How I Passed HTB CPTS
On March 4, 2026 I passed the Hack The Box Certified Penetration Testing Specialist (CPTS) exam. This post covers the full timeline — what worked, what didn’t, how I approached the exam, and what I’d recommend to anyone considering it.
What Is CPTS
For the unfamiliar, CPTS is a hands-on penetration testing certification from Hack The Box. There is no multiple choice. The exam drops you into a full Active Directory environment with multiple hosts across multiple subnets. You enumerate, exploit, pivot, escalate, and chain your way through the network collecting flags. Then you write a commercial-grade penetration test report documenting everything you found. If your report doesn’t meet professional standards, you fail regardless of how many flags you captured.
The exam window is 10 days of hands-on testing plus the report. There are 14 flags total.
Timeline
February 2025 — Started the path. I jumped in and started grinding modules. A lot of the early material was straightforward but as I got deeper into things, some concepts needed more time than the modules alone could give me. When I didn’t fully understand something, I went outside the platform — YouTube, Udemy, whatever it took to make sure I understood the concept and not just the surface-level execution. I didn’t want to be someone who could follow steps without knowing why they worked.
May 2025 — 70% complete. Three months in and I was making solid progress. But I’d just retired from the Army after 20 years and my kids had never had a full summer with their dad home. I put the studies down and spent June and July being present. No regrets.
August 2025 — Back at it, sort of. I took a job as a systems administrator. Steady paycheck, good experience, but it ate all the time I wanted to dedicate to studying. Months went by and I barely touched the material.
November 2025 — Made a decision. I quit the sysadmin job. I needed to finish this. I went back to full-time studying and pushed through the remaining modules over the next few months.
Late February 2026 — Material complete, clock ticking. When I finished the last module I realized I only had about 4–5 days before my exam voucher expired. I took one day off, then started the exam.
Exam Approach
I went in with a locked-in methodology. Every command I ran, I logged. Every output worth keeping, I copied. I kept thorough screenshots but more importantly I kept thorough commands and outputs — the reporting module emphasizes reproducibility through code blocks over walls of screenshots.
I was taking notes in real time alongside every step. This made the reporting phase significantly less painful because I wasn’t trying to reconstruct what I did from memory days later. It was all there.
My Active Directory methodology was solid. That was the area I felt most comfortable in and it showed during the exam. My weakest area was web applications — I didn’t have enough reps to quickly identify which technique to apply in a given situation. Enumeration took longer on the web-facing targets because of that gap, but thorough enumeration carried me through regardless.
I finished 12 out of 14 flags in 8 days. Flag 13 I was at the cusp of solving but I had to pack up and travel out of state for my brother’s birthday. So I loaded up my entire setup, transported it, and used day 9 at my brother’s place to finalize and revise my report instead of sleeping that night.
I submitted with 12/14. That was enough to pass.
Reporting
I used Sysreptor for the report. Being extremely familiar with markdown formatting already, I used Sysreptor more as an organizational tool and editor rather than relying on its templates or auto-formatting. It kept findings structured and organized in a way I couldn’t have managed in a flat document, especially under time pressure.
I also used AI to help proofread the final report — not to generate content, but to catch grammar issues and formatting inconsistencies before submission. Every finding, every command, every screenshot was mine. The AI just made sure I didn’t submit a report with typos after staying up all night.
Did the Course Material Prepare Me
Yes. I will strongly say the material is enough to pass the exam. You do not need to go buy other courses or complete a specific list of boxes to be ready. A thorough understanding of the material — not a surface-level pass through it — is what prepares you.
That said, I did complete around 5 HTB boxes before the exam. They weren’t from the CPTS-recommended playlist. I’d also recommend adding Heartbreaker and Tombwatcher to your prep list if you’re looking for supplemental practice.
One approach that worked well for me: I spent time reading walkthroughs for boxes rather than solving every one from scratch. I know this is controversial. Some people insist you have to do every box hands-on. For me, reading walkthroughs was about absorbing methodology and understanding how experienced testers think through attack paths — not memorizing steps. When I saw something I didn’t understand, I’d go deeper on that concept. When something clicked, I moved on. This worked for me because I was focused on building a mental framework, not collecting box completions.
Recommendations
Log everything in real time. Don’t wait until the report phase to figure out what you did. I logged every tmux pane, every command, every output as I went. This saved me hours during reporting.
Understand concepts, not just steps. When a module teaches you a technique, make sure you understand why it works. The exam won’t present things exactly the way the modules do. If you only memorized the steps, you’ll stall when the context changes slightly.
Enumerate thoroughly. This is the single most important piece of advice. When I was stuck during the exam, the answer was always more enumeration. Not a different exploit, not a new tool — something I missed during recon.
Don’t neglect the report. People fail this exam with enough flags because their report isn’t professional. Use a reporting tool. Structure your findings with impact, evidence, and remediation. Treat it like a deliverable you’d hand to a client.
Budget your time honestly. I had 4–5 days of cushion and used almost all of it. If your voucher is expiring, start the exam as soon as you finish the material. You can rest when you pass.
What’s Next
I know my web application skills need more depth. I’m currently finishing the HTB Certified Web Exploitation Specialist (CWES) path to close that gap, followed by the Certified Red Team Operator (CRTO) for Cobalt Strike and red team operations.
CPTS was the first milestone. There’s more to build.