What It Is
The HTB CPTS (Certified Penetration Testing Specialist) is HackTheBox’s professional penetration testing certification. You complete 100% of the “Penetration Tester” job-role path on HTB Academy, then sit a 10-day practical exam: a grey-box web, external, and internal Active Directory assessment, plus a commercial-grade report. Both exploitation and report submission must land within those 10 days.
Validated skills: penetration testing methodology, information gathering, Active Directory attacks, web application testing, privilege escalation, lateral movement and pivoting, post-exploitation, professional reporting.
Why I Went for It
At the time, I was an apprentice on a red team. The work was heavily focused on red team operations — advanced TTPs, C2 infrastructure, evasion. The CPTS made sense as a way to step back and build solid pentest methodology foundations: web application testing, comprehensive AD coverage, and professional report writing. Skills I was using in pieces but hadn’t formally structured.
The Training Path
The path covers everything from basic enumeration to advanced Active Directory attacks. Some modules will feel redundant if you already have experience — Getting Started, basic Nmap, foundational web recon. Don’t skip them anyway. There’s usually something worth noting even in modules you think you know.
The modules that actually matter:
- Pivoting, Tunneling, and Port Forwarding — critical for the exam. Don’t skim this one.
- Active Directory Enumeration & Attacks — the heart of the path. Covers BloodHound, Kerberoasting, AS-REP roasting, ACL abuse, delegation attacks, trust attacks. Extremely thorough.
- Documentation & Reporting — underestimated by most people. The exam report is half the certification. Get comfortable with SysReptor before you hit the exam.
- Attacking Enterprise Networks — the capstone. Ties everything together in a realistic scenario. Good indicator of where you actually stand.
One real criticism: certain modules drag unnecessarily. Some sections spend pages on concepts that could fit in a paragraph. The path is long and maintaining focus across all of it takes genuine discipline.
Skills Assessments: The Key Differentiator
Every module ends with a skills assessment — no answers provided, no walkthroughs. You pass or you don’t. This is what separates CPTS from certifications where you can coast on memorization. By the time you reach the exam, you’ve already demonstrated you can apply the material, not just recall it.
That said, some people try to shortcut these assessments by searching for external walkthroughs. If you do that, you’re paying to fool yourself — the exam has no such option. 😒
Note-Taking
With this much material, notes aren’t optional. I separated technical notes (commands, syntax, techniques by category) from methodology notes (when to use what, in what order). Quick-reference sheets for common tasks were also invaluable: enumeration commands, reverse shell one-liners, privesc checklists.
You will use these during the exam. Start building them from module one.
The Exam
10 days to compromise a realistic corporate network and produce a professional report. You receive a letter of engagement defining scope and objectives — read it carefully. It defines what’s in scope, what findings to document, and the expectations for the deliverable.
The environment I tested on (pre-summer 2025 redesign) had some limitations worth knowing: no active defenses, no EDR, no Defender. Exploitation paths were somewhat linear with limited alternate routes. This makes the exam more accessible but also means it doesn’t test evasion — it’s core pentest competency, not red team stealth.
The report is not an afterthought. It’s a formal deliverable. Mine was 213 pages. Use the SysReptor template — it structures the document correctly and saves significant time. Document everything as you go, not after. Reconstructing 48 hours of operations from memory is not a fun exercise.
Practical tips:
- Enumerate thoroughly. The exam path reveals itself to people who look carefully.
- Screenshot and document everything in real time.
- Don’t leave the report for the last three days. It takes longer than you think.
- Read the letter of engagement twice.
What I Got Out of It
The training gave me structured methodology where I previously had intuition. The report component pushed me to think about findings from a client perspective — not just “this is exploitable” but “here’s the business risk and here’s how to fix it.”
The breadth of coverage is genuine: web, network, AD, post-exploitation, pivoting, reporting. Full engagement lifecycle. For someone coming from a more specialized background, that breadth has real value.
What it doesn’t cover: operating against active defenses. No EDR evasion, no AV bypass, no detection avoidance. That’s not a flaw — it’s a different certification category. If that’s what you’re after, look at RTO or similar.
Where It Fits
CPTS is more comprehensive than entry-level certifications and more realistic than most mid-tier ones. The closest comparison is OSCP — similar scope and difficulty, but CPTS puts significantly more weight on professional reporting and less on time pressure. OSCP’s 24-hour sprint tests something different. Choose based on what you actually want to demonstrate.
If you want to go deeper on specific domains after CPTS, CRTP is solid for Active Directory, and CRTO for red team operations.
Verdict
Worth it. The continuous evaluation model means you earn the certification progressively, not in one stressful sitting. The report requirement sets it apart from certifications that only test technical skills. And the extended exam duration allows for work that actually resembles a real engagement.
Be clear on what it is and isn’t. It’s a strong penetration testing foundation certification. It’s not a red team certification. Both are legitimate goals — just pick the right one for where you’re trying to go.