This is my first posting here but I do feel the need to pitch in a bit on this topic to share my experience on pentesting and those certs.
After I did my CEH & ECSA certifications, I did find that opportunities in IT Sec opened up for me.
Got my first pentesting job because of the certs (the client wanted pentesters with a CEH) ... though it didn't prepare me enough for the real-life pentest situation.
I can't really disclose the details (signed an NDA) but my team and I had to pentest more than 50 servers for an organization, and though the certs did give tools and methodology on pentesting, I had to read and learn and learn and learn on my own ... especially when it came to report writing. After 5 hectic 10-hour days of pentesting plus another 5 days for report-writing, thankfully we managed to complete the pentest...
The experience was excellent though because it was real-life, not a lab and definitely not answering multiple choice. Had to do the whole drill - war driving, black-box pentesting, social engineering, testing & mapping the network, pwning the servers ... even to the point of DoSing 3 of them, though thankfully they weren't critical services.
So is it enough to have the 2 certs? Not really. After completing the certs, it's best to continue learning and reading up on security, latest vulnerabilities, new exploits, zero-days, etc ...
I consider the certs as a foundation to IT Sec and will continue to learn ... whether the learning will lead to another certification or more practical experience ... it doesn't matter. The important thing is, you continue to update your knowledge.
Pentesting of course is not just pentesting servers, some clients might want you to test their websites, web applications, their mobile apps ... so be prepared ... no two pentests are the same ... which is what makes it thrilling ...
So my advice to the OP, yeah go get your certs ... but don't stop learning. You can't be a pentester by answering multiple choice questions only.
You've got to actually DO the pentest ... if you're given a small pentest job to start with, even if it's testing the security of your friend's new app ... go for it ... do it, learn from it ... and you'll get better and be ready for the next pentest job.
So what's next for me?
Maybe get one of those cloud security certs and of course, the coveted OSCP.
I hack the phish, phryed and c9f0f895fb98ab9159f51fd0297e236d it.