lucky4life Registered Users Posts: 9
I'm sure it has been discussed before, but I am throwing this out there. My next SANS training (due to increased workload) is to be GPEN or GWAPT... but I have no idea which one to pick. I already have my GCIH.
My boss currently holds the GPEN cert, and my co-worker currently holds GWAPT.

Both are beneficial to the work we can/will be doing.  I've heard that there is some overlap of GCIH in GPEN, so I am kinda leaning more towards GPEN. Can anyone offer some advice as to which one is more difficult, or which way you would lean?  Thanks in advance!


  • mikey88 Member Posts: 495
    You want to write wat with a Pen?
    Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux

  • LonerVamp Member Posts: 518
    You could try to borrow and flip through the books from your coworkers. :)

    Difficulty is going to be different for each person and what they bring to the table as far as interest, experience, and skills. I would suggest googling "GPEN review" and "GWAPT review" for additional stories on experiences from other students.

    It also depends on what you want to do. GWAPT is entirely web app pen testing for *new* pen testers. It helps if you go in with a little Burp Suite knowledge (find some tutorials to follow) and some experience hosting, adminning, or writing web pages to any degree. Bonus if you're already familiar or have performed some web app attacks.

    I have not taken GPEN, but I believe it leans into the network penetration testing side of the house. Probably enumeration and firing off exploits via Metasploit or manually.

    For me, I passed OSCP a few years ago. After doing so, I decided I probably don't need GPEN as there seems to be lots of overlap. I took GWAPT earlier this year, and I have to say I already knew most of the material and didn't learn too much new. If web app testing is entirely new, you'll learn a lot more than I did.

    Personally? You can get GPEN by spending less and having more fun with OSCP pursuits. With GWAPT, same thing applies, and add in some HTB work, and you can get that experience for free from those and other sources. I'd pick whatever one you think will be harder to understand and acquire on your own. :)  (I'd choose GPEN, with full hindsight.)

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • iBrokeIT Member Posts: 1,318
    Difficulty will vary depending on the individual.  Do you want to do network penetration testing or webapp penetration testing?  That's what it boils down to.  Also, 560 does contain a webapp day.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response