CompTIA CySA+ vs. PenTest+: Which Should You Choose?
This article compares the PenTest+ and CySA+, two newer exams now offered by CompTIA. If you are looking for a comparison between the PenTest+ and the more well known Certified Ethical Hacker, including a video review, you can see our article here. If you are not interested in the certifications but instead are interested in learning the topic of penetration testing, you can see our suggested course of study for penetration testing here. Please keep in mind that these certifications are considered intermediate-level and recommend several years of experience. If you are newer to cybersecurity, you should consider these certifications first before you prepare for the CySA+ or PenTest+.
Both the CompTIA Pentest+ and CySA+ are respected and difficult exams in the cybersecurity and IT fields. When you start to look at both certifications, you will notice that their exam objectives, course content, and even recommended tools are either identical or very similar. Because of this, you may be wondering which certification is better for you, and which one you should take. Let’s dive into that now.
Should you take the CompTIA CySA+ or PenTest+? Both certifications are valuable, but those intending to pursue a career as a cybersecurity analyst or engineer should begin with the CompTIA CySA+, while those interested in careers as a penetration tester should focus on the CompTIA PenTest+.
Let’s take a closer look at the pros and cons of each exam to see what exam fits you better.
Exam Difficulty of the CompTIA CySA+ and PenTest+
You can’t really compare the difficulty of these opposite exams (opposite in the sense that the PenTest+ is an offensive-focused certification, while the CySA+ focuses more on defensive and preventative security tactics), as the difficulty of the two exams is very similar and in large part depends on the individual and their specific background. If you want more information on the CySA+ in general, including my full review, you can read my article on that here.
Additionally, it depends on how much study material, lab exercises and software tools you can read, listen to and experiment with. It also depends on how much prior knowledge you have of each subject. For example, if you have a few years of penetration testing experience, the PenTest+ should certainly be easier than the CySA+ because the exam is more in line with your prior knowledge and experience. However, I do want to point out that the exam content overlap is sizable enough that even if you were to go for your CySA+ certification with a few years of penetration testing experience, you would certainly have picked up some knowledge of how to patch vulnerabilities, best practices, and more, which, while learned as a penetration tester, applies to the CySA+ exam. The bottom line regarding exam difficulty is that each exam is as difficult as your background experience (or lack thereof) makes it.
Expected Study Time for the PenTest+ and CySA+
Depending upon your background and experience level, you should expect to study around two months for each exam, give or take 2-3 weeks. I would expect that even seasoned cybersecurity professionals, including dedicated penetration testers and cybersecurity analysts, will still need a reasonable amount of study time to prepare for these exams, just because of the nature of the questioning that CompTIA provides.
Salaries Associated with the PenTest+ and CySA+
When looking at both the CompTIA PenTest+ and CySA+ and how they align to careers in the market right now, you will see that both certifications can grant you a well-paying job (check out our article on cybersecurity demand here for more information). According to payscale.com, the average cybersecurity analyst can expect to make around $76,000 per year, while the average penetration tester can expect to make around $81,000 per year. Of course, this heavily depends on your location, the responsibilities of the specific job, and your experience, but this data does indicate to us that the two positions are similarly valued in the cybersecurity marketplace.
Keep in mind that just as with most certifications, they might not have a direct impact on your salary, but they will give you a step up from other potential employees when applying and may give you a potential bargaining chip if you are requesting a raise.
What is on the CompTIA PenTest+ and CySA+ Exams?
Most certifications will have publicly available exam objectives to help you narrow down your studying. CompTIA is no different; both of their exam objectives are very simple to read and access. The major exam objectives for the CySA+ are threat management, vulnerability management, cyber incident response, and security architecture and toolsets, while the exam objectives for the PenTest+ are planning and scoping, information gathering and vulnerability identification, attacks and exploits, penetration testing tools, and reporting and communication.
What is important to point out here is that while these two certification exams don’t share the same objectives, they share a large amount of background knowledge: to defend you need to know about the attacks you are preventing, and to attack you need to know about the defenses you are up against. For example, when I was reading a book for each exam, each of the books talked about attack types, security controls, policies and procedures and so much more.
Expected Employability for the PenTest+ and CySA+
You also want to make sure that there is a job market out there so that there will be a potential opening for you to fill. The death of many cybersecurity or IT certifications over the years has come from the exam topics becoming less important or valuable in the job market.
The CompTIA CySA+ mainly focuses on the job title of cybersecurity analyst, which is very much an active position, with an expected 28% increase in the number of jobs between 2016 and 2026 according to the U.S. Bureau of Labor Statistics (source). We have a full description of the cybersecurity analyst career path here, which includes interviews. Interestingly, the Bureau of Labor Statistics groups a few other jobs under the title of cybersecurity analyst, including penetration tester.
Which is More Respected: CySA+ or PenTest+?
The amount of respect an exam holds is important when going in for job interviews. This really amounts to the reputation that a certification has built up over time. Of course, the more well-known and respected an exam is, the more weight it holds in the field.
With the PenTest+ being a new exam, it isn’t the most well-known certification yet, but it is still well respected because of the difficulty of the test and because it includes a few hands-on simulations, as in other CompTIA exams. If you earn the PenTest+, you very well may be the first applicant that an employer sees with that certification, but that doesn’t mean the certification won’t help you connect with that employer. CompTIA’s backing of the PenTest+ is really helpful in building respect for the certification.
The CompTIA CySA+ has been around for just over a year longer than the PenTest+ and is a well-respected, vendor-neutral certification amongst the blue team (meaning those in a defensive role). The CySA+ is also an approved DoD 8570 baseline certification, while the PenTest+, as of this writing, is still waiting to hear back from the DoD.
CompTIA stated that they expect to hear back in the spring of 2019, but I have been unable to find anything saying whether it has been approved or denied, so I would double-check this if you are researching which exam to take and DoD approval is important to you or your career track.
Requirements for the PenTest+ and CySA+
Most exams you take will recommend a minimum amount of training and/or work experience before you should attempt the exam (you can see our recommended resources for the CySA+ here, and we’ve covered our favorite PenTest+ resources in this article). Usually, that is the bare minimum you should have to even think of attempting some of these exams. CompTIA recommends that you have a minimum of 3-4 years of hands-on information security or related experience for each exam. They also recommend that you have the Network+ and Security+ certifications or equivalent knowledge to feel semi-comfortable with the exam material. Take this information to mean that CompTIA is attempting to position these exams as equals, with just different focuses.
Recertification Process for the PenTest+ and CySA+
Most certifications will have an “expiration date” after which your certification is no longer valid. CompTIA has stated that both exams are valid for three years each. Importantly, you will have to renew each of them separately (assuming you earn them both) unless you decide to advance to a higher certification and earn the CompTIA Advanced Security Practitioner (CASP+) certification while your first exams are still valid. To renew each exam, you will have to earn at least 60 Continuing Education Units (CEUs) in the three years after you passed it.
When looking at exams, you tend to look at how much the exam will cost you. Both the CySA+ and the PenTest+ are priced about average compared to other cyber certifications. Currently, both exams cost $349 each for just the exam voucher, but each also has two bundles. The deluxe bundle includes the exam voucher, CertMaster practice, and the official CompTIA study guide eBook and will cost you $649. For the premier bundle, you get everything in the deluxe bundle as well as an exam voucher retake, but it will cost you 4799. Please note that you may be able to get a discount on some of these voucher costs if you are taking a training course or qualify for a student discount. Do your homework before you buy.
Should You Do the PenTest+ or the CySA+ After the Security+?
Hopefully, you’re planning on one of these exams after you’ve successfully earned the CompTIA Security+ (if you don’t have the Security+ yet, we explain why you need it here). If so, I would recommend taking either of these exams to help build on the knowledge you learned from the CompTIA Security+ exam. Both are great exams to have from the knowledge and employability standpoints. Regardless, I believe that you should definitely take at least one if you are looking to further advance your knowledge and skill set, especially since the Security+ is becoming a more common certification among professionals, and you’ll need something additional to differentiate yourself.
Which of these certifications you should take depends on what you know, what you want to know, and what job you want (if you’re not sure, you can learn more about cybersecurity career paths here). I would recommend taking both exams, however. The knowledge you gain from one exam is enhanced by the other, and what the CySA+ lacks, the PenTest+ usually ends up filling in for you. To be good at either side of network security, you need to know about the other. To be good at cyber defense, you need to understand the attacks that hackers could use to exploit your systems. To be good at penetration testing, you need to understand the potential exploits for vulnerabilities and what defensive mechanisms may be in place against them. Both exams, and more importantly the knowledge that is covered on both exams, are a great benefit to your career.
What is a penetration tester? A penetration tester is someone who performs an offensive security test against a system in an attempt to assess vulnerabilities that a system may have. These tests are done to meet regulatory requirements in some cases, but also provide a preemptive attempt to thwart hacking attempts and security breaches. You can learn about the career of penetration testing, including interviews with penetration testers, here.