BLOG

HTB CPTS Exam Review

Published on December 5, 2025

Hello there:)

HTB CPTS Certification

I got my results back in summer of 2025 after a full year of combining a full-time penetration testing job, university studies, and CPTS preparation. This is my first certification in this field.

While preparing, I read multiple CPTS reviews online and those experiences helped guide me and comforted me when I was anxious, so now it's my turn to contribute to the community by sharing my own journey.

What is CPTS?

The CPTS is a 10-day practical exam where you're dropped into a simulated corporate network. You must compromise systems, pivot through network segments, chain vulnerabilities, and produce a commercial-grade penetration testing report.

To pass you need:

Let me walk you through my complete journey, organized into three phases: before the exam, during the exam, and what came after.

Part 1: Before the Exam

How It Started

In March 2024, I landed my first penetration testing job at one of the largest banks in my country. The company recruits red, blue, and purple team members via CTF competitions. My CTF was for a junior purple team member, nothing too complex, mostly web exploitation basics plus blue team tasks like PCAP and log analysis. At that point, I had university cybersecurity coursework and some CTF experience behind me, but minimal professional pentesting exposure.

That summer of 2024, my manager researched certification options for me and landed on CPTS. It was still relatively new, and none of my teammates had it. HTB's reputation for quality boxes and academy content made it appealing, and the price point sealed the deal. OSCP costs significantly more and is probably a harder investment to justify for a newcomer when a company is testing the waters. CPTS offered strong course content at a fraction of the cost, and people online were saying it rivaled or even exceeded OSCP in difficulty.

My company bought me a Silver Annual subscription ($490), which includes an exam voucher.

HTB Silver Annual Subscription
🎉 While writing this blog post, I noticed: Currently until December 31st, HTB has a 25% off sale on annual subscriptions! Check it out here or use coupon code 25OFFANNUALDEC25 at checkout.

When I first opened the course, web exploitation felt familiar, everything else hit differently. Active Directory was completely foreign to me. Windows in general was a weak spot, I'd been running Linux as my daily OS for years, and my university coursework focused on Linux too.

I started the course in June 2024 and got certified July 2025. The year-long timeline wasn't the plan, it happened because university exam periods and heavy projects at work kept interfering with momentum. A focused 3–6 months would have been healthier and more efficient. If you have more free time (no university getting in the way, no work interfering), this is totally manageable.

The Path

Balancing full-time work, university, and CPTS preparation was brutal. My study schedule looked like this:

Study Type Time Investment
Two 2-week vacation blocks 10–16 hours daily
Workdays (few times/week) 1–2 hours
Weekends 3–4 hours
Total estimate ~1,000 hours (42 full days over one year)

Most heavy studying happened during vacation days I specifically took for CPTS rather than using them for actual vacations. I binged the path for 16 hours daily during those times :(

This worked because at this point I was already pentesting professionally and writing reports daily, giving me practical context. But I don't recommend this schedule unless absolutely necessary.

For what it's worth, the CPTS exam is excellent, but I think the course content is even better. The Penetration Tester path has 28 modules covering everything from basic enumeration to complex Active Directory attacks. You must complete 100% before attempting the exam, no skipping allowed.

HTB's official estimates put the path at roughly 777 hours, just over 32 full days if you could somehow binge it straight through. The discrepancy between their estimate and my actual time makes sense when you account for focus limits. You can't maintain eight hours of deep concentration, some concepts require re-reading, and you can't speed through text the way I do with video content. I occasionally wished HTB Academy offered video alternatives alongside the written modules (so I could binge them on 2x speed).

Every module matters, but which ones challenge you depends on your existing skillset. In my case, Active Directory content demanded the most effort given my Linux-heavy background. One module worth mentioning is Password Attacks, which has a reputation as the most hated module in the community for being particularly demanding. The content itself is important, but the module's structure requires extra patience to work through.

By the time you finish the path, you'll have earned around 500 cubes. These can be used to unlock additional modules. I'd recommend considering:

Each costs 500 cubes, so pick whichever addresses your weakest area or find other ways to unlock the rest if you want them all.

AEN as Mock Exam

The final module, Attacking Enterprise Networks (AEN), deserves special attention. Many recommend treating it as a mock exam by attempting it completely blind. I tried this approach, though time pressure made me peek at guided questions and hints occasionally. It took me 3–4 days to complete.

Here's the readiness test I'd suggest:

If you can work through most of AEN with minimal assistance, you're probably prepared.
If you find yourself constantly needing guidance, spend more time solidifying your methodology before scheduling the exam.

There's a meaningful difference between feeling stuck while knowing you could eventually figure it out, versus feeling genuinely lost about what to even try next.

Note-Taking

Every CPTS review emphasizes taking comprehensive notes throughout the path. This was my single most important preparation decision.

I set up my entire note-taking structure before even starting module one. I heavily referenced Bruno Rocha Moura's CPTS tips blog, which includes his full note organization system. I adopted his framework and layered in my own additions. Setting this up before diving into content meant I had a consistent system from day one rather than retrofitting notes into a structure later.

I consider myself pretty organized, especially for studying and professional work. That said, I've seen people who don't like this approach and prefer minimal note-taking (just one file with necessary commands). I'm not saying my way is ultimate, but I found myself referencing these notes not only during the exam but also during professional pentests to refresh methodology or recall specific commands. The people I saw who didn't take extensive notes usually already had solid professional experience and were more seasoned than me. For someone earlier in their career, in my opinion comprehensive notes fill gaps that experience hasn't covered yet.

What I kept in my notes:

One addition I'd recommend: skill assessment writeups. Each module ends with skill assessments, mini labs to test your understanding. For every one I completed, I documented each step, wrote mini attack chains (good practice since the actual report requires these), captured screenshots, and noted my thinking process. I tracked where my methodology led me elsewhere, what came to mind first and whether it was correct, and where I made mistakes. These became valuable reference material and directly prepared me for report writing.

I used Notion because of personal preference, but other tools like CherryTree, Obsidian, or OneNote work just as well, some might say even better. With 250 pages of notes, retrieval speed matters during a 10-day exam.

Useful Notion shortcuts if you decide to use Notion:

Shortcut Action
Cmd+Opt+T Expand/collapse all toggles (then use Ctrl+F to search)
Cmd+P Global search across all notes

On Windows, substitute Ctrl for Cmd and Alt for Opt.

Pro Labs and Boxes

I didn't complete any Pro Labs. The subscription tier I had didn't include them, and my professional pentesting experience was already providing similar practice so I passed without them.

I did work through some easy and medium seasonal boxes, which helped reinforce module concepts. But I found individual boxes have limitations for CPTS preparation specifically. they often contain techniques, technologies, and scenarios outside the exam's scope. Even boxes on officially recommended lists can have this problem.

The community consensus I encountered during preparation is that "everything necessary to pass is contained in the Academy path". If you read that and assume answers are copy-paste from modules, you're missing the point. The modules teach methodology, you still need to develop the instincts to apply it. Boxes and labs help build that hacker mindset and intuition for what to try when nothing obvious works.

For those without professional experience or substantial CTF background, Pro Labs seem to offer the most exam-relevant practice. Dante gets mentioned repeatedly as the closest simulation to the actual exam environment because it involves navigating a connected corporate network rather than isolated machines. If I were advising someone without real-world pentesting exposure, I'd point them toward Dante over grinding individual boxes.

That said, I'm not the most qualified voice on Pro Labs specifically. Reddit's CPTS community and other reviews from people who actually completed them will give you better insight on whether that investment makes sense for your situation.

IppSec's Playlist

Many recommend IppSec's "Unofficial CPTS Prep" playlist as essential. I watched it during free time on the bus, while eating, whenever I had moments.

I started watching alongside the modules, which made early videos sometimes confusing, because the playlist assumed knowledge I hadn't acquired yet. Topics made sense only after I'd progressed further through the path. If I could redo it, I'd save this playlist for the latter half of preparation. Once you've completed most modules, the content clicks into place.

The playlist contains excellent material but includes techniques outside CPTS scope. That's not a problem if you approach it correctly. By the time you've finished the path, you should be comfortable researching beyond course content to solve unfamiliar problems. When boxes venture into unfamiliar territory, treat it as practice for that skill rather than exam-specific prep. For me, he real value wasn't specific techniques. It was absorbing his methodology, thought process when stuck and systematic enumeration approach. That mindset preparation proved more valuable than any specific exploit.

For the Easy and Medium boxes in the playlist, you should be capable of solving them, especially in Guided Mode. If you struggle, use the videos to fill gaps. The Hard and Insane boxes cover topics beyond exam scope, treat those as walkthroughs rather than challenges you need to solve independently.

Pivoting

Complex network pivoting is central to the exam. You'll need to perform double and triple pivots, chaining through multiple network segments where Machine A can reach Machine B, Machine B can reach Machine C, but your attack box cannot reach Machine C directly. If this concept isn't second nature before you start, you'll burn valuable time troubleshooting connectivity instead of hunting flags.

I completed the exam primarily using Ligolo-ng, but I'd strongly recommend getting comfortable with multiple techniques: Ligolo-ng, Chisel, and SSH tunneling at minimum. Each has its place, and relying solely on one tool without understanding the underlying networking principles can leave you stuck when things go wrong.

Sometimes you'll land on a system where running uploaded binaries is restricted, or you lack the privileges to execute them. SSH port forwarding and manual methods become your only option. If you've never practiced these, you're stuck.

Different techniques operate at different layers. Classic SSH port forwarding works at Layer 7 (application layer), while Ligolo-ng creates a network adapter operating at Layer 3 (network layer). This affects what traffic you can tunnel, detection evasion, and how you chain multiple pivots together.

Generally, Ligolo-ng offers the smoothest experience when you can run binaries and want full network access to a segment. Chisel provides flexibility when you need specific port forwards without full tunnel overhead. SSH tunneling works when you have credentials and SSH access but can't or don't want to upload tools.

The Pivoting, Tunneling, and Port Forwarding module in the path covers these concepts, but it doesn't cover specifially Ligolo usage. Practice until pivoting feels automatic, until you can set up a double pivot without consulting notes. I heard from many people that pivoting was where they struggled most. Don't be one of them. Learn all the techniques, understand where each applies best, and make the underlying networking principles intuitive. The exam isn't the time to learn fundamentals.

Report Preparation

Many candidates don't take report writing seriously enough. Poor reports have failed candidates who captured enough flags. That said, I think I took it too seriously. After submitting, I felt certain I could have done better. I noticed some minor unclear sections and expected to fail, especially after hearing stories about harsh grading. But I passed. So the standard isn't impossible, just don't take it lightly, and don't stress over a few typos either.

HTB provides detailed guidance in the Documentation & Reporting module, along with a sample report and official template. The template is available both in the module and during the exam itself. I got significant inspiration from their template and later redesigned it for my professional work too. Take time to understand the sample report's structure thoroughly, some candidates struggle to parse how it's organized, and that confusion costs time during the exam.

This is where skill assessment writeups pay off. Throughout the path, I documented each skill assessment with screenshots, step-by-step methodology, and attack chain narratives. The HTB template includes a complete attack chain section that must be well-structured and replicable; someone should be able to follow your report and reproduce your exploitation path.

Report writing tips:

The HTB community strongly recommends SysReptor over Microsoft Word. HTB provides free official SysReptor templates, it handles formatting more cleanly, and code blocks replace excessive screenshots, keeping file size manageable and improving readability. That said, tool choice is personal preference. I used Microsoft Word because I'm comfortable with it and prefer the traditional approach.

Scheduling

Once you complete the path, you can start the exam immediately, there is no booking queue or waiting period.

I started about a month after finishing AEN. Partly because I tend to do everything last minute and it was my subscription's final days when I started:). There's no required buffer, but some breathing room after the path lets concepts settle. Others start right after AEN while everything is fresh. Both approaches work.

My exam began on a Wednesday night immediately after finishing my workday. I worked through the night and found my first flag before morning. This timing happened out of necessity, not strategy. Starting on a weekend would likely be smarter, you get momentum before work obligations compete for your attention.

I was still working full-time throughout the exam. My manager and teammates were incredibly supportive, reducing my workload and giving me flexibility. I was putting maybe two hours into actual work each day and spending everything else on the exam. If your workplace can't accommodate this level of flexibility, seriously consider using vacation time.

The exam is mentally exhausting. Coming home from even a light workday then switching to exam mode is incredibly difficult. I made it work but slept very little for 10 days. The aftermath was weeks of mental burnout and sleep debt recovery. Don't be like me, if you can take days off, take them.

Important: The exam voucher includes two attempts at no additional cost, effectively making this a 20-day exam with feedback between attempts. If you submit at least a blank report on your first attempt, you maintain access to the same environment for round two. You continue from where you left off rather than starting fresh.

Note for procrastinators: I had a Silver Annual subscription and started my exam on the literal last day. I'd panicked about whether the 10-day exam period needed to fall within my subscription window. The HTB Discord gave mixed answers, so I contacted HTB support directly. They confirmed that as long as you start the exam within your subscription period, you're fine and the exam runs its full duration regardless. If you have similar questions, reach out to HTB support on their website for a definitive answer.

Part 2: During the Exam

Day One

There are rabbit holes in this exam, and you will fall into them, I did. It took me almost 10 hours to get my first flag.

Pursuing a single direction too long was my mistake at first. Once I recognized nothing was progressing despite thorough enumeration, I shifted to a breadth-first approach. I identified multiple potential vectors across the environment and followed them simultaneously rather than going deep on only one path. When one finally produced results, I had already mapped alternatives to return to later.

First 10 hours without a flag were demoralizing. I started Wednesday night after work and didn't sleep until around 5–6 AM. By then I felt depressed and hopeless but I didn't want to sleep without getting the first flag, because I knew it would destroy my momenentum. This experience is completely normal. People say some candidates take 2–3 days for their first flag. Many struggle significantly on day one. The initial attack surface feels enormous, and you're building foundational understanding, mapping the network, documenting potential entry points, cataloging everything you find. This groundwork is essential even without immediate flags.

That said, 2–3 days for first flag seems excessive if you're enumerating methodically. The starting surface isn't as vast as it first appears. IppSec's enumeration methodology helped me here, systematic coverage rather than scattered poking. I worked through my pre-made checklists and documented every finding, every plan, every direction I wanted to explore.

Documentation during the exam was critical. I saved complete command outputs alongside screenshots. Every successful command, every failed attempt, everything went into my notes. When something finally worked, I had full context. When I needed to reference earlier enumeration, it was all there.

After the first flag, something clicked. I moved significantly faster. Days 3–4 continued this momentum. Each flag opened new paths, each compromised system revealed information that made the next step clearer.

Going Back Several Steps or Resetting the Environment

I developed a strategy: when stuck on an attack chain for too long, I'd take a break, usually to sleep or eat, then return and go back several steps. Sometimes I'd reset machines entirely and follow my attack path from the beginning.

The exam interface has a reset button which resets the whole environment. I used it more than I expected, probably five or more times throughout the 10 days. It became part of my methodology.

Resetting worked repeatedly for a few reasons. The attack surface is large, and it's easy to miss things during rushed enumeration. Coming back with fresh eyes, I occasionally caught services or details I'd overlooked the first time. Starting from scratch also verified I could reproduce each step and truly understood what I was doing rather than stumbling through.

One initial hesitation I had was that resetting felt like losing progress sometimes. But I learned to polish my notes so thoroughly that catching up became quick. If your documentation is solid you can rebuild your position fast. If catching up feels painful, that's a sign your notes need work.

This approach served double duty. Taking breaks and re-enumerating got me unstuck. Following my documented path verified accuracy for the report. By the time I submitted, I was confident every step was reproducible because I'd actually reproduced them.

Tool Flexibility

Don't tunnel vision on a single tool or approach. When something isn't working, switch tools, change your environment, try different techniques.

Tools sometimes fail or behave strangely for reasons unrelated to your methodology. When this happened, I'd try different parameters with the same tool, switch to alternatives, consider the lab's Pwnbox, and finally reset machines. Sometimes it's just an environment glitch.

Pwnbox

There are two ways to take the exam: HTB's provided Pwnbox or your own machine. I used Pwnbox not because it's optimal, but because I'd started skill assessments and practice with it and figured I'd stay consistent.

My own setup is a Kali VM on my daily OS. Pwnbox runs Parrot. I probably should have used my own machine. Pwnbox isn't personalized, you don't have your own tools, your own configurations, your familiar environment. Not everything I needed was pre-installed, so I had to download and configure tools during the exam. And when you reset Pwnbox, it wipes everything. You're starting fresh each time.

Performance was sometimes laggy. Connection had occasional hiccups, though nothing critical. When things felt off, I'd reset and rebuild my environment.

That said, my experience was better than expected. I went in with low expectations, and Pwnbox didn't fail me when it mattered. If you've been practicing with Pwnbox throughout the path and you're comfortable with it, you can make it work. But if you have a well-configured personal VM with your tools ready, that's probably the smoother choice.

Mid-Exam

Some flags came fast, others slower. Around day five, I hit a challenge that held me for three days.

This phase was mentally exhausting and I felt completely out of ideas, I almost gave up. Getting out of that block was a combination of: reviewing notes, getting proper sleep, re-reading relevant modules, fresh enumeration passes, searching the web, and eventually something just clicked.

The course taught me to trust my instincts. If something felt "off" during enumeration, a service that seemed too simple, output that didn't match expectations, something that should work but wasn't, I'd dig deeper rather than abandon the approach. The exam is designed fairly. Your intuition is worth following.

That said, it's not one-to-one replication from modules. There are parts where you need to think creatively, combine techniques in new ways, or search online for variations on concepts you've learned. The course gives you foundations, the exam tests whether you can extend them. With proper methodology and thoroughness, you'll find the path forward, just don't stop and keep pushing.

Sleep & Mental Challenges

I barely slept during the 10 days. This was not a good strategy, and I don't recommend it. Yes, I passed. But I spent months recovering from exhaustion, and fatigue caused me to miss obvious things or go down avoidable rabbit holes.

Your brain processes problems subconsciously during rest. One person discovered hints in their dreams after short naps.

The exam is 10 days long specifically so you can approach it sustainably. You're not proving anything by destroying your health. You're just making an already difficult exam harder.

Multiple times I wanted to give up. Stuck for hours, feeling like I'd tried everything, questioning whether I was capable. Self-doubt was intense, especially when I couldn't see any way forward.

What kept me going: remembering that every person who's passed felt exactly the same. The difficulty is intentional. Feeling stuck is part of the test. Persistence and methodical troubleshooting matter as much as technical knowledge.

When overwhelmed, I'd ask basic questions:

Report Sprint

By day nine, I had 12 flags, which is a passing score. I'd documented attack chains throughout the exam but hadn't started writing the actual report: vulnerability details, CVSS scores, risk rankings, executive summary. That was a mistake.

Day ten was all reporting. Grading CVSS scores for each vulnerability, ranking them by severity, documenting every finding, even those that didn't produce flags, because this exam simulates a real engagement. Report reached 200 pages.

Then, with literal seconds remaining, I realized the file exceeded the 20MB submission limit. Screenshots had bloated the file size beyond what I could fix in time. I panicked, didn't know what to do, and ended up submitting a blank PDF.

Part 3: After the Exam

Second Attempt

My blank report was graded the next day. Even though I submitted nothing, they gave me some general tips. After grading confirmation, I scheduled my second attempt immediately. Because I'd submitted a report (even blank), I kept my free second attempt and was placed in the same environment.

You have 14 days to schedule your second attempt. If you didn't capture all flags on the first try, that window gives you time to revisit relevant modules before going back in. I started right away since my flags were already captured.

The second attempt gave me another full 10 days. I used them. Even though I'd documented attack chains during the first attempt, now I focused on writing the actual report. Organizing findings by risk, writing an executive summary, making sure every reproduction step was clear. I also captured the remaining two flags during this attempt.

I spent days going through my documentation, refining every section, making sure evidence was clear, verifying every finding had proper reproduction steps, writing specific remediation recommendations. I followed my own report step by step and confirmed everything was reproducible.

My final report was 160 pages long. There's no magic number. Some write concise 50-page reports that pass because they're well-organized. Others write detailed 250-page reports that also pass because they're thorough. Quality matters more than quantity, but you need enough detail to show your work.

File Size Challenge

One problem I didn't expect: HTB requires reports under 20MB to upload. My 200-page report with all those screenshots was way over. This is common.

Here's what I actually did:

Even after that, I still needed to compress the final PDF. I used this Ghostscript command:

gs -sDEVICE=pdfwrite -dPDFSETTINGS=/screen -dCompatibilityLevel=1.4 \ -dNOPAUSE -dQUIET -dBATCH -dDetectDuplicateImages \ -dSubsetFonts=true -dCompressFonts=true \ -dConvertCMYKImagesToRGB=true -r150 \ -sOutputFile=output.pdf -f input.pdf

Compression levels (from most to least compressed):

Setting Use Case
/screen Maximum compression, lower quality
/ebook Good balance of size and quality
/printer Higher quality, larger files
/prepress Highest quality, largest files

My advice: reduce screenshots first, compress second. Ghostscript is your safety net, not your primary solution. If you're relying heavily on compression, you probably have too many screenshots. Replace what you can with code blocks during writing, not after. It's easier to do it as you go than to hunt through 160 pages later.

Results

After submitting my final report, the waiting began. Different candidates receive results at different speeds. I hear that exams are graded in batches, so grades usually come out in batches. No one can really tell when the next batch is released, so maybe you're lucky and will be part of a batch graded sooner. Because of different timing and how close candidates' finish times are to batch grading, some might get results in under 24 hours while others wait days or weeks.

What It Means

Receiving that passing email on July 31st, 2025 was one of my yet-short career's most satisfying moments. But CPTS value goes beyond the certification itself. The exam fundamentally changed how I approach professional penetration testing engagements.

I developed better enumeration discipline, more thorough documentation habits, and more structured methodology for complex networks. The mental resilience built during those 10 days carries over into real engagements when encountering difficult obstacles. It was really stressful, but I kinda like the feeling of stress, so I might go back to other certifications from HTB soon. But before that, OSCP is my next stop.

Good luck on your CPTS journey!