ISACA CSX Practitioner Exam Experience

A few days ago I took and passed the ISACA CSX Practitioner (CSXP) exam. I haven’t seen any write-ups on Techexams for this, so I thought I’d share my experience.
For those who don’t know what the CSXP is, it’s a relatively new certification from ISACA that is entirely hands-on. There are no multiple choice questions to answer. You receive a virtual environment with multiple virtual machines and you have various incident response related tasks that need to be completed. This can vary from scanning for hosts on a net block and comparing the output to a list of known good hosts, to using Wireshark to detect malicious activity, and even blocking a malicious host at the firewall. You have 3.5 hours to complete the various tasks and it’s no joke.
To prepare for the exam, you really need to know your stuff. ISACA lists the various tools one should be familiar with at https://cybersecurity.isaca.org/csx-certifications/csx-practitioner-certification#4-certification-exam. That said, if you don’t have experience with pfSense, Kali, Security Onion (including Snorby/Snort), Wireshark, and Nmap, you will probably have a hard time with the exam. It looks like ISACA also offers training in the form of a one-week Bootcamp and other training, but I can’t speak to those, as I didn’t take them.
The certification itself is one of the more difficult tests I’ve taken in my career. You can’t study for this cert the week before and expect to pass. Passing this certification shows that you can walk the walk. I’ve had the opportunity to interview candidates for info sec jobs in the past 5 years and I’ve seen my share of candidates that look great on paper, but have little to no hands-on skills. You can’t braindump this cert. You have to prove your capabilities. I’m not sure I’d go as far as saying that the CSXP is the OSCP equivalent cert for Incident Response, but it’s the closest cert I’ve seen to it. I’ll definitely be putting CSXP preferred in the job postings for my company moving forward.
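One of the exam task types described above is sweeping a net block and comparing the live hosts against a known-good list. The following is an added example (not from the original post or from ISACA's labs) that parses Nmap's grepable (`-oG`) ping-sweep output, filters it to the net block in scope, and reports hosts that are live but not in the inventory as well as inventory hosts that did not answer. The scan output and the inventory are constructed sample data.

```python
import re
import ipaddress

# Constructed sample of Nmap grepable output (as from: nmap -sn -oG - 10.0.0.0/28).
# Not a real scan; hostnames and addresses are made up for the example.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sn -oG - 10.0.0.0/28
Host: 10.0.0.1 (gw.lab)\tStatus: Up
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.9 (fileserver.lab)\tStatus: Up
Host: 10.0.0.13 ()\tStatus: Up
# Nmap done -- 16 IP addresses (4 hosts up) scanned
"""

# Constructed known-good inventory: hosts that are expected to be live on the block.
KNOWN_GOOD = {
    "10.0.0.1": "gw.lab",
    "10.0.0.9": "fileserver.lab",
    "10.0.0.12": "printer.lab",
}

# A grepable host line looks like: "Host: <ip> (<name>)<tab>Status: Up"
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up", re.M)


def parse_live_hosts(grepable: str) -> dict:
    """Return {ip: hostname} for every host Nmap reported as Up."""
    hosts = {}
    for ip, name in HOST_LINE.findall(grepable):
        ipaddress.ip_address(ip)  # raise on a malformed address rather than skip it silently
        hosts[ip] = name
    return hosts


def compare_to_inventory(live: dict, known_good: dict, net: str) -> dict:
    """Diff live hosts inside `net` against the known-good inventory.

    'unexpected' = live hosts not in the inventory (investigate these first);
    'missing'    = inventory hosts that did not respond (possibly down, or filtering ICMP).
    """
    network = ipaddress.ip_network(net)
    in_scope = {ip for ip in live if ipaddress.ip_address(ip) in network}
    unexpected = sorted(in_scope - set(known_good), key=ipaddress.ip_address)
    missing = sorted(set(known_good) - in_scope, key=ipaddress.ip_address)
    return {"unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    live = parse_live_hosts(SAMPLE_NMAP_GREPABLE)
    print(compare_to_inventory(live, KNOWN_GOOD, "10.0.0.0/28"))
```

A ping sweep only shows hosts that answer, so a "missing" host is a lead to verify with ARP or a port scan, not proof that it is down.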
Comments
And to think the Specialist exam isn't out yet and is going to be harder!
Become CCNA, CISSP, CEH, VCP5-10 Certified
Possible Start Masters in Information Security
The performance practice modules help you gear up for the exam, as the exam is performance based. But if you've never worked with the tools and applications, it's actually very good for getting comfortable with a new job.
Yes. It seems they've changed some of their pricing around since I was in the labs, but it's very similar. Having dedicated labs for 6 months is definitely worth it. The environment ISACA provides is also a dedicated one. You won't be sharing VMs with other students and the problems that arise from other students restarting VMs in the middle of your work.
If you're preparing for the exam, my advice is to be able to do all the labs and the comprehensive without looking at any of the step-by-step instructions. I believe there are either PDFs or PowerPoints that come with this course; however, they're not needed to pass the 100% hands-on part of the exam. The step-by-step instructions for the labs are all built into the VM environment that loads in your browser.
For example, a task on the lab/exam may request that you "Identify all hosts on the 10.0.0.x network that are missing patch KBXXXXXX and apply the patch as necessary". There are accompanying PowerPoint slide sections that reinforce this learning, explaining why patches are necessary and they mostly align with the NIST Cybersecurity Framework. Hopefully that makes sense.
I hope you are doing well.
Firstly, I must say that you are one of the first people I have met who has achieved OSCP as well as CSXP. Kudos to you, and I am sure it must have taken some phenomenal effort to achieve it.
I had a question for you: in terms of the amount of effort involved and the amount of learning gained, which of these two would you suggest considering first?
My background is such that I need to have expertise in both, although I do not have a penetration testing background. Having said that, it is more from my eagerness to learn it, and I have already completed my training on Linux and Python as was suggested on the OSCP site. I was about to start with some basic Kali Linux training (prior to enrolling for the actual course) when I learnt about CSXP, and I am currently in a dilemma as to which of these is good to consider first, both being from the perspective of learning.
Thanks in advance.
How much time you spend on either certification will depend on your previous knowledge/skills, and how quickly you can attain new information and apply it hands-on. If you're new to IT and/or IT security in general, I'd advise against the OSCP, as you'll likely find it overwhelming. The CSXP will hold your hand on the labs, aside from the comprehensive. Additionally, for most people, I recommend having the Security+ & Network+ certifications or equivalent foundational knowledge before attempting the CSXP or OSCP.
Please also understand that the CSXP is a newer certification and most individuals in the field haven't heard of it. Few job postings will list the CSXP until it gains more market penetration. Many that play the certification game have heard of the OSCP and it's highly respected and sought after.
This certainly helps. I am currently working as an Information Security Auditor and have completed my CISSP, CISA and CCNA. I guess I should have mentioned it earlier, but the earlier post came more from the heart as I am truly keen to get some hands-on exam done.
Having said that, yes, I am more interested in learning vs certification and considering my background, I too have some proximity towards CSXP first and will then consider OSCP later.
Thank you once again and will stay in touch!!
Thank you for throwing some light on the newer certification - CSXP.
I am an auditor, mainly working on SOX and ITGC. I have a fair theoretical background in Information Security processes and various frameworks like NIST, SOX, etc., and have CISA and ISO LA certification. I don't have technical hands-on experience. How much practice is required?
There are 3 courses according to the ISACA website:
1- Identification and Protection
2- Detection
3- Respond and Recover
Do you pay $500 per lab for each course? $1500 for 3 courses, or $500 for all 3 courses above?
Can the CSX Practitioner Labs (6 months, $500 per lab) be used as the only study material for the exam?
Do the Labs come with course material to learn and understand each subject?
Thanks
It's actually $1400 if you buy all three. However, it's everything you need for the exam.
In which format is the training material delivered (PDF, PPT, embedded content in the browser which cannot be downloaded, etc.)? I understand that the Labs are valid for 6 months, but how long does it take to complete them? How was your exam experience?
1. PDFs with the theory surrounding the course. This is good information to know; however, it won't really apply to the test.
2. Step-by-step instructions that are embedded into the virtual lab machine environment. This is all loaded in the browser when you launch the course. You can also download these instructions I believe. An example of instructions might be, "Create a Windows firewall rule by doing X, Y, Z".
How much time you need to go through the labs will depend on your experience in IR. There are about 70 labs that take around an hour each. If you're familiar with an area, it may only take you 15 - 30 minutes to complete it. There may be other areas that you want to go back and revisit until you're comfortable with them. If you're not familiar with the Linux command line, expect to take longer to learn some basics.
The exam is challenging, but mostly straightforward. You're asked to apply the knowledge from the labs in a "real world" scenario. No multiple choice questions, just actions to complete. An example question may be something like, "Your team has identified that external host x.x.x.x is conducting malicious activity against x.x.x.x. Block the external host at the firewall." There are multiple ways to complete this, including command line & GUI. How you complete it is up to you.
Considering that your background is in penetration testing, maybe you can think of OSCP. You can follow the JollyFrog's tale thread in techexam.net.
I will, but after some time, as it requires a lot of time to practice.
I have finally enrolled for the labs of CSXP.
I have completed the pdf and the Lab for "Identification". Overall, I think it is really a great course designed by ISACA.
I would certainly say that just doing the labs would not be sufficient, and you would need to experiment more by doing multiple tasks. As an example, there may be a task to run nmap, and you can follow the labs to complete the task. However, at the same time, it would come down to how curious you are to explore all the options of nmap and utilize the labs to the fullest.
So far, I am targeting just to stick to basics, complete the pdf and then complete the labs. Once done, I will start exploring more and more options within the labs, VirtualBox and open source web content.
Back to studies now.
The PDF is theoretical but follows the NIST framework, so it makes sense I guess.
I am currently preparing for the exam from the US. The only thing I had heard was that there were a few issues from China. I would suggest reaching out to the support team for any clarifications. CSXP has a very good, responsive team.
I would not say it's as much as OSCP, but definitely on its way!!
That's awesome. I have taken a break of a couple of weeks, but will soon start. I am done with Identification & Protection, though I need to re-practise the labs before I register for Detection. We can be in touch!!
I'm trying to coordinate my cert ascent to CSX-Expert (when it becomes available) and don't wish to waste time/money on the beginner exams if not required. There is much crossover, but my goal is to obtain the most advanced cert from each of the major organizations (GIAC, ISACA, Offensive Security, ISC2, and EC-Council). Between them, whoever is hiring will surely find a cert they can respect (one presumes I will also have the skillz to back up the cert).
2- For the questions related to Nmap/pfSense/Snorby/Splunk, do we need to know more than what the labs are teaching us? For example, do we need to know each CLI parameter, menu option and setting of these tools inside out, or only what is shown in the labs?
Thank you.