General security

The CPT certification and exam

Daniel Brecht
May 6, 2019 by
Daniel Brecht

An introduction to the Certified Penetration Tester (CPT) Certification

So you want to be among the next generation of information security professionals and make your contribution to ensure the Confidentiality, Integrity and Availability (CIA) of online systems? Are you interested in the safeguard of digital assets, in protecting corporate networks and apps and advising business managers on how to better secure their IT infrastructure and devices? Than you might want to consider "ethical hacking" as a career for carrying out penetration testing and security assessments.

These white-hat hacker professionals test companies’ security measures and procedures by employing many of the same tactics that malicious intruders use in attacking systems. By utilizing tools and methods such as penetration testing, they are able to give a true measure of the overall safety of the company’s IT environment.

With the system owner’s permission, they take full control of computers on the network to check for security holes that could be exploited. They then advise on safeguards that the organization should establish to protect devices and critical data before they become compromised and used illegally. Growing concern about security means that companies need certified penetration testers (CPTs) to help keep their information safe.

This is sometimes thought to be one of the most frustrating jobs in the information security field. Penetration testers need to have the right mix of hands-on, practical skills and formal knowledge to understand the unique requirements of each system analyzed. That said, you may very well have what it takes to become a CPT.

Getting started

There are many different places to start on a journey towards becoming an ethical hacker. To steer your career exactly where you would like it to go in the penetration testing specialty, a great start is preparing for and obtaining an industry-recognized credential. This will help you identify, acquire and prove valuable job role skills.

In fact, a certification can give professionals a blueprint of which topics to cover in order to best prepare for the job. It can also give employers a measure of their ability and readiness as an ethical hacker, as it shows that they’re opting to use their abilities for good rather than evil.

With a shortage of talented people with these skills to fill such roles, now it is the right time to enter the field and start this rewarding career. The Infosec Institute (Infosec Institute), an industry standard organization formed by information security professionals, offers the type of training and certification (including practical examination and lab practica) to become a Certified Penetration Tester (CPT). Infosec Institute uses the CPT exam to test the students’ abilities in pentesting positions by putting their knowledge into practice and get their hands on actual hacking attacks.

The CPT exam

How does one attain the CPT credential? The first step is passing a 50-question online test in two hours. The pass rate for this multiple-choice test is 70%. Successful candidates are then tested through a hands-on practicum, a take-home exam that needs to be completed within 60 days. Candidates will have to successfully complete three penetration challenges in order to become certified. A passing score is at least 70%.

Infosec Institute’s Certified Penetration Tester Exam deals with pentesting domains such as network protocol attacks, Windows/Unix/Linux exploits and wireless security. In particular, it focuses on the following nine domains:

  • Pentesting methodologies
  • Network protocol attacks
  • Network recon
  • Vulnerability identification
  • Windows exploits
  • Unix and Linux exploits
  • Covert channels and rootkits
  • Wireless security flaws
  • Web app vulnerabilities

It is clear how this certification requires professionals to demonstrate their knowledge of theories and concepts as well as hands-on skills. Penetration testers do come from many different walks of life and such a credential can help demonstrate their real-world abilities regardless of their career history.

Taking the CPT test is possible through three options:

  • Test locations throughout the world
  • On-site proctoring for groups of 10 or more testers
  • Online for individuals in member organizations

Candidates can Check Test Status online. All communications are normally conducted via email. Once logged in, students have access to certification attempts as well as study files, if applicable.

To be a CPT, exam candidates will need to pay a flat fee of $499 per exam and $399 per voucher for on-site proctored exams. A CPT certification is valid for four years. To recertify, candidates will be taking the same exams as professionals currently trying to certify, which is through the same exam engine system. The recertification will become available for registration one year in advance of the certification expiration.

What is the best way to prepare for the CPT exam?

As the road to pentesting varies from professional to professional, there is no one way to prepare for such a career. Many pentesters do not hold specialized degrees, and job experience often supersedes the need of cybersecurity formal studies. It is important, then, that professionals follow a structured developmental training and be able to hold a formal credential that verifies their abilities.

Essential skill sets to learn in pursuing a CPT certification include:

For a valuable, immersive experience, Infosec’s 5-day Penetration and Testing Boot Camp is available to give students in-depth training into techniques used by hackers with real life exercises.

What should I expect from a penetration testing career?

A career in penetration testing means that you will be tasked with performing threat assessments and formulating analytic responses to relay findings to infrastructure and development security teams. Therefore, it helps to think like a criminal or hacker when exploiting security weaknesses, but it is also necessary to be able to identify the proper countermeasures. It’s also important to be able to tune and optimize both a company’s cybersecurity program and the technologies deployed, in order to implement the right strategies to protect critical assets and infrastructure.

Professionals certified in pentesting can give company managers the assurance they will look for weak points in less traditional ways and make a realistic assessment of a company’s “cybersecurity posture” by scanning and penetrating their network (with the consent of the organization) while still acting in ways that ensure the confidentiality, integrity and availability of the environment and its data.

Security experts predict there will be a great demand for penetration testing services and that is a good reason to enter the profession. This also means there are and will be many employment opportunities in the field. It is a career you can expect to hear plenty more about in the near future, as many businesses are looking for an adaptive security strategy.

The value of this type of position is that it opens doors for candidates who might not necessarily follow the same channels used by other IT and information security professionals (specialized degrees, years of work experience starting from entry-level jobs), but nevertheless have a passion or a talent for the work. They’re people who have a passion for cybersecurity crime investigation, a knack for finding exploits and backdoors, and knowledge acquired independently through the most varied means: self-study and practice, participation in a hacking group and more.

These days, such in-demand professionals with technical/practical skills are in short supply, as seen on the job market, and employers have vacancies for the right pentesters to help probe and improve their networks, applications, and other computer systems.

Conclusion

There is no doubt a lucrative career option for information security professionals is in penetration testing. However, it might be difficult to excel as a pentester without finding ways to prove abilities that are normally not acquired through formal education (or, at least, solely through formal education). To be considered for such a position or role will compel pros to have the right qualifications, certifications or designations. Candidates can be creative in how to obtain this knowledge, but it can be a great help to study for pentesting-related certifications that give an idea of what is required to excel in the field.

In addition to the many courses available from reputable training institutes, there are also self-study options through books. Another option is attending any of the related conferences, such as the Black Hat USA 2019 in Las Vegas. There, pentesting courses and briefings will be available in Basic Infrastructure Hacking, Hands-On Hacking Fundamentals - Beginner Level, Exploit Development for Beginners and more.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

 

Sources

  1. So You Wanna Be A Pen Tester?, Dark Reading
  2. Become a Penetration Tester, CyberDegrees.org
  3. How to Become an Ethical Hacker, PCWorld
  4. How To Become A White Hat Hacker, Business News Daily
  5. Average Penetration Tester Salary, PayScale
  6. Penetration Testing Is a Reference Point, Not a Strategy, CI Security
  7. Why Is Penetration Testing Critical to the Security of the Organization?, Tripwire
  8. Cyber Security Training and Certifications have Expanded Rapidly, Where Should you Focus?, infosecurity-magazine.com
  9. What is the Difference Between Black, White and Grey Hat Hackers?, Symantec Corporation
Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.