CCNA Ptp Reporting Questions

69 questions · Ptp Reporting topic · All types, answers revealed

1
MCQ · hard

A penetration tester uses the DREAD model to assess a vulnerability. The tester assigns the following scores: Damage=8, Reproducibility=10, Exploitability=9, Affected users=7, Discoverability=6. What is the overall DREAD risk rating?

A. 8.5
B. 7.5
C. 9.0
D. 8.0
Answer: D

Average of the scores is 8.0.

Why this answer

DREAD rating is the average of the five scores: (8+10+9+7+6)/5 = 40/5 = 8.0.

2
Multi-Select · medium

A penetration tester is creating a report and needs to include evidence of a cross-site scripting vulnerability. Which TWO of the following are appropriate types of evidence? (Choose two.)

Select 2 answers
A. The HTTP request and response showing the injected script
B. The full exploit script that deletes all user accounts
C. The raw output of a vulnerability scanner without context
D. A video recording of the entire test
E. A screenshot of the alert box showing the XSS payload
Answers: A, E

Shows the vulnerability in action.

Why this answer

Screenshots with proof of execution and the actual payload used are standard evidence. The exploit code should not be destructive, and a video is not required; raw scanner output alone may not show exploitation.

3
Multi-Select · medium

A penetration tester is following responsible disclosure timelines. Which TWO of the following actions align with responsible disclosure practices?

Select 2 answers
A. Publish exploit code on a public forum immediately.
B. Publicly disclose the vulnerability the same day.
C. Notify the software vendor immediately after discovery.
D. Sell the vulnerability information to the highest bidder.
E. Allow the vendor a reasonable timeframe to patch.
Answers: C, E

Correct. Vendor should be informed first.

Why this answer

Responsible disclosure involves notifying the vendor and providing a reasonable time to fix before public disclosure.

4
MCQ · medium

During a penetration test, the tester discovers evidence of an ongoing cyber attack by an external threat actor on the client's network. What is the tester's responsibility?

A. Document the evidence and include it in the final report without immediate notification.
B. Attempt to trace and engage the attacker to gather more information.
C. Immediately report the evidence to the client and recommend involving law enforcement.
D. Ignore the evidence and continue with the planned test scope.
Answer: C

This is the correct course of action to address the active threat.

Why this answer

Option C is correct because the tester's primary responsibility is to protect the client's assets and data. Upon discovering evidence of an ongoing cyber attack, immediate notification allows the client to activate incident response procedures, potentially containing the threat and minimizing damage. Recommending law enforcement involvement is appropriate when criminal activity is suspected, as the tester is not authorized to conduct forensic investigation or engage with the attacker.

Exam trap

The trap here is that candidates may confuse the tester's role with that of a law enforcement officer or incident responder, incorrectly believing they should investigate or engage the attacker, when in fact the tester must stop all testing and immediately notify the client.

How to eliminate wrong answers

Option A is wrong because delaying notification until the final report could allow the attack to cause significant harm, violating the tester's duty of care and potentially breaching the rules of engagement that typically require immediate reporting of critical findings. Option B is wrong because attempting to trace or engage the attacker exceeds the scope of a penetration test, could be illegal under laws like the Computer Fraud and Abuse Act (CFAA), and risks escalating the incident or destroying forensic evidence. Option D is wrong because ignoring evidence of an active attack is unethical and negligent, as the tester has a professional obligation to report any signs of compromise that fall outside the agreed test scope.

5
MCQ · easy

Which of the following is an example of a responsible remediation recommendation?

A. Upgrade Apache to version 2.4.51 to fix the vulnerability.
B. Apply security patches regularly.
C. Update the web server software.
D. Configure the firewall to block all incoming traffic.
Answer: A

Specific and actionable.

Why this answer

Option A is correct because it provides a specific, actionable remediation: upgrading Apache to version 2.4.51, which is known to address a particular vulnerability (e.g., CVE-2021-41773 or CVE-2021-42013 for path traversal). A responsible recommendation must include a concrete version number or patch identifier to ensure the fix is verifiable and not ambiguous.

Exam trap

Cisco often tests the distinction between a specific, actionable remediation (with version numbers) and a generic security policy statement, trapping candidates who choose broad advice like 'apply patches regularly' instead of a precise fix.

How to eliminate wrong answers

Option B is wrong because 'Apply security patches regularly' is a general policy statement, not a specific remediation for the identified vulnerability; it lacks the version or patch details needed for immediate action. Option C is wrong because 'Update the web server software' is too vague—it does not specify the target version or the exact vulnerability being fixed, leaving room for incomplete or incorrect updates. Option D is wrong because 'Configure the firewall to block all incoming traffic' is an overly restrictive and impractical measure that would break legitimate web services; it is a workaround, not a responsible remediation that addresses the root cause.

6
MCQ · easy

Which of the following is the correct CVSS metric that describes the level of access an attacker needs to exploit a vulnerability?

A. Privileges Required (PR)
B. Attack Vector (AV)
C. Attack Complexity (AC)
D. User Interaction (UI)
Answer: B

AV describes the context in which exploitation is possible.

Why this answer

The Attack Vector (AV) metric describes how the vulnerability can be exploited (e.g., network, adjacent, local).

7
MCQ · medium

During a penetration test, a tester discovers evidence of an ongoing live exploitation by an unknown third party. Which of the following should the tester do first?

A. Attempt to stop the exploitation on their own.
B. Continue the test and document the evidence.
C. Immediately inform the client's point of contact.
D. Ignore the finding as it is out of scope.
Answer: C

The client needs to know about active exploitation to respond.

Why this answer

If there is evidence of criminal activity or live exploitation, the tester should inform the client immediately so they can take appropriate action.

8
Multi-Select · medium

A penetration tester is preparing a report that includes technical findings. Which TWO of the following should be included in each technical finding? (Select TWO.)

Select 2 answers
A. Executive summary
B. Client's network diagram
C. Remediation steps with code or commands
D. Business impact analysis
E. Evidence such as screenshots
Answers: C, E

Specific actionable remediation steps are required.

Why this answer

Each technical finding should include remediation steps and evidence such as screenshots.

9
MCQ · hard

A penetration tester is presenting findings to a mixed audience of technical staff and executives. The executives seem confused about the risk ratings. How should the tester adjust the presentation?

A. Ask the executives to leave and schedule a separate meeting with them later.
B. Explain the risk ratings in terms of business impact and likelihood, avoiding technical jargon.
C. Provide the executives with a separate written report and continue the technical presentation.
D. Skip the technical details and focus only on the executive summary.
Answer: B

This helps executives understand the ratings without overwhelming them.

Why this answer

When communicating to a mixed audience, the tester should tailor the message to each group's needs, focusing on risk and business impact for executives.

10
Multi-Select · medium

A penetration tester is preparing a presentation for both technical and executive audiences. Which TWO of the following are effective strategies for communicating findings to an executive audience?

Select 2 answers
A. Discuss each vulnerability's CVSS vector string.
B. Focus on business risk and financial impact.
C. Use technical jargon and detailed exploit steps.
D. Provide a high-level summary with visual aids.
E. Include raw command-line output in slides.
Answers: B, D

Correct. Executives care about risk to the business.

Why this answer

Executives need high-level overviews and business impact, not technical details.

11
MCQ · medium

A penetration tester is prioritizing remediation recommendations. Which approach is most aligned with industry best practices?

A. Recommend fixing all vulnerabilities simultaneously.
B. Prioritize by ease of remediation regardless of severity.
C. List all findings in alphabetical order.
D. Address critical vulnerabilities first, then high, then medium, with quick wins highlighted.
Answer: D

Correct. This is standard prioritization.

Why this answer

Prioritization should address critical/high vulnerabilities first, including quick wins that can be implemented rapidly.

12
MCQ · medium

A client requests that the penetration test report include raw output from the scanning tools used. Where should this output be placed in the report?

A. In the appendices.
B. As a separate deliverable not included in the report.
C. In the executive summary.
D. In the technical findings section, alongside each vulnerability.
Answer: A

Appendices are the appropriate place for raw data.

Why this answer

Raw tool output is typically included in appendices to avoid cluttering the main findings.

13
Multi-Select · hard

During a penetration test, the tester encounters a situation where the scope of the test is ambiguous. Which TWO actions should the tester take to clarify the situation?

Select 2 answers
A. Document the ambiguity and the agreed-upon resolution in the test plan.
B. Proceed with the test based on the tester's best guess.
C. Test all systems within the network to ensure thoroughness.
D. Ignore the ambiguity and continue testing the original scope.
E. Contact the client to clarify the scope before proceeding.
Answers: A, E

This provides a clear record for both parties.

Why this answer

When scope is unclear, the tester should communicate with the client and document the assumptions to avoid misunderstandings.

14
MCQ · medium

During a penetration test, a penetration tester discovers a critical vulnerability that allows unauthenticated remote code execution on a public-facing web server. According to best practices for communication during a penetration test, what should the tester do next?

A. Immediately notify the client of the critical finding and provide initial remediation steps.
B. Document the finding and inform the client only after verifying with a second tester.
C. Wait until the end of the test to include it in the final report.
D. Exploit the vulnerability to demonstrate the full impact before notifying the client.
Answer: A

Immediate notification allows the client to mitigate the risk promptly.

Why this answer

Critical findings should be communicated to the client immediately to allow them to take urgent action, even before the formal report is delivered.

15
MCQ · medium

A penetration tester has completed the test and is preparing the final report. The client asks the tester to include a section that describes the scope, methodology, and tools used. In which section should this information be placed?

A. Appendices
B. Remediation section
C. Technical findings
D. Executive summary
Answer: A

Appendices contain supporting details.

Why this answer

Appendices are the appropriate place for supplementary information such as scope, methodology, and tools used.

16
MCQ · easy

A penetration tester discovers a critical vulnerability during an assessment. According to best practices, when should the tester communicate this finding to the client?

A. Only in the final report
B. After the test is complete
C. Immediately upon discovery
D. At the next scheduled status meeting
Answer: C

Critical findings should be communicated immediately to the client.

Why this answer

Critical findings should be reported immediately to allow the client to take urgent action.

17
MCQ · medium

A penetration tester needs to assign a severity rating to a vulnerability based on business context. Which model uses Impact and Likelihood to determine the risk?

A. CVSS
B. Custom severity based on business context
C. DREAD
D. OWASP Risk Rating
Answer: B

Custom severity ratings often incorporate impact and likelihood.

Why this answer

Custom severity ratings often use a matrix of Impact and Likelihood to assess business risk.

18
MCQ · easy

When a client disagrees with a finding's severity rating, what is the best approach for the penetration tester?

A. Discuss the rationale and adjust if valid business context is provided
B. Escalate to the tester's manager
C. Insist on the original rating and refuse to change it
D. Lower the rating to satisfy the client
Answer: A

Allows for constructive discussion and potential adjustment if justified.

Why this answer

The tester should listen to the client's perspective and discuss the risk assessment, providing rationale to explain the rating.

19
MCQ · medium

A penetration tester is documenting evidence for a finding. Which of the following is the least appropriate type of evidence to include?

A. Screenshot of the vulnerability with timestamp
B. Proof-of-concept code that deletes user data to prove impact
C. Network capture showing the exploit traffic
D. Output from the vulnerability scanner
Answer: B

Destructive proof-of-concept is irresponsible and should be avoided.

Why this answer

Proof-of-concept code should demonstrate exploitability without causing harm. Including a fully functional exploit that could cause harm is irresponsible.

20
Multi-Select · easy

Which TWO of the following are components of the DREAD model for risk assessment? (Select TWO.)

Select 2 answers
A. Likelihood
B. Severity
C. Reproducibility
D. Impact
E. Damage
Answers: C, E

Reproducibility is a DREAD component.

Why this answer

DREAD stands for Damage, Reproducibility, Exploitability, Affected users, Discoverability.

21
Multi-Select · easy

Which THREE items are typically included in the appendices of a penetration test report?

Select 3 answers
A. Scope of the test
B. Testing methodology
C. Executive summary
D. Detailed remediation steps
E. Raw tool output
Answers: A, B, E

Scope is often documented in the appendices.

Why this answer

Appendices contain supplementary information such as scope, methodology, and raw data.

22
MCQ · medium

A penetration tester is writing a report and needs to assign a severity rating to a vulnerability that has a CVSS base score of 7.5. According to CVSS v3.1, which severity level does this score correspond to?

A. Critical
B. Low
C. Medium
D. High
Answer: D

7.5 falls in the High range (7.0-8.9).

Why this answer

CVSS v3.1 defines scores from 0.0 to 10.0: 0.0 = None, 0.1-3.9 = Low, 4.0-6.9 = Medium, 7.0-8.9 = High, 9.0-10.0 = Critical.

23
Multi-Select · hard

A penetration tester is presenting findings to a technical audience. Which THREE practices are MOST appropriate for this setting? (Select THREE.)

Select 3 answers
A. Use high-level business language only
B. Demonstrate the exploit steps
C. Show evidence like packet captures
D. Provide detailed remediation commands
E. Focus on strategic recommendations
Answers: B, C, D

Showing how the vulnerability is exploited is valuable for technical staff.

Why this answer

Technical audiences benefit from details about exploitation, technical steps, and evidence.

24
MCQ · medium

A penetration tester needs to provide remediation recommendations for a critical vulnerability found on a web server. Which of the following is the most appropriate recommendation?

A. Apply security patches regularly.
B. Update the web server software to the latest version.
C. Reconfigure the firewall to block attacks.
D. Upgrade Apache from version 2.4.41 to 2.4.51.
Answer: D

Specific version upgrade addresses the vulnerability.

Why this answer

Specific, actionable steps with version numbers ensure clarity and reduce ambiguity for the client.

25
MCQ · medium

A penetration tester is writing the executive summary of a report. Which of the following best describes the appropriate language and content for this section?

A. Detailed technical descriptions of each vulnerability with CVSS scores.
B. Business language, overall risk rating, key findings, and strategic recommendations.
C. A list of all tools used during the penetration test.
D. Step-by-step exploitation procedures for each finding.
Answer: B

Correct. This is the standard content for an executive summary.

Why this answer

The executive summary is for non-technical stakeholders, so it should use business language and focus on overall risk, key findings, and strategic recommendations.

26
MCQ · easy

Which section of a penetration test report contains detailed technical information such as the vulnerability description, evidence, affected systems, and remediation steps?

A. Technical findings section
B. Appendices
C. Executive summary
D. Methodology section
Answer: A

This section includes all technical details about each finding.

Why this answer

The technical findings section provides in-depth details for technical teams to understand and remediate vulnerabilities.

27
MCQ · hard

A penetration tester is presenting findings to a group of executives. Which of the following is the most effective way to communicate a critical vulnerability?

A. Describe the vulnerability in terms of potential financial and reputational damage.
B. Recommend specific code changes without context.
C. Explain the technical exploit steps in detail.
D. Show raw network captures as evidence.
Answer: A

Business impact resonates with executives.

Why this answer

Executives need to understand business impact, not technical details. Use business language and focus on risk.

28
Multi-Select · medium

A penetration tester is writing a report and wants to prioritize remediation recommendations. Which TWO factors should the tester consider when prioritizing? (Choose TWO.)

Select 2 answers
A. The cost of the fix
B. Severity of the vulnerability
C. The number of systems affected
D. Time required to implement the fix
E. The tester's personal preference
Answers: B, D

Higher severity should be addressed first.

Why this answer

Prioritization should consider severity and quick wins to address high risks and build momentum.

29
MCQ · medium

A penetration tester is presenting findings to a mixed audience of executives and technical staff. For the executives, the tester should focus on:

A. Raw tool output and log files
B. Risk ratings, business impact, and high-level remediation strategy
C. Detailed exploit code and proof-of-concept
D. Step-by-step remediation commands
Answer: B

Executives need to understand risk and make decisions.

Why this answer

Executives are interested in business risk, impact, and strategic recommendations, not technical details.

30
MCQ · medium

A penetration tester is documenting evidence for a finding and takes a screenshot. Which of the following is the most important metadata to include with the screenshot?

A. The tool version used
B. A timestamp
C. The file size of the screenshot
D. The tester's name
Answer: B

Correct. Timestamps are crucial for evidence integrity.

Why this answer

Timestamps provide context and prove when the evidence was captured.

31
MCQ · hard

During a penetration test, a tester discovers evidence of an ongoing data exfiltration attack by an unknown third party. Which of the following should the tester do first?

A. Contact law enforcement directly
B. Immediately notify the client point of contact
C. Document the evidence and include it in the final report
D. Attempt to block the exfiltration to protect the client
Answer: B

The client needs to be informed so they can respond appropriately.

Why this answer

Evidence of criminal activity should be reported immediately to the client, who can then involve law enforcement if needed. The tester should not interfere directly.

32
MCQ · easy

Which of the following is an example of a custom severity rating based on business context?

A. DREAD score of 7
B. High/Medium/Low based on CVSS
C. CVSS score of 9.0
D. Risk rating of 'Critical' based on high business impact and likelihood
Answer: D

This incorporates business context.

Why this answer

Custom severity often uses impact and likelihood to determine risk, as not all vulnerabilities affect the business equally.

33
MCQ · hard

A penetration tester is preparing a remediation recommendation for a SQL injection vulnerability found in a legacy application. The development team cannot immediately update the framework due to compatibility issues. What should the tester recommend as a compensating control?

A. Disable the affected functionality until the framework can be updated.
B. Conduct manual code reviews to identify and fix the vulnerability immediately.
C. Upgrade the database to a newer version to prevent SQL injection.
D. Implement a web application firewall (WAF) with rules to block SQL injection attempts.
Answer: D

A WAF can block attacks while the development team works on a permanent fix.

Why this answer

When a full fix is not immediately possible, compensating controls such as a WAF can provide temporary protection.

34
MCQ · medium

In a penetration test report, the tester includes a screenshot of a successful exploit. What metadata should the screenshot include to ensure proper evidence documentation?

A. Only the exploit output without any timestamps or identifiers.
B. A timestamp and the IP address or hostname of the affected system.
C. A diagram of the network architecture instead of the exploit screenshot.
D. The tester's name and the date of the test, but not the system details.
Answer: B

This provides verifiable proof of the finding.

Why this answer

Screenshots should include timestamps and relevant context such as the affected system to provide clear evidence.

35
MCQ · easy

A penetration tester is writing a report and needs to assign a severity rating to a vulnerability. Which of the following scoring systems is specifically designed to consider Damage, Reproducibility, Exploitability, Affected users, and Discoverability?

A. STRIDE
B. OWASP Risk Rating
C. CVSS
D. DREAD
Answer: D

Correct. DREAD stands for Damage, Reproducibility, Exploitability, Affected users, Discoverability.

Why this answer

The DREAD model is a risk assessment model that uses these five categories.

36
MCQ · hard

A penetration tester uses a custom severity rating based on business context. The tester determines the likelihood of exploitation is high and the business impact is low. According to a standard risk matrix, what should the overall severity be?

A. Medium
B. High
C. Low
D. Critical
Answer: A

High likelihood + low impact often yields medium.

Why this answer

In many risk matrices, high likelihood combined with low impact typically results in a medium severity rating.

37
MCQ · medium

During a penetration test, a penetration tester discovers a critical vulnerability that could allow an attacker to gain administrative access to the client's payment processing server. According to best practices, what should the tester do?

A. Exploit the vulnerability to demonstrate impact and document it
B. Wait until the end of the test to include it in the final report
C. Immediately notify the client point of contact
D. Ask the client for permission to continue testing
Answer: C

Immediate notification allows the client to mitigate the risk promptly.

Why this answer

Option C is correct because when a critical vulnerability that could compromise a payment processing server is discovered during a penetration test, the tester must immediately notify the client point of contact (POC) per responsible disclosure and incident response best practices. This allows the client to take urgent mitigating actions, such as applying patches or isolating the server, before the vulnerability is exploited by malicious actors. Delaying notification violates ethical guidelines and could lead to severe financial and reputational damage.

Exam trap

The trap here is that candidates may think exploiting the vulnerability to demonstrate impact (Option A) is necessary for a convincing report, but the PT0-002 exam emphasizes that immediate notification of critical findings takes precedence over demonstration to prevent real-world harm.

How to eliminate wrong answers

Option A is wrong because exploiting the vulnerability without prior authorization, even for demonstration, could cause unintended service disruption or data corruption on a live payment processing server, violating the rules of engagement and potentially the Computer Fraud and Abuse Act (CFAA). Option B is wrong because waiting until the end of the test to report a critical vulnerability leaves the client exposed to exploitation during the testing period, which contradicts the principle of responsible disclosure and could result in a breach. Option D is wrong because asking for permission to continue testing after discovering a critical vulnerability is redundant; the tester already has permission to test, and the immediate priority is to alert the client to the risk, not to seek further authorization.

38
MCQ · medium

A penetration tester is prioritizing remediation recommendations in a report. Which of the following should be considered first?

A. Vulnerabilities that require significant code changes first.
B. Vulnerabilities with the lowest CVSS scores to clear many issues quickly.
C. Critical and high severity vulnerabilities, especially those that are easy to fix.
D. All vulnerabilities in the order they were discovered.
Answer: C

This addresses the highest risk and provides quick wins.

Why this answer

Critical and high severity vulnerabilities that pose immediate risk should be prioritized first, along with quick wins that can be implemented rapidly.

39
MCQ · medium

A penetration tester is writing the executive summary of a report. Which of the following is MOST important to include?

A. Overall risk rating and strategic recommendations
B. Step-by-step exploitation commands
C. Raw tool output and screenshots
D. Detailed CVSS scores for every vulnerability
Answer: A

The executive summary should present the big picture in business language.

Why this answer

The executive summary should provide a high-level overview in business language, including the overall risk rating, key findings, and strategic recommendations.

40
MCQ · hard

A penetration tester receives pushback from a client's technical team regarding a finding, claiming it is not exploitable. Which of the following is the best response?

A. Escalate the issue to the executive without further discussion.
B. Provide additional evidence and offer to demonstrate the exploit in a controlled environment.
C. Downgrade the severity to low.
D. Remove the finding from the report to avoid conflict.
Answer: B

Demonstration proves exploitability.

Why this answer

Providing evidence and offering to demonstrate helps validate the finding and address concerns professionally.

41
MCQ · easy

Which section of a penetration testing report should include screenshots, affected systems, and remediation steps?

A. Technical findings
B. Scope and methodology
C. Appendices
D. Executive summary
Answer: A

Correct. This section includes detailed evidence and remediation.

Why this answer

Technical findings contain detailed information for each vulnerability.

42
MCQ · medium

A penetration tester is recommending remediation for a critical vulnerability. Which of the following is the best example of a specific, actionable remediation step?

A. Apply security patches.
B. Upgrade Apache from version 2.4.49 to 2.4.51.
C. Update the software to the latest version.
D. Fix the vulnerability.
Answer: B

Correct. This is specific and actionable.

Why this answer

Effective remediation should be specific, including exact versions or commands.

43
MCQ · easy

Which of the following is the primary audience for the executive summary of a penetration test report?

A. Executives and management
B. Developers
C. External auditors
D. System administrators
Answer: A

The executive summary is tailored for non-technical decision-makers.

Why this answer

The executive summary is written for non-technical stakeholders such as executives and managers, using business language and focusing on risk and strategic recommendations.

44
MCQ · hard

A penetration tester is writing a report and needs to assign a custom severity rating for a vulnerability that has high business impact but low likelihood of exploitation. Using a custom severity based on business context (impact + likelihood), which rating is most appropriate?

A. Critical
B. High
C. Medium
D. Low
Answer: C

Correct. High impact + low likelihood balances to medium.

Why this answer

High impact but low likelihood typically results in a medium severity when combining both factors.

45
MCQ · hard

During a penetration test, the tester discovers evidence that an external attacker is actively exploiting a vulnerability in the client's environment. Which of the following is the MOST appropriate action?

A. Document the evidence and ignore it
B. Attempt to block the attacker's activities
C. Immediately notify the client and stop testing
D. Continue testing and include the finding in the final report
Answer: C

The tester should stop testing and inform the client of the live attack.

Why this answer

If there is evidence of a live attack or criminal activity, the tester should stop testing and immediately notify the client so they can take appropriate action.

46
MCQ · easy

When writing the executive summary of a penetration test report, which of the following is the most appropriate language to use?

A. A list of all vulnerabilities sorted by CVSS score without context.
B. Raw output from scanning tools and network packet captures.
C. Business-oriented language focusing on risk, impact, and high-level recommendations.
D. Detailed technical descriptions of each vulnerability and exploit code used.
Answer: C

This aligns with the needs of executives who need to understand risk and make decisions.

Why this answer

The executive summary should be written in business language, avoiding technical jargon, to convey the overall risk and strategic recommendations to non-technical stakeholders.

47
MCQ · easy

A penetration tester discovers a critical vulnerability on a client's web server and wants to communicate it immediately. Which of the following is the most appropriate action?

A. Notify the client's point of contact immediately.
B. Include the finding in the report without prior communication.
C. Wait until the final report is complete.
D. Post the findings on a public forum for disclosure.
Answer: A

This aligns with responsible disclosure and client expectations.

Why this answer

Immediate notification of critical findings ensures the client can take urgent steps to mitigate risk.

48
MCQ · medium

A penetration tester is preparing a report and wants to include proof-of-concept code to demonstrate a vulnerability. Which of the following is the best practice for including such code?

A. Include fully automated exploit scripts that could be used for attacks.
B. Include code that extracts sensitive data to prove impact.
C. Provide code that demonstrates the vulnerability in a responsible manner without destructive payloads.
D. Omit code and only describe the vulnerability verbally.
Answer: C

Responsible disclosure shows exploitability without damage.

Why this answer

Proof-of-concept code should prove the vulnerability is exploitable without causing harm to the client's environment.

49
MCQ · easy

Which of the following should be included in the appendix section of a penetration testing report?

A.Raw tool output and scan results
B.Remediation steps for each finding
C.Executive summary
D.Key findings and overall risk rating
AnswerA

Correct. Raw output is typically placed in an appendix.

Why this answer

Appendices contain supporting details like scope, methodology, and raw tool output.

50
MCQhard

A penetration tester uses the CVSS base score to rate a vulnerability. The tester finds that the vulnerability has a high CVSS score but the affected system is isolated from the internet and has no sensitive data. Which approach should the tester take when assigning an overall severity rating?

A.Increase the severity because the system is isolated and may be overlooked.
B.Adjust the severity lower to reflect the reduced business impact.
C.Remove the finding from the report since the system is isolated.
D.Use the CVSS score as the final severity rating.
AnswerB

The risk is lower because the system is isolated and data is not sensitive.

Why this answer

CVSS is a good starting point but should be adjusted based on business context such as impact and likelihood in the specific environment.

51
MCQhard

A penetration tester is compiling evidence for a critical-severity SQL injection vulnerability. Which of the following is the most important piece of evidence to include in the report to demonstrate exploitability while remaining responsible?

A.A video of the full exploitation process, including data extraction.
B.A screenshot of the database table with all user credentials.
C.Raw network captures showing SQL injection attempts.
D.A proof-of-concept script that retrieves the current database user (e.g., 'SELECT user()').
AnswerD

This demonstrates exploitability without accessing sensitive data.

Why this answer

Proof-of-concept code should demonstrate the vulnerability without causing harm or exposing sensitive data.

52
Multi-Selecthard

A penetration tester is presenting findings to a mixed audience of technical staff and executives. Which THREE of the following should the tester do to effectively communicate to both groups? (Choose THREE.)

Select 3 answers
A.Include detailed technical evidence for the technical audience.
B.Provide a separate executive summary and a technical summary.
C.Use technical jargon to impress the executives.
D.Focus only on high-level findings for the entire presentation.
E.Use analogies and business impact for the executives.
AnswersA, B, E

Technical staff need evidence to validate findings.

Why this answer

Effective communication to mixed audiences requires adjusting language, providing separate summaries, and using clear visuals.

53
MCQeasy

Which of the following is the most appropriate evidence to include in a penetration testing report for a SQL injection vulnerability?

A.A verbal description of the exploit
B.Screenshots of the successful injection with timestamps
C.A link to a public exploit database
D.Raw source code of the application
AnswerB

Screenshots demonstrate proof of exploitability.

Why this answer

Screenshots with timestamps provide clear visual evidence of the exploitation and help validate the finding.

54
MCQmedium

A penetration tester is writing a report and wants to provide a remediation recommendation for an outdated Apache server. Which of the following is the most specific and actionable recommendation?

A.Reconfigure Apache to be more secure
B.Apply security patches to Apache
C.Upgrade Apache from version 2.4.41 to 2.4.54
D.Update the Apache software to the latest version
AnswerC

Specifies exact versions, making it actionable.

Why this answer

Option C is the most specific and actionable recommendation because it explicitly states the exact version to upgrade from (2.4.41) and to (2.4.54), which eliminates ambiguity. In penetration testing reports, vague terms like 'latest version' or 'patches' can lead to incomplete remediation, whereas a precise version number ensures the system administrator knows exactly what action to take to address the vulnerability.

Exam trap

The trap here is that candidates often choose a vague but technically correct-sounding option like 'Update to the latest version' (Option D) without realizing that the PT0-002 exam requires recommendations to be specific, actionable, and verifiable—exact version numbers are the gold standard for remediation in penetration testing reports.

How to eliminate wrong answers

Option A is wrong because 'Reconfigure Apache to be more secure' is too generic and does not address the outdated software; configuration changes alone cannot fix known vulnerabilities in the codebase. Option B is wrong because 'Apply security patches to Apache' is ambiguous—patches may not be available for version 2.4.41, and the term 'patches' could refer to hotfixes rather than a full version upgrade, which is the standard remediation for outdated software. Option D is wrong because 'Update the Apache software to the latest version' is not specific enough; 'latest version' could change over time, and without a target version number, the recommendation lacks the precision needed for verifiable remediation in a penetration test report.

55
Multi-Selecthard

A penetration tester discovers a critical vulnerability that cannot be fully remediated immediately. The client asks for recommendations. Which THREE of the following should the tester include?

Select 3 answers
A.Implement compensating controls to reduce risk.
B.Prioritize remediation of this vulnerability first.
C.Delete the finding from the report.
D.Offer to retest after remediation is applied.
E.Ignore the vulnerability until the next test.
AnswersA, B, D

Correct. Compensating controls provide interim protection.

Why this answer

When full remediation is not possible, recommend compensating controls, prioritize critical fixes, and offer retesting.

56
Multi-Selectmedium

A penetration tester is writing remediation recommendations. Which THREE practices should the tester follow? (Select THREE.)

Select 3 answers
A.Recommend updates with specific version numbers
B.Suggest compensating controls if full remediation is not immediate
C.Recommend only one fix for each vulnerability
D.Avoid mentioning retesting to reduce client concern
E.Prioritize critical and high-severity findings first
AnswersA, B, E

Specific version numbers provide clear guidance.

Why this answer

Good remediation recommendations are specific, prioritized, and offer alternatives if full fixes are impossible.

57
MCQmedium

During a penetration test, a tester discovers a critical vulnerability that could allow remote code execution on an internet-facing server. According to best practices, what is the most appropriate immediate action?

A.Keep the finding confidential until retesting.
B.Notify the client immediately about the critical finding.
C.Exploit the vulnerability to demonstrate impact.
D.Wait until the final report to disclose the finding.
AnswerB

Correct. Critical findings should be reported promptly.

Why this answer

Critical findings should be communicated immediately so the client can take urgent action.

58
MCQmedium

During a penetration test, a client asks the tester to clarify the scope of the test. Which of the following is the best approach for the tester?

A.Make a decision based on previous tests.
B.Clarify with the client via email or documented communication.
C.Include the scope in the report after testing.
D.Ignore the question and continue testing.
AnswerB

Documented communication maintains a clear record.

Why this answer

Clarifying scope questions helps ensure the test stays within agreed boundaries and avoids misunderstandings.

59
MCQmedium

A penetration tester is presenting findings to a group of IT administrators. One administrator questions the validity of a finding, claiming it is not exploitable. How should the tester respond?

A.Insist that the finding is valid based on the tester's experience.
B.Escalate the issue to the project manager.
C.Present the proof-of-concept code and screenshots that demonstrate the exploit.
D.Agree to remove the finding from the report.
AnswerC

Correct. Evidence helps validate the finding.

Why this answer

The tester should provide evidence to support the finding rather than being defensive or dismissive.

60
MCQeasy

Which section of a penetration testing report should provide a high-level overview of the test results using business language and strategic recommendations?

A.Executive summary
B.Technical findings section
C.Remediation recommendations
D.Appendices
AnswerA

The executive summary uses business language and provides strategic recommendations.

Why this answer

The executive summary is designed for non-technical stakeholders to understand the overall risk and key actions.

61
MCQhard

During a penetration test, the tester discovers evidence of an ongoing ransomware attack on the client's network. Which of the following is the most appropriate action?

A.Continue the test as planned and include the finding in the final report.
B.Notify the client immediately and recommend contacting law enforcement.
C.Disconnect from the network and destroy all evidence.
D.Try to stop the ransomware attack using penetration testing tools.
AnswerB

Correct. Immediate notification is critical for incident response.

Why this answer

Evidence of criminal activity must be reported immediately to the client and may require law enforcement involvement.

62
MCQmedium

A penetration tester is calculating the severity of a vulnerability using the DREAD model. Which of the following factors is assessed under the 'Damage' category?

A.The likelihood that an attacker can reproduce the exploit.
B.The potential data loss or system damage that could result from exploitation.
C.How easy it is for an attacker to discover the vulnerability.
D.The number of users affected by the vulnerability.
AnswerB

Damage assesses the impact of exploitation.

Why this answer

In the DREAD model, the 'Damage' category specifically assesses the potential harm from a successful exploit, such as data loss, system corruption, or service disruption. Option B correctly captures this by focusing on the impact to confidentiality, integrity, or availability, which is the core of the Damage factor.

Exam trap

The trap here is confusing the 'Damage' category with 'Affected Users' (Option D), as both involve impact, but Damage focuses on the severity of harm to data or systems, while Affected Users counts the number of individuals or systems impacted.

How to eliminate wrong answers

Option A is wrong because the likelihood of reproducing an exploit is assessed under the 'Reproducibility' category, not Damage. Option C is wrong because the ease of discovering a vulnerability falls under the 'Discoverability' category, which evaluates how easily an attacker can find the flaw. Option D is wrong because the number of users affected is considered under the 'Affected Users' category, which measures the scope of impact, not the direct damage to data or systems.

63
Multi-Selectmedium

A penetration tester is preparing to present findings to the client's technical team. Which TWO practices are most effective for this audience?

Select 2 answers
A.Focus on the return on investment for fixing vulnerabilities.
B.Use analogies to explain vulnerabilities in everyday terms.
C.Include proof-of-concept code and remediation commands.
D.Explain the technical details of each vulnerability, including exploit steps.
E.Provide high-level business impact summaries only.
AnswersC, D

This provides actionable information for the technical team.

Why this answer

Technical audiences benefit from detailed explanations and evidence, including proof-of-concept code and remediation steps.

64
Multi-Selectmedium

A penetration tester discovers a vulnerability that cannot be immediately remediated. Which TWO compensating controls should the tester recommend? (Choose TWO.)

Select 2 answers
A.Disable the affected service entirely.
B.Ignore the vulnerability until the next patch cycle.
C.Implement network segmentation to limit exposure.
D.Add an intrusion detection system (IDS) to monitor for exploitation.
E.Upgrade the software immediately.
AnswersC, D

Segmentation reduces the attack surface.

Why this answer

Network segmentation (C) is a compensating control that limits the blast radius by isolating the vulnerable system from critical assets, reducing the likelihood of lateral movement. An IDS (D) provides detection and alerting for exploitation attempts, enabling a rapid response even when the root vulnerability cannot be patched immediately. Both controls reduce risk without requiring an immediate fix.

Exam trap

The trap here is that candidates often confuse compensating controls with remediation actions, selecting 'upgrade the software immediately' (E) even though the scenario explicitly states the vulnerability cannot be immediately remediated.

65
Multi-Selecthard

A penetration tester is handling a client's pushback on a finding. Which THREE approaches are appropriate? (Select THREE.)

Select 3 answers
A.Re-evaluate the finding and adjust if new information is available
B.Provide additional evidence to support the finding
C.Immediately lower the severity to satisfy the client
D.Listen to the client's concerns and discuss them
E.Refuse to change the report under any circumstances
AnswersA, B, D

The tester should be open to adjusting based on new facts.

Why this answer

When handling pushback, the tester should listen, provide evidence, and possibly adjust the report if valid points are made.

66
MCQhard

A penetration tester is evaluating vulnerabilities using the DREAD model. For a specific vulnerability, the tester assigns the following scores: Damage=8, Reproducibility=7, Exploitability=9, Affected users=6, Discoverability=5. Which of the following is the overall DREAD risk rating?

A.9
B.8
C.7
D.6
AnswerC

The average is 7.

Why this answer

DREAD scores are averaged across the five categories. Compute (8+7+9+6+5)/5 = 35/5 = 7.

67
MCQeasy

In a penetration test report, which section should contain detailed technical information such as affected systems, proof-of-concept code, and remediation steps?

A.Technical findings
B.Appendices
C.Executive summary
D.Methodology
AnswerA

This section contains the detailed technical information for each vulnerability.

Why this answer

The technical findings section is where detailed vulnerability descriptions, evidence, and remediation steps are documented.

68
Multi-Selecthard

During a penetration test, the tester discovers a critical SQL injection vulnerability. The client cannot deploy the full fix (parameterized queries) immediately due to legacy code. Which THREE actions should the tester recommend as compensating controls? (Choose three.)

Select 3 answers
A.Disable detailed error messages to prevent information disclosure
B.Restrict the database account used by the application to least privilege
C.Patch the database management system to the latest version
D.Implement a web application firewall (WAF) rule to block SQL injection patterns
E.Apply input validation and sanitization on the affected parameters
AnswersB, D, E

Limits potential damage.

Why this answer

Compensating controls reduce risk while the full fix is pending. WAF rules, input validation, and restricted DB privileges are appropriate. Disabling error messages is not a direct compensating control, and patching the DBMS may not address the injection.

69
Multi-Selectmedium

A penetration tester is preparing the executive summary. Which THREE elements should be included? (Choose three.)

Select 3 answers
A.Key findings summary
B.Detailed exploit steps for each vulnerability
C.Strategic recommendations
D.Overall risk rating
E.Description of the testing methodology
AnswersA, C, D

Highlights important issues.

Why this answer

Executive summary should include overall risk rating, key findings, and strategic recommendations. Technical details and methodology are not appropriate for this section.

CCNA Ptp Reporting Questions | Courseiva