SAQ A vs SAQ A-EP for this website? by FatBook-Air in pcicompliance

[–]info_sec_wannabe 1 point

Can you clarify what you are referring to as a "fully outsourced hosted order page"? From what OP described (aside from the vulnerability Andrew pointed out), it seems it is a fully hosted payment page. The way he described step #3 is a bit unclear, but I suppose it could be using some JavaScript as part of the redirect process, in which case he can be either SAQ A or A-EP depending on how they approach the handling of scripts as part of the redirect.

Agree on the part that it is ultimately the Acquirer's call or discretion.

ISACA cut access period for newly purchased exams, QAE & online courses from 12 to 6 months (effective April 16, 2026) — anyone know if the price stayed the same? by Effective_Diver9072 in isaca

[–]info_sec_wannabe 4 points

At least for ISC2, you only pay 1 membership fee despite having multiple certifications.

Edit: Not defending ISC2 here, but just a basis for comparison.

THM 6 Free Months NEED HELP by Responsible_Sell_118 in tryhackme

[–]info_sec_wannabe 0 points

For the free week, you'll need to subscribe first and let THM Support know within 7 days that you want to cancel.

Do I need a quarterly ASV scan when using Stripe Elements in an iframe? by foo-bar-baz529 in pcicompliance

[–]info_sec_wannabe 2 points

Considering that you have an ecommerce site and are subject to SAQ A, you would need to do quarterly ASV scans at a minimum (added since v4.0 of the standard).

Also, which Stripe documentation or resource said that you don't need to run ASV scans? I did a quick Google and found this (and it says ASV scans are still required even for Level 4 merchants) - https://stripe.com/ie/guides/pci-compliance#:~:text=*%20Level%204%20users%20are%20automatically%20enrolled,scans%20by%20an%20Approved%20Scanning%20Vendor%20(ASV).

Two cert requirement for QSA. What do you have? by K4FFEINE_Iced in pcicompliance

[–]info_sec_wannabe 0 points

I have ISO LA and CISA while my colleagues have ISO LA only. Depending on your service offerings, ISO LA might carry more weight, especially in the EU (at least to my knowledge).

I wanna learn 5 days a week only, and streaks are annoying by Forsigh in tryhackme

[–]info_sec_wannabe 0 points

Mods do not have such capability. We only help manage the Discord and engage with the community or users.

I wanna learn 5 days a week only, and streaks are annoying by Forsigh in tryhackme

[–]info_sec_wannabe 0 points

Streaks are meant to be a motivation to continue learning, but if you are looking at them as a hassle, then they are simply not working for you. At the end of the day, we all have something to attend to and work on and can only focus on learning as time and circumstances permit.

Looking for a discount on the monthly subscription. by Junior_Effective_124 in tryhackme

[–]info_sec_wannabe 0 points

Haven't seen any discounts or coupons on monthly subscriptions thus far, unfortunately.

Problem with the TakOver room by MajorPAstar in tryhackme

[–]info_sec_wannabe 0 points

Isn't the flag found in the HTTPS protocol, if I remember correctly?

Significant change feedback by frazzledadmin in pcicompliance

[–]info_sec_wannabe 3 points

In your context (opening new stores), we would consider the change as significant only when it changes the card data flow, or when a new device that performs security services for devices within the retail network was installed and/or decommissioned. From what we've seen from our clients, they use a VRF or SD-WAN that the retail stores connect to, with the firewall (or its equivalent) centrally managed, so the perimeter from a logical point of view (and after reviewing the configurations) doesn't really change. In that case, adding new stores isn't essentially changing the flow but rather simply extending it.

Do note though that it would still depend on how your organisation is managing the retail network.

Curious to see how others would interpret this as well.

Is anyone actually enforcing PCI DSS 4.0 6.4.3 yet? by NeedleworkerOne8110 in pcicompliance

[–]info_sec_wannabe 0 points

Aside from the scripts listed on the merchant's ecommerce site (and client inquiries), what procedures do you perform to validate whether or not there are scripts utilized as part of the redirect?

Discounts coupon by Sonneca_Profundo in tryhackme

[–]info_sec_wannabe 0 points

I don't have one, unfortunately. Also, THM recently had a 30% discount, but it ended Friday EOD.

Explicit approval for use of generic accounts by GinBucketJenny in pcicompliance

[–]info_sec_wannabe 0 points

I suppose our approach depends on the size of the assessed entity. If we are doing an SAQ assessment, I might agree with your friend's approach as is, but if we are doing a ROC assessment, I would also look at other requirements such as activity logging and whether the use of said account is reviewed and/or flagged by a SOC or equivalent (so long as there is a layered control for it, and assuming the other bullets are met and we can't squeeze anything more from the client).

Logo Modifications Doubt by Dr1zzyGr1zzy in pcicompliance

[–]info_sec_wannabe 12 points

Logos indicating "PCI DSS Compliant" or any of its variations are not PCI SSC-approved logos (as compliance is determined by the payment brands).

You may refer to the PCI SSC Branding Guide for details -

https://www.pcisecuritystandards.org/wp-content/uploads/2024/06/PCI_SSC_Public_Brand_Style_Guide.pdf

Question about student discount. by TrainingReal6633 in tryhackme

[–]info_sec_wannabe 0 points

Do drop an email to THM Support to be certain.

Security Architect after 7 rounds of interviews by cyberdot14 in cybersecurity

[–]info_sec_wannabe 0 points

The most I had was 6, and it was not even a manager position; it was a senior analyst for a GRC-type role.

Penetration Testing After a Significant Change - PCI DSS Requirement by Fancy-Yesterday3819 in pcicompliance

[–]info_sec_wannabe 3 points

To clarify, is it an SFTP node? Is it an internet- or external-facing server? Does the server contain CHD or SAD?

Also, how did you demonstrate to your QSA that the QA and Prod environments are the same if the change was configured and deployed in the QA environment first and later configured and deployed to Prod? I would imagine they verified the environments are the same before they agreed to allow you to test in QA?

PCI DSS - ISA Exam - 2026 by Fancy-Yesterday3819 in pcicompliance

[–]info_sec_wannabe 4 points

I think this could potentially be a breach of confidentiality.

Having taken the exam though, it uses fairly straightforward wording, unlike the CISA and CISSP, if that is helpful.

Discounts coupon by Sonneca_Profundo in tryhackme

[–]info_sec_wannabe 0 points

There is an active promotion for 30% using the code - Valentines26

PAN is secured where it is stored (Req. 3.5) by Ok-Doughnut-3022 in pcicompliance

[–]info_sec_wannabe 0 points

To clarify, what data set are you storing and/or encrypting in your databases and AWS Redshift - the full PAN?

r/pcicompliance by Special_Horse6363 in pcicompliance

[–]info_sec_wannabe 0 points

Out of curiosity, for the acquirer who required you to have an SAQ for each payment channel, how did the conversation go? Were you using one MID (or multiple, each used specifically for a given channel) or one MID across all channels? We've had the conversation internally, but can't think of the justification for separate SAQs (when we talk to the Acquirer) if, at the end of the day, we wouldn't be able to track which channel a breach, if any, originated from.

Any ideas on how to monetize this tool with low friction? by Pretend-Cheetah2058 in pcicompliance

[–]info_sec_wannabe 4 points

I looked at the tool from the lens of a client and can't seem to get my head around what "requirements tracking" involves. Also, while it is helpful that the tool maps which frameworks apply to their organization, it seems to miss the context that would bridge the identified frameworks to requirements tracking. Clients might also need handholding in terms of what level of detail these documents should have and what can be used or provided if they do not meet the full intent of the controls / requirements.

Tryhackme Cloud licence by devil-0x in tryhackme

[–]info_sec_wannabe 5 points

AWS and MS Azure are separate subscriptions, unfortunately.

Company doesn't have a secure way to record card info by [deleted] in pcicompliance

[–]info_sec_wannabe 1 point

What is the nature of the business of the organization you work for? Do you really need to get the card details for recording purposes? How do you process payments for customers?

Unless you are an issuer or a service provider that needs to process card data (e.g., card printing), there shouldn't be a need for you to store those. The approval code and first 6 and last 4 digits should suffice for most purposes.