13% of PT0-003 — the foundation that keeps a test legal, scoped, and useful
Practice — Domain 1
1.1 Pre-engagement activities (rules of engagement)
Before a test begins, the client and testing firm agree on a document that sets the detailed constraints on how testing is executed and grants the team authority to carry out the defined activities without seeking fresh permission for each action. Which pre-engagement artifact is this?
Answer
Correct answer: B · Rules of engagement
Rules of engagement are the detailed guidelines and constraints on executing the test, established beforehand and giving the team authority to act without additional per-action permissions.
Why the other options are wrong
A · A statement of work itemizes the deliverables, hours, and price of the project; it does not set the operational constraints and standing authority for how testing is executed.
C · The scope statement defines what is to be tested; the question asks for the document governing how testing is conducted and the standing authority, which is a different artifact.
D · A non-disclosure agreement protects confidential information shared between the parties; it neither constrains testing execution nor grants authority to perform the defined activities.
RoE = guidelines/constraints on test execution that grant standing authority (NIST SP 800-115 glossary; PCI DSS)
During pre-engagement, a client hands the tester a list of in-scope IP ranges, domains, and the cardholder data environment perimeter, making clear exactly which systems may be assessed. Which pre-engagement element does this list define?
Answer
Correct answer: A · The scope statement
Scope specifically defines what is to be tested; here the enumerated ranges, domains, and CDE perimeter establish precisely which systems are in bounds for the engagement.
Why the other options are wrong
B · Rules of engagement govern how each aspect of the test is conducted, such as timing and constraints; they do not by themselves enumerate which target systems are in bounds.
C · A master service agreement sets the overarching commercial and legal terms of the relationship; it is not the artifact that lists which specific systems are in scope.
D · Payment terms address billing schedules and amounts; they have nothing to do with identifying which IP ranges, domains, and systems may be tested.
Scope defines what is tested; targets given as IP ranges/domains/CDE perimeter (PTES Pre-engagement; PCI DSS)
A tester is scoping an engagement against a web application a client runs on a public cloud platform. Under the shared responsibility model, who is responsible for securing the underlying physical hosts, hypervisor, and datacenter facilities — the "security of the cloud" layer?
Answer
Correct answer: C · The cloud service provider
The provider is responsible for protecting the infrastructure that runs its services — hardware, hypervisor, and facilities — the layer described as security of the cloud.
Why the other options are wrong
A · The customer is responsible for security in the cloud — its data, configurations, and workloads — not the underlying physical infrastructure, which falls outside what the tenant controls.
B · The testing firm assesses systems within an authorized scope; it never owns operational security responsibility for the provider's infrastructure under the shared responsibility model.
D · End users consume the application and hold no responsibility for infrastructure security; the shared responsibility split is strictly between the provider and the customer tenant.
Provider secures infrastructure = 'security of the cloud' (AWS Shared Responsibility Model; Microsoft Azure)
A client uses a SaaS platform and asks which security duties remain theirs during a cloud assessment. Under the shared responsibility model, which responsibility does the customer always retain regardless of whether the workload is IaaS, PaaS, or SaaS?
Answer
Correct answer: A · Their data and user identities
Across every cloud deployment model the customer always owns its data and identities, remaining responsible for classifying, protecting, and managing accounts and access.
Why the other options are wrong
B · Securing datacenter facilities, including physical access and environmental controls, is the provider's responsibility in all cloud models, not something the customer retains.
C · The virtualization layer and physical hosts are managed by the provider; the customer never retains responsibility for the hypervisor or underlying server hardware.
D · The provider's physical network infrastructure is its responsibility; the customer configures only its own logical network controls, not the provider's backbone.
Customer always owns data and identities in every cloud model (Microsoft Azure; AWS Shared Responsibility Model)
1.1 Pre-engagement activities (assessment types)
A client wants an engagement in which evaluators actively mimic real attacks to exploit and chain weaknesses in order to circumvent the security features of in-scope systems, rather than merely identifying and ranking known weaknesses. Which type of assessment is being requested?
Answer
Correct answer: C · Penetration test
A penetration test has evaluators mimic real-world attacks to identify ways to exploit and circumvent the security features of systems, exactly as described.
Why the other options are wrong
A · A vulnerability scan identifies, ranks, and reports potential weaknesses but does not actively exploit them; the scenario requires exploitation to circumvent security features.
B · A compliance gap audit compares controls against a standard's requirements; it is a documentation and control review, not active exploitation of vulnerabilities.
D · A configuration review inspects settings against a baseline without attacking the system; it cannot demonstrate exploitable paths that defeat security features.
Pentest = mimic attacks to exploit/circumvent security features, beyond a scan (PCI DSS; NIST SP 800-115 glossary)
A client insists on the most realistic simulation possible and refuses to share any network diagrams, source code, or implementation details before the engagement starts. Which testing approach does providing no prior knowledge of the internal structure describe?
Answer
Correct answer: B · Black-box (unknown-environment) test
Black-box testing assumes no knowledge of the internal structure and is performed without prior detail of the target, matching the no-information condition described.
Why the other options are wrong
A · White-box testing assumes explicit and substantial knowledge of the internal structure and implementation; the client here deliberately withholds all such detail.
C · Grey-box testing assumes some knowledge of the internal structure; the scenario provides none at all, so it exceeds the information available to a grey-box tester.
D · A credentialed configuration review depends on supplied access and internal detail; that contradicts the client's refusal to provide any prior information.
To maximize coverage in a limited window, a client provides the testing team with full and complete details of the application — architecture diagrams, source code, and administrative documentation — before testing begins. Which approach does this explicit, substantial internal knowledge define?
Answer
Correct answer: D · White-box (known-environment) test
White-box testing assumes explicit and substantial knowledge of the internal structure and implementation, which is exactly what the full documentation and source code provide.
Why the other options are wrong
A · Black-box testing assumes no knowledge of the internal structure; the client here supplies complete internal detail, which is the opposite condition.
B · Grey-box testing assumes only some knowledge of the internal structure; the scenario provides full and complete detail, exceeding the grey-box information level.
C · A blind external scan probes from outside with no internal information; that conflicts with the client handing over source code and architecture documentation.
A client provides the testing team with a standard user account and partial details of the target systems, but withholds source code and full architecture documentation. Which testing approach does this partial knowledge of the internal structure describe?
Answer
Correct answer: A · Grey-box (partially known) test
Grey-box testing assumes some knowledge of the internal structure and is performed with partial details of the target, matching the limited information the client supplied.
Why the other options are wrong
B · Black-box testing assumes no knowledge of the internal structure; here the client provided a user account and partial detail, which is more than black-box allows.
C · White-box testing assumes explicit and substantial internal knowledge; the client deliberately withheld source code and full documentation, so this exceeds what was given.
D · An unauthenticated scan uses no credentials and only identifies surface weaknesses; the client supplied an account and partial detail, which describes a knowledge level, not a scan.
While drafting the report, a tester needs a section written for senior leadership responsible for the oversight and strategic vision of the security program — conveying business impact and high-level findings while leaving out technical reproduction detail. Which report section serves this audience?
Answer
Correct answer: B · Executive summary
The executive summary is written for leadership overseeing the security program, focusing on business impact and high-level findings while leaving out technical detail.
Why the other options are wrong
A · The technical findings section targets engineers with reproduction steps and remediation detail; it is not the non-technical, business-impact view leadership needs.
C · Rules of engagement are a pre-engagement agreement on how testing is conducted; they are not the narrative report section addressed to senior leadership.
D · The statement of work defines deliverables and hours before testing; it is a contractual artifact, not the report section summarizing findings for executives.
Executive summary = leadership/oversight audience, business impact, no technical detail (OWASP WSTG; PTES Reporting)
1.4 Penetration test reports (findings and remediation)
A client's engineering team asks where in the report they will find each vulnerability described in enough detail to understand it, replicate it, and resolve it, including the attack path, impact, and remediation steps. Which section is aimed at this technical audience?
Answer
Correct answer: C · Technical findings section
The technical findings section is aimed at the technical team and details each vulnerability with the scope, attack path, impact, and remediation needed to fix it.
Why the other options are wrong
A · The executive summary is the non-technical, business-impact overview for leadership; it intentionally omits the reproduction and remediation detail engineers require.
B · The scope statement defines what was in bounds for testing; it does not contain the per-vulnerability technical detail, attack path, and remediation guidance.
D · A non-disclosure agreement governs confidentiality of shared information; it is unrelated to documenting and remediating the specific vulnerabilities found.
1.3 Collaboration and communication (root cause analysis)
After completing an assessment, the team wants to translate findings into actionable mitigations and uncover the underlying process failures — for example, an absent patch-management process — rather than only listing the individual missing patches. Which analysis accomplishes this?
Answer
Correct answer: D · Root cause analysis
Root cause analysis after an assessment translates findings into actionable mitigations and surfaces failed processes, addressing organizational weaknesses, not just the symptomatic patch.
Why the other options are wrong
A · A business impact analysis estimates the consequences of disruption to processes and assets; it does not trace findings back to the underlying process failures that caused them.
B · Retesting confirms whether findings were remediated; it verifies fixes but does not identify the systemic process weaknesses behind the vulnerabilities.
C · Rescoring with CVSS reprioritizes findings by severity; it changes ranking but never reveals the root process failures or translates findings into mitigations.
RCA translates findings into mitigations and surfaces process failures, not just patches (NIST SP 800-115; PTES Reporting)
1.2 Legal and ethical considerations (risk to the client)
A scoping discussion centers on protecting a fragile production environment from availability impact during active testing. Which approach best reduces the risk that testing degrades production systems?
Answer
Correct answer: A · Test off-hours on duplicate non-production systems
Performing testing off-hours and on duplicates of production systems is a recommended way to minimize the risk that assessment techniques affect production availability.
Why the other options are wrong
B · Running intrusive tests at peak hours maximizes the chance of disrupting live operations; that raises rather than reduces the risk to production availability.
C · Skipping exploitation altogether would prevent validating real risk; the goal is to manage impact through scheduling and duplicates, not to abandon the test's purpose.
D · Choosing black-box over white-box concerns how much information the tester has, not how testing load affects production; it does not inherently reduce availability impact.
Off-hours testing and duplicate/non-production systems reduce production impact (NIST SP 800-115; PTES Pre-engagement)
A client runs virtual machines on Infrastructure as a Service and asks who must apply operating system updates and security patches to those instances when scoping the assessment. Under the shared responsibility model for IaaS, which party holds that duty?
Answer
Correct answer: C · The customer (cloud tenant)
In IaaS the customer manages the guest operating system, including updates and security patches, along with the applications it installs on the instances.
Why the other options are wrong
A · In IaaS the provider secures the underlying infrastructure but not the guest operating system; OS patching of customer instances is not the provider's duty.
B · The testing firm assesses the systems within scope; it never assumes operational responsibility for patching the client's virtual machines under the shared model.
D · IaaS does not auto-patch guest operating systems; assuming it does leaves instances unpatched, and the responsibility still rests with the customer tenant.
In IaaS the customer patches the guest OS; provider secures infrastructure (AWS Shared Responsibility Model; Microsoft Azure)
1.2 Legal and ethical considerations (authorization; third parties)
An in-scope application is hosted on a third-party cloud platform. The client has signed an authorization to test, but the assets run on infrastructure the client does not own. Before testing the hosted assets, what must the tester do?
Answer
Correct answer: B · Obtain separate authorization from the cloud hosting provider
Because the client does not own the hosting infrastructure, the cloud provider must be alerted and must grant permission, often via its own testing policy or request form.
Why the other options are wrong
A · The client cannot speak for its third-party providers; their authorization does not automatically extend to the hosting provider's infrastructure and systems.
C · Cloud-hosted assets can be tested once proper permission is obtained; excluding them outright is unnecessary and misstates how third-party authorization works.
D · Notifying the ISP does not satisfy the hosting provider's authorization requirement, and beginning before the provider grants permission risks legal and policy violations.
Third-party/cloud-hosted assets require the provider's own authorization (PTES Pre-engagement; AWS Penetration Testing Policy)
1.3 Collaboration and communication (articulation of risk and business impact)
A stakeholder asks the lead tester to frame the engagement's primary value during a kickoff. Which statement best captures the fundamental purpose of a penetration test?
Answer
Correct answer: D · Identify the business risk that attacks pose
The fundamental purpose is to identify the business risk associated with attacks and translate findings into risk mitigation that improves security posture.
Why the other options are wrong
A · A penetration test should not be a confrontational contest to show the tester can hack; framing it that way undermines the engagement's real, business-focused purpose.
B · Total compromise is not an end in itself; pursuing it without regard to scope and impact ignores the goal of informing business risk decisions.
C · Assessments are not meant to take the place of implementing and maintaining security controls; a test evaluates controls, it does not replace them.
Pentest purpose = identify business risk, not prove hacking or replace controls (PTES Pre-engagement; NIST SP 800-115)
1.4 Penetration test reports (structure and audiences)
When planning the deliverable, the team structures the report so it communicates objectives, methods, and results to the different readers who will receive it. Which combination of audiences should a complete penetration test report be written to serve?
Answer
Correct answer: A · Both executive management and technical staff
A good report appeals to both executive management and technical staff, splitting into an executive summary and a detailed findings section for those distinct audiences.
Why the other options are wrong
B · Legal counsel may review confidentiality terms, but the report is not written solely for them; it must reach both leadership and the technical remediation team.
C · SOC analysts are one technical audience, but a complete report also has to communicate business impact to executives, so this excludes a required audience.
D · Regulators may consume results for compliance, but the report's two major sections are designed for management and technical staff, not auditors alone.
Report is structured in two sections for executive and technical audiences (OWASP WSTG; PTES Reporting)
About this domain
Engagement Management is the professional scaffolding around every penetration test: agreeing what is in scope, staying inside the law, talking to the client, and writing a report they can act on. On PT0-003 it carries 13% of your score, and the questions reward judgment over tooling — knowing when to pause and escalate, what a rule of engagement actually permits, and how to frame risk for an executive.
The domain opens with pre-engagement activities — defining scope and target selection, drafting the rules of engagement, choosing the right assessment type (red team, goal-based, objective-based, web, mobile, cloud), and understanding the shared-responsibility model for cloud targets. It then covers the legal and ethical guardrails: authorization, third-party considerations, and managing risk to the client.
Collaboration and communication tie it together — articulating risk and business impact, performing root-cause analysis, and knowing when to trigger a communication path. Finally, the penetration test report: its structure, its audiences, the executive summary, and writing findings with clear, prioritized remediation. The questions below mirror that scenario-driven style.
What Domain 1 covers
1.1 Summarize pre-engagement activities (scope, rules of engagement, assessment types)
1.2 Explain the legal and ethical considerations of a penetration test
1.3 Given a scenario, perform collaboration and communication activities
1.4 Explain the components and structure of a penetration test report
Domain 1 quick glossary
The terms that show up most on Domain 1 questions — one line each.
Rules of engagement: The agreed boundaries of a test — targets, timing, techniques, and escalation paths — that keep the engagement authorized and safe.
Scope: The explicit set of in-bounds systems, networks, and applications a tester is authorized to assess; anything outside it is off-limits.
Shared responsibility: The cloud model dividing security duties between provider and customer, which shapes what a tester may legally probe.
Goal-based assessment: An engagement defined by an objective (e.g., reach domain admin or a crown-jewel asset) rather than broad coverage.
Executive summary: The non-technical opening of a report that frames business risk and impact for leadership in plain language.
Root-cause analysis: Identifying the underlying weakness behind a finding so remediation fixes the cause, not just the symptom.
Authorization: Written permission from the asset owner that makes testing legal; testing without it is a crime.