Planning and Scoping

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?

During a penetration test of a large e-commerce platform, the client requests additional testing on a newly discovered microservice mid-engagement. The scope defined in the rules of engagement (ROE) explicitly lists all target systems. What should the penetration tester do FIRST?

A penetration testing firm is hired to assess a U.S.-based company that has recently expanded operations to a country with strict data privacy laws (e.g., GDPR-style regulations). Which of the following is the MOST important legal consideration to include in the rules of engagement?

A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

A penetration testing firm is hired to assess a client's network that includes both internal servers and external cloud-based services. The client wants to test only the internal network due to compliance concerns about testing cloud infrastructure. Which of the following should the penetration tester MOST strongly emphasize during the scoping meeting?

A penetration testing firm is hired to perform a test on a multinational company that has offices in Europe and North America. The client wants to test all systems including those in the European office, which is subject to GDPR. Which of the following is the MOST important legal consideration to include in the rules of engagement?

A client requests a penetration test that simulates an external attacker with no prior knowledge of the internal network. The tester is not provided with any credentials, network diagrams, or source code. Which type of test does this describe?

A penetration testing firm is scoping a test for a client that uses a hybrid infrastructure with both on-premises servers and cloud-based services (IaaS). The client specifies that only the cloud environment should be tested this year. Which concept is MOST important for the tester to discuss during the scoping meeting to avoid testing out-of-scope assets?

A penetration testing firm is hired to assess a client's hybrid infrastructure with on-premises and cloud servers in multiple regions. The client specifies testing only the on-premises systems due to budget and compliance. Which of the following should the tester emphasize in the rules of engagement (ROE)?

A penetration testing firm is hired to assess the security of a small business's web application. The client has explicitly stated that they do not want any testing that could cause a denial of service. Which section of the rules of engagement should specify this restriction?

A client with a hybrid on-premises and cloud infrastructure requests a penetration test. The client uses an IaaS provider for some servers. Which of the following is the MOST important aspect to clarify in the rules of engagement regarding the cloud environment?

A small business hires a penetration tester to assess the security of their network. The owner is concerned about employee data breaches and wants to ensure compliance with industry regulations. Which of the following is the MOST critical document to establish before the test begins?

A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?

A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?

A client with a hybrid infrastructure (on-premises and cloud IaaS) requests a penetration test covering both environments. The cloud provider's terms of service require notification and restrict scanning to specific IP ranges. In which document should these constraints be documented?

A client hires a penetration testing firm to assess a web application. The client uses a third-party content delivery network (CDN) for static assets and explicitly wants to exclude the CDN infrastructure from testing. In which document should this restriction be formally documented?

A penetration testing firm has been hired to test the internal network of a large enterprise. During the scoping meeting, the client states that they want to include all IP ranges, including those used by the HR department's sensitive systems. The tester should recommend which of the following to minimize business impact and avoid disruption?

A client wants to test a web application that uses multiple third-party APIs for payment processing, shipping, and customer relationship management. The client states that the APIs are critical for operations but cannot be taken offline. Which scoping consideration is most important to include in the rules of engagement?

A penetration testing firm is hired to assess a healthcare organization's network. The client has strict regulatory requirements (HIPAA) and wants to ensure that all patient data is protected during testing. Which scoping document should specify the data handling procedures and the destruction of any collected sensitive information?

A client wants to test a web application that uses a third-party payment gateway. The client explicitly wants the payment gateway to be excluded from the test to avoid service disruption. Where should this exclusion be formally documented?

A client hires a penetration testing firm to assess a web application that integrates with a third-party API for payment processing. The client wants to include the API endpoint in the test scope. What should the penetration tester do FIRST to ensure the test is conducted ethically and legally?

A penetration testing firm is contracted to test a multi-tenant SaaS application. During scoping, the client needs to ensure that testing does not affect other tenants' data. Which scoping control is most important to implement?

A penetration tester is scoping an engagement for a client that hosts a public-facing web application and an internal database server. The client wants to ensure that testing does not cause any disruption to the database server. Which of the following should the tester include in the rules of engagement to address this concern?

A client requests a penetration test that includes an API endpoint hosted by a third-party vendor. The client does not have a signed agreement with the vendor for testing. What is the most appropriate action for the tester?

A penetration tester is hired to assess a web application that integrates with a third-party payment API. The client wants the API included in the test but does not have a signed agreement with the vendor. What is the most appropriate action for the tester?

A client asks a penetration tester to perform a test on an e-commerce website. The website experiences high traffic during weekdays and major sales events. To minimize business disruption, when should the tester schedule the active scanning and exploitation activities?

A client requests a penetration test of their web application, but they want to exclude all third-party APIs from the scope. Where should this exclusion be documented?

A penetration testing firm is contracted to test a cloud-based infrastructure. The client uses a shared responsibility model. Which of the following should be clarified in the rules of engagement to avoid legal issues?

A client requests a penetration test of their network and provides a list of IP addresses. During scoping, the tester notices that several IP addresses belong to a major cloud service provider. What should the tester do FIRST before including those IP addresses in the test?

A client wants a penetration test that includes social engineering attacks against employees. They request that the testing team not target the executive leadership team. What should be included in the rules of engagement to address this requirement?

A penetration testing firm is contracted to perform an external test of a company's web applications. During the scoping meeting, the client mentions that they use a CDN and WAF provided by a third party. The client wants the test to accurately reflect the security of their backend servers behind these protections. What should the tester recommend?

A penetration tester is performing reconnaissance on a target domain. The tester queries the public DNS records and finds an SPF record that includes an 'include' mechanism pointing to a third-party email service. Which technique can the tester use to potentially discover more subdomains or internal infrastructure?

During the scoping phase of a penetration test, a client wants to test a third-party API that is integral to their web application. However, they do not have permission from the third-party provider. Which of the following should the tester do first?

A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?

A penetration tester is contracted to perform a test of a company's critical web application that handles financial transactions. The client requires that testing must not degrade the application's performance for live users. Which of the following scoping controls would best address this requirement?

A client requires a penetration test of their web application that uses Single Sign-On (SSO) with a third-party identity provider. The client is concerned that testing could lock out real user accounts and disrupt operations. Which of the following should be included in the rules of engagement to address this concern?

A client has a critical web application that cannot be tested in the production environment due to availability requirements. A staging environment exists that exactly mirrors production, but it uses different IP addresses, domain names, and a subset of data. The staging environment is isolated from production networks. Which scoping element is most important to include in the rules of engagement to ensure a valid test?

A client engages a penetration testing firm to evaluate the security of their internal network. During the scoping meeting, the client states that they use a network access control (NAC) solution that might block the tester's machine if it is connected to the internal network without prior authorization. Which of the following should be included in the rules of engagement to address this potential issue?

A client wants to conduct a penetration test of their web application, but they are concerned about potential service disruption. They request that the tester avoid using any techniques that could cause the application to crash or become unresponsive. Which of the following should the tester include in the rules of engagement to address this requirement?

A client is subject to PCI DSS compliance and requests a penetration test. The client's network has a mix of in-scope systems (cardholder data environment) and out-of-scope systems. During scoping, the tester recommends a specific approach to ensure accurate segmentation testing. Which of the following is the most important consideration for the rules of engagement?

A penetration tester is engaged to perform a red team exercise for a large enterprise. The client wants the test to simulate a realistic attack from an external threat actor. Which of the following scoping elements is most important to include in the rules of engagement?

A client wants to test a mobile app that uses certificate pinning. The penetration tester needs to perform dynamic analysis of the app's network traffic. Which of the following should be included in the rules of engagement to enable this testing?

A client is planning a penetration test of their AWS cloud environment. They will provide the tester with an IAM user account with limited permissions. Which of the following scoping restrictions is most important to include in the rules of engagement to avoid unexpected costs?

A client is planning a penetration test of their internal network but refuses to provide network diagrams or access to a staging environment. The tester is concerned about causing a denial of service (DoS) on critical systems. Which clause should be included in the rules of engagement to mitigate this risk?

A penetration test is being conducted for a healthcare organization subject to HIPAA. The tester is given access to a production system that contains electronic protected health information (ePHI). Which of the following should be included in the rules of engagement to ensure compliance?

A client wants to perform a penetration test on a new web application that is still in development. The application is not yet connected to the internet. Which of the following is the most appropriate scope for this test?

A client wants a penetration test of their cloud infrastructure hosted on AWS. The client states that they want to test the security of their EC2 instances, S3 buckets, and IAM configurations. The client's security team is concerned about potential service disruption due to testing. Which of the following should be included in the rules of engagement to address this concern?

A client requests a penetration test of their production environment that includes critical financial transaction systems. The client is concerned about potential service disruptions. Which of the following should the tester include in the Rules of Engagement to address this concern?

A client wants a penetration test that simulates a disgruntled employee with access to the internal network but no administrative privileges. The client provides a standard user account on the domain. The tester discovers that the account has local administrator rights on a critical file server. Which step should the tester take according to typical Rules of Engagement?

A client wants to conduct a penetration test of their e-commerce website. They are concerned about impacting live transactions. Which clause should be included in the Rules of Engagement to address this?

A client wants a penetration test that simulates an external threat actor with no prior access. The client provides a list of public IP ranges and domain names. Which type of test is this?

A client wants a penetration test of their internal network. They are concerned about causing any disruption to the production systems. The tester should include which of the following in the rules of engagement to address this concern?

A client requests a penetration test of a new mobile application that is still in development and only accessible on a test server behind the corporate VPN. The tester should include which of the following in the scope?

A client requests a penetration test of their production environment, which includes critical financial transaction systems. The client is concerned about potential service disruptions. Which of the following should the tester include in the Rules of Engagement to address this concern?

A company wants to test the security of their internet-facing web application without impacting production servers or user data. The tester must be authorized to attempt authentication bypass and SQL injection. Which item is most critical to include in the scope definition to ensure the test is focused and lawful?

Before starting a penetration test, the tester receives permission to test only two public IP ranges and is told not to perform denial-of-service testing. Which two documents or artefacts are most important to confirm before testing begins? (Choose 2.)

A penetration testing firm is hired to assess a mobile banking application. The client wants to test both Android and iOS versions, but only the production environment. Which of the following is the MOST important scoping consideration to include in the rules of engagement?

A penetration tester is asked to perform a test that focuses on identifying vulnerabilities in a company's external web application without providing any internal credentials. The tester has been given a signed agreement that lists the IP range and URLs. Which of the following scoping considerations is MOST directly addressed by the agreement?