I began studying for the HTB CDSA (Certified Defensive Security Analyst) exam shortly after completing the CPTS. HTB has proven again and again to be a worthwhile time investment and a quick way to learn.

Again, there’s no reason to detail what the exam is. No idea why so many other blog posters do this useless action.

I completed 19/20 technical questions of the first incident within the first 8 hours. I never found the last flag; this one will forever haunt me. I was able to write the majority of the report for this section within the second day. It took me another 8 hours to finish finding evidence on the second attack. It took about another 5 hours to finish that report, and I submitted my test with 3 days and 20 hours to spare. The report spanned 49 pages, using the syspreptor template.

Here is what helped me the most to complete this exam.

  1. Complete the HTB Sherlock pathway for CDSA on the main platform. Also, complete one or two of these blind without any hints to go off of. Try to retrace one of those attacks from scratch. This will give you the closest possible setup to the actual exam. Also, use my repo here to convert all logs to ELK so you get more practice using the ELK stack.

  2. Complete Splunk’s BOTS, either by self-hosting it or by using their online setup (self-hosting is WAY cooler!!). I completed V1 only. The second scenario is much more important to complete than the first. If you can solve ~75 percent of these challenges without hints, you are ready for the exam.

I only completed 20 HTB Sherlock challenges in preparation for this exam. Also, I had some experience running a honeypot and tracing attacks back, which definitely helped. Furthermore, the CPTS definitely aided me in the comprehension of this topic.

Of course, it is important to take good notes. My notes consisted of many copied Splunk queries, which turned out to be useless. Instead, write down what to search for. I had a separate section of notes where I simply wrote down event codes to search for if certain attacks are suspected, and this turned out to be much more useful than obscure queries that didn’t even work on these sourcetypes.

Good luck, fellow students!