CompTIA PenTest+ (PT0-002) Review

Intro

A few months ago, I attended the Malaysia Cybersecurity Camp 2024 (MCC2024). Luckily, I was awarded the L337 Award by the organizer and given the chance to receive a sponsorship for the CompTIA PenTest+ eLearning and Certification kit (still surprised to this day, and wonder why they chose me T-T).

So I decided to prepare myself for the examination right after the 2024/2025 (1) semester ends, because I found out my version of PenTest+ (PT0-002) will be discontinued/retired on June 17th, therefore they won’t be accepting people taking PT0-002 exams after that date. I might be wrong though.

Exam Format

The exam questions are separated into two categories:

1. PBQs (4 sets of Performance Based Questions)
2. MCQs (68 Multiple Choice Questions)

If you might be wondering what PBQs look like, the image below is one great example. It is basically a fill-in-the-blank type of question.

The duration of the examination is quite long, around 2 hours and 30 minutes, which is really plenty of time I would say, so no need to rush. Plus, there are extra 30 minutes given for reading the instructions and familiarizing yourself with the rules and requirements of the exam, but you can just skip it really.

Preparation

CertMaster Learn

In the learning kit, it is included with CertMaster Learn which is a self-paced eLearning platform by CompTIA. I would say it helps me a lot with building a solid theoretical foundation for every chapter that will be covered in PenTest+ questions. Even though there are labs included in this platform, I don’t think it provides sufficient preparation for the technical questions in my opinion huhu.

Lessons

Most of the “slides” are located inside the lessons section and it is separated into 20 lessons. I reviewed these lessons at least twice because I don’t really have any basic foundation in pentesting as I barely have any experience in it (I never played HTB machines at all; I’m not sure if the one in MCC counts as an HTB machine though). All this time, I’ve focused solely on web application penetration testing, not realizing that pentesting is a broad field, and there is more than just web exploitation :O

I would advise those who will take this exam to focus on the materials in here; it really helps me to answer most of the questions. Understand every function of the tools that is presented inside it. For example, knowing that brute force is for password cracking isn’t enough. You need to identify the actual purpose of each technique and understand their differences. For instance, what’s the difference between a brute force attack and a dictionary attack? This level of detailed understanding is essential for success on the exam.

Don’t forget that the compliance and legal documents are also as important as the technical stuff that you’ll learn in the course.

PBQs

The PBQs in this platform only help you to get used to the PBQs format and recall some of the things that you have learned from the lesson. If you are wondering whether these PBQs will be recycled inside the actual examination, the answer will be no :)

Lab

The labs only show a portion of the tools you’ll learn in the lessons. You don’t need to use your own Virtual Machine setup, as there will be an instance running in the website for you to use. I highly recommend you finish every lab in the course since pentesting is a really technical field, so getting hands-on experience is essential.

TryHackMe

Apart from theoretical knowledge which is mostly covered in CertMaster, I’ve noticed that this exam also covers a couple of technical aspects after reading some Reddit posts:

1. https://www.reddit.com/r/CompTIA/comments/1fuw6hh/passed_pentest/
2. https://www.reddit.com/r/CompTIA/comments/1crc37l/passed_pentest_advice/
3. https://www.reddit.com/r/CompTIA/comments/1h66sxr/pentest_passed/

Most of the technical questions consist of web vulnerabilities, nmap scans, reconnaissance tools, attacking tools, scripting (bash & python), and persistence using netcat.

Luckily, in TryHackMe there is a PenTest+ Path which covers almost every technical aspect in the PenTest+ examination. However, I did not complete the whole path. I only picked and chose which rooms I had interest in (web vuln, metasploit, python, and bash), or the ones where I had skill issues (persistence, lateral movement, active directory, and privesc).

Practice Exam

CertMaster

For practice exams, you can actually use the one in CertMaster; the pattern of questions in it is almost identical to the real exam. However, it is only limited to 1 set of practice exam though.

Jason Dion

Jason Dion on Udemy has around 6 sets of practice exams. It is always on sale so you don’t need to buy at the original price. The questions in it aren’t that identical to the ones in the real exam; in fact, I think they are slightly harder. However, they help you test if you are ready before taking the actual exam.

Should you take PenTest+?

In my opinion, you should take PenTest+ if:

1. You are looking for a theory-focused and easier version of eJPT, since it’s essentially eJPT without the technical components (I think).
2. Your employer is paying for it, you’ve secured sponsorship, or you’re willing to purchase both the course (Jason Dion offers a more affordable option) and the exam.