My Problem With IACRB and InfoSec Institute — They Straight Up Lie

Aug 25, 2021

So this blog post is crazy late, like six months late, but here it is. I have some serious problems with the “Information Assurance Certification Review Board” (IACRB), and InfoSec Institute, and I wanted to at least write up my thoughts and publicly publish them in case anyone was looking at the courses.

Some Background

In February of 2021 I took InfoSec Institute’s “Advanced Ethical Hacking Boot Camp”, which prepares students for the IACRB Certified Penetration Tester and Certified Expert Penetration Tester exams. I have already written a full review of this course (spoiler alert: I did not like it), so I won’t hit on too much of the course. The main detail you need to know is that the course straight up lies. It touts ‘nightly CTFs’ when in reality there is not a single night CTF. It also says ‘100s of additional hands-on courses and labs’, of which there again was not a single additional lab outside of the main labs. And, lastly, the instructor Keatron Evans was not at all interested in answering my questions concerning these issues.


Moving past InfoSec’s deceptive course description, let’s hone in on the IACRB itself. If you navigate to their website and view their description of their “Certified Expert Penetration Tester (CEPT)” certification, there are two major things I want to point out. First off, the certification says that it is broken down into two parts. Part 1 is an ‘online multiple choice exam’ and Part 2 is a ‘three step practical examination’. Secondly, IACRB identifies three ways to take their exams: first being at a training location, second being an on-site proctored exam, and third being employees of member organizations having access to exams ‘over the internet’.


So what’s the problem with these two points? They’re straight up lies. Let’s address the 2-part exam. Again, taking the AEH bootcamp with InfoSec Institute ‘prepared’ me for the CEPT exam, meaning that on my last day of the bootcamp I took the multiple-choice CEPT exam. I passed, and was issued the certification. Closely evaluate what I just said. I took the multiple-choice exam, passed, and was issued the certification. Notice something missing? There is no practical portion to this certification. When I realized this I asked Keatron where the practical portion of this certification was and (paraphrasing) his answer was that the IACRB has not been running the practical portion for quite some time. He even said he helped build the VMs for the practical portion and I could have them if I wanted to test them; interestingly enough, I have still not received them. Yet IACRB still touts ‘practical exam’ on their website and on the InfoSec brochure. Secondly, we (the class) took this exam via a basic web browser, with no proctor, and full access to all of our other tabs. Basically anyone can google any answer they want. Although that doesn’t really matter when Keatron basically gave us the exam dump. Seriously, he gave us a PDF with I think over 50 questions and I don’t think a single question on the exam was not directly answered from the PDF.

My browser telling me I passed

Look, many, many companies have deceptive business practices and it seems InfoSec Institute and IACRB are no different. So why am I writing this? Well, because I did the course, and I think people deserve to know what they’re getting if they want to take the course as well.

Please do not take this course or put any value in IACRB certifications. Look at better organizations like Offensive Security, eLearnSecurity, GIAC, and more. The bootcamp cost $3,300, and was basically worth the same amount as a good Udemy course.

I won’t spend any more time ranting about this, but I wanted to get this off my chest. I feel better now.



