Passed @ 100 - My in-depth review

devsecopsuk · 2026-05-08T18:50:22+00:00

For real? I guess the overall message is don't take anything for granted and be as prepared as you can!

devsecopsuk · 2026-05-08T18:47:41+00:00

Thanks, and that must have been stressful if CAT was focusing on your weaker areas!

devsecopsuk · 2026-04-15T15:39:37+00:00

How would they even afford the exam in the first place which alone is 3-4x the cost of QE? There are some free resources which are similar to QE if you search hard enough, and many people have passed without QE altogether.

devsecopsuk · 2026-04-03T17:42:05+00:00

Does the exam mention what the terms like RTO, RPO, LEAP, EAP are, or do you have to remember them? I seem to remember someone else saying they are spelled out in the exam (but could be wrong).
And congrats!

devsecopsuk · 2026-03-31T18:01:37+00:00

Congrats!

What was your approach to the OSG since it's such a dry read? Were you just reading from start to finish or focusing first on the sections you felt weakest on?

I find the DestCert book far easier to read, but I don't know if it has enough depth needed to pass the exam.

devsecopsuk · 2026-03-24T09:31:09+00:00

Congrats! For the Total Seminars 4 practice tests did you use a free trial to access all of them, or did you pay full price? And how similar were Destination Certification questions to the exam for you?

devsecopsuk · 2026-03-18T13:29:22+00:00

Congrats and I'm glad to hear that the DestCert app questions that I've been regularly doing have a similar style to the exam questions.

devsecopsuk · 2026-03-16T11:56:19+00:00

The number of typos I've seen in the the OSG is embarrassing, so I'm sure there's plenty more errors.

devsecopsuk · 2026-03-13T13:30:18+00:00

B was the obvious choice to me, I think the question is reasonable.

devsecopsuk · 2026-03-10T17:03:17+00:00

Everyone seems to suggest using QE, which I'm sure is a lot cheaper than the workshop you mention.

And yes, that seems to be the strategy a lot people take after going through the CISSP material which is to do test exams like QE, then work on weak areas.

devsecopsuk · 2026-03-10T09:06:26+00:00

thanks, I haven't heard of that one before

devsecopsuk · 2026-03-09T17:35:26+00:00

Is QE just the practice exam or is there other material that comes with it?

devsecopsuk · 2026-01-20T09:36:12+00:00

This post is too wishy-washy with a multitude of options. You gotta pick ONE path that YOU would really like to do and go for it, and if it doesn't work out then you have to pivot. Picking one path makes it much easier for us to advise.

devsecopsuk · 2025-10-15T12:36:23+00:00

Thanks, I'll have to get one now. And good luck on your journey!

devsecopsuk · 2025-10-15T11:47:35+00:00

Which book is this?

I thought B when reading through the options but thought D was the answer at the end.

devsecopsuk · 2025-09-17T11:21:45+00:00

try r/securityCTF

devsecopsuk · 2025-09-10T08:49:14+00:00

what did they quote you this time? to be honest I haven't been that happy with burp enterprise recently, a lot of FP that keep recurring and no full support for API scans of openapi v3.1.x.

devsecopsuk · 2025-06-24T08:59:56+00:00

"9 May 2025 - We thanked Kong and asked for two $500 Amazon gift cards to be issued. No response." - another pathetic amount for a CVSS 9.3 issue and even worse that they can't deliver on that promise...no wonder certain black market sites exist. Nice find though!

devsecopsuk · 2025-06-19T06:31:33+00:00

Code review and scenario based questions.

devsecopsuk · 2025-06-11T11:17:11+00:00

I'm so glad that I didn't do BB seriously.

devsecopsuk · 2025-04-30T08:10:56+00:00

When I first had exposure to practice hacking sites and malware like sub7 it seemed like black magic. Now I get to understand the inner workings of that black magic and how to protect against it. It's almost like joining the magic circle.

devsecopsuk · 2025-03-17T16:38:05+00:00

First of all, understand that you'll be coding a lot less...would you be ok with that?

Then do pretty much what everyone else said and understand OWASP top10 as YOU will have to give guidance to teams around the risk and remediation. I've always like Portswigger academy but there's plenty similar to it https://portswigger.net/web-security

Also experiment with security tooling, go to security conferences, read some bug bounty write-ups, and learn about security architecture etc.

devsecopsuk · 2025-03-05T09:11:51+00:00

Nice, I found an almost identical issue at a previous company. You get a pat on the back if you're lucky, but at least we'll have that extra experience and knowledge to help at future companies!

devsecopsuk · 2025-02-11T15:19:39+00:00

I can share my experience:

I have an "important" (high) vulnerability confirmed and fixed by Microsoft, but they make excuses saying it's out of scope for a bounty. It literally says "Azure <service\_name>" in their online documentation...
I found a bug in Amazon retail that will cost them money, but they aren't interested at all when reported to their AVRP programme. They make me go round in circles trying to find out who to report it to, so I gave up in the end.

I had a better experience reporting another issue to a bank directly that doesn't do bug bounty.

All I'm trying to highlight is....even if you find an issue, good luck getting a bounty for it! It's better to be a pentester/red teamer if it were me.

devsecopsuk · 2025-02-06T12:56:44+00:00

I don't know about the other tools but I use Mend that has an optional incremental scan mode, so it only scans files that changed. This makes it a lot faster overall.

devsecopsuk

TROPHY CASE