Taking the beta of CompTIA’s new Pentest+

Glenn at work

Pre-test: March 11, 2018

Okay: going in to take the beta of CompTIA’s new Pentest+ exam. There are no materials to study yet, so it’s pretty much a crapshoot. In theory it’s harder than the CEH (which I have), so we’ll see.
It was funny to realize as I dug through Reddit looking for info that I’m a “Trifecta Instructor”: A+, Network+, Security+.


Oh, am I ever glad I’ve done a lot of coding/scripting, and reviewed my PHP, Python and Ruby before the test. Right off the bat I got a long series of long, detailed scenario and “drag and drop” questions that I let suck up too much time. One involved dragging lines or blocks of code from a random assortment into working locations in a script. Recognizing the language was instantly critical. Another “interactive” section comprised ten questions where I needed to identify one-liner payloads and the right control to block them. Be sure you’re very clear on the different types of SQL injection and XSS.
The multiple-choice questions were, for a relief, pretty normal. Some did make clear to me some of the things I’ve never done: creating a sandbox, and setting up persistence on a target once it’s been compromised.
I know the CEH pretty well (I’m on the review board), and no it is not particularly similar to this test. The CEH concentrates on higher-level tools, like gui exploit tools and specific-function apps. The Pentest+ seems much more focused on knowing low-level tools like nc and nmap, sometimes deeply into the switches and syntax. Definitely spend time working/playing with these so the long, complex multiple choices don’t become a blur.
I got 120 question for my 165 minutes, plus a lengthy pre-test agreement and a fairly quick post-test review, both off the clock. It was a race all the way, especially with the intricately detailed commands to pick in multiple-choice questions. I only finished 105, racing to the end, though since I got so many questions maybe I’ll get some slack for that. 😉
Notably, I did NOT see any policy, risk calculations, subnetting or crypto, and no SOAP or REST. Reading other people’s experiences, though, I’m betting there’s a huge question pool (that will hopefully get trimmed down) and your mileage will likely differ.
Do I think I passed? I practically never think so walking out of a test, but I practically always do pass.
Is it a good alternative to the CEH? I’d say it’s more similar than different. Both certs are really much more focused on defense than offense. It still looks like the OSCP is the big dog of real pen testing, and that’s okay. We all need ladders with more rungs above us.