BSI-Recognized Certifications for Penetration Tester Competence

In the IT security industry, the term "penetration tester" is not legally protected. For companies, government agencies, and operators of critical infrastructures (KRITIS), an essential question therefore arises when selecting a service provider: How can the actual qualifications of the assigned analysts be objectively measured?

The German Federal Office for Information Security (BSI) creates transparency in this regard through strict certification criteria. For public tenders or audits according to IT-Grundschutz, proof of BSI-recognized certificates is often a mandatory prerequisite. In this guide, we examine the official criteria of the agency and provide an expert assessment of the recognized certifications from our practical perspective.

The BSI maintains an official list of recognized credentials, but explicitly leaves room for modern and equivalent qualifications. Regarding recognition, the agency's core rule states that certificates can be recognized if they are thematically related to the field of penetration testing and contain a verifiable practical component of at least 60%, along with a final exam that also features a high practical component. The core topics and the practical portion must be outlined and justified when submitting the certificates. The BSI then reviews the suitability of an alternative certificate on a case-by-case basis and, if approved, adds it to their official table.

Update note: The official BSI table is continuously updated. The comparison matrix below reflects the current state of our research and does not claim to be exhaustive.

The following certifications are currently recognized by the BSI (as of 06/2026):

Entry-Level Certifications

• Certified Ethical Hacker (Practical) (C|EH)
• CompTIA PenTest+

Advanced All-Rounder Certifications

• PEN-200: Penetration Testing with Kali Linux (OSCP[+])
• HackTheBox Certified Penetration Testing Specialist (CPTS)
• CREST Registered Penetration Tester (CRT)
• GIAC Penetration Tester (GPEN)
• Certified Penetration Testing Professional (CPENT)
• eLearnSecurity Certified Professional Penetration Tester (eCPPT)
• Binsec Academy Certified Pentest Professional (BACPP) - newly officially recognized by the BSI

Web Application Testing Certifications

• WEB-200: Web Attacks with Kali Linux (OSWA)
• WEB-300: Advanced Web Attacks and Exploitation (OSWE)
• eLearnSecurity Certified Web Application Penetration Tester eXtreme (eWPTX)

Infrastructure and Network Penetration Testing Certifications

• PEN-300: Evasion Techniques and Breaching Defenses (OSEP)
• Certified Red Team Operator (CRTO)

Exploit Development & Technical Niches

• GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
• PEN-210: Wireless Network Attacks (OSWP)
• eLearnSecurity Certified eXploit Developer (eCXD) {deprecated}