This blog post is meant to provide a value assessment and a review of my experience going through the course material and taking the PNPT exam.
What is the PNPT?
The Practical Network Penetration Tester (PNPT) is a certification, upheld and created by TCM (The Cyber Mentor) Security. Their website claims: “the exam will assess a student’s ability to perform a network penetration test at a professional level.” This pretty much describes the qualities/skills this certification is meant to verify. It consists of some video courses with labs and guides that show you how to set up the lab environment - the exam itself is five days for exploitation and two days for reporting.
The PEH Course
This course is heavily designed to cater to and be a good resource for absolute beginners. I’ve had some CTF experience before and a pretty good amount of Web/API testing under my belt at the time of taking this exam. I imagine the course is great for absolute beginners as it tries to cover a very wide variety of topics and just about briefly covers all of them, although I am not positive whether or not all of them are really needed for the exam.
The course material is almost entirely comprised of videos - which is nice if you like that sort of thing, but this course and others like it have taught me that I do not enjoy video-based courses. I don’t really think the course itself is that bad, just the format of it being video-based makes it very tedious to get clarification or go over points multiple times or even copy commands and outputs over to your notes without running them yourself (this last one isn’t always a bad thing though). There were quite a few moments in the course that I think could have been done without; there are multiple points where the instructors just drone on about things that aren’t really relevant, which wouldn’t be the case as much if this was a written course.
There was one specific thing that drove me up the wall and it was a certain skills assessment/challenge in the web app section of the PEH course about authentication and I want to talk about it briefly because I think it highlights the depth of the course material and how applicable it is. The challenge portion presents you with a login page that you need to bypass and it tells you that the user will be locked out if five unsuccessful login attempts occur. Confronted with this issue, you might think to try and figure out if the lockout counter is based on the host header or if you can try and submit multiple passwords in a single request by duplicating the parameter - both of these techniques are covered in the PortSwigger Authentication module on their FREE web security academy.
The intended solution for this lab was to just use a large list of users and spray only four common passwords for each user account. This means that one of those four passwords in your password list has to be correct. It should go without saying that the likelihood of you guessing the right password for any account in four attempts is very low, not to mention the fact that in a real scenario you could very easily lock out users anyways. I found this exploit strategy so unrealistic that I wouldn’t even really put it in the CTF category of faux-realism.
Yes, I am well aware that this course is meant for beginners and that the lab runs on localhost so it may be harder to implement some kind of IP blocking or similar countermeasure. Although I want you to keep in mind that in the course they covered MFA sequencing issues and password brute forcing right before this - so the instructors could have made the challenge portion include an MFA code brute-force that involves some rate-limiting bypass, just like in an HTB machine from a while ago called Coder.
Regardless of this one lab that really pressed my buttons the wrong way - I think this course is a good resource for absolute beginners who just want to find their footing and get comfortable testing and reporting.
How I Prepared
I prepared by watching and taking notes on all of the course videos (even the Windows Privilege Escalation and Linux Privilege Escalation courses) and following along or solving all the lab challenges. The AD lab setup was interesting and most of the setup tasks were pretty easy to perform, which is in line with a beginner-level certification.
I practiced by playing machines on Hack The Box that were retired and used Active Directory attacks that were included in the PEH course. The exam doesn’t include anything you haven’t seen in the OSINT and PEH courses, so taking those two alone is sufficient to pass. I would practice pivoting as it is kind of a side note in the PEH course but is very useful for any kind of multi-machine labs.
The Exam
I was able to get domain administrator within the first day and spent the next two days looking for alternate paths to domain admin. I then wrote my report with the lab still active so I could reproduce and grab any screenshots I was missing and then ended the lab and submitted my report within the same hour on the fourth day. Within an hour I got an email that my report was sufficient and then I scheduled my readout for the following day where I verified my identity and tried to get through my entire 40-ish page report in less than 15 minutes. After this the staff member made sure that I got my certification via email and then gave me the PNPT role on the TCM Discord.
I would just try and take very elaborate notes and a ton of screenshots while you work through the exam to make reporting less complicated and to prevent backtracking. I think this exam is designed to be able to be taken during the time people have after their workday is finished/in their free time which is why the time window is as large as it is. The exam environment was nice and started relatively quickly - although their stop function appeared to be identical to their reset feature even though their support specialist told me that wasn’t the case.
To Summarize
I want to try and briefly summarize my final thoughts on the course quality, the exam quality, and whether or not I think it is worth your time and money.
Course Quality
I felt like the course was not worth as much as it is advertised/sold for because most of the information is easy to gather on your own and with competing services out there like HTB Academy and THM which are both cheaper and offer more labs and practice material, I think those are better options if your goal is to learn.
The course is good for learning how to pass the exam and know what kinds of things to expect on it and Heath’s anecdotes about performing pentests and such are good, but not worth hundreds of dollars. I’ll reiterate that if you are an absolute beginner and just want something that says you know a thing or two about network pentesting and want a moderately well-known certification to verify that you know those things, then this is a fine place to get it.
Exam Quality
I felt like the exam environment wasn’t really realistic despite what I’ve heard many others say. After talking to other people who have passed various versions of the exam in the past it seems like it has gotten easier over time, which in my opinion makes it less valuable. I felt like a good amount of the attacks covered in the course materials were not seen anywhere in the exam when I took it, which was really disappointing as I prepared well and wanted to be able to flex those pentesting muscles I worked hard to strengthen.
I do think that their approach to academic integrity is appreciated, assuming I understand it correctly. I don’t think cheating in technical certifications is that common just because of the effort one would need to go through to cheat and have a clear conscience. (Not to mention a waste of money and time if you spent hours studying just to cheat yourself out of the test of skill anyways.) Some companies like OffSec handle cheating by just proctoring you 24/7 the ENTIRE time you take the exam, which is just an invasion of privacy and basically means that my computer is nothing but an exam machine for days at a time. TCM handles cheating (I assume, I am not sure) by monitoring exam leaks online and modifying their exam accordingly, but the readout portion of the exam process is also a great way to ask questions to the student to verify that they were actually the one who wrote the report and performed the test.
On this topic of academic honesty though, I think the best way of handling it is to try your hardest to make sure each student has a unique exam experience. This isn’t always the most fair, but if students know that they can be confronted with a hard or easy exam they will likely prepare for the hard one and hope for the easy one. The Burp Suite Certified Practitioner exam is a good example of this, where the exam likely has multiple different versions circulating at a time that a student could take. This way a student couldn’t just fail one month and take the same exact exam a month later - as this wouldn’t be an adequate way to re-test their enumeration and comprehension abilities. I think if TCM opted to change their exam every other month in some drastic way (while still within the scope of the course) they would have not only a tougher exam, but wouldn’t have to worry about cheating as much.
All things considered though, the exam experience was just not all that difficult (at least at the time of writing this blog post) and TCM calling it an “intermediate-level” penetration testing exam experience is definitely an exaggeration of the skill required.
(Of course take all of this with a MASSIVE grain of salt, I am just one person who took one version of one exam. There is a very large amount of personal experience bias flowing into this review.)
Is it worth the money?
I initially bought the course itself way back in 2021 when they had a half-off sale for the Hacker Bundle which included the PEH course along with the Linux and Windows privilege escalation courses. I got through a fair amount of it then and gradually shifted into focusing more on CTFs as I wanted more practice and didn’t really care about the certification itself at the time. I was also a college student and could afford a forty-dollar course but not an exam voucher.
A few years later I graduated and got my first job as a penetration tester where my employer paid for all the new pentesting hires to take the course and get certified. There was no deadline in place so I studied for a few other certifications first before grabbing this one.
Historically this course has cost anywhere from $200 - $400 depending on the time and whether or not it is offered at that price with an exam voucher. Now if you want standalone courses TCM offers a monthly access plan, which I don’t really agree with but hey you can always just record those videos and watch them back later if you are fine with the recordings not being the most up-to-date information.
I don’t really think it is worth the money, as free learning materials like HackTricks and HTB Academy offer some free learning materials and competitive pricing for training material that I personally find more valuable for each dollar spent. Of course having a certification for a lot of people is the deciding factor for getting a job, but so is having the ability to explain and convey your knowledge and understanding of the topics you already know.