Which statement is MOST appropriate evaluation of using diagrams to plan and communicate penetration testing to the client?

• A. An attack path map should be used to visualize potential attack paths and techniques, helping both the pentester and the client understand the steps to compromise high-value targets.
• B. A detailed stack diagram is sufficient.
• C. Only textual descriptions are necessary.
• D. Ignore diagrams and rely on charts.

Answer: (A)

Using diagrams to plan and communicate penetration testing helps translate complex attacker behavior into a visual plan that clients can grasp. An attack path map shows how different entry points, systems, and controls could be chained together to reach high-value targets, making risks, priorities, and the sequence of testing steps clear to both testers and stakeholders. This fosters better scoping, risk-based prioritization, and buys-in for remediation efforts, since the client can see where protections matter most without wading through dense technical prose.

A detailed stack diagram alone focuses on the components in isolation and doesn’t convey how an attacker might move between them. Textual descriptions, while necessary, are harder to digest and can fail to communicate the overall flow and interdependencies. Ignoring diagrams altogether misses the efficiency and clarity that visuals provide, especially for non-technical decision-makers who need to understand risk and timelines.