Question 7
A CSP contracts for a penetration test to be conducted on its infrastructure. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP's security operations center (SOC) is not notified in advance of the scope of the audit or the test vectors. Which mode is selected by the CSP?
Correct answer: D
Explanation
Double blind testing means neither the testers nor the defenders are fully informed in advance. Here, the auditor has "no prior knowledge of its defenses, assets, or channels," and the SOC is "not notified in advance of the scope of the audit and the test vectors," which matches a double blind engagement.
Why each option is right or wrong
A. Double gray box: incorrect. In a double gray box test the auditor has only limited knowledge of the target, and the defenders are told the scope and time frame in advance (though not the test vectors). Here the SOC is told nothing, and the auditor starts with no knowledge rather than partial knowledge.
B. Tandem: incorrect. A tandem (crystal box) test has both sides fully informed: the auditor knows the target and the defenders know the audit is coming. Neither condition holds in this scenario.
C. Reversal: incorrect. A reversal test gives the auditor full knowledge of the target while the defenders are kept unaware of what, how, and when the test will happen. The defenders' side matches, but the auditor here has no prior knowledge, so it is not a reversal.
D. Double blind: correct. In the OSSTMM test-type classification these options come from, a double blind engagement is the one where the testing team is not briefed on the target's defenses or assets and the defenders are also kept uninformed, so they respond as they would to a real attack. The facts given match both conditions: the auditor starts with no prior knowledge, and the SOC receives no advance notice of the scope or test vectors, so the exercise is designed to measure detection and response without prior coordination.