Help me choose next cert

zaaa Member Posts: 18
I'm going down the path of penetration testing. I currently hold: BS in IS, A+, MCSE: SI, CCNA: R&S, and should have Linux+/LPIC-1 by the end of the month.

I am wanting to go down the route of pen testing. I have IT experience on the Sys Admin side, but little on the infosec side. I want to start pursuing Security certs, but this is where I am "torn".

I believe I should go for one of these first:

- Security+: Entry level, reasonable cost, but nothing else from CompTIA is really beneficial for this field.
- CEH: Not well respected but good to get through HR with. Educational value per $ not high.
- OSCP: Doesn't help me get through HR but probably a requirement at some point and I will probably gain the most skills from this Cert. Will be very difficult, but well respected and worth the investment.
- GSEC: Entry level, but certs from GIAC seem more respected than CompTIA. Many more great certs to pursue from the same organization.

The main issue I have with CEH is the cost. My employer reimburses for costs of certs but will not reimburse for training. I'm not sure I can get around the 2 year infosec experience requirement, so that bumps the cost up to well over $1k.

Therefore, I'm thinking GSEC or Sec+ then OSCP? Is CEH really that important to get through HR with? A LOT of jobs have CEH listed but very few seem to have OSCP listed. It's like a catch-22...

Am I way out of line here?


  • OM602 Member Posts: 56
    We have similar certs, and I was in the same situation. I decided to move forward to CEH; I used CBT, Matt Walker's AIO bundle and Boson to prepare. Total cost 650 or so.
    I did this mainly to get myself past HR, but in all honesty I'm not a pentester, so I also learned some stuff during study, playing with the tools.

    I will now continue pursuing CISSP and OSCP. CISSP to get past HR and OSCP to improve my skills.
    GSEC is, if you choose to do the training as well, by far the most expensive option.
    COMPTIA is not highly regarded here in Yurp...not sure if I ever saw it on a resume or job advertisement. Is this different in US?

    So it's up to you but since you first need to land that job in pentesting, it would be wise to do the CEH IMO.
    The world chico, and everything in it
  • zaaa Member Posts: 18
    OM602 wrote: »
    We have similar certs, and I was in the same situation. I decided to move forward to CEH; I used CBT, Matt Walker's AIO bundle and Boson to prepare. Total cost 650 or so.

    Were you able to get around the two year requirement I assume? I just figured I wouldn't be able to bypass it. I have over 10 years in IT with the last two being in a Sys Admin role. I'm not sure how much I can quantify as "infosec".
  • OM602 Member Posts: 56
    Well if you look on the EC council site, there are not strict domains like for CISSP. It just says:
    "In order to be considered for the EC-Council certification exam without attending official training, candidate must:
    Have at least two years of information security related experience."

    So I took the CISSP CBK domains as an example. Every sysadmin has to deal with Security Operations and Identity and Access Management. Maybe not full-time, but with 10 years of experience surely you have sufficient experience. Just have your manager fill in the paperwork.
    The world chico, and everything in it
  • mokaz Member Posts: 172
    I agree, CISSP, CEH and OSCP I think it's the best shot at infosec for the time being... Got the first two and working on the latter =) Also, take into account that OSCP allows one to claim 40 CPEs, which if you do the math is probably worth getting after your CISSP in order to claim the CPEs...
  • zaaa Member Posts: 18
    @OM602: Gotcha. I'll try that route. I have Identity and Access Management covered as well as some bits and pieces from the other domains.

    @mokaz: Unfortunately, I am positive I don't have the domains covered for a long enough period of time for CISSP. I could get the Associate, and probably get the full CISSP after two more years (+ using my BS for my 5th year) at my current job, since I think I can reasonably justify coverage of two domains with my current job. CEH and OSCP are where I'm leaning.

    So it looks like I may go for CEH then OSCP, skipping Sec+. I could go for CISSP later if I wanted.
  • MrAgent Member Posts: 1,309
    Go hard, or go home.
    +1 for OSCP.