# Which white-hat hacker certification should you get? [2026 comparison] CEH, OSCP+, Security+, PenTest+, and Registered Security Specialist by purpose

> A comparison of the major white-hat (ethical) hacker certifications, faithful to the latest specs of each issuer (EC-Council / OffSec / CompTIA / (ISC)² / IPA). It organizes CEH v13, OSCP+, Security+ SY0-701, PenTest+ PT0-003, and Japan's national Registered Security Specialist on two axes — 'entry or practical' and 'domestic or global' — and shows, by type (no-experience, offensive, defensive, student), the acquisition order to 'gain trust fastest,' including cost, validity, and renewal obligations.

- Published: 2026-06-28
- Author: 友田 陽大
- Tags: Security, White-hat hacker, Certifications, Ethical hacking, Career
- URL: https://tomodahinata.com/en/blog/ethical-hacker-certification-comparison-ceh-oscp-security-plus-pentest-plus-toroku-sec-guide
- Category: Intro to ethical hacking
- Pillar guide: https://tomodahinata.com/en/blog/white-hat-hacker-ethical-hacker-how-to-become-certification-roadmap-guide

## Key points

- A certification isn't 'proof of ability' but 'a common language to convey your ability to others.' Neither recruiters nor clients have time to closely read your GitHub. A certification works as that 'shortcut to trust.'
- The choice comes down to two axes: 'entry (fundamentals) or practical (proof of attack)' × 'effective domestically or globally.' CEH = breadth, OSCP+ = proof of practical skill, Security+/CC = fundamentals, Registered Security Specialist = domestic public proof.
- Pinned to each issuer's latest spec: CEH v13 (knowledge 125 questions/4h + practical 20 tasks/6h), OSCP+ (24h practical, 70 of 100, new 2024/11 format, expires in 3 years), Security+ SY0-701, PenTest+ PT0-003 (pass at 750), Registered Security Specialist (CBT from FY2026).
- The national 'Registered Security Specialist' needs no work experience for the exam itself, and anyone can take it. But after registration, an online course (once/year, 20,000 yen) + a practical course (once/3 years) are obligatory, renewed every 3 years. It's the most effective for domestic employment and bidding.
- A certification alone isn't enough. It becomes market value only combined with 'hands-on track record' from CTF, bug bounty, and self-made tools. A certification is not a destination but a starting point.

---

Let me state the conclusion first. **A white-hat hacker certification is not "proof of ability." It's "a common language to convey your ability to others fastest."**

Neither recruiters nor companies placing orders have time to closely read your GitHub or CTF write-ups one by one. A certification functions as that **shortcut to trust.** So the question in choosing a certification isn't "which is the most impressive" but **"whom do you want to convey what to."** This article compares each certification faithfully to the latest spec of the official documentation, so you can choose the one that fits your purpose.

> This article is a spoke that independently digs into the certification part of [how to become a white-hat hacker [complete roadmap]](/blog/white-hat-hacker-ethical-hacker-how-to-become-certification-roadmap-guide). For the big picture, see the pillar article first, and for the legal premises, [white-hat hackers and the law](/blog/ethical-hacker-law-japan-unauthorized-access-act-active-cyber-defense-disclosure-guide).

---

## 1. Choose certifications on two axes — "entry / practical" × "domestic / global"

Mapping the many certifications on just two axes makes them clear at once.

```text
                  Works globally
                        ▲
          ISC2 CC ●     │     ● OSCP+ (proof of practical skill, top difficulty tier)
       Security+ ●      │     ● CEH / PenTest+
  (fundamentals, entry) │       (attack techniques, diagnostic practice)
   ───────────────●─────┼─────●───────────────▶ Practical (proof of attack)
   Entry (fundamentals) │
                        ● Registered Security Specialist (domestic public proof, national certification)
                        │     ● Registered Security Specialist + work experience
                  Works domestically
```

- **Horizontal axis (entry ⇄ practical)**: an "entry certification" that systematizes basic knowledge, or a "practical certification" that shows you can actually attack/diagnose.
- **Vertical axis (domestic ⇄ global)**: effective for Japanese employment/bidding/internal evaluation, or valid for jobs worldwide.

Place your purpose on this plane and the certification to get narrows naturally. Below, let's look at each certification accurately by its official spec.

---

## 2. Entry certifications — systematize the fundamentals and step into the ring

### 2-1. ISC2 CC (Certified in Cybersecurity)

[(ISC)²'s CC](https://www.isc2.org/certifications/cc) is a globally common entry-level certification you can take **with zero work experience.** It systematizes 5 security domains broadly and shallowly, suited as the first one for "starting security from now."

- **Positioning**: entry (fundamentals) / global
- **Work experience**: not required
- **Format**: multiple choice
- **Renewal**: a 3-year cycle with the annual maintenance fee (AMF) + continuing education (CPE)

> Note: (ISC)²'s "One Million Certified in Cybersecurity" (free-exam program) has closed new applications, but **already-issued exam codes are usable for the exam until December 31, 2026.** If you have a code, take it early.

### 2-2. CompTIA Security+ (SY0-701)

[CompTIA Security+](https://www.comptia.org/) is the "practical-fundamentals standard" most named on job postings worldwide. You can learn the foundation of both attack and defense without depending on a specific vendor.

- **Positioning**: entry (fundamentals, practical-leaning) / global
- **Current version**: **SY0-701** (started November 7, 2023)
- **Format**: up to 90 questions, 90 minutes (mix of multiple choice + performance-based)
- **Renewal**: a 3-year cycle with continuing education (CE)

For "just one foundation that works globally," Security+ is the leading choice in both cost-effectiveness and recognition.

---

## 3. The most effective national certification domestically — Registered Information Security Specialist (Registered Security Specialist)

If you work in Japan, the **Registered Information Security Specialist (Registered Security Specialist)** is in a class of its own. It's **the only national certification** in the cybersecurity field, and it "works" for bidding requirements, internal evaluation, and job changes. Let me accurately organize the official information (source: [IPA](https://www.ipa.go.jp/jinzai/riss/index.html)).

| Item | Content (official) |
|---|---|
| Positioning | Entry–intermediate, **domestic public proof** (national certification) |
| Work experience for the exam | **Not required** (anyone can take it) |
| FY2026 change | **CBT.** The scope, format (multiple choice + descriptive), and time are unchanged. Subject A / Subject B structure |
| Exam timing (planned) | First exam: around November 2026 / second exam: around February 2027 |
| Registration (to use the title) | After passing the exam, registration is needed. **Only after registering can you call yourself a "Registered Security Specialist"** |

### The "obligation to keep learning" after registration (the decisive difference from other certifications)

The Registered Security Specialist isn't "get it and you're done." After registration, the following courses are obligatory.

| Course | Frequency | Cost |
|---|---|---|
| Online course | Once per year (3 times in 3 years) | **20,000 yen** / time |
| Practical course (IPA / private) | Once per 3 years | Depends on the course |

**The registration validity is 3 years**, and renewal application is up to 60 days before expiry, conditional on having completed all the prescribed courses ([IPA "courses"](https://www.ipa.go.jp/jinzai/riss/forriss/koushu/index.html), [renewal](https://www.ipa.go.jp/jinzai/riss/forriss/koushin.html)).

> **The state's seriousness**: in the [May 2025 "Final summary of the study group for promoting cybersecurity-human-resource development"](https://www.meti.go.jp/press/2025/05/20250514002/20250514002.html), the Ministry of Economy, Trade and Industry set a goal of increasing Registered Security Specialists to **50,000 by 2030** (about 24,000 as of April 2025). For a domestic orientation, it's a certification with a tailwind.

If you aim for domestic employment, SIers, or government projects, the standard path is **Fundamental IT → Applied IT → Registered Security Specialist**, with Security+ added as the global common language.

---

## 4. Practical certifications — prove "you can attack"

Once you've solidified the fundamentals, move to certifications that show your attacking skill. The weight is roughly in the order **CEH < PenTest+ < OSCP+.**

### 4-1. CEH v13 (EC-Council) — "breadth" of attack techniques

[CEH (Certified Ethical Hacker)](https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13-north-america/) is a certification that covers attack techniques systematically and comprehensively. It's well-recognized and often named on job postings.

- **Knowledge exam**: 125 questions, 4 hours
- **CEH Practical (optional)**: [practical 20 tasks, 6 hours](https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-practical/). Pass both the knowledge exam and this for **CEH Master**
- **Renewal**: a 3-year cycle with ECE

While strong as proof of "knowing broadly," as proof of "can actually break in" it falls a step short of OSCP+.

### 4-2. CompTIA PenTest+ (PT0-003) — the balanced type of diagnostic practice

[PenTest+](https://www.comptia.org/en-us/certifications/pentest/) is a certification that tests the whole penetration-testing process (planning, reconnaissance, attack, reporting) from a practical viewpoint. It helps that **you can take it in Japanese too.**

- **Current version**: **PT0-003** (started December 17, 2024)
- **Format**: up to 90 questions, 165 minutes, pass at **750/900**
- **Recommended experience**: equivalent to 3–4 years in a diagnostic role, knowledge equivalent to Network+/Security+
- **Renewal**: a 3-year cycle with CE

### 4-3. OSCP+ (OffSec PEN-200) — the "certificate" of practical skill

[OSCP+](https://www.offsec.com/courses/pen-200/) is the weightiest practical certification, the "gateway" for white-hat hackers. Rather than on paper, it proves "you can actually break in" with a **24-hour straight practical** ([OffSec's official exam guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide)).

| Category | Structure | Points |
|---|---|---|
| 3 standalone machines | 20 points per machine (initial breach 10 + privilege escalation 10) | 60 points total |
| Active Directory set (3 machines) | 10 + 10 + 20 points (post-compromise assumed, with ID/PW granted) | 40 points total |
| **Passing line** | Out of 100 points | **70 points** |

- With the **new format from November 1, 2024**, the conventional bonus points are **abolished.** It's judged purely on the practical result.
- **OSCP+ expires 3 years after issuance** (the old OSCP remains indefinite).

To show "practical skill" to the market fastest from no experience, **Security+ → PenTest+ → OSCP+** is the standard route, balancing cost against difficulty. Beyond that, for managerial and consulting tiers, **[(ISC)² CISSP](https://www.isc2.org/certifications/cissp/cissp-experience-requirements)**, which requires 5 years of work experience, waits as the "ceiling" (up to 1 year of experience can be waived with a degree or an approved certification).

---

## 5. An overview in a table

| Certification | Issuer | Axis | Practical | Work experience | Validity |
|---|---|---|---|---|---|
| ISC2 CC | (ISC)² | Entry, global | × | Not required | 3 years (CPE) |
| CompTIA Security+ | CompTIA | Entry, global | △ | Recommended only | 3 years (CE) |
| Registered Security Specialist | IPA (national) | Domestic, public | × | Not required for the exam | 3 years (course + renewal) |
| CEH v13 | EC-Council | Practical, global | ○ (optional) | Recommended | 3 years (ECE) |
| PenTest+ | CompTIA | Practical, global | ○ | Recommended 3–4 years | 3 years (CE) |
| OSCP+ | OffSec | Practical, global | ◎ (24h) | Recommended | Expires in 3 years |
| CISSP | (ISC)² | Advanced, management | × | **5 years** | 3 years (CPE) |

> Exam fees are revised. **Always confirm the latest amounts on each official site.** This article intentionally doesn't write fixed amounts (old amounts cause misunderstanding).

---

## 6. "By-purpose" fastest routes

```text
Completely inexperienced, domestic-employment focus   Fundamental IT → Applied IT → Registered Security Specialist (+ Security+ as the global common language)
Going offensive (pentesting)                          ISC2 CC / Security+ → CEH (knowledge) → PenTest+ → OSCP+ (practical)
Going defensive (defense / audit)                     Security+ → Registered Security Specialist → (later) CISSP
Student / junior, "just one first"                    Security+ (works worldwide, best cost-performance foundation)
```

---

## 7. Think about certifications "with types" — an engineer's way of comparing

Finally, an engineer-like aside. I manage this site's article clusters and CTA flows all as a single source of truth **constrained by types.** Modeling certification comparison with the same idea lets you handle it without omissions, mechanically. Below is a minimal type-safe model that shows the thinking (TypeScript).

```ts
// certifications.ts: model the certification data "with types" and make it the single source of truth for comparison.
// `as const satisfies` guarantees the "shape of the data" at compile time (no escape hatches in the types).
type Track = "foundation" | "offensive" | "defensive";
type Provider = "EC-Council" | "OffSec" | "CompTIA" | "ISC2" | "IPA";

interface Certification {
  readonly id: string;
  readonly name: string;
  readonly provider: Provider;
  readonly track: Track;
  readonly handsOn: boolean; // does it include a practical exam?
  readonly experienceRequired: boolean; // is work experience required to sit the exam?
  readonly validityYears: number | null; // null = indefinite
}

const CERTIFICATIONS = [
  { id: "cc", name: "ISC2 CC", provider: "ISC2", track: "foundation", handsOn: false, experienceRequired: false, validityYears: 3 },
  { id: "security-plus", name: "Security+ (SY0-701)", provider: "CompTIA", track: "foundation", handsOn: false, experienceRequired: false, validityYears: 3 },
  { id: "toroku-sec", name: "登録セキスペ", provider: "IPA", track: "defensive", handsOn: false, experienceRequired: false, validityYears: 3 },
  { id: "ceh", name: "CEH v13", provider: "EC-Council", track: "offensive", handsOn: true, experienceRequired: false, validityYears: 3 },
  { id: "pentest-plus", name: "PenTest+ (PT0-003)", provider: "CompTIA", track: "offensive", handsOn: true, experienceRequired: false, validityYears: 3 },
  { id: "oscp-plus", name: "OSCP+", provider: "OffSec", track: "offensive", handsOn: true, experienceRequired: false, validityYears: 3 },
] as const satisfies readonly Certification[];

// Pure function that looks up candidates by purpose (track). Returns an empty array when nothing matches and never throws (a total function).
export const certificationsByTrack = (track: Track): readonly Certification[] =>
  CERTIFICATIONS.filter((cert) => cert.track === track);
```

This stance — **"fix the shape of data with types and confine judgment to pure functions"** — works equally for choosing certifications and for designing secure apps.
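Applying the same stance to the section 6 routes, as an added example that is not the article's own code: the purposes become a discriminated union whose `switch` must be exhaustive, and the renewal obligation (3-year validity, renewal window up to 60 days before expiry, indefinite validity for the old OSCP) is computed from the typed data instead of being remembered. The `Purpose` and `CertId` names are assumptions of this example.

```typescript
// Added example (not from the original article). Purpose and CertId names are assumed here;
// the 3-year validity and the 60-day renewal window are the figures stated in the article.
type Purpose = "domestic-employment" | "offensive" | "defensive" | "student-first";
type CertId =
  | "fundamental-it" | "applied-it" | "toroku-sec" | "cc" | "security-plus"
  | "ceh" | "pentest-plus" | "oscp-plus" | "cissp";

// Total function: the `never` branch turns a forgotten Purpose into a compile error.
export function routeFor(purpose: Purpose): readonly CertId[] {
  switch (purpose) {
    case "domestic-employment": return ["fundamental-it", "applied-it", "toroku-sec", "security-plus"];
    case "offensive":           return ["security-plus", "ceh", "pentest-plus", "oscp-plus"];
    case "defensive":           return ["security-plus", "toroku-sec", "cissp"];
    case "student-first":       return ["security-plus"];
    default: {
      const unreachable: never = purpose;
      throw new Error(`unhandled purpose: ${String(unreachable)}`);
    }
  }
}

type RenewalStatus = "valid" | "renewal-window" | "expired";
interface Renewal { readonly expiresOn: string | null; readonly status: RenewalStatus; }

const DAY_MS = 86_400_000;

// Expiry = issue date + validityYears (null = indefinite, e.g. the old OSCP). The status becomes
// "renewal-window" once today is within `windowDays` of expiry, and "expired" once expiry has passed.
export function renewalStatus(
  issuedOn: string, validityYears: number | null, today: string, windowDays = 60,
): Renewal {
  if (validityYears === null) return { expiresOn: null, status: "valid" };
  const expiry = new Date(issuedOn);              // ISO "YYYY-MM-DD" parses as UTC midnight
  expiry.setUTCFullYear(expiry.getUTCFullYear() + validityYears);
  const now = new Date(today).getTime();
  const windowStart = expiry.getTime() - windowDays * DAY_MS;
  const status: RenewalStatus =
    now > expiry.getTime() ? "expired" : now >= windowStart ? "renewal-window" : "valid";
  return { expiresOn: expiry.toISOString().slice(0, 10), status };
}
```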

---

## 8. A certification is a starting point, not a destination

Finally, the most important thing. **A certification isn't ability itself.** Even with OSCP+, it's meaningless if your hands don't move on the actual scene, and there are plenty of people producing results in bug bounty without certifications.

The people who get evaluated are, without exception, the multiplication of **certification × "hands-on track record."**

- Rank or write-ups on standing **CTF** platforms (picoCTF / Hack The Box / TryHackMe)
- Confirmed reports in **bug bounty** (HackerOne / Bugcrowd) (→ [getting started with bug bounty](/blog/bug-bounty-getting-started-hackerone-bugcrowd-scope-report-disclosure-guide))
- GitHub of **self-made tools** or vulnerability verification
- Output at study groups, talks, and blogs

How to make that "place to move your hands" is concretely explained in [the self-study roadmap: build a legal lab at home](/blog/ethical-hacking-home-lab-kali-juice-shop-ctf-self-study-roadmap-guide). Step into the ring with a certification and win with track record — don't get this order wrong.

> **For companies:** if you're torn between "developing this talent in-house or having an external expert diagnose it," [white-hat hacker work, salary, and career](/blog/ethical-hacker-career-path-salary-job-roles-freelance-guide) organizes the judgment axis of "hire vs. entrust." If you only need pre-release vulnerability diagnosis/audit, entrusting it externally is faster and more reliable than developing talent.

---

### References (official primary sources)

- [EC-Council CEH v13](https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-v13-north-america/) / [CEH Practical](https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-practical/)
- [OffSec PEN-200 (OSCP+)](https://www.offsec.com/courses/pen-200/) / [OSCP Exam Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide)
- [CompTIA (Security+ / PenTest+)](https://www.comptia.org/)
- [(ISC)² CC / CISSP](https://www.isc2.org/certifications)
- [IPA Registered Information Security Specialist (Registered Security Specialist)](https://www.ipa.go.jp/jinzai/riss/index.html) / [METI human-resource development final summary (May 2025)](https://www.meti.go.jp/press/2025/05/20250514002/20250514002.html)
