Posted on 2023-03-01 by Nathan Jarvie in Industry
Recently I have encountered a few people in various channels asking about how to approach certifications. Common questions include:
- How/Why do you study?
- Should I do this exam?
- How long will it take me to study for X exam?
- How many attempts did it take you to pass?
- I hear this exam is difficult. How difficult is it?
And other questions that are near impossible to answer in a universally accurate way. I want to address these questions as they are often less helpful than people think.
I like certifications. I know I am weird. I really enjoy the pursuit of new knowledge and skills, and then testing those skills with an exam. Passing a new cert is a great motivator and self-esteem boost. It is not uncommon for me to finish one and start a new one shortly after, leading to the inevitable “Really?! Another one? You just did one!” from my friends, family and colleagues.
But I understand they are not for everyone, and should absolutely not be the method by which people are measured. I’m looking at you, HR people, and your obsession with only hiring people with OSCP!
Obtaining certifications is one of the ways I combat my own imposter syndrome. Working in InfoSec is difficult. There are so many amazingly talented people in this industry that it is hard not to compare yourself to them. So working towards certifications is a way that I can help boost my own confidence in my abilities.
However, once you get a certification, it is not uncommon to get a DM asking about it. Typically these are one of two types:
- Can you help me with my exam? (No)
- How did you do it?
The second is generally a variant of the same questions over and over, and I try to give a helpful answer each time but there really is no way to answer them accurately.
So I have thought about how to answer these questions to help people of any level for any exam. While my answers are generally focused around penetration testing certifications, the information should help for any industry.
How do you study?
I approach my studies in a simple way:
I do what I can, whenever I can do it.
There are a lot of things that can impact your study efforts.
- Time constraints
- Mental energy
- Bad juju
Taking this into account, I believe that a little study every day is better than none at all. Doing 4 hours a night is great but it takes a lot of brain power on top of personal and work commitments. If you can only do 10 minutes, do 10 minutes. If you can do more, do more.
Don’t get me wrong, there are days when I cannot be bothered and would rather play video games; but I often find that if I am tired and in a lazy mood, the hardest part is starting to study. Once I have done a few minutes I am generally able to do more than I thought. Some study is better than no study, and each step you take builds on the last. So let’s say for argument’s sake that you only have a few minutes to study. You have two options:
- Why bother? It’s only a few minutes. What is that going to achieve?
- Some is better than none.
Now consider this little maths comparison:
1.00^365 = 1
1.01^365 = 37.78
A small amount of increase each time will eventually lead to something a lot bigger than not doing anything.
In saying that, I think that if you want to do well in an exam, you have to want it. You have to decide in your own mind that this is something you want to do and achieve. Doing a certification course of any kind because your boss wants you to or because you feel like you have to is going to end poorly. So choose a certification that interests you and aligns with your goals.
Should I do this certification?
No one wants to spend months studying for a certification that will give them no benefit. It is also a common mistake that people place a lot of focus on the certification itself and not the skills taught along the way. So when people ask if they should take a course I have completed, my answer is always:
If the course content aligns with your personal or professional goals.
While obtaining a certification is a great way to advertise skills you have acquired, your focus as the student should always be on the course content, and whether that content will help you to achieve your goals.
Consider why you would want to do a certification in the first place.
- To get into the industry
- To get past the resume gatekeepers
- To upskill in a particular topic or area of expertise
- To complement a different skill set
Once you have determined WHY you want to do a certification, the next question is which one. The market is saturated with offerings, from courses that are free or cost only a few dollars (such as LinkedIn or Udemy), to major course providers (like OffSec and SANS) which charge in the thousands for their content, and everything in between. Each one is going to have a great blurb on why their course is amazing, trying to separate your wallet from its contents.
So where should you spend your money?
We first need to break down our goals and look for certifications that help us to achieve them. This involves research, which takes time. Time no one wants to spend. It is not uncommon for people to skip this step, jump on Twitter or Discord and just spam everyone with “What course should I do?”. But what this shows is a lack of effort on your part and blind trust in the opinions of strangers who have no idea of your goals. Ever wondered why all advertisements for insurance end with “This advice is general and may not take your personal situation into account, please read the PDS….”? Because there is no universally correct answer.
Researching a certification takes some effort but can be the difference between a great sense of achievement and career progression, or a huge letdown. I have made this mistake before, multiple times, and I have the useless certifications to prove it.
Researching the course syllabus is an excellent starting point. It will list the topics covered in the course and provide a valuable basis from which you can make a decision on whether to research it further or discard it.
If it looks like it’s the right one for you, the next step is reading community blogs (like this one), certification reviews, videos, Twitter and LinkedIn posts, etc. about it by people who passed. These are great resources to find information that you can relate to your goals.
- Do the people who have this certification work in the role you are aiming for?
- Did they review the certification favourably?
- Did they learn something from it, even though they are experienced?
- Does the certification have any value in the community?
Lesser known certifications are not necessarily less valuable. It is true that you may have to work a little harder to explain to a recruiter that they are valuable, but they may cover the content in a way that is better suited to you and your learning style, which will ultimately lead to better results for you.
Lastly, you need to evaluate whether the course content is targeted at your level of knowledge and skill. There is no point going directly for the highest level certification if you are just starting out in the industry. Be honest with yourself about your skills and knowledge. Sometimes taking multiple certifications at the same level can be hugely beneficial. The content may have a lot of overlap but the way the topic is described in one course may be better suited to your learning style than another. It can also help to reinforce those skills.
So now you have your study/work ethic and you have researched and picked your certification. You’re ready to start but…
How long will it take me?
The best and most accurate answer here is:
As long as it takes for you personally to understand the content in its entirety.
Comparing yourself to others just leads to problems and disappointment. Setting your own timelines, goals, and milestones is the best way to approach new content.
As a general rule, certification providers will provide a syllabus of the content covered in their course. Reading over this syllabus and comparing it with your own experience and knowledge is the key to determining an approximate time budget. This will work a lot better for you than thinking “Well Alice and Bob did it in 2-3 months so I need to do that too or I am too slow”.
As a hypothetical example:
A course claims to have approximately 50 hours of video content. If you add in the time it will take you to:
- Pause the video and take notes
- Go back and edit those notes because you paused too early and missed something critical that now makes the topic make sense
- Practice the skills - Challenges, quizzes, relevant content (like HackTheBox or TryHackMe)
- Additional study of concepts you don’t understand - Blogs, whitepapers, tools, etc
Then a 50-hour course is more like 100-130 hours of work for most people. So how long would it take you to get through 130 hours of content? 2 weeks? 6 months?
Now consider that some people:
- Can study 8-10 hours a day where others may only get 1 hour a day at best due to work/life commitments
- Learn in different ways and take more or less time to understand content
- Are already in the industry or have real world experience they can use
- Have an established support network or study group they can use to get more help
- Have completed similar certifications previously
- Are exceptionally skilled or even over qualified
There are so many variables to consider when asking this question that you cannot ever really get an accurate answer.
There are people who take over 6 months to be ready for an exam and others who have skipped the training and just done the exam and passed. You might think that 6 months is too long but comparing yourself to the latter does not help you to succeed either.
Generally, I budget 2-3 months per certification, but that is not a hard and fast rule. My last one took me 7 months. Not because I didn’t understand it but because life and work got in the way leaving long periods with little or no study. When I did get time to study I had to backtrack a lot. I will admit that I was disappointed that it took me so long but I kept working at it when I had the time and in the end, I did get the cert and I enjoyed the course immensely, and that’s all that matters.
How many attempts does it take to pass?
Let’s answer this one straight away:
It takes as many attempts as is required for you to overcome your own challenges.
Like asking how long it takes to study for the exam, everyone is different and deals with the pressure of exams differently. Certification exams are designed to test your knowledge and mastery of the course materials. While some will make you reach a bit outside of the course, or make you find creative ways to use the skills that were covered, they will all be tied to the content in the course.
The most important thing to remember is that once you have the cert, no one cares how many attempts it took you to get it. The fact that you got your certification after 6 attempts does not make it any less valuable than someone who got it first try; or if it took you a year when someone else got it in a week. It is only bragging and does not help anyone. This is a major reason why OffSec do not release their statistics on Pass/Fail rates. Whether this helps or hinders the industry is up for debate but the point is, once you have the cert it doesn’t matter how long it took you to get it.
I have friends who have attempted OSCP 4+ times before succeeding. Others who have not passed at all after multiple attempts. They are professional pentesters and are very, very good at their job. So the number of attempts people take to get through a certification is no real indication of how skilled someone is, or how much they understand the content. Just bragging.
However, there is a difference between a student who has taken a certification exam multiple times and learned something each time that helps them become better at that subject, and someone who just wants the certification but doesn’t really care how they get it. The latter are a problem for any industry. Not only do they damage the integrity of the certification by diluting its value, they also do themselves a disservice as they will inevitably be caught out later when queried on the topics.
So long as you come out of each attempt thinking “Well I didn’t get it this time but I know what I need to work on to get there next time” you are doing fine. Take as many attempts as you need. This is part of the reason that hints (read: feedback) were re-introduced into the PNPT exam recently.
But if a student thinks “Ahh screw it, if I fail, they will give me a hint and I can just use hints until I pass” then no one wins.
I find self-reflection on how I missed something is more important than what I missed. This is a lesson that those who pay-to-win (or Pay Harder) never learn.
The difference is attitude and self respect.
Is it difficult?
Another difficult question, but one worth discussing. Here is my answer before I go into why.
Most exams are not artificially difficult, but people tend to overthink and overcomplicate when under pressure so it may feel more difficult than it was.
I find that when I look back on an exam I have passed, it is always obvious that there was a simpler route. Hindsight is annoying that way. But it does show why people who passed will mostly say “Look just don’t overthink it and you will be fine”. What they don’t add in is “Don’t overthink it like I did…”
When I don’t have a great exam experience, reflection on where I went wrong is normally the best course of action.
Most exam takers overcomplicate the tasks instead of thinking “What did I learn in the course and how can it apply here?”. For most certifications, all the knowledge and skills you need to pass are in the coursework. There are notable exceptions to this rule (I am talking about you OSCP…), but if you are trying a technique they didn’t mention, you are probably out of bounds. Keep it simple.
The main problem is that you often cannot copy/paste straight from the coursework, and people don’t spend enough time before their exam testing and modifying their techniques, thoughts or tools (e.g. applying the correct year to their wordlists when password spraying or brute forcing) and just expect it to work. Understanding how to make these changes is not something you want to be learning while in the exam environment.
When overthinking and exam pressures combine it can lead to mental blocks that are impossible to get out of. Ensuring you have great notes, are well rested, and take your time will make the situation easier for you. If the exam permits, take breaks, go for a walk, and come back to try again with a fresh head and clear eyes.
However, it is still common to hear “This exam is so difficult it needs to be fixed” when people fail. When students read these comments it’s hard not to feel disheartened which leads to not trusting their own abilities and skill, and instead falling back to “I hear it’s hard so I don’t want to do it”. Exams are supposed to be challenging. They are not testing whether you can read and copy/paste; they are testing your full understanding of the topics including how you may use them creatively.
Naturally, where there is an exam there are cheaters. People who either don’t care or are so stuck they look for a different avenue, any avenue, to pass. The problem is that exam leaks (or brain dumps or exam dumps) are often out of date or incorrect. Out of curiosity I recently checked the exam dumps for a CompTIA exam I completed a long time ago and most, if not all, of the answers were completely incorrect or misleading. Worse still are the people who make it obvious they are cheating. This is evident from the number of people being caught out by sending DMs to certificate holders or emails to support mid-exam saying “I know the password for userX should be (insert password from 6 months ago here) but it’s not working”, then getting upset when no one gives them the answer they want.
When people overthink due to exam pressures and cheating doesn’t work, the answer must be that the exam is too hard. But it’s not true. The old mantra of Keep It Simple Stupid (KISS) is still accurate and should be kept in mind throughout the process.
Trust yourself and do not listen to people who complain the exam is too hard. Look to the people who passed it and what advice they have to offer. It is generally going to be the same:
- Enumerate (for pentesters)
- Don’t overthink
- Check your notes
- Check the coursework
- Stay within the bounds of the course
- Seriously, don’t overthink it
If you do fail, take the opportunity to review the notes you made during the exam, and outputs you saved, and see if there is anything that jumps out now that the pressure is off. Then you may put yourself in a better position for your next attempt.
If you take anything away from this blog, I really hope that it is this:
Your journey is your own. Comparing yourself to others will never help you to grow. Just enjoy the experience and take it one step at a time. Be proud of what you achieve on the way.
Certifications aren’t for everyone, but for those who pursue them (or collect them like Pokémon) take the time to enjoy the experience and reflect on what you learn while doing it.
About the author
Nathan is a certification addict, he can’t stop and it’s becoming a problem. We can’t talk to him about it directly but consider this a call for help.