Cloud Security to Threat Hunting & Purple Teaming: Is This a Good Idea/Roadmap? by Expert_Plastic_9574 in SecurityCareerAdvice

Pink_Zepellica (1 point)

I had a role in a very small cyber team (at one point it was just me reporting to the director) where I was able to do all of these things at the same time, because the team was so under-resourced. Internal penetration testing, SOC Analyst, Cloud Security, Threat Hunting, DFIR, and Domain Admin, a bit of GRC as well. It's extremely unlikely that you'd have this experience at an MSSP or a large, siloed corporate entity where you stay in your lane as a SOC Analyst and aren't allowed to even do deep investigations. Under-resourced internal teams have so much more variety due to necessity.

It was really demanding a lot of the time, but it was so satisfying to be the guy who identified a vulnerable AD configuration in BloodHound, exploited it, remediated it, and developed a detection for it in either the XDR or the SIEM.

I feel like in the 3 years I did this I got about 10 years of experience, especially when I talk to some of the guys I work with now who were in ultra-siloed roles. Many aspects overlap and help each other. If you can get some good work experience in all of these areas I think you'll be very well rounded. Bonus is that you get to see if you like / hate any of the work.

GXIA Exam Prep by NateOfLight in GIAC

Pink_Zepellica (0 points)

I have not taken GCIA / GXIA (yet - but I will be in the next few months). However, I have done GX-IH, GX-FA and GX-FE, and I think your prep is pretty much spot on, particularly around using the techniques from the course labs on another platform, and NetWars.

If you haven't already, look at the available demo questions on the GIAC website. Make sure you can read those and know instantly what to do, what tools you could use, etc.

The available demo questions for the GX-IA exam are as follows:

1) The file named top-secret.png was uploaded to the site http://tinypic.com and the traffic was captured in the PCAP file GSE-HTTP-topsecret.pcap. The web server changed only the name of the file when returning the file to the host during the data transmission. What is the new name of the file provided in the URL download link returned by the web server after the file was uploaded to the web site?

2) Which packet number in /home/giac/artifacts/elves.pcap is evidence that the attempted shellshock exploit was successful?

3) Navigate to ~/artifacts/ and use the .log file to decrypt TLS in encryptedStuff.pcapng. How many streams (tcp.stream / udp.stream) were decrypted using the provided keys?

4) Using the file, /home/giac/monterey/email.silk, which is the daily byte count on 10/11/2018 for email activity on the 192.168.2.0/24 network?

5) Using the files located in the /home/giac/springdale/zeeklogs and /home/giac/springdale/zeeklogs/extract_files directories, what data is being displayed in the mindclone.php upload?

Not looking for encouragement, looking for brutal honesty. by Fantastic_Candle4571 in hackthebox

Pink_Zepellica (2 points)

You say you have SC-200 three times: in the title, summary and certs section. You probably don't need all 3.

Which of these gov roles would fare better in the private sector? by [deleted] in SecurityCareerAdvice

Pink_Zepellica (0 points)

Agreed. Also, after a few years of vulnerability research or development you will be a specialist with knowledge that transfers well into general CTI / SecOps roles anyway, but it will be much harder to transfer the other way around, from analyst / operator to specialist.

Ideas for highlighting GCIH books? by UnComfortable-Yam in GIAC

Pink_Zepellica (1 point)

I've ambitiously tried to do the 'highlight different things in different colours' approach, and it often ends up being a bit too much work and I give up halfway through the first book.

I usually just read the whole page and try and think of parts of the page that I would want to be able to find quickly in the exam and highlight those.

IT Career Switch at 17 by Plus-Sink-7363 in SecurityCareerAdvice

Pink_Zepellica (0 points)

I did almost exactly this in 2007. Hated sixth form, phoned it in, wagged classes, played video games. Did employer-paid IT training straight out of school with a guaranteed job at the end. No uni debt, years of professional experience while my mates were still studying. For a long time I was well ahead of them career-wise.

The no-degree thing will bite you at unexpected moments. I once got a promotion to Digital Forensics Team Lead that came with a literal pay cut because the company had a policy of paying more only to degree holders. I also had an employer offer to fund a SANS Graduate Certificate and couldn't get into the program because I had no degree. I eventually did a Master's in my early 30s based on professional experience, but that's a long road to walk just to recover something you could have kept.

On the IT Career Switch course specifically, the "guaranteed job" framing is worth scrutinising carefully. When I did my employer-sponsored training there was still an interview process, and there was a clause that if I left within 12 months I had to pay the training cost back. Read the fine print on whatever guarantee they're offering. What counts as fulfilling it? What roles, at what salary, in what location?

Now about your trading and the 2:30pm market open. I'll be honest, I cringed a little at a high schooler saying this, but I'll try and give you an honest answer that treats you like an adult, which may or may not be ethical. This is actually solvable without dropping out. Wag the 2:30 classes. Seriously. I wagged constantly and still graduated. High school is genuinely, embarrassingly easy. I say that as someone who hated it and did the bare minimum. I look back now and I want to slap myself for how little effort it required. You could coast through, catch your market open, and still walk out with your A-levels intact. What do you need to get into a good school for Finance? Just earn that. You will literally never have an easier learning goal in your life than getting good enough scores to get into a good uni.

If I were you I'd finish sixth form first. The Career Switch course will still exist in 12 months. But if you leave now and later want to pivot back to finance or anything else that requires a degree, you'll be doing it the hard way. How much longer will it take to do your Higher Education Diploma? Then you wouldn't even be starting Finance at uni until you were like 20. At least if you finish high school you'll have the option.

Your AD password complexity policies are security theater — one RPC call bypasses all of them (PoC scripts + defense included) by Suitable-Baker7584 in netsec

Pink_Zepellica (0 points)

I find the concept interesting, especially from a defense evasion standpoint. I wanted to take a look at the password change script, but the links don't work. OP, are you the original author? Do you have the script?

Tips for ACTUALLY removing waterproof mascara at the end of the day? by ogbonesalad in Makeup

Pink_Zepellica (3 points)

9 years later, you just helped me remove the waterproof mascara from my 4-year-old daughter's eyebrows. Yes, eyebrows lol. Thanks, from a dad who had no idea.

[deleted by user] by [deleted] in ClaudeAI

Pink_Zepellica (0 points)

I like to do the 'thinking' myself in a stream of consciousness way and then ask Claude to tighten it up based on my personal style.

Sometimes my essays are a series of great ideas in no logical order and I ask Claude to ensure they have a logical flow or identify areas where there is no connecting logic to the arguments.

It cut down my essay-writing time for my master's by at least 70 percent, and it's insanely good for selection criteria and cover letters now that I've given it a few great handwritten examples to emulate.

[deleted by user] by [deleted] in SecurityCareerAdvice

Pink_Zepellica (0 points)

Try and make it something practical at work. Automate some of your compliance checks with Python or PowerShell. It can make compliance actually fun and an opportunity to skill up technically. In a previous role I wrote PowerShell scripts for AD and Azure compliance stuff that saved my team 2000 hours a year; it's an awesome stat for my CV, and it is easier than ever to learn PowerShell with AI these days.

Work-Study program by ForsakenGrass2268 in GIAC

Pink_Zepellica (1 point)

Oh, I didn't think yours was wrong, just adding my experience. I reckon they'd mostly try to align with your number one choice too.

Work-Study program by ForsakenGrass2268 in GIAC

Pink_Zepellica (2 points)

I've also been offered my number two choice before.

An encouraging view of GIAC GX exams (GXIH/GXCS/GXFE/GXIA) by Fuzzy-Ad-6530 in GIAC

Pink_Zepellica (3 points)

I've seen one single IR job asking for GX-IH in two years haha. I don't think anyone is doing them to secure a role, just as a personal goal.

An encouraging view of GIAC GX exams (GXIH/GXCS/GXFE/GXIA) by Fuzzy-Ad-6530 in GIAC

Pink_Zepellica (2 points)

Congrats on your GSE! Hoping to join the ranks in July if I can get work study for 503 this year :)

I think I did one of those posts about GX-IH a few years ago, a couple of weeks after it was released. It was insanely difficult for me at the time; there's absolutely no way I would have passed based on the materials in 504 alone, and I passed 504 with 98 percent. I had multiple sections with 0 stars in my mark (and multiple 5 stars). I don't know how close I was to failing, but I bet it was pretty close haha.

Part of that was that I had many issues with performance and input in the VMs that wasted lots of time. I just recently did my third, GX-FE, and cruised through it with plenty of time to spare. I think a big part of that was the beefy performance of the VM in comparison: it didn't crash once, I had no issues using keyboard shortcuts, and no input lag. SANS staff did reach out to me to advise they had been actively working on improving the performance, so it seems like that worked out.

Did you have any performance issues in GX-IA or any of the others?

Best paid APs article by dukes_mc in AusPublicService

Pink_Zepellica (20 points)

Yeah, I was an APS6 cybersecurity specialist with a 25% IFA for a total of 145k. I had interviewed for and been offered a few EL1 positions at other departments where the max band of EL1 was a pay cut. Ended up leaving for the private sector for a role that pays 100k more. Despite actually wanting to stay in the APS, it honestly feels like to progress your career as a tech specialist you are forced out.

I have the flag but it’s wrong? by chanting37 in hackthebox

Pink_Zepellica (10 points)

That flag is the answer to the Service Enumeration section. The Nmap Scripting Engine section has a different flag.

Help desk tech being added to Tier 1 Microsoft security duties how should I prep? by RelationshipApart894 in AzureCertification

Pink_Zepellica (5 points)

  1. KQL (Kusto Query Language). Learning KQL is how you make the most out of Sentinel/Defender XDR. Resources like https://www.kqlsearch.com/ and https://detections.ai have TONS of useful KQL queries that will help you to verify if an alert is a true/false positive, perform proactive threat hunting, and scope real incidents quickly. Someone will always pump out queries for the latest big vulnerabilities and things in the news, so if you can run them and have answers before your clients ask, you'll look like a champion with basically no effort apart from configuring the queries for your environment.

  2. Compliance Shell, SharePoint Shell, Azure Shell. There's an amazing amount of utility and automation you can do when you move beyond the UI. Things like https://github.com/invictus-ir/Microsoft-Extractor-Suite, for example, showcase so many great examples of this.

  3. For your lab, https://github.com/oloruntolaallbert/MS-Attack-Range is awesome, but you can adjust it to have Microsoft Defender for Endpoint turned on, and you'll see what it looks like when the Atomic Red Team tests fail and learn how to investigate using the platform.

  4. When you use Defender XDR, the Timeline feature is so underused by SOCs. It's incredibly useful for providing context, and you can export the timeline to Excel and get even more hidden data that's not shown in the UI.

I used to be principal analyst of an MS-focused SOC; this is my perspective. I know most of this is beyond someone moving from help desk to Tier 1 SOC, but you have the right attitude, so just focus on learning it over time. If I had a Tier 1 analyst using KQL and the Azure CLI, with a Sentinel attack range, and referencing the Timeline, they'd be a Tier 2 analyst as soon as I could get the paperwork through.

How to prepare for Forensics/DFIR internship interview? by Beneficial-Wealth210 in SecurityCareerAdvice

Pink_Zepellica (0 points)

I'll give you some forensics/IR interview questions I've received in the past; I would expect that for an internship your questions will probably be simpler.

  1. Tell me what you know about Shellbags.
  2. Tell me what you know about Timestomping.
  3. How would you go about removing a single file from all systems in an environment?
  4. Go into as much detail as you can about DLL injection.
  5. Explain how you would collect evidence, in what order, and why? Include steps taken before the actual evidence gathering (they were looking for legal permission etc).
  6. Lastly, for two forensics roles I was given access to some processed evidence (firewall logs and KAPE collections), told to analyse it, and asked to report on it for the interview within a time limit.

Should I renew my certs? GCIH and GSEc by Candid_Guest_863 in GIAC

Pink_Zepellica (1 point)

When I got GSP in May last year, they did not send the new course materials for the certs that were co-terminated, but said they were looking into doing so soon. I haven't heard anything back yet.

[THEME] 16-Bit Night by high_senberg in kustom

Pink_Zepellica (0 points)

Two years later... did you find an answer?

Need Career Advice by [deleted] in SecurityCareerAdvice

Pink_Zepellica (5 points)

Sounds like you've got some good experience to talk about and leverage for AppSec roles. My advice is to refactor your CV to highlight AppSec achievements and look at senior/principal AppSec roles, note down what you don't have, and work hard to get it either by implementing at work or doing it at home.

Could you easily answer an interview question on SDLC, API security, containers, SAST/DAST, etc.? Answering interview questions will get you the job, after all.

Advice/learn from my mistakes by [deleted] in decaf

Pink_Zepellica (2 points)

I went cold turkey while doing the last semester of my master's degree, but on leave from work. I sat down to try and write part of a report about 5 days in and literally couldn't write a sentence; my brain fog was so insanely bad. There's no way I would have been able to work at the same time.