nerdexam
(ISC)2

CISSP · Question #635

Which of the following is a PRIMARY challenge when running a penetration test?

The correct answer is D. Determining the depth of coverage. Penetration testing requires careful scoping decisions that balance thoroughness against time, cost, and risk. Determining the depth of coverage is a primary operational challenge because it directly affects the validity and usefulness of the test results.

Submitted by emma.c· Mar 5, 2026Security Assessment and Testing

Question

Which of the following is a PRIMARY challenge when running a penetration test?

Options

  • ADetermining the cost
  • BEstablishing a business case
  • CRemediating found vulnerabilities
  • DDetermining the depth of coverage

How the community answered

(17 responses)
  • A
    18% (3)
  • B
    6% (1)
  • C
    6% (1)
  • D
    71% (12)

Why each option

Penetration testing requires careful scoping decisions that balance thoroughness against time, cost, and risk. Determining the depth of coverage is a primary operational challenge because it directly affects the validity and usefulness of the test results.

ADetermining the cost

Cost determination is an administrative and procurement concern handled before the engagement begins, not a technical or operational challenge encountered during the execution of a penetration test.

BEstablishing a business case

Establishing a business case is a pre-engagement management activity used to justify the test to stakeholders, and while important, it occurs before the test runs and is not a challenge intrinsic to conducting the penetration test itself.

CRemediating found vulnerabilities

Remediation of found vulnerabilities is a post-engagement activity performed by the target organization's teams after the report is delivered, and it falls outside the scope of running the penetration test itself.

DDetermining the depth of coverageCorrect

Determining the depth of coverage is a primary challenge because penetration testers must decide how far to pursue an exploit chain, which systems are in scope, and how deeply to probe without causing outages or exceeding authorization boundaries. Insufficient depth yields false assurance, while excessive depth risks system damage or legal liability. This scoping decision fundamentally shapes the value and safety of the entire engagement.

Concept tested: Penetration testing scope and depth of coverage challenges

Source: https://csrc.nist.gov/publications/detail/sp/800-115/final

Topics

#Penetration testing#Pen test scope#Security assessment challenges

Community Discussion

No community discussion yet for this question.

Full CISSP Practice