In Oct 2023, I took the CCSA exam. In Dec 2024, I followed this up with the CCSE exam.
NB You have to pass the CCSA before the CCSE, but it doesn’t have to be active. I.e. it still qualifies after it’s expired, as long as it’s for a recent version. In my case, I did the R81.20 version of both exams.
(more…)Back in March, I did Palo Alto’s PCNSA exam. Since then I’ve been working with Check Point firewalls, so I decided to do their CCSA exam (for R81.20).
Normally, I would start by looking at the exam objectives. However, in this case I can’t, because they’re behind a paywall! The nearest thing that’s publicly available is the course overview. This is unusual: I haven’t seen any other exams that do this. It’s also notable that Palo Alto give out a free study guide (pdf), whereas Check Point ask you to pay $3250 for their course; I’m not sure whether that includes the exam itself ($250). However, you can book the exam without doing their course, and that’s what I did.
As with any certification, it’s worth asking a couple of questions:
In other words, what does this certification actually measure? What does it tell you about the person who has it? In brief, I’d say that a lot of the questions will be very easy if you have hands-on experience, and very difficult if you’ve just seen someone else do it in a video.
I can’t discuss specific exam questions because of the Non-Disclosure Agreement (NDA), so I’ll use London Underground (aka the Tube) as an analogy. If you’ve lived or worked in central London for a while, you’ll probably be familiar with the tube map, e.g. you’ll know that the Central line is red and the Circle line is yellow. That isn’t something you’d specifically sit down and memorise, but you’ll pick it up by repeated exposure. So, if I asked you which line is green on the map, that should be pretty easy.
On the other hand, suppose that I asked you what time the last train runs each night (from a station that you use regularly). Some people will know the answer by heart, because they often end up running for that train. Other people might be in bed by 10pm every night, so they’ve never needed to know.
Coming back to Check Point, there are some situations which will come up on a daily basis, and other situations which are less common. So, you might need to go out of your way to practice those scenarios, e.g. in a lab environment.
Now that I’ve got the CCSA, I’m going to start studying for the Check Point Certified Security Expert (CCSE). This includes some additional topics, such as High Availability (ClusterXL).
NB You need to be CCSA certified before you can get the CCSE. (Cisco used to have a similar policy, e.g. you needed CCNA before CCNP, but they’ve relaxed that now to just say that you need equivalent knowledge.) I think the CCSE will be more useful, but the CCSA is a necessary step along the way.
(more…)Yesterday, I passed the PCNSA exam.
I previously did the PCCSA/PCCET exam, which was more of a general overview about security concepts and the Palo Alto product range. By contrast, the PCNSA is more practical, so it’s aimed at people who do hands-on tasks with a Palo Alto firewall. In particular, it’s mostly focussed on PAN-OS, with a bit of Panorama; the other cloud-based services (e.g. Prisma) have separate certifications.
(more…)I did my first (vocational) IT exam in 1999. This was after an annual appraisal from my (then) manager, who said “I’ve spoken to lots of people, and they’re all very impressed with your work. However, there’s no way for me to quantify your performance, so you don’t get a pay rise.” Based on that, I decided that it would be useful to have some objective evidence of my abilities from a neutral 3rd party, so I took the Visual Basic 5.0 exam and became a Microsoft Certified Professional.
Fast forward to 2023: I’ve now passed 41 exams and earned 50 certifications. In all honesty, this process has been a bit haphazard; I’ve picked certifications based on what looked interesting at the time, or what related to a skill I’d been using at work, rather than having a clear roadmap of where I wanted my career to go. I’ve also sometimes leant towards the Pokémon approach of “gotta collect them all!” So, I think it’s time to look back and review which of these were worthwhile, and which I’d recommend to other people.
NB I’m not including my university degrees in this list, because they’re academic rather than vocational. I’m also not including the European Computer Driving License (ECDL), because that’s aimed at end users rather than IT professionals.
(more…)In March 2023, I passed the OSCP exam, to become an OffSec Certified Professional. Combined with the CPSA, this also made me a CREST Registered Penetration Tester (CRT).
The OSCP is sometimes described as an “entry level” pen testing certification, which can be a bit confusing. It’s certainly not aimed at beginners to IT! For context, I’ve passed 40 other IT exams on my first attempt; this is by far the hardest exam I’ve taken, and it took me 3 attempts to pass, after 6 months of full-time study.
However, the OSCP is entry level for pen testing, in the sense that it’s a de facto standard. There are lots of job adverts which list the OSCP or CRT as requirements. I’ve previously done the PenTest+, OSWP, and eJPT: those are all easier exams (i.e. more accessible to beginners) but none of them helped me to get any job interviews.
The OSCP is also entry level in the sense that there are more advanced certifications out there, e.g. the OSEP (OffSec Experienced Pentester). So, this certainly isn’t the end of my learning journey; it’s a new beginning.
Before I dig into details, just a general note. There have been various changes over the past few years, e.g. the exam format changed in Jan 2022, and the syllabus changed in Mar 2023. So, if you’re looking at blog posts, Reddit threads, YouTube videos, etc. then keep an eye on when they were published; the information might have been true at the time, but no longer relevant. (That also applies to this post.)
Also, at the risk of stating the obvious, I’m not going to share anything that would breach the non-disclosure agreement. In particular, I’m not going to reveal any details about my exam machines, so please don’t ask!
(more…)I recently passed the OSCP exam, on my third attempt. OffSec’s slogan used to be Try Harder, and I’ve been thinking about what that means. (The slogan has recently been replaced by a 5-step learning approach: trial, failure, adaptation, growth, and triumph.)
I’m quite active on the OffSec Discord server, and I’ve spent a lot of time helping other people out with exercises. That’s partly because I like to be kind, partly to “pay it forward” (after other people have helped me), and partly to reinforce my own learning. There’s a phrase I heard a while back: you don’t truly understand something until you can explain it to someone else.
However, I do sometimes despair at the lack of initiative I see from other people. There’s a hint bot on the server, and pinned messages in each channel, and you can search for previous messages about a particular topic. Even after all that, the same questions come up over and over again. I blocked one person after they outright refused to do a search: they said that they’d get the answer more quickly by asking the question, i.e. they wanted other people to do the work for them. That’s an example of someone who certainly could try harder.
I think the slogan is most relevant when it comes to a “black box” machine, e.g. one of the PEN-200 lab VMs. That’s where you’re simply given an IP address, and you have to figure everything else out for yourself. How long should you bash your head against the wall before you look for hints/walkthroughs?
(more…)In Feb 2023, I took CompTIA’s CASP+ (Advanced Security Practioner) exam, and I passed first time.
I used Jason Dion’s Udemy course to prepare for this. That was the only specific training that I did for this exam, but I also spent the previous 6 months preparing for the OSCP, and I have prior knowledge/experience.
(more…)In May 2022, I took the CREST Practitioner Security Analyst exam. This is a multiple choice theory test, which is a pre-requisite to become a CREST Registered Penetration Tester (CRT); the basic idea is to do a theory test and a practical test, similar to getting a driving licence.
There are various organisations offering training courses. However, I used self-study, and this was a tricky exam to prepare for. With most vocational exams, there are study guides and/or Udemy courses available, but that’s not the case here. CREST publish a general reading list, but those books don’t cover everything you need and some of the content is beyond the scope of the exam. This seems to be deliberate, based on the examination FAQs:
“Unlike some areas of academia, CREST exams are usually vocational; they are not designed to be achievable by a candidate whose sole focus is passing them through isolated study. They are designed to measure an individual’s capability to operate within the industry and identify those who can demonstrate the skills required.”
I’m bound by the NDA (like all exams I take), but I’ll try to offer some advice here to help people prepare and judge when they’re ready to take the exam. Each exam attempt costs £275 (+VAT), so it would be a shame to waste your first attempt just to get an idea of what’s involved.
In brief, it took me about 2 weeks to prepare for this exam (in the evenings after work), but that was building on various other exams, training courses, and work experience. It’s described as “entry level”, but I’d say that this is a bit more difficult than PenTest+ (which in turn was more difficult than Security+). Conversely, I found this a lot easier than the OSCP.
(more…)In April 2022, I did a beta exam for Project+. The beta exam was PK1-005, and then the “real” exam was released as PK0-005 (which is what shows on my exam history at CertMetrics).
Beta exams aren’t free, but they’re significantly cheaper than a normal exam. In this case, it cost me £30 rather than £212 (both prices exclude VAT). There are two main drawbacks:
a) There won’t be any training material ready for the new exam.
b) You’ll have to wait a long time to get your results. (In this case, I took the exam on 4th April, but I didn’t get the results until 11th October, i.e. there was a 6 month delay.)
This certification wasn’t on my “to do” list until I saw the email about the beta program, and I don’t have any intention of becoming a project manager. However, I’ve worked with project managers in a few organisations, so I thought that it would be useful to “speak the same language” (i.e. share the same specialised vocabulary). If I failed the exam, it wouldn’t really cause me any problems, so I could take a fairly relaxed view towards it. I think some of this material might also be relevant for personal projects, e.g. a house renovation with dependencies between various tasks.
NB This certification is “good for life”, i.e. it’s not part of the CE (Continuing Education) program where you have to repeat the exam after 3 years.
(more…)In March 2022, I passed the CISMP-V9 exam, and gained the BCS Foundation Certificate in Information Security Management Principles.
As the name suggests, this is related to setting up an ISMS (Information Security Management System). Basically, it falls under GRC (Governance, Risk, and Compliance) rather than hands-on technical skills.
So, who’s the target audience for this certification? I’d recommend the Security+ to anyone who works in IT, but the CISMP is only relevant to a smaller group. Be aware that this won’t teach you how to set up an ISMS from scratch. It’s a foundation certification, so it’s really just laying the groundwork, by introducing concepts.
When I was looking at a QA training course for the CPSA, they recommended the CISMP as a pre-requisite. Now that I’ve done both exams, I’d say that the CISMP isn’t really relevant to the CPSA at all! However, I did find the CISMP useful for IASME Cyber Assurance.
The CISMP meets the requirements for Accredited Affiliate membership of the CIISec (Chartered Institute of Information Security). However, the Security+ also meets the CIISec requirements (along with various other certifications), and that’s more widely recognised. So, I wouldn’t recommend doing the CISMP just for this, but if you get the CISMP then you might want to look at CIISec membership as a fringe benefit.
TSG Training did a 40 minute webinar about the CISMP:
BCS CISMP Webinar : 15th April 2021 – YouTube
I think that video is worth watching, and the key point they emphasise is that this isn’t a difficult exam.
NB The sound quality is a bit iffy for the first minute or so, but it gets a lot better when they switch over to the main presenter.