eCPPT vs OSCP Certifications

Well, as it has come up a few times, I’ve finally decided to do a comparison of the eCPPT vs OSCP certifications and courses.

While the eCPPT and OSCP are both penetration testing certifications, they differ a bit with their as the course material, labs, support, and exams.

eCPPT

Pros

  • More teaching oriented labs
  • Slightly more realistic exam/report
  • Very helpful admins
  • Important Web App vulns covered (CSRF, XSS, etc.)
  • Cheaper (generally)

Cons

  • Not as much industry recognition
  • Obviously still some QA improvements to be made
  • Easier to drag it out with extensions
  • Only slides, no PDF for course material

OSCP

Pros

  • Industry recognition
  • Awesome lab environment
  • More emphasis on self learning
  • PDF and videos for course material
  • Wide variety of machines, exploits, and vulnerabilities

Cons

  • Can be difficult and frustrating at times
  • More emphasis on self learning (yup, both a pro and a con)
  • Generally less helpful admins (regarding the coursework)
  • Videos and PDF mostly repeat the same information
  • DIY labs/lab environment

While they both have their pros and cons, I’d say that it depends on your financial, career, and personal situation as far as to what you should do.

If you plan on doing both eventually, then I definitely recommend starting with the eCPPT then moving on to the OSCP.

If you want to get into Penetration Testing as soon as possible, and can only get one, then I’d recommend the OSCP.

If you are already in Penetration Testing, and just want to brush up, then I’d recommend the OSCP.

If you are new to the field entirely, then I’d recommend the eCPPT (at least to see if you are still interested).

That said, they say a picture says a thousand words, so here is a picture of the cert that I actually have framed.

eCPPT vs OSCP - Framed OSCP

Even though my OSCP is the one framed, and the one that I’m slightly biased towards, I still think eLearnSecurity is a great company, and I hope that they get a bit more industry recognition in the coming years.

I am myself torn between doing the eLearn 4 in a box bundle (WAPT, WAPTX, MASPT, and ARES) vs. the OSCE next. If work is paying for it, then I will do the eLearn first since it costs more, but if not, I will probably start with the OSCE and go from there.

One last thing that I like about eLearn is their number of online course offerings. When it comes to Offensive Security, the only choices are the OSCP, OSCE, and WiFu. eLearnSecurity at least lets you pick from the eCPPT, eCRE, eJPT, eMAPT, eNDP, eWDP, eWPT, and eWPTX.

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.

16 Comments

Filed under Security Not Included

16 Responses to eCPPT vs OSCP Certifications

  1. jack

    Hi Ray,

    I really appreciated your analysis and comparison between the two certificates.
    I’m still actually thinking about what to do and which certificate to get.
    I don’t have any certificates yet. I heard about CEH (for starting?), Security+ and many others. Then I read (and I’m still reading) about OSCP and eCPPT.
    I am really into IT security and I’ve read some books, forums, websites and so on. I can’t tell you which my level is.
    Would you go for CEH and then think about OSCP/eCPPT or would you rather skip the first step going straight to OSCP/eCCPT?
    Any other thought / suggestion on my situation will be appreaciated.
    Thanks in advance!

    • Hi Jack,

      Glad that you found it informative, and hopefully I can provide you with some suggestions or direction.

      As far as CEH is concerned, I wouldn’t say that it is terribly useful at this time. It is mostly a tool based, regurgitation exam that will only help with HR filters or DoD 8140.

      If you aren’t quite sure what your level is, then I’d probably start with the eLearnSecurity courses. They are a bit less self directed, and the labs are more straightforward. You will be able to improve your methodology and thought process a bit before being thrown into the OSCP.

      If you aren’t fully confident in your abilities, but you definitely want to try a Penetration Testing certification, then you could also try the Penetration Testing Student course. This should be even lower level than the eCPPT, which would then let you decide if you want to go into Penetration Testing and what to try next (though PTS -> eCPPT -> OSCP is a nice and linear growth).

      Let me know if you have any other questions or issues, or if you want other suggestions or ideas (for self learning, etc.)!

      • jack

        Hey Doyler,

        thanks for answering to me so fast and for all the information you gave to me.

        I will definitely look at the PTS and see if it fits better to me.
        Just to be clear, I don’t do this as my job (even if I’ve done my master thesis on web security) but there is a possibility that my company will pay for the courses/exams.
        From what I can see, I already have much of the knowledge of PTS, so maybe I could look directly at eCPPT.

        I know this is a difficult question to answer because it depends on tons of aspects, but would you be able to give me an idea of how much time will require to me to prepare an exam like eCPPT? The thing is that I am gonna ask my company time for studying and preparing that exam but I have no idea how much time it will take to me.

        I would also appreciate if you could give me some hints for self learning, like you said. I like cybrary.it and null-byte.wonderhowto.com. What do you think about those two? Do you have any other? Would you suggest me some great book to read?

        Thanks very much, again!

  2. Fabio Baroni

    I agree with your review. Just a quick note: the barebone plan doesn’t include pdf (only slides) but the full and elite plans do include pdf.

    • Ah yea, good point, and thanks for that Fabio. Back when I signed up there wasn’t the option for the barebones plan. That said, I actually ended up using the slides more than anything else.

  3. Pingback: Homepage

  4. T

    Hi Doyler,

    I couldn’t agree more, I passed the eCPPT in August and OSCP in December 2017. Your help on eCPPT post helped kick start my journey, much appreciated!

    Thanks,
    T

    • Awesome, congratulations on both!

      I’m so glad that I was able to help kick-start you on the eCPPT, and awesome job with the OSCP!

      Thanks for coming back and letting me know, and good luck with whatever is next.

  5. SHurst

    Hi Doyler,
    I want to break into the security field i currently doing the CCNA Cyberops the road map is a bit blur for me at this time, i want to do defense but because i want to have lots of training and certs i am all over the place what would you suggest would be a good road map..

    • That’s awesome, and good luck!

      Unfortunately, I’ve never had a blue team role. That said, the road map isn’t too dissimilar from a red team role.

      • Learn the applications, techniques, and procedures that you’d like to be using in your role.
      • Work on certifications (if necessary or desired).
      • Begin building an online presence if you have no experience (Twitter, blogging, etc.)
      • Network with people in the field. This helps for possible positions as well as experience

      From a road map perspective, it will really depend on what you’d like to get into. That said, with some experience in basic networking you could get an entry level networking role and go from there. Alternatively, you could setup something like Snort in your own lab, and work towards a Junior SOC Analyst role.

      Good luck!

  6. thegghunt3r

    I have some questions if you kindly could help, email please.

    • Hi! I saw your message on the eLearn forums, but that’s not the best place if you’re looking for hints 😛

      That said, remember that it is a real penetration test! Your goal is to find every vulnerability possible. If you can’t exploit a system in a penetration test, then you can’t exploit a system. Though root on the DMZ server is a necessary, but not sufficient, requirement for passing.

      Good luck!

      • thegghunt3r

        Thanks for your response.

        I can see that you properly inherited the habit of “Try Harder..” from your previous OSCP experience :). Speaking of the devil, I might go for the OSCP by the end of this year if I managed to pass the eCPPT one. If you have diamond advice for preparing for the OSCP, please PM me.

        Best of luck for you as well man!

        • Hmm, I think the two biggest pieces of advice I have for the OSCP are:

          • ALWAYS follow your process (info gathering -> enumeration -> exploitation -> post exploitation -> exfiltration)
          • Understand and follow the buffer overflow steps, and it’ll be a breeze

          Good luck, and let me know how they both go!

  7. Rahul

    I was also confused for last few months. Was finding it difficult to prepare for OSCP directly. I thought of doing some ground work before i enroll for the Labs. Coming from a Software development background its not that easy for me to get into Penetration Testing right away. So was wondering how do i go about it. Just read this post of yours and now i know my path.

    Thanks a lot mate.

    • It’s definitely possible to jump straight into the OSCP from a developer background, but I wouldn’t necessarily recommend it.

      The eCPPT (or even eJPT if you think you aren’t ready) should be a great stepping stone!

      Best of luck, and let me know how it goes.

Leave a Reply

Your email address will not be published. Required fields are marked *

*