The CompTIA PenTest+ (PT0-003) certification validates the hands-on skills you need to plan, scope, and execute penetration tests, then report findings to stakeholders. This course covers all five exam domains so you build practical offensive security skills and pass the exam. CompTIA recommends 3 to 4 years in a penetration tester job role before attempting this exam.

Domain   Title                                    Exam Weight
1.0      Engagement Management                    13%
2.0      Reconnaissance and Enumeration           21%
3.0      Vulnerability Discovery and Analysis     17%
4.0      Attacks and Exploits                     35%
5.0      Post-exploitation and Lateral Movement   14%

Exam details: up to 90 multiple-choice and performance-based questions, 165 minutes, passing score of 750 on a scale of 100 to 900.

Domain 1: Engagement Management (13%)

  • Summarize pre-engagement activities, including scope definition, rules of engagement, and target selection
  • Compare agreement types, including NDA, MSA, SoW, and ToS
  • Apply the shared responsibility model across hosting provider, customer, penetration tester, and third-party responsibilities
  • Address legal and ethical considerations, including authorization letters, mandatory reporting requirements, and risk to the tester
  • Explain collaboration and communication activities, including peer review, stakeholder alignment, escalation path, and secure distribution
  • Compare testing frameworks and methodologies, including OSSTMM, CREST, PTES, MITRE ATT&CK, OWASP Top 10, OWASP MASVS, and the Purdue model
  • Apply threat modeling frameworks, including DREAD, STRIDE, and OCTAVE
  • Explain the components of a penetration test report, including executive summary, methodology, detailed findings, attack narrative, and recommendations
  • Recommend remediation through technical, administrative, operational, and physical controls

Domain 2: Reconnaissance and Enumeration (21%)

  • Apply information gathering techniques using active and passive reconnaissance
  • Perform OSINT against social media, job boards, code repositories, DNS lookups, cached pages, and password dumps
  • Conduct network reconnaissance through protocol scanning, certificate transparency logs, banner grabbing, and HTML scraping
  • Apply enumeration techniques, including OS fingerprinting, service discovery, DNS enumeration, host discovery, and share enumeration
  • Perform secrets enumeration for cloud access keys, passwords, API keys, and session tokens
  • Modify scripts for reconnaissance and enumeration using Bash, Python, and PowerShell logic constructs
  • Use the appropriate tools, including the Wayback Machine, Maltego, Recon-ng, Shodan, SpiderFoot, WHOIS, nslookup/dig, Amass, Nmap, and theHarvester

This domain pairs closely with vulnerability discovery: good enumeration data feeds better scans.
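As an added example (not part of the course material), here is a Python parser for Nmap's greppable (-oG) output that turns a scan into a host/service inventory and derives a target list for a web scanner such as Nikto. The sample output, addresses, hostnames and version strings are constructed; the field layout follows Nmap's -oG format (port/state/protocol/owner/service/rpc/version, with "/" inside a service name rendered as "|").

```python
import re

# Constructed sample of Nmap greppable (-oG) output; addresses, names and
# versions are invented for this example.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.0.0.0/29\n"
    "Host: 10.0.0.5 (web01.lab.local)\tStatus: Up\n"
    "Host: 10.0.0.5 (web01.lab.local)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, "
    "80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|https//nginx 1.18.0/"
    "\tIgnored State: closed (997)\n"
    "Host: 10.0.0.6 (db01.lab.local)\tStatus: Up\n"
    "Host: 10.0.0.6 (db01.lab.local)\tPorts: 3306/open/tcp//mysql//MySQL 5.5.62/, "
    "22/filtered/tcp//ssh///\tIgnored State: closed (998)\n"
    "Host: 10.0.0.7 ()\tStatus: Down\n"
    "# Nmap done -- 8 IP addresses (2 hosts up) scanned\n"
)

# One -oG record: "Host: <ip> (<hostname>)\t<Field>: <value>\t<Field>: <value>..."
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [port dicts]}} for hosts that are up."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # comment lines and anything else
            continue
        ip, hostname, rest = m.groups()
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        if fields.get("Status") == "Down":
            continue
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for rec in filter(None, fields.get("Ports", "").split(", ")):
            # port/state/protocol/owner/service/rpc/version/ (the trailing slash yields an empty field)
            port, state, proto, _owner, service, _rpc, version = rec.split("/")[:7]
            entry["ports"].append({
                "port": int(port), "state": state, "proto": proto,
                "service": service, "version": version,
            })
    return hosts


def open_services(hosts):
    """Flatten the inventory to sorted (ip, port, service, version) rows for open ports."""
    rows = []
    for ip, h in hosts.items():
        for p in h["ports"]:
            if p["state"] == "open":
                rows.append((ip, p["port"], p["service"], p["version"]))
    return sorted(rows)


def web_targets(hosts):
    """URLs for a web scanner: every open port whose service name contains 'http'.

    Nmap writes 'ssl|https' for TLS-wrapped services, so 'ssl' or 'https' selects https.
    """
    urls = []
    for ip, port, service, _version in open_services(hosts):
        if "http" not in service:
            continue
        scheme = "https" if ("ssl" in service or "https" in service) else "http"
        urls.append(f"{scheme}://{ip}:{port}")
    return urls


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for row in open_services(inventory):
        print("%-10s %5d  %-10s %s" % row)
    print("web scanner targets:", web_targets(inventory))
```

Filtered ports are kept in the inventory but excluded from the open-service rows, so the inventory still records that 10.0.0.6 drops SSH rather than silently losing that observation.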


Domain 3: Vulnerability Discovery and Analysis (17%)

  • Conduct vulnerability discovery using container scans, application scans (DAST, IAST, SCA, SAST), network scans, and host-based scans
  • Differentiate authenticated vs. unauthenticated scans and perform secrets scanning
  • Perform industrial control system (ICS) vulnerability assessment, including manual assessment and port mirroring
  • Use vulnerability tools, including Nikto, OpenVAS, TruffleHog, BloodHound, Nessus, PowerSploit, Grype, Trivy, and Kube-hunter
  • Analyze output from reconnaissance, scanning, and enumeration to validate true positives, false positives, and false negatives
  • Explain physical security concepts, including tailgating, site surveys, USB drops, badge cloning, and lock picking
  • Prioritize and prepare attacks using CVSS, CVE, CWE, and EPSS data, weighing end-of-life systems, default configurations, and running services
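As an added illustration rather than course code, the Python below scores constructed findings by blending CVSS severity with EPSS likelihood and the environmental modifiers the objective lists: end-of-life software, default configurations, and exposure. The weighting (a 0.3 floor plus 0.7 scaled by EPSS, +1.0 per modifier, an 8.0 floor for default configurations) is an assumption chosen for this example, not a published standard, and the findings carry no CVE identifiers.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    title: str
    cvss: float                   # CVSS v3.1 base score, 0.0-10.0
    epss: float                   # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    eol: bool = False             # vendor support ended: no patch path, remediation is replacement
    default_config: bool = False  # factory credentials or out-of-the-box settings
    exposed: bool = False         # reachable from the untrusted side of the scope


def priority_score(f):
    """Blend severity with likelihood, then apply environmental modifiers.

    CVSS alone over-ranks criticals nobody exploits; EPSS alone says nothing about
    default credentials, which have no CVE. The weights are this example's choice.
    """
    score = f.cvss * (0.3 + 0.7 * f.epss)   # 0.3*cvss when EPSS is 0, cvss when EPSS is 1
    if f.default_config:
        score = max(score, 8.0)              # trivially abusable regardless of EPSS data
    if f.eol:
        score += 1.0
    if f.exposed:
        score += 1.0
    return round(min(score, 10.0), 2)


def prioritize(findings):
    """Order findings for attack planning: score descending, then CVSS descending."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)


# Constructed findings for the example; hosts and descriptions are invented.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "critical RCE, no public exploit", cvss=9.8, epss=0.02),
    Finding("10.0.0.5", "high-severity RCE, widely exploited", cvss=7.5, epss=0.95, exposed=True),
    Finding("10.0.0.6", "medium bug in end-of-life database", cvss=5.3, epss=0.01, eol=True),
    Finding("10.0.0.9", "default admin credentials on appliance", cvss=8.8, epss=0.0, default_config=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):5.2f}  {f.host:10s}  {f.title}")
```

The point of the blend is visible in the ordering: the exposed, widely exploited high ranks first and the default credentials second, while the 9.8 that nobody is exploiting drops below both. Tune the weights to the engagement, but keep the reasoning for each rank in the report's attack narrative.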

Domain 4: Attacks and Exploits (35%)

  • Perform network attacks, including default credentials, on-path attacks, VLAN hopping, relay attacks, and packet crafting with Metasploit, Netcat, Nmap, Impacket, CrackMapExec, Responder, and Hydra
  • Perform host-based attacks, including privilege escalation, credential dumping, process hollowing, and shell escapes using Mimikatz, Rubeus, Evil-WinRM, PsExec, and LOLBins
  • Perform web application attacks, including SQL injection, XSS, CSRF, SSRF, deserialization, JWT manipulation, and API abuse using Burp Suite, ZAP, sqlmap, Gobuster, and WPScan
  • Perform authentication attacks, including pass-the-hash, pass-the-ticket, Kerberos attacks, password spraying, and credential stuffing using hashcat, John the Ripper, and BloodHound
  • Perform wireless attacks, including wardriving, evil twin, deauthentication, and WPS PIN attacks using Aircrack-ng and Kismet
  • Perform social engineering attacks, including phishing, vishing, spearphishing, impersonation, and credential harvesting using SET, Gophish, and Evilginx
  • Perform cloud-based attacks, including metadata service attacks, IAM misconfigurations, container escape, and supply chain attacks using Pacu, Prowler, and ScoutSuite
  • Explain attacks against specialized systems, including mobile attacks, AI attacks (prompt injection, model manipulation), and OT attacks
  • Use scripting to automate attacks with PowerShell, Bash, and Python, plus breach and attack simulation tools

At 35%, this is the largest domain, so build a home lab and practice these attacks hands-on.


Domain 5: Post-exploitation and Lateral Movement (14%)

  • Establish and maintain persistence using scheduled tasks, reverse and bind shells, new accounts, registry keys, C2 frameworks, rootkits, and backdoors
  • Perform lateral movement through pivoting, relay creation, credential dumping, and service discovery across SMB, RDP, SSH, LDAP, and RPC
  • Use lateral movement tools, including LOLBins, CrackMapExec, Impacket, Netcat, sshuttle, Proxychains, Metasploit, PsExec, and Mimikatz
  • Summarize staging and exfiltration, including file encryption, covert channels (DNS, ICMP, HTTPS), steganography, and cloud storage
  • Explain cleanup and restoration activities, including removing persistence mechanisms, reverting configuration changes, removing tools, preserving artifacts, and secure data destruction
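As an added example, not course material, this Python shows the mechanics behind a DNS covert channel named in the staging and exfiltration objective: data is base32-encoded and split into query names under a tester-controlled zone so that every label stays within the 63-octet limit and every name within 253 characters, and the receiving side reassembles fragments that arrive out of order, duplicated, or case-randomized by resolvers. The zone (example.test), session tag, and payload are constructed, and nothing is sent on the network.

```python
import base64

MAX_LABEL = 63    # RFC 1035: a label is at most 63 octets
MAX_NAME = 253    # practical ceiling for a full name in presentation form


def encode_queries(data, zone, session, max_label=MAX_LABEL, max_name=MAX_NAME):
    """Split data into query names of the form <seq>.<data>.<data>...<session>.<zone>.

    base32 keeps to DNS-safe characters; a hex sequence label makes every name unique
    so caching resolvers cannot collapse repeated chunks, and lets the receiver reorder.
    """
    payload = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    suffix = f"{session}.{zone}"
    queries, seq, pos = [], 0, 0
    while pos < len(payload):
        seq_label = f"{seq:x}"
        # characters left for data labels once the sequence label, its dot and the suffix are placed
        budget = max_name - len(seq_label) - 1 - len(suffix)
        labels = []
        while pos < len(payload) and budget >= 2:   # one character plus its dot
            take = min(max_label, budget - 1, len(payload) - pos)
            labels.append(payload[pos:pos + take])
            pos += take
            budget -= take + 1
        queries.append(".".join([seq_label, *labels, suffix]))
        seq += 1
    return queries


def decode_queries(queries, zone, session):
    """Reassemble the payload from observed query names (any order, duplicates tolerated)."""
    suffix = f".{session}.{zone}"
    fragments = {}
    for name in queries:
        if not name.lower().endswith(suffix):      # ignore traffic for other zones
            continue
        seq_label, _, body = name[:-len(suffix)].partition(".")
        fragments[int(seq_label, 16)] = body.replace(".", "").upper()   # undo 0x20 case randomization
    payload = "".join(fragments[i] for i in sorted(fragments))
    payload += "=" * (-len(payload) % 8)                                  # restore base32 padding
    return base64.b32decode(payload)


def name_limits_ok(queries, max_label=MAX_LABEL, max_name=MAX_NAME):
    """True when every name and every label respects the DNS length limits."""
    return all(len(q) <= max_name and all(len(label) <= max_label for label in q.split("."))
               for q in queries)


# Constructed payload: 512 bytes covering every byte value, so the encoding is exercised fully.
SAMPLE_DATA = bytes(range(256)) * 2

if __name__ == "__main__":
    qs = encode_queries(SAMPLE_DATA, "example.test", "s1")
    print(len(qs), "queries, first:", qs[0])
    print("limits ok:", name_limits_ok(qs))
    print("round trip ok:", decode_queries(list(reversed(qs)), "example.test", "s1") == SAMPLE_DATA)
```

Two details matter in practice: without the per-query sequence label a resolver cache would answer repeated chunks locally and the authoritative server would never see them, and without normalizing case the decoder breaks on resolvers that randomize the 0x20 bit for cache-poisoning resistance. On the defensive side, the same properties (long base32 labels, many unique subdomains of one zone) are what DNS-exfiltration detections key on, which is worth noting in the findings.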

Work through all five domains, build a practice lab with intentionally vulnerable targets, then test your knowledge with the CompTIA PenTest+ Practice Test before exam day. For more certifications and guided learning paths, see Courses and Playbooks.