
🧠 My True Opinion on the PORP by TCM Security

  • Writer: Guy .
  • Jul 9

What I Wish I Knew Before Taking the Exam — And Why It Was Worth It



Why I Wrote This

When I started preparing for the Practical OSINT Research Professional (PORP) exam, I couldn’t find a single detailed blog post or real exam experience that answered my questions. No roadmap, no practical tips — just vague outlines or “marketing-style” blurbs.

So I wrote this, hoping it becomes the go-to for anyone who wants to understand what PORP is really about, how to prepare for it, and whether it’s worth your time and money.


A Word on OSINT (Open-Source Intelligence)

OSINT is the art and science of collecting intelligence from publicly available sources — whether it’s social media, public records, exposed devices, breached databases, or domain metadata.


Before I even knew what network security was, and long before certifications like OSCP entered my radar, I was doing OSINT challenges for fun. To me, it felt like solving internet-based puzzles with unknown paths and hidden answers. It was fascinating, and addictive.


Now, after years in red teaming and offensive security, I can confidently say this:

Solid OSINT skills can lead to gold.

I’ve personally seen OSINT uncover valid credentials for externally exposed RDP, forgotten subdomains, and internal document leaks — all of which led to immediate initial access.

And I’ve seen analysts skip OSINT entirely, only to spend hours grinding away on complicated technical exploits just to reach the same point.

So no — OSINT isn’t just “nice to have.” It’s a critical part of the attack lifecycle, especially in the reconnaissance phase. If you skip it, you’re skipping opportunities.


What is PORP?

The Practical OSINT Research Professional (PORP) is a certification by TCM Security that tests your ability to collect, analyze, and report on real-world OSINT findings.

  • 🧠 No multiple choice — only practical, real-world questions

  • 72-hour live exam

  • 📝 Professional report required

  • 🎓 Includes 12 months of access to the "Open‑Source Intelligence Fundamentals" course (~9+ hours)

  • 🔁 One free exam retake included


My Background

Before PORP, I had:

  • 2+ years as a cybersecurity analyst / security researcher

  • OSCP and other hands-on offensive security certs

  • Daily OSINT use in real-world recon and red teaming

  • Familiarity with tools like Spiderfoot, theHarvester, Maltego, Google dorking, etc.

  • Comfort working in Linux and automating recon workflows


So Why Did I Take PORP?

Honestly? I didn’t need it.

I already had a full resume, a solid cert stack, and field experience.

But two things pushed me:

  1. My company gifted me the course

  2. I genuinely enjoy OSINT — I see it as a craft, a mindset. So when I got free access, I told myself: "Let’s see if it teaches me something new — and if the exam can actually challenge me."


Spoiler: it did.


Why PORP Matters

  • 📚 Great for beginners — solid foundation in real-world OSINT methods

  • 🧩 Useful for red teamers — especially in recon and pre-engagement stages

  • 🪜 Good stepping stone to PNPT — which includes OSINT as a major component

  • 💯 No fluff — this exam is about methodical research, not remembering tool flags

  • 🧠 Develops your analyst mindset — teaches you to investigate, pivot, and document like a pro


How I Prepared (in Just 2 Weeks)

Even though I was already familiar with the subject, I didn’t want to underestimate it. So I did the prep seriously:

  • 📘 Completed TCM’s OSINT Fundamentals course

  • ✅ Answered all practice questions provided

  • 🧠 Took notes, organized my approach, and practiced documentation

  • 🧪 Simulated small challenges (like fake profiles, dorking exercises, metadata hunting)


To be honest — that’s more than enough to pass, if you take the course seriously and don’t skip exercises.


Exam Day — February 12, 2025

Result: ✅ PASS on First Attempt

Time Spent: ~8–10 hours a day for 2 days + half a day final review


My Winning Strategy

  • Start with the easy wins — rack up points early to ease stress

  • 📸 Document everything live — screenshots + notes + sources

  • 🔁 Skip & return — don’t get stuck on one question too long

  • 📝 Built the report as I went — no cramming report-writing on the last day

  • 🔍 Last 6 hours — went full QA mode: formatting, checking evidence, cleaning up report


Was the Exam Hard?

It was harder than I expected, especially some questions that required out-of-the-box thinking and correlating small bits of info. Even for someone experienced in OSINT, this wasn’t a walk in the park.

But that’s what made it fun.


Is PORP Worth It?

Yes — without a doubt.

  • 💡 The exam format is solid — practical, real, and relevant

  • 📊 The reporting aspect is a real skill you’ll use in red teaming / threat research

  • 🔗 The price is fair, especially considering the course + exam + retake

  • 🧠 Even for experienced analysts, it offers new ways to think, hunt, and pivot


Final Words

If you're serious about becoming an effective offensive operator or threat analyst, OSINT is non-negotiable. It’s not just a phase in the kill chain — it’s a mindset.

PORP is one of the few certifications that actually tests that mindset in a realistic, hands-on way.


So whether you're just starting or already deep in this field: 🧠 Refine your thinking. Train your eyes. Build your report. And enjoy the hunt.


Thanks for reading — I hope this post helps someone who was in the same position I was.

Happy hunting. 🕵️‍♂️
