Quintius Walker, Grey Hat Developer, Cybersecurity Consultant

21 January 2025

Photo by Kartabya Aryal on Unsplash

Absolutely everything on this blog pertaining to the term hacking is meant for training and educational purposes only. WE DO NOT ENGAGE IN NOR PROMOTE ANY FORM OF ILLEGAL ACTIVITY!

First of all, let’s get this part out front: I love TCM Security. If you follow Grey Hat Developer you know that we’ve been using their training for years and we 100% recommend them. This is in no way an article to bash or send shots at the company.

That being said….

A few years ago I set out on the journey to obtain the Professional Network Penetration Tester certification. I had already racked up more than a few unsuccessful attempts, and before I had another opportunity to test, variables shifted in my business and personal life that caused me to recategorize my priorities. Thus far, I’ve yet to get back to my PNPT grind.

But now there’s a question at the forefront of my priorities list: Is the PNPT still worth it?

A few days ago I came across something online that truly disturbed me. This discovery literally rocked me to my core. I knew this would eventually happen as it has with a few of the other prominent hacking certifications in the past, but I honestly held out hope for the PNPT.

But as my grandmother would say to me time and time again throughout my lifetime, “If you put your faith in man, he’ll let you down every time”. And that’s what happened here. 

Around 14 years ago when I first became curious and committed to “hacking” and how to break into the field of ethical hacking, I naively thought that a very key instrument in turning this into a reality was getting the Certified Ethical Hacking certification. Mind you, I was transitioning from not only an entirely different industry, but also lifestyle.

Well, the longer I stuck around the industry, the more certifications I began hearing about. Then of course I’d discover these discussions about which was better, which to get first, which one employers were looking for, etcetera.

One of the things I’ve always heard floating around the hacking community was that certifications were useless, and certification providers were all about the bottom line. (“Doesn’t prove the candidate knows what they’re doing” is one of the traits that falls under the “useless” tag.)

But simultaneously there were, and have always been, a few “exceptions” to this throughout the hacking community, and those are: the OSCP, the eCPPT, and most recently the PNPT.

I’m sure everyone has their reasons as to why they say one, some, or all of these are the exceptions. I’ve never trained with any official OSCP material. I trained for the eCPPT way back when the company first came out and was called eLearnSecurity (think Armando Romeo). Since then I’ve obtained the eJPT but not the Pro with INE.

So although I can’t compare apples to apples across the table here, in comparison to the dozen or so certs I had before training with TCM, I vote practicality as being the reason I grant them my notable exception.

Something else that I noticed along my certification journey was that the answers to the exams sooner or later started popping up on the internet. Mind you, I’m not saying that in the sense that if you know how to do good research on the internet you usually can find the answers to what you’re looking for. No, I’m referring to someone intentionally uploading the answers to the web and thereby compromising the integrity of the exam. 

But I’ve always held out hope for the PNPT. There’s been an extremely strong community and camaraderie built among hackers that centered around the PNPT. And I earnestly believed this evolution would be solid and transformative enough to uphold the integrity of the exam. So imagine my disappointment upon discovering that the integrity of the PNPT had also fallen victim to this practice. 

The following are a few screenshots of the discovery that I pulled offline:

Absolutely disheartening.

Now. While I realize that one monkey don’t stop no show, nor should we let it, it’s just that the personal incentive to get the PNPT has now been zapped. For the most part, in the past I’d take the certs because an external entity required it or it was just an extra step I’d take to validate for myself that I fully grasped the coursework and am able to execute the skills the training intended to instill in me as a candidate. 

And with the PNPT, the practicality of the exam offers an invaluable opportunity to grab real live hands-on experience that would potentially otherwise continue to be elusive in my career due to the uniqueness that my background brings to the penetration testing space. But at this point in my career…. the current trajectory doesn’t warrant the exam to be worthy enough. As for the skills the training imparts, I can say with confidence that I’m good there. Which, the skill set is what ultimately matters in the end.

But What Will Potential Clients and Hiring Managers Think?

In closing, to anyone who does the certification route with the intention of impressing a future client or hiring manager, outside of having the information in your own notes for reference, one way to have a dog in this fight against this type of shady practice is to blog, vlog, reel, etc. your entire journey. By doing this you at least show anyone who invests the time to research your portfolio of projects that you’ve invested the time training and figuring stuff out. 

Think about it. Could this shady practice of posting assessment solutions online, blatantly violating any traces of an NDA, be one of the main reasons we hear in the cybersecurity industry that “certifications are useless when it comes to being hired”? The probability of your client or a hiring manager being familiar with this practice is very high. Knowing this, all other things being equal among all potential candidates, the candidate that has the receipts of their time spent training for the certs listed on their resume probably has a better shot over the others with the same certs listed on theirs without any receipts.

At the end of the day, everyone must decide what’s worth it to themselves on a personal level. As for my PNPT retake voucher, what would be awesome is if TCM treated this as a disclosure and awarded me the PNPT for sincere commitment to the community. 

Until next time, realize and recognize that you have to keep hope alive. Never take your eyes off of the prize because YOU ONLY HAVE ONE LIFE TO LIVE! #yolo

Hack On, Ladz & Gentz!

Read more about my grind towards the PNPT in these posts where we attack Black Pearl and here where we are escalating privileges in Windows.
