Download PTO-001 Certification Practice Exam with Guaranteed Accurate Answers and more Exams Nursing in PDF only on Docsity! CompTIA PenTEST+ PTO-001 CERTIFICATION PRACTICE EXAM CompTIA PenTEST+ PTO-001 CERTIFICATION PRACTICE EXAM WITH GUARANTEED ACCURATE ANSWERS|VERIFIED A - Accurate Answer✅✅A company has been hacked, and several e-mails that are embarrassing to the CFO and potentially indicative of criminal activity on their part have been leaked to the press. Incident response has determined that only three user accounts accessed the organization's mail server in the 24 hours immediately preceding the disclosure. One of these accounts was assigned to an employee who was fired two weeks before the incident. No other access to the system has been found by incident response. What type of threat actor should be considered a likely culprit for this breach first? A. Insider threat B. Advanced persistent threat (APT) C. Hacktivist D. Script kiddie B - Accurate Answer✅✅Which step in Microsoft's published guidance on threat modeling consists of documenting the technologies in use in the architecture of an information systems environment and discovering how they are implemented therein? A. Rate the threats B. Architecture overview C. Identify assets D. Decompose the application D - Accurate Answer✅✅In the scoping phase of a penetration testing engagement, how might a penetration tester effectively obtain the information necessary to begin testing? A. Waiting for the client to tell them B. Asking previous penetration test providers what they looked at C. Starting an e-mail chain with business leadership so communications are documented D. Sending a pre-engagement survey (also known as a scoping document) to the client for them to fill out C - Accurate Answer✅✅Which contractual document is a confidentiality agreement that protects the proprietary information and intellectual property of a business? A. Master service agreement (MSA) B. Statement of work (SOW) C. Nondisclosure agreement (NDA) D. Written authorization letter C - Accurate Answer✅✅With respect to penetration testing conducted behind perimeter defenses, what does it mean to be provided limited access? A. Client personnel will only be available for limited periods of time. B. Network access to the target systems or networks will only be permitted during predefined hours. C. The penetration tester is only provided with initial, basic connectivity to target systems. D. The penetration tester is provided with an administrative user account. D - Accurate Answer✅✅A red team assessment is typically conducted in a manner consistent with what type of threat actor? A - Accurate Answer✅✅Identified by the target audience of a penetration test, a(n) __________ is a specific technological challenge that could significantly impact an organization (for example, a mission- critical host or delicate legacy equipment that is scheduled for replacement). A. technical constraint B. statement of work C. engagement scope D. nondisclosure agreement AD - Accurate Answer✅✅Which of the following are types of point-in-time assessments? (Choose two.) A. Compliance-based B. Black box C. Gray box D. Goals-based C - Accurate Answer✅✅Which category of threat actor is highly skilled, frequently backed by nation-state- level resources, and is often motivated by obtaining sensitive information (such as industrial or national secrets) or financial gain? A. Insider threat B. Hacktivist C. Advanced persistent threat D. Script kiddies C - Accurate Answer✅✅A defense contractor that manufactures hardware for the U.S. military has put out a request for proposal for penetration tests of a new avionics system. The contractor indicated that penetration testers for this project must hold a security clearance. Which of the following is the most likely explanation for this requirement? A. Export control restriction B. Corporate policy C. Government restriction D. Nondisclosure agreement AD - Accurate Answer✅✅Which of the following are items typically addressed in a master service agreement (MSA)? (Choose two.) A. Dispute resolution practices B. Location of work C. Acceptance criteria D. Indemnification clauses C - Accurate Answer✅✅Which type of assessment is marked by a longer-than-typical engagement time and significant risk or cost to the organization without effective expectation management? A. White box B. Compliance-based C. Red team D. Goals-based D - Accurate Answer✅✅In compliance-based testing, why is it problematic for a penetration tester to have only limited or restricted access to an organization's network or systems? A. The tester might not have sufficient time within the testing period to find all vulnerabilities present on the target system or network. B. The tester needs to be able to verify that export control regulations are adhered to. C. The tester needs sufficient time to be able to accurately emulate an advanced persistent threat (APT). D. The tester requires sufficient access to the information and resources necessary to successfully complete a full audit. D - Accurate Answer✅✅The function of which support resource is to define a format used for sending and receiving messages? A. WSDL B. XSD C. Architecture diagram D. SOAP project file B - Accurate Answer✅✅Which type of threat actor is generally unskilled, is typically motivated by curiosity or personal profit, and is frequently indicated by the use of publicly available exploits? A. Advanced persistent threat B. Script kiddies, or "skids" C. Insider threat D. Hacktivist BC - Accurate Answer✅✅All the following may typically be considered stakeholders in the findings of a penetration test except which two? A. IT department B. Rival corporations C. Third-party media organizations D. Executive management A - Accurate Answer✅✅According to Microsoft's published procedures, what is the first step in threat modeling? A. Identify assets B. Identify threats C. Decompose the application B - Accurate Answer✅✅Which document outlines the project-specific work to be executed by a penetration tester for an organization? A. Nondisclosure agreement B. Statement of work C. Rules of engagement D. Communication escalation path B - Accurate Answer✅✅This key aspect of requirements management is the formal approach to assessing the potential pros and cons of pursuing a course of action. A. Executive management B. Impact analysis C. Scheduling D. Technical constraint identification B - Accurate Answer✅✅General terms for future agreements and conditions such as payment schedules, intellectual property ownership, and dispute resolution are typically addressed in which contractual document between a penetration tester and their client? A. Statement of work B. Master service agreement C. Rules of engagement D. Nondisclosure agreement D - Accurate Answer✅✅Which penetration testing methodology may require valid authentication credentials or other information granting intimate knowledge of an environment or network? A. Black box B. Red box C. Red team D. White box