The OSCP used to be the only certification that mattered for penetration testers. Then TCM Security released the PNPT and changed the conversation.

In 2026, the PNPT has become one of the most respected entry-to-mid-level certifications in offensive security — not because of brand recognition, but because of what the exam actually tests. This is a full review of whether it belongs in your certification roadmap.

What Is the PNPT?

The Practical Network Penetration Tester (PNPT) is a certification from TCM Security, created by Heath Adams (The Cyber Mentor). It’s a fully practical exam — no multiple choice, no CTF flags, no memorization.

You’re given a simulated corporate network and 5 days to compromise it. Then 2 additional days to write a professional penetration test report. Then a live 15-minute debrief in front of TCM Security’s senior pentesters.

That debrief is what sets PNPT apart from almost every other certification. You have to actually explain what you found, how you found it, and why it matters — to people who know exactly what they’re looking at.

  • Price: ~$400 USD (includes course materials + one free retake)
  • Exam window: 5 days assessment + 2 days reporting
  • Retake policy: One free retake included — TCM’s stated philosophy is they don’t want to profit on failure

What the Exam Actually Tests

The PNPT is centered on a real-world internal network penetration test scenario. To pass you need to:

  1. Perform OSINT — gather intelligence on the simulated target organization
  2. Compromise Active Directory — the core of the exam. You need to fully compromise the domain controller
  3. Bypass defenses — AV evasion, egress bypassing, lateral and vertical movement
  4. Write a professional report — not just a list of findings; a full deliverable suitable for a real client
  5. Present your findings live — the debrief in front of assessors

No flags. No hints. No artificial puzzle mechanics. This is as close to a real engagement as a certification exam gets.

Who It’s For

Ideal candidate:

  • 6-12 months of self-study or hands-on practice (HTB, TryHackMe, home lab)
  • Comfortable with basic AD enumeration and exploitation concepts
  • Looking for a first serious offensive security certification
  • Budget-conscious — can’t justify $1,500+ for OSCP right now

Not ideal if:

  • You have zero Active Directory experience — you’ll struggle significantly
  • You’re targeting senior or specialized roles where OSCP/OSED/OSEP carry more weight
  • You’re in a market where employers specifically require OffSec certifications

PNPT vs OSCP: Honest Comparison

| | PNPT | OSCP |
|---|---|---|
| Price | ~$400 | ~$1,499 |
| Exam format | 5-day network + report + debrief | 24-hour exam + 24-hour report |
| Focus | Active Directory, real-world network | Broader scope, buffer overflows (legacy), web, AD |
| Difficulty | Mid — accessible for junior practitioners | Hard — significant preparation required |
| Industry recognition | Growing rapidly, especially smaller firms | Still the gold standard at enterprise level |
| Retake | 1 free retake included | $249/attempt |
| Materials included | Yes — full course access | Yes — lab access for exam prep period |

The honest take: OSCP carries more weight at enterprise companies and in government/defense. PNPT is more respected at smaller firms, consultancies, and among practitioners who actually understand what each exam tests.

If you have the budget and experience, OSCP still opens more doors. But PNPT proves you can do the job — and at $400 with a free retake, the risk/reward is exceptional.

The Active Directory Focus

This is the PNPT’s biggest strength and the thing that makes it genuinely useful in 2026.

The real world is Active Directory. Most internal penetration tests involve compromising Windows environments, abusing Kerberos, lateral movement through domain-joined machines, and ultimately reaching Domain Admin. The PNPT tests exactly this.

Core AD concepts you need to know:

  • LLMNR/NBT-NS poisoning (Responder)
  • SMB relay attacks
  • Kerberoasting and AS-REP roasting
  • Pass-the-hash / pass-the-ticket
  • BloodHound / SharpHound enumeration
  • DCSync and credential dumping
  • Basic AV evasion with common C2 frameworks

TCM’s own courses — particularly Practical Ethical Hacking — are the recommended prep path and cover all of this directly.

The Report and Debrief

Most certifications ignore reporting. The PNPT doesn’t.

A real penetration test deliverable requires:

  • Executive summary for non-technical stakeholders
  • Technical findings with clear reproduction steps
  • Risk ratings that map to business impact
  • Remediation recommendations that are actually actionable

The PNPT forces you to write this. And then defend it live. That skill — explaining technical findings to an audience — is something you’ll use on every engagement for the rest of your career. No other entry-level certification even comes close to testing this.

Preparation Path

TCM Security’s own courses are the clearest path:

  • Practical Ethical Hacking — covers the AD attack chain end-to-end
  • Open-Source Intelligence (OSINT) Fundamentals — covers the recon phase
  • Linux Privilege Escalation and Windows Privilege Escalation — useful supplements

Supplementary resources:

  • The Hacker Playbook 3 — covers real-world AD attack methodology in depth; highly recommended alongside PNPT prep
  • HTB Academy’s Active Directory module — solid free-tier content for AD fundamentals
  • Practice in a home lab — build a basic AD environment (2 Windows VMs, one DC) and run through the attack chain manually

Time to prepare: 2-4 months for someone with basic Linux/networking knowledge and no prior AD experience. Faster if you’ve already been doing HTB or similar.

Is It Worth It in 2026?

Yes — with context.

The PNPT is the best value certification in offensive security right now. At $400 with a free retake and included course materials, the economics are clear. The exam tests skills that map directly to real junior pentest roles. The report and debrief requirement means you walk out with actual deliverable experience, not just a passing score.

Where it falls short: brand recognition at large enterprises and government/defense contracts. If you’re targeting those roles specifically, you’ll likely need OSCP eventually. But PNPT is an excellent stepping stone — and for many roles, it’s sufficient on its own.

Bottom line:

  • First certification in offensive security? PNPT is the right call.
  • Already have OSCP, targeting senior roles? PNPT adds limited marginal value.
  • Mid-level practitioner wanting to validate AD skills affordably? PNPT is worth it.

Also see our OSCP Review 2026 and Best Cybersecurity Certifications 2026 for a broader look at the cert landscape.