The platform is the product. Your education is a convenient side effect. And when training becomes a commodity, there’s a good chance the skill set it teaches is in the final stage of its demand.
Before the Gold Rush
Back in 2009, when I made the jump from shoddy game hacking to - ahem - hacktivism (no, I will not elaborate further), the only well-known certification of ability was the Certified Ethical Hacker (CEH) from EC-Council. They claimed the honor of creating the “first performance based ethical hacker certification”.
Whether that was accurate or not will have to be verified by truer veterans, but it certainly wouldn’t stay “performance based” for very long. The exam eventually got shorter and there was nothing practical about it, at least not when I took it in 2016.
CEH existed but was irrelevant to me. As a broke middle-schooler discovering computer hacking, one meager year after the release of the infamous Hacking: The Art of Exploitation, 2nd Edition, any money I had to my name was going to Lego sets and airsoft. All my learning took place in forums and IRC channels, the logical successors of the post-BBS online hacking scene.
I learned how to use Nmap by reading the documentation.
I learned SQL injection after learning SQL first, how to use Linux by setting up file shares and web servers for my friends, and how to write malware by convincing the right people that I was worth sharing source code with.
Then came the OSCP. The certification that proved you knew your shit.
24 hours in a lab with machines to hack, points to earn, and a report to write with what little energy you had left. It was a badge of honor that demanded respect, and few people had it. But enshittification comes for all, and once the OSCP landed in a job posting under “preferred qualifications” for the first time, our journey as an industry to where we are now officially began.
The OSCP became a nigh-invincible staple for recruiters in the 2010s. Offensive Security, the company that designed the course and proctored the exam, realized they could make it a revenue engine — and so began what would eventually become a certification “ecosystem.”
Soon came other certifications like the original OSCE, a more advanced version of the OSCP that placed heavy emphasis on binary exploitation, as well as web and Wi-Fi oriented courses, all of which became household names for security professionals across the world.
OffSec had struck a gold mine, but they weren’t going to get away with keeping it to themselves.
The Disruptions That Learned Nothing
See, the value of the certification itself had gone up. Now there was demand for it in the job market. When you purchased Penetration Testing with Kali Linux, the companion course for the OSCP, it came with an exam voucher. The certification itself was the value holder, not the course content, since it was what proved you knew what you were doing.
With the demand increase came rising costs, and the price hikes made room for disrupters. HackTheBox and TryHackMe undercut the education piece for a fraction of the cost by removing the credential from the equation — with a far more accessible format than OffSec’s do-it-yourself PDF and lab approach.
In a single, polished web platform where much of the content was completely free, the early chapters of the penetration testing methodological corpus had been effectively democratized. However, though they had decoupled the credentials from the coursework and made education more accessible, the signal was starting to get lost in the noise.
The inevitable convergence of democratized training and credentials that boosted hirability was not far off: PNPT, eJPT, and others, where previously only CEH had any sway against the OSCP (not much, for obvious reasons).
The skill set that had previously derived its value from context and pre-existing technical background was now modularized, packaged, and sold in shiny bundles built on publicly available resources. Credentials attached, resume parsers happy.
The VC Deal That Always Ends the Same Way
Running training platforms costs money. You can’t have hundreds of thousands of aspiring hackers spinning up little virtual machines to run Nmap against 24/7 without bleeding money. Luckily, there’s a whole industry that has made hemorrhaging capital its modus operandi: venture capital.
Taking on external funding meant adopting the same prime directive as every Silicon Valley unicorn before them, the one that always ends the same way: make more money so we can all exit handsomely.
Investors need recurring revenue more than life itself. And it has to go up, of course, so training platforms turned to building their own certification ecosystems and leaderboards, all while keeping the dream of employment alive and hoping to ride the OSCP’s coattails with the HR reps reviewing job applications.
HackTheBox introduced “VIP”, which let you hack on your own instance of a target machine instead of the public ones that were constantly being reset. TryHackMe added premium learning paths that you could access with a subscription.
One by one, they switched to recurring “all access” models — one easy platform, a stack of acronyms, and a promise that it’s all you need to land your dream hacking job.
The AI Pivot Is Just the Latest Version of This
TryHackMe founder Ben Spring has a new company. NoScope sells an AI-powered pentesting platform — not to practitioners, but to the companies that hire them.
I’ve seen many reactions, the gist of which seems to be that a company that made its name educating people to do actual work has potentially used training data from people to build NoScope.
I get it - to an extent. There are approaches to practitioner augmentation like Praetorian’s, releasing what I imagine are open-source versions of internal tooling. Then there are profit-seeking approaches like NoScope, which sell their AI augmentation tooling to companies for a fee.
This dichotomy has always existed. Sliver and Cobalt Strike, Nuclei and Nessus - the open-source vs. paid divide has always been with us. What’s different now is who is doing the buying and what they’re being told it replaces.
AI “autonomous pentesting” — and even worse, “autonomous red team” — is poised to be the next thing companies, not practitioners, want to see. The race to a profitable exit is blatant, and it’s not going to change.
Those two things are being sold to people who buy tools, not use them. I’ll give you one guess which group is most upset by it.
What To Do About It
The goal is money. It is almost always money.
If you learn genuinely useful tradecraft and grab a cert along the way, great. But your professional development is not the primary purpose of any flashy training platform — especially one backed by venture capital or private equity.
So it’s up to you. Instead of outsourcing your education to companies that don’t actually care about it, take it upon yourself to explore.
Set up a home lab. Augment your own workflow (you do have a documented methodology, don’t you?) with open-source agentic tooling. Use it to make yourself a force multiplier that can stand up one day in the future and show a customer exactly why buying an expensive AI pentesting tool was a risk calculation error.
Or, you know, don’t. Just don’t be surprised when you’re staring at the back of the industry’s head as it flies away on this rocket ship.