Planning and Scoping · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct document for formally documenting scope exclusions like a third-party CDN is the Rules of Engagement (ROE). The ROE is the authoritative source for defining the boundaries, constraints, and special permissions of a penetration test, including which IP ranges, domains, or systems are explicitly off-limits. This ensures the testing team avoids targeting infrastructure outside the client’s control, preventing contractual violations or unintended disruptions. On the CompTIA PenTest+ PT0-002 exam, this concept tests your ability to distinguish between the ROE and the Statement of Work (SOW)—the SOW outlines the high-level objectives and deliverables, while the ROE contains the operational guardrails. A common trap is confusing the two, but remember: the ROE is the “rulebook” for what testers can and cannot touch during the engagement. Memory tip: ROE = Restrictions On Engagement.

PT0-002 Planning and Scoping Practice Question

This PT0-002 practice question tests your understanding of planning and scoping. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: the ROE defines the scope, targets, and boundaries of a pen test. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A client hires a penetration testing firm to assess a web application. The client uses a third-party content delivery network (CDN) for static assets and explicitly wants to exclude the CDN infrastructure from testing. In which document should this restriction be formally documented?



Correct answer & explanation

Rules of Engagement (ROE)

The Rules of Engagement (ROE) document is the correct place to formally document restrictions such as excluding the CDN infrastructure from testing. The ROE defines the scope, boundaries, and specific constraints for the penetration test, including which IP ranges, domains, or systems are off-limits. This ensures the testing team does not inadvertently target the third-party CDN, which could violate contractual agreements or cause unintended disruptions.

Key principle: The ROE defines the scope, targets, and boundaries of a pen test.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Statement of Work (SOW)

    Why it's wrong here

    The SOW describes the work to be performed and deliverables, but it does not typically detail specific technical restrictions like excluding a CDN.

  • Non-Disclosure Agreement (NDA)

    Why it's wrong here

    The NDA is a legal agreement regarding confidentiality, not technical scope or restrictions.

  • Master Services Agreement (MSA)

    Why it's wrong here

    The MSA outlines long-term business terms, liabilities, and payment, but not per-engagement scope exclusions.

  • Rules of Engagement (ROE)

    Why this is correct

    The ROE is the correct document for specifying what is in scope, what is out of scope, and any specific restrictions like not testing the CDN.

    Related concept

    The ROE defines the scope, targets, and boundaries of a pen test.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse the ROE with the SOW, assuming the SOW is the catch-all document for all restrictions, but the ROE is specifically designed for operational boundaries and constraints in penetration testing engagements.

Detailed technical explanation

How to think about this question

In penetration testing, the ROE typically lists explicit IP address ranges, CIDR blocks, or domain names that are in scope or out of scope, along with testing windows, escalation contacts and notification procedures. A third-party CDN is a natural exclusion because the client cannot authorize testing of infrastructure it does not own, and CDN providers treat unannounced scanning of their edge as abuse. Writing the exclusion down is only half the job: the tester must make sure traffic actually stays off the CDN's edge nodes. If an in-scope hostname resolves (usually through a CNAME) to a CDN address, the tester needs the client to supply the origin server's IP and then pins the hostname to that address, for example with a hosts-file entry or a per-request resolver override, so the Host header and TLS server name stay correct while the packets go to the origin. Two pre-flight checks follow from this: confirm that every resolved address, and the supplied origin address itself, lies outside the CDN ranges the ROE excludes, and confirm with the client that the origin accepts direct connections, since many origins only allow traffic from the CDN's addresses and the tester's source IPs may need to be allowlisted (which should itself be recorded in the ROE). Static assets such as images and scripts served only from a separate CDN hostname simply stay out of scope. A common real-world incident is a scanner that trips a CDN's rate limiting or DDoS protection and degrades service for real users; the explicit exclusion and the pinning discipline above are what prevent it.
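The pre-flight check described above, as an added example that is not part of the original page or of any vendor tool: it takes the scope as transcribed from a signed ROE (in-scope hostnames, excluded CDN ranges, client-supplied origin IPs), resolves each target, and decides whether it can be tested directly, must be pinned to the origin, is blocked pending client input, or is out of scope. All hostnames, addresses and DNS answers are constructed for the demo (RFC 5737 documentation ranges) and stand in for a live resolver; `curl --resolve host:port:addr` is a real curl option that pins a name to an address without changing the Host header or SNI.

```python
"""Pre-flight scope check for a web-app test whose ROE excludes a third-party CDN.

Added example, not code from the page. Hostnames, IP ranges and DNS answers are
constructed (RFC 5737 documentation addresses); in a real engagement they come
from the signed ROE and from live resolution.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- Scope as transcribed from a hypothetical signed ROE --------------------
IN_SCOPE_HOSTS = {"app.example.com", "api.example.com", "portal.example.com"}
# CDN edge ranges the ROE lists as out of scope (hypothetical)
EXCLUDED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
# Origin addresses the client supplied for hosts fronted by the CDN (hypothetical)
ORIGIN_IPS = {"app.example.com": "203.0.113.10"}

# --- Constructed DNS answers standing in for live resolution (offline demo) --
FAKE_DNS = {
    "app.example.com": ["198.51.100.7"],      # CNAME chain ends on a CDN edge
    "api.example.com": ["203.0.113.20"],      # resolves straight to the client
    "portal.example.com": ["198.51.100.8"],   # on the CDN, no origin supplied yet
    "static.example.com": ["198.51.100.9"],   # asset host, not listed in the ROE
}


@dataclass
class Verdict:
    host: str
    action: str                 # "test-direct" | "pin-origin" | "blocked" | "out-of-scope"
    reason: str
    target_ip: Optional[str] = None

    def curl_resolve(self, port: int = 443) -> Optional[str]:
        """Argument that pins the hostname to the vetted address for every request.

        Pinning even direct targets means a DNS change mid-engagement (e.g. the
        client moving the host behind the CDN) cannot silently route test traffic
        into the excluded infrastructure."""
        if self.target_ip is None:
            return None
        return f"--resolve {self.host}:{port}:{self.target_ip}"


def in_excluded_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED_NETWORKS)


def resolve(host: str, dns=FAKE_DNS) -> list[str]:
    # Swap for socket.getaddrinfo() on a live check; kept offline here.
    return dns.get(host, [])


def check_host(host: str, dns=FAKE_DNS) -> Verdict:
    if host not in IN_SCOPE_HOSTS:
        return Verdict(host, "out-of-scope", "hostname not listed in the ROE")
    answers = resolve(host, dns)
    if not answers:
        return Verdict(host, "blocked", "name does not resolve; confirm target with client")
    on_cdn = [ip for ip in answers if in_excluded_range(ip)]
    if not on_cdn:
        return Verdict(host, "test-direct", "resolves outside excluded ranges", answers[0])
    origin = ORIGIN_IPS.get(host)
    if origin is None:
        return Verdict(host, "blocked",
                       f"resolves to excluded CDN range ({on_cdn[0]}); request origin IP from client")
    if in_excluded_range(origin):
        return Verdict(host, "blocked",
                       f"supplied origin {origin} is inside an excluded range; ROE conflict")
    return Verdict(host, "pin-origin",
                   f"DNS points at CDN ({on_cdn[0]}); pinning to client-supplied origin", origin)


def build_scope_report(hosts, dns=FAKE_DNS) -> dict[str, Verdict]:
    return {h: check_host(h, dns) for h in hosts}


if __name__ == "__main__":
    for v in build_scope_report(sorted(FAKE_DNS)).values():
        extra = f"  curl {v.curl_resolve()} https://{v.host}/" if v.target_ip else ""
        print(f"{v.host:20} {v.action:13} {v.reason}{extra}")
```

Run this before every scan window, not once at kickoff: the `blocked` verdicts are the conversation to have with the client (supply an origin, or drop the host from scope), and the `--resolve` arguments are what the scanner or proxy should be fed so that no request depends on public DNS for an excluded host.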

Key Concepts to Remember

  • The ROE defines the scope, targets, and boundaries of a pen test.
  • It specifies what is in-scope and out-of-scope for testing.
  • The ROE details specific technical restrictions and methodologies.
  • It is a critical document for preventing unauthorized testing activities.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

The ROE defines the scope, targets, and boundaries of a pen test.

Real-world example

How this comes up in practice

A penetration tester scoping a web-application engagement meets this situation whenever the client's site is fronted by a third-party CDN and the client wants only its own infrastructure tested. The exclusion goes into the Rules of Engagement, next to the in-scope hosts, testing windows and contacts, so the team has a signed reference for what it may and may not touch. The ROE defines the scope, targets, and boundaries of a pen test. Security exam questions test whether you can match controls to threats in context, not just recall definitions.

What to study next

Got this wrong? Here's your next step.

Review the key principle (the ROE defines the scope, targets, and boundaries of a pen test), then practise related PT0-002 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this PT0-002 question test?

Planning and Scoping. This question tests whether you know that the ROE defines the scope, targets, and boundaries of a pen test.

What is the correct answer to this question?

The correct answer is: Rules of Engagement (ROE) — The Rules of Engagement (ROE) document is the correct place to formally document restrictions such as excluding the CDN infrastructure from testing. The ROE defines the scope, boundaries, and specific constraints for the penetration test, including which IP ranges, domains, or systems are off-limits. This ensures the testing team does not inadvertently target the third-party CDN, which could violate contractual agreements or cause unintended disruptions.

What should I do if I get this PT0-002 question wrong?

Review the key principle (the ROE defines the scope, targets, and boundaries of a pen test), then practise related PT0-002 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

The ROE defines the scope, targets, and boundaries of a pen test.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026


This PT0-002 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PT0-002 exam.