CCNA Reporting and Communication Questions

75 of 102 questions · Page 1/2 · Reporting and Communication · Answers revealed

1 · MCQ · easy

Refer to the exhibit. A penetration tester gained a Meterpreter session on a Windows server. Which of the following should the tester include in the report to provide the most actionable remediation advice?

A. That SYSTEM-level access was achieved on the server.
B. The command used to gain the session.
C. The username 'NT AUTHORITY\SYSTEM' as a local user.
D. The operating system and architecture details.

Answer: A

This indicates full control and requires immediate attention.

Why this answer

Option A is correct because the session shows SYSTEM-level access, indicating a critical compromise. Option B is wrong because merely listing commands is not actionable. Option C is wrong because the user details are simply what getuid shows for the session, not a local user account. Option D is wrong because architecture is system information, not a remediation point.

2 · MCQ · easy

A penetration tester has completed a network penetration test for a large financial institution. The client has requested a report that includes details for both technical staff and executive management. The tester has written a single report with a technical focus, including raw CLI outputs and exploit code. During the review, the chief information security officer (CISO) expresses confusion about the overall risk posture and wants a concise summary. Which action should the tester take to best address the CISO's concerns?

A. Schedule a meeting to walk through the technical details.
B. Remove all technical details and replace them with high-level statements.
C. Provide a separate document with only the executive summary.
D. Add an executive summary at the beginning that highlights critical risks and business impact.

Answer: D

This integrates both audiences; the executive summary gives a high-level view and technical sections remain for staff.

Why this answer

Adding an executive summary directly in the report provides a concise, business-oriented overview that addresses the CISO's needs while retaining technical details for staff.

3 · MCQ · hard

A penetration tester is finalizing a report and needs to ensure that sensitive data discovered during the test (e.g., password hashes, PII) is handled appropriately. Which of the following is the BEST practice?

A. Sanitize the data by redacting or replacing with placeholders.
B. Destroy all copies of sensitive data after the test and do not include any.
C. Present the data only in the oral debrief, not in written form.
D. Include the raw data in an encrypted appendix for the technical team.

Answer: A

Sanitization reduces risk while still conveying the finding.

Why this answer

Option A is correct because sensitive data should be sanitized (e.g., redacted, hashed) in the report to protect confidentiality. Option D is wrong because including raw data increases risk. Option B is wrong because destroying all data may be counterproductive if the client needs it. Option C is wrong because leaving it out of the written report entirely might hide important context.

4 · MCQ · easy

During a penetration test, the tester discovers a critical vulnerability that could lead to a data breach. The tester needs to communicate this to the client's management, who are non-technical. What is the BEST way to communicate this finding?

A. Include the finding only in the final report
B. High-level summary with business impact and recommended timeline for fix
C. Email with subject 'URGENT' and no further details
D. Detailed technical exploit steps

Answer: B

This approach effectively communicates the risk and necessary actions in terms management can understand and act upon.

Why this answer

Option B is correct because communicating a high-level summary with business impact and a recommended timeline is most effective for non-technical management. Option D is wrong because technical details may overwhelm them. Option C is wrong because a subject line alone doesn't convey the context. Option A is wrong because waiting for the final report delays critical communication.

5 · MCQ · medium

During a penetration test, a tester discovers a critical vulnerability that could lead to data exposure. The tester plans to include a screenshot of the exploit in the report. What is the most important step to take before inserting the screenshot?

A. Obtain explicit permission from the client to use the screenshot
B. Remove the finding from the report to avoid sharing sensitive information
C. Check the company policy on screenshot use
D. Sanitize any sensitive data displayed in the screenshot

Answer: D

Prevents exposure of client data.

Why this answer

Option D is correct because testers must sanitize any sensitive data (e.g., real usernames, session tokens) from screenshots before including them in reports to protect client confidentiality. Option A is unnecessary if the data is sanitized. Option C is wrong because checking a policy is not required to make the evidence safe to include. Option B is incorrect because the tester should not remove the finding but sanitize the evidence.

6 · MCQ · easy

A penetration tester has completed the testing phase and is preparing the final report for the client's board of directors. The board members are non-technical and need to understand the overall security posture and business risk. Which section of the report should the tester focus on for this audience?

A. A detailed list of all vulnerabilities with CVSS scores and exploitation steps
B. An executive summary highlighting key risks and business impact
C. A complete log of all commands executed during the test
D. A network diagram showing all discovered hosts and open ports

Answer: B

The executive summary is tailored for non-technical decision-makers, summarizing risks and impacts.

Why this answer

The board of directors requires a high-level overview that translates technical findings into business risk. An executive summary achieves this by focusing on key risks, potential financial or reputational impact, and strategic recommendations, avoiding technical jargon like CVSS scores or command logs.

Exam trap

CompTIA often tests the candidate's ability to distinguish between report sections for different audiences, trapping those who think all findings must be presented in full detail regardless of the reader's technical level.

How to eliminate wrong answers

Option A is wrong because a detailed list of vulnerabilities with CVSS scores and exploitation steps is too technical for a non-technical board; it belongs in the technical appendix for IT staff. Option C is wrong because a complete log of all commands executed during the test is operational documentation for the penetration tester's own records or for client technical teams, not for board-level risk communication.

7 · MCQ · medium

A penetration tester is writing the executive summary for a report. The client's CEO needs to understand the business impact of a critical SQL injection vulnerability. Which of the following should the tester include?

A. The exact SQL injection payload used
B. The CVSS vector string
C. The potential for data breach and financial loss
D. The remediation steps in detail

Answer: C

This directly addresses business impact, which is the focus of the executive summary.

Why this answer

The CEO needs to understand the business impact, not technical details. Option C directly addresses the core concern: a SQL injection vulnerability can lead to unauthorized data access, resulting in a data breach and significant financial loss from fines, remediation costs, and reputational damage. This aligns with the executive summary's goal of translating technical risk into business risk.

Exam trap

The trap here is that candidates confuse the purpose of an executive summary with a technical report, choosing detailed technical data (payload or CVSS) instead of business impact, which is what the CEO actually needs.

How to eliminate wrong answers

Option A is wrong because including the exact SQL injection payload is too technical for an executive summary; it belongs in the technical findings section for the development team. Option B is wrong because the CVSS vector string provides a numerical severity score but does not convey the specific business impact (e.g., potential financial loss or regulatory penalties) that the CEO requires for decision-making.

8 · MCQ · hard

You are leading a penetration test for a financial institution. The scope was defined as the external network and web applications. During the test, you identify a vulnerability in an internal application that was accidentally exposed due to a misconfiguration. The client's project manager requests that you extend the test scope to include the internal network to fully assess the risk. The request comes on the last day of testing. According to reporting and communication best practices, what should you do FIRST?

A. Accept the request and test the internal network immediately
B. Include the internal vulnerability in the final report as an out-of-scope finding
C. Reject the request because it is outside the original scope
D. Document the request and communicate it to both the client and your management for formal scope change approval

Answer: D

This ensures proper authorization and protects both parties contractually.

Why this answer

Option D is correct. Any scope change must be formally documented and approved by both parties to ensure legal and contractual coverage. Option A is wrong because proceeding without approval could violate scope boundaries and create liability. Option C is wrong because outright rejection may miss an important opportunity and damage client relations. Option B is wrong because including out-of-scope findings without authorization may breach contract terms.

9 · MCQ · medium

After completing a penetration test, the tester is writing the report. The client's Chief Information Security Officer (CISO) is the primary audience and wants to understand the overall security posture and the most critical risks to the business. Which section of the report should the tester most heavily focus on for this audience?

A. Technical Findings
B. Executive Summary
C. Appendix - Vulnerability Details
D. Methodology

Answer: B

The Executive Summary provides a concise business-oriented risk overview tailored for executives like a CISO.

Why this answer

The Executive Summary is the section of a penetration test report that provides a high-level overview of the security posture, focusing on business risks and strategic recommendations. For a CISO, who needs to understand the most critical risks to the business without delving into technical details, this section is the most relevant. It translates technical vulnerabilities into business impact, aligning with the CISO's role in risk management and decision-making.

Exam trap

CompTIA often tests the distinction between audience-appropriate report sections, and the trap here is that candidates mistakenly choose Technical Findings or Appendix - Vulnerability Details because they focus on technical depth rather than the business-oriented communication required for a CISO audience.

How to eliminate wrong answers

Option A is wrong because Technical Findings contain detailed exploit steps, affected systems, and raw vulnerability data, which are too granular for a CISO who needs a business-risk perspective rather than technical specifics. Option C is wrong because the Appendix - Vulnerability Details lists raw CVSS scores, CVE IDs, and proof-of-concept code, which are operational details for remediation teams, not for executive-level risk assessment. Option D is wrong because Methodology describes the tools, techniques, and scope of the test (e.g., Nmap scans, Metasploit modules), which is procedural information that does not directly communicate business risk or overall security posture to a CISO.

10 · MCQ · easy

In a penetration test report, the executive summary is primarily intended for which audience?

A. IT system administrators
B. Senior management (e.g., CISO, board of directors)
C. Software developers
D. External compliance auditors

Answer: B

The executive summary provides a concise overview of security posture, business impact, and strategic recommendations for decision-makers.

Why this answer

The executive summary is designed for senior management (e.g., CISO, board of directors) because it provides a high-level overview of the penetration test's objectives, key findings, risk impact, and recommended strategic actions. It avoids technical jargon and detailed exploit steps, focusing instead on business risk and remediation priorities that inform decision-making and resource allocation.

Exam trap

The trap here is that candidates confuse the audience for the executive summary with the audience for the technical report, mistakenly thinking that all stakeholders need the same level of detail, when in fact senior management requires a non-technical, risk-focused summary while technical teams need the full exploit details.

How to eliminate wrong answers

Option A is wrong because IT system administrators need detailed technical findings, including specific vulnerabilities, exploitation steps, and remediation commands (e.g., patch versions, configuration changes), which are found in the technical report, not the executive summary. Option C is wrong because software developers require code-level details such as vulnerable functions, input validation flaws, and proof-of-concept exploits to fix application bugs, which are not included in the executive summary. Option D is wrong because external compliance auditors need evidence of specific control failures and adherence to standards (e.g., PCI DSS, ISO 27001), which are documented in the technical findings and compliance mapping sections, not the executive summary.

11 · MCQ · easy

The client's development team needs to reproduce a cross-site scripting vulnerability found in the login form. They require the exact payload and steps. Which deliverable should the penetration tester provide to meet this need?

A. An executive summary
B. A proof of concept code or walkthrough in the report appendix
C. A spreadsheet of findings with CVSS scores
D. A verbal explanation during the readout

Answer: B

Correct. The appendix often contains detailed proof of concept code, screenshots, and step-by-step reproduction instructions for each finding.

Why this answer

The correct deliverable is a proof of concept (PoC) code or walkthrough in the report appendix because the client's development team needs the exact payload and step-by-step instructions to reproduce the cross-site scripting (XSS) vulnerability. This allows them to validate the finding and implement a fix by injecting a crafted script (e.g., <script>alert('XSS')</script>) into the login form's input fields, demonstrating how user input is not properly sanitized or encoded. Including this in the appendix ensures the technical details are documented for replication without cluttering the main report.

Exam trap

The trap here is that candidates often choose the executive summary or CVSS spreadsheet because they focus on reporting severity rather than the technical reproduction details required by the development team, confusing the purpose of different report sections.

How to eliminate wrong answers

Option A is wrong because an executive summary provides a high-level overview for management, not the precise payload and reproduction steps needed by the development team. Option C is wrong because a spreadsheet of findings with CVSS scores only lists severity ratings and basic descriptions, lacking the exact payload and step-by-step walkthrough required to reproduce the XSS vulnerability. Option D is wrong because a verbal explanation during the readout is not a documented deliverable; the development team needs written, reproducible instructions that can be referenced later, not an ephemeral conversation.

12 · MCQ · easy

A penetration tester has completed the test and is writing the executive summary. The CEO wants to understand the overall security posture without technical jargon. Which of the following is the best approach for the executive summary?

A. List every vulnerability with its CVSS score and technical remediation steps.
B. Provide a high-level overview of the most critical risks, business impact, and recommended strategic improvements.
C. Include a detailed step-by-step reproduction of all attack scenarios.
D. Focus only on network vulnerabilities and omit application-level findings.

Answer: B

This approach aligns with the executive's need for a concise, business-focused summary.

Why this answer

Option B is correct because an executive summary must communicate the overall security posture in business terms, not technical details. The CEO needs to understand the most critical risks, their potential business impact (e.g., financial loss, reputational damage), and recommended strategic improvements—this aligns with the PT0-002 objective of tailoring reports to the audience. Including CVSS scores or step-by-step attack reproductions would overwhelm non-technical readers and fail to convey the big-picture risk.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, selecting options that include excessive technical detail (like CVSS scores or attack steps) instead of focusing on business impact and strategic recommendations.

How to eliminate wrong answers

Option A is wrong because listing every vulnerability with CVSS scores and technical remediation steps is too granular for an executive summary; it belongs in the technical report. Option C is wrong because including a detailed step-by-step reproduction of all attack scenarios is appropriate for the technical findings section, not the executive summary, which should focus on risk and impact. Option D is wrong because omitting application-level findings would give an incomplete picture of the security posture; application vulnerabilities (e.g., SQL injection, XSS) often pose critical business risks and must be summarized at a high level.

13 · MCQ · easy

A penetration tester has completed the technical portion of a test and is now writing the executive summary. Which of the following is most important to include in this section to effectively communicate with senior management?

A. A detailed list of all tools and commands used during the test
B. The total number of vulnerabilities found and their risk ratings, with a focus on business impact
C. Step-by-step instructions on how to reproduce the most critical vulnerability
D. The names of the penetration testers and their certifications

Answer: B

Risk ratings and business impact are key for executives to understand the severity and make informed decisions about resource allocation for remediation.

Why this answer

The executive summary is intended for senior management, who need to understand the business impact of findings rather than technical details. Option B focuses on the total number of vulnerabilities, their risk ratings, and business impact, which directly aligns with management's decision-making needs. This ensures the report communicates risk in terms of potential financial or operational consequences, not just technical severity.

Exam trap

The trap here is that candidates mistake technical completeness for executive communication, choosing options like A or C because they focus on the tester's work rather than the audience's needs, but the exam specifically tests the distinction between technical reporting and management reporting.

How to eliminate wrong answers

Option A is wrong because a detailed list of all tools and commands used during the test is too technical for senior management; this level of detail belongs in the technical report or appendices, not the executive summary. Option C is wrong because step-by-step instructions on how to reproduce the most critical vulnerability are operational details meant for the technical team, not for high-level management who require a summary of risks and remediation priorities.

14 · MCQ · easy

During a penetration test report review, the client's IT manager asks for a 'quick reference' that lists each vulnerability, its severity, and the affected system, without detailed exploit steps. Which section of the report should the tester point to?

A. Executive summary
B. Technical findings section
C. Appendix with raw scan results
D. Remediation recommendations

Answer: B

The technical findings section typically includes a summary table listing each vulnerability, its risk severity, and the affected systems, which is perfect for a quick reference.

Why this answer

The technical findings section is the correct place because it provides a structured list of each vulnerability, its severity rating (e.g., CVSS score), and the affected system, while intentionally omitting detailed exploit steps. This directly satisfies the IT manager's request for a 'quick reference' without the operational risk of exposing attack procedures. The executive summary is too high-level, and the appendix with raw scan results lacks the curated, severity-ranked format needed for a quick reference.

Exam trap

The trap here is that candidates confuse the 'quick reference' request with the executive summary, assuming any summary must be in the executive section, but the executive summary lacks the per-vulnerability detail and system mapping that the technical findings section provides.

How to eliminate wrong answers

Option A is wrong because the executive summary is a high-level overview for non-technical stakeholders, focusing on business risk and strategic recommendations, not a per-vulnerability list with severity and affected systems. Option C is wrong because the appendix with raw scan results contains unprocessed, often voluminous output from tools like Nmap or Nessus, which lacks the curated, severity-ranked format and clear mapping of each vulnerability to a specific system that the IT manager needs.

15 · Multi-Select · easy

When calculating the risk rating for a vulnerability found during a penetration test, which two factors are most fundamental to the risk calculation?

Select 2 answers

A. Likelihood and impact
B. CVSS base score and temporal score
C. Number of affected systems and data classification
D. Ease of exploitation and attack vector

Answers: A, D

Risk = Likelihood × Impact. This is the standard formula used in risk management. Likelihood considers factors like ease of exploitation and exposure, while impact considers data sensitivity and business disruption.

Why this answer

Risk rating in penetration testing is fundamentally derived from the likelihood that a vulnerability will be exploited and the impact if it is exploited. These two factors form the core of any risk assessment framework, including NIST SP 800-30 and ISO 31000, because they directly quantify the probability and consequence of a threat event. Without likelihood and impact, you cannot compute a meaningful risk score, as other factors like CVSS scores or asset counts are secondary inputs that feed into these primary dimensions.

Exam trap

CompTIA often tests the misconception that CVSS scores alone define risk, but the trap here is that CVSS is a measure of vulnerability severity, not risk, which requires contextual likelihood and impact to be meaningful.

16 · MCQ · medium

A penetration tester has completed the test and is writing the technical report. The client's security team is highly skilled and wants detailed information about each vulnerability, including the exact request/response used to exploit it. The team also wants to understand the potential impact on the business. Which of the following is the best way to structure the findings for this audience?

A. Provide only a list of CVSS scores and short descriptions.
B. Include a separate 'Executive Summary' section that covers business impact, and a 'Technical Appendix' with detailed reproduction steps.
C. Combine business impact and technical details in a single paragraph for each finding.
D. Omit technical details to keep the report concise.

Answer: B

This structure allows each audience to find the appropriate level of detail.

Why this answer

Option B is correct because it separates the business impact discussion into an Executive Summary for the client's leadership while providing the detailed technical reproduction steps (exact request/response pairs) in a Technical Appendix, satisfying the highly skilled security team's need for granular exploit details without diluting the business risk narrative.

Exam trap

The trap here is that candidates often pick Option C thinking it is efficient to combine everything, but Cisco tests the understanding that skilled technical audiences require clear separation of business impact and raw technical data to avoid confusion and ensure actionable findings.

How to eliminate wrong answers

Option A is wrong because providing only CVSS scores and short descriptions omits the exact request/response data the client's skilled security team explicitly requires to validate and remediate each vulnerability; it also fails to address business impact, which the team requested. Option C is wrong because combining business impact and technical details in a single paragraph for each finding creates a cluttered, hard-to-scan format that forces the reader to wade through raw HTTP request/response payloads to find the business risk summary, reducing clarity for both technical and non-technical stakeholders.

17 · Multi-Select · medium

A penetration tester is preparing a final report after a web application test. The tester wants to prioritize vulnerabilities based on risk. Which TWO factors should the tester primarily consider when assigning risk ratings?

Select 2 answers

A. Business impact
B. Ease of exploitation
C. Number of times the vulnerability was detected
D. CVSS base score
E. Time to remediate

Answers: A, D

Business impact contextualizes risk for the organization, a key component of risk ratings.

Why this answer

CVSS base score and business impact are the primary factors for risk ratings per CompTIA PenTest+ objectives.

18 · MCQ · easy

A penetration tester is preparing the executive summary for a client's board of directors. Which of the following is the most appropriate content for this section?

A. Detailed step-by-step reproduction steps for each vulnerability
B. A list of all discovered IP addresses and open ports
C. A high-level overview of risks, business impact, and recommended strategic improvements
D. The raw output of automated scanning tools used during the test

Answer: C

This format allows board members to understand the security posture in the context of business risk and make informed decisions.

Why this answer

The executive summary is intended for the board of directors, who require a high-level understanding of risks, business impact, and strategic recommendations rather than technical details. Option C aligns with the PT0-002 objective of tailoring communication to the audience, focusing on risk posture and remediation priorities that inform executive decision-making.

Exam trap

CompTIA often tests the candidate's ability to distinguish between audience-appropriate content, trapping those who confuse the executive summary with the technical report by including granular technical data like reproduction steps or raw scan results.

How to eliminate wrong answers

Option A is wrong because detailed step-by-step reproduction steps belong in the technical report or findings appendix, not the executive summary, which must avoid overwhelming non-technical stakeholders with procedural minutiae. Option B is wrong because a raw list of IP addresses and open ports is operational data for the technical team; the executive summary should synthesize this into risk context and business impact, not present unprocessed reconnaissance output.

19 · MCQ · hard

A penetration tester is writing a report and needs to classify vulnerabilities by risk level. The client has a formal risk acceptance process. Which of the following best describes the purpose of including a risk acceptance section in the report?

A. To provide step-by-step remediation instructions
B. To record vulnerabilities the client has decided not to fix, with justification
C. To justify why the tester did not exploit certain vulnerabilities
D. To document all vulnerabilities found during the test

Answer: B

Formalizes the client's decision to accept risk.

Why this answer

Option B is correct because the risk acceptance section formally documents which vulnerabilities the client chooses not to remediate, providing a clear record for compliance and future audits. Option D is incorrect because risk acceptance is about accepting risk, not documenting all findings. Option A is incorrect because step-by-step instructions belong to the remediation plan, not to risk acceptance. Option C is incorrect because the section records the client's decision, not the tester's justification.

20 · MCQ · easy

A penetration tester is compiling the final report. The client's compliance officer requires a section that maps each finding to specific regulatory requirements (e.g., PCI DSS, HIPAA). Which section of the report is best suited for this mapping?

A. Executive Summary
B. Technical Findings
C. Compliance Mapping
D. Appendices

Answer: C

This section is specifically designed to correlate vulnerabilities to compliance standards, addressing the compliance officer's need.

Why this answer

The Compliance Mapping section is specifically designed to cross-reference each technical finding with relevant regulatory frameworks such as PCI DSS, HIPAA, or GDPR. This allows the compliance officer to quickly verify that all required controls are addressed and that the report meets audit or legal standards. The other sections focus on summarizing or detailing technical issues, not on mapping findings to specific regulations.

Exam trap

The trap here is that candidates often confuse the Technical Findings section as the place for all detailed information, including compliance references, but the exam expects a dedicated Compliance Mapping section to satisfy audit and regulatory requirements separately.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview of the engagement's objectives, scope, and critical risks for management, not a detailed mapping to regulatory requirements. Option B is wrong because the Technical Findings section describes vulnerabilities, exploitation steps, and remediation in depth, but does not explicitly correlate each finding with specific compliance standards like PCI DSS or HIPAA.

21 · MCQ · easy

A penetration tester is writing the executive summary of a report for a client. The client's executive team needs to understand the overall risk posture. Which of the following should be included in the executive summary?

A. Detailed step-by-step replication steps for each vulnerability
B. A list of all CVSS scores for each finding
C. A high-level overview of the test's objectives, scope, and key findings with business impact
D. Raw scan output from vulnerability scanners

Answer: C

This is exactly what executives need to understand the outcomes and make informed decisions about resource allocation.

Why this answer

The executive summary is intended for non-technical leadership who need to grasp the overall risk posture quickly. Option C provides a high-level overview of objectives, scope, and key findings with business impact, which aligns with the PT0-002 objective of tailoring communication to the audience. Detailed technical data like replication steps or raw CVSS scores belong in the technical report, not the executive summary.

Exam trap

The trap here is that candidates confuse the executive summary with the technical report, thinking that including raw data like CVSS scores or replication steps makes the summary more 'complete,' when in fact it overwhelms the intended audience with irrelevant detail.

How to eliminate wrong answers

Option A is wrong because detailed step-by-step replication steps are operational details meant for the technical report or remediation team, not for executives who need a strategic risk overview. Option B is wrong because a list of all CVSS scores is too granular and lacks business context; executives need interpreted risk levels (e.g., critical, high) tied to business impact, not raw numerical scores.

22
MCQmedium

A penetration tester has completed a test and is finalizing the report. The client's security team needs to know the exact commands and steps to reproduce a critical remote code execution vulnerability. In which section of the report should this information be primarily documented?

A.Executive Summary
B.Methodology
C.Findings and Remediation
D.Appendix
AnswerC

This section details each finding, including how to reproduce it, evidence, and remediation recommendations. It is intended for the technical team.

Why this answer

The Findings and Remediation section is the correct place to document the exact commands and steps to reproduce a critical remote code execution vulnerability. This section provides detailed technical evidence, including proof-of-concept (PoC) code, command syntax, and step-by-step reproduction steps, enabling the client's security team to validate and remediate the issue. The Executive Summary is too high-level for such technical details, and the Methodology section describes the overall testing approach, not specific exploit commands.

Exam trap

The trap here is that candidates confuse the Methodology section (which describes the general process) with the Findings section (which contains specific exploit details), leading them to incorrectly choose Methodology when the question asks for exact commands and steps to reproduce.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for management, focusing on risk ratings, business impact, and strategic recommendations, not the precise commands or reproduction steps. Option B is wrong because the Methodology section outlines the penetration testing framework, tools, and techniques used (e.g., scanning, enumeration, exploitation phases) but does not include the specific commands or step-by-step reproduction of individual vulnerabilities.

23
MCQhard

A penetration tester is preparing a report for a client that requires compliance with PCI DSS. Which of the following is the MOST important consideration for the report structure?

A.Include a separate section for vulnerabilities found in the ASV scan.
B.The client's name and sensitive data should be anonymized.
C.All findings must be encrypted at rest and in transit.
D.The report should map findings to specific PCI DSS requirements.
AnswerD

Compliance reports need to show how findings relate to standards.

Why this answer

Option D is correct because PCI DSS requires specific reporting formats and evidence mapping, so findings should be mapped to the individual PCI DSS requirements. Option C is wrong because encryption is a security measure, not a report structure consideration. Option A is wrong because, while a separate ASV scan section is useful, it does not specifically address compliance mapping. Option B is wrong because anonymizing the client's name may conflict with accountability.

24
MCQhard

A penetration tester needs to communicate the financial impact of a critical vulnerability to the board of directors. Which metric is most appropriate for this audience?

A.CVSS base score (e.g., 9.8 out of 10).
B.Risk rating (High, Medium, Low).
C.Annualized loss expectancy (ALE).
D.Number of affected systems.
AnswerC

ALE estimates the expected monetary loss per year due to a risk, making it easy for non-technical executives to understand the financial impact.

Why this answer

The board of directors is concerned with financial risk and business impact, not technical severity. Annualized loss expectancy (ALE) quantifies the expected monetary loss per year from a vulnerability, making it directly relevant for executive decision-making. CVSS scores and risk ratings are technical metrics that do not translate to financial terms.

Exam trap

The trap here is that candidates often choose CVSS score or risk rating because they are familiar from technical reports, but the question specifically asks for a metric to communicate financial impact to the board, which requires a quantitative financial measure like ALE.

How to eliminate wrong answers

Option A is wrong because CVSS base score (e.g., 9.8) measures technical severity based on exploitability and impact metrics, but it does not incorporate asset value, threat frequency, or financial loss—so it cannot communicate monetary impact to the board. Option B is wrong because risk rating (High, Medium, Low) is a qualitative label derived from likelihood and impact, but it lacks the specific dollar figures needed to convey financial consequences to non-technical stakeholders.

25
MCQeasy

Which of the following metrics is most useful for demonstrating the overall security posture improvement after remediation in a penetration test report?

A.Total hours spent testing
B.The size of the attack surface
C.Total number of vulnerabilities found
D.Number of critical vulnerabilities before and after remediation
AnswerD

Directly measures improvement.

Why this answer

Option D is correct because comparing the number of critical vulnerabilities before and after remediation provides a clear metric for improvement. Option C (total vulnerabilities found) does not show change. Option A (total hours spent testing) is irrelevant to posture. Option B (attack surface) is not directly measurable in a single test.

26
MCQeasy

A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

A.A high-level overview of the most critical vulnerabilities and their potential business impact.
B.Detailed exploit steps with screenshots.
C.A list of all CVSS scores without context.
D.The exact commands used during testing.
AnswerA

This matches the purpose of the executive summary: concise, business-focused information that allows leadership to make informed decisions without needing technical expertise.

Why this answer

The executive summary is intended for non-technical stakeholders like the CEO, who need to grasp the overall risk posture and business implications without technical jargon. Option A provides a high-level overview of critical vulnerabilities and their potential business impact, directly addressing the CEO's need to understand risk level and business impact, which aligns with the PT0-002 objective for effective reporting and communication.

Exam trap

The trap here is that candidates often confuse the executive summary with a technical summary, choosing options with detailed exploit steps or raw CVSS scores, forgetting that the CEO needs a business-focused, non-technical overview of risk and impact.

How to eliminate wrong answers

Option B is wrong because detailed exploit steps with screenshots are too technical and granular for an executive summary; they belong in the technical findings section of the report, not in a high-level overview for a CEO. Option C is wrong because listing all CVSS scores without context fails to convey the business impact or risk level; CVSS scores alone do not explain how vulnerabilities affect business operations, compliance, or strategic goals, which is essential for executive decision-making.

27
MCQmedium

Refer to the exhibit. A penetration tester performed an initial nmap scan and recorded the above output. The tester wants to include this in the report. What additional information should the tester add to make the finding more useful for remediation?

A.The version of services running on each port.
B.The list of open ports only.
C.The operating system of each host.
D.The result of a UDP scan for these ports.
AnswerA

Service versions help identify known vulnerabilities.

Why this answer

Option A is correct because service version information is critical for identifying vulnerable versions. Option B is wrong because the open ports are already shown in the scan output. Option C is wrong because OS detection is not always reliable and is not shown here. Option D is wrong because UDP scan results are not shown and do not add to the TCP findings already recorded.

28
MCQeasy

A penetration tester is preparing the executive summary for a report. Which of the following metrics would be MOST valuable to include for non-technical stakeholders to understand the overall security posture?

A.A list of all tools used during the penetration test
B.The total number of vulnerabilities discovered and their average CVSS score
C.The number of critical and high-risk findings along with the average time to exploit them
D.A detailed step-by-step exploitation walkthrough of one critical vulnerability
AnswerC

This gives executives a clear, non-technical view of the most pressing issues and how quickly an attacker could take advantage of them.

Why this answer

Option C is correct because non-technical stakeholders (e.g., executives) need a high-level, risk-focused summary that communicates the severity and urgency of findings. The number of critical/high-risk findings directly indicates the most dangerous exposures, and the average time to exploit them conveys how quickly an attacker could compromise the environment. This metric translates technical risk into business impact, which is the core goal of an executive summary.

Exam trap

The trap here is that candidates often choose Option B (total vulnerabilities and average CVSS score) because CVSS is a familiar metric, but the exam tests the understanding that non-technical stakeholders need actionable, prioritized risk data (critical/high count and exploit time) rather than a statistically averaged score that can obscure severe findings.

How to eliminate wrong answers

Option A is wrong because listing all tools used (e.g., Nmap, Burp Suite, Metasploit) provides no insight into the security posture; it is operational detail irrelevant to non-technical stakeholders. Option B is wrong because the total number of vulnerabilities and their average CVSS score can be misleading—a low average CVSS score may hide many critical findings, and non-technical stakeholders need prioritization, not a diluted average. Option D is wrong because a detailed step-by-step exploitation walkthrough is too technical and granular for an executive summary; it belongs in the technical report, not in a high-level communication for non-technical readers.

29
MCQmedium

After a penetration test, the client's development team requests that the report include specific, actionable remediation steps for each vulnerability. Where in the report should this information be placed?

A.In the executive summary to emphasize the need for fixing vulnerabilities
B.In the appendix as a separate remediation checklist
C.Within the technical report section, under each vulnerability finding
D.In a separate document attached to the report to avoid cluttering the main report
AnswerC

Correct. Each vulnerability finding should include a remediation subsection that provides clear, actionable steps for the responsible team.

Why this answer

The correct placement for specific, actionable remediation steps is within the technical report section under each vulnerability finding. This aligns with industry best practices (e.g., PTES, OWASP) where each finding includes a description, risk rating, and a dedicated remediation subsection, ensuring developers have immediate context and clear steps without cross-referencing other sections.

Exam trap

The trap here is that candidates may think the executive summary or appendix is sufficient for remediation details, but the exam specifically tests that actionable steps must be embedded within each finding to ensure clear ownership and immediate applicability for the development team.

How to eliminate wrong answers

Option A is wrong because the executive summary is a high-level overview for management, not a place for detailed technical remediation steps; it should focus on business risk and strategic recommendations, not per-vulnerability fixes. Option B is wrong because placing remediation steps only in an appendix separates them from the vulnerability context, forcing developers to flip back and forth, which reduces clarity and increases the risk of misapplication. Option D is wrong because a separate document can be lost or overlooked, and the PT0-002 exam expects remediation to be integrated into the main report for traceability and completeness, not hidden in an attachment.

30
MCQeasy

Which of the following is the MOST appropriate format for delivering the final penetration test report to the client?

A.HTML file hosted on the tester's website.
B.Plain text file with no formatting.
C.Microsoft Word document with tracked changes.
D.PDF with password protection and digital signature.
AnswerD

PDF ensures integrity and non-repudiation.

Why this answer

Option D is correct because a password-protected, digitally signed PDF provides a secure, non-editable format that preserves formatting. Option C is wrong because Word documents can be easily altered. Option B is wrong because plain text files lack structure. Option A is wrong because HTML hosted on the tester's website may not be easily printable or secure.

31
MCQhard

A penetration tester is writing a report that includes a vulnerability with a CVSS score of 9.8. The client's security team argues that the score should be lower due to compensating controls. How should the tester respond in the report?

A.Report the base CVSS score and include a note about the compensating controls
B.Report both scores and let the client decide
C.Remove the CVSS score entirely to avoid disagreement
D.Adjust the CVSS score lower to reflect the client's compensating controls
AnswerA

Provides objective score plus context.

Why this answer

Option A is correct because the CVSS base score reflects the intrinsic characteristics of the vulnerability; the tester should include the base score and note the compensating controls, but allow the client to adjust the risk in their own risk management process. Option D is incorrect because the base score should not be changed arbitrarily; the tester's job is to report objectively, not to change scores to please the client. Option B is incorrect because reporting multiple scores can confuse the reader. Option C is incorrect because omitting the score to avoid disagreement is not objective reporting.

32
Multi-Selectmedium

Which TWO of the following are key components that should be included in an executive summary of a penetration test report? (Select TWO.)

Select 2 answers
A.Disclaimer of liability for the testing company.
B.Detailed step-by-step exploitation procedures.
C.Overall risk score or security posture rating.
D.High-level summary of findings and risk ratings.
E.Full command-line output from penetration testing tools.
AnswersC, D

Provides a quick understanding of the organization's security health.

Why this answer

Options C and D are correct. The executive summary should provide a high-level summary of findings and risk ratings, together with an overall risk score or security posture rating. Option B is detailed technical steps, not for executives. Option E (full command-line output) is also technical. Option A is a legal disclaimer, which is important but not a key summary component.

33
MCQmedium

A penetration tester is writing the technical report and needs to prioritize remediation recommendations. Which factor should be given the MOST weight when prioritizing?

A.The risk posed to the organization, considering likelihood and impact.
B.The number of systems affected by the vulnerability.
C.The CVSS base score of the vulnerability.
D.The ease of implementing the remediation.
AnswerA

Risk-based prioritization aligns with business needs.

Why this answer

Option A is correct because risk (likelihood and impact) is the standard basis for prioritization in penetration testing. Option D is wrong because ease of remediation is secondary to risk. Option B is wrong because the number of systems affected is only one component of risk. Option C is wrong because the CVSS base score alone does not consider the client's environment.

34
MCQmedium

A client asks why a medium-severity finding should be remediated before a high-severity finding. The medium finding is internet-facing and actively exploited; the high finding is isolated in a lab subnet. What is the best explanation?

A.Prioritization should account for exposure and active exploitation, not only the scanner severity.
B.Medium findings must always be fixed before high findings.
C.The high finding should be ignored permanently because it is in a lab.
D.Only CVSS base score matters for remediation order.
AnswerA

An internet-facing actively exploited issue may require faster action than an isolated lab finding.

Why this answer

Option A is correct because risk-based prioritization must consider real-world factors like internet exposure and active exploitation, not just the CVSS base score. A medium-severity finding that is internet-facing and actively exploited poses a higher immediate risk to the organization than a high-severity finding isolated in a lab subnet, which has no external attack surface. This aligns with industry frameworks like CVSS environmental metrics and the FIRST CVSS v3.1 specification, which allow adjusting severity based on attack vector, complexity, and environmental context.

Exam trap

The trap here is that candidates often assume CVSS base severity alone dictates remediation order, ignoring the critical role of environmental and temporal metrics, as well as business context like exposure and active exploitation.

How to eliminate wrong answers

Option B is wrong because it incorrectly states that medium findings must always be fixed before high findings, which ignores the context of exposure and active exploitation; remediation priority should be based on risk, not a fixed severity hierarchy. Option C is wrong because it suggests the high finding should be ignored permanently, but even isolated lab findings can be leveraged in lateral movement or indicate systemic weaknesses, and should be remediated based on risk, not ignored. Option D is wrong because it claims only CVSS base score matters, but CVSS provides environmental and temporal metrics that adjust severity for factors like exposure and active exploitation, which are critical for accurate prioritization.

35
MCQmedium

A penetration tester has completed the test and is writing the final report. The client's VP of Security requests a single-page summary that highlights the most critical risks and their business impact. Which section of the report should be expanded to satisfy this request while maintaining the integrity of the full report?

A.Executive Summary – should include high-level findings and risk ratings
B.Technical Findings – should include a risk matrix
C.Appendices – should include a condensed risk report
D.Methodology – should include a summary of attack paths
AnswerA

The executive summary is intended for decision-makers and should be concise, highlighting critical risks and business impact, which aligns with the VP's request.

Why this answer

The VP of Security needs a concise, business-focused overview of critical risks and their impact. The Executive Summary is the appropriate section to expand because it is designed to present high-level findings, risk ratings, and business context for non-technical stakeholders, preserving the full report's integrity by keeping detailed technical data in other sections.

Exam trap

The trap here is that candidates may think a risk matrix belongs in Technical Findings (Option B) because it involves technical scoring, but the exam tests that business-impact summaries are always placed in the Executive Summary to satisfy non-technical stakeholders.

How to eliminate wrong answers

Option B is wrong because the Technical Findings section contains detailed vulnerability descriptions, exploit steps, and evidence; expanding it with a risk matrix would clutter the technical detail and fail to provide the concise, business-oriented summary the VP needs. Option C is wrong because Appendices are supplementary reference materials (e.g., logs, tool outputs, configuration files); condensing a risk report there would bury critical information and not serve as a quick executive overview. Option D is wrong because the Methodology section describes the testing approach, tools, and attack paths used; summarizing attack paths there would not address business impact or risk prioritization, which is the VP's request.

36
MCQeasy

After completing a penetration test, a tester needs to dispose of test data securely. Which of the following methods is most appropriate for this purpose?

A.Delete the data using standard operating system commands
B.Use a secure data destruction tool that overwrites data multiple times
C.Format the storage device once
D.Keep the data encrypted for future reference
AnswerB

Ensures data is irrecoverable.

Why this answer

Option B is correct because secure data destruction, such as degaussing or a secure erase tool that overwrites the data multiple times, ensures the data cannot be recovered. Option A (deleting files with standard OS commands) leaves recoverable traces. Option C (formatting once) may not wipe all sectors. Option D (keeping the data indefinitely) violates data handling policies.

37
MCQmedium

A penetration tester has completed testing and identified several vulnerabilities: a critical SQL injection (CVSS 9.8), a medium stored XSS (CVSS 6.1), and a low self-signed certificate (CVSS 3.7). The client's security manager asks for a simplified way to prioritize remediation. Which of the following is the most effective approach for the tester to present the findings?

A.List all vulnerabilities in descending order of CVSS score only.
B.Provide a risk matrix that maps likelihood and impact for each finding.
C.Present only the critical SQL injection finding because it overshadows the others.
D.Calculate a single overall risk score for the entire engagement by averaging all CVSS scores.
AnswerB

A risk matrix allows the tester to rate each finding based on the likelihood of exploitation and the potential business impact. This gives the client a clear, actionable prioritization that accounts for their specific environment and risk tolerance.

Why this answer

Option B is correct because a risk matrix that maps likelihood and impact for each finding provides a more nuanced prioritization than raw CVSS scores alone. CVSS scores reflect intrinsic severity but do not account for the client's specific threat environment, asset criticality, or compensating controls. By presenting a risk matrix, the tester enables the security manager to make informed decisions based on the actual risk to the organization, which is the core goal of the reporting and communication domain in PT0-002.

Exam trap

The trap here is that candidates often assume CVSS scores are the definitive prioritization metric, but PT0-002 emphasizes that risk-based communication (using likelihood and impact) is the most effective approach for client remediation discussions.

How to eliminate wrong answers

Option A is wrong because listing vulnerabilities in descending order of CVSS score only ignores the context of likelihood and business impact, which can lead to misprioritization (e.g., a critical SQL injection on a non-critical server may be less urgent than a medium XSS on a public-facing application with sensitive user data). Option C is wrong because presenting only the critical SQL injection finding disregards the other vulnerabilities, which could be exploited in combination (e.g., chaining XSS with SQL injection) or pose significant risk in the client's specific environment. Option D is wrong because calculating a single overall risk score by averaging CVSS scores is statistically invalid and obscures the distinct severity levels of individual findings; a low-severity issue can dilute the critical finding, giving a false sense of security.

38
MCQeasy

After completing a penetration test, the client requests a one-page document that highlights the most critical vulnerabilities, overall risk level, and recommended next steps for management. Which deliverable should the penetration tester provide?

A.Executive summary
B.Technical report
C.Raw scan data
D.Remediation guide
AnswerA

The executive summary condenses the test results into a format suitable for management, focusing on business impact and top priorities.

Why this answer

The executive summary is the correct deliverable because it is specifically designed to provide a high-level overview of the most critical vulnerabilities, overall risk level, and recommended next steps for management. Unlike a technical report, it avoids deep technical jargon and focuses on business impact, aligning with the client's request for a concise one-page document.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, thinking management needs detailed evidence, when in fact the exam emphasizes that management requires a concise, risk-focused overview without technical depth.

How to eliminate wrong answers

Option B is wrong because a technical report is a detailed document that includes full attack chains, command outputs, and evidence, which is too lengthy and technical for a one-page management summary. Option C is wrong because raw scan data is unprocessed output from tools like Nmap or Nessus, lacking analysis, risk ratings, or actionable recommendations, and is not suitable for management. Option D is wrong because a remediation guide is a step-by-step technical document for fixing vulnerabilities, not a high-level summary of critical findings and risk levels for executive decision-making.

39
MCQmedium

A penetration tester has completed the test and is writing the findings section. For a critical vulnerability, the tester wants to provide a clear and actionable remediation recommendation. Which of the following is the best practice for writing this recommendation?

A.State 'Upgrade the software to the latest version'
B.Provide a step-by-step guide including commands, patches, and configuration changes
C.Recommend applying vendor-supplied patches but do not include specific versions
D.Suggest hiring a third-party consultant to fix the issue
AnswerB

This gives the client a clear path to remediation, reducing the chance of misinterpretation and ensuring the vulnerability is properly addressed.

Why this answer

Option B is correct because a penetration test report must provide actionable remediation that the client can implement immediately. A step-by-step guide with specific commands, patch identifiers, and configuration changes ensures the client can verify and apply the fix without ambiguity, which is critical for a high-severity vulnerability.

Exam trap

The trap here is that candidates often choose Option A or C because they seem efficient, but the exam emphasizes that a penetration test report must be actionable and specific, not generic or reliant on external parties.

How to eliminate wrong answers

Option A is wrong because stating 'Upgrade to the latest version' is too vague; it does not specify the exact version number, patch level, or any prerequisite steps, leaving room for misinterpretation or incomplete remediation. Option C is wrong because recommending vendor-supplied patches without specific version numbers fails to address the exact vulnerable component; the client may apply an outdated or incorrect patch, leaving the vulnerability unmitigated. Option D is wrong because suggesting a third-party consultant shifts responsibility without providing any technical guidance; the report should empower the client's own team to act, not defer action to an external party.

40
MCQmedium

After the penetration test, the client requests a one-page summary of the test's scope, key findings, and recommended next steps for the board of directors. Which document should the penetration tester provide?

A.Executive Summary
B.Detailed Technical Report
C.Vulnerability Scan Report
D.Remediation Plan
AnswerA

The executive summary is designed for leadership, offering a high-level view of the engagement's outcome and action items.

Why this answer

The executive summary is specifically designed to provide a high-level overview of the penetration test's scope, key findings, and recommended next steps for non-technical stakeholders like the board of directors. It distills complex technical details into business-focused language, enabling informed decision-making without requiring deep cybersecurity expertise.

Exam trap

The trap here is that candidates confuse the executive summary with the detailed technical report, assuming the board needs full technical evidence, when in fact the board requires a concise, business-impact-focused narrative that omits exploit details.

How to eliminate wrong answers

Option B is wrong because the detailed technical report contains in-depth exploit chains, raw logs, and system-level data that would overwhelm a board of directors and is intended for technical teams. Option C is wrong because a vulnerability scan report is an automated output listing CVEs and severity scores, lacking the manual exploitation context and business risk analysis required for a penetration test summary. Option D is wrong because a remediation plan focuses solely on step-by-step fix instructions for technical staff, omitting the scope and high-level findings needed for executive review.

41
MCQeasy

A penetration tester has discovered a critical SQL injection vulnerability in a web application. The developer team will fix the issue. Which level of detail is most appropriate for this audience?

A.Provide the CVSS score and a brief description.
B.Include the full proof-of-concept code and the exact HTTP requests used.
C.Describe the business impact in financial terms.
D.List all findings in a bullet-point summary without additional context.
AnswerB

This level of detail allows developers to reproduce the vulnerability step-by-step, identify the vulnerable code, and apply the correct fix.

Why this answer

Option B is correct because the developer team needs the exact technical details to reproduce and fix the vulnerability. Providing the full proof-of-concept code and exact HTTP requests allows developers to understand the injection point, the payload structure, and the vulnerable parameter, enabling them to implement a precise fix such as parameterized queries or input validation.

Exam trap

The trap here is that candidates may choose a high-level summary (like CVSS score or business impact) thinking it is sufficient for all audiences, but the PT0-002 exam emphasizes tailoring the level of detail to the recipient's role—developers need technical specifics to remediate, not just risk scores or financial context.

How to eliminate wrong answers

Option A is wrong because a CVSS score and brief description provide only a severity rating and high-level summary, which lacks the technical specifics (e.g., vulnerable parameter, injection syntax) developers need to remediate the SQL injection. Option C is wrong because describing business impact in financial terms is relevant for management or stakeholders, not for developers who require technical details to fix the code. Option D is wrong because a bullet-point summary without context omits critical information like the exact HTTP requests, payloads, and vulnerable endpoints, leaving developers without enough detail to reproduce or patch the vulnerability.

42
Multi-Selecthard

Which THREE of the following are best practices for writing a penetration test report?

Select 3 answers
A.Organize findings by severity and likelihood
B.Include a glossary of terms for non-technical readers
C.Use technical jargon to demonstrate expertise
D.Provide clear remediation steps for each finding
E.Include all vulnerabilities discovered even if they are duplicates or false positives
AnswersA, B, D

Prioritizing findings helps the client focus on the most critical risks first.

Why this answer

Options A, B, and D are correct. Organizing findings by severity and likelihood (A) improves readability and prioritization. A glossary (B) aids non-technical readers. Clear remediation steps for each finding (D) help the client fix issues. Option E is wrong because duplicates and false positives should be filtered out. Option C is wrong because excessive jargon hinders communication.

43
MCQhard

During a penetration test for a financial institution, the tester discovers that a third-party vendor's system is vulnerable and could expose customer PII. The tester is unsure if the vendor is within scope. How should the tester proceed?

A.Perform additional testing on the vendor system to confirm the vulnerability
B.Ignore the finding since it is out of scope
C.Include the vulnerability in the final report as a high-risk finding
D.Communicate with the client to clarify whether the vendor is in scope
AnswerD

Clarifies boundaries before reporting.

Why this answer

Option D is correct because the tester should immediately contact the client to clarify scope; reporting an out-of-scope finding could violate boundaries. Option A is wrong because the tester should not test systems that may be out of scope; additional testing is premature and could cause legal issues. Option B is wrong because ignoring the finding is too passive.

Option C is wrong because reporting the finding before scope is confirmed could violate engagement boundaries.

44
MCQeasy

A penetration tester is preparing the executive summary of a penetration test report. Which of the following BEST describes the primary audience and appropriate level of technical detail?

A.A narrative of the testing methodology for other penetration testers.
B.High-level findings and business impact for management and executives.
C.Detailed technical analysis for system administrators.
D.Step-by-step exploitation procedures for developers.
AnswerB

Executives need a summary of risks and business implications without technical jargon.

Why this answer

Option B is correct because the executive summary targets non-technical stakeholders who need a high-level overview of risks and business impact. Option A is wrong because the audience is not primarily the testers. Option C is wrong because the summary should avoid deep technical details.

Option D is wrong because the executive summary is not for technical staff such as developers.

45
MCQeasy

After completing a penetration test, the client's board of directors requests a document that provides a high-level overview of the test's objectives, key findings, and business impact. Which section of the standard penetration testing report should be produced for this audience?

A.Executive Summary
B.Technical Findings Section
C.Methodology Section
D.Appendix with Logs
AnswerA

The executive summary is the appropriate section for a non-technical audience to understand overall risk and impact.

Why this answer

The executive summary is the section of a penetration testing report designed for non-technical stakeholders, such as the board of directors. It provides a high-level overview of the test's objectives, key findings, and business impact, avoiding technical jargon and focusing on risk and remediation priorities. This aligns with the PT0-002 objective of tailoring communication to the audience.

Exam trap

The trap here is that candidates confuse the 'Executive Summary' with the 'Technical Findings Section,' thinking the board needs detailed exploit proof-of-concepts, when in fact the board requires only business-level risk context and strategic recommendations.

How to eliminate wrong answers

Option B is wrong because the Technical Findings Section contains detailed vulnerability descriptions, exploit steps, and raw data (e.g., CVSS scores, CVE references) that are too technical for a board-level audience. Option C is wrong because the Methodology Section describes the tools and techniques used (e.g., Nmap scanning, Metasploit modules), which is operational detail irrelevant to business impact. Option D is wrong because the Appendix with Logs includes raw output (e.g., packet captures, system logs) that is only useful for technical remediation teams, not for high-level decision-making.

46
Matchingmedium

Match each evasion technique to its description.


Splitting packets to evade IDS/IPS

Converting payload to bypass signature detection

Faking source IP to hide origin

Routing traffic through multiple proxies

Delaying requests to avoid rate limiting

Why these pairings

Evasion techniques help penetration testers bypass security controls.

47
MCQeasy

A penetration tester is finalizing a report. Which section should include a detailed technical explanation of how each vulnerability was exploited?

A.Executive Summary
B.Findings and Recommendations
C.Methodology
D.Appendix
AnswerB

This section contains detailed technical information about each vulnerability, including how it was exploited.

Why this answer

The Findings and Recommendations section is the correct place for detailed technical explanations of how each vulnerability was exploited because it provides the technical audience (e.g., system administrators, developers) with the step-by-step attack chain, including specific commands, payloads, and tools used. This section bridges the gap between raw scan data and actionable remediation, ensuring that the technical team can reproduce and verify the findings. The Executive Summary is too high-level for this detail, and the Methodology section describes the overall approach, not per-vulnerability exploitation steps.

Exam trap

The trap here is that candidates confuse the Methodology section (which describes the overall testing process) with the per-vulnerability exploitation details, leading them to incorrectly select Methodology instead of Findings and Recommendations.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is intended for non-technical stakeholders (e.g., executives, management) and should only contain a high-level overview of risks, business impact, and key metrics—not detailed exploitation steps. Option C is wrong because the Methodology section describes the overall testing approach, tools, and scope (e.g., whether black-box or white-box testing was used), but it does not break down the specific exploitation steps for each individual vulnerability.

48
MCQmedium

A client review of a penetration test report reveals confusion about why a particular vulnerability exists. The client's security engineer wants to understand the root cause and the exact steps to reproduce the issue. Which section of the report should the tester point the engineer to?

A.Executive Summary
B.Technical Findings
C.Methodology
D.Risk Rating Appendix
AnswerB

This section includes in-depth vulnerability descriptions, root cause analysis, reproduction steps, and remediation guidance.

Why this answer

The Technical Findings section provides the detailed, step-by-step reproduction steps and root cause analysis that the security engineer needs. This section includes specific commands, payloads, and configurations that led to the vulnerability, enabling the engineer to understand and verify the issue. The Executive Summary and Methodology sections do not contain this level of technical detail.

Exam trap

The trap here is that candidates confuse the purpose of the Methodology section (which describes the testing process) with the Technical Findings section (which contains the actual vulnerability details and reproduction steps).

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview intended for non-technical stakeholders, summarizing business risks and key findings without providing reproduction steps or root cause details. Option C is wrong because the Methodology section describes the overall testing approach, tools, and scope, but does not include the specific vulnerability reproduction steps or root cause analysis.

49
MCQeasy

A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?

A.Detailed list of all ports and services found
B.CVSS scores for every vulnerability
C.A high-level summary of the overall risk and key findings
D.Raw tool output from vulnerability scans
AnswerC

This provides the essential overview that executives need to understand the test's outcome and make informed decisions.

Why this answer

C is correct because the executive summary is intended for a non-technical audience, such as senior management or stakeholders, who need a concise overview of the organization's security posture. A high-level summary of the overall risk and key findings communicates the business impact and strategic priorities without overwhelming them with technical details. This aligns with the PT0-002 objective of tailoring communication to the audience, ensuring the report drives decision-making rather than technical analysis.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, assuming that including raw data like port lists or CVSS scores demonstrates thoroughness, when in fact the exam tests the ability to tailor content to the audience's technical level.

How to eliminate wrong answers

Option A is wrong because a detailed list of all ports and services found is too granular for a non-technical audience; it belongs in the technical findings or appendices, where system administrators can act on it. Option B is wrong because CVSS scores for every vulnerability are numerical metrics that require context to interpret; non-technical readers may not understand the scoring methodology or its implications, and presenting all scores without prioritization can obscure the overall risk picture.

50
Multi-Selectmedium

Which THREE of the following are best practices when communicating findings to stakeholders during a penetration test?

Select 3 answers
A.Share raw exploit code and logs without sanitization
B.Provide regular status updates to the client point of contact
C.Always include full technical details in every communication
D.Notify the client immediately upon discovering a critical vulnerability
E.Adjust the level of technical detail based on the audience
AnswersB, D, E

Keeps client informed.

Why this answer

Options B, D, and E are correct. Regular status updates (B) keep stakeholders informed. Immediate notification of critical findings (D) allows timely action.

Tailoring communication to the audience (E) ensures understanding. Option A is wrong because evidence should be sanitized, not shared raw. Option C is wrong because technical details may be omitted for a non-technical audience.

51
MCQeasy

A penetration tester is writing the findings section of a report. The tester identified a critical SQL injection vulnerability that allows extraction of the entire customer database. The client's technical team has already remediated the issue. How should the tester present this finding to ensure clarity and usefulness?

A.Include the vulnerability with the risk rating, a brief description, and a note that it was remediated during the test
B.Exclude the vulnerability from the report because it has already been fixed
C.Document the vulnerability in full, including reproduction steps, impact, and evidence, and note the remediation status
D.Reduce the risk rating of the vulnerability because it has been fixed, and include it in an appendix
AnswerC

This approach ensures the report is complete and useful for the client's records, compliance, and future prevention. The remediation status provides closure.

Why this answer

Option C is correct because penetration testing standards (e.g., PTES, OWASP) require full documentation of all findings regardless of remediation status. Including reproduction steps, impact analysis, and evidence ensures the report serves as a permanent record for compliance, audit, and future reference. Noting the remediation status provides clear context that the issue has been resolved, which is critical for stakeholders who need to verify the fix.

Exam trap

The trap here is that candidates mistakenly think remediated vulnerabilities should be omitted or minimized, but the PT0-002 exam expects full documentation to maintain report integrity and support post-remediation validation.

How to eliminate wrong answers

Option A is wrong because it omits essential technical details such as reproduction steps and evidence, which are necessary for validating the remediation and for legal/regulatory compliance. Option B is wrong because excluding a remediated vulnerability violates reporting best practices and can lead to incomplete audit trails, making it impossible to prove the issue was ever addressed.

52
MCQhard

After completing a penetration test, the lead tester is preparing the executive summary. The client's CISO wants to understand the business impact of a critical vulnerability found in the customer-facing web application. Which of the following is the BEST way to convey this in the report?

A.List the CVSS score and exploitability metrics
B.Describe the attack scenario and potential financial loss
C.Provide the raw log entries showing the exploitation
D.Recommend a specific patch version
AnswerB

Correct. This explains the real-world consequences in business terms, which is most relevant for an executive summary.

Why this answer

Option B is correct because the executive summary must communicate business risk, not technical details. Describing the attack scenario and potential financial loss directly addresses the CISO's need to understand the business impact, such as revenue loss from a data breach or regulatory fines. This aligns with the PT0-002 objective of tailoring reports to the audience, where executives require risk context rather than exploit mechanics.

Exam trap

The trap here is that candidates confuse technical severity (CVSS) with business impact, assuming a high CVSS score inherently conveys business risk, but the CISO explicitly needs the financial and operational consequences, not just the score.

How to eliminate wrong answers

Option A is wrong because listing the CVSS score and exploitability metrics provides a technical severity rating but does not translate that into business impact (e.g., dollar amounts or reputational harm), which the CISO specifically requested. Option C is wrong because providing raw log entries showing exploitation is operational evidence for technical teams, not a summary for executive decision-making; it fails to convey the broader business consequences.

53
Drag & Dropmedium

Drag and drop the steps to perform a man-in-the-middle (MITM) attack using ARP spoofing with Bettercap into the correct order.


Why this order

ARP spoofing MITM requires enabling forwarding, spoofing both target and gateway, then capturing traffic.

54
MCQeasy

A penetration tester needs to describe a stored XSS vulnerability to a web developer who will fix it. Which level of detail is most appropriate for this audience?

A.Provide the CVSS score and risk rating.
B.Describe the business impact and potential regulatory fines.
C.Include the specific vulnerable URL, the request parameters, the payload used, and a code snippet for proper output encoding.
D.Use a graph showing the number of vulnerabilities by severity across the application.
AnswerC

This level of detail gives the developer everything needed to reproduce the vulnerability and apply the correct fix. It is precise and actionable.

Why this answer

Option C is correct because a web developer needs precise, actionable technical details to remediate the vulnerability: the exact URL, request parameters, the payload that triggered the stored XSS, and a code snippet showing proper output encoding (e.g., using OWASP ESAPI or context-specific escaping). This level of detail enables the developer to locate the vulnerable code, understand the injection point, and apply the correct fix without ambiguity.

Exam trap

The trap here is that candidates confuse the audience's needs: they may pick business impact (Option B) for a developer, but developers require technical details (Option C) to actually fix the code, not just awareness of consequences.

How to eliminate wrong answers

Option A is wrong because a CVSS score and risk rating provide a severity metric but no technical specifics about the vulnerable endpoint, input vector, or remediation steps, which a developer needs to fix the code. Option B is wrong because describing business impact and regulatory fines addresses management concerns but omits the technical details (e.g., the vulnerable parameter, payload, or encoding fix) required for a developer to remediate the stored XSS vulnerability.

55
MCQmedium

The client's development team needs to reproduce a cross-site scripting (XSS) vulnerability discovered during the penetration test. They require the exact payload and step-by-step instructions. Which deliverable should the tester provide to meet this need?

A.Executive Summary
B.Detailed Vulnerability Report with reproduction steps
C.Rules of Engagement
D.Risk Assessment Matrix
AnswerB

This deliverable provides the technical depth required by the development team to understand and fix the vulnerability.

Why this answer

The correct answer is B because the development team needs the exact payload and step-by-step instructions to reproduce the XSS vulnerability. A Detailed Vulnerability Report with reproduction steps provides the precise technical details, including the payload string, input vectors, and browser behavior, enabling the team to replicate the issue in their environment. This aligns with the PT0-002 objective of delivering actionable findings for remediation.

Exam trap

The trap here is that candidates may confuse the Executive Summary (Option A) with a deliverable that contains technical details, but the exam expects you to know that reproduction steps belong in the detailed vulnerability report, not in a summary document.

How to eliminate wrong answers

Option A is wrong because an Executive Summary is a high-level overview for management, lacking the specific payload and step-by-step reproduction instructions needed by the development team. Option C is wrong because the Rules of Engagement define the scope, authorization, and constraints of the penetration test, not the technical details of a discovered vulnerability.

56
MCQhard

Refer to the exhibit. A penetration tester is presenting this finding to a non-technical executive. Which improvement should be made to the description?

A.Include the CVSS vector
B.List the exact database tables affected
C.Add a proof-of-concept screenshot
D.Describe the business impact in plain language
AnswerD

Translating technical impact into business terms (e.g., financial, reputational risk) is essential for executive communication.

Why this answer

Describing the business impact in plain language helps executives understand the risk without technical jargon.

57
MCQeasy

A penetration tester needs to provide a metric that communicates the financial risk of the identified vulnerabilities to the client's CFO. Which metric is most appropriate?

A.Annual Loss Expectancy (ALE).
B.CVSS base score.
C.Number of critical findings.
D.Technical difficulty of exploitation.
AnswerA

ALE expresses risk in financial terms, allowing the CFO to understand potential monetary impact and prioritize remediation spending.

Why this answer

Annual Loss Expectancy (ALE) is the most appropriate metric for communicating financial risk to a CFO because it quantifies the expected monetary loss per year from a vulnerability, calculated as ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO). This directly translates technical risk into financial terms, enabling informed budget decisions for remediation. CVSS base scores and critical finding counts lack a financial dimension, making them unsuitable for executive-level risk communication.

Exam trap

CompTIA often tests the misconception that technical severity scores (like CVSS) are sufficient for executive reporting, but the trap here is that financial risk requires a dollar-based metric like ALE, not a technical or count-based measure.

How to eliminate wrong answers

Option B is wrong because CVSS base score is a technical severity metric (0-10) based on exploitability and impact factors, not a financial measure; it does not incorporate asset value or loss frequency, so it cannot express monetary risk to a CFO. Option C is wrong because the number of critical findings is a raw count of high-severity vulnerabilities without any financial context; it ignores asset valuation, likelihood of exploitation, and potential loss, making it irrelevant for financial risk communication.

58
MCQeasy

A penetration tester is preparing a report for a client. The client's C-suite executives need a high-level overview of the engagement results without technical jargon. Which section of the report is most appropriate for this audience?

A.Executive summary
B.Technical findings and remediation steps
C.Appendices with raw scan data
D.Methodology section
AnswerA

Provides high-level overview suitable for C-suite.

Why this answer

Option A is correct because the executive summary is designed for non-technical stakeholders, providing a high-level overview of findings and recommendations. Option B (technical findings and remediation steps) contains detailed technical explanations not suitable for executives. Option D (methodology section) describes the testing approach, which is not a priority for executives.

Option C (appendices with raw scan data) contains raw data that is not summarized.

59
Multi-Selectmedium

Which TWO of the following are appropriate ways to handle sensitive data discovered during a penetration test when producing the final report? (Select TWO.)

Select 2 answers
A.Include the raw sensitive data in an appendix with restricted distribution.
B.Encrypt the report with a strong password and email it to all stakeholders.
C.Label the entire report as 'Sensitive' and leave data unaltered.
D.Securely delete any copies of sensitive data after the report is delivered.
E.Redact or mask the sensitive data in the report.
AnswersD, E

This follows data minimization principles.

Why this answer

Options D and E are correct. Sensitive data should be sanitized in the report, that is, redacted or masked (E), and any retained copies should be securely destroyed after the report is delivered (D). Option A is wrong because including raw data, even in a restricted appendix, increases risk.

Option B is wrong because secure transmission is about delivery, not report content. Option C is wrong because labeling the report is not a handling method for the data itself.

60
MCQmedium

A penetration test report includes a finding about a SQL injection vulnerability in a public-facing web application. Which section of the report would be the MOST appropriate place to provide step-by-step remediation instructions for the development team?

A.Executive Summary
B.Risk Assessment
C.Technical Findings
D.Appendices
AnswerC

This section is where remediation steps for each finding should be documented for the development team.

Why this answer

Option C is correct because the Technical Findings section of a penetration test report is designed to provide detailed, step-by-step remediation instructions for technical audiences, such as the development team. This section includes specific code-level fixes, parameterized query examples, and input validation techniques to address the SQL injection vulnerability, ensuring the team can implement precise changes.

Exam trap

Cisco often tests the distinction between report sections by making candidates confuse the high-level Executive Summary with the detailed Technical Findings, especially when the question emphasizes 'step-by-step remediation' for a technical team.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is intended for non-technical stakeholders (e.g., management) and provides a high-level overview of risks and business impact, not granular remediation steps. Option B is wrong because the Risk Assessment section focuses on the likelihood, impact, and severity rating of findings (e.g., CVSS scores), not on how to fix the vulnerability technically.

61
MCQeasy

A penetration tester is preparing the executive summary of a report for a client's board of directors. Which of the following metrics would be MOST valuable for this audience to understand the overall security posture?

A.The exact CVSS score for each vulnerability found
B.A heat map showing the number of vulnerabilities by severity (Critical, High, Medium, Low)
C.A detailed list of commands used during exploitation
D.The names of the operating systems and applications that were tested
AnswerB

This provides a quick, visual representation of the overall security posture and is easily understood by non-technical stakeholders.

Why this answer

The board of directors needs a high-level, risk-based overview of the security posture, not technical details. A heat map with vulnerability counts by severity (Critical, High, Medium, Low) provides an immediate visual representation of risk distribution, enabling strategic decisions without requiring technical expertise. This aligns with the PT0-002 objective of tailoring reporting to the audience.

Exam trap

The trap here is that candidates may think exact CVSS scores (Option A) are more precise and therefore more valuable, but the board needs actionable risk summaries, not technical precision.

How to eliminate wrong answers

Option A is wrong because exact CVSS scores (e.g., 7.5) are too granular for a board audience; they require context and are better suited for technical remediation teams. Option C is wrong because a detailed list of commands used during exploitation is operational data for technical staff, not strategic information for executives, and would obscure the overall risk picture.

62
MCQmedium

After a penetration test, the client's development team requires detailed, step-by-step instructions to reproduce a SQL injection vulnerability found in the user login functionality. In which section of the standard penetration testing report should this information be included?

A.Executive Summary
B.Technical Findings
C.Recommendations
D.Risk Rating
AnswerB

This section contains detailed information about each vulnerability, including steps to reproduce, proof of concept, and technical impact.

Why this answer

The Technical Findings section is the correct location because it provides detailed, step-by-step reproduction steps for vulnerabilities, including the exact SQL injection payloads, input fields, and HTTP request parameters used to exploit the login functionality. This section is intended for technical audiences (e.g., developers) who need to understand and remediate the issue, not for high-level summaries or general advice.

Exam trap

The trap here is that candidates often confuse the purpose of the Recommendations section, thinking it should include step-by-step reproduction steps, when in fact it only contains high-level remediation guidance, while the Technical Findings section is the proper place for detailed exploitation procedures.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, containing business impact, risk ratings, and strategic recommendations, not step-by-step technical reproduction instructions. Option C is wrong because the Recommendations section provides high-level remediation advice (e.g., 'use parameterized queries') but does not include the detailed, step-by-step reproduction steps needed by the development team to verify and fix the specific vulnerability.

63
MCQmedium

You are writing the final report for a penetration test. The client has requested that the report be delivered in an encrypted format. Additionally, the client wants to include raw screenshots and command outputs for evidence. The tester has captured screenshots that show user credentials in clear text from a successful phishing attack. What is the BEST way to handle this?

A.Exclude the evidence and only describe the finding
B.Redact or obfuscate the credentials in the screenshots before including them
C.Provide the screenshots in a separate unencrypted file
D.Include the raw screenshots as requested
AnswerB

This preserves the evidence while protecting sensitive information.

Why this answer

Option B is correct. Redacting or obfuscating sensitive data such as credentials protects confidentiality while still providing evidence. Option A is wrong because removing the evidence may weaken the report's credibility.

Option C is wrong because unencrypted delivery defeats the purpose of encryption and exposes data. Option D is wrong because including credentials in raw screenshots violates data protection best practices.

64
Multi-Selecthard

Which THREE of the following are important elements to include in the remediation section of a penetration test report? (Select THREE.)

Select 3 answers
A.Priority levels (e.g., Critical, High, Medium) based on risk.
B.A list of all external parties notified about the vulnerabilities.
C.Step-by-step instructions to fix each vulnerability.
D.CVE identifiers or references to industry best practices.
E.Detailed timeline of when each finding was discovered.
AnswersA, C, D

Prioritization guides the client on what to fix first.

Why this answer

Options A, C, and D are correct. Remediation should include specific steps, reference to industry standards, and priority based on risk. Option B is not a standard part of remediation; it's for methodology.

Option E is about disclosure, not remediation.

65
MCQeasy

After completing a penetration test, you present the findings to the client's technical team. During the debrief meeting, the technical lead argues that one of the identified vulnerabilities is not exploitable in their environment and should be removed from the report. The evidence you have shows it is exploitable. What is the BEST response?

A.Immediately remove the finding to maintain good client relations
B.Challenge the technical lead and insist it stays
C.Document the disagreement and include both perspectives in the report
D.Offer to demonstrate the exploit to confirm
AnswerC

This provides transparency and allows the client to evaluate the risk based on both views.

Why this answer

Option C is correct. The best practice is to document the disagreement and include both perspectives, allowing the client to make an informed decision. Option A is wrong because removing the finding compromises the report's accuracy.

Option B is wrong because it may escalate conflict without a constructive outcome. Option D is wrong because demonstrating exploits during a debrief may not be appropriate or feasible.

66
MCQhard

During a penetration test, a tester identifies a critical SQL injection vulnerability. The client remediates the issue, but a retest reveals the same vulnerability in a different module of the application. How should the tester present this information in the final report to best communicate recurring risks?

A.List each instance as a separate finding with its own risk rating.
B.Increase the CVSS score of the second finding to reflect the repeated issue.
C.Note that the vulnerability was successfully remediated earlier and reappeared, so it is now considered a new finding.
D.Document the recurrence and recommend a root-cause analysis and secure coding training to prevent future regressions.
AnswerD

This provides a comprehensive view of the problem and offers strategic remediation advice.

Why this answer

Option D is correct because it addresses the root cause of the recurrence rather than treating each instance as an isolated event. By recommending a root-cause analysis and secure coding training, the tester helps the client prevent future regressions across the entire codebase, which is the core goal of a penetration test report. This aligns with the PT0-002 objective of providing actionable remediation guidance beyond simply listing vulnerabilities.

Exam trap

The trap here is that candidates may think treating each recurrence as a separate or escalated finding is more thorough, but the exam emphasizes that the report should drive systemic improvement rather than just cataloging symptoms.

How to eliminate wrong answers

Option A is wrong because listing each instance as a separate finding with its own risk rating would inflate the risk count without addressing the underlying systemic issue, leading to a fragmented and less actionable report. Option B is wrong because increasing the CVSS score of the second finding is not a valid practice; CVSS scores are based on the intrinsic characteristics of a vulnerability, not on the history of its recurrence. Option C is wrong because noting the vulnerability as a new finding ignores the fact that it is a regression of a previously fixed issue, which should trigger a deeper investigation into why the fix failed, not simply be treated as a brand-new finding.

67
MCQmedium

A penetration tester has completed the test and is preparing the final report. The client requested a risk rating for each vulnerability. Which of the following frameworks is MOST commonly used to standardize vulnerability severity ratings in penetration testing reports?

A.OWASP Top 10
B.CVSS
C.CVE
D.NIST SP 800-115
AnswerB

Correct. CVSS provides a standardized and widely accepted severity score for vulnerabilities.

Why this answer

CVSS (Common Vulnerability Scoring System) is the industry-standard framework for assigning numeric severity scores (0-10) to vulnerabilities based on metrics like attack vector, complexity, and impact. Penetration testers use CVSS scores to provide consistent, quantitative risk ratings that clients can compare across findings. OWASP Top 10 is a list of web application risk categories, not a scoring system, and CVE is a vulnerability identifier database, not a rating framework.

Exam trap

The trap here is that candidates confuse OWASP Top 10 (a risk categorization list) with a scoring framework, or mistake CVE (an identifier system) for a severity rating system, when CVSS is the only option that provides a standardized numerical severity scale for individual vulnerabilities.

How to eliminate wrong answers

Option A is wrong because OWASP Top 10 is a periodic awareness document that ranks broad categories of web application security risks (e.g., injection, broken authentication), not a framework for assigning individual vulnerability severity scores. Option C is wrong because CVE (Common Vulnerabilities and Exposures) is a dictionary of unique identifiers for publicly known vulnerabilities, with no scoring or rating mechanism—it simply names and describes the flaw.

68
MCQmedium

A penetration tester discovers that a previously reported vulnerability from a prior test has not been remediated. How should this be communicated in the current report?

A.Only mention it in the executive summary, referencing the past report.
B.Include it as a recurring finding and note the lack of remediation.
C.Omit the finding to avoid repetition.
D.Reduce the severity rating because it was already reported.
AnswerB

This provides accountability and highlights the need for action.

Why this answer

Option B is correct because penetration testing standards (e.g., PTES, OWASP) require that previously identified vulnerabilities that remain unpatched be documented as recurring findings with explicit reference to the prior report. This ensures the client understands the risk persists and can track remediation progress over time. Including the finding with a note on lack of remediation maintains the integrity of the current risk assessment and supports compliance with reporting frameworks like NIST SP 800-115.

Exam trap

The trap here is that candidates mistakenly think repeating a finding is redundant or that the executive summary is sufficient, but CompTIA expects the finding to be fully documented in the technical body of the report with a clear note on recurrence.

How to eliminate wrong answers

Option A is wrong because relegating a recurring vulnerability solely to the executive summary omits the technical details, evidence, and risk context needed for the technical audience to act on the finding. Option C is wrong because omitting the finding violates the principle of full disclosure and could lead to legal liability if the client assumes the vulnerability was fixed. Option D is wrong because reducing the severity rating based solely on prior reporting is a logical fallacy; the risk to the environment remains unchanged unless compensating controls have been verified.

69
MCQmedium

A penetration tester is conducting an internal network test. During the engagement, the tester discovers a critical vulnerability that could be exploited to gain domain admin privileges. According to best practices, how should the tester communicate this finding to the client?

A.Immediately notify the client's point of contact via a secure channel
B.Only communicate it if the client asks for a status update
C.Wait until the end of the test to include it in the formal report
D.Exploit the vulnerability to demonstrate impact and then fix it before reporting
AnswerA

Timely communication of critical risks is essential.

Why this answer

Option A is correct because critical findings should be communicated immediately to allow the client to take urgent action, rather than waiting for the formal report. Option B is too slow. Option C delays communication.

Option D is inappropriate as testers should not remediate without authorization.

70
MCQhard

Refer to the exhibit. A penetration tester used a vulnerability scanner and obtained the above result. What is the BEST way to represent this finding in the report to ensure the client can reproduce and fix it?

A.Include only the URL and parameter name.
B.Include the full request with the exact payload and evidence.
C.Provide the exact error message from the database.
D.List the vulnerability scanner used and its version.
AnswerB

This allows the client to replicate the issue and test the fix.

Why this answer

Option B is correct because the report should include the full request details, including the exact payload and the evidence of exploitation; that is what lets the client reproduce the issue and verify the fix. Option A is wrong because the URL and parameter name alone are not enough to show exploitation. Option D is wrong because the scanner name and version do not help the client reproduce the finding.

Option C is wrong because the database error message is supporting evidence, not a reproducible finding on its own.

71
MCQeasy

A penetration tester has submitted the final report to the client. The client's legal team requests a separate document that describes the methodology used, but does not include any actual findings or sensitive data. Which type of document should the tester provide?

A.A new executive summary that omits the findings
B.A copy of the technical findings with redacted details
C.A document describing the testing methodology and scope
D.The remediation plan without the exploit steps
AnswerC

This document covers the 'how' and 'what' of the test without any vulnerability details, suitable for legal review.

Why this answer

The client's legal team specifically requested a document describing the methodology used without any actual findings or sensitive data. Option C, a document describing the testing methodology and scope, directly fulfills this requirement by providing a high-level overview of the penetration testing approach, tools, and boundaries, while excluding all findings, evidence, and sensitive client data. This type of document is often called a 'Methodology Statement' or 'Scope of Work' and is commonly used for legal or compliance purposes to demonstrate due diligence without exposing risk details.

Exam trap

The trap here is that candidates confuse the purpose of an executive summary (which summarizes findings) with a methodology-only document, leading them to choose Option A, but the legal team explicitly wants no findings or sensitive data, making a pure methodology document the only correct choice.

How to eliminate wrong answers

Option A is wrong because an executive summary, by definition, includes a high-level overview of the findings and risk ratings, which the legal team explicitly asked to omit. Option B is wrong because a copy of the technical findings with redacted details still contains sensitive data (even if redacted, the underlying structure and context of findings remain), and the legal team requested a document that does not include any actual findings or sensitive data at all.

72
MCQhard

After a penetration test, the client requests that the tester remove certain findings from the final report because they reveal sensitive information about a new product. What is the BEST response from the tester?

A.Agree to remove the findings but note in the report that they were omitted.
B.Remove the findings entirely and do not mention them.
C.Refuse to remove the findings and threaten to disclose them publicly.
D.Insist on including the findings but obfuscate the sensitive details.
AnswerA

This maintains transparency while respecting client wishes.

Why this answer

Option A is correct because the client owns the data and can decide what is included, but the tester should ensure the report still accurately reflects the risk by noting that findings were omitted at the client's request. Option C is wrong because refusing to cooperate and threatening public disclosure could damage the relationship and breach the engagement agreement. Option D is wrong because the client has the right to manage their own information, so insisting on inclusion disregards that right.

Option B is wrong because silently omitting findings undermines the report's integrity; instead, document the decision.

73
MCQhard

After completing a penetration test, the client's technical team requests a document that provides step-by-step reproduction instructions for each vulnerability, including exact payloads, tools used, and screenshots. Which deliverable BEST satisfies this requirement?

A.Executive Summary
B.Technical Findings Report
C.Remediation Guide
D.Vulnerability Scanner Output
AnswerB

This section contains detailed descriptions, CVSS scores, step-by-step reproduction instructions, payloads, and evidence for each vulnerability, making it suitable for the development team.

Why this answer

The Technical Findings Report (Option B) is the correct deliverable because it is specifically designed to provide granular, step-by-step reproduction steps, exact payloads, tool commands, and screenshots for each vulnerability. This level of detail is essential for the client's technical team to validate and remediate the findings, aligning with the PT0-002 objective of producing a comprehensive technical report that supports evidence-based remediation.

Exam trap

The trap here is that candidates often confuse the Technical Findings Report with the Remediation Guide, mistakenly thinking that remediation steps include reproduction details, but the PT0-002 exam emphasizes that the Technical Findings Report is the only deliverable that provides the exact payloads and step-by-step reproduction instructions required for technical validation.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview intended for management, containing no step-by-step reproduction instructions, payloads, or screenshots; it focuses on risk ratings and business impact, not technical replication. Option C is wrong because the Remediation Guide focuses on fixing vulnerabilities (e.g., patching, configuration changes) and does not include reproduction steps, exact payloads, or tool commands; its purpose is to guide remediation, not to validate findings through replication.

74
Matchingmedium

Match each scanning technique to its description.

Descriptions

Sends SYN packet, waits for SYN-ACK, then RST
Completes full TCP three-way handshake
Sends UDP packets to determine open ports
Used to map firewall rulesets
Sends packets with FIN, PSH, URG flags set

Why these pairings

Scanning techniques are fundamental to network reconnaissance in penetration testing.

75
MCQeasy

A penetration tester is preparing the final report. The client's IT director wants a high-level overview of the test results, including the number of findings and the overall risk rating. Which section of the report should the tester point to?

A.Executive summary
B.Technical findings
C.Methodology
D.Recommendations
AnswerA

The executive summary contains a concise high-level overview for management.

Why this answer

The executive summary is specifically designed to provide a high-level overview for management and non-technical stakeholders, such as the IT director. It summarizes the number of findings, overall risk rating, and key business impacts without delving into technical details, making it the correct section for this request.

Exam trap

The trap here is that candidates often confuse the 'executive summary' with the 'technical findings' section, mistakenly thinking a high-level overview belongs in the detailed technical results, but the exam expects you to recognize that management-focused summaries are always in the executive summary.

How to eliminate wrong answers

Option B is wrong because the technical findings section contains detailed vulnerability descriptions, proof-of-concept code, and remediation steps, which is too granular for a high-level overview. Option C is wrong because the methodology section describes the testing approach, tools, and scope, not the summary of results or risk ratings.
