Skip to content

Graded Quiz: Penetration Testing: Reporting Phase :Penetration Testing, Threat Hunting, and Cryptography (IBM Cybersecurity Analyst Professional Certificate) Answers 2025

1. Question 1

Which testing should be performed while the application is running?

  • ❌ IAST

  • Dynamic Application Security Testing (DAST)

  • ❌ SAST

  • ❌ Mobile Application Testing

Explanation:
DAST tests applications in runtime, simulating external attacks.

2. Question 2

What should an organization implement to strengthen authentication?

  • ❌ Removing session tokens after login

  • ❌ Allowing password reuse

  • ❌ Strong passwords only

  • Multifactor authentication (MFA)

Explanation:
MFA drastically reduces unauthorized access by requiring multiple verification factors.

3. Question 3

Primary benefit of automated scanning tools:

  • ❌ Replace manual reviews

  • ❌ Eliminate all processes

  • Provide instant feedback on vulnerabilities

  • ❌ Complicate workflow

Explanation:
DevSecOps uses automated scanners for fast, continuous feedback.

4. Question 4

Why embed penetration testing in repo scanning?

  • ❌ Only a recommendation

  • ❌ To eliminate all vulnerabilities

  • To enhance security posture & safeguard development

  • ❌ Speed up development lifecycle

Explanation:
Embedding testing ensures new commits/features do not introduce vulnerabilities.

5. Question 5

Primary goal of using Wireshark during slow network troubleshooting:

  • ❌ Send sensitive info

  • ❌ Change protocols

  • ❌ Launch DoS attack

  • Analyze captured data for performance bottlenecks

Explanation:
Wireshark helps identify latency, packet loss, retransmissions, etc.

6. Question 6

Best method to stay updated on vulnerabilities in dependencies:

  • ❌ Limit software usage

  • ❌ Ignore updates

  • Regular scans with OWASP Dependency-Check

  • ❌ Manual reviews

Explanation:
Dependency scans automatically detect known CVEs in project libraries.

7. Question 7

Best tool to explore network, discover services, find vulnerabilities:

  • ❌ ZenMap

  • Nmap

  • ❌ Metasploit

  • ❌ Wireshark

Explanation:
Nmap is the industry-standard for host discovery and port/service scanning.

8. Question 8

Best PCAP format for detailed multi-interface capture:

  • ❌ Npcap

  • Pcapng

  • ❌ Libpcap

  • ❌ Pcap

Explanation:
Pcapng supports enhanced features like multi-interface capture, comments, and metadata.

9. Question 9

What to do after a patch is applied?

  • ❌ Trust vendor blindly

  • ❌ Run full pen test again

  • ❌ Wait months

  • Recommend targeted assessment of the patched vulnerability

Explanation:
A focused re-test ensures the vulnerability is truly fixed.

10. Question 10

Client asks about retention period of the pen test report:

  • ❌ Share with anyone

  • ❌ Keep indefinitely

  • ❌ Never destroy

  • Retention period is defined in the penetration testing agreement

Explanation:
Data retention is part of the contractual terms.

🧾 Summary Table

Q Correct Answer Key Concept
1 DAST Tests running apps
2 MFA Strengthens authentication
3 Instant feedback Automated scanning benefit
4 Enhance security Repo scanning + pentest
5 Analyze bottlenecks Wireshark purpose
6 Dependency scanning OWASP dependency-check
7 Nmap Network discovery
8 Pcapng Best capture format
9 Targeted re-test Validate patch
10 Defined in agreement Report retention