TCM Security PNPT Exam / Certification Review (Updated: 2/1/2022)

Update (2/1/2022): I’ve made some small updates and changes to this article since originally posting. 1) Updated CPEH > PNPT. 2) Expanded on realism of exam vs. actual penetration tests. 3) Updated the bottom line. 4) Updated cert badge and certificate at bottom.

Quick Facts:

  • Practical exam, no multiple choice
  • Use any tool you want, seriously
  • 5 days for testing, 2 days report writing
  • $299 standalone exam
  • $399 exam with training
  • Veteran and student discounts available

What is the PNPT?

Practical Network Penetration Tester (PNPT) is a fully practical examination which requires the student to prove their proficiency in the realistic facets of conducting a penetration test. The training and exam seek to provide students with a baseline of knowledge which is expected of a professional seeking a career in penetration testing. The goal is to perform a full front-to-back assessment of a company’s assets as provided in the scoping information with the ultimate goal of compromising the exam Domain Controller. This includes Open Source Intelligence (OSINT) gathering, gaining internal network access from the external perimeter, moving laterally from within the internal network, and exploiting common attack vectors within Active Directory.


Heath Adams (@thecybermentor) reached out to me and others to take the beta version of the exam. While it was in beta mode, it was essentially in its completed format. All he asked for was honest feedback and to let him know if any issues were encountered.

The Exam

Rules of Engagement (ROE)

Since the exam is made to replicate an actual penetration test, students are sent a Rules of Engagement (ROE) document to the email they enrolled in the course with. This Rules of Engagement document clearly outlines the purpose of the engagement, the scope of the engagement, points of contact, assessment dates, etc.

I found the Rules of Engagement document to be similar to what I’ve seen in the past in my career. Unlike eLearnSecurity’s WAPTv3 exam where I felt there was some ambiguity in the scope, PNPT scoping was very clear and concise. I knew exactly what I can attack and what is off-limits. This is very important because a Penetration Tester should be fully aware of what they are about to target and attack. eLearnSecurity being ambiguous could potentially breed bad habits. Not the case with PNPT.


Open Source Intelligence (OSINT) gathering is an important part of the exam. This is clearly stated multiple times on the TCM Security certification page as well as the ROE. This will test the student in their attention to detail, as well as drive home the importance of enumeration and gathering any and all information which may prove beneficial to compromising an in-scope asset. There have been several times where I have found myself gaining an important foothold on a target based on good OSINT I conducted. Thoroughness is key!

External Penetration Test

Part of the exam will test the student’s ability to identify external perimeter assets and then find a valid attack vector to gain internal network access. Without giving out hints or answers, I can simply just say refer to everything you’ve identified thus far in the exam. Enumeration is always very important to identify the full attack surface. And taking good notes is crucial to your success.

Is it realistic? Yes. You will be expected to conduct very routine attacks that any competent penetration testing firm should be carrying out. Again — not giving any hints out here, so think very carefully of what you have learned so far from the course material. Students who successfully gain a foothold here should mention this step in an interview!

Edit: Someone on LinkedIn asked a great question regarding the External portion of the exam. You will not scan an actual external range. You are given the “external range” in the ROE document which is only accessible via a VPN.

Internal Network Penetration Test

Again, as clearly stated, you will be tested on your internal network / Active Directory penetration testing skills. I found this part of the exam to be the most challenging, yet fun. To navigate your way through the internal network, you’ll be challenged with pivoting, escalating privileges, taking advantage of Windows services, observing lazy user habits (definitely realistic), and gathering loot.

Is it realistic? YES! The tools and techniques you use to compromise the internal network are what you will use on a real internal penetration test. Seriously…like every time.

I will refer again to what I believe is crucial to a student’s success — taking good notes! If and when you get stuck, it’s important to look back at what you’ve already attempted, what information you’ve gathered thus far, and what you’ve exploited. Go back to every step and think if there is something else you could do, see if there is something you may have missed, and do some research on what you can do with the current permissions you have.

Bottom Line

Update (2/1/2022): From the time of initially writing this post until updating it now, the PNPT is now my #1 recommended certification to pursue when taking an interest in Penetration Testing. I honestly believe any student who passes the PNPT would outshine any OSCP holder with the same level of experience.

The exam mimics a real penetration test from start to finish. You have 5 days to complete the assessment which is absolutely fair, and then an additional 2 days to write up a professional penetration test report to provide to the “client” along with a 15-minute debrief. At a price point of $299 for the standalone exam, I feel this is an excellent certification and exam for anyone who is looking to gain the fundamental knowledge to get into penetration testing.

Update (2/1/2022): The text below is no longer relevant in my opinion. PNPT is quickly gaining traction and showing up frequently on job postings for large corporations and smaller pentest firms alike. It is gaining industry recognition very quickly.

As of writing this post, the certification is very new. This means it currently does not have the industry recognition among HR folks and likely most hiring managers. However, that does not mean it should be looked past.

I wish this exam existed when I was starting my career as a penetration tester because it fills in the gaps of knowledge that I don’t believe other certifications are currently providing. I can say with complete confidence that the experience gained from performing this exam would have helped greatly in my interviewing when seeking that initial employment as a penetration tester.
