Complete PenTest+ PT0-002 study guide — penetration testing planning, reconnaissance, attacks, reporting.
This guide works best as a loop: read a chapter, test yourself with practice questions, look up unfamiliar terms in the glossary, then move to the next chapter.
104 chapters covering every exam objective. Each chapter includes key concepts, exam tips, common traps, comparison tables, and a 5-question quiz at the end.
Start Chapter 1Free timed and untimed practice with instant feedback and full explanations. Pick 10–120 questions per session. Filter by domain to drill your weak areas.
Go to practice testEvery PT0-002term defined and searchable. Use it when a chapter mentions a concept you haven't seen before or want a quick refresher on.
Browse glossaryExam blueprint, domain weights, passing score, duration, cost, and registration links. Start here if you're new to this certification.
View exam guide8 chapters
Penetration Testing Methodology
Objective 1.1 · Planning Scoping
Scope, Rules of Engagement, and Legal
Objective 1.2 · Planning Scoping
Threat Modelling for PenTest Planning
Objective 1.1 · Planning Scoping
Third-Party and Supply Chain Risk in Scope
Objective 1.2 · Planning Scoping
Bug Bounty Programs and Responsible Disclosure
Objective 1.2 · Planning Scoping
Red Team Exercises vs Penetration Tests
Objective 1.1 · Planning Scoping
Purple Team Operations
Objective 1.1 · Planning Scoping
Operational Security (OPSEC) for PenTesters
Objective 1.2 · Planning Scoping
19 chapters
OSINT and Passive Reconnaissance
Objective 2.1 · Recon Enumeration
Active Scanning and Enumeration
Objective 2.2 · Recon Enumeration
Vulnerability Identification
Objective 2.3 · Recon Enumeration
Nmap Scanning Techniques
Objective 2.2 · Recon Enumeration
BloodHound and Active Directory Enumeration
Objective 2.2 · Recon Enumeration
Passive DNS Reconnaissance Techniques
Objective 2.1 · Recon Enumeration
Shodan and Censys for Asset Discovery
Objective 2.1 · Recon Enumeration
WHOIS, Certificate Transparency, and ARIN
Objective 2.1 · Recon Enumeration
Google Dorking for OSINT
Objective 2.1 · Recon Enumeration
LinkedIn and Social Media OSINT
Objective 2.1 · Recon Enumeration
Maltego and Recon-ng Frameworks
Objective 2.1 · Recon Enumeration
Advanced Nmap: Scripting Engine (NSE)
Objective 2.2 · Recon Enumeration
Masscan and ZMap for Fast Port Scanning
Objective 2.2 · Recon Enumeration
SMB Enumeration with enum4linux and CrackMapExec
Objective 2.2 · Recon Enumeration
LDAP and Active Directory Enumeration
Objective 2.2 · Recon Enumeration
SNMP Enumeration Techniques
Objective 2.2 · Recon Enumeration
Web Fuzzing: Dirbusting and Parameter Discovery
Objective 2.2 · Recon Enumeration
Subdomain Enumeration and Takeover
Objective 2.1 · Recon Enumeration
API Endpoint Enumeration
Objective 2.2 · Recon Enumeration
54 chapters
Network Exploitation
Objective 3.1 · Attacks Exploits
Web Application Attacks
Objective 3.2 · Attacks Exploits
Social Engineering Attacks
Objective 3.3 · Attacks Exploits
Post-Exploitation Techniques
Objective 3.4 · Attacks Exploits
Wireless and RF Attacks
Objective 3.5 · Attacks Exploits
Metasploit Framework for PenTesters
Objective 3.1 · Attacks Exploits
Burp Suite for Web Application Testing
Objective 3.2 · Attacks Exploits
SQL Injection: Union, Blind, Time-Based
Objective 3.2 · Attacks Exploits
Cross-Site Scripting (XSS) Types
Objective 3.2 · Attacks Exploits
CSRF and SSRF Attacks
Objective 3.2 · Attacks Exploits
Command Injection and Directory Traversal
Objective 3.2 · Attacks Exploits
IDOR and Broken Access Control
Objective 3.2 · Attacks Exploits
Mimikatz and Credential Extraction
Objective 3.4 · Attacks Exploits
Privilege Escalation on Linux
Objective 3.4 · Attacks Exploits
Privilege Escalation on Windows
Objective 3.4 · Attacks Exploits
Lateral Movement Techniques
Objective 3.4 · Attacks Exploits
Pivoting and Tunnelling Through Networks
Objective 3.4 · Attacks Exploits
Cloud Pentesting: AWS and Azure
Objective 3.5 · Attacks Exploits
Mobile Application Testing
Objective 3.5 · Attacks Exploits
Phishing Campaigns in Penetration Testing
Objective 3.3 · Attacks Exploits
Physical Security Testing Techniques
Objective 3.3 · Attacks Exploits
Command and Control (C2) Framework Concepts
Objective 3.4 · Attacks Exploits
Exploit Frameworks: Core Impact and Canvas
Objective 3.1 · Attacks Exploits
Buffer Overflow Exploitation Concepts
Objective 3.1 · Attacks Exploits
Remote Code Execution (RCE) Vulnerabilities
Objective 3.1 · Attacks Exploits
SMB Exploitation: EternalBlue and PsExec
Objective 3.1 · Attacks Exploits
Kerberoasting and AS-REP Roasting
Objective 3.4 · Attacks Exploits
DCSync Attack and Domain Replication
Objective 3.4 · Attacks Exploits
Golden Ticket and Silver Ticket Attacks
Objective 3.4 · Attacks Exploits
LSASS Credential Dumping Methods
Objective 3.4 · Attacks Exploits
Post-Exploitation File Transfer Techniques
Objective 3.4 · Attacks Exploits
Persistence Mechanisms: Scheduled Tasks, Registry
Objective 3.4 · Attacks Exploits
RDP Exploitation and BlueKeep
Objective 3.1 · Attacks Exploits
Web Shells and Maintaining Access
Objective 3.2 · Attacks Exploits
XXE Injection Attacks
Objective 3.2 · Attacks Exploits
Insecure Deserialization Attacks
Objective 3.2 · Attacks Exploits
JWT Token Attacks
Objective 3.2 · Attacks Exploits
OAuth 2.0 and SSO Attacks
Objective 3.2 · Attacks Exploits
VLAN Hopping and Network Pivoting
Objective 3.1 · Attacks Exploits
DNS Poisoning and Spoofing
Objective 3.1 · Attacks Exploits
WPA3 and Modern Wireless Attacks
Objective 3.5 · Attacks Exploits
Bluetooth and BLE Attack Surface
Objective 3.5 · Attacks Exploits
Evil Twin and Rogue AP Attacks
Objective 3.5 · Attacks Exploits
AWS Pentesting: IAM Escalation, S3 Exposure
Objective 3.5 · Attacks Exploits
Azure Pentesting Techniques
Objective 3.5 · Attacks Exploits
Container Escape Techniques
Objective 3.5 · Attacks Exploits
NTLM Relay Attacks and Responder
Objective 3.4 · Attacks Exploits
Active Directory ACL Abuse
Objective 3.4 · Attacks Exploits
AS-REP Roasting vs Kerberoasting
Objective 3.4 · Attacks Exploits
IoT and SCADA/ICS Pentesting Concepts
Objective 3.5 · Attacks Exploits
Pentesting AI and ML Systems
Objective 3.5 · Attacks Exploits
Pass-the-Hash and Pass-the-Ticket Attacks
Objective 3.4 · Attacks Exploits
Subdomain Takeover in Pentesting
Objective 3.2 · Attacks Exploits
ARP Spoofing and MITM Attacks
Objective 3.1 · Attacks Exploits
7 chapters
Writing Penetration Test Reports
Objective 4.1 · Reporting Comms
Remediation Recommendations
Objective 4.2 · Reporting Comms
Debriefing the Client After a PenTest
Objective 4.2 · Reporting Comms
CVSS Scoring in Penetration Test Reports
Objective 4.1 · Reporting Comms
Finding Severity Classification
Objective 4.1 · Reporting Comms
Technical vs Executive Report Sections
Objective 4.1 · Reporting Comms
Re-Testing and Validation Testing
Objective 4.2 · Reporting Comms
16 chapters
Penetration Testing Tools
Objective 5.1 · Tools Scripts
Scripting and Automation for PenTest
Objective 5.2 · Tools Scripts
Hashcat and Password Cracking
Objective 5.1 · Tools Scripts
John the Ripper
Objective 5.1 · Tools Scripts
Hydra for Credential Brute-Forcing
Objective 5.1 · Tools Scripts
Payload Generation with msfvenom
Objective 5.1 · Tools Scripts
Cobalt Strike Beacon Concepts
Objective 5.1 · Tools Scripts
PowerShell for Penetration Testing
Objective 5.2 · Tools Scripts
Bash Scripting for Automation
Objective 5.2 · Tools Scripts
Python for Penetration Testing
Objective 5.2 · Tools Scripts
ProxyChains and SOCKS Tunneling
Objective 5.1 · Tools Scripts
Wireshark for Pentesters
Objective 5.1 · Tools Scripts
Impacket Suite for Windows Exploitation
Objective 5.1 · Tools Scripts
Evil-WinRM and Remote Management
Objective 5.1 · Tools Scripts
Ligolo-ng and Chisel for Tunneling
Objective 5.1 · Tools Scripts
Source Code Review for Vulnerabilities
Objective 5.2 · Tools Scripts
Free PT0-002 practice questions with full explanations. Test what you learn chapter by chapter.
PT0-002 Practice Questions