Avoid Joe Mccray/Strategic Security

After some friends complained they also got screwed over, I felt it was finally time to write about a trainer that has wronged many.

While looking for some reasonable training, I found Joe Mccray, Strategic Security, that seemed to be supporting the community and offering inexpensive rates. I even spoke with a local person that had worked with him as a “Security Rookie” who said good things. Despite my better judgement about paying for semi-intro classes, I decided to try a class. I learned to trust my judgement more on training.

I signed up for “Catch Me If You Can: Bypassing AV/HIPS/NIPS Online Workshop” in August of 2013. This was supposed to run noon until 4pm on August 17th and 18th. I confirmed regardless of the errors on the initial email sent as well as the fact video’s of both days would be sent.

At the end of the day, he sent out a txt file with some of the commands used and promised he would send out the videos shortly. He also sent information created by a group called Web Application Security Consortium. These were solid resources albiet being a few years old at the time of distribution.

At the end of the first day, he sent a invite to the second day with the wrong times listed (he had noon until 10pm instead of noon until 4pm). Regardless, I confirmed again the times for the following day and asked when he would release the video for day 1. He confirmed the times for Day 2. An hour before Day 2 was scheduled to start, he sent a email:

“I’m sorry to have to do this on such short notice. But I’m leaving for the airport right now. I have to help a customer with a compromise so I will not be able to run this class today. Please accept my sincerest apology as I know several of you are in other timezones and that makes attending this workshop very difficult. I promise I will make it up to you.

Again, please accept my apology and I’ll see you next week.

BTW…yesterday’s video and class notes I’ll take care of sending to you when I get off the plane and get to my hotel later tonight.”

I was annoyed, but didn’t make a big deal of it as emergencies can happen. He sent out a invite for the following week with again the wrong times (he had noon until 10pm instead of noon until 4pm). On 8/26, the supposed make-up day, he didn’t show up. A few days later, I emailed and again asked for the video’s from day 1 and when the makeup would occur.

Rather then complete the session promised, he decided to replace day 2 with another class he had made. This one on a completely different subject and during the week instead of on the weekend like the original. So two weeks after the class was supposed to have occurred, he never sent out the rest of the info from class 1 and never had class 2. He also had only offered to move into a different class.

The make-up class he offered got pushed back a additional week as well. Then he ended up canceling class one of the days due to a “network outage”.

I still have yet to receive the video from the first class and have long since given up on it. I told him the way things were handled were poor at best with no response. Over the 1.5 years since, dozens of people have told me similar stories of being severely disappointed with his unprofessionalism. One of his own friends went as far as to apologize to me and tell me Joe is a good person, but a “terrible person to do business with”. I have heard numerous stories from friends that he repeatedly cancelled classes, didn’t share materials and was just generally unprofessional considering he is charging money for his trainings. I have encountered numerous trainers that have been significantly more professional in free classes then he was in classes he charges money for.

Additional instances of people publicizing their issues with his content or teaching:

  • A significant portion of the content from a paid webinar were stolen from Exploit Lab without credit or permission (see: http://blog.exploitlab.net/2013/02/defending-our-work-part-2-exploit-lab.html ) as well as covering some of the concepts incorrectly.

    Some of the comments show the kind of person Joe is and the type of work you can expect from him:

    • “msploit12 February 2013 at 12:52
      I’m incredibly happy to hear someone has finally outed strategicsec. Over the past year I’ve watched a lot of things unfold with Joe McCray. You just have to look at his security rookies ‘program’ to understand what hes up to. His unpaid ‘rookies’ have in many cases preformed recon for actual pentests. Hmm unpaid people doing for the benefit of a company, yep thats a violation of labor laws. I also have personal knowledge of Joe linking to and hosting pirated books and courseware for his ‘rookies’ and other people. He also has his ‘illegally unpaid’ rookies put together some of his class material which is sold.”
    • Another former ‘rookie’ commented:
      “throw away13 February 2013 at 00:25
      As a former ‘rookie’ I can attest to this. Under the guise of giving us ‘real world’ experience he is essentially getting free labor and charging the clients for his (really our) time. Rookies are tasked with creating his training material which usually involved him providing a ‘rough draft’ and us fixing errors and importing it to his letterhead. Often, when having to research the problems we found that the material was pirated from SANS reading room, GIAC Gold papers, or other publicly available sources with no attribution to the original source or author. There was some original content generated, but it was far and few between and almost always created by unpaid ‘interns’ that was in turn sold through his training programs.”
  • Another former ‘rookie’ said via Twitter DM when asked about the program:
    “I bailed pretty early. After a couple weeks of working for free, I stopped. It was obvious he was just trying to take advantage.”
  • More Recently, someone commented some more issues ( http://nathanheafner.com/home/2014/02/17/in-depth-and-personal-infosec-training-thats-affordable/ – sadly the comments show mixed results )

    **Update – Nathan’s site seems to have gone offline so I swapped to Wayback Machine

    “Michael • 2 months ago
    You must have got in early. I’m in the middle of taking a class with Joe now (Pentest candidate program). He advertised the classes as being Monday and Wednesday, 7-9pm for December-February. However he has already cancelled 7 classes, and most of the other ones were only about an hour in length. Some members of the class are saying it’s a scam, others are saying he’s just winging it.

    Either way, I would strongly advise anyone against taking classes with Joe.”

  • A friend that was in the Security Rookies program said that Joe used them to write his material and do unpaid work for his company. You can get some experience, but at the cost of being used.

Someone from CarolinaCon adamantly defended Joe as he was criticized on Reddit

While Joe may be knowledgable, I compiled these stories so people understand what they are getting into. If you are looking at the Security Rookies Program, there are people that have gotten a lot from it, but it is at the cost of being used. Some people have had a positive experience… While I am bitter and would never do business with Joe or recommend anyone else do so, he is knowledgable and he has given opportunities to some that are not easily obtained…

A friend just shared another story with me:

On December 1st Strategic Security will launch the Pentest Candidate Program. This program is designed to satisfy the basic requirements to be a penetration tester. The program covers the common technical requirements, common soft skill requirements, and via a partnership with several penetration testing firms the top candidates will be given job interviews at the end of the program for a remote penetrating testing position (remote meaning you can work from home).

If you already have a US Security clearance, currently live in the DC, Maryland, Virginia area and you are one of the top candidates you may be given the opportunity to interview for a cleared penetration testing position.
This is your chance. If you REALLY want to become a penetration tester then this is the perfect combination of training, mentorship, and opportunity.

What is covered in the program?
This program is hard, but rewarding. It covers the following subject areas:

Command-Line Kung Fu
Linux Command-Line Fundamentals
Windows Command-Line Fundamentals

Network Penetration Testing
Scoping a penetration test
Performing a penetration test
Reporting penetration test findings

Web Application Penetration Testing
Scoping a web application penetration test
Performing a web application penetration test
Reporting web application penetration test findings

Python For InfoSec Professionals
Log parsing with Python
Pcap parsing with Python
Network testing with Python
Web App testing with Python

Preparing for a job as a Penetration Tester
Resume assistance
Assistance with building a portfolio based on this program
Mock interview
Interviews with up to 15 Penetration Testing firms for top candidates
Interviews with up to 5 DoD contractors for top cleared candidates

How is the program delivered?
On Monday of each week you will be assigned a set of tasks that required to be completed by Sunday at midnight EST. These tasks usually include:
Required reading
Required videos to watch
Required lab exercises to perform
On Mondays and Wednesdays from 7-9pm EST a live online training session/QA period will be held. The sessions will be recorded each day so you do not have to worry if there are scheduling issues.

The program will run from December to February (3 months) with job interviews for top candidates being held in March.

The program cost is $150 per month for 3 months, or $300 as a 1-time fee for the program.

This class is only $300 so signup now!

Example on how he still cancels classes.

Guys, I am really sorry but I have a family emergency to tend to. I will double the length of tomorrow’s class to cover for tonight.

He claimed he had partnerships in his advertisement email:

The program covers the common technical requirements, common soft skill requirements, and via a partnership with several penetration testing firms the top candidates will be given job interviews at the end of the program for a remote penetrating testing position (remote meaning you can work from home).

Preparing for a job as a Penetration Tester
* Resume assistance
* Assistance with building a portfolio based on this program
* Mock interview
* Interviews with up to 15 Penetration Testing firms for top candidates
* Interviews with up to 5 DoD contractors for top cleared candidates

Participants commentary on that:

As part of the class…he advertised that the students in the DMV area could get jobs afterwards if they performed well in the course. The only thing he did in that regard was have HR professionals present the skills and credentials they look for when hiring infosec people. It didn’t appear that he really had jobs for these students….instead…just provided some information on how to get jobs (which is far from the same thing)

Your first challenge:
Use the OSINT_Innophos doc as a reference and perform/document an OSINT assessment against any one of the following companies:

Exxon Mobil
NewYork-Presbyterian Hospital
Royal Caribbean International

Here are some tools that I think you should consider using for this challenge:

Search Diggity
Firefox PassiveRecon

Now I am not a pen tester, but suggesting people preform OSINT on the NSA is a really bad idea, even passive recon. The last block quote was straight from an email from Joe.

We didn’t receive feedback on their OSINT assignment. I don’t want to assume….but…I would guess that McCray probably rarely hands out feedback (but..thats an assumption and not based on factual evidence)… I help with OSINT report around 12/6-12/14 on a company. Used google docs. I dont know how well we did.

The PPT attachment shows Joe canceling 4 classes (assuming I counted correctly) and he asked the students to help him with one of his *real life pentests* Im assuming he was doing for his business.

The Hangout is a chat with the people in the class. It first starts off with everyone trying to solve problems together and quickly takes a turn where people are asking if class will ever be held again.

No feedback on the sketchy assignment. Canceling ~15% of the classes; 4 classes out of 26. He had excuses each time, but after reading all the various stories, I keep hearing about cancellations including 50% of the classes I had with him.


Update 12/20/2019: I got a twitter DM about a new CEH class story via Security Ninja

I’ve been in a course with Joe McCray this week and came across your blog post. Do you still hear concerns over his material? Some things feel a little fishy and I wanted to reach out.

He gave us access to exam questions he’s purchased on vcetrainer.com. He shared his credentials with the class. This morning he gave us a copy of the exam, while taking the real exam. He instructed us not to finish faster than 90 minutes.

Class is through Security Ninja

If you wish to contribute a story, just submit it as a comment or send it to me, good or bad!

20 thoughts on “Avoid Joe Mccray/Strategic Security

  1. I’m happy I’m not the only one who has experienced this crappy class. It felt like almost every day something either came up, wouldn’t work or he ducked out really early and had us watch SecurityTube videos for homework. Terrible quality training, not really training at all.

    This is not to say the guy is dumb, he seems like he understands and can practice a good depth of knowledge but damn, stop ‘teaching”.

  2. I also felt this training was crappy and left a lot to be desired. Bad info written up, poor directions, not committing to published times, forgetting to turn on recorded sessions for students that could not attend at the stated time. Agree with statement don’t do business with him. I think he goes on quantity not quality.

  3. For what it’s worth, he’s now offering his students 15, 25, or 50% off future courses (honestly, I can’t tell which — too many typos in the e-mail and he misuses the numbers frequently) to post on here and other forums with positive reviews. It’s pretty sad when you have to stoop to that level to get some positive publicity.

  4. I’ve been into pen testing almost since the past 10 years. But, was never confident in my application of the skills. Amidst my career, I enrolled in one of Joe’s courses on basic pen testing skills about 6 years back. Ever since then I’ve been his loyal student.

    Joe opened my mindset for wider possibilities and out-of-the-box thinking. I learned some real skills from Joe. He’s a LEGEND when it comes to his natural unique style of teaching and at times hilarious too.

    I would highly recommend Joe for all levels of pentesters, even if you were one of experienced certified pentester. He is one professional who has deep down knowledge and understanding of Applications (Advanced Web, ERP, Big Data etc.), Networks (Various exploitation frameworks etc.), Systems (reverse engineering, malware analysis etc.)

    Joe really ROCKS!!!!

  5. I have taken a few of his classes in the past and both times it was a painful experience. I never attend the live portion of the training as he always had some “Family emergency” come up and had to reschedule. At the time I just wanted the video material to go through at my own leisure. However once I did receieve the video material the quality was crap and the content wasn’t anything that I was expecting.
    I don’t disagree with the fact that Joe is very knowledgeable. I believe is problem is he takes on too much and then can’t follow through. I don’t know why he doesn’t adapt the same training model as Pentest Academy where all of the training is pre-recorded and on demand training.
    Wake up Joe!!

  6. So, not much has changed. He’s genuinely a nice guy (met in person) and I believe he’s sincere in his desire to teach and share knowledge but there are so many cancellations, excuses galore, emails go unanswered even though he now has an office manager. What I’ve managed to learn from him has been priceless but hard to come by. Quite a bit of the class time is just chit chat between him and former students which is disrespectful to paying students. I agree it seems that he does take on too much. Caveat emptor.

  7. Joseph McCray is an actual thief. He took my money for a pentesting class that was supposed to be via the Web and never sent links to participate, nor the promised videos. He canceled the 1st class and never responded to further emails. My sister is a top respected security analyst who recommended Mr. McCray as she had taken a class with him in 2006. This man should be investigated and I believe all of the reviews here of his dishonest conduct. I am shocked someone has not revoked this person’s security clearance. Disgusting.

  8. Yes, this is why I only did one. I wanted to learn more about infosec so took one of his more beginning courses several years ago. I didn’t have much money and figured $100 was a good deal. The overall objective over the 5 day course (couple hours each night) was to hack into some computers, pivot and get into the next network. I submitted my homework like I was told to do. Did I get any feedback? No. What I did get was him stealing my work and putting it into his own material for handout later, VERBATIM. When I, and others, got stuck on getting some hacks to work, he basically kept saying keep trying; zero guidance or advice like a real teacher should provide. However, there were like 100 people in the class so it was so over sold that the personal attention for help was non-existent. Add to that, the network he had setup was so crappy that it crashed EVERY single night. It was so bad, he said he’d keep it open for another week for people to practice. He never started on time and normally ended early without staying around to answer questions (maybe like 10 minutes he did).

    He was a horrible teacher; effectively a powerpoint reader and honestly he half-assed that. I wish I would have kept the email exchange. I basically told him I felt ripped off because the network was always down and I had small kids. I had scheduled everything around taking that course that week and working late on the related material that week. He didn’t seem to get or care that people have lives and simply cannot readjust their lives on a whim because he can’t get his stuff together. He actually got defensive like I was being a baby about it.

    I never would have thought a $100 info sec course could be a total and complete rip off but alas it was. I still keep the material he gave out, but like others have said. Anything that was good was taken from some other place, not originally created by him.

    Like others have said too. He seems like a real nice guy. I don’t doubt his knowledge either. But this man should never be allowed to teach ANYONE EVER.

  9. Pingback: Noobs Be Wary: NoobSec & InfoSecAddicts.com | Forgotten Security Blog

  10. Pingback: Be Wary: Aaron McBee, NoobSec & InfoSecAddicts.com | Forgotten Security Blog

  11. Glad I found this… I was just about to sign up for a course, but I was a bit unsure about it, given it was marketed by email. Thanks for posting!

  12. I’ve taken several of his classes. Of the criticisms of Joe McCray, I’m not going to argue any of them.

    But for what you pay, you’re getting far more value than you’d receive from any other training vendor I’ve found. I personally do not mind paying $100-300 for a class considering the resources you’re provided. And the $300 Pentester Candidate Program allows you to take all of his classes for 3 months. Do some aspects of the program annoy me, absolutely. But have I become a much better pentester and have I learned more than what I would at a SANS class for only $300, absolutely (lower end SANS classes, not the advanced ones).

    At the end of the day, I’m not going to be too critical of a class I’ve only paid $300 for when I’ve been equally disappointed at classes I’ve paid $5,000 for. I think Joe’s program is ideal for entry and mid-level professionals.

    • Tom B., Your post may be valid if Mr. McCray Actually has the class or would refund money. This man never responded to any of my emails and I never was given any material AT ALL for the $300 online class. So, when a person takes money (any amount) without even having the class or responding to emails or even giving me the materials for the class, it means he is a dishonest piece of garbage and just a scam artist. Your review is just advance rationalization and I warn everyone reading this not to give this man any money. You can not even leave a review on his websites, he deletes them. Go look, this is the only place he can’t “clean” from the web.

  13. Infosecasitcs now offers courseware and videos. Classes can be taken without Mr McCray there. so I guess I did not have this problem.

  14. Sarah Allen maybe you were messaging him directly and not infosec addicts. Their customer support on their website is actually almost instant. Try contacting them again there

  15. So funny to stumble upon this. I had an apparently typical Joe McCray experience at SecureNinja’s facility in Virginia this past Spring. Like most people here, I came away feeling cheated and that he is a thief and a con man. I wrote a long Google Review of SecureNinja, but I’m not sure how to link to it.

  16. Sorry to resurrect this post, but I feel compelled to let people know.

    In 2007, Joe McCray paid me 500 dollars for 3 white papers on infosec. Most notablly he spoke all over the world on “advanced SQL injection”. Plagurized the entire speech, gave me 0 credit. 500 dollars is pretty cheap but when you’re about to be evicted, you get desperate.

    He took advantage of my desperation and fucked me good. As I see he’s been continuing to fuck people to this day.

    What an asshole.

    Thank you for letting me share.

  17. I guess I have to give my two cents now. I see all these people leaving their experience.

    I was an intern around 2009-2010…. I was young and hungry for knowledge. We created all of his classes. I remember creating the documents and labs and telling my close friend at the time, “I don’t think this is right. We are making his material and not getting paid!” But my friend wanted to stay so I stayed for about 9 months. I did learn a lot from him. I will not deny that. The team of Rookies he had helping him, most were extremely smart and I am thankful I met them so young in my life. Things I still use to this day. The experience helped me fly past people my age and put me in the great position I’m in today. But most of the value came from the group I was in, not from Joe himself. Being as young as I was, I feel like he was very knowledgeable, but should have hired a team, maybe one to teach and one to do admin things. I always wondered why he wasn’t wealthy if he had so many skills. That was a red flag for even a young adult. I eventually left and lost contact with most of the group, even though some I still have on social media. I really agree that he’s not a bad person, but one man can’t do it all.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.