Know Your Enemy
Imagine walking into a battle without knowing where the enemy is hiding. That’s what preparing for PT0-003 feels like if you don’t understand the exam blueprint.
In this guide, I’ll break down exactly what’s tested in the PT0-003 exam. No guesswork. No “I think so.” Just the official domains, weightings, and topic breakdowns straight from CompTIA.
The Big Picture – Domain Weightings
The PT0-003 exam is divided into 5 domains. Each domain has a different weight (percentage of questions you’ll see):
| Domain | Title | Weight |
|---|---|---|
| Domain 1 | Planning and Scoping | 14% |
| Domain 2 | Information Gathering and Vulnerability Scanning | 24% |
| Domain 3 | Attacks and Exploits | 30% |
| Domain 4 | Penetration Testing Tools | 22% |
| Domain 5 | Reporting and Communication | 10% |
| Total | | 100% |
Key Insight: Domains 2, 3, and 4 make up 76% of the exam. Focus your time here.
Domain 1: Planning and Scoping (14%)
This domain covers what happens before you start hacking. Many students skip it, but it’s important for real-world jobs.
What You Need to Know
| Topic | Details |
|---|---|
| Rules of Engagement | What you can/cannot do during a test |
| Legal Concepts | Laws, regulations, and compliance (GDPR, HIPAA, etc.) |
| Scope Creep | How to handle clients asking for more than agreed |
| Ethics | Professional behavior and boundaries |
| Resources | Budget, time, and team planning |
| Contracts | Understanding ROE (Rules of Engagement) documents |
Sample Questions
- “What should be included in a Rules of Engagement document?”
- “A client asks you to test systems outside the signed scope. What do you do?”
- “Which regulation affects pentesting healthcare organizations?”
Study Tips
- Read sample ROE documents online
- Understand key compliance standards (just basics)
- Focus on ethics scenarios
Domain 2: Information Gathering and Vulnerability Scanning (24%)
This is where the real work begins. Before you attack, you must understand the target.
What You Need to Know
| Topic | Details |
|---|---|
| Passive Reconnaissance | OSINT, social media, job postings, public records |
| Active Reconnaissance | DNS enumeration, network scanning, banner grabbing |
| Vulnerability Scanning | Using tools like Nessus, OpenVAS, Qualys |
| Scanning Techniques | Port scanning, service detection, OS fingerprinting |
| Evasion Techniques | Avoiding detection during scanning |
| Analysis | Interpreting scan results, false positives |
Key Tools
- Nmap (all scan types)
- Wireshark (packet capture analysis)
- DNS tools (nslookup, dig, dnsrecon)
- Shodan (internet device search)
- theHarvester (email/OSINT gathering)
Sample Tasks (PBQs)
- Given a network range, perform a scan and identify live hosts
- Analyze a PCAP file and find suspicious traffic
- Use OSINT to gather information about a target company
Study Tips
- Practice Nmap until you can use it in your sleep
- Set up a lab and scan your own machines
- Learn to read vulnerability scan reports
Domain 3: Attacks and Exploits (30%) – Most Important
This is the heart of the exam. 30% means nearly 1 out of every 3 questions comes from here.
What You Need to Know
Network Attacks
| Attack Type | Examples |
|---|---|
| Man-in-the-Middle (MITM) | ARP spoofing, DNS spoofing |
| Wireless Attacks | Evil twin, WPA cracking, deauthentication |
| Sniffing | Packet capture, protocol analysis |
Web Application Attacks
| Attack Type | Examples |
|---|---|
| Injection | SQL injection, command injection |
| Cross-Site Scripting (XSS) | Reflected, stored, DOM-based |
| Authentication Attacks | Brute force, session hijacking |
| File Inclusion | LFI, RFI |
System Attacks
| Attack Type | Examples |
|---|---|
| Password Cracking | Dictionary, brute force, rainbow tables |
| Privilege Escalation | Vertical, horizontal |
| Lateral Movement | Pivoting, pass-the-hash |
Social Engineering
| Attack Type | Examples |
|---|---|
| Phishing | Spear phishing, whaling |
| Pretexting | Creating fake scenarios |
| Physical | Tailgating, badge cloning |
Post-Exploitation
| Activity | Details |
|---|---|
| Covering Tracks | Clearing logs, hiding files |
| Persistence | Backdoors, scheduled tasks |
| Exfiltration | Stealing data |
Key Tools
- Metasploit (exploitation framework)
- John the Ripper / Hashcat (password cracking)
- Burp Suite (web app testing)
- SQLmap (SQL injection automation)
- Aircrack-ng (wireless attacks)
Sample Tasks (PBQs)
- Exploit a vulnerable machine and retrieve a flag
- Perform SQL injection on a login form
- Crack password hashes using John the Ripper
Study Tips
- This is where labs matter most
- Practice one attack type per day
- Use platforms like HackTheBox, TryHackMe, or VulnHub
Domain 4: Penetration Testing Tools (22%)
You need to know which tool to use for which job, plus the basic command syntax for each.
What You Need to Know
| Tool Category | Examples | What to Know |
|---|---|---|
| Scanning | Nmap, Nessus, OpenVAS | Scan types, options, output |
| Exploitation | Metasploit, Searchsploit | Modules, payloads, exploits |
| Password Attacks | John, Hashcat, Hydra | Cracking modes, wordlists |
| Web Testing | Burp Suite, OWASP ZAP | Proxy, repeater, scanner |
| Wireless | Aircrack-ng, Kismet | Monitor mode, packet capture |
| Social Engineering | SET (Social Engineering Toolkit) | Phishing campaigns |
| Reporting | Dradis, Faraday | Report generation |
Key Concepts
- Not just tool names—understand when to use each
- Basic command syntax for common tools
- Tool limitations and alternatives
Sample Questions
- “Which tool would you use to crack NTLM hashes?”
- “What Nmap command performs a SYN scan on all ports?”
- “How do you launch a Metasploit exploit?”
Study Tips
- Create a tool cheat sheet with common commands
- Practice each tool in your lab
- Focus on Nmap and Metasploit (most heavily tested)
Domain 5: Reporting and Communication (10%)
Many technical people ignore this. Don’t. It’s the easiest domain to score high in.
What You Need to Know
| Topic | Details |
|---|---|
| Report Structure | Executive summary, methodology, findings, appendices |
| Risk Ratings | CVSS scores, critical/high/medium/low |
| Remediation | How to fix each vulnerability |
| Communication | Talking to technical vs. non-technical audiences |
| Data Handling | Secure storage of sensitive findings |
| Post-Testing Activities | Cleanup, evidence retention |
Key Concepts
- Executive Summary – For managers (no technical jargon)
- Technical Findings – For IT teams (detailed steps)
- CVSS Scoring – How to calculate risk scores
Sample Tasks (PBQs)
- Given scan results, write a finding with risk rating
- Create an executive summary from technical data
- Prioritize which vulnerabilities to fix first
Study Tips
- Download sample penetration test reports online
- Practice writing findings in simple language
- Learn CVSS scoring basics (a calculator is allowed in the exam)
What’s New in 2026?
The PT0-003 (2026) version has some updates from PT0-002:
| Change | Details |
|---|---|
| More Cloud | Cloud attacks (AWS, Azure) added |
| More Automation | Scripting (Bash, Python) emphasized |
| More DevOps | CI/CD pipeline security |
| Updated Tools | Newer versions of tools |
| PBQ Changes | More complex PBQs |
If you’re using old study materials, check if they cover these updates.
Exam Details Summary
| Detail | Information |
|---|---|
| Number of Questions | Maximum 85 |
| Question Types | Multiple choice + PBQs |
| Time Allotted | 165 minutes |
| Passing Score | 750 (on scale of 100-900) |
| Languages | English, Japanese |
| Experience Recommended | 3-4 years IT, 1-2 years security |
How to Use This Blueprint
Step 1: Print the Blueprint
Download the PDF from CompTIA PT0-003 Exam Questions and print it.
Step 2: Self-Assessment
For each topic, rate yourself:
- 🔴 Red – Never heard of it
- 🟡 Yellow – Know a little
- 🟢 Green – Could teach it
Step 3: Plan Your Study
Focus on 🔴 topics first, then 🟡. Review 🟢 occasionally.
Step 4: Track Progress
Revisit the blueprint weekly and update your ratings.
Frequently Asked Questions
Q: How many PBQs are there?
Usually 3-5 PBQs. They appear at the beginning.
Q: Are all domains equally important?
No. Domains 2, 3, and 4 = 76% of the exam.
Q: Do I need to memorize every tool?
No. Focus on common tools (Nmap, Metasploit, Burp Suite, John). Know their basic commands.
Q: Is cryptography heavily tested?
Only basics. Don’t dive too deep.
Q: What’s the hardest domain?
Most students say Domain 3 (Attacks) because it’s broad and practical.
Final Tip
The exam blueprint is your map. Without it, you’re wandering. With it, you have direction.
Print it. Highlight it. Check off topics as you master them. By exam day, every box should be checked.