Home/United States/IT & Cybersecurity/CompTIA PenTest+
IT & Cybersecurity · 2026 question bank

COMPTIA PenTest+
Practice Test

Review CompTIA PenTest+ domains with video walkthroughs, a free PDF and online mock exam access.

$2.99/week$6.99/monthfull unlock, cancel anytime
1010real questions
8free mock questions
5topic areas
Reconnaissance And Enumeration Engagement Management Attacks And Exploits Vulnerability Discovery And Analysis Post Exploitation And Lateral Movement
Free sample · CompTIA PenTest+Q1 / 8
During a penetration test, you aim to identify potential vulnerabilities in web applications by gathering information about them, including their IP addresses. What is the FIRST step you should take?
Correct — D. Answer: Use the whois command to query the domain WHOIS utilities allow penetration testers to search databases of registered domain users, providing useful information such as the IP addresses of web applications.
↑ Tap an answer to check it
Practice all 8 questions

Heads up: the app and the web exam use separate accounts — a web unlock and an in-app purchase do not carry over. Buy on the web to practice on the web.

Watch & learn

CompTIA PenTest+ exam — full Q&A walkthrough

Every question read aloud with the answer explained. Play it on your commute, then test yourself.

▶ Full Q&A walkthrough📺 @CertsQuizPrep
Sample questions

CompTIA PenTest+ sample questions

Tap any question below to reveal the answer and a plain-English explanation.

Reconnaissance And Enumeration During a penetration test, you aim to identify potential vulnerabilities in web applications by gathering information about them, including their IP addresses. What is the FIRST step you should take?

A. Use the nmap command to scan the web application

B. Perform a Shodan search for the web application

C. Run the Nessus vulnerability scanner on the domain

D. Use the whois command to query the domain ✓

Correct — D. Answer: Use the whois command to query the domain WHOIS utilities allow penetration testers to search databases of registered domain users, providing useful information such as the IP addresses of web applications.

Engagement Management Your client wants to ensure that specific user roles have the correct access permissions based on their job functions. What type of assessment is required to verify this?

A. Red team assessment

B. Compliance-driven assessment ✓

C. Black box assessment

D. Vulnerability scanning

Correct — B. Answer: Compliance-driven assessment. Ensuring correct access permissions based on job functions often relates to industry standards and regulations, making it a compliance-driven assessment.

Attacks And Exploits During a penetration test of a Windows-based network, you manage to access a user's account and find that RDP is closed. However, you notice that port 3389/TCP is open on another machine. When attempting to connect via RDP, you are prompted for credentials. What should you do next?

A. Look for RDP credentials in the system32/config directory

B. Attempt to brute-force the RDP credentials

C. Use the same credentials from the initial user account directly on RDP

D. Look for saved RDP credentials in the Windows Credential Manager ✓

Correct — D. The correct action is to look for saved RDP credentials in the Windows Credential Manager. Windows often stores user credentials that can be reused, especially if the user frequently connects to remote machines. This approach can reveal valid credentials that allow access via RDP without brute-force attacks or other more intrusive methods.

Vulnerability Discovery And Analysis What is Burp Suite?

A. Browser plugin

B. Intercepting proxy ✓

C. Password cracking tool

D. Network scanner

Correct — B. Burp Suite is an intercepting proxy that allows you to assess the security of web applications. It helps penetration testers intercept and modify HTTP/HTTPS communication between the client and the server, providing various tools to analyze and exploit web vulnerabilities.

Reconnaissance And Enumeration If Emily has access to a network's traffic data, what method can she use to fully understand the data flow and detect potential issues?

A. Use basic monitoring tools

B. Reverse-engineer it

C. Analyze it using Wireshark ✓

D. Run a script on it

Correct — C. Answer: Analyze it using Wireshark Wireshark is a network protocol analyzer that captures and interactively explores the traffic data. It allows a deep dive into the packets to understand what is happening at the network level. Simply running the data through a script or using basic monitoring tools might not provide the detailed insights necessary. Reverse-engineering is not applicable in this context.

Engagement Management You have identified a critical vulnerability on an internal server hosting sensitive financial data. What is the most appropriate action to take?

A. Notify the client immediately ✓

B. Document the vulnerability and include it in the final report

C. Fix the vulnerability and then inform the client

D. Continue with other tests as this is not a pressing issue

Correct — A. Answer: Notify the client immediately When a pentester identifies a critical vulnerability, particularly on a server hosting sensitive information, it is essential to notify the client immediately. This allows the client to take prompt action to mitigate the risk and protect their data.

Attacks And Exploits During a pentest on a corporate network, James discovered that an internal web application displayed a long error message whenever he included double quotation marks (") in his input. The error message included portions of JavaScript code. What kind of potential vulnerability has James found?

A. Directory Traversal

B. Sensitive data exposure

C. Cross-Site Scripting (XSS) ✓

D. SQL injection

Correct — C. Answer: Cross-Site Scripting (XSS) Cross-Site Scripting (XSS) attacks involve the injection of malicious scripts into trusted websites. In this case, the error message displaying JavaScript code suggests a potential XSS vulnerability, as it indicates the application is not properly sanitizing user input. SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database, but the inclusion of JavaScript in the error message points more towards XSS. Directory traversal allows an attacker to read arbitrary files on the server, but it doesn't involve JavaScript code in error messages. Sensitive data exposure involves inadvertently exposing personal data and does not relate to error messages containing JavaScript code.

Vulnerability Discovery And Analysis You are trying to analyze a suspicious script, but the script is obfuscated and unreadable. What is an alternative approach to gather useful information from the script?

A. Without deobfuscating the script, there is no way to get anything useful from it

B. Run it and see the results

C. Run the script through an online deobfuscator and analyze the output ✓

D. Use a debugger

Correct — C. Answer: Run the script through an online deobfuscator and analyze the output You can run the script through an online deobfuscator to analyze the output and gather useful information. To be able to run a debugger and get meaningful results, you would need to first deobfuscate the script.

What is on the exam

About the CompTIA PenTest+ test

CompTIA PenTest+ candidates are tested on IT & Cybersecurity and Reconnaissance And Enumeration, in the same format the real exam uses. Every question here comes with a plain-language explanation, so you learn why an answer is right instead of memorising it — with 1010 questions to start on.

You will be tested on

  • The core topics and terminology you'll be tested on
  • Rules, standards and best-practice procedures
  • Real-world scenarios and how to respond
  • Common mistakes and how to avoid them

How TheoryPractice helps you pass

  • Real exam-style questions with instant, detailed explanations
  • Full timed mock exams that mirror the real test format
  • Flashcards & quiz modes from the same question bank
  • Progress tracking so you know exactly when you're ready
Coverage

Topics in this question bank

Topic

The core topics and terminology you'll be tested on

Topic

Rules, standards and best-practice procedures

Topic

Real-world scenarios and how to respond

Topic

Common mistakes and how to avoid them

Unlock everything

Full CompTIA PenTest+ bank + unlimited mocks

Try 30 questions free. Unlock the complete CompTIA PenTest+ question bank, every explanation, and unlimited timed mock exams. Practice on any device.

Unlock CompTIA PenTest+ →
Cramming?
$2.99
/ week · per exam
Best value
$6.99
/ month · per exam
Questions

CompTIA PenTest+ test FAQ

Is the CompTIA PenTest+ hard?
The CompTIA PenTest+ is very passable when you study with realistic practice questions. Most people only find it tricky because the wording is unfamiliar. Practise in the real question format until you score consistently above the pass mark and you'll walk in confident.
How many questions are on the CompTIA PenTest+?
The exact number depends on the version of the CompTIA PenTest+ you sit. PenTest+ Test Prep includes a large bank of practice questions covering every topic, plus full-length mock exams set up to mirror the real test format and pass mark.
Can I practise the CompTIA PenTest+ for free?
Yes. You can practise a free sample of CompTIA PenTest+ questions on TheoryPractice in your browser, with answers and explanations. A web unlock adds the full question bank and unlimited timed mock exams for this exam.
Does PenTest+ Test Prep work offline?
The web practice works in your browser. If you prefer offline study, use the downloadable PDF or the mobile app where available, then return to the web version for timed mock exams and progress tracking.
Is CompTIA PenTest+ practice available in other languages?
Several of our apps support more than one language. Open the PenTest+ Test Prep listing on the App Store or Google Play to see the exact languages available for the CompTIA PenTest+.
How many CompTIA PenTest+ questions are there?
This bank covers 1010 CompTIA PenTest+ practice questions, each with a plain-English explanation for the correct answer.
Is CompTIA PenTest+ practice free?
Yes — the sample questions on this page are free to practice. Unlock the full bank and timed mock exams when you're ready to go further.
Where can I practice the CompTIA PenTest+ online?
Right here on TheoryPractice, in your browser — no download required.