Pre-OSCP Certs?

globalenjoi Member Posts: 104 ■■■□□□□□□□
Hey everyone. I'm looking for some feedback or opinions on my learning track. Earlier this year, I passed my Sec+ exam, and have since received a couple promotions. I'm fresh into an information security role, and I've spent the last month training. I'm going through WAF training now, and I've got the SANS GSEC bootcamp coming up in Baltimore in October. Normally my company would pay for the SANS training, but I'm using my GI bill to cover the costs by doing a graduate certificate, and in return, the company is paying for hotel and airfare for me to attend rather than just doing it all online. Plus it means I get the money from the housing allowance... Pretty sweet deal!

So, back to my cert question! A goal for me is to get to the OSCP and develop some real penetration testing skills. I have GSEC in October, GCIH + NetWars in April (can only attend courses in MD because of GI Bill rules..), and GCIA next fall. I'd like to work on some relevant certs since I'm having to space my SANS stuff out. I was considering trying to knock out the SSCP, since I still have years to go before I can do the CISSP (which wouldn't mean anything without any experience). But I can't decide if it's worth doing, with all of my upcoming SANS courses and certs, and I don't know if it's worth any extra time if the goal is OSCP. I was thinking about paying for the penetration testing course from Offensive Security. I've also seen several recommendations of the eLearnSecurity courses. Is it worth doing both courses if I have zero pentesting experience? Any info is welcome!

Comments

  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    If you're looking to get in Pen Testing I would just focus on Pen Testing certs. If I had to guess an order for pre-OSCP certs:

    eJPT -> CEH -> GCIH -> GPEN -> eCPPT -> OSCP

    Definitely not saying you would need to get all of them! Just listing ones I thought of.
  • Kalabaster Member Posts: 86 ■■□□□□□□□□
    I would definitely prune the list to:

    eCPPT > OSCP

    The SANS courses will definitely be awesome, but the most bang for your buck and time will be the above route, unless you really need that classroom environment. The CEH is just an HR filter; most pen testing, even government ones, will acknowledge the OSCP so significantly that they'll hire you with just that, some relevant experience, and a decent interview with at most a contingency for the CEH or CISSP, for which they will pay for the training. That is only if they have to adhere to 8570 and it's written in the contract. So to reiterate:

    For a job
    eCPPT > OSCP

    For fun and education
    GCIH > GPEN

    For HR Filters (which aren't a big deal in this specific field)
    CEH > CISSP
    Certifications: A+, Net+, Sec+, Project+, Linux+/LPIC-1/SUSE CLA, C|EH, eWPT, GMON, GWAPT, GCIH, eCPPT, GPEN, GXPN, OSCP, CISSP.
    WGU, BS-IT, Security: C178, C255, C100, C132, C164, C173, C172, C480, C455, ORA1, C182, C168, C394, C393, C451, C698, C697, C176, C456, C483, C170, C175, C169, C299, C246, C247, C376, C179, C278, C459, C463, C435, C436.
    Legend: Completed, In-Progress, Next
  • chrisone Member Posts: 2,278 ■■■■■■■■■□
    Don't be limited in your security skills. All these certs are popular and necessary. All provide valuable insight in the security field. Don't let anyone convince you that any of these certs are useless or just HR screeners.

    As a pentester it would be highly valuable to have a CISSP or similar.
    As a security officer it would be highly valuable to have a pentesting cert.

    Don't bubble/limit yourself because someone else "dislikes" something else.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • McxRisley Member Posts: 494 ■■■■■□□□□□
    I somewhat agree with Kalabaster's post above. I have seen stories of people with no prior pentesting or even Linux knowledge passing the exam. It's all about how much time and effort you put into it. As for the OSCP in the government sector, it is not recognized in the 8500.1 (formerly known as 8570). Therefore it holds no weight if you are applying for a government job and I can back this up as I am currently a DoD contractor and have spoken with my company's management and the higher up government people here as I was interested in a Network Security position at one time. Their answer was that I would need the CEH for the position even though people in the net sec and pentest field regard the OSCP as a much better cert, the rules are the rules. So I took an A&A position instead.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • globalenjoi Member Posts: 104 ■■■□□□□□□□
    Really the main reason I'm doing the SANS courses is that I was looking for a way to get some technical security training out of my GI bill. I've got 30 months of it left, so I was looking at some online graduate degree programs. If it wasn't going to cost me any out of pocket, the SANS graduate cert seemed like the best choice for some immediate technical training, something probably on a level above anything I'd get from an online master's degree program. When I got promoted, I mentioned that I was going to be doing it. Since my employer was planning to send me to GSEC this fall anyway, they were on board with paying the airfare and hotel for the 3 courses required by the program. Saves them money, and allows me to go in person rather than doing all three courses online. Plus the housing allowance will allow me to easily cover the cost of a pentesting course.

    For now, I think the practical skillset would benefit me more, so the eCPPT and OSCP are attractive. I'm not planning to leave my company anytime soon, and I count myself lucky to have shifted into an information security position within a year without any prior IT experience. I'm not opposed to the CISSP, but I'm still 4 years out from even qualifying for the cert, so I'm not really in a rush there. But I was thinking that since most of the SSCP material seems so similar to Sec+ and GSEC, I might be able to snag an extra cert in the process.

    As far as the eJPT and eCPPT courses go, is it worth doing them both? Or is it normal to just jump in to the eCPPT course?
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    I had a discussion with a manager of a Pen Testing company at a SANS conference and he said OSCP is pretty much the only one that really matters. Could really care less about other certifications. Can take that for whatever it's worth.

    The eJPT and eCPPT are good to get familiar with the Pen Testing process and walk you through learning them. If you are completely new maybe eJPT would be the best to start. I wouldn't say it would be a huge thing to just start with the eCPPT though.
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    Kalabaster wrote: »
    I would definitely prune the list to:

    For a job
    eCPPT > OSCP

    Can't say I heard of the eCPPT before. I did a job search, everything within 100 miles of Washington DC: zero hits. OSCP got 22 hits and GPEN 27 hits. What value is the eCPPT? Does it give you base knowledge (something like a CCENT to pass the CCNA) that will make it easier for you to pass the OSCP? Also a thousand bucks for a training no one recognizes looks pretty steep in my opinion.
    Still searching for the corner in a round room.
  • MJK9550 Member Posts: 160
    It does, I'm going to start the eJPT soon and the eCPPT before the OSCP.

    elearnsecurity.com

    Check them out.
  • g33k3r Member Posts: 249 ■■□□□□□□□□
    Although it's not widely recognized yet, the eLearnSecurity material is great. For the money I haven't found any other options that give you the depth of content. After all, aren't we searching for knowledge vs. a piece of paper :)
  • winona_ryder Member Posts: 42 ■□□□□□□□□□
    The good thing about the OSCP training is that it's quite cheap. If you run out of time, or fail the exam, it's not cost prohibitive to go back and get an extension on your lab connection.
    Would other, non-security training assist more - like Linux or networking courses?