PenTest+ (PT0-001)

In April 2019, I took CompTIA’s PenTest+ exam. Along with CySA+, this bridges the gap between Security+ and CASP. As the name suggests, it’s all about penetration testing.

This is a relatively new exam, and it’s still on the first release (PT0-001). Because of that, it’s not very well known, so I haven’t seen any job adverts asking for it. Personally, I took the Security+ exam in November 2016, so that was due to expire in November 2019 (along with the A+ and Network+). Doing this exam was a good way to renew all of my existing CompTIA certifications, while learning some new skills, so I don’t regret it. However, I mainly see it as a stepping stone towards a more useful certification.

Pen testing exams generally fall into two categories: theory and practical. Like the other CompTIA exams, PenTest+ is (primarily) multiple choice. This has the advantage that it can be graded automatically by the testing software. However, it also has the downside that it’s less realistic, because it’s more fragmented. It’s entirely possible to pass this exam without ever actually doing a penetration test, which makes the certification less valuable to employers.

As an analogy, think of a driving test. Normally, you would drive around the area for a while to demonstrate your general ability, then the examiner would ask you to perform a few manoeuvres (e.g. parallel parking). Imagine instead that the examiner drove you to a suitable location, then you swapped seats so that you could do a manoeuvre, then you swapped seats again so that they could drive you to the next location. PenTest+ feels a bit like this, e.g. they might ask you how you would set up a reverse shell but you won’t need to choose when to do that.

On the CompTIA website (blog), they ask: “How does CompTIA PenTest+ compare to EC-Council’s Certified Ethical Hacker (CEH) certification?” Unsurprisingly, they conclude that PenTest+ is better, but I agree with their logic. Aside from anything else, PenTest+ is significantly cheaper! That said, I’m not sure that this is the best comparison. CEH is well known, but the EC-Council blog says that “the C|EH is not a penetration testing certification”; it’s a foundation course, so I’d say that CEH is closer to Security+.

Looking at the Continuing Education section of the CompTIA website, they seem to agree. If you want to use an EC-Council certification to renew a CompTIA certification, you can use CEH, ECSA, or LPT to renew the Security+ but you can only use ECSA or LPT to renew PenTest+ and CySA+. Based on that, I think that PenTest+ is somewhere between CEH and ECSA.

Normally I use a textbook to prepare for an exam. However, none of them had been published when I did this exam, so I used Jason Dion’s Udemy course as my primary resource. Here’s my review of the course:

I think the course does a good job of covering the syllabus, and the demos are particularly useful: it’s easier to see how software works in a video than by reading a book.

I’m glad that he omitted some stuff (e.g. a description of rainbow tables) on the basis that we should already know that from the Security+ exam; that way, he could focus on what’s new. At the same time, it’s also useful that he went into some stuff that isn’t on the exam but will be relevant in real life. The key difference is that the extra content is specifically relevant to penetration testing, rather than being general networking principles etc.

On the downside, I noticed that there are a few mistakes in the course. Sometimes this is just a typo or a slip of the tongue, e.g. writing “structered” instead of “structured”. Some of them are a bit misleading, e.g. when he mentions that Wannacry exploited a vulnerability in SMB but didn’t mention that this is specific to SMB 1.0; later versions of SMB don’t have that problem. There are also some bits that are flat out wrong, e.g. when he said that PowerShell doesn’t put a dash before comparison operators; you actually need to type “-eq” rather than just “eq”. (Curiously, the printed slide was correct but the spoken description was wrong.)

It’s also a bit odd that so many of the examples use Windows XP or Windows 7. In particular, he recommends using the “at” command to create scheduled tasks, but that has been deprecated in Windows 10 and you need to use schtasks.exe instead. To be fair, I know there are still some organisations using Windows 7, and it’s possible that some people are still using XP (although I hope not); however, since this course was created in July 2018, it would be nice if it were a bit more up to date.
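To put the two points above into working form, here is a small PowerShell snippet. It is an added example (not something from the course or from the original version of this post): it uses the dash-prefixed comparison operator to check whether the SMB 1.0 server protocol is still enabled, and it creates a scheduled task with schtasks.exe instead of the old “at” command. The task name, script path and start time are made-up values; Get-SmbServerConfiguration needs the SmbShare module (Windows 8 / Server 2012 or later), and schtasks.exe /Create will usually need an elevated prompt.

```powershell
# Added example, not from the course: comparison operators take a leading dash
# ("-eq", "-ne", "-gt"), and scheduled tasks are created with schtasks.exe
# rather than the legacy "at" command.

function Test-Smb1Enabled {
    # Returns $true if the SMB 1.0 server protocol is still enabled on this host.
    # Get-SmbServerConfiguration is in the SmbShare module (Windows 8 / Server 2012+).
    $config = Get-SmbServerConfiguration
    # Note the dash: "$config.EnableSMB1Protocol eq $true" is a parse error in PowerShell.
    return ($config.EnableSMB1Protocol -eq $true)
}

function New-DailyAuditTask {
    # Creates a daily task. The legacy equivalent would have been something like
    #   at 09:00 /every:M,T,W,Th,F powershell.exe -File C:\Tools\Audit-Smb.ps1
    # but at.exe is gone from current Windows releases, so use schtasks.exe.
    param(
        [string]$TaskName   = 'SmbAudit',                 # assumed name for the example
        [string]$ScriptPath = 'C:\Tools\Audit-Smb.ps1',   # assumed path (no spaces, so no quoting needed)
        [string]$StartTime  = '09:00'
    )
    $command = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
    # /F overwrites an existing task of the same name; /RU SYSTEM runs it as LocalSystem.
    schtasks.exe /Create /F /SC DAILY /TN $TaskName /TR $command /ST $StartTime /RU SYSTEM | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks.exe failed with exit code $LASTEXITCODE"
    }
    # Return the task definition so the caller can confirm what was registered.
    return (schtasks.exe /Query /TN $TaskName /FO LIST)
}

if (Test-Smb1Enabled) {
    Write-Warning 'SMB 1.0 is enabled (the version WannaCry targeted); consider: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Host 'SMB 1.0 server protocol is disabled.'
}

New-DailyAuditTask
```

The comparison on EnableSMB1Protocol is the slide-versus-narration slip from the course in miniature: drop the dash and PowerShell treats “eq” as an unexpected token rather than an operator. The schtasks.exe call deliberately keeps the script path free of spaces, because passing a quoted path through PowerShell to a native command is a separate quoting headache that isn’t the point here.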

Overall, Jason Dion freely admits that this course won’t prepare you for the exam on its own: you actually need some hands-on experience using the tools. I think it’s a good starting point, to identify any gaps in your knowledge which you can then investigate in more detail.

Aside from Jason Dion’s course, I also installed Kali Linux in a virtual machine and went through the (free) Metasploit Unleashed course, which gives a decent overview of Metasploit and Meterpreter.

The CompTIA website also has some practice questions, but they’re far easier than the actual exam! I got all of them correct before I’d started Jason Dion’s course, but when I took the real exam (after I’d finished his course), it was the hardest CompTIA exam that I’ve done so far. As an intermediate exam, you should expect it to be harder than the A+, Network+, and Security+. In theory, it’s equal to the CySA+, but I personally thought the PenTest+ was harder.
NB: just to emphasise the point, it’s harder than (some) other CompTIA exams, but it’s significantly easier than some exams from other organisations (e.g. the OSCP).

As always, you should get the exam objectives from the CompTIA website, then do further study on anything you’re not sure about. However, in this case I found them a bit misleading. In particular, section 4.1 lists particular parameters for Nmap, but the exam asked about other parameters which weren’t on that list. Similarly, section 4.2 lists various tools, and explicitly says “The intent of this objective is NOT to test specific vendor feature sets.” For the most part, that’s true: they want you to know what each tool does (e.g. you should know that Burp Suite is a web proxy) but you don’t need to know how to use them. However, I found that the exam required you to know about nc and hashcat parameters. Obviously I’m restricted by the non-disclosure agreement, so I can’t be any more specific than that, but I advise you to spend some time on the Nmap website. Even if some of the info is beyond the scope of this exam, it will be useful to you in the long run (assuming that you pursue a career in penetration testing).

When you book the exam, I recommend buying a voucher from the CompTIA store, then redeeming that voucher on the Pearson VUE website. The main benefit is that you can use a discount code in the CompTIA store: Jason Dion included a 10% discount with his course, but I got a 15% discount as an ACM member.

Pearson VUE allocated 210 minutes (3½ hours) for my appointment: that includes 165 minutes (2h45m) for the exam itself and another 45 minutes for “overhead” (e.g. the demo and survey). Personally, I was in the test centre for about 2½ hours: I had enough time to review all my answers, and I still finished a bit early, but I didn’t have loads of time left over. So, I’d say the allocated time is about right.

I took the exam on Friday afternoon. I then received the email confirmation from CompTIA the following day (Saturday evening); I think they have an automated task that runs once every 24 hours, after the various databases have had time to synchronise. As usual, I then logged into their website and updated my “intent level” on the CE dashboard.

Passing this exam also gave me a stackable certification: Network Vulnerability Assessment Professional (Security+ and PenTest+).

3 Comments

  1. Hi there John,
    Thanks for writing this review.
    I have just started a few training courses for the PenTest+, including Jason Dion’s course on Udemy and perhaps later the CompTIA CertMaster Learn – have you used CertMaster Learn before? If so, do you recommend it?

    However, I haven’t taken the Security+ exam and wasn’t going to because I thought about learning it without taking the exam and then after the PenTest+ take the OSCP. Do you think this is a wise move? I passed the Network+ in 2014 and over the years have learnt a few in depth pentesting tools.

    I have read other reviews of the PenTest+ being really difficult and I am intrigued as to what exactly is the hard part? Is it the way the questions are phrased or that it asks you things that were not in the learning material or is it the practical simulation stuff?

    Thanks again.

    1. Hi Georgina,

      I’ve done a few other exams that I haven’t finished blog posts for, so think of this comment as a sneak preview 🙂

      In brief, I wouldn’t really recommend the PenTest+. I’d advise you to do the eJPT exam instead. You can get the “barebones” course free of charge if you register at the Ethical Hacker website. They also sent me a voucher for $100 off the full/elite versions of the course, so I effectively paid $200 for the exam and $99 for the training (including labs). There isn’t much demand for this as a certification in its own right, but I think it’s a good stepping stone towards the OSCP. (I’m starting the PWK course next weekend.)

      The eJPT and PenTest+ are both multiple choice exams. However, the eJPT actually involves a pen test. For instance, they might ask “how many services are configured for automatic startup on this server?” and the only way to answer that question is to hack into the server and look at the list. Also, the eJPT is open book, so you can look up the syntax etc. By contrast, the PenTest+ exam is much more about memorising the parameters for various command line tools; there’s very little in the way of practical simulation.

      For me personally, the main benefit of PenTest+ is that it renewed my existing CompTIA certifications (A+, Network+, Security+). Since then, I’ve done CySA+ (which was more useful); anything that renews that will also renew PenTest+, so I’ll keep it now that I’ve got it. I might even use the PenTest+ to renew the rest, if I’m sufficiently familiar with the tools from OSCP etc. Since you haven’t done it yet, my advice is to skip it.

      Is your Network+ still valid or did it lapse? I assume that it would originally have been valid from 2014-2017; if you renewed it, it would then be valid from 2017-2020. If you need to renew it this year then it might be worth taking one of the CompTIA exams, but I’d actually recommend Security+ over PenTest+ for that (if only because it’s cheaper). However, if the Network+ has lapsed then that won’t be a factor.

      I’ve never done any of the Certmaster courses, so I can’t really comment on them. Since they come from CompTIA, I’d hope that they’re a close match for the syllabus. However, they’re also quite expensive, as compared to a textbook (typically about £40) or a Udemy course (typically about £10 if you get them on sale). If you do go with Certmaster, it would make sense to get a bundle (training material and exam together) to save some money.

      1. Hi John,

        Thanks, I’m already doing the PTS course with eLearnSecurity – the only problem is I’m in the UK so this cert is not seemingly recognised by employers, yet the CompTIA is, plus the OSCP of course. To also go forward with the PTP is quite expensive too.

        Huh, that’s a pity about the PenTest+, I’ve just ordered the book! My Network+ isn’t valid so yes, I do need to renew it, hence the PenTest+, but I may now go for the Security+ or the CySA+ now that you recommend it. Having said this, I don’t mind too much having to just memorise the answers for the PenTest+ exam for various reasons. I was hoping to go purely for pentest certs as I have a good window of time to study at the moment and didn’t want to waste the time engaged in certs I’m not too interested in, even though they’re related.

        All the best with the OSCP, I hope you do a review for it. 😉
