So then summer is here and I am bored right now (this happens all the time.. boreDumb). I was thinking about taking the CREA because I know the instructors are "top notch" when it comes to reversing however, I'm skeptical about it. GREM and GPEN speak for themselves and although I have my personal qualms about anything GIAC for personal reasons... As the saying goes if you can't beat em... Anyhow!?

Still waiting on the results of the CISM which is a drag because it WILL take no less than 5 weeks (test was June12th) and I'm wondering what's next... I *could* study for the CISA but that's on the boring side. Think *rubiks cube"... Which would you do, GPEN, GREM or take a chance with the CREA.

I'm actually hoping I can avoid all of those and waiting for validation on "Assured Exploitation" (http://trailofbits.com/2010/02/25/assured-exploitation-training/) from Sotirov and Dovi this year... I *may* bother Pete Herzog to see when he plans on doing the OPSA/OPST round my parts... If you had your choice of the three mentioned (GPEN/GREM/CREA) though, which would you recommend and why.

Bane, don't know what's next for me. I just want to expand. Pentesting is something I've done for quite a while before it became a hot topic. My logic with GREM, CREA is to learn more about the other aspects of security from the reverse engineering standpoint to mesh it with pentesting experience.

Nah no way bro.. Come on you and PaulBoz have been mopping the floor with me while I've been lallygagging between CCIE on and CCIE off retardation. I hear they *may* rename some of the SANS testing centers to Dynamik Boz Testing Centers

To be honest with you, dynamik... There are a lot of cool people @ TExams and I admire the work and effort put into passing tests. Me... I'm pure technical and don't care for books ADHD ... Two weeks ago, I was amped... CISM I SWORE I would take my time this time. With 4 hours I finished in like 1:05 and I seriously took my time I even decided "No ... Know something not going to do this again... Let me re-check my answers..." 5 minutes later I got bored. I was actually anxious to go home and play with my Juniper SA I suck at exams because I'm too confrontational and am always debating some of the answers since they make little "real world" sense.

I need to play by the books and remember "the answer is what they want it to be" not what I know to be true. In the interim, I forgot about the SANS challenges... I need to spend 3k by November (company paid) so I want to do something worthwhile. GPEN I mentioned just to keep in tune with pentesting... To be honest though I've never even needed the cert on interviews, etc. its more or less 1) appeasing management, 2) boredumb 3) why not... eventually I do learn... 4) I like to annoy with 10+ acronyms on my business cards.

Maybe I should slow down on the certs up the ante and go to either NYU, Polytechnic or something... RPI told me "we h8 you never apply here!" Hows that for slackerness/education. So now I'm in need of more puzzles Challenges... More technical exams! Hence me always studying for the CCIE. My avg on written floats at about the 94% range The lab scares me... Besides the cost of the lab is pretty pricey to be failing... I could get by telling the powers that be in my company "So what I failed... I'm like 8 for 9 with one failed CISM that I don't care for" The cost of the CISM and others pale in comparison to failing the CCIE lab. Pimping "passed CCIE written" means nothing and no, I won't go CCENT, CCNA, CCSP, CCIE Security, why bother if my core focus is CCIE(S). Might as well go hard!

1 1/2 Year Game plan (maybe) ... GPEN||GREM||CREA (will decide soon), JNxxx (because much of my work nowadays is on SSG, SRX, SA), CISA (to annoy), ISRM.

Maybe in terms of putting letters behind our names, but I don't think that is representative of overall technical knowledge. You had a detailed learning path for penetration testing written and published when I was just getting started out, so I'm going to have to respectfully disagree with you with there. I'm flattered you don't consider me a total noob though :p


I totally understand. Honestly, I just chase after certs because they force me to learn things that I may not normally go out of my way for. They're just a challenge and a way to verify that I've retained a small amount of knowledge in whatever subject. Plus, if I learn something, I might as well pad the resume whenever I can.

I feel the ADHD pain as well. I'm lucky if I can get through a paragraph or two without my mind wandering


Ah, ISACA exams, making (ISC)2 exams appear to be straight-forward. I took the CISA on the same day. I couldn't stand to look at that material anymore, no way was I staying around longer to check my answers. That's the only exam I've taken that I am legitimately concerned about. The CISSP wasn't easy, but I left cautiously optimistic. With this one, it was like, "What's the greatest risk? Being set on fire, or having an artery severed?" You could spend all day making arguments either way. I tear the questions apart on exams like those as well.


Like I said, I really don't see you getting a lot out of the GPEN. Any interest in web app or wireless pen testing? The web app one actually falls under their "programming" umbrella, and the guys at the office who have taken both thought the GWAPT was more intense. The wireless one (GAWN) looks insane; I believe that's the highest level course that they offer a certification for. Also, if you just want to learn and aren't too concerned about getting letters behind your name, don't forget that SANS offers a lot of courses that don't have corresponding certifications.

Here are a few that seemed fun:

709 - Developing Exploits for Penetration Testers and Security Researchers
567 - Power Packet Crafting with Scapy (short course)
558 - Network Forensics

A full list is here: http://www.sans.org/security-training/courses.php

Also, what about OffSec's OSCE?


Yea, that sounds like that should keep you busy. I used to try to plan this stuff out far in advance, but I've found that I never stick to it. Like you, I'm kind of fickle about some of these things, and even if I have the perfect plan, something new and interesting always seem to come out of the blue, and my path totally changes. Now I just line up the next challenge and worry about what's next only after I'm done with that.