Re: Pentest exams



You make good points as well Scott. I really think your last point is the
best. If you can, take both or maybe even more! As I said there is plenty of
good training out there. I can relate to your concern about cost. I am on
the GSE track with SANS and until I find that right employer, I will
probably be footing every GIAC cert and gold attempt out of pocket.

Curt


On 9/24/09 10:16 AM, "Scott" <opiesan@xxxxxxxxx> wrote:

Those are great points Curt. Proper methodology is a hugely important
area to learn and I didn't feel like I picked up on that during the
OSCP course. The barrier for me (and I assume many other people) is
the difference in cost. SANS courses in general are a few thousand
dollars just for the class (plus travel costs unless you're taking it
over the web) and my employer has no training budget for it. They are
worth the money but that doesn't make it appear in my wallet any
faster.

Conversely, the online/self study version of PWB is only $550 for the
materials, 30 days of lab access, and the certification attempt. That
still isn't chump change but when you're footing the bill yourself
it's an easier price point to attain.

Personally I'd take the GPEN if I could. Having both the GPEN and OSCP
would be a dynamic duo of pen testing certs.

Scott


On Fri, Sep 18, 2009 at 7:30 AM, Curt Shaffer <cshaffer@xxxxxxxxx> wrote:
I may be a little biased being GPEN certified myself as well as a mentor for
the class, but I wouldn't take back my choice for one second. I'm not saying
there aren't other good classes and certs out there but I learned sooo much
from the GPEN that has helped me in many ways, even beyond just penetration
testing. The instructors for the GPEN course are the cream of the crop in my
opinion. These guys are out there in the thick of it, learning what works
and what doesn't. They are giving talks on deep topics in the security area
at all of the major and minor cons out there. It's nice to know that your
instructors are known by major players in the industry due to their
contributions. That is worth it by itself.

Beyond that what I found just looking over materials for different choices
when I wanted to become certified in penetration testing is the professional
aspect. Sure it's cool to have a class to learn a bunch of new tools and
techniques to get into systems. What was probably more important, and a
large focus on the GPEN, was methodology.

We had full days of class based on rules of engagement, scope, laws to
consider when pen testing and report generation. These are the things that a
lot of people in the field don't get trained on and that is what can make a
good pentester great. It's more than just popping the box, it's about
letting the client know what that means to them and what they can do about
it.

With that said, the SANS GPEN was the only one that I saw that really fit
that bill fully. Again, I don't want to discredit anyone else's training or
certs, just my half a nickel :)

If you have specific questions on this course feel free to hit me up off
list.

Curt

On 9/17/09 4:04 PM, "Scott" <opiesan@xxxxxxxxx> wrote:

You should also consider the OSCP from Offensive Security
(www.offensive-security.com).  It's a lab based cert exam and worth
looking into when comparing the certs you mentioned.

Scott

On Wed, Sep 16, 2009 at 9:15 AM, Chris <troncarter80@xxxxxxxxx> wrote:
I'm looking to get certification as a penetration tester, but I'm torn
between which would be the best fit.  I work for a large company that
deals with about 70% DoD, 20% military and 10% commercial.  Although
I'm not doing cleared work currently, a lot of our contracts involve
TS/TS with a Full Scope.  I'm currently looking at ECSA from
EC-Council and GPEN from SANS.  I've looked over some of the actual
material briefly from EC and it seems decent.  Any help would be
greatly appreciated.  There may be more certs out there that are just
as worthy, I'm just not aware of them.

Thank you

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------





