- A. A high-level overview of the most critical vulnerabilities and their potential business impact.
  This matches the purpose of the executive summary: concise, business-focused information that allows leadership to make informed decisions without needing technical expertise.
- B. Detailed exploit steps with screenshots.
  Why wrong: Detailed exploit steps are too technical for a CEO. This level of detail belongs in the technical findings section for the IT team.
- C. A list of all CVSS scores without context.
  Why wrong: Raw CVSS scores may be confusing without interpretation. The executive summary should translate technical severity into business risk.
- D. The exact commands used during testing.
  Why wrong: Commands are operational details that are irrelevant to executive-level understanding. They belong in the methodology appendix.
Quick Answer
The correct answer is a high-level overview of the most critical vulnerabilities and their potential business impact. This choice is correct because the executive summary for non-technical stakeholders, such as a CEO, must translate technical risk into business language, focusing on how findings affect revenue, compliance, or reputation rather than on exploit details or CVSS scores. On the CompTIA PenTest+ PT0-002 exam, this question tests your understanding of effective reporting and communication, specifically the objective to tailor reports to the audience; a common trap is including remediation steps or technical jargon, which belongs in the technical report, not the executive summary. To remember this, think of the CEO’s perspective: they care about “what keeps the business awake at night,” not the specific port numbers or command syntax.
PT0-002 Reporting and Communication Practice Question
This PT0-002 practice question tests your understanding of reporting and communication. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?
Why each option matters
Correct answer & explanation
A high-level overview of the most critical vulnerabilities and their potential business impact.
The executive summary is intended for non-technical stakeholders like the CEO, who need to grasp the overall risk posture and business implications without technical jargon. Option A provides a high-level overview of critical vulnerabilities and their potential business impact, directly addressing the CEO's need to understand risk level and business impact, which aligns with the PT0-002 objective for effective reporting and communication.
Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓ A high-level overview of the most critical vulnerabilities and their potential business impact.
  Why this is correct: This matches the purpose of the executive summary: concise, business-focused information that allows leadership to make informed decisions without needing technical expertise.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ Detailed exploit steps with screenshots.
  Why it's wrong here: Detailed exploit steps are too technical for a CEO. This level of detail belongs in the technical findings section for the IT team.
- ✗ A list of all CVSS scores without context.
  Why it's wrong here: Raw CVSS scores may be confusing without interpretation. The executive summary should translate technical severity into business risk.
- ✗ The exact commands used during testing.
  Why it's wrong here: Commands are operational details that are irrelevant to executive-level understanding. They belong in the methodology appendix.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse the executive summary with a technical summary, choosing options with detailed exploit steps or raw CVSS scores, forgetting that the CEO needs a business-focused, non-technical overview of risk and impact.
Trap categories for this question
Similar concept trap
Raw CVSS scores may be confusing without interpretation. The executive summary should translate technical severity into business risk.
Command / output trap
Commands are operational details that are irrelevant to executive-level understanding. They belong in the methodology appendix.
Detailed technical explanation
How to think about this question
The executive summary should distill complex technical findings into business-relevant terms, often using a risk matrix (e.g., likelihood vs. impact) to communicate overall risk. For example, a critical vulnerability like an unpatched remote code execution in a public-facing web server might be summarized as 'High risk of data breach affecting customer PII, potentially leading to regulatory fines and reputational damage,' rather than listing CVSS 9.8. This approach aligns with the PT0-002 domain's emphasis on tailoring communication to the audience, ensuring the CEO can prioritize remediation based on business impact.
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- Reporting and Communication — study guide chapter: Learn the concepts, then practise the questions
- Reporting and Communication practice questions: Targeted practice on this topic area only
- All PT0-002 questions: 509 questions across all exam domains
- CompTIA PenTest+ PT0-002 study guide: Full concept coverage aligned to exam objectives
- PT0-002 practice test guide: How to use practice tests most effectively before exam day
FAQ
Questions learners often ask
What does this PT0-002 question test?
This question tests Reporting and Communication. The key concept: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: A high-level overview of the most critical vulnerabilities and their potential business impact. — The executive summary is intended for non-technical stakeholders like the CEO, who need to grasp the overall risk posture and business implications without technical jargon. Option A provides a high-level overview of critical vulnerabilities and their potential business impact, directly addressing the CEO's need to understand risk level and business impact, which aligns with the PT0-002 objective for effective reporting and communication.
What should I do if I get this PT0-002 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
5 more ways this is tested on PT0-002
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1 (easy). A penetration tester is preparing the executive summary for a report. Which of the following metrics would be MOST valuable to include for non-technical stakeholders to understand the overall security posture?
- A. A list of all tools used during the penetration test
- B. The total number of vulnerabilities discovered and their average CVSS score
- ✓ C. The number of critical and high-risk findings along with the average time to exploit them
- D. A detailed step-by-step exploitation walkthrough of one critical vulnerability
Why C: Option C is correct because non-technical stakeholders (e.g., executives) need a high-level, risk-focused summary that communicates the severity and urgency of findings. The number of critical/high-risk findings directly indicates the most dangerous exposures, and the average time to exploit them conveys how quickly an attacker could compromise the environment. This metric translates technical risk into business impact, which is the core goal of an executive summary.
Variation 2 (easy). In a penetration test report, the executive summary is primarily intended for which audience?
- A. IT system administrators
- ✓ B. Senior management (e.g., CISO, board of directors)
- C. Software developers
- D. External compliance auditors
Why B: The executive summary is designed for senior management (e.g., CISO, board of directors) because it provides a high-level overview of the penetration test's objectives, key findings, risk impact, and recommended strategic actions. It avoids technical jargon and detailed exploit steps, focusing instead on business risk and remediation priorities that inform decision-making and resource allocation.
Variation 3 (easy). A penetration tester is preparing the executive summary of a penetration test report. Which of the following BEST describes the primary audience and appropriate level of technical detail?
- A. A narrative of the testing methodology for other penetration testers.
- ✓ B. High-level findings and business impact for management and executives.
- C. Detailed technical analysis for system administrators.
- D. Step-by-step exploitation procedures for developers.
Why B: Option B is correct because the executive summary targets non-technical stakeholders who need a high-level overview of risks and business impact. Option A is wrong because the audience is not primarily the testers. Option C is wrong because the executive summary should avoid deep technical details. Option D is wrong because the executive summary is not for technical staff.
Variation 4 (easy). A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?
- A. Detailed list of all ports and services found
- B. CVSS scores for every vulnerability
- ✓ C. A high-level summary of the overall risk and key findings
- D. Raw tool output from vulnerability scans
Why C: C is correct because the executive summary is intended for a non-technical audience, such as senior management or stakeholders, who need a concise overview of the organization's security posture. A high-level summary of the overall risk and key findings communicates the business impact and strategic priorities without overwhelming them with technical details. This aligns with the PT0-002 objective of tailoring communication to the audience, ensuring the report drives decision-making rather than technical analysis.
Variation 5 (hard). Refer to the exhibit. A penetration tester is presenting this finding to a non-technical executive. Which improvement should be made to the description?
- A. Include the CVSS vector
- B. List the exact database tables affected
- C. Add a proof-of-concept screenshot
- ✓ D. Describe the business impact in plain language
Why D: Describing the business impact in plain language helps executives understand the risk without technical jargon.
Last reviewed: Jun 11, 2026