CompTIA PenTest+ (PT0-003) Study Guide — From Theory to Hands-On Red Team

PenTest+ is the cert that proves you can actually exploit vulnerabilities, not just identify them. Here's the PT0-003 breakdown, the tools you have to know cold, and a 7-week plan that gets you exam-ready.

CompTIA PenTest+ is the offensive-security cert that sits between Security+ (foundation) and OSCP (deep, painful, transformative). It's hands-on enough to prove you can run a real assessment, but vendor-neutral and shorter than OSCP — making it a strong choice for analysts pivoting to red team or for consultants who need a recognized credential without the OSCP commitment.

The current version is PT0-003, released late 2024.

Who should take PenTest+

This cert fits if you're:

  • A SOC analyst who wants to "see the other side" and move into red team
  • A junior pentester who needs a recognized credential before OSCP
  • A consultant or compliance engineer who runs assessments and wants official validation
  • Pursuing DoD 8140 / 8570 — PenTest+ is approved for several CSSP roles

If your goal is cyber-defense or SOC, CySA+ is more directly relevant. If you want pure cyber breadth, Security+ is enough.

Exam structure

  • Up to 90 questions in 165 minutes
  • Multiple choice and performance-based questions (PBQs)
  • Passing score: 750 / 900
  • Five domains:
    Domain                                        Weight
    1. Engagement Management                      13%
    2. Reconnaissance & Enumeration               21%
    3. Vulnerability Discovery & Analysis         17%
    4. Attacks & Exploits                         35%
    5. Post-Exploitation & Lateral Movement       14%

Domain 4 (Attacks & Exploits) is the heaviest at 35%. PBQs cluster here. Expect command-line drag-drop, exploit-stage ordering, and tool-output interpretation.

What PT0-003 added

Compared to PT0-002:

  • Cloud and IoT testing got more weight. AWS S3 misconfigurations, OAuth abuse, container escapes are all in scope.
  • Post-exploitation and lateral movement is now its own domain instead of being folded under "Attacks & Exploits."
  • Engagement management picked up emphasis on rules of engagement, scope, legal authority, and reporting — soft skills that real engagements live or die by.
  • AI/ML attack surface got introduced — prompt injection, model poisoning concepts, ML supply chain.

The tools you must know cold

PenTest+ doesn't require you to be a master of every tool, but it expects you to recognize output and pick the right one for a scenario:

Recon

  • nmap — every flag, every NSE script category. -sS SYN scan, -sV version detection, -O OS fingerprinting, -sC default scripts, -A aggressive, -p- all ports. Read sample output until you can spot a service from a banner.
  • Shodan / Censys — internet-wide scan databases. Know what queries return what.
  • theHarvester, Maltego, Recon-ng — OSINT collection.
  • Wireshark, tcpdump — packet capture and analysis.

Enumeration

  • Gobuster / Dirb / ffuf — directory brute force on web apps.
  • enum4linux, smbclient, rpcclient — Windows / SMB enumeration.
  • Bloodhound, SharpHound — Active Directory attack-path mapping. Critical for the post-exploitation domain.

Exploitation

  • Metasploit Framework — modules, payloads, meterpreter. Know the workflow even if you don't memorize commands.
  • Burp Suite (community + pro) — web app proxy, intruder, repeater. Know the OWASP Top 10 attack workflows.
  • sqlmap — automated SQL injection.
  • Hydra, Medusa, Hashcat, John the Ripper — credential attacks.

Post-Exploitation

  • Mimikatz — credential extraction (LSASS dump, golden ticket, silver ticket).
  • CrackMapExec / Impacket suite — psexec.py, secretsdump.py, smbexec.py.
  • PowerShell Empire / Covenant / Cobalt Strike concepts — C2 framework awareness.

You don't need expert-level tool mastery for the exam — you need recognition. Given a snippet of nmap output, you should know what the target is. Given a Mimikatz error, you should know what to try next.
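Output recognition is a skill you can drill offline. The following is an added example, not part of the original guide: it parses the port table from nmap normal output (the `-sV` format the guide tells you to read until it is second nature) and guesses the OS family from version banners alone. Both scan snippets are constructed for the example, not real scan results.

```python
import re

# Constructed sample of `nmap -sV` normal output (not a real scan).
LINUX_SAMPLE = """\
Nmap scan report for 10.0.0.5
Host is up (0.0021s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http          Apache httpd 2.4.41 ((Ubuntu))
445/tcp  open  microsoft-ds  Samba smbd 4.6.2
3306/tcp open  mysql         MySQL 5.7.33-0ubuntu0.18.04.1
"""

# Second constructed sample: a Windows-looking host.
WINDOWS_SAMPLE = """\
PORT     STATE SERVICE        VERSION
135/tcp  open  msrpc          Microsoft Windows RPC
445/tcp  open  microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open  ms-wbt-server  Microsoft Terminal Services
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line found in nmap normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip()})
    return ports


def guess_os(ports):
    """Guess the OS family from version banners only (no -O fingerprint needed).
    Service names are ignored on purpose: 'microsoft-ds' is just nmap's label
    for port 445, while the banner 'Samba smbd' tells you it is a Unix host."""
    banners = " ".join(p["version"].lower() for p in ports)
    if any(k in banners for k in ("ubuntu", "debian", "samba", "linux")):
        return "linux"
    if "microsoft" in banners or "windows" in banners:
        return "windows"
    return "unknown"
```

Feed it the saved output of a scan against a lab target (`nmap -sV -oN scan.txt <lab-host>`) and compare your own read of the banners with what the function returns.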

The OWASP Top 10 — required reading

Web app vulnerabilities will be ~10–15% of your exam. Memorize the current OWASP Top 10:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection (SQLi, command, LDAP)
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable & Outdated Components
  7. Identification & Authentication Failures
  8. Software & Data Integrity Failures
  9. Security Logging & Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

For each: know what it is, give an example, name a tool that finds it, name a remediation.

A 7-week plan

Assumes Security+ is done. Adjust if you have CySA+ already (cut to 5 weeks) or if you have zero security background (add 4 weeks of Sec+ study first).

Week 1: Engagement management + recon

Read the PenTest+ exam objectives front to back. Study scope, rules of engagement, MSA / SOW / NDA, legal authorities (Computer Fraud and Abuse Act, GDPR considerations). Set up a Kali VM and run nmap against legal lab targets (TryHackMe, HackTheBox).

Week 2: Recon deep dive

Master nmap. Study DNS reconnaissance, OSINT workflows, banner grabbing, and how to read Wireshark captures. Daily TryHackMe room.

Week 3: Vulnerability discovery

Nessus / OpenVAS scans, web app scanning with Burp and OWASP ZAP, manual identification of injection vulns, file inclusion, IDOR, and authentication bypass. CVSS scoring practice.

Week 4: Exploitation (heavy week)

SQL injection (manual + sqlmap), XSS (reflected/stored/DOM), command injection, file upload bypasses, deserialization basics. Buffer overflow concepts (you don't need to write shellcode, but recognize the workflow). Daily HackTheBox machines.

Week 5: Post-exploitation + lateral movement

Active Directory attacks: Kerberoasting, AS-REP roasting, pass-the-hash, pass-the-ticket, golden/silver tickets. Persistence mechanisms (registry, scheduled tasks, services, WMI). Privilege escalation on Windows and Linux (PEAS scripts).

Week 6: Cloud + reporting

AWS/Azure/GCP misconfigurations, container escapes, IAM abuse. Write a sample pentest report — at least the executive summary, methodology, findings, and recommendations sections. The exam tests reporting structure.

Week 7: Mixed review + practice exams

Two full-length timed practices. Review every wrong answer. Run a final HackTheBox or PortSwigger Web Security Academy room daily for tool muscle memory. Book the real exam when you score 80%+.

Pitfalls that cost candidates the pass

  • Treating it as theoretical. PenTest+ has more "what does this output mean" questions than any other CompTIA exam. Skip the labs at your peril.
  • Ignoring engagement management. 13% of the exam is contracts, scope, and reporting. It's the easiest 13% if you read it; it's the easiest to fail if you don't.
  • Studying only Linux tools. A solid quarter of post-exploitation is Active Directory. If you've never touched AD, build a small domain in a VM.
  • Underestimating cloud questions. PT0-003 added cloud weight. AWS S3 bucket policies, IAM role chaining, EC2 metadata service exploitation — all fair game.

After PenTest+

The progression depends on commitment level:

  • Validate offensive depth → OSCP is the next-level credential. Painful, expensive, life-changing if you commit.
  • Stay broad → CompTIA SecurityX (CASP+) for senior practitioner breadth.
  • Web app specialty → PortSwigger's Burp Suite Certified Practitioner, then maybe OSWE.
  • Cloud red team → AWS Security Specialty + SANS SEC588.
  • Exploit dev → OSED — for the masochists. PenTest+ won't prepare you for it, but it'll show you the door.

Frequently asked questions

Is PenTest+ a substitute for OSCP?

No. PenTest+ is multiple-choice and PBQ-based; OSCP is a 24-hour hands-on hacking exam followed by a 24-hour report. They test different things and most senior pentesters have both. PenTest+ is the easier first step.

How much does PenTest+ cost in 2026?

Voucher is around $425 USD from CompTIA. Lab platforms (TryHackMe Premium, HackTheBox) are an additional $10–$20/month while you study.

Do I need a hacking background to pass PenTest+?

You need some hands-on experience. If you've done 30+ TryHackMe / HackTheBox rooms or have day-job pentesting experience, you have what you need. Pure book study without lab time will get you to 60% of a passing score.

CySA+ or PenTest+ — which one first?

CySA+ if you want a defensive job (more roles available); PenTest+ if you want offensive. Doing both in either order is the gold-standard "blue + red" stack.

Yes, but the exam will feel abstract. Get into a legal lab platform — TryHackMe, HackTheBox, PortSwigger Web Security Academy, OWASP Juice Shop — before sitting the exam.
