Everything You Want To Know About eJPTv2
I recently passed the eLearnSecurity Junior Penetration Tester v2 (eJPTv2) exam, and I now officially hold the certification. In this article, I will go over everything you want to know about eJPTv2. This includes:
What is the eJPT?
How does eJPT stack up to other hacking certifications?
Who should go for eJPT?
Is the eJPT "worth it?"
The eLearnSecurity Junior Penetration Tester v2 (eJPTv2) is a certification exam that validates an individual's knowledge and skills in fulfilling an entry-level penetration testing role.
The eJPTv2 is for those who want to prove their basic hacking skills, but it's not for beginners, as it requires a solid understanding of TCP/IP networking, reasonable Windows and Linux administration experience, and familiarity with basic Bash and/or Python scripting.
The eJPTv2 is an intermediate-level cybersecurity certification, and it's more hands-on than the CompTIA PenTest+ and EC-Council Certified Ethical Hacker (CEH) certifications. It is also much more challenging than PenTest+ and CEH.
In terms of demand, the CEH is still the second most listed certification in job postings for penetration testing roles, but the eJPT and PenTest+ are hardly ever listed on job postings, unfortunately.
The eJPT is a great certification for those who want to gain confidence in preparing for the Offensive Security Certified Professional (OSCP) certification, but by itself, it may not be enough to land a first penetration tester job.
What is the eJPT?
INE can best tell you what their certification is, so I'm taking this quote directly from the eJPTv2 web page.
"The eLearnSecurity Junior Penetration Tester exam (eJPTv2) validates that an individual has the knowledge and skills needed to fulfill a role as an entry-level penetration tester. This certification covers essential penetration testing skills and concepts, including Assessment Methodologies and Enterprise Auditing with Host, Network, and Web Application Penetration Testing. The eJPTv2 is designed to be the first milestone for someone with little to no experience in cyber security, simulating the skills penetration testers utilize during real-world engagement in a hands-on testing atmosphere. This exam truly indicates that you have what it takes to be part of a winning penetration testing team!"
I agree with this statement almost entirely. However, I respectfully disagree that the eJPT is for people with no experience. The Penetration Tester Student v2 course by INE is excellent; I learned a lot from it. However, they tell you that you should have networking and Linux skills before going down the learning path. Furthermore, on the same webpage as their introduction quote, they say the prerequisites for eJPTv2 are "Solid understanding of TCP/IP networking, reasonable Windows and Linux administration experience, and familiarity with basic Bash and/or Python scripting." These are all things I would not expect a beginner to know.
The course does not cover Linux, Windows, networking, and cybersecurity fundamentals. You need all these skills to succeed during the Penetration Tester Student v2 course and the eJPTv2 exam itself. Because the course does not cover the basics, I cannot call the eJPT an "entry-level" cybersecurity certification. In my humble opinion, it is an intermediate cybersecurity certification, and I agree with its placement on Paul Jerimy's Security Certification Roadmap.
How does the eJPT stack up against other hacking certifications?
At the time of this writing, the only red team-focused certifications I hold are the CompTIA PenTest+ and the EC-Council Certified Ethical Hacker (CEH). This is nice because these two certifications are the primary competitors to the eJPT. Interestingly enough, INE no longer considers the CEH a competitor since they removed the CEH from the "How does the eJPTv2 Stack Up?" section on the eJPTv2 webpage, leaving the PenTest+ as the only comparison on the webpage. The comparison section on their webpage is 100% accurate. However, I will say that the eJPTv2 is much more hands-on than the PenTest+ exam. I also think the eJPT is much more difficult to pass than PenTest+ and CEH. The CEH is not hands-on at all. Overall, I think the eJPTv2 proves hands-on skills much better than both the CEH and PenTest+. However, eJPT doesn't test your knowledge of scoping, reporting, rules of engagement, and ethics as the PenTest+ does. CEH hardly touches these topics as well.
Regarding demand, the CEH blows the eJPT and PenTest+ out of the water. For some reason, the CEH is still the second most listed certification in job postings for penetration testing roles. The PenTest+ and eJPT are hardly ever listed on job postings, unfortunately. I hope this changes, as I think the PenTest+ and the eJPT are more valuable than the CEH.
If I were looking to build a penetration testing team, and there were three people, one with eJPT, one with CEH, and one with PenTest+ (with everything else being equal), I would not hesitate to choose the person with the eJPT. The eJPT is, without a doubt, the best indicator of hands-on technical skills out of the three. PenTest+ is second, and I'd give last place to CEH.
Who is the eJPT exam for?
The short answer: Anyone who wants to prove basic hacking skills should obtain the eJPT. The reason for proving hacking skills will vary from person to person.
My reason for going for the eJPT was to prove my basic hacking skills to myself, which ultimately was to get a head start and gain confidence in preparing for the Offensive Security Certified Professional (OSCP) certification, the gold standard in hacking certifications and the number one certification listed on penetration tester roles on job postings. And I think the eJPT did a great job at that. The eJPT exam is very challenging yet very enjoyable; it introduced me to the "try harder" mindset. It taught me to be persistent and not to give up. In addition, it taught me a lot of tools and techniques I never saw before despite having eight other certifications and being in the top 0.4% on TryHackMe.
Unfortunately, I don't think the eJPT by itself is enough to land your first penetration tester job due to the lack of demand via job postings. Once again, I really hope this changes in the future. However, where the eJPT shines is that it shows a person has a lot of potential to become a full-time penetration tester. I also think the eJPT is suitable for blue teamers and other cybersecurity professionals who wish to understand their adversaries' tools, techniques, and mindset without dedicating the time to becoming an expert hacker.
Who is the eJPT not for?
If you have a red (Penetration Testing/Exploitation) certification above the eJPT on Paul Jerimy's Security Certification Roadmap, you should pass on the eJPT since you already have equivalent or higher skills.
As mentioned earlier, I don't think the eJPT is "entry-level," meaning I do not believe the certification is for beginners. Instead, I think you should have a few years of experience in cybersecurity before taking the Penetration Tester Student v2 course.
So what experience do I recommend before starting the Penetration Tester Student v2 course?
At a minimum, you should be comfortable with the following:
Command line navigation
Basic Programming/scripting/coding skills
Some examples of minimum experience I recommend
Any one of the following (or equivalent):
Any two combinations of the following (or equivalent):
Offensive Pentesting TryHackMe Path
Jr Penetration Tester TryHackMe Path
CompTIA Pentest+ TryHackMe Path
(ISC)² Certified Information Systems Security Professional (CISSP)
Four-year cybersecurity degree
Any two from the next list (i.e., anything from this list plus any two from the list below)
Any three combinations of the following (or equivalent):
CompTIA Network+ or Cisco Certified Network Associate (CCNA)
Complete Beginner TryHackMe Path
Web Fundamentals TryHackMe Path
Pre-Security TryHackMe Path
To put this in perspective, I have everything above, and I still found the eJPT exam pretty tricky to pass.
Some other things that I don't have that I can comfortably say will be "enough" prior experience before starting the Penetration Tester Student v2 course:
Three or more easy-medium Hack The Box full compromises without using walkthroughs or guides.
Any red (Penetration Testing/Exploitation) certification on the same level or above the eJPT on Paul Jerimy's Security Certification Roadmap.
Remember that even though you have something much higher than the eJPT on the certification roadmap (such as CISSP), that doesn't mean you'll find success easily in the eJPTv2 exam. For example, the CISSP is an excellent certification, and it's extremely difficult in its own way, but it doesn't touch on Linux or command lines at all. This is how something way lower on the roadmap, like PenTest+, can be "enough" experience alone, while the CISSP is not enough experience alone.
Lastly, it would help if you understood how to read and modify scripts in any programming language before starting the Penetration Tester Student v2 course.
The only thing you need to use to study for the eJPTv2 exam is the Penetration Tester Student v2 course by INE.
Capture the Flag (CTF) challenge sites such as TryHackMe, Hack the Box, Vulnhub, and picoCTF are excellent complements to the course.
I wouldn't get caught up in any other material if you met the prerequisites mentioned in the above section. However, if you're lacking in a particular area or struggling during the course, then pause the course and get those skills before moving further.
Is the eJPT "worth it?"
Short answer: YES!
For only $200 for an exam voucher, and a $39 subscription per month, this is easily the most budget-friendly certification out there. You can complete the Penetration Tester Student v2 course in about 150 hours if you have all the prerequisites above. This means you can knock out the certification in 1-2 months if you spend a lot of time studying after school/work. On the other hand, if you don't work or go to school full time, you can quickly get the certification in under a month if you focus. Of course, the longer you take to complete the course, the more months you have to pay for the subscription. Regardless, if you subscribe for one month or six months, you're getting a lot of bang for your buck.
As I already mentioned, I learned many new things within the Penetration Tester Student v2 course. The instructors cover every step of the penetration test and then some. The course also goes over essential information multiple times, which gives you the repetition you need for a successful exam pass. Furthermore, the labs are private to only you and are incredibly responsive and stable, leaving you with a great environment to focus on sharpening your hacking skills. Lastly, you get two exam attempts included with a voucher purchase, making the $200 price tag that much sweeter. Simply put, the eJPT is all around a great value. I highly recommend it to anyone getting started with penetration testing and hacking.
Take a lot of detailed notes during the course so you can easily replicate commands during the exam.
Read all instructions and questions carefully.
Take notes during the exam so you don't have to re-run commands to see the output.
Frequently go back into your notes when you can't find a way into the machine. Your notes should have all the commands you tried. Don't waste time re-running commands.
The test is going to take a lot of time. Take breaks, eat, sleep, and drink plenty of water during the exam.
Read all the exam questions before diving into the lab environment. That way, you know what to look for while you are enumerating.
Frequently go back to the questions to remind yourself what you are looking for.
Spend a lot of time enumerating. You never know what piece of information will help you progress in your penetration test.
Don't spend too much time on one machine. If you can't gain initial access to a machine within 2 hours, move on to another. Come back to the machine later. You might find something on one machine that can help you break into another machine.
Don't worry about answering the questions in order, and don't worry about compromising the hosts in a particular order.
Some hosts will have more exam questions related to them than others. So focus your effort on the hosts with more related questions.
Cleaning up is very important in real-world penetration tests, but not during your eJPT exam. Don't worry about leaving files and configuration changes behind. You're not being evaluated on that. The only thing that matters is the questions you are being asked.
If you break your lab, don't worry. Just reset it. Your questions will be saved.
Don't store your notes on the Kali Linux VM. Store your notes on your local machine. That way, you still have your notes if you break your lab or lose connectivity. All files you add to the lab environment will be gone upon a reboot. The lab will be rebuilt in the same configuration, minus the dynamic flags. The dynamic flags don't need to be resubmitted if you reset the lab. The exam dashboard will tell you this.
Stay persistent, and don't give up.
The eLearnSecurity Junior Penetration Tester v2 (eJPTv2) certification is a great way to validate one's basic penetration testing skills and to gain confidence before moving on to more advanced certifications like the Offensive Security Certified Professional (OSCP). While the eJPTv2 is marketed as an entry-level certification, it requires a solid understanding of TCP/IP networking, Linux and Windows administration, and basic Bash and/or Python scripting, making it an intermediate-level certification in practice. The eJPTv2 stands out from other red team-focused certifications like the PenTest+ and the Certified Ethical Hacker (CEH) due to its hands-on approach and its ability to test hands-on technical skills. While it may not be enough to land one's first penetration testing job, it does demonstrate a lot of potential to become a full-time penetration tester.