More Certifications: BSCP, OSDA, OSMR, and CRTO

It’s been three years since my last update to this website. But here I am, sharing some updates about my cybersecurity certification journey. Over the past few years, I’ve earned the Burp Suite Certified Practitioner (BSCP) from PortSwigger, the Offensive Security Defense Analyst (OSDA) and Offensive Security macOS Researcher (OSMR) from OffSec, and the Certified Red Team Operator (CRTO) from Zero-Point Security.

Here are some quick thoughts about each, in a much more concise format than my previous certification reviews.

BSCP (Burp Suite Certified Practitioner)

If you are trying to find a job as a penetration tester, keep this in mind: the daily routine of application penetration testing is very different from preparing for the OSCP or playing on Hack The Box. You will spend a lot of time in front of Burp Suite, testing application after application, usually in a time-boxed manner. Once you finish one application, you immediately start testing the next. Given this, I’m surprised the BSCP isn’t the single most requested certification for web pentesting roles.

This certification not only covers all web application vulnerability categories, but it also teaches you how to find them and create proofs of concept using Burp Suite, the primary tool you will use on the job. The syllabus is focused, targeting exactly what you need without unnecessary filler. You won’t learn to catch a reverse shell here, but then again, you never do that during real-world web application pentests anyway.

The course and labs are free to access on the PortSwigger Web Security Academy, which is regularly updated with new labs and vulnerability categories. You only pay for the exam itself, which lasts 4 hours and is quite straightforward.

This certification definitely deserves more praise and recognition than it currently gets.

OSDA (Offensive Security Defense Analyst)

This is my only defense-focused certification. It’s a solid introduction to defensive security basics, though it doesn’t go very deep. For me, the course was highly valuable because it complemented my red team experience by showing me what the blue team actually sees. This perspective has visibly improved my offensive approach (and streamlined my payload testing against EDRs).

The learning path is straightforward: do the labs, complete the challenges, and you’re ready for the exam. There’s no need for external research or extensive preparation. The exam itself is only slightly longer than the largest challenge in the labs.

That being said, I actually had to take the exam twice. The first time, I mistakenly thought I had 48 hours and completely mismanaged my time, I even went to sleep thinking I could easily finish it the next morning. It turned out the exam was only 24 hours!

My only advice for the exam: if a log or artifact is missing, it might simply not be there. It’s perfectly fine to fill in the blanks of what the SIEM missed with reasonable assumptions, as long as you state them clearly in your report.

OSMR (Offensive Security macOS Researcher)

This was a really interesting course. I say “was” because OffSec has since retired it. It’s a pity, and while I’m not sure what prompted the decision, I hope it wasn’t my fault (well, I know it wasn’t!).

The course was an overall great introduction to application penetration testing on macOS. It guided you through macOS security architecture and various exploitation techniques for privilege escalation and security mechanism bypasses. Despite having no prior experience with the macOS ecosystem, Objective-C, or many of the other concepts presented, I found the material well-structured and easy to follow. There is also plenty of depth for those who want to go deeper, including modern x64 and ARM64 assembly programming.

However, I took the course during their transition from x64 to ARM64, and the study materials were a bit of a mess. There were no online labs (meaning you needed your own Apple Silicon Mac to follow along), the videos hadn’t been updated to match the new architecture yet, and the PDF guide was essentially being rewritten live as I studied. The exam was fun but chaotic. I actually had to buy a Hopper Disassembler license during the exam after failing to get timely support from OffSec. On top of that, only one of the four objectives was genuinely challenging: one could be bypassed in a completely unintended way, and another was a carbon copy of an exercise already solved in the course materials.

At the end of the course, they asked me for feedback and I sent a very detailed and honest email expressing my disappointment with the course quality. I specifically highlighted that, given OffSec’s usual standards, I expected much better.

If they bring it back with their typical high-quality labs and materials, I would definitely recommend it. It’s not a must-have, but if you like OffSec courses, you will like this one.

CRTO (Certified Red Team Operator)

This one was recommended to me by several colleagues who dislike OffSec’s “try harder” philosophy. However, I have very mixed feelings about this course’s alternative approach.

I approached the CRTO with the same mindset I had for OffSec’s OSEP, which was a mistake. You don’t need to put in much effort to get through the material. While the written content is a good read, the labs feel like playing an old point-and-click adventure game (like Monkey Island): you simply follow a list of instructions, the platform types the command into the terminal for you, and you press enter. Every single click is detailed in a bulleted list in the sidebar. Because of this, the labs require almost zero critical thinking. When I finished, I felt like I hadn’t learned much, and I probably wouldn’t have fully grasped the concepts if I hadn’t already done OSEP.

That said, a better way to look at the CRTO is to view it as the BSCP equivalent for Cobalt Strike. From that perspective, it’s an excellent course for the price. For £399, you get what is essentially a comprehensive cheat sheet for executing a red team engagement using Cobalt Strike. Plus, you get lifetime access to the materials, meaning all future updates are free.

Another interesting aspect is the exam, which differs from others I’ve taken because simply achieving the objective isn’t enough. In an OffSec exam, getting caught by antivirus just means you have to find another bypass. In the CRTO, however, AV detections cost you points, which can cause you to fail even if you compromise the entire network. Honestly, it took me a few attempts to pass, as it doesn’t take many detections to fail.

All in all, it is definitely worth the price. Especially if you or your team use Cobalt Strike daily, it is worth buying just to keep the reference materials handy.

What next?

I’ve already started preparing for the CARTP (Certified Azure Red Team Professional) certification. It’s too early to give a verdict, so I’ll wait to see how the exam goes.