Quick Answer
The correct document for formally documenting scope exclusions like a third-party CDN is the Rules of Engagement (ROE). The ROE is the authoritative source for defining the boundaries, constraints, and special permissions of a penetration test, including which IP ranges, domains, or systems are explicitly off-limits. This ensures the testing team avoids targeting infrastructure outside the client’s control, preventing contractual violations or unintended disruptions. On the CompTIA PenTest+ PT0-002 exam, this concept tests your ability to distinguish between the ROE and the Statement of Work (SOW)—the SOW outlines the high-level objectives and deliverables, while the ROE contains the operational guardrails. A common trap is confusing the two, but remember: the ROE is the “rulebook” for what testers can and cannot touch during the engagement. Memory tip: ROE = Restrictions On Engagement.
PT0-002 Planning and Scoping Practice Question
This PT0-002 practice question tests your understanding of planning and scoping. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. The key principle to apply: the ROE defines the scope, targets, and boundaries of a pen test. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A client hires a penetration testing firm to assess a web application. The client uses a third-party content delivery network (CDN) for static assets and explicitly wants to exclude the CDN infrastructure from testing. In which document should this restriction be formally documented?
Answer choices
- A. Statement of Work (SOW)
- B. Non-Disclosure Agreement (NDA)
- C. Master Services Agreement (MSA)
- D. Rules of Engagement (ROE)
Why each option matters
Correct answer & explanation
Rules of Engagement (ROE)
The Rules of Engagement (ROE) document is the correct place to formally document restrictions such as excluding the CDN infrastructure from testing. The ROE defines the scope, boundaries, and specific constraints for the penetration test, including which IP ranges, domains, or systems are off-limits. This ensures the testing team does not inadvertently target the third-party CDN, which could violate contractual agreements or cause unintended disruptions.
Key principle: The ROE defines the scope, targets, and boundaries of a pen test.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ Statement of Work (SOW). Why it's wrong here: The SOW describes the work to be performed and deliverables, but it does not typically detail specific technical restrictions like excluding a CDN.
- ✗ Non-Disclosure Agreement (NDA). Why it's wrong here: The NDA is a legal agreement regarding confidentiality, not technical scope or restrictions.
- ✗ Master Services Agreement (MSA). Why it's wrong here: The MSA outlines long-term business terms, liabilities, and payment, but not per-engagement scope exclusions.
- ✓ Rules of Engagement (ROE). Why this is correct: The ROE is the correct document for specifying what is in scope, what is out of scope, and any specific restrictions like not testing the CDN.
Related concept
The ROE defines the scope, targets, and boundaries of a pen test.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates confuse the ROE with the SOW, assuming the SOW is the catch-all document for all restrictions, but the ROE is specifically designed for operational boundaries and constraints in penetration testing engagements.
Detailed technical explanation
How to think about this question
In penetration testing, the ROE often includes explicit IP address ranges, CIDR blocks, or domain names that are in-scope or out-of-scope, as well as time windows and notification procedures. For CDN exclusion, the tester must ensure that requests to static assets (e.g., images, scripts) are not sent to the CDN’s edge nodes, which may be achieved by configuring the testing tool to bypass the CDN’s DNS resolution or by using a direct origin IP. A real-world scenario is when a tester accidentally triggers a CDN’s DDoS protection mechanism, causing service degradation; the ROE’s explicit exclusion prevents such incidents.
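As an added illustration (not part of the original question page), here is a deny-by-default scope check of the kind a testing harness can run before every request, built from the ROE elements named above: in-scope CIDR blocks and domains, explicit out-of-scope entries for the third-party CDN, and a UTC testing window. Every address, hostname and time in the ROE dictionary is a constructed placeholder.

```python
# Scope guard modelled on an ROE scope section; exclusions always beat inclusions.
import ipaddress
from datetime import datetime, time, timezone

# Constructed example ROE; every address and name here is a placeholder.
ROE = {
    "in_scope_cidrs": ["203.0.113.0/24"],            # client-controlled origin range
    "in_scope_domains": ["app.example.com"],         # includes its subdomains
    "out_of_scope_cidrs": ["203.0.113.250/31"],      # carve-out inside the range
    "out_of_scope_domains": ["cdn.example.com", "static.example.com"],  # the CDN
    "window_utc": (time(22, 0), time(6, 0)),         # overnight window, crosses midnight
}


def _matches_domain(host, pattern):
    """True if host equals pattern or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def in_window(timestamp, roe=ROE):
    """Is an ISO-8601 timestamp (with offset) inside the UTC testing window?"""
    start, end = roe["window_utc"]
    t = datetime.fromisoformat(timestamp).astimezone(timezone.utc).time()
    if start > end:  # window crosses midnight
        return t >= start or t < end
    return start <= t < end


def check_target(target, roe=ROE):
    """Return (allowed, reason). Out-of-scope entries are checked first so a
    carve-out inside an in-scope range, or an excluded CDN host, always wins."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal, treat as a hostname
    if ip is not None:
        for cidr in roe["out_of_scope_cidrs"]:
            if ip in ipaddress.ip_network(cidr):
                return False, f"{target} is in excluded range {cidr}"
        for cidr in roe["in_scope_cidrs"]:
            if ip in ipaddress.ip_network(cidr):
                return True, f"{target} is in scope range {cidr}"
        return False, f"{target} is not in any in-scope range"
    for dom in roe["out_of_scope_domains"]:
        if _matches_domain(target, dom):
            return False, f"{target} is excluded under {dom} (third-party CDN)"
    for dom in roe["in_scope_domains"]:
        if _matches_domain(target, dom):
            return True, f"{target} is in scope under {dom}"
    return False, f"{target} matches no in-scope domain"
```

Sending requests to the origin IP directly, as the explanation suggests, is what the IP branch permits, while any hostname under the CDN domains is refused before a request is ever built.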
Key Concepts to Remember
- The ROE defines the scope, targets, and boundaries of a pen test.
- It specifies what is in-scope and out-of-scope for testing.
- The ROE details specific technical restrictions and methodologies.
- It is a critical document for preventing unauthorized testing activities.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
The ROE defines the scope, targets, and boundaries of a pen test.
Real-world example
How this comes up in practice
A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. The ROE defines the scope, targets, and boundaries of a pen test. Security exam questions test whether you can match controls to threats in context — not just recall definitions.
What to study next
Got this wrong? Here's your next step.
Review the key principle (the ROE defines the scope, targets, and boundaries of a pen test), then practise related PT0-002 questions on the same topic to reinforce the concept.
Last reviewed: Jun 11, 2026