Top 16 OffSec, pen-testing, and ethical hacking certifications

Posted on by

Red team careers are in high demand, with companies seeking professionals skilled in penetration testing, offensive security (OffSec), and ethical hacking.

To stand out in a competitive job market, cybersecurity professionals should consider earning certifications that validate their expertise.

Here’s a look at the top certifications for offensive security today, along with advice on how to choose which certification path is right for you.

How to know which OffSec certification to pursue

While factors like brand recognition and cost are always important, professionals should also evaluate certifications based on three criteria that directly impact their learning experience and career growth.

Experiential learning 

Offensive security can’t be fully mastered through lectures alone. Candidates need hands-on training in lab environments to develop practical skills. Ideally, certification exams should include a practical assessment, such as developing an exploit to compromise a system.

Because individuals learn OffSec techniques, such as penetration testing, in different ways, the most effective certifications offer multiple instructional formats, including instructor-led remote, in-person training, and on-demand videos. Courses should also provide robust resources — again preferably hands-on — such as technical challenges to reinforce learning.

Breadth versus depth

Some certifications cover multiple attack vectors, such as CompTIA PenTest+, which spans cloud security, IoT, and traditional networks. Others are more specialized — for example, Certified Red Team Expert is dedicated to compromising Windows environments, including Active Directory.

There’s no one-size-fits-all approach. Early-career professionals may benefit from a broad certification before specializing, but some may prefer to focus on a specific technology or vendor early on. Offensive security professionals should take an intentional approach, selecting certifications that align with their long-term career goals.

Future-proofing your OffSec skills

Information technology evolves rapidly — and offensive security moves even faster. Because of this, OffSec professionals should carefully evaluate certification syllabi to ensure they cover the latest attack vectors, emerging threats, and advanced offensive security techniques. They should also consider how frequently a certification updates its content to stay relevant.

Another key factor is certification longevity. Some certifications, such as Mobile Application Penetration Testing Professional, have no expiration, allowing professionals to retain their credentials indefinitely. Others, such as GIAC certifications, require continuing education credits — usually within their ecosystem — to maintain validity. While this requirement demands ongoing effort, it also ensures you continuously refine your skills to stay ahead of evolving threats.

Top 16 offensive security certifications

  • Certified Ethical Hacker (C|EH)
  • Certified Penetration Testing Engineer (CPTE)
  • Certified Red Team Expert (CRTE)
  • Certified Web3 Hacker
  • CompTIA Pentest+
  • GIAC Cloud Penetration Tester (GCPN)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • GIAC Web Application Penetration Tester (GWAPT)
  • Mobile Application Penetration Testing Professional (eMAPT)
  • Offensive Security Certified Expert (OSCE)
  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Defense Analyst (OSDA)
  • Offensive Security Exploit Developer (OSED)
  • Offensive Security Exploitation Expert (OSEE)
  • Offensive Security Web Assessor (OSWA) 
  • Offensive Security Web Expert (OSWE) 

Certified Ethical Hacker (C|EH)

The EC-Council’s Certified Ethical Hacker (C|EH) teaches the foundations of ethical hacking across 20 modules, beginning with footprinting up to cloud computing and cryptography. The EC-Council recommends professionals with two years of IT security experience; those without can prepare with its free Cyber Security Essentials series. For the C|EH, professionals will learn skills for each stage of ethical hacking: reconnaissance, scanning, gaining and maintaining access, and covering tracks. The cert is ideal for cybersecurity auditors, warning analysts, solution architects, and more. The C|EH exam consists of 125 multiple-choice questions and a practical exam based on various scenarios.

Although there are no official prerequisites, EC-Council recommends two years of relevant experience or its Cybersecurity Essentials Series, which provides foundational knowledge in cybersecurity.

Training and exam fees: US$1,400, exam, on-demand video course, additional resources; live and hybrid training options available coupled with exam vouchers

For more, see “Certified Ethical Hacker (CEH): Certification cost, training, and value.”

Certified Penetration Testing Engineer (CPTE)

Administered by mile2, CPTE is recommended for pen testers, security officers, ethical hackers, and other cybersecurity professionals interested in upper management. Through CPTE, they can demonstrate knowledge of testing and reporting procedures through 13 modules, such as information gathering, automated vulnerability assessment, evasion techniques, networks and sniffing, and report writing. There is also an equivalent number of hands-on labs. The two-hour exam consists of 100 questions; candidates must answer 70 correctly to pass. To renew the CPTE, holders must pass the latest exam version and earn 20 continuing education units before its three-year expiration. There are no enforced prerequisites, but mile2 recommends candidates have one year of networking experience and knowledge of Linux, TCP/IP, PEH, and Microsoft security.

Training and exam fees: US$330, prep guide, practice quiz, two exam attempts; US$717, one-year access to course, additional resources (workbook, lab guide), two exam attempts

Certified Red Team Expert (CRTE)

Altered Security offers the Certified Red Team Expert (CRTE) certification, which focuses on understanding and practicing threats against Windows infrastructure. The course includes 14 hours of video content and a lab environment that teaches candidates how to abuse Active Directory (AD), bypass defenses such as Windows Defender, and attack Azure AD Integration. Students are provided a fully patched AD environment for the exam and must solve challenges by constructing attack paths. To maintain the CRTE, holders can retake the latest exam or complete the Certified Red Team Master certification before the three-year expiry. There are no formal prerequisites for CRTE, but Altered Security recommends understanding penetration testing or security administration in an AD environment and the inclination to think of abuses for AD rather than exploits, both of which can be learned from Altered Security’s beginner certification, Certified Red Team Professional.

Training and exam fees: US$299, exam attempt, lifetime access to course material, 30 days of lab access; US$499 and US$699, same resources with lab access extended to 60 and 90 days, respectively

Certified Web3 Hacker

Administered by 101 Blockchains, one of the lesser-known certifying bodies on this list, Certified Web3 Hacker may be especially timely. The Trump administration is strongly pro-crypto, and crypto businesses, such as Bybit, which lost US$1.5 billion in a February 2025 hack, remain highly vulnerable. Certified Web3 Hacker teaches candidates to understand web3 exploits, resolve threats, and improve security. The curriculum spans multiple areas of web3, including Ethereum Virtual Machine, tokens, and DeFi. This certification is ideal for cybersecurity professionals who wish to build a career as blockchain developers, smart contract auditors, and web3 application security testers. The course may also be helpful to professionals from traditional enterprises that may explore web3 technologies; employees from HSBC, SAP, Cisco, Deloitte, Citibank, and KPMG have all taken the course. The syllabus states that there is a final exam but does not specify the format. There are no mandatory prerequisites, but candidates with prior experience in blockchain security may have an advantage.

Training and exam fees: US$299, course, exam, additional resources

CompTIA Pentest+

CompTIA Pentest+ is administered by top certifying body CompTIA, developed in partnership with Deloitte, Fidelity, GDIT, Secureworks, Zoom, and the US Navy. CompTIA Pentest+ teaches candidates five modules: engagement management, attacks and exploits, reconnaissance and enumeration, post-exploitation and lateral movement, and vulnerability discovery and analysis. The curriculum covers all attack vectors, such as cloud, IoT, and web applications, and it addresses emerging threats like AI. The 165-minute exam consists of performance-based and multiple-choice questions; candidates must score 750 on a 900-point scale to pass. There are no prerequisites, but CompTIA recommends its Network+ or Security+ certifications or three years of experience in a penetration testing role. To renew the Pentest+ certification, holders must earn 60 continuing education units (CEU) every three years.

Training and exam fees: US$404, exam; US$581, exam, retake, and study guide; US$741, exam, retake, study guide, additional exam practice

GIAC Cloud Penetration Tester (GCPN)

Security is a major concern for enterprises that store data in the cloud. Offered by GIAC, which provides more than 40 cybersecurity certifications, the GCPN is ideal for professionals who need to conduct cloud-focused penetration testing, such as vulnerability analysts, risk assessment officers, or DevOps or site reliability engineers. The certification covers cloud penetration testing fundamentals and specific attacks on AWS and Azure. The two-hour exam consists of 75 questions; candidates must score 70% to pass. GCPN holders must renew by taking 36 continuing professional education (CPE) credits every four years. There are no official prerequisites for the GCPN. Still, the affiliated preparatory course recommends students be familiar with Linux bash, Azure and AWS command-line interface tools, networking, and Port Pivots because most labs are executed through the command line.

Training fees: GIAC offers on-demand and in-person options priced at local rates.

Exam fees: US$999; retakes, US$899

GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

More advanced than the GIAC Penetration Tester Certification (GPEN), the GXPN is suited for network and systems penetration testers, incident handlers, and other cybersecurity professionals who must conduct advanced penetration testing and model attackers’ behavior to improve an organization’s security. The GXPN covers eight areas: network- and cryptography-based attacks, restricted environments, shellcode and memory basics, and stack overflows and stack protections for Windows and Linux. Users must score 67% out of 60 questions during the three-hour proctored exam to pass. GXPN holders must also take 36 CPE credits every four years to renew the certification. There are no official prerequisites for the GXPN, but the affiliated preparatory course recommends that candidates have the basics of penetration testing, Linux and Windows, and Python, C, and C++.

Training fees: GIAC offers on-demand and in-person options priced at local rates.

Exam fees: US$999; retakes, US$899

GIAC Web Application Penetration Tester (GWAPT)

The GWAPT is tailored for cybersecurity professionals who wish to specialize in conducting penetration testing on web applications, such as website architects and application developers. The certification covers session management, configuration testing, authentication, SQL injection, and client injection attacks. The three-hour exam consists of 82 questions, and candidates need to achieve 71% to pass. As with the GCPN and GXPN, candidates must complete 36 CPE credits to maintain the validity of their GWAPT. There are no official prerequisites for the GWAPT, but the affiliated preparatory course recommends knowledge of the Linux command line.

Training fees: GIAC offers on-demand and in-person options priced at local rates.

Exam fees: US$999; retakes, US$899

Mobile Application Penetration Testing Professional (eMAPT)

Several certifications on this list touch on mobile as an attack vector, but the Mobile Application Penetration Testing Professional certification offered by INE Security is the only one to focus on the subject. The learning path consists of two pen-testing courses — one for Android and the other for iOS — that span more than 11 hours in video content. Candidates who complete this path will understand how to identify security issues on mobile OSes and use techniques such as information gathering, reverse engineering, and network analysis. For the exam, candidates must analyze, pen-test, and produce a working exploit for an Android application that is manually reviewed by course instructors. eMAPT has no expiration, and INE Security offers another learning path, Advanced Penetration Testing, for holders who want more professional development. While there are no prerequisites, INE Security recommends candidates understand penetration testing, encryption and decryption algorithms, manual exploitation, Android application architecture, security mechanisms, and algorithm analysis.

Training and exam fees: US$400, exam only; US$299 annual subscription for Android and iOS pen-testing courses; US$749 premium annual subscription for additional training content and hands-on labs

Offensive Security Certified Expert (OSCE)

OffSec’s Offensive Security Certified Expert is unique compared to its other certifications on this list. It consists of three courses: Advanced Web Attacks and Exploitation, Advanced Evasion Techniques and Breaching Defenses, and Windows User Mode Exploit Development, each of which awards its own certification. The format for each course exam is the same: Candidates have 48 hours to compromise a given target using various techniques. No formal prerequisites exist for the three courses, though OffSec makes specific knowledge and skill recommendations for each. Candidates who complete the three courses and earn the OSCE also get a challenge coin symbolizing their expertise in offensive security.

Training and exam fees: US$1,749, each course plus exam; US$5,247, total cost for OSCE

Offensive Security Certified Professional (OSCP)

To earn the OffSec Certified Professional certification, candidates must complete the affiliated course, Penetration Testing with Kali Linux, and pass the subsequent exam. The course covers 10 modules, including information gathering, vulnerability scanning, client-side attacks, and fixing exploits. Certificate holders will have shown mastery of penetration testing methodologies ideal for new roles, such as ethical hacker, incident responder, or threat hunter. The OSCP exam is hands-on; test-takers must compromise systems within a lab environment.

OffSec does not enforce prerequisites but recommends candidates be familiar with TCP/IP networking, scripting in Bash and Python, and Linux and Windows, which they can learn through its Network Penetration Testing Essentials Learning Path.

Training and exam fees: US$1,749, Kali Linux course plus exam

Offensive Security Defense Analyst (OSDA)

The course that culminates in the OSDA is Foundational Security Operations and Defensive Analysis, which teaches candidates to defend networks and systems against cyber threats. Specific modules include attack methodology, Windows client- and server-side attacks, Linux attacks, network detections, and antivirus alerts and evasion. Earning the OSDA may open job opportunities as a threat hunter, incident responder, or defensive-focused security engineer. During the exam, students have 24 hours to identify and respond to threats in a lab environment and an additional 24 hours to submit an incident response report. While there are no formal prerequisites to OSDA, OffSec recommends knowledge of TCP/IP networking, Windows and Linux, and general cybersecurity concepts.

Training and exam fees: US$1,749, course plus exam

Offensive Security Exploit Developer (OSED)

The Windows User Mode Exploit Development course culminates in the OSED certification, which attests to the professional’s ability to develop exploits and bypass security defenses. The course syllabus contains modules on stack buffer overflows, overcoming space restrictions, reverse-engineering bugs, and format string specifier attacks. This course targets cybersecurity professionals seeking roles as an exploit developer, malware analyst, or security researcher. During the 48-hour exam, candidates must exploit a simulated live network in a lab environment and provide proof of exploitation. There are no formal prerequisites for OSED, but OffSec recommends candidates be familiar with penetration testing, Windows, debugging tools such as WinDbg, and C and assembly.

Training and exam fees: US$1,749, course plus exam

Offensive Security Exploitation Expert (OSEE)

According to OffSec, Advanced Windows Exploitation — which awards the OSEE certification — is the most challenging of all their courses. Given this difficulty, OffSec offers this class only in an in-person, instructor-led format. Students will learn advanced heap manipulations, bypass of user mode security mitigations and kernel mode security mitigations, and 64-bit Windows Kernel Driver reverse engineering. To prepare, candidates must be familiar with developing Windows exploits, operating a debugger, and WinDBG, x86_64 assembly, IDA Pro, and C/C++ programming. During the 72-hour exam, candidates must develop exploits for several target systems and submit a penetration test report with notes and screenshots.

Training and exam fees: Instructor-led class sessions for Advanced Windows Exploitation are offered at local market rates at major business hubs around the world. Enterprises can also contact OffSec to conduct in-house training for the course.

Offensive Security Web Assessor (OSWA)

The Foundational Web Application Assessments with Kali Linux course focuses on understanding and exploiting common web vulnerabilities through cross-site request forgery, SQL injection, server-side request forgery, and exploiting CORs misconfigurations. Since this course is one of OffSec’s introductory classes, the organization only recommends a basic understanding of Linux, networking, and HTML, CSS, and JavaScript. To pass the OSWA exam, students must compromise a web application in a lab environment within 24 hours and submit a penetration testing report within the day after. Professionals who have earned the OSWA can obtain positions as a web application penetration tester, vulnerability researcher, web-focused security consultant, or bug bounty hunter.

Training and exam fees: US$1,749, course plus exam

Offensive Security Web Expert (OSWE)

OffSec also offers the Offensive Security Web Expert certification, which focuses on penetration testing and exploit development of web applications. The affiliated Advanced Web Attacks and Exploitation course will teach candidates web security tools and methodologies, source code analysis, session hijacking, remote code execution, data exfiltration, and more. The certification is designed for professionals with experience in cybersecurity or penetration testing who want to pursue higher-level roles as a security architect, vulnerability researcher, or product security engineer. The OWSE exam is hands-on: Candidates are provided a test environment and tasked with compromising a web application using techniques from the course. Candidates who fail must observe a cooling-off period before retaking it, with the duration depending on the number of previous attempts. While there are no prerequisites, OffSec strongly recommends candidates know at least one coding language, be able to write simple scripts, have a background in web proxies, be familiar with Linux, and have a general understanding of cyberattacks.

Training and exam fees: US$1,749, course plus exam