3 posts tagged with "Certification"

GIAC GCIH (SANS SEC504) Course & Exam Review

· 6 min read
Corey Nicholson
Cyber Incident Response | Views Are My Own, Not My Employer's

In March 2026, I completed the in-person 6-day SANS SEC504 (Hacker Tools, Techniques, and Incident Handling) training course. After almost 2 months of study I then passed the GIAC Certified Incident Handler (GCIH) exam with a score of 98%. This article serves as a review of (and tips from) my experience with the SEC504 training course and the GIAC GCIH certification.

note

I'm bound by the GIAC Candidate Agreement and cannot share exam questions, materials, or index/reference content. All information on this page is either public by SANS or my personal experiences. All information I'm willing to share is below.

The Course - SEC504:

SEC504 is SANS' self-described "flagship incident handling course", designed to provide the essential skills required to detect, respond to, and neutralise threats across Windows, Linux, and Cloud platforms (Source: SANS). What sets it apart from a purely defensive course is its two-sided approach. Rather than studying offensive techniques and defensive response in isolation with two different courses, each concept is taught together. The course teaches how to execute a technique as an attacker, and then immediately how to detect, respond and prevent it. This builds a much deeper understanding than either perspective could offer alone.

The course runs over 6 days, with each day dedicated to a new section and its accompanying course book. Day 1 sets the foundation everything else builds on, covering the incident response process and methodology, as well as live, network and malware analysis (Source: SANS, SEC504 Syllabus). Days 2-5 then go through attacks from an offensive perspective, paired with the defensive counterparts a responder needs to know. Day 6 is a Capture the Flag exercise that brings everything together, giving you the chance to apply the week's techniques in a simulated environment. It's a satisfying way to close out the week and a good check on how well the content has actually landed.

The final day CTF competition involved splitting into teams, and thanks to working alongside some incredibly talented people, our team took out first place with each of us earning the SEC504 SANS Offensive Operations Challenge Coin!

SEC504 SANS Offensive Operations Challenge Coin

I found the course to be more updated than I had expected walking into it, covering concepts such as bypassing M365 authentication defenses, bypassing AI guardrails and integrating attacks with AI using Model Context Protocol (MCP) (Source: SANS, SEC504 Syllabus).

The Exam - GIAC GCIH:

The GIAC GCIH exam is a proctored 4-hour exam consisting of 106 questions (Source: GIAC). An undisclosed number of questions in the exam are referred to as "CyberLive" questions, in which a virtual machine is spun up for performance-based (practical) challenges (Source: GIAC). In my experience, the CyberLive VMs were ready to go in seconds and with almost no input delay, which was a relief as I wasn't wasting exam time waiting for machines and their services to boot up.

It's also important to note that GIAC exams are open book. All printed books, notes, and study guides are allowed (no digital items) (Source: GIAC).

I passed on my first attempt with a score of 98%, which also got me an invite to the GIAC Advisory Board. My honest take is that the exam is very manageable if you've put the work in. Below are my tips:

  1. During the 6-day course, try to suck in as much information as possible. If you've fallen behind on a practical lab and the class is moving on, leave it. You can complete the labs later. Listen to the content.
  2. After the course, take about a week break to refresh your mind.
  3. Re-read the course books and re-complete the labs (I spent about 1 day a week on average per book). As you're going through the content, write your index and command notes (see below).
  4. Do a practice test (under exam conditions)! On my practice test I scored 99%, only a 1% difference to what I got on my real exam.
  5. Depending on your score you'll now either know if you're ready, or if not, which areas to focus on.
  6. I gifted away my second practice exam voucher, but doing the second practice would be a great chance to reassess yourself if there were areas that needed more focus.
  7. Sit the real exam! (You've made your index, notes, and done 2 practice exams. There shouldn't be any big surprises!)

note

Please don't ask for my index or notes. I am unable to provide them.

An important part of the studying process is creating your index. An index is a guide that allows you to match key terms or concepts to the page(s) in the books where they are referred to. I've heard that some people like to alphabetically sort all the terms; however, I preferred to keep them all in the order they were presented through the material. My index format looked something like below:

GIAC Index Format Example

I also created a reference guide of tools/commands. The format of these notes looked something like the below:

GIAC Tool Command Notes Format

Overall

SEC504 and the GCIH certification are (in my opinion) genuinely excellent. The course is well-structured, consistently updated, and the dual offensive/defensive teaching approach makes it one of the most effective ways to build real incident handling skills quickly. The CTF on day 6 is a great way to close out the week, and the exam (if you've put the work in) is very achievable.

That said, I'd be doing you a disservice if I didn't mention the cost. SANS courses are expensive, and SEC504 is no exception. If your employer is sponsoring you, it's a no-brainer (and can have a strong ROI for a large business). If you're a self-funding student though, it's worth being honest with yourself. There are cheaper paths. Platforms like HTB cover a lot of ground (not all), though you'll likely get there a lot slower, with a lot more headaches, and a lot less guidance, but you will get there. The benefit of SANS, then, is the structure and speed at which you can develop your skills, which is on another level. Their promise that "Everyone who completes SANS training can apply the skills and knowledge they've learned the day they return to work." (Source: SANS) holds true in my experience, and I'm looking forward to being able to complete another SANS course in the future to further develop my skills.

GIAC GCIH Certificate - Corey Nicholson

HTB Certified Web Exploitation Specialist (HTB CWES) - Review

· 3 min read
Corey Nicholson
Cyber Incident Response | Views Are My Own, Not My Employer's

note

Starting October 2025, the HTB CBBH became the HTB Certified Web Exploitation Specialist (HTB CWES) certification. Since I already obtained the CBBH (see my full review here), I was automatically upgraded to the CWES certification. Hence, this serves as a revision to my previous review.

In August 2025, Hack The Box (HTB) announced that their Bug Bounty Hunter certification would be overhauled and rebranded as the Certified Web Exploitation Specialist (HTB CWES). While the core curriculum does not appear to have significant changes (beyond 4 modules being added/updated), the rebrand aims to better reflect real-world job roles and the broader scope of modern web application security testing.

Summary CBBH Review:

In my CBBH review from last year, I stated that I would absolutely recommend the course material to anyone wanting to learn web penetration testing. The labs were realistic, platform polished and the coverage of vulnerabilities was both broad and practical. However, I struggled to recommend purchasing the exam and obtaining the full certification. This was due to 2 main concerns:

  1. Recognition - The certification wasn't as widely recognised as other web application penetration testing certifications.
  2. Branding - The name "Bug Bounty" felt limiting, especially for candidates aiming for traditional pentesting or AppSec roles.

Despite these concerns I still recommended sitting the exam if you wanted to test your skills in a practical, hands-on assessment.

Has HTB Fixed This?

HTB mentions that the change is to better align the certification with modern job roles, and I believe they did this well. It's too early to tell how widely HTB CWES will appear on job postings, but the name itself is far more professional and transferable than the previous one. I expect this change to have a more positive impact on employers' views.

Has My Recommendation Changed?

The certification has been renamed, but the core content remains largely the same, with the addition of four new modules and several incremental updates and refinements. Because of this, my recommendation has not drastically changed, but it has slightly improved.

If you’re looking to learn web exploitation through practice, HTB CWES is an excellent option. The rebrand fixes one of my biggest concerns with the original CBBH, and the added content makes the certification feel more complete.

I would confidently recommend:

  • The course content to anyone pursuing web pentesting or AppSec.
  • The exam and certification to those who value testing their skills practically (and don't mind the cost + lower recognition compared to other certs).

While it may not yet rival the most established web certifications in terms of recognition, HTB CWES is now much better positioned to grow into those roles.

For my full review of CBBH from last year, check out: HTB CBBH Certification (Exam Review).

HTB_Certified_Web_Exploitation_Specialist_(HTB CWES) Certification

HTB CBBH Certification (Exam Review)

· 6 min read
Corey Nicholson
Cyber Incident Response | Views Are My Own, Not My Employer's

In early 2022 Hack The Box (HTB) released their first certification - the Certified Bug Bounty Hunter. They claim that "certification holders will possess technical competency in the bug bounty hunting and web application penetration testing domains at an intermediate level".

No - you don't need a certification to be a bug bounty hunter, so the certification is essentially for junior web application penetration testers or web developers who want to understand the web penetration testing domains up to an intermediate level.

Since I was already familiar with HTB, I decided to give it a shot and started the pathway a few months ago. At that time, there was little information about the certification online, although it appears to be picking up in popularity recently, so I decided to share my experience with the exam in the hope that it could answer a question someone may have about the process.

note

For some stats: I got certified in December 2024, and at that time 840 other users had obtained the certification.

The Course Content:

note

To be eligible to take the exam, you'll first need to gain 100% on the Bug Bounty Hunter job-role path, which includes retrieving the flags on all exercise machines.

HTB estimates that completing the course contents will take around 144 hours. If you're very committed to it, you could complete the content within a month, but rushing through it will only hurt you when you take the exam. I would recommend 2-3 months if you're able to dedicate time to the content, or a little longer if you're planning to just pick away at it or are completely new to web apps.

The course covers the following content:

HTB CBBH Course Content Mind Map

The course material is completely text based, combined with many practical tasks. I'm a big fan of how they presented the material, but I know text-based content isn't for everyone - so keep that in mind.

tip

If you're a student, you can access the course content for only $8 USD a month! You will also have the ability to go back and review completed modules, even after your plan ends.

The Exam:

Once you complete the course content and obtain all the flags in the exercise machines, you'll be able to activate an exam voucher.

Once you activate your voucher, a letter of engagement will be provided which will outline the requirements to pass. You will have 7 days to complete the exam.

To pass the exam you must:

  1. Obtain enough points (by submitting found flags on the exam lab’s page - the number of points required to pass will be shared only upon starting the exam).
  2. Submit a commercial-grade report which includes the identified vulnerabilities and remediation advice (a template is provided once the exam is started). This is evaluated against quality requirements.

You should receive the results within 20 business days. If you fail, that's fine, because the exam voucher includes a free retake.

warning

If you fail the first attempt, to be eligible for the free retake you must:

  1. Submit the report you have so far within the deadline.
  2. Start the retake exam within 14 days of receiving the fail mark.

5 Exam Tips:

  1. The exam is different to the course labs. The exam simulates multiple real-world applications and to obtain a flag, you'll need to think outside the box and chain multiple vulnerabilities together. Going into the exam - I did not expect to be chaining vulnerabilities together, so I had to quickly adapt my mindset and think outside the box in order to obtain them. Once I understood this, I started to obtain them. The exam is therefore not easy, but it is fair.
  2. Have an in-depth understanding of how the covered vulnerabilities work, as well as how to manually exploit them. Pointing a readily available tool at the web app and expecting RCE in return likely won't work. You'll need to manually poke the application and understand its responses in order to discover vulnerabilities. And again, you may need to chain multiple vulnerabilities together.
  3. Everything you need to pass is covered in the provided material. However, don't expect to just run an exploit tool or copy and paste a payload. Again, you'll need to think outside the box and chain multiple techniques together in order to pass.
  4. Enumerate, enumerate, enumerate. And when you gain a foothold, enumerate even more!
  5. Approach the exam methodically (ensure you make a methodology while studying the content!) and take your time. You have 7 days after all (14 if you include the free retake). If you feel stuck, take a break to clear your head and give it another go. More than once I got stuck on a section for hours, only to take a break and solve it within a few minutes of sitting back down.

tip

As a bonus tip, you can use the SysReptor HTB Repo to easily generate your report and render it to a PDF, either by self-hosting SysReptor or by using their free cloud version.

Would I Recommend it?

The course - 100%! And especially if you're a student. The $8 USD/month price is incredible value for such a high-quality course. If you're not a student, the pricing gets a bit more complicated, as they use "cubes" to unlock modules. The entire course costs 1410 cubes, which can be purchased for about $110 USD (as you gain some cubes along the way while obtaining the flags). There are also monthly/yearly subscriptions available which may benefit you more. Either way, I'd still highly recommend the course for those that want to understand web-app penetration testing. Also keep in mind that by completing the CBBH course, you'll already be almost 1/3 of the way through the HTB CPTS course!

The exam - well, it depends. The certification isn't as recognised as other web-app penetration testing certifications, so this makes it more difficult to recommend. The decision to call it "Bug Bounty" and not "Junior Web-App Penetration Tester" also raises the question of "why have a bug bounty certification?". At the price of $210 USD (about $375 AUD with taxes), I find it hard to recommend for everyone at this stage. But if you're like me and wanted to get it to practice a little, to test your skill level before moving on to other, more advanced certifications, then go for it! I did greatly enjoy the exam after all and am looking forward to trying other HTB certs in the future :)

HTB_Certified_Bug_Bounty_Hunter_(HTB CBBH) Certification