Passed eJPT

On Friday, I passed the eJPT certification exam. Since then, I’ve had a few people asked me about my experience. Instead of answering them one by one, I decided to write a post about my preparation and exam experience.

Cert info

According to this security certification roadmap, this cert is a tad higher than CompTIA PenTest+. If I had to speculate on why it’s rated higher than PenTest+, it’s probably because this cert is 100% practical. Sure, it’s a multiple-choice certification exam, but you need to perform tasks to get the answers. The format is similar to the old CCNP TSHOOT exam, which I truly enjoyed.

When I bought the course, the cert did not have HR recognition. It seems that it hasn’t changed much. For a quick experiment, I searched eJPT on Indeed.com, and my search yielded only four jobs compared to 200+ with the PenTest+ keyword. These results were for the whole US. Your mileage may vary.

If you’re after HR recognition, then you might want to look at something else. If you appreciate hands-on learning, then you might want to investigate the course and certification a bit more. The Penetration Testing Student (PTS) course is free, so definitely check it out!

Purchase

Hold up! You said it’s free! At the time of my purchase, eLearnSecurity (eLS) or Caendra Inc. was not part of INE. That said, it wasn’t always free. There were times that they gave away Barebones edition, though.

I purchased the Penetration Testing Student (PTS) Elite edition in May 2019 for $349 – regularly priced at $499. The Elite edition came with the complete course materials (PDFs, videos, lab materials, and access to Hera labs for 60 hours), and an exam voucher (with a free retake) that does not expire.

When I bought the course, I knew full well that it would take me a while before I could start reading and doing labs. Sure enough, I started reading the material and doing labs in January 2020.

Around the same time, we started getting more multicloud-related projects, and I wanted to be involved in that. As a result, I decided to drop the eJPT certification pursuit to learn more about the cloud.

Course

The course is death by PowerPoint, but they have some videos that you can watch which demonstrate the software or theory that they introduced in the slides. However, the number of slides outnumbered the number of videos included in the course.

eLearnSecurity divided the PTS course into three sections and modules, as can be seen below.

Preliminary Skills – Prerequisites

• Introduction
• Networking
• Web Applications
• Penetration Testing

Preliminary Skills – Programming

• Introduction
• C++
• Python
• Command Line Scripting

Penetration Testing

• Information Gathering
• Footprinting & Scanning
• Vulnerability Assessment
• Web Attacks
• System Attacks
• Network Attacks
• Next Steps

As you may already know, the eJPT exam doesn’t require you to go through the programming section. I chose to skip this section but have plans to go back to it once I learn how to code.

eLS packed the course with good information, but it’s showing its age. Don’t let that deter you from taking it because I really think they did a great job with the hands-on part of the course.

That brings me to the labs included with each module. Those labs are the meat and potatoes of the course. If you are a novice like me in the offensive security field, you will definitely learn a lot from it.

Preparation

From January 2020 to May 2021, I’ve participated in a few capture-the-flag (CTF) events. One of them was our first-ever internal CTF. One of the categories, Kaos Corp, was related to offensive security. Since I haven’t gone through the whole course yet, I had to use Google a lot. That CTF gave me some tactics and techniques that helped with the course and exam.

Unfortunately, I didn’t get the flags in time. Had I remembered where the image was, I would’ve gotten at least one of the flags. I knew I wanted to go back and try it again, so after several weeks, I went back and worked on it until I got the flags.

I meant to write walkthroughs of those, but life got in the way. Furthermore, I wanted to concentrate on the pentest aspect of it and not just a matter of getting the flags. In retrospect, that CTF category was somewhat similar to the eJPT exam.

Other than CTFs, I used the PTS as the only material I used to prep for the eJPT exam. I believe that the course is enough to pass the exam on the first attempt. Your mileage may vary.

Exam

A week before Friday, I knew I’d finished all the slides, videos, and labs two to three days before my long Memorial Day weekend. By Thursday, I decided that I will start the exam the next day. I prefer this method rather than Pearson Vue’s method, where I have to schedule my exam ahead of time.

I want to mention that the three black-box penetration test labs intimidated me because they were hard. Since I had a free exam retake with the purchase of the Elite package, I decided to push it through and get the feel of it.

I started my exam at 7:53 AM. After starting, I downloaded an OpenVPN file to connect to the exam environment. Once connected, I was confused about what the next steps were. All I knew was I needed the letter of engagement, and I couldn’t find it. After poking around, I finally found the packaged file (RAR).

Upon extraction, it contained the letter of engagement and other files. I used all of these files for the duration of the exam.

As you may already know, once the exam has started, you have 72 hours to submit your answers. Depending on your level of understanding of the material, you don’t need all of those hours. I finished my exam at 1:12 PM on the same day. All in all, it took me 5 hours and 19 minutes to complete the exam.

Here are some of the reasons why it took me that long:

• I answered an important call.
• Answering some emails.
• I ate lunch.
• And many more.

Honestly, it doesn’t matter if you take the whole 72 hours or finished it in four hours or less. Everyone’s journey is different, so don’t try to compare yourself with other folks.

While I didn’t get 100% on the exam, I think the exam is easy. It is nowhere near the same level of difficulty as the black-box penetration test labs. I seriously thought it was going to be that hard.

Tips

I think it’s safe to say that people read these posts to get some tips for the exam. I can only tell you stuff that I believe is not against eLS’ terms and conditions, so don’t expect me to reveal anything specific about the exam.

Without further ado, below are my tips to pass the exam on the first attempt.

• Avoid distractions as much as possible.
• Read the letter of engagement carefully.
• Make sure you have a good grasp of the course.
• Have a good understanding of networking concepts.
• Know how to analyze packet captures.
• Effectively enumerate ports, services, etc.
• Understand how the tools will help with your attack methodologies.
• Do the labs twice if you’re new to IT.
• You do not have to do the black-box pentest labs twice.
• Create notes as you’re going through the slides, videos, and labs.
• The exam is not a CTF. Do not overthink it.

Final thoughts

While I think the PTS course and eJPT are good, I think there’s an opportunity to make it better. For one, I think they need to refresh the course because some of the tools covered are outdated. Though, those tools still work just fine.

Furthermore, I think they need to reduce the number of hours allotted to the exam or make it harder, like their black-box penetration test labs. Though, this might require a bit more course content.

I think INE needs to improve the certification’s recognition in the HR community. The eJPT has been around longer than the CompTIA PenTest+, but it doesn’t seem to have the same status.

Moreover, I think they need to work with Credly to get digital certification badges. They’re behind the up-and-coming companies in the cybersecurity training and certification business.

You might like to read