How to Pass CompTIA PenTest+ PT0-002: Offensive Security Exam Strategy
A hands-on strategy for passing CompTIA PenTest+ covering planning, reconnaissance, attacks, reporting, and the practical performance-based questions.
PenTest+: The Practical Offensive Cert
CompTIA PenTest+ bridges the gap between Security+ and OSCP. It tests both the methodology and the tools of penetration testing without requiring you to pop shells in a live lab (that is OSCP's territory). PenTest+ validates that you understand the full pentest lifecycle from scoping to reporting.
The PT0-002 exam has up to 85 questions in 165 minutes with a passing score of 750/900. It covers five domains and includes performance-based questions.
Domain-by-Domain Strategy
Domain 1: Planning and Scoping (14%)
Covers engagement planning, rules of engagement, scope definition, and legal/compliance considerations.
Key concepts:
Types of penetration tests: black box (no knowledge), gray box (partial knowledge), white box (full knowledge).
Rules of engagement documentation: scope boundaries, authorized targets, testing windows, emergency contacts, data handling.
Legal considerations: written authorization is mandatory; understand laws such as the CFAA (Computer Fraud and Abuse Act).
Compliance-driven testing: PCI DSS Requirement 11.3 and other regulatory pentest requirements.
The scoping questions test whether you understand what is and is not allowed during a pentest. If a question describes a situation where the tester encounters something outside scope, the answer is always "stop and contact the client."
Domain 2: Information Gathering and Vulnerability Scanning (22%)
Covers reconnaissance and vulnerability identification.
Key concepts:
Passive reconnaissance: OSINT, WHOIS, DNS records, Google dorking, Shodan, social media analysis, certificate transparency logs.
Active reconnaissance: port scanning (Nmap), service enumeration, OS fingerprinting.
Vulnerability scanning: Nessus, OpenVAS, Nikto, Burp Suite scanner.
The critical skill is knowing which tool to use for each scenario.
Nmap knowledge is essential: Know scan types (SYN -sS, TCP connect -sT, UDP -sU, version detection -sV, OS detection -O, aggressive -A). Know how to interpret Nmap output and what each port state means (open, closed, filtered, unfiltered).
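Interpreting port states is where most Nmap questions are lost. The following is an added example (not from the original article, and not an Nmap project tool): a small parser for Nmap normal-format output that tags every port line with what its state actually means and pulls out the definitely-listening services. The scan text embedded in it is constructed, not a real scan; the state meanings follow the Nmap reference guide.

```python
import re
from collections import Counter

# Constructed sample of Nmap normal output (not a real scan). In practice you
# would read this from a file saved with "-oN scan.txt".
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE         SERVICE    VERSION
22/tcp   open          ssh        OpenSSH 8.2p1 Ubuntu
80/tcp   open          http       Apache httpd 2.4.41
443/tcp  filtered      https
3306/tcp closed        mysql
8080/tcp unfiltered    http-proxy
53/udp   open|filtered domain
"""

# What each Nmap port state tells you about the target.
STATE_MEANING = {
    "open": "a service is accepting connections; this is real attack surface",
    "closed": "host reachable, nothing listening; the probe got through any filter",
    "filtered": "a firewall or filter dropped the probe; service state unknown",
    "unfiltered": "reachable, but Nmap cannot tell open from closed (ACK scan)",
    "open|filtered": "no response; either listening or filtered (UDP/FIN/NULL/Xmas scans)",
    "closed|filtered": "idle scan could not distinguish closed from filtered",
}

# One port line: "<port>/<proto>  <state>  <service>  [version text]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>[a-z|]+)\s+"
    r"(?P<service>\S+)"
    r"(?:\s+(?P<version>.+?))?\s*$"
)


def parse_nmap_output(text):
    """Return one dict per port line; header, host and summary lines are skipped."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        entry["meaning"] = STATE_MEANING.get(entry["state"], "unknown state")
        results.append(entry)
    return results


def summarize(results):
    """Count ports per state, e.g. {'open': 2, 'filtered': 1, ...}."""
    return Counter(r["state"] for r in results)


def exposed_services(results):
    """Only 'open' ports definitely answer; these are what a defender must justify."""
    return [f"{r['port']}/{r['proto']} {r['service']}"
            for r in results if r["state"] == "open"]


if __name__ == "__main__":
    ports = parse_nmap_output(SAMPLE_NMAP_OUTPUT)
    for p in ports:
        print(f"{p['port']:>5}/{p['proto']} {p['state']:<14} {p['service']:<11} -> {p['meaning']}")
    print("state counts:", dict(summarize(ports)))
    print("open services:", exposed_services(ports))
```

Note that "open|filtered" is a single state token, which is why the regex accepts a pipe in the state field; a UDP scan without -sV will report most unanswered ports this way, so a count dominated by that state means the scan has not resolved anything yet.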
Domain 3: Attacks and Exploits (30%)
The highest-weighted domain. Covers network attacks, web application attacks, wireless attacks, cloud attacks, and social engineering.
Key concepts:
Network attacks: ARP poisoning, LLMNR/NBT-NS poisoning (Responder), relay attacks (ntlmrelayx), password spraying, Kerberoasting, AS-REP roasting, pass-the-hash, pass-the-ticket.
Web attacks: SQL injection (all types), XSS (stored, reflected, DOM), command injection, directory traversal, file inclusion (LFI/RFI), SSRF, deserialization attacks, authentication bypass.
Wireless: Evil twin attacks, deauthentication attacks, WPA2 cracking (4-way handshake capture + dictionary attack), WPS PIN brute force.
Post-exploitation: Privilege escalation (SUID binaries on Linux, unquoted service paths on Windows, DLL hijacking), lateral movement (PsExec, WMI, PowerShell remoting), persistence mechanisms (scheduled tasks, registry run keys, cron jobs, web shells), data exfiltration techniques.
Domain 4: Reporting and Communication (18%)
Covers pentest report writing and communicating findings to stakeholders.
Key concepts:
Report structure: executive summary, methodology, findings (with CVSS scores), evidence (screenshots, tool output), remediation recommendations, risk ratings.
Finding classification: critical, high, medium, low, informational.
Each finding must include: description, affected systems, evidence of exploitation, business impact, and remediation steps.
Communication during the test: when to escalate immediately (evidence of prior compromise, critical vulnerability in production, sensitive data exposure). Post-test: debrief with the client, remediation consultation, retest planning.
Domain 5: Tools and Code Analysis (16%)
Covers penetration testing tools and basic scripting/code review.
Key concepts: You do not need to be a programmer, but you need to read and understand basic scripts in Bash, Python, PowerShell, and Ruby. Common tasks: modify an exploit script, identify a vulnerability in source code, write a simple automation script.
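The code-analysis task that appears most often is spotting where untrusted input reaches a dangerous call. The following added example (mine, not from the article) works through one such review in Python: a constructed "connectivity check" script that concatenates a hostname into a shell command, a small grep-style triage that flags the risky call, and the hardened form that validates the input against an allow-list and hands the command to subprocess as an argv list so no shell parses it. Nothing here executes a command; the functions only build and inspect command lines.

```python
import re
import shlex

# Constructed script of the kind shown in a code-analysis question.
SAMPLE_SCRIPT = '''\
import os, sys
host = sys.argv[1]
os.system("ping -c 1 " + host)
print("done")
'''

# Review triage: calls that hand a string to a shell or an interpreter.
RISKY_CALLS = re.compile(r"os\.system\(|os\.popen\(|shell\s*=\s*True|\beval\(|\bexec\(")


def flag_risky_lines(source):
    """Return (line_number, line) for every line containing a risky call."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if RISKY_CALLS.search(line)]


def build_ping_command_vulnerable(host):
    """The string the sample script hands to the shell. Because the input is
    concatenated into a command line, shell metacharacters in `host`
    (; | && $( ) and so on) become additional commands."""
    return "ping -c 1 " + host


# Shell metacharacters a reviewer looks for in test input or logs.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")


def contains_shell_metachars(value):
    """True if the value could change the meaning of a shell command line."""
    return bool(SHELL_META.search(value))


# Allow-list: RFC 1123 style hostnames and dotted IPv4 addresses (IPv6 deliberately
# not handled here; add a separate parser if you need it).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_fixed(host):
    """Hardened form: reject anything that is not a hostname, then return an
    argv list. Run it with subprocess.run(argv) (shell=False, the default), so
    the operating system receives separate arguments and never a shell string."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"refusing non-hostname input: {host!r}")
    return ["ping", "-c", "1", host]


def shell_view(argv):
    """Quoted rendering of an argv list for logs and reports."""
    return shlex.join(argv)


if __name__ == "__main__":
    print("risky lines:", flag_risky_lines(SAMPLE_SCRIPT))
    user_input = "10.0.0.5; id"  # constructed malicious-looking input
    print("vulnerable builds:", build_ping_command_vulnerable(user_input))
    print("metacharacters present:", contains_shell_metachars(user_input))
    try:
        build_ping_command_fixed(user_input)
    except ValueError as e:
        print("fixed rejects:", e)
    print("fixed builds:", shell_view(build_ping_command_fixed("10.0.0.5")))
```

The same review pattern transfers to Bash (unquoted `$1` inside a command), PowerShell (`Invoke-Expression` on user input) and Ruby (backticks or `system` with a single string): find the sink, trace the input back, and fix by validating and passing arguments rather than strings.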
Essential tools by category:
PBQ Focus Areas
PenTest+ PBQs often require you to:
Study Plan (8 Weeks)
Weeks 1-2: Domain 2 (Reconnaissance) — foundational skills.
Weeks 3-5: Domain 3 (Attacks) — largest domain, hands-on labs essential.
Week 6: Domain 5 (Tools and Code Analysis).
Week 7: Domain 1 (Scoping) and Domain 4 (Reporting).
Week 8: Practice exams and PBQ practice.
Practice with CyberCertPrep's PenTest+ question bank featuring tool-specific scenarios, code analysis questions, and attack methodology problems.
Daniel Agrici
CEH, Security+, PenTest+
Daniel is the founder of CyberCertPrep. With a background in penetration testing and security consulting, he has passed 8 cybersecurity certifications and writes about exam strategies and career development.