GX-PT: A Review

My reflections on taking the new Applied Knowledge certification for SANS.

My reflections on taking the new GIAC Applied Knowledge Certification - the GX-PT. I had the honor of being able to beta test the exam, twice. First, back in July, where I and everyone else who took it failed 😆, and most recently this past week.

A quick overview of the exam - it's a 25 "Cyber Live" questions, which is SANS-speak for hands on keyboard questions in a virtual environment. The questions vary from multiple choice, with 6+ options, or some questions even require a text entry. You're allotted 4 hours, though they are monitoring the connection you have to the VMs, and add time for connectivity issues automatically. Most importantly, there is no internet allowed (bum bum bummmmmm!). You are however, allowed to bring any book or notes into the exam.

SANS recommends a few methods of preparing for the exam, including SEC560 as the "primary fit course", which makes sense given that's their enterprise network penetration testing course. I came into the exam having the GPEN, GCIH, GCIA, GCWN, GCUX, GCPN, and GFACT. I also have taken the SEC542 course. I've averaged over a 90% on all of those exams. So needless to say I've had a large amount of overlap with their affiliate training. Not saying this to flex, but more give context to the overall review. Additionally, I have practical work experience, as a network penetration tester. Particularly one who regularly pentests airgapped networks. I can't say I felt like a fish in water pentesting without internet, but my second beta GX-PT felt a lot better than the first, after I had accrued some of that real world experience. That being said, I don't think you necessarily need all of that experience or training in order to pass.

Thoughts on the Exam

Questions are Intuitive... Maybe?

The questions are worded in a way that I would say are intuitive to know what you need to do if you have pentesting experience. That being said, I don't think it would be necessarily easy to pass the exam if you've solely taken SEC560. I would say it's fair to say that the Cyber Live questions for GPEN align very closely to the labs in the courseware. Functioning with that assumption, I'd say the questions on the GX-PT are slightly more complex. They don't explicitly tell you what you need to do, but give strong hints, particularly for the more complex questions.

Budget Your Time, and Budget More Time

Overall, I'd say the exam was challenging. I used the entirety of the 4 hours. It's 25 questions in 4 hours. If you do the math, that's less than 10 minutes per question. That means limited time to flail around and guess what the answer might be. I mean... enumerate 😏. On one hand, that's an advantage, the questions tend to be more direct. It's not like the OSCP, where you are only given a target IP address. However, it's more complex than the practioner exam's Cyber Live questions. There are plenty of questions that provide multiple potential avenues to solve, and if you choose the wrong path, you waste precious time.

It's also important to note, I actually used closer to 4-1/2 hours, when you factor in the additional time the computer automatically allocated for lags in spinning up VMs, and connectivity issues. I mention this just so you book plenty of time to take the exam. Don't make plans immediately after 😄

Bring Notes

The first time I took the exam, I didn't bring enough notes. I didn't realize how much I relied on Hacktricks, PayloadsAllTheThings, or even just a quick google search to get what I need. It's fairly obvious that not having internet would mean needing to print out notes. Not sure if a book like RTFM would help, but you want to have everything handy. My first exam attempt made me truly realize how much I typically rely on the standard image of my pentesting latptop with tools (more on this in a bit) and resources auto installed. You don't BYOD to the exam - at least connecting it to the virtual environment. Review your typical procedures and methodologies, maybe even do a few HTB, Proving Grounds or Vulnhub. Try to use as few internet resources as possible, or if you do, document what tools and methods you used, and assess if you might need to make a cheat sheet to bring to the exam.

If you've taken SANS courses, hopefully you've done the Pancakes method for studying/index creation. The method recommends documenting an important command in a separate worksheet. I took all of the commands/files that I've collected over the various courses and put it into one document. In lieu of documenting the book and page it originated, I included what course it came from, to provide some context that might be useful when if it would be useful for the question.

Tools in the Toolbox

Given the lack of internet, be comfortable using different tools to accomplish the exam objectives. There are a handful of different VMs that are provided to answer all of the questions. You'll only have access to one VM to answer the question. So you'll have to be comfortable solving questions via the CLI, GUI, or using other tools than your go-to. Usually use ffuf to enumerate directories for websites? How about trying to do it via some command line kung fu and standard linux binaries? Used to enumerating a web page with Burp? Used to using CME for password spraying? What other tools or methods could be used for it? Do you always try to find a web shell using seclists? How about having notes of one-liners instead?

tl;dr - don't expect every tool to be on the VM, or even the most likely/easiest tool to be on it. There for sure is at least one tool on there. But be comfortable having multiple methods to perform the tasks listed within the certification objectives.

Demo Questions?

SANS offers practice/demo questions, which can be purchased for $40 (as of April 2024). It includes 45 minutes, and access to 3 questions. Given my personal experiences, which were also validated by others who I spoke with who took the demo questions - they may not be worth it. When I took the demo questions for GX-PT, many other folks and myself had a poor experience with the demo experience. The lab environment for the demo questions were extremely lagging. I had to reset the VM for each question multiple times. I would enter a keystroke, which wouldn't appear on the VM, only to then be entered 10x after a 5 second delay. I would say the demo environment is not up to the SANS/GIAC standard. Of the 45 minutes I was given, probably half of that was spent waiting for the VM to respond, or restarting the environment. To add insult to injury, I was only given about an additional 5 minutes of the exam time.

On the flip side, I would say it did provide a bit of an opportunity to understand the question format. I also used it as an opportunity to brush up on certain areas that I was rusty on. As well as do some research online for some cheat sheets and ask ChatGPT for succinct resources that I brought with me to the exam. I can't say I used any of those resources during the exam or not. But trying some questions with the crutch of still having an internet connection may have given me some solace knowing what I was getting into going into the exam.

Overall, The exam experience is much better, but I cant say for certain if the juice is worth the squeeze for the demo questions.

Exam or Not to Exam?

It all comes down to your personal goals. I'm not sure how well these new Applied Knowledge certs are recognized within the industry. I haven't seen many job listings in the past which even ask for GSE (GIAC Security Expert Certification), or the new GSP (GIAC Security Professional Certification). These AK certs are fairly new, only having been released in the last year, so it may take some time to be recognized within the community. However, I'm not sure it's worth taking unless you're aiming for the GSP/GSE route. Perhaps SANS/GIAC will do a better job of socializing the gravity of these certs, but until that occurs, you may get more value of completing other certs - even more advanced SANS courses like 600 or 700 SEC level courses.

Personally, I've had it a goal to get GSE certified over the past few years, I've taken enough SANS course sand have the necessary "Practitioner Certs" - aka the regular GIAC certs - that it makes sense for me. SANS has also mentioned they will roll out plans on how to consolidate and streamline renewals of certs once you're GSE certified. Presumably that will come with cheaper costs to renew the certs.

That being said, it's a fairly new/updated certification process. It appears this new method of certification gives each person the flexibility to provide their specific skillset, and value to being "GSE Certified". To me, that makes a lot more sense, particularly compared to the old process where various cyber roles (i.e. IR, pentester/red teamer, blue team) all had the same exams. This provides a bit more flexibility and pragmatism to the certification process.

It also goes without saying, the regular SANS trainings, and general GIAC Practitioner Certs and highly sought after by companies, and the courses aligned with these certs are incredible - albeit also expensive. SANS' pedagogy is some of the best in the industry, and while they're expensive, I always encourage anyone who asks to take a course. There are a few methods on ways to make the courses more affordable - my favorite method being the SANS Workstudy program. Pursuing an GIAC Applied Knowledge can help showcase that you're a well rounded technical SME with a depth a breadth of knowledge.