PNPT Review
Overview:
The TCM Security site for the Practical Network Penetration Tester provides a great summary of what this certification entails, which I will cite below to provide a brief description:
The Practical Network Penetration Tester™ (PNPT) certification is an intermediate-level penetration testing exam experience. This exam will assess a student’s ability to perform a network penetration test at a professional level. Students will have five (5) full days to complete the assessment and an additional two (2) days to write a professional report.
In order to receive the certification, a student must:
- Perform Open-Source Intelligence (OSINT) to gather intel on how to properly attack the network
- Leverage their Active Directory exploitation skillsets to perform A/V and egress bypassing, lateral and vertical network movements, and ultimately compromise the exam Domain Controller
- Provide a detailed, professionally written report
- Perform a live 15-minute report debrief in front of our assessors, comprised of all senior penetration testers
Why did I choose this path?
I had just wrapped up my eJPT journey and was quite motivated by my passing. At that moment, I had been eyeing the OSCP, thinking I could tackle it after eJPT. However, after some proper research and deliberation, I was advised to check out this guy called "The Cyber Mentor" and the new PNPT certification.
At first glance, I thought to myself, "Okay? Another guy who's going to try to get me to buy stuff." Nevertheless, I wanted to give this some thought and research. After some investigation, I was dead wrong. Heath, if you find yourself reading this, you're a legend and you really boosted my motivation and aspirations!
Let me divulge a bit more: TCM Security offered courses for literal dollars. Yes, you heard me right, literal dollars for a whole course. This aspect alone baffled me, as I had seen the market just draining bank accounts left and right. Additionally, the exam was $299 with a free retake. Again, yes, you heard me right, a free retake!
As you can see, the choice was fairly easy. I immediately purchased all the necessary courses as well as the exam attempt.
The course material:
The course materials recommended to complete prior to attempting the exam are as follows: Practical Ethical-Hacking, Windows Privilege Escalation for Beginners, Linux Privilege Escalation for Beginners, Open-Source Intelligence (OSINT) Fundamentals, and The External Pentest Playbook.
One item I really want to highlight is Heath's advice before starting the course, where he tells you why you should not become a pentester. He is the only one to date who is very upfront about what he is teaching and what you should truly expect.
Regarding the recommended materials, I had completed all the modules in the course and made "comprehensive" notes on the learning objectives. The material within the course was delivered by Heath himself and was provided in a realistic and concise manner. Every attack and technique is not only demonstrated but also reviewed with proper remediation. The subtle addition of including those recommended remediations was a fairly new concept in my early journey and helped me understand the holistic approach.
As for proper note-taking, which can be a rabbit hole, I would say take notes in your own manner and properly annotate each requirement for each attack. One devastating issue that hindered me during the exam was the poor quality of my notes. During my completion of this course, my note-taking methodology was to take a screenshot and add a comment, which I thought would suffice. DO NOT DO THIS! These courses should assist you in creating your own "Attack Matrix" rather than just checking a box before the exam.
Exam time:
Out of respect for the TCM team, I will not be providing any direct exam details that are not publicly known.
Okay, let me lay down some groundwork before delving into my experience. Fresh from completing the eJPT, I thought I was a "l33t Haxkor" and believed I could easily pass this exam in a few hours. However, I failed the exam four times—yes, you heard me right, four times. It's a bit embarrassing, but it was entirely my own fault. A major takeaway was humbling my ego and focusing on developing a proper methodology.
In retrospect, the exam is fair and a great learning experience. Every necessary methodology is covered in the course. The exam doesn't include any gimmicks or highly specialized methods. There are no flags either, which was another new concept to me, but I think it's a fantastic idea. In real engagements, we don't have magical flags telling us we're doing well or on the right track. The exam emphasizes practicality over complexity. Without going into details, I believe the five-day timeframe is ample and quite fair for achieving the goal of obtaining domain admin.
One aspect that isn't often discussed is the report and debrief sections. Spending two full days writing a detailed pentest report is crucial. Don't underestimate this phase. By this point, I fully understood the importance of the certification process and wrote my report as thoroughly as possible. I think I spent about 40 out of 48 hours on my report.
Once I submitted the report, it was accepted within a day, and I scheduled my debrief. I chose to prepare a presentation for my debrief to ensure I covered all key information. The debrief went smoothly, and the staff were fantastic. Shortly after the debrief concluded, I was awarded my certification within minutes.
Final Thoughts:
- I believe this certification and its course material are excellent for validating whether this path is right for you.
- The staff and community are incredibly kind, and the support is mind-blowing—they responded to simple inquiries after hours, often within minutes.
- This certification is something I believe every aspiring offensive security professional should pursue.