9. Reporting and Communication

Ref:📕CompTIA PenTest+ PT0-002 Cert Guide (Certification Guide) 2nd Edition

Press the Start button to begin the practice test.

PenTest+ (PT0-002) Chapter 09. Reporting and Communication

1 / 61

Why is it important to know who your report audience is in the context of pen testing reports?

A. It determines the language and technical jargon used and understood by the intended audience.

B. It helps decide which pen testing tool should be used.

C. It can influence the scheduling of the pen-testing process.

D. It decides whether the report should be printed or not.

2 / 61

What does the term ’Secure Software Development Life Cycle’ refers to in the context of penetration testing reports?

A. The process of adding multiple layers of password complexity to software

B. The process of incorporating security best practices, policies, and technologies to find and remediate vulnerabilities during the SDLC

C. The policies that define how an organization protects its various information systems and assets

D. The strategy to grant access permissions based on specific roles and functions only

3 / 61

Which of the following is not an example of a physical control that can be recommended in a penetration testing report?

A. Video surveillance

B. Access control vestibule

C. Biometric controls

D. Antivirus software

4 / 61

Which of the following sources can provide information on which files need cleanup after exploitation failure during a penetration testing process?

A. Error message from the failed exploit

B. Metasploit documentation

C. Input validation data

D. SQL injection reports

5 / 61

What is the purpose of operational controls in an organization’s strategy?

A. Implementing machine-operated security strategies

B. Ensuring management policies are followed during intermediate-level operations

C. Training machines for security operations

D. Creating policies for senior-level management

6 / 61

Which of the following is an example of a biometric control that can be recommended in a penetration testing report?

A. Access control vestibule

B. Video surveillance

C. Face recognition

D. Door locks

7 / 61

Which of the following is NOT a listed example of a technical control for vulnerabilities found during a pen test?

A. Multifactor authentication

B. Query parameterization

C. User traffic monitoring

D. Network segmentation

8 / 61

Which of the following tools can ingest the results from many penetration testing tools and help you produce reports in formats such as CSV, HTML, and PDF?

A. Nmap

B. Wireshark

C. Metasploit

D. Dradis

9 / 61

What is the purpose of using the Common Vulnerability Scoring System (CVSS) in a penetration testing report?

A. To provide justification for the need of regular system maintenance

B. To calculate a score for the seriousness of a threat and help prioritize the impact of each vulnerability

C. To summarize the executive findings of the penetration test

D. To detail the scope of the network and systems tested during the engagement

10 / 61

Which of the following does a penetration testing report NOT typically include?

A. Methodology used

B. CVE and CVSS scores

C. Business impact analysis

D. Personal opinions and biased statements

11 / 61

Which among the following is not typically a section in a penetration testing report?

A. Executive summary

B. Methodology

C. Project timeline

D. Remediation

12 / 61

Why is it important to analyze the results of your testing and correlate them to the actual environment?

A. It is necessary to do this to produce the report

B. It is necessary to validate the scanner’s findings

C. It helps understand the risk and this understanding should be carefully conveyed in your report

D. It is needed to update the scanner with latest vulnerabilities

13 / 61

What operational control makes users learn new skills and get more exposure to other security technologies and practices?

A. Time-of-day restrictions

B. Job rotation

C. Mandatory vacations

D. User training

14 / 61

Your client might require you to report any critical findings at what time?

A. After the completion of the penetration testing

B. At the time of their discovery

C. During the final report presentation

D. Prior to the start of the testing

15 / 61

Which of the following activities should be performed during the post-engagement cleanup after delivering a penetration testing report to a client?

A. Removing any payload left on the system from the Metasploit framework

B. Restoring the database to a previous state if it contains injected data or malicious scripts from the testing

C. Installing additional tools on the systems under test for future use

D. Leaving tester-created credentials on the systems under test for convenience

16 / 61

Which of the following elements is NOT typically included in a penetration testing report?

A. CVSS scores for each vulnerability

B. Detailed scope of the network and systems tested

C. The client’s budgetary constraints

D. Methodologies used for the testing

17 / 61

Which of the following is not considered an operational control to improve security operations?

A. Job rotation

B. Mandatory vacations

C. Client satisfaction surveys

D. Time-of-day restrictions

18 / 61

Which of the following is NOT typically included in a penetration testing report?

A. Executive summary

B. Legal disclaimers

C. Temporal metric group

D. Methodology

19 / 61

What is an important process to follow as part of post-report delivery activities as a pen tester?

A. Procure new penetration testing software

B. Document client acceptance of your report

C. Ignore retesting requests

D. Hoard client sensitive data for future use

20 / 61

What is an important process to reduce the attack surface and meet industry standards and compliance as mentioned in the text?

A. System hardening

B. Query parameterization

C. Key rotation

D. Password encryption

21 / 61

What information should be included in the findings and recommendations section of a penetration testing report?

A. Only an executive summary in non-technical language

B. Detailed technical details that teams like IT, information security, and development can use

C. An outline of the client’s project budget and timeframe

D. Broad generalizations of the system’s vulnerabilities

22 / 61

What is an important post-report delivery activity for a penetration tester according to the text?

A. Neglect feedback from clients

B. Avoid retesting requested by clients

C. Destroy any client sensitive data as agreed

D. Ignore lessons learned during the penetration testing engagement

23 / 61

Which of the following descriptions accurately portray the administrative control of Role-based Access Control (RBAC) as discussed in the CompTIA PenTest+ (PT0-002) study guide?

A. It is a control based on access permissions granted to roles or functions within an organization.

B. It revolves around password requirements.

C. It is referred to as a software development lifecycle.

D. It defines how an organization protects its information assets.

24 / 61

What term is used to describe a situation when a security device triggers an alarm, although there is no real malicious activity or attack?

A. True positive

B. False positive

C. True negative

D. False negative

25 / 61

Which of the following is NOT typically included in a penetration testing report?

A. Executive summary

B. A glossary of terms

C. Detailed instructions on how to repeat the exploit

D. Methodology

26 / 61

Which of the following is not a type of contact you should have during a penetration testing engagement?

A. Primary contact

B. technical contacts

C. marketing contacts

D. emergency contacts

27 / 61

Which of the following is NOT an example of operational controls that often allow organizations to improve their security operations?

A. Job rotation

B. Time-of-day restrictions

C. Mandatory annual audits

D. User training

28 / 61

Which remediation method involves the process of distributing, installing, and applying software updates?

A. System hardening

B. Multifactor authentication

C. Secrets management solution

D. Patch management

29 / 61

Which of the following is NOT considered as an important post-report delivery activity in a penetration testing engagement?

A. Client acceptance

B. Lessons learned

C. Follow-up actions/retest

D. Data acquisition

30 / 61

According to the text, which of the following should be communicated immediately during a penetration test?

A. The progress of the testing

B. The status of the pre-engagement phase

C. Critical findings

D. Indicators of prior compromise

31 / 61

Which of the following does not belong in a typical penetration testing report?

A. Executive summary

B. User data

C. Methodology

D. Findings

32 / 61

What is included in the post-report delivery activities of penetration testing?

A. Client acceptance, Lessons learned, Follow-up actions/retest, Attestation of findings, Data destruction process

B. Client invoice, Project closure, Post-engagement briefing

C. Data gathering, Attenuation of findings, Defining scope, Client briefing

D. Policy brief, Analysis, Findings report

33 / 61

Which of the following is NOT a recommended technical control that can be implemented as remediation for vulnerabilities found during penetration testing?

A. Multifactor Authentication

B. User Input sanitization and query parameterization

C. Use of unencrypted passwords

D. System Hardening

34 / 61

What is the purpose of job rotation as an operational control in improving security operations?

A. To reduce the workload of employees

B. To allow individuals to learn new skills and get exposure to other security technologies and practices

C. To schedule mandatory vacations for the employees

D. To restrict the access of employees based on the time of the day

35 / 61

In a penetration testing report, which administrative control bases access permissions on specific roles or functions?

A. Role-based access control (RBAC)

B. Secure software development life cycle

C. Minimum password requirements

D. Policies and procedures

36 / 61

How should the contents of a penetration test report generally be considered in regard to classification and distribution?

A. Top secret and distributed to as many relevant parties as possible

B. Public knowledge and distributed only in hard copy

C. Highly classified and distributed on a need-to-know basis

D. Proprietary and distributed both digitally and physically regularly

37 / 61

Which of the following is NOT typically included in a penetration testing report, according to the CompTIA PenTest+ study guide?

A. An executive summary

B. A detailed definition of the scope of the network and systems tested

C. An employee performance review

D. Findings and related technical details

38 / 61

Which of the following is NOT a content that should be included in a penetration testing report?

A. Environmental metric group

B. CVSS Scores

C. Attack narrative

D. Blue team recommendations

39 / 61

What should be included in a penetration testing report?

A. Executive summary and CVSS scores.

B. Only findings of the testing process.

C. Methodology and issue encountered during testing.

D. All of the above.

40 / 61

In role-based access control (RBAC), how are access rights and permissions assigned?

A. Directly to user or group accounts

B. To specific software

C. To specific roles or functions

D. Randomly based on a system algorithm

41 / 61

Which of the following is NOT an example of a physical control that can be recommended in a penetration testing report?

A. Access control vestibule

B. Video surveillance

C. Biometric controls

D. Multi-factor authentication

42 / 61

Which of the following is not a trigger for communicating with the client during a penetration test?

A. Major software updates

B. Critical findings

C. Status reports

D. Indicators of prior compromise

43 / 61

Which of the following is not considered a post-report delivery activity as outlined in the text?

A. Client acceptance

B. Lessons learned

C. Data encryption process

D. Follow-up actions/retest

44 / 61

In the context of post-engagement cleanup after a penetration test, what should you do to minimize residual effects on the systems that have been tested?

A. Restore the database to a previous state

B. Delete all the security measures on the systems

C. Keep the fake data used during the test in the database

D. Stop all the systems’ operations for a certain period

45 / 61

Which of the following is NOT a characteristic of a good cybersecurity policy according to the text?

A. Endorsed

B. Enforceable

C. Detailed technical instructions

D. Adaptable

46 / 61

What is an important step to take after delivering a penetration testing report to a client?

A. Revert the tests and discontinue further analysis

B. Ensure the client or system owner validates that the cleanup efforts are sufficient

C. Delete all the test data and tools

D. Schedule the next penetration testing without consulting the client

47 / 61

Which of the following is NOT a reason for potential scope creep in a penetration testing engagement?

A. poor change management

B. ineffective identification of technical and non-technical elements

C. poor communication among stakeholders

D. lack of testing tools

48 / 61

What can be prevented through the use of parameterized queries and input sanitization?

A. Unauthorized software installation

B. Cross-site scripting and SQL injection

C. Hardware malfunctions

D. Inadequate user training

49 / 61

Which of the following is NOT a circumstance under which a penetration tester should communicate findings to their client?

A. If a critical finding has been discovered

B. If they have located indicators of a previous compromise

C. If the client has asked for regular status reports

D. If a low-risk vulnerability has been discovered

50 / 61

What are some examples of technical controls that can be recommended as mitigations and remediation of the vulnerabilities found during a pen test?

A. System hardening and user input sanitization

B. Multifactor authentication and password encryption

C. Process-level remediation and patch management

D. All of the above

51 / 61

What is a recommended technical control method for reducing vulnerabilities found during a penetration test?

A. Ignoring unused ports

B. Allowing all user input

C. Leaving softwares out of date

D. System hardening

52 / 61

What are some recommended technical controls that can mitigate and remediate the vulnerabilities found during a penetration test?

A. System hardening and input sanitization

B. Multifactor authentication and password encryption

C. Patch management and key rotation

D. All of the above

53 / 61

Which of the following is NOT considered a physical control measure that can be recommended in a penetration testing report?

A. Access control vestibule

B. Biometric controls

C. Video surveillance

D. VPN implementation

54 / 61

What is one of the technical controls recommended as a method of mitigating vulnerabilities found during a pen test?

A. Disabling all user accounts

B. Allowing application systems to have full internet access

C. Implementing multifactor authentication

D. Allowing SQL injections

55 / 61

What is an important activity you must complete after delivering a penetration testing report to a client according to the section ’9. Reporting and Communication’?

A. Initialization of new testing phases

B. Post-Engagement Cleanup

C. Provide additional training to staff

D. Schedule the next penetration testing date

56 / 61

Why is it important to have a clear communication path and channels with your client during a penetration testing engagement?

A. To avoid scope creep

B. To have someone to go to in case of an emergency

C. To keep the client updated about the progress

D. All of the above

57 / 61

What are some of the important post-report delivery activities a pen tester should follow?

A. Client denial, Lessons learned, No follow-up actions

B. Attestation of findings, No lessons learned, Follow-up actions/retest

C. Attestation of findings, No Data destruction process, Client acceptance

D. Client acceptance, Lessons learned, Follow-up actions/retest, Attestation of findings, Data destruction process

58 / 61

What are some causes for scope creep in a penetration testing engagement?

A. Poor change management and ineffective identification of technical and nontechnical elements required for the test

B. Failure to identify the primary contact

C. Absence of technical contacts and emergency contacts

D. Lack of training for emergency procedures

59 / 61

Which of the following is NOT an example of a technical control recommended in the ’Reporting and Communication’ section of a penetration test?

A. System hardening

B. User input sanitization

C. Network segmentation

D. Secure File Transfer Protocol

60 / 61

What are the three metric groups used by CVSS to determine a vulnerability’s score?

A. Base metric group, Temporal metric group, Environmental metric group

B. Attack metric group, Risk metric group, Protocol metric group

C. Vulnerability metric group, Impact metric group, Network metric group

D. Code metric group, Test metric group, System metric group

61 / 61

Which of the following actions is NOT recommended as a technical control to mitigate and remediate vulnerabilities found during a pen test?

A. System hardening

B. Using single-factor authentication

C. Password encryption

D. Patch management

Your score is

Boost Your Skills with Free Anki Flashcards

Click the download button to get the CompTIA Pentest+ Anki deck.

Refine your skills in reporting and communication with our CompTIA PenTest+ Chapter 09 practice questions.

Learn how to effectively document findings, communicate with stakeholders, and ensure compliance.
Supplement your study with our free Anki decks for comprehensive preparation.
Visit CompTIA’s official page for more insights.

Ready for the final chapter? Proceed to Chapter 10: Tools and Code Analysis to complete your PenTest+ certification preparation.

9. Reporting and Communication

Press the Start button to begin the practice test.

Boost Your Skills with Free Anki Flashcards

Explore our other free practice tests:

Related Posts

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.

JOIN OUR

NEWSLETTER

9. Reporting and Communication

Press the Start button to begin the practice test.

Boost Your Skills with Free Anki Flashcards

Explore our other free practice tests:

Related Posts

Hands-onCybersecurity Training in a LIVE SOCwith Enterprise Security ToolsInternships Available.

JOIN OUR

NEWSLETTER

Hands-on
Cybersecurity Training
in a LIVE SOC
with Enterprise Security Tools

Internships Available.