How I Passed Three TCM Certs in Eight Months.
Summary (aggregator-generated): The article recounts the author's experience studying for and passing TCM Security's PWPA, PWPP and PWPE certifications, emphasizes a systematic methodology, continuous learning and persistence, and shares practical exam-preparation tips. 2026-4-24 10:6:49 Author: infosecwriteups.com Views: 16

PWPA, PWPP, PWPE — Three certs, eight months, and a lot of coffee.

ShadowForge


This isn’t an official review or comparison — plenty of those exist already. This is how I actually approached it, including the moments where I thought I was going to blow it.

Why TCM Security?

I’d already spent some time playing on Hack The Box and TryHackMe and had passed a Micro-Credential in Ethical Hacking, but I wanted something that felt like real work. TCM has a reputation for practical courses and exams that resemble actual pentests. No multiple choice, no theory questions, no flag — just a website, a scope, and you.

That sounded exactly like the kind of exam I wanted.

PWPA — Practical Web Pentest Associate

What it is

PWPA is the beginner-level cert for web pentesting. It covers a lot of basic vulnerabilities and how to exploit them. But more importantly, Alex doesn’t just hand you a checklist — he teaches a methodology you can immediately put into practice with the labs. He strongly encourages keeping your notes updated throughout the process.

Contrary to what I thought at first, pentesters don’t know everything by heart. Hackers in movies type at insane speeds, bypassing the firewall and hacking into the mainframe. That’s not real life. Having someone explain a clear methodology lowers the bar for getting started in hacking.

The course

The Bug Bounty Hunter course is made up of different sections, ranging from enumeration (a fancy word for looking for hidden stuff in a website) to exploiting your first Cross-Site Scripting vulnerability (a fancy way of saying you can make the website do something it’s not supposed to do).

If at this point you’re thinking, “What?”, don’t worry. Everything is explained step by step, and you’re not expected to understand everything right away. For example, when I started, I couldn’t script anything, yet the very first section is about scripting. By the end, you end up with a script you can use for all your engagements. You don’t need to know every detail about how it works. Honestly, I only took a Python course after passing PWPP. So trust me when I say: you’re fine.

The exam

Before starting the exam, you’re reminded that you can’t share exam details, so I’m definitely not going to spoil anything. Everything you need to know is in the Rules of Engagement (RoE) you receive when you click “Start Exam.” This document explains what you should look for, who to contact if something goes wrong, and what you’re not allowed to do. Read it. Then re-read it. It’s important.

After reviewing the RoE, it’s just you, your tools, and the techniques you’ve learned. And that’s all you need. There’s no reason to look for things you weren’t taught or use techniques outside the course. What matters is opening the website, getting overwhelmed for a minute or two, then opening your notes and following your methodology.

Don’t forget to set a timer: one hour hacking, five-minute break, and a longer break after three cycles.

My exam

I started and couldn’t find anything for two straight hours. After a break, I slowed down, put my notes on a second screen, and began working through the methodology I had practiced so many times. I had summarized the entire course into a document I called my “Sanity Check,” and I strongly recommend having something like that. Once I followed it, the vulnerabilities presented themselves.

A big thing about this exam is that they don’t try to trick you. It’s just a pentest.

My approach was to screenshot everything, paste it into Notion with a short explanation, and move on.

Quick tip: having something that tracks your clipboard history is incredibly useful. I had to dig for screenshots I knew I took but forgot to paste.

After about seven hours, I had found some interesting things. Then I shut down my computer, picked up my kids from school, and had a great evening with them. After they went to bed, I watched a movie with my wife and went to sleep.

That paragraph isn’t a flex — it’s essential. If you’ve worked all day, you need rest. You’ll run out of ideas long before you run out of time. After dropping my kids off at school the next morning, I grabbed a coffee and started hacking again. Don’t think, “I have enough points; I’ll just wing it.” Take it seriously and try everything you can. Right after lunch, I found another major vulnerability, and I was genuinely excited.

Eventually, I ran out of ideas. I reviewed the vulnerabilities I found and didn’t know what else to test, so I started writing my report. I didn’t close my exam yet, because if I needed extra screenshots or wanted to try a different payload, I still had the option. Luckily, I didn’t need extra lab time, and I finished my report around the same time my lab expired.

After finishing the report, I closed my laptop again and spent time with my family. The next morning, after a good night’s sleep, I re-read the report in detail. I made a few edits, read it one last time, exported it as a PDF, and submitted it.

Then I braced myself for a long wait… but only two hours later, a notification from TCM popped up with the link to my certification.

Verdict

A great and fun exam. Challenging enough to test your abilities, but not so hard that it feels impossible. If you do the lab work and avoid shortcuts, you’ll succeed.

Result: First attempt pass.

PWPP — Practical Web Pentest Professional

The step up

This is a professional-level certification, meaning you need to know a thing or two about performing an assessment and finding vulnerabilities. The techniques taught in PWPA are necessary to understand the more complex attacks in this course. Just like in PWPA, Alex’s approach is all about keeping your notes updated along the way. If you followed PWPA, you’ll definitely revisit some things before diving into the deeper material.

The course

The course is split into two parts: one focused on API hacking, and one focused on web hacking. Both parts work hand in hand, but I think it’s beneficial to start with the API section.

The exam

Same deal — everything you need to know is in the RoE. Read it. Then read it again.

After reviewing the RoE, it’s just you, your tools, and the techniques you’ve learned. There’s no reason to look for things you weren’t taught or to use techniques outside the course.

My exam

When I opened my exam, I saw functionality that clearly matched an attack taught in the course. But instead of getting a quick win, I forgot once again to slow down. After a while (a bit too long), I found the exploit, and it turned out to be much easier than what I was trying. Like I already mentioned: there’s no need to look for attacks you didn’t learn. Stick to the coursework.

My “Sanity Check” from PWPA got a major update after doing PWPP, and for the rest of the exam it really helped me find and keep my flow.

Because you know more techniques now, it’s important to track what, how, and where you test. Don’t distract yourself with “I’ll test this endpoint on X and Y” but then get sidetracked by something else. Be strict with yourself and focus on one thing at a time.

Like with PWPA, I didn’t work more than seven hours on the first day, and I took my breaks. I felt good by the end of the day, did family stuff, and went to bed.


The second day, I was fully in the zone. A bit too much, actually. I forgot my breaks, forgot to drink, and barely ate. I fell straight into a rabbit hole and couldn’t get out. And that’s something I want to warn you about: falling into a rabbit hole is normal, and you do have to test it, but set a timer when you hit a problem. I was convinced there was something there, but I couldn’t find it because it simply wasn’t there.

My advice changed after that experience: hack away, but when you get stuck, set a timer and stick to it. I probably would have lost only an hour or two, but if I had taken my break, I would have realized sooner that it wasn’t worth pursuing.

After realizing I went too deep, I took a long break, forgot about it, and moved on to other problems. I did some extra hours that day but still got enough rest.

By the middle of the third day, I was out of ideas. So, just like in PWPA, I left my environment open and started my report. I had already taken screenshots throughout the exam and saved them in Notion with comments. With my report template prepared, it was mostly copy, paste, done.

I read it, re-read it, saved it to PDF, re-read it once more, and before my lab time was up, the report was ready. I ended my environment, uploaded the report, hung out with the kids, and went to bed. The next morning, I already saw three notifications with “TCM Sec…” in my inbox. I opened the latest one, and my certification link was available.

Verdict

This exam was really fun and taught me something valuable. You have to stay open enough to let an exam teach you something, even without an instructor guiding you. The biggest lesson for me was the rabbit hole. I’ll try to recognize it faster next time.

It’s understandable that in an exam you want to find things, but even during an exam, you have to know when to stop. And that might be the most valuable lesson PWPP taught me.

Result: First attempt pass.

PWPE — Practical Web Pentest Expert

This was different

PWPE is the follow-up to PWPP. It’s an expert-level exam that will push you to look further and deeper than you ever did with PWPA or PWPP. To pass this exam, you’re going to need every trick in your book. So make sure your notes are up to date.

A very big difference between PWPE and the previous two certs: you don’t really know what you’re looking for. Obviously you look at the things you learned during the course, but unlike PWPA and PWPP, you will not pass with only the things from the Advanced Web Hacking course. You’ll need a profound knowledge of the basics. On top of that, you’ll need to develop a spidey sense for things that are a bit weird and be able to look those things up. The exam isn’t designed to trick you, but it is designed to be expert-level.

The course

The course delivers the quality you’ve come to expect from Alex’s material. Topics include:

  • Prototype pollution
  • GraphQL
  • Code review
  • Code (de)obfuscation
  • OAuth
  • Cache poisoning

Each topic starts with a theoretical explanation, and as always, Alex walks you through some examples. Then you have a shot at doing some capstones on your own at the end of each module.

The exam

Read the RoE with even more care than you did for any other TCM cert. Once you read it, just read it again, to make sure you saw it all.

My exam

After reading and rereading the RoE, it was time to navigate to the start URL. Personally, I found this exam was a bit less overwhelming than PWPP. Still a lot of functionality to go through, but it felt calmer.

Once the exam started, I did what I always do — went through the app and clicked everything I saw. Then it was time to open up my proxy and inspect the traffic. Like Alex said in one of his reviews, your task is to identify small vulnerabilities and chain them together. So don’t expect to find an obvious XSS.

After going through the traffic, I decided that a particular functionality would be my first thing to test. I had to peel the onion layer by layer, and I kept track of everything I saw that could possibly be of use later. And sure enough, after only a few hours I chained some low-level things together and was able to drop a payload that could be considered high risk.

On that high, I continued my testing and found some small issues, but I could not for the life of me chain anything together that was worth noting down. That’s when the panic started to set in. I decided to leave it, and went to bed.

When I opened up the app the next day, I had enough time to reflect on what I found. I started to really hit those endpoints with everything I had, but nothing — and I mean absolutely nothing — worked. I remembered the valuable lesson from PWPP about rabbit holes and moved away from the endpoint I was so sure was the entry point for a critical vulnerability.

That’s when the expert-level exam became the expert-level exam for me.

I had the low-hanging fruit, but that wasn’t enough to pass. I needed something critical. And it’s at that point that the exam tests if you have the endurance and insight to go look for the right things. It took a loooooooooong time, and multiple “It’s not gonna be in here, right?!” moments — when my eye caught something small, yet so obvious that I needed to test it. My first test returned absolutely nothing. Another dead end? Or maybe not — let’s try this… And that got me somewhere. That result led me to use Google and look something up. It was strange, I had never seen it, but every part of my body was screaming that I was getting somewhere if I could just crack this little thing. And yeah, that was the critical thing I was looking for. Good old Google to the rescue.

So with a day of testing to spare, I could start writing my report. I managed to have two high-value vulnerabilities and some minor issues. I had my template ready to go, but because this exam is all about chaining, I needed to adjust the template. I submitted my report at the end of that day after reading it a dozen times.

Then, totally unexpected, another hard part came. My PWPA and PWPP came back in less than a day, but I had to wait a week for the PWPE results. But when they came back, I was glad I was able to knock this one out of the park on my first try too.

Verdict

This was a fun exam. It was hard, and maybe you’ll need a bit of luck, but the answer isn’t some niche and weird “Gotcha!” CTF-moment — it will be right there for you. My advice is simply to show that you have perseverance to do what needs to be done. Expert-level doesn’t mean flashy. It means you don’t quit when things get quiet.

Fatigue is the best friend of missed vulnerabilities.

Result: First attempt pass.

What I learned


The five lessons

  1. Sleep. Not optional. You see more when rested than after six hours of grinding.
  2. Screenshot while you test. Have a tool that retains your screenshots in case you forget to paste them somewhere.
  3. Don’t test for too long. A rabbit hole is there for a reason: to make you test it and move on.
  4. Use your methodology. Follow your notes; you spent a lot of time creating them, so you might as well use them.
  5. Slow down. You’ll run out of ideas long before your time runs out! No need to rush your testing, keep calm so you don’t miss something obvious.

Do not learn how to hack, hack to learn.


Source: https://infosecwriteups.com/how-i-passed-three-tcm-certs-in-eight-months-b8d76211263a?source=rss----7b722bfd1b8d---4