GIAC GPEN Sample Questions & Practice Test

Try 12 GIAC Penetration Tester (GPEN) sample questions and practice-test preview prompts on scope, reconnaissance, enumeration, exploitation safety, password attacks, reporting, remediation evidence, and retesting.

GIAC Penetration Tester (GPEN) is an offensive-security route for candidates who need practical judgment around scoping, reconnaissance, enumeration, exploitation safety, credential attacks, reporting, remediation, and retesting.

Use this page to preview the kind of penetration-testing decisions a GPEN practice route should test. The questions below are original IT Mastery sample questions, not official GIAC exam questions.

What this route should test

  • keeping test activity inside written authorization and agreed scope
  • selecting reconnaissance, enumeration, validation, and exploitation steps from evidence
  • distinguishing proof-of-risk from unnecessary destructive action
  • writing findings that connect evidence, impact, likelihood, and remediation

Sample Exam Questions

Question 1

Topic: scope

A tester discovers an adjacent IP range that appears to belong to the client but is not listed in the rules of engagement. What should happen?

  • A. Test it quietly because it is probably related
  • B. Scan only the web ports
  • C. Ask a coworker to approve it verbally
  • D. Stop testing that range and request written scope clarification before proceeding

Best answer: D

Explanation: Penetration testing must stay inside authorized scope. Related-looking assets still require written authorization.


Question 2

Topic: reconnaissance

Which activity is most appropriate during passive reconnaissance?

  • A. Running password guesses against production accounts
  • B. Reviewing public DNS, certificate transparency, public repositories, and open-source company information
  • C. Exploiting a production web app
  • D. Changing firewall rules

Best answer: B

Explanation: Passive reconnaissance collects public or nonintrusive information. Active interaction with client systems belongs to later authorized phases.


Question 3

Topic: enumeration

A port scan shows TCP 445 open on several internal hosts. What should the tester do next?

  • A. Declare domain compromise immediately
  • B. Ignore the hosts because 445 is common
  • C. Enumerate service details, allowed authentication behavior, shares, signing posture, and exposure within scope
  • D. Delete scan records

Best answer: C

Explanation: Enumeration turns open ports into useful evidence. The tester needs service, configuration, and access context before drawing conclusions.


Question 4

Topic: vulnerability validation

A scanner reports a critical vulnerability, but exploitation may crash a production service. What is the best next step?

  • A. Validate risk using safe checks, version evidence, configuration evidence, or client-approved testing rather than uncontrolled exploitation
  • B. Exploit immediately because the scanner says critical
  • C. Ignore the finding entirely
  • D. Change the production service configuration

Best answer: A

Explanation: Testers should prove risk safely and within the rules of engagement. Scanner severity alone is not a reason for destructive validation.


Question 5

Topic: password spraying

What makes password spraying different from repeated brute force against one account?

  • A. It requires physical access
  • B. It never creates logs
  • C. It uses no passwords
  • D. It tries a small number of common passwords across many accounts to reduce lockout risk

Best answer: D

Explanation: Password spraying spreads attempts across many accounts. It can evade simple lockout thresholds and must still be authorized.


Question 6

Topic: privilege escalation

A tester gains low-privilege shell access on a Linux host. Which next step is most appropriate?

  • A. Check kernel, sudo rights, writable paths, credentials, services, and misconfigurations within scope
  • B. Immediately delete system logs
  • C. Disable endpoint protection
  • D. Install cryptocurrency software to prove impact

Best answer: A

Explanation: Privilege-escalation analysis should look for controlled, evidence-based paths. Destructive or unauthorized actions are not appropriate.


Question 7

Topic: web authentication

An application exposes a password-reset link that remains valid after password change. What is the likely concern?

  • A. CSS styling risk
  • B. DNS caching
  • C. Weak token lifecycle control that may allow unauthorized account recovery
  • D. Firewall throughput

Best answer: C

Explanation: Password-reset tokens should expire or be invalidated appropriately. Weak token lifecycle can create account-takeover risk.


Question 8

Topic: reporting

What makes a penetration-test finding more useful to the client?

  • A. Evidence, business impact, affected assets, reproduction steps where safe, risk rating, and remediation guidance
  • B. A vague statement that security is bad
  • C. Only a screenshot with no context
  • D. A list of tools used without findings

Best answer: A

Explanation: Good reports connect technical evidence to risk and remediation. Clients need enough detail to prioritize and fix issues.


Question 9

Topic: exploitation safety

A tester can prove SQL injection by dumping sensitive customer records. What is the better proof approach?

  • A. Exfiltrate the entire database
  • B. Publish a sample online
  • C. Change customer records to prove write access
  • D. Use a safe, minimal proof that demonstrates impact without unnecessary data exposure

Best answer: D

Explanation: Penetration testers should minimize harm. A safe proof should demonstrate risk without exposing more sensitive data than needed.


Question 10

Topic: remediation evidence

After the client patches a vulnerability, what should retesting focus on?

  • A. Whether the original exploit path is closed and whether the fix introduced obvious related gaps
  • B. Whether the report template changed
  • C. Whether the tester can ignore scope
  • D. Whether all findings can be marked fixed without evidence

Best answer: A

Explanation: Retesting validates remediation with evidence. It should confirm the original issue is fixed and check for closely related regressions.


Question 11

Topic: phishing authorization

A client asks for a phishing test but has not approved target groups, sending domains, or escalation handling. What should the tester do?

  • A. Launch immediately to preserve realism
  • B. Use personal email accounts
  • C. Obtain written authorization, scope, target rules, safety limits, and response procedures first
  • D. Avoid documenting results

Best answer: C

Explanation: Social-engineering tests require explicit authorization and safety boundaries. Scope protects both users and the testing team.


Question 12

Topic: retesting

Why should retesting be separate from the original finding write-up?

  • A. It creates an evidence trail showing whether remediation changed the actual risk condition
  • B. It replaces the need for remediation
  • C. It proves all systems are secure forever
  • D. It allows testers to add unrelated scope

Best answer: A

Explanation: Retesting documents whether the fix worked. It should be evidence-based and limited to the agreed remediation scope.

Quick readiness checklist

If you miss...            Drill this next
scope questions           written authorization, rules of engagement, and safety boundaries
attack-path questions     recon, enumeration, validation, exploitation, and post-exploitation evidence
reporting questions       impact, likelihood, affected assets, proof, and remediation
retesting questions       fix validation and controlled follow-up

Revised on Monday, May 18, 2026