, which now executes in the browser of every visitor who views that comment thread. Which type of attack does this indicate?","acceptedAnswer":{"@type":"Answer","text":"Stored cross-site scripting (XSS)"},"suggestedAnswer":[{"@type":"Answer","text":"SQL injection"},{"@type":"Answer","text":"Directory traversal"},{"@type":"Answer","text":"Server-side request forgery"}]},{"@context":"https://schema.org","@type":"Question","text":"A healthcare organization stores patient records in a database on physical servers in their data center. The Chief Information Security Officer (CISO) is concerned about unauthorized access to sensitive patient information if storage media is physically stolen or improperly disposed of. Which cryptographic solution should be implemented to protect this data?","acceptedAnswer":{"@type":"Answer","text":"Full disk encryption using AES-256"},"suggestedAnswer":[{"@type":"Answer","text":"TLS 1.3 encryption for database connections"},{"@type":"Answer","text":"IPsec tunneling between database servers"},{"@type":"Answer","text":"Hashing patient records with SHA-256"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst is reviewing vulnerability scan results for the company's environment. Two findings must be prioritized for remediation: Finding 1 has a CVSS base score of 9.8 but affects an isolated internal test server with no network access to production. Finding 2 has a CVSS base score of 7.5 and affects a customer-facing web server that processes payment data. Company risk tolerance is low, and PCI DSS compliance is required. Which finding should the analyst remediate first, and why?","acceptedAnswer":{"@type":"Answer","text":"Finding 2, because environmental variables and organizational impact raise its effective risk despite the lower base score"},"suggestedAnswer":[{"@type":"Answer","text":"Finding 1, because its higher CVSS base score indicates greater technical severity"},{"@type":"Answer","text":"Finding 1, because a score above 9.0 is always classified as critical and must be patched immediately"},{"@type":"Answer","text":"Finding 2, because a lower CVSS base score is easier and faster to remediate"}]},{"@context":"https://schema.org","@type":"Question","text":"A healthcare organization is implementing a new customer service system where call center representatives need to verify patient identities but should not have access to full Social Security Numbers or complete credit card details. The organization wants to maintain the original data format while protecting sensitive information from unauthorized viewing. Which data protection method should be implemented?","acceptedAnswer":{"@type":"Answer","text":"Data masking"},"suggestedAnswer":[{"@type":"Answer","text":"Tokenization"},{"@type":"Answer","text":"Hashing"},{"@type":"Answer","text":"Encryption"}]},{"@context":"https://schema.org","@type":"Question","text":"A multinational pharmaceutical company is migrating patient trial data to a cloud provider. The company must comply with regulations requiring that EU citizen health data remain physically stored within EU borders and cannot be transferred to other jurisdictions. Which of the following should the security architect implement to meet this requirement?","acceptedAnswer":{"@type":"Answer","text":"Configure geolocation restrictions to ensure data residency within EU data centers"},"suggestedAnswer":[{"@type":"Answer","text":"Implement encryption at rest and in transit for all stored patient data"},{"@type":"Answer","text":"Deploy tokenization to replace sensitive patient identifiers with non-sensitive equivalents"},{"@type":"Answer","text":"Enable data classification tags to mark all records as confidential or restricted"}]},{"@context":"https://schema.org","@type":"Question","text":"A European healthcare organization is migrating patient health records to a cloud service provider. Regulatory requirements mandate that all patient data must be processed and stored within the European Union to comply with GDPR. Which data protection consideration is primarily being addressed?","acceptedAnswer":{"@type":"Answer","text":"Data sovereignty"},"suggestedAnswer":[{"@type":"Answer","text":"Data classification"},{"@type":"Answer","text":"Data masking"},{"@type":"Answer","text":"Data segmentation"}]},{"@context":"https://schema.org","@type":"Question","text":"A multinational healthcare organization is migrating patient records to a cloud provider. The organization operates in the European Union and must comply with GDPR requirements that mandate patient data remain within EU borders. Which of the following should the security architect prioritize when selecting cloud storage regions?","acceptedAnswer":{"@type":"Answer","text":"Data sovereignty"},"suggestedAnswer":[{"@type":"Answer","text":"Data masking"},{"@type":"Answer","text":"Data segmentation"},{"@type":"Answer","text":"Data tokenization"}]},{"@context":"https://schema.org","@type":"Question","text":"A multinational financial services company stores customer account data in a cloud database hosted in the United States. New regulations in the European Union require that all personal data of EU citizens must be processed and stored within EU borders. The company needs to comply while maintaining operational efficiency. Which solution BEST addresses this data sovereignty requirement?","acceptedAnswer":{"@type":"Answer","text":"Implement geolocation-based data storage routing to store EU customer data in EU-region cloud data centers"},"suggestedAnswer":[{"@type":"Answer","text":"Enable AES-256 encryption for all customer data stored in the US data centers"},{"@type":"Answer","text":"Apply data masking to EU customer records before storing them in the US database"},{"@type":"Answer","text":"Use tokenization to replace EU customer sensitive data with non-sensitive equivalents"}]},{"@context":"https://schema.org","@type":"Question","text":"A multinational financial services company is expanding operations into the European Union and must comply with GDPR requirements for customer data. The company currently stores all customer records in a centralized database hosted in their US-based data center. Which approach BEST addresses data sovereignty concerns while maintaining operational efficiency?","acceptedAnswer":{"@type":"Answer","text":"Implement data tokenization to replace EU customer data with tokens stored in the US while keeping actual data in EU-based storage"},"suggestedAnswer":[{"@type":"Answer","text":"Deploy encryption for all customer records using AES-256 and store encrypted EU customer data in the US data center"},{"@type":"Answer","text":"Configure data masking to hide sensitive EU customer information when accessed by US-based administrators"},{"@type":"Answer","text":"Enable database replication to mirror all customer records across multiple geographic regions for redundancy"}]},{"@context":"https://schema.org","@type":"Question","text":"A retail organization is redesigning its point-of-sale system to reduce the scope of PCI DSS compliance. The security team needs to protect credit card numbers while still allowing the system to reference transactions for returns and customer service inquiries. The solution must ensure that if the database is compromised, actual card numbers cannot be retrieved. Which data protection method best meets these requirements?","acceptedAnswer":{"@type":"Answer","text":"Tokenization with tokens stored in the transaction database and card data stored in a separate secure vault"},"suggestedAnswer":[{"@type":"Answer","text":"Data masking by displaying only the last four digits of card numbers in all system interfaces"},{"@type":"Answer","text":"AES-256 encryption of card numbers with keys stored in a hardware security module"},{"@type":"Answer","text":"SHA-256 hashing of card numbers before storing them in the transaction database"}]},{"@context":"https://schema.org","@type":"Question","text":"A healthcare organization is implementing encryption for its patient database to protect data at rest. The security team needs to ensure cryptographic keys are stored securely and isolated from the application servers. The solution must provide dedicated hardware for key management with tamper-resistant properties and meet compliance requirements for protecting sensitive health information. Which cryptographic tool should the organization implement?","acceptedAnswer":{"@type":"Answer","text":"Hardware Security Module (HSM)"},"suggestedAnswer":[{"@type":"Answer","text":"Trusted Platform Module (TPM)"},{"@type":"Answer","text":"Secure enclave"},{"@type":"Answer","text":"Key management system (KMS)"}]},{"@context":"https://schema.org","@type":"Question","text":"An employee is terminated during a contentious meeting on Friday afternoon. The security team is notified 20 minutes before the meeting begins. Which action should be taken FIRST to reduce the risk of retaliation or data theft by this insider?","acceptedAnswer":{"@type":"Answer","text":"Disable the employee's user accounts and revoke active sessions at the scheduled meeting time"},"suggestedAnswer":[{"@type":"Answer","text":"Schedule an account deletion job to run over the weekend during the maintenance window"},{"@type":"Answer","text":"Reset the employee's password and email the new credentials to their manager"},{"@type":"Answer","text":"Archive the employee's mailbox and home directory before taking any further action"}]},{"@context":"https://schema.org","@type":"Question","text":"A security manager wants to establish clear expectations for how employees may use company laptops and email, so that if misuse occurs, the organization can point to a written expectation that guided user behavior. Which type of security control BEST describes publishing an acceptable use policy for this purpose?","acceptedAnswer":{"@type":"Answer","text":"Directive"},"suggestedAnswer":[{"@type":"Answer","text":"Detective"},{"@type":"Answer","text":"Corrective"},{"@type":"Answer","text":"Compensating"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst notices that several employees repeatedly attempt to visit newly registered domains that are hosting phishing kits and malware droppers. Management wants a solution that prevents workstations from resolving these known-bad domains before any connection is established, without requiring an agent on each endpoint. Which enterprise capability should the analyst implement?","acceptedAnswer":{"@type":"Answer","text":"DNS filtering"},"suggestedAnswer":[{"@type":"Answer","text":"File integrity monitoring"},{"@type":"Answer","text":"SSL/TLS accelerator"},{"@type":"Answer","text":"Network access control (NAC)"}]},{"@context":"https://schema.org","@type":"Question","text":"Users at a company report that when they type their bank's correct URL into their browsers, they are redirected to a fraudulent site that looks identical but has a different IP address. Internal DNS server logs show that the cached record for the bank's domain was modified without any authorized change. Which type of attack is MOST likely occurring?","acceptedAnswer":{"@type":"Answer","text":"DNS cache poisoning"},"suggestedAnswer":[{"@type":"Answer","text":"Typosquatting"},{"@type":"Answer","text":"On-path (man-in-the-middle) TLS stripping"},{"@type":"Answer","text":"Distributed denial-of-service (DDoS)"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviewing packet captures notices that several client sessions with the company's web server negotiated TLS 1.0 despite both endpoints supporting TLS 1.3. The captures show an intermediary modifying the ClientHello to remove the stronger cipher suites before it reaches the server. Which type of attack does this most likely indicate?","acceptedAnswer":{"@type":"Answer","text":"Downgrade attack"},"suggestedAnswer":[{"@type":"Answer","text":"Collision attack"},{"@type":"Answer","text":"Birthday attack"},{"@type":"Answer","text":"Credential replay attack"}]},{"@context":"https://schema.org","@type":"Question","text":"A security engineer notices that attackers are sending emails that appear to originate from the company's own domain to trick employees into wiring funds. Legitimate outbound mail already passes SPF and DKIM checks. Which additional email security mechanism should the engineer configure to instruct receiving servers to reject messages that fail authentication and to receive reports on spoofing attempts?","acceptedAnswer":{"@type":"Answer","text":"DMARC with a reject policy"},"suggestedAnswer":[{"@type":"Answer","text":"S/MIME message encryption"},{"@type":"Answer","text":"A secure email gateway sandbox"},{"@type":"Answer","text":"STARTTLS on the SMTP connection"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst discovers that several employees in the marketing department have been using personal cloud storage accounts to share large campaign files with external contractors, bypassing the company's approved file transfer system. The IT department was not aware of these services being used. Which type of threat actor does this scenario represent?","acceptedAnswer":{"@type":"Answer","text":"Shadow IT"},"suggestedAnswer":[{"@type":"Answer","text":"Insider threat"},{"@type":"Answer","text":"Unskilled attacker"},{"@type":"Answer","text":"Organized crime"}]},{"@context":"https://schema.org","@type":"Question","text":"A healthcare organization stores nightly database backups on tape media that are transported by a third-party courier to an offsite facility 50 miles away. The security team is concerned about protecting patient health information during transit. Which cryptographic solution should be implemented to protect the confidentiality of the data if the tapes are lost or stolen during transport?","acceptedAnswer":{"@type":"Answer","text":"Data at rest encryption"},"suggestedAnswer":[{"@type":"Answer","text":"Data in transit encryption"},{"@type":"Answer","text":"Digital signatures"},{"@type":"Answer","text":"Data masking"}]},{"@context":"https://schema.org","@type":"Question","text":"A DevOps team's CI/CD pipeline needs to authenticate to a cloud provider to deploy resources. Currently, a long-lived API key is stored in the pipeline configuration, and security auditors flagged it as a risk because the key rarely rotates and could be exposed in logs. The security team wants to minimize the risk of a leaked credential being reused by an attacker. Which PAM approach best addresses this concern?","acceptedAnswer":{"@type":"Answer","text":"Issue ephemeral credentials that are generated on demand and automatically expire shortly after the deployment completes"},"suggestedAnswer":[{"@type":"Answer","text":"Store the API key in a password vault and require analysts to check it out manually before each pipeline run"},{"@type":"Answer","text":"Rotate the long-lived API key on a quarterly schedule and restrict access to the pipeline configuration file"},{"@type":"Answer","text":"Apply time-of-day restrictions so the pipeline can only run during business hours"}]},{"@context":"https://schema.org","@type":"Question","text":"A security engineer wants to be automatically alerted whenever critical system binaries or configuration files on production web servers are modified, as unauthorized changes have recently gone unnoticed until after an incident. Which enterprise capability should the engineer deploy to meet this requirement?","acceptedAnswer":{"@type":"Answer","text":"File integrity monitoring (FIM)"},"suggestedAnswer":[{"@type":"Answer","text":"Data loss prevention (DLP)"},{"@type":"Answer","text":"Network access control (NAC)"},{"@type":"Answer","text":"DNS filtering"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company is migrating customer credit card data to a cloud storage solution. Regulatory requirements mandate that cardholder data must be protected from unauthorized access even if storage media is physically compromised. The security team needs to select the most appropriate data protection method that addresses this specific compliance requirement while maintaining the ability to process transactions.","acceptedAnswer":{"@type":"Answer","text":"Implement encryption at rest using AES-256 with hardware security module (HSM) key management"},"suggestedAnswer":[{"@type":"Answer","text":"Configure tokenization to replace card numbers with randomly generated surrogate values"},{"@type":"Answer","text":"Apply data masking to display only the last four digits of card numbers in all interfaces"},{"@type":"Answer","text":"Enable transport layer security (TLS) 1.3 for all data transmission to the cloud storage"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company is migrating customer credit card data to a cloud-based payment processing system. The security team must ensure that cardholder data is protected both when stored in the database and when transmitted between the payment gateway and third-party processors. Which combination of data protection methods should be implemented to meet PCI DSS compliance requirements?","acceptedAnswer":{"@type":"Answer","text":"Encryption for data at rest and TLS 1.2 or higher for data in transit"},"suggestedAnswer":[{"@type":"Answer","text":"Tokenization for data at rest and IPSec VPN for data in transit"},{"@type":"Answer","text":"Data masking for data at rest and SSH tunneling for data in transit"},{"@type":"Answer","text":"Hashing for data at rest and SSL 3.0 for data in transit"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company operates a primary data center and a warm recovery site located 12 miles apart in the same metropolitan area. During a disaster recovery review, an auditor notes that a regional hurricane or flood could disable both facilities simultaneously. Which change best addresses the auditor's concern?","acceptedAnswer":{"@type":"Answer","text":"Relocate the recovery site to a different geographic region far from the primary site"},"suggestedAnswer":[{"@type":"Answer","text":"Upgrade the warm site to a hot site to reduce recovery time"},{"@type":"Answer","text":"Add redundant UPS and generator capacity at both facilities"},{"@type":"Answer","text":"Increase backup frequency and enable journaling at the primary site"}]},{"@context":"https://schema.org","@type":"Question","text":"A security manager is organizing the company's governance documentation. One document states: 'All company laptops must use AES-256 full-disk encryption.' The manager wants to file this document under the correct governance category. Which type of document does this statement represent?","acceptedAnswer":{"@type":"Answer","text":"Standard"},"suggestedAnswer":[{"@type":"Answer","text":"Policy"},{"@type":"Answer","text":"Procedure"},{"@type":"Answer","text":"Guideline"}]},{"@context":"https://schema.org","@type":"Question","text":"A security team wants to detect attackers who have already bypassed the perimeter and are moving through the internal network. They deploy a decoy server that mimics a legitimate database server but holds only fake data, with no legitimate business reason for any user to connect to it. Any connection attempt is logged and generates a high-priority alert. Which security concept does this deployment BEST represent?","acceptedAnswer":{"@type":"Answer","text":"A honeypot used as a deception and disruption technology"},"suggestedAnswer":[{"@type":"Answer","text":"A compensating control for an unpatched legacy system"},{"@type":"Answer","text":"A data masking technique protecting production records"},{"@type":"Answer","text":"A zero trust policy engine enforcing least privilege"}]},{"@context":"https://schema.org","@type":"Question","text":"A manufacturing plant runs a SCADA system that controls production line machinery. The vendor no longer provides firmware updates, and the embedded controllers cannot be taken offline without halting production for days. A recent assessment flagged several unpatchable vulnerabilities in these controllers. Which architectural consideration is the security team primarily dealing with, and what is the most appropriate response?","acceptedAnswer":{"@type":"Answer","text":"Inability to patch — isolate the controllers in a segmented network zone with strict access controls"},"suggestedAnswer":[{"@type":"Answer","text":"Risk transference — purchase cyber insurance to cover any losses from the SCADA system"},{"@type":"Answer","text":"Ease of deployment — redeploy the controllers using infrastructure as code templates"},{"@type":"Answer","text":"Responsiveness — add a load balancer in front of the controllers to improve availability"}]},{"@context":"https://schema.org","@type":"Question","text":"A company hires remote employees who never visit a physical office. Before issuing credentials, the security team must confirm that each new hire is actually the real person they claim to be by validating government-issued documents and biometric selfies against those documents. Which IAM activity does this process represent?","acceptedAnswer":{"@type":"Answer","text":"Identity proofing"},"suggestedAnswer":[{"@type":"Answer","text":"Attestation"},{"@type":"Answer","text":"Federation"},{"@type":"Answer","text":"Provisioning"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviewing authentication logs notices that a sales manager's account successfully logged in from an office in Chicago at 9:02 AM, and then a second successful login for the same account appeared from an IP address geolocated in Singapore at 9:14 AM. Both sessions remained active simultaneously. Which indicator of malicious activity BEST describes what the analyst has observed?","acceptedAnswer":{"@type":"Answer","text":"Impossible travel"},"suggestedAnswer":[{"@type":"Answer","text":"Account lockout"},{"@type":"Answer","text":"Resource consumption"},{"@type":"Answer","text":"Out-of-cycle logging"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviewing authentication logs notices that a user account successfully logged in from an office in Chicago at 9:02 AM and then logged in again from an IP address geolocated in Singapore at 9:14 AM the same day. Both sessions authenticated successfully with the correct password. Which indicator of malicious activity does this BEST represent?","acceptedAnswer":{"@type":"Answer","text":"Impossible travel"},"suggestedAnswer":[{"@type":"Answer","text":"Account lockout"},{"@type":"Answer","text":"Resource consumption"},{"@type":"Answer","text":"Out-of-cycle logging"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviews authentication logs and discovers that a user account successfully authenticated from New York at 09:15 AM EST, and the same account authenticated from Tokyo at 09:45 AM EST on the same day. No VPN connections were recorded for this user. What type of indicator of malicious activity has been identified?","acceptedAnswer":{"@type":"Answer","text":"Impossible travel"},"suggestedAnswer":[{"@type":"Answer","text":"Concurrent session usage"},{"@type":"Answer","text":"Account lockout"},{"@type":"Answer","text":"Out-of-cycle logging"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviews authentication logs and discovers that a user account successfully authenticated from Tokyo, Japan at 08:15 UTC, and then the same account authenticated from New York, USA at 09:30 UTC the same day. There are no VPN connections associated with either login. Both authentication attempts were successful and used correct credentials. What indicator of malicious activity does this scenario BEST represent?","acceptedAnswer":{"@type":"Answer","text":"Impossible travel"},"suggestedAnswer":[{"@type":"Answer","text":"Concurrent session usage"},{"@type":"Answer","text":"Credential replay attack"},{"@type":"Answer","text":"Account lockout pattern"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviews authentication logs and discovers that a user account successfully authenticated from New York at 09:15 AM EST and then authenticated again from Tokyo at 09:45 AM EST on the same day. Both login attempts were successful, and no VPN connections were detected. Which indicator of malicious activity is MOST likely present?","acceptedAnswer":{"@type":"Answer","text":"Impossible travel"},"suggestedAnswer":[{"@type":"Answer","text":"Concurrent session usage"},{"@type":"Answer","text":"Account lockout"},{"@type":"Answer","text":"Out-of-cycle logging"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst confirms that a workstation is infected with malware that has established persistence through a malicious scheduled task and a modified registry key. The affected system has already been isolated from the network. Following the NIST incident response process, which phase's activities should the analyst perform NEXT?","acceptedAnswer":{"@type":"Answer","text":"Eradication — remove the malicious scheduled task, revert the registry changes, and delete malware artifacts"},"suggestedAnswer":[{"@type":"Answer","text":"Containment — disconnect the system from the network and disable its switch port"},{"@type":"Answer","text":"Recovery — restore the system to production and monitor for reinfection"},{"@type":"Answer","text":"Lessons learned — document the timeline and update the incident response plan"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company runs a transaction-processing database that updates thousands of records per minute. After a recent power event, the recovery team discovered that restoring from the previous night's full backup lost nearly a full day of transactions. Management now requires a solution that captures every committed change so the database can be restored to the exact moment before any failure with minimal data loss. Which backup-related technique best meets this requirement?","acceptedAnswer":{"@type":"Answer","text":"Journaling that logs each transaction so changes can be replayed to a precise point in time"},"suggestedAnswer":[{"@type":"Answer","text":"Increasing the frequency of nightly full backups to twice per day"},{"@type":"Answer","text":"Taking hourly snapshots of the storage volume and retaining them offsite"},{"@type":"Answer","text":"Replicating the full backup files to a geographically dispersed cold site"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company wants to reduce the risk associated with administrators holding standing access to production database servers. The security team needs a solution that grants elevated privileges only for the duration of an approved task and automatically revokes them afterward, while also recording all privileged sessions. Which approach best meets these requirements?","acceptedAnswer":{"@type":"Answer","text":"Implement a PAM solution with just-in-time permissions and password vaulting"},"suggestedAnswer":[{"@type":"Answer","text":"Assign administrators to a permanent role-based access control group with least privilege applied"},{"@type":"Answer","text":"Enable time-of-day restrictions on all administrator accounts during business hours"},{"@type":"Answer","text":"Require multifactor authentication for all administrative logins to the database"}]},{"@context":"https://schema.org","@type":"Question","text":"An e-commerce company experiences occasional web server outages during peak shopping periods, causing lost revenue. The infrastructure team wants a solution that keeps the site online during a single server failure AND distributes incoming traffic across all available servers simultaneously to improve responsiveness. Which approach best meets both requirements?","acceptedAnswer":{"@type":"Answer","text":"Deploy multiple web servers behind a load balancer configured in active-active mode"},"suggestedAnswer":[{"@type":"Answer","text":"Configure a warm standby server that is manually promoted when the primary fails"},{"@type":"Answer","text":"Implement scheduled snapshots of the web server every 15 minutes"},{"@type":"Answer","text":"Add a second uninterruptible power supply (UPS) to each web server rack"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst is investigating a suspected breach that spans multiple servers, firewalls, and endpoints. Each device stores logs locally in different formats, making it difficult to build a timeline of events. Which activity would most directly address this problem going forward?","acceptedAnswer":{"@type":"Answer","text":"Configure log aggregation to a centralized SIEM"},"suggestedAnswer":[{"@type":"Answer","text":"Increase the retention period on each local device"},{"@type":"Answer","text":"Enable alert tuning to reduce false positives"},{"@type":"Answer","text":"Deploy SNMP traps on all network infrastructure"}]},{"@context":"https://schema.org","@type":"Question","text":"A manufacturer of network routers is compromised, and attackers embed hidden code in a signed firmware update that is then distributed to thousands of customers through the vendor's automatic update service. Customers install the update believing it is legitimate, unknowingly granting attackers remote access. Which vulnerability type does this scenario BEST illustrate?","acceptedAnswer":{"@type":"Answer","text":"Supply chain vulnerability"},"suggestedAnswer":[{"@type":"Answer","text":"Zero-day vulnerability"},{"@type":"Answer","text":"Cryptographic vulnerability"},{"@type":"Answer","text":"Race condition"}]},{"@context":"https://schema.org","@type":"Question","text":"A payroll administrator resigned two weeks ago. This morning, exactly at midnight on the last day of the fiscal quarter, several critical payroll database records were silently deleted, and a script was found that had been scheduled to execute the deletion when a specific date arrived. No network connections or external commands were involved. Which type of malware best describes this activity?","acceptedAnswer":{"@type":"Answer","text":"Logic bomb"},"suggestedAnswer":[{"@type":"Answer","text":"Worm"},{"@type":"Answer","text":"Rootkit"},{"@type":"Answer","text":"Ransomware"}]},{"@context":"https://schema.org","@type":"Question","text":"A defense contractor requires that access to files be governed strictly by security clearance levels and information classification labels. Users, regardless of their job role or ownership of a file, cannot change these labels or grant access to others. Only the system enforces access decisions based on the sensitivity of the resource and the clearance of the subject. Which access control model does this describe?","acceptedAnswer":{"@type":"Answer","text":"Mandatory access control (MAC)"},"suggestedAnswer":[{"@type":"Answer","text":"Discretionary access control (DAC)"},{"@type":"Answer","text":"Role-based access control (RBAC)"},{"@type":"Answer","text":"Attribute-based access control (ABAC)"}]},{"@context":"https://schema.org","@type":"Question","text":"A development team is migrating a large monolithic application to a microservices architecture running in separate containers, each exposing its own API. The security manager is documenting the security implications of this design change. Which of the following is the MOST significant security consideration introduced by this migration?","acceptedAnswer":{"@type":"Answer","text":"The increased number of exposed service endpoints expands the overall attack surface that must be secured"},"suggestedAnswer":[{"@type":"Answer","text":"Microservices eliminate the need for network segmentation because each service is already isolated"},{"@type":"Answer","text":"Patching becomes impossible because each container runs an embedded real-time operating system"},{"@type":"Answer","text":"Microservices remove all availability concerns because a single service failure cannot affect others"}]},{"@context":"https://schema.org","@type":"Question","text":"A healthcare organization is decommissioning 50 mobile devices that were previously used by clinical staff to access patient records through a mobile app. The devices contain cached data and are enrolled in the organization's MDM solution. Which of the following actions should be performed FIRST to ensure proper data sanitization before disposal?","acceptedAnswer":{"@type":"Answer","text":"Issue a remote wipe command through the MDM platform to factory reset all devices"},"suggestedAnswer":[{"@type":"Answer","text":"Physically destroy the devices using a certified shredding service"},{"@type":"Answer","text":"Remove the devices from the MDM enrollment and donate them to a charity"},{"@type":"Answer","text":"Perform a manual factory reset on each device through the device settings menu"}]},{"@context":"https://schema.org","@type":"Question","text":"Two organizations plan to collaborate on a joint research initiative. Leadership wants a document that expresses their shared intent, general roles, and mutual understanding of the partnership, but they explicitly do NOT want the document to create legally enforceable obligations at this stage. Which agreement type best fits this requirement?","acceptedAnswer":{"@type":"Answer","text":"Memorandum of understanding (MOU)"},"suggestedAnswer":[{"@type":"Answer","text":"Master service agreement (MSA)"},{"@type":"Answer","text":"Service level agreement (SLA)"},{"@type":"Answer","text":"Business partners agreement (BPA)"}]},{"@context":"https://schema.org","@type":"Question","text":"A hardware reliability engineer is preparing a report for the infrastructure team. She wants to communicate the average length of time a critical storage array is expected to operate between unplanned hardware failures, so the team can plan proactive replacement cycles. Which metric should she report to convey this information?","acceptedAnswer":{"@type":"Answer","text":"Mean time between failures (MTBF)"},"suggestedAnswer":[{"@type":"Answer","text":"Mean time to repair (MTTR)"},{"@type":"Answer","text":"Recovery time objective (RTO)"},{"@type":"Answer","text":"Recovery point objective (RPO)"}]},{"@context":"https://schema.org","@type":"Question","text":"A security administrator is reviewing an identity management program where accounts have been created inconsistently over the years — some service accounts are named 'svc_backup', others 'backupagent01', and still others 'jsmith-test'. This inconsistency makes it difficult to distinguish human accounts from service accounts during audits and to apply automated group policies. Which practice should the administrator implement to address this problem?","acceptedAnswer":{"@type":"Answer","text":"Enforce a standard naming convention for all account types"},"suggestedAnswer":[{"@type":"Answer","text":"Implement time-based access restrictions on all accounts"},{"@type":"Answer","text":"Deploy multifactor authentication for every service account"},{"@type":"Answer","text":"Migrate all accounts to a discretionary access control model"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst suspects that a compromised internal workstation is sending large volumes of data to an external host during off-hours. The analyst needs a data source that will show the volume of traffic, source and destination IP addresses, and ports of the conversations without capturing the full packet payloads. Which tool BEST meets this requirement?","acceptedAnswer":{"@type":"Answer","text":"NetFlow"},"suggestedAnswer":[{"@type":"Answer","text":"Full packet capture (PCAP)"},{"@type":"Answer","text":"SNMP traps"},{"@type":"Answer","text":"Antivirus logs"}]},{"@context":"https://schema.org","@type":"Question","text":"A company allows employees to connect personal laptops to the corporate network. Security wants to ensure that any device connecting has an updated antivirus signature and current OS patches before being granted access to internal resources. Which enterprise capability best accomplishes this?","acceptedAnswer":{"@type":"Answer","text":"Network Access Control (NAC) with posture assessment"},"suggestedAnswer":[{"@type":"Answer","text":"DNS filtering on the corporate resolver"},{"@type":"Answer","text":"A host-based intrusion prevention system (HIPS)"},{"@type":"Answer","text":"SSL/TLS decryption at the perimeter firewall"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviews authentication logs and discovers that a user account successfully authenticated from New York at 09:15 AM EST and then authenticated again from Singapore at 09:45 AM EST on the same day. The user is a marketing manager with no international travel scheduled. Which indicator of malicious activity is MOST clearly demonstrated?","acceptedAnswer":{"@type":"Answer","text":"Impossible travel"},"suggestedAnswer":[{"@type":"Answer","text":"Concurrent session usage"},{"@type":"Answer","text":"Account lockout"},{"@type":"Answer","text":"Credential replay attack"}]},{"@context":"https://schema.org","@type":"Question","text":"A network analyst investigating slow performance on a corporate LAN notices that multiple workstations show the same MAC address mapped to the default gateway's IP in their ARP caches, and packet captures reveal traffic destined for the gateway is being relayed through an unexpected internal host before reaching the router. What type of attack is most likely occurring?","acceptedAnswer":{"@type":"Answer","text":"On-path attack using ARP spoofing"},"suggestedAnswer":[{"@type":"Answer","text":"DNS poisoning"},{"@type":"Answer","text":"Distributed denial-of-service (DDoS)"},{"@type":"Answer","text":"Credential replay"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst notices that a workstation is periodically sending encrypted traffic to an unfamiliar external IP address on port 443. Firewall logs show only source, destination, and port information, which does not reveal what data is being transmitted. The analyst needs to examine the actual contents of the packets to determine whether sensitive data is being exfiltrated. Which data source should the analyst use?","acceptedAnswer":{"@type":"Answer","text":"A full packet capture of the workstation's traffic"},"suggestedAnswer":[{"@type":"Answer","text":"NetFlow records from the core switch"},{"@type":"Answer","text":"SNMP trap data from the firewall"},{"@type":"Answer","text":"The SIEM correlation dashboard"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company shares a single set of local administrator credentials among five system administrators for a critical database cluster. Auditors flagged this as a risk because individual actions cannot be attributed and the password is rarely rotated. The security team wants to enforce checkout of the credential, automatic rotation after each use, and full session logging. Which solution best addresses these requirements?","acceptedAnswer":{"@type":"Answer","text":"Deploy a password vaulting solution within a privileged access management platform"},"suggestedAnswer":[{"@type":"Answer","text":"Implement role-based access control on the database cluster"},{"@type":"Answer","text":"Require multifactor authentication for all administrator logins"},{"@type":"Answer","text":"Establish a standard account naming convention for administrators"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company must validate its disaster recovery plan without interrupting production operations. Management wants to confirm that the recovery site can fully process real transaction workloads and produce identical results to the primary site before an actual failover is ever needed. Which testing method best meets this requirement?","acceptedAnswer":{"@type":"Answer","text":"Parallel processing test"},"suggestedAnswer":[{"@type":"Answer","text":"Tabletop exercise"},{"@type":"Answer","text":"Full failover test"},{"@type":"Answer","text":"Simulation exercise"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst reviews authentication logs and notices that a single source IP attempted to log in to over 400 different user accounts within a 10-minute window. Each account received exactly one login attempt using the password 'Winter2025!', and none triggered an account lockout. Which type of attack does this pattern most likely indicate?","acceptedAnswer":{"@type":"Answer","text":"Password spraying"},"suggestedAnswer":[{"@type":"Answer","text":"Traditional brute-force attack"},{"@type":"Answer","text":"Credential replay"},{"@type":"Answer","text":"Dictionary attack against a single account"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services firm hires an external security team to test its customer portal. Management provides the testers with valid low-privilege user credentials and general documentation about the application's architecture, but withholds source code and administrative access. The goal is to simulate what an authenticated but non-privileged attacker could achieve. Which type of penetration test does this describe?","acceptedAnswer":{"@type":"Answer","text":"Partially known environment test"},"suggestedAnswer":[{"@type":"Answer","text":"Unknown environment test"},{"@type":"Answer","text":"Known environment test"},{"@type":"Answer","text":"Physical penetration test"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services firm hires an external security company to conduct offensive testing of its customer-facing web applications. Before the engagement begins, the CISO wants to formally document which IP ranges are in scope, the permitted testing hours, prohibited techniques such as denial-of-service, and the emergency contacts to notify if a critical system becomes unstable. Which document should be created to capture these details?","acceptedAnswer":{"@type":"Answer","text":"Rules of engagement"},"suggestedAnswer":[{"@type":"Answer","text":"Master service agreement (MSA)"},{"@type":"Answer","text":"Business impact analysis (BIA)"},{"@type":"Answer","text":"Statement of work (SOW)"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company wants to hire a security firm to test its external-facing web applications. Management wants the engagement to simulate a real external attacker who has no prior information about the systems, network topology, or credentials. The testers must perform their own reconnaissance to discover targets. Which type of penetration test should the company request?","acceptedAnswer":{"@type":"Answer","text":"Unknown environment test"},"suggestedAnswer":[{"@type":"Answer","text":"Known environment test"},{"@type":"Answer","text":"Partially known environment test"},{"@type":"Answer","text":"Defensive penetration test"}]},{"@context":"https://schema.org","@type":"Question","text":"A security awareness manager ran a one-time simulated phishing campaign six months ago. Leadership now wants to know whether employee susceptibility to phishing is actually improving over time. Which change to the awareness program will BEST provide this insight?","acceptedAnswer":{"@type":"Answer","text":"Conduct recurring phishing campaigns and track click and reporting rates across each cycle"},"suggestedAnswer":[{"@type":"Answer","text":"Add a signed acknowledgement of the acceptable use policy to the onboarding process"},{"@type":"Answer","text":"Deploy an email gateway that automatically quarantines suspected phishing messages"},{"@type":"Answer","text":"Require all employees to complete a single comprehensive security training module"}]},{"@context":"https://schema.org","@type":"Question","text":"An EDR platform triggers a high-severity alert indicating that a workstation is beaconing to a known command-and-control server. The SOC analyst wants to prevent the potentially compromised host from spreading laterally or exfiltrating data while preserving it for investigation. Which automated alert response action should the analyst take FIRST?","acceptedAnswer":{"@type":"Answer","text":"Quarantine the endpoint by isolating it from the network"},"suggestedAnswer":[{"@type":"Answer","text":"Reimage the workstation immediately to remove the malware"},{"@type":"Answer","text":"Tune the alert to reduce future false positives"},{"@type":"Answer","text":"Archive the EDR logs to long-term storage for compliance"}]},{"@context":"https://schema.org","@type":"Question","text":"An independent security researcher discovers a critical authentication bypass in a company's public web application. The company has no formal bug bounty program. The researcher privately emails the company's security team with technical details and states they will wait 90 days before publishing the findings publicly. Which vulnerability identification method does this describe?","acceptedAnswer":{"@type":"Answer","text":"Responsible disclosure"},"suggestedAnswer":[{"@type":"Answer","text":"Bug bounty"},{"@type":"Answer","text":"Penetration testing"},{"@type":"Answer","text":"Open-source intelligence"}]},{"@context":"https://schema.org","@type":"Question","text":"A customer in the EU submits a formal request to an online retailer, demanding that all of their personal data be permanently erased from the company's systems. The privacy team confirms there is no ongoing legal or contractual obligation to retain the data. Which privacy principle obligates the company to honor this request?","acceptedAnswer":{"@type":"Answer","text":"Right to be forgotten"},"suggestedAnswer":[{"@type":"Answer","text":"Data inventory requirement"},{"@type":"Answer","text":"Attestation and acknowledgement"},{"@type":"Answer","text":"Data sovereignty"}]},{"@context":"https://schema.org","@type":"Question","text":"The board of directors at a financial services firm issues a statement declaring that the organization is generally comfortable pursuing new fintech ventures but is unwilling to accept regulatory violations under any circumstances. The CISO must translate this high-level directive into an operational metric that defines the specific amount of variance from expected outcomes the organization will accept for its anti-money-laundering monitoring system before escalation is required. Which concept does the CISO need to define?","acceptedAnswer":{"@type":"Answer","text":"Risk tolerance"},"suggestedAnswer":[{"@type":"Answer","text":"Risk appetite"},{"@type":"Answer","text":"Exposure factor"},{"@type":"Answer","text":"Annualized rate of occurrence"}]},{"@context":"https://schema.org","@type":"Question","text":"A security analyst is performing a quantitative risk analysis for a critical database server. The asset value is $500,000, and a successful ransomware attack would cause 60% damage to the asset. Historical data indicates this type of attack occurs twice per year on average. What is the Annualized Loss Expectancy (ALE) for this risk scenario?","acceptedAnswer":{"@type":"Answer","text":"$600,000"},"suggestedAnswer":[{"@type":"Answer","text":"$300,000"},{"@type":"Answer","text":"$500,000"},{"@type":"Answer","text":"$1,000,000"}]},{"@context":"https://schema.org","@type":"Question","text":"A financial services company is evaluating the risk of a potential cloud provider outage that could disrupt critical trading systems. The annual cost of mitigation controls would be $180,000, while the estimated single loss from an outage is $2,500,000 with an expected occurrence of once every 10 years. The company decides to purchase cyber insurance with a $200,000 annual premium that covers up to $3,000,000 in losses. Which risk management strategy is the company implementing?","acceptedAnswer":{"@type":"Answer","text":"Risk transfer"},"suggestedAnswer":[{"@type":"Answer","text":"Risk mitigation"},{"@type":"Answer","text":"Risk avoidance"},{"@type":"Answer","text":"Risk acceptance"}]},{"@context":"https://schema.org","@type":"Question","text":"After recovering from a ransomware incident, a security team meets to determine why the initial infection succeeded. They discover that an unpatched VPN appliance allowed the attacker's initial access, and they document a plan to enforce a stricter patching SLA for all edge devices. Which incident response activity is the team performing?","acceptedAnswer":{"@type":"Answer","text":"Root cause analysis"},"suggestedAnswer":[{"@type":"Answer","text":"Containment"},{"@type":"Answer","text":"Eradication"},{"@type":"Answer","text":"Threat hunting"}]}]}
CompTIA · Intermediate · Full-length timed mock

CompTIA Security+ (SY0-701) (SY0-701) full-length practice exam

Sit a free, full-length SY0-701 mock exam under real timed conditions: 90 exam-style questions in 90 minutes — about 60 seconds per question — with 70% to pass. The clock runs in real time and the screen stays completely ad-free from the moment you start until you submit.

Verified answer90 questions90 minutes
90
Questions
90 min
Time limit
70%
Pass mark
5
Domains

How this timed SY0-701 mock exam works

  • One real-time clock. You get 90 minutes for all 90 questions. The timer counts down continuously — even if you close the tab — and the exam auto-submits the instant it reaches zero, exactly like the proctored test.
  • No answers until the end. Unlike topic drills, the mock hides feedback while you work. Choose an option, move on, and flag anything you want to revisit using the question navigator.
  • Jump around freely. The navigator grid shows which questions you have answered so you can manage your pace and return to skipped items before time runs out.
  • Your progress is saved. Answers, your place in the exam, and the remaining time are stored in your browser, so an accidental refresh drops you right back where you were.
  • Ad-free while you test. Ads only appear on this landing page. Once the exam starts, the screen is clean until you submit.

What your SY0-701 results show

When you submit, you get an overall score against the 70% pass mark and a per-domain breakdown. Weak domains are highlighted in amber so you know exactly where to focus, and every question links straight to its full explanation and a breakdown of why each wrong option is wrong.

General Security Concepts12% of exam
Threats, Vulnerabilities, and Mitigations22% of exam
Security Architecture18% of exam
Security Operations28% of exam
Security Program Management and Oversight20% of exam

How to get the most out of it

Treat this like the real exam: find a quiet hour, put your notes away, and do not pause. Aim to finish with a few minutes to spare so you can revisit flagged questions. If you clear the pass mark comfortably on two separate attempts, you are in good shape to book the live SY0-701. If a single domain keeps dragging you down, drill it on the topic pages, then come back and retake the full mock.

Disclaimer

Not affiliated with or endorsed by CompTIA. CompTIA, SY0-701, and related product names are trademarks or registered trademarks of their respective owners, used here for identification and study reference only. These practice questions are original study material written to align with the published SY0-701 exam objectives — none are reproduced from a live test. For authoritative, up-to-date requirements, always consult the official CompTIA certification documentation.

Ready for the full SY0-701 mock exam?

90 questions · 90 minutes · 70% to pass. The clock runs in real time and the screen stays ad-free until you submit — just like the real thing.