The PNPT certification has earned its reputation as one of the most realistic penetration testing exams available. Unlike certifications that test your ability to memorize facts or solve CTF-style puzzles, TCM Security's Practical Network Penetration Tester exam puts you through an actual simulated engagement, complete with a professional debrief where you present your findings to senior pentesters.
This guide covers everything you need to know about the PNPT exam in 2026: what it tests, how much it costs, how to prepare, and whether it's the right certification for your career path. We'll also compare PNPT vs OSCP to help you decide which certification makes sense for your situation.
🎯 What is the PNPT Certification?
The Practical Network Penetration Tester (PNPT) is a professional-level certification offered by TCM Security, founded by Heath Adams, better known in the security community as TheCyberMentor. Unlike traditional certifications that rely on multiple-choice questions or CTF-style flag hunting, PNPT tests your ability to conduct a complete penetration test from start to finish.
The exam simulates a real client engagement. You'll perform OSINT reconnaissance, compromise an Active Directory domain controller, document your findings professionally, and then present your results in a live 15-minute debrief with TCM's senior penetration testers. This debrief component is what truly sets PNPT apart. It mirrors what you'd actually do after a real engagement: explain your findings to stakeholders and answer their questions.
Since April 2023, the PNPT certification no longer expires. Once you earn it, it's yours for life. Your credential is issued through Accredible, providing verifiable proof of your achievement that employers can confirm.
Key differentiator: The live debrief requirement forces you to develop communication skills alongside technical abilities. Many technically skilled professionals struggle to explain their findings to non-technical stakeholders. PNPT ensures you can do both.
📋 PNPT Exam Format and Requirements
Understanding the exam structure helps you prepare effectively. The PNPT exam is designed to replicate a realistic penetration testing engagement rather than an artificial test scenario.
Exam Timeline
You have a total of seven days to complete the PNPT exam, broken into two phases:
- 5 days for the assessment: Conduct your penetration test against the exam network. No artificial time pressure means you can work methodically, just like a real engagement.
- 2 days for report writing: Document your findings in a professional penetration testing report. Include executive summary, technical findings, evidence, and remediation recommendations.
- 15-minute live debrief: After submitting your report, schedule a video call with TCM assessors to present your findings and answer questions about your methodology.
What You Must Demonstrate
The PNPT exam tests the complete penetration testing methodology. You'll need to demonstrate proficiency in these areas:
- OSINT and reconnaissance: Gather intelligence on the target organization using open source techniques before engaging the network directly.
- Network penetration: Enumerate services, identify vulnerabilities, and gain initial access to systems within the target environment.
- Active Directory exploitation: Navigate the AD environment, escalate privileges, and ultimately compromise the Domain Controller. This is the core technical requirement.
- Antivirus and egress bypassing: Work around security controls to maintain access and exfiltrate data as needed for your assessment.
- Professional report writing: Document everything in a format suitable for both technical teams and executive stakeholders.
- Client debrief presentation: Explain your findings clearly and professionally, answering questions from senior assessors.
Exam Policies
The PNPT is unproctored, meaning no invasive monitoring software watches you during the exam. You're free to use any tools you prefer, including Linpeas, custom scripts, or Metasploit. The exam simulates a real engagement where tool restrictions don't exist. Every exam voucher includes one free retake, reducing financial risk compared to certifications that charge hundreds of dollars per additional attempt.
💰 PNPT Pricing and Training Options
TCM Security offers several paths to PNPT certification. The pricing is straightforward compared to some competitors, with training included rather than sold separately.
| Option | Price | What's Included |
|---|---|---|
| PNPT Voucher + Training | $499 | Exam voucher, 1 free retake, 12 months training access (45+ hours) |
| Ethical Hacker Bootcamp | $2,999 | Live instruction, PJPT + PORP + PNPT vouchers, 50 hours lab time |
| Professional Pentester Bundle | ~$1,500 | PJPT, PNPT, PORP, PWPA, PWPP (5 certs + 24 months training) |
Available Discounts
TCM Security offers 20% off for eligible groups. Email certifications@tcm-sec.com with proof of status if you qualify:
- Current students and educators
- Active duty and former military personnel
- First responders (police, fire, EMS)
Included Training Courses (45+ hours)
- Practical Ethical Hacking - Core pentesting methodology
- Windows Privilege Escalation - Token manipulation, service exploits
- Linux Privilege Escalation - SUID, cron, sudo abuse
- OSINT Fundamentals - Reconnaissance techniques
- External Pentest Playbook - Real-world methodology
Voucher validity: 12 months from purchase. Training access is also 12 months.
👤 Who Should Take the PNPT?
The PNPT is positioned as a professional-level certification. It's not designed for complete beginners, but it's also not as intimidating as some advanced certifications. Here's who benefits most from pursuing PNPT.
Ideal Candidates
- Aspiring pentesters wanting practical validation before job hunting
- Junior security professionals needing credentials without OSCP's cost
- IT professionals transitioning from sysadmin/dev to offensive security
- CTF enthusiasts with home lab experience seeking formal recognition
Prerequisites
While there are no formal prerequisites, TCM Security recommends the following before attempting PNPT:
- Basic networking knowledge (TCP/IP, DNS, routing)
- Linux command line proficiency
- Understanding of Windows and Active Directory environments
- Familiarity with basic exploitation concepts
Not Recommended For
If you're a complete beginner with no IT background, start with TCM's PJPT (Practical Junior Penetration Tester) first. PJPT covers foundational skills needed for PNPT's more advanced challenges. Those looking for a quick certification to pad a resume should look elsewhere. PNPT requires genuine skills with no shortcuts or brain dumps to help.
⚔️ PNPT vs OSCP vs CPTS: Which Certification?
The PNPT vs OSCP comparison dominates certification discussions, but HTB's CPTS is now a serious contender. Here's how all three compare for aspiring pentesters.
| Aspect | PNPT | OSCP | CPTS |
|---|---|---|---|
| Provider | TCM Security | Offensive Security | Hack The Box |
| Price (with training) | $499 | $1,749+ | ~$700 |
| Exam Duration | 5+2 days | 24 hours | 10+10 days |
| Format | Real pentest + debrief | CTF-style machines | Multi-host network |
| Free Retake | 1 included | None | None |
| Proctoring | Unproctored | Proctored | Unproctored |
| Expiration | Never | 3 years | Never |
| Recognition | Growing | Gold standard | Growing |
Who Should Choose What
- Choose PNPT if: You want realistic methodology + client skills at lowest cost
- Choose OSCP if: You need maximum HR recognition and can afford $1,749+
- Choose CPTS if: You prefer structured modules and HTB's training style
The Trifecta Strategy
Many professionals pursue PNPT first ($499, realistic methodology), then add OSCP for resume recognition, then CPTS for depth. This path maximizes skills while spreading costs over time.
📚 How to Prepare for the PNPT Exam
Success on the PNPT requires systematic preparation across multiple skill areas. Here's a structured approach to get you exam-ready in 4-6 months.
Preparation Timeline
| Timeline | Focus Area |
|---|---|
| Months 1-2 | Complete TCM's Practical Ethical Hacking course. Build your foundational methodology. |
| Month 3 | Windows and Linux Privilege Escalation courses. Practice on lab machines. |
| Month 4 | OSINT Fundamentals and External Pentest Playbook. Develop reconnaissance skills. |
| Month 5 | Active Directory deep dive. Practice full attack chains from initial access to DC compromise. |
| Month 6 | Mock assessments, report writing practice, review weak areas. Schedule exam. |
Essential Skills to Master
The PNPT tests a broad range of penetration testing skills. Focus your preparation on these core areas:
OSINT and Reconnaissance
The exam begins with an OSINT phase. Practice subdomain enumeration, email harvesting, LinkedIn intelligence, document metadata analysis, and breach data searching through legitimate sources.
Network Scanning and Enumeration
Thorough enumeration is critical. You should be comfortable with Nmap's full capabilities, service-specific enumeration techniques, and understanding what services reveal about potential attack vectors. Check out our Nmap cheat sheet for a quick reference during your preparation.
Active Directory Exploitation
Compromising the Domain Controller is the core exam objective. You must understand these AD attack techniques inside and out:
- Kerberoasting: Request and crack service account tickets
- AS-REP Roasting: Target accounts without pre-authentication
- Pass-the-Hash / Pass-the-Ticket: Authenticate with stolen credentials
- BloodHound: Map attack paths through AD relationships
- DCSync: Replicate credentials from Domain Controllers
Privilege Escalation
Both Windows and Linux privilege escalation are essential. You'll need to escalate from initial low-privilege access to administrative control on multiple systems.
- Windows: Token impersonation, service misconfigurations, unquoted paths, registry exploits
- Linux: SUID binaries, cron job abuse, sudo misconfigurations, capabilities
Professional Report Writing
Your report must communicate findings to both technical teams and executives. Practice writing executive summaries, technical findings with reproduction steps, risk ratings, and remediation recommendations.
Recommended Practice Resources
- HackerDNA Labs - Guided pentesting with hints when stuck
- TCM's included labs - Complete every exercise in the training
- Proving Grounds - TJ Null's list for OSCP-like practice
- Home AD lab - Build your own Active Directory environment
See our TryHackMe vs HackTheBox comparison for choosing practice platforms.
🎯 PNPT Exam Day Tips
The five-day assessment period gives you flexibility, but smart time management still matters. Here's how to approach exam day (and the following days) effectively.
Before the Exam
- Ensure stable internet (have mobile hotspot backup)
- Prepare your VM with all tools pre-installed and tested
- Set up note-taking (CherryTree, Obsidian, etc.)
- Create a report template in advance
- Get good sleep. You have 5 days, so pace yourself
During the Assessment
- Document everything. Screenshot findings immediately
- Take methodical notes. Future-you will thank present-you
- Work systematically. Follow your methodology
- If stuck, enumerate more. The answer is usually something you missed
- Take breaks. Fresh eyes catch things tired eyes miss
Report Writing and Debrief
The two-day report window is sufficient if you documented well during the assessment. Include an executive summary, technical findings with evidence, reproduction steps, risk ratings, and remediation recommendations.
After submitting your report, you'll schedule a 15-minute video debrief with TCM's assessors. Prepare a concise presentation of key findings, focus on business impact, and be ready to answer methodology questions. Treat it like a real client meeting.
Common mistakes to avoid: Rushing through enumeration, poor documentation that makes report writing painful, forgetting to screenshot evidence before moving on, and underestimating the debrief preparation. The debrief isn't just a formality. It's part of the assessment.
📄 Report Requirements and Evaluation
Your penetration testing report is a significant part of the PNPT evaluation. A technically successful compromise with a poor report can still result in failure.
What Your Report Must Include
- Executive Summary: Non-technical overview of findings, business impact, and overall risk posture
- Methodology: High-level description of your approach and tools used
- Technical Findings: Each vulnerability with description, evidence, severity rating, and reproduction steps
- Evidence: Screenshots showing exploitation, commands executed, and proof of access
- Remediation: Specific, actionable recommendations for each finding
Live Debrief Evaluation
The 15-minute debrief tests skills beyond technical exploitation:
- Communication: Can you explain complex attacks to varied audiences?
- Prioritization: Do you understand which findings matter most to the business?
- Methodology: Can you justify your approach and explain alternative paths?
- Professionalism: Would a client trust your findings and recommendations?
Pro tip: Prepare your debrief presentation before finishing the report. Structure it as: scope recap, critical findings, attack path summary, remediation priorities. Practice explaining technical attacks in business terms.
📜 Exam Rules and Constraints
Understanding the rules of engagement prevents disqualification and mirrors real-world pentesting professionalism.
What's Allowed
- All tools (Metasploit, Linpeas, BloodHound, custom scripts, etc.)
- Internet access for research and tool downloads
- Note-taking applications and documentation tools
- Multiple VMs and your preferred pentesting setup
What's Not Allowed
- Sharing exam details, network information, or solutions publicly
- Receiving help from others during the exam
- Attacking infrastructure outside the defined scope
- Using denial-of-service attacks that disrupt the exam environment
If Something Breaks
If you encounter technical issues with the exam environment, contact TCM Security support immediately. Document the issue with screenshots. The exam timer can be paused for legitimate infrastructure problems. Don't panic if a machine becomes unresponsive. Environment resets are available if needed.
💎 Is the PNPT Certification Worth It?
With so many certifications available, you need to evaluate whether PNPT provides genuine career value. Here's an honest assessment of the pros, cons, and who benefits most.
The Good
- Realistic exam: Simulates actual client engagements, not CTF puzzles
- Affordable: $499 vs $1,749+ for OSCP, includes free retake
- Live debrief: Builds client communication skills most certs ignore
- Quality training: 45+ hours of well-regarded content included
- Never expires: No recertification fees or requirements
- Growing recognition: Increasingly valued by hiring managers
The Limitations
- Less name recognition than OSCP - Some HR departments still filter specifically for OSCP
- Not suitable for complete beginners - Requires foundational skills; consider PJPT first
- Requires significant time commitment - 7 full days for the exam plus months of preparation
- Relatively new certification - Doesn't have decades of industry reputation like OSCP
Career Impact
PNPT demonstrates that you can perform an actual penetration test, not just answer questions about one. For hiring managers who understand practical skills, this matters significantly. The certification shows:
- You can conduct a complete engagement from reconnaissance to reporting
- You have professional communication skills (demonstrated in the debrief)
- You understand real-world methodology, not just CTF tricks
- You can document findings professionally
Industry Recognition
PNPT is increasingly accepted by security teams and consulting firms that prioritize practical skills. While OSCP still dominates HR filters at large enterprises, PNPT gains ground quickly. Many hiring managers at boutique security firms and internal red teams now list PNPT as an acceptable credential. TCM Security maintains a list of recognizing organizations on their certification page.
The verdict: If you want to prove you can actually do the job, not just pass a test, PNPT is one of the best investments in your pentesting career. For maximum market appeal, consider pairing it with OSCP later when budget allows.
❓ Frequently Asked Questions
How much does the PNPT cost?
The PNPT certification costs $499, which includes the exam voucher, one free retake, and 12 months of access to 45+ hours of training courses from TCM Academy. Students, military, and first responders receive 20% off.
How long is the PNPT exam?
You have 5 full days to complete the penetration test assessment and an additional 2 days to write your professional report. After submitting your report, you schedule a 15-minute live debrief with TCM assessors to present your findings.
Does the PNPT certification expire?
No. As of April 17, 2023, the PNPT certification does not expire. Once you earn it, it's yours for life with no recertification requirements.
Is the PNPT exam proctored?
No, the PNPT is not proctored. There are no invasive monitoring tools to install on your system. However, TCM Security monitors network traffic within the exam environment to ensure integrity.
Can I use any tools on the PNPT exam?
Yes. All tools are allowed, including Linpeas, Metasploit, custom scripts, and anything else in your arsenal. The exam simulates a real engagement where tool restrictions don't apply.
Is PNPT easier than OSCP?
The PNPT is generally considered more accessible due to its 5-day timeline (vs OSCP's 24 hours), included training, and free retake. However, it still requires genuine pentesting skills. There are no shortcuts or brain dumps that help you pass.
Should I get PJPT before PNPT?
TCM Security recommends completing the PJPT first if you don't have professional pentesting experience. PJPT is associate-level while PNPT is professional-level. If you're completely new to security, starting with CTF fundamentals builds essential skills before pursuing any certification.
What happens if I fail the PNPT?
You get one free retake included with your voucher. If you need additional attempts after using your free retake, you can purchase retake vouchers separately from TCM Security.
⚖️ Legal and Ethical Considerations
The skills you develop preparing for PNPT are powerful. Use them responsibly. Penetration testing without authorization is illegal, regardless of your intentions.
Critical reminder: Always get explicit written authorization before testing any system. Unauthorized access is illegal and can result in criminal prosecution, fines, and permanent career damage. "I was just practicing" is not a legal defense.
- Only test systems you own or have written permission to test. Verbal agreements aren't enough for professional engagements. Get signed authorization.
- Use legal practice environments. HackerDNA Labs, TCM's exam environment, and home labs you build yourself are all legal options.
- Practice responsible disclosure. If you discover vulnerabilities during authorized testing or accidentally, report them through proper channels without exploitation.
- Respect scope boundaries. During real engagements, stay within the defined scope. Just because you can pivot to other systems doesn't mean you should.
- Protect client data. Handle any data you encounter during testing with appropriate care. Never retain or exploit sensitive information.
🚀 Your Next Steps
The PNPT certification offers a practical, affordable path to proving your penetration testing skills. The realistic exam format, included training, and live debrief create an experience that genuinely prepares you for professional engagements.
Your roadmap: Build foundational skills first, complete TCM's included training courses, practice in hands-on lab environments, develop your methodology, and master Active Directory attacks. When you can consistently compromise AD environments and write professional reports, you're ready for the exam.
Start Here Based on Your Level
- Complete beginner: Start with foundational skills through HackerDNA's Ethical Hacking course before attempting any certification.
- Some CTF experience: Jump into TCM's training package. The included courses will fill gaps and build your methodology.
- Working security professional: Review the exam objectives, practice AD exploitation, and schedule your exam. You may be closer to ready than you think.
The path to PNPT isn't about memorizing facts or gaming a test. It's about developing real skills that translate directly to professional work. Start practicing today, stay consistent, and you'll earn a certification that actually means something.