The PNPT Exam Has Been Conquered.

The PNPT Exam Has Been Conquered.

Embarking on a thrilling journey from IT Administration to the high-stakes world of Cybersecurity, I found my true calling amidst the adrenaline-fueled realm of Red Teaming and Penetration Testing. The security aspects of my previous roles always intrigued me, but it was witnessing a professional pentest at my former company that truly ignited my passion. The sheer skill, strategy, and potential impact of these cyber experts' actions - especially if replicated by malicious actors - was a revelation. This pivotal experience propelled me onto a new path, beginning with the challenging yet rewarding pursuit of the PNPT (Practical Network Penetration Tester) certification from TCM Security.

What Is The PNPT

Here is the direct quote from TCM's website to answer this question.

The PNPT certification exam is a one-of-a-kind ethical hacking certification exam that assesses a student’s ability to perform an external and internal network penetration test at a professional level.  Students will have five (5) full days to complete the assessment and an additional two (2) days to write a professional report.

What does that mean though? Most of the exams in this field are not set up to what a true penetration test is. What I mean by that is there are no flags to capture to know that you completed a box. You just must know that you have everything you need from a machine before moving on. There are also no multiple-choice questions. This is the closest exam to what you will be doing as an actual Penetration Tester.

The Training

The training for the PNPT is either included in the PNPT exam bundle or part of their All-Access Membership. The courses are:

  • Practical Ethical Hacker (PEH)
  • Open-Source Intelligence (OSINT)
  • Windows Privilege Escalation (WPE)
  • Linux Privilege Escalation (LPE)
  • External Pentest Playbook (EPP)

I would also recommend the Linux 101 course if you are new to the field or need a refresher on Linux.

To be honest, after completing all of these, the most critical courses are PEH, OSINT, and EPP. With those three courses you should have a solid foundation for the exam. I will say pay attention to everything in these courses. Even if the section appears purely informational, pay attention to it.

Accelerated Course

I participated in the first PNPT accelerated course and I will say it was a great way to organize my learning and have great feedback with direct access to the instructors. If you want to read about that experience you can find that here.

Training and resources outside of TCM Security

One of the major questions I get asked is what outside resources did I use for the exam.

I know I said outside of TCM Security, but the Practical Junior Penetration Tester (PJPT) was a great primer for me to feel confident attempting the PNPT. It allows you to see what the environment is like and how the TCM Team does their exams. Plus, it is a great confidence boost in your skills.


The Hack the Box Academy has a great Active Directory course. It really helps to build your knowledge and methodology with Active Directory in general.


Another great CTF style platform is TryHackMe specifically their Wreath network is terrific. The major take-away from this network is the pivoting portion. Pivoting is covered in the PEH but it is not as robust as I feel it should be. Wreath does a great job of teaching a few different pivoting tools and methods.


Discord communities were very helpful to me.

The TCM Security Discord which was invaluable to my studies. The TCM staff is great at answering questions in a quick manner. Make sure to check the pinned comments and use discord search feature before asking. I guarantee 90% of the time someone else has asked the question and it has been answered.

The F0xhunt Discord is full of amazing folks that are working in the industry or trying to break into the industry. There are many helpful individuals as well as conducting a PJPT study session weekly.

Trash Puppy

Trash Puppy is currently studying for their PNPT and streams to Twitch many times a week. They are either working on a coding project or working on a HTB room. I found it helpful to watch them go through the HTB rooms to see their process and methodology. Trash Puppy takes notes in Obsidian and provides their notes on Github for free for anyone to use. These are a great basis for someone to build on. I highly recommend hopping into one of Trash Puppy's streams and combining your notes with the ones provided, it will give you a leg up.

You could also find many other CyberSecurity Twitch streamers here.

The Exam

Taking the exam is a super simple process. Logging into TCM Security's exam platform and clicking start exam. The environment is spun up and you are provided with your VPN Key. There is no need to schedule it, no need to wait for a certain time. I started one of my exam attempts at 9pm PST and there was no problems. You get Five full days to complete the exam and a free retake so do not try and speed run it. If you cannot complete the exam in the five days turn in your report anyway and the TCM team will provide you with a hint for your next step.

You get your ROE (Rules of Engagement) and you're off to the races. Take your time and follow the methodology you've developed throughout the courses and studies.



Enumerate everything. One of the largest tips given in the TCM Discord is that the major reason for failing the exam is not enough enumeration. Use your note taking skills to document everything you enumerate to save you time on testing things more than needed. From OSINT to Domain Admin enumeration is key.


Take screenshots of everything you do that leads to forward or lateral movement. Make sure you capture the command run and the output. Normally you would obfuscate PII that you find during a pentest. In this case do not obfuscate so that the graders can ensure you are finding the correct info.

Use What You Have Been Given

The exam is open book, and open note. This means the course material can be used. Your notes can be used. Google can be used. Use everything to your advantage.  If you think an attack vector is plausible but can’t remember how to use it, pull up the video about it in the PEH as a refresher.


My report ended up being 40 pages. From my looking around that seems to be the around the average of length. I used the template found here. Ensure you spend the time to make the report readable and provide your steps taken from OSINT to compromising the Domain.

The exam details say the report review can take up to 7 days to come back but in my experience with the PJPT and a few attempts at the PNPT the exam review turn around is much faster than that. The longest wait I had on an report review I believe was 5 hours.


Once you have completed your report and it is accepted you will be provided with a link to schedule your debrief. You are 95% of the way completed with this. I know many people sweat the debrief because it is the first time they are doing something like this but trust in yourself you've already done the hardest part. Some people choose to schedule their debrief right away, some take some time to compile a PowerPoint presentation. I chose to just take a day to decompress and use my report as my visual aid as everything was already in there and hey, we all hate Death by PowerPoint.

During the debrief you will be required to show a copy of your government issued Identification. Driver’s License, Passport, or something issued to you by the government with your name and picture. The person I was debriefing kept their camera off, which I am sure is helpful to most people, but I like to see the people I am talking to. You are then asked to step through your process from start to finish in 15 minutes. I felt like I was speed talking while walking through my steps and handing out the remediations as I went and in seven minutes I was done. I asked if they had any questions for me and they did not. The person in charge of your debrief will tell you then and there if you passed or not. They then ensure you can get your certificate (it goes to a lot of spam folders), they ask if you are on the TCM Discord and your username to add you to the special PNPT group and you're done.


You've done it. Share your accomplishments on LinkedIn, post about it in Discord. You just did something not everyone can do, and you should be proud of it. Congratulations I hope you tag me in your “Celebrating a New Certification” post so that I can celebrate with you.