Career Employer

FREE CompTIA PenTest+ Study Guide 2026 (PT0-003)

The most important things the CompTIA PenTest+ PT0-003 exam tests — an interactive study guide with built-in quizzes and flashcards, organized by all 5 official domains.


This free CompTIA PenTest+ study guide covers every domain the current PT0-003 exam tests, organized to CompTIA’s official exam objectives.[2] PenTest+ is CompTIA’s hands-on penetration testing certification — it validates the skills to plan and scope an engagement, perform reconnaissance, find and exploit vulnerabilities, move through a network, and report findings with clear remediation.

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.

The PenTest+ PT0-003 exam has five domains, and we teach each one as its own module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives — not a full offensive-security textbook.

CompTIA PenTest+ is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.

PenTest+ (PT0-003) Exam Snapshot

CompTIA PenTest+ PT0-003 exam at a glance
Detail | PenTest+ (PT0-003)
Questions | Maximum of 90
Format | Multiple-choice + performance-based (PBQs)
Time | 165 minutes
Passing score | 750 (on a scale of 100–900; scaled scoring)
Exam code | PT0-003 (launched December 17, 2024)
Delivered by | Pearson VUE (test center or OnVUE online proctored)
Certifying body | CompTIA
Recommended prep | Network+ and Security+, plus ~3–4 years offensive-security experience (not required)
Cost | ≈ $404 USD (single voucher; verify current price)
Valid for | 3 years, renewed with CEUs (CompTIA CE program)

One domain dominates. Attacks & Exploits (35%) is over a third of the exam by itself — together with Reconnaissance & Enumeration (21%) it is more than half of your score.[2] Study by weight:

PenTest+ PT0-003 weighting by domain (CompTIA exam objectives)
Domain | Weight
4.0 Attacks & Exploits | 35% (biggest domain)
2.0 Reconnaissance & Enumeration | 21%
3.0 Vulnerability Discovery & Analysis | 17%
5.0 Post-exploitation & Lateral Movement | 14%
1.0 Engagement Management | 13%

CompTIA numbers the domains 1.0 through 5.0 (Engagement Management is officially Domain 1.0). We teach them by exam weight — but the work itself follows a natural order, so we start the guide with Engagement Management (scoping and authorization come first in any real test), then move through recon, vulnerability analysis, exploitation, and post-exploitation. The whole methodology looks like this:

Module 1 · Engagement Management

Domain 1.0 — 13% of the exam. Before a single packet is sent, the engagement has to be scoped, authorized, and governed. This domain is the “business and legal” side of penetration testing — it is less technical but absolutely tested, and getting it wrong can be illegal.

1.1 Scoping & Rules of Engagement

Every engagement begins with scope: the explicit boundary of which IP ranges, domains, applications, and facilities are in or out of bounds. The Rules of Engagement (RoE) then define exactly what the tester may do: timing windows, allowed techniques (is social engineering or denial of service permitted?), and a communication and escalation plan with a defined stop point (a condition, such as an outage or evidence of a real intrusion, that halts testing immediately).[3] A target that is not explicitly in scope is out of scope; the tester never assumes permission.

Engagements are also classified by how much the tester knows: a black-box (unknown-environment) test gives no information (the realistic outsider), a white-box (known-environment) test gives full information such as source code, architecture, and credentials (the most thorough), and a gray-box (partially-known) test sits in between with limited information such as a standard user account.

Key engagement documents
Document | What it covers
Rules of Engagement (RoE) | What the tester may do: scope, timing, techniques, escalation
Authorization letter | Signed permission proving the test is legal (the 'get-out-of-jail' letter)
Statement of Work (SOW) | Deliverables, timeline, and tasks of the engagement
Master Service Agreement (MSA) | Overarching terms for an ongoing relationship
Non-Disclosure Agreement (NDA) | Confidentiality of client data and findings
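The scope rules above are only useful if every tool you point at the client runs behind a check that enforces them. The following is an added example written for this guide (not code from the page or from CompTIA): a small scope gate that reads the in-scope ranges, domains, and exclusions transcribed from the RoE and fails closed on anything else. The ranges (RFC 5737 documentation addresses), domain, and exclusions are constructed values.

```python
import ipaddress


class Scope:
    """In-scope networks/domains and explicit exclusions, transcribed from the signed RoE.
    Values here are constructed (RFC 5737 documentation ranges and example.com)."""

    def __init__(self, cidrs, domains, excluded_ips=(), excluded_hosts=()):
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.domains = [d.lower().strip(".") for d in domains]
        self.excluded_ips = {ipaddress.ip_address(i) for i in excluded_ips}
        self.excluded_hosts = {h.lower().strip(".") for h in excluded_hosts}

    def check(self, target):
        """Return (allowed, reason). Fails closed: anything not explicitly in scope is out."""
        t = target.strip().lower().strip(".")
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            ip = None
        if ip is not None:
            if ip in self.excluded_ips:
                return False, f"{ip} is explicitly excluded"
            if any(ip in n for n in self.networks):
                return True, f"{ip} is inside an in-scope range"
            return False, f"{ip} is not in any in-scope range"
        if t in self.excluded_hosts:
            return False, f"{t} is explicitly excluded"
        for d in self.domains:
            # exact match or a real subdomain; "evil-example.com" does not match
            if t == d or t.endswith("." + d):
                return True, f"{t} is under in-scope domain {d}"
        return False, f"{t} is not under any in-scope domain"

    def gate(self, targets):
        """Split a candidate target list before any of it reaches a scanner."""
        allowed, denied = [], []
        for t in targets:
            ok, why = self.check(t)
            (allowed if ok else denied).append((t, why))
        return allowed, denied


# Constructed scope: two ranges, one domain, and two RoE exclusions
SCOPE = Scope(
    cidrs=["203.0.113.0/24", "198.51.100.8/29"],
    domains=["example.com"],
    excluded_ips=["203.0.113.10"],          # production database, do-not-touch per RoE
    excluded_hosts=["mail.example.com"],    # hosted by a third party; no provider permission
)

if __name__ == "__main__":
    ok, no = SCOPE.gate(["203.0.113.5", "203.0.113.10", "dev.example.com",
                         "example.com.evil.net", "198.51.100.20"])
    for t, why in ok + no:
        print(f"{'ALLOW' if (t, why) in ok else 'DENY ':5} {t:25} {why}")
```

Two details matter in practice: hostnames are matched as real subdomains (a trailing-dot or look-alike domain does not slip through), and a host that is in scope by name can still resolve to an address the client does not own. Before scanning a resolved address, run it through the same IP check and, if it lands outside the client's ranges, treat it as third-party infrastructure that needs the provider's permission.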

1.2 Legal, Compliance & Ethics

Penetration testing lives or dies on permission. Beyond the client’s sign-off, you must respect third-party ownership — a hosting provider or cloud platform may own the underlying infrastructure, so the client cannot authorize you to attack it without the provider’s rules and permission. Compliance-driven tests (PCI DSS, HIPAA) have their scope and required checks dictated by the regulation, not just the client.

Industry methodologies give the engagement structure: PTES (seven phases), NIST SP 800-115, and OSSTMM. They all share the same plan → test → report shape, and MITRE ATT&CK provides a common language for the adversary techniques you emulate.[6]

Standards and methodologies
Reference | What it is
PTES | Penetration Testing Execution Standard: 7 phases, pre-engagement to reporting
NIST SP 800-115 | Technical guide: planning, discovery, attack, and reporting phases
OSSTMM | Open Source Security Testing Methodology Manual: metric-based testing
MITRE ATT&CK | Knowledge base of real-world adversary tactics and techniques
OWASP WSTG | Web Security Testing Guide: methodology for web app testing

1.3 Reporting & Remediation

The deliverable that pays the bill is the report. A strong report serves two audiences: an executive summary for leadership (business risk, in plain language) and detailed technical findings for the staff who will fix them — each finding with evidence, a severity rating, and a clear, prioritized remediation recommendation.[3] Findings are prioritized by risk (severity combined with exploitability and business impact), not by score alone.

Anatomy of a penetration test report
Section | Purpose
Executive summary | Business-level risk and recommendations for leadership
Methodology & scope | What was tested, how, and within what boundaries
Findings | Each vulnerability with evidence, severity, and impact
Remediation | Prioritized, actionable fixes for each finding
Appendices | Raw evidence, tool output, and reproduction steps

Checkpoint · Engagement Management

Question 1 of 10

In the context of penetration testing, what is the primary purpose of defining a Rules of Engagement (RoE) document?

Module 2 · Reconnaissance & Enumeration

Domain 2.0 — 21% of the exam, the second-largest domain. You can’t attack what you haven’t found. Reconnaissance builds a map of the target’s attack surface, and enumeration extracts the detail — users, shares, versions — that the exploitation phase depends on.

2.1 Passive Recon & OSINT

Passive reconnaissance gathers information without ever touching the target, so the target sees nothing. This is OSINT (Open-Source Intelligence): WHOIS records, DNS lookups, search engines, certificate transparency logs, social media, job postings, and leaked credentials. It feeds both technical targeting (subdomains, IPs) and social engineering (employee names and email formats).[3]

Common OSINT / passive recon sources & tools
Source / tool | What it reveals
WHOIS | Domain registrar, dates, and (if not redacted) contacts and name servers
dig / nslookup | DNS records (A, MX, NS, TXT); a zone transfer can dump every host
theHarvester / Recon-ng | Emails, subdomains, hosts, and names from public sources
Maltego | Graphical link analysis of people, domains, and infrastructure
Shodan / Censys | Internet-exposed devices and services by banner
Google dorking | Exposed files, login pages, and indexed sensitive data

2.2 Active Scanning & Enumeration

Active reconnaissance directly probes the target, and the workhorse is Nmap. A SYN scan (-sS) is a half-open scan that never completes the TCP handshake, so it is fast and leaves fewer application-level logs (any IDS still sees it); -sV identifies service versions; -O guesses the OS; and the Nmap Scripting Engine (NSE) automates discovery and even vulnerability checks. Banner grabbing and fingerprinting then pin down the exact software so attacks can be matched to known weaknesses.

Enumeration goes deeper into discovered services: SMB shares and users (enum4linux), SNMP (often with the default community string public), LDAP/Active Directory, and SMTP user enumeration. Wireshark and tcpdump capture traffic, sometimes revealing credentials in clear text.

Active recon & enumeration techniques
Technique / tool | Purpose
Nmap SYN scan (-sS) | Fast, stealthy half-open TCP port discovery
Nmap -sV / -O | Service/version detection and OS fingerprinting
Masscan | Internet-scale port scanning for huge IP ranges
enum4linux | Enumerate Windows/Samba shares, users, and policy over SMB
SNMP enumeration | Pull system info via SNMP (watch for 'public')
Wireshark / tcpdump | Capture and analyze traffic; extract clear-text data
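Scan output is only useful once it is turned into a target list for enumeration, and on a real engagement that means parsing Nmap's XML (-oX) rather than eyeballing the console. The block below is an added example for this guide (not from the page or the Nmap project): it parses a constructed -oX file for two live hosts, keeps only confirmed-open ports with their product/version banners, and separates out the 'open|filtered' UDP result that needs a protocol-specific follow-up probe. The addresses are RFC 5737 documentation ranges and the banners are made up.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output (RFC 5737 addresses); real files carry many more attributes
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 203.0.113.0/29">
<host><status state="up" reason="arp-response"/>
<address addr="203.0.113.5" addrtype="ipv4"/>
<hostnames><hostname name="fileserver.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd" version="4.6.2"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="203.0.113.6" addrtype="ipv4"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.49"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports>
</host>
<host><status state="down" reason="no-response"/><address addr="203.0.113.7" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Flatten nmap XML into host dicts: ip, hostname, OS guess, and every port nmap reported."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                                  # down hosts carry no ports
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")
        entry = {
            "ip": addr.get("addr") if addr is not None else None,
            "hostname": hn.get("name") if hn is not None else None,
            "os": osm.get("name") if osm is not None else None,
            "ports": [],
        }
        for port in host.findall("ports/port"):
            svc = port.find("service")
            entry["ports"].append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append(entry)
    return hosts


def open_services(hosts):
    """(ip, port/proto, banner) for confirmed-open ports only; this is the enumeration worklist."""
    out = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] == "open":
                banner = " ".join(x for x in (p["product"], p["version"]) if x) or (p["service"] or "?")
                out.append((h["ip"], f"{p['port']}/{p['proto']}", banner))
    return out


def needs_followup(hosts):
    """Ports nmap could not settle ('open|filtered', typical of UDP). Do not report these as
    open; re-probe with the protocol itself (for 161/udp that is an snmpwalk attempt)."""
    return [(h["ip"], p["port"], p["proto"]) for h in hosts for p in h["ports"] if "|" in p["state"]]


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip, port, banner in open_services(hosts):
        print(f"{ip:15} {port:9} {banner}")
    print("follow up:", needs_followup(hosts))
```

The version strings are what you carry into Module 3: each product/version pair is the lookup key for NVD and searchsploit, and a banner that nmap could not fingerprint at all (service present, no product) is itself a lead for manual banner grabbing.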

2.3 Reconnaissance Tooling

PT0-003 references more than 80 tools, and the performance-based questions test whether you know which tool for which job. For recon and enumeration, group them by purpose: OSINT collection, network scanning, web/content discovery, and traffic capture.

Reconnaissance tools by purpose
Purpose | Tools
OSINT collection | theHarvester, Recon-ng, Maltego, Spiderfoot, Shodan, Censys
Network scanning | Nmap, Masscan, arp-scan
Subdomain / DNS | Amass, Sublist3r, dig, certificate transparency (crt.sh)
Web content discovery | Gobuster, dirb, ffuf, Wappalyzer/WhatWeb
Traffic capture | Wireshark, tcpdump

Checkpoint · Reconnaissance & Enumeration

Question 1 of 10

Which technique is most effective for identifying live hosts on a network during a penetration test?

Module 3 · Vulnerability Discovery & Analysis

Domain 3.0 — 17% of the exam. Between finding the attack surface and attacking it, you identify weaknesses and decide which are real and worth exploiting. This domain is about scanning, then the human judgment of validating and prioritizing what the scanner reports.

3.1 Vulnerability Scanning

A vulnerability scan automatically checks systems against a database of known weaknesses to produce a prioritized findings list, but it does not exploit anything (that is what makes it different from a penetration test). Network scanners include Nessus and OpenVAS; web scanners include Nikto, Wapiti, OWASP ZAP, and WPScan; and fuzzing sends malformed or unexpected input to provoke crashes and bugs.[5]

A credentialed scan logs in to inspect patch levels and configuration from the inside — far more accurate, with fewer false positives, than an external non-credentialed scan. Always tune scan intensity for fragile systems (ICS/SCADA, legacy hosts) to avoid causing an outage.

Vulnerability scanning tools
Tool | Target | What it does
Nessus | Networks & hosts | Commercial scanner; thousands of vulnerability/config checks
OpenVAS / Greenbone | Networks & hosts | Open-source networked vulnerability scanning
Nikto | Web servers | Checks for dangerous files, outdated software, misconfigs
Wapiti / OWASP ZAP | Web apps | Black-box crawling and injection testing
sqlmap | Web apps (DB) | Detects and exploits SQL injection automatically
WPScan | WordPress | Enumerates plugins, themes, users, and known flaws

3.2 Analyzing & Validating Results

Scanners are noisy. A false positive is a flagged vulnerability that isn't real or exploitable; a false negative is a real one the scanner missed. Validation, manually confirming a finding is real and exploitable, is what separates a credible report from a raw scan dump. Look up findings by CVE ID in the NVD and check Exploit-DB (with searchsploit) for a working exploit.

Prioritize with CVSS (0.0–10.0 severity), but remember that priority is not the same as severity: the final order weighs exploitability (is there a public exploit? is the host reachable?) and business context (what does the asset do?), too.[7] Automated scans also miss business-logic flaws (e.g., skipping a payment step), which only manual testing finds.

Reading a scan: the four outcomes
Result | Meaning | Action
True positive | Real, confirmed vulnerability | Validate impact, then report and remediate
False positive | Flagged but not real/exploitable | Verify and remove from the report
False negative | Real, but the scanner missed it | Catch with manual testing
Informational | Low/no direct risk | Note for context, deprioritize

Checkpoint · Vulnerability Discovery & Analysis

Question 1 of 10

Which tool is primarily used for automated vulnerability scanning in a network penetration testing scenario?

Module 4 · Attacks & Exploits

Domain 4.0 — 35% of the exam, by far the single largest domain. This is the heart of PenTest+: actually exploiting weaknesses across five attack surfaces — network/host, web application, wireless, cloud, and the human (social engineering). Spend the most time here.

4.1 Network & Host Attacks

On the wire, the classic is the on-path attack (formerly man-in-the-middle): an attacker relays or alters traffic between two parties, often via ARP poisoning or a rogue access point. Other high-yield attacks: DNS poisoning, replay, SMB relay (mitigated by SMB signing), and LLMNR/NBT-NS poisoning with Responder to capture NetNTLM challenge-responses, which can be cracked offline or relayed but, unlike NT hashes, cannot be reused for pass-the-hash. Host-level flaws include the buffer overflow (overwriting memory to run code) and the zero-day (no patch exists yet).

4.2 Web Application Attacks

Web apps are a huge part of the exam, anchored by the OWASP Top 10.[4] The headliners: SQL injection (input becomes database commands; fix with parameterized queries), cross-site scripting (script runs in another user's browser; fix with output encoding and CSP), cross-site request forgery (forged state-changing request; fix with anti-CSRF tokens), and server-side request forgery (the server is tricked into requesting internal resources, often a cloud metadata endpoint). Watch also for IDOR/broken access control, command injection, and directory traversal.

High-yield web attacks and their fix
Attack | What it does | Primary mitigation
SQL injection (SQLi) | Input becomes SQL the DB runs | Parameterized queries + input validation
Cross-site scripting (XSS) | Script runs in another user's browser | Output encoding + Content Security Policy
Cross-site request forgery (CSRF) | Forces a state-changing request | Anti-CSRF tokens + SameSite cookies
Server-side request forgery (SSRF) | Server requests internal resources | Allow-list outbound URLs
IDOR / broken access control | Access another user's object by changing an ID | Enforce per-object authorization
Command injection | Input becomes OS commands | Avoid shell calls; validate/escape input
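The SQL injection row is the one most often tested in a PBQ, so here is an added example for this guide (not from the page or OWASP) showing the vulnerable login query beside its parameterized fix, against an in-memory SQLite database. The users, passwords, and the error-probe helper are constructed; the probe mimics what sqlmap does first, which is to send a lone quote and watch for a database error.

```python
import sqlite3


def setup_db():
    """Constructed demo table. Real applications store password hashes, never plaintext;
    the point here is the query shape, not the storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: user input is concatenated into the SQL text, so the input becomes SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """FIXED: parameterized query. The driver sends the values separately from the SQL text,
    so a quote in the input is just a character in a string, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def probe_for_error(conn, login):
    """Detection step: a single quote breaks the vulnerable query's syntax and surfaces a DB
    error; the safe query treats it as data and simply finds no user."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


# Classic payloads. The second goes in the password field on purpose: AND binds tighter than OR,
# so "... AND password = '' OR '1'='1'" is true for every row, while the same payload in the
# username field would still be ANDed with a password check that fails.
COMMENT_OUT = ("alice' --", "anything")
ALWAYS_TRUE = ("", "' OR '1'='1")

if __name__ == "__main__":
    conn = setup_db()
    print("probe, vulnerable:", probe_for_error(conn, login_vulnerable))
    print("probe, safe:      ", probe_for_error(conn, login_safe))
    for name, (u, p) in (("comment-out", COMMENT_OUT), ("always-true", ALWAYS_TRUE)):
        print(f"{name:12} vulnerable -> {login_vulnerable(conn, u, p)}   safe -> {login_safe(conn, u, p)}")
```

Two things to take from this for the exam: the error-probe result is the evidence that separates a validated finding from a scanner guess, and 'parameterized queries' means the parameters travel outside the SQL text, which is why escaping quotes by hand is not an equivalent fix.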

4.3 Wireless, Cloud & Social Engineering

Wireless: capture the WPA/WPA2 four-way handshake (airodump-ng) and crack it offline (aircrack-ng or hashcat), stand up an evil-twin rogue AP that impersonates the legitimate SSID, or run a deauthentication attack to force clients to reconnect (and re-handshake). WPA3's SAE resists the offline cracking that works on WPA2-PSK.

Cloud: the big wins are abusing the instance metadata service (e.g., via SSRF) to steal temporary credentials, misconfigured public storage buckets, and over-permissive IAM that allows privilege escalation. Social engineering attacks the human with phishing (and its variants vishing, smishing, spear phishing, and whaling), pretexting, tailgating, and USB drops; the Social-Engineer Toolkit (SET) helps build the lures.[8]

Wireless, cloud & social-engineering attacks
Surface | Attack | Key idea
Wireless | Handshake capture + offline crack | Capture WPA2 4-way handshake, crack with a wordlist
Wireless | Evil twin / deauth | Rogue AP impersonates the SSID; deauth forces reconnects
Cloud | Metadata service abuse (SSRF) | Steal temporary instance credentials from 169.254.169.254
Cloud | Public storage / IAM misconfig | Open buckets and over-permissive roles enable escalation
Social | Phishing / vishing / smishing | Trick a human into credentials or running a payload
Social | Tailgating / USB drop | Physical access via following in or a dropped device

4.4 Tools, Payloads & Password Attacks

Metasploit is the central exploitation framework: it delivers an exploit and a payload, the most popular payload being Meterpreter. A reverse shell connects from the victim back to the attacker (beating inbound firewall rules); a bind shell listens on the victim. Password attacks split into online (Hydra/Medusa against live services, plus password spraying and credential stuffing) and offline cracking of captured hashes (John the Ripper, Hashcat). Rainbow tables, precomputed hash-to-password lookups, only work against unsalted hashes; salting defeats them, so each salted hash has to be attacked on its own with a wordlist or brute force.

Exploitation & password-attack tools
Tool | Use
Metasploit / msfvenom | Deliver exploits and generate payloads (e.g., reverse shells)
Burp Suite | Intercept, modify, and fuzz web traffic (Repeater, Intruder)
Hydra / Medusa | Online brute-force of login services (SSH, RDP, HTTP)
John the Ripper / Hashcat | Offline cracking of captured password hashes
aircrack-ng suite | Wireless monitoring, capture, injection, and WPA cracking
Netcat | Raw TCP/UDP: banner grabbing, transfers, simple shells
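Why salting matters is easier to see in code than in prose. The block below is an added example for this guide (not from the page, John, or Hashcat): it builds a lookup table once from a wordlist and cracks every unsalted hash with a dictionary lookup, then shows that the same passwords behind per-user salts and a slow KDF each cost a separate pass over the wordlist. The wordlist, users, and passwords are constructed; the KDF is PBKDF2-HMAC-SHA256 at a deliberately low iteration count so the demo runs instantly.

```python
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "hunter2", "Summer2024!", "letmein"]   # constructed


def unsalted_hash(pw):
    """Plain SHA-256 of the password: same input, same output, for every user and every system."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw, salt, iterations=10_000):
    """Salted, slow KDF: every guess costs `iterations` rounds and is tied to this one salt."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def build_lookup_table(wordlist):
    """Precompute once, reuse against every unsalted hash ever captured (the rainbow-table idea)."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(hashes, table):
    """Constant-time-per-hash dictionary lookup; no hashing at crack time at all."""
    return {h: table.get(h) for h in hashes}


def crack_salted(entries, wordlist):
    """entries: (salt, hash). No table helps; each hash needs its own pass. Returns (results, guesses)."""
    results, guesses = {}, 0
    for salt, h in entries:
        results[h] = None
        for w in wordlist:
            guesses += 1
            if hmac.compare_digest(salted_hash(w, salt), h):
                results[h] = w
                break
    return results, guesses


def demo():
    """Four constructed users; alice and dave share a password."""
    users = [("alice", "hunter2"), ("bob", "Summer2024!"), ("carol", "not-in-wordlist"), ("dave", "hunter2")]
    table = build_lookup_table(WORDLIST)
    unsalted = crack_unsalted([unsalted_hash(p) for _, p in users], table)
    salted_entries = [(salt, salted_hash(p, salt)) for _, p in users for salt in (os.urandom(16),)]
    salted, guesses = crack_salted(salted_entries, WORDLIST)
    return unsalted, salted, guesses


if __name__ == "__main__":
    unsalted, salted, guesses = demo()
    print("unsalted: distinct hashes =", len(unsalted), "cracked =", unsalted)
    print("salted:   distinct hashes =", len(salted), "guesses needed =", guesses)
```

Notice the second effect of salting: the unsalted dump collapses alice and dave into one hash, so shared passwords are visible before any cracking happens, while the salted dump gives four unrelated hashes. The PBKDF2 iteration count is what turns 'one pass per hash' into real cost; production systems use far higher counts or a memory-hard KDF.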

Checkpoint · Attacks & Exploits

Question 1 of 10

In penetration testing, what is the primary use of a tool like SQLmap?

Module 5 · Post-exploitation & Lateral Movement

Domain 5.0, 14% of the exam. Initial access is just the foothold. This domain is everything you do afterward to deepen and expand control, and, on an authorized test, how you clean up so the environment is returned to its original state.

5.1 Privilege Escalation & Persistence

Privilege escalation climbs from a low-privilege account to admin/root, vertically (more rights) or horizontally (another account at the same level, which may hold different data or access). On Linux, look for SUID binaries (GTFOBins), weak sudo rules, and writable services; on Windows, look for unquoted service paths, weak service and file permissions, and UAC-bypass paths.

Enumeration scripts (linPEAS/winPEAS) surface these automatically. Persistence then keeps your access across reboots: scheduled tasks, services, Run keys (Windows), cron jobs and SSH keys (Linux), or a backdoor account.

Persistence mechanisms by platform
Platform | Mechanism
Windows | Scheduled task, new service, Run/RunOnce registry key
Windows | New (often hidden) local administrator account
Linux | Cron job, SSH key in authorized_keys
Both | Living off the land (PowerShell, WMI) to evade detection
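Unquoted service paths are the Windows escalation most likely to appear in a PBQ, and the exploitable condition is mechanical enough to check in code. The following is an added example for this guide (not from the page or from any enumeration script): it lists, in order, the paths Windows tries when starting a service whose unquoted ImagePath contains spaces, and flags the first one whose parent directory a low-privilege user can write to. The services, paths, and writable-directory set are constructed; on a real host the writable set comes from icacls or accesschk.

```python
import ntpath
import re


def hijack_candidates(image_path):
    """Paths Windows tries, in order, for an unquoted ImagePath containing spaces: every prefix
    that ends at a space gets '.exe' appended and is tried before the real binary."""
    p = image_path.strip()
    if p.startswith('"'):
        return []                                   # quoted path: not affected
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", p)        # drop any arguments after the executable
    exe = m.group(1) if m else p
    if " " not in exe:
        return []                                   # no spaces: nothing to split on
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def exploitable_candidate(image_path, writable_dirs):
    """First hijack path whose parent directory the low-privilege user can write to.
    writable_dirs is supplied by the caller (constructed in the demo below)."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    for cand in hijack_candidates(image_path)[:-1]:  # the last entry is the real binary
        if ntpath.dirname(cand).lower().rstrip("\\") in writable:
            return cand
    return None


def triage_services(services, writable_dirs):
    """services: (name, image_path, start_account) as read from the registry or 'sc qc'.
    Only services running as SYSTEM are worth the effort; the planted binary inherits that account."""
    hits = []
    for name, path, account in services:
        cand = exploitable_candidate(path, writable_dirs)
        if cand and account.lower() in ("localsystem", "nt authority\\system"):
            hits.append((name, cand))
    return hits


# Constructed inventory: one vulnerable service, one quoted (safe), one running as a low account
SERVICES = [
    ("VendorSvc", r"C:\Program Files\Vendor App\Vendor Service\svc.exe -k run", "LocalSystem"),
    ("GoodSvc", r'"C:\Program Files\Good Tools\good.exe"', "LocalSystem"),
    ("LowSvc", r"C:\Program Files\Vendor App\Vendor Service\svc.exe", r"NT AUTHORITY\LocalService"),
]
WRITABLE_DIRS = {r"C:\Program Files\Vendor App"}   # constructed: vendor installer left it writable

if __name__ == "__main__":
    for name, path, _ in SERVICES:
        print(name, "->", hijack_candidates(path))
    print("exploitable:", triage_services(SERVICES, WRITABLE_DIRS))
```

Finding the path is half the check; the other half is whether you can make the service start again (a restart right on the service, or a reboot), since the planted binary only runs when the service manager next resolves that path. Note that the fix is simply quoting the ImagePath.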

5.2 Lateral Movement & Pivoting

Lateral movement uses one compromised host to reach others. The Windows/AD techniques are high-yield: pass-the-hash (authenticate with an NTLM hash directly), pass-the-ticket and Kerberoasting (Kerberos abuse), and remote execution with PsExec, WMI, or RDP.

BloodHound maps Active Directory to find the shortest path to Domain Admin. Pivoting then routes your traffic through a compromised host (a SOCKS proxy via ssh -D, ProxyChains, or chisel) to reach networks you can't touch directly.

Lateral movement & pivoting techniques
Technique | What it does
Pass-the-hash | Authenticate with a captured NTLM hash (no cracking)
Pass-the-ticket / Kerberoasting | Abuse Kerberos tickets to impersonate or crack accounts
PsExec / WMI / RDP | Execute commands or log in on remote Windows hosts
BloodHound | Map AD relationships to find the path to Domain Admin
SSH tunnel / ProxyChains / chisel | Pivot traffic through a compromised host to hidden networks

5.3 Credential Harvesting & Cleanup

On Windows, Mimikatz (and Impacket's secretsdump.py) dumps hashes and Kerberos tickets, plus plaintext passwords where WDigest caching is still enabled, from LSASS, the SAM, or a domain controller's NTDS.dit: fuel for more lateral movement. Finally, the ethical difference that PenTest+ stresses: a real attacker clears logs, but an authorized tester documents actions and timestamps and then performs cleanup, removing tools, payloads, accounts, and persistence to restore the environment.

Credential sources & cleanup checklist
Item | Detail
LSASS memory | Mimikatz dumps live credentials, hashes, and tickets
SAM / NTDS.dit | Local and domain hashes for offline cracking or pass-the-hash
Cleanup | Remove payloads, accounts, tasks, services, and persistence
Documentation | Record actions and timestamps so the blue team can correlate

Checkpoint · Post-exploitation & Lateral Movement

Question 1 of 10

In the context of penetration testing, what is 'privilege escalation'?

How to Use This PenTest+ Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Attacks & Exploits (35%) and Reconnaissance & Enumeration (21%) are over half the exam — invest there first, then Vulnerability Analysis, Post-exploitation, and Engagement Management.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Practice the PBQs in a lab. Performance-based questions reward hands-on skill — build a home lab and practice with Nmap, Metasploit, and Burp Suite against intentionally vulnerable targets.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 750.


PenTest+ Glossary

The high-yield PenTest+ terms in one place, each with a one-line definition you can drill as flashcards.

Active reconnaissance
Directly interacting with the target — port scanning, banner grabbing, enumeration. More detail, but detectable.
Authorization
Written, signed permission from someone with authority over the target, proving the testing is legal and approved.
Banner grabbing
Reading a service's response banner to reveal the software and version, identifying likely vulnerabilities.
Black-box testing
An unknown-environment test where the tester is given no prior internal information — simulates an external attacker.
BloodHound
A tool that maps Active Directory relationships to find the shortest attack paths to Domain Admin.
Buffer overflow
Writing more data than a buffer holds, overwriting adjacent memory to redirect execution to attacker code.
Bug bounty
An ongoing program that pays external researchers for responsibly disclosed vulnerabilities, within defined scope.
Burp Suite
An intercepting web proxy used to capture, modify, and replay HTTP/S traffic and scan web apps for flaws.
Cross-site request forgery
Tricking an authenticated user's browser into sending an unwanted state-changing request; fixed with anti-CSRF tokens.
Cross-site scripting
Injecting script into a trusted site that runs in another user's browser (stored, reflected, or DOM-based).
CVE
Common Vulnerabilities and Exposures — a public catalog assigning a unique ID to each known, disclosed vulnerability.
CVSS
Common Vulnerability Scoring System — a 0.0–10.0 open standard (maintained by FIRST) rating vulnerability severity.
Enumeration
Actively extracting detailed information from discovered services — usernames, shares, software versions — to plan exploitation.
Evil twin
A fake Wi-Fi access point impersonating a legitimate SSID to capture credentials or perform on-path attacks.
Exploit
Code or a technique that takes advantage of a specific vulnerability to make a system behave unexpectedly.
False negative
A real vulnerability the scanner missed — the more dangerous error, addressed with manual testing.
False positive
A scanner flagging a vulnerability that doesn't exist or isn't exploitable; testers validate before reporting.
Fingerprinting
Analyzing responses to determine the exact OS or service version, so attacks can be matched to known weaknesses.
Foothold
The initial access point an attacker establishes on a target network, the base for escalation and movement.
Fuzzing
Sending malformed or unexpected input to an application to trigger crashes or behavior that reveal vulnerabilities.
Gray-box testing
A partially-known test where the tester is given limited information, such as a standard user account.
Kerberoasting
Requesting Kerberos service tickets for SPN accounts, then cracking them offline for the service password.
Lateral movement
Using a compromised host to reach and compromise other systems on the internal network.
Living off the land
Using built-in, trusted tools (PowerShell, WMI, certutil) instead of malware to evade detection.
Master Service Agreement
An overarching contract setting the general terms and conditions for an ongoing client relationship.
Metasploit
An exploitation framework bundling exploits, payloads, and post-exploitation modules to deliver and manage attacks.
Meterpreter
Metasploit's advanced, in-memory payload providing file access, privilege escalation, pivoting, and credential dumping.
Mimikatz
A Windows post-exploitation tool that dumps plaintext passwords, hashes, and Kerberos tickets from memory.
MITRE ATT&CK
A globally available knowledge base of real-world adversary tactics and techniques used to model and map attacks.
Nessus
A widely used commercial vulnerability scanner (Tenable) that checks hosts and apps against thousands of checks.
NIST SP 800-115
NIST's Technical Guide to Information Security Testing and Assessment, defining planning, discovery, attack, and reporting phases.
Nmap
The de facto network scanner — discovers hosts, ports, services, and OS fingerprints. Core to recon and enumeration.
Non-Disclosure Agreement
A legal agreement binding the tester to keep client data, findings, and vulnerabilities confidential.
On-path attack
An attacker secretly relaying or altering traffic between two parties (formerly 'man-in-the-middle').
OSINT
Open-Source Intelligence — collecting publicly available data (sites, social media, leaked credentials, records) to profile a target.
OWASP
Open Worldwide Application Security Project — a nonprofit producing the OWASP Top 10 and the Web Security Testing Guide.
Pass-the-hash
Authenticating to a Windows system using a captured NTLM hash directly, without cracking the plaintext password.
Passive reconnaissance
Gathering information without directly touching the target: OSINT, WHOIS, DNS, and search engines. Not detectable by the target.
Payload
The code delivered and executed after a successful exploit — e.g., a reverse shell or a Meterpreter session.
Penetration test
An authorized, simulated attack on systems to find and exploit weaknesses before real attackers do, then report them with remediation.
Persistence
Establishing a way to keep access across reboots and credential changes — tasks, services, cron, keys, or accounts.
Phishing
A fraudulent message (usually email) that tricks the victim into revealing credentials or running malware.
Pivoting
Routing traffic through a compromised host to reach networks the attacker can't access directly.
Post-exploitation
Everything after initial access: privilege escalation, persistence, credential harvesting, and lateral movement.
Privilege escalation
Gaining higher rights than granted — vertical (to admin/root) or horizontal (to another user).
PTES
Penetration Testing Execution Standard — a methodology defining seven phases from pre-engagement through reporting.
Reverse shell
A shell that connects from the victim back to the attacker, bypassing inbound firewall rules.
Rules of Engagement
The agreed document defining what a tester may do — scope, timing, allowed techniques, and communication/escalation paths.
Scope
The explicit boundary of an engagement: which IP ranges, domains, applications, and facilities are in or out of bounds.
Server-side request forgery
Tricking a server into making requests to internal resources, often to reach cloud metadata endpoints.
Shodan
A search engine for Internet-connected devices that finds exposed servers, cameras, and ICS by their service banners.
Social engineering
Manipulating people into revealing information or taking actions that compromise security — the human attack vector.
SQL injection
Inserting malicious SQL into input so the database runs unintended commands; fixed with parameterized queries.
Statement of Work
The contract section defining the deliverables, timeline, and tasks of an engagement.
Validation
Manually confirming a scanner finding is real and exploitable before including it in the report.
Vulnerability scan
Automated checking against a database of known weaknesses to produce a prioritized findings list (no exploitation).
White-box testing
A known-environment test where the tester is given full information (source, architecture, credentials) for the most thorough assessment.
Wireshark
A GUI packet capture and protocol analyzer used to inspect traffic and extract clear-text credentials.
Zero-day
A vulnerability unknown to the vendor (no patch yet) that attackers can exploit.


PenTest+ Study Guide FAQ

The PenTest+ PT0-003 exam has a maximum of 90 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 165 minutes to complete it. The PBQs place you in simulated environments where you must select and apply the correct penetration testing tools and techniques.

References

  1. CompTIA. “CompTIA PenTest+ (PT0-003) Certification.” comptia.org.
  2. CompTIA. “PenTest+ (PT0-003) Exam Objectives / Content Guide.” comptia.org.
  3. National Institute of Standards and Technology. “SP 800-115, Technical Guide to Information Security Testing and Assessment.” csrc.nist.gov.
  4. Open Worldwide Application Security Project. “OWASP Top 10.” owasp.org.
  5. Open Worldwide Application Security Project. “Web Security Testing Guide (WSTG).” owasp.org.
  6. The MITRE Corporation. “MITRE ATT&CK Knowledge Base.” attack.mitre.org.
  7. Forum of Incident Response and Security Teams. “Common Vulnerability Scoring System (CVSS).” first.org.
  8. Cybersecurity and Infrastructure Security Agency. “Recognize and Report Phishing.” cisa.gov.
  9. National Institute of Standards and Technology (NIST). “Reconnaissance (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  10. National Institute of Standards and Technology (NIST). “Port Scanning (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  11. National Institute of Standards and Technology (NIST). “Vulnerability (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  12. Open Worldwide Application Security Project (OWASP). “SQL Injection.” owasp.org, accessed 19 June 2026.
  13. Open Worldwide Application Security Project (OWASP). “Cross Site Scripting (XSS).” owasp.org, accessed 19 June 2026.
  14. National Institute of Standards and Technology (NIST). “Privilege Escalation (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  15. National Institute of Standards and Technology (NIST). “Lateral Movement (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.