
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PT0-002 Reporting and Communication • Complete Question Bank

PT0-002 Reporting and Communication — All Questions With Answers

Complete PT0-002 Reporting and Communication question bank — all 0 questions with answers and detailed explanations.

69 questions • Free • No signup
Question 1 • medium • multiple choice

During a penetration test, a penetration tester discovers a critical vulnerability that allows unauthenticated remote code execution on a public-facing web server. According to best practices for communication during a penetration test, what should the tester do next?

Question 2 • easy • multiple choice

When writing the executive summary of a penetration test report, which of the following is the most appropriate language to use?

Question 3 • hard • multiple choice

A penetration tester is preparing a remediation recommendation for a SQL injection vulnerability found in a legacy application. The development team cannot immediately update the framework due to compatibility issues. What should the tester recommend as a compensating control?

Question 4 • medium • multiple choice

A penetration tester is calculating the severity of a vulnerability using the DREAD model. Which of the following factors is assessed under the 'Damage' category?

Question 5 • easy • multiple choice

In a penetration test report, which section should contain detailed technical information such as affected systems, proof-of-concept code, and remediation steps?

Question 6 • medium • multiple choice

During a penetration test, the tester discovers evidence of an ongoing cyber attack by an external threat actor on the client's network. What is the tester's responsibility?

Question 7 • hard • multiple choice

A penetration tester is presenting findings to a mixed audience of technical staff and executives. The executives seem confused about the risk ratings. How should the tester adjust the presentation?

Question 8 • medium • multiple choice

A penetration tester is prioritizing remediation recommendations in a report. Which of the following should be considered first?

Question 9 • medium • multiple choice

In a penetration test report, the tester includes a screenshot of a successful exploit. What metadata should the screenshot include to ensure proper evidence documentation?

Question 10 • easy • multiple choice

Which of the following is an example of a responsible remediation recommendation?

Question 11 • hard • multiple choice

A penetration tester uses the CVSS base score to rate a vulnerability. The tester finds that the vulnerability has a high CVSS score but the affected system is isolated from the internet and has no sensitive data. Which approach should the tester take when assigning an overall severity rating?

Question 12 • medium • multiple choice

A client requests that the penetration test report include raw output from the scanning tools used. Where should this output be placed in the report?

Question 13 • medium • multi select

A penetration tester is preparing to present findings to the client's technical team. Which TWO practices are most effective for this audience?

Question 14 • hard • multi select

During a penetration test, the tester encounters a situation where the scope of the test is ambiguous. Which TWO actions should the tester take to clarify the situation?

Question 15 • easy • multi select

Which THREE items are typically included in the appendices of a penetration test report?

Question 16 • easy • multiple choice

A penetration tester discovers a critical vulnerability on a client's web server and wants to communicate it immediately. Which of the following is the most appropriate action?

Question 17 • easy • multiple choice

Which section of a penetration testing report should provide a high-level overview of the test results using business language and strategic recommendations?

Question 18 • medium • multiple choice

During a penetration test, a tester discovers evidence of an ongoing live exploitation by an unknown third party. Which of the following should the tester do first?

Question 19 • medium • multiple choice

A penetration tester is writing a report and needs to assign a severity rating to a vulnerability that has a CVSS base score of 7.5. According to CVSS v3.1, which severity level does this score correspond to?

Question 20 • hard • multiple choice

A penetration tester is evaluating vulnerabilities using the DREAD model. For a specific vulnerability, the tester assigns the following scores: Damage=8, Reproducibility=7, Exploitability=9, Affected users=6, Discoverability=5. Which of the following is the overall DREAD risk rating?

Question 21 • easy • multiple choice

Which of the following is the most appropriate evidence to include in a penetration testing report for a SQL injection vulnerability?

Question 22 • medium • multiple choice

A penetration tester needs to provide remediation recommendations for a critical vulnerability found on a web server. Which of the following is the most appropriate recommendation?

Question 23 • medium • multiple choice

During a penetration test, a client asks the tester to clarify the scope of the test. Which of the following is the best approach for the tester?

Question 24 • hard • multiple choice

A penetration tester is presenting findings to a group of executives. Which of the following is the most effective way to communicate a critical vulnerability?

Question 25 • medium • multiple choice

A penetration tester is preparing a report and wants to include proof-of-concept code to demonstrate a vulnerability. Which of the following is the best practice for including such code?

Question 26 • hard • multiple choice

A penetration tester receives pushback from a client's technical team regarding a finding, claiming it is not exploitable. Which of the following is the best response?

Question 27 • easy • multiple choice

Which of the following is an example of a custom severity rating based on business context?

Question 28 • medium • multi select

A penetration tester is writing a report and wants to prioritize remediation recommendations. Which TWO factors should the tester consider when prioritizing? (Choose TWO.)

Question 29 • hard • multi select

A penetration tester is presenting findings to a mixed audience of technical staff and executives. Which THREE of the following should the tester do to effectively communicate to both groups? (Choose THREE.)

Question 30 • medium • multi select

A penetration tester discovers a vulnerability that cannot be immediately remediated. Which TWO compensating controls should the tester recommend? (Choose TWO.)

Question 31 • easy • multiple choice

Which of the following is the primary audience for the executive summary of a penetration test report?

Question 32 • medium • multiple choice

During a penetration test, a penetration tester discovers a critical vulnerability that could allow an attacker to gain administrative access to the client's payment processing server. According to best practices, what should the tester do?

Question 33 • hard • multiple choice

A penetration tester uses the DREAD model to assess a vulnerability. The tester assigns the following scores: Damage=8, Reproducibility=10, Exploitability=9, Affected users=7, Discoverability=6. What is the overall DREAD risk rating?

Question 34 • easy • multiple choice

Which section of a penetration test report contains detailed technical information such as the vulnerability description, evidence, affected systems, and remediation steps?

Question 35 • medium • multiple choice

A penetration tester is writing a report and wants to provide a remediation recommendation for an outdated Apache server. Which of the following is the most specific and actionable recommendation?

Question 36 • hard • multiple choice

During a penetration test, a tester discovers evidence of an ongoing data exfiltration attack by an unknown third party. Which of the following should the tester do first?

Question 37 • medium • multiple choice

A penetration tester is presenting findings to a mixed audience of executives and technical staff. For the executives, the tester should focus on:

Question 38 • easy • multiple choice

Which of the following is the correct CVSS metric that describes the level of access an attacker needs to exploit a vulnerability?

Question 39 • medium • multiple choice

A penetration tester has completed the test and is preparing the final report. The client asks the tester to include a section that describes the scope, methodology, and tools used. In which section should this information be placed?

Question 40 • hard • multiple choice

A penetration tester uses a custom severity rating based on business context. The tester determines the likelihood of exploitation is high and the business impact is low. According to a standard risk matrix, what should the overall severity be?

Question 41 • medium • multiple choice

A penetration tester is documenting evidence for a finding. Which of the following is the least appropriate type of evidence to include?

Question 42 • easy • multiple choice

When a client disagrees with a finding's severity rating, what is the best approach for the penetration tester?

Question 43 • medium • multi select

A penetration tester is creating a report and needs to include evidence of a cross-site scripting vulnerability. Which TWO of the following are appropriate types of evidence? (Choose two.)

Question 44 • hard • multi select

During a penetration test, the tester discovers a critical SQL injection vulnerability. The client cannot deploy the full fix (parameterized queries) immediately due to legacy code. Which THREE actions should the tester recommend as compensating controls? (Choose three.)

Question 45 • medium • multi select

A penetration tester is preparing the executive summary. Which THREE elements should be included? (Choose three.)

Question 46 • easy • multiple choice

A penetration tester is writing a report and needs to assign a severity rating to a vulnerability. Which of the following scoring systems is specifically designed to consider Damage, Reproducibility, Exploitability, Affected users, and Discoverability?

Question 47 • medium • multiple choice

During a penetration test, a tester discovers a critical vulnerability that could allow remote code execution on an internet-facing server. According to best practices, what is the most appropriate immediate action?

Question 48 • hard • multiple choice

A penetration tester is compiling evidence for a critical-severity SQL injection vulnerability. Which of the following is the most important piece of evidence to include in the report to demonstrate exploitability while remaining responsible?

Question 49 • medium • multiple choice

A penetration tester is writing the executive summary of a report. Which of the following best describes the appropriate language and content for this section?

Question 50 • medium • multiple choice

A penetration tester is recommending remediation for a critical vulnerability. Which of the following is the best example of a specific, actionable remediation step?

Question 51 • medium • multiple choice

A penetration tester is presenting findings to a group of IT administrators. One administrator questions the validity of a finding, claiming it is not exploitable. How should the tester respond?

Question 52 • hard • multiple choice

During a penetration test, the tester discovers evidence of an ongoing ransomware attack on the client's network. Which of the following is the most appropriate action?

Question 53 • easy • multiple choice

Which section of a penetration testing report should include screenshots, affected systems, and remediation steps?

Question 54 • medium • multiple choice

A penetration tester is prioritizing remediation recommendations. Which approach is most aligned with industry best practices?

Question 55 • hard • multiple choice

A penetration tester is writing a report and needs to assign a custom severity rating for a vulnerability that has high business impact but low likelihood of exploitation. Using a custom severity based on business context (impact + likelihood), which rating is most appropriate?

Question 56 • easy • multiple choice

Which of the following should be included in the appendix section of a penetration testing report?

Question 57 • medium • multiple choice

A penetration tester is documenting evidence for a finding and takes a screenshot. Which of the following is the most important metadata to include with the screenshot?

Question 58 • medium • multi select

A penetration tester is preparing a presentation for both technical and executive audiences. Which TWO of the following are effective strategies for communicating findings to an executive audience?

Question 59 • hard • multi select

A penetration tester discovers a critical vulnerability that cannot be fully remediated immediately. The client asks for recommendations. Which THREE of the following should the tester include?

Question 60 • medium • multi select

A penetration tester is following responsible disclosure timelines. Which TWO of the following actions align with responsible disclosure practices?

Question 61 • easy • multiple choice

A penetration tester discovers a critical vulnerability during an assessment. According to best practices, when should the tester communicate this finding to the client?

Question 62 • medium • multiple choice

A penetration tester is writing the executive summary of a report. Which of the following is MOST important to include?

Question 63 • hard • multiple choice

During a penetration test, the tester discovers evidence that an external attacker is actively exploiting a vulnerability in the client's environment. Which of the following is the MOST appropriate action?

Question 64 • medium • multiple choice

A penetration tester needs to assign a severity rating to a vulnerability based on business context. Which model uses Impact and Likelihood to determine the risk?

Question 65 • medium • multi select

A penetration tester is preparing a report that includes technical findings. Which TWO of the following should be included in each technical finding? (Select TWO.)

Question 66 • hard • multi select

A penetration tester is presenting findings to a technical audience. Which THREE practices are MOST appropriate for this setting? (Select THREE.)

Question 67 • easy • multi select

Which TWO of the following are components of the DREAD model for risk assessment? (Select TWO.)

Question 68 • medium • multi select

A penetration tester is writing remediation recommendations. Which THREE practices should the tester follow? (Select THREE.)

Question 69 • hard • multi select

A penetration tester is handling a client's pushback on a finding. Which THREE approaches are appropriate? (Select THREE.)
