1 | P a g e | © copyright 2024/2025 | Grade A+
Penetration Testing and
Vulnerability Analysis - D332
Questions and Answers (100% Pass)
How do you calculate Risk?
✓ Risk = Threat x Vulnerability
Describe unified threat management (UTM)
✓ All-in-one security appliances and agents that combine the functions
of a firewall, malware scanner, intrusion detection, vulnerability
scanner, data loss prevention, content filtering, and so on.
Describe OWASP
✓ Open Web Application Security Project: A framework for testing during
each phase of the development cycle. Publishes a Top Ten
vulnerabilities list, with a focus on Web Applications.
Describe NIST
Master01 | October, 2024/2025 | Latest update
, 1 | P a g e | © copyright 2024/2025 | Grade A+
✓ United States (U.S.) National Institute of Standards and Technology
(NIST): Develops computer security standards used by US federal
agencies and publishes cybersecurity best practice guides and
research.
What is NIST SP 800-115?
✓ "Technical Guide to Information Security Testing and Assessment."
Describe OSSTMM
✓ Open-source Security Testing Methodology Manual (OSSTMM): this
manual outlines every area of an organization that needs testing, as
well as goes into details about how to conduct the relevant tests.
OSSTMM doesn't provide the tools needed to accomplish a complete
PenTesting exercise, but it does cover other areas, such as Human Security
and Physical Security testing.
Describe ISSAF
Master01 | October, 2024/2025 | Latest update
, 1 | P a g e | © copyright 2024/2025 | Grade A+
✓ Information Systems Security Assessment Framework (ISSAF): Open
Source .rar file, a collection of 14 documents related to Pen Testing
(incldues includes a Security Assessment Contract, Request for Proposal
and Reporting templates)
Describe PTES
✓ Penetration Testing Execution Standard (PTES) has seven main sections
that provide a comprehensive overview of the proper structure of a
complete PenTest. ex. pre-engagement interactions, threat modeling,
vulnerability analysis, exploitation, and reporting.
Explain MITRE ATT&CK
✓ ATT&CK (Adversarial Tactics, Techniques & Common Knowledge): non-
profit, sponsored by US-CERT and DHS, containing specific adversary
tactics, techniques, and procedures
Explain CVSS
✓ Common Vulnerability Scoring System (CVSS): A risk management
approach to quantifying vulnerability data and then taking into
account the degree of risk to different types of systems or information.
Explain CVE
Master01 | October, 2024/2025 | Latest update
, 1 | P a g e | © copyright 2024/2025 | Grade A+
✓ Common Vulnerabilities and Exposures (CVE): The information in a
CVSS is fed into a CVE, with the format CVE-[YEAR]-[NUMBER] and an
explanation of the vulnerability. CVE = SPECIFIC vulnerabilities o
particular products. Most CVEs contain links to the NVD (National
Vulnerability Database) where you can find out more info about the
vulnerabilities.
Explain CWE
✓ Common Weakness Enumeration (CWE): MITRE Database of hardware
and software weaknesses. CWE = dictionary of software-related
vulnerabilities that details software & hardware weaknesses.
What are important considerations when PenTesting a company's web
applications and services?
✓ The client will provide a percentage / discrete value of total number of
web pages or forms that require user interaction to test.
The team should obtain a variety of roles and permissions so each role can
be tested (user, etc.)
What are examples of assets when determining scope of the test?
Master01 | October, 2024/2025 | Latest update
Penetration Testing and
Vulnerability Analysis - D332
Questions and Answers (100% Pass)
How do you calculate Risk?
✓ Risk = Threat x Vulnerability
Describe unified threat management (UTM)
✓ All-in-one security appliances and agents that combine the functions
of a firewall, malware scanner, intrusion detection, vulnerability
scanner, data loss prevention, content filtering, and so on.
Describe OWASP
✓ Open Web Application Security Project: A framework for testing during
each phase of the development cycle. Publishes a Top Ten
vulnerabilities list, with a focus on Web Applications.
Describe NIST
Master01 | October, 2024/2025 | Latest update
, 1 | P a g e | © copyright 2024/2025 | Grade A+
✓ United States (U.S.) National Institute of Standards and Technology
(NIST): Develops computer security standards used by US federal
agencies and publishes cybersecurity best practice guides and
research.
What is NIST SP 800-115?
✓ "Technical Guide to Information Security Testing and Assessment."
Describe OSSTMM
✓ Open-source Security Testing Methodology Manual (OSSTMM): this
manual outlines every area of an organization that needs testing, as
well as goes into details about how to conduct the relevant tests.
OSSTMM doesn't provide the tools needed to accomplish a complete
PenTesting exercise, but it does cover other areas, such as Human Security
and Physical Security testing.
Describe ISSAF
Master01 | October, 2024/2025 | Latest update
, 1 | P a g e | © copyright 2024/2025 | Grade A+
✓ Information Systems Security Assessment Framework (ISSAF): Open
Source .rar file, a collection of 14 documents related to Pen Testing
(incldues includes a Security Assessment Contract, Request for Proposal
and Reporting templates)
Describe PTES
✓ Penetration Testing Execution Standard (PTES) has seven main sections
that provide a comprehensive overview of the proper structure of a
complete PenTest. ex. pre-engagement interactions, threat modeling,
vulnerability analysis, exploitation, and reporting.
Explain MITRE ATT&CK
✓ ATT&CK (Adversarial Tactics, Techniques & Common Knowledge): non-
profit, sponsored by US-CERT and DHS, containing specific adversary
tactics, techniques, and procedures
Explain CVSS
✓ Common Vulnerability Scoring System (CVSS): A risk management
approach to quantifying vulnerability data and then taking into
account the degree of risk to different types of systems or information.
Explain CVE
Master01 | October, 2024/2025 | Latest update
, 1 | P a g e | © copyright 2024/2025 | Grade A+
✓ Common Vulnerabilities and Exposures (CVE): The information in a
CVSS is fed into a CVE, with the format CVE-[YEAR]-[NUMBER] and an
explanation of the vulnerability. CVE = SPECIFIC vulnerabilities o
particular products. Most CVEs contain links to the NVD (National
Vulnerability Database) where you can find out more info about the
vulnerabilities.
Explain CWE
✓ Common Weakness Enumeration (CWE): MITRE Database of hardware
and software weaknesses. CWE = dictionary of software-related
vulnerabilities that details software & hardware weaknesses.
What are important considerations when PenTesting a company's web
applications and services?
✓ The client will provide a percentage / discrete value of total number of
web pages or forms that require user interaction to test.
The team should obtain a variety of roles and permissions so each role can
be tested (user, etc.)
What are examples of assets when determining scope of the test?
Master01 | October, 2024/2025 | Latest update
