CompTIA PenTest+ Training Boot Camp

Become a CompTIA certified penetration tester! Infosec's CompTIA PenTest+ training builds your hands-on pentesting skills — from newer environments, such as cloud and mobile, to traditional desktops and servers.

4.6 (695 ratings) | Updated May 2020 | 93% exam pass rate

Earn your PenTest+, guaranteed!

  • Exam Pass Guarantee (live online)
  • 100% Satisfaction Guarantee
  • PenTest+ exam voucher
  • Unlimited PenTest+ practice exam attempts
  • Five days of expert, live pentesting instruction (live online or in-person)
  • Penetration Testing Cyber Range
  • Immediate access to Infosec Skills — including a bonus PenTest+ boot camp prep course — from the minute you enroll to 90 days after your boot camp
  • Learn by doing with hundreds of additional hands-on courses and labs, including web app pentesting, cloud pentesting and ethical hacking
  • 90-day access to all boot camp video replays and materials
  • Knowledge Transfer Guarantee

Authorized training partner

Infosec is an authorized CompTIA training partner and has won several awards from CompTIA for our training. All Infosec instructors have at least 10 years of training experience and have recently passed the latest version of the CompTIA exam.

Training overview

This boot camp teaches you the skills you need to conduct an authorized penetration test against an organization. In addition to getting hands-on experience across each stage of the pentesting process, you’ll learn management skills used to plan, scope and manage the weaknesses you uncover — not just exploit them.

You’ll leave fully prepared to pass the CompTIA PenTest+ certification exam, which focuses on five key skills:

  • Planning and scoping
  • Information gathering and vulnerability identification
  • Attacks and exploits
  • Penetration testing tools
  • Reporting and communication

Learn by doing in the Penetration Testing Cyber Range

You won’t just learn pentesting, you’ll put what you learn into practice in our Penetration Testing Cyber Range. Build your skills as you progress through dozens of hands-on labs — from reconnaissance to compromising web servers to various Capture the Flag (CTF) exercises. Apply your pentesting skills to practical scenarios and gain transferable skills that will help you in your current or future cybersecurity role.

Who should attend

  • Penetration tester
  • Vulnerability tester
  • Security analyst II
  • Vulnerability assessment analyst
  • Network security operations
  • Application security analyst
  • Cybersecurity consultants
  • Offensive security professionals
  • Anyone with a desire to learn about penetration testing and develop hands-on skills

Prerequisites

The PenTest+ certification has a technical, hands-on focus. CompTIA recommends having a Security+ certification or equivalent knowledge, as well as a minimum of 3-4 years of hands-on information security or related experience.

Meets 8570.1 requirements

U.S. Department of Defense information assurance and cybersecurity personnel must obtain an approved certification per DoD Directive 8570.01-M. In November 2020, the DoD approved PenTest+ as a certification for several roles: CSSP Analyst, CSSP Incident Responder and CSSP Auditor.


Everything you need to earn your PenTest+

  • Exam Pass Guarantee
  • 100% Satisfaction Guarantee
  • PenTest+ exam voucher
  • 5 days live, expert instruction (live online or in-person)
  • PenTest+ Boot Camp prep course
  • 90-day access to recordings of daily lessons
  • 100s of additional hands-on courses and labs
  • Knowledge Transfer Guarantee

Exam Pass Guarantee

We guarantee you’ll pass your exam on the first attempt.

CompTIA PenTest+ training schedule

Infosec’s PenTest+ training is more than just a boot camp. We support you before, during and after your live training to ensure you’re fully prepared for your exam — and get certified on your first attempt.

  • Before your boot camp
    • Start learning now. You’ll get immediate access to all the content in Infosec Skills, including an in-depth PenTest+ prep course, the moment you enroll. Prepare for your live boot camp, uncover your knowledge gaps and maximize your training experience.

  • During your boot camp
    • Planning and scoping

      • Explain the importance of planning for an engagement
        • Understanding the target audience
        • Rules of engagement
        • Communication escalation path
        • Resources and requirements
          • Confidentiality of findings
          • Known vs. unknown
        • Budget
        • Impact analysis and remediation timelines
        • Disclaimers
          • Point-in-time assessment
          • Comprehensiveness
        • Technical constraints
        • Support resources
          • WSDL/WADL
          • SOAP project file
          • SDK documentation
          • Swagger document
          • XSD
          • Sample application requests
          • Architectural diagrams
      • Explain key legal concepts
        • Contracts
          • SOW
          • MSA
          • NDA
        • Environmental differences
          • Export restrictions
          • Local and national government restrictions
          • Corporate policies
        • Written authorization
          • Obtain signature from proper signing authority
          • Third-party provider authorization when necessary
      • Explain the importance of scoping an engagement properly
        • Types of assessment
          • Goals-based/objectives-based
          • Compliance-based
          • Red team
        • Special scoping considerations
          • Premerger
          • Supply chain
        • Target selection
          • Targets
            • Internal
              • On-site vs. off-site
            • External
            • First-party vs. third-party hosted
            • Physical
            • Users
            • SSIDs
            • Applications
          • Considerations
            • White-listed vs. black-listed
            • Security exceptions
              • IPS/WAF whitelist
              • NAC
              • Certificate pinning
              • Company’s policies
        • Strategy
          • Black box vs. white box vs. gray box
        • Risk acceptance
        • Tolerance to impact
        • Scheduling
        • Scope creep
        • Threat actors
          • Adversary tier
            • APT
            • Script kiddies
            • Hacktivist
            • Insider threat
          • Capabilities
          • Intent
          • Threat models
      • Explain the key aspects of compliance-based assessments
        • Compliance-based assessments, limitations and caveats
          • Rules to complete assessment
          • Password policies
          • Data isolation
          • Key management
          • Limitations
            • Limited network access
            • Limited storage access
        • Clearly defined objectives based on regulations

    • Information gathering and vulnerability identification

      • Given a scenario, conduct information gathering using appropriate techniques
        • Scanning
        • Enumeration
          • Hosts
          • Networks
          • Domains
          • Users
          • Groups
          • Network shares
          • Web pages
          • Applications
          • Services
          • Tokens
          • Social networking sites
        • Packet crafting
        • Packet inspection
        • Fingerprinting
        • Cryptography
          • Certificate inspection
        • Eavesdropping
          • RF communication monitoring
          • Sniffing
            • Wired
            • Wireless
        • Decompilation
        • Debugging
        • Open Source Intelligence Gathering
          • Sources of research
            • CERT
            • NIST
            • JPCERT
            • CAPEC
            • Full disclosure
            • CVE
            • CWE
      • Given a scenario, perform a vulnerability scan
        • Credentialed vs. non-credentialed
        • Types of scans
          • Discovery scan
          • Full scan
          • Stealth scan
          • Compliance scan
        • Container security
        • Application scan
          • Dynamic vs. static analysis
        • Considerations of vulnerability scanning
          • Time to run scans
          • Protocols used
          • Network topology
          • Bandwidth limitations
          • Query throttling
          • Fragile systems/non-traditional assets
      • Given a scenario, analyze vulnerability scan results
        • Asset categorization
        • Adjudication
          • False positives
        • Prioritization of vulnerabilities
        • Common themes
          • Vulnerabilities
          • Observations
          • Lack of best practices
      • Explain the process of leveraging information to prepare for exploitation
        • Map vulnerabilities to potential exploits
        • Prioritize activities in preparation for penetration test
        • Describe common techniques to complete attack
          • Cross-compiling code
          • Exploit modification
          • Exploit chaining
          • Proof-of-concept development (exploit development)
          • Social engineering
          • Credential brute forcing
          • Dictionary attacks
          • Rainbow tables
          • Deception
      • Explain weaknesses related to specialized systems
        • ICS
        • SCADA
        • Mobile
        • IoT
        • Embedded
        • Point-of-sale system
        • Biometrics
        • Application containers
        • RTOS

    • Attacks and exploits

      • Compare and contrast social engineering attacks
        • Phishing
          • Spear phishing
          • SMS phishing
          • Voice phishing
          • Whaling
        • Elicitation
          • Business email compromise
        • Interrogation
        • Impersonation
        • Shoulder surfing
        • USB key drop
        • Motivation techniques
          • Authority
          • Scarcity
          • Social proof
          • Urgency
          • Likeness
          • Fear
      • Given a scenario, exploit network-based vulnerabilities
        • Name resolution exploits
          • NETBIOS name service
          • LLMNR
        • SMB exploits
        • SNMP exploits
        • SMTP exploits
        • FTP exploits
        • DNS cache poisoning
        • Pass the hash
        • Man-in-the-middle
          • ARP spoofing
          • Replay
          • Relay
          • SSL stripping
          • Downgrade
        • DoS/stress test
        • NAC bypass
        • VLAN hopping
      • Given a scenario, exploit wireless and RF-based vulnerabilities
        • Evil twin
          • Karma attack
          • Downgrade attack
        • Deauthentication attacks
        • Fragmentation attacks
        • Credential harvesting
        • WPS implementation weakness
        • Bluejacking
        • Bluesnarfing
        • RFID cloning
        • Jamming
        • Repeating
      • Given a scenario, exploit application-based vulnerabilities
        • Injections
          • SQL
          • HTML
          • Command
          • Code
        • Authentication
          • Credential brute forcing
          • Session hijacking
          • Redirect
          • Default credentials
          • Weak credentials
          • Kerberos exploits
        • Authorization
          • Parameter pollution
          • Insecure direct object reference
        • Cross-site scripting (XSS)
          • Stored/persistent
          • Reflected
          • DOM
        • Cross-site request forgery (CSRF/XSRF)
        • Clickjacking
        • Security misconfiguration
          • Directory traversal
          • Cookie manipulation
        • File inclusion
          • Local
          • Remote
        • Unsecure code practices
          • Comments in source code
          • Lack of error handling
          • Overly verbose error handling
          • Hard-coded credentials
          • Race conditions
          • Unauthorized use of functions/unprotected APIs
          • Hidden elements
            • Sensitive information in the DOM
          • Lack of code signing
      • Given a scenario, exploit local host vulnerabilities
        • OS vulnerabilities
          • Windows
          • Mac OS
          • Linux
          • Android
          • iOS
        • Unsecure service and protocol configurations
        • Privilege escalation
          • Linux-specific
            • SUID/SGID programs
            • Unsecure SUDO
            • Ret2libc
            • Sticky bits
          • Windows-specific
            • Cpassword
            • Clear text credentials in LDAP
            • Kerberoasting
            • Credentials in LSASS
            • Unattended installation
            • SAM database
            • DLL hijacking
          • Exploitable services
            • Unquoted service paths
            • Writable services
          • Unsecure file/folder permissions
          • Keylogger
          • Scheduled tasks
          • Kernel exploits
        • Default account settings
        • Sandbox escape
          • Shell upgrade
          • VM
          • Container
        • Physical device security
          • Cold boot attack
          • JTAG debug
          • Serial console
      • Summarize physical security attacks related to facilities
        • Piggybacking/tailgating
        • Fence jumping
        • Dumpster diving
        • Lock picking
        • Lock bypass
        • Egress sensor
        • Badge cloning
      • Given a scenario, perform post-exploitation techniques
        • Lateral movement
          • RPC/DCOM
            • PsExec
            • WMI
            • Scheduled tasks
          • PS remoting/WinRM
          • SMB
          • RDP
          • Apple Remote Desktop
          • VNC
          • X-server forwarding
          • Telnet
          • SSH
          • RSH/Rlogin
        • Persistence
          • Scheduled jobs
          • Scheduled tasks
          • Daemons
          • Back doors
          • Trojan
          • New user creation
        • Covering your tracks

    • Penetration testing tools

      • Given a scenario, use Nmap to conduct information gathering exercises
        • SYN scan (-sS) vs. full connect scan (-sT)
        • Port selection (-p)
        • Service identification (-sV)
        • OS fingerprinting (-O)
        • Disabling ping (-Pn)
        • Target input file (-iL)
        • Timing (-T)
        • Output parameters
          • -oA (all formats)
          • -oN (normal)
          • -oG (grepable)
          • -oX (XML)
      • Compare and contrast various use cases of tools
        • Use cases
          • Reconnaissance
          • Enumeration
          • Vulnerability scanning
          • Credential attacks
            • Offline password cracking
            • Brute-forcing services
          • Persistence
          • Configuration compliance
          • Evasion
          • Decompilation
          • Forensics
          • Debugging
          • Software assurance
            • Fuzzing
            • SAST
            • DAST
        • Tools
          • Scanners
            • Nikto
            • OpenVAS
            • SQLmap
            • Nessus
          • Credential testing tools
            • Hashcat
            • Medusa
            • Hydra
            • Cewl
            • John the Ripper
            • Cain and Abel
            • Mimikatz
            • Patator
            • Dirbuster
            • W3AF
          • Debuggers
            • OLLYDBG
            • Immunity debugger
            • GDB
            • WinDBG
            • IDA
          • Software assurance
            • Findbugs/findsecbugs
            • Peach
            • AFL
            • SonarQube
            • YASCA
          • OSINT
            • Whois
            • Nslookup
            • Foca
            • Theharvester
            • Shodan
            • Maltego
            • Recon-NG
            • Censys
          • Wireless
            • Aircrack-NG
            • Kismet
            • WiFite
          • Web proxies
            • OWASP ZAP
            • Burp Suite
          • Social engineering tools
            • SET
            • BeEF
          • Remote access tools
            • SSH
            • NCAT
            • NETCAT
            • Proxychains
          • Networking tools
            • Wireshark
            • Hping
          • Mobile tools
            • Drozer
            • APKX
            • APK studio
          • MISC
            • Searchsploit
            • Powersploit
            • Responder
            • Impacket
            • Empire
            • Metasploit framework
      • Given a scenario, analyze tool output or data related to a penetration test
        • Password cracking
        • Pass the hash
        • Setting up a bind shell
        • Getting a reverse shell
        • Proxying a connection
        • Uploading a web shell
        • Injections
      • Given a scenario, analyze a basic script (limited to Bash, Python, Ruby, and PowerShell)
        • Logic
          • Looping
          • Flow control
        • I/O
          • File vs. terminal vs. network
        • Substitutions
        • Variables
        • Common operations
          • String operations
          • Comparisons
        • Error handling
        • Arrays
        • Encoding/decoding

    • Reporting and communication

      • Given a scenario, use report writing and handling best practices
        • Normalization of data
        • Written report of findings and remediation
          • Executive summary
          • Methodology
          • Findings and remediation
          • Metrics and measures
            • Risk rating
          • Conclusion
        • Risk appetite
        • Storage time for report
        • Secure handling and disposition of reports
      • Explain post-report delivery activities
        • Post-engagement cleanup
          • Removing shells
          • Removing tester-created credentials
          • Removing tools
        • Client acceptance
        • Lessons learned
        • Follow-up actions/retest
        • Attestation of findings
      • Given a scenario, recommend mitigation strategies for discovered vulnerabilities
        • Solutions
          • People
          • Process
          • Technology
        • Findings
          • Shared local administrator credentials
          • Weak password complexity
          • Plain text passwords
          • No multifactor authentication
          • SQL injection
          • Unnecessary open services
        • Remediation
          • Randomize credentials/LAPS
          • Minimum password requirements/password filters
          • Encrypt the passwords
          • Implement multifactor authentication
          • Sanitize user input/p
          • System hardening
      • Explain the importance of communication during the penetration testing process
        • Communication path
        • Communication triggers
          • Critical findings
          • Stages
          • Indicators of prior compromise
        • Reasons for communication
          • Situational awareness
          • De-escalation
          • De-confliction
        • Goal reprioritization
  • After your boot camp
    • Your Infosec Skills access extends 90 days past your boot camp, so you can take additional time to prepare for your PenTest+ exam, get a head start on your next certification goal or start earning CPEs.

Free PenTest+ training resources

How to become a penetration tester

It’s been a while since we’ve talked penetration testing and offense-oriented network security on the show, and I know some of you have been asking for it, so today’s your lucky day!

On the show we have Dr. Wesley McGrew, the director of Cyber Operations for HORNE Cyber. We’re going to talk about going on the offense as a good defense, the current state of pentesting and the raw work of reverse engineering malicious software and vulnerability testing. If you’re looking for the type of job that gets you out on the cybersecurity battlefield and fighting the bad guys, you’re going to want to give this episode your undivided attention!

Wesley McGrew is the author of penetration testing and forensic tools used by many practitioners. He is a frequent presenter at DEF CON and Black Hat USA. At the National Forensics Training Center, he provided digital forensics training to law enforcement and wounded veterans. As an adjunct professor he designed a course he teaches on reverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. This effort was undertaken as part of earning National Security Agency CAE Cyber Ops certification for the university. He has presented his work on critical infrastructure security to the DHS joint working group on industrial control systems. Wesley earned his Ph.D. in computer science at Mississippi State University for his research in vulnerability analysis of SCADA HMI systems used in national critical infrastructure. He served as a research professor in MSU’s Department of Computer Science & Engineering and Distributed Analytics and Security Institute.
