Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CAS-004 (Free — No Signup)

Security Operations

Practice CAS-004 Security Operations questions with full explanations on every answer.

147 questions


CAS-004 Domains

Scripting, Containers and Automation
Application Environment, Configuration and Security
Security Architecture
Security Engineering and Cryptography
Security Operations
Governance, Risk, and Compliance
Security Engineering


All CAS-004 Security Operations questions (147)

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

During an incident response engagement, the security team identifies that a compromised host has been communicating with multiple external IP addresses using encrypted channels. The team needs to determine which processes initiated the connections. Which type of evidence collection should be performed first to preserve the most volatile data?

2

A security analyst is investigating a potential advanced persistent threat (APT) that has evaded traditional signature-based defenses. The analyst hypothesizes that the attacker is using a specific technique from the MITRE ATT&CK framework: process injection. Which threat hunting methodology is most appropriate for this scenario?

3

A security operations center (SOC) is implementing a SOAR platform to automate responses to phishing incidents. The playbook will include steps to automatically quarantine suspicious emails, delete them from user mailboxes, and block the sender's domain. Which element should the SOAR playbook incorporate to ensure the automated response does not cause unintended disruption?

4

A vulnerability management team is prioritizing patches for a large number of vulnerabilities discovered in a quarterly scan. A critical vulnerability in a widely used application has a CVSS base score of 9.8, but it is not currently being exploited in the wild and the application is not directly exposed to the internet. According to CVSS scoring principles, which factors should the team consider to adjust the priority?

5

During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which technique is most commonly used for lateral movement in a Windows environment?

6

An organization is deploying deception technology to detect lateral movement by attackers. Which of the following would be the most effective to detect an attacker who has gained access to the internal network and is attempting to move to a sensitive server?

7

A security analyst is reviewing logs from a SIEM and notices that a user account has been successfully authenticated from two different geographic locations within a short time span, which is impossible. The SIEM uses user behavior analytics (UBA). What type of anomaly is this most likely to detect?

8

Which of the following best describes the purpose of the STIX and TAXII standards in threat intelligence sharing?

9

A security team is conducting a penetration test against a client's web application. During the reconnaissance phase, the tester discovers a subdomain that hosts a development version of the application with debug mode enabled. Which type of reconnaissance does this activity represent?

10

During a digital forensics investigation of a compromised Linux server, the investigator needs to preserve the evidence in a forensically sound manner. The server is still running. Which of the following should the investigator do first?

11

Which of the following is a key benefit of using an Extended Detection and Response (XDR) solution over traditional Endpoint Detection and Response (EDR)?

12

A security analyst is using Volatility to analyze a memory dump from a compromised Windows system. The analyst suspects that a rootkit is hiding processes. Which Volatility plugin should the analyst use to detect hidden processes?

13

A security operations team is developing a SOAR playbook to automate response to a detected ransomware outbreak. The team wants to ensure the playbook can contain the threat quickly while minimizing business disruption. Which TWO actions should the playbook include as automated responses? (Select TWO.)

14

A security analyst is reviewing a malware sample in a sandbox environment. The analyst notes that the malware attempts to check for the presence of a debugger and modifies its behavior if one is detected. Additionally, the malware uses encrypted strings and resolves API calls dynamically. Which THREE analysis techniques would be most effective for understanding this malware's capabilities? (Select THREE.)

15

A penetration tester is planning a test for a client that has a critical web application. The rules of engagement specify that the tester must avoid causing a denial of service (DoS). Which THREE actions are appropriate for the tester to include in the scope? (Select THREE.)

16

During a security incident, the incident response team has identified the root cause and removed the threat from all affected systems. Which phase of the incident response lifecycle involves returning systems to normal operation and monitoring for any signs of recurrence?

17

A security analyst is using the MITRE ATT&CK framework to categorize adversary behavior observed in recent incidents. The analyst notes that the adversary used spearphishing with a malicious attachment to gain initial access, then executed a PowerShell script to download additional tools. Which ATT&CK tactic is the PowerShell execution associated with?

18

A security engineer is configuring a SIEM correlation rule to detect a potential data exfiltration attempt. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address that has never been communicated with before, within a 5-minute window. Additionally, the external IP should not be on any whitelist. Which correlation logic best implements this detection?

19

During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which of the following techniques would be most effective for identifying valid credentials that could be reused on the database server?

20

A security analyst is reviewing a suspicious executable file. The analyst performs static analysis by examining the file's strings and imports. Which of the following findings would most strongly suggest the file is packed or obfuscated?

21

An organization's vulnerability management team discovers a critical vulnerability in a legacy application that cannot be patched because the vendor no longer supports it. The application is essential for business operations. Which of the following compensating controls would best reduce the risk of exploitation while maintaining functionality?

22

A security operations center (SOC) analyst is investigating an alert from an EDR tool indicating that a workstation executed a suspicious PowerShell command that decoded a base64 string. The decoded string contained a command to download a file from an external IP address. Which stage of the cyber kill chain does this activity most likely represent?

23

Which of the following is the primary purpose of a honeypot in a security operations environment?

24

During a forensic investigation, an analyst needs to collect volatile data from a compromised Linux server. Which of the following orders of volatility is correct for collecting the listed data?

25

A security analyst is using a SOAR platform to automate response to phishing emails reported by users. The playbook should perform the following actions in order: (1) extract indicators from the email, (2) query threat intelligence feeds for reputation, (3) if malicious, block the sender's domain at the email gateway and delete the email from all user inboxes. Which type of playbook step is most appropriate for step 3?

26

An organization is implementing a threat hunting program. The team decides to use a hypothesis-driven approach. Which of the following best describes this methodology?

27

Which of the following is the primary advantage of using STIX and TAXII for threat intelligence sharing?

28

A security analyst is conducting a penetration test for a client. The rules of engagement specify that no social engineering is allowed. Which TWO of the following reconnaissance techniques are permitted under these rules?

29

During a digital forensics investigation, an analyst is examining a Windows system suspected of being compromised. Which THREE of the following artifacts would be most useful for determining the timeline of the attack?

30

A security operations center (SOC) is implementing User Behavior Analytics (UBA) to detect insider threats. Which TWO of the following data sources are most critical for establishing a baseline of normal user behavior?

31

A security analyst is investigating a phishing campaign targeting the organization. The threat intelligence team has provided indicators such as email subject lines, sender domains, and attachment hashes. However, the analyst notices that these IOCs change rapidly and are only effective for a short period. Which type of threat intelligence would provide more durable and actionable information for defending against this campaign?

32

During an incident response, a forensic analyst captures the memory of a compromised Windows system. Using Volatility, the analyst runs the 'pslist' command and sees a suspicious process 'svchost.exe' with a parent process 'explorer.exe'. Which Volatility plugin should the analyst use next to detect potential process hollowing?

33

A vulnerability management team is prioritizing patches for a set of critical vulnerabilities. Vulnerability A has a CVSS base score of 9.8, vulnerability B has a CVSS base score of 7.5, and vulnerability C has a CVSS base score of 8.2. However, vulnerability B is actively being exploited in the wild, while the others are not. Which vulnerability should be patched first according to best practices?

34

An organization needs to ensure that evidence collected during a forensic investigation remains intact and admissible in court. Which process is most critical for maintaining the integrity of digital evidence?

35

A security operations center (SOC) analyst receives an alert from the SIEM indicating a user has logged into the corporate VPN from an unusual geographic location at 3 AM, which is outside the user's normal working hours. The user has not previously exhibited this behavior. Which advanced SIEM capability is most likely responsible for generating this alert?

36

A penetration tester is performing an assessment of a web application. During reconnaissance, the tester discovers a publicly accessible Jenkins server with default credentials. The tester gains access and finds a build job that executes arbitrary commands. What is the most effective way for the tester to escalate privileges and move laterally within the network?

37

An organization wants to detect and respond to advanced threats that may evade traditional endpoint security solutions. They deploy an EDR solution that provides real-time visibility into endpoint activities. However, the security team is overwhelmed by alerts. Which technology can be integrated with EDR to automate response actions and reduce alert fatigue?

38

A security analyst is investigating a malware sample found on a workstation. The analyst wants to determine the malware's capabilities without executing it. Which type of malware analysis involves examining the binary's strings, headers, and structure?

39

During a penetration test, the tester has obtained a foothold on an internal server. The tester wants to identify other systems on the network and find potential targets for lateral movement. Which type of reconnaissance is MOST appropriate in this scenario?

40

A security engineer is implementing deception technology to detect lateral movement by adversaries. Which type of deception resource would be MOST effective for capturing adversary credential harvesting activities on a network segment that contains no real domain controllers?

41

An organization is unable to patch a critical vulnerability in a legacy application due to vendor limitations. The risk assessment indicates a high likelihood of exploitation. Which compensating control should the organization implement to reduce the risk?

42

A security analyst is reviewing a SIEM alert that indicates a user's credentials were used to log in from two different countries within a span of 10 minutes. This is likely an indicator of what type of attack?

43

A security operations team is designing a threat hunting program. They want to use the MITRE ATT&CK framework to structure their hunts. Which TWO components of the ATT&CK framework should they focus on to develop hypothesis-driven hunts? (Select TWO.)

44

A security engineer is reviewing the results of a penetration test. The tester successfully exploited a vulnerability in a web application and escalated privileges to domain admin. Which THREE of the following findings should be included in the technical report to provide actionable remediation steps? (Select THREE.)

45

A SOC analyst is investigating a potential data exfiltration incident. The analyst suspects that an attacker used DNS tunneling to exfiltrate data. Which THREE network traffic indicators would support this hypothesis? (Select THREE.)

46

During a threat hunting exercise, a security analyst hypothesizes that an adversary is using PowerShell to execute malicious scripts. Which approach is the analyst employing?

47

An organization uses a SIEM to collect logs from multiple sources. The security team wants to identify users who are accessing resources outside of normal business hours and exhibiting unusual data transfer patterns. Which advanced SIEM capability would be most effective?

48

A security analyst is performing incident response and needs to collect evidence from a live system. Which of the following should be collected first to preserve volatile data?

49

During a penetration test, the tester has gained initial access to a network and now aims to move laterally to a sensitive database server. Which phase of the penetration testing lifecycle does this activity represent?

50

An organization discovers a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. Which of the following is the BEST compensating control to reduce risk?

51

A security analyst is investigating a malware sample and wants to determine its capabilities without executing it. The analyst examines the binary's imports, strings, and structure. What type of analysis is being performed?

52

Which component of the MITRE ATT&CK framework categorizes the 'why' of an adversary's action, such as initial access or credential access?

53

A SOC team receives an alert from a SOAR platform indicating a potential phishing email. The SOAR playbook automatically quarantines the email, blocks the sender, and opens a ticket. This is an example of which SOAR capability?

54

An organization wants to detect attackers who have already breached the network by deploying decoy credentials and data files. Which type of deception technology should they use?

55

A security analyst is analyzing a memory dump using Volatility. The analyst wants to list all running processes and identify any hidden processes. Which Volatility plugin should be used?

56

A security team is preparing for a penetration test. Which document defines the scope, rules, and restrictions for the test?

57

A vulnerability has a CVSS base score of 9.8. The vulnerability is present on a server that is not exposed to the internet but is accessible to internal users with valid credentials. Which CVSS metric should be adjusted to reflect the reduced risk?

58

A security analyst is triaging a suspicious file. The analyst wants to perform static analysis to gather initial information. Which TWO of the following are static analysis techniques?

59

During an incident response, a team is prioritizing containment actions. Which THREE of the following actions should be taken to contain the incident effectively?

60

A security analyst is reviewing CVSS scores for vulnerability prioritization. Which TWO of the following are component metric groups in CVSS v3?

61

A security analyst is reviewing a suspicious file. Which static analysis technique would the analyst use to examine the file without executing it?

62

During an incident response, a security analyst identifies a previously unknown malware variant. Which type of threat intelligence feed would provide the most timely and structured information about this threat?

63

A security operations center (SOC) analyst is tuning a SIEM correlation rule to detect a known attack pattern that involves multiple failed logins followed by a successful login from a different IP address. Which approach best reduces false positives while maintaining detection effectiveness?

64

A security analyst is conducting a threat hunt based on the hypothesis that an adversary may have used PowerShell to execute malicious scripts. Which threat hunting methodology is being employed?

65

Which phase of the incident response lifecycle involves removing the threat from the environment and restoring systems to normal operations?

66

A penetration tester is performing a test against a web application. The rules of engagement prohibit any denial of service (DoS) attacks. Which of the following actions is most likely prohibited by this restriction?

67

An organization uses an EDR solution and wants to detect ransomware that encrypts files and then deletes volume shadow copies. Which EDR detection technique would be most effective for this behavior?

68

During a vulnerability assessment, a security analyst discovers a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. Which compensating control would best mitigate the risk?

69

A security analyst is collecting evidence from a compromised workstation. Which of the following should be collected first to preserve volatile data?

70

A SOC team is implementing a SOAR playbook to automate response to phishing emails reported by users. Which step should be included in the playbook to prevent other users from accessing the malicious link?

71

An analyst is examining a memory dump with Volatility and finds a suspicious process that has no parent process (parent PID 0). Which technique is the malware likely using to hide?

72

Which CVSS metric component is used to reflect the impact of a vulnerability based on the specific environment of an organization?

73

A security operations team is implementing deception technology to detect lateral movement. Which TWO of the following are examples of deception technologies? (Select TWO.)

74

A penetration tester is performing reconnaissance against a target. Which TWO of the following are examples of active reconnaissance? (Select TWO.)

75

A security analyst is using the MITRE ATT&CK framework to map adversarial behaviors. Which THREE of the following are tactics defined by ATT&CK? (Select THREE.)

76

A security analyst is reviewing a suspicious process that has been identified on an endpoint. The analyst wants to determine if the process has any network connections and what data it might be sending. Which tool is most appropriate for analyzing the memory of the affected system to identify network connections and potential data exfiltration?

77

During an incident response, the team identifies that an attacker gained initial access via a phishing email containing a malicious macro. The macro downloaded a payload from a remote server. Which phase of the incident response lifecycle is currently being executed when the team identifies the phishing email as the attack vector?

78

An organization wants to share threat intelligence with industry peers using a standardized format. Which of the following formats is specifically designed for representing structured threat information in a machine-readable way?

79

A security operations center (SOC) analyst is tuning a SIEM correlation rule to detect lateral movement using pass-the-hash attacks. The analyst wants to minimize false positives while ensuring detection of true positives. Which approach is most effective for reducing false positives in this scenario?

80

During a penetration test, the tester successfully gains access to a web server and wants to escalate privileges to domain administrator. The tester discovers that the web server has a service account that is a member of the local administrators group. Which technique would the tester most likely use to move laterally to a domain controller?

81

A security analyst is investigating a potential malware infection on a user's workstation. The analyst wants to examine the file system for any suspicious files without altering the original data. Which forensic principle is the analyst following?

82

A SOC team is implementing a SOAR platform to automate responses to phishing emails. The team wants to create a playbook that, upon detection of a phishing email, automatically quarantines the email from all mailboxes and blocks the sender's domain. Which type of playbook action is being described?

83

An organization has a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. The application is required for business operations and is accessible only from the internal network. Which compensating control would best reduce the risk of exploitation while maintaining availability?

84

A threat hunter is looking for signs of a ransomware attack that encrypts files and drops a ransom note. The hunter decides to search for processes that have modified many files in a short period. Which threat hunting methodology is being used?

85

An organization wants to deploy a technology that lures attackers into a controlled environment to observe their tactics, techniques, and procedures (TTPs). Which deception technology should the organization implement?

86

During a malware analysis, an analyst runs a suspicious binary in a sandbox and observes that it attempts to communicate with a known malicious IP address, modifies registry keys, and creates a service. The analyst then extracts strings from the binary and finds references to a specific C2 server. Which analysis phase does the extraction of strings represent?

87

A security analyst is reviewing CVSS scores for vulnerabilities in the environment. A vulnerability has a base score of 9.0, but the organization has a compensating control that reduces the likelihood of exploitation. The analyst adjusts the score to 6.0 for prioritization. Which CVSS metric group did the analyst modify?

88

A security team is implementing a threat intelligence program and wants to consume intelligence from various sources. Which TWO of the following are commonly used threat intelligence feeds or sharing mechanisms? (Select TWO.)

89

An incident response team is handling a ransomware incident. The team has successfully contained the threat and is now in the eradication phase. Which THREE actions are appropriate for the eradication phase? (Select THREE.)

90

A penetration tester is planning a test against a web application. The rules of engagement specify that the tester must not disrupt production services. Which TWO reconnaissance techniques are considered passive and would be appropriate for initial information gathering without impacting the target? (Select TWO.)

91

A security analyst is reviewing threat intelligence feeds and notices indicators from a known APT group. Which threat intelligence sharing standard is most commonly used to structure and share such cyber threat information in a machine-readable format?

92

During a security incident, a forensic investigator needs to acquire volatile data from a compromised server. Which of the following is the correct order for collecting volatile data according to the standard digital forensics process?

93

A security operations center (SOC) analyst is investigating a potential malware infection on a workstation. The analyst wants to perform static analysis on a suspicious executable. Which tool or technique is most appropriate for examining the executable without executing it?

94

A SOC analyst is tuning a SIEM correlation rule to detect lateral movement. The rule currently triggers on a single failed authentication followed by a successful authentication from a new IP address within 5 minutes. Which improvement would best reduce false positives while maintaining detection of pass-the-hash attacks?

95

A penetration tester is performing a test against a web application. During active reconnaissance, the tester discovers that the application discloses version numbers in HTTP headers. Which phase of the penetration testing lifecycle does this activity belong to?

96

A security team is implementing deception technology to detect attackers inside the network. They plan to deploy fake systems that appear vulnerable and attract attackers. Which of the following is an example of a honeytoken?

97

A vulnerability management team is prioritizing patches for a large enterprise. They have identified a critical vulnerability in a widely used software with a CVSS base score of 9.8. However, the exploit requires local access and authentication. Which CVSS metric should the team use to adjust the score to reflect the actual risk in their environment?

98

During a threat hunting exercise, a hunter uses the MITRE ATT&CK framework to identify a series of behaviors: an attacker used PowerShell to download a payload, then created a scheduled task for persistence, and finally performed credential dumping via LSASS. Which ATT&CK tactic is associated with the credential dumping technique?

99

A security analyst is analyzing a memory dump from a compromised host using Volatility. Which Volatility plugin would be most useful to identify a malicious process that is hidden from the standard process listing?

100

An organization is developing a SOAR playbook to handle phishing emails reported by users. Which of the following actions is most appropriate to automate in the first step of the playbook?

101

During a penetration test, the tester gains access to a web server and wants to escalate privileges to root. The tester discovers that the web application runs with a service account that has the SeImpersonatePrivilege enabled. Which attack is most likely to succeed for privilege escalation?

102

A security team is evaluating an EDR solution. Which of the following capabilities is a primary differentiator between EDR and traditional antivirus?

103

A SOC analyst is investigating a potential data exfiltration incident. The analyst suspects that an insider is using encrypted tunnels to transfer data. Which TWO of the following network traffic analysis (NTA) indicators are most likely to suggest encrypted exfiltration? (Choose two.)

104

A senior security architect is designing a detection strategy for advanced persistent threats (APTs) that employ living-off-the-land (LotL) techniques. Which THREE of the following approaches are most effective for detecting LotL activities? (Choose three.)

105

A security analyst is reviewing a CVSS score for a vulnerability that affects a critical server. The base score is 7.5, but the analyst needs to adjust for the environment. Which TWO of the following are valid CVSS environmental metrics that can modify the score? (Choose two.)

106

A security analyst is reviewing threat intelligence feeds and notices that a known Advanced Persistent Threat (APT) group has been using a specific technique to move laterally within networks. The analyst wants to map this technique to the MITRE ATT&CK framework. Which resource would the analyst use to find the corresponding ATT&CK technique ID?

107

During an incident response engagement, the team has completed containment and eradication. What is the next phase in the incident response lifecycle according to NIST SP 800-61?

108

A SOC analyst is investigating a suspicious process that is making outbound connections to an unknown IP address. The analyst wants to examine the process memory for injected code. Which Volatility plugin is most appropriate for detecting code injection by listing all Virtual Address Descriptors (VADs) that are mapped as executable and writable?

109

An organization is implementing a SOAR solution to automate responses to common incidents. They want to create a playbook for phishing email handling. Which of the following actions should be automated in the playbook after a user reports a suspicious email?

110

A vulnerability scanner reports a critical vulnerability on a critical server with a CVSS v3.1 base score of 9.8. The server cannot be patched immediately due to vendor constraints. Which of the following should the security team implement as a compensating control?

111

A penetration tester is in the post-exploitation phase and wants to maintain access to a compromised system. Which of the following techniques is most effective for establishing persistent access while evading detection?

112

An incident responder is analyzing a malware sample obtained from an infected host. The responder wants to perform dynamic analysis to observe the malware's behavior in a safe environment. Which of the following is the best approach?

113

A security analyst is tuning the SIEM and wants to create a correlation rule that detects potential lateral movement using pass-the-hash attacks. Which log sources are most essential for detecting this technique?

114

An organization wants to collect threat intelligence from multiple Information Sharing and Analysis Centers (ISACs) relevant to their industry. Which of the following is a primary benefit of participating in an ISAC?

115

A digital forensics investigator is called to the scene of a potential data breach. The investigator must collect evidence from a live Windows system. Which of the following represents the correct order of volatility when collecting volatile data?

116

A SOC analyst is investigating an alert from the EDR system indicating that a user's workstation made multiple failed login attempts to a sensitive server, followed by a successful login from an unusual IP address. The analyst suspects a brute force attack. Which type of threat hunting methodology is being used?

117

During a penetration test, the tester has gained initial access to a system and wants to escalate privileges. Which of the following techniques is most likely to be effective for privilege escalation on a Windows system?

118

A security architect is designing deception technologies to detect and delay attackers. Which TWO of the following are examples of deception technologies that can be deployed? Select TWO.

119

A threat intelligence analyst is profiling a threat actor that has been targeting the energy sector. Which THREE of the following attributes are most important to include in a threat actor profile? Select THREE.

120

A penetration tester is preparing for an engagement and must define the rules of engagement (ROE) with the client. Which TWO of the following should be included in the ROE? Select TWO.

121

During a threat hunting exercise, a security analyst hypothesizes that adversaries may be using PowerShell to execute commands in memory. Which threat hunting methodology is being employed?

122

A security analyst receives an alert from the SIEM indicating multiple failed logon attempts from an external IP address followed by a successful logon for a domain admin account. Which phase of the incident response lifecycle is the analyst currently in?

123

During a digital forensics investigation, an analyst needs to acquire the contents of RAM from a compromised server. Which order of volatility should the analyst follow?

124

A security team is analyzing a suspicious binary using static analysis. They run the strings command and observe references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique is the binary likely employing?

125

A company uses a SIEM with User Behavior Analytics (UBA). The UBA generates an alert when a user accesses sensitive data at unusual hours. Which type of correlation rule is being applied?

126

A security analyst receives an alert from the SIEM indicating a potential phishing email with a malicious attachment. The analyst wants to automatically isolate the affected endpoint and block the sender. Which technology should be used to automate this response?

127

A vulnerability scanner reports a critical vulnerability with a CVSS base score of 9.8 on a public-facing web server. However, the server has a compensating control: a Web Application Firewall (WAF) that blocks exploit attempts. How should the security team prioritize patching this vulnerability?

128

During a penetration test, the tester successfully gains initial access to a web server and wants to move laterally to a database server. The web server uses a service account that has local admin rights on the database server. What is the most effective technique for lateral movement in this scenario?

129

An organization deploys honeypots to detect attackers. Which type of deception technology is being used?

130

A security analyst is reviewing a suspicious email reported by a user. The email contains an attachment named 'invoice.pdf.exe'. Which type of malware analysis technique should the analyst perform first to determine if the file is malicious?

131

During a red team exercise, the team gains access to a workstation and needs to maintain persistence. They modify a registry run key to execute a payload. However, the organization uses EDR that monitors registry changes. Which technique could the red team use to avoid detection?

132

A company's incident response team is conducting a post-incident review. They identify that the intrusion was not detected for 72 hours due to insufficient logging on critical servers. Which phase of the incident response lifecycle should be improved to address this gap?

133

A security analyst is investigating a potential data exfiltration incident. The analyst needs to preserve evidence for legal proceedings. Which two actions must the analyst take to maintain the chain of custody? (Select TWO).

134

A penetration tester is conducting a black-box test on a web application. The tester wants to gather information about the target without directly interacting with the target systems. Which three techniques are considered passive reconnaissance? (Select THREE).

135

A security operations center (SOC) is evaluating a new EDR solution. Which three capabilities are essential for effective endpoint detection and response? (Select THREE).

136

During a security incident, a SOC analyst identifies a process with a suspicious hash on several endpoints. The analyst wants to determine if this hash is known to be malicious by querying internal and external threat intelligence sources. Which standard should the analyst use to structure the threat intelligence data for automated sharing?

137

A security analyst is investigating a potential data exfiltration incident. The analyst has collected a memory dump from the affected server. Which Volatility command should the analyst use to extract the contents of the clipboard, which may contain copied sensitive data?

138

A SOC team is implementing a SOAR playbook to automate the response to phishing emails reported by users. The playbook should perform initial triage and, if the email is determined to be malicious, take containment actions. Which TWO of the following actions should be included in the playbook? (Choose TWO.)

139

An organization is implementing a vulnerability management program and needs to prioritize patching based on risk. The team has identified multiple vulnerabilities with different CVSS scores. Which THREE factors should be considered when prioritizing patches according to CVSS environmental metrics? (Choose THREE.)

140

A penetration tester is conducting a test against a web application. The client has defined rules of engagement that prohibit any denial of service attacks. The tester discovers an endpoint that is vulnerable to command injection. Which THREE of the following actions should the tester take to validate the vulnerability while staying within scope? (Choose THREE.)

141

During an incident response, a forensic examiner is collecting evidence from a compromised Windows workstation. The examiner must follow proper order of volatility to preserve potential evidence. Which THREE of the following items should be collected first, before the others? (Choose THREE.)

142

A security team is deploying deception technology to detect lateral movement within the network. They plan to use honeypots configured to mimic critical servers. Which TWO of the following are essential considerations for the honeypot deployment to be effective? (Choose TWO.)

143

An organization is implementing a threat hunting program. The team plans to use the MITRE ATT&CK framework to structure their hunts. Which THREE of the following are core components of the ATT&CK framework? (Choose THREE.)

144

A security analyst is investigating a potential advanced persistent threat (APT) that has been evading traditional detection. The analyst decides to use User and Entity Behavior Analytics (UEBA) to identify anomalous activity. Which TWO of the following activities would be most indicative of a potential compromise when analyzed through UEBA? (Choose TWO.)

145

A company's incident response team is developing a playbook for ransomware incidents. The playbook should cover the preparation phase. Which THREE of the following are appropriate preparation activities? (Choose THREE.)

146

A security team is evaluating endpoint detection and response (EDR) solutions. They want a solution that can detect fileless malware and malicious PowerShell scripts. Which TWO capabilities should the team prioritize? (Choose TWO.)

147

During a penetration test, the tester has gained initial access to a web server and wants to perform lateral movement to reach a database server. The tester enumerates the network and finds that the web server has two network interfaces: one connected to a DMZ and one to an internal network. The database server is on the internal network. Which TWO techniques could the tester use to pivot from the web server to the database server? (Choose TWO.)


Frequently asked questions

What does the Security Operations domain cover on the CAS-004 exam?

The Security Operations domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.

How many Security Operations questions are in the CAS-004 question bank?

The Courseiva CAS-004 question bank contains 147 questions in the Security Operations domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Operations for CAS-004?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Operations questions for CAS-004?

Yes — the session launcher on this page draws questions exclusively from the Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
