Gloria Chow

Senior Security Engineer @ Japan Computer Vision (Softbank Group)

I passed my PNPT Exam!

13 minute read

(EN/JA) Last week, I passed the PNPT (Practical Network Penetration Tester) exam! This certification is hands-down, the best that I have taken so far but it is still fairly unknown in the industry. I decided to write this article to share my experience and hopefully help spread word about this amazing certification!

My shiny new certificate!

What is PNPT?

PNPT (Practical Network Penetration Tester) is a certification offered by TCM Security. The company is a startup created by Heath Adams, who you probably better know as “The Cyber Mentor”. He is a famous Youtuber with over 424k subscribers, creating videos on a variety of cybersecurity topics like ethical hacking, penetration testing, OSINT, and more. His videos are high-quality and easy to understand- I’ve learned so much from watching them so if you aren’t following him yet, I’d highly recommend it! (No, I’m not being paid to advertise for him. I’m just a fan LOL)

The Cyber Mentor’s Youtube channel

The certification is commonly compared with OSCP because in terms of content, they are quite similar. Both test penetration testing skills involving web applications, Linux and Windows machines, and active directory (AD). There are some key differences though; I will do a detailed comparison in my next blog post so stay tuned!

For now, you can think of PNPT as an easier version of OSCP, catered more towards beginners so if you are aiming for OSCP at some point in the future but don’t feel quite confident yet, PNPT would make a great stepping stone.

My motivation for taking PNPT

I first became interested in PNPT precisely for the reason stated above- I want to get OSCP at some point but after having attempted the exam once and failing miserably, I started thinking of ways to practice, especially in an exam-like environment.

I don’t know if anyone else can relate with me on this but I took the official OSCP training course (also known as PEN-200 or PWK) and found it absolutely…terrible. The course costs a whopping USD $1499 and comes with video tutorials, a huge PDF textbook, 3 months of lab access for practicing hands-on skills and one exam attempt, but I have so many complaints about it that I can probably write a separate article on this topic later on. For now, let’s just say that the OSCP training course was very unhelpful for me so I looked for other places to supplement my studies.

In late 2021, OSCP changed their exam to heavily focus on active directory. The course materials weren’t particularly good to begin with and since it’s difficult to find a place to practice hacking active directory (it requires setting up a mini network of machines), I felt even more unconfident about passing the exam. This is when I did some research online and discovered TCM Security Academy’s Practical Ethical Hacking training course.

It seems strange to buy one cert’s training course in order to study for another cert, but that is exactly what I did. I ended up buying TCM’s training course to supplement my OSCP studies because they explained the content far better than PWK did. However, I still ended up failing OSCP and it was then that I decided to pass PNPT first as a way to practice my skills and deepen my understanding of AD before attempting to try OSCP again.

The exam

A common criticism about OSCP is that it lacks practicality- in the real world, you will (hopefully) never have only 24 hours for an engagement! OSCP’s time crunch makes the exam much harder than it should be because most likely you will have to operate on little to no sleep. The live proctoring (you will be watched through webcam the entire time) also adds to the stress so in the end, it feels more like the exam is testing your mental strength rather than your technical skill.

PNPT takes an entirely different approach than OSCP- it gives you a generous five days for the exam and two days for report-writing, making the whole exam one week long. There is no exam proctoring so you can log on and off freely. This lets you take the exam at your own pace without sacrificing sleep or rest time. However, if you are a full-time student or employee, this can make it harder to schedule the exam since you need to ensure that you can take at least five days off in a row.

The exam is quite a bit longer than OSCP because it has five parts:

Days 1-5

  1. OSINT: You will start with a Letter of Engagement from a fictional client company. You must research the company and gather information that will help you in the actual penetration testing.
  2. External pentest: Using the information you gathered, you will discover external target(s) that can be compromised.
  3. Internal pentest: After gaining control of the external target(s), you will pivot into an internal network. Your goal is to navigate through the network to get to the domain controller (DC) and compromise the Domain Admin account. Once you are able to log into the DC as the Domain Admin, you have completed the exam’s hands-on portion.

After the hands-on portion, there are two additional tasks for house-keeping.

Days 6-7

  1. Report-writing: As with OSCP, you will need to submit a formal pentest report. TCM Security offers this template but you can use other templates or make your own, as long as it contains all of the expected information.

About one week later

  1. Client debriefing: You will schedule a 15-minute video call with a TCM Security staff member to simulate a debriefing meeting with the client. You will go over your findings and suggest ways for the client to improve their company’s security. The meeting occurs over Google Meet so you can just share your report on screen, or you can create a simple Powerpoint presentation if you want.

After the debriefing meeting, you will receive your shiny certificate through email on the same day!

The exam timeline

After reading the five steps above, you might have thought, “This sounds so much like an actual pentesting engagement!” and that is precisely why I especially recommend PNPT for junior-level pentesters with little to no industry experience. From the beginning of the exam to the end, it mimics a real-life pentesting engagement with a client. You will learn the process, mindset, and skills needed to be successful as a professional pentester- even down to the writing and presentation skills!

I believe that PNPT is currently the only exam that carries you from the start to the end of an engagement like this so it is truly a unique experience.

For more information, you can find the official exam syllabus here.

My journey

I officially starting aiming for PNPT after I failed OSCP in March 2022, so it took me about 8 months from start to pass.

Study materials

Official training courses

The PNPT covers the following five courses from TCM Academy:

Yes, each course is only USD $30! It’s a total steal!

I completed them all and would easily rate them 100/10. The courses are affordable, the material is easy to understand, and the best thing- Heath delivers the content in an interesting way and even includes memes (personally, I think that’s a must!).

Prior OSCP prep

Hack the Box & Offsec Proving Grounds

In preparing for OSCP, like everyone else, I used TJNull’s famous list of OSCP-like boxes.

I bought the VIP plan for both Hack the Box and Offsec Proving Grounds, and then I did a combination of the following:

  • When I had time, I picked boxes randomly from the list and tried to do them on my own
  • When I didn’t have time, I picked boxes randomly from the list, read their walkthroughs, and noted down common attack vectors and commands to use

TryHackMe “Wreath”

It’s hard to get practice for hacking AD environments because platforms like Hack the Box, Try Hack Me, and Offsec Proving Grounds mostly operate individual boxes.

After doing some research, I found TryHackMe’s Wreath room, which is basically a small AD network where your goal is to compromise the DC. I wrote about my experience previously in the Twitter post below. Overall, I think it is an expensive but good learning resource because you will come out as a pro in pivoting and double pivoting- skills that you normally don’t get much chance to practice!

A Twitter thread I wrote about the “Wreath” room

Failed attempts

Health Adams has publicly stated before that some (the estimated number I saw on Reddit is around 30%) students pass on their first try, and almost all will pass on their second try.

Me? I passed on my third try. I honestly thought that I would never pass.

  • 1st attempt: May 1 - 5 (full five days but failed)
  • 2nd attempt: May 14 - 19 (full five days again but still failed…)
  • 3rd attempt: Nov 19 - 20 (two days and PASSED!!!)

The exam for my 3rd attempt was slightly different, probably due to the gap in between my attempts but as you can see, my 3rd attempt went much more smoothly.

I think there are two reasons for that. Every time you fail a PNPT exam, if you submit a report of what you did and what you wanted to try, you can receive a small hint. The things I learned from my failed attempts, along with the small hints and some additional studying, made the 3rd attempt much smoother so I don’t regret failing. If anything, it was all a good learning experience in the end!

Edit: As of November 23, 2022, the hint system has been deprecated so you will no longer receive hints for submitting reports after failed attempts. Don’t be discouraged though; my failed attempts honestly taught me far more than the hints did so I’m sure you will pass on retakes even without hints!

Overall rating

My overall rating for PNPT is as follows:

My rating for PNPT

Cost: 10/10

This one is easily a full score because PNPT is one of the cheapest certifications (if not the absolute cheapest) in this field. Below is a price comparison with its rival, OSCP.

OSCP

  • Exam voucher + all training material: USD $1499
  • Exam retake (I believe it’s not possible to take the exam without taking the course first): USD $249

PNPT

  • Exam voucher + all five training courses: USD $399
  • Exam voucher by itself (includes one free retake!): USD $299
  • Exam retake (from the third attempt onwards because the second attempt is free): USD $100

It’s insane that you can achieve this certification with less than USD $400, while OSCP is in the thousands!

Value: 10/10

This one is also easily a full score because the price of the training course + exam package is about 25% of the price of OSCP’s, but the quality of the course material is far greater. Heath’s videos are high quality and easy to understand, whilst OSCP’s were so monotone and dry that I actually gave up on watching them. The huge PDF textbook wasn’t particularly helpful either. PNPT easily wins in value. (No, I swear I’m not a paid sponsor LOL)

Difficulty: 6.5/10

If OSCP is 10/10 in difficulty, then I would say that PNPT is around 6 or 7 (significantly easier).

PNPT also has a lot of rabbit holes but in general, the path you should take is much clearer. The exam is indeed a bit longer since there is the debriefing presentation you need to prepare for and the hands-on portion of the exam itself is longer than OSCP’s, but the generous five-day time-frame made it feel easy.

Realism: 7/10

Although the boxes in this exam are much more real than OSCP’s, they’re still very obviously set up. For example, the contents and applications on the machines are not realistic for the situation and the fictional company. I guess this is unavoidable since it’s meant to simplify the exam.

Reputation: 4/10

Unfortunately, PNPT is still relatively unknown in the industry and will lose to certs like OSCP and eCPPT in terms of name value on the resume. It’s possible that you, my dear reader, have never even heard of it before you saw this blog post. PNPT has been gaining attention slowly so I hope that it will continue to grow in popularity over the next few years. It definitely is one of the best certs I’ve ever taken, and I think it deserves more recognition.

Practicality: 8/10

OSCP, Hack the Box, etc. tend to focus on rooting as many boxes as possible, but PNPT doesn’t have flags, scores, or any of those gamified elements so it feels a lot closer to the real world. You will discover boxes as you move through the AD network, but you don’t necessarily have to root every single one. Your goal is to get to the DC so you need to keep your goal in mind and decide whether you actually need root access as you investigate each machine. This mindset is much more applicable to the real work of pentesters- stay flexible and adapt to the environment while keeping your objective in mind. Live off the land.

Also, while OSCP, Hack the Box, etc. tend to have very old and obscure vulnerabilities, all of the issues found in PNPT are very real-life scenarios so the skills you learn from taking this cert will definitely be helpful in the industry.

That being said, the reason why I gave 8/10 instead of full score is because this exam was fairly easy, definitely easier than what I would expect a real-life engagement to be. I’m a bit skeptical about whether this exam has prepared me enough to move into a career of Red Teaming or penetration testing but we should remember that this is meant to be an entry-level exam.

Enjoyment: 10/10

I have over ten certifications and PNPT is hands-down, the funnest one I’ve taken so far! As I moved through the machines, there were jokes and memes which made it fun, and the generous amount of time given made this exam feel less stressful than any other exam I’ve taken so far. Overall, I enjoyed my journey and actually wish that I could take this exam again, just for the fun of it!

Tips

I would like to share three tips for people intending to take the PNPT exam:

  • Take screenshots and write your report as you go along. As with OSCP, after your exam ends, you cannot go back to your exam environment. I would recommend writing your report (including inserting the screenshots into their appropriate places) as you go along so that you can avoid having to dig through all the screenshots later, and to avoid forgetting important details.
  • Write down everything that you try and track all of your progress. If you fail the exam, you can submit this as an appendix in your report. The exam grader will read what you did and give you a small hint to point you in the right direction for your retake. (Edit: As of November 23, 2022, the hint system has been deprecated but taking detailed notes is a good habit to have and it will help you in retakes and report-writing, so you should do it anyway.)
  • Relax and don’t give up. Looking back, five days is definitely enough time to take many breaks to refresh your mind, and it is definitely enough time for this exam. Sometimes, the solution was right in front of me but I couldn’t see it because I was too mentally exhausted. Stay calm, write down your ideas, make a strategy, and go through each point one by one methodically. As long as you don’t give up, you’ll definitely make it!

Final thoughts

PNPT may be a lesser-known certification but in terms of quality, I believe it is far superior to OSCP. I learned so much from my journey and would highly recommend it to anyone who is interested in moving into pentesting, Red Teaming, or other branches of offensive security as a future career.

To learn more about the PNPT exam, see the homepage here.

In the future, I plan to write about my failed OSCP attempt, and I’ll also do a more detailed comparison between the two certs so stay tuned!

You may also enjoy

Farewell, Japan Computer Vision!

5 minute read

(EN/JA/ZH) Last week was my last working day at Japan Computer Vision (JCV), a Softbank subsidiary that develops facial recognition AI products. I joined in ...

What Does Probation Period Really Mean?

6 minute read

(EN/JA) This month, I officially finished my three-month probation period at Japan Computer Vision. This is my third company- therefore my third time going t...

Six Signs A Company Has Good Work-Life Balance

6 minute read

(EN/JA) Recently, work-life balance has been something that I’ve been thinking about a lot because things at work have been busy and sometimes it feels like ...

I graduated from Mercari!

11 minute read

(EN/JA/ZH) Last month, I resigned from Mercari where I worked for almost five years!