CompTIA PenTest+

Planning & Scoping

36 free practice questions with explanations

PassNova has 36 free CompTIA PenTest+ practice questions on Planning & Scoping, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Planning & Scoping: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 36 for free in the browser.

  1. During the pre-engagement phase, what is the PRIMARY purpose of the Rules of Engagement (RoE) document?

    • A To list every vulnerability that will be exploited
    • B To define the scope, constraints, timing, and authorised activities of the test
    • C To provide the final report template to the client
    • D To calculate the total cost of the engagement

    Answer: The Rules of Engagement formally define what testers may and may not do, including scope boundaries, timing windows, permitted techniques, and emergency contacts, protecting both parties legally and operationally.

  2. A client wants assurance that a penetration test will not be confused with a real attack and that testers are legally protected. Which document grants explicit legal permission to perform the test?

    • A Non-Disclosure Agreement (NDA)
    • B Authorization / 'get out of jail free' letter
    • C Master Service Agreement (MSA)
    • D Statement of Work (SOW)

    Answer: A signed authorization letter (often called a 'get out of jail free' card) provides written proof that the testing activity is authorised by the asset owner, which is essential to avoid violating computer misuse laws.

  3. Which assessment type provides the tester with NO prior knowledge of the target environment, simulating an external attacker?

    • A Crystal-box testing
    • B White-box testing
    • C Grey-box testing
    • D Black-box testing

    Answer: Black-box testing gives the tester no internal knowledge such as source code, credentials, or network diagrams, closely simulating an outside attacker who must discover everything through reconnaissance.

  4. When scoping an engagement that includes systems hosted on a third-party cloud provider, what MUST the tester verify before testing begins?

    • A The provider's stock price
    • B Whether the cloud provider permits penetration testing and any required authorization
    • C The age of the data centre hardware
    • D The provider's marketing materials

    Answer: Cloud providers have their own terms governing security testing; testing assets you do not own without provider permission can breach the provider's acceptable use policy and laws, so authorization must be confirmed first.

  5. A penetration testing contract specifies that only the 10.0.50.0/24 subnet may be tested. During scanning the tester finds an interesting host at 10.0.60.5. What is the correct action?

    • A Exploit it immediately since it is on the same network
    • B Stay within scope and do not test 10.0.60.5 unless the scope is formally amended
    • C Quietly add it to the report as compromised
    • D Scan it but do not exploit it

    Answer: Testers must remain strictly within the authorised scope; any expansion requires formal written approval, because testing out-of-scope hosts is unauthorised access regardless of network proximity.

  6. Which factor is MOST important when determining the appropriate timing window for an on-site network penetration test?

    • A The tester's personal preference
    • B Avoiding business-critical periods to minimise operational disruption
    • C The colour scheme of the client's office
    • D The number of social media followers the client has

    Answer: Scheduling should account for the client's business operations so that potentially disruptive testing avoids peak or critical processing windows, reducing the risk of unacceptable downtime.
