| 8 min read
Table of contents
The hardest ethical hacking certifications are, in descending order, Offensive Security Exploitation Expert, Offensive Security Certified Expert 3, and GIAC Exploit Researcher and Advanced Penetration Tester. That is according to our VP of Hacking, who's got over 20 years of experience in cybersecurity and holds more than 25 certifications. In this blog post, we briefly describe not only those three but the top 10 hardest certifications.
10 - Burp Suite Certified Practitioner (BSCP)
We kick off this list with the only certification in it that mainly puts to the test your use of a specific toolset. BSCP by PortSwigger's Web Security Academy demands a skilled use of Burp Suite Professional to find and exploit vulnerabilities. Apart from the certification, the Academy offers free online material and labs.
The BSCP exam requires working up to four hours to analyze two web applications and identify and leverage vulnerabilities such as XSS, SQL injection and SSRF. It's a good thing that an official practice exam is readily available, since the actual thing requires flawless execution in very limited time. Even seasoned pen testers may fail several times.
Common comments about BSCP are that the free training material is very useful, thorough and organized.
Costing only USD 99 at the time of this writing, BSCP is available for an affordable price. You do need to have a Burp Suite Professional subscription though, and that is USD 449 a year.
9 - Certified Professional Penetration Tester (eCPPT)
This is a certification by INE Security, formerly eLearnSecurity (thus the lowercase "e" in their offerings' names), one of the top certifying companies. This issuer boasts a varied repertoire of practical training and exams, which include those enabling the achievement of an entry-level certification (eJPT) and of one that is harder (eWPTX) than this one in spot 9.
eCPPT is awarded after correctly providing proof of the weaknesses in a corporate network plus a thorough penetration testing report. The latter must include recommendations to strengthen that network. Targets in the exam include web applications and Windows and Linux systems.
Some holders of eCPPT have commented on the lack of Active Directory in this certification, along with current trends. It would benefit from a revamp. On the bright side, holders may agree (e.g., here and here) that the material in the training perfectly prepares you for the exam, and they definitely recommend going for it. Other remarkable features are that you are given plenty of time to complete practice and reporting (7 days deadline for each), and that the experience is quite realistic.
A bonus point is eCPPT is listed as one of the certifications that in Europe attest for the quality of red teaming providers. So, if you're planning to work in Europe, eCPPT is a good credential to boost your employability.
The cost of eCPPT was USD 400 at the time of this writing.
8 - Offensive Security Certified Professional (OSCP)
OffSec is arguably the top hacking certification issuer, as both the entries in number 1 and 2 in this list are by it. Its OSCP certification is awarded after completion of the course Penetration Testing with Kali Linux and a 24-hour exam. We have mentioned OSCP elsewhere as one of the certifications to earn so you can advance your skills and show employers your commitment to hacking.
Your goal in the OSCP exam is to gain admin access to the machines in the network. In a previous post, apart from a critique of CEH certifications, you can find some features of OSCP, its difficulty among them. It demands a strong knowledge of tools to perform scanning, enumeration and privilege escalation. Skill in writing reports with sufficient evidence also goes a long way.
OSCP's price is a bit higher than average at USD 1,649 at the time of this writing.
7 - Certified Red Team Expert (CRTE)
With the 7th place we introduce another leading hacking certification issuer: Altered Security (formerly, Pentester Academy). They mainly offer certifications on red teaming. And, according to information in their website, they have trained more than 10,000 individuals in over 400 organizations. Among their clients, they list the DOJ and the NSA.
CRTE focuses on understanding and exploiting threats to Windows Active Directory. Your goal in the lab would be to abuse domain features to go from a non-admin user account in the domain to admin of multiple forests. The 48-hour exam requires you to enumerate an unknown Windows environment and carefully construct attack paths. A former member of our hacking team has highlighted this objective as a difference between CRTE and OSCP. Namely, the latter focuses on looking for public vulnerabilities while CRTE focuses on (often overlooked) misconfigurations in components of an active directory.
At the time of this writing, the price of CRTE bundles that include one exam attempt, access to materials that doesn't expire and temporary lab access ranged from USD 299 to 699. The figure depends on the length of lab access.
6 - Certified Red Team Master (CRTM)
This is another certification by Altered Security. Its lab presents a simulation of a financial institution's network where you have to bypass many recommended defense mechanisms (e.g., LAPS, WDAC, ASR, CLM). The 48-hour exam does not only involve attacking but also defending. You have to compromise multiple forests trying not to raise alerts. And you have to apply security controls or best practices to a forest where you have full access from the start. Plus, you must hand in all evidence of your work in a detailed report.
The CRTM bundles cost more than those for CRTE, starting at USD 399 up to 749 at the time of this writing.
5 - Red Team Lead
Our VP of Hacking, Andres Roldan, has posted a review of Red Team Lead with much detail (and given some tips for the exam). Therefore, we will be brief here.
The issuer is Zero-Point Security, who offers red teaming and programming courses. The course leading up to Red Team Lead is Red Team Ops II, which focuses on advanced tactics, such as bypassing modern enterprise Windows endpoint controls.
This certification sets itself apart from others with its chapters on attack surface reduction and application control on Windows Defender. The exam requires you to obtain at least five out of six flags on a given set of machines of an AD environment (the number of flags and passing criteria have changed since the time of the review). You have eight days to complete it and may not spend more than 96 hours on it (the time also increased since the review). This one does not ask for a report.
Red Team Lead demands lots of skill, as the review points out, not only on defense evasion and advanced OPSEC tactics, but also "AD enumeration, pivoting, lateral movement, user impersonation, Kerberos attacks, [...] and [...] using Cobalt Strike." Tips to have in mind are to concentrate a great effort in enumeration and reconnaissance in your performance and practice hard in the lab, among others.
At the time of this writing, the course Red Team Ops II costs £399 (around USD 500). Options with lab time go from £429 (USD 538) to £489 (USD 613). All options, even just the course, come with one free exam attempt.
4 - Web application Penetration Tester eXtreme (eWPTX)
We had anticipated another certification by INE Security in this top 10. It is the hardest web application pentesting certification offered by this issuer.
To complete eWPTX you must use advanced methodologies and have skill in creating exploits that modern tools couldn't fathom. (One account by one eWPTX holder says that scanners could't even find the vulnerabilities.) Moreover, the issuer puts once again great emphasis on the quality of the pentesting report.
One review recommends training hard to treat those weak spots you may have in "Java Deserialization RCEs, Server Side Template Injections, PHP Object Injections, advanced SQLmap usage or the ability to chain vulnerabilities together." Then it goes on to list free resources to get better on the mentioned, plus more, vulnerabilities. As with eCPPT, you are given 7 days to complete the exam and another 7 for reporting.
On the downside, some people who have taken it have reported (e.g., here, here and here) that the exam may be "full of bugs" and not work correctly, which can be perplexing. You will find the general advice to reset the environment when things seem to not be working.
eWPTX cost USD 400 at the time of this writing.
3 - GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
Finally we enter the top 3. This certification is the creation of GIAC Certifications (formerly, Global Information Assurance Certification). That is, the certification body founded in 1999 by the prestigious SANS Institute known as the pioneer in technical InfoSec certifications. Notably, it has issued around 174,000 certifications.
GXPN is all about being able to write and customize attack tools to help you leverage vulnerabilities in Windows and Linux. The targets are several, including network access control systems, memory management and cryptographic implementations.
The material for the exam is diverse and complex, so you have to be quite organized to properly study all of it. The exam, as can be previewed in the much recommended practice tests, requires that you possess a polished time management strategy. You need to distribute your very limited time (3 hours) between the theoretical questions and the hands-on questions and think about what to speed up.
The cost of GXPN approached the upper registry at USD 1,299 at the time of this writing.
2 - Offensive Security Certified Expert 3 (OSCE3)
In second place is a certification that actually requires you to get three certifications by OffSec. You may think this is kind of a cheat on our side, cramming them all in a single place. But it kinda isn't. Think of it as a certification requiring success in three expert-level exams (each taking up to 48 hours).
One of the required certifications is OffSec Experienced Penetration Tester (OSEP). The goal is to bypass security mechanisms designed to block attacks in Windows and Linux. It may be considered as the step that follows having earned OSCP.
Another required certification is OffSec Web Expert (OSWE). This one requires exploiting front-facing web applications. You have to prove your skill in manually analyzing decompiled source code, finding flaws that scanners cannot find, combining logical vulnerabilities to create a proof of concept, etc.
And the third required certification is OffSec Exploit Developer (OSED). It requires writing Windows shellcode and other custom exploits. Moreover, as one holder's account says, you would need to be comfortable with 32-bit assembly code and reverse engineering.
By earning all three certifications you earn OSCE3 automatically.
OSCE3 was created after retiring the OSCE certification, which almost three years ago we had placed as second only to the one that is first in this very list.
Each of these certifications with their corresponding courses have a price of USD 1,649. This can easily be the second most expensive certification of this top 10.
1 - OffSec Exploitation Expert (OSEE)
As we had anticipated, the first place goes to OSEE. Our VP of Hacking said of the course leading up to this certification that it is "the most advanced, difficult and insane Windows exploitation training on the market." As for the 72-hour exam, he qualified it as "grueling." To read his review, go to his blog post "OSEE, an Unexpected Journey."
The course teaches you how to perform a full chain exploit and involves, in the words of Roldan, "using mind-blowing techniques." The tips to succeed include reading the material front and back, completing as many of each modules' extra miles as you can, repeating the above over again, and joining the OffSec Discord server to enjoy some support from the community and the OffSec personnel. To learn about the topics in the course, check the review.
The OSEE exam requires you to complete two challenges: escape a sandbox and exploit Windows Kernel. Then, you have 24 hours to upload a report. As argued in the review, the challenges appropriately address the course material and the time given to complete them is enough. If there's some criticism, it's that the current Windows OS versions may protect against the techniques learnt in the course, and therefore it's up to you to find out how to exploit these versions out of the course.
The Advanced Windows Exploitation course at Black Hat Middle East and Africa was USD 12,375, and in London it cost £9,385 (around USD 11,794) at the time of this writing. That's a lot! But according to Roldan, what you learn during the course "is worth every penny."
Fluid Attacks' hacking team has earned all these certifications. If you're here to find out what our team can be capable of to help you secure your software through our Continuous Hacking Advanced plan, we hope this post has been useful. If you have any questions, contact us.
Table of contents
Share
Recommended blog posts
You might be interested in the following related posts.
Challenges, threats, and best practices for retailers
Be more secure by increasing trust in your software
How it works and how it improves your security posture
Sophisticated web-based attacks and proactive measures
The importance of API security in this app-driven world
Protecting your cloud-based apps from cyber threats
Details on this trend and related data privacy concerns