CompTIA PenTest+ (PT0-003) Practice Exams
About the CompTIA PenTest+ PT0-003 exam
Exam at a glance
CompTIA's intermediate offensive-security credential, released December 17, 2024 (replacing PT0-002, which retired June 17, 2025).
Who it's for
Penetration testers, red teamers, vulnerability assessment engineers, and security consultants. Approved under DoD Directive 8140.03 for offensive cybersecurity work roles.
Domain weighting
- Engagement Management: ~13%
- Reconnaissance and Enumeration: ~21%
- Vulnerability Discovery and Analysis: ~17%
- Attacks and Exploits: ~35%
- Post-Exploitation and Lateral Movement: ~14%
Prerequisites
No formal prerequisites. CompTIA recommends Network+ and Security+ plus 3–4 years of hands-on information security or penetration-testing experience. Realistically, candidates also benefit from prior CySA+ exposure and comfort with Kali Linux and Burp Suite.
Why take this certification
- Vendor-neutral offensive credential. PenTest+ is one of the few widely recognized offensive-security certifications that is both ANSI/ISO 17024 accredited and DoD 8140.03 approved, which makes it valuable across federal contracting, regulated industries, and commercial red-team roles.
- Strong salary positioning. Certified penetration testers in the U.S. earn an average of $103,000–$120,000 USD per year (source: PayScale, 2025), with senior red-team operators routinely exceeding $140,000.
- Complements OSCP. Where OSCP proves you can break in, PenTest+ proves you understand the methodology, scoping, legal frameworks, and reporting workflow employers actually need. Many shops require both.
- Covers the full engagement lifecycle. Unlike purely technical certs, PT0-003 tests scoping, Rules of Engagement, statement of work, CVSS scoring, MITRE ATT&CK mapping, and executive-vs-technical reporting: the business-communication skills that separate junior testers from senior consultants.
What you'll learn in the PenTest+ PT0-003 exam
PT0-003 validates that you can plan, execute, and document a professional penetration test end-to-end. The exam blends conceptual questions with performance-based scenarios that require you to interpret tool output, sequence attack steps, or analyze simulated engagement artifacts.
Engagement and scoping
- Rules of Engagement (RoE), statement of work, master service agreements — what's in scope, prohibited targets, escalation contacts.
- Legal and compliance frameworks — GDPR, PCI DSS, HIPAA, CMMC, GLBA — and how each shapes engagement constraints.
- Authorization letters, "get out of jail" documentation, third-party vendor coordination.
Reconnaissance and enumeration
- OSINT — ASN lookups, WHOIS, certificate transparency logs, Shodan, theHarvester, Maltego.
- Subdomain enumeration — DNS brute forcing, certificate-based discovery, GitHub dorking.
- Active scanning — deep Nmap usage (scripting engine, service fingerprinting, evasion), Masscan for high-speed sweeps.
Vulnerability discovery and analysis
- Vulnerability scanners — Nessus, OpenVAS, Nuclei, Nikto — output interpretation and false-positive triage.
- CVSS scoring (v3.1 and v4.0), exploitability vs impact assessment, prioritization frameworks.
Attacks and exploits (largest domain at ~35%)
- Web app attacks — OWASP Top 10: injection (SQL, command, LDAP), broken access control, SSRF, deserialization, XXE, prototype pollution.
- Network attacks — MITM, ARP poisoning, DNS poisoning, LLMNR/NBT-NS spoofing, password spraying, Kerberoasting, NTLM relay.
- Cloud-specific attacks — IAM misconfiguration, overly permissive policies, public exposure of cloud storage (S3 buckets, blobs), container escape concepts, IMDSv1 abuse.
- Wireless attacks — WPA2/3 PMK extraction, evil twin, KARMA, deauthentication, captive portal bypass.
- Social engineering — phishing payload delivery, pretexting, vishing, USB drops, BEC patterns.
- OT/ICS considerations — safe testing methodology for industrial control systems and SCADA environments.
Post-exploitation and lateral movement
- Privilege escalation — Linux (SUID, sudo misconfig, kernel exploits, cron) and Windows (UAC bypass, token impersonation, unquoted service paths).
- Persistence — scheduled tasks, registry run keys, systemd services, web shells.
- Lateral movement — Pass-the-Hash, Pass-the-Ticket, Golden Ticket, Silver Ticket, DCSync, BloodHound for AD attack paths.
- Exfiltration patterns — DNS tunneling, HTTPS C2 channels, steganography.
Reporting and communication
- Executive summary vs technical findings — audience-appropriate writing.
- MITRE ATT&CK mapping for finding contextualization.
- Remediation recommendations, retest planning, evidence handling and chain of custody.
How the practice exams help
Each free question and every premium exam mirrors the multi-step scenario format PT0-003 uses: long stems describing engagement artifacts (Nmap output, Burp captures, AD enumeration results), paired with detailed explanations that cover not just why the right answer is right but why each distractor is wrong. You learn the trade-offs and tool choices, not just the answer letter.
How to prepare for the PT0-003 exam
A successful PenTest+ preparation strategy combines theoretical study, intensive hands-on lab work, and exam simulation. Recommended approach for experienced security professionals:
- Study the exam objectives (3–4 weeks). Download the official PT0-003 exam objectives and work through CompTIA CertMaster Learn + Practice. Focus first on Attacks and Exploits (~35%) and Reconnaissance and Enumeration (~21%) — together they're more than half the exam.
- Intensive hands-on labs (4–6 weeks). Hands-on fluency is non-negotiable for PenTest+. Work through HackTheBox Starting Point + active boxes, TryHackMe Jr Penetration Tester and Red Team paths, and the full PortSwigger Web Security Academy for web app coverage. Tool familiarity required: Kali Linux, Nmap, Burp Suite, Metasploit, BloodHound, Hashcat, Hydra, Wireshark.
- Review engagement and reporting topics (1 week). The business-communication side of PenTest+ trips up technical candidates. Read sample penetration-test reports, study CVSS v3.1/v4.0 scoring rubrics, and review the MITRE ATT&CK framework for tactics and techniques mapping.
- Performance-based question practice (1–2 weeks). PBQs are where most candidates lose points. Practice interpreting Nmap output, reading Wireshark captures, sequencing exploitation steps, and analyzing simulated AD environments under time pressure. Take timed practice tests to identify weak areas. Aim for consistent 80%+ scores before scheduling your exam.
Recommended timeline
12–16 weeks of focused study (10–15 hours per week) for experienced security professionals with Security+ background. Candidates without prior offensive lab time should expect 20+ weeks.
Helpful prior certifications
The realistic preparation stack: Network+ → Security+ → CySA+ (defensive complement) → PenTest+. Candidates aiming for the senior offensive track often follow PenTest+ with OSCP for hands-on practical validation.
Official resources
Download the official PT0-003 exam objectives and review CompTIA's PenTest+ training resources before starting your preparation.