Intro
I’ve worked in Cyber Security for about 8 years out of my 12-year IT career. So I thought it might be helpful to recap the certificates I’ve done to go from Performance Engineer to Security Manager during that time.
This isn’t just a list of exam-based certifications. I’ve also included courses that don’t have exams because, at the end of the day, learning is for you. While certifications can help demonstrate your knowledge, what matters most is that you’re actually growing.
Let’s kick off with the very beginning.
Bachelor of IT
This 3-year degree set me back about $30k AUD and covered the basics: programming, networking, math, system design, and more. While the content itself wasn’t worth the time or financial investment in hindsight, it was a crucial step in starting my career. Less important now, but at the time, necessary.
2018: eWPTX – Web Application Penetration Testing Extreme (INE)

Probably a bad move going straight into this one. I wanted a challenge, but I skipped a lot of prerequisite knowledge I had to fill in myself. The course focused on filter evasion for common web attacks. It was arbitrarily difficult at times, but it really forced me to think outside the box. A tough but doable exam.
2019: eCPPT – Penetration Testing Professional (INE)

This was a great course. It covered everything from start to finish: network, system, and web basics. It solidified my understanding of pen testing fundamentals. Challenging but not overwhelming.
2020: OSCP – Offensive Security Certified Professional (OffSec)

What more can I say? OSCP was the definitive certificate at the time. It pushed me hard and sharpened my skills. I wasn’t a fan of the “try harder” culture, but the process helped me develop a solid workflow and a deeper understanding of exploitation and post-exploitation.
2022: CRTO – Red Team Operator (Zero-Point Security)

PTSD from OSCP made me take a two-year break from studying, but CRTO was a brilliant way back in. It deepened my red teaming skills, especially around Active Directory. What I really appreciated was how it approached OPSEC and gave insight into how defenders think. Highly recommend for aspiring red teamers. The exam was straightforward but still challenging.
2023: Sektor7 – Malware Development Essentials and Intermediate

I’d heard good things about Sektor7 and they didn’t disappoint. These courses focus on malware development and obfuscation techniques. Great content for learning how to bypass EDR, and I liked that you get a standalone VM and course material you own forever. No subscription needed.
2024: Red Team Ops II – Zero-Point Security
After another break, I picked up Red Team Ops II. While detailed and technically solid, it didn’t quite have the magic of the first. It leaned more into implant development, which isn’t my focus. I skipped the exam but still found value in the content, especially for those going deeper into tooling and evasion.
2024: Enterprise Defense Administrator (INE)
After years of working defensively, I wanted a formal perspective on blue team strategy. The course covered the essentials of defensive security. I didn’t learn a whole lot, but it was helpful to see how defenders structure their approach. The exam was basic and I passed without needing to study.
2024: HTB Dante Pro Lab
While not a course in the traditional sense, HTB’s pro labs give you a cert of completion. Dante is beginner-friendly and reminded me of OSCP’s PWK labs. Multiple network segments, pivoting, and light exploit dev. It was fun, but I didn’t learn anything groundbreaking.
2024: eCTHP and eCIR – INE
I took these to sharpen my blue team skills. Both focused heavily on SIEMs (Splunk and ELK), and eCTHP had some light memory forensics. Great for learning threat hunting and IR workflows. I didn’t take the exams because the course updates never landed during my subscription.
2025: eDFCP – Digital Forensics Professional (INE)
I tackled this next as INE’s hardest defensive cert. The course delivery is starting to show its age with too much PowerPoint, but the content was still good. I learned a lot about disk forensics and Windows artifacts. Oddly, memory forensics wasn’t included. The exam was tough but manageable. I made it harder than it needed to be by neglecting the timelining section.
2025: TryHackMe – SOC1, SOC2, Security Engineer, and DevSecOps Paths
After getting fed up with outdated INE content, I decided to try TryHackMe’s more modern paths. These were a great mix of educational material, hands-on labs, and challenges. SOC1 in particular stood out for its structure and content. I didn’t do the cert exams. I just wanted the knowledge. The SOC simulator was a fun bonus.
2025: TryHackMe – Offensive Paths
To keep my offensive skills sharp and assess the value for others, I completed THM’s offensive learning paths. The Junior Pen Tester path was solid for beginners, but not enough to solve CTFs solo. The web paths lacked depth and challenge. The Red Team path mirrored the CRTO syllabus but didn’t have the same impact. These could benefit from more hands-on challenges to lock in the learning.
2025: TryHackMe – PreSecurity and Security 101 Paths
Honestly, I did these for the dopamine hits. The content wasn’t a challenge, but I’m a big believer in revisiting the basics. Great starter content for anyone breaking into cyber, and it never hurts to reinforce good habits.
So What’s Next?
I’ll stick with TryHackMe a little longer to finish off the AWS and Azure add-on content and see if they’re worth the cost. After that, I’m considering CISSP or CISM as I move deeper into security management. Architecture, strategy, and leadership are becoming more of a focus.
I’d also like to spend more time experimenting with less spoon-fed content. I want to make more things, break more things, and keep enjoying the ride.
Final Thoughts
The best learning platform is the one you actually enjoy. If it’s fun, you’ll stick with it. Certifications are useful, but don’t chase paper for its own sake. Challenge yourself, fail fast, learn, and keep going.