We founded Pentestingexams.com with clear objectives. We aimed to avoid the traditional model adopted by many certification providers. In this blog, we will share our analysis of what we believe is the best way forward for the cyber certification industry and why existing providers should adopt this model as well. We will also compare our Network Pentesting certification, CNPen, with the industry-leading OSCP certification, to help users make an informed choice.
Exam vs Training
Most certification bodies today provide well-structured training materials along with dedicated practice labs. We see this as a slight conflict of interest, akin to marking your own homework. If you teach students five ways to hack, and then ask them in the exam to reproduce one of those same methods, is everyone really being tested — or is everyone expected to win? 🤔
Our philosophy is different. We are an independent examining body. Like CREST, we do not offer official training. Instead, we publish a detailed syllabus for each certification.
Why is that a good thing?
- It keeps certification costs low.
- We are not forcing users to take our training.
- Most people in our industry highly value an unstructured self-learning path.
They’re (pentestingexams.com) merely testing your skills. This means that you don’t get cookie-cutter penetration testers who have all followed the same path. We always need creativity in this field!
Exam format
The OSCP exam is 24 hours long. A normal pentest day is 8 hours. If you cannot assess a candidate’s ability across various pentesting skills within a reasonable timeframe, the model needs to change. Our Professional exams are 4-hour practical assessments, and our eXpert exams run for 7 hours. We are evaluating real pentesting skills, not endurance or combat warfare. 😂
Report Submission
OSCP still requires candidates to submit a lengthy report. In the past, report writing was a key skill in consultancy. Around 20 years ago, almost everyone had their special vuln-dump and relied on MS Word macros to manually create reports. At that time, soft skills were extremely important, and writing executive summaries was a manual process. Nowadays, report writing is largely automated. There are advanced reporting tools—both commercial and open-source—that streamline the process. Most pentesting companies also have dedicated QA teams to ensure only high-quality reports are delivered to clients. Our exams do not assess soft skills or require report submissions. We focus solely on evaluating a candidate’s practical hacking ability.
Pricing
We are focused on serving the community and keeping our certification affordable. We also run a number of giveaways to give back to the community. Our Professional and eXpert exams include 1 FREE retake (should you need it).
With the above context in mind, we now present how our CNPen certification stacks up against the OSCP offered by Offensive Security. Below is a brief comparison of both certifications.
| Aspect | CNPen (PentestingExams.com) | OSCP (Offensive Security) |
|---|---|---|
| Cost | £250 (often cheaper with discount codes) | £1,250 (~$1,700 USD) |
| Course Bundle Cost | No official course; self-study recommended and learning resources (Free+Paid) provided | The cost includes practice lab access and video walkthroughs ● $1,699 USD (1 exam attempt – no labs) ● $1,749 (90 days labs + 1 exam) ● $2,749/year (1 year access + 2 exams) |
| Exam Duration | 4 hours | 24 hours practical exam + 24 hours reporting |
| Exam Format | ● Practical, 15 challenges to be completed ● VPN access provided ● No report submission required | ● Practical: 3 standalone machines to be compromised + 1 AD Lab (assumed breach scenario) ● Detailed PDF report submission required |
| Online/On-Demand | Yes, anytime from anywhere | Online but not on-demand. Candidates need to pre-book their timeslots for the exam. |
| Result | Immediately after completing the exam | Takes 5-7 working days after submitting the report |
| Retakes | 1 free retake included (if you fail the first attempt) | Extra fee ($250 per attempt); bundles may include 1 more retake |
| Syllabus Focus | ● Real-world scenarios related to Active Directory (on-prem and AWS cloud), internal network pentest ● Lateral movement and pivoting ● Privilege escalation ● Docker-related scenarios ● OSINT and cloud-related scenarios. For web-related challenges, consider the CAPen exam. | ● Real-world scenarios related to Active Directory, internal network pentest ● Lateral movement and pivoting ● Privilege escalation ● Web-related attacks such as SQLi, XSS, RFI, LFI, file uploads, etc. |
| Tools Restriction | Much like a real-world pentest scenario, candidates are allowed to install and run any pentest tool of their choice. Outbound internet access is provided. | Use of many pentesting tools is restricted. Only specific pentest tools are allowed and only in certain scenarios. Candidates are not allowed to install any new pentesting tools. |
| Pass Criteria | 60% pass, 75%+ merit | 70% |