So i'm going to take the Pentest+

Long story short, I started a MSc in Security which was 3 years long, however, I found that the support was a bit lacking and it wasn't really tailored to what I do in my day to day job. So my plan is to quit it before I get too far in, then get the Pentest+ and then the WAPT. I got my OSCP back in 2015 but I only landed my first penetration tester role in 2019, so I need to regain the mindset. The Pentest+ looks very infrastructure focused which is a shame, i'd have liked to have seen more web app stuff, but either way, it's a new challenge and I think I should be able to pass it without too many hiccups along the way.

Find more posts tagged with

Comments

UnixGuy

congrats on your pentest role, I remember your journey in forensics then a change to a support role. I hope you're enjoying the pentesting role

All the best to you!

Have you thought of challenging the GPEN since you have the knowledge?

JDMurray

Pentesting can be network-focused, device-focused, or application-focused. You are looking for flaws in the design, implementation, or configuration of something. It's all under the heading of Vulnerability Management.

jeremy_dfir

Taking into consideration the latest threat landscape, i would go for a certification that includes as many pentesting aspects (infra, web, device) as possible.

si20

UnixGuy said:

congrats on your pentest role, I remember your journey in forensics then a change to a support role. I hope you're enjoying the pentesting role

All the best to you!

Have you thought of challenging the GPEN since you have the knowledge?

Thanks, you've pretty much followed me since the beginning! I finally after all these years landed a Pentester role and it is focused on web-app which is great. I'm finally getting to learn and use my skills - and dare I say it ....enjoy my job. After years of being stuck in SOC jobs, a stint in forensics/service desk, I managed to land a great one.

I've not looked at the GPEN, but I think i'll go Pentest+, WAPT and possibly GPEN (i'll go away and research it now).

My company are paying for the Pentest+ and WAPT, so seems silly not to do them. As for the GPEN, if it's affordable, i'll fund that myself. Hope you're doing well by the way!

yoba222

Pentest+ sounds like a good way to regain the mindset and sharpen your skills. As for the GPEN being affordable, it's not.

si20

It's been a while but here goes. I'm back on it!

Since I posted this thread, I passed the WAPT, started the AWAE but decided the AWAE is beyond my skill level. So I'm going to finish what I started with the Pentest+. I'll update this thread regularly until the exam date, which I've set approx 10 weeks from now.

I've finished the Jason Dion course on Udemy (Pentest+)

I've got the All-in-One exam study guide
I've paid for Certmaster (CompTIA's official question pack to help train you up).

I need to go through the study guide again, hammer certmaster and hope for the best. Certmaster has been showing me what a hard exam this is going to be. But hey, I'm up for a challenge....!

si20

Sunday update: the questions are HARD. Well, some of them are. Some questions are extremely basic: "What port is FTP?" And then the next question may say: "What is LLMNR and what is the best way to exploit it?" Whoah. Without having practical on-the-job experience of various things like LLMNR and only knowing about it from a theoretical point of view, that's where the Pentest+ difficulty lies.

I'm hammering sample questions and collating a list of things I'm weak on e.g powershell and various post-exploit tools. I'm planning to delve into them a little before the exam to get a practical sense of them.

si20

I intended to give an update yesterday (Sunday), however I got caught up. But still studying this one and still hoping to take the exam within 7 weeks now.

I definitely think it's doable, although man, I thought the Security+ was a mile wide and an inch deep......the Pentest+ is 10 miles wide and 3 inches deep. It's a weird one. One sample question might be: "what is port 80 commonly used for?" and the next: "You're cracking a wifi network and you wish to perform a fragmentation attack. What switches would you use to call the attack, log the results and crack the pcap." followed by 4 similar-ish commands.

If the exam is anything like the Certmaster prep, it's going to be a close one. It's saying I've got 74% knowledge at the moment and I think you need 80% to pass? Does that sound about right? Going to read the book in these 7 weeks, run through the book's sample Q's, maybe run through the Udemy course again and finish the whole of certmaster. It's gonna be a busy 7 weeks!

stryder144

It seems to me that most CompTIA exams sit at the 80% range to pass, so I typically go for about a 90% in my practice questions. That is, until I get exhausted trying to hit that mark and then I just pull the trigger and see if I pass or not. So far, my method has worked pretty well for me.

charismaticx

I would of figured the content from OSCP is a lot harder than PenTest +. Jason Dion’s course was all I used to prep for the exam. I think the hardest part that trips people up during the exam is the remediation action after the vulnerability is identified. Good luck with the exam, but I think you’re light years ahead of all of us.

si20

Passed the pentest+ yesterday. It was a pretty damn hard exam. I got some extremely specific questions relating to certain security tools...

My advice for anyone taking it is simply know the content inside out and back to front. Passing mark is 750, I got 763. So I just scraped through it.

I didn't fully read the book, and used Jason Dion's course/pdf. To be honest, his course didn't come in very useful. His pdf however saved my bacon. He provides a pdf with his course which details key points. I read all 71 pages prior to the exam and I think this is what pushed me over the pass mark.

yoba222

How many hours did you study?
Also, and I don't mean this to be a loaded question and out of curiosity, how much do you feel that your pentest knowledge has grown, comparing when you began studying for Pentest+ and now that you've passed the exam? How would you compare that to the same situation, but with OSCP? It kind of sounds like you passed mainly by prior experience, so maybe my questions aren't really applicable.

si20

yoba222 said:

How many hours did you study?
Also, and I don't mean this to be a loaded question and out of curiosity, how much do you feel that your pentest knowledge has grown, comparing when you began studying for Pentest+ and now that you've passed the exam? How would you compare that to the same situation, but with OSCP? It kind of sounds like you passed mainly by prior experience, so maybe my questions aren't really applicable.

I probably studied for about 15 hours (but I've got OSCP, OSWP, Sec+, Linux+) and have been a pentester for almost 2 years now.

That being said...I only just scraped the pass. I am probably not a good use-case for this particular exam because you're right, I answered (mostly) from experience.

It's probably too difficult to compare with the OSCP. The OSCP was very, very practical. The Pentest+ expects you to know topics from MiTM attacks, to statement of work (SoW), to subnetting. It's almost as if the Pentest+ is trying to harvest your knowledge from the Network+, Sec+ and Pentest+ all at the same time.

I certainly felt as if I could fail the Pentest+. The killer questions for me were along the lines of: "Which of the following is the BEST choice....". Those totally crushed me. They're subjective and I truly wish CompTIA would eliminate them from their exams. One company might choose A and another might choose B....and as a pentester, I might choose C. I just wish CompTIA would stick to questions with factual answers, rather than subjective answers.

TL;DR - You can gain a lot of knowledge from the Pentest+, if you apply it practically. I think ultimately, CompTIA really need to start providing labs so students can practice skills.