The correct answer is B. Provide the customer with a list of the changes made.
At the end of a penetration test, the tester must support post-engagement cleanup and restoration. To verify that exploited systems have been returned to their original state, the tester should provide the customer with a complete list of changes made during the engagement. This allows the client to confirm that all modifications, deployed tools, payloads, accounts, configuration changes, scripts, files, and other artifacts have been removed or restored appropriately.
A is incorrect because terminating a command-and-control payload addresses only one possible artifact. It does not verify that all exploited systems have been restored to pre-engagement conditions.
C is incorrect because restoring environment variables may be part of cleanup, but it is too narrow and only applies if environment variables were changed.
D is incorrect because reimaging a system is disruptive and may not be necessary. It should only be done if required by the client’s recovery process or if restoration cannot be otherwise verified.
In PenTest+ terms, this falls under Reporting and Communication, specifically post-engagement cleanup, restoration validation, documentation of changes, and client handoff.