PT0-002 · topic practice

Reporting and Communication practice questions

Practise CompTIA PenTest+ PT0-002 Reporting and Communication practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Reporting and Communication

What the exam tests

What to know about Reporting and Communication

Reporting and Communication questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Reporting and Communication exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Reporting and Communication questions

20 questions · select your answer, then reveal the explanation

During a penetration test, a penetration tester discovers a critical vulnerability that allows unauthenticated remote code execution on a public-facing web server. According to best practices for communication during a penetration test, what should the tester do next?

When writing the executive summary of a penetration test report, which of the following is the most appropriate language to use?

A penetration tester is preparing a remediation recommendation for a SQL injection vulnerability found in a legacy application. The development team cannot immediately update the framework due to compatibility issues. What should the tester recommend as a compensating control?

A penetration tester is calculating the severity of a vulnerability using the DREAD model. Which of the following factors is assessed under the 'Damage' category?

In a penetration test report, which section should contain detailed technical information such as affected systems, proof-of-concept code, and remediation steps?

During a penetration test, the tester discovers evidence of an ongoing cyber attack by an external threat actor on the client's network. What is the tester's responsibility?

A penetration tester is presenting findings to a mixed audience of technical staff and executives. The executives seem confused about the risk ratings. How should the tester adjust the presentation?

A penetration tester is prioritizing remediation recommendations in a report. Which of the following should be considered first?

In a penetration test report, the tester includes a screenshot of a successful exploit. What metadata should the screenshot include to ensure proper evidence documentation?

Which of the following is an example of a responsible remediation recommendation?

A penetration tester uses the CVSS base score to rate a vulnerability. The tester finds that the vulnerability has a high CVSS score but the affected system is isolated from the internet and has no sensitive data. Which approach should the tester take when assigning an overall severity rating?

A client requests that the penetration test report include raw output from the scanning tools used. Where should this output be placed in the report?

A penetration tester is preparing to present findings to the client's technical team. Which TWO practices are most effective for this audience?

During a penetration test, the tester encounters a situation where the scope of the test is ambiguous. Which TWO actions should the tester take to clarify the situation?

Which THREE items are typically included in the appendices of a penetration test report?

A penetration tester discovers a critical vulnerability on a client's web server and wants to communicate it immediately. Which of the following is the most appropriate action?

Which section of a penetration testing report should provide a high-level overview of the test results using business language and strategic recommendations?

During a penetration test, a tester discovers evidence of an ongoing live exploitation by an unknown third party. Which of the following should the tester do first?

A penetration tester is writing a report and needs to assign a severity rating to a vulnerability that has a CVSS base score of 7.5. According to CVSS v3.1, which severity level does this score correspond to?

A penetration tester is evaluating vulnerabilities using the DREAD model. For a specific vulnerability, the tester assigns the following scores: Damage=8, Reproducibility=7, Exploitability=9, Affected users=6, Discoverability=5. Which of the following is the overall DREAD risk rating?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Reporting and Communication sessions

Start a Reporting and Communication only practice session

Every question in these sessions is drawn from the Reporting and Communication domain — nothing else.

Related practice questions

Related PT0-002 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PT0-002 exam test about Reporting and Communication?
Reporting and Communication questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Reporting and Communication questions in a focused session?
Yes — the session launcher on this page draws every question from the Reporting and Communication domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PT0-002 topics?
Use the topic links above to move to related areas, or go back to the PT0-002 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PT0-002 exam covers. They are not copied from any real exam or dump site.