CCNA Planning And Scoping Questions

75 of 103 questions · Page 1/2 · Planning And Scoping topic

1
MCQ · hard

A contract prohibits DoS testing, but a tester finds a WAF that could be tested with a technique resembling slowloris. What is the best course of action?

A. Use a different technique, such as a buffer overflow
B. Proceed with a slowloris attack
C. Send a single malformed HTTP request and observe
D. Request a scope change to include DoS testing
Answer: D

It is proper to obtain permission before testing.

Why this answer

Option D is correct because the tester should request a scope change to include DoS testing after explaining the risk. Option B is wrong because it violates the contract. Option C is wrong because even a single request might be considered excessive. Option A is wrong because it does not address the prohibition.

2
MCQ · medium

A penetration testing firm is hired to assess a client's network that includes both internal servers and external cloud-based services. The client wants to test only the internal network due to compliance concerns about testing cloud infrastructure. Which of the following should the penetration tester MOST strongly emphasize during the scoping meeting?

A. That cloud services are often the most vulnerable and should be included for a thorough test
B. That the test will not provide a complete risk picture without cloud components
C. That the client can always test cloud services later in a separate engagement
D. That compliance concerns are unfounded and the test should proceed anyway
Answer: B

This emphasizes the scope gap and ensures stakeholders understand that the assessment will be partial.

Why this answer

Option B is correct because the scope of a penetration test directly determines the validity of its risk assessment. Excluding cloud services creates a significant blind spot, as the client's attack surface includes both internal servers and external cloud-based services; without testing the cloud components, the test cannot provide a complete risk picture. The penetration tester must emphasize this limitation during scoping to ensure the client understands that the final report will not reflect the full security posture of their hybrid environment.

Exam trap

The trap here is that candidates may choose Option A because it sounds technically aggressive and 'security-first,' but the PT0-002 exam tests the ability to prioritize scoping discussions based on client-defined constraints and risk communication, not on unsupported claims about vulnerability prevalence.

How to eliminate wrong answers

Option A is wrong because it makes an unsubstantiated claim that cloud services are 'often the most vulnerable,' which is not a universal truth and distracts from the core scoping issue: the client's compliance concerns, not relative vulnerability. Option C is wrong because it suggests deferring cloud testing to a separate engagement, which fails to address the immediate need for a holistic risk assessment and may lead to fragmented, less actionable results; the tester's role is to advocate for complete coverage within the current engagement's constraints.

3
MCQ · easy

A company wants to test the security of their internet-facing web application without impacting production servers or user data. The tester must be authorized to attempt authentication bypass and SQL injection. Which item is most critical to include in the scope definition to ensure the test is focused and lawful?

A. A list of user accounts with credentials for authenticated testing
B. A list of target URLs and IP addresses of the web application
C. A detailed testing schedule and hours of operation
D. The testing methodology and tools to be used
Answer: B

This directly defines the boundaries of the test, ensuring the tester confines attacks to the agreed systems.

Why this answer

Option B is correct because the scope definition must explicitly list target URLs and IP addresses to establish legal authorization boundaries and prevent unintended access to production systems. Without precise targets, the tester could inadvertently impact non-authorized systems, violating the rules of engagement and potentially causing data breaches or service disruption.

Exam trap

The trap here is that candidates confuse operational details (like credentials or schedules) with the legal and technical boundaries required to keep testing lawful and focused, leading them to pick options that are useful but not critical for scope definition.

How to eliminate wrong answers

Option A is wrong because providing user accounts with credentials is not a scope definition item; it is a test execution detail that may be included in the rules of engagement but does not define the lawful boundaries of testing. Option C is wrong because a detailed testing schedule and hours of operation, while useful for coordination, do not define the scope of systems under test and thus do not ensure the test is focused and lawful.

4
MCQ · hard

A large enterprise hires your firm to perform a penetration test on a new cloud-based product that integrates with several third-party services. The product is built on AWS and uses serverless functions (Lambda), API Gateway, DynamoDB, and S3. The client provides you with access to a staging environment that mirrors production in architecture but with relaxed security controls: the staging environment has less restrictive security groups, enabled debugging endpoints, and broad IAM permissions. The client insists that the staging environment is sufficient for testing and that production testing is not allowed due to compliance constraints. What is the best recommendation?

A. Propose a limited production test during a maintenance window, accepting the compliance risk.
B. Request that the staging environment be reconfigured to match production security controls, then test.
C. Refuse to proceed until production access is granted.
D. Test the staging environment as is and note the differences in the final report.
Answer: B

This ensures valid results without violating compliance.

Why this answer

Testing a non-representative environment may produce false positives or miss real vulnerabilities. The correct approach is to align the staging environment to production as closely as possible. Option D may lead to inaccurate conclusions; C is too rigid; A violates compliance and likely is not feasible.

5
MCQ · medium

A client engages a penetration testing firm to evaluate the security of their internal network. During the scoping meeting, the client states that they use a network access control (NAC) solution that might block the tester's machine if it is connected to the internal network without prior authorization. Which of the following should be included in the rules of engagement to address this potential issue?

A. Include a requirement that the client disables NAC during the testing window.
B. State that the tester will not connect to the internal network and will only test externally.
C. Specify that the tester will bypass NAC as part of the test objectives.
D. Add a clause requiring the client to whitelist the tester's MAC address in the NAC policy before testing.
Answer: D

Whitelisting the tester's MAC address allows the NAC to recognize the testing device as authorized, preventing service disruption without weakening overall security.

Why this answer

Option D is correct because whitelisting the tester's MAC address in the NAC policy allows the tester's machine to connect to the internal network without being blocked, while keeping the NAC solution active for other devices. This approach preserves the real-world security posture of the client's environment and ensures the tester can perform internal network assessments as scoped. It is a standard practice in penetration testing to request MAC address whitelisting to avoid false positives from NAC enforcement.

Exam trap

The trap here is that candidates may assume disabling NAC (Option A) is the simplest solution, but the exam tests whether you understand that altering security controls during a test can invalidate the assessment's realism and that proper scoping requires minimal disruption to the client's environment.

How to eliminate wrong answers

Option A is wrong because disabling NAC entirely would alter the security posture of the client's network, potentially allowing the tester to bypass a control that would normally be present, which does not reflect a realistic attack scenario and may violate the integrity of the test. Option B is wrong because the client specifically engaged the tester to evaluate the security of their internal network, and testing only externally would fail to meet the scope and objectives of the engagement. Option C is wrong because specifying that the tester will bypass NAC as a test objective implies that the tester will attempt to circumvent the NAC solution, which is a separate attack vector and not a scoping or rules-of-engagement measure to address the potential blocking issue; it also risks disrupting the client's network or violating the rules of engagement if not explicitly authorized.

6
MCQ · medium

A client wants a penetration test that simulates an external threat actor with no prior access. The client provides a list of public IP ranges and domain names. Which type of test is this?

A. External black-box test.
B. Internal white-box test.
C. Gray-box test.
D. Red team exercise.
Answer: A

Black-box testing means the tester has no inside knowledge; external means testing from outside the network perimeter. This matches the scenario of simulating an external threat actor.

Why this answer

This is an external black-box test because the client provides only public IP ranges and domain names, simulating an external threat actor with no prior access. The tester has no internal knowledge or credentials, which defines a black-box approach, and the scope is limited to external-facing assets, making it external.

Exam trap

The trap here is confusing 'external' with 'black-box'—candidates may think a gray-box test is appropriate because the client provides some information, but the key is that no internal access or credentials are given, which strictly defines a black-box test.

How to eliminate wrong answers

Option B is wrong because an internal white-box test assumes the tester has full knowledge of the internal network, including credentials and architecture, which contradicts the 'no prior access' requirement. Option C is wrong because a gray-box test typically provides partial internal knowledge (e.g., credentials or network diagrams), which is not the case here as the client only gives public IP ranges and domain names.

7
MCQ · easy

A company needs to test the security of its web application without causing any service disruption. Which testing methodology is most appropriate to include in the scope?

A. Automated vulnerability scanning with a high intensity profile
B. Black-box penetration testing against the production environment
C. White-box code review and static analysis
D. Gray-box penetration testing with a read-only account
Answer: C

Code review and static analysis do not interact with the live environment.

Why this answer

Option C is correct because white-box code review and static analysis do not interact with the live environment, minimizing disruption. Option B is wrong because black-box testing may involve active scanning that could cause performance issues. Option D is wrong because gray-box testing still involves active testing. Option A is wrong because high-intensity scanning can cause denial of service.

8
MCQ · easy

Refer to the exhibit. A penetration tester is scoping a test and needs to reach a host at 10.0.1.50. Through which interface will traffic be routed?

A. The route is ambiguous
B. eth0
C. eth2
D. eth1
Answer: C

The 10.0.1.0/24 route directly matches 10.0.1.50.

Why this answer

The most specific route matches the destination. 10.0.1.50 falls within the 10.0.1.0/24 network (Genmask 255.255.255.0), which is routed via eth2. The default route via eth0 and the broader 10.0.0.0/8 route via eth1 are less specific.

9
MCQ · medium

A client requests a penetration test for a new e-commerce application. The application uses a microservices architecture with RESTful APIs and a React frontend. The tester recommends including both a vulnerability assessment and manual penetration testing. However, the client has a tight budget and asks to skip the vulnerability assessment to save costs. Which response best aligns with best practices?

A. Perform only a vulnerability assessment because it covers more vulnerabilities.
B. Use automated scanning tools during the manual penetration test to compensate.
C. Agree to skip the vulnerability assessment and focus only on manual penetration testing.
D. Conduct a vulnerability assessment first and then manually validate findings.
Answer: D

This follows the industry best practice of combining automated scanning with manual validation.

Why this answer

Best practices recommend a vulnerability assessment to identify potential weaknesses, followed by manual validation to reduce false positives and exploit critical issues. Skipping the assessment may leave critical vulnerabilities undetected.

10
MCQ · medium

A penetration tester is hired to assess a web application that integrates with a third-party payment API. The client wants the API included in the test but does not have a signed agreement with the vendor. What is the most appropriate action for the tester?

A. Ask the client to obtain a written authorization from the third-party vendor before testing the API.
B. Proceed with testing the API using anonymous techniques to avoid detection.
C. Test only the client's application logic but not the actual API endpoint.
D. Include the API in the test because the client owns the integration.
Answer: A

This is the proper ethical and legal step to ensure the tester has permission to test the vendor's system.

Why this answer

Option A is correct because testing a third-party API without explicit written authorization from the vendor violates legal and contractual boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The penetration tester must obtain signed authorization to ensure the test is legally defensible and within scope, as the client cannot grant permission for assets they do not own.

Exam trap

The trap here is that candidates may assume 'anonymous techniques' or 'testing only the application logic' are safe workarounds, failing to recognize that legal authorization is a non-negotiable prerequisite for any testing activity, regardless of technique or scope limitation.

How to eliminate wrong answers

Option B is wrong because using anonymous techniques to avoid detection does not circumvent the lack of legal authorization; it still constitutes unauthorized access and could lead to criminal charges or civil liability. Option C is wrong because testing only the client's application logic without the actual API endpoint would miss critical integration vulnerabilities (e.g., improper handling of API responses, insecure direct object references) and fail to meet the client's requirement to include the API in the test.

11
Drag & Drop · medium

Drag and drop the steps to perform a basic Nmap scan to discover open ports on a target host into the correct order.


Why this order

Nmap scanning begins with verifying connectivity, then executing the scan, interpreting results, and documenting them.

12
MCQ · easy

A client requests a penetration test of their web application, but they want to exclude all third-party APIs from the scope. Where should this exclusion be documented?

A. Rules of Engagement
B. Executive Summary
C. Findings Report
D. Remediation Plan
Answer: A

The RoE is the formal agreement that outlines what is and is not permitted, making it the correct place for scope exclusions.

Why this answer

The Rules of Engagement (ROE) document is the authoritative source for defining the scope, boundaries, and constraints of a penetration test, including explicit exclusions such as third-party APIs. This document is established during the planning and scoping phase to ensure both the client and the testing team agree on what is and is not in scope, preventing legal or operational issues. Without documenting the exclusion in the ROE, the tester might inadvertently interact with the third-party APIs, violating the agreement and potentially causing service disruptions or legal liabilities.

Exam trap

CompTIA often tests the misconception that scope exclusions belong in the final report or executive summary because candidates confuse 'what was tested' with 'what was excluded,' but the ROE is the only document that governs the testing parameters before execution begins.

How to eliminate wrong answers

Option B is wrong because the Executive Summary is a high-level overview of the test results, typically found in the final report, and is not used to document scope exclusions or operational constraints; it summarizes findings for non-technical stakeholders. Option C is wrong because the Findings Report details vulnerabilities discovered during the test and their remediation, but it does not define the scope or exclusions—those must be established before testing begins in the ROE.

13
MCQ · hard

You are a penetration tester conducting an internal network penetration test for a medium-sized company. The network consists of a Windows domain with multiple servers and workstations. The scope includes testing the Active Directory security. The client has provided a low-privileged domain user account for initial access. During the reconnaissance phase, you discover that the domain controller is running Windows Server 2012 R2 with no recent patches. There is a known privilege escalation vulnerability (e.g., Zerologon) that could allow you to become Domain Admin. However, the client's rules of engagement explicitly prohibit the use of any exploit that could cause a denial of service on the domain controller. The Zerologon exploit, if not carefully executed, could crash the domain controller. Which of the following actions should you take?

A. Modify the exploit code to ensure no disruption, then run it
B. Proceed with the Zerologon exploit during off-hours to minimize risk
C. Report the vulnerability immediately without attempting exploitation
D. Avoid the exploit and instead attempt Kerberoasting or AS-REP roasting
Answer: D

These are non-disruptive techniques that still test AD security.

Why this answer

Option D is correct because it adheres to the rules of engagement while still testing AD security. Option B is wrong because it could cause DoS and violate scope. Option C is wrong because the tester should still perform other tests. Option A is wrong because modifying exploits is risky and not approved.

14
MCQ · easy

A penetration tester is conducting an external network assessment for a client. During the reconnaissance phase, the tester identifies an IP address range that is not listed in the rules of engagement (ROE). The client had initially provided a list of authorized target IPs. What should the tester do next?

A. Stop testing and notify the client to update the ROE.
B. Include the new IPs in the test scope and proceed.
C. Perform a quick scan of the new IPs to gather more information.
D. Ignore the new IPs and only test the provided range.
Answer: A

This is correct because it ensures all testing remains within agreed scope.

Why this answer

Testing outside the defined scope is unauthorized and could breach contract or legal boundaries. The correct course is to pause and seek clarification, updating the ROE before proceeding.

15
MCQ · medium

A penetration tester is contracted to perform a test of a company's critical web application that handles financial transactions. The client requires that testing must not degrade the application's performance for live users. Which of the following scoping controls would best address this requirement?

A. Require the use of only passive reconnaissance techniques and exclude all active scanning
B. Implement rate limiting in the testing tools and schedule the test during a maintenance window with low traffic
C. Include a clause that the client must monitor application performance and halt the test if degradation is observed
D. Test only from a single IP address and use low-packet-rate tools to avoid overwhelming the application
Answer: B

Rate limiting reduces the load on the application, and scheduling during low traffic minimizes impact on users. These controls directly address the performance concern.

Why this answer

Option B is correct because rate limiting and scheduling during a maintenance window directly prevent performance degradation for live users. Rate limiting controls the request rate (e.g., limiting to 10 requests per second) to avoid overwhelming the application, while a maintenance window ensures minimal user impact. This approach balances active testing needs with the client's requirement to preserve live user experience.

Exam trap

CompTIA often tests the misconception that passive reconnaissance alone is sufficient for a full-scope penetration test, but the trap here is that active testing is required for financial transaction validation, and rate limiting with scheduling is the only option that proactively prevents performance degradation.

How to eliminate wrong answers

Option A is wrong because passive reconnaissance alone (e.g., using Wireshark or Shodan) cannot test the application's active functionality, such as transaction processing or input validation, which is critical for a financial web application. Option C is wrong because relying on the client to monitor and halt testing is reactive and may still cause performance degradation before detection, violating the requirement to prevent degradation proactively. Option D is wrong because testing from a single IP with low-packet-rate tools does not guarantee no performance impact; without explicit rate limiting and scheduling, even low-rate traffic during peak hours could degrade performance for live users.

16
MCQ · easy

A client asks a penetration tester to perform a test on an e-commerce website. The website experiences high traffic during weekdays and major sales events. To minimize business disruption, when should the tester schedule the active scanning and exploitation activities?

A. During peak business hours on weekdays
B. During a major holiday sale event
C. During weekends outside of any special promotions
D. Anytime, as long as the tester does not perform denial-of-service attacks
Answer: C

Low traffic periods minimize business disruption while still allowing effective testing.

Why this answer

Option C is correct because scheduling active scanning and exploitation during weekends outside of special promotions aligns with the requirement to minimize business disruption. High-traffic periods like weekdays and major sales events increase the risk of performance degradation or service interruption from scanning tools, which could impact revenue and user experience. By choosing low-traffic windows, the tester reduces the likelihood of overwhelming the web server or triggering rate-limiting mechanisms.

Exam trap

The trap here is that candidates assume 'no denial-of-service attacks' means no disruption, overlooking that active scanning itself can degrade performance and cause business impact during peak periods.

How to eliminate wrong answers

Option A is wrong because peak business hours on weekdays coincide with high user traffic, making active scanning likely to degrade website performance or trigger security controls like WAF rate limits, causing business disruption. Option B is wrong because a major holiday sale event is a critical revenue period where any disruption from scanning could lead to significant financial loss and violate the client's requirement to minimize business impact. Option D is wrong because even without denial-of-service attacks, active scanning can still cause resource exhaustion, latency spikes, or trigger IPS/IDS blocks, which disrupts normal operations during high-traffic periods.

17
MCQ · medium

A penetration testing firm has been hired to test the internal network of a large enterprise. During the scoping meeting, the client states that they want to include all IP ranges, including those used by the HR department's sensitive systems. The tester should recommend which of the following to minimize business impact and avoid disruption?

A. Exclude the HR department's IP range from the test
B. Perform the test during off-peak hours and provide prior notification
C. Use only passive reconnaissance techniques on the HR systems
D. Include the HR systems but require written authorization from HR management
Answer: B

Scheduling testing during off-peak hours reduces impact on business operations, and notifying the HR department in advance allows them to take precautions and avoid data loss or service interruption.

Why this answer

Option B is correct because performing the test during off-peak hours and providing prior notification minimizes business impact by reducing the likelihood of disrupting critical HR operations during normal business hours. This approach aligns with the scoping requirement to include all IP ranges while allowing the client to prepare for potential service interruptions, such as those caused by active scanning techniques like TCP SYN scans or service enumeration. Prior notification ensures that HR staff can take precautions, such as backing up sensitive data or pausing batch jobs, thereby avoiding data corruption or system unavailability.

Exam trap

The trap here is that candidates often choose Option C (passive reconnaissance) thinking it avoids disruption entirely, but they overlook that passive techniques cannot fulfill the test's objective of identifying exploitable vulnerabilities, which requires active interaction with the target systems.

How to eliminate wrong answers

Option A is wrong because excluding the HR department's IP range directly contradicts the client's explicit request to include all IP ranges, including sensitive HR systems, and would leave a critical attack surface untested, potentially missing vulnerabilities like weak authentication on HR databases or exposed SMB shares. Option C is wrong because using only passive reconnaissance techniques on the HR systems is insufficient for a thorough penetration test; passive techniques (e.g., sniffing network traffic or analyzing DNS records) cannot identify active vulnerabilities such as unpatched services, default credentials, or misconfigured firewall rules that require active probing like Nmap version scans or vulnerability scanning with tools like OpenVAS.

18
Multi-Select · medium

A penetration tester is scoping an engagement for a client that has both on-premises and cloud infrastructure. Which TWO documents should be reviewed to understand the client's cloud security posture?

Select 2 answers
A. AWS IAM policies
B. Azure AD logs
C. Cloud service agreement
D. On-premises firewall rules
E. Shared responsibility model
Answers: C, E

These documents outline contractual security requirements and protections.

Why this answer

The shared responsibility model defines security boundaries between the cloud provider and client, and the cloud service agreement outlines contractual security obligations. IAM policies and Azure AD logs are technical details, while on-premises firewall rules are not cloud-specific.

19
MCQ · easy

A client requests a penetration test that simulates an external attacker with no prior knowledge of the internal network. The tester is not provided with any credentials, network diagrams, or source code. Which type of test does this describe?

A. White-box test
B. Black-box test
C. Gray-box test
D. Covert test
Answer: B

In a black-box test, the tester has no internal knowledge and must rely solely on publicly available information and reconnaissance.

Why this answer

This is a black-box test because the tester simulates an external attacker with no prior knowledge of the internal network, no credentials, no network diagrams, and no source code. In black-box testing, the tester must discover all vulnerabilities from an outsider's perspective, relying solely on publicly available information and active reconnaissance techniques such as port scanning, service enumeration, and vulnerability scanning. This approach aligns with the client's requirement to mimic a real-world attacker who has zero insider knowledge.

Exam trap

The trap here is that candidates often confuse black-box testing with gray-box testing, mistakenly thinking that 'no credentials' automatically implies gray-box, but gray-box testing still provides some internal knowledge (e.g., network diagrams or low-privilege access), which is explicitly absent in this scenario.

How to eliminate wrong answers

Option A is wrong because a white-box test provides the tester with full knowledge of the internal network, including credentials, network diagrams, and source code, which contradicts the scenario where no such information is given. Option C is wrong because a gray-box test offers partial knowledge, such as limited credentials or network topology, whereas the scenario explicitly states no prior knowledge or credentials are provided.

20
MCQ · medium

A client hires a penetration testing firm to assess a web application. The client uses a third-party content delivery network (CDN) for static assets and explicitly wants to exclude the CDN infrastructure from testing. In which document should this restriction be formally documented?

A. Statement of Work (SOW)
B. Non-Disclosure Agreement (NDA)
C. Master Services Agreement (MSA)
D. Rules of Engagement (ROE)
Answer: D

The ROE is the correct document for specifying what is in scope, what is out of scope, and any specific restrictions like not testing the CDN.

Why this answer

The Rules of Engagement (ROE) document is the correct place to formally document restrictions such as excluding the CDN infrastructure from testing. The ROE defines the scope, boundaries, and specific constraints for the penetration test, including which IP ranges, domains, or systems are off-limits. This ensures the testing team does not inadvertently target the third-party CDN, which could violate contractual agreements or cause unintended disruptions.

Exam trap

The trap here is that candidates confuse the ROE with the SOW, assuming the SOW is the catch-all document for all restrictions, but the ROE is specifically designed for operational boundaries and constraints in penetration testing engagements.

How to eliminate wrong answers

Option A is wrong because the Statement of Work (SOW) describes the high-level objectives, deliverables, and timeline of the engagement, but it does not typically contain granular operational constraints like excluding specific infrastructure components. Option B is wrong because the Non-Disclosure Agreement (NDA) is a legal contract protecting confidential information, not a document for defining testing boundaries or restrictions. Option C is wrong because the Master Services Agreement (MSA) establishes the overarching legal and business terms between parties, but it does not detail per-engagement technical limitations such as CDN exclusion.

21
Multi-Select · easy

A penetration tester is developing a rules of engagement document for a client. Which TWO elements should the tester include to ensure proper scope boundaries?

Select 2 answers
A. List of authorized testing tools
B. Target IP addresses and subnets
C. Credentials for privileged accounts
D. Escalation procedures for critical findings
E. Emergency contact information for law enforcement
Answers: B, D

Clear definition of the target systems is essential for scope.

Why this answer

The rules of engagement should clearly define what is in scope and how to handle findings. Target IP addresses and subnets (B) specify the scope of systems to test, and escalation procedures (D) outline how to communicate critical findings. While authorized tools (A) may be listed, they are not scope boundaries; privileged credentials (C) are sometimes provided but not a scope boundary; emergency contact info (E) is typically part of incident response, not ROE scope.

22
MCQmedium

A penetration testing firm is hired to assess a client's hybrid infrastructure with on-premises and cloud servers in multiple regions. The client specifies testing only the on-premises systems due to budget and compliance. Which of the following should the tester emphasize in the rules of engagement (ROE)?

A.Detailed network diagrams of the cloud environment
B.Explicit exclusion of all cloud-based assets
C.Approval from the cloud service provider
D.A list of all cloud API endpoints
AnswerB

This ensures that the tester and client are aligned on what is off-limits, reducing the risk of scope creep and compliance violations.

Why this answer

The client explicitly restricted testing to on-premises systems due to budget and compliance. The rules of engagement (ROE) must clearly define the authorized scope to prevent accidental testing of cloud assets, which could violate the contract and potentially breach the cloud provider's terms of service. Option B is correct because explicitly excluding all cloud-based assets ensures the tester does not touch any cloud resources, aligning with the client's constraints.

Exam trap

The trap here is that candidates may think they need cloud provider approval or network diagrams to understand the environment, but the key is respecting the client's explicit scope limitation by excluding cloud assets in the ROE.

How to eliminate wrong answers

Option A is wrong because detailed network diagrams of the cloud environment are irrelevant and out of scope; the tester is not authorized to test cloud systems, and requesting such diagrams could imply intent to test them, violating the client's restrictions. Option C is wrong because approval from the cloud service provider is not required when the cloud assets are explicitly excluded from testing; the tester has no need to interact with the cloud provider's infrastructure, and seeking such approval could create unnecessary legal or contractual complications.

23
MCQmedium

A client wants to test a mobile app that uses certificate pinning. The penetration tester needs to perform dynamic analysis of the app's network traffic. Which of the following should be included in the rules of engagement to enable this testing?

A.Include a provision to install a custom CA certificate on a rooted/jailbroken device.
B.Request the app's source code for static analysis instead of dynamic analysis.
C.Use a proxy tool like Burp Suite without any modification to the device.
D.Obtain a list of API endpoints from the developer and test them manually.
AnswerA

This is the standard approach to bypass certificate pinning. By installing a custom CA certificate that the testing proxy uses, the tester can intercept and modify traffic. Rooting/jailbreaking may void warranties, so client permission is essential.

Why this answer

Certificate pinning in mobile apps rejects any proxy or interception certificate that is not the expected pinned certificate. Installing a custom CA certificate on a rooted/jailbroken device allows the tester to bypass the pinning by injecting a trusted root CA that the proxy (e.g., Burp Suite) uses to sign its certificates, enabling decryption of HTTPS traffic for dynamic analysis.

Exam trap

The trap here is that candidates assume a proxy tool alone can intercept pinned traffic, forgetting that certificate pinning explicitly rejects untrusted CAs, so device modification (root/jailbreak and custom CA) is mandatory for dynamic analysis.

How to eliminate wrong answers

Option B is wrong because static analysis of source code does not capture runtime network behavior, which is required for dynamic analysis of traffic; the client specifically requested dynamic analysis. Option C is wrong because using a proxy tool like Burp Suite without modifying the device will fail — the app's certificate pinning will reject the proxy's certificate, preventing any interception of HTTPS traffic.

24
MCQhard

A client requests a penetration test but refuses to provide any information about the target systems due to security concerns. What is the most appropriate response from the tester?

A.Escalate to management
B.Offer a grey box test with minimal info
C.Conduct a black box test as requested
D.Decline the engagement
AnswerC

Black box testing assumes no prior information, meeting the client's requirements.

Why this answer

Conducting a black box test is appropriate when the client wants zero information sharing. Declining may be premature, insisting on disclosure violates the client's policy, and offering a grey box still requires some information.

25
MCQeasy

Which agreement is typically signed before a penetration test to protect both parties from legal liability?

A.Authorization letter
B.Indemnification agreement
C.Hold harmless agreement
D.Mutual NDA
AnswerC

This agreement waives liability for damages during testing.

Why this answer

A hold harmless agreement (or similar liability waiver) protects both the client and tester from legal claims arising from the test. Mutual NDA covers confidentiality, while authorization and statement of work define scope but not liability.

26
MCQmedium

During scoping, a client asks the tester to avoid a specific IP range containing legacy systems. The tester discovers these systems are vulnerable but out of scope. What should the tester do?

A.Passively monitor traffic without active exploitation
B.Ignore the legacy systems and continue as agreed
C.Notify the client and request a scope change
D.Exploit the legacy systems and include them in the report
AnswerC

Professional approach to handle out-of-scope vulnerabilities.

Why this answer

Option C is correct because the tester should notify the client and request a scope change before testing out-of-scope systems. Option A is wrong because it violates the agreed scope. Option B is wrong because ignoring a critical vulnerability is not best practice.

Option D is wrong because passive monitoring may still be considered testing.

27
MCQmedium

A client requests a penetration test of a new mobile application that is still in development and only accessible on a test server behind the corporate VPN. The tester should include which of the following in the scope?

A.The production servers hosting the app when it goes live
B.Only the test server and the mobile application client
C.The corporate VPN infrastructure
D.All third-party APIs used by the application
AnswerB

These are the actual targets of the test and should be scoped.

Why this answer

Option B is correct because the scope of a penetration test for an application still in development should be limited to the test server and the mobile application client. This ensures the assessment focuses on the application's security posture without including production systems that are not yet live or the corporate VPN infrastructure, which is typically out of scope unless explicitly requested. The tester should only evaluate the components directly relevant to the application's functionality and security during development.

Exam trap

The trap here is that candidates may mistakenly include the corporate VPN infrastructure or production servers, thinking they are necessary for a comprehensive test, but the scope must be strictly limited to the components specified by the client to avoid unauthorized testing and scope creep.

How to eliminate wrong answers

Option A is wrong because including production servers that are not yet live or accessible during the test would extend the scope beyond the client's request, potentially introducing risks to systems that are not part of the current development phase. Option C is wrong because the corporate VPN infrastructure is a network component that provides access to the test server, but it is not part of the mobile application itself; testing it would require separate authorization and is outside the scope of an application-focused penetration test.

28
MCQeasy

A client requests a penetration test of their production environment that includes critical financial transaction systems. The client is concerned about potential service disruptions. Which of the following should the tester include in the Rules of Engagement to address this concern?

A.The tester will only use passive reconnaissance techniques
B.A 'stop loss' condition that requires immediate termination of testing if system metrics exceed defined thresholds
C.Exclude all financial transaction systems from the scope of testing
D.The client must provide a service level agreement (SLA) to the tester
AnswerB

This ensures that testing halts if it starts to cause unacceptable performance degradation, protecting production systems.

Why this answer

Option B is correct because a 'stop loss' condition is a standard mechanism in Rules of Engagement (RoE) that defines specific system metrics (e.g., CPU utilization > 90%, memory usage > 80%, or transaction latency > 500ms) which, when exceeded, require immediate termination of testing. This directly addresses the client's concern about service disruptions in the production environment by providing a safety threshold that prevents the penetration test from causing performance degradation or outages in critical financial transaction systems.

Exam trap

The trap here is that candidates may confuse 'scope exclusion' (Option C) with a valid risk mitigation strategy, but the PT0-002 exam expects testers to include controls like stop-loss conditions to enable safe testing of in-scope critical systems rather than excluding them.

How to eliminate wrong answers

Option A is wrong because passive reconnaissance techniques (e.g., OSINT, traffic sniffing without injection) are insufficient for a full penetration test of financial transaction systems; they cannot validate active vulnerabilities like SQL injection or authentication bypass, and the client's concern about disruption is not addressed by limiting to passive techniques since active testing is still needed for meaningful security assessment. Option C is wrong because excluding all financial transaction systems from scope would render the penetration test ineffective for the client's primary concern—these systems are the critical assets that need testing; the goal is to test them safely, not to avoid them entirely.

29
MCQeasy

A penetration testing firm is hired to assess a U.S.-based company that has recently expanded operations to a country with strict data privacy laws (e.g., GDPR-style regulations). Which of the following is the MOST important legal consideration to include in the rules of engagement?

A.The client's headquarters location determines which laws apply
B.Data collected during the test must be stored only within the country of operation and deleted after the engagement
C.All findings must be reported in the local language of the country of operation
D.The penetration testers must be citizens of the country where the systems reside
AnswerB

This addresses data sovereignty and privacy requirements common in many jurisdictions, making it a key legal consideration for the ROE.

Why this answer

Option B is correct because under strict data privacy laws like GDPR, personal data collected during a penetration test must be stored within the jurisdiction where it was obtained and deleted once the engagement is complete. This ensures compliance with data localization and minimization requirements, which are critical legal considerations in the rules of engagement.

Exam trap

The trap here is that candidates often confuse practical or contractual preferences (like language or citizenship) with mandatory legal requirements, overlooking the core data sovereignty and deletion obligations that are non-negotiable under strict privacy laws.

How to eliminate wrong answers

Option A is wrong because data privacy laws often apply based on the location of the data subjects or where the data is processed, not solely the client's headquarters; for example, GDPR applies to any entity processing EU residents' data regardless of headquarters location. Option C is wrong because while reporting in the local language may be a practical or contractual requirement, it is not a legal mandate under typical data privacy laws like GDPR, which focus on data protection rather than language of reporting. Option D is wrong because there is no legal requirement under GDPR or similar laws that penetration testers must be citizens of the country where the systems reside; such a restriction would be unusual and not a standard legal consideration.

30
MCQeasy

A client requests a penetration test of their network and provides a list of IP addresses. During scoping, the tester notices that several IP addresses belong to a major cloud service provider. What should the tester do FIRST before including those IP addresses in the test?

A.Proceed with testing since the client provided the IP addresses
B.Ask the client to verify ownership and obtain written authorization from the cloud provider if needed
C.Exclude the cloud IP addresses from the scope without further discussion
D.Perform a quick port scan to determine if the IPs are responsive before deciding
AnswerB

This ensures that testing is performed legally and ethically, with proper authorization from all parties involved.

Why this answer

Option B is correct because testing cloud provider IP addresses without explicit authorization violates the cloud provider's terms of service and could be considered unauthorized access, potentially leading to legal action. The tester must first verify that the client actually owns those IPs (e.g., via ARIN WHOIS or cloud provider documentation) and obtain written authorization from the cloud provider, as the provider's shared infrastructure means the tester's traffic could impact other tenants. This aligns with the PT0-002 scoping requirement to confirm all targets are within the authorized boundary.

Exam trap

CompTIA often tests the misconception that a client-provided IP list is sufficient authorization, but the trap here is that cloud IPs require additional verification and written permission from the provider due to multi-tenant risks and legal boundaries.

How to eliminate wrong answers

Option A is wrong because proceeding with testing solely based on the client's list ignores the critical step of verifying ownership and authorization, risking violation of laws like the Computer Fraud and Abuse Act (CFAA) and cloud provider policies. Option C is wrong because excluding cloud IPs without discussion may omit legitimate client-owned resources (e.g., a VPC or dedicated host) that should be tested, and the tester must first clarify ownership rather than making assumptions.

31
MCQeasy

During scoping, a client insists that no social engineering be used. Which rule of engagement element does this affect?

A.Rules of engagement
B.Constraints
C.Limitations
D.Scope
AnswerC

Limitations specify restrictions like disallowed techniques.

Why this answer

Limitations define what is off-limits or restricted during the test, such as prohibiting social engineering. Rules of engagement and scope are broader concepts, while 'constraints' is a less specific term.

32
MCQmedium

A client wants a penetration test that simulates a disgruntled employee with access to the internal network but no administrative privileges. The client provides a standard user account on the domain. The tester discovers that the account has local administrator rights on a critical file server. Which step should the tester take according to typical Rules of Engagement?

A.Continue testing with the elevated privileges because they were provided
B.Use the privileges to escalate to domain admin and test further
C.Pause testing and inform the client of the unexpected privilege level for guidance
D.Revert to a lower-privileged account provided by the client
AnswerC

The tester should communicate with the client to clarify the intended scope and receive authorization for the elevated access.

Why this answer

Option C is correct because the Rules of Engagement (RoE) require the tester to operate within the agreed scope and privilege level. Discovering that the provided standard user account has unexpected local administrator rights on a critical file server represents a scope change that could invalidate the test's assumptions and potentially cause unintended damage. The tester must pause and inform the client to obtain explicit guidance before proceeding with elevated privileges.

Exam trap

The trap here is that candidates assume any discovered privilege is fair game to use, ignoring the RoE's requirement to stay within the authorized scope and the ethical obligation to seek client guidance when unexpected access is found.

How to eliminate wrong answers

Option A is wrong because continuing to test with the elevated privileges violates the RoE scope, which specified a standard user account with no administrative privileges; using unapproved privileges can lead to unauthorized access and legal issues. Option B is wrong because using local admin rights to escalate to domain admin exceeds the agreed scope and could compromise the entire domain without client consent, which is a breach of ethical hacking principles and the test's authorization.

33
MCQmedium

A penetration testing firm is scoping a test for a client that uses a hybrid infrastructure with both on-premises servers and cloud-based services (IaaS). The client specifies that only the cloud environment should be tested this year. Which concept is MOST important for the tester to discuss during the scoping meeting to avoid testing out-of-scope assets?

A.The shared responsibility model between the client and the cloud provider
B.The need to test on-premises systems as well to get a complete picture
C.The potential for false positives in cloud vulnerability scanners
D.The cost of third-party cloud penetration testing tools
AnswerA

The client is responsible for securing their own data and configurations, while the provider secures the underlying infrastructure. Testing should focus only on the client's area of responsibility.

Why this answer

The shared responsibility model defines which security controls and operational tasks are managed by the cloud provider versus the client. In a scoping meeting, understanding this model is critical because the penetration tester must only target the client's side of the responsibility boundary (e.g., guest OS, applications, and IaaS configurations) and avoid testing the provider's underlying infrastructure, which is out-of-scope. Without this discussion, the tester could inadvertently probe the provider's hypervisor or physical network, violating the scope agreement and potentially causing legal or contractual issues.

Exam trap

The trap here is that candidates may focus on technical testing concerns like false positives or scope expansion, rather than recognizing that the shared responsibility model is the foundational scoping concept that prevents testing the cloud provider's infrastructure.

How to eliminate wrong answers

Option B is wrong because the client explicitly specified that only the cloud environment should be tested this year; insisting on testing on-premises systems would directly violate the scope and is not a scoping discussion point but a scope expansion request. Option C is wrong because false positives in cloud vulnerability scanners are a technical testing concern, not a scoping issue; the most important discussion for avoiding out-of-scope assets is defining the boundary of responsibility, not the accuracy of tools.

34
MCQhard

A penetration test is being conducted for a healthcare organization subject to HIPAA. The tester is given access to a production system that contains electronic protected health information (ePHI). Which of the following should be included in the rules of engagement to ensure compliance?

A.A clause requiring encryption of all test data at rest and in transit.
B.A business associate agreement (BAA) signed between the client and the testing firm.
C.A detailed data handling and destruction procedure within the rules of engagement.
D.A restriction to only test in non-production environments.
AnswerC

The RoE should explicitly state how ePHI will be handled, stored, accessed, and destroyed to ensure HIPAA compliance.

Why this answer

Option C is correct because HIPAA requires covered entities to ensure the confidentiality, integrity, and availability of ePHI, which includes proper disposal of data after testing. A detailed data handling and destruction procedure within the rules of engagement (RoE) ensures that test data containing ePHI is securely wiped or destroyed in compliance with 45 CFR § 164.310(d)(2)(i) and NIST SP 800-88 guidelines. Without this clause, the tester might leave residual ePHI on production systems, violating HIPAA's security rule.

Exam trap

The trap here is that candidates confuse a BAA (a separate legal requirement) with a clause that must be included in the rules of engagement, or they assume encryption is a mandatory RoE clause when HIPAA treats it as addressable and not a procedural scope item.

How to eliminate wrong answers

Option A is wrong because while encryption of test data at rest and in transit is a good security practice, it is not a specific HIPAA compliance requirement that must be included in the rules of engagement; HIPAA mandates encryption as an addressable implementation specification under 45 CFR § 164.312(a)(2)(iv), but the RoE focuses on scope and handling procedures, not technical controls. Option B is wrong because a Business Associate Agreement (BAA) is a legal contract between the covered entity and the business associate (the testing firm) that must be signed before any ePHI access, but it is not part of the rules of engagement document; the BAA is a separate prerequisite, not a clause within the RoE.

35
MCQhard

During scoping, a tester learns that the client's network has multiple subsidiaries with different IP ranges. The client wants a test that covers all subsidiaries but with a limited number of target IPs. How should the tester proceed?

A.Ask for a larger budget
B.Select a representative sample of IPs from each subsidiary
C.Test only the corporate headquarters and ignore subsidiaries
D.Use a subnet calculator to combine all ranges
AnswerB

Sampling provides coverage across the entire organization within limits.

Why this answer

Selecting a representative sample of IPs from each subsidiary allows coverage across all subsidiaries while respecting the target limit. Testing only headquarters ignores subsidiaries, and combining ranges may produce too many targets. Asking for a larger budget may not be an option.

36
MCQmedium

During a penetration test of a large e-commerce platform, the client requests additional testing on a newly discovered microservice mid-engagement. The scope defined in the rules of engagement (ROE) explicitly lists all target systems. What should the penetration tester do FIRST?

A.Add the microservice to the test and include it in the final report as an unadvertised finding
B.Decline the request because the microservice was not part of the original scope
C.Inform the client that a scope amendment is needed and pause testing on the microservice until it is approved
D.Test the microservice only if it is using the same technology stack as other targets
AnswerC

This is the correct procedure. Communicating the need for a formal amendment ensures the test remains within authorized bounds and protects both parties.

Why this answer

Option C is correct because the rules of engagement (ROE) are a legally binding document that defines the scope of testing. Adding a new microservice mid-engagement without an approved scope amendment violates the ROE and could lead to legal or contractual issues. The penetration tester must first pause testing on the microservice and formally request a scope amendment to ensure all activities remain authorized.

Exam trap

The trap here is that candidates may confuse 'professional flexibility' (Option A) with proper scope management, or think that declining outright (Option B) is safer, when the correct answer requires following formal change control procedures to maintain legal and ethical boundaries.

How to eliminate wrong answers

Option A is wrong because adding the microservice without amending the ROE constitutes unauthorized testing, which could breach the contract and expose the tester to liability; the final report should only include findings from authorized targets. Option B is wrong because outright declining the request without offering a path forward (scope amendment) is unprofessional and fails to address the client's evolving needs; the correct procedure is to pause testing and seek formal approval, not simply refuse.

37
Multi-Selecthard

During the scoping phase of a penetration test, the tester and client must define the rules of engagement (ROE). Which THREE of the following should be included in the ROE? (Select THREE.)

Select 3 answers
A.Contact information for the client to report issues during the test.
B.Types of attacks permitted (e.g., phishing, social engineering).
C.Specific vulnerabilities that will be exploited.
D.Post-test remediation steps.
E.Boundaries such as IP ranges and subnets to test.
AnswersA, B, E

This ensures timely communication of critical findings.

Why this answer

The ROE should cover attack types, communication protocols, and scope boundaries. Specific vulnerabilities are unknown beforehand, and remediation is part of the post-test phase.

38
MCQhard

A 'no-fail' clause prohibits service outages. How should the tester address high-risk tests like SQL injection?

A.Remove all high-risk tests from the scope
B.Require a staging environment for testing
C.Include a clause that the tester is not liable
D.Proceed with testing and hope no outages occur
AnswerB

Eliminates risk to production.

Why this answer

Option B is correct because testing in a staging environment prevents real outages. Option A is wrong because it removes important tests. Option C is wrong because it does not prevent outages.

Option D is wrong because it is irresponsible.

39
MCQmedium

A client is planning a penetration test of their internal network but refuses to provide network diagrams or access to a staging environment. The tester is concerned about causing a denial of service (DoS) on critical systems. Which clause should be included in the rules of engagement to mitigate this risk?

A.A clause requiring the client to provide a complete list of in-scope IP addresses.
B.A waiver stating that any service disruption is the client's responsibility.
C.A rate-limiting clause that restricts scan speed and concurrent connections.
D.An exclusion list for systems that should not be tested.
AnswerC

Rate limiting is a proactive measure that reduces the chance of overwhelming network devices or services, even when the tester lacks full network visibility.

Why this answer

Option C is correct because a rate-limiting clause directly addresses the risk of causing a denial of service (DoS) by controlling the speed and concurrency of the penetration test. By restricting scan rates (e.g., using tools like Nmap with `--max-rate` or `--min-hostgroup`) and limiting concurrent connections, the tester can prevent overwhelming critical systems, even without network diagrams or a staging environment. This clause mitigates the risk without requiring the client to provide additional information or shifting liability.

Exam trap

The trap here is that candidates may choose Option A (list of IPs) thinking it reduces risk by narrowing scope, but they overlook that aggressive scanning of even a small IP list can still cause DoS, while rate-limiting directly controls the traffic intensity.

How to eliminate wrong answers

Option A is wrong because requiring a complete list of in-scope IP addresses does not prevent DoS; it only clarifies the target scope, but the tester could still cause a DoS by scanning those IPs too aggressively. Option B is wrong because a waiver stating that any service disruption is the client's responsibility does not mitigate the risk; it merely transfers liability, which is unethical and may violate the testing agreement, and does not prevent the actual DoS from occurring.

40
MCQmedium

A client hires a penetration testing firm to assess a web application that integrates with a third-party API for payment processing. The client wants to include the API endpoint in the test scope. What should the penetration tester do FIRST to ensure the test is conducted ethically and legally?

A.Assume the client has already obtained permission from the API provider
B.Obtain written authorization from the third-party API provider
C.Rely on the client's statement that the API is within scope
D.Test only the client's application code and ignore the API
AnswerB

Formal permission from the API owner is necessary to avoid legal repercussions.

Why this answer

Option B is correct because the penetration tester must obtain explicit written authorization from the third-party API provider before testing. Without this, testing the API endpoint could violate the Computer Fraud and Abuse Act (CFAA) or similar laws, as the tester would be accessing a system they do not own or have contractual permission to test. The client's scope inclusion does not grant legal access to the third-party's infrastructure.

Exam trap

The trap here is that candidates assume the client's scope definition automatically covers third-party systems, but the exam tests the legal and ethical requirement to obtain explicit permission from the actual owner of the target system.

How to eliminate wrong answers

Option A is wrong because assuming the client has obtained permission is a dangerous assumption that could lead to unauthorized access and legal liability; the tester must independently verify authorization. Option C is wrong because relying solely on the client's statement that the API is in scope ignores the fact that the client cannot grant permission for a third-party system; the tester needs direct authorization from the API provider.

41
MCQmedium

Refer to the exhibit. A penetration tester has run an initial reconnaissance scan and obtained the above output. The tester needs to decide which attack vector to prioritize based on the principle of exploiting the oldest software version. Which of the following is the most appropriate next step?

A.Exploit the MySQL service using default credentials
B.Launch a brute-force attack against SSH
C.Attempt to exploit the Remote Desktop Protocol (RDP) service
D.Perform a vulnerability scan on the web applications
AnswerB

OpenSSH 6.6 is old and vulnerable; brute-force is a common vector for SSH.

Why this answer

The SSH service is running OpenSSH 6.6, which is relatively old and known to have several vulnerabilities that can be exploited via brute-force or remote code execution. Therefore, launching a brute-force attack against SSH is prioritized. The MySQL version (5.1.73) is also old but less likely to be directly exploitable without credentials.

The web server version is not listed but Apache 2.4.29 is newer. RDP is a common target but no version indicator suggests it's old.

42
MCQeasy

A client wants to perform a penetration test on a new web application that is still in development. The application is not yet connected to the internet. Which of the following is the most appropriate scope for this test?

A.External network penetration test
B.Internal network penetration test
C.Web application vulnerability assessment
D.Social engineering campaign
AnswerC

This type of assessment is designed to find vulnerabilities in web applications, regardless of network location.

Why this answer

The application is not yet connected to the internet, so an external network penetration test (which targets internet-facing assets) is irrelevant. An internal network penetration test focuses on the internal LAN infrastructure, not the application itself. A web application vulnerability assessment is the correct scope because it directly examines the application's code, logic, and configurations for flaws such as SQL injection, XSS, and authentication bypasses, regardless of network connectivity.

Exam trap

The trap here is confusing the type of test with the network environment: candidates often assume an 'internal' test is always appropriate for any non-internet asset, but the scope must match the target's technology (web application vs. network infrastructure).

How to eliminate wrong answers

Option A is wrong because an external network penetration test requires the target to be reachable over the internet, but the application is not connected to the internet, making this scope impossible. Option B is wrong because an internal network penetration test targets network-level vulnerabilities (e.g., ARP spoofing, SMB relay) and does not focus on the web application's specific vulnerabilities, which is the client's stated need.

43
MCQhard

A medium-sized e-commerce company, CyberMart, has contracted your penetration testing firm to assess their security posture. The company operates from three physical locations: headquarters, a data center, and a remote warehouse. They have a flat internal network but separate VLANs for production, development, and guest Wi-Fi. CyberMart's CISO insists that the test must be conducted without causing any disruption to the production environment, especially the payment processing system. The test should simulate an external attacker targeting the public-facing web servers and an internal attacker who has gained initial access to the guest network. The CISO also requests that all testing be done during off-peak hours to minimize impact. You are preparing the rules of engagement. Which of the following is the most appropriate action to include in the ROE to satisfy the client's requirements while maintaining a realistic test scenario?

A.Include all VLANs but with explicit permission to conduct denial-of-service tests only during off-peak hours.
B.Allow testing on all VLANs except the production VLAN containing payment processing, with a rule to immediately stop if any degradation is observed.
C.Focus exclusively on the external web servers and exclude internal network testing due to the risk of disruption.
D.Restrict testing to only the guest network and external IPs, excluding all production VLANs.
AnswerB

This covers the required scenarios while protecting critical systems.

Why this answer

Option B allows testing on all VLANs except the production VLAN containing payment processing, and adds a stop condition if any degradation is observed. This balances realism (an internal attacker pivoting from the guest network toward other segments) with safety (protecting the payment system). Option A includes denial-of-service testing, which the CISO's no-disruption requirement rules out regardless of timing.

Option C drops internal testing altogether and so never exercises the guest-network scenario. Option D confines testing to the guest network and external IPs, which leaves the lateral-movement path from the guest VLAN into the development and non-payment production segments untested.

44
MCQmedium

A penetration testing firm is hired to perform a test on a multinational company that has offices in Europe and North America. The client wants to test all systems including those in the European office, which is subject to GDPR. Which of the following is the MOST important legal consideration to include in the rules of engagement?

A.A limitation of liability clause
B.Data protection and privacy clauses addressing handling of personal data
C.A non-disclosure agreement
D.A schedule of testing hours
AnswerB

This directly addresses GDPR requirements, specifying how personal data will be protected during the penetration test.

Why this answer

The engagement involves testing systems in a European office subject to GDPR, which imposes strict requirements on the processing and protection of personal data. The rules of engagement must include data protection and privacy clauses to define how the penetration tester will handle any personal data encountered during the test, ensuring compliance with GDPR Article 5 (lawfulness, fairness, transparency) and Article 32 (security of processing). Without these clauses, the tester could inadvertently violate GDPR by collecting or storing personal data without a lawful basis, exposing both the client and the testing firm to significant fines.

Exam trap

The trap here is that candidates often choose a non-disclosure agreement (NDA) as the most important legal consideration, confusing general confidentiality with the specific data protection obligations required by GDPR, which are distinct and more prescriptive.

How to eliminate wrong answers

Option A is wrong because a limitation of liability clause is a standard contractual provision that caps financial damages, but it does not address the specific GDPR compliance requirements for handling personal data during the test. Option C is wrong because a non-disclosure agreement (NDA) protects confidentiality of the test results and client information, but it does not define how personal data must be processed, stored, or deleted under GDPR. Option D is wrong because a schedule of testing hours is an operational consideration that avoids business disruption, but it has no direct relevance to GDPR's data protection obligations.

45
MCQhard

A penetration testing firm is hired to assess a healthcare organization's network. The client has strict regulatory requirements (HIPAA) and wants to ensure that all patient data is protected during testing. Which scoping document should specify the data handling procedures and the destruction of any collected sensitive information?

A.Rules of Engagement
B.Testing Methodology
C.Data Protection Addendum
D.Scope of Work
AnswerC

A DPA specifies how sensitive data (e.g., PHI) must be handled, stored, and destroyed in compliance with regulations.

Why this answer

A Data Protection Addendum (DPA) or equivalent data handling agreement is the appropriate document to define how sensitive data will be handled, stored, and destroyed. The Rules of Engagement cover authorization and constraints, but specific data protection clauses are often in a separate addendum or included in the contract. The Methodology and Scope of Work do not typically detail data destruction procedures.

46
MCQeasy

A small business hires a penetration tester to assess the security of their network. The owner is concerned about employee data breaches and wants to ensure compliance with industry regulations. Which of the following is the MOST critical document to establish before the test begins?

A.Vulnerability scan report
B.Rules of engagement
C.Penetration test report
D.Risk assessment matrix
AnswerB

This document outlines the scope, authorization, and constraints, making it essential before any testing occurs.

Why this answer

The Rules of Engagement (RoE) is the most critical document because it defines the legal boundaries, scope, and authorization for the penetration test. Without a signed RoE, the tester has no legal protection and the test could be considered unauthorized access, violating laws like the Computer Fraud and Abuse Act (CFAA). It also specifies key constraints such as testing times, target IP ranges, and prohibited actions, ensuring compliance with industry regulations like PCI DSS or HIPAA.

Exam trap

The trap here is that candidates confuse the Rules of Engagement with the penetration test report or vulnerability scan report, thinking that technical outputs are more important than the legal and scoping document that authorizes the entire test.

How to eliminate wrong answers

Option A is wrong because a vulnerability scan report is an output of the testing process, not a pre-engagement document; it would be generated after scanning begins. Option C is wrong because a penetration test report is the final deliverable summarizing findings, not a document that establishes authorization or scope before testing. Option D is wrong because a risk assessment matrix is a tool used during planning to prioritize risks, but it does not provide the legal and operational boundaries required to start the test; it is secondary to the RoE.

47
MCQeasy

A penetration testing firm is hired to assess the security of a small business's web application. The client has explicitly stated that they do not want any testing that could cause a denial of service. Which section of the rules of engagement should specify this restriction?

A.Scope
B.Limitations
C.Scheduling
D.Legal
AnswerB

The Limitations section documents constraints and excluded activities, such as no DoS testing.

Why this answer

The restriction against denial of service testing is a limitation on the types of activities permitted during the engagement. In the rules of engagement (RoE), the Limitations section explicitly defines what is prohibited, such as specific attack vectors, tools, or impacts like DoS, to ensure testing stays within agreed boundaries. This is distinct from the Scope, which defines what is tested (e.g., IP ranges, URLs), not what is forbidden.

Exam trap

The trap here is that candidates confuse 'Scope' (what is tested) with 'Limitations' (how it is tested), leading them to incorrectly select Scope because they think the restriction defines the boundaries of the engagement, when in fact Limitations specifies the prohibited actions within those boundaries.

How to eliminate wrong answers

Option A is wrong because Scope defines the targets (e.g., specific IP addresses, subdomains, or web application URLs) and systems in scope, not the restrictions on testing methods or impacts. Option C is wrong because Scheduling covers the timing and duration of testing (e.g., start/end dates, maintenance windows), not prohibitions on specific attack types. Option D is wrong because Legal covers contractual and regulatory compliance (e.g., data handling, liability, jurisdiction), not the operational constraints like prohibiting DoS attacks.

48
Multi-Selecteasy

A tester is planning a physical security assessment. Which TWO should be included in the scope? (Choose two.)

Select 2 answers
A.Testing the ability to tailgate through secured entrances
B.Running vulnerability scans on internal servers
C.Performing a man-in-the-middle attack on the Wi-Fi
D.Attempting to bypass biometric locks using fake fingerprints
E.Conducting a dumpster diving exercise
AnswersA, E

Standard physical test.

Why this answer

Options A and E are correct because tailgating and dumpster diving are standard components of a physical assessment. Option D (bypassing biometric locks with fake fingerprints) is also physical, but it is specialized and typically needs specific written approval. Options B and C are network-based tests, not physical ones.

49
MCQhard

The scope allows only Nmap, but it is ineffective against heavy packet filtering. The tester wants to use an alternate tool. What should the tester do?

A.Request approval from the client to use a different tool
B.Use the alternate tool and note it in the report
C.Abort the scan and report that the network is not testable
D.Use Nmap with different parameters
AnswerA

Proper scope management.

Why this answer

Option A is correct because the tester should request the client's approval before using a tool outside the agreed scope. Option B is wrong because using an unapproved tool violates the scope, and noting it afterward in the report does not cure that. Option D is wrong because the question states that Nmap itself is ineffective against the filtering and an alternate tool is needed (in practice, exhausting Nmap's own scan types and timing options is a reasonable first step before requesting the change).

Option C is wrong because aborting is premature: the network has not been shown to be untestable, only that the approved tool is ineffective.

50
MCQmedium

A client requests a penetration test that includes both their internal network and a third-party cloud service provider's infrastructure. The cloud provider has not given permission for testing. Which action should the penetration tester take regarding the cloud provider's assets?

A.Test the cloud assets as part of the engagement because they support the client's business
B.Exclude the cloud provider's assets from the scope and update the rules of engagement
C.Test only the client-facing parts of the cloud service
D.Request the client to sign an additional liability waiver for testing third-party assets
AnswerB

Assets owned by third parties without their consent must be excluded to remain within legal and ethical boundaries.

Why this answer

The correct action is to exclude the cloud provider's assets from the scope and update the rules of engagement (ROE). Penetration testing without explicit authorization from the asset owner violates legal and ethical boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The ROE must clearly define the scope to avoid testing third-party infrastructure that the client does not own or have permission to test.

Exam trap

The trap here is that candidates may assume a liability waiver or partial testing is sufficient, but the CompTIA PT0-002 exam emphasizes that explicit permission from the asset owner is non-negotiable, regardless of business relationships or waivers.

How to eliminate wrong answers

Option A is wrong because testing assets without the cloud provider's permission constitutes unauthorized access, which is illegal and violates standard penetration testing ethics and legal frameworks. Option C is wrong because there is no technical mechanism to isolate 'client-facing parts' of a cloud service without affecting the provider's backend infrastructure; any interaction with the service involves the provider's systems, and partial testing still requires the provider's consent. Option D is wrong because a liability waiver does not grant legal authorization to test third-party assets; permission must come directly from the asset owner, not from the client signing a waiver.

51
Multi-Selectmedium

Before starting a penetration test, the tester receives permission to test only two public IP ranges and is told not to perform denial-of-service testing. Which two documents or artefacts are most important to confirm before testing begins? (Choose 2.)

Select 2 answers
A.Written authorization to test the specified targets.
B.Rules of engagement describing prohibited techniques such as DoS.
C.A list of exploit payloads from a public GitHub repository.
D.A screenshot of the company home page.
AnswersA, B

Testing must be explicitly authorized.

Why this answer

Written authorization (A) is the foundational legal document that explicitly grants the tester permission to test the specified public IP ranges, protecting against claims of unauthorized access under laws like the Computer Fraud and Abuse Act. The rules of engagement (B) define the scope boundaries, including the prohibition of denial-of-service testing, which is critical to avoid service disruption and legal liability. Without these two documents, the tester lacks both legal authority and operational constraints, making them the most important artefacts before testing begins.

Exam trap

The trap here is that candidates may mistakenly prioritize technical artefacts like exploit lists or screenshots over the legal and scoping documents that are mandatory before any testing begins, confusing operational tools with authorization requirements.

52
MCQeasy

A penetration tester is scoping an engagement for a client that hosts a public-facing web application and an internal database server. The client wants to ensure that testing does not cause any disruption to the database server. Which of the following should the tester include in the rules of engagement to address this concern?

A.Specify that only passive reconnaissance techniques will be used on the database server.
B.Include a clause that the tester will not attempt to exploit any vulnerabilities on the database server.
C.Define the database server as an out-of-scope target.
D.Require that all testing activities be performed during off-peak hours only.
AnswerC

By explicitly listing the database server as out-of-scope, no testing of any kind will be performed against it, eliminating any risk of disruption.

Why this answer

Option C is correct because defining the database server as out-of-scope explicitly removes it from all testing activities, ensuring zero disruption as requested. This is the only option that fully prevents any interaction with the database server, including passive reconnaissance or exploitation attempts, which could still cause unintended load or queries.

Exam trap

The trap here is that candidates may think passive reconnaissance or off-peak testing is sufficient to avoid disruption, but the CompTIA PT0-002 exam emphasizes that only explicit out-of-scope designation guarantees no interaction with a target system.

How to eliminate wrong answers

Option A is wrong because 'passive reconnaissance' is hard to bound in practice: techniques commonly lumped under that label, such as banner grabbing, still open connections to the server, and the client's requirement is no interaction at all. Option B is wrong because a clause not to exploit vulnerabilities still allows other testing activities (e.g., scanning, enumeration) that could cause disruption, and the tester might inadvertently trigger a vulnerability during reconnaissance. Option D is wrong because performing tests during off-peak hours does not prevent disruption; it only reduces the impact on users, but the database server could still be affected by scanning or exploitation attempts.

53
MCQmedium

A wireless network test must not disrupt the network. How can the tester crack WPA2 passwords without disruption?

A.Scan for rogue access points
B.Use passive sniffing to capture traffic and crack offline
C.Perform a deauthentication attack
D.Attempt a brute-force attack against the Wi-Fi password
AnswerB

Non-disruptive.

Why this answer

Option B is correct because passive sniffing captures the WPA2 four-way handshake without transmitting any frames; the handshake is then attacked offline against a wordlist, placing no load on the network. The caveat is that the tester must wait for a legitimate client to associate or re-associate, because the handshake is only observable at that moment. Option C is wrong because a deauthentication attack actively disconnects clients (it is usually run precisely to force a new handshake, which is the disruption the scope forbids). Option D is wrong because an online brute-force attack sends authentication attempts to the access point, which is active, slow, and may trigger lockouts or alerts.

Option A is wrong because scanning for rogue access points is non-disruptive but does not test password strength at all.
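Worked example, added here and not part of the original question set: the offline step of option B, implemented from the 802.11i key derivation (PBKDF2 to PMK, PRF-384 to PTK, HMAC-SHA1 MIC over the EAPOL-Key frame). Nothing here transmits. The handshake values are constructed in-script from a known passphrase so the example runs offline; in a real engagement the SSID, MACs, nonces, EAPOL frame and MIC come from the passively captured EAPOL-Key message 2 in the pcap. The SSID, MACs and passphrases below are hypothetical.

```python
"""Offline WPA2-PSK recovery from a captured four-way handshake (added example)."""
from __future__ import annotations
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK via PRF-384 (CCMP); the first 16 bytes are the KCK that keys the EAPOL MIC."""
    # Inputs are ordered by value, not by role (min/max of MACs, then of nonces)
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key Descriptor Version 2 (AES-CCMP): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist) -> str | None:
    """Return the first candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = derive_pmk(candidate, handshake["ssid"])
        kck = derive_ptk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                         handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol_zeroed"]), handshake["mic"]):
            return candidate
    return None


def build_handshake(passphrase: str, ssid: str) -> dict:
    """Construct a synthetic EAPOL-Key message 2 for a known passphrase (demo only).

    A real capture supplies every one of these fields directly; this exists so the
    example can be run and checked offline. MACs and nonces are fixed, hypothetical values.
    """
    ap_mac, sta_mac = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol_zeroed = (
        b"\x01\x03\x00\x5f"   # EAPOL: version 1, type 3 (Key), body length 95
        + b"\x02"             # Key Descriptor Type: RSN
        + b"\x01\x0a"         # Key Information: descriptor version 2, pairwise, MIC bit set
        + b"\x00\x00"         # Key Length (0 in message 2)
        + b"\x00" * 8         # Replay Counter
        + snonce              # Key Nonce (the supplicant's SNonce)
        + b"\x00" * 16        # Key IV
        + b"\x00" * 8         # Key RSC
        + b"\x00" * 8         # Key ID (reserved)
        + b"\x00" * 16        # Key MIC, zeroed: the MIC is computed over this form of the frame
        + b"\x00\x00"         # Key Data Length (no RSN IE in this stand-in)
    )
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol_zeroed": eapol_zeroed, "mic": eapol_mic(kck, eapol_zeroed)}


if __name__ == "__main__":
    hs = build_handshake("correct horse", "LabNet")   # WPA2 passphrases are 8 to 63 characters
    print(crack(hs, ["password1", "letmein1", "correct horse"]))
```

The per-candidate cost is dominated by the 4096-iteration PBKDF2, which is why real tooling precomputes PMKs per SSID or pushes the work to GPUs; the logic above is the same. The PMK routine can be checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").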

54
MCQmedium

A client wants a penetration test of their cloud infrastructure hosted on AWS. The client states that they want to test the security of their EC2 instances, S3 buckets, and IAM configurations. The client's security team is concerned about potential service disruption due to testing. Which of the following should be included in the rules of engagement to address this concern?

A.A clause that the tester will avoid using any automated scanning tools.
B.A clear definition of what constitutes a denial-of-service condition and a requirement to stop testing immediately if such a condition is detected.
C.A requirement that the tester only performs manual testing and no tools.
D.A clause that the tester will test only during business hours.
AnswerB

This addresses the concern directly by defining thresholds and a response plan.

Why this answer

Option B is correct because it directly addresses the client's concern about service disruption by establishing a clear threshold for denial-of-service (DoS) conditions and a mandatory stop action. In AWS, automated scanning or aggressive testing can inadvertently trigger Auto Scaling events, exhaust burst credits on EC2 instances, or saturate S3 request limits, leading to degraded performance. Defining what constitutes a DoS condition (e.g., CPU > 90%, network packet loss > 5%) ensures the tester can halt immediately, protecting the client's cloud infrastructure while still allowing effective security testing.

Exam trap

The trap here is that candidates often choose options A or C, mistakenly believing that avoiding automation or restricting testing hours will prevent service disruption, when in reality the key is having a clear, measurable definition of disruption and a stop condition, as required by the PT0-002 exam's focus on scoping and risk management.

How to eliminate wrong answers

Option A is wrong because completely avoiding automated scanning tools is impractical for a thorough penetration test of AWS EC2, S3, and IAM configurations; tools like Nmap, Burp Suite, or custom scripts are essential for discovering vulnerabilities such as open ports, misconfigured bucket policies, or weak IAM roles. Option C is wrong because requiring only manual testing is overly restrictive and unrealistic for testing cloud-scale environments; automated tools are needed to efficiently enumerate S3 bucket permissions, scan for IAM privilege escalation paths, and test EC2 security group rules. Option D is wrong because testing only during business hours does not mitigate the risk of service disruption; in fact, testing during peak usage could increase the chance of impacting production workloads, and the client's concern is about disruption itself, not timing.

55
MCQmedium

A penetration tester is performing reconnaissance on a target domain. The tester queries the public DNS records and finds an SPF record that includes an 'include' mechanism pointing to a third-party email service. Which technique can the tester use to potentially discover more subdomains or internal infrastructure?

A.Perform a DNS zone transfer
B.Enumerate MX records for the third-party
C.Query the TXT records of the third-party domain
D.Use Google dorks to find exposed email addresses
AnswerC

The SPF include points to another domain; querying that domain's TXT records may reveal additional SPF includes or other records that expose further domains or subdomains.

Why this answer

The SPF record's 'include' mechanism points to a third-party email service, which itself may have SPF or other TXT records that reveal additional domains or subdomains used for email infrastructure. By querying the TXT records of the third-party domain, the tester can discover these included domains, potentially expanding the attack surface. This technique leverages the recursive nature of SPF includes to map out related infrastructure.

Exam trap

The trap here is that candidates often assume DNS zone transfers (option A) are the go-to method for subdomain discovery, but the question specifically leverages the SPF 'include' mechanism, making TXT record enumeration the correct and targeted technique.

How to eliminate wrong answers

Option A is wrong because DNS zone transfers (AXFR) require explicit server configuration to allow them and are rarely successful against public DNS servers; they are not a reliable method for discovering subdomains from an SPF include. Option B is wrong because enumerating MX records for the third-party domain only reveals mail exchange servers, not necessarily subdomains or internal infrastructure of the target; it does not leverage the SPF include chain. Option D is wrong because Google dorks for exposed email addresses are a passive reconnaissance technique for finding user emails, not for systematically discovering subdomains or internal network infrastructure from an SPF record.
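Worked example, added here and not part of the original question set: a bounded recursive walk of SPF include: and redirect= terms, collecting every domain, host and network prefix the chain exposes. The TXT answers come from a constructed in-script table with hypothetical domain names so the script runs offline; lookup_txt is the one function to swap for a real resolver. The walk stops at the RFC 7208 limit of 10 DNS-querying terms, which is what a receiving mail server would also tolerate, and a visited set breaks include loops.

```python
"""Map mail infrastructure by following SPF include:/redirect= chains (added example)."""
from __future__ import annotations

# Constructed TXT answers keyed by domain (hypothetical names, RFC 5737/3849 addresses).
FAKE_TXT: dict[str, list[str]] = {
    "target.example": ["v=spf1 mx include:_spf.mailvendor.example include:crm.example -all"],
    "_spf.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 include:eu._spf.mailvendor.example ~all"],
    "eu._spf.mailvendor.example": ["v=spf1 ip4:203.0.113.0/25 a:relay-eu.mailvendor.example ~all"],
    "crm.example": ["v=spf1 redirect=_spf.crm.example"],
    "_spf.crm.example": ["v=spf1 include:target.example ip6:2001:db8::/32 -all"],  # loops back
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check


def lookup_txt(name: str) -> list[str]:
    """Return TXT strings for name. Offline stand-in; replace with a real resolver for live use."""
    return FAKE_TXT.get(name, [])


def parse_spf(record: str) -> list[str]:
    """Split an SPF record into its terms, dropping the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    return terms[1:]


def walk_spf(domain: str) -> dict[str, set[str]]:
    """Breadth-first walk of include:/redirect= starting at domain.

    Returns 'domains' (names whose SPF record was fetched), 'hosts' (a:/mx: targets,
    plus the domain itself for bare a/mx) and 'networks' (ip4:/ip6: prefixes).
    Lookups are counted per fetched domain, a simplification of the RFC's per-term count.
    """
    found: dict[str, set[str]] = {"domains": set(), "hosts": set(), "networks": set()}
    queue = [domain]
    lookups = 0
    while queue and lookups < MAX_LOOKUPS:
        name = queue.pop(0)
        if name in found["domains"]:
            continue  # already walked; this is what stops include loops
        found["domains"].add(name)
        lookups += 1
        for txt in lookup_txt(name):
            for term in parse_spf(txt):
                t = term.lstrip("+-~?").lower()  # strip the qualifier, it does not matter for recon
                if t.startswith("include:"):
                    queue.append(t.split(":", 1)[1])
                elif t.startswith("redirect="):
                    queue.append(t.split("=", 1)[1])
                elif t.startswith(("ip4:", "ip6:")):
                    found["networks"].add(t.split(":", 1)[1])
                elif t.startswith(("a:", "mx:")):
                    found["hosts"].add(t.split(":", 1)[1])
                elif t in ("a", "mx"):
                    found["hosts"].add(name)  # bare a/mx refers to the current domain
    return found


if __name__ == "__main__":
    for kind, items in walk_spf("target.example").items():
        print(kind, sorted(items))
```

Each name in the resulting 'domains' and 'hosts' sets is a fresh target for further record enumeration, and the network prefixes show which third-party ranges are allowed to send mail as the target, which is relevant to any later phishing scenario in scope.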

56
MCQmedium

A client requests a penetration test of their production environment, which includes critical financial transaction systems. The client is concerned about potential service disruptions. Which of the following should the tester include in the Rules of Engagement to address this concern?

A.A detailed schedule of every attack method to be used
B.A clause stating that testing will stop immediately if any service degradation is detected
C.A scope that limits testing to off-peak hours and includes a rollback plan for any changes
D.A list of all tools and versions that will be used during the test
AnswerC

Testing during low-usage periods and having a rollback plan directly reduces the risk of impacting live transactions.

Why this answer

Option C is correct because it directly addresses the client's concern about service disruptions by limiting testing to off-peak hours and including a rollback plan. This ensures that any changes made during the test can be reversed quickly, minimizing the risk to critical financial transaction systems. The Rules of Engagement (RoE) must balance thorough testing with operational stability, and this scope provision achieves that.

Exam trap

CompTIA often tests the misconception that immediate stoppage upon any degradation (Option B) is the best safeguard, but the trap is that this lacks measurable criteria and could halt testing unnecessarily, whereas a well-defined scope with off-peak hours and rollback plans is the correct, proactive approach.

How to eliminate wrong answers

Option A is wrong because providing a detailed schedule of every attack method violates operational security (OPSEC) and is impractical; the RoE should specify types of attacks, not a rigid timeline, as testers need flexibility to adapt to findings. Option B is wrong because a clause to stop testing immediately upon any service degradation is too vague and reactive; it lacks predefined thresholds for what constitutes degradation, potentially causing premature termination without proper analysis. Option D is wrong because listing all tools and versions is unnecessary for the RoE; while tool inventory may be part of a separate agreement, the RoE focuses on scope, constraints, and legal boundaries, not granular tool details.
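Worked example, added here and not part of the original question set, for the stop conditions discussed in questions 54 and 56: a monitor that turns RoE thresholds such as "CPU above 90 %" or "packet loss above 5 %" into a measurable halt rule. The point of the sustain count is the objection raised against option B in question 56: a single spike must not end the engagement, while a sustained breach must. The thresholds and metric samples are constructed figures, not taken from any real environment.

```python
"""Measurable stop condition for a no-disruption engagement (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threshold:
    metric: str      # key in each metrics sample
    limit: float     # RoE-agreed ceiling
    sustain: int     # consecutive samples over the limit before testing halts


@dataclass
class StopMonitor:
    thresholds: list[Threshold]
    _streak: dict[str, int] = field(default_factory=dict)  # consecutive breaches per metric

    def __post_init__(self):
        self._streak = {t.metric: 0 for t in self.thresholds}

    def observe(self, sample: dict[str, float]) -> str | None:
        """Feed one metrics sample; return the metric that tripped, or None."""
        for t in self.thresholds:
            value = sample.get(t.metric)
            if value is None:
                continue  # a missing metric is not evidence of a breach
            if value > t.limit:
                self._streak[t.metric] += 1
                if self._streak[t.metric] >= t.sustain:
                    return t.metric
            else:
                self._streak[t.metric] = 0  # any in-range reading ends the streak
        return None


def first_stop(samples, thresholds) -> tuple[int, str] | None:
    """Replay samples in order; return (index, metric) of the first sustained breach."""
    mon = StopMonitor(thresholds)
    for i, s in enumerate(samples):
        hit = mon.observe(s)
        if hit:
            return i, hit
    return None


# Constructed RoE figures: halt if CPU > 90 % for 3 consecutive 10-second samples,
# or packet loss > 5 % for 2 consecutive samples.
ROE_THRESHOLDS = [Threshold("cpu_pct", 90.0, 3), Threshold("pkt_loss_pct", 5.0, 2)]

# Constructed samples: the CPU spike at index 1 and the two high readings at 3-4
# must not halt testing; the sustained packet loss at indices 4-5 must.
SAMPLES = [
    {"cpu_pct": 40.0, "pkt_loss_pct": 0.0},
    {"cpu_pct": 95.0, "pkt_loss_pct": 0.1},
    {"cpu_pct": 55.0, "pkt_loss_pct": 0.0},
    {"cpu_pct": 92.0, "pkt_loss_pct": 0.0},
    {"cpu_pct": 93.0, "pkt_loss_pct": 6.0},
    {"cpu_pct": 60.0, "pkt_loss_pct": 7.5},
    {"cpu_pct": 58.0, "pkt_loss_pct": 8.0},
]

if __name__ == "__main__":
    print(first_stop(SAMPLES, ROE_THRESHOLDS))
```

In use, the sample source is whatever the client already monitors (CloudWatch, the load balancer's health checks, an SNMP poller) so that the tester and the client are reading the same numbers when the halt is called.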

57
Drag & Dropmedium

Drag and drop the steps to perform a DNS enumeration using dig into the correct order.

Why this order

DNS enumeration starts with basic queries (A/AAAA and NS records for the domain), then specific record types (MX, TXT, SRV, CNAME), then a zone transfer (AXFR) attempt against each authoritative name server, and finally analysis of the collected records.

58
MCQmedium

A client with a hybrid infrastructure (on-premises and cloud IaaS) requests a penetration test covering both environments. The cloud provider's terms of service require notification and restrict scanning to specific IP ranges. In which document should these constraints be documented?

A.Non-Disclosure Agreement (NDA)
B.Rules of Engagement (ROE)
C.Penetration Testing Report
D.Scope of Work (SOW)
AnswerB

The ROE is the correct document to specify constraints like notification requirements and allowed IP ranges.

Why this answer

The Rules of Engagement (ROE) document is the authoritative source for defining the legal and technical boundaries of a penetration test, including provider-mandated constraints such as notification requirements and restricted IP ranges. In a hybrid infrastructure with cloud IaaS, the ROE must explicitly list the allowed source IPs, target CIDR blocks, and any time windows or rate limits imposed by the cloud provider to ensure compliance with their terms of service. This document is signed by both the client and the testing team before any testing begins, making it the correct place to document these operational constraints.

Exam trap

The exam often tests the distinction between the SOW (high-level scope) and the ROE (detailed operational rules), so the trap here is that candidates confuse the SOW's 'what' with the ROE's 'how' and 'under what constraints'.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) only governs confidentiality of information shared between parties, not the technical or operational boundaries of the test. Option C is wrong because the Penetration Testing Report is a post-engagement deliverable that summarizes findings and remediation steps; it does not define pre-engagement constraints like IP ranges or notification requirements. Option D is wrong because the Scope of Work (SOW) defines the high-level objectives, deliverables, and timelines of the engagement, but it does not contain the granular operational rules (e.g., specific IP ranges, scanning windows, or provider-mandated restrictions) that belong in the ROE.

59
MCQhard

A client is subject to PCI DSS compliance and requests a penetration test. The client's network has a mix of in-scope systems (cardholder data environment) and out-of-scope systems. During scoping, the tester recommends a specific approach to ensure accurate segmentation testing. Which of the following is the most important consideration for the rules of engagement?

A.The tester must have network access to both in-scope and out-of-scope systems
B.The tester must be provided with a diagram of the network segmentation
C.The tester must agree not to scan any out-of-scope IP addresses
D.The tester must obtain written authorization from the client's security team
AnswerB

A segmentation diagram defines the boundaries and is essential for the tester to plan and conduct tests that verify isolation between CDE and other networks.

Why this answer

For accurate segmentation testing under PCI DSS, the tester must verify that the segmentation controls (e.g., firewalls, VLANs, ACLs) effectively isolate the cardholder data environment (CDE) from out-of-scope systems. A network diagram is essential because it documents the expected segmentation boundaries, IP ranges, and traffic flows, allowing the tester to design targeted tests (e.g., using traceroute, nmap scans, or firewall rule validation) to confirm that no unauthorized paths exist between segments. Without this diagram, the tester cannot determine which systems should be reachable and which should be blocked, making segmentation validation unreliable.

Exam trap

The trap here is that candidates confuse the need for a network diagram (a scoping/planning artifact) with operational restrictions like not scanning out-of-scope IPs, but PCI DSS segmentation testing explicitly requires probing those out-of-scope systems to prove isolation.

How to eliminate wrong answers

Option A is wrong because providing network access to both in-scope and out-of-scope systems would defeat the purpose of segmentation testing; the tester should only have access to the CDE (in-scope) and must attempt to reach out-of-scope systems from that position to verify isolation. Option C is wrong because the tester must scan out-of-scope IP addresses as part of segmentation testing—specifically, to confirm that those systems are not reachable from the CDE—so agreeing not to scan them would prevent the core validation. Option D is wrong because written authorization from the client's security team is a general legal/contractual requirement for any penetration test, not a specific consideration for segmentation testing; the question asks for the most important consideration for the rules of engagement regarding segmentation.
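Worked example, added here and not part of the original question set: the evidence step of segmentation testing. It takes nmap grepable (-oG) output from a scan launched from inside the CDE toward an out-of-scope range and flags every host and port that answered where the diagram says traffic must be blocked. The boundary definition, the approved exception and the scan output are all constructed (documentation addresses, hypothetical jump host); the same script is run again on the output of the reverse-direction scan, from out-of-scope segments toward the CDE.

```python
"""Compare segmentation-test scan results with the expected boundary (added example)."""
from __future__ import annotations
import ipaddress
import re

# Expected boundary from the (hypothetical) segmentation diagram: from the CDE,
# nothing in 10.20.0.0/16 may be reachable except the approved jump host on 22/tcp.
OUT_OF_SCOPE = ipaddress.ip_network("10.20.0.0/16")
ALLOWED_FLOWS = {("10.20.1.5", 22)}

# Constructed nmap -oG output (port/state/proto/owner/service/rpc_info/version/ per port).
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated ... as: nmap -Pn -p 22,445,3389 -oG - 10.20.1.0/24
Host: 10.20.1.5 ()\tStatus: Up
Host: 10.20.1.5 ()\tPorts: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (1)
Host: 10.20.1.9 ()\tStatus: Up
Host: 10.20.1.9 ()\tPorts: 22/filtered/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///
Host: 10.20.1.20 ()\tPorts: 22/filtered/tcp//ssh///, 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
# Nmap done at ... -- 256 IP addresses (3 hosts up) scanned
"""

PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)")


def parse_grepable(text: str) -> dict[str, list[tuple[int, str, str]]]:
    """Map host -> [(port, state, proto)] from the 'Ports:' lines of -oG output."""
    results: dict[str, list[tuple[int, str, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]  # drop 'Ignored State:' etc.
        results.setdefault(host, [])
        for port, state, proto in PORT_RE.findall(ports_field):
            results[host].append((int(port), state, proto))
    return results


def segmentation_findings(scan_text: str) -> list[str]:
    """One finding per host/port that answered from across the boundary without an approved flow.

    'closed' counts as reachable: a TCP RST proves the probe crossed the segmentation
    control and reached the host, even though no service was listening.
    """
    findings = []
    for host, ports in parse_grepable(scan_text).items():
        if ipaddress.ip_address(host) not in OUT_OF_SCOPE:
            continue
        for port, state, proto in ports:
            if state == "filtered":
                continue  # dropped by the boundary, as the diagram requires
            if (host, port) in ALLOWED_FLOWS and state == "open":
                continue  # documented exception
            findings.append(f"{host}:{port}/{proto} is {state} from the CDE; segmentation diagram says blocked")
    return findings


if __name__ == "__main__":
    for f in segmentation_findings(NMAP_GREPABLE):
        print(f)
```

The -Pn flag matters for the scan that feeds this: without it, nmap skips hosts that do not answer a ping, and a boundary that blocks ICMP but passes TCP would look correctly segmented when it is not.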

60
Multi-Selectmedium

A web application test must cover OWASP Top 10. Which THREE should be explicitly included? (Choose three.)

Select 3 answers
A.SQL injection testing
B.Directory traversal testing
C.Cross-site scripting (XSS) testing
D.Buffer overflow testing
E.Broken authentication testing
AnswersA, C, E

In OWASP Top 10.

Why this answer

Options A, C, and E are correct because SQL injection, XSS, and broken authentication have appeared consistently in the OWASP Top 10 (in the 2021 list SQL injection and XSS fall under A03 Injection, and broken authentication under A07 Identification and Authentication Failures). Option D is wrong because buffer overflows are a native-code memory-safety issue, not a typical web application category. Option B is wrong because directory traversal is usually treated as an instance of broken access control or security misconfiguration rather than a category of its own.

61
Multi-Selecthard

An internal test prohibits buffer overflow exploits. Which TWO techniques are appropriate to test privilege escalation without violating the rule? (Choose two.)

Select 2 answers
A.Use a kernel exploit that involves a heap overflow
B.Exploit EternalBlue (MS17-010)
C.Abuse misconfigured service permissions to run as SYSTEM
D.Use Metasploit's meterpreter to run getsystem
E.Perform a pass-the-hash attack
AnswersC, E

Configuration issue, no exploit.

Why this answer

Options C and E are correct because abusing misconfigured service permissions and pass-the-hash exploit configuration and credential weaknesses, with no memory corruption involved. Option A is a heap overflow, a memory-corruption exploit, and is therefore excluded. Option B, EternalBlue (MS17-010), is an SMBv1 buffer overflow and is excluded for the same reason. Option D hands escalation to Metasploit's getsystem, which automatically tries several techniques the tester does not individually choose, so it neither demonstrates a specific weakness nor gives the tester control over the method used, which matters under a restricted rule set.

62
MCQeasy

A client wants a penetration test that includes social engineering attacks against employees. They request that the testing team not target the executive leadership team. What should be included in the rules of engagement to address this requirement?

A.A list of excluded users or groups, specifically the executive leadership team
B.The maximum number of phishing emails that can be sent
C.The time window for conducting social engineering activities
D.A description of the social engineering techniques that will be used
AnswerA

Clearly documenting exclusions in the rules of engagement ensures the testing team knows which targets to avoid.

Why this answer

Option A is correct because the rules of engagement (RoE) must explicitly define the scope and boundaries of the test. Including a list of excluded users or groups, specifically the executive leadership team, ensures that social engineering attacks are not directed at them, directly addressing the client's requirement. This is a standard scoping practice in penetration testing to prevent unintended consequences and maintain legal and ethical compliance.

Exam trap

The trap here is that candidates may confuse operational constraints (like volume or timing) with scoping exclusions, failing to recognize that only a direct list of excluded entities satisfies the requirement to avoid targeting a specific group.

How to eliminate wrong answers

Option B is wrong because the maximum number of phishing emails is a constraint on the volume of attacks, not a mechanism to exclude specific targets like the executive leadership team. Option C is wrong because the time window for conducting social engineering activities controls when attacks occur, not who is targeted; it does not prevent attacks against the executive team.

63
MCQhard

A client has a critical web application that cannot be tested in the production environment due to availability requirements. A staging environment exists that exactly mirrors production, but it uses different IP addresses, domain names, and a subset of data. The staging environment is isolated from production networks. Which scoping element is most important to include in the rules of engagement to ensure a valid test?

A.Explicitly define the staging environment as the target scope
B.Require the tester to use non-disruptive testing techniques only
C.Include the production IP ranges in the scope 'just in case'
D.Specify that the test must be performed from the internet only
AnswerA

The rules of engagement must specify the exact targets. Since the test is to be performed against staging, it must be listed as the authorized target system. This ensures legal coverage and clarity.

Why this answer

Option A is correct because the staging environment is an exact mirror of production but uses different IP addresses, domain names, and a subset of data. Explicitly defining the staging environment as the target scope ensures the tester focuses all activities on the authorized systems, preventing any accidental impact on production. This scoping element is critical for a valid test because it aligns the test with the client's availability requirements while still allowing comprehensive security testing on a representative environment.

Exam trap

The trap here is that candidates may confuse operational constraints (like non-disruptive techniques) with scoping requirements, or they may incorrectly assume that including production IPs as a 'safety net' is acceptable, when it actually violates the core principle of scope definition and availability requirements.

How to eliminate wrong answers

Option B is wrong because requiring non-disruptive testing techniques only is a constraint on methodology, not a scoping element; it does not define the target environment, and because the staging environment is isolated, more aggressive techniques carry far less risk there in any case. Option C is wrong because including production IP ranges in the scope 'just in case' contradicts the client's availability requirements and invites unauthorized testing of production systems, which is both risky and outside the agreed rules of engagement.

64
MCQhard

Based on the exhibit, which host or network can SSH to 10.0.1.10?

A.192.168.1.0/24
B.10.0.1.0/24
C.None
D.0.0.0.0/0
AnswerC

Due to the first drop rule covering the entire 10.0.1.0/24 subnet, no SSH traffic can reach 10.0.1.10.

Why this answer

The rule set is evaluated top down and the first matching rule wins. The first rule drops all traffic from any source to the 10.0.1.0/24 network; because 10.0.1.10 falls within that subnet, every packet destined for it matches the drop rule before the later SSH allow rule is ever consulted. The allow rule is therefore shadowed, and no host can SSH to 10.0.1.10 until the allow rule is moved above the drop.
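A first-match evaluator with shadowed-rule detection, as an added example (not the exhibit, which is not reproduced on this page): the rule set below is constructed from what the explanation describes, a leading drop for 10.0.1.0/24 followed by SSH allow rules for 10.0.1.10. The candidate source networks mirror the answer options; rule order, field names and the explicit final deny are assumptions.

```python
"""First-match firewall rule evaluation and shadowed-rule detection.

Added example, not from the original page. RULES is constructed to match
the question's explanation; the exact exhibit is not available here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "drop"
    src: str                # source CIDR
    dst: str                # destination CIDR
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match also matches self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


# Constructed rule set (assumption): the drop rule sits above the allows.
RULES = [
    Rule("drop",  "0.0.0.0/0",      "10.0.1.0/24",  "any", None),
    Rule("allow", "192.168.1.0/24", "10.0.1.10/32", "tcp", 22),
    Rule("allow", "10.0.1.0/24",    "10.0.1.10/32", "tcp", 22),
    Rule("drop",  "0.0.0.0/0",      "0.0.0.0/0",    "any", None),  # implicit deny made explicit
]


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (action, rule index) of the first matching rule; first match wins."""
    for i, r in enumerate(rules):
        if r.matches(src_ip, dst_ip, proto, dport):
            return r.action, i
    return "drop", None          # default deny if nothing matched


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule with a
    different action already covers every packet they would match."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(e.action != later.action and e.covers(later) for e in rules[:i]):
            shadowed.append(i)
    return shadowed


def who_can_ssh(rules, candidate_nets, target="10.0.1.10"):
    """Candidate source networks from which TCP/22 to target is allowed,
    probing with the first usable host address of each network."""
    allowed = []
    for net in candidate_nets:
        probe = str(next(ipaddress.ip_network(net).hosts()))
        if evaluate(rules, probe, target, "tcp", 22)[0] == "allow":
            allowed.append(net)
    return allowed


CANDIDATES = ["192.168.1.0/24", "10.0.1.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print("as written:", who_can_ssh(RULES, CANDIDATES), "shadowed:", shadowed_rules(RULES))
    print("drop moved below allows:", who_can_ssh(RULES[1:], CANDIDATES))
```

Running shadowed_rules over a client's rule base during scoping is a cheap way to confirm whether a "no access from X" statement in the rules of engagement is actually enforced by the ordering, not just by intent.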

65
MCQmedium

A penetration testing firm is scoping a test for a financial institution. The client insists that the test only be performed on systems located in the corporate headquarters, excluding cloud-based infrastructure and remote branch offices. Which of the following should the penetration tester emphasize during the scoping discussion?

A.The test will include social engineering of remote employees
B.The exclusion of cloud infrastructure may leave critical assets untested
C.The test can only be performed during off-hours
D.The tester will require VPN access to the corporate network
AnswerB

Correct. Emphasizing the risk of untested critical assets helps the client understand the scope limitation's impact on overall security assurance.

Why this answer

Option B is correct because the client's exclusion of cloud-based infrastructure and remote branch offices creates a significant gap in the test scope. A penetration test that ignores cloud assets (e.g., AWS, Azure, or SaaS applications) may miss critical vulnerabilities in systems that process or store sensitive financial data, as these are often part of the institution's attack surface. The tester must emphasize that such exclusions can lead to a false sense of security, as attackers frequently target cloud and remote assets due to their accessibility and potential misconfigurations.

Exam trap

The trap here is that candidates may focus on operational details like timing or social engineering, rather than recognizing that scope exclusions (especially cloud) directly undermine the test's ability to assess the full attack surface, which is a core principle of scoping in PT0-002.

How to eliminate wrong answers

Option A is wrong because social engineering of remote employees is a separate attack vector that does not address the core scoping issue of excluding cloud and branch office systems; the client's restriction is on the systems tested, not the methods used. Option C is wrong because the timing of the test (off-hours vs. business hours) is a separate operational consideration, not a direct response to the client's exclusion of cloud and branch infrastructure; the primary scoping concern is the incomplete coverage of the attack surface, not the schedule.

66
MCQeasy

A penetration testing firm is hired to assess a client's web application that integrates with a third-party payment processor's API. The client wants to include the payment processor's API in the test scope. Which action should the tester take FIRST?

A.Begin testing the API because it is part of the client's environment
B.Request written permission from the payment processor
C.Only test the client's internal systems, excluding the API
D.Use the payment processor's sandbox environment without notifying them
AnswerB

This is the correct first step. The tester must obtain explicit permission from the third party to ensure legal and ethical testing.

Why this answer

The correct first action is to request written permission from the payment processor because the API is owned and operated by a third party, not the client. Testing a third-party API without explicit authorization could violate the Computer Fraud and Abuse Act (CFAA) and the payment processor's terms of service, potentially leading to legal liability for both the tester and the client. The scope of a penetration test must be legally defined and agreed upon by all parties whose systems are being tested.

Exam trap

The trap here is that candidates assume the client's request automatically grants legal authority to test any integrated system, overlooking the critical distinction between ownership and integration in scoping agreements.

How to eliminate wrong answers

Option A is wrong because beginning to test the API without authorization assumes the client has the legal right to grant access to a third-party system, which is a common misconception that can lead to unauthorized access and legal consequences. Option C is wrong because it ignores the client's explicit request to include the API in the test scope, failing to meet the engagement requirements and potentially leaving critical integration vulnerabilities unassessed.

67
MCQeasy

A small business owner contacts you to perform a penetration test. The company has a single office with 50 employees, uses a cloud-based email service (Office 365), and hosts a public-facing website on a shared server. The owner is concerned about external threats but does not allow any testing that could disrupt operations. The owner wants to test the security of the website and the email system against common attacks, such as SQL injection, XSS, and phishing. Based on these constraints and the environment, which type of penetration test is most appropriate?

A.Covert red team exercise simulating a persistent attacker.
B.Full disclosure black-box test from an external perspective.
C.External gray-box test with a restricted schedule and prior notification.
D.Internal vulnerability assessment of the local network.
AnswerC

This allows focused testing with minimal disruption and aligns with client's constraints.

Why this answer

Given the owner's concern about disruption and the need to test externally exposed assets, a gray-box test (some information provided) run in an agreed window outside peak hours and with prior notification best balances effectiveness and risk. A black-box test with no information and no notification carries a higher chance of unexpected disruption; a covert red team exercise would trigger alerts and incident response and goes beyond what the owner asked for; an internal assessment does not cover the external assets (the website and the hosted email service) the owner wants tested.

68
MCQeasy

A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?

A.The on-premises systems are more critical, so testing them is sufficient.
B.Cloud systems are generally more secure and do not require testing.
C.Limiting the scope to on-premises may result in an incomplete risk picture because cloud systems are part of the attack surface.
D.Testing cloud systems would violate the shared responsibility model.
AnswerC

Both on-premises and cloud systems contribute to the overall attack surface; excluding one may leave critical vulnerabilities undetected.

Why this answer

Option C is correct because the client's hybrid infrastructure means that cloud-based virtual machines are part of the overall attack surface, and limiting the scope to on-premises systems ignores potential attack vectors such as misconfigured cloud APIs, insecure inter-VPC routing, or compromised cloud credentials that could lead to lateral movement into on-premises systems. A penetration test must assess all components that can be exploited to provide a complete risk picture, as cloud systems often serve as entry points or pivot points into the on-premises environment.

Exam trap

The trap here is that candidates may assume budget constraints justify limiting scope to on-premises, but the exam tests the principle that a penetration test must cover the entire attack surface to be valid, and cloud systems are a critical part of that surface in hybrid architectures.

How to eliminate wrong answers

Option A is wrong because it assumes on-premises systems are inherently more critical, which is a subjective and unsupported claim; in a hybrid infrastructure, cloud systems may host sensitive data or applications and can be the initial breach vector, so excluding them leaves critical risks unassessed. Option B is wrong because it incorrectly states that cloud systems are generally more secure and do not require testing; in reality, cloud systems are subject to misconfigurations (e.g., open S3 buckets, overly permissive IAM roles) and shared responsibility model gaps that require dedicated security testing.

69
MCQeasy

A client requests a penetration test but only provides network diagrams and application credentials. Which type of test is being scoped?

A.Red team
B.Black box
C.Grey box
D.White box
AnswerC

Grey box testing involves limited information sharing, such as network diagrams and credentials.

Why this answer

A grey box test provides the tester with partial information such as network diagrams and credentials, which matches the scenario. Black box tests provide no information, white box tests provide full information (source code, architecture, configurations), and a red team engagement is an objective-driven, often covert engagement style defined by its goals rather than by the amount of information shared.

70
MCQhard

A client wants a penetration test that includes testing of their internal network, external perimeter, and wireless. However, they have a very limited budget. Which approach would best meet the client's needs while staying within budget?

A.Use vulnerability scanners for all three areas
B.Conduct a targeted test focusing on high-risk areas identified through threat modeling
C.Only test internal and external
D.Only test external and wireless
AnswerB

This balances coverage and cost by prioritizing the most critical assets.

Why this answer

Conducting a targeted test focused on high-risk areas identified through threat modeling allows coverage of all three areas with limited depth, maximizing value within budget. Skipping areas or using only automated tools may not meet the client's full requirements.

71
MCQeasy

A client wants a penetration test of their internal network. They are concerned about causing any disruption to the production systems. The tester should include which of the following in the rules of engagement to address this concern?

A.A list of all tools that will be used during the test
B.A clear definition of the testing window and contact information for emergency stop
C.A requirement for the client to disable their antivirus software
D.A statement that the tester will not be liable for any damages
AnswerB

This is essential to manage and halt testing if disruptions occur, aligning with client's concern.

Why this answer

Option B is correct because a clearly defined testing window with emergency stop contact information directly addresses the client's concern about production disruption. This ensures the tester can immediately halt activities if any instability is detected, aligning with the principle of minimizing operational impact during a penetration test.

Exam trap

The trap here is that candidates may mistakenly think listing tools or disabling antivirus is necessary for a thorough test, but the core concern is disruption prevention, which is directly addressed by the testing window and emergency stop clause in the RoE.

How to eliminate wrong answers

Option A is wrong because listing all tools used during the test does not prevent or mitigate disruption to production systems; it only provides transparency about the testing methodology. Option C is wrong because requiring the client to disable antivirus software would actually increase the risk of disruption, as it removes a critical security control that could detect and block malicious activity, potentially leading to unintended system instability or compromise.

72
MCQeasy

A client wants to conduct a penetration test of their web application, but they are concerned about potential service disruption. They request that the tester avoid using any techniques that could cause the application to crash or become unresponsive. Which of the following should the tester include in the rules of engagement to address this requirement?

A.Specify that the tester will only use ACK scans and never send data payloads.
B.Include a clause that prohibits denial-of-service attacks and rate-limits all automated tools.
C.State that the tester will not use any automated tools and will perform only manual testing.
D.Do not include any specific limitation; the tester assumes responsibility for any outages.
AnswerB

Explicitly prohibiting DoS and implementing rate limits directly addresses the client's concern about service disruption.

Why this answer

Option B is correct because it directly addresses the client's concern by prohibiting denial-of-service attacks and implementing rate-limiting on automated tools. Rate-limiting prevents overwhelming the web application with requests, which could cause resource exhaustion or unresponsiveness, while the prohibition on DoS ensures no intentional disruption occurs. This aligns with the rules of engagement (RoE) requirement to scope the test safely.

Exam trap

The trap here is that candidates confuse 'avoiding service disruption' with 'avoiding all automated tools' or 'avoiding all payloads,' when the correct approach is to control the intensity of testing through rate-limiting and explicit prohibitions on disruptive techniques like DoS.

How to eliminate wrong answers

Option A is wrong because ACK scans are a port-scanning technique, not a web application testing technique, and sent at a high rate they can still load a target; the clause 'never send data payloads' is also irrelevant to preventing crashes, since ordinary application tests (injection probes, form submissions) necessarily send data and can be run safely when rate-limited. Option C is wrong because it unnecessarily bans all automated tools, which would severely limit the test's effectiveness; manual testing alone cannot efficiently cover a large web application, and automated tools can be used safely with rate-limiting and proper configuration.

73
Multi-Selecthard

A penetration tester is scoping a test for a client that uses a hybrid identity system. The client wants to ensure that the test does not affect production authentication. Which TWO actions should the tester recommend?

Select 2 answers
A.Test using non-production accounts
B.Conduct testing during off-peak hours
C.Use a separate domain for testing
D.Perform password spraying against all users
E.Disable MFA for test accounts
AnswersA, C

Keeps test traffic away from real user accounts.

Why this answer

Using non-production accounts and a separate test domain isolate the test from production identity systems. Password spraying against all users could disrupt accounts, and disabling MFA may weaken security. Off-peak scheduling reduces impact but does not prevent direct interaction with production systems.

74
MCQeasy

During the scoping phase of a penetration test, a client wants to test a third-party API that is integral to their web application. However, they do not have permission from the third-party provider. Which of the following should the tester do first?

A.Proceed with testing the API but restrict the test to read-only operations
B.Exclude the third-party API from the scope and document the limitation
C.Contact the third-party provider directly to obtain permission
D.Include the API in the scope and note the legal risks in the report
AnswerB

This is the correct approach. The scope should clearly state what is in and out of bounds. The client can then seek permission separately if desired.

Why this answer

Option B is correct because testing a third-party API without explicit permission from the provider violates legal and ethical boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). The penetration tester must first document this limitation in the scope to ensure the client understands the risk and to maintain the test's legality. Proceeding without permission could lead to liability for both the tester and the client.

Exam trap

The trap here is that candidates may assume 'read-only' testing is safe or that direct contact with the third party is proactive, but the exam emphasizes that scope limitations must be documented and that the client, not the tester, is responsible for obtaining permissions.

How to eliminate wrong answers

Option A is wrong because restricting testing to read-only operations does not grant legal permission; any interaction with the third-party API without authorization, even read-only, can still be considered unauthorized access and may violate the provider's terms of service or applicable laws. Option C is wrong because the tester should not contact the third-party provider directly, as this is the client's responsibility; the tester lacks the contractual relationship to negotiate permissions and doing so could breach confidentiality or scope agreements.

75
MCQhard

Refer to the exhibit. A penetration tester reviews this S3 bucket policy. The bucket contains sensitive data. Which of the following best describes the security issue?

A.The policy allows only specific users to read objects
B.The policy allows anyone with an IP in the 10.0.0.0/8 range to read objects
C.The policy allows anonymous write access
D.The policy allows any AWS principal to read objects
AnswerB

Overly permissive and misconfigured.

Why this answer

Option B is correct because the statement grants s3:GetObject to Principal "*" (any requester, including anonymous ones) and gates it only with an aws:SourceIp condition on 10.0.0.0/8. That is overly permissive and misconfigured: 10.0.0.0/8 is a private (RFC 1918) range that is not globally unique or routable, so the condition does not identify a trusted set of clients, and the grant itself is still to an anonymous principal. Option A is wrong because the Principal is "*", not a list of specific users. Option C is wrong because the only action granted is s3:GetObject; no write action is present. Option D is wrong because the aws:SourceIp condition restricts the statement; it does not apply to any AWS principal unconditionally.
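An evaluator for the pattern the exhibit describes, as an added example (not the exhibit itself): the policy JSON is constructed from the explanation (Principal "*", Action s3:GetObject, an IpAddress condition on 10.0.0.0/8), and the bucket name and Sid are assumptions. It implements only the slice of IAM policy grammar the question needs (Allow statements, anonymous principals, the IpAddress and NotIpAddress operators on aws:SourceIp) and reports the anonymous-principal-gated-by-private-range finding.

```python
"""Evaluate an S3 bucket policy for an anonymous request and flag the
"Principal * + private-range aws:SourceIp" misconfiguration.

Added example, not from the original page. CONSTRUCTED_POLICY is built
from the question's explanation; bucket name and Sid are assumptions.
Only the policy grammar needed for this case is implemented.
"""
import ipaddress
import json

CONSTRUCTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadFromCorpRange",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-sensitive-bucket/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
    }
  ]
}
""")

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any requester, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _ip_condition_matches(cond: dict, source_ip: str) -> bool:
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp; unknown operators
    are treated as not matching so the evaluator never over-grants."""
    ip = ipaddress.ip_address(source_ip)
    for op, kv in cond.items():
        cidrs = [ipaddress.ip_network(c) for c in _as_list(kv.get("aws:SourceIp", []))]
        if not cidrs:
            continue
        hit = any(ip in c for c in cidrs)
        if op == "IpAddress" and not hit:
            return False
        if op == "NotIpAddress" and hit:
            return False
        if op not in ("IpAddress", "NotIpAddress"):
            return False
    return True


def anonymous_allowed(policy: dict, action: str, source_ip: str) -> bool:
    """True if an unauthenticated request for `action` from `source_ip` is
    granted by some Allow statement (the constructed policy has no Deny)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        if action not in _as_list(st.get("Action", [])):
            continue
        if _ip_condition_matches(st.get("Condition", {}), source_ip):
            return True
    return False


def policy_findings(policy: dict):
    """Human-readable findings for anonymous-principal statements."""
    out = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        cidrs = [ipaddress.ip_network(c) for c in
                 _as_list(st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))]
        if not cidrs:
            out.append(f"{sid}: anonymous principal with no condition (public bucket)")
            continue
        private = [str(c) for c in cidrs if any(c.subnet_of(p) for p in PRIVATE_RANGES)]
        if private:
            out.append(f"{sid}: anonymous principal gated only by private range(s) "
                       f"{', '.join(private)}; these addresses are not globally unique, "
                       "so the condition does not identify trusted clients")
    return out


if __name__ == "__main__":
    for f in policy_findings(CONSTRUCTED_POLICY):
        print(f)
```

The fix is to grant the read to a named principal (an IAM role or account) and, if network restriction is still wanted, to use aws:SourceVpce or aws:VpcSourceIp for traffic arriving through a VPC endpoint rather than a private range in aws:SourceIp.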
