Back to blog
Study Tips9 min read

How to Pass the CompTIA PenTest+ (PT0-003) Exam in 2026: An 8-Week Study Plan

A week-by-week plan to pass CompTIA PenTest+ PT0-003 in 2026. Domain weights, lab setup, tooling and a realistic 8-week schedule built around the 35% Attacks and Exploits domain.

Tom Ashford

Tom Ashford · Security Certifications Lead

14 July 2026

If you have booked the CompTIA PenTest+ (PT0-003) exam and you are staring at the objectives wondering where to begin, this is the plan for you. PenTest+ is not a memorisation test. It rewards judgment under time pressure, and the only reliable way to pass it is a structured schedule that mixes theory with real hands-on practice. This 8-week study plan for PenTest+ PT0-003 tells you exactly what to study each week, how much lab time to budget, and where most candidates go wrong.

The short version: PT0-003 is a maximum of 85 questions in 165 minutes, you need at least 750 on a scale of 100 to 900 to pass, and the exam blends multiple-choice questions with performance-based questions (PBQs) that put you inside a simulated terminal. Domain 4, Attacks and Exploits, is 35% of the exam on its own, so your plan has to be weighted the same way. Spread your effort evenly across all five domains and you will run out of time on the topics that actually decide the result.

What Is on the PenTest+ PT0-003 Exam?

The PT0-003 (V3) exam replaced PT0-002 and reorganised the objectives into five domains. Knowing the weightings is the single most useful planning fact you have, because it tells you where your hours should go.

DomainWeightWhat it covers
1. Engagement Management13%Scoping, rules of engagement, legal and compliance, methodologies
2. Reconnaissance and Enumeration21%Passive and active recon, OSINT, scanning, enumeration
3. Vulnerability Discovery and Analysis17%Vulnerability scanning, analysing results, prioritising findings
4. Attacks and Exploits35%Network, application, cloud, wireless and host attacks, lateral movement
5. Reporting and Communication14%Writing the report, remediation, communicating findings

Exam Tip: Domains 2, 3 and 4 together are 73% of the exam. If your recon, enumeration and exploitation are solid, you are most of the way to a pass. Do not let Engagement Management and Reporting slide, though, because those questions are often the fastest points on the exam.

A crucial change in PT0-003 is that vulnerability discovery (17%) is now separate from reconnaissance. The exam expects you to treat scanning and analysis as distinct skills, so practise both the act of running a scan and the harder act of reading the output and deciding what matters.

Exam Facts at a Glance

  • Questions: Maximum of 85 (multiple-choice and performance-based)
  • Time: 165 minutes
  • Passing score: 750 out of 100 to 900
  • Cost: Around 425 USD for a single voucher (regional pricing varies)
  • Validity: 3 years, renewable with 60 Continuing Education Units (CEUs)
  • Recommended background: Network+ and Security+ or equivalent, plus 3 to 4 years of hands-on information security experience

There is no hard prerequisite, but PenTest+ sits above Security+ in difficulty. If you have not yet built a comfortable foundation in networking and security fundamentals, close that gap before you start this plan.

Before Week 1: Set Up Your Lab

Building a hands-on lab is non-negotiable for PenTest+. The performance-based questions assume you have actually run these tools, not just read about them. Set this up before the eight weeks begin so no study time is lost to installation.

  1. Install a virtualisation platform such as VirtualBox or VMware Workstation Player.
  2. Build a Kali Linux virtual machine. It ships with almost every tool the objectives mention.
  3. Add a couple of deliberately vulnerable targets, for example Metasploitable and a vulnerable web app like OWASP Juice Shop or DVWA.
  4. Create an account on a practical platform. TryHackMe's Jr Penetration Tester and Offensive Pentesting paths map closely to the objectives, and Hack The Box is excellent if you want a stiffer challenge.

Budget your week around two types of session. Content sessions are for reading objectives and watching video, and they build recognition. Lab sessions are where you build the muscle memory the PBQs test. Aim for at least a 60/40 split in favour of hands-on work as the weeks progress.

The 8-Week PenTest+ PT0-003 Study Plan

This plan assumes roughly 8 to 12 hours of study per week. If you have more time, add lab hours rather than more reading. If you have less, stretch the plan to 10 or 12 weeks rather than cutting the hands-on practice.

Week 1: Engagement Management and Methodology

Start with Domain 1 while your energy is high, because it is the most conceptual and the easiest to underestimate. Learn scoping, rules of engagement, the difference between assessment types, and the legal and compliance concepts. Understand standard methodologies such as OWASP, MITRE ATT&CK, PTES and OSSTMM at a level where you can recognise them in a scenario.

  • Read the official CompTIA PT0-003 objectives PDF end to end so you know the full scope.
  • Map out which permissions and documents a real engagement needs (SOW, MSA, rules of engagement).

Week 2: Reconnaissance and OSINT

Move into Domain 2, the second-largest domain. Focus on passive reconnaissance first: OSINT sources, DNS enumeration, WHOIS, certificate transparency, and search-engine discovery. Then move to active recon.

  • Lab: run whois, dnsenum, theHarvester and recon-ng against a target you own.
  • Learn how to read the difference between what passive and active techniques reveal, and why order matters.

Week 3: Scanning and Enumeration

Finish Domain 2 with active scanning and service enumeration, the heart of a real test.

  • Lab: master Nmap. Host discovery, port scanning, service and version detection, and NSE scripts.
  • Enumerate SMB, SNMP, LDAP, SMTP and web services by hand so you understand what each service leaks.

Exam Tip: You will see Nmap flags in the PBQs. Know the common switches cold: -sS, -sV, -p-, -A, -O, -oN and the timing templates. Guessing costs you time you do not have.

Week 4: Vulnerability Discovery and Analysis

Now tackle Domain 3. This is the bridge between finding services and exploiting them, and it is where careless candidates lose easy marks.

  • Lab: run a scanner such as OpenVAS or Nessus Essentials, then practise interpreting the results.
  • Learn to prioritise findings by real risk, remove false positives, and map a CVE to an exploit.

Weeks 5 and 6: Attacks and Exploits (the 35% Domain)

Give this domain two full weeks because it is 35% of the exam. Split it by attack surface.

  • Week 5: network and host attacks. Exploitation with Metasploit, password attacks with Hashcat and John, privilege escalation on Linux and Windows, and lateral movement.
  • Week 6: application, web, wireless and cloud attacks. SQL injection, XSS, directory traversal, insecure APIs, wireless attacks, and common cloud misconfigurations.

Work through as many practice boxes as you can this fortnight. The goal is speed and pattern recognition, not learning new theory. By the end of Week 6 you should be able to look at a target and know your first three moves without hesitating.

Week 7: Reporting and Communication

Return to a lighter domain to recover before the final push. Domain 5 is about turning findings into a report a client can act on.

  • Learn report structure, executive summary versus technical detail, and how to write clear remediation guidance.
  • Understand risk ratings, CVSS scoring, and how to communicate findings to both technical and non-technical audiences.

Week 8: Full Practice Exams and Weak-Spot Repair

The final week is all about exam conditions. Do not learn anything new. Consolidate.

  • Sit at least two full-length, timed practice exams that include PBQs.
  • Review every wrong answer and every question you got right but were unsure about.
  • Spend your remaining lab time only on the weak areas your practice scores expose.

Why Most People Fail PenTest+ (and How to Avoid It)

Candidates rarely fail PenTest+ because they do not know enough. They fail because they make slow or uncertain decisions when the exam expects speed and clarity. A few specific traps:

  • Skipping the lab. You cannot reason your way through a PBQ. If you have not typed the commands, you will freeze.
  • Under-weighting Domain 4. Studying every domain equally leaves you thin on the 35% that matters most.
  • Course-hopping. Using three courses at once creates conflicting mental models. Pick one primary resource and supplement narrowly.
  • Ignoring the clock. With up to 85 questions in 165 minutes, that is under two minutes per item. Practise pacing, and flag and move on rather than stalling.

PenTest+ PT0-003 vs Other Pentest Certifications

If you are still deciding whether PenTest+ is the right exam, it helps to see where it sits.

CertificationFormatBest for
CompTIA PenTest+ (PT0-003)Multiple-choice plus PBQs, 165 minBroad, vendor-neutral coverage of the whole engagement lifecycle
CompTIA CySA+Multiple-choice plus PBQsDefensive analysts moving toward blue-team roles
CEHMultiple-choiceRecognisable HR-checkbox cert, lighter on hands-on
OSCP24-hour hands-on examDeep, practical exploitation and report writing

PenTest+ is the pragmatic middle ground: more hands-on than CEH, far less punishing than OSCP, and it covers scoping and reporting that purely technical exams skip. For a fuller comparison, read our breakdowns of PenTest+ vs CEH and whether PenTest+ is worth it.

Ready to Start Practising?

Reading objectives will get you familiar with PenTest+, but passing it comes down to repetition under exam conditions. The fastest way to find your weak domains is to answer realistic questions and see where you stumble, then repeat until the patterns are automatic.

CertCrush gives you exam-style PenTest+ practice questions with detailed explanations for every answer, so you understand not just what is correct but why the other options are wrong. That is exactly the judgment PT0-003 tests.

Create a free CertCrush account and start your PenTest+ practice today. Browse the full range of certification courses to build your whole roadmap, from Security+ through PenTest+ and beyond. Follow the eight-week plan, put in the lab hours, and walk into PT0-003 knowing your first three moves before you even read the scenario.

PenTest+PT0-003CompTIApenetration testingstudy planexam prepcybersecurity certificationethical hacking
Tom Ashford

Written by

Tom Ashford · Security Certifications Lead

Tom spent over a decade in security operations and consulting before turning to full-time exam-prep writing. He covers the big security certifications — CISSP, CISM, CISA, Security+ and the rest of the alphabet — with a soft spot for the questions everyone gets wrong. His rule for every article: if it doesn’t help you score marks, it doesn’t go in.

All articles by Tom

Practise for CompTIA Pentest+free

10 real exam-style questions with full explanations, no account needed. Then unlock the complete bank with an exam-readiness score and a daily plan built around your exam date.