Vulnerability Discovery and Analysis for CompTIA PenTest+

This page covers the Vulnerability Discovery and Analysis domain of the CompTIA PenTest+ certification. Master Cybersecurity offers 38 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  Question 1

    Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?
    A. The tester is conducting a web application test.
    B. The tester is assessing a mobile application.
    C. The tester is evaluating a thick client application.
    D. The tester is creating a threat model.
    Explanation

    The correct answer is: D. The tester is creating a threat model.

    DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is a threat-modeling rating system used to rank threats during the design and planning of an assessment, while PTES is a process methodology that structures the test itself across seven phases. The tester would choose DREAD specifically when the goal is to build a threat model that prioritizes risks, which is a different objective from running through the engagement phases PTES describes. Whether the asset is a web application, mobile app, or thick client does not by itself determine that DREAD is preferable; PTES applies to all those assessment types. Threat modeling is the activity for which DREAD is the right instrument.

  Question 2

    A penetration tester is performing a security review of a web application. Which of the following should the tester leverage to identify the presence of vulnerable open-source libraries?
    A. VM
    B. IAST
    C. DAST
    D. SCA
    Explanation

    The correct answer is: D. SCA.

    Software composition analysis is the technique that ingests a project's manifests, lockfiles, and packaged artifacts to enumerate every open-source dependency and its version, then matches that inventory against vulnerability databases such as the NVD, GitHub Advisory Database, and OSV to identify vulnerable libraries. That is exactly what the tester needs when reviewing a web application for vulnerable open-source components. VM is virtualization and unrelated. IAST instruments a running application to detect runtime behaviors and is not optimized for dependency-version discovery. DAST attacks the application from the outside and surfaces behaviors but does not enumerate the dependency graph. SCA is the right tool class for the job.
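A worked illustration of the SCA matching the explanation describes, added here and not part of the original page or of any SCA product: it builds a dependency inventory from a pinned lockfile and matches it against advisory records with version ranges. The lockfile, the advisories, their placeholder IDs and the version ranges are all constructed, not real vulnerability data.

```python
# Minimal SCA matcher: inventory from a lockfile, then advisory matching. Added
# example, not code from the page or any SCA product; the lockfile and advisories
# are constructed, advisory IDs are placeholders and the ranges are illustrative.
SAMPLE_LOCKFILE = """\
requests==2.19.1
urllib3==1.26.5
pyyaml==5.1
# comments and blank lines are ignored by the parser
jinja2==3.1.4
"""
# Constructed advisories; affected range is [introduced, fixed), fixed=None = no fix yet.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "ADV-PLACEHOLDER-002", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "ADV-PLACEHOLDER-003", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
]

def parse_version(text):
    """'1.26.5' -> (1, 26, 5); trailing zeros are dropped so '5.4.0' equals '5.4'."""
    parts = tuple(int(p) for p in text.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts

def parse_lockfile(text):
    """Build the dependency inventory: package name -> pinned version."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, or when no fixed version exists."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def find_vulnerable(lockfile_text, advisories):
    """Return (package, version, advisory id) for every inventory entry in an affected range."""
    inventory = parse_lockfile(lockfile_text)
    hits = []
    for adv in advisories:
        version = inventory.get(adv["package"].lower())
        if version is not None and is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["package"], version, adv["id"]))
    return hits
```

The urllib3 entry sits exactly on the fixed version and is correctly not reported, which is the boundary a naive "less than or equal" comparison would get wrong.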

  Question 3

    A penetration tester reviews a SAST vulnerability scan report. The following lines of code have been reported as vulnerable: Which of the following is the best method to remediate this vulnerability?
    A. Implementing a logging framework
    B. Removing the five code lines reported with issues
    C. Initiating a secure coding-awareness program with all the developers
    D. Documenting the vulnerability as a false positive
    Explanation

    The correct answer is: A. Implementing a logging framework.

    Implementing a logging framework is the durable remediation when SAST flags repeated, ad-hoc, insecure logging patterns across multiple lines, because it replaces each scattered call site with a centralized, well-configured component that handles output sinks, redaction, levels, and structured fields uniformly. Removing the five flagged lines treats only the local symptom and is likely to recur as soon as another developer writes similar code. A secure coding awareness program is a cultural lever that pays off over months and does not directly fix the present finding. Documenting the issue as a false positive ignores a real problem rather than addressing it. The best remediation is the structural one: replace the recurring insecure pattern with a logging framework that makes the safe path the default.
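As an added example (not the page's code, and not the flagged snippet, which the page does not reproduce), the remediation in working form: a centralized logger with a redaction filter and structured JSON output, beside the ad-hoc pattern it replaces. The request record, field names and secret values are constructed.

```python
# Centralized logging with redaction, standing in for the "logging framework"
# remediation. Added example, not the page's code or any SAST finding; the
# request record, secret values and field names are constructed.
import io, json, logging, re

SENSITIVE_KEYS = {"authorization", "password", "api_key", "cookie"}
BEARER_RE = re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._-]+")
# Constructed request record of the kind ad-hoc log calls dump verbatim.
SAMPLE_REQUEST = {"method": "POST", "path": "/login", "password": "hunter2",
                  "authorization": "Bearer abc.def.ghi", "note": "retry with Bearer xyz.123"}

def insecure_log(request):
    """The ad-hoc pattern SAST flags: the raw record, credentials included, goes to the sink."""
    return f"request: {request}"  # stands in for scattered print()/file.write() call sites

def _scrub(key, value):
    """Redact by field name first, then by token shape inside any string value."""
    if key.lower() in SENSITIVE_KEYS:
        return "[REDACTED]"
    return BEARER_RE.sub(r"\1[REDACTED]", value) if isinstance(value, str) else value

class RedactFilter(logging.Filter):
    """Attached to the handler, so every record is scrubbed before any sink writes it."""
    def filter(self, record):
        fields = getattr(record, "fields", {})
        record.fields = {k: _scrub(k, v) for k, v in fields.items()}
        record.msg = BEARER_RE.sub(r"\1[REDACTED]", str(record.msg))
        return True

class JsonFormatter(logging.Formatter):
    # Structured output: level, event text and the scrubbed fields as one JSON object.
    def format(self, record):
        payload = {"level": record.levelname, "event": record.getMessage()}
        payload.update(getattr(record, "fields", {}))
        return json.dumps(payload, sort_keys=True)

def build_logger(stream):
    # One configured logger (level, sink, redaction, format) replaces every ad-hoc call site.
    logger = logging.getLogger("app.audit")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactFilter())
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger

def secure_log(request):
    """Log the same record through the framework and return the emitted line."""
    buf = io.StringIO()
    build_logger(buf).info("request received", extra={"fields": request})
    return buf.getvalue().strip()
```

Because the filter hangs off the handler rather than off each call site, a developer who adds a new log statement gets redaction without having to remember it.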

  Question 4

    During a penetration test of a web application, the tester gains full access to the application's source code. The application repository includes thousands of code files. Given that the assessment timeline is very short, which of the following approaches would allow the tester to identify hard-coded credentials most effectively?
    A. Run TruffleHog against a local clone of the application.
    B. Scan the live web application using Nikto.
    C. Perform a manual code review of the Git repository.
    D. Use SCA software to scan the application source code.
    Explanation

    The correct answer is: A. Run TruffleHog against a local clone of the application.

    TruffleHog is purpose-built to scan Git history and working trees for high-entropy strings and known credential patterns, walking through commits, branches, and file contents to surface hard-coded secrets quickly even in repositories with thousands of files. Running it against a local clone is the fastest path to comprehensive secret discovery on a tight timeline. Scanning the live web application with Nikto is a runtime web-server scan and cannot see committed credentials. A manual code review of the repository is correct in spirit but infeasible at thousands-of-files scale within a short window. SCA tools focus on identifying vulnerable third-party dependencies via lockfiles and manifests, not credential text in source. TruffleHog is the right tool for time-boxed credential hunting.
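An added example, not TruffleHog's own code, of the two signals the explanation names, known credential patterns and high-entropy strings, applied to constructed source text as a repository-hygiene check. The detector list is a constructed subset, and the AKIA value is the example access key id from AWS documentation, not a live credential.

```python
# Secret detection over source text using the two signals named above: known
# credential patterns and high Shannon entropy. Added example, not TruffleHog's
# code; the sample source and the detector list are constructed. The AKIA key
# id is the example value from AWS documentation, not a live credential.
import math
import re

PATTERNS = {  # constructed subset; real scanners ship hundreds of detectors
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api_key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")  # long tokens worth an entropy check

SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
PASSWORD = "hunter2"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
SESSION_BLOB = "Q7zX2vK9pL4mN8bT3wR6yH1jF5gD0sAc"
PADDING = "aaaaaaaaaaaaaaaaaaaaaaaa"
token = os.environ["API_TOKEN"]
"""

def shannon_entropy(s):
    """Bits per character; 32 distinct characters give exactly 5.0, a repeated one gives 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def scan_text(text, entropy_threshold=4.0):
    """Return (line number, detector name, matched text) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        pattern_hits = [(name, rx.search(line)) for name, rx in PATTERNS.items()]
        pattern_hits = [(name, m.group(0)) for name, m in pattern_hits if m]
        if pattern_hits:  # a named detector wins; skip the entropy heuristic for this line
            findings.extend((lineno, name, match) for name, match in pattern_hits)
            continue
        for token in CANDIDATE_RE.findall(line):
            if shannon_entropy(token) >= entropy_threshold:
                findings.append((lineno, "high_entropy", token))
    return findings
```

The sample also shows the caveat: the short, low-entropy password on line 3 passes both checks, so scanner output is a starting point for review, not proof that no credentials remain.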

  Question 5

    Which of the following describes the process of determining why a vulnerability scanner is not providing results?
    A. Root cause analysis
    B. Secure distribution
    C. Peer review
    D. Goal reprioritization
    Explanation

    The correct answer is: A. Root cause analysis.

    Root cause analysis is the formal process of methodically determining why something is going wrong and tracing the failure to its underlying source rather than its surface symptoms; when a vulnerability scanner is not producing results, the right discipline is to ask why and trace through credentials, network reachability, scan policy, target responsiveness, and tool configuration until the original cause is identified. Secure distribution governs how a finished report is shared and is unrelated to scanner troubleshooting. Peer review is a quality-control activity for deliverables. Goal reprioritization is a scoping conversation about what to test. Root cause analysis is the named technique for the diagnostic activity the question describes.
