This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
PenTest Plus
The CompTIA PenTest+ (PT0-003) course teaches planning, scoping, information gathering, vulnerability scanning, attack techniques, post‑exploitation, and reporting, enabling experienced testers to conduct authorized, comprehensive penetration assessments aligned with industry standards.
Who Should Take This
Mid‑level security professionals with three to four years of hands‑on experience in vulnerability assessment and exploitation are ideal candidates. They should hold CompTIA Security+ or equivalent knowledge and aim to validate and expand their penetration testing expertise for career advancement and compliance‑driven engagements.
What's Included in AccelaStudy® AI
Course Outline
60 learning goals
Domain 1: Planning and Scoping
2 topics
Engagement planning and scoping
- Apply engagement scoping techniques to define target systems, IP ranges, domains, testing windows, excluded assets, and rules of engagement for black-box, gray-box, and white-box tests.
- Implement pre-engagement documentation including master service agreements, statements of work, authorization letters, and emergency contact procedures.
- Analyze engagement requirements to determine appropriate testing methodology, resource allocation, timeline constraints, and risk considerations for client environments.
Attack frameworks and compliance considerations
- Apply penetration testing frameworks including MITRE ATT&CK, OWASP Testing Guide, PTES, and OSSTMM to structure testing activities and ensure comprehensive attack technique coverage.
- Implement threat modeling methodologies including STRIDE, PASTA, and attack trees to identify potential attack vectors and prioritize testing efforts.
- Assess compliance-driven testing requirements for PCI-DSS, HIPAA, and FedRAMP to ensure penetration test scope and methodology satisfy regulatory mandates.
- Design comprehensive engagement plans that align testing methodology with client business objectives, risk tolerance, compliance requirements, and organizational constraints.
Domain 2: Information Gathering and Vulnerability Scanning
3 topics
Passive reconnaissance and OSINT
- Execute passive reconnaissance using OSINT sources including WHOIS, DNS lookups, certificate transparency logs, Shodan, social media, and cached web content to map the target.
- Perform email harvesting, subdomain enumeration, and technology fingerprinting using theHarvester, Amass, Recon-ng, and Maltego to build target intelligence profiles.
- Implement credential discovery techniques including breached credential databases, paste site monitoring, and public code repository scanning to identify exposed authentication data.
- Analyze OSINT findings to identify potential attack paths, high-value targets, exposed credentials, and information leakage for exploitation phases.
Active reconnaissance and scanning
- Execute active network scanning using Nmap for host discovery, port scanning, service version detection, OS fingerprinting, and NSE script-based enumeration.
- Perform service enumeration on discovered hosts including SMB shares, SNMP communities, DNS zone transfers, LDAP queries, NFS exports, and web directory brute-forcing.
- Implement evasion techniques including scan timing adjustments, fragmentation, decoys, source port manipulation, and protocol-level obfuscation to bypass detection systems.
- Analyze scan results to identify live hosts, open ports, running services, version vulnerabilities, and misconfigurations representing viable attack vectors.
Vulnerability scanning and analysis
- Configure and execute vulnerability scans using Nessus and OpenVAS with appropriate scan policies, credentials, and scope settings to identify known vulnerabilities.
- Perform web application scanning using Burp Suite, Nikto, and OWASP ZAP to identify injection points, authentication flaws, and insecure configurations.
- Evaluate vulnerability scan output to validate findings, eliminate false positives, and map findings to potential attack chains based on CVSS and exploit availability.
- Architect comprehensive reconnaissance strategies that combine passive and active techniques to maximize target intelligence while managing detection risk and engagement scope constraints.
Domain 3: Attacks and Exploits
5 topics
Network attacks
- Execute network-based attacks including ARP poisoning, LLMNR/NBT-NS poisoning, MITM attacks, and relay attacks using Responder, Bettercap, and Impacket.
- Perform DNS attacks including cache poisoning, DNS tunneling for data exfiltration, subdomain takeover, and zone transfer exploitation.
- Execute on-path attacks to intercept and modify network traffic for credential capture, session hijacking, and SSL stripping using appropriate interception tools.
- Analyze network attack results to determine credential capture scope, data interception extent, and lateral movement opportunities through exploited protocols.
Web application attacks
- Execute SQL injection attacks including error-based, blind, union-based, and second-order injection using manual techniques and SQLmap to extract database contents.
- Perform cross-site scripting attacks including reflected, stored, and DOM-based XSS to demonstrate client-side code execution and session hijacking.
- Execute server-side attacks including SSRF, command injection, file inclusion (LFI/RFI), insecure deserialization, XXE injection, and template injection.
- Perform authentication bypass attacks including session fixation, JWT manipulation, insecure direct object reference exploitation, and broken access control testing.
- Analyze web application attack results to assess data exposure and privilege escalation potential, and chain multiple vulnerabilities to demonstrate the maximum business impact.
Authentication and credential attacks
- Execute password attacks including online brute force, offline hash cracking with Hashcat and John the Ripper, password spraying, and credential stuffing.
- Perform Active Directory attacks including Kerberoasting, AS-REP roasting, golden ticket, silver ticket, DCSync, and Pass-the-Hash using Mimikatz, Rubeus, and BloodHound.
- Analyze Active Directory attack paths using BloodHound to identify shortest paths to domain admin, dangerous permissions, and delegation misconfigurations.
Wireless and physical attacks
- Execute wireless attacks including WPA/WPA2 handshake capture and cracking, evil twin access points, deauthentication attacks, and WPS brute force with Aircrack-ng.
- Execute social engineering attacks including pretexting, phishing campaigns, USB drop attacks, and physical security bypass as authorized engagement components.
- Perform Bluetooth and RFID attacks including Bluetooth sniffing, RFID cloning, and near-field communication interception to demonstrate wireless technology vulnerabilities.
- Assess wireless and physical attack effectiveness relative to the engagement scope and recommend countermeasures for identified weaknesses.
Cloud and AI-based attacks
- Perform cloud-specific attacks including storage bucket exploitation, IAM privilege escalation, metadata service abuse, serverless injection, and cloud credential theft.
- Apply AI-augmented attack techniques including AI-generated phishing, deepfake social engineering, automated vulnerability discovery, and AI-assisted code analysis.
- Evaluate cloud and AI-based attack vectors to determine which techniques are most effective for the target environment and assess detection evasion capabilities.
- Design multi-vector attack strategies that combine network, application, cloud, wireless, and social engineering techniques to demonstrate comprehensive compromise scenarios.
Domain 4: Post-Exploitation
4 topics
Lateral movement and pivoting
- Execute lateral movement techniques including pass-the-hash, PsExec, WMI execution, RDP pivoting, SSH tunneling, and port forwarding between compromised systems.
- Implement network pivoting using SOCKS proxies, SSH dynamic port forwarding, Chisel, and Metasploit autoroute to access segmented networks.
- Analyze lateral movement paths to determine the most efficient route to high-value targets and domain controllers while minimizing detection risk.
Privilege escalation
- Execute Linux privilege escalation including SUID/SGID exploitation, cron job abuse, kernel exploits, sudo misconfigurations, and capability abuse.
- Execute Windows privilege escalation including unquoted service paths, DLL hijacking, token impersonation, UAC bypass, and Always Install Elevated exploitation.
- Investigate privilege escalation opportunities by enumerating users, groups, installed software, processes, scheduled tasks, and misconfigured permissions on Linux and Windows.
Persistence and C2
- Implement persistence mechanisms including scheduled tasks, registry modifications, startup scripts, web shells, backdoor accounts, and rootkits on compromised systems.
- Configure C2 frameworks including Metasploit, Cobalt Strike, and Sliver to establish covert channels using HTTP/HTTPS, DNS, and custom protocols.
- Design persistence and C2 strategies balancing operational security with engagement objectives and selecting methods appropriate to target monitoring capabilities.
Data exfiltration and evidence cleanup
- Perform data exfiltration using DNS tunneling, HTTPS transfers, steganography, and encrypted archives to demonstrate data loss risk to the client.
- Execute post-engagement cleanup including removing persistence mechanisms, deleting test accounts, removing tools, and restoring configurations to pre-test state.
- Assess data exfiltration paths and volumes to quantify potential business impact including sensitive data exposure, regulatory notification, and reputational damage.
Domain 5: Reporting and Communication
3 topics
Penetration test report writing
- Implement penetration test report structures including executive summary, methodology, findings with CVSS scoring, evidence, remediation recommendations, and appendices.
- Apply findings classification using CVSS v3.1/v4.0 scoring, risk ratings, and business impact assessment to categorize discovered vulnerabilities.
- Evaluate report quality by assessing finding reproducibility, evidence completeness, remediation actionability, and appropriate depth for the intended audience.
Remediation and retesting
- Implement remediation recommendation documentation including specific fixes, compensating controls, implementation priority, estimated effort, and verification procedures.
- Perform retesting engagements to validate client remediation actions and document results in a remediation validation report.
- Recommend strategic security improvements beyond individual findings including architecture changes and program enhancements based on aggregate results.
Communication during engagements
- Apply client communication protocols including status updates, critical finding notifications, scope change requests, and deconfliction procedures during active engagements.
- Adapt report presentations for different audiences including technical teams, IT management, executive leadership, and compliance auditors.
- Design engagement communication plans defining reporting cadence, escalation thresholds, secure channels, and deliverable schedules aligned with client expectations.
Scope
Included Topics
- All domains and objectives in the CompTIA PenTest+ (PT0-003) exam: Domain 1 Planning and Scoping (14%), Domain 2 Information Gathering and Vulnerability Scanning (22%), Domain 3 Attacks and Exploits (30%), Domain 4 Post-Exploitation (18%), and Domain 5 Reporting and Communication (16%).
- Advanced red team and offensive security skills including engagement planning, passive and active reconnaissance, exploitation across network, web application, wireless, cloud, and mobile attack surfaces, post-exploitation techniques, and professional penetration test reporting.
- Core offensive tools and frameworks: Nmap, Nessus, Burp Suite, Metasploit, Cobalt Strike, BloodHound, Mimikatz, Hashcat, John the Ripper, Gobuster, Nikto, SQLmap, Responder, Impacket, CrackMapExec, Wireshark, Aircrack-ng, and social engineering toolkits. Frameworks: MITRE ATT&CK, OWASP Testing Guide, PTES, OSSTMM.
- Scenario-driven offensive security decisions requiring engagement scoping, attack path selection, exploitation judgment, evidence documentation, and professional communication with clients during and after penetration test engagements.
Not Covered
- Defensive security operations including SOC monitoring, SIEM tuning, and incident response workflows (covered by CySA+ CS0-003).
- Enterprise security architecture design and governance at the executive level (covered by SecurityX CAS-005).
- Foundational security concepts and terminology at the introductory level (covered by Security+ SY0-701).
- Full exploit development from scratch including shellcode writing, ROP chain construction, and kernel exploitation beyond using existing tools and frameworks.
- Legal practice and jurisdictional specifics beyond understanding the necessity of written authorization, scope limitations, and compliance considerations.