In 2020 I passed two CompTIA certificates: PenTest+ and CySA+. Quite a number of people were curious about the experience so I decided to put it all in a blog post.
- I passed both of these in autumn 2020 and don’t know if anything has changed since (it could have);
- I did not pay for the exams on my own; I won vouchers for CySA+, PenTest+ and Security+ at Cybersecurity Challenge UK in 2018 and it was time to use them (by this I mean they were about to expire).
I started with PenTest+ as I felt the least comfortable with this one and wanted to get it out of the way. Apart from one module at university and a CTF here and there, my pentesting skills are not very advanced. However, PenTest+ is no OSCP and – importantly – does not have a practical component, so I decided it was doable and that having broader knowledge can’t hurt.
I studied from Jason Dion’s Udemy course and read bits and bobs from various books; however, I also hold a bachelor of engineering in cyber security, so I am not really sure which was the most helpful factor. Word has it you can’t pass PenTest+ without practical experience: I disagree. OK, you need to understand commands and be able to interpret the outputs of various tools like nmap, but you do not need to be able to hack boxes to pass this. I can’t do that, and with a strong theoretical background I still passed.
CySA+ was my absolute favourite and, to be very honest, reignited my love for security at a time when I was stuck in a devops-heavy job. It inspired me even further to find a gig closer to what I specialised in.
I studied from this book and I can 100% recommend it; it read like a page turner, although that might just be me being a nerd. It helped me zoom out and see security more holistically, which is exactly what CySA+ is all about. I also worked with Jason Dion’s course on this one, but it was 4x longer than the PenTest+ one (32 hours of video vs 8 hours for PenTest+), so I picked and chose topics I was less familiar with rather than going through the whole thing.
- Before you do anything else (even decide on a course or book to go with), check out the exam’s syllabus; it’s a list of all covered topics and acronyms you are required to know.
- When taking the exam, make sure to initially skip the simulation questions and go through the multiple choice first. Then come back to the 3-4 difficult ones they serve you at the very beginning. Trust me; every single book and course I touched for either of the CompTIA exams stressed this.
- [PenTest+] Having practical experience (Vulnhub, Hack The Box, etc.) is not 100% necessary to pass this exam. Of course, if you’re planning to become a pentester you should be doing these things anyway, but that’s not what this post is about. I would put the most focus and attention on tools, commands and the interpretation of their outputs – you do need to know this by heart on the exam.
Due to the pandemic I was taking the exam at home as opposed to your usual examination centre. Having heard quite a number of horror stories of at-home exam taking I was stressed but determined to make it work. I set up shop in my bedroom, sitting on the floor and placing the laptop on an ottoman. Authentication and photographing the exam space went smoothly but that’s where the positives end.
CompTIA’s process for online examinations is clearly imperfect and causes unnecessary stress to the candidate. It starts with contradictions such as: you can’t have a phone within your arm’s reach, but if there’s a problem, we will call you and you need to answer; but also you can never leave the view of the camera or else we will void the exam attempt altogether (even though you haven’t even seen the questions yet). There is also contradictory messaging on whether or not you are allowed to have water by your side; the website says you can, the pre-exam screen says no, and you end up sitting there like a common criminal with your illegal glass of water next to you (and you can’t move or get up to put it away or anything).
The worst thing about these exams, though, was the flow: while you check in, a surprise screen pops up and tells you that THIS IS THE MOMENT FROM WHICH YOU CAN’T LEAVE THE CAMERA VIEW OR ELSE YOU’LL FAIL. Because CompTIA advises you to check in at least 30 minutes before your scheduled exam time, but also says that the proctor ‘aims to be with you within 15 minutes’ of the start of your exam slot, I ended up having to sit still, doing nothing, looking straight into a camera waiting for my proctor for 45 minutes prior to the exam. Needless to say, that was less than ideal for an exam which is already over two hours long. The whole setup feels pretty precarious, with various problems on the proctors’ side – I also attempted Security+, but even though everything worked on my end, my exam was force-ended because a proctor had trouble seeing me. I got a voucher valid for a year to take the exam again, but I have not bothered yet as I’ve already passed the other two, which are more advanced.
Hope this helps anyone in their preparation for CompTIA exams – if that’s you, good luck!