Zero to Fake Hero

Real talk:

Let me start off by ripping off the metaphorical band-aid: There is no 'Zero-to-Hero' course, pathway, workshop, or anything similar, and there never will be, so stop looking.

Today's predatory marketing uses the idea of a magical key to get your foot in the industry door, only to leave you to fend for yourself once your time is up. I know it sounds appealing to think that some company offers "The last cyber course you will ever need" or "Zero to hero: pass this mega cert in 1.5 hours", but it's all just about the money in the end.

Now, let's not start boycotting all trainers, as there are some solid companies out there. For example, TCM, Zero Point, and Breakdev are, in my opinion, student-friendly companies. If you're just breaking into the industry and want to dip your toes in the water, I highly recommend checking out TCM, as they are very beginner-friendly overall.

The Lone wanderer:

Now that we've addressed the elephant, let's focus on today's post. I'll outline the beginning of my journey and provide brief reviews of some items I completed before starting my TCM journey.

☠️
Please note that these reviews will be quite simplistic, as the versions of the courses I took are no longer available, and these exams were completed quite some time ago.

The first step:

In the year 2022, I was down on my luck and knew I needed to make a change soon, or I would end up living on the streets. I remembered a company where I had done some non-cyber training that also offered a cyber program, so I thought, 'Why not give it a shot?' The course lasted five weeks and served as a primer for CompTIA exams. The material was great and engaging, and they even provided laptops, which helped a lot.

From this experience and conversations with the instructors, I learned about something called pentesting, which sparked my interest because the idea of legally hacking fascinated me. This was the moment I realized I wanted to pursue this path, but I knew I needed to build a solid foundation first.

A rocky start:

After completing the course, I immediately pursued my A+ certification to establish foundational skills. I took Part 1 of the A+ exam while still in the course; I failed the first attempt but passed on the second try. With no one pushing me but myself, I dedicated 8-10 hours a day to studying and developing my methodology, ensuring I would be well-prepared for the exam.

This rigorous routine paid off, as just two weeks after passing Part 1 of the A+, I successfully passed Part 2, officially becoming A+ certified.

My brief review:
The A+ certification is an excellent entry-level certification for those starting with zero knowledge. However, the material can feel cumbersome at times. Nevertheless, I still find myself using some of the concepts from this certification today. I highly recommend it for anyone without prior experience.

Where is the safety Net?

Riding the wave of success from the A+ certification, I used the momentum and study habits I developed to tackle the Network+ certification. I dedicated 8-10 hours every day to studying this material, with subnetting proving to be particularly challenging and time-consuming to grasp.

About three weeks into my studies, I attempted the exam but unfortunately failed by 15 points. It was disappointing, but I knew I was close. I returned to studying diligently and scheduled a retake for one week later. On my second attempt, I passed with plenty of points to spare, thankfully.

My brief review:
In my opinion, the Network+ certification was challenging, and it's important to have a solid understanding before attempting the exam. I view it as an essential foundation for long-term success.

Just wait a Sec.

After the humbling experience with Network+, I immediately started studying for the Security+ certification. I maintained my daily study habit while also dedicating time to sending out resumes and trying to break into the industry.

I took extra time to prepare for this exam and scheduled it just before Christmas to ensure the holiday wouldn't disrupt my study routine. I sat for the exam early in the morning and fortunately passed on my first attempt with a comfortable margin. This success marked a pivotal moment for me, validating the knowledge and hard work I had put in.

My brief review:
The Security+ course and exam are excellent holistically. The ideas and concepts covered are highly relevant to the real world and have practical applications I use daily. I strongly recommend it to everyone, as even if you don't plan to take the exam, it provides invaluable insight into the realm of cybersecurity.

A CySA cake.

After the holidays, I decided to get back on track and started studying for CySA+. I was in the late stages of an interview for a company, and whenever I wasn't preparing for that, I was studying. Fortunately, I landed the cybersecurity job I was interviewing for while studying.

Knowing my study time would be limited once I started the new job, I intensified my preparations to take the exam before my first day. During my on-the-job training phase, I took the exam one weekend and fortunately passed on my first attempt without any issues.

My brief review:
The CySA+ course and exam are highly focused on blue team operations. However, it felt overly focused on Governance, Risk, and Compliance (GRC) aspects, which detracted from its practical utility in my view. While I use a few basic concepts from the course, they are not as prevalent in my daily work compared to Security+. I recommend CySA+ specifically for GRC-oriented blue team professionals.

Pentest or testing pen?

I took a brief break from intense studying after starting my new job, wanting to establish myself without distractions. It wasn't until about four months later that I resumed my studies, knowing my passion was still in offensive cybersecurity.

Due to work commitments, I could only study for 4-5 hours after work each day at best. Despite this limitation, I persisted and reached a point where I felt ready to attempt the exam.

On a weekend off, I scheduled my test for nighttime and gave it my best effort. Unfortunately, I missed my mark by 7 points. It was disappointing, but I immediately scheduled a retest for the next morning, knowing it was a bold move that could trigger a cooldown period if I failed again.

The next morning, I passed the exam and became Pentest+ certified. This marked the conclusion of my CompTIA journey for the time being.

My brief review:
Pentest+ was a fun course that I thoroughly enjoyed. However, in hindsight, it feels somewhat limited and falls into the common trap of expecting answers to align with their specific perspective rather than promoting a holistic methodology.

I recommend this course for individuals seeking knowledge in the offensive realm.

I Challenge you eJPT!

After passing Pentest+, I decided it was time to gain practical hands-on experience. After some research, I opted for the eJPTv1 as a great starting point—a practical exam that struck a balance between full practical assessments and multiple-choice exams.

The material was concise, and I completed it in about two weeks. After another week of review, I decided to take the exam on a whim. From what I recall, I had 48 hours to answer 15 out of 20 questions correctly. By the 24-hour mark, I had accumulated enough points to pass and submitted my answers, officially passing my first practical exam.

My brief review:
The eJPT was incredibly enjoyable and provided a fantastic beginner exam to build confidence. However, it may give a false sense of knowledge because the exam is quite easy, which could potentially set people up for failure.

Conclusion:

This is simply my journey leading up to challenging the PNPT, which I consider my official first step in my offensive security journey. I hope my pathway and brief reviews provide insight into what can be expected when entering the industry.