It Took Blood, Sweat, and Tears, But I Finally Collected All of TCM Security’s Academic Certs!

I finally did it! I’ve successfully obtained all the academic certifications from TCM Security.

Well, almost all of them. There’s still one left, the PCRP, but I’ll explain in a bit why I’ve chosen not to pursue it for now.

In this article, I’m going to review all the academic certifications from TCM Security that I’ve passed. Let’s dive into what each one is like!

A Little About TCM Security

TCM Security is a cybersecurity company that primarily provides Penetration Testing, Cybersecurity Training (for both Red and Blue Teams), and Compliance Services to help protect the data and systems of various organizations, ranging from Fortune 500 companies to government agencies and educational institutions.

The part we’re interested in is the cybersecurity training. Simply put, this service offers various courses paired with certification exams. A key feature of TCM Security is its emphasis on 100% practical application. The exams have no multiple-choice questions; you have to perform real tasks and submit a report, just like a real-world job.

Types of Certifications

Certifications from TCM Security are divided into three tiers:

  • Associate: Entry-level certifications. The course content and exams are not overly difficult. The exam tasks are straightforward. If you understand the fundamentals and are observant, you’ll pass with ease. This group includes the PHDA, PIPA, PJPT, PWPA, PMPA, and PSAA.
  • Professional: Professional-level certifications. The course material builds on the Associate tier. The exams are more intense, requiring more complex processes and a greater application of learned knowledge. This group includes the PNPT, PORP, PMRP, and PWPP.
  • Expert: The newest and most advanced tier in the TCM Security lineup. It is considered the most difficult and complex. The course content expands on the previous two tiers, incorporating modern features and techniques. Currently, there is only one certification in this group: the PWPE.

Now, I thought for a while about how to order my review of each cert. Reviewing them by tier felt too ordinary. So, I’m going to review them based on my personal preference, ranking them by a mix of difficulty and enjoyment. I won’t be revealing any specific exam details, just sharing my experience.

My TCM Security Certification Journey: A Quick Review

Category: A Walk in the Park

This group includes exams that are not difficult at all. Just complete the course, practice a little, and the fundamental knowledge you’ve learned will be more than enough.

  • Practical Help Desk Associate (PHDA)

This certification is designed for those interested in IT Support. The course covers basic computer knowledge for both Windows and Linux, as well as user account management within an organization. The exam content is quite diverse. The Linux part was a bit tricky, but the Windows section was extremely fun and not difficult at all. My long experience with Extreme IT paid off, as I got to fully apply my computer knowledge.

  • Practical IoT Pentest Associate (PIPA)

This cert is all about pentesting IoT devices, with a heavy focus on Wi-Fi. This was a completely new field for me. I was used to web pentesting, but here I had to learn how to find vulnerabilities in firmware, APIs, and even perform buffer overflows. It sounds difficult, but the content is quite simple, and the exam wasn’t as hard as I thought. Study the course well and practice a bit to grasp the pentesting concepts, and you’ll pass easily.

  • Practical Mobile Pentest Associate (PMPA)

I stumbled into taking this exam. At the time, I needed to help a junior compete in a CTF, and I had almost no background in mobile pentesting. So, I enrolled in this course, which focuses heavily on Android pentesting. The course was very enjoyable and also included iOS pentesting. The exam itself was quite easy (I could even say very easy). I was able to wrap it up quickly and write the report. I remember submitting the exam in the morning and receiving the passing result by the evening.

Category: Mostly Easy, But with a Catch

The exams in this group are genuinely easy, but they have sections that require extra observation and some additional learning before you dive in. It’s like 90% simple and 10% not so much.

  • Practical SOC Analyst Associate (PSAA)

This is a Blue Team cert for those preparing for a Tier 1 SOC (Security Operations Center) role. The course content is intense and provides a really solid foundation for becoming a SOC analyst, covering topics like phishing analysis, incident response, threat intelligence, network monitoring/detection, endpoint monitoring/detection, and SIEM. I found the exam to be manageable; most of it was straightforward.

However, the harder parts required some extra practice. I can’t say what was difficult, but I can say that practicing with the course material is sufficient to pass.

  • Practical Junior Penetration Tester (PJPT)

This was my very first penetration testing certification. The content is heavily focused on Active Directory (AD) pentesting. This is where you’ll build your foundational pentesting skills. Even though the exam is easy, the tricky part I mentioned is where you need to be meticulous. Sometimes, a tiny mistake can cause you to fail TCM Security’s requirements. Overall, though, it’s an easy exam.

  • Practical Web Pentest Associate (PWPA)

This was the starting point of my web pentesting journey and the reason I’ve loved it ever since. The PWPA comes with a bug bounty course that teaches all the fundamental web pentesting knowledge a beginner needs. Honestly, if you want to start web bug hunting, this course and cert are the perfect place to begin.

However, even though the exam was easy and I was sure I had a passing score, I had to take the PWPA twice. The reason was that I “missed a critical finding.” There was a specific vulnerability I didn’t find, and it seemed to be a key factor in TCM’s pass/fail decision. But don’t worry; if you fail, TCM provides a small hint. If you analyze the hint, you will definitely pass on the next attempt.

Category: Challenging But Fun

This group features exams that are difficult and intense, but I had a blast while taking them. The difficulty level was perfectly matched with the content.

  • Practical Web Pentest Professional (PWPP)

After the PWPA, I was still fired up and immediately bought the PWPP course to continue learning. I wanted to dive deeper into web pentesting, and the PWPP added content on advanced web hacking and API hacking. This really opened up my world.

As for the exam, I’d say it was more moderate than difficult. You can find basic vulnerabilities easily by building on your PWPA knowledge. The fun part is finding advanced vulnerabilities and chaining them to create a higher-impact exploit. Overall, I consider the PWPP to be a top-tier web pentesting exam that I highly recommend.

  • Practical Network Penetration Tester (PNPT)

Alright, let’s talk about the star of the show. It’s not the most difficult cert from TCM Security, but it is the most recognized worldwide: the PNPT. The PNPT exam combines all the essential skills a standard penetration tester should have. It doesn’t focus purely on web pentesting, which I love, but it required me to use all the skills I had learned.

Coincidentally, the PNPT was the last cert I took. The fun came from being able to pour all my accumulated knowledge into this one exam. In terms of difficulty, I’d still place it in the moderate range—not overwhelmingly hard, but not a simple pass either. Each vulnerability requires a keen eye and great attention to detail.

But the meticulousness doesn’t end there. The report grading for the PNPT is, in my opinion, quite strict. You have to write a comprehensive report covering every detail. Importantly, there’s also a debrief, where you present your findings from the pentest, simulating a presentation to a client. That’s what makes the PNPT a legendary certification from TCM Security.

Category: Hard Until It Clicks

This one is genuinely tough—both the learning material and the exam. At first, I could barely find anything. But once you find that one key insight, it’s a straight path to passing.

  • Practical Web Pentest Expert (PWPE)

This is the only Expert-level certification from TCM Security and the pinnacle of difficulty in their web pentesting lineup. The Advanced Web Hacking course content was filled with unfamiliar topics like GraphQL, Prototype Pollution, Cache Poisoning, and more. While some may be familiar with these, for someone like me with no professional experience in the field, it was truly difficult.

As for the exam, when I say it was hard, I mean I initially found absolutely nothing. I submitted my first report feeling hopeless, and of course, I failed. I had to go back and rethink everything until I found one point that made me think, “This might be worth a try.” I immediately started a new exam attempt to test my theory. And bingo!

That single thing I had overlooked made the most difficult exam suddenly become much, much easier. It felt like a huge weight was lifted off my shoulders. And an important note about the PWPE: I am the first person in Thailand and the fourth person in the world to pass this certification! Yay!

Category: Brutally Difficult

Exams in this group are insanely hard. They are difficult, extensive, and filled with countless tiny details. You can’t just finish the course and take the exam; you need to build up your skills significantly.

  • Practical Malware Research Professional (PMRP)

If you don’t believe me, I dare you to try it. At first, I wondered if it felt so hard just because it was the very first cert I attempted. But looking back now with more cybersecurity experience, I still think the PMRP is genuinely tough.

The Malware Analysis course for PMRP is fantastic—truly top-quality. It teaches the fundamentals so well and provides a great foundation for anyone wanting to study further. I really recommend the course.

As for the exam, it’s quite hard because there are many different malware samples to analyze, plus a highly detailed report to write. Passing on the first attempt is a serious challenge. Still, it’s one of the certifications I’m most proud of because, despite its difficulty, I passed it on my first try.

Category: Don’t Try This Unless You Have Time to Kill

I can’t say this one is purely “difficult,” but it’s so detail-oriented that it feels like a massive time sink. If you don’t have the time to look for a needle in a haystack, you’re better off spending your time on something else.

  • Practical OSINT Research Professional (PORP)

Okay, this last one. I had no initial intention of taking it. However, I had set a goal to clear all of TCM’s academic certs, which forced me to take the PORP somewhat reluctantly. Is it hard? It has its own kind of difficulty. You have to act like Natasha Romanoff, meticulously gathering information based on the given objectives and then writing a full narrative report. But what goes beyond the difficulty is the sheer volume of work.

Each task has so many tiny details that I seriously considered whether to continue or just quit. Even the PMRP, which I thought was extensive, has nothing on the PORP. I have to bow down to it. And I’ll confess right here: I didn’t even complete all the objectives.

Normally, I’m a completionist, but for the PORP, I did just enough to pass because the workload was beyond description. So, who is the PORP for? If you enjoy digging up your friend’s crush’s Facebook profile, you might just be perfect for this cert.

Final Thoughts: Hoping for More Recognition in Thailand

And that’s my small review, with a little bit of ranting mixed in, of my journey through the TCM Security certifications. It took a lot of effort (and money!), from February to this October, to finally complete all 11. I hope this will be useful for anyone looking for inspiration to study cybersecurity.

More than anything, I hope that organizations in Thailand will start to recognize these certifications more. I believe a skill we often lack is report writing. No matter how good you are at hacking, if you can’t write a good report and communicate your findings effectively, it’s useless to the business and the organization.

Because TCM Security designs its exams to be 100% practical and include mandatory report writing, I truly encourage everyone to give their certifications a try.

P.S. TCM Security has one more certification, the PCRP, which can only be purchased after passing the PNPT. This cert isn’t about learning pentesting or blue team skills; it’s a simulation to prepare you for job interviews in the cybersecurity field. Since I’m not planning to switch careers to cybersecurity, I don’t have any plans to take the PCRP for now.