Prepare for CompTIA PenTest+ PT0-003 with a free 90-question diagnostic, topic drills, timed mocks, detailed explanations, and a 780-question IT Mastery bank.
Start with the free diagnostic or public sample questions. IT Mastery gives you a stable, exam-domain-mapped practice bank with timed mocks, topic drills, progress tracking, and detailed explanations across web and mobile.
Start a practice session for CompTIA PenTest+ PT0-003 below, or open the full app in a new tab. For the best experience, open the full app in a new tab and navigate with swipes/gestures or the mouse wheel—just like on your phone or tablet.
A small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same app-family account they use on web and mobile.
Prefer to practice on your phone or tablet? Download the IT Mastery – AWS, Azure, GCP & CompTIA exam prep app for iOS or IT Mastery app on Google Play (Android) and use the same IT Mastery account across web and mobile.
Initial release: this CompTIA PenTest+ PT0-003 bank currently includes 780 questions. We expand high-demand banks first based on learner usage, feedback, and subscriber demand. Subscribers receive access to future additions automatically.
Free diagnostic: Try the 90-question CompTIA PenTest+ PT0-003 full-length practice exam before subscribing.
CompTIA PenTest+ (PT0-003) is CompTIA’s current penetration-testing route for candidates who need practical judgment across planning, scoping, reconnaissance, vulnerability discovery, exploitation, post-exploitation, reporting, and remediation guidance.
PT0-003 is the newer PenTest+ version, so current preparation should keep authorization, engagement scope, evidence validation, reporting, and remediation in view. This page includes original sample questions, exam guidance, and live IT Mastery practice.
PenTest+ questions usually reward the option that stays inside scope, uses evidence from the right phase, validates findings safely, and turns technical issues into useful remediation guidance.
Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.
Need concept review first? Read the CompTIA PenTest+ PT0-003 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.
Try these 12 original sample questions for CompTIA PenTest+ PT0-003. Use them for study, self-assessment, and exam-scope review.
What this tests: scope control
A tester discovers a public IP range that appears related to the client but is not listed in the signed rules of engagement. What should the tester do?
Best answer: A
Explanation: PenTest+ emphasizes authorization and scope. A target not listed in the rules of engagement should not be tested until written scope clarification is obtained. Timing or perceived risk does not override authorization.
What this tests: reconnaissance type
A tester reviews job postings, technology blogs, DNS records, and public code repositories before touching the client’s systems. What phase is this?
Best answer: C
Explanation: Passive reconnaissance gathers information from public or third-party sources without directly interacting with target systems in a probing way. It helps build a target profile while reducing detection and operational impact.
What this tests: vulnerability validation
A scanner reports a critical vulnerability on a production web server. Before including it as a confirmed finding, what should the tester do?
Best answer: C
Explanation: Automated scanner findings need validation to reduce false positives. Validation must stay within scope and avoid unnecessary damage. A good report distinguishes confirmed findings from tool output.
What this tests: credential attack safety
The rules of engagement allow password spraying but limit attempts to avoid account lockouts. Which action best follows the rules?
Best answer: A
Explanation: Password attacks can create real operational impact. The tester should follow the approved rate, thresholds, timing, and notification requirements. Exceeding limits violates scope and can disrupt users.
What this tests: web application finding
A web form places user input directly into a database query. The tester can alter the query logic by entering crafted input. What vulnerability is most likely present?
Best answer: B
Explanation: SQL injection occurs when untrusted input changes database query structure or logic. CSRF abuses authenticated user actions, clickjacking tricks UI interaction, and DNS cache poisoning targets DNS resolution.
What this tests: privilege escalation evidence
A tester gains low-privilege shell access on a Linux server. Which action is most appropriate before attempting privilege escalation?
Best answer: A
Explanation: Privilege escalation should start with enumeration and evidence gathering. Destructive exploits, persistence, and log deletion are not appropriate unless explicitly authorized and necessary, and they often violate engagement rules.
What this tests: cloud testing boundary
A penetration test includes an application deployed on AWS, but the rules of engagement exclude denial-of-service testing and attacks against AWS-managed infrastructure. Which action is acceptable only if it stays within the approved scope?
Best answer: B
Explanation: Testing the client’s application authorization controls can be in scope if authorized. Attacks against AWS-managed infrastructure, unrelated customers, or denial-of-service targets are outside typical engagement boundaries and may violate provider rules.
What this tests: reporting remediation
A report finding says an application allows SQL injection. Which remediation recommendation is strongest?
Best answer: D
Explanation: A useful penetration-test report maps the finding to concrete remediation. Parameterized queries address SQL injection directly, while validation, least privilege, and testing support durable risk reduction.
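The following is an added example (not code from the page or from CompTIA) that puts the web-form defect from the SQL injection item beside the parameterized-query remediation from the reporting item. It uses Python's built-in sqlite3 with a constructed in-memory users table, so the behaviour the two explanations describe can be observed directly.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's user store.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    """Build a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect in the finding: input is spliced into the query text, so it can
    change the query's logic rather than only the value being compared."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The direct remediation: the query structure is fixed and the input is
    bound as data, so it can never alter the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist for usernames (an assumed application rule, used for defence in depth).
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Remediation as the report would recommend it: validation first, then the
    parameterized query. Least privilege for the DB account is configured
    outside this code and is not shown here."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username failed allowlist validation")
    return lookup_parameterized(conn, username)


def demo() -> dict:
    """Run the three lookups against a normal input and a crafted one."""
    crafted = "' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    out = {
        "vuln_normal": lookup_vulnerable(make_db(), "alice"),
        "vuln_crafted_rows": len(lookup_vulnerable(make_db(), crafted)),
        "param_crafted": lookup_parameterized(make_db(), crafted),
        "safe_normal": lookup_safe(make_db(), "alice"),
    }
    try:
        lookup_safe(make_db(), crafted)
        out["safe_rejected"] = False
    except ValueError:
        out["safe_rejected"] = True
    return out
```

The vulnerable lookup returns every row for the crafted input, the parameterized lookup returns none, and the validated path rejects it before any query runs.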
What this tests: cleanup and evidence handling
At the end of an engagement, a tester has temporary test accounts, uploaded tools, and screenshots containing sensitive data. What should happen?
Best answer: D
Explanation: Cleanup and evidence handling should follow the rules of engagement and reporting agreement. Test artifacts should not remain unmanaged, and sensitive evidence should be protected according to the agreed process.
What this tests: exploitation risk control
A tester finds a suspected remote code execution flaw on a production system. Exploitation might crash the service. What is the best next step?
Best answer: C
Explanation: Penetration testing must balance validation with safety. When proof could disrupt production, the tester should coordinate, use controlled validation, or document constraints. Criticality does not justify unnecessary damage.
What this tests: social engineering authorization
The client asks a tester informally to send phishing emails, but the signed scope does not mention social engineering. What is the correct action?
Best answer: D
Explanation: Social engineering is sensitive and requires explicit written authorization, target lists, timing, safety controls, and reporting expectations. Verbal requests are not enough for activities that can affect employees and business operations.
What this tests: finding prioritization
Two findings are confirmed: one unauthenticated remote exploit on an internet-facing system and one low-impact information disclosure on an internal test page. How should they be prioritized?
Best answer: B
Explanation: PenTest+ expects risk-based prioritization. Exposure, impact, likelihood, exploitability, affected assets, and business context should guide severity and remediation order, not scanner order or formatting details.
```mermaid
flowchart LR
A["Written scope and rules"] --> B["Reconnaissance"]
B --> C["Scanning and enumeration"]
C --> D["Validate findings safely"]
D --> E["Exploit only when authorized"]
E --> F["Document impact and remediation"]
F --> G["Cleanup, retest, and evidence handling"]
```
Use the map when a PenTest+ item asks what the tester should do next. The best answer stays inside written scope, validates evidence without unnecessary disruption, and turns technical proof into useful remediation guidance.
| Task area | What matters most | Common trap |
|---|---|---|
| Scoping | Written authorization, targets, timing, limits, contacts | Assuming a related domain is automatically in scope |
| Reconnaissance | Passive sources first, then approved active probing | Touching target systems before the engagement allows it |
| Vulnerability validation | Evidence, reproducibility, safe proof, false-positive reduction | Reporting scanner output as confirmed proof |
| Exploitation | Least disruptive payload, approval for risky tests, clear stop conditions | Proving impact by damaging production systems |
| Reporting | Business impact, technical evidence, remediation, severity rationale | Listing tools used without explaining risk |
| Cleanup | Remove tools, test accounts, payloads, and sensitive artifacts per agreement | Leaving artifacts because a retest might happen later |
Use this page to review PT0-003 sample questions and use the Notify me form for exam updates. The related pages below help you compare adjacent IT Mastery cybersecurity practice options before choosing what to study next.
| If you need to practice… | Best page | Why |
|---|---|---|
| security fundamentals before offensive depth | Security+ SY0-701 | Best live baseline before penetration-testing questions. |
| network foundations and troubleshooting | Network+ N10-009 | Important for reconnaissance, enumeration, protocols, and network attack context. |
| analyst-side detection and response | CySA+ CS0-003 | Closest study route when you are comparing offensive testing with defensive analysis. |
| cloud architecture and boundaries | AWS SAA-C03 | Useful live route for cloud network, identity, and workload-boundary decisions. |