Domain 1.0: Planning and Scoping
Foundation of successful penetration testing
This domain covers the foundation of a penetration test: understanding legal and compliance requirements, defining the scope of the engagement, and demonstrating professional conduct throughout the process. Proper planning and scoping are critical to a successful penetration test and ensure legal protection for both the tester and the client.
1.1 Governance, Risk, and Compliance (GRC)
- Legal considerations and regulatory compliance (SOX, PCI DSS, HIPAA)
- Risk management frameworks (NIST, ISO 27001, COBIT)
- Rules of engagement and legal agreements
- Industry standards and best practices
- Data classification and handling procedures
1.2 Scoping and Requirements
- Target determination and asset inventory
- Budget considerations and resource allocation
- Timeline development and milestone planning
- Communication requirements and escalation procedures
- Testing methodologies (OWASP, NIST, PTES)
- Environmental considerations and impact assessment
1.3 Ethical Hacking and Professionalism
- Professional ethics and code of conduct
- Confidentiality and non-disclosure agreements
- Proper documentation and evidence handling
- Client communication and expectation management
- Incident response and emergency procedures
📚 Study Resources
2.0 Information Gathering and Vulnerability Scanning – 22%
This domain focuses on reconnaissance techniques, both passive and active, and the tools and methods used to identify vulnerabilities in systems, networks, and applications. Information gathering is the foundation of any successful penetration test and directly influences the effectiveness of subsequent attacks.
2.1 Passive Reconnaissance
- OSINT (Open Source Intelligence) gathering techniques
- DNS enumeration and zone transfers
- Whois and domain information research
- Social media intelligence and people search
- Website analysis and technology fingerprinting
- Search engine reconnaissance (Google dorking)
- Shodan and IoT device discovery
2.2 Active Reconnaissance
- Network scanning and port enumeration (Nmap, Masscan)
- Service identification and version detection
- Web application discovery and crawling
- SMTP, SNMP, and other protocol enumeration
- Banner grabbing and service fingerprinting
- Directory and file brute forcing
- Wireless network discovery and analysis
2.3 Reconnaissance Analysis
- Data correlation and threat modeling
- Attack surface mapping and documentation
- Target prioritization and risk assessment
- Technology stack identification
- Potential attack vectors and entry points
- Intelligence reporting and documentation
2.4 Vulnerability Scanning
- Automated vulnerability scanners (Nessus, OpenVAS, Qualys)
- Web application scanners (Burp Suite, OWASP ZAP)
- Database vulnerability assessment
- Network infrastructure scanning
- Wireless security assessment tools
- Static and dynamic code analysis
- Configuration compliance scanning
- False positive identification and validation
🛠️ Essential Tools & Resources
3.0 Attacks and Exploits – 30%
This is the largest domain and includes conducting various types of attacks on networks, wireless systems, applications, cloud environments, and specialized devices. It also includes social engineering and post-exploitation tasks. This domain represents the core practical skills of penetration testing.
3.1 Network Attacks
- ARP spoofing and poisoning attacks
- DNS poisoning and cache attacks
- Man-in-the-middle (MITM) attacks
- Network protocol exploitation (SMB, RDP, SSH)
- VLAN hopping and network segmentation bypass
- Credential harvesting and pass-the-hash attacks
- Privilege escalation techniques
3.2 Wireless Attacks
- WEP, WPA, and WPA2/3 cracking techniques
- Evil twin and rogue access point attacks
- Bluetooth attacks and exploitation
- RFID and NFC security testing
- Wireless deauthentication attacks
- Captive portal bypass techniques
3.3 Application-Based Attacks
- SQL injection (UNION, Blind, Time-based)
- Cross-site scripting (XSS) - Stored, Reflected, DOM
- Cross-site request forgery (CSRF)
- Local and remote file inclusion (LFI/RFI)
- Command injection and OS exploitation
- XML External Entity (XXE) attacks
- Server-side request forgery (SSRF)
- Insecure deserialization exploitation
3.4 Cloud Technology Attacks
- AWS, Azure, GCP misconfigurations
- Container escape and Docker exploitation
- Kubernetes security testing
- Serverless function attacks
- Identity and access management (IAM) exploitation
- Cloud storage bucket enumeration
3.5 Specialized Systems
- IoT device security testing
- SCADA and industrial control systems
- Mobile application security (iOS/Android)
- Embedded system exploitation
- Point-of-sale (POS) system attacks
3.6 Social Engineering & Physical
- Phishing and spear phishing campaigns
- Pretexting and impersonation techniques
- Physical security bypass methods
- USB drops and BadUSB attacks
- Tailgating and badge cloning
- Dumpster diving and OSINT correlation
3.7 Post-Exploitation
- Lateral movement and pivoting techniques
- Persistence mechanisms and backdoors
- Data exfiltration methods
- Covering tracks and log evasion
- Credential dumping and privilege escalation
- Network tunneling and port forwarding
⚔️ Attack Resources & Practice
Internal Resources:
4.0 Reporting and Communication – 18%
After testing, professionals must communicate results clearly. This domain covers report writing, explaining findings, recommending remediation, and following up appropriately with clients. Effective communication is critical for ensuring that security findings are understood and acted upon by stakeholders.
4.1 Written Report Components
- Executive summary for management audience
- Technical findings and vulnerability details
- Risk assessment and CVSS scoring
- Evidence documentation and screenshots
- Methodology and scope description
- Attack narratives and exploitation paths
- Appendices and supporting documentation
4.2 Findings Analysis & Remediation
- Vulnerability classification and prioritization
- Business impact assessment
- Remediation recommendations and timelines
- Compensating controls and workarounds
- Cost-benefit analysis for security improvements
- Compliance mapping (PCI DSS, HIPAA, SOX)
4.3 Communication During Testing
- Status updates and progress reporting
- Critical finding escalation procedures
- Client point of contact management
- Emergency communication protocols
- Documentation standards and evidence handling
- Stakeholder expectations management
4.4 Post-Report Activities
- Report presentation and walkthrough sessions
- Remediation validation and retesting
- Attestation and compliance certification
- Knowledge transfer and training recommendations
- Lessons learned documentation
- Long-term security roadmap planning
📋 Reporting Best Practices
Internal Resources:
5.0 Tools and Code Analysis – 16%
This domain covers tools commonly used during penetration testing and how to analyze and interpret simple scripts and code to understand exploits and vulnerabilities. Mastery of these tools and the ability to analyze code are essential skills for effective penetration testing.
5.1 Scripting and Automation
- Python scripting for security testing
- PowerShell for Windows exploitation
- Bash scripting for Linux environments
- Custom payload development
- Automation of repetitive testing tasks
- API interaction and web scraping
- Regular expressions for data parsing
5.2 Penetration Testing Tools
- Network Tools: Nmap, Masscan, Wireshark, tcpdump
- Web Application: Burp Suite, OWASP ZAP, SQLmap, dirb/dirbuster
- Exploitation: Metasploit, Cobalt Strike, Empire, PowerSploit
- Post-Exploitation: Mimikatz, BloodHound, CrackMapExec
- Wireless: Aircrack-ng, Reaver, Wifite, Kismet
- Social Engineering: SET, Gophish, BeEF
5.3 Code Analysis Techniques
- Static code analysis and vulnerability identification
- Dynamic analysis and runtime behavior
- Reverse engineering and binary analysis
- Malware analysis and behavior understanding
- Exploit code modification and customization
- Shellcode analysis and development
- Assembly language basics for security
5.4 Operating System and Command Line
- Linux command line mastery (grep, awk, sed, netstat)
- Windows PowerShell and CMD proficiency
- File system navigation and analysis
- Process monitoring and system analysis
- Log analysis and forensic examination
- Network troubleshooting and analysis
🔧 Tools & Development Resources
📖 Official Exam Information
For complete and up-to-date exam objectives, visit the official CompTIA PenTest+ exam objectives (PT0-002) ↗
Frequently Asked Questions
Everything you need to know about the PenTest+ certification
What is the CompTIA PenTest+ certification?
CompTIA PenTest+ (PT0-002) is an intermediate-level cybersecurity certification that validates the hands-on skills required to perform penetration testing, vulnerability assessment, and management. It covers planning, scoping, reconnaissance, exploitation, post-exploitation, and reporting.
How long does it take to prepare for the PenTest+ exam?
Most candidates study for 8-12 weeks, dedicating 10-15 hours per week. If you have experience with Security+ or CEH, you might need 6-8 weeks. Beginners should plan for 12-16 weeks with hands-on lab practice being essential.
What are the prerequisites for PenTest+?
While there are no mandatory prerequisites, CompTIA recommends having Network+ and Security+ certifications (or equivalent knowledge) plus 3-4 years of hands-on IT security and networking experience before attempting PenTest+.
What is the exam format and passing score?
The PT0-002 exam consists of up to 85 questions (multiple choice and performance-based) with a 165-minute time limit. The passing score is 750 on a scale of 100-900. The exam costs $392 USD and is available at Pearson VUE testing centers worldwide.
What tools should I know for the PenTest+ exam?
Key tools include: Nmap, Metasploit, Burp Suite, Wireshark, Nessus, OpenVAS, Hydra, John the Ripper, Hashcat, SQLmap, Nikto, OWASP ZAP, and various scripting languages (Python, Bash, PowerShell). Hands-on experience with Kali Linux is essential.
How does PenTest+ compare to CEH or OSCP?
PenTest+ is vendor-neutral and focuses on practical penetration testing skills. It's more hands-on than CEH but less intense than OSCP. PenTest+ is ideal for those seeking intermediate-level validation, while OSCP is for advanced practitioners. CEH covers broader theoretical knowledge.
🎯 Exam Preparation Strategy
Your roadmap to PenTest+ success
📅 Study Timeline (8-12 weeks)
- Weeks 1-2: Planning & Scoping + Ethics
- Weeks 3-4: Information Gathering & Recon
- Weeks 5-7: Attacks & Exploits (30% focus)
- Weeks 8-9: Reporting & Communication
- Weeks 10-11: Tools & Code Analysis
- Week 12: Practice exams & review
🏆 Success Tips
- • Get hands-on experience with virtual labs
- • Practice with TryHackMe and Hack The Box
- • Study real penetration testing reports
- • Understand legal and ethical considerations
- • Master the tools listed in each domain
- • Take practice exams to identify gaps
Essential Penetration Testing Tools
Official documentation and download links for key PenTest+ tools
Reconnaissance
Vulnerability Scanning
Exploitation
Web Application
Password Cracking
Important: Only use these tools on systems you own or have explicit written permission to test. Unauthorized access is illegal and unethical.