New Certification: CompTIA PenTest+

Comments

  • JDMurray (Admin) Posts: 13,023
    I just took the PenTest+ beta ( March 15, 2018 ) and here are some of my thoughts:

    All in all I had a fun time taking the PenTest+ exam. I completed all 110 exam items in 103 minutes. There were a few sims, but most were the typical CompTIA-style items and options that we all are familiar with. Many item stems (questions) required my re-reading once or twice.

    The item difficulty ranged across the board. I can see how any exam item answered (in)correctly by 80%+ of the candidates taking this beta exam would not be used in the released exam.

    Tools, command lines, output interpretation, rules/processes/best practices, and pentesting puzzle solving--very true to what is listed in the PenTest+ objectives.

    The most fun to me were items that required knowledge of coding--bash, python, ruby (often mistaken for perl), and Powershell--also as detailed in the PenTest+ objectives. Rather clever some of the programming items were. I'd like to see more of these types of items in CompTIA exams.

    To me, the PenTest+ (beta) was more of an assessment of my weaknesses in pentesting than a test of my strengths. For example, it showed how really weak I am in pen testing Web-based systems--not a revelation to me. I do not do pentesting, and I would probably need 2-3 years of continuous, hands-on experience to be worthy of this exam.

    And no, I do not think I passed ;)
  • arussnfl (Member) Posts: 9
    Thank you for taking the time providing these details!
  • ejg398 (Member) Posts: 57
    JDMurray wrote: »
    I just took the PenTest+ beta ( March 15, 2018 ) and here are some of my thoughts:

    All in all I had a fun time taking the PenTest+ exam. I completed all 110 exam items in 103 minutes. There were a few sims, but most were the typical CompTIA-style items and options that we all are familiar with. Many item stems (questions) required my re-reading once or twice.

    The item difficulty ranged across the board. I can see how any exam item answered (in)correctly by 80%+ of the candidates taking this beta exam would not be used in the released exam.

    Tools, command lines, output interpretation, rules/processes/best practices, and pentesting puzzle solving--very true to what is listed in the PenTest+ objectives.

    The most fun to me were items that required knowledge of coding--bash, python, ruby (often mistaken for perl), and Powershell--also as detailed in the PenTest+ objectives. Rather clever some of the programming items were. I'd like to see more of these types of items in CompTIA exams.

    To me, the PenTest+ (beta) was more of an assessment of my weaknesses in pentesting than a test of my strengths. For example, it showed how really weak I am in pen testing Web-based systems--not a revelation to me. I do not do pentesting, and I would probably need 2-3 years of continuous, hands-on experience to be worthy of this exam.

    And no, I do not think I passed ;)

    I took it this morning 3/19/18. I completely agree with JDMurray. I am mainly a blue teamer looking to get more involved in Red Teaming. As mentioned above, the objectives are pretty spot on. Scripting and the web apps is definitely a weakness I will need to work on. All in all this exam was good. I also do not believe I passed it, but it will help out for future studying.
  • JoJoCal19 (Mod) Posts: 2,835
    Really interesting to see the feedback on this exam. I've always thought that the CompTIA certs were good for measuring one's baseline knowledge on each cert topic. For me the issue was always value proposition. I got the Net+ and Sec+ and they did nothing for my career. I did however just pick up the CySA+ and CASP books to read periodically since I have been away from the technical side of InfoSec. For me I find value in using the study material for their certs to keep knowledge fresh in the requisite areas. No books out for Pentest+ yet, but I suspect they would make a good library add for the same reason, to keep fresh on stuff.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • sunto (Member) Posts: 29
    Hopefully this will be a good replacement for GPEN. SANS courses are just prohibitively expensive.
  • josephandre (Member) Posts: 315
    sunto wrote: »
    Hopefully this will be a good replacement for GPEN. SANS courses are just prohibitively expensive.

    Funny enough, I took these a week apart, and I feel like they were pretty comparable, with the CompTIA one being slightly more difficult.

    Same amount of questions, no real official study material, and not open book. The questions were a bit broader also which was a bit more frustrating.

    I enjoyed it though, assume I failed, and agree with JD Murray.
  • dialectical (Member) Posts: 55
    I enjoyed it though, assume I failed

    Just took it today, also enjoyed it but am not expecting much. However, the overwhelming pessimism I'm seeing could be good news for us. I've never failed a CompTIA exam before.

    I did however, just fail the C|HFI a few days ago... (been lagging on my WGU progress). The C|HFI had garbage questions (like "What data is on the 5th block of a CD-ROM?"). This test had great questions though. Lots and lots of malware analysis, my goodness. I feel like this could help mildly raise the prestige of CompTIA certs.

    One thing I am very curious about is how pentest+ will fall in line with the stackable certs or if there will be a new one. My plan is to take CSA+ for the "Cyber Analytics Expert" stackable cert, pentest+ until I pass and then I'm done with CompTIA (However, I have mistakenly said that before).
  • josephandre (Member) Posts: 315
    Just took it today, also enjoyed it but am not expecting much. However, the overwhelming pessimism I'm seeing could be good news for us. I've never failed a CompTIA exam before.

    I did however, just fail the C|HFI a few days ago... (been lagging on my WGU progress). The C|HFI had garbage questions (like "What data is on the 5th block of a CD-ROM?"). This test had great questions though. Lots and lots of malware analysis, my goodness. I feel like this could help mildly raise the prestige of CompTIA certs.

    One thing I am very curious about is how pentest+ will fall in line with the stackable certs or if there will be a new one. My plan is to take CSA+ for the "Cyber Analytics Expert" stackable cert, pentest+ until I pass and then I'm done with CompTIA (However, I have mistakenly said that before).

    Right, I have a feeling the curve for the beta will be pretty low. With CySA a lot of it is stuff you could just know through other studies, general cyber experience, etc.

    This is pretty specialized and drilled down. So it'd be cool to get a pass this go around.

    As said though, by most, good exam.
  • BlackBeret (Member) Posts: 683
    sunto wrote: »
    Hopefully this will be a good replacement for GPEN. SANS courses are just prohibitively expensive.

    This is my hope too. Working as a contractor, we just had a major change with one of our large clients. Previously they required GCIA for specific job functions. Last year they switched the requirements for that position to CSA+. Those with GCIA were able to get it waived, but it did show the direction of things.

    Of course their pentesting knowledge is lacking. Their current requirement is "A pentesting certification". Which used to mean GPEN, but we've had some get eJPT just to meet the requirement. I feel like with the hard-on a lot of large organizations (and the .gov) have for CompTIA, that Pentest+ will become the requirement for certification and SEC560/GPEN will be a nice to have.

    Another thought I've had. I wonder if this will force GIAC to become more competitive independent of SANS. SANS training is second to none, and while CompTIA might put some good books out, some of their partners might have some good hands-on classes, I don't see them touching SANS in quality of training. If the CPT+ exam is held as a requirement, I could absolutely save some money by having employees take SEC560, then the CPT+ exam, instead of paying for GPEN.
  • spiderjericho (Registered Users, Member) Posts: 890
    Not a joke not a drill. This test is serious.

    Took the beta today. Have to admit, I didn’t do any preparation. And I probably performed poorly. I’m not a pentester. I have a very weak programming and scripting background.

    The test was 110 questions. There were “simulations.” I only saw drag and drop, and drop downs with code output. I don’t remember how many. The rest of the questions were multiple choice.

    You have to know Ruby, Bash Scripting, Powershell and Python.

    You have to know tools like NMAP, NCAT, Dig, TCPDump, Aircrack-ng, W3AF, Nessus, Hydra, BeEF, John the Ripper, Cain and Abel, Wireshark.

    There are a lot of website, SQL, and XSS related questions. You have to be very familiar.

    You also have to be familiar with the domains, e.g. phases of a pen test and the terminology.

    There were questions on Point of Sale and mobile Devices, and physical Security.

    I might have to re-attack this later. Read the Sybex Pentesting book recommended in the thread and possibly do the eJPT. This is definitely more difficult than the CEH, which is really just SEC+ with pentesting tools. I appreciate CompTIA letting me pay $50 to get a piece of humble pie. I’d assume the pentesting experience comment that has been reiterated is accurate. Good luck to anyone else taking the test.
  • kurosaki00 (Member) Posts: 973
    PC509 wrote: »
    Compared to EC|Council and their CEH, I would put CompTIA and this ahead. I don't expect it to be much more challenging, but EC|Council came off as an inferior company to work with. The exam was very easy and didn't really give much real world knowledge. I think the CompTIA one will be a little better (not much) than the CEH exam. Still, an entry level pen test - multiple choice, not a performance based exam.

    It has its place, but it's not a replacement of eJPT, OSCP, etc.

    This will probably improve @Cyberguypr opinion on EC|Council

    /s
    meh
  • packetphilter (Member) Posts: 85
    I've been on the fence for about a week on taking this exam. I assisted with pentests and audits in my last job, but only for a few months. I learned some things, but a lot of it is fuzzy now. I think I likely wouldn't pass.

    I'm not a big CompTIA fan, but from what people are saying, it sounds like they may have done a good job with this test. Nevertheless, I think I'm going to save my $50 and see what people are saying about it in a year or so. The CEH doesn't have a lot of friends these days, but it's still got one big friend: the DoD. I imagine if the DoD decides to start asking for Pentest+, then it'll become a popular cert overnight.
  • Spiegel (Member) Posts: 322
    Signed up for a 4/21 exam date. Will look over the exam objectives and study as much as I can based from that. I'm not a pentester but as I continue my pursuit to be a network engineer, with a strong focus in security, I feel like this will only help me. Will probably fail but this will be really good exposure to that area.
    Degree: WGU B.S. Network Operations and Security [COMPLETE]
    Current Certs: A+ | N+ | S+ | Cloud Essentials+ | Project+ | MTA: OSF | CIW: SDA | ITIL: F | CCENT | CCNA R&S | CCNA | LPI Linux Essentials
    Currently Working On: JNCIA-MistAI
    2022 Goals: JNCIA-MistAI [ ]
    Future Certs: CCNP Enterprise
  • tedjames (Member) Posts: 1,179
    I've been on the fence for about a week on taking this exam. I assisted with pentests and audits in my last job, but only for a few months. I learned some things, but a lot of it is fuzzy now. I think I likely wouldn't pass.

    If penetration testing is something you're interested in, I recommend signing up for eLearnSecurity's Penetration Testing Student course.
  • jeremywatts2005 (Member) Posts: 347
    Hopefully this turns into a Cloud+ situation and a bunch of us pass even though we think we clearly failed LOL. I passed Cloud+ and have no idea how it was a monster and I have very little Cloud background like a couple of yrs doing basic things. The exam was tailored more to a Cloud Admin. Maybe this Pentest will be the same and turn into an exam we pass because of the questions being thrown out. Remember we have no idea how many questions are actually going to be used going forward or thrown out. If you pass a bunch of the keepers you could pass this exam. Not hoping though but trying to stay positive.
  • wiz2kid (Registered Users) Posts: 1
    Have you come across any more recent information regarding the objectives for PT+?
  • JDMurray (Admin) Posts: 13,023
    I would say the reviews of PenTest+ here on TechExams.Net contain the most recent information currently available.
  • K-9 (Member) Posts: 82
    I took the beta test last night. It was incredibly broad. It was much tougher than any other CompTIA exam I have ever tried. If you don't have experience actually doing penetration testing, I think it would be a big learning curve to pass this one. This was my 4th CompTIA beta and the first one that I actually worry I won't pass (I felt pretty good about the CSA/CySA beta and passed).

    This was a very challenging exam! I REALLY hope I passed this one because studying the broad material for the re-take will be a chore.
  • shochan (Member) Posts: 1,004
    OH I cannot wait...mine is on Thurs! WOO!
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
  • K-9 (Member) Posts: 82
    shochan wrote: »
    OH I cannot wait...mine is on Thurs! WOO!

    I found that everyone here has been accurate about it. No special 'key' to the exam except wide-ranging experience.
  • meni0n (Member) Posts: 68
    It was a fun exam to take. Preparing for OSCP and doing hackthebox machine really helped with some of the questions. Some questions were weird and some were trying to trick you. I had 4 simulations as well.
  • Mike7 (Member) Posts: 1,107
    Took the exam on Monday. I am not a pen tester but participated in JTA for PenTest+. Agree with everyone; you need to have hands-on experience, are familiar with the tools and the exam covers quite a wide range of topics.
  • josephandre (Member) Posts: 315
    Dang. How'd you manage to get selected for the JTA? I'd like to do one of those.
  • EnderWiggin (Member) Posts: 551
    Dang. How'd you manage to get selected for the JTA? I'd like to do one of those.

    Step 1: Have the experience they're asking for.
    Step 2: Sign up.
  • Mike7 (Member) Posts: 1,107
    Dang. How'd you manage to get selected for the JTA? I'd like to do one of those.

    They sent an email to me. Excerpt below:

    Dear XXX XXX,

    You are being asked to complete this survey because you hold a CompTIA
    certification. CompTIA would like your input on the exam objectives. We
    hope you'll appreciate how important your input is to the development of
    this certification, and ultimately to those who follow you in their IT
    careers.

    To begin this approximately fifteen-minute survey, please go here:
    http://<URL_LINK>

    As a small token of our appreciation for your feedback, we are giving away an official CompTIA t-shirt to every tenth person who completes the survey.

    CompTIA values your privacy. Results are completely confidential and the data
    will only be viewed in the aggregate. Please complete the survey by XXXX XX, 2017.

    Thanks for your participation.

    I hold CASP certification. In the survey, they asked about my work experience.
    Yes, I subscribe to their emails. No, I did not receive the t-shirt. :(
  • josephandre (Member) Posts: 315
    Step 1: Have the experience they're asking for.
    Step 2: Sign up.

    I do. I have. It was more of a "that's really cool" kind of post.
  • K-9 (Member) Posts: 82
    Hopefully this turns into a Cloud+ situation and a bunch of us pass even though we think we clearly failed LOL. I passed Cloud+ and have no idea how it was a monster and I have very little Cloud background like a couple of yrs doing basic things. The exam was tailored more to a Cloud Admin. Maybe this Pentest will be the same and turn into an exam we pass because of the questions being thrown out. Remember we have no idea how many questions are actually going to be used going forward or thrown out. If you pass a bunch of the keepers you could pass this exam. Not hoping though but trying to stay positive.

    I didn't take the Cloud+ beta because that test looked onerous! I now wonder what the actual CySA+ and Cloud+ look like compared to the beta exams. I hope you are right about the PenTest+. I want that cert SO BAD!
  • yoba222 (Member) Posts: 1,237
    Just got back from the testing center. I think I might have passed. I found it to be easier than expected. Maybe I've been underestimating my pentesting knowledge. Either that or I'm delusional.

    I actually enjoyed taking it and often during questions I'd think to myself, "I've done that before" or "I just had to do that for a client like 3 days ago." In terms of difficulty, I found it equal to or perhaps slightly easier than the CySA+ that I took 2 weeks ago. I'm probably weird.

    I found the labsims to be fair and appropriate, unlike the CySA+ labsims, which were ridiculously difficult in my opinion.

    I do remember in one question, a Perl script was an answer choice. Since Perl is not in scope, I assume that was an incorrect choice. Or so I hope. Lots of bash and Python and a bit of ruby/PowerShell here and there.

    Some advice:
    Read the acronyms list from the exam objectives. I remember looking one up that I didn't know just yesterday, and sure enough, it was on the exam, and I believe I got that question correct because I spent 15 minutes researching that acronym.

    Good luck!
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • meni0n (Member) Posts: 68
    It was the other way for me on the sims. I found the CySA+ sims easier than the PenTest+ ones. Possibly because I can recognise most of the attacks in that one sim but not so much the remediation. Maybe I'm just paranoid about selecting the same remediation for like 3-4 exploits.
  • K-9 (Member) Posts: 82
    One thing I learned about taking CompTIA beta exams... Don't obsess about it after the test. You can't do anything about it now. It will take sooooooo long to get back the pass/fail that it will all be a haze when you learn your pass/fail status. Just move on to your next cert and leave a placeholder to study and retake that CompTIA exam if necessary.