
CompTIA PenTest+ (PT0-003) Study Guide

Everything on the penetration-testing exam, in one place: the five domains and their weights, a four-week study plan, a readiness checklist you can tick off, and reconnaissance / CVSS / Active Directory / engagement cheat sheets — with sourced, explained guidance throughout.


Exam at a glance

The CompTIA PenTest+ (PT0-003) validates the hands-on skills to plan and scope an engagement, find and exploit weaknesses, move through a network, and report findings to stakeholders. Here are the numbers that shape how you should study.

Questions: 90 max
Time limit: 165 minutes
Passing score: 750 on a 100–900 scale
Question types: MCQ + PBQs

With up to 90 questions in 165 minutes, pace matters, and the performance-based questions are the time sinks: you may have to read scanner output, sequence an attack chain, or pick the right exploitation step. The exam is weighted across five domains, and Attacks and Exploits alone is 35% of the exam — more than a third — so it deserves the most study time, with Reconnaissance and Enumeration (21%) close behind.

Domains & weighting

Where to spend your hours: a sensible split mirrors the weights — most time on Attacks and Exploits and Reconnaissance and Enumeration, then Vulnerability Discovery and Post-exploitation, and least on Engagement Management (small, but easy marks if you know the process).

The five domains

What each domain covers, the topics it drills, and its weight on the exam.

1. Engagement Management (13%): the setup — scoping, rules of engagement, legal/ethical, and the report

This domain is the professional discipline around a test: agreeing scope and rules of engagement, choosing the assessment type, respecting legal and ethical limits, communicating with the client, and writing a clear, prioritized report. It is small but easy points if you know the process.

Topics: Pre-engagement & scope · Rules of engagement · Assessment types · Shared responsibility · Legal & ethical · Communication paths · Report structure · Executive summary
2. Reconnaissance and Enumeration (21%): the map — passive vs active recon, OSINT, enumeration, tooling, scripts

The second-largest domain is about building the target picture: passive reconnaissance (OSINT, DNS, WHOIS, certificate transparency) versus active scanning, then enumerating hosts, services, OS versions, shares, and users — and using the right tools (Nmap, Recon-ng, Maltego, Censys, Wireshark) and scripts (Bash, Python, PowerShell, NSE).

Topics: Passive recon / OSINT · Active scanning · DNS enumeration · Host/service discovery · OS fingerprinting · Recon-ng & Maltego · Censys & Wireshark · Script modification
3. Vulnerability Discovery and Analysis (17%): the findings — scanning, reading output, CVSS, and validating

Here you find weaknesses and prove they are real: choosing authenticated vs unauthenticated and static vs dynamic scans, reading scanner output, interpreting CVSS metric groups (including v4.0), and validating findings to rule out false positives before they reach the report. Tools include Nessus, OpenVAS/Greenbone, and sqlmap.

Topics: Authenticated scans · SAST vs DAST · Web-app scanning · CVSS metric groups · CVSS v4.0 · False positives/negatives · Prioritization · Nessus / OpenVAS / sqlmap
4. Attacks and Exploits (35%): the core — network, auth, host, app, wireless, cloud, social-engineering

By far the largest domain at over a third of the exam. Expect scenario questions on network attacks (ARP/name-resolution poisoning, on-path, relay, VLAN hopping), authentication attacks (spraying, Kerberoasting, pass-the-hash/ticket), host and application attacks (privilege escalation, credential dumping, injection, XSS, CSRF, SSRF), and wireless, cloud/API, and social-engineering attacks. Over-invest here.

Topics: Network attacks · Password spraying · Kerberoasting · Pass-the-hash/ticket · Privilege escalation · Injection / XSS / SSRF · Wireless attacks · Cloud & API attacks
5. Post-exploitation and Lateral Movement (14%): the aftermath — persistence, pivoting, exfiltration, and cleanup

What you do after the foothold: establishing persistence (accounts, run keys, scheduled tasks, services), moving laterally and pivoting (pass-the-hash/ticket, remote services, tunneling), enumerating internal hosts and Active Directory attack paths, simulating exfiltration — and then cleaning up: removing artifacts, being aware of timestomping, and documenting every change.

Topics: Persistence · Lateral movement · Pivoting / tunneling · AD attack paths · Internal enumeration · Data exfiltration · Artifact removal · Change documentation

A 4-week study plan

A realistic schedule at roughly 10–12 hours per week. Adjust to your experience — but keep the heaviest week on Attacks and Exploits, since it is over a third of the exam.

Week 1
Engagement Management & Reconnaissance (Domains 1–2)

Pre-engagement, scope, rules of engagement, assessment types, and the report — then passive vs active recon, OSINT, and enumeration of hosts, services, and users with the core tooling.

Week 2
Vulnerability Discovery and Analysis (Domain 3)

Scan types (authenticated, SAST/DAST, web-app), reading Nessus/OpenVAS/sqlmap output, CVSS metric groups including v4.0, and validating findings to kill false positives.

Week 3
Attacks and Exploits (Domain 4)

The biggest week: network, authentication, host, and application attacks — spraying, Kerberoasting, pass-the-hash/ticket, privilege escalation, injection, XSS, SSRF — plus wireless, cloud/API, and social engineering.

Week 4
Post-exploitation + full tests (Domain 5)

Persistence, lateral movement, pivoting, AD attack paths, exfiltration, and cleanup. Then take full timed mocks, use the per-domain breakdown to find weak areas, and re-drill them. Keep the last days light.

Practice the chain, not just the trivia. PenTest+ rewards knowing which technique fits a scenario and what mitigates it. When you miss one, read why each wrong option is wrong — that's where the real learning is.


Cheat sheet

The reference tables worth memorizing cold — CVSS severity, common Active Directory attacks, recon tooling, scan types, and engagement essentials. Bookmark this.

CVSS v3.1 severity ratings

Rating   | Base score range | What it tells you
None     | 0.0              | No measurable impact
Low      | 0.1 – 3.9        | Limited impact or hard to exploit
Medium   | 4.0 – 6.9        | Moderate impact; remediate on schedule
High     | 7.0 – 8.9        | Serious; expedite remediation
Critical | 9.0 – 10.0       | Severe; treat as urgent
The CVSS Base metric group scores intrinsic severity; the Temporal group adjusts it for exploit maturity over time; the Environmental group tailors it to your own environment. PT0-003 also tests CVSS v4.0 metric groups — know Base, Threat, Environmental, and Supplemental.

Common Active Directory attacks

Attack            | What it does                                                      | Defense
Kerberoasting     | Crack service-ticket hashes offline for service-account passwords | Strong, long service passwords; gMSA
AS-REP roasting   | Crack accounts with pre-auth disabled                             | Require Kerberos pre-authentication
Pass-the-hash     | Authenticate with an NTLM hash, no password                       | LAPS, Credential Guard, tiering
Pass-the-ticket   | Reuse a stolen/forged Kerberos ticket                             | Limit admin reuse; monitor ticket anomalies
Password spraying | One common password across many accounts                          | MFA, lockout, strong password policy

Reconnaissance & enumeration tools

Tool            | Use it for
Nmap (+ NSE)    | Host discovery, port/service/version scanning, scripted enumeration
Recon-ng        | Modular OSINT framework for automated passive recon
Maltego         | Link analysis and visual mapping of OSINT relationships
Censys / Shodan | Internet-wide asset and exposed-service discovery
Wireshark       | Packet capture and protocol analysis during active recon

Scan types at a glance

Choice                          | Trade-off
Authenticated vs unauthenticated | Credentialed scans see deeper config/patch detail; unauthenticated mimics an outside attacker
Active vs passive               | Active probes targets (can disrupt); passive only observes (no impact)
SAST vs DAST                    | Static reads source code at rest; dynamic tests the running application
Internal vs external            | Inside view finds lateral-movement risk; outside view shows the attack surface

Engagement essentials

Item                  | Why it matters
Authorization         | Written permission makes testing legal; without it, testing is a crime
Rules of engagement   | Defines targets, timing, allowed techniques, and escalation paths
Scope                 | The in-bounds systems; anything outside is off-limits
Shared responsibility | Determines what you may legally probe on cloud targets
Report & cleanup      | Prioritized findings, remediation, and restoring the environment

Frequently asked questions

How many questions is the exam, and how long?
Up to 90 questions in 165 minutes. Expect multiple-choice (single and multiple response) plus performance-based questions — reading scanner output, sequencing an attack, or choosing the right exploitation step — which take longer, so manage your pace.
What's the passing score?
750 on a scale of 100–900. It's a scaled score, not a simple percentage, so treat ~85% on practice tests as a confident range rather than an exact cut line.
How long should I study?
CompTIA suggests Network+ and Security+ plus 3–4 years of hands-on security experience before PenTest+. With that background, most candidates need 5–8 weeks of focused study; the 4-week plan above assumes about 10–12 hours per week.
How hard is the PenTest+?
It's an intermediate, hands-on offensive-security exam. The parts most people find hardest — chaining attacks, Active Directory exploitation, and reading tool output — reward practice over memorization, which is exactly what these practice tests are built for.
Are these practice questions real exam questions?
No — and that's deliberate. Every question is original, written against the public PT0-003 objectives and checked against primary sources. Real exam content is under CompTIA's NDA; using leaked "dumps" can get your certification revoked.
How this guide is sourced. Domain names and weights, the question count, time limit, passing score, and question formats are taken from CompTIA's publicly published PT0-003 exam objectives and official exam details. Every practice question is drawn from our question bank and checked against primary references (NIST, MITRE, OWASP, and vendor documentation), with the source shown on each. This is an independent study resource — certpracticelab is not affiliated with or endorsed by CompTIA.
  • CompTIA — PenTest+ (PT0-003) certification & exam details · comptia.org
  • NIST — Computer Security Resource Center glossary & publications · csrc.nist.gov
  • MITRE ATT&CK — adversary tactics and techniques · attack.mitre.org
