Have you ever paid for a course out of pocket?

My current company is too small to pay for something as expensive as SANS, so I have thought heavily about paying for SEC560 out of pocket. Its hard for me to justify the cost, but it is definitely good training and GPEN does have some marketability. My company did pay for the OSCP - so would GPEN even be worth going for?

If you have paid out of pocket for the training, do you feel your invested has paid off?

Find more posts tagged with

Comments

scaredoftests

Yes and Yes

UnixGuy

Yes I have paid out of pocket before, but NO I don't recommend paying for GPEN

Nothing in the GPEN course that you can't learn via OSCP/eLearnSecurity... GPEN is a good course if your employer is offering to pay for it, otherwise, I'd stick to eLearnSecurity/OffSec...

636-555-3226

Ditto stick to eLearnSecurity & Offsec. Not worth your own pocket.

TechGuru80

What is your end goal? If you already passed OSCP, perhaps GWAPT or one of the advanced pen testing courses might be some good options.

I have paid for a SANS course (and other trainings) out of pocket and there is no question that SANS is great value, but I would avoid stacking repetitive level certifications (OSCP and GPEN)...of course unless you are trying to get GSE or cyber guardian.

DatabaseHead

Not for a certification.

The problem with me it seems like every 3 - 5 years I organically start to move in another direction, not completely different but enough to get a specialized certification.

E Double U

Paid a few thousand out of pocket for a language course, but I'll leave SANS payments to my employer.

johndoee

Mooseboost wrote: »

My current company is too small to pay for something as expensive as SANS, so I have thought heavily about paying for SEC560 out of pocket. Its hard for me to justify the cost, but it is definitely good training and GPEN does have some marketability. My company did pay for the OSCP - so would GPEN even be worth going for?

If you have paid out of pocket for the training, do you feel your invested has paid off?

I will give you a neutral standpoint.

Some people spend thousands of dollars enhancing cars, trucks, and motorcycles. I know people who have vehicles that have 10,000-20,000 in enhancements. Some people spend money on investments (and lose money on them). Some people spend thousands of dollars on home improvements. Some people spend a great deal of money on clothes and shoes.

Why not invest in yourself? No matter if someone is spending money on wants or needs it's money spent. I don't see how paying for a course out of pocket can be discouraged. People have exhausts and lifts on vehicles that cost more than SANS training. People have the amount of SANS training invested in the engine and superchargers.

So, I would say if financially you can afford SANS training and you believe the cert will have a return of investment..purchase it. I have in the past and I don't regret it. Yes, if the circumstances aligned and I felt a SANS cert would benefit my career AND I was with a company that didn't pay for it (which I am not at the moment) I would pay for SANS training again.

Good Luck

johndoee

Mooseboost wrote: »

My current company is too small to pay for something as expensive as SANS, so I have thought heavily about paying for SEC560 out of pocket. Its hard for me to justify the cost, but it is definitely good training and GPEN does have some marketability. My company did pay for the OSCP - so would GPEN even be worth going for?

If you have paid out of pocket for the training, do you feel your invested has paid off?

eLearn Security is not blowing up the job boards. I respect the cert somewhat to the arena of cyber security training. But, nobody is asking for it really. Spending more money on eLearn Security would be the same as taking a Cyber Security/Hacking course offered through Linkedin...nobody is looking for it--

https://www.linkedin.com/learning/topics/it-security

If I were to pick I would say OSCP from Offensive Security. Honestly, that cert is getting more hits on job boards than any other O Security certification offered. But, the success rate is not high the first go around and it physically and mentally draining.

Other than that SANS training...

BlackBeret

Mooseboost wrote: »

My company did pay for the OSCP - so would GPEN even be worth going for?

If you have paid out of pocket for the training, do you feel your invested has paid off?

I took OSCP, then challenged GPEN paying for the exam out of pocket because it was listed as a requirement for a position I was applying for. I later found out what they wanted was ANY pentesting certification (some of the team members took eJPT just to meet the requirement).

I don't think you would learn anything from taking GPEN if you've already done OSCP, so I wouldn't consider it an investment in knowledge. You would be paying strictly for that specific certification, and from personal experience even when it is listed as a requirement, it's a soft requirement.

As a side note, when challenging a SANS exam, you get two free practice tests. I know for a fact GPEN has been updated since I took it last (at least the 560 course), but at the time it was very tool heavy. I took the first practice test and made a list of all of the tools that were on it, printed the man pages for those tools, and used that as my index. It was mostly methodology and tools/switches.

UnixGuy

johndoee wrote: »

eLearn Security is not blowing up the job boards. I respect the cert somewhat to the arena of cyber security training. But, nobody is asking for it really. Spending more money on eLearn Security would be the same as taking a Cyber Security/Hacking course offered through Linkedin...nobody is looking for it--

Let's end this whole 'if a cert is not on job boards then it's not a good investment'.

If we only did certs because they appeared on job boards, then we'd all be doing A+,CEH, CCNA,MCSE because statistically they appear on most job ads therefore the best investment

And by that (wrong) logic then Ec-Council CEH is better than OSCP because CEH appears more on job boards....

You do eLearnSecurity certs(or course without the exam) for the practical skills that you can use. If you're very concerned about keywords for HR on job boards, then here are keywords from eLearnSecurity that you can put on the CV that appears on job boards:
Scanning, Vulnerability assessment, Nessus, OWASP 10, Web App pentesting, Metasploit, Nessus, nmap

We need to really get out of the whole approach that "lets have a look at job boards key words, if the cert appears there then it must be good"

Also, there is pentesteracademy.com with plenty of Extremely useful courses (sure they include an exam and a cert sometimes). That's a better investment if someone wants to be a penetration tester.

shochan

I have paid for all my certs myself - I don't want to sign a contract that makes me stay with a company if they pay for the cert. It's kinda like a marriage w/ballnchains then. LOL

johndoee

UnixGuy wrote: »

Let's end this whole 'if a cert is not on job boards then it's not a good investment

.

And who are you again? Because you say so right?

Yeahhh....... Do this ->

Mooseboost

Thanks for all the insights!

I was hoping that SEC560 would teach me things I never considered before. I have never had any kind of SANS training before but I hear them spoken about on almost a mythical level. Looking further, I don't think the GPEN would help me land a position over the OSCP.

I'll still mull it over. I may wait to see if I end up in a position that will pay for it or potentially get lucky with the workstudy program and minimize my out of pocket.

LonerVamp

I have not done this, but I know someone who has paid their own way for several SANS courses/certs. It's worth it to them as it moved them to job roles they love and that process also resulted in much higher salary. Ultimately, they could afford it and it was worth it to them.

It comes down to several things.

Can you afford it?
Will you learn from it such that you're bound for greater things? (IE: knowledge that leads to $)
Will the cert pave the way to greater things? (IE: job advancement that leads to $)
And: Are you challenging the cert or purchasing the training first?
And: Are there alternatives?

It's about investing in your career and knowledge, which itself in turns promotes your career. The point of which is happiness and money earned.

That said, it's good to look at what you'll learn and if there are more economical alternatives. I have OSCP, but not GPEN, but from what I've heard, GPEN will very closely overlap what you learned in OSCP such that you should stick to just OSCP if that's what you have. Same for ELS. I feel like you don't need either of them if you have OSCP, but you could still pursue OSCP if you have either of them, if that flow makes sense to you.

For other SANS, it's back to all of those questions. GWAPT may be useful (I'm biased; I want to take that one next year.)

Randy_Randerson

So this is coming from someone who has taken quite a few certs from both GIAC and elsewhere. Take it for what it is, or don't. I do concur with what many have said in here. But I want to break this down a little to hopefully get you some network you feel is worth it.

If you have already taken OSCP, then taking GPEN (imo) is not going to do anything for you. The one thing that I think GPEN provides to the cert holder is that you understand the concepts + methodologies needed to perform an independent pen test. OSCP, from what I've gathered, is more on the hands-on portion. Those who have taken it, please speak up on that one if I'm out of turn -- I just don't know since I have not taken it yet.

So if I were you and you've achieved your OSCP cert, I would look at SANS's SEC660 -- which is the advanced Pen Testing course + cert. I've taken this course and it will open your eyes to things that honestly GPEN isn't going to give you. Not to mention, it feels like a very natural progression from OSCP to get more technical. If you want get specialized, GWAPT is okay (I have to sit for this exam next week) but is still basic. Have not taken their advanced Web App one, but I know a person who teaches it for SANS and he swears by the material being legit. I'm also a big fan of Wireless Auditing and SEC617 is at least updated material unlike Offensive Securities which is still only dabbing into basics.

tl;dr - Take SEC660 if you already have a good foundation for pen testing. Much more worth the bang for your buck. Also -- try to do SANS's work study program so you don't have to pay with your first born.

NetworkNewb

UnixGuy wrote: »

Let's end this whole 'if a cert is not on job boards then it's not a good investment'.

If we only did certs because they appeared on job boards, then we'd all be doing A+,CEH, CCNA,MCSE because statistically they appear on most job ads therefore the best investment

Moving forward, I would only ever do a cert if it were one of the following:

1. Employers were looking for it (job specific not averaged across the industry)
2. Employers were paying for it
3. It came in package and was included with a course I bought

Certs are different than courses and I don't think they are good investment if they don't fit one of the those. I'll definitely take courses where I can learn other skills, but I don't find any value in paying the actual certification if they don't fit one of those. Some may find value in they help them finish the course and it has an end goal though.

Just because companies ask for certain certs don't mean they are better than others, it just means companies are more in demand for people with them. Certs are only a small part of the puzzle and actual skills are another part. Thats where taking the courses come in.

Randy_Randerson

NetworkNewb wrote: »

Moving forward, I would only ever do a cert if it were one of the following:

1. Employers were looking for it (job specific not averaged across the industry)
2. Employers were paying for it
3. It came in package and was included with a course I bought

Certs are different than courses and I don't think they are good investment if they don't fit one of the those. I'll definitely take courses where I can learn other skills, but I don't find any value in paying the actual certification if they don't fit one of those. Some may find value in they help them finish the course and it has an end goal though.

Just because companies ask for certain certs don't mean they are better than others, it just means companies are more in demand for people with them. Certs are only a small part of the puzzle and actual skills are another part. Thats where taking the courses come in.

This doesn't exactly work for those in the freelance world OR those who see court time. Certs are what is going to set you apart from another expert and therefore make you much more trusted to a judge or jury. While classes are there to help, you need to be able to state you have some semblance of mastery in the skillset other than you took a Udemy course.

NetworkNewb

Randy_Randerson wrote: »

This doesn't exactly work for those in the freelance world OR those who see court time.

Exceptions to the norm....

And certs set you apart, but if people don't know what they are they won't mean a thing. That is why it is good to stick to what they are asking for. You'd be surprised how many people in IT don't know what most certs are.

I talked to manager of a pentesting company at a SANS event and he had no clue what eLearnSecurity was and said they only cared about OSCP. If people want bang away at random small certs where people don't know what they are go nuts. I'm just throwing a warning out there from my experience and what I've seen.

Randy_Randerson wrote: »

While classes are there to help, you need to be able to state you have some semblance of mastery in the skillset other than you took a Udemy course.

And thats where the interview comes in and they ask you about those. If you got an OK amount of the experience and certs they are ask for in the job ad. You'll most likely get at least a phone interview from HR imo. As long as your resume is tailored to the position you're applying to as well. HR will see random certs and skim right over them like they weren't even there.

UnixGuy

johndoee wrote: »

And who are you again? Because you say so right? Yeahhh....... Do this ->

I went to sleep instead

UnixGuy

NetworkNewb wrote: »

Moving forward, I would only ever do a cert if it were one of the following:

1. Employers were looking for it (job specific not averaged across the industry)
2. Employers were paying for it
3. It came in package and was included with a course I bought

...

and that's a fair call, it's a personal choice. We do certs for different reasons, one of them being that the cert provides a structured way to learn a certain topic. Employer doesn't have to hear about all the certs, if you want to master a certain topic, then attempting several advanced certs is a good way to obtain to achieve your goal..that coupled with Labbing, and experience.

I've yet to get a certain job because I had a certain keyword/cert on my cv, it was always a mix of my knowledge, interview skills, past experience...multiple factors. I haven't been to a situation where someone was sifting through keywords in my CV (I'm sure some recruiters do that though).

Sometimes we do certs so that if we get laid off, we still have relevant marketable skills, we keep an eye on the market and see what's trending and learn those topics (whether through a cert or not). Also, having something to work on on the side is one way to keep you on top of your game - if you want that.

UnixGuy

Mooseboost wrote: »

...

I was hoping that SEC560 would teach me things I never considered before. I have never had any kind of SANS training before but I hear them spoken about on almost a mythical level....

.

SANS training is really great, specially for topics that can't be covered through different alternatives. For example, if you're paying out of pocket, then SANS FOR 508 (GCFA) is worth it because there is no other place where you can learn all those topics in one place

For Pentesting, the one SANS cert that is worth paying for out of pocket would SANS 660 (GPXN). do that after OSCP as it's very challenging. GPEN is just few steps above eJPT, so you might find it too easy

Randy_Randerson

NetworkNewb wrote: »

Exceptions to the norm....

No, not really if you really break this down in the later stages of your career. If folks are planning on taking GPEN, GCFA or other like minded certs...it is most likely because they will eventually want to lead those teams. Whether that is SOC Manager, CSIRT Director, etc. Guess who will be giving those depositions for your company or being the one who has to speak to Vendor A or Company B when things don't go as planned. You.

NetworkNewb wrote: »

And certs set you apart, but if people don't know what they are they won't mean a thing. That is why it is good to stick to what they are asking for. You'd be surprised how many people in IT don't know what most certs are.

Breaking this statement down into two different rebuttals. The first part is if your IT people don't know what certs are either your mentors or your managers are doing a crappy job setting them up for success. Even something like A+ has its benefits to people to start getting their feet wet with the testing process and preparing them for much more challenging assessments of their skills.

Second, if you don't know what a cert is that you see someone has...why are you not looking it up to see exactly WHAT it is? Google-Fu at least helps you get to know who you may be talking to. As I've said in many other threads on this board, certs are not going to get you paid. What they do is set a precedent to your peers and management what your knowledge level actually is. This field especially benefits much more than almost anything other than probably Finance. Who would you rather have doing your taxes? Someone with a Finance degree or a CPA?

NetworkNewb wrote: »

I talked to manager of a pentesting company at a SANS event and he had no clue what eLearnSecurity was and said they only cared about OSCP. If people want bang away at random small certs where people don't know what they are go nuts. I'm just throwing a warning out there from my experience and what I've seen.

That is one manager my friend -- and depending on that pentesting company they may either expect that based on their own reputation or they haven't done their own research to what other certs are out there. OSCP is a great example. I know F500 hiring manager who don't even know what OSCP even is...let alone respect it because it is an international company that created Kali. These are the same folks who also detest Kali as script kiddie linux. Are they wrong? Absolutely in my opinion. But it goes to show there is very wide swath out there.

NetworkNewb wrote: »

And thats where the interview comes in and they ask you about those. If you got an OK amount of the experience and certs they are ask for in the job ad. You'll most likely get at least a phone interview from HR imo. As long as your resume is tailored to the position you're applying to as well. HR will see random certs and skim right over them like they weren't even there.

Again, you're speaking from your own experience and we all have our own scenarios as they played out. Go look at many postings out there nowadays and GIAC is basically a swath across the entire spectrum (from GSEC to GLEG to GXPN) just to ensure they hit on all the certs out there. That way the hiring manger can make the determination on if the cert is relevant and not HR. Those who don't need to work on their engagement and partnerships within their own Org/Recruiters to make those changes then. Frankly, unless I'm hurting for a job -- I don't want to work with someone who isn't going to recognize that I have put in some hard work to learn aspects of IT that are still very niche, and others that are extremely challenging.

TechGuru80

Randy_Randerson wrote: »

That is one manager my friend -- and depending on that pentesting company they may either expect that based on their own reputation or they haven't done their own research to what other certs are out there. OSCP is a great example. I know F500 hiring manager who don't even know what OSCP even is...let alone respect it because it is an international company that created Kali. These are the same folks who also detest Kali as script kiddie linux. Are they wrong? Absolutely in my opinion. But it goes to show there is very wide swath out there.

Expect eLearnSecurity to have very little traction in pen testing companies, and probably not much in major corporations. I haven't personally taken any of their courses, but if somebody decides to pursue one of their courses they should be doing with the end goal of getting OSCP or GPEN at minimum. You cannot be trying to make a culture shift to accept some of these less known certifications because that is the job of the vendor...you have to get what hiring managers want. When it boils down to it, search indeed and see how many hits come up per certification...that strategy has always done me right.

For general references the major certifications that get noticed in no particular order:

CISSP (maybe CISM but recognized less) (management)
CISA (auditor / management)
GPEN / OSCP .... C|EH if you are DoD or Govt (and HR likes it) (pen testing)
Anything Cisco (network security)
GSEC / Security+ (general security)
GCIH / GCIA (SOC and IR roles)

That isn't to say the requirements aren't dependent on the role, hiring manager, company, and contractual requirements because there are forensics certifications for products like EnCase...but if I was going to give somebody a list of certifications to prioritize that would be it.

Now talking about the F500 manager...if this is an actual InfoSec manager, they better be aware of the full list I provided as these are staple certifications. If the manager is somebody who moved from IT or is very high up in the chain, it is understandable to not know all the nitty gritty. I suppose if a manager was heavy into GRC or Network Security, that might be another ok scenario why they don't know about OSCP...but it has been out for over 5 years and is known in the security community.

I expect an infosec manager and IT manager to not call Kali a script kiddie linux distro. If they actually refer to Kali that way, and aren't high up in the chain (probably VP+), I predict some serious security flaws in your environment. Of course if this person is insane at creating their own tools that is a bit different, but I still don't expect that to be the case. That might make me look elsewhere too because that is a recipe for having a lot of compliance like checklists that are doing security for the sake of doing security.

UnixGuy

TechGuru80 wrote: »

Expect eLearnSecurity to have very little traction in pen testing companies, and probably not much in major corporations. I haven't personally taken any of their courses, but if somebody decides to pursue one of their courses they should be doing with the end goal of getting OSCP or GPEN at minimum. ....

Re-iterating what we've said again....

you do eLearnSecurity because it is cheaper than SANS and the certificate is par with the difficulty of OSCP. Sure you need OSCP (or CREST in some countries) to get your foot in the door, but that doesn't mean that you will not gain skills by doing eLearnSecurity. There are more challenging courses on pentester academy . com than the GPEN (which is a basic introductory cert by the way), they're not useless because they're not on indeed. You can do the Python for pentesters course on Pentesters academy, and then list Python on the CV - it's a key word on indeed. Sure, the name of the cert is not, but you get to put Python on your CV .I haven't met a normal pentesting hiring manager who haven't heard of Python.

looking at jobs on indeed and getting a list of certs is one way of doing things. Sure. By the same token, shall we just assume that buying and reading a book and doing labs is pointless because we don't see list of books on jobs on indeed? Correlation vs causation...

For someone to land a pentesting job these days OSCP has become the minimum, you also need direct pentesting experience. you will also be asked questions in the interview and demonstrate technical knowledge, are the technical knowledge only exist in the GPEN list of objectives? Does the nmap chapters in eLearnSecurity eCPPT immediately irrelevant because it's on a job list on indeed?

Choose whatever path you want to learn, just because a cert isn't listed on job boards doesn't mean it's useless. Just because a book name is not on a job board doesn't mean it's useless. In the real world, a lot of IT professionals don't have a single cert and they do just fine. Investing in a certain, lab, class, book, is not going to hurt you because that book/lab/class/cert is not listed on jobs in indeed. Here we seem to think doing a course or a cert that's not popular on indeed is com is harmful. I'm yet to understand this logic.

I'm still trying to understand how did we come up with the conclusion that the value of a cert is just on having the name of the cert on the CV?

I've also yet to meet that illiterate pentesting hiring manager that only knows keyword and can't differentiate between technologies...we seem to be very interested in impressing those mythical hiring managers.

Imagine a pentesting team lead that's impressed with CEH..........

TechGromit

Mooseboost wrote: »

If you have paid out of pocket for the training, do you feel your invested has paid off?

Technically Yes, but my course consisted of two exam cram books (A+ & Network+), I studied the books and the exams within a month. I don't recall if I got reimbursed for the exam costs, but I got a 3k raise out of it.

So the question is would I pay for a SANS course out of my own pocket? At this point in my career, Yes I would. I wouldn't attend a course every year, and I would try to get my employer to pick up the Travel cost tab at least. As for return on investment, if would depend, I don't think an additional SANS cert on my resume would help too much at this point, but if I need the continue education credits to keep what I have current, it be well worth the investment.

sb97

UnixGuy wrote: »

SANS training is really great, specially for topics that can't be covered through different alternatives. For example, if you're paying out of pocket, then SANS FOR 508 (GCFA) is worth it because there is no other place where you can learn all those topics in one place

For Pentesting, the one SANS cert that is worth paying for out of pocket would SANS 660 (GPXN). do that after OSCP as it's very challenging. GPEN is just few steps above eJPT, so you might find it too easy

Re: For508, I would also list getting the lab environment as another reason to pay. I know SIFT is free and anyone can infect and then image a system to look at a compromise but getting the advanced attacker feel with lateral movement and different persistence mechanisms is tough.

sb97

Also, I would pay out of pocket for a SANS class under the right circumstances.

NetworkNewb

sb97 wrote: »

Also, I would pay out of pocket for a SANS class under the right circumstances.

Like if you won the lottery? That would be my tipping point for me on if I would pay for it out of pocket.

quogue66

I paid for a few parts of SANS courses. I originally took the SEC401 course in 2008. I paid $1000 to challenge the exam in January 2016. Two months later I paid $900 to facilitate FOR408 (now FOR500). A few months after that I paid $629 to cover the exam cost of FOR508. My employer covered the cost of the course but not the exam. I took 5 GIAC exams in 11 months. A few interviewers asked me who paid for the courses. When I told them I paid for part they were very impressed. You don't see many people that pay for training or certs out of their own pocket. Whenever I interview someone that paid for anything out of their own pocket I am equally impressed. This is an added bonus if you think you'll be interviewing anytime in the near future.

Randy_Randerson

NetworkNewb wrote: »

Like if you won the lottery? That would be my tipping point for me on if I would pay for it out of pocket.

That is fair. However, IF I wanted to change roles into something else (let's say web app red teamer) and a company I saw was highly respected and the pay was going to be great, but they would only look at the resume if I had GWAPT or another web app pen testing cert -- I would probably suck it up and take the course.

Outside of that though, ya, totally with your mindset. $7k w/ cert is really pushing boundaries for me too. That is basically more money than the first 3 cars I had combined lol