During a pentest, the database containing customer information is described as what in terms of testing focus?

• A. A routine, low-risk asset to ignore.
• B. A high-value asset to prioritize within the scope.
• C. A non-critical asset for incidental testing.
• D. An external system not under test scope.

Answer: (B)

In penetration testing, you prioritize effort based on asset value and risk. A database that stores customer information is a high-value asset because it contains sensitive data and represents a major risk if breached. So it should be described as a high-priority focus within the testing scope, guiding you to rigorously test controls around access and authentication, data protection at rest and in transit, database configurations, patching, incident monitoring, and the potential for data exfiltration or tampering. Treating it as routine or incidental would underemphasize the risk and likely miss critical weaknesses, and labeling it external or outside the scope wouldn’t reflect the need to protect that data within the testing effort.