Free — No Signup Required · CompTIA · Updated 2026

PT0-002 Flashcards — Free CompTIA PenTest+ PT0-002 Study Cards

Reinforce PT0-002 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

300+ study cards · 5 domains covered · Active recall method · Full explanations included

How to use PT0-002 flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For PT0-002 preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the PT0-002 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your PT0-002 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real PT0-002 exam requires.

Short sessions beat marathon reviews

20–30 flashcards per session, done daily, produce better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass PT0-002.

PT0-002 flashcard preview

Sample cards from the PT0-002 flashcard bank. Read the question, think of the answer, then read the explanation below.

1

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

Planning and Scoping

The exclusion of cloud infrastructure may leave critical assets untested

The exclusion of cloud and remote systems represents a significant gap in coverage. The tester should highlight that critical assets may remain untested, potentially giving a false sense of security.

2

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

Information Gathering and Vulnerability Scanning

Activate the 'safe checks' option in the scanner

Enabling the 'safe checks' option configures the scanner to use non-intrusive test methods that identify vulnerabilities without attempting exploitation, thus reducing the risk of crashing services and producing false positives from aggressive behavior.

3

A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?

Attacks and Exploits

WinRM

WinRM (Windows Remote Management) allows remote command execution and is typically enabled on domain controllers. Membership in the 'Remote Management Users' group grants the required permissions to use WinRM for lateral movement.

4

After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?

Reporting and Communication

Describe the attack scenario and potential financial loss

Executive summaries should focus on business impact. Describing the attack scenario and potential financial loss directly addresses the CISO's need to understand risk in business terms.

5

A penetration tester wrote a Python script to automate HTTP request fuzzing. The script uses the 'requests' library to send payloads and checks for reflected content in the response. The tester wants to analyze the script for potential improvements. Which of the following code changes would MOST directly reduce false positives in detecting reflection?

Tools and Code Analysis

Convert the response to lowercase before checking for reflection

Converting both the response and the payload to lowercase before comparing eliminates case-sensitivity issues, which are a common cause of false negatives and false positives when checking for reflected content.

6

A penetration tester is writing the executive summary for a report. The client's CEO needs to understand the business impact of a critical SQL injection vulnerability. Which of the following should the tester include?

The potential for data breach and financial loss

The executive summary should communicate risks in business terms, such as potential data breaches and financial loss, rather than technical details. This helps non-technical stakeholders grasp the severity and urgency.

7

A penetration tester has gained a low-privileged shell on a Linux server. During enumeration, the tester discovers a binary with the SUID bit set that belongs to root and is known to have a buffer overflow vulnerability. What is the MOST effective next step to escalate privileges?

Develop and execute a buffer overflow exploit against the binary to gain a root shell

Since the binary is SUID root, exploiting the buffer overflow will execute code with root privileges. The tester should craft an exploit that leverages the vulnerability to spawn a root shell or execute commands as root, thereby escalating privileges.

8

A penetration tester has obtained a TGT from a domain controller by cracking the krbtgt hash. Which attack can the tester now perform to gain persistent administrative access to any resource in the domain?

Golden Ticket

The krbtgt account hash is used to sign all Kerberos ticket-granting tickets (TGTs). By cracking this hash, an attacker can forge arbitrary TGTs, enabling a Golden Ticket attack that grants domain admin-level access to any resource.

9

A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

A high-level overview of the most critical vulnerabilities and their potential business impact.

The executive summary is intended for non-technical stakeholders such as executives. It should provide a high-level overview of the security posture, focusing on business risks and critical vulnerabilities. Technical details like exploit steps or command outputs are better placed in the technical report.

10

A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?

A high-level summary of the overall risk and key findings

The executive summary is intended for stakeholders like executives and managers who need a high-level understanding of the test results. Including a concise summary of the overall risk and key findings enables this audience to grasp the security posture without overwhelming technical detail.

11

A penetration tester is writing the executive summary of a report for a client. The client's executive team needs to understand the overall risk posture. Which of the following should be included in the executive summary?

A high-level overview of the test's objectives, scope, and key findings with business impact

The executive summary is intended for non-technical leadership stakeholders. It should provide a concise overview of the engagement's goals, scope, and key findings, along with their business impact. Detailed technical steps, CVSS scores, and raw data belong in the technical report sections.

12

A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?

Request written permission from the payment processor

Including a third-party service in a penetration test requires explicit authorization from that third party. Without permission, testing could violate laws and terms of service. The tester must first obtain written permission from the payment processor before proceeding.

13

A penetration tester is analyzing a Bash script that uses the tool 'curl' to send HTTP requests. The script contains the following line: `curl -X POST -d "username=admin&password[$ne]=a" http://target/login`. Which type of attack is this script most likely attempting?

NoSQL Injection

The payload uses the $ne (not equal) operator with square brackets, which is a strong indicator of a NoSQL injection attack targeting MongoDB. This technique attempts to bypass authentication by making the password condition always true. SQL injection would use different syntax such as ' OR 1=1 --.

14

A penetration tester is analyzing a Bash script used for post-exploitation enumeration. The script contains the line: `cat /etc/shadow | awk -F: '{print $1, $2}'`. What is the primary purpose of this command?

Display all usernames and their associated password hashes

The /etc/shadow file stores user password hashes. The awk command prints the first field (username) and second field (password hash), allowing the tester to extract credentials for offline cracking.

15

A penetration tester is analyzing a PowerShell script that contains the following code: `Get-WmiObject -Class Win32_Service | Where-Object {$_.PathName -like "* *"} | Select-Object Name, PathName, State`. What is the primary purpose of this script?

List services that have unquoted paths in their binary path

The filter -like '* *' matches service binary paths that contain a space, which is a common indicator of an unquoted service path vulnerability. This vulnerability can be exploited for privilege escalation if a user can write to a directory in the path.

16

A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?

Technical Findings

The Technical Findings section (also called Detailed Findings) provides a full description of each vulnerability, including root cause, proof-of-concept (exploit steps), impact, and remediation. The Executive Summary is high-level, the Methodology section describes the overall approach, and the Risk Rating Appendix only provides severity scores.

17

A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?

Provide a step-by-step guide including commands, patches, and configuration changes

Actionable remediation means providing specific steps that the client can follow. This includes exact commands, patches, and configuration changes. Vague recommendations like 'upgrade to the latest version' leave ambiguity and may not be sufficient.

18

A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?

Exclude the cloud provider's assets from the scope and update the rules of engagement

Testing assets without explicit authorization from the owner is illegal and unethical. The scope must be limited to assets that the client has permission to test. Updating the rules of engagement clarifies boundaries. Testing even client-facing parts without permission is unauthorized. Having the client sign a waiver does not grant permission from the provider.

19

A client wants to perform a penetration test on a new web application that is still in development. The application is not yet connected to the internet. Which of the following is the most appropriate scope for this test?

Web application vulnerability assessment

Since the application is not exposed to the internet and is in development, the most relevant test is a web application vulnerability assessment. This focuses specifically on the application's code and logic without requiring external network access. An external network test would be irrelevant, and a social engineering test is not applicable here.

20

A client requests a penetration test of a new mobile application that is still in development and only accessible on a test server behind the corporate VPN. The tester should include which of the following in the scope?

Only the test server and the mobile application client

The scope should be limited to the test server and the mobile application client, as that is the target of the test. Production servers (A) are not relevant yet. The corporate VPN infrastructure (C) is a means to access the target but not part of the scope unless specifically included. Third-party APIs (D) may be out of scope without prior authorization.

21

A penetration tester has compromised a host and wants to move laterally to a server using pass-the-hash. Which of the following is required for a successful pass-the-hash attack against a Windows target?

The target must have the same local admin password hash

Pass-the-hash works by using the NTLM hash of a local account. For lateral movement, the target machine must have the same local admin password hash as the source machine (or the same credentials). SMB signing (A) prevents relay attacks, but pass-the-hash still works if signing is not required. Machine account hash (D) is for machine authentication, not user-level access.

22

A penetration tester has obtained the NTLM hash of a local administrator account on a Windows domain-joined system. The tester wants to use this hash to authenticate to another system on the network and execute commands remotely. Which tool is commonly used for pass-the-hash attacks to achieve remote code execution?

Impacket's wmiexec.py

Impacket's wmiexec.py allows remote command execution using Windows Management Instrumentation (WMI) with an NTLM hash, without requiring a clear-text password. PsExec can also be used but requires the hash to be passed via other means. Hydra is an online brute-forcer, and Sqlmap is for SQL injection.

23

A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?

Advise the client to inform the MSSP about the scheduled test and coordinate a maintenance window or exclusion list

Penetration testers must ensure that all relevant parties are aware of testing to avoid false alarms and legal issues. If the MSSP is not informed, they may treat test traffic as malicious and cause unnecessary incident response actions, potentially harming the relationship. The best practice is to include the MSSP in the scoping process or at minimum ensure that the client coordinates with them.

PT0-002 flashcards by domain

The PT0-002 flashcard bank covers all 5 official blueprint domains published by CompTIA. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

Planning and Scoping


Information Gathering and Vulnerability Scanning


Attacks and Exploits


Reporting and Communication


Tools and Code Analysis


Flashcards vs practice tests: which is better for PT0-002?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that PT0-002 questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina. PT0-002 questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective PT0-002 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

PT0-002 flashcards — frequently asked questions

Are the PT0-002 flashcards free?

Yes — all PT0-002 flashcards on Courseiva are completely free, no account required. Every card includes the question, correct answer, and a full explanation. Create a free account to track which cards you have studied and get spaced repetition recommendations.

How many PT0-002 flashcards are on Courseiva?

Courseiva has 300+ original PT0-002 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official CompTIA exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official PT0-002 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use PT0-002 flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating a free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
