CompTIA PenTest+ (PT0-002) Exam | 2025/2026 Edition
– Real Exam Questions and Verified Answers
1.0 Planning and Scoping
Q1. A penetration tester is asked to perform an assessment but only has publicly available information
about the target company. The client is aware of this exercise and is preparing for the test. Which of the
following describes the scope of the assessment?
A. Partially known environment testing
B. Known environment testing
C. Unknown environment testing
D. Physical environment testing
✔✔ Answer ✔✔ C
Rationale: An "unknown environment" test (black-box) means the tester has no prior knowledge or
credentials. The client knows the test is happening but provides no internal information.
Q2. Which of the following would be the most important document to define the rules of engagement
(ROE) for a penetration test?
A. Statement of Work (SOW)
B. Non-Disclosure Agreement (NDA)
C. Service Level Agreement (SLA)
D. Master Services Agreement (MSA)
✔✔ Answer ✔✔ A
Rationale: The SOW defines the ROE, including scope, timeline, goals, and testing boundaries. An NDA
protects confidentiality; an SLA defines service performance; an MSA is a framework for future
agreements.
Q3. A compliance-based penetration test is primarily concerned with:
A. Obtaining personally identifiable information (PII) from the protected network
B. Bypassing protection on edge devices
C. Determining the efficacy of a specific set of security standards
D. Obtaining specific information from the protected network
✔✔ Answer ✔✔ C
Rationale: Compliance-based testing ensures that an organization meets specific regulatory or security
standards (e.g., PCI DSS, HIPAA). It focuses on verifying control effectiveness rather than simply
obtaining data.
Q4. A penetration tester wants to ensure that the test does not disrupt business operations. Which of
the following would be the best approach?
A. Perform the test only during business hours
B. Ask the client to shut down critical systems
C. Schedule the test during a maintenance window with clear rollback procedures
D. Use only passive reconnaissance techniques
✔✔ Answer ✔✔ C
Rationale: Scheduling during a maintenance window with explicit rollback procedures minimizes the risk
of business disruption. Active testing can still be performed, but with controlled conditions.
Q5. Which of the following best describes a "black-box" penetration test?
A. The tester has full knowledge of the internal network and credentials.
B. The tester has limited internal knowledge but some credentials.
C. The tester has no prior knowledge of the target.
D. The tester is provided with logical access to the internal network.
✔✔ Answer ✔✔ C
Rationale: Black-box testing simulates an external attacker with zero prior information. The tester must
gather all intelligence from scratch.
Q6. A penetration tester is hired to test a web application. The client requests that the tester not
attempt any denial-of-service attacks or brute-force logins. This restriction should be documented in
which section of the rules of engagement (ROE)?
A. Scope
B. Goals
C. Limitations and exclusions
D. Timeline
✔✔ Answer ✔✔ C
Rationale: Limitations and exclusions specify what the tester is explicitly prohibited from doing. This
protects the client’s operational stability.
Q7. A client wants to understand the potential impact of a successful attack on their environment.
Which type of penetration testing engagement would best provide this?
A. Vulnerability assessment
B. Red team exercise
C. Compliance audit
D. Security audit
✔✔ Answer ✔✔ B
Rationale: A red team exercise emulates a real-world adversary, focusing on achieving objectives (e.g.,
data exfiltration) and measuring the organization’s detection and response capabilities.
Q8. Which of the following should be included in a penetration testing contract to protect the tester
from legal liability?
A. Proof of insurance
B. A non-circumvention agreement
C. A hold-harmless clause
D. A non-compete agreement
✔✔ Answer ✔✔ C
Rationale: A hold-harmless clause (or indemnification clause) protects the tester from legal liability
arising from the test, provided the test is conducted within the agreed ROE.
Q9. During scoping, the client mentions that their environment includes systems subject to PCI DSS.
Which of the following is the most critical factor to consider?
A. The need for a separate segmentation check
B. The requirement for a quarterly external scan
C. The prohibition of password cracking
D. The need for a dedicated test environment
✔✔ Answer ✔✔ A
Rationale: PCI DSS requires that cardholder data environments (CDE) be properly segmented from other
networks. A segmentation check is often a required part of a PCI DSS assessment.
Q10. A penetration tester is asked to perform an internal assessment with no credentials. This type of
test is often referred to as:
A. Double-blind test
B. Unauthenticated internal test
C. Authenticated internal test
D. Physical security test
✔✔ Answer ✔✔ B
Rationale: An unauthenticated internal test simulates a compromised user on the internal network who
has not yet obtained domain credentials. It focuses on privilege escalation and lateral movement.
2.0 Information Gathering and Vulnerability Scanning
Q11. During the reconnaissance phase, a penetration tester runs the following command:
sudo responder -I tun0
The result is a list of NTLMv2 hashes. What should the penetration tester do next?
A. Use the hash in a password spraying attack.
B. Use the hashes in a collision attack.
C. Attempt to pass the hash with CrackMapExec.
D. Crack the hash with Hashcat.
✔✔ Answer ✔✔ D
Rationale: NTLMv2 hashes are not directly usable for pass-the-hash attacks because they include a
challenge-response mechanism. The next step is to crack them (e.g., with Hashcat) to obtain clear-text
passwords.
Q12. A penetration tester is reviewing DNS reconnaissance results for comptia.org:
;; ANSWER SECTION
comptia.org. 3569 IN MX comptia-org.mail.protection.outlook.com.
comptia.org. 3569 IN A 3.219.13.186.
comptia.org. 3569 IN NS ns1.comptia.org.
comptia.org. 3569 IN SOA haven. administrator.comptia.org.
comptia.org. 3569 IN MX new.mx0.comptia.org.
comptia.org. 3569 IN MX new.mx1.comptia.org.
Which of the following potential issues can the penetration tester identify based on this output?
A. At least one of the records is out of scope.
B. There is a duplicate MX record.
C. The NS record is not within the appropriate domain.
D. The SOA record is outside the comptia.org domain.
✔✔ Answer ✔✔ B
Rationale: The output shows three MX records, which is unusual and indicates a duplicate configuration.
This could lead to mail routing issues or misconfiguration.
Q13. Which of the following Nmap commands would perform a SYN stealth scan on the top 100 ports?
A. nmap -sT -p 1-100 target
B. nmap -sS --top-ports 100 target
C. nmap -sA --top-ports 100 target
D. nmap -sW -p- target
✔✔ Answer ✔✔ B
Rationale: -sS performs a SYN (half-open) scan, and --top-ports 100 limits the scan to the 100 most
common ports. This is fast and less likely to be logged.
Q14. Which of the following is the primary purpose of performing a zone transfer (AXFR) during DNS
reconnaissance?
A. To enumerate all DNS records for a domain
B. To test DNS server response time
C. To perform a reverse lookup
D. To verify DNSSEC signatures
✔✔ Answer ✔✔ A
Rationale: A zone transfer replicates DNS records from primary to secondary servers. If misconfigured,
an attacker can enumerate all records (A, MX, TXT, etc.) for the domain.
Q15. A penetration tester discovers that a web server returns a detailed stack trace when an invalid
parameter is sent. This is an example of:
A. Directory traversal
B. Information disclosure