Palo Alto Networks Cybersecurity Apprentice Questions and Answers
What is a function of a Network-Based Intrusion Detection System (NIDS)?
Options:
Scanning and quarantining infected files on a host machine
Proxying traffic before reaching an internal network
Blocking malicious traffic from entering a network in real time
Monitoring network traffic and reporting results to an administrator
Answer: D
Explanation:
A Network-Based Intrusion Detection System monitors network traffic and reports suspicious findings to administrators or security tools. It observes packets traversing a network segment and compares activity against signatures, patterns, protocol anomalies, or behavior models. Because it is detection-focused, a NIDS typically alerts rather than blocks traffic inline. Scanning and quarantining infected files on a host machine is an endpoint security function. Proxying traffic before it reaches an internal network is a proxy function. Blocking malicious traffic in real time is more closely associated with an IPS or firewall. A NIDS is useful because it can provide visibility across multiple hosts without installing an agent on each one. However, encrypted traffic, high throughput, and east-west blind spots can limit visibility if sensors are not placed correctly. SOC teams use NIDS alerts as evidence during investigation and correlation. Reference/topics: Cybersecurity 1.4, NIDS and other threat detection systems; Security Operations 6.3, alerts and events.
Which device reads information from packets at the application layer of the OSI model to determine if traffic should be forwarded?
Options:
Switch
Next-generation firewall
WAN accelerator
Router
Answer: B
Explanation:
A next-generation firewall is designed to inspect traffic at higher layers, including application-layer information, before deciding whether traffic should be forwarded. It can identify applications, users, content, and threats instead of relying only on ports and IP addresses. This application awareness enables more precise policy decisions, such as allowing sanctioned business applications while blocking evasive or risky applications using the same port. A switch forwards frames using Layer 2 information. A router forwards packets based on Layer 3 addresses and routing decisions. A WAN accelerator improves performance over wide area links and does not primarily make application-layer security enforcement decisions. The application-layer capability is what makes NGFW policy more effective than traditional port-based filtering. In modern networks, many applications use web ports, so inspecting only TCP 80 or 443 is insufficient. Reference/topics: Network Security 3.2, NGFWs; Network Fundamentals 2.6 and 2.7, OSI model and network devices.
What is the purpose of an API?
Options:
It allows operating systems to redesign themselves.
It allows machine learning models to internally check datagrams.
It allows hardware controls to be modified.
It allows software applications to share data.
Answer: D
Explanation:
An API, or application programming interface, allows software applications and services to communicate and share data in a structured way. APIs define how requests are made, what data formats are accepted, what operations are available, and how responses are returned. In cloud and modern application environments, APIs are fundamental because applications often rely on microservices, third-party integrations, identity providers, automation tools, and cloud management platforms. APIs do not allow operating systems to redesign themselves. They are not specifically for machine learning models to check datagrams, and they are not primarily hardware modification controls. From a security perspective, APIs must be protected because they expose application functions and data paths. API security includes authentication, authorization, rate limiting, input validation, logging, and secrets protection. If poorly secured, APIs can expose sensitive data or allow unauthorized actions. Reference/topics: Cloud Security 5.4, common cloud terms including API and microservice; Identity Security 7.4, secrets management.
What are two components of a cloud-native security platform (CNSP)? (Choose two.)
Options:
Asset inventory
VPN
Endpoint security
Identity and access management (IAM)
Answer: A, D
Explanation:
A cloud-native security platform commonly includes asset inventory and identity and access management visibility or control. Asset inventory is essential because cloud environments are dynamic: workloads, containers, storage buckets, APIs, and services can appear or change rapidly. Security teams must know what exists before they can protect it. IAM is also critical because cloud access is heavily identity-driven. Overprivileged roles, exposed keys, weak permissions, and unmanaged service accounts can create major risk. A VPN may secure connectivity, but it is not a core CNSP component. Endpoint security protects user devices and hosts, but CNSP focuses on cloud-native assets, configurations, workloads, identities, and runtime risk. CNSP helps secure cloud applications across posture, workload, identity, and runtime layers. In practical terms, it answers questions such as: what cloud assets exist, who can access them, are they misconfigured, and are they behaving safely at runtime? Reference/topics: Cloud Security 5.5, CNSP; Identity Security 7.1, IAM components.
Which device reads information from packets at the application layer of the OSI model to determine if traffic should be forwarded?
Options:
WAN accelerator
Router
Switch
Next-generation firewall
Answer: D
Explanation:
A next-generation firewall evaluates traffic beyond basic ports, protocols, and IP addresses. It can inspect application-layer information to identify the actual application, user context, content, and threat indicators before deciding whether traffic should be allowed, blocked, or further inspected. This is the defining difference between a traditional firewall and an NGFW. A switch primarily forwards frames using Layer 2 information, such as MAC addresses. A router forwards packets using Layer 3 information, such as destination IP addresses and routing tables. A WAN accelerator improves performance across wide area links but is not primarily a security enforcement device that makes application-layer allow/block decisions. Application-aware inspection matters because modern applications may use common ports such as TCP 443, making port-only policy insufficient. NGFWs address this by classifying traffic according to application behavior and enforcing security policy accordingly. Reference/topics: Network Security 3.2, stateful firewalls and next-generation firewalls; Network Fundamentals 2.6 and 2.7, OSI model and devices.
What is an effective use case of URL filtering?
Options:
Monitoring threat logs and traffic logs
Restricting access to phishing websites
Acting as a sandbox for potentially malicious files
Discovering internet of things (IoT) devices
Answer: B
Explanation:
Restricting access to phishing websites is an effective URL filtering use case. URL filtering evaluates web destinations by category, reputation, risk, or policy and can block users from visiting malicious or prohibited sites. Phishing sites are designed to steal credentials or sensitive information, so blocking known or suspected phishing URLs reduces the chance that users will submit passwords or tokens to attacker-controlled pages. Monitoring threat logs and traffic logs is a security operations activity, not the direct purpose of URL filtering. Sandboxing potentially malicious files is a malware analysis function. Discovering IoT devices is asset visibility or IoT security, not URL filtering. URL filtering is especially valuable when combined with user awareness, DNS security, browser protection, and identity-based policy. Because phishing often starts with a link, controlling access to risky web destinations is a practical prevention layer. Reference/topics: Network Security 3.3, URL filtering; Cybersecurity 1.3, social engineering and phishing.
Which two sets of actions are examples of multi-factor authentication (MFA)? (Choose two.)
Options:
Answering a security question and providing a thumbprint
Entering a PIN and scanning a smart card
Scanning the palm of one hand followed by the other hand
Answering three sequential security questions
Answer: A, B
Explanation:
Multi-factor authentication requires two or more different categories of authentication factors. The standard categories are something you know, something you have, and something you are. Answering a security question is something you know, while providing a thumbprint is something you are, so answer A is MFA. Entering a PIN is something you know, while scanning a smart card is something you have, so answer B is also MFA. Scanning the palm of one hand followed by the other hand uses the same factor category twice: biometrics, or something you are. That may be stronger biometric checking, but it is not multi-factor. Answering three sequential security questions also repeats the knowledge factor and therefore remains single-factor authentication. MFA improves identity security because stolen passwords alone are less useful to attackers when another independent proof is required. Strong MFA should use phishing-resistant methods where possible. Reference/topics: Identity Security 7.1.2, single-factor and multifactor authentication.
Which cloud service model allows a third-party provider to host an application that is readily available for customer use?
Options:
Software as a service (SaaS)
Platform as a service (PaaS)
Desktop as a service (DaaS)
Infrastructure as a service (IaaS)
Answer: A
Explanation:
Software as a Service provides a complete application hosted and operated by a third-party provider and made available to customers over a network, usually through a browser or client application. The customer consumes the software without managing the underlying servers, operating system, runtime, or application infrastructure. Examples include business productivity suites, CRM platforms, collaboration tools, and many security consoles. PaaS provides a managed development or application platform, not a finished application. IaaS provides infrastructure resources such as compute and storage, leaving the customer responsible for more of the workload stack. Desktop as a Service provides hosted virtual desktops, but it is not the general model described by a provider-hosted application ready for customer use. SaaS changes the shared responsibility boundary because the provider handles more of the application delivery stack, while the customer still manages data, users, access policies, and configuration choices. Reference/topics: Cloud Security 5.2, SaaS, PaaS, IaaS, NaaS; Cloud Security 5.3, shared responsibility.
What does continuous integration and continuous delivery/deployment (CI/CD) improve for an organization?
Options:
Network threat alert potential
API interaction optimization
Secure development pipeline
Storage quotas for code
Answer: C
Explanation:
CI/CD improves the secure development pipeline by making software build, test, delivery, and deployment processes more automated, repeatable, and controlled. Continuous integration encourages developers to merge code frequently into a shared repository where automated tests and checks can run. Continuous delivery keeps software in a deployable state, while continuous deployment can automatically release changes that pass required tests. Security can be embedded into this pipeline through static analysis, dependency scanning, container image scanning, secrets detection, infrastructure-as-code checks, and policy gates. The goal is not merely faster software delivery, but safer and more reliable delivery. Network threat alert potential is a SOC concern, not the primary CI/CD outcome. API interaction optimization may occur in development, but it is too narrow. Storage quotas for code are repository management settings. Secure CI/CD reduces late-stage security surprises and helps organizations detect weaknesses earlier when they are cheaper and easier to fix. Reference/topics: Cloud Security 5.6, CI/CD; Identity Security 7.4.2, CI/CD pipeline secrets.
Which packets are considered east-west traffic in a data center?
Options:
Those originating from the internet destined to the public IP address of a virtual server
Those sent from a virtual desktop to a cloud-based proxy
Those sent from a cloud-based server to a virtual desktop
Those that move between virtual servers across a virtual switch
Answer: D
Explanation:
East-west traffic is internal traffic moving between systems within the same environment or data center. Packets moving between virtual servers across a virtual switch are east-west because they remain inside the data center or virtualized environment. This traffic may never pass through a traditional perimeter firewall unless the architecture specifically routes it through inspection points. Internet-originated traffic to a public IP address is north-south because it enters the environment from outside. Traffic from a virtual desktop to a cloud-based proxy leaves toward an external or cloud service, making it north-south or external service traffic. Traffic from a cloud-based server to a virtual desktop crosses environment boundaries and is not the clearest east-west example. East-west visibility is critical because attackers who compromise one workload often attempt lateral movement to other internal systems. Segmentation, internal firewalls, workload security, and telemetry help control this risk. Reference/topics: Network Fundamentals 2.2, east-west and north-south traffic; Cloud Security 5.4, virtualization.
Which tunnel protocol is used to secure communications over HTTPS?
Options:
IKE
GRE
SSH
TLS
Answer: D
Explanation:
TLS, or Transport Layer Security, is the protocol used to secure HTTPS communications. HTTPS is HTTP carried over TLS, which provides encryption, integrity protection, and server authentication through certificates. TLS prevents eavesdroppers from easily reading web traffic and helps ensure that clients are communicating with the intended server rather than an impostor. IKE is used in IPsec VPN negotiation to establish authenticated security associations. GRE is a tunneling protocol that encapsulates traffic but does not inherently provide encryption. SSH secures remote shell and administrative sessions, and can support tunneling, but it is not the protocol that secures HTTPS. TLS is central to modern web security because web applications, APIs, SaaS platforms, and identity providers depend on protected browser-to-server communication. However, TLS must be deployed correctly with valid certificates, strong protocol versions, and secure cipher suites. Reference/topics: Network Security 3.4, tunneling protocols including TLS, SSH, and IKE; Network Security 3.3, secure web access.
Batch 5 — Questions 56–70
What does DHCP provide to a client?
Options:
Zone
MAC address
IP address
Port range
Answer: C
Explanation:
DHCP provides IP addressing information to a client. When a device joins a network, it can request configuration from a DHCP server instead of requiring manual assignment. The server leases an IP address to the client and may also provide subnet mask, default gateway, DNS server, lease duration, and other options. DHCP does not provide a MAC address; the MAC address is assigned to the network interface by the hardware vendor. It does not provide a security zone, which is a firewall or segmentation concept. It also does not assign a port range in the normal client addressing process. DHCP is important operationally because it reduces manual configuration and supports scalable network management. It is also useful in investigations because DHCP lease records can help map an IP address observed in logs to the device that used it at a specific time. Reference/topics: Network Fundamentals 2.4, DHCP; Network Fundamentals 2.3, default gateway.
What are two endpoint security implementation methods? (Choose two.)
Options:
Installing an anti-malware agent onto a user device
Deploying a firewall to prevent traffic from reaching an end user
Enforcing security policies on north-south traffic between users and the internet
Downloading software onto a laptop to prevent spyware
Answer: A, D
Explanation:
Endpoint security focuses on protecting the individual device where users work, such as laptops, desktops, mobile devices, and other endpoint systems. Installing an anti-malware agent onto a user device is a direct endpoint security implementation method because the security control resides on the host and inspects files, processes, and system behavior for malicious activity. Downloading software onto a laptop to prevent spyware is also an endpoint-focused control because it protects the local device against malicious code designed to monitor activity, steal data, or weaken the operating environment. By contrast, deploying a firewall to prevent traffic from reaching an end user is primarily a network security control when placed at the network boundary. Enforcing north-south traffic policies is also network security because it governs traffic moving between internal users and the internet. Palo Alto Networks identifies endpoint security objectives and components such as security updates, antivirus, and host-based firewalls under the Endpoint Security domain. Reference: Cybersecurity Apprentice Datasheet, Endpoint Security 4.2 and 4.3.
Which type of segmentation divides traffic based on the interface on which a packet is received or sent?
Options:
Zone
Port
Application
Role
Answer: A
Explanation:
Zone segmentation groups traffic based on logical security zones, commonly tied to interfaces or interface groups. A firewall can apply policy depending on the source zone and destination zone, such as trust, untrust, DMZ, data center, or guest. If a packet enters or exits through an interface assigned to a specific zone, that zone becomes part of the policy decision. Port-based segmentation would focus on physical or logical ports, but in firewall security design, zones are the standard construct for interface-based policy grouping. Application segmentation divides traffic based on the application being used. Role-based segmentation uses user or device roles. Zone segmentation is powerful because it allows administrators to express trust boundaries and enforce policy between parts of the network. It is often combined with VLANs, IP subnets, and application-aware controls to create layered segmentation. Reference/topics: Network Security 3.1, zone segmentation; Network Security 3.2, firewall policy enforcement.
What is a self-sufficient executable package that encompasses all necessary components for running a piece of software including the code, runtime, libraries, and system tools?
Options:
Container
Host
Server
Virtual machine (VM)
Answer: A
Explanation:
A container is a self-sufficient executable package that includes application code and the dependencies needed to run consistently across environments. Containers usually package code, runtime, libraries, and system tools, while sharing the underlying host operating system kernel. This makes them lighter and faster to start than virtual machines. A host is the physical or virtual system that runs workloads. A server provides services to clients, but the term does not specifically describe packaged application dependencies. A virtual machine is a full isolated operating environment with its own guest OS, making it heavier than a container. Containers are central to cloud-native application design because they support portability, scalability, microservices, and automated deployment. From a security perspective, containers must be scanned for vulnerabilities, configured securely, run with least privilege, and monitored at runtime. Container security also depends on image integrity, registry controls, orchestration policy, and secrets handling. Reference/topics: Cloud Security 5.4, container and virtual machine; Cloud Security 5.5, CNSP.
Which security control is best suited to block traffic based on the actual application being used rather than only the port number?
Options:
Hub
Next-generation firewall
DHCP server
Layer 2 switch
Answer: B
Explanation:
A next-generation firewall is best suited to block or allow traffic based on the actual application being used rather than only the port number. Traditional firewalls commonly rely on IP addresses, protocols, and ports, which is insufficient when many applications use common ports such as TCP 80 or TCP 443. A next-generation firewall adds application awareness, allowing it to identify traffic based on application behavior and enforce more precise security policy. A hub operates at OSI Layer 1 and simply repeats signals; it cannot inspect applications. A DHCP server assigns IP configuration information to clients and does not enforce application-based security policy. A Layer 2 switch forwards frames based on MAC addresses and does not determine whether a specific application should be allowed. Application-aware policy is important because attackers and risky applications often hide within allowed ports. NGFWs help security teams control traffic according to business intent, application risk, user identity, and threat context. Reference/topics: Network Security, stateful firewalls, next-generation firewalls, application awareness.
Which statement describes both stateful firewalls and stateless firewalls?
Options:
Stateful firewalls encrypt all traffic they inspect; stateless firewalls only pass through unencrypted traffic.
Stateful firewalls are primary hardware appliances; stateless firewalls are exclusively software-based.
Stateful firewalls only allow access to internal applications; stateless firewalls allow connections only to the internet.
Stateful firewalls track and secure ongoing connections; stateless firewalls inspect each packet individually.
Answer: D
Explanation:
Stateful firewalls track connection state, while stateless firewalls evaluate each packet independently against rules. A stateful firewall maintains a state table that records active sessions, allowing it to understand whether a packet is part of an established connection or an unsolicited attempt. This improves security and usability because return traffic for legitimate sessions can be permitted without writing separate broad rules. A stateless firewall does not remember connection context; it checks packet attributes such as source, destination, protocol, and port each time. Firewalls do not inherently encrypt all inspected traffic, so answer A is incorrect. Stateful and stateless capabilities can exist in hardware, software, virtual, or cloud form, so answer B is incorrect. Answer C incorrectly describes access direction rather than inspection behavior. The key distinction is session awareness. Understanding stateful inspection is foundational because NGFW capabilities build on traffic classification, session tracking, and policy enforcement. Reference/topics: Network Security 3.2, stateful firewalls and NGFWs.
Which cloud computing model allows a single organization to keep its data in a private environment but also access the scalability and cost-effectiveness of public resources?
Options:
Hybrid
Public
Community
Private
Answer: A
Explanation:
A hybrid cloud model combines private cloud or private infrastructure with public cloud resources. It allows an organization to keep sensitive workloads or data in a controlled private environment while using public cloud capacity for elasticity, scalability, geographic reach, or cost optimization. This model is common when organizations have regulatory requirements, legacy systems, or sensitive datasets that cannot be moved fully into a public cloud, but still need the flexibility of public services. A public cloud is shared provider-operated infrastructure available to many customers. A private cloud is dedicated to one organization but does not inherently provide public cloud scalability unless integrated with it. A community cloud is shared by organizations with common requirements, such as sector-specific compliance needs. Hybrid cloud security requires consistent visibility, identity controls, policy enforcement, and shared responsibility awareness across both private and public components. Reference/topics: Cloud Security 5.1, cloud-computing deployment models; Cloud Security 5.3, shared responsibility model.
Which tool resides on a host to identify malicious activity?
Options:
Intrusion Detection System (IDS)
Unified threat detection device
Endpoint protection agent
Next-generation firewall appliance
Answer: C
Explanation:
An endpoint protection agent is software installed directly on a host, such as a workstation, laptop, or server, to monitor local activity and identify malicious behavior. Because it resides on the endpoint, it can observe processes, files, registry changes, network connections, and user activity that may not be visible to a perimeter security device. This makes it especially useful for detecting malware execution, suspicious scripts, privilege abuse, and post-compromise activity. An IDS may detect suspicious patterns, but the answer is not precise because IDS can be network-based or host-based and is not necessarily an agent. A next-generation firewall appliance is typically deployed inline at a network control point, not directly on the host. “Unified threat detection device” is not the standard course term for a host-resident control. The Palo Alto Networks Cybersecurity Apprentice blueprint places endpoint protection components under Endpoint Security and also recognizes host-based detection concepts under cybersecurity threat detection systems. Reference: Cybersecurity Apprentice Datasheet, Endpoint Security 4.3 and Cybersecurity 1.4.
Which activity increases the ability of endpoint protection to successfully identify threats?
Options:
Creating honeypots
Implementing virtualization
Encoding null routes
Applying security updates
Answer: D
Explanation:
Applying security updates improves endpoint protection by closing known vulnerabilities, updating defensive components, and reducing the number of exploitable weaknesses on the host. Endpoint protection relies on current software, current detection logic, and patched operating systems or applications to recognize and resist common attack techniques. When systems remain unpatched, attackers can use known exploits that security tools may detect but cannot always prevent from succeeding if the vulnerable component remains exposed. Honeypots are deception systems used to attract or study attackers, but they do not directly improve endpoint protection on user devices. Virtualization can isolate workloads or support testing, but it is not the best answer for improving endpoint threat identification. Null routes are network routing controls used to discard traffic and are unrelated to endpoint detection capability. Security updates are a basic but essential endpoint security component because they reduce attack surface and improve compatibility with modern protections. Reference/topics: Endpoint Security 4.3, security updates and antivirus; Cybersecurity 1.5, threat prevention practices.
Which pillar should a company focus on first when establishing a new security operations department?
Options:
Technology
Processes
People
Business
Answer: C
Explanation:
People should be the first pillar when establishing a security operations department. Tools and processes matter, but a SOC ultimately depends on skilled people who understand the environment, interpret alerts, make decisions, communicate risk, and improve operations. Without defined roles, responsibilities, escalation paths, and analyst capability, even advanced technology can become noisy and ineffective. Processes come next because people need repeatable methods for triage, investigation, mitigation, and improvement. Technology should support those people and processes, not replace them. Business context is also essential because the SOC must prioritize what matters most to the organization, but the first practical foundation is staffing and capability. A strong SOC needs analysts, incident responders, engineers, threat intelligence support, leadership, and clear ownership. Security operations is not just a tool stack; it is an operating function that converts telemetry into risk reduction. Reference/topics: Security Operations 6.1, SOC functions; Security Operations 6.2, optimizing SOC performance.
Batch 8 — Questions 101–113
What is the fundamental role of a proxy server in internet communication?
Options:
Enhancing the processing power of a user device when accessing the internet.
Managing and securing email communications.
Acting as an intermediary, routing traffic between users and online resources.
Directly connecting endpoint agents to web servers.
Answer: C
Explanation:
A proxy server acts as an intermediary between a client and an online resource. Instead of the user system connecting directly to the destination server, the request is sent to the proxy, which forwards, filters, logs, or inspects the traffic according to policy. This design allows organizations to control web access, enforce acceptable use policies, inspect content, apply authentication, and hide some internal network details from external destinations. A proxy does not increase the processing power of the user’s device. It is not limited to email, although mail security gateways can perform similar intermediary functions for email traffic. It also does not directly connect endpoint agents to web servers as its core function. In security architecture, proxies are useful control points because they sit in the request path and can make decisions before a user reaches a site or downloads content. Reference/topics: Network Security 3.3, proxies and URL filtering; Network Security 3.6, enterprise browsers.
Which metric measures how long it takes a security team to detect a cybersecurity incident?
Options:
MTTR
MTTD
MFA
NAT
Answer: B
Explanation:
MTTD, or mean time to detect, measures how long it takes a security team to discover a cybersecurity incident or suspicious activity. A lower MTTD indicates that detection controls, monitoring processes, alert quality, and analyst workflows are working effectively. MTTD is important because attackers often cause more damage the longer they remain undetected. MTTR, or mean time to respond or recover, measures how long it takes to respond to or recover from an incident after detection. MFA is multi-factor authentication, an identity security control used to strengthen login security. NAT is network address translation, which converts one IP address to another. Security operations teams use metrics such as MTTD and MTTR to evaluate SOC performance, improve alerting, tune detection logic, and reduce operational delays. Strong logging, SIEM correlation, endpoint telemetry, threat intelligence, and automation can help reduce detection time. Reference/topics: Security Operations, SOC metrics, MTTD, MTTR, incident detection and response.
Why would an organization implement a demilitarized zone (DMZ)?
Options:
To provision multiple external zones that allow for destination NAT
To facilitate the use of SD-WAN departments within an organization
To allow effective communications with other organizations
To protect internal resources while still allowing access to public-facing internet services
Answer: D
Explanation:
A DMZ is implemented to host public-facing services while reducing direct exposure to the internal trusted network. Web servers, mail gateways, VPN portals, or other externally accessible systems may be placed in a DMZ so internet users can reach required services without being allowed directly into internal resources. The DMZ acts as a controlled buffer zone between untrusted external networks and trusted internal networks. Destination NAT may be used with DMZ services, but provisioning external zones for NAT is not the core reason. “Facilitating SD-WAN departments” is not a valid DMZ purpose. Communication with other organizations may occur through public services, but the security purpose is controlled exposure and internal protection. DMZ design supports segmentation, firewall policy, logging, and containment. If a public-facing server is compromised, proper DMZ controls reduce the attacker’s ability to pivot into sensitive internal systems. Reference/topics: Network Security 3.1, zone segmentation; Network Security 3.2, firewall policy enforcement.
In which cloud service model does a company use hardware resources from a cloud service provider?
Options:
Platform as a service (PaaS)
Software as a service (SaaS)
Network as a service (NaaS)
Infrastructure as a service (IaaS)
Answer:
D
Explanation:
Infrastructure as a Service provides cloud-hosted infrastructure resources such as compute, storage, and networking. In IaaS, the customer uses provider-operated hardware resources without owning the physical servers, racks, power, cooling, or data center facilities. The customer typically remains responsible for securing operating systems, applications, data, identities, and workload configurations. PaaS provides a managed platform for developing and deploying applications, where the provider handles more of the runtime environment. SaaS delivers a complete application that customers consume directly. NaaS delivers networking capabilities as a service. The phrase “hardware resources from a cloud service provider” points directly to IaaS because the customer consumes virtualized infrastructure backed by provider hardware. Security teams must understand IaaS because it creates a shared responsibility boundary: the provider secures the physical infrastructure, while the customer secures what they build, configure, and run on top of it. Reference/topics: Cloud Security 5.2, IaaS, PaaS, SaaS, NaaS; Cloud Security 5.3, shared responsibility.
What is a function of a cloud-native security platform (CNSP)?
Options:
Protecting applications at runtime
Generating cost analysis
Sandboxing ransomware
Executing penetration testing
Answer:
A
Explanation:
A cloud-native security platform protects cloud-native applications across their lifecycle, including runtime. Runtime protection means monitoring and securing workloads while they are actively running, such as containers, microservices, serverless functions, Kubernetes clusters, and cloud workloads. This can include detecting suspicious process behavior, enforcing workload policies, identifying misconfigurations, controlling network connections, and responding to active threats. Cost analysis may exist in cloud management platforms, but it is not a core CNSP security function. Sandboxing ransomware is a malware analysis technique, not the defining role of a cloud-native security platform. Penetration testing may be part of security assessment, but CNSP is designed for continuous visibility, posture, identity, workload, and runtime security rather than one-time offensive testing. CNSP matters because cloud-native environments are dynamic: workloads scale, containers are replaced, APIs interact continuously, and identities drive access. Security must therefore be integrated into build, deploy, and runtime phases. Reference/topics: Cloud Security 5.5, CNSP; Cloud Security 5.4, containers, microservices, APIs.
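To make "runtime protection" concrete, here is an added example that is not code from the original page and not any vendor's rule language: a per-image runtime baseline (expected processes, permitted egress, writable paths) applied to a constructed stream of container process, connection and file-write events. The image name, the baseline contents and the event sequence are all made up for illustration; the sequence models a web-shell style compromise of a PHP container so the example shows what a runtime rule set should catch after the build and deploy phases have already passed.

```python
"""Runtime workload policy over container process and network events.

Added example, not code from the original page and not any vendor's rule
language. The image baseline, rules and the event stream are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: float
    container: str
    image: str
    kind: str                      # "exec", "connect" or "write"
    comm: str                      # process name generating the event
    parent: Optional[str] = None   # parent process name, for exec events
    target: Optional[str] = None   # host:port for connect, path for write


# Per-image baseline of what is expected at runtime (constructed values).
BASELINE: Dict[str, dict] = {
    "shop/web:1.4": {
        "processes": {"nginx", "php-fpm"},
        "egress": {"10.1.1.20:5432"},
        "writable": ("/var/cache/nginx/", "/tmp/"),
    },
}

SHELLS = {"sh", "bash", "dash", "zsh"}


def evaluate_event(ev: Event) -> List[str]:
    """Return the names of every runtime rule this single event violates."""
    base = BASELINE.get(ev.image)
    if base is None:
        return ["unknown-image: no runtime baseline for %s" % ev.image]
    findings = []
    if ev.kind == "exec":
        if ev.comm in SHELLS:
            findings.append("shell-in-container: %s spawned by %s" % (ev.comm, ev.parent))
        elif ev.comm not in base["processes"]:
            findings.append("unexpected-process: %s" % ev.comm)
    elif ev.kind == "connect":
        if ev.target not in base["egress"]:
            findings.append("unexpected-egress: %s -> %s" % (ev.comm, ev.target))
    elif ev.kind == "write":
        if not (ev.target or "").startswith(base["writable"]):
            findings.append("write-outside-allowlist: %s wrote %s" % (ev.comm, ev.target))
    return findings


def evaluate_stream(events: List[Event]) -> Dict[str, List[str]]:
    """Group findings by container so responders see the full sequence per workload."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for finding in evaluate_event(ev):
            out.setdefault(ev.container, []).append("%.1f %s" % (ev.ts, finding))
    return out


def sample_events() -> List[Event]:
    """Constructed sequence: normal serving, then a web-shell style compromise."""
    c, img = "web-1", "shop/web:1.4"
    return [
        Event(1.0, c, img, "exec", "php-fpm", parent="nginx"),
        Event(1.5, c, img, "connect", "php-fpm", target="10.1.1.20:5432"),
        Event(2.0, c, img, "write", "nginx", target="/var/cache/nginx/abc"),
        Event(9.0, c, img, "exec", "sh", parent="php-fpm"),              # web shell
        Event(9.2, c, img, "exec", "curl", parent="sh"),                 # tool download
        Event(9.3, c, img, "connect", "curl", target="203.0.113.9:443"), # staging host
        Event(9.8, c, img, "write", "sh", target="/etc/cron.d/persist"), # persistence
    ]


if __name__ == "__main__":
    for container, findings in evaluate_stream(sample_events()).items():
        print(container)
        for line in findings:
            print("  " + line)
```

The first three events produce nothing, which is the property that makes a baseline usable: the rules describe the image's normal behaviour, so the later shell, unexpected binary, unexpected egress and write under /etc each stand out as a separate finding tied to the same container.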
What is a documented strategy outlining how an organization will detect, respond to, and recover from cybersecurity attacks or other disruptions?
Options:
Security framework alignment
MTTR
MTTD
Incident response plan
Answer:
D
Explanation:
An incident response plan is the documented strategy that defines how an organization detects, analyzes, contains, eradicates, recovers from, and learns from cybersecurity incidents or disruptive events. It assigns responsibilities, escalation paths, communication rules, evidence-handling expectations, and recovery procedures so that teams can act quickly under pressure. MTTR, or mean time to respond/recover, is a performance metric that measures how long response or recovery takes. MTTD, or mean time to detect, measures detection speed. Security framework alignment helps map controls and practices to recognized standards, but it is not the operational response document itself. A strong incident response plan reduces confusion during an event because teams do not need to invent roles and procedures while an attack is unfolding. It also improves post-incident review by creating a baseline for what should have happened. Reference/topics: Security Operations 6.3, incident response plan and disaster recovery plan; Security Operations 6.1, investigate, mitigate, improve functions.
Which attack takes place in the Exploitation phase of the cyber attack lifecycle?
Options:
Weaponized PDF file executing on a target
Malicious phishing link sent to a target
Polymorphic malware altering its structure on a target after gaining access
Undisclosed software vulnerability used to gain remote access to a target
Answer:
D
Explanation:
Exploitation occurs when an attacker takes advantage of a vulnerability to cause unauthorized behavior, such as code execution, authentication bypass, privilege escalation, or remote access. An undisclosed software vulnerability (a zero-day) used to gain remote access is a clear example of exploitation because the attacker is actively using a weakness to compromise the target. A malicious phishing link sent to a target is delivery, because it places the attack mechanism in front of the victim but has not yet compromised anything. A weaponized PDF executing on a target sits at the boundary of two phases: the PDF was built during weaponization, and its embedded exploit triggers during exploitation, so the option that describes the direct use of a software vulnerability to gain access is the stronger answer. Polymorphic malware changing its structure after access is post-compromise evasion and persistence, not exploitation. The exam objective requires candidates to distinguish lifecycle stages by attacker intent: reconnaissance gathers, weaponization prepares, delivery transmits, exploitation triggers compromise, installation persists, command-and-control manages, and actions on objectives achieve the mission. Reference/topics: Cybersecurity 1.2, attack lifecycle; Cybersecurity 1.1, vulnerabilities and exploits.
What is a benefit of SD-WAN versus traditional WANs?
Options:
Reliance on multiple different WAN connection types and licenses is removed.
All physical WAN components can be easily removed and replaced without network disruption.
Administrators can deploy WAN connection policies across an entire network at once.
WANs are physically connected and strengthened against electromagnetic interference.
Answer:
C
Explanation:
SD-WAN provides centralized, software-defined control over wide area network connectivity. A major benefit is that administrators can create and deploy policies across many sites consistently, rather than manually configuring each traditional WAN device in isolation. SD-WAN can use multiple transport types, such as broadband, LTE, internet, and MPLS, so it does not remove reliance on diverse connection types; it manages them more intelligently. It also does not mean all physical WAN components disappear. Physical links, edge devices, and provider circuits still exist, but the control and policy model becomes more centralized and flexible. Electromagnetic interference is unrelated to the primary value of SD-WAN. SD-WAN is useful because it can steer application traffic based on performance, cost, availability, or security requirements. For security teams, centralized policy helps reduce configuration drift and supports consistent connectivity decisions across branches and cloud environments. Reference/topics: Network Fundamentals 2.1, WAN, LAN, SD-WAN; Network Security 3.3, VPNs and proxies.
What does a host-based firewall primarily attempt to prevent?
Options:
Exhaustion of network memory resources
Privilege escalation
Pop-up advertisements
Unauthorized or suspicious network connections
Answer:
D
Explanation:
A host-based firewall controls network connections to and from an individual endpoint or server. Its primary purpose is to prevent unauthorized or suspicious network connections by enforcing local rules based on ports, protocols, applications, network profiles, or direction of traffic. For example, it can block inbound connections to services that should not be exposed or restrict outbound traffic from suspicious applications. Exhaustion of network memory resources describes a denial-of-service concern, not the normal role of a host firewall. Privilege escalation is an endpoint attack technique, but it is usually addressed through patching, least privilege, exploit prevention, and operating system hardening rather than host firewall rules alone. Pop-up advertisements are typically handled by browser controls or anti-adware functions. Host-based firewalls are valuable because they continue to enforce policy even when the device moves between networks, such as home, office, and public Wi-Fi. Reference/topics: Endpoint Security 4.3, host-based firewalls; Endpoint Security 4.2, endpoint security objectives.
What is a function of an Intrusion Detection System (IDS)?
Options:
Rejecting connections deemed anomalous
Filtering outbound malicious TCP packets
Monitoring network traffic for specific patterns
Dropping inline network packets
Answer:
C
Explanation:
An Intrusion Detection System monitors traffic or host activity and generates alerts when it identifies suspicious patterns. The correct answer is monitoring network traffic for specific patterns because detection is the central IDS function. An IDS can use signatures, anomaly detection, protocol analysis, or behavioral indicators to identify potential attacks. However, unlike an IPS, a traditional IDS is not usually placed inline to block traffic. Rejecting connections, filtering malicious packets, and dropping inline packets are prevention or enforcement actions more closely associated with an IPS or firewall. IDS alerts are valuable to security operations because they create visibility into attempted attacks, policy violations, scanning activity, or suspicious behavior that may require investigation. A NIDS monitors network traffic, while a HIDS monitors activity on a specific host. The certification expects candidates to distinguish detection systems from prevention systems and understand where each operates. Reference/topics: Cybersecurity 1.4, IDS, HIDS, and NIDS; Cybersecurity 1.5, threat prevention systems.
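The explanation above lists the detection methods (signatures, anomaly detection) and the key design property (alert, never drop). The following is an added example that is not code from the original page and not any vendor's rule syntax: a minimal passive sensor that runs content signatures in the spirit of Snort/Suricata `content` rules and a simple port-scan anomaly threshold over a constructed packet stream. The signatures, thresholds, addresses and packet payloads are all made up for illustration. It also shows the encrypted-traffic blind spot: the request on port 443 is represented as opaque bytes and produces no signature hit.

```python
"""Signature and anomaly detection over a packet stream, alert-only.

Added example, not code from the original page. The signature set, the
thresholds and the packet samples are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]  # None means any destination port
    content: bytes        # matched case-insensitively, like a 'nocase' content rule


# Constructed signatures in the spirit of Snort/Suricata content rules.
SIGNATURES = [
    Signature(1000001, "directory traversal: /etc/passwd in request", "tcp", 80, b"/etc/passwd"),
    Signature(1000002, "SQL injection tautology in request", "tcp", 80, b"' or 1=1"),
    Signature(1000003, "Windows shell reference in request", "tcp", 80, b"cmd.exe"),
]


class Nids:
    """Passive sensor: inspect() reports alerts and never alters or drops a packet."""

    def __init__(self, scan_ports: int = 10, scan_window: float = 5.0):
        self.scan_ports = scan_ports     # distinct ports from one src to one dst ...
        self.scan_window = scan_window   # ... within this many seconds = port scan
        self._port_hits: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
        self._scan_alerted = set()
        self.alerts: List[dict] = []

    def inspect(self, pkt: Packet) -> List[dict]:
        raised = []
        # 1. Signature matching: known-bad content on the expected protocol/port.
        lowered = pkt.payload.lower()
        for sig in SIGNATURES:
            if sig.proto != pkt.proto:
                continue
            if sig.dport is not None and sig.dport != pkt.dport:
                continue
            if sig.content in lowered:
                raised.append({"sid": sig.sid, "msg": sig.msg, "src": pkt.src,
                               "dst": pkt.dst, "ts": pkt.ts})
        # 2. Anomaly detection: many distinct ports from one source in a short window.
        key = (pkt.src, pkt.dst)
        cutoff = pkt.ts - self.scan_window
        hits = [h for h in self._port_hits[key] if h[0] >= cutoff]
        hits.append((pkt.ts, pkt.dport))
        self._port_hits[key] = hits
        if len({p for _, p in hits}) >= self.scan_ports and key not in self._scan_alerted:
            self._scan_alerted.add(key)
            raised.append({"sid": 2000001, "msg": "possible port scan", "src": pkt.src,
                           "dst": pkt.dst, "ts": pkt.ts})
        self.alerts.extend(raised)
        return raised


def sample_traffic() -> List[Packet]:
    """Constructed packets: one benign request, two attacks, one TLS stand-in, one scan."""
    web = "192.0.2.10"
    pkts = [
        Packet(1.0, "198.51.100.20", web, "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        Packet(2.0, "198.51.100.21", web, "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
        Packet(3.0, "198.51.100.22", web, "tcp", 80, b"GET /login?user=admin' OR 1=1-- HTTP/1.1\r\n\r\n"),
        # The same traversal request sent over TLS: a sensor without decryption sees
        # only ciphertext (stand-in bytes here), so no signature can fire on it.
        Packet(4.0, "198.51.100.23", web, "tcp", 443, b"\x17\x03\x03\x00\x2a\x9f\x11\x5c\x02\xe4"),
    ]
    # One source touching 12 distinct ports in about a second.
    pkts += [Packet(10.0 + i * 0.1, "198.51.100.7", web, "tcp", 20 + i) for i in range(12)]
    return pkts


def run(packets: List[Packet]) -> List[dict]:
    sensor = Nids()
    for pkt in packets:
        sensor.inspect(pkt)
    return sensor.alerts


if __name__ == "__main__":
    for alert in run(sample_traffic()):
        print(alert)
```

Running it yields three alerts: the traversal signature, the SQL injection signature, and one port-scan anomaly raised on the tenth distinct port (the sensor remembers that it already alerted on that source/destination pair rather than firing again on every later probe). The benign request and the opaque port-443 packet produce nothing, which is exactly the visibility gap the explanation warns about for encrypted traffic.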
What are two functions of VPN gateways? (Choose two.)
Options:
Certificate refresh
Site-to-Site connectivity
Remote access
URL filtering
Answer:
B, C
Explanation:
VPN gateways commonly provide site-to-site connectivity and remote access. Site-to-site VPN connects networks across encrypted tunnels, such as branch office to headquarters or cloud network to data center. Remote access VPN allows individual users to securely connect to enterprise resources from outside the corporate network. Certificate refresh is a PKI lifecycle task that may support VPN authentication, but it is not a primary VPN gateway function. URL filtering controls web access based on categories or reputation and is a separate network security function. VPN gateways terminate encrypted tunnels, authenticate peers or users, and route protected traffic into the appropriate network. They are important because they allow secure communication over untrusted networks, but they must be configured carefully. Weak authentication, overly broad access once the tunnel is up, split tunneling misconfiguration, or poor logging can turn VPN access into a major risk path. Reference/topics: Network Security 3.3, VPNs; Network Security 3.4, IKE and tunneling protocols.
Which type of attack occurs when malware is hidden within an application and infects the host without being detected?
Options:
Botnet
Ransomware
Trojan
Virus
Answer:
C
Explanation:
A trojan is malware disguised as legitimate or useful software. It tricks the user or system into running it, then performs malicious actions such as installing backdoors, stealing data, downloading additional payloads, or giving attackers remote access. The key characteristic is deception: the malware is hidden inside or presented as a trusted application. A botnet is a network of compromised devices controlled by an attacker, often through command-and-control infrastructure. Ransomware encrypts or locks systems and demands payment. A virus is malware that attaches to files or programs and replicates when executed, but the scenario specifically describes malicious code hidden within an application to avoid detection, which fits a trojan. Trojans are common because they exploit user trust and can bypass purely technical controls if users install unauthorized software. Endpoint protection, application control, user training, and least privilege help reduce trojan risk. Reference/topics: Cybersecurity 1.3, malware types; Endpoint Security 4.3, antivirus.
What is an example of an exploit?
Options:
Misconfigured access control
Unpatched software
Buffer overflow attack
Exposed password
Answer:
C
Explanation:
An exploit is a technique, code path, or attack method that takes advantage of a vulnerability. A buffer overflow attack is an exploit because it abuses improper memory handling to overwrite memory and potentially execute malicious code, crash a process, or alter program behavior. Misconfigured access control is a vulnerability: it is the weakness that may allow unauthorized access. Unpatched software is also a vulnerability because known flaws remain present. An exposed password is a credential exposure or security weakness, not the exploit itself. The distinction is essential: vulnerabilities are conditions, exploits are methods that use those conditions, and attacks are the broader malicious actions performed by threat actors. Defenders reduce exploitability by patching, secure coding, configuration hardening, input validation, exploit prevention, segmentation, and monitoring. Reference/topics: Cybersecurity 1.1, vulnerabilities and exploits; Cybersecurity 1.5, threat prevention practices.