The OSCP and GPEN are on every beginner's radar, but these overlooked certifications have proved even more valuable to my career…

Throughout my career in cybersecurity and penetration testing, I have taken numerous certifications, but a few have truly stood out in shaping my success as a pentester.

This is especially true for 3 certifications that have been more specialized than the more well-known certs like OSCP and GPEN that try to cover all of the pentest field in one course.

In my opinion, this makes much more sense for certifications, and it is also much easier to digest the learning material when it is focused on one specific type of penetration testing.

Let's get straight into it, starting with the most valuable certification.

1. CRTP: Certified Red Team Professional

Vendor: Altered Security
Pricing: $249 for 30 Days LAB + Course Material + Exam
Renewal: Every 3 years. Course access and one renewal exam attempt are included. $149 for 30 days if you want LAB access for practice.

Certification Logo, from Altered Security's website

If you want to master Active Directory testing, CRTP is the obvious certification for you.

This certification is by far the most value I have ever gotten from any certification. The course material is hyper-focused on testing Active Directory, and in my opinion teaches you everything you need to know to perform Active Directory assessments at an acceptable level.

It is also taught as an "assumed breach" assessment starting from a low-privileged account, which is my favorite type of penetration test as well. The exam environment features a fully patched Windows infrastructure with several domains and forests.

Similar to the OSCP you get 24 hours to finish the exam. The exam only uses 1 exam set, so if you fail the first time you can easily know what you need to improve on. That said, successfully completing this exam is nowhere near the difficulty of the OSCP, as it is much more focused and anything that is thrown at you is taught in the learning material.

Image of the LAB in the course, from Altered Security's website

If you are worried about the AD parts in the OSCP, this certification will make you blast through that part, especially as the new OSCP+ exam will feature an assumed breach scenario for the AD as well.

The learning material goes through the following sections:

1. Active Directory Enumeration
2. Local Privilege Escalation
3. Domain Privilege Escalation
4. Domain Persistence and Dominance
5. Cross Trust Attacks
6. Forest Persistence and Dominance
7. Defenses — Monitoring
8. Defenses and Bypass — Architecture and Work Culture Changes
9. Defenses and Bypass — Deception
10. Defenses and Bypass — PowerShell

It took me way too long to take this course, and I took the long way by teaching myself the various techniques and tools to enumerate and abuse misconfigurations in Active Directory.

I even used many of the tools from the Git Repo belonging to the author Nikhil Mittal for several years: Nishang.

I 100% recommend this for anyone that will touch Active Directory during their penetration tests.

2. BSCP: Burp Suite Certified Practitioner

Vendor: PortSwigger
Pricing: $99 for the exam attempt (course material + LABS are free)
Prerequisites: Requires Burp Suite Professional license, $449
Renewal: Certification does not have an expiration date

Certification Logo, from the PortSwigger website

This certification is another of my favorites, and probably the best certification to take if you are starting out as a penetration tester today. This is because it is teaching you web penetration testing, which is in my experience the most in-demand specialization within penetration testing today.

The Burp Suite, which this certification focuses on, is the #1 tool used by penetration testers for web testing, and the LABS are the best for web testing that I have ever experienced. They are tailored to fit very well together with the Burp Suite browser, and lower the amount of time you need to get them to work to nearly zero.

This means that you can quickly get in 15 minutes of LABs now and then by taking a challenge, as it only takes you 1 minute to have the challenge and Burp up and running.

Certification Logo, from PortSwigger's website

This exam is probably the hardest of the three I mention in this article, mostly due to the time constraints of 4 hours. This is somewhat negated by the low price of $99, but most people should probably expect to need 2–4 tries to complete the exam.

The good thing, though, is that when you have completed the Web Security Academy, the name of the PortSwigger Labs, you have all the skills you need not only to perform web penetration tests, but also to begin your bug bounty journey.

Screenshot of exam requirements, from PortSwigger's website

One of the only downsides to this certification is that it requires an active subscription of Burp Suite Professional to be able to take the exam. However, if you are doing either bug bounty or web pentest work, this license is very useful, and something you will get sooner or later anyway.

This is probably a requirement to justify the very low price of the exam itself, and the free LABs.

3. CARTP: Certified Azure Red Team Professional

Vendor: Altered Security
Pricing: $449 for 30 days LAB + Exam
Renewal: Every 3 years. Course access and one renewal exam attempt are included. $269 for 30 days if you want LAB access for practice.

Certification Logo, from Altered Security's website

While this is the last certification in my list, it is still a very valuable certification to take. This is because it teaches you a growing specialization within pentesting: Cloud penetration testing. Azure is also very common, so you will most likely encounter customers that need an assessment of their Azure infrastructure quite often.

Image of the LAB in CARTP, from Altered Security's website

Above you can see an overview of the lab used in the CARTP course. One warning I have to give is that the LAB and course material are a bit disorganized. The course follows 3 different attack paths, and jumps between them quite a bit.

This could however be negated by taking good notes, and separating the three attack paths from each other in your notes. Also remember to save any tokens/passwords you gain access to, so you don't have to run through the whole attack path every time you are starting a new section.

This exam is the easiest of the three mentioned in this article, probably by a rather big margin. Everything you need to know is taught in the learning material, and you also have 24 hours to complete this exam, even though the exam set is much smaller than the one used in CRTP.

That does not mean you should take it lightly, especially not if you are very inexperienced with cloud infrastructure. It is easy to get stuck because you have no idea what you are looking for, or what misconfigured permissions look like.

I recommend this certification for anyone that will perform cloud penetration tests in their work.

Conclusion

In a field as competitive as penetration testing, the certifications you choose can significantly impact your career. While highly recognizable certifications like OSCP and GPEN are great for any penetration tester, specializing in areas such as Active Directory, web application testing, and cloud penetration testing can set you apart from the crowd.

The CRTP, BSCP, and CARTP have not only deepened my technical expertise, but also opened new doors for professional growth. Each of them has made me comfortable with performing penetration tests on AD, web and cloud, and has been very helpful in making me a well-rounded penetration tester.

If you're looking to gain a competitive edge in pentesting, specialized certifications such as these are invaluable additions to your skillset. I only regret that I didn't take them sooner; it would have made me progress even faster than I have done today.