What does the CompTIA PenTest+ exam cover?
The CompTIA PenTest+ PT0-003 exam covers planning and scoping penetration tests, information gathering and vulnerability scanning, exploitation techniques, post-exploitation, reporting, and communication. It is an intermediate-level certification for penetration testers and red team members. The exam costs $392 USD with a passing score of 750 out of 900.
The CompTIA PenTest+ PT0-003 validates the skills required to plan, conduct, and report on penetration testing engagements. It covers the technical attack techniques, tools, and methodologies used by professional penetration testers to identify and exploit vulnerabilities in networks, applications, and systems.
PenTest+ is positioned between Security+ (foundational) and CASP+ (expert architecture), targeting individuals in penetration tester, red team operator, vulnerability analyst, and security consultant roles. The exam costs $392 USD and requires a passing score of 750 out of 900.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | PT0-003 |
| Full Name | CompTIA PenTest+ |
| Number of Questions | Maximum 85 |
| Time Limit | 165 minutes |
| Passing Score | 750/900 |
| Cost | $392 USD |
| Prerequisites | Security+ and CySA+ or equivalent experience recommended |
| Validity | 3 years |
The exam covers five domains:
- Planning and scoping (14%)
- Information gathering and vulnerability scanning (22%)
- Attacks and exploits (30%)
- Reporting and communication (18%)
- Tools and code analysis (16%)
"PenTest+ is the only vendor-neutral penetration testing certification that requires both knowledge and performance. The performance-based questions put you inside a simulated environment and ask you to actually find and exploit vulnerabilities. Candidates who have only read about penetration testing without practicing in lab environments consistently fail these questions." -- penetration testing certification community
Domain 1: Planning and Scoping (14%)
Rules of Engagement
Before any penetration test begins, a formal Rules of Engagement (ROE) document defines:
- Scope: Which systems, networks, applications, and physical locations are included and excluded
- Authorization: Written permission from the system owner authorizing testing
- Testing window: When testing is permitted (business hours only, or 24/7)
- Emergency contacts: Who to call if a critical system is accidentally disrupted
- Communication protocols: How progress, findings, and incidents are reported
Statement of Work (SOW): Contract defining deliverables, timeline, methodology, and payment terms.
Liability: The penetration tester must have explicit written authorization before conducting any testing. Testing without authorization is illegal regardless of intent.
Compliance-Based Testing
- PCI-DSS: Requires annual penetration testing for all organizations handling payment card data
- HIPAA: Does not mandate penetration testing explicitly but is considered a best practice for risk assessment
- NIST RMF: Penetration testing is part of the assessment phase
- Bug bounty programs: Formalized programs where organizations pay researchers for finding vulnerabilities (HackerOne, Bugcrowd)
Domain 2: Information Gathering and Vulnerability Scanning (22%)
Passive Reconnaissance
Passive reconnaissance gathers information without directly interacting with the target:
- OSINT (Open Source Intelligence): Public information from websites, social media, job postings, corporate filings
- DNS reconnaissance: Zone transfers, subdomain enumeration (subfinder, amass), WHOIS records
- Google dorking: Advanced search operators to find sensitive exposed information
- Shodan: Search engine indexing internet-connected devices; reveals exposed services, software versions
Active Reconnaissance
Active reconnaissance directly interacts with target systems:
- Port scanning: Nmap to identify open ports and running services
- Service enumeration: Banner grabbing, version detection (
nmap -sV) - OS fingerprinting: Determining operating system from TCP/IP stack behavior (
nmap -O) - Network mapping: Building a map of the network topology
Vulnerability Scanning
| Tool | Primary Use | Type |
|---|---|---|
| Nessus | General vulnerability scanning | Commercial |
| OpenVAS | General vulnerability scanning | Open source |
| Nikto | Web application scanning | Open source |
| OWASP ZAP | Web application testing | Open source |
| SQLmap | SQL injection testing | Open source |
| Burp Suite | Web application intercepting proxy | Commercial/free |
Domain 3: Attacks and Exploits (30%)
Network-Based Attacks
- ARP poisoning: Using Arpspoof or Ettercap to perform on-path attacks on the local network
- VLAN hopping: Double-tagging attacks to access traffic on unauthorized VLANs
- DHCP starvation: Exhausting DHCP pool then providing rogue DHCP server for traffic interception
- Pass-the-hash: Using captured NTLM hashes to authenticate without knowing the plaintext password
Application-Based Attacks
OWASP Top 10 Web Application Vulnerabilities (2021):
- Broken Access Control
- Cryptographic Failures
- Injection (SQL, command, LDAP)
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
SQL injection types:
- In-band SQLi: Error-based (database errors reveal information) and union-based (combining queries)
- Blind SQLi: Boolean-based (yes/no responses) and time-based (inferring from delay)
- Out-of-band SQLi: Data retrieved through different channels (DNS, HTTP requests from database server)
Post-Exploitation
Post-exploitation activities after gaining initial access:
- Privilege escalation: Elevating from standard user to administrator/root
- Lateral movement: Moving from compromised system to other systems in the network
- Persistence: Establishing mechanisms to maintain access (scheduled tasks, registry run keys, backdoors)
- Data exfiltration: Extracting sensitive data while evading DLP controls
- Pivoting: Using a compromised system as a proxy to reach otherwise inaccessible network segments
Social Engineering Techniques
- Phishing campaigns: Simulated phishing using GoPhish framework
- Pretexting: Creating a fabricated scenario to manipulate targets
- Vishing: Phone-based social engineering targeting IT help desks
Domain 4: Reporting and Communication (18%)
Penetration Test Report Structure
A professional penetration test report includes:
- Executive summary: Business impact summary for non-technical stakeholders
- Scope and methodology: What was tested and how
- Findings summary: Vulnerability count by severity with risk ratings
- Detailed findings: Each vulnerability with description, evidence (screenshots, output), CVSS score, and remediation recommendation
- Appendices: Raw tool output, evidence artifacts
Risk Rating
| Rating | CVSS Range | Remediation Priority |
|---|---|---|
| Critical | 9.0-10.0 | Immediate (within 24-72 hours) |
| High | 7.0-8.9 | Short-term (within 2-4 weeks) |
| Medium | 4.0-6.9 | Medium-term (within 60-90 days) |
| Low | 0.1-3.9 | Long-term (next maintenance cycle) |
| Informational | N/A | No immediate action required |
"The value of a penetration test is not in finding vulnerabilities -- scanners can do that. The value is in providing context: what is the actual business impact of each finding, what is the realistic attack path, and what should the client do first? Reports that present a list of CVEs without business context fail to deliver the value clients are paying for." -- Experienced penetration tester guidance
Domain 5: Tools and Code Analysis (16%)
Core Penetration Testing Tools
- Metasploit Framework: Module-based exploitation framework with thousands of exploits and payloads
- Burp Suite: Web application testing proxy for intercepting, modifying, and replaying HTTP requests
- Nmap: Network scanning and service discovery
- Wireshark: Packet capture and analysis
- John the Ripper / Hashcat: Password cracking using dictionary, rule-based, and brute-force attacks
- Mimikatz: Windows credential extraction from LSASS process memory
- BloodHound: Active Directory attack path visualization
Code Review for Security
PenTest+ includes basic code analysis:
- Identifying SQL injection vulnerabilities in code
- Identifying insecure deserialization
- Identifying hard-coded credentials in code
- Understanding common scripting languages for automation (Python, Bash, PowerShell)
Frequently Asked Questions
How does PenTest+ compare to CEH and OSCP? PenTest+ is vendor-neutral and multiple-choice/performance based; CEH (Certified Ethical Hacker) is EC-Council's equivalent with a similar format; OSCP (Offensive Security Certified Professional) is a fully hands-on 24-hour practical exam considered the gold standard for technical credibility. PenTest+ and CEH are more accessible; OSCP is much harder and more respected by technical employers. Many penetration testers pursue PenTest+ or CEH first, then OSCP.
Do I need programming skills for PenTest+? You need basic scripting skills to read and understand Python, Bash, and PowerShell scripts. You do not need to write complex programs from scratch. The exam presents code snippets and asks you to identify security vulnerabilities or understand what the code does. Familiarity with reading code is more important than being an experienced developer.
What labs are best for practicing for PenTest+? TryHackMe (beginner-friendly, guided paths), Hack The Box (more challenging, community-solved machines), and OWASP WebGoat (deliberately vulnerable web application) are the most popular platforms. For the exam specifically, CompTIA's CertMaster Labs for PenTest+ provides exam-aligned practice scenarios. Setting up a personal lab with Kali Linux in a VM allows safe practice with penetration testing tools.
References
- CompTIA. (2025). CompTIA PenTest+ PT0-003 Exam Objectives. https://www.comptia.org/certifications/pentest
- Oriyano, S. (2023). CompTIA PenTest+ Study Guide. Sybex.
- OWASP Foundation. (2021). OWASP Top 10 Web Application Security Risks. https://owasp.org/www-project-top-ten/
- Offensive Security. (2025). Kali Linux Documentation. https://www.kali.org/docs/
- TryHackMe. (2025). Penetration Testing Learning Paths. https://tryhackme.com/
- PTES. (2025). Penetration Testing Execution Standard. http://www.pentest-standard.org/