How I skipped $10,000 Cyber Security bootcamps and spent money on a real education

This blog post is inspired by a chain of tweets I wrote today. “Inspired” by companies that are selling overpriced bootcamps while offering financing options with a cool 25% interest rate, I decided to do a write-up of all the education I followed so far in my Cyber Security career.

But before I introduce you to the education I followed, I want to do a PSA for everyone out there. There is no realistic pathway into cyber security that’ll allow you to take shortcuts to a well-paid job. Anyone who tells you differently is likely trying to sell you a $10,000 boot camp ticket that’ll lead you nowhere. Why? Because no sane recruiter would hire someone with only a few months of experience for a 6-digit salary. Sorry to burst that bubble, buddy. You’ll need to climb the ranks just like the rest of us. So why not use that $10,000 smarter or not even spend it at all?

That being said, I’m going to share the courses I took during my journey so far. This is by no means a “roadmap” of courses you should follow but just a list of bullshit of things I’ve done in the past.

eJPT

The very first course I followed was the online course that leads to the eJPT exam. I don’t remember how much I paid for the course, but it can’t have been more than $500 for both the exam and the course. In exchange, I was presented with a very practical course that gave me a solid foundation for my future pentesting career.

As Henry McNeil pointed out, you can take the course for free and only pay for the exam. That way, you’ll only be spending $200 on your very first certificate.

OSCP

I paid close to $1500 for this course, making this the most expensive course. It was also the one I regret taking the most. In retrospect I wasn’t ready and OSCP isn’t the most “I’m still figuring things out” exam out there. I should have known better, but mistakes are made when you’ve got to develop your own learning plan. The short timeframe and the exam absolutely sucked and I don’t see me taking either again until I’m absolutely ready.

Various courses on Pluralsight

I paid / am paying about $450 a year for access to Pluralsight’s excellent collection of courses. They have some great courses on cyber security fundamentals taught by skilled teachers that are interesting to follow. They also offer courses that prepare you for certification exams like the Pentest+. Value wise this is one of the better purchases that I made. They cover a wide variety of tech topics, from development to cloud solutions and so on.

INE subscription

More expensive than the Pluralsight subscription, INE lured me in as they bought eLearnSecurity and took over their portfolio of courses. However, after taking the eJPT things didn’t really “click” with the other courses they’re offering. A subscription allows you to access all courses and offers you a discount for the exams, but personally I pivoted towards other learning resources.

I should really remember to cancel my subscription next year because if I had to choose between this subscription and the Pluralsight subscription I would choose Pluralsight any given day.

Free resources

After OSCP dunked on my confidence in my pentesting skills I started to pay more attention to web app pentesting since that’s closer to home for me. As it turns out, there’s a lot of excellent (and free) resources that you can use. For example, OWASP, PortSwigger, YouTube and various other resources helped me understand the concepts without having to spend any more money.

This is, of course, also true if you want to do network based pentesting. If this is a field that interests you, start by looking for free resources first and see if you get a grasp of the concepts – and if this is actually something you want to do for your career.

TCM Course

The list wouldn’t be complete without mentioning that I’ve purchased a few lifetime subscriptions of TCM’s cyber security courses. Personally I haven’t tried them yet, but I take comfort in the fact that they come recommended by people I respect and that they didn’t cost me $10,000 to purchase.

TryHackMe and HackTheBox

I wanted to get back into Cyber Security and was looking for a practical approach to things. I found that in both HackTheBox and TryHackMe. I’m paying about $20 a month for both combined which comes down to $250 per year. HackTheBox is a bit more CTF oriented, whereas TryHackMe focuses more on offering courses on nearly all topics Cyber Security. If you are looking to learn, you can’t go wrong with a TryHackMe subscription. You’ll get both the theory and the exercise to grow into your role.

Pentest+

I took on the Pentest+ at my employer’s request. Since the certificate is recognized by bodies such as the U.S.A’s D.O.D for most of their cyber job roles, this can be a valuable certificate to hold – just like most CompTIA certificates which have a great reputation.

Since my employer was a CompTIA Partner I followed their own online course. Their coursework was a little “dry”. Technically I didn’t pay anything, but that doesn’t help you, of course. You can find online courses that cover the Pentest+ coursework or you can choose to purchase the book – whichever suits your learning style. I paid about $200 for the exam.

Security+

At some point on my path I realized I don’t want to commit to pentesting full time. So I started on the Security+ to get a broader understanding of the field and maybe pivot into another direction. So far my expenses have been pretty low. This time I decided to buy the Security+ book on Amazon for less than $40. We’ll see what the future brings, exam-wise.

Total spent

I’m about three years into my pivot towards Cyber Security. All in all I’ve spent about $2500 on various learning resources and $4000 if you include the very costly OSCP – which I wouldn’t be spending money on again if I were restarting.

For that $2500 I am mostly buying subscriptions, which give me access to a wide variety of courses. I’m not limited to just Cyber Security but can tackle other topics like programming, networking and the like. But if you want to save money, you can also find free alternatives to some of the courses I followed online. There is plenty of (great) and free content out there.

What did I get out of this path?

  • The eJPT certificate
  • The Pentest+ Certificate
  • A lot of theoretical and practical skills on a wide range of topics – and cyber security of course!

Am I making $100,000 a year or more? No, in fact I’m currently unemployed (because I had different ideas about my career than my former employer). But then again, neither would someone who followed a 90 day bootcamp. As a company owner, I would never hire someone for a top salary whose only experience is “I followed a bootcamp, bro!”. In fact, I would worry that you are the type who is trying to cut corners in his career and that’s not something that we need in this field that is already sensitive to people “cutting corners.”

TL;DR Don’t spend $10,000 on a boot camp. Spend way less for more value.
