312-50V10 · Question #704
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name.
The correct answer is A. Reconnaissance. With only a company name provided and no prior information, the mandatory first phase of any penetration test is Reconnaissance - gathering publicly available data about the target before any active probing begins.
Question
Your team has won a contract to infiltrate an organization. The company wants to have the attack be as realistic as possible; therefore, they did not provide any information besides the company name. What should be the first step in security testing the client?
Options
- AReconnaissance
- BEscalation
- CScanning
- DEnumeration
How the community answered
(25 responses)- A92% (23)
- C4% (1)
- D4% (1)
Why each option
With only a company name provided and no prior information, the mandatory first phase of any penetration test is Reconnaissance - gathering publicly available data about the target before any active probing begins.
Reconnaissance is the foundational first phase of the penetration testing lifecycle, where testers collect open-source and passive information about the target such as domain registrations, IP ranges, employee names, and technology stacks. Without this phase, subsequent steps like scanning and enumeration have no defined scope or targets to work with.
Privilege escalation occurs deep into the attack chain, after initial access has already been established, making it impossible as a first step.
Scanning actively probes systems for open ports and services using tools like Nmap, but requires target IP addresses or hostnames that are only identified during prior reconnaissance.
Enumeration extracts detailed resource information from already-discovered services and requires active hosts and open ports to have been identified first through scanning.
Concept tested: Penetration testing lifecycle - reconnaissance as first phase
Source: http://www.pentest-standard.org/index.php/Intelligence_Gathering
Topics
Community Discussion
No community discussion yet for this question.