The Hacker's Cache

#42 Certifications, College, or Bootcamps — What’s Worth It in Cybersecurity? ft. Channa Rajaratne

Kyser Clark - Cybersecurity Episode 43

In this episode, Channa Rajaratne joins me to unpack one of the most common questions in cybersecurity: should you go after certifications, a college degree, or a bootcamp? We break down the pros and cons of each, share personal experiences, and talk about which path actually helped us get hired. Channa also shares his take on underrated skills like report writing, soft skills, and why being a well-rounded practitioner matters more than chasing every shiny new cert. If you're trying to break into pentesting or level up your career, this episode is for you.

Connect with Channa Rajaratne on LinkedIn: https://www.linkedin.com/in/channa-r/


Music by Karl Casey @ White Bat Audio

Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

Opinions are my own and may not represent the positions of my employer.

[Channa Rajaratne]

I think a lot of people focus a lot on, you know, chasing the new shiny cert and building up their technical skills and, you know, learning so much, but they overlook the soft skills and the report writing side of things if they want to get into pen testing, because that's super important as well. And I think that you don't necessarily need to be the best pen tester out there, but if you have like this whole different set of skills and all the other skills to complement your whatever pen testing experience and certs you have, it goes a long way than just, you know, chasing all the certs, right?

 

[Kyser Clark]

Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.

 

Hello, hello. Thank you so much for tuning in today. I have Rajaratne, who has been in cybersecurity for about four and a half years.

 

He started as a cybersecurity analyst as a tier one and worked his way up to a cybersecurity senior cybersecurity analyst position. Then after that, he transitioned into security research and is currently working as a full-time cybersecurity consultant and penetration tester. For education, he has an advanced diploma in management accounting.

 

And for certifications, he has the OSCP, the GPEN, the CPTS, the PNPT, the GCIH, that's the GIAC Certified Incident Handler, the GSEC, and he has the Google IT Support and Cybersecurity Professional Certificates. So Channa, thank you so much for stopping in and being here with me today. Go ahead and unpack some of your experience and introduce yourself to the audience.

 

[Channa Rajaratne]

Thanks for having me. So my name is Channa. I'm from Toronto, Canada, but I actually grew up in a small island, a beautiful island called Sri Lanka.

 

I've been in security operations, like Kyser said, for about four years, and I was a senior security analyst before switching to pentesting, which was about a year ago now. I don't really have a formal IT background besides what I learned in school. It's all self-taught through certifications and all that.

 

And besides that, my higher education is actually in business management and finance. Yeah, that's me.

 

[Kyser Clark]

Yeah. So before we started the recording, you said you didn't have a passion for business management and finance and all that. When you made that transition, what made you want to go into cybersecurity?

 

[Channa Rajaratne]

Well, growing up in Sri Lanka, all throughout school and all that, I studied business and business management and all that. So it was a natural progression to learn business management, finance, accounting, all that beyond school. So cybersecurity back then wasn't a really big thing.

 

And I was more a hobbyist in IT than also wanting to make it my career, because cybersecurity wasn't really a thing back then. But I've always been into tech and into the hacker culture and all that. So when an opportunity presented itself to get into cybersecurity, I had all this self-taught knowledge in IT, and it made it really easy to get all the certifications done and get into cybersecurity.

 

So that was kind of my pathway into cybersecurity.

 

[Kyser Clark]

Yeah. So with that informal IT background, what was some of the stuff you were doing? Were you building computers?

 

Were you hacking things you weren't supposed to? What were you doing with your informal training?

 

[Channa Rajaratne]

It was mostly, I think, it started off kind of playing games, PC gaming, building my own game. Sorry, building my own computers and all of that. That kind of interested me in IT.

 

And then, of course, back then when piracy was a thing, we had to download stuff and be wary of what we download and get viruses and all that, and fixing all of that was kind of a thing as well. I think that kind of piqued my interest also in cybersecurity. And as far as hacking itself goes, I think through Hack the Box and all these platforms, I kind of gained, I've always kind of been interested in it, but I could gain experience through these platforms like Hack the Box.

 

So that's where that comes from.

 

[Kyser Clark]

Nice. Yeah. Mine's pretty similar to that.

 

I was a huge gamer. We used to talk about video games before we hit the recording. That's one thing we had in common and really did like your Pip-Boy back in the background.

 

I'm not a huge Fallout fan here. And for the audience, he commented on my Mortal Kombat Scorpion statue. So that love of gaming is what got me into the field and it sounds like it's pretty similar to you as well, because when you become a PC gamer, you kind of just learn how to tinker with your computer.

 

Because, well, first of all, you want to build your own computer because you want to stretch, you want to get the most performance you can with the least amount of money. And the best way to do that is by buying your own parts and building and assembling it. And then, you know, modifying it in whatever way and troubleshooting it because you're going to something's going to go wrong somewhere on the way.

 

And you just build up those skills. And that's a really good introduction into IT. And when I was, you know, when I first built my computer, I didn't even know IT was a job.

 

I graduated high school, still didn't even know IT was a job. I didn't know you get paid to work in computers. And I was working in oil refinery.

 

My coworker, the conversation me building gaming computers came up, he's like, dude, you should go to college for this stuff. I was like, oh, yeah, I mean, that might be cool and all, but, you know, I'm not that good in math because there was this huge myth that like that you had to be good at math to be in IT or in cybersecurity. And that's one of the worst myths that happened and that, honestly, that made me start my career like four years later than I should have, but better late than never.

 

[Channa Rajaratne]

I think another myth also is the programming aspect of it. You need to know how to code things and, you know, be really good at coding and programming. But there are a lot of kind of non-tech, there's a non-tech side to, I guess, cybersecurity as well.

 

[Kyser Clark]

Yeah, I had a friend in high school who was a coder. He was going to school for computer science and he was programming stuff. And he would just tell me about all of the programs he was writing and all the frustrations he had.

 

I'm like, man, I don't think I'm cut out for that, man. I don't think I am. I eventually did learn how to program because I thought it would make me a better hacker and it did.

 

[Channa Rajaratne]

It does, yeah.

 

[Kyser Clark]

But I don't have a passion for coding at all. Like, I just don't. That's why I just do the bare minimum I need to scrape by.

 

And I don't think I'll ever be a developer, expert developer.

 

[Channa Rajaratne]

Self-fitting though.

 

[Kyser Clark]

Yeah, yeah. All right. So great, man.

 

Thanks for the introduction and yeah, it's good to hear more about your background and how you got into cybersecurity. Before we dive into the meat of the discussion, we're going to dive into the rapid fire questions. So are you ready for the rapid fire round?

 

I believe so. Let's go. All right.

 

For those who are new to the show, Channa will have 30 seconds to answer five questions. If he answers all five questions in 30 seconds, he will get a bonus sixth question unrelated to cybersecurity. Question number one.

 

On a scale from one to 10, how important is a college degree for a cybersecurity career today? I think five. Most important quality for a hacker?

 

[Channa Rajaratne]

Being able to learn things quick.

 

[Kyser Clark]

On a scale from one to 10, how useful are security audits? Uh, four. Is it better to be a specialist or generalist?

 

[Channa Rajaratne]

Generalist, I think.

 

[Kyser Clark]

Best hacker alive today?

 

[Channa Rajaratne]

Alive today? Unknown.

 

[Kyser Clark]

Love it. Yeah, that was, that's my, the best answer on that last one. The best hacker alive today?

 

We don't know.

 

[Channa Rajaratne]

They got away with it.

 

[Kyser Clark]

You know, um, you know, I liked, it's, there's two, two ways you can go with that. Like, do you want to go with like the criminal hackers who got away with it? Or do you want to go with like someone who's an ethical hacker to actually put their content out there?

 

For me, the best hacker alive today, man, I strive every day to become John Hammond. That's actually my role model. And hopefully one day I can get him on the show.

 

And if you know John Hammond guys, if you're listening to the show, uh, tell him that I'm interested in getting on the show. Cause that would be, that would be a great guest to have. So he answered, Oh, sorry.

 

I didn't even tell you your time. I'm sorry. You got 26 seconds.

 

So you, you beat the time. You beat the buzzer. Awesome.

 

Let's go ahead and dive into the bonus question. The bonus question, you can explain as much or as little as you want to, uh, or you can just pass on it altogether. Here is a bonus question.

 

If you could time travel, but only in one direction, would you go past or future?

 

[Channa Rajaratne]

Future, I think, because, well, we have an idea of what may have occurred in the past, but we have no clue of what could happen in the future. Right? So I think going into the future and kind of experiencing and exploring that would be cool.

 

[Kyser Clark]

Yeah. And would you, would you take it like if it was a one way ticket, like if you couldn't come back to the present time, would you take it?

 

[Channa Rajaratne]

That's, that's, that's, that's a tough one. Uh, I might, I'll go and see how we can adapt to it, but yeah, I still might. I think if I go to the past, could I change anything or just visit the past and like live in that?

 

[Kyser Clark]

Um, I would say if I was the time wizard, if I was the time Lord, I would say you can't change the past. You can only observe the past. You can't really interact with anything.

 

You're just kind of observing it. And then you could come back to the future if you want to do, that's how I would do time travel if I was like, cause you don't want to create a paradox and mess up the whole timeline. So I would say you can go to the past and see it and observe it for as long as you want, but you can't interact with anything and you can come back to the present if you want.

 

Yeah. Uh, with that being said, so you said future, what, where in the future would you go? Like how far in the future would you go?

 

[Channa Rajaratne]

That's a tough one too. I don't know. Uh, as far into the future as we can before, I guess the sun explodes.

 

[Kyser Clark]

Nice. Yeah. If I was to choose a future, I would definitely choose a time where I could be a space cowboy did.

 

Like this cowboy.

 

[Channa Rajaratne]

That's what I would want to do. But would you know exactly when space cowboys would be a thing and pinpoint that or just randomly press a button 10,000 years into the future?

 

[Kyser Clark]

Uh, I would try to do some research on like, when it could be the most likely to have, when is the space exploration really kicking off where you, you know, individual people can own a spaceship and just travel the stars that I would want to get in the early days of that. That would be me if I chose a future, cause I think that would be pretty cool. Um, very dangerous, but, uh, that I feel like, yeah, I feel like if I was like in the past, I definitely would have been one of those people that like in the wild west, like that just went west for adventure and for, for wealth and, uh, all the rewards and, and except all the risks.

 

I think that's what I would have done. Um, obviously it's really not my place on earth to explore anymore. I mean, you can travel and I have traveled a lot and I enjoy it, but you're not really discovering anything.

 

It's already kind of all been discovered, you know?

 

[Channa Rajaratne]

Yeah.

 

[Kyser Clark]

Unless you go to the ocean, but ocean, that's, that's scary, man. I don't think I would rather, I would feel safer in space than the ocean, honestly.

 

[Channa Rajaratne]

That's interesting. I have my scuba licenses as well and it's, it's, it's a different world underwater.

 

[Kyser Clark]

Yeah, I did see that you got your scuba license. I've actually done scuba diving twice and man, that was, I loved it. It was the first time I was actually terrified.

 

The first time I went about, I don't know, I was like 20 feet underwater, uh, and me and my girlfriend at the time, we went scuba diving and the instructor was like, Hey, I'm going to take you guys down one at a time who wants to go first. And I just volunteered to go first cause I was like, you know, I don't want my girlfriend down there by herself. And I went down there and I just remember being down 20 feet in water, like by myself.

 

And it was, it was very intimidating. I was very, I almost, I almost wanted to come back up. I'm like, and I'm never doing this again.

 

I was like, that's the thing. I was like, I was like, we're just going to, I can't back out now. I was like, if I back out now, I am, you know, I would definitely let my girlfriend down cause I feel like she's too excited about the scuba diving.

 

But after I calmed down, one of the greatest experience of my life, and I actually went scuba diving again, second time, not so nervous cause I already went through it. It was just that initial fear of the ocean, I guess.

 

[Channa Rajaratne]

Yeah.

 

[Kyser Clark]

But yeah, that's cool, man. Uh, I mean, I mean, you got your, your certification and stuff, so I'm assuming you do it, you scuba diving quite a bit, huh?

 

[Channa Rajaratne]

I've been doing it a bit. I think the deepest I've gone is 35, 40 meters, so a hundred something feet, I guess. I don't know.

 

Um, but yeah, you see so many different things like shipwrecks and corals and fish. It's a different world, right? So yeah, it's pretty fun.

 

[Kyser Clark]

I, I would, I scuba dived at the underwater museum in Cancun. Oh, cool. That was a pretty cool.

 

Yeah. All right. Well, let's go ahead and dive into our main discussion.

 

Um, actually, you know what, before we do that, let's talk about, let's talk about your most interesting response to our rapid fire questions and you, let me see your, your, I think the most interesting one that you said, probably on a scale from one to 10, how important is a college degree for cybersecurity career today? And you said five, why did you choose five and yeah, just go ahead and explain like, you know, five's neither here nor there.

 

[Channa Rajaratne]

Yeah. Uh, well my personal experience is that like, I don't have a college degree, right? Yeah.

 

Um, so personal experience, if it were only personal experience, I'd just say zero. It's not important at all. Um, but I know the value of it, that you learn quite a bit through, uh, the years that you can spend in college and get that degree and, and, uh, or university degree.

 

Um, and it's not just what you learn, it's, um, like the connections you make, the people you meet, um, and all of that, right. And obviously at the end of the day, you get a degree that helps you stand apart, stand out from all the other applicants that applied to the same jobs or something like that. So yeah, I can, I can argue to both sides of it, I guess.

 

So I went five.

 

[Kyser Clark]

Yeah. And I just finished my master's degree. I'm not even kidding.

 

Like a week ago. And I haven't even officially got the degree yet. I should be getting it in the next couple of days for my master's degree in cybersecurity management policy.

 

And my thing is, is I don't think it's essential at all. It does. It's, it's kind of a nice to have.

 

[Channa Rajaratne]

It's a nice to have, I think.

 

[Kyser Clark]

And the, the value for, for me was learning how to write. And I, for, from an employer's perspective, if someone has a master's degree or even a bachelor's degree that tells people that this person can follow instructions and they can turn projects in on time and they can complete tasks. That's that's what a college degree is good for, right?

 

Yeah.

 

[Channa Rajaratne]

I think that's my value to it. Sorry to cut you off there, but like the, the value to it, I think also is based on the industry and the degree itself. For cybersecurity specifically, I don't think it's as important as two other industries, right?

 

[Kyser Clark]

Yeah, I totally agree. I wouldn't be, I couldn't have got a pen testing position with just my college degree, right? That's the certifications and the TryHackMe and the Hack The Box.

 

Those technical things is what helped me get in my, my role as a full-time pen tester. And the degree, I don't think there's any degree that's really like by itself is going to help you land a position. I do think the best option is to get a degree and multiple certifications.

 

But if you had, if I had to choose between one or the other, I've definitely learned a lot more from my certifications as far as like the hands-on work goes. And like I said, the degree proves that you can follow instructions and you can complete tasks on time, but it doesn't require, in my opinion, a whole lot of outside the box thinking, right? It's just like, Hey, here's instructions, do what we tell you to do.

 

And there you go. And there's a little bit of creativity in your paper, but I learned that, you know, early on when I was in college, like the more creative I got in my, in my projects, though, I would lose points for that because I kind of set the outside the bounds of the instructions, you know? And then I just learned like, okay, let's follow these instructions to a T and you can't go wrong, you know?

 

So I would say college probably kills the outside the box thinking. And that's why I would highly recommend, you know, certifications in, especially like Hack The Box. Hack The Box is the best way, in my opinion, to think on a good hands-on experience, right?

 

[Channa Rajaratne]

Yeah. I remember when I, I got my offer of admission to a university, like the second biggest university in Canada or whatever. And I thought to myself, you know, do I want to spend the time and the money to go through this and just didn't make sense for me personally.

 

So yeah, I didn't pursue that.

 

[Kyser Clark]

Yeah. And that's another good point. You talk about the finance aspect of it.

 

So I have two degrees because I was in the United States military and I got to the military to pay for my first degree. And then I use my GI bill to pay for the second degree. So I haven't spent a single penny on college at all because of my military service.

 

If it wasn't for the military, then I wouldn't have the degrees that I have. I don't think I would have pursued them. And I typically tell people like, if you're going to pursue a degree, like make sure you can afford it.

 

If you can't afford it, like if you've got to go into debt for it, I don't think it's worth it. If you can afford it, if you can pay for it as you go, then comfortably and you're not like really stretching yourself, then I would say go for it. But if you're stretching yourself as far as your finances go, or you got to go in debt, to me it's not worth it, especially in cybersecurity because certifications are better bang for your buck.

 

[Channa Rajaratne]

Yeah, I agree completely.

 

[Kyser Clark]

Speaking of bang for your buck, so you wanted to talk about the effectiveness of cybersecurity boot camps. So let's talk about boot camps. Do you think they're effective and what are the pros and cons of boot camps and overall do you like the idea of boot camps?

 

Are you a hater or how do you feel about boot camps overall?

 

[Channa Rajaratne]

I think, again, talking through personal experience, I've had extremely good experiences with the boot camps I've done, but it completely depends on what the boot camp is, what you get out of it, how much it costs and all these different things, right? The first kind of entry I got into cybersecurity was after completing a boot camp and getting my GSEC and GCIH certifications and that enabled me to join a company as a security analyst, right? But I've also seen, well, the boot camp I did was heavily subsidized, so I only paid like $500 for two GIACs, which is crazy.

 

That is crazy.

 

[Kyser Clark]

That is pretty crazy. I'm sorry to interrupt you, but those are like $10,000 certificates, you got two for 500?

 

[Channa Rajaratne]

Exactly. So it was heavily subsidized and so that boot camp was extremely great for me and they had not just the certifications also, there was support on how to build your profiles, like your LinkedIn profiles, your career, how to position yourself, how to create your resume and all these different resources all included in that. But I've also seen certification or sorry, boot camps that offer something like the Security+ for like $12,000, right?

 

Those are not worth it at all. That's kind of the opposite end of the spectrum of why they are bad, I guess. But ultimately things like the Security+ or other certifications as well, they're good, but it's not $12,000 worth good, right?

 

So it really depends on what you get out of it. A lot of people really don't also know the different avenues and the different certifications that they can get. So they just join a boot camp and hope that it's the same as all the other boot camps, which they're not.

 

Yeah. So there are two sides to it.

 

[Kyser Clark]

Yeah. And I've made a few blog articles talking about how I'm not a big fan of boot camps, but I never done one. So I can't really not get too much.

 

But just looking at those price tags, I'm like, man, these boot camps are pretty pricey. And that's one of the reasons why I like certifications, because generally speaking, they're pretty affordable. Now there are some like the SANS certs for like $10,000, and those are pretty hard to get.

 

And even OffSec certs, people complain about those because they're like, you know, $1,700 for an OSCP for 90 day lab access. And if you want a year long lab access, you're going to spend well over $2,000 US dollars. And yeah, but generally speaking, I think certifications are more affordable than boot camps.

 

Those price tags are really high. And I just, I've never really recommended to them. So how do you determine if a boot camp is worth it overall, because you said there's good boot camps and bad boot camps, like, how do you determine what's a good or bad boot camp?

 

[Channa Rajaratne]

I think it really depends on A, the cost of it, of course, and B, what you get out of it, right? If you're not really getting something that you can show that you've completed a boot camp or something that is not recognized, then there's no point to if you just get a certificate saying that you've completed some random boot camp, I don't think that's worth it. I mean, if it's super cheap, then maybe but because you can at least get the knowledge out of it.

 

But for the same amount of money, you can probably do something like the CPTS or the PNPT if you're interested in pen testing and things like that, right? Like for me, it was a good entry point to cybersecurity. But to progress within it, I did so many other certifications, kind of self studying for those and not through boot camps, right?

 

So yeah, it's a complicated topic, I guess, but it's ultimately pretty easy of what, how much you spend on it and what you get out of it.

 

[Kyser Clark]

Yeah. And so that boot camp, I don't, did you mention like what boot camp it was by name? Or is it still available?

 

The one that you did?

 

[Channa Rajaratne]

The one I did is, I think it's only for people in Canada. It's called the Rogers Cybersecure Catalyst. That was really good.

 

I don't think they offer the exact same one that I did. Back then, they have a newer one, I don't know the specifics of it to recommend or not recommend it. But yeah, but at the time I did, it was pretty good.

 

And I was heavily subsidized by different, you know, partners and the government and things like that.

 

[Kyser Clark]

Yeah. And it's interesting to hear you have good experience in boot camps, because it was, I don't know, forget the number of episodes, but it was a few episodes ago, someone, one of the guests completely bashed the boot camps. And so it's good to have another perspective.

 

[Channa Rajaratne]

Did they give a reason why?

 

[Kyser Clark]

Mostly because, mostly because they're very expensive. And like you said, you didn't get much out of it. So that's, that was the main reason why.

 

But it sounds like, you know, there are good boot camps out there and I've never made a claim that all boot camps were bad. I say in general, and I haven't really said this on the podcast or my YouTube channel. This is a blog post I wrote a while back, but I just compare it to like, oh, the cost of a certain boot camp, the certs are generally a lot more cheaper.

 

But the big con with the certs is if you're self-studying, right, some people, some people need that mentorship, you know, me, I'm a self-starter, so I can just self-study for certs all day. I don't need a mentor. And some people really, really do need those mentors.

 

In that case, a boot camp might be worth looking into. Yeah, I agree with that. All right, moving on to another topic you want to talk about.

 

So you wanted to compare the CPTS, the OSCP, the PNPT, and the GPEN. And this is a really good discussion because these are, I would say the top four pen testing certifications on the market right now. And I don't see it changing anytime soon.

 

[Channa Rajaratne]

I think most popular, I guess.

 

[Kyser Clark]

Yeah, at least most popular. And out of your list here, I have firsthand experience with the OSCP and the GPEN. Fun fact of the day is I failed the GPEN and the reason why I failed the GPEN is because I didn't study for it because I had, so when I was at the Air Force, the Air Force gives us $4,500 lifetime for certifications.

 

Well, I had, that's how I got a handful of my certifications and I had some money left over. I had enough money to purchase the GPEN voucher, but I didn't have enough money to purchase the training because it's like, it was $9,000 at the time. I'm like, well, I'm not going to pay for the training.

 

And I just finished my OSCP. So I was like, you know what? I'm just going to go into GPEN, see if I can pass it.

 

And actually almost passed it. I got a 70, just over 70%, almost a 71% and you get a 75% to pass. So not too bad for someone who didn't study for it at all.

 

So I do have firsthand experience with that one, but not the training. And then for the PNPT, I have firsthand experience with the training. I'm currently in that training, haven't done the exam yet.

 

OSCP I've done, I passed the exam, so I got training in the exam. And then CPTS, I haven't done that exam either. So I guess my biggest question here is if you had to choose one, like if someone wanted to become a pen tester today, if they had to choose one, which one do you think is the most bang for your buck or maybe not even bang for your buck, but which one is most likely to help them land that job, that first job in pen testing?

 

[Channa Rajaratne]

I think hands down, it's the CPTS, just because of how much you learn in both the course as well as the exam. The exam is the toughest pen testing exam out of the lot that I've done. There are more advanced pen testing certs, of course, but this kind of covers so much kind of initial access, you know, privilege escalation, all of those different things that the others only touch sometimes and also chaining vulnerabilities and chaining different exploits together.

 

CPTS hands down of the lot.

 

[Kyser Clark]

And you would say, would you agree with the notion that CPTS is more difficult than the other three?

 

[Channa Rajaratne]

Yes, I'd say so. I think the only other one that comes close in terms of difficulty is the OSCP, but that's artificially difficult just because of the time constraint and also a limit on the tools that you can use. But the CPTS is proper difficult.

 

It doesn't require, I guess, as much thinking outside the box. No, that's not true. You require everything from the course to do the CPTS, but you don't require or you require more than what you need or what you are provided in the course for the OSCP, right?

 

So it really depends on what course you do for which exam, because the one for the OSCP is not adequate, I'd say, for the OSCP exam itself. You need to kind of supplement with other training and all that.

 

[Kyser Clark]

Yeah, I agree that when I got into OSCP Challenge Labs, like they're recommending me tools. I go to the Discord. Hey, guys, I'm stuck.

 

What else can I try? Here's what I try. What else can I try?

 

And like, did you try this one? I didn't. You didn't tell me about that in the course.

 

I don't want to complain about it. But that's like the first thing I might never heard of this tool. What's what's going on here?

 

So that is that is a fact. And that is one of the biggest complaints of the OSCP. And that's one of the reasons why it's difficult.

 

And I think that's why it's so highly sought after, because it requires you to do additional research. But it's kind of what should be. It should be a crime to like have a certification that that's expensive, where it's like, hey, we don't teach you everything you need to know.

 

[Channa Rajaratne]

Yeah.

 

[Kyser Clark]

So I can understand why people gripe about that. And I like what you said about the OSCP being artificially difficult, because you're right. OSCP machines by themselves are not difficult.

But when you have to do six machines in 24 hours and you can't use ChatGPT and you can't use Metasploit, then, yeah, it gets hard because you're under that strict time constraint. And yeah, you can't use sqlmap. And there's probably a couple of other tools you can't use either.

But overall, like you, you don't have the full arsenal at your disposal in that exam environment, which makes it artificially difficult. Like you said, that's a good way of putting it. With the other certs, so like the PNPT and the GPEN, like where do they stack up in the whole thing?

Do you think all certs are worth it? Like, if you had to choose to pick them all again, would you do it again?

[Channa Rajaratne]

Well, I think each provides a little bit of information and knowledge that sometimes are not in the other. So it's good to have a kind of well-rounded and kind of understand the different attacks and different tools and the different techniques that you can use. Right.

The PNPT is interesting because it's one of the few that you had to do a little bit more OSINT than the other exams. Also, you had to present your report live to somebody at the end just so that they could kind of review and see that you actually did it and you know what you're talking about remediation advice. And that's quite realistic as well in the job, right? And having debrief calls and all those things. So that had value in terms of the different aspects to it.

The GPEN also had some things that weren't covered in the other three. Right. So everything has some sort of a little bit of information that the others do not cover.

But I think overall, Hack the Box Academy has content that covers everything. It's just not maybe in the Pentester pathway, but overall in the other modules and the other things, it just covers everything that I'd probably ever need in one place. Right.

And it's also constantly updated.

[Kyser Clark]

Yeah, that's good to know. And thanks for sharing all that. And from my perspective, as someone who didn't do the GPEN training and I did the GPEN exam, the toughest questions on that exam for me was like they asked me like these like absurd AWS questions.

Like, I'm CompTIA Cloud+ certified, but I don't have an Amazon certification. So they're like asking me. I think it was Amazon. They were definitely related to the cloud. I'm like, dude, I don't know. I definitely probably missed those ones.

And those aren't covered in the OSCP or the PNPT. And for me, my perspective, the PNPT so far, I haven't done the OSINT section, but I do know that the OSINT is part of the exam because it's part of the required course material. And there's a whole course on OSINT.

So I do know about the OSINT stuff, even though I haven't gotten that portion of the training yet. And OSCP doesn't require much, probably no OSINT really. Yeah.

And then another thing with PNPT, I thought the Active Directory section was way better than OSCP, man. The OSCP Active Directory definitely let me down for sure. And I got into the rest.

That's why I wanted it. That's why I got into the PNPT, because I wanted to learn more of the Active Directory stuff that the OSCP just missed the mark on.

[Channa Rajaratne]

Yeah. Just go through the CPTS AD sections. It's so good.

It's tough, but it's amazing. It's next level. And I think they just released a new cert called the CAPE, Certified Active Directory Expert or something like that.

It's supposed to be even tougher. So maybe I'll look into that in a bit.

[Kyser Clark]

Yeah, it's cool because they are making more certifications and boxes, and honestly, I think with time, my prediction is that it's going to be the gold standard OSCP was. And if each company starts going, it keeps going in the direction that they're going, then I think Hack the Box is going to pass them up.

And I think it's worth getting. I want to get the CPTS eventually. Matter of fact, that's after I get the PNPT, that's next on my list, CPTS, because I want to get that Hack the Box cert because everyone who has it is like, yeah, it's like miles better.

People who have the CPTS are like really good pen testers. And that's where I want to be. Actually, my last episode was talking about how to be a great pen tester.

And I talk about soft skills a lot, but yeah, we're going to technical skills, too.

[Channa Rajaratne]

Yeah, I think, I did the CPTS before I did any of the other certs. So it made all the other certs so easy. You know what I mean?

Because the CPTS was so tough.

[Kyser Clark]

Yeah. Yeah. It's pretty interesting.

That's why I'm saving it for last. But no, yeah, I'm saving it for last. I did the OSCP, I did the PNPT and then the CPTS.

And maybe one day if I can get my company to pay for GPEN, I'll take GPEN because I was so close. If I just did a training, you know, I'd probably pass it.

[Channa Rajaratne]

Yeah, the trick with GIAC certs is also that everything you'd ever need is in the course, the SANS course, and it's open book, right? So you can always refer to it. And it's all about creating a good index for it.

[Kyser Clark]

I didn't have the book. I didn't do the training. So what I did was I printed off all of my GitHub notes.

So all my notes I have on GitHub dot com slash KyserClark. I printed that off and I took that in an exam. I took all of my like CompTIA cert books and I had a stack of books that were none of them were SANS books.

They were just all the other certs. I was like, well, there's got to be some overlap here. And I actually didn't refer to them that much at all.

Actually, it was like, man, these questions, although I don't think I'm going to find this question in one of these books, because they call it indexing where you got to index the book. It's like a whole strategy for the, yeah, I'm sure you did it. But I didn't do any of that.

I'm just like, man, by the time I find this, I'm going to be out of exam time. So I didn't even really look at my notes that much.

[Channa Rajaratne]

It's a whole thing, the indexing for GIAC exams, like a lot of people get fancy with it. You know, they put tabs on their books and highlight stuff. I just put everything on Excel, took that sheet with me and my index practically had more answers than the books themselves because I kind of had short notes in my index.

Yeah, it's a whole thing with GIAC exams.

[Kyser Clark]

Yeah, that's good to know. And yeah, that gives me hope if I do take that exam again and I actually read the book and did the course and actually the proper index, I'd probably be passing, getting 70 percent, just going in there raw with like nothing. But that's pretty good, man.

It's pretty good. It is. Yeah.

[Channa Rajaratne]

But the thing also is that you get more. I think I got more value out of the SANS course than I did with the GPEN or whatever. Right.

Because SANS course is really high quality and the way it's taught and the content in it is pretty good. I don't know if it's worth the full price that they charge for it. I got them quite subsidized.

Yeah. But yeah, they're pretty high quality.

[Kyser Clark]

That's what everyone said. Everyone who has this answer, like I've never heard anything bad from it. Everyone's like, I don't understand why it's so expensive, but if you can afford it, or if you get your company to pay for it, totally worth it.

Yeah. All right. Well, unfortunately, we are running out of time, so let's go ahead and do the final question.

Do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share? Anything that we didn't cover that you want to cover for this episode?

[Channa Rajaratne]

I don't know if it's hidden wisdom or even a hot take, but I think a lot of people focus a lot on chasing the new shiny cert and building up their technical skills and learning so much. But they overlook the soft skills and the report writing side of things if they want to get into pentesting, because that's super important as well. And I think that you don't necessarily need to be the best pentester out there, but if you have like this whole different sets of skills and all the other skills to complement your pentesting experience and certs you have, it goes a long way than just chasing all the certs, right?

I think that's just a little bit of tidbits that I have.

[Kyser Clark]

Yeah, that's great advice, and that perfectly aligns with my last episode. So if you guys didn't listen to my last episode and you want to dive more into that, I had an entire almost 40 minute episode. It's the last episode before this one about that.

So check that out if you want to learn more about that. And yeah, I couldn't agree with you more. And I'm not really going to provide any insights because I talked about it in the last episode.

Well, Channa, thank you so much for being here. Where can the audience get a hold of you if they want to connect with you?

[Channa Rajaratne]

Yeah, thank you so much for having me. Everybody can find me on LinkedIn. That's probably the best place to find me.

[Kyser Clark]

And audience, LinkedIn is one of the best places to find me as well. And my website, KyserClark.com. Audience, thank you so much for watching, listening.

If you haven't reviewed the show, if you're on audio on Apple Podcasts and Spotify, give it a five star rating. If you're on YouTube, hit the like button and hit the subscribe button and drop a comment and let me know what your favorite pen testing certs are.

Hope I see you guys in the next episode. Until then, this is Kyser signing off.
