For years, Offensive Security (OffSec) certifications have been held up as one of the gold standards in the ethical hacking/penetration testing community. Their exams have been praised for their difficulty and their "real-world" feel: candidates have to actually compromise machines to earn the certification instead of passing a traditional multiple-choice test. Having an OffSec certification meant you had a good baseline of hacking knowledge and were well prepared to handle a real-world job. However, in my opinion (and I hold two OffSec certifications), the certifications just aren't worth the money any more. Let me explain why.
The major flaw with OffSec certifications, at this point in time, is a severe lack of updates to their certification material. As I dig into several of the certifications below, you will see why I consider this a matter of fact rather than taste. At a high level, OffSec is still offering certifications such as the OSWP, where the training focuses on wireless network hacking techniques, but the protocols taught are mainly a decade old and no longer used in most households or production environments. Outdated material such as this is keeping OffSec from being the elite training company they once were.
Certifications, in my opinion, are meant to show that an individual has met a baseline of knowledge regarding a specific topic. From a hiring manager perspective, I would want to know that a certification on the resume holds some merit. Moving forward, it will be hard to trust OffSec certifications on a resume as anything other than a person having the ability to persevere through a tough environment. Is that a desirable trait? Yes. However, just because the certification is hard to obtain and shows some good personality traits by obtaining it, it does not mean that the certification provides the baseline of knowledge needed to work in a particular field. This is where OffSec is beginning to fail.
Let’s briefly dig into each of the main online OffSec training offerings.
Let's start with the OSCP, a certification I hold myself. What the training does well is teach you the common hacking tools and give you a good rundown of the hacking methodology. It also teaches you to keep a tough mindset when it comes to overcoming difficult situations. OffSec also provides a robust set of labs that give students 50 or so unique machines to attack. Yet the labs rarely get updated, and neither does the training material.
For example, you encounter operating systems as old as Windows XP in their lab environment and exploits that are so old, they aren’t even relevant anymore. Now, am I saying that there are not Windows XP machines running out there? No, of course not. However, if you’re being prepped for a realistic environment, OffSec’s labs just are not going to cut it.
The majority of corporate environments today are running Windows 7 or later and use some form of Active Directory internally. Additionally, it is highly unlikely (though not impossible) that you will ever use any of the privilege escalation tactics you learn in the labs on a machine in the real world. It's also highly unlikely that you'll be crafting manual exploits and modifying shellcode on an assessment.
What’s more likely is that you will be using AD privilege escalation tactics that are not taught by OffSec. You’ll be using Metasploit and other “auto pwn” tools. No, this does not make you a script kiddie. This makes you a penetration tester. It would not be difficult to create a testing environment that emulated a difficult real-world corporate environment, but that would require OffSec to perform updates, which they just don’t do.
Having gone through the interview gauntlet not that long ago, I can assure you that companies are moving towards simulated penetration tests as a feature of their hiring process. On top of this, technical questions dive deep into AD environments as those are 90% of what a penetration tester will see on an engagement. The OSCP will not prepare you for these types of interviews. Yes, you will have a foundation of understanding in terms of methodology with the OSCP, but you will get rocked by these types of assessments.
In my opinion, one would gain equal value by strictly working on simulation sites such as Hack The Box. The machines can be pretty complicated, but you will still learn the hacking process. You’ll still learn to scan, enumerate, and eventually, own boxes. You’ll be allowed to use whatever tools you desire. Hell, looking back, Hack The Box has helped me become a better penetration tester than the OffSec labs ever came close to. It’s $100 for a year vs $1200 for 90 days of labs with OffSec.
Another benefit of Hack The Box is their recent addition of pro labs. The pro labs, at the time of this writing, are currently Offshore and RastaLabs. Both labs focus heavily on realistic AD environments and from what I have heard (I’ve yet to take the labs personally), prepare students for real-world internal penetration tests. Right now, the labs run about 90 Euros a month, with a better deal if you purchase multiple months.
We will touch more on this topic in a bit.
Another certification that really disappointed me was the OSWP. If you want a certification that will prepare you to hack wireless routers from ten years ago, then this is the certification for you. Why do I say this? Because roughly 90% of the material covers the long-deprecated WEP protocol.
If you aren’t aware, WEP was replaced by WPA2 over a decade ago. Yes, there is a period of time where people and even businesses are slow to switch over to a new protocol. It makes sense to teach multiple protocols while the protocols are both in use and that’s exactly what OffSec did many years ago. It’s just that they haven’t bothered to update the material since, but have no issue with taking your money and leading you to believe that you’re going to be certified in hacking wireless networks.
Seriously, you could watch a random course on Udemy or read a blog on WPA2 hacking and it would cover more information than the entire OSWP course does. This is truly disappointing and OffSec should be ashamed. If you’re a leading certification provider and a true gold standard of the industry, then you should be better than this. It’s a slap in the face of the students who pay you hard-earned money and entrust your company to provide them with a good training foundation. OffSec simply cannot provide that anymore.
Moving on to a certification course I almost purchased: the OSCE. The OSCE was once the gold standard of hacking certifications. Back in the day, if I saw someone with the OSCE, it made me instantly appreciate them. The course was difficult, the exam was 48 hours, and the certification was incredibly hard to obtain. The information was also incredibly relevant. Until it wasn’t.
Let's paint a picture of what the OSCE course teaches you. First, you learn 32-bit assembly. Okay, that's a good start. Then it moves on to 64-bit, right? Nope, that would require updating. Oh, and the whole course is done on a Windows Vista machine. Let me repeat: a Windows Vista machine. On top of all of this, you're taught dated concepts such as egg hunting, a technique that rarely comes up in modern exploit development.
The entire course is completely archaic and yet, they still charge over $1,000 for it. Over a grand for a course that will prepare you to understand outdated exploit development tactics. Again, a rip off and just not relevant. OffSec, you should be ashamed.
As of right now, I can no longer advocate for OffSec certifications. The certifications need heavy improvement if OffSec wants to remain an industry standard. I will add a positive: I have noticed that OffSec is hiring Content Developers on their website. Giving them the benefit of the doubt, my hope is that this is to improve their content moving forward and take care of the updating issue ASAP. I would be happy to update this post if changes are made, and I would be happy to advise OffSec on how their courses could improve.
Until then, I must strongly advise against the OSWP and OSCE for the reasons stated earlier. In terms of the OSCP, I will offer this opinion if you are seeking the certification:
The OSCP is outdated and will not prepare you well for a job interview. However, besides the benefits mentioned earlier (it teaches methodology, rigor, etc.), it is still a massive HR filter. At this point in time, a resume with an OSCP on it easily has a chance of being put at the top of the pile simply because HR loves the certification. This is a massive benefit that I cannot overlook. When it comes to getting your resume onto a hiring manager's desk, the OSCP is still top of the line because there's nothing out there to compete with it quite yet.
With that being said, if you want to be a better pentester with an up-to-date skillset, I would advocate for completing some Hack The Box machines and then moving directly into internal AD training. Hack The Box will give you a solid foundation for external penetration tests as the process is very similar (scan, enumerate, exploit). However, it is important to know an AD environment well as this is a topic that a lot of interviews dive deep into. As stated before, I have heard nothing but good things about Offshore and RastaLabs through Hack The Box for AD training, but I must repeat: I have not taken the training myself.
Let’s Do Something About It
This is my call to the community. Let's call on OffSec to improve the quality of their training and move on until they do. It is nearly inexcusable to offer certifications that teach decade-old material and no longer prepare students for the real world. For now, let's start talking about training that actually stays up to date and providers that actually care about preparing a student for their future. If we're going to spend a lot of money, it should be on training that actually provides quality content to its students.
As this is an opinion piece, I welcome feedback from the community. What I would truly love is input on security training you received and loved, so that I can share that on this blog. I will update this blog post with content providers that are referred to me so that the community can become aware of these providers. So, if there is fantastic training out there that you really enjoyed, please don’t hesitate to let me know!
I have been fortunate enough to take the Practical Web Application Penetration Testing (PWAPT) course offered by Tim Tomes (@lanmaster53). It was the best hands-on experience I have ever received in terms of web application penetration testing. I can honestly say that I have never learned more on the topic in a shorter period of time than I did with Tim in the course. To top it off, it was my first hands-on experience with Burp Suite Pro, as most courses have you use ZAP or the free edition of Burp (I'm looking at you, SANS). If you're looking for good web application training, feel free to hit him up on Twitter and see when his next course offering is!
As suggested by others:
I'm really enjoying VirtualHackingLabs, which from what I hear is similar to PWK but at a fraction of the cost. PentesterLab is pretty awesome and Louis is one of the greatest dudes ever.
You forgot to mention @eLearnSecurity certs, which are awesome.
Thanks @_Kiewicz for mentioning us! @hmaverickadams To learn more about us, @ethicalhacker is currently giving away one of our courses (PTS) for free to all its new members. Check it out if you're interested. https://www.ethicalhacker.net/register/?sp_source=Social&sp_term=TWregEHNET