TCM Security's Practical Network Penetration Tester (PNPT) Certification - Seven Days of Authentic Penetration Testing

TCM Security's PNPT Certification (Certificate Ingo Kleiber)

I recently took a few holiday days and gave the newly released and very well-received Practical Network Penetration Tester (PNPT) certification by TCM Security a shot.

In this article, I will be sharing my experience and provide a short review of the exam as well as the certification process. In addition, I am going to briefly discuss the accompanying courses offered via TCM Academy.

Important Note: I’ve earned the PNPT as an Early Adopter (i.e., one of the first 100 certifications), and both the courses as well as the exam will change somewhat in the future. That said, I am convinced that it will only get better over time!

The PNPT certification (formerly briefly known as CPEH) is the brainchild of Heath Adams (@thecybermentor) and has recently entered the already quite crowded space of security, more specifically penetration testing, certifications. In contrast to many existing certifications, the PNPT is unapologetically practical and simulates an authentic penetration test as closely as possible. More on that later!

As the certification is closely linked to the newly launched TCM Academy, which has replaced TCM’s very popular Udemy courses, I will briefly talk about the training before going into the exam and certification itself.

In short, one can currently (as of August 2021) take the “Standalone Exam” for $299 or opt for the bundle that includes five courses for $399. I can already tell you that both of these options are still, for marketing reasons, significantly underpriced and that the bundle is an absolute steal!

My Background

To make reading and interpreting this review easier for you, I will say a few short words about me and my background. While security, that is IT/cyber security is part of my job, I do not work in security, and I specifically do not work as a penetration tester.

Primarily, I work in (digital) education, and I consider hacking to be a productive hobby that I’ve been following for about 15 years now. That’s also why I will specifically look at this certification from an educational point of view. While I hold other IT certifications, in terms of penetration testing, I’m currently only eJPT (and PNPT) certified. That said, I have a good understanding of the certification landscape, and I have taken training, without certification attempts, by various vendors.

TCM Academy (Courses in Preparation of PNPT)

Heath Adams, aka. TheCyberMentor, is a well-known figure in the IT security education space. If you’ve been around, you certainly have come across the Practical Ethical Hacking course or his introduction to simple Buffer Overflows, which is a staple for OSCP preparation.

Relatively recently, he and his team, including Joe Helle aka. TheMayor, have started to offer their courses through TCM Academy instead of Udemy. This also means that the old courses on Udemy will receive very little to no updates while the courses on the new platform will be continuously updated.

TCM Academy Courses as of August 2021

While there are already other highly interesting courses available, I will focus on the five courses currently bundled with the PNPT exam:

Practical Ethical Hacking (This is THE foundational course for PNPT. Think about a clever and modern combination of ELS/iNE’s PTS and PTP learning paths.)
Linux Privilege Escalation for Beginners
Windows Privilege Escalation for Beginners
Open Source Intelligence (OSINT) Fundamentals
External Pentest Playbook

These courses, first and foremost the Practical Ethical Hacking course, are also the foundation for the certification. While it might be a little bit of a stretch, TCM Security’s claim that one can pass the PNPT exam based just on these courses, overall, holds true.

Before going into any more details, I already want to point out that this is a key benefit of this certification. If one truly engages with the training as well as the additional material, the certification exam works as a fairly comprehensive, quite challenging, summative assessment for the learning path. In contrast to the courses, which will lead to a regular PDF certificate of completion, the PNPT is accredited via Accredible.

As this is not a review of TCM Academy or these courses per se, I will keep it brief. Please keep in mind that the TCM team is constantly updating and changing the courses. For example, very recently, they replaced a number of HTB/THM labs with new, custom-built ones. While this is awesome for students taking these classes, it makes reviewing them quite hard. As a side note, I want to really commend them for documenting all of the changes via Discord!

So far, the courses have only gotten better, and I would suggest you should assume the same! Furthermore, keep in mind that these courses, at roughly $35 if bought individually, are significantly cheaper than basically everything else comparable on the market. In terms of raw price-performance ratio, it is VERY hard to beat TCM Academy right now. Overall, including discounts for veterans, first responders, and students, TCM Security needs to be commended for making these classes as accessible as possible.

Overall, the courses are structured and delivered in a very traditional and straightforward way. The courses, in general, present students with a set of videos, additional ressources, and exercises (Labs) that are to be taken in a linear fashion. The videos are very engaging, and students defintely don’t face any death by PowerPoint or PDF as can be the case with, for example, eLearnSecurity/iNE courses.

Here and there, students will also find activities targeted towards formative assessment. For example, in the (fantastic) OSINT course, students are invited to perform some OSINT tasks on their own. The labs, especially the new ones, are really good, and students also get access to walkthrough videos that, in great detail, go over the labs and how to approach them.

Both the material as well as the delivery don’t leave much to be desired. The content is up-to-date, and TCM did a fantastic job of focusing on relevant topics that clearly serve a purpose in the world of real information security. Furthermore, looking at the course catalog, TCM Academy does a great job tackling some topics that are less prominently featured by other providers (e.g., OSINT and Privilege Escalation).

That said, the courses I’ve seen so far could all significantly benefit from a more sophisticated approach to (e)learning. Going beyond what is essentially a playlist of very good videos would really separate these courses from the competition even more. For example, I would love to see less linear learning paths, more formative assessment, more exercises, as well as more diverse learning activities.

In addition, it would be lovely to see a more student-centric approach to learning. While this introduces a whole new set of challenges, many of the topics covered in these courses would lend themselves to various social activities as well as, for example, peer assessment.

While teach:able, the platform currently powering all courses, is relatively limited with regards to course design; even adding a few quizzes here and there could help break up the playlisty nature of the courses. That said, the platform is very stable, and the user experience, also on mobile, is simply very good.

Aside from the courses themselves, I also want to point out that there’s a very active and helpful Discord community associated with TCM Security which features, for example, study rooms and support channels for each of the courses.

Overall, while being too linear and too teacher-centric in my opinion, these courses are fantastic and an absolute steal. What impresses me most is how all of these courses strike a very good balance between teaching current, very practical skills and building fundamental as well as methodological competencies.

PNPT Certification Exam

Having talked about TCM Academy for way too long, we are now going to look at the Practical Network Penetration Tester certification exam.

In the following, I will first provide my perspective on the exam as well as the process in general. Afterward, I am going to discuss two more specific issues: How the PNPT relates to other certifications as well as the (non-)proctoring policy.

On a very high level, the PNPT exam is a seven-day (!!) long simulated penetration testing assignment. Once the exam period has started, students will be tasked with performing a penetration test - both external and internal - on a fictitious company. The exam, according to TCM Security, has been modeled after actual real-world pentests they have conducted in the past. Very cool! With very few exceptions, the exam manages to stay within this narrative of a company/client having ordered a penetration test. Hence, the exam naturally starts with a Rules of Engagement document and ends with the student debriefing the ‘client’ in an actual interview.

More concretely, in order to pass the exam, students need to:

Perform OSINT on the client (yes, you actually have to do actual research)
Perform an external penetration test
Perform an internal penetration test with a strong focus on Active Directory (Goal: Compromise a Domain Controller)
Establish persistence in the internal network
Write a detailed penetration testing report for the client. This involves a detailed account of all findings, mitigation strategies, etc.
Debrief the ‘client’ (i.e., a TCM staff member) in a 15-minute long video call

Doing this, students have five days for the actual penetration test as well as two additional days for the report. Based on my experience, this is a very fair time frame that allows you to take the exam even if you have other responsibilities. Fortunately, this is not an endurance test but a simulated professional assignment. Of course, your previous knowledge and experience will determine how stressful these five or seven days will ultimately be.

Even before going through the process, I absolutely loved seeing a certification that heavily leans into the idea of authentic, complex scenario-based assessment. This exam truly is not about poppin’ shells and owning boxes, but about understanding, assessing, documenting, and communicating the security stance of a small organization.

While a key goal is DC compromise, the PNPT assesses far more than just technical abilities. As there is a strong focus on report writing as well as the face-to-face debrief, students have to demonstrate competencies across the whole penetration testing lifecycle, not just their ability to exploit vulnerable systems. This holistic approach, taking into account non-technical skills as well, is what clearly sets the PNPT apart from other certifications, including those who have some sort of report writing (e.g., OSCP, eCPPT).

Strictly following this practical, real-world approach to assessment, the exam does not artificially limit students in any way. As long as one takes the exam on their own and stays in scope (as per the Rules of Engagement), all tools are fair game, and students are free to utilize their five days at their own discretion.

That said, I would recommend approaching the exam as an actual penetration testing assignment. To me, this includes being a responsible tester and treating the environment with care, for example, not running attacks that could seriously compromise the environment. This is also a perspective that is strongly encouraged and taught in the five courses accompanying the PNPT.

While I cannot reveal any details about the environment, I want to point out that the team did a tremendous job creating the exam environment. It is, with some exceptions, believable given the narrative, allows for a variety of approaches, and even features an underlying narrative. While the machines and network aren’t entirely realistic, they clearly mirror practices found in the wild. They also fit together, and you don’t necessarily have the feeling of just going from machine to machine, making movement a lot more interesting. There’s also quite a bit of humor which really helps when getting stuck - something that will happen!

While some reviewers have argued that there are quite a few rabbit holes, I would disagree. While there are plenty of interesting and challenging things that will not get you closer to compromising the Domain Controller, these “rabbit holes” will lead to more findings that are relevant for the hypothetical client. Well, maybe I’ve also overdone it a little with the role-playing…

I consider exams to be learning opportunities - at least they should be! If you consider the PNPT a CTF-like thing, you might still pass, but you will miss out on a lot of learnings for sure.

As the exam essentially throws you into an organization’s environment, you will face both the challenge and the opportunity to explore and assess without going on the hunt for flags. While this adds to the difficulty of the exam as you don’t have a clear indication of when you are done, it mimics a real-life scenario in which it is your job to, ideally, find most or even all problems.

As per the certification FAQ, “the exam will be difficult and may require additional training” if you are a junior penetration tester. For a mid to senior-level penetration tester, they say, “the exam will be of moderate difficulty.”

For me, strictly looking at this from a learning perspective, the level of difficulty was perfect. Taking a lot of breaks and forcing me to relax, the exam took me the full five days. While I made very good progress in the beginning, the exam was very challenging for me down the line! Especially the Active Directory portion, which I had the least experience with, was very difficult for me. I got stuck, I got stuck a lot!

IngoKleiber on Discord: "That's why it's great that we have a free retake! My exam will end in 7 hours, and I'm probably going to fail as well - very close in front of the finishing line, but still. Next time hopefully is going to be the charm ;)

Seven hours before my deadline, I was stuck again and pretty sure to fail. Looking at all of these mistakes, I was apparently stressed and exhausted as well.

Having said all of that, the exam was expertly crafted when it comes to balancing motivation and challenging tasks. Given my level of competency and prior experience, I received an almost perfect exam experience. While the exam challenged me to the point of almost giving up, I was never completely lost or disheartend. The exam continuously pushed me to go slightly beyond what I already knew or was capable of.

I was constantly trying to figure something out, and I truly felt challenged in the best possible way throughout the whole week. From a learning perspective, this was an incredible experience! Of course, this will differ greatly based on your experience! If you are a seasoned Active Directory professional, you will most likely face other challenges than I did.

Following the technical portion of the exam, I had to write my report as well as finish the debriefing. Being much more aligned with my day-to-day, I actually enjoyed this part of the exam as well. I learned a lot about good technical report writing, and I thoroughly enjoyed the short face-to-face debriefing in which I had to run an expert - in my case Heath himself - through my report. Writing the report, I also thought and learned a lot about existing frameworks and standards. This is something I did not anticipate going into this, but greatly appreciated!

Overall, I cannot overstate the benefit of going through this whole process - from contract to debrief - during the exam. As someone with very little experience doing this professionally, this experience definitely opened my eyes to challenges and opportunities far beyond the technical aspects of breaking into networks or defending them.

I also very strongly believe that the community will benefit from an extremely practical certification that focuses on ALL competencies involved in a penetration test. This might also be highly motivating for those who have their strengths primarily outside of the purely technical aspects.

Aside from these major points I wanted to make, I also need to point out that:

the exam environment, including multiple Windows machines, was extremely stable and snappy. I engaged with the network for five days straight without any issues whatsoever!
the support team is excellent! Early on, I had a suspicion that I broke a part of the environment and the TCM team handled my panicked request fantastically.
TCM Security offers a free retake on the exam “because a training company’s revenue model shouldn’t rely on student’s failures (Heath Adams)”. This includes feedback on your first attempt based on your report. It’s hard to state how awesome that is!
The whole process, from booking the exam until finishing the debrief, was fantastic and seamless.
After passing the exam, you will get access to a special Discord channel for exam holders.

PNPT and Other Certifications

As I said in in the very beginning, the IT/cyber security space is rather crowded with vendors, training providers, and certifications. As the PNPT is still very young, it’s pretty hard to discuss its place within the wider landscape, and only time and experience will tell. Nevertheless, I want to give it a shot!

Looking at the widely referenced “Security Certification Roadmap” by Paul Jerimy, the PNPT is a “Penetration Testing” certification that sits somewhere between the eCPPTv2 and the OSCP. But, of course, this does not tell us the whole story at all.

The PNPT, as I tried to outline above, tries to replicate an authentic pentest including all of the necessary competencies, the methodology, as well as the timeframe. In doing so quite successfully, it’s just fundamentally different from most other available exams. While the PNPT, arguably, is less technically challenging than some other exams, it will require you to get out of the CTF mindset and perform in a face-to-face debrief. While the five/seven days are more relaxed than a 24-hour marathon ~~hazing ritual~~, the point is not to “own a couple of boxes” but to fully understand and assess a small organization in terms of its security stance.

While the PNPT in many ways is a certification for beginners that is aligned with the courses discussed above, I would not necessarily recommend the PNPT as someone’s first certification. While the exam can be passed by someone with no or not much prior experience, I believe that those who already have a solid foundation will benefit a lot more from the exam and the process. Given how both the courses and the exam are designed, how much someone is going to take away (putting the certification aside) depends on their prior experience and the approach they are taking.

Aside from all of this, it is worth mentioning that there are currently not many certification exams available that actually go into OSINT as well as Active Directory. While this is quite strange given the extreme real-life importance of these topics, the PNPT is a great way of getting these skills under your belt.

Proctoring and Cheating Prevention

Certifications, just as degrees, first and foremost, are a way of effectively assessing and communicating some of the competencies and skills a person has. For this to work, it’s important to establish trust that the person in question has truly earned the credential, i.e., the certification. In many cases, this is achieved - or rather approximated - by proctoring. For example, during the OSCP, candidates will be watched and monitored for the whole duration of the exam.

The PNPT, as it stands right now, is an unproctored exam. This, of course, does not mean that there aren’t mechanisms that make cheating harder. For example, for the PNPT, the network will be monitored by TCM Security. Nevertheless, not having a proctor makes cheating, usually by having someone else taking the exam, a lot easier.

Despite the fact that it would be incredibly hard to proctor a five-day exam, I am happy that the PNPT is not actively proctored. Aside from some obvious issues with proctoring (e.g., cost, privacy, effectiveness, …), a proctored version of the PNPT would take away the feeling of this being an actual assignment which you are performing on your own time.

In addition to that, I believe that the oral face-to-face debrief is a very powerful alternative to proctoring. If the debrief is taken seriously, cheaters would need to make a significant effort in order to be able to run an examiner through their penetration test and report convincingly. While this will not necessarily stop all cheating attempts, it will make cheating significantly harder without introducing expensive privacy- and immersion-breaking proctoring.

As there recently has been a cheating attempt, Heath Adams has announced that there will be identity checks during the exam debrief as well as a stronger focus on exam environments.

Conclusions

Overall, I can confidently say that the PNPT has been the best certification exam I have taken so far. The exam, especially combining a scenario-based practical assessment with a written report and an oral exam (debrief), is a showpiece of how to do a meaningful summative assessment that is a learning experience in itself. The fact that all of this is being done online is only adding to my excitement!

Of course, one has to address the elephant in the room: TCM Security’s PNPT is not yet a well-established certification, and its “market value,” thinking strictly in terms of CVs, is still more or less neglectable. However, if the announced changes will be implemented and the quality is kept despite this type of exam being much harder to scale, I strongly believe that the certification will gain a lot of traction.

Of course, at $399, the training and exam bundle are currently ridiculously underpriced. If you are thinking about going on this PNPT journey, to use some common OSCP lingo, do it now!

Don’t Just Take My Word for It

As always, it’s good to get a second, third, fourth, nth opinion on things! Fortunately, there are already a number of other reviews on the PNPT out there.

Review (Blog/YouTube) by Infinite Logins
Review (YouTube) by Mike Dame aka. HackstoHack
Review (YouTube) by Binary Security
Review (YouTube) by ScriptKiddieHub aka. _mtrill_
Review (Blog) by Matt Schmidt
Review (Blog) by TheInfoSecPhoenix
Review (Blog) by 4t0m / Allan Jay Dumanhug
Review (Blog) by Shaun Whorton
Review (Blog) by PrivacyMonk3y
Review (Blog) by Aaron Moorcroft aka CyberZombi3
Discussion of PNPT (YouTube) by Daniel Lowrie

(List as of late January, 2022)

Please be aware that I’m most likely not going to keep this list updated. Have a look for yourself; as the PNPT will become more widely known, I am sure more and even better reviews will come out!