eJPT and PNPT: entry-level offensive security certs worth pursuing


The eJPT costs $249, runs on a 72-hour browser-based lab, and asks 35 questions about a live network you're actively attacking. The PNPT costs $399, gives you 5 days to compromise a realistic corporate network, and requires a written professional pentest report plus a 15-minute oral defense. Neither of these is OSCP. That's exactly why they exist — and why they're useful.


The eJPT: what it tests and what it doesn't

The eJPT (eLearnSecurity Junior Penetration Tester) is offered by INE Security (formerly eLearnSecurity). As of 2024, the exam and course materials are bundled into INE's Starter Pass ($49/month) or sold as a standalone exam voucher ($249).

eJPT exam format

The eJPT gives you access to a live network in a browser-based lab environment. The exam runs for 72 hours — not 72 continuous hours, but a 72-hour window in which you can start, stop, and return as needed. You answer 35 multiple-choice questions about the network you're attacking.

The questions require you to actually compromise the network to answer correctly:

  • What is the hostname of the machine at 192.168.x.x?

  • What is the value of the flag in /root/flag.txt?

  • What port is running SMB on the internal network?

This design eliminates the brain dump problem. You cannot memorize the answers — you have to find them by running tools against the lab.

| Characteristic | eJPT |
|---|---|
| Cost | $249 exam voucher (or included in INE subscription) |
| Duration | 72-hour window |
| Format | 35 multiple choice questions on a live lab network |
| Passing score | 70% (25/35 questions) |
| Prerequisites | None |
| Validity | Does not expire |
| Retake | Included in purchase |

eJPT time management tips

The 72-hour window is generous, but poor time management still trips candidates up. Effective strategies:

  • Spend the first 2 hours doing complete network discovery before attempting any exploitation

  • Use nmap -sV -sC -p- <target> for thorough scanning; don't rush to the next target before reading the full output

  • Take notes on every service version you find — many questions ask specific version numbers

  • Don't spend more than 45 minutes on any single machine before moving to the next; come back with fresh eyes

  • Answer the questions you can confirm first, then return to unconfirmed ones with remaining time

  • The pivoting questions (routing to an internal network) are typically the hardest — practice setting up routes with ip route add and verify connectivity before attempting exploitation

What eJPT covers

The course material for eJPT covers:

  • Networking fundamentals (TCP/IP, routing, subnetting)

  • Web application basics (HTTP, directory enumeration, basic injection concepts)

  • Host and network penetration testing fundamentals

  • Reconnaissance with Nmap, Metasploit, and manual tools

  • Basic exploitation of known vulnerabilities

  • Pivoting through networks using routing and port forwarding

The eJPT does not cover Active Directory exploitation, advanced web application attacks (SSRF, XXE, deserialization), privilege escalation beyond basic techniques, or report writing. It's genuinely entry-level.


The PNPT: what makes it different from every other entry cert

The PNPT (Practical Network Penetration Tester) is offered by TCM Security, the company founded by Heath Adams (known online as The Cyber Mentor). The exam costs $399 and includes one free retake.

PNPT exam format

The PNPT gives you a full 5 days (120 hours) to compromise a realistic corporate network. After the 5-day hacking window, you have 2 additional days to write a professional penetration testing report documenting your findings. You then schedule a 15-minute live screen-share call with a TCM Security reviewer where you walk through your report and answer questions.

The oral defense component is what makes the PNPT unique among entry-level certifications. You cannot fake understanding — a reviewer asks you to explain your methodology, and if you followed a walkthrough without understanding what you were doing, that becomes obvious in the conversation.

| Characteristic | PNPT |
|---|---|
| Cost | $399 (includes one free retake) |
| Duration | 5 days hacking + 2 days report writing |
| Format | Live lab + professional report + 15-min oral defense |
| Prerequisites | None (but TCM Security courses strongly recommended) |
| Validity | Does not expire |
| Network type | Active Directory corporate network simulation |

The PNPT lab network topology

The PNPT lab simulates a corporate network environment that includes:

  • External-facing targets accessible from the attacker machine

  • Internal corporate network requiring pivot from external compromise

  • Active Directory domain with multiple machines and user accounts

  • Web application attack vectors (login pages, file upload functions, application enumeration)

  • Internal services accessible only after establishing foothold

The specific topology changes between exam instances, so there's no fixed enumeration path. Candidates who've only practiced against static HackTheBox-style machines without AD experience find the PNPT significantly harder than those who've done dedicated Active Directory practice.

What the PNPT report must include

The professional pentest report is evaluated alongside your oral defense. OffSec's OSCP report standard influenced the PNPT format, and the expected components are:

  • Executive Summary — 1-2 paragraphs describing the engagement scope, overall risk rating, and most critical findings in non-technical language suitable for a CEO or board member

  • Scope and methodology — what was tested, how, and with what authorization

  • Findings — each vulnerability documented with:

      • Finding title and severity rating

      • CVSS score (Common Vulnerability Scoring System score, ranging 0-10, with Critical = 9.0-10.0, High = 7.0-8.9)

      • Description of the vulnerability

      • Evidence (screenshots showing exploitation)

      • Business impact

      • Remediation recommendations — specific, actionable steps to fix the vulnerability

  • Appendix — tools used, raw scan output if relevant

Candidates who skip the CVSS scoring or write generic remediation recommendations ("patch the system") typically fail the report evaluation. Specific recommendations ("upgrade to Apache version 2.4.54 or later and disable the mod_status module on external-facing instances") are what the reviewers expect.
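A pre-submission check for the findings section, as an added example that is not TCM Security's tooling or part of the original article: it verifies that each finding carries every component listed above, that the CVSS score falls inside the band of the stated severity, and that the remediation is not generic. The field names, the generic-phrase list, the six-word minimum and the sample findings are assumptions made for illustration; the Medium and Low bands are the standard CVSS v3.x qualitative ratings, which the article does not list.

```python
# Added example: lint pentest-report findings before submission.
# Field names, GENERIC phrases and SAMPLE data are constructed for illustration.

REQUIRED = ("title", "severity", "cvss", "description",
            "evidence", "business_impact", "remediation")

# CVSS v3.x qualitative severity bands: (lowest score, highest score).
BANDS = {"Critical": (9.0, 10.0), "High": (7.0, 8.9),
         "Medium": (4.0, 6.9), "Low": (0.1, 3.9)}

# Remediation text that gives the client nothing to act on (assumed list).
GENERIC = ("patch the system", "apply updates", "fix the vulnerability")


def lint_finding(f):
    """Return the list of problems in one finding dict (empty list = clean)."""
    problems = [f"missing {k}" for k in REQUIRED if f.get(k) in (None, "", [])]
    sev, score = f.get("severity"), f.get("cvss")
    if sev and score is not None:
        band = BANDS.get(sev)
        if band is None:
            problems.append(f"unknown severity {sev!r}")
        elif not band[0] <= score <= band[1]:
            problems.append(f"CVSS {score} is outside the {sev} band")
    rem = (f.get("remediation") or "").strip().lower().rstrip(".")
    # A known stock phrase, or fewer than six words, is treated as generic.
    if rem in GENERIC or (rem and len(rem.split()) < 6):
        problems.append("remediation is generic")
    return problems


def lint_report(findings):
    """Map finding title -> problems, listing only findings that need work."""
    results = {f.get("title", "<untitled>"): lint_finding(f) for f in findings}
    return {title: probs for title, probs in results.items() if probs}


SAMPLE = [  # constructed findings; scores are illustrative, not real assessments
    {"title": "Apache mod_status exposed externally", "severity": "High",
     "cvss": 7.5, "description": "Status page readable without authentication.",
     "evidence": ["fig-03.png"], "business_impact": "Discloses request data.",
     "remediation": "Upgrade to Apache version 2.4.54 or later and disable the "
                    "mod_status module on external-facing instances."},
    {"title": "Outdated SMB service", "severity": "Critical", "cvss": 8.1,
     "description": "Legacy SMB dialect enabled.", "evidence": [],
     "business_impact": "Lateral movement risk.",
     "remediation": "Patch the system."},
]

if __name__ == "__main__":
    for title, probs in lint_report(SAMPLE).items():
        print(f"{title}: {'; '.join(probs)}")
```
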


TCM Security's Practical Ethical Hacking course: the primary PNPT preparation

Practical Ethical Hacking (PEH) is Heath Adams' flagship course, offered through TCM Security Academy. As of 2024, the PEH course costs approximately $30 as a standalone purchase through TCM Security's platform, or is included in a subscription.

The PEH course is specifically designed as the primary preparation material for the PNPT. Its content covers:

  • Networking and lab setup fundamentals

  • Information gathering and reconnaissance

  • Scanning and enumeration

  • Exploitation with Metasploit and manual methods

  • Active Directory attack methodology: initial enumeration, Kerberoasting, AS-REP roasting, Pass-the-Hash, Pass-the-Ticket, Golden Ticket attacks

  • Post-exploitation and pivoting

  • Web application testing fundamentals

  • Report writing — the course includes a dedicated module on professional report writing

The AD attack chain coverage is the most valuable section for PNPT preparation. Candidates who understand how to go from external reconnaissance to domain admin using BloodHound enumeration, Kerberoasting, and lateral movement are well-prepared for the PNPT's corporate AD environment.

"The PNPT report requirement is what I recommend to everyone who asks me about getting into offensive security. Writing a real pentest report for a fake engagement teaches you more about what this job actually is than most security courses. It's not just about hacking — it's about communicating what you found." — Heath Adams, Founder TCM Security and The Cyber Mentor


Comparison: eJPT vs PNPT

| Factor | eJPT | PNPT |
|---|---|---|
| Cost | $249 | $399 |
| Format | Questions on live lab | Report + oral defense |
| AD coverage | No | Yes |
| Report writing required | No | Yes |
| Oral defense | No | Yes |
| Difficulty | Beginner | Intermediate |
| OSCP preparation value | Moderate | High |
| Employer recognition | Growing | Growing |

Which one first: eJPT or PNPT?

The recommended sequence is eJPT first, then PNPT. Here's why that ordering makes sense:

  • eJPT forces you to build core reconnaissance and exploitation fundamentals without the pressure of a report deadline or oral defense

  • Passing eJPT gives you confidence that you can actually compromise targets in a live environment before spending 5 days on the PNPT

  • The eJPT course material from INE covers networking fundamentals that the PNPT assumes

However, candidates who've completed TCM Security's Practical Ethical Hacking course sometimes skip directly to PNPT. The PEH course is more comprehensive than the eJPT course material, and candidates who've completed it are typically ready for PNPT directly.


How each cert maps to job market entry roles

The eJPT on a resume signals that a candidate has done basic hands-on security work against a live target. At entry level, it's more credible than purely theoretical certifications because the format prevents brain dumps. Roles that recognize eJPT: SOC analyst Tier 1-2 at companies with offensive security awareness, junior security analyst, and entry-level vulnerability assessment roles.

The PNPT on a resume signals something closer to OSCP at a lower price point. Boutique pentest firms have begun listing PNPT as an acceptable alternative to OSCP when considering junior hires. The oral defense component in particular comes up in hiring discussions: it forces candidates to explain their methodology, which separates those who understood their attack from those who followed a checklist.


Why PNPT specifically prepares you for OSCP

The OSCP exam requires three components that PNPT directly develops:

  • Live exploitation of an Active Directory domain: PNPT's corporate network simulation includes an Active Directory environment. OSCP's 40-point AD component is where many candidates fail. PNPT familiarity with AD attack chains (Kerberoasting, Pass-the-Hash, BloodHound enumeration) directly prepares you for this.

  • Professional pentest report writing: OSCP requires a 24-hour report after the exam. The PNPT report requirement forces you to develop a reporting workflow before you're under OSCP pressure.

  • Oral communication about methodology: OSCP doesn't have an oral component, but the PNPT oral defense requirement forces you to be able to explain your attack chain clearly. This depth of understanding is exactly what OSCP report reviewers look for.

Marcus, a help desk technician for three years, started his offensive security path with TryHackMe rooms, then completed TCM Security's Practical Ethical Hacking course, passed eJPT, then PNPT, and used both credentials on his resume when applying for junior penetration testing roles. He received callbacks at two boutique pentest firms where the PNPT specifically was recognized by the hiring manager. Priya came from a network engineering background and skipped eJPT to go directly to PNPT after completing TCM Security's course. She passed PNPT on her first attempt and used the report she wrote for PNPT as a template she refined for OSCP reporting style.


Frequently Asked Questions

Is the eJPT worth it for beginners?

Yes. The eJPT's live-lab format means you must actually compromise a network to answer questions, eliminating brain dump concerns. At $249 with a free retake included, it's an affordable way to validate foundational penetration testing skills and build confidence before pursuing more demanding certifications like PNPT or OSCP.

What makes the PNPT different from other entry-level certifications?

The PNPT requires a professional penetration testing report and a 15-minute live oral defense with a TCM Security reviewer. This combination means you must understand your methodology well enough to explain it verbally, not just complete the technical task. The Active Directory component also makes it more realistic than most entry-level certifications.

Does PNPT prepare you for OSCP?

PNPT is widely considered the best OSCP preparation available at the entry level. The Active Directory exploitation practice, report writing experience, and methodology explanation required by the oral defense all directly address skills tested by the OSCP exam. Many candidates complete PNPT as their final preparation step before purchasing OSCP lab access.

How long does it take to prepare for eJPT?

With consistent study using INE's course material, most beginners are ready for eJPT in 4-8 weeks studying 10-15 hours per week. Candidates with networking backgrounds may be ready faster. The 72-hour exam window means you have ample time to work through the lab at a comfortable pace.

Can you get a job with just eJPT or PNPT?

PNPT is recognized by some boutique penetration testing firms and IT security teams as evidence of hands-on capability, particularly combined with portfolio work and technical projects. eJPT alone is typically not sufficient for a penetration testing job but demonstrates commitment and foundational skills. Both are most effective as part of a broader portfolio that includes OSCP or practical experience.