
How valuable/useful are SANS certs?

HCPS123 Member Posts: 54
I apologize in advance for my inexperience and if I came across as disrespectful towards SANS certs. It's just that every time I hear someone mention a SANS cert it's always immediately followed with a warning about the price, so it's hard for me to gauge the actual value of the cert. I'm interested in the GPEN field but I don't want to get it if it's like CEH (name recognition by HR but doesn't actually teach you useful information that you couldn't have learned from cheaper/better certs). For the record, I place value on certs based on the following.

1. Education - The most important factor in my mind. Does this cert teach me things no other cert does? Are these things actually useful out in the real world? Is the corresponding class/study material easy/reasonable to follow? Can I build off this information/use it to help prepare me for other certs?

2. Recognition - In a perfect world I'd just need the actual skill in order to land me that high-paying job to live off. We don't live in a perfect world, so name recognition is pretty important, hence why I'm still getting CEH despite its questionable education value.

3. Price - The least important. Only really on here because we don't live in a perfect world and I have to pay for these certs somehow. Really it's only a detracting value, since it's not like I'm just going to buy a cert because it's cheap, and all high-level certs are going to end up costing me an arm and a leg. With that being said, if the education and/or name recognition is there I'll find a way to pay for it (starving/private loans are on the table if I have no other choice).

So with those factors in mind, how would you rate the SANS GPEN cert path?

Comments

    Danielm7 Member Posts: 2,310
    SANS is great training, and respected, but the price isn't really set for individuals but more for large businesses and government. There is work study as an option for way less, but you have to be local, get picked and then get selected for the course you actually want, which is like winning the lottery in some areas. As you mentioned, the HR name recognition is a double-edged sword: the CEH is known by many HR folks and hiring managers, but for people who actually do pen testing it's also known as pointless.

    When you mention the "GPEN cert path" I'm assuming you mean just the course and exam itself. Because SANS also has recommended paths, like for pen testing it starts with the GCIH, then the GPEN, so you'd be at 12-13K before travel, hotels, food.

    The CEH is now up to $950 before any study material. From what I understand you can also buy one book, study it and pass it, so at least the material isn't too costly. You might get past an HR screen but also probably wouldn't be able to actually do the job or pass a technical screen. You can do the PWK/OSCP for $1,200-ish for 3 months, work your butt off during those 3 months and pass a really practical/respected exam.

    Here is where the double-edged sword comes into play: more companies know of and ask for the CEH, but it doesn't fill the #1 requirement on your list. Really, you can do the CEH as resume fodder and the OSCP for the companies that actually know what it means, and you'll learn way more doing that for about 1/3 of the cost of 1 SANS course.

    In the end, it's the security field, and without knowing your background / education / IT experience, that's going to count for a lot too. If someone comes to me with 8 years as a sysadmin who is used to hardening systems and knows configurations, who has been learning pen testing for years but doesn't have a cert but knows what they're doing, it's going to carry a world more weight than someone who has no background but passed the CEH exam in a few weeks.

    /Sunday morning ramble over.

    TechGuru80 Member Posts: 1,539
    1. The major benefit is that the SANS books have a lot of the best information combined together. It’s not a magic pill that you couldn’t get elsewhere but it would take you a lot of time to learn everything without taking the course.

    2. SANS / GIAC is very well respected and generally out of reach if a company isn't paying for it. As far as InfoSec departments are concerned, SANS would be much more desired than a CEH if they know what they are talking about. Unfortunately, HR loves CEH and is probably less likely to know what GIAC is...not always true though.

    3. For just the course and certification attempt, you are looking at about $6,500. That cost could be higher if you want to do an in person class that requires travel, otherwise that’s the cost of OnDemand. You can also look into the work study program (you do not have to be local as Daniel incorrectly said). The cost of the course is then $1,100, and if you have to travel assume around $3,000 for hotel and everything. The work study option requires you to help out with some basic stuff to make the conference successful.

    A few other notes:
    -you don’t have to take GCIH to take GPEN.
    -OSCP is respected but as far as the material provided to you, it’s pretty bare bones....basically you have to research and self study a lot. NOT FOR BEGINNERS.
    -Not sure if you are U.S. but if you are and have any intention working for the govt, CEH fulfills a lot more of the 8570 than GPEN...and OSCP isn’t even on the list.

    [Deleted User] Senior Member Posts: 0
    Agree with TechGuru80. GIAC is well respected in the InfoSec community. My advice if you want to pursue GIAC exams: the best deal is to wait for SANS to have the special where they include a free GIAC exam attempt with the course purchase via OnDemand. Don't fall for the free iPad or laptop junk. I think they have the offer for the free GIAC exam when you buy an OnDemand course once every month or once every few months. Just keep an eye out and when you see it, jump on it. I'm waiting to take SANS 660 (GXPN) until I save up the money and they have that offer for the free GIAC exam. The GIAC exam cost by itself without the course is $1,700, or if you buy the course and exam together when that promo is not going on it's an additional $700, I think, something like that.

    *Update, looks like SANS has that same promotion going on now as of today 10/15.*
    Probably the best deal GIAC offers imo.

    gespenstern Member Posts: 1,243
    1. SANS has the best material and training in the industry, period.
    2. Not so much, but IMO undervalued among HR and recruiters and therefore they have potential. Their exams are rather weak, not as convoluted as CISSP for example, and are open book. I'd say it's not worth challenging them without taking the training, as the SANS training is of the most value.
    3. Have the employer paying for them, that's what pretty much everyone here does. Another option is work-study program, still wouldn't pay with my money though.

    Danielm7 Member Posts: 2,310
    TechGuru80 wrote: »
    1. You can also look into the work study program (you do not have to be local as Daniel incorrectly said). The cost of the course is then $1,100, and if you have to travel assume around $3,000 for hotel and everything. The work study option requires you to help out with some basic stuff to make the conference successful.
    See that couple of thousand dollars you added for "hotel and everything"? That's what I'm talking about when I said it's $1,100 and you have to be local.

    TechGuru80 Member Posts: 1,539
    Danielm7 wrote: »
    See that couple of thousand dollars you added for "hotel and everything"? That's what I'm talking about when I said it's $1,100 and you have to be local.
    Ah I see where you were going with that...to make it equal to OSCP in terms of cost.

    If somebody is willing to pay the $3,000 or the $1,100...it kind of comes down to how you learn best. If you are willing to beat your head against a brick wall for a while and not quit...OSCP is great because they give you the basics and expect you to continue. SANS is more hand-holding, but they give you topics that are vital and can only cram so much into a short period of time. There is also something to be said for a known research entity (SANS) versus a newer hacker community in terms of quality content...not that OSCP doesn't give you some good basic fundamentals, but SANS gives you more background on topics.

    TechGromit Member Posts: 2,156
    My advice: you need to get your Security+ first; you need some base-level knowledge before you start taking GIAC certifications. As for breaking into the cyber security field, after you get your Security+, the next certification you should be looking to get is the GCIH. While almost any GIAC cert is valuable, the GCIH is highly desirable by employers. A quick search on Indeed gets me over 1,300 hits for GCIH, where the GPEN gets 460 hits. While either one is good to have, to break into the field you want the certification that has the greatest chance of landing that first InfoSec job; once you get your foot in the door, then you could pursue the GPEN. As for myself, I never did get a Security+, I got the GSEC instead, but my employer footed the bill. If you're considering paying for this yourself, even with a work study, you want to go the most economical route possible.

    HCPS123 Member Posts: 54
    TechGromit wrote: »
    What's the goal here? To get a job in the cyber security field? Or are you already employed in the field and looking to get into pen-testing?

    I'm employed in the IT field and looking to get into pen-testing.

    ZzBloopzZ Member Posts: 192
    I do believe the TRAINING part of SANS certs is top notch. However, I just do not believe it is worth the cost unless your company is footing the bill.

    There is one particular exception and that is the GWAPT. There is simply no equivalent to the GWAPT (Web App Penetration Testing) in terms of recognition in the niche of web app testing. Many have not heard of eLearnSecurity, let alone the eWAPT. After putting the GWAPT on my LinkedIn profile I get quite a few messages per week.

    Also, CEH is great if you are in the DC area since it marks a few check boxes for 8570.

    beads Member Posts: 1,531
    HCPS123 wrote: »
    I'm employed in the IT field and looking to get into pen-testing.

    If you have a developer background and like doing lots of research (frankly, penetration testing involves a great deal of research anyway), do the OSCP and see if you have the stomach, the interest and, most importantly, the talent.

    No doubt SANS has the best training and it feels really good to pass the exams, but only if the company is paying for it. I have spent my own money to the tune of $6,000 per class, but I've been doing this work since before it was cool or anyone cared. Today, I will no longer pay for these classes. Really, the return isn't going to make me more marketable in my area. Geeks and nerds know SANS, but HR and business aren't the right audience.

    So you may end up with tens of thousands in training for something you have an interest in but no experience with? Tread lightly on your wallet before investing and go OSCP, which is cheap in comparison.

    Personally, I can put you in touch with a half dozen or so burned out "pen-testers" as well.

    - b/eads

    UnixGuy Mod Posts: 4,564
    beads wrote: »
    Personally, I can put you in touch with a half dozen or so burned out "pen-testers" as well.

    In your experience, do you find pentesters burn out more than, say, blue team?

    TechGuru80 Member Posts: 1,539
    A lot of pentester jobs are at consulting companies that require a lot of travel and loads of documentation, so I could definitely see burnout happening.

    Hornswoggler Member Posts: 63
    1. SANS is the absolute BEST training I have ever received. The course authors are top notch. Spend a week at a SANS conference and you'll come back to work with a much broader perspective. They explain the history, the theory, the business sense (scope, reporting, legal issues), the tools, lots of labs (504 and 560 in my experience), real-world stories, and practical stuff you can apply immediately. If work is paying, this is a great choice. Attend a conference where you can also participate in NetWars. I'm a very hands-on learner and appreciate the practice applying what I have learned.

    Comparing 560/GPEN to PWK/OSCP, PWK is teaching me to become a better hacker but SEC560 taught me to be a pentesting professional. There is overlap in both. I still picked up tech tidbits from 560 that PWK doesn't cover (more netcat, scapy, powershell, wmic). Even the overlapping parts can be different (scripting, pivoting), so I'm glad to get both and also thankful I did 560 before PWK. They complement each other very well.


    2. SANS certs are respected, but I don't get the sense that GPEN is as valued in the pentesting industry as OSCP. Job searches will reflect that. Some ads will say GIAC certs instead of listing any specific ones. To learn the subject and pass a test on it is good, but I also respect the tall challenge in OSCP to actually pull it off in a simulated environment. I enjoy them both in different ways.


    3. Price. If work is paying, it could make economic sense for them to fly you out for a week and have you come back more productive. SANS courses don't waste much time and it can feel like drinking from a firehose. You'll come back to work with useful ideas. On your own dollar there are cheaper ways to obtain a similar level of understanding, but it will take time, resources, and discipline to set up your own lab and follow a book or online course. Stuff gets outdated, so commands in a book may not work today and so on. If you can work through the frustrating parts you can learn a ton from cheaper or free resources. cybrary.it, udemy, Georgia Weidman's book, eLearnSecurity, and others are reasonably priced. Build on this stuff until you are ready for the OSCP.

    HCPS123 Member Posts: 54
    So from what I can gather, SANS is aimed more towards corporations rather than individuals. What I mean by that is that if a company wants to offer free certs/training for a new department or something like that, they go to SANS, who I assume offers them some kind of deal for getting certs through them. But SANS isn't really meant for an individual trying to get certs on their own without the backing of a company (their prices simply can't justify themselves).

    Thank you everyone for the feedback!