HTB CAPE Exam Review

Jason Ampoloquio, OSCE3
CISO, Author of ECE Superbooks

I began my CAPE journey a few weeks after its release on December 11, 2024. Fast forward to 2025, after a year of a love-hate relationship with Active Directory, I was able to complete the course and passed the hardest AD security certification that I've taken.

In this post, I would like to share my experience taking the CAPE exam and my journey toward becoming a Certified Active Directory Pentesting Expert (CAPE). I hope this brief write-up provides insights into what the course offers, what to expect from the exam, and a few helpful tips for future CAPE candidates.

Overview

The Certified Active Directory Pentesting Expert (CAPE) is a 10-day, self-paced examination designed to assess a candidate’s ability to conduct a comprehensive AD security assessment and identify advanced, hard-to-find vulnerabilities in a simulated Active Directory enterprise network.

To earn the certification, candidates must obtain a minimum of 90 points by capturing at least 9 out of 10 flags and submit a professional, client-ready penetration testing report that meets industry standards for technical accuracy, clarity, and actionable recommendations.

AD Pentester Path

To qualify for the CAPE examination, all candidates must complete the entire Active Directory Penetration Tester job-role path. Completing these modules is a mandatory step before being eligible to take the certification exam.

As mentioned on the HTB website, the Active Directory Penetration Tester Job Role Path is designed for professionals who aim to develop advanced skills in performing security assessments of enterprise Active Directory (AD) networks and the components commonly found in such environments. The course consists of 15 modules of varying difficulty and covers a wide range of AD exploitation and abuse techniques.

Completing the course will equip you with the skills necessary to conduct professional security assessments in complex Active Directory environments. You will learn how to identify and chain multiple vulnerabilities to reveal critical weaknesses. Most importantly, you will gain the ability to effectively document your findings and provide actionable recommendations in your reports.

Who is CAPE For?

The CAPE certification is definitely not for beginners. It requires prior knowledge and experience in network penetration testing, as well as a strong background in Active Directory environments. To succeed, candidates should already possess a solid pentesting foundation.

Knowledge domains

Based on the article from HTB, the certification exam assesses the candidates’ knowledge of the following topics:

  • Advanced Active Directory Enumeration
  • Advanced Active Directory Attacks
  • Abusing AD Protocols
  • Abusing AD Trusts
  • Abusing AD Misconfigurations
  • Abusing Common Active Directory Components
  • Command and Control (C2) Operations
  • Windows Evasion
  • Pivoting & Lateral Movement
  • Advanced Post-exploitation Tactics

What Do You Get After?

Once you pass the exam, you’ll officially earn the HTB Certified Active Directory Pentesting Expert (CAPE) title, along with a shiny digital badge from Credly. CAPE is HackTheBox’s only expert-level certification focused entirely on Active Directory. Unlike other AD security courses, it's definitely not something you breeze through. What sets it apart is not just the difficulty, but the depth. Getting this cert means you’ve completed all the required modules, solved hundreds of advanced AD puzzles, and endured a 10-day hands-on exam that mirrors real-world engagements. It’s solid proof that you know how to identify, chain, and exploit complex AD misconfigurations under pressure, and that you’ve got the skills to deliver professional-grade assessments in the field.

My Overall Experience

Before I started the course, I thought I had a solid grasp of Active Directory security, but I was wrong. Some of the modules presented in the course really made me pause, dig deeper, and spend extra time researching the topics. That said, completing it gave me a serious boost in confidence. I now feel much more comfortable navigating and exploiting AD environments.

The first flag set my expectations for the exam. It took me a couple of days to piece everything together and find the intended exploitation path. The good thing about this first flag is that it provided me with the necessary warm-up, and I immediately knew it would be a long 10-day examination.

Looking back at my notes, I'd say that the path to the second flag gave me the hardest time. To reach this flag, you need to complete several tasks; fortunately, I was able to utilize my OSEP notes to solve a specific challenge and then adjust my exploits to work flawlessly on the remote machine. Each flag has its own set of traps, but I found flag four to be the most frustrating. Depending on your approach, it could be a quick win, or it could burn days of your exam time. Without giving too much away, my biggest advice is this: be thorough with enumeration. If something doesn't behave the way it should, dig deeper. Triple-check your binaries, experiment with different angles, and have a Windows machine ready, as you'll need it to compile several binaries during the exam. Don't abandon a path too quickly; sometimes persistence is the key that unlocks the whole thing.

The final flag was hands down the most technically rewarding. It's one of those challenges that feels just within reach; you can almost see the finish line, but getting there requires a lot of tinkering and trial and error. Once I managed to connect the dots and piece together all the needed elements, the exploit came together smoothly, leading to a satisfying full domain compromise. It was a great way to end an immensely challenging but rewarding 10-day engagement.

One thing I want to emphasize is that the course itself provides enough material to pass the exam, especially the modules on DACL Attacks I and II. These sections alone give you the foundation needed to work through most of the exam challenges. While some might say there are exam elements not directly covered in the course, that's to be expected. The course is designed to teach you the core techniques, while the exam is there to test whether you've actually internalized them and can apply them under pressure. For anything beyond what's explicitly covered, your critical thinking and ability to think outside the box will make all the difference. It's not about memorizing steps—it's about adapting your knowledge to real-world attack paths.

Game Changer

While I was waiting for my results, I tried out the Hades mini ProLab. It only took me 2 days to finish it, and it felt pretty easy compared to what I went through during the exam. That alone shows how much this course and exam can sharpen your skills. CAPE is on a whole different level.

Tip

If you’re planning to take CAPE, I strongly recommend completing the CPTS path first. The knowledge and techniques you’ll pick up there really help during preparation. I also highly suggest going through the Cybernetics and Ifrit ProLabs. Those labs are packed with practical experience in AV evasion, pivoting, lateral movement, and various AD attacks that are super helpful for the exam.

Resources for CAPE Prep

Again, the HTB modules are more than sufficient for the exam, but if you need additional references, I have found the following resources to be particularly helpful. These will sharpen your AD skills and provide a well-rounded mix of theory, tooling, and real-world practice.

📚 AD Abuses and Techniques

🧰 Tools and GitHub Repos

  • GhostPack – Includes Rubeus, SharpDump, Seatbelt, and more
  • Certipy – Your go-to for ADCS enumeration and abuse
  • GOAD Lab – A pentest AD LAB project

Final Thoughts

What I really appreciated about the CAPE exam was how well the topics were selected and how realistic the attack chains were. Some of them directly mirror techniques that have been used in real-world Active Directory breaches, making the exam not only challenging but also highly applicable to actual scenarios. HackTheBox managed to pack a wide range of advanced concepts into each flag, from abusing misconfigured DACLs to exploiting Certificate Template misconfigurations. Each challenge required a different combination of enumeration, privilege escalation, and lateral movement techniques.

If you're serious about Active Directory security, this course is absolutely worth it. Just be ready to put in the time, do the research, and get your hands dirty. It's extremely challenging, but it will take your skills to a whole new level.

~thekeym4ker