I recently completed the Junior Penetration Tester certification, provided by eLearnSecurity. There are a number of reasons as to why I did this, but the main one is that I felt myself losing motivation. Work and general life have been extremely busy for me lately, and I have struggled to find the time or energy required to make meaningful improvements on my way to the OSCP. I needed something more concrete and immediately attainable to work towards, to refocus and increase the number of hours spent studying. I guess you could say I’ve been in a bit of a rut, and needed to commit myself to something more short term to get out of it. I’m happy to report that after a couple of weeks of study, I was able to pass successfully. I would even say I found the exam to be very easy, requiring significantly less time than given to pass with 19/20.
For helpful resources and commands you may need to actually pass the eJPT exam, have a look at my accompanying post titled How to Pass the eJPT.
The course itself, titled Penetration Testing Student (PTS), is presented in written, video and practical form. To gain access to the video and lab environment, you need to pay for the ‘full’ version of the course. The slides/written component are available for free. After reading through the written component and taking solid notes, I felt comfortable enough that I knew pretty much everything covered in the PTS already. Deciding to just give the exam a try, I purchased an exam voucher and passed in just over 3 hours. There are 20 questions to answer in 72 hours, and 15 correct answers are required to pass. eLearnSecurity are definitely overly generous with the allocated time, as I didn’t require anything close to that – but your mileage may vary. The questions themselves are also straightforward, being easy to understand and answer. This really is an entry level certification aimed towards “juniors”, so keep this in mind when considering whether or not the course is worth it for you personally.
I’ll break this review of the course and exam down into the following sections:
Material – The breadth and depth of the material covered.
Tools and Processes – What tools and processes you learn about.
Relevance – How relevant and up-to-date the course is compared to modern pentesting.
Readability – How easy to understand and comprehend the course is.
Material
The material covered by this course is extremely broad, but often lacks depth. eLearnSecurity have clearly gone for a shotgun approach here, trying to cover as many techniques as possible whilst still keeping the overall length of the course brief. While I can appreciate that students with little exposure to penetration testing may gain some value out of this approach, I do feel that the lack of depth hurts the eJPT in the long run. For example, SQL injection is an extremely deep and complex area of web application testing, but the course barely scratches the surface of how it actually works. It almost immediately introduces SQLMap, a tool that automates the whole process anyway, making manual SQL injection largely irrelevant. This could have negative side effects on students who become too reliant on these types of automated tools. After all, they may not always work when compared to doing it the manual way.
Despite this, the range of material covered is very good. It provides a solid foundation for students to continue to learn on their own after passing this certification, which is largely the point of this course in the first place.
Material Rating: 7/10
Tools and Processes
Being a practical course and exam, the eJPT does a good job introducing a range of tools and processes to the student. In fact, the entire course is almost exclusively based around tools and how or when to use them. The practical aspect of the course (if you choose to purchase it) would then have you actually use these tools in a lab environment, giving you experience that is then directly tested in the exam. This hands-on approach is my preferred way to learn penetration testing, as I feel that the underlying logic and math behind attacks is better suited to more advanced practitioners. The eJPT simply introduces a concept, presents the relevant tool and/or process, then provides examples of them in use. Like my complaint above, there just isn’t enough depth here. For example, Nmap is a tool that has a huge range of features beyond simple port scanning. However, the course really only goes into the very basic usage of Nmap and neglects its other features or use cases. With that said, the tools they do introduce in the course are all useful and I have no real complaints about the choices they have made here.
Tools and Processes Rating: 8/10
Relevance
eLearnSecurity are a relatively new company and the course does not feel at all out of date. Unlike other security courses or books, the eJPT feels fresh and the skills gained in this course will be directly applicable to other learning platforms.
One other factor to consider is how relevant the certification itself is. From what I have heard and read online, the eJPT (or other eLearnSecurity) certifications do not currently carry much weight in the infosec community. HR employees or hiring managers are unlikely to have heard of this certification, which does hurt its overall relevance. Compared to some of the more ubiquitous certifications that exist in the infosec landscape, this one will not do you any favors. For people who are looking to boost the status of their CV, you’re probably better off looking into the CEH. For people who are looking to gain relevant skills, the eJPT is far superior.
Relevance Score: 7/10
Readability
This is the strongest aspect of both the PTS course and the eJPT exam. It is very clearly presented and easy to understand. There are multiple ways for students to study the material and have these concepts reinforced through text, video or practical exercises. In addition, the text course I studied contained plenty of examples to clearly illustrate how commands would be used.
The exam is also very easy to set up and understand. It is a practical exam with questions that require you to actually attack the machines to find the required answers. It is similar in approach to a CTF, with the addition that the questions here provide enough direction so you know exactly what you are looking for and how to find the answer.
I genuinely think eLearnSecurity have done an amazing job with the way they have presented their course and exam, and have no complaints here.
Readability Score: 10/10
There is an argument to be made that I wasted my time with the eJPT. I was already comfortable with everything in the scope of the course and I breezed through the exam with little issue. Having mulled this over myself, I ultimately don’t regret studying and achieving this certification. I learned some things – particularly around routing and web application attacks – gained some confidence, and re-motivated myself. It’s clear now that the eJPT wasn’t really meant for me, and as such I didn’t get too much value out of it. It is for beginners looking for a place to start.
To those in that boat, I would highly recommend giving the eJPT a try. It is a fully practical exam, with a practical lab environment available that will expose you to some of the core concepts, tools and attacks used in penetration testing. It is well presented and easy to understand, with up-to-date course material that will surely be useful for anyone looking to get started in penetration testing.
If you do decide to start working toward this certification, make sure to check out my How to Pass the eJPT post for a collection of useful commands and resources.