Which of the following statements best reflects industry-recognized legal and ethical practices for conducting a penetration test?
Before any testing begins, the tester and the system owner must have written authorization and a mutually agreed-upon scope, even if some staff are not notified.
Causing intentional service outages is an acceptable and recommended way to reveal the most critical vulnerabilities quickly.
For realism, testers should deliberately avoid documenting their activities during the engagement.
A penetration test is most effective when performed covertly without prior approval or notification to any part of the organization.
Written authorization and a clearly defined scope are mandatory before any penetration test begins. Even when part of the IT staff is kept unaware to measure real-world detection, senior management or the system owner must grant explicit permission, and rules of engagement must be documented in advance. Conducting an unapproved test, omitting documentation, or deliberately causing service outages can violate laws such as the CFAA and breach professional ethics.