CompTIA PenTest+ certification: Overview and career path [updated 2022]
Today, penetration testing is a profession in high demand with lucrative job opportunities worldwide. In this position, you will probe the security integrity of a company’s IT infrastructure — from networks, systems, devices and applications to operating services — to uncover potential threats and develop solutions. Penetration testers simulate real-world attacks to identify possible entry points for breaches, weaknesses in systems and organizational structures and deficiencies in policies and training. They aim to ensure an organization takes preventive, corrective and protective measures to safeguard at-risk systems before a malicious attacker attempts to hack them.
Does this sound like a job role for you? Let’s look at how you can join like-minded professionals in the field and how the PenTest+ certification can further your cybersecurity and information technology career.
A career in penetration testing
Pentesters come from very different walks of life. Though they all share technical abilities and passion for IT security, the way they acquired their knowledge differs: from formal college education to self-study or participation in hacking groups for self-interest. But who exactly are these ethical hackers, and can organizations trust them?
Although they often employ the same tactics as their malicious counterparts, pentesters use their hacking skills to address network security flaws rather than to gain unauthorized access to a computer system in order to exploit and compromise it. These days, it’s a matter of when, not if, threat actors will target organizations. Therefore, ethical hackers who operate as penetration testers are important for companies of any size and industry. However, preparing for these roles is not for everyone. Pentesters need many skills, abilities and areas of knowledge to succeed.
First, they need to have soft skills. They need to be problem solvers with the vision and imagination necessary to anticipate cyber-related attacks and have excellent communication skills to deliver findings and solutions to clients who might not have technical expertise.
Theoretical knowledge is equally important. Gaining a subject matter qualification like CompTIA PenTest+ is a valid option for professionals tasked with penetration testing and vulnerability assessment. The CompTIA PenTest+ enables professionals to take a proactive approach in significantly reducing risks.
The new CompTIA PenTest+ exam
PenTest+ is a vendor-neutral penetration testing exam designed to test the skills of security professionals involved in penetration testing of IT networks and vulnerability management. The exam demonstrates competency in several areas:
- Knowledge of system vulnerabilities
- Ability to pentest IT systems to uncover cyber threats
- Capacity to discover areas of risks
- Knowhow to classify and set risk levels in alignment with business needs
- Proficiency in the use of data analysis tools
- Ability to complete clear, detailed reports with discoveries and remediation suggestions
- Awareness of legal and compliance requirements
The exam, available at Pearson VUE testing centers and online, consists of 85 multiple-choice and performance-based questions to be completed in 165 minutes. The passing score is 750 (on a scale of 100-900), and the test price is $370. Test takers can purchase a certification exam voucher by visiting the CompTIA Store.
Exam prerequisites (recommended but not mandatory):
- CompTIA Network+
- Security+ or equivalent knowledge
- Minimum of three to four years of hands-on information security or cybersecurity-related experience
The new PenTest+ (PT0-002) exam launched on Oct. 28, 2021, and it covers the latest techniques against expanded attack surfaces for the cloud, hybrid environments, web applications, Internet of Things (IoT) and traditional on-premises systems. The difficulty of the test depends on your existing knowledge and your hands-on intermediate-level security experience.
Here are the changes that have been made from CompTIA PenTest+ PT0-001 to PT0-002:
- Newer techniques for pentesting an expanded attack surface
- Emphasis on demonstrating an ethical hacking mindset given various scenarios
- More focus on the hands-on tasks and automation required for vulnerability management
- More focus on code analysis to emphasize the growing need to identify and analyze code during a penetration test
According to CompTIA, when you’ve earned CompTIA PenTest+, you can be confident that you have the knowledge and skills required to:
- Plan and scope a penetration testing engagement
- Understand legal and compliance requirements
- Perform vulnerability scanning and penetration testing using appropriate tools and techniques, and then analyze the results
- Produce a written report containing proposed remediation techniques, effectively communicate results to the management team, and provide practical recommendations
CompTIA PenTest+ is the most comprehensive exam covering all penetration testing stages. Candidates will need to be familiar with the following broad categories across five domains:
- Planning and Scoping (14%) — Includes regulatory compliance and legal considerations, standards and methodologies to be used in accordance with customers’ requirements and environment, integrity and professional risks.
  - Compare and contrast governance, risk and compliance concepts. Explain key legal concepts
  - Explain the importance of scoping and organizational/customer requirements
  - Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity
- Information Gathering and Vulnerability Scanning (22%) – Includes updated skills on performing vulnerability scanning and passive/active reconnaissance, vulnerability management, and analyzing the results of the reconnaissance exercise.
  - Given a scenario, perform passive reconnaissance
  - Given a scenario, perform active reconnaissance
  - Given a scenario, analyze the results of a reconnaissance exercise
  - Given a scenario, perform vulnerability scanning
- Attacks and Exploits (30%) — Includes updated approaches to expanded attack surfaces; researching social engineering techniques; performing network, wireless, cloud and application-based attacks; and post-exploitation techniques.
  - Given a scenario, research attack vectors and perform network attacks
  - Given a scenario, research attack vectors and perform wireless attacks
  - Given a scenario, research attack vectors and perform application-based attacks
  - Given a scenario, research attack vectors and perform attacks on cloud technologies
  - Explain common attacks and vulnerabilities against specialized systems
  - Given a scenario, perform a social engineering or physical attack
  - Given a scenario, perform post-exploitation techniques
- Reporting and Communication (18%) — Includes the importance of reporting and communication in an increased regulatory environment during the pentesting process through analysis and appropriate remediation recommendations.
  - Compare and contrast important components of written reports
  - Given a scenario, analyze the findings and recommend the appropriate remediation within a report
  - Explain the importance of communication during the penetration testing process
  - Explain post-report delivery activities
- Tools and Code Analysis (16%) — Includes updated concepts of identifying scripts in software deployments, analyzing a script or code sample and explaining use cases of pen test tools.
  - Explain the basic concepts of scripting and software development
  - Given a scenario, analyze a script or code sample for use in a penetration test
  - Explain use cases of the following tools during the phases of a penetration test
This is not an exhaustive list of everything you may be tested on. The topics are covered in the CompTIA PenTest+ Certification Exam Objectives, which can help you better focus your preparation.
Who should earn the CompTIA PenTest+ certification?
The certification is geared towards professionals in a penetration tester role. Still, it is a good option for various other positions, including:
- Network security administrators
- Information security experts
- Cybersecurity managers
- Vulnerability assessment consultants
- Threat hunters or threat investigators
- Cloud security specialists
- Web application security enthusiasts
In addition, PenTest+ is a great option for professionals in other sectors of the IT realm who want to develop additional expertise or who want to change their career and enter the ethical hacking world.
How can I prepare to get PenTest+ certified?
Once you’ve decided that CompTIA PenTest+ is right for you, passing the exam on the first attempt will require a reasonable amount of study time. There is a range of exam prep tools, instructional web videos, training boot camps and courses offered by several sources and reputable training providers.
CompTIA training is also available for candidates. The Official CompTIA PenTest+ Self-Paced Study Guide (Exam PT0-002) offers complete coverage of all exam objectives and prepares you to:
- Scope organizational/customer requirements
- Define the rules of engagement
- Footprint and gather intelligence
- Evaluate human and physical vulnerabilities
- Prepare the vulnerability scan
- Scan logical vulnerabilities
- Analyze scanning results
- Avoid detection and cover tracks
- Exploit the LAN and Cloud
- Test wireless networks
- Target mobile devices
- Attack specialized systems
- Web application-based attacks
- Perform system hacking
- Script and software development
- Leverage the attack: pivot and penetrate
- Communicate during the pentesting process
- Summarize report components
- Recommend remediation
- Perform post-report delivery activities
The PenTest+ certification definitely covers a lot of topics, so it is essential that you focus your attention on areas you might be weaker in, and use study sources to fill any gaps in preparation.
Expected job outlook
As organizations become more aggressive and proactive when it comes to cybersecurity, they turn to professionals that can certify their skills and knowledge — and whose investigative mindset can assess a modern network’s resiliency against cyberattacks, identify vulnerabilities and mitigate risks before something bad happens.
Employers often search for people who have the PenTest+ certification to get some assurance of the candidate’s up-to-date knowledge and proven skills. Many credential holders earn a good salary and find several job prospects.
CompTIA PenTest+ is aligned to the NICE Workforce Framework (NCWF) describing work roles in the cybersecurity industry and is an asset in the recruitment of highly qualified personnel in these specialty areas:
- 211 Forensics Analysis
- 212 Cyber Defense Forensics Analyst
- 511 Cyber Defense Analyst
- 521 Cyber Defense Infrastructure Support Specialist
- 531 Cyber Defense Incident Responder
- 541 Vulnerability Assessment Analyst
- 612 Security Controls Assessor
The NCWF allows employers to identify their organizational needs and seek candidates who are the right fit for the job. Hiring someone who is CompTIA PenTest+ certified assures employers that the professional has both offensive and defensive skills and has the practical know-how to assess a company’s overall security posture and create an effective security program that aims to prevent breaches and protect data and assets.
PenTest+ is also included in DoD Directive 8570 and represents an important asset for professionals who want to progress in pentesting and ethical hacking in the government’s information assurance workforce. CompTIA PenTest+ has been approved for Cybersecurity Service Provider (CSSP) levels of Analyst, CSSP Incident Responder and CSSP Auditor.