Yesterday, I passed the PCNSA exam.
I previously did the PCCSA/PCCET exam, which was more of a general overview about security concepts and the Palo Alto product range. By contrast, the PCNSA is more practical, so it’s aimed at people who do hands-on tasks with a Palo Alto firewall. In particular, it’s mostly focussed on PAN-OS, with a bit of Panorama; the other cloud-based services (e.g. Prisma) have separate certifications.
(more…)I did my first (vocational) IT exam in 1999. This was after an annual appraisal from my (then) manager, who said “I’ve spoken to lots of people, and they’re all very impressed with your work. However, there’s no way for me to quantify your performance, so you don’t get a pay rise.” Based on that, I decided that it would be useful to have some objective evidence of my abilities from a neutral 3rd party, so I took the Visual Basic 5.0 exam and became a Microsoft Certified Professional.
Fast forward to 2023: I’ve now passed 41 exams and earned 50 certifications. In all honesty, this process has been a bit haphazard; I’ve picked certifications based on what looked interesting at the time, or what related to a skill I’d been using at work, rather than having a clear roadmap of where I wanted my career to go. I’ve also sometimes leant towards the Pokémon approach of “gotta collect them all!” So, I think it’s time to look back and review which of these were worthwhile, and which I’d recommend to other people.
NB I’m not including my university degrees in this list, because they’re academic rather than vocational. I’m also not including the European Computer Driving License (ECDL), because that’s aimed at end users rather than IT professionals.
(more…)In March 2023, I passed the OSCP exam, to become an OffSec Certified Professional. Combined with the CPSA, this also made me a CREST Registered Penetration Tester (CRT).
The OSCP is sometimes described as an “entry level” pen testing certification, which can be a bit confusing. It’s certainly not aimed at beginners to IT! For context, I’ve passed 40 other IT exams on my first attempt; this is by far the hardest exam I’ve taken, and it took me 3 attempts to pass, after 6 months of full-time study.
However, the OSCP is entry level for pen testing, in the sense that it’s a de facto standard. There are lots of job adverts which list the OSCP or CRT as requirements. I’ve previously done the PenTest+, OSWP, and eJPT: those are all easier exams (i.e. more accessible to beginners) but none of them helped me to get any job interviews.
The OSCP is also entry level in the sense that there are more advanced certifications out there, e.g. the OSEP (OffSec Experienced Pentester). So, this certainly isn’t the end of my learning journey; it’s a new beginning.
Before I dig into details, just a general note. There have been various changes over the past few years, e.g. the exam format changed in Jan 2022, and the syllabus changed in Mar 2023. So, if you’re looking at blog posts, Reddit threads, YouTube videos, etc. then keep an eye on when they were published; the information might have been true at the time, but no longer relevant. (That also applies to this post.)
Also, at the risk of stating the obvious, I’m not going to share anything that would breach the non-disclosure agreement. In particular, I’m not going to reveal any details about my exam machines, so please don’t ask!
(more…)I recently passed the OSCP exam, on my third attempt. OffSec’s slogan used to be Try Harder, and I’ve been thinking about what that means. (The slogan has recently been replaced by a 5-step learning approach: trial, failure, adaptation, growth, and triumph.)
I’m quite active on the OffSec Discord server, and I’ve spent a lot of time helping other people out with exercises. That’s partly because I like to be kind, partly to “pay it forward” (after other people have helped me), and partly to reinforce my own learning. There’s a phrase I heard a while back: you don’t truly understand something until you can explain it to someone else.
However, I do sometimes despair at the lack of initiative I see from other people. There’s a hint bot on the server, and pinned messages in each channel, and you can search for previous messages about a particular topic. Even after all that, the same questions come up over and over again. I blocked one person after they outright refused to do a search: they said that they’d get the answer more quickly by asking the question, i.e. they wanted other people to do the work for them. That’s an example of someone who certainly could try harder.
I think the slogan is most relevant when it comes to a “black box” machine, e.g. one of the PEN-200 lab VMs. That’s where you’re simply given an IP address, and you have to figure everything else out for yourself. How long should you bash your head against the wall before you look for hints/walkthroughs?
(more…)In Feb 2023, I took CompTIA’s CASP+ (Advanced Security Practioner) exam, and I passed first time.
I used Jason Dion’s Udemy course to prepare for this. That was the only specific training that I did for this exam, but I also spent the previous 6 months preparing for the OSCP, and I have prior knowledge/experience.
(more…)In May 2022, I took the CREST Practitioner Security Analyst exam. This is a multiple choice theory test, which is a pre-requisite to become a CREST Registered Penetration Tester (CRT); the basic idea is to do a theory test and a practical test, similar to getting a driving licence.
There are various organisations offering training courses. However, I used self-study, and this was a tricky exam to prepare for. With most vocational exams, there are study guides and/or Udemy courses available, but that’s not the case here. CREST publish a general reading list, but those books don’t cover everything you need and some of the content is beyond the scope of the exam. This seems to be deliberate, based on the examination FAQs:
“Unlike some areas of academia, CREST exams are usually vocational; they are not designed to be achievable by a candidate whose sole focus is passing them through isolated study. They are designed to measure an individual’s capability to operate within the industry and identify those who can demonstrate the skills required.”
I’m bound by the NDA (like all exams I take), but I’ll try to offer some advice here to help people prepare and judge when they’re ready to take the exam. Each exam attempt costs £275 (+VAT), so it would be a shame to waste your first attempt just to get an idea of what’s involved.
In brief, it took me about 2 weeks to prepare for this exam (in the evenings after work), but that was building on various other exams, training courses, and work experience. It’s described as “entry level”, but I’d say that this is a bit more difficult than PenTest+ (which in turn was more difficult than Security+). Conversely, I found this a lot easier than the OSCP.
(more…)In April 2022, I did a beta exam for Project+. The beta exam was PK1-005, and then the “real” exam was released as PK0-005 (which is what shows on my exam history at CertMetrics).
Beta exams aren’t free, but they’re significantly cheaper than a normal exam. In this case, it cost me £30 rather than £212 (both prices exclude VAT). There are two main drawbacks:
a) There won’t be any training material ready for the new exam.
b) You’ll have to wait a long time to get your results. (In this case, I took the exam on 4th April, but I didn’t get the results until 11th October, i.e. there was a 6 month delay.)
This certification wasn’t on my “to do” list until I saw the email about the beta program, and I don’t have any intention of becoming a project manager. However, I’ve worked with project managers in a few organisations, so I thought that it would be useful to “speak the same language” (i.e. share the same specialised vocabulary). If I failed the exam, it wouldn’t really cause me any problems, so I could take a fairly relaxed view towards it. I think some of this material might also be relevant for personal projects, e.g. a house renovation with dependencies between various tasks.
NB This certification is “good for life”, i.e. it’s not part of the CE (Continuing Education) program where you have to repeat the exam after 3 years.
(more…)In March 2022, I passed the CISMP-V9 exam, and gained the BCS Foundation Certificate in Information Security Management Principles.
As the name suggests, this is related to setting up an ISMS (Information Security Management System). Basically, it falls under GRC (Governance, Risk, and Compliance) rather than hands-on technical skills.
So, who’s the target audience for this certification? I’d recommend the Security+ to anyone who works in IT, but the CISMP is only relevant to a smaller group. Be aware that this won’t teach you how to set up an ISMS from scratch. It’s a foundation certification, so it’s really just laying the groundwork, by introducing concepts.
When I was looking at a QA training course for the CPSA, they recommended the CISMP as a pre-requisite. Now that I’ve done both exams, I’d say that the CISMP isn’t really relevant to the CPSA at all! However, I did find the CISMP useful for IASME Cyber Assurance.
The CISMP meets the requirements for Accredited Affiliate membership of the CIISec (Chartered Institute of Information Security). However, the Security+ also meets the CIISec requirements (along with various other certifications), and that’s more widely recognised. So, I wouldn’t recommend doing the CISMP just for this, but if you get the CISMP then you might want to look at CIISec membership as a fringe benefit.
TSG Training did a 40 minute webinar about the CISMP:
BCS CISMP Webinar : 15th April 2021 – YouTube
I think that video is worth watching, and the key point they emphasise is that this isn’t a difficult exam.
NB The sound quality is a bit iffy for the first minute or so, but it gets a lot better when they switch over to the main presenter.
In July 2021, I took the Microsoft Security, Compliance, and Identity Fundamentals (SC-900) exam.
NB The exam content has changed since then, so some of the specifics in this blog post might be out of date.
According to the exam description:
“Candidates should be familiar with Microsoft Azure and Microsoft 365 and want to understand how Microsoft security, compliance, and identity solutions can span across these solution areas to provide a holistic and end-to-end solution.”
I’ve previously taken MS-900 (Microsoft 365 Fundamentals) and AZ-900 (Azure Fundamentals), and I’d recommend them as a starting point to address the prerequisites.
In May 2021, I took the Microsoft Azure Fundamentals (AZ-900) exam. This is similar to Microsoft 365 Fundamentals (MS-900), i.e. it’s asking about what the technology does rather than how you use it. However, I thought this was a better exam than MS-900, i.e. it was more relevant to what you actually need to know for a job, and it’s not just acting as a marketing brochure. This isn’t a formal prerequisite for any other Azure exams (e.g. at associate level), but it seems like a good place to start.
This is also a good exam if you’re on a budget: the training and the exam itself were free of charge! More precisely, I attended a Microsoft Azure virtual training day. The name is a slight misnomer: it was 2½ hours on 2 consecutive days. That training isn’t enough to prepare you for the exam on its own, but it’s useful as a high level overview. When I booked the exam, I entered the email address that I used to book the virtual training day, then that address was linked to my Microsoft certification account, and I was credited with a voucher for the full cost of the exam. I did the exam at home (via online proctoring); I’m not sure whether the voucher is also valid if you attend a Pearson Vue test centre.
(more…)