During a pre-engagement activity with a new customer, a penetration tester looks for assets to test. Which of the following is an example of a target that can be used for testing?
In the PenTest+ pre-engagement and scoping process, a “target” refers to an asset or system component that can be assessed—such as an application, host, network segment, cloud resource, or interface that provides business functionality. An API is a valid target because it is a discrete, testable asset with defined inputs/outputs and commonly has its own authentication, authorization, rate limiting, data handling, and business-logic controls. During scoping, APIs are often explicitly listed as in-scope assets (for example, REST endpoints, GraphQL interfaces, or partner-facing integrations) because they can expose sensitive data and functionality even when the main web UI appears secure.
By contrast, HTTP and ICMP are protocols, not assets. They can be part of the assessment (e.g., testing HTTP services or ICMP filtering), but they are not themselves “targets” in the sense of scoping an asset inventory. “IPA” is not a standard target category in PenTest+ scoping language (it is typically associated with file formats or unrelated terms). Therefore, API is the correct example of a target asset.