I will give this article a twist. I think PNPT is a great certification, no doubt about it. But is this something for a security leader? Is this a certificate that would add value, or something a security leader should go after? This is a pretty broad question, as leadership comes in many different forms. I will get back to this one later on in the article. And the reason I put in this twist here is that I mainly work these days with security leadership and management. My goal with this article is to try to inspire and influence other “security leaders” to get a bit more curious about offensive security.
Yes, I know, and many out there say that a security leader doesn’t need to know hands-on stuff. Some say they do, i.e. they need to know at least a little bit about their shit and how shit is done in practice. Personally, I think it will always favor you as a leader if you are capable of pulling up your sleeves and contributing to your team by getting your hands dirty. Doing the work. Knowing a bit or two. You don’t need to be the best one at the stuff, but your team will almost always appreciate it if you know how things are done. I think it is very low probability that you, as a security leader, will face this statement:
“We want a security leader who doesn’t know how things are done in reality or who has experience from the trenches.”
I haven’t been faced with that form of feedback at least. This sounds like a one-man survey thing right now, but I think you understand what I’m saying.
In this article, I will take you with me on my thoughts about offensive security and whether this is something security leaders should spend their time on. From the introduction above, you might already have figured out what I think. And if you have read my other articles about the subject, you might have a feeling for where this article will take you. But there is that twist again. In this article, I will put down my thoughts on offensive security for security leaders and what can be learned from the PNPT (Practical Network Penetration Tester) certification from TCM (The Cyber Mentor) Security.
TERMS & DEFINITIONS
Below are terms and definitions that will be used several times in this article:
TCM – The Cyber Mentor (TCM) is the organization that provides the PNPT certification.
PNPT – Practical Network Penetration Tester (PNPT). This certificate is targeted toward those who want to demonstrate their knowledge of how to conduct a penetration test consisting of OSINT (Open Source Intelligence), external penetration testing, internal penetration testing, report writing, and customer debriefing.
A little bla bla bla about myself
These days, I mainly work with security leadership and management with a focus on the subjects of strategy and governance. This is to a certain extent the diametric opposite of offensive security. Security strategy and governance are very much about the high-level things, i.e., “the bigger picture”. As some people say, “the fluffy stuff”. Offensive security is very much the opposite; it’s about the details. It’s about actual hands-on things. It’s about identifying weaknesses. It’s about looking at things from an attacker’s point of view. You get it, I guess.
I love to do the fluffy things and architect the bigger picture that improves an organization’s security posture and resilience from a strategic and tactical viewpoint. And at the same time, I love to think about and experience security through the lens of an attacker. The reason I personally spend time in the offensive security landscape is mainly that I find it very interesting, stimulating, and fun. And as an added benefit, this also helps me to increase my XP-level as a security leader (at least how I see it). I get a broader perspective and understanding of how things work, and this is something I personally like.
SECURITY LEADERSHIP
I think that a security leader should have strong leadership skills, added to technical security skills, independent of what kind of technical security skills they have. A security leader should know their stuff. Not be an expert but understand how shit works, whether it’s GRC, defensive, offensive, or architectural. What I’m a strong believer in is that to become a security leader, you should also have a broad understanding and perspective of security. This is more applicable to you as a security leader if your responsibility is to drive company-wide security improvements and more of those tactical & strategic decisions.
And yes, you can be a security leader in a niche field not requiring that broad understanding and perspective. It will, though, very rarely be to your disadvantage as a security leader to be well-rounded. This is my personal opinion and belief around security leadership, not something fancy smanchy from a leadership textbook or theory. And I’m totally fine if not all people out there agree with me.

I’m not here to convince others to say that “This is what security leadership is about, and there are no other ways!”. Leadership comes in many different forms. Simple as that. How I operate as a security leader will differ from how others do, and there is nothing wrong with it. And I’m totally fine with this. What works for me might not be something that works for you. But what I can do is to share my thoughts and let you pick a thing or two from them, test them out, see if they work, and add them to your arsenal.
And what does all this have to do with offensive security and PNPT from TCM security specifically?
I have written it before, and I write it again: I think that a security leader would benefit from understanding how attacks are carried out. If you are a security leader who works with offensive or defensive security, you most likely already have a pretty good understanding of this part. If you work in a role with less hands-on focus on technology, this usually, but by no means in absolute terms, means one probably has less understanding of how cyber attacks are carried out in real life. I’m generalizing, but to a high extent, this is how it is. One interesting aspect that I think contributes to this statement and outcome is the way many organizations structure their security teams and the work they do. This may sound like a bit of a rant, but this is actually very true, and it is often observed in many organizations:
- GRC folks do GRC things, often less hands-on things and technical stuff. Policies, risk assessments, compliance, awareness, and data privacy.
- Operational security teams do the operational things, i.e., defensive, offensive, engineering, etc. Security event and incident management, detection and response management, operational engineering, and improvement.
And what fascinates me is that these teams many times don’t cooperate or rotate people between them. They don’t really practice together or do things together. They exist in the same team and context with the same mission, but do their own things. Think about this one: like an ice hockey team where there are both defensive and offensive players, but they don’t practice together. How sick would that be? Yes, the corporate world is not and can’t be compared to the sports world. But I think there is, for sure, a mental aspect that more or less can be directly translated from the sports world to the corporate world, and it is very close to what security is about. It’s a team sport. Sounds cliche and cheesy, but this is my very truth.
“The GRC people don’t understand how security attacks work!”
“The SecOps team doesn’t understand what, why, or how security governance works!”
Two classics I’ve seen thrown around several times, and most likely not for the last time.
Ok, enough about that stuff for now, but a last recommendation from me to you as a security leader. Don’t aim to become that person or form a team where people build up fictive walls between them. Security is a team sport. Your goal is the same whether you work with security governance, risk management, compliance, defensive/blue team, offensive/red team, or engineering. Back to PNPT.
PNPT – What you can learn from it
The thing that I think is most valuable with PNPT from TCM security is the examination, which provides a very realistic perspective of a penetration test from start to finish.
The exam experience is unique as it highly replicates how a penetration testing engagement is carried out. It starts with rules of engagement (RoE), followed by OSINT and a penetration test in relation to the scope, report writing of the findings, and ends with a debrief to the “customer”.
And to pass the PNPT examination, you need to be able to demonstrate and conduct a successful:
- Open source intelligence (OSINT) gathering
- External penetration test
- Internal penetration test
- Report writing of findings
- Debrief
The exam is unsupervised, and you, as an exam taker, have 5 full days to conduct the penetration test. There are, of course, positive and negative things to say about unsupervised exams. I haven’t myself taken a supervised offensive security exam, for example, OSCP and OSEP from OffSec. But I have plenty of people around me who have taken these forms of tests. And I’m fortunate that one of my closest friends has taken on a bunch of them and explained how it works. All I can say is that I have huge respect for people doing these forms of examinations, as for many, these forms of tests add a couple more dimensions. Let’s call them stressors. Just being supervised for 24 hours straight can be stressful in itself. Doing something where your skills are tested at the same time also adds to it. You get it. Some people just roll with this and take it as cool as drinking a beer, and don’t get stressed at all. Personally, I’m very sure I would feel the stress level go up a couple of notches.
In the PNPT exam, you are free to use whatever tools you want; there are no restrictions, but there are some things out of scope for the engagement/exam found in the RoE. This is also one aspect that highly reflects the realism of the exam in relation to real-world penetration testing engagements. Do it the way that suits you, but stay within the agreement of the assignment.
And if you think about this and let yourself take on the exam with this mindset, you get a truly unique experience and exposure. The exam is not a CTF or boot2root thing. Sure, you can and will most likely benefit from having done CTFs in the past, but this is not how you should approach the exam. Doing so, you will put yourself in a less favorable position, not saying you will end up with a negative result, though. A penetration test is not a CTF; some people out there think it is the same. You, as an exam taker of PNPT, are not looking for flag.txt located in a specific folder.
Good things to think about around PNPT
If you come from a less technical background or role, the exam will most likely challenge you. This is not something absolute, but if you haven’t had time in front of Kali Linux and pushed the buttons, you will probably be a bit lost. I personally think it’s very hard to substitute for the time in front of the screen when it comes to offensive security, as it is a highly practical discipline. It’s hard to “hide” the knowledge you potentially lack when being practically tested on a subject. PNPT is not a multiple-choice exam; it’s the opposite.
The PNPT exam is by no means meant to be easy. It is meant to test the student and put the student in an environment very comparable to IRL, all the way from the first start through the whole exam. The exam is meant to be challenging, simple as that. And you will most likely feel that during the examination as well. I think that seasoned penetration testers and red teamers will most likely experience the exam as less challenging but find many similarities to IRL penetration tests. I appreciated the exam being challenging. I appreciated that I needed to struggle from time to time during the exam. And this struggle is, as I see it, a very good learning experience. Can you embrace the struggle? If you can, you will benefit from it. Yes, it can be stressful and taxing, but this is a part of it…and this is a part of life. There is no vaccine out there for struggle or stress.
What I think the PNPT exam rewards, and what is also communicated throughout the course material, is “methodology” over being an expert on specific tools. Sure, you need to know how the tools work to be able to carry out your testing, but think about this one: tools will change. Switches in the tools will change. New tools will be introduced. Tools will be deprecated. You can accomplish the same result with a bunch of tools. Yada yada yada. If you have a methodology you feel confident with, that methodology will most likely support whatever tool you need to use or throw at it. This is, at least in my philosophy, how it should be. And this is not something unique to offensive security or PNPT. This is also one of the very powerful learnings you can get from the studies and by taking the PNPT exam: methodology. Find your own way to craft your methodology. And I think this philosophy is applicable to security in general.

“Methodology” is also something that becomes highly evident in security/penetration testing, as results and feedback are more or less instant from the moment you execute your testing, i.e., click those buttons on the keyboard. Did it work or not? Did your methodology help you accomplish the desired outcome? Sure, here and there you will rabbit hole. But, when it comes to offensive security, you often don’t need to wait 3 to 12 months for the result to be announced or realized, as is the case, for example, with tactical and strategic security initiatives. Sure, the mitigations from that penetration/security testing report might take 3 to 12 months to get fixed. Or, as in many cases, they never get fixed. They reached the report, but nothing more happened. This is also a very sad fact that happens shit too often.
Learnings from security and penetration testing also have something even more interesting to provide. Or at least that is how I see it. It can teach you how an actual attack could be carried out against a specific attack vector that is being tested. How a bad guy might break into, log in, destroy, and circumvent security measures.
The learnings from PNPT and other penetration testing examinations, for that matter, can help you to understand and gain knowledge of how real cybersecurity attacks are carried out by adversaries. And if you and your organization want to get an attacker’s viewpoint to understand the weaknesses in your security posture, I think it is a smart move to know a thing or two about offensive security. Sure, not every organization has the capacity to insource these forms of capabilities, but I am a strong believer that at least some form of capabilities (like, for example, knowledge and practical skills) should be accessible in-house. There is no right or wrong in how you choose to do things, but I am a firm believer that if you truly want to create protection and resilience for your organization, you need to have an understanding of both defensive and offensive security disciplines. And in the best of worlds, you also have the capabilities in-house. If you can’t “see”, understand, or identify the weaknesses in your organization, that leaves one perspective out of the equation when it comes to security.
I know that some people think offensive security goes into the category of unethical security, and here and there it is equated with crime. Yes, this can be a correct statement, but it all depends and comes down to how the stuff is carried out. And at the same time, this is also how the security landscape and universe look. It consists of defensive and offensive things. I know it’s not totally fair, but if you put security into the perspective of game theory, there are for sure some interesting findings that can be derived from that form of thinking. For example: the game, i.e., security, is asymmetric. The bad guys have fewer obligations compared to an organization doing business. The game is unsolved, meaning there is not one single solution or something that ensures 100% protection…if we categorize 100% protection as the solution that solves the game…but this is the thing, 100% protection doesn’t exist. There are no unicorn solutions out there that accomplish this state. Sorry to break it to you. I could go on with a couple more examples and include permutations of those examples, but this is not the point of this article.
And no, PNPT is not the solution either, one that will make sure you find all those blind spots in your organization. But if you start to equip yourself as a security leader and your team with offensive security skills, the overall knowledge for understanding how attacks work and how potential weaknesses in your organization may be exploited will increase. You and your team will reduce the asymmetry of the game through the knowledge you have gained. Sure, weaknesses/vulnerabilities/risks may still exist, but if you gain a better understanding and knowledge of how things in your environment may be exploited, it’s kind of one of the first steps to put yourself in the shoes of an attacker going against your organization’s environment. This is what you can learn from PNPT. Not by clicking through the study material and doing the exam without thinking. Not by chasing that badge or certificate that comes with PNPT. If you contemplate what you are being taught and also what you come across during the exam, there is very much you can learn from the “patterns” you will identify (or at least should identify). Pay attention to what you are being taught and what you observe. Each day after I ended my exam sessions, I spent time reflecting on what I’d experienced. Putting it into scenarios I’ve experienced in the past and potential ones I might experience in the future. Mental reps are not free; they for sure cost energy, but I find them very valuable, independent of what I put myself into and want to become good at, understand, improve, learn, and so on.
When it comes to PNPT, you will learn how common attack vectors applicable to almost any company can be exploited. Sounds like I’m making a bold statement here, but this is based on the fact that the knowledge you will gain from PNPT is to a high extent focused on on-prem Active Directory (AD). Almost every organization out there, besides those who are “born in the cloud” or have decommissioned their AD and transferred to Entra/Azure AD or other identity solutions, has an on-prem AD if they are using Windows clients and servers. I will skip the deep dive explanations of what an AD is and just give you the one-liner explanation: An Active Directory is a database that stores users, passwords, access, groups, and computers in a Windows environment.
Fun fact: when dinosaurs walked on the planet earth…hummm I’m not that old…but let’s say +20 years back, I specialized my skills around designing and securing Active Directory environments. The subject of AD in relation to PNPT as such was nothing new to me…but these days I do somewhat less of the technical hands-on things. As I said in the introduction, I’m one of those security dudes who do the fluffy stuff. The security strategy and governance jazz. It was over a decade ago, and if I were to take a spontaneous guess, I think it was ~15 years ago, that I did something hands-on related to AD in a production environment. I’ve done some design and security architecture stuff here and there, but don’t count these as hands-on, as these things are less about clicking the buttons.
What I’m trying to say here is that the skills I gained from my period of working with AD infrastructure & security, and networking, definitely came to help me during the PNPT examination. And with that said, if you have a background in infrastructure and networking, that will not be to any disadvantage but rather the opposite. People with technical knowledge will benefit from it. People who know ISO 27001/<insert framework/standard here> page to page but don’t know so much about how technical things work or how to operate an offensive security OS (Kali Linux, Parrot, etc.) will most likely be less successful during the PNPT examination.
I’ve said it before and say it again. If you want to become good at attacking, I am a strong believer in knowing and understanding the defensive side. This by no means is a must to become good at offensive security, but it will help you to understand how things are interrelated and work IRL. And I also think this is something that would be helpful if you are new and at an early stage in your career, and want to pursue the path of offensive security. But, this is by no means a must. I have close friends who have done the opposite and are crushing it in the offensive security field. There is surely more than one way forward to become good at something or to break into a certain field. What works for one person might not work for another. Pick the way forward that works for you.

It will, though, never hurt you if you have a foundational understanding of infrastructure and networking as a penetration tester. But, I’m not an offensive or defensive security end boss, so this is just my belief. Having an understanding of both the defensive and offensive sides will benefit you. And I have huge respect for those who understand both sides. I know a thing or two about each side, but don’t consider myself a master or pro in any of the areas. I rarely compare myself with others, but if doing so specifically in offensive security with people around me and in the field, I am a n00b, and I’m 100% comfortable with it. But I don’t compete with others or actively compare my knowledge with others. I know there are loads of people waaaaaaaaaaaaaay more skilled than me when it comes to offensive security. What I do is that I take inspiration from these people. And this is also what I recommend others do. Focus on yourself and your own journey. Spend your energy and time on yourself. Be thankful if you have more skilled people around you. Take inspiration from them and learn from them.
And one thing that one of my closest friends has taught me is to approach things with a “student first mindset”. His way of doing things in life has inspired me enormously. He is not only a brilliant and intelligent dude but also a fantastic coach and a beautiful human. I hope everyone has at least one person like this in their corner. I am fortunate to have a few of these persons, and I take very good care of them. They will teach you so much, not only about topics they are on top of but also about yourself. If you have people like this around you, take very good care of them and be thankful. They are rare. And bro, you know who you are. You are an end boss, and thank you for everything you have taught me in life.
Back to PNPT. The PNPT study material and exam will introduce you to foundational concepts related to infrastructure and networking. This will, though, be a bit on the surface level. I would say that it is up to you as a student to make sure you deepen your knowledge. The same goes for the offensive part. You will not learn every attack vector or kill chain related to network and infrastructure penetration testing. That is not the purpose of PNPT. You will, as I said before, be exposed to and gain experience of how a network penetration test is conducted from start to finish, which replicates a real-life scenario very well. And the things you will be exposed to during the exam, in terms of weaknesses in attack vectors, are highly realistic. The exam has bits of a red team element within it, but I would say the focus is on penetration testing. And the same goes for the study material. I would, though, love to see TCM in the future come out with a certification with a focus on red teaming. That would make up an interesting continuation from PNPT.
Back again to PNPT. Compare the PNPT studies, learnings, and examination to getting a driving license. If you practice the theory, go through the practical lessons, and pass the exam, that means you know how to drive a car. But you will not be the expert on driving a car. But you have the foundational knowledge, and now it’s up to you to practice and become better. The same goes for PNPT. You don’t become master Yoda in penetration testing after passing the PNPT exam or any other penetration testing exam, for that matter. The same goes for other security disciplines and exams as well, like defensive, GRC, and leadership. You get the point. It is very hard to compare an examination or the knowledge gained from a certification or certificate to the real world. For many certifications or certificates, this is not even the purpose; it’s rather about demonstrating knowledge in relation to the subject the exam taker is being tested on. A multiple-choice exam has its limitations, for sure, but they have a place as well. The learning aspect up to that multiple-choice exam is what I think makes the difference. Clicking through the exam questions and passing the exam is just a validation. It’s a snapshot in time. I think, though, that many security management certifications and certificates could be tested in a practical way. For example, through solving a problem for a fictive company where the results need to be presented verbally (communication), visually (presentation), and in text (report). Personally, I would love this form of examination, as this is also very close to replicating how things are done in security management and GRC-land. The scenarios are endless and could also reflect an actual case within the exam taker’s organization. And there are some organizations out there that provide security management training that have approached this style, creds to them!
Epilogue
Is PNPT for you? The answer to this question is absolutely for you to answer. I can say and think whatever I want about how good PNPT is, and the knowledge you will gain from it.
If you are curious about offensive security and network penetration testing, this certification is for you. But as I said before, this is not an easy one, and it is meant to be challenging. I think, though, that PNPT might be a bit too much for absolute beginners in offensive security. For seasoned persons, it will most likely be an easy one. This, on the other hand, doesn’t mean that if you are a beginner you will not be able to pass it. The course material is enough to pass the exam. If you are a complete beginner, it would make sense to start at another point, though.
This could, for example, be an entry-level certificate in penetration testing, or even better, to start doing some studies on the defensive side. This, for example, could translate to network and Active Directory infrastructure. And yes, some say PNPT is entry level, and that could absolutely apply, but I think there are some other pathways offering a bit more friendly exposure. Like, for example, eJPT from Ine or CRTA from CyberWarfareLabs. Both these exams have been updated since I took them, but I’m pretty sure in saying that these two exams are on the easier end compared to PNPT. In the end, knowledge is subjective and relative to the student. And the same kind of applies to how people learn things or find their way forward.

If you have come this far in this article, whether you are a security leader or not, with a background in hands-on technical security stuff and an interest in offensive security and penetration testing, I think you should take a look at what PNPT has to offer. Personally, I would love to see more security management and leadership people have skills in offensive security. It’s not necessary for a security leader to know offensive security to become successful, but I strongly think it adds value.
If you want to put yourself in the shoes of a penetration tester, this examination will give you that perspective and experience. You will get a very fair perspective of how a penetration tester takes on a security testing engagement. It will be challenging, you will learn lots of new things, and you will have fun. Go for it, you can do it!
Henrik Parkkinen