CompTIA Security+ Exam 2026 Questions and Answers
An IT team rolls out a new management application that uses a randomly generated MFA token sent to the administrator’s phone. Despite this new MFA precaution, there is a security breach of the same software. Which of the following describes this kind of attack?
Which of the following methods to secure credit card data is best to use when a requirement is to see only the last four numbers on a credit card?
An engineer moved to another team and is unable to access the new team ' s shared folders while still being able to access the shared folders from the former team. After opening a ticket, the engineer discovers that the account was never moved to the new group. Which of the following access controls is most likely causing the lack of access? 1
A security analyst reviews logs and finds a large number of malicious requests that have caused performance issues on the company ' s site. Which of the following would have most likely prevented this attack?
A security team created a document that details the order in which critical systems should be through back online after a major outage. Which of the following documents did the team create?
When trying to access an internal website, an employee reports that a prompt displays, stating that the site is insecure. Which of the following certificate types is the site most likely using?
To which of the following security categories does an EDR solution belong?
An important patch for a critical application has just been released, and a systems administrator is identifying all of the systems requiring the patch. Which of the following must be maintained in order to ensure that all systems requiring the patch are updated?
After a series of account compromises and credential misuse, a company hires a security manager to develop a security program. Which of the following steps should the security manager take first to increase security awareness?
A security engineer configured a remote access VPN. The remote access VPN allows end users to connect to the network by using an agent that is installed on the endpoint, which establishes an encrypted tunnel. Which of the following protocols did the engineer most likely implement?
Which of the following outlines the configuration, maintenance, and security roles between a cloud service provider and the customer?
A company discovers suspicious transactions that were entered into the company ' s database and attached to a user account that was created as a trap for malicious activity. Which of the following is the user account an example of?
An organization experiences a suspected data breach that affects sensitive client information. The incident response team must preserve logs, server images, and email communications related to the breach. Which of the following best describes this course of action?
A security analyst is creating the first draft of a network diagram for the company ' s new customer-facing payment application that will be hosted by a third-party cloud service
provider.


A business received a small grant to migrate its infrastructure to an off-premises solution. Which of the following should be considered first?
Which of the following best explains a concern with OS-based vulnerabilities?
Which of the following Is a common, passive reconnaissance technique employed by penetration testers in the early phases of an engagement?
A few weeks after deploying additional email servers, a company begins to receive complaints that messages are going into recipients’ spam folders. Which of the following needs to be updated?
Which of the following vulnerabilities is exploited when an attacker overwrites a register with a malicious address?
A security analyst is monitoring logs from the organization ' s SIEM and identifies logs related to one of their salespeople:
Time | IP address | Location | EmpID | App | Status
14:02 | 72.45.38.27 | Atlanta | 25687 | VPN | Success
14:04 | 72.45.38.27 | Atlanta | 25687 | Email | Failure
14:07 | 58.67.47.48 | Beijing | 25687 | VPN | Success
14:15 | 72.45.38.27 | Atlanta | 25687 | Teams | Success
Which of the following is being displayed in the logs?
Alerts from email protection systems and MSSPs must be entered into an IT service management system and assigned to the security team. Which of the following should an organization implement to enable this functionality?
An organization is leveraging a VPN between its headquarters and a branch location. Which of the following is the VPN protecting?
A systems administrator set up a perimeter firewall but continues to notice suspicious connections between internal endpoints. Which of the following should be set up in order to mitigate the threat posed by the suspicious activity?
Which of the following would be best suited for constantly changing environments?
A new employee logs in to the email system for the first time and notices a message from human resources about onboarding. The employee hovers over a few of the links within the email and discovers that the links do not correspond to links associated with the company. Which of the following attack vectors is most likely being used?
A security analyst sees an increase of vulnerabilities on workstations after a deployment of a company group policy. Which of the following vulnerability types will the analyst most likely find on the workstations?
A security architect wants to prevent employees from receiving malicious attachments by email. Which of the following functions should the chosen solution do?
An IT administrator needs to ensure data retention standards are implemented on an enterprise application. Which of the following describes the administrator ' s role?
Which of the following is the best way to provide secure remote access for employees while minimizing the exposure of a company ' s internal network?
An accounting clerk sent money to an attacker ' s bank account after receiving fraudulent instructions over the phone to use a new account. Which of the following would most likely prevent this activity in the future?
An attacker uses XSS to compromise a web server. Which of the following solutions could have been used to prevent this attack?
Which of the following best explains the role of compensating controls?
Which of the following solutions would most likely be used in the financial industry to mask sensitive data?
Which of the following technologies assists in passively verifying the expired status of a digital certificate?
The help desk receives multiple calls that machines with an outdated OS version are running slowly. Several users are seeing virus detection alerts. Which of the following mitigation techniques should be reviewed first?
An administrator installs an SSL certificate on a new system. During testing, errors indicate that the certificate is not trusted. The administrator has verified with the issuing CA and has validated the private key. Which of the following should the administrator check for next?
Which of the following are the most important considerations when encrypting data? (Select two).
Which of the following is the most likely motivation for a company administrator to look at an employee ' s personal information in a database?
An external security assessment report indicates a high click rate on suspicious emails. The Chief Intelligence Security Officer (CISO) must reduce this behavior. Which of the following should the CISO do first?
A company is in the process of cutting jobs to manage costs. The Chief Information Security Officer is concerned about the increased risk of an insider threat. Which of the following will most likely help the security awareness team address this potential threat?
Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer’s PII?
A company processes and stores sensitive data on its own systems. Which of the following steps should the company take first to ensure compliance with privacy regulations?
Which of the following would most likely be used by attackers to perform credential harvesting?
An organization has learned that its data is being exchanged on the dark web. The CIO
has requested that you investigate and implement the most secure solution to protect employee accounts.
INSTRUCTIONS
Review the data to identify weak security practices and provide the most appropriate
security solution to meet the CIO ' s requirements.

Prior to implementing a design change, the change must go through multiple steps to ensure that it does not cause any security issues. Which of the following is most likely to be one of those steps?
Which of the following digital forensics activities would a security team perform when responding to legal requests in a pending investigation?
An organization plans to increase security controls for devices that connect to its internal network. The additional security control must perform port-based authentication as part of the connection process. Which of the following should the organization implement?
A systems administrator is auditing all company servers to ensure. They meet the minimum security baseline While auditing a Linux server, the systems administrator observes the /etc/shadow file has permissions beyond the baseline recommendation. Which of the following commands should the systems administrator use to resolve this issue?
An organization wants to deploy software in a container environment to increase security. Which of the following will limit the organization ' s ability to achieve this goal?
Which of the following uses proprietary controls and is designed to function in harsh environments over many years with limited remote access management?
Which of the following allows an exploit to go undetected by the operating system?
A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the planning process? (Select two).
A security analyst receives an alert that an employee has clicked on a phishing email and exposed their credentials. Which of the following should the analyst do?
A business provides long-term cold storage services to banks that are required to follow regulator-imposed data retention guidelines. Banks that use these services require that data is disposed of in a specific manner at the conclusion of the regulatory threshold for data retention. Which of the following aspects of data management is the most important to the bank in the destruction of this data?
A company experiences a data loss event due to a stolen laptop. In order to prevent future similar events, a security analyst must implement a scalable solution to ensure all data on company laptops remains secure in the event of theft or loss. Which of the following should the analyst do next?
Which of the following should a company use to provide proof of external network security testing?
A security engineer needs to analyze the implications of moving proprietary company data from a local server to a public cloud storage service. Which of the following actions should the engineer take first?
An organization is evaluating new regulatory requirements associated with the implementation of corrective controls on a group of interconnected financial systems. Which of the following is the most likely reason for the new requirement?
Which of the following is a reason an organization should use different CSPs for a critical financial application?
An IT security team is concerned about the confidentiality of documents left unattended in MFPs. Which of the following should the security team do to mitigate the situation?
Which of the following objectives is best achieved by a tabletop exercise?
A company asks a vendor to help its internal red team with a penetration test without providing too much detail about the infrastructure. Which of the following penetration testing methods does this scenario describe?
An organization is implementing a COPE mobile device management policy. Which of the following should the organization include in the COPE policy? (Select two).
A security analyst is reviewing logs to identify the destination of command-and-control traffic originating from a compromised device within the on-premises network. Which of the following is the best log to review?
Which of the following explains how to determine the global regulations that data is subject to regardless of the country where the data is stored?
A network administrator wants to ensure that network traffic is highly secure while in transit. Which of the following actions best describes the actions the network administrator should take?
A systems administrator receives an alert that a company ' s internal file server is very slow and is only working intermittently. The systems administrator reviews the server management software and finds the following information about the server:

Which of the following indicators most likely triggered this alert?
Which of the following would be the greatest concern for a company that is aware of the consequences of non-compliance with government regulations?
Which of the following best describe why a process would require a two-person integrity security control?
Which of the following considerations is the most important for an organization to evaluate as it establishes and maintains a data privacy program?
An employee receives a text message that appears to have been sent by the payroll department and is asking for credential verification. Which of the following social engineering techniques are being attempted? (Choose two.)
Which of the following mitigation techniques would a security analyst most likely use to avoid bloatware on devices?
An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?
An attacker submits a request containing unexpected characters in an attempt to gain unauthorized access to information within the underlying systems. Which of the following best describes this attack?
A security administrator recently reset local passwords and the following values were recorded in the system:

Which of the following in the security administrator most likely protecting against?
A few weeks after deploying additional email servers, employees complain that messages are being marked as spam. Which needs to be updated?
A company is currently utilizing usernames and passwords, and it wants to integrate an MFA method that is seamless, can Integrate easily into a user ' s workflow, and can utilize employee-owned devices. Which of the following will meet these requirements?
Which of the following techniques would attract the attention of a malicious attacker in an insider threat scenario?
A company’s web filter is configured to scan the URL for strings and deny access when matches are found. Which of the following search strings should an analyst employ to prohibit access to non-encrypted websites?
Which of the following security measures is required when using a cloud-based platform for loT management?
Various company stakeholders meet to discuss roles and responsibilities in the event of a security breach that would affect offshore offices. Which of the following is this an example of?
An administrator must replace an expired SSL certificate. Which of the following does the administrator need to create the new SSL certificate?
A security professional discovers a folder containing an employee ' s personal information on the enterprise ' s shared drive. Which of the following best describes the data type the securityprofessional should use to identify organizational policies and standards concerning the storage of employees ' personal information?
Which of the following is most likely to be used as a just-in-time reference document within a security operations center?
Which of the following steps in the risk management process involves establishing the scope and potential risks involved with a project?
A systems administrator is redesigning now devices will perform network authentication. The following requirements need to be met:
• An existing Internal certificate must be used.
• Wired and wireless networks must be supported
• Any unapproved device should be Isolated in a quarantine subnet
• Approved devices should be updated before accessing resources
Which of the following would best meet the requirements?
A company must ensure that log searches are conducted in the shortest time frame. Which of the following should the company do to maintain logs in live storage for 90 days?
Which of the following best describes the concept of information being stored outside of its country of origin while still being subject to the laws and requirements of the country of origin?
Which vulnerability is most likely mitigated by setting up an MDM platform?
A user needs to complete training at After manually entering the URL, the user sees that the accessed website is noticeably different from the standard company website. Which of the following is the most likely explanation for the difference?
The Chief Information Security Officer (CISO) requires that new servers include hardware-level memory encryption. Which of the following data states does the CISO want to protect?
Which of the following is prevented by proper data sanitization?
Which of the following explains how regular patching helps mitigate risks when securing an enterprise environment?
Which of the following security threats aims to compromise a website that multiple employees frequently visit?
An organization has a new regulatory requirement to implement corrective controls on a financial system. Which of the following is the most likely reason for the new requirement?
A company requires hard drives to be securely wiped before sending decommissioned systems to recycling. Which of the following best describes this policy?
A vendor needs to remotely and securely transfer files from one server to another using the command line. Which of the following protocols should be Implemented to allow for this type of access? (Select two).
A security analyst receives an alert from a corporate endpoint used by employees to issue visitor badges. The alert contains the following details:
Which of the following best describes the indicator that triggered the alert?
An employee recently resigned from a company. The employee was responsible for managing and supporting weekly batch jobs over the past five years. A few weeks after the employee resigned. one of the batch jobs talked and caused a major disruption. Which of the following would work best to prevent this type of incident from reoccurring?
A manufacturing organization receives the results from a penetration test. According to the results, legacy devices that are critical to continued business function display vulnerabilities. The devices have minimal vendor support and should be segmented and monitored closely. Which of the following devices were most likely identified?
Which of the following best explains the benefit of using asymmetric encryption?
A company is required to use certified hardware when building networks. Which of the following best addresses the risks associated with procuring counterfeit hardware?
The Chief Information Security Officer wants to discuss options for a disaster recovery site that allows the business to resume operations as quickly as possible. Which of the following solutions meets this requirement?
An attacker used XSS to compromise a web server. Which of the following solutions could have been used to prevent this attack?
A hacker gained access to a system via a phishing attempt that was a direct result of a user clicking a suspicious link. The link laterally deployed ransomware, which laid dormant for multiple weeks, across the network. Which of the following would have mitigated the spread?
An organization has been experiencing issues with deleted network share data and improperly assigned permissions. Which of the following would best help track and remediate these issues?
Which of the following best describe the benefits of a microservices architecture when compared to a monolithic architecture? (Select two).
Which of the following security controls would best guard a payroll system against insider manipulation threats?
An alert references attacks associated with a zero-day exploit. An analyst places a bastion host in the network to reduce the risk of the exploit. Which of the following types of controls is the analyst implementing?
Which of the following best describes the main difference between an MOU and an SOW?
A systems administrator needs to encrypt all data on employee laptops. Which of the following encryption levels should be implemented?
A network manager wants to protect the company ' s VPN by implementing multifactor authentication that uses:
. Something you know
. Something you have
. Something you are
Which of the following would accomplish the manager ' s goal?
Which of the following is an example of change management?
A new corporate policy requires all staff to use multifactor authentication to access company resources. Which of the following can be utilized to set up this form of identity and access management? (Select two)
A user sends an email that includes a digital signature for validation. Which of the following security concepts would ensure that a user cannot deny that they sent the email?
An administrator must implement a solution that provides security and network connectivity between two companies. Which of the following infrastructure solutions is the best for this purpose?
During a recent log review, an analyst found evidence of successful injection attacks. Which of the following will best address this issue?
Which of the following is the most relevant reason a DPO would develop a data inventory?
An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift cards. Which of the following techniques is the attacker using?
Which of the following is a prerequisite for a DLP solution?
Which of the following vulnerabilities would likely be mitigated by setting up an MDM platform?
Which of the following would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?
A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks.
Which of the following analysis elements did the company most likely use in making this decision?
During a routine audit, an analyst discovers that a department at a high school uses a simulation program that was not properly vetted before deployment. Which of the following threats is this an example of?
A security engineer receives reports of unauthorized devices on the organization ' s network. Which of the following best describes a secure and effective way to mitigate the risks?
Which of the following is used to quantitatively measure the criticality of a vulnerability?
A software developer released a new application and is distributing application files via the developer’s website. Which of the following should the developer post on the website to allow users to verify the integrity of the downloaded files?
Which of the following should a technician perform to verify the integrity of a file transferred from one device to another?
Which of the following log sources best detects port scan activity?
Which of the following control types involves restricting IP connectivity to a router ' s web management interface to protect it from being exploited by a vulnerability?
The Chief Information Security Officer wants to put security measures in place to protect PlI. The organization needs to use its existing labeling and classification system to accomplish this goal. Which of the following would most likely be configured to meet the requirements?
Employees are missing features on company-provided tablets, affecting productivity. Management demands resolution in 48 hours. Which is the best solution?
Which of the following should a security analyst consider when prioritizing remediation efforts against known vulnerabilities?
An organization plans to expand its operations internationally and needs to keep data at the new location secure. The organization wants to use the most secure architecture model possible. Which of the following models offers the highest level of security?
The private key for a website was stolen, and a new certificate has been issued. Which of the following needs to be updated next?
After a recent ransomware attack on a company ' s system, an administrator reviewed the log files. Which of the following control types did the administrator use?
Which of the following should be deployed on an externally facing web server in order to establish an encrypted connection?
Which of the following is a type of vulnerability that refers to the unauthorized installation of applications on a device through means other than the official application store?
A company is developing a critical system for the government and storing project information on a fileshare. Which of the following describes how this data will most likely be classified? (Select two).
An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?
Which of the following would be the best way to block unknown programs from executing?
A company wants to reduce the time and expense associated with code deployment. Which of the following technologies should the company utilize?
Which of the following would be the best way to handle a critical business application that is running on a legacy server?
A systems administrator needs to ensure the secure communication of sensitive data within the organization ' s private cloud. Which of the following is the best choice for the administrator to implement?
A small business uses kiosks on the sales floor to display product information for customers. A security team discovers the kiosks use end-of-life operating systems. Which of the following is the security team most likely to document as a security implication of the current architecture?
A security analyst reviews domain activity logs and notices the following:

Which of the following is the best explanation for what the security analyst has discovered?
A security analyst locates a potentially malicious video file on a server and needs to identify both the creation date and the file ' s creator. Which of the following actions would most likely give the security analyst the information required?
A company that has a large IT operation is looking to better control, standardize, and lower the time required to build new servers. Which of the following architectures will best achieve the company’s objectives?
A store is setting up wireless access for their employees. Management wants to limit the number of access points while ensuring all areas of the store are covered. Which of the following tools will help management determine the number of access points needed?
An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?
An administrator is estimating the cost associated with an attack that could result in the replacement of a physical server. Which of the following processes is the administrator performing?
A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring?
A systems administrator just purchased multiple network devices. Which of the following should the systems administrator perform to prevent attackers from accessing the devices by using publicly available information?
An administrator is installing an SSL certificate on a new system. During testing, errors indicate that the certificate is not trusted. The administrator has verified with the issuing CA and has validated the private key. Which of the following should the administrator check for next?
The Chief Information Security Officer gives the security community the opportunity to report vulnerabilities on the organization’s public-facing assets. Which of the following does this scenario best describe?
An employee asks a security analyst to scan a suspicious email that contains a link to a file on a file-sharing site. The analyst determines that the file is safe after downloading and scanning the file with antivirus software. When the employee opens the file, their device is infected with ransomware. Which of the following steps should the analyst have taken?
A company ' s website is Company. com Attackers purchased the domain company.com Which of the following types of attacks describes this example?
Which of the following would be the best way to test resiliency in the event of a primary power failure?
A security analyst needs to propose a remediation plan ' or each item in a risk register. The item with the highest priority requires employees to have separate logins for SaaS solutions and different password complexity requirements for each solution. Which of the following implementation plans will most likely resolve this security issue?
An organization maintains intellectual property that it wants to protect. Which of the following concepts would be most beneficial to add to the company ' s security awareness training program?
A company ' s antivirus solution is effective in blocking malware but often has false positives. The security team has spent a significant amount of time on investigations but cannot determine a root cause. The company is looking for a heuristic solution. Which of the following should replace the antivirus solution?
After completing an annual external penetration test, a company receives the following guidance:
Decommission two unused web servers currently exposed to the internet.
Close 18 open and unused ports found on their existing production web servers.
Remove company email addresses and contact info from public domain registration records.
Which of the following does this represent?
A bank set up a new server that contains customers ' Pll. Which of the following should the bank use to make sure the sensitive data is not modified?
Which of the following best describes why me SMS DIP authentication method is more risky to implement than the TOTP method?
While reviewing logs, a security administrator identifies the following code:
< script > function(send_info) < /script >
Which of the following best describes the vulnerability being exploited?
An administrator discovers a cross-site scripting vulnerability on a company website. Which of the following will most likely remediate the issue?
A Chief Information Officer wants to ensure that network devices cannot connect to the public internet or the local network to directly perform firmware updates. The IT team must manually perform the update process by using a portable device. Which of the following architecture types best fits this description?
Which of the following is a common data removal option for companies that want to wipe sensitive data from hard drives in a repeatable manner but allow the hard drives to be reused?
The executive management team is mandating the company develop a disaster recovery plan. The cost must be kept to a minimum, and the money to fund additional internet connections is not available. Which of the following would be the best option?
An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?
A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider?
Which of the following is the best safeguard to protect against an extended power failure?
Which of the following most accurately describes the order in which a security engineer should implement secure baselines?
A security analyst is investigating an alert that was produced by endpoint protection software. The analyst determines this event was a false positive triggered by an employee who attempted to download a file. Which of the following is the most likely reason the download was blocked?
A Chief Information Security Officer is developing procedures to guide detective and corrective activities associated with common threats, including phishing, social engineering, and business email compromise. Which of the following documents will be most relevant to revise as part of this process?
While updating the security awareness training, a security analyst wants to address issues created if vendors ' email accounts are compromised. Which of the following recommendations should the security analyst include in the training?
Which of the following are the best for hardening end-user devices? (Selecttwo)
After multiple phishing simulations, the Chief Security Officer announces a new program that incentivizes employees to not click phishing links in the upcoming quarter. Which of the following security awareness execution techniques does this represent?
A company plans to secure its systems by:
Preventing users from sending sensitive data over corporate email
Restricting access to potentially harmful websites
Which of the following features should the company set up? (Select two).
A network security analyst monitors the network’s IDS, which has flagged unusual activity. The IDS has detected multiple login attempts to a database server within a short period. These attempts come from various IP addresses that are not normally recognized by the network’s usual traffic patterns. Each attempt uses the same username and password. Based on the following log output (corrected formatting for readability):
2025-04-10 14:22:01.4532 — Source IP: 192.168.15.101 — Status: Failed — User: JDoe — Action: Login Attempt
2025-04-10 14:22:02.1122 — Source IP: 192.168.15.102 — Status: Failed — User: JDoe — Action: Login Attempt
2025-04-10 14:22:02.7835 — Source IP: 192.168.15.103 — Status: Failed — User: JDoe — Action: Login Attempt
2025-04-10 14:22:03.5637 — Source IP: 192.168.15.104 — Status: Failed — User: JDoe — Action: Login Attempt
2025-04-10 14:22:04.9474 — Source IP: 192.168.15.105 — Status: Failed — User: JDoe — Action: Login Attempt
2025-04-10 14:22:05.5673 — Source IP: 192.168.15.106 — Status: Failed — User: JDoe — Action: Login Attempt
2025-04-10 14:22:06.1573 — Source IP: 192.168.15.107 — Status: Failed — User: JDoe — Action: Login Attempt
2025-04-10 14:22:07.7462 — Source IP: 192.168.15.108 — Status: Failed — User: JDoe — Action: Login Attempt
Which of the following types of network attacks is most likely occurring?
After a recent vulnerability scan, a security engineer needs to harden the routers within the corporate network. Which of the following is the most appropriate to disable?
A small business initially plans to open common communications ports (21, 22, 25, 80, 443) on its firewall to allow broad access to its screened subnet. However, their security consultant advises against this action. Which of the following security principles is the consultant addressing?
A company prevented direct access from the database administrators’ workstations to the network segment that contains database servers. Which of the following should a database administrator use to access the database servers?
A penetration test identifies that an SMBvl Is enabled on multiple servers across an organization. The organization wants to remediate this vulnerability in the most efficient way possible. Which of the following should the organization use for this purpose?
Which of the following is an example of a data protection strategy that uses tokenization?
Which of the following should be used to prevent changes to system-level data?
Which of the following roles, according to the shared responsibility model, is responsible for securing the company’s database in an IaaS model for a cloud environment?
After a company was compromised, customers initiated a lawsuit. The company ' s attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take?
Sine© a recent upgrade (o a WLAN infrastructure, several mobile users have been unable to access the internet from the lobby. The networking team performs a heat map survey of the building and finds several WAPs in the area. The WAPs are using similar frequencies with high power settings. Which of the following installation considerations should the security team evaluate next?
Cadets speaking a foreign language are using company phone numbers to make unsolicited phone calls lo a partner organization. A security analyst validates through phone system logs that the calls are occurring and the numbers are not being spoofed. Which of the following is the most likely explanation?
An organization implemented cloud-managed IP cameras to monitor building entry points and sensitive areas. The service provider enables direct TCP/IP connection to stream live video footage from each camera. The organization wants to ensure this stream is encrypted and authenticated. Which of the following protocols should be implemented to best meet this objective?
Which of the following best describes a common use of OSINT?
Which of the following actors attacking an organization is the most likely to be motivated by personal beliefs?
A company wants to minimize the chance of its outgoing marketing emails getting flagged as spam. The company decides to list the email servers on the proper DNS record. Which of the following protocols should the company apply next?
Which of the following should an organization focus on the most when making decisions about vulnerability prioritization?
Which of the following would best explain why a security analyst is running daily vulnerability scans on all corporate endpoints?
A security manager wants to reduce the number of steps required to identify and contain basic threats. Which of the following will help achieve this goal?
A company processes a large volume of business-to-business transactions and prioritizes data confidentiality over transaction availability. The company’s firewall administrator must configure a new hardware-based firewall to replace the current one. Which of the following should the administrator do to best align with the company requirements in case a security event occurs?
Which of the following activities uses OSINT?
Which of the following can a security director use to prioritize vulnerability patching within a company ' s IT environment?
Which of the following most securely protects data at rest?
A company has yearly engagements with a service provider. The general terms and conditions are the same for all engagements. The company wants to simplify the process and revisit the general terms every three years. Which of the following documents would provide the best way to set the general terms?
Which of the following security control types does an acceptable use policy best represent?
Which of the following should be used to ensure a device is inaccessible to a network-connected resource?
An administrator has identified and fingerprinted specific files that will generate an alert if an attempt is made to email these files outside of the organization. Which of the following best describes the tool the administrator is using?
A network engineer is increasing the overall security of network devices and needs to harden the devices. Which of the following will best accomplish this task?
Which of the following can assist in recovering data if the decryption key is lost?
While troubleshooting an internal resource ' s poor performance for an end user, a network engineer performs a traceroute on the end device and receives the following output:
C:\User > tracert 10.100.15.20
Tracing route to [internal.resource.org] 10.100.15.20
over a maximum of 30 hops:
1 200 ms 200 ms 200 ms 10.20.10.10
2 5 ms 3 ms 3 ms 10.20.10.1
3 20 ms 20 ms 10 ms 10.25.10.10
4 10 ms 8 ms 10 ms 10.30.110.1
5 5 ms 6 ms 3 ms 10.100.15.20
The engineer performs a traceroute from a device that is not experiencing poor performance but is connected to the same port. The engineer receives the following output:
C:\Engineer > tracert 10.100.15.20
Tracing route to [internal.resource.org] 10.100.15.20
over a maximum of 30 hops:
1 5 ms 3 ms 3 ms 10.20.10.1
2 20 ms 20 ms 10 ms 10.25.10.10
3 10 ms 8 ms 10 ms 10.30.110.1
4 5 ms 6 ms 3 ms 10.100.15.20
Which of the following is most likely occurring?
Which of the following data protection strategies can be used to confirm file integrity?
A network administrator must turn off insecure protocols after a recent inspection. Which of the following best describes the vulnerability the network administrator is remediating?
A security analyst reviews web server logs and sees the following entries:
16.22.48.102 -- 26/April/2023 22:00:04.33 GET " " 200
16.22.48.102 -- 26/April/2023 22:00:07.23 GET " " 404
16.22.48.102 -- 26/April/2023 22:01:16.03 GET " " 404
16.22.48.102 -- 26/April/2023 22:03:10.25 GET " " 404
16.22.48.102 -- 26/April/2023 22:05:11.22 GET " " 404
Which of the following attacks is most likely being attempted?
A company has begun labeling all laptops with asset inventory stickers and associating them with employee IDs. Which of the following security benefits do these actions provide? (Choose two.)
A Chief Information Officer wants to ensure that network devices cannot connect to the public internet and the local network to directly perform firmware updates. The IT team must manually perform the update process by using a portable device. Which of the following architecture types best fits this description?
A systems administrator notices that the research and development department is not using the company VPN when accessing various company-related services and systems. Which of the following scenarios describes this activity?
A security consultant is working with a client that wants to physically isolate its secure systems. Which of the following best describes this architecture?
During a risk treatment exercise, an administrator discovers a risk that cannot be mitigated. Which of the following best describes this situation?
A security analyst collects IOCs from a cybersecurity bulletin. Which of the following should the analyst do next to assess if an environment is compromised?
A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization. The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use?
Which of the following definitions best describes the concept of log co-relation?
Users at a company are reporting they are unable to access the URL for a new retail website because it is flagged as gambling and is being blocked.
Which of the following changes would allow users to access the site?
A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO ' s report?
An employee decides to collect PII data from the company ' s system for personal use. The employee compresses the data into a single encrypted file before sending the file to their personal email. The security department becomes aware of the attempted misuse and blocks the attachment from leaving the corporate environment. Which of the following types of employee training would most likely reduce the occurrence of this type of issue?
(Select two).
A company recently decided to allow employees to work remotely. The company wants to protect us data without using a VPN. Which of the following technologies should the company Implement?
A security practitioner completes a vulnerability assessment on a company ' s network and finds several vulnerabilities, which the operations team remediates. Which of the following should be done next?
Which of the following actions best addresses a vulnerability found on a company ' s web server?
Which of the following best explains the use of a policy engine in a Zero Trust environment?
A security analyst determines that a security breach will have a financial impact of $15,000 and is expected to occur twice within a three-year period. Which of the following is the ALE for this risk?
A security analyst reviews firewall configurations and finds that firewalls are configured to fail-open mode in the event of a crash. Which of the following describes the security risk associated with this configuration?
Employees sign an agreement that restricts specific activities when leaving the company. Violating the agreement can result in legal consequences. Which of the following agreements does this best describe?
The security team at a large global company needs to reduce the cost of storing data used for performing investigations. Which of the following types of data should have its retention length reduced?
You are security administrator investigating a potential infection on a network.
Click on each host and firewall. Review all logs to determine which host originated the Infecton and then deny each remaining hosts clean or infected.







While troubleshooting a firewall configuration, a technician determines that a “deny any” policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable.
Which of the following actions would prevent this issue?
Which of the following risk management strategies is being used when a Chief Information Security Officer ignores known vulnerabilities identified during a risk assessment?
After reviewing the following vulnerability scanning report:
Server:192.168.14.6
Service: Telnet
Port: 23 Protocol: TCP
Status: Open Severity: High
Vulnerability: Use of an insecure network protocol
A security analyst performs the following test:
nmap -p 23 192.168.14.6 —script telnet-encryption
PORT STATE SERVICE REASON
23/tcp open telnet syn-ack
I telnet encryption:
| _ Telnet server supports encryption
Which of the following would the security analyst conclude for this reported vulnerability?
While considering the organization ' s cloud-adoption strategy, the Chief Information Security Officer sets a goal to outsource patching of firmware, operating systems, and applications to the chosen cloud vendor. Which of the following best meets this goal?
Which of the following describes a situation where a user is authorized before being authenticated?
Which of the following risk analysis attributes measures the chance that a vulnerability will be exploited?
Which of the following is a social engineering attack in which a bad actor impersonates a web URL?
Which of the following enables the use of an input field to run commands that can view or manipulate data?
A company processes a large volume of business-to-business transactions and prioritizes data confidentiality over transaction availability. The company ' s firewall administrator must configure a new hardware-based firewall to replace the current one. Which of the following should the administrator do to best align with the company requirements in case a security event occurs?
A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent?
A group of developers has a shared backup account to access the source code repository. Which of the following is the best way to secure the backup account if there is an SSO failure?
Which of the following describes the reason for using an MDM solution to prevent jailbreaking?
Which of the following is a feature of a next-generation SIEM system?
A security analyst estimates that a small security incident will cost $10,000 and will occur twice per year. The analyst recommends a budget of $20,000 for next year. Which of the following does the $10,000 represent?
An administrator has configured a quarantine subnet for all guest devices that connect to the network. Which of the following would be best for the security team to configure on the MDM before allowing access to corporate resources?
Which of the following is the stage in an investigation when forensic images are obtained?
Visitors to a secured facility are required to check in with a photo ID and enter the facility through an access control vestibule Which of the following but describes this form of security control?
Which of the following strategies should an organization use to efficiently manage and analyze multiple types of logs?
A security team must help secure a company site after attackers defaced it. The site must be available to a wide range of countries over a secure protocol, but access from known malicious networks should be blocked. Which of the following will best secure the site?
Which of the following technologies can achieve microsegmentation?
A security analyst created a fake account and saved the password in a non-readily accessible directory in a spreadsheet. An alert was also configured to notify the security team if the spreadsheet is opened. Which of the following best describes the deception method being deployed?
A company evaluates several options that would allow employees to have remote access to the network. The security team wants to ensure the solution includes AAA to comply with internal security policies. Which of the following should the security team recommend?
Which of the following attacks primarily targets insecure networks?
Which of the following is a primary security concern for a company setting up a BYOD program?
Which of the following is the most important element when defining effective security governance?
In order to maintain system stability, a company ' s software developers cannot merge updates into the code base without supervisor approval. Which of the following is the best description of this practice?
An administrator finds that all user workstations and servers are displaying a message that is associated with files containing an extension of .ryk. Which of the following types of infections is present on the systems?
A security company informs its customers of a new vulnerability that affects web applications. The vulnerability does not have an available patch at the moment. Which of the following best describes this vulnerability?
A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step?
After creating a contract for IT contractors, the human resources department changed several clauses. The contract has gone through three revisions. Which of the following processes should the human resources department follow to track revisions?
An employee used a company ' s billing system to issue fraudulent checks. The administrator is looking for evidence of other occurrences of this activity. Which of the following should the administrator examine?
An organization wants to ensure the integrity of compiled binaries in the production environment. Which of the following security measures would best support this objective?
An administrator notices that several users are logging in from suspicious IP addresses. After speaking with the users, the administrator determines that the employees were not logging in from those IP addresses and resets the affected users’ passwords. Which of the following should the administrator implement to prevent this type of attack from succeeding in the future?
Which of the following should be used to ensure that a device is inaccessible to a network-connected resource?
A company with a high-availability website is looking to harden its controls at any cost. The company wants to ensure that the site is secure by finding any possible issues. Which of the following would most likely achieve this goal?
A diagram of a computer AI-generated content may be incorrect.
A screenshot of a computer AI-generated content may be incorrect.
A screenshot of a computer AI-generated content may be incorrect.