I recently passed the INE Security Junior Penetration Tester (eJPT) exam (INE Security was formerly known as eLearnSecurity), and I now officially hold the certification. In this article, I will go over everything you want to know about eJPT. This includes:
What is the eJPT?
How does eJPT stack up to other hacking certifications?
Who should go for eJPT?
Recommended Prerequisites
Study Material
Is the eJPT "worth it?"
Exam Tips
Summary
The INE Security Junior Penetration Tester (eJPT) certification exam validates an individual's knowledge and skills in fulfilling an entry-level penetration testing role.
The eJPT is for those who want to prove their basic hacking skills, but it's not for beginners, as it requires a solid understanding of TCP/IP networking, reasonable Windows and Linux administration experience, and familiarity with basic Bash and/or Python scripting.
The eJPT is an intermediate-level cybersecurity certification, and it's more hands-on than the CompTIA PenTest+ and EC-Council Certified Ethical Hacker (CEH) certifications. It is also much more challenging than PenTest+ and CEH.
In terms of demand, the CEH is still the second most listed certification in job postings for penetration testing roles, but the eJPT and PenTest+ are hardly ever listed on job postings, unfortunately.
The eJPT is a great certification for those who want to gain confidence in preparing for the Offensive Security Certified Professional (OSCP) certification, but by itself, it may not be enough to land a first penetration tester job.
What is the eJPT?
INE can best tell you what their certification is, so I'm taking this quote directly from the eJPT web page.
"INE Security’s eJPT is for entry-level Penetration testers that validates that the individual has the knowledge, skills, and abilities required to fulfill a role as a junior penetration tester.
This certification exam covers Assessment Methodologies, Host and Network Auditing, Host and Network Penetration Testing, and Web Application Penetration Testing.
This exam is designed to be the first milestone certification for someone with little to no experience in cybersecurity, simulating the skills utilized during a real-world engagement. This exam truly shows that the candidate has what it takes to be part of a high-performing penetration testing team."
I agree with this statement almost entirely. However, I respectfully disagree that the eJPT is for people with no experience. The Penetration Tester Student learning path by INE is excellent; I learned a lot from it. However, they tell you that you should have networking and Linux skills before going down the learning path.
The course does not cover Linux, Windows, networking, and cybersecurity fundamentals. You need all these skills to succeed during the Penetration Tester Student course and the eJPT exam itself. Because the course does not cover the basics, I cannot call the eJPT an "entry-level" cybersecurity certification. In my humble opinion, it is an intermediate cybersecurity certification, and I agree with its placement on Paul Jerimy's Security Certification Roadmap.
How does the eJPT stack up against other hacking certifications?
At the time of this writing, my only red team-focused certifications are the CompTIA PenTest+ and the EC-Council Certified Ethical Hacker (CEH). This is nice because these two certifications are the primary competitors to the eJPT. Interestingly enough, INE no longer considers the CEH a competitor since they removed the CEH from the "How does the eJPT Stack Up?" section on the eJPT webpage, leaving the PenTest+ as the only comparison on the webpage. The comparison section on their webpage is 100% accurate. However, I will say that the eJPT is much more hands-on than the PenTest+ exam. I also think the eJPT is much more difficult to pass than PenTest+ and CEH. The CEH is not hands-on at all. The eJPT proves hands-on skills much better than the CEH and PenTest+. However, eJPT doesn't test your knowledge of scoping, reporting, rules of engagement, and ethics as the PenTest+ does. CEH hardly touches these topics either.
Regarding demand, the CEH blows the eJPT and PenTest+ out of the water. For some reason, the CEH is still the second most listed certification in job postings for penetration testing roles. The PenTest+ and eJPT are hardly ever listed on job postings, unfortunately. I hope this changes, as I think the PenTest+ and the eJPT are more valuable than the CEH.
If I were looking to build a penetration testing team, and there were three people, one with eJPT, one with CEH, and one with PenTest+ (with everything else being equal), I would not hesitate to choose the person with the eJPT. The eJPT is, without a doubt, the best indicator of hands-on technical skills out of the three. PenTest+ is second, and I'd give last place to CEH.
Who is the eJPT exam for?
The short answer: Anyone who wants to prove basic hacking skills should obtain the eJPT. The reason for proving hacking skills will vary from person to person.
My reason for going for the eJPT was to prove my basic hacking skills to myself, which ultimately was to get a head start and gain confidence in preparing for the Offensive Security Certified Professional (OSCP) certification, the gold standard in hacking certifications and the number one certification listed in job postings for penetration tester roles. I think the eJPT did a great job at that. The eJPT exam is very challenging yet very enjoyable; it introduced me to the "try harder" mindset. It taught me to be persistent and not to give up. In addition, it taught me a lot of tools and techniques I had never seen before despite having eight other certifications and being in the top 0.4% on TryHackMe.
Unfortunately, I don't think the eJPT by itself is enough to land your first penetration tester job due to the lack of demand via job postings. Once again, I really hope this changes in the future. However, the eJPT shines because it shows a person has a lot of potential to become a full-time penetration tester. I also think the eJPT is suitable for blue teamers and other cybersecurity professionals who wish to understand their adversaries' tools, techniques, and mindset without dedicating the time to becoming an expert hacker.
Who is the eJPT not for?
If you have a red (Penetration Testing/Exploitation) certification above the eJPT on Paul Jerimy's Security Certification Roadmap, you should pass on the eJPT since you already have equivalent or higher skills.
As mentioned earlier, I don't think the eJPT is "entry-level," meaning I do not believe the certification is for beginners. Instead, I think you should have at least a year of experience in cybersecurity before taking the Penetration Tester Student course.
Recommended Prerequisites
So what experience do I recommend before starting the Penetration Tester Student course?
At a minimum, you should be comfortable with the following:
Linux
Windows
Command line navigation
Networking (TCP/IP)
Cybersecurity fundamentals
Basic Programming/scripting/coding skills
Some examples of minimum experience I recommend
Any one of the following (or equivalent):
PenTest+
CEH
Any two combinations of the following (or equivalent):
Offensive Pentesting TryHackMe Path
Jr Penetration Tester TryHackMe Path
CompTIA Pentest+ TryHackMe Path
(ISC)² Certified Information Systems Security Professional (CISSP)
Four-year cybersecurity degree
Any two from the next list (i.e., anything from this list plus any two from the list below)
Any three combinations of the following (or equivalent):
CompTIA Network+ or Cisco Certified Network Associate (CCNA)
Complete Beginner TryHackMe Path
Web Fundamentals TryHackMe Path
Pre-Security TryHackMe Path
To put this in perspective, I have everything above and still found the eJPT exam pretty tricky to pass.
Some other things that I don't have at the time of this writing that I can comfortably say will be "enough" prior experience before starting the Penetration Tester Student course:
Three or more Hack The Box full compromises.
Any red (Penetration Testing/Exploitation) certification on the same level or above the eJPT on Paul Jerimy's Security Certification Roadmap.
Remember that even though you have something much higher than the eJPT on the certification roadmap (such as CISSP), that doesn't mean you'll find success easily in the eJPT exam. For example, the CISSP is an excellent certification, and it's extremely difficult in its own way, but it doesn't touch on Linux or command lines at all. This is how something way lower on the roadmap, like PenTest+, can be "enough" experience alone, while the CISSP is not enough experience alone.
Lastly, it would help if you understood how to read and modify scripts in any programming language before starting the Penetration Tester Student course.
Study Material
The only thing you need to use to study for the eJPT exam is the Penetration Tester Student course by INE.
Capture the Flag (CTF) challenge sites such as TryHackMe, Hack the Box Academy, Vulnhub, and picoCTF are excellent complements to the course.
I wouldn't get caught up in any other material if you met the prerequisites mentioned in the above section. However, if you're lacking in a particular area or struggling during the course, then pause the course and get those skills before moving further.
Is the eJPT "worth it?"
Short answer: YES!
For only $200 for an exam voucher and a $39 subscription per month, this is easily the most budget-friendly certification out there. You can complete the Penetration Tester Student course in about 150 hours if you have all the prerequisites above. This means you can knock out the certification in 1-2 months if you spend a lot of time studying after school/work. On the other hand, if you don't work or go to school full time, you can quickly get the certification in under a month if you focus. Of course, the longer you take to complete the course, the more months you have to pay for the subscription. Regardless, if you subscribe for one month or six months, you're getting a lot of bang for your buck.
As I already mentioned, I learned many new things within the Penetration Tester Student course. The instructors cover every step of the penetration test and then some. The course also goes over essential information multiple times, which gives you the repetition you need for a successful exam pass. Furthermore, the labs are private to only you and are incredibly responsive and stable, leaving you with a great environment to focus on sharpening your hacking skills. Lastly, you get two exam attempts included with a voucher purchase, making the $200 price tag that much sweeter. Simply put, the eJPT is all around a great value. I highly recommend it to anyone getting started with penetration testing and hacking.
Exam Tips
Take a lot of detailed notes during the course so you can easily replicate commands during the exam.
Read all instructions and questions carefully.
Take notes during the exam so you don't have to re-run commands to see the output.
Frequently go back into your notes when you can't find a way into the machine. Your notes should have all the commands you tried. Don't waste time re-running commands.
The test is going to take a lot of time. Take breaks, eat, sleep, and drink plenty of water during the exam.
Read all the exam questions before diving into the lab environment. That way, you know what to look for while you are enumerating.
Frequently go back to the questions to remind yourself what you are looking for.
Spend a lot of time enumerating. You never know what piece of information will help you progress in your penetration test.
Don't spend too much time on one machine. If you can't gain initial access to a machine within 2 hours, move on to another. Come back to the machine later. You might find something on one machine that can help you break into another machine.
Don't worry about answering the questions in order, and don't worry about compromising the hosts in a particular order.
Some hosts will have more exam questions related to them than others, so focus your effort on the hosts with more related questions.
Cleaning up is very important in real-world penetration tests, but not during your eJPT exam. Don't worry about leaving files and configuration changes behind. You're not being evaluated on that. The only thing that matters is the questions you are being asked.
If you break your lab, don't worry. Just reset it. Your questions will be saved.
Don't store your notes on the Kali Linux VM. Store your notes on your local machine. That way, you still have your notes if you break your lab or lose connectivity. All files you add to the lab environment will be gone upon a reboot. The lab will be rebuilt in the same configuration, minus the dynamic flags. The dynamic flags don't need to be resubmitted if you reset the lab. The exam dashboard will tell you this.
Stay persistent, and don't give up.
Conclusion
The eLearnSecurity Junior Penetration Tester (eJPT) certification is a great way to validate one's basic penetration testing skills and to gain confidence before moving on to more advanced certifications like the Offensive Security Certified Professional (OSCP). While the eJPT is marketed as an entry-level certification, it requires a solid understanding of TCP/IP networking, Linux and Windows administration, and basic Bash and/or Python scripting, making it an intermediate-level certification in practice. The eJPT stands out from other red team-focused certifications like the PenTest+ and the Certified Ethical Hacker (CEH) due to its hands-on approach and its ability to test hands-on technical skills. While it may not be enough to land one's first penetration testing job, it does demonstrate a lot of potential to become a full-time penetration tester.
Disclaimer: All links to Hack The Box and Hack The Box Academy in this post are affiliate links. This means that if you make a purchase through these links, I may receive a commission at no additional cost to you. Furthermore, all links to TryHackMe in this post are my referral links. Signing up to TryHackMe through my referral link saves you $5 on your subscription and also saves me $5 on my next year's subscription.
Your support through these purchases helps me continue providing valuable content. Thank you!