Question 162 of 509
Reporting and CommunicationeasyMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is a high-level overview of the most critical vulnerabilities and their potential business impact. This choice is correct because the executive summary for non-technical stakeholders, such as a CEO, must translate technical risk into business language, focusing on how findings affect revenue, compliance, or reputation rather than on exploit details or CVSS scores. On the CompTIA PenTest+ PT0-002 exam, this question tests your understanding of effective reporting and communication, specifically the objective to tailor reports to the audience; a common trap is including remediation steps or technical jargon, which belongs in the technical report, not the executive summary. To remember this, think of the CEO’s perspective: they care about “what keeps the business awake at night,” not the specific port numbers or command syntax.

PT0-002 Reporting and Communication Practice Question

This PT0-002 practice question tests your understanding of reporting and communication. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A penetration tester is writing the executive summary for the final report. The CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

Question 1easymultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

A high-level overview of the most critical vulnerabilities and their potential business impact.

The executive summary is intended for non-technical stakeholders like the CEO, who need to grasp the overall risk posture and business implications without technical jargon. Option A provides a high-level overview of critical vulnerabilities and their potential business impact, directly addressing the CEO's need to understand risk level and business impact, which aligns with the PT0-002 objective for effective reporting and communication.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A high-level overview of the most critical vulnerabilities and their potential business impact.

    Why this is correct

    This matches the purpose of the executive summary: concise, business-focused information that allows leadership to make informed decisions without needing technical expertise.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Detailed exploit steps with screenshots.

    Why it's wrong here

    Detailed exploit steps are too technical for a CEO. This level of detail belongs in the technical findings section for the IT team.

  • A list of all CVSS scores without context.

    Why it's wrong here

    Raw CVSS scores may be confusing without interpretation. The executive summary should translate technical severity into business risk.

  • The exact commands used during testing.

    Why it's wrong here

    Commands are operational details that are irrelevant to executive-level understanding. They belong in the methodology appendix.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse the executive summary with a technical summary, choosing options with detailed exploit steps or raw CVSS scores, forgetting that the CEO needs a business-focused, non-technical overview of risk and impact.

Trap categories for this question

  • Similar concept trap

    Raw CVSS scores may be confusing without interpretation. The executive summary should translate technical severity into business risk.

  • Command / output trap

    Commands are operational details that are irrelevant to executive-level understanding. They belong in the methodology appendix.

Detailed technical explanation

How to think about this question

The executive summary should distill complex technical findings into business-relevant terms, often using a risk matrix (e.g., likelihood vs. impact) to communicate overall risk. For example, a critical vulnerability like an unpatched remote code execution in a public-facing web server might be summarized as 'High risk of data breach affecting customer PII, potentially leading to regulatory fines and reputational damage,' rather than listing CVSS 9.8. This approach aligns with the PT0-002 domain's emphasis on tailoring communication to the audience, ensuring the CEO can prioritize remediation based on business impact.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security team runs a vulnerability scan on a web application and discovers an unpatched SQL injection flaw. The team prioritises remediation by CVSS score — critical flaws are patched within 24 hours, high within 7 days. Questions like this test whether you understand vulnerability management processes, scanning tools, and remediation prioritisation.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related PT0-002 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free PT0-002 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this PT0-002 question test?

Reporting and Communication — This question tests Reporting and Communication — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: A high-level overview of the most critical vulnerabilities and their potential business impact. — The executive summary is intended for non-technical stakeholders like the CEO, who need to grasp the overall risk posture and business implications without technical jargon. Option A provides a high-level overview of critical vulnerabilities and their potential business impact, directly addressing the CEO's need to understand risk level and business impact, which aligns with the PT0-002 objective for effective reporting and communication.

What should I do if I get this PT0-002 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

5 more ways this is tested on PT0-002

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A penetration tester is preparing the executive summary for a report. Which of the following metrics would be MOST valuable to include for non-technical stakeholders to understand the overall security posture?

easy
  • A.A list of all tools used during the penetration test
  • B.The total number of vulnerabilities discovered and their average CVSS score
  • C.The number of critical and high-risk findings along with the average time to exploit them
  • D.A detailed step-by-step exploitation walkthrough of one critical vulnerability

Why C: Option C is correct because non-technical stakeholders (e.g., executives) need a high-level, risk-focused summary that communicates the severity and urgency of findings. The number of critical/high-risk findings directly indicates the most dangerous exposures, and the average time to exploit them conveys how quickly an attacker could compromise the environment. This metric translates technical risk into business impact, which is the core goal of an executive summary.

Variation 2. In a penetration test report, the executive summary is primarily intended for which audience?

easy
  • A.IT system administrators
  • B.Senior management (e.g., CISO, board of directors)
  • C.Software developers
  • D.External compliance auditors

Why B: The executive summary is designed for senior management (e.g., CISO, board of directors) because it provides a high-level overview of the penetration test's objectives, key findings, risk impact, and recommended strategic actions. It avoids technical jargon and detailed exploit steps, focusing instead on business risk and remediation priorities that inform decision-making and resource allocation.

Variation 3. A penetration tester is preparing the executive summary of a penetration test report. Which of the following BEST describes the primary audience and appropriate level of technical detail?

easy
  • A.A narrative of the testing methodology for other penetration testers.
  • B.High-level findings and business impact for management and executives.
  • C.Detailed technical analysis for system administrators.
  • D.Step-by-step exploitation procedures for developers.

Why B: Option D is correct because the executive summary targets non-technical stakeholders who need a high-level overview of risks and business impact. Option A is wrong because the executive summary is not for technical staff. Option B is wrong because it should avoid deep technical details. Option C is wrong because the audience is not primarily the testers.

Variation 4. A penetration tester is writing the executive summary of a penetration test report. Which of the following elements is MOST important to include for a non-technical audience?

easy
  • A.Detailed list of all ports and services found
  • B.CVSS scores for every vulnerability
  • C.A high-level summary of the overall risk and key findings
  • D.Raw tool output from vulnerability scans

Why C: C is correct because the executive summary is intended for a non-technical audience, such as senior management or stakeholders, who need a concise overview of the organization's security posture. A high-level summary of the overall risk and key findings communicates the business impact and strategic priorities without overwhelming them with technical details. This aligns with the PT0-002 objective of tailoring communication to the audience, ensuring the report drives decision-making rather than technical analysis.

Variation 5. Refer to the exhibit. A penetration tester is presenting this finding to a non-technical executive. Which improvement should be made to the description?

hard
  • A.Include the CVSS vector
  • B.List the exact database tables affected
  • C.Add a proof-of-concept screenshot
  • D.Describe the business impact in plain language

Why D: Describing the business impact in plain language helps executives understand the risk without technical jargon.

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This PT0-002 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PT0-002 exam.