CompTIA PenTest+: Free Certified Penetration Tester practice test (no sign-up)
10 real CompTIA PenTest+ practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 900 questions whenever you’re ready. The CompTIA PenTest+ passing score is 750 / 900.
Answer key
All 10 CompTIA PenTest+ questions & answers
Prefer to just read the answers and explanations? Here’s the full key for this free CompTIA PenTest+ test.
Q1. Three months after a pentest concludes, a client reports being breached through a vector not identified in your report and demands an explanation. What is the appropriate response?
Correct answer: D. Direct the client to the scope disclaimers in the testing agreement
Testing agreements and scope documents include disclaimers clarifying that results reflect the environment at a specific point in time, and that methodology and scope choices affect test comprehensiveness. Pointing the client to these disclaimers is the correct first response. Accepting financial liability would be costly and inappropriate. Escalating to legal counsel is a secondary step if the client disputes after reviewing the disclaimers.
Q2. A client wants to protect the organization's internal information from being disclosed to outside parties during a penetration test. Which agreement should be executed to address this requirement?
Correct answer: B. NDA
A non-disclosure agreement (NDA) legally obligates the signing parties to keep confidential any privileged information encountered during the engagement. This protects the client's confidential information, including anything that gives it a competitive advantage, from being shared with third parties. A Statement of Work (SOW) details what tasks will be performed. Rules of Engagement (RoE) define the boundaries, scope, and objectives of the test. A Master Service Agreement (MSA) governs general terms across multiple contracts.
Q3. A client must maintain GDPR compliance during a penetration test. Which of the following actions would most directly violate that requirement?
Correct answer: D. Extracting personally identifiable data from a live production database
GDPR is an EU regulation that prohibits unnecessary processing or exposure of personal data, including during security testing. Extracting personal data from production databases without necessity violates GDPR obligations. Testing publicly accessible systems is permitted. Authorized social engineering is allowable with written consent. Scanning unallocated disk space is not inherently restricted under GDPR unless personal data is encountered.
Q4. A business stores identifiable data about customers who reside in European Union member states. Which regulation governs how that data must be handled?
Correct answer: C. GDPR
The General Data Protection Regulation (GDPR), introduced in 2016, is the EU framework governing the collection, storage, and processing of personal data. PCI DSS applies to environments that handle payment card transactions. The Gramm-Leach-Bliley Act (GLBA) regulates how U.S. financial institutions manage personal information. The Sarbanes-Oxley Act (SOX) establishes financial reporting standards for publicly traded U.S. companies.
Q5. A firm is engaging an external security company to conduct a pentest. The client is concerned that the testers may access sensitive internal data during exploitation. Which type of agreement ensures only the testing company is bound to maintain secrecy?
Correct answer: D. Unilateral NDA
A non-disclosure agreement (NDA) legally requires parties to protect information obtained during the engagement. A unilateral NDA places confidentiality obligations on only one party — in this case, the penetration testing firm. A bilateral NDA requires both organizations to maintain confidentiality. A multilateral NDA extends the obligation to all involved parties. Rules of Engagement (RoE) govern scope, targets, and testing boundaries rather than confidentiality.
Q6. A penetration tester is mid-engagement and is uncertain whether brute-force attacks fall within the permitted testing activities. Which document should they consult to clarify this?
Correct answer: C. RoE
The Rules of Engagement (RoE) document defines how testing is to be conducted, specifying permitted and prohibited techniques, target selection, communication contacts, time windows, and data-handling procedures. Constraints on specific testing activities like brute-forcing are typically listed under the type and scope of testing section within the RoE. The NDA binds testers to confidentiality. The SOW describes the work to be done but does not govern constraints in detail. An SLA defines service-level commitments from a provider.
Q7. After completing a penetration test, a tester is helping prioritize remediation efforts. Which of the following factors is the LEAST significant when ranking which vulnerabilities to fix first?
Correct answer: C. Availability of publicly known exploits
While public exploit availability may provide some signal, it is not the primary driver for prioritization. Exploits for a given vulnerability may exist but remain unreleased or undisclosed, making them invisible to this metric. Factors such as system criticality, exposure level, and remediation complexity have more direct impact on risk and are more reliable for prioritization decisions.
Q8. During the pre-engagement phase, a penetration tester is asked to assess a client's APIs. Which type of file should the tester request to understand the supported API operations and message formats?
Correct answer: C. SOAP
A SOAP project file defines the structure and format for sending and receiving messages in a web service, giving a tester insight into available operations and potential error conditions to probe. DirBuster is used to brute-force hidden directories on web servers. OWASP ZAP is a web application security scanner. Nessus is a network vulnerability scanner — none of these describe an API specification file.
Q9. A pentest reveals that staff regularly fall for phishing simulations. Given that spam filters and detection tools often lag behind evolving phishing tactics, what is the MOST effective mitigation a tester should recommend in their report?
Correct answer: C. Train employees to recognize and report suspicious email
Regular security awareness training helps employees identify phishing attempts and reduces susceptibility to social engineering. Well-trained users act as a layer of defense that complements technical controls. Disabling email is operationally infeasible. IDS and IPS signature-based phishing detection is reactive and cannot keep pace with novel lures. Removing email addresses from public sources reduces targeting but does not improve employee recognition skills.
Q10. While conducting an authorized penetration test, a tester finds evidence that a real threat actor has already compromised the client's network. What is the correct course of action?
Correct answer: D. Immediately alert the client about the active compromise
When a penetration tester discovers signs of an actual intrusion, the client must be notified at once so they can take protective action. Delaying until the final report leaves the client exposed to ongoing damage. Attempting to interact with the attacker is unsafe and outside the tester's mandate. Removing attacker artifacts would destroy forensic evidence and is unethical.
Exam facts and objectives sourced from the official CompTIA certification page. Last reviewed June 2026.