How I Got 20+ certifications and an MS Degree for Under $7,000
A Lesson in Resourcefulness for Cybersecurity Knowledge / Career Advancement
Okay, I lied. Truthfully, I have only paid about $570 for nearly $9,000 worth of cybersecurity certifications and the MS degree. However, my employer (H2L Solutions) has a generous reimbursement program, which I used to cover roughly $6,500 of the $9,000 total value, over a 3-year span. The other nearly $2,000 in value was wiped out with vendor specials and beta exams. However, even without the reimbursement option, I still could have managed to come out with over 20 certifications and a Master’s degree for under the cost of a typical year of college or a ‘prestigious’ cyber boot camp. In the rest of this blog, I’ll go through what I did to help anyone else who may be looking to learn while reducing costs.
I’m a really big fan of free. Growing up in a blue-collar Appalachian area, it was second nature for me to work hard and always look for ways to minimize costs. My family was conservative with money, and I understood that most resources can go a long way if used properly. Naturally, I’ve really taken to the Internet and researching all the options. I still live by the philosophy that you must not pay for anything until you’ve exhausted all of the free options first. Think of it like an event with free food when you’re a broke college student.
In the case of cybersecurity, continuing education is a fairly big deal (cert vendors are also inflating this concept). In the cybersecurity industry, you can’t go far without seeing talk about certifications (OSCP+ drama, anyone?), degrees, and boot camps. And even with so much discussion, no one can definitively answer what’s required or best able to help land a cybersecurity job or advance in this profession. The issue is due to multiple reasons: there is no central credential authority such as found in other professions, it is very difficult to validate skills or knowledge, and cybersecurity is big on the concept of “the next big thing”. There are many red team / “hacking” certifications, and in the last few years, multiple blue team / SOC certs have shown up. Each vendor is looking to one-up the other, or copy what someone else is doing. This is why you could seemingly pull a certification vendor from a hat and find the same standard exam choices (red team, blue team, cloud). They will all try to tell you why their exam is better than the rest, but the reality is none really provide more tangible benefits over the others (with the exception of certain government requirements). Variety is good for capitalism, but bad for clarity. Just take a look at Paul Jerimy’s Security Certification Roadmap to understand how crazy the certification industry is in cybersecurity.
After reading the article From High School to Cyber Ninja—For Free (Almost)! by Carie Roberts, and seeing some of the similarities I share with her recommendations, I thought it’d be useful to share my cybersecurity credential journey, why I did things in the manner I did, and some tips for making the most of your career journey in cybersecurity. Definitely give her article a read as she includes some free training options that I don’t cover here. I do highly recommend TryHackMe or Hack The Box Academy for anyone looking to learn practical skills in cybersecurity. If I’m honest, I’d almost say that these modules offer better value than most colleges when it comes to strictly learning cybersecurity-related topics, skills, and ideas.
Now first things first, if you’re going to start down the certification path, it’s wise to make a plan. Of course, a vendor is bound to throw in a special deal at the most inopportune time to shake up that plan, but planning is important nonetheless. Also make sure to consider CPEs beforehand. Having 7 different certification organizations will get tiring, and you’ll probably stop renewing certain certs since they will offer no value in return for the yearly charge and time requirements to fulfill those CPEs. When thinking of cost, do also factor in those yearly charges once the certification is obtained. For example, ISC2 CISSP has a yearly charge of $125, so for the exam and 3 years of charges you’re looking at $1,125. Here is something I made to help me plan and track my certifications and education: Cyber Portfolio Guide. This can be used to track certifications, courses & CPEs, CTFs & Labs, Books, and more since it’s customizable.
Certifications
So I have probably gone a little overboard on the certifications, if I’m being honest. But I enjoy achievements, and like to challenge myself / take tests, so it’s only a slight addiction ;). A quick note on certifications: they probably won’t get you a job but they may help you get an interview, and their largest benefit is targeted learning. Certifications allow you to focus on what you want to learn next when swimming in the deep depths of cybersecurity-related information. They don’t really prove that you can perform a job, more that you can complete certain tasks. The ‘requirement’ of holding a certification is really only enforced at the government level, with places like DoD requiring certain roles to possess certain active certifications. It’s well known that some of the best cybersecurity practitioners have next to no certifications, but they have skills and knowledge that are worth a fortune. Here’s a quick breakdown of each certification I obtained, in chronological order.
Below details order/legend: Certification - amount I paid, standard price, reason for discount
Security+ - $220, $404, CompTIA student discount
Pentest+ - $50, $404, beta exam voucher
INE Cloud Fundamentals - $0, $0, beta exam version (discontinued and replaced by ICCA)
CySA+ - $0, $404, work reimbursement program
CertNexus CyberSec First Responder (CFR) - $0, $350, version 4 beta exam voucher
INE ICCA - $0, $99, beta exam voucher since Cloud Fundamentals was held
MITRE ATT&CK Defender (MAD) program - $299, $499, early version special price
MAD Cyber Threat Intelligence
MAD SOC Assessment
MAD Detection Engineering and Threat Hunting
MAD Adversary Emulation Methodology
MAD Purple Teaming Methodology
MSFT SC-900 - $0, $99, free for DoD personnel, contractors, etc.
ISC2 Certified in Cybersecurity (CC) - $0, $0, ISC2 offers this free
MSFT MS-900 - $0, $99, free for DoD personnel, contractors, etc.
MSFT AZ-900 - $0, $99, free for DoD personnel, contractors, etc.
Splunk Certified Cybersecurity Defense Analyst - $0, $130, beta exam voucher
CCSK v4 - $0, $394, got for half price holiday special ($197) and used work reimbursement program
CASP+ - $0, $509, came with WGU degree
Certified Network Security Practitioner (CNSP) - $0, $99, vendor special event
CISSP - $0, $749, work reimbursement program
BTL 1 - $0, $515, work reimbursement program
If you analyze some trends above, you’ll see that I took advantage of beta exams and my work reimbursement program to avoid paying full price for even one certification. If there is a beta exam available for a new exam version (and there often is one every three years) go for that first. The discounts are great (up to 90%). Sometimes I would even research when exam versions are set to expire, to get an idea when the beta will show up, if considering an exam to take down the road. Some vendors do not do beta exams, but others like CompTIA almost always do. Also make sure to look into student discounts if you are in college. These can be a bit more difficult to find, but can often save you up to 30% on an exam voucher and many vendors do offer the discount.
Regarding the order, I started with fundamental certifications that covered a broad range of materials (Sec+, PenTest+, INE Cloud, CySA+). Once I covered the basics, I approached items that were relevant to my work and focused on topics of interest (MSFT cloud / security certs, MAD certs, Splunk). After roughly 3 years of work experience, I decided to jump to the advanced certs (CASP+, CISSP) that can actually open up new doors. CISSP does have a 5 year experience requirement, but I went ahead and took the exam at like 2.5 years, then added on the 1 year allowance for a degree.
After that point, there really wasn’t any cert that would boost my resume, so I have now chosen to take ones that seem fun, unique, or cover good content. BTL 1 was the first ‘just for fun’ exam for me, and I have my eyes set on OSCP here soon. You may see that I don’t have any SANS at the moment. I have honestly never been able to justify the cost/benefit for these. HR never requires SANS, and while I’m sure the content is great, I can’t put down 8k on a single cert. This could change in the future if I can find a discounted path (I do love me a challenge coin). If I do, and find it to be better than all the free or cheaper options, I’ll make sure to update this blog.
Another thing I have done, that may or may not be right for you, is that I have made it a point to not pay for vendor training/course prep along with exam vouchers. I have either found free materials on the internet, utilized info that came with the exam voucher free of charge, or simply relied on previous knowledge/experience, for every test I have taken. Some decent free materials include Professor Messer for CompTIA, and YouTube videos like Destination Certification and the FRSecure CISSP training program for the CISSP.
Master’s Degree WGU MSCSIA
For the reasons behind why I chose the Master’s degree program that I did, go check out my previous blog WGU MSCSIA Review. It details why I landed on WGU plus my experience with the courses.
I was able to complete the degree in a single semester, thanks to a few existing certifications + my incredibly good looks and humor. Ok maybe not the good looks or humor, but I did already have a BS in cyber and had worked full time in cyber consulting for over 3 years at that point, so I was able to accelerate the courses. Since one semester of tuition costs $4,655 at WGU in 2024, and I receive a yearly education budget of up to $5,000, I would be able to get the entire degree covered if I could complete it in one semester (or two semesters, one in 2023 and one in 2024). I planned to attempt completion in just one semester, and with only requiring 7 courses, decided it’d be doable. I don’t recommend the path for everyone, especially if your employer has a traditional tuition reimbursement plan, or if you enjoy spending your free time doing things that are not cyber related. At that point in my life, I was doing cyber by day and by night.
I don’t regret it at all, but I also went into the program knowing that an MS in cyber would not really enhance my job prospects at all. Experience is king in cybersecurity, so if you have to decide between cyber education or working in something that could include cybersecurity efforts even just a little, choose work every time. You will be more marketable as a system admin or network engineer than having an MS in Cybersecurity.
Final Tips and Tricks
I won’t lie to you and say that being resourceful is the easy way to go. But I would always recommend it. I started this journey back in 2020, the year of our Lord (and covid), when I took the Security+ exam after sitting at home applying to jobs for a few months. Fresh out of undergrad in 2020 was not an easy time, and I needed to make my resources go far. It’d take me five months to finally land a cybersecurity job. But it has been worth it. I truly believe that most people have no clue how useful the internet can be, and just how much can be learned for free. Of course typical learning methods like certifications, CTFs, labs (THM, HTB) are great, but a very underrated learning manner that I have found is reading from those that really know what they’re doing. LinkedIn has helped me learn a lot by just viewing the unvetted thoughts and opinions of others. Getting a glimpse into the minds of security experts at organizations around the globe is priceless. Twitter/X used to be big for infosec, but it’s lost some users as of late. Lots of orgs/training sites also have Discord channels, blogs, or even the random AMA for further communication and learning.
If I can do it, so can you. But please do the research, find information for yourself, don’t think that certs or degrees will save you or change your job prospects, and heavily research any boot camp that you may be considering. I don’t believe that any boot camp is worth the costs when almost all of the information can be found online for free or very low charges. To hear even more about my journey, and some more advice, check out my episode on The Bearded IT Dad.
No one will advocate for your career as much as you do, so it is worthwhile to engage in self-learning to put yourself in the best position for future opportunities. If you rely on your current job or an instructor to teach you, you will only go as far as they can support (or your wallet can). Put control of your career in your own hands, learn a lot, and spend minimal $$$.