I Completed TryHackMe's Most Popular Pentesting Path — Was It Worth It?

I Completed TryHackMe's Jr Penetration Tester Path — Every Room, Every Struggle, and What It Actually Teaches You


On March 7, 2026, I got a TryHackMe certificate notification that felt more significant than the others. I had earned the Jr Penetration Tester path completion certificate — the one that sits at the top of the beginner-to-intermediate bridge on TryHackMe, covering reconnaissance, exploitation, privilege escalation, and post-exploitation in a way that none of the introductory paths do.

I had started with Pre Security on February 16, 2026 — meaning I completed three full learning paths in roughly three weeks alongside my MCA coursework. That pace was probably too aggressive for someone trying to absorb everything properly, and I'll be honest about what I skimmed and what I genuinely learned in this post.

But first: the path completion is real, the dates are on my public TryHackMe profile at tryhackme.com/p/AmardeepM, and what I learned from it has directly shaped every piece of practical work I've done since — including the bug bounty findings, the home lab setup, and the penetration testing methodology I describe across this blog.

This is the honest account of that experience.

My TryHackMe Certificate Timeline

  • Feb 16, 2026: Pre Security (Legacy) — Certificate Earned. Networking, Linux, web fundamentals. The foundation everything else sits on.
  • Mar 7, 2026: Jr Penetration Tester (Legacy) — Certificate Earned. Recon, exploitation, privilege escalation, post-exploitation, web attacks. The main event.
  • Apr 22, 2026: Web Fundamentals (Legacy) — Certificate Earned. Web application security pathway: OWASP, Burp Suite, web attacks in depth.
  • May 15, 2026: Cyber Security 101 — Certificate Earned. Comprehensive intro to offensive and defensive security career paths.

What this covers:
  1. Why I started with Pre Security before Jr Pen Tester
  2. The Jr Pen Tester path — module by module honest account
  3. The rooms that were harder than expected
  4. The rooms that changed how I think
  5. What the path doesn't teach you (important gaps)
  6. How it compares to PortSwigger and HackTheBox
  7. What to do after completing it

  • 19 days from Pre Security start to Jr Pen Tester certificate
  • Top 2% TryHackMe global ranking at time of writing
  • 170+ total TryHackMe rooms completed across all paths

Why I Started With Pre Security First

The Starting Point

I want to be clear about something upfront: I did not go straight into Jr Penetration Tester cold. I started with the Pre Security path on February 16, which I completed before moving to Jr Pen Tester. This matters because the people I've seen struggle most with Jr Pen Tester are the ones who skip the foundation entirely — they jump straight into exploitation rooms and get confused because they don't understand why commands work or why services behave the way they do.

Pre Security covered networking basics (how TCP/IP actually works, what DNS is doing, how HTTP requests travel), Linux fundamentals (terminal commands, file permissions, process management), and web fundamentals (HTTP, cookies, sessions, how browsers communicate with servers). It took me about a week of consistent evening study to complete — roughly 1-2 hours per day alongside my MCA coursework.

My honest assessment of Pre Security: it is the right starting point if you don't have a networking background. If you've done a networking course in your engineering programme, the networking section will be review. The Linux and web sections are valuable regardless of background — particularly the web section, which gave me mental models for HTTP that I still use every time I open Burp Suite.

The Jr Pen Tester Path — Phase by Phase

The Jr Penetration Tester path is structured in modules covering different areas of offensive security. I'll go through the major ones in order, with honest notes on what each taught me and where I struggled.

1. Pentesting Fundamentals (~2 days)

The opening module covers what penetration testing actually is — the legal framework, the types of engagements (black box, grey box, white box), the methodology stages, and the rules of engagement. This is the context-setting module that most people rush through to get to the "real" stuff.

I rushed it. I was impatient to get to exploitation and treated this as administrative content to click through. That was a mistake I recognised about three weeks later when I started doing bug bounty work and realised I had a weak understanding of scope, engagement types, and why methodology structure matters. I went back and re-read this module properly before my first HackerOne submission.

  • What it covers: Ethics and legality, types of pentesting, methodology overview, scoping concepts
  • What I'd tell my past self: Read this slowly. The methodology concepts here are more important than the technical rooms that follow

2. Introduction to Web Hacking (~5 days)

The web hacking introduction module covers the OWASP Top 10 vulnerabilities through guided labs — SQL injection, XSS, command injection, IDOR, SSRF, authentication bypasses, and more. Each vulnerability gets a theoretical explanation followed by a practical lab where you exploit it in a controlled environment.

This was the module where Jr Pen Tester earned my full attention. The IDOR room in particular — where you manipulate object references in URLs and API calls to access data belonging to other users — was the first time I understood an attack not just conceptually but mechanically. I replicated the exact same technique in a real bug bounty programme six weeks later and found a valid Medium-severity finding.

  • What it covers: Walking Application Content, SQL injection, authentication, SSRF, XSS, command injection, IDOR
  • The room that changed everything for me: IDOR — a technique I had read about became something I understood at a level where I could find it in the wild
  • Gap I noticed: The SQL injection coverage here is introductory. PortSwigger Web Security Academy goes significantly deeper on this specific topic

3. Burp Suite (~3 days)

The Burp Suite module introduces the tool that every web application pentester uses — the HTTP proxy that intercepts traffic between your browser and the target, letting you inspect and modify every request and response. The module covers setup, proxy configuration, the Repeater tool, the Intruder tool for fuzzing, and the Decoder.

I had tried to use Burp Suite before starting TryHackMe and found it confusing. The documentation is dense and assumes you know what you're trying to do. The TryHackMe Burp Suite rooms explain it in the right order — why each feature exists, what problem it solves — before showing you how to use it. That pedagogical approach made a tool I had previously found frustrating become one I use comfortably in every web testing session.

The Moment It Clicked

The Burp Suite Repeater room — where you capture a request, send it to Repeater, and modify parameters to test different inputs — was the first time I felt genuinely in control of what I was doing in a web security context. Before this, I had been following steps. After this, I was making deliberate choices about what to test and why. That shift from instruction-following to deliberate testing is what the Burp Suite module gave me.

4. Network Security — Nmap, Protocols, and Services (~4 days)

The network security section covers Nmap in detail — every scan type, timing options, NSE scripts, output formats — followed by rooms on specific protocols and services: FTP, SSH, Telnet, email services (SMTP, POP3, IMAP), database services (MySQL, MSSQL). Each service room teaches you how the service works and common attack vectors against it.

The Nmap room was straightforward because I had been using the tool in my home lab. The service-specific rooms were more educational — particularly the database services rooms, which taught me how MySQL databases respond to enumeration and how SQL credentials exposed through misconfigured services lead to direct data access. Understanding databases at this level later helped me write more targeted SQL injection payloads on PortSwigger's Practitioner labs.

  • Hardest room in this section: Active Directory basics — introduced the concept but didn't go deep enough for me to feel confident with it. This remains a gap in my knowledge
  • Most practically useful: Nmap NSE scripts — I hadn't realised how much scripting capability was built into Nmap until this room

5. Metasploit Framework (~3 days)

The Metasploit module covers the exploitation framework that most beginners have heard about but few actually understand properly. It covers the architecture (exploit modules, payloads, auxiliary modules), msfconsole navigation, searching for and configuring modules, the difference between staged and stageless payloads, and Meterpreter post-exploitation.

I want to be honest about something here: Metasploit is powerful, and learning to use it properly is valuable — but it's also a crutch if you don't understand what's happening underneath. The TryHackMe module teaches you how to use it. It doesn't teach you why the exploits work. I deliberately supplemented this by looking up the CVE for every exploit I used in the module — understanding the actual vulnerability, not just the tool that exploits it.

Advice I wish someone had given me earlier: For every Metasploit module you run in a lab, look up the CVE it's exploiting. Find the vulnerability description, understand why the code is exploitable, read the patch notes. This doubles the learning per room and prevents Metasploit from becoming a magic box you don't understand.

6. Privilege Escalation — Linux and Windows (~4 days)

The privilege escalation rooms — separately for Linux and Windows — were the hardest and most educational part of the entire path for me. Privilege escalation is the process of going from a limited foothold on a system to full administrator/root access, using misconfigurations, weak permissions, unpatched vulnerabilities, or credential exposure.

The Linux PrivEsc room teaches a systematic enumeration methodology: check SUID binaries, check sudo permissions, look for cron jobs running as root, look for writable files in sensitive locations, check environment variables and PATH manipulation. Each technique has a room section where you apply it. Working through all of them took two full evenings.

The Windows PrivEsc room covers a parallel set of techniques: service misconfigurations, unquoted service paths, registry autoruns, stored credentials, token impersonation. Windows PrivEsc was harder for me because I had less Windows experience than Linux. I completed the room but returned to it two weeks later and worked through it again more carefully.

The Room That Changed How I Think

The Linux PrivEsc room's SUID section — where a binary with the SUID bit set runs with the file owner's permissions regardless of who executes it — made something click about how permission models actually work. Every permission misconfiguration I've found since has been recognisable because of that section. The conceptual shift from "here's how to run this command" to "here's why the operating system allows this to happen" happened here for me.
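The enumeration checklist from the Linux PrivEsc room (SUID binaries, writable files in sensitive locations, PATH manipulation) and the SUID permission model described above can be turned into a host-side audit. This is an added example written for this post, not material from the room; the directory tree it audits in run_demo is constructed in a temp directory, and the file names (passwd, backup.sh, settings.ini) are illustrative.

```python
"""Host audit for the checks the Linux PrivEsc room walks through.

Added example, not the room's own material. It reports what the enumeration
methodology asks for on a directory tree: setuid binaries, setuid binaries other
users can modify, world-writable files, and PATH entries an attacker could abuse.
Point audit_tree at '/' for a real review; run_demo builds a constructed tree."""
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AuditReport:
    suid: List[str] = field(default_factory=list)            # setuid binaries
    world_writable: List[str] = field(default_factory=list)  # anyone can edit
    risky_suid: List[str] = field(default_factory=list)      # setuid AND others can write


def audit_tree(root: str) -> AuditReport:
    """Walk root and classify every regular file by its permission bits."""
    report = AuditReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # vanished or unreadable: skip rather than abort
            if not stat.S_ISREG(mode):
                continue  # symlinks, sockets and devices are not binaries
            if mode & stat.S_ISUID:
                report.suid.append(path)
            if mode & stat.S_IWOTH:
                report.world_writable.append(path)
            # The misconfiguration the room has you look for: a file that runs as
            # its owner (often root) yet other users are permitted to change it.
            if mode & stat.S_ISUID and mode & (stat.S_IWGRP | stat.S_IWOTH):
                report.risky_suid.append(path)
    return report


def audit_path(path_value: str) -> List[Tuple[str, str]]:
    """Flag PATH entries usable for PATH hijacking: empty or relative entries
    (resolved against the current directory) and directories others can write."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "writable by others"))
    return findings


def build_demo_tree(base: str) -> Dict[str, str]:
    """Constructed fixture: a normal setuid binary, a setuid binary that is also
    group-writable, and a world-writable config file in a world-writable dir."""
    bin_dir = os.path.join(base, "usr", "bin")
    opt_dir = os.path.join(base, "opt", "backup")
    os.makedirs(bin_dir)
    os.makedirs(opt_dir)
    paths = {"passwd": os.path.join(bin_dir, "passwd"),
             "backup": os.path.join(opt_dir, "backup.sh"),
             "config": os.path.join(opt_dir, "settings.ini")}
    for p in paths.values():
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(bin_dir, 0o755)
    os.chmod(opt_dir, 0o777)            # anyone can drop files here
    os.chmod(paths["passwd"], 0o4755)   # setuid, owner-writable only: expected
    os.chmod(paths["backup"], 0o4775)   # setuid and group-writable: risky
    os.chmod(paths["config"], 0o666)    # world-writable file
    return paths


def run_demo() -> Tuple[AuditReport, List[Tuple[str, str]], Dict[str, str]]:
    """Build the fixture, audit it, and audit a PATH holding both directories
    plus a trailing empty entry (the classic 'PATH=$PATH:' mistake)."""
    base = tempfile.mkdtemp(prefix="privesc_audit_")
    paths = build_demo_tree(base)
    demo_path = os.pathsep.join([os.path.join(base, "usr", "bin"),
                                 os.path.join(base, "opt", "backup"), ""])
    return audit_tree(base), audit_path(demo_path), paths
```

The passwd stand-in is reported as setuid but not risky, while backup.sh lands in risky_suid because a group member could rewrite a binary that runs as its owner.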

The Rooms That Were Harder Than Expected

Hardest: Active Directory Basics (~2 evenings)

Active Directory is the identity and access management system used in almost every corporate Windows environment. The TryHackMe room introduces the concepts — domains, trees, forests, users, groups, Group Policy Objects — but stops well short of the attack techniques that make AD knowledge valuable for real penetration testing.

I found this room frustrating in a specific way: it taught me enough to know that I needed to know more, but not enough to actually do anything with the knowledge. The concepts are abstract without hands-on practice against a real AD environment.

What I struggled with: The conceptual model of nested groups, trust relationships between domains, and Kerberos authentication flow. These are not intuitive without a visual diagram and several re-reads.
What I'm doing to fill this gap: Setting up a Windows Server VM with Active Directory in my home lab — the only way to really understand AD is to configure it yourself, break it, and then attack it. This is my current major project.

Hard: Shells and Payloads (~3 evenings)

The shells and payloads room covers the difference between bind shells and reverse shells, different shell types (web shells, TTY shells, fully interactive shells), payload generation with msfvenom, and shell stabilisation techniques. This room assumes comfort with networking concepts and Linux that took me most of the first evening to refresh before the room made sense.

The specific stumbling block: understanding why a reverse shell works the way it does — your machine listens, the target connects back to you — required me to draw a diagram of the connection flow before it clicked. The room explains it but the explanation is brief. If you're confused by this, draw it out.

What I struggled with: Shell stabilisation — the multi-step process of upgrading a basic netcat shell to a fully interactive TTY shell using Python, stty commands, and background processes. I had to work through this four or five times before it became automatic.
What it built: Once I understood shell stabilisation properly, the entire post-exploitation phase of any lab became cleaner. A properly stabilised shell with tab completion and proper terminal control is a significantly better working environment than a raw netcat connection.

Medium: Advanced Exploitation Topics (~2 evenings)

The rooms covering advanced exploitation — file inclusion vulnerabilities (LFI/RFI), SSRF in depth, and some of the more complex web vulnerabilities — required significantly more re-reading than the earlier rooms. These topics assume comfort with how web servers execute code, which is a level of web architecture understanding that the earlier foundation rooms don't fully build.

What I struggled with: Local File Inclusion chaining — using LFI to read log files, then poisoning those logs with PHP code to achieve Remote Code Execution. The multi-step nature of this attack chain means one misunderstood step breaks the whole exploit. Took me three separate attempts across two days.
What it built: A much deeper appreciation for how web servers process file paths and how that processing can be manipulated. The LFI attack chain is directly relevant to a class of real vulnerabilities that still appear in bug bounty programmes.

The Rooms That Changed How I Think

Favourite: IDOR — Insecure Direct Object References (~1 evening)

IDOR is a vulnerability where an application uses user-controlled references (like a numeric ID in a URL) to access objects, without verifying the requesting user is authorised to access that specific object. The TryHackMe room explains this through a series of escalating examples — parameter manipulation in URLs, then in POST body data, then in cookies, then in encoded values.

This room was the direct cause of my first valid bug bounty finding. Six weeks after completing it, I was testing an e-commerce platform on HackerOne and noticed an order ID in an API endpoint. I modified the ID. I saw another user's order details — delivery address, email, order contents. Submitted as Medium severity. Accepted. That real-world connection between a TryHackMe room and a verified real vulnerability is exactly what the platform is supposed to provide, and this room delivered it for me.

What it built: Systematic thinking about every place an application uses a reference to identify a resource. Once you understand IDOR, you see potential IDOR everywhere — every numeric ID, every username in a URL, every object reference becomes something to test.
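To make the IDOR pattern from the web hacking module and this section concrete, here is the order lookup in vulnerable and fixed form, including the encoded-cookie variant the room builds up to. This is an added example written for this post, not code from the room or from the e-commerce platform mentioned above; the users, order ids and addresses are constructed.

```python
"""IDOR: the same order lookup with and without an ownership check.

Added example to illustrate the room's point; it is not the room's code or
the author's bug bounty target. Orders and users below are constructed."""
import base64
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str        # username that placed the order
    address: str
    contents: str


# Constructed sample data standing in for the application's database.
ORDERS = {
    1001: Order(1001, "alice", "12 Example Lane", "laptop"),
    1002: Order(1002, "bob", "7 Sample Road", "headphones"),
}


def vulnerable_lookup(session_user: str, order_id: int) -> Tuple[int, Optional[Order]]:
    """Returns (status, order). The order is fetched purely by the
    client-supplied id; the logged-in user is never compared with the owner,
    so any authenticated user can change the id and read anyone's order."""
    order = ORDERS.get(order_id)
    return (404, None) if order is None else (200, order)


def secure_lookup(session_user: str, order_id: int) -> Tuple[int, Optional[Order]]:
    """Same lookup, but the object is released only to its owner: 404 for a
    missing id, 403 for someone else's order (answering 404 to both also hides
    which ids exist). In SQL this is 'WHERE id = ? AND owner = ?', not a
    post-filter applied after fetching the row."""
    order = ORDERS.get(order_id)
    if order is None:
        return 404, None
    if order.owner != session_user:
        return 403, None
    return 200, order


def encode_order_cookie(order_id: int) -> str:
    """Reference hidden in a base64 cookie, as in the room's later examples."""
    return base64.b64encode(str(order_id).encode()).decode()


def lookup_from_cookie(session_user: str, cookie_value: str) -> Tuple[int, Optional[Order]]:
    """Decoding is not authorisation: the encoded reference is still
    user-controlled, so the same ownership check has to run afterwards."""
    try:
        order_id = int(base64.b64decode(cookie_value, validate=True).decode())
    except (ValueError, UnicodeDecodeError):
        return 400, None
    return secure_lookup(session_user, order_id)
```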

Favourite: Nmap — Network Scanning in Depth (~2 evenings)

I had used Nmap before this room. After this room, I understood it. The distinction matters. The TryHackMe Nmap rooms go through every scan type (SYN scan, UDP scan, NULL scan, FIN scan, Xmas scan), timing options, output formats, host discovery, and crucially — the NSE (Nmap Scripting Engine) that lets you run scripts against discovered services to automate enumeration.

The realisation that Nmap is not just a port scanner but a scriptable platform for service-specific enumeration — that nmap -sC -sV runs the default script category against discovered services, and that there are scripts for detecting specific CVEs, for pulling SSL certificate information, for enumerating SMB shares — changed how I approach the reconnaissance phase of any assessment.

Command I use in every lab session since this room: nmap -sC -sV -oA initial_scan [target] — service version detection, default scripts, output in all formats for documentation. This came directly from the methodology taught in this room.

What the Path Doesn't Teach You — Important Gaps

Honest Assessment — The Gaps

Active Directory in any practical depth. The room introduces the concepts but doesn't cover AD attack techniques (Kerberoasting, AS-REP Roasting, Pass-the-Hash, BloodHound enumeration). These techniques are central to real corporate penetration testing and are absent from Jr Pen Tester. TryHackMe's separate Active Directory module covers them — it should be your next stop after completing this path if you're targeting pentesting roles.

Report writing. The path includes a brief section on penetration testing reports, but it doesn't give you practice actually writing one. Professional pentest reports are a significant skill — clear vulnerability descriptions, reproduction steps, impact ratings, remediation recommendations. The only way to develop this is to document your own lab work the way a report would. I started doing this from my 10th TryHackMe machine onward.

Real-world application complexity. TryHackMe labs are designed to be exploitable. Real applications have WAFs, rate limiting, input validation, and defensive configurations that labs typically don't simulate. The gap between lab success and bug bounty success is exactly this — and it's a gap you only close by spending time on real targets through bug bounty programmes.

Evasion and OPSEC. How to avoid detection, clear logs, maintain persistence carefully — the offensive security skills that matter for red team work specifically are not covered in Jr Pen Tester. These come later in the learning journey.

How Jr Pen Tester Compares to PortSwigger and HackTheBox

| Aspect | TryHackMe Jr Pen Tester | PortSwigger Academy | HackTheBox |
| --- | --- | --- | --- |
| Best for | Structured beginner-to-intermediate roadmap | Web application security depth | Realistic challenge machines |
| Guidance level | High — step-by-step instructions | Medium — theory + lab, some hints | Low — figure it out yourself |
| Web security depth | Introductory — good breadth | Deep — the best free resource | Applied in challenge context |
| Network pentesting | Good — Nmap, Metasploit, services | Not covered | Excellent — realistic targets |
| Cost | Free tier (limited time) or ~$14/month | 100% free | Free tier (limited) or ~$14/month |
| Right order | Start here | Do alongside or after | After TryHackMe foundation |
| My honest verdict | Best structured beginner path available | Essential for web security | Where you level up after foundations |

My actual workflow after completing Jr Pen Tester: PortSwigger Web Security Academy in parallel with HackTheBox Starting Point machines. TryHackMe gave me the methodology. PortSwigger deepened my web security knowledge. HackTheBox is where I test whether I can apply both without guidance.

What to Do After Completing Jr Pen Tester

This is the question I had the day I got the certificate notification. I'd completed the path — now what? Here's what I actually did, in order:

  • Immediately: Started PortSwigger Web Security Academy from the beginning. The overlap with Jr Pen Tester's web content reinforced it, and PortSwigger goes significantly deeper on every topic.
  • Week 1 after certificate: Set up my home lab — Kali Linux + Metasploitable 2 + DVWA in VirtualBox. The first time I practiced everything I'd learned against systems I fully controlled, not guided lab environments. Full setup guide: I Built a Hacking Lab for ₹0.
  • Month 1 after certificate: First HackerOne bug bounty submissions. The IDOR technique from Jr Pen Tester's web hacking module went directly into real-world practice here. Three months later: 6 valid findings including 2 Medium IDOR vulnerabilities.

The single most important thing I did after getting the certificate: I started documenting everything publicly. GitHub writeups, this blog, the TryHackMe public profile. The certificate is private knowledge until it's verified by public evidence. The public evidence is what employers, interviewers, and program managers on HackerOne can actually evaluate. Don't just complete paths — document that you completed them and what you learned.

Was It Worth It? My Honest Final Assessment

Yes — with the right expectations. The Jr Penetration Tester path is not a substitute for real-world experience, and it doesn't pretend to be. It is the best structured introduction to offensive security methodology that I've found at any price point, including paid courses that charge significantly more.

What it gave me: a methodology framework I think in, practical familiarity with tools I use every day (Nmap, Burp Suite, Metasploit), web security knowledge that directly translated to real bug bounty findings, and enough comfort with Linux to stop second-guessing every terminal command.

What it didn't give me: Active Directory depth, evasion skills, the ability to compromise a real HackTheBox machine without hints, or the report writing skills that professional pentesting requires. Those came from what I did after the path, not from the path itself.

If you're at the beginning of a cybersecurity journey: Pre Security → Jr Penetration Tester → PortSwigger Web Security Academy in parallel with HackTheBox → home lab → bug bounty. That sequence worked for me. The certificate on March 7 was a milestone in the middle of a longer road, not the destination.

About the Author

Amardeep Maroli

MCA (Master of Computer Applications) — PES University, Bengaluru
Cybersecurity Intern — Inhok Technologies
TryHackMe — Top 2% Globally (160+ completed labs, Jr Penetration Tester certified)
Certifications: CTIGA, CRTOM, CSEDP

Hands-on experience with SIEM tools (Wazuh, ELK Stack, Splunk), cloud security, and network penetration testing. I document my cybersecurity research at TechWithAmardeep.

TryHackMe Jr Pen Tester — FAQs

How long does the Jr Penetration Tester path actually take?
TryHackMe estimates 64 hours for the full path. I completed it in approximately 19 days (Feb 16 to Mar 7) while doing MCA coursework alongside it — so roughly 2-3 hours per day on average, with some longer weekend sessions and some days where I only completed one room. If you're studying full-time with 4-5 hours per day, 2-3 weeks is realistic. If you're studying part-time alongside work or university, 4-6 weeks is more comfortable. I'd recommend the slower pace — I rushed through the Pentesting Fundamentals module and had to go back and re-read it later. Understanding each module properly the first time saves more time than rushing through it.
Do I need to pay for TryHackMe to complete Jr Penetration Tester?
The Jr Penetration Tester path is available on the free tier, but TryHackMe free accounts have a daily machine time limit — you get a limited number of hours per day on the AttackBox (the browser-based Kali Linux environment). If you're using your own Kali Linux setup over the VPN connection (download the TryHackMe VPN config and connect your own machine), there's no time limit. I used my own Kali VM over VPN for most rooms after the first week, which removed the free tier limitation entirely. TryHackMe Premium ($14/month) removes all limits if you prefer the browser-based approach. For a path of this length, having your own Kali setup is worth the one-time configuration effort.
Is Jr Penetration Tester enough to get a cybersecurity job?
The certificate alone is not enough for most positions — but completing the path genuinely builds skills that show in interviews. The distinction matters: employers don't care about the TryHackMe certificate in isolation, but the knowledge and practical ability the path builds is directly relevant to entry-level security roles. What I found in my job applications: listing "Completed TryHackMe Jr Penetration Tester path" on its own got no responses. Listing it alongside my public TryHackMe profile link (showing my rank and completion history), my GitHub portfolio, and my HackerOne findings got responses. The path builds skills; the public profile and portfolio evidence proves those skills. You need both.
Should I do the Legacy version or the updated Jr Penetration Tester path?
I completed the Legacy version (as shown on my certificate — "Jr Penetration Tester Legacy"). TryHackMe has released an updated version of the path with more current content. If you're starting now, do the updated version — it has better coverage of modern attack techniques and updated tooling. The Legacy version still counts as a valid completion and the core methodology content is the same, but new learners should take the current version. The certificate I earned is Legacy because I completed it before the updated version was the default — both are recognised on the platform and both teach the same fundamental skills.
What should I do after completing Jr Penetration Tester?
Based on my experience: (1) PortSwigger Web Security Academy for deeper web security — the Jr Pen Tester web content is introductory, PortSwigger goes much deeper on every topic; (2) Set up a home lab with Kali + Metasploitable for practicing everything you learned without guided prompts; (3) Start HackTheBox Starting Point machines — these are harder than TryHackMe rooms and don't tell you what to do; (4) Consider CompTIA Security+ for the certification credential that Jr Pen Tester knowledge directly supports; (5) Start bug bounty on HackerOne with the IDOR and web attack techniques the path taught you. That sequence is what I followed and it worked. Don't stay on TryHackMe indefinitely — at some point you need real targets.

If you're working through Jr Penetration Tester right now — which room is giving you the most trouble? And if you've completed it, what was the first real-world thing you did with the skills? The comments here tend to be genuinely useful because people share specific answers, not generic encouragement.
