Why You Need to Know This
Honest answer: a certificate is needed to get past the HR filter. When you apply for a junior position in a large company, your resume is first reviewed by HR, a non-technical specialist. HR cannot assess skills, but sees certificates. Without a certificate, it's easy to get rejected.
But there's a flip side: bug bounty doesn't ask for certificates, and freelance work rarely does. A really useful certificate is OSCP (costs ~$1600). It pays off in 2 months of working in the industry.
This lesson is about which certificates are really valued and in what order to get them.
OSCP: The "Gold Standard" of the Industry
In 30 Seconds
OSCP = the main certificate in pentest. If it's on your resume, a technical interview is almost guaranteed.
Full name: Offensive Security Certified Professional.
The exam is not about questions. You're given 5 training machines and 48 hours: 24 hours to hack, 24 hours to write a report. This is the most honest certificate in the industry: no theory, only real work.
| Parameter | OSCP |
|---|---|
| Price | $1599 (course + 1 attempt) |
| Retake | $249 |
| Pass rate (% who passed on the first try) | ~40% |
| When to take | After 1-2 years of practice + 50+ HTB machines |
| Salary increase | +50-100% to junior salary |
CPTS: A Modern Alternative to OSCP
In a Nutshell
CPTS = a young competitor to OSCP from the creators of HackTheBox. Cheaper, recognition is growing every year.
| Parameter | CPTS |
|---|---|
| Price | $490 |
| Exam | 7 days to hack + report |
| Pass rate | ~50% |
| Focus | Active Directory + web |
| HR recognition in 2024 | Growing, not yet at the level of OSCP |
CPTS is a great alternative to OSCP if the budget is limited. In a large corporate setting, it has less weight, but in startups, it's acceptable.
Other Certificates (Context)
| Certificate | Price | When to get |
|---|---|---|
| eJPT | $250 | For warm-up, before OSCP |
| CRTO | $399 | After OSCP, for Red Team specialization |
| OSWE | $1599 | After OSCP, deep dive into web |
| CEH | $1199 | HR loves it, little practical value |
| SANS GPEN | $7000+ | Only if the employer pays |
Ideal Order for a Junior
In 30 Seconds
If you're just starting and want to work as a pentester:
- Year 1: only practice. 50+ HTB machines, PortSwigger Web Academy. No certificates.
- Year 1.5-2: first big certificate: OSCP or CPTS. This opens doors to junior positions.
- Year 2-3: specialization: CRTO (Red Team) or OSWE (Web).
- Year 3+: optionally expensive certificates like SANS, if the employer pays.
ROI of a Certificate: Will $1600 for OSCP Pay Off?
Real Numbers (Russia, 2024)
- Junior Pentester without a certificate: ~80-150 thousand ₽/month
- Junior Pentester with OSCP: ~150-250 thousand ₽/month
- Difference per year: ~1.2 million ₽
- OSCP costs ~150 thousand ₽
Pays off in 2 months of work. This is objectively the best "investment in education".
When a Certificate is NOT Needed
- Bug bounty: no one asks for certificates there. Only reputation matters.
- Freelance pentest: the client looks at your portfolio, not certificates.
- Internal transfer within your own company (e.g., from developer to AppSec): your reputation already works.
- You already have a job offer through acquaintances: don't waste time on a certificate before starting.
When a Certificate is REALLY Needed
- Cold apply for a junior position: without a certificate, HR will reject your resume
- Corporations and government (banks, telecom): they require certificates from contractors
- Emigration: you need international recognition
- Remote work for Western companies: OSCP is the standard there
Simple Test to Check Understanding
- Which certificate is the "gold standard" of the industry? → OSCP
- What does the OSCP exam include? → 24 hours to hack 5 machines + 24 hours to write a report
- What is a cheaper alternative to OSCP? → CPTS from HackTheBox ($490)
- When is a certificate definitely NOT needed? → If you're going into bug bounty or freelance
- How many months of work will it take for OSCP to pay off in Russia? → 2 months
You Can Skip This, But It's Interesting
The main "tutorial" for preparing for OSCP is TJnull's OSCP-like list (search on Google). This is a list of ~50 HackTheBox machines that are "similar" to those on the exam. If you've completed this list, you're ready.
Most people who passed OSCP went through this list 2-3 times before the exam.
Vibe-task: Ask Claude
Open Claude and ask:
I finished the "Hacking from Scratch" course. Completed 5 PortSwigger labs.
I want to pass OSCP in 12 months.
Help me create a preparation plan:
- Months 1-3: what to do each week
- Months 4-6: what to do
- Months 7-9: what to do
- Months 10-12: final preparation
Specifically: which machines (HTB / THM / PortSwigger),
which books, how many hours per week is realistic.
Explain it like you're talking to a 10-year-old. No jargon.
Main Takeaways of the Lesson
What to Take Away
- OSCP = the main certificate in the industry. $1599, pays off in 2 months of work.
- CPTS = a cheaper alternative ($490), recognition is growing.
- Year 1: only practice, no certificates.
- Year 1.5-2: first certificate. Opens doors to junior positions.
- Certificate NOT needed: bug bounty, freelance, internal transfer.
- Certificate needed: cold apply, corporations, emigration, remote work for Western companies.
What's Next
Lesson 10.3 is the final one: How to Get Your First Job. How to format your resume and LinkedIn for security vacancies. Which companies to apply to. How to pass an interview. What to say when they ask you to "tell me about yourself".