OSCP for relative newbie in industry?

While I'm new to the infosec industry, I've got a decade of IT experience under my belt. This experience is wrapped around several different facets of IT. My focus has been in networking but I've done systems, development (mostly web), data center, and much more.
I've always been interested in information security and so I took a position working as a SOC Analyst for a media company. It's mostly ticket pushing, but I have to start somewhere. My interest is in pentesting and security consulting so I've been looking at certifications that align with that goal.
I've always been cynical of certifications. I've worked with many people that hold high level certs and almost always question how they got them. I know brain **** exist and I know people use them. This is what interests me in the OSCP, it's not something you can brain ****. However, I have very limited hands on experience.
I have a strong understanding of security principles and theory but running exploits and recognizing common attack vectors isn't something I have a lot of experience in.
So, for the question. Is the OSCP something I should attempt or would I be wasting my money?

Find more posts tagged with

Comments

9emin1

I am roughly in the same situation as you buddy. I have far, far less experience. I know where is my interest and passion, and I've decided to go ahead and attempt it. Even if I were to fail, I know that I'll learn a lot

TeKniques

Well ... right from the horse's mouth here's what Offensive-Security says about what will be helpful to be successful:

"Penetration Testing with Kali Linux is a foundational security course, but still requires students to have certain knowledge prior to attending the online training class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus."

Good luck!

renacido

I say yes yes yes go for it, for all the reasons you mentioned.

You're new to infosec, but you have good depth of IT experience which IMO is the foundation of a good infosec career.

If you become a pentester, you'll have something that many new pentesters don't have - that IT experience. It is extremely valuable to a professional pentester and a lot of freshers don't realize this. Why? Freshers seem to think that what makes a great pentester is how skilled they are at rooting a box without using tools. But what is actually valuable to a professional pentester is how efficient you were (time is money) and what you were able to find/do POST-EXPLOIT and the quality of your reports. Thing is, what clients care about, you know the business owners who hire pentesters, is not how you wrote a custom exploit or all the stuff you found in your nmap scans. They care about what damage an attacker could do, and actionable steps they can follow to harden their systems to prevent real-world attacks in the future. Having 10 years in IT ops, you probably know where to look for the crown jewels. Someone who can pop a box but doesn't know what to do post-exploit or how to help the client harden their network is of limited value to a client.

You're interested in pentesting and this course is targeted right at pentesters, though it's good for anyone in infosec.

Go for it.

towentum

Renacido, that was very well put! Thank you. I will go for it, probably going to start closer to October though for budgetary reasons. Unfortunately, I don't think my employer will cover the cost at this time.

tedjames

I may get to start on this sometime this year. Just waiting to see if the money will come through. Meanwhile, I've downloaded the syllabus and am creating a study plan based on that. But before I register for OSCP, I'm going to do some self-training based on the syllabus using free and low cost courses in Cybrary, Udemy, YouTube, etc. I want to be prepared to take the OSCP training and do it right.

invictus_123

towentum wrote: »

While I'm new to the infosec industry, I've got a decade of IT experience under my belt. This experience is wrapped around several different facets of IT. My focus has been in networking but I've done systems, development (mostly web), data center, and much more.
I've always been interested in information security and so I took a position working as a SOC Analyst for a media company. It's mostly ticket pushing, but I have to start somewhere. My interest is in pentesting and security consulting so I've been looking at certifications that align with that goal.
I've always been cynical of certifications. I've worked with many people that hold high level certs and almost always question how they got them. I know brain **** exist and I know people use them. This is what interests me in the OSCP, it's not something you can brain ****. However, I have very limited hands on experience.
I have a strong understanding of security principles and theory but running exploits and recognizing common attack vectors isn't something I have a lot of experience in.
So, for the question. Is the OSCP something I should attempt or would I be wasting my money?

I had no industry experience and passed recently

To give you an idea of my knowledge prior to taking the course, I knew C, Python and Java, done some CTF's, and could write basic exploits for simple buffer overflows.

None of this was really that beneficial for OSCP, it's much better to have the sort of experience it sounds like you have. Knowing how domains work, networking knowledge, stuff like that.

I vote take the course