"CompTIA recently revised its CompTIA PenTest+ certification exam to account for the rapid emergence of new cloud-connected services and applications that are constantly introducing new threat vectors," adds Cynthia Overby, co-founder and president at Key Resources Inc. "Compliance and pen testing are becoming more challenging in this cloud-connected environment, so CompTIA’s update is an important one."
PenTest+
Prerequisites: No specific prereqs, but candidates should have a minimum of 3-4 years of infosec experience. Intended as a follow-on to CompTIA's Security+ cert.
Test format: Two hours and 45 minutes, a maximum of 85 multiple choice and performance-based questions
Cost: $370
Official website: https://www.comptia.org/certifications/pentest
Certifications are just the beginning
While everyone we spoke to saw at least some value in certifications, several emphasized that they're not the only thing hiring managers consider when looking at a candidate—and often aren't the most important.
"The rate of change in this space is rapid—what was useful yesterday is constantly changing," says Pluralsight's Rosenmund. "A lot of these certifications share an informational base and repeat a lot of the same information that isn’t necessarily what is 'fresh and hot.' Certifications in security are good for proof of knowledge in understanding concepts, but won’t keep you fresh for your job."
Moshe Levi, hacking team leader at Cyberint, sees certs as important for those just entering the field. "You almost can’t join a company without experience, which seems ridiculous—because how can you gain experience without an actual job? That's why a certificate can play a significant part in a job interview when the candidate has no experience in real life." However, he adds that "after that breakthrough into the field, the certifications matter less and less, and experience takes over. If I am hiring for my team, experience always wins out over certifications, but the latter can get them in the door—and depending on the pool of potential employees, can land them a job as well."
And even if you lack conventional on-the-job experience, a certification isn't the only way to show your stuff. "Folks who are considering using certifications on their resume should definitely remember to include their own unguided research as well," says Casey Ellis, founder and CTO at Bugcrowd. "A well-stocked GitHub page showing contributions to security tools and projects, a blog talking through security research, their bug bounty or vulnerability disclosure Hall of Fame listings—these are all practical ways to demonstrate and communicate real-world skill to a hiring manager quickly."