This free CompTIA PenTest+ study guide covers every domain the current PT0-003 exam tests, organized to CompTIA’s official exam objectives.[2] PenTest+ is CompTIA’s hands-on penetration testing certification — it validates the skills to plan and scope an engagement, perform reconnaissance, find and exploit vulnerabilities, move through a network, and report findings with clear remediation.
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.
The PenTest+ PT0-003 exam has five domains, and we teach each one as its own module, in the order a real engagement runs, while flagging the heaviest-weighted domains so you can budget study time. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives, not a full offensive-security textbook.
CompTIA PenTest+ is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.
PenTest+ (PT0-003) Exam Snapshot
| Detail | PenTest+ (PT0-003) |
|---|---|
| Questions | Maximum of 90 |
| Format | Multiple-choice + performance-based (PBQs) |
| Time | 165 minutes |
| Passing score | 750 (on a scale of 100–900; scaled scoring) |
| Exam code | PT0-003 (launched December 17, 2024) |
| Delivered by | Pearson VUE (test center or OnVUE online proctored) |
| Certifying body | CompTIA |
| Recommended prep | Network+ and Security+, plus ~3–4 years offensive-security experience (not required) |
| Cost | ≈ $404 USD (single voucher; verify current price) |
| Valid for | 3 years — renew with CEUs (CompTIA CE program) |
One domain dominates. Attacks & Exploits (35%) is over a third of the exam by itself; together with Reconnaissance & Enumeration (21%) it is more than half of your score.[2] Study by weight:
- Domain 4.0 Attacks & Exploits: 35%
- Domain 2.0 Reconnaissance & Enumeration: 21%
- Domain 3.0 Vulnerability Discovery & Analysis: 17%
- Domain 5.0 Post-exploitation & Lateral Movement: 14%
- Domain 1.0 Engagement Management: 13%
CompTIA numbers the domains 1.0 through 5.0 (Engagement Management is officially Domain 1.0). Budget your study time by weight, but the guide itself follows the natural order of an engagement, because scoping and authorization come before any technical work: Engagement Management first, then recon, vulnerability analysis, exploitation, and post-exploitation. The whole methodology looks like this:
1. Planning & Scoping (Engagement Management): agree the scope, Rules of Engagement, authorization, and timing. Define goals and constraints before any technical work.
2. Reconnaissance: gather information, first passive OSINT (WHOIS, DNS, search engines) and then, once active recon is authorized, scanning and enumeration.
3. Vulnerability Discovery & Analysis: scan systems and web apps, then manually validate findings, removing false positives and rating exploitability.
4. Exploitation (Attacks & Exploits): exploit validated weaknesses (network, host, web, wireless, cloud, and social-engineering attacks) to gain access.
5. Post-Exploitation & Lateral Movement: escalate privileges, establish persistence, harvest credentials, and pivot to reach high-value internal systems.
6. Reporting: document findings, evidence, risk, and prioritized remediation, as an executive summary plus technical detail.
7. Cleanup & Retest: remove tools, accounts, and persistence to restore the environment; retest after the client remediates.
Module 1 · Engagement Management
Domain 1.0 — 13% of the exam. Before a single packet is sent, the engagement has to be scoped, authorized, and governed. This domain is the “business and legal” side of penetration testing — it is less technical but absolutely tested, and getting it wrong can be illegal.
1.1 Scoping & Rules of Engagement
Every engagement begins with scope: the explicit boundary of which IP ranges, domains, applications, and facilities are in or out of bounds. The Rules of Engagement (RoE) then define exactly what the tester may do: timing windows, allowed techniques (for example, whether denial-of-service testing is permitted), and a communication and escalation plan with a defined stop point (a condition that halts testing immediately).[3]
Engagements are also classified by how much the tester knows: an unknown-environment (black-box) test gives no information (the realistic outsider view), a known-environment (white-box) test gives full information (the most thorough), and a partially known (gray-box) test sits in between, with limited information such as a standard user account.
Black-box (unknown)
No prior information. Most realistic outsider view; slowest and may miss internal issues.
Gray-box (partially known)
Limited information — e.g., a standard user account. Balances realism and coverage.
White-box (known)
Full information — source, architecture, credentials. Most thorough and efficient.
| Document | What it covers |
|---|---|
| Rules of Engagement (RoE) | What the tester may do — scope, timing, techniques, escalation |
| Authorization letter | Signed permission proving the test is legal ('get-out-of-jail' letter) |
| Statement of Work (SOW) | Deliverables, timeline, and tasks of the engagement |
| Master Service Agreement (MSA) | Overarching terms for an ongoing relationship |
| Non-Disclosure Agreement (NDA) | Confidentiality of client data and findings |
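Scope is only useful if the tooling enforces it. The following is an added Python example (not code from this page or from CompTIA) of a scope guard a tester can put in front of any scanner or wordlist run: it refuses targets outside the agreed ranges and, more importantly, honours exclusions inside an in-scope range, which is where fragile or third-party-owned hosts usually sit. The networks, excluded hosts and domains are constructed stand-ins for what a real RoE would list.

```python
import ipaddress
from typing import Iterable

# Constructed engagement scope (assumed values, not from any real RoE).
IN_SCOPE_NETWORKS = ["10.10.0.0/16", "203.0.113.0/24"]
EXCLUDED_HOSTS = ["10.10.5.20", "10.10.5.21"]   # e.g. the client's fragile ICS hosts
IN_SCOPE_DOMAINS = ["example.com"]              # the domain and all its subdomains
EXCLUDED_DOMAINS = ["mail.example.com"]         # hosted by a third party; not ours to test


def _domain_matches(host: str, domains: Iterable[str]) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def in_scope(target: str,
             networks=IN_SCOPE_NETWORKS, excluded_hosts=EXCLUDED_HOSTS,
             domains=IN_SCOPE_DOMAINS, excluded_domains=EXCLUDED_DOMAINS) -> bool:
    """Return True only if target is inside the agreed scope and not on an exclusion list.
    Exclusions always win: an excluded host inside an in-scope range is out of scope."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat it as a hostname and consult the domain lists.
        if _domain_matches(target, excluded_domains):
            return False
        return _domain_matches(target, domains)
    if any(ip == ipaddress.ip_address(h) for h in excluded_hosts):
        return False
    return any(ip in ipaddress.ip_network(n) for n in networks)


def filter_targets(targets):
    """Split a candidate target list into (allowed, refused) before any packet is sent."""
    allowed = [t for t in targets if in_scope(t)]
    refused = [t for t in targets if not in_scope(t)]
    return allowed, refused


if __name__ == "__main__":
    candidates = ["10.10.1.5", "10.10.5.20", "198.51.100.7",
                  "www.example.com", "mail.example.com", "example.org"]
    ok, refused = filter_targets(candidates)
    print("allowed:", ok)
    print("refused:", refused)
```

Run the check on every target list before it reaches Nmap or Hydra; the refused list is worth keeping as evidence that the exclusions were honoured. The guard deliberately does not resolve hostnames, so a hostname that resolves to an excluded IP still needs the IP checked once resolution happens.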
1.2 Legal, Compliance & Ethics
Penetration testing lives or dies on permission. Beyond the client’s sign-off, you must respect third-party ownership — a hosting provider or cloud platform may own the underlying infrastructure, so the client cannot authorize you to attack it without the provider’s rules and permission. Compliance-driven tests (PCI DSS, HIPAA) have their scope and required checks dictated by the regulation, not just the client.
Industry methodologies give the engagement structure: PTES (seven phases), NIST SP 800-115, and OSSTMM. They all share the same plan → test → report shape, and MITRE ATT&CK provides a common language for the adversary techniques you emulate.[6]
| Reference | What it is |
|---|---|
| PTES | Penetration Testing Execution Standard — 7 phases, pre-engagement to reporting |
| NIST SP 800-115 | Technical guide: planning, discovery, attack, and reporting phases |
| OSSTMM | Open Source Security Testing Methodology Manual — metric-based testing |
| MITRE ATT&CK | Knowledge base of real-world adversary tactics and techniques |
| OWASP WSTG | Web Security Testing Guide — methodology for web app testing |
1.3 Reporting & Remediation
The deliverable that pays the bill is the report. A strong report serves two audiences: an executive summary for leadership (business risk, in plain language) and detailed technical findings for the staff who will fix them — each finding with evidence, a severity rating, and a clear, prioritized remediation recommendation.[3] Findings are prioritized by risk (severity combined with exploitability and business impact), not by score alone.
| Section | Purpose |
|---|---|
| Executive summary | Business-level risk and recommendations for leadership |
| Methodology & scope | What was tested, how, and within what boundaries |
| Findings | Each vulnerability with evidence, severity, and impact |
| Remediation | Prioritized, actionable fixes for each finding |
| Appendices | Raw evidence, tool output, and reproduction steps |
Module 2 · Reconnaissance & Enumeration
Domain 2.0 — 21% of the exam, the second-largest domain. You can’t attack what you haven’t found. Reconnaissance builds a map of the target’s attack surface, and enumeration extracts the detail — users, shares, versions — that the exploitation phase depends on.
2.1 Passive Recon & OSINT
Passive reconnaissance gathers information without ever touching the target, so the target sees nothing. This is OSINT (Open-Source Intelligence): WHOIS records, DNS lookups, search engines, certificate transparency logs, social media, job postings, and leaked credentials. It feeds both technical targeting (subdomains, IPs) and social engineering (employee names and email formats).[3]
Passive reconnaissance
Undetectable, lower detail
No direct contact with the target. OSINT, WHOIS, DNS records, search engines, certificate transparency, social media.
Active reconnaissance
Detectable, higher detail
Directly interacts with the target. Port scanning, banner grabbing, service/OS fingerprinting, enumeration.
| Source / tool | What it reveals |
|---|---|
| WHOIS | Domain registrar, dates, and (if not redacted) contacts and name servers |
| dig / nslookup | DNS records (A, MX, NS, TXT); a zone transfer can dump every host |
| theHarvester / Recon-ng | Emails, subdomains, hosts, and names from public sources |
| Maltego | Graphical link analysis of people, domains, and infrastructure |
| Shodan / Censys | Internet-exposed devices and services by banner |
| Google dorking | Exposed files, login pages, and indexed sensitive data |
2.2 Active Scanning & Enumeration
Active reconnaissance directly probes the target, and the workhorse is Nmap. A SYN scan (-sS) is fast and relatively stealthy because it never completes the TCP handshake (an IDS still sees the SYNs); -sV identifies service versions; -O guesses the OS; and the Nmap Scripting Engine (NSE, --script) automates discovery and even vulnerability checks. Banner grabbing and fingerprinting then pin down the exact software so attacks can be matched to known weaknesses.
Enumeration goes deeper into discovered services: SMB shares and users (enum4linux), SNMP (often readable with the default community string public), LDAP/Active Directory, and SMTP user enumeration (VRFY/EXPN). Wireshark and tcpdump capture traffic, sometimes revealing credentials sent in clear text by protocols such as FTP, Telnet, and HTTP Basic authentication.
| Technique / tool | Purpose |
|---|---|
| Nmap SYN scan (-sS) | Fast, stealthy half-open TCP port discovery |
| Nmap -sV / -O | Service/version detection and OS fingerprinting |
| Masscan | Internet-scale port scanning for huge IP ranges |
| enum4linux | Enumerate Windows/Samba shares, users, and policy over SMB |
| SNMP enumeration | Pull system info via SNMP (watch for 'public') |
| Wireshark / tcpdump | Capture and analyze traffic; extract clear-text data |
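The scan output is only the start; the next step is turning each open service into an enumeration task. Below is an added Python example (not from this page or from CompTIA) that parses Nmap's XML output (-oX), keeps only open ports on live hosts, and maps each service to the enumeration tool from the table above. The Nmap XML is a constructed, trimmed sample: the host, ports and version strings are made up, and the NEXT_STEP mapping is this example's own choice of tools.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sS -sU -sV -oX scan.xml` output (host and versions are made up).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.10.1.5">
  <host>
    <status state="up"/>
    <address addr="10.10.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered" reason="no-response"/>
        <service name="netbios-ssn"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Samba smbd" version="3.X - 4.X"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open" reason="udp-response"/>
        <service name="snmp" product="net-snmp" version="5.7.3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Which enumeration step follows which service (the "right tool for the job" the PBQs test).
# Keys are Nmap service names; values are this example's suggested next commands.
NEXT_STEP = {
    "ssh": "banner grab (nc <host> 22) and check the version against known CVEs",
    "microsoft-ds": "enum4linux -a <host> (shares, users, password policy)",
    "netbios-ssn": "enum4linux -a <host>",
    "snmp": "snmpwalk -v2c -c public <host> (test the default community string)",
    "http": "whatweb/nikto, then gobuster or ffuf for content discovery",
    "ldap": "ldapsearch anonymous bind, then AD user enumeration",
}


def parse_open_ports(xml_text):
    """Return one dict per open port on each live host: host, proto, port, service, product, version."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered and closed ports are not attack surface
            svc = port.find("service")
            findings.append({
                "host": ip,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return findings


def enumeration_plan(findings):
    """Map each open service to the enumeration tool to run next."""
    return [(f["host"], f["port"], NEXT_STEP.get(f["service"], "manual review"))
            for f in findings]


if __name__ == "__main__":
    open_ports = parse_open_ports(SAMPLE_NMAP_XML)
    for f in open_ports:
        print(f"{f['host']}:{f['port']}/{f['proto']}  {f['service']:<13} {f['product']} {f['version']}")
    for host, port, step in enumeration_plan(open_ports):
        print(f"next for {host}:{port} -> {step}")
```

Feeding real output in is just `parse_open_ports(open("scan.xml").read())`. Note that the filtered port 139 is dropped: a filtered result says a firewall is in the path, not that the service is absent, so it is worth a note in the report but not an enumeration target.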
2.3 Reconnaissance Tooling
PT0-003 references more than 80 tools, and the performance-based questions test whether you know which tool for which job. For recon and enumeration, group them by purpose: OSINT collection, network scanning, web/content discovery, and traffic capture.
| Purpose | Tools |
|---|---|
| OSINT collection | theHarvester, Recon-ng, Maltego, Spiderfoot, Shodan, Censys |
| Network scanning | Nmap, Masscan, arp-scan |
| Subdomain / DNS | Amass, Sublist3r, dig, certificate transparency (crt.sh) |
| Web content discovery | Gobuster, dirb, ffuf, Wappalyzer/WhatWeb |
| Traffic capture | Wireshark, tcpdump |
Module 3 · Vulnerability Discovery & Analysis
Domain 3.0 — 17% of the exam. Between finding the attack surface and attacking it, you identify weaknesses and decide which are real and worth exploiting. This domain is about scanning, then the human judgment of validating and prioritizing what the scanner reports.
3.1 Vulnerability Scanning
A vulnerability scan automatically checks systems against a database of known weaknesses to produce a prioritized findings list, but it does not exploit anything (that is what makes it different from a penetration test). Network scanners include Nessus and OpenVAS; web scanners include Nikto, Wapiti, OWASP ZAP, and WPScan; and fuzzing sends malformed input to provoke crashes and bugs.[5]
A credentialed scan logs in to inspect patch levels and configuration from the inside — far more accurate, with fewer false positives, than an external non-credentialed scan. Always tune scan intensity for fragile systems (ICS/SCADA, legacy hosts) to avoid causing an outage.
| Tool | Target | What it does |
|---|---|---|
| Nessus | Networks & hosts | Commercial scanner; thousands of vulnerability/config checks |
| OpenVAS / Greenbone | Networks & hosts | Open-source networked vulnerability scanning |
| Nikto | Web servers | Checks for dangerous files, outdated software, misconfigs |
| Wapiti / OWASP ZAP | Web apps | Black-box crawling and injection testing |
| sqlmap | Web apps (DB) | Detects and exploits SQL injection automatically |
| WPScan | WordPress | Enumerates plugins, themes, users, and known flaws |
3.2 Analyzing & Validating Results
Scanners are noisy. A false positive is a flagged vulnerability that isn't real or exploitable; a false negative is a real one the scanner missed. Validation, manually confirming that a finding is real and exploitable, is what separates a credible report from a raw scan dump. Look up findings by CVE ID in the NVD and check Exploit-DB (with searchsploit) for a working exploit.
Prioritize with CVSS (0.0–10.0 severity), but remember that priority is not the same as severity: the final order weighs exploitability and business context, too.[7] Automated scans also miss business-logic flaws (e.g., skipping a payment step), which only manual testing finds.
| Result | Meaning | Action |
|---|---|---|
| True positive | Real, confirmed vulnerability | Validate impact, then report and remediate |
| False positive | Flagged but not real/exploitable | Verify and remove from the report |
| False negative | Real, but the scanner missed it | Catch with manual testing |
| Informational | Low/no direct risk | Note for context, deprioritize |
Module 4 · Attacks & Exploits
Domain 4.0 — 35% of the exam, by far the single largest domain. This is the heart of PenTest+: actually exploiting weaknesses across five attack surfaces — network/host, web application, wireless, cloud, and the human (social engineering). Spend the most time here.
Network & host
On-path/MITM, ARP & DNS poisoning, password attacks, SMB relay, service exploits.
Web application
SQL injection, XSS, CSRF, SSRF, command injection, path traversal, IDOR, file inclusion.
Wireless
Evil twin / rogue AP, deauth attacks, WPA handshake capture and offline cracking, WPS attacks.
Cloud
Metadata-service abuse (often via SSRF), exposed storage buckets, IAM privilege escalation.
Social engineering
Phishing, vishing, smishing, pretexting, tailgating, USB drops — attacking the human.
4.1 Network & Host Attacks
On the wire, the classic is the on-path attack (formerly man-in-the-middle): an attacker relays or alters traffic between two parties, often via ARP poisoning or a rogue access point. Other high-yield attacks: DNS poisoning, replay, SMB relay (mitigated by SMB signing), and LLMNR/NBT-NS poisoning with Responder to capture NetNTLMv2 hashes (crackable offline but not usable for pass-the-hash; relaying them is the other option). Host-level flaws include the buffer overflow (overwriting memory to run code) and the zero-day (a flaw for which no patch exists yet).
4.2 Web Application Attacks
Web apps are a huge part of the exam, anchored by the OWASP Top 10.[4] The headliners: SQL injection (input becomes database commands; fix with parameterized queries), cross-site scripting (script runs in another user's browser; fix with output encoding and CSP), CSRF (a forged state-changing request; fix with anti-CSRF tokens), and SSRF (the server is tricked into requesting internal resources, often a cloud metadata endpoint). Watch also for IDOR/broken access control, command injection, and directory traversal.
| Attack | What it does | Primary mitigation |
|---|---|---|
| SQL injection (SQLi) | Input becomes SQL the DB runs | Parameterized queries + input validation |
| Cross-site scripting (XSS) | Script runs in another user's browser | Output encoding + Content Security Policy |
| Cross-site request forgery (CSRF) | Forces a state-changing request | Anti-CSRF tokens + SameSite cookies |
| Server-side request forgery (SSRF) | Server requests internal resources | Allow-list outbound URLs |
| IDOR / broken access control | Access another user's object by changing an ID | Enforce per-object authorization |
| Command injection | Input becomes OS commands | Avoid shell calls; validate/escape input |
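SQL injection is easiest to understand by seeing the vulnerable query beside its fix. The following is an added Python example (not code from this page or from CompTIA) using an in-memory SQLite database: login_vulnerable builds the statement by string formatting, so a comment sequence in the username discards the password check, while login_safe binds the same input as a parameter and the payload becomes an ordinary string. The users and passwords are constructed sample data; plaintext passwords are used only to keep the injection point visible.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample users (a real app stores salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "S3cret!", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is formatted into the SQL text itself."""
    query = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterized: the driver binds values separately from the statement text, so quotes
    and comment sequences in the input are just characters inside a string value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo():
    conn = make_db()
    # Comment-injection payload: the trailing -- turns the password clause into a comment.
    payload_user = "alice' --"
    return {
        "vulnerable": login_vulnerable(conn, payload_user, "wrong-password"),
        "safe": login_safe(conn, payload_user, "wrong-password"),
        "safe_valid": login_safe(conn, "bob", "hunter2"),
        # Tautology payload: WHERE '' OR 1=1 matches every row; the first one comes back.
        "vulnerable_tautology": login_vulnerable(conn, "' OR 1=1 --", "x"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<21} -> {result}")
```

The vulnerable path logs the attacker in as alice without a password; the safe path returns nothing for the same input and still works for a genuine login. sqlmap automates exactly this discovery (and the blind and time-based variants) against a live application.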
4.3 Wireless, Cloud & Social Engineering
Wireless: capture the WPA/WPA2 4-way handshake (airodump-ng) and crack it offline (aircrack-ng or hashcat), stand up an evil twin rogue AP, or run a deauth attack to force clients to reconnect (which also produces a fresh handshake to capture). WPA3's SAE resists the offline dictionary cracking that works against WPA2-PSK.
Cloud: the big wins are abusing the instance metadata service (e.g., via SSRF) to steal temporary credentials, misconfigured public storage buckets, and over-permissive IAM that allows privilege escalation. Social engineering attacks the human with phishing (and its variants vishing, smishing, spear phishing, and whaling), pretexting, tailgating, and USB drops; the Social-Engineer Toolkit (SET) helps build the lures.[8]
| Surface | Attack | Key idea |
|---|---|---|
| Wireless | Handshake capture + offline crack | Capture WPA2 4-way handshake, crack with a wordlist |
| Wireless | Evil twin / deauth | Rogue AP impersonates the SSID; deauth forces reconnects |
| Cloud | Metadata service abuse (SSRF) | Steal temporary instance credentials from 169.254.169.254 |
| Cloud | Public storage / IAM misconfig | Open buckets and over-permissive roles enable escalation |
| Social | Phishing / vishing / smishing | Trick a human into credentials or running a payload |
| Social | Tailgating / USB drop | Physical access via following in or a dropped device |
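The SSRF-to-metadata path above is usually closed with the allow-list mitigation from the web table. Here is an added Python example (not code from this page or from CompTIA) of the check an application would run on a user-supplied URL before fetching it: it refuses non-HTTP schemes, the cloud metadata hostnames and address, loopback, private and link-local IP literals, and the user@host trick, and allows hostnames only from an allow-list. The allow-list entries are assumed values for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed allow-list of hosts this application legitimately needs to fetch from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example.com"}
# Well-known cloud metadata endpoints (AWS/Azure/GCP link-local address, GCP hostname, AWS IPv6).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def check_outbound_url(url):
    """Return (allowed, reason) for a server-side fetch of a user-controlled URL.
    Caveat: a hostname may resolve to a private address at connect time (DNS rebinding);
    production code must resolve once, check the resolved IP, and connect to exactly that IP."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = p.hostname  # urlparse drops userinfo and port, so user@host and :port tricks fail
    if not host:
        return False, "no host"
    host = host.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname, not an IP literal: allow-list only (deny by default).
        if host in ALLOWED_HOSTS:
            return True, "allow-listed host"
        return False, "host not allow-listed"
    # IP literal: refuse anything that is not a plain public address.
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return False, f"internal address {ip}"
    return True, "public IP literal"


if __name__ == "__main__":
    for u in ["https://api.partner.example/v1/report",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://api.partner.example@169.254.169.254/",
              "http://127.0.0.1:8080/admin", "http://[::1]/", "http://2852039166/",
              "file:///etc/passwd"]:
        print(check_outbound_url(u))
```

Decimal and hex forms of the metadata address (2852039166, 0xa9fea9fe) are not valid to ipaddress, so they fall into the hostname branch and are refused by the allow-list rather than by the range check; that deny-by-default shape is what makes the guard hold up against encoding tricks it was not written for.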
4.4 Tools, Payloads & Password Attacks
Metasploit is the central exploitation framework: it delivers an exploit and a payload, the most popular payload being Meterpreter. A reverse shell connects from the victim back to the attacker (beating inbound firewall rules); a bind shell listens on the victim. Password attacks split into online attacks (Hydra/Medusa against live services, plus password spraying and credential stuffing) and offline cracking of captured hashes (John the Ripper, Hashcat). Salting defeats precomputed rainbow tables: each salted hash has to be attacked individually with a wordlist or brute force, so the table cannot be reused across victims.
| Tool | Use |
|---|---|
| Metasploit / msfvenom | Deliver exploits and generate payloads (e.g., reverse shells) |
| Burp Suite | Intercept, modify, and fuzz web traffic (Repeater, Intruder) |
| Hydra / Medusa | Online brute-force of login services (SSH, RDP, HTTP) |
| John the Ripper / Hashcat | Offline cracking of captured password hashes |
| aircrack-ng suite | Wireless monitoring, capture, injection, and WPA cracking |
| Netcat | Raw TCP/UDP — banner grabbing, transfers, simple shells |
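Why salting matters to the offline cracker is easiest to show with code. The following is an added Python example (not from this page or from CompTIA): a precomputed hash-to-password table cracks an unsalted hash with a single lookup, is useless against the same password once a random salt is mixed in, and the salted hash then has to be attacked one wordlist entry at a time. The wordlist and captured password are constructed for the example; SHA-256 stands in for whatever hash the target used.

```python
import hashlib
import os

# Constructed wordlist; a real attack uses rockyou.txt or similar.
WORDLIST = ["password", "letmein", "hunter2", "Summer2024!", "correcthorsebatterystaple"]


def build_rainbow_table(words):
    """Precompute hash -> password for every word once. This is the economics of a rainbow
    table: the work is done before any hash is captured and reused against all of them."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def crack_with_table(digest, table):
    """Unsalted hash: one dictionary lookup, no hashing at attack time."""
    return table.get(digest)


def hash_salted(password, salt):
    """Salt is random per user and stored beside the hash; it is not a secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_salted(digest, salt, words):
    """Salted hash: the precomputed table is useless, so every candidate must be re-hashed
    with this user's salt. Returns (password_or_None, hashes_computed)."""
    for attempts, w in enumerate(words, start=1):
        if hash_salted(w, salt) == digest:
            return w, attempts
    return None, len(words)


def demo():
    table = build_rainbow_table(WORDLIST)
    captured_unsalted = hashlib.sha256(b"hunter2").hexdigest()
    salt = os.urandom(16)
    captured_salted = hash_salted("hunter2", salt)
    return {
        "table_hits_unsalted": crack_with_table(captured_unsalted, table),
        "table_hits_salted": crack_with_table(captured_salted, table),
        "per_hash_crack": crack_salted(captured_salted, salt, WORDLIST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<20} -> {v}")
```

Salting removes the reuse, not the cracking: Hashcat runs exactly this per-hash loop on GPUs at billions of guesses per second for fast hashes like NTLM and SHA-256. What makes a wordlist attack expensive is a slow, memory-hard KDF (bcrypt, scrypt, Argon2), which is why the cracking phase of an engagement cares about the hash type reported by hashcat --identify or John's format detection.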
Module 5 · Post-exploitation & Lateral Movement
Domain 5.0 — 14% of the exam. Initial access is just the foothold. This domain is everything you do afterward to deepen and expand control and, on an authorized test, how you clean up so the environment is returned to its original state.
Privilege escalation
Climb from a low-privilege user to admin/root — vertically (more rights) or horizontally (another user).
Persistence
Keep access across reboots and password changes — scheduled tasks, services, cron, SSH keys, new accounts.
Credential harvesting
Dump hashes/tickets from memory and files (Mimikatz, LSASS, NTDS.dit) to fuel lateral movement.
Lateral movement
Reach new hosts with pass-the-hash, pass-the-ticket, PsExec, WMI, RDP, or SSH reuse.
Pivoting
Route traffic through a compromised host (SOCKS proxy, SSH tunnel, ProxyChains) to reach hidden networks.
Cleanup
Remove tools, payloads, accounts, and persistence to restore the environment after the engagement.
5.1 Privilege Escalation & Persistence
Privilege escalation climbs from a low-privilege account to admin/root, vertically (more rights) or horizontally (another user). On Linux, look for SUID binaries (GTFOBins), weak sudo rules, and writable services or cron scripts; on Windows, look for unquoted service paths, weak service and file permissions, and UAC-bypass paths.
Enumeration scripts (linPEAS/winPEAS) surface these automatically. Persistence then keeps your access across reboots: scheduled tasks, services, Run keys (Windows), cron jobs and SSH keys (Linux), or a backdoor account.
| Platform | Mechanism |
|---|---|
| Windows | Scheduled task, new service, Run/RunOnce registry key |
| Windows | New (often hidden) local administrator account |
| Linux | Cron job, SSH key in authorized_keys |
| Both | Living off the land (PowerShell, WMI) to evade detection |
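Unquoted service paths are a good example of a Windows escalation check that is pure string logic, so it can be shown offline. The following is an added Python example (not from this page, CompTIA, or winPEAS) that takes service entries in the shape of `wmic service get name,pathname,startname` output and, for each unquoted binary path containing spaces, lists the files Windows would try to run before reaching the real executable, in order. The service names and paths are constructed and refer to no real product.

```python
import re

# Constructed sample in the shape of `wmic service get name,pathname,startname` output.
# Names and paths are made up for this example.
SAMPLE_SERVICES = [
    ("Spooler",    r"C:\Windows\System32\spoolsv.exe",                "LocalSystem"),
    ("AcmeBackup", r"C:\Program Files\Acme Backup\agent.exe -svc",    "LocalSystem"),
    ("AcmeQuoted", r'"C:\Program Files\Acme Backup\agent.exe" -svc',  "LocalSystem"),
    ("DevUpdater", r"C:\Tools\Dev Updater\bin\updater.exe",           r"NT AUTHORITY\LocalService"),
]


def hijack_candidates(image_path):
    """For an unquoted binary path containing spaces, return the paths Windows tries, in
    order, before the real executable. Each is a file an attacker could plant if the
    directory is writable. Quoted paths and paths without spaces return []."""
    if image_path.startswith('"'):
        return []
    m = re.match(r"(?i)(.*?\.exe)", image_path)  # cut off the service arguments
    if not m:
        return []
    exe = m.group(1)
    if " " not in exe:
        return []
    parts = exe.split(" ")
    # C:\Program Files\Acme Backup\agent.exe -> C:\Program.exe, C:\Program Files\Acme.exe
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_services(services):
    """Return {service_name: (run_as, [candidate paths])} for every vulnerable entry."""
    found = {}
    for name, path, run_as in services:
        candidates = hijack_candidates(path)
        if candidates:
            found[name] = (run_as, candidates)
    return found


if __name__ == "__main__":
    for name, (run_as, cands) in find_unquoted_services(SAMPLE_SERVICES).items():
        print(f"{name} (runs as {run_as}):")
        for c in cands:
            print("   would try", c)
```

A hit is only exploitable when three things line up: the tester can write to one of the candidate directories (icacls on Windows), the service runs as a privileged account such as LocalSystem, and it can be restarted or the host rebooted. The same three fields come from `Get-CimInstance Win32_Service | Select-Object Name, PathName, StartName` in PowerShell.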
5.2 Lateral Movement & Pivoting
Lateral movement uses one compromised host to reach others. The Windows/AD techniques are high-yield: pass-the-hash (authenticate with an NTLM hash directly, no cracking needed), pass-the-ticket and Kerberoasting (Kerberos abuse), and remote execution with PsExec, WMI, or RDP.
BloodHound maps Active Directory to find the shortest path to Domain Admin. Pivoting then routes your traffic through a compromised host (a SOCKS proxy via ssh -D, ProxyChains, or chisel) to reach networks you can't touch directly.
| Technique | What it does |
|---|---|
| Pass-the-hash | Authenticate with a captured NTLM hash (no cracking) |
| Pass-the-ticket / Kerberoasting | Abuse Kerberos tickets to impersonate or crack accounts |
| PsExec / WMI / RDP | Execute commands or log in on remote Windows hosts |
| BloodHound | Map AD relationships to find the path to Domain Admin |
| SSH tunnel / ProxyChains / chisel | Pivot traffic through a compromised host to hidden networks |
5.3 Credential Harvesting & Cleanup
On Windows, Mimikatz (and Impacket's secretsdump.py) dumps plaintext passwords, hashes, and Kerberos tickets from LSASS, the SAM, or a domain controller's NTDS.dit, fuel for more lateral movement. Finally, the ethical difference that PenTest+ stresses: a real attacker clears logs, but an authorized tester documents actions and timestamps and then performs cleanup, removing tools, payloads, accounts, and persistence to restore the environment.
| Item | Detail |
|---|---|
| LSASS memory | Mimikatz dumps live credentials, hashes, and tickets |
| SAM / NTDS.dit | Local and domain hashes for offline cracking or pass-the-hash |
| Cleanup | Remove payloads, accounts, tasks, services, and persistence |
| Documentation | Record actions and timestamps so the blue team can correlate |
How to Use This PenTest+ Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Attacks & Exploits (35%) and Reconnaissance & Enumeration (21%) are over half the exam — invest there first, then Vulnerability Analysis, Post-exploitation, and Engagement Management.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Practice the PBQs in a lab. Performance-based questions reward hands-on skill — build a home lab and practice with Nmap, Metasploit, and Burp Suite against intentionally vulnerable targets.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 750.
PenTest+ Glossary
The high-yield PenTest+ terms in one place, in alphabetical order.
- Active reconnaissance
- Directly interacting with the target — port scanning, banner grabbing, enumeration. More detail, but detectable.
- Authorization
- Written, signed permission from someone with authority over the target, proving the testing is legal and approved.
- Banner grabbing
- Reading a service's response banner to reveal the software and version, identifying likely vulnerabilities.
- Black-box testing
- An unknown-environment test where the tester is given no prior internal information — simulates an external attacker.
- BloodHound
- A tool that maps Active Directory relationships to find the shortest attack paths to Domain Admin.
- Buffer overflow
- Writing more data than a buffer holds, overwriting adjacent memory to redirect execution to attacker code.
- Bug bounty
- An ongoing program that pays external researchers for responsibly disclosed vulnerabilities, within defined scope.
- Burp Suite
- An intercepting web proxy used to capture, modify, and replay HTTP/S traffic and scan web apps for flaws.
- Cross-site request forgery
- Tricking an authenticated user's browser into sending an unwanted state-changing request; fixed with anti-CSRF tokens.
- Cross-site scripting
- Injecting script into a trusted site that runs in another user's browser (stored, reflected, or DOM-based).
- CVE
- Common Vulnerabilities and Exposures — a public catalog assigning a unique ID to each known, disclosed vulnerability.
- CVSS
- Common Vulnerability Scoring System — a 0.0–10.0 open standard (maintained by FIRST) rating vulnerability severity.
- Enumeration
- Actively extracting detailed information from discovered services — usernames, shares, software versions — to plan exploitation.
- Evil twin
- A fake Wi-Fi access point impersonating a legitimate SSID to capture credentials or perform on-path attacks.
- Exploit
- Code or a technique that takes advantage of a specific vulnerability to make a system behave unexpectedly.
- False negative
- A real vulnerability the scanner missed — the more dangerous error, addressed with manual testing.
- False positive
- A scanner flagging a vulnerability that doesn't exist or isn't exploitable; testers validate before reporting.
- Fingerprinting
- Analyzing responses to determine the exact OS or service version, so attacks can be matched to known weaknesses.
- Foothold
- The initial access point an attacker establishes on a target network, the base for escalation and movement.
- Fuzzing
- Sending malformed or unexpected input to an application to trigger crashes or behavior that reveal vulnerabilities.
- Gray-box testing
- A partially-known test where the tester is given limited information, such as a standard user account.
- Kerberoasting
- Requesting Kerberos service tickets for SPN accounts, then cracking them offline for the service password.
- Lateral movement
- Using a compromised host to reach and compromise other systems on the internal network.
- Living off the land
- Using built-in, trusted tools (PowerShell, WMI, certutil) instead of malware to evade detection.
- Master Service Agreement
- An overarching contract setting the general terms and conditions for an ongoing client relationship.
- Metasploit
- An exploitation framework bundling exploits, payloads, and post-exploitation modules to deliver and manage attacks.
- Meterpreter
- Metasploit's advanced, in-memory payload providing file access, privilege escalation, pivoting, and credential dumping.
- Mimikatz
- A Windows post-exploitation tool that dumps plaintext passwords, hashes, and Kerberos tickets from memory.
- MITRE ATT&CK
- A globally available knowledge base of real-world adversary tactics and techniques used to model and map attacks.
- Nessus
- A widely used commercial vulnerability scanner (Tenable) that checks hosts and apps against thousands of checks.
- NIST SP 800-115
- NIST's Technical Guide to Information Security Testing and Assessment, defining planning, discovery, attack, and reporting phases.
- Nmap
- The de facto network scanner — discovers hosts, ports, services, and OS fingerprints. Core to recon and enumeration.
- Non-Disclosure Agreement
- A legal agreement binding the tester to keep client data, findings, and vulnerabilities confidential.
- On-path attack
- An attacker secretly relaying or altering traffic between two parties (formerly 'man-in-the-middle').
- OSINT
- Open-Source Intelligence — collecting publicly available data (sites, social media, leaked credentials, records) to profile a target.
- OWASP
- Open Worldwide Application Security Project — a nonprofit producing the OWASP Top 10 and the Web Security Testing Guide.
- Pass-the-hash
- Authenticating to a Windows system using a captured NTLM hash directly, without cracking the plaintext password.
- Passive reconnaissance
- Gathering information without directly touching the target — OSINT, WHOIS, DNS, and search engines. Undetectable.
- Payload
- The code delivered and executed after a successful exploit — e.g., a reverse shell or a Meterpreter session.
- Penetration test
- An authorized, simulated attack on systems to find and exploit weaknesses before real attackers do, then report them with remediation.
- Persistence
- Establishing a way to keep access across reboots and credential changes — tasks, services, cron, keys, or accounts.
- Phishing
- A fraudulent message (usually email) that tricks the victim into revealing credentials or running malware.
- Pivoting
- Routing traffic through a compromised host to reach networks the attacker can't access directly.
- Post-exploitation
- Everything after initial access: privilege escalation, persistence, credential harvesting, and lateral movement.
- Privilege escalation
- Gaining higher rights than granted — vertical (to admin/root) or horizontal (to another user).
- PTES
- Penetration Testing Execution Standard — a methodology defining seven phases from pre-engagement through reporting.
- Reverse shell
- A shell that connects from the victim back to the attacker, bypassing inbound firewall rules.
- Rules of Engagement
- The agreed document defining what a tester may do — scope, timing, allowed techniques, and communication/escalation paths.
- Scope
- The explicit boundary of an engagement: which IP ranges, domains, applications, and facilities are in or out of bounds.
- Server-side request forgery
- Tricking a server into making requests to internal resources, often to reach cloud metadata endpoints.
- Shodan
- A search engine for Internet-connected devices that finds exposed servers, cameras, and ICS by their service banners.
- Social engineering
- Manipulating people into revealing information or taking actions that compromise security — the human attack vector.
- SQL injection
- Inserting malicious SQL into input so the database runs unintended commands; fixed with parameterized queries.
- Statement of Work
- The contract section defining the deliverables, timeline, and tasks of an engagement.
- Validation
- Manually confirming a scanner finding is real and exploitable before including it in the report.
- Vulnerability scan
- Automated checking against a database of known weaknesses to produce a prioritized findings list (no exploitation).
- White-box testing
- A known-environment test where the tester is given full information (source, architecture, credentials) for the most thorough assessment.
- Wireshark
- A GUI packet capture and protocol analyzer used to inspect traffic and extract clear-text credentials.
- Zero-day
- A vulnerability unknown to the vendor (no patch yet) that attackers can exploit.
PenTest+ Tools by Phase
One last reference — the tools PenTest+ tests, mapped to the phase you use them in. The performance-based questions test exactly this: which tool for which job.
Reconnaissance & enumeration
Nmap, Masscan, Wireshark, theHarvester, Recon-ng, Maltego, Shodan, dig, enum4linux
Vulnerability discovery & analysis
Nessus, OpenVAS, Nikto, Wapiti, OWASP ZAP, WPScan, sqlmap, searchsploit
Exploitation (attacks & exploits)
Metasploit, Burp Suite, Hydra, Hashcat, John the Ripper, aircrack-ng, SET, Responder
Post-exploitation & lateral movement
Mimikatz, Impacket, CrackMapExec/NetExec, BloodHound, PsExec, ProxyChains, chisel
PenTest+ Study Guide FAQ
The PenTest+ PT0-003 exam has a maximum of 90 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 165 minutes to complete it. The PBQs place you in simulated environments where you must select and apply the correct penetration testing tools and techniques.
You need a scaled score of 750 on a scale of 100 to 900. Because it's a scaled score, 750 does not equal a fixed percentage correct, and performance-based questions can carry more weight than standard multiple-choice questions. Results are reported as pass or fail right after the exam.
There are five domains: Attacks and Exploits (35%), Reconnaissance and Enumeration (21%), Vulnerability Discovery and Analysis (17%), Post-exploitation and Lateral Movement (14%), and Engagement Management (13%). Attacks and Exploits is by far the largest domain. These weights come from CompTIA's official PT0-003 objectives.
Study by weight. Attacks and Exploits (35%) is over a third of the exam, so master it first, followed by Reconnaissance and Enumeration (21%). Read each module, take the checkpoint quiz, then drill gaps with our free practice test and flashcards. Because PBQs are hands-on, build a home lab and practice with Nmap, Metasploit, and Burp Suite.
A single PenTest+ voucher is approximately $404 USD, though pricing varies by region and promotion. Always confirm the current price on CompTIA's store before you buy, as voucher-plus-training bundles and discounts change.
The certification is valid for three years. You renew it through CompTIA's Continuing Education (CE) program by earning continuing education units (CEUs), completing higher-level certifications, or other approved activities within the three-year cycle.
There are no mandatory prerequisites. CompTIA recommends — but does not require — Network+ and Security+ (or equivalent knowledge) plus roughly three to four years of hands-on experience in a penetration tester or related offensive-security role before sitting PT0-003.
PenTest+ is an intermediate-to-advanced, hands-on exam. The objectives reference more than 80 tools and over 100 attacks and techniques, and the PBQs require applying the right tooling against a target under time pressure. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are all 100% free with no account required.
The current version is exam code PT0-003 (V3), which launched December 17, 2024 and replaced PT0-002. PenTest+ is administered by CompTIA and delivered through Pearson VUE, either at a test center or online via OnVUE proctoring. It is ISO/ANSI accredited and DoD 8140-aligned.
References
- 1. CompTIA. “CompTIA PenTest+ (PT0-003) Certification.” comptia.org.
- 2. CompTIA. “PenTest+ (PT0-003) Exam Objectives / Content Guide.” comptia.org.
- 3. National Institute of Standards and Technology (NIST). “SP 800-115, Technical Guide to Information Security Testing and Assessment.” csrc.nist.gov.
- 4. Open Worldwide Application Security Project (OWASP). “OWASP Top 10.” owasp.org.
- 5. Open Worldwide Application Security Project (OWASP). “Web Security Testing Guide (WSTG).” owasp.org.
- 6. The MITRE Corporation. “MITRE ATT&CK Knowledge Base.” attack.mitre.org.
- 7. Forum of Incident Response and Security Teams (FIRST). “Common Vulnerability Scoring System (CVSS).” first.org.
- 8. Cybersecurity and Infrastructure Security Agency (CISA). “Recognize and Report Phishing.” cisa.gov.
- 101. National Institute of Standards and Technology (NIST). “Reconnaissance (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
- 102. National Institute of Standards and Technology (NIST). “Port Scanning (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
- 103. National Institute of Standards and Technology (NIST). “Vulnerability (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
- 104. Open Worldwide Application Security Project (OWASP). “SQL Injection.” owasp.org, accessed 19 June 2026.
- 105. Open Worldwide Application Security Project (OWASP). “Cross Site Scripting (XSS).” owasp.org, accessed 19 June 2026.
- 106. National Institute of Standards and Technology (NIST). “Privilege Escalation (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
- 107. National Institute of Standards and Technology (NIST). “Lateral Movement (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.

