Penetration Testing & Red Teaming
Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.
What is Penetration Testing & Red Teaming?
Penetration testing and red teaming are the most honest assessments of whether security controls actually work under pressure. While defensive security builds walls, offensive security tests them — using the same techniques, tools, and mindset as real adversaries to find vulnerabilities before attackers do.
Penetration testing follows structured methodologies (OWASP WSTG, PTES, OSSTMM, NIST SP 800-115) to systematically identify and validate vulnerabilities in networks, applications, and infrastructure within an agreed scope and time box, and reports them for remediation. Red teaming goes further: it is objective-driven and usually covert, simulating a full adversary campaign, including social engineering, physical access, and multi-stage attack chains, to test whether the organization detects and responds, not just whether individual vulnerabilities exist.
The field is being transformed by AI-assisted reconnaissance, automated exploitation tools, and the growing need for AI system red teaming. Purple teaming — the collaborative integration of offensive and defensive teams — is becoming the gold standard for continuous security improvement.
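Purple teaming, as described above, only improves anything if the red team's executed techniques are actually joined against what the blue team detected. The Python scorecard below is an added example written for this page, not code from any project, vendor or certification it lists. The ATT&CK technique IDs are real identifiers; the hosts, timestamps, emulation plan and alert log are constructed sample data. It correlates each red action with blue alerts on technique, host and a time window, then reports each planned technique as detected, missed or not tested, with time-to-detect.

```python
"""Purple-team coverage scorecard.

Added example for this page, not code from any project it lists. It joins a
red team's emulation log (which ATT&CK techniques were run, where and when)
with the blue team's alert log and reports, per planned technique, whether
the blue side detected it, missed it, or the red side never exercised it,
plus time-to-detect. Sample data is constructed: technique IDs are real
ATT&CK identifiers, hosts and timestamps are invented.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RedAction:
    technique: str          # ATT&CK technique ID, e.g. "T1059.001"
    host: str               # where the red team executed it
    executed_at: datetime


@dataclass(frozen=True)
class BlueAlert:
    technique: str          # technique the detection rule is mapped to
    host: str
    raised_at: datetime


@dataclass(frozen=True)
class Coverage:
    status: str                     # "detected" | "missed" | "not_tested"
    ttd_seconds: Optional[float]    # time-to-detect; None unless detected


# Emulation plan agreed in the purple-team planning session (constructed).
PLANNED = ["T1059.001", "T1003.001", "T1021.002", "T1053.005", "T1547.001"]

# Red team's execution log (constructed). T1547.001 was planned but never run.
RED_LOG = [
    RedAction("T1059.001", "ws-04", datetime(2024, 5, 2, 10, 0)),   # PowerShell
    RedAction("T1003.001", "ws-04", datetime(2024, 5, 2, 10, 7)),   # LSASS memory
    RedAction("T1021.002", "fs-01", datetime(2024, 5, 2, 10, 20)),  # SMB lateral movement
    RedAction("T1053.005", "fs-01", datetime(2024, 5, 2, 10, 31)),  # scheduled task
]

# Blue team's alert log over the same window (constructed).
BLUE_LOG = [
    BlueAlert("T1059.001", "ws-04", datetime(2024, 5, 2, 10, 3)),
    BlueAlert("T1003.001", "ws-09", datetime(2024, 5, 2, 10, 8)),   # wrong host: unrelated
    BlueAlert("T1053.005", "fs-01", datetime(2024, 5, 2, 10, 32)),
    BlueAlert("T1110.003", "dc-01", datetime(2024, 5, 2, 9, 50)),   # not part of the plan
]


def score(planned: List[str], red_log: List[RedAction], blue_log: List[BlueAlert],
          window: timedelta = timedelta(minutes=30)) -> Dict[str, Coverage]:
    """Correlate each red action with blue alerts and roll up per technique.

    An alert counts as a detection only if it matches the action's technique
    and host and was raised at or after execution and within `window`.
    Alerts raised before the action, or on another host, are coincidences,
    not detections; that strictness keeps the scorecard honest.
    """
    results: Dict[str, Coverage] = {}
    for technique in planned:
        actions = [a for a in red_log if a.technique == technique]
        if not actions:
            results[technique] = Coverage("not_tested", None)
            continue
        best: Optional[float] = None
        for action in actions:
            for alert in blue_log:
                if alert.technique != action.technique or alert.host != action.host:
                    continue
                delay = alert.raised_at - action.executed_at
                if timedelta(0) <= delay <= window:
                    secs = delay.total_seconds()
                    best = secs if best is None else min(best, secs)
        results[technique] = Coverage("detected", best) if best is not None else Coverage("missed", None)
    return results


def detection_rate(results: Dict[str, Coverage]) -> float:
    """Fraction of exercised techniques that were detected. Untested techniques
    are excluded so that skipping a technique cannot inflate the score."""
    tested = [c for c in results.values() if c.status != "not_tested"]
    if not tested:
        return 0.0
    return sum(1 for c in tested if c.status == "detected") / len(tested)


def render(results: Dict[str, Coverage]) -> List[str]:
    """One human-readable line per technique, in plan order."""
    lines = []
    for technique, cov in results.items():
        ttd = f"{cov.ttd_seconds / 60:.0f} min" if cov.ttd_seconds is not None else "-"
        lines.append(f"{technique:<10} {cov.status:<10} ttd={ttd}")
    return lines


if __name__ == "__main__":
    scorecard = score(PLANNED, RED_LOG, BLUE_LOG)
    print("\n".join(render(scorecard)))
    print(f"detection rate (tested techniques): {detection_rate(scorecard):.0%}")
```

On the constructed data two of four exercised techniques are detected (50%), one planned technique was never run, and the T1003.001 alert on a different host is correctly rejected. The strict correlation rule and the exclusion of untested techniques from the rate are the two design choices that matter: loosen either and the scorecard starts rewarding noise and incomplete plans instead of detection.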
Why it matters
You don't know if your defenses work until someone tests them. Pentesting and red teaming provide ground truth about security posture that no compliance audit or vulnerability scan can deliver.
Offensive security validates every other security domain. It tests whether the controls built by security engineers, the policies written by GRC, and the detections built by SOC analysts actually hold up against real attack techniques.
People shaping this field
Researchers and practitioners worth following in this space.
Social engineering expert and red teamer
Penetration tester and author of Penetration Testing
Hardware hacker and physical security tester
Curated resources
Authoritative sources we ground Penetration Testing & Red Teaming questions in — frameworks, research, guides, and tools.
CREST Penetration Testing Guide
UK/international pen test certification body. Their guides cover methodology, reporting standards, and ethics. Useful for questions on professional standards in offensive security.
Black Hat / DEF CON Archives
Conference presentations covering novel attack techniques and defensive research. Essential for cutting-edge offensive/defensive questions; AI Village talks are particularly relevant to AI system red teaming.
NIST SP 800-115 — Technical Guide to Information Security Testing
Federal methodology for security assessments: target identification, vulnerability analysis, validation. Underpins both penetration testing and exposure management programs.
OSSTMM — Open Source Security Testing Methodology
Peer-reviewed methodology for performing security tests. Provides a scientific approach to security testing with measurable results.
Metasploit Framework
The world's most used penetration testing framework. Provides exploit development, payload generation, and post-exploitation capabilities.
Burp Suite Community Edition
Web application security testing tool. Industry standard for manual and automated web vulnerability assessment.
Roles where this matters
Career paths where this domain shows up as core or recommended.
Ethically hack systems to find vulnerabilities before attackers do. Offensive security requires deep technical knowledge.
Embed security into the software development lifecycle. Shift left to catch vulnerabilities before they reach production.
Owns the end-to-end find → prioritize → fix → verify loop at scale, now increasingly AI-driven.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
PortSwigger Burp Suite Certified Practitioner
Mile2 Certified Professional Ethical Hacker
Mile2 Certified PowerShell Hacker
Mile2 Certified Penetration Testing Consultant
Mile2 Certified Penetration Testing Engineer
Mile2 Certified Vulnerability Assessor
The SecOps Group Certified Cloud Pentesting eXpert-AWS
Certified Ethical Hacker
Offensive-concepts breadth; light on hands-on rigor compared to OSCP.
ISECOM Certified Hacker Analyst Trainer
Mile2 Certified Master Intrusion Prevention Specialist
EC-Council Certified Penetration Testing Professional
CREST Certified Simulated Attack Specialist
CREST Certified Web Application Tester
CREST Certified Threat Intelligence Manager
CREST Certified Infrastructure Tester
CREST Practitioner Security Analyst
CREST Registered Penetration Tester
The CREST Registered Penetration Tester is a practical, UK-oriented certification that has established itself as an important industry standard for penetration testers, particularly in the UK market and for organizations with CHECK requirements. Unlike purely theory-based certifications, the CRT exam includes a technical, partially practical component in a controlled test environment. The combination of multiple-choice, flags, and short answers distinguishes CRT from pure CTF formats like OSCP. Outside the UK and Australia, market penetration is limited; internationally, OSCP is significantly better known. However, for testers seeking to work in the UK public sector or at CREST-accredited firms, CRT is effectively mandatory.
Certified Red Team Expert
Multi-forest AD compromise — cross-trust abuse, advanced delegation, and persistence in hardened enterprise environments.
Zero Point Security Certified Red Team Operator
The CRTO from Zero-Point Security has established itself as one of the most practice-oriented red team certifications on the market. The associated course 'Red Team Ops' focuses on Cobalt Strike, Active Directory attacks, and realistic adversary simulation with OPSEC considerations. The exam format is purely practical and evaluates not only objective achievement but also operational behavior – points are deducted for triggered detections. Particularly attractive is the price-performance ratio compared to SANS certifications, as the course and exam are significantly more affordable. For experienced pentesters looking to develop towards red teaming and C2 deployment, the CRTO is a highly relevant qualification.
Zero Point Security Red Team Operator II
Certified Red Team Professional
Hands-on Active Directory attacker — Kerberos abuse, trust attacks, and lateral movement against a real multi-domain forest.
Dark Vortex Malware on Steroids
Dark Vortex Offensive Tool Development
Dark Vortex Red Team & Operational Security
eLearnSecurity Certified Professional Penetration Tester
eLearnSecurity Junior Penetration Tester
Entry-level pentest — good first offensive signal.
eLearnSecurity Mobile Application Penetration Tester
eLearnSecurity Web Application Penetration Tester
eLearnSecurity Web Application Penetration Tester eXtreme
GIAC Assessing Wireless Networks
GIAC Penetration Tester
Penetration testing methodology + documentation.
GIAC Web Application Penetration Tester
GIAC Experienced Penetration Tester
GIAC Exploit Researcher and Advanced Penetration Tester
Hack the Box Certified Bug Bounty Hunter
Hack the Box Certified Penetration Testing Specialist
Hack the Box Certified Web Exploitation Expert
Kali Linux Certified Professional
EC-Council Licensed Penetration Tester
MITRE ATT&CK Defender — Adversary Emulation Methodology
The most hands-on intensive MAD20 track: Adversary Emulation based on ATT&CK. 30 lectures, 7 hands-on labs, 60+ range scenarios via the ARENAS platform. Covers planning, development and execution of adversary emulation plans. Badge upon completion (21 CPE hours).
MITRE ATT&CK Defender — Purple Teaming
MAD20 track for Purple Teaming with ATT&CK methodology. 32 lectures, planning and execution walkthroughs. Covers coordination between red and blue teams using the ATT&CK framework. Badge upon completion (13 CPE hours).
ISECOM OSSTMM Professional Security Tester
Offensive Security Certified Expert 3
Offensive Security Certified Professional
Hands-on penetration testing — exploitation, privilege escalation, AD attacks.
Offensive Security Exploit Developer
Offensive Security Exploitation Expert
Offensive Security Experienced Penetration Tester
The OffSec Experienced Penetration Tester (OSEP) is based on the PEN-300 course and addresses advanced techniques around antivirus evasion, Active Directory attacks, and living-off-the-land methods. The exam is fully practical: 47 hours 45 minutes in a simulated enterprise environment, followed by 24 hours to submit the report. That is the key difference from knowledge-based certifications; it tests real attack capability rather than recall. OSEP is considered credible proof of high-level offensive competence in red team circles, but assumes solid OSCP-level knowledge. Together with OSED and OSWE, OSEP forms the OSCE³ trio.
Offensive Security macOS Researcher
Offensive Security Web Assessor
Offensive Security Web Expert
Advanced web application exploitation — whitebox review, vulnerability chain construction.
Offensive Security Wireless Professional
Pentester Academy Certified Enterprise Security Specialist
Practical Junior Malware Researcher
Practical Network Penetration Tester
Hands-on network + AD pentesting with OSINT + reporting.
SECO Certified Ethical Hacker Leader
SECO Ethical Hacking Practitioner
The SecOps Group Certified AppSec Pentester
The SecOps Group Certified AppSec Pentesting eXpert
The SecOps Group Certified Mobile Pentester - Android
The SecOps Group Certified Mobile Pentester - iOS
The SecOps Group Certified Network Pentester
Also touched
Certified Information Systems Security Professional
Breadth across security engineering, architecture, operations, and governance at senior-IC / manager level. The default senior-generalist signal.