Certified Penetration Testing Specialist (CPTS)
🏢 HackTheBox | ✅ Obtained | 📅 2024 | 17 min read

About the certification
The HTB CPTS (HTB Certified Penetration Testing Specialist) certification from HackTheBox is a recognized certification in the field of penetration testing, evaluating candidates on real-world security assessment skills across web applications, external networks, and Active Directory environments.
Validated skills
- Penetration testing processes and methodologies
- Information gathering & reconnaissance techniques
- Attacking Windows & Linux targets
- Active Directory penetration testing
- Web application penetration testing
- Manual & automated exploitation
- Vulnerability assessment
- Pivoting & Lateral Movement
- Post-exploitation enumeration
- Windows & Linux Privilege escalation
- Vulnerability/Risk communication and reporting
Exam format
- Duration: 10 days for both exploitation and report submission.
- Objective: Perform grey-box web, external, and internal penetration testing activities against a real-world Active Directory network, and produce a comprehensive commercial-grade penetration testing report.
Introduction
Penetration testing is a critical component of organizational security, requiring not only technical prowess but also the ability to communicate findings effectively to both technical and non-technical stakeholders. The reality of modern penetration testing goes beyond simply finding vulnerabilities: it demands a methodical approach, creative thinking, and the ability to chain multiple weaknesses to demonstrate real business impact. Yet many certifications focus solely on technical exploitation without addressing the crucial reporting and communication aspects that define a professional penetration tester.
Why I Chose This Training
At the time of purchase and certification, I was working as an apprentice within a red team. This was an excellent opportunity to broaden my skillset beyond pure red team operations, learn comprehensive penetration testing methodologies, and develop professional reporting skills. This certification allowed me to validate my technical abilities across web, network, and Active Directory domains while demonstrating my capacity to produce client-ready deliverables that meet commercial standards.
Certification Overview
About HackTheBox
HackTheBox is a leading cybersecurity training platform that has revolutionized hands-on security education. Known initially for its challenging machines and CTF-style challenges, HTB has evolved into a comprehensive training provider offering structured learning paths and professional certifications. Their Academy platform combines theoretical knowledge with extensive practical exercises, ensuring students don’t just memorize concepts but can apply them in realistic scenarios.
What sets HackTheBox apart is their commitment to continuous evaluation throughout the learning journey, not just at the exam stage. Every module includes hands-on skills assessments without provided answers, forcing students to truly understand the material rather than simply following walkthroughs.
Training Format
The training includes:
- Comprehensive written course materials for each module
- Interactive hands-on exercises throughout the learning path
- Skills assessments at the end of each module (mandatory completion)
- Access to spawnable machines and environments
- Real-world penetration testing scenarios
- Professional report template via SysReptor integration
- Active community forums and Discord for support
Duration and Options
The CPTS follows a job-role path called “Penetration Tester” which must be completed 100% before taking the exam. The path contains multiple modules covering everything from basic enumeration to advanced Active Directory attacks and professional reporting. Access depends on your subscription level (Silver, Gold+, Platinum or Student), with most students taking several months to complete all modules thoroughly. I would recommend allocating sufficient time not just to complete the modules, but to truly practice and internalize the techniques.
Recommended Prerequisites
- Basic understanding of networking concepts and protocols
- Familiarity with Linux command line and basic scripting
- General knowledge of web technologies and HTTP
- Experience with HackTheBox machines is highly beneficial
- Understanding of Windows and Active Directory basics
Course Content
Pedagogical Approach
Quality and Completeness of Course Materials
The course material is extensive, covering a broad spectrum of penetration testing domains. Each module progresses logically, building upon previous knowledge. The written materials are detailed and include practical examples, though the density varies significantly between modules. Some foundational modules may feel redundant for experienced practitioners, while advanced modules provide substantial depth.
Key Feature: Continuous Evaluation Throughout
One of the defining characteristics of CPTS is the continuous evaluation model. Unlike traditional certifications where you only prove your knowledge during a final exam, CPTS requires you to complete skills assessments for every single module. These assessments:
- Have no provided answers or walkthroughs
- Test real understanding, not memorization
- Must be completed to unlock exam eligibility
- Prepare you for the exam’s difficulty level
- Build confidence through progressive achievement
This approach ensures that anyone who reaches the exam has already demonstrated competency across all required domains, provided they did not get walkthroughs from the internet 😒.
Practical Tips
- Take structured notes from the beginning; you’ll reference them constantly during the exam
- Don’t skip modules even if topics seem familiar; there’s often nuanced information worth capturing
- Complete skills assessments thoroughly; they’re excellent exam preparation
- The course can be lengthy; breaking it into daily goals helps maintain momentum
Module Breakdown and Relevance
Foundational Modules (May be redundant for experienced practitioners)
- Penetration Testing Process: Useful for understanding methodology, but basic for those with prior experience
- Getting Started: Introductory material, skip if familiar with basics
- Network Enumeration with Nmap: Comprehensive but elementary for experienced users
- Footprinting: Good depth on service enumeration, though foundational
- Information Gathering - Web Edition: Solid OSINT coverage, basic if already practiced
- Vulnerability Assessment: Important for methodology, may feel repetitive
Core Technical Modules (Essential content)
- File Transfers: Practical techniques for moving data across compromised environments
- Shells & Payloads: Understanding shell types and payload generation
- Using the Metasploit Framework: Covered but less relevant for real-world engagements
- Password Attacks: Various password cracking and spraying techniques
- Attacking Common Services: Service-specific exploitation, may overlap with other content
- Pivoting, Tunneling, and Port Forwarding: Critical module for lateral movement
- Active Directory Enumeration & Attacks: Essential for the exam, comprehensive AD coverage
Web Application Security (Strong focus area)
- Using Web Proxies: Fundamental for web testing
- Attacking Web Applications with Ffuf: Practical fuzzing techniques
- Login Brute Forcing: Credential attacks on web applications
- SQL Injection Fundamentals: Core injection concepts
- SQLMap Essentials: Automated SQL injection exploitation
- Cross-Site Scripting (XSS): Client-side attack vectors
- File Inclusion: LFI/RFI exploitation techniques
- File Upload Attacks: Bypassing upload restrictions
- Command Injections: OS command injection exploitation
- Web Attacks: Additional web vulnerability coverage
- Attacking Common Applications: Real-world application exploitation
Privilege Escalation & Post-Exploitation
- Linux Privilege Escalation: Comprehensive Linux privilege escalation vectors
- Windows Privilege Escalation: Windows-specific escalation techniques
- Documentation & Reporting: Critical module for exam success
Capstone
- Attacking Enterprise Networks: Integrates all learned techniques in a realistic scenario
The Realistic Approach: Real-World Penetration Testing
Comprehensive Coverage Across Multiple Domains
Unlike certifications that specialize in a single area, CPTS provides broad coverage across all aspects of penetration testing. This reflects the reality of modern penetration testing engagements where you might encounter web vulnerabilities, network misconfigurations, and Active Directory weaknesses all in the same assessment. The training prepares you to:
- Identify and exploit vulnerabilities across multiple attack surfaces
- Chain seemingly minor issues into critical compromises
- Think like an attacker moving through a network
- Adapt your methodology based on discovered information
Skills Directly Applicable to Professional Engagements
The techniques taught throughout the path are immediately applicable to real penetration testing work:
- Methodology-driven approach: Following a structured process from reconnaissance to reporting
- Tool diversity: Learning multiple tools for similar tasks, not just one “right” way
- Creative problem-solving: Encouraged to think beyond automated scanners and known exploits
- Professional communication: Report writing as a core competency, not an afterthought
The Learning Path
Structure and Progression
Penetration Tester Job-Role Path
The learning path contains multiple modules organized into logical sections, each building upon previous knowledge. The progression takes you from fundamental enumeration through exploitation to post-exploitation and reporting. Each module concludes with a skills assessment that must be completed to progress, ensuring you’ve absorbed the material.
Skills Assessments
These mandatory assessments are where the real learning happens. Without provided answers, you must apply the taught concepts independently. Some assessments are straightforward applications of module content, while others require creative thinking and combining multiple techniques. They’re excellent preparation for the exam’s challenges.
Practical Tips
- Complete modules sequentially when possible; they build upon each other logically
- Don’t rush through skills assessments: Take time to understand why your approach works
- Practice documentation: Start documenting your approach during module completion, not just for the exam
- Leverage the community: HTB Discord and forums are valuable resources when stuck
Note-Taking Management
Importance of a Clear and Organized Structure
With such extensive course material spanning dozens of modules, effective note-taking becomes critical. You can’t possibly remember every command, technique, and nuance without organized documentation. Your notes will become your most valuable asset during the exam when you need to quickly reference a technique or command syntax.
My Personal Approach
I separated technical notes from methodology notes. I maintained organized sections for each domain (web, network, AD) with subsections for specific attack types. Each technique included the conceptual explanation, practical commands with syntax explanations, prerequisites needed, expected outputs, and potential pitfalls. I also created quick-reference cheat sheets for common tasks I found myself repeating.
Recommended Structure
Consider organizing your notes with:
- Methodology: Overall penetration testing process, when to use which techniques
- Technical references: Commands organized by attack type with working examples
- Module-specific information: Key takeaways from each module, especially skills assessment approaches
- Quick reference sections: Common enumeration commands, reverse shell one-liners, privilege escalation checklists
- Reporting templates: Structure and phrasing for common vulnerability types
The Exam
Format and Process
Duration and Objectives
The practical exam provides 10 days to both exploit the environment and submit your report. This extended timeframe reflects the comprehensive nature of the assessment: you’ll be conducting a full penetration test including web application testing, external network assessment, and internal Active Directory compromise. The report is not an afterthought; it’s a core component of the certification and must meet commercial standards.
Type of Environment
The exam environment simulates a realistic corporate network with web applications, external-facing services, and an Active Directory domain. You’ll receive a letter of engagement clearly defining scope, objectives, and client expectations. Unlike the training modules, you won’t have hints or guided steps; this is a true grey-black box assessment where you must apply your methodology to discover and exploit vulnerabilities.
The Report Requirement
Successfully exploiting the environment is only half the battle. Your report must be:
- Professional and client-ready: Clear executive summary, detailed technical findings, and actionable remediation recommendations
- Properly scoped: Only report findings within the defined scope; carefully read the letter of engagement
- Well-structured: Logical flow from methodology through findings to recommendations
- Comprehensive: Document all significant findings with proper risk assessment
- Evidence-based: Include screenshots, command outputs, and proof of exploitation
The report can be substantial; mine, for example, was 213 pages. Using the official SysReptor template is highly recommended to structure your documentation efficiently and meet HTB’s expectations.
Exam Limitations and Considerations
Important Note About Realism
I took this exam before the summer 2025 redesign. At that time, the environment had some limitations in terms of realism:
- No active defenses: No EDR, no Windows Defender, no security monitoring
- Linear paths: Exploitation paths felt somewhat constrained with limited alternative routes
- Potential blocking points: Some individuals might get stuck if they don’t identify the specific intended path
This differs from real-world environments where multiple attack paths usually exist and security controls actively oppose you. However, this also makes the certification more accessible and focuses evaluation on core techniques rather than evasion.
Tips for Success
- Methodical enumeration: Don’t skip steps; thorough enumeration reveals paths forward
- Documentation from day one: Screenshot and document everything as you go; reconstructing later is painful
- Read the letter of engagement carefully: Understanding scope and objectives is critical for report accuracy
- Time management: Balance exploitation time with report writing; don’t leave the report for the last day
- Use the SysReptor template: It structures your report properly and saves significant formatting time
- Risk assessment practice: Understand how to properly categorize and assess vulnerability severity
- Breaks and mental health: It’s 10 days, not a sprint; maintain sustainable pacing
My Personal Experience
What I Appreciated Most
The breadth of coverage across multiple domains, the continuous evaluation model that builds confidence progressively, the extended exam duration allowing for thorough testing and professional report creation, and the active community always ready to help when stuck.
Challenges Encountered
Some modules felt redundant with prior knowledge, making initial progress slower. Certain sections of the course are excessively long without adding real value, which can make maintaining focus challenging. The training lacks a defensive perspective on the vulnerabilities being exploited: there’s minimal coverage of detection methods, indicators of compromise, or defensive countermeasures for the attacks taught. Certain exam exploitation paths felt somewhat “guessy” without multiple clear alternatives, which could frustrate some candidates. The report writing process is time-intensive; allocating sufficient time for a comprehensive, professional document is essential. Maintaining focus across such extensive course material requires discipline.
What I Learned Beyond Technical Content
Professional communication and client-centric thinking, the importance of structured methodology over ad-hoc hacking, patience and thoroughness in enumeration, effective time management across extended engagements, and the ability to translate technical findings into business risk.
Skills Acquired
- Comprehensive penetration testing across web, network, and AD domains
- Vulnerability identification and creative exploitation chaining
- Lateral movement and privilege escalation techniques
- Professional report writing and risk communication
- Structured, repeatable penetration testing methodology
- Client-ready deliverable creation
Conclusion
Who Is This Certification For?
Recommended Profiles
Junior penetration testers looking to formalize their skills, security analysts transitioning into offensive security, IT professionals wanting to understand attacker perspectives, anyone seeking a comprehensive and recognized penetration testing certification; really, any profile wanting to validate broad penetration testing competency.
Required Level
Suitable for those with foundational security knowledge and some practical experience. Complete beginners may find the pace challenging, while experienced practitioners might find early modules redundant but will still benefit from the structured methodology and reporting focus. Prior experience with HackTheBox machines or similar platforms significantly eases the learning curve.
Final Verdict
Quality-to-Content Ratio
The CPTS offers exceptional value, particularly for those with HTB Academy subscriptions. The sheer volume of material, continuous hands-on practice, and the requirement to produce a professional report create a comprehensive learning experience. The extended exam duration and realistic scenarios provide excellent preparation for actual penetration testing work. While some modules may feel basic for experienced practitioners, the overall path delivers substantial educational value.
Would I Recommend This Training?
Yes. This is an excellent certification for establishing a solid penetration testing foundation or validating existing skills across multiple domains. The continuous evaluation model ensures you’re genuinely prepared by exam time. The reporting requirement sets it apart from purely technical certifications and prepares you for real-world client engagements. However, be aware that unlike some certifications, there’s less focus on evasion techniques and operating in defended environments; it’s more about core penetration testing competency than red team stealth operations.
Comparison with Other Certifications
CPTS sits in an interesting position in the certification landscape. It’s more comprehensive than entry-level certifications like eJPT but less specialized than certifications focusing on specific domains (like CRTP for Active Directory). In terms of difficulty and scope, it’s comparable to certifications like eCPPTv2 or OSCP, but with a stronger emphasis on professional reporting. Unlike OSCP, which focuses heavily on exam time pressure and is CTF-like, CPTS prioritizes realistic scenarios and client-deliverable quality. If you’re deciding between certifications, choose CPTS if you want broad coverage with professional reporting skills, or more specialized certifications like CRTP or RTO if you want deep expertise in specific domains.
Useful Resources
Certification Link
Additional Resources That Helped Me
Community/Discord/Forums