CompTIA · PT0-003
CompTIA PenTest+ validates the skills required to plan, scope, and execute penetration testing engagements across network, web, cloud, and AI environments. It covers the full pentest lifecycle from reconnaissance and exploitation through post-exploitation, reporting, and communication of findings.
Questions
699
Duration
165 minutes
Passing Score
750/900
Difficulty
ProfessionalLast Updated
Mar 2026
Use this PT0-003 practice exam to prepare for CompTIA PenTest+ (PT0-003) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 699 questions for CompTIA PT0-003, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Engagement Management, Reconnaissance and Enumeration, Vulnerability Discovery and Analysis, Attacks and Exploits, and Post-Exploitation and Lateral Movement. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
CompTIA PenTest+ (PT0-003) is a professional-level certification that validates the skills required to plan, scope, and execute penetration testing engagements across diverse environments including networks, web applications, cloud platforms, and AI systems. The certification demonstrates expertise across the full penetration testing lifecycle, from initial reconnaissance and vulnerability discovery through active exploitation, post-exploitation techniques, lateral movement, and comprehensive reporting. The PT0-003 version, launched December 17, 2024, represents the latest iteration of this credential and emphasizes modern attack surfaces and contemporary threat landscapes.
CompTIA PenTest+ is designed for security professionals with 3–4 years of hands-on experience in penetration testing or offensive security roles. Ideal candidates include penetration testers, ethical hackers, security analysts, vulnerability assessment specialists, and security consultants seeking to validate and advance their offensive security expertise. The certification is particularly valuable for professionals working in organizations requiring demonstrated competency in identifying and exploiting system vulnerabilities, as well as those pursuing careers in red team operations, bug bounty programs, or managed security services.
CompTIA recommends that candidates possess a minimum of 3–4 years of practical experience in a penetration testing role. Additionally, candidates should hold CompTIA Network+ and Security+ certifications or demonstrate equivalent knowledge in networking fundamentals, security concepts, and system administration. While formal prerequisites are not strictly enforced, candidates without this background may find the exam challenging, as it assumes proficiency with networking protocols, cryptography, operating systems, and security frameworks. Hands-on experience with penetration testing tools, vulnerability assessment platforms, and exploitation techniques is essential preparation.
The PT0-003 exam consists of a maximum of 90 questions combining multiple-choice and performance-based question types. The exam duration is 165 minutes (2 hours and 45 minutes), allowing approximately 1.8 minutes per question on average. The exam is delivered online through Pearson VUE testing centers worldwide and is available in English, French, Japanese, and Portuguese. Scoring is on a scale of 100–900, with a passing score of 750. The exam includes unscored pretest questions used for item analysis and future exam development. The previous version (PT0-002) retires on June 17, 2025, with PT0-003 estimated to remain current until approximately 2027.
Holding the CompTIA PenTest+ certification significantly enhances career prospects in the cybersecurity field. Penetration testers with this credential command competitive salaries, with median annual earnings around $110,540–$131,970 in the United States, representing 75–175% above the median national wage. The credential is increasingly featured in job postings across the industry and validates expertise required for roles such as Penetration Tester, Security Analyst, Red Team Specialist, and Vulnerability Assessment Specialist. The Bureau of Labor Statistics projects 32% growth in information security analyst positions through 2032, while the U.S. penetration testing market is expected to triple by 2028, indicating strong demand for certified professionals. PenTest+ has gained rapid adoption among employers and is recognized as a credible validation of offensive security skills, particularly in organizations requiring demonstrated competency in vulnerability identification and remediation. The certification positions holders for advancement into senior security roles, management positions, and specialized careers in bug bounty programs and managed security services.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 699 questions.
Preview — answers shown1. A penetration tester is evaluating Infrastructure as Code (IaC) security for Litware's cloud deployment. The tester needs to scan Terraform configurations and Kubernetes manifests for misconfigurations before deployment. Which tools are specifically designed for IaC security scanning? (Select three!)
Multiple correct answersExplanation
Checkov is an open-source static analysis tool built specifically for IaC security, supporting Terraform, CloudFormation, Kubernetes, Dockerfile, and ARM templates. It detects misconfigurations like overly permissive security groups, unencrypted storage, and publicly accessible resources before deployment. Trivy provides comprehensive IaC scanning alongside container image and filesystem scanning, making it a versatile tool for DevSecOps pipelines. KICS supports IaC files written in Terraform, CloudFormation, Docker, Kubernetes, and Ansible with over 1,900 security queries aligned to security standards and CIS benchmarks. Burp Suite is a web application security testing proxy unrelated to IaC. Nessus performs network-based vulnerability scanning against running systems, not static IaC analysis. BloodHound analyzes Active Directory relationships and has no IaC scanning capability.
2. A penetration tester is conducting an external assessment for Contoso Financial. During passive reconnaissance, the tester needs to discover subdomains that may not appear in standard DNS queries, including those used for internal services that were accidentally issued public certificates. Which technique would MOST effectively reveal these hidden subdomains without generating any traffic to the target? (Select one!)
Explanation
Certificate transparency logs maintained by crt.sh contain publicly viewable, append-only records of every SSL/TLS certificate ever issued for a domain. Because organizations often issue certificates for internal services that are temporarily exposed or misconfigured, these logs reveal subdomains that would never appear in a zone transfer or brute-force result. Critically, querying crt.sh generates zero traffic to the target, making it entirely passive. DNS zone transfers require direct interaction with the target's name servers, generating detectable traffic and typically being blocked on modern networks. Gobuster DNS mode actively sends DNS queries to resolvers, which can be logged and detected. Shodan is passive but reveals IP addresses and open ports rather than subdomain enumeration from certificate records.
3. During a penetration test of Adatum's network, a tester captures the following Nmap output showing that ports 80, 443, and 8080 are open and that OS detection identified the target as likely running Linux. The tester used a scan that performed service version detection, default script execution, OS detection, and traceroute in a single command. Which Nmap flag produces all of these capabilities simultaneously? (Select one!)
Explanation
The -A flag in Nmap is the aggressive scan option that bundles four capabilities into a single flag: service version detection (-sV), default NSE script execution (-sC), OS detection (-O), and traceroute (--traceroute). Using -A is equivalent to specifying all four of those flags individually. This is commonly used for comprehensive host assessments when stealth is not a primary concern, as it generates significant network traffic compared to a simple port scan. The combination of -sC and -sV provides service enumeration and default script scanning but explicitly excludes OS detection and traceroute, making it insufficient for the described output. Specifying -O and --traceroute directly without -sV means service versions would not be detected and the scripts would not run. The combination of -sS -sV -O provides SYN scanning with version detection and OS detection but omits traceroute and NSE script execution, making it an incomplete match for all four capabilities described.
4. A red team operator at Adatum Corporation has established a foothold on a Linux web server and needs to configure a persistent reverse shell that automatically reconnects to the attack infrastructure every time the system reboots. The operator wants to leverage the cron daemon for this purpose, consistent with MITRE ATT&CK T1053.003. Which of the following actions would BEST accomplish this objective? (Select one!)
Explanation
Adding a cron job entry in /etc/cron.d/ with the @reboot time specification is the correct approach for MITRE ATT&CK T1053.003 (Scheduled Task/Job: Cron). The @reboot directive instructs the cron daemon to execute the specified command each time the system boots, providing persistent reverse shell connectivity that survives reboots. Files placed in /etc/cron.d/ are read system-wide by the cron daemon, and a root-owned entry ensures the payload executes with elevated privileges. This technique is used by multiple documented threat actor groups including APT38, Rocke, and malware families such as Kinsing and GoldMax. Modifying a Windows registry Run key is a Windows-specific persistence mechanism (MITRE T1547.001) and is entirely inapplicable to a Linux system, which has no Windows registry. Creating a systemd service unit file is a valid Linux persistence method (MITRE T1543.002 - Create or Modify System Process: Systemd Service) and would also achieve reboot persistence, but it does not align with the T1053.003 Cron technique specified in the question. It requires writing a unit file with specific directives such as ExecStart, Type, and WantedBy, making it a distinct persistence category from cron. Inserting code into an .htaccess file is an Apache web server configuration mechanism that controls request handling behavior such as redirects and access control. It does not cause arbitrary command execution at system startup and would only influence web requests if the server process is already running, making it unsuitable as a standalone reboot persistence mechanism.
5. During a code review of Northwind's Git repository, you run TruffleHog and receive results with three different verification statuses. What does each status indicate? (Select three!)
Multiple correct answersExplanation
TruffleHog returns three verification statuses: Verified (credential confirmed as currently active through successful authentication against the service), Unknown (verification attempt failed due to API errors, timeouts, or service unavailability — the credential may still be valid), and Unverified (pattern detected but verification was not performed or is not supported for that credential type). TruffleHog does not have Expired, Pending, or False-Positive as built-in statuses — these classifications would require manual review outside the tool.
CompTIA A+ Core 1 (220-1101)
220-1101 · 700 questions
CompTIA A+ Core 2 (220-1102)
220-1102 · 700 questions
CompTIA Cloud+ (CV0-004)
CV0-004 · 700 questions
CompTIA Cybersecurity Analyst+ (CySA+) (CS0-003)
CS0-003 · 700 questions
CompTIA Data+ (DA0-001)
DA0-001 · 700 questions
CompTIA DataSys+ (DS0-001)
DS0-001 · 700 questions
$17.99
One-time access to this exam