Penetration Testing mailing list archives
Re: Pentest exams
From: Curt Shaffer <cshaffer () gmail com>
Date: Mon, 05 Oct 2009 07:11:45 -0400
Steve,

You are more than welcome to this opinion. The requester of the information should hear many sides to the conversation. The way I look at these prices is different than you do. Yes it is not cheap. I am a trainer for quite a number of companies in all areas other than SANS and I can say that it is a little more expensive, but no real training is cheap.

With that said, I have two things to bring up. The first is that the quality of instruction is the best I have seen from many companies. The second is that I find the cost as a small investment in my future. I have footed the bill for my SANS course and exams. It was not easy, but I do believe that it was worth it because I have a higher paying job now and skills that I feel are marketable.

You can price out going all the way through the GSE with SANS and yes the cost is that of a degree from some schools after all of the time, materials, tests etc. I do believe that the quality you learn from such a track is by far better than anything you will find in a college at this time. Note that I am talking purely from an IT Security perspective and nothing else here. That is not to say that colleges will not step up. I just haven't seen a curriculum of IT security that I have been impressed with yet.

On 10/5/09 6:56 AM, "Stephen Mullins" <steve.mullins.work () gmail com> wrote:
There is no way to justify paying what SANS charges for a 5 day class. They are an unaccredited for profit business that charges more than Harvard tuition. Their rates are set to be paid by Fortune 500 corporations and the government, not the average Joe.

Steve

On Thu, Sep 24, 2009 at 10:16 AM, Scott <opiesan () gmail com> wrote:

Those are great points Curt. Proper methodology is a hugely important area to learn and I didn't feel like I picked up on that during the OSCP course. The barrier for me (and I assume many other people) is the difference in cost. SANS courses in general are a few thousand dollars just for the class (plus travel costs unless you're taking it over the web) and my employer has no training budget for it. They are worth the money but that doesn't make it appear in my wallet any faster.

Conversely, the online/self study version of PWB is only $550 for the materials, 30 days of lab access, and the certification attempt. That still isn't chump change but when you're footing the bill yourself it's an easier price point to attain.

Personally I'd take the GPEN if I could. Having both the GPEN and OSCP would be a dynamic duo of pen testing certs.

Scott

On Fri, Sep 18, 2009 at 7:30 AM, Curt Shaffer <cshaffer () gmail com> wrote:

I may be a little biased being GPEN certified myself as well as a mentor for the class, but I wouldn't take back my choice for one second. I'm not saying there aren't other good classes and certs out there but I learned sooo much from the GPEN that has helped me in many ways, even beyond just penetration testing.

The instructors for the GPEN course are the cream of the crop in my opinion. These guys are out there in the thick of it, learning what works and what doesn't. They are giving talks on deep topics in the security area at all of the major and minor cons out there. It's nice to know that your instructors are known by major players in the industry due to their contributions. That is worth it by itself.
Beyond that what I found just looking over materials for different choices when I wanted to become certified in penetration testing is the professional aspect. Sure it's cool to have a class to learn a bunch of new tools and techniques to get into systems. What was probably more important, and a large focus on the GPEN, was methodology. We had full days of class based on rules of engagement, scope, laws to consider when pen testing and report generation. These are the things that a lot of people in the field don't get trained on and that is what can make a good pentester great. It's more than just popping the box, it's about letting the client know what that means to them and what they can do about it.

With that said, the SANS GPEN was the only one that I saw that really fit that bill fully. Again, I don't want to discredit anyone else's training or certs, just my half a nickel :)

If you have specific questions on this course feel free to hit me up off list.

Curt

On 9/17/09 4:04 PM, "Scott" <opiesan () gmail com> wrote:

You should also consider the OSCP from Offensive Security (www.offensive-security.com). It's a lab based cert exam and worth looking into when comparing the certs you mentioned.

Scott

On Wed, Sep 16, 2009 at 9:15 AM, Chris <troncarter80 () gmail com> wrote:

I'm looking to get certification as a penetration tester, but I'm torn between which would be the best fit. I work for a large company that deals with about 70% DoD, 20% military and 10% commercial. Although I'm not doing cleared work currently, a lot of our contracts involve TS/TS with a Full Scope. I'm currently looking at ECSA from EC-Council and GPEN from SANS. I've looked over some of the actual material briefly from EC and it seems decent.

Any help would be greatly appreciated. There may be more certs out there that are just as worthy, I'm just not aware of them.
Thank you

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------