© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Objective 1.0

Planning and Scoping

PT0-002 Practice Questions

Use this page to practise Planning and Scoping questions for this certification. Focus on how the exam tests planning and scoping in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

What this objective tests

PT0-002 Planning and Scoping — Key Topics

Planning and Scoping questions on this certification test your ability to deploy and manage planning and scoping concepts in scenario-based situations.

  • Core Planning and Scoping concepts and how they apply in real-world cloud scenarios.
  • How to deploy planning and scoping correctly and verify the outcome.
  • Troubleshooting planning and scoping issues by interpreting error output and system state.
  • Cloud best practices and Planning and Scoping design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Planning and Scoping

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

PT0-002 Planning and Scoping — Practice Questions

30 questions from this objective

Question 2 (medium, multiple choice)

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

Question 3 (medium, multiple choice)

A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?

Question 4 (medium, multiple choice)

During a penetration test of a large e-commerce platform, the client requests additional testing on a newly discovered microservice mid-engagement. The scope defined in the rules of engagement (ROE) explicitly lists all target systems. What should the penetration tester do FIRST?

Question 5 (easy, multiple choice)

A penetration testing firm is hired to assess a U.S.-based company that has recently expanded operations to a country with strict data privacy laws (e.g., GDPR-style regulations). Which of the following is the MOST important legal consideration to include in the rules of engagement?

Question 6 (easy, multiple choice)

A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?

Question 7 (hard, multiple choice)

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

Question 8 (medium, multiple choice)

A penetration testing firm is hired to assess a client's network that includes both internal servers and external cloud-based services. The client wants to test only the internal network due to compliance concerns about testing cloud infrastructure. Which of the following should the penetration tester MOST strongly emphasize during the scoping meeting?

Question 9 (medium, multiple choice)

A penetration testing firm is hired to perform a test on a multinational company that has offices in Europe and North America. The client wants to test all systems including those in the European office, which is subject to GDPR. Which of the following is the MOST important legal consideration to include in the rules of engagement?

Question 10 (easy, multiple choice)

A client requests a penetration test that simulates an external attacker with no prior knowledge of the internal network. The tester is not provided with any credentials, network diagrams, or source code. Which type of test does this describe?

Question 11 (medium, multiple choice)

A penetration testing firm is scoping a test for a client that uses a hybrid infrastructure with both on-premises servers and cloud-based services (IaaS). The client specifies that only the cloud environment should be tested this year. Which concept is MOST important for the tester to discuss during the scoping meeting to avoid testing out-of-scope assets?

Question 12 (medium, multiple choice)

A penetration testing firm is hired to assess a client's hybrid infrastructure with on-premises and cloud servers in multiple regions. The client specifies testing only the on-premises systems due to budget and compliance. Which of the following should the tester emphasize in the rules of engagement (ROE)?

Question 13 (easy, multiple choice)

A penetration testing firm is hired to assess the security of a small business's web application. The client has explicitly stated that they do not want any testing that could cause a denial of service. Which section of the rules of engagement should specify this restriction?

Question 14 (medium, multiple choice)

A client with a hybrid on-premises and cloud infrastructure requests a penetration test. The client uses an IaaS provider for some servers. Which of the following is the MOST important aspect to clarify in the rules of engagement regarding the cloud environment?

Question 15 (easy, multiple choice)

A small business hires a penetration tester to assess the security of their network. The owner is concerned about employee data breaches and wants to ensure compliance with industry regulations. Which of the following is the MOST critical document to establish before the test begins?

Question 16 (medium, multiple choice)

A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?

Question 17 (easy, multiple choice)

A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?

Question 18 (medium, multiple choice)

A client with a hybrid infrastructure (on-premises and cloud IaaS) requests a penetration test covering both environments. The cloud provider's terms of service require notification and restrict scanning to specific IP ranges. In which document should these constraints be documented?

Question 19 (medium, multiple choice)

A client hires a penetration testing firm to assess a web application. The client uses a third-party content delivery network (CDN) for static assets and explicitly wants to exclude the CDN infrastructure from testing. In which document should this restriction be formally documented?

Question 20 (medium, multiple choice)

A penetration testing firm has been hired to test the internal network of a large enterprise. During the scoping meeting, the client states that they want to include all IP ranges, including those used by the HR department's sensitive systems. The tester should recommend which of the following to minimize business impact and avoid disruption?

Question 21 (medium, multiple choice)

A client wants to test a web application that uses multiple third-party APIs for payment processing, shipping, and customer relationship management. The client states that the APIs are critical for operations but cannot be taken offline. Which scoping consideration is most important to include in the rules of engagement?

Question 22 (hard, multiple choice)

A penetration testing firm is hired to assess a healthcare organization's network. The client has strict regulatory requirements (HIPAA) and wants to ensure that all patient data is protected during testing. Which scoping document should specify the data handling procedures and the destruction of any collected sensitive information?

Question 23 (medium, multiple choice)

A client wants to test a web application that uses a third-party payment gateway. The client explicitly wants the payment gateway to be excluded from the test to avoid service disruption. Where should this exclusion be formally documented?

Question 24 (medium, multiple choice)

A client hires a penetration testing firm to assess a web application that integrates with a third-party API for payment processing. The client wants to include the API endpoint in the test scope. What should the penetration tester do FIRST to ensure the test is conducted ethically and legally?

Question 25 (easy, multiple choice)

A penetration testing firm is contracted to test a multi-tenant SaaS application. During scoping, the client needs to ensure that testing does not affect other tenants' data. Which scoping control is most important to implement?

Question 26 (easy, multiple choice)

A penetration tester is scoping an engagement for a client that hosts a public-facing web application and an internal database server. The client wants to ensure that testing does not cause any disruption to the database server. Which of the following should the tester include in the rules of engagement to address this concern?

Question 27 (medium, multiple choice)

A client requests a penetration test that includes an API endpoint hosted by a third-party vendor. The client does not have a signed agreement with the vendor for testing. What is the most appropriate action for the tester?

Question 28 (medium, multiple choice)

A penetration tester is hired to assess a web application that integrates with a third-party payment API. The client wants the API included in the test but does not have a signed agreement with the vendor. What is the most appropriate action for the tester?

Question 29 (easy, multiple choice)

A client asks a penetration tester to perform a test on an e-commerce website. The website experiences high traffic during weekdays and major sales events. To minimize business disruption, when should the tester schedule the active scanning and exploitation activities?

Question 30 (easy, multiple choice)

A client requests a penetration test of their web application, but they want to exclude all third-party APIs from the scope. Where should this exclusion be documented?

Question 31 (medium, multiple choice)

A penetration testing firm is contracted to test a cloud-based infrastructure. The client uses a shared responsibility model. Which of the following should be clarified in the rules of engagement to avoid legal issues?

More Planning and Scoping questions available in the full practice test.

All PT0-002 Objectives

  • 1. Planning and Scoping
  • 2. Information Gathering and Vulnerability Scanning
  • 3. Attacks and Exploits
  • 4. Reporting and Communication
  • 5. Tools and Code Analysis