HTB CPTS Review

In this post, I would like to share a brief review and some personal insights from my experience taking the HackTheBox Penetration Testing Path and CPTS exam.

Completing the required 28 modules before taking the exam was a long and challenging journey, but it also included many rewarding moments. In the end, it was an awesome learning experience and a great way to wrap up my 2023.

Overview

The Certified Penetration Testing Specialist (CPTS) is a 10-day, self-paced examination designed to assess a candidate’s ability to conduct a comprehensive internal penetration test against a simulated corporate Active Directory environment.

To earn the certification, candidates must obtain a minimum of 85 points by capturing at least 12 out of 14 flags and submit a professional, client-ready penetration testing report that meets industry standards for technical accuracy, clarity, and actionable recommendations.

What is CPTS?

CPTS serves as the capstone certification in Hack The Box’s Penetration Tester job-role pathway, encompassing 28 comprehensive Academy modules. The exam simulates a real-world engagement, beginning with a professional letter of engagement and granting access to a multi-host Active Directory environment.

What sets CPTS apart from many other certifications is its emphasis on professional reporting. Rather than simply documenting the steps taken during the exam, candidates are required to submit a commercial-grade penetration testing report. This includes a well-written executive summary, CVSS scoring, detailed analysis of identified vulnerabilities with associated CVE and CWE references, and actionable remediation strategies categorized into short, medium, and long-term solutions.

Additionally, candidates must thoroughly document all system changes made during the assessment and provide clear evidence of post-engagement cleanup activities after achieving full forest compromise. This focus on real-world deliverables ensures candidates are technically competent and capable of delivering value in a professional consulting context.

Who is CPTS For?

The CPTS exam is designed for cybersecurity professionals who already have a solid grasp of penetration testing fundamentals and want to take their skills to the next level in a highly realistic environment. It’s particularly suitable for individuals who are comfortable navigating enterprise infrastructure, exploiting both Windows and Linux systems, and conducting Active Directory attacks.

Knowledge domains

Based on the article from HTB, the certification exam assesses the candidates’ knowledge of the following topics:

• Penetration testing processes and methodologies
• Information gathering & reconnaissance techniques
• Attacking Windows & Linux targets
• Active Directory penetration testing
• Web application penetration testing
• Manual & automated exploitation
• Vulnerability assessment
• Pivoting & Lateral Movement
• Post-exploitation enumeration
• Windows & Linux Privilege escalation
• Vulnerability/Risk communication and reporting

What Will You Gain?

After passing the exam, you’ll gain more than just a certificate, you’ll walk away with hands-on experience simulating a full-scope internal pentest, covering everything from initial enumeration to domain compromise. You’ll sharpen your ability to chain complex attack paths, navigate segmented environments, escalate privileges across different operating systems, and most importantly, communicate your findings through a well-structured, client-facing report. The real-world depth of the exam demands both critical thinking and professional discipline, making it one of the most practical and realistic penetration testing certifications I’ve completed

Skills You'll Need (and Build Along the Way)

• Network enumeration and service scanning
• Web and custom application exploitation
• Active Directory attacks (Kerberoasting, DCSync, trust abuses)
• Privilege escalation across Windows and Linux
• Lateral movement and pivoting
• Rigorous report writing (many use SysReptor to streamline this)

What Do You Get After?

Passing the CPTS exam earns you the HTB Certified Penetration Testing Specialist credential along with a digital badge issued via Credly. But beyond that, you gain something far more valuable—credibility.

The CPTS has quickly gained traction among professionals as a challenging and respected certification that stands out in resumes and client portfolios. Many in the community compare its realism and depth favorably to more established certifications like the OSCP.

CPTS vs OSCP

While both CPTS and OSCP are highly regarded certifications in the offensive security space, they differ significantly in structure, objectives, and real-world applicability. OSCP is well-known for its intense, time-pressured 24-hour exam, where candidates are tasked with compromising individual machines, each containing relatively isolated and CVE-based vulnerabilities. When I took the OSCP back in 2019, the focus was largely on identifying known exploits, performing basic enumeration, and modifying public proof-of-concept scripts to target specific vulnerable services. It tests your technical agility under pressure in a highly constrained window.

In contrast, CPTS presents a 10-day, self-paced exam that closely mirrors a real-world full-scale internal enterprise penetration test, particularly within a complex Active Directory environment. The exam challenges candidates to demonstrate situational awareness, perform thorough and methodical enumeration, and understand how systems interact within a realistic enterprise network. Unlike OSCP, CPTS doesn’t rely heavily on public CVEs. Instead, it focuses on realistic vulnerabilities, misconfigurations, and even poor cybersecurity practices by users, which are exactly the kind of issues you would encounter during an actual client engagement. The exam will push you to your limits to think creatively and strategically chain multiple vulnerabilities to achieve the defined objectives.

To be eligible for the CPTS exam, you must first complete all 28 modules and their accompanying lab challenges. It differs from OSCP, where you can schedule and take the exam immediately after purchasing it, regardless of whether you've completed all challenges.

Another significant difference lies in the reporting requirement. While OSCP requires a fairly straightforward technical write-up of your exploitation steps, CPTS demands an enterprise-grade VAPT report, including an executive summary, CVSS scoring, vulnerability classification, and practical remediation recommendations. It mirrors what you’d be expected to deliver as a professional consultant. In essence, if OSCP measures how quickly you can exploit under pressure, CPTS evaluates your ability to conduct, manage, and document a real-world engagement from start to finish.

I ended up writing a 145-page final report because of the extensive external and internal attack surfaces of the exam lab, as well as the required documentation of detailed vulnerability chaining and cleanup activities.

My Overall Experience

I took the exam on December 2, 2023, right after completing the Penetration Tester pathway. Fortunately, the methodologies outlined in the final module, Attacking Enterprise Networks, helped me secure the first flag fairly quickly. Interestingly, many examinees on Discord mentioned struggling at this initial stage due to the overwhelming amount of enumeration required and the presence of numerous rabbit holes that can easily throw you off track.

tip

One thing worth nothing: completing the CBBH examination prior to taking the CPTS can offer you crucial insights on how to approach this first challenge.

After capturing the first flag, I got humbled pretty quickly. I ended up stuck for a long time chasing the second flag, all because I had skipped a critical step. That mistake cost me almost two days and reminded me how important it is to slow down and follow a proper methodology, even when things feel “easy.” It was a frustrating oversight that taught me the importance of following through with thorough post-exploitation checks.

Once past that hurdle, several of the subsequent flags fell into place within a few hours each, and then I hit flag number 9. This one was a mental gauntlet. I went down a very deep rabbit hole, and it took me over two days to figure out what to do. It almost gave me a mild case of HTB-induced PTSD.

Looking back, completing this 10-day challenge was incredibly rewarding, but also brutal. I’ve taken other extremely challenging exams like the 48-hour OSWE and OSEP, but CPTS felt like torture in slow motion. It relentlessly pushed me to the edge, and at some point, I genuinely asked myself why I was putting myself through this. CPTS didn’t just test my technical ability; it tested my discipline, resilience, and capacity to endure an intense challenge from start to finish.

Exam Tips

• Master the Core Techniques - Be comfortable with credential enumeration, crackmapexec (CME), ACL abuse, Kerberos-based attacks, pivoting and tunneling through multiple hosts, and BloodHound for AD path mapping. These are essential to navigate the exam’s environment effectively.
• Use the Attacking Enterprise Networks Module as a Blueprint - This module closely mirrors the structure and logic of the exam network. Solve it multiple times, until you’re confident you can tackle it without referring to the solution guide. It’s a training ground for both methodology and mindset.
• Train with HTB Pro Labs - HTB’s Dante Pro Lab is one of the best resources for intermediate-level candidates to simulate a full enterprise pentest. It builds the enumeration habits, privilege escalation mindset, and lateral movement skills needed to succeed in CPTS. Completing Dante will significantly improve your confidence and readiness.
• Document Everything as You Go - Save time and reduce stress by writing your report progressively. Take annotated screenshots, jot down commands, and note credentials and system relationships as you move through each step. This will streamline your final report writing phase and prevent gaps in documentation.
• Take Breaks When You’re Stuck - When you hit a wall, step away. Go for a walk, stretch, grab coffee. A fresh perspective can help spot what you missed during tunnel vision.
• Don’t Forget to Enjoy the Process - It’s challenging, yes, but it’s also an incredibly rewarding experience. Lean into the learning moments, appreciate the realism of the network, and enjoy the satisfaction that comes with every breakthrough.
• Re-enumerate Often - The environment changes as you progress. New users, hosts, and services may appear after exploitation or privilege escalation. Always revisit your enumeration, especially after popping a new box or privilege level.
• Stay Organized With Obsidian - With multiple credentials, pivot points, and relationships between systems, things can get messy fast. Use Obsidian to document the whole process and a mindmap to track compromised hosts, credentials, users, and paths to domain escalation. It’ll save your sanity later.
• Don’t Underestimate User Habits - Not all vulnerabilities are technical, some are human. Always check for reused credentials, weak passwords, or scripts with hardcoded secrets. These “bad practices” are part of the realism in CPTS and often lead to key breakthroughs.
• Clean Up and Document It - Part of your deliverable is showing that you understand professional hygiene. Always remove any backdoors, tools, shells, or accounts you created, and clearly document all your cleanup steps. Treat it like a real-world engagement where you’re handing the network back in good faith.

Final Thoughts

For me, CPTS is more than an extremely hands-on challenge, it’s an immersive, enterprise-grade pentesting experience. It challenges your technical and documentation skills, demands patience, and validates your readiness for real-world engagements. If you’re looking to grow beyond OSCP-level skills and into full-scale corporate pen testing, CPTS is a powerful, career-defining next step.