CompTIA PenTest+ (PT0-002) — Question 79

A new client hired a penetration-testing company for a month-long contract for various security assessments against the client's new service. The client is expecting to make the new service publicly available shortly after the assessment is complete and is planning to fix any findings, except for critical issues, after the service is made public. The client wants a simple report structure and does not want to receive daily findings.
Which of the following is most important for the penetration tester to define FIRST?

Answer options

• A. Establish the format required by the client.
• B. Establish the threshold of risk to escalate to the client immediately.
• C. Establish the method of potential false positives.
• D. Establish the preferred day of the week for reporting.

Correct answer: B

Explanation

The most critical aspect for the penetration tester to establish first is the threshold of risk to escalate to the client immediately, as this determines how urgent issues will be communicated during the testing phase. While the report format and other methods are important, they can be addressed after ensuring that critical vulnerabilities are communicated promptly to the client. Focusing on the escalation threshold ensures that the client is informed of significant risks that could impact their launch timeline.