Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CompTIA · Free Practice Questions · Last reviewed May 2026

PT0-002 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the others are wrong.

85 exam questions
165 min time limit
Pass mark: 750/1000
5 exam domains
Exam domains:
1. Planning and Scoping
2. Information Gathering and Vulnerability Scanning
3. Attacks and Exploits
4. Reporting and Communication
5. Tools and Code Analysis

Domain 1: Planning and Scoping

Q1 (medium)

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

A

The test will include social engineering of remote employees

B

The exclusion of cloud infrastructure may leave critical assets untested

Correct. Emphasizing the risk of untested critical assets helps the client understand the scope limitation's impact on overall security assurance.

C

The test can only be performed during off-hours

D

The tester will require VPN access to the corporate network

Why: Option B is correct because the client's exclusion of cloud-based infrastructure and remote branch offices creates a significant gap in the test scope. A penetration test that ignores cloud assets (e.g., AWS, Azure, or SaaS applications) may miss critical vulnerabilities in systems that process or store sensitive financial data, as these are often part of the institution's attack surface. The tester must emphasize that such exclusions can lead to a false sense of security, as attackers frequently target cloud and remote assets due to their accessibility and potential misconfigurations.
Q2 (medium)

A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?

A

Ensuring all testing is performed from a single external IP address

B

Obtaining explicit written authorization from each country's legal department

C

Ensuring compliance with GDPR and data protection laws

GDPR imposes strict rules on handling personal data; the test must be scoped to avoid violations.

D

Restricting testing to non-business hours to minimize impact

Why: Option C is correct because the multinational corporation operates in the European Union, where the General Data Protection Regulation (GDPR) imposes strict requirements on the processing and transfer of personal data. A penetration test that accesses or stores EU residents' personal data must comply with GDPR, including data minimization, lawful processing, and breach notification obligations. Failure to include GDPR compliance in the rules of engagement could result in severe fines (up to 4% of annual global turnover) and legal liability for the tester and client.
Q3 (medium)

During a penetration test of a large e-commerce platform, the client requests additional testing on a newly discovered microservice mid-engagement. The scope defined in the rules of engagement (ROE) explicitly lists all target systems. What should the penetration tester do FIRST?

A

Add the microservice to the test and include it in the final report as an unadvertised finding

B

Decline the request because the microservice was not part of the original scope

C

Inform the client that a scope amendment is needed and pause testing on the microservice until it is approved

This is the correct procedure. Communicating the need for a formal amendment ensures the test remains within authorized bounds and protects both parties.

D

Test the microservice only if it is using the same technology stack as other targets

Why: Option C is correct because the rules of engagement (ROE) are a legally binding document that defines the scope of testing. Adding a new microservice mid-engagement without an approved scope amendment violates the ROE and could lead to legal or contractual issues. The penetration tester must first pause testing on the microservice and formally request a scope amendment to ensure all activities remain authorized.
Q4 (easy)

A penetration testing firm is hired to assess a U.S.-based company that has recently expanded operations to a country with strict data privacy laws (e.g., GDPR-style regulations). Which of the following is the MOST important legal consideration to include in the rules of engagement?

A

The client's headquarters location determines which laws apply

B

Data collected during the test must be stored only within the country of operation and deleted after the engagement

This addresses data sovereignty and privacy requirements common in many jurisdictions, making it a key legal consideration for the ROE.

C

All findings must be reported in the local language of the country of operation

D

The penetration testers must be citizens of the country where the systems reside

Why: Option B is correct because under strict data privacy laws like GDPR, personal data collected during a penetration test must be stored within the jurisdiction where it was obtained and deleted once the engagement is complete. This ensures compliance with data localization and minimization requirements, which are critical legal considerations in the rules of engagement.
Q5 (easy)

A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?

A

The on-premises systems are more critical, so testing them is sufficient.

B

Cloud systems are generally more secure and do not require testing.

C

Limiting the scope to on-premises may result in an incomplete risk picture because cloud systems are part of the attack surface.

Both on-premises and cloud systems contribute to the overall attack surface; excluding one may leave critical vulnerabilities undetected.

D

Testing cloud systems would violate the shared responsibility model.

Why: Option C is correct because the client's hybrid infrastructure means that cloud-based virtual machines are part of the overall attack surface, and limiting the scope to on-premises systems ignores potential attack vectors such as misconfigured cloud APIs, insecure inter-VPC routing, or compromised cloud credentials that could lead to lateral movement into on-premises systems. A penetration test must assess all components that can be exploited to provide a complete risk picture, as cloud systems often serve as entry points or pivot points into the on-premises environment.
Q6 (hard)

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

A

Statement of Work (SOW)

B

List of allowed AWS regions and associated VPC CIDR ranges

This explicitly defines the geographic scope, preventing tests in non-US regions and ensuring compliance with data sovereignty laws.

C

Data Processing Agreement (DPA)

D

Penetration testing methodology document

Why: Option B is correct because the rules of engagement (ROE) must explicitly define the authorized scope to prevent testing outside US-based regions, which could violate data sovereignty laws. Listing allowed AWS regions and their associated VPC CIDR ranges provides a precise technical boundary for the penetration test, ensuring that only in-scope systems are targeted. Without this, the testing team might inadvertently access resources in non-US regions, leading to legal and compliance breaches.


Domain 2: Information Gathering and Vulnerability Scanning

Q1 (medium)

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

A

Enable SYN scan instead of full TCP connect scan

B

Adjust the scan timing template to a slower rate

C

Activate the 'safe checks' option in the scanner

Correct. Safe checks perform non-intrusive testing, minimizing disruption and reducing false positives from exploitation attempts.

D

Increase the port range to include high ports

Why: Option C is correct because the 'safe checks' option in vulnerability scanners (such as Nessus or OpenVAS) disables intrusive plug-ins that attempt to exploit services aggressively, which can cause service crashes. This configuration allows the scanner to identify potential vulnerabilities without disrupting the target service, avoiding misleading findings from crashed services.
Q2 (medium)

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

A

Identifying subdomains through DNS brute-forcing

B

Discovering open ports and services on public IP ranges

Shodan collects banner data from services like HTTP, SSH, FTP, etc., allowing testers to see what is exposed on the internet.

C

Enumerating email addresses from corporate websites

D

Extracting metadata from documents found on the target's website

Why: Shodan is a search engine for internet-connected devices that scans public IP ranges and indexes the banners returned by services. Its primary use in reconnaissance is to discover open ports and running services on target IP ranges, revealing attack surface such as exposed databases, web servers, or industrial control systems. This aligns directly with the information-gathering phase of a penetration test.
Q3 (easy)

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

A

Performing a DNS zone transfer

B

Querying publicly available DNS records

Using public DNS resolvers to retrieve records like A, MX, or CNAME is passive and avoids direct interaction.

C

Using Nmap to scan for DNS servers

D

Sending crafted DNS queries to the target's DNS server

Why: Option B is correct because querying publicly available DNS records (e.g., via passive DNS, WHOIS, or DNSDumpster) allows the tester to gather DNS information without any direct interaction with the target's servers. This technique relies on third-party databases and cached records, so no packets are sent to the target, which is essential for stealth during reconnaissance. It aligns with passive information gathering, as defined in the PT0-002 objectives.
Q4 (medium)

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

A

Performing a zone transfer against the target's DNS servers

B

Searching for the target's SSL certificates in Certificate Transparency logs

Certificate Transparency logs are public and can be queried without contacting the target. They often expose subdomains that may not be publicly listed elsewhere.

C

Using Nmap to scan common ports on the target's public IP range

D

Querying the target's WHOIS records for IP addresses

Why: Certificate Transparency (CT) logs are publicly accessible, append-only ledgers of SSL/TLS certificates. By searching CT logs for certificates issued to the target organization, a penetration tester can discover subdomains, hostnames, and even internal-facing server names that are included in Subject Alternative Names (SANs) or Common Names (CNs). This reveals internal network architecture details (e.g., 'mail.internal.example.com') without any direct interaction with the target's systems, making it a purely passive reconnaissance technique.
Q5 (hard)

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

A

The scanner used an outdated vulnerability database that does not match the application's patches

B

The scanner identified the application version from the HTTP response header, but the vulnerability was already patched in that version

C

The scanner detected a vulnerable library used by the application, but the application's implementation does not expose the vulnerable code path

This is a classic false positive: the scanner sees the library version but cannot determine if the vulnerable functionality is reachable. The tester must manually validate.

D

The scanner performed an exploit attempt that succeeded on a different service on the same host

Why: Option C is correct because vulnerability scanners often identify libraries or components with known CVEs, but they cannot determine whether the application's code actually invokes the vulnerable functions. In this case, the scanner flagged a library with a known vulnerability, but the custom web application's implementation does not expose the vulnerable code path, resulting in a false positive. This is a common limitation of static or version-based detection versus dynamic, context-aware analysis.
Q6 (easy)

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

A

T0 (Paranoid)

T0 uses the slowest timing, ideal for stealth by spacing out packets to avoid IDS thresholds.

B

T1 (Sneaky)

C

T3 (Normal)

D

T5 (Insane)

Why: The T0 (Paranoid) timing template is the most appropriate because it introduces an extremely slow scan rate, sending packets at a rate of no more than one packet every 5 minutes (300 seconds). This slow pace is designed to evade threshold-based intrusion detection systems (IDS) that trigger alerts when they detect a high volume of traffic from a single source within a short time window, making it ideal for stealthy internal reconnaissance.


Domain 3: Attacks and Exploits

Q1 (medium)

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

A

PsExec

B

MS16-075 exploit

C

WinRM

Correct. WinRM is designed for remote management and the account's group membership makes it usable for lateral movement.

D

BloodHound

Why: WinRM (Windows Remote Management) is the most appropriate tool because the tester's service account is a member of the 'Remote Management Users' group on the domain controller, which grants explicit permission to connect via WinRM over HTTP/HTTPS (ports 5985/5986). This allows direct PowerShell remoting or winrs execution for lateral movement without requiring administrative privileges or additional exploits.
Q2 (hard)

During an internal test, a penetration tester discovers a web application that is vulnerable to Server-Side Template Injection (SSTI). The application uses a template engine that does not sandbox user input. Which of the following payloads would be MOST effective to achieve remote code execution on the server?

A

{{7*7}}

B

<script>alert('xss')</script>

C

${7*7}

D

{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

Correct. This payload exploits Python object chaining to execute system commands, achieving remote code execution.

Why: Option D is correct because it exploits Python's object model to access the `os` module via `__class__.__init__.__globals__`, bypassing the template engine's lack of sandboxing. This allows the attacker to execute arbitrary system commands like `id` on the server, achieving remote code execution (RCE). The payload is specific to Jinja2 or similar Python-based template engines that expose built-in objects.
Q3 (hard)

During a penetration test, a tester finds a custom binary that is vulnerable to a stack-based buffer overflow. The binary has DEP enabled but no ASLR. Which of the following exploitation techniques would be MOST effective to achieve code execution?

A

Return-oriented programming (ROP) to bypass DEP

B

Heap spraying to inject shellcode

C

ret2libc to call system() with a controlled argument

ret2libc leverages existing libc functions (like system) at fixed addresses (since no ASLR) to execute commands, bypassing DEP.

D

Stack pivoting to redirect execution to a known location

Why: Option C is correct because ret2libc allows the tester to call the system() function from libc with a controlled argument (e.g., "/bin/sh") to spawn a shell, bypassing DEP (which prevents code execution on the stack) without needing to execute shellcode. Since ASLR is disabled, the address of system() and the string "/bin/sh" in libc are predictable, making this technique reliable and effective.
Q4 (medium)

A penetration tester is testing a web application that has input validation blocking single quotes. The tester wants to perform a SQL injection attack. Which of the following techniques would be MOST effective to bypass the filter?

A

Using URL encoding for the single quote (%27)

B

Using double quotes instead of single quotes

C

Using a second-order SQL injection

D

Using a payload without quotes, such as numeric injection

If the input is used in a numeric context (e.g., WHERE id=5), quoting is not needed, allowing injection without single quotes.

Why: Option D is correct because numeric injection does not require quotes at all, directly bypassing the single-quote filter. When the vulnerable parameter expects a numeric value (e.g., an ID), the tester can inject SQL logic like `OR 1=1` without any quotes, making it the most effective technique against input validation that blocks single quotes.
Q5 (medium)

During a web application test, a penetration tester discovers that the application exposes internal object references (e.g., user ID in a URL) and does not properly authorize access. The tester can view other users' private data by simply changing the ID parameter. Which type of vulnerability does this represent?

A

Cross-Site Request Forgery (CSRF)

B

Insecure Direct Object Reference (IDOR)

Correct. The scenario describes exactly this: direct manipulation of an object reference (user ID) to access other users' data without proper authorization.

C

SQL Injection

D

Cross-Site Scripting (XSS)

Why: The vulnerability is Insecure Direct Object Reference (IDOR) because the application exposes internal object references (e.g., user ID in a URL) and fails to enforce proper authorization checks. By simply changing the ID parameter, the tester can access other users' private data without authentication or permission validation, which is the hallmark of IDOR.
Q6 (hard)

A penetration tester is attempting to exploit a buffer overflow vulnerability in a Linux binary. The binary has Data Execution Prevention (DEP) enabled but Address Space Layout Randomization (ASLR) is disabled. Which exploitation technique would be the MOST effective to achieve code execution?

A

Inject shellcode into the buffer and redirect execution to it

B

Use a ROP chain to call mprotect() to make the stack executable, then jump to shellcode

C

Perform a return-to-libc attack to call system("/bin/sh")

Correct. Return-to-libc bypasses DEP by reusing existing executable code in libc. Without ASLR, addresses are predictable, making this straightforward.

D

Use a heap spray to place shellcode at a known address and then trigger the overflow

Why: With DEP enabled, the stack is non-executable, so injecting shellcode directly into the buffer (Option A) would fail. Since ASLR is disabled, library addresses are fixed, making a return-to-libc attack viable. Option C exploits this by overwriting the return address with the address of system() and placing the string "/bin/sh" in memory, achieving code execution without needing an executable stack.


Domain 4: Reporting and Communication

Q1 (hard)

After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?

A

List the CVSS score and exploitability metrics

B

Describe the attack scenario and potential financial loss

Correct. This explains the real-world consequences in business terms, which is most relevant for an executive summary.

C

Provide the raw log entries showing the exploitation

D

Recommend a specific patch version

Why: Option B is correct because the executive summary must communicate business risk, not technical details. Describing the attack scenario and potential financial loss directly addresses the CISO's need to understand the business impact, such as revenue loss from a data breach or regulatory fines. This aligns with the PT0-002 objective of tailoring reports to the audience, where executives require risk context rather than exploit mechanics.
Q2 (medium)

A penetration tester has completed the test and is preparing the final report. The client requested a risk rating for each vulnerability. Which of the following frameworks is MOST commonly used to standardize vulnerability severity ratings in penetration testing reports?

A

OWASP Top 10

B

CVSS

Correct. CVSS provides a standardized and widely accepted severity score for vulnerabilities.

C

CVE

D

NIST SP 800-115

Why: CVSS (Common Vulnerability Scoring System) is the industry-standard framework for assigning numeric severity scores (0-10) to vulnerabilities based on metrics like attack vector, complexity, and impact. Penetration testers use CVSS scores to provide consistent, quantitative risk ratings that clients can compare across findings. OWASP Top 10 is a list of web application risk categories, not a scoring system, and CVE is a vulnerability identifier database, not a rating framework.
Q3 (medium)

A penetration test report includes a finding about a SQL injection vulnerability in a public-facing web application. Which section of the report would be the MOST appropriate place to provide step-by-step remediation instructions for the development team?

A

Executive Summary

B

Risk Assessment

C

Technical Findings

This section is where remediation steps for each finding should be documented for the development team.

D

Appendices

Why: Option C is correct because the Technical Findings section of a penetration test report is designed to provide detailed, step-by-step remediation instructions for technical audiences, such as the development team. This section includes specific code-level fixes, parameterized query examples, and input validation techniques to address the SQL injection vulnerability, ensuring the team can implement precise changes.
Q4 (hard)

After completing a penetration test, the client's technical team requests the detailed raw data (e.g., scan results, exploit logs, packet captures) used to support the findings. According to best practices, which of the following should the penetration tester do?

A

Include all raw data in the appendices of the final report

B

Provide the raw data in a separate, sanitized deliverable with a data handling agreement

This approach protects confidentiality and allows the client to use the data responsibly.

C

Refuse to provide raw data to protect the confidentiality of the testing process

D

Provide the raw data only if the client signs a non-disclosure agreement

Why: Option B is correct because raw data such as scan results, exploit logs, and packet captures often contain sensitive information like IP addresses, credentials, or system details. Best practices (e.g., PTES, NIST SP 800-115) dictate that raw data should be provided in a separate, sanitized deliverable accompanied by a data handling agreement to ensure confidentiality and proper data governance, rather than embedding it directly in the final report.
Q5 (easy)

A penetration tester is preparing the executive summary for a report. Which of the following metrics would be MOST valuable to include for non-technical stakeholders to understand the overall security posture?

A

A list of all tools used during the penetration test

B

The total number of vulnerabilities discovered and their average CVSS score

C

The number of critical and high-risk findings along with the average time to exploit them

This gives executives a clear, non-technical view of the most pressing issues and how quickly an attacker could take advantage of them.

D

A detailed step-by-step exploitation walkthrough of one critical vulnerability

Why: Option C is correct because non-technical stakeholders (e.g., executives) need a high-level, risk-focused summary that communicates the severity and urgency of findings. The number of critical/high-risk findings directly indicates the most dangerous exposures, and the average time to exploit them conveys how quickly an attacker could compromise the environment. This metric translates technical risk into business impact, which is the core goal of an executive summary.
Q6 (medium)

After a penetration test, the client's development team requests that the report include specific, actionable remediation steps for each vulnerability. Where in the report should this information be placed?

A

In the executive summary to emphasize the need for fixing vulnerabilities

B

In the appendix as a separate remediation checklist

C

Within the technical report section, under each vulnerability finding

Correct. Each vulnerability finding should include a remediation subsection that provides clear, actionable steps for the responsible team.

D

In a separate document attached to the report to avoid cluttering the main report

Why: The correct placement for specific, actionable remediation steps is within the technical report section under each vulnerability finding. This aligns with industry best practices (e.g., PTES, OWASP) where each finding includes a description, risk rating, and a dedicated remediation subsection, ensuring developers have immediate context and clear steps without cross-referencing other sections.


Domain 5: Tools and Code Analysis

Q1 (medium)

A penetration tester wrote a Python script to automate HTTP request fuzzing. The script uses the 'requests' library to send payloads and checks for reflected content in the response. The tester wants to analyze the script for potential improvements. Which of the following code changes would MOST directly reduce false positives in detecting reflection?

A

Convert the response to lowercase before checking for reflection

Correct. Case-insensitive matching reduces false positives caused by case differences in the reflected content.

B

Add a random delay between requests

C

Remove the User-Agent header from requests

D

Use a session object to maintain cookies

Why: Option A directly reduces false positives by normalizing the case of the response before checking for reflected content. HTTP responses may contain the payload in different cases (e.g., 'Test' vs 'test'), and without case-insensitive matching, the script would miss reflections that differ only in case, incorrectly reporting a false negative. Converting to lowercase ensures that any case variation of the reflected payload is detected, thereby reducing false positives from case-sensitive mismatches.
Q2 (medium)

A penetration tester is analyzing a PowerShell script used for post-exploitation on a Windows domain. The script contains the following line: `Invoke-Command -ComputerName $target -ScriptBlock { get-process -Name "explorer" }`. What is the primary purpose of this command?

A

To start the Explorer process on a remote system

B

To check if a user is logged in on the remote system

The presence of explorer.exe is a strong indicator of an interactive user session.

C

To enumerate running processes on the remote system

D

To execute a script block locally on the remote system

Why: The `Get-Process -Name 'explorer'` command retrieves the Explorer process, which runs only when a user is interactively logged into the Windows desktop. If the command returns a process object, it confirms a user session is active on the remote system. This is a common post-exploitation technique to verify user presence before executing further actions like keylogging or token theft.
Q3 (easy)

A penetration tester wants to identify live hosts on a large internal network. Which Nmap option would be the FASTEST for initial host discovery?

A

-sV (Version detection)

B

-sS (SYN stealth scan)

C

-sn (Ping sweep)

The -sn option uses minimal probes to determine host availability and is the fastest method for host discovery.

D

-A (Aggressive scan)

Why: The -sn option performs a ping sweep, sending ICMP echo requests, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp requests by default. It does not perform port scanning, making it the fastest method for initial host discovery on a large internal network because it only checks for host availability without enumerating services.
Q4 · medium

A penetration tester writes a Python script to test an API for vulnerabilities. The script sends requests with multiple payloads and checks if the response contains an error message indicating a potential injection. Which of the following code snippets would BEST reduce false positives by verifying that the injected parameter is processed?

A

Check if the response status code is 500 for each payload

B

Compare the response time of the injected request to a baseline without injection

C

Check if the response contains a specific error message that is only triggered when the injection is successful

D

Compare the response of the injected request to the response of a benign request with the same parameter structure

Correct. By comparing responses, the tester can confirm that the injection causes a different behavior than a normal request, reducing false positives.

Why: Option D is correct because comparing the response of an injected request to a benign request with the same parameter structure directly confirms that the injected parameter was processed and caused a different application behavior, thereby reducing false positives. This technique, often called differential analysis, isolates the effect of the injection from normal variations in the API response, such as dynamic content or session tokens. It is more reliable than checking for specific error messages or status codes, which may be suppressed or generic.
Q5 · medium

A penetration tester is reviewing a Python script that uses the `requests` library to send HTTP POST requests to a login endpoint. The script attempts to bypass authentication by sending SQL injection payloads in the username field. Which of the following code changes would MOST effectively help the tester identify successful injections by reducing false negatives?

A

Using a `requests.Session` object to maintain cookies across requests

B

Parsing the response for specific error messages such as 'SQL syntax' or 'mysql_fetch_array'

This allows the script to confirm that the injection payload was processed by the database, reducing false negatives.

C

Implementing a random delay between requests to avoid rate limiting

D

Adding a function to automatically resend each payload multiple times

Why: Option B is correct because parsing the HTTP response for database-specific error messages (e.g., 'SQL syntax', 'mysql_fetch_array') directly indicates that the SQL injection payload triggered a detectable database error, confirming a successful injection. This reduces false negatives by catching cases where the login fails but the injection still executes, rather than relying solely on authentication bypass (which may not occur if the injection is blind or the query structure differs).
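The two detection signals from the previous two questions side by side, as an added example that is not part of the original question set: a differential comparison that masks volatile content (CSRF values, timestamps, session ids) before diffing, plus a scan for database error signatures. The signature list and the sample responses are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Database error signatures (the strings from option B plus a few well-known ones).
DB_ERROR_SIGNATURES = {
    "mysql": re.compile(r"SQL syntax|mysql_fetch_array|mysqli?_", re.I),
    "postgresql": re.compile(r"pg_query|unterminated quoted string", re.I),
    "mssql": re.compile(r"Unclosed quotation mark|ODBC SQL Server Driver", re.I),
    "oracle": re.compile(r"ORA-\d{5}"),
}

# Content that changes between any two responses and must be masked before diffing.
VOLATILE = [
    (re.compile(r'name="csrf_token" value="[^"]*"'), 'name="csrf_token" value="X"'),
    (re.compile(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}"), "TIMESTAMP"),
    (re.compile(r"sessionid=[A-Za-z0-9]+"), "sessionid=X"),
]


def normalize(body: str) -> str:
    """Replace session tokens, CSRF values and timestamps with fixed placeholders."""
    for pattern, replacement in VOLATILE:
        body = pattern.sub(replacement, body)
    return body


def db_error(body: str):
    """Name the DBMS whose error text appears in the body, or None."""
    for dbms, pattern in DB_ERROR_SIGNATURES.items():
        if pattern.search(body):
            return dbms
    return None


def classify(baseline: str, injected: str, threshold: float = 0.98) -> dict:
    """Differential analysis (option D above) combined with error parsing (option B)."""
    ratio = SequenceMatcher(None, normalize(baseline), normalize(injected)).ratio()
    return {"similarity": round(ratio, 3), "differs": ratio < threshold,
            "db_error": db_error(injected)}


# Constructed sample responses, not captured from any real application.
BASELINE = ('<form><input name="csrf_token" value="a1b2c3"></form>'
            '<p>Welcome back, guest. Server time 2024-01-01 10:00:00</p>')
SAME_AS_BASELINE = ('<form><input name="csrf_token" value="z9y8x7"></form>'
                    '<p>Welcome back, guest. Server time 2024-01-01 10:00:05</p>')
ERROR_PAGE = ('<form><input name="csrf_token" value="q1w2e3"></form>'
              '<p>You have an error in your SQL syntax; check the manual</p>')
```

Without the masking step, the token and timestamp alone would make every pair of responses "differ", which is the false-positive source the Q4 explanation describes.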
Q6 · medium

A penetration tester writes a Python script to test for directory traversal vulnerabilities in a web application. The script uses the requests library to send a payload like '../../etc/passwd' and checks if the response contains the string 'root:'. However, the tester notices many false negatives because the application requires URL encoding of the dots and slashes. Which code modification would BEST improve the detection rate?

A

Increase the number of payloads in the list

B

URL-encode the payload using `urllib.parse.quote()`

Proper URL encoding ensures the payload is correctly interpreted by the server, matching common attack vectors.

C

Check the HTTP status code instead of response content

D

Use raw sockets to send HTTP requests manually

Why: Option B is correct because the penetration tester's script is failing to detect directory traversal vulnerabilities due to the web application requiring URL-encoded characters. By using `urllib.parse.quote()` to URL-encode the dots and slashes in the payload (e.g., `%2e%2e%2f` for `../`), the request matches the application's expected input format, reducing false negatives. This directly addresses the root cause—encoding—rather than adding more payloads or changing the detection method.
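An added example of the encoding step and the detection check, not code from the question set. One caveat a practitioner needs: `urllib.parse.quote()` never encodes `.` (an unreserved character) and, with its default `safe='/'`, leaves `/` alone as well, so producing the `%2e%2e%2f` form quoted in the explanation needs `safe=''` for the slashes and a small custom encoder for the dots; both are shown, and the sample response body is constructed.

```python
import re
from urllib.parse import quote

TRAVERSAL = "../../etc/passwd"  # the payload quoted in the question

# Constructed sample response body (not from a real host).
SAMPLE_PASSWD_BODY = ("root:x:0:0:root:/root:/bin/bash\n"
                      "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n")


def encode_dots_and_slashes(payload: str) -> str:
    """Percent-encode only '.' and '/', giving the %2e%2e%2f form from the
    explanation; quote() alone cannot produce this because '.' is unreserved."""
    return "".join(f"%{ord(c):02x}" if c in "./" else c for c in payload)


def encoded_variants(payload: str) -> dict:
    """The encodings a tester compares when the target expects URL-encoded input."""
    return {
        "raw": payload,
        "quote_default": quote(payload),              # safe='/' by default: unchanged
        "quote_safe_empty": quote(payload, safe=""),  # slashes -> %2F, dots untouched
        "dots_and_slashes": encode_dots_and_slashes(payload),
    }


def passwd_disclosed(body: str) -> bool:
    """Tighter version of the 'root:' check: require a real passwd record at the
    start of a line, so a page that merely mentions 'root:' is not a hit."""
    return re.search(r"^root:[^:\n]*:0:0:", body, re.MULTILINE) is not None
```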


Frequently asked questions

How many questions are on the PT0-002 exam?

The PT0-002 exam has 85 questions and must be completed in 165 minutes. The passing score is 750/1000.

What types of questions appear on the PT0-002 exam?

Multiple-choice and performance-based questions covering IT security, networking, and operations. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are PT0-002 questions organised by domain?

The exam covers 5 domains: Planning and Scoping, Information Gathering and Vulnerability Scanning, Attacks and Exploits, Reporting and Communication, Tools and Code Analysis. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual PT0-002 exam questions?

No. These are original exam-style practice questions written against the official CompTIA PT0-002 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
