CompTIA PenTest+ PT0-003 Certification Exam
2026/2027 | Newly Released
Verified Q&A with Rationales | 100% Correct | Grade A
Section 1: Planning and Scoping (Questions 1-15)
Q1: A penetration tester is engaged for a gray box assessment of a healthcare organization's
external web application. Which document MUST be signed and in place BEFORE any scanning
activities begin?
A. Vulnerability scan report template
B. Master service agreement (MSA) with statement of work (SOW)
C. Post-exploitation cleanup checklist
D. Threat modeling diagram (STRIDE)
Correct Answer: B
Rationale: The MSA and SOW define the legal scope, authorization, rules of engagement, and
liability for the penetration test. Written authorization is required before any testing begins to
avoid legal violations (CFAA). The scan report template is for output, the cleanup checklist is for
post-engagement work, and threat modeling is part of planning but does not provide legal authorization.
Q2: During the planning phase, a tester identifies that the target organization processes credit
card transactions. Which compliance framework would be MOST relevant to the scope and
reporting requirements?
A. HIPAA
B. PCI DSS
C. SOX
D. GDPR
Correct Answer: B
Rationale: The Payment Card Industry Data Security Standard (PCI DSS) specifically governs
the handling of credit card data. HIPAA is for healthcare (PHI), SOX is for financial reporting,
and GDPR is for EU data privacy.
Q3: A penetration tester is using the STRIDE methodology to model threats against a new web
application. If an attacker exploits a vulnerability to access user data without authorization,
which element of STRIDE does this represent?
A. Spoofing
B. Tampering
C. Information disclosure
D. Denial of service
Correct Answer: C
Rationale: Information disclosure refers to the exposure of information to unauthorized
individuals. Spoofing is identity impersonation, tampering is unauthorized data modification, and
denial of service is availability disruption.
Q4: Which of the following scenarios describes a "Black Box" penetration test?
A. The tester is provided with network diagrams and credentials.
B. The tester has no prior knowledge of the target other than the name.
C. The tester focuses on social engineering and physical security only.
D. The tester uses automated tools exclusively without manual intervention.
Correct Answer: B
Rationale: A Black Box test simulates an external hacker with no internal knowledge (zero-
knowledge). Option A describes a White Box test. Option C describes a specific type of
engagement, not the knowledge level. Option D describes a tooling methodology, not a
knowledge level.
Q5: A client specifies in the Rules of Engagement (ROE) that no Denial of Service (DoS) testing
is permitted. Which of the following actions would violate the ROE?
A. Running a SYN scan on the external firewall.
B. Attempting to exploit a buffer overflow in a web server.
C. Sending a flood of UDP packets to test bandwidth capacity.
D. Performing a brute-force attack on the FTP login portal.
Correct Answer: C
Rationale: Sending a flood of packets constitutes a DoS attack or stress test, which the ROE
explicitly prohibits. SYN scans, exploit attempts, and brute-force attacks are generally
acceptable unless they cause a service crash or outage.
Q6: When calculating risk using the formula Risk = Likelihood × Impact, which of the following
represents a "Qualitative" risk assessment?
A. Likelihood: 0.7, Impact: 0.5, Risk: 0.35
B. Likelihood: High, Impact: Medium, Risk: High
C. Likelihood: 70%, Impact: $50,000 loss, Risk: $35,000
D. Likelihood: 1 in 10 years, Impact: 100 systems down
Correct Answer: B
Rationale: Qualitative assessments use descriptive scales (High, Medium, Low) rather than
numerical values. Options A, C, and D use quantitative or semi-quantitative metrics
(percentages, currency, specific numbers).
Q7: A penetration tester needs to ensure that any captured data is admissible in court. Which
process must be strictly followed to maintain the integrity of the evidence?
A. Hashing the evidence and storing it securely
B. Encrypting the evidence with a strong passphrase
C. Chain of custody
D. Anonymizing the data in the report
Correct Answer: C
Rationale: Chain of custody is the documentation of the seizure, custody, control, transfer,
analysis, and disposition of evidence, ensuring it has not been tampered with. Hashing ensures
integrity (Option A) but does not provide the documentation of legal transfer. Encryption (Option B)
protects confidentiality but does not establish provenance, which is what admissibility depends on.
Q8: Which of the following best describes the difference between a Red Team engagement and a
vulnerability assessment?
A. A Red Team engagement focuses on identifying and patching vulnerabilities, while a
vulnerability assessment focuses on exploiting them.
B. A Red Team engagement simulates an adversary to test detection and response, while a
vulnerability assessment identifies technical flaws.
C. A vulnerability assessment requires physical access, while a Red Team engagement is purely
network-based.
D. A Red Team engagement is automated, while a vulnerability assessment is manual.
Correct Answer: B
Rationale: Red Teaming is an adversarial simulation that tests the organization's people, processes,
and detection/response capability (the Blue Team), whereas a vulnerability assessment is a technical
scan to find known flaws. Red Teaming is manual and intensive (refuting D), and either engagement may
include network or physical components (refuting C).
Q9: A tester is reviewing the scope and notices the target includes a legacy ICS (Industrial
Control System) controlling a power grid. Which constraint is MOST critical to consider?
A. The scanning speed of the vulnerability scanner.
B. The potential for physical damage to the operational environment.
C. The color scheme of the reporting format.
D. The version of the web server on the corporate LAN.
Correct Answer: B
Rationale: In OT/ICS environments, active scanning or exploitation can cause physical
machinery to malfunction or fail, leading to real-world safety consequences. Scanning speed (A)
is a secondary concern to safety.
Q10: Which of the following tools is used for Threat Modeling and can visually map out data
flows and potential threats?