🔴 Executive Offense Issue #12 - The Training Landscape Pt. 1

Notes from the trenches...

Intro

In past issues, we have explored certain subsections of cybersecurity training, most specifically secure coding and, in some places, mobile security, all with a focus on free resources.

This week and next, we will be zooming out a bit to focus on the broader training community and some of the criteria I use to rate training for a modern security program or individual.

Now, I always want to be upfront with you all. The sponsor of Executive Offense for the next five weeks is one of the vendors I'm going to talk about today and is highly rated in my criteria. I can assure you that these two things happened independently. OffSec.com was happy to be included in the entities we're going to discuss today, but I was under no obligation to rate them highly.

So, with that said, let's jump in and discuss some of these AWESOME resources.

The Training Landscape

Training in cybersecurity has exploded over the past three years.

I can remember a time when there were basically only a few vendors in the field, and among those vendors, the topics were very static, mostly clinging to the most sought-after jobs, like penetration testing and offensive security.

But over the past 2-3 years, individual practitioners with high levels of skill have started to create their own standalone trainings as side hustles or deployable labs on several platforms. In addition, there are more and more platforms to choose from these days.

So, what makes me uniquely situated to talk about training in cybersecurity? Well, I have taken almost all of them myself, from some of the big platforms that we're going to talk about today down to the individual classes that I think are disrupting the market. And I myself have started a training company, which I would qualify as a boutique trainer. Some of my closest friends and mentors are world-renowned trainers, and I keep a close eye on the landscape itself. If I haven't taken one of the courses on the list, I've made a special effort to interview at least two recent students for the training.

My Personal Training Criteria

Need: In the cybersecurity training world, you usually have one of two needs: either you are an individual looking to uplevel your skills and prospects, or you are an organization attempting to uplevel your staff. I wanted to ensure that all of the resources we discuss today cater to both of these needs.

Breadth of Content: These days, it's not enough to be a specialist. Often in cybersecurity, we are multidisciplinary, and modern security programs ask a lot of us. This means I prefer and rate highly sources of training that offer a breadth of content. In the modern security world, it's not always red and blue anymore; there are shades of purple, and skills that extend beyond the bits and bytes.

Live, Real-World Labs: Another section I put emphasis on is real-world application. It's hard these days to land in a role without being able to prove performance. While some people who are just getting their foot in the door might lack this experience, real-world labs help bridge that gap by letting employers know they have the familiarity with the tools and techniques they need.

World-Class Instructors: When I engage in training, I want to know that the instructor teaching the topic is a world-class practitioner. I want all the juicy tips and tricks, stories, context, and opinions that make training more than just book study and labs.

Student-Enabling: Lastly, if I'm thinking about #1 on this list, I also want to make sure that the training has a tangible impact on the career of the learner. This means that certification and recognition of that certification are very important.

Disclaimer: though I'm pretty plugged into the training scene, I'm bound to miss some really great platforms. Even with the best research, if you know of one or I've made an error, please kindly DM me on Twitter or LinkedIn, and I can get it added/corrected.

Now, in no particular order, but with my criteria discussed, let's explore some of the best cybersecurity training companies that I want to talk about in 2024!

The Big Three

TryHackMe

TryHackMe has definitely been on a tear over the past five years, elevating their rooms and their content. They delineate their training into paths full of rooms, each as a bite-sized, modular training. In the NEED category, they offer the platform to both individuals and organizations but seem to cater more towards individuals. Interesting to note, they are also one of the only platforms to offer King of the Hill rooms that exercise live attackers and defenders in real-world labs, which is pretty unique. Their breadth of content covers red, blue, and purple topics, and they have several networks that emulate real-world scenarios.

Many of the training rooms are mostly written instruction and Q&A, so if you are a visual or auditory learner, just know that it might be sparse. One of the things about TryHackMe is that some instruction for a lot of the modules is created by students. This isn't a ding on the students or the TryHackMe room creators, just a note. Since their instruction methods are text only (well, they do have a tiny bit of sparse video), they are missing that instructor-led context, stories, tips, tricks, and opinions I love. That isn't to say the content is not good; it is just a note.

Finally, as far as how a student will be enabled from TryHackMe, well, it's very interesting. TryHackMe has several forms of gamification built into the platform, and I've seen a lot of entry-level cybersecurity applicants reference their TryHackMe stats on their resume. It definitely does not have the pedigree that some certifications have in the industry, but it is gaining traction fast.

OffSec

OffSec (formerly known as Offensive Security) is an absolute titan in the cybersecurity training realm. Originally founded by one of the most elite pentesters in the industry, Muts, it was the only game in town for quite a while, and for good reason. The original training offerings were mostly for offensive security and were the best content that existed as far as penetration testing went. They were also one of the most coveted advanced certifications, especially for those heading into their advanced topics on exploitation.

The modern look of OffSec, though, has grown. OffSec has both tremendous individual and corporate packages and has branched out into new domains. True to their namesake, they still have some of the best courses in penetration testing, web application security, and exploit development, but they are also branching out into blue team content and security operations.

Their live lab infrastructure and cyber ranges are usually ranked and discussed as some of the best in the industry. While their breadth of content is not quite as wide as some of the platforms on this list, their content is world-renowned and taught by hardcore practitioners from the field.

As far as student-enabling goes, an OffSec certification is a gold standard in the cybersecurity scene. HR, recruiters, and interviewers all know to look for OffSec certs. This is primarily due to the comprehensive and in-depth process that is required to attain one of the certifications. OffSec offers a blend of visual (video) and text-based learning, augmented by the real and practical networks in their cyber ranges.

HackTheBox

Among all the platforms that I review today, I think the one that has had one of the most meteoric rises in the last three years has been HackTheBox. While some of the platforms on this list have dominated the scene for quite a while, HackTheBox managed to claw away a significant share of the market with their original offering, which was bite-sized scenario hacking, and now their Academy and Skill Paths.

Admittedly, one of my blind spots was in the “need” area, where I know that HackTheBox offers solutions to enterprises. I met with them to check out the corporate platform, and it offers the “all-you-can” model of Academy and the regular boxes, and it has some additional custom content like their cloud pentesting. As far as breadth of content goes, Hack The Box has started to move into a lot more blue team and incident response content as part of their Academy offering. Some of it is very good.

Another area of opaqueness was the instructors. Very similar to TryHackMe, there were some early administrators who built some of the “box” content and then went on to build “Academy” content and certifications. On top of that, some non-Academy content is also user-submitted but reviewed by the team at Hack The Box (including ippsec, who is one of MY favorite content creators). I know these people by reputation to be very skilled. An additional point here is that most of Hack The Box is text-based learning and CTF-style engagement. This, again, lacks in some areas of providing tips and tricks, stories, context, and opinions. Their lab and cyber range content is fantastic. Their certifications and exams are rigorous and respected inside the technical community but not quite at the level of SANS or OffSec certifications in terms of HR and hiring manager love.

Outro

So, this was already a long one… and many of you may be asking… what about XYZ Training entity? What about new-school individual training outfits?

Well, that's why we're splitting this topic into a few issues, over a few months. On deck:

SANS, Letsdefend, AntiSyphon, TCM, CyberDefenders, Web Security Academy, Pentester Lab, APISec University, ZeroPoint Security, Altered Security, Sektor 7, Xintra, RedSiege, Appsec Engineer, Applied Network Defense, Binary Offense, BreakDev, Cyber Warfare Labs, Cybrary, Dark Vortex, MalDevAcademy, and more! If I missed your training in the above list, and you wish to be included, do not hesitate to contact me at [email protected]

Until then, happy training!