GPEN Certification

Introduction:

I'm excited to share a recent milestone in my cybersecurity career: I've earned the GPEN certification! For those unfamiliar with GPEN, it stands for "GIAC Penetration Tester" and is a certification that focuses on the skills required to conduct penetration tests. While yes, I have the OSCP as well, I wanted to get the GPEN in addition. While there's some overlap between GPEN and OSCP, both certifications have unique strengths. The OSCP's hands-on approach gave me practical skills and confidence in real-world penetration testing scenarios. On the other hand, GPEN provided a broader understanding of vulnerabilities and reinforced my theoretical knowledge. Together, they've given me a comprehensive skill set in penetration testing.

Studying Techniques

My studying methodology includes watching every single video the course has to offer. I do this section by section, and at the end of each section I go back through the videos and follow along while doing the labs to ensure that I understand what the instructor is demonstrating. After all of the sections are completed, I will then go and try to take a practice exam completely from memory. This means no notes, no internet searches, no books, just my brain and the practice test. From there I will gauge what I need to work on for my memory's sake. I will give myself another week or two to review my weak areas and then I will take the second practice exam approximately one week before my scheduled exam. I then study up what I'm weak on again, and then try the exam.

Forgoing the Traditional Index and Trusting My Memory:

A popular strategy among GPEN aspirants is creating an extensive index to quickly reference during the open-book exam. While I see the value in this method, I took a different route for my preparation.

Why I Skipped the Index:

  1. Confidence in Class Content Retention: The lessons and material from the class had resonated deeply with me. I felt a strong sense of familiarity with the topics and believed in my ability to recall essential details during the test.

  2. Intuitive Learning: Rather than relying on an external reference, I aimed to internalize the content. This helped me build an innate sense of understanding, where I could approach questions more instinctively.

  3. Memory Reinforcement through Practice Tests: Instead of spending hours indexing, I channeled my energy into taking practice tests. Each practice session was a testament to my memory and understanding of the content. It helped me identify areas of strength and weakness, enabling targeted revision.

The Outcome:

Relying solely on memory was undoubtedly a gamble, but it was a calculated one. The practice tests were instrumental in reinforcing my confidence. Every correct answer on these tests bolstered my belief in my approach, and every mistake was an opportunity to revisit and solidify my understanding.

Would I Recommend This Approach?:

Every learner is different. While my method worked for me, it might not suit everyone. If you're someone who trusts their memory and can recall information under pressure, this approach might resonate with you. However, if you find comfort in having a structured reference during exams, the traditional indexing method is invaluable. My personal opinion in this concept is that you would be more likely to brain dump everything from this exam if you're just relying on the books and an index. Technically, if your index is good enough, you wouldn't even need to do labs, watch videos, etc., to pass the exam. I'm deeply dedicated to learning as much as I can in this area and wanted to be sure I could replicate everything that was shown.

Test Day

I like to schedule my exams around 11 AM in my local time. The reason for this is because it allows me time to sleep in a bit, and once I wake up, I'm not rushed into trying to get my computer situated and logging in for the exam. I can take my time, get a good breakfast, and take my time getting everything ready.

Once I sat down for this test, the nerves started hitting me, but due to my study methods, and knowing I could use the books, I knew there was no way for me to fail as I KNEW the material. I logged in and got started with the proctor. I had to show my IDs, scan the room, show them where my phone was located, show under the desk, and then show them that I was only using one monitor with a mirror. Once I was done with that I read some terms and conditions and started my test.

The questions, while they weren't too terribly difficult for me personally, were much different than what I was expecting. I can't go into detail of specifics, but some of the questions were quite challenging and while I had the correct answer, I used my books to confirm that I had the correct answer. I didn't rush the exam. I try to use up almost all of the time I have. Even if I knew the answer immediately, I would still double check the answer and use process of elimination as well as looking at the book to ensure that it was not a trick question, or that I was reading it incorrectly. I finished the exam with about 15 minutes left on my timer. The next screen showed me my score and I was ecstatic to see "PASSED" on that page!

Overall I didn't think the exam was too terribly difficult, but the journey did teach me quite a bit of new concepts, new tricks, and new attack vectors that my previous certifications have not shown me. The instructor, Tim Medin, was amazing and was very easy to follow and listen to. I'm sure some people will ask the classic question of OSCP or GPEN? If you're having to pay out of pocket, or you want a lot of hands-on to learn how to hack, then choose OSCP. If someone else is paying for it and you learn better from classroom work and less labs, then go with GPEN. Both have their own unique approaches.

Onto the next cert for me, which will be GCPN (GIAC Cloud Penetration Tester). I'm looking forward to it!

-Sam
