CCNA Ptp Planning Scoping Questions

74 questions · Ptp Planning Scoping topic · All types, answers revealed

1
MCQ · medium

A penetration tester is planning a social engineering engagement targeting employees of a client. The client requests that only non-managerial staff be tested. Which scoping consideration is most directly affected by this request?

A. IP address range
B. Production vs. staging
C. Third-party services
D. Personnel scope
Answer: D

Personnel scope defines which employees are in scope for social engineering.

Why this answer

Personnel scope determines which individuals or groups are targeted in social engineering tests.

2
MCQ · hard

During a social engineering engagement, a tester is authorized to target employees via email phishing. However, the tester accidentally sends a phishing email to a contractor who is not listed in the personnel scope. The contractor reports the email to the client's security team, causing an internal investigation. Which of the following best describes the tester's mistake?

A. Breach of the Non-Disclosure Agreement
B. Failure to follow the Rules of Engagement
C. Mishandling of discovered criminal activity
D. Violation of the Computer Fraud and Abuse Act (CFAA)
Answer: B

RoE should specify personnel scope; sending to out-of-scope individuals violates the engagement rules.

Why this answer

Personnel scope must be clearly defined; the tester failed to adhere to the scoping requirements for social engineering.

3
MCQ · medium

Which of the following is the primary purpose of a get-out-of-jail letter in a penetration testing engagement?

A. To protect the client from legal liability
B. To document emergency contacts
C. To outline the scope of the test
D. To authorize the tester to perform testing activities and avoid prosecution
Answer: D

The letter serves as permission to test.

Why this answer

The get-out-of-jail letter provides legal authorization for the tester to perform activities that might otherwise be considered illegal, such as scanning or exploitation.

4
Multi-Select · medium

A penetration testing company is scoping a test for a client. The client wants to ensure that testing does not impact production systems. Which TWO of the following are appropriate scoping considerations? (Select TWO.)

Select 2 answers
A. Testing on a staging environment
B. Including all third-party services
C. Allowing unlimited testing hours
D. Testing all IP addresses in the organization
E. Defining specific test windows
Answers: A, E

Staging environments are safe for testing.

Why this answer

Testing on a staging environment is correct because it isolates the penetration test from production systems, ensuring no risk of data corruption, service disruption, or unintended exposure of sensitive production data. Staging environments replicate production configurations and data sets, allowing the tester to identify vulnerabilities without impacting live operations.

Exam trap

The trap here is that candidates may confuse 'defining specific test windows' with a scheduling detail rather than a scoping control, but it directly prevents testing during production peak hours, thus protecting production systems from impact.

5
MCQ · medium

During the pre-engagement phase, a penetration tester and the client agree on the specific IP ranges to be tested, testing windows, and what constitutes an emergency stop condition. Which document typically contains these details?

A. Non-Disclosure Agreement (NDA)
B. Get-out-of-jail letter
C. Rules of Engagement (RoE)
D. Statement of Work (SOW)
Answer: C

Correct. RoE includes IP ranges, testing windows, and stop criteria.

Why this answer

The Rules of Engagement (RoE) document is specifically designed to define the scope, authorization, and constraints of a penetration test, including target IP ranges, testing windows, and emergency stop conditions. This ensures both the tester and client have a clear, legally binding agreement on how the test will be conducted, preventing misunderstandings or unauthorized actions.

Exam trap

Cisco often tests the distinction between the SOW and RoE, where candidates mistakenly choose SOW because it sounds like it covers scope, but the RoE is the document that contains the granular operational rules like IP ranges and emergency stop conditions.

How to eliminate wrong answers

Option A is wrong because a Non-Disclosure Agreement (NDA) is a legal contract that protects confidential information shared between parties, not operational details like IP ranges or testing windows. Option B is wrong because a get-out-of-jail letter is an authorization document that protects the tester from legal liability during testing, but it does not contain scoping details such as IP ranges or testing schedules. Option D is wrong because a Statement of Work (SOW) outlines high-level project deliverables, timelines, and costs, but it typically does not include the granular operational constraints like emergency stop conditions or specific IP ranges, which are reserved for the RoE.

6
Multi-Select · hard

A penetration tester is preparing a post-engagement deliverable. Which THREE of the following should be included in the final report? (Select THREE.)

Select 3 answers
A. Remediation guidance
B. Detailed log of every command executed
C. Executive summary
D. Technical findings and vulnerabilities
E. Tester's hourly billing breakdown
Answers: A, C, D

Helps client fix issues.

Why this answer

Remediation guidance (A) is a required component of a penetration testing final report because it provides actionable steps to fix identified vulnerabilities. Without remediation guidance, the report would lack practical value for the client's security team, as they need clear instructions on how to mitigate risks. This aligns with PT0-002 objectives for post-engagement deliverables.

Exam trap

Cisco often tests the misconception that exhaustive operational logs (B) or billing details (E) are part of the final report, when in fact they are extraneous and not required for the client's understanding or remediation of security issues.

7
MCQ · easy

A company hires a penetration testing firm to simulate the tactics, techniques, and procedures of a real adversary. The engagement includes attempting to achieve specific objectives without being detected. This type of engagement is best described as:

A. Network penetration test
B. Web application penetration test
C. Social engineering engagement
D. Red team exercise
Answer: D

Red team exercises mimic real adversaries with specific objectives.

Why this answer

A red team exercise is an adversary simulation that aims to test detection and response capabilities.

8
Multi-Select · medium

A penetration tester is scoping a web application penetration test. The client wants to include a third-party API that processes payments. Which TWO are appropriate considerations?

Select 2 answers
A. Assume the API is secure because it is a well-known provider
B. Test only the client's code and ignore the API entirely
C. Obtain written permission from the third-party provider before testing
D. Include the API in scope without permission because it is critical to the application
E. Document the API as out-of-scope if permission is not granted
Answers: C, E

Permission is required to avoid legal issues.

Why this answer

Option C is correct because testing a third-party API without explicit written permission violates legal and ethical boundaries, potentially constituting unauthorized access under laws like the Computer Fraud and Abuse Act (CFAA). Penetration testers must obtain explicit authorization from the API provider to avoid liability and ensure the test is conducted within agreed-upon boundaries.

Exam trap

The trap here is that candidates may assume a well-known API is inherently secure (Option A) or that testing only the client's code is sufficient (Option B), overlooking the legal necessity of permission and the risk of integration flaws.

9
MCQ · hard

A penetration tester is conducting a grey box test on a web application. During the test, the tester discovers that the application is hosted on a cloud infrastructure that belongs to a third-party provider. The client did not mention this provider in the scope. What is the best course of action regarding testing this infrastructure?

A. Add the cloud provider to the scope without notifying the client
B. Stop testing the cloud infrastructure and notify the client
C. Continue testing because the application is owned by the client
D. Obtain verbal permission from the cloud provider and proceed
Answer: B

The tester should halt any testing on out-of-scope assets and inform the client.

Why this answer

Testing third-party infrastructure without permission is illegal and violates the rules of engagement. The tester should stop testing that part and inform the client.

10
MCQ · medium

A company wants to simulate a real-world attack scenario where the penetration tester has no prior knowledge of the environment and must act as an external threat actor. However, the tester is allowed to use social engineering to gain initial access. Which type of engagement is most appropriate?

A. Red team exercise
B. Network penetration test
C. Wireless penetration test
D. Web application penetration test
Answer: A

A red team exercise simulates a real adversary and can include social engineering.

Why this answer

A red team exercise is a full-scope adversary simulation that can include social engineering and black box testing.

11
MCQ · hard

During a red team exercise, the tester successfully gains access to an internal server and finds evidence of ongoing criminal activity unrelated to the client. According to best practices for handling discovered criminal activity, what should the tester do first?

A. Contact the client's emergency contact as defined in the RoE
B. Immediately inform law enforcement
C. Cease all testing and delete the evidence
D. Continue testing and document the evidence for the final report
Answer: A

Correct. The tester should follow the communication plan.

Why this answer

The tester should follow the incident response plan and contact emergency contacts; the RoE should specify procedures.

12
MCQ · easy

Which penetration testing standard provides a structured methodology for conducting penetration tests, including pre-engagement, reconnaissance, and reporting phases?

A. NIST SP 800-115
B. OWASP Testing Guide
C. PTES
D. OSSTMM
Answer: C

PTES defines a standard methodology for penetration testing.

Why this answer

The Penetration Testing Execution Standard (PTES) covers the entire testing lifecycle.

13
MCQ · hard

A penetration tester is performing a wireless penetration test. The RoE states that testing is only allowed between 8 PM and 6 AM. At 7:30 PM, the tester begins active scanning. At 8:15 PM, a client employee calls the emergency contact to report suspicious activity. According to the RoE, which of the following is the most likely reason for the call?

A. The tester used an unauthorized tool
B. The tester started testing outside the agreed time window
C. The tester targeted an out-of-scope access point
D. The tester exceeded the allowed signal strength
Answer: B

Active scanning began at 7:30 PM, before 8 PM.

Why this answer

The tester started active scanning before the allowed window (8 PM), which violated the RoE and triggered an incident.

14
MCQ · medium

A penetration testing company is scoping a social engineering engagement for a client. The client wants to test employee awareness of phishing attempts. Which of the following should be included in the scope?

A. All employees including the CEO
B. External contractors only
C. Only non-technical staff
D. A defined subset of employees agreed upon in advance
Answer: D

Correct. The scope should clearly define which personnel are in-scope.

Why this answer

Option D is correct because social engineering engagements require explicit, pre-agreed boundaries to ensure legal and ethical compliance. Including a defined subset of employees allows the client to control risk, avoid disrupting critical operations, and obtain informed consent, which is essential for a valid penetration test scope.

Exam trap

The trap here is that candidates assume testing must include all employees to be thorough, but the PT0-002 exam emphasizes that scope must be mutually agreed and limited to avoid legal and operational risks, not maximized for coverage.

How to eliminate wrong answers

Option A is wrong because including all employees, including the CEO, without prior agreement could violate employment policies, cause legal liability, and disrupt executive functions; scoping must be mutually agreed. Option B is wrong because limiting the test to external contractors only fails to assess the primary target—employee phishing awareness—and ignores internal staff who handle sensitive data. Option C is wrong because restricting to only non-technical staff creates a blind spot; technical staff (e.g., IT admins) are often high-value targets and must be included to fully test security awareness.

15
MCQ · medium

During an external penetration test, the tester discovers that a critical web application is hosted on a third-party cloud provider. The SOW did not mention this provider. What should the tester do before proceeding with testing against that provider's infrastructure?

A. Obtain written authorization from the third-party provider
B. Scan only the IP addresses that resolve to the client's domain
C. Continue testing as long as the target is in scope
D. Ignore the web application and test only on-premises assets
Answer: A

Correct. Authorization from the third party is necessary.

Why this answer

Testing third-party services requires explicit permission from the provider to avoid legal and contractual issues.

16
MCQ · medium

Which of the following is typically included in the final deliverables of a penetration test?

A. A list of all employee passwords
B. Network diagrams of the client's internal network
C. A copy of all data extracted during the test
D. Executive summary, technical findings, and remediation guidance
Answer: D

Correct. These are standard components.

Why this answer

Standard deliverables include an executive summary, technical findings, and remediation guidance.

17
Multi-Select · medium

A penetration tester is scoping a network penetration test for a client that uses multiple third-party services. Which TWO of the following are correct actions regarding third-party services? (Select TWO.)

Select 2 answers
A. Include all third-party services in scope without restriction
B. Assume that third-party services are out of scope
C. Test third-party services without informing the provider
D. Exclude third-party services from testing unless explicitly authorized
E. Obtain written permission from each third-party provider before testing
Answers: D, E

Out-of-scope unless authorized.

Why this answer

Option D is correct because third-party services are outside the penetration tester's authorized boundary unless explicitly included in the scope definition. Testing without explicit authorization could violate the third-party's terms of service, the Computer Fraud and Abuse Act (CFAA), or similar laws. Scope must be clearly defined in the Rules of Engagement (RoE) to avoid legal and contractual breaches.

Exam trap

The trap here is that candidates may assume third-party services are automatically in scope because they are part of the client's infrastructure, but the exam tests the legal and contractual necessity of obtaining explicit written permission before testing any external system.

18
MCQ · hard

During a penetration test, the tester discovers evidence of an ongoing criminal activity, such as unauthorized data exfiltration by an insider. The client's legal team has not provided specific guidance on handling such discoveries. According to best practices and legal considerations, what should the tester do first?

A. Continue testing to gather more evidence
B. Contact law enforcement directly
C. Ignore the finding as it is out of scope
D. Stop testing and report the finding to the client immediately
Answer: D

This follows standard procedure for discovered criminal activity.

Why this answer

The tester should immediately stop testing and report the finding to the client point of contact, preserving evidence without further investigation to avoid legal complications.

19
Multi-Select · hard

During post-engagement, a penetration tester needs to ensure proper data handling. Which THREE actions should the tester take?

Select 3 answers
A. Securely destroy test artifacts after the client accepts the report
B. Purge any data stored on test systems used during the engagement
C. Retain all test data indefinitely for future reference
D. Follow the agreed-upon data handling procedures in the contract
E. Share findings with other clients to demonstrate expertise
Answers: A, B, D

Destruction of artifacts is standard practice.

Why this answer

After the engagement, test artifacts should be securely destroyed, data should be purged from test systems, and confidential information must be handled per agreement.

20
MCQ · hard

A penetration tester discovers evidence of ongoing criminal activity, such as a data breach by an internal employee, during a white box penetration test. The client's legal team has not provided specific instructions on handling such discoveries. According to best practices and legal considerations, what should the tester do first?

A. Notify law enforcement directly
B. Continue testing and document the evidence for later reporting
C. Stop testing and contact the client's emergency contact
D. Ignore the activity and proceed as planned
Answer: C

The tester should halt testing and follow the communication plan to notify the client.

Why this answer

The tester should immediately stop testing and inform the client's emergency contact to handle the criminal activity appropriately.

21
MCQ · easy

A penetration tester is hired to assess the security of a company's internal network. The tester is given full network diagrams, credentials, and source code. Which type of penetration test is being performed?

A. White box
B. Black box
C. Grey box
D. Red team
Answer: A

White box testing provides full knowledge and credentials.

Why this answer

White box testing provides the tester with full knowledge of the target environment, including credentials and documentation.

22
MCQ · medium

A penetration testing company is contracted to perform a social engineering engagement. The client requests that only employees in the finance department be targeted. Which scoping consideration is most relevant?

A. Personnel scope
B. Rules of engagement
C. Production vs. staging environments
D. Third-party services
Answer: A

Personnel scope specifies the target population for social engineering.

Why this answer

Personnel scope defines which individuals or groups are in-scope for social engineering testing.

23
MCQ · medium

During a pre-engagement meeting, the client states that no testing is allowed on the wireless network or on any cloud-based services hosted by third parties. Which part of the engagement documentation would specify these restrictions?

A. Get-out-of-jail letter
B. Rules of engagement (RoE)
C. Statement of work (SOW)
D. Non-disclosure agreement (NDA)
Answer: B

RoE includes scope, restrictions, and emergency procedures.

Why this answer

The rules of engagement (RoE) define the scope, including what is allowed and not allowed, such as restrictions on wireless and cloud services.

24
MCQ · hard

After completing a penetration test, the tester must submit deliverables and then destroy all test artifacts. Which legal or ethical consideration primarily drives the requirement to destroy test artifacts?

A. Privacy laws such as GDPR or HIPAA
B. Computer Fraud and Abuse Act (CFAA)
C. Vulnerability disclosure responsibilities
D. The statement of work (SOW) and NDA
Answer: D

Typically, the SOW and NDA include clauses for data handling and destruction.

Why this answer

Data handling and destruction are required to protect client confidentiality and comply with privacy laws and contractual agreements.

25
Multi-Select · medium

During a social engineering engagement, a tester plans to use phishing emails targeting employees. Which TWO of the following should be included in the rules of engagement?

Select 2 answers
A. The timeframe during which phishing emails will be sent
B. The exact wording of phishing emails
C. The tester's personal email address for replies
D. The method for employees to opt out of the test
E. The email addresses of employees to be targeted
Answers: A, D

Correct. Testing windows are part of RoE.

Why this answer

RoE should specify communication methods and measures to avoid harm, such as not targeting specific individuals or providing opt-out.

26
MCQ · medium

A penetration tester is conducting a red team exercise. The goal is to simulate an advanced persistent threat (APT) and test the organization's detection and response capabilities. Which of the following engagement types best describes this scenario?

A. Wireless penetration test
B. Red team exercise
C. Network penetration test
D. Web application penetration test
Answer: B

Red team exercises simulate real-world attacks and test detection/response.

Why this answer

A red team exercise (Option B) is the correct engagement type because it simulates an advanced persistent threat (APT) by emulating real-world adversarial tactics, techniques, and procedures (TTPs) across multiple attack vectors, with the primary objective of testing the organization's detection and response capabilities. Unlike a standard penetration test, a red team exercise is goal-oriented (e.g., gaining access to a specific system or data) and often operates under a covert or no-notice scenario, requiring the team to bypass security controls and evade detection over an extended period.

Exam trap

The trap here is that candidates often confuse a red team exercise with a standard penetration test, mistakenly thinking any simulated attack qualifies as a red team exercise, but the key differentiator is the APT-style objective of testing detection and response rather than simply finding vulnerabilities.

How to eliminate wrong answers

Option A is wrong because a wireless penetration test focuses exclusively on assessing the security of wireless networks (e.g., WPA2/3, 802.1X, rogue APs) and does not simulate an APT's multi-vector, long-duration campaign. Option C is wrong because a network penetration test is a point-in-time assessment of network infrastructure vulnerabilities (e.g., open ports, misconfigured firewalls, weak SNMP strings) and does not involve the stealthy, persistent, and goal-driven behavior of an APT. Option D is wrong because a web application penetration test targets only web application vulnerabilities (e.g., SQLi, XSS, CSRF) and lacks the breadth of attack surfaces (e.g., physical, social engineering, endpoint) required to emulate an APT.

27
Multi-Select · medium

A penetration tester is planning a red team exercise for a client. Which TWO of the following should be included in the rules of engagement (RoE)?

Select 2 answers
A. The client's business goals
B. The tester's background check information
C. The tester's hourly rate
D. Testing windows (allowed times for testing)
E. Emergency stop criteria
Answers: D, E

Correct. Testing windows are specified in RoE.

Why this answer

Option D is correct because testing windows define the specific times during which penetration testing activities are permitted, ensuring that testing does not disrupt critical business operations. This is a standard component of the Rules of Engagement (RoE) as outlined in the PT0-002 exam objectives for planning and scoping.

Exam trap

Cisco often tests the distinction between the Rules of Engagement (operational boundaries) and the Statement of Work (contractual/financial details), causing candidates to mistakenly include billing rates or business goals in the RoE.

28
Multi-Select · hard

A penetration tester is preparing for a web application penetration test. The client application is hosted on a cloud platform that serves multiple tenants. Which THREE of the following are critical legal and scoping considerations?

Select 3 answers
A. Include a clause in the SOW that the tester is not liable for any data exposure
B. Understand how the client's data privacy policies affect handling of any discovered data
C. Define the types of attacks allowed (e.g., SQL injection, XSS) in the rules of engagement
D. Ensure the cloud provider has granted permission for the test
E. Test all tenant data to ensure comprehensive coverage
Answers: B, C, D

Correct. Privacy laws impact how testers handle data.

Why this answer

Legal considerations include authorization from the cloud provider, handling sensitive data, and defining permissible testing methods.

29
MCQ · easy

Which of the following is the primary purpose of a get-out-of-jail letter?

A. To outline the deliverables
B. To establish a communication plan
C. To provide legal authorization for the tester to perform the test
D. To define the rules of engagement
Answer: C

The letter grants permission and protects the tester.

Why this answer

A get-out-of-jail letter provides authorization and protects the tester from legal liability when performing authorized tests.

30
MCQ · hard

A penetration tester is engaged to test a web application that uses a third-party payment gateway. The client has not obtained permission from the payment gateway provider. Which of the following is the best course of action?

A. Proceed with testing but use only passive techniques on the gateway
B. Test the gateway without informing the client to avoid delays
C. Exclude the payment gateway from scope and notify the client that permission is required
D. Include the payment gateway in scope because it is part of the application
Answer: C

This protects the tester and client from legal issues.

Why this answer

Third-party services require explicit permission from the provider; testing without it could violate terms of service or laws. The tester should mark the service as out-of-scope until permission is obtained.

31
MCQ · medium

The penetration tester identifies that a web application is hosted on a server that also contains sensitive customer data unrelated to the test. The SOW clearly states that only the web application is in scope. The tester accidentally accesses the customer data. What should the tester do immediately?

A. Delete the data and continue as planned
B. Continue testing and ignore the data
C. Analyze the data to find vulnerabilities
D. Report the incident to the client and stop testing
Answer: D

Following the incident response plan is appropriate.

Why this answer

If out-of-scope data is accessed, the tester should stop, report, and follow the incident response plan without further investigation.

32
MCQ · medium

A penetration tester is planning a red team exercise for a client. The client insists that the testing should not disrupt production systems and only target a replicated staging environment. However, the tester believes that testing the production environment is necessary for realistic adversary simulation. What is the MOST appropriate course of action?

A. Negotiate with the client to include some production systems, explaining the value, and document agreed scope
B. Proceed with testing the production environment despite the client's request to ensure realism
C. Cancel the engagement because the scope is too restrictive
D. Test the staging environment and then extrapolate results to production
Answer: A

Correct. Professional communication and documentation of agreed scope is key.

Why this answer

The scope must be agreed upon between both parties; if the client restricts scope, the tester should accept the limitation and adjust the approach.

33
MCQ · medium

During pre-engagement, a client insists that the penetration testers sign a non-disclosure agreement (NDA). However, the client refuses to provide a 'get-out-of-jail' letter. What risk does this pose to the penetration testers?

A. Increased risk of data breach
B. Higher likelihood of false positives
C. Inability to use certain tools
D. Potential legal liability if the client or third parties perceive the testing as malicious
Answer: D

The letter provides authorization and protects testers.

Why this answer

Without a 'get-out-of-jail' letter (also known as an authorization letter or testing waiver), the penetration testers have no documented legal authorization to perform the agreed-upon attacks. If the client or a third party (e.g., an ISP, law enforcement, or a security monitoring service) detects the test traffic and interprets it as malicious, the testers could face criminal charges or civil lawsuits for unauthorized access, even if the NDA is in place. The NDA only protects confidentiality, not the legality of the actions.

Exam trap

The trap here is that candidates often confuse the NDA (which protects confidentiality) with the get-out-of-jail letter (which provides legal authorization), mistakenly thinking the NDA alone is sufficient to cover liability, when in fact the NDA does not grant permission to perform intrusive testing.

How to eliminate wrong answers

Option A is wrong because the risk of a data breach is not directly increased by the absence of a get-out-of-jail letter; a data breach risk is more related to the scope of testing or data handling practices, not the legal authorization document. Option B is wrong because false positives are a technical issue related to tool configuration, signature tuning, or environmental noise, not a legal or authorization document. Option C is wrong because the inability to use certain tools is typically caused by client restrictions, network controls, or tool licensing, not by the lack of a get-out-of-jail letter; the letter does not affect tool functionality.

34
Multi-Select · easy

Which TWO of the following are typical deliverables of a penetration test?

Select 2 answers
A. Technical findings and remediation guidance
B. User credentials for all accounts
C. Source code of the tested application
D. Video recording of the testing process
E. Executive summary
Answers: A, E

Correct. Technical details are essential for remediation.

Why this answer

Standard deliverables include an executive summary for management and technical findings for remediation.

35
Multi-Select · easy

Which TWO of the following are types of penetration testing based on the level of knowledge provided to the tester? (Select TWO.)

Select 2 answers
A. Social engineering
B. Network penetration test
C. Red team
D. Black box
E. White box
Answers: D, E

No prior knowledge.

Why this answer

Black box and white box are two common types based on knowledge level; grey box is the third.

36
MCQ · easy

Which type of penetration test provides the tester with full knowledge of the target environment, including network diagrams, source code, and administrative credentials?

A. Grey box
B. White box
C. Black box
D. Red team
Answer: B

Correct. White box testing provides full disclosure of the target environment.

Why this answer

A white box test gives the tester complete information about the target, allowing for a comprehensive assessment.

37
MCQ · easy

Which penetration testing standard provides a step-by-step methodology from pre-engagement through post-engagement activities, including intelligence gathering, vulnerability analysis, and exploitation?

A. PTES
B. OSSTMM
C. OWASP Testing Guide
D. NIST SP 800-115
Answer: A

Correct. PTES provides a full methodology.

Why this answer

PTES (Penetration Testing Execution Standard) covers the entire lifecycle of a penetration test.

38
MCQ · medium

Which legal framework in the United States prohibits unauthorized access to computer systems and is commonly referenced in penetration testing authorization documents?

A. HIPAA
B. GLBA
C. CFAA
D. SOX
Answer: C

CFAA prohibits unauthorized computer access.

Why this answer

The Computer Fraud and Abuse Act (CFAA) is the primary U.S. law against unauthorized computer access.

39
MCQhard

A penetration tester is contracted to perform a grey box test of a company's internal network. The client provides a VPN account for remote access but does not disclose that the account has been used by a former employee. The tester connects and is immediately locked out. Which pre-engagement document should have addressed this scenario?

A.Emergency contact list
B.Data handling agreement
C.Statement of Work (SOW)
D.Rules of Engagement (RoE)
AnswerD

RoE should detail the credentials and their validity.

Why this answer

The rules of engagement (RoE) should specify the accounts and credentials provided, including any limitations or known issues.

40
MCQmedium

A penetration testing engagement requires testing a production environment during business hours. The client is concerned about potential service disruption. Which document should specify the conditions under which the test must be halted?

A.Get-out-of-jail letter
B.Rules of Engagement
C.Communication plan
D.Statement of Work
AnswerB

RoE contains stop criteria.

Why this answer

The Rules of Engagement (RoE) is the document that records the operational constraints of a penetration test: in-scope IP ranges, testing windows, permitted techniques, and the explicit conditions under which testing must be halted (for example, a CPU or error-rate threshold on a production host, or loss of a monitored service) together with who must be contacted when that happens. Because both parties agree to and sign the RoE, these halt conditions bind the tester, which is what protects the client's production environment during business hours.

Exam trap

Cisco often tests the distinction between the SOW (which defines what will be done) and the RoE (which defines how and under what constraints it will be done), leading candidates to mistakenly choose the SOW when the question specifically asks for the document that specifies halt conditions.

How to eliminate wrong answers

Option A is wrong because a get-out-of-jail letter (authorization letter) is proof that the tester has permission to test, carried so it can be shown to staff or law enforcement if the tester's activity is detected; it does not define the technical conditions for halting the test. Option C is wrong because a communication plan outlines how and when to report findings and escalate issues, but it does not specify the technical stop conditions for the test itself. Option D is wrong because a Statement of Work (SOW) defines the high-level objectives, deliverables, and timeline of the engagement, but it lacks the granular technical constraints and halt conditions that are detailed in the Rules of Engagement.

41
MCQeasy

Which document defines the IP ranges that are in scope, testing windows, and emergency stop criteria for a penetration test?

A.Get-out-of-jail letter
B.Rules of Engagement (RoE)
C.Non-Disclosure Agreement (NDA)
D.Statement of Work (SOW)
AnswerB

RoE defines scope, timing, and stop criteria.

Why this answer

The Rules of Engagement (RoE) is the formal document that defines the scope boundaries, including IP ranges, testing windows, and emergency stop criteria for a penetration test. It establishes the legal and procedural framework that both the tester and client must follow, ensuring all activities remain within agreed constraints. Without a signed RoE, any testing could be considered unauthorized, potentially leading to legal liability.

Exam trap

Cisco often tests the distinction between the RoE and the SOW, where candidates mistakenly choose the SOW because it includes scope items, but the RoE is the only document that explicitly defines operational constraints like emergency stop criteria and testing windows.

How to eliminate wrong answers

Option A is wrong because a get-out-of-jail letter is the signed authorization the tester presents if challenged or detained during the test; it proves that permission exists but does not define scope, testing windows, or stop criteria. Option C is wrong because a Non-Disclosure Agreement (NDA) is a confidentiality contract that prohibits sharing sensitive information, not a document that outlines technical scope or operational constraints. Option D is wrong because a Statement of Work (SOW) describes the high-level deliverables, tasks, and timelines of the engagement, but it lacks the detailed operational rules (e.g., exact IP ranges, emergency stop procedures) that are specified in the RoE.

42
MCQmedium

During a penetration test, the tester discovers evidence of an ongoing data breach that appears to involve criminal activity unrelated to the test scope. What is the tester's primary responsibility regarding this discovery?

A.Continue the test as planned and include the findings in the final report
B.Notify the client's emergency contact and follow the agreed-upon incident response procedures
C.Document the evidence and destroy it after the engagement to protect the client
D.Immediately stop testing and notify law enforcement without client approval
AnswerB

This is the correct procedure per RoE and legal considerations.

Why this answer

The tester should follow the incident response plan and notify the client immediately, as handling criminal activity is a legal and ethical obligation.

43
MCQhard

A penetration tester is contracted to perform a web application test for a company that hosts its application on a third-party cloud provider. The tester discovers a critical vulnerability that could allow access to other customers' data on the same cloud platform. Which legal consideration is MOST important for the tester to address?

A.Exploit the vulnerability to demonstrate impact
B.Include the finding in the final report without further action
C.Obtain a new get-out-of-jail letter for the cloud provider
D.Notify law enforcement of the criminal activity
AnswerC

Correct. The vulnerability reaches into the cloud provider's shared infrastructure, which the client cannot authorize the tester to touch.

Why this answer

A finding that could expose other tenants' data affects systems and customers the client does not own, so the client's authorization does not cover it. The tester must not exploit it (Option A), because demonstrating impact would mean accessing a third party's data without permission. Reporting it in the final deliverable with no further action (Option B) delays a critical finding and leaves the party that can fix it uninformed. A discovered vulnerability is not evidence of criminal activity, so Option D does not apply. The correct handling is to stop at the point of discovery, notify the client per the communication plan, and obtain written authorization from the cloud provider before any further testing that touches the shared platform.

44
MCQmedium

A penetration tester is planning an engagement that includes testing a web application hosted on a third-party cloud provider. The client has provided credentials for the application but not for the underlying infrastructure. Which of the following should the tester do before proceeding?

A.Ignore the third-party aspect and test as usual
B.Ask the client to move the application to on-premises
C.Obtain written permission from the cloud provider
D.Proceed with testing the application using the provided credentials
AnswerC

Explicit permission is necessary for third-party services.

Why this answer

Third-party services require explicit permission from the provider to test; the tester must obtain written authorization, or confirm that the provider's published penetration testing policy already covers the planned activity. Some large cloud providers pre-authorize testing of customer-owned resources but still prohibit testing of the shared platform itself, so the policy must be read against the actual test plan.

45
MCQeasy

A penetration tester is hired to perform an assessment where the tester is provided with network diagrams, source code, and administrative credentials. Which type of penetration test is this?

A.Grey box
B.Black box
C.White box
D.Red team
AnswerC

Provided with full knowledge and credentials.

Why this answer

In a white box test, the tester has full knowledge of the environment, including credentials and documentation.

46
MCQeasy

During the pre-engagement phase, which document defines the IP ranges, test windows, and emergency stop criteria for a penetration test?

A.Get-out-of-jail letter
B.Non-Disclosure Agreement (NDA)
C.Statement of Work (SOW)
D.Rules of Engagement (RoE)
AnswerD

RoE includes IP ranges, test windows, and stop criteria.

Why this answer

The Rules of Engagement (RoE) document specifies technical constraints like IP ranges, timing, and stop conditions.

47
MCQmedium

Which of the following best describes the primary purpose of a 'get-out-of-jail' letter in a penetration testing engagement?

A.To provide emergency contact information
B.To outline the rules of engagement
C.To authorize the tester to bypass security controls without legal repercussions
D.To ensure the tester does not steal data
AnswerC

It serves as proof of authorization.

Why this answer

The get-out-of-jail letter provides legal authorization and protects the tester if their actions are detected as malicious.

48
MCQmedium

A penetration tester is planning a web application test. The client wants to minimize risk to production data. Which environment should the tester recommend for testing?

A.Development environment with live data
B.Production environment with a read-only database
C.Staging environment with anonymized data
D.Production environment with full access
AnswerC

Correct. Staging with anonymized data minimizes risk.

Why this answer

Testing in a staging environment reduces the risk of impacting live data and systems.

49
Multi-Selectmedium

A penetration tester has completed a web application test and is preparing the final deliverables. According to best practices, which THREE components should be included in the deliverables? (Select THREE.)

Select 3 answers
A.Raw vulnerability scan output
B.Detailed technical findings with evidence
C.Executive summary for management
D.Remediation guidance for each finding
E.Full source code of the application
AnswersB, C, D

Technical findings and remediation guidance for the IT staff, an executive summary for management.

Why this answer

Options B, C, and D are correct because a penetration test report serves two audiences: management needs an executive summary of overall risk and business impact, and the technical staff who will fix the issues need detailed findings with evidence (proof-of-concept requests and responses, screenshots, exploit output) plus remediation guidance for each finding, so every issue can be reproduced and closed without ambiguity. This is the report structure PT0-002 best practices expect. Option A is wrong because raw scanner output is unvalidated and belongs in an appendix at most. Option E is wrong because the application's source code is the client's own asset, not something the tester delivers.

Exam trap

The trap here is that candidates confuse raw vulnerability scan output (Option A) with validated findings, but PT0-002 emphasizes that deliverables must contain analyst-verified evidence, not unprocessed tool results.

50
MCQeasy

A penetration tester is preparing a deliverable for a client. Which of the following should be included in the final report?

A.Executive summary, technical findings, and remediation guidance
B.The tester's personal notes and observations
C.Only the technical findings
D.Only the executive summary
AnswerA

This is the standard structure.

Why this answer

A standard penetration testing report includes an executive summary, technical findings, and remediation guidance.

51
Multi-Selectmedium

A penetration testing firm is scoping a network penetration test for a client. The client has provided a list of IP ranges and subnets. Which TWO of the following should the tester consider when defining the scope?

Select 2 answers
A.Identify any third-party hosted services within the provided IP ranges and obtain explicit permission
B.Define which IP ranges are out of scope and document them
C.All IP addresses owned by the client are in scope
D.Test all IP addresses regardless of ownership to ensure complete coverage
E.Include all subnets that are routable from the internet
AnswersA, B

Correct. Third-party services need separate authorization.

Why this answer

Scoping must distinguish in-scope vs out-of-scope assets and address third-party services that require permission.

52
Multi-Selecteasy

Which THREE of the following are common components of a pre-engagement agreement between a penetration tester and a client?

Select 3 answers
A.List of all employee passwords
B.Rules of Engagement (RoE)
C.Statement of Work (SOW)
D.Non-Disclosure Agreement (NDA)
E.Full source code of the target application
AnswersB, C, D

Correct. RoE defines the testing boundaries.

Why this answer

Pre-engagement typically includes SOW, RoE, NDA, permission letters, emergency contacts, and communication plans.

53
MCQeasy

Which document, often signed before a penetration test, protects the tester from legal liability if the tester's actions are perceived as malicious by third parties?

A.Statement of Work
B.Get-out-of-jail letter
C.Non-Disclosure Agreement
D.Rules of Engagement
AnswerB

Correct. This letter provides legal authorization.

Why this answer

A get-out-of-jail letter (authorization letter) confirms that the tester has permission to conduct the test.

54
MCQeasy

Which penetration testing standard provides a methodology that includes pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting?

A.OSSTMM
B.NIST SP 800-115
C.OWASP Testing Guide
D.PTES
AnswerD

Correct. PTES includes all phases from pre-engagement to reporting.

Why this answer

The Penetration Testing Execution Standard (PTES) is the only standard among the options that explicitly defines a full penetration testing methodology with the phases listed: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. PTES provides a structured, seven-phase framework designed specifically for penetration testers, making it the correct choice for this question.

Exam trap

The trap here is that candidates often confuse the OWASP Testing Guide (Option C) as a general penetration testing standard because it is widely known, but it is strictly limited to web application security and does not cover the full lifecycle of a penetration test as defined in the question.

How to eliminate wrong answers

Option A is wrong because the Open Source Security Testing Methodology Manual (OSSTMM) focuses on operational security metrics and channel-based testing (e.g., human, physical, wireless, telecommunications, and data networks) rather than a sequential penetration testing methodology with the specific phases listed. Option B is wrong because NIST SP 800-115 is a general technical guide to information security testing and assessment; it does describe a four-phase penetration testing process (planning, discovery, attack, reporting), but not the seven PTES phases named in the question, such as pre-engagement interactions and post-exploitation. Option C is wrong because the OWASP Testing Guide is specifically focused on web application security testing and does not cover the full scope of a penetration test, including pre-engagement interactions, threat modeling in the context of network or system testing, or post-exploitation activities beyond web applications.

55
MCQeasy

A penetration tester is hired to assess the security of a company's internal network. The client provides the tester with full network diagrams, credentials, and source code. Which type of penetration test is being performed?

A.Grey box
B.Black box
C.Red team
D.White box
AnswerD

Correct. White box testing provides full knowledge.

Why this answer

White box testing provides the tester with full knowledge and credentials, which matches the scenario.

56
MCQmedium

A penetration tester is about to start an engagement. Which document outlines the IP ranges that are in scope, the testing window, and the emergency stop criteria?

A.Non-Disclosure Agreement (NDA)
B.Statement of Work (SOW)
C.Rules of Engagement (RoE)
D.Get-out-of-jail letter
AnswerC

Correct. The RoE includes IP ranges, testing times, and stop conditions.

Why this answer

The rules of engagement (RoE) specify technical and procedural boundaries for the test.

57
Multi-Selecthard

A penetration tester is conducting a social engineering engagement targeting the finance department. Which THREE of the following actions are most appropriate to include in the scope of the engagement?

Select 3 answers
A.Exploiting a SQL injection vulnerability in the finance web app
B.Making pretext phone calls (vishing) to obtain sensitive information
C.Attempting to tailgate into the finance office
D.Sending phishing emails to finance employees
E.Performing a vulnerability scan on the finance network
AnswersB, C, D

Correct. Phishing, vishing, and tailgating are all social engineering techniques.

Why this answer

Social engineering targets people rather than systems, so the in-scope actions are phishing emails to finance employees, pretext phone calls (vishing), and a physical entry attempt such as tailgating into the finance office. Tailgating needs its own planning, including an authorization letter the tester can present if challenged on site, but it is a common part of such engagements. USB drops are another valid technique, but they are not among the options. Options A and E are technical testing of the finance application and network; that belongs in an application or network penetration test, not a social engineering engagement.

58
MCQmedium

After completing a penetration test, the tester must deliver a report. According to standard practices, which of the following is a required component of the deliverables?

A.Executive summary, technical findings, and remediation guidance
B.Remediation guidance and a list of all tested IPs
C.Only technical findings and proof-of-concept code
D.Executive summary and raw data logs
AnswerA

These are standard components of a penetration test report.

Why this answer

A typical penetration test report includes an executive summary, technical findings, and remediation guidance.

59
MCQmedium

A penetration tester is preparing a proposal for a client. The client wants a test that includes a detailed technical report with remediation steps and an executive summary for management. Which standard or framework is most commonly used to structure the testing process from pre-engagement through post-engagement?

A.OWASP Testing Guide
B.OSSTMM
C.PTES
D.NIST SP 800-115
AnswerC

PTES covers the entire penetration testing lifecycle.

Why this answer

The Penetration Testing Execution Standard (PTES) provides a comprehensive framework covering all phases from pre-engagement to post-engagement.

60
Multi-Selecteasy

A company is planning a social engineering engagement. Which TWO items should be included in the pre-engagement documentation?

Select 2 answers
A.List of all employee passwords
B.Network topology diagrams
C.Source code of all applications
D.Emergency contact list
E.Rules of engagement
AnswersD, E

Required to stop testing if needed.

Why this answer

Pre-engagement documentation should include the rules of engagement (RoE) and emergency contacts to handle incidents during social engineering.

61
Multi-Selecthard

A penetration testing company is planning a social engineering engagement for a client. The engagement includes phishing and physical tailgating. Which THREE of the following should be clearly defined in the Rules of Engagement? (Select THREE.)

Select 3 answers
A.The format of the final report
B.The specific vulnerabilities to be exploited
C.The conditions under which the test must be stopped immediately
D.The types of social engineering attacks allowed (e.g., phishing, vishing, tailgating)
E.The list of employees and contractors who are in scope for social engineering
AnswersC, D, E

Emergency stop criteria are essential.

Why this answer

The RoE defines personnel scope (Option E), the techniques permitted (Option D), and the emergency stop conditions (Option C). The report format (Option A) is a deliverable defined in the SOW, and specific vulnerabilities (Option B) cannot be listed in advance because they are discovered during the test.

62
MCQmedium

A client requests a penetration test that includes testing of both internal network devices and a public-facing web application. The tester is provided with a VPN account for internal access but no credentials for the web application. Which type of penetration test is this?

A.White box
B.Red team
C.Grey box
D.Black box
AnswerC

Partial knowledge (VPN access) but not full.

Why this answer

Grey box testing involves partial knowledge; the tester has internal network access but not web app credentials.

63
Multi-Selectmedium

In a red team exercise, the team wants to simulate a realistic adversary. Which TWO of the following are typically included in the scope of a red team engagement compared to a standard penetration test?

Select 2 answers
A.Extensive vulnerability scanning of all in-scope systems
B.Comprehensive compliance verification against standards
C.Physical security testing (e.g., tailgating, lock picking)
D.Detailed reporting of all vulnerabilities found
E.Social engineering attacks against employees
AnswersC, E

Correct. Red team often includes physical attacks.

Why this answer

Red team exercises often include physical and social engineering attacks, and may attempt to remain undetected for longer periods.

64
Multi-Selecthard

A penetration tester discovers evidence of an ongoing criminal activity (e.g., data exfiltration by an insider) during a test. According to best practices and legal considerations, which THREE actions should the tester take?

Select 3 answers
A.Preserve all evidence and document findings for law enforcement
B.Publicly disclose the finding on a vulnerability disclosure platform
C.Immediately stop all testing activities
D.Contact the client's emergency contact per the communication plan
E.Continue testing to gather more evidence
AnswersA, C, D

Correct. Evidence preservation is crucial for investigation.

Why this answer

When discovering criminal activity, the tester should stop testing, notify the client contact, and preserve evidence for investigation.

65
MCQhard

After completing a penetration test, the tester is required to provide deliverables that include an executive summary, technical findings, and remediation guidance. However, the client also requests that all test artifacts, such as captured credentials and sample data, be securely destroyed after the report is delivered. Which standard or framework emphasizes the importance of data handling and destruction of test artifacts?

A.OSSTMM
B.OWASP Testing Guide
C.PTES
D.NIST SP 800-115
AnswerD

Correct. NIST SP 800-115 specifically addresses test data handling and destruction.

Why this answer

NIST SP 800-115 includes guidelines for handling and destroying test data to maintain confidentiality and integrity.

66
MCQhard

A penetration tester is scoping a test for a client that uses a SaaS application for customer relationship management. The client wants the tester to assess the application's security. What is the most important consideration regarding this SaaS application?

A.The application is hosted on the cloud, so it is automatically in scope
B.The tester should obtain explicit permission from the SaaS provider before testing
C.The tester should only test the client's configuration of the SaaS application
D.The tester can test the application as long as the client provides administrative credentials
AnswerB

Correct. Testing a third-party SaaS requires provider authorization.

Why this answer

The tester must ensure that the SaaS provider's terms of service allow security testing and that permission is obtained.

67
Multi-Selectmedium

After completing a penetration test, the tester must handle test artifacts appropriately. Which TWO of the following are best practices for data handling and destruction?

Select 2 answers
A.Securely delete all test data after the engagement is complete
B.Return any client data to the client before destruction
C.Keep all test data indefinitely for future reference
D.Store test data in an unencrypted archive on the tester's laptop
E.Share test data with other clients for benchmarking
AnswersA, B

Correct. Data should be securely destroyed.

Why this answer

Best practices include securely erasing test data and returning any client data to the client.

68
MCQhard

A penetration tester is conducting a wireless penetration test. The client's rules of engagement state that testing must not disrupt production services. During the test, the tester's de-authentication attack causes the company's guest Wi-Fi to go offline. What should the tester do?

A.Ignore the issue and complete the test
B.Reduce the intensity of the attack
C.Continue testing because guest Wi-Fi is not critical
D.Stop testing and follow the emergency stop procedure
AnswerD

The tester must halt and notify the client.

Why this answer

According to the RoE, the tester must stop testing if there is an emergency or disruption. The tester should follow the emergency stop procedure and contact the client.
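The stop conditions in questions 40 and 68 can be watched automatically rather than noticed after the fact. The following is an added example written for this page, not code from any exam or vendor material: it evaluates two RoE stop criteria against a probe log, a sliding-window 5xx error rate on the tested application and consecutive failed availability probes against a client-nominated canary service such as the guest Wi-Fi. The thresholds, service name, and log lines are constructed, assumed values.

```python
"""Emergency-stop monitor for the stop criteria written into an RoE.

Added illustration for this page; thresholds and log lines are constructed.
"""
from collections import deque

# Assumed RoE stop criteria for the engagement.
STOP_CRITERIA = {
    "max_error_rate": 0.30,      # share of 5xx responses tolerated in the window
    "window": 10,                # HTTP responses in the sliding window
    "max_consecutive_down": 2,   # failed probes in a row for any canary service
}

# Constructed log: "<time> http <status>" from the tester's own requests,
# "<time> probe <service> <up|down>" from a client-nominated canary probe.
SAMPLE_LOG = """\
10:00:00 http 200
10:00:01 http 200
10:00:02 probe guest-wifi up
10:00:03 http 500
10:00:04 http 200
10:00:05 http 200
10:00:06 probe guest-wifi up
10:00:07 http 503
10:00:08 http 200
10:00:09 http 500
10:00:10 probe guest-wifi down
10:00:11 http 200
10:00:12 http 200
10:00:13 probe guest-wifi down
10:00:14 http 200
"""


def parse_line(line):
    """Turn one log line into an event dict."""
    parts = line.split()
    if parts[1] == "http":
        return {"time": parts[0], "kind": "http", "status": int(parts[2])}
    return {"time": parts[0], "kind": "probe", "service": parts[2], "up": parts[3] == "up"}


def evaluate(lines, criteria):
    """Walk the log in order; return (time, reason) for the first stop condition, else None."""
    statuses = deque(maxlen=criteria["window"])
    down_streak = {}
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["kind"] == "http":
            statuses.append(ev["status"])
            # Only judge the error rate once the window is full, so a single
            # early 5xx does not trip the stop.
            if len(statuses) == statuses.maxlen:
                rate = sum(1 for s in statuses if s >= 500) / len(statuses)
                if rate > criteria["max_error_rate"]:
                    return ev["time"], f"error rate {rate:.0%} over last {len(statuses)} responses"
        else:
            streak = 0 if ev["up"] else down_streak.get(ev["service"], 0) + 1
            down_streak[ev["service"]] = streak
            if streak >= criteria["max_consecutive_down"]:
                return ev["time"], f"{ev['service']} down for {streak} consecutive probes"
    return None


def run(log=SAMPLE_LOG, criteria=STOP_CRITERIA):
    hit = evaluate(log.splitlines(), criteria)
    if hit:
        print(f"STOP at {hit[0]}: {hit[1]} -> halt testing, call emergency contact")
    else:
        print("no stop condition reached")
    return hit


if __name__ == "__main__":
    run()
```

On the first hit the tester halts active testing and calls the emergency contact named in the communication plan; the monitor only decides when to stop, the RoE decides what happens next. With the constructed log the guest Wi-Fi probe trips first; tightening the error-rate threshold to 20% makes the 5xx window trip one line earlier.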

69
MCQmedium

Which legal framework in the United States makes it a crime to access a computer system without authorization, and is a key consideration when obtaining permission for penetration testing?

A.SOX
B.HIPAA
C.GDPR
D.CFAA
AnswerD

Correct. The CFAA prohibits unauthorized access.

Why this answer

The Computer Fraud and Abuse Act (CFAA) is the primary US law against unauthorized access.

70
MCQmedium

Which of the following best describes the purpose of a vulnerability disclosure policy in the context of a penetration test?

A.To list the assets that are out of scope
B.To define the rules of engagement for the test
C.To establish a process for reporting discovered vulnerabilities to the client and possibly to the public
D.To provide legal protection to the tester
AnswerC

Correct. It sets expectations for vulnerability handling.

Why this answer

A vulnerability disclosure policy outlines how vulnerabilities found during testing will be reported and remediated.

71
MCQmedium

A penetration tester is planning a test that involves scanning for vulnerabilities across a large IP range. The client has provided a list of IPs that are in-scope, but the tester notices that some IPs belong to a third-party company hosting a client application. What should the tester do?

A.Assume the client has permission and scan all IPs
B.Exclude the third-party IPs and notify the client
C.Scan the IPs because they are on the client's list
D.Scan only the third-party IPs that respond to ping
AnswerB

The tester should exclude them and ask the client to obtain permission.

Why this answer

The tester must ensure that all in-scope IPs are authorized. If an IP belongs to a third party, the tester needs written permission from that provider before testing.
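The check described in questions 51 and 71 is worth running mechanically before the first packet leaves the tester's machine. The following is an added example written for this page, not code from any exam or vendor material: it classifies every planned target against the RoE scope, explicit exclusions, and ranges the tester has identified as belonging to a third-party host, and refuses to clear anything the client alone cannot authorize. The RoE contents and the target list are constructed sample data (documentation address ranges); the third-party mapping is assumed to come from the tester's own WHOIS or hosting lookups rather than from the client. Hostnames should be resolved first and both the name and every resolved address run through the same gate.

```python
"""RoE scope gate: classify every planned target before scanning starts.

Added illustration for this page; the RoE values and targets are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RulesOfEngagement:
    in_scope: list[str]                 # CIDRs the client owns and authorized
    out_of_scope: list[str]             # CIDRs the client explicitly excluded
    third_party: dict[str, str]         # CIDR -> hosting provider (tester-identified)
    provider_authorized: set[str] = field(default_factory=set)  # providers with written permission


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def classify(target, roe):
    """Return 'authorized', 'excluded', 'third_party_pending' or 'not_in_scope'."""
    ip = ipaddress.ip_address(target)
    # An explicit exclusion overrides any in-scope range it sits inside.
    if any(ip in net for net in _networks(roe.out_of_scope)):
        return "excluded"
    # Third-party ranges are checked before the client's list: the client may
    # have listed them, but only the provider can authorize testing there.
    for cidr, provider in roe.third_party.items():
        if ip in ipaddress.ip_network(cidr, strict=False):
            return "authorized" if provider in roe.provider_authorized else "third_party_pending"
    if any(ip in net for net in _networks(roe.in_scope)):
        return "authorized"
    return "not_in_scope"


def gate(targets, roe):
    """Split targets into those cleared to scan and those blocked, keyed by reason."""
    cleared, blocked = [], {}
    for t in targets:
        verdict = classify(t, roe)
        if verdict == "authorized":
            cleared.append(t)
        else:
            blocked.setdefault(verdict, []).append(t)
    return cleared, blocked


# Constructed RoE for a fictional client (documentation ranges only).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "10.10.0.0/16"],
    out_of_scope=["10.10.5.0/24"],                    # production database subnet
    third_party={"198.51.100.0/24": "ExampleHost"},   # client's app is hosted here
)

# Constructed target list as handed over by the client.
SAMPLE_TARGETS = ["203.0.113.10", "10.10.5.3", "198.51.100.7", "192.0.2.1", "10.10.20.4"]


def run(roe=SAMPLE_ROE, targets=SAMPLE_TARGETS):
    cleared, blocked = gate(targets, roe)
    for reason, hosts in blocked.items():
        print(f"BLOCKED ({reason}): {', '.join(hosts)}")
    print(f"cleared to scan: {', '.join(cleared)}")
    return cleared, blocked


if __name__ == "__main__":
    run()
```

Anything reported as third_party_pending goes back to the client, who asks the provider for written permission; once that permission is on file the provider is added to provider_authorized and the same targets clear on the next run, while the explicit exclusion still wins.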

72
MCQmedium

Which of the following penetration testing standards includes detailed guidelines for pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting?

A.OSSTMM
B.OWASP Testing Guide
C.NIST SP 800-115
D.PTES
AnswerD

PTES covers all phases of a penetration test.

Why this answer

PTES (Penetration Testing Execution Standard) covers the entire testing lifecycle from pre-engagement to reporting.

73
MCQhard

A penetration tester is engaged to perform a social engineering assessment targeting the sales department. The RoE specifies that testing is allowed only during business hours. Which of the following actions would be most appropriate when planning the engagement?

A.Deploy USB drop attacks at the office entrance over the weekend
B.Conduct a phishing campaign with emails sent at 2:00 AM
C.Perform a tailgating attempt at 7:00 PM after most employees have left
D.Launch a vishing attack during normal business hours
AnswerD

Correct. Vishing during business hours complies with RoE.

Why this answer

Options A, B, and C all place activity outside the business-hours window: a weekend USB drop, a phishing send at 2:00 AM, and a tailgating attempt at 7:00 PM. Only vishing during normal business hours fits the RoE; the tester should design every attack, including the send time of phishing emails, to fall within the allowed times.

74
MCQeasy

A penetration tester is hired to perform a test with no prior knowledge of the target environment. The tester is given only the company name and must gather all necessary information from public sources. Which type of penetration test is this?

A.Grey box
B.Black box
C.Red team
D.White box
AnswerB

Black box provides no prior knowledge.

Why this answer

In a black box test, the tester has no prior knowledge or credentials, simulating an external attacker.
