In the past, I've found that the certification exams do a pretty good job of meeting the outcomes stated at the top of the exam guide regardless of the material that is presented for the different learning objectives... i.e., there is often a difference of interpretation between what gets trained and how it gets tested.
This particular exam and the course material seem to leave a lot of whitespace within the words used to define the outcomes and objectives, and in the scope of the objectives (given the number of sub-topics), that a test developer can fill in... (outcomes and a couple of objectives noted at the bottom of the post)
For example, in Pentest+ 003, what is the definition of the phases, TTPs, and laws referenced in the outcomes?
a) the phases that the outcomes refer to (note: the domains and objectives don't follow any published pentest methodology and seem to conflate phases with tactics in MITRE ATT&CK)
b) which list of tactics, techniques and procedures we are aligning the attacks, tools and phases with... (note: MITRE ATT&CK is the only set of TTPs listed, but it is not used consistently in the objectives)
c) what laws and compliance/control frameworks we should be aligning the attacks with (note: I don't really see this level of detail reflected in the course material... the objectives just say "security and privacy laws" in 1.1, and the frameworks in objective 1.3 don't identify any control frameworks beyond the OWASP MASVS)
...and given the outcomes, 80+ tools and 100+ "attacks", and just 2 of the objectives (noted below), I'm led to believe that the students will need to:
1. Associate each tool with all of the relevant phases, tactics and techniques... note: I don't know what the authoritative list/lists of these are
2. Be able to script the commands and switch options for every tool ... and associate those with specific attacks
3. Know the appropriate mitigations for each attack and probable root causes for each control's failure
4. Be able to identify an attack with the control or law you intend to test
So, am I overthinking what my students will need to be capable of, or where the test writers may take the exam?
---------exam outcomes and objectives -----------
The exam guide identifies 4 outcomes for Pentest+ 003:
• Plan, scope, and perform information gathering as part of a penetration test.
• Perform attacks that are aligned to and fulfill legal and compliance requirements.
• Perform each phase of a penetration test using and modifying appropriate tools and use the appropriate tactics, techniques, and procedures.
• Analyze the results of each phase of a penetration test to develop a written report, effectively communicate findings to stakeholders and provide practical recommendations.
That said, the 26 objectives (including 15 at the apply level and 3 at the analyze level of learning) list over 80 pentest tools/platforms/technologies and over 100 attacks/tactics/techniques, including these two doozies:
- Given a scenario, use scripting to automate attacks.
- Given a scenario, analyze the findings and recommend the appropriate remediation within a report.