
Penetration Tester Cheat Sheet

CompTIA PenTest+ Tests Practical Penetration Testing Judgment

PenTest+ goes beyond attack knowledge — it tests planning, scoping, reporting, and legal/compliance aspects of professional penetration testing engagements.

Among the harder certs
Avg: Approximately 62–67%
Pass: 750 (on CompTIA's 100–900 scale)
Most candidates understand the Penetration Tester concepts and still fail: the exam tests how you apply that knowledge under pressure, in scenario questions with several defensible-looking answers.

PenTest+ Engagement Lifecycle

PenTest+ PT0-002 covers the full engagement lifecycle. The exam tests not just attack techniques but the professional and legal context of penetration testing. Reporting and communication questions are frequently underestimated.

  1. Planning & Scoping — Define scope, rules of engagement, legal agreements
  2. Information Gathering & Vulnerability Scanning — Passive/active recon, vulnerability identification
  3. Attacks & Exploits — Network, application, wireless, social engineering, physical
  4. Reporting & Communication — Document findings, risk ratings, remediation recommendations
  5. Tools & Code Analysis — Scripting, exploitation frameworks, analysis tools

Wrong instinct vs correct approach

During an engagement, the tester discovers evidence of an active intrusion by a third party
✕ Wrong instinct

Continue the engagement and include it in the final report

✓ Correct approach

Stop and immediately notify the client — active breaches require incident response, not continued penetration testing; the rules of engagement should define this escalation process

A critical vulnerability is found that could expose sensitive customer data
✕ Wrong instinct

Complete the full engagement before notifying the client

✓ Correct approach

Critical findings with potential for significant harm must be communicated to the client immediately, not held for the final report — define this in the rules of engagement upfront

An internal web application is out of scope but is clearly vulnerable
✕ Wrong instinct

Exploit it anyway since it's a significant security risk

✓ Correct approach

Document the finding and notify the client that an out-of-scope asset may have significant vulnerabilities — never exploit out-of-scope assets regardless of the apparent risk

Know these cold

  • Written authorization is mandatory before any testing — verbal permission is insufficient
  • Define scope, rules of engagement, and escalation procedures before engagement begins
  • CVSS Base = intrinsic severity, constant across environments; Temporal = factors that change over time (exploit code maturity, remediation level, report confidence); Environmental = the deploying organization's context (security requirements for C/I/A and modified base metrics)
  • Critical findings require immediate client notification — don't wait for the final report
  • Out-of-scope assets — document and notify, never exploit
  • Report findings with business impact context, not just technical severity
  • Cleanup and remediation verification are part of a complete engagement

Can you answer these without checking your notes?

In this scenario: "During an engagement, the tester discovers evidence of an active intrusion by a third party" — what should you do first?
Stop and immediately notify the client — active breaches require incident response, not continued penetration testing; the rules of engagement should define this escalation process
In this scenario: "A critical vulnerability is found that could expose sensitive customer data" — what should you do first?
Critical findings with potential for significant harm must be communicated to the client immediately, not held for the final report — define this in the rules of engagement upfront
In this scenario: "An internal web application is out of scope but is clearly vulnerable" — what should you do first?
Document the finding and notify the client that an out-of-scope asset may have significant vulnerabilities — never exploit out-of-scope assets regardless of the apparent risk

Common Exam Mistakes — What candidates get wrong

Ignoring scoping and rules of engagement questions

PenTest+ heavily tests the pre-engagement phase: defining scope, establishing rules of engagement, obtaining written authorization, handling out-of-scope discoveries. Candidates who focus only on attack techniques miss a significant portion of the exam.

Confusing gray box vs. black box vs. white box testing

Black box (PT0-002 also calls this unknown-environment testing): no prior knowledge of the target. Gray box (partially known environment): partial knowledge, e.g. a network diagram or a low-privilege account. White box (known environment): full knowledge, including source code and architecture. Depth, duration and realism of the methodology vary by model, and scenario questions hinge on which one the client chose; candidates mix these up.

Misidentifying CVSS scoring components

CVSS scores have three groups: Base (inherent characteristics of the vulnerability, the number published with a CVE), Temporal (factors that change over time: exploit code maturity, remediation level, report confidence), and Environmental (deployment-specific factors: how much the organization values confidentiality, integrity and availability of the affected asset, and modified base metrics such as reduced attack vector). Candidates quote the Base score alone when the question asks for the severity in this client's environment, or for how today's exploit availability changes it.

Not knowing when to stop and report

PenTest+ tests professional judgment about escalation — when to stop an attack, when to notify the client of a critical finding immediately (vs. documenting it for the report), and when an out-of-scope discovery must be reported immediately.

Treating post-exploitation activities as unrestricted

Post-exploitation activities (lateral movement, data exfiltration simulation, privilege escalation) must stay within the authorized scope. Candidates who treat post-exploitation as unrestricted are applying CTF thinking, not professional pentest methodology.
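The out-of-scope scenario above and this post-exploitation point have the same practical control: every target you are about to touch, whether found during recon or reached by lateral movement, is checked against the signed scope first. The following is an added example, not code from the original page or from any exam material, of a pre-flight scope check. The scope-file format (CIDRs, single IPs, hostnames, `*.domain` wildcards, `!` for explicit exclusions that always win) and all addresses and hostnames in it are constructed for illustration.

```python
"""Pre-flight scope check: partition discovered hosts into in-scope and
out-of-scope before any active testing touches them.
Scope format, addresses and hostnames below are constructed for this example."""
import ipaddress

# Constructed scope file. One entry per line: CIDR or single IP, a hostname,
# or '*.domain' for all subdomains (not the apex). A leading '!' marks an
# explicit exclusion, which always wins over an including entry. '#' comments.
SCOPE_FILE = """
# Client ranges from the signed SOW appendix (constructed)
10.10.0.0/16
!10.10.5.0/24            # production database segment: do not touch
192.168.1.50             # jump host, explicitly listed
*.example-corp.test      # all subdomains, not the apex
vpn.partner.test         # single named host
!legacy.example-corp.test  # excluded even though the wildcard covers it
"""

# Constructed list of hosts turned up by recon and post-exploitation
DISCOVERED = [
    "10.10.1.7", "10.10.5.12", "172.16.0.3", "192.168.1.50",
    "intranet.example-corp.test", "example-corp.test",
    "legacy.example-corp.test", "vpn.partner.test", "mail.partner.test",
]


def parse_scope(text: str) -> dict:
    """Build include/exclude network lists and hostname sets from the scope file."""
    scope = {"include": [], "exclude": [], "hosts": set(),
             "hosts_exclude": set(), "wildcards": []}
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        exclude = entry.startswith("!")
        entry = entry.lstrip("!").strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an address: treat as hostname or wildcard
            if exclude:
                scope["hosts_exclude"].add(entry)
            elif entry.startswith("*."):
                scope["wildcards"].append(entry[1:])   # ".example-corp.test"
            else:
                scope["hosts"].add(entry)
            continue
        scope["exclude" if exclude else "include"].append(net)
    return scope


def in_scope(scope: dict, target: str) -> bool:
    """True only if the target is covered by an include entry and by no exclusion."""
    target = target.strip().lower()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        if target in scope["hosts_exclude"]:
            return False
        # Suffix match requires the leading dot, so the apex is not matched
        return target in scope["hosts"] or any(
            target.endswith(w) for w in scope["wildcards"])
    if any(ip in net for net in scope["exclude"]):
        return False
    return any(ip in net for net in scope["include"])


def partition(scope: dict, targets) -> tuple:
    """Split targets into (in_scope, out_of_scope), preserving order."""
    inside = [t for t in targets if in_scope(scope, t)]
    outside = [t for t in targets if not in_scope(scope, t)]
    return inside, outside


if __name__ == "__main__":
    scope = parse_scope(SCOPE_FILE)
    inside, outside = partition(scope, DISCOVERED)
    print("IN SCOPE (may be scanned):", inside)
    print("OUT OF SCOPE (document and notify, do not touch):", outside)
```

Feed only the in-scope list to scanners and exploitation tooling (for example as an nmap target file), and treat the out-of-scope list as findings to report, not targets. Note the two edge cases the check handles: an explicit exclusion beats a broader include, and a `*.domain` wildcard does not cover the apex domain.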

PenTest+ tests the full engagement lifecycle, not just attack techniques. Test your penetration testing judgment.