CCNA Planning and Scoping Questions

28 of 103 questions · Page 2/2 · Planning and Scoping · Answers revealed

76 · MCQ · easy

A penetration testing firm is hired to assess a mobile banking application. The client wants to test both Android and iOS versions, but only the production environment. Which of the following is the MOST important scoping consideration to include in the rules of engagement?

A. Requiring jailbroken/rooted devices for testing
B. Specifying the number of concurrent users during testing
C. Defining the test window to avoid peak hours
D. Excluding the backend API from testing
Answer: A

Rooting/jailbreaking enables deep testing that is often necessary for comprehensive mobile app security assessments.

Why this answer

Requiring jailbroken or rooted devices is the most important scoping consideration because mobile banking applications commonly ship with root/jailbreak detection and runtime integrity checks (for example Frida and debugger detection, or device attestation such as SafetyNet/Play Integrity) that stop the app from running on a modified device. Without explicit authorization in the rules of engagement to test from such devices and to bypass those checks, the tester cannot perform deep dynamic analysis, such as hooking API calls, inspecting local storage and keystore/keychain data, or intercepting certificate-pinned traffic, which is essential for a thorough assessment, all the more so when only the production build can be tested.

Exam trap

The trap here is that candidates often confuse operational scheduling (Option C) with technical feasibility, overlooking that without a jailbroken/rooted device, the tester cannot bypass runtime integrity checks and thus cannot perform the most critical parts of the mobile app assessment.

How to eliminate wrong answers

Option B is wrong because specifying the number of concurrent users is irrelevant for a mobile application penetration test; load testing is a performance concern, not a security scoping consideration, and the rules of engagement focus on authorization boundaries, not throughput metrics. Option C is wrong because defining the test window to avoid peak hours is an operational consideration to minimize business impact, but it is not the most important scoping factor; the core technical constraint for mobile app testing is the device's integrity state, as production apps often refuse to run on jailbroken/rooted devices, making authorization to use such devices a prerequisite for any meaningful testing. Option D is wrong because the backend API is the component that handles authentication, transactions, and customer data; excluding it would remove the highest-risk attack surface from an assessment that is already limited to production.

77 · MCQ · medium

A client requests a penetration test of their internal network. During scoping, the tester learns that the client uses a managed security service provider (MSSP) that monitors all network traffic. The client does not want the MSSP to be informed about the test. What is the most appropriate action for the tester to take?

A. Proceed with the test without informing the MSSP, as the client has requested confidentiality
B. Include a clause in the rules of engagement that holds the tester harmless for any disruptions caused by the MSSP's monitoring
C. Advise the client to inform the MSSP about the scheduled test and coordinate a maintenance window or exclusion list
D. Perform the test only after hours to minimize the chance of the MSSP detecting the test activity
Answer: C

Proper coordination ensures the MSSP can whitelist test traffic, avoid false positives, and prevent unnecessary incident response. This aligns with best practices for scoping.

Why this answer

Option C is correct because failing to inform the MSSP could trigger automated incident response actions (e.g., IPS blocking, SIEM alerting, or even network isolation) that disrupt the test and potentially cause false-positive security incidents. Coordinating a maintenance window or exclusion list ensures the MSSP's monitoring tools (like Snort, Suricata, or proprietary NDR) do not interfere with legitimate test traffic, preserving both test integrity and the client's operational security. If the client's real goal is to measure how well the MSSP detects an attack, that is an unannounced (red team style) exercise and must be set up as such: a named trusted agent at the client, a deconfliction channel, and a stop condition written into the rules of engagement, not simply silence toward the MSSP.

Exam trap

The trap here is that candidates assume client confidentiality overrides all other considerations, but the PT0-002 exam emphasizes that penetration testing must not cause unintended operational disruptions or violate third-party agreements, making coordination with the MSSP a mandatory scoping step.

How to eliminate wrong answers

Option A is wrong because proceeding without informing the MSSP violates standard penetration testing best practices and could cause the MSSP's monitoring systems (e.g., IDS/IPS, SIEM correlation rules) to flag the test traffic as malicious, leading to automated blocking, alert fatigue, or unnecessary escalation to the client's security team. Option B is wrong because a hold-harmless clause does not prevent the MSSP from actively blocking or alerting on test traffic; it only shifts liability after disruption occurs, which still compromises the test's accuracy and may violate the MSSP's own terms of service or SLAs. Option D is wrong because an MSSP monitors around the clock; after-hours activity is still detected and may be blocked or escalated, and deliberately timing the test to evade the client's own monitoring without coordination is not a scoping control.

78 · MCQ · easy

A client wants to conduct a penetration test of their e-commerce website. They are concerned about impacting live transactions. Which clause should be included in the Rules of Engagement to address this?

A. Exclusion of network stress testing and availability testing.
B. Out-of-scope systems list.
C. In-scope IP addresses.
D. Authorization for testing.
Answer: A

This clause directly addresses the concern by prohibiting activities that could overload the web servers or cause downtime, ensuring live transactions remain unaffected.

Why this answer

Option A is correct because the client's primary concern is avoiding disruption to live transactions. A clause excluding network stress testing and availability testing (e.g., DoS attacks, resource exhaustion, or high-volume scanning) directly addresses this by prohibiting any action that could degrade performance or cause downtime. This is a standard Rules of Engagement (RoE) safeguard for production e-commerce environments where transaction integrity and uptime are critical.

Exam trap

The trap here is that candidates often confuse 'out-of-scope systems' with operational restrictions, failing to realize that even in-scope systems can be disrupted by stress testing, so a specific exclusion clause is required.

How to eliminate wrong answers

Option B is wrong because an out-of-scope systems list defines which hosts or networks are off-limits, but it does not specifically prohibit stress or availability testing on in-scope systems; the client's concern is about impacting live transactions on the target e-commerce site, not about accessing unrelated systems. Option C is wrong because listing in-scope IP addresses merely identifies the targets for testing, but it does not include any operational restrictions; without an explicit clause against stress testing, the tester could still perform disruptive actions on those IPs, violating the client's requirement. Option D is wrong because written authorization is a prerequisite for any engagement and establishes that testing is permitted at all, but it does not restrict which techniques may be used against in-scope systems, so on its own it does nothing to protect live transactions.

79 · MCQ · medium

Refer to the exhibit. A penetration tester obtains this output from a Linux server. The tester notes that port 3389 is typically used for RDP on Windows. Which of the following is the MOST likely explanation?

A. The server has been compromised and is used as a jump box
B. The server is running a honeypot mimicking RDP
C. The server is running a Windows virtual machine using RDP
D. The server is running a service that mimics RDP using xrdp
Answer: D

xrdp is an open-source RDP server for Linux, so a Linux host legitimately listening on TCP 3389 is common.

Why this answer

Option D is correct because xrdp (and similar packages) implement the RDP protocol on Linux, so an RDP listener on a Linux server is an ordinary configuration rather than evidence of something unusual. Option C (a Windows virtual machine) is possible but less likely: a VM would normally have its own IP address, and nothing in the output points to virtualization. Option A (compromise and use as a jump box) is not the most likely explanation without other indicators of compromise. Option B (a honeypot) is plausible but not the most likely.

In practice the tester should confirm the service rather than guess, for example with service-version detection (nmap -sV -p 3389) and by inspecting the TLS certificate the listener presents, and record the result in the scoping notes.
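Rather than inferring the service from the port number, a tester can ask the listener what it is. The following Python script is an added example, not code from the page or the exam: it builds the first RDP handshake message (a TPKT-framed X.224 Connection Request carrying an RDP_NEG_REQ) and parses the server's Connection Confirm to learn which security protocol the server selects. The three replies embedded below are constructed for offline use, not captured from a real host, and the host name in the usage line is a placeholder.

```python
import socket
import struct

# Security protocol values from RDP_NEG_REQ / RDP_NEG_RSP (MS-RDPBCGR).
PROTOCOL_RDP = 0x00000000      # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (Network Level Authentication)

# RDP_NEG_FAILURE codes (MS-RDPBCGR).
FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
}


def build_connection_request(cookie="mstshash=scopecheck",
                             requested=PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """Build a TPKT-framed X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type=0x01, flags=0, length=8 (LE), requestedProtocols bitmask (LE)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    routing_cookie = f"Cookie: {cookie}\r\n".encode("ascii")
    # X.224 CR TPDU after the length indicator: CR code 0xE0, DST-REF, SRC-REF,
    # class option, then the variable part (routing cookie + negotiation request).
    tpdu = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + routing_cookie + neg_req
    x224 = bytes([len(tpdu)]) + tpdu                  # LI counts everything after itself
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))   # version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Parse the server's X.224 Connection Confirm plus any RDP_NEG_RSP / RDP_NEG_FAILURE."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed response")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length field does not match the data received")
    length_indicator, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("X.224 TPDU is not a Connection Confirm")
    result = {"negotiation_present": False, "selected_protocol": None, "failure": None}
    # Servers without security negotiation answer with a bare 7-byte CC (LI == 6).
    if length_indicator >= 14 and len(data) >= 19:
        neg_type, _flags, neg_len, value = struct.unpack("<BBHI", data[11:19])
        if neg_len == 8 and neg_type == 0x02:       # RDP_NEG_RSP
            result.update(negotiation_present=True, selected_protocol=value)
        elif neg_len == 8 and neg_type == 0x03:     # RDP_NEG_FAILURE
            result.update(negotiation_present=True,
                          failure=FAILURE_CODES.get(value, f"unknown(0x{value:02x})"))
    return result


def describe(result: dict) -> str:
    """One-line interpretation of a parsed Connection Confirm."""
    if result["failure"]:
        return f"negotiation failed: {result['failure']}"
    if not result["negotiation_present"]:
        return "legacy RDP (no security negotiation): standard RDP security only"
    names = {PROTOCOL_RDP: "standard RDP security", PROTOCOL_SSL: "TLS",
             PROTOCOL_HYBRID: "CredSSP/NLA"}
    return names.get(result["selected_protocol"], "unknown protocol")


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Send one Connection Request to a live host and parse the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        head = sock.recv(4)
        if len(head) < 4:
            raise ValueError("connection closed before a TPKT header arrived")
        (total,) = struct.unpack(">H", head[2:4])
        body = b""
        while len(body) < total - 4:
            chunk = sock.recv(total - 4 - len(body))
            if not chunk:
                break
            body += chunk
        return parse_connection_confirm(head + body)


# Constructed replies for offline use (not captured from real hosts).
REPLY_NLA = bytes.fromhex("030000130ed000001234000200080002000000")      # selects CredSSP
REPLY_LEGACY = bytes.fromhex("0300000b06d00000123400")                   # bare CC, no negotiation
REPLY_FAILURE = bytes.fromhex("030000130ed000001234000300080005000000")  # HYBRID_REQUIRED_BY_SERVER

if __name__ == "__main__":
    for label, reply in (("nla", REPLY_NLA), ("legacy", REPLY_LEGACY), ("failure", REPLY_FAILURE)):
        print(label, "->", describe(parse_connection_confirm(reply)))
    # Against a real target in scope (placeholder host name):
    # print(describe(probe("rdp-host.example.internal")))
```

A Windows host with Network Level Authentication enforced answers with CredSSP; what xrdp negotiates depends on its configuration, so treat the selected protocol as a lead, not a verdict, and follow up with the TLS certificate's subject and an nmap -sV fingerprint before writing the host up as anything other than "RDP listener".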

80 · MCQ · easy

A penetration testing firm is contracted to test a multi-tenant SaaS application. During scoping, the client needs to ensure that testing does not affect other tenants' data. Which scoping control is most important to implement?

A. Isolated testing environment
B. Data anonymization
C. Signed waiver from all tenants
D. Limit test to read-only operations
Answer: A

An isolated environment allows testing without risk to other tenants' data or availability.

Why this answer

An isolated testing environment is the most important scoping control because it ensures that the penetration testing activities, including any potentially disruptive scans or exploits, are contained within a dedicated instance of the SaaS application. This prevents any cross-tenant data leakage or service degradation, as the tester's actions are restricted to a logically or physically separate environment that does not share databases or compute resources with production tenants. Without isolation, even read-only testing could inadvertently access or modify data belonging to other tenants due to shared multi-tenant architecture.

Exam trap

The trap here is that candidates may confuse data anonymization as a sufficient control for multi-tenant isolation, overlooking that anonymization does not prevent cross-tenant data access or service disruption in a shared environment.

How to eliminate wrong answers

Option B (Data anonymization) is wrong because data anonymization is a data protection technique applied to production data to remove personally identifiable information (PII), but it does not prevent the tester's actions from affecting other tenants' data or the application's shared infrastructure; it only reduces the risk of exposing sensitive data if accessed. Option C (Signed waiver from all tenants) is wrong because a signed waiver is a legal document that releases the testing firm from liability, but it does not technically prevent the testing from affecting other tenants' data; it merely shifts responsibility after a breach occurs, which is not a proactive scoping control. Option D (Limit test to read-only operations) is wrong because read-only requests still execute against the shared application and data tier; an authorization flaw found during "read-only" testing can still return another tenant's records, and the restriction would prevent validating the isolation controls the client actually wants assured.

81 · MCQ · easy

Which of the following is the most important factor when determining the scope of a penetration test?

A. Tester's available tools
B. Business objectives
C. Latest vulnerabilities
D. Number of testing team members
Answer: B

Objectives define the purpose and targets of the test.

Why this answer

The client's business objectives drive the scope to ensure the test addresses what the client needs to protect. Tools, vulnerabilities, and team size are secondary considerations.

82 · MCQ · easy

A client has limited budget for a penetration test covering critical assets. Which scoping decision best balances coverage and cost?

A. Test only the external perimeter
B. Focus on physical security assessments
C. Perform full-scope test of a representative subset
D. Conduct only automated scans
Answer: C

A full-depth test of a representative sample of the critical assets balances cost and coverage.

Why this answer

Option C is correct because a full-scope test of a representative subset of the critical assets gives real assurance about the kinds of weaknesses present, and the results can be extrapolated to systems built the same way, at a fraction of the cost of testing everything. Option A is wrong because an external-only test ignores internal critical assets entirely. Option B is wrong because a physical assessment covers a single attack vector and leaves the critical systems themselves untested. Option D is wrong because automated scans miss logic flaws and chained attacks and do not validate exploitability, so they are not a substitute for a penetration test of critical assets.

83 · MCQ · medium

A client requests a penetration test that includes an API endpoint hosted by a third-party vendor. The client does not have a signed agreement with the vendor for testing. What is the most appropriate action for the tester?

A. Proceed with testing the API endpoint as requested by the client
B. Exclude the API endpoint from scope until the client obtains written permission from the vendor
C. Test the API endpoint using only non-intrusive methods
D. Include a disclaimer in the report that the tester is not liable for any damages
Answer: B

This is the only safe path. Once the vendor provides written consent, the endpoint can be added to the scope legally.

Why this answer

The tester must exclude the API endpoint from scope until the client obtains written permission from the vendor because testing a third-party API without explicit authorization violates legal boundaries and could constitute unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). Even though the client requests the test, the tester has no contractual or legal relationship with the vendor, making any testing activity potentially illegal. This aligns with the PT0-002 objective of ensuring proper scoping and authorization before any testing begins.

Exam trap

The trap here is that candidates assume the client's request overrides legal boundaries, or that non-intrusive testing is a safe middle ground, when in fact any unauthorized interaction with a third-party system is prohibited without explicit written permission.

How to eliminate wrong answers

Option A is wrong because proceeding without vendor permission exposes the tester and client to legal liability for unauthorized access, regardless of the client's request. Option C is wrong because non-intrusive methods still involve sending crafted requests to the API endpoint, which constitutes unauthorized access without a signed agreement; there is no technical distinction that makes non-intrusive testing legally permissible. Option D is wrong because a disclaimer in the report does not create authorization; any unauthorized access has already occurred by the time the report is written, and liability for it cannot be disclaimed after the fact.

84 · MCQ · medium

A client requires a penetration test of their web application that uses Single Sign-On (SSO) with a third-party identity provider. The client is concerned that testing could lock out real user accounts and disrupt operations. Which of the following should be included in the rules of engagement to address this concern?

A. Prohibit all testing of the authentication mechanism
B. Provide test accounts that are excluded from lockout policies
C. Only perform testing during business hours
D. Require the tester to use only passive reconnaissance techniques
Answer: B

Test accounts that are configured to not lock out allow the tester to perform authentication testing without the risk of locking out real users, which meets the client's requirement.

Why this answer

Option B is correct because providing test accounts that are excluded from lockout policies allows the penetration tester to thoroughly assess the SSO authentication mechanism, including the SAML or OIDC flows, without risking the lockout of real user accounts. This directly addresses the client's operational concern while still enabling comprehensive testing of the identity provider integration. In practice the test accounts must be exempted from lockout (or placed in a dedicated test tenant) on the identity provider side as well as in the application, because the IdP enforces its own lockout and anomaly-detection rules, and the client should confirm that its agreement with the third-party IdP permits testing of the SSO integration.

Exam trap

The trap here is that candidates may assume restricting testing to business hours (Option C) is sufficient to mitigate account lockout risks, but they fail to recognize that lockout policies operate independently of time and that real user accounts remain vulnerable to disruption regardless of when testing occurs.

How to eliminate wrong answers

Option A is wrong because prohibiting all testing of the authentication mechanism would leave critical SSO vulnerabilities (e.g., SAML assertion injection, OIDC token replay) unexamined, violating the core objective of a penetration test. Option C is wrong because performing testing only during business hours does not prevent account lockouts; lockout policies apply regardless of time, and real user accounts could still be disabled during testing, causing operational disruption. Option D is wrong because passive reconnaissance never interacts with the authentication mechanism, so it cannot find vulnerabilities in the SSO flow; it avoids lockouts only by not testing.

85 · MCQ · medium

Refer to the exhibit. During scoping, what risk does this policy pose?

A.Public read access to all objects
B.Insecure SSL configuration
C.Lack of encryption
D.Unauthorized deletion of objects
AnswerA

With Principal set to *, anyone can read objects.

Why this answer

The policy allows any principal (Principal: *) to perform the GetObject action on all objects in the company-data bucket, which is public read access. Unauthorized deletion is not granted (only GetObject is allowed). SSL/TLS configuration and encryption are not addressed by this policy at all; they would appear as Deny statements conditioned on aws:SecureTransport or s3:x-amz-server-side-encryption, and no such statements are present.
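The four answer options are four concrete questions to ask of a bucket policy. The following Python audit is an added example, not code from the page: it takes a bucket policy document and reports whether it grants public read, grants public delete, denies non-TLS access, and requires server-side encryption on uploads. The first policy is constructed to match what the explanation above describes (the exhibit itself is not on this page); the second is a constructed hardened version, with a placeholder account ID and role name.

```python
import fnmatch
import json

# Constructed policy reproducing the exhibit described above: anyone can read every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::company-data/*",
    }],
})

# Constructed hardened policy: reads limited to one role (placeholder ARN),
# plain-HTTP access denied, unencrypted uploads denied.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::company-data/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::company-data", "arn:aws:s3:::company-data/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::company-data/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
})


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for the anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants(actions, wanted: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards (e.g. "s3:*", "s3:Get*")."""
    return any(fnmatch.fnmatchcase(wanted.lower(), pattern.lower()) for pattern in _as_list(actions))


def audit_bucket_policy(policy_json: str) -> dict:
    """Answer the four exam options for one bucket policy document."""
    findings = {"public_read": False, "public_delete": False,
                "enforces_tls": False, "requires_sse": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        anyone = _principal_is_anyone(stmt.get("Principal"))
        actions = stmt.get("Action", [])
        condition = stmt.get("Condition", {})
        if stmt.get("Effect") == "Allow" and anyone and not condition:
            # An unconditional Allow to "*" hands the action to the whole internet.
            # Conditional grants (aws:SourceIp, aws:PrincipalOrgID, ...) still need manual review.
            findings["public_read"] |= _grants(actions, "s3:GetObject")
            findings["public_delete"] |= _grants(actions, "s3:DeleteObject")
        elif stmt.get("Effect") == "Deny" and anyone:
            # Deny-to-everyone statements are how TLS and SSE requirements are expressed.
            secure = condition.get("Bool", {}).get("aws:SecureTransport")
            if str(secure).lower() == "false" and _grants(actions, "s3:GetObject"):
                findings["enforces_tls"] = True
            sse_keys = set(condition.get("StringNotEquals", {})) | set(condition.get("Null", {}))
            if "s3:x-amz-server-side-encryption" in sse_keys and _grants(actions, "s3:PutObject"):
                findings["requires_sse"] = True
    return findings


if __name__ == "__main__":
    print("exhibit policy :", audit_bucket_policy(PUBLIC_READ_POLICY))
    print("hardened policy:", audit_bucket_policy(HARDENED_POLICY))
```

The audit only reads the bucket policy, which is the document the exhibit shows; in a live account the S3 Block Public Access settings at bucket or account level can override a public policy, so a "public_read" result should be confirmed with an unauthenticated GET before it is reported as exposure.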

86 · MCQ · medium

You are conducting a penetration test for a financial institution. The rules of engagement specify that you are not to access any production customer data. During the test, you discover a SQL injection vulnerability in a public-facing web application that allows you to extract customer personally identifiable information (PII). You successfully demonstrate the injection but do not extract any actual PII. According to ethical guidelines and the rules of engagement, what is the appropriate course of action?

A. Extract a small sample of PII to prove impact, then report the vulnerability.
B. Continue the test but avoid exploiting the SQL injection further to stay within scope.
C. Document the vulnerability and include it in the final report without further action.
D. Immediately stop the test and notify the client with details of the finding.
Answer: D

This is the ethical and professional response to a critical finding with potential data exposure.

Why this answer

Accessing PII would violate the ROE and likely breach confidentiality. The best practice is to halt testing, notify the client immediately through the emergency contact named in the ROE, and let them assess the critical risk. The proof of the injection itself should use a benign payload (for example a query that returns the database version or a row count) rather than touching customer records. Option A violates the ROE; Option B fails to alert the client promptly; Option C ignores the urgency of a finding that exposes customer data.

87 · MCQ · medium

A client wants to test a web application that uses a third-party payment gateway. The client explicitly wants the payment gateway to be excluded from the test to avoid service disruption. Where should this exclusion be formally documented?

A. Non-Disclosure Agreement (NDA)
B. Statement of Work (SOW)
C. Rules of Engagement (ROE)
D. Penetration Test Plan
Answer: C

The ROE documents scope, exclusions, and rules for the test.

Why this answer

The Rules of Engagement (ROE) document is the correct place to formally exclude the third-party payment gateway from testing. The ROE defines the scope, boundaries, and constraints of the penetration test, including specific systems or services that must not be targeted. This ensures the client's requirement to avoid service disruption to the payment gateway is legally and operationally enforced.

Exam trap

The trap here is that candidates often confuse the Penetration Test Plan (which details how to test) with the Rules of Engagement (which defines what is allowed and forbidden), leading them to incorrectly select the Plan instead of the ROE for scope exclusions.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) is a legal contract for confidentiality, not for defining test scope or exclusions. Option B is wrong because the Statement of Work (SOW) describes the high-level objectives, deliverables, and timeline, but it does not contain the granular operational constraints like system exclusions. Option D is wrong because the Penetration Test Plan details the technical methodology and procedures, but the formal authorization to exclude specific targets belongs in the ROE, which is the authoritative document for rules and boundaries.

88 · MCQ · medium

A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?

A. Ensuring all testing is performed from a single external IP address
B. Obtaining explicit written authorization from each country's legal department
C. Ensuring compliance with GDPR and data protection laws
D. Restricting testing to non-business hours to minimize impact
Answer: C

GDPR imposes strict rules on handling personal data; the test must be scoped to avoid violations.

Why this answer

Option C is correct because the multinational corporation operates in the European Union, where the General Data Protection Regulation (GDPR) imposes strict requirements on the processing and transfer of personal data. A penetration test that accesses or stores EU residents' personal data must comply with GDPR, including data minimization, lawful processing, and breach notification obligations. Failure to include GDPR compliance in the rules of engagement could result in severe fines (up to 4% of annual global turnover) and legal liability for the tester and client.

Exam trap

The trap here is that candidates often focus on technical constraints like IP whitelisting or broad authorization, overlooking that GDPR compliance is a mandatory legal requirement whenever the test touches EU data subjects' personal data, and that it takes precedence over purely operational choices such as scheduling.

How to eliminate wrong answers

Option A is wrong because testing from a single external IP address is a technical constraint that might be used for firewall whitelisting or attribution, but it is not a legal consideration; it does not address cross-border data transfer laws, privacy regulations, or jurisdictional consent requirements. Option B is wrong because obtaining explicit written authorization from each country's legal department is impractical and not the most important legal consideration; while authorization is necessary, the primary legal risk in an EU context is GDPR compliance, which governs how personal data is handled during the test, not just permission to test. Option D is wrong because restricting testing to non-business hours is an operational consideration to reduce impact, not a legal one.

89 · Matching · medium

Match each network protocol to its well-known port number.

22: SSH
443: HTTPS
53: DNS
25: SMTP
3389: RDP

Why these pairings

These are standard well-known port assignments for common protocols used in penetration testing.

90 · MCQ · easy

A penetration tester is asked to perform a test that focuses on identifying vulnerabilities in a company's external web application without providing any internal credentials. The tester has been given a signed agreement that lists the IP range and URLs. Which of the following scoping considerations is MOST directly addressed by the agreement?

A. Type of testing (black box vs white box)
B. Time constraints for the test
C. Rules of engagement regarding social engineering
D. Data handling procedures
Answer: A

The lack of internal credentials and the external IP/URL scope indicate a black box test, which is a primary scoping consideration.

Why this answer

The signed agreement explicitly defines the IP range and URLs for testing, which directly informs the type of testing. Since no internal credentials are provided, this is a black box test, where the tester has no prior knowledge of the internal system. The agreement's scope (IPs and URLs) is the primary factor that determines the testing approach, making 'Type of testing (black box vs white box)' the most directly addressed scoping consideration.

Exam trap

The trap here is that candidates may confuse the provision of an IP range and URL list with a 'white box' scenario, but the lack of internal credentials and the signed agreement's focus on external targets clearly define it as a black box test, not a white box test.

How to eliminate wrong answers

Option B is wrong because time constraints, while important in scoping, are not directly addressed by an agreement that only lists IP ranges and URLs; time constraints would be specified in a separate section of the rules of engagement or project timeline. Option C is wrong because rules of engagement regarding social engineering are not implied by the provision of an IP range and URL list; social engineering rules require explicit consent and separate authorization, and the absence of internal credentials does not automatically permit social engineering. Option D is wrong because data handling procedures (how findings, credentials, and any data encountered are stored, transmitted, and destroyed) are not defined by a list of targets; they require their own section of the agreement.

91 · MCQ · easy

A client is planning a penetration test of their AWS cloud environment. They will provide the tester with an IAM user account with limited permissions. Which of the following scoping restrictions is most important to include in the rules of engagement to avoid unexpected costs?

A. The tester must not create any new AWS resources that incur costs.
B. The tester must use only premium AWS services for testing.
C. The tester must request permission from AWS Support before each test.
D. The tester must avoid testing in the us-east-1 region due to higher costs.
Answer: A

This restriction prevents the tester from accidentally or intentionally launching billable resources. It is a standard and critical control for cloud penetration tests.

Why this answer

Option A is correct because creating new AWS resources (e.g., EC2 instances, RDS databases, Lambda functions) can incur direct costs under the tester's IAM user account, even with limited permissions. The rules of engagement must explicitly prohibit resource creation to prevent unexpected billing, as AWS charges for resources provisioned regardless of the test's purpose. This scoping restriction aligns with the principle of cost containment in penetration testing engagements.

Exam trap

The trap here is that candidates may focus on technical restrictions like service tiers or support permissions, overlooking the direct financial risk of resource creation, which is the most critical scoping concern in cloud penetration testing.

How to eliminate wrong answers

Option B is wrong because requiring the use of only premium AWS services would increase costs unnecessarily and contradicts the goal of avoiding unexpected expenses; premium services are more expensive and not required for effective testing. Option C is wrong because requesting permission from AWS Support before each test is impractical and not a standard scoping restriction; AWS Support does not authorize individual penetration tests, and the tester should rely on the client's authorization and the AWS Acceptable Use Policy. Option D is wrong because us-east-1 is not a high-cost region and pricing differences between regions are small; region choice is not a cost-control scoping restriction, and the tester should simply work in the regions the client has placed in scope.
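A clause in the rules of engagement is only as good as the IAM policy behind the tester's account, so the client should be able to show that the account cannot create billable resources. The following Python is an added example, not code from the page or from AWS: it performs a simplified IAM evaluation (explicit Deny wins over Allow, anything unmatched is implicitly denied, and Resource and Condition elements are ignored, which errs on the side of reporting an action as allowed) and lists which of a constructed set of resource-creating actions a tester policy permits. The three policies are constructed; the list of billable actions is illustrative and should be extended for the client's account.

```python
import fnmatch
import json

# Constructed, illustrative list of actions that provision billable resources.
BILLABLE_ACTIONS = [
    "ec2:RunInstances", "ec2:CreateVolume", "ec2:AllocateAddress",
    "rds:CreateDBInstance", "lambda:CreateFunction", "eks:CreateCluster",
]

# Constructed: read-only tester policy, the shape a cost-conscious client should hand over.
READ_ONLY_TESTER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "s3:List*", "s3:GetBucketPolicy",
                              "iam:Get*", "iam:List*"]}],
})

# Constructed: over-broad policy a client might hand over "to save time".
BROAD_TESTER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": ["ec2:*", "lambda:*"]}],
})

# Constructed: the same broad Allow with an explicit Deny guardrail for resource creation.
GUARDED_TESTER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": ["ec2:*", "lambda:*"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ec2:RunInstances", "ec2:CreateVolume", "ec2:AllocateAddress",
                    "lambda:CreateFunction"]},
    ],
})


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, action: str) -> bool:
    """IAM action matching: case-insensitive with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy_json: str, action: str) -> str:
    """Decide one action against one identity policy: explicitDeny, allow, or implicitDeny.
    Resource and Condition are assumed to be '*' / absent (simplification, see lead-in)."""
    decision = "implicitDeny"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if "Action" in stmt:
            hit = _matches(stmt["Action"], action)
        else:
            # NotAction: the statement applies to every action except the ones listed.
            hit = not _matches(stmt["NotAction"], action)
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"          # any matching Deny ends the evaluation
        decision = "allow"
    return decision


def billable_actions_allowed(policy_json: str) -> list:
    """Which of the constructed billable actions would this tester policy let through?"""
    return [a for a in BILLABLE_ACTIONS if evaluate(policy_json, a) == "allow"]


if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_TESTER), ("broad", BROAD_TESTER),
                         ("guarded", GUARDED_TESTER)):
        print(f"{name:10s} allows: {billable_actions_allowed(policy) or 'nothing billable'}")
```

Because the evaluator ignores Condition and Resource, a policy it reports as safe is safe for these actions, while a policy it reports as permissive may in reality be narrower; that is the right direction for a pre-engagement check. The Deny guardrail belongs in a service control policy or permissions boundary rather than in the tester's own identity policy, so that the account being tested cannot simply remove it.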

92 · MCQ · medium

A penetration testing firm is contracted to test a cloud-based infrastructure. The client uses a shared responsibility model. Which of the following should be clarified in the rules of engagement to avoid legal issues?

A. Who is responsible for patching the operating system
B. Whether the tester needs authorization from the cloud provider
C. The encryption method for data at rest
D. The backup strategy for logs
Answer: B

Cloud providers publish penetration testing policies: some require prior notification or approval, and even those that allow testing of customer-owned resources without approval prohibit certain activities (such as denial of service) and any testing of the provider's own infrastructure. Testing outside those terms can lead to account suspension or legal action.

Why this answer

In a shared responsibility model, the cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. However, penetration testing activities may violate the cloud provider's terms of service or acceptable use policy, potentially triggering legal action. Therefore, confirming what the cloud provider's penetration testing policy permits, and obtaining any authorization it requires, is critical to ensure the tester's actions are legally permitted and to avoid liability for unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The rules of engagement should record which provider policy applies, which activities it prohibits, and that any required notification or approval was obtained before testing starts.

Exam trap

CompTIA often tests the misconception that operational security tasks like patching or encryption are the primary legal concerns in a shared responsibility model, when in fact the critical legal issue is obtaining explicit authorization from the cloud provider to avoid violating their terms of service or anti-hacking laws.

How to eliminate wrong answers

Option A is wrong because patching the operating system is a shared responsibility that varies by service model (e.g., IaaS vs. PaaS), but it is an operational security task, not a legal authorization issue that must be clarified in the rules of engagement to avoid legal issues. Option C is wrong because encryption methods for data at rest are a security control configuration, not a legal authorization requirement; while important for data protection, they do not address the legal risk of unauthorized testing against the cloud provider's infrastructure. Option D is wrong because log backup is an operational resilience matter; it has no bearing on whether the testing itself is authorized.

93 · MCQ · medium

A client with a hybrid on-premises and cloud infrastructure requests a penetration test. The client uses an IaaS provider for some servers. Which of the following is the MOST important aspect to clarify in the rules of engagement regarding the cloud environment?

A. The list of operating systems used in the cloud
B. The authorization from the cloud provider for testing
C. The public IP addresses of the cloud servers
D. The budget allocated for cloud testing
Answer: B

Under shared responsibility, the customer must ensure they have permission from the cloud provider to test certain components; the ROE should specify that this authorization has been obtained.

Why this answer

The most critical aspect to clarify in the rules of engagement for a cloud environment is obtaining explicit authorization from the IaaS provider. Without this authorization, the penetration test may violate the provider's acceptable use policy or terms of service, potentially leading to legal action or service termination. This is a foundational scoping requirement because the client does not own the underlying infrastructure; the cloud provider retains control over the network and hypervisor layers.

Exam trap

The trap here is that candidates focus on technical scoping details like IP addresses or OS lists, overlooking the critical legal and contractual prerequisite of obtaining the cloud provider's explicit authorization, which is a unique requirement for cloud environments compared to on-premises testing.

How to eliminate wrong answers

Option A is wrong because the list of operating systems used in the cloud is a technical detail that can be discovered during reconnaissance or provided in the scope, but it is not the most important legal or contractual aspect to clarify in the rules of engagement. Option C is wrong because while public IP addresses are necessary for targeting, they are operational details that can be scoped later; the primary concern is obtaining the cloud provider's written permission to test, as testing without it could be considered unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). Option D is wrong because the budget determines how much testing can be done, not whether testing the cloud-hosted servers is permitted at all.

94 · MCQ · medium

A client has a highly dynamic cloud environment where resources are frequently spun up and down. What scoping challenge does this present?

A. Compliance issues
B. Lack of logs
C. Insufficient testing time
D. Inconsistent attack surface
Answer: D

Resources changing frequently make it hard to scope and test consistently.

Why this answer

An inconsistent attack surface makes it difficult to define a stable scope of targets. Testing may miss transient resources or encounter resources that change during the engagement. The other options are risks but not specific scoping challenges. A practical mitigation is to define the cloud scope by account, VPC, or resource tag rather than by a fixed IP list, and to re-enumerate the in-scope resources at the start of each testing window so that newly created assets are captured and decommissioned ones are dropped.

95 · MCQ · easy

A client wants a social engineering test focusing on phishing. What should be included in the scope to ensure ethical handling?

A. The rules of engagement for notifying employees after the test
B. The attacker infrastructure details
C. The list of approved sender domains to use
D. The expected number of employees who should fall for the email
Answer: A

Post-test notification rules ensure the exercise ends ethically, with employees informed and debriefed.

Why this answer

Option A is correct because the rules of engagement should define how and when employees will be notified and debriefed after the test, which turns the exercise into awareness training rather than a trap and protects the firm from complaints of deception. Option B is wrong because attacker infrastructure details are operational, change during the test, and are not scope items. Option C is wrong although important: approved sender domains are a technical control that keeps the test from impersonating real third parties, but the question asks about ethical handling of the people being tested, which the notification rules address. Option D is wrong because an expected click rate is a metric, not a scope item, and setting a target in advance would bias the test.

96 · Multi-Select · medium

Which THREE factors are critical to include in the rules of engagement for a penetration test?

Select 3 answers
A. Emergency contact information
B. Target IP ranges
C. Testing schedule
D. List of tools to be used
E. Post-exploitation procedures
Answers: A, B, C

Emergency contacts, target ranges, and the testing schedule are the core of the RoE; the contacts in particular are essential for stopping the test if issues arise.

Why this answer

Rules of engagement typically include target IP ranges (scope), testing schedule (time windows), and emergency contact information. Tools list and post-exploitation procedures are often documented in the test plan but are not always part of the RoE.

97 · MCQ · medium

A multi-tenant SaaS application needs tenant isolation testing. Which type of testing is most appropriate?

A. White-box testing with access to source code
B. Vulnerability scanning of the underlying infrastructure
C. Black-box testing from the internet
D. Gray-box testing with a tenant account
Answer: D

Allows testing from an authenticated perspective.

Why this answer

Option D is correct because gray-box testing with a tenant account puts the tester in exactly the position of a malicious or compromised tenant: authenticated, and able to probe whether object references, API parameters, or storage paths belonging to another tenant are reachable. Option C is wrong because an unauthenticated black-box test from the internet never reaches the authenticated boundary where tenant isolation is enforced. Option A is wrong because a white-box source review can show how isolation is designed but does not exercise the deployed configuration that real tenants access. Option B is wrong because infrastructure scanning finds host and service weaknesses, not application-level isolation failures.

98 · Matching · medium

Match each type of social engineering attack to its description.

Phishing: Fraudulent emails to obtain sensitive information
Spear phishing: Targeted phishing at a specific individual or organization
Vishing: Voice-based phishing over phone calls
Smishing: Phishing via SMS text messages
Tailgating: Following an authorized person into a restricted area

Why these pairings

Social engineering attacks exploit human psychology to gain access or information.

99
MCQ · hard

A penetration testing firm is contracted to perform an external test of a company's web applications. During the scoping meeting, the client mentions that they use a CDN and WAF provided by a third party. The client wants the test to accurately reflect the security of their backend servers behind these protections. What should the tester recommend?

A.Test the CDN and WAF as part of the scope
B.Obtain the backend server IPs from the client and test them directly
C.Include a plan to bypass the WAF in the rules of engagement
D.Only test the public-facing URLs as they are
AnswerB

This allows the tester to assess the backend servers as intended, bypassing the CDN/WAF but with the client's authorization. It is the most accurate way to test the client's own infrastructure.

Why this answer

Option B is correct because the client wants the test to reflect the security of the backend servers behind the CDN and WAF. With the origin IPs supplied by the client, the tester reaches those servers directly, with authorization, and assesses their actual posture rather than the third party's filtering. This surfaces vulnerabilities the CDN/WAF would otherwise mask, which is what the client asked for. Two practical details belong in the rules of engagement: the client should allow-list the tester's source addresses at the origin, and if the origin turns out to answer requests from arbitrary internet sources rather than only from the CDN's address ranges, that exposure is itself a finding, because it lets any attacker sidestep the WAF.

Exam trap

The trap here is that candidates may pick Option C, a plan to bypass the WAF. The accepted approach is to test the origin directly with the client's permission rather than spend the engagement attacking a third party's control that the client does not own.

How to eliminate wrong answers

Option A is wrong because testing the CDN and WAF would assess the third-party provider's infrastructure, not the client's backend servers; the client cannot authorize testing of systems it does not own, and doing so may breach the provider's terms of service. Option C is wrong because a WAF-bypass plan targets the third party's control rather than the client's servers, may disrupt the WAF's operation or flood it with alerts, and still does not answer the client's question about the origin; testing the backend IPs directly under client authorization does. Option D is wrong because testing only the public-facing URLs leaves the backend servers untested: the CDN and WAF would absorb or block much of the test traffic and mask origin vulnerabilities, so the client's requirement would not be met.
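A check a tester wants before trusting results from "direct origin" testing: that the target IP is one the client supplied, and that the answer really came from the origin and not from a CDN/WAF edge. This is an added example, not code from the page. The response-header fingerprints are the commonly documented ones for a handful of providers and are an assumption to extend per engagement; the origin range (203.0.113.0/24, an RFC 5737 documentation range) and the two sample responses are constructed.

```python
"""Confirm that 'test the origin directly' traffic is answered by the client's
origin and not by a CDN/WAF edge. Added example, not from the page. The
fingerprints are an assumption to extend per engagement; the IP ranges and
sample headers below are constructed."""
import ipaddress

# Response header (lower-case) -> edge provider whose presence it indicates.
EDGE_HEADERS = {
    "cf-ray": "Cloudflare",
    "cf-cache-status": "Cloudflare",
    "x-amz-cf-id": "Amazon CloudFront",
    "x-amz-cf-pop": "Amazon CloudFront",
    "x-iinfo": "Imperva Incapsula",
    "x-akamai-transformed": "Akamai",
}
# Substrings of the Server header that name an edge product.
SERVER_VALUES = {
    "cloudflare": "Cloudflare",
    "akamaighost": "Akamai",
    "cloudfront": "Amazon CloudFront",
}


def classify_edge(headers):
    """Return the edge provider the response appears to have passed through,
    or None when no known fingerprint is present."""
    h = {k.lower(): str(v) for k, v in headers.items()}
    for name, provider in EDGE_HEADERS.items():
        if name in h:
            return provider
    server = h.get("server", "").lower()
    for needle, provider in SERVER_VALUES.items():
        if needle in server:
            return provider
    if "cloudfront" in h.get("via", "").lower():
        return "Amazon CloudFront"
    return None


def origin_check(target_ip, allowed_origins, response_headers):
    """Gate for direct-origin testing: the target must be an IP the client
    listed in the ROE, and the response must not carry edge fingerprints."""
    addr = ipaddress.ip_address(target_ip)
    if not any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_origins):
        return False, f"{target_ip} is not in the client-supplied origin list"
    edge = classify_edge(response_headers)
    if edge is not None:
        return False, f"response carries {edge} fingerprints; the origin was not reached"
    return True, "direct origin response"


# Constructed samples: the client-supplied origin range and two responses.
CLIENT_ORIGINS = ["203.0.113.0/24"]
EDGE_RESPONSE = {"Server": "cloudflare", "CF-RAY": "0123456789abcdef-FRA", "Content-Type": "text/html"}
ORIGIN_RESPONSE = {"Server": "Apache/2.4.57 (Debian)", "Content-Type": "text/html"}

if __name__ == "__main__":
    print(origin_check("203.0.113.10", CLIENT_ORIGINS, ORIGIN_RESPONSE))
    print(origin_check("203.0.113.10", CLIENT_ORIGINS, EDGE_RESPONSE))
    print(origin_check("198.51.100.7", CLIENT_ORIGINS, ORIGIN_RESPONSE))
```

When the request goes to the origin IP, the Host header (and TLS SNI) must still carry the site's hostname, or a virtual-hosted origin will serve a default site and the test measures the wrong thing. If the origin answers with no edge fingerprints from an address the client did not allow-list for the test, record that as a finding: the WAF can be bypassed by anyone who learns the origin address.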

100
MCQ · medium

A client wants to test a web application that uses multiple third-party APIs for payment processing, shipping, and customer relationship management. The client states that the APIs are critical for operations but cannot be taken offline. Which scoping consideration is most important to include in the rules of engagement?

A.The tester must use only non-intrusive scanning techniques on the APIs.
B.The tester must exclude all API endpoints from testing.
C.The tester must coordinate testing schedules with the API vendors.
D.The tester must provide a list of all API calls to be made prior to testing.
AnswerA

Non-intrusive techniques reduce the likelihood of causing service disruption while still allowing assessment.

Why this answer

Option A is correct because the client explicitly stated that the APIs are critical for operations and cannot be taken offline. Non-intrusive scanning techniques, such as passive traffic analysis or read-only API calls with safe HTTP methods (GET, HEAD), minimize the risk of service disruption, data corruption, or rate-limit triggering. This aligns with the scoping requirement to maintain availability while still allowing security testing of the API layer.

Exam trap

The trap here is that candidates may assume 'non-intrusive' means only using automated scanners or that coordinating with vendors (Option C) is necessary for third-party APIs, but the core scoping principle is to avoid impacting production availability while still testing the API attack surface.

How to eliminate wrong answers

Option B is wrong because excluding all API endpoints would leave the most critical attack surface (the payment, shipping and CRM integrations) untested, defeating the purpose of the assessment. Option C is wrong because the tester coordinates with the client, not with the vendors: the third-party APIs are not the client's property, so the client can only authorize testing of its own integration (how the application calls the APIs and handles their responses), and that is exactly why traffic sent toward the vendor endpoints must stay non-intrusive. Option D is wrong because supplying a list of every API call before testing is overly restrictive and unrealistic for dynamic testing; it would prevent the tester from discovering undocumented endpoints or chaining calls the way an attacker would, which undermines the goal of simulating real-world adversarial behavior.
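One way to enforce the "non-intrusive techniques only" rule at the point where requests are sent, so that a tester's tooling cannot accidentally issue a state-changing call to a vendor API or trip its rate limits. This is an added example, not code from the page: the hostnames and the requests-per-second cap are constructed, and the per-host minimum-interval throttle is a simple illustration of rate control rather than any particular tool's implementation.

```python
"""Request gate implementing a 'non-intrusive methods only' ROE rule for
third-party APIs. Added example, not from the page; hostnames and the rate
cap are constructed."""
import time
from urllib.parse import urlsplit

# "Safe" methods per RFC 9110 section 9.2.1, minus TRACE, which has no place
# in production testing.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class RoeRequestPolicy:
    def __init__(self, client_hosts, third_party_api_hosts, max_rps_third_party=1.0):
        self.client_hosts = {h.lower() for h in client_hosts}
        self.third_party = {h.lower() for h in third_party_api_hosts}
        self.min_interval = 1.0 / max_rps_third_party
        self._last_sent = {}

    def decide(self, method, url, now=None):
        """Return (allowed, reason). `now` is injectable so the rate check is
        deterministic in tests; it defaults to the monotonic clock."""
        now = time.monotonic() if now is None else now
        host = (urlsplit(url).hostname or "").lower()
        method = method.upper()
        if host in self.client_hosts:
            return True, f"{host} is client-owned: full testing authorised"
        if host in self.third_party:
            if method not in SAFE_METHODS:
                return False, (f"{method} to third-party API {host} may change state; "
                               "ROE permits non-intrusive methods only")
            last = self._last_sent.get(host)
            if last is not None and now - last < self.min_interval:
                return False, f"rate cap for {host} reached; back off to avoid tripping the vendor's limits"
            self._last_sent[host] = now
            return True, f"{method} to third-party API {host} within rate cap"
        return False, f"{host} is not in scope"


if __name__ == "__main__":
    policy = RoeRequestPolicy(["shop.example.com"], ["api.payments.example.net"],
                              max_rps_third_party=2.0)
    for m, u in [("POST", "https://shop.example.com/cart"),
                 ("GET", "https://api.payments.example.net/v1/status"),
                 ("DELETE", "https://api.payments.example.net/v1/charges/1"),
                 ("GET", "https://unrelated.example.org/")]:
        print(m, u, policy.decide(m, u))
```

A method gate cannot see a badly designed API whose GET endpoints have side effects; those need to be identified from the vendor documentation during scoping and added to the policy as explicit denials, which is the kind of detail the rules of engagement should record for each integration.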

101
MCQ · medium

A penetration tester is scoping a test for a multinational company that must comply with GDPR. The tester wants to ensure that any personal data captured during the test is handled appropriately. Which document should be reviewed?

A.Test plan
B.Authorization letter
C.Data processing agreement
D.Non-disclosure agreement
AnswerC

DPA defines how personal data must be handled, ensuring GDPR compliance.

Why this answer

A data processing agreement (DPA) outlines how personal data is processed and protected, which is essential for GDPR compliance. An NDA covers confidentiality but not data processing specifics. An authorization letter grants permission, and a test plan is technical.

102
MCQ · easy

A penetration tester is engaged to perform a red team exercise for a large enterprise. The client wants the test to simulate a realistic attack from an external threat actor. Which of the following scoping elements is most important to include in the rules of engagement?

A.A list of all IP addresses to be scanned
B.The time window for the test
C.The amount of data to be exfiltrated
D.The specific vulnerabilities to be exploited
AnswerB

Defining the start and end times ensures the test does not interfere with critical operations and lets the client's trusted contacts (the white cell) deconflict red team activity from real incidents; in a realistic exercise the blue team itself is normally not forewarned.

Why this answer

In a red team exercise simulating an external threat actor, the rules of engagement must define the time window for testing to ensure the test aligns with operational constraints and minimizes business disruption. This scoping element is critical because it sets legal and logistical boundaries, such as avoiding peak business hours or maintenance windows, which is a core requirement for realistic yet safe adversarial simulation.

Exam trap

CompTIA often tests the misconception that a fixed target list (Option A) is essential for scoping, when in reality, red team exercises require discovery phases that mimic real attackers, making a predefined IP list counterproductive to the simulation's authenticity.

How to eliminate wrong answers

Option A is wrong because providing a list of all IP addresses to be scanned would undermine the realism of an external attack simulation, where the threat actor must discover targets through reconnaissance (e.g., DNS enumeration, Shodan, or passive scanning); the ROE still needs exclusions and out-of-bounds systems, but not a fixed scan list. Option C is wrong because specifying the amount of data to be exfiltrated would artificially limit the test's realism; in a real attack, exfiltration volume is determined by the attacker's objectives and the environment's defenses, not by pre-defined limits, and the ROE instead governs what kinds of data may be handled. Option D is wrong because naming the specific vulnerabilities to be exploited in advance turns the exercise into a scripted test; the red team follows whatever path reconnaissance uncovers, within the boundaries the ROE sets.

103
MCQ · hard

A penetration testing firm is engaged to assess a cloud infrastructure hosted in multiple AWS regions. The client specifies that only systems in US-based regions should be tested due to data sovereignty concerns. Which of the following is the MOST critical documentation to include in the rules of engagement (ROE) to ensure compliance?

A.Statement of Work (SOW)
B.List of allowed AWS regions and associated VPC CIDR ranges
C.Data Processing Agreement (DPA)
D.Penetration testing methodology document
AnswerB

This explicitly defines the geographic scope, preventing tests in non-US regions and ensuring compliance with data sovereignty laws.

Why this answer

Option B is correct because the rules of engagement (ROE) must explicitly define the authorized scope to prevent testing outside US-based regions, which could violate data sovereignty requirements. Listing allowed AWS regions and their associated VPC CIDR ranges provides a precise technical boundary for the penetration test, ensuring that only in-scope systems are targeted. Without this, the testing team might inadvertently access resources in non-US regions, leading to legal and compliance breaches. Two details matter when writing that list: private CIDR ranges can be reused in any region, so each range must be tied to its region and VPC rather than listed on its own, and global AWS services such as IAM, Route 53 and CloudFront are not region-scoped, so the ROE should state explicitly whether they are in scope.

Exam trap

The trap here is that candidates often confuse the SOW (which defines high-level scope) with the ROE (which requires specific technical boundaries like region and CIDR lists), leading them to select Option A instead of the more precise Option B.

How to eliminate wrong answers

Option A is wrong because a Statement of Work (SOW) describes the overall project objectives, deliverables, and timelines, but it does not provide the granular technical scope (e.g., specific AWS regions and IP ranges) required to enforce data sovereignty restrictions during testing. Option C is wrong because a Data Processing Agreement (DPA) governs how personal data is processed and protected between parties, but it does not define the operational boundaries (e.g., which AWS regions or VPCs are permitted) for a penetration test; it is a legal document, not a scoping control. Option D is wrong because the methodology document describes how the testing is carried out, not where; it names no regions or networks and so cannot enforce the geographic boundary.
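A pre-flight scope gate that turns the region and CIDR allow-list from this question's ROE (and the target IP ranges from question 96) into a check a scanner runs before it touches a target. This is an added example, not code from the page: the region list, the VPC CIDRs and the account IDs are constructed (123456789012 is the placeholder account ID used in AWS documentation), and treating region-less ARNs as out of scope unless the ROE lists the service is an assumption made for the example.

```python
"""Pre-flight scope gate for an AWS engagement whose ROE authorises only
certain regions and VPC CIDR ranges. Added example, not from the page: the
region list, CIDRs and account IDs are constructed."""
import ipaddress

# Constructed ROE allow-list: region -> VPC CIDR ranges the client authorised.
ROE_SCOPE = {
    "us-east-1": ["10.10.0.0/16"],
    "us-west-2": ["10.20.0.0/16", "10.21.0.0/16"],
}
# Services whose ARNs carry no region field (IAM, S3, Route 53, CloudFront...).
# Assumption for this example: none are in scope unless the ROE lists them.
GLOBAL_SERVICES_IN_SCOPE = frozenset()


def ip_in_scope(ip, region, scope=ROE_SCOPE):
    """A private IP says nothing about its region on its own, so the caller
    must supply the region the address was discovered in (e.g. from the ENI)."""
    if region not in scope:
        return False, f"region {region} is not authorised"
    addr = ipaddress.ip_address(ip)
    for cidr in scope[region]:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True, f"{ip} is within {cidr} in {region}"
    return False, f"{ip} is not within any authorised CIDR in {region}"


def arn_in_scope(arn, scope=ROE_SCOPE, global_ok=GLOBAL_SERVICES_IN_SCOPE):
    """ARNs have the form arn:partition:service:region:account:resource; the
    region field is the scope key, and an empty region marks a global service."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return False, f"malformed ARN: {arn}"
    _, _partition, service, region, _account, _resource = parts
    if region == "":
        if service in global_ok:
            return True, f"global service {service} is explicitly in scope"
        return False, f"{service} ARN has no region; out of scope unless the ROE lists it"
    if region in scope:
        return True, f"{service} resource in authorised region {region}"
    return False, f"region {region} is not authorised"


def filter_targets(targets, scope=ROE_SCOPE, global_ok=GLOBAL_SERVICES_IN_SCOPE):
    """targets: iterable of ('ip', ip, region) or ('arn', arn, None) tuples.
    Returns (in_scope, rejected) lists, each entry carrying its reason."""
    ok, rejected = [], []
    for kind, value, region in targets:
        allowed, reason = (ip_in_scope(value, region, scope) if kind == "ip"
                           else arn_in_scope(value, scope, global_ok))
        (ok if allowed else rejected).append((value, reason))
    return ok, rejected


if __name__ == "__main__":
    sample = [
        ("ip", "10.10.4.7", "us-east-1"),
        ("ip", "10.10.4.7", "eu-west-1"),
        ("arn", "arn:aws:ec2:us-west-2:123456789012:instance/i-0abc123", None),
        ("arn", "arn:aws:iam::123456789012:user/alice", None),
        ("arn", "arn:aws:s3:::client-logs", None),
    ]
    in_scope, out = filter_targets(sample)
    print("in scope:", in_scope)
    print("rejected:", out)
```

The same 10.10.4.7 address is accepted in us-east-1 and rejected in eu-west-1, which is the point of keying the allow-list by region rather than by CIDR alone; the IAM and S3 ARNs are rejected until the ROE names those services, because an empty region field does not make a resource US-based.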
