Putting The Pieces Together: My CDSA Certification Journey
The Reasoning
Well, I had just transferred to the Blue Team out of the Red Team and wanted to be a good team player. So, I figured that I would get a quality blue team certification to show that I take the transition seriously. CDSA stood out as the perfect choice: hands-on, rigorous, and backed by HTB's strong reputation, it was the perfect next certification to tackle and take down. Plus, the hands-on nature means I can add great content to this portfolio and demonstrate applied knowledge instead of theoretical. Finally, it also gives me the opportunity to expertly, productively procrastinate on the CISSP certification, which I have convinced myself that I need.
The Learning Path
The journey has actually taken over two years, believe it or not. I should know, because I had to pay for the 'Silver' annual learning subscription three times before I even attempted the exam. The learning path took me oh so long to complete. Oh so long. The first time I tried to get through the learning path, I got ~60% of the way through it, shortly after the Windows Attacks and Defenses module, and then wandered off to find something else to sink my teeth into. I was on the Red Team at the time, just learning the attacks in the course, and figured it was all downhill from there. That has got to be the most interesting part.
Learning Path, Part 2
Then my manager at the time pulled me aside and suggested I give it another go. The whole blue team was taking it, so it would be good if everyone had it and we were all on the same page. So, I signed up for another year-long 'Silver' subscription and decided to take another crack at it. With my malware experience, sections like the malware module and the Sigma/YARA module made more sense to me. So, I kept churning through until I finally got that sweet internet completion badge, whereupon I promptly convinced myself that this was sufficient to satisfy work and promptly wandered off…again. Then I noticed that the autorenewal had ticked over when I forgot to cancel. Suddenly, I found a swelling of motivation to finally buckle down and take the exam.
The Practice Track
So, if you don't know, HackTheBox has a convenient Sherlock track specifically for preparing for this exam. The first Sherlock I tackled was Unit42, a Very Easy box just to get the blood pumping and into the grind of Sherlocks. The second box in my sights was Campfire-1, another Very Easy box, trounced in no time flat. Time to step it up to the Easy Sherlocks by taking on Recollection, which I also took down. Then, bolstered by the Easy and Very Easy wins, I felt the time had come to throw caution to the wind and register for the exam. It would give me a feel for the exam so I could guide my studies, and I had a retake.
The Exam Experience
Taking a week-long hands-on exam while working full-time is pretty brutal, not going to lie. After a full day's work, I get home just to grind out incident investigations. Plus, I don't know how it works for you, but whenever I first get into an exam, I have a minor freakout. I am convinced that I don't know anything and that I am definitely going to fail. It takes me an hour or two of reading and rereading the problem statements, mapping out a plan of attack, and getting a couple of wins before I start to settle in and feel comfortable with what I am doing. And it happens every single time I take an exam — no matter how prepared I am for it.
The Wait
The wait took about 3 weeks. This is no shade to HackTheBox, as they said that the results would come within 20 business days. They also said that they should come in quicker, which, to their credit, they did. That, however, did not stop me from refreshing the exam page four times a day to check whether the results were in yet. Also, messaging any friend who would listen to me whinge that the results were taking forever to get posted. When they wouldn't listen, asking ChatGPT how many business days had passed since I submitted the exam.
What’s next
Well, right now, I am working on some AI-assisted programming to build some tools for my workflow. You can see one of the tools in my 'Projects' section. I am also planning on building a vulnerable network with some defensive tools, possibly in the cloud, and then hacking into it. After that, I can triage my own incident. This will give me experience across a bunch of different domains that I think will be good for me. Plus, a chance to create some reports for the Projects section as well, as I think they are good demos of what I can do – and what I can do for you if you hire me.
Lessons Learned
My biggest takeaway from this, I would think, is actual hands-on experience with SIEMs, DFIR tools, and investigation techniques. It is one thing to parse a .pcap to answer a couple of Sherlock questions. It is quite another to try to figure out the full attack, document it, and report it. To make it even more fun, the only experience I had with some of the tools was as part of the learning path. So, double learning opportunities as I struggled with the interface and the process. Neat. Overall, I think it was a pretty good chance to apply some of the concepts from the class, which, in my opinion, solidifies the learning in my brain.
Reflections
My biggest takeaway: track where you are in your investigation. Attacks can usually be mapped against the Lockheed Martin Cyber Kill Chain. So, when you are on a victim machine, check the connections going out. These show you lateral movement and privilege escalation, potential C2 connections, and start to reveal the attacker's objectives. Then check the connections coming into the machine. These can identify lateral movement into the current machine, possible reconnaissance, and exploitation. Keep iterating every time you identify a new machine as part of the attack. And if you get lost, remember where you are and where you can go.
What helped me most:
Track where you are. Don’t lose track of the attack.
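The iterate-over-connections approach described above, as an added example that is not part of the original post: a small Python walk over constructed connection records that starts at the first known victim, pulls in every internal host it talked to or was talked to by, expands each new host in turn, and flags external hosts contacted from more than one in-scope machine as C2 candidates. The records, the 10.0.0.0/8 internal range and the 203.0.113.9 external address are all constructed for the example.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed sample connection records (not from the exam): (time, src, dst, dst_port)
CONNECTIONS = [
    ("10:01", "10.0.0.5", "10.0.0.20", 445),     # lateral movement into the first victim
    ("10:03", "10.0.0.20", "203.0.113.9", 443),  # outbound to an external host (possible C2)
    ("10:05", "10.0.0.20", "10.0.0.31", 3389),   # pivot onward from the victim
    ("10:06", "10.0.0.31", "10.0.0.40", 5985),   # second hop
    ("10:07", "10.0.0.31", "203.0.113.9", 443),  # same external host again
    ("10:09", "10.0.0.50", "10.0.0.60", 80),     # unrelated traffic, should stay out of scope
]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed address space; use your own ranges

def is_internal(host):
    return any(ip_address(host) in net for net in INTERNAL_NETS)

def scope_attack(connections, start_host):
    """Walk connections outward from the first known victim: every internal
    peer of an in-scope host joins the scope and is examined in turn (the
    "keep iterating" step); external peers are recorded but never expanded."""
    scope = {}  # host -> {"inbound": [...], "outbound": [...], "external": [...]}
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        if host in scope:  # remember where you have already been
            continue
        entry = {"inbound": [], "outbound": [], "external": []}
        for ts, src, dst, port in connections:
            if host not in (src, dst):
                continue
            direction = "outbound" if src == host else "inbound"
            peer = dst if src == host else src
            if is_internal(peer):
                entry[direction].append((ts, peer, port))
                queue.append(peer)  # new machine in the attack: examine it next
            else:
                entry["external"].append((ts, direction, peer, port))
        scope[host] = entry
    return scope

def c2_candidates(scope):
    """External hosts contacted outbound by more than one in-scope machine."""
    seen = {}
    for host, entry in scope.items():
        for _, direction, peer, _ in entry["external"]:
            if direction == "outbound":
                seen.setdefault(peer, set()).add(host)
    return {peer: hosts for peer, hosts in seen.items() if len(hosts) > 1}
```

Running `scope_attack(CONNECTIONS, "10.0.0.20")` pulls in 10.0.0.5, 10.0.0.31 and 10.0.0.40 while leaving the unrelated 10.0.0.50/10.0.0.60 traffic out of scope.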
Related Work
Similar Content:
- Coming Soon!
Feel free to reach out to me and let me know about your journey. I would love to hear!