
100+ Free CompTIA PenTest+ Practice Questions

Pass your CompTIA PenTest+ (Exam PT0-003) exam on the first try — instant access, no signup required.

Interactive quiz, question 1 of 100:

A tester connects to TCP port 25 with Netcat and issues `VRFY jdoe` to learn whether a username exists. Which service is being enumerated and what is the goal?
Key Facts: CompTIA PenTest+ Exam (2026 statistics)

  • Exam fee (USD): $425 (source: CompTIA)
  • Passing score: 750/900 (source: CompTIA)
  • Exam duration: 165 min (source: CompTIA)
  • Question count: max 90 (source: CompTIA)
  • Attacks and Exploits domain weight: 35% (source: CompTIA PT0-003 objectives)
  • Certification validity: 3 years (source: CompTIA, CE renewal)

CompTIA PenTest+ (PT0-003) is an intermediate penetration-testing certification delivered through Pearson VUE for a $425 USD fee, with a 750/900 passing score and up to 90 multiple-choice and performance-based questions in 165 minutes. The five domains are Engagement Management (13%), Reconnaissance and Enumeration (21%), Vulnerability Discovery and Analysis (17%), Attacks and Exploits (35%), and Post-Exploitation and Lateral Movement (14%). The credential is valid for three years and renewable through CompTIA continuing education.

Sample CompTIA PenTest+ Practice Questions

Try these sample questions to test your CompTIA PenTest+ exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A penetration tester is finalizing the pre-engagement paperwork. Which document specifically defines the targets, timing windows, allowed techniques, exclusions, and the escalation contact for a single test?
A. Rules of engagement (RoE)
B. Master service agreement (MSA)
C. Non-disclosure agreement (NDA)
D. Statement of work (SOW)
Explanation: The rules of engagement (RoE) document defines the operational boundaries of a specific test: in-scope and out-of-scope targets, the testing window, permitted and prohibited techniques, and how to escalate if something goes wrong. It is the tester's day-to-day authorization reference.

2. During scoping, a client states that the assessment must validate compliance with the protection of cardholder data. Which regulatory framework most directly drives the requirement for an annual penetration test of the cardholder data environment?
A. GDPR
B. PCI DSS
C. HIPAA
D. SOX
Explanation: PCI DSS (Payment Card Industry Data Security Standard) requirement 11 mandates penetration testing of the cardholder data environment at least annually and after significant changes, including segmentation checks. It is the framework that explicitly drives card-data pentests.

3. A tester wants to systematically enumerate potential threats to a web application by walking through Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Which threat modeling methodology is being used?
A. OCTAVE
B. DREAD
C. STRIDE
D. PASTA
Explanation: STRIDE is a Microsoft-developed threat modeling framework whose acronym maps directly to six threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. It is used to enumerate threats against a system or component.

4. While testing a web server, a tester discovers evidence of an active, prior compromise by a real attacker. According to standard rules of engagement, what is the MOST appropriate immediate action?
A. Continue testing and document it in the final report
B. Remove the attacker's backdoor to remediate the issue
C. Begin collecting forensic evidence of the intrusion
D. Stop and follow the engagement's escalation/communication path to notify the client
Explanation: Discovery of an indicator of a prior or active compromise is an emergency-escalation event. The tester should immediately invoke the agreed escalation/communication path to notify the client point of contact so the organization can engage incident response. Acting unilaterally exceeds the engagement's authority.

5. A penetration test report assigns a severity to each finding using a 0.0 to 10.0 numeric score derived from base, temporal, and environmental metrics. Which scoring system is being used?
A. CVSS
B. CWE
C. CPE
D. OWASP Risk Rating only
Explanation: The Common Vulnerability Scoring System (CVSS) produces a 0.0-10.0 severity score from Base, Temporal, and Environmental metric groups. Pentest reports commonly use CVSS to prioritize findings for remediation.

6. A client's executive team will receive the penetration test report. Which report component is written specifically for a non-technical audience and summarizes business risk and overall posture without command output?
A. Attack narrative
B. Executive summary
C. Technical findings appendix
D. Methodology section
Explanation: The executive summary is the business-facing portion of the report. It conveys overall risk posture, key findings, and strategic recommendations in plain language so leadership can make funding and remediation decisions without reading raw exploit output.

7. A finding recommends "implement parameterized queries and input validation." In remediation terminology, what category of control is this?
A. Administrative control
B. Physical control
C. Technical (logical) control
D. Detective control only
Explanation: Parameterized queries and input validation are technical (also called logical) controls because they are implemented in the technology stack to prevent exploitation, such as stopping SQL injection. Technical controls operate within hardware, software, or firmware.

8. An organization wants the testers to have NO prior knowledge of the environment and to attack as an external adversary would, with no credentials or network diagrams provided. Which test type is this?
A. White-box (full knowledge) test
B. Gray-box (partial knowledge) test
C. Compliance audit
D. Black-box (unknown environment) test
Explanation: A black-box (also called unknown-environment) test gives the tester no internal information, credentials, or documentation. It most closely simulates an external attacker who must perform full reconnaissance, at the cost of taking longer and possibly missing internal issues.

9. A penetration testing firm and a new client are establishing a multi-year relationship and want one overarching contract that sets the general legal terms for all future engagements. Which document serves this purpose?
A. Master service agreement (MSA)
B. Rules of engagement (RoE)
C. Statement of work (SOW)
D. Authorization-to-test letter
Explanation: A master service agreement (MSA) is the umbrella contract that defines the general legal and business terms governing the ongoing relationship. Individual engagements are then defined by their own SOW and RoE under the MSA.

10. Before any active testing begins, why does a professional penetration tester insist on a signed authorization document (sometimes called a get-out-of-jail-free letter)?
A. It guarantees the test will find no false positives
B. It provides written legal authorization, protecting the tester from unauthorized-access liability
C. It replaces the need for an NDA
D. It defines the CVSS scoring rubric
Explanation: Penetration testing involves activities that would otherwise violate anti-hacking laws such as the U.S. Computer Fraud and Abuse Act. A signed authorization-to-test letter from someone with authority provides documented legal permission, protecting the tester from claims of unauthorized access.

About the CompTIA PenTest+ Exam

CompTIA PenTest+ (PT0-003) is an intermediate cybersecurity certification that validates the hands-on skills required to plan and scope a penetration test, gather information, discover and analyze vulnerabilities, exploit systems, and report findings. The current PT0-003 version launched on 17 December 2024 and replaced PT0-002, retired in June 2025, adding deeper coverage of modern attack surfaces including cloud, web applications, and Active Directory. The exam presents a maximum of 90 multiple-choice and performance-based questions in 165 minutes and requires a score of 750 on a 100-900 scale to pass. Its five domains are Engagement Management (13%), Reconnaissance and Enumeration (21%), Vulnerability Discovery and Analysis (17%), Attacks and Exploits (35%), and Post-Exploitation and Lateral Movement (14%).

  • Questions: 90 scored questions
  • Time limit: 165 minutes
  • Passing score: 750 on a scale of 100-900
  • Exam fee: $425 (CompTIA)

CompTIA PenTest+ Exam Content Outline

Engagement Management (13%)

Plan and scope engagements with rules of engagement, SOW, MSA, and NDA; align testing to compliance drivers such as PCI DSS, GDPR, and HIPAA; apply threat-modeling frameworks (STRIDE, DREAD, OCTAVE); and write reports that score findings with CVSS and recommend technical, administrative, and physical remediation.

Reconnaissance and Enumeration (21%)

Perform passive OSINT with theHarvester, Recon-ng, Shodan, Maltego, WHOIS, DNS records, and certificate transparency logs, then move to active scanning and enumeration using Nmap and the NSE, plus SMB, SNMP, LDAP, and SMTP enumeration and web content discovery.

Vulnerability Discovery and Analysis (17%)

Run credentialed and non-credentialed scans with Nessus, OpenVAS, and Nikto; map detected services to CVE and CWE records; prioritize with CVSS base, temporal, and environmental metrics; fuzz inputs; and manually validate findings to remove false positives.

Attacks and Exploits (35%)

Execute web attacks (SQL injection, XSS, SSRF, CSRF, file inclusion, command injection, insecure deserialization, IDOR), network and on-path attacks, wireless attacks (evil twin, deauth, WPA2 cracking), cloud attacks (metadata SSRF, IAM and storage misconfigurations), password and social-engineering attacks, and AV/EDR evasion using Metasploit, Burp Suite, sqlmap, Hydra, Hashcat, Responder, and Aircrack-ng.

Post-Exploitation and Lateral Movement (14%)

Pivot and tunnel with proxychains and SOCKS proxies, harvest credentials with mimikatz and Impacket secretsdump, perform pass-the-hash and Kerberoasting, map attack paths with BloodHound, establish persistence, exfiltrate data over covert channels, clean up artifacts, and automate with Python, Bash, and PowerShell.

How to Pass the CompTIA PenTest+ Exam

What You Need to Know

  • Passing score: 750 on a scale of 100-900
  • Exam length: 90 questions
  • Time limit: 165 minutes
  • Exam fee: $425

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CompTIA PenTest+ Study Tips from Top Performers

1. Spend the most prep time on Attacks and Exploits (35%): web attacks like SQLi, XSS, SSRF, and command injection, plus wireless, cloud, and password attacks, since this domain alone is over a third of the exam.
2. Build a home lab and practice real tools: Nmap and NSE, Metasploit and msfvenom, Burp Suite, sqlmap, Responder, Hydra, Hashcat, mimikatz, Impacket, and BloodHound.
3. Memorize the engagement paperwork hierarchy: MSA sets the relationship, SOW scopes a project, RoE defines operational boundaries, and the NDA protects confidentiality.
4. Know the difference between scan types: passive OSINT versus active scanning, credentialed versus non-credentialed scans, and SYN (-sS) versus connect (-sT) versus UDP (-sU) Nmap scans.
5. Practice the Active Directory attack chain end to end: enumeration with BloodHound, Kerberoasting, pass-the-hash, secretsdump, and golden tickets, since AD content expanded in PT0-003.
6. Prepare for performance-based questions by practicing real command syntax and reading tool output, not just memorizing definitions; PBQs reward hands-on familiarity.

Frequently Asked Questions

What are the current exam facts for CompTIA PenTest+ PT0-003?

PT0-003 costs $425 USD, has a maximum of 90 multiple-choice and performance-based questions, runs 165 minutes, and requires a score of 750 on a 100-900 scale to pass. It is delivered through Pearson VUE online or at a test center.

What is the difference between PT0-002 and PT0-003?

PT0-003 launched on 17 December 2024 and replaced PT0-002, which retired in June 2025. PT0-003 restructured the domains and expanded coverage of cloud, web application, and Active Directory attacks, and it separates Vulnerability Discovery and Analysis as its own 17% domain.

Which domain carries the most weight on PT0-003?

Attacks and Exploits is the largest domain at 35%, covering web, network, wireless, and cloud attacks, password cracking, social engineering, and AV/EDR evasion. Reconnaissance and Enumeration is next at 21%.

Are there prerequisites for PenTest+?

There are no mandatory prerequisites. CompTIA recommends Network+ and Security+ certifications plus 3-4 years of hands-on information security or penetration testing experience before attempting PT0-003.

How long is the PenTest+ certification valid?

The PenTest+ certification is valid for three years from the date you pass. You can renew it through CompTIA's Continuing Education (CE) program by earning CEUs or passing a higher-level certification.

What is the best way to prepare for PT0-003?

Get hands-on in a lab with real tools such as Nmap, Metasploit, Burp Suite, sqlmap, Responder, mimikatz, and BloodHound, and practice the performance-based question style. Then drill the heaviest domains, Attacks and Exploits and Reconnaissance, until each tool and technique feels routine.