Author Topic: GSEC and GPEN Down  (Read 10830 times)
ajohnson
aka dynamik
« on: April 01, 2010, 05:04:38 PM »

I just challenged these since I didn't feel like I'd get much out of paying $3500/course for these. You don't get the official resources, but I figure at $900/exam and $150/retake, I'd still come out ahead even if I stumbled once or twice. I'm definitely glad I went this route.

I did the GSEC first. It is 180 questions, and you are given five hours. I got 170 correct and finished in an hour. Then I moved on to the serious one. The GPEN is 150 questions and you're given four hours. I got 136 in that one, and again finished in an hour. I actually only had ten wrong, but the Java-based connection to a virtual machine was so slow that I just guessed on those because I had clearly already passed.

I do like that they tell you whether or not you got the previous question right or not, so you always know where you stand. I'd gladly give up the ability to review for that. I do find it humorous that they end the exam immediately if you ever get to the point where it's no longer possible to pass. Plus, I imagine it helps maintain the integrity of exams.

The questions were probably more straightforward than any other exam I've ever taken. I wouldn't recommend challenging these unless you're well versed with the material. I've already done MCSE:S, Linux+, CCNA, CWNA, CWSP, etc. I've also gone through everything for the OSCP and CISSP, and regularly do pen testing, IT audits, risk assessments, vulnerability assessments, social engineering, etc. Needless to say, this was basically all review.

I might challenge the GWAPT next since I've been dabbling with web development since I was 13 and am familiar with all the common attacks. I might have to get the courses for GCIH and GCIA since those are further outside my realm of expertise. I'll see how I feel after I get through Counterhack Reloaded (supposedly close to the IH material) and the new Wireshark book. A quality Snort resource or two should put me in pretty good shape. I'm hoping to make a GSE attempt in the fall of 2011, and getting all those under my belt will make me eligible.

I'll worry about that later though. I only have a couple weeks to prepare for the CISSP, and I'm not even through the AIO book yet... :(

I didn't really get to prepare for these since I was so busy with work, so I never got around to taking the practice exams. I've already given one of the GSEC exams away, but I have one more of those and both for GPEN. My expiration for taking the GPEN was April 3rd, and I'm not sure if the practice exams expire then or not. You must be an active/contributing member to apply. Sorry, no lurkers ;)

Edit: GPEN practice exams are good until 6/2/2010, and GSEC exams are good until 9/22/2010.
« Last Edit: April 02, 2010, 02:07:49 AM by dynamik »

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
kriscamaro68
« Reply #1 on: April 01, 2010, 05:13:42 PM »

Nice job on passing both. As for the GSEC, what made you decide on that and not go for something else a little higher up? What was your take on the GPEN in comparison to the CEH? I am very interested in the GSEC practice exam. Like I said in the other post I made, I am willing to trade or get you an O'Reilly book if interested.

Congrats and good luck on the CISSP.

A+, Net+, Server+, Security+, MCP/XP
ajohnson
« Reply #2 on: April 01, 2010, 06:08:17 PM »

Actually, I had allocated that first GSEC practice exam to you since we discussed it in that other thread, so there's still one more for someone else ;) PM me your email address.

GSEC is a prereq for the GSE, and I had a good feeling I could get through it easily, having already done the other certs I have. You can substitute GCUX and GCWN for the GSEC, but I don't know if I could get through those without the course materials. It was simply the cheapest and easiest way to fulfill that requirement.

Honestly, I thought the GPEN was a lot easier than CEH. I hated the wording in the CEH, and it was ridiculously broad (there are no questions about terrorists and GPS on the GPEN). Keep in mind, I also do GPEN-level work every day, so that factors into the equation as well. I wouldn't lump it in with the A+ or anything ;)

If the powers that be can forgive a link to another forum, my CEH experience is here.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
What90
« Reply #3 on: April 02, 2010, 06:48:48 PM »

Nicely done dynamik!

That's a pretty impressive showing on both exams.

As to the 504 I'd imagine you'd do pretty well, as 560 and 504 have significant crossovers on the tools. The mindset and approach to incident response are the key differentiators.

503 is a very different world and a more intense packet beast :-) If you get the chance, or work to pick up the tab, I'd take the SANS class as there's a lot of information and skill sets in the class and material.

If you are manic enough to challenge the 503 exam, the Wireshark book would be a great starting point (waiting for mine to turn up) and get yourself up to speed on packets on the wire.
Then I'd head over to honeynet challenges http://www.honeynet.org/ and work your way through them.

Good luck with your progress to attempt on the GSE in 2011. Perhaps you should see if you can get some fellow EthicalHackers on this board to sign up with you and take the exam :-)

ajohnson
« Reply #4 on: April 02, 2010, 09:30:30 PM »

> Nicely done dynamik!
>
> That's a pretty impressive showing on both exams.
>
> As to the 504 I'd imagine you'd do pretty well, as 560 and 504 have significant crossovers on the tools. The mindset and approach to incident response are the key differentiators.
>
> 503 is a very different world and a more intense packet beast :-) If you get the chance, or work to pick up the tab, I'd take the SANS class as there's a lot of information and skill sets in the class and material.
>
> If you are manic enough to challenge the 503 exam, the Wireshark book would be a great starting point (waiting for mine to turn up) and get yourself up to speed on packets on the wire.
> Then I'd head over to honeynet challenges http://www.honeynet.org/ and work your way through them.

Thanks! I appreciate the advice.

Some of us at the office made the "mistake" of getting it signed. The non-signed copies showed up a while ago while we're still waiting :(

> Good luck with your progress to attempt on the GSE in 2011. Perhaps you should see if you can get some fellow EthicalHackers on this board to sign up with you and take the exam :-)

So, are you volunteering? ;)

A coworker of mine is also going to give it a shot. We're probably going to do terribly since it's not what we do day-to-day. I think we're each just going to set up a lab and take turns attacking each other's stuff and see what we come up with. Oh well, it's a challenge and something to work towards. I'd definitely like to move more into the IA/IH/forensics side of things sooner or later.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
veritas_libertas
Audentis Fortuna Iuvat
« Reply #5 on: April 03, 2010, 12:27:10 AM »

Congratz man! So do you think GSEC can comfortably be challenged without taking a class? Also, do you get study material when you sign up to challenge a GIAC certification?

CCENT | Network+ | Security+ | MCTS
ajohnson
« Reply #6 on: April 03, 2010, 08:32:06 AM »

> Congratz man! So do you think GSEC can comfortably be challenged without taking a class?

That totally depends on your experience. I know someone that actually took the course, and the way the course goes is that they dedicate one day to Windows, one to Linux, one to Networking, and so on (I don't remember the designations for the others).

Here are the exam objectives: http://www.giac.org/certbulletin/gsec.php

I've already done MCSE:S, CCNA, CEH, CWSP, Linux+, etc., so hardly any of that was new to me. I think the majority of the ones I got wrong were related to VOIP since I have no experience with that.

I wouldn't say the exam is significantly harder than the Security+. It just covers a lot more material, and making sure you have all your bases covered is going to be the most problematic aspect of going the self-study route. The Network Security Bible (2nd) will be a great resource to get you started. It was actually written by one of the GSEC authors. After that, I suppose you could just see how you do on the practice test questions, take notes about what you need to research further, and repeat.

> Also, do you get study material when you sign up to challenge a GIAC certification?

Nope, that's what I meant when I said you don't get the official resources. I'd challenge every one if they provided those to you. I'm not ragging on the courses; they sound awesome. I'm just having to pay for these out-of-pocket, and I have a difficult enough time coming up with $900 for an exam, let alone $3500 for a course.

Also, see if you can get in their work-study programs. You essentially help out during one of the courses and get to tag along. It's still $800 or $900, but that's a steal for training. I actually got accepted to do the GCIH in New Orleans last January, but my work schedule conflicted with it.

I've also heard you can sometimes pick up extra copies of the course material if you go to the conference and see if they have any they can spare. I remember the cost being something like $400. It's not cheap, but might be a viable option if you're on a budget.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
veritas_libertas
« Reply #7 on: April 03, 2010, 11:33:35 AM »

Thanks.

Part of my main reason for wanting to pursue the GSEC in the future is a search on Monster.com for security jobs. Really the only GIAC certification that you get when you search for GIAC is the GSEC. I figure for me, since I am not currently in a security role it would be best to hit the most commonly looked for security certifications, and then move into the more advanced ones when I have a job that coincides with them.

CCENT | Network+ | Security+ | MCTS
ajohnson
« Reply #8 on: April 03, 2010, 03:56:11 PM »

> Thanks.
>
> Part of my main reason for wanting to pursue the GSEC in the future is a search on Monster.com for security jobs. Really the only GIAC certification that you get when you search for GIAC is the GSEC.

No problem. No mention of the GCIH though? That's supposed to be extremely hot right now. I wouldn't expect to see a lot for the certs in more niche areas, like the GPEN, GWAPT, etc.

> I figure for me, since I am not currently in a security role it would be best to hit the most commonly looked for security certifications, and then move into the more advanced ones when I have a job that coincides with them.

That's an excellent plan. You don't want your certs to vastly outpace your experience. You can always learn a programming language or something if you need to fill your free time ;)

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
veritas_libertas
« Reply #9 on: April 03, 2010, 04:01:49 PM »

Ah yes, dreaded programming :P I actually took a basic C programming course during my Associate degree studies. I could pick up where I finished off at. Would a web language be better to study, or software programming?
« Last Edit: April 03, 2010, 04:04:45 PM by veritas_libertas »

CCENT | Network+ | Security+ | MCTS
ajohnson
« Reply #10 on: April 03, 2010, 04:41:11 PM »

You really can't go wrong with starting out with C or Python. It totally depends on what you want to do though. If you're just going to do web app work, maybe PHP and Java would be better. However, once you get a good handle on one, others (save for something like assembly) aren't too bad to transition over into. I'd encourage you to work on something. It'll come in handy even if you just use it to parse log files or automate some other menial tasks. I haven't done any serious programming for a while, but all the reverse engineering talk I've seen going on here has piqued my interests again.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
impelse
« Reply #11 on: April 03, 2010, 10:46:35 PM »

Congrats dynamik, good job.

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
n1p
« Reply #12 on: April 04, 2010, 07:12:17 AM »

> I haven't done any serious programming for a while, but all the reverse engineering talk I've seen going on here has piqued my interests again.

Any particular videos or tutorials on RE that you would like to see, just shout and I'm sure I could do something up. Get your interest back up again :D

j0rDy
« Reply #13 on: April 06, 2010, 04:33:59 AM »

Congratulations on passing both exams! Thanks for the info!

ISC2 Associate, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net