My Review of the EJPTv2
The EJPTv2 is a junior-level penetration test certification provided by eLearnSecurity/INE. It’s the second iteration of the eJPT certification and is a practical, hands-on assessment of penetration testing skills.
The eJPT is often looked to within the hacking community as a major step into the world of professional ethical hacking. It’s also commonly regarded as a foothold for obtaining more advanced certifications like the OSCP or the PNPT.
I obtained the EJPTv2 a few weeks ago (in April 2023), and am excited to share my review of the certification as well as the course that comes with it, PTSv2.
This review will cover my thoughts on the EJPTv2 as well as PTSv2, a detailed breakdown of what I did (and what I should have done!) in terms of preparing for the exam, and some general recommendations for the exam itself and preparation. There will, of course, be zero spoilers of the exam or solutions of any kind, but I hope that my notes and recommendations will be helpful to others out there looking to tackle this awesome certification.
Everything You Need to Know About EJPTv2
I want to briefly cover what the EJPTv2 is from the perspective of a student who has recently earned the certification.
eJPTv2 stands for ‘eLearnSecurity Junior Penetration Tester, version 2’. As mentioned, it’s the second version of the original eJPT certification.
In order to get the certification, you have to pay for it – let’s start there.
Paying for the EJPTv2
One of the things that really stands out about the eJPTv2 is the cost/benefit ratio. Currently, you can get a standalone exam voucher for $200, and optionally pay per month for the training at $39/month.
However, I think the Fundamentals Annual is the best option: for $299 you get vouchers for both the eJPTv2 and ICCA and a training package that includes everything you need for both.
Any way you decide to pay for it, the eJPTv2 is a great deal. It’s a steal compared with many certifications that cost $1k-10k for training + certification. And if you’re totally new to cybersecurity, or want to get the additional ICCA certification, the Fundamentals Annual is phenomenal because it includes much more training than PTSv2 and an ICCA voucher. Just make sure to cancel the plan when you’re done with it so that you don’t get billed for another year unnecessarily.
Once you’ve purchased the exam, the next step is to start training!
The Training Course: PTSv2
PTSv2 stands for ‘Penetration Testing Student, Version 2’ and is the official training course for the eJPTv2. Completing the PTSv2 isn’t mandatory to obtain the certification, but it is packed with great videos and labs.
I didn’t take the original eJPT, but I did complete most of the original PTS course. Many reviewers have said that PTSv2 is better than the original, and I agree.
PTSv2 covers a huge range of topics. It’s about 150 hours long, and I found that to be the case for me. I worked on it for 1-2 hours a day, and it took me a few months to get through.
In general, I thought that the training was great. It was engaging, comprehensive, and filled with useful demonstrations that corresponded well with the labs. I really enjoyed the lessons by Alexis Ahmed, and his tutorage was a selling point for me because I am a big fan of his YouTube content as HackerSploit.
Personally, I could have used a more CTF-style approach to the labs themselves. A lot of the labs consisted of following instructions for performing specific activities. This was invaluable – but – I personally learn better (and retain more) when there’s a challenge involved.
Before I give my feelings about the EJPTv2 exam, I want to briefly talk about what EJPTv2 is and isn’t. This is because it’s commonly recommended as a first penetration testing certification (which I agree with) but I think it’s important to keep in mind what this really means, and what will be required during the exam.
What Isn’t the EJPTv2?
I want to stress that even though the eJPTv2 is a ‘junior’ level penetration testing certification, it is (in my opinion) not an introductory cert within the field of IT or cybersecurity.
Let’s use CompTIA certifications as a reference. If you’re completely new to IT and want to get to the junior pentesting level, you might earn the following certifications:
A+ => Network+ => Security+ => Linux+ => Pentest+
I am not recommending this path; just using it as a reference. My point is that before getting the Pentest+ certification, they recommend getting a number of helpful certs along the way. And the Pentest+ is generally considered to be significantly easier from a practical hacking perspective than the eJPTv2 (at least according to Reddit users).
You don’t need to earn the above (or any) CompTIA certifications, but you will need to acquire the fundamental knowledge represented by them in order to fully understand the materials in PTSv2 and do well on the eJPTv2.
The great thing about hacking is that it really makes this learning process fun! Instead of studying for a multiple-choice exam, you can follow the learning paths on sites like INE, TryHackMe, or HackTheBox. You’ll learn the fundamentals you need and have a great time doing it.
But my point here is that you won’t get all of these fundamentals from PTSv2 alone. Do some fundamentals work and then go for the eJPTv2. It’ll go quicker than you think, and you can thank me later 😉
I mentioned earlier that I bought the ‘Fundamentals Annual’ plan, which included my eJPTv2 voucher. This plan also includes fundamentals courses on networking and a CCNA path which should be more than enough to prepare a totally-new-to-IT student.
Now that we’ve covered what eJPTv2 isn’t, we can better understand what it is.
Ok, So What’s the eJPTv2?
The eJPTv2 is a great first certification in the world of offensive cybersecurity and penetration testing. It covers many important parts of a penetration test, including scanning and enumeration, service enumeration and gaining a foothold, privilege escalation, and pivoting.
The exam itself is a 48-hour assessment. You are given access to a VM running Kali Linux from which you must work. In order to pass, you have to get a 70% score on a 35-question exam consisting of multiple-choice and fill-in-the-blank style questions. It seems like each question is weighted evenly, but I haven’t confirmed this. The exam uses ‘dynamic flags’, which just means that you have to answer questions that are unique to your instance of the exam. It’s important to fill these in when you’re sure that you have the answer because they can change if the exam environment is reset.
It’s important to realize that the exam takes place in a network environment. This means that it gives you practical experience in assessing a network (rather than just a single host). It also means that you need to prepare to hack a network – not just a single host.
To me, this is where the eJPT presents the greatest challenge: the PTSv2 training materials will teach you how to do a pentest, and the labs will get your hands on the keyboard so you know how to execute on the things you’ve learned. But even after all that, it’s up to you to learn the skills and tools sufficiently to be able to hack a network in a limited window of time.
My Experience During the eJPTv2 Exam
This section will omit specific details because I really don’t want to accidentally reveal anything about the exam in any way.
I started my exam on Friday at about noon and worked steadily until about 8PM. I made great progress throughout the day and was able to answer about 1/3 of the questions based on my findings. I felt really good about this and decided to get a good night’s sleep.
Saturday morning I slept in a bit, letting my cat wake me up at about 8:00 AM. I made continuous progress throughout the day, being sure to take nice 10-15 minute breaks every couple of hours. By about 8PM I was starting to have difficulty focusing, but I had answered 32 of the 35 questions at this point. Again I felt good about my progress and spent the late evening relaxing. However, doubt started to creep in regarding the weight of different questions and how well I was really doing.
The next morning was the only frustrating part of my exam experience. I woke up and quickly made some progress, but ended up getting bogged down on the last two questions. By the time I finished, I was able to answer all but one of the questions. In the end, I submitted a few minutes before the end of my 48-hour window and found out that I had passed!
What I Liked About the eJPTv2
There is so much to love about both the PTSv2 course and the eJPTv2 certification exam. The training is great and the exam is the right mix of challenging but still fun.
- The exam is entirely hands-on and practical. Everything you learn and perform is totally standard in the world of pentesting. The exam ensures that you’ve actually learned it well and can apply it quickly, in a time-restrictive environment.
- I really liked the ability to browse through and flag questions. This made it easy to answer questions and identify (flag) questions that I wasn’t 100% sure about on first reading.
- One of my favorite things about the exam is the fact that it takes place in a network environment. I don’t work professionally as a pentester and have limited experience with networks on platforms like TryHackMe. I loved this aspect because it presents realistic challenges that you don’t face in most CTFs or training materials. Instead of hacking one host with a single set of services, you need to hack them all… It also means that the eJPT is great preparation for more advanced certifications like the PNPT, OSCP, or eCPPT.
- I personally enjoyed the fact that it gave me the feeling of being fully immersed in a multi-day hacking challenge. For me, there was very little ‘scan…and wait’. As soon as I started the exam, the challenge was on, and it demanded more than I was expecting. I learned a ton during the 48-hour exam window, and am looking forward to my next cert for the same reason.
- The ability to start the exam on demand with a single click. I ended up starting it about two hours before I intended, because I had gotten done what I needed to that day already and the time was perfect.
- The exam voucher comes with a free retake. This definitely reduced the pressure around the exam.
What I Didn’t Like About the eJPTv2
Although I loved the experience as a whole, there were some things that I didn’t like or thought could be improved about the eJPTv2:
- The Guacamole VM. This is a common complaint but I think it’s legitimate. Not only did I waste a lot of time copying and pasting back and forth, there were times that the VM seemed to stall and was a little slower than I’d like, especially during more intensive scanning and brute forcing. In general, this wasn’t a deal breaker but it needs to be said. At one point, my machine was very slow and I decided to reset the machine. This meant that I needed to repeat a bunch of steps but it did seem more responsive after the reboot.
- Lack of internet access on the VM. There were times when I didn’t have access to a tool that I wanted to use, including some that are standard for Kali. This wasn’t a major issue during the exam because there are always other ways to get things done. But to me, the lack of internet access can artificially make the exam more difficult.
- Possible ambiguity in question wording/grammar. I don’t want to go into details because I don’t want to give anything away, but I do feel that this is an area where an unproctored multiple choice exam might be more frustrating than a proctored exam featuring a report. What if you’ve rooted a machine but aren’t 100% sure what the question is looking for? I definitely spent some time trying to figure out what some of the questions were asking, and trying different approaches ‘just in case they are looking for something else’. Again, I felt that this was a minor issue because you only need to get a score of 70% to pass. But it was a bit of a stressor during the exam itself.
I want to reiterate that while these complaints did cause me a bit of stress during the exam, they are very minor in the context of the awesomeness of both the exam and training course.
Recommendations For Taking the eJPTv2
I’ve split my recommendations into two parts: (1) training recommendations and (2) exam-day recommendations.
Training recommendations:
- Don’t underestimate the exam. You’re better off over-training than under-training.
- Make sure you understand IT and Networking fundamentals before starting PTSv2.
- Apply the concepts and tools you learn in CTFs, not just in the labs. This ensures that you can use your tools in a live-fire environment.
- I really recommend practicing with a network before taking the exam. The Wreath network on TryHackMe is a great option for this.
Exam-day recommendations:
- Have your notes and INE content ready to go, and be able to quickly move through them.
- Go through all of the questions early on during the exam.
- Return to the questions anytime you complete a major action (like compromising a machine) to ensure that you are answering all of the pertinent questions related to the action that you just performed.
- Choose your timing to suit yourself. I started the exam at about noon. This gave me the rest of the first day, a full day the next day, and the morning on the third day to continue working on it. I felt that this really maximized the time I had available, and I’ve never been one to turn in a test early even if I felt confident.
- Keep calm and carry on. You’ve got this.
A Super Subjective Note About the eJPT
I think an entry-level penetration testing certificate like the eJPT can be a bit of a double-edged sword for those who are new to the field. There are so many positives about the eJPT, and I hope that I have already conveyed them above; the entire training and exam experience are 100% well worth the price.
On the other hand, I think it can be easy to underestimate the exam itself. I definitely underestimated it, and as a result I didn’t do any actual ‘training’ for it after going through the PTS course; I just relied on the skills that I had developed up to that point.
This worked out for me, but I definitely would have had an easier time on the exam if I had treated it more seriously and trained hard for a few days. I also recommend spending time in a network environment (such as any of the networks on TryHackMe or Hack The Box) to get used to functioning in a network vs. having a single target or multiple standalone targets. I definitely don’t think that the PTSv2 labs alone will get you through the exam unless you’re treating them as black box tests and doing them without resorting to the notes that they come with.
If you look around on Reddit, you might see some people who have failed the eJPT and are distraught by their experience; an entry-level cert is supposed to buoy you upward to greater success, not make you feel like a failure. That’s why my advice is to take it more seriously than you think you need to; finish the PTS course and then do some additional training, returning to your notes and the course videos as needed. In the event that you do fail your first attempt, remember how much you’ve learned along the way; the goal isn’t to ‘pass’ any specific certification but to get better every day.
What’s Next For Me
Passing the eJPT gave me a great foundation and filled me with confidence and drive to continue to advance in the field of penetration testing. Following the exam, I immediately completed the ICCA (INE Certified Cloud Associate) certification, which is part of the Fundamentals Annual package.
I am currently working hard toward the PNPT (TCM’s Professional Network Penetration Tester) certification and hope to complete it in a month or so. I’m really enjoying it because the foundation that I built while doing the eJPTv2 is allowing me to truly soak up all of the juicy details in the PNPT training. I really think doing the eJPT before the PNPT is a great way to go and I’m grateful that it’s how I chose to learn.
Summary of My eJPTv2 Review
In short, I think the eJPTv2 is awesome. If you’re thinking about it, just go for it. Like anything, it has some small areas where it could be improved but honestly it’s just a great experience from beginning to end. Here’s why:
- Both the training and certification are an amazing value.
- The eJPTv2 is approachable for beginners in offensive cybersecurity. The additional training offered in basic IT and networking as part of the Fundamentals membership makes it approachable for beginners in IT.
- The exam is challenging but fun.
- Passing the exam gives confidence to learn more and train for more difficult certifications.
- When you pass, you will be certified as a Junior Penetration Tester. How awesome is that?