CEH vs GPEN? Similar or Totally Different Certs?

roninkai Member Posts: 307 ■■■■□□□□□□
I'm curious if an attempt at GPEN right after CEH would be a good idea because the information is fresh. Are these very similar in nature, just different vendors, or is GPEN much harder than CEH? GPEN isn't really on my radar right now, but I may have a small gap before beginning my CISSP studies. Wondering if all my CEH prep would be a two-for-one deal if I sat for this exam too.
浪人 MSISA:WGU
ICP-FDO ▪ CISSP ▪ ECES ▪ CHFI ▪ CNDA ▪ CEH ▪ MCSA/MCITP ▪ MCTS ▪ S+
2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP

Comments

  • OctalDump Member Posts: 1,722
    Only replying because no one else has. It seems that GPEN is more mid-level than CEH. CEH is very much entry level. The EC-Council offers a path of CEH -> ECSA -> LPT, where LPT is intended very much for people working as penetration testers.
    GPEN is worthwhile, and does offer a route to the far more serious (aimed at researchers developing new exploits) GXPN. GIAC also offers GWAPT, aimed squarely at web pen testing.
    The other option is to go down the Offensive Security route, getting OSCP. OSCE is aimed again more at researchers and is roughly analogous to GXPN. They also offer 'advanced' programs targeted at wireless, Windows and web specialities.

    The Offensive Security route is much more hands-on, and the exams are live tests rather than multiple choice.

    If you are planning on going into pen testing as an area of focus, then it seems that the OSCP is a kind of minimum proof of competency. However, if you are just looking to round out your security knowledge and focus on another area, then GPEN or CEH should be 'good enough'.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • roninkai Member Posts: 307 ■■■■□□□□□□
    Thanks for the reply. I think after CISSP, some Linux Academy and some Python courses, I'll do OSCP. I like the hands-on aspect. With CEH I simply feel like I'm reading about how to drive a car, but not actually getting behind the wheel. Perhaps the GIAC courses will follow some time after that if needed, but at some point you probably get diminishing returns on certs.
    浪人 MSISA:WGU
    ICP-FDO ▪ CISSP ▪ ECES ▪ CHFI ▪ CNDA ▪ CEH ▪ MCSA/MCITP ▪ MCTS ▪ S+
    2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP
  • MitchRapp Member Posts: 5 ■□□□□□□□□□
    ECSA and LPT are now version 9. Both have been reworked and reconstructed. ECSA now requires a Pen Test, submission of a written report (according to industry standards), and upon EC-Council accepting the written report and issuing a passing grade, the student then takes a multiple choice test. If they pass that they earn the ECSA credential. After that they can try to tackle LPT Master V9. And make no mistake, it takes pen testing to a new level. Good luck with whichever path you choose.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    Try CEH -> GCIH instead of GPEN, it has more overlapping content.
  • supasecuritybro Member Posts: 206 ■■■■□□□□□□
    If going to SANS is a viable option for you, skip the CEH and go to the GCIH. Save your money.
    Completed: CISSP, GPEN, GWAPT, CCSA R80, eJPT, CySA+, M.S. Information Security
    Current Goal: CCSE
    Continuous Education Plan:​ AWS-SAA, OSCP, CISM
    Book/CBT/Study Material:​ Max Power
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    Sorry, I've got to rephrase myself as I may have misunderstood TC's question.

    If going for self-study and your company is reimbursing exams:
    CEH -> GCIH is good because CEH sets the foundation for GCIH.

    If your company is paying for courses:
    GPEN is well worth it; go for the live course to get the hands-on. I think from another forum user, they have VPN labs set up for students going for vLive; either way, both give a good amount of hands-on.

    If your company is not paying for courses:
    The SANS work study option is viable; pick up GPEN as mentioned in the above point. Or go straight for OSCP.

    If you are doing self-study, and your company is not reimbursing exams, supasecuritybro would be right, as GCIH is more valuable than CEH.
  • BillV_ Member Posts: 114 ■□□□□□□□□□
    LionelTeo wrote: »
    Sorry, I've got to rephrase myself as I may have misunderstood TC's question. If going for self-study and your company is reimbursing exams: CEH -> GCIH is good because CEH sets the foundation for GCIH. If your company is paying for courses: GPEN is well worth it; go for the live course to get the hands-on. I think from another forum user, they have VPN labs set up for students going for vLive; either way, both give a good amount of hands-on. If your company is not paying for courses: the SANS work study option is viable; pick up GPEN as mentioned in the above point. Or go straight for OSCP. If you are doing self-study, and your company is not reimbursing exams, supasecuritybro would be right, as GCIH is more valuable than CEH.
    That last statement is kind of ironic. On the SANS Advisory Board, someone was just complaining recently how CEH is more in demand on the job boards in comparison to GIAC. The larger topic was how many GIAC certification holders are choosing to allow their certifications to expire due to the way the continuing education system works.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    Sure, a job listing search for CEH will land more hits than GIAC certs, but that doesn't justify the quality of the certification. When it comes to job boards, CEH definitely wins over OSCP and GPEN; I wouldn't disagree with that. The purpose of the certification is to give assurance that the candidate would be capable of performing the work, and anyone in infosec easily knows the level of assurance regarding the capability of a candidate to pentest from a CEH is still far away from GPEN/OSCP.

    Getting the most hits on job boards is a good thing; having a powerful certification that empowers the candidate to be able to jump straight into the pentesting field doing the real work is another. I have written extensive responses on other threads regarding the maturity of the pentesting career in each city/state that can affect the pentesting work done. To summarize, plenty of companies in immature cities are confused between performing vulnerability scanning and doing the real thing. I'm not saying these are the companies who look for CEH because they are confused. But good tell-tale signs that a company is looking for a serious pentester are those that specifically state OSCP, GIAC to some extent, and web penetration testers.

    A certification getting the fewest or fewer hits on job boards doesn't mean that the certification is not valuable. GSE, GSE-M, GSE-C, OSWE or OSEE are ones that most HR have not heard of, but hiring managers who are serious about hiring candidates would know that there are fewer than 300 people on the globe holding those certs.

    I wouldn't say CEH is bad; EC-Council has definitely done a great deal of marketing to make it known to HR. I have also checked EC courses these few days and was quite impressed that they are moving towards enforcing lab lessons and forcing candidates to do lab reports. However, CEH has left a not-so-good impression on those who are well informed in the infosec certification community, with people not able to pentest being granted CEH and some not even able to use Linux. To be fair, that was from the CEHv7 and v8 era, but it has already left an impression with regards to CEH that EC would take some time to build back. One workaround some organizations use is to rebrand the product to regain confidence from the public.

    Back to the GIAC continuing education system, it was pretty fair. Although it would cost 399 USD for either option to renew the certifications, SANS would send the new updated course materials and labs to whoever wants to renew those certifications. Those course materials would cost up to 5.6k USD each and are being given out for 399 USD during renewal. That is one generous aspect from SANS with regards to GIAC certification renewal.
  • BillV_ Member Posts: 114 ■□□□□□□□□□
    Yes, $399 for materials + time to study + taking and passing the exam again. That, or you essentially shell out $6K for another course. They are working to update their CE system though. In my opinion, a certification holding value is similar to determining the "worth" of anything else - it's only worth what someone else is willing to pay. If earning a certification provides me some benefit, pays me more money, or is a requirement, then it holds value. Otherwise, if I'm a GSE and no one in my area knows what it is and isn't willing to pay me what I feel they should for having gone through the requirements to earn it, then what value does it hold for me? The only solution is to uproot myself and move at that point (which may or may not be worth it). But that's just playing devil's advocate. I fully understand where you're coming from and agree with most of it. I wasn't trying to say that hits on job boards were better, or even mattered, just that it was ironic someone else complaining about that, in a conversation specifically about letting GIAC certifications lapse because of lack of options for maintenance.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    The time to study wouldn't take long. I only took less than 30 days to finish my course book for the GCED certification; re-certification is only a refresher of skills, which is necessary, and will take less than half the time. 10-15 days is reasonable for any candidate to keep themselves updated on the latest skill sets of the certification topic.

    To add on, re-certifying one time would give a total of 8 years, which would be sufficient for anyone who wishes to focus more time on family to settle down in a good job.
    Otherwise, if I'm a GSE and no one in my area knows what it is and isn't willing to pay me what I feel they should for having gone through the requirements to earn it, then what value does it hold for me? The only solution is to uproot myself and move at that point (which may or may not be worth it).

    It is true that the maturity of each infosec area would affect the jobs. This fact doesn't just apply to people holding GSE; it applies to various other niche fields in infosec such as pentest, forensics and malware reverse engineering. However, it is not quite right to put down the value by saying that "no one is willing to pay for what you feel they should". You should be well aware that SANS holds courses in various countries at specific times of the year, companies recognize the value of SANS courses, and some of the bigger companies are sending 5-10 people to SANS courses every year. If they are willing to pay for SANS courses for people, they would naturally be willing to hire candidates holding certs like GSE at a competitive price. GSE isn't going to be listed on any job posting, since there are so few people who have it. However, if a company has this amount of budget to send candidates to SANS courses, they will have the budget to hire skilled candidates as well.
    I wasn't trying to say that hits on job boards were better, or even mattered, just that it was ironic someone else complaining about that, in a conversation specifically about letting GIAC certifications lapse because of lack of options for maintenance.

    I may have misread something back then. I agree the options for maintenance weren't fantastic. But if someone has a good number of GIAC certifications, chances are he will be with a company that recognizes the value of them. The company would send the candidate to more SANS courses, which together with the certification would net a total of 72 CPEs, which can be used to renew two certifications.
  • OctalDump Member Posts: 1,722
    BillV_ wrote: »
    If earning a certification provides me some benefit, pays me more money, or is a requirement, then it holds value. Otherwise, if I'm a GSE and no one in my area knows what it is and isn't willing to pay me what I feel they should for having gone through the requirements to earn it, then what value does it hold for me?

    I'd add something to this: the certification can have personal value beyond its instrumental value to earn more money. It does, ultimately, represent learning - learning that has been more or less objectively evaluated. So, it is an achievement in itself, and for some of us that alone is enough to justify the time, effort and money.
    The other thing is that you can use even a relatively unknown certification as a selling point; it will just require more effort on your part to explain the value of the certification, what it represents - more an interview situation than a resume situation, though.
    And whatever you learn, it inevitably shows some benefit in unexpected areas.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    I often see that certifications are listed as a bonus and not a requirement.
    They use certificates to show that a person has a great interest in the field, and with a field such as infosec you are expected/have to follow what's going on in the industry in your off hours. Getting and holding certs is a way of showing you don't just show up 9-5, follow some SOPs and go home at the end of the day.

    Many people in the Pen-testing field have no certs and no relevant post secondary educations.

    The exception being DoD work requires you to have certain certs.
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    GPEN vs CEH.

    I have not taken any SANS training.

    The objectives seem very similar to me:
    GIAC GPEN Certification | Network Penetration Testing Certification
    Ethical Hacking and Countermeasures Course Outline | EC-Council

    In my opinion CEH is the better certification and GPEN is the better training to have.

    I have not attended any SANS training, but I do follow many of the people in the infosec field considered to be some of the most knowledgeable, and they are all SANS instructors (as well as holding down other jobs).

    I imagine SANS is paying them very well, and that's why the course costs so much.

    Why do I think CEH is the better cert?
    To work in:
    Computer Network Defense Analyst you must have CEH or GCIA
    Computer Network Defense Infrastructure Support you must have CEH
    Computer Network Defense Incident Responder you must have CEH or GCIH
    Computer Network Defense Auditor you must have CEH or GSNA
  • OctalDump Member Posts: 1,722
    IronmanX wrote: »
    Why do i think CEH is the better cert?
    To work in:
    Computer Network Defense Analyst you must have CEH or GCIA
    Computer Network Defense Infrastructure Support you must have CEH
    Computer Network Defense Incident Responder you must have CEH or GCIH
    Computer Network Defense Auditor you must have CEH or GSNA

    This is the odd thing. EC Council offer the ENSA which is explicitly aimed at network defence, but has almost no visibility - so much so that Google assumes you mean ECSA if you google it.

    To quote from EC Council:
    "The EC-Council's ENSA certification looks at the network security in defensive view while the CEH certification program looks at the security in offensive mode. "

    I think (or hope) that things will get better as Info Sec and the subspecialties develop, and employers will choose more targeted certification and there will also be some rationalisation in the number and variety of certs. EC Council and GIAC seem to want to have a certification for everything.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    The objectives between GPEN and CEH may seem similar, but from experience, GCIH is a lot closer than CEH.

    True, an additional CEH may allow you to get in a job. After all, GCIH with CEH sounds a lot better than simply GCIH, or CEH. I took that advantage to bundle GCIH, CEH and GPEN when looking for jobs three years back in my career.

    While getting a job is important, it is also important to get a good job that allows you to enhance your skills. HR may pass your resume to the interviewer, but in an environment where skilled professionals are required, the knowledge you gain from CEH is simply not enough to get into such an environment. Hence, it is very important to constantly work on individual skills in order to get into a good environment that can provide a better experience.
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    LionelTeo wrote: »
    The objectives between GPEN and CEH may seem similar, but from experience, GCIH is a lot closer than CEH.

    While getting a job is important, it is also important to get a good job that allows you to enhance your skills. HR may pass your resume to the interviewer, but in an environment where skilled professionals are required, the knowledge you gain from CEH is simply not enough to get into such an environment. Hence, it is very important to constantly work on individual skills in order to get into a good environment that can provide a better experience.

    "very important to constantly work on individual skills"
    Well I think that is important for all certs not just CEH.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    Can't disagree with that. But some certs would represent a better assurance to employers. OSCP is one of them.
  • ITforyears Member Posts: 35 ■■□□□□□□□□
    I just passed CEH and I have had my GPEN cert since last year. Obviously, being able to use your books during an exam helps much more than just recalling from memory/knowledge. But yes, I see CEH as a predecessor to GPEN.
  • Networking_Student Member Posts: 55 ■■□□□□□□□□
    Can you really use a book while taking the CEH?
    Working on my MCSD: Windows Store Apps
    WGU-Software Development Student
  • OctalDump Member Posts: 1,722
    Can you really use a book while taking the CEH?

    No. The GIAC exams are open book. So, I assume that ITforyears meant that they used books in the GPEN exam.
    2017 Goals - Something Cisco, Something Linux, Agile PM