Today, I submitted my eJPTv2 beta exam for review. Per INE, it will take about two to three months to review everyone’s exam submission. During this time, they will also decide if they want to tweak the exam based on the feedback.
For obvious reasons, I cannot disclose any of the questions I saw on the exam. I can, however, discuss whatever is public knowledge. Without further ado, here is some information about the exam:
- 35 questions
- 50 hours to complete
- Dynamic exam
- Hands-on exam
The course is massive compared to the previous one. According to the course page, it has over 140 hours of content. Though, I feel like they could have shortened it because some of the contents were a repeat from another section.
The course’s main sections are the following:
- Assessment Methodologies
- Host and Network Penetration Testing
- Host and Network Auditing
- Web Application Penetration Testing
The previous Penetration Testing Student (PTS) course was death by PowerPoint. This new version is death by videos. I rushed through the content because we only had about 30 days to take the beta exam before they closed it.
There were overlaps between the old and new PTS. The new PTS is an improvement since they explained more details about the concepts. These foundational concepts are always vital in any job, so knowing more about them is key to one’s successful career.
I did learn new tools from this course, which I thought were a valuable addition to one’s toolset as a penetration tester, I would imagine. Also, I learned more about post-exploitation concepts and methodologies. These are helpful in privilege escalation scenarios.
As you might probably know, I passed eJPT last year and talked about it here. I thought the exam was, in a lot of ways, similar. While the new version has more questions, getting the answers will require the same steps.
As you may have noticed, they shortened the amount of time you can spend on the exam from three to two days. I think two days is a good amount to spend on this exam. I believe that one would not feel pressed for time. Then again, this is coming from someone who has some CTF experience and has taken offensive security-related courses and exams.
I believe the exam’s level of difficulty increased. Though, I do not think it is at the same level as the black-box penetration test labs. In the previous exam, I took less than six hours to finish the exam. This time around, it took me about 44 hours, officially. I say “officially” because I could’ve ended it sooner, but I wanted to verify my answers in the morning and also leave feedback.
Some questions have dynamic answers. Essentially, it means that every time you start the lab, the virtual machines generate a different flag each time. In theory, nobody can have the same answers to these questions. I assume this is to counter cheating. In my opinion, it is not a perfect solution.
I have mixed feelings about my exam experience. The bad experience revolves around the attacker’s machine and how the exam detects lab activity.
With the old exam, you connect to the lab environment via VPN. The advantage of this method is that you can customize your machine. With the new exam, you are stuck with whatever they installed on it. Since it has no Internet connectivity, you cannot install the tools you want.
eJPTv2 exam has been released!
Get your exam voucher with 3 months of INE Fundamentals Monthly for free!
I do not understand the lab activity detection they put in place. Sometimes, my machine is in the middle of an attack, but the exam will “stop” the lab. The lab environment does not really stop, but the exam thinks it is. I believe this disconnect will affect your dynamic answers, but I have no proof.
Since the exam detected no lab activity and “stopped” the lab environment, I did not trust some of the information I collected and had to redo it again. Eventually, I noticed they were the same, so I did not need to redo the information gathering steps again. Though, it was frustrating to redo them.
As previously mentioned, I cannot discuss the specific exam questions. However, I want to point out that the exam is essentially the summary of all the labs included in the PTSv2 course. If you understood and did all the labs, you should be able to answer the eJPTv2 exam questions.
INE addressed some of the things I mentioned in my eJPT post. They refreshed the content, reduced the hours allotted for the exam, and even made it a bit harder. Overall, I think the changes are positive.
The one thing they still have not addressed, and I believe folks would want, as well, is the digital badges from Credly. I think folks would welcome this change. While not necessary, having all your digital badges in one place is good.
You might like to read
BUY ME COFFEE ☕