
200+ Free GPEN Practice Questions

Pass your GIAC GPEN Certified Penetration Tester exam on the first try — instant access, no signup required.

✓ No registration  ✓ No credit card  ✓ No hidden fees  ✓ Start practicing immediately

~65% Pass Rate | 200+ Questions | 100% Free
2026 Statistics

Key Facts: GPEN Exam

  • Pass Rate: ~65% (with SEC560 training)
  • Passing Score: 73% (source: GIAC)
  • Questions: 82 (source: GIAC)
  • Duration: 3 hours (source: GIAC)
  • Exam Fee: $999 (source: GIAC)
  • DoD 8570: CSSP Analyst (DoD Approved)

GIAC GPEN (Certified Penetration Tester) validates practical penetration testing skills including network reconnaissance, vulnerability exploitation, post-exploitation techniques, and report writing. The exam has 82 questions, a 3-hour time limit, and a 73% passing score. GPEN covers the full pentest methodology: scanning and enumeration, exploitation with Metasploit, password attacks, Kerberos attacks, and web application testing. It includes CyberLive practical testing and is DoD 8570 approved for CSSP Analyst and CSSP Infrastructure Support positions. GIAC certifications require renewal every 4 years.

Sample GPEN Practice Questions

Try these sample questions to test your GPEN exam readiness. Each question includes a detailed explanation. Start the interactive quiz for the full 200+ question experience with AI tutoring.

1. During the pre-engagement phase of a penetration test, which document establishes the legal boundaries, scope limitations, and authorized testing windows?
A. The vulnerability assessment report
B. The Rules of Engagement (ROE)
C. The incident response plan
D. The business continuity plan
Explanation: The Rules of Engagement (ROE) document defines the legal authorization, scope, timing, and boundaries of a penetration test. It specifies what systems can be tested, which testing methods are allowed, and emergency contacts. Without a proper ROE signed by authorized parties, penetration testing activities may violate laws like the Computer Fraud and Abuse Act (CFAA).

2. A client requests that critical production systems should not be tested during business hours. This requirement should be documented in which section of the penetration testing agreement?
A. Threat intelligence section
B. Scope and timeline limitations
C. Vulnerability scoring matrix
D. Remediation priority guidelines
Explanation: Testing time restrictions are scope and timeline limitations that must be clearly documented in the Rules of Engagement or Statement of Work. These constraints affect testing methodology and may require out-of-hours testing or specialized approaches to avoid business disruption.

3. Which of the following best describes the primary purpose of a Statement of Work (SOW) in a penetration testing engagement?
A. To provide technical details of vulnerabilities found
B. To define the contractual agreement including deliverables, timeline, and cost
C. To document the step-by-step exploitation procedures
D. To outline the incident response procedures during testing
Explanation: The Statement of Work (SOW) is a contractual document that defines the business relationship between the penetration testing firm and the client. It includes deliverables, timelines, costs, and high-level scope. It differs from the ROE, which focuses on technical testing boundaries and authorizations.

4. Under the Penetration Testing Execution Standard (PTES), which phase involves understanding the organization's business processes and identifying high-value targets?
A. Pre-engagement interactions
B. Intelligence gathering
C. Threat modeling
D. Reporting
Explanation: The Threat Modeling phase in PTES involves understanding the target organization's business processes, identifying valuable assets, and determining potential threat actors. This helps prioritize testing efforts and focus on systems that would cause the most business impact if compromised.

5. A penetration tester discovers that the scope document excludes testing the HR database system. However, they find a critical SQL injection vulnerability on a web application that appears to have direct database connectivity to the excluded HR system. What is the appropriate action?
A. Exploit the vulnerability to demonstrate the full impact
B. Document the finding without exploiting and immediately notify the client
C. Continue testing to map the extent of the vulnerability
D. Stop all testing activities immediately
Explanation: When discovering out-of-scope vulnerabilities, testers must document the finding without exploitation and immediately notify the client. Exploiting systems outside the defined scope violates the ROE and could have legal consequences, even if the vulnerability provides access to excluded systems.

6. Which of the following information should be included in the emergency contact procedures section of a Rules of Engagement document?
A. Detailed exploit code for critical vulnerabilities
B. Client technical contacts and escalation procedures for critical issues
C. Pricing information for additional testing hours
D. The tester's personal contact information only
Explanation: Emergency contact procedures should include client technical contacts, escalation paths, and procedures for reporting critical vulnerabilities that require immediate attention. This ensures that if testers discover severe issues or cause unintended outages, the right people can be contacted immediately.

7. In a black box penetration test, the tester is provided with which level of information about the target environment?
A. Full network diagrams and source code access
B. No prior information about the target
C. Administrator credentials for all systems
D. Complete asset inventory and vulnerability scan results
Explanation: In a black box (blind) penetration test, the tester has no prior knowledge of the target environment. This simulates an external attacker with no insider information and requires the tester to conduct extensive reconnaissance to identify targets, mimicking real-world attack scenarios.

8. A penetration testing firm is asked to test a hospital network. Which regulatory consideration is MOST important to address in the engagement documentation?
A. PCI DSS compliance for credit card processing
B. HIPAA protections for patient health information
C. SOX compliance for financial reporting
D. FISMA requirements for government systems
Explanation: Healthcare organizations are subject to HIPAA (Health Insurance Portability and Accountability Act), which protects patient health information (PHI). Penetration testers must ensure their testing activities and any data collected comply with HIPAA requirements, including data encryption, access controls, and proper disposal of test data containing PHI.

9. Which type of reconnaissance involves gathering information from publicly available sources without directly interacting with the target organization?
A. Active reconnaissance
B. Passive reconnaissance
C. Internal reconnaissance
D. Physical reconnaissance
Explanation: Passive reconnaissance (OSINT, Open Source Intelligence) gathers information without directly interacting with target systems. Sources include public websites, social media, WHOIS databases, job postings, and DNS records. This phase is generally low-risk and does not alert the target organization.

10. During reconnaissance, a tester uses the theHarvester tool to extract email addresses and domain-related information. Which technique is being employed?
A. Network scanning
B. Open source intelligence (OSINT) gathering
C. Vulnerability scanning
D. Social engineering
Explanation: theHarvester is an OSINT tool that gathers email addresses, subdomains, hosts, employee names, and open ports from public sources like search engines, PGP servers, and SHODAN. This is a passive reconnaissance technique that does not directly interact with target systems.

About the GPEN Exam

The GIAC GPEN validates hands-on penetration testing skills including network scanning, exploitation, post-exploitation, password attacks, and web application testing. Based on the SANS SEC560 course, it emphasizes practical abilities through CyberLive hands-on testing.

  • Questions: 82 scored questions
  • Time Limit: 3 hours
  • Passing Score: 73%
  • Exam Fee: $999 (source: GIAC, Global Information Assurance Certification)

GPEN Exam Content Outline

  • Penetration Test Planning (8%): Rules of Engagement (ROE), scoping, legal considerations, PTES framework, threat modeling, and documentation requirements
  • Reconnaissance and OSINT (8%): Passive reconnaissance, active reconnaissance, OSINT gathering, Google dorking, DNS enumeration, and social media intelligence
  • Scanning and Host Discovery (8%): Nmap scanning techniques, host discovery, port scanning, OS fingerprinting, service enumeration, and vulnerability scanning
  • Vulnerability Scanning (8%): Nessus, OpenVAS, Nikto, vulnerability validation, false positive elimination, and scan result analysis
  • Exploitation Fundamentals (10%): Exploit research, vulnerability exploitation, buffer overflows, SQL injection, command injection, and exploitation frameworks
  • Escalation and Exploitation (10%): Privilege escalation techniques, local exploits, unquoted service paths, scheduled tasks, and DLL hijacking
  • Post-Exploitation and Pivoting (10%): Credential harvesting, lateral movement, pivoting techniques, tunneling, and maintaining access
  • Metasploit Framework (8%): Metasploit console, exploit modules, payloads, Meterpreter, post-exploitation modules, and automation
  • Command and Control (6%): C2 frameworks, DNS tunneling, domain fronting, covert channels, beaconing, and malleable C2 profiles
  • Password Attacks (8%): Brute force attacks, dictionary attacks, hybrid attacks, mask attacks, and password spraying
  • Advanced Password Attacks (8%): Rule-based attacks, rainbow tables, credential stuffing, hashcat usage, and John the Ripper
  • Password Hashes (6%): NTLM hashes, Windows authentication, Linux password hashes, Mimikatz usage, and hash extraction
  • Kerberos Attacks (6%): Kerberoasting, AS-REP Roasting, Golden Tickets, Silver Tickets, Pass-the-Ticket, and Kerberos authentication
  • Domain Escalation and Persistence (6%): BloodHound, DCSync, DCShadow, domain trust attacks, and Active Directory persistence techniques

How to Pass the GPEN Exam

What You Need to Know

  • Passing score: 73%
  • Exam length: 82 questions
  • Time limit: 3 hours
  • Exam fee: $999

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

GPEN Study Tips from Top Performers

1. Master the penetration testing methodology from reconnaissance through reporting
2. Practice hands-on with Nmap for scanning, OS fingerprinting, and service enumeration
3. Study Metasploit thoroughly, including exploit selection, payload configuration, and post-exploitation
4. Learn password attack techniques including brute force, dictionary, rules, and masks with Hashcat
5. Understand Kerberos attacks including Kerberoasting, AS-REP Roasting, and Golden Tickets
6. Practice Active Directory enumeration and attacks using BloodHound and PowerView
7. Study web application vulnerabilities including SQL injection, XSS, and command injection
8. Learn privilege escalation techniques for both Windows and Linux systems
9. Understand pivoting and tunneling techniques for network traversal
10. Take all 200 practice questions and review the explanations thoroughly, especially for incorrect answers

Frequently Asked Questions

Is GPEN worth it for penetration testers?

Yes, GPEN is highly valued for penetration testing roles. It validates practical hands-on skills through CyberLive labs and is DoD 8570 approved. GPEN holders are recognized for their ability to conduct professional penetration tests using industry-standard tools and methodologies. The certification is particularly valuable for roles in consulting firms, red teams, and security assessment teams.

What is the difference between GPEN and OSCP?

GPEN focuses on comprehensive penetration testing methodology with CyberLive practical testing, while OSCP is entirely hands-on with a 24-hour practical exam. GPEN has multiple choice questions plus hands-on labs, covers more methodology and reporting, and is based on SANS SEC560. OSCP is more exploit-focused with a "try harder" philosophy. Both are highly respected; GPEN is often preferred for consulting roles requiring thorough documentation, while OSCP is favored for pure technical exploitation roles.

How long should I study for GPEN?

Plan for 100-150 hours of study over 8-12 weeks. The SANS SEC560 course (6 days or OnDemand) is the official training and highly recommended. Focus heavily on hands-on practice with Metasploit, Nmap, PowerShell, and password cracking tools. Complete all 200 practice questions and review explanations thoroughly. Candidates without penetration testing experience may need additional preparation time.

What jobs can I get with GPEN certification?

GPEN qualifies you for penetration testing and offensive security roles: Penetration Tester ($95,000-140,000), Security Consultant ($100,000-150,000), Red Team Operator ($110,000-160,000), Vulnerability Assessment Analyst ($85,000-120,000), and Security Engineer ($100,000-145,000). GPEN demonstrates practical penetration testing competency to employers and is often required for consulting positions.