OSSTMM Professional Security Analyst Accredited Certification (OPSA)



The OPSA is a certification of applied knowledge designed to improve the work done as a professional security analyst. This is an important certification for those who want or need to prove they can walk the walk in data network security analysis, the discipline which covers critical security evaluations and decision-making required in both technical and management fields. And it is a critical, eye-opening class for CISOs, CIOs, CSOs, security auditors, system forensics examiners, network engineers, system and network administrators, developers, network architects, security analysts, and truly anyone who works in IT from systems to networks.

OPSA-certified personnel are in demand around the world as the need to assure that one can provide security analysis skills and ability grows. This challenging certification is provided in technical schools, colleges, universities, and through training partners, all certified by ISECOM to assure consistency, quality, and focus. For this reason, ISECOM can assure any organization of a certified person's level of applied security analysis knowledge, their interaction with the appropriate scientific methods of security evaluation and metrics as outlined in the OSSTMM, and the appropriate ethical requirements of testers in the OSSTMM's Rules of Engagement.


ISECOM recommends students have good knowledge of how networking works, a good understanding of server operations/administration particularly in daemons and services, and some experience with the design of network architecture.

It is important that the student select a training course suited to their skill level. Longer courses will provide a great deal more practice, examples, and coaching, while shorter classes are more suited to those with more practical experience. Classes range from as much as 60 hours over 30 days to as short as 8 hours in a single day. Talk with the regional ISECOM Certified Training Partner for assistance in choosing the right length of class.


The general course is designed to teach critical security thinking, the scientific method, security metrics, and the OSSTMM methodology through security analysis exercises with an internet-based test network, log files, and standard tool outputs. While practicing elements of security analysis, the student is prepared to evaluate the daily changes in security knowledge with the fundamentals of critical security thinking.

The general course is designed as an all-practice course to support the provided theory. Its aim is to teach how to do security analysis properly, focus on facts, and apply the scientific principle to security through coaching, examples, and skill tests. The scope of the exam requires a deep understanding of security; therefore the student can expect the training to focus on practice to master security principles and comprehend data network security according to the situation and environment. The class prepares the student to successfully navigate the exam and to apply what they have learned immediately on the job or in life.

ISECOM provides certification of course trainers and certification of the students who successfully pass the exam. Courses are provided by certified training partners as well as recognized educational institutions under the ISECOM Academic Alliance program. ISECOM does not influence course schedules, course length, provided materials, or course pricing.


The OPSA exam acknowledges the skill and ability to apply security and IT knowledge in a scientific manner, as required for analyzing and measuring data network security according to the OSSTMM, and certifies one's ability to work professionally as an OSSTMM Security Analyst or in any other facet of the discipline of security testing or security analysis.

The OPSA exam requires a total of 50 answers within 4 hours. The purpose of the exam is to show the extent of security analysis accuracy while maintaining efficiency. While it is an open book exam, no communication of any type is allowed. Each question is in the format of multiple-choice single-answer. The exam combines paper-based questions with log files, packet captures, tool outputs, and reports. Each answer requires the accompanying data.


OPSA certification requires a grade of D (60%) or better. Each certificate is accompanied by a transcript which reflects the grade and areas of strengths and weaknesses. The grade of A (90% or better) includes a seal of excellence.

The exam requires mastering the application of the following security skills:

  • Rules of Engagement
    The ability to apply the rules of engagement, as outlined in the latest version of the OSSTMM, to various scenarios.
  • Assessment
    The ability to properly determine the appropriate and legal/regulatory compliant data network security required according to environment, vectors, and channel according to the OSSTMM.
  • Logistics
    The ability to discern forged, incomplete, or poorly collected security information from logs and reports. The ability to quickly assess logs and reports for tampered data, anomalies, flaws or limitations in the network between the tester and the target, calculate measurements on network and service protection techniques and loss controls. The ability to quickly and scientifically design new test types and evaluations to assess uncalculated test responses and anomalies.
  • Metrics
    The ability to accurately calculate and measure scope, protection, and loss controls according to the OSSTMM. The ability to analyze enumeration techniques and discern flaws and fallacies which hinder a thorough test. The ability to build event cases based on flawed, limited, or incomplete data.
  • Correlation
    The ability to correctly and accurately correlate information, differentiate legitimate from forced patterns, substantially minimize bias, and satisfactorily explain anomalies in a scientific manner.
  • Verification
    The ability to discern legitimacy in security by applying scientific critical thinking skills. The ability to discern anecdotal evidence sources from factual sources. The ability to discern that which is necessary publicly available information from that which should remain private.
  • Application
    The ability to analyze required or existing loss controls (e.g., encryption, redundancy, authorization banners, protocol types) according to services, applications, and protocols from logs, reports, and off the wire. The ability to identify the strength of a security application according to operation and environment.
  • Reporting
    The ability to classify new security limitations appropriately. The ability to create an OSSTMM Audit Report.