Practical Network Penetration Tester (PNPT) Review

Ibad Altaf
3 min readMay 12


PNPT Certified Badge

A couple of weeks ago, I had the chance to give the CRTO exam and clear it. I wanted to move on to CRTO 2 next. However, I have been interested in clearing TCM’s PNPT exam for a while now, I’d probably say more than a year now. I finally cleared it today on the 12th of May, 2023.

PNPT Content & Preparation

The PNPT exam is built around a real-world penetration testing engagement, it requires one to conduct Passive & Active Reconnaissance (which includes OSINT), and then conducting External Penetration test and moving laterally to the Internal Network with some aspects of pivoting.

To prepare for the PNPT exam, TCM recommends the following five courses:

  1. Practical Ethical Hacking
  2. Open-Source Intelligence Fundamentals
  3. The External Pentest Playbook
  4. Windows Privilege Escalation
  5. Linux Privilege Escalation

All of the courses are worth the price and include great content and techniques. However, with my prior experience, I felt that PEH and EPP courses were enough for me. For pivoting, I did one of the pivoting rooms from TryHackMe.

The PEH course was really fun as it had all aspects of penetration testing in it. From Active & Passive enumeration to exploitation of standalone machines to exploiting an Active Directory network to Web Application exploitation to Report Writing, it had it all! The Active Directory section was my favourite, because it had techniques that aren’t usually taught in other courses so it was something new that I got to learn.

The EPP course was really fun as well as it has helped me at my work as well, learning about different techniques to get access to login portals. After PEH, I would recommend EPP, not just for the exam, but just to learn different techniques and know what type of methodology one should implement when dealing with an external environment.


I will be honest; when people used to say that the exam emulates a real-world engagement and is not a CTF, I used to call cap on that. I did not believe that an exam environment could be emulated like a real-world engagement. However, I was proven wrong, the exam was almost as close to a real-world engagement as it could. I have done various certifications in the past; CRTP, CRTO being among them, but they were both CTF-style certifications so I expected PNPT to be as such as well. I really had to get rid of my CTF mentality and treat the exam as a real client, when I switched my methodology based on this factor, I started making progress during the exam. The exam was a really fun experience, from start to finish. I hope we can get “PNPT 2” at some point with some advanced techniques being taught.

Kudos to the TCM team for providing such an affordable and fun platform!

What’s next?

I’m not planning on doing CRTO 2. I’m really excited about this course as this course will teach not just how to bypass Antivirus, but also other security controls and most importantly EDRs. Very excited to learn to create my own tools and use it to bypass EDRs. I’ll hopefully be back with another blog about CRTO review in a couple of months. And then I’d like to end the year with being OSCP certified as well.



Ibad Altaf

Penetration tester and a red teamer. Love to learn techniques to bypass various security solutions. Find me at