Compare the PenTest+ and OSCP
Many people are curious about the CompTIA PenTest+ and how it compares to better-known penetration testing certifications like the Offensive Security OSCP. It’s sometimes easier to talk about how these certifications don’t compare, since they’re so distinct, and that is absolutely the case with the PenTest+ and the OSCP. In this essay, I’ll show you seven reasons that these two qualifications aren’t even close to being comparable.
Why Can’t the OSCP and PenTest+ Be Compared?
The OSCP and PenTest+ are both based on penetration testing and ethical hacking, and both are well worth the time and work it takes to earn them, but that’s where the similarities end. Here are seven of the most significant differences between them.
If you’ve done any research on the Offensive Security Certified Professional (OSCP), one thing that stands out is the exam length. The OSCP is a 48-hour exam that you can take from home: you’ll be tasked with hacking into a number of devices over the course of 24 hours, then writing up a report on your findings over the next 24 hours.
The CompTIA PenTest+, by contrast, is a much shorter exam. It lasts no more than three hours and has up to 85 questions in a primarily multiple-choice format.
There is a huge difference here. With the PenTest+, you can schedule an afternoon exam, have your lunch, sneak out of work early, take your test, and still be home in time for dinner on the day of your exam. With the OSCP, you’ll need to prepare a 48-hour supply of food, water, and coffee, find a peaceful, undisturbed place in your house to take the exam, plan two days off work, gather any notes or resources, check your internet connection, and inform your family that you’ll see them in two days.
The format of these two exams could hardly be more dissimilar. With the CompTIA PenTest+, you’ll be presented with up to 85 questions, one after the other, some of which will be PBQs (performance-based questions), and the rest will be multiple choice.
The OSCP is a real-life laboratory. You’ll remote VPN into a simulated network environment whose configuration and topology you can’t foresee, and then work to exploit (and record) as many of the network’s devices as possible in the time allotted. You can do this using a variety of resources, with some tools considered off-limits.
The OSCP is proctored, which means you’ll be watched over the internet via a webcam. After the 24-hour exploitation session, you spend the next 24 hours (sleeping in between if necessary) writing up your findings in the report format prescribed by Offensive Security.
The two formats aren’t even close to being comparable. Even someone who understands nothing about penetration testing can guess at the PenTest+’s multiple-choice questions and get some of them right by chance. If you aren’t a skilled penetration tester with good networking and Linux expertise, you won’t know where to begin with the OSCP.
The OSCP is primarily a penetration testing certification that focuses on the red team side of cybersecurity. Throughout the exam, you are mostly assessed on your ability to exploit the devices that are presented to you.
When it comes to exploitation, the CompTIA PenTest+ isn’t as comprehensive as the OSCP, but it makes up for that by covering more ground in other areas that are crucial in the industry. The PenTest+, for example, takes you through all phases of a penetration test, including planning and scoping, information gathering, and reporting, as well as penetration testing tools. Furthermore, the PenTest+ exam format allows CompTIA to go beyond the OSCP in areas like cloud and mobile device exploits, administrative responsibilities, and vulnerability assessments, none of which are covered by the OSCP.
As you may have anticipated, the level of difficulty for these two certifications differs. While CompTIA labels its PenTest+ an intermediate-level certification, some real-world penetration testers consider it a decent entry-level exam. The OSCP, on the other hand, is classified as an “intermediate/advanced” certification exam by CompTIA.
Don’t be fooled by the similar difficulty labels on these two examinations. While neither exam is easy, an individual with no formal background in penetration testing and no experience working in a lab environment could theoretically self-study for the PenTest+ exam and pass it.
The OSCP is a different story. You’ll need to take the Penetration Testing With Kali course, which includes at least 30 days of access to Offensive Security’s online lab environment, created specifically to help you prepare for the OSCP exam. It’s unlikely that someone who hasn’t spent a lot of time in this lab, or hasn’t done any genuine penetration testing, will be able to pass the OSCP. That simply isn’t true of the PenTest+.
The reputations of these two tests are also fairly distinct. While this isn’t entirely fair to the PenTest+, because it is still relatively new, it isn’t frequently requested in job listings, and many hiring managers have no knowledge of it or don’t know anyone who has earned it. While this may change in the future, the OSCP has the advantage of being well-known in the pentesting community, and thus well-known to hiring managers.
Don’t get me wrong: the PenTest+ is an excellent certification to achieve. It’s simply that the OSCP might open a few more doors for you, or you might have to explain what the PenTest+ is in an interview if you run into someone who isn’t familiar with it. That’s OK, but with the OSCP, you’ll probably see less of it.
This is perhaps the most crucial factor, as the goal of any certification is to help you land a job or advance in your current one. So we have to ask what each of these two qualifications will actually do for you. What will the final outcome be?
In general, I believe that unless you have prior penetration testing expertise, the PenTest+ alone will not get you into a legitimate penetration testing job unless it is entry-level. This may not be the case if you’re currently employed and have the possibility to transfer into a penetration testing position within the same organisation, since they will already be familiar with you and the PenTest+ may give sufficient validation. However, the PenTest+ does not appear to be sufficient in and of itself to secure you a penetration testing job.
With the OSCP, you should be able to secure penetration testing interviews and positions with relative ease. Employers who hire penetration testers should be aware that if you pass the OSCP, you have at least a basic penetration testing skill set.
The recertification process for these two credentials is also distinct. The PenTest+ certification, like most other CompTIA certifications, is valid for three years. To keep it after that, you’ll need to upgrade to a higher level of certification or earn 60 CEUs over the three-year period.
This isn’t a big deal, since recertification is common, especially with CompTIA certifications, but Offensive Security’s OSCP policy is different. Once you’ve earned the OSCP, it’s a lifetime certification, which means you’ll never have to do anything to keep it current. Although this is unusual for technology credentials, I like the approach Offensive Security appears to be taking here: if you pass their exam, you’re clearly a professional in the industry and will remain one.
Which Exam Should You Take?
As I previously stated, I hold both examinations in high regard, and I believe both certifications have a place in the cybersecurity profession. If you’re a seasoned penetration tester, you already know which one will benefit you the most. And you might already be in a position where the PenTest+ can be earned quickly and with little effort.
If you’re not already a penetration tester, the PenTest+ may be able to assist you in establishing that skill set and advancing in that direction. It can also help existing cybersecurity analysts who normally work in a defensive role to better understand how the enemy thinks and operates.