
200+ Free PenTest+ Practice Questions

Pass your CompTIA PenTest+ (PT0-003) exam on the first try — instant access, no signup required.

✓ No registration
✓ No credit card
✓ No hidden fees
✓ Start practicing immediately
~65-70% Pass Rate
200+ Questions
100% Free
2026 Statistics

Key Facts: PenTest+ Exam

  • Est. Pass Rate: ~65-70% (industry estimate)
  • Passing Score: 750/900 (CompTIA)
  • Avg Salary: $104,000 (CompTIA 2024)
  • DoD 8570: Approved (CSSP Technical)
  • Exam Fee: $404 (CompTIA)
  • Exam Duration: 165 min (CompTIA)

CompTIA PenTest+ (PT0-003) is an intermediate-level penetration testing certification launched December 2024. The exam has up to 90 questions in 165 minutes, requiring 750/900 to pass. PenTest+ covers engagement management (13%), reconnaissance (21%), vulnerability discovery (17%), attacks and exploits (35%), and post-exploitation (14%). It is DoD 8570 approved for CSSP Technical roles.

Sample PenTest+ Practice Questions

Try these sample questions to test your PenTest+ exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. A penetration tester is preparing a proposal for a client that requires testing of a web application handling PCI DSS data. Which compliance requirement must be explicitly addressed in the Rules of Engagement?
A. SOX compliance for financial reporting
B. PCI DSS scoping and segmentation validation requirements
C. HIPAA breach notification procedures
D. GDPR data subject consent documentation
Explanation: When testing environments that process payment card data, the Rules of Engagement must address PCI DSS requirements. This includes validating network segmentation that isolates cardholder data environments and ensuring testing does not violate PCI DSS restrictions. SOX applies to financial reporting, HIPAA to healthcare, and GDPR to EU personal data.

2. During a penetration test, the tester discovers evidence of an active insider threat. According to standard engagement protocols, what is the appropriate immediate action?
A. Document the finding and continue testing without alerting the client
B. Immediately stop all testing activities and contact law enforcement
C. Notify the client's designated point of contact through the established escalation channel
D. Exploit the insider's access to gather more evidence
Explanation: The Rules of Engagement should define escalation procedures for critical findings. When discovering active criminal activity or insider threats, the tester must notify the designated client contact through agreed-upon channels. Stopping all testing or contacting law enforcement without client direction typically violates engagement terms.

3. A client requests a penetration test but cannot provide written authorization for three weeks. The project timeline is urgent. What is the appropriate response?
A. Begin passive reconnaissance only while waiting for authorization
B. Proceed with the test using verbal authorization from the IT manager
C. Decline to begin any testing activities until written authorization is received
D. Start with non-invasive scanning that won't affect production systems
Explanation: Written authorization is mandatory before any penetration testing activities. Testing without proper authorization is illegal and may violate computer fraud laws. Even passive reconnaissance without written consent can create legal liability. The tester must wait for documented authorization regardless of timeline pressures.

4. Which document specifies the technical boundaries of a penetration test, including approved IP ranges, excluded systems, and testing timeframes?
A. Master Service Agreement (MSA)
B. Statement of Work (SOW)
C. Rules of Engagement (ROE)
D. Non-Disclosure Agreement (NDA)
Explanation: The Rules of Engagement (ROE) defines the technical boundaries and operational parameters of the penetration test. It includes specific IP ranges, excluded systems, testing windows, authorized techniques, and emergency contacts. The SOW covers business terms, while the ROE covers technical testing boundaries.

5. A penetration testing firm is assessing the risk of testing a client's critical production environment. Which factor represents the highest potential business impact risk?
A. Testing during off-peak hours
B. Testing systems without a proper backup plan in place
C. Using automated scanning tools with safe checks enabled
D. Testing with read-only access credentials
Explanation: Testing production systems without verified backups represents the highest business impact risk. If testing causes system failure or data corruption without recovery options, the business could suffer significant downtime and financial loss. Testing during off-peak hours and using safe scan options actually reduces risk.

6. In a penetration test proposal, which component best helps the client understand the value and expected outcomes of the engagement?
A. Detailed CVs of all assigned testers
B. A clear statement of objectives and deliverables including risk ratings
C. The history of similar tests performed by the firm
D. Technical specifications of testing tools to be used
Explanation: A clear statement of objectives and deliverables helps clients understand what they will receive and how it addresses their security concerns. Including risk rating methodologies demonstrates how findings will be prioritized. While tester qualifications matter, the client primarily needs to understand the business value and expected outcomes.

7. A tester runs the command: `host -t mx example.com`. What information is being gathered?
A. The IP address of the web server
B. The Mail Exchange servers for the domain
C. The DNS nameservers for the domain
D. The TXT records for SPF configuration
Explanation: The `host -t mx` command queries DNS for Mail Exchange (MX) records. These records identify the mail servers responsible for accepting email for the domain. This information is valuable for understanding the email infrastructure and potential attack vectors like mail server vulnerabilities or phishing campaign preparation.

8. During reconnaissance, a tester discovers that a company's website uses WordPress 5.8.1 based on generator meta tags. Which OSINT technique was primarily used?
A. Network scanning
B. Source code analysis and fingerprinting
C. Social engineering
D. WHOIS lookup
Explanation: Discovering the WordPress version through generator meta tags involves analyzing the HTML source code of web pages. This is a passive reconnaissance technique that fingerprints the web application platform and version without sending any probe traffic to the target network beyond a normal page request.
9. A penetration tester uses the theHarvester tool with the following command: `theHarvester -d target.com -b google,linkedin`. What is the primary purpose of this command?
A. To scan for open ports on target.com
B. To gather email addresses and employee names from Google and LinkedIn
C. To perform DNS enumeration using multiple resolvers
D. To test for SQL injection vulnerabilities
Explanation: theHarvester is an OSINT tool designed to gather email addresses, subdomains, hosts, employee names, and open ports from different public sources. The -d flag specifies the domain and -b specifies the data sources (Google and LinkedIn in this case) to search for organizational information.

10. When performing active reconnaissance with Nmap, which timing template option provides the slowest scan to avoid detection?
A. -T0 (Paranoid)
B. -T1 (Sneaky)
C. -T3 (Normal)
D. -T5 (Insane)
Explanation: Nmap timing templates range from -T0 (Paranoid) to -T5 (Insane). -T0 is the slowest, inserting delays between probes to evade intrusion detection systems. -T5 is the fastest but most easily detected. For stealthy reconnaissance, -T0 or -T1 are preferred despite taking significantly longer.

About the PenTest+ Exam

The CompTIA PenTest+ (PT0-003) certification validates intermediate-level penetration testing and vulnerability assessment skills. It covers planning and scoping, information gathering, vulnerability discovery, exploitation, and post-exploitation activities. PenTest+ is the only penetration testing exam that includes both hands-on performance-based questions and multiple-choice questions.

  • Questions: 90 scored questions
  • Time Limit: 165 minutes
  • Passing Score: 750/900
  • Exam Fee: $404 (CompTIA)

PenTest+ Exam Content Outline

  • Engagement Management (13%): Penetration testing planning, scoping, legal considerations, compliance requirements, rules of engagement, contracts, communication, and reporting
  • Reconnaissance and Enumeration (21%): Passive reconnaissance, OSINT, active scanning, network mapping, service enumeration, DNS/SNMP/SMTP enumeration, host discovery
  • Vulnerability Discovery and Analysis (17%): Vulnerability scanning, validation, prioritization, CVSS scoring, false positive analysis, credential harvesting, configuration weaknesses
  • Attacks and Exploits (35%): Network attacks, web application attacks (SQLi, XSS, CSRF), API attacks, wireless attacks, cloud attacks, social engineering, physical security, AI/ML attacks
  • Post-Exploitation and Lateral Movement (14%): Persistence techniques, privilege escalation, lateral movement, pivoting, data exfiltration, evidence collection, cleanup and restoration

How to Pass the PenTest+ Exam

What You Need to Know

  • Passing score: 750/900
  • Exam length: 90 questions
  • Time limit: 165 minutes
  • Exam fee: $404

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

PenTest+ Study Tips from Top Performers

1. Focus on Attacks and Exploits (35%) and Reconnaissance (21%) — together they make up over half the exam
2. Build a home lab with virtual machines to practice hands-on exploitation techniques
3. Master Nmap scanning techniques: SYN scans, version detection, OS fingerprinting, and NSE scripts
4. Practice web application attacks: SQL injection types (union, blind, error-based), XSS (reflected, stored, DOM), CSRF, and command injection
5. Understand privilege escalation techniques for both Windows (token manipulation, UAC bypass) and Linux (SUID, sudo abuse, kernel exploits)
6. Learn Active Directory attack techniques: Kerberoasting, AS-REP Roasting, Pass-the-Hash, and lateral movement
7. Familiarize yourself with CVSS v3.1 scoring for vulnerability prioritization
8. Complete 200+ practice questions including performance-based scenarios before scheduling

Frequently Asked Questions

What is the PenTest+ PT0-003 exam format?

The PenTest+ PT0-003 exam has up to 90 questions with a 165-minute time limit. Question types include multiple choice and performance-based questions (PBQs). You need a score of 750 on a scale of 100-900 to pass. The exam fee is $404 USD. PT0-003 launched December 17, 2024 and PT0-002 retired June 17, 2025.

What are the prerequisites for PenTest+?

CompTIA recommends 3-4 years of hands-on information security or related experience, along with Network+ and Security+ or equivalent knowledge. However, many candidates with 2-3 years of penetration testing, vulnerability assessment, or red team experience successfully pass with dedicated study. Hands-on lab practice is essential for this exam.

What changed in PT0-003 vs PT0-002?

PT0-003 (released December 2024) includes new content on cloud penetration testing, AI/ML attacks, API security testing, and modern web application vulnerabilities. The exam emphasizes hands-on exploitation skills and includes performance-based questions simulating real penetration testing scenarios. PT0-002 retired on June 17, 2025.

Is PenTest+ DoD approved?

Yes, CompTIA PenTest+ is approved under DoD Directive 8570/8140 for CSSP Technical positions. This makes it valuable for government and defense contractor roles requiring penetration testing and vulnerability assessment expertise.

How long should I study for PenTest+?

Plan for 80-120 hours of study over 8-12 weeks. Focus on Attacks and Exploits (35% of exam) and Reconnaissance (21%). Hands-on lab practice is critical — use platforms like TryHackMe, Hack The Box, or build your own lab. Complete 200+ practice questions and score 80%+ consistently before scheduling.

What jobs does PenTest+ qualify me for?

PenTest+ prepares candidates for roles including Penetration Tester, Vulnerability Assessment Analyst, Security Consultant, Red Team Operator, Ethical Hacker, and Cybersecurity Specialist. Average salaries range from $85,000-$100,000 for entry-level to $130,000-$170,000+ for experienced penetration testers.

What tools should I know for PenTest+?

Key tools tested: Nmap (port scanning, OS fingerprinting), Metasploit (exploitation), Burp Suite (web app testing), Wireshark (packet analysis), Gobuster/Dirb (directory enumeration), SQLMap (SQL injection), BloodHound (Active Directory), Mimikatz (credential dumping), Hashcat/John (password cracking), and common Kali Linux tools.