Pentest+ - thoughts?

si20 Member Posts: 543
I just looked at the CompTIA site and it looks like Pentest+ is out at the end of the month. I looked at the objectives and was pleasantly surprised. It looks like it's typical CompTIA - a huge, huge variety of topics, but on the whole, it looks good.

Anyone know how much web-app pen-testing will be on there? Reason I ask, is because I have found that my workplace is going to be looking for new Red-team members soon and I did the OSCP approx 3 years ago now and it was all infrastructure stuff - which is great, but not as great as web app.

Anyone else looking to take this exam? I notice there are no books out just yet. Hopefully some study guides will show up soon.


  • LordQarlyn Member Posts: 693
    Hmmm another new CompTIA exam? Soon we will have Forum+ and Resume+ exams coming out. On a serious note, I could actually see that as an exam I would take. I don't have any goals to be a pen tester, but, I can see myself needing to have a deeper understanding of pen testing as part of my career path, and this exam looks like it fits the bill without being all hardcore (well for me anyway) as OSCP or eCPPT.
    I would wait and see as more materials regarding this exam are released. But looking at your credentials you are miles above Pentest+, it seems that Pentest+ would bring little value considering your other certs, but you said your OSCP is three years old so it may serve as a good review.
  • si20 Member Posts: 543
    Yep that's it! I never got a pen-testing role after I got my OSCP because all the pen-testing companies wanted a web-app guy. I didn't realise at the time that web-app was the big thing, so I totally missed the boat despite getting the OSCP.

    And 3 years later I've lost so much knowledge I think the Pentest+ will get me back in the right spot. After that, I'd probably take the eLearnSec web app courses if they still offer them and get myself back on track.

    But yeah, the Pentest+ objectives look right on point this time.
  • yoba222 Member Posts: 1,237
    I studied for and took the beta based on their exam objectives.

    Web app pentesting looks to be like 5% of the exam, which sounds about right from what I remember of the questions.

    I'm doing Virtual Hacking Labs at the moment, and while that is also kind of a general focus with a bit of web application testing, I'm getting much more pentest training value out of it than I ever did studying for the PenTest+ exam.

    And since CompTIA doesn't provide any training, that means the way most people are going to "train" for this exam is by reading some all-in-one study guide. Meh.

    The beta generated some positive hype because the questions on that multiple choice exam were respectably challenging, unlike something like the CEH, which is largely a joke in terms of its challenge/quality.

    But at the end of the day, it's just a multiple choice exam, which isn't a stellar way of proving the competency of a very specific and technical skillset.

    If I were you, I'd prep for those red team spots by buffing up on a bunch of CTFs/labs/cyber ranges.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • PsychoData91 Member Posts: 138
    I was reading a CEH book last night and it says:
    "The EC-Council is known for presenting concepts in unexpected ways on their exam. The exam tests whether you can apply your knowledge rather than just commit information to memory and repeat it back. Use your analytical skills to visualize the situation and then determine how it works."

    Part of the cynic in me says "oh, trick questions" and then the realist says "Or things like wording something like a user report that isn't specific rather than a precise problem summary".

    I took the PenTest+ beta as well. I would say that the eLearn might be a good way to learn it, but I would look at least somewhat into some intentionally vulnerable VMs and images, in a lab, too. That's how I got my web-app familiarity for the beta. I also took CEH, CISSP, GHFI studying and random guides and chapters as they sounded like they applied to the beta objectives.
  • jwdk19 Member Posts: 70
    I took the PenTest+ beta in April. IMO to pass this exam requires actual knowledge and use of the tools.

    Kind of hard to look at a Wireshark pcap and know what is going on without some type of prior knowledge/training/use.

    Although it is primarily multiple-choice, I think the exam accomplishes the purpose that it was designed for. Is it comparable to OSCP? Negative, hard to compare with a 100% practical application cert. However, if I didn't pass the beta I definitely plan to retake PenTest+ later in the year.
  • xcopy Member Posts: 21
    LMAO too funny! Forum+
    C|EH, CASP, C|DNA, ITIL, VCP6, MCITP:EA + others