CompTIA Security+ (SY0-701) · Domain 2 · 22% of exam

Threats, Vulnerabilities, and Mitigations

Drill 15 practice questions focused entirely on Threats, Vulnerabilities, and Mitigations for the CompTIA SY0-701 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer15 questions
Question 1 of 15

A security analyst reviews authentication logs and discovers that a user account successfully logged in from New York at 09:00 AM EST and then from Tokyo at 09:45 AM EST on the same day. The account shows no other anomalies, and the user is currently on vacation. Which indicator of malicious activity is MOST likely present?

Reviewed for accuracy · Report an issue
Question 2 of 15

A security analyst reviewing authentication logs notices that a user account shows login activity from New York at 9:00 AM EST and from Singapore at 9:15 AM EST on the same day. The account has not logged out between these sessions. Which indicator of malicious activity is MOST likely present?

Reviewed for accuracy · Report an issue
Question 3 of 15

A security analyst reviews authentication logs and discovers that a user account from the finance department is currently logged in from two different locations: one session from the corporate office in New York at 2:15 PM EST, and another session from an IP address in Romania at 2:17 PM EST. Both sessions are actively accessing financial records. What type of indicator of malicious activity is MOST clearly demonstrated?

Reviewed for accuracy · Report an issue
Question 4 of 15

A security analyst discovers that several employees in the marketing department have been using personal cloud storage accounts to share large campaign files with external contractors, bypassing the company's approved file transfer system. The IT department was not aware of these services being used. Which type of threat actor does this scenario represent?

Reviewed for accuracy · Report an issue
Question 5 of 15

A security analyst reviewing authentication logs notices that a sales manager's account successfully logged in from an office in Chicago at 9:02 AM, and then a second successful login for the same account appeared from an IP address geolocated in Singapore at 9:14 AM. Both sessions remained active simultaneously. Which indicator of malicious activity BEST describes what the analyst has observed?

Reviewed for accuracy · Report an issue
Question 6 of 15

A security analyst reviewing authentication logs notices that a user account successfully logged in from an office in Chicago at 9:02 AM and then logged in again from an IP address geolocated in Singapore at 9:14 AM the same day. Both sessions authenticated successfully with the correct password. Which indicator of malicious activity does this BEST represent?

Reviewed for accuracy · Report an issue
Question 7 of 15

A security analyst reviews authentication logs and discovers that a user account successfully authenticated from New York at 09:15 AM EST, and the same account authenticated from Tokyo at 09:45 AM EST on the same day. No VPN connections were recorded for this user. What type of indicator of malicious activity has been identified?

Reviewed for accuracy · Report an issue
Question 8 of 15

A security analyst reviews authentication logs and discovers that a user account successfully authenticated from Tokyo, Japan at 08:15 UTC, and then the same account authenticated from New York, USA at 09:30 UTC the same day. There are no VPN connections associated with either login. Both authentication attempts were successful and used correct credentials. What indicator of malicious activity does this scenario BEST represent?

Reviewed for accuracy · Report an issue
Question 9 of 15

A security analyst reviews authentication logs and discovers that a user account successfully authenticated from New York at 09:15 AM EST and then authenticated again from Tokyo at 09:45 AM EST on the same day. Both login attempts were successful, and no VPN connections were detected. Which indicator of malicious activity is MOST likely present?

Reviewed for accuracy · Report an issue
Question 10 of 15

A security analyst reviews authentication logs and discovers that a user account successfully authenticated from New York at 09:15 AM EST and then authenticated again from Singapore at 09:45 AM EST on the same day. The user is a marketing manager with no international travel scheduled. Which indicator of malicious activity is MOST clearly demonstrated?

Reviewed for accuracy · Report an issue
Question 11 of 15

A security analyst receives an alert that a user's account authenticated successfully from New York at 9:00 AM EST and then authenticated again from Tokyo at 9:45 AM EST on the same day. The user is a finance employee who typically works from the New York office. Which indicator of malicious activity is MOST likely being observed?

Reviewed for accuracy · Report an issue
Question 12 of 15

A security analyst is investigating a breach where attackers gained access to the organization's research and development servers containing proprietary manufacturing designs for military equipment. The attackers spent three months conducting reconnaissance, used custom malware with advanced anti-forensics capabilities, and exfiltrated data without causing any system disruptions or requesting ransom. Which threat actor is MOST likely responsible for this attack?

Reviewed for accuracy · Report an issue
Question 13 of 15

A finance employee reports that after clicking a link in an internal-looking email, they entered credentials on a portal at 'micorsoft-login.com'. The company normally uses 'microsoft.com' services. The IT security team confirms the fraudulent site is nearly identical to the legitimate Microsoft login page. Which threat vector BEST describes the technique used to register the malicious domain?

Reviewed for accuracy · Report an issue
Question 14 of 15

A security engineer at a cloud hosting company is reviewing an incident where an attacker who controlled one tenant's virtual machine was able to execute code directly on the underlying host and access memory belonging to other tenants' VMs on the same physical server. Which type of vulnerability was exploited?

Reviewed for accuracy · Report an issue
Question 15 of 15

A security analyst reviewing web server logs for an e-commerce application notices repeated requests to the login page that contain strings such as ' OR '1'='1 and UNION SELECT username,password FROM users--. Shortly afterward, the application returned database error messages containing table and column names in the HTTP response. Which type of attack does this activity indicate?

Reviewed for accuracy · Report an issue

More SY0-701 practice

Keep going with the other CompTIA Security+ (SY0-701) domains, or take a full timed mock exam.

← Back to SY0-701 overview