
CompTIA PT0-003 Sample Questions with Explanations

CompTIA PT0-003 sample questions with explanations, traps, topic labels, and IT Mastery route links.

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for CompTIA PenTest+ (PT0-003) topics such as authorization, scoping, reconnaissance, vulnerability validation, exploitation safety, post-engagement cleanup, reporting, and remediation communication.

Where these questions fit in the PT0-003 guide

The sample set below is part of the CompTIA PT0-003 guide path:

PT0-003 penetration testing sample questions

Work through each prompt before opening the explanation. PT0-003 questions usually reward authorized, scoped, low-disruption testing with evidence-based validation and useful remediation.


Question 1

Topic: Scope boundary during testing

During an authorized assessment, a tester discovers an adjacent system that appears vulnerable but is not listed in the signed rules of engagement. What should the tester do?

  • A. Test the system immediately because it is related to the target environment.
  • B. Exploit the system only if the vulnerability looks easy to confirm.
  • C. Stop testing that system, document the observation, and request written scope clarification or authorization before proceeding.
  • D. Delete all notes about the system because it is out of scope.

Best answer: C

Explanation: PenTest+ consistently rewards authorization and scope discipline. Adjacent assets are not fair game unless written scope is updated or clarified.

Why the other choices are weaker:

  • A and B test a system that the signed rules of engagement do not cover, which is unauthorized activity regardless of how related the system looks or how easy the vulnerability seems to confirm.
  • D discards the observation, so the client never learns about the exposure and the tester cannot document why the system was left untested.

What this tests: authorization, rules of engagement, scope control, documentation, and escalation.

Related topics: Scope; Authorization; Rules of engagement; Ethics


Question 2

Topic: Validating scanner output

A vulnerability scanner reports a critical finding on a production web server. The report is noisy, and the client requires evidence before remediation work begins. What should the tester do next?

  • A. Report the scanner result as confirmed without further review.
  • B. Ignore the finding because scanners are never reliable.
  • C. Validate the finding safely using approved methods, gather evidence, and avoid disruptive exploitation unless explicitly authorized.
  • D. Launch denial-of-service testing to prove impact by taking the service offline.

Best answer: C

Explanation: Scanner output is a lead, not proof. The best answer validates safely, preserves evidence, and respects authorization and disruption limits.

Why the other choices are weaker:

  • A reports an unvalidated scanner result as confirmed, which overstates confidence and risks a false positive reaching the remediation queue.
  • B dismisses a useful signal without analysis; scanners produce leads that need validation, not blanket rejection.
  • D takes a production service offline to prove impact; denial-of-service testing is disruptive and acceptable only when the rules of engagement explicitly authorize it.

What this tests: vulnerability validation, evidence, false positives, safe testing, and production impact.

Related topics: Validation; Evidence; Scanner results; Safety
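Questions 1 and 2 both come down to the same check a tester performs before touching anything: is the target inside the signed scope, and is the planned activity within the disruption level the rules of engagement allow? The script below is an added example, not material from the page, the exam, or any CompTIA source. It encodes a scope list and a disruption ceiling, decides whether an activity may proceed, must hold for explicit authorization, or must stop because the target is out of scope, and packages a validation result as an evidence record for the report. The networks, hostnames, findings, and disruption levels are constructed for illustration.

```python
"""Scope and disruption gate for a penetration test (illustrative example only).

Constructed example: the rules of engagement, the CIDRs, hostnames and
scanner findings below are invented for this page and do not describe any
real engagement.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Disruption levels in increasing order. Anything above the ROE ceiling needs
# explicit written authorization for that specific target before it is tried.
LEVELS = {"passive": 0, "safe-check": 1, "exploit": 2, "denial-of-service": 3}


@dataclass
class RulesOfEngagement:
    """Signed scope: in-scope networks and hostnames, the highest disruption
    level allowed by default, and per-target exceptions granted in writing."""
    networks: list[str]
    hostnames: set[str]
    max_level: str = "safe-check"
    explicit: set[tuple[str, str]] = field(default_factory=set)  # (target, level)

    def in_scope(self, target: str) -> bool:
        if target in self.hostnames:
            return True
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            return False  # an unlisted hostname is out of scope, full stop
        return any(addr in ipaddress.ip_network(n) for n in self.networks)


def decide(roe: RulesOfEngagement, target: str, level: str) -> str:
    """Return the action a tester should take for an activity at the given
    disruption level against the target."""
    if level not in LEVELS:
        raise ValueError(f"unknown disruption level: {level}")
    if not roe.in_scope(target):
        return "stop: out of scope, document and request written clarification"
    if LEVELS[level] <= LEVELS[roe.max_level] or (target, level) in roe.explicit:
        return "proceed"
    return "hold: needs explicit written authorization"


def evidence_record(target: str, check: str, raw_output: bytes, confirmed: bool) -> dict:
    """Package a validation result so the report can cite it: what was run,
    against what, when, and a hash of the raw output retained on file."""
    return {
        "target": target,
        "check": check,
        "captured_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(raw_output).hexdigest(),
        "status": "confirmed" if confirmed else "false positive",
    }


def triage(roe: RulesOfEngagement, findings: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Map each (target, claimed issue, level needed to validate) to a decision."""
    return [(target, issue, decide(roe, target, level)) for target, issue, level in findings]


# Constructed scanner output: target, claimed issue, and the disruption level
# of the check that would validate it.
SAMPLE_FINDINGS = [
    ("10.10.5.20", "Outdated TLS configuration (scanner, unvalidated)", "safe-check"),
    ("10.10.9.7", "Possible remote code execution on adjacent host", "exploit"),
    ("10.10.5.21", "Service may crash on malformed input", "denial-of-service"),
]

if __name__ == "__main__":
    roe = RulesOfEngagement(networks=["10.10.5.0/24"], hostnames={"app.internal.example"})
    for target, issue, action in triage(roe, SAMPLE_FINDINGS):
        print(f"{target:12} {issue:52} -> {action}")
```

Run as written, the first finding proceeds to safe validation, the second stops because 10.10.9.7 is outside the signed /24, and the third holds until a written exception for that host and level is added to `roe.explicit`. The evidence record carries a hash of the raw output rather than the output itself so the report can reference retained artifacts without embedding them.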


Question 3

Topic: Reporting for remediation

A tester confirmed weak access control in an internal application. The technical team needs to fix it, and executives need to understand business risk. What should the report include?

  • A. Only raw tool output and screenshots with no prioritization.
  • B. Exploit code first, with no business explanation.
  • C. A statement that all systems are secure because only one issue was confirmed.
  • D. Clear finding summary, affected scope, evidence, impact, risk rating, remediation guidance, and retest recommendation.

Best answer: D

Explanation: Penetration-test reporting must help different audiences act. Evidence, impact, remediation, and retest guidance turn technical findings into risk decisions.

Why the other choices are weaker:

  • A is not actionable enough.
  • B overfocuses on technique and underdelivers remediation value.
  • C makes an unsupported assurance claim.

What this tests: reporting, remediation, risk communication, evidence, and retesting.

Related topics: Reporting; Remediation; Risk; Evidence

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by CompTIA or any certification body.

Revised on Sunday, May 10, 2026