CompTIA PenTest+ (PT0-003) — Question 74
A company hires a penetration tester to perform an external attack surface review as part of a security engagement. The company informs the tester that the main company domain to investigate is comptia.org. Which of the following should the tester do to accomplish the assessment objective?
Answer options
- A. Perform information-gathering techniques to review internet-facing assets for the company.
- B. Perform a phishing assessment to try to gain access to more resources and users’ computers.
- C. Perform a physical security review to identify vulnerabilities that could affect the company.
- D. Perform a vulnerability assessment over the main domain address provided by the client.
Correct answer: A
Explanation
A is correct: an external attack surface review aims to identify and review the company's internet-facing assets, and information-gathering techniques are how the tester does that. Options B, C, and D focus instead on phishing, physical security, and vulnerability assessment, respectively; none of these is the primary objective of an external attack surface review.