Engagement Management for CompTIA PenTest+

This page covers the Engagement Management domain of the CompTIA PenTest+ certification. Master Cybersecurity offers 36 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

Question 1

Which of the following tasks would ensure the key outputs from a penetration test are not lost as part of the cleanup and restoration activities?

A. Preserving artifacts
B. Reverting configuration changes
C. Keeping chain of custody
D. Exporting credential data

Explanation

    The correct answer is: A. Preserving artifacts.

    Preserving artifacts means deliberately exporting and securing the evidence (screenshots, logs, captured hashes, exploit transcripts, scan outputs, command histories) that prove what was tested and what was found before the cleanup phase wipes systems back to baseline. Without this step, the tester loses the supporting evidence needed for the final report and for any later disputes. Reverting configuration changes is part of cleanup itself and actively destroys forensic state on the test target. Chain of custody is a discipline for tracking who handled which artifact, but it presupposes that artifacts have already been preserved. Exporting credential data is narrow, partial, and creates serious data-handling risk. Preserving artifacts is the umbrella activity that ensures key engagement outputs survive cleanup.

Question 2

A penetration tester is developing the rules of engagement for a potential client. Which of the following would most likely be specified in the rules of engagement?

A. Testing window
B. Terms of service
C. Authorization letter
D. Shared responsibilities

Explanation

    The correct answer is: A. Testing window.

    The testing window, meaning the explicit dates and hours during which testing activity may occur, is one of the canonical items spelled out in the rules of engagement so both sides know exactly when traffic should be expected and when it constitutes an actual incident. Terms of service is a separate contractual document governing the use of platforms or services, not a ROE element. An authorization letter (sometimes called a get-out-of-jail-free letter) is a related but distinct document used by testers to prove sanctioned activity, often in physical or social engineering scenarios. Shared responsibilities tend to live in master service agreements or statements of work. Among these choices the testing window is the item that belongs squarely inside the rules of engagement.

Question 3

Which of the following could be used to enhance the quality and reliability of a vulnerability scan report?

A. Risk analysis
B. Peer review
C. Root cause analysis
D. Client acceptance

Explanation

    The correct answer is: B. Peer review.

    Peer review elevates the quality and reliability of a vulnerability scan report by having an independent qualified reviewer validate scan configurations, confirm findings are not false positives, check severity alignment with CVSS and environmental context, and verify the writing is clear and defensible. This second-set-of-eyes step is an industry standard for technical deliverables. Risk analysis is a step in producing the report content but is performed by the same author and so does not catch their blind spots. Root cause analysis is a remediation-focused activity for understanding why a vulnerability exists, not a quality gate on the report itself. Client acceptance happens after delivery and only signifies receipt, not quality. Peer review is the recognized mechanism for improving deliverable quality and reliability.

Question 4

During a pre-engagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?

A. API
B. HTTP
C. IPA
D. ICMP

Explanation

    The correct answer is: A. API.

An API is a concrete asset that can be enumerated, scoped, and tested: it has endpoints, authentication models, payload contracts, and underlying business logic, all of which become legitimate targets in a penetration test. HTTP is a protocol used to talk to many assets but is not itself an asset. IPA is overloaded (India Pale Ale, an iOS application archive format, or interprocess communication tooling) and in any case is not a scoping target the way an API is. ICMP is a network-layer protocol used for diagnostics, not an asset. Among these options, API is the only one that names a system the tester can be authorized to attack.

Question 5

Which of the following activities should be performed to prevent uploaded web shells from being exploited by others?

A. Remove the persistence mechanisms.
B. Spin down the infrastructure.
C. Preserve artifacts.
D. Perform secure data destruction.

Explanation

The correct answer is: A. Remove the persistence mechanisms.

Web shells uploaded during a test are a textbook persistence mechanism, and removing all such persistence is the activity that prevents a real attacker from later discovering the unauthenticated web shell URL and weaponizing it. This is exactly the kind of artifact whose presence after the engagement ends has caused real breaches. Spinning down infrastructure refers to the tester's attacker-side resources (C2, redirectors, phishing servers) and does nothing about a shell sitting on a customer host. Preserving artifacts retains evidence for the report but does not eliminate the live attack surface; in fact, an unremoved shell is the opposite of safe handling. Performing secure data destruction protects client data on tester systems, not file uploads on client systems. Removing persistence mechanisms is the cleanup step that mitigates the risk.
