Top 10 Hacking Certifications

The hardest ethical hacking certifications are, in descending order, Offensive Security Exploitation Expert, Offensive Security Certified Expert 3, and GIAC Exploit Researcher and Advanced Penetration Tester. That is according to our VP of Hacking, who's got over 20 years of experience in cybersecurity and holds more than 25 certifications. In this blog post, we briefly describe not only those three but the top 10 hardest certifications.

We kick off this list with the only certification in it that mainly puts to the test your use of a specific toolset. BSCP by PortSwigger's Web Security Academy demands a skilled use of Burp Suite Professional to find and exploit vulnerabilities. Apart from the certification, the Academy offers free online material and labs.

The BSCP exam requires working up to four hours to analyze two web applications and identify and leverage vulnerabilities such as XSS, SQL injection and SSRF. It's a good thing that an official practice exam is readily available, since the actual thing requires flawless execution in very limited time. Even seasoned pen testers may fail several times.

eCPPT is awarded after correctly providing proof of the weaknesses in a corporate network plus a thorough penetration testing report. The latter must include recommendations to strengthen that network. Targets in the exam include web applications and Windows and Linux systems.

Some holders of eCPPT have commented on the lack of Active Directory in this certification, along with current trends. It would benefit from a revamp. On the bright side, holders may agree (e.g., here and here) that the material in the training perfectly prepares you for the exam, and they definitely recommend going for it. Other remarkable features are that you are given plenty of time to complete practice and reporting (7 days deadline for each), and that the experience is quite realistic.

A bonus point is eCPPT is listed as one of the certifications that in Europe attest for the quality of red teaming providers. So, if you're planning to work in Europe, eCPPT is a good credential to boost your employability.

OffSec is arguably the top hacking certification issuer, as both the entries in number 1 and 2 in this list are by it. Its OSCP certification is awarded after completion of the course Penetration Testing with Kali Linux and a 24-hour exam. We have mentioned OSCP elsewhere as one of the certifications to earn so you can advance your skills and show employers your commitment to hacking.

Your goal in the OSCP exam is to gain admin access to the machines in the network. In a previous post, apart from a critique of CEH certifications, you can find some features of OSCP, its difficulty among them. It demands a strong knowledge of tools to perform scanning, enumeration and privilege escalation. Skill in writing reports with sufficient evidence also goes a long way.

With the 7th place we introduce another leading hacking certification issuer: Altered Security (formerly, Pentester Academy). They mainly offer certifications on red teaming. And, according to information in their website, they have trained more than 10,000 individuals in over 400 organizations. Among their clients, they list the DOJ and the NSA.

CRTE focuses on understanding and exploiting threats to Windows Active Directory. Your goal in the lab would be to abuse domain features to go from a non-admin user account in the domain to admin of multiple forests. The 48-hour exam requires you to enumerate an unknown Windows environment and carefully construct attack paths. A former member of our hacking team has highlighted this objective as a difference between CRTE and OSCP. Namely, the latter focuses on looking for public vulnerabilities while CRTE focuses on (often overlooked) misconfigurations in components of an active directory.

The CRTM bundles cost more than those for CRTE, starting at USD 399 up to 749 at the time of this writing.

Our VP of Hacking, Andres Roldan, has posted a review of Red Team Lead with much detail (and given some tips for the exam). Therefore, we will be brief here.

The issuer is Zero-Point Security, who offers red teaming and programming courses. The course leading up to Red Team Lead is Red Team Ops II, which focuses on advanced tactics, such as bypassing modern enterprise Windows endpoint controls.

We had anticipated another certification by INE Security in this top 10. It is the hardest web application pentesting certification offered by this issuer.

To complete eWPTX you must use advanced methodologies and have skill in creating exploits that modern tools couldn't fathom. (One account by one eWPTX holder says that scanners could't even find the vulnerabilities.) Moreover, the issuer puts once again great emphasis on the quality of the pentesting report.

One review recommends training hard to treat those weak spots you may have in "Java Deserialization RCEs, Server Side Template Injections, PHP Object Injections, advanced SQLmap usage or the ability to chain vulnerabilities together." Then it goes on to list free resources to get better on the mentioned, plus more, vulnerabilities. As with eCPPT, you are given 7 days to complete the exam and another 7 for reporting.

On the downside, some people who have taken it have reported (e.g., here, here and here) that the exam may be "full of bugs" and not work correctly, which can be perplexing. You will find the general advice to reset the environment when things seem to not be working.

GXPN is all about being able to write and customize attack tools to help you leverage vulnerabilities in Windows and Linux. The targets are several, including network access control systems, memory management and cryptographic implementations.

The material for the exam is diverse and complex, so you have to be quite organized to properly study all of it. The exam, as can be previewed in the much recommended practice tests, requires that you possess a polished time management strategy. You need to distribute your very limited time (3 hours) between the theoretical questions and the hands-on questions and think about what to speed up.

One of the required certifications is OffSec Experienced Penetration Tester (OSEP). The goal is to bypass security mechanisms designed to block attacks in Windows and Linux. It may be considered as the step that follows having earned OSCP.

Another required certification is OffSec Web Expert (OSWE). This one requires exploiting front-facing web applications. You have to prove your skill in manually analyzing decompiled source code, finding flaws that scanners cannot find, combining logical vulnerabilities to create a proof of concept, etc.

And the third required certification is OffSec Exploit Developer (OSED). It requires writing Windows shellcode and other custom exploits. Moreover, as one holder's account says, you would need to be comfortable with 32-bit assembly code and reverse engineering.

By earning all three certifications you earn OSCE3 automatically.

OSCE3 was created after retiring the OSCE certification, which almost three years ago we had placed as second only to the one that is first in this very list.

As we had anticipated, the first place goes to OSEE. Our VP of Hacking said of the course leading up to this certification that it is "the most advanced, difficult and insane Windows exploitation training on the market." As for the 72-hour exam, he qualified it as "grueling." To read his review, go to his blog post "OSEE, an Unexpected Journey."

The course teaches you how to perform a full chain exploit and involves, in the words of Roldan, "using mind-blowing techniques." The tips to succeed include reading the material front and back, completing as many of each modules' extra miles as you can, repeating the above over again, and joining the OffSec Discord server to enjoy some support from the community and the OffSec personnel. To learn about the topics in the course, check the review.

Fluid Attacks' hacking team has earned all these certifications. If you're here to find out what our team can be capable of to help you secure your software through our Continuous Hacking Advanced plan, we hope this post has been useful. If you have any questions, contact us.