From PNPT to OSCP: My Journey to the Gold Standard Certification of Penetration Testing

TCM Security PNPT Certified

I became PNPT certified in September 2024.

Passing the Practical Network Penetration Tester (PNPT) certification was a significant milestone in my cybersecurity journey. The only other certifications I had related to penetration testing were the CompTIA Pentest+ (not practical) and the INE eJPTv2, which was a fruitful experience as my first hands-on practical ethical hacking exam. As I reflect on this achievement and look forward to my next goals, I want to share my experience and future plans to help others who might be struggling with impostor syndrome in the ethical hacking field.

Conquering the PNPT

My preparation for the PNPT was multifaceted, but I found the most value in focusing on the core materials provided by TCM Security. The Practical Ethical Hacker course served as my foundation, supplemented by the External Pentest course, Linux Privilege Escalation, and OSINT modules. While I did explore additional resources on YouTube and Reddit, I found that sticking closely to TCM’s curriculum was the most effective strategy. The external resources kept saying that the way that they passed was to “utilize the course, as it was all that you needed”. They were right. Stop looking for other ways to win! Seriously!

My Secret Weapon: Obsidian

One of the key factors in my success was my note-taking strategy using Obsidian. This offline note-taking tool proved faster and more efficient than online alternatives like Notion. I organized my notes into a second brain, categorized by three main folders:

  1. All My Steps: This folder contained a detailed record of every action I took, allowing me to backtrack or repeat processes as needed.

  2. Loot: Here, I stored valuable information gathered during reconnaissance and OSINT phases. This was a bit messy, and that was ok. I made sure to highlight each bit of important information with brackets so they would stand out for later use.

  3. Machine Info: This high-level overview helped me quickly identify overlooked steps and potential avenues for further exploration. Thinking of it as a summary of what I did for each box, I would later use this for my report and live debrief.

  4. Screenshots: I used Flameshot to take screenshots of the notable findings, organized into a folder by simply using the time filter to see what I found in chronological order. Naming your files is crucial so you don’t have to waste time figuring out what you did, reducing report creation time significantly.

Focusing on the Essentials

Another crucial aspect of my preparation was paying close attention to the rules of engagement and specific passing criteria. This allowed me to streamline my approach, focusing on what was truly necessary to succeed in the exam. I didn’t think about performing extraneous OSINT (though I did fall into a bit of a rabbit hole in the beginning), since OSINT was a small portion of the passing criteria. Every time I got stuck, I thought of a few things:

  1. Did I have enough information to proceed?

  2. Did I perform the correct methodology in the correct order?

  3. Were my scripts and commands accurate (attacking the correct targets, with the correct flags, with the appropriate access, with the VPN turned on, etc.)?

  4. When you’re in doubt… ask yourself questions. If you can answer them correctly, you’re on the right path.

HTB Certified Penetration Testing Specialist

HTB CPTS: The “unofficial” gold standard certification of ethical hacking, perhaps overtaking the OSCP in terms of difficulty, breadth, and depth.

Looking Ahead: CPTS and OSCP

With the PNPT under my belt, I’m now setting my sights on two more challenging certifications: the Certified Penetration Testing Specialist (CPTS) and the Offensive Security Certified Professional (OSCP). And although I love hacking, these are two certifications on a separate fork in the road as I continue to appreciate the world of cyber for what it is, meaning that I am indeed seeking other certifications as well (AWS, Azure, CISM, CISA, CISSP, etc.).

CPTS Game Plan

My strategy for tackling the CPTS is as follows:

  1. Complete the HackTheBox CPTS course (estimated 40–50 days).

  2. Review and consolidate notes, focusing on key methodologies and scripts.

  3. Take on the Dante Pro Lab.

  4. Complete 5–10 additional HackTheBox machines for extra practice. Maybe more. We’ll see.

  5. Attempt the CPTS exam.

If I don’t succeed on my first try, I’ll analyze my performance, identify areas for improvement, and tackle more boxes before reattempting.

The Road to OSCP

Once I’ve earned my CPTS, I’ll shift my focus to the OSCP:

  1. Start with OffSec’s Proving Grounds, aiming to complete 50 boxes.

  2. Assess my confidence level.

  3. If I feel ready, attempt the OSCP exam.

  4. If not, complete an additional 50 boxes before trying.

OSCP

The OSCP (now OSCP+) remains the gold standard due to its “real-world-ness”. Basically, it opens the doors to HR because it’s the most recognized (and has been for a while). It’s also the only proctored exam in this entire blog post.

Overcoming Impostor Syndrome

As I progress through these certifications, I’m actively working to combat impostor syndrome. Each successful exam and completed box serves as a tangible reminder of my growing skills and knowledge. By setting clear goals and methodically working towards them, I’m gradually building the confidence to call myself an ethical hacker without hesitation. Remember, everyone’s journey is different. What matters most is consistent effort and a willingness to learn from both successes and failures. If you’re feeling like an impostor, know that you’re not alone — and that with persistence and dedication, you too can build the skills and confidence to succeed in the world of ethical hacking. Special thanks to everyone who has supported me through this journey so far.
