CompTIA PenTest+

Uploaded by sh8132397

Domain 1.0: Planning and Scoping


Domain 2.0: Information Gathering and Vulnerability Scanning

Domain 3.0: Attacks and Exploits

Domain 4.0: Reporting and Communication

Domain 5.0: Tools and Code Analysis

Planning and Scoping


Question 1/ 73

When planning an external pentest, determining the budget is very important. What is the FIRST
metric that is taken into consideration when calculating the estimate?

A Price of software that will be used

B Price of the clients' shares

C Price of hardware that will be used

D Estimated number of hours

Explanation Details
Correct answer: Estimated number of hours

For an external or commercial pentest, budget determination normally begins with estimating the
number of hours the testing will take, based on the complexity of the test.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 43.
Question 2/ 73

When planning a pentest, one of the MOST important things that needs to be considered is:

A firewall rules

B pentesting tools

C number of VLANs in the environment

D target selection

Explanation Details
Correct answer: target selection

Selecting the targets to include in the engagement is crucial, as the organization may have many
assets (people, processes, facilities, and technologies) located throughout the world that need to be
considered during the target selection process.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 37.

Question 3/ 73
Jamal's client is legally obligated to prevent their R&D data from leaving the country. What sort of
restriction is this?

A Network restriction

B Corporate policy restriction


C Compliance-based restriction

D Governmental restriction

Explanation Details
Correct answer: Governmental restriction

Export restrictions are governmental rules prohibiting the export of certain goods and services to
other countries. U.S. export laws prohibit the export of certain encryption technology.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 47–49.
Question 4/ 73
Maria is preparing for a pentest, but the client has a network access control in place that would
prevent most, if not all, of Maria's packets during testing. What can be done to enable the testing?

A Devices behind the firewall can be excluded from the testing scope

B The client can disable the firewall

C Maria can test out of office hours

D The client can make a security exception in the NAC

Explanation Details
Correct answer: The client can make a security exception in the NAC

Sometimes a security exception at the network layer is needed to enable a pentester to complete
their tests.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 42.

Question 5/ 73
Signing a Non-Disclosure Agreement (NDA) forbids you from doing which of the following?

A Testing sensitive targets within the organization

B Sharing sensitive information in the pentest report

C Sharing test results with third parties

D Conducting social engineering attacks

Explanation Details
Correct answer: Sharing test results with third parties

A Non-Disclosure Agreement (NDA) is signed by two parties, in this case the pentester and the client,
and is used to prevent one or both parties from sharing the information externally.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 46.
Question 6/ 73
When contracting an external company to perform a penetration test, what document would you
need to have signed in order to guarantee the confidentiality of the organization's internal
information?

A NDA

B MSA
C SOW
D RoE

Explanation Details
Correct answer: NDA

A Non-Disclosure Agreement (NDA) is protecting the business's competitive advantages from being
disclosed to third parties. In the event the organization is compromised, the vendor is obligated to
maintain the secrecy of the privileged information it might obtain during the pentest.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 45–47.

Question 7/ 73
You are tasked with a compliance-based pentest. The client's key management solution is hosted
on a third-party vendor. How could this affect the pentest?

A The pentest's scope might have to include the third party's policies and practices regarding key
management.

B The third-party service provider needs to request an additional pentest and pass the compliance
requirements.

C The pentest's scope might have to exclude key management from testing, as it falls outside of the
client's environment.

D The client will have to arrange local key management in order to fulfill the compliance
requirements.

Explanation Details
Correct answer: The pentest's scope might have to include the third party's policies and practices
regarding key management.
Depending on the third-party provider, the scope of the test might have to be increased to cover the
additional policies and practices. Some key management service providers do have the certification
needed to fulfill the compliance requirements, in which case the pentest's scope would not need to
be increased.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 37–40, 45–48.

Question 8/ 73
You are tasked with helping an organization with threat modeling before a pentest. Your client
shares that their most valuable asset is the information they have and the extensive R&D they
have invested in. It worries them that data could easily be exfiltrated by almost anyone in the
organization. What sort of threat actor are they MOSTLY concerned about?

A Insider threat

B Red team attack

C Script kiddies

D Social engineering attacker

Explanation Details
Correct answer: Insider threat

Insider threat is usually related to information exfiltration. It is fairly easy to copy sensitive internal
information to a thumb drive and take it off the premises.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 43.

Question 9/ 73
Data isolation is usually important in what sort of
engagement?
A Black box

B Red team

C Goal-based
D Compliance-based

Explanation Details
Correct answer: Compliance-based

Data isolation is usually related to systems covered by a compliance requirement. Such systems fall
under specific conditions directly related to the purpose they are built for.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 33–35, 49–51.

Question 10/ 73
What sort of assessment would you recommend to a company that would like to have the
following criteria met?

- Detailed code review of the application
- External test of the application
- Internal test of the application
- Internal test of the application in a testing environment

A Known environment assessment

B Red team assessment


C Code review

D Black box assessment

Explanation Details
Correct answer: Known environment assessment

Known environment testing allows the pentest team to have insider knowledge of organizational
network assets, policies, and procedures. In many cases, this also means full access to the
application code. In order to include all of the listed criteria, you would need to conduct a known
environment pentest.

Unknown environment and red team assessments would exclude the code review and internal
testing.

Code review does not include either external or internal application testing.
Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 32, 126, 132.

Question 11/ 73
Which of the following could NOT be tested off-site?
A Domain controllers
B Social engineering
C Internal web applications
D Wi-Fi AP

Explanation Details
Correct answer: Wi-Fi AP

In order to test wireless Access Points (APs), the pentester needs to be on-site and within radio
range of the AP.

Domain controllers can be tested remotely, for example over a VPN or from an internal host the
tester has already compromised, and social engineering can be carried out by phone or email.
Internal web applications are usually tested once an internal account or host is compromised.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 40.

Question 12/ 73
You are contracted to perform a penetration test for a small company. The client provides you
with a list of servers, running services, and credentials for all login portals.

How would you classify this test?


A Unknown environment test
B Known environment test
C Vulnerability scan
D Partially known environment test

Explanation Details
Correct answer: Known environment test
Known environment testing is a method of software testing that tests internal structures or workings
of an application, as opposed to its functionality. In known environment testing, an internal
perspective of the system, as well as programming skills, are used to design test cases.

Partially known environment testing is a combination of known environment testing and unknown
environment testing. The aim of this testing is to search for defects, if any exist, due to improper
structure or improper usage of applications.

Unknown environment testing is a method of software testing that examines the functionality of an
application without peering into its internal structures or workings. This method of testing can be
applied virtually to every level of software testing: unit, integration, system and acceptance.

Vulnerability scans are not exactly penetration tests and usually consist of automated scans for
known vulnerabilities.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35.

Question 13/ 73
You are looking for any additional information about the application you
are testing. Where could you find it?
A RoE documentation
B NDA documentation
C SOW documentation
D WSDL and SDK documentation

Explanation Details
Correct answer: WSDL and SDK documentation

You could look for exposed web services through Web Services Description Language (WSDL)
documents and Software Development Kit (SDK) documentation. Those documents are usually
associated with the development of an application and would contain useful information provided
by the developers.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 41–42.

Question 14/ 73
When developing a remediation plan, which metric is NOT important and can be ignored?
A Public exploits available

B Exposure of the vulnerability

C Criticality of the system and information affected by the vulnerability

D Difficulty of remediating the vulnerability

Explanation Details
Correct answer: Public exploits available

Whether a public exploit exists affects how easily the vulnerability can be exploited, but it is not
normally the deciding factor in remediation planning: a working exploit may exist without ever
being released publicly, so factors such as criticality, exposure and severity carry more weight.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 138–141.

Question 15/ 73
What type of assessment is usually governed by clearly
defined objectives and regulations?
A Compliance-based

B Advanced persistent threat

C Code review

D Black box

Explanation Details
Correct answer: Compliance-based

In some cases, compliance-based assessments can be easier to conduct, as they have clearly stated
objectives defined in regulations or standards. Those objectives are based on industry best practices
and are mandatory for achieving compliance certification.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 33–35, 49–51.
Question 16/ 73
A complete list of targets and services to be tested is usually known as:

A R&R
B RoE
C MSA
D scope

Explanation Details
Correct answer: scope

When determining the list of targets and the limits of the penetration test, this information is
structured and detailed as the scope of the test. The test scope could be a separate document or
part of some other document related to the pentest. Defining the scope is extremely important and
should be done with care.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 32–35.

Question 17/ 73
When preparing for a pentest, one of the main aspects that needs to be well documented is the
purpose of the test. In which document is the test's purpose defined?

A Rules of engagement

B Nondisclosure agreement

C Statement of work

D Master service agreement

Explanation Details
Correct answer: Statement of work

The Statement of Work (SOW) usually contains the following main topics:

- Purpose
- Scope of work
- Location of work
- Period of performance
- Deliverable schedule
- Applicable industry standards
- Acceptance criteria
- Special requirements
- Payment schedule

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 45.

Question 18/ 73
Which document is part of the pentest documentation and
describes the prices of the penetration test?
A Scope

B NDA
C SOW
D RoE

Explanation Details
Correct answer: SOW

The Statement of Work (SOW) is a document that defines what deliverables will be created, the
timeline for the work to be completed, the price of the work and any additional terms and
conditions.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 45–46.

Question 19/ 73
Which of the following statements is TRUE?
A The penetration test is never intrusive and only lists the vulnerabilities found.

B Only external entities could conduct a penetration test.

C The penetration test is limited to the devices and services listed in the scope.
D All penetration testers were malicious threat actors in the past.

Explanation Details
Correct answer: The penetration test is limited to the devices and services listed in the scope.

The scope of the test defines all machines that should be tested, services running on those
machines, and any other details that should be included. Unless a target is specifically listed in the
documented scope, it should not be tested.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 52.

Question 20/ 73
As a penetration tester, you are hired by a company to perform a penetration test at their
location, which is in a country that is on the US government's list of places where export of
encryption technology is restricted. In your bag of tools and software, you have encryption tools
that fall under this US export restriction of encryption technology. What should you do?

A You have legally bought the tools/software; this restriction does not concern you

B Transfer the tools to Canada over the internet

C Leave behind all restricted tools/software and travel without them

D Perform the tests remotely to avoid breaching the restrictions

Explanation Details
Correct answer: Leave behind all restricted tools/software and travel without them

Penetration testers need to be aware of the export restrictions of their country and abide by them.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 48.

Question 21/ 73

While conducting a penetration test, you notice that your scans reveal new hosts
on the targeted network. Those hosts are not listed in the initial scope document
and were only revealed through extensive testing. What sort of scenario has
developed?
A Contract breach
B Scope increase
C Scope creep
D Technical constraint bypass

Explanation Details

Correct answer: Scope creep

Scope creep occurs during a pentest when additional tasks or testing activities are added to
the project and exceed the original expectations documented in the statement of work. This
can negatively affect the overall schedule or delivery of the final pentest report.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 41.
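Questions 16, 19 and 21 all come down to the same operational rule: only targets listed in the documented scope may be tested, and anything discovered outside it is reported back as potential scope creep rather than attacked. The following is an added example, not code from the study guide, of a small scope checker a tester can run over newly discovered hosts before touching them. The scope file format (one CIDR or hostname per line, `!` prefix for an RoE exclusion), the `Scope` and `triage` names, and every address and hostname are constructed for illustration.

```python
# Added example: check discovered hosts against the documented scope before testing them.
# The scope-file format, all CIDRs and all hostnames below are constructed, not from the guide.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """In-scope networks and hostnames, plus explicit exclusions from the RoE."""
    networks: list = field(default_factory=list)   # ipaddress network objects
    hostnames: set = field(default_factory=set)    # exact in-scope hostnames (lower-case)
    excluded: list = field(default_factory=list)   # networks that must never be touched

    @classmethod
    def from_text(cls, text: str) -> "Scope":
        scope = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
            if not line:
                continue
            exclude = line.startswith("!")           # "!" marks an RoE exclusion
            target = line[1:].strip() if exclude else line
            try:
                net = ipaddress.ip_network(target, strict=False)
            except ValueError:
                scope.hostnames.add(target.lower())   # not an IP/CIDR: treat as a hostname
                continue
            (scope.excluded if exclude else scope.networks).append(net)
        return scope

    def contains(self, target: str) -> bool:
        """True only if the target is inside an in-scope network (or hostname list)
        and not inside any exclusion. Exclusions win over inclusions."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return target.lower() in self.hostnames
        if any(addr in net for net in self.excluded):
            return False
        return any(addr in net for net in self.networks)


def triage(scope: Scope, discovered) -> dict:
    """Split discovered targets into those that may be tested and those that must be
    raised with the client as potential scope creep (never tested on the tester's own initiative)."""
    result = {"in_scope": [], "out_of_scope": []}
    for target in discovered:
        result["in_scope" if scope.contains(target) else "out_of_scope"].append(target)
    return result


# Constructed scope document for the example.
SCOPE_TEXT = """
10.10.0.0/24          # corporate DMZ
10.10.5.0/24          # staging network
!10.10.5.250/32       # excluded by RoE: production backup server
portal.example.test   # named web host
"""

# Constructed list of hosts "revealed" during scanning.
DISCOVERED = ["10.10.0.15", "10.10.5.250", "10.10.7.3",
              "portal.example.test", "mail.example.test"]

if __name__ == "__main__":
    scope = Scope.from_text(SCOPE_TEXT)
    for bucket, hosts in triage(scope, DISCOVERED).items():
        print(bucket, hosts)
```

Exclusions are checked before inclusions so that a `/32` carved out of an in-scope `/24` is honoured; the out-of-scope bucket is what goes into the client communication, not into the next scan.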

Question 22/ 73

What sort of assessment would REQUIRE the testing of limited network access and
limited storage access for a host?
A A white hat pentest
B A black hat pentest
C A compliance-driven assessment
D A network pentest
Explanation Details

Correct answer: A compliance-driven assessment

Testing of limited network access and limited storage access are usually required by a
compliance assessment. For example, a PCI (Payment Card Industry) assessment would
require the host that handles card transactions to be isolated from the regular network.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 33–35, 49–52.

Question 23/ 73

A useful tool maintained by MITRE is the ATT&CK database, a knowledgebase of
adversary tactics and techniques. Which of the following is NOT a tactic listed in
the ATT&CK Matrix for Enterprise?
A Exploitation
B Exfiltration
C Privilege Escalation
D Credential Access

Explanation Details

Correct answer: Exploitation

The ATT&CK Matrix for Enterprise includes the following tactics: Reconnaissance, Resource
Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
Credential Access, Discovery, Lateral Movement, Collection, Command and Control,
Exfiltration, and Impact.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 44.


Question 24/ 73

Through threat modeling, the client determines that their main concern is
persistent attackers using complex attacking techniques and models. Which sort of
threat actor is the organization MOST worried about?
A Insider threat
B Pentester
C APT
D Hacktivist

Explanation Details

Correct answer: APT

The Advanced Persistent Threat (APT) is a type of threat actor motivated to steal sensitive
information from high-profile targets using sophisticated hacking capabilities.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 36–37.

Question 25/ 73

For what sort of pentest is the sample application request documentation usually
helpful?
A PCI assessments
B Vulnerability scanning
C Network pentests
D Web-based pentests

Explanation Details

Correct answer: Web-based pentests

Things like sample application requests are usually part of a web application development
and would be helpful in a web-based pentest. An example of a sample request could be a
list of API calls compiled by developers.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 41–42.


Question 26/ 73

An organization involved in online payment processing and storing of billing
information should consider which of the following?
A FISMA assessment
B PCI Data Security Standard (DSS) assessment
C ISO 27001 compliance assessment
D HIPAA compliance assessment

Explanation Details

Correct answer: PCI Data Security Standard (DSS) assessment

Companies dealing with billing and processing payments, as well as those storing payment
information, are obliged to comply with the PCI Security Standards. This compliance is
assessed with a Payment Card Industry (PCI) Data Security Standard (DSS) assessment.
For merchants and service providers at the levels that require an on-site assessment, it is
conducted by a PCI Qualified Security Assessor (QSA); lower levels self-assess.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 49–50.

Question 27/ 73

Kenji is involved in a pentest, and the client would like to add his IP address to the
IPS allow list. What sort of engagement will it LIKELY be?
A APT
B Known environment
C Partially known environment
D Red team
Explanation Details

Correct answer: Known environment

Usually, in a known environment engagement, the pentester is allowed through the firewall
and other preventive measures.

Reference:
CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35–37.

Question 28/ 73

Larry is an attacker whose arsenal consists mainly of open-source tools and scripts
found online. What kind of attacker is Larry considered?
A Unauthorized hacker
B Script kiddie
C APT
D Hacktivist

Explanation Details

Correct answer: Script kiddie

In programming and hacking cultures, a script kiddie, skiddie, or skid is an unskilled
individual who uses scripts or programs developed by others to attack computer systems,
networks, and websites. They rely heavily on open-source tools and scripts.

Hacktivism (the individual is known as a hacktivist) is the use of computer-based techniques,
such as hacking, as a form of civil disobedience to promote a political agenda or social
change.

An Advanced Persistent Threat (APT) is a stealthy computer network threat actor which
gains unauthorized access to a computer network and remains undetected for an extended
period.

An unauthorized hacker is a hacker who violates computer security for personal gain or
maliciousness.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 36.

Question 29/ 73

You are performing a penetration test at a retail store that handles credit cards
onsite. Which of the following do you need to consider when performing this test?
A PCI DSS
B FIPS 140-2
C GDPR
D HIPAA

Explanation Details

Correct answer: PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) sets the rules for completing
assessments for credit card processing environments and systems.

The General Data Protection Regulation (GDPR) is a European Union regulation that protects
data and privacy.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law to
protect sensitive patient health information.

FIPS 140-2 is a U.S. government computer security standard used to approve cryptographic
modules.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 49-51.

Question 30/ 73

Your client uses a technology that associates servers with their public keys. What
type of technique is this?
A Pass the hash
B Two-factor authentication
C Certificate pinning
D TLS over TCP

Explanation Details

Correct answer: Certificate pinning
Certificate pinning associates a host with a specific certificate or public key and uses that
association, rather than (or in addition to) ordinary CA chain validation, to make the trust
decision. If the key the host presents no longer matches the pin, the connection is rejected.
SSH host-key verification through the known_hosts file is an analogous mechanism: the client
records a host's key on first use and refuses to connect if the key later changes.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 42–43.
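The known_hosts mechanism mentioned above is the simplest form of pinning to show in working code. The following is an added example, not code from the study guide or from OpenSSH, of trust-on-first-use host-key pinning: a host's key fingerprint is stored the first time it is seen, a matching key is accepted afterwards, and a changed key is refused. The fingerprint format (`SHA256:` followed by unpadded base64 of the SHA-256 digest) is the one `ssh-keygen -l` prints; the key blobs, the hostnames and the `KnownHosts`/`KeyChanged` names are constructed for illustration and are not real SSH keys.

```python
# Added example: trust-on-first-use host-key pinning in the style of OpenSSH known_hosts.
# Key blobs and hostnames are constructed; the fingerprint format matches ssh-keygen -l.
import base64
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """SHA256:<base64 without padding> over the raw key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyChanged(Exception):
    """Raised when a host presents a key that does not match its pin."""


class KnownHosts:
    """Pins keyed by (host, key type). Parses 'host keytype base64blob' lines."""

    def __init__(self, text: str = ""):
        self.pins = {}   # (host, keytype) -> fingerprint string
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            host, keytype, b64 = line.split()[:3]
            self.pins[(host, keytype)] = fingerprint(base64.b64decode(b64))

    def verify(self, host: str, keytype: str, key_blob: bytes, tofu: bool = True) -> str:
        """Return 'ok' if the presented key matches the pin, 'pinned' if this is the first
        contact and trust-on-first-use is allowed; raise KeyChanged otherwise.
        With tofu=False an unknown host is refused, which is strict pinning."""
        seen = fingerprint(key_blob)
        pinned = self.pins.get((host, keytype))
        if pinned is None:
            if not tofu:
                raise KeyChanged(f"{host}: no pinned {keytype} key and TOFU is disabled")
            self.pins[(host, keytype)] = seen
            return "pinned"
        if pinned != seen:
            # This is the "host is no longer trusted" case: do not connect, do not re-pin.
            raise KeyChanged(f"{host}: pinned {pinned}, server presented {seen}")
        return "ok"


# Constructed stand-ins for server key blobs (not real SSH keys).
KEY_A = bytes(range(64))
KEY_B = bytes(range(64, 128))

# Constructed known_hosts content pinning KEY_A for one host.
KNOWN_HOSTS_TEXT = "git.example.test ssh-ed25519 " + base64.b64encode(KEY_A).decode()

if __name__ == "__main__":
    kh = KnownHosts(KNOWN_HOSTS_TEXT)
    print(kh.verify("git.example.test", "ssh-ed25519", KEY_A))   # ok
    try:
        kh.verify("git.example.test", "ssh-ed25519", KEY_B)
    except KeyChanged as e:
        print("refused:", e)
```

The refusal path is the whole point of pinning: a key change is treated as a possible man-in-the-middle, not as something to silently accept, and re-pinning requires an out-of-band decision.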

Question 31/ 73

What is the difference between an allow list and a blocklist?


A An allow list is used in firewalls and a blocklist is used in IDS.
B From an IT security perspective, they are the same.
C An allow list only blocks a specific list of items and allows everything else; a blocklist only
allows a specific item and blocks everything else.
D An allow list only allows a specific list of accepted items and blocks everything else; a
blocklist only blocks a specific item and allows everything else.

Explanation Details

Correct answer: An allow list only allows a specific list of accepted items and blocks
everything else; a blocklist only blocks a specific item and allows everything else.

An allow list only allows a specific list of accepted items and blocks everything else. A
blocklist only blocks a specific item and allows everything else. For example, in relation to
firewalls, when you put a short list of ports on an allow list, it means that all ports are closed
and only those in the allow list are open. In blocklisting, a specific list of "known bad"
characters is created, and the web application firewall will block all requests containing the
characters in the blocklist and allow everything else.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 55.

Question 32/ 73

A penetration test in which the tester is provided with a network topology schema
prior to the test, but no other insider information, is considered a:
A Red team assessment
B Partially known environment test
C Known environment test
D Unknown environment test

Explanation Details

Correct answer: Partially known environment test

Partially known environment testing is a combination of known environment testing and
unknown environment testing. The aim of this testing is to search for the defects, if any, due
to improper structure or improper usage of applications. The attacker would have limited
knowledge of the targeted environment. Being provided with network topology could help
the attacker, but at the same time it does not reveal too much of the infrastructure. Partially
known environment testing gives the ability to test both sides of an application,
presentation layer as well as the code part.

Unknown environment testing is a method of software testing that examines the
functionality of an application without peering into its internal structures or workings. This
method of test can be applied virtually to every level of software testing: unit, integration,
system and acceptance.

Known environment testing is a method of software testing that tests internal structures or
workings of an application, as opposed to its functionality. In known environment testing, an
internal perspective of the system, as well as programming skills, are used to design test
cases. Known environment tests allow the pentester to have insider information that could
aid the test process. Such information could include network firewall policies, security
patches, etc.

A red team assessment is similar to a penetration test in many ways but is more targeted.
The goal of the red team assessment is not to find as many vulnerabilities as possible. The
goal is to test the organization's detection and response capabilities. The red team will try to
get in and access sensitive information in any way possible, as quietly as possible. The red
team assessment emulates a malicious actor targeting attacks and looking to avoid
detection, similar to an advanced persistent threat (APT).

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35–37.


Question 33/ 73

Your client needs you to verify the successful implementation of limited network
access and limited storage access for part of their environment. What sort of
assessment would that be?
A Compliance-driven assessment
B Black box assessment
C Red team assessment
D Vulnerability scanning

Explanation Details

Correct answer: Compliance-driven assessment

Limited network access and limited storage access are common conditions in PCI
compliance, for example. This usually applies to specific systems involved in transactions
processing to other specific services.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35.

Question 34/ 73

Of the following, which is a European Union regulation that protects data and
privacy?
A GLBA
B PCI DSS
C SOX
D GDPR

Explanation Details

Correct answer: GDPR

The General Data Protection Regulation (GDPR) is a European Union regulation that protects
data and privacy. GDPR was adopted in 2016 and has applied since 25 May 2018.

PCI DSS, the Payment Card Industry Data Security Standard, is used for environments that
process payment card information.
The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions handle the personal
information of individuals.

SOX, the Sarbanes-Oxley Act, is a U.S. federal law that sets standards for U.S public company
boards, management, and accounting firms.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 49-51.

Question 35/ 73

When performing an on-site pentest including Wi-Fi access points, what needs to
be clearly defined in the pentest's scope?
A Number of clients for each AP
B Physical location of the APs being tested
C Wi-Fi channels of the APs being tested
D SSID of the APs being tested

Explanation Details

Correct answer: SSID of the APs being tested

When conducting on-site pentests involving Wi-Fi Access Points (APs), it is important to
have a clear understanding which APs are in the scope of the test. This will help you exclude
potential out-of-scope or third-party APs.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 40.

Question 36/ 73

Mechanisms like an allow list and a blocklist can be used on which of the
following?
A Malware and Trojan horses
B Man-in-the-middle tools and sniffing tools
C Firewall, IPS and IDS
D Vulnerability scanners and host discovery services
Explanation Details

Correct answer: Firewall, IPS and IDS

In computer security, an allow list and a blocklist are basic access control mechanisms that
can be implemented in network firewalls, IDS/IPS, spam filters, web application firewalls
(WAFs), etc. An allow list denies everything except the members of the list. A blocklist is the
opposite: it allows everything except the members of the list.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 42, 315.
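Questions 31 and 36 describe the two mechanisms in words; the practical difference shows up as soon as input arrives in a form the blocklist author did not anticipate. The following is an added example, not code from the study guide, that applies a character blocklist and a pattern allow list to the same constructed inputs, including a URL-encoded payload that passes the blocklist because the "known bad" characters only appear after the backend decodes it. The blocked characters, the `ALLOWED_USERNAME` pattern, the firewall-style `port_allowed` helper and all sample values are assumptions made for illustration.

```python
# Added example: blocklist vs allow-list input filtering on the same constructed inputs.
# The blocked characters, the allow-list pattern and the samples are assumptions, not from the guide.
import re
from urllib.parse import unquote

# Blocklist: a "known bad" character set, as a naive WAF rule might define it.
BLOCKED_CHARS = set("<>'\";")

# Allow list: the only shape a username is ever expected to take.
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def blocklist_allows(value: str) -> bool:
    """Reject only if a blocked character is present; allow everything else."""
    return not any(ch in BLOCKED_CHARS for ch in value)


def allowlist_allows(value: str) -> bool:
    """Accept only values matching the expected shape; reject everything else."""
    return ALLOWED_USERNAME.fullmatch(value) is not None


def evaluate(raw_value: str) -> dict:
    """Decision of each filter on the raw request value, plus what the backend sees after
    it URL-decodes the value. blocklist_missed_payload is True when the blocklist passed
    the raw value but would have rejected the decoded one, i.e. an encoding bypass."""
    decoded = unquote(raw_value)
    raw_ok = blocklist_allows(raw_value)
    return {
        "raw": raw_value,
        "backend_sees": decoded,
        "blocklist": raw_ok,
        "allowlist": allowlist_allows(raw_value),
        "blocklist_missed_payload": raw_ok and not blocklist_allows(decoded),
    }


def port_allowed(port: int, allow_list=(22, 443)) -> bool:
    """Firewall-style port allow list: every port is closed except those listed."""
    return port in allow_list


# Constructed sample values as they might arrive in a request parameter.
SAMPLES = ["alice", "al<script>", "al%3Cscript%3E", "al;ls"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample))
    for port in (22, 443, 8080):
        print(port, "open" if port_allowed(port) else "closed")
```

The blocklist has to enumerate every bad variant (raw, URL-encoded, double-encoded, Unicode look-alikes) and loses as soon as one is missed; the allow list only has to describe the good shape, so `al%3Cscript%3E` is rejected without anyone having thought about percent-encoding.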

Question 37/ 73

When planning a penetration test, the client informs the testing company of a
specific type of data that falls under national export restrictions. What does that
mean for the penetration testers?

A It means that a nondisclosure agreement should be signed.


B It means the data is a high-value target.
C It prohibits the testing company from exporting this data to restricted countries.
D It means this data is outside of the pentest's scope.

Explanation Details

Correct answer: It prohibits the testing company from exporting this data to restricted
countries

Export restrictions apply to services, technology, or data. National export restrictions would
mean that the given services, data, or technology should not leave the country.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 47–49.


Question 38/ 73

You are assessing an organization's key management system and policies. The
organization has delegated this responsibility to a cloud provider. In this case, how
should you proceed with the assessment?

A Research the cloud provider, but do not contact it directly


B There is no need to review the client's key management system if it's delegated or
outsourced
C Examine the cloud provider and its key management policies and procedures
D The cloud provider is out of your scope and should not be reviewed

Explanation Details

Correct answer: Examine the cloud provider and its key management policies and
procedures

In some cases, cloud providers are already certified with the necessary compliance for key
management services. They could easily provide documentation to support it. If the cloud
provider is not compliant with the specific requirements, the assessment should be
extended to the cloud provider's key management policies and procedures.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 47.

Question 39/ 73

You are hiring an external pentesting company to conduct a penetration test. You
are concerned that in case of successful exploitation, they will gain access to
internal information that should be considered confidential. What can you do to
make sure that the penetration testing company does NOT disclose this
information?

A Ask the pentesting company to not share the information if obtained


B Encrypt the data, so that even if hacked, it will not be readable
C Ask the pentesting company to sign an NDA
D Hide this information from your servers

Explanation Details
Correct answer: Ask the pentesting company to sign an NDA

A Non-Disclosure Agreement (NDA) is an agreement that legally obliges the parties involved
to not disclose any information obtained during the penetration test.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 45–47.

Question 40/ 73

You are in the middle of a pentest engagement when one of the hosts you are
testing suddenly goes offline. What can you do to remediate the issue?

A Look for support contacts on the official client website
B Call the client CEO to inform them of the issue
C Contact the appropriate support based on the predefined escalation path
D Note the issue in the report and keep testing other targets

Explanation Details

Correct answer: Contact the appropriate support based on the predefined escalation path

The escalation path is a pre-engagement document to be used in case an issue arises during
the engagement. This escalation path usually contains contact details for appropriate
support teams.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 38–39.

Question 41/ 73

Anna is about to conduct a pentest. The client has informed her that a large
percentage of their services are hosted in an AWS cloud. What requirement would
have to be fulfilled before Anna proceeds with the test?

A A third-party provider authorization
B A new pentest agreement with the third-party provider
C The pentest should be declined due to the third party
D An NDA with the third-party provider

Explanation Details

Correct answer: A third-party provider authorization

In cases where a third-party provider is involved, additional authorization would be required
by that particular provider.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 47.

Question 42/ 73

When gathering information about a specific domain, which two tools would a
penetration tester use?
A theharvester, msfconsole
B nslookup, msfconsole
C nslookup, CeWL
D theharvester, nslookup

Explanation Details

Correct answer: theharvester, nslookup

theHarvester and nslookup are two easy-to-use and very helpful tools for interrogating
DNS servers.

theHarvester is a tool for gathering email accounts, subdomain names, virtual hosts, open
ports/banners, and employee names from different public sources (search engines, PGP key
servers).

nslookup is a network administration command-line tool available in many computer
operating systems for querying the Domain Name System to obtain domain name to IP
address mappings, or other DNS records. The name "nslookup" means "name server lookup".

The msfconsole is probably the most popular interface to the Metasploit Framework (MSF).
It provides an "all-in-one" centralized console and gives you efficient access to virtually all
of the options available in the MSF.

CeWL is a Ruby application that spiders a given URL to a specified depth, optionally following
external links, and returns a list of words that can then be used by password crackers.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 19.

Question 43/ 73

During a pentest discussion, it becomes clear that the client wants to specifically
test if the penetration tester could gain access to one particular domain controller.
What type of assessment does this client want?
A Compliance-based assessment
B Goal-based assessment
C Red team assessment
D The client wants to perform all of these assessments

Explanation Details

Correct answer: Goal-based assessment

Goal-based or objective-based assessments usually provide general instruction for a given
scenario, for example, obtaining administrative access to a specific server.

Compliance-based assessments audit an organization’s ability to follow and implement a
given set of security standards within an environment. Red team assessment, or red
teaming, evaluates how well an organization would fare given a scenario of a real-world
attack.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35.


Question 44/ 73

What sort of compliance-based assessment would come into play for systems that
are covered in the compliance assessment but are maintained separately from the
other elements of the organizational infrastructure?
A User access compliance assessment
B Data isolation compliance assessment
C Key management compliance assessment
D Password policy compliance assessment

Explanation Details

Correct answer: Data isolation compliance assessment

Understanding how the data isolation design fits in the context of the organization's
infrastructure is crucial. Data isolation is also an important concept to understand when
dealing with third-party service providers.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 33.

Question 45/ 73

The group of stakeholders usually involved in the penetration test discussions
includes executive management, security personnel, the IT department,
pentesters, and:
A a Microsoft representative
B the legal department
C a company sales representative
D a local law enforcement representative

Explanation Details

Correct answer: the legal department

Legal representation may be necessary to ensure that legal and contractual commitments
are upheld by all parties involved in the engagement. The group of stakeholders usually
involved in the penetration test discussions includes executive management, security
personnel, the IT department, pentesters, and the legal department.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 45–48.

Question 46/ 73

Which of the following subjects is NOT typically part of the Statement of Work
(SOW)?
A Payment schedule
B Location of work
C Scope of work
D Non-disclosure agreement

Explanation Details

Correct answer: Non-disclosure agreement

A Statement of Work (SOW) is a key document for your penetration testing project. If you
are at the stage of executing an SOW, it should mean that you have completed your vetting
process and will be locking in your penetration testing vendor.

Key items in a penetration testing SOW:

- Scope
- Deliverables
- Price
- Completion date
- Location of work
- Payment schedule

A Non-Disclosure Agreement (NDA) is typically a separate document and only covers the
confidentiality of the information owned by the organization.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 46.


Question 47/ 73

Which of the following helps organizations ensure the safe handling of cardholder
information at every step?
A OWASP Wiki page
B CWE Database
C PCI Security Standards Council® Document Library
D Exploit DB website

Explanation Details

Correct answer: PCI Security Standards Council® Document Library

A merchant of any size accepting credit cards must be in compliance with the PCI Security
Standards Council®. The PCI Security Standards Council® Document Library includes a
framework of specifications, tools, measurements, and support resources to help
organizations ensure the safe handling of cardholder information at every step.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 33–34.

Question 48/ 73

Your client was hacked just one month following a penetration test you conducted.
It is a vulnerability newly presented due to a software update. How can you BEST
ensure that you are NOT held liable for this breach?
A Apologize for not being able to detect the vulnerability earlier
B Do nothing — once a penetration test is completed, pentesters cannot be held liable for
any breaches
C Include disclaimers in the agreement and final report
D Inform the client that you are not accountable for third-party breaches

Explanation Details

Correct answer: Include disclaimers in the agreement and final report

Usually, disclaimers are used in the testing agreement and the final report. Such disclaimers
state that the list of vulnerabilities and findings is presenting the current security state of
the environment and is only valid for the point in time when it was conducted.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 38–39.

Question 49/ 73

Which of the following types of engagement is CLOSEST to a real-world scenario?

A Red team engagement
B Grey box engagement
C White box engagement
D Black box engagement

Explanation Details

Correct answer: Red team engagement

Red team assessment involves stealth and blended methodologies (i.e., network
penetration testing and social engineering) to conduct scenarios of real-world attacks and
determine how well an organization would fare with the use of the customer’s existing
counter-defense and detection capabilities.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35.

Question 50/ 73

Which of the following are at the bottom of the adversary tier, being the MOST
motivated and well-prepared?
A Hackers
B Professional unauthorized hackers
C Script kiddies
D APTs

Explanation Details

Correct answer: APTs

APTs (advanced persistent threats) are the most motivated and well-prepared threat actors
and are therefore at the bottom of the adversary tier.

Professional unauthorized hackers are in the middle of the adversary tier.

Script kiddies are at the top of the adversary tier, as they are less prepared and skilled.

Hackers are not in the adversary tier.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 36–37.

Question 51/ 73

You are involved in a pentest. The client would like to pay for the test using
milestones.

Which document should be used to specify the payment schedule?

A Nondisclosure agreement
B Master service agreement
C Rules of engagement
D Master payment agreement

Explanation Details

Correct answer: Master service agreement

The master service agreement (MSA) documents the following topics:

- Payment terms
- Product warranties
- Intellectual property ownership
- Dispute resolution
- Allocation of risk
- Indemnification

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 46.


Question 52/ 73

What method is used to objectively identify, quantify and address the risk
associated with an organization's IT infrastructure?
A Vulnerability scanning
B Asset management
C Red teaming
D Threat modeling

Explanation Details

Correct answer: Threat modeling

Threat modeling is a complex process that takes a structured approach to identify, quantify,
and address the risks associated with an organization’s information system. It involves
activities such as identifying assets, getting an overview of the architecture, decomposing
the application, and identifying the threats.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 34, 45.

Question 53/ 73

Would it make any difference if the machines you were targeting for your client's
pentest were hosted by another entity?
A This is for the client to determine; all you need is your client's approval
B As long as the assets belong to your client, it does not matter where they are hosted
C Only if the assets were hosted in specific places that would require notification or
authorization
D In many cases, you would need formal approval from the hosting company or the cloud
provider

Explanation Details

Correct answer: In many cases, you would need formal approval from the hosting company
or the cloud provider

If the targets are hosted in a third-party environment, such as a Cloud Service Provider
(CSP), testing is not only subject to the company’s policies, it is also subject to the third
party’s acceptable use policies. For instance, Amazon Web Services (AWS) requires that
tenants submit pentesting request forms to receive authorization prior to penetration
testing to or from any AWS resource.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 37–40, 47.

Question 54/ 73

What type of assessment is a password policy assessment?

A Black box
B Red team
C Compliance-based
D White box

Explanation Details

Correct answer: Compliance-based

Compliance-based assessments usually verify the company's ability to enforce specific
security policies, for example, minimum password strength or minimum encryption strength
on data in transit or at rest.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35.

Question 55/ 73

Who should be signing the contractual agreement between two entities defining a
pentest engagement?
A Client's CEO
B Project managers from both sites
C Client's security officer
D Appropriate signing authority from the client site

Explanation Details

Correct answer: Appropriate signing authority from the client site

Contracts are mutual agreements that are enforceable by law and require an authorized
representative from each party (i.e., contract signing authority) to sign the contract.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 47.

Question 56/ 73

Mia is tasked with a pentest. One of her objectives is to attack the company supply
chain. During the OSINT phase, Mia is able to identify third-party resources
involved in the supply chain. Those resources are not listed in her scope of testing,
but they are part of the supply chain and therefore part of her objectives. How
should Mia handle the third-party resources?
A She should only test in-scope resources and completely exclude any other assets from
testing.
B She should contact her client and ask for permission to test the third-party resources.
C If the supply chain is in the objectives, then Mia should test everything related to it.
D She should test the third-party resources as long as the tests are not intrusive.

Explanation Details

Correct answer: She should only test in-scope resources and completely exclude any other
assets from testing.

Third-party assets or resources are owned by another company. Unless explicitly approved
by that company, Mia should not attack them. There needs to be a written statement from
the third party that such tests are approved.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 39–42, 47.

Question 57/ 73

What sort of a pentest is Zach conducting that includes the following specific
requirements?

- Password complexity policy
- Encryption algorithm complexity
- Data encryption in transit and at rest

A An insider threat
B A red team engagement
C An advanced persistent threat
D A compliance-based pentest

Explanation Details

Correct answer: A compliance-based pentest

Compliance-based assessments audit an organization’s ability to implement and follow a
given set of security standards within an environment.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 33–35, 49–51.

Question 58/ 73

A client contacts you three months after the completion of a pentest. They have
been hacked through a vulnerability not listed in your report and are asking for an
explanation. What should you do?
A Accept the responsibility and cover the losses
B Refer the client to your legal team
C Refer the client to the pentest report disclaimers
D Conduct a security analysis to verify the initial attack vector

Explanation Details

Correct answer: Refer the client to the pentest report disclaimers

The testing agreement or scope documentation should contain disclaimers explaining that
the test is valid only at the point in time when it is conducted and that the scope and
methodology that were chosen can impact the comprehensiveness of the test.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 36–39.

Question 59/ 73

How would you classify the following special requirement from a client during the
planning of a pentest? They would like to exclude a network segment that contains
devices with an older OS version that is known to be unstable.
A This is a strategy requirement.
B This is a technical constraint.
C This is a scope change.
D This is a methodology change.

Explanation Details

Correct answer: This is a technical constraint.

The situation is a typical technical constraint and should be discussed when planning the
pentest. It does not affect the pentest's strategy or its methodology. The scope of the test is
not changed either, as it is not yet defined.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 37.

Question 60/ 73

What sort of test would involve adding the pentesters to an allow list on firewalls and
IDS/IPS devices so that they have unrestricted access to the client's environment?
A Partially known environment
B Object-based
C Unknown environment
D Known environment

Explanation Details

Correct answer: Known environment

Sometimes in known environment pentests, the pentesters are allowed through the firewall
and other preventive measures in order to save time and increase the accuracy of the test.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35.

Question 61/ 73

Company A and Company B are merging. What might happen if you conducted a
pre-merger pentest of company A?
A Pentesters might have to request formal approval from company B for the pentest.
B The companies will merge only if the pentest does not find any critical vulnerabilities.
C Company B might ask for a similar pentest against their environment.
D Company B may have a vested interest in how the company’s assets and best interests are
being protected.

Explanation Details

Correct answer: Company B may have a vested interest in how the company’s assets and
best interests are being protected

There is a high probability that company B would inherit the weaknesses of company A
when both environments are merged. Any potential vulnerability in the environment of
company A could impact the environment of company B, as they would eventually be
interconnected.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 46–48.

Question 62/ 73

In what document might you find the expectations for the penetration tester such
as availability, reliability, and quality of service?
A NDA
B Non-compete
C SLA
D CA

Explanation Details

Correct answer: SLA

A service level agreement (SLA) sets expectations for services, including things such as
availability, reliability, and quality of service. Although SLAs are most often associated with
service providers, SLAs may also be used for pentesters as part of their contract.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 46–47.

Question 63/ 73

Before beginning work with a new client, you were asked to sign a legal document
stating that all of the information discovered during the penetration test is kept
confidential. What type of document is this?
A Non-compete
B RoE
C SLA
D NDA

Explanation Details

Correct answer: NDA

Penetration testers are often asked to sign non-disclosure agreements (NDA), legal
documents that enforce confidentiality between two parties. NDAs outline what
information is considered confidential, how long the agreement lasts, and how confidential
information should be handled.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 46–47.


Question 64/ 73

Martin works in the IT department of a big company. He has access to the file
server used by the HR department and has installed a backdoor in order to access
the server remotely from his home. He has been downloading sensitive documents
from this server to his personal machine for weeks. What kind of a threat actor is
Martin?
A Martin is an insider threat
B Martin acts as an APT attacker
C Martin is a script kiddie
D Martin is a hacktivist

Explanation Details

Correct answer: Martin is an insider threat

Being part of the organization and possessing internal knowledge, Martin is in the position
of an insider, also known as an insider threat. Insider threats are very common and are
considered high risk.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 43.

Question 65/ 73

Which are the three main goals of information security?

A Cryptography, Firewalls, AV
B Confidentiality, Integrity, Availability
C Security, Protection, Transparency
D Disclosure, Alteration, Denial

Explanation Details

Correct answer: Confidentiality, Integrity, Availability

The CIA triad is a model that shows the three main goals needed to achieve information
security. While a wide variety of factors determine the security situation of information
systems and networks, some factors stand out as the most significant. The assumption is
that there are some factors that will always be important in information security. These
factors are the goals of the CIA triad, as follows:

1. Confidentiality — preventing unauthorized access to information or systems
2. Integrity — preventing unauthorized changes and modifications of information or
systems
3. Availability — ensuring that use of or access to systems and information remains possible

Confidentiality, integrity and availability are the most basic concepts of information security.
These concepts in the CIA triad must always be part of the core objectives of information
security efforts.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 2.

Question 66/ 73

When defining scope, you need to consider the difference between "third-party
assets" and "third-party hosted assets." What is the difference?
A Third-party assets belong to another company, and third-party hosted assets belong to the
client's company but are hosted on another's resources
B Third-party assets are located on a third-party resource, and third-party hosted assets are
owned by a third-party company
C Both third-party assets and third-party hosted assets belong to a third-party company
D They are essentially the same thing, but the third-party hosted assets are simply hosted
online

Explanation Details

Correct answer: Third-party assets belong to another company, and third-party hosted
assets belong to the client's company but are hosted on another's resources

When defining the scope of a pentest, it is very important to be able to distinguish between
assets owned by the client and those owned by a third party.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 96.


Question 67/ 73

During the scoping process, which of the following should be considered?

A Whether targets are on-site or off-site
B The security officer's working hours
C What AV vendor is used by the organization
D The network equipment vendor

Explanation Details

Correct answer: Whether targets are on-site or off-site

Detailed scoping begins by determining the acceptable targets: Are they internally or
externally hosted; are they on-site or off-site?

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 39.

Question 68/ 73

Which type of assessment involves stealth and blended methodologies for
developing real-world scenarios of attack?
A Hybrid
B Vulnerability scanning
C Red team
D Black box

Explanation Details

Correct answer: Red team

Red team assessment involves stealth and blended methodologies (i.e., network
penetration testing and social engineering) to conduct scenarios of real-world attacks and
determine how well an organization would fare with the use of the customer’s existing
counter-defense and detection capabilities (i.e., what an attacker could do with a certain
level of access).

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 35.


Question 69/ 73

Which very important topic needs to be discussed during the scoping of a pentest
that would determine the aggressiveness of the test and the depth of exploitation?
A Goals of the test
B Tolerance for the impact
C High-value targets
D Physical targets

Explanation Details

Correct answer: Tolerance for the impact

Gauging a company's tolerance for the impact involves estimating how much of an impact
the company could endure during the test. Scoping also addresses an organization's risk
acceptance and tolerance for potential damage.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 40–41.

Question 70/ 73

Select which two tools are used during the reconnaissance phase of a pentest.
A Sqlmap, Maltego
B Burp, SQLmap
C Shodan, aircrack-ng
D Maltego, Shodan

Explanation Details

Correct answer: Maltego, Shodan

Maltego is a very powerful tool for collecting reconnaissance data and identifying
connections between objects of interest. Shodan is a search engine specialized in
identifying hardware appliances and servers along with their running services and software
versions. Shodan is very helpful when performing reconnaissance against internet-facing
targets.

Burp is a local proxy tool, heavily used when performing web penetration tests. Sqlmap is a
Python-based tool focused on SQL injection attacks. Aircrack-ng is a tool used for Wi-Fi
penetration testing.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 18–20.

Question 71/ 73

Scheduling and timelines are usually determined and detailed in which of the
following?
A The pentest report
B The pentest scope
C Non-Disclosure Agreement (NDA)
D The pentest offer

Explanation Details

Correct answer: The pentest scope

The pentest scope usually includes the following:

- Testing requirements
- Target selection
- Scheduling and timelines
- Strategy for testing

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 38–40, 43.

Question 72/ 73

As you are performing a pentest, you are unsure if brute-force tests are allowed. In
which document would you find information regarding pentest constraints?
A RoE
B API
C SOW
D NDA
Explanation Details

Correct answer: RoE

Rules of Engagement (RoE) is a document that deals with the manner in which the
penetration test is to be conducted. Some of the directives that should be clearly spelled out
in RoE before you start the penetration test are as follows:

- The type and scope of testing
- Client contact details
- Client IT team notifications
- Sensitive data handling
- Status meeting and reports

Any constraints regarding the execution of a pentest are usually listed in the Rules of
Engagement (RoE) document under the type and scope of testing.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 37–38.

Question 73/ 73

When targeting the supply chain of a client, what needs to be considered BEFORE
engaging in attacks?
A Only in red team engagement is the supply chain tested.
B The supply chain could be global and involve other countries.
C The supply chain could be behind a firewall.
D There could be third-party providers involved.

Explanation Details

Correct answer: There could be third-party providers involved

The supply chain may include parties outside of the target organization’s control. During the
scoping process, ensure that you know who all the players are going to be, and define
authorized boundaries for the pentest.

Reference:

CompTIA PenTest+ Study Guide: Exam PT0-002, 2nd Edition. Pg 37–41, 47.
