eJPT Review

As of October 7th, I am officially eJPT certified. I’d be remissed if I didn’t write about my experience, and want to share my takeaways and where I plan on going from here.

I was really nervous going into this exam. I’ve never considered myself a “hacker” and I’m not particularly advanced when it comes to offensive cybersecurity. I became interested in cybersecurity at the beginning of 2021 and have steadily progressed in my skills and developing my interests. Being new, the eJPT was brought to my attention since it’s an entry-level certification that is hands-on so it can provide a more realistic assessment of someone’s skill. Compared to the A+ which I passed at the beginning of this year, I actually found this to be easier. On the one hand, eJPT is “open book” and you have the internet at your disposal, as opposed to the A+ where you have to memorize a small textbook worth of information; on the other hand, you have to actually have an idea of what’s going on so you can at least figure out where to look (both within the exam and outside) as opposed to having a set list of things you need to memorize.

But I’m getting ahead of myself.

I started my exam the morning of October 6th. Based on how my co-workers did, I estimated that it would take me about two days including meal breaks and regular sleep. I did the bulk of everything on the first day, and probably could have stopped then and still passed. Without giving too much away, I had actually compromised everything I needed to compromise but of course wasn’t certain there wasn’t more out in the network somewhere. Because I wasn’t confident, I spent about five hours on day two combing through everything to see if there was something I missed, and to try and find the last two questions I couldn’t find the answers to. After I was more confident that there was nothing else to discover and I only needed to gather more information from what I had, I spent a couple of hours going through everything to try and find even a hint of what the last two answers were. Unfortunately I never found them and tried to use the process of elimination to figure it out. Ultimately, I ended up getting a 95% (19/20) so I must have gotten one of them right. (Afterwards, I spoke with my co-worker who had also taken and passed the exam and he told me where I went wrong. And of course, I can’t believe I missed it!)

Leading up to the exam, I’d say what was most beneficial for learning what I needed is actually the first part of The Cyber Mentor’s Practical Ethicial Hacking course. Because he’s released the first 12 or so hours for free on YouTube, that to me is a no-brainer. I also completed a variety of rooms in TryHackMe; if you have time (and maybe money, I don’t know what’s free there and what’s not), I think everything you need to know is found within the “Pre Security,” “Complete Beginner,” and “Jr Penetration Tester” learning paths. While I do know for certain that you could also use the Penetration Tester Student course from INE (I used v2), because I had already gone through the aforementioned material I didn’t find a lot of use in PTS for preparation.

During the exam, however, having access to PTS was great. Whenever I got stuck but had an idea of what I needed, I just went back to the course, watched the video and/or completed the lab, and that gave me enough information to get through that hurdle in the exam. The two things I used the most however, without question, would be The Hacker Methodology Handbook for referencing common tool usage, and https://www.infosecmatter.com for both the Metasploit module library and the nmap NSE library. Ultimately, there’s not a tool I needed that was not in that book, and access to a searchable database for Metasploit and nmap was a huge time saver.

I really overhyped how difficult this exam would be and as a result became unnecessarily stressed a couple of days before. But once I sat down, turned on some music and sipped my coffee while my first nmap scan was kicking off, I really started to enjoy it. eJPT may not be as widely known or accepted for resumes as some of the Big Name Certs like OSCP or Security+, but because I already have a security job I didn’t feel like I needed it to get a job or even just need it in general, but I wanted to prove to myself that I could and that I actually knew things. And I can check both of those boxes now.

Moving forward, I’m looking at defensive/Blue Team certifications. Because I have access to INE from work, that will be the bulk of it. In order, I’ll do Threat Hunting, Incident Response, Malware Analysis, and Digital Forensics. (They also recently came out with the Enterprise Defense Administrator course but not the certification, so we’ll see where I’m at when that gets released.) I also really want to take the Security Blue Team’s Blue Team Level 1 so I’ll push for taking that next year as well.

I’m not completely abandoning Red Team and offensive testing either. While my job has me geared towards defense and so that’s where I’m really more interested, I still will spend time on THM and HTB. For Red Team structured training (that may or may not result in a certification), I really want to finish the TCM PEH course (and potentially take the PNPT if I finish the other recommended TCM courses). I also wouldn’t mind taking the INE courses for professional penetration tester and exploit developer, but I don’t think I’d take certifications for those. But who knows what the future holds.

I also want to give a shout-out to Twitter for being generally encouraging; @GrahamHelton3 and @_0xBEN_ have been super helpful and encouraging when it comes to me trying new techie stuff, and @seclilc (and her eJPT blog) was also an inspiration for me to know that even a warehouse worker like myself could actually make my way into cybersecurity.