ISACA CSX Practitioner Exam Experience

thegoodbye Member Posts: 94
A few days ago I took and passed the ISACA CSX Practitioner (CSXP) exam. I haven’t seen any write-ups on Techexams for this, so I thought I’d share my experience.

For those who don’t know what the CSXP is, it’s a relatively new certification from ISACA that is entirely hands-on. There are no multiple choice questions to answer. You receive a virtual environment with multiple virtual machines and you have various incident response related tasks that need to be completed. This can vary from scanning for hosts on a net block and comparing the output to a list of known good hosts, to using Wireshark to detect malicious activity, and even blocking a malicious host at the firewall. You have 3.5 hours to complete the various tasks and it’s no joke.

To prepare for the exam, you really need to know your stuff. ISACA lists the various tools one should be familiar with at https://cybersecurity.isaca.org/csx-certifications/csx-practitioner-certification#4-certification-exam . That said, if you don’t have experience with pfSense, Kali, Security Onion (including Snorby/Snort), Wireshark, and Nmap, you will probably have a hard time with the exam. It looks like ISACA also offers training in the form of a one week Bootcamp and other training, but I can’t speak to those, as I didn’t take them.

The certification itself is one of the more difficult tests I’ve taken in my career. You can’t study for this cert the week before and expect to pass. Passing this certification shows that you can walk the walk. I’ve had the opportunity to interview candidates for info sec jobs in the past 5 years and I’ve seen my share of candidates that look great on paper, but have little to no hands-on skills. You can’t braindump this cert. You have to prove your capabilities. I’m not sure I’d go as far as saying that the CSXP is the OSCP equivalent cert for Incident Response, but it’s the closest cert I’ve seen to it. I’ll definitely be putting CSXP preferred in the job postings for my company moving forward.

Comments

  • 636-555-3226 Member Posts: 975
    Nice! I've seen ISACA advertise the cert(s) a lot, but never heard of anybody actually going through them. Given this feedback I may add this to my list of suggested certs for my newbies to look into as I prefer the hands-on stuff rather than straight by-the-books knowledge which doesn't get you very far when you sit down and start trying to actually do something.
  • Remedymp Member Posts: 834
    My exam is scheduled for July after I take CISA in June. This is definitely on my to do list. Thanks for sharing. The 3 modules for practice are on their portal as well.

    And to think the Specialist exam isn't out yet and is going to be harder!
  • Itrimble Member Posts: 221
    Where are the 3 practice modules ?
    Goals for 2015 : Finish BS Network Administration at WGU
    Become CCNA, CISSP, CEH, VCP5-10 Certified
    Possible Start Masters in Information Security
  • Remedymp Member Posts: 834
    Itrimble wrote: »
    Where are the 3 practice modules ?


    Performance practice modules to help you gear up for the exam as the exam is performance based. But, if you've never worked with the tools and applications, it's actually very good to get comfortable with a new job.
  • princesamus Member Posts: 8
    Did you take the 3 lab modules, 500$ each? Or is there any documentation to purchase for the exam? The exam looks challenging and a bit similar to eNPD from elearnsecurity.
  • thegoodbye Member Posts: 94
    Did you take the 3 lab modules, 500$ each? Or is there any documentation to purchase for the exam? The exam looks challenging and a bit similar to eNPD from elearnsecurity.

    Yes. It seems they've changed some of their pricing around since I was in the labs, but it's very similar. Having dedicated labs for 6 months is definitely worth it. The environment ISACA provides is also a dedicated one. You won't be sharing VM's with other students and the problems that arise from other students restarting VM's in the middle of your work.

    If you're preparing for the exam, my advice is to be able to do all the labs and comprehensive without looking at any of the step-by-step instructions. I believe there are either PDF's or Power Points that come with this course, however, they're not needed to pass the 100% hands-on part of the exam. The step-by-step instructions for the labs are all built into the VM environment that loads in your browser.

    For example, a task on the lab/exam may request that you "Identify all hosts on the 10.0.0.x network that are missing patch KBXXXXXX and apply the patch as necessary". There are accompanying PowerPoint slide sections that reinforce this learning, explaining why patches are necessary and they mostly align with the NIST Cybersecurity Framework. Hopefully that makes sense.
  • temya Member Posts: 9
    Hello "thegoodbye",

    I hope you are doing well.

    Firstly, I must say that you are one of the first people I have met who has achieved OSCP as well as CSXP. Kudos to you and I am sure it must have taken some phenomenal efforts to achieve it.

    I had a question for you in terms of the amount of efforts involved, amount of learning learnt, which amongst these two would you suggest to consider first?

    My background is such that I need to have expertise of both, although I do not have Penetration Testing background. Having said that, it is more from my eagerness to learn it and I have already completed my training on Linux and Python as was suggested on OSCP site. I was about to start with some basic Kali Linux training (prior to enrolling for actual course), when I learnt about CSXP and currently in a dilemma as to which amongst this is good to consider first both being from perspective of learning.

    Thanks in advance.
  • thegoodbye Member Posts: 94
    The CSXP is easier and less time consuming than the OSCP. The CSXP is focused on IR, not PT. There is some minor overlap as some of the CSXP labs cover basic exploitation. Both online virtual environments align well with the exam environment. If you can complete the CSXP labs without needing to look through the step-by-step instructions, you should be able to pass the exam.

    How much time you spend on either certification will depend on your previous knowledge/skills, and how quickly you can attain new information and apply it hands-on. If you're new to IT and/or IT security in general, I'd advise against the OSCP, as you'll likely find it overwhelming. The CSXP will hold your hand on the labs, aside from the comprehensive. Additionally, for most people, I recommend having the Security+ & Network+ certifications or equivalent foundational knowledge before attempting the CSXP or OSCP.

    Please also understand that the CSXP is a newer certification and most individuals in the field haven't heard of it. Few job postings will list the CSXP until it gains more market penetration. Many that play the certification game have heard of the OSCP and it's highly respected and sought after.
  • temya Member Posts: 9
    Thank you for your quick response.

    This certainly helps. I am currently working as an Information Security Auditor and have completed my CISSP, CISA and CCNA. I guess I should have mentioned it earlier but the earlier post came more from the heart as I am truly keen to get some hands on exam done.

    Having said that, yes, I am more interested in learning vs certification and considering my background, I too have some proximity towards CSXP first and will then consider OSCP later.

    Thank you once again and will stay in touch !!
  • N1sh1ta Registered Users Posts: 1
    Hello "thegoodbye"

    Thank you for throwing some light on the newer certification - CSXP.

    I am an auditor, and mainly working on SOX and ITGC. Have a fair theoretical background on Information Security processes and various frameworks like NIST, SOX, etc. and have CISA and ISO LA certification. I don't have technical hands on experience. How much practice is required?
  • thegoodbye Member Posts: 94
    When you sign up for the course, you'll have 6 months lab time, which will allow you to access the virtual environment. Once you're able to do all of the labs without following the step-by-step instructions, you're ready. If you're not technical, this may take a few hundred hours, as this is a very technical focused exam.
  • cissp2015 Member Posts: 6
    Hi thegoodbye,

    There are 3 courses according to the ISACA website;
    1- Identification and Protection
    2- Detection
    3- Respond and Recover

    Do you pay $500 per lab for each course? $1500 for 3 courses or $500 for all 3 courses above?
    May CSX Practitioner Labs (6 months, $500 per lab) be used as the only studying material for the exam?
    Do the Labs come with a course material to learn and understand each subject?

    Thanks
  • Remedymp Member Posts: 834
    cissp2015 wrote: »
    Hi thegoodbye,

    There are 3 courses according to the ISACA website;
    1- Identification and Protection
    2- Detection
    3- Respond and Recover

    Do you pay $500 per lab for each course? $1500 for 3 courses or $500 for all 3 courses above?
    May CSX Practitioner Labs (6 months, $500 per lab) be used as the only studying material for the exam?
    Do the Labs come with a course material to learn and understand each subject?

    Thanks

    It's actually $1400 if you buy all three. However, it's everything you need for the exam.
  • cissp2015 Member Posts: 6
    Thanks for the reply Remedymp,

    In which format is the training material delivered (PDF, PPT, embedded content in the browser which cannot be downloaded, etc.)? I understand that the Labs are valid for 6 months but how long does it take to complete them? How was your exam experience?
  • thegoodbye Member Posts: 94
    You'll receive training material in two ways.
    1. PDF's with the theory surrounding the course. This is good information to know, however, won't really apply to the test.
    2. Step-by-step instructions that are embedded into the virtual lab machine environment. This is all loaded in the browser when you launch the course. You can also download these instructions I believe. An example of instructions might be, "Create a Windows firewall rule by doing X, Y, Z".

    How much time you need to go through the labs will depend on your experience in IR. There are about 70 labs that take around an hour each. If you're familiar with an area, it may only take you 15 - 30 minutes to complete it. There may be other areas that you want to go back and revisit until you're comfortable with them. If you're not familiar with the Linux command line, expect to take longer to learn some basics.

    The exam is challenging, but mostly straightforward. You're asked to apply the knowledge from the labs in a "real world" scenario. No multiple choice questions, just actions to complete. An example question may be something like, "Your team has identified that external host x.x.x.x is conducting malicious activity against x.x.x.x. Block the external host at the firewall." There are multiple ways to complete this, including command line & GUI. How you complete it is up to you.
  • Danielm7 Member Posts: 2,310
    This looks very interesting, wondering if anyone else has taken the training or exams?
  • rkv Registered Users Posts: 2
    Nice information, brother. Is there any alternative to practice the labs? I do not want to buy due to lack of money. I want to do this certification and have an idea of all modules of CSX. I have been a security penetration tester for 2 years. Can you suggest any alternative to practice for this exam?
  • temya Member Posts: 9
    Has anyone else booked the CSXP exam? I am possibly going to book it on 14th Feb depending upon my approval on the certification course from my organization.
  • temya Member Posts: 9
    Hi rkv,

    Considering that your background is in penetration testing, maybe you can think of OSCP. You can follow the JollyFrog's tale thread in techexam.net.
  • rkv Registered Users Posts: 2
    Thanks Temya,
    I will do but after some time as it requires a lot of time to practice.
  • temya Member Posts: 9
    Hey All,

    I have finally enrolled for the labs of CSXP. Although I am yet to prepare a plan and how to go about it, I will keep everyone posted in weeks to follow. I did not purchase the exam voucher though and will do so after a few months.
  • temya Member Posts: 9
    Hey All,

    I have completed the pdf and the Lab for "Identification". Overall, I think it is really a great course designed by ISACA.

    I would certainly say that just doing the labs would not be sufficient and you would need to experiment more by doing multiple tasks. As an example, there may be a task to run nmap and you can follow the labs to complete the task. However, at the same time, it would be how curious you are to explore all the options of nmap and utilizing the labs to the fullest.

    So far, I am targeting just to stick to basics, complete the pdf and then complete the labs. Once done, I will start exploring more and more options within the labs, VirtualBox and open source web content.

    Back to studies now.. will keep you all posted !!
  • idrus Registered Users Posts: 1
    Hi guys, may I know in which region you took the exam? Those who took the exam in Singapore say that the bandwidth connection to the exam server is very slow and hence they cannot complete the exam.
  • SteveLavoie Member Posts: 1,133
    CSXP seems an interesting cert to get... and it will be easy to sell to my boss. He believes a lot in the ISACA org.. :)
  • princesamus Member Posts: 8
    I'm also on the CSXP journey and just started labs, which are good.
    The PDF is theoretical but is following NIST framework so makes sense I guess.
  • temya Member Posts: 9
    Hi idrus,

    I am currently preparing for the exam from US. The only thing I had heard was that there were few issues from China. I would suggest reaching out to the support team for any clarifications. CSXP has a very good responsive team.
  • temya Member Posts: 9
    Yes, it's truly interesting, but slightly costlier. However, the amount of learning you can obtain depends upon how you take the learnings further. It is yet to get the market reach which generally exists for some gold standards like CISSP/CISA, but it's truly a hands-on exam and seems good to me so far.

    I would not say it's as much as OSCP, but definitely on its way !!
  • temya Member Posts: 9
    Hi princesamus,

    That's awesome. I have taken a break of a couple of weeks, but will soon start. I am done with Identification & Protection though I need to re-practise the labs before I register for detection. We can be in touch !!
  • rgrinnell2015 Registered Users Posts: 1
    Does the CSX-Practitioner require you to have the CSX-Foundation cert? Does the CSX-Specialist require you to have the Practitioner cert?
    I'm trying to coordinate my cert ascent to CSX-Expert (when it becomes available) and don't wish to waste time/money on the beginner exams if not required. There is much crossover, but my goal is to obtain the most advanced cert from each of the major organizations (GIAC, ISACA, Offensive Security, ISC2, and EC-Council). Between them, whomever is hiring will surely find a cert they can respect (One presumes I will also have the skillz to back up the cert)
  • cissp2015 Member Posts: 6
    1- How many questions/scenarios do we get in the exam?
    2- The questions related to Nmap/pfSense/Snorby/Splunk, do we need to know more than what the labs are teaching us? For example, do we need to know each CLI parameter, menu options and settings of these tools inside out or limited to what is shown in the labs?

    Thank you.