Teaching CASP+ next week

I’ve only taught CASP+ once this year, and while there doesn’t seem to be a huge demand for it at the moment, I found incorporating parts of TryHackMe’s SOC Level 1 and 2 into the coursework as homework very beneficial. It provided students with some hands-on experience after class, and I was able to offer guidance where needed. These labs allowed students to apply theoretical knowledge in a practical way, which is often key to solidifying their understanding.

I’ve also noticed that CASP+ attracts students with varying skill levels, as there are no prerequisites for the course. This mix can make teaching both challenging and rewarding, as I’ve had to adjust activities to cater to different abilities. Tailoring exercises based on individual student needs has proven to be effective, ensuring that both novice and more advanced learners remain engaged and get the most out of the course.

I’d be interested to hear more about the specific labs and activities you incorporate into your CASP training. It's always great to exchange ideas and strategies for adding value, especially with such a diverse group of learners.
 
I’ve only taught CASP+ once this year, and while there doesn’t seem to be a huge demand for it at the moment, I found incorporating parts of TryHackMe’s SOC Level 1 and 2 into the coursework as homework very beneficial. It provided students with some hands-on experience after class, and I was able to offer guidance where needed. These labs allowed students to apply theoretical knowledge in a practical way, which is often key to solidifying their understanding.
I only use TryHackMe for PenTest+.

I’ve also noticed that CASP+ attracts students with varying skill levels, as there are no prerequisites for the course. This mix can make teaching both challenging and rewarding, as I’ve had to adjust activities to cater to different abilities. Tailoring exercises based on individual student needs has proven to be effective, ensuring that both novice and more advanced learners remain engaged and get the most out of the course.
I've found that to be true for every CompTIA course. I get people with no technical experience taking CySA+ or beyond. CompTIA should start enforcing prerequisites. Failure to do so is doing a disservice to the students. Too many unscrupulous training companies and salespeople are telling students they can sign up for any class they want, which leaves the trainers stuck with students who can't handle the materials.
 
I only use TryHackMe for PenTest+.


I've found that to be true for every CompTIA course. I get people with no technical experience taking CySA+ or beyond. CompTIA should start enforcing prerequisites. Failure to do so is doing a disservice to the students. Too many unscrupulous training companies and salespeople are telling students they can sign up for any class they want, which leaves the trainers stuck with students who can't handle the materials.
Yes. My experience mirrors exactly what Greg is saying about tech experience. Same for CISSP. CASP+ is incredibly hard for students who don't have any kind of people or staff management experience. I'd go as far as saying CISSP is almost impossible for those folks.

Student screening and checking prerequisites is a near-impossible administrative task. It comes down to this: if the student doesn't have the prerequisite requirements and the institution points that out, but said student wants to pay for the course, should the registrar stop them?

When I take on clients seeking either CASP+ or CISSP they are people that don't want to sit for a class with others. Either the course meeting times or schedule doesn't work for them or they just don't want to sit with other learners. I have clients complete a survey that asks about all prerequisites and other certification programs. I often see expired certifications (which are easy to check for CompTIA). When I meet with the client I go over those survey answers. But in the end the client is paying me to get them that certification so I tailor the engagement to the client. My clients are always adults who are years or decades away from their last academic experience. I start off with lots of knowledge transfer (they read and study on their own) and then hammer them hard with test taking (they take tests on their own and we review the results). CASP+ engagements almost always go smoothly because the scope of the topics covered is well aligned to many IT jobs. CISSP is a completely different story because the body of knowledge is so broad that no one I've worked with has worked in all of those domains.
 
I’ve also noticed that CASP+ attracts students with varying skill levels, as there are no prerequisites for the course. This mix can make teaching both challenging and rewarding, as I’ve had to adjust activities to cater to different abilities. Tailoring exercises based on individual student needs has proven to be effective, ensuring that both novice and more advanced learners remain engaged and get the most out of the course.
In my Pentest+ and CySA+ classes, I’ve encountered students who come in with completely unrealistic expectations, especially those new to the field or making a career change. Some have little to no understanding of the material or the depth of knowledge required, yet expect to be able to conduct professional-level penetration tests or handle complex cybersecurity incidents right after the course. They often don’t realize that certifications like Pentest+ and CySA+ are just foundational steps, not shortcuts to becoming experts. To help manage these expectations, I use TryHackMe to give them hands-on practice and a sense of the real-world challenges they’ll face, but I also have to continuously remind them that they’re at the beginning of a long learning curve. It’s crucial for them to understand that developing the necessary skills, especially in a field as dynamic and demanding as cybersecurity, requires time, effort, and experience far beyond passing the certification exam.
 
Too many unscrupulous training companies and salespeople are telling students they can sign up for any class they want
Yes, some training companies are just trying to sell seats, telling students they can jump into any course without telling them the right background they need to get the most out of the class. It sets them up for failure when they hit the material and realize they’re way over their heads.
 
We can verify certifications rather easily. CompTIA, ISACA, ISC2, Microsoft, et al. keep full information on active certifications.

We can verify work experience. ISACA and ISC2 require documentation and confirmation that a person has a role where their work is covered in the domain objectives for an exam.

I know why we don't. It has to do with time and resources. The only ones currently inconvenienced are the students and the instructor. Enforcing prerequisites would inconvenience other people, such as the ones who work in operations or sales.

I tell all my students the required or recommended prerequisites for every certification. I also tell them that if they don't meet those prerequisites, they will have to work much harder to achieve the certification than those who do. With some students, I have recommended that they delay testing until they cover the recommended prerequisites. I may not have enough time in a course to cover all of Network+ and Security+ when I'm teaching CASP+. Often, the students must address their knowledge gaps on their own.
 
Yes, some training companies are just trying to sell seats, telling students they can jump into any course without telling them the right background they need to get the most out of the class. It sets them up for failure when they hit the material and realize they’re way over their heads.
When that happens, I tell the students the truth. They were convinced to sign up for a course that they were not prepared to take.

There are no shortcuts. People have to pay their dues, do the work, and build skills from the ground up. You don't start at the end or the middle; you have to start at the beginning.

I also talk to sales and request that they stop setting the students up for failure.
 
In my Pentest+ and CySA+ classes, I’ve encountered students who come in with completely unrealistic expectations, especially those new to the field or making a career change. Some have little to no understanding of the material or the depth of knowledge required, yet expect to be able to conduct professional-level penetration tests or handle complex cybersecurity incidents right after the course. They often don’t realize that certifications like Pentest+ and CySA+ are just foundational steps, not shortcuts to becoming experts. To help manage these expectations, I use TryHackMe to give them hands-on practice and a sense of the real-world challenges they’ll face, but I also have to continuously remind them that they’re at the beginning of a long learning curve. It’s crucial for them to understand that developing the necessary skills, especially in a field as dynamic and demanding as cybersecurity, requires time, effort, and experience far beyond passing the certification exam.
Agree 100%. I try to find and encourage students to find mentors in the field already to help students gain expertise. That's how I learned about SOC, by shadowing a couple of SOC staffers.
Something that I took away from that experience is developing checklists. I read the book 'The Checklist Manifesto' and suggested it to one of my mentors. It turns out developing checklists and reading other people's checklists is a great way to learn in these environments.
 
I have been teaching CASP for many years and am looking forward to the Train the Trainer for CASP in its newer name, SecurityX. I add labs and activities for managers on this course. What do you include when delivering a CASP+ course for added value?
It's great to hear about your experience with CASP+ and the excitement for SecurityX! I also integrate labs into my CASP+ training to provide added value, particularly focusing on real-world scenarios that senior security professionals and managers might encounter. I focus on incorporating hands-on labs and activities that enhance real-world applications. I often use platforms like Hack The Box (HTB) and TryHackMe to create practical scenarios that allow students to apply what they've learned in a safe environment. Additionally, incorporating Capture The Flag (CTF) challenges helps to reinforce skills and foster a competitive spirit among students.

I also find that including discussions on current trends in cybersecurity, such as threat intelligence and incident response strategies, adds significant relevance to the course. It encourages students to think critically and stay updated with the evolving landscape.
Some of the key labs I include are:
  • Incident Response Simulation: This allows students to manage an incident from detection to remediation, practicing decision-making in a fast-paced environment.
  • Cryptography Implementation: I use OpenSSL to guide students through encryption, decryption, and key management with algorithms like AES and RSA, helping them understand the depth of cryptographic solutions.
  • Risk Management Workshops: I present case studies for students to analyze and recommend mitigation strategies, which gets them thinking like CISOs.
Looking forward to SecurityX TTT.
 
Yes. My experience mirrors exactly what Greg is saying about tech experience. Same for CISSP. CASP+ is incredibly hard for students who don't have any kind of people or staff management experience. I'd go as far as saying CISSP is almost impossible for those folks.

Student screening and checking prerequisites is a near-impossible administrative task. It comes down to this: if the student doesn't have the prerequisite requirements and the institution points that out, but said student wants to pay for the course, should the registrar stop them?

When I take on clients seeking either CASP+ or CISSP they are people that don't want to sit for a class with others. Either the course meeting times or schedule doesn't work for them or they just don't want to sit with other learners. I have clients complete a survey that asks about all prerequisites and other certification programs. I often see expired certifications (which are easy to check for CompTIA). When I meet with the client I go over those survey answers. But in the end the client is paying me to get them that certification so I tailor the engagement to the client. My clients are always adults who are years or decades away from their last academic experience. I start off with lots of knowledge transfer (they read and study on their own) and then hammer them hard with test taking (they take tests on their own and we review the results). CASP+ engagements almost always go smoothly because the scope of the topics covered is well aligned to many IT jobs. CISSP is a completely different story because the body of knowledge is so broad that no one I've worked with has worked in all of those domains.
I completely agree with you @Brian Ford about the challenges with CASP+ and CISSP for those lacking management experience. Tailoring your approach and focusing on knowledge transfer seems effective. Aligning content with real-world applications also helps bridge experience gaps. Thanks for sharing!
 
Teaching CASP+ this very week! :cool: What I really look forward to is the crypto/PKI day. Finally a course that allots enough time to cover these subjects in the depth they deserve and not rush through them!
That sounds exciting! Crypto and PKI are such foundational topics for security, and it's great that you have enough time to dive deep into them. Covering asymmetric vs. symmetric encryption, hashing, key management, and certificate authorities in detail really gives learners a solid understanding of secure communication. Plus, it's always fun to see that "aha!" moment when students grasp how all the pieces fit together in a practical security architecture. Do you have any specific labs or demos planned for that day?
 
When that happens, I tell the students the truth. They were convinced to sign up for a course that they were not prepared to take.

There are no shortcuts. People have to pay their dues, do the work, and build skills from the ground up. You don't start at the end or the middle; you have to start at the beginning.

I also talk to sales and request that they stop setting the students up for failure.
I am getting that with my Security+ students. They come into class expecting to digest the Security+ curriculum and then run job hunts, but they do not understand why subnet masks, DNS and VLANs exist. They instead get A+ training and transition to Security+ the following week. I feel we are committing information overload.
 
I am getting that with my Security+ students. They come into class expecting to digest the Security+ curriculum and then run job hunts, but they do not understand why subnet masks, DNS and VLANs exist. They instead get A+ training and transition to Security+ the following week. I feel we are committing information overload.
The gap between A+ and Security+ is significant, especially when foundational networking concepts like subnet masks, DNS, and VLANs are not fully understood. Jumping straight into Security+ without that solid base can overwhelm students. It's essential to ensure they have a firm grasp of the fundamentals before tackling more advanced topics to avoid information overload and help them succeed.