2009
12.05

OSCP vs PTF

I recently completed two security-related certifications. The first is Offensive-Security’s “OSCP” (Pentesting With Backtrack) and the other is Heorot’s PTF (Pentesting Fundamentals).

Here is where you can find more information on both certifications:
Pentesting Fundamentals: Heorot
OSCP: Offsec

The point of this blog is not to “bash” or “flame” one certification. Both are challenging and interesting in their own way. It’s just that, depending on how you look at it, one is more advanced than the other. Seeing that difficulty is very relative to each individual person, if I refer to one as being more “difficult”, keep in mind it’s my opinion.

Let’s start off by describing each training course, beginning with Heorot’s PTF.
Once a student starts the course, he receives an e-mail with links and access codes to the online training material. This comprises videos, slides and documents. Also, 2 live CD images are needed for the course. The first CD is the first De-ICE live CD used during the course itself. The second is the vulnerable system which is your target to complete the course. You get to run a mock pentest on this system following the methodology (based on the ISSAF) learned in the course. Once you’ve finished, you write up your report as explained in the ISSAF and send it on its way for review/grading.

Offensive-Security’s PWB takes a different approach. Once the course starts (classes start on a Saturday), the student gets an e-mail with access to the course material (video and PDF) and access to an online lab. Throughout the course, the student gets to follow the teacher and practice on live hosts (in a secure and legal environment). Students get the chance to run scans, exploits and other techniques on various operating systems. Once all the exercises are completed, an exam is scheduled. Upon completion of the exam, the fail or pass e-mail is sent within 72 hours.

So in a nutshell, they are both courses that teach you about penetration testing. One is more documentation/methodology driven, and the other has a more “hands on” approach.
So which is better?
Which one should you take?
Which one should you take first?
Which one is harder/easier?
Which one is worth it?

Well... The answer to all those questions really depends on one’s personal skill level and experience. When I started OSCP, I had no prior experience with exploits/Metasploit and other info-sec related activities. I did however have a pretty good knowledge of the Linux operating system, networking and programming. Even with all that, I found the course extremely challenging if not out of my league at times. Still, with some effort and research, I managed to pass the 24 hour exam and receive my certification.

After doing all that, I waited a few months and tried my hand with Heorot’s fundamentals course. Being a fundamentals course, and documentation/methodology driven, the penetration and exploitation of the target system was easy in comparison to OSCP. The goal in PTF is not to see if you can “pop a box”, but to properly produce a penetration report following certain guidelines.

As you can see, depending on what you already know (or don’t know) both certifications can have a strong learning curve. For me, well, PTF was a bit of a disappointment seeing the cost and time it’s taking to grade my report.
[as of today it’s been over a week and still no news]

So for the cost, in my opinion, if you already have experience with vulnerability scanners and frameworks such as Metasploit, w3af, etc., go for OSCP. Once you’ve done that, nothing stops you from downloading the ISSAF methodology documentation free from their website. If you don’t have any prior experience, then PTF would be a good place to start. You get to learn the basic tools, such as nmap & hydra, and properly conduct a pentest from A to Z.

The answers to all my previous questions above all come down to this:
It depends on you…

Thanks for reading.