PT0-002 · topic practice

Information Gathering and Vulnerability Scanning practice questions

Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Information Gathering and Vulnerability Scanning

What the exam tests

What to know about Information Gathering and Vulnerability Scanning

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

Threat actor types and motivations (APT, script kiddie, insider, nation-state).

Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.

Vulnerability scanning vs penetration testing vs risk assessment.

Mitigation strategies mapped to specific attack types.

Watch out for

Common Information Gathering and Vulnerability Scanning exam traps

  • Social engineering targets people, not systems — the attack vector matters.
  • A vulnerability scanner finds weaknesses; it does not exploit them.
  • Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • Zero-day vulnerabilities have no patch available at the time of discovery.

Practice set

Information Gathering and Vulnerability Scanning questions

20 questions · select your answer, then reveal the explanation

During a vulnerability scan, a penetration tester notices that the scanner is repeatedly attempting to exploit a service, causing the service to crash and generating misleading findings. Which of the following scan configurations would BEST help the tester avoid this issue while still identifying potential vulnerabilities?

A penetration tester is performing reconnaissance on a target organization and uses Shodan to find internet-facing devices. Which of the following is the BEST use case for Shodan in this context?

Question 3 · easy · multiple choice

During the reconnaissance phase, a penetration tester wants to map out the target's DNS infrastructure without directly interacting with the target's servers. Which of the following techniques BEST achieves this?

A penetration tester is conducting passive reconnaissance on a target organization. Which of the following techniques would provide the MOST useful information about internal network architecture without directly interacting with the target's systems?

A penetration tester is using a vulnerability scanner to assess an internal network. The scanner reports a critical vulnerability in a custom web application, but manual verification shows the application is not vulnerable. Which of the following is the MOST likely cause of this false positive?

A penetration tester is conducting an internal network scan and wants to minimize the chance of detection by the target's intrusion detection system (IDS). Which Nmap timing template is the MOST appropriate for this goal?

A penetration tester is using a vulnerability scanner on a web application and notices that many findings are false positives caused by the scanner sending oversized payloads that the application truncates or rejects. Which scanner configuration change would MOST effectively reduce false positives in this scenario?

Question 8 · easy · multiple choice

During the reconnaissance phase, a penetration tester wants to identify subdomains of a target domain without making direct requests to the target's own DNS servers. Which technique would be BEST for this purpose?

During a penetration test, a vulnerability scanner reports a critical SQL injection vulnerability in a web application. However, manual testing shows that the parameter is not injectable due to proper parameterized queries. Which of the following is the MOST likely cause of this false positive?

During reconnaissance, a penetration tester discovers a public GitHub repository belonging to the target organization. The repository contains internal project names, server IP addresses, and code comments with database credentials. Which reconnaissance technique does this represent?

A penetration tester wants to discover email addresses associated with a target domain (example.com) without sending any network packets to the target's systems. Which technique is BEST suited for this?

A penetration tester wants to perform a network scan that minimizes the chance of detection by an intrusion detection system (IDS). Which Nmap timing template is MOST appropriate?

Question 13 · medium · multiple choice

A penetration tester is conducting passive reconnaissance against a target domain. The tester wants to discover all subdomains associated with the domain without making any direct DNS queries to the target's authoritative servers. Which technique is BEST suited for this purpose?

A penetration tester wants to enumerate user accounts and SMB shares from a Windows machine without authenticating. Which tool is specifically designed for this purpose and is commonly used in Linux penetration testing distributions?

A penetration tester is performing reconnaissance on a target organization. The tester wants to discover the internal IP address scheme used by the company without making any direct connections to the company's network. Which technique is MOST effective for this purpose?

A vulnerability scanner reports a reflected XSS vulnerability in a web application. Manual testing confirms that the application HTML-encodes all user input in the response. Which scanner misconfiguration is MOST likely causing this false positive?

A penetration tester is conducting passive reconnaissance on a target organization. The tester wants to identify the technologies and frameworks used by the target's web application without making any requests to the target's servers. Which resource is BEST suited for this task?

A penetration tester receives an Nmap scan report showing that port 445/TCP is open on a target Windows host. The tester wants to determine if the host is vulnerable to EternalBlue (MS17-010) without triggering an alert. Which Nmap NSE script is most appropriate to use?

During passive reconnaissance, a penetration tester wants to compile a list of valid employee email addresses for a target company to be used in a future phishing campaign. Which technique is LEAST likely to be detected by the target or its security controls?

A penetration tester is tasked with discovering all publicly accessible Amazon S3 buckets that belong to a target company. Which technique is MOST effective for this purpose?


Focused Information Gathering and Vulnerability Scanning sessions

Start an Information Gathering and Vulnerability Scanning only practice session

Every question in these sessions is drawn from the Information Gathering and Vulnerability Scanning domain — nothing else.


Frequently asked questions

What does the PT0-002 exam test about Information Gathering and Vulnerability Scanning?
Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Information Gathering and Vulnerability Scanning questions in a focused session?
Yes — the session launcher on this page draws every question from the Information Gathering and Vulnerability Scanning domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PT0-002 topics?
Use the topic links above to move to related areas, or go back to the PT0-002 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PT0-002 exam covers. They are not copied from any real exam or dump site.