Top 9 IT Security Certifications


IMPORTANT ANNOUNCEMENT!

This article was written several years ago.

Please refer to our Cyber Security Course Directory, which contains over 300 courses!

Here’s the link.

If you are looking for a certification in information security then you might be feeling a little confused, since there are nearly a dozen internationally recognized certs to choose from. The heavy hitters, or rather the better-known security certifications out there, tend to be EC-Council’s Certified Ethical Hacker (CEHv8) and CompTIA’s Security+, but there are others!

We have arranged the vendor-neutral certifications into separate sections so you can review the various training and self-study options (along with the associated fees), and we have also put together a little test for you to try! If you pass the real-life multiple-choice practice test then you are certainly in a very good place and should consider getting certified. Each test, available for all four of our certs, lasts only five minutes and has ten timed questions. If you need help please contact us by email.

OK, so back to the post! What are other information security certifications?

1. CPTC – Certified Penetration Testing Consultant
2. CPTE – Certified Penetration Testing Engineer
3. CompTIA – Security+
4. CSTA – Certified Security Testing Associate
5. GPEN – GIAC Certified Penetration Tester
6. OSCP – Offensive Security Certified Professional
7. CEH – Certified Ethical Hacker
8. ECSA – EC-Council Certified Security Analyst
9. CEPT – Certified Expert Penetration Tester

Unless otherwise stated these certifications are assessed by multiple choice and they require continuing education.

CPTC and CPTE (first and second on our list)
Taking each of these certifications in order: CPTE and CPTC are very similar – but the CPTC is slightly more geared towards the business end of penetration testing. Mile2 offer both of these security certifications and we have already spoken at length on the differences between CPTE and CPTC. We also have a download that examines CPTE in more detail. In summary, Mile2 is rapidly becoming popular due to the US military adopting several of their courses and the fact that they have excellent instructors. For more information please click on the above links within this paragraph.

CompTIA Security+ (also known as SY0-301) (third on our list)
The Security+ is an excellent all-round certification in information security. Having been around for a long time now – CompTIA, as a charity and vendor-free organization, remains a highly venerated IT training body. We have a detailed review and a huge amount of information related to Security+, including: “Why study CompTIA Security+?”, how to break into the information security field, the (detailed) Security+ syllabus, the exam structure (how is it graded?), a practice online exam center (Virtual Test Center), an overview of required acronyms, expected salaries and opportunities in 2013, the CompTIA course pathway, 300 interview questions and 13 interview no-no’s! You can get all of that in a nice PDF format here. It is worth reiterating that we also offer a free Security+ practice exam with model answers!

However – if you don’t have time to drill down into all of that data here is a list of the modules you would have to learn if you decide to sit for the Security+ exam and certification.

1.0 Network Security
1.1 Explain the security function and purpose of network devices and technologies
1.2 Apply and implement secure network administration principles
1.3 Distinguish and differentiate network design elements and compounds
1.4 Implement and use common protocols
1.5 Identify commonly used default network ports
1.6 Implement wireless network in a secure manner
2.0 Compliance and Operational Security
2.1 Explain risk related concepts
2.2 Carry out appropriate risk mitigation strategies
2.3 Execute appropriate incident response procedures
2.4 Explain the importance of security related awareness and training
2.5 Compare and contrast aspects of business continuity
2.7 Explain the impact and proper use of environmental controls
2.8 Execute disaster recovery plans and procedures
3.0 Threats and Vulnerabilities
3.1 Analyze and differentiate among types of malware
3.2 Analyze and differentiate among types of attacks
3.3 Analyze and differentiate among types of social engineering
3.4 Analyze and differentiate among types of wireless attacks
3.5 Analyze and differentiate among types of application attacks
3.6 Analyze and differentiate among types of mitigation and deterrent techniques
3.7 Implement assessment tools and techniques to discover security threats and vulnerabilities
3.8 Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
4.0 Application, Data and Host Security
4.1 Explain the importance of application security
4.2 Carry out appropriate procedures to establish host security
4.3 Explain the importance of data security
5.0 Access Control and Identity Management
5.1 Explain the function and purpose of authentication services
5.2 Explain the fundamental concepts and best practices related to authentication, authorization and access control
5.3 Implement appropriate security controls when performing account management
6.0 Cryptography
6.1 Summarize general cryptography concepts
6.2 Use and apply appropriate cryptographic tools and products
6.3 Explain the core concepts of public key infrastructure
6.4 Implement PKI, certificate management and associated components

CSTA – Certified Security Testing Associate (fourth on our list).
CSTA is maintained by a British organization called 7Safe. CSTA is a four-day course and has a syllabus somewhat like EC-Council’s Certified Ethical Hacker. 7Safe have a network of authorized training centers. CSTA is interwoven with lab testing – i.e. the course is very hands-on and practical.

It will be interesting to see the uptake for CSTA. Our hunch is that it will have a difficult time against the strongly established CEHv8 (Certified Ethical Hacker) and Security+. The premise of this security certification is to think and behave like a hacker so that the student will better learn how to prepare against attacks. This is all excellent, but it just seems very similar to CEH. Anyway – good luck to them, and we will certainly be keeping a close eye on their progress and course acceptance. In their own words, “The CSTA course is suited to system administrators, IT security officers and budding penetration testers.”

We understand that the CSTA is a progression path towards an ultimate goal of becoming a CREST Registered Tester.

GPEN – GIAC Certified Penetration Tester (fifth on our list)
GIAC claims GPEN to be the most “methodical pentesting course”, one that trains the student to seek and destroy security vulnerabilities within weak configurations, unpatched systems, and/or inherited, botched legacy architectures. SANS places emphasis on training the student to work with flawed legacy systems, which certainly has appeal in a job interview, especially if the position is to rectify a “broken” network or computer system.

Certainly a very in-depth course, GPEN seeks to cover all elements of successful network penetration testing by training students to improve their enterprise’s security stance. According to the course summary, students learn how to perform detailed reconnaissance, scanning and exploitation, experimenting with numerous tools in hands-on exercises. Similar to CPTC (Mile2’s consultancy/business-leaning cert), GIAC also includes a professional auditing module: i.e. the training includes a module designed to help students understand how to write a report that will maximize the value of the penetration test from both a management and a technical perspective.

GIAC as you would expect also includes lab work to help the student work with exploitation frameworks and all necessary pentesting tools.

OSCP – Offensive Security Certified Professional (sixth on our list)
The mighty BackTrack pentesting distro is connected to this IT security certification – meaning that it comes from the same organization – Offensive Security. (If you are interested in Linux pentesting distros we put together a really great list here – which includes our favorite: BackBox.)

Relatively new to the stage, the “Offensive Security 101” training course seems to be maturing well and gaining acceptance. It certainly was a smart move to create such a popular Linux distro and then add IT security courses to it – because, naturally, all the tools contained within the distro are precisely what the course (and all information security courses) require you to be proficient with.

This course gives a solid understanding of the penetration testing process. If we understand correctly, the course is mainly aimed at the CBT market. The registration entitles you to downloadable “Offensive Security 101” course videos. For an additional fee you can opt to take their online lab (30-day access) and certification challenge (similar to Mile2’s CBT course program).

CEH – Certified Ethical Hacker (seventh on our list)
The Certified Ethical Hacker certification, offered by EC-Council, is a popular cyber security certification. The exam contains 150 multiple-choice questions which must be answered within 240 minutes, with a pass mark of 70%.

The latest version of the Certified Ethical Hacker is Version 8.

Regarded as content heavy, the CEH still holds sway in our opinion. We think that EC-Council have always believed that to beat a hacker, you need to think like one – and that, in our opinion, sums up the course perfectly. CEH immerses the student in a hands-on fashion where they are taught how to work, test and audit like a professional ethical hacker. The course starts by instructing students how to breach perimeter defenses and then effectively scan and attack networks. True to the principle that you gotta think bad to do good (i.e. think like a hacker) – students will also learn how to escalate privileges, create a secure shell and what steps can be taken to secure a system. In addition, participants will learn about Intrusion Detection, Social Engineering, DDoS Attacks, Buffer Overflows, Virus Creation and more.

ECSA – EC-Council Certified Security Analyst (eighth on our list)
EC-Council are extremely involved in the community. They organize the Hacker Halted conferences in the US and Asia and have been pioneering some really great IT security certifications. Their courses are offered either online, via their iClass course delivery, or live instructor-led (i.e. in person). Following on from CEH is the ECSA (Certified Security Analyst).

The ECSA is designed to help you perform better audits of security systems; in other words, what are the results of the pentest? The ECSA is very similar to Mile2’s CPTC in that the course is client-focused, concentrating on being able to present accurate data and post-testing suggestions to employers and/or clients.

ECSA does follow on from CEH (and indeed EC-Council suggest that you first finish Certified Ethical Hacker) because the post-test reporting can only be achieved with an understanding of the processes in the first place. In summary, the ECSA’s purpose is to add value to an experienced security professional by assisting them to analyze the outcomes of their penetration tests.

CEPT – Certified Expert Penetration Tester (ninth on our list)
Like the rest, this certification is assessed by multiple choice (100 questions with a pass mark of 80%). This certification is different from the rest because it relies more on programming and understanding the actual code. You really must speak C++ and Python and understand compilers/assemblers before taking this course. Here is a summary of the CEPT syllabus and the modules that a student must complete to pass the certification. There are nine modules:

1. Penetration Testing Methodologies
2. Network Attacks
3. Network Recon
4. Shellcode
5. Reverse Engineering
6. Memory Corruption/Buffer Overflow Vulnerabilities
7. Exploit Creation – Windows Architecture
8. Exploit Creation – Linux/Unix Architecture
9. Web Application Vulnerabilities

In Summary!
It is quite a mammoth task to compare and outline 100% accurately all these courses, especially when you factor in bias and industry reputation. It is very easy for this discussion to take an “is it worth it” angle – but instead we tried just to stay within an academic or, better said, training dimension. We are interested in what you actually learn and what the syllabus contains.

In summary – and this is a real basic summary! – we think that CEH is widely known and, for HR, it is fast becoming a check-box that helps to get that interview. CPTC and CPTE are similar in that they have more of a consultancy and business role to them – which is great if you are already qualified but missing that business client side on your resume. GIAC looks at penetration testing from a very methodical approach, and Security+ is the all-round winner due to its longevity and its solid, proven syllabus.

Henry Dalziel

Henry is a serial education entrepreneur, founder of Concise Ac Ltd, online cybersecurity blogger and e-book author. He writes for the Concise-Courses.com blog and has developed numerous cybersecurity continuing education courses and books. Concise Ac Ltd develops and distributes continuing education content [books and courses] for cybersecurity professionals seeking skill enhancement and career advancement. The company was recently accepted onto the UK Trade & Investment's (UKTI) Global Entrepreneur Programme (GEP). For more information please get in contact for possible JV's: https://uk.linkedin.com/in/henrydalziel

57 thoughts on “Top 9 IT Security Certifications”

  1. By the “replies” to the informational posts regarding I.T. certifications that I have seen, there is much distress over which certifications are the best, and which are not- yadie yadie.. The fact of the matter is that it really does not matter which are the “best”, but where the people with good, comparable qualifications will fit where, the best. This is the main component any employer will look at in my humble opinion, and not so much as to what tests you have passed. Of course the skills matter! But the person with the “best” certs is not always the “best” fit.

    There are many obvious reasons why companies and individuals alike promote certain certifications (it is a business after all), but the best advice that someone new to the industry could hear would be to pick a certification path, stick with it, LEARN EVERYTHING YOU CAN, and be the BEST you can! -no matter what. That is the real formula for success.

    Who cares what path you take? At the end of the day we are all professionals, but only if we think, act, and conduct ourselves accordingly. Am I wrong?

    1. An excellent comment and thanks very much for sharing your thoughts.

      100% agree with you. To have called our list of certifications ‘best’ should not be regarded as an absolute. We always tell our students that simply getting a certification without any experience will not generally get you the job, rather, experience WITH a specific certification would be more beneficial. Thanks again for your comment.

1. You’re welcome! Just to clear it up, I was referring to people that comment about articles more than your specific article. I believe the article you wrote is well laid out and informative. Thank you for your advice and work on this.

  2. Hey !
Let’s talk about THE OLDEST performance-based hands-on security certifications – since 1999 – 4+ years before EC-Council CEH.

    Q/ISP Qualified/ Information Security Professional –

    Q/ISP Certification Program/ WORLD CLASS Graduate and Master Certificate

    4 CyberSecurity Certification + 3 Practicals

    Q/EH Q/SA Q/PTL Q/FE Q/ND
    Q/ISP® Cert Exam CNSS 4011/4012/4013/4015/4016A
    Q/EH® Qualified/ Ethical Hacker Certification
    Q/SA® Qualified/ Security Analyst Pen Tester Cert.
    Q/PTL® Qualified/ Penetration Tester License
    Q/FE® Qualified/ Forensic Expert Certification
    Q/ND® Qualified/ Network Defender Certification

    23,000 students enrolled – US GI Bill approved, ACCET Accredited.

    1. Thanks for this! CEH and the other usual suspects often take all the limelight, and maybe for some solid reasons but it’s good to know that there are others out there.

3. The new way to monetize the IT industry. I really can’t believe why many people are into certification – well I guess they simply want to propel their salary and probably fool someone that they know the subject matter. I personally lost my confidence in these certifying bodies when I learned that “dump sites” exist and it’s OK with them. If these certifying bodies truly take pride in their examinations then how come none of them is sending DMCA notices to take down these websites? Or maybe they prefer the dollars from the cert fanboys who are continuously fooled.

A few Google searches, compile the results…voila! We have the course outline and we’re now a certifying body. As if any group of friends can now build some sort of organization and call themselves the “standard” of something…yeah right!

    1. Thanks for your comments – they are certainly valid.

      Bottom line is that these vendor-free certifications work by selling exam vouchers and the license fee associated with franchising their courses. Take for example CompTIA which anyone can study for free using brain dumps, YouTube, etc etc, but you still have to pay for the exam voucher – so CompTIA still wins.

With reference to the course ‘helping’ a career I think that essentially they do. No, you can’t get a job by having zero experience and then doing a CEH or CISSP course, but what the cert will do is ‘strengthen’ your job application – especially if you are applying for a security job role within IT. I have heard that many HR people actually view CISSP as a ‘gold standard’ and actively look for people that have that cert. The same HR person might know very little about the usefulness of the CISSP course but the point here is that they are LOOKING for people with that particular certification.

Final point I’ll make is that demand is outstripping supply when it comes to truly qualified, skilled information security specialists – so that is the good news. Lastly – all education should be perceived in a good light. I’m sure you have heard this but here’s a quote by Henry Ford:

      Anyone who stops learning is old, whether at twenty or eighty. Anyone who keeps learning stays young. The greatest thing in life is to keep your mind young.

1. Thanks for the reply Henry, I absolutely agree with Henry Ford’s quotation. As a matter of fact, the invention of the Internet gives everyone the opportunity to learn at their own pace. The bad news: some people are somehow brainwashing or creating some sort of norm that people with certs are really skilled. Some HR personnel will immediately jump to the question – do you have certification? And the simple reason behind this is that most of them are not qualified to assess the real skill of the applicant. Same with the owner of a big business who happens to have money and sets up an IT company. S/He cannot assess the skill of the applicant but s/he likes to have an IT company, so they will immediately look to someone with certification.

Good thing that you also mentioned these vendor-neutral certifications because obviously vendor-specific certs are all about money and marketing BUT there are still people who are taking these and passing the exam. These leakage sites or dump sites are not about learning – this is all about memorizing the questions and answers then taking the exam. Again, the question is – why are none of these certifying bodies taking down these websites?

All the materials are freely available online and all we need to do is study.
        But to be certified and take my money? That’s another story.

Red Hat Linux is the only remaining credible certification body for me – since they will really put your skill to a real test, not just multiple choice.

      2. I just want to add and maybe this is off the topic.

You will also notice the incarnation of PCI-DSS, HIPAA, Sarbanes-Oxley and other industry certifying bodies.
        Seriously, who are these people (college friends?) – who gave them the right to certify a specific industry?
        Most of them are not even sanctioned by the government. Most of them are not even technically inclined but they have the nerve to call themselves auditors…yeah right! Funny, when I got the checklist of PCI-DSS, I couldn’t help but laugh because the list only consists of common sense. Well, after all, common sense is not common – so yeah, organizations like this are simply taking advantage of other people.

You will also laugh if you read their organizations’ missions & visions – the main goal is to HELP.
        But hey, we have good news: you need to pay. Obviously, the main and TRUE goal is to EARN.

        Organizations like OWASP, Wikipedia, Open-Source OS and tools are the best example of the people who are truthfully willing to help IT industry and individuals.

    1. Absolutely. CCNA (Cisco Certified Network Professional) is a very popular certification – which focuses on networking. As a vendor-specific cert by Cisco it is considered as being the ‘gold standard’ for their technologies – the certs in our list are mostly vendor neutral information security certs so that’s the difference. CCNA is assessed by a 90 minute exam and as far as I know you don’t need any previous experience – but don’t quote me on that!

      CCNP (Cisco Certified Network Professional) and CCIE (Cisco Certified Internetwork Expert) are also two excellent certifications.

      Good luck! Have you started to study any cert?

1. CCNA is no longer a general entry level certification since Cisco has restructured their exams. Their CCENT is their entry level certification which allows anyone seeking further Cisco specific certification to do so in a more direct manner – such as down a path of routing/switching, or security, etc. with CCNA, CCNP and CCIE level exams for each. Quite a bit of their prior CCNP R/S material has now for instance made its way down to the ICND2/CCNA R/S exams. While I would add that there IS value in vendor specific certifications to respond to some of what others have said, specifically when said vendor still retains a majority of the current market share within a given industry. With that said, I do believe that anyone looking to be effective in their role especially in the area of IT, and Networking/Security should be prepared to continually learn, truly understand and grasp the fundamentals and ultimately be able to apply them while evolving with the industry, if not staying ahead of it, when able.

Also, to discredit a certification because someone can cheat is a ridiculous notion. If someone wants to spend a couple hundred dollars to sit and take an exam for which they utilized materials as noted above in the manner described…. then more power to them. I would pay, should they get hired, to see how long they last. Since if they had to cheat and stoop to such levels to pass the exam they are undeserving of, they will likely not be able to live up to the expectations and needs of the company when asked to complete routine and expected duties.

1. Very difficult to say – a lot depends on experience (of course) but with experience you *should* be on at least $65+ – but that is dependent on so many things….where you live is obviously a factor – but experience always plays a vital role.

      The $65+ was based upon me asking our team here (our instructors are all CISSP/ Pentesters, Consultants etc) and that is what they replied with :)

      Good luck and let us know if you need any help or other info.

4. Could anyone please help me out by suggesting an entry level certification in information security..??
    I have completed my MCA degree and I am planning to pursue my career in information security auditing and consulting.

    1. Sure! Please get in contact with us if you would like more detailed information.

      Congratulations on your MCA Degree!

      OK…in terms of entry level InfoSec certs, we can only really refer to those offered by EC Council, ISC2, CompTIA and Mile2 since these are our areas of expertise.

      Security+
      There are several entry levels. The one that we like the most is the CompTIA Security+ Certification which is widely recognized and has been around for ages. CompTIA recently updated the syllabus and the exam structure which ought to have the benefit of making it more appreciated by employers. The two good things about Security+ is that it is a recognized cert with an in-depth security syllabus and secondly, that it is very affordable. Our pricing is under $400 and that includes everything – exam voucher, study materials such as books, practice exams etc.

      Network 5, Wireless 5, Security 5, Certified Security Specialist (ECSS) and the Certified e-Business Professional (CEP).
      These are offered by EC Council and are all regarded as entry level certs.

      Our advice would be to take a look at these listed above and then get in touch with us if you have any questions! Good luck.

5. Hi, I have an MCSE degree, CCIE, and now I work in security info. Now I am a pentester; I have road CEH, Sec+, ECSA, LPT, web app pentest. How can I work remotely? I live in Iran and I want to work with an international company.

6. I pretty much disagree with most of your list, from the perspective of a security consultant based out of western Canada with 12 years of experience. Many of those certificates I have never heard of. Absolutely I agree that the certification doesn’t mean anything in a practical sense – I know some talented people with no certs and some utterly useless ones with all the certs. But when I look at job offers and when I meet with recruiters locally, they are all looking for CISSP. They don’t know what it means, but those are the letters they want to see on job applications.

    1. Thanks for your comment.

Certainly, information security IT certifications are indeed ever-evolving. CISSP does seem to be the most popular of all the certifications in our experience – many even call it the ‘Gold Standard’ – sure there are plenty of critics on either side of the fence – but – what I can tell you is this: if HR/Recruitment Managers are seeking people with the CISSP designation, then yes, it will help you get that interview and position.

7. Was reading other comments but wanted to make a point here: those who criticize CISSP should at least sit the exam once & face that bombardment of 250 questions, especially when you have to decide what that question is asking & up to what level the question is expecting. How can a person criticize the CISSP certification without ever checking what it actually demands? :)

8. What about CISE: “Certified Information Security Expert”? Who is the organiser of this exam and what is the standard?

9. Hey guys, I’ve just started my path into security and was wondering what certifications would be handy for entry level, for someone who has no experience. I’m taking my CompTIA Network+ exam in a couple of days, and I’m moving on to CompTIA Security+; also my post grad is a program at my local college in Information Security Management. What would be another good certification that would be beneficial to get into the market with 0 experience? Thank you so much for your help in advance.

10. Hello there. I have studied BCOM Information Systems Management and have mainly specialized in change management. I have been looking after operations security in the last year but have no formal qualification. My work wants me to do a course in Information Security and, hells bells, I have no clue which is the appropriate course that will add value. May I kindly ask for some suggestions please.

11. I am a graduate of Comp. Sci. HND. Which of these certifications is best for me as a starter? I would want to be a computer security guru.
    Thank you, I would be expecting your reply ASAP.

12. This is a really great piece of information, thanks for sharing it. The IT field is on top now and many students are turning to it.

13. Hi. I have been working in the field of information security for the past one and a half years and completed the CEH certification. Now I am planning to do the next level certification in the security field. Kindly suggest all the possible ways. Thanks..

1. Hi Vin, the fact that you have been working in information security for close to two years means that you already have the necessary experience to apply for middle management. I’d take a look at CISSP if you are interested in taking your career to a more managerial level.

14. Being money minded and looking for longevity, I want to get into the network security domain…I’m planning CCIE Security…please help me…I am a Bachelor of Engineering guy….

15. I’m an ECE final year student. To enter IT security, which certificate would give me more employment opportunities? Which is better, CEH or CompTIA Security+?

  16. I’m an ECE final year student. To enter IT SECURITY field, which certificate would give more employment opportunities? Is CEH or COMPTIA SECURITY + a better certification?

17. I think from all these certifications, only Offensive Security provides a practical exam & I hear it’s pretty tough. I am an OS guy & I tend to look at things from the core to break them, so from my perspective the above certification fascinates me.

But for a company looking for an infosec professional, CISSP is a very desired position. I think if you are interested in an IT R&D team in infosec, Offensive Security will really help you think differently.

  18. You put Security+ and GPEN above OSCP? FAIL!!! Moving on as this article poorly demonstrates any meaningful analysis in this subject..

19. Wait, CPTE and SECURITY+ trump OSCP?

    OK, obviously this was written by someone who clearly doesn’t know what these certifications entail. I smell a skiddie. Security+ is entry level, OSCP is the certification if you want to actually get into systems and know how things work. I won’t even mention the CISSP, that’s the brain cert where you speak business babble but really have no idea what it takes to defend or break into systems.

    1. You are right.

      This list does need to be improved. In the meantime hit our homepage and you will see that we have added a new search directory to seek Cybersecurity Courses and Training Programs – many of which are valid for Continuing Education credits which can be used against ISC2, EC Council etc – and also CompTIA!

1. Thank you for your comment. Each of the cyber certs listed above specializes in a particular IT security niche – so choose that first (i.e. decide on a cyber niche) and then look at certification. Good luck!

  20. Dear Sir,

Please send me details about the CEH and ICSA certifications ASAP:
    1. Duration of the course
    2. Venue
    3. Who gives certification
    4. Price of the program

    Regards,
    Sudhakar

  21. Dear sir,
    I want to certificate :
    1) Complete CEH
    2) Exploits Development
    3) VAPT
    4) Android development
    5) Cyber Security & awareness

Give me details of all programs with course duration.
    I am awaiting your response.
