Practice PT0-002 Reporting and Communication questions with full explanations on every answer.
1. During a penetration test, a penetration tester discovers a critical vulnerability that allows unauthenticated remote code execution on a public-facing web server. According to best practices for communication during a penetration test, what should the tester do next?
2. When writing the executive summary of a penetration test report, which of the following is the most appropriate language to use?
3. A penetration tester is preparing a remediation recommendation for a SQL injection vulnerability found in a legacy application. The development team cannot immediately update the framework due to compatibility issues. What should the tester recommend as a compensating control?
4. A penetration tester is calculating the severity of a vulnerability using the DREAD model. Which of the following factors is assessed under the 'Damage' category?
5. In a penetration test report, which section should contain detailed technical information such as affected systems, proof-of-concept code, and remediation steps?
6. During a penetration test, the tester discovers evidence of an ongoing cyber attack by an external threat actor on the client's network. What is the tester's responsibility?
7. A penetration tester is presenting findings to a mixed audience of technical staff and executives. The executives seem confused about the risk ratings. How should the tester adjust the presentation?
8. A penetration tester is prioritizing remediation recommendations in a report. Which of the following should be considered first?
9. In a penetration test report, the tester includes a screenshot of a successful exploit. What metadata should the screenshot include to ensure proper evidence documentation?
10. Which of the following is an example of a responsible remediation recommendation?
11. A penetration tester uses the CVSS base score to rate a vulnerability. The tester finds that the vulnerability has a high CVSS score but the affected system is isolated from the internet and has no sensitive data. Which approach should the tester take when assigning an overall severity rating?
12. A client requests that the penetration test report include raw output from the scanning tools used. Where should this output be placed in the report?
13. A penetration tester is preparing to present findings to the client's technical team. Which TWO practices are most effective for this audience?
14. During a penetration test, the tester encounters a situation where the scope of the test is ambiguous. Which TWO actions should the tester take to clarify the situation?
15. Which THREE items are typically included in the appendices of a penetration test report?
16. A penetration tester discovers a critical vulnerability on a client's web server and wants to communicate it immediately. Which of the following is the most appropriate action?
17. Which section of a penetration testing report should provide a high-level overview of the test results using business language and strategic recommendations?
18. During a penetration test, a tester discovers evidence of an ongoing live exploitation by an unknown third party. Which of the following should the tester do first?
19. A penetration tester is writing a report and needs to assign a severity rating to a vulnerability that has a CVSS base score of 7.5. According to CVSS v3.1, which severity level does this score correspond to?
20. A penetration tester is evaluating vulnerabilities using the DREAD model. For a specific vulnerability, the tester assigns the following scores: Damage=8, Reproducibility=7, Exploitability=9, Affected users=6, Discoverability=5. Which of the following is the overall DREAD risk rating?
21. Which of the following is the most appropriate evidence to include in a penetration testing report for a SQL injection vulnerability?
22. A penetration tester needs to provide remediation recommendations for a critical vulnerability found on a web server. Which of the following is the most appropriate recommendation?
23. During a penetration test, a client asks the tester to clarify the scope of the test. Which of the following is the best approach for the tester?
24. A penetration tester is presenting findings to a group of executives. Which of the following is the most effective way to communicate a critical vulnerability?
25. A penetration tester is preparing a report and wants to include proof-of-concept code to demonstrate a vulnerability. Which of the following is the best practice for including such code?
26. A penetration tester receives pushback from a client's technical team regarding a finding, claiming it is not exploitable. Which of the following is the best response?
27. Which of the following is an example of a custom severity rating based on business context?
28. A penetration tester is writing a report and wants to prioritize remediation recommendations. Which TWO factors should the tester consider when prioritizing? (Choose TWO.)
29. A penetration tester is presenting findings to a mixed audience of technical staff and executives. Which THREE of the following should the tester do to effectively communicate to both groups? (Choose THREE.)
30. A penetration tester discovers a vulnerability that cannot be immediately remediated. Which TWO compensating controls should the tester recommend? (Choose TWO.)
31. Which of the following is the primary audience for the executive summary of a penetration test report?
32. During a penetration test, a penetration tester discovers a critical vulnerability that could allow an attacker to gain administrative access to the client's payment processing server. According to best practices, what should the tester do?
33. A penetration tester uses the DREAD model to assess a vulnerability. The tester assigns the following scores: Damage=8, Reproducibility=10, Exploitability=9, Affected users=7, Discoverability=6. What is the overall DREAD risk rating?
34. Which section of a penetration test report contains detailed technical information such as the vulnerability description, evidence, affected systems, and remediation steps?
35. A penetration tester is writing a report and wants to provide a remediation recommendation for an outdated Apache server. Which of the following is the most specific and actionable recommendation?
36. During a penetration test, a tester discovers evidence of an ongoing data exfiltration attack by an unknown third party. Which of the following should the tester do first?
37. A penetration tester is presenting findings to a mixed audience of executives and technical staff. For the executives, the tester should focus on:
38. Which of the following is the correct CVSS metric that describes the level of access an attacker needs to exploit a vulnerability?
39. A penetration tester has completed the test and is preparing the final report. The client asks the tester to include a section that describes the scope, methodology, and tools used. In which section should this information be placed?
40. A penetration tester uses a custom severity rating based on business context. The tester determines the likelihood of exploitation is high and the business impact is low. According to a standard risk matrix, what should the overall severity be?
41. A penetration tester is documenting evidence for a finding. Which of the following is the least appropriate type of evidence to include?
42. When a client disagrees with a finding's severity rating, what is the best approach for the penetration tester?
43. A penetration tester is creating a report and needs to include evidence of a cross-site scripting vulnerability. Which TWO of the following are appropriate types of evidence? (Choose TWO.)
44. During a penetration test, the tester discovers a critical SQL injection vulnerability. The client cannot deploy the full fix (parameterized queries) immediately due to legacy code. Which THREE actions should the tester recommend as compensating controls? (Choose THREE.)
45. A penetration tester is preparing the executive summary. Which THREE elements should be included? (Choose THREE.)
46. A penetration tester is writing a report and needs to assign a severity rating to a vulnerability. Which of the following scoring systems is specifically designed to consider Damage, Reproducibility, Exploitability, Affected users, and Discoverability?
47. During a penetration test, a tester discovers a critical vulnerability that could allow remote code execution on an internet-facing server. According to best practices, what is the most appropriate immediate action?
48. A penetration tester is compiling evidence for a critical-severity SQL injection vulnerability. Which of the following is the most important piece of evidence to include in the report to demonstrate exploitability while remaining responsible?
49. A penetration tester is writing the executive summary of a report. Which of the following best describes the appropriate language and content for this section?
50. A penetration tester is recommending remediation for a critical vulnerability. Which of the following is the best example of a specific, actionable remediation step?
51. A penetration tester is presenting findings to a group of IT administrators. One administrator questions the validity of a finding, claiming it is not exploitable. How should the tester respond?
52. During a penetration test, the tester discovers evidence of an ongoing ransomware attack on the client's network. Which of the following is the most appropriate action?
53. Which section of a penetration testing report should include screenshots, affected systems, and remediation steps?
54. A penetration tester is prioritizing remediation recommendations. Which approach is most aligned with industry best practices?
55. A penetration tester is writing a report and needs to assign a custom severity rating for a vulnerability that has high business impact but low likelihood of exploitation. Using a custom severity based on business context (impact + likelihood), which rating is most appropriate?
56. Which of the following should be included in the appendix section of a penetration testing report?
57. A penetration tester is documenting evidence for a finding and takes a screenshot. Which of the following is the most important metadata to include with the screenshot?
58. A penetration tester is preparing a presentation for both technical and executive audiences. Which TWO of the following are effective strategies for communicating findings to an executive audience?
59. A penetration tester discovers a critical vulnerability that cannot be fully remediated immediately. The client asks for recommendations. Which THREE of the following should the tester include?
60. A penetration tester is following responsible disclosure timelines. Which TWO of the following actions align with responsible disclosure practices?
61. A penetration tester discovers a critical vulnerability during an assessment. According to best practices, when should the tester communicate this finding to the client?
62. A penetration tester is writing the executive summary of a report. Which of the following is MOST important to include?
63. During a penetration test, the tester discovers evidence that an external attacker is actively exploiting a vulnerability in the client's environment. Which of the following is the MOST appropriate action?
64. A penetration tester needs to assign a severity rating to a vulnerability based on business context. Which model uses Impact and Likelihood to determine the risk?
65. A penetration tester is preparing a report that includes technical findings. Which TWO of the following should be included in each technical finding? (Select TWO.)
66. A penetration tester is presenting findings to a technical audience. Which THREE practices are MOST appropriate for this setting? (Select THREE.)
67. Which TWO of the following are components of the DREAD model for risk assessment? (Select TWO.)
68. A penetration tester is writing remediation recommendations. Which THREE practices should the tester follow? (Select THREE.)
69. A penetration tester is handling a client's pushback on a finding. Which THREE approaches are appropriate? (Select THREE.)
The Reporting and Communication domain covers the key concepts tested in this area of the PT0-002 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PT0-002 domains — no account required.
The Courseiva PT0-002 question bank contains 69 questions in the Reporting and Communication domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Reporting and Communication domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.