CompTIA Nears Launch of New Cybersecurity Certification


The already large family of cybersecurity certifications will soon have a new member — tech industry association CompTIA is nearing the launch of its newest credential: PenTest+. The beta exam period for PenTest+ has ended, and CompTIA says the live exam should make its debut on July 31.

PenTest+, which takes its name from a shortening of "penetration testing," will soon join CompTIA's expanding cybersecurity program, which already includes the Security+, Cybersecurity Analyst (CySA+), and Advanced Security Practitioner (CASP) certifications.

Let's take a look at what penetration testing is, how the new certification fits into CompTIA's push to expand its cybersecurity program, and what skills and knowledge the PenTest+ exam should cover.

What is penetration testing?

A penetration test is a simulated attack made against an information system of some kind, usually either a network or a single computer, meant to discover security vulnerabilities present in the system. Penetration testing is used to perform a risk analysis of the computer or network being attacked. The resulting risk analysis can then be used to determine if further precautions must be taken.

Penetration testing may also be required in order to achieve compliance with certain legal or regulatory standards. For example, companies that work with the United States government or the Armed Forces may need to perform penetration testing on their systems to provide proof of information system security levels.

Penetration testing is important because it provides validation of an organization's cybersecurity systems. It is one thing to have hardware and software security measures in place, but until an attack is made and the security response is fully observed and recorded, the effectiveness of a security solution isn't truly known.

IT professionals who perform penetration testing typically need to know how to assess a given computer or network, make a "plan of attack" and carry out the testing, analyze the results, and create a report that explains the results of the penetration testing. They may also be asked to make recommendations to address vulnerabilities discovered by the test.

CompTIA's ongoing cybersecurity push

So why has CompTIA chosen to introduce another new cybersecurity certification?

The organization has likely been motivated by some of its in-house research regarding cybersecurity jobs across the U.S. A little over a month ago, CompTIA reported that there were more than 300,000 cybersecurity job openings in the U.S. between April 2017 and March 2018. During that same 12-month period, the total employed U.S. cybersecurity workforce was more than 750,000 strong.

The release of PenTest+ is also consistent with CompTIA's recent strategy of creating more granular security-related certifications. The Cybersecurity Analyst (CySA+) credential can be viewed as a comprehensive subcategory of CompTIA's original Security+ certification. Likewise, PenTest+ is a focused subcategory of CySA+ since it covers a more specialized discipline within the larger field of cybersecurity.


CompTIA also understands that its cybersecurity certification program is in competition with other security certification players like EC-Council, (ISC)2, ISACA, and SANS-GIAC. CompTIA's ongoing push for more cybersecurity credentials could also be viewed as a concerted effort to compete for mindshare in the infosec education market.

PenTest+ exam preview

PenTest+ will be an intermediate-level certification that CompTIA has positioned between its core Security+ credential and its advanced CASP certification. This places PenTest+ in parallel with the Cybersecurity Analyst certification, a placement CompTIA must have considered carefully before deciding on it.

"While CySA+ focuses on defense through incident detection and response, PenTest+ focuses on offense through penetration testing and vulnerability assessment," reads the description on CompTIA's PenTest+ certification page. CompTIA clearly views the two certifications as complementary.

What about the PenTest+ exam, which will debut (if all goes as planned) at the end of July with the exam code PT0-001? The total number of questions will be capped at a maximum of 80, with a passing score of 750 based on a scale of 100 to 900. The amount of time candidates will have to complete the exam has been given as 165 minutes.

All of these items were determined from the results gathered during the PenTest+ beta exam period which started at the end of January 2018.

The PenTest+ exam will consist of a combination of multiple-choice questions and performance-based questions which employ a simulation that requires the candidate to complete one or more tasks. This is the standard composition CompTIA continues to use for its certification exams.

The content in the PenTest+ exam has been split into the following knowledge domains, listed below along with an estimate of how much exam content is devoted to each domain:

- Planning and Scoping (15 percent)
- Information Gathering and Vulnerability Identification (22 percent)
- Attacks and Exploits (30 percent)
- Penetration Testing Tools (17 percent)
- Reporting and Communications (16 percent)

As with many of its other IT certifications, CompTIA has placed emphasis in its PenTest+ exam on more than just the practical work involved during penetration testing. The planning, reporting, and communication components are also given significant coverage.

The recommended experience level for a PenTest+ candidate is "3-to-4 years of hands-on experience performing penetration tests, vulnerability assessments, and vulnerability management." There is no prerequisite for taking the exam, but for candidates deciding in what order to take these two exams, CompTIA has said that PenTest+ should follow Security+.

Once achieved, PenTest+ certification will be valid for three years. The PenTest+ certification exam will only be available in English when it launches, but other languages could become available depending on the popularity of the certification.

PenTest+ goes live July 31

CompTIA continues to be very active in the cybersecurity section of its training and certification program. PenTest+ promises to be a significant addition to the broader family of infosec industry credentials.

It will be interesting to see how PenTest+ compares to similar certifications from other vendors like the Certified Ethical Hacker (CEH) and Licensed Penetration Tester (LPT) Master certifications from EC-Council, and the GIAC Penetration Tester (GPEN) certification from SANS-GIAC. We will have more coverage of PenTest+ after it has been released to the public.

About the Author

Aaron Axline is a technology journalist and copywriter based in Edmonton, Canada. He can be found on LinkedIn, and anywhere fine coffee is served.