Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Pentest exams

From: Curt Shaffer <cshaffer () gmail com>
Date: Mon, 05 Oct 2009 07:11:45 -0400
Steve,

You are more than welcome to this opinion. The requester of the information
should hear many sides to the conversation. They way I look at these prices
is different than you do. Yes it is not cheap. I am a trainer for quite a
number of companies in all areas other than SANS and I can say that it is a
little more expensive, but no real training is cheap. With that said, I have
two things to bring up. The first is that the quality of instruction is the
best I have seen from many companies. The second is that I find the cost as
a small investment in my future. I have foot the bill for my SANS course and
exams. It was not easy, but I do believe that it was worth it because I have
a higher paying job now and skills that I feel are marketable.

You can price out going all the way through the GSE with SANS and yes the
cost is that of a degree from some schools after all of the time, materials,
tests etc. I do believe that the quality you learn from such a track is by
far better than anything you will find in a college at this time. Note that
I am talking purely from an IT Security perspective and nothing else here.

That is not to say that colleges will not step up. I just haven't seen a
curriculum of IT security that I have been impressed with yet.


On 10/5/09 6:56 AM, "Stephen Mullins" <steve.mullins.work () gmail com> wrote:


There is no way to justify paying what SANS charges for a 5 day class.
 They are an unaccredited for profit business that charge more than
Harvard tuition.

Their rates are set to be paid by Fortune 500 corporations and the
government, not the average Joe.

Steve

On Thu, Sep 24, 2009 at 10:16 AM, Scott <opiesan () gmail com> wrote:

Those are great points Curt. Proper methodology is a hugely important
area to learn and I didn't feel like I picked up on that during the
OSCP course. The barrier for me (and I assume many other people) is
the difference in cost. SANS courses in general are a few thousand
dollars just for the class (plus travel costs unless you're taking it
over the web) and my employer has no training budget for it. They are
worth the money but that doesn't make it appear in my wallet any
faster.

Conversely, the online/self study version of PWB is only $550 for the
materials, 30 days of lab access, and the certification attempt. That
still isn't chump change but when you're footing the bill yourself
it's an easier price point to attain.

Personally I'd take the GPEN if I could. Having both the GPEN and OSCP
would be a dynamic duo of pen testing certs.

Scott


On Fri, Sep 18, 2009 at 7:30 AM, Curt Shaffer <cshaffer () gmail com> wrote:

I may be a little biased being GPEN certified myself as well as a mentor for
the class, but I wouldn't take back my choice for one second. I'm not saying
there aren't other good classes and certs out there but I learned sooo much
from the GPEN that has helped me in many ways, even beyond just penetration
testing. The instructors for the GPEN course are the cream of the crop in my
opinion. These guys are out there in the thick of it, learning what works
and what doesn't. They are giving talks on deep topics in the security area
at all of the major and minor cons out there. It's nice to know that your
instructors are known by major players in the industry due to their
contributions. That is worth it by itself.

Beyond that what I found just looking over materials for difference choices
when I wanted to become certified in penetration testing is the professional
aspect. Sure it's cool to have a class to learn a bunch of new tools and
techniques to get into systems. What was probably more important, and a
large focus on the GPEN, was methodology.

We had full days of class based on rules of engagement, scope, laws to
consider when pen testing and report generation. These are the things that a
lot of people in the field don't get trained on and that is what can make a
good pentester great. It's more than just popping the box, it's about
letting the client know what that means to them and what they can do about
it.

With that said, the SANS GPEN was the only one that I saw that really fit
that bill fully. Again, I don't want to discredit anyone else's training or
certs, just my half a nickel :)

If you have specific question on this course feel free to hit me up off
list.

Curt
On 9/17/09 4:04 PM, "Scott" <opiesan () gmail com> wrote:


You should also consider the OSCP from Offensive Security
(www.offensive-security.com).  It's a lab based cert exam and worth
looking into when comparing the certs you mentioned.

Scott

On Wed, Sep 16, 2009 at 9:15 AM, Chris <troncarter80 () gmail com> wrote:

I'm looking to get certification as a penetration tester but, I'm torn
between which would be the best fit.  I work for a large company that
deals with about 70% DoD, 20% military and 10% commercial.  Although
I'm not doing cleared work currently, a lot of our contracts involve
TS/TS with a Full Scope.  I'm currently looking at ECSA from
EC-Council and GPEN from SANS.  I've looked over some of the actual
material briefly from EC and it seems decent.  Any help would be
greatly appreciated.  There may be more certs out there that are just
as worthy, I'm just not aware of them.

Thank you

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can
actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



--
€



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




-- 
•



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: