Thoughts of an Infosec Training and Certification Junkie: Part 1

sif0
12 min read · Aug 24, 2023

The opinions expressed in this material are solely my own and do not express the views or opinions of people, institutions, or organizations that I may or may not be associated with in a professional or personal capacity unless explicitly stated.

It has been five fantastic years since I jumped into this challenging career! To celebrate (or do something about it), I decided to write my honest impressions on the certifications and the accompanying training I took during those five years.

Photo by Ryan Johns on Unsplash

Cybersecurity is a vast field. It moves at a rapid pace. Tomorrow, there will be a new technology that needs to be secured, a new vulnerability to patch, a new way to detect a technique, a new way to bypass endpoint detection, a new WAF bypass, etc. How do you keep yourself updated and relevant? How do you stay sharp? How do you expand your skillset to make yourself future-proof and not be replaced by AI?

My answer to that is to take training and certifications. I love learning and conquering exams! The fact that I conquered known certifications sky-rocketed my growth and opened doors of opportunities I did not imagine possible 3–5 years ago. I am blessed enough to be with employers that fully support my development (almost all; there is one that... we don’t talk about that here).

Most of the certifications I took were either free or paid out of pocket. I invested in this, as I believe that one of the best investments is yourself. Also, companies have their priorities (good or bad), and sometimes, equipping individuals with the necessary training barely makes the cut. So, I have made it a point that the main enabling factor of my career growth should be myself. Sure, having them send me to training is very welcome, and I expected that during my early years. Now, I don’t. I guess I became more independent.

I have spent the last four years of my career doing offensive security-related work. I have worked on several vulnerability assessments, pentests (web app, network, wifi, mobile), security code reviews, threat modeling, security architecture, etc. However, the first year of my career focused on defending systems and incident response. I still have that skillset up my sleeve and continue to practice it (and take training for it) even though I am doing pentesting full-time. You will see evidence of that progression in this whole “writeup.”

I have earned 12 industry certifications from GIAC, Offsec, CompTIA, EC-Council, Altered Security, and Cisco as of this writing. The sections below should describe my experience and takeaways after contemplating TODAY. The way I looked at these things years back (such as when I was taking training) is most likely different from how it is today. So please consider that while reading.

CCNA CyberOps

Overview

CCNA CyberOps is my first industry security certification. Cisco launched a global scholarship to address the workforce gap, as addressed in their blog. I got into the program. The training and exam preparation process helped me build my blue team fundamentals as this cert prepares you to become an L1 SOC analyst. Cisco Authorized Learning Partners delivered the whole program, which provided mentoring and coaching. It was my first experience of having “classmates” from different countries.

The program included two self-paced courses: “Understanding Cisco Cybersecurity Fundamentals” (SECFND) and “Implementing Cisco Cybersecurity Operations” (SECOPS), each costing $300. I got this for free due to being on the scholarship.

Takeaways

This was my first taste of the following concepts: network-based analysis, host-based analysis, cryptography, operating systems (Linux and Windows), security monitoring, attacker techniques, vulnerability scoring, and a LOT more. When I look at the topics covered here, I can say it is similar to CompTIA’s CySA+ certification.

I believe that version of the certification is no longer offered, and Cisco has released a newer version. I have not reviewed its contents and have not read many public reviews from it.

Exam Experience

To earn the CCNA CyberOps certification, you need to pass two multiple-choice exams. I had to go to a Pearson-accredited testing center. The exam experience depends on the Pearson testing center you will go to. You will know your results once you complete the exam. There is a new version now, and I believe only one exam is needed to pass. The current cost of the exam attempt is $300.

Final Thoughts

I have not found a job posting explicitly looking for this cert. Therefore, I do not recommend taking it unless there is a solid need to (employer or customer requires it). You might be better off taking CySA+ if you want to get a cert related to SOC operations around the same budget.

CEH (Practical)

Overview

EC-Council is known for its CEH certification. If there is one ethical hacking certification HR knows, it is CEH. That exam is multiple-choice. The CEH (Practical) is hands-on, where you use a Kali virtual machine and use hacking tools. They say this is the next step after passing the multiple-choice exam.

I signed up for this for two reasons: there was an ongoing scholarship, and I wanted to have CEH as a credential because it is famous and would help me bypass HR filters if I ever look for a new opportunity. Also, HR does not know the difference between CEH and CEH (Practical). They will assume you passed the multiple-choice exam, not the hands-on one.

The scholarship I referred to above is called “EC-Council Ethical Hacking Scholarship 2020”. It is a scholarship, so I was under the assumption it was free — so I signed up. However, when you got in, there was a catch! I had to pay a processing fee of $99. Well played EC-Council! I paid for this out of pocket. The current exam cost is $550.

Exam Experience

The exam is proctored and can be taken remotely. You will perform tasks related to ethical hacking. The proctoring experience is underwhelming. It was the worst exam experience I’ve ever had. Overall, the exam was OK. I was familiar with the tools since it’s the standard Kali VM.

However, the virtual environment was slow and outdated. Scanning took some time, applications were clunky, and the version running on the Kali VM was two years old. I was actually fighting the environment most of the time rather than focusing on the questions of the exam.

Takeaways

I did not learn anything significant while preparing for this certification exam since, when I reviewed the exam objectives, I felt that I had the skillset in place. To be honest, I did not prepare at all aside from checking the exam objectives. The takeaways would probably be the obscure tools you might use in the exam that I had not heard of before.

Final Thoughts

CEH is one of the most popular pentesting / ethical hacking certifications. It introduces hacking tools and techniques, and I consider this a beginner certification for those trying to get into pentesting.

I can recommend taking this certification to comply with job posting requirements. However, do not assume that after passing this, you are fully qualified to do pentesting work (at least to a standard that brings value to your customer). You should be looking at GPEN or OSCP. However, if you aim to get your first hands-on certification related to pentesting, I recommend eLearnSecurity’s eJPT.

CRTP (Certified Red Team Professional)

Overview

The CRTP exam was initially offered under Pentester Academy (before INE acquired them). Now, they operate under Altered Security. The accompanying training for the CRTP exam is called “Attacking & Defending Active Directory.” The course developer and instructor is still Nikhil. He congratulated me and asked for feedback when I passed the exam, which I believe is a great gesture. He’s a great guy, and the content of the course is equally great.

Previously, when you purchased the course, you got videos, a PDF, and VPN access. Now, they offer boot camps where you can take the class live. I have not tried that yet. The current cost for 30-day lab access + lifetime access to course material + one certification attempt is $249. I paid for this course out of pocket.

Takeaways

The lab and the exam were phenomenal. The content of the course, supplemented by the labs, helped me tremendously in understanding how to compromise and defend Active Directory environments. It teaches the attacks and how you can detect them. From describing what an OU (Organizational Unit) is in Active Directory to Cross Trust attacks, this course covers everything that is AD-related.

The tradecraft in this course is heavily focused on PowerShell. That was the case when I took it. Though there are a lot of controls in place today to prevent/detect PowerShell, you will still find environments where that is not heavily implemented. Also, learning PowerShell before transitioning to .NET (which is quite old tradecraft as well) is paramount as you build your career to being a red teamer. If you are looking for a certification to prepare you on how to do a pentest on an enterprise, CRTP should be on your list.

Exam Experience

You can take the exam remotely and start anytime; it is not proctored. You will be given 24 hours to compromise the environment and write a report. You will know the results within 48 hours. I had no issues during the exam. The environment was stable.

Final Thoughts

I highly recommend this course if you want training that builds your AD fundamentals (offensive and defensive) and PowerShell tradecraft. Don’t assume that after you earn this certification, you are ready to conduct a full-scale red team assessment. It teaches you how to dominate a domain AFTER getting access. That is very important. Techniques such as lateral movement, dumping credentials, and all that good stuff are covered well in the course.

However, it does not cover how to get access (which IMO is the most challenging part of a red team assessment) and how you can write a “service offering ready” report.

Offsec Certified Professional (OSCP)

Overview

The OSCP certification is very well-known in the industry. Some say it is one of the most challenging exams (they are partially wrong; it is difficult, but definitely not the hardest). The “Penetration Testing with Kali Linux” by Offsec is the training that prepares you for it. It has undergone significant changes, such as incorporating Active Directory in the course content in the last few years. The current cost of the course and cert bundle is $1599. You can take it via their Learn One offering (which IMO is better) at $2500.

I wrote about my journey to becoming an OSCP. You can check it out for further details on how I prepared. My employer at that time paid for this course.

Takeaways

Passing this certification was critical to my pentesting career. The content, lab, and exam provided an experience that forever shaped my skills. It taught me how to research. What if the PoC in exploit-db doesn’t work? You look at the code and make the necessary modifications. Does the exploit match the architecture? Is the shellcode in the PoC for x64 or is it for x86?
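The architecture question above is one you can answer before ever running a PoC. The following is an added example, not code from the original post or from any course: it reads the machine field from an ELF or PE header to learn what the target was built for, and applies a simple heuristic to raw Linux/Windows shellcode (a `syscall` instruction or REX.W prefixes point to x86-64, `int 0x80` points to 32-bit x86). The sample headers and shellcode bytes are constructed inline so it runs offline; the heuristic is a hint, and a disassembler is the authoritative check.

```python
import struct

# Machine identifiers from the ELF and PE specifications (only the common ones).
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "AArch64"}


def target_arch(data: bytes) -> str:
    """Return the architecture a target binary was compiled for, from its header."""
    if data[:4] == b"\x7fELF":
        # e_ident[EI_DATA] (offset 5): 1 = little-endian, 2 = big-endian.
        # e_machine is the 16-bit field at offset 18 of the ELF header.
        endian = "<" if data[5] == 1 else ">"
        (e_machine,) = struct.unpack_from(endian + "H", data, 18)
        return ELF_MACHINES.get(e_machine, f"unknown ELF machine 0x{e_machine:x}")
    if data[:2] == b"MZ":
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature; the
        # COFF Machine field follows the signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("MZ header without a PE signature")
        (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
        return PE_MACHINES.get(machine, f"unknown PE machine 0x{machine:x}")
    raise ValueError("not an ELF or PE file")


# Opcodes that commonly follow a REX prefix in x86-64 shellcode
# (xor, mov r/m, mov r, lea, add/sub imm, mov imm, movabs).
_REX_FOLLOWERS = {0x31, 0x89, 0x8B, 0x8D, 0x83, 0xC7} | set(range(0xB8, 0xC0))


def shellcode_arch_hint(sc: bytes) -> str:
    """Heuristic: guess whether raw shellcode is x86 or x86-64."""
    has_syscall = b"\x0f\x05" in sc   # x86-64 Linux `syscall`
    has_int80 = b"\xcd\x80" in sc     # 32-bit Linux `int 0x80`
    if has_syscall and not has_int80:
        return "x86-64"
    if has_int80 and not has_syscall:
        return "x86"
    # Windows or syscall-free shellcode: fall back to counting REX.W prefixes.
    rex = sum(1 for i in range(len(sc) - 1)
              if 0x48 <= sc[i] <= 0x4F and sc[i + 1] in _REX_FOLLOWERS)
    return "x86-64" if rex >= 2 else "unknown"


def exploit_matches(shellcode: bytes, target_binary: bytes) -> bool:
    """True only when the shellcode hint and the target header agree."""
    hint = shellcode_arch_hint(shellcode)
    return hint != "unknown" and hint == target_arch(target_binary)


# Constructed sample headers (not real binaries): just enough bytes to parse.
SAMPLE_ELF64 = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
                + struct.pack("<HH", 2, 0x3E) + b"\0" * 44)
SAMPLE_ELF32 = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8
                + struct.pack("<HH", 2, 0x03) + b"\0" * 36)
SAMPLE_PE64 = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
               + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18)

# Constructed sample shellcode: classic Linux execve("/bin//sh") stubs.
SAMPLE_SC_X64 = (b"\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\x50"
                 b"\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7"
                 b"\xb0\x3b\x0f\x05")
SAMPLE_SC_X86 = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
                 b"\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")

if __name__ == "__main__":
    for name, blob in (("elf64", SAMPLE_ELF64), ("elf32", SAMPLE_ELF32), ("pe64", SAMPLE_PE64)):
        print(f"{name}: {target_arch(blob)}")
    print("x64 shellcode against elf32 target:", exploit_matches(SAMPLE_SC_X64, SAMPLE_ELF32))
```

In practice you would pass the bytes of the real target (`open(path, "rb").read()`) and the shellcode extracted from the PoC; a `False` from `exploit_matches` is the cue to swap the payload before spending hours debugging a "broken" exploit.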

The capability to research and understand why something doesn’t work is a vital skill in infosec. I further enhanced that skill when I was preparing for this. The training will help you build skills you will never forget.

When I was taking the training, I was under the assumption that I could rush through everything without taking a rest. That was my mindset when I was young. Many young people do that. As I aged, I realized that is not true.

When you do infosec for a living, it’s mostly 8–5 work. You have to take breaks in between. One of the key takeaways I realized when I took the exam was the magic of taking a break. I apply that now. If I am in a dead slump during my assessment, I stand up, take a break, and occasionally take a walk.

Exam Experience

The exam is proctored. Your camera will be open throughout the exam. You can sleep and take breaks! You need to inform the proctor before doing so. It is essential to take breaks.

The objective of the exam is to gain 70 points. You have 24 hours to complete the exam and another 24 hours to write a report. You will not know your score. It’s either a PASS or a FAIL. Refer to the OSCP Exam FAQ for other questions.

Final Thoughts

If you want to get into pentesting (and be hired by larger firms), I highly recommend attempting the OSCP. The experience and struggles are worth it. Do note that it’s not for the faint of heart, and I understand it’s not for everyone. Some say it’s too CTF-y. A lot of people have failed this exam. You might be surprised that even those well-known in the industry have failed several times. Eventually, they passed. It is a challenging exam.

A friend once said passing the OSCP awakens your “Sharingan” (a Naruto reference). You will be a different person when you pass the exam. The cert will also open opportunities for you globally. One thing I have observed (at least from my experience) is that OSCP (or a similar skill set) is the baseline for known pentesting firms.

OffSec Experienced Penetration Tester (OSEP)

Overview

The OSEP certification is one of the more recent certifications released by Offsec. It is a logical continuation of the OSCP. The training, “PEN-300: Advanced Evasion Techniques and Breaching Defenses”, focuses on client-side attacks used in initial access (phishing with macros). There is also a heavy focus on AD lateral movement and exploitation. A lot of Kerberos and delegation attacks are covered here! Refer to the course page for the details of what they cover. The current cost of the course and cert bundle is $1599. You can also take it via their Learn One offering (which IMO is better) at $2500. I paid for this course out of pocket. When this course was released, I signed up for it as early as possible.

Takeaways

One of my main takeaways here includes a deep understanding of client-side attacks (macros, JScript), process injection, bypassing application allowlisting, and endpoint detection evasion. Understanding how to create obfuscated malware and the idea of the “cat and mouse game” played by the offense and defense resonates heavily during the course. I have heard that some of the techniques in the course will not work today. I am uncertain which ones. I recommend you join the Offsec Discord server and ask around there. The content on process injection and migration was exceptional as well. You will also learn how to create your own tooling. One of the starting points to bypassing detection is writing your own tools. You will learn the fundamentals here. One example is creating a binary to inject shellcode into a remote process. Though Meterpreter can do that, writing code that does that for you is satisfying.

Another major takeaway from the course is lateral movement. When you do the labs, lateral movement in a Windows environment becomes second nature. You get Administrator on a box; you bypass endpoint detection, you dump creds, and you do pass-the-hash. Rinse and repeat. The process becomes so natural that seeing NTLM hashes becomes a normal thing to you. One last thing: You will also learn how to exploit Microsoft SQL links. That topic is covered in CRTP as well. However, I believe it is more in-depth here.

Exam Experience

The exam is proctored. Your camera will be open throughout the exam. You can sleep and take breaks! You need to inform the proctor before doing so. It is essential to take breaks.

You have 48 hours to complete the exam and another 24 hours to write a report. You need to achieve the objective or earn enough points to pass the exam. I highly suggest you refer to the OSEP Exam FAQ for other details. When I prepared, the FAQ answered all of my questions.

Final Thoughts

This training escalates you to a better pentester. You learn here that sometimes, pentests can be successful without compromising the whole domain or environment. That is the truth in real life. If you want to further improve your network pentesting skills, I highly recommend taking the course and challenging the certification.

Note that although the course covers a lot of “red team” concepts, I have heard that the actual code samples do not work on modern systems. It worked fine when I took the course (1Q 2021). I wouldn’t mind that so much, though, as bypasses will be caught. However, understanding and practicing the evasion techniques covered here will get you far.

Part 2: Very Soon!

I will start writing Part 2 when the time permits. I will cover Pentest+, GSEC, CISSP, GMOB, and GPEN there. Additionally, I will cover GIAC’s new “Applied Knowledge” exams that I passed recently: GX-CS and GX-IH. Stay tuned!

Photo by Zac Durant on Unsplash


sif0

Penetration Tester | Aspiring Red Team Operator 🇵🇭