Logo
Overview
HTB Certified Penetration Testing Specialist (CPTS) Post-Exam Reflection

HTB Certified Penetration Testing Specialist (CPTS) Post-Exam Reflection

f1rst f1rst
January 26, 2026
4 min read
Certificate Penetration Testing CPTS HTB

Introduction

I recently had the opportunity to sit for the Hack The Box Certified Penetration Testing Specialist (CPTS) exam. After an intense 10-day period (simulating a real-world engagement), I am happy to share that I passed! This certification has been one of the most challenging yet rewarding experiences in my cybersecurity journey so far.

In this post, I want to share my thoughts on the exam, the preparation process, and some tips for those looking to tackle this beast.

Preparation

Unlike other certifications that might rely on third-party resources or vague syllabuses, HTB provides a clear path: the Penetration Testing Specialist job role path on HTB Academy.

Note (Note)

The path is massive. It covers everything from basic networking to advanced Active Directory attacks. Do not skip the modules. The exam is directly based on the content taught in the Academy.

You can find the full path here: Penetration Tester Job Role Path.

In addition to the official modules, I highly recommend checking out IppSec’s CPTS playlist. He covers a lot of relevant machines and techniques that solidify the concepts: IppSec CPTS Playlist.

Key areas to focus on:

  • Active Directory: This is the bread and butter of the exam. Understand Kerberos, ACLs, Trusts, and how to move laterally.
  • Pivoting: You will be navigating through multiple networks. Being comfortable with tools like Ligolo-ng, Chisel, or SSH tunnels is non-negotiable.
  • Web Attacks: Standard OWASP Top 10 but with a twist. You need to understand the underlying mechanics, not just how to run a tool.

The Exam Process

For a detailed guide on how to start the exam, connect to the VPN (using Pwnbox or your own machine), and navigate the exam interface, please refer to the official documentation: Academy Certifications - Exam Manual.

Note (Important Warning)

While the guide mentions options for Pwnbox and VPN, do NOT use both at the same time. During my exam, I attempted to use both and it caused significant connectivity instability that wasted valuable time. Pick one method and stick to it.

In order to pass the exam, you need to obtain the minimum required points (depending on the exam) and submit a commercial-grade report.

My Exam Experience

The CPTS exam allows for 10 days of access. This timeframe is generous, but necessary.

The Struggle

I spent the first 2-3 days just trying to find Flag 1. The scope of the environment is massive, and I fell into several rabbit holes. It can be discouraging, but once I finally compromised that first machine, everything became much clearer.

Note (Tip)

The exam tests the knowledge found in the learning path. If you find yourself trying to exploit something using a technique that was never mentioned in the Academy, you are likely in a rabbit hole.

The Flow

I completed the technical part of the exam in 6 days. The reason I managed to finish early (despite the slow start) was that I had prior experience and skills to lean on.

My strategy was to write the report as I worked. I cannot stress this enough: take screenshots and notes immediately. Reproducing an exploit chains later just for a screenshot is incredibly time-consuming and stressful.

The Reset Trap

One critical thing to note: you cannot reset individual machines. You can only reset the entire cluster.

If you are not careful and break something critical (like I did close to the final flag), you might have to reset the entire environment and start your active attacks from scratch. Treat the environment with care!

Reporting

The reporting aspect is emphasized heavily in CPTS. HTB recommends using SysReptor for generating your report, and they even provide templates. I used it and found it very helpful for maintaining a professional structure.

You can find more about it here: HTB Certification Templates.

CPTS vs OSCP?

I haven’t personally taken the OSCP yet, but based on reviews from those who have the “Trifecta” (OSCP, CPTS, PNPT):

  • OSCP is often described as a sprint (24 hours), focusing on methodology under pressure.
  • CPTS is a marathon. It feels more “real” due to the 10-day window, the depth of Active Directory, and the requirement for a polished, commercial-grade report.

If you want to learn deep technical skills, CPTS is widely considered superior in content.

Tips for Future Candidates

  1. Enumerate, Enumerate, Enumerate: If you are stuck, you missed something. Go back and check your nmap scans, your web fuzzing, your AD dumps.
  2. Create a Checklist: Have a checklist of steps for every service and port. Follow it religiously to ensure you don’t skip a simple check that turns out to be the foothold.
  3. Take Breaks: With 10 days, you have time to sleep. Your brain solves problems while you rest.
  4. Master Pivoting: Practice double and triple pivots. It will save you headaches during the exam.
  5. Organize your Notes: Use Obsidian, CherryTree, or whatever works. Document every finding as you go.

Conclusion

The HTB CPTS is a gold standard for modern penetration testing certifications. It forces you to level up your game in Active Directory and pivoting specifically. If you are on the fence, I highly recommend diving into the Academy modules and going for it.

Good luck to anyone planning to sit the exam :)

CPTS cert