CompTIA PenTest+ Practice Test (PT0-002)
Use the form below to configure your CompTIA PenTest+ Practice Test (PT0-002). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

CompTIA PenTest+ PT0-002 Information
CompTIA PenTest+ (PT0-002) Exam
The CompTIA PenTest+ (PT0-002) certification is designed for cybersecurity professionals who specialize in penetration testing and vulnerability assessment. It validates hands-on skills in planning, conducting, and reporting penetration tests for organizations. This certification is vendor-neutral and focuses on real-world scenarios, making it relevant for security professionals working with various technologies and environments.
Exam Overview
The PT0-002 exam consists of a maximum of 85 questions, including multiple-choice and performance-based questions. Candidates have 165 minutes to complete the test. The exam costs $392 USD. A passing score is 750 on a scale of 100 to 900. The certification is valid for three years and can be renewed through CompTIA’s continuing education program.
Exam Content
The PT0-002 exam covers five main domains: planning and scoping, information gathering and vulnerability scanning, attacks and exploits, reporting and communication, and tools and code analysis. Planning and scoping include engagement rules, compliance, and risk assessment. Information gathering and vulnerability scanning focus on reconnaissance, fingerprinting, and scanning techniques. Attacks and exploits test knowledge of network, web, wireless, and physical attacks. Reporting and communication cover documentation, remediation, and risk communication. Tools and code analysis assess scripting, automation, and exploit development.
Who Should Take This Exam?
The CompTIA PenTest+ certification is ideal for cybersecurity professionals working as penetration testers, security analysts, vulnerability assessment analysts, or red team members. It is recommended for individuals with at least three to four years of hands-on cybersecurity experience. The certification is also useful for IT professionals who want to advance their careers in offensive security.
How to Prepare
Candidates should review the official CompTIA PenTest+ Exam Objectives and study materials provided by CompTIA. Practical experience with penetration testing tools such as Metasploit, Nmap, and Burp Suite is essential. Practice exams can help assess readiness and identify weak areas. Hands-on labs and ethical hacking courses can further strengthen skills.
Summary
The CompTIA PenTest+ (PT0-002) certification is a valuable credential for cybersecurity professionals specializing in penetration testing and vulnerability assessment. It validates hands-on skills in ethical hacking, exploit development, and security testing. This certification is ideal for those pursuing careers in offensive security and ethical hacking.
Scroll down to see your responses and detailed results
Free CompTIA PenTest+ PT0-002 Practice Test
Press start when you are ready, or press Change to modify any settings for the practice test.
- Questions: 15
- Time: Unlimited
- Included Topics:Planning and ScopingInformation Gathering and Vulnerability ScanningAttacks and ExploitsReporting and CommunicationTools and Code Analysis
As a penetration tester, you have uncovered several security flaws within your client's network infrastructure. In order to systematically convey the severity of each finding in your report, you must adhere to an industry-standard risk rating framework. Which of the following would best allow for a consistent and quantitative expression of vulnerability severity that can be understood by both technical and non-technical stakeholders?
- You selected this option
Calculating severity based on the average cost of incidents associated with similar vulnerabilities in the past year
- You selected this option
Relying on the Common Weakness Scoring System (CWSS) to measure the risk level of each weakness without factoring in environmental metrics
- You selected this option
Developing an algorithmic risk matrix that combines asset value, threat capability, and vulnerability severity tailored to the client
- You selected this option
Employing the Common Vulnerability Scoring System (CVSS) to apply a numerical and qualitative severity level to each vulnerability
Answer Description
The Common Vulnerability Scoring System (CVSS) offers a way to rate the severity of vulnerabilities in a standardized manner, providing scores that correspond to a qualitative severity ranking. By applying CVSS, you are able to communicate the severity of vulnerabilities in a uniform way that is independent of proprietary methodologies or the potentially subjective measure of impact to the specific organization. This is the accepted industry practice for reporting severity in penetration testing and is expected knowledge for professionals. Other methods may not provide the standardization needed or could introduce confusion if the stakeholders are not familiar with a custom scoring system.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Common Vulnerability Scoring System (CVSS)?
Why is it important to have a standardized method like CVSS for reporting vulnerabilities?
What are some limitations of other scoring systems, like the Common Weakness Scoring System (CWSS)?
Your penetration testing firm has been contracted to conduct a security assessment of a web application. The client has specified the use of recognized industry standards. As part of your scoping document, you decide to incorporate the OWASP Top 10 to structure the testing methodology. Which of the following best describes the relevance of including the OWASP Top 10 in your scoping document?
- You selected this option
It helps prioritize the focus of the penetration test on common web application vulnerabilities recognized as significant industry-wide.
- You selected this option
It provides a complete list of all possible vulnerabilities in any given web application, ensuring a penetration test will cover every known vulnerability.
- You selected this option
It mandates a mandatory checklist that the client must resolve before a penetration test can be considered valid.
- You selected this option
It sets the legal framework for conducting penetration tests, ensuring compliance with international laws and regulations.
Answer Description
The OWASP Top 10 provides a list of the most critical security risks to web applications, which serves as a standard to guide the testing process towards the most relevant and common vulnerabilities that attackers are likely to exploit. It helps to align the objectives of the penetration test with industry-recognized security risks, ensuring a comprehensive security assessment specifically for web applications. Mentioning OWASP in the scoping document indicates a structured and knowledgeable approach to web application security.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is OWASP and what role does it play in web application security?
How often is the OWASP Top 10 updated, and why is this important?
Can you explain the significance of prioritizing vulnerabilities during a penetration test?
When conducting a security assessment of a web application, you discover that the application fails to properly restrict URL access to a function that should only be accessible to users with administrative privileges. Through this functionality, non-admin users can perform sensitive operations which poses a significant security risk. Based on the OWASP Top 10 list, which vulnerability category does this scenario BEST align with?
- You selected this option
A01:2021-Broken Access Control
- You selected this option
A03:2021-Injection
- You selected this option
A04:2021-Insecure Direct Object References (IDOR)
- You selected this option
A10:2021-Insufficient Logging & Monitoring
Answer Description
The correct answer is 'Broken Access Control', which is a category in the OWASP Top 10 that includes failures in restrictions on what authenticated users are allowed to do. Attackers can exploit these flaws to access unauthorized functionality or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc. 'A04:2021-Insecure Direct Object References' refers to a subcategory that was a part of earlier editions of the OWASP Top 10, which has been merged under 'Broken Access Control' in recent versions. 'Sensitive Data Exposure' deals with the actual exposure of sensitive data due to inadequate protection, which does not directly relate to the described scenario. 'Insufficient Logging & Monitoring' is about the lack of sufficient tracking and auditing, which may allow breaches to go unnoticed, but is not directly relevant to the issue of failing to restrict URL access.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are some common examples of Broken Access Control vulnerabilities?
How can developers prevent Broken Access Control in their applications?
What is the OWASP Top 10, and why is it important for web application security?
When attempting to reverse engineer an executable file to uncover potential vulnerabilities, which technique is MOST effective for understanding the high-level logic and control flow without executing the code?
- You selected this option
Performing static analysis of the code
- You selected this option
Observing the behavior of the application through dynamic analysis
- You selected this option
Reviewing the application logs for error messages and system events
- You selected this option
Conducting a fuzz test to identify potential memory leaks or crashes
Answer Description
Static analysis is the process of examining the code without executing the program. It is the best technique for understanding the high-level logic and control flow of the executable without execution, which could reveal vulnerabilities and hidden functionalities. Dynamic analysis involves observing the system's behavior during execution, which does not fit the criteria of not executing the code. A fuzz test is used to feed a series of inputs to software to find vulnerabilities, but it is not a technique used for reverse engineering without execution. Application logs can provide runtime details, but they won't help reverse engineer binary code or understand high-level logic and control flow before execution.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the primary methods used in static analysis?
How does dynamic analysis differ from static analysis?
What kinds of vulnerabilities can static analysis help identify?
During a passive reconnaissance mission, you discover that the secure communication certificate used by the target organization's web server has been invalidated. Which option should you choose to most authoritatively confirm the current status of this certificate?
- You selected this option
Employ an automated scanning tool to analyze the server's encryption protocols and identify any invalidations.
- You selected this option
Conduct a WHOIS domain lookup to see if there is any mention of certificate invalidation.
- You selected this option
Use the Online Certificate Status Protocol (OCSP) to verify the current status directly from the issuing authority.
- You selected this option
Inspect the browser's security panel while accessing the website for any security warnings.
Answer Description
The correct method to ascertain the live status of a digital certificate is to use the Online Certificate Status Protocol (OCSP), which checks with the issuing Certificate Authority for current revocation information. This is more reliable and timely than other methods such as Certificate Revocation Lists (CRLs), which might not be updated immediately. Manually inspecting the browser for warnings or using a vulnerability scanner could yield some information, but these methods are not as direct, current, or authoritative as using OCSP. Additionally, WHOIS lookups provide domain registration details but do not provide information on certificate revocation statuses.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the Online Certificate Status Protocol (OCSP)?
Why is OCSP more reliable than other methods like CRLs?
What are some alternative methods to verify certificate status besides OCSP?
A penetration tester is conducting passive reconnaissance to gather information about the security posture of a company. Which source would provide the most comprehensive list of known vulnerabilities associated with the company's publicly acknowledged software?
- You selected this option
Job listings revealing the technology stack
- You selected this option
Common weakness enumeration (CWE) listings
- You selected this option
Strategic search engine analysis of the company
- You selected this option
Common vulnerabilities and exposures (CVE) listings
Answer Description
The Common Vulnerabilities and Exposures (CVE) list is a registry of publicly disclosed cybersecurity vulnerabilities and exposures. A CVE list would provide the tester with detailed information about known vulnerabilities in specific versions of software that the target company uses or develops. This information can help pinpoint potential security flaws in the company's infrastructure. On the contrary, CWE offers a categorization of different types of vulnerabilities which is broader and not specific to individual programs or systems. Job listings and strategic search engine analysis could reveal insights about the technology stack but are not focused on known vulnerabilities like the CVE list.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are Common Vulnerabilities and Exposures (CVE)?
How does the CVE listing compare to Common Weakness Enumeration (CWE)?
What types of information can be found in a CVE entry?
A penetration tester has gained access to a network and would like to determine what other machines are active on the subnet. Which of the following techniques should the tester use to quickly and efficiently enumerate devices on the network without triggering potential intrusion detection systems?
- You selected this option
Service version scan
- You selected this option
ARP scan
- You selected this option
Port scan with SYN packets
- You selected this option
ICMP echo request
Answer Description
The correct answer is ARP scan. An ARP scan is an efficient and less intrusive method of enumerating live hosts on a local subnet by resolving IP addresses to MAC addresses within the same broadcast domain. It is less likely to be noticed by intrusion detection systems compared to more aggressive scanning techniques that generate a larger amount of network traffic. ICMP echo request might be blocked by firewalls or might trigger IDS systems due to its commonly known usage in scanning activities. Service version scan is not directly used to enumerate active hosts, but rather to identify service versions running on known up hosts. Port scan with SYN packets generates SYN packets, which can be easily detected by IDS systems due to their typical association with reconnaissance activities.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an ARP scan and how does it work?
What are the limitations of using an ICMP echo request for enumeration?
Why are service version scans and port scans with SYN packets not optimal for enumeration?
What set of standards pertains specifically to the security of cardholder data and is critical for organizations that handle branded credit cards from the major card schemes?
- You selected this option
Payment Card Industry Data Security Standard (PCI DSS)
- You selected this option
General Data Protection Regulation (GDPR)
- You selected this option
Health Insurance Portability and Accountability Act (HIPAA)
- You selected this option
Federal Information Security Management Act (FISMA)
Answer Description
The Payment Card Industry Data Security Standard (PCI DSS) is the correct answer because it is a set of security requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. The PCI DSS is important for penetration testers to understand when planning and scoping an engagement as they must comply with these requirements when handling cardholder data.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the main requirements of PCI DSS?
Why is PCI DSS important for organizations handling credit cards?
How does PCI DSS affect penetration testing engagements?
Which type of control would include establishing a policy that mandates regular security awareness training for all employees?
- You selected this option
Operational control
- You selected this option
Administrative control
- You selected this option
Physical control
- You selected this option
Technical control
Answer Description
Establishing a policy that mandates regular security awareness training for all employees is an example of an administrative control. Administrative controls consist of policies, procedures, and regulations that manage the human elements of security operations. They are crucial for ensuring that employees understand their roles and responsibilities regarding organizational security. Technical controls involve the use of technology to mitigate risks, while physical controls address the protection of physical assets. Operational controls, although related to procedures, are more about the day-to-day implementation of security measures rather than policy establishment.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are examples of administrative controls?
How do administrative controls differ from technical controls?
What are some reasons for implementing regular security awareness training?
During a penetration test, you’re tasked with analyzing a network’s organizational schema exported from an Active Directory environment. The schema is presented in a hierarchical JSON format that must be walked through to identify potential privileged users for further targeting. Which of the following data structures is most appropriate for representing and processing this hierarchical schema?
- You selected this option
Tree
- You selected this option
Hash table
- You selected this option
List
- You selected this option
Stack
Answer Description
A tree data structure is particularly efficient at representing hierarchical data due to its branching nature, where each node can have any number of child nodes. This allows for easy representation of an organizational schema where entities such as users and groups have parent-child relationships (e.g., groups containing users or other groups). In contrast, a list structure does not inherently represent hierarchical relationships and a hash table or stack is not specialized for representing hierarchical relationships like a tree.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a tree data structure, and how does it work?
What are the main differences between a tree and a list data structure?
Why are hash tables and stacks not suitable for representing hierarchical schemas like those in Active Directory?
During a security assessment of a web application, you notice that carefully crafted inputs that should result in server-side errors do not produce discernible changes in the application's output. To confirm your suspicions of a potential back-end data store vulnerability, which technique would be most effective given the lack of informative responses?
- You selected this option
Input crafted payloads that result in immediate reflection in application output to validate execution against the server's data handler.
- You selected this option
Send an input that would typically generate an error and check for specific error messaging in the response.
- You selected this option
Rely on automated tools using common payloads that produce detailed error messages to identify potential data extraction points.
- You selected this option
Initiate a timing attack by sending a payload designed to trigger a delay in the application response indicative of successful execution on the data store.
Answer Description
The correct approach in this scenario is to utilize a time-based technique, such as crafting payloads that make the server wait for a certain amount of time before responding (e.g., through a command like SLEEP). The presence of a delay would suggest that the payload was executed, confirming the vulnerability without the need for an error message. Attempting to cause errors or expecting instantaneous feedback are typical signs of standard vulnerabilities and not suitable for scenarios where the application suppresses error details.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a timing attack and how does it work?
Why are error messages sometimes suppressed in web applications?
What other techniques can be used to test for vulnerabilities in web applications?
Running an ARP poisoning attack can allow an attacker to intercept and modify traffic between two other hosts on the same network segment without being detected by network intrusion detection systems.
- You selected this option
False
- You selected this option
True
Answer Description
The correct answer is True
. ARP poisoning involves sending forged ARP reply packets to the target hosts, causing them to associate the attacker's MAC address with the IP address of another host on the network. This man-in-the-middle position allows the attacker to capture traffic between the two hosts. If the traffic is not encrypted, the attacker can also modify it. This attack may go unnoticed by intrusion detection systems, especially if they are not configured to detect anomalies in ARP traffic.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is ARP poisoning?
What does a man-in-the-middle attack entail?
How can network intrusion detection systems fail to detect ARP poisoning?
During the initial meeting with a client for a penetration testing project, the client specifies that they want a comprehensive assessment of their infrastructure within a strict timeline. However, the client has numerous third-party hosted services that are critical to their operations. As an ethical hacker, which of the following steps is MOST important to perform next?
- You selected this option
Assume responsibility for any legal issues with third-party vendors that might arise during the testing procedure.
- You selected this option
Advice the client that testing third-party services is not required since it is beyond the client's direct control.
- You selected this option
Validate the scope of engagement by questioning the client and reviewing the contracts pertaining to the third-party services.
- You selected this option
Immediately start testing the client's internal network to map out all accessible devices and services.
Answer Description
Validating the scope of engagement with the client by reviewing contracts and client requirements is the most important next step. It ensures that the penetration tester understands which assets are included in the test, respects the boundaries set by third-party agreements, and accurately aligns the testing process with the client's timeline and expectations. Other options, while important in different contexts, do not prioritize the immediate requirement to understand and agree upon the scope before beginning any assessment.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is it important to validate the scope of engagement in penetration testing?
What are some typical elements included in contracts for third-party services?
What risks are associated with testing third-party services during a penetration test?
When preparing for a penetration test, which strategy BEST aligns with the concept of unknown-environment testing?
- You selected this option
Comprehensive documentation review of the target's systems
- You selected this option
Utilizing findings from previous penetration tests conducted on the target
- You selected this option
Cursory reconnaissance to gather basic information on the target
- You selected this option
Intensive source code analysis of the target's applications
Answer Description
Option B is correct because cursory reconnaissance implies a limited understanding of the environment, which is characteristic of unknown-environment testing. This approach involves gathering only readily available information without detailed knowledge of the target, which is consistent with the scenario of an unknown environment. Option A is incorrect because comprehensive documentation review suggests a familiarity with the environment, making it more suited for known-environment testing. Option C is incorrect because it refers to a practice more commonly associated with known-environment testing where previous engagement information is leveraged to understand the scope. Option D is incorrect as intensive source code analysis indicates deep familiarity with the application, aligning more with known-environment testing.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is cursory reconnaissance in penetration testing?
What does unknown-environment testing mean?
How does known-environment testing differ from unknown-environment testing?
A penetration tester is tasked with evaluating the security of a mobile application. The tester wants to analyze the behavior of the application in a controlled environment to observe how it interacts with system resources and other applications. Which of the following is the BEST method to accomplish this goal?
- You selected this option
Leveraging a mobile security framework for static code analysis
- You selected this option
Deploying the application on a segmented area of the production network
- You selected this option
Using a mobile device emulator
- You selected this option
Running the application on a jailbroken device with monitoring tools
Answer Description
Using a mobile device emulator creates a virtual mobile device on which the application can be safely run and analyzed. This allows the penetration tester to observe the application's behavior under different conditions without risking the integrity of a physical device or the production environment. The other options either are not as relevant for analysis on a mobile application (a and c) or are general tools for mobile security testing but not specifically designed for behavioral analysis in a controlled environment like an emulator (d).
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are the advantages of using a mobile device emulator over a physical device?
What is the role of monitoring tools when analyzing mobile applications on a jailbroken device?
What constitutes a mobile security framework for static code analysis, and how does it differ from behavioral analysis?
Woo!
Looks like that's it! You can go back and review your answers or click the button below to grade your test.