What do certifications in penetration testing prove?
Certifications provide a structured way to assess knowledge and signal that a specialist has met certain industry standards. However, it is important to understand what these certifications actually represent and, just as importantly, what they do not.
Top 5 most recognized penetration testing certifications
There are several widely recognised certifications in the penetration testing and cyber security field, each focusing on different aspects of security knowledge and practice. Some of the most common include:
- CEH (Certified Ethical Hacker) – focuses on understanding common attack techniques and tools.
- OSCP (Offensive Security Certified Professional) – a highly practical certification that requires hands-on exploitation skills.
- CISSP (Certified Information Systems Security Professional) – covers broader security management and governance.
- CISA (Certified Information Systems Auditor) – focuses on auditing, control, and risk management.
- CompTIA PenTest+ – validates intermediate-level penetration testing skills.
These certifications help establish a baseline. They show that a tester understands security concepts, methodologies, and tools. In some cases, especially with more practical certifications like OSCP, they also demonstrate the ability to apply those skills in controlled environments.
The limitations of certifications
While certifications are valuable, they do not always reflect how a tester performs in real-world scenarios. Exams are often structured, time-bound, and based on predefined challenges. Real systems, however, are far more complex. As our Head of Information Security, Gabrielius Vinciunas, says:
‘Certifications can show that a person understands the theory, but they don’t always prove real competence. It depends on how that certification was achieved. If someone simply learns how to pass the exam, that does not mean they can handle real systems. What matters is whether they actually understand the methodology and can apply it in practice.’
In practice, a tester may hold multiple certifications and still struggle when faced with:
- Complex, interconnected systems.
- Undocumented integrations.
- Unexpected edge cases.
- Business logic vulnerabilities that require deeper understanding.
This is why certifications are an important indicator of commitment and foundational knowledge, but they should always be evaluated alongside practical experience.
Why Real-World Experience Matters
For the best cyber security companies like Baltic Amadeus, certifications provide a strong foundation, but in penetration testing, real-world experience is what determines the quality of the outcome. Modern IT environments are complex, interconnected, and often unpredictable. This is where theoretical knowledge alone is no longer enough.
This complexity is also reflected in current risk trends. Generative AI is now ranked as the most concerning IT risk for organisations worldwide, largely due to its misuse potential, while supply chain and third-party risks follow closely, with around 40% of organisations highlighting them as a major concern. As systems become more interconnected, these risks continue to grow.
Experienced penetration testers analyse how systems behave in real conditions, identify unexpected weaknesses, and understand how different vulnerabilities can be combined to create real attack scenarios.
As our CISO explains:
‘In penetration testing, experience is almost always more important than certifications. Certifications are often needed for credibility, but real value comes from hands-on work. That is where you learn how systems actually behave and where most of the important insights come from.’
Working with complex, regulated environments
Real-world experience becomes especially important in regulated industries such as finance, where systems must meet strict security and compliance requirements. These environments often include multiple integrations, sensitive data flows, and evolving regulatory frameworks.
For example, in our collaboration with the international payment institution ArcaPay, Baltic Amadeus provided CISO services to strengthen the organisation’s overall security posture. Rather than focusing on isolated technical checks, our team worked across governance, risk management, compliance, and incident response.
This included reviewing security policies, guiding the implementation of an Information Security Management System (ISMS), and supporting business continuity planning. The engagement required not only technical expertise, but also a deep understanding of regulatory requirements and how security processes operate in practice.
Beyond technical skills
Experience in real projects also means understanding that vulnerabilities are not limited to code or infrastructure. They can arise from weak processes, misconfigured access controls, or gaps in organisational practices.
A tester who has worked in real environments is more likely to:
- Identify vulnerabilities that are not visible through automated tools.
- Understand how systems interact beyond documentation.
- Prioritise risks based on real business impact.
- Provide recommendations that are practical, not just theoretical.
This is what ultimately separates a basic penetration test from one that delivers real value.
5 Questions to Ask Your Penetration Testing Vendor
Choosing a penetration testing provider is not just about comparing prices or checking a list of certifications. It is also important to ask the right questions before making a decision. These questions can help you move beyond surface-level indicators and evaluate the actual capability of the team.
Here are some of the key questions you should ask:
- What certifications do your testers hold?
Certifications can indicate a strong foundation, but it is important to understand whether they are practical or theoretical and how recently they were obtained.
- How many real projects have they worked on?
Experience across different systems and industries is often a stronger indicator of capability than certifications alone.
- Have they worked in regulated industries?
Experience in sectors such as finance, telecom, or government shows the ability to handle complex environments and strict compliance requirements.
- Do they perform manual testing, or rely mainly on automated tools?
A strong penetration testing approach always includes manual validation and deeper analysis, not just automated scanning.
- Can they explain real attack scenarios based on their findings?
It is not enough to list vulnerabilities. A reliable team should be able to show how those vulnerabilities could be exploited and what the real impact would be.
‘What matters is whether the person can actually demonstrate practical knowledge and explain how they approach real-world problems,’ our CISO highlights.
Asking these questions helps ensure that you are not just buying a report, but investing in a service that provides real security value.
Baltic Amadeus Approach to Penetration Testing
At Baltic Amadeus, penetration testing combines certified expertise with hands-on experience across complex and regulated environments.
Our cyber security team includes specialists with internationally recognised certifications such as CISSP, CISA, CEH, OSCP, CREST, and CompTIA Security+. However, we place equal importance on continuous learning and real project experience, as this is what allows our team to adapt to evolving threats and technologies.
We have worked with organisations in finance, telecom, government, and other industries where security is critical. These projects often involve not only identifying vulnerabilities, but also understanding how systems interact, how risks impact the business, and how to prioritise actions effectively.
For example, in our collaboration with Orion Securities, Baltic Amadeus conducted authorised penetration testing as part of an independent IT security audit.
Our team assessed frontend and backend systems, APIs, and internal infrastructure, identifying risks such as privilege escalation and potential data exposure. We also performed OSINT analysis to evaluate external exposure and combined it with vulnerability assessment across internal and external systems.
Following the testing, the client received a clear, prioritised report with practical recommendations, enabling their team to strengthen security controls. The project was delivered by certified cyber security experts, demonstrating how certifications, combined with real-world experience, create real value.
As Gabrielius Vinciunas notes:
‘If you’re doing a proper penetration test, it’s not one person running a tool. It’s usually a team, because different people bring different expertise and perspectives.’
As a top cyber security company, Baltic Amadeus focuses on delivering results that go beyond compliance. We help organisations identify real risks, understand their impact, and take practical steps to reduce them. Reach out to us with your project.