CompTIA PenTest+ PT0-001 vs. PT0-002: What’s New?
Malware, ransomware, denial of service, phishing, SQL injections — does it ever end? Preparing network defenses and defending against cyberattacks is increasingly a way of life for every enterprise.
If you're an IT executive, you do your best to set up an effective defensive shield, but there's bound to be a crack or two. Whether it's an operational misstep, a software flaw or some other glitch, you still have a potential disaster in the making. That's why it's smart to find those cracks before the bad guys do. And that's where a rigorous penetration testing regimen comes into play.
Penetration testing is where authorized security professionals use the same sort of tools and techniques that hackers use, in order to identify weaknesses in an organization's information security defenses. Given the importance of the role, it's no surprise that certified penetration testing professionals are in demand.
There are numerous penetration testing certifications — at various levels of expertise — from organizations such as CompTIA, EC-Council, Global Tech Council (GTC), GIAC, Offensive Security, and the IACRB.
In this post, we're going to take a closer look at the CompTIA PenTest+ certification, and in particular, the changes that were made when the new PT0-002 certification exam was introduced in October 2021.
The CompTIA PenTest+ Certification
The Computing Technology Industry Association (CompTIA) is a certification organization widely known for its Network+ and Security+ certs for system and network administrators and engineers. In its cybersecurity certification portfolio, the CompTIA PenTest+ cert is complemented by accreditations for security analysts and engineers (CySA+) and for advanced security practitioners such as security architects (CASP+).
PenTest+ was introduced in 2018 and was intended for security professionals who were involved in the detection of security flaws and vulnerabilities in IT infrastructures. There was some confusion as to how PenTest+ related to CompTIA's Cybersecurity Analyst (CySA+) cert which had been introduced the previous year. The answer is that penetration testing is a proactive function, as compared with the reactive security monitoring approach that is reflected in the CySA+ cert. Using a sports analogy, think of security monitoring (CySA+) as the defense and penetration testing (PenTest+) as the offense.
CompTIA introduced PenTest+ as an intermediate-level cert that validated the candidate's ability to perform penetration testing and vulnerability assessments. While there were no actual prerequisites, PenTest+ followed Security+ in CompTIA's suggested career pathway. It was expected that candidates would have a minimum of three to four years of IT security experience, as reflected by the CompTIA Network+ or Security+ certifications.
Typical cybersecurity roles that benefit from PenTest+ include pen testers, vulnerability analysts, cybersecurity engineers and analysts, and network security managers. The certification is now approved by the U.S. Department of Defense (DoD) 8570 for a number of cybersecurity jobs in the Cyber Security Service Provider (CSSP) function.
As a role-based certification, PenTest+ was designed to exercise and validate the holder's ability to perform actual job tasks typically expected of a pen testing and vulnerability management professional. The initial PT0-001 certification exam covered the following domains:
Planning and scoping penetration tests,
Information gathering and vulnerability identification,
Attacks and exploits,
Penetration testing tools, and
Reporting and communication.
The PT0-001 certification exam itself was considered to be quite challenging. It consisted of up to 85 performance-based and multiple-choice questions and took nearly 3 hours. Successful candidates needed to score 750 or more on a scale of 100-900 points.
PenTest+ Certification Changes as Threats Evolve
As we all know, the nature of the cyberthreat is continually changing. The types of attack that might have been expected when PenTest+ was first introduced in 2018 are no longer the weapons of choice for today's black hats! So what changes were needed in the PenTest+ cert?
A State of Cybersecurity 2021 survey commissioned by CompTIA questioned 400 IT professionals about their company's approach to cybersecurity.
Respondents cited numerous areas for cybersecurity improvement, including application security, endpoint security, network security, and threat knowledge. The report also showed that the vast majority (65%) of the represented organizations did not have a formal penetration testing program.
Disturbingly, respondents thought that things were getting worse with their organizations' cybersecurity programs. Overall satisfaction with those approaches was 10 points lower than in the previous year's survey.
In line with the findings of this report, CompTIA announced the updated PT0-002 version of the PenTest+ certification exam.
PenTest+ PT0-002 Certification Exam
The new PT0-002 PenTest+ certification exam was introduced in October 2021. The old PT0-001 PenTest+ exam was retired in April 2022.
The new exam was updated to expand the range of cybersecurity attack surfaces covered—adding web applications, cloud and hybrid environments, Internet of Things (IoT), and embedded devices. In addition, based on the findings on threat intelligence from the Cyberthreat survey, CompTIA added emphasis on candidates' hands-on skills and expertise in vulnerability management. Through a mix of performance-based and knowledge-based exam questions, candidates are now tested on their proficiency in planning for, scoping, and managing cybersecurity weaknesses.
This focus on vulnerability management differentiates PenTest+ from its closest vendor-neutral alternatives—EC-Council's Certified Ethical Hacker (CEH), the GIAC Penetration Tester (GPEN), and Offensive Security's Certified Professional (OSCP).
What's New With the PT0-002?
The new exam has 21 overall objectives, compared to 24 in the previous PT0-001 exam. CompTIA reports that this is due to the consolidation of topics. You can dig down into the details in the official CompTIA PenTest+ Certification Exam Objectives (PT0-002) document.
Let's look at the topic domains and the relative weightings for the PT0-002 exam compared with those for PT0-001.
Domain | PT0-001 | PT0-002
1 | Planning and Scoping (15%) | Planning and Scoping (14%)
2 | Information Gathering and Vulnerability Identification (22%) | Information Gathering and Vulnerability Scanning (22%)
3 | Attacks and Exploits (30%) | Attacks and Exploits (30%)
4 | Penetration Testing Tools (17%) | Reporting and Communication (18%)
5 | Reporting and Communication (16%) | Tools and Code Analysis (16%)
At a high level, you'll see that the exam objectives are similar with two exceptions. For the second domain, CompTIA has changed the focus from vulnerability identification to vulnerability scanning. This reflects the increased emphasis on the hands-on skills necessary to perform vulnerability scanning, as well as both passive and active reconnaissance, and vulnerability management. The candidates' ability to analyze and report on the results of completed reconnaissance exercises is also tested.
The second change is that the PT0-001 fourth domain, Penetration Testing Tools, is flipped with the Reporting and Communication domain and renamed as Tools and Code Analysis. This change emphasizes both the hands-on use of testing tools and the increased focus on code analysis during penetration testing.
Although no scripting or coding is required for the exam, there is no doubt that it is very useful for penetration testers to understand scripting and coding. And since penetration testing platforms like Security Onion are Linux-based, it's also useful to know your way around that OS! Knowledge of Python in addition to basics of a Linux distribution like Kali or Ubuntu will be a distinct advantage. This is even more important once testers dive into applications to uncover vulnerabilities.
Taking the PT0-002 Exam
The PT0-002 exam is the same length as the previous exam, lasting 165 minutes with 85 performance-based and multiple-choice questions. The passing grade is also the same: 750 on a scale of 100-900.
PenTest+ has a technical, hands-on focus, so CompTIA recommends that candidates have at least 3 years of IT security or similar work experience, equivalent to having earned the Network+ or Security+ credentials.
As with all other CompTIA certification exams, PT0-002 is administered and proctored by Pearson VUE and can be taken either in-person at a testing center, or online. Either way, the cost to take the exam is $381 USD.
Your PenTest+ certification is valid for three years from the date that you take the exam. It can be extended in three-year increments either by participating in CompTIA's continuing education program or by passing a higher CompTIA certification.
So who can benefit from pursuing the CompTIA PenTest+ certification? Well, it's definitely a good move if you've got your eye on becoming a penetration tester, web app penetration tester, or cloud penetration tester. It can also be appropriate if you already hold a more defensive security position, or are looking at cybersecurity career options such as security analyst, network and security specialist, or information security engineer. In these cases, proficiency in penetration testing will be a valuable complement to your skill set. Another reason to earn the PenTest+ credential is to increase your marketability while also renewing your expiring Security+ and/or Network+ certification.
CBT Nuggets has a wealth of on-line training related to penetration testing and cybersecurity. In particular, you can check out the new training course specifically for the CompTIA PenTest+ (PT0-002).
Or if you're building up your skills before you take on PenTest+, then try individual courses like Information Gathering and Vulnerability Scanning for Penetration Testing, Penetration Testing Planning and Scoping, and Penetration Testing Tools.