GEVA (GIAC Enterprise Vulnerability Assessor) Information

Pmorgan2 · July 2020

Anyone have any information on the new (?) GIAC Enterprise Vulnerability Assessor certification tied to SANS SEC460 training? I'm trying to see where it fits in for penetration testers. Just going off the course numbers, it looks like an advanced course a step below GPEN.

UnixGuy · July 2020

Never heard of it till now, interesting syllabus. Looks like it's focused on vulnerability management which is important, but not too sure I'll invest in it myself.

Are you paying out of pocket or is your employer paying? If I had a choice and I wanted more Pentesting knowledge AND my employer is paying, I'd do GPEN/GWAPT/GPXN/GMOB

Pmorgan2 · August 2020

Employer is paying. My interest in pen testing is mostly from a security architecture point of view so perhaps this new GEVA is more up my alley. But who knows how this new cert will work out?

I'm curious if anyone's done it and had any comments about how it compares to other similar certs.

GIAC has released three other ones in the last year as well:

Danielm7 · August 2020

I've done it, I wouldn't say it really is a precursor to the GPEN at all, and I've done that too. If you're doing vulnerability assessment it could be valuable but really depends on your previous experience. They'd don't really go super deep into testing the vulnerabilities that you find. It's decent for categorizing and prioritizing what you find. You'd have a day of scanning, like Nexpose / a web app scanner, but that's fairly light. I have a lot of experience using Nexpose so that was pretty general review but the basics of the tool are not really that hard either.

I had a mix of experience levels in my class, a lot of compliance type folks who weren't technical at all saying it was kind of hard to keep up, and more technical folks that were kind of bored hoping for more depth.

I did it via work study, appreciated the process and what I learned but I don't think I would have felt the same way if I paid full price just basing it off my existing experience vs what I learned that was new.

jmur116 · August 2020

I found Sec460 to be interesting and worth the time, however I was also running a vulnerability and compliance team for a large organization when I took it. I was fortunate enough to take it in person with Matt Toussain teaching it, so there was a lot of additional content not included in the book. The content is not a precursor to pentesting, it is hyper focused on properly identifying and evaluating vulnerabilities to prioritize and drive remediation. There is a lot of risk methodology discussion for creating a VM program, and there is an attempt to delineate between vulnerability assessment (broad scope) versus pentesting (focused attack scope). There was some value from a pentesting perspective to the class, but if you go in thinking of this as a stepping stone to a deeper pentest class, it isn't. In our class, it was split 50/50 between tech background and compliance / risk. The tech folks tended to be done with the labs and day quickly, while the others had to work to keep up. It all depends on your skill set coming into the class.

As for the exam, I took it as part of the Beta process. I found it to be very straight forward, aligned with the course books, and manageable if you understand the material. When I took the exam, there was still quite a bit of errors in the question (an expected part of the Beta), but even with that it wasn't too bad. I found it more challenging than the GPEN, but not nearly as challenging as the GDSA.

Pmorgan2 · August 2020

Great insight guys. They've listed it like its part of their offensive operations series but the syllabus was ambiguous about that. Personally I think I'll stick with my original plan of going GMON

GEVA (GIAC Enterprise Vulnerability Assessor) Information

Comments