A lot of people are asking about the CompTIA PenTest+ and how it stacks up to more established penetration testing style certifications, such as the OSCP from Offensive Security. Sometimes, these certifications are so different that it’s actually easier to talk about how they don’t compare, which can certainly be the case for the PenTest+ and the OSCP. In this article, I’ll provide seven ways in which these two certifications don’t even compare.
Why You Can’t Compare the OSCP and PenTest+
These two certifications are based on penetration testing and ethical hacking, and both are worth the time and effort it takes to earn them, but the commonalities between the OSCP and PenTest+ end there. Here are seven of the most important ways in which they are so different.
Ready to Start Your Cybersecurity Career?
Get my FREE 5-part series "Strategies for New Cyber Careers". These strategies can help you get your cyber career started. I'll also send you my weekly newsletter every Wednesday with resources that every cyber professional needs to know.
If you’ve looked into the Offensive Security Certified Professional (OSCP) before, one thing will certainly stand out, and that is the exam length. The OSCP is an up-to-48 hour exam that you can take remotely from home, in which you’ll be tasked with hacking into a number of devices during a 24-hour period, after which you’ll have the successive 24 hours to write up a report on your findings.
Compare that to the CompTIA PenTest+ length, which is a relatively brief exam that lasts at most less than three hours, and at most has up to 85 questions in a mostly multiple-choice format.
The difference here is tremendous. With the PenTest+, you can schedule an afternoon exam time, and on the day of your exam eat your lunch, sneak out of work early, take your test, and still be home in time for dinner. With the OSCP, you need to get a 48 hour supply of food, water, and coffee, arrange an undisturbed, quiet area of your house to take the exam, schedule to take off of work for two days, arrange any notes or resources, verify your internet connection, and tell your family you’ll see them in two days.
The format of these two exams couldn’t be any different as well. With the CompTIA PenTest+, you’ll have up to 85 questions served up, one after another, with a few of them being PBQ, or performance-based questions, and the remainder being multiple choice.
The OSCP is an actual practical lab. You remote VPN into a simulated network environment, the arrangement and topology of which you can’t predict, and then you’ll work to exploit (and document) as many of the devices on the network as possible in the time given. You can use any number of resources to do that, with certain tools being regarded as off-limits.
The OSCP is proctored, where you are monitored remotely via a webcam setup. After the 24-hour exploit session, you then spend the next 24-hours (sleeping somewhere in between if you need) writing up your findings in the precise format that the Offensive Security organization prescribes.
The difference in format isn’t even close to comparison. With the PenTest+, even a person that knows nothing about penetration testing can guess at the multiple-choice questions and get some of them correct by random luck. With the OSCP, if you’re not a skilled penetration tester with strong networking and Linux skills, you won’t even know where to start.
The OSCP is really a strictly penetration testing certification, focusing on the red team aspects of this cybersecurity niche. Through the exam, you are really only tested on your ability to exploit those particular devices which are presented to you.
The PenTest+ from CompTIA is certainly not as deep as the OSCP when it comes to exploiting, but it doesn’t make up for it by going wider into other areas that are important in the field. For example, the PenTest+ will test you on all of the phases of a penetration test, from planning and scoping, information gathering, and reporting, as well as penetration testing tools. Additionally, the format of the PenTest+ exam allows for CompTIA to expand out further than the OSCP can, into areas such as cloud and mobile device exploits, managerial tasks, and vulnerability assessments.
Level of Difficulty
As you’ve probably guessed by now, the level of difficulty is different for these two certifications. While CompTIA calls their PenTest+ an intermediate level exam, some real-life pentesters consider it a good entry-level penetration testing exam. This is different than the OSCP, which CompTIA themselves considers to be an “intermediate/advanced” certification exam.
Don’t underestimate the differences in the level of difficulty between these two exams. While neither exam is easy, in theory, an individual could self-study for the PenTest+ exam and have a shot of passing it, even without having any formal background in penetration testing or having ever worked in a lab environment.
This isn’t the case for the OSCP. With that certification, you’ll need to take the Penetration Testing With Kali course, which comes with a minimum of 30 days of access in Offensive Security’s online lab environment, which was made specifically to help prepare you for the OSCP exam. It is unlikely that someone would be able to pass the OSCP without serious time in this lab environment or some real penetration testing experience. And that isn’t the case with the PenTest+.
The reputation of these two exams is quite different from each other as well. While that’s not exactly fair to the PenTest+ since it is still somewhat new, the PenTest+ isn’t often requested on job postings, and many hiring managers don’t know much about it or know anyone that has earned it. While this will change over time, the OSCP has the benefit of being well known in the pentesting community, and therefore well known by the managers that hire them.
Don’t get me wrong here: The PenTest+ is certainly a great certification to earn. It’s just that the OSCP may open a few more doors for you, or you may have to explain in an interview what the PenTest+ is if you were to run into an interviewer that wasn’t that familiar with it. And that’s okay, but you’ll probably see less of that with the OSCP.
This is probably the most important factor since the point of any certification is to help you get a job or get a better one. We need to ask what these two certifications will do for you. What will the end result be?
I think that in general, it’s unlikely that the PenTest+ alone, with no penetration testing experience, will get you into a true penetration testing job unless it’s entry-level. This may not be true if you’re already working at a company and you have the opportunity to move into a penetration testing job within the same company, since they already know you and the PenTest+ may provide them with enough validation. But otherwise, the PenTest+ doesn’t seem like it would be enough to land you a penetration testing job on it’s own.
With the OSCP, you should be able, without too much difficulty, to land penetration testing interviews and jobs. Employers that hire penetration testers should know enough to know that you have at least a basic penetration testing skillset if you’ve passed the OSCP.
The recertification process is different for these two certifications as well. For the PenTest+, like most other certifications from CompTIA, the certification is good for three years. To maintain it beyond that, you’ll need to go to a higher level certification or complete 60 CEUs during that three-year time frame.
This isn’t a big deal, since it’s so common, especially for CompTIA certifications, but it is different than Offensive Security’s policy for the OSCP. With the OSCP, once you earn it, it is a lifetime certification, meaning that you never need to complete anything in order to maintain it. Even though this is unusual for technology certifications, I like the angle here that Offensive Security seems to be using, which is that if you’re good enough to pass their exam, you’re obviously a professional in the field and will continue to be so.
Which Exam Should You Take?
As I mentioned above, we think highly of both exams and feel both certifications have their place in the cybersecurity field. If you’re a seasoned penetration tester, you already know which one will benefit you the most. And you may already be in a situation where the PenTest+ can be earned fairly easily without much preparation.
If you are not a penetration tester, however, the PenTest+ might help you start to establish that skill set and may help you to start moving in that direction. And it can even benefit existing cybersecurity analysts that typically work in a defensive role because it can help us to understand how the adversary thinks and operates.