HTB CPTS Review 2026

A hands-on breakdown of the learning path, the exam, and everything I wish someone had told me.

Charles-Thibault Sanchez

~7 min read · March 16, 2026 (Updated: March 16, 2026) · Free: Yes

What Is CPTS?

The Certified Penetration Testing Specialist (CPTS) is HackTheBox's certification for offensive security practitioners. CPTS is a fully hands-on exam that requires you to compromise a simulated enterprise environment and produce a professional-grade penetration testing report.

It's designed to validate real-world skills: not just your ability to run tools, but your capacity to think like an attacker, chain vulnerabilities together, and communicate findings clearly to a client.

If you're looking for a benchmark that actually reflects what the job looks like, this is one of the closest things to it.

What You'll Learn

The CPTS learning path on HTB Academy is extensive. It covers everything from the fundamentals of penetration testing to advanced techniques used in real engagements. Here's a high-level overview of the major areas:

Reconnaissance & Information Gathering — passive and active enumeration, OSINT
Vulnerability Assessment — identifying and validating weaknesses across services
Web Application Attacks — SQLi, XSS, file inclusion, authentication bypasses, and more
Active Directory — enumeration, Kerberoasting, AS-REP Roasting, ACL abuse, lateral movement
Privilege Escalation — both Windows and Linux
Pivoting & Tunneling — moving through segmented networks
Post-Exploitation & Pillaging — credential harvesting, persistence, data exfiltration
Reporting — structuring findings, writing executive summaries, and delivering a professional document

The material is dense. Each module goes deep, and some topics — particularly Active Directory — demand a level of understanding that takes time to build. Don't let that intimidate you; it's what makes the certification genuinely valuable.

My Learning Journey

The path took me six months to complete, and I wouldn't have done it any faster by choice.

There is no point in rushing. The material rewards patience and deep understanding. The course is built like a stack — each layer depends on what came before it.

My advice: slow down to go faster. If you don't fully grasp a topic, sit with it. Research it. Lab it. Break it. Build it again. That depth of understanding is exactly what the exam tests.

How I Prepared for the Exam

Once I'd finished the learning path, I didn't go straight into the exam. I spent additional time consolidating my skills through a few specific activities:

Attacking Enterprise Networks (AEN) — blind. I did this module without following the course material. I just read the engagement letter, spun up the target, and tried to work my way through it from scratch. It forces you to build a real methodology instead of following guided steps.

IppSec's CPTS playlist. IppSec's content is excellent for building a structured methodology and seeing how an experienced practitioner thinks through a box. Worth doing, though some of it is starting to feel dated — treat it as a complement, not a core resource.

The CPTS track on HTB Labs. I worked through most of the machines on the CPTS track. Some of the content there isn't covered in the course material, but I'd consider it a must-do anyway. It expands your thinking and exposes you to edge cases, which could be very valuable during the exam.

Pro Labs — Dante and Zephyr. I completed both. The specific content of a Pro Lab matters less than what they train you to do: pivot through a network, pillage a machine properly before moving on, and maintain your composure when you're not sure what to do next. If you do only one, pick any — just do at least one.

The Exam Experience

No matter how much you prepare, you probably won't feel ready. I didn't. Almost everyone I've spoken to who passed says the same thing. At some point, you just have to jump in.

The exam is hard — but maybe not in the way you'd expect. The individual techniques aren't necessarily complex. What makes it difficult is that you have to chain things together. Think of it less as a series of hard boxes and more as a sequence of easy-to-medium challenges where the real skill is recognizing how they connect.

It took me two days to get my first flag. The beginning is brutal, and it's designed to be. Flags 1 and 8 were, in my experience, the hardest. Don't let an early block convince you that you're not capable — push through, enumerate more, and trust your preparation.

One more thing: the exam has rabbit holes. Some paths look promising and lead nowhere. The ability to recognize when you're chasing a dead end — and pivot without losing too much time — is a genuine skill the exam tests. Some people recommend to set a timer to make sure you don't lose too much time.

Tips for Future Candidates

These are the things I'd tell myself if I were starting over:

Build a proper knowledge base. Clear, well-organized notes are non-negotiable. I structured mine as a Gitbook following the same format as HackTricks — one entry per technique, with commands, context, and examples. When you're deep in the exam, you don't want to be re-reading entire modules. You want to find what you need in 30 seconds.

Do the AEN module blind. Just read the engagement letter and start. Don't follow the walkthrough. If you get stuck for too long, it's ok to look at hints. If you've never written a pentest report before, use this target to practice — it's the perfect low-stakes rehearsal before the real thing.

Do at least one Pro Lab. The point isn't to cover every topic — some content will be out of scope for the exam anyway. The point is to get comfortable operating inside a large network: pivoting between segments, thoroughly pillaging each machine before moving on, and maintaining a clear picture of where you are in a complex environment.

The IppSec playlist is useful, but treat it as a supplement. It's great for methodology-building. Some of the boxes are older and the techniques may feel a bit dated. Use it to sharpen your thinking, not as your primary resource.

Do most of the CPTS track on HTB Labs — it's a must. Some machines in the track cover techniques that aren't explicitly taught in the course material, which might feel frustrating at first. Lean into it. That's the point. The track pushes you to research independently, adapt, and fill gaps in your knowledge — which is exactly what the exam demands. Think of it as the bridge between following a course and operating on your own.

When you're stuck, don't panic — enumerate more. This is easy to say and hard to do at 2 AM on day three of the exam. But stalling is almost always a signal that you've missed something. Try different wordlists. Revisit services you've already touched. Most importantly: take a step back and mentally replay your path. You may have walked past something earlier that's now the key to moving forward.

Don't overlook the small details. In a real engagement — and especially in this exam — the thing that unlocks your next move is often hiding in plain sight. Train yourself to slow down during enumeration and actually read your output, not just scan it. The difference between being stuck for hours and moving forward is sometimes a single line you almost scrolled past.

Take obsessive notes during the exam. Your notes should read like a full walkthrough — every command, every output, every step replicable via copy-paste. This serves two purposes: if you need to reset the environment, you won't lose your progress; and it forces you to stay methodical. Also note what didn't work. It'll save you from repeating dead ends.

Report as you go. Don't leave it for the end. The reporting component is not an afterthought — it's part of the exam, and it matters. You can be an exceptional hacker and still fail if your report is incomplete or poorly structured. I'd recommend using SysReptor for this: it provides a solid template, and there's also an example report in the path's reporting module that's worth studying closely to make sure you don't miss any required sections. Check the resource below, as it guides you very well on the process.

HTB CPTS Reporting: The Easy Way

Or "How I how i passed the HTB CPTS exam without ever writing a pentest report".

brunorochamoura.com

Was It Worth It?

Absolutely. Without hesitation.

I'm not aware of another learning platform that offers the depth and quality of material that HackTheBox Academy does for this price point — especially for students, where the cost is genuinely low relative to what you get.

The CPTS won't just teach you tools. It will teach you how to think offensively, how to move through a network with intention, and how to communicate what you found in a way that has real professional value.

If you're serious about a career in offensive security, this is one of the best investments of time and money you can make.

Good luck. Take your time. Trust the process.

Feel free to reach out in the comments if you have questions about the path or the exam — happy to help.

#hackthebox #cybersecurity #hacking #ethical-hacking #infosec