Hack The Box Certification

Hack The Box HTB Certified Penetration Testing Specialist (HTB CPTS) Practice Test

Prepare for the HTB Certified Penetration Testing Specialist exam with free practice tests covering penetration testing methodology, enumeration, exploitation, web application testing, Active Directory attacks, privilege escalation, pivoting, and reporting. Each 20-question set helps you review the concepts behind the hands-on CPTS assessment.

17Practice Tests
340Total Questions
28Modules Covered
100%Free Forever

Mixed Set — HTB CPTS Practice Tests

Use these mixed sets to review the full CPTS skill range across web, external, internal, and Active Directory penetration testing. The real exam is hands-on and does not include multiple-choice questions, so these timed sets are designed for concept review and exam-readiness reinforcement.

Domain Wise — HTB CPTS Mock Tests

Target focused CPTS topics one at a time. HTB CPTS does not publish conventional MCQ domain weights, so the percentages below show approximate Path Depth based on the HTB Academy Penetration Tester path section counts grouped into these 12 practice areas.

D1
Penetration Testing Process
Engagement planning, scope, rules of engagement, methodology, reporting expectations, and getting started with professional assessments
7.7% Path Depth Start Test →
D2
Reconnaissance and Enumeration
Nmap workflows, service discovery, footprinting, target profiling, infrastructure mapping, and enumeration-driven attack planning
6.7% Path Depth Start Test →
D3
Web Information Gathering
Passive and active web reconnaissance, DNS review, crawling, archives, headers, technology fingerprinting, and target discovery
3.8% Path Depth Start Test →
D4
Vulnerability Assessment
Assessment methodology, vulnerability validation, prioritization, scanner interpretation, risk context, and remediation-ready findings
3.4% Path Depth Start Test →
D5
File Transfer and Payloads
Linux and Windows transfer methods, shells, payload handling, foothold setup, Metasploit usage, and post-exploitation tooling basics
8.5% Path Depth Start Test →
D6
Password Attacks
Credential discovery, password storage, hash attacks, spraying, brute forcing, pass-the-hash concepts, defaults, and weak authentication
5.3% Path Depth Start Test →
D7
Common Services Attacks
Enumeration and exploitation patterns for standard enterprise services, misconfigurations, service exposure, and attack validation
3.8% Path Depth Start Test →
D8
Pivoting, Tunneling, and Port Forwarding
Foothold expansion, lateral movement support, tunnels, port forwards, route planning, and reaching internal-only systems
3.6% Path Depth Start Test →
D9
Active Directory Enumeration and Attacks
AD architecture, identity attack paths, enumeration tools, common misconfigurations, credential abuse, and domain compromise planning
7.3% Path Depth Start Test →
D10
Web Application Testing
Burp and ZAP workflows, fuzzing, login attacks, SQL injection, XSS, file inclusion, uploads, command injection, IDOR, XXE, and common apps
33.1% Path Depth Start Test →
D11
Privilege Escalation
Linux and Windows escalation methodology, local enumeration, permissions, services, misconfigurations, credentials, and real-world escalation paths
12.3% Path Depth Start Test →
D12
Reporting
Evidence collection, technical documentation, attack-chain narrative, remediation advice, executive clarity, and commercial-grade reporting
4.4% Path Depth Start Test →

About the HTB CPTS Certification Exam

Everything you need to know about the hands-on CPTS format, eligibility, pricing, and the skills this certification validates.

What Is HTB CPTS?

HTB Certified Penetration Testing Specialist is a hands-on Hack The Box Academy certification for learners who want to prove intermediate penetration testing capability. Instead of a traditional multiple-choice exam, CPTS validates whether candidates can interpret a scope, enumerate targets, exploit web and infrastructure weaknesses, pivot through networks, attack Active Directory, document evidence, and write an actionable commercial-grade report.

The certification is best suited for aspiring penetration testers, red team juniors, security analysts, vulnerability analysts, incident handlers, systems administrators moving into offensive security, and cybersecurity students who want a practical credential based on real assessment workflows. Relevant career paths include Penetration Tester, Security Consultant, Vulnerability Analyst, Red Team Operator, Application Security Tester, and Cybersecurity Analyst.

Cybersecurity remains a strong career area. The U.S. Bureau of Labor Statistics reported a $124,910 median annual wage for information security analysts in May 2024 and projects 29% employment growth from 2024 to 2034, much faster than the average for all occupations.

Exam Format (2026)

Testing method: Hands-on, browser-accessible penetration testing lab with a dedicated exam instance, letter of engagement, objectives, flags, and report template.

Questions: No fixed multiple-choice question count. Candidates complete scoped hands-on objectives and submit flags as evidence of exploitation.

Duration: Exam lab access and report submission window are ten days from the time the candidate enters the exam.

Question types: Practical exploitation, enumeration, vulnerability chaining, Active Directory compromise, web and infrastructure testing, evidence capture, and professional reporting.

Passing score: No public scaled score. HTB checks minimum points and evaluates the final report against quality requirements.

Exam fee: $490 USD listed by HTB, with one required exam voucher.

Eligibility Requirements

Required path: Complete 100% of the HTB Academy Penetration Tester job-role path before starting the CPTS exam.

Experience: HTB does not require a fixed number of professional work years, but candidates should be comfortable with intermediate web and infrastructure penetration testing.

Prerequisite skills: Interpret a letter of engagement, navigate target networks, exploit vulnerabilities manually and with tools, and report findings professionally.

Attempts: Each exam voucher includes two exam attempts, according to HTB's CPTS launch guidance.

Validity: HTB states that Academy certifications have no expiration date after successful certification.

HTB CPTS Path Depth — Penetration Tester Coverage

CPTS maps to the HTB Academy Penetration Tester path, which currently contains 28 modules. Because HTB does not publish traditional MCQ domain weights, this table uses approximate percentages based on official path section counts and groups the 28 modules into the 12 practice-test areas on this page.

DomainTopicWeight
Domain 1Penetration Testing Process7.7%
Domain 2Reconnaissance and Enumeration6.7%
Domain 3Web Information Gathering3.8%
Domain 4Vulnerability Assessment3.4%
Domain 5File Transfer and Payloads8.5%
Domain 6Password Attacks5.3%
Domain 7Common Services Attacks3.8%
Domain 8Pivoting, Tunneling, and Port Forwarding3.6%
Domain 9Active Directory Enumeration and Attacks7.3%
Domain 10Web Application Testing33.1%
Domain 11Privilege Escalation12.3%
Domain 12Reporting4.4%

How Our Practice Tests Are Designed

Hands-on path alignment — Questions are written around the skills covered in the HTB Academy Penetration Tester path, including reconnaissance, enumeration, vulnerability assessment, exploitation, pivoting, Active Directory attacks, web application testing, privilege escalation, and reporting.

Realistic decision-making — CPTS rewards methodology, evidence handling, and vulnerability chaining. These practice questions emphasize what to check next, how to interpret output, how to prioritize findings, and how to communicate risk clearly.

Timer note — The official CPTS exam is a ten-day hands-on lab and does not have an official per-question timer because it is not an MCQ exam. Each practice set is timed at about 30 minutes for 20 questions, or roughly 1.5 minutes per review question, to build focus without misrepresenting the real exam format.

Focused remediation — Use mixed sets to identify weak areas, then use domain-wise tests to strengthen one topic at a time before returning to hands-on labs and report-writing practice.

HTB CPTS Exam Preparation Tips

Study Strategy

Finish the path completely: CPTS eligibility requires 100% completion of the Penetration Tester job-role path, and the path itself is the best blueprint for what HTB expects you to know.

Practice full methodology: Do not study tools in isolation. Build a repeatable workflow for scope review, recon, enumeration, exploitation, privilege escalation, pivoting, cleanup notes, and reporting.

Document while practicing: Treat practice labs like client work. Capture commands, screenshots, proof, risk, impact, reproduction steps, and remediation notes as you go.

Test-Taking Strategy

Start with the letter of engagement: Read scope, objectives, and restrictions carefully before touching the lab. CPTS is designed around professional assessment behavior.

Enumerate before exploiting: If you are stuck, return to enumeration. Service details, hidden routes, web directories, credentials, group memberships, and trust relationships often reveal the next step.

Write the report early: Begin drafting findings and attack-chain notes while you work. Waiting until the end increases the risk of missing evidence or producing a weak report.

Frequently Asked Questions

How many questions are on the real HTB CPTS exam?+
The real HTB CPTS exam does not use a fixed multiple-choice question count. It is a hands-on penetration testing assessment where candidates work through scoped objectives, submit flags, and deliver a professional report.
How long is the HTB CPTS exam?+
HTB states that the CPTS exam lab is accessible for ten days without restrictions. Candidates must also upload the final report within ten days from the time they enter the exam.
What is the passing score for HTB CPTS?+
HTB does not publish a standard scaled passing score for CPTS. An HTB Academy instructor checks whether the candidate gathered the minimum required points and then evaluates the submitted report for quality requirements.
Do I need to complete the Penetration Tester path before taking CPTS?+
Yes. To be eligible for the HTB CPTS exam, you must complete 100% of the HTB Academy Penetration Tester job-role path before starting the examination process.
How much does the HTB CPTS certification cost?+
HTB lists the HTB Certified Penetration Testing Specialist certification at $490 with one required exam voucher. HTB also states that each exam voucher includes two exam attempts.
Are these HTB CPTS practice tests free?+
Yes. All HTB CPTS practice tests on Security Practice Test are free to use. Each practice test contains 20 review questions designed to reinforce the concepts used in the hands-on CPTS path.
How are the domain-wise HTB CPTS tests weighted?+
HTB does not publish traditional multiple-choice domain percentages for CPTS. The weights on this page are approximate Path Depth percentages based on the HTB Academy Penetration Tester path section counts and grouped into the 12 focused practice-test areas.
Do these practice tests replace hands-on lab practice?+
No. These practice tests help reinforce methodology, tooling concepts, terminology, and decision-making, but the real CPTS exam is hands-on. You should also practice exploitation, pivoting, Active Directory attacks, web testing, note-taking, and report writing in labs.

Ready to Test Your HTB CPTS Knowledge?

Start with a mixed practice set to measure your readiness, then use focused domain tests to strengthen weak areas before returning to hands-on labs.

Start HTB CPTS Practice Test 1 →

Authors

  • Security Practice Test Editorial Team

    Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.

  • Sudhanshu Thakur - Reviewer

    Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.