Certifications you need to have in order to be a Pen Tester.

[Root]

I want to be a Penetration tester, but I don't know much about all the certifications that you can get.

If anyone could make a "list" of the certifications that you need in order to become a Penetration tester, I would be very glad.

Like what certifications to take first and so on. 1,2,3 etc.

My experience:
I started my hacking "hobbies" on Hackforums.net back in 2009. There I learned all the basic App injections. There's not much to come for on that site.

I've been trough the CEHv7 material. It was kinda basic in my option.

Well, I hope that someone can help me a little, just to get started.

Regards,
-Root.

[ajohnson]

You don't need certs to be a pen tester, but they do help you differentiate yourself from other applicants when looking for a job.

Offensive Security and SANS both have reputable certifications. OSCP and GPEN would be good starting places from Offensive Security and SANS, respectively. They both have more niche and advanced certifications related to pen testing, but those are the staples. eLearn's eCPPT is a nice bridge between CEH and OSCP if you feel that the OSCP material might be too advanced for you.

CEH is a bit fluffy, but it is nice to have since it one of the more well-known ethical hacking/pen testing certs.

The CISSP is another one that's more of a personal marketing certification and not related to pen testing, but it is often expected/required for more advanced infosec roles.

Sil's put together a fairly comprehensive list of infosec certs here: http://infiltrated.net/TechnicalSecurityRoadmap.html That may be a bit overwhelming if you're not familiar with many of them, but it will at least give you a starting point for research.

eCPPT or OSCP will probably be the next best step for you, unless you have a budget large enough for a SANS course/cert.

Welcome to the forums, and let us know if you have any other questions.

[Root]

Thank you very much.
The information that you gave me was very helpful.
And the link, it's a great help.

Regards
-Root.

[MaXe]

In the Asian region of the world, you will often need to be CEH certified. In the UK (England), you will need to be CREST and/or CHECK certified (sometimes both), and in Australia, you will need CREST in the near future if the current situation here evolves.

In all countries, depending on the security level of your work, you may be required to be cleared for e.g. "SECRET" or "TOP SECRET", such as when you are working for the police, the military and federal agencies.

If you go to another country, there will most likely be certain jobs you cannot do which requires certain security clearances, as they often require you to be a citizen of that country and thus, hold a citizenship in that country.

Note: Some job offers, requires or asks for CISSP, but it is not a "requirement" for the actual job being performed, as CISSP won't prove whether you are a penetration tester or not. (Some CISSP and CEH certified professionals, actually remove these certifications from their CV's as the reputation can easily taint your image.)

[ambient]

In the Asian region of the world, you will often need to be CEH certified. In the UK (England), you will need to be CREST and/or CHECK certified (sometimes both), and in Australia, you will need CREST in the near future if the current situation here evolves.

In the Asian region, the qualification which is often referred to is C|EH, but it's not mandatory. SANS or OSCP is not well known for HR. In several countries, you need to be their citizens as a prerequisite.   

[MaXe]

In the Asian region of the world, you will often need to be CEH certified. In the UK (England), you will need to be CREST and/or CHECK certified (sometimes both), and in Australia, you will need CREST in the near future if the current situation here evolves.

In the Asian region, the qualification which is often referred to is C|EH, but it's not mandatory. SANS or OSCP is not well known for HR. In several countries, you need to be their citizens as a prerequisite.  

CEH in common tongue however, is often removed from resumes by most serious penetration testers in developed Information Security countries such as Australia, England and USA, as it is frowned upon in the more serious infosec community. Some of my colleagues are "CEH" because they needed it to get the jobs they had, in e.g. India and other countries nearby. As they don't need to display it, they removed it from their LinkedIn profiles, as it is still seen as a joke (no offence intended) to many people.

So it may not be mandatory where you are currently located and working, but from what I heard from my colleagues that travelled and worked in most of the countries in the Asian region, they needed the certification, even though they didn't want it. (They would rather obtain Offensive Security certifications, which are less recognized in especially undeveloped information security countries, but also "SANS certifications" as well. (Actually it's GIAC providing certifications, as SANS only provides) courses.)

[Andrew Waite]

Not wanting to hi-jack the thread but I'm not sure I understand the logic behind removing certifications from CV's or LinedIn. I've achieved more respected and advanced certifications since gaining C|EH, but C|EH still holds a mention on my resume.

Regardless of opinions of particular certs, surely having a questionable (in some people's eyes, discussion for another thread) cert like C|EH is still better than an empty space in it's place?

Admittedly I sat C|EH with it's reputation in mind as a way to bypass HR filters rather than 'prove' technical capabilities, but I still sat the cert for a purpose. If you're not going to display a cert, why take in the first place?

To answer Root's original question: you don't necessarily need certs to to be a pentester, but if you want to find work you will likely need to be able to by-pass HR filters and pass minimum requirements in particular industries. Using the UK as an example, C|EH can often achieve the first, with CREST/CHECK providing the second (as MaXe has already stated). YMWV depending on location/business sector though.

[Root]

Thank you for all the great comments.

Well, my plan is to make a company myself, penetration testing company.

I live in the Faroe Islands. It's right between Iceland and England.
Only 50.000 people live there.

So, I don't really need a certification, right?

[MaXe]

Thank you for all the great comments.

Well, my plan is to make a company myself, penetration testing company.

I live in the Faroe Islands. It's right between Iceland and England.
Only 50.000 people live there.

So, I don't really need a certification, right?

You don't need any information security certifications there, you just need to make sure you don't get into any legal trouble. For (some or all) PCI assessments you need insurance though. But that's not really penetration testing though.

I know where it is as one of my best friends is from there, plus I am from Denmark as well  

As the Faroe Islands and the rest of Scandinavia is not _that_ evolved in information security, you may find it hard to find clients in those countries as the big companies are already selling to those that actually wants to buy information security services. A lot of the companies in Denmark doesn't get external penetration tests done, as they haven't been hacked yet, so why should they? Insanity at high level  

Anyway, you can still create a penetration testing company and get clients in almost any country if you just meet their legal requirements if there is any, and if you are good at selling your services.

Keep in mind, that if you are going to do this alone, you will have to spend a lot of time on sales, management, etc., over penetration testing and the most important but also less interesting, reporting.  

Not wanting to hi-jack the thread but I'm not sure I understand the logic behind removing certifications from CV's or LinedIn. I've achieved more respected and advanced certifications since gaining C|EH, but C|EH still holds a mention on my resume.

Regardless of opinions of particular certs, surely having a questionable (in some people's eyes, discussion for another thread) cert like C|EH is still better than an empty space in it's place?

I would say it depends on the company you are applying at, if you only got CEH, and it's a highly technical and very serious company, they might think you're joking. No offence intended.

[Andrew Waite]

Regardless of opinions of particular certs, surely having a questionable (in some people's eyes, discussion for another thread) cert like C|EH is still better than an empty space in it's place?

I would say it depends on the company you are applying at, if you only got CEH, and it's a highly technical and very serious company, they might think you're joking. No offence intended.

If you've not got the certs/experience/skills for any position, your application won't be successful, that's true of any industry. What I don't understand is people that have C|EH and higher/more advanced certifications dropping C|EH.

At a minimum it shows your development path to get to where you are now. All else being equal I'd hire a CHECK/CREST and C|EH applicant over 'just' a CHECK/CREST applicant.

Root, as Maxe states be aware of non-technical workload if working alone. A general truism for consultancy type roles seems to be 1/3 of your time chasing new work, 1/3 doing admin/paperwork and a 1/3 actual billable work. Just make sure you work the excess into your billable prices Good luck