Free CompTIA CySA+ Certification Exam Practice Test
Prepare confidently for your CompTIA CySA+ certification with this Free CompTIA CySA+ Certification Exam Practice Test. Designed to mirror the current exam objectives, this practice test covers key cybersecurity analyst topics including threat detection, incident response, vulnerability management, and security monitoring.
Ideal for both beginners and seasoned IT professionals, the test features realistic multiple-choice questions and detailed explanations to help you deepen your knowledge and identify areas for improvement. Use this free resource to sharpen your skills, enhance your understanding of cybersecurity best practices, and boost your exam readiness.
Access this practice exam anytime without registration and take a significant step toward achieving your CySA+ certification and advancing your cybersecurity career.
1. Which of the following BEST describes a vulnerability scan that does not impact system performance or consume network bandwidth excessively?
A. Credentialed scan
B. Non-intrusive scan
C. Exploit-based scan
D. Authenticated scan
Correct Answer: B. Non-intrusive scan
Explanation:
A non-intrusive scan is designed to identify vulnerabilities without exploiting them or consuming significant resources. It uses passive detection techniques and is ideal for environments where performance must not be impacted. Unlike exploit-based or authenticated scans, it avoids direct interaction with system components beyond basic fingerprinting. This makes it safer for production environments and less likely to trigger alerts or cause disruptions.
2. A security analyst receives multiple reports of failed logins followed by successful access attempts. Which attack is MOST likely taking place?
A. SQL Injection
B. Brute Force
C. Credential Stuffing
D. Session Hijacking
Correct Answer: C. Credential Stuffing
Explanation:
Credential stuffing uses lists of stolen username/password combinations from data breaches to gain unauthorized access to accounts. The pattern of failed logins followed by success suggests that attackers are testing credentials until a match is found. This differs from brute-force attacks, which try random combinations rather than known pairs. It’s essential to detect this early to prevent lateral movement or privilege escalation.
3. During log analysis, a security analyst notices an abnormal number of DNS requests to random domains. What type of malware is MOST likely involved?
A. Ransomware
B. Botnet
C. Keylogger
D. Command and Control (C2)
Correct Answer: D. Command and Control (C2)
Explanation:
Frequent DNS requests to random or suspicious domains often indicate an attempt to contact a C2 server. This technique allows attackers to bypass firewall rules by using DNS as a covert communication channel. C2 infrastructure is essential for remote control of compromised hosts and often precedes malicious payload delivery or data exfiltration. Monitoring DNS traffic helps identify such activity early.
4. What is the PRIMARY reason for conducting a tabletop exercise in an organization’s incident response process?
A. To simulate ransomware execution
B. To test the backup systems
C. To evaluate team coordination and response procedures
D. To discover unknown vulnerabilities
Correct Answer: C. To evaluate team coordination and response procedures
Explanation:
Tabletop exercises simulate real-world incident scenarios in a controlled, discussion-based environment. The goal is to evaluate the effectiveness of an incident response plan and ensure all stakeholders understand their roles. These exercises help uncover procedural gaps, improve coordination, and refine communication strategies without interrupting operations. They are a vital part of improving overall security posture.
5. Which of the following BEST ensures the integrity of collected forensic data during an investigation?
A. Antivirus logs
B. Chain of custody
C. Log aggregation
D. Sandboxing
Correct Answer: B. Chain of custody
Explanation:
The chain of custody is a documented process that tracks the collection, handling, and storage of digital evidence. It ensures that evidence remains untampered and admissible in court. Every person who interacts with the evidence must be recorded to prevent disputes over its authenticity. This is critical in maintaining the credibility of a forensic investigation.
6. Which of the following metrics is MOST important when prioritizing patching in a vulnerability management program?
A. Patch release date
B. CVSS score
C. Vendor reputation
D. Exploit complexity
Correct Answer: B. CVSS score
Explanation:
The Common Vulnerability Scoring System (CVSS) provides a standardized way to assess the severity of vulnerabilities. It considers factors like exploitability, impact, and environmental variables. A higher CVSS score indicates greater risk and urgency, making it a vital metric for prioritization. While exploit complexity and vendor reputation matter, CVSS offers a comprehensive and widely accepted basis for decisions in patch management.
7. A security team notices traffic on port 445 from an unknown host. What is the BEST action to take?
A. Block all outbound HTTPS traffic
B. Quarantine the host for investigation
C. Restart the firewall
D. Disable DNS services
Correct Answer: B. Quarantine the host for investigation
Explanation:
Port 445 is commonly associated with SMB, which is often exploited in attacks like EternalBlue or lateral movement attempts. Unexpected traffic from an unrecognized host may indicate a compromised system. Quarantining the host helps prevent potential spread or data exfiltration while allowing deeper analysis. This proactive containment approach aligns with incident response best practices.
8. Which type of threat intelligence provides real-time data from sensors and logs within an organization’s environment?
A. Strategic
B. Tactical
C. Technical
D. Operational
Correct Answer: D. Operational
Explanation:
Operational threat intelligence focuses on real-time, actionable information gathered from internal systems, sensors, and logs. It helps teams understand the current threat landscape and take immediate action. This includes information about active attacks, attacker behavior, and infrastructure. Unlike strategic or tactical intel, operational data supports rapid detection and response efforts.
9. What BEST describes the role of a Security Information and Event Management (SIEM) system?
A. Manages encryption keys across devices
B. Automatically blocks all unauthorized traffic
C. Collects, analyzes, and correlates security data from multiple sources
D. Creates firewall rules based on heuristics
Correct Answer: C. Collects, analyzes, and correlates security data from multiple sources
Explanation:
A SIEM centralizes logs and events from various systems, including firewalls, servers, and applications. It applies correlation rules and analytics to detect suspicious patterns, generate alerts, and support compliance reporting. By aggregating and contextualizing security data, SIEMs help analysts identify threats quickly and respond more effectively, making them essential in modern security operations centers (SOCs).
10. What technique is MOST effective for detecting a rogue wireless access point?
A. Vulnerability scanning
B. Packet filtering
C. War driving
D. Wireless site survey
Correct Answer: D. Wireless site survey
Explanation:
A wireless site survey uses tools to map all active wireless signals in an area. It helps detect unauthorized or rogue access points broadcasting from within or near an organization. Comparing survey results against a list of approved devices allows quick identification of suspicious activity. This approach is more precise than general scanning or filtering and supports proactive wireless threat mitigation.
11. An analyst detects an increase in 404 errors in a short period. Which scenario is MOST likely occurring?
A. Brute force attack
B. Path traversal
C. Directory enumeration
D. SQL injection
Correct Answer: C. Directory enumeration
Explanation:
A surge in 404 (Not Found) errors suggests that an attacker is trying to discover valid URLs, directories, or resources on a web server. Directory enumeration involves making automated requests to guess paths to admin panels, scripts, or hidden files. If these attempts fail, they return 404s. Monitoring such anomalies helps detect early-stage reconnaissance.
12. What is the PRIMARY purpose of using a honeypot in a network?
A. Prevent DDoS attacks
B. Attract and analyze malicious activity
C. Encrypt data in motion
D. Automate access control
Correct Answer: B. Attract and analyze malicious activity
Explanation:
A honeypot is a decoy system designed to lure attackers. It mimics legitimate services to observe and log intrusion attempts without risking production environments. This tactic provides insight into attacker methods, tools, and behavior, helping teams strengthen defenses. Honeypots also divert attackers from valuable assets, increasing detection and response effectiveness.
13. Which technique allows analysts to identify when a threat actor has successfully pivoted within a network?
A. Signature-based detection
B. Threat hunting
C. Lateral movement detection
D. Social engineering testing
Correct Answer: C. Lateral movement detection
Explanation:
Lateral movement detection involves identifying unauthorized activity where an attacker moves from one compromised system to others within the same network. Detecting this movement helps analysts understand the attack path and stop adversaries before they reach high-value targets. Tools like EDRs and SIEMs are often configured to flag such suspicious inter-host behavior.
14. A company discovers that an internal user has been accessing customer records without authorization. What type of threat actor is involved?
A. Script kiddie
B. Insider threat
C. Hacktivist
D. Nation-state
Correct Answer: B. Insider threat
Explanation:
An insider threat originates from within the organization—an employee, contractor, or affiliate—who misuses access privileges. In this case, unauthorized access to customer records by a staff member reflects intentional or negligent behavior. Insider threats are particularly dangerous because they bypass perimeter defenses and often have intimate knowledge of systems.
15. Which tool is MOST appropriate for performing a passive asset discovery on a corporate network?
A. Wireshark
B. Metasploit
C. Nessus
D. Nikto
Correct Answer: A. Wireshark
Explanation:
Wireshark captures and analyzes network traffic in real-time, making it suitable for passive asset discovery. By listening to traffic, analysts can identify hosts, MAC addresses, protocols, and communication patterns without actively probing devices. This method is less likely to trigger alarms or impact network performance, making it ideal for stealth assessments.
16. Which of the following BEST describes the benefit of threat hunting over traditional reactive detection?
A. Requires fewer staff to operate
B. Identifies insider threats automatically
C. Detects unknown or stealthy threats proactively
D. Replaces the need for SIEM tools
Correct Answer: C. Detects unknown or stealthy threats proactively
Explanation:
Threat hunting is a proactive process that goes beyond alerts to uncover hidden threats not identified by traditional tools. It relies on hypotheses, behavioral analysis, and deep investigation into systems and network activity. Unlike reactive detection, which responds to known signatures, threat hunting aims to catch advanced persistent threats (APTs) and zero-day attacks before they cause significant damage.
17. What type of malware disguises itself as a legitimate program but gives an attacker remote access?
A. Rootkit
B. Ransomware
C. Trojan
D. Worm
Correct Answer: C. Trojan
Explanation:
A Trojan (or Trojan Horse) pretends to be legitimate software to trick users into installing it. Once installed, it opens a backdoor for attackers to gain remote access and control over the system. Unlike worms or ransomware, a Trojan relies heavily on social engineering and does not self-replicate. Trojans are used to steal data, deploy payloads, or conduct surveillance.
18. What is the PRIMARY benefit of using Security Orchestration, Automation, and Response (SOAR) platforms?
A. Blocking phishing emails automatically
B. Real-time encryption of endpoint data
C. Automating and coordinating security processes across tools
D. Monitoring CPU usage on critical systems
Correct Answer: C. Automating and coordinating security processes across tools
Explanation:
SOAR platforms improve operational efficiency by automating repetitive security tasks and orchestrating response across multiple tools. They allow analysts to triage incidents, run playbooks, enrich alerts, and even initiate responses—all without manual intervention. SOAR reduces mean time to detect (MTTD) and respond (MTTR), empowering smaller teams to handle large volumes of security events.
19. Which of the following is a symptom of a misconfigured SIEM correlation rule?
A. No alerts generated during active attack
B. Increase in firewall throughput
C. Disabled user account notifications
D. Normalized logs from multiple sources
Correct Answer: A. No alerts generated during active attack
Explanation:
If a SIEM fails to trigger alerts during a real attack, it likely indicates a misconfigured or overly narrow correlation rule. These rules define what patterns should raise an alert. Incorrect logic, thresholds, or filtering can lead to false negatives—missed detections. Regular tuning and testing are crucial to ensure SIEM rules match evolving threat behaviors and maintain detection efficacy.
20. What is the MOST appropriate action to take after discovering sensitive data stored unencrypted on a public-facing server?
A. Encrypt the files with AES-256 immediately
B. Notify legal and begin incident response
C. Rename the files to obscure the contents
D. Increase server bandwidth
Correct Answer: B. Notify legal and begin incident response
Explanation:
Storing sensitive data unencrypted on a public-facing server constitutes a serious data exposure. The appropriate first step is to initiate the incident response plan and notify legal or compliance teams to assess breach implications. Tampering with data or delaying reporting can worsen the impact and violate regulatory requirements. Swift containment and communication are key in such scenarios.
21. What is the PRIMARY reason for conducting a baseline security assessment?
A. To monitor server uptime
B. To identify compliance gaps
C. To establish a performance metric
D. To compare against previous threat reports
Correct Answer: B. To identify compliance gaps
Explanation:
A baseline security assessment evaluates the current security posture against organizational policies, standards, or regulatory frameworks. It helps identify gaps, outdated configurations, or missing controls. Establishing a baseline also supports future assessments, helping track improvements or regressions over time. It’s essential for audits, risk management, and strategic planning.
22. Which attack vector is MOST commonly associated with watering hole attacks?
A. Malicious mobile apps
B. Compromised websites visited by the target group
C. Phishing emails with embedded links
D. USB drives left in public spaces
Correct Answer: B. Compromised websites visited by the target group
Explanation:
Watering hole attacks involve compromising websites that are frequently visited by specific user groups, such as employees in an industry or organization. Attackers inject malicious code into these trusted websites, waiting for victims to visit. Once visited, the malware executes and infects the system. This passive yet targeted approach increases the likelihood of success without directly contacting the victim.
23. Which phase of the incident response process includes eradication and recovery efforts?
A. Identification
B. Containment
C. Lessons learned
D. Remediation
Correct Answer: D. Remediation
Explanation:
Remediation follows containment and focuses on eliminating the root cause of the incident. This includes removing malware, closing vulnerabilities, and restoring systems to their secure state. Recovery efforts ensure business continuity and may involve restoring from backups or applying new security controls. Effective remediation is critical to prevent recurrence and ensure complete resolution of the issue.
24. An attacker used a vulnerability in outdated software to gain control of a web server. What is this attack type called?
A. Zero-day exploit
B. Privilege escalation
C. Known exploit
D. Logic bomb
Correct Answer: C. Known exploit
Explanation:
A known exploit targets a publicly disclosed vulnerability for which a patch or fix already exists. Attackers take advantage of organizations that haven’t applied the update. This differs from zero-day exploits, which attack unknown or unpatched flaws. Staying current with patching and vulnerability scanning is essential to defend against such threats.
25. A company wants to monitor changes to critical files on its servers. What tool is BEST suited for this purpose?
A. Nmap
B. File integrity monitoring (FIM)
C. SIEM
D. Proxy server
Correct Answer: B. File integrity monitoring (FIM)
Explanation:
File integrity monitoring tools track and alert on unauthorized or unexpected changes to critical system or configuration files. They compute checksums of files and compare them against a stored baseline to detect modifications, deletions, or additions. FIM is crucial in detecting tampering, malware infections, or policy violations and is often required for compliance with standards like PCI DSS.
26. What type of scan attempts to identify open ports and services without logging into a system?
A. Credentialed scan
B. Authenticated scan
C. Passive scan
D. Uncredentialed scan
Correct Answer: D. Uncredentialed scan
Explanation:
An uncredentialed scan probes systems externally without using valid credentials. It assesses surface-level vulnerabilities and open ports but cannot access internal configurations or settings. While less thorough than credentialed scans, it simulates how an external attacker views the system. It’s useful for identifying perimeter weaknesses without compromising credentials or access.
27. What is the BEST way to reduce false positives in a SIEM platform?
A. Increase alert sensitivity
B. Tune correlation rules based on environment
C. Disable anomaly detection
D. Send logs only from domain controllers
Correct Answer: B. Tune correlation rules based on environment
Explanation:
Fine-tuning SIEM correlation rules ensures alerts are relevant and contextualized to the specific environment. Default settings often generate too many irrelevant or low-risk alerts. By refining rules, filters, and thresholds based on organizational behavior and assets, analysts can reduce noise and focus on genuine threats. This optimization enhances incident response efficiency.
28. An attacker intercepts session cookies to gain unauthorized access. Which attack does this represent?
A. Session hijacking
B. CSRF
C. Clickjacking
D. URL redirection
Correct Answer: A. Session hijacking
Explanation:
Session hijacking involves stealing valid session cookies or tokens to impersonate an authenticated user. Attackers may capture these via insecure transmission, XSS attacks, or malware. Once obtained, they can access resources without needing credentials. Protecting cookies with encryption, HTTPOnly flags, and secure transmission protocols like HTTPS mitigates this risk.
29. What type of log would MOST likely contain evidence of brute-force login attempts?
A. DNS logs
B. Web proxy logs
C. Authentication logs
D. File access logs
Correct Answer: C. Authentication logs
Explanation:
Authentication logs record login attempts, including timestamps, usernames, source IPs, and success/failure status. Multiple rapid failures followed by a successful login often indicate brute-force activity. These logs are vital for intrusion detection, account security monitoring, and forensic investigations. Regular analysis helps identify compromised accounts or malicious scripts.
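The failed-then-successful login pattern that questions 2 and 29 describe, turned into detection logic as an added example that is not part of the practice test. It parses constructed sshd-style log lines and flags any source address that accumulates several failures within a time window and then logs in; the thresholds and the year used to complete the syslog timestamps are assumptions.

```python
"""Detect a failed-logins-then-success pattern in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-style, no year) for illustration only.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 bastion sshd[4021]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 bastion sshd[4021]: Failed password for jsmith from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:06 bastion sshd[4021]: Failed password for jsmith from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:09 bastion sshd[4022]: Accepted password for jsmith from 203.0.113.7 port 51026 ssh2
Mar 10 02:20:11 bastion sshd[4030]: Failed password for mlee from 198.51.100.4 port 40110 ssh2
Mar 10 02:20:40 bastion sshd[4031]: Accepted password for mlee from 198.51.100.4 port 40111 ssh2
Mar 10 03:01:00 bastion sshd[4040]: Accepted publickey for deploy from 192.0.2.9 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_auth_lines(text, year=2024):
    """Return (timestamp, result, user, source_ip) tuples for lines that match.

    Syslog timestamps carry no year, so one is assumed (a real pipeline would
    take it from the log's metadata).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages (session opened, disconnects, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_fail_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return {source_ip: (failure_count, user)} for sources that reached at least
    `min_failures` failures inside `window` and then produced a successful login."""
    failures = defaultdict(list)  # source_ip -> timestamps of recent failures
    hits = {}
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            failures[src].append(ts)
            # keep only failures still inside the sliding window
            failures[src] = [t for t in failures[src] if ts - t <= window]
        else:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= min_failures:
                hits[src] = (len(recent), user)
            failures[src].clear()  # a success closes the current burst
    return hits


if __name__ == "__main__":
    for src, (count, user) in find_fail_then_success(parse_auth_lines(SAMPLE_LOG)).items():
        print(f"ALERT: {src} logged in as {user!r} after {count} failures")
```

A single failure before a success (the second source above) stays below the threshold, which is what separates a user mistyping a password from the pattern the questions describe.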
30. Which of the following controls BEST supports data confidentiality?
A. Hashing
B. Segmentation
C. Encryption
D. Logging
Correct Answer: C. Encryption
Explanation:
Encryption protects data confidentiality by converting plaintext into unreadable ciphertext, which can only be decrypted by authorized parties. It applies to data at rest, in transit, and in use. Unlike hashing (used for integrity), encryption ensures that sensitive data like PII or financial records remain inaccessible to unauthorized users even if intercepted or stolen.
31. During a threat hunt, a security analyst discovers unauthorized communication to an unfamiliar IP over port 443. What is the analyst’s MOST appropriate next step?
A. Block the IP address at the firewall
B. Terminate the user’s session immediately
C. Conduct deep packet inspection (DPI)
D. Update antivirus signatures
Correct Answer: C. Conduct deep packet inspection (DPI)
Explanation:
While port 443 is typically used for HTTPS traffic, attackers can abuse it to hide malicious activity. The best next step is to perform deep packet inspection to analyze the payload of encrypted traffic and determine if it’s legitimate or suspicious. This helps confirm whether the connection is malicious before taking disruptive actions like blocking or terminating sessions.
32. Which of the following BEST defines the use of a SOAR platform in a SOC environment?
A. Prevents known malware using heuristic scanning
B. Automates response workflows and integrates multiple tools
C. Stores logs from all endpoints
D. Analyzes wireless traffic
Correct Answer: B. Automates response workflows and integrates multiple tools
Explanation:
SOAR (Security Orchestration, Automation, and Response) platforms streamline incident response by automating repetitive tasks, integrating threat intelligence, and connecting multiple security tools. They reduce analyst workload, speed up response time, and ensure consistency in handling alerts. By codifying playbooks, SOAR platforms also enhance decision-making and scalability within Security Operations Centers (SOCs).
33. A vulnerability scan detects a remote code execution flaw in a production web application. What should the analyst do FIRST?
A. Uninstall the application
B. Apply the patch immediately
C. Validate the finding and assess risk
D. Notify all users to stop using the app
Correct Answer: C. Validate the finding and assess risk
Explanation:
Before taking action, it’s essential to validate the scan result to rule out false positives. Once confirmed, the analyst should assess the exploitability and impact to determine the urgency and plan mitigation. Jumping straight to patching or taking services offline without due diligence can cause unnecessary disruption, especially in production environments.
34. What is the PRIMARY objective of implementing segmentation in a network?
A. To boost overall bandwidth
B. To reduce network latency
C. To isolate sensitive systems and limit attack surface
D. To simplify routing protocols
Correct Answer: C. To isolate sensitive systems and limit attack surface
Explanation:
Network segmentation divides a network into smaller segments or zones to isolate traffic and sensitive assets. This limits lateral movement during a breach, reduces the attack surface, and improves access control. For example, separating finance or HR systems from general user networks prevents attackers from easily reaching critical systems even if one segment is compromised.
35. A cybersecurity analyst receives an alert about a device beaconing to a known command-and-control (C2) server. What should be the FIRST action?
A. Inform the legal team
B. Disable internet access for the device
C. Format the hard drive
D. File a police report
Correct Answer: B. Disable internet access for the device
Explanation:
Disabling internet access immediately cuts off the attacker’s remote control over the infected system. This containment action is essential to prevent data exfiltration or further command execution. Once isolated, the analyst can safely investigate, collect evidence, and remediate the threat without allowing the attacker to interfere or escalate the compromise.
36. Which of the following BEST describes the purpose of MITRE ATT&CK in threat detection?
A. It provides firewall rule configurations
B. It categorizes malware signatures
C. It outlines tactics and techniques used by adversaries
D. It ranks antivirus software by effectiveness
Correct Answer: C. It outlines tactics and techniques used by adversaries
Explanation:
MITRE ATT&CK is a knowledge base that details the behavior of adversaries across different stages of an attack. It outlines tactics (the attack goals) and techniques (how those goals are achieved), helping organizations map threats, analyze incidents, and improve detection and response strategies. Security teams use ATT&CK to align defenses and threat hunting to real-world adversary behavior.
37. A host-based intrusion detection system (HIDS) on a server alerts the SOC to a potential buffer overflow attack. What should the analyst do NEXT?
A. Patch the server immediately
B. Disable the affected service
C. Investigate the process memory and event logs
D. Restart the server
Correct Answer: C. Investigate the process memory and event logs
Explanation:
Buffer overflow attacks can allow remote code execution or privilege escalation. Before taking action like patching or disabling services, the analyst should investigate the process memory and logs to verify the alert, check indicators of compromise, and determine the attack’s scope. This ensures the response is both appropriate and evidence-based.
38. An organization wants to detect unusual outbound traffic from its internal network. Which tool is MOST suitable for this task?
A. Web proxy
B. IDS/IPS
C. NetFlow analyzer
D. Vulnerability scanner
Correct Answer: C. NetFlow analyzer
Explanation:
NetFlow data provides insight into network traffic patterns, including source, destination, protocol, and volume. It’s ideal for detecting anomalies like data exfiltration, C2 communication, or lateral movement. A NetFlow analyzer can alert the SOC to spikes in outbound traffic or traffic to suspicious IP addresses without needing full packet capture, offering performance and scalability.
39. Which of the following BEST represents an example of risk transference in cybersecurity?
A. Accepting phishing risks due to low impact
B. Purchasing cyber insurance
C. Mitigating DDoS attacks with rate-limiting
D. Monitoring systems 24/7 with a SIEM
Correct Answer: B. Purchasing cyber insurance
Explanation:
Risk transference involves shifting the financial consequences of a risk to another party. Purchasing cyber insurance is a classic example, as it doesn’t reduce the likelihood of incidents but helps cover the cost of response, recovery, and potential legal liabilities. This strategy is part of a broader risk management plan when mitigation isn’t sufficient or feasible.
40. An attacker gains access to an internal network and begins scanning for open ports. Which detection method would MOST likely identify this activity?
A. Web application firewall
B. Behavioral anomaly detection
C. Patch management tool
D. URL filtering
Correct Answer: B. Behavioral anomaly detection
Explanation:
Behavioral anomaly detection tools monitor normal system and network behavior, triggering alerts when deviations occur—such as internal port scans. Unlike signature-based detection, which relies on known patterns, behavioral methods can catch previously unseen tactics. This is essential for early detection of lateral movement and reconnaissance within compromised networks.
46. Which of the following BEST describes a zero-day vulnerability?
A. A known vulnerability with an available patch
B. A recently discovered vulnerability already being exploited
C. A vulnerability that only affects IoT devices
D. A misconfiguration in a firewall rule
Correct Answer: B. A recently discovered vulnerability already being exploited
Explanation:
A zero-day vulnerability is a flaw unknown to the vendor and often lacks a patch. Threat actors exploit it before developers are aware or can fix it, making it highly dangerous. Detection relies on behavior-based tools and threat intelligence. Once disclosed and patched, it’s no longer “zero-day.” The term highlights the gap between discovery and resolution, which adversaries actively target.
47. Which tool would MOST effectively help an analyst identify patterns in malicious DNS traffic?
A. Proxy server
B. DNS sinkhole
C. Packet sniffer
D. SIEM platform
Correct Answer: D. SIEM platform
Explanation:
A SIEM platform aggregates and correlates log data from across the network, including DNS traffic, helping analysts spot patterns such as repeated DNS queries to known malicious domains. Unlike packet sniffers or individual tools, SIEMs provide centralized visibility, automated alerts, and historical context, enabling detection of suspicious DNS behavior indicative of malware or command-and-control activities.
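The two DNS signals the explanations for questions 3 and 47 describe, a burst of queries to random-looking domains and repeated lookups of a known-malicious domain, scored per client in an added example that is not part of the practice test. The resolver log lines, the blocklist entry (a placeholder under the reserved .test TLD, not a real indicator), the entropy threshold and the alert thresholds are all constructed assumptions.

```python
"""Score DNS clients on random-looking domains and known-bad lookups."""
from collections import Counter, defaultdict
import math

# Constructed resolver log, one query per line: "<time> <client_ip> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
10:00:01 10.0.0.15 www.example.com NOERROR
10:00:02 10.0.0.15 cdn.example.net NOERROR
10:00:05 10.0.0.22 xk3j9qpl2mwe.info NXDOMAIN
10:00:06 10.0.0.22 q8zv1tb5r0ylp.net NXDOMAIN
10:00:07 10.0.0.22 m2w9xo4kdj7a.org NXDOMAIN
10:00:08 10.0.0.22 bt6yh3nq0pzr.biz NXDOMAIN
10:00:09 10.0.0.22 c7lgq2xw8vsk.com NOERROR
10:00:30 10.0.0.31 c2-bad.test NOERROR
10:00:45 10.0.0.31 c2-bad.test NOERROR
10:01:00 10.0.0.31 c2-bad.test NOERROR
10:01:10 10.0.0.15 mail.example.com NOERROR
"""

# Constructed blocklist standing in for a threat-intelligence feed.
KNOWN_BAD = {"c2-bad.test"}


def shannon_entropy(s):
    """Bits per character; machine-generated labels score higher than words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label just left of the TLD ('example' for www.example.com).

    A naive split; real tooling uses the public suffix list for co.uk and similar.
    """
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        events.append((ts, client, qname.lower(), rcode))
    return events


def score_clients(events, entropy_threshold=3.5, min_random=3, min_known_bad=1):
    """Per client: distinct domains, NXDOMAIN count, distinct random-looking
    domains, known-bad hits, and the reasons any threshold was exceeded."""
    stats = defaultdict(lambda: {"distinct": set(), "nxdomain": 0,
                                 "random_looking": set(), "known_bad": 0})
    for _ts, client, qname, rcode in events:
        s = stats[client]
        s["distinct"].add(qname)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1  # DGA clients burn through unregistered names
        label = registrable_label(qname)
        if len(label) >= 10 and shannon_entropy(label) >= entropy_threshold:
            s["random_looking"].add(qname)
        if qname in KNOWN_BAD:
            s["known_bad"] += 1

    report = {}
    for client, s in stats.items():
        reasons = []
        if len(s["random_looking"]) >= min_random:
            reasons.append("random-looking domains (possible DGA/C2)")
        if s["known_bad"] >= min_known_bad:
            reasons.append("queries to known-bad domain")
        report[client] = {
            "distinct": len(s["distinct"]),
            "nxdomain": s["nxdomain"],
            "random_looking": len(s["random_looking"]),
            "known_bad": s["known_bad"],
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for client, r in score_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        status = "; ".join(r["reasons"]) or "no findings"
        print(f"{client}: {r['distinct']} domains, {r['nxdomain']} NXDOMAIN -> {status}")
```

The entropy heuristic alone produces false positives on long legitimate names, which is why the block also requires several distinct such domains per client and treats blocklist matches as a separate signal.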
48. A vulnerability scanner detects CVE-2024-XXXX on multiple servers. What should the analyst do FIRST?
A. Decommission the affected servers
B. Apply the patch across all servers immediately
C. Validate the findings against official advisories
D. Block all network access to the servers
Correct Answer: C. Validate the findings against official advisories
Explanation:
Before applying a patch or taking drastic actions, it’s essential to validate scanner results. False positives are common, and CVE identifiers must be matched to vendor advisories and internal configurations. An accurate risk assessment depends on confirming exploitability and potential impact, ensuring that any action taken is justified, safe, and compliant with change control procedures.
49. Which of the following BEST defines the purpose of a honeypot in cybersecurity?
A. To store sensitive data for legal purposes
B. To attract and monitor attacker behavior
C. To act as a firewall substitute
D. To speed up forensic analysis
Correct Answer: B. To attract and monitor attacker behavior
Explanation:
A honeypot is a decoy system or service designed to lure attackers and observe their techniques in a controlled environment. It gathers intelligence without exposing real assets and helps improve defensive strategies by identifying new attack vectors. Properly isolated, honeypots serve as early warning systems and training tools for blue teams without interfering with production systems.
50. Which of the following MOST effectively reduces the risk of lateral movement within an enterprise network?
A. Antivirus software
B. Full-disk encryption
C. Network segmentation
D. DNS filtering
Correct Answer: C. Network segmentation
Explanation:
Lateral movement refers to an attacker’s ability to navigate a network after initial access. Network segmentation limits this by isolating systems and controlling inter-zone communication. Even if one segment is compromised, the attacker’s movement is restricted, reducing potential damage. This security architecture is crucial in large networks, protecting critical assets like databases and domain controllers.
51. Which of the following BEST helps identify lateral movement within a compromised network?
A. Vulnerability scanner
B. Endpoint Detection and Response (EDR)
C. DLP software
D. Patch management system
Correct Answer: B. Endpoint Detection and Response (EDR)
Explanation:
EDR solutions continuously monitor endpoint activity and provide detailed logs of process behavior, file access, and network communication. They are well-suited to detecting lateral movement, which often involves credential theft and remote access to other systems. By flagging anomalies, such as remote logins from unusual devices or privilege escalation attempts, EDR helps analysts trace and block attacker paths.
52. A company is deploying security patches in a staggered manner. What is this method called?
A. Phased rollout
B. Full deployment
C. Hotfix push
D. Emergency patching
Correct Answer: A. Phased rollout
Explanation:
A phased rollout involves applying patches to a subset of systems first, then gradually expanding the deployment to the rest of the environment. This method reduces risk by allowing testing in a controlled group, identifying compatibility issues early, and avoiding mass outages. It’s a common best practice in patch management processes.
53. What technique does a threat actor use in a watering hole attack?
A. Infecting popular websites visited by targets
B. Sending phishing emails to random users
C. Directly compromising internal systems
D. Exploiting known vulnerabilities in software
Correct Answer: A. Infecting popular websites visited by targets
Explanation:
In a watering hole attack, adversaries compromise websites that are frequently visited by the target group, often related to industry or location. When users access the infected site, malware is silently delivered to their systems. This targeted approach is stealthy and effective against well-defended organizations, making web traffic filtering and behavior monitoring crucial.
54. Which of the following is the MOST effective method for preventing unauthorized device access in a corporate network?
A. Antivirus software
B. Network segmentation
C. MAC address filtering
D. NAC (Network Access Control)
Correct Answer: D. NAC (Network Access Control)
Explanation:
Network Access Control (NAC) enforces security policies by evaluating devices before allowing them on the network. It checks for compliance (e.g., antivirus, patch level, OS version) and can quarantine or deny access to non-compliant systems. Unlike MAC filtering, which can be spoofed, NAC offers real-time, policy-based access decisions that are more secure and scalable.
55. An analyst finds an IoC related to a known APT group in their SIEM logs. What should they do FIRST?
A. Share the IoC on social media
B. Initiate system patching
C. Validate the finding through threat intelligence sources
D. Immediately shut down affected systems
Correct Answer: C. Validate the finding through threat intelligence sources
Explanation:
Before acting, it is critical to confirm the legitimacy and context of the indicator of compromise (IoC). Threat intelligence platforms and feeds can help verify whether the artifact is associated with known threat actors or is a false positive. This ensures a balanced, accurate response and avoids disrupting legitimate operations unnecessarily.
56. What type of analysis involves checking how malware interacts with a system in a sandbox environment?
A. Static analysis
B. Predictive analysis
C. Behavioral analysis
D. Hash-based analysis
Correct Answer: C. Behavioral analysis
Explanation:
Behavioral analysis involves executing the malware in a controlled (sandbox) environment and monitoring its actions—such as file creation, process initiation, or network calls. This dynamic approach is effective in identifying previously unknown threats and understanding payloads that are not revealed through static analysis alone.
57. Which encryption protocol is considered MOST secure for Wi-Fi networks?
A. WEP
B. WPA
C. WPA2
D. WPA3
Correct Answer: D. WPA3
Explanation:
WPA3 is the latest and most secure Wi-Fi encryption standard. It introduces stronger encryption through SAE (Simultaneous Authentication of Equals), which replaces the PSK mechanism in WPA2. WPA3 also provides forward secrecy and protection against brute-force attacks, making it ideal for modern wireless security in enterprise and consumer environments.
58. Which of the following actions can MOST help reduce the attack surface of a system?
A. Installing multiple antivirus tools
B. Applying service patches
C. Removing unused software and services
D. Running applications with administrator privileges
Correct Answer: C. Removing unused software and services
Explanation:
The attack surface is the sum of all potential entry points for attackers. Unused applications and services represent unnecessary risk, especially if they are outdated or misconfigured. By uninstalling them, you reduce potential vulnerabilities and limit the pathways attackers can exploit. This is a fundamental part of system hardening.
59. Which attack vector is MOST associated with credential stuffing?
A. Brute force
B. Exploit chaining
C. Reuse of breached credentials
D. SQL injection
Correct Answer: C. Reuse of breached credentials
Explanation:
Credential stuffing leverages leaked usernames and passwords from past breaches to attempt logins on other systems. This is successful due to widespread password reuse. Unlike brute force, which tries random combinations, credential stuffing uses real credentials, often bypassing basic login attempt limits. Multi-factor authentication (MFA) is an effective defense.
60. What technique do adversaries use when embedding malicious scripts inside image files?
A. Keylogging
B. Steganography
C. SQL injection
D. Typosquatting
Correct Answer: B. Steganography
Explanation:
Steganography is the practice of concealing data within files—commonly images or audio—without altering their appearance or behavior. Attackers use this to bypass security controls, hide payloads, or exfiltrate sensitive information. Because the file appears harmless, traditional malware detection tools may not identify the threat, making behavioral monitoring essential.
61. Which of the following would BEST help a security analyst determine whether a suspicious process is part of a fileless malware attack?
A. VirusTotal hash lookup
B. Static code analysis
C. Behavioral monitoring
D. Firewall rules review
Correct Answer: C. Behavioral monitoring
Explanation:
Fileless malware operates in memory and does not write traditional files to disk, making it difficult for signature-based detection to find. Behavioral monitoring can detect anomalies such as PowerShell execution, memory injection, or abnormal parent-child process relationships. These indicators help identify malicious behavior that evades traditional antivirus solutions.
62. A cybersecurity team detects traffic going to known malicious IPs from multiple internal hosts. What is the MOST appropriate first response?
A. Block IPs on the firewall
B. Shut down all systems
C. Contact law enforcement
D. Disable internet access
Correct Answer: A. Block IPs on the firewall
Explanation:
Blocking malicious IP addresses immediately helps contain the potential breach and prevents further communication with threat actors. This action buys time for the cybersecurity team to analyze affected hosts and implement further remediation steps. It is a measured and effective first response that avoids overreaction like shutting down entire networks.
63. Which of the following BEST defines risk appetite?
A. The total number of vulnerabilities in a system
B. The likelihood of a threat exploiting a vulnerability
C. The level of risk an organization is willing to accept
D. The value of an asset to the business
Correct Answer: C. The level of risk an organization is willing to accept
Explanation:
Risk appetite is a strategic decision that defines how much risk an organization is prepared to tolerate in pursuit of its goals. It helps guide security policies, investment decisions, and the prioritization of controls. A company with a low risk appetite may implement more strict security measures than one with a higher tolerance.
64. What is the primary benefit of using threat hunting in a cybersecurity program?
A. Reduces patch management workload
B. Prevents insider threats completely
C. Proactively detects threats before alerts are triggered
D. Enhances phishing simulation effectiveness
Correct Answer: C. Proactively detects threats before alerts are triggered
Explanation:
Threat hunting involves actively searching for hidden threats that have not been detected by automated tools. It focuses on identifying advanced persistent threats, lateral movement, and other signs of compromise by using intelligence, hypothesis testing, and behavioral analysis. This proactive strategy complements reactive security monitoring.
65. A SOC analyst notices repeated login failures followed by a successful login from an unfamiliar IP. What type of attack is this MOST likely?
A. Cross-site scripting
B. Credential stuffing
C. Port scanning
D. Phishing
Correct Answer: B. Credential stuffing
Explanation:
The pattern of repeated login failures followed by a success suggests an automated attack using compromised credentials. Credential stuffing involves attackers trying leaked username-password pairs across multiple accounts. Once a correct pair is found, access is gained. MFA, IP reputation blocking, and account lockouts can mitigate such attacks.
66. What is the main function of STIX in cyber threat intelligence?
A. Sharing threat data securely
B. Generating firewall rules
C. Encrypting traffic logs
D. Running vulnerability scans
Correct Answer: A. Sharing threat data securely
Explanation:
STIX (Structured Threat Information eXpression) is a standardized format for representing cyber threat intelligence (CTI). It allows organizations to share detailed, structured information about threats, indicators, and incidents in a machine-readable format. STIX promotes consistency and collaboration in threat intelligence across organizations and platforms.
67. Which type of attack MOST often exploits unvalidated input in web applications?
A. DNS poisoning
B. Buffer overflow
C. SQL injection
D. Credential harvesting
Correct Answer: C. SQL injection
Explanation:
SQL injection exploits unvalidated input fields, such as login forms or search boxes, by inserting malicious SQL statements. This allows attackers to read, modify, or delete database content. Proper input validation, use of parameterized queries, and web application firewalls are critical defenses against this common web application attack.
68. A company’s incident response plan includes an RTO of 2 hours. What does this indicate?
A. The recovery process should begin within 2 hours
B. Data loss cannot exceed 2 hours
C. The system must be back online within 2 hours
D. The response team must be contacted every 2 hours
Correct Answer: C. The system must be back online within 2 hours
Explanation:
Recovery Time Objective (RTO) defines the maximum acceptable downtime for a system after a disruption. An RTO of 2 hours means the organization must restore operations within that time frame to avoid unacceptable impact. It’s a key metric in disaster recovery and business continuity planning.
69. Which type of malware is designed specifically to provide unauthorized access and persistence on a system?
A. Ransomware
B. Adware
C. Rootkit
D. Keylogger
Correct Answer: C. Rootkit
Explanation:
Rootkits are stealthy malware designed to gain and maintain privileged access while hiding their presence. They often modify operating system components or boot loaders to stay undetected. Rootkits can be extremely difficult to remove and are commonly used in long-term espionage or sabotage campaigns.
70. A forensic analyst is documenting timestamps from a compromised system. Which of the following is MOST important to establish during this process?
A. Encryption keys used
B. Chain of custody
C. File permissions
D. Data classification
Correct Answer: B. Chain of custody
Explanation:
Chain of custody ensures that evidence collected during a forensic investigation remains untampered and legally admissible. It documents who collected the data, when, how it was handled, and who accessed it. Without a clear chain of custody, the evidence could be challenged or dismissed in court or internal reviews.
71. Which of the following is the BEST method to detect unauthorized lateral movement within a network?
A. Port scanning
B. Endpoint antivirus logs
C. Internal network segmentation
D. East-west traffic monitoring
Correct Answer: D. East-west traffic monitoring
Explanation:
Lateral movement occurs when attackers move within a network to find critical systems or data. East-west traffic monitoring, which observes internal traffic between systems (not just inbound or outbound), helps detect such unauthorized movements. It complements north-south monitoring and is key for identifying anomalies between trusted hosts.
72. What is the PRIMARY goal of vulnerability management?
A. Prevent zero-day threats
B. Identify, prioritize, and remediate known security weaknesses
C. Detect malware
D. Encrypt all traffic
Correct Answer: B. Identify, prioritize, and remediate known security weaknesses
Explanation:
Vulnerability management is a cyclical process aimed at discovering, assessing, and addressing security flaws in systems. By continuously scanning and patching known vulnerabilities based on risk level and asset value, organizations can significantly reduce their attack surface and prevent exploitation.
73. Which data source would provide the BEST visibility into unauthorized USB device usage?
A. DHCP logs
B. SIEM alert history
C. Endpoint audit logs
D. Firewall logs
Correct Answer: C. Endpoint audit logs
Explanation:
USB device insertions and removals are recorded in the operating system's audit logs when device auditing is enabled. These logs provide details such as time, user, and device information. Unlike firewall or DHCP logs, which focus on network traffic, endpoint audit logs give direct insight into physical device activity on a host.
74. Which of the following BEST mitigates the risk of credential reuse attacks?
A. Antivirus
B. Data loss prevention
C. Single Sign-On
D. Multi-factor authentication
Correct Answer: D. Multi-factor authentication
Explanation:
Credential reuse attacks take advantage of users repeating passwords across multiple sites. MFA adds an extra layer of authentication (such as a code or biometrics), making stolen credentials insufficient on their own. It significantly reduces the success of such attacks even if credentials are compromised.
75. A company wants to prevent malware from spreading via email attachments. What is the BEST solution?
A. DNS filtering
B. Email sandboxing
C. Host-based firewall
D. SIEM correlation rules
Correct Answer: B. Email sandboxing
Explanation:
Email sandboxing analyzes attachments in a secure, isolated environment before delivering them to the user. If the attachment behaves maliciously (e.g., drops a payload or makes abnormal system calls), it’s blocked. This is highly effective against zero-day and polymorphic malware distributed via email.
76. Which of the following provides a structured way to identify attacker techniques and improve detection rules?
A. WHOIS database
B. MITRE ATT&CK
C. NIST CSF
D. DNSSEC
Correct Answer: B. MITRE ATT&CK
Explanation:
MITRE ATT&CK is a knowledge base that categorizes and describes tactics, techniques, and procedures (TTPs) used by adversaries. It’s widely used for mapping attack behavior, improving SIEM use cases, red teaming, and defensive strategy planning. It helps SOCs detect and correlate activities to specific threats.
77. What is the PRIMARY purpose of a SIEM system?
A. Generate reports for compliance
B. Automatically block malicious traffic
C. Correlate security events from multiple sources
D. Backup sensitive data
Correct Answer: C. Correlate security events from multiple sources
Explanation:
SIEM (Security Information and Event Management) solutions aggregate logs from across the infrastructure (firewalls, servers, endpoints) and correlate them to identify patterns and threats. They enable analysts to detect incidents that would be missed if logs were examined in isolation, and a SIEM is a core SOC tool.
78. Which of the following is a commonly used technique to evade signature-based detection systems?
A. Salting
B. Obfuscation
C. API throttling
D. DNS over HTTPS
Correct Answer: B. Obfuscation
Explanation:
Obfuscation alters malware code or behavior so that it avoids matching known signatures in antivirus or intrusion detection systems. This can include packing, encryption, or renaming functions. Obfuscation doesn’t change what the malware does—it just makes it harder to detect using traditional means.
79. What is the MOST appropriate use of a honeypot in cybersecurity?
A. Speed up system patching
B. Attract and monitor attackers for threat intelligence
C. Encrypt backups in real-time
D. Conduct social engineering tests
Correct Answer: B. Attract and monitor attackers for threat intelligence
Explanation:
A honeypot is a decoy system designed to appear vulnerable and lure attackers. It allows defenders to safely observe adversary behavior, tactics, and intentions without risking production systems. Insights gained can improve detection, inform incident response, and enhance security policies.
80. During a post-incident review, a team notes a failed alert escalation. What is the BEST process to improve?
A. Data retention policy
B. Patch management
C. Incident response plan
D. Backup rotation schedule
Correct Answer: C. Incident response plan
Explanation:
If alerts weren’t escalated properly, it points to a flaw in the incident response plan. This document defines roles, responsibilities, communication workflows, and escalation paths during a security event. Reviewing and updating the plan ensures future incidents are handled more effectively.