Engineered by Hackers. Presented by Professionals.
We are inviting EC-Council certified members to participate in the Item writing initiative. Click here for more details.

Certified Penetration testing Professional CPENT

About the CPENT

EC-Council is rewriting the standards of penetration testing skill development with the Certified Penetration Testing Professional, the CPENT certification program. What makes this program unique is our approach that allows you to attain two certifications with just one exam. The key philosophy behind the CPENT is simple – a penetration tester is as good as their skills; that’s why we urge you to go beyond Kali Linux and go beyond tools.

Not that we don’t believe in the OS or tools, but candidates with an over-reliance on Kali tools find it incredibly difficult to adapt to the multi-disciplinary approach of the real-world penetration testing engagements. We urge you to go beyond and explore the vast horizons of penetration testing that differentiate the great from the good. Ergo, the knowledge, skills, and abilities you learn from the CPENT program will allow you to challenge network types and not just one or two specialties. What makes the CPENT different is the requirement to display skills across multiple disciplines, forcing the candidate to “think on their feet.” It makes CPENT the first of its kind in the list of Pen testing programs! Our research shows that knowledge-based certifications alone do not necessarily equate to well-rounded skillsets when the candidates are put on a complex cyber range. In fact, many do not even have the skills to create routing tables, which is the first step to pivot invisible networks. Without the use of an automated tool, most pen testers struggled, then when simple stateless filtering was present, the few that had added the correct networking details stalled, and only a few ever got past the first hurdle. In short, no one made it through all of the hurdles, leading to the creation of the CPENT.

The Purpose of the CPENT

Years of research showed us that most pentesting candidates have gaps in their skills when it comes to multiple disciplines. Furthermore, the metrics revealed that when the targets are not located on either the same or a directly connected and reachable segment, a few can perform as well as they do it when on a direct or a flat network.

That’s why, for the first time in the industry, the assessment for the Certified Penetration Tester (CPENT) will be about multiple disciplines and not just one or two specialty types. Everything presented in the course is through an enterprise network environment that must be attacked, exploited, evaded, and defended. EC-Council’s CPENT provides the industry with the capability to assess a Pentester’s skills across a broad spectrum of “network zones.” What makes the CPENT different is the requirement to be provided a variety of different scopes of work so that the candidate can “think on their feet.” The result of this is that different zones represent various types of testing. Anyone attempting the test will have to perform their assessment against these different zones.


  • Penetration Testers
  • Ethical Hackers
  • Information security Consultant
  • Security Testers
  • Security Analysts
  • Security Engineers
  • Network Server Administrators
  • Firewall Administrators
  • System Administrators
  • Risk Assessment Professionals
There are no predefined eligibility criteria for those interested in attempting the CPENT exam. You can purchase the exam dashboard code here

CPENT is a fully online, remotely proctored practical exam, which challenges candidates through a grueling 24-hour performance-based, hands-on exam, categorized into 2 practical exams of 12-hours each, which will test your perseverance and focus by forcing you to outdo yourself with each new challenge. Candidates have the option to choose either two 12-hour exams or one 24-hour exam depending on how straining they would want the exam to be.

\"CPENT\"

Exam features:

  • Cheating isn’t an option since EC-Council specialists proctor the entire exam.
  • Choose your challenge! Either two 12-hour sessions or a single 24-hour exam!
  • Score over 70% and become a CPENT!
  • Join the league of extraordinary pen testers by scoring more than 90% and becoming an LPT (Master)!

We strongly recommend candidates to attempt the CEH (Practical) and/ or ECSA (Practical) prior to attempting the CPENT Challenge.

Blue Print

Clause: Age Requirements and Policies Concerning Minors

The age requirement for attending the training or the exam is restricted to any candidate that is permitted by his/her country of origin/residency.

If the candidate is under the legal age as permitted by his/her country of origin/residency, they are not eligible to attend the official training or eligible to attempt the certification exam unless they provide the accredited training center/EC-Council a written consent/indemnity of their parent/legal guardian and a supporting letter from their institution of higher learning. Only candidates from a nationally accredited institution of higher learning shall be considered.

Disclaimer: EC-Council reserves the right to impose additional restrictions to comply with the policy. Failure to act in accordance with this clause shall render the authorized training center in violation of their agreement with EC-Council. EC-Council reserves the right to revoke the certification of any person in breach of this requirement.

What are the eligibility criteria to apply for the CPENT exam?
  • There are no predefined eligibility criteria for those interested in attempting the CPENT exam. You can purchase the exam dashboard code here
What will I receive as part of my purchase towards the CPENT exam?
  • You will receive access to practice range and Exam access code.
What is the access validity of practice range?
  • You can purchase the access validity in either 30 days, 60 days, and 90 days at the time of purchase.
What is the access period of basic videos?
  • 30 days from the date of activation.
What is Aspen Dashboard?
  • It is an EC-Council portal where you can access your package inclusions. All the EC-Council practical exams can be scheduled and launched from this portal.
For how long is the Aspen Dashboard access code valid for?
  • The Aspen Dashboard access code is valid for 1 Year from the date of receipt. You have to redeem the code within this period.
Post dashboard activation, how long is the access valid for?
  • The Aspen Dashboard access is valid for 30 days from the day it is unlocked.
What if I’m unable to submit the report within 30 days?
  • You can request for a 7 days extension by paying USD100.
What does the Dashboard consist of?

The Dashboard consists of:

  • Detailed Instruction guide.
  • Exam scheduling service.
  • Exam launching service.
  • Exam progress tracking.
  • Sample report templates.
  • Report submission.
  • Status of the report.
What is the structure of the exam?
  • The CPENT exam is a 100% practical exam. The candidate is required to submit the pen-testing report to complete the exam.
Is CPENT an open book exam?
  • Yes, it\’s an open book exam.
What is the duration of the exam?
  • The exam duration is 24 hours. You can opt either for two sessions of 12 hours each or one session for 24 hours.
What is the passing percentage for the exam?
  • The candidate needs to score a minimum of 70% in order to pass the CPENT exam.
What are the criteria for certification?
  • If your score ranges between 70-89%, you will be certified as CPENT, and 90% and above, you will be certified as CPENT and LPT (Master).
Will I get two certifications if I score 90% and above?
  • Yes, you will get two certifications CPENT and LPT (Master) in your Aspen account.
What is the notice period required to book the exam session?
  • Sessions should be booked at least 3 days in advance of the desired exam date.
Is the CPENT exam available at the EC-Council Authorized Training Centers?
  • No, the CPENT exam sessions are proctored by the EC-Council directly through the RPS (Remote Proctoring Services).
What are the important things to keep in mind before I schedule my exam?

Once you are ready to proceed with your exam, you need to ensure you understand the below points:

  • Cancellation requests are to be made 24 hours in advance.
  • Rescheduling is possible 72 hours before the exam session.
  • Candidate has a grace period of 15 minutes to show up for the exam session.
  • After three no-show cases, the candidate will be required to seek special permission from the Director of Certification in order to proceed with their next attempt.
  • If you need technical support or assistance, please contact us at [email protected]
  • FAQs on exam proctoring will be available at https://proctor.examspecialists.com/User/FAQ.aspx
How do I schedule the CPENT exam for any Special Accommodations?
What is the retake policy?
  • Retake exam requests can only be purchased by writing to [email protected], should a candidate fail the exam.
Is the CPENT a part of the EC-Council Continuing Education Scheme?
What is the validity of the CPENT certification?
  • The CPENT certification is valid for three years from the date of certification.
What is the annual membership fee of CPENT certification?
  • USD 250 per annum.
I hold both CPENT and LPT(Master) certifications. Do I need to pay the membership fee for each individually?
  • No
What will happen to my ECSA v10 certificate post retiring of the exam?
  • It will not be affected. The existing certified members will continue to be certified as long as they maintain the ECE credits in their Aspen account and pay the annual membership fee.
I am ECSAv10 Certified, how do I upgrade to CPENT?
  • These are two different programs. You will have to purchase the CPENT program separately.
Till when I can take the ECSAv10 exam?
  • ECSAv10 exam will remain available for the next 6 months from the date of C|PENT launch i.e. till end of 15th May 2021.
How do I test to see my VPN is working?
  • You can use a ping test which should have a result of 10.100.1.4. If you cannot ping this then disconnect and re-connect to the VPN. Also, ensure you’re connected on the machine that your tools are on and not on the virtual host machine.
Something is wrong, I cannot find targets and I cannot even ping?
  • If you can ping the 10.100.1.4 address, then the network is connected properly. The CPENT consists of a challenging network environment which means you have to let the packets show you the way. Read the network, what is it telling you? Analyze it and Go Deeper. This environment requires you to review the packets and use them as your guide. Again, as long as you can ping the address then the network is functioning as it should.
My scans are taking a very long time?
  • In the CPENT, you have to let the network show you the way. If you are running default scans and intense scans of all ports, then the scans could take a long time. Ensure you review what the network is telling you and let the packets show you the way. Go Deeper and get past the challenges that are between you and the scan results. If you follow best practices of scanning against a filtered environment, you will be able to get the required results.
I am not sure what to do?
  • Let the packets show you the way. Analyze it. Go Deeper and follow the scanning methodology. Testing is a systematic process, so make sure to follow the process. Refer to the scope of work for each zone and proceed as you would in a real test. Determine the best path to follow to get the results you need.
I cannot get any response to my live systems scan?
  • You have to let the packets show you the way. Analyze it, then Go Deeper. If you aren’t getting results from a system scan, then change your mindset and look at what the network is telling you. This requires you to analyze it. The best method is to observe the network traffic using a protocol analyzer and read the network, then take what the network gives.
Why are my scans returning hardly any ports open?
  • In a highly filtered environment you have to let the packets show you the way. Analyze the protocols and see if this matches what you expect. Once you have done that Go Deeper and look for weaknesses. Once you discover that, leverage it to gain access
I am having problems with my binary exploitation. I have exploited the application, but have not been able to escalate the privileges. Why is this?
  • There are protections in place that prevent the effective ID from gaining you root privileges, so you have to write a program or change the shell code to bypass the protections. Look at the escalation process and Go Deeper.
I cannot get the answer for the OT network registers?
  • To solve this you have to identify the PLC, then the communication stream and interpret it. Let the packets show you the way. Analyze it and Go Deeper! The first step is to get access to the OT network.
How do I attack the Active Directory network zone?
  • As with any network you have to identify the targets, then ask “what would I see in Active Directory environment?” Once you have done, that Go Deeper and analyze it. Take what the network can give. Then look for Kerberos weaknesses and see if you can compromise a ticket.
I am unable to extract the firmware in my IOT zone
  • Check the syntax and make sure you have entered the options correctly. Ensure you have privileges to write to the folder that you are extracting the firmware file system to. Review the error message and see if you can figure it out, then Go Deeper.
I am unable to get the firmware to mount and boot
  • This is not required to get the answers to the questions. You can obtain them without booting the image and corresponding file system. In other words, you can do static analysis and get the required information to score points.
The servers reject all packets to my IP (and filter all host port except web server), by these reason I can\’t get a shell to privilege escalation (with a simple rce it\’s not possible to get root). Is this part of the exam correct?
  • You need to notice the ports that you are using. The egress ports need to be ports that are not normally proxied, so the question to ask is what ports are going to egress out? The ports 80 and 443 are poor choices since they are normally proxied. Again, Go Deeper!
I cannot find any live systems on some of the 192.168 addresses
  • The zones include a directly connected zone which is the 172.25.X.X network. When it is a 192.168.X.X network it should have a DMZ where the servers/machine reside. Like most zones there is one or more weaknesses that have to be discovered by mapping the attack surface through the filter which is step one. The firewall only allows a certain number of ports and that is where you need to start. The ICMP protocol should not be allowed in an enterprise from the outside world. The key is to determine the ports that are allowed and then use that to map the attack surface. From there, look for other networks from that position and for a way to gain access. You accomplish this by reading what the packets tell you and taking what the network provides and Go Deeper. Not all subnets are visible from the 172.25.X.X network, some will require access to a 192.168.X.X first.
\”The user says that for the OT range i would like to check if the target is up? i cannot identify the target may i have the objective of the OT range it seems unclear to me\” for the OT range, I would like to check if the target is up?,i cannot identify the target, may i have the objective of the OT range, it seems unclear to me.
  • The OT network is NEVER reachable, so you have to find the weak machine in the IT network and use it to access the OT network. There is one weak machine that is connected to the OT network where an operator uses it to monitor the dashboards of the OT network. Once you gain access to that machine you can do recon FROM that machine to see the OT network traffic between the sensors and the PLC. No ICMP is allowed across the public to the other networks and limited ports for attack surface. In an enterprise level OT network there should never be traffic allowed from the OT network out. Read the network packets and take what it gives then, Go Deeper to obtain the required data.
192.168.110.230 and 172.25.100.105 these are not reachable I have reverted also but not reachable
  • You have to read what the network is telling you, then you can identify the targets. As mentioned in the scope and guide, in an enterprise there will be some type of filtering in place, so you have to read the results and Go Deeper to extract information. Since this is the OT scope, you also have to think of how an OT network is designed. In the scenario it is explained that there is one machine on the IT side that an engineer is using to get data from the OT side, so once you identify that then you have to look for the network communication from the OT network.
in the AD part, I can\’t reach the hosts (I have done multiple scans, even with -Pn and not a single open port appears). I also tried to see if traceroute could reach them, but no luck.
  • In the AD zone, there is one or more weak machine and that is the vector by which you need to gain access. Once you gain access by discovering and finding a weakness in a machine, the AD forest will be there. Again, this is basic defense for an AD environment; therefore, you have to take what the network provides and “Go Deeper” to gain access.
In the Active Directory challenge I need to compromise the machine 172.25.170.20, this machine is down. The only machine that is up is the 172.25.170.250, but all the ports are closed
  • It is not down. You have to find the weak machine and then from that machine you can see the forest. Think how a network is designed; the Domain Controller should not be directly reachable, this is defined in the exam guide. There should be more machines up, but if you cannot ping them, you have to Go Deeper and use other methods.