June 8, 2025 by @DKob & @MrAlphaQ

A seasoned hacker once said: “Every expert was once a beginner with a terminal and a dream.” Today, we review how the **PT1 certification** exam ****from TryHackMe offers aspiring junior cybersecurity professionals their first real foothold into the world of penetration testing.

⚠️ - This review is NOT sponsored by TryHackMe and is entirely independent.

Quoted from: Working At THM isn’t for everyone

<aside> <img src="attachment:e11b4347-5d7e-4622-96b1-241632fac9e7:1652897717959.jpeg" alt="attachment:e11b4347-5d7e-4622-96b1-241632fac9e7:1652897717959.jpeg" width="40px" />

"The faster we deliver new value to our users, the better we help solve their problems before someone else does it better.”

~ Ben Spring

</aside>

Table of contents

[PT1 breakdown by Tinus Green - Sr. Content Engineer @THM](https://www.youtube.com/watch?v=P7QnE4OGY24&ab_channel=TryHackMe)

PT1 breakdown by Tinus Green - Sr. Content Engineer @THM

State of the market

In today’s cyberworld, the proliferation of low-value certifications has become a pressing concern. Many companies are churning out credentials at an alarming pace, prioritizing profit over meaningful skill development. This commodification of learning leaves individuals paying for titles that do little to advance their careers or solve real-world problems. As Ben Spring aptly puts it, “The faster we deliver real value, the better we solve users' problems—before someone else does it.” That principle was the driving force behind the launch of PT1, a direct challenge to the current trend of superficial certifications. Instead of joining the race to produce more paper credentials, PT1 was designed to offer immediate, practical value -empowering users with skills that actually matter.

Our Backgrounds

Before we dive into the PT1 Exam review, it’s important to provide some context about our backgrounds so you understand the perspective from which this review is being written. (Beginners? Professionals?) This is a joint article authored by myself, DKob, and my friend, Mr. AlphaQ — both of us bringing distinct but complementary experiences to offer a well-rounded and honest assessment of the PT1 certification.

https://tryhackme.com/api/v2/badges/public-profile?userPublicId=3014755

<aside> <img src="attachment:c3bb3099-436e-4042-ab2d-9696c89c228c:Avatar_Upscaled.png" alt="attachment:c3bb3099-436e-4042-ab2d-9696c89c228c:Avatar_Upscaled.png" width="40px" />

"By the time I took the PT1, I had already earned certifications like the eJPTv2 and eCPPTv3, and had completed most of the offensive learning paths available on TryHackMe. I also work full-time in Cybersecurity - not in an offensive role, but my daily responsibilities revolve heavily around Windows environments, Active Directory, and everything related to authentication and authorization security.”

~ Dragkob

</aside>

https://tryhackme.com/api/v2/badges/public-profile?userPublicId=1044875

<aside> <img src="attachment:37266f5b-cea4-412b-8f02-b3d9b94f1e17:624ce64d85b50400a403dfa5-1749120940561.png" alt="attachment:37266f5b-cea4-412b-8f02-b3d9b94f1e17:624ce64d85b50400a403dfa5-1749120940561.png" width="40px" />

“I hold OSCP, CRTE, and eMAPT certifications. Fun fact: OSCP was my first certification and I was fortunate enough to pass it in just 6 hours! Currently, I work full-time in cybersecurity as an engineer, primarily focused on the offensive side. My daily responsibilities revolve heavily around Red Teaming, penetration testing, and participating in CTF competitions worldwide.”

~ Mr AlphaQ

</aside>

The Exam

• The exam consists of a hands-on penetration test and a detailed report, all to be completed within a 48-hour time limit. This duration is more than sufficient to assess and exploit the various targets within the network. Additionally, one free retake is included — this also applies if you received a free PT1 voucher through the eJPT, PJPT, or OSCP giveaway.
• The exam environment is unique for each candidate. A randomized pool of vulnerabilities is used to dynamically generate your specific exam scenario for each attempt. While resetting your lab will not change the assigned vulnerabilities or flags, they will change on your next attempt, should a retake be necessary.
• Once the exam begins, the 48-hour timer cannot be paused, so it's important to manage your time effectively and plan ahead.
• Finally, the exam can be completed either through the provided AttackBox or from the comfort of your own Kali machine. If you choose to use your local setup, an .ovpn configuration file will be provided, allowing you to securely connect to the internal exam network via OpenVPN.

What’s in the exam?

The practical portion of the exam is divided into 3 main components, each involving multiple machines to compromise:

• AppSec/WebApp: 4 vulnerabilities and 4 flags to be found on one Web Application.

  • It's worth noting that you may discover more than four vulnerabilities — in our experience, we found over eight, but only four will yield flags necessary for the exam.
  • For this section of the exam, it is strongly advised to be proficient with Burp Suite (don’t forget to have the FoxyProxy extension installed and properly configured on FireFox**)**, as success heavily relies on your ability to manipulate and analyze various types of requests.
  • Adopting a penetration tester’s mindset, one rooted in curiosity, WILL add significant value. It's essential to test all possibilities, even in areas that may initially seem insignificant. Often, the most critical vulnerabilities are discovered in the least expected places.

• Active Directory: 2 Hosts to compromise & 2 flags to submit.

  • This section of the exam revolves around a domain-joined workstation and a Domain Controller. (1 Flag each)
  • You'll be expected to identify misconfigurations, and exploit authentication or privilege-related weaknesses within the domain context.
  • For this section, the most important piece of advice is simple: enumeration is key. Without proper enumeration, progressing through this part will be difficult. Take your time, map out the environment carefully, and let the information guide your next steps.
  • We strongly recommend becoming comfortable with a range of tools that are essential for Active Directory environments. These include: CrackMapExec/NetExec, BloodHound along with BloodHound-python, Mimikatz/Kiwi, BloodyAD, Ligolo-ng or Chisel, and Evil-WinRM.

Source: PT1 Breakdown

• NetSec: 2 Hosts to compromise & 4 flags to submit.
  • Although the name suggests a focus on Network Security, this section of the exam closely resembles many Boot2Root and CTF-style challenges. However, it stands out by placing a stronger emphasis on enumeration, research, and manual exploitation techniques, making it a more comprehensive assessment of practical skills.
  • While many consider this section to be the easiest part of the exam, it should not be underestimated. Simply achieving root access is not sufficient. This is not a CTF challenge. You must demonstrate a clear understanding of the underlying processes and be able to explain them thoroughly in your report. If you rely on automated tools like Metasploit for exploits, shells, or privilege escalation, you are expected to fully comprehend how each step works. Running automated privilege escalation commands without the ability to clearly articulate how a service was exploited will result in penalties from the exam’s AI evaluation.
  • Don’t hesitate to use the internet during the exam. Research is not only allowed, it's encouraged, as emphasized by Marta Strzelec - Head of Content Engineering @THM, during the official PT1 breakdown linked at the beginning of this article. Looking up potential exploits, techniques, and relevant documentation is a crucial part of the process, just as it is in real-world scenarios.