The exam frequently tests the sequence of events in a penetration test. The rules of engagement are always established and documented before any testing begins — not after, not during, not "when it becomes relevant."
What the rules of engagement contain (exam checklist):
- Type of testing authorized (external, internal, physical, social engineering)
- Permitted timing (hours, days of week)
- In-scope systems (specific IPs, ranges, domains)
- Out-of-scope systems (explicitly excluded)
- Emergency contacts (both the testing team and the client)
- Sensitive data handling procedures
Out-of-scope trap: A common exam question describes a tester who reaches an out-of-scope system via an in-scope entry point and asks what they should do. The answer is always: stop, document the finding (the path itself is a vulnerability), contact the emergency contact, do not proceed. Reaching an out-of-scope system from an in-scope system does not authorize testing the out-of-scope system.
The exam tests the ability to match a described scenario to the correct phase. The phases are not strictly sequential — lateral movement and pivoting can interleave — but knowing the defining characteristic of each phase eliminates wrong answers.
Identifying characteristics for each phase:
- Initial exploitation — the first foothold; getting into the network from outside; no prior access existed. Keywords: "first access," "initial foothold," "bypassing perimeter."
- Lateral movement — using the foothold to reach additional internal systems on the same accessible network. Keywords: "credential reuse," "pass-the-hash," "moving from system to system," "spreading through internal network."
- Persistence — establishing mechanisms that survive patching or session loss. Keywords: "backdoor," "new account," "scheduled task," "startup modification," "continues after patch applied."
- The pivot — using a compromised system to reach architecturally isolated systems not directly accessible. Keywords: "unreachable network," "relay," "proxy," "routing through," "bypassing VLAN or firewall separation."
Persistence vs. Lateral Movement confusion: Persistence is about surviving loss of access (backward-looking — maintaining what was gained). Lateral movement is about expanding access (forward-looking — reaching new systems). Creating a backdoor account is persistence; using stolen credentials to log into a new server is lateral movement.
The exam frequently presents a scenario where an organization patches the vulnerability used by an attacker (or pen tester) and asks whether the threat is eliminated. The answer is: not if persistence was established.
Why patching is not enough:
- Persistence mechanisms (backdoor accounts, scheduled tasks, web shells, startup scripts, remote access tools) operate independently of the original vulnerability
- Closing the door does not remove the spare key someone left behind inside
- A well-established persistence mechanism can survive reboots, user password changes, and even re-imaging if the attacker has access to the Active Directory or backup infrastructure
Complete post-breach remediation requires:
- Identify and remove all unauthorized accounts
- Review and reset all service account credentials
- Audit all startup services and scheduled tasks against a known-good baseline
- Scan web server directories for web shells
- Review network connections for unauthorized outbound callbacks
- Only after all persistence is confirmed removed: patch the original vulnerability
The exam tests whether candidates understand that public disclosure happens after the patch is available, not before or simultaneously with discovery.
The four-step sequence to memorize in order:
- Researcher privately reports — to the vendor, through defined channel; no public disclosure yet
- Vendor creates a fix — investigate, develop, test the patch; up to 90 days (industry norm)
- Patch deployed — distributed to users; coordinated with major platforms
- Public disclosure — vulnerability details + CVE published; simultaneous with patch availability; researcher credited
Wrong answer patterns on the exam:
- "Researcher discloses publicly immediately" — wrong; this is full disclosure, not responsible disclosure, and gives attackers a window with no available fix
- "Researcher sells the vulnerability" — wrong; this is exploit brokering, not responsible disclosure
- "Vendor patches before the researcher is notified" — wrong order; researcher notifies first
Bug bounty adds to, not replaces, responsible disclosure: Bug bounty programs follow the same sequence but add financial compensation. The disclosure process is identical.