Bootcamps for cybersecurity?

Now, this is just gonna be a quick vent about something I heard today. It is for all the folks just starting out in cybersecurity, and it seems to be endemic to the US. The thing I'm talking about is bootcamps.

I have never attended a bootcamp; I have only taken specific courses (Active Directory) or on-demand courses (OSWP). The AD course was actually labelled a "bootcamp", but I thought that was just a general term for getting from zero to something in a specific skill. I heard loads about "Python bootcamps," "Hacking bootcamps," basically [INSERT_NAME] bootcamp. And all was well.

My biggest issues with these courses

As someone who does not earn a US salary, I have to explain the following: an average person from my part of the world makes roughly $21K a year. Back in 2019, the average wage in the US was $65K. This means that if I were making US average pay, I would be living very well in my country. And before you say "Oh, but you're in IT, you gotta make loads more than average!" I have to say this: I make more than average… by $3,000.

Knowing that, you might see my biggest issue with these courses: they are fucking expensive on my salary. I had to save up for months to get the OSWP wireless hacking certificate, a course I was well prepared for (as many of my neighbours can confirm). At that point, the cert was basically a $450 badge to show I know what I'm doing. Still, it was not a negligible amount of money.

Knowing this, let’s jump into the meat of things…

Bootcamps in the US: An awakening

Today I learned that bootcamps are a big thing in the US: plenty of companies/groups provide training for people who want to "start out" in a certain field, be it coding, security, or something like project management (looking at you, Six Sigma). These courses vary in price and popularity, but none of them come cheap. I thought the price would be in the hundreds of dollars, maybe a thousand (at that tier, sexual favours should be included). However, what I heard today was that these courses can run as high as $9,000. No, I did not press zero one too many times: nine thousand.

And I thought I was paying too much! Hell, I thought my company was charging too much! And these are not prices per group of 10-20 people; that is per person. I'm not going to question the quality of these courses, since they may be really nice for the money (1-on-1 coaching, 24/7 support, etc.). Generally, though, I believe there is a lot more you can get for that kind of money.

Consider the following: a bootcamp may give you a nice certificate of completion, but with all the groups out there, what chance do you have that you come into an interview, mention the bootcamp, and the interviewers go: "Oh yeah, I know that one!"

Yeah, not a high chance. Compare that to something like Offensive Security, where the price is also higher than I'd like ($2,500 for a year's subscription), but you get access to labs and course material, and having OS-ANYTHING on your resume will push you a lot further, since it's so well known.

Story from my first interview

I got my OSWP. WiFi-specific, not much more. Sure, it taught me specifics about MAC addresses and IP addresses, but I didn't think much of it with regard to general security. Sure, I had something, but it was, I thought, "only WiFi."

A few months after that, I got an interview for a SOC analyst position. Couldn't be further from the cert I got, I thought. Oh boy, how wrong I was!

The conversation went something like this:

“Okay, you’re going to university. What are you studying?”
“IT”
“Okay, cool.” (They were not impressed, even when I explained what I was doing there)
“Oh, I see in your resume that you got an OSWP. Who paid for that?”
“I did, out of my pocket” (I was an English teacher at the time)
“Okay, cool!”

Following that answer, they took their questionnaires and crossed out something like half the questions. Studying at a university meant almost nothing, but something as small as the OSWP cut my interview time in half.

Why was that?

Why do we get certs?

Certifications and courses are useful in several ways:

  1. We get specific knowledge on a subject (be it WiFi, networks, programming, etc.)
  2. We keep that knowledge (if your employer pays for a course, consider it a work bonus, since the cert is in your name and stays with you)
  3. Every interviewer can look up what the certification is about, and the syllabus will tell them what skills you had to develop to obtain it.

Bootcamps get two of these right: you gain knowledge and keep it with you forever (unless it's a shitty course and/or you get a lobotomy). The third part, however, can be tricky: the syllabus may be vague or not accessible unless you enroll. In that case, no interviewer will know what the course entails unless they enroll themselves and check it out.

Back to the question: let us assume I have $5,000 to burn (a big saving in my parts, might be pocket money for you). What can we do with it to maximize our efforts? Most of what I list here can apply to you; however, if you don't have the money to spend (or don't want to), there are multiple other ways to go.

Sources to learn cybersecurity

Let's start with the basics. Let us assume you're someone with an average salary, maybe a job where you have lulls (I was lucky to have a teaching job, since I had afternoons off). Let's also assume you have basic computing skills.

Where I would have (and should have) started is the following:

TryHackMe - honestly one of the best free sources. You get walkthrough rooms and CTF boxes, so you can either learn (with hand-holding, step by step), or you can have boxes where you only get "enter result here." The subscription (not necessary when starting out) is about $10 a month, which in my opinion is money well spent.

HackTheBox - This is the next level. To get an invite, you actually need to have the skills to hack the invite form and get a code. They cannot be bought (although you may be able to find a tutorial online). This is pure CTF: you get a box, no information about it, and two fields: user flag and root flag. This is good preparation for some of the courses out there. The paid subscription (~$10 a month) also gives you access to retired machines for which someone has made a writeup, so they're really helpful.

YouTube - You may know about this site, I understand it’s quite popular. Jokes aside, there are channels you may want to check out for your learning:

John Hammond - This is a channel you can learn a LOT from. John does TryHackMe and HackTheBox walkthroughs, so if you're lost at some point, you can follow along. John also makes a point of explaining what he does, and if you're lost, he gives good pointers and keywords you can look up to learn more.

TheCyberMentor - Another great channel with good writeups/walkthroughs. TheCyberMentor also runs his own on-demand courses (on his site or on Udemy).

Udemy - Udemy often has sales on different courses, so you can find a good on-demand video course for anything between $10 and $20. These can span dozens of hours, so bring popcorn.

Google. Plain and simple. In cybersecurity (as with any IT work), you are not expected to know the complete grammar of Python or know every possible program by heart. You will be expected to google for answers, and knowing how and what to google for is paramount to being a good security person. Train as you work. Don't get discouraged by the fact that these walkthroughs show step 1 - step 2 - step 3 with nothing in between. Usually, whenever you go to pop a box on HTB or THM, it's more like 30% exploiting and 70% researching what you're up against. My workflow is more like a 10-90 split, but your mileage may vary ;-)

Using your money wisely

After you have done some of these in your spare time, you may find that you want a course: not just learning on your own, but a proper, well-curated course focusing on what you're likely to use in your work. This is but a small subset of them, but I have experience with each of these (or at least know someone who went through one):

Offensive Security - The gold standard. Recently, they ditched their single-course model for a subscription (either one-year or multi-year). The benefit is that this is an all-you-can-eat arrangement: if you pay for Learn One ($2,500), you get access to the OSCP, OSWP, and many other courses, such as the SOC course, web course, etc. This is an industry standard. I know many companies and have met clients who demand OSCP as their bare minimum. Why? They know what it takes to be OffSec certified, and they know what the courses contain.

  • Price: $2,500 for a year of on-demand videos/texts and labs. Multiple courses under one price.

eLearnSecurity - Another company providing pentesting training. They have specific trainings in a number of different specialisations (web, networks, WiFi), all with a security focus. A colleague of mine said the eJPT may be useless, since the eCPPT is similar and easy enough. Be prepared to answer some questions, since eLearnSecurity is not as well known or highly regarded as OffSec. Lately, they have also started a subscription program, but it is cheaper than OffSec (and way cheaper than bootcamps).

  • Price: $49 per month, $749 for a premium subscription

PentesterAcademy - The last on my list; they mainly offer lab access, but also writeups and courses. The courses are in the $250-$500 price range and (usually) include 4 sessions with an instructor and very in-depth material. I took an AD course there and I can recommend them. I failed my exam, unfortunately, but I still got a lot out of the course itself.

  • Price: $69 a month (nice) or $249 a year (at the time of writing)

Aside from the online sources, if you like the smell of paper, you can buy those things called books. No Starch Press and Packt are good sources; also check out Humble Bundle if you want some great sales (you can get a bunch of books on different topics for a very good price, often less than one print book!)

In closing

Now that I have written my hands raw, I can summarize: if you need training, you can start for free. Just go to YouTube or google for "XYZ security." That search alone may provide more answers than you think. Once you get into the TryHackMe grind, you may find more questions, which go into Google, which answers some of them, which leads to more questions, more learning, more googling, more questions… Your stopping point is up to you, but if your nose is bleeding, stop and take a break.

Take this information, and if it helps you or someone close to you, pass it on.