Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Well, as it has come up a few times, I’ve finally decided to do a comparison of the eCPPT vs OSCP certifications and courses.
While the eCPPT and OSCP are both penetration testing certifications, they differ a bit with their as the course material, labs, support, and exams.
eCPPT
Pros
- More teaching oriented labs
- Slightly more realistic exam/report
- Very helpful admins
- Important Web App vulns covered (CSRF, XSS, etc.)
- Cheaper (generally)
Cons
- Not as much industry recognition
- Obviously still some QA improvements to be made
- Easier to drag it out with extensions
- Only slides, no PDF for course material
OSCP
Pros
- Industry recognition
- Awesome lab environment
- More emphasis on self learning
- PDF and videos for course material
- Wide variety of machines, exploits, and vulnerabilities
Cons
- Can be difficult and frustrating at times
- More emphasis on self learning (yup, both a pro and a con)
- Generally less helpful admins (regarding the coursework)
- Videos and PDF mostly repeat the same information
- DIY labs/lab environment
While they both have their pros and cons, I’d say that it depends on your financial, career, and personal situation as far as to what you should do.
If you plan on doing both eventually, then I definitely recommend starting with the eCPPT then moving on to the OSCP.
If you want to get into Penetration Testing as soon as possible, and can only get one, then I’d recommend the OSCP.
If you are already in Penetration Testing, and just want to brush up, then I’d recommend the OSCP.
If you are new to the field entirely, then I’d recommend the eCPPT (at least to see if you are still interested).
That said, they say a picture says a thousand words, so here is a picture of the cert that I actually have framed.
Even though my OSCP is the one framed, and the one that I’m slightly biased towards, I still think eLearnSecurity is a great company, and I hope that they get a bit more industry recognition in the coming years.
I am myself torn between doing the eLearn 4 in a box bundle (WAPT, WAPTX, MASPT, and ARES) vs. the OSCE next. If work is paying for it, then I will do the eLearn first since it costs more, but if not, I will probably start with the OSCE and go from there.
One last thing that I like about eLearn is their number of online course offerings. When it comes to Offensive Security, the only choices are the OSCP, OSCE, and WiFu. eLearnSecurity at least lets you pick from the eCPPT, eCRE, eJPT, eMAPT, eNDP, eWDP, eWPT, and eWPTX.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.
20 Comments
Leave a Reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
Hi Ray,
I really appreciated your analysis and comparison between the two certificates.
I’m still actually thinking about what to do and which certificate to get.
I don’t have any certificates yet. I heard about CEH (for starting?), Security+ and many others. Then I read (and I’m still reading) about OSCP and eCPPT.
I am really into IT security and I’ve read some books, forums, websites and so on. I can’t tell you which my level is.
Would you go for CEH and then think about OSCP/eCPPT or would you rather skip the first step going straight to OSCP/eCCPT?
Any other thought / suggestion on my situation will be appreaciated.
Thanks in advance!
Hi Jack,
Glad that you found it informative, and hopefully I can provide you with some suggestions or direction.
As far as CEH is concerned, I wouldn’t say that it is terribly useful at this time. It is mostly a tool based, regurgitation exam that will only help with HR filters or DoD 8140.
If you aren’t quite sure what your level is, then I’d probably start with the eLearnSecurity courses. They are a bit less self directed, and the labs are more straightforward. You will be able to improve your methodology and thought process a bit before being thrown into the OSCP.
If you aren’t fully confident in your abilities, but you definitely want to try a Penetration Testing certification, then you could also try the Penetration Testing Student course. This should be even lower level than the eCPPT, which would then let you decide if you want to go into Penetration Testing and what to try next (though PTS -> eCPPT -> OSCP is a nice and linear growth).
Let me know if you have any other questions or issues, or if you want other suggestions or ideas (for self learning, etc.)!
Hey Doyler,
thanks for answering to me so fast and for all the information you gave to me.
I will definitely look at the PTS and see if it fits better to me.
Just to be clear, I don’t do this as my job (even if I’ve done my master thesis on web security) but there is a possibility that my company will pay for the courses/exams.
From what I can see, I already have much of the knowledge of PTS, so maybe I could look directly at eCPPT.
I know this is a difficult question to answer because it depends on tons of aspects, but would you be able to give me an idea of how much time will require to me to prepare an exam like eCPPT? The thing is that I am gonna ask my company time for studying and preparing that exam but I have no idea how much time it will take to me.
I would also appreciate if you could give me some hints for self learning, like you said. I like cybrary.it and null-byte.wonderhowto.com. What do you think about those two? Do you have any other? Would you suggest me some great book to read?
Thanks very much, again!
I agree with your review. Just a quick note: the barebone plan doesn’t include pdf (only slides) but the full and elite plans do include pdf.
Ah yea, good point, and thanks for that Fabio. Back when I signed up there wasn’t the option for the barebones plan. That said, I actually ended up using the slides more than anything else.
… [Trackback]
[…] Read More: doyler.net/security-not-included/ecppt-vs-oscp […]
Hi Doyler,
I couldn’t agree more, I passed the eCPPT in August and OSCP in December 2017. Your help on eCPPT post helped kick start my journey, much appreciated!
Thanks,
T
Awesome, congratulations on both!
I’m so glad that I was able to help kick-start you on the eCPPT, and awesome job with the OSCP!
Thanks for coming back and letting me know, and good luck with whatever is next.
Hi Doyler,
I want to break into the security field i currently doing the CCNA Cyberops the road map is a bit blur for me at this time, i want to do defense but because i want to have lots of training and certs i am all over the place what would you suggest would be a good road map..
That’s awesome, and good luck!
Unfortunately, I’ve never had a blue team role. That said, the road map isn’t too dissimilar from a red team role.
From a road map perspective, it will really depend on what you’d like to get into. That said, with some experience in basic networking you could get an entry level networking role and go from there. Alternatively, you could setup something like Snort in your own lab, and work towards a Junior SOC Analyst role.
Good luck!
I have some questions if you kindly could help, email please.
Hi! I saw your message on the eLearn forums, but that’s not the best place if you’re looking for hints 😛
That said, remember that it is a real penetration test! Your goal is to find every vulnerability possible. If you can’t exploit a system in a penetration test, then you can’t exploit a system. Though root on the DMZ server is a necessary, but not sufficient, requirement for passing.
Good luck!
Thanks for your response.
I can see that you properly inherited the habit of “Try Harder..” from your previous OSCP experience :). Speaking of the devil, I might go for the OSCP by the end of this year if I managed to pass the eCPPT one. If you have diamond advice for preparing for the OSCP, please PM me.
Best of luck for you as well man!
Hmm, I think the two biggest pieces of advice I have for the OSCP are:
Good luck, and let me know how they both go!
I was also confused for last few months. Was finding it difficult to prepare for OSCP directly. I thought of doing some ground work before i enroll for the Labs. Coming from a Software development background its not that easy for me to get into Penetration Testing right away. So was wondering how do i go about it. Just read this post of yours and now i know my path.
Thanks a lot mate.
It’s definitely possible to jump straight into the OSCP from a developer background, but I wouldn’t necessarily recommend it.
The eCPPT (or even eJPT if you think you aren’t ready) should be a great stepping stone!
Best of luck, and let me know how it goes.
Hello,
is it worthy to do penTest+ (comptia) if I am planning to do PTP? Does someone knows teh difference between penTest+ agains PTP?
Is ti go to invest tie and money in both or it is better go for only the PTP?
Thank you
Pentest+ is going to be more of an introductory certification. The only real benefit I could see would be to get past HR filters as it would be more recognized.
That said, the eCPPT is gaining recognition fairly quickly, and I haven’t seen many entry-level positions asking for the Pentest+ anyway.
If it was my own money, I’d skip the Pentest+ for now.
Thank you for your answer. I will take PTP course and next will be OSCP.
My company support me with one last course. What course would your recommend me to take from eLearnSercurity? or other course you have knowledge is good?
MASPTv2: Mobile Application Security and Penetration Testing
DFP: Digital Forensics Professional
IHRP v1: Incident Handling & Response Professional
MAP v1: Malware Analysis Professional
THP v2: Threat Hunting Professional
REP: Reverse engineering professional
Kind regards,
Mauricio
Awesome, good luck on those two!
After that, it will honestly just depend on what you want to go into. I’d also include eWPT if web applications/pentesting is your goal. That said, any of those would be great, it would just depend on your personal interests and career aspirations.