eJPT Review; The Hands on Compliment to Pentest+

  • You took CompTIA Pentest+ and you want to do a hands on complement to it
  • You want to learn
  • You love learning via hands on
  • You love a bargain when it comes to certs
  • You are just trying to fluff a resume
  • You are trying to hit an HR filter
  • Kali in general (how to get around in BASH, modify files, set permissions, etc)
  • Nmap in general (mostly how to scan both individual targets & subnets for host discovery)
  • Metasploit in general (how to search for modules, run exploits, handle reverse shells, etc)
  • At least some netcat familiarity
  • How to perform simple password cracking with John and/or Hashcat
  • How to perform simple online brute force attacks with Hydra
  • Some knowledge of common CTFy network services like ftp, telnet, etc
  • Simple vulnerability scanning & familiarity with typical vulnerabilities
  • Basic Linux privilege escalation
  • Basic webapp scanning with tools like dirb, DirBuster, Gobuster, nikto, etc
  • Passing familiarity with interception proxies like Burp Suite
  • Take the exam when you have 3 days off work and plan on using it all. You will probably finish in much less time, but having that much makes it a low stress event. It is meant to be hands on, educational, and fun.
  • Take copious notes during the INE and THM labs. I saved mine in simple *.txt files, named by topic, such as ‘upgrading a Linux shell’ or ‘webshells’.
  • Do not be ashamed to ask CW6 Google for help during the exam! Much like CRTP, eJPT is open book, open notes, open Google, hell some people even said they pulled the INE labs back up looking for something they missed in the walkthroughs. eJPT is about actually putting your hands on the keyboard and finding the answer in an environment, not rote memorization.
  • INE recommends using Kali and they show you how to use specific tools, however you are not limited in what you can use. Conceivably you could take the exam from a Windows VM if you really wanted to. The exam is about understanding the concepts, not memorizing a specific tool.
  • There is no IDS, SIEM, etc in the exam environment. Being sneaky does not get you extra credit. The focus is on host discovery, scanning, enumerating, finding vulnerabilities, etc. Don’t be afraid to use the intrusive nmap scripts or throw Metasploit payloads at things that you find.
  • Most of all, relax and have fun! This is NOT meant to be a stressful exam.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.