Tue May 12 2026

2026 CPTS Review

A year ago, “hacking” looked like black magic to me. I’d been a web developer for the best part of 7 years, and despite a long-standing interest in offensive security, I had no real idea how anyone actually broke into anything. CTFs, red teaming, pentesting, all of it sat behind a wall I didn’t know how to climb.

Five months of study and an exam later, I’m CPTS-certified. This post walks through how I got there, what the HackTheBox Certified Penetration Testing Specialist course and exam are actually like, and what I’d tell someone with a similar background who’s eyeing the same path.

My background

The web side of things meant I came in with some useful foundations - HTTP, networking basics, server admin, the general shape of how web apps and infrastructure fit together. What I had no real grasp on, and what turned out to be the steepest part of the course, was Active Directory. I’ll come back to that.

The Course

I committed to the HTB CPTS course in October 2025 and finished it in March 2026. I had about a month off in there, so the actual study time was roughly 5 months at 2–3 hours a day.

Course Overview

The CPTS course provides a strong layer of theory for each service or target, followed by multiple approaches to enumerate, fingerprint, and exploit them. It covers the pentest process end-to-end: network scanning, file transfers, shells and payloads, pivoting and tunneling, password attacks, and vulnerability assessment. Target-wise, it covers the standard network services (SMB, NFS, FTP, RDP, mail, databases), Active Directory, and a wide range of web tech (from WordPress to Tomcat to GitLab). Dedicated modules and sections cover the tooling you’d expect, including Nmap, Metasploit, Burp Suite, OWASP ZAP, SQLMap, BloodHound, NetExec (formerly CrackMapExec), and many others scattered throughout.

What sets the course apart from the alternatives I’ve come across isn’t just the breadth, it’s the depth and structure. The theory before each technique is detailed enough that you understand why an attack works, not just how to run it. The hands-on questions force you to actually apply what’s been taught rather than copy-paste from a walkthrough. I haven’t found another resource online that hits the same combination of breadth, depth, and practical application.

Course Experience

Roughly 80% of my time was spent on HTB Academy modules. The other 20% was personal research and going deeper on concepts and attacks beyond what the course covered, reading writeups, working through related material, and generally chasing whatever I wanted to understand more fully.

Web content needed little supplementary learning for me. I already understood the environment, so I just had to learn the attacks. AD was the hardest part by a long way, because it meant learning an entirely new environment and how to attack it at the same time. Web and networking attacks made sense because the underlying concepts were already there. AD wasn’t like that. Even while progressing through the Active Directory Attacks and Enumeration module, applying techniques and attacks correctly, there was this little question mark over my head as to what just happened.

The breakthrough came once I started properly understanding Active Directory overall; understanding identity, authentication, and especially privileges, not just if I have compromised a Domain User vs a Domain Admin, but what was actually achievable with each new user and why. Once that clicked, I could reason about when and why to do something rather than just how. Knowing when a Kerberoast or DCSync made sense, or discovering a specific user was of more use to me than another, for example, only became obvious once the underlying model was in place. AD became genuinely enjoyable from that point — as much as web pentesting. For anyone coming from a web background and worried about the AD content: it’s hard, but the steepness is mostly because the environment is new. Once it stops being new, it actually gets fun.

There were moments in the path that felt a bit tedious, and other parts where it felt like “is that all?”, but what I personally found tedious, others may find extremely valuable. Throughout the course I’d occasionally look at reviews and feedback from others who had finished it. Sometimes I’d nod my head and fully agree, other times I’d raise an eyebrow and wonder if we’d done the same module. Password Attacks can get a pretty bad rap, but I honestly found it to be a pretty good module overall.

One critique worth flagging: the Pivoting, Tunneling, and Port Forwarding module does an exceptional job of teaching the fundamentals and the tools, but since I primarily pivot with Ligolo, half the module, while important, felt like it wasn’t going to add much for me in the near future. That’s a personal call, not a knock on the content.

The course felt like a real milestone in itself. Even without going for the exam and certification, it’s a valuable course that I’d recommend to anyone with some level of IT background, all the way up to working pentesters looking to sharpen their knowledge.

The Exam

The CPTS exam is a 10-day practical exam against a realistic enterprise environment, with a minimum of 12 flags (14 in total) to capture and a professional pentest report to deliver alongside. You get one free retake if you don’t pass on the first attempt, as long as you submit a report.

Exam Prep Experience

Throughout the course, I spent a lot of time writing notes and my methodologies to a “notes vault” in Obsidian. The course recommends doing this to build a strong methodology, which in turn helps you in an engagement. What tends to be understated in my opinion is that the act of building a “notes vault” reinforces what you’ve learnt. I treated it as a side project, with the intent to one day make it public, which forced me to constantly rewrite, research, and improve my notes. Doing that burned a lot of concepts and techniques into my head.

After finishing the Linux and Windows Privilege Escalation modules, as well as the Documenting & Reporting module, I was becoming a bit constrained on time due to upcoming events. I either had to squeeze the practice and exam attempts in, or wait a little over two months. Two months felt like an eternity, so I bit the bullet and crammed as much prep as I could before starting.

First, I did the final required module, Attacking Enterprise Networks, almost blind. The two times I did peek were just to check I wasn’t going well beyond scope or down a rabbit hole, not to grab the answer. I got through the module in about 5 days without too much trouble. That was a big confidence boost. It’s often said in the community that if you can do AEN almost blind, you’re in a good position for the exam. It’s not a guarantee, but it’s the closest thing in the course to the exam itself.

Still feeling some imposter syndrome, I worked through as much of the CPTS track as I could. Around 50%. After that, I started the exam the same week.

Exam Experience

By the time I hit the start button, I’d made sure everything was set up and ready. VM running, tools checked, folders prepared, tmux setup ready, notes vault, notepad, and browser all good to go.

Just before starting, I made myself a promise: dedicate day 1 to pure enumeration, nothing else, no matter what. Stay composed, stay disciplined, and leave the ego outside.

The Exam - First Attempt

The exam starts, and off you go. Despite my ego wanting to speedrun, I spent most of day 1 enumerating everything I could think of. I’d actually found something that caught my attention fairly early on, but I refused to go deep on it until I’d enumerated everything else. It was a tricky balance, going for what made perfect sense to me versus making sure I had the full picture first. In hindsight, with the clock ticking, this was still the right play, but sometimes you have to trust your gut and commit, or know how to back out if it starts to look like a dead end. Not knowing what the exam would be like ahead of time, it was nearly impossible for me to tell what was going to be a rabbit hole and what wasn’t.

Once I was ready to start pursuing paths, things moved quickly. By day 2, flag 1 was captured. Flags 2 through 7 each took anywhere from 20 minutes to a couple of hours. There were tricky moments, but on the whole, that stretch was a breeze. Then I hit flag 8.

Flag 8 halted the entire attempt. I was stuck for around 5 days. I failed there.

As gutted as I felt, I made sure to submit a full report for the free retake, not a blank one. I wanted to treat it as a proper deliverable, not just an exam submission. I don’t have professional pentesting experience yet, but I’d imagine in a real engagement you still deliver something to the client for everything you found. Showing what you found and wrapping it up with “no further vulnerabilities identified” is far more valuable to a client than a blank report. They’re paying you to find what you can and deliver a report, not to hit a passing mark. The added benefit was that it gave me a gauge on whether the report was good enough, which after feedback, it was. Going into the second attempt, I knew that as long as I kept the report at a consistent quality, I could focus purely on exploitation.

The Exam - Second Attempt

I deliberately re-enumerated everything on day 1, even knowing most of it already. Discipline over ego.

On day 2, after a bit more enumeration, I decided to commit to the play I’d been working toward in the first attempt. I had all the information I needed, I’d re-enumerated just to be safe, and it was time to trust my gut and send it. Flag 8 was owned.

The remaining flags fell within hours. Flag 12 caused a brief stumble, but I worked through them all.

I’d love to go into more detail about the halts and how I worked through them, but I don’t want to drop anything that could be perceived as a hint. I’ll cover the general lessons in the next section instead.

Overall, I don’t know if I’ve ever had so much fun in my life while being so insanely stuck and frustrated. Looking back, the exam was a brilliant experience, and it’s made me want to do more of these.

Tips & Advice

Prep Advice

AEN blind. Helps with mindset and recognition. It’s not a 1:1 preview of the exam, and it’s definitely not copy-paste, but doing it blind tells you a lot about where your head is at and where your skill level sits.

Refine your notes during the course. Treat the vault as a fun side project. Rewrite it multiple times. The act of restructuring and rewording is what cements the theory.

Do the CPTS track. This is key for applying what you’ve been taught outside of the guided course material.

One thing to expect: some of the machines have paths and attack chains that go beyond CPTS scope. That’s normal. When you get stuck and hit something you know is clearly out of scope, note it for later and move on. Don’t get caught up wondering why a machine is in the track if half of it is outside the course’s focus. Document it all, apply what’s useful, move on.

Retired machines. Reps and muscle memory. You’re there to get comfortable being stuck, practice the core techniques under your own steam, and build the reflexes for things like enumeration and tool-switching that you don’t want to be thinking about consciously during the exam.

Seasonal machines. Technically not recommended for CPTS prep, but while I initially did a few out of pure interest, they actually helped me understand the CPTS ceiling and built the mental muscle for connecting dots under uncertainty. Going outside the scope paradoxically helped me stay within it.

ProLabs (Dante / Zephyr). I didn’t get to do one due to time constraints, but they’re generally recommended for pivoting practice and general network environment experience. I honestly wish there was more experience with network pivoting throughout the course, but regardless, it was still there in the course.

Be familiar with your tooling before exam day. Know your pivoting setup (Ligolo handled almost everything for me), and know your note-taking workflow (I split attack chain notes from raw dumps, and used a tmux logger throughout). The exam isn’t the place to be working out how a tool behaves for the first time.

Tools that carried me through the exam. A handful stand out as worth getting genuinely comfortable with before sitting the exam:

  • NetExec - fast enumeration and authentication checks across hosts. Indispensable.
  • bloodyAD - straightforward AD object manipulation when you need it.
  • BloodHound (with SharpHound or bloodhound-python for collection) - for mapping AD relationships and finding paths.
  • Ligolo-ng - pivoting that just works once it’s set up.

Exam Advice

Keep composure throughout. The trap isn’t losing focus at the start, it’s losing it as the clock runs down. My first attempt fell apart precisely because tunnel vision set in deep into the exam, after days of being stuck. Take breaks. Step away. Come back with fresh eyes. Methodology over panic, all the way to the end.

“Think dumber” isn’t quite right. That’s the common advice you’ll hear, but I disagree with the framing. It implies the answer is always simple, when really, the discipline is what’s simple, not the answer. A better framing: think methodical, think objective. If you have your methodology, your checklists, and a clear view of what you’ve already tried, the correct path will eventually open. The attacks themselves aren’t overly complex, the discipline to stay systematic is what gets you there.

Trust the course. Everything you need is in it. If you’ve done the prep, you have everything you need to clear the exam.

Write the report regardless of pass/fail. Treat it as a real pentest deliverable, not an exam submission. List your findings, write it up properly, keep it professional. As I covered above, doing this on my failed first attempt gave me one less thing to worry about going into the second.

Double-check everything. This is the lesson I took out of the first attempt more than any other. I’d already considered myself someone who double-checks their work, but the first attempt cost me days over a detail small enough that I’d glossed past it without thinking. I won’t say more than that, but the lesson has been cemented at a level I don’t think a clean first-go pass would have given me. If anything, I’d rather have learned it on an exam than on a real engagement.

Mindset. Discipline beats speed. Ego will tunnel you faster than anything else. The exam isn’t designed to be brute-forced, it’s designed to reward methodical enumeration and execution. If you’ve done the course properly, you have everything you need. Trust the prep, work the methodology, and stay patient when something stalls.

Summary

CPTS was, hands down, one of the most rewarding things I’ve put time into. The course built skills I didn’t realise I was missing, and the exam stress-tested all of them at once.

If you’re coming from a similar background, interested in offensive security but unsure where the on-ramp is: CPTS is, in my experience, the on-ramp.

It doesn’t assume a CTF or red team background. It teaches you the foundations, gives you the techniques, and trusts you to apply them. A web dev, a sysadmin, a networking person, a curious developer, there’s a path through this course for all of them. Do the course at minimum. Take it seriously, build a real notes vault, and let yourself get stuck on things. The exam will follow if you want it to.