Hack The Box Certification

Hack The Box HTB Certified Active Directory Pentesting Expert (HTB CAPE) Practice Test

Prepare for the HTB Certified Active Directory Pentesting Expert exam with free practice tests covering advanced AD enumeration, Kerberos, NTLM relay, DACL abuse, ADCS, trusts, lateral movement, C2 operations, Windows evasion, and enterprise service attacks. Each 20-question set helps you review the concepts behind the hands-on CAPE assessment.

20Practice Tests
400Total Questions
15Modules Covered
100%Free Forever

Mixed Set — HTB CAPE Practice Tests

Use these mixed sets to review the full CAPE skill range across Active Directory enumeration, attack-chain analysis, Windows and Linux tooling, authentication abuse, lateral movement, post-exploitation planning, and report-ready reasoning. The real exam is hands-on and does not include multiple-choice questions, so these timed sets are designed for concept review and exam-readiness reinforcement.

Domain Wise — HTB CAPE Mock Tests

Target focused CAPE topics one at a time. HTB CAPE does not publish conventional MCQ domain weights, so the percentages below show approximate Path Depth based on the HTB Academy Active Directory Penetration Tester path section counts for each module.

D1
Active Directory Enumeration and Attacks
AD architecture, domain objects, common misconfigurations, credentialed and uncredentialed enumeration, and attack-path reasoning
14.2% Path Depth Start Test →
D2
Active Directory LDAP
LDAP fundamentals, directory queries, built-in enumeration methods, object attributes, and practical AD data discovery
4.7% Path Depth Start Test →
D3
Active Directory PowerView
PowerView and SharpView enumeration, user and group discovery, ACL review, trust mapping, and attack-path preparation
3.6% Path Depth Start Test →
D4
Active Directory BloodHound
BloodHound collection, graph analysis, privilege relationships, shortest paths, and interpreting exploitable AD relationships
5.5% Path Depth Start Test →
D5
Windows Lateral Movement
Remote execution concepts, credential use, host-to-host movement, operational security, and defensive visibility considerations
5.5% Path Depth Start Test →
D6
Using CrackMapExec
Protocol-aware enumeration, authentication testing, domain spraying concepts, post-exploitation workflows, and tool output interpretation
10.7% Path Depth Start Test →
D7
Kerberos Attacks
Kerberos authentication flow, tickets, roasting concepts, delegation issues, credential abuse, and protocol-focused attack scenarios
9.1% Path Depth Start Test →
D8
DACL Attacks I
DACL fundamentals, security descriptors, delegated rights, common privilege paths, and misconfiguration identification
2.8% Path Depth Start Test →
D9
DACL Attacks II
Advanced DACL abuse, chained privilege escalation, detection logic, mitigation strategy, and complex rights relationships
3.6% Path Depth Start Test →
D10
NTLM Relay Attacks
NTLM authentication behavior, relay conditions, coercion concepts, protocol exposure, and mitigation-aware testing logic
4.0% Path Depth Start Test →
D11
ADCS Attacks
Active Directory Certificate Services concepts, template misconfigurations, enrollment risk, privilege escalation paths, and remediation
7.5% Path Depth Start Test →
D12
Active Directory Trust Attacks
Intra-forest and cross-forest trust concepts, trust enumeration, abuse paths, domain boundary risk, and hardening considerations
8.3% Path Depth Start Test →
D13
Intro to C2 Operations With Sliver
C2 fundamentals, agent operations, post-exploitation planning, command execution workflow, and controlled engagement communication
7.5% Path Depth Start Test →
D14
Introduction to Windows Evasion Techniques
Windows Defender concepts, payload behavior, detection surfaces, evasion principles, and responsible testing in authorized labs
5.5% Path Depth Start Test →
D15
MSSQL, Exchange, and SCCM Attacks
Enterprise service attack surfaces, MSSQL, Exchange, SCCM, WSUS-adjacent risk, privilege paths, and integrated AD component abuse
7.5% Path Depth Start Test →

About the HTB CAPE Certification Exam

Everything you need to know about the hands-on CAPE format, eligibility, pricing, and the advanced Active Directory penetration testing skills this certification validates.

What Is HTB CAPE?

HTB Certified Active Directory Pentesting Expert is an expert-level Hack The Box Academy certification for practitioners who want to prove advanced capability in Active Directory and Windows penetration testing. Instead of a traditional multiple-choice exam, CAPE validates whether candidates can assess realistic enterprise AD environments, identify complex attack paths, execute sophisticated exploitation chains, capture evidence, and communicate findings in a professional penetration test report.

The certification aligns with the HTB Academy Active Directory Penetration Tester job-role path. It focuses on advanced AD enumeration, Kerberos and NTLM abuse, DACL misconfigurations, ADCS attacks, trust relationships, lateral movement, C2 operations, Windows evasion, and attacks against common enterprise components such as MSSQL, Exchange, and SCCM.

CAPE is suited for penetration testers, red team operators, security consultants, application security testers moving into internal networks, and blue teamers who want to understand realistic AD attack paths. Career demand for security skills remains strong: the U.S. Bureau of Labor Statistics reports a May 2024 median annual wage of $124,910 for information security analysts and projects 29% job growth from 2024 to 2034.

Exam Format (2026)

Testing method: Online hands-on assessment through the Hack The Box Academy platform using lab access, VPN or Pwnbox workflow, and report submission.

Questions: No fixed multiple-choice question count. Candidates complete practical objectives in a realistic Active Directory environment and document evidence.

Duration: HTB describes CAPE as having a 10-day exam window from the time the exam starts.

Question types: Practical AD penetration testing tasks involving enumeration, attack-path discovery, exploitation, lateral movement, post-exploitation, evidence capture, and reporting.

Passing score: HTB describes the goal as earning 90 points by submitting flags and a professional-grade report using the provided template.

Exam fee: HTB lists HTB CAPE at $1260 with 1 exam voucher required. Taxes, regional billing, or Academy plan details may vary.

Eligibility Requirements

Path completion: Candidates should complete the HTB Academy Active Directory Penetration Tester job-role path before attempting the certification exam.

Experience level: CAPE is an expert-level certification and is not intended as a first cybersecurity credential.

Technical background: Helpful skills include Windows and Linux fundamentals, network penetration testing methodology, AD administration concepts, PowerShell, LDAP, Kerberos, NTLM, BloodHound, lateral movement, privilege escalation, and report writing.

Recommended foundation: Prior hands-on experience from CPTS, professional internal penetration testing, red-team lab work, or equivalent AD practice is strongly recommended.

Certification validity: HTB Academy certifications are practical credentials issued by Hack The Box and can be validated through the HTB certificate validation process.

HTB CAPE Module Weights — 2026 Active Directory Penetration Tester Path

HTB CAPE is not a weighted MCQ exam. The table below uses the official 15-module Active Directory Penetration Tester path and shows each module’s approximate share of the 253 total path sections to help prioritize review time.

ModuleTopicPath SectionsApprox. Path Depth
Module 1Active Directory Enumeration and Attacks36 Sections14.2%
Module 2Active Directory LDAP12 Sections4.7%
Module 3Active Directory PowerView9 Sections3.6%
Module 4Active Directory BloodHound14 Sections5.5%
Module 5Windows Lateral Movement14 Sections5.5%
Module 6Using CrackMapExec27 Sections10.7%
Module 7Kerberos Attacks23 Sections9.1%
Module 8DACL Attacks I7 Sections2.8%
Module 9DACL Attacks II9 Sections3.6%
Module 10NTLM Relay Attacks10 Sections4.0%
Module 11ADCS Attacks19 Sections7.5%
Module 12Active Directory Trust Attacks21 Sections8.3%
Module 13Intro to C2 Operations With Sliver19 Sections7.5%
Module 14Introduction to Windows Evasion Techniques14 Sections5.5%
Module 15MSSQL, Exchange, and SCCM Attacks19 Sections7.5%

How Our Practice Tests Are Designed

Hands-on concept review — The real HTB CAPE exam is practical, open-ended, and report-based. These practice tests are not a replacement for lab work, but they help reinforce the concepts, tool behavior, terminology, and decision-making patterns needed before entering the exam environment.

Path-aligned coverage — Mixed tests pull from the same topic areas represented in the 15-module Active Directory Penetration Tester path, including enumeration, LDAP, PowerView, BloodHound, lateral movement, CrackMapExec, Kerberos, DACLs, NTLM relay, ADCS, trusts, C2, evasion, and enterprise application attack surfaces.

Practical timer choice — Because CAPE is a 10-day hands-on engagement rather than a fixed-question exam, there is no official per-question timer. Each 20-question practice test uses an estimated 30-minute timer to encourage careful analysis without forcing unrealistic speed.

Report-ready reasoning — Questions emphasize why an attack path works, what evidence matters, how a finding should be explained, and which remediation ideas belong in a client-ready report.

HTB CAPE Exam Preparation Tips

Study Strategy

Master the AD fundamentals first: Revisit users, groups, ACLs, trusts, Kerberos, NTLM, GPOs, certificate services, and Windows privilege models before focusing on advanced exploitation chains.

Build repeatable notes: CAPE rewards organized methodology. Keep structured notes for enumeration, decision points, commands used in authorized labs, evidence screenshots, discovered relationships, and remediation language.

Practice attack chaining: Do not study modules in isolation. Learn how LDAP discovery, BloodHound analysis, credential access, DACL abuse, lateral movement, and ADCS issues can combine into a full compromise path.

Test-Taking Strategy

Treat it like a real engagement: Start with scope review, then enumerate carefully, document every useful artifact, maintain a findings list, and preserve evidence as you go.

Manage the 10-day window: Split time across enumeration, exploitation, objective validation, report drafting, review, and final submission. Do not leave reporting until the final hours.

Explain impact clearly: A working exploit path is only part of the assessment. Your report should show business risk, proof, affected assets, root cause, and actionable remediation.

Frequently Asked Questions

How many questions are on the real HTB CAPE exam?+
HTB CAPE is not a traditional multiple-choice exam, so there is no fixed question count. It is a hands-on Active Directory penetration testing assessment where candidates exploit a realistic enterprise AD environment, capture objectives, and submit a professional report.
What is the passing score for HTB CAPE?+
HTB describes the CAPE objective as earning 90 points by submitting flags and delivering a professional-grade penetration test report using the provided template. Candidates should always follow the current exam portal instructions because scoring and submission details may be updated by HTB.
How long is the HTB CAPE exam?+
HTB states that CAPE provides a 10-day exam window. During that time, candidates work through a realistic Active Directory environment, document evidence, and submit a report for evaluation.
Are these HTB CAPE practice tests free?+
Yes. All HTB CAPE practice tests on Security Practice Test are free to use. Each set includes 20 questions designed to help you review concepts before working through hands-on labs and the real certification exam.
How are the domain-wise HTB CAPE tests distributed?+
The domain-wise tests follow the 15 modules in HTB Academy’s Active Directory Penetration Tester path. Because HTB does not publish MCQ-style exam weights for CAPE, this page shows approximate Path Depth percentages based on each module’s section count.
Can I retake the HTB CAPE exam if I fail?+
HTB Academy certification vouchers typically include exam access and a retake opportunity according to the terms shown in the candidate portal. Always check your HTB Academy exam dashboard for the current retake window, eligibility, and submission rules.
Is HTB CAPE open book?+
HTB’s CAPE exam is described as open book, meaning personal notes, course material, and public documentation are allowed. Outside help from other people is not allowed, and candidates must complete the assessment independently.
Do I need experience before attempting HTB CAPE?+
HTB CAPE is an expert-level certification and is not recommended for absolute beginners. Candidates should be comfortable with Active Directory fundamentals, Windows and Linux attack workflows, network penetration testing, Kerberos, NTLM, DACLs, ADCS, lateral movement, and professional reporting.

Ready to Test Your HTB CAPE Knowledge?

Start with a mixed set to gauge your readiness, then use module-specific tests to strengthen weak areas before returning to hands-on Active Directory labs.

Start HTB CAPE Practice Test 1 →

Authors

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.

  • Sudhanshu Thakur - Reviewer

    Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.