Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


PT0-002 Reporting and Communication • Complete Question Bank

PT0-002 Reporting and Communication — All Questions With Answers

Complete PT0-002 Reporting and Communication question bank — all 0 questions with answers and detailed explanations.

102 Questions • Free • No signup
Question 1 (hard, multiple choice)

After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?

Question 2 (medium, multiple choice)

A penetration tester has completed the test and is preparing the final report. The client requested a risk rating for each vulnerability. Which of the following frameworks is MOST commonly used to standardize vulnerability severity ratings in penetration testing reports?

Question 3 (medium, multiple choice)

A penetration test report includes a finding about a SQL injection vulnerability in a public-facing web application. Which section of the report would be the MOST appropriate place to provide step-by-step remediation instructions for the development team?

Question 4 (hard, multiple choice)

After completing a penetration test, the client's technical team requests the detailed raw data (e.g., scan results, exploit logs, packet captures) used to support the findings. According to best practices, which of the following should the penetration tester do?

Question 5 (easy, multiple choice)

A penetration tester is preparing the executive summary for a report. Which of the following metrics would be MOST valuable to include for non-technical stakeholders to understand the overall security posture?

Question 6 (medium, multiple choice)

After a penetration test, the client's development team requests that the report include specific, actionable remediation steps for each vulnerability. Where in the report should this information be placed?

Question 7 (easy, multiple choice)

A penetration tester is preparing the executive summary of a report for a client's board of directors. Which of the following metrics would be MOST valuable for this audience to understand the overall security posture?

Question 8 (medium, multiple choice)

After a penetration test, the client's development team requires detailed, step-by-step instructions to reproduce a SQL injection vulnerability found in the user login functionality. In which section of the standard penetration testing report should this information be included?

Question 9 (easy, multiple choice)

In a penetration test report, the executive summary is primarily intended for which audience?

Question 10 (easy, multiple choice)

After a penetration test, the client's technical team wants to understand the exact steps required to reproduce a cross-site scripting vulnerability found in the web application. In which section of the standard penetration testing report should this information be included?

Question 11 (medium, multiple choice)

A penetration tester has completed an engagement and needs to present findings to a mixed audience of technical engineers and business executives. Which section of the penetration test report is BEST suited for communicating high-level risk ratings and potential business impact to the non-technical stakeholders?

Question 12 (easy, multiple choice)

After completing a penetration test, the client requests a one-page document that highlights the most critical vulnerabilities, overall risk level, and recommended next steps for management. Which deliverable should the penetration tester provide?

Question 13 (easy, multiple choice)

A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?

Question 14 (medium, multiple choice)

After the penetration test, the client requests a one-page summary of the test's scope, key findings, and recommended next steps for the board of directors. Which document should the penetration tester provide?

Question 15 (easy, multiple choice)

After completing a penetration test, the client's technical team requests a detailed list of all vulnerabilities found, prioritized by severity, along with step-by-step reproduction steps and remediation guidance. In which section of the standard penetration testing report should this information be provided?

Question 16 (easy, multiple choice)

The client's development team needs to reproduce a cross-site scripting vulnerability found in the login form. They require the exact payload and steps. Which deliverable should the penetration tester provide to meet this need?

Question 17 (medium, multiple choice)

During a penetration test, the tester discovers active ransomware on a critical server. Which communication should the tester perform FIRST according to standard rules of engagement?

Question 18 (easy, multiple choice)

After a penetration test, the client requests a document that includes the methodology used, a list of all vulnerabilities found along with their CVSS scores, and detailed steps for remediation. Which type of report section is this?

Question 19 (easy, multiple choice)

After completing a penetration test, the client's board of directors requests a document that provides a high-level overview of the test's objectives, key findings, and business impact. Which section of the standard penetration testing report should be produced for this audience?

Question 20 (medium, multiple choice)

The client's development team needs to reproduce a cross-site scripting (XSS) vulnerability discovered during the penetration test. They require the exact payload and step-by-step instructions. Which deliverable should the tester provide to meet this need?

Question 21 (hard, multiple choice)

After completing a penetration test, the client's technical team requests a document that provides step-by-step reproduction instructions for each vulnerability, including exact payloads, tools used, and screenshots. Which deliverable BEST satisfies this requirement?

Question 22 (easy, multiple choice)

A penetration tester has completed an internal network test. The client's IT manager requests a document that lists each vulnerability with its CVSS score, risk rating, and a brief description of the impact. Which section of the final report should contain this information?

Question 23 (medium, multiple choice)

During a penetration test, the tester discovers a critical vulnerability that could allow an attacker to take over the entire Active Directory domain. The tester wants to report this to the client as soon as possible. Which communication channel is most appropriate for this initial notification?

Question 24 (easy, multiple choice)

A penetration tester has completed the testing phase and is preparing the final report for the client's board of directors. The board members are non-technical and need to understand the overall security posture and business risk. Which section of the report should the tester focus on for this audience?

Question 25 (easy, multiple choice)

A penetration tester is compiling the final report. The client's compliance officer requires a section that maps each finding to specific regulatory requirements (e.g., PCI DSS, HIPAA). Which section of the report is best suited for this mapping?

Question 26 (medium, multiple choice)

A penetration tester is preparing the final report. The client's legal team requests a document that outlines the scope, limitations, and any data handling procedures to comply with regulatory requirements. Which section of the report should include this information?

Question 27 (easy, multiple choice)

During a penetration test, the tester identifies a low-risk information disclosure vulnerability in a public-facing web server. The tester includes this finding in the final report. Which component of the risk rating should the tester use to justify the low severity?

Question 28 (easy, multiple choice)

A penetration tester is preparing the executive summary for a client's board of directors. Which of the following is the most appropriate content for this section?

Question 29 (medium, multiple choice)

A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?

Question 30 (medium, multiple choice)

A penetration tester is finalizing a report for a client. The client's technical team needs a concise list of each vulnerability with its risk rating, CVSS score, and recommended remediation steps. In which section of the report should this information be placed?

Question 31 (hard, multiple choice)

During a penetration test, a tester identifies a critical SQL injection vulnerability. The client remediates the issue, but a retest reveals the same vulnerability in a different module of the application. How should the tester present this information in the final report to best communicate recurring risks?

Question 32 (medium, multiple choice)

A penetration tester is writing the executive summary for a report. The client's CEO needs to understand the business impact of a critical SQL injection vulnerability. Which of the following should the tester include?

Question 33 (easy, multiple choice)

A penetration tester is finalizing a report. Which section should include a detailed technical explanation of how each vulnerability was exploited?

Question 34 (medium, multiple choice)

A penetration tester is writing the technical report for a client. The client's security team needs detailed, step-by-step instructions on how to reproduce each vulnerability found. In which section of the report should this information be placed?

Question 35 (medium, multiple choice)

A penetration tester has identified a critical misconfiguration in a cloud storage bucket that exposes sensitive customer data. The client's technical team has already applied a fix, but the tester wants to ensure the report accurately reflects the risk and the remediation. Which section of the report should include the steps to reproduce the vulnerability?

Question 36 (easy, multiple choice)

A penetration tester is preparing a report for a client's CISO who is not technical. The CISO needs to understand the overall risk posture and the business impact of the findings. Which section of the report should be tailored for this audience?

Question 37 (medium, multiple choice)

A penetration tester has completed a test and is finalizing the report. The client's security team needs to know the exact commands and steps to reproduce a critical remote code execution vulnerability. In which section of the report should this information be primarily documented?

Question 38 (easy, multiple choice)

A penetration tester is writing the executive summary of a report for a client. The client's executive team needs to understand the overall risk posture. Which of the following should be included in the executive summary?

Question 39 (easy, multiple choice)

A penetration tester is writing the findings section of a report. The tester identified a critical SQL injection vulnerability that allows extraction of the entire customer database. The client's technical team has already remediated the issue. How should the tester present this finding to ensure clarity and usefulness?

Question 40 (easy, multiple choice)

A penetration tester has completed the technical portion of a test and is now writing the executive summary. Which of the following is most important to include in this section to effectively communicate with senior management?

Question 41 (medium, multiple choice)

A penetration tester is preparing a report for a client that includes both a technical security team and an executive leadership team. The executive team needs to understand the overall risk posture, while the technical team requires detailed reproduction steps. Which reporting structure best serves both audiences?

Question 42 (easy, multi select)

When calculating the risk rating for a vulnerability found during a penetration test, which two factors are most fundamental to the risk calculation?

Question 43 (easy, multiple choice)

A penetration tester is preparing a report for a client who has both a technical security team and a non-technical executive team. The tester wants to ensure that each audience receives the appropriate level of detail. Which of the following is the most effective approach?

Question 44 (medium, multiple choice)

A penetration tester has completed the test and is writing the final report. The client's VP of Security requests a single-page summary that highlights the most critical risks and their business impact. Which section of the report should be expanded to satisfy this request while maintaining the integrity of the full report?

Question 45 (medium, multiple choice)

A penetration tester is writing the findings section of a report. The tester discovered a cross-site scripting vulnerability that allows session hijacking. The technical team wants to understand exactly how to reproduce it, while the business owner wants to know the risk it poses to customer data. Which approach best addresses both audiences?

Question 46 (medium, multiple choice)

A penetration tester has completed testing and identified several vulnerabilities: a critical SQL injection (CVSS 9.8), a medium stored XSS (CVSS 6.1), and a low self-signed certificate (CVSS 3.7). The client's security manager asks for a simplified way to prioritize remediation. Which of the following is the most effective approach for the tester to present the findings?

Question 47 (easy, multiple choice)

A penetration tester needs to describe a stored XSS vulnerability to a web developer who will fix it. Which level of detail is most appropriate for this audience?

Question 48 (easy, multiple choice)

A penetration tester has discovered a critical SQL injection vulnerability in a web application. The developer team will fix the issue. Which level of detail is most appropriate for this audience?

Question 49 (hard, multiple choice)

A penetration tester needs to communicate the financial impact of a critical vulnerability to the board of directors. Which metric is most appropriate for this audience?

Question 50 (easy, multiple choice)

A penetration tester has completed the test and is writing the executive summary. The CEO wants to understand the overall security posture without technical jargon. Which of the following is the best approach for the executive summary?

Question 51 (medium, multiple choice)

A penetration tester has completed the test and is writing the technical report. The client's security team is highly skilled and wants detailed information about each vulnerability, including the exact request/response used to exploit it. The team also wants to understand the potential impact on the business. Which of the following is the best way to structure the findings for this audience?

Question 52 (easy, multiple choice)

During a penetration test report review, the client's IT manager asks for a 'quick reference' that lists each vulnerability, its severity, and the affected system, without detailed exploit steps. Which section of the report should the tester point to?

Question 53 (easy, multiple choice)

A penetration tester has submitted the final report to the client. The client's legal team requests a separate document that describes the methodology used, but does not include any actual findings or sensitive data. Which type of document should the tester provide?

Question 54 (easy, multiple choice)

A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

Question 55 (easy, multiple choice)

A penetration tester needs to provide a metric that communicates the financial risk of the identified vulnerabilities to the client's CFO. Which metric is most appropriate?

Question 56 (easy, multiple choice)

A penetration tester is preparing the final report. The client's IT director wants a high-level overview of the test results, including the number of findings and the overall risk rating. Which section of the report should the tester point to?

Question 57 (easy, multiple choice)

A penetration tester is preparing the final report. The client's CEO wants a high-level overview of the test results, including the overall security posture and business risk, without technical details. Which section of the report should the tester emphasize for the CEO?

Question 58 (easy, multiple choice)

A penetration tester is preparing the final report. The client's CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

Question 59 (medium, multiple choice)

A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?

Question 60 (medium, multiple choice)

After completing a penetration test, the tester is writing the report. The client's Chief Information Security Officer (CISO) is the primary audience and wants to understand the overall security posture and the most critical risks to the business. Which section of the report should the tester most heavily focus on for this audience?

Question 61 (medium, multiple choice)

A client asks why a medium-severity finding should be remediated before a high-severity finding. The medium finding is internet-facing and actively exploited; the high finding is isolated in a lab subnet. What is the best explanation?

Question 62 (medium, drag order)

Drag and drop the steps to perform a man-in-the-middle (MITM) attack using ARP spoofing with Bettercap into the correct order.

Question 63 (medium, drag order)

Drag and drop the steps to perform privilege escalation on a Linux system using kernel exploit enumeration into the correct order.

Question 64 (medium, matching)

Match each scanning technique to its description.

Sends SYN packet, waits for SYN-ACK, then RST

Completes full TCP three-way handshake

Sends UDP packets to determine open ports

Used to map firewall rulesets

Sends packets with FIN, PSH, URG flags set

Question 65 (medium, matching)

Match each evasion technique to its description.

Splitting packets to evade IDS/IPS

Converting payload to bypass signature detection

Faking source IP to hide origin

Routing traffic through multiple proxies

Delaying requests to avoid rate limiting

Question 66 (easy, multiple choice)

A penetration tester is preparing a report for a client. The client's C-suite executives need a high-level overview of the engagement results without technical jargon. Which section of the report is most appropriate for this audience?

Question 67 (medium, multiple choice)

During a penetration test, a tester discovers a critical vulnerability that could lead to data exposure. The tester plans to include a screenshot of the exploit in the report. What is the most important step to take before inserting the screenshot?

Question 68 (hard, multiple choice)

A penetration tester is writing a report and needs to classify vulnerabilities by risk level. The client has a formal risk acceptance process. Which of the following best describes the purpose of including a risk acceptance section in the report?

Question 69 (medium, multiple choice)

A penetration tester is conducting an internal network test. During the engagement, the tester discovers a critical vulnerability that could be exploited to gain domain admin privileges. According to best practices, how should the tester communicate this finding to the client?

Question 70 (easy, multiple choice)

After completing a penetration test, a tester needs to dispose of test data securely. Which of the following methods is most appropriate for this purpose?

Question 71 (hard, multiple choice)

A penetration tester is writing a report that includes a vulnerability with a CVSS score of 9.8. The client's security team argues that the score should be lower due to compensating controls. How should the tester respond in the report?

Question 72 (medium, multiple choice)

A client requests that the penetration tester deliver the final report in an encrypted format via email. Which encryption method should the tester use to ensure confidentiality?

Question 73 (easy, multiple choice)

Which of the following metrics is most useful for demonstrating the overall security posture improvement after remediation in a penetration test report?

Question 74 (hard, multiple choice)

During a penetration test for a financial institution, the tester discovers that a third-party vendor's system is vulnerable and could expose customer PII. The tester is unsure if the vendor is within scope. How should the tester proceed?

Question 75 (medium, multi select)

Which TWO of the following should be included in the methodology section of a penetration test report?

Question 76 (medium, multi select)

Which THREE of the following are best practices when communicating findings to stakeholders during a penetration test?

Question 77 (hard, multi select)

Which TWO of the following actions are appropriate when handling personally identifiable information (PII) discovered during a penetration test?

Question 78 (easy, multiple choice)

A penetration tester discovers a critical vulnerability in a client's production environment. What is the BEST immediate course of action before including this finding in the final report?

Question 79 (easy, multiple choice)

A penetration tester is preparing the executive summary of a penetration test report. Which of the following BEST describes the primary audience and appropriate level of technical detail?

Question 80 (medium, multiple choice)

During a penetration test, the tester discovers that a third-party vendor has remote access to the client's network. The vendor was not mentioned in the scope of work. How should the tester communicate this finding in the report?

Question 81 (medium, multiple choice)

A penetration tester is writing the technical report and needs to prioritize remediation recommendations. Which factor should be given the MOST weight when prioritizing?

Question 82 (hard, multiple choice)

After a penetration test, the client requests that the tester remove certain findings from the final report because they reveal sensitive information about a new product. What is the BEST response from the tester?

Question 83 (hard, multiple choice)

A penetration tester is finalizing a report and needs to ensure that sensitive data discovered during the test (e.g., password hashes, PII) is handled appropriately. Which of the following is the BEST practice?

Question 84 (easy, multiple choice)

Which of the following is the MOST appropriate format for delivering the final penetration test report to the client?

Question 85 (medium, multiple choice)

A penetration tester discovers that a previously reported vulnerability from a prior test has not been remediated. How should this be communicated in the current report?

Question 86 (hard, multiple choice)

A penetration tester is preparing a report for a client that requires compliance with PCI DSS. Which of the following is the MOST important consideration for the report structure?

Question 87 (medium, multiple choice)

Refer to the exhibit. A penetration tester performed an initial nmap scan and recorded the above output. The tester wants to include this in the report. What additional information should the tester add to make the finding more useful for remediation?

Exhibit: NMAP scan output
```
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
443/tcp  open     https
8080/tcp open     http-proxy
```
Question 88 (easy, multiple choice)

Refer to the exhibit. A penetration tester gained a Meterpreter session on a Windows server. Which of the following should the tester include in the report to provide the most actionable remediation advice?

Exhibit: Metasploit session output
```
sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer    : WIN-2K8R2
OS          : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
Meterpreter : x64/windows
```
Question 89 (hard, multiple choice)

Refer to the exhibit. A penetration tester used a vulnerability scanner and obtained the above result. What is the BEST way to represent this finding in the report to ensure the client can reproduce and fix it?

Exhibit: Web application vulnerability scanner output
```
Vulnerability: SQL Injection
URL: https://example.com/search?q=test
Parameter: q
Payload: ' OR 1=1--
Evidence: Error message shows database version: Microsoft SQL Server 2016 (RTM)
Severity: Critical
```

Question 90 (medium, multi select)

Which TWO of the following are key components that should be included in an executive summary of a penetration test report? (Select TWO.)

Question 91 (medium, multi select)

Which TWO of the following are appropriate ways to handle sensitive data discovered during a penetration test when producing the final report? (Select TWO.)

Question 92 (hard, multi select)

Which THREE of the following are important elements to include in the remediation section of a penetration test report? (Select THREE.)

Question 93 (easy, multiple choice)

During a penetration test, the tester discovers a critical vulnerability that could lead to a data breach. The tester needs to communicate this to the client's management, who are non-technical. What is the BEST way to communicate this finding?

Question 94 (medium, multiple choice)

After completing a penetration test, the tester prepares the final report. According to best practices, which of the following should be included in the executive summary?

Question 95 (hard, multi select)

Which THREE of the following are best practices for writing a penetration test report?

Question 96 (medium, multiple choice)

You are contracted to perform a penetration test for a healthcare organization. During the testing, you discover a critical SQL injection vulnerability that exposes patient health information. The deadline for the final report is one week away. The client's IT manager asks you to exclude this finding from the report because they are already aware of it and are working on a fix. The IT manager claims that including it would cause panic among stakeholders. What is the BEST course of action?

Question 97 (hard, multiple choice)

You are leading a penetration test for a financial institution. The scope was defined as the external network and web applications. During the test, you identify a vulnerability in an internal application that was accidentally exposed due to a misconfiguration. The client's project manager requests that you extend the test scope to include the internal network to fully assess the risk. The request comes on the last day of testing. According to reporting and communication best practices, what should you do FIRST?

Question 98 (easy, multiple choice)

After completing a penetration test, you present the findings to the client's technical team. During the debrief meeting, the technical lead argues that one of the identified vulnerabilities is not exploitable in their environment and should be removed from the report. The evidence you have shows it is exploitable. What is the BEST response?

Question 99 (medium, multiple choice)

You are writing the final report for a penetration test. The client has requested that the report be delivered in an encrypted format. Additionally, the client wants to include raw screenshots and command outputs for evidence. The tester has captured screenshots that show user credentials in clear text from a successful phishing attack. What is the BEST way to handle this?

Question 100 (medium, multi select)

A penetration tester is preparing a final report after a web application test. The tester wants to prioritize vulnerabilities based on risk. Which TWO factors should the tester primarily consider when assigning risk ratings?

Question 101 (hard, multiple choice)

Refer to the exhibit. A penetration tester is presenting this finding to a non-technical executive. Which improvement should be made to the description?

Exhibit
```
Vulnerability: SQL Injection on login.php
Risk: High
Impact: An attacker can extract data from the database.
Recommendation: Use parameterized queries.
```

Question 102 (easy, multiple choice)

A penetration tester has completed a network penetration test for a large financial institution. The client has requested a report that includes details for both technical staff and executive management. The tester has written a single report with a technical focus, including raw CLI outputs and exploit code. During the review, the chief information security officer (CISO) expresses confusion about the overall risk posture and wants a concise summary. Which action should the tester take to best address the CISO's concerns?
