for babies, they say — obviously not for dedicated penetration testers.

Now that you know a bit more about how to become a penetration tester with Offensive Security, you might consider additional training options with CBT Nuggets. There is a lot to learn, and our training will complement anything that you learn in the official course.

Offensive Security Training

As of August 2019, CBT Nuggets doesn't offer Offensive Security certification training. Please note, we are constantly updating our training library, so learners should check regularly for new training. CBT Nuggets trainer Keith Barker has created the following Kali Linux training:

All CBT Nuggets training either provides learners with custom virtual labs or supplemental files to learn technical concepts alongside the video training. Virtual labs were designed by experts to help learners gain hands-on experience in a sandbox environment. NuggetLab supplemental files include practice IOS commands, configuration files, and network diagrams — everything a learner needs to study for certification exams.

CBT Nuggets learners should also take advantage of the Kaplan® IT Training Practice Exams included with a subscription to CBT Nuggets. Practice exams can either be taken timed or untimed, and provide a good baseline for learners to test their knowledge. Additionally, Kaplan® IT Training Practice Exams evaluate a learner's strengths and weaknesses, so they know where to focus their attention while studying.

Being successful taking certification exams requires quality instruction, hands-on experience, and practice with the exam itself. CBT Nuggets provides every element a learner needs to pass IT certification exams.
