CompTIA PenTest+

GPEN vs. PenTest+: Which certification is better?

Greg Belding
May 19, 2022 by
Greg Belding

Essential training and education for some areas of cybersecurity involve earning a respected professional certification. This is because there are no degree programs that adequately cover this material. In addition, certifications can be earned fairly quickly in comparison to a degree, allowing professional information security skill sets to grow fast. 

This article will compare and contrast two certifications for penetration testers — the GIAC Penetration Tester (GPEN) certification and CompTIA’s PenTest+ certification. Both certifications will be separately examined and will explore their prerequisites, the material that they cover and the exam details, and will conclude with a verdict on which certification you should choose for yourself.

Earn your PenTest+, guaranteed!

Earn your PenTest+, guaranteed!

Enroll in a PenTest+ Boot Camp and earn one of the industry’s most respected certifications — guaranteed.

GPEN

This vendor-neutral penetration testing certification is one of the most popular penetration testing certifications available today. This certification was created to help certify the knowledge and skills required of information security professionals who are tasked with finding security vulnerabilities within organization networks. 

The certification does a thorough job of covering the pentesting methodologies and technologies a professional will frequently use, as well as the non-technical and legal issues surrounding this sub-discipline of cybersecurity. 

GPEN prerequisites

Unlike many other certifications, GPEN does not have strictly enforced prerequisites. With that said, GPEN candidates will still need a firm understanding of Windows operating systems, Linux (including command line), networking (including TCP/IP protocols) and cryptography. 

Material covered by GPEN

Unlike many other certifications, GPEN’s material is separated by topic areas instead of domains of knowledge. The topic areas GPEN covers are:

  • Advanced password attacks
  • Advanced password hashes
  • Azure applications and attack strategies
  • Azure overview, attacks and AD integration
  • Domain escalation and persistence attacks
  • Escalation and exploitation
  • Exploitation fundamentals
  • Kerberos attacks
  • Metasploit framework
  • Moving files with exploits
  • Password attacks
  • Password formats and hashes
  • Pentesting planning
  • Pentesting using Windows PowerShell and Windows Command Line
  • Reconnaissance
  • Scanning and host discovery
  • Vulnerability scanning

GPEN exam details

Certification candidates are required to pass a certification exam before they can earn this certification. Online registration is required before a candidate can sit for the exam, which carries a hefty exam fee with it. 

The certification exam contains 82 questions and candidates will have three hours to take it. A passing score is 75%. Certification holders will have to renew their certification every four years.

CompTIA PenTest+

GPEN’s opponent in this contest is CompTIA’s PenTest+ certification. PenTest+. Like GPEN, PenTest+ is vendor-neutral and designed by Subject Matter Experts (SME) in pentesting and ethical hacking. What makes PenTest+ unique is that it is partly based upon cybersecurity industry survey results. This gives PenTest+ heightened real-world applicability compared to other certifications.

PenTest+ prerequisites

CompTIA says that there are no “required” prerequisites for this certification, but it certainly carries some strong recommendations. Certification candidates should have already earned Network+ and Security+ (or at least have the requisite knowledge) and have three to four years of hands-on information security experience. (I would say the years of hands-on experience are the most important because of the hands-on aspect of the certification exam.) This makes PenTest+ an intermediate pentesting certification.

Material covered by PenTest+

PenTest+ divides the material it covers into five domains of knowledge. These domains are:

  1. Planning and scoping: Explores compliance-based planning and assessments and focuses on the key aspects of each
  2. Information gathering and vulnerability identification: Includes performing vulnerability scans and analysis of scan results to prepare for exploits
  3. Attacks and exploits: Examines exploits for network, app and other vulnerabilities 
  4. Reporting and communication: Includes best practices-based mitigation techniques
  5. Tools and code analysis: Tools covered include Python, Bash, PowerShell and Ruby scripts

This certification does not just focus on the technical aspects of pentesting, but rather focuses on the entire process of pentesting. The material covered also includes vulnerability assessment and management skills that other certifications tend to overlook.

PenTest+ exam details

PenTest+ certification candidates must pass a certification exam composed of multiple-choice questions and hands-on, performance-based questions. The exam lasts 165 minutes and contains 85 questions, and candidates will need to earn 750 points on a scale of 100-900 to pass. The registration fee is relatively paltry compared to other certification exams (but is standard for CompTIA). 

Conclusion

To be fair, both certifications would be great career-boosting credentials for information security professionals. However, given the differences of both certifications, I feel PenTest+ is the stronger certification, particularly for those who are paying for their own certifications and can't afford to build their career around GIAC credentials.

In terms of material covered, PenTest+ does a better job by covering the entire pentesting process with the addition of vulnerability assessment and management knowledge and skills, as well as the industry insight that pentesters will need. PenTest+ also technically recommends a few more years of experience than GPEN. This can be good or bad, depending on your career level and your goals.

Earn your PenTest+, guaranteed!

Earn your PenTest+, guaranteed!

Enroll in a PenTest+ Boot Camp and earn one of the industry’s most respected certifications — guaranteed.

Sources

  1. Cyber Security Certification: GPEN, GIAC
  2. 5 Reasons Cybersecurity Experts Love CompTIA PenTest+, CompTIA
  3. CompTIA PenTest+, CompTIA
  4. CompTIA PenTest+ Certification Exam Objectives, CompTIA
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.