Would you trust your food to a fasting cook who can’t taste it to know whether there is too much salt or too little seasoning? Of course you would not!
Likewise, no company will entrust its site or software to engineers who know nothing about penetration testing.
With food, you could easily taste it for yourself, but if penetration testing were so easy that employers could do it by themselves, it would not be one of the most in-demand skills.
Penetration testing is the practice of testing computer systems, software, networks and web applications for vulnerabilities which can be exploited by hackers.
Penetration testing is a critical component of cyber security and is one of the most in-demand skills related to cyber security in the world right now. But if you want to learn about penetration testing, what platform is best to get certified in this field?
Only a few certifications can rival CompTIA PenTest+ in terms of global acceptance and relevance.
The CompTIA PenTest+ certification is a vendor-neutral, globally recognized certification of intermediate-level penetration testing knowledge and skills. It focuses on the latest pen testing techniques, attack surfaces, vulnerability management, post-delivery and compliance tasks.
CompTIA updates its certifications every three years to keep up with evolving technology, so your skills are relevant and you stay up to date on the latest technologies.
When CompTIA updates exams, Subject Matter Experts (SMEs) from the industry participate in workshops to write and review the content, ensuring that the exam domains, objectives and questions validate the skills needed on the job today.
Cyber security experts from the following companies contributed to the update of CompTIA PenTest+:
Johns Hopkins University Applied Physics Laboratory
General Dynamics IT (GDIT)
The skills covered by CompTIA PenTest+ help companies comply with regulations, such as PCI-DSS and NIST 800-53 Risk Management Framework (RMF), which require pen tests, vulnerability assessments and reports.
PT0-001 vs PT0-002
There is not much difference between the exam domains covered in CompTIA PenTest+ PT0-001 and PT0-002, since both are still relevant to the job roles, but there have been some slight changes.
CompTIA changed the name of exam domain 2.0 from Information Gathering and Vulnerability Identification to Information Gathering and Vulnerability Scanning.
CompTIA also swapped the order of two domains – what was formerly 5.0 Reporting and Communication is now 4.0 (with the same name), and what was formerly 4.0 Penetration Testing Tools is now 5.0 Tools and Code Analysis.
Also, the new CompTIA PenTest+ (PT0-002) focuses on the most up-to-date skills needed for the following tasks:
Planning and scoping a penetration testing engagement
Understanding legal and compliance requirements
Performing vulnerability scanning and penetration testing using appropriate tools and techniques, and then analyzing the results
Producing a written report containing proposed remediation techniques, effectively communicating results to the management team and providing practical recommendations
This is equivalent to three to four years of hands-on experience working in a security consultant or penetration tester job role. CompTIA PenTest+ is recommended to follow CompTIA Security+ on the CompTIA cyber security career pathway.
Changes Made From CompTIA PenTest+ PT0-001 to PT0-002:
Newer techniques for pen testing an expanded attack surface
Emphasis on demonstrating an ethical hacking mindset given various scenarios
More focus on the hands-on tasks and automation required for vulnerability management
More focus on code analysis to emphasize the growing need to identify and analyze code during a penetration test
CompTIA consolidated the exam objectives down from 24 to 21 in the new PT0-002 to improve the instructional design and merge similar topics, but the number of exam domains remains the same.
PT0-002 Exam Domains vs PenTest+ PT0-001 Domains
1. Planning and Scoping (14% vs 15%)
This includes updated techniques emphasizing governance, risk and compliance concepts, scoping and organizational/customer requirements, and demonstrating an ethical hacking mindset.
2. Information Gathering and Vulnerability Scanning (22% vs 22%)
This includes updated skills on performing vulnerability scanning and passive/active reconnaissance, vulnerability management, as well as analyzing the results of the reconnaissance exercise.
3. Attacks and Exploits (30% vs 30%)
This includes updated approaches to expanded attack surfaces; researching social engineering techniques; performing network, wireless, cloud and application-based attacks; and post-exploitation techniques.
4. Reporting and Communication (18% vs 16%)
This was expanded to focus on the importance of reporting and communication during the pen testing process in an increased regulatory environment, through analysis and appropriate remediation recommendations.
5. Tools and Code Analysis (16% vs 17%)
This includes updated concepts of identifying scripts in software deployments, analyzing a script or code sample and explaining use cases of pen test tools.
Given that the updates to CompTIA’s PenTest+ certification exams were made with an eye on the needs of leading industries, there is almost no room to argue against going for the new PT0-002 as certainly the best option the moment it is out.