CertGrid

CompTIA PenTest+ (PT0-003) Practice Exam

Validates penetration testing skills — planning/scoping, recon, exploitation, post-exploitation, and reporting.

Practice 298 exam-style CompTIA PenTest+ (PT0-003) questions with full answer explanations, then take timed mock exams that score like the real thing.

• Practice questions: 298
• Questions on the real exam: 90
• Passing score: 750
• Exam length: 165 min

Free CompTIA PenTest+ (PT0-003) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 298.

  1. Question 1 (Planning and Scoping)

    Before a penetration test begins, which document defines what systems may be tested and the boundaries?

    • A. The scope / rules of engagement (and authorization) (Correct)
    • B. The exploit payload
    • C. The patch notes
    • D. The final report
    ✓ Correct answer: A

    Before a penetration test begins, the scope document and rules of engagement (RoE) serve as the foundational legal and operational contract. This document explicitly defines which IP addresses, domains, applications, and infrastructure are authorized for testing, along with any systems explicitly excluded. Without a signed scope and RoE, a tester has no legal protection and no clear boundary for their activities, which could result in unauthorized access charges under laws such as the Computer Fraud and Abuse Act (CFAA).

    Why the other options are wrong
    • B. The exploit payload is incorrect because it is a technical artifact used during testing, not a document that defines authorization or scope boundaries.
    • C. The patch notes is incorrect because patch notes describe software changes or vulnerability fixes applied by vendors, not the permissions or boundaries of a penetration test.
    • D. The final report is incorrect because the final report is produced after testing is complete and documents findings; it does not authorize or define what may be tested.
  2. Question 2 (Attacks and Exploits)

    Which technique extracts credentials from Windows memory using a tool like Mimikatz?

    • A. Port knocking
    • B. DNS zone transfer
    • C. Credential dumping from LSASS (Correct)
    • D. A SYN scan
    ✓ Correct answer: C

    The Windows Local Security Authority Subsystem Service (LSASS) process handles authentication for the operating system and caches credentials in memory in various forms, including NTLM hashes, Kerberos tickets, and in older configurations, plaintext passwords. Mimikatz exploits this by reading the LSASS process memory using the Windows Debug API or by injecting into the process to extract these cached credentials. The sekurlsa::logonpasswords module is the most commonly used command for this purpose, and the extracted credentials can then be used for lateral movement via pass-the-hash or pass-the-ticket.

    Why the other options are wrong
    • A. Port knocking is incorrect because port knocking is a technique where a sequence of connection attempts to specific closed ports triggers a firewall rule to open a desired port; it is an authentication-through-obscurity mechanism unrelated to dumping credentials from Windows memory.
    • B. DNS zone transfer is incorrect because a DNS zone transfer (AXFR) is a reconnaissance technique used to retrieve all DNS records from a name server; while useful for mapping a target's infrastructure, it extracts DNS data, not Windows authentication credentials from memory.
    • D. A SYN scan is incorrect because a SYN scan is an Nmap port scanning technique that sends TCP SYN packets to enumerate open ports on a target host; it discovers network services rather than extracting credential material from a running Windows authentication process.
  3. Question 3 (Post-exploitation and Lateral Movement)

    Why should an authorized tester document and securely store all evidence and actions taken?

    • A. To leave persistent access
    • B. To avoid writing a report
    • C. To sell the data later
    • D. To support an accurate report, reproducibility, and accountability for what was done within scope (Correct)
    ✓ Correct answer: D

    Comprehensive documentation of all actions taken during a penetration test serves multiple critical purposes. Detailed logs, screenshots, and timestamped records support an accurate final report by providing the evidence needed to substantiate each finding and demonstrate its exploitability. Documentation enables reproducibility so that the client's team can independently verify findings and test proposed fixes. It also establishes accountability—if any unintended impact occurs during testing (such as an unexpected crash), detailed records demonstrate exactly what actions were taken, protecting the tester legally and allowing root cause analysis.

    Why the other options are wrong
    • A. To leave persistent access is incorrect because establishing and maintaining persistent access is a test-phase activity that must be documented and then removed; documentation is not created to preserve unauthorized access but to record what was done within authorized scope so it can be properly cleaned up.
    • B. To avoid writing a report is incorrect because documentation of evidence and actions is the foundational input that makes writing the final report possible; documentation and reporting are complementary obligations, not alternatives.
    • C. To sell the data later is incorrect because selling client data is a severe breach of professional ethics, violates non-disclosure agreements, may constitute criminal data theft, and represents a fundamental betrayal of the trust relationship that is the basis of every authorized penetration testing engagement.
  4. Question 4 (Planning and Scoping)

    Which staffing/scheduling choice typically optimizes both cost and quality for a defined-scope test?

    • A. Rotating in new untrained testers every day
    • B. Assigning the largest possible team regardless of scope
    • C. Using one tester with no time limit and no checkpoints
    • D. Matching tester skill and team size to the scope and timeboxing the effort (Correct)
    ✓ Correct answer: D

    Optimizing cost and quality for a penetration test requires right-sizing the engagement. A single highly skilled tester can efficiently cover a well-defined small-to-medium scope—such as testing a single web application or a specific network segment—without the coordination overhead of a large team. Conversely, a broad red-team engagement against a large enterprise may benefit from specialization, with team members covering web application testing, Active Directory attacks, and physical security simultaneously. Timeboxing the effort with defined milestones ensures the work stays within budget while maintaining quality by focusing effort on the highest-priority areas within the allocated time.

    Why the other options are wrong
    • A. Rotating in new untrained testers every day is incorrect because constantly changing the personnel on an engagement prevents testers from developing the contextual knowledge needed to explore discovered attack paths effectively, wastes hours on repeated onboarding, produces lower quality findings, and is generally more expensive than a stable skilled team.
    • B. Assigning the largest possible team regardless of scope is incorrect because an oversized team creates significant coordination overhead, duplicates effort across testers, inflates cost dramatically beyond what the scope justifies, and does not proportionally increase finding quality for a well-defined limited scope.
    • C. Using one tester with no time limit and no checkpoints is incorrect because an open-ended engagement with no timeboxing or progress reviews creates uncontrolled costs, allows the tester to pursue interesting rabbit holes of limited business value indefinitely, and removes the project management visibility needed to ensure the client's priorities are being addressed within budget.
  5. Question 5 (Planning and Scoping, select all that apply)

    Which TWO architectural considerations should shape the rules of engagement for testing a production Kubernetes cluster? (Choose TWO)

    • A. Whether testing actions could trigger autoscaling or pod evictions that affect availability (Correct)
    • B. Whether the cluster's shared control plane could be impacted by aggressive enumeration (Correct)
    • C. The color theme of the cluster dashboard
    • D. The brand of laptops used by developers
    ✓ Correct answer: A, B

    Kubernetes production clusters have unique operational characteristics that must shape the rules of engagement. Kubernetes has autoscaling mechanisms (Horizontal Pod Autoscaler, Cluster Autoscaler) that respond to resource consumption; if testing generates unexpected load, it could trigger unintended autoscaling events that inflate infrastructure costs or cause pod evictions that disrupt running workloads. Kubernetes clusters also share a single control plane (kube-apiserver, etcd, controller-manager, scheduler) whose availability is critical to all workloads in the cluster; aggressive enumeration of the API server could overwhelm it, causing widespread application disruptions across all tenants and namespaces.

    Why the other options are wrong
    • C. The color theme of the cluster dashboard is incorrect because the visual appearance of the Kubernetes dashboard interface has no bearing on security testing safety, availability risks, or operational constraints that must be addressed in the rules of engagement.
    • D. The brand of laptops used by developers is incorrect because developer hardware choices have no impact on Kubernetes cluster security testing scope, the risk of triggering autoscaling events, or the potential for testing to disrupt the shared control plane.
  6. Question 6 (Planning and Scoping)

    During scoping for a cloud-hosted application, why must the tester review the cloud provider's penetration testing policy?

    • A. It guarantees no false positives
    • B. It removes the need for client authorization
    • C. Some provider actions (e.g., DoS/DDoS, scanning shared infrastructure) are prohibited or require provider notification regardless of client authorization (Correct)
    • D. The provider pays for the engagement
    ✓ Correct answer: C

    Cloud providers such as AWS, Azure, and GCP maintain their own acceptable-use and penetration-testing policies that apply to all customers regardless of what the client permits. Certain tests—particularly denial-of-service simulations, load-testing above agreed thresholds, and scanning shared multi-tenant infrastructure—are explicitly prohibited or require advance notification because they can affect other tenants on the same physical or virtual infrastructure. Failing to review and comply with these policies exposes the tester to legal liability and may violate the provider's terms of service.

    Why the other options are wrong
    • A. It guarantees no false positives is incorrect because reviewing a provider policy has no effect on scan accuracy or false positive rates.
    • B. It removes the need for client authorization is incorrect because client authorization is still required; the provider policy is an additional layer, not a substitute. Even with written client authorization, a tester operating outside the cloud provider's policy may be acting unlawfully against a third party.
    • D. The provider pays for the engagement is incorrect because cloud providers do not fund penetration test engagements conducted by the client's hired testers.
  7. Question 7 (Information Gathering and Vulnerability Scanning)

    Which Windows event log records successful and failed logon attempts that a tester should review to detect monitoring of their activity?

    • A. The Forwarded Events log
    • B. The Security event log (Correct)
    • C. The Application event log
    • D. The Setup event log
    ✓ Correct answer: B

    Windows maintains several specialized event logs, each recording different categories of system activity. The Security event log is the designated repository for security-related events configured through Windows audit policy, including logon success (Event ID 4624), logon failure (Event ID 4625), account lockout (Event ID 4740), privilege use, object access, and policy changes. A tester who wishes to determine whether their activities are being detected and logged should check the Security event log on target systems for entries corresponding to their source IP, username, or timing of actions. This log is the primary data source fed into SIEMs for security monitoring and incident detection in Windows environments.

    Why the other options are wrong
    • A. The Forwarded Events log is incorrect because the Forwarded Events log collects events that have been pushed from remote systems via Windows Event Forwarding subscriptions; it aggregates events but is not itself the source of authentication event recording.
    • C. The Application event log is incorrect because the Application event log records events generated by applications and programs rather than operating-system-level security events such as logon attempts.
    • D. The Setup event log is incorrect because the Setup event log records events related to Windows installation and component configuration, not authentication or security activity.
  8. Question 8 (Planning and Scoping)

    Before testing assets hosted on a third-party SaaS platform, what authorization is typically required in addition to the client's permission?

    • A. Nothing, the client's word always covers shared infrastructure
    • B. A public blog post announcing the test
    • C. Only a verbal okay from a developer
    • D. The cloud/SaaS provider's testing authorization or notification per their terms of service (Correct)
    ✓ Correct answer: D

    SaaS platforms are shared multi-tenant environments where the provider owns and operates the underlying infrastructure. The client organization uses the service but does not own the platform. Testing a SaaS application can generate traffic that affects other tenants on the shared infrastructure, triggers the provider's own intrusion detection systems, or violates the provider's terms of service. Most major SaaS and cloud providers have published penetration testing policies that require customers to submit a testing notification or request, obtain pre-authorization, and agree to scope restrictions (such as prohibitions on denial-of-service or social engineering against provider employees). A client's authorization alone cannot override the provider's third-party rights over their own infrastructure.

    Why the other options are wrong
    • A. Nothing, the client's word always covers shared infrastructure is incorrect because the client owns the tenancy or subscription but does not own the provider's infrastructure; their authorization cannot bind a third party that hosts the service.
    • B. A public blog post announcing the test is incorrect because publicly announcing an upcoming test provides no legal authorization from the provider and may alert attackers to the testing window.
    • C. Only a verbal okay from a developer is incorrect because a developer cannot grant authorization on behalf of the SaaS provider organization; written authorization from the appropriate stakeholder at the provider is required.
  9. Question 9 (Planning and Scoping)

    Mid-engagement, the client asks you to also test a SaaS CRM they subscribe to but do not host. What is the correct action?

    • A. Test it passively only, which never requires authorization
    • B. Begin testing immediately since the client requested it
    • C. Decline all cloud testing as inherently illegal
    • D. Obtain written authorization from the SaaS provider (or confirm the client has it) before testing that third party (Correct)
    ✓ Correct answer: D

    A client's authorization to test their own systems does not extend to third-party platforms the client subscribes to but does not own or operate. The SaaS provider maintains control over their shared infrastructure and must separately consent to any testing that affects their platform. Most major SaaS providers have published penetration testing policies that require customers to submit a request form or obtain explicit written permission before testing their tenancy. Proceeding with testing before obtaining this authorization could violate the SaaS provider's terms of service, result in account suspension, and potentially constitute unauthorized computer access of a third-party system. The tester must pause the SaaS testing component until proper authorization is confirmed.

    Why the other options are wrong
    • A. Test it passively only, which never requires authorization is incorrect because even passive testing that involves sending requests to a SaaS platform generates traffic that the provider can observe and may prohibit; passive reconnaissance of third-party systems is not universally exempt from authorization requirements.
    • B. Begin testing immediately since the client requested it is incorrect because the client can only authorize access to systems they own; client authorization does not bind the SaaS provider who owns and operates the platform.
    • C. Decline all cloud testing as inherently illegal is incorrect because cloud and SaaS testing is legal and common when properly authorized; the issue is authorization, not a categorical prohibition on cloud testing.
  10. Question 10 (Planning and Scoping)

    Which agreement specifically protects the confidentiality of sensitive client data the tester may access during an engagement?

    • A. A non-disclosure agreement (NDA) (Correct)
    • B. A purchase order
    • C. A service-level agreement (SLA)
    • D. A statement of work (SOW) only
    ✓ Correct answer: A

    A non-disclosure agreement is a legally binding contract that specifically addresses the protection of confidential information shared between parties. During a penetration test, testers routinely access sensitive data including network architecture details, vulnerability information, credentials, and potentially regulated data such as PII or financial records. The NDA establishes clear legal obligations for the tester to protect this information from unauthorized disclosure, specifies the duration of the confidentiality obligation, and defines the consequences of a breach. Without an NDA, the client has limited legal recourse if the tester mishandles or discloses sensitive information discovered during the engagement.

    Why the other options are wrong
    • B. A purchase order is incorrect because a purchase order is a financial document authorizing a transaction and specifying payment terms, with no provisions for protecting confidential information.
    • C. A service-level agreement (SLA) is incorrect because an SLA defines performance metrics, uptime guarantees, and response time commitments for ongoing services, not confidentiality obligations for sensitive data.
    • D. A statement of work (SOW) only is incorrect because while an SOW defines the scope, deliverables, and timeline of the engagement, it does not by itself establish the legal protections for confidential information that an NDA provides.

CompTIA PenTest+ (PT0-003) practice exam FAQ

How many questions are in the CompTIA PenTest+ (PT0-003) practice exam on CertGrid?

CertGrid has 298 practice questions for CompTIA PenTest+ (PT0-003), covering 5 exam domains. The real CompTIA PenTest+ (PT0-003) exam has about 90 questions.

What is the passing score for CompTIA PenTest+ (PT0-003)?

The CompTIA PenTest+ (PT0-003) exam passing score is 750, and you have about 165 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official CompTIA PenTest+ (PT0-003) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of CompTIA PenTest+ (PT0-003), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice CompTIA PenTest+ (PT0-003) for free?

Yes. You can start practicing CompTIA PenTest+ (PT0-003) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.