![[cert_header.png]]
# my it certs - tips and tricks
I've collected a handful of certifications over the years, and I get asked often enough which ones matter and how to approach them that it made sense to put my honest take in one place. This isn't a list of study schedules to copy. It's what I actually think about each cert's value and the specific things that helped me pass, pulled from my own experience taking them.
A few things up front, because they apply to almost everything below.
Certs open doors and they force you to learn fundamentals. That's what they're good for. They are not the job, and passing one does not make you good at the work. Treat them as a starting point, not a finish line.
My study approach has been roughly the same for every exam, and it's simple. I take handwritten notes, because writing things down helps me retain them far better than typing into a doc. I drive everything off the official exam objectives, and before I sit a test I make sure I can actually explain every objective on the list. And I don't waste time memorizing things that aren't on the objectives. Several of the practice resources I used were guilty of burying you in obscure trivia that never shows up on the actual exam, and chasing that stuff is a good way to feel busy without getting closer to passing.
One note on ordering. I did not take these in the conventional order, so don't take the sequence below as a recommended path. I took Security+ first while still in school, picked up CySA+ and PenTest+ next, went back for Network+ later mostly because I figured it'd be easy, and got into GIAC and CISSP once I had real experience behind me. I'll point out where order actually matters as I go.
---
## Security+
My first industry cert, taken with under a year of general IT experience while I was still in university. If you're already working in the field you won't need to study nearly as long as I did.
**Worth it?** Yes, unreservedly, as a starting point. Security+ is the baseline cert for getting into security, it's widely recognized, and in a lot of environments (government and defense especially) it's a hard requirement. If you're breaking in, this is the one to get first.
**What it actually tests:** Don't let the memorization fool you into thinking it's a flashcard exam. You're expected to take what you've memorized and apply it to scenarios, identifying an attack from a log or a situation rather than just reciting a definition. Specific things worth knowing cold: every malware and attack type in the objectives and how to tell them apart, the difference between hashing and encryption and which algorithms and protocols are deprecated, access control schemes (be able to differentiate MAC from ABAC and the rest), and your authentication protocols, including which one is preferred in a given scenario. Taking Network+ first will help here since it grounds you in the networking and encryption basics, but it isn't required.
---
## CySA+
A blue-team-focused cert I took with around a year and a half of IT experience, after Security+.
**Worth it?** It's a reasonable step up from Security+ if you're aiming at analyst or defensive roles, and the skills it pushes you toward are genuinely the right ones for that work. Worth it for the target audience, less essential if you're heading toward offensive or non-analyst roles.
**What it actually tests:** This exam lives and dies on log interpretation. There are roughly two dozen questions where you're handed a log from a firewall, IDS/IPS, web server, or similar, plus a scenario, and you have to make a determination. Know how to spot a brute force attack, a port scan, and the other common patterns on sight. More broadly, you need a real blue-team mindset, the ability to look at an alert and reach your own conclusion about what's happening. Threat and vulnerability management made up the bulk of my exam, even more than I expected going in, so be strong there. And know every tool in the objectives well enough to reason about it if it shows up in a question.
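To make the log-interpretation skill described above concrete, here is an added example (not the author's code, and not exam material): a small Python triage script run over constructed firewall and sshd log lines that flags the two patterns named above, a port scan (one source denied on many distinct ports) and a brute-force login (many failures from one source, with a later success as the case to escalate). The log formats, thresholds, host names and addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample logs (not captured from any real system); TEST-NET addresses only.
# Firewall: 203.0.113.7 is denied on 12 distinct ports of one host within seconds (scan-shaped),
# while 203.0.113.9 just keeps retrying a single blocked port (noisy, but not a scan).
FIREWALL_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} DENY src=203.0.113.7 dst=198.51.100.5 dport={p}"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + [f"2024-05-01T10:01:{i:02d} DENY src=203.0.113.9 dst=198.51.100.5 dport=8080" for i in range(4)]
)
# sshd: 203.0.113.20 fails eight times against "admin" and then gets in (brute force that worked);
# alice mistypes her password twice and then logs in normally (benign).
AUTH_LOG = "\n".join(
    [f"May  1 10:02:{i:02d} host sshd[100]: Failed password for admin from 203.0.113.20 port 5{i:04d} ssh2"
     for i in range(8)]
    + ["May  1 10:02:08 host sshd[100]: Accepted password for admin from 203.0.113.20 port 50008 ssh2",
       "May  1 10:03:00 host sshd[101]: Failed password for alice from 192.0.2.10 port 50100 ssh2",
       "May  1 10:03:05 host sshd[101]: Failed password for alice from 192.0.2.10 port 50101 ssh2",
       "May  1 10:03:10 host sshd[101]: Accepted password for alice from 192.0.2.10 port 50102 ssh2"]
)

FW_RE = re.compile(r"DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def detect_port_scans(log, min_ports=10):
    """Sources denied on >= min_ports distinct destination ports -> {src: sorted ports}."""
    ports = defaultdict(set)
    for m in FW_RE.finditer(log):
        ports[m["src"]].add(int(m["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def detect_brute_force(log, min_failures=5):
    """(src, user) pairs with >= min_failures failed logins -> {(src, user): (failures, later_success)}.
    later_success is the case to escalate: the guessing may have produced a valid login."""
    fails, success_after = defaultdict(int), defaultdict(bool)
    for m in AUTH_RE.finditer(log):
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            fails[key] += 1
        elif fails[key]:          # a success only counts once failures have been seen
            success_after[key] = True
    return {k: (n, success_after[k]) for k, n in fails.items() if n >= min_failures}

def triage(firewall_log=FIREWALL_LOG, auth_log=AUTH_LOG):
    """Reduce both logs to the determinations a CySA+ scenario asks for."""
    return {"port_scan": detect_port_scans(firewall_log), "brute_force": detect_brute_force(auth_log)}
```

Lowering `min_failures` to 2 also surfaces alice's two typos, which is the false-positive trade-off the threshold controls.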
---
## PenTest+
The offensive counterpart to CySA+, and the CompTIA exam I scored highest on. Taken after Network+, Security+, and CySA+, originally in early 2020 and renewed since.
**Worth it?** If you want a structured introduction to offensive security methodology and a cert to show for it, it does the job. Like the others it's a fundamentals cert, not proof you can pentest, but the methodology focus is solid.
**What it actually tests:** Like CySA+, a large portion is scenario-driven: you're dropped into a pentest in progress and asked what you'd do next. ("You compromised a host, you hit X problem trying to pivot, what's your next step?") A strong grasp of offensive methodology matters more than rote knowledge. Specific things that helped: know Python and Bash well enough to read them (I saw no Ruby and one PowerShell question; just be able to tell them apart), know your major Nmap flags cold (-sS, -sT, -O, -A, -p-, --script and a few others), and be ready to spot and remediate browser vulnerabilities for the performance-based questions. The best preparation that isn't strictly exam material: CTFs. Spinning up vulnerable boxes on HackTheBox, TryHackMe, or VulnHub builds the offensive mindset the exam is really testing better than any practice question can.
---
## Network+
I took this one out of order, after Security+ and CySA+, mostly because I assumed it would be easy. It was.
**Worth it?** This is the honest one. If you're already past it skill-wise, Network+ is more of a resume line than a learning experience. That said, for someone genuinely starting out, the networking fundamentals it teaches are the foundation everything else in security sits on, and getting them solid early pays off. So: very worth it as a true entry point, more of a box-check if you're already working.
**What it actually tests:** Pure networking fundamentals. Know the wireless standards and how they differ (802.11a/b/g/n/etc.), know your cabling cold (the CAT categories and their standards, single-mode vs. multi-mode fiber and the connectors), and know DNS and all the record types. Understand the OSI model layer by layer, not necessarily every detail but the distinctions. Know the major ports (FTP, SSH, Telnet, SMTP, HTTP, HTTPS) without over-memorizing the obscure ones. Subnetting isn't strictly required but it's easy to learn and helps, so learn it.
---
## GPEN (GIAC Penetration Tester)
My first GIAC cert, taken about five years into the field, right after I'd built up real experience. I used the SANS on-demand training and lab environment.
**Worth it?** Yes, with one big caveat: cost. SANS training plus the GIAC exam is expensive enough to give you pause. If your employer will cover or reimburse it, I'd absolutely recommend it for anyone wanting to get into offensive work. Paying out of pocket is a much harder call. The course is genuinely deep, though if you already have solid practical experience, a fair amount of it will be review.
**What it actually tests, and how to pass it:** GIAC exams are open book, which changes everything about how you prepare. The answers are always in your materials, even when they're not stated outright, so your index is the single most important thing you build. Use Voltaire to build it rather than doing it by hand; it's the best tool for the job and took me about a week and a half. A few other things that helped: take detailed notes on whatever you're least familiar with (for me that was Azure), snapshot your Slingshot and Windows VMs clean before the labs since you'll run them at least twice, and take the practice tests under real exam conditions. I rented a study room at my library and sat them like the real thing, once without my index and once with it.
---
## CISSP
The big one, taken around five years in, right after GPEN. I studied with the Official Study Guide, Destination Certification, and "How to Think Like a Manager," and I also fed PDFs of the OSG and other guides into an AI tool to generate flashcards and quick domain-specific quizzes I could run whenever I had downtime.
**Was it worth it?** The short answer is no; the long answer is that it's a little bit hard to say. The valuable half is real: it's still a strong HR filter, it carries weight in government and defense work, and the sheer breadth forces you to learn domains you'd otherwise never touch. The oversold half is also real. It's lost some of the prestige it carried five or ten years ago, it's not a technical cert and is clearly built for management-track roles, and the coverage is broad but shallow. If you're chasing it expecting it to make you a better hands-on practitioner, that's not what it's for. If you understand it as a career and breadth credential, it's worth having.
**What it actually tests:** Yes, the "think like a manager" advice is real: you should answer from a risk-management, protect-the-business, follow-policy perspective rather than the most technically aggressive option. But it's overstated as a shortcut. The questions are genuinely tricky and demand nuanced thinking, not just a reflexive "pick the manager answer." On mechanics: the exam is computer-adaptive and can end at 100 questions, which is normal and not a bad sign; mine ended there with about 70 minutes to spare. Ignore the rigid "90 seconds per question" advice. In practice some questions took me 30 seconds and others had me re-reading and deliberating for four or five minutes, and that's fine. On the AI study tool: it was a supplement, not a primary resource, but a genuinely useful one. Being able to pull up quick quizzes or have it summarize a domain I was weak on while I was bored somewhere added up over time.
---
## my honest thoughts
If there's a theme across all of this, it's that certs got me in the door and taught me the vocabulary, but the analyst years taught me more than any exam did. Every cert on this page was worth something, but none of them is a substitute for actually doing the work, breaking things, reading logs, building detections, and sitting with problems until they make sense. Get the certs you need to get hired and to force yourself through the fundamentals. Then go do the work, because that's where you actually become good at this.