Unit 1 - Practice Quiz

INT245 50 Questions

1 What is the primary objective of the Planning and Scoping phase in penetration testing?

A. To exploit known vulnerabilities in the target system
B. To define the rules of engagement, objectives, and boundaries of the test
C. To generate the final report for the stakeholders
D. To perform active scanning of the network perimeter

2 Which of the following best describes a Black Box penetration test?

A. The tester has full knowledge of the network infrastructure and source code
B. The tester works alongside the internal security team to audit systems
C. The tester has zero prior knowledge of the target system, simulating an external attacker
D. The tester has partial knowledge, such as user credentials but no network diagrams

3 In the context of the CIA Triad, penetration testing primarily seeks to ensure that security controls maintain:

A. Cost, Insurance, and Assessment
B. Confidentiality, Integrity, and Availability
C. Control, Identity, and Authorization
D. Compliance, Inspection, and Auditing

4 Which document is essential to obtain before starting any penetration testing activities to avoid legal liability?

A. Service Level Agreement (SLA)
B. Vulnerability Scan Report
C. Written Authorization (Get Out of Jail Free card)
D. Software License Agreement

5 In a White Box penetration test, which of the following is typically provided to the tester?

A. Only the company name
B. Network diagrams, source code, and IP addressing schemes
C. Only a URL to the public website
D. Physical access badges only

6 What distinguishes a Vulnerability Assessment from a Penetration Test?

A. Vulnerability assessments are manual; penetration tests are automated
B. Vulnerability assessments identify potential flaws; penetration tests attempt to exploit them to verify risk
C. Vulnerability assessments take longer to complete than penetration tests
D. There is no difference; the terms are interchangeable

7 Which regulatory standard applies specifically to organizations handling credit card information?

A. HIPAA
B. GDPR
C. PCI-DSS
D. FERPA

8 According to the PTES (Penetration Testing Execution Standard), which phase immediately follows Pre-engagement Interactions?

A. Exploitation
B. Reporting
C. Intelligence Gathering
D. Post-Exploitation

9 What is the purpose of the Rules of Engagement (RoE) document?

A. To list the specific exploits that will be used
B. To define how the test will be conducted, constraints, timeline, and communication channels
C. To detail the cost and payment terms of the contract
D. To report the findings of the test after completion

10 Which of the following implies a Gray Box testing approach?

A. The tester has Administrator access to all servers
B. The tester has no knowledge of the system
C. The tester acts as an authenticated user with limited knowledge of the backend
D. The tester audits the physical security of the building only

11 When defining Scope, what does the term "Out-of-Scope" refer to?

A. Systems that have critical vulnerabilities
B. Assets or systems that must explicitly not be tested or touched
C. Tools that the tester is not allowed to use
D. Vulnerabilities that cannot be patched

12 Which type of team is responsible for defending the network during a penetration test exercise?

A. Red Team
B. Blue Team
C. White Team
D. Purple Team

13 What is a Purple Team exercise?

A. A test conducted strictly by government auditors
B. A collaborative effort where Red and Blue teams work together to improve detection and defense
C. A physical security assessment combined with social engineering
D. A test focused solely on wireless networks

14 In the context of Risk Management, how is Risk typically calculated conceptually?

A.
B.
C.
D.

15 Which standard is specifically known as the Open Source Security Testing Methodology Manual?

A. OSSTMM
B. NIST SP 800-115
C. ISO 27001
D. OWASP

16 Why is Passive Reconnaissance preferred in the early stages of a stealthy penetration test?

A. It generates a large amount of network traffic
B. It involves direct interaction with the target system
C. It relies on public information and does not alert the target's IDS/IPS
D. It exploits vulnerabilities immediately

17 What is a critical Environmental Consideration when planning a penetration test on a SCADA or Industrial Control System (ICS)?

A. These systems handle high-speed video streaming
B. These systems are usually robust and can handle heavy scanning traffic
C. These systems are often fragile; active scanning may cause physical damage or safety hazards
D. These systems are always connected to the internet

18 Which US regulation requires healthcare organizations to secure Protected Health Information (PHI)?

A. SOX
B. HIPAA
C. FISMA
D. GLBA

19 During the Scoping phase, why is it important to identify Third-Party providers (e.g., Cloud hosts, ISPs)?

A. To ask them for free software
B. To ensure they are ignored completely
C. To obtain necessary permission, as testing their infrastructure without consent is illegal
D. To hack them instead of the client

20 What is the NIST Special Publication that acts as a Technical Guide to Information Security Testing and Assessment?

A. NIST SP 800-53
B. NIST SP 800-115
C. NIST SP 800-30
D. NIST SP 800-37

21 Which test type focuses on the human element of security?

A. Social Engineering
B. Network Sniffing
C. SQL Injection
D. Buffer Overflow

22 In the context of scoping, what is a Blackout Window?

A. A period when the power is turned off
B. A specific time period where no testing is allowed due to critical business operations
C. A tool used to block network traffic
D. The time when Black Box testing is conducted

23 What is the main advantage of an Internal penetration testing team?

A. They are cheaper than automated tools
B. They have deep contextual knowledge of the organization's culture and systems
C. They bring a completely unbiased external perspective
D. They do not require any rules of engagement

24 Which phase involves cleaning up artifacts, removing user accounts created during the test, and restoring settings?

A. Pre-engagement
B. Reconnaissance
C. Post-Exploitation / Restoration
D. Vulnerability Mapping

25 Which organization manages the Common Vulnerability Scoring System (CVSS)?

A. FIRST.org
B. NSA
C. FBI
D. Google

26 If a client requests a penetration test but forbids the use of automated scanners to prevent noise, this constraint is part of:

A. The invoice
B. The Rules of Engagement (RoE)
C. The CVSS score
D. The Post-Mortem

27 Which of the following is an example of Open Source Intelligence (OSINT)?

A. Scanning the target's firewall ports
B. Looking up employee email addresses on LinkedIn
C. Cracking the Wi-Fi password
D. Intercepting internal phone calls

28 What is the difference between Production and Staging environments in the context of scoping?

A. Production is live data; Staging is a replica for testing
B. Production is for developers; Staging is for customers
C. Staging is more secure than Production
D. There is no difference

29 Which legal concept requires the pentester to keep client findings secret?

A. Indemnification Clause
B. Non-Disclosure Agreement (NDA)
C. Statement of Work (SOW)
D. Chain of Custody

30 In the OWASP Top 10, what does OWASP stand for?

A. Open Web Application Security Project
B. Official Wireless Access Security Protocol
C. Online Wide Assessment of Security Procedures
D. Organization for Web Authentication and Security Pentesters

31 What is the primary goal of Physical Penetration Testing?

A. To test the firewall throughput
B. To access the facility, server room, or workstations physically to compromise security
C. To check if the air conditioning is working
D. To ensure the website loads fast

32 Which term describes a limitation where the tester cannot perform Denial of Service (DoS) attacks?

A. Scope Creep
B. Rules of Engagement Constraint
C. White Box Requirement
D. Compliance Failure

33 During the planning phase, defining Communication Paths ensures:

A. The tester can blog about the findings
B. The client knows who to contact if the test causes a critical outage
C. The tester can ask the client for passwords
D. The media is informed of the test

34 What is Scope Creep?

A. A type of slow network scan
B. The gradual expansion of the project's goals or boundaries beyond the original agreement
C. A method of physical entry
D. The process of analyzing results

35 Which testing methodology focuses heavily on the business logic and data flow?

A. Network Layer Testing
B. Application Logic Testing
C. Wireless Testing
D. Physical Testing

36 ISO/IEC 27001 is a standard for:

A. Information Security Management Systems (ISMS)
B. Payment Card Processing
C. Medical Record Storage
D. Wireless Encryption

37 In a Double-Blind test:

A. Both the tester and the client know everything
B. The tester knows nothing, and the client's security team is unaware of the test
C. Two testers work simultaneously
D. The test is done twice

38 What is the Statement of Work (SOW)?

A. A list of vulnerabilities found
B. A formal document defining the timeline, deliverables, and payment for the project
C. A code snippet used for exploitation
D. A manual for the testing software

39 If a pentester discovers evidence of a previous, ongoing criminal compromise during a test, what should they do?

A. Delete the evidence to clean the system
B. Hack the criminal back
C. Stop the test immediately and notify the client's point of contact
D. Include it in the final report next month

40 Which of the following is an example of Active Reconnaissance?

A. Browsing the company website
B. Searching WHOIS records
C. Port scanning using Nmap
D. Reading employee blogs

41 What does FedRAMP standardize?

A. Credit Card processing fees
B. Security assessment and authorization for cloud products used by US federal agencies
C. European data privacy
D. Password complexity rules

42 Which scanning type identifies open ports and services?

A. Vulnerability Scanning
B. Port Scanning
C. Social Engineering
D. Phishing

43 In the context of the Cyber Kill Chain, which phase corresponds to the actual execution of malicious code on the target?

A. Reconnaissance
B. Weaponization
C. Exploitation
D. Actions on Objectives

44 Why is Shodan a relevant tool in the planning phase?

A. It cracks passwords
B. It is a search engine for Internet-connected devices
C. It generates reports
D. It is a virus scanner

45 What is Lateral Movement?

A. Moving physically from one office to another
B. Moving deeper into a network from a compromised host to access other resources
C. Exfiltrating data out of the network
D. Escalating privileges on a single machine

46 A Targeted Testing approach generally means:

A. The IT team and the pentester work together to test a specific system
B. Random testing of all systems
C. Testing only on weekends
D. Testing without any authorization

47 Which of the following represents a Technical constraint in scoping?

A. Budget limitations
B. Legal restrictions
C. Bandwidth limitations or unstable network connections
D. Holiday schedules

48 What is the primary focus of GDPR compliance testing?

A. Protecting US Government Data
B. Protecting the privacy and personal data of EU citizens
C. Ensuring credit card transactions are fast
D. Securing medical devices

49 When is the Chain of Custody relevant in penetration testing?

A. When ordering lunch
B. When handling physical evidence or forensic data found during a test
C. When writing the invoice
D. When scheduling the test

50 Mathematically, in the CVSS v3.1 equations, the Base Score is a function of:

A.
B.
C.
D.