CompTIA Security+ (SY0-501) — Question 222

A security program manager wants to actively test the security posture of a system. The system is not yet in production and has no uptime requirement or active user base.
Which of the following methods will produce a report which shows vulnerabilities that were actually exploited?

Answer options

• A. Peer review
• B. Component testing
• C. Penetration testing
• D. Vulnerability testing

Correct answer: C

Explanation

Penetration testing is designed to simulate real-world attacks and demonstrate how vulnerabilities can be exploited, thus providing a report that highlights actual exploitation. In contrast, peer review focuses on the evaluation of design and implementation without testing for exploitability, while component testing and vulnerability testing identify vulnerabilities but do not necessarily prove that they can be exploited.