Question 1mediummultiple choice
Full question →PT0-002 · topic practice
Planning And Scoping practice questions
Use this page to practise PT0-002 Planning And Scoping practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Planning And Scoping
Planning And Scoping questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
Planning And Scoping questions
20 questions · select your answer, then reveal the explanation
Question 2mediummultiple choice
Full question →A client engages a penetration testing firm to evaluate the security of their internal network. During the scoping meeting, the client states that they use a network access control (NAC) solution that might block the tester's machine if it is connected to the internal network without prior authorization. Which of the following should be included in the rules of engagement to address this potential issue?
Question 3mediummultiple choice
Full question →A client wants to test a web application that uses multiple third-party APIs for payment processing, shipping, and customer relationship management. The client states that the APIs are critical for operations but cannot be taken offline. Which scoping consideration is most important to include in the rules of engagement?
Question 4hardmultiple choice
Full question →A client is subject to PCI DSS compliance and requests a penetration test. The client's network has a mix of in-scope systems (cardholder data environment) and out-of-scope systems. During scoping, the tester recommends a specific approach to ensure accurate segmentation testing. Which of the following is the most important consideration for the rules of engagement?
Question 5easymultiple choice
Full question →A penetration testing firm is scoping a test for a client that has a hybrid infrastructure with on-premises servers and cloud-based virtual machines. The client insists on testing only the on-premises systems due to budget constraints. Which of the following should the penetration tester emphasize during the scoping discussion?
Question 6easymultiple choice
Full question →A penetration tester is asked to perform a test that focuses on identifying vulnerabilities in a company's external web application without providing any internal credentials. The tester has been given a signed agreement that lists the IP range and URLs. Which of the following scoping considerations is MOST directly addressed by the agreement?
Question 7easymultiple choice
Full question →A small business hires a penetration tester to assess the security of their network. The owner is concerned about employee data breaches and wants to ensure compliance with industry regulations. Which of the following is the MOST critical document to establish before the test begins?
Question 8easymultiple choice
Full question →A penetration tester is scoping an engagement for a client that hosts a public-facing web application and an internal database server. The client wants to ensure that testing does not cause any disruption to the database server. Which of the following should the tester include in the rules of engagement to address this concern?
Question 9hardmultiple choice
Full question →A penetration testing firm is hired to assess a healthcare organization's network. The client has strict regulatory requirements (HIPAA) and wants to ensure that all patient data is protected during testing. Which scoping document should specify the data handling procedures and the destruction of any collected sensitive information?
Question 10mediummultiple choice
Full question →A penetration testing firm is scoping a test for a client that uses a hybrid infrastructure with both on-premises servers and cloud-based services (IaaS). The client specifies that only the cloud environment should be tested this year. Which concept is MOST important for the tester to discuss during the scoping meeting to avoid testing out-of-scope assets?
Question 11easymultiple choice
Full question →During the scoping phase of a penetration test, a client wants to test a third-party API that is integral to their web application. However, they do not have permission from the third-party provider. Which of the following should the tester do first?
Question 12mediummultiple choice
Full question →A client is planning a penetration test of their internal network but refuses to provide network diagrams or access to a staging environment. The tester is concerned about causing a denial of service (DoS) on critical systems. Which clause should be included in the rules of engagement to mitigate this risk?
Question 13easymultiple choice
Full question →A client is planning a penetration test of their AWS cloud environment. They will provide the tester with an IAM user account with limited permissions. Which of the following scoping restrictions is most important to include in the rules of engagement to avoid unexpected costs?
Question 14hardmultiple choice
Full question →A client has a critical web application that cannot be tested in the production environment due to availability requirements. A staging environment exists that exactly mirrors production, but it uses different IP addresses, domain names, and a subset of data. The staging environment is isolated from production networks. Which scoping element is most important to include in the rules of engagement to ensure a valid test?
Question 15easymultiple choice
Full question →A client requests a penetration test of their network and provides a list of IP addresses. During scoping, the tester notices that several IP addresses belong to a major cloud service provider. What should the tester do FIRST before including those IP addresses in the test?
Question 16easymultiple choice
Full question →A client wants a penetration test that includes social engineering attacks against employees. They request that the testing team not target the executive leadership team. What should be included in the rules of engagement to address this requirement?
Question 17mediummultiple choice
Full question →A penetration tester is contracted to perform a test of a company's critical web application that handles financial transactions. The client requires that testing must not degrade the application's performance for live users. Which of the following scoping controls would best address this requirement?
Question 18easymultiple choice
Full question →A penetration tester is engaged to perform a red team exercise for a large enterprise. The client wants the test to simulate a realistic attack from an external threat actor. Which of the following scoping elements is most important to include in the rules of engagement?
Question 19mediummultiple choice
Full question →A penetration tester is scoping a test for a multinational corporation that has offices in the United States and the European Union. The client wants to test the entire environment. Which of the following is the MOST important legal consideration for the tester to include in the rules of engagement?
Question 20mediummultiple choice
Full question →A penetration testing firm is hired to assess a client's network that includes both internal servers and external cloud-based services. The client wants to test only the internal network due to compliance concerns about testing cloud infrastructure. Which of the following should the penetration tester MOST strongly emphasize during the scoping meeting?
Watch out for
Common Planning And Scoping exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused Planning And Scoping sessions
Start a Planning And Scoping only practice session
Every question in these sessions is drawn from the Planning And Scoping domain — nothing else.
Related practice questions
Related PT0-002 topic practice pages
Move into related areas when this topic feels solid.
Frequently asked questions
- What does the PT0-002 exam test about Planning And Scoping?
- Planning And Scoping questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just Planning And Scoping questions in a focused session?
- Yes — the session launcher on this page draws every question from the Planning And Scoping domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other PT0-002 topics?
- Use the topic links above to move to related areas, or go back to the PT0-002 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the PT0-002 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeStudy resources
Exam traps to avoid
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.