Question 9 - Top CompTIA Pentest+ PT0-003 Real Exam Questions [March 2026 Update]

Q: 9

[Reporting and Communication] Which of the following elements of a penetration test report can be used to most effectively prioritize the remediation efforts for all the findings?

Options

Discussion

Olivia D. Feb 20, 2026 1:19 am

C. risk score is always used for prioritization. Detailed findings list doesn't actually rank the issues.

Nathan D. Feb 27, 2026 4:42 am

Option C solid question clarity here. Risk score lets you tackle what matters first.

Kevin Mar 2, 2026 10:27 am

Option C since risk score is literally meant for prioritizing which findings to fix first. A detailed list (B) just tells you what exists, not how urgent each one is. At least that's how I remember it from the study guides, but open to other interpretations if anyone disagrees.

Arjun Q. Mar 3, 2026 9:48 am

Maybe B, not C. I remember seeing practice questions trying to trip you up with the detailed findings list, since it shows all the discovered issues in one spot. Let me know if anyone thinks that’s off.

MethodicalSec20 Feb 22, 2026 4:38 pm

Isn't B just a list without priority? Wouldn't the risk score be more actionable for remediation?

Rowan X. Feb 19, 2026 6:31 pm

Probably C. The risk score is what lets you quickly figure out which findings need action first.

Quinn R. Feb 13, 2026 3:52 pm

Why does CompTIA keep asking these risk score questions, it's always C.

Sanjay T. Feb 17, 2026 11:24 pm

Its C, had something like this in a mock, risk score lets you prioritize easily.

Emma Feb 14, 2026 4:51 pm

D . If the execs need to actually action stuff, sometimes the executive summary has tailored priorities that override raw risk scores.

RowanV Feb 22, 2026 1:38 pm

C imo, risk score is designed for prioritization, B just lists findings but doesn't order by criticality.

Be respectful. No spam.

Correct Answer:

Explanation

The risk score is the most effective element for prioritizing remediation because it quantifies the severity and potential impact of each identified vulnerability. By assigning a score (e.g., using the Common Vulnerability Scoring System - CVSS) or a rating (e.g., Critical, High, Medium, Low), stakeholders can objectively rank the findings. This allows them to allocate resources efficiently, addressing the most significant threats to the organization first. The risk score synthesizes technical severity with business context, providing a clear roadmap for remediation efforts.

Why Incorrect

A. Methodology: This section details how the test was conducted (scope, tools, techniques), not the severity of the findings, and is therefore not used for prioritization.

B. Detailed findings list: While this list contains all the vulnerabilities that need remediation, it does not inherently rank them; it requires a risk score for effective prioritization.

D. Executive summary: This is a high-level overview for management. While it may highlight the most critical risks, it lacks the granular detail needed to prioritize all findings systematically.

References

1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115

Technical Guide to Information Security Testing and Assessment.

Section 6.2

Final Report Development: This section outlines the components of a security assessment report. It states

"For each vulnerability

a risk rating (e.g.

High

Medium

or Low) should be provided... This information helps the system owner to prioritize the mitigation of the identified vulnerabilities." This directly supports using a risk rating/score for prioritization.

2. The Penetration Testing Execution Standard (PTES). (2012). Reporting.

Technical Report Section: The standard specifies that the technical report must include a "Risk Rating" for each finding. It notes

"The purpose of the risk rating is to provide the client with the information necessary to understand the risk that a particular finding poses to their organization... This is a critical component of the report as it is what the client will use to prioritize their remediation efforts."

3. Holm

& Eikeland

O. J. (2019). A study of the quality of penetration testing reports for web applications. Norwegian University of Science and Technology.

Section 2.2.3

Risk Assessment: This academic thesis

discussing penetration testing standards

highlights that "The risk rating is arguably the most important part of the finding

as this is what the reader will use to prioritize the remediation efforts." It further discusses the use of CVSS for this purpose.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE