This post is a repost from my old blog, originally published on March 31, 2022. The English has been lightly polished; the content is unchanged.
My long-term goal is to earn the Offensive Security Certified Professional (OSCP) certification. Ever since I started looking into cybersecurity, the OSCP has always popped up as the certification to obtain. It is meant to demonstrate enough knowledge and expertise in penetration testing to easily land any related job (or so I wish to believe). Even though recent years have seen competitors propose excellent alternatives said to be more realistic and closer to real-world work, even though the “try harder” motto of the OSCP is getting a bad rap all over the place, and even though it is on the expensive side of the certifications market, I have set my mind on obtaining the OSCP one day. That is non-negotiable. I have equated the OSCP to a martial arts black belt: you deserve it once you have been through many years of training, you can’t claim to be good at it without it, but it is only from there that the actual journey starts. It is a goal and a stepping stone at the same time. So regardless of its actual value, it is still a valid and reasonable objective to go after. The problem, though, is that I have no IT experience.
A little bit of background: discovering CompTIA
Even though I tinkered a bit with Linux in my college years and helped some friends and family members clean their Windows installations (back in the days when defragmenting was the solution to everything), I didn’t have any proper IT education and absolutely no real experience that could help me in my quest for the OSCP. Also, my college studies and my job had nothing to do with IT. So how would I go from almost digitally illiterate to cyber-wizard? For quite a long time, I thought it was just a silly dream and I didn’t seriously try to pursue it.
In 2013-2014, I was still interested in the topic, but without knowing what to do, I started learning some Python, created a few simple programs, and gave up after six months, as I got stuck and didn’t see how it would help me anyway. It was around that time that I first heard about the Computing Technology Industry Association (CompTIA), a vendor-neutral IT certification body. They offer many different certifications related to IT, ranging from computer hardware and software to networking, security, and more. In other words, I had finally found something that made sense. I don’t remember exactly how it was presented back then, but nowadays they have a clear roadmap of all the certifications they create, which makes it easier for people like me to know where to go, what to learn, and in which order.
At the time, I decided I would start with the Network+ certification, because I thought that learning about computer networks would be more interesting and useful than learning about computers in general. Even if the A+ certification is supposed to be the first one to get, I went in a different direction. Looking at the resources available, I chose Mike Meyers’ All-in-One Exam Guide (I link all the resources I used at the bottom of this article). I don’t remember whether that was all that was available to me in my region then, or whether I was just very bad at researching information, but I somehow believed it was the only option. So, I started reading the book and took notes as I progressed. It was difficult for three reasons: first, English is not my mother tongue and I was not that fluent back then; second, I really lacked basic IT knowledge, and many concepts were hard to grasp, especially without any real-world practice; and third, I was reading late at night, after exhausting and never-ending days at work. I read a bit more than half the book, and then had to give it up…
Jumping a few years ahead, I discovered IppSec on YouTube. That was eye-opening. Magic was not something out of this world — it was real. I was watching it. Actual wizardry. I didn’t understand anything of what he was doing, but I knew for sure that I wanted to be able to do the same. That is when I looked back at my All-in-One Exam Guide and understood that I wasn’t going to be able to do that if I didn’t go through the proper trials. This is when I decided to give it another try. My new lifestyle allowed for a better work-life balance, which meant more time to properly study. But this time, having learned from my mistakes, I went for the A+ first, and expanded the breadth of my sources.
Going after the CompTIA A+, not exactly the right way
After more research on the web, I got the latest A+ All-in-One Exam Guide, bought the corresponding Udemy courses, and discovered another bald guy who provides CompTIA-related teaching, for free: Professor Messer (teaser: there’s actually a third bald guy who comes in later, but as far as I know, they don’t end up walking into a bar). Retrospectively, the A+ certification was probably the hardest to obtain, just because of how wide the range of topics is. This is probably why CompTIA made it a two-part certification, the first focusing on everything related to hardware, the second on software. You need to pass both to be A+ certified.
I did say before that I had been playing with computers ever since I was young, but nothing at the level, or at the depth, required by this certification: I had to learn how CPUs work exactly, how the different kinds of printers print, what computer screens used to be (and are) made of, how data is saved in RAM versus on an SSD and how it moves around, what is in the Windows Event Viewer and how to retrieve useful information from it, basic Terminal commands for everyday maintenance, safety measures when dealing with specific hardware, and so on. Everything to make you the best computer repair person around. And the above barely scratches the surface.
Looking at the list of exam objectives, I knew it was going to be a long ride. I started my learning with the Mike Meyers Udemy courses. Mike Meyers is a great teacher: he keeps the student engaged, he is funny, and he makes all the concepts very easy to understand. It all clicks very quickly. But the downside of his videos is that they are somewhat superficial and lack quite a bit of the detail and nuance actually required for the exam.
That is all covered in his book. His All-in-One Exam Guide is phone-book huge, and it does contain everything that needs to be learned for the exam, and more. It mixes both the hardware and software parts of the certification, along with historical background and extra pieces of information relevant to future IT technicians but not so much to the exam itself. It is useful to contextualize a lot of the content and to make it more actionable on the job too. I focused on the hardware sections of the book first, since I was going to take the first part of the exam before the other. It took me quite a while to read through everything, take notes, and make sure I didn’t miss anything.
Finally, I watched Professor Messer’s videos to review the topics and have them presented in a different light. Professor Messer’s tone is way drier than Meyers’, but it is so much more to the point: he teaches what is on the exam objectives, exactly, in order, nothing more, nothing less. It was very useful to confirm what was really necessary to know for the exam and to trim down a bit from the mountain of details from Meyers.
At that point, I took a few practice exams on Udemy and on Messer’s site, and felt relatively confident with the results. I booked my test for August 2019 and went for it at an exam center. I hadn’t taken a real test in a while and I remember being very stressed about it. The exam was rough: all my preparation had been based on acquiring knowledge, not so much on practicing. So, the so-called Performance-Based Questions (PBQs) were much harder than I expected. As everyone recommends, I skipped them and did them last. But just looking at them on the way to the Multiple Choice Questions (MCQs) made me worried. The MCQs didn’t help either, and I felt I was failing throughout the exam. The wording is tricky and most of the answers either seem to be the right answer, or none of them. After two hours, I reached the end of the countdown (being a non-native English speaker in a non-English speaking country, I get an extra 30 minutes, so two hours in total). I clicked to continue, my heart was racing, and… before giving you the results, they make you go through a demographics questionnaire, which I wasn’t expecting. I was so anxious about seeing my result that I didn’t notice how many questions there were, and I was frantically clicking away when suddenly the results appeared; at first I didn’t even realize it wasn’t another demographics question. And I had passed! I felt immense relief, and even though it was the very first step of my journey, it amounted to a big accomplishment for me.
So much so that I was extremely exhausted, mostly because I had erroneously given myself only about one month to study. I studied until way too late every day, and that wasn’t healthy or really effective. And it pretty much burnt me out for a while. I wanted to continue right away with the second part of the A+ certification, and I did for a few days, but then my motivation went away… I had just spent so much time and energy that my body told me to stop. And I listened, for about a year and a half…
Completing the A+ with a slightly better approach
At the beginning of 2021, new resolutions and all, I decided it was time to finish what I had started. I drafted a study plan that would take me two months to complete this time, giving me a bit more breathing room, which was very necessary after my first run at it. Even though I should have adjusted more, I continued with the same overall method that worked the first time: started with Meyers’ Udemy courses, followed up with his book and by taking notes, and rounded it all off with Messer’s videos. Because I paced myself better, and also because the content had more to do with software than hardware, it felt less foreign to me and easier to learn. I also started using Quizlet, which allows learners to create their own flashcards. It helped a lot to review everything in an efficient way. I ended up with 570 cards, which was quite a lot to create and go through (wait until we get to Security+…), but very helpful.
After two months of going through all this material, I booked the exam. This time, because of COVID, I had no choice but to take the exam at home. I thought it would be more relaxing, being in the comfort of my own place; it didn’t exactly go that way. Pearson’s OnVUE system is used for this, and the software was pretty smooth. However, on the day of the exam, as per the instructions on their website, there is a whole verification process that was way more complicated than I expected: I had to show my entire room through my webcam, which is of course stuck to my laptop, so not the most comfortable way of doing so; they made me take a picture of my ID, but their application didn’t allow switching cameras on my phone (so I had to take a full picture of my passport in selfie mode); and then they said they can call you in case something is wrong, but you are not allowed to have your phone with you, nor to make any sound, so you never know if they’re calling you or not. And then you wait…
Until, finally, the exam is loaded into the software and it starts. The webcam has to be on at all times, and it is recommended not to move, to keep your eyes on the screen, not to read the questions out loud, and so on. Some people seem to have had very bad experiences with them, but for me — except for the registration process, which can really be improved and caused me unnecessary stress — the rest of it went very smoothly, at least in terms of the “taking your exam at home” experience. The questions themselves were quite on par with the first exam, and even though I thought that I knew software a bit better than hardware, the exam ended up being harder than the first one. I remember that I had no idea what to do for one PBQ and another one was very shady. Nonetheless, at the end of the two hours, my heart raced again, but I remembered the demographics questions, so I knew I wasn’t going to get my result right away. Ultimately, the good news was delivered: at the beginning of March 2021, I was now officially A+ certified!
Yet, again, I felt burnt out. Two months was not enough time, at my level, to absorb all the A+ content properly, and it led me to take another six months off any kind of real studying. More than that, I still failed to see any relevance to IT security. I had studied so many concepts, but only a few of them really seemed to bring me in the right direction… As I kept watching IppSec on YouTube, I was wondering how anything I had learned was relevant. However, what I also started to realize is that the more I watched him, the more I understood (still very little), and some parts here and there were actually mentioned in the A+ content. So, I guess it wasn’t so bad after all.
Going after the Network+ with the arrival of a third teacher
In September 2021, I decided it was time to jump back on the horse and bring the cavalcade to Network+. I was still reading about other people studying, passing, or failing the exam, and one name came up quite a bit: Jason Dion, the third part of the CBT (not Computer-Based Training, but the CompTIA Bald Trinity, an unofficial term). Everyone was praising how good his practice exams were, so I wanted to give his content a try. I ended up getting his full course on his website (instead of the Udemy course), because it had simulations. Seeing how the PBQs were problematic for me, this could be a good solution to practice. His course was easy to understand and follow, as it is organized in a logical way and progresses incrementally, building up on concepts seen previously. The simulations were a bit disappointing, however — a bit slow, and some of them didn’t seem relevant for the exam; some others, though, were really good. Overall, they did teach me some practical concepts about networking, and complemented with the rest of the videos, that was a good experience.
That being said, looking at the exam objectives provided by CompTIA, it looked like some points were not really touched on, or only too briefly. So, I went back to Professor Messer to review the entire course once again, through his methodical per-objective lessons, which once again really helped refine my understanding. As I watched his videos, I took notes directly into Quizlet, and if something seemed off, I went back to Dion’s videos to update them. This time, I didn’t take notes while reading the Network+ All-in-One Exam Guide, but I did read it, a little bit every night before bed. This was actually a huge improvement in my studying method: it took less time, and my notes were more to the point and accurate.
I also discovered the Pocket Prep “IT & Security” app (Apple Store), which has many different questions related to various certifications, including the main CompTIA ones. Their questions are not worded exactly like the questions from the exam, but rather focused on making sure that the little nuances between similar terms or concepts are well understood. It was very useful for understanding the networking notions better. I did 20 questions a day for a month.
I finished with Meyers’ Udemy course, to review the overall concepts, and it was still very pleasant to see him goof around while making complex topics very easy to understand. This helps cool things down a bit, while making sure the main core of the exam is well grasped. I then took Dion’s and Meyers’ practice exams (Messer didn’t have any), and was rather satisfied with the results, so I booked my exam for mid-November. This time, I went back to the exam center.
The exam went great. Even though it was still tricky and the wording of some questions was really head-banging, the majority of the questions seemed rather easy. Dion’s practice exams had questions very similar to those in the actual exam (either in wording or in substance), which helped a lot. Conversely, Meyers’ practice tests are always a bit sub-par and seem to recycle questions from previous versions of the exam. Anyway, for once, I was quite confident that it went well. And it did, as I passed with more than 850 points (out of 900), which was even better than all the practice tests I had taken. After three exams successfully passed on my first try, there was only one left: Security+.
This time, I had given myself about two and a half months to study and review my notes. The content of Network+ was very interesting and I could see how a good part of it was relevant to cybersecurity. So, this time, I stayed quite motivated and decided I shouldn’t wait too long before taking the Security+ certification. I just gave myself about a month, and right at the beginning of January 2022, I started my study plan for Security+.
The final boss (Security+) and my definitive study recommendations for the CompTIA Trifecta
After reflecting quite a bit on my past methods, I decided to make the following plan for the Security+. It is also what I would actually recommend anyone do for any of the Trifecta certifications, as it gave me the best results and the healthiest way to retain the knowledge:
1. Start with Professor Messer’s lessons. They are dry, they don’t go in any logical order, but it doesn’t matter. This is what is required to know for the exam, and it follows closely the official exam objectives to make sure that every item is covered. If you learn just that, you are already well prepared.
2. Take notes in Quizlet, for each of the lessons and concepts above. That way, when you need to review something from the exam objectives, you know right away where to look.
3. Continue with Jason Dion’s course. It does cover pretty much every item too, but in a logical order, which helps contextualize the different concepts. The simulations were also much more interesting than for Network+, and I recommend them, as they were quite helpful this time. He also mentions what is necessary to remember and what can be skipped: most of the time, the indications seemed to be accurate (but no need to learn all the port numbers — just the main ones from Network+ are enough).
4. Jump into Mike Meyers’ Udemy course. Unfortunately, it is not just Mike Meyers in this course, and his colleague, while very knowledgeable and professional, doesn’t have the same goofy tone that Mike Meyers does. Some people might prefer that, but after watching Messer’s and Dion’s, something less monotone would have been nice. Nonetheless, the content quality is quite high, and it helped complete the Quizlet notes wherever necessary.
5. While doing 1, 2, 3, and 4, I also read Meyers’ Security+ All-in-One Exam Guide at night, ten pages a day, including the exam objectives and the Index sections. Once again, this was extremely detailed, going into all the nuances necessary for the exam, and beyond. The last parts of the book were a good help to make sure that no acronym or name was left unknown.
6. While doing 1, 2, 3, 4, and 5, I used the Pocket Prep “IT & Security” app again, and as with Network+, it was a good way to make the distinction between different but closely related terms. Ten questions a day for two months — that was a good pace.
7. Go through the official CompTIA exam objectives one more time and make sure to read about all the acronyms too. The first part seems to have become obvious for most people, but I haven’t seen many people talk about the acronyms. While there is no actual question in the exam asking what a particular acronym stands for, they still use them as if they were all known. It threw me off for a few questions in the past. After reviewing each term, either through my Quizlet notes or via a quick Google search, I was actually able to find the answers to two questions in the exam that I wouldn’t have caught by just going through the other courses.
8. Finish with reviewing the Quizlet notes (this time, a good 991 cards!) while taking as many practice exams as possible. I recommend, in order, Messer’s, Dion’s, and then Meyers’. Messer’s and Dion’s are the closest to the actual exam and they really helped. Meyers’, as always, are not that necessary, but still good to have for another angle, to make sure the concepts are well mastered.
The above took me a little less than three months, and I never felt that I was rushed or doing too much at once. For me, that was the ideal order and the ideal pace. I had booked my exam after the end of step 4. After successfully passing the first two parts of the Trifecta, I worried that I would trip up now, so close to the finish line. The last few days were quite stressful. I knew the exam was going to throw me some curveballs, with their annoying wording, but at least I was expecting it. Back to the exam center, I looked briefly at the PBQs and saw that at least there was nothing unfamiliar, so I jumped right into the MCQs. Overall, some very easy ones, and as always, some where the different choices could all have been correct too. I went back to the PBQs at the end, and did two out of three pretty easily; the third one not so much, but that was my own fault for not reviewing how to practice that particular point. Anyhow, after all this, I thought that it felt similar to the experience I had taking the practice exams in the weeks before this, and expected to have a similar positive result. And I wasn’t wrong — I passed with exactly 800 points out of 900.
Phew! Finally! I discovered CompTIA back in 2014, and eight years later, I finally accomplished the CompTIA Trifecta: A+, Network+, and Security+. I don’t think they will help me get a job per se (and I don’t need one right now, I already have one), but I wanted to take them mostly for the knowledge that comes with them. It gradually went from content that seemed quite far off to really on point with cybersecurity. That feels great!
Now when I watch IppSec, I’m not entirely lost anymore, and the magic starts to make more sense to me: I understand more or less what he is doing or what he is talking about. And taking the three CompTIA certifications certainly had a huge role in that. Now, at the same time, I have to admit that 90% of that content is theoretical: I know of cybersecurity a bit more, but I can’t do it yet.
This is why, before going further down the cybersecurity rabbit hole, and in order to continue establishing some solid core competencies, I will (re)learn Linux more in depth, as it will be the main tool used for pentesting down the road. It will also be a good way for me to review and further my knowledge of Bash scripting, which doesn’t seem to be too superfluous in that industry. After that, I will also restart my learning of Python and start building some tools. After the very theoretical exams, I want to do something more practical now. That is why the rest of 2022 will be dedicated to Linux first, and then Python. I don’t expect to be “fluent” by the end of the year, but to know enough to keep learning as I then move into concrete penetration testing learning. But that will be for 2023.
My seven recommended resources to pass the CompTIA Trifecta
- Take Professor Messer’s courses and practice exams
- Take notes as Quizlet flashcards for each exam objective (or any other similar app)
- Take Jason Dion’s courses (with simulations) and practice exams (also available on Udemy)
- Take Mike Meyers’ courses and (optionally) practice exams
- Read Mike Meyers’ All-in-One Exam Guides
- Download the Pocket Prep “IT & Security” app (or any other similar app)
- Review thoroughly all the official exam objectives