Pentest+ (PT0-001)
Short review
Author: Stefan Waldvogel
Overview
PenTest+ is CompTIA's penetration testing exam. You can get up to 85 questions.
How to prepare
To pass the exam, you need knowledge in basic penetration techniques and the tools, networking, operating systems, and Python. Use the exam objectives! Learn the abbreviations and their meaning. You will see a ton of them.
I recommend starting with Network+ or better CCNA because some questions go very deep into networking beyond eCPPT or OSCP level.
Learn Python before you take the exam. The wanted level is essential, but you have to know how variables work and how a simple program looks.
TryHackMe has a PenTest+ path, and it will help you a lot. Tools like Nmap are heavily questioned on the exam. You can use INE's free Starter Pass to get the tool knowledge. XSS, SQL + command injection, file inclusion... know it and how to mitigate.
As a book, I used the All-In-One series and read it before I went to sleep. If you use it and study the questions, look at the "wrong" answers and understand them. The author didn't want to copy the exam, so the real stuff is explained.
TCM's Security Academy offers the Practical Ethical Hacking course and it is a good starting point, too. This course is hands-on.
How long do you need to get exam ready?
I cannot say that, sorry. I took INE's eCPPT/PTP course before and spend >750 hours for that. For PenTest+ I added maybe 5 hours to know more about the paper and legal stuff.
If you do not have IT experience at all, I guess you need over 100 hours to get exam ready.
Advantages
The questions are straightforward and easy to understand. If you pass the exam, you have theoretical knowledge about a wide but realistic area. You get an idea about the paperwork, and I enjoyed this part the most.
CompTIA offers the exam objectives. This is a huge plus because you have a solid study guide.
The exam is 165 minutes long, but I needed about an hour to answer all questions. -> You have enough time, it is a stress-free exam.
Disadvantages
The exam has some performance-based questions, but mostly you answer questions with 4 or 5 options. If you love hands-on, this exam does not help you.
I took the exam in English, and the needed language level is high. I had to guess at least two key verbs.
PenTest+ is not HR relevant, but most HR people know CompTIA.
Most CompTIA's certifications are valid for 3 years. There are multiple ways to renew but all cost money.
Can you do a full pentest with this exam?
No, not really. It is a good and solid starting point, you get the theoretical knowledge, you learn a lot about the legal factors and the related paperwork. For a real pen test, you need more hands-on.
Price
$359
Alternatives
A cheaper alternative is INE's eJPT. eJPT is a hands-on exam. You can get the knowledge for free with INE's Starter Pass, and the exam is $200. eJPT is not DoD relevant, and if you want to work for the government or big companies, CompTIA's PenTest+ might be the better choice.
What next?
With this exam, you made the first step, now it is time for more hands-on. I would go for TCM's Security Academy (the three priv esc courses) then to INE's PTP/eCPPT, or you can dive into TryHackMe, HackTheBox. After that... OSCP because it is HR relevant.
Conclusion
It is a solid beginner exam, and it is the first step into the world of pen-testing. With this knowledge, you cannot do a pen test (the hands-on part is missing), but you understand enough to see the risks and impacts. You learn how to use basic tools like Nmap. If you want to pick PenTest+ or CEH... -> PenTest+ is, in my opinion, the clear winner because it is affordable and the questions are up to date. Both certs are DoD 8750 relevant: public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/
PenTest+ is CompTIA's penetration testing exam. You can get up to 85 questions.
How to prepare
To pass the exam, you need knowledge in basic penetration techniques and the tools, networking, operating systems, and Python. Use the exam objectives! Learn the abbreviations and their meaning. You will see a ton of them.
I recommend starting with Network+ or better CCNA because some questions go very deep into networking beyond eCPPT or OSCP level.
Learn Python before you take the exam. The wanted level is essential, but you have to know how variables work and how a simple program looks.
TryHackMe has a PenTest+ path, and it will help you a lot. Tools like Nmap are heavily questioned on the exam. You can use INE's free Starter Pass to get the tool knowledge. XSS, SQL + command injection, file inclusion... know it and how to mitigate.
As a book, I used the All-In-One series and read it before I went to sleep. If you use it and study the questions, look at the "wrong" answers and understand them. The author didn't want to copy the exam, so the real stuff is explained.
TCM's Security Academy offers the Practical Ethical Hacking course and it is a good starting point, too. This course is hands-on.
How long do you need to get exam ready?
I cannot say that, sorry. I took INE's eCPPT/PTP course before and spend >750 hours for that. For PenTest+ I added maybe 5 hours to know more about the paper and legal stuff.
If you do not have IT experience at all, I guess you need over 100 hours to get exam ready.
Advantages
The questions are straightforward and easy to understand. If you pass the exam, you have theoretical knowledge about a wide but realistic area. You get an idea about the paperwork, and I enjoyed this part the most.
CompTIA offers the exam objectives. This is a huge plus because you have a solid study guide.
The exam is 165 minutes long, but I needed about an hour to answer all questions. -> You have enough time, it is a stress-free exam.
Disadvantages
The exam has some performance-based questions, but mostly you answer questions with 4 or 5 options. If you love hands-on, this exam does not help you.
I took the exam in English, and the needed language level is high. I had to guess at least two key verbs.
PenTest+ is not HR relevant, but most HR people know CompTIA.
Most CompTIA's certifications are valid for 3 years. There are multiple ways to renew but all cost money.
Can you do a full pentest with this exam?
No, not really. It is a good and solid starting point, you get the theoretical knowledge, you learn a lot about the legal factors and the related paperwork. For a real pen test, you need more hands-on.
Price
$359
Alternatives
A cheaper alternative is INE's eJPT. eJPT is a hands-on exam. You can get the knowledge for free with INE's Starter Pass, and the exam is $200. eJPT is not DoD relevant, and if you want to work for the government or big companies, CompTIA's PenTest+ might be the better choice.
What next?
With this exam, you made the first step, now it is time for more hands-on. I would go for TCM's Security Academy (the three priv esc courses) then to INE's PTP/eCPPT, or you can dive into TryHackMe, HackTheBox. After that... OSCP because it is HR relevant.
Conclusion
It is a solid beginner exam, and it is the first step into the world of pen-testing. With this knowledge, you cannot do a pen test (the hands-on part is missing), but you understand enough to see the risks and impacts. You learn how to use basic tools like Nmap. If you want to pick PenTest+ or CEH... -> PenTest+ is, in my opinion, the clear winner because it is affordable and the questions are up to date. Both certs are DoD 8750 relevant: public.cyber.mil/cw/cwmp/dod-approved-8570-baseline-certifications/
Disclaimer: CompTIA sponsored me this exam, big thanks!
My exam result:
My exam result:
© 2021. This work is licensed under a CC BY-SA 4.0 license