PNPT: Practical Network Penetration Tester Review

6 min readNov 23, 2022

Haven’t blogged in a minute but what better way to start back than to review the best certification I have done thus far in my cyber security journey? Let’s get into it.

Background

So, this was a debate with myself for a while on whether to do eCPPTv2 or PNPT. I read various blogs of people who did both and reached out to connections on LinkedIn or any other platform to get their feedback. The result?

“it is an eCPPTv2 with steroids and much better”

“eCPPTv2 is almost on par with it”

“sits somewhere between the eCPPTv2 and the OSCP”

“eJPT < eCPPTv2 < PNPT < CRTP”

I could go on and on but regardless of your level in the cyber security space, it is a certification that seems to eclipse the eCPPTv2. It is a must-have cert!

What is PNPT?

PNPT is offered by the TCM Security Team which is spearheaded by Heath Adams. He is well respected in the cyber security industry and he and his team must be commended on the excellent course material they put together to ensure individuals can pass.

The courses are put together in such a way that it is easy to digest and you end up getting a lot of value from them. I signed up for the all-access pass, as the returns I have reaped from having access to all of the courses are nothing short of fantastic! If you want more information on the exam, you can view it on their website.

The exam

So I opted for the voucher as I already had the access path. You are given a free retake so it does ease the pressure off a bit on test takers I would think. Usually, you would receive a hint if you should fail your first exam but as of November 23, 2022, the TCM Team advised individuals that the hint portion of the exam will be retired.

At the start of the exam or up to 10 minutes after the exam start time, you will receive your VPN credentials and Rules of Engagement. I got mine 30 mins late as my testing environment was giving issues.

As you you can see above, you have five days of testing and two days of report writing. I would say it mirrors a typical penetration test I would do in my day-to-day job. Kudos to their team for being clear in their rules of engagement as it comes on to scoping and what is allowed vs. what is not. Felt like a real client engagement.

The experience

It must be said, the customer support was top of the line, really impressed me that no matter the odd hours, I still got a response in less than 5 minutes. Whether it be silly questions to just asking for a reset of the environment. The TCM Team must be commended for the support provided. 😀

I started the exam on a Friday night at around 10:30 pm and the aim was to finish this exam before the start of the work week on Monday as I wouldn't have that time to focus on the exam. First up was OSINT, this was fun and I was finished with it in less than thirty minutes, this was when I was confident I had all I needed to move on. Once that was done I chained my findings together and was in the internal network in a matter of hours. I must say I fell into about three rabbit holes, the first one taking the bulk of my time, I was on it up until the following day! Looking back it was so clear what I was to do, still upset with myself about that 😤. I must say the TCM Team did throw some curveballs. At times I thought I had a clear shot at compromising the Domain Controller after figuring something out until reality hit and I wasn’t even close.

The exam really does test your ability to think creatively and chain findings that even though you may think they are insignificant, they aren’t. I successfully compromised the Domain Controller at approximately 2:00 pm on Sunday and did my report and submitted it at around 7:40 pm. I met my target of finishing before Monday successfully. 😎

Without all the fluff, my report was around 38 pages long:

I got an email the day after that I passed the written portion and now I was invited to be debriefed by the TCM Team:

I didn’t do a PowerPoint, which I had read test takers would usually do. I went with using the PDF report as I would typically do in exit meetings on projects. From a certification point of view, this was new to me and impressive how much this exam mirrors real-life client engagements. After I presented my findings I was notified that I had passed and I was added to the TCM discord server that had other PNPT holders.

Conclusion

If you are excited about doing this certification, I would say these are some ways to guarantee a pass on the first attempt:

Do the PEH course as the bare minimum. I think the OSINT and External Playbook also add value. Don’t stress about the Windows and Linux Privilege Escalation techniques. Unless you’re a try-hard on the exam, it’s not mandatory in my view.
Know Active Directory. Eat, sleep, drink it.
Familiarize yourself with a proxy tool ie. Burp, Zap, etc.
Take breaks, you will be amazed at the fresh approach your brain takes when you do this.
Do not make things complicated, stick to the basics and you should be fine.
Take notes! You will need to reference notes at different intervals from beginning to end.
Learn pivoting outside the PEH course, this is essential. There is a pivoting course on TCM. You can also brush up on TryHackMe in a room called wreath. As a bonus, attempt the box on Hack The Box called active.

I 100% recommend this certification! I had a fun experience and found myself laughing and smiling while doing it(despite moments of frustration). I will stress the fact that it does indeed mirror the real world and I did come upon situations I have faced while on engagements. I recommend this to everyone interested in Cyber Security. You will not be disappointed.

All the best with taking this exam, look out for my next blog after I take on the CRTP!