CISSP · Question #635
Which of the following is a PRIMARY challenge when running a penetration test?
The correct answer is D. Determining the depth of coverage. Penetration testing requires careful scoping decisions that balance thoroughness against time, cost, and risk. Determining the depth of coverage is a primary operational challenge because it directly affects the validity and usefulness of the test results.
Question
Which of the following is a PRIMARY challenge when running a penetration test?
Options
- ADetermining the cost
- BEstablishing a business case
- CRemediating found vulnerabilities
- DDetermining the depth of coverage
How the community answered
(17 responses)- A18% (3)
- B6% (1)
- C6% (1)
- D71% (12)
Why each option
Penetration testing requires careful scoping decisions that balance thoroughness against time, cost, and risk. Determining the depth of coverage is a primary operational challenge because it directly affects the validity and usefulness of the test results.
Cost determination is an administrative and procurement concern handled before the engagement begins, not a technical or operational challenge encountered during the execution of a penetration test.
Establishing a business case is a pre-engagement management activity used to justify the test to stakeholders, and while important, it occurs before the test runs and is not a challenge intrinsic to conducting the penetration test itself.
Remediation of found vulnerabilities is a post-engagement activity performed by the target organization's teams after the report is delivered, and it falls outside the scope of running the penetration test itself.
Determining the depth of coverage is a primary challenge because penetration testers must decide how far to pursue an exploit chain, which systems are in scope, and how deeply to probe without causing outages or exceeding authorization boundaries. Insufficient depth yields false assurance, while excessive depth risks system damage or legal liability. This scoping decision fundamentally shapes the value and safety of the entire engagement.
Concept tested: Penetration testing scope and depth of coverage challenges
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.