
CompTIA Secure Infrastructure Expert: Security+ / PenTest+ / CySA+ / CASP+

Recently became CompTIA Security+, PenTest+, CySA+, & CASP+ certified. Wanting to reflect on the accomplishment and add to the discussion, I wrote this 'guide' - tips and tricks, my experience, and some thoughts on the CompTIA Secure Infrastructure Expert stack.

Tips & Tricks

Get CompTIA certified on the cheap; never pay full price.

Subscribe to a newsletter or find a GetCertified4Less site. Some are more reputable than others so make sure to do your due diligence. Three options that I heavily utilized:

  1. Workplace Reimbursement
  2. Academic Discount
  3. Beta Exams

Got a job already? Workplace reimbursement may require you working for a certain period of time or may not reimburse if you don't pass. However, they may cover the entire cost of training and the certification voucher if you do pass. I was able to utilize reimbursement for one of mine and that included a bootcamp, textbook, and voucher. Does your work offer tuition reimbursement? That may be able to be applied to certifications too! Go ask HR. Actually, go ask HR if they will send you to a con too.

Student or .edu? Go to the academic marketplace and purchase directly from CompTIA at a STEEP discount! Discounts for the relevant vouchers below but virtual labs, texts, bundles, etc are included too. 

  • Security+ / PenTest+ / CySA+ - 35% Off
  • CASP+ - 28% Off

Don't have a job, not a student, or wanna randomly become certified? Keep an eye out for beta exams! When a cert rolls over to an updated version, or before the initial release, CompTIA requests people take a HEAVILY discounted pre-release beta of the exam. There's no study material since it's not an 'in-production' cert yet, so it's on you to source, study, and learn! Maybe have a look at the previous version's material or find a comparable cert from another vendor. Look at the beta as a practice exam. I took and failed both the PenTest+ and Linux+ betas. I used the beta for the PenTest+ as a practice and became certified a year later. I passed the IT Fundamentals beta too. CompTIA wants your feedback and you want a cheap cert. You might pass, you might fail. Prices for beta exams are/were frequently sub-$100.

Need a physical copy of the PDF you acquired? Check your local used bookstore or find a Half Price Books. Revealing a secret but only after the watering hole is mostly dry already anyway. I've found current cert manuals, plenty of 'Intro to Hacking' books, and even some No Starch Press or Packt at our local Half Price Books. Even found a copy of the biohacking RFID Toys book once. 

I used many of the same sources as everyone else to study, so I won't rehash what is already trodden territory. Check Udemy, Dion, Prof. Messer, Sybex, McGraw Hill All-in-One, etc. Many of these sources will have sales making them more worthwhile than paying full price. Considering a bootcamp? Dedicated time to study is nice, but the material itself is fundamental enough that a bootcamp isn't likely necessary. Use personal discretion accordingly.

Studied and ready to take the exam? Don't take it at home! Absolutely do not take the exam at home unless you are prepared to have an empty room and your privacy invaded. Likely you'll have a physical location near you that offers Pearson exams. Mine was an Ivy Tech. Bring a coat because it'll be cold. Two forms of ID. Put your stuff in a locker and get photographed. Take the exam. Results for standard exams arrive immediately; beta exams take a couple of months.

Post your newly minted cert on social media and slap it on the fridge!

Reflection

It's important to reflect on failure as much as success, and for the sake of transparency, I thought it interesting to post my exam history.

I took the A+ in High School; Passed the first half and failed the second. Passed the Security+ after deciding to get out of SysAdmin/Support. Passed the IT Fundamentals beta on the cheap, had fun, and gave some critical feedback. Failed both the Linux+ and PenTest+ beta exams with flying colors! Came back a year later and passed the PenTest+ after studying more and sourcing official material for the in-production exam. Passed both the CySA+ and CASP+ finishing off CompTIA's cybersecurity stack.

CompTIA 'stacks' certifications, so after completing the relevant certifications of the same category you're 'recognized'. I don't know that anyone in the industry recognizes this or particularly cares, but it's nifty so it receives an honorable mention.

Comparison

Security+ is the fundamental cybersecurity concepts and skills. Designed for those who want to demonstrate their knowledge of cybersecurity best practices. Covers topics including network security, cryptography, and identity/risk management. Excellent starting point for those new to cybersecurity or wanting to switch careers. Doesn't cover advanced concepts necessary for more comprehensive security assessments. Think you might be interested in a career in 'hacking' or pentesting? Start here.

PenTest+ focuses on penetration testing and vulnerability management. Designed for those who want to specialize in penetration testing, vulnerability assessment and management, planning & scoping, information gathering & vulnerability identification, exploitation & post-exploitation, and reporting and communication. Covers identifying and exploiting vulnerabilities, conducting penetration tests, and providing actionable remediation. Not ready for the OSCP but know you want to do cybersecurity/infosec? Already enjoy hacking? Do this. WARNING: Of the four exams, this was the most difficult. Even after taking the beta. Was heavy on 'what specific tool to use when' questions.

Cybersecurity Analyst (CySA+) focuses on advanced skills including threat & vulnerability management and incident response. Designed for those who want to advance their cybersecurity career or specialize in analysis. Covers various topics including threat & vulnerability management, security architecture & tools, and incident response. Already know how to read a log? Think you might want to do incident response or already work in a SOC? Consider this.

CompTIA Advanced Security Practitioner (CASP+) focuses on cybersecurity management and leadership including enterprise security architecture, risk management, research, and analysis. Designed for those who want to manage complex environments, develop policies & procedures, and lead security teams. Already have the other three because you don't know when to stop? Hi. NOTE: CASP gets compared to the CISSP a lot. I have zero idea why; they appear very dissimilar from my research. Maybe because of the managerial focus? Either way, of the four certs, the CASP felt the most rehashed and lacking for new topics and content.

Is there a future out there?

There's a lot of people out there telling other people how to advance their cybersecurity careers. Someone recently told me that it was MANDATORY to get a CISSP even if one had no intentions of becoming a CISO or manager. Because CISSPs only become those two things. 


158 voted. 45% said this was true while 55% said false. People had lots of very interesting thoughts about getting your foot in the door, underrepresentation, and resume filter checks. Go read the thread.

Planning to do the OSCP next.

INIT_6_
