Quick answer: This post provides 20 free Security+ SY0-701 practice questions spanning all five domains, including a Performance-Based Question (PBQ) example. Each question includes a full explanation, why incorrect answers are wrong, and test-taking tips. Use these to gauge your readiness and identify weak areas before exam day.
Studying for the CompTIA Security+ SY0-701 exam? You need more than memorization—you need to think like a security professional. The exam tests your ability to apply concepts to real-world scenarios, not just recall definitions. Below are 20 practice questions across all five domains: General Security Concepts; Threats, Vulnerabilities, and Mitigations; Security Architecture; Security Operations; and Security Program Management and Oversight. Each includes a full rationale and a breakdown of why the distractors fail. Let’s dive in.
Domain 1: General Security Concepts (Questions 1–4)
Question 1: CIA Triad Application
A healthcare organization implements a new policy requiring all patient records to be encrypted at rest and in transit. Which principle of the CIA triad is primarily addressed?
A. Availability
B. Integrity
C. Confidentiality
D. Non-repudiation
Correct Answer: C. Confidentiality
Explanation: Encryption protects data from unauthorized access, directly supporting confidentiality. Availability ensures data is accessible when needed; integrity protects against unauthorized modification. Non-repudiation is not part of the CIA triad—it’s a related concept ensuring actions can’t be denied.
Why distractors are wrong: Availability (A) relates to uptime, not secrecy. Integrity (B) focuses on accuracy, not access control. Non-repudiation (D) is a security goal but not a CIA triad component.
Question 2: Least Privilege Principle
A network administrator has full administrative rights on all servers. During a routine audit, you discover they also have local admin rights on their workstation. What security principle is most violated?
A. Defense in depth
B. Separation of duties
C. Least privilege
D. Role-based access control
Correct Answer: C. Least privilege
Explanation: Least privilege means users get only the permissions needed to perform their job. The admin’s workstation rights exceed necessity, increasing risk if compromised. Separation of duties divides critical tasks among multiple people.
Why distractors are wrong: Defense in depth (A) layers security controls. Separation of duties (B) prevents fraud by splitting responsibilities. Role-based access control (D) is a method to implement least privilege, not the principle itself.
Question 3: Zero Trust Model
Which of the following best describes the “never trust, always verify” approach in network security?
A. Implicit trust for internal traffic
B. Continuous verification of every access request
C. Perimeter-only security controls
D. Single sign-on for all applications
Correct Answer: B. Continuous verification of every access request
Explanation: Zero Trust assumes no implicit trust, even within the network. Every access request must be authenticated, authorized, and validated. Implicit trust (A) is the opposite.
Why distractors are wrong: Perimeter-only (C) is a traditional model. Single sign-on (D) improves user experience but doesn’t enforce continuous verification.
Question 4: Non-repudiation
A company uses digital signatures on all official contracts. What security goal does this primarily achieve?
A. Authentication
B. Non-repudiation
C. Authorization
D. Accounting
Correct Answer: B. Non-repudiation
Explanation: Digital signatures provide proof of origin and integrity, preventing the signer from denying their action. Authentication (A) verifies identity, but non-repudiation adds legal proof.
Why distractors are wrong: Authorization (C) controls access rights. Accounting (D) tracks resource usage.
Domain 2: Threats, Vulnerabilities, and Mitigations (Questions 5–9)
Question 5: Phishing Identification
An employee receives an email from “IT Support” asking them to click a link and reset their password due to “suspicious activity.” The link appears to be http://courseiva-reset.com. What type of attack is this?
A. Spear phishing
B. Whaling
C. Phishing
D. Vishing
Correct Answer: C. Phishing
Explanation: This is a generic, mass-targeted phishing attempt. Spear phishing (A) targets specific individuals; whaling (B) targets executives. Vishing (D) uses voice calls.
Why distractors are wrong: The email lacks personalization, ruling out spear phishing. No executive targeting is evident. The attack is email-based, not voice.
Question 6: Malware Classification
A user’s system displays ransom notes demanding payment in cryptocurrency to unlock files. Which malware type is this?
A. Worm
B. Trojan
C. Ransomware
D. Rootkit
Correct Answer: C. Ransomware
Explanation: Ransomware encrypts files and demands payment for decryption. Worms (A) self-replicate; Trojans (B) disguise as legitimate software; rootkits (D) hide deep in the OS.
Why distractors are wrong: The ransom note is the telltale sign of ransomware, not replication or stealth.
Question 7: Social Engineering Principle
An attacker calls a help desk, pretending to be a manager, and uses urgency to get a password reset. Which social engineering principle is exploited?
A. Authority
B. Scarcity
C. Familiarity
D. Consensus
Correct Answer: A. Authority
Explanation: The attacker leverages the perceived authority of a manager to bypass security. Scarcity (B) creates false urgency; familiarity (C) builds trust; consensus (D) uses social proof.
Why distractors are wrong: The key is the manager’s position, not time pressure or group behavior.
Question 8: Vulnerability Scanning
Which tool is best for identifying missing patches on a network?
A. Nmap
B. Wireshark
C. Nessus
D. Metasploit
Correct Answer: C. Nessus
Explanation: Nessus is a vulnerability scanner that identifies missing patches and misconfigurations. Nmap (A) maps networks; Wireshark (B) captures packets; Metasploit (D) exploits vulnerabilities.
Why distractors are wrong: Only Nessus is designed for patch-level vulnerability assessment.
Question 9: Attack Vector
Which of these is a physical attack vector?
A. SQL injection
B. Tailgating
C. Cross-site scripting
D. DNS poisoning
Correct Answer: B. Tailgating
Explanation: Tailgating is a physical social engineering attack where an unauthorized person follows an authorized one into a secure area. The others are network-based attacks.
Why distractors are wrong: SQL injection (A), XSS (C), and DNS poisoning (D) all exploit software or protocol weaknesses.
Domain 3: Security Architecture (Questions 10–13)
Question 10: Firewall Rules
A company wants to allow inbound HTTPS traffic to a web server. Which firewall rule is correct?
A. Allow TCP 443 inbound
B. Allow UDP 443 inbound
C. Allow TCP 80 inbound
D. Allow TCP 3389 inbound
Correct Answer: A. Allow TCP 443 inbound
Explanation: HTTPS uses TCP port 443. UDP 443 (B) is for QUIC, not standard HTTPS. TCP 80 (C) is HTTP; TCP 3389 (D) is RDP.
Why distractors are wrong: Only TCP 443 matches HTTPS protocol requirements.
Question 11: Secure Network Design
What is the primary purpose of a DMZ (demilitarized zone)?
A. Host internal employee workstations
B. Provide a buffer between internal and external networks
C. Store backup data
D. Run antivirus scans
Correct Answer: B. Provide a buffer between internal and external networks
Explanation: A DMZ isolates public-facing servers (e.g., web, email) from the internal network, reducing attack surface. It does not host workstations (A) or backups (C).
Why distractors are wrong: Antivirus scans (D) are a function, not the DMZ’s purpose.
Question 12: Cloud Security Model
Which cloud service model gives the customer the most control over the operating system and applications?
A. SaaS
B. PaaS
C. IaaS
D. FaaS
Correct Answer: C. IaaS
Explanation: Infrastructure as a Service (IaaS) provides virtualized hardware, letting customers manage OS and apps. SaaS (A) offers only applications; PaaS (B) manages runtime; FaaS (D) is serverless functions.
Why distractors are wrong: Each higher-level model abstracts more control away from the customer.
Question 13: Encryption Protocols
Which protocol ensures secure communication between a web browser and server?
A. FTP
B. TLS
C. SSH
D. SNMP
Correct Answer: B. TLS
Explanation: Transport Layer Security (TLS) encrypts HTTP traffic (HTTPS). FTP (A) is unencrypted; SSH (C) is for remote shell; SNMP (D) manages network devices.
Why distractors are wrong: TLS is the standard for secure web browsing.
Domain 4: Security Operations (Questions 14–17)
Question 14: Incident Response Steps
After detecting a breach, which step should occur first in the incident response process?
A. Eradication
B. Containment
C. Recovery
D. Identification
Correct Answer: D. Identification
Explanation: The NIST incident response lifecycle starts with preparation, then detection/identification. Containment (B) follows identification. Eradication (A) and recovery (C) come later.
Why distractors are wrong: You must first confirm an incident exists before containing it.
Question 15: Log Analysis
A security analyst sees repeated failed login attempts from a single IP address. What type of attack is this likely?
A. Brute force
B. Man-in-the-middle
C. Replay attack
D. Denial of service
Correct Answer: A. Brute force
Explanation: Multiple failed logins from one source indicate a password guessing attempt. MITM (B) intercepts communications; replay attacks (C) resend captured data; DoS (D) overwhelms resources.
Why distractors are wrong: The pattern of failed logins is classic brute force behavior.
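The pattern described in Question 15 is something an analyst can detect mechanically rather than by eye. The following is an added example, not part of the original post: it parses constructed sshd-style auth log lines (documentation IP ranges, invented usernames and timestamps) and flags any source IP with five or more failures in a 60-second window, noting whether a successful login followed the burst, since that is the case to escalate first.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (sshd format, documentation IP ranges); not from the original post.
SAMPLE_LOG = """\
Jan 10 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 srv sshd[2102]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 10:00:04 srv sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:06 srv sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 10 10:00:07 srv sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Jan 10 10:00:09 srv sshd[2106]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Jan 10 10:05:00 srv sshd[2107]: Failed password for jsmith from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(text, year=2024):
    """Turn raw log lines into (timestamp, ip, user, result) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_brute_force(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside a window_seconds span and
    note whether a success followed the burst (the case to escalate first)."""
    by_ip = defaultdict(list)
    for ts, ip, _user, result in events:
        by_ip[ip].append((ts, result))
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [ts for ts, r in evs if r == "Failed"]
        start = 0
        for end in range(len(failures)):  # sliding window over failure timestamps
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                after = any(r == "Accepted" and ts >= failures[end] for ts, r in evs)
                findings[ip] = {"failures": len(failures), "success_after_burst": after}
                break
    return findings
```

A single failed login from 198.51.100.7 is left alone, while 203.0.113.5 is flagged with a success after the burst, which is the combination that should trigger containment and credential reset rather than just a block.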
Question 16: Backup Strategy
Which backup method captures only changes since the last full backup?
A. Incremental
B. Differential
C. Full
D. Synthetic
Correct Answer: B. Differential
Explanation: Differential backups copy all changes since the last full backup. Incremental (A) copies changes since the last backup (any type). Full (C) copies everything; synthetic (D) combines previous backups.
Why distractors are wrong: Differential is the only one that specifically references the last full backup.
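The incremental versus differential distinction in Question 16 is easiest to see by simulating a week of changes. This is an added example, not from the original post; the file names and daily change sets are constructed. It shows what each daily backup captures, how much storage each strategy consumes, and how many backups must be read to restore a given day.

```python
# Constructed change history for one week; not from the original post.
FULL_SNAPSHOT = {"a.txt", "b.txt", "c.txt", "d.txt"}  # Sunday full backup
DAILY_CHANGES = [                                     # files modified on each weekday
    {"a.txt"},            # Monday
    {"b.txt"},            # Tuesday
    {"a.txt", "c.txt"},   # Wednesday
    {"d.txt"},            # Thursday
]

def backup_sets(strategy, daily_changes):
    """Return the files captured by each daily backup.
    incremental: changes since the last backup of any type (i.e. yesterday's).
    differential: all changes since the last full backup (cumulative)."""
    sets, since_full = [], set()
    for changed in daily_changes:
        since_full |= changed
        if strategy == "incremental":
            sets.append(set(changed))
        elif strategy == "differential":
            sets.append(set(since_full))
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return sets

def storage_cost(daily_sets):
    """Total files written over the week; the price paid for a shorter restore chain."""
    return sum(len(s) for s in daily_sets)

def restore_chain(strategy, full, daily_sets, day):
    """Backups that must be read to rebuild the file set as of `day` (0-based):
    incremental needs the full plus every incremental up to that day;
    differential needs the full plus only that day's differential."""
    needed = daily_sets[: day + 1] if strategy == "incremental" else [daily_sets[day]]
    files = set(full)
    for captured in needed:
        files |= captured
    return len(needed) + 1, files
```

Restoring Thursday from incrementals touches five backups (full plus four), while the differential restore touches only two, at the cost of roughly double the storage written during the week.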
Question 17: Multi-factor Authentication
Which combination qualifies as multi-factor authentication?
A. Password and security question
B. Smart card and PIN
C. Fingerprint and retina scan
D. Username and password
Correct Answer: B. Smart card and PIN
Explanation: Multi-factor authentication requires two different factor types: something you have (smart card) and something you know (PIN). Option A combines two knowledge factors (password and security question). Option C combines two inherence factors (two biometrics). Option D is single-factor.
Why distractors are wrong: Only B uses two distinct factor types.
Domain 5: Security Program Management and Oversight (Questions 18–20)
Question 18: Business Continuity
Which document outlines procedures to restore critical operations after a disaster?
A. Incident response plan
B. Business continuity plan (BCP)
C. Disaster recovery plan (DRP)
D. Risk assessment
Correct Answer: B. Business continuity plan (BCP)
Explanation: BCP focuses on maintaining business functions during and after a disaster. DRP (C) specifically covers IT recovery. Incident response (A) handles immediate threats.
Why distractors are wrong: BCP is broader than DRP, covering overall operations.
Question 19: Compliance Standard
Which regulation requires breach notification for healthcare data?
A. GDPR
B. PCI DSS
C. HIPAA
D. SOX
Correct Answer: C. HIPAA
Explanation: HIPAA mandates notification for breaches of protected health information (PHI). GDPR (A) covers EU personal data; PCI DSS (B) handles cardholder data; SOX (D) addresses financial reporting.
Why distractors are wrong: Only HIPAA specifically targets healthcare data.
Question 20: Risk Management
A company decides to purchase cyber insurance to cover potential losses. This is an example of:
A. Risk avoidance
B. Risk mitigation
C. Risk transference
D. Risk acceptance
Correct Answer: C. Risk transference
Explanation: Insurance transfers financial risk to a third party. Avoidance (A) eliminates the activity; mitigation (B) reduces impact; acceptance (D) acknowledges risk without action.
Why distractors are wrong: Insurance shifts the financial liability to a third party rather than reducing or eliminating the risk.
Performance-Based Question (PBQ) Example
Scenario: You are a security analyst. A user reports they cannot access a shared folder \\fileserver\data. Review the logs below and identify the most likely cause.
- Log entry 1: 10:00 AM – User jsmith authenticated successfully from workstation WS-12.
- Log entry 2: 10:01 AM – Access denied to \\fileserver\data for jsmith from WS-12.
- Log entry 3: 10:02 AM – Firewall rule Allow-FileShare shows destination port 445 (SMB) allowed from WS-12 to fileserver.
- Log entry 4: 10:03 AM – NTFS permissions on \\fileserver\data show jsmith has “Read” access only.
Task: Identify the issue and recommend a fix.
Answer: The user has only “Read” NTFS permissions but needs write access. The firewall allows traffic, and authentication succeeded. Fix: Modify NTFS permissions to grant jsmith “Modify” or “Full Control” on the folder.
Final Takeaway and Next Steps
These 20 questions mirror the depth and breadth of the SY0-701 exam. Master the “why” behind each answer—CompTIA tests application, not recall. For more practice, including full-length simulations and PBQs, visit Courseiva.com for free Security+ SY0-701 practice questions. Consistent practice with detailed explanations is your fastest path to certification.