
PT0-003 · Question #174

PT0-003 Question #174: Real Exam Question with Answer & Explanation

The correct answer is D: The tester is creating a threat model.

Submitted by certguy · Mar 6, 2026 · Engagement management

Question

Which of the following explains the reason a tester would opt to use DREAD over PTES during the planning phase of a penetration test?

Options

  • A. The tester is conducting a web application test.
  • B. The tester is assessing a mobile application.
  • C. The tester is evaluating a thick client application.
  • D. The tester is creating a threat model.

Explanation

DREAD vs. PTES Explanation

D is correct because DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) is a risk scoring/threat modeling framework used to prioritize and quantify threats, making it the natural choice when a tester needs to build a threat model during the planning phase - not a methodology for conducting the test itself.

Options A, B, and C are incorrect because web application testing, mobile application testing, and thick client testing all describe the type of target being tested, not a planning activity. PTES (Penetration Testing Execution Standard) is a comprehensive methodology that guides how to conduct a penetration test across many target types - it doesn't specifically address threat modeling or risk scoring. Choosing between DREAD and PTES is about the activity, not the target.

Memory Tip: Think of the acronym DREAD as a tool to "dread" the worst threats first - it scores and ranks risks, which is exactly what you do when building a threat model. If you're modeling threats, you reach for DREAD; if you're executing a pentest, you reach for PTES.

Topics

#Threat Modeling #DREAD #Penetration Testing Planning #Risk Assessment
