CompTIA PenTest+ domain 1: Planning and scoping
Pentesting planning and scoping
Pen tests are complex exercises, and proper planning and scoping are essential for their success. A penetration tester needs to know why they’re performing the assessment, how they’re going about it and the customer’s expectations during and after the exercise.
Planning and scoping career skills
The topics covered in the PenTest+ exam cover a few different knowledge and skill areas.
Some of how the knowledge from this domain can be applied to other areas of cybersecurity include:
- Governance, risk and compliance (GRC): This domain tests knowledge of common regulations and other legal concepts. Corporate security programs must implement required security controls for applicable regulations, which touch all areas of cybersecurity.
- Cybersecurity frameworks: In this domain, candidates are tested on their knowledge of various cybersecurity standards and methodologies. These resources are equally applicable to developing cybersecurity defenses.
- Threat analysis: Pen tests are often designed to maximize value by focusing on high-risk threats to an organization. The ability to perform risk assessments and threat analysis are invaluable for threat hunting and the design of defensive security architectures.
What’s covered in PenTest+ domain 1 of the exam?
Domain 1 of the CompTIA PenTest+ examination is designed to ensure that a pentester starts an assessment from the right place. This domain accounts for 14% of a candidate’s score on an exam with a maximum of 85 questions. It is broken up into the following three sections.
Compare and contrast governance, risk, and compliance concepts
Organizations commonly engage penetration testers as part of their compliance management process. A penetration test can help to identify gaps in an organization’s security controls and compliance strategy. Penetration testers may need to be familiar with applicable regulations to evaluate corporate security. At the same time, penetration testers are also bound by other legal restrictions when performing an attack.
PenTest+ tests a candidate’s knowledge of the following topics:
- Regulatory compliance considerations: penetration testers should have familiarity with common regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).
- Location restrictions: different jurisdictions have different laws, and penetration testers are bound by these laws when working within a certain jurisdiction. For example, testers operating within the EU or evaluating companies’ systems with EU citizens as customers are bound by GDPR.
- Legal concepts: during and after a penetration testing engagement, a tester may be bound by certain legal agreements such as a Service Level Agreement (SLA) and Non-Disclosure Agreement (NDA).
- Permission to attack: Penetration testers should only evaluate the security of an organization’s systems if they have permission to attack under a penetration testing agreement, bug bounty program, etc.
Explain the importance of scoping and organizational/customer requirements
While cyber threat actors may have no restrictions on their attacks, penetration tests commonly operate under rules of engagement and strict scope limits. This helps ensure that the client’s systems remain operational throughout the test and focus the assessment on particular threats or systems.
The PenTest+ exam covers a few different topics regarding scoping and assessment planning, including:
- Standards and methodologies: multiple standards and methodologies exist to help with developing a strategy and scope for a penetration testing engagement. Examples include the MITRE ATT&CK framework, OWASP Top Ten list and NIST standards.
- Rules of engagement: defining the rules of engagement is essential for a penetration test. Before an exercise begins, all parties should agree on when and how the testers can evaluate the target’s security and any other necessary restrictions.
- Environmental considerations: when planning a penetration test, the details of an organization’s environment may affect the strategy and rules of engagement. For example, some cloud service providers will not allow port and vulnerability scans against resources hosted on their platforms.
- Target list/in-scope assets: the pentest scope should include a list of the in-scope assets and targets. This can be defined as IP ranges, domains, networks or network segments etc.
- Validate scope of engagement: before the penetration test begins, both the tester and the client should be clear on the scope and plan for the assessment. Both parties should jointly review contracts and develop timelines to help avoid misunderstandings.
Given a scenario, demonstrate an ethical hacking mindset by maintaining professionalism and integrity
Penetration testers are tasked with using the tools, techniques and procedures of cyber threat actors to identify security issues in a customer environment before they can be exploited in a real attack. With this comes a great deal of trust on behalf of the customer that the penetration tester will act legally and ethically.
The PenTest+ exam tests a candidate’s knowledge of acting appropriately and ethically throughout the penetration testing process. This includes properly vetting potential team members, monitoring for and reporting criminal activity and only performing pentesting actions within the scope of a valid contract.
For more information on the PenTest+ exam, see the full CompTIA PenTest+ (PT0-002) exam objectives.
- CompTIA PenTest+, CompTIA
- CompTIA PenTest+ Certification Exam Objectives, CompTIA
- CompTIA PenTest+: Everything you need to know about the exam, Infosec Edge