Exam PT0-002
Question 30

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.

Which of the following is most important for the penetration tester to define FIRST?

    Correct Answer: B

    The most important task for the penetration tester to define first is the threshold of risk to escalate to the client immediately. The question states that the client will defer all findings except critical issues until after the service is public, so critical issues are the only ones that must be fixed before launch. It is therefore crucial to agree up front on what constitutes a critical issue and on the level of risk that triggers an immediate notification, rather than waiting for the single end-of-engagement report the client has asked for. This ensures that severe vulnerabilities are communicated and mitigated before the service goes live, protecting the client's new service and its users.

Discussion
RRabbit (Option: B)

B. Establish the threshold of risk to escalate to the client immediately. The most important thing for the penetration tester to define first is the threshold of risk to escalate to the client immediately. The client has stated that it wants to fix any findings, except for critical issues, after the service is made public. Therefore, it's important for the penetration tester to establish with the client the level of risk that would warrant an immediate escalation, so that the client can take action to fix the issue before the service is made public. This will help to mitigate the impact of any potential vulnerabilities on the new service and its users. Establishing the format required by the client (Option A) and the method of potential false positives (Option C) are important as well, but they are secondary to the threshold of risk escalation. Establishing the preferred day of the week for reporting (Option D) is also important, but it is not as critical as establishing the threshold of risk escalation.

deeden

Agree with option B. However, I don't get why anyone would opt not to fix critical issues first?

e7cde6e

They are fixing the critical issues first. The other issues they are willing to fix AFTER the release.

KeToopStudy (Option: B)

The requirement of the client makes it clear that it needs the critical vulnerabilities to be reported a.s.a.p. so that it is able to fix them before the launch date if possible.

Neo12334 (Option: B)

"except for critical issues" in the question makes me think B.

Mr_BuCk3th34D

I agree, I need to understand what the customer considers critical before anything else, because that's what we will have to report to be fixed before the product launch, in other words, prioritization.

nickwen007 (Option: B)

The most important thing for the penetration tester to define first is B. Establish the threshold of risk to escalate to the client immediately. This will ensure that any findings that need to be fixed urgently are communicated to the client right away, and all other findings can be reported in a single report at the end of the assessment.

[Removed]

What do you think about question 28?

kloug

bbbbbbbbbbbbbbbb

Etc_Shadow28000 (Option: B)

B. Threshold of Risk: Since the client is planning to fix only critical issues before making the service public and the rest after, it is crucial to define what constitutes a “critical issue” and the threshold at which findings must be escalated immediately. This ensures that any severe vulnerabilities that could jeopardize the service’s security are addressed promptly. Analysis of Other Options: A. Establish the format required by the client: While important, the format of the report is secondary to understanding the criticality of issues that need immediate attention. C. Establish the method of potential false positives: Handling false positives is important for accurate reporting, but it comes after ensuring critical issues are promptly identified and escalated. D. Establish the preferred day of the week for reporting: Regular reporting is necessary, but it is more important to know when to escalate critical issues outside of regular reporting schedules.

beamage (Option: A)

Critical on the CVSS score is 9-10; it states CRITICAL.

[Removed]

B is the answer; your answer is wrong.

masso435 (Option: D)

Answer is D.