CompTIA PenTest+ (PT0-003) prep, adaptive plan with ARIA
CompTIA PenTest+ (PT0-003) is the vendor-neutral pentest cert most relevant for security analysts pivoting into offensive roles, blue-team folks who want red-team exposure, and pentesters who want a CompTIA-stack credential recruiters recognize. The exam runs 165 minutes, max 90 questions (a mix of multiple choice and performance-based items). Passing score is 750/900. The PT0-003 update was released April 2024, so older PT0-002 material misses about 20 percent of the current weight.
What the exam is
| Domain | Weight |
|---|---|
| Engagement Management | 13% |
| Reconnaissance and Enumeration | 21% |
| Vulnerability Discovery and Analysis | 17% |
| Attacks and Exploits | 35% |
| Post-exploitation and Lateral Movement | 14% |
The cert is valid for 3 years. Renewal goes through CompTIA's Continuing Education program (multiple paths, including higher-stack certs, training hours, CEU activities), or by retaking the latest exam.
PenTest+ vs OSCP at a glance
PenTest+ is hybrid (multiple choice plus performance items inside a CompTIA labs interface), 165 minutes, taken at a test center or online with a proctor. OSCP is fully hands-on (24-hour lab plus 24-hour report), live exploitation against real machines. PenTest+ tests breadth and methodology vocabulary. OSCP tests typing speed and exploitation stamina. Take PenTest+ first if you want the credential signal at a lower price, then OSCP later if you want the hands-on bar.
How ARIA preps you for it
The CAT evaluation lands a per-domain skill estimate. Most candidates land heavy on Attacks and Exploits, because PT0-003 added more cloud-native and Active Directory attack content than PT0-002 carried. Your roadmap is weighted to gaps. The error backlog tags every miss by attack stage (recon, vulnerability assessment, exploitation, post-exploit) and by tool family (Nmap, Burp, Metasploit, Mimikatz, BloodHound, Empire, with Cobalt Strike awareness).
Common pitfalls
- Studying PT0-002 material in 2026. PT0-003 added cloud-native pentest, expanded AD coverage, and updated tools. Books and courses dated before April 2024 miss those sections.
- Memorizing tools without methodology. Performance items test "given this scenario, pick the right tool and use it correctly," not "what does this tool do." Methodology beats tool recall.
- Skipping Engagement Management. 13 percent weight, easy points if you read the chapter on rules of engagement, scoping, and reporting. It gets skipped by candidates focused on hacking content.
Lab pairing
ClaudeLab covers MCQ and methodology. Pair with hands-on practice on TryHackMe, HackTheBox, or PortSwigger Web Security Academy to build the muscle memory the performance-based items will test.
Pass guarantee
Same five conditions as every ARIA roadmap. Full refund if you complete the roadmap and do not pass within the 60-day window.