In a previous article I talked about all the money that I’ve invested into myself over the years. I have a saying, “I won’t ask a company to pay for something that I’m not willing to pay for myself,” and one of the things I would never ask a company to pay for is a SANS course.
So why is it that I’ll never take a SANS course? Well, there are several reasons, and not all of them have to do with money. The cost is indeed high and seems to only go up over time, but it’s more than that. A SANS course is typically lectures and labs for several days, with an exam on the final day that consists of filling out a bubble sheet.
The first problem is the lecture time. Typically, it’s only a week. So you’re in front of the computer day after day, listening to somebody lecture about a topic. You might have some labs or hands-on exercises to break up the day, but that’s it: a week. Now, all SANS instructors are at the top of the industry. These people push the envelope and develop and build things that help the community level up. I can’t say that spending a week with them will level me up, though.
Now, I would like to use an analogy. If you wanted to improve your golf game, what would you do? Maybe you go to the range and hit some balls, play on the golf course every weekend, or get a teacher. Of course, real-time feedback will probably impact your game the most, so you go with a teacher. Now you have a choice… Do you go with an intense boot camp week with Tiger Woods, where he’ll teach you everything he knows, or will you have one lesson a week for a year with Hank Haney? Now it might be tempting to get that boot camp with Tiger, I mean, it’s Tiger; who wouldn’t want to spend a week learning from the best? Me. I wouldn’t. I would take those weekly lessons from Tiger’s coach Hank for a year over spending any time with Tiger. I want to get better, and a week of boot camp isn’t going to help. Yes, I might pick up tips and tricks, but will this actually improve my overall golf game? No. Getting lessons with Hank each week, I can pick up a tip, practice during the week, and then work through the problems I faced with that tip or move on. This is how you improve. Now, why would I think it’s any different with SANS courses? Yes, you get to work with the top people in the field, but will doing so help you make changes in your security game? Probably not long term.
The second problem I have with getting SANS certified is the exam. As much as I didn’t care for the material given for eLearnSecurity, the exams really pushed me. When I took the eCTHP, I felt like I was a threat hunter in an environment needing to determine whether there were issues or not. With the eCPPT, I felt like I had been hired to do a pentest on a company and had a week for the engagement. In both exams I felt like I was doing the job that the certification was asking for. Could you imagine getting a boot camp from Tiger Woods, but instead of spending the final day on the golf course actually playing, you’re in the clubhouse filling out a piece of paper? I don’t know why this would be acceptable for a SANS certification.
Lastly, there’s the cost. I left this for last because if the above problems were addressed and these courses really taught and guided people to excel at these jobs, then cost wouldn’t be an issue for me. As I mentioned in a previous blog post, I don’t mind investing money in myself. But when I look at the syllabus for SANS courses and then look at eLearnSecurity, Offensive Security, or random Udemy courses, I can’t say SANS courses are worth the price tag.
Right now, at the time of this writing, the course for GIAC Penetration Tester (GPEN) is $7,270 USD, and the GPEN certification exam attempt is an additional $849, roughly $8k in total. Now let’s see what else you can get for that $8k. You can get a year’s subscription to INE, which is $800, and then, let’s say, take 6 certifications at $400 apiece, which gets us to $3,200. Then let’s throw in a year’s subscription to Hack The Box, TryHackMe, Blue Team Labs and PentesterLab, altogether roughly $750. So now we’re at $4,000. What else can we do? Well, just to fill the gap up to the cost of a SANS course and exam, I’ll add in all 10 of Chris Sanders’ courses together, which is $4,400. So, looking at all the coursework you could use over a whole year, where you practice actual tactics and techniques, it’s pretty daunting, and for most people it’s not realistic to do all of that in one year. Or, you can take a course that lasts a week and fill out a bubble sheet.
I’ve never taken a SANS course or exam because I couldn’t justify the cost based on other people’s reviews and a comparison of what I could get for the same amount of money. I know everybody’s mileage will vary, but the people I’ve talked to have said things like: “It was great! But things were moving pretty fast, and it was hard to keep up.” “I feel like you need to know the topic pretty well before taking the course.” I’ve even seen somebody who passed the GWAPT (Web Application Penetration Tester) ask, “What’s a good web shell that runs on IIS?” I’m curious about what that course actually covered. I believe these SANS courses are a waste of company money, and they don’t provide a good ROI for the company or for the employee taking the course.
Editor: Emily Domedion