CompTIA PenTest+ (PT0-003) Study Guide
CompTIA PenTest+ (PT0-003) validates hands-on penetration testing and vulnerability management skills across the full engagement lifecycle: planning and scoping, reconnaissance, attacks and exploitation, post-exploitation and lateral movement, and reporting. It targets intermediate cybersecurity professionals (3-4 years of hands-on experience) such as penetration testers, red-team members, and vulnerability analysts. The 165-minute exam has up to 90 multiple-choice and performance-based questions, with a passing score of 750 on a scale of 100-900.
Domain 1: Planning and Scoping
- Written authorization (signed Statement of Work plus a 'get-out-of-jail-free' authorization letter) is the legal prerequisite for any test; without it, activity violates the Computer Fraud and Abuse Act (CFAA) and equivalent laws.
- Rules of Engagement (RoE) define what, when, and how testing occurs: in-scope and out-of-scope targets, test windows, allowed techniques, escalation paths, and emergency contacts.
- Scope documents must explicitly list authorized IP ranges, domains, applications, and infrastructure, plus excluded systems, to avoid touching out-of-scope or third-party assets (legal and operational risk).
- Black-box testing simulates an external attacker with little to no prior internal knowledge; white-box (full-knowledge) testing provides architecture diagrams and credentials up front; gray-box sits between the two.
- If a tester discovers an active or prior breach during an engagement, the correct action is to stop and immediately notify the client per the RoE escalation plan, preserving forensic evidence.
- Regulatory frameworks shape scope: PCI DSS governs cardholder data environments, HIPAA governs protected health information, and GDPR governs EU personal data.
- Cloud and third-party hosting requires confirming each provider's testing policy; AWS no longer requires pre-authorization for many services but still prohibits certain test types such as DoS and DNS-zone-walking.
- Risk-based scoping prioritizes the highest-value, highest-risk assets and recent change areas first, and timeboxes effort by matching tester skill and team size to the scope.
- A defined change-control process must govern any mid-engagement scope additions, with rollback/abort procedures and agreed test windows to prevent production outages.
- Red teaming optimizes for stealth and goal-based objectives (accepting lower coverage), whereas vulnerability-focused testing optimizes for breadth of findings across many systems.
- Threat actors are commonly classified by capability and intent: APTs (nation-state), organized crime, hacktivists, insiders, and script kiddies; threat modeling aligns testing to realistic adversaries.
- Scoping cloud-native targets (e.g., Kubernetes) must consider whether aggressive enumeration could trigger autoscaling, pod evictions, or impact the shared control plane affecting availability.
- Integrating automated security checks into CI/CD alongside periodic deeper manual pentests gives continuous coverage; an annual test on its own leaves long exposure windows.
- Common standards/methodologies referenced for planning include PTES, OSSTMM, NIST SP 800-115, OWASP testing guides, and the MITRE ATT&CK framework.
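Added example (not CompTIA's code or any tool's own): a small scope gate in Python that applies the rule above before anything is scanned. Every candidate host from recon output is checked against the authorized CIDR ranges and the explicit exclusions from the scope document; only hosts that pass are placed on the Nmap command line, and the exclusions are repeated with Nmap's --exclude option as a second guard. The ranges, exclusion and candidate hosts are constructed values.

```python
"""Scope gate for an authorized engagement (added example, not CompTIA's or any tool's code).

Assumptions (constructed for illustration): the scope document lists authorized
CIDR ranges and explicit exclusions; candidate targets come from recon output.
"""
import ipaddress
from typing import Iterable


def load_scope(authorized: Iterable[str], excluded: Iterable[str]):
    """Parse CIDR/host strings from the scope document into network objects."""
    # strict=False lets both '10.0.1.5' and '10.0.1.0/24' parse as networks
    return (
        [ipaddress.ip_network(n, strict=False) for n in authorized],
        [ipaddress.ip_network(n, strict=False) for n in excluded],
    )


def in_scope(target: str, authorized, excluded) -> bool:
    """A host is testable only if it sits inside an authorized range AND outside every exclusion."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in authorized)


def partition_targets(candidates, authorized, excluded):
    """Split recon output into (testable, refused); refused hosts are reported, never scanned."""
    testable, refused = [], []
    for host in candidates:
        try:
            (testable if in_scope(host, authorized, excluded) else refused).append(host)
        except ValueError:
            refused.append(host)  # unparsable entries are treated as out of scope
    return testable, refused


def nmap_args(testable, excluded, ports="80,443,8080", timing="-T3"):
    """Build Nmap arguments for testable hosts only; --exclude repeats the exclusions as a second guard."""
    if not testable:
        raise ValueError("no in-scope targets; do not scan")
    args = ["nmap", "-sS", "-sV", timing, "-p", ports]
    if excluded:
        args += ["--exclude", ",".join(str(n) for n in excluded)]
    return args + list(testable)


if __name__ == "__main__":
    # Constructed scope document values and constructed recon output
    AUTH, EXCL = load_scope(["10.0.1.0/24", "10.0.2.0/24"], ["10.0.2.9/32"])
    ok, refused = partition_targets(["10.0.1.5", "10.0.2.9", "10.0.9.1", "not-an-ip"], AUTH, EXCL)
    print("testable:", ok)
    print("refused :", refused)
    print(" ".join(nmap_args(ok, EXCL)))
```

The refused list is worth keeping in the engagement log: a host that recon found but the scope does not authorize is exactly the kind of discovery that should go back to the client through the change-control process rather than being scanned.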
Domain 2: Information Gathering and Vulnerability Scanning
- Passive reconnaissance collects data without touching the target: WHOIS, DNS records, certificate transparency logs, job postings, and social media (OSINT); it generates no target traffic.
- Active reconnaissance sends packets directly to targets (port scans, banner grabbing) and creates entries in the target's firewall and IDS/IPS logs.
- Nmap -sS performs a stealthy SYN (half-open) scan; -sT is a full TCP connect scan; -sU scans UDP; -sn does host discovery (ping sweep) with no port scan.
- Nmap -sV detects service and version; -O enables OS detection; -sC runs the default NSE script category; -A combines OS detection, version detection, scripts, and traceroute.
- Nmap timing templates range from -T0 (paranoid) to -T5 (insane); -T3 is the default and -T4 is a common faster choice; separate rate limits cap the packet rate (e.g., masscan --rate 1000 sends 1,000 packets per second).
- Nmap -Pn treats all hosts as online (skips host discovery), useful when ICMP is blocked; -p specifies ports, e.g., nmap -p 80,443,8080 target.
- A DNS zone transfer is attempted with dig axfr example.com @ns1.example.com; misconfigured name servers leak the full record set.
- Authenticated (credentialed) scanning logs into targets, which reduces false positives, reveals installed patches and configurations that unauthenticated scans cannot see, and avoids repeated rescans.
- Common scanners include Nessus, OpenVAS, Qualys, and Nikto (web); they use version comparisons and banner analysis and therefore produce false positives that need manual validation.
- Enumeration extracts specifics: SMB shares (enum4linux, smbclient), SNMP (snmpwalk, default community string 'public'), LDAP/AD users, and SMTP VRFY/EXPN.
- Large environments are scanned efficiently by grouping assets into scoped batches by subnet/role, reusing a maintained asset inventory to target only deltas, and placing distributed scan engines near each segment.
- OSINT tools include theHarvester (emails/subdomains), Shodan and Censys (internet-exposed devices), Maltego (link analysis), and recon-ng; Google dorking finds exposed files.
- Misconfigured cloud storage (public S3 buckets, Azure blobs, GCS) frequently exposes sensitive data and is a high-value passive/active recon target.
- CVSS scores vulnerabilities 0.0-10.0 (v3.1) using attack vector, complexity, privileges required, user interaction, scope, and CIA impact; testers prioritize by CVSS and exploitability.
Domain 3: Attacks and Exploits
- Manual validation is required because scanners report false positives; testers confirm exploitability and prioritize the highest-CVSS, most-likely-exploitable findings rather than every flagged item.
- Intercepting proxies such as Burp Suite and OWASP ZAP sit between the browser and the app to capture, modify, and replay HTTP/HTTPS requests for injection and logic testing.
- SQL injection inserts SQL syntax into unsanitized input (e.g., OR '1'='1', UNION SELECT); the primary defense is parameterized queries/prepared statements; sqlmap automates exploitation.
- Cross-site scripting (XSS) injects attacker JavaScript that runs in victims' browsers; types are stored, reflected, and DOM-based; defenses include output encoding and Content Security Policy.
- Server-side request forgery (SSRF) coerces a server into making attacker-controlled requests, often used to reach cloud metadata endpoints (169.254.169.254) for credentials.
- Password attacks include dictionary, brute-force, hybrid, and password-spraying attacks; spraying tries one common password slowly across many accounts so that no single account crosses the lockout threshold.
- Offline cracking uses GPU acceleration with targeted/curated wordlists, rule sets, and mask attacks (Hashcat, John the Ripper) before resorting to raw brute force.
- LLMNR/NBT-NS poisoning with Responder captures NTLM hashes on a LAN; SMB relay forwards captured authentication to other hosts that lack SMB signing.
- Kerberoasting requests service tickets (TGS) for accounts with SPNs and cracks them offline; AS-REP roasting targets accounts with Kerberos pre-authentication disabled.
- Vulnerability chaining combines multiple lower-severity issues (e.g., info disclosure plus weak auth) to achieve a greater impact such as full compromise.
- Social engineering vectors include phishing, spear phishing, pretexting/impersonation, vishing, smishing, and physical tactics like tailgating; SET (Social-Engineer Toolkit) assists.
- On-path (man-in-the-middle) attacks include ARP spoofing/poisoning, evil twin / rogue access points, and DNS spoofing, threatening confidentiality and integrity of traffic.
- Metasploit Framework provides exploit modules, payloads (e.g., windows/meterpreter/reverse_https), and post modules; msfvenom generates standalone payloads.
- Wireless attacks include capturing WPA2 4-way handshakes for offline cracking, deauthentication attacks, and exploiting WPS PINs.
- The OWASP Top 10 frames the priority web application risks to test for.
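Added example (not CompTIA's code): the SQL injection bullet above, shown as a vulnerable string-built login query beside its parameterized fix, using an in-memory SQLite table constructed here. The tautology payload from the bullet makes the vulnerable query match every row, while the parameterized version binds the same text as plain data and finds nothing. Plaintext passwords are used only to keep the table readable; a real application would compare password hashes.

```python
"""SQL injection: vulnerable string-built query beside its parameterized fix
(added example; not CompTIA's code). Uses an in-memory SQLite table constructed here."""
import sqlite3

# Constructed sample rows (plaintext passwords for readability only)
SEED_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username, password) -> bool:
    """Builds SQL by string formatting: user input becomes part of the SQL syntax."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password) -> bool:
    """Placeholders keep input as data: the statement's structure is fixed before values are bound."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both logins with a valid credential and with the tautology payload from the bullet."""
    conn = make_db()
    payload = "' OR '1'='1"
    # Vulnerable query becomes: ... AND password = '' OR '1'='1'  (true for every row)
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "valid_safe": login_parameterized(conn, "alice", "correct horse"),
        "tautology_vuln": login_vulnerable(conn, "alice", payload),
        "tautology_safe": login_parameterized(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {'login accepted' if result else 'login rejected'}")
```

The defense is structural rather than a filter: because the parameterized statement is compiled with placeholders, nothing in the bound value can alter the WHERE clause, which is why it is the primary fix rather than input blacklisting.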
Domain 4: Reporting and Communication
- A complete report contains an executive summary (business risk, non-technical) for leadership and detailed technical findings with reproduction steps for engineers.
- Each finding should include a risk rating, evidence (steps, screenshots, requests/responses), impact, clear CVSS rationale, and specific remediation guidance.
- Findings are prioritized by risk so the client fixes the highest-impact issues first; severe exposures may warrant immediate (out-of-band) communication before the report is delivered.
- Identical findings across many hosts should be deduplicated and mapped to a common root cause (e.g., a missing patch or misconfiguration template) while preserving individual evidence.
- For systemic issues, recommend the design-level fix (segmentation/tiering, secure baseline) rather than only listing each compromised host.
- Provide both a long-term architectural fix and interim compensating controls so the client can reduce risk while the permanent remediation is implemented.
- Document the full attack path/chain showing how combined findings led to compromise, with reproduction steps, so the client understands the real-world impact.
- A retest/closure step with stable finding identifiers and a status field per finding confirms remediation effectiveness and tracks closure over time.
- CVSS attack vector values (Network, Adjacent, Local, Physical) communicate exploitability; 'Network' means remotely exploitable and typically scores higher.
- A formal close-out/readout meeting lets the tester explain findings, answer questions, and align stakeholders on fixes and priorities.
- Reports must be handled securely (encrypted at rest and in transit) and distributed only to authorized recipients because they contain a roadmap of exploitable weaknesses.
- Common report secure-handling practices include defining a retention/destruction policy and using a secure delivery channel; never email findings in plaintext.
- Clear, reproducible, well-prioritized reporting reduces the client's time and cost to remediate and avoids back-and-forth clarification.
- Contributing factors for findings include outdated software/missing patches, weak credentials, misconfigurations, and insufficient logging/monitoring; tie each finding to its root cause.
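Added example (not CompTIA's code or any scanner's): the deduplication, stable-identifier and retest-status points above, worked in Python over a constructed set of per-host scanner findings. Identical findings on several hosts collapse into one entry keyed by a stable identifier derived from the finding's title and root cause (not from host or scan order, so a retest references the same ID), each host's evidence is kept, and the consolidated list is ordered by CVSS and then by how many hosts share the root cause.

```python
"""Consolidating per-host scanner findings into root-cause entries with stable
identifiers and a status field (added example, not CompTIA's or any tool's code).
The finding records below are constructed."""
import hashlib

# Constructed raw findings as a scanner might emit them: one row per host per issue
RAW_FINDINGS = [
    {"host": "10.0.1.5", "title": "SMB signing not required",
     "root_cause": "Default SMB policy in server baseline", "cvss": 5.3,
     "evidence": "constructed: signing enabled but not required"},
    {"host": "10.0.1.6", "title": "SMB signing not required",
     "root_cause": "Default SMB policy in server baseline", "cvss": 5.3,
     "evidence": "constructed: signing enabled but not required"},
    {"host": "10.0.1.7", "title": "SMB signing not required",
     "root_cause": "Default SMB policy in server baseline", "cvss": 5.3,
     "evidence": "constructed: signing enabled but not required"},
    {"host": "10.0.1.20", "title": "SQL injection in login form",
     "root_cause": "String-built query in auth module", "cvss": 9.8,
     "evidence": "constructed: request/response pair showing tautology bypass"},
    {"host": "10.0.1.5", "title": "Outdated OpenSSH",
     "root_cause": "Missing patch cycle for bastion hosts", "cvss": 7.5,
     "evidence": "constructed: banner shows an unsupported version"},
]


def finding_id(title: str, root_cause: str) -> str:
    """Stable identifier derived from the finding's meaning, so retests reuse the same ID."""
    key = f"{title.strip().lower()}|{root_cause.strip().lower()}".encode()
    return "PT-" + hashlib.sha256(key).hexdigest()[:8].upper()


def consolidate(raw):
    """Group identical findings across hosts by root cause, keeping each host's evidence."""
    grouped = {}
    for f in raw:
        fid = finding_id(f["title"], f["root_cause"])
        entry = grouped.setdefault(fid, {
            "id": fid, "title": f["title"], "root_cause": f["root_cause"],
            "cvss": 0.0, "hosts": [], "evidence": {}, "status": "open",
        })
        entry["cvss"] = max(entry["cvss"], f["cvss"])  # rate the group at its worst instance
        if f["host"] not in entry["hosts"]:
            entry["hosts"].append(f["host"])
        entry["evidence"][f["host"]] = f["evidence"]
    # Highest CVSS first, then the widest blast radius, so the client fixes the worst issues first
    return sorted(grouped.values(), key=lambda e: (-e["cvss"], -len(e["hosts"]), e["id"]))


def update_status(report, fid: str, status: str):
    """Retest step: status is tracked per stable ID, never per host."""
    allowed = {"open", "remediated", "accepted-risk"}
    if status not in allowed:
        raise ValueError(f"status must be one of {sorted(allowed)}")
    for entry in report:
        if entry["id"] == fid:
            entry["status"] = status
            return entry
    raise KeyError(fid)


def open_findings(report):
    return [e for e in report if e["status"] == "open"]


if __name__ == "__main__":
    for e in consolidate(RAW_FINDINGS):
        print(f'{e["id"]} {e["cvss"]:4.1f} {e["status"]:6} hosts={len(e["hosts"])} {e["title"]}')
```

Because the identifier depends only on title and root cause, the report generated at retest time produces the same IDs as the original, and the status field per ID is what tracks closure over time.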
Domain 5: Post-exploitation and Lateral Movement
- Privilege escalation elevates access beyond what was initially granted: on Linux via permissive sudo rules and SUID root binaries (see GTFOBins), on Windows via weak service permissions, unquoted service paths, and kernel exploits (e.g., PrintNightmare).
- Lateral movement pivots from a foothold to additional systems using Pass-the-Hash, Pass-the-Ticket, SMB relay, and remote execution via PsExec, WMI (wmic /node:target process call create), or PowerShell remoting.
- Pass-the-Hash reuses a captured NTLM hash to authenticate without the plaintext password; Impacket's psexec.py and CrackMapExec both support Pass-the-Hash authentication.
- Mimikatz dumps plaintext passwords and NTLM hashes from LSASS memory (sekurlsa::logonpasswords); DCSync (Mimikatz or Impacket secretsdump.py) replicates credentials from a domain controller.
- BloodHound with the SharpHound collector maps Active Directory attack paths, revealing the shortest route to Domain Admin and abusable ACLs.
- Persistence mechanisms that survive reboot/credential change include new services, scheduled tasks running a stored PowerShell one-liner, Run registry keys, and adding a Linux user with UID 0; authorized testers must document and later remove all of them.
- Living-off-the-land binaries (LOLBins) such as certutil, bitsadmin, and rundll32, plus native tools, help evade detection by avoiding dropped malware.
- Pivoting reaches segmented networks via SSH port forwarding, a SOCKS proxy over an SSH/Meterpreter tunnel that many tools can reuse, or pivoting through a DMZ host.
- Token impersonation/kidnapping (e.g., Potato family exploits) and abusing SeImpersonate privileges can elevate a service account to SYSTEM.
- Data exfiltration during testing should be demonstrated with stealthy channels such as encrypted chunked HTTPS transfers and DNS tunneling, exfiltrating only proof-of-concept data.
- Cleanup obligations require removing uploaded tools and backdoors, deleting created accounts, reverting configuration changes, and restoring systems to their original state.
- Comprehensive, timestamped documentation of every action (logs, screenshots) supports an accurate, reproducible report and provides accountability for what was done within scope.
- Windows privilege-escalation gotchas include writable PATH entries letting an attacker plant a malicious C:\Program.exe, and creating a malicious MSI executed via AlwaysInstallElevated to gain SYSTEM.
- Common credential locations include LSASS memory, the SAM/SYSTEM registry hives, ntds.dit on a domain controller, and Linux /etc/shadow; /proc/<pid>/environ can leak secrets passed as environment variables.
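Added example (not CompTIA's code): the documentation and cleanup obligations above, worked as an engagement artifact register in Python. Every persistence artifact or change a tester creates is recorded with a timestamp, each removal is recorded with who verified it, the register refuses to report the engagement as ready for close-out while anything is outstanding, and it produces the timestamped timeline for the report appendix. Hosts, artifact names and timestamps below are constructed.

```python
"""Engagement artifact register: every artifact a tester creates is recorded with a
timestamp and must be marked removed before close-out (added example, not CompTIA's
code; hosts, names and timestamps are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Artifact:
    host: str
    kind: str                       # e.g. "scheduled-task", "local-user", "uploaded-tool", "config-change"
    detail: str                     # task name, account name, path, or what was changed
    created_at: datetime
    removed_at: Optional[datetime] = None
    verified_by: str = ""


class ArtifactRegister:
    def __init__(self):
        self._items: list = []

    def record(self, host, kind, detail, when=None) -> Artifact:
        """Log an artifact at the moment it is created, not at the end of the engagement."""
        art = Artifact(host, kind, detail, when or datetime.now(timezone.utc))
        self._items.append(art)
        return art

    def mark_removed(self, host, kind, detail, verified_by, when=None) -> Artifact:
        """Close an open artifact; fails loudly if nothing matching is outstanding."""
        for art in self._items:
            if (art.host, art.kind, art.detail) == (host, kind, detail) and art.removed_at is None:
                art.removed_at = when or datetime.now(timezone.utc)
                art.verified_by = verified_by
                return art
        raise KeyError(f"no open artifact {kind} {detail!r} on {host}")

    def outstanding(self):
        return [a for a in self._items if a.removed_at is None]

    def ready_for_closeout(self) -> bool:
        """Close-out is blocked while any created artifact has no verified removal."""
        return not self.outstanding()

    def timeline(self):
        """Chronological, timestamped record of every create/remove action for the report appendix."""
        events = []
        for a in self._items:
            events.append((a.created_at, f"CREATE {a.kind} {a.detail} on {a.host}"))
            if a.removed_at:
                events.append((a.removed_at,
                               f"REMOVE {a.kind} {a.detail} on {a.host} (verified by {a.verified_by})"))
        return [f"{t.isoformat()} {msg}" for t, msg in sorted(events)]


def demo_register() -> ArtifactRegister:
    """Constructed engagement: three artifacts created, two removed so far."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    reg = ArtifactRegister()
    reg.record("WS01", "scheduled-task", "Updater", when=t0)
    reg.record("WS01", "uploaded-tool", r"C:\Temp\collector.exe", when=t0.replace(minute=5))
    reg.record("SRV02", "local-user", "svc_test", when=t0.replace(hour=10))
    reg.mark_removed("WS01", "scheduled-task", "Updater", "tester A", when=t0.replace(hour=16))
    reg.mark_removed("WS01", "uploaded-tool", r"C:\Temp\collector.exe", "tester A",
                     when=t0.replace(hour=16, minute=2))
    return reg


if __name__ == "__main__":
    reg = demo_register()
    print("\n".join(reg.timeline()))
    print("ready for close-out:", reg.ready_for_closeout())
    print("outstanding:", [(a.host, a.kind, a.detail) for a in reg.outstanding()])
```

Keeping the register as a living record during the engagement, rather than reconstructing it at the end, is what makes the cleanup list and the report's action timeline agree with each other.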
CompTIA PenTest+ (PT0-003) exam tips
- Watch for the 'first/most important step' qualifier in scoping questions - the answer is almost always obtaining written authorization and a signed scope/RoE before any other action.
- Memorize Nmap flags cold: -sS, -sT, -sU, -sn, -sV, -O, -sC, -A, -Pn, -p, and the -T0 to -T5 timing templates; performance-based questions often ask you to build or interpret a command.
- Map each attack to its category and tool (e.g., Responder for LLMNR poisoning, Hashcat for offline cracking, Burp/ZAP for web, BloodHound for AD paths) so terminology questions are quick wins.
- When two answers both look correct, pick the one that is safest, legal, and consistent with the rules of engagement - notifying the client and stopping usually beats continuing.
- For reporting questions, match the audience: executive summary equals business risk for leadership, technical findings equal reproduction steps for engineers, and deduplicate identical findings to a common root cause.
Study guide FAQ
What is the difference between PenTest+ PT0-002 and the current PT0-003 exam?
PT0-003 is the current version (PT0-002 retired) and increases emphasis on hands-on attack execution, modern environments (cloud, containers, APIs, and AI/ML systems), and scripting/automation. It keeps the same five domains and lifecycle focus but updates tools and techniques. Always study against PT0-003 objectives.
How is the exam scored and what do I need to pass?
PenTest+ uses a scaled score from 100 to 900, and you need 750 to pass. The 165-minute exam includes up to 90 questions mixing multiple-choice and performance-based (hands-on simulation) items. Performance-based questions are weighted heavily, so practice building commands and analyzing tool output.
Do I need to memorize exact tool syntax and commands?
Yes. Performance-based questions can require you to construct or interpret real commands - Nmap scans, Hashcat cracking, Metasploit/msfvenom payloads, Impacket and CrackMapExec for Pass-the-Hash, and dig for zone transfers. Know the common flags, default ports, and which tool solves which problem.
How much experience should I have before taking PenTest+?
CompTIA recommends 3-4 years of hands-on information security or penetration testing experience and a Network+/Security+ level of foundational knowledge. It is an intermediate certification, so prior comfort with networking, the command line, and basic scripting (Bash, Python, PowerShell) is expected.