CompTIA SecurityX (CAS-005) · Domain 4 · 22% of exam

Security Operations

Drill 20 practice questions focused entirely on Security Operations for the CompTIA CAS-005 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A security operations team at a multinational firm has been relying on quarterly authenticated internal vulnerability scans of its known asset inventory. During a recent breach investigation, responders discovered that the initial foothold was an internet-facing marketing microsite spun up by a business unit on a third-party cloud account that IT never inventoried. Leadership wants a program change that will systematically reduce the chance of another unknown internet-exposed asset being exploited. Which approach best addresses the underlying gap?

Reviewed for accuracy · Report an issue
Question 2 of 20

A hospital's business continuity plan is being revised after a ransomware incident forced a full recovery from backups. During recovery, teams restored systems alphabetically, which delayed the electronic health record (EHR) system and its authentication dependency for over 14 hours while a low-priority reporting server came online first. The CISO wants to prevent this during the next event. Which action MOST directly addresses the failure demonstrated during this recovery?

Reviewed for accuracy · Report an issue
Question 3 of 20

A vulnerability management analyst runs a weekly authenticated scan against a Linux server fleet. This week, one server that historically reported dozens of missing-patch findings suddenly reports only two open-port findings and no OS-level vulnerabilities. The scan job completed without errors, and the host is confirmed reachable. Other servers in the same subnet still return full patch-level results. What is the MOST likely explanation the analyst should investigate first?

Reviewed for accuracy · Report an issue
Question 4 of 20

During an enterprise incident, the SOC contained a compromised workload by isolating the affected host and rebuilding it from a golden image. Within 48 hours, the same malware family reappears on the rebuilt host and two adjacent servers. Endpoint telemetry shows the initial detection was a dropper, but the reinfection has no matching download event. Which action would most effectively prevent further reinfection during the eradication phase?

Reviewed for accuracy · Report an issue
Question 5 of 20

A cloud-hosted web application was compromised via an exploited API endpoint. During the enterprise incident response, the DFIR team discovers that CloudTrail management events are available but the S3 data-plane access logs and the application-tier logs were only retained for 7 days—well short of the estimated 6-week dwell time. Leadership demands a root-cause determination of the initial access vector. Which action MOST effectively enables the team to reconstruct the earliest attacker activity despite the retention gap?

Reviewed for accuracy · Report an issue
Question 6 of 20

During an enterprise incident, an analyst recovers a suspicious executable from a compromised finance workstation. The malware appears heavily packed, and static string extraction reveals only obfuscated data. The IR team needs to determine the file's command-and-control infrastructure and file-system modifications as quickly as possible while preserving the ability to attribute behavior to the sample. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 7 of 20

During an active intrusion on a Linux production server, the IR team must collect evidence before decommissioning the host. Business requires the server be reimaged within 30 minutes to restore service. The lead analyst wants to maximize forensic value while respecting the time constraint. Which data should be collected FIRST to preserve the most fragile evidence?

Reviewed for accuracy · Report an issue
Question 8 of 20

During an enterprise incident response engagement, a forensic analyst must acquire a bit-for-bit image of a suspect employee's laptop SSD that has already been powered off. The evidence may be used in future litigation. Which combination of actions BEST preserves the forensic integrity and admissibility of the acquired image?

Reviewed for accuracy · Report an issue
Question 9 of 20

During enterprise-scale incident response, a forensic analyst has collected disk images from five compromised hosts. Investigators need to reconstruct the exact sequence of attacker actions across filesystem metadata, registry hives, event logs, and browser artifacts to determine the initial access vector. Which approach best supports this reconstruction?

Reviewed for accuracy · Report an issue
Question 10 of 20

During an active incident, a SecurityX analyst confirms that a threat actor has compromised a domain-joined workstation and is using stolen Kerberos tickets to authenticate laterally to file servers. The finance department is actively closing quarter-end books and their file share resides on one of the targeted servers. Leadership has authorized aggressive containment but wants business disruption minimized. Which containment action BEST limits lateral movement while preserving evidence and critical business function?

Reviewed for accuracy · Report an issue
Question 11 of 20

During a busy shift, a SOC receives four concurrent alerts. The incident response plan requires analysts to triage based on business impact and containment urgency before assigning resources. Which alert should be classified as the highest severity and worked first?

Reviewed for accuracy · Report an issue
Question 12 of 20

After a major ransomware incident, a security operations manager is asked to establish measurable improvements for the incident response program. During the lessons-learned review, the team notes that although the malware was contained quickly, three days passed between the initial phishing compromise and the first analyst alert. The manager wants to select a single metric that most directly targets this specific weakness so improvement can be tracked over future incidents. Which metric should the manager prioritize?

Reviewed for accuracy · Report an issue
Question 13 of 20

During an active incident on a Linux production database server, the responder confirms suspicious outbound connections from a process with no matching binary on disk (fileless malware indicator). The server cannot be immediately taken offline due to business impact, and legal has requested court-admissible evidence. Which action should the responder take FIRST to preserve the most probative evidence?

Reviewed for accuracy · Report an issue
Question 14 of 20

A financial services firm hires an external red team to conduct a penetration test against its customer-facing web application. Midway through the engagement, the testers discover that the application shares a database backend with an internal HR system that was explicitly excluded from the signed scope. The testers realize they could pivot to the HR data through a SQL injection flaw. What is the MOST appropriate action for the red team to take?

Reviewed for accuracy · Report an issue
Question 15 of 20

Following a major outage caused by a ransomware infection that spread from a single phishing-compromised workstation, the incident response team has completed containment and full recovery. During the lessons-learned meeting, the security manager wants to ensure the review produces durable improvements rather than assigning individual blame. Which approach BEST supports identifying systemic corrective actions at the root-cause level?

Reviewed for accuracy · Report an issue
Question 16 of 20

A security operations manager wants to validate whether the SOC can detect the specific TTPs used by a threat actor known to target their industry. The red team has already demonstrated it can achieve initial access and lateral movement, but the manager is frustrated that detection engineering never improved afterward because the red team report only listed successful compromises without SOC visibility details. Which approach BEST addresses this gap going forward?

Reviewed for accuracy · Report an issue
Question 17 of 20

A SOC team receives over 4,000 alerts per day from a rule that flags any outbound connection to a newly-registered domain. Analysts report severe alert fatigue, and a genuine command-and-control beacon was recently missed because it was buried among benign marketing and CDN domains. Leadership demands a fix that preserves detection of malicious beaconing while reducing analyst workload. Which approach best addresses the root problem?

Reviewed for accuracy · Report an issue
Question 18 of 20

A SOC analyst is building a SIEM correlation rule to detect credential-stuffing attacks against a public-facing authentication API. The current rule fires an alert whenever ANY of the following occur: more than 50 failed logins from a single IP in 5 minutes, OR failed logins across more than 20 distinct usernames from one IP, OR a login from a geolocation the account has never used. During the first week, the rule generated over 4,000 alerts, of which fewer than 20 were confirmed malicious, overwhelming the team. Management wants higher-fidelity detection without deploying new tooling. Which change to the correlation logic will BEST improve alert fidelity for this specific attack pattern?

Reviewed for accuracy · Report an issue
Question 19 of 20

A SOC analyst at a global logistics company reviews raw SIEM alerts and finds that a high volume of 'impossible travel' authentication alerts are being generated. Investigation reveals that many involve legitimate users connecting through the company's regional VPN concentrators and corporate proxy egress points, which cause geolocation to appear inconsistent. The SOC lead wants to reduce noise while preserving genuine detection capability for compromised credentials. Which action MOST effectively improves the fidelity of these detections?

Reviewed for accuracy · Report an issue
Question 20 of 20

During an enterprise incident investigation, analysts notice that correlation rules across the SIEM are failing to link related events from the firewall, the domain controllers, and a cloud IdP. Manual review confirms the events are genuinely related, but the SIEM's timeline shows them scattered across hours that do not match the true sequence. Each source is forwarding logs successfully with no drops. What is the MOST likely root cause the SIEM engineering team should investigate first?

Reviewed for accuracy · Report an issue

More CAS-005 practice

Keep going with the other CompTIA SecurityX (CAS-005) domains, or take a full timed mock exam.

← Back to CAS-005 overview