CCNA Reporting And Communication Questions

27 of 102 questions · Page 2/2 · Reporting And Communication topic · Answers revealed

76
MCQ (easy)

After a penetration test, the client requests a document that includes the methodology used, a list of all vulnerabilities found along with their CVSS scores, and detailed steps for remediation. Which type of report section is this?

A. Executive summary
B. Technical report
C. Rules of engagement
D. Scope of work
Answer: B

This section contains detailed findings, CVSS scores, and remediation guidance for technical teams.

Why this answer

The client's request for methodology, vulnerability list with CVSS scores, and remediation steps describes the detailed, technical findings of the penetration test. This content is characteristic of the Technical Report section, which provides in-depth analysis and actionable data for technical stakeholders, as opposed to high-level summaries or contractual documents.

Exam trap

The trap here is confusing the Executive Summary's high-level risk ratings with the Technical Report's detailed CVSS scores and remediation steps, leading candidates to incorrectly select the Executive Summary when the question explicitly lists granular technical details.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview for non-technical management, not the detailed methodology, CVSS scores, and step-by-step remediation instructions. Option C is wrong because the Rules of Engagement (RoE) is a pre-engagement document defining scope, boundaries, and legal terms, not a post-test deliverable containing findings and remediation.

77
MCQ (medium)

After completing a penetration test, the tester prepares the final report. According to best practices, which of the following should be included in the executive summary?

A. Detailed list of vulnerabilities and CVSS scores
B. Step-by-step exploitation procedures
C. The tester's personal opinions about the security posture
D. High-level findings, risk ratings, and strategic recommendations
Answer: D

This provides executives with a clear understanding of the overall security posture and necessary actions.

Why this answer

Option D is correct because the executive summary should provide high-level findings, risk ratings, and strategic recommendations. Option A is wrong because detailed vulnerability lists belong in the technical section. Option B is wrong because exploitation procedures are too detailed.

Option C is wrong because personal opinions are unprofessional and subjective.

78
MCQ (easy)

A penetration tester discovers a critical vulnerability in a client's production environment. What is the BEST immediate course of action before including this finding in the final report?

A. Immediately communicate the finding to the client's point of contact.
B. Wait until the final report is complete to include all findings together.
C. Include the finding only in the technical appendix of the final report.
D. Stop the penetration test and wait for further instructions.
Answer: A

Immediate communication allows the client to take urgent action to mitigate the risk.

Why this answer

Option A is correct because ethical obligations require immediate notification of critical findings to allow the client to take protective measures. Option B is wrong because delaying until the report is generated could leave the client vulnerable. Option C is wrong because simply including it in the final report may be too late.

Option D is wrong because halting the test without communication is not productive.

79
MCQ (medium)

During a penetration test, the tester discovers a critical vulnerability that could allow an attacker to take over the entire Active Directory domain. The tester wants to report this to the client as soon as possible. Which communication channel is most appropriate for this initial notification?

A. Update the final report with the finding
B. Send an email to the technical contact
C. Call the main point of contact immediately
D. Post the finding in the shared collaboration portal
Answer: C

A direct phone call ensures prompt notification and allows for immediate discussion of containment steps.

Why this answer

Option C is correct because a critical vulnerability that could lead to full Active Directory domain compromise requires immediate attention to prevent potential exploitation. The most appropriate communication channel for urgent, high-severity findings during a penetration test is a direct phone call to the main point of contact, as it ensures real-time, synchronous communication and allows for immediate clarification and action. This aligns with the PT0-002 exam's emphasis on escalation procedures for critical findings, where email or collaboration portals may introduce delays.

Exam trap

The trap here is that candidates may choose email (Option B) thinking it provides a written record, but the exam emphasizes that for critical vulnerabilities, immediate verbal notification is required to minimize risk, with written follow-up as a secondary step.

How to eliminate wrong answers

Option A is wrong because updating the final report with the finding is a post-engagement activity and does not provide timely notification; critical vulnerabilities must be communicated immediately, not deferred to a final deliverable. Option B is wrong because sending an email to the technical contact, while faster than a final report, is asynchronous and may not be read promptly, risking exploitation before the client is aware; a phone call is required for urgent findings. Option D is wrong because posting the finding in a shared collaboration portal relies on the client actively monitoring the portal, which introduces unacceptable delay for a critical vulnerability that could lead to domain takeover.

80
MCQ (easy)

A penetration tester is preparing a report for a client's CISO who is not technical. The CISO needs to understand the overall risk posture and the business impact of the findings. Which section of the report should be tailored for this audience?

A. Executive summary
B. Technical findings
C. Appendices with raw scan data
D. Remediation details
Answer: A

This section is designed for decision-makers like the CISO, summarizing risks and business impact in non-technical language.

Why this answer

The executive summary is designed for non-technical stakeholders like a CISO to quickly grasp the overall risk posture and business impact without needing to interpret raw data or technical jargon. It synthesizes findings into high-level business risks, such as potential financial loss or regulatory exposure, rather than detailing specific vulnerabilities or exploit chains. This section ensures the audience can make informed decisions about resource allocation and risk acceptance.

Exam trap

The trap here is that candidates confuse 'executive summary' with 'remediation details' or 'technical findings,' assuming the CISO needs operational specifics, when in fact the exam tests the principle that non-technical audiences require a distilled, business-focused overview of risk posture and impact.

How to eliminate wrong answers

Option B is wrong because technical findings contain detailed vulnerability descriptions, exploit steps, and proof-of-concept code that require technical expertise to understand, making it unsuitable for a non-technical CISO. Option C is wrong because appendices with raw scan data (e.g., Nmap XML, Nessus .nessus files) are dense, unprocessed outputs that overwhelm non-technical readers and obscure business impact. Option D is wrong because remediation details focus on specific patches, configuration changes, or code fixes, which are operational instructions for technical teams, not a high-level risk summary for executive decision-making.

81
MCQ (easy)

A penetration tester is preparing the final report. The client's CEO wants a high-level overview of the test results, including the overall security posture and business risk, without technical details. Which section of the report should the tester emphasize for the CEO?

A. Technical findings and recommendations
B. Executive summary
C. Methodology
D. Appendices
Answer: B

The executive summary is intended for management and provides a concise, non-technical summary of the test, including overall risk level, key business impacts, and high-level recommendations.

Why this answer

The executive summary is the section of a penetration testing report that provides a high-level overview of the test results, focusing on the overall security posture and business risk without technical details. It is specifically designed for non-technical stakeholders like the CEO, who need to understand the impact on the organization without delving into specific vulnerabilities or exploitation steps.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical findings section, mistakenly believing the CEO needs detailed vulnerability data to understand risk, when in fact the executive summary is the only section tailored for non-technical decision-makers.

How to eliminate wrong answers

Option A is wrong because technical findings and recommendations contain detailed vulnerability descriptions, exploit steps, and remediation commands (e.g., specific CVEs, patch versions, or configuration changes) that are too granular for a CEO's high-level needs. Option C is wrong because the methodology section describes the testing approach, tools used (e.g., Nmap, Metasploit), and scope limitations, which are operational details irrelevant to a business risk overview. Option D is wrong because appendices include raw data such as scan outputs, log excerpts, and evidence files (e.g., PCAPs or screenshots), which are too technical and voluminous for an executive audience.

82
MCQ (easy)

A penetration tester is preparing a report for a client who has both a technical security team and a non-technical executive team. The tester wants to ensure that each audience receives the appropriate level of detail. Which of the following is the most effective approach?

A. Provide the same comprehensive report to both audiences, assuming the security team will interpret it for executives.
B. Create a single report that includes an executive summary at the beginning and a detailed technical section later.
C. Write two separate reports: one for executives with only business impact and another for technical staff with all details.
D. Present only the executive summary and invite the technical team to ask questions orally.
Answer: B

This structure serves both audiences: executives can read the summary, while the technical team can dive into the details.

Why this answer

Option B is correct because it provides a single report with an executive summary for non-technical stakeholders and a detailed technical section for the security team, satisfying both audiences' needs without duplication or omission. This approach aligns with industry best practices for penetration testing reporting, as outlined in standards like PTES and NIST SP 800-115, ensuring clear communication of risks and technical findings.

Exam trap

The trap here is that candidates may choose Option C, thinking two separate reports are more precise, but the exam emphasizes efficiency and consistency, where a single report with both sections avoids redundancy and ensures all stakeholders share the same foundational information.

How to eliminate wrong answers

Option A is wrong because it assumes the technical team will interpret the report for executives, which risks miscommunication or omission of critical business impacts, and fails to provide a tailored summary for non-technical readers. Option C is wrong because creating two separate reports can lead to inconsistencies, duplication of effort, and potential loss of context between business impact and technical details, which may confuse decision-making. Option D is wrong because it omits a written technical report, leaving the technical team without documented evidence for remediation, and relies on oral communication that can be forgotten or misinterpreted.

83
MCQ (easy)

After completing a penetration test, the client's technical team requests a detailed list of all vulnerabilities found, prioritized by severity, along with step-by-step reproduction steps and remediation guidance. In which section of the standard penetration testing report should this information be provided?

A. Executive Summary
B. Methodology
C. Findings
D. Appendices
Answer: C

Correct. The technical findings section contains detailed descriptions of each vulnerability, including severity, reproduction steps, and remediation.

Why this answer

The Findings section of a standard penetration testing report is the correct location for a detailed, prioritized list of vulnerabilities with step-by-step reproduction steps and remediation guidance. This section provides the technical depth required by the client's technical team, contrasting with the high-level summaries found elsewhere.

Exam trap

The trap here is that candidates confuse the Executive Summary's high-level risk overview with the detailed technical breakdown required by the client's technical team, leading them to choose Option A instead of the Findings section.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, not a detailed technical list with reproduction steps. Option B is wrong because the Methodology section describes the tools, techniques, and scope of the test, not the specific vulnerabilities found. Option D is wrong because Appendices contain supplementary material like raw logs or configuration files, not the primary vulnerability details and remediation steps.

84
MCQ (medium)

A client requests that the penetration tester deliver the final report in an encrypted format via email. Which encryption method should the tester use to ensure confidentiality?

A. Rely on TLS encryption for the email transport
B. Upload the report to a web server using HTTPS
C. Compress the report in a password-protected ZIP file
D. Use S/MIME or PGP to encrypt the email message
Answer: D

S/MIME or PGP provides end-to-end encryption of the message and its attachments.

Why this answer

Option D is correct because S/MIME or PGP encrypts the email content and attachments end-to-end. Option A (SSL/TLS) protects the message in transit but not at the endpoints. Option B (HTTPS) only applies to web delivery, not email.

Option C (ZIP with password) is weaker because the password is often transmitted separately and may be intercepted.

85
MCQ (easy)

During a penetration test, the tester identifies a low-risk information disclosure vulnerability in a public-facing web server. The tester includes this finding in the final report. Which component of the risk rating should the tester use to justify the low severity?

A. CVSS base score
B. Exploitability metrics
C. Impact metrics
D. Temporal score
Answer: A

The base score is the standard metric for severity, calculated from exploitability and impact. A low base score justifies the low-risk rating.

Why this answer

The CVSS base score is the correct component to justify the low severity because it represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments. In this case, the information disclosure vulnerability has a low base score due to factors such as low attack complexity and low impact on confidentiality, which are captured in the base metrics. The base score is the standard starting point for communicating severity, making it the appropriate justification for the low-risk rating in the report.

Exam trap

CompTIA often tests the misconception that exploitability metrics or impact metrics alone determine the severity, when in fact the CVSS base score is the aggregate of both and is the authoritative component for justifying the risk rating in a report.

How to eliminate wrong answers

Option B is wrong because exploitability metrics (e.g., attack vector, attack complexity, privileges required, user interaction) are sub-components of the CVSS base score that influence the overall severity, but they alone do not define the final risk rating; they must be combined with impact metrics to produce the base score. Option C is wrong because impact metrics (e.g., confidentiality, integrity, availability) are also sub-components of the base score and do not independently justify the low severity; the base score integrates both exploitability and impact. Option D is wrong because the temporal score adjusts the base score based on factors that change over time (e.g., exploit code maturity, remediation level, report confidence), but the question asks for the component to justify the low severity at the time of the test, not a future-adjusted score.

86
MCQ (easy)

After a penetration test, the client's technical team wants to understand the exact steps required to reproduce a cross-site scripting vulnerability found in the web application. In which section of the standard penetration testing report should this information be included?

A. Executive Summary
B. Technical Findings and Recommendations
C. Methodology
D. Appendices
Answer: B

This section contains detailed technical information for each vulnerability, including the steps to reproduce.

Why this answer

The Technical Findings and Recommendations section is the correct place for step-by-step reproduction steps because it provides detailed, actionable technical information for the client's technical team. This section typically includes specific payloads, HTTP request/response details, and the exact sequence of user interactions needed to trigger the XSS vulnerability, enabling the team to verify and remediate the issue.

Exam trap

The trap here is that candidates confuse the high-level 'Methodology' section (which describes the overall testing process) with the detailed 'Technical Findings' section, mistakenly thinking reproduction steps belong in the methodology rather than the findings.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical stakeholders, focusing on business impact and risk ratings, not detailed reproduction steps. Option C is wrong because the Methodology section describes the overall testing approach and tools used (e.g., OWASP ZAP, Burp Suite), not the specific steps for a single vulnerability. Option D is wrong because Appendices contain supplementary material like raw scan outputs or log excerpts, but the primary, structured reproduction steps belong in the main body of the Technical Findings section.

87
MCQ (medium)

During a penetration test, the tester discovers that a third-party vendor has remote access to the client's network. The vendor was not mentioned in the scope of work. How should the tester communicate this finding in the report?

A. Ignore it entirely because it is outside the testing agreement.
B. Document it in the 'Observations' or 'Out-of-Scope Findings' section.
C. Include it as a critical vulnerability in the main findings.
D. Remove the finding because it is out of scope.
Answer: B

This allows the client to be aware without implying it was a tested vulnerability.

Why this answer

Option B is correct because the finding should be documented as an observation: it is relevant to the overall security posture but may be out of scope. Option A is wrong because ignoring it could miss an important risk. Option C is wrong because it is not a confirmed vulnerability but an observation.

Option D is wrong because it unnecessarily delays reporting.

88
MCQ (medium)

A penetration tester has completed an engagement and needs to present findings to a mixed audience of technical engineers and business executives. Which section of the penetration test report is BEST suited for communicating high-level risk ratings and potential business impact to the non-technical stakeholders?

A. Executive Summary
B. Technical Findings and Vulnerability Details
C. Remediation Steps
D. Appendix
Answer: A

The executive summary is designed for non-technical audiences and provides a high-level overview of findings, risk ratings, and business impact.

Why this answer

The Executive Summary is the correct section because it is specifically designed to communicate high-level risk ratings, business impact, and strategic recommendations to non-technical stakeholders such as executives. It avoids technical jargon and focuses on the business context, aligning with the PT0-002 objective of tailoring reports to the audience.

Exam trap

CompTIA often tests the candidate's ability to distinguish between audience-appropriate report sections, and the trap here is assuming that 'Technical Findings' is the most important section for all stakeholders, when in fact the Executive Summary is the primary communication tool for non-technical decision-makers.

How to eliminate wrong answers

Option B is wrong because Technical Findings and Vulnerability Details contains in-depth technical descriptions, CVSS scores, proof-of-concept code, and exploit paths that are intended for engineers, not for executives who need a high-level overview. Option C is wrong because Remediation Steps provides specific technical fixes (e.g., patch versions, configuration changes) that require technical understanding to implement, and it does not prioritize business impact or risk ratings for non-technical readers.

89
MCQ (medium)

A penetration tester is finalizing a report for a client. The client's technical team needs a concise list of each vulnerability with its risk rating, CVSS score, and recommended remediation steps. In which section of the report should this information be placed?

A. Findings and technical details
B. Executive summary
C. Scope and methodology
D. Appendix
Answer: A

This section is designed to present each vulnerability with its risk rating, CVSS score, impact, and remediation.

Why this answer

The Findings and technical details section is the correct placement because it is specifically designed to provide a detailed, itemized list of vulnerabilities, including risk ratings, CVSS scores, and remediation steps, which the client's technical team needs for action. This section goes beyond high-level summaries to deliver the granular data required for patching and mitigation, aligning with the PT0-002 objective of structuring reports for different audiences.

Exam trap

The trap here is that candidates assume the Executive summary also serves technical audiences, but the PT0-002 exam emphasizes that technical details belong in the Findings section, while the Executive summary is for non-technical decision-makers.

How to eliminate wrong answers

Option B is wrong because the Executive summary is intended for non-technical stakeholders (e.g., management) and provides a high-level overview of risks, business impact, and strategic recommendations, not a concise list of each vulnerability with CVSS scores and remediation steps. Option C is wrong because the Scope and methodology section describes the testing boundaries, tools used, and techniques employed (e.g., Nmap scans, exploitation frameworks), not the detailed findings or remediation guidance.

90
MCQ (easy)

A penetration tester is preparing the final report. The client's CEO needs to understand the overall risk level and the business impact of the findings. Which of the following should be included in the executive summary?

A. A detailed list of all vulnerabilities with CVSS scores
B. The exact commands and payloads used during exploitation
C. A quantitative risk analysis including annualized loss expectancy
D. A high-level summary of the test's scope, overall risk rating, and business impact
Answer: D

This is exactly what the executive summary is designed for: giving non-technical leaders a clear picture of the risk without overwhelming them with technical details.

Why this answer

The executive summary is designed for senior management, such as the CEO, who needs a concise overview of the penetration test's scope, overall risk rating, and business impact to make informed decisions. Detailed technical data, such as CVSS scores or exploitation commands, is inappropriate for this audience and belongs in the technical report. Option D directly addresses the requirement for a high-level, business-focused summary.

Exam trap

The trap here is that candidates often confuse the executive summary with the technical report, mistakenly thinking that including detailed CVSS scores or exploitation commands demonstrates thoroughness, when in fact the exam expects a clear separation of audience-specific content.

How to eliminate wrong answers

Option A is wrong because a detailed list of all vulnerabilities with CVSS scores is too granular for an executive summary; CVSS scores are technical metrics that require context and are better placed in the technical findings section. Option B is wrong because exact commands and payloads used during exploitation are operational details intended for the technical team, not for a CEO who needs business impact analysis. Option C is wrong because while quantitative risk analysis (e.g., ALE) can be useful, it is not always feasible or required in a penetration test report; the executive summary should focus on qualitative risk ratings and business impact, not specific financial calculations that may rely on assumptions not validated by the test.

91
MCQ (hard)

After completing a penetration test, the client's technical team requests the detailed raw data (e.g., scan results, exploit logs, packet captures) used to support the findings. According to best practices, which of the following should the penetration tester do?

A. Include all raw data in the appendices of the final report
B. Provide the raw data in a separate, sanitized deliverable with a data handling agreement
C. Refuse to provide raw data to protect the confidentiality of the testing process
D. Provide the raw data only if the client signs a non-disclosure agreement
Answer: B

This approach protects confidentiality and allows the client to use the data responsibly.

Why this answer

Option B is correct because raw data such as scan results, exploit logs, and packet captures often contain sensitive information like IP addresses, credentials, or system details. Best practices (e.g., PTES, NIST SP 800-115) dictate that raw data should be provided in a separate, sanitized deliverable accompanied by a data handling agreement to ensure confidentiality and proper data governance, rather than embedding it directly in the final report.

Exam trap

The trap here is that candidates may assume the final report should include all evidence for completeness (Option A), overlooking the confidentiality and data handling risks inherent in raw, unsanitized data.

How to eliminate wrong answers

Option A is wrong because including all raw data in the appendices of the final report risks exposing sensitive information to unauthorized readers and violates data minimization principles; the final report should contain only synthesized findings and evidence. Option C is wrong because refusing to provide raw data outright is not a best practice—clients have a legitimate need for supporting evidence, and a professional tester should provide it under controlled conditions with a data handling agreement.

92
MCQ (medium)

A penetration tester is writing the technical report for a client. The client's security team needs detailed, step-by-step instructions on how to reproduce each vulnerability found. In which section of the report should this information be placed?

A. Executive summary
B. Risk rating section
C. Findings and recommendations
D. Appendix
Answer: C

This section provides a detailed breakdown of each finding, including how it was discovered, steps to reproduce, and recommended remediation actions.

Why this answer

The 'Findings and recommendations' section is the correct location for detailed, step-by-step reproduction instructions because it provides the technical depth needed for the client's security team to validate and remediate each vulnerability. This section typically includes exact commands, payloads, and sequences used during testing, aligning with the PT0-002 objective of delivering actionable technical details.

Exam trap

The trap here is that candidates confuse the 'Executive summary' (which summarizes findings for management) with the 'Findings and recommendations' section, mistakenly thinking step-by-step instructions belong in the high-level overview due to a misunderstanding of report audience segmentation.

How to eliminate wrong answers

Option A is wrong because the executive summary is a high-level overview for non-technical stakeholders, focusing on business impact and risk posture, not step-by-step technical reproduction steps. Option B is wrong because the risk rating section assigns severity scores (e.g., CVSS v3.1 base scores) and prioritizes findings, but does not contain the granular procedural instructions needed to replicate vulnerabilities.

93
MCQ (easy)

A penetration tester has completed an internal network test. The client's IT manager requests a document that lists each vulnerability with its CVSS score, risk rating, and a brief description of the impact. Which section of the final report should contain this information?

A. Executive Summary
B. Technical Findings
C. Methodology
D. Remediation Summary
Answer: B

The Technical Findings section lists vulnerabilities with CVSS scores, risk ratings, and impact descriptions, tailored for technical staff.

Why this answer

The Technical Findings section is the correct location because it provides a detailed, itemized list of each discovered vulnerability, including its CVSS score, risk rating, and impact description. This section is intended for technical stakeholders who need granular data to prioritize remediation, unlike the Executive Summary which offers high-level business impact and risk overviews.

Exam trap

The trap here is that candidates confuse the Executive Summary's role as a summary of all findings with the Technical Findings' role of providing detailed, per-vulnerability data, leading them to incorrectly select the Executive Summary for listing CVSS scores and impacts.

How to eliminate wrong answers

Option A is wrong because the Executive Summary is a high-level overview for non-technical management, focusing on business risk, strategic recommendations, and key findings without listing individual CVSS scores or detailed impact descriptions. Option C is wrong because the Methodology section describes the tools, techniques, and procedures used during the test (e.g., Nmap scans, exploitation frameworks), not the specific vulnerabilities found.

94
Multi-Select (medium)

Which TWO of the following should be included in the methodology section of a penetration test report?

Select 2 answers
A. List of vulnerabilities discovered
B. Step-by-step remediation instructions
C. The client's network diagram
D. The specific tools and commands used during testing
E. The testing approach (e.g., black-box, white-box)
Answers: D, E

The methodology section documents the testing approach and the tools used.

Why this answer

The methodology section of a penetration test report documents the testing approach and the specific techniques used to ensure reproducibility and transparency. Option D is correct because listing the specific tools and commands (e.g., Nmap with `-sV -sC`, Metasploit modules, or custom scripts) allows the client to understand exactly how each test was performed. Option E is correct because stating the testing approach (e.g., black-box, white-box, or gray-box) defines the scope and context of the engagement, which is a core part of the methodology.

Exam trap

CompTIA often tests the distinction between the methodology section (which describes the 'how' and 'approach') and the findings/recommendations sections, leading candidates to mistakenly include vulnerability lists or remediation steps in the methodology.

95
MCQ · medium

A penetration tester is writing the findings section of a report. The tester discovered a cross-site scripting vulnerability that allows session hijacking. The technical team wants to understand exactly how to reproduce it, while the business owner wants to know the risk it poses to customer data. Which approach best addresses both audiences?

A. Include a single detailed description with both technical and business impact
B. Write two separate sections: one for technical details and one for risk analysis
C. Place technical details in an appendix and include only risk ratings in the main body
D. Provide a video demonstration separately from the written report
Answer: B

Separation allows the technical team to quickly find reproduction steps and the business owner to focus on risk and impact.

Why this answer

Option B is correct because it separates the technical reproduction steps (for the technical team) from the business impact analysis (for the business owner), ensuring each audience receives the information in the format they need. This aligns with the PT0-002 objective of tailoring communication to different stakeholders, avoiding confusion or information overload. A single combined description (Option A) would likely be too technical for the business owner or too vague for the technical team.

Exam trap

The trap here is that candidates may choose Option A, thinking a single comprehensive section is efficient, but the PT0-002 exam emphasizes that different stakeholders require different levels of detail—technical teams need exact reproduction steps, while business owners need risk context—so separating them is the correct approach.

How to eliminate wrong answers

Option A is wrong because a single detailed description mixing technical steps and business impact risks confusing both audiences—the technical team may find the risk language irrelevant, while the business owner may be overwhelmed by technical jargon like 'XSS payload injection via unescaped user input in the HTTP GET parameter.' Option C is wrong because placing technical details in an appendix and only risk ratings in the main body fails to provide the technical team with the step-by-step reproduction steps they need, and the business owner may not understand the context of the risk ratings without supporting explanation. Option D is wrong because a video demonstration alone does not replace a written report; it lacks the structured, searchable documentation required for compliance and audit trails, and it may not be accessible to all stakeholders (e.g., those with visual impairments or network restrictions).

96
MCQ · medium

A penetration tester is preparing a report for a client that includes both a technical security team and an executive leadership team. The executive team needs to understand the overall risk posture, while the technical team requires detailed reproduction steps. Which reporting structure best serves both audiences?

A. A single report with an executive summary and technical appendices
B. Two completely separate reports: one for executives and one for technical staff
C. Only an executive summary, omitting technical details
D. Only a technical report with all details
Answer: A

This structure allows both audiences to find the information they need in one document. The executive summary is concise and non-technical, while technical appendices provide depth.

Why this answer

A single report with an executive summary and technical appendices is the correct structure because it satisfies both audiences: the executive summary provides a high-level risk posture overview (e.g., CVSS scores, business impact), while the technical appendices contain detailed reproduction steps (e.g., exact commands, payloads, and packet captures) for the technical team. This approach aligns with the PT0-002 objective of tailoring communication to stakeholders without losing technical rigor.

Exam trap

The trap here is that candidates think separate reports are more 'professional' or 'targeted,' but the PT0-002 exam expects a single cohesive report with layered detail to ensure consistency and traceability between the executive summary and technical findings.

How to eliminate wrong answers

Option B is wrong because two completely separate reports can lead to misalignment between the executive summary and technical details, causing executives to miss critical context or technical staff to lack business impact understanding. Option C is wrong because omitting technical details prevents the technical team from validating or reproducing findings, violating the reporting requirement for actionable remediation steps. Option D is wrong because a purely technical report overwhelms executives with jargon and lacks the risk posture summary they need for decision-making, failing the communication objective.

97
MCQ · medium

You are contracted to perform a penetration test for a healthcare organization. During the testing, you discover a critical SQL injection vulnerability that exposes patient health information. The deadline for the final report is one week away. The client's IT manager asks you to exclude this finding from the report because they are already aware of it and are working on a fix. The IT manager claims that including it would cause panic among stakeholders. What is the BEST course of action?

A. Agree to exclude it but note it verbally
B. Explain that findings must be included in the report regardless of awareness, and offer to present the finding in a controlled manner to management
C. Report the issue to the client's compliance officer without informing the IT manager
D. Include it only in the technical appendix
Answer: B

This maintains integrity while addressing the client's concerns about stakeholder reaction.

Why this answer

Option B is correct. According to reporting best practices, all findings must be documented regardless of whether the client is already aware of them. Offering to present the finding in a controlled manner addresses the client's concern about stakeholder reaction while preserving the integrity and transparency of the report.

Option A is wrong because verbal notes are not part of the formal report and may be forgotten. Option C is wrong because bypassing the IT manager could damage trust and violate the agreed reporting protocols. Option D is wrong because placing the finding only in an appendix still includes it but does not give a critical issue the visibility it requires.

98
MCQ · medium

A penetration tester has identified a critical misconfiguration in a cloud storage bucket that exposes sensitive customer data. The client's technical team has already applied a fix, but the tester wants to ensure the report accurately reflects the risk and the remediation. Which section of the report should include the steps to reproduce the vulnerability?

A. Executive summary
B. Findings and risk rating
C. Technical details and proof of concept
D. Remediation recommendations
Answer: C

This is the correct section, as it contains the exact commands, screenshots, and steps needed to reproduce the vulnerability for technical staff.

Why this answer

The technical details and proof of concept (POC) section is the correct place to include step-by-step reproduction steps because it provides the client's technical team with the exact commands, API calls, or configuration checks needed to verify the vulnerability and the fix. This section is distinct from the executive summary (which targets non-technical stakeholders) and the findings and risk rating (which focuses on impact and severity). By including reproduction steps here, the tester ensures the remediation can be validated without ambiguity.

Exam trap

The trap here is that candidates confuse the 'findings and risk rating' section with the 'technical details' section, assuming reproduction steps belong with the risk description, when in fact the PT0-002 exam expects a clear separation: risk rating is for impact, technical details is for replication.

How to eliminate wrong answers

Option A is wrong because the executive summary is intended for management and non-technical stakeholders, providing a high-level overview of risks and business impact, not detailed reproduction steps. Option B is wrong because the findings and risk rating section describes the vulnerability's nature, impact, and CVSS score, but does not include the procedural steps to replicate the issue; those steps belong in the technical details section.

99
Drag & Drop · medium

Drag and drop the steps to perform privilege escalation on a Linux system using kernel exploit enumeration into the correct order.

Why this order

Privilege escalation requires system info gathering, exploit search, compilation, execution, and verification.

100
Multi-Select · hard

Which TWO of the following actions are appropriate when handling personally identifiable information (PII) discovered during a penetration test?

Select 2 answers
A. Include raw PII in the report as proof of access
B. Transfer PII to the client's secure storage for inclusion in the report
C. Securely delete any PII that is not required for reporting
D. Redact or mask PII in screenshots and logs before inclusion
E. Anonymize PII by replacing with fake data in the report
Answers: C, D

Minimizes data retention.

Why this answer

Options C and D are correct. Raw PII should not appear in the report; instead, redact or mask it in screenshots and logs before inclusion (D). Any PII collected that is not required for reporting must be securely deleted (C).

Option A violates PII protection requirements. Option B is incorrect because it transfers risk inappropriately. Option E is acceptable in some cases but not the best practice; redaction is preferred over anonymization when evidence is needed.

101
MCQ · medium

During a penetration test, the tester discovers active ransomware on a critical server. Which communication should the tester perform FIRST according to standard rules of engagement?

A. Include it in the final report
B. Immediately notify the client's emergency contact
C. Attempt to contain the ransomware
D. Log the finding and continue testing
Answer: B

The tester should promptly alert the client to allow them to take immediate action to mitigate the active threat.

Why this answer

The standard rules of engagement (ROE) for penetration testing require immediate notification of the client's emergency contact upon discovery of active ransomware. This is because ransomware represents an active, ongoing security incident that demands urgent response to prevent data loss and further spread, overriding the normal testing timeline. The tester must not attempt containment or continue testing, as those actions could interfere with incident response or violate legal boundaries.

Exam trap

CompTIA often tests the misconception that a penetration tester should attempt to contain or remediate active threats, but the correct action is always to notify the client's emergency contact immediately, as testers are observers, not incident responders.

How to eliminate wrong answers

Option A is wrong because including ransomware in the final report delays critical notification, potentially allowing the ransomware to encrypt more data or spread laterally, which violates the ROE requirement for immediate incident reporting. Option C is wrong because the tester lacks authorization and expertise to contain ransomware; attempting containment could destroy forensic evidence, trigger further encryption, or breach legal agreements. Option D is wrong because logging and continuing testing ignores the active threat, risking catastrophic data loss and violating the ethical duty to report imminent harm under the ROE.

102
MCQ · medium

A penetration tester is preparing the final report. The client's legal team requests a document that outlines the scope, limitations, and any data handling procedures to comply with regulatory requirements. Which section of the report should include this information?

A. Executive Summary
B. Methodology
C. Scope and Rules of Engagement
D. Technical Findings
Answer: C

This section explicitly states the authorized scope, limitations, and data handling procedures, meeting legal and compliance requirements.

Why this answer

The Scope and Rules of Engagement section is the correct location for documenting the scope, limitations, and data handling procedures because it formally defines the boundaries of the penetration test, including authorized targets, testing windows, and legal constraints. This section ensures compliance with regulatory requirements by specifying how data is collected, stored, and disposed of, which is critical for audits and legal review.

Exam trap

The trap here is that candidates confuse the Executive Summary with a catch-all for legal disclaimers, but the exam expects the precise placement of contractual and compliance details in the Scope and Rules of Engagement section.

How to eliminate wrong answers

Option A is wrong because the Executive Summary provides a high-level overview of findings and risk posture for management, not the detailed legal and procedural boundaries of the engagement. Option B is wrong because the Methodology section describes the technical approach, tools, and techniques used (e.g., NIST SP 800-115 phases), not the contractual scope or data handling policies.
