PT1 Review - Dragkob

"The faster we deliver new value to our users, the better we help solve their problems before someone else does it better."
Table of contents

"The faster we deliver new value to our users, the better we help solve their problems before someone else does it better."
State of the market
In today's cyberworld, the proliferation of low-value certifications has become a pressing concern. Many companies are churning out credentials at an alarming pace, prioritizing profit over meaningful skill development. This commodification of learning leaves individuals paying for titles that do little to advance their careers or solve real-world problems.
As Ben Spring aptly puts it, "The faster we deliver real value, the better we solve users' problems - before someone else does it." That principle was the driving force behind the launch of PT1, a direct challenge to the current trend of superficial certifications.
Instead of joining the race to produce more paper credentials, PT1 was designed to offer immediate, practical value - empowering users with skills that actually matter.
Our Backgrounds
Before we dive into the PT1 Exam review, it's important to provide some context about our backgrounds so you understand the perspective from which this review is being written. (Beginners? Professionals?) This is a joint article authored by myself, DKob, and my friend, Mr. AlphaQ - both of us bringing distinct but complementary experiences to offer a well-rounded and honest assessment of the PT1 certification.
"By the time I took the PT1, I had already earned certifications like the eJPTv2 and eCPPTv3, and had completed most of the offensive learning paths available on TryHackMe. I also work full-time in Cybersecurity - not in an offensive role, but my daily responsibilities revolve heavily around Windows environments, Active Directory, and everything related to authentication and authorization security."
"I hold OSCP, CRTE, and eMAPT certifications. Fun fact: OSCP was my first certification and I was fortunate enough to pass it in just 6 hours! Currently, I work full-time in cybersecurity as an engineer, primarily focused on the offensive side. My daily responsibilities revolve heavily around Red Teaming, penetration testing, and participating in CTF competitions worldwide."
The Exam
- The exam consists of a hands-on penetration test and a detailed report, all to be completed within a 48-hour time limit. This duration is more than sufficient to assess and exploit the various targets within the network. Additionally, one free retake is included - this also applies if you received a free PT1 voucher through the eJPT, PJPT, or OSCP giveaway.
- The exam environment is unique for each candidate. A randomized pool of vulnerabilities is used to dynamically generate your specific exam scenario for each attempt. While resetting your lab will not change the assigned vulnerabilities or flags, they will change on your next attempt, should a retake be necessary.
- Once the exam begins, the 48-hour timer cannot be paused, so it's important to manage your time effectively and plan ahead.
- Finally, the exam can be completed either through the provided AttackBox or from the comfort of your own Kali machine. If you choose to use your local setup, an
.ovpnconfiguration file will be provided, allowing you to securely connect to the internal exam network via OpenVPN.
What's in the exam?
The practical portion of the exam is divided into 3 main components, each involving multiple machines to compromise:
AppSec/WebApp
4 vulnerabilities and 4 flags to be found on one Web Application.
- It's worth noting that you may discover more than four vulnerabilities - in our experience, we found over eight, but only four will yield flags necessary for the exam.
- For this section of the exam, it is strongly advised to be proficient with Burp Suite (don't forget to have the FoxyProxy extension installed and properly configured on FireFox), as success heavily relies on your ability to manipulate and analyze various types of requests.
- Adopting a penetration tester's mindset, one rooted in curiosity, WILL add significant value. It's essential to test all possibilities, even in areas that may initially seem insignificant. Often, the most critical vulnerabilities are discovered in the least expected places.
Active Directory
2 Hosts to compromise & 2 flags to submit.
- This section of the exam revolves around a domain-joined workstation and a Domain Controller. (1 Flag each)
- You'll be expected to identify misconfigurations, and exploit authentication or privilege-related weaknesses within the domain context.
- For this section, the most important piece of advice is simple: enumeration is key. Without proper enumeration, progressing through this part will be difficult. Take your time, map out the environment carefully, and let the information guide your next steps.
- We strongly recommend becoming comfortable with a range of tools that are essential for Active Directory environments. These include: CrackMapExec/NetExec, BloodHound along with BloodHound-python, Mimikatz/Kiwi, BloodyAD, Ligolo-ng or Chisel, and Evil-WinRM.
NetSec
2 Hosts to compromise & 4 flags to submit.
- Although the name suggests a focus on Network Security, this section of the exam closely resembles many Boot2Root and CTF-style challenges. However, it stands out by placing a stronger emphasis on enumeration, research, and manual exploitation techniques, making it a more comprehensive assessment of practical skills.
- While many consider this section to be the easiest part of the exam, it should not be underestimated. Simply achieving root access is not sufficient. This is not a CTF challenge. You must demonstrate a clear understanding of the underlying processes and be able to explain them thoroughly in your report. If you rely on automated tools like Metasploit for exploits, shells, or privilege escalation, you are expected to fully comprehend how each step works. Running automated privilege escalation commands without the ability to clearly articulate how a service was exploited will result in penalties from the exam's AI evaluation.
- Don't hesitate to use the internet during the exam. Research is not only allowed, it's encouraged, as emphasized by Marta Strzelec - Head of Content Engineering @THM, during the official PT1 breakdown linked at the beginning of this article. Looking up potential exploits, techniques, and relevant documentation is a crucial part of the process, just as it is in real-world scenarios.

Is AI allowed in the exam?
"We also had questions if AI is allowed during the exam. (..) Yes, AI is allowed. You are expected to use modern tooling in your workflow. For anyone feeling insecure about the quality of your english grammar, I would recommend to try fixing it up with AI and ensure that you are still giving factual information that you have found during your pentest. But, if you're just worried about grammar, have an agent like ChatGPT fix it for you and that should cover it perfectly."
~ Marta S. | Head of Content Engineering @THM | Source
Reporting
The reporting experience was, without a doubt, one of the highlights of the exam. TryHackMe has done an excellent job designing a reporting interface that is intuitive, streamlined, and purpose-built. The UI is clean and efficient, allowing us to focus on communicating our findings clearly without unnecessary complexity.
The report format follows a structured and professional layout:
- Summary: Includes an Overview, Scope, Impact, and Conclusion of the issue.
- Security Issue Selection: Choose the vulnerability type from a predefined dropdown list (e.g., SQLi, XSS, Business Logic, etc.).
- CVSS Score: Select a severity level using predefined radio buttons.
- Flag Submission: Enter your flag in a dedicated textbox.
- Vulnerability Description: Provide a detailed explanation of the vulnerability, including how it was discovered and how to reproduce it.
- Remediations: Offer clear and actionable recommendations to fix or mitigate the issue.
The Good
- One of the strongest aspects of the PT1 exam is how deeply hands-on and realistic it is - for the most part. The Active Directory section, while approachable for those familiar with common ACL misconfigurations and who have completed multiple AD-focused rooms, still reflects real-world complexity. Unlike traditional labs or CTFs where navigation between targets is linear, the PT1 exam introduces scenarios such as segmented networks and layered access, mimicking the real-life challenges of pivoting, network segmentation, and restricted access paths behind firewalls. It's a meaningful simulation of what professionals face in the field.
- The web application segment stands out as the true highlight of the exam. As Tinus Green has rightly pointed out, many older attacks are becoming obsolete while new classes of vulnerabilities continue to emerge. PT1 captures this shift well, focusing on modern web application flaws, logic abuses, and request manipulation, which are central to today's threat landscape. This section demands creativity and a deep understanding of how web applications are built and broken. It's a real test of modern offensive skill sets.

- The reporting process couldn't have been better executed. The interface is clean, intuitive, and purposefully designed. A good example of modern platforms like Sysreptor. Rather than the outdated method of pulling up a blank Word document and crafting a report from scratch, TryHackMe has embraced a structured, fill-in-the-blanks approach, enabling users to focus on quality of content over formatting. It's exactly what you'd expect from a tool built for modern practitioners. However, it's important to note that in real-life assessments, clients may expect a custom-made report that includes their branding and information specific to their environment. Therefore, this skill should not be overlooked, but actively practiced.
- Most importantly, this exam goes beyond the CTF model. (Finally, and thankfully) - Traditional CTFs typically focus on capturing a "user" and "root" flag, and that's where it ends. PT1 establishes a clear scope of engagement, sets realistic boundaries, and emphasizes non-disruptive testing, just as a real client engagement would. Moreover, it demands that users understand and explain the vulnerabilities they find, the tools they use, and the impact of their findings. It's not about grabbing flags - it's about conducting a realistic, value-driven penetration test. The objective is to uncover as many legitimate vulnerabilities as possible and to communicate them professionally, not just to "win the game."
- The addition of a VPN option (
.ovpn) in the PT1 exam is a significant improvement and deserves recognition. Many candidates prefer to use their own Kali setups, where they've tuned their tools, scripts, and wordlists to match their workflow. Removing the stress of navigating an unfamiliar system, where key utilities might be missing, misconfigured, or buried in unknown directories (Talking from experience), allows candidates to focus on the assessment itself rather than fighting with the tooling. This flexibility is a huge plus and aligns closely with how professionals work in the field. - The AI grading system delivers your results in under a minute, along with a detailed report highlighting your strengths and areas for improvement.


The Bad
- The Network Security section was very much imbalanced. The distribution pool gave 2 sorts of boxes: Either too easy or too hard. Both scenarios felt highly unrealistic when compared to real-life engagements.
- While this was not our personal experience, it's worth noting that a significant number of users have reported instability issues with the Network Security portion of the exam on the official THM discord server. After speaking directly with several of these individuals, it became clear that many of them were assigned the same set of NetSec boxes, each featuring the same core challenge. The common thread across these reports was frustration over alleged bugs or unstable behavior within those environments. To date, TryHackMe has not released any official statement addressing the concerns specific to these boxes. And to preserve the confidentiality and integrity of the exam, we won't disclose details about the challenge itself. Whether this was an actual technical bug or simply a particularly difficult and misunderstood scenario remains unclear. Should TryHackMe provide any formal clarification or updates on the matter, we will revisit and update this section accordingly.
- One important observation is that the TryHackMe training, being largely CTF-based, doesn't fully prepare candidates for the mindset shift required in the PT1 exam - particularly in the web application section, which is not CTF-oriented at all. Unlike traditional CTFs, there are no explicit user or root flags to capture. Instead, the focus is on identifying real vulnerabilities, understanding their impact, and reporting them professionally. While this won't pose a challenge for experienced pentesters or those who can easily switch between CTF and real-world assessment modes, it may be confusing for beginners - the very audience this certification is targeting. Newer users often default to the CTF mindset: gain access, escalate privileges, get the flag. The exam is designed to reflect practical penetration testing, where the goal is not to compromise every system, but to discover, understand, and document vulnerabilities that matter in real-world environments.
- A final, albeit minor, point of critique lies in the marketing of the PT1 as "the certification that gets you hired." While this is an aspirational and motivating message, the reality (as of the writing of this article) is more nuanced. The OSCP still holds the dominant position in the industry when it comes to hiring credibility, and no junior-level certification, including PT1, currently guarantees a job. That said, PT1 does offer strong practical value and real-world relevance, and it has the potential to gain more industry recognition over time. We certainly hope it lives up to the promise in the near future, but it's important for candidates to approach it with realistic expectations.
The polemic around AI grading
- Long story short: the AI grading system in the PT1 exam is better than people give it credit for. While it has received its share of criticism, our experience showed that the AI is generally fair, and capable of evaluating technical content with reasonable accuracy. That said, the AI definitely requires a lot of improvements and fine-tuning.
- We took the time to carefully analyze the feedback and grading provided by the AI, and we shared a detailed report with a TryHackMe staff member - Shoutout to @am03bam4n - who was very receptive and promptly passed it along to the responsible team.
- The AI appears to grade reports based on a general penetration testing lifecycle, which includes steps like passive reconnaissance, rather than assessing what's relevant to the specific context of the exam. However, passive reconnaissance is not applicable within the scope of the PT1 exam, yet the AI still deducted points for its absence - an inconsistency that highlights the need for more context aware evaluation.
- Rest assured, though: the AI will not "make you fail." It's not overly rigid or punitive, and it does leave space for solid, well-explained answers to be recognized. With continued iteration, it could become one of the exam's greatest strengths.
"We're double-checking and analyzing pretty much all reports manually for now, while it's early days for PT1." & "We pull all the data, do data/trend analysis for points awarded, and cross-check with human reviewers for edge cases. Also, in case it wasn't clear, the AI grader only grades the reports, the flags/severity/vuln ID is all exact match."
~ Marta S. | Head of Content Engineering @THM | Source 1 | Source 2
Is the course enough?
- If you're a total beginner with no prior experience, it's important to understand that simply completing the required learning path (Jr. Pentest Path + Web Fundamentals) likely won't be enough to pass the PT1 exam confidently. While the core material is well-structured, it assumes a certain level of familiarity with basic tools, methodologies, and real world thinking. To bridge that gap, you'll need to supplement your learning with a significant amount of practice, particularly through boxes.
- If you've already been working through easy boxes and have tackled a few medium ones, you're likely on the right track. However, don't get too confident and make sure you've covered every exam topic in depth during your preparation. The recommended learning path does include medium to hard-level boxes, and we strongly encourage completing them. They offer valuable exposure to realistic scenarios and will ensure you're ready to handle anything the exam throws at you.
- Rule of thumb: Junior ≠ Easy ≠ Beginner
"The most powerful lesson in life is that overpreparation is never wasted. The hours spent practicing, the extra effort no one sees - they don't just prepare you for the test. They build resilience, sharpen instincts, and create confidence under pressure. When the unexpected happens - and it always does - it's not luck that carries you through, but the quiet work you did when no one was watching."
~ Unknown
PT1, eJPT or PJPT?
TryHackMe presents its perspective on the junior certification market as follows:
Our perspective on the junior certification market is the following:

- The PT1 clearly surpasses the eJPT in terms of exam quality - by a significant margin.
- The eJPT offers a stronger course component, featuring 150 hours of video content that explains everything in detail from the ground up.
- The PJPT is the strongest competitor to the PT1, due to the quality of its course. However, we believe that PT1's web application section is offering a more modern, and hands-on approach that gives it a distinct edge.
- The final decision ultimately depends on your goals, but based on our experience with all three certifications, we recommend the PT1 for its hands-on exam and the eJPT for its comprehensive course material. The PJPT, while valuable when it comes to AD, feels more like a preparatory step toward the PNPT rather than a standalone milestone.
The Future
We would like to conclude by saying that the future looks very promising for TryHackMe certifications. SAL1 stands out as a unique offering with its practical focus on EDR scenarios, while the PT1 brings much-needed attention to modern web vulnerabilities, reflecting real-world challenges that today's professionals face.
A piece of advice for this exam - and any you may take in the future: take regular breaks and remember to breathe. If you ever feel stuck, don't hesitate to take a step back and reassess the situation. And one important tip for your career: a Junior Penetration Tester is not a beginner. Approach the role with confidence, professionalism and skills.

