Is PenTest+ Worth It?
The CompTIA PenTest+ is a vendor-neutral penetration testing exam. While not as illustrious as the CEH or as notorious as the OSCP, PenTest+ is a valuable certification for any IT professional looking to get into security, or for experienced security professionals attempting to validate their skills.
Whether or not you consider the PenTest+ worth the time, effort, and the cost is very much dependent on your career goals and experience.
In this article, we’ll take a look at the PenTest+ itself, whether the PenTest+ is worth it based on a number of experiences, and try to conclude whether the PenTest+ is worth it for you.
What is PenTest+?
The CompTIA PenTest+ (PT0-001) is an entry-level security certification, which means it’s an intermediate-level IT certification. Earning the PenTest+ means passing a 165-minute, 85-question exam with a 750 out of 900, which is an 83%. CompTIA doesn’t publish pass rates, but checking the CompTIA subreddit shows fairly high success rates — as long as you study.
The PenTest+ is not an overly hands-on exam like the CEH Practical or OSCP, but that doesn’t mean it’s not difficult, or that it’s entirely multiple choice. The PenTest+ combines multiple-choice questions with performance-based questions, which are typically drag-and-drop, hands-on, and scenario-based. For instance, there may be performance-based questions that provide a scenario and ask you to complete an Nmap command.
Technically, you could probably pass the PenTest+ without fundamental networking and systems experience, or hands-on, on-the-job experience with penetration testing tools like Kali Linux and Nmap. But being successful in security (and on security exams) means having both a good handle on the basics and hands-on experience.
What Experience Do You Need for PenTest+
There’s an adage that goes: there’s no such thing as an entry-level security professional. And that rings true in the experience requirement for the PenTest+. CompTIA recommends PenTest+ hopefuls have either the Network+ and Security+ certifications or the equivalent experience, which makes sense. Just look at the exam domains:
- Planning and scoping - 15%
- Information gathering and vulnerability identification - 22%
- Attacks and exploits - 30%
- Penetration testing tools - 17%
- Reporting and communication - 16%
Looking deeper into the attacks and exploits exam objectives, you’ll see the vulnerabilities broken into groups that very much marry the concepts from Network+ and Security+, and even the A+:
- Application-based vulnerabilities
- Network-based vulnerabilities
- Wireless-based vulnerabilities
- RF-based vulnerabilities
- Post-exploitation techniques
Looking even deeper into the network-based vulnerabilities, you’ll see that a lot of the vulnerabilities lie within network protocols (SNMP, FTP, SMB, ARP). Meanwhile, the application-based vulnerabilities include common low-hanging attacks like SQL injection and HTML injection. It’s possible for someone with no network or systems experience to approach the security concepts in PenTest+ and learn them in the context of security alone. However, it’s much easier to learn security, and particularly offensive security, with a good handle on networking and systems administration.
Remember: The PenTest+ Isn’t Technical
With that said, CompTIA doesn’t bill the PenTest+ exam as an overly technical exam, and it’s certainly not as hands-on as the OSCP or CEH Practical exams. But that doesn’t mean it’s not difficult. Nearly three-quarters of the PenTest+ exam consists of identifying vulnerabilities, knowing which attacks might be successful to exploit those vulnerabilities, and then knowing what tools to use to carry out those attacks. The PenTest+ may stop short of physically requiring you to carry out the attack, but the sheer amount of information you need to get to that point is considerable.
While the PenTest+ may not be hands-on, the best way to pass the PenTest+ is with considerable hands-on experience — either in the real world or lab environments. There are a number of ways to (legally) practice these new skills.
Kali Linux & PenTest+: How to Start Hacking
Like every CompTIA exam, the PenTest+ certification exam is vendor-neutral. So nowhere in the PenTest+ does CompTIA specifically point to Kali Linux. In fact, CompTIA goes out of their way in the exam objectives covered in the tools section, 4.2 Compare and contrast various use cases of tools, to point out:
“The intent of this objective is NOT to test specific vendor feature sets.”
However, all the tools covered in PenTest+ are pre-installed on Kali, so you might as well just start there. But with so many tools packed into one distro, Kali can be overwhelming.
Who Should Take the PenTest+
The PenTest+ is an inexpensive, widely respected exam that validates a lucrative skill: penetration testing. The PenTest+ is likely the first certification you’ll earn in the pursuit of a career in offensive security, which means IT professionals from all specialties funnel into the career field through it. These IT professionals may include:
- Network Engineers
- Systems Administrators
- Software Engineers
- Security Analysts
In this section, we’ll go through the individual career fields and determine whether the PenTest+ is worth it to them, and what they’ll need to do to prepare.
PenTest+ for Network Engineers
Network engineers can easily make a lateral move into penetration testing because they already have experience in a couple of core concepts: networking and scripting.
Networking is often the Achilles heel among penetration testers from other systems or software backgrounds. They’re familiar with the concepts well enough, but don’t have the deep topographical knowledge that network engineers have honed.
Network engineers likely have not only the experience, but also valuable networking certifications like the Network+, CCNA, and possibly even the CCNP (or the Juniper equivalents). As a bonus, network engineers are increasingly fluent in at least one scripting language like Bash or Python thanks to the rise of software-defined networking. These are all valuable skills to bring to a career in penetration testing, and to the PenTest+.
Weaknesses. In terms of networking, network engineers have it made. However, the PenTest+ moves further up the OSI Model into the Layer 4 and 5 vulnerabilities, too. For someone who has spent their career in Layer 1 and 2, there are some rocky roads ahead, particularly with the application-based vulnerabilities.
Is the PenTest+ worth it for network engineers? Absolutely. In fact, it may be recommended to get a good handle on the systems and application vulnerabilities without committing to the big challenge (and price tag) of the CEH or OSCP.
PenTest+ for Systems Administrators
Systems administrators can make excellent penetration testers. Systems administrators are jacks of all trades and typically find themselves spread across managing users and applications, networking, and troubleshooting. Sysadmins are often proficient in scripting, potentially with Bash or PowerShell, which are great jumping-off points into penetration testing. Often enough, security falls on the systems administrators as well. That’s particularly true in smaller IT shops.
For systems administrators to move into penetration testing, they’ll need to start getting deeper into networking, applications, and scripting. But luckily the world runs on Microsoft products, which means you’re probably already familiar with the biggest vulnerabilities because you’ve been running updates against them for years. Now, it’s time to expand out and down into the lower layers of the OSI model.
Is the PenTest+ worth it for sysadmins? Absolutely. The PenTest+ will deepen the broad knowledge that systems administrators have across networking, applications, hardware, and scripting. For any system admin thinking about becoming a penetration tester, the PenTest+ is a good place to start.
PenTest+ for Software Engineers
Software engineers are typically the best suited to become penetration testers. That’s particularly true because most modern engineers are full-stack engineers. They typically have infrastructure and security experience as well as the code chops. They know how applications are built and how to test them, which means they have more visibility into their vulnerabilities. It’s really then a matter of specializing in penetration testing.
Is the PenTest+ worth it for software engineers? Maybe. If you’re already familiar with networking and security best practices as a software engineer looking toward a career in offensive security, then the CEH or OSCP may be a better choice. The PenTest+ may be a cheaper option to build some confidence en route to the gold standards in
PenTest+ for Security Analysts
Security analysts spend their time deep in the weeds — reading logs, identifying breaches and vulnerabilities, and writing up reports. They’re already actively involved in helping engineers develop policies, run tests, and create patches. These are valuable skills for a penetration tester, particularly those who want to circumvent defenses undetected. Finally, remember that there’s no such thing as an entry-level security professional, so it’s likely that security analysts already often have the requisite networking and systems skills. This all adds up to the fact that security analysts can readily transition into penetration testing.
Is the PenTest+ worth it for security analysts? Maybe. Security analysts can readily transition into penetration testing by passing the PenTest+ exam. However, CEH or OSCP may be better options. Importantly, security analysts often end up as security engineers rather than penetration testers. But the PenTest+ will still be worth it to strengthen your security resume.
Is the PenTest+ Worth It?
It depends. The value of the PenTest+ certification on your resume comes down to what you want to do with it. The PenTest+ is worth it if you want to learn pen testing or you want to validate the skills you already have.
Using PenTest+ to Learn Pen Testing
Focusing your efforts on earning the PenTest+ certification is one of the best ways to learn penetration testing. That’s particularly true if you already have technical experience. PenTest+ applies your existing knowledge to security, and specifically to offensive security. It’s also a relatively light investment in time and money.
The PenTest+ only costs $349, which is nearly a quarter of the cost of similar exams like CEH and OSCP. With that said, the PenTest+ doesn’t hold as much weight as the CEH and OSCP. Despite that, the PenTest+ will teach you how to enumerate targets, deploy attacks, and document your findings, which are key in your transition to security.
Thus, PenTest+ is an excellent first step toward becoming a penetration tester — and totally worth it.
Using PenTest+ to Validate Skills
Penetration testers, like many roles in IT, sometimes find themselves in their position without any formal training or education. Similarly, you may be a hobbyist white hat. There are plenty out there. Turning those skills into a new role often requires credentials like the PenTest+. Certifications are designed to validate a set of skills in an industry-approved way. It’s certainly possible to get past a technical pen tester interview without ever having had a security position, but you have to get the interview first. Unfortunately, without formal experience or training, you may not get past the HR screen. With the PenTest+, however, you’re able to validate your offensive security skills in an industry-approved way. For getting that opportunity, the PenTest+ is absolutely worth it.