Note (added October 26th, 2020): All of eLearnSecurity’s content has recently been integrated into INE’s subscription-based model. While the content will stay the same, course, lab, and exam delivery will change. Have a look at both JSON Sec’s fantastic video as well as John Hammond’s take which discuss all of the changes in more detail.
A key interest of mine has always been how e-learning courses and programs, especially self-paced ones, can be made more engaging and impactful. With regard to this, I strongly believe that to design better courses, educators have to keep on experiencing courses, materials, exams, etc. themselves. Therefore, and because I have been interested in information security and penetration testing for a long time, I decided to try out eLearnSecurity’s Penetration Testing Student (PTS) course. Of course, I also had a go at their eLearnSecurity Junior Penetration Tester (eJPT) certification, which the PTS prepares you for.
While there are many interesting security certifications around, it was pointed out to me by various people that eLearnSecurity (ELS) is doing a really good job from an educational perspective. Having taken the class and the exam myself, I can only agree! This definitely, especially from an educational standpoint, was one of the best online courses or programs I have done so far - it is really straightforward, but great!
Before going into some more details, there will be a short primer of IT certifications for those who have no experience with this model. Feel free to skip this!
A Primer on IT Certifications
Certifications are a staple of the IT industry and often the gateway to getting a position. The idea is that professionals, usually in addition to their ‘regular’ education, will earn certifications (either vendor-specific or vendor-neutral) to prove their knowledge in a particular field/product and the fact that they are staying up-to-date. In a certain way, this is the industry’s way of enforcing and encouraging lifelong learning.
In most cases, these certifications - which are often also quite expensive - are linked to specific training programs and classes preparing students for the examination. Of course, there is also a whole industry behind providing training for these certifications, but that is another article!
In the following, I will use ELS as an example of how this looks in reality. eLearnSecurity (Caendra Inc.) is a vendor-neutral education provider. In comparison, many companies have their own-product specific certifications available. Similarly to many other providers, they offer a variety of training paths and certification tracks.
For example, ELS’s “Network Pentester” (Red Teaming) learning path contains three courses, each leading to the respective certification: Penetration Testing Student (currently: PTSv4) leads to the eLearnSecurity Junior Penetration Tester (eJPT) certification. Then, the Penetration Testing Professional (currently: PTPv5) course leads to the eLearnSecurity Certified Professional Penetration Tester (eCPPTv2) certification. Finally, you would take the Penetration Testing eXtreme (currently: PTXv2) course to qualify for the eLearnSecurity Certified Penetration Tester eXtreme (eCPTX) certification.
In addition to this, there are always lively debates in the community on how the various certificatioons rank against each other and which certifications carry the most weight. For example, in penetration testing, Offensive Security’s OSCP is the current gold standard against all other certifications are measured.
While ELS is quite lenient with regards to pre-requisites, it is often necessary to go through the paths steps by step or compensate with years of industry experience. Ultimately, these learning paths, in most cases, are also somewhat aligned with a usual career progression.
Taking the concept of lifelong learning seriously, most IT certifications need to be renewed every so often - usually after three to five years. In most cases, this can either be achieved by retaking the exam or collecting a certain amount of so-called Continuing Education Units (CEUs/CECs) for activities such as taking classes, publishing material, speaking at conferences, etc. ELS deviates from this model and offers lifelong certifications that do not need to be renewed. However, with ELS, your certification is clearly tied to the version of the exam you have taken. Therefore, even though you will not need to renew your certification, once a newer version has been released, you might want to get certified again.
When it comes to the actual exam, there are two widespread models. The first one being rather traditional exams (e.g., multiple-choice questions) whereas the second one relies on practical exercises and tasks-/performance-based assessment. In many cases, these exams are also heavily proctored.
eLearnSecurity’s PTS and eJPT
In the following, I am going to discuss the PTS and the eJPT. In doing this, I will have to be rather vague as there are, understandably, some fairly heavy NDAs at play.
According to eLearnSecurity, the PTS is “a self-paced training course built for anyone with little to no background in IT Security that wants to enter the penetration testing field.” In the same notion, the eJPT is absolutely a beginner’s certification that is best understood as a stepping stone towards more advanced programs and certifications such as the PTP/eCPPT or the PWK/OSCP. At the same time, penetration testing could be considered an advanced topic itself. Therefore, even if this is a beginner’s certificate, students are required to have a fair amount of previous knowledge when it comes to computers.
Personally, having some practical pentesting experience in the past but definitely doing security as a hobby now, the PTS/eJPT was not really a challenge, but definitely interesting and heaps of fun. That being said, someone with no or little prior experience will definitely greatly benefit from the course because it, first and foremost, introduces methodology and core concepts that will get you a long way.
I also believe that the PTS/eJPT could be a fantastic starting point for anyone who wants to transition into information security. Also, since the eJPT is a practical, performance-based exam, it might demonstrates a different skillset than a certification based on just a traditional exam such as CompTIA’s Security+.
As I said before, I am very impressed with this e-learning offer, and I believe that there is a lot to be learned from this course and exam. Of course, there are also a few issues, but I will discuss these a bit later.
Similarly to all other ELS courses, the PTS is presented through ELS’s own Learning Management System. It’s quite basic, but it works very well and the user experience is absolutely fine, both on desktop and mobile.
The syllabus (openly available) follows a clear and logical structure. The course, fundamentally, is structured into three sections: (1) Preliminary Skills - Prerequisite, (2) Preliminary Skills - Programming, and (3) Penetration Testing. Eeach of these sections is then further divided into learning modules.
The first section, containing four modules, is introducing you to both basic penetration testing methodology as well as some fundamentals in networking, web applications, and computer science. While not being super comprehensive, this section really gets you up to speed. That said, this is clearly targeted towards people without (much) prior experience in networking and web applications.
The second section also has four modules and provides, after a general introduction into programming, an overview of C++, Python, and Command Line Scripting. Obviously, you will not be a developer afterward, but the modules do a very good job at making students able to read and understand code. In some sense, this is a ‘bonus’ section since writing your own scripts and tools, while very helpful and allowed, is not a key part of the exam. I think it really needs to be pointed out that ELS goes beyond just preparing your for the exam here!
Finally, the last section, containing seven modules, is all about penetration testing, various tools, approaches, and methodology. Thoughtfully, the modules follow the methodology introduced in the introduction. Overall, this section introduces core concepts of penetration testing based on selected examples and common - sometimes slightly outdated - attack vectors.
Having the general structure out of the way, we can focus on the individual modules. Each module has three parts that work closely together: A slide-based introduction, one or more video presentations, and one or more labs.
While the videos, mostly practical demonstrations of concepts taught before, are done really well, the slide-based introductions are borderline “death by PowerPoint”. However, the slides are also done very well and they work - the might not be the most exciting thing one could do, but they are very well structured and also work very well as a reference.
The labs are certainly the most exciting part of these modules. For the labs, ELS grants you access to a virtual private network in which you can practice what you have learned in the module. The machines and the network are real, and there are basically no restrictions as to what you can and cannot do. While this is not an uncommon approach (think HackTheBox, TryHackMe, and others), ELS’s Hera Labs work fantastic, are tailored specifically to the modules, and allow you to experiment without anyone else interfering. For each lab, students are provided with a lab guide that poses some challenges and also provides a thorough walkthrough in case someone struggles. The guide work really well, and the tasks and challenges are for the most part thoughtful and try to resemble real scenarios. However, the great thing about these labs is that they allow you to approach the task from various angles. This offers a great opportunity for exploration and learning. In addition, this also gives you reason to go back to previous labs in order to experiment with new tools and approaches.
I particularly liked the modules because the individual parts (slides, videos, and labs) interact very well. While the slides and videos prepare students for the labs really well, the challenges in the labs often require you to do your own research and go beyond what has been taught before. This, of course, reflects the fact that this is a discipline that fundamentally requires you to do your own research all the time. At the same time, the provided walkthroughs ensure that you will never feel completely lost (looking at you, PWK/OSCP).
While the learning curve, especially for beginners, is quite steep, the course regularly gives you a sense of achievement. The labs and some of the material can be challenging but never to the point where you would feel disheartened.
From an educational standpoint, ELS has done a fantastic job finding a good balance between holding students’ hands and providing them ample opportunity to explore, make mistakes, and learn independently. In addition, the ELS community is great, and having access to the ELS forums is a great additional resource to the course. I can also highly recommend the inoffical ELS Discord.
After all of this praise, there is one issue with this course that has to be mentioned. Unfortunately, but understandably, some of the material is not perfectly aligned with the current versions of some tools anymore. Essentially, the course material and especially the videos are based on Offensive Security’s Kali Linux 2017. If you take the class using a modern distribution (e.g, Kali 2020, Parrot Security), a few of the examples will not work out of the box. While this is not a big deal, and there are solutions available in the forums, these hiccups could potentially confuse students. On the other hand, dealing with these kinds of problems is part of the very thing this course is trying to teach.
Another thing I would have liked to see is a precursor to the report writing necessary for the eCPPT. Report writing and documentation is a key part of penetration testing, and it is a skill that needs to be acquired. While I understand why the PTS/eJPT does not focus on this, it would have been nice to at least get an introduction into creating good reports and notes.
Assessment / eJPT Exam
While one can take the PTS course on its own, it is definitely meant as preparation for the eJPT certification exam. Actually, buying the PTS will also get you a voucher to take the exam. Therefore, I will consider this exam the assessment linked to the course.
The exam, following the course, is fantastic and actually a fun experience. Contrary to traditional exams, the eJPT is a completely practical, applied take-home exam. After starting the exam, students receive access to an exam network as well as a set of questions. These questions, however, are not knowledge-based but require you to gain access to the network and machines, to apply your knowledge, and to understand as well as analyze data. In order to do this, you have three days, and there are no restrictions on what you can and cannot do (aside from doing the exam on your own).
This, again, is where ELS truly shines. Although some of the challenges are potentially a little less realistic than others, the exam works similar to a real-world engagement. There are no arbitrary restrictions, and you are free to “solve” the engagement as you see fit. This open format, of course, also allows you to put your methodology and your tools to the test.
The exam is quite hard but extremely fair and well aligned with what has been taught in the PTS course. Similarly to the labs, the eJPT is a challenge, but - given enough preparation - never frustrating. If you fail the exam, ELS allows you to do a retake for free - that takes out a lot of the pressure. The exam itself is not proctored. While this introduces a few issues, it also allows for the three day exam time.
Value for Money
Of course, neither the PTS nor the eJPT are free. As of August 2020, the PTS, including an exam voucher, is 400 or 500 USD, depending on the package/tier. If you are living in the EU, you will have to add VAT to this. It is important to mention that the different tiers (Barebone, Full, Elite) make a big difference. Personally, I believe that having the extra lab time as well as PDFs of the material was worth the additional money for the Elite tier, but your mileage might vary.
Personally, I strongly believe that this is a very good value for money. The course materials are great - although not perfect - and the labs (as well as the exam) give you ample of space to experiment and learn. That said, it is important to assess your own level and which course is right for you. As I said, I primarily took the PTS out of curiosity, knowing that it is most likely a little bit too basic for me.
As I said before, I really enjoyed eLearnSecurity’s course and exam a lot. The fact that I enjoyed a certification exam for the first time probably says a lot on its own. If the PTS/eJPT is indicative of ELS’s other courses, I can only recommend having a look at them as well. While I currently do not have the spare time to pursue the PTP/eCPPT for fun, I really would like to do so!
From an educational standpoint, I think there are at least three lessons that one can take away from this. First, ELS has demonstrated, at least to me, that a rather basic, but well-executed, approach to eLearning - slides, videos, fantastic exercises/labs - can work really well. There’s nothing out of the ordinary or super flashy here. However, the material is very well crafted, well integrated, and well-supported by the community and ELS’s staff.
Secondly, ELS’s Hera Labs are outstanding and clearly demonstrate the power of giving students the opportunity to freely experiment and explore. The openness of the labs combined with thorough scaffolding provide a fantastic starting point for safe exploration that allows students of different levels to enjoy the exercises.
Finally, the take-home exam demonstrated the power of (semi) realistic, unhindered performance-based assessment. While the exam’s openness might makes comparing students harder, it also allows for different approaches to applying the knowledge gained. For example, using automation and some custom tools, the exam becomes significantly easier. However, in order to do this, students need to acquire the skills to do so on their own. Therefore, leaving the issue of proctoring aside, the eJPT exam tests whether you have the competencies and skills to solve the challenges and not wehther you have memorized the exact methodology proposed by the course. While I absolutely love this approach, I do understand that, especially from an HR perspective, more standardized and controlled exam formats have their merits.
Finally, I want to reiterate that one the best things about the PTS/eJPT is the fact that it teaches and reinforces core competencies and skills needed by (IT) (security) professionals such as strong methodology, research literacy, curiosity, critical thinking, and creativity. From this point of view, the PTS/eJPT is not just a great starting point for those wanting to continue, but also a great course for those who want to just gain a high-level understanding of how penetration testing works.