Cybersecurity is like any field of discipline, there are a range of jobs with many different skills you can specialise in. You could be a malware analyst, a pentester, a freelance hacker, and everything in between. But in order to prove your ethical hacking skills and knowledge, you'll need to acquire a couple of industry-backed hacking certifications.
There are loads of ethical hacking certifications out there, and not all going to apply to you and your cybersecurity specialisation — especially when starting out! So to help you save some confusion, I going to explain some of the most popular ethical hacking certifications and which pathways and roles they apply to. Then I'll talk about other ways to certify yourself in the infosec community! Hopefully, with this article, you'll have a clearer idea of how to become a certified ethical hacker.
NOTE: Before we dive in, let me explain the two main categories that differentiate ethical hacking jobs. We have Red Teaming which is the offensive side of hacking, and Blue Teaming which is the defensive side of hacking. Now, this is the first step in your hacking journey, think about where your skills lie and what interests you the most, then choose a side!
Best ethical cybersecurity certifications
Cybersecurity and hacking certifications will be important if you are pursuing a career in the infosec industry. Like I said before, there are a lot of certifications to choose from, and if you’re just starting out you should start with the most important and recognised ethical hacking certifications. I’ll go through the top five cybersecurity certifications and explain a little about what you can expect and who they're for.
At number one, we have the OSCP. This certification is one of the most recognised cybersecurity certifications in the community. If you have successfully completed the examination you’ll be able to prove to employers that you can hack five machines within 24 hours.
Now, it’s not an entry-level certification, you’ll have to be quite prepared and ready to get creative with your problem-solving. I recommend this certification if you are interested in red teaming and more specifically pentesting servers rather than websites.
Who is it for?
Infosec professionals transitioning into penetration testing
Pentesters seeking an industry-leading certification
Other technology professionals
What to expect on the day:
You should have a solid understanding of TCP/IP networking
Reasonable Windows and Linux administration experience
Familiarity with basic Bash and/or Python scripting
So the CEH has garnered a bit of a bad reputation in the past, but recently I think with version 11 the certification has redeemed itself. They’ve made a bunch of updates, now you’ll find a very modern and practical exam that the industry again recognises and appreciates. You can also achieve mastery with the addition of the 6-hour practical examination to further show your hacking proficiency.
The exam for the CEH certification will test your skills in Information Security Threats and Attack Vectors, Attack Detection, Attack Prevention, Procedures, Methodologies, and more. The syllabus looks similar to OSCP but also contains things like Cloud computing and Operation technology. The exam contains 125 questions over the span of 4-hours plus the six-hour practical challenge for those looking to attain mastery. This cybersecurity certification is going to be a requirement for red teaming jobs.
Who is it for?
Information Security Analyst/Administrator
Information Assurance (IA) Security Officer
Information Security Manager/Specialist
Information Systems Security Engineer/Manager
Information Security Professionals/Officers
Information Security/IT Auditors
Network Administrators and Engineers
What to expect on the day:
Number of Questions: 125
Test Duration: 4 Hours
Test Format: Multiple Choice
Test Delivery: ECC EXAM, VUE
Exam Prefix: 312-50 (ECC EXAM), 312-50 (VUE)
At number three we have the first blue team hacking certification. This certification is for hackers who aspire to build structures and systems that other hackers will later attack! The CISSP is an industry recognised program proving you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program.
The exam takes six hours and includes a mix of multiple-choice and advanced innovative questions. You’ll find plenty of training resources to get you prepared for the exam, but just make sure the certification aligns with your career goals, it’s really not for everyone and is targeted for more experienced hackers and cybersecurity professionals.
Who is it for?
Chief Information Security Officer
Chief Information Officer
Director of Security
Security Systems Engineer
Have a minimum of five years’ experience in two or more of the eight CBK domains.
Pass the CISSP examination.
Complete the endorsement process and subscribe to the (ISC)² Code of Ethics.
Maintain certification through continuing professional education (CPE) credits.
What’s cool about this certification is that it’s approved by the US Department of Defence! Coming from a government agency, you can be sure they assess every detail to make sure things are in order and secure.
The exam itself consists of around 90 questions with a duration of 90 minutes. Do not underestimate this certification though. It takes hard work and practice to pass this exam — even though it’s shorter than the other exams mentioned. That being said, this is an entry-level cybersecurity certification for ethical hackers, as it focuses on the core cybersecurity skills needed in the profession. The CompTIA Security+ is for red teamers.
Who is it for?
Helpdesk Manager / Analyst
Network / Cloud Engineer
Security Engineer / Analyst
DevOps / Software Developer
IT Project Manager
What to expect on the day:
Number of Questions: 90
Test duration: 90 minutes
Test Format: Multiple Choice
Passing Score 750 (on a scale of 100-900)
Recommended Experience: CompTIA Network+ and two years of experience in IT administration with a security focus
5. eLearnSecurity Junior Penetration Tester (eJPT)
The eLearnSecurity Junior Penetration Tester is a cybersecurity certificate for beginners. Its main focus is making sure you are comfortable with penetration testing and information security essentials. The great thing about it is that it’s not a theory-based exam instead, you are expected to perform an actual penetration test on a corporate network. So if you successfully complete the exam you’ll be able to prove yourself in the real world.
This cybersecurity certification is usually the first stepping stone for cybersecurity professionals and hackers. All you need to get started is a VPN and a stable internet connection — oh yeah, and $200… This is a red team certification.
Start building your social media presence
It doesn’t matter where you are in your journey, social media is going to be important. While exams and tests certify you on paper, in the real world you'll need to be certified by other people. Social media is a great way to do that! Not only is it great for engaging with the infosec community but it’s a great way to connect with recruiters and future employers. Recruiters are all over social media, having a presence can make you stand out from the crowd or just show your passion and enthusiasm for hacking.
LinkedIn — this is where you’ll find most employers and recruiters. If you don’t already, create a page and make it shine by filling in all those details! Put everything there, even things like community or volunteer work. Make sure to add any of those cybersecurity certifications we just talked about as well, it doesn’t matter if it was a free course or through Udemy, put it up there. Languages are also going to be super attractive to recruiters, even if you’re inexperienced being bilingual will double your chances!
Medium — I don’t know if this is considered a social media site but whatever. Writing and posting about it is a great way to document your journey. It's a paper trail. It’s evidence of social proof which is obviously far better than just saying you know how to do something. It’s also a great way to learn and cement your understanding. Believe it or not, a lot of people have actually found me through my Medium account.
Twitter — Twitter is more about building and engaging with a community. You can use it to network or create an awesome community around you. Again, having a community and being engaged is social proof to a future employer. It doesn’t take a lot of effort, just make sure you post regularly and share information that helps!
YouTube — A good way to show your love for the community is by making videos about the things you learned. It’s one thing to know how to do something and another to be able to explain/teach it. You really need a rock-solid understanding of what you’re talking about. I find that when I make videos it refines my hacking skills and knowledge.
Here is a list of websites I recommend getting an account on to increase your chances of standing out:
LinkedIn - For showing the world who you are and what you know
Blogging - For knowledge sharing in to form of a written blog, usually with more in-depth information than youtube
Youtube - For knowledge sharing in the form of more shallow informational videos
Twitter - For knowledge sharing when posting short tweets or promoting other posts on medium for example
Facebook - For knowledge sharing when posting tips and tricks around hacking
Reddit - For knowledge sharing but be careful to post in the correct subreddit
Github - For storing your projects
3. Community work
Doing any kind of voluntary work shows commitment — if you can relate the work to cybersecurity it’s a bonus. Sometimes I sell course bundles and give 100% of the profit to Brothers Of Solidarity or Innocent Lives Foundation. These guys do a great job at taking care of homeless people in Brussels, which is a huge issue.
When you show this kind of work it indicates to future employers that you are committed to what you do and are willing to go above and beyond to bring out the best version of yourself and others. It doesn’t have to be huge, even small things can make a difference. Collect garbage or volunteer at an animal shelter — get out there and show your human side!
4. Networking is very important
You don’t have to do it all alone. When you are alone you’re easy to push over, when you are part of a bond it’s much harder to fall. As a hacker, you never know when you’ll need someone with a different specialty until you need them!
Networking within the hacking community is easier than ever thanks to social media, forums, and online groups. I joined a Slack group called ‘The W0lf Pack’ and I can honestly say the group has contributed so much to who I am today. I met new friends and joined hacking competitions, I also started my YouTube channel to answer all the questions I kept getting. Since then I’ve moved into some discord channels where we hackers help each other out!
There are so many opportunities to network, you can attend meetups and conventions or stick to the online communities. I’ve met a host of wonderful people at events, most of whom I’m still in contact with 10 years later!
Places you can start networking
A great place to start networking is in the regular events that HackerOne organises both virtually and online.
Another great place to meet similarly minded people is in a hackerspace. A hackerspace can be any room where hackers and tinkerers gather to explore their hobbies and while initially, it might seem daunting, it's worth exploring. Some of the best work I have done is with other hackers found through sites like hackerspace.
Another place you might not think to look is in the free training events in your area! In my area, there are several venues that offer free or heavily discounted courses mostly aimed towards self-improvement and soft skills. Everyone is at these courses to learn, but also to have a good time and support their own network.
If none of these options sound appealing or if you are wondering how you can find more virtual or real-life conferences and meetups, try using Meetup. If you are in a city you'll certainly find a like-minded group!
If you want to stick to online learning and networking, try Discord. There are a bunch of practice groups for newcomers, here are a few to start with:
5. Capture The Flag (CTFs)
CTFs are games where hackers fight to see who can solve different challenges first. It’s a great way to put your skill to practice and learn from more experienced hackers. You can do it solo but I suggest you join a team and try to participate in some CTFs, who knows you might even rank! It’s great fun plus employers are sure as hell to notice.
While participating in a CTF you can come across any hacking challenge relating to a web application or server. There’s a hell of a lot you can learn in these real-world learning challenges plus it shows a hunger to grow in your role!
Make your resume stand out!
I can't stress this enough! In my role, I also have the pleasure of assessing resumes that land on my desk. And I hate it when I see just a list of cybersecurity certifications and places they’ve worked — I don’t care if it’s flashy. I personally don’t think a resume needs to look fancy as soon as you can show me something interesting from your background. Do you have a website or YouTube channel? It's not always about being a certified ethical hacker, there are other great ways to stand out from the crowd even if you don't have a lot of experience.