Pentester Roadmap: 4 certs to OSCP, 18–24 months, the honest version
The path is Network+ → Security+ → PenTest+ → OSCP, in that order. Network+ and Security+ are the foundation that lets the offensive material make sense. PenTest+ teaches the methodology and gets you past some ATS filters. OSCP is the gate — until you have it, most pentesting job applications go unread.
Pentesting is the IT career with the highest "skill check" requirement. The certs are the price of admission, but a strong HackTheBox / TryHackMe record and a public CTF history matter as much as the paper. Plan 200+ hours of pure lab time on top of cert study. Budget money for OSCP — ~$1,600 minimum.
Who this path is for
This roadmap is built for someone targeting a Junior Penetration Tester / Pentester I / Offensive Security Analyst role at a consultancy (Bishop Fox, NCC, Trustwave, regional firms) or in-house red team at a tech-forward enterprise. The job involves scoping engagements, running enumeration and exploitation against client networks, exploiting web apps, writing detailed findings reports, and gradually moving toward AD-heavy or web-heavy specialization.
It is not the right path if your target is:
- SOC / blue team — see the SOC Analyst roadmap; it's defensive.
- Bug bounty as a primary income — CompTIA path doesn't apply; jump straight to PortSwigger Web Security Academy + HackerOne CTF.
- Cloud security architect — AZ-500 / AWS SCS-C02 are the right shape, not OSCP.
The 4-step path, in order
CompTIA Network+ N10-008
4–6 weeks · ~70 hours · Foundation
Why here: you cannot exploit networks you don't understand. Subnetting, routing, NAT, ARP, and how DNS actually works are non-negotiable for pentesting. Skip Network+ and you'll memorize OSCP commands without understanding why they work.
CompTIA Security+ SY0-701
6–8 weeks · ~110 hours · Defensive context
Why here: a pentester who doesn't understand the defensive side is a script kiddie. Security+ teaches you what your findings actually mean to the client — why a SQLi is severity Critical, what compensating controls exist, why scope matters legally. This is the section most candidates underestimate.
CompTIA PenTest+ PT0-002
8–10 weeks · ~120 hours · Methodology
Why here: PenTest+ teaches the full engagement lifecycle — scoping, rules of engagement, methodology, reporting. It's the cert that makes you legally and procedurally sound, not just technically capable. Some employers require PenTest+ specifically for DoD 8570 compliance.
PenTest+ is multiple-choice + PBQs, no full lab. Don't expect it to feel like OSCP. Treat it as the bridge: methodology framework on top of your hands-on practice.
OffSec Certified Professional (OSCP)
4–8 months · ~300 hours · The gate
Why here: OSCP is the cert most pentest job postings list as required or strongly preferred. The 23h45 hands-on exam (forensic isolation, no Metasploit on most boxes, full report) makes it the only commercial cert hiring managers genuinely respect. Without OSCP, expect cold-applying to be a dead end.
Cost reality: ~$1,600 for the PEN-200 course + 90 days of lab + one exam attempt. Most candidates need at least one re-attempt, so budget $2,000+. Time reality: the median first-attempt taker has 12–18 months of prior lab time before passing.
What you'll be able to do at the end
- Walk into an internal-network engagement, enumerate AD, find a kerberoastable account, and chain a privilege escalation to Domain Admin within a working day.
- Write a finding for a SQL injection that includes the impact, business risk, reproduction steps, and concrete remediation — not just the payload.
- Pivot through a multi-subnet network with SSH tunneling, chisel, or socat without having to look up the syntax mid-engagement.
- Read a web app, identify the most likely bug class given the stack, and reach RCE within 4 hours on a fair target.
- Understand when a finding is "interesting" vs. "noise," and prioritize the report by client risk, not by how hard the bug was to find.
What this path is worth
Snapshot of the junior pentester market in 2026 (US). Verify against current postings before negotiating.
Junior base (US): $80k–$110k
Regional firms at the lower end. Top-tier consulting (Bishop Fox, NCC, Mandiant) at the upper.
Mid-level after 2–3 yrs: $120k–$165k
Senior pentester or red-team operator. Adds OSEP / OSEE / CRTO / GIAC GPEN.
Open postings (US): ~6,500
Smaller field than SOC or cloud. Demand exceeds qualified supply — OSCP is genuinely scarce.
Top hiring sectors: Consulting · FinServ · Tech
Boutique consultancies hire most juniors. In-house red teams hire selectively, usually with 2+ years of consulting first.
Common mistakes that cost candidates offers
- Rushing into OSCP. The single biggest mistake. OSCP failure rates are high precisely because candidates start before they have 200+ hours of HTB/THM under their belt. Patience here saves money and morale.
- Skipping report writing. Pentesting jobs are 50% writing. Practice on retired HTB boxes — write a full client-style report, not a HTB walkthrough. Hiring managers ask to see one.
- Hoping CEH replaces OSCP. It doesn't. CEH gets you past HR. OSCP gets you past the technical interview. You need both for some federal roles, and only OSCP for most commercial roles.
- No public profile. A barren GitHub and zero CTF presence make hiring managers nervous, OSCP or no. Solve weekly CTFs. Write blog posts on retired boxes. Build a Hack The Box profile.
- Underestimating the 23h45 exam. Sleep. Eat. Don't forget your report. Candidates fail on the report, not the boxes — the proof.txt without a screenshot doesn't count.
Start step 1 right now — no signup
Network+, Security+, and PenTest+ have free practice packs on CertQuests with engineer-written explanations on every question. OSCP itself is on OffSec's site (paid).
Frequently asked questions
How long does it take to become a pentester?
Realistic range: 18–24 months. The first three certs take 12–14 months part-time. OSCP alone takes 4–8 months of dedicated lab time. Most candidates underestimate OSCP and end up taking 12+ months on it. Plan generously.
Is OSCP really required?
Functionally, yes. OSCP is the cert most pentesting job postings list, and it's the cert most hiring managers respect because the exam is hands-on and brutal. PenTest+ alone gets you past some ATS filters but rarely converts to interviews. OSCP is the gate.
Can I skip Security+ and go straight to PenTest+?
Functionally you can — PenTest+ doesn't require Security+ — but you'll struggle with the defensive context (why do orgs care about this finding?) and the legal/ethical sections. Most pentesters who skipped Security+ regret it during their first client engagement.
What about CEH?
CEH (EC-Council) is recognized by HR and DoD 8570 but not respected by working pentesters because the exam is multiple-choice only. You can substitute it for PenTest+ if your target employer specifically requires it (some federal contractors do). Otherwise PenTest+ is the cleaner path.
What does a junior pentester earn?
US median for junior pentester in 2026 is roughly $80,000–$110,000 base, with major metros (NYC, SF, DC) pushing 20–30% higher. With OSCP plus 1–2 years of experience, $130k+ is realistic. Top-tier consulting firms (Bishop Fox, NCC, Mandiant) pay considerably more for senior roles.
Do I need a degree?
Less than for most IT roles. Pentesting is one of the few fields where a strong CTF history, OSCP, and a public bug-bounty record can fully replace a degree. Some federal and clearance-required roles still want a degree on paper, but commercial pentesting hires on demonstrated skill.
How much hands-on practice do I need?
A lot. Budget HackTheBox + TryHackMe seriously: 200+ hours for OSCP alone. Goal: be able to enumerate, exploit, and write up a full machine in under 8 hours. The OSCP exam is 23h45 across multiple machines — only achievable with reflexive enumeration and pivoting muscle memory.
How we wrote this roadmap
No OffSec, HackTheBox, or training-vendor revenue. We don't take money from OffSec, INE, HackTheBox, TCM Security, or any cert vendor mentioned. The sequence is based on what pentesting job descriptions actually require vs. prefer, plus interviews with hiring managers across consultancies and in-house red teams in 2025–2026.
What we'll change without being asked: if OSCP changes its exam structure (it has before), or if a new credential like CRTO becomes the new floor, we'll re-sequence within days. Tell us what you'd change. Last reviewed: April 27, 2026.