In March 2026 I passed the HTB Certified Junior Cybersecurity Associate examination with a score of 100 out of 100. The examiner described my penetration testing report as "excellent, well presented, precise, neat, and professional."

I am in 11th grade. I am from Samarkand, Uzbekistan. I taught myself everything through free resources, HTB Academy, and sheer stubbornness.

This post is everything I wish I had read before sitting the exam.

What the CJCA Actually Is

Most people describe the CJCA as an entry-level certification. That is accurate but slightly misleading — it implies the exam is easy. It is not easy. It is approachable, but it demands genuine skill and genuine thinking.

The CJCA is a practical, hands-on examination. There are no multiple-choice questions. No memorization of port numbers or protocol names. You are given a realistic environment and a set of objectives and you have to achieve them the same way a real penetration tester would — through enumeration, analysis, exploitation, and documentation.

The two components of the exam are the penetration test itself and the professional report you write documenting your findings. Both matter. Both are assessed. And in my experience, most candidates underestimate the second one completely.

My Background Going Into the Exam

I want to be honest about this because I think it helps people calibrate their own readiness.

Before the CJCA I had completed several HTB Academy learning paths, including the Penetration Tester job role path. I had solved retired machines on HackTheBox. I had completed the Web RTA certification from CyberWarFare Labs and the Red-0 program at HAAD TC. I was comfortable with the Linux command line, basic network enumeration, web application vulnerabilities, and the overall flow of a penetration test engagement.

What I was less prepared for was the mental shift from practicing on isolated challenge machines to working through a multi-host environment where findings on one system lead to access on another. That connected thinking — realizing that credentials found here unlock something over there — is what the CJCA really tests.

The Exam Experience — What I Can Tell You

HackTheBox takes exam integrity seriously and so do I. I will not describe specific vulnerabilities, targets, or techniques from the exam environment. What I can describe is the experience of sitting it.

The environment feels real. This is the thing that surprised me most. The exam lab is not a series of obviously broken challenge boxes. It feels like a real corporate network — services running for apparent business reasons, configurations that make sense in context, vulnerabilities that are present because of realistic mistakes rather than artificial CTF design. This is simultaneously what makes it harder and what makes it more valuable than any CTF I have done.

The timeline is generous but do not waste it. You have enough time to complete the exam if you work methodically. The candidates who struggle are not the ones who lack technical skill — they are the ones who get stuck on one path and keep pushing instead of stepping back and looking for another approach. Flexibility of thinking matters more than speed.

Document everything as you go. This is the single most important practical advice I can give. Take screenshots at every significant step. Copy command output into your notes immediately. Write a sentence explaining what you found and why it matters before you move on. If you try to reconstruct your methodology from memory after finishing the exploitation phase, your report will be weak and your score will reflect it.

The lateral movement phase is where the exam tests real understanding. Getting initial access is one skill. Pivoting from that foothold to reach other systems — using what you found to go further — is a different and more sophisticated skill. Think carefully about every credential you discover, every service you enumerate, every configuration file you read. Information compounds.

The Report — Where Most People Lose Points

I believe the report is where most CJCA candidates leave points behind. Technical skill gets you the flags. The report is what demonstrates that you understood what you found and can communicate it to a professional audience.

A professional penetration testing report is not a log of what you did. It is a document written for two audiences simultaneously — technical readers who need to reproduce your findings and remediate them, and non-technical stakeholders who need to understand the business risk without reading exploit code.

Here is what I focused on in my report:

Executive summary first. Before any technical detail, I wrote a clear summary of the overall risk, the most critical findings, and the immediate actions the organization should take. This section gets read by people who will not read the rest of the document — it needs to stand alone.

Every finding has the same structure. For each vulnerability I documented: what it is, which system it affects, what the CVSS score is, exactly how I discovered and exploited it including commands and screenshots, what an attacker could realistically do with it, and specific remediation recommendations. Consistency matters — a reader should be able to find the same information in the same place for every finding.

Remediation must be specific and actionable. "Patch the system" is not a remediation recommendation. "Upgrade [software] to version X which addresses CVE-XXXX-XXXX, available at [reference URL]" is a remediation recommendation. The organization reading your report needs to be able to act on it.

Attack chain narrative. One of the most powerful sections in a pentest report is a clear description of the full attack path from initial access to the highest privilege achieved. Not just a list of vulnerabilities but a story of how each finding enabled the next step. This demonstrates that you understand the environment holistically rather than finding isolated issues.

Screenshots with context. Every screenshot should be accompanied by a caption explaining what is shown and why it is significant. A terminal window with no explanation helps no one.
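The consistency rules above (same fields for every finding, actionable remediation, captioned screenshots) can be checked mechanically before a report is submitted. The following is an added example, not part of the original post or of any HTB tooling; the dictionary keys, the vague-phrase pattern and the sample findings are assumptions constructed for illustration.

```python
import re

# Fields the post lists for every finding; the key names are assumptions.
REQUIRED = ("title", "affected_system", "cvss", "steps", "impact", "remediation")

# Recommendations that name no software, version or setting ("Patch the system").
VAGUE = re.compile(r"^(patch|update|upgrade|fix)\s+(the\s+)?(system|server|software|host)\.?$", re.I)


def lint_finding(finding):
    """Return the problems found in one finding dict (empty list means clean)."""
    problems = []
    for field in REQUIRED:
        value = finding.get(field)
        if value is None or value == [] or not str(value).strip():
            problems.append(f"missing field: {field}")

    cvss = finding.get("cvss")
    if cvss is not None and not (isinstance(cvss, (int, float)) and 0.0 <= cvss <= 10.0):
        problems.append("cvss must be a number from 0.0 to 10.0")

    if VAGUE.match(str(finding.get("remediation") or "").strip()):
        problems.append("remediation is not actionable")

    for shot in finding.get("screenshots", []):
        if not shot.get("caption", "").strip():
            problems.append(f"screenshot without caption: {shot.get('file', '?')}")
    return problems


def lint_report(findings):
    """Map finding title -> problems, for findings that have at least one."""
    return {f.get("title") or f"finding #{i}": p
            for i, f in enumerate(findings, 1) if (p := lint_finding(f))}


# Constructed sample input: one consistent finding, one with four defects.
SAMPLE = [
    {"title": "Finding A (constructed)", "affected_system": "host-a", "cvss": 8.8,
     "steps": ["command and output recorded here"], "impact": "impact statement here",
     "remediation": "Upgrade [software] to version X which addresses CVE-XXXX-XXXX",
     "screenshots": [{"file": "a1.png", "caption": "What is shown and why it matters"}]},
    {"title": "Finding B (constructed)", "affected_system": "host-b", "cvss": 11,
     "steps": ["command and output recorded here"], "impact": "",
     "remediation": "Patch the system", "screenshots": [{"file": "b1.png", "caption": ""}]},
]

if __name__ == "__main__":
    print(lint_report(SAMPLE))
```
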

What the Examiner Said

The feedback I received used the words "excellent, well presented, precise, neat, and professional." I want to break down what I think each of those words reflects:

Excellent — the technical findings were correct and complete. This comes from thorough enumeration — not assuming anything is safe to skip.

Well presented — the document had clear structure, consistent formatting, and a logical flow from summary through findings to recommendations.

Precise — every claim was supported by evidence. No vague statements like "the system appeared vulnerable." Specific CVE numbers, specific commands, specific output.

Neat — formatting consistency. Headers at the right levels, tables aligned properly, no screenshot cropped badly, no command output that ran off the page. These things matter more than people think.

Professional — the tone was appropriate for a client-facing document. No casual language, no unexplained jargon, no humor at the client's expense.

Preparation Resources — What Actually Helped

HTB Academy Penetration Tester path. This is the foundation and it is thorough. Do not rush through it. Every module exists for a reason.

Retired HackTheBox machines. Solving retired machines and reading other people's writeups afterward is how you learn approaches you would not have thought of yourself. The methodology matters as much as the technique.

Report writing practice. Before the exam I wrote several practice reports documenting machines I had already solved. Writing about something you have already done is much easier than writing about something you are doing for the first time — so practicing the format separately from the exploitation is worth the time.

Understanding the why. Every technique I practiced I tried to understand at a fundamental level — why does this vulnerability exist, what is the developer assumption it breaks, how would you prevent it. This understanding is what allows you to adapt when the exam environment does not match exactly what you practiced.

Who Should Take the CJCA

The CJCA is the right certification if you have completed foundational learning in HTB Academy or similar platforms and want to validate that you can apply that knowledge in a realistic environment rather than isolated lab exercises.

It is not the right starting point if you are completely new to penetration testing. Spend time with the Academy paths first. Solve ten to fifteen retired machines. Understand the basic methodology before paying for the exam.

It is an excellent stepping stone toward CPTS and eventually OSCP. The exam teaches you the professional documentation skills that the pure technical practice platforms do not — and those skills are what separate a hobbyist from someone who can work in a professional security role.

One Thing I Would Tell Myself Before Starting

Enumerate more than you think you need to. Then enumerate again.

The most common reason people miss findings in penetration tests — real ones and exam ones — is premature exploitation. They find one way into a system, exploit it, get access, and move on. They miss the three other vulnerabilities on the same system because they stopped looking.

Slow down in the enumeration phase. Read every response carefully. Check every service on every port. Look at every file in every directory you have access to. The exam rewards thoroughness more than speed.

What Comes Next for Me

Passing CJCA was a milestone but not a destination. My current roadmap:

  • CWES (HTB Certified Web Exploitation Specialist) — in preparation now
  • CPTS (HTB Certified Penetration Testing Specialist) — in preparation now
  • OSCP (Offensive Security Certified Professional) — University Year 1

If you are preparing for the CJCA and have specific questions, leave them in the comments. I read and respond to everything.

https://cyberbridgeinternational.hashnode.dev

linkedin.com/in/lazizbek-i-9bb54939a

https://drive.google.com/file/d/1o1bOyC9iZwzXhMgdybGjlALis-Kp5nEC/view?usp=drive_link

Lazizbek Ilyosov — cybersecurity student from Uzbekistan.