Two certifications dominate the entry-to-mid level penetration testing conversation, and they are not equivalents. CompTIA PenTest+ is a multiple-choice exam that tests your knowledge about penetration testing. OSCP is a 24-hour hands-on exam where you actually compromise machines or you don't pass. That single distinction — knowledge versus execution — determines everything about preparation, cost, career impact, and which one is right for your situation.
Most candidates who debate this question should be debating something else: whether they're ready for OSCP yet, and what they need to do to get there.
What Each Certification Actually Tests
CompTIA PenTest+ (PT0-002): Knowledge-Based Assessment
PenTest+ (PT0-002) — CompTIA's penetration testing certification, testing whether candidates understand penetration testing concepts, methodology, tooling, and professional practices through multiple-choice and limited performance-based questions.
The five exam domains:
| Domain | Weight | What It Covers |
|---|---|---|
| Planning and Scoping | 14% | Rules of engagement, legal considerations, scope definition |
| Information Gathering and Vulnerability Scanning | 22% | Reconnaissance techniques, vulnerability scanner output analysis |
| Attacks and Exploits | 30% | Attack categories, tool selection, exploitation scenarios |
| Reporting and Communication | 18% | Executive vs technical reporting, vulnerability findings documentation |
| Tools and Code Analysis | 16% | Identifying what scripts do, tool output interpretation |
Attacks and Exploits at 30% is the highest-weighted domain. The exam presents scenarios — "A penetration tester discovers a web form that passes user input directly to a SQL query. What tool should they use to automate exploitation of this vulnerability?" — and tests whether you can identify the correct approach and tooling.
What PenTest+ knowledge looks like in practice: the exam tests recognition and recall. You must know what SQLMap does, when Burp Suite is appropriate, what Mimikatz extracts, and what BloodHound maps. You don't need to run any of these tools against a live target to pass the exam.
Tool categories tested on PenTest+:
| Category | Tools Tested |
|---|---|
| Network scanning | Nmap, Masscan |
| Web application | Burp Suite, SQLMap, OWASP ZAP, Nikto |
| Exploitation | Metasploit Framework |
| Password attacks | Hashcat, John the Ripper, Hydra, CrackMapExec |
| Post-exploitation | Mimikatz, BloodHound, PowerView |
| Wireless | Aircrack-ng, Kismet |
Code analysis: PenTest+ includes questions requiring you to read short Python, Bash, or PowerShell snippets and identify what they do — reverse shell, port scanner, credential harvester. Scripting literacy is required; coding ability is not.
OSCP (Offensive Security Certified Professional): Hands-On Execution
OSCP — Offensive Security's flagship penetration testing certification, requiring candidates to compromise machines in a live lab environment during a 24-hour proctored exam and document their findings in a professional penetration test report.
The exam structure:
- 24 hours to attempt exploitation of target machines
- 3 standalone machines worth 10-20 points each (independent targets)
- 1 Active Directory domain with 3 machines worth 40 points total
- 70 points required to pass out of 100 total available
- 24 hours after the exam to submit a professional penetration test report
What "rooting" means: achieving highest privilege on each target — root on Linux, NT AUTHORITY\SYSTEM or a local administrator on Windows. For each compromised machine, you submit a screenshot of the proof file (proof.txt) and document your exploitation steps in the report.
The Active Directory set: the 2023 OSCP+ update made the AD domain worth 40 points — the single largest component of the exam. The AD set requires: initial foothold on the first machine, credential harvesting or hash extraction, lateral movement to the second machine, privilege escalation, and domain controller compromise. Missing the AD set while passing standalone machines is a common failure mode.
What's allowed during the exam: your own notes, tools pre-installed on Kali Linux, and PEN-200 course materials. No AI assistance, no internet searching, no external help. Metasploit is severely restricted — allowed against only one machine for the entire exam.
Preparation Requirements: The Real Difference
PenTest+ Preparation: 6-10 Weeks
Candidates with Security+ background and basic networking knowledge can prepare for PenTest+ in 6-10 weeks. Standard preparation:
- Jason Dion's PenTest+ (PT0-002) course on Udemy — most comprehensive video preparation available
- Darril Gibson's PenTest+ study guide — textbook option for domain-by-domain coverage
- CompTIA's official practice tests — question style familiarization
- Practice exams from Dion Training — broader question volume
Technical hands-on practice: helpful but not required to pass. Candidates who've run Nmap and Metasploit understand the tools better, but candidates without hands-on experience can still pass PenTest+ by studying tool descriptions and question patterns.
OSCP Preparation: 3-12+ Months
OSCP's prerequisite knowledge is substantial. The PEN-200 (Penetration Testing with Kali Linux) course with 90 days of lab access ($1,499) is required, but the course assumes you arrive with:
- Linux command line proficiency (navigation, scripting, file permissions, process management)
- Basic networking (TCP/IP, DNS, HTTP, HTTPS, common ports and services)
- Basic programming literacy (read and modify Python and Bash scripts)
- Familiarity with web application vulnerabilities (at minimum, understanding what SQL injection and directory traversal are)
Typical preparation sequence for candidates without this background:
TryHackMe Jr Penetration Tester path (2-3 months): guided rooms covering Linux fundamentals, web app basics, and introductory offensive techniques. The most structured beginner preparation available.
HackTheBox easy machines from the TJNull OSCP-like list (1-2 months): unguided machines that require applying techniques without step-by-step instructions. This builds the "try harder" mindset OSCP demands.
PEN-200 with 90-day lab access (3 months): the official OSCP preparation material. Complete the module exercises first (worth 10 bonus points if you complete 80%+ of exercises + 30 machines). Work through lab machines increasing in difficulty.
Proving Grounds Practice (before the exam): Offensive Security's dedicated practice platform with machines specifically calibrated to OSCP difficulty.
The total investment: $1,499 for PEN-200/OSCP + $149/month for TryHackMe + HackTheBox subscription or free tier. Budget $1,800-$2,500 total for first attempt including preparation tools.
Career Impact: The Honest Comparison
PenTest+ in the Job Market
PenTest+ is DoD 8570/8140 approved at CSSP Infrastructure Support and CSSP Incident Responder categories. This is its primary career value: for candidates in DoD contracting roles that require 8570 compliance, PenTest+ satisfies requirements that OSCP doesn't (OSCP is not on the 8570 list).
What PenTest+ doesn't do: it doesn't signal hands-on penetration testing capability to technical hiring managers at security firms. Penetration testing companies — Rapid7, Bishop Fox, NCC Group, boutique firms — consistently list OSCP as required or strongly preferred for penetration testing roles. PenTest+ rarely appears.
The practical reality: PenTest+ alone is insufficient for most penetration testing roles. It's a validation of methodology knowledge, not demonstrated execution capability.
OSCP in the Job Market
OSCP is the gold standard for demonstrating practical penetration testing ability. The 24-hour hands-on format is credible to technical hiring managers in a way multiple-choice certifications cannot be — there is no path to passing OSCP without actually compromising machines.
Job posting analysis: OSCP appears in 65-70% of penetration testing and red team job postings at security-focused firms. PenTest+ appears in 15-20% of the same postings, typically listed alongside or below OSCP.
Salary differential: penetration testers with OSCP command $90,000-$130,000 for mid-level roles in most US markets. Roles listing PenTest+ as the primary credential typically start at $70,000-$90,000.
"I've reviewed hundreds of penetration testing applications. OSCP on a resume tells me the candidate can execute under pressure — they've compromised machines in a live environment against a time limit. PenTest+ tells me they understand the methodology. Both have value, but for a junior pen tester role at our firm, OSCP is what I'm looking for as the primary signal." — TjNull, HackTheBox HTB Pro Hacker and OSCP holder, penetration tester
Who Should Take Which
Take PenTest+ if:
- Your role in a DoD environment requires 8570 CSSP compliance and PenTest+ satisfies it
- You're a security analyst or defender who wants methodology knowledge without pursuing a penetration testing career
- You're building toward OSCP and want a validated milestone and credential while you develop prerequisite skills
- Time or budget constraints prevent the OSCP timeline ($1,499 + months of preparation)
- You're studying for Security+ or CySA+ and want to extend in the offensive direction without a full pivot
Take OSCP if:
- Your target is a penetration testing or red team role at a security-focused firm
- You want a credential that technical hiring managers recognize as genuinely difficult and hands-on
- You have 6+ months for serious preparation and the budget ($1,499+ for PEN-200)
- You're already comfortable with Linux, basic networking, and some scripting
Take both if:
- You're in a DoD contracting role that requires PenTest+ for 8570 compliance AND you want OSCP for technical credibility in the penetration testing market
- You want to satisfy HR-defined certification requirements while demonstrating hands-on capability to technical evaluators
The Bridge: eJPT and PNPT
Between PenTest+ and OSCP, two certifications serve as practical intermediate steps for candidates who aren't ready for OSCP's timeline:
eJPT (eLearnSecurity Junior Penetration Tester): INE Security's entry-level, hands-on certification with a 72-hour lab environment and 35 questions that require actual network exploitation to answer. $249, no multiple choice shortcuts. Validates genuine entry-level offensive skills.
PNPT (Practical Network Penetration Tester): TCM Security's mid-level certification requiring a 5-day practical exam plus a professional penetration test report. $399. Specifically designed as OSCP preparation — the Active Directory coverage prepares directly for OSCP's 40-point AD domain.
The sequence that produces strong OSCP preparation: PenTest+ (optional, for DoD compliance) → eJPT → PNPT → OSCP.
The Practical Preparation Reality for OSCP
Candidates who attempt OSCP without the right background experience one of the most demoralizing failures in IT certification — not because the exam is unfair, but because the gap between where they are and where they need to be is so large that the 24-hour clock runs out before they can demonstrate the skills they're working toward.
The prerequisite assessment: before enrolling in PEN-200, you should be able to answer yes to all of these:
- Can you navigate a Linux filesystem without documentation, manage services and processes, and write basic bash scripts?
- Can you run an Nmap scan, interpret the results, and identify which ports and services might be exploitable?
- Do you understand the HTTP request/response cycle well enough to manually interact with a web application using Burp Suite?
- Can you read a Python script and understand what it does, even if you couldn't have written it yourself?
- Have you completed at least 10 unguided CTF machines or HackTheBox machines where you found the path yourself?
If you answered no to two or more, TryHackMe is the right first step — not PEN-200.
The PEN-200 lab structure: the lab environment contains machines organized into different network segments. Some are accessible directly; others require pivoting through compromised machines. The lab is specifically designed to build the methodology of enumeration → exploitation → privilege escalation → documentation that the exam demands.
The 10 bonus points: completing 80% of PEN-200 course exercises plus 30 lab machines earns 10 bonus points on the exam. These points can be the difference between passing and failing. Treat exercises as required, not optional.
The exam report requirement: the 24 hours after the lab exam are for report writing. Many candidates underestimate this step. The report must include: working screenshots of every exploitation step, proof file contents, and enough methodology documentation for an independent analyst to reproduce each compromise. Candidates who skip screenshots during the exam often spend the first hour of the report period trying to recreate evidence they should have captured live.
The Specific OSCP Failure Modes
Understanding why candidates fail OSCP helps you prepare to pass it.
Failure mode 1 — Not completing the AD set: the Active Directory domain is worth 40 points. Candidates who can't get the initial foothold or can't complete the chain to domain admin lose 40 points before they've attempted a single standalone machine. This failure mode is addressed by deliberate AD preparation: practice Kerberoasting, Pass-the-Hash, BloodHound enumeration, and lateral movement on dedicated AD practice environments (HackTheBox's Active Directory machines, Offensive Security Proving Grounds).
Failure mode 2 — Privilege escalation gaps: every machine requires privilege escalation from initial access to root/SYSTEM. Candidates who can find initial access but can't escalate fail machines they've already partially compromised. TCM Security's Practical Ethical Hacking course includes dedicated Windows and Linux privilege escalation modules — these are the most commonly recommended resources for filling this gap.
Failure mode 3 — Buffer overflow confidence (legacy but relevant): the exam has historically included buffer overflow machines. Manual buffer overflow development — fuzzing, finding the offset, controlling EIP, generating shellcode — must be practiced until reflexive. Candidates who understand the theory but haven't done it repeatedly under time pressure fail these machines consistently.
Failure mode 4 — Rabbit holes: spending 3 hours on a single path that leads nowhere is an OSCP-specific failure mode. The correct response when stuck is to document your current state, try two more different approaches, and if still stuck — move to another machine. Return with fresh perspective. Candidates who fail OSCP often had enough knowledge to pass but spent 8+ hours on two machines while leaving three others unexamined.
Failure mode 5 — Running out of time on the report: scheduling the exam and immediately starting lab work means you'll have 24 hours of work documented at the end. Writing a complete OSCP report from detailed notes and screenshots takes 8-12 hours. Practice this during lab preparation — complete a lab machine, then write a full professional report documenting it as if it were an exam submission.
The screenshot discipline: every successful exploitation step needs a screenshot: the proof of initial access, each privilege escalation, the final proof.txt file contents showing your username and the machine's hostname. Screenshots taken during the exam cannot be retroactively recreated — candidates who compromise a machine and forget to screenshot are awarded zero points for it regardless of the exploitation. Build the screenshot habit in lab practice until it's automatic.
Frequently Asked Questions
Is PenTest+ sufficient for a penetration testing career?
Generally no. Most penetration testing roles at quality firms require demonstrated practical skill — OSCP or equivalent. PenTest+ demonstrates methodology knowledge via multiple choice; OSCP demonstrates practical exploitation skill via a 24-hour live exam. Technical hiring managers treat them very differently.
How long is the OSCP exam?
24 hours to complete the penetration testing (compromising target machines) plus 24 additional hours to submit the penetration test report. The exam includes 5 machines: 3 standalone and a 2-machine Active Directory domain. 70 points out of 100 are required to pass.
How should I prepare for OSCP?
Start with 3-6 months on TryHackMe (Jr Penetration Tester path) or HackTheBox Academy to build foundational skills. Then purchase Offensive Security's PEN-200 course with 90-day lab access ($1,499+). Root a majority of lab machines before attempting the exam. Focus heavily on privilege escalation and Active Directory attacks.
Does PenTest+ satisfy any DoD 8570 requirements?
Yes. PenTest+ satisfies DoD 8570 CSSP Infrastructure Support and CSSP Incident Responder baseline requirements. If you're in a government or defense role needing these specific 8570 positions, PenTest+ has direct compliance value independent of OSCP.
What is the cost difference between PenTest+ and OSCP?
PenTest+ exam costs $509. OSCP (via PEN-200 course with 90-day lab access and one exam attempt) costs $1,499. Retake attempts are approximately $249 each. The total investment for OSCP including typical preparation resources runs $1,500-$2,000+ vs $509-$700 for PenTest+ including study materials.
