eLearnSecurity Junior Penetration Tester (eJPT) – Course Review

I recently completed the Junior Penetration Tester certification, provided by eLearnSecurity. There are a number of reasons as to why I did this, but the main one is that I was felt myself losing motivation. Work and general life has been extremely busy for me lately, and I have struggled to find the time or energy required to make meaningful improvements on my way to the OSCP. I needed something more concrete and immediately attainable to work towards, to refocus and increase the number of hours spent studying. I guess you could say I’ve been in a bit of a rut, and needed to commit myself to something more short term to get out of it. I’m happy to report that after a couple of weeks of study, I was able to pass successfully. I would even say I found the exam to be very easy, requiring significantly less time than given to pass with 19/20.

For helpful resources and commands you may need to actually pass the eJPT exam, have a look at my accompanying post titled How to Pass the eJPT.

Course Overview

The course itself, titled Penetration Testing Student (PTS), is presented in written, video and practical form. To gain access to the video and lab environment, you need to pay for the ‘full’ version of the course. The slides/written component are available for free. After reading through the written component and taking solid notes, I felt comfortable enough that I knew pretty much everything covered in the PTS already. Deciding to just give the exam a try, I purchased an exam voucher and passed in just over 3 hours. There are 20 questions to answer in 72 hours, and 15 correct answers are required to pass. eLearnSecurity are definitely overly generous with the allocated time, as I didn’t require anything close to that – but your mileage may vary. The questions themselves are also straightforward, being easy to understand and answer. This really is an entry level certification aimed towards “juniors”, so keep this in mind when considering whether or not the course is worth it for you personally.

I’ll break this review of the course and exam down into the following sections:
Material – The breadth and depth of the material covered.
Tools and Processes – what tools and process you learn about.
Relevance – how relevant and up-to-date the course is compared to modern pentesting.
Readability – how easy to understand and comprehend the course is.

Material

The material covered by this course is extremely broad, but does often lack depth at times. eLearnSecurity have clearly gone for a shotgun approach here, trying to cover as many techniques as possible whilst still keeping the overall length of the course brief. While I can appreciate that students with little exposure to penetration testing may gain some value out of this approach, I do feel that the lack of depth hurts the eJPT in the long run. For example, SQL injection is an extremely deep and complex area of web application testing, but the course barely scratches the surface of how it actually works. It almost immediately introduces SQLMap, a tool that automates the whole process anyway, making manual SQL injection largely irrelevant. This could have negative side effects on students who become too reliant on these types of automated tools. After all, they may not always work when compared to doing it the manual way.
Despite this, the range of material covered is very good. It provides a solid foundation for students to continue to learn on their own after passing this certification, which is largely the point of this course in the first place.

Material Rating: 7/10

Tools and Processes

Being a practical course and exam, the eJPT does a good job introducing a range of tools and processes to the student. In fact, the entire course is almost exclusively based around tools and how or when to use them. The practical aspect of the course (if you choose to purchase it) would then have you actually use these tools in a lab environment, giving you experience that is then directly tested in the exam. This hands on approach is my preferred way to learn penetration testing, as I feel that the underlying logic and math behind attacks is better suited to more advanced practitioners. The eJPT simply introduces a concept, presents the relevant tool and/or process, then provides examples of them in use. Like my complaint above, there just isn’t enough depth here. For example, Nmap is a tool that has a huge range of features beyond simple port scanning. However, the course really only goes into the very basic usage of Nmap and neglects it’s other features or use cases. With that said, the tools they do introduce in the course are all useful and I have no real complaints about the choices they have made here.

Tools and Processes Rating: 8/10

Relevance

eLearnSecurity are a relatively new company and the course does not feel at all out of date. Unlike other security courses or books, the eJPT feels fresh and the skills gained in this course will be directly applicable to other learning platforms.
One other factor to consider is how relevant the certification itself is. From what I have heard and read online, the eJPT (or other eLearnSecurity) certifications do not currently carry much weight in the infosec community. HR employees or hiring managers are unlikely to have heard of this certification, which does hurt it’s overall relevance. Compared to some of the more ubiquitous certifications that exist in the infosec landscape, this one will not do you any favors. For people who are looking to boost the status of their CV, you’re probably better off looking into the CEH. For people who are looking to gain relevant skills, the eJPT is far superior.

Relevance Score: 7/10

Readability

This is the strongest aspect of both the PTS course and the eJPT exam. It is very clearly presented and easy to understand. There are multiple ways for students to study the material and have these concepts reinforced through text, video or practical exercises. In addition, the text course I studied contained plenty of examples to clearly illustrate how commands would be used.
The exam is also very easy to setup and understand. It is a practical exam with questions that require you to actually attack the machines to find the required answers. Similar in approach to a CTF, with the addition that the questions here provide enough direction so you know exactly what you are looking for and how to find the answer.
I genuinely think eLearnSecurity have done an amazing job with the way they have presented their course and exam, and have no complaints here.

Readability Score: 10/10

Conclusion

There is an argument to be made that I wasted my time with the eJPT. I was already comfortable with everything in the scope of the course and I breezed through the exam with little issue. Having mulled this over myself, I ultimately don’t regret studying and achieving this certification. I learned some things – particularly around routing and web application attacks – gained some confidence, and re-motivated myself. It’s clear now that the eJPT wasn’t really meant for me, and as such I didn’t get too much value out of it. Who it is for are beginners looking for a place to start.

To those in that boat, I would highly recommend giving the eJPT a try. It is a fully practical exam, with a practical lab environment available that will expose you to some of the core concepts, tools and attacks used in penetration testing. It is well presented and easy to understand, with up to date course material that will surely be useful for anyone looking to get started in penetration testing.

If you do decide to start working toward this certification, make sure to check out my How to Pass the eJPT post for a collection of useful commands and resources.

Overall Score: 8/10

4 thoughts on “eLearnSecurity Junior Penetration Tester (eJPT) – Course Review

  1. Hi KentoSec,

    Long time reader, first time poster. Do you think that automated tools are a problem in the security industry?

    Regards,

    gobackn

    Like

    1. Hey gobackn,

      This is an interesting question, and I could write a whole post on this (maybe I will one day!). I personally think it depends on the perspective with which you view the ‘security industry’.
      The more advanced and widespread automated tools become, the easier it is for companies or users to identify vulnerabilities and ultimately work toward a stronger security posture. To this end, automated tools can and do improve security in a more general sense, which I see as a positive thing.
      For those working in the security industry, particularly as pen testers, I think over reliance on automated tools may be an issue. Zero days are not typically discovered through the use of automated tools. I think it’s vital that a niche community of security practitioners can continue to identify and remediate these types of vulnerabilities. To keep this sustainable, the newer generation of security practitioners cannot cut corners by relying on automated tools to do the heavy lifting while they are still learning.

      At least that’s my current view on it, thanks a lot for your question.

      Kento.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s