Cert Review: PenTest+

Is It Worthwhile to Chase?

If you’ve ever taken a look at certification roadmaps online, you’ve probably come across Paul Jerimy’s Security Certification Roadmap. I love this roadmap, but one thing I think it doesn’t do well is conveying the difficulty, or ‘seniority’, of the red team certifications. I think it’s really an issue of space on his incredible layout because really taking a moment to look over it, you notice there are a ton of certs that fall under the spectrum of Penetration Testing and Exploitation. Because so many hats have tossed themselves into the ring of the Red Team, it becomes difficult to lay out these certs on a genuinely weighted footing, which is why I think without a doubt putting PenTest+ on the same level as GSEC is a bit B.S.

Started From the Bottom, Why Are We Still Here?

Pentest+ is one of the newer certifications that CompTIA has churned out over the years, having built themselves an empire with their notorious A+, Network+, and Security+ stack that many cybersecurity professionals, including myself, have started out with.

Realizing they probably need to continue to grow in the security department, they created a roadmap of certs for security professionals to get their hands on, including the Cybersecurity Analyst+ (CYSA+), PenTest+, and CompTIA Advanced Security Practitioner (CASP+) certifications. These are what I would classify as ‘intermediate’ and ‘professional’ level certifications that are great for those with a few years in the hot seat and gearing up to get promoted to a more senior-level role.

So for PenTest+ to be on the same basic level as GSEC, which is really just a Security++ certification, it would have to be pretty easy and a junior-level certification, right? Wrong.

CYSA+’s Fraternal Twin

When I took CYSA+ a few years ago, it definitely was a different breed of cert compared to CompTIA’s entry-level stack. These questions had a purpose, content, and not just simple ‘given this scenario’ questions. Rather, you had to look through logs of data, outputs from forensic tools, and other information to make an accurate guess. I really believe they took a page from GIAC’s book and layered in the more technical level skills required to pass the certification. Quite simply, if you hadn’t had time in a SOC, you probably didn’t really understand a ton of the concepts the questions required you to have in order to answer. That isn’t to say you can’t pass CYSA+ without it, but after taking PenTest+, I truly understood what it looks like when you attempt those certs that recommend time in a career and you don’t have any.

PenTest+ wasn’t excruciatingly hard, but I didn’t get through the exam without sweating either. I don’t have real-world pentesting experience, as much as I’d love to. I’ve delved into some very light activities over my career, but any real work done was because it was a hobby, not because a job needed me to do it. When I studied for it, I realized that this exam wasn’t going to be easy, and I needed to do well-constructed labs in order to grasp any ability to actually pass the exam.

What I Used to Study

My exam prep consisted of two things for the version I took, PT0-002:

Total Seminars has been my go-to for every CompTIA certification, so this was a no-brainer to do. Their courses always worked well for me to paint the big picture in slowly, so I’m not lost piecing together the story it tells. I’d highly recommend them as a useful resource for that feeling that you’re in a virtual classroom.

TryHackMe was on the recommendation of both coworkers, who’ve used them extensively to do Red Team training. I’d highly recommend it, especially since it’s specifically built for PenTest+ objectives, compared to others like Hack The Box, which have labs but not one specifically for the cert.

I spent a total of about two months of time preparing for the cert, slowly watching the videos until completion before moving to the lab content.

You’ll learn how to run a PenTest or Red Team exercise, along with how to use the most common tools. This is important because there are a ton of tools listed in the objectives, and they will pull out any number of random commands or outputs just to quiz you on them. While I can say you don’t need to know every tool like the back of your hand, I would definitively argue that you should probably be familiar with most of them, that way you can easily guess what a tool you’re not familiar with looks like, giving you your best chance.

I must emphasize the need for the labs. If you’ve paid attention enough to most of the content from other certifications, you won’t need to know a lot from the videos, but the labs? Absolutely necessary. If you don’t practice the craft of hacking and understand the tools outlined in the objectives, you will most certainly fail the exam.

Who Is This For?

PenTest+ is an interesting beast I think because CompTIA either positioned it incorrectly or believed it all along to be just another Blue Team cert. But Mark, it’s a Red Team Cert? Well, honestly in my opinion, no. PenTest+ does a great job getting us acquainted with Red Team methodology, tactics, techniques, procedures, etc. However, it doesn’t really teach you how to hack. It teaches you how to run a pentest, then just sort of assumes you have the knowledge to hack away to your heart’s content from ‘experience’ or whatever learning environment you take upon yourself to hack in. This isn’t gonna fly for those trying to actually be a Red Teamer and are starting off fresh.

This comes now full circle to my opening statements about Paul’s certification board. The cert is positioned in between something simple, like eJPT (which I hear from my Red Team colleagues is the golden standard in getting started with pentesting), and something advanced like OSCP, which is still the crown jewel of Red Team Certs, even though it’s slowly becoming a professional-level cert instead of the expert one it used to be (because so many higher-level certs are hitting the market). Really, PenTest+ looked to take down Certified Ethical Hacker (CEH) which has slowly been shooting itself in the foot for years. Because of this, PenTest+ really is on its own, and many are just going to leap over it for bigger and better things.

So coming to these conclusions, I’m not sure a cert like PenTest+ is a worthy stepping stone to achieving your Red Team goals, thus I’ve boiled down my opinion to two needs:

  • You’re a blue teamer who wants to dabble in Red Team activities and is willing to put in some effort to churn out how to hack

  • You’re stacked deep in CompTIA certs, collecting them like Pokemon, and it’s time to get your free renewal by taking another

Mark D. Rogers Jr.

Mark is a decade-plus veteran of the I.T. and cybersecurity space, specializing in Blue Team operations such as SOC analytics, CTI, engineering, and management.

https://socops.ninja/team/mark-d-rogers-jr