CompTIA Certification

CompTIA PenTest+ Practice Test

Prepare for the CompTIA PenTest+ (PT0-003) exam with free practice tests aligned to the real exam format. Each test has 20 questions with a proportional timer matching the actual exam pace of approximately 1.8 minutes per question.

10 Practice Tests
200 Total Questions
5 Domains Covered
100% Free Forever

Mixed Set — CompTIA PenTest+ Practice Tests

Questions distributed across all 5 domains according to the official CompTIA PT0-003 exam objectives. The highest-weighted domain — Attacks and Exploits — appears most frequently, just like the real exam.

Domain Wise — CompTIA PenTest+ Mock Tests

Target individual PenTest+ domains with focused practice. Each mock test covers 20 questions from a single domain to help you build hands-on mastery across the full penetration testing lifecycle tested in the PT0-003 exam.

About the CompTIA PenTest+ Certification Exam

Everything you need to know about the PT0-003 exam format, who it is for, and why PenTest+ is the leading intermediate credential for penetration testers and offensive security professionals.

What Is CompTIA PenTest+?

CompTIA PenTest+ (exam code PT0-003) is an intermediate-level cybersecurity certification that validates the knowledge and skills required to plan, scope, conduct, and report on penetration testing engagements across networks, systems, web applications, cloud environments, and APIs. The current version — PT0-003 — launched on December 17, 2024, replacing the previous PT0-002 which retired on June 17, 2025. PT0-003 updates coverage to include AI-based attack techniques, expanded cloud and API exploitation, IoT security, and modern post-exploitation methods, making it the most current vendor-neutral penetration testing certification available from CompTIA.

PenTest+ sits at the intermediate tier of CompTIA's cybersecurity pathway, positioned after Security+ and alongside CySA+: PenTest+ is the offensive (red team) credential, CySA+ the defensive (blue team) one. PenTest+ is approved under U.S. DoD Directive 8140 (formerly 8570) and aligned with the NICE Framework, making it valued across both government and commercial sectors. Typical roles for PenTest+ holders include Penetration Tester, Ethical Hacker, Vulnerability Analyst, Security Consultant, and Red Team Operator, with salaries commonly ranging from $85,000 to $130,000+ depending on experience and location.

Exam Format (2026)

Exam code: PT0-003 (launched December 17, 2024; PT0-002 retired June 17, 2025).

Testing method: Computer-based at Pearson VUE authorized centers or via OnVUE online proctoring.

Questions: Maximum of 90 questions per exam.

Duration: 165 minutes (approximately 1.8 minutes per question).

Question types: Multiple-choice and performance-based questions (PBQs) simulating real penetration testing tasks.

Passing score: 750 on a scaled score of 100–900.

Exam fee: $404–$425 USD via Pearson VUE (regional pricing variation).

Eligibility Requirements

No formal prerequisites: There are no mandatory prerequisites to register for the PenTest+ exam.

Recommended experience: CompTIA recommends 3 to 4 years of hands-on experience in a penetration tester or information security role before attempting the exam.

Suggested foundation: CompTIA Security+ or equivalent knowledge is widely recommended as a starting point before pursuing PenTest+. Candidates should be comfortable with networking fundamentals, basic security concepts, and command-line interfaces.

Renewal: PenTest+ is valid for 3 years. Renew by earning 60 Continuing Education Units (CEUs), with activities related to the exam objectives. Passing a higher-level CompTIA certification can also satisfy the renewal requirement.

Retakes: No waiting period between a first and second attempt; from the third attempt onward CompTIA requires a 14-day wait between attempts. Each retake requires full payment of the exam fee.

CompTIA PenTest+ Domain Weights — PT0-003 Exam Objectives

The PT0-003 exam maps directly to the penetration testing engagement lifecycle across five domains. Domain 4 (Attacks and Exploits) dominates at 35% — more than a third of the entire exam — making it the single most critical area of preparation.

Domain     Topic                                         Weight
Domain 1   Engagement Management                         13%
Domain 2   Reconnaissance and Enumeration                21%
Domain 3   Vulnerability Discovery and Analysis          17%
Domain 4   Attacks and Exploits                          35%
Domain 5   Post-exploitation and Lateral Movement        14%

How Our Practice Tests Are Designed

Offensive security question style — Every PenTest+ practice question is written to reflect the scenario-based, applied style used on the real PT0-003 exam. You encounter situations that test your ability to choose the right tool for a given recon phase, identify the correct exploit type for a described vulnerability, interpret tool output from Nmap or Metasploit, or determine the next step in a post-exploitation scenario — the kind of decision-making CompTIA tests throughout the engagement lifecycle.

Blueprint-aligned mixed sets — Mixed practice tests distribute questions proportionally across all 5 PT0-003 domains per the official CompTIA exam objectives. Because Domain 4 (Attacks and Exploits) carries 35% of the weight, more than one in three questions in every mixed set covers exploitation techniques, matching the real exam's distribution.

Proportional timer — The real PenTest+ exam allows 165 minutes for up to 90 questions, approximately 1.8 minutes per question. Each 20-question practice test is timed at about 37 minutes to match this pace and build the time management discipline needed for the full exam session, particularly given the presence of performance-based questions that can consume more time than standard multiple-choice items.

Domain-specific deep dives — Use the five domain-wise tests to concentrate on areas needing the most reinforcement. This approach is particularly effective for candidates who are strong in recon and scanning (Domains 2 and 3) but need additional depth in exploitation techniques and post-exploitation tactics (Domains 4 and 5), which together represent nearly half the exam.

CompTIA PenTest+ Exam Preparation Tips

Study Strategy

Prioritize Domain 4 — it is one-third of the exam: Attacks and Exploits at 35% is the single largest domain on PenTest+. Dedicate at minimum a third of your total study time to mastering network attacks, web application exploitation (OWASP Top 10), wireless attack techniques, cloud and API exploitation, social engineering methods, and the new AI-based attack scenarios added in PT0-003.

Build a hands-on lab: PenTest+ performance-based questions require practical skill — not just theoretical knowledge. Set up a home lab using Kali Linux in a virtualization environment (VMware or VirtualBox) against intentionally vulnerable targets. Platforms like TryHackMe's Offensive Pentesting path and HackTheBox closely align with PenTest+ curriculum. Practice running Nmap, Metasploit, Burp Suite, and Netcat regularly so tool output is instantly recognizable on exam day.

Learn to read and interpret scripts: PT0-003 includes questions where you analyze blocks of Bash, Python, or PowerShell code and determine what they do. You do not need to write code from scratch, but you must understand what common penetration testing scripts accomplish — particularly automation of scanning, exploitation, and exfiltration tasks.

Test-Taking Strategy

Triage performance-based questions at the start: PBQs typically appear at the beginning of the exam and simulate real tasks in virtual environments. Quickly assess each PBQ's objective, apply the correct approach efficiently, and move on. Do not spend more than a few minutes on a single PBQ — you can always flag complex ones and return after completing the multiple-choice questions.

Pace yourself at 1.8 minutes per question: With up to 90 questions in 165 minutes, you have roughly 110 seconds per item. Use our 37-minute timed practice sessions to internalize this pace. Candidates who invest too much time in early PBQs often find themselves rushing through the exploitation and post-exploitation questions where they know the material well.

Follow the pen testing methodology in scenario questions: When a scenario asks "what should the tester do next?" or "what is the most appropriate action?" — always answer based on the correct phase sequence: scoping → recon → scanning → exploitation → post-exploitation → reporting. CompTIA consistently rewards answers that follow proper methodology, even when shortcuts seem more technically appealing.

Frequently Asked Questions

How many questions are on the real PenTest+ exam?
The PenTest+ PT0-003 exam contains a maximum of 90 questions. Not all questions count toward your score: some are unscored pilot questions that CompTIA uses to evaluate content for future exams. Questions include both multiple-choice items and performance-based questions (PBQs) that simulate real-world penetration testing tasks in a virtual environment. You have 165 minutes to complete the full exam.
What is the passing score for the PenTest+ PT0-003 exam?
You need a scaled score of 750 on a scale of 100 to 900 to pass. CompTIA uses scaled scoring, which means your raw number of correct answers is converted to a standardized value that accounts for varying question difficulty. The 750 threshold does not correspond to answering a fixed percentage of questions correctly; the scale adjusts based on the difficulty level of the specific questions you received.
What is PT0-003 and how is it different from PT0-002?
PT0-003 is the current version of CompTIA PenTest+, launched December 17, 2024. It replaced PT0-002, which retired June 17, 2025. PT0-003 introduces several significant updates: coverage of AI-based attack techniques including prompt injection, expanded cloud and API exploitation scenarios, IoT penetration testing, and modern post-exploitation methods. The domain structure was also reorganized, most notably renaming and reweighting domains to better reflect the current pen testing workflow. If you are studying now, ensure all your materials reference PT0-003 objectives.
Are these PenTest+ practice tests free?
Yes. All CompTIA PenTest+ practice tests on Security Practice Test are completely free with no account or sign-up required. Select any mixed set or domain-wise test and begin immediately; there are no subscriptions, paywalls, or hidden fees of any kind.
Do I need coding or scripting skills for the PenTest+ exam?
You do not need to write complete programs from scratch. However, you must be able to read and interpret basic scripts in Bash, Python, and PowerShell. Exam questions will present you with a block of code and ask what it does, what vulnerability it exploits, or what output it would produce. Focus on understanding the logic of common penetration testing scripts (scanning loops, reverse shells, credential harvesting scripts, and automation tasks) rather than memorizing syntax.
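As an added illustration (not code from the original page), here is the kind of short Python script a PT0-003 question might show and ask you to interpret. It parses Nmap grepable (-oG) output, a tool output format the exam expects you to recognise, and returns the open ports per host, then answers the typical follow-up "which hosts should the tester target next for service X?". The sample scan output, host addresses and service banners are constructed for illustration and were not captured from a real scan.

```python
"""Interpret Nmap grepable (-oG) output: open ports per host.

Added example for script-reading practice; the sample below is constructed
in the -oG line format (host addresses and banners are hypothetical).
"""
import re
from collections import defaultdict

# Constructed sample of `nmap -sV -oG -` output (hypothetical hosts/services).
# Nmap writes one "Ports:" line per host; fields are separated by tabs and
# each port entry is port/state/protocol//service//version/ (Nmap replaces
# any "/" inside a version banner with "|", so "/" is a safe delimiter).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2019/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
# Nmap done: 2 IP addresses (2 hosts up) scanned
"""

# port / state / proto // service // version /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for OPEN ports only.

    Comment lines and "Status:" lines are skipped; closed/filtered entries are
    dropped so the result is the attack surface a tester would act on.
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]                      # "Host: <ip> ()" -> <ip>
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service, version in PORT_RE.findall(ports_field):
            if state == "open":
                results[host].append((int(port), proto, service, version.strip()))
    return dict(results)


def hosts_running(parsed, service):
    """Hosts exposing the named service (e.g. 'ssh', 'microsoft-ds'), sorted."""
    return sorted(h for h, ports in parsed.items()
                  if any(svc == service for _, _, svc, _ in ports))


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in scan.items():
        for port, proto, service, version in ports:
            print(f"{host}:{port}/{proto}  {service:<14} {version}")
    print("SMB targets:", hosts_running(scan, "microsoft-ds"))
```

Reading the script the way the exam expects: the loop filters on `state == "open"`, so the answer to "what does this print?" is only the open ports, and `hosts_running` is the step a tester would take before choosing an exploit module for a specific service.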
How does PenTest+ compare to CEH (Certified Ethical Hacker)?
Both PenTest+ and CEH target penetration testing and ethical hacking skills, but they differ in approach and recognition. PenTest+ is vendor-neutral, accredited by ANSI to ISO/IEC 17024, and approved under DoD 8140, making it particularly strong in U.S. government and defense contracting contexts. CEH is offered by EC-Council and is widely recognized globally, with a strong brand in commercial markets. PenTest+ includes hands-on performance-based questions that test practical execution; the standard CEH exam is multiple-choice. Many organizations and recruiters accept either, and some professionals hold both credentials.
How long should I study for the PenTest+ exam?
Most candidates with Security+ or equivalent experience prepare in 8 to 12 weeks at 8 to 12 hours per week, combining study materials with hands-on lab practice. Those with active penetration testing experience may be ready in 4 to 6 weeks. Candidates without a strong networking and security foundation may need 12 to 16 weeks. Hands-on practice in a lab environment is not optional: the performance-based questions cannot be passed through study materials alone.
What tools should I know for the PenTest+ exam?
CompTIA PenTest+ tests your knowledge of a broad range of penetration testing tools across the engagement lifecycle. Key tools to know include: Nmap (network scanning and enumeration), Metasploit (exploitation framework), Burp Suite (web application testing), Nikto (web server vulnerability scanning), Netcat (network utility), Wireshark (packet analysis), Hydra and John the Ripper (password attacks), BloodHound (Active Directory enumeration), Mimikatz (credential harvesting), and scripting languages including Bash, Python, and PowerShell. You should be comfortable interpreting output from all of these tools.

Ready to Test Your PenTest+ Knowledge?

Start with a mixed set to benchmark your readiness across all five domains, then use domain-wise tests to sharpen your weakest areas before exam day.

Start PenTest+ Practice Test 1 →

Authors

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.

  • Sudhanshu Thakur - Reviewer

    Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.