Engagement Management
Drill 20 practice questions focused entirely on Engagement Management for the CompTIA PT0-003 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
During a black-box external penetration test governed by a signed statement of work, a tester discovers what appears to be evidence of a prior, unauthorized breach in the client's web server logs — including malware and command-and-control artifacts unrelated to the current engagement. The contract contains no specific provision addressing this situation. What is the MOST appropriate immediate action for the tester to take?
A retail client hires your firm to perform a penetration test to satisfy an annual PCI DSS requirement. During scoping, the client states that their cardholder data environment (CDE) is isolated from the corporate network by firewalls and VLAN segmentation. To properly define the scope of the engagement in line with PCI DSS guidance, which action should the penetration tester prioritize?
A penetration testing firm is contracted to assess a client's web application that is hosted entirely on a third-party cloud provider's infrastructure (IaaS). The signed contract and rules of engagement between the firm and the client authorize active exploitation of the application. As the lead tester reviews the scope during pre-engagement, which action is MOST important to take before launching any testing activity?
During an internal network penetration test, you discover an actively exploited vulnerability on a domain controller, along with evidence suggesting a previously unknown third-party breach. The rules of engagement specify weekly status reports and a named technical point of contact. What is the most appropriate immediate action?
A penetration testing firm has completed a web application assessment for a healthcare client subject to HIPAA. During testing, the team captured screenshots and database extracts containing protected health information (PHI) to demonstrate exploit impact. As the engagement closes, the client's compliance officer asks how the firm will handle the sensitive data it collected. Which action BEST satisfies the firm's obligations at engagement closeout?
During a kickoff call, a client's IT manager verbally provides a list of IP ranges and web application URLs that are in scope for an upcoming external penetration test. The engagement is scheduled to begin in two days. Which action should the lead tester take BEFORE any active testing to ensure the scope is properly authorized and defensible?
During pre-engagement planning for a black-box external penetration test, the client asks how the testing team will handle situations where a discovered vulnerability could lead to accidental service disruption or evidence of a prior compromise. The lead penetration tester wants to formally document who must be notified, under what conditions, and through which channels before defining these details in the rules of engagement. Which pre-engagement element most directly addresses this requirement?
A penetration testing firm based in the United States is contracted to test a web application for a client headquartered in Germany. During pre-engagement scoping, the tester discovers the application processes personal data of EU residents, and captured test artifacts may include this data. What is the MOST important legal consideration the tester must address before beginning the engagement?
A penetration tester is midway through a two-week engagement for a healthcare client. The client's CISO requests that the team stop testing the legacy billing application and instead focus remaining hours on a newly deployed patient portal that was not in the original scope document. The tester wants to accommodate the request while remaining compliant with the engagement's governance requirements. What should the tester do FIRST?
A penetration testing firm is finalizing pre-engagement paperwork for a hospital network. During testing, the team will access servers that store and process electronic protected health information (ePHI). The hospital's compliance officer wants to ensure the firm is legally bound to safeguard this data and to specify permitted uses, breach notification obligations, and safeguards. Which document must be executed to satisfy this HIPAA requirement before testing begins?
A penetration testing firm is finalizing pre-engagement paperwork for a client that operates a legacy manufacturing control system. The client is concerned that active testing could inadvertently disrupt production equipment or cause physical damage. The lead tester wants to ensure the firm is financially protected if such an incident occurs during authorized testing. Which contractual element should the firm confirm is in place before starting the engagement?
A penetration testing firm is finalizing pre-engagement paperwork for a client. During scoping, the client's IT manager verbally authorizes testing of a marketing web application that is hosted and fully managed by a separate managed service provider (MSSP). The IT manager insists this asset is 'in scope' and asks the testers to begin immediately. What is the tester's most appropriate action before testing that application?
During pre-engagement discussions, a penetration testing firm will be given access to a client's proprietary network diagrams, source code repositories, and internal credentials. The client is concerned that sensitive information gathered during testing could be disclosed to competitors, and the testing firm equally wants to protect its proprietary tooling and methodology from being shared. Which document should be executed FIRST to address both parties' confidentiality concerns before any sensitive information is exchanged?
A financial services client requires that a penetration testing firm follow a formally recognized, government-published framework so the assessment maps cleanly to the client's existing security control audits. The client specifically wants the technical testing to align with a structured four-phase process (planning, discovery, attack, and reporting) that their internal auditors already reference. Which methodology should the testing firm adopt to best satisfy this requirement?
A client contracts a penetration testing firm to assess a customer-facing web application built on a modern JavaScript framework with a REST API backend. The client's primary concern is coverage of application-layer vulnerabilities such as injection, broken authentication, and business logic flaws. The lead tester must select a methodology that provides a structured, repeatable framework specifically tailored to web application security testing so the engagement can be defended as thorough and standards-aligned. Which methodology should the tester adopt as the primary framework for this assessment?
A penetration tester has completed the fieldwork for an engagement and drafted the final report. Before the report is delivered to the client, the consulting firm's internal process requires the lead tester to have a colleague independently review the document. The reviewer checks that each finding maps to supporting evidence, that risk ratings are consistent with the firm's scoring methodology, and that recommendations are technically accurate. What is the PRIMARY purpose of this step?
A penetration tester is following the Penetration Testing Execution Standard (PTES) for a new engagement with a retail client. Before any scanning or exploitation begins, the tester and client need to formally agree on the systems in scope, the testing timeframe, acceptable techniques, and communication procedures. According to PTES, which phase encompasses these activities?
A penetration tester is finalizing the report for a mid-sized retail client. The document must serve two very different readers: the board of directors, who approved the engagement budget and want a high-level view of business risk, and the IT operations team, who must remediate each issue. Which approach best structures the report to meet both audiences' needs?
During contract negotiations for a web application penetration test, the client asks that any remediation validation (retesting) of previously reported findings be included in the engagement terms. The penetration testing firm wants to ensure the retest is properly bounded and does not become an open-ended obligation. Which document and provision should the firm use to define the timing, scope, and cost of the retest?
During pre-engagement planning for an external penetration test, the client's operations manager expresses concern that scanning could degrade performance of a customer-facing e-commerce platform during peak sales periods. The penetration testing team needs to formally address this concern before work begins. Which document and specific element should capture the agreed-upon constraint that active testing may only occur between 1:00 AM and 5:00 AM on weekdays?
More PT0-003 practice
Keep going with the other CompTIA PenTest+ (PT0-003) domains, or take a full timed mock exam.
← Back to PT0-003 overview