eNDP Ingo Kleiber

The Network Defense Professional (eNDP) is (one of) eLearnSecurity’s (ELS) foundational defensive or “blue” certifications. It is by far not as popular as other eLearnSecurity certifications (e.g., eJPT or eCPPT) and by now quite old; the course as well as the exam have not been updated since 2014. In this review, I am going to discuss the course(s), the certification exam(s), and specifically whether it still makes sense eight years later.

Before going into the eNDP, I will have to say a few words about INE and eLearnSecurity. This is not a review or discussion of INE, but it is important to understand the situation. In 2020, INE acquired eLearnSecurity and all of ELS’s courses where migrated into INE’s subscription-based platform. A similar thing has now happened with Pentester Academy.

The exams themselves are still managed by eLearnSecurity, but they are now merely the certification authority. Furthermore, while INE is actively promoting ELS certificates, their status and position within INE’s portfolio is a topic of ongoing debate. This is particularly fueled by INE’s new certificates, little updates to existing ELS courses, and a new general direction INE is taking.

That said, I am a satisfied INE subscriber and I genuienly enjoy what they are offering and how much new content is available for learners! Nevertheless, especially looking at older and less popular ELS certificates, it is important to mention and recognize the fact that eLearnSecurity is not eLearnSecurity anymore.

With that out of the way, let’s have a look at the eNDP. According to eLearnSecurity/INE, the Network Defense Professional (eNDP) certification “[t]ests candidates on their understanding of the theoretical aspects behind securing a network and hardening endpoints” and “ensures that candidates can practically remediate security issues and harden a network.”

These learning objectives are assessed using a combination of a theoretical multiple-choice exam as well as a practical simulation in which a network, including a series of endpoints, needs to be evaluated, hardened, and documented. To do so, learners have four days of lab access as well as ten days for report writing.

To better understand the “positioning” of the eNDP course(s) and certificate, it’s worthwile to have a look at eLearnSecurity’s legacy training paths. Please be aware that there used to be more than these two!

eLearnSecurity Legacy Training Paths Two of eLearnSecurity’s Legacy Training Path

As we can see, the eNDP was originally positioned as a possible “blue” counterpart to the extremely liked eJPT. This is also one of the reasons why I wanted to give the certification a chance! Furthermore, especially in a market that still has signficantly fewer “blue” than “red” certificates, I wanted to have a look at a foundational course and exam. Lastely, also compared to many other defensive certifications, the eNDP nicely bridges the gap between security and administration.

Now, with the original “training paths” gone, INE proposes the Incident Handling & Response Professional learning path (leading to eCIR) as the “recommended next” after the Network Defense Professional path. To me, that seems to make sense and ultimately leads to a useful combination of the old “Enterprise Defender” and “Incident Responder” paths.

The Learning Path / Courses

While it is not as obvious now as it used to be, for each ELS certificate, there is a course leading up to it. In the case of the eNDP this used to be the PND course, which now has been rebranded as the Network Defense Professional Learning Path. Keeping the exact same material and overall structure, INE has split the PND course into three individual courses organized as a learning path. These courses correspond to the old PND “sections,” which had the same names as the new individual courses.

INE's Network Defense Professional Learning Path INE’s Network Defense Professional Learning Path (© INE)

This split, to me, gererally makes sense as the sections teach quite different skills.

From a content perspective, the learning path offers a very nice blend of administration and security skills. To a certain extend, it is a highly security-focused introduction to (Windows) network and system administration. This would also make the eNDP an interesting choice for those who want to move into the security field.

Of course, you can have a look at the syllabus online, but for me it came down to four key areas:

  • Secure network design with a focus on firewalls, ACLs, and VPNs
  • Fundamentals of (Windows) endpoint security
  • Analyzing networks and systems for common security issues and mitigating them (including some basic vulnerability management)
  • Windows network and Active Directory administration (including patch management)

The courses themselves consist mainly of slide decks as well as some videos which mostly demonstrate technical concepts and configuration procedures. Next to these materials, there are ten guided labs that are well-designed and guide learners through building and configuring secure systems. For example, there is a very nice lab where students are guided through configuring a pfSense firewall and appropriate ACLs in a small network.

While the courses, at least not for me, are by far not as engaging as the eJPT ones, they are well designed and teach valuable fundamentals as well as best practices. The labs are not necessarily exciting, but they meaningfully reinforce the materials and guide learners through common producers such as setting up Group Policies or managing patches.

Overall, I would argue that the Network Defense Professional learning path is not exciting but a highly useful introduction to network and Active Directory administration. I also want to point out that eLearnSecurity did a really great job demonstrating different technologies. For example, the labs are based on pfSense, but the course also demonstrates key firewall issues using the commercial paloalto firewall.

This all sounds rather promising! Nevertheless, I cannot glance over the fact the material is old and lacks any hints or comments regarding its outdatedness. The course was released in 2014, and it shows. In the course and the labs you will work with outdated software, and some of the tools and methods taught are simply not applicable anymore. A particularly clear example of this is a whole chapter in the learning path devoted to the Enhanced Mitigation Experience Toolkit (EMET). While EMET was a very clever solution at the time, it has reached EoL in early 2018 and has been completely replaced by Windows Defender.

The learning path clearly suffers from the fact that the material is more than eight years old by now. Furthermore, the material does not acknowledge this fact in any way; a simple modification that would help learners contextualize the material better.

That said, most of the fundamentals and best practices have not changed that much and are still extremely useful. For example, configuring Active Directory policies still works, more or less, the same! Furthermore, as demonstrated with the pfSense and paloalto example above, the courses have a focus on more general principles rather than one specific technology.

Unfortunately, all of this does not help with the somewhat bitter feeling of working through labs based on “ancient” technology and setting up systems, such as EMET, that should not exist in modern environments anymore.

Ultimately, I believe that the learning path still has a tremendous amount of value. It teaches great fundamentals, and it provides a lovely introduction to both firewalls and Active Directory. However, these remarkable “bones” make me wish for an updated or refreshed version all the more.

While the content leaves us with a somewhat ambiguous perspective, the learning platform, unfortunately, does not.

In 2020, I quite favorably wrote about the eJPT and described ELS’s Learning Management System as follows: “It’s quite basic, but it works very well, and the user experience is absolutely fine, both on desktop and mobile.”

Unfortunately, and I really mean it, the same cannot be said for the migrated ELS courses on the INE platform. Sadly, the migration to INE’s platform led to a significant loss of usability and overall quality. While INE’s platform looks and feels more modern, the experience – strictly looking at the old ELS courses – has gotten signficantly worse.

Screenshot from "Network Defense: Network Security" Lab 10 OpenVPN Screenshot from “Network Defense: Network Security” Lab 10 OpenVPN (as of Feb. 13th, 2022) (© INE)

For example, in the screenshot above, we can see a visualization that has most likely been taken from the old material without consideration for the new platform’s design. While this is a small mistake, it arguably says something about the quality control that the course underwent after the migration.

To name a few of my issues:

  • The course material can no longer be downloaded.
  • The slides can only be viewed in a JavaScript/image-based player that does not support copy and paste. This is also horrible from an accessibility perspective.
  • The labs (guides and solutions) contain spelling and significant formatting errors.
  • The labs have not been updated at all, and compatibility with current versions of, for example, Kali is sometimes problematic. As discussed above, some additional hints and comments would really help in this department!
  • For me, the platform is less clear, and I am having a harder time understanding my progress as well as the next steps. This, however, might be very subjective!

Overall, it seems to me as if the content migration simply was done rather carelessly. The issues mentioned are not overly significant, but it is sad to see that the learning experience as well as the accessibility, strictly comparing it to before, got worse.

Having said that, I do understand INE’s attempts to protect their IP (i.e., no downloads) and their focus on new and exciting content. Also, the really lovely support is very quick at fixing issues once pointed out! Nevertheless, especially for someone who knows the old platform and designs learning experiences for living, not being able to copy a command, for example, is mildly infuriating.

Bottom line: While I appreciate the time spent on new content and features, older courses, especially if they are still being actively marketed and sold for full price, deserve some attention and care. This especially bugs me as some small and simple changes and quality-of-life updates would make the learning experience much better! For example, simply removing or replacing dead references and adding some remarks regarding what has changed since the release of the course would be a fantastic addition.

The Certification Exams

While I have my issues with the learning path and course delivery as it stands at the time of writing, the actual eNDP certification exam is fantastic!

The exam follows a simple but effective design that is very common to ELS exams. The first stage is compromised of a theoretical multiple-choice exam featuring 45 questions. Based on my exam attempt, this test is well-designed and successfully assesses the basic knowledge taught in the learning path. It also almost serves as a formative assessment, helping students evaluate whether they are ready for the lengthy practical portion.

Once this first stage is passed, learners can enter the second, practical stage. Here, you are given access to an existing network for four whole days. Over the course of these four days, a number of tasks outlined in a very clearly written “Letter of Engagement” need to be finished.

In my case, the exam environment was stable and decently fast. Given that one has to interact with various Windows hosts via RDP, more powerfull VMs would have made the experience better but it was fine.

Without saying too much, the network is comprised of a good number of different systems, features an interesting architecture, and the goals vary from rather simple configuration tasks to more analytical ones. Also, the exam encourages you to work on different systems (e.g., servers, clients, network appliances) and requires learners to have a good understanding of the whole network and how individual systems are working together.

After working on the network, learners have ten days to write a detailed report describing the network and possible security issues as well as what they have done to mitigate them. This real-world inspired report also needs to contain, for example, an executive summary as well as further remediation steps and recommendations.

The provided time is very generous and having quite some experience, I was able to go through the exam without feeling pressured. Of course, your mileage may vary, but the exam definitely is not meant to put you under time pressure.

As an educator, I really liked the exam and its objectives. It is not unnecessarily hard or unfair, but it effectively assesses whether the learning objectives have been met. While a few technical challenges in my environment needed troubleshooting, the whole experience felt quite realistic, and there were no obvious “traps.” In addition, the report writing, which ELS manually grades, is a great addition and assesses essential non-technical competencies.

Of course, as with the learning path, the exam environment is clearly outdated. This sometimes leads to a rather unpleasant situation in which you have to crawl through outdated materials and documentation in order to configure legacy systems or solve technical problems. Well, maybe that’s a useful skill in itself!

Ultimately the argument is the same: While a lot of the details have changed over the years, many of the fundamentals are exactly the same, and the exam requires you, just as in real life, to adapt your skills to different situations.


It is not easy for me to conclude what I’ve tried to discuss above. I will start by assuming that money is of no object and that we are simply looking at this from a learning perspective.

Having completed both the learning path as well as the exam, I believe that the eNDP, from a learning perspective, still have a lot of value for learners in 2022 and beyond.

Both the courses and the exam – which is a great learning experience – teach valuable lessons, and passing the exam signals a good understanding of network, AD, and endpoint security and documentation. Furthermore, the eNDP, featuring highly practical administration tasks, introduces learners to the perspective of a system/network administrator. This might also be very interesting for those identifying more strongly with the “red” side of things!

While the material is in dire need of an update, the course teaches a lot of valuable best practices and serves as a neat security-minded introduction to Windows/AD administration.

Overall, the value of the eNDP, as it currently stands, comes down to how you value general methodology and best practices in comparison to experience with state-of-the-art systems. I believe that as technology is constantly changing at a rapid pace, courses focused on general methodology and concepts are often more useful than short-lived specialized introductions to particular technologies. That said, the eNDP, unfortunately, tries or tried to do a bit of both, which weakens my argument for it.

Ultimately, if you can live with the fact that you will learn about some older technologies, the courses and the exam are still more than worthwhile!

Of course, I also truly hope that INE will continue to make the learning experience, especially for older courses, better.

Unfortunately, if we consider the financial side, the story changes a bit! Given the subscription model, the cost of the learning path itself is hard to evaluate. If you have an INE subscription, I would definitely recommend having a look at the courses! That said, I would not recommend a subscription just for the sake of this learning path. Of course, this is also not what the INE model is all about!

Now for the bad news: The eNDP exam is $400; less if you invest your INE subscription discount on the exam. While I understand the pricing – taking exam environments and grading into account – this is a lot of money for an unpopular and arguably outdated certification. While I strongly believe that there would be room for an eNDPv2, I would recommend investing the money, for example, into setting up your own virtual AD lab environment.

Don’t Take My Word for It

Naturally, this review only provides my perspective on the certification, the learning path, and their value. While there are not too many other reviews, I would encourage you to have a look at what others are saying.

  • Review (2020) by Iulian (Blog)
  • Review (2019) by Arnav Tripathy (Medium)
  • Review (2016) by Marek Chmel (YouTube)
  • Review (Arabic) by Mohammed Alshammari (Blog)

I am sure that this list list is not complete. Please let me know if you found or written another review!