GIAC Launches New Cloud Penetration Tester Certification

On Feb. 16, the SANS Institute launched a new penetration testing certification. The new GIAC Cloud Penetration Tester credential, abbreviated GCPN, extends an already formidable lineup of a handful of penetration testing certs to an even half-dozen.

Also, given the overwhelming and still-growing presence and importance of cloud computing to IT as we know it today, such a credential offers great value to prospective candidates at a good time. Here's how a SANS Institute press release describes the new certification offering:

"The NEW GIAC Cloud Penetration Testing (GCPN) certification proves that practitioners have mastered the skills necessary to conduct cloud-focused penetration testing and assess the security of systems, networks, architecture, and cloud technologies. Professionals who obtain the GCPN certification are qualified to assess and report on the risk that an organization faces if their cloud services are left insecure."

Who's the Target Audience, IT Professional-wise?

GIAC calls out penetration testers, vulnerability analysts, and attack- or defense-focused security practitioners as its core audience. Really, however, this is such a hot and growing area that it should also be of interest to aspiring security practitioners of all stripes, as well as those interested in white hat hacking activities, red team exercises, and so forth.

It's fascinating to me that the GIAC team has such an excellent sense of where the security job market is heading, and equally good timing in terms of providing training and certifications to match emerging needs both quickly and accurately. Here's what I said about the SANS Institute and its GIAC penetration testing certs in a GoCertify story I wrote just last month:

"SANS Penetration Testing (PenTest) Courses — The whole SANS GIAC program has a very high and longstanding reputation for hands-on, reality-based certifications taught by a team of world-class industry experts with impeccable credentials. Their offerings are cost-ish, but worth the money and the time they take to earn."

The topics covered in the class, and on the exam, include the following (quoted verbatim from the SEC588 page):

? Cloud penetration testing fundamentals, environment mapping and service discovery
? AWS and Azure Cloud services and attacks
? Cloud native applications with containers and CI/CD pipelines

I am right now in the process of revising a Wiley book for Red Hat about cloud strategy, and I can tell you that course author Moses Frost is clearly and tightly in the loop about what service providers, technology developers, and cloud consumers need to have covered to improve and promote better cloud security.

Enough Kudos — What's the Deal?

SANS requires (or at least strongly recommends) training prior to taking its cert exams, and charges more for those who "challenge" the exam without taking the pre-requisite course or courses. That said, SANS training is renowned for its depth of coverage, real-world applications, and the sheer awesomeness of its instructors.

The GCPN course is SEC588: Cloud Penetration Testing (find OnDemand and Live Online versions of the class, a syllabus, and other info at the afore-linked web page). Candidates must bring (or use) a clean "properly configured laptop system" to participate in the class (see "Laptop Requirements" on the course page).

The on-demand version provides up to four months of access to the course materials and includes virtual office hours with the course author, Moses Frost. The on-demand version costs $7,020 (U.S.) and the exam costs $799 (U.S.) if taken within 7 days of class completion.

I don't see pricing for those who wait longer, but must guess it's at least $200 (U.S.) more to take extra time between class and exam. Costs for the live online version of the class are the same as on-demand for both training and exam.

See the SEC588-GCPN Scheduling Page for information about course dates and instructors, of which I see five sections scheduled between Feb. 28 and May 10. Note further that the class runs between six and eight days, back-to-back, depending on the session.

As I said, this offering is pretty costly. For those with the skills and interest to tackle the subject matter, however, the payback should be swift and impressive in heft. If this floats your boat, then you'll probably want to check it out further.