- Yeah, I've heard so much
negative feedback about it. You guys really bash it. - It's because it's frustrating, right, that is frustrating, our inner
person does not enjoy feeling like they have to be a
walking encyclopedia. - So I need to, I need to push you because I've got like this
loop that I have to close. What is the number one? What is the, if you could
only choose one cert, what would it be? And I'm sorry to push you. It's just your opinion I think. - Yeah just my opinion.
- What would you choose? - Man. - You're stuck on an island, the only way off is to choose one cert. What would you choose?
- If I'm gonna go with one cert I'm gonna go. (upbeat music) - Hey everyone, it's David Bombal back with another
interview but in this case, I've got Daniel. Daniel. I could introduce
you but it's probably better if you do it yourself. So could you tell everyone
a little bit about yourself? - Sure David, thanks for having me on, this is a real pleasure. Like you've got such a cool
podcast or YouTube channel. You get so much great content. So I'm Daniel Lowrie, I work for ITProTV. I'm what we call an edutainer. - [Narrator] You're watching ITProTV. Hopefully that kind of
gives away (chuckles) the idea behind what I do. I instruct on cybersecurity. That's my specialty, my silo, as it were. And I try to do that in a way that's fun and engaging instead of, I'm sure everybody out there has had to at one point deal with
the voice-over PowerPoint awesomeness that is most online IT training. I wasn't a huge fan of that. So my friends got together,
they built this little company and asked me to jump on the ship. I said, hey, what the heck? And here I am, and now I
try to inform the masses of cool IT training that I can give to you
and then get you in there and get you learned up with all the skills that you're gonna need to
get into cybersecurity. I know that's a hot thing right
now and it's a lot of fun. I know, I enjoy it. So, I totally understand the appeal. - But okay Daniel, now I'm gonna push you. Now you're ready for some fire. - All right, I'm gonna take
a sip here, you go for it. - Okay, so you mentioned
a bunch of certifications and there are a bunch out there like Security+, there's CEH, you can go through the basic list again but you tell me now,
okay, what are the most, sorry what are the entry
level certifications and which one would you recommend as the first certification? - That's a, that's a great question, so. - I'm gonna push you,
I'm gonna push you now, - You're gonna push me? This is a good push question because it's very relevant, right? And it is probably the question
people have on their minds. Okay, tell me I'm wrong,
I'm poised to jump. Just tell me where to jump to and I'm gonna go and I'm gonna
tackle it, I'm gonna kill it. I'm gonna get that cert so that I can, I can really start making
some headway into my career. I get that. The answer to that, in my opinion, is probably the best entry
level certification. If you're going toward an
offensive security style, you know this would be for
a SOC analyst or anything like this, would be, I want
to be a Pen Tester one day. I wanna do vulnerability assessments. Ultimately maybe get into real Red Team
Engagement kind of things. I would probably start off
with, with eLearnSecurity. They have, they have great, great certifications, the certification and here, here's what I would
say why I would say that. - Is that the eJPT? - eJPT would be the,
the certification, yes. - Okay, so you're actually putting that above like Security+ or CEH or PenTest+, yeah? - Yeah, and I can say that
now, because after having, I do training for Security+,
I think it's, it's great. You gotta understand, like none of these things are, are static. They're they're all dynamic. Everything's always changing
We just finished the update to Security+ with another edutainer here, Wes Bryan. He is the SME on that. I'm just kind of there
to host and support him and give him that because he,
he helps people. (mumbles) - I just wanted to say that for people who don't know
ITProTV, what's really nice about the way you guys
do it was like a lot of training. There's always two of you isn't there? And like one person is
like teaching the other which makes it very
interactive, is that right? - I feel like we should be
like, you know, old style - Like Rock 'Em Sock 'Em Robots. - Yeah, here we go. Right, cause we're trying to
do what we're having right now and then just make that training. Think of how much better you learn just listening to a podcast, to picking up random, you
know, pieces of information. We just try to like move that into a very information rich environment. And that becomes your training instead of, okay, let's go through the five phases of pen
testing for whatever it is. You know what I mean? It's just that that's not fun.
- It gets boring, yeah. - That's not engaging. That is boring. We do, we are not people
that like to be bored here and we don't want you to be bored. We want you guys to have
fun, we want you to learn. We wanna get our hands into stuff. So we like to show things
as often as we possibly can. Of course, there's always gonna be those theory elements
to stuff, but when you, I wanna get into that
- But I need to, I need to push you, sorry
I interrupted you, sorry. So you were saying eJPT is the is the certification of choice. So explain to me why. - I would say, because for two reasons, eJPT is very much a, it basically
is kind of like Security+ and CEH kind of wrapped
up in a ball, right? Without the filler. Now I'm gonna qualify that, that phrase filler here in
just a second, I say filler. Okay, it is, is a very
point is what I mean. It is saying you want to be a pen tester, let's test you on pen testing things. Right? That's their focus. That's their motivation and the exam, I've never come out of an
exam booth before going, that was fun. - That's amazing, yeah,
because normally it's like, thank goodness it's over. - Yeah. I usually come out going, well, that was fun, (chuckles) Same verbiage, different leg, obviously different meanings there. That experience was great, I enjoyed it. I look forward to doing more eLearnSecurity
certifications for myself personally, just
'cause they have a great track. If you're into pen testing it's a phenomenal track to get into. Does that mean that they're the only game in town or like CEH is out the window and they'll be boarding up
shop within six months because eLearnSecurity
hit the scene? No, absolutely not. Because CEH has done a great job
of marketing themselves and making themselves a certification that has
industry recognition. eJPT
- It's like a gate, it's a gatekeeper type, isn't it? I get your point, it's the gatekeeper.
- It's totally yeah. I liked that terminology
that this is something that an HR person would
probably put in an offensive or even defensive security. And it does have its place. Because if you look at, I
would say, most people will say one of the big problems with
CEH is how massive it is. So I've got.
- I've heard you say previously that you were surprised that
there's so much content, is that right? - Yes, it's tons and
tons of tons of content. So that is, is part of what makes it a difficult certification moderately difficult
certification to pass. Because you gotta know a bit
about a lot of bit, right? So there's, there's tons of stuff and you gotta know
something about everything and they're gonna hammer
you on, on minutiae. They're gonna go, oh, which Nmap
switch does X, Y, or Z. - Yeah, which kind of seems pointless. 'Cause in the real
world, you're not gonna, you gonna, that's why you go Google or you've got documentation, yeah. - It's funny you say-- - But I mean Cisco do the same. Well, they used to do the
same, yeah sorry, go on. - Yeah, I would love to see the day when certification exams are, yeah, you can use anything
you want, you know. And I did see that with eLearnSecurity: use anything you want,
use Google, anything you like. You don't have an exam proctor because what's the
reason for proctoring it? You can use any resource
you can get your hands on. - Is it like a practical exam? - Yes it is a practical exam, thank you for that clarification. Whereas CEH is a more traditional exam, based off of a body of knowledge. - It's like, multiple guess. (chuckles) - Right, now we're talking about CEH and if you look up CEH is it
worth it, that kind of thing. The exam itself can be a bit
of a bear because it's large, you know, I think it's a hundred something 120 something questions
or something like that. It's a pretty big exam, it takes time. You gotta know minutiae
things that you can't google that you would be like, Oh man if I was in the real world,
I'd be googling this. And these are all
- Exactly. - These are all the negative feedbacks that you hear about CEH. - Yeah, I've heard so much
negative feedback about it. Guys really bash it. - It's because it's frustrating, right. That is frustrating, our inner person does not enjoy feeling like they have to be a walking
encyclopedia of, you know a walking body of knowledge. We all have a walking body of knowledge but maybe not to the depth
where we outsource a lot of that to the internet,
to books, to references instead of keeping it in our head. And that's just, that's just how the world
works now that said, if you look at CEH, what
do they offer right now? If we're judging CEH based off a CEH v10 and not looking at CEH v11,
which is their current standing. - Yeah, I wanted to ask you
about 11 because that's a new one that got released a few months ago, yeah. - Right, and doing that wouldn't be fair to
EC-Council, to judge them. Not that it doesn't play a
part, but to solely base our estimation of what the CEH
11 version is just based off of the prior versions and
the prior performances and the prior people's experience with it. That would not be a
completely fair thing to do. So EC-Council, to their credit, has seen their competitors. eLearnSecurity, Offensive Security, what's the other, there's,
tons of them out there now. There's a lot of, a lot of certifications are starting to pop up. Even CompTIA has gotten in
the game, they got PenTest+. So what are they doing that is
giving them so much success, and they're starting to emulate that. So if I'm, if I'm looking
at CEH v11, I'm looking at the content, I'm now
looking at a much more true comparison, a more
of an apples to apples, apples to oranges with
its competitors out there. Now, maybe not in the way that the exam is administered, right? But they have also come
out with a different, this is where people
get fun with marketing, they're trying to make more money. I get it here, make more money if you can but they have the CEH practical exam. - Yeah, what is that, what is that? Sorry, what is that? - So that's meant to be the
practical performance-based exam that they now offer to say,
okay, you know, we see you, we hear you, everybody out
there wants to get their hands on something and prove that
they can do X, Y, or Z. And probably they were
getting slayed by OSCPs and eJPTs of the world. So they thought, hey, we can do that too. And so they spun that up and now you have the,
the CEH practical exam. - So you have, so CEH per se is just a theory based type of exam, yeah?
- Yeah. - Like the typical theory, you know I always say multiple guess as a joke. So one of those type of
exams, and then the practical is kind of like eJPT or OSCP. Obviously not the same level as OSCP but it's a practical type exam. Is that right? - Yes, it is a practical, non-stop exam. You're gonna log into
some lab environments. I think it might be done via like a web browser kind of thing. I've taken some exams that are like that where you get a web browser you go to the link, you get
a basic, like, well, it looks like an RDP session via the web. - Yeah, like a jump host sitting there. - Yeah, there you go. And, they're gonna give you some, some tasks to perform and you
fill them out, you do that and there you go, you
get your certification if you're able to
actually complete the task they ask you to complete. Which is great, good for them. They saw that, hey,
we're not strong in this. We need to, we need to
come up in the world and show that we are still
a competitor in this space and they're trying to be competitive by offering those things. It's a bolt-on solution
but it's still a solution. They haven't not heard the voices crying in the darkness saying, hey
you know, I got the CEH thing and people are making fun of
me, you know, they're like, okay, yeah, no, let's
help you out with that. Let's get that.
- That is to their credit. - Yeah so, I feel like we do
tend to get a bit tribalistic. Maybe, if that's a good word to use about, you know CEH bad, you know. Oh not my tribe you know, cause-- - People get very black and white and get very vocal about
what they believe, yeah. - You also have to understand
what CEH has meant to do. I don't believe that,
maybe it was when it began but at this point, the
CEH the regular CEH exam is meant to kind of give you that. That's why it's such a
large body of knowledge. You need to know a bit about everything if you're gonna be that security
person that wears that hat plus a system administrator, you're trying to do that. It can be a really good
certification for that, where-- - To give you like a
foundation of knowledge. - Yeah, I don't have to
get Security+, right? I do need to have some understanding of how certain technologies work. There is some pre-work
requisite knowledge there where I need to understand
Windows operating systems. I do need to understand even
some Linux operating system I need to understand mobile technology, maybe some cloud and, and
things of that nature. But now I'm just starting
to, once I go from there I start to dive into the idea of, okay what does security governance look like? 'Cause they, they talk about that kind of stuff
inside the training. They talk about standard
vulnerability assessment and risk management. All part of standard security stuff that you would learn in Security+. And, so maybe you're like, yeah, I want that Security+ experience
but I'm really interested in the more offensive side of
things, maybe learn a bit more about that world CEH is a
great certification for that. 'Cause it does have a ton of stuff and you've got this, these
huge books that they give you because I think it's like over
3000 pages of information. And now you've got a set
of references that sit on your shelf as they should. Again, we're outsourcing that knowledge. Is it a bear to go in and
take that test and try to remember all those things? Yeah, but you can think
of it as a challenge. Gamify that, right? And, and right, go back
to our previous part of the conversation. It's HR gatekeeper. There is value to that exam. There is value to that certification. There are people out there and
let me put it in these terms. If I go to a job board
and I see on a job that I think is perfect for me
and their qualifications include certifications
such as CEH, PenTest+, OSCP, eJPT or you know, whatever. And I've got a CEH in my pocket. I will tell you CEH is
an easier exam than OSCP. And if it gets me past
the same wall, right? You start to see. We're hackers, right? Gamify this, it's a game. - I wanna push you, sorry, man. I wanna push you
now, so first cert eJPT, yeah?
- Yeah. Then you're recommending
a look at CEH to get past the gatekeepers because
from what I've seen the problem with eJPT it's a great cert but it's not well known enough to get past a lot of gatekeeper
type stuff, even though, you know perhaps you
can, you can talk to them and get past it but if
you just want to you know, get past the check boxes and stuff and the recruitment agency CEH is a great way to get past that. Okay so are you saying do those two and then what would you do? Or are you saying, do eJPT and then go to OSCP, sorry,
Daniel, to push you on those. I just wanna try and get a
nice path for people to follow. Like, what would you do today? You know, if you're starting out or I was starting out, what would you do? So eJPT then CEH, is that right? And then maybe OSCP or what would you say? - So, depending on what I wanna do, if you're saying, see this
is where it starts to get down into the minutiae where
it starts to deviate from a 'here is the way' to 'here
is a way', okay. If you're saying, I wanna be a pen tester then I would push you eJPT. If you're saying, I wanna be a general security practitioner with an emphasis in the
offensive side of security then I would say go CEH. Right?
- Oh, okay. So are you saying, so
let me just clarify that 'cause that's a great way to put it. So if I want to be Red
Team pen tester eJPT is your first cert. But if you wanna be like blue team or just
have general knowledge, then CEH, is that what you're saying? - Right or maybe if you're
running like purple team where you're, you're
kind of doing blue team and Red Team things, that's, that all of that is encompassed
under your job description or that's your role in
some way, shape or form, where you are, the person
that is not only responsible. Well, ultimately people have
to understand that Red Team's job is to, what's the
word I'm looking for? To make the blue team
capabilities more robust, right? Help them, help them find the
flaws and what they're doing so that they can shore
those up, make it stronger, make it faster, make it
leaner, meaner, and tougher for the adversaries out
there that are looking to get into their systems. It's fun to pop shells. It's fun to hack through
a system, but at the end of the day, that's not
my job as a Red Teamer. As an offensive, as a pen tester, as a vulnerability
assessor, that's not my job. My job is to find the
weaknesses in a system, find out whether or not
they're exploitable. Then go back to the people
that built that system and say, hey man, I've found some weakness in your fence here. Let me show you some
ways in which we can make that work a whole lot better. So the guys like me, can't
fire (mumbles) maybe, might find their way through
that at the end of the day. And I've said this in
conferences, I've said this on countless different ways. At the end of the day, Red Team's job is to make blue team win. Blue team eventually
should be winning the game. Because if it's not-- - I like what you said there. - We have to think about these things more philosophically than we do. - Because everyone's like,
I wanna hack, I wanna hack but I mean, end of the
day what pays the bills or get you a job is to protect
a company in a lot of cases. I mean, obviously there are exceptions but most jobs are protecting
companies. I liked the way you put that down.
- What is the value that you bring to the company? I always tell people like, if you're going Red Team side of things, what is the deliverable? The thing that the company
let's say, you're a, let's say you're a pen tester and you've been hired to do an engagement. What's the deliverable at
the end of that engagement? It's a report or what's in that report. Here's your weaknesses,
here's how we did it. Here's how you fix it. If you need help. You know, maybe that was
a part of our agreement. If it's not, we can bolt that on and come in and help at the end. Maybe even do a reassessment to verify that those security controls
are now working, right. This is the job of a pen
tester, this is what they do. This is their purpose in life. Red Team, real true Red
Team engagements are to kind of even go further than that as far as like, we are
going to be basically become a specific type of threats. We're gonna model ourselves after base off of your organization. And we are gonna act as a true APT against your company and see
if we can't make some way so that you can better threat model what might actually come
down your way, your way, and again for the sole
purpose of the blue team eventually winning the game. So if you think, if you think that, Oh I'm gonna get into Red
Team 'cause I like hacking. Yeah, it's super awesome.
and it is fun to do but that is a small subset of what you, what you do in the
entirety of the business. So do you need to know hacking stuff? Do you need to learn those hacking skills? Absolutely, is that fun? Absolutely, it is so much fun, but if you just want to have a good time and know some hacking stuff,
cool, welcome to the community. You'll grab a CTF, sign
up for Hack The Box and have a good time and enjoy
hacking and popping shells. You can just totally do that. And then maybe as you
mature in your understanding of what that does and
how you can play that, maybe you then start to move
toward that side of things. And as you see, I go, Oh, you know what? I think I could be a
real asset to a company. If I was employing these
skills that I've learned or these certifications
that I've gained you guys. I always think of them
as a challenge, right? I wanna challenge myself. Let me take, let me take some training. Let me see if I can get a cert. If I didn't, at the very end of the day, did I at least learn something? Did I take something away from that? Did I improve myself? Did I make myself more marketable if that's what I'm trying to do? So I didn't gain the certification, I gained a lot of experience. I can make that experience
a part of my resume. I need to be doing things that aren't certification related as well. Like Hack The Box. - I wanna push on that. 'Cause you mentioned
Hack The Box and stuff. So what's your opinion on
cert versus Hack The Box and you know, TryHackMe stuff like that. Some people are like
really focused on certs. Are you saying like you
should do certs and that all, how would you spend your time basically? - Yeah, it is a both/and, I would say. A, because you can get burned out when you're working on certifications, you're gonna kind of bounce
in and out of either side of that coin, where
you're going to be like, okay, I gotta work on my certification. So I gotta carve some time out. I wanna get this cert, it has some value in the in the industry. So I wanna do this as a profession. So I'm gonna get that cert. So I'm gonna spend some
time working on gaining the knowledge I need to gain that cert. Depending on the certification
you're working on, doing things like Hack The Box,
TryHackMe, VulnHub, whatever, can help make that learning experience a true practicum, something that I've not only engaged in with my head but with my person, I've done it. I've got experience in it. It might not be a true
representation of a real world but it was challenged. I had to apply the knowledge
in a real way and use that. So they can definitely
bolster themselves out. A lot of times I find
myself jumping back over to doing things like TryHackMe
or whatever because it's fun. Right? It's, it's kind
of a go back to the idea. I like hacking 'cause it's fun and let's just have a good time. And you know what I find what happens is I learn a ton of stuff out. I do a new challenge, the new, maybe a new box drops on Hack The Box. And I go, oh, I gotta
do some googling in here and all of a sudden I'm
taking all those methods that I learned in a maybe
a certification training and I'm applying it to
trying to hack this. And now I'm taking the
experience that I learned there, I'm going back to my certification goal, Oh that's where this okay. And everything starts to work together. So a lot of times, again,
going back to the Red Team idea that yeah, these things are great partners that they go together like
chocolate and peanut butter a lot of times. There are so many of these great
resources where you're able to take that-- - You must be an American.
- Oh yeah. - Chocolate and peanut butter. - Have you had it? It's awesome. - No, no, no I'm just kidding
but I mean, that's great. So I mean you basically,
those two go together, yeah?
- Yeah. Like certs and the practical stuff. - And not only that.
- Sorry I interrupted you. Go on. - No, I was gonna say, well,
I like where you're going with that because it brings
us back around to the idea of it's let me put this way. I'm, I go for a job, right? I apply, I've got a cert. Put the cert of choice in that ball. They go, cool, that's great. What else you got? Well, I got the cert. - Okay, but you know, what
are you doing to show me that-- - You can actually do it. - Right, this is something
that you're engaged in. Something that, like a lot of
people can just hunker down and go I'm gonna go get a cert. Ingest that information,
go take the certification, get the cert and now, now what? You know, the people out
there that I'm seeing are like, before COVID
hit and we were able to actually go face to
face and conferences and do some meet and greet and talk. And even still now, in the
digital way in which we interact, you see the people, they like certs. It helps with, like you
say the HR gatekeeping to get the right people in
front of the right people. But at the end of the day
they wanna see the aptitude. They want to see the passion because they know
- Yeah, the passion the love for it. - Right, that person is gonna
be a phenomenal employee. All you gotta do is give them
the resources that they need and get out of their way
and let them do the job and you're going to be so
happy that's what you did. So put them with somebody that's been doing it for a hot minute. They know the ins and outs of the work. Hey, here's the new person
they're gonna shadow you for the next month. And you're gonna help
them get up to speed. And that's honestly that should be just about any job, right? You need to work under someone
that knows what they're doing because everything's new
to us at one point in time. But understand the concept. You might've even done some of it before but it doesn't mean that's necessarily how we do it here, right? You might need to just
understand their workflow and do it what they say
that's how they like it done. That's cool, go get that done. Work under somebody, I
like that mentorship model even if you're trying to just learn. Somebody that has walked
those steps ahead of you is you'll come to find most people are more than
happy to share that knowledge with anybody that is passionate,
shows a true interest and willingness to do the hard work that's and that's another really great-- - But you make a good point about, you know you mustn't just take any job. I mean, unless you have to,
I like that thing about, you don't wanna be the
cleverest guy in the room. - Oh no.
- Or goal in the room. You wanna be the person
that's a few steps below so that you can learn
from others around you. - Yeah, I wanna grow myself.
- By mentorship yeah, - Yeah, no you're fine. I wanna grow myself. I'm not the smartest guy in
the room in a lot of places. Sometimes I am, sometimes I'm not. And when I am, I'm trying to give that
knowledge to other people. Like if you come to ITProTV-- - Sorry Daniel, I wanna
take you back to the certs 'cause you, you gave us
like sort of two parts like eJPT for Red Team, CEH
is like gatekeepers slash you know more generalist
type of knowledge. Are there any other certs? 'Cause I also wanna push you on Security+ and PenTest+ but I mean what would you,
so let's start with that. What about those certs? Would you recommend not doing those and just going straight to eJPT, CEH and then what comes
after like OSCP perhaps but let's start with, you
know, Security+ PenTest+. Sorry, I wanna push you because
it's nice to get someone of your knowledge and like
put you in the hot seat if you like. - Oh yeah, yeah, yeah, heat it up. Light the fire, right? So I think that we find
ourselves trying to focus in and say, which one it's
not which one, right? It's how do I get all this? Because Security+ has like
Security+ is 8570 compliant for the DoD in the
United States government. That will get you in the door
of a lot of government work. Just having Security+,
if you're in the military and you need to be able to do
X, Y, or Z job, that is a KSA. Right? - And it's cheaper than CEH, isn't it? - Yeah by far, oh my goodness. - And it's easier, I
suppose, because you don't have to, like 3000 pages or
whatever you have to learn - Yeah it's still pretty good
body of knowledge but yeah. It's nowhere near the tome. That is CEH but I don't
just want security. I want Security+, I want PenTest+, I want CEH, I want eJPT, I want them all, right? They're like Pokémon to me. You gotta catch 'em all, because it makes me more marketable. The more that I'm doing the more that I'm engaged
with the community and if that be through
certification showing my passion because I don't wanna
have an air of arrogance like a Security+ it's beneath me, right? It could apply. That might be the thing
that gets me the job. Maybe they're like, oh
man I got the Security+ I know what that is, all
right let's bring them in. You know-- - I like what you said. I mean, it's, I mean, my
counter to you would be time and money, time and money. - Time and money do play
it yes, time and money. - So, you know, that's why
I'm kind of pushing you. Like, you know, if I'm short
on time, short on money, - Short of time, short of money.
- Which do I go? - I would go eJPT 'cause
it's relatively inexpensive, by far less, it's like
half as expensive as CEH. It's very geared toward pen testing. So if that's where you
wanna go, that's perfect. And would do fine for you
if you were wanting to, if you had to be that security person and know something about
the offensive side of things it would be just fine for that as well. PenTest+ also another
very viable, alternative, very strong showing. Let me put it this way. I didn't hate taking the
PenTest+ certification exam. - (laughs) But you loved eJPT
- I love the eJPT, but I didn't hate PenTest+,
I thought it was a great especially for their first
foray into offensive security, Red Team side of things. I thought it was a very strong showing for them to come out of the gate with that. Did a great job. I think it's a very practical exam even though it's not a practical exam.
- So which would you choose, a Security+ or PenTest+? Sorry to keep putting you on the spot, it's just time and money, you know. Give me, give me, give me like just your opinion.
- If I'm just starting out, I would go Security+. If I had some time in the grass, I know a bit of security, you know, maybe foundationally, I would go PenTest+. If I, you know, I might not have had a security certification but I've kinda messed around with it, I know a bit about it, you probably got the wherewithal to jump into a PenTest+ and be successful.
- Okay, here is a nasty question. I'd like to ask this question, so get ready.
- (chuckles) I like it.
- (laughs) What is the best cybersecurity ethical hacking certification? Like if you only could pick one, what would you pick? Is it OSCP?
- That's a tough one. So OSCP has a lot of positives. OSCP has industry recognition, HR gatekeeping kind of idea going behind it. It's very practical, I say very, it is practical. It's probably at the top of the entry-level, bottom of the mid tier, just from my experience, what I've seen. A lot of people consider OSCP to be an entry-level certification, it is--
- It is interesting that people say, I've heard that as well. People say it's like, entry-level, mid-level. I mean, it's not something you would recommend as your first cert, is that right?
- Yeah, I wouldn't recommend it for a lot of people's first cert. It would depend on the person if I was going case by case, but generally no. You do need to understand a lot of, they assume a lot of knowledge right at that point. So, and then you get to the exam itself and the exam itself is--
- Is a beast.
- Well, it's a beast because it's a big puzzle, right? It's five big puzzles. One of the exam boxes, this is all well-known information from us, so I'm not giving away their secret sauce or anything, but there's going to be a buffer overflow challenge that you have to create a very basic exploit, couple of twists and turns in there that anybody that just sits there and thinks, but most of it is designed to be kind of like a CTF. And CTFs are basically like little hacking puzzles. And it can be like wicked frustrating, especially when you're under a time crunch and you're like, you've spent some money. You don't wanna fail. So that's probably the negative aspect of the OSCP. It's a rite of passage almost at that point because it was a really hard thing. You stuck your hands in the bullet ant mitts and you didn't scream for 24 hours and you came out and you did it, good for you, you know? So that's why it's kind of respected. They have started to, they had at one point a real issue with them being relevant and their relevancy, they've--
- Like guys were saying it was outdated, yeah?
- Yeah, it was outdated a bit and I think that they've since kind of updated things and tried to bring it up more to speed with what's going on with relevancy. What was definitely one of the things I liked about eJPT, it was very strict. It wasn't a CTF. It was, here's basically what may very well be what it looks like for you on your first pen testing engagement.
- They've got a web application, they got this, they got that, and you've gotta try to use these skills that we've taught you, answer questions that only you will be able to answer if you did it correctly, right.
- I like that. So it's not like, what I don't like about the CTF thing is they're trying to cut you out. Whereas this sounds like it's more like perhaps like what, like you said, you'd encountered in the real world, you have certain tools. It's not like just to try and, it's not a gotcha or trying to get you.
- A lot of exams are trying to, or at least it seems like it to me.
- Trip you up, yeah.
- It was like they're trying to test you on how well you take a test.
- Yeah, which is pointless.
- Which is, that's, this is not the job. The job is, do you understand these technologies? Are you familiar with X, Y, or Z tool? Maybe not to the, you know, maybe it's just a basic familiarity. Maybe it's a little more in depth, that you understand the switches and where you would use different things within that tool set to accomplish a goal, and that's fine. But don't make it to where it's like, was it port, you know, 8839 or 8838? Oh--
- That's why we have Google, all right, come on--
- Right, it's exactly right, that's why we have Google. That's why I'd love to see all certifications just be practical at one point with, here's a Google screen, here's the machines. If you can do the job then you can do the job.
- So I need to, I need to push you because I've got like this loop that I have to close. If you could only choose one cert, what would it be? And I'm sorry to push you, it's just your opinion, I think.
- Yeah, just my opinion.
- What would you choose?
- Man,
- You're stuck on an island, the only way off is to choose one cert. What would you choose?
- If I'm gonna go with one cert, I'm gonna go eJPT.
- And that's interesting.
- I think eLearnSecurity has really done the right thing. Like their philosophy on the certification.
- I'm amazed that you didn't say OSCP.
- I don't say OSCP because, well, there are so many different factors that you have to kind of boil it down to. I'm gonna try to cast as wide a net as possible and OSCP--
- You know, I mean, Daniel, it's your opinion and you can say whatever you like.
- OSCP to me does not cast that net. It's a much more, right? And as you move up the rung, even in eLearnSecurity, those nets are gonna get smaller and smaller and smaller. You're working on very specific skill sets for, and having a very broad prerequisite set of skills so that you can move into that. So the focus starts to narrow as you move up in difficulty and things of that nature. So OSCP to me is a little more like, if you had eJPT, that will be a great precursor to moving into the OSCP and then taking the OSCP exam and going, okay, I'm not starting from jump street and trying to work my way up. So again, if you're trying to hem me into a path, I would go something like, I would say something like Security+, then maybe like CEH or PenTest+, and then eJPT, if I'm building a perfect world here, and then OSCP, and then back to like eCPPT, then maybe back to OSCE, that kind of stuff, and starting to work that way in them, in eWPTX, the extreme web, or they've got the, there's so many, they've got these acronyms, they're crazy. (chuckles)
- You're talking about like the OffSec, like the wireless stuff, yeah?
- So they, they have wireless, and then eLearnSecurity has their Penetration Tester eXtreme version two. I think it's the latest version, which is extremely hard. You've got like a GPEN. Do you think about SANS? They have certifications as well at the, what I--
- Yeah, it's tough because, I mean, like I'm pushing it.
- It is. And when you start talking about the value, I think that's the real--
- Yeah, what's the value, yeah?
- Is the certification is gonna have some value itself. But the real, to me, right? This is my opinion as Daniel, take it or leave it. To me, the real value comes in the training and the experience you get with that training. And that's why when I teach CEH, one of the major things I heard and experienced when I took CEH was, man, they just, they turn a fire hose on and they hammer you with all this theory and concepts and tools and you've got to just, all this stuff. And then I'm like, oh, someone turns around and says, "Now you teach CEH?" and I go, okay, well, now that it's my baby, I'll do it the way I want. I'll do it the way I think would be most effective. And that's why when you watch my CEH class, it's not just a fire hose and a deluge. We're gonna get our hands dirty. We're going to apply these things. I also have, like, you know, methodology classes, like I built a hands-on hacking series where, hey, let's take all those things we learned in CEH, or that maybe we're getting ready to take CEH or OSCP or eJPT or whatever certification that's on that Red Team side of things. And let's see how we work our way through this. Let's build a good methodology that's gonna help us be successful in those exams. So then they apply to everything instead of just, oh, this is the CEH training. You take my PenTest+, it's gonna be the same thing. I'm not just gonna say, well, here's the problem with SQL injection is that you're allowing the execution of Transact-SQL in the back end through (mumbles) and these mechanisms. Not that you don't need to know that, we go through that. And then I go, now let's do it. Let's spin something up. Here's my web application right here. And yeah, this is fun. Here's the one, you'll see one equals one. Oh look, that worked. But how do we get the database? How do we get, how do, how do we make this a little, a little more? Okay, let's keep going down the rabbit hole. Let's start with, how do I find a SQL injection? How do I exploit a SQL injection? How do I use SQL injection to gain access to the database? How do I use that access to then gain access to the system itself? Maybe getting even a shell back from the system, all through one concept, which was SQL injection.
- So just to make sure I understand, that's a course that you've created. That's part of ITProTV, yeah?
- Yeah, absolutely, yes.
- And what is it called again?
- That would be CEH.
- Oh, that's CEH.
- Yeah, we do that in PenTest+, my--
- So in other words, you've taken the, sorry to interrupt you. You've taken the certs like PenTest+ or Security+ or CEH and you've kind of like made it practical, if you like, and you're demonstrating stuff rather than just talking about it. I've looked at some of the security stuff, like Security+, and like the books and some of the materials out there. And it's like, just concept after concept after concept. It's like, after like an hour of that, you like spat out your mind. So I'm really glad to hear what you've done.
- Yeah, you know, that came from me having the exact same experience as that, going, I cannot stay engaged with this. This is--
- Death by PowerPoint.
- Oh man, we've all been there and we've all had to come back from the brink of like going, huh, I'm ready to just toss in the towel. This is, this is not fun.
- It's terrible, yeah.
- Right, why can't it be fun? Why can't it be, hey, run over to VulnHub, grab this vulnerable machine and let's do this stuff that we're talking about here. (upbeat music)