CompTIA PenTest+

PenTest+ Cheat Sheet

PenTest+ Tests Penetration Testing Methodology and Reporting — Not Just Attack Execution

The exam tests the full pentest lifecycle: planning, reconnaissance, scanning, exploitation, post-exploitation, and professional reporting within legal and ethical boundaries.

Among the harder certs
Avg: approximately 62–67%
Pass: 750 on a 100–900 scale
Most candidates understand CompTIA PenTest+ concepts — and still fail. This exam tests how you apply knowledge under pressure.

PenTest+ Penetration Testing Lifecycle

CompTIA PenTest+ (PT0-002) tests the full penetration testing lifecycle with emphasis on planning, scoping, and professional reporting within legal and ethical boundaries.

  1. Planning & Scoping — define the rules of engagement, legal authorization, and scope
  2. Reconnaissance — passive OSINT and active scanning to map the attack surface
  3. Vulnerability Scanning — identify exploitable weaknesses systematically
  4. Exploitation — gain access through identified vulnerabilities
  5. Post-Exploitation — lateral movement, persistence, and data exfiltration assessment
  6. Reporting — communicate findings, risk ratings, and remediation to stakeholders

Wrong instinct vs correct approach

During a web application test, the tester discovers access to a production database
✕ Wrong instinct

Extract sample data to demonstrate the severity of the finding

✓ Correct approach

Stop at demonstrating access — document the finding with evidence (screenshots without PII), assess business impact, and report immediately; extracting actual data may violate scope and data protection laws

A vulnerability is found in a system outside the agreed scope
✕ Wrong instinct

Test the out-of-scope system since it poses a real risk

✓ Correct approach

Document the discovery, immediately notify the client contact, pause testing of that system, and await explicit written authorization before proceeding — out-of-scope testing without authorization is unauthorized access

Post-exploitation has provided domain admin credentials
✕ Wrong instinct

Use the credentials to access as many systems as possible to demonstrate the full impact

✓ Correct approach

Demonstrate the minimum access required to prove the impact, document the escalation path, and immediately report the critical finding — unnecessary access beyond what is required to demonstrate the vulnerability exceeds scope

Know these cold

  • Rules of Engagement define the legal boundary — never act outside scope
  • Passive recon never touches the target, so it leaves nothing in the target's logs (third-party sources such as WHOIS or search engines may still record your queries); active scanning generates traffic and log entries on the target — choose based on detection risk
  • Exploit only after thorough vulnerability analysis and prioritization
  • CVSS v3 Base Score is computed, not summed, from Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Confidentiality/Integrity/Availability impact
  • Pentest reports — executive summary (business risk) + technical findings (remediation guidance)
  • Evidence collection: screenshots, command output, timestamps — document everything in real time
  • If in doubt about scope, stop and ask — unauthorized access has legal consequences
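The out-of-scope scenario above and the evidence-collection bullet both come down to the same engineering control: check every target against the Rules of Engagement before acting, and record what you did with a timestamp and a hash of the output. The following is an added example, not code from the original cheat sheet or from CompTIA; the ROE_SCOPE dictionary is a constructed scope (documentation ranges and example.com), and the excluded production database host is likewise made up for illustration.

```python
"""Scope gate plus timestamped evidence record for a pentest (added example).

Assumed inputs: a constructed Rules-of-Engagement scope (CIDRs, domains, and an
explicit exclusion list). Nothing here talks to the network; it only decides
whether an action is authorized and how to record it.
"""
import hashlib
import ipaddress
from datetime import datetime, timezone

# Constructed RoE scope for illustration only (not a real engagement).
ROE_SCOPE = {
    "networks": ["10.10.0.0/16", "192.0.2.0/24"],
    "domains": ["example.com"],          # example.com and any subdomain
    "excluded_hosts": ["10.10.5.20"],    # e.g. a production DB carved out of scope
}


def in_scope(target, scope=ROE_SCOPE):
    """Return True only if target is explicitly covered by the RoE and not excluded.

    IP targets are matched against the CIDR list after the exclusion list;
    hostnames must equal a scoped domain or be a subdomain of one
    (so example.com.evil.net and notexample.com are rejected).
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ip == ipaddress.ip_address(h) for h in scope["excluded_hosts"]):
            return False
        return any(ip in ipaddress.ip_network(n) for n in scope["networks"])
    host = target.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in scope["domains"])


def evidence_record(target, command, output, scope=ROE_SCOPE, excerpt_len=200):
    """Build an evidence entry for a command run against target.

    Refuses to record (and therefore to proceed) when the target is outside
    the RoE. The full output is fingerprinted with SHA-256 so the report can
    prove what was captured without storing bulk data; only a short excerpt
    is kept inline, which is where PII redaction belongs before reporting.
    """
    if not in_scope(target, scope):
        raise PermissionError(
            f"{target} is not in the Rules of Engagement scope; "
            "stop, notify the client contact, and wait for written authorization"
        )
    return {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "target": target,
        "command": command,
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        "output_excerpt": output[:excerpt_len],
    }


if __name__ == "__main__":
    print(evidence_record("10.10.3.4", "id", "uid=0(root) gid=0(root)"))
    try:
        evidence_record("10.11.0.1", "id", "uid=0(root)")
    except PermissionError as err:
        print("refused:", err)
```

Wire the gate into whatever runner you use (a wrapper around your scanner invocation, a pre-flight check in a tooling script) so that an out-of-scope address fails closed rather than relying on the tester's memory of the scope document.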

Common Exam Mistakes — What candidates get wrong

Exploiting vulnerabilities without confirming scope authorization

Every action during a pentest must be within the agreed scope defined in the Rules of Engagement. Acting outside scope — even if technically possible — is unauthorized access and can be a criminal offense. PenTest+ heavily tests scope awareness.

Jumping to exploitation before completing vulnerability analysis

The methodology requires thorough vulnerability scanning and analysis before exploitation attempts. Candidates who select exploitation answers without first enumerating and prioritizing vulnerabilities skip required methodology steps.

Confusing active vs. passive information gathering consequences

Passive OSINT never contacts the target, so the target cannot detect it (only third-party sources such as WHOIS or search engines see the queries). Active scanning generates network traffic and log entries on the target. The choice between them has detection risk implications that the exam tests explicitly.

Producing technical reports without executive summaries

Professional pentest reports have two sections: an executive summary for non-technical stakeholders and technical findings for the security team. Candidates who report only technical findings fail the professional communication component.

Misidentifying CVSS scoring components

CVSS v3 Base Score is computed from Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the Confidentiality, Integrity, and Availability impact metrics; the metrics feed exploitability and impact sub-scores rather than being added together. Candidates who assign CVSS scores without understanding these components produce inaccurate risk ratings.

PenTest+ tests professional pentesting judgment: it checks whether you know the methodology, not just the techniques.