CompTIAIntermediate Level2026 Updated

CompTIA PenTest+

Updated May 1, 202612 min readWritten by Certsqill experts

Quick facts — PT0-003

Exam cost

$392 USD

Questions

Maximum 85

Time limit

165 minutes

Passing score

750/900

Valid for

3 years (CE)

Testing

Pearson VUE

Who this exam is for

The CompTIA PenTest+ certification is designed for professionals who work with or want to work with CompTIA technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The PT0-003 exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

Domain

Weight

Focus areas

Engagement Management

16%

Planning and scoping penetration testing engagements, legal agreements (rules of engagement, SOW), compliance considerations, and communication with stakeholders.

Reconnaissance & Enumeration

22%

Passive and active reconnaissance techniques, OSINT methodologies, network enumeration, service fingerprinting, and target profiling.

Attacks & Exploits

28%

Network attacks, web application attacks, wireless attacks, social engineering attacks, cloud attacks, and exploit techniques across multiple target types.

Post-Exploitation

18%

Lateral movement, privilege escalation, persistence mechanisms, pivoting techniques, and covering tracks during authorized engagements.

Reporting & Communication

16%

Writing penetration test reports including executive summaries and technical findings, recommending remediation, and communicating results to different audiences.

Note the domain with the highest weight — many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Reconnaissance Method Selection

A penetration tester needs to identify all public-facing IP addresses and subdomains for a target without alerting the target. Which technique is MOST appropriate?

Know passive recon tools: Shodan, WHOIS, DNS lookup, Google dorking, Certificate Transparency logs. Active recon (Nmap, Nessus) generates traffic and alerts IDS. PT0-003 tests the distinction carefully.

Cloud Penetration Testing

During a cloud assessment, a tester discovers an S3 bucket with public read permissions containing configuration files. What is the NEXT step after documenting this finding?

PT0-003 added cloud pentesting content. Know AWS/Azure misconfiguration patterns: public S3 buckets, overly permissive IAM policies, exposed metadata endpoints (169.254.169.254), and container escape vectors.

Report Writing Format

A penetration test has concluded. The client's CEO asks for a summary of findings. Which section of the penetration test report should be provided?

PenTest+ tests report structure: Executive Summary (business impact, non-technical), Technical Findings (CVE references, CVSS scores, reproduction steps), and Remediation Recommendations. Know which audience gets which section.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: Engagement Management & Reconnaissance

Study Domain 1: scoping documents (SOW, rules of engagement), legal considerations, and pre-engagement communication
Cover Domain 2: OSINT techniques, passive vs active reconnaissance, and enumeration tools (Nmap, Netcat, Enum4linux)
Practice identifying reconnaissance output in scenario questions — Nmap scan results, DNS records, WHOIS data
Complete 60 practice questions on engagement scoping and reconnaissance phases

Week 2: Attacks & Exploits

Study network attacks: ARP poisoning, VLAN hopping, pass-the-hash, and protocol exploitation
Cover web application attacks: SQLi, XSS, CSRF, XXE, SSRF, and OWASP Top 10 relevance to pentesting
Study PT0-003 new content: cloud attack techniques, AI-assisted reconnaissance, and API testing
Practice 100 attack scenario questions — focus on selecting the right tool and technique for each scenario

Week 3: Post-Exploitation & Reporting

Study Domain 4: lateral movement techniques, privilege escalation paths (Windows/Linux), and persistence mechanisms
Cover post-exploitation tools: Mimikatz concepts, BloodHound for AD enumeration, and pivoting with proxychains
Study Domain 5: report writing structure, CVSS scoring for findings, and remediation recommendation language
Complete 2 full timed mock exams (85 questions, 165 minutes)

Week 4: PBQ Practice & Final Review

Practice PBQ scenarios: analyzing network diagrams, ordering attack phases, and interpreting tool output
Review common CVEs and vulnerability classes — PenTest+ tests recognition of well-known vulnerability types
Focus on cloud pentesting and AI-assisted attack content added in PT0-003 (frequently appears in newer exams)
Review all incorrect practice answers and ensure distinction between active and passive techniques is solid

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Not knowing common CVEs and exploit types

PenTest+ tests recognition of major vulnerability classes and their exploitation techniques. Understand EternalBlue/MS17-010, Log4Shell, ProxyLogon, and general buffer overflow, SQL injection, and authentication bypass classes.

Confusing active and passive reconnaissance

Passive reconnaissance uses publicly available data without touching target systems (OSINT, DNS lookup, Shodan). Active reconnaissance generates network traffic that may alert the target (Nmap scanning, banner grabbing). Wrong classification costs points.

Weak on report writing format

Many candidates study attack techniques but neglect Domain 5. The exam tests executive summary vs technical findings distinction, CVSS score documentation, and remediation recommendation language. A report question answered incorrectly is the same as failing a technical question.

Not studying PT0-003 updated content

PT0-003 (released 2024) added cloud penetration testing, AI-assisted attack tools, and API security testing. Candidates using PT0-002 materials miss these questions. Verify your study materials cover the 003 exam objectives.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.

Ready to start practicing?

580 PT0-003 questions. AI tutor. 4 mock exams. 7-day free trial.