The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#26 Q&A: The Certification Everyone Asks For (Is It Overrated?)
In this Q&A episode, Kyser Clark addresses various questions related to cybersecurity certifications, focusing on the relevance of CISSP in 2025, the comparison between CPTS and OSCP, and the role of OSCP as a gatekeeper certification. He also discusses the value of TCM and INE certifications and provides insights on the time investment required for the eJPT certification. The conversation emphasizes the importance of experience and practical knowledge in the cybersecurity field.
Takeaways
- CISSP remains the most in-demand certification in cybersecurity.
- Experience is crucial for obtaining CISSP certification.
- CISSP covers a broad range of cybersecurity topics.
- CPTS is considered harder than OSCP but less recognized.
- OSCP is still the most sought-after certification for pentesters.
- TCM certifications do not expire, unlike INE certifications.
- Hands-on experience is vital for success in cybersecurity roles.
- The time to complete certifications varies based on individual study habits.
- Employers may not require OSCP for all pentesting positions.
- Certifications should align with career goals and job requirements.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
The postings on this site are my own and may not represent the positions of ...
(0:00 - 2:53)
It's very real world because there's no flag to capture and there's no multiple choice questions. There's no fill in a blank or nothing. It's like you hack into the thing and you write a report on it and that's how it is in the real world.
So that's why I like TCM a lot because it proves competency better. Hi, I'm Kyser Clark and welcome to The Hacker's Cache. The show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners.
If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you. Hello, hello. Welcome to The Hacker's Cache.
My name is Kyser Clark. I have over six years of experience in cyber security and I currently work as a full-time penetration tester, also known as an ethical hacker, and I'm here to help you grow your hacking and cyber security knowledge. Today we have another Q&A episode.
These episodes happen only once per month. It is the third Wednesday of every month I am releasing a Q&A episode. And the way these work is anybody who watches and listens to the show and even people who don't listen to the show can ask questions and then get them featured on the show.
The way you ask questions, there's three ways. You can join my discord server and you can ask questions there. There's a dedicated section made specifically for asking questions for this podcast for the Q&A episodes.
The second way is by asking your questions on this episode of The Hacker's Cache on the YouTube channel. And then you can also ask questions on other videos that isn't a Q&A episode. If you ask a question that is on the Q&A episodes on YouTube, those are more likely to be featured in the next Q&A episode or a future Q&A episode.
If you ask a question on a different video of mine, that is less likely to be featured. However, it's still eligible. If I think it's a good question, I will bring it into the show.
And the third and final way you can ask questions for the show is by emailing me at KyserKyserClark.com. And if you want it to be featured on the show, all you have to do is say, hey, this is for the Q&A and we'll make it happen, if it's a good question. So I have to be very selective with these because I get a lot of questions and I can only pick four or five questions per episode.
So the better the question, the more likely it will be featured on the show. So hopefully I see some more questions from you guys because there's a lot of good ones out there and I look forward to these episodes and I look forward to answering your questions. That being said, let's go ahead and dive into the first question of today's episode.
(2:54 - 4:20)
Here it is. Question number one. Do you still like the CISSP in 2024/2025? Would you say that the biggest needle mover out there of all the certs to get offers? That last part of the question is a little, I think he's asking or she's asking, what would you say is the biggest needle mover out of all the certs to get job offers? And so this is a two part question.
So the first part is about the CISSP. Is it still relevant? And the answer is yes. I still like the CISSP going into 2025 because the CISSP is the most in demand certification on the job market.
If you go to Indeed, ZipRecruiter, LinkedIn, it is the number one certification employers are asking for. Furthermore, it has the most recognition out of any certification. There's people who aren't even in the field that will recognize the CISSP because it's that recognized.
So the CISSP is definitely worth it. It's worth your time and your money. And honestly, it's got a huge bang for your buck because it's relatively inexpensive compared to some of the other big needle movers out there.
So I think it's a no brainer to go after the CISSP when you're ready. And that's key when you are ready, because the CISSP is no joke. It is very difficult.
(4:21 - 6:18)
It is probably the hardest multiple choice certification you can do, in my opinion. And it's not easy. My brain literally hurt when I walked out of the exam center.
I had my pass and I was driving out of the back home and my head hurt like I had a headache, like because it requires so much thinking and the questions are very long. Their answers are very long. All the answers are correct.
And your goal is to pick the best answer. That's what makes it very hard, because all the answers are correct. So that being said, it's definitely worth getting it if you're ready.
So you need to do some things to prepare yourself for that. Without going into too much detail, I honestly think you should get a certification or two before, at the least, before you get CISSP. The CISSP was my fourth certification and I passed on my first try, but it wasn't easy.
It took a lot of hours and a lot of practice. And I put a lot of time into that. And I passed on my first try because I put in so much time and effort.
So don't think it's going to be like other multiple choice certifications. It's way harder than CompTIA certs and honestly harder than Cisco certs. So just know that before going into it. Furthermore, the last thing I will say about the CISSP is you can't even have a CISSP until you have five years of experience, unless you have another certification or a college degree in cybersecurity.
If you have that, if you have an approved degree or an approved certification, then you can waive one year of experience. You can get your CISSP at your four year mark. Personally, I got mine at the four and a half year mark of my career because I had other certifications that were eligible to waive a year of the experience requirement.
(6:19 - 11:08)
So it's not something you're going to want to get right off the rip anyways, because you need to have experience to have it. Now you can pass the exam before you meet the experience and you are a CISSP associate, which means you pass the exam, but you don't have the experience behind it. And that's a valid option.
And a lot of employers treat that as an equal to a CISSP. But what employers are looking for, they're just looking for that CISSP knowledge, which is basically a huge book of terms and definitions and vocabulary. And anybody who has a CISSP, they can speak the lingo of cybersecurity at least a little bit across the entire spectrum.
So it's a common saying out there that the CISSP is a mile wide and an inch deep. And that's exactly what it is. You're going to cover literally everything, all aspects of cybersecurity, but you're not going to go very deep on anything in particular.
So just know that with the CISSP, it's a lot. It's a very broad range of knowledge and vocabulary that you have to know. And that's what makes it valuable because you can kind of go in any environment and you can have at least some familiarity with pretty much anything you're dealing with.
And like I said, it is number one most in-demand certification, at least at the time of this recording. And if you are looking to get into a certain role, then you definitely need to check out what are employers looking for in those roles. And they'll list certifications.
CISSP is typically almost always on the list. So it is worth getting in 2025 if you are ready for it. And then the second part of that question, which was, what would you say is the biggest needle mover out of all the certs to get job offers? It depends on the job, honestly.
So for The Hacker's Cache, I would say most of us are aspiring pen testers or red teamers. And if that's you, then I would say that the CISSP is less relevant. You don't need a CISSP to be a pen tester.
Most pen testers don't have it. And quite honestly, I don't really, I don't think you need it. So if you're trying to be a pen tester, the CISSP is not the biggest needle mover.
Now, I think the CISSP is a great addition to all your other certs that you should have or should aspire to have for a pen testing position. And that's why I have it because I think it's a good icing on the cake for a pen tester. For a pen tester, the number one most in-demand certification is OSCP.
That's what employers are asking for. So that's a huge needle mover for pen testers. Cybersecurity analysts, you're going to want to get something like the CompTIA CySA+, and you're going to want to pair that with some hands-on certification with like TCM Security or Hack The Box or OffSec.
OffSec also has some blue team certifications, or you can get like the Blue Team Level 1, which is also a hands-on certification. So you want to get some kind of hands-on certification paired with like a CompTIA CySA+, in my opinion, and then get a CISSP on top of that. Now, you don't need a CISSP to be a cybersecurity analyst either.
I have a really good friend who is a cybersecurity analyst and he's crushing it right now. And he has no desire to get a CISSP because his employer honestly doesn't value it. And his employer didn't hire him for his certification.
So it depends on the employer and it depends on who you're trying to impress. I guess the best way to put it, you know, whether that's a client or an employer or a customer. So you got to evaluate who are you trying to look good for.
And because that's what certifications are used for a lot. Now, me, I like to use them just to build my knowledge in any way, shape, or form. And if it's you, then, you know, the more the merrier.
You can't have too many certifications, in my opinion. But yeah, basically, it definitely depends on your job role that you're going for. And CISSP is really good for like GRC roles.
It's government risk compliances or like non-technical roles. If you want to do that kind of work, or you want to get into management, then the CISSP is a huge needle mover in the right direction. Next question.
Question number two. I am currently studying for the CPTS exam. It's the certified pen tester specialist.
I think it's a penetration tester specialist from Hack The Box. That's what that acronym stands for. I have been told by various people that the CPTS is harder and better than OSCP is.
I would like to know if after getting my CPTS, I could skip OSCP and go straight to OSEP. I was planning on doing all the OSCP boxes on Proving Grounds practice before diving into OSEP. Do you think that is a good idea? So it's a multi-stage question as well.
(11:11 - 11:24)
And I would say, so I don't have the CPTS to be fully transparent. I don't have that certification. I've only done a small amount of the training for that certification.
(11:25 - 12:21)
I haven't sat for the exam yet because you have to complete all the training to even sit for the exam. So with that in mind, what I know from what other people have been saying, the CPTS is harder than OSCP. It does cover everything and more than OSCP.
So in that way, it is better than OSCP. However, the OSCP is still the number one most in-demand certification for pen testing positions in the industry. And the CPTS isn't recognized by all recruiters or all hiring managers because it is fairly new.
I think it's only like two, maybe three years old. It's not very old. Whereas the OSCP, honestly, I don't even know how old it is, but I want to say it's like over a decade, maybe a little less, maybe a little more.
I don't know. So we'll call it a decade, give or take a couple of years. OSCP has been around for a lot longer.
(12:22 - 12:40)
And that's why it's recognized more often than the CPTS. I think with time, the CPTS is going to build up a reputation for itself. It already has been building up a huge reputation for itself, but it's going to take more time for it to overtake the OSCP.
(12:42 - 14:18)
But more importantly, you got to keep in mind, we're talking about certifications and we do like talking about certifications a lot. You don't need a certification to be in the field most of the time. There's some employers that are going to require it, but there's some employers that don't care.
And there's some employers that are like, it's a nice to have, not a set in stone requirement. And I know plenty of pen testers who do not have an OSCP who are killing it, slaying it in the real world as a pen tester. So you definitely don't need OSCP to land a job and you don't need OSCP to do good on the job.
However, it does help. So the more training you do, the better, the more the merrier, I always say. So the next part of your question is, I would like to know after getting my CPTS, can I skip OSCP and go straight into OSEP? I would say, yeah, I think that's, I think it's a fair thing to say because from what I hear CPTS is harder than OSCP.
And the OSCP is, it's not a mandatory prereq, but it's just a good recommendation to do before OSEP. That's the OffSec Experienced Penetration Tester. So I would say, yeah, if you want to go for the OSEP, then yeah, CPTS is a good prereq for that.
And you can skip OSCP for that. I was planning on doing all the OSCP boxes on Proving Grounds practice before diving to OSEP. Do you think it's a good idea? Yeah.
Yeah. The more practice you can do before OSEP, the better because OSEP is, it's in my opinion, very difficult. I have done that course.
(14:18 - 14:23)
Well, I did the course. I didn't complete the challenge labs. I didn't sit for the exam.
(14:23 - 15:47)
And the reason why I didn't do the challenge labs is because I stopped to pursue the OSWA, which I passed recently. And I want to go into OSEP in the future, but I'm working on some other things instead. But OSEP, I have done the training and it's, in my opinion, quite difficult to grasp because it's a lot of malware development and you got to know how to code in C#.
And it's pretty difficult. So the more practice you get, the better in my opinion. But honestly, once you get CPTS, you can skip the OSCP boxes and in the Proving Grounds, in my opinion, like once you get CPTS, you can probably go straight to OSEP and you can probably find success that way.
But it might be a little bit harder. If you want to make it a little bit easier, then yeah, doing the Proving Grounds practice will make your OSEP journey a little bit easier, in my opinion. Moving on to the next question. Question number three, is OSCP still a gatekeeper to get into the industry without any prior experience? So we kind of lightly touched on this and it's yes and no.
So a lot of people will say, yeah, it's a gatekeeper certification. It helps you get your foot in the door. And that's true.
(15:47 - 17:19)
That is true, but it's not the end all be all. Like I said, I know plenty of people who do not have an OSCP and they're thriving as pen testers. They still landed a job and they're doing great on the job.
So it helps, but it's absolutely not a hard requirement. So do with that information as you will. If you think it will elevate your career, then definitely go get it.
But if you would rather do something else or another certification or another training, then do that too. The OSCP while it is the most in-demand certification, absolutely not a hard requirement for any employer really in the pen testing space that I know of. I mean, maybe some, maybe some require, but honestly, there's plenty of jobs out there that doesn't have it as a hard requirement, but it does open a lot of doors for you.
And that's the route I took. I went the OSCP route and it worked for me. So it worked for me.
It might not work for you, but OSCP has worked for many people, but like I said, not all people have it and they're doing fine without it. Next question. Question number four, while we're speeding through these, I just finished the PEH from TCM course, but I wanted to get the eJPT because that has better value on the market.
(17:19 - 22:47)
What do you think? Besides, how long do you think it would take me to finish the eJPT after I already finished the PEH course? Thanks. So in my opinion, I don't think the eJPT is better value than the PEH from TCM. So TCM, their junior pen tester, I think it's called the Practical Junior Penetration Tester, PJPT.
And of course that's the PEH, the practical ethical hacker course. And I, yeah, I haven't completed that course and I don't have that certification. However, I do have the practical web tester associate, the PWPA.
I recently got that and I was very impressed with the way that exam and the way the requirements are to pass that certification. It wasn't easy. I actually failed in the first trial.
I'm actually going to make a video in the future about this and explain more about it, but in a nutshell, it is highly realistic and it is not easy. And I have an eJPT. So seeing how INE Security, who is the vendor of the eJPT, seeing how their training works at the junior level compared to how the TCM training works at the, it used to be the junior level.
It's now called the associate level. Actually, they didn't change the name of the Practical Junior Penetration Tester to pen tester associate, but they changed all their other junior certs to associate. Fun fact, if you didn't know that, but having done both their junior slash associate level courses, I think TCM is way better value, way, way, way better value.
I think they have the same amount of industry clout. eJPT has been around a lot longer. INE Security bought out eLearnSecurity, who is the former owner of the eJPT.
I just think, I honestly think they have the same industry recognition, even though the eJPT has been around a little bit longer, TCM Security is probably the same reputation for me, in my opinion. And the courses, I would say, honestly, I really liked the eJPT course. I really did.
But the exam is where I have problems with it, with it, because the exam has a lot of multiple choice questions. Now you can't get the answers unless you actually do a hands-on activity, but there are multiple choices questions nonetheless. And you can guess your way through it.
In theory, it's very, very unlikely because you can't get the right answer unless you actually do the hands-on activity. You can't get the answer by reading a book. You can't get the answer by Googling.
You have to hack into something and grab some kind of information. And that's how you get the answer. And there's also, you know, fill in the blank and capture the flag type stuff.
But overall it is, I would say it's very CTF-y, you know, and whereas TCM is not CTF-y at all. It's very, very hands-on. It's very real world because there's no flag to capture and there's no multiple choice questions.
There's no fill in a blank or nothing. It's like you hack into the thing and you write a report on it. And that's how it is in the real world.
So that's why I like TCM really a lot because it proves competency better. Even though I thought the INE training was very good, I just thought the exam was not as practical. And furthermore, the other thing about TCM compared to INE Security is that TCM certifications are good for life and INE Security certifications are not good for life.
They expire after three years. And that's one of the things I'm really sorry about because when I passed eJPT, it was a good for life cert. And then they changed it out of nowhere.
So I asked them like, hey, how do I renew this? Can I take a higher level certification? Which most certification bodies like CompTIA, for example, like if you get a higher level certification, it renews, you know, your certification at the lower level. And they told me that, no, you have to pass the same certification exam again in order to renew it. And another way you can renew certifications with ISC2 is like they accept credits.
Like if you go learn, you know, if you go read a cybersecurity book, you get credits for that. If you do a talk, you get credits for that. If you make a YouTube video, which is what I'm doing now, you get credits for that.
If you get another certification, you get credits for that. CompTIA is kind of similar where you get credits for doing various activities and they don't accept any kind of credits. It's like, you have to pass the exam again.
And I'm just like, that's annoying because I can easily pass the exam again at my skill level now, but it's like, I don't want to pay $200 to renew a junior level certification. It doesn't make sense. So I'm probably going to let my INE Security junior pen tester cert expire.
Now, had I had a junior pen tester certification from TCM Security, the Practical Junior Penetration Tester, then that would be good for life. I wouldn't even have this conundrum at all. So that's why I recommend going for TCM.
(22:48 - 23:29)
And like I said, I don't have the PJPT, but I do have the PWPA, the Practical Web Pentest Associate, which is the web app pen testing equivalent to the PJPT. So I can say good things about TCM Security. So I don't think the eJPT, that's a long way of saying that I don't think the eJPT has more value than the PEH course from TCM, even though the training is debatable.
It might be better, probably about the same to be honest with you. The certification exam is way more realistic and it's good for life and it might even be cheaper. It's probably about the same price.
(23:29 - 24:40)
I don't know. You have to double check that, but I think TCM has way better value at the junior level there. And then there's a second part of this question.
How long do you think it takes me to finish the eJPT after I already finished the PEH course? Well, if you go through the whole entire eJPT course, then it might take you, it depends on how many times, how many hours you study, honestly. Like everyone's like, how long will it take me to do this, sir? How long will it take me to get this training done? And the answer is, it depends on how many hours you put into the training, right? Which is why I don't like to tell people, oh, it took me three months to get this. Oh, it took me two months to get this. I like to tell people like, yeah, it took me 400 hours to get OSCP.
You know, I try to put it down in hours, but eJPT, let's think here. I think I put in probably a little over a hundred hours for the eJPT. Personally, I was doing three to four hours every day.
And I think it took me like a month to do roughly. So I'm skipping almost no days. So I would say maybe slightly over a hundred hours for the eJPT.
(24:40 - 25:53)
That's how long it took me, but I didn't do the PEH course from TCM beforehand. Matter of fact, TCM certifications didn't, or the PJPT course didn't exist. Otherwise I would have gone that route when I was doing eJPT.
But yeah, I didn't do that course prior. The only experience I had, I had a PenTest+ from CompTIA and I had a lot of TryHackMe rooms completed. And that was my prereq to the eJPT and ended up getting it in, I think, slightly over a month with, you know, three to five hours of studying every single day.
Overall, I think it was like a hundred, in between a hundred and 120 hours, I would say, for the eJPT for me. But like I said, it depends on you. Not only does it depend on, like, you know, how many hours you study every day, but how much knowledge you already have, which if you already have the PEH, you're going to have a lot of familiarity with all of this stuff.
So it's going to speed up the process for sure. And you know, some people get concepts a lot faster than others, right? So some people learn faster than others really. It's just sort of hard to pin down how long it's going to take you.
(25:54 - 26:31)
But if you really focus, I think most people can get it in a couple of months. If you, if you dedicate your time to it. Hey, I wanted to tell you about my new cyber security insider list, where you get raw unfiltered cybersecurity advice, tips, and hot takes, plus exclusive first looks at my content delivered directly to your inbox every single week.
No flow for spam, just valuable content. Head over to Kyserclark.com slash newsletter and level up your cybersecurity knowledge today. Once again, that's Kyserclark.com slash newsletter.
(26:31 - 27:44)
There's also a link in the description. All right, now back to the show. All right.
So that is all the questions and answers that I have for you today. Today was a little bit of a shorter episode because these questions didn't take me too much time to answer. And I couldn't ramble on long enough to make this as long as I normally make my episodes.
So if you enjoy the shorter episode, let me know. If you hate the short episode, let me know. And I'll take that feedback in and apply it to future Q&A episodes.
And, you know, maybe throw in like five or six questions in for future episodes. If you want the length to be longer, if you like the short, let me know and we'll keep them short. It's all for you guys.
So let me know what you like. Do you like shorter? Do you like longer? Thank you so much for watching. Thanks for listening.
And if you want to get your questions answered, definitely ask them in the ways I mentioned earlier in the episode. And I look forward to seeing your question. I look forward to replying to those questions on a future Q&A episode.
So once again, thanks for watching. Thanks for listening. Hopefully I see you in the next episode.
Until then, this is Kyser signing off.