RoleMath Study Track · free study companion

RoleMath Study Track for CompTIA PenTest+ (PT0-003)

A free study companion keyed to the officially published exam domains of CompTIA PenTest+ (PT0-003): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. CompTIA PenTest+ (PT0-003) exam objectives

A free, source-cited study companion built on CompTIA's published PenTest+ (PT0-003) exam objectives — not official training, not a pass guarantee. PenTest+ is not an entry-level certification; it assumes Security+-level knowledge plus hands-on experience, and every hands-on lab here runs only against deliberately-vulnerable practice systems you own or platforms you are explicitly authorized to use. Verify the current objectives on the official page before your exam.

Program blueprint under review

Use the whole program, with the limits visible

A complete free CompTIA PenTest+ (PT0-003) program pinned to the currently published exam objectives, sequenced the way a real engagement runs — scope and authorization first, then reconnaissance, vulnerability analysis, restrained exploitation, and post-exploitation with a report — with every hands-on lab bounded to deliberately-vulnerable systems you own on an isolated host-only network or an explicitly-authorized hosted platform, and an explicit recheck of the official objectives before any exam scheduling. This is not entry-level: it assumes Security+-level knowledge and hands-on Linux and networking practice.

This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.

Modules
5
Labs
5
Concept checks
12
Resource mix
2 official / 2 community

Choose an outcome

Three routes through the same evidence

Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.

Certification-focused

Experienced learners who already have Security+-level knowledge, Linux command-line fluency, and networking fundamentals and want one current, dependency-ordered PT0-003 sequence across all five domains with every lab run in their own isolated host-only lab and a recheck of the official objectives before scheduling.

Completion emphasis: Complete every module, run each lab only against deliberately-vulnerable systems you own or an authorized hosted platform (with isolation verified and snapshots reverted), correct every missed check, finish the integrated engagement capstone against your own lab, and diff the current objectives before booking the exam — never inferring a score from coverage.

Required phases: Engagement management, ethics, and isolated-lab setup, Reconnaissance, enumeration, and vulnerability discovery, Attacks and exploits — exploitation with restraint, Post-exploitation, cleanup, reporting, and integrated capstone

Offensive skills first

Career changers with prior IT, help-desk, or defensive-security experience who want reviewable evidence that they can scope an engagement, enumerate a target, validate vulnerabilities, and exploit with restraint against systems they own, whether or not they sit the exam soon.

Completion emphasis: Retain a labeled, redacted artifact per domain — a scope-and-RoE document, a prioritized attack surface, a validated-findings shortlist with a false-positive log, a restrained-exploitation write-up, and a post-exploitation report with remediations — plus the capstone engagement report and a snapshot-revert record proving nothing was left in place.

Required phases: Engagement management, ethics, and isolated-lab setup, Reconnaissance, enumeration, and vulnerability discovery, Attacks and exploits — exploitation with restraint, Post-exploitation, cleanup, reporting, and integrated capstone

Career-fit sprint

Learners deciding whether offensive security — the scoping, methodology, and hands-on attack work of penetration testing — is a direction worth deeper investment before committing to the full PT0-003 exam grind, given that it is not an entry-level certification.

Completion emphasis: Complete the diagnostic, the engagement-and-lab foundation, and the recon-and-vulnerability-analysis phase with their labs in your own isolated lab, then choose a next offensive-security experiment or a full exam commitment rather than inferring job readiness or a pass from partial coverage.

Required phases: Engagement management, ethics, and isolated-lab setup, Reconnaissance, enumeration, and vulnerability discovery

Start safely

Prerequisite diagnostic

Confirm you meet the not-entry-level bar and can build a safe, isolated lab before the PenTest+ labs; this diagnostic is not a CompTIA prerequisite, a cost promise, or an exam prediction, and PT0-003 is an intermediate offensive-security exam that assumes Security+-level knowledge plus hands-on experience.

  1. Do you already have Security+-level security knowledge plus networking fundamentals — TCP/IP, ports and services, subnets, and common protocols — since PT0-003 assumes this and does not re-teach it?

    Ready when: Yes, or you will review Security+ and Network+ level fundamentals before Domain 2 rather than learning the baseline and offensive skills at once.

    If not yet: Spend time on Security+/Network+ level fundamentals (or those tracks) first, because PenTest+ is not entry-level and builds directly on that baseline.

  2. Are you comfortable working in a Linux command line — navigating the filesystem, running tools, reading output, and editing text — since Kali and nearly every lab tool are command-line first?

    Ready when: Yes, or you will use each lab's documented steps and the authorized hosted platforms while you build CLI fluency in parallel.

    If not yet: Practice basic Linux CLI (a free Linux fundamentals room or the Linux+ track) before the reconnaissance lab, because every later lab assumes it.

  3. Can you build an isolated VirtualBox lab on your own hardware — Kali plus a deliberately-vulnerable VM (Metasploitable/DVWA/Juice Shop) on a Host-Only network — or will you use an authorized hosted platform instead?

    Ready when: Yes, with enough RAM and disk for two VMs on a Host-Only adapter, or a plan to use PortSwigger Web Security Academy and TryHackMe free rooms for the hands-on work.

    If not yet: Start with the authorized hosted platforms (PortSwigger Academy, TryHackMe free rooms) that provide isolated targets you are explicitly permitted to attack until you can build local VMs.

  4. Do you understand that every technique here is lawful only against systems you own or are explicitly, in writing, authorized to test, and that scanning or attacking anything else is a crime (e.g. 18 U.S.C. Sec. 1030)?

    Ready when: Yes, and you will complete the lab isolation and authorization checklist before every scanning or exploitation lab and never point a tool outside your own isolated lab or an authorized platform.

    If not yet: Study Domain 1 (Engagement management) and the safety baseline first and do not run any scanning or exploitation lab until scoping, written authorization, and isolation are automatic.

  5. Have you chosen a pace whose weekly hours you can realistically protect across roughly 80 to 180 total hours depending on your prior offensive-security and lab experience?

    Ready when: Yes, with a pace selected and the objective recheck, the lab safety steps, and the capstone left uncompressed.

    If not yet: Pick the steady pace if you are new to hands-on offensive work and reserve the intensive pace for experienced learners; never compress the isolation, snapshot, and revert steps to save time.

Plan, then adapt

Pace options

Steady

16 weeks 8-10 hours/week

A planning estimate of roughly 120-180 hours for a Security+ holder without prior penetration-testing lab experience: one domain block at a time, every lab run only against systems you own or an authorized platform with isolation verified and snapshots reverted, plus the capstone engagement and an objectives recheck before scheduling.

Standard

12 weeks 10-12 hours/week

A planning estimate for learners with some hands-on security exposure that pairs the CompTIA-cited domain study with one retained, redacted artifact per domain and preserves the integrated engagement capstone, the missed-check corrections, and an objectives-diff block before any exam logistics.

Intensive

8 weeks 14-16 hours/week

Roughly 80-120 hours for an experienced learner with prior offensive-security, CTF, or lab practice; do not compress the isolation and authorization checklist, the snapshot-and-revert discipline, the exploit-with-restraint judgment, or unfamiliar attack surfaces such as cloud, API, wireless, or AI-enabled vectors.

Evidence-gated sequence

Program roadmap

  1. Engagement management, ethics, and isolated-lab setup

    Build the legal, ethical, and physical frame that makes every later lab lawful: scoping, rules of engagement, statements of work, and written authorization (Domain 1), plus a verified-isolated VirtualBox host-only lab with Kali and a deliberately-vulnerable target, snapshots taken, and the isolation-and-authorization checklist rehearsed until it is automatic.

    Exit evidence

    • Complete the Domain 1 documentation lab: draft a scope, rules of engagement, and statement-of-work skeleton for a fictional engagement whose only in-scope range is your own host-only 192.168.56.0/24 lab, mapped to PTES and MITRE ATT&CK, with an explicit written authorization statement.
    • Stand up and verify an isolated lab — Kali plus a deliberately-vulnerable VM on a Host-Only adapter with no Bridged adapter, the target's internet-path check failing, and a snapshot of every VM — or confirm your authorized hosted platform (PortSwigger Academy, TryHackMe free rooms) instead.
    • Complete the security/networking, Linux-CLI, isolated-lab, ethics-and-authorization, and study-time diagnostics, choose a pace you can protect, and be able to state why written, scoped authorization plus isolation is what keeps every later lab lawful.
    • Attempt every authored Engagement management check and correct each miss against its cited source before moving to reconnaissance.
  2. Reconnaissance, enumeration, and vulnerability discovery

    Map the attack surface before touching it and then triage it: verify the target IP and run service/version detection, SMB, and web enumeration against only your own isolated target (Domain 2), then scan a deliberately-vulnerable app and manually validate findings, deliberately logging a false positive, to turn scanner output into a prioritized, evidence-backed shortlist (Domain 3).

    Exit evidence

    • Complete the reconnaissance lab against a confirmed host-only target only — isolation checklist done, target IP verified, service/version, SMB, and web enumeration recorded — and produce a three-item prioritized attack surface mapped to Domain 2 sub-topics, then revert the snapshot.
    • Complete the vulnerability-analysis lab against a localhost-bound DVWA (or PortSwigger Academy): manually confirm a SQL injection and a reflected XSS, document at least one scanner false positive with a reason, and record severity and remediation for each true finding.
    • Retain a prioritized attack-surface artifact and a validated-findings shortlist with a false-positive log, both produced only against systems you own or an authorized platform, with the target IP verified before every scan.
    • Attempt every authored Reconnaissance and Vulnerability-analysis check and correct each miss against its cited source, tracing why each top vector or confirmed finding matters and why the false positive does not.
  3. Attacks and exploits — exploitation with restraint

    Work the heaviest domain (35%) with the strictest safety discipline: exploit only deliberately-vulnerable targets you own or an authorized hosted platform — a Metasploit module capturing whoami, a sqlmap-confirmed injection you stop after confirming, and a Hydra brute-force that halts on the first valid credential — proving each weakness with the minimum necessary action and stopping (Domain 4).

    Exit evidence

    • Complete the exploitation lab only against Metasploitable/DVWA on a host-only network or PortSwigger Academy: obtain a shell and capture whoami, confirm a SQL injection with sqlmap and stop without dumping data, and run a Hydra brute-force that halts on the first success, with the isolation checklist done and the target IP verified before every exploit.
    • Document each vector as minimal proof plus a remediation, noting explicitly where you chose to stop and why, and be able to explain why proportionate, in-scope exploitation with restraint is both the ethical and the examinable standard.
    • Recognize the breadth of the domain — network, host, authentication, and web attacks plus cloud, API, wireless, and AI-enabled vectors — and map each lab result to a Domain 4 sub-topic, then revert every VM to its pre-lab snapshot.
    • Attempt every authored Attacks-and-exploits check and correct each miss against its cited source, confirming no exploit ever ran outside your isolated lab or an authorized platform.
  4. Post-exploitation, cleanup, reporting, and integrated capstone

    Turn access into documented business impact and then leave no trace: enumerate a privilege-escalation path, document a persistence technique and remove it, treat lateral movement as theoretical, crack harvested hashes offline, note data at risk without exfiltrating it, and clean up (Domain 5) — then integrate all five domains in the capstone engagement against your own isolated lab and a report.

    Exit evidence

    • Complete the post-exploitation lab against your own Metasploitable target (or the authorized hosted alternative): record the access vector and privilege level, enumerate an escalation path, document a persistence technique and then remove it, crack at least one weak hash offline, and note data at risk without exfiltrating anything.
    • Run the cleanup discipline — remove simulated persistence, close sessions and listeners, delete harvested material after documenting it, and revert every VM to snapshot — and produce a post-exploitation report with a three-item prioritized remediation summary.
    • Complete the integrated engagement capstone spanning scoping, reconnaissance, vulnerability analysis, restrained exploitation, and post-exploitation against your own isolated lab, then tear the lab down and verify nothing persists.
    • Diff the current CompTIA PenTest+ objectives, record remaining gaps, and choose a continue, practice, defer, offensive-security experiment, or exam-scheduling next decision rather than inferring a pass from coverage.

Before a lab

Environment, access, and safety

Required and optional setup

Required

  • A browser plus text, spreadsheet, and diagram tools for the CompTIA-cited objectives, methodology references, and for recording each lab's scope documents, findings, evidence, and snapshot-revert confirmation
  • Either an isolated VirtualBox lab on your own hardware — Kali Linux (attacker) plus a deliberately-vulnerable VM such as Metasploitable 2, DVWA, or OWASP Juice Shop, every VM on a Host-Only adapter with no Bridged adapter — or an explicitly-authorized hosted platform (PortSwigger Web Security Academy, TryHackMe free rooms) for learners who cannot run local VMs
  • The free, preinstalled Kali tooling the labs use — Nmap, enum4linux, Nikto, Burp Suite Community, Metasploit, sqlmap, Hydra, and John the Ripper — used only against systems you own or are explicitly authorized to test
  • A lab isolation and authorization checklist plus a snapshot-and-revert ledger recording, for each lab, that the target IP was verified, isolation held, and every VM was reverted to its pre-lab snapshot

Optional

  • A second deliberately-vulnerable VM you own on the same host-only network to practice theoretical lateral movement against an owned target rather than describing it only
  • MITRE ATT&CK and PTES open in a browser as a shared vocabulary for planning and reporting engagement phases and techniques
  • A free TCM Security or freeCodeCamp penetration-testing walkthrough as an alternate explanation after the official CompTIA objectives (community-produced — verify it is free and current before relying on it)
Accounts and accessibility routes

Accounts

  • The local VirtualBox route requires no account and no payment: Kali and the deliberately-vulnerable VMs are free downloads or builds, and every lab runs offline on a host-only network.
  • The authorized hosted alternatives may require a free account: PortSwigger Web Security Academy is free and browser-based, and TryHackMe and HackTheBox Academy offer free rooms/modules (verify the free label before relying on it, since paid tiers exist).
  • No lab requires a paid subscription, a cloud account, or a card; if a hosted platform ever moves a needed exercise behind a paywall, use the local host-only VM route instead.

Equivalent routes

  • When building local VMs is impractical for account, device, memory, motor, or visual reasons, use the authorized hosted platforms — PortSwigger Web Security Academy (browser-based labs you are explicitly permitted to attack), TryHackMe free rooms, and HackTheBox Academy free Tier-0 modules — which reach the same enumeration, validation, exploitation, and post-exploitation outcomes and the same template evidence with no local setup.
  • Every lab is command-line and text driven, so the whole program is keyboard-operable with plain-text tool output a screen reader can read; the findings, vulnerability, and post-exploitation templates are plain Markdown with labeled headings and fields, and the hosted platforms are keyboard-navigable web interfaces.
  • In low-bandwidth conditions run the local host-only labs, which generate no internet traffic, and record every artifact in a local document; when a hands-on step cannot be executed at all, study the objective, read the documented steps, and record a written expected-state walkthrough labeled simulated instead.
Safety baseline
  • Run every scanning, exploitation, and post-exploitation technique ONLY against deliberately-vulnerable systems you own on a VirtualBox Host-Only network, or against a platform that explicitly authorizes attacking its hosted labs (PortSwigger Academy, TryHackMe free rooms) — never a real, third-party, employer, school, cloud, or internet target.
  • Keep every VM on a Host-Only adapter and never a Bridged adapter, so no scan or attack traffic can reach your real network, home router, ISP gateway, or the internet; bind local web targets such as DVWA to 127.0.0.1.
  • Complete the lab isolation and authorization checklist and verify the target IP before every scan or exploit; never point a tool at an IP you have not confirmed belongs to your own lab VM, and never aim OSINT tooling at a real organization or domain.
  • Snapshot every VM before you start and revert after every lab so nothing persists; never leave persistence, backdoors, listeners, or accounts in place — document the technique and then remove it, and delete any harvested hashes or files after recording them.
  • Do not exfiltrate any data to an external system, do not cause destruction or a denial of service, and exploit with restraint — prove a weakness with the minimum necessary action and stop; unauthorized access to a computer is a crime (e.g. 18 U.S.C. Sec. 1030 in the US).

Show your work

Module evidence and missed-check protocol

Module exit evidence

  • A labeled, redacted artifact per domain tied to its module: a fictional scope/RoE/SoW document; a prioritized attack surface from a confirmed host-only target; a validated-findings shortlist with a false-positive log; a restrained-exploitation write-up with minimal proof and remediations; or a post-exploitation report with an escalation path, documented-then-removed persistence, and a remediation summary.
  • A plain-language explanation of the technique, the authorization boundary it stayed inside, the tool and vector chosen, where the tester chose to stop and why, the remediation a defender should make, and the condition that would change the finding.
  • All authored checks for the domain attempted, with each miss corrected against its cited source and re-applied to a fresh scenario, plus a recorded snapshot-and-revert confirmation for every lab that scanned or exploited a system.

After a missed check

  1. Identify whether the question tests engagement management, reconnaissance and enumeration, vulnerability discovery and analysis, attacks and exploits, or post-exploitation and lateral movement before reviewing the answer.
  2. Write why the distractor was plausible and which scoping/authorization rule, enumeration technique, validation-versus-false-positive judgment, attack family or restraint decision, or escalation/persistence/cleanup step distinguishes the correct answer.
  3. Change one fictional detail — the scope, the service and version, the environment, the privilege level, or the authorization boundary — and explain whether the correct answer changes.

Completing this policy demonstrates current-objectives PenTest+ coverage and hands-on offensive-security practice inside RoleMath against systems you own or are authorized to test; it does not predict an exam score, confer any authorization to test systems you do not own, establish professional penetration-testing experience, or serve as a RoleMath credential.

Integrated practice

Integrated authorized engagement against your own isolated lab, with a redacted findings report

Run a complete, methodology-ordered penetration test against a deliberately-vulnerable target you own on an isolated host-only network — scope and rules of engagement, reconnaissance, vulnerability analysis, restrained exploitation, and post-exploitation — then write a redacted findings report and revert every VM, integrating all five PT0-003 domains into one reviewable evidence packet.

Workflow

  1. Write a fictional engagement brief and a scope, rules of engagement, and statement-of-work skeleton whose only in-scope range is your own host-only lab (for example 192.168.56.0/24), with everything else — the host OS, home network, any real system — explicitly out of scope, an emergency-stop procedure, and a written authorization statement that this test against these owned systems is permitted.
  2. Complete the lab isolation and authorization checklist, confirm every VM is on a Host-Only adapter with no Bridged adapter and the target's internet-path check fails, verify the target IP belongs to your own vulnerable VM, and snapshot every VM before any scanning.
  3. Run reconnaissance and enumeration against only the confirmed target: service and version detection, SMB, and web enumeration, and record a prioritized attack surface of the strongest candidate vectors mapped to Domain 2.
  4. Perform vulnerability discovery and analysis: scan the target, manually validate the most promising findings, deliberately identify at least one false positive with a reason, and record a prioritized, evidence-backed findings shortlist with severity and remediation for each true finding.
  5. Exploit with restraint: prove one or more validated vulnerabilities with the minimum necessary action — capture whoami, confirm an injection without dumping data, or find one weak credential and stop — staying strictly in scope and documenting each as minimal proof, then never proceed past evidence.
  6. Perform post-exploitation: enumerate a privilege-escalation path, document a persistence technique and then remove it, treat lateral movement as theoretical (or use a second owned VM on the isolated network), crack at least one weak hash offline, and note what data would be at risk without exfiltrating anything.
  7. Write a redacted findings report — an executive summary, severity-ranked technical findings with reproduction evidence and remediation, and a post-exploitation section — plus an operator handoff, using fictional client details and redacting any lab specifics that should not be shared.
  8. Run the cleanup checklist: remove any simulated persistence, close all sessions and listeners, delete harvested hashes and files from the attacker VM after documenting them, and revert every VM to its pre-lab snapshot.
  9. Verify nothing persists anywhere in the lab, then crosswalk every scoping, reconnaissance, vulnerability, exploitation, and post-exploitation artifact to the five PT0-003 domain IDs, diff the current CompTIA objectives, flag any uncovered topics as explicit gaps, and record the next offensive-security or exam-scheduling decision.

Retained artifacts

  • Fictional engagement brief with a scope, rules of engagement, statement-of-work skeleton, and a written authorization statement bounded to your own isolated lab
  • A completed lab isolation and authorization checklist plus a snapshot record proving host-only isolation and a verified target IP before any scanning
  • A reconnaissance record: a prioritized attack surface of candidate vectors from the confirmed host-only target
  • A vulnerability-analysis record: a prioritized, evidence-backed findings shortlist with a false-positive log, severity estimates, and remediations
  • An exploitation-and-post-exploitation record: minimal-proof write-ups, an escalation path, documented-then-removed persistence, at least one cracked weak hash, and a data-at-risk note with nothing exfiltrated
  • The redacted findings report (executive summary, technical findings, post-exploitation section), an operator handoff, a snapshot-revert confirmation, and a five-domain crosswalk with an objectives diff

Review checklist

  • Scope, reconnaissance, vulnerability analysis, exploitation, and post-exploitation describe one consistent authorized engagement run entirely against a deliberately-vulnerable target the learner owns on an isolated host-only network.
  • The isolation and authorization checklist was completed, the target IP was verified before every scan and exploit, no VM used a Bridged adapter, and no tool was ever pointed at a real, third-party, or internet target.
  • Every finding is validated (not a raw scanner hit), at least one false positive is documented with a reason, and each true finding carries a severity estimate, reproduction evidence, and a remediation.
  • Exploitation stayed in scope and proportionate — each weakness proven with the minimum necessary action and stopped at evidence, with no data exfiltration, destruction, or denial of service.
  • Persistence was documented and then removed, lateral movement was theoretical or against a second owned VM only, harvested hashes and files were deleted after documenting, and every VM was reverted to its pre-lab snapshot with nothing left behind.
  • The report and handoff use fictional client details, redact anything that should not be shared, and no real target, credential, or unredacted finding was published.
  • The current CompTIA PenTest+ objectives were rechecked and any changed objective invalidates the affected mapping or review.
  • All five current PT0-003 domains map to at least one artifact; uncovered topics remain explicit gaps rather than implied completion.
  • The packet does not claim exam success, official CompTIA approval or training beyond linked sources, any authorization to test systems the learner does not own, professional penetration-testing experience, or a RoleMath credential.

Safety boundary: Run the entire capstone ONLY against deliberately-vulnerable systems you own on a VirtualBox Host-Only network (or an explicitly-authorized hosted platform) — never a real, third-party, employer, school, cloud, or internet target, and never over a Bridged adapter. Complete the isolation checklist and verify the target IP before every scan and exploit, exploit with restraint and stop at proof, exfiltrate nothing, document persistence then remove it, and revert every VM to its pre-lab snapshot when finished; unauthorized access is a crime (e.g. 18 U.S.C. Sec. 1030).

Finish honestly

Completion, portfolio, and maintenance

Completion evidence

  • All five current PT0-003 domain modules have been covered and checked against the official CompTIA PenTest+ objectives, including a recheck of the current objectives before any exam scheduling.
  • Every domain lab has been run only against deliberately-vulnerable systems the learner owns or an explicitly-authorized hosted platform — with the isolation checklist completed, the target IP verified, and every VM reverted to its pre-lab snapshot — and its redacted artifact retained.
  • Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh scenario.
  • The CompTIA objectives and the free methodology, tool, and hosted-platform resources have been used within their current free-access terms, with any community walkthrough reconciled to the official objectives.
  • The integrated engagement capstone passes its scope, isolation, validation, restraint, cleanup, redaction, consistency, and five-domain coverage review, with nothing left in the lab.
  • The learner has recorded remaining objective gaps and a next offensive-security or exam-scheduling decision; completion is not represented as an exam result, a credential, authorization to test systems the learner does not own, job readiness, or professional penetration-testing experience.

Portfolio candidates

  • A sanitized engagement scope packet: a fictional scope, rules of engagement, and statement-of-work skeleton bounded to a self-owned isolated lab
  • A reconnaissance record: a prioritized attack surface from a confirmed host-only target, with the target IP redacted
  • A vulnerability-analysis record: a validated-findings shortlist with a false-positive log, severity estimates, and remediations
  • A restrained-exploitation write-up: each vector as minimal proof with the stop-point and a remediation, no exfiltrated data
  • A post-exploitation report: an escalation path, documented-then-removed persistence, a cracked weak hash, a data-at-risk note, and a remediation summary
  • The integrated capstone redacted findings report with a snapshot-revert confirmation and a five-domain crosswalk

Present the packet as self-directed PenTest+ offensive-security lab work done only against systems you own or an explicitly-authorized platform. Do not call it a real-world penetration test, CompTIA approval, authorization to test any system you do not own, professional penetration-testing experience, or a RoleMath credential, and never publish real targets or unredacted findings.

Freshness controls

Objective source checked 2026-07-10. Recheck objectives every 30 days and resources every 90 days.

Stop and re-verify when

  • CompTIA changes the PenTest+ objectives, domain set, weight ranges, exam code, format, passing score, lifecycle, recommended experience, or credential terms.
  • A methodology reference (PTES, MITRE ATT&CK), a tool (Kali, Nmap, enum4linux, Nikto, Burp Community, Metasploit, sqlmap, Hydra, John), or a deliberately-vulnerable image (Metasploitable, DVWA, Juice Shop) changes URL, access, version, behavior, or reuse terms.
  • An authorized hosted platform (PortSwigger Web Security Academy, TryHackMe free rooms, HackTheBox Academy free modules) changes URL, access, its free tier, or its authorization to attack its labs.
  • A lab can no longer be run isolated and host-only against a self-owned target within the free tier, or its isolation, snapshot-and-revert, target-IP-verification, or exploit-with-restraint guarantees no longer hold.
  • An engagement-management, reconnaissance, vulnerability-analysis, attacks-and-exploits, or post-exploitation concept materially changes, or a new attack surface (cloud, API, wireless, AI-enabled) is added to or removed from the objectives.
  • Any module, lab, check, phase, capstone step, account instruction, safety guardrail, or objectives diff fails technical, source, offensive-security-domain, intermediate-level, safety, authorization, privacy, accessibility, currency, or claims review.

Skills measured

The official objective domains and their exam weight — titles & weights only, straight from the vendor’s exam objectives. CompTIA PenTest+ (PT0-003) exam objectives

35%Attacks and exploitsCompTIA PenTest+ (PT0-003) exam objectives (2026-07-10)
21%Reconnaissance and enumerationCompTIA PenTest+ (PT0-003) exam objectives (2026-07-10)
17%Vulnerability discovery and analysisCompTIA PenTest+ (PT0-003) exam objectives (2026-07-10)
14%Post-exploitation and lateral movementCompTIA PenTest+ (PT0-003) exam objectives (2026-07-10)
13%Engagement managementCompTIA PenTest+ (PT0-003) exam objectives (2026-07-10)

Suggested study order

For PenTest+ we recommend studying the domains in their published order, because that order already mirrors the methodology of a real engagement rather than fighting it. CompTIA weights the five domains as Engagement management 13%, Reconnaissance and enumeration 21%, Vulnerability discovery and analysis 17%, Attacks and exploits 35%, and Post-exploitation and lateral movement 14%, so the raw weights climb toward the heaviest domain and then taper — and that curve happens to match the order you should learn in. We open with Engagement management (Domain 1) even though it is the lightest slice at 13%, because it is the legal and ethical frame that makes every later lab safe: scoping, rules of engagement, statements of work, and written authorization are what separate authorized testing from a federal crime, and you cannot responsibly run a single scan until you have internalized this domain. Reconnaissance and enumeration (Domain 2, 21%) comes next because you map an attack surface before you attack it — recon feeds everything downstream. Vulnerability discovery and analysis (Domain 3, 17%) then turns that map into a triaged list of real, validated weaknesses, teaching you to separate a genuine finding from scanner noise. Attacks and exploits (Domain 4) is the heaviest domain on the exam at 35% and the natural centerpiece: only after you have scoped, enumerated, and validated do you actually exploit, so it earns the most study time and the most careful safety discipline in the lab. Post-exploitation and lateral movement (Domain 5, 14%) closes the sequence because it only makes sense once you have a foothold — persistence, privilege escalation, and documentation are the last phase of an engagement and the bridge to the report. In short: you scope before you scan, scan before you exploit, and exploit before you pivot, and Domain 4 deserves the deepest practice because it is over a third of the exam. This is sequencing advice based on the published weights and the methodology the exam models, not a claim about the science of learning — if a different order fits how you think, use it, but keep Domain 1 first so your labs stay lawful.

  1. Engagement management13% of the exam
  2. Reconnaissance and enumeration21% of the exam
  3. Vulnerability discovery and analysis17% of the exam
  4. Attacks and exploits35% of the exam
  5. Post-exploitation and lateral movement14% of the exam

Module 1 of 5 · domain 1 · 13% of the exam

Engagement management

Study this first. At 13% it is the lightest domain by weight, but it is the legal and ethical frame that makes every later lab safe: scoping, rules of engagement, statements of work, and written authorization are what separate authorized testing from a crime. Do not run a single scan until this domain's discipline is automatic.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA PenTest+ (PT0-003) exam objectives

This is the 'set up the engagement correctly, legally, and professionally before anyone touches a keyboard' domain, and CompTIA weights it at 13% of the exam. It is the lightest domain by raw weight, but it is the one we insist you study first, because everything offensive that follows is only legitimate when it sits inside a properly scoped, authorized engagement. A penetration test without a signed scope and rules of engagement is not a penetration test — it is unauthorized access, which is a crime in most jurisdictions. This domain is where you learn to build the paperwork and the boundaries that make the rest of the job lawful.

Pre-engagement scoping is the heart of the domain. Before a test begins, the tester and client agree on exactly what is in scope (which IP ranges, domains, applications, or physical locations may be tested) and what is explicitly out of scope. They agree on the type of test (external, internal, web application, wireless, social engineering), the depth, the timing window, and any constraints — for example, no denial-of-service, no testing during business hours, no touching production databases. The exam expects you to reason about scope the way a professional does: an ambiguous or overbroad scope is a liability, and the narrowest scope that meets the client's goal is usually the right one. Getting scope wrong is how testers accidentally attack systems they were never authorized to touch.

The governing documents are the second pillar. The rules of engagement (RoE) define how the test is conducted — permitted techniques, emergency-stop procedures, points of contact, and escalation paths if something breaks. The statement of work (SoW) defines the commercial and delivery terms — objectives, deliverables, timeline, and reporting format. A non-disclosure agreement (NDA) protects the sensitive information the tester will inevitably see. And underlying all of it is written authorization: a signed document from someone with the authority to grant it, stating that this testing against these systems during this window is permitted. CompTIA wants you to understand that authorization is not implied, casual, or verbal — it is explicit, written, and scoped, and without it the tester has no legal standing.

Frameworks and methodology give the engagement structure and repeatability. Standards like the Penetration Testing Execution Standard (PTES) and the Open Source Security Testing Methodology Manual (OSSTMM) describe the phases of a test so nothing is skipped, while MITRE ATT&CK provides a shared vocabulary of real adversary tactics and techniques that testers use to plan realistic attack chains and to communicate findings in terms defenders recognize. You are not expected to recite these frameworks line by line, but you should know what each is for and be able to map a testing activity to a phase or technique. A framework turns a test from an ad-hoc collection of tools into a defensible, repeatable process.

Communication and reporting close the domain and are often underrated by newcomers who focus on the exploitation. Throughout an engagement, the tester keeps the right stakeholders informed — especially about critical findings that need immediate attention, and about anything that might disrupt operations. The deliverable is the report, and its components are examinable: an executive summary written for leadership, a technical findings section with severity-ranked issues and evidence, and clear, actionable remediation guidance. The value a client actually buys is not the break-in — it is the prioritized, fixable list of what a real attacker could do and how to close it. A test that ends with a clean, honest report is a successful test; a test that ends with unauthorized damage and no clear findings is a failure no matter how clever the exploit.

Study this domain by producing the artifacts, not just reading about them, because the exam includes performance-based questions and the job is paperwork-first. The lab below is a documentation exercise: using a scope worksheet, you draft a scope, rules of engagement, and a statement-of-work skeleton for a fictional engagement against your own isolated lab network — no scanning at all — and cross-reference PTES and MITRE ATT&CK so the vocabulary sticks. As always, read the official PenTest+ objectives for CompTIA's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Pentest Engagement Scoping Lab

Draft a complete scope, rules of engagement, and statement-of-work skeleton for a fictional engagement Map an engagement's documents to PTES phases and MITRE ATT&CK techniques

Free tools

  • Any operating system with a text editor
  • A web browser to read the PTES and MITRE ATT&CK references

Steps

  1. Open the engagement-scope-worksheet.md fixture and read its top warning: every field describes a FICTIONAL engagement against your own isolated lab only, never a real organization or a range you do not own.
  2. Fill in engagement identity and the in-scope/out-of-scope sections, keeping the only in-scope range as your host-only 192.168.56.0/24 subnet and marking the host OS, home network, and any real system explicitly out of scope.
  3. Write the rules of engagement (authorization statement, permitted methods, emergency stop-and-revert, escalation contact) and the statement-of-work skeleton (objectives, deliverables, timeline, reporting format).
  4. Open the PTES pre-engagement page and the MITRE ATT&CK enterprise matrix, then record which PTES phase your document covers and two or three ATT&CK techniques you would model in this fictional test, and complete the three-item Domain 1 objective crosswalk.

What you should see

Confirm the finished worksheet names only 192.168.56.0/24 as in-scope, contains a written authorization statement, lists SoW deliverables, and maps at least one PTES phase plus two ATT&CK techniques.

Practice evidence maps to exam_domain_comptia_pentest_plus_pt0_003_01

Stay safe & legal: Every field in this worksheet describes a fictional engagement against your own isolated host-only lab (192.168.56.0/24) only; never enter a real organization, a real domain, or any IP range you do not own and operate. Account required: no; payment required: no; maximum designed cost: $0.

Check yourself

2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A tester finds an out-of-scope system that appears vulnerable while conducting an assessment. What should they do?
Check 2. A client needs proof of exploitation risk without unnecessary business disruption. What should the tester plan for?

Module 2 of 5 · domain 2 · 21% of the exam

Reconnaissance and enumeration

Study this second, right after you have internalized scoping. At 21% it is the second-heaviest domain, and it is the phase that feeds everything downstream: you map an attack surface before you attack it, so a disciplined recon habit makes every later domain sharper.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA PenTest+ (PT0-003) exam objectives

This is the 'map the target before you touch it' domain, and CompTIA weights it at 21% — the second-heaviest slice of the exam. Reconnaissance and enumeration is where a tester turns an authorized scope into a concrete, prioritized attack surface: which hosts are alive, which services they run, what versions those services are, what accounts and shares exist, and where the soft spots are. It is the phase that feeds every later domain, and doing it thoroughly is what separates a professional from someone who runs an exploit blindly. Everything in this domain, in a lab, is performed only against deliberately-vulnerable practice VMs you own on an isolated network — never a real system.

The domain splits into passive and active work. Passive reconnaissance — often called open-source intelligence, or OSINT — gathers information without directly touching the target's systems: DNS and WHOIS records, certificate transparency logs, document metadata, employee names and email formats, and exposed assets indexed by search engines. The important professional and legal nuance is that OSINT tools reach out over the internet, so they are only ever pointed at fictional or explicitly-owned domains in practice; on an isolated lab they return nothing, which is exactly the point — against an owned lab target, your recon is active scanning, not passive OSINT. Never aim OSINT tooling at a real organization you are not authorized to investigate.

Active reconnaissance and enumeration are where the hands-on tooling lives. Host discovery finds live systems; port scanning finds open TCP and UDP ports; and service and version detection identifies what is actually listening and which software version it is — the single most useful input to the next phase, because a version often maps directly to a known vulnerability. Nmap is the workhorse here, with service/version detection and its scripting engine; enum4linux pulls users, shares, and policy details from Windows/SMB targets; and web-focused tools like Nikto and directory brute-forcers reveal hidden paths and misconfigurations on web servers. The exam expects you to know which tool and which technique fit a described enumeration goal, and to read scan output well enough to prioritize.

Enumeration is more than scanning — it is the disciplined follow-through that pulls specific, actionable detail out of each discovered service. From an open SMB service you enumerate shares, users, and password policy; from a web server you enumerate directories, technologies, and endpoints; from an exposed database or mail service you enumerate versions and misconfigurations. The recurring skill the exam rewards is turning raw scan output into a ranked list of candidate vectors: not 'here are forty open ports,' but 'these three services are the most promising ways in, and here is why.' That prioritization is the real deliverable of the recon phase and the bridge to vulnerability analysis.

A theme that unifies the domain is signal versus noise. Scanners produce enormous output, and much of it is irrelevant; the tester's judgment is in knowing which findings matter, which need confirmation, and which are dead ends. This is also where the safety discipline is non-negotiable: every scan you run in a lab must be aimed at an IP you have verified belongs to your own vulnerable practice VM on a host-only network, never at the host OS, the home router, or anything beyond the isolated lab. Recon is the first place a careless tester can stray outside scope, so verifying the target IP before every scan is a habit worth drilling until it is automatic.

Study this domain by scanning a deliberately-vulnerable target you own and writing up the results as a prioritized attack surface, because that is exactly the exam's mental model. The lab below has you stand up Kali and Metasploitable 2 on a VirtualBox host-only network, confirm the lab has no internet path, verify the target IP, run service/version and vulnerability scans plus SMB and web enumeration against only that target, and record the findings in a recon template — then revert your snapshot. As always, read the official PenTest+ objectives for CompTIA's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Pentest Recon Lab

Enumerate services, versions, SMB shares, and web paths on an isolated vulnerable target Produce a prioritized attack surface mapped to Domain 2 sub-topics

Free tools

  • VirtualBox on your own hardware
  • Kali Linux attacker VM
  • Metasploitable 2 target VM

Steps

  1. Complete the lab isolation & authorization checklist, confirming both VMs use a Host-Only adapter, no VM is Bridged, and the target has no internet path (ping 8.8.8.8 fails), then snapshot both VMs.
  2. From Kali, discover and VERIFY the Metasploitable target's host-only IP, then record it; never scan an IP you have not confirmed is your lab target.
  3. Run service/version detection and the vulnerability script category against ONLY the confirmed target IP, recording ports, services, versions, and vuln hints.
  4. Enumerate SMB (users, shares, policy) and the web server (paths, misconfigurations) on the same target, then write the top-three prioritized attack surface mapped to Domain 2 sub-topics.
  5. Revert both VMs to their pre-lab snapshots so nothing persists in the lab environment.

What you should see

Confirm the template records a verified host-only target IP, a service/version table, SMB and web enumeration detail, and a three-item prioritized attack surface, with the lab reverted to snapshot afterward.

Practice evidence maps to exam_domain_comptia_pentest_plus_pt0_003_02

Stay safe & legal: Scan only the deliberately-vulnerable Metasploitable VM you downloaded and run on your own hardware, on a VirtualBox Host-Only network; never scan a real, third-party, employer, school, cloud, or internet target, or any IP you have not confirmed is your own lab VM. Account required: no; payment required: no; maximum designed cost: $0.

Check yourself

2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A tester gathers public DNS records and employee naming patterns before touching client systems. What type of activity is this?
Check 2. An authorized scan identifies open ports, service banners, and versions on in-scope hosts. What should the tester do with this data?

Module 3 of 5 · domain 3 · 17% of the exam

Vulnerability discovery and analysis

Study this third, after recon. At 17% it is the middle-weight domain, and it is the bridge between mapping the target and attacking it: here you turn scan output into a triaged list of real, validated weaknesses and learn to distinguish a genuine finding from scanner noise.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA PenTest+ (PT0-003) exam objectives

This is the 'which of these findings are real, and how bad are they' domain, and CompTIA weights it at 17% — the middle of the five domains by weight. Vulnerability discovery and analysis sits between reconnaissance and exploitation: recon told you what is there, this domain tells you what is actually weak, and the attacks domain then proves it. The core professional skill here is triage — separating genuine, exploitable vulnerabilities from the flood of scanner output, false positives, and low-value informational findings. A tester who reports every scanner hit as a critical vulnerability is worse than useless; the value is in the honest, prioritized shortlist. Every hands-on activity in this domain, in a lab, runs only against deliberately-vulnerable software you own or an authorized hosted platform.

Automated scanning is the starting point. Vulnerability scanners like Nessus and OpenVAS probe targets for known vulnerabilities, missing patches, and misconfigurations and produce a report with severity ratings; web scanners like Nikto flag common web-server issues; and tools like sqlmap probe specifically for SQL injection. You should understand the difference between authenticated and unauthenticated scans (an authenticated scan logs in and sees far more), and between the dynamic testing of a running application (DAST) and the static analysis of source code (SAST). The exam expects you to pick the right kind of scan for a described goal and to know that a scanner is a starting point, not a verdict.

Manual validation is where the domain earns its weight, because scanners are wrong constantly. Every meaningful automated finding needs a human to confirm it actually exists and is actually exploitable in this environment. A classic example is SQL injection: a scanner flags a parameter, and you confirm it by hand — a single quote that produces a database error is strong evidence, where a generic warning with no reproducible impact is not. Cross-site scripting, authentication weaknesses, and misconfigurations all get the same treatment: reproduce it, or it is not a confirmed finding. This manual-confirmation discipline is exactly what the exam's performance-based questions probe, and it is the habit that keeps a report credible.

False-positive triage is the other half of validation and is worth practicing deliberately. Scanners over-report: they flag issues that do not apply to this configuration, that are already mitigated, or that have no real exploit path. Part of the analyst's job is to mark those clearly and explain why, so the client is not chasing phantom risks. Equally important is de-duplication and severity calibration — grouping related findings, assigning a defensible severity (often with a CVSS estimate), and ranking so the client fixes the genuinely dangerous issues first. The exam rewards the judgment to say 'this is real and critical, this is real but low, and this one is a false positive here, and here is why.'

Documentation ties the domain to the report. Each confirmed vulnerability becomes a finding record: a title, the affected component, an estimated severity, the manual step that confirmed it, whether it is a true or false positive, and a remediation recommendation. This is where analysis becomes the deliverable the client pays for — not a raw scan export, but a curated, evidence-backed, prioritized list a defender can act on. Good documentation is also what makes findings reproducible and defensible if a client pushes back, and it is the direct input to both the attacks phase (what to actually exploit) and the final report.

Study this domain by scanning a deliberately-vulnerable web app you run locally and then confirming the findings by hand, because manual validation is the examinable skill and the professional core. The lab below has you run DVWA locally on Kali bound to localhost, scan it with Nikto and browse it through Burp Community, manually confirm a SQL injection and a reflected XSS, deliberately identify one false positive, and record it all — with a proper false-positive column — in the vulnerability findings template. PortSwigger's Web Security Academy is the authorized hosted alternative. As always, read the official PenTest+ objectives for CompTIA's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Pentest Vuln Analysis Lab

Manually validate a SQL injection and a reflected XSS on a deliberately-vulnerable app Triage a scanner false positive and document a prioritized findings shortlist

Free tools

  • Kali Linux in VirtualBox on your own hardware
  • DVWA running in a local Docker container bound to localhost
  • Burp Suite Community as the browsing proxy

Steps

  1. Review the isolation checklist, then run DVWA via Docker on Kali bound to localhost (127.0.0.1) only and set its security level to low for this exercise.
  2. Run Nikto against the local DVWA and browse it through Burp Suite Community so your test requests are captured; treat every Nikto hit as a lead, not a confirmed finding.
  3. Manually confirm a SQL injection (a single quote producing a database error) and a reflected XSS (a harmless script payload reflecting and executing in your own browser), recording the exact reproduction step for each.
  4. Identify one Nikto false positive with no real exploit path here and record why, then complete the finding records and the false-positive log so the template reads as a prioritized, evidence-backed shortlist.
  5. Stop the DVWA container so nothing keeps listening on your machine, and revert your Kali snapshot if you took one.

What you should see

Confirm the template records a reproduced SQL injection, a reproduced reflected XSS, at least one documented false positive, and severity plus remediation for each true finding, all against a localhost-bound DVWA.

Practice evidence maps to exam_domain_comptia_pentest_plus_pt0_003_03

Stay safe & legal: Attack only the DVWA instance you launched yourself, bound to localhost on your own machine, or PortSwigger's Web Security Academy, which explicitly authorizes attacking its hosted labs; never test any site, app, or IP you do not own or are not authorized to test. Account required: optional; payment required: no; maximum designed cost: $0.

Check yourself

2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A scanner flags a critical CVE on a service, but the service version may be backported by the vendor. What should the tester do?
Check 2. Individually, weak passwords and overly broad file permissions are medium risk, but together they expose sensitive data. What analysis skill is being tested?

Module 4 of 5 · domain 4 · 35% of the exam

Attacks and exploits

Study this fourth, and give it the most time. At 35% it is by far the heaviest domain — over a third of the exam — and it is the natural centerpiece: only after you have scoped, enumerated, and validated do you actually exploit, so it also carries the most careful safety discipline in the lab.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA PenTest+ (PT0-003) exam objectives

This is the 'actually break in' domain, and at 35% it is by far the heaviest slice of the exam — more than a third of it, and larger than any two other domains combined except the recon-plus-vuln pairing. Attacks and exploits is the centerpiece of PenTest+ and the phase most people picture when they think of penetration testing, but it only comes fourth in our sequence for a reason: exploitation is legitimate only after you have scoped the engagement, enumerated the target, and validated the vulnerabilities. Because this domain is where real damage is possible, it also carries the strictest safety discipline in the lab — every exploit here runs only against deliberately-vulnerable practice systems you own on an isolated network, or an authorized hosted platform.

The domain spans a wide range of attack surfaces. Network attacks include on-path (man-in-the-middle) techniques, relay and poisoning attacks, and exploitation of vulnerable network services. Authentication attacks include password spraying, credential stuffing, brute-forcing, and abusing weak or default credentials — with the tester's judgment being to stop at proof rather than causing lockouts or damage. Host-based attacks target the operating system and its services. The exam expects breadth: you should recognize the common attack families, the tools associated with each, and the scenario in which one fits, rather than deep mastery of any single exploit.

Web application attacks are a large and heavily-tested part of this domain, and they map directly to the vulnerability work from Domain 3. You are expected to understand injection attacks (SQL injection and command injection), cross-site scripting (XSS), server-side request forgery (SSRF), insecure direct object references (IDOR), file-upload and file-inclusion flaws, and authentication and session weaknesses. The mental model is the OWASP-style catalog of web weaknesses, and the skill is matching an observed behavior to the underlying flaw and knowing how it is exploited and confirmed. Because so much of modern penetration testing is web-focused, this is where a lot of your practice time should go — and it is exactly what hosted platforms like PortSwigger's Academy let you practice safely and legally.

Beyond the classic surfaces, PT0-003 explicitly broadens into modern territory. Cloud and API attacks cover misconfigured storage, over-permissive identity and access policies, exposed keys, and insecure API endpoints. Wireless attacks cover weaknesses in Wi-Fi authentication and encryption. And the current objectives introduce AI-enabled attack vectors — recognizing how attackers use and target AI systems, and how AI-assisted tooling changes the tester's own workflow. You are not expected to be a specialist in every one of these, but you should recognize each as an attack surface and know the characteristic weaknesses and tools involved, because the exam samples across all of them.

The unifying professional discipline in this domain is exploitation with restraint. A skilled tester proves a vulnerability is exploitable with the minimum necessary action and then stops — confirming a SQL injection without dumping a customer database, demonstrating a brute-force works by stopping on the first valid credential, gaining a shell and capturing 'whoami' rather than causing an outage. The point is evidence for the report, not maximum destruction, and staying inside scope at all times. This restraint is both an ethical requirement and an examinable judgment: many questions test whether you choose the proportionate, in-scope action over the flashy, damaging one.

Study this domain by exploiting deliberately-vulnerable targets you own, with the strongest safety discipline on the track, because this is where a careless tester does real harm. The lab below, run only against Metasploitable 2 and DVWA on a host-only network, has you launch a Metasploit module against a known-vulnerable service (capturing whoami), confirm a SQL injection with sqlmap and stop after confirmation (no dumping sensitive data), and run a controlled Hydra brute-force against the DVWA login that stops on the first success. PortSwigger's Web Security Academy is the authorized hosted alternative for the web-attack portions. As always, read the official PenTest+ objectives for CompTIA's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Pentest Exploitation Lab

Exploit a vulnerable service and confirm a web injection against targets you own, with restraint Run a controlled brute-force that stops on the first success and document minimal proof

Free tools

  • VirtualBox on your own hardware
  • Kali Linux attacker VM
  • Metasploitable 2 and local DVWA targets

Steps

  1. Complete the lab isolation & authorization checklist in full and verify the Metasploitable target IP again; if any box cannot be checked, stop and do not run any exploit.
  2. In msfconsole, select a module for a service you enumerated as vulnerable on Metasploitable, set RHOSTS to the confirmed target IP, run it, and on success capture whoami as evidence, then stop.
  3. Use sqlmap to confirm an injection point on a DVWA parameter you already validated by hand, and STOP once it is confirmed — do not enumerate or dump databases or any sensitive data.
  4. Run a controlled Hydra brute-force against your local DVWA login using a SMALL wordlist you build yourself (a handful of common passwords, so the run is fast), configured to stop on the first valid credential. Treat the command as a template to adapt, not a copy-paste: DVWA runs on port 8080 and its login uses an anti-CSRF user_token, so set the correct port, supply the current token, and use DVWA's real failure string.
  5. Write each result up as evidence with a remediation, noting where you chose to stop and why, then revert every VM to its pre-lab snapshot and stop the DVWA container.

What you should see

Confirm each exploit ran only against a verified self-owned target, produced minimal proof (whoami, confirmed injection, one weak credential), stopped short of damage or data exfiltration, and was documented with a remediation before reverting snapshots.

Practice evidence maps to exam_domain_comptia_pentest_plus_pt0_003_04

Stay safe & legal: Exploit only Metasploitable 2 and a local DVWA that you run yourself on a VirtualBox Host-Only network, or PortSwigger's Web Security Academy, which authorizes attacking its hosted labs; never launch any exploit, injection, or brute-force at a real, third-party, employer, school, cloud, or internet target. Account required: no; payment required: no; maximum designed cost: $0.

Check yourself

4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. A web form appears to concatenate user input into a database query. Which safe testing concept should the candidate understand?
Check 2. A tester discovers that changing an object ID in a request exposes another user's record. What category should they recognize?
Check 3. The rules of engagement permit credential testing but require avoiding account lockouts. Which attack technique and control should be considered?
Check 4. A client authorizes a phishing simulation but requires pre-approved templates and no credential collection. What should the tester do?

Module 5 of 5 · domain 5 · 14% of the exam

Post-exploitation and lateral movement

Study this last. At 14% it is a light domain, but it only makes sense once you have a foothold: persistence, privilege escalation, and documentation are the final phase of an engagement and the bridge to the report, so it naturally closes the sequence.

What this domain actually covers

Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA PenTest+ (PT0-003) exam objectives

This is the 'you are in — now what' domain, and CompTIA weights it at 14% of the exam. Post-exploitation and lateral movement is the final phase of an engagement: once a tester has a foothold, this domain covers what they do next to demonstrate real business impact — escalating privileges, moving to other systems within scope, harvesting credentials, understanding what data would be at risk, and then cleaning up and documenting. We place it last because none of it makes sense until you have gained access, so it naturally follows the attacks domain and leads directly into the report. Everything here, in a lab, is performed only against a deliberately-vulnerable VM you own on an isolated network, and persistence and lateral movement are documented or simulated rather than left in place.

Privilege escalation is the domain's core skill. Initial access often lands you as a low-privileged user, and the tester's job is to find a path to higher privilege — administrator or root — that a real attacker could take. On Linux this includes enumerating SUID binaries, misconfigured sudo rules, writable scripts running as root, and kernel vulnerabilities; on Windows it includes unquoted service paths, weak service permissions, token abuse, and stored credentials. The exam expects you to recognize the common escalation techniques on both platforms and to know the enumeration that reveals them — the discipline of methodically checking each avenue rather than guessing. Escalation is often where a test moves from 'we got a shell' to 'we could have owned the environment.'

Persistence and lateral movement extend the foothold, and both demand strict professional restraint. Persistence is how an attacker survives a reboot or a lost session — scheduled tasks, cron jobs, added accounts, or services. In an authorized test, persistence is documented as a demonstrated technique and then removed; you never leave a real backdoor behind. Lateral movement is how an attacker pivots from the first compromised host to others — reusing credentials, abusing trust relationships, or tunneling through the compromised host — always staying strictly within the authorized scope. On a single-target home lab, lateral movement is necessarily theoretical: you describe the path you would take, and you do not attack any additional machine unless it too is an owned vulnerable VM on your isolated network.

Credential harvesting and understanding data at risk are what turn access into business impact for the report. Testers collect credentials that a real attacker could use — password hashes, stored secrets, tokens, and reused passwords — and may crack recovered hashes offline to demonstrate that weak passwords are exploitable. Just as important is articulating what sensitive data the access exposes: the point of a test is to show a defender what a breach would actually cost, not to steal anything. In an authorized engagement you never exfiltrate real data to an external system; you document what is reachable and what the risk would be, and you delete any harvested material from your attacker machine once it is recorded.

Cleanup and documentation close both the domain and the engagement. A professional leaves the environment as they found it: removing any simulated persistence, closing sessions and listeners, deleting harvested files from the attacker machine after documenting them, and — in a lab — reverting VMs to their pre-lab snapshots. The deliverable is the post-exploitation section of the report: the access obtained, how privilege was escalated, what credentials and data were at risk, and a prioritized set of remediations a defender should make. This documentation-and-cleanup discipline is exactly what the exam's performance-based and scenario questions probe, because it is what separates a legitimate assessment from a break-in.

Study this domain by practicing the full post-exploitation cycle against a target you own and, crucially, by practicing the cleanup, because the discipline is the point. The lab below has you re-establish a session on Metasploitable, enumerate users and SUID binaries for escalation, DOCUMENT (not deploy) a persistence technique and then remove it, crack a couple of hashes with John against the rockyou list, note what data would be at risk without exfiltrating it, complete the post-exploitation report template, and revert your snapshots. As always, read the official PenTest+ objectives for CompTIA's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.

Learn it free

Pentest Postexploitation Lab

Enumerate a privilege-escalation path and document persistence, then remove it Crack harvested hashes offline and produce a post-exploitation report with remediations

Free tools

  • VirtualBox on your own hardware
  • Kali Linux attacker VM
  • Metasploitable 2 target VM

Steps

  1. Complete the isolation checklist, confirm the target IP, snapshot both VMs, then re-establish a session on Metasploitable and record the access vector and privilege level (whoami/id) in the report template.
  2. Enumerate for privilege escalation by listing users and finding SUID binaries, and note any that suggest a known escalation path.
  3. Document a persistence technique as syntax only in the template, then remove it immediately and confirm it is gone; treat lateral movement as theoretical and describe the path you would take without attacking any additional machine.
  4. Harvest a couple of password hashes from the target and crack them offline with John against rockyou to demonstrate weak passwords, then note what data would be at risk WITHOUT exfiltrating anything.
  5. Run the cleanup checklist (remove simulated persistence, close sessions and listeners, delete harvested files after documenting), complete the remediation summary, and revert both VMs to their pre-lab snapshots.

What you should see

Confirm the report records the access vector and privilege level, an enumerated escalation path, a persistence technique that was documented and then removed, at least one cracked hash, a data-at-risk note with no exfiltration, and a three-item remediation summary, with both VMs reverted afterward.

Practice evidence maps to exam_domain_comptia_pentest_plus_pt0_003_05

Stay safe & legal: Perform post-exploitation only on Metasploitable 2 that you run yourself on a VirtualBox Host-Only network; never against a real, third-party, employer, school, cloud, or internet target, and never move laterally to any machine you do not own on this isolated network. Account required: no; payment required: no; maximum designed cost: $0.

Check yourself

2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.

Check 1. After gaining a limited test account on an in-scope host, the tester checks misconfigurations that could raise privileges without causing disruption. What phase is being tested?
Check 2. A tester proves that one compromised host can reach a sensitive file server using reused credentials. What should be captured?

Skills you’ll build

Studying CompTIA PenTest+builds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:

Before you book the exam

Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.

Exam facts (cited)

A free, source-cited study companion built on CompTIA's published PenTest+ (PT0-003) exam objectives — not official training, not a pass guarantee. PenTest+ is not an entry-level certification; it assumes Security+-level knowledge plus hands-on experience, and every hands-on lab here runs only against deliberately-vulnerable practice systems you own or platforms you are explicitly authorized to use. Verify the current objectives on the official page before your exam.

Sources used on this page

Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by CompTIA.