Practical Network Penetration Tester (PNPT): Real-life Penetration Testing exam – Tips & Tricks to pass the exam

Seeing how this evolved, I wanted to provide you with a thorough review of The Cyber Mentor‘s new certification: The Practical Network Penetration Tester (PNPT). Are you wondering why this certification might be the best fit for you as a junior in the Cybersecurity field? Keep scrolling because you’ll find out soon why this is a must-have certification and how it might change the cybersecurity world.

  1. Intro
  2. Why PNPT and the Pricing
  3. PNPT Live
  4. Exam
    1. OSINT and External Pentesting
    2. Internal Pentesting
    3. Reporting
    4. Debriefing
  5. Closing Thoughts


The PNPT certification exam is a one-of-a-kind ethical hacking certification exam that assesses the ability to perform an external and internal network penetration test at a professional level. You will have five (5) full days to complete the assessment and an additional two (2) days to write a professional report. That being said, let’s just jump right in.

Why PNPT and the Pricing

If you are a beginner in this field or you only want to consolidate your skills, this certification is what you need right now. In order to complete the PNPT, you are required to provide advanced skills and that you fully understand how the external and internal pentesting works.

The course is available as a standalone exam at $299 – This includes a free retake and no time limit for when you must use it.

As this might sound good, there is another available option, the one that I took and recommend, which is “With Training” for $399. This option has the same benefits as the standalone exam, but it comes with the following five courses:

  • Practical Ethical Hacking
  • Linux Privilege Escalation for Beginners
  • Windows Privilege Escalation for Beginners
  • Open Source Intelligence (OSINT) Fundamentals
  • External Pentest Playbook

These courses bring so much value, and Heath is trying to offer you good quality content, updated regularly to include the newest exploits and vulnerabilities.

If you somehow were not able to finish the exam or if you failed, write the report of the current status anyway and upload it. After the TCMS review it, you’ll get a hint of what you should do next for your free retake, which is pretty awesome.

Furthermore, they are giving away discounts on different occasions, so it is worth checking their Twitter.

You can buy the certification or any other courses using the following link.


To be closer to its students, Heath created a fully 25 weeks plan of free live PNPT training. What does that mean? It means that you can learn and develop your skill through its Twitch channel, where he will go deeper with the courses for free.

In effort to keep education affordable and obtainable by everyone, we have decided to live stream the entirety of our Practical Network Penetration Tester exam training for FREE on Twitch!

TCM Security

More details can be found here.


In order to receive the certification, you must:

  • Perform Open-Source Intelligence (OSINT) to gather intel on how to properly attack the network
  • Leverage their Active Directory exploitation skillsets to perform A/V and egress bypassing, lateral and vertical network movements, and ultimately compromise the exam Domain Controller
  • Provide a detailed, professionally written report
  • Perform a live 15-minute report debrief in front of the TCMS assessors, comprised of all senior penetration testers

That being said, I want to offer you an idea of how the experience was for me. When I booked the exam for November 2021, I got the Letter of Engagement and the VPN credentials on the starting day. Once everything was set up, ran smoothly, and after I read the LoE, I started testing as it was a real-world Penetration Test. As this testing is done in the BlackBox scenario (without knowledge about the assets in scope), I started with the OSINT phase.

OSINT and External Pentesting

During the OSINT (Open Source INTelligence) phase, you are required to gather as much information as you can in order to create a mindmap of the target in-scope. This included, but was not limited to gathering usernames, passwords, emails, google dorks, Twitter accounts, and so on. Keep in mind that maybe you should dig a little bit deeper if something is not in front of your eyes.

The external attack phase was extremely well documented in the External Pentest Playbook course, and you should follow the steps presented there. But I warn you, be prepared to think out of the box and think as an attacker might do. If something might not work from the first try, try harder and read everything carefully again.

Internal Pentesting

After gaining the initial foothold, you are landing in the internal network. Now, this is the most challenging part for me as I enjoy doing Internal assessments and learning how Active Directory works. Heath did a great job explaining the internals of the Active Directory, but as I was already familiar with this type of assessment, I just skimmed the material. For a beginner, I really do recommend going through the course once or twice to be able to fully understand how the AD works. Remember that the Crown Jewel for an attacker is to gain Domain Admin, so as you are acting as a malicious user, your target is to obtain Domain Admin and create persistence so you don’t lose access in case something happens. If you feel stuck during this step, you should take a step back and examine all your gathered information. Don’t forget to analyze every machine you encounter during your test and take note of every vulnerability you discover. This exam is not a Capture the Flag type-of-thing, but a real-world assessment in which you should present to the client every vulnerability that might appear in their network.


After you cracked the Domain Controller, gained Domain Admin, and are confident that you identified almost all issues, the next step requires you to send a detailed report containing your findings. The report should be professionally written, and if you have never written a report before, don’t worry, TCM provides you with a template that you can use to document your findings. My report was 67 pages long, containing detailed information about the vulnerability, the affected assets, and recommendations for the client to fix the discovered issues. It took me almost 8 hours, including formatting, and that was because I had the descriptions, risks, and recommendations of the majority of issues from my day-to-day job.


The last step involves the client Debrief in which you are presenting the client with the discovered issues in not-so-technical language. The Debrief took almost 15 minutes, and I prepared a short presentation with the main findings and how I was able to exploit the Active Directory. It started with a quick identification check. When the checking process was complete, I start explaining everything I did in their environment. I was a little bit nervous at first, but Heath was so cool, and everything went smoothly after that. At the end of the debrief, I got my award, which is the actual certification with the Early Adopter (first 100 students that took this certification) badge.

Closing Thoughts

I had a great experience with this real-world certification and I enjoyed every second of it. Heath and his team at TCM Security were able to deliver a real-world scenario in a very stable environment, with security measures in place that would make you think out of the box. Overall, those five courses were well structured, and the fact that they get constant updates makes them a good investment.

I cannot compare the PNPT with the OSCP as I did not take it (and not planning to take it soon), nor the eCPPT exam as the last one does not contain any Active Directory. What I do recommend is to take both certifications as everyone teaches you different techniques and methods that would help you grow.

At the end of the day, doing even a little bit is better than doing nothing!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s