Practice CAS-004 Security Operations questions with full explanations on every answer.
1. During an incident response engagement, the security team identifies that a compromised host has been communicating with multiple external IP addresses using encrypted channels. The team needs to determine which processes initiated the connections. Which type of evidence collection should be performed first to preserve the most volatile data?
2. A security analyst is investigating a potential advanced persistent threat (APT) that has evaded traditional signature-based defenses. The analyst hypothesizes that the attacker is using a specific technique from the MITRE ATT&CK framework: process injection. Which threat hunting methodology is most appropriate for this scenario?
3. A security operations center (SOC) is implementing a SOAR platform to automate responses to phishing incidents. The playbook will include steps to automatically quarantine suspicious emails, delete them from user mailboxes, and block the sender's domain. Which element should the SOAR playbook incorporate to ensure the automated response does not cause unintended disruption?
4. A vulnerability management team is prioritizing patches for a large number of vulnerabilities discovered in a quarterly scan. A critical vulnerability in a widely used application has a CVSS base score of 9.8, but it is not currently being exploited in the wild and the application is not directly exposed to the internet. According to CVSS scoring principles, which factors should the team consider to adjust the priority?
5. During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which technique is most commonly used for lateral movement in a Windows environment?
6. An organization is deploying deception technology to detect lateral movement by attackers. Which of the following would be the most effective to detect an attacker who has gained access to the internal network and is attempting to move to a sensitive server?
7. A security analyst is reviewing logs from a SIEM and notices that a user account has been successfully authenticated from two different geographic locations within a short time span, which is impossible. The SIEM uses user behavior analytics (UBA). What type of anomaly is this most likely to detect?
8. Which of the following best describes the purpose of the STIX and TAXII standards in threat intelligence sharing?
9. A security team is conducting a penetration test against a client's web application. During the reconnaissance phase, the tester discovers a subdomain that hosts a development version of the application with debug mode enabled. Which type of reconnaissance does this activity represent?
10. During a digital forensics investigation of a compromised Linux server, the investigator needs to preserve the evidence in a forensically sound manner. The server is still running. Which of the following should the investigator do first?
11. Which of the following is a key benefit of using an Extended Detection and Response (XDR) solution over traditional Endpoint Detection and Response (EDR)?
12. A security analyst is using Volatility to analyze a memory dump from a compromised Windows system. The analyst suspects that a rootkit is hiding processes. Which Volatility plugin should the analyst use to detect hidden processes?
13. A security operations team is developing a SOAR playbook to automate response to a detected ransomware outbreak. The team wants to ensure the playbook can contain the threat quickly while minimizing business disruption. Which TWO actions should the playbook include as automated responses? (Select TWO.)
14. A security analyst is reviewing a malware sample in a sandbox environment. The analyst notes that the malware attempts to check for the presence of a debugger and modifies its behavior if one is detected. Additionally, the malware uses encrypted strings and resolves API calls dynamically. Which THREE analysis techniques would be most effective for understanding this malware's capabilities? (Select THREE.)
15. A penetration tester is planning a test for a client that has a critical web application. The rules of engagement specify that the tester must avoid causing a denial of service (DoS). Which THREE actions are appropriate for the tester to include in the scope? (Select THREE.)
16. During a security incident, the incident response team has identified the root cause and removed the threat from all affected systems. Which phase of the incident response lifecycle involves returning systems to normal operation and monitoring for any signs of recurrence?
17. A security analyst is using the MITRE ATT&CK framework to categorize adversary behavior observed in recent incidents. The analyst notes that the adversary used spearphishing with a malicious attachment to gain initial access, then executed a PowerShell script to download additional tools. Which ATT&CK tactic is the PowerShell execution associated with?
18. A security engineer is configuring a SIEM correlation rule to detect a potential data exfiltration attempt. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address that has never been communicated with before, within a 5-minute window. Additionally, the external IP should not be on any whitelist. Which correlation logic best implements this detection?
19. During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which of the following techniques would be most effective for identifying valid credentials that could be reused on the database server?
20. A security analyst is reviewing a suspicious executable file. The analyst performs static analysis by examining the file's strings and imports. Which of the following findings would most strongly suggest the file is packed or obfuscated?
21. An organization's vulnerability management team discovers a critical vulnerability in a legacy application that cannot be patched because the vendor no longer supports it. The application is essential for business operations. Which of the following compensating controls would best reduce the risk of exploitation while maintaining functionality?
22. A security operations center (SOC) analyst is investigating an alert from an EDR tool indicating that a workstation executed a suspicious PowerShell command that decoded a base64 string. The decoded string contained a command to download a file from an external IP address. Which stage of the cyber kill chain does this activity most likely represent?
23. Which of the following is the primary purpose of a honeypot in a security operations environment?
24. During a forensic investigation, an analyst needs to collect volatile data from a compromised Linux server. Which of the following orders of volatility is correct for collecting the listed data?
25. A security analyst is using a SOAR platform to automate response to phishing emails reported by users. The playbook should perform the following actions in order: (1) extract indicators from the email, (2) query threat intelligence feeds for reputation, (3) if malicious, block the sender's domain at the email gateway and delete the email from all user inboxes. Which type of playbook step is most appropriate for step 3?
26. An organization is implementing a threat hunting program. The team decides to use a hypothesis-driven approach. Which of the following best describes this methodology?
27. Which of the following is the primary advantage of using STIX and TAXII for threat intelligence sharing?
28. A security analyst is conducting a penetration test for a client. The rules of engagement specify that no social engineering is allowed. Which TWO of the following reconnaissance techniques are permitted under these rules?
29. During a digital forensics investigation, an analyst is examining a Windows system suspected of being compromised. Which THREE of the following artifacts would be most useful for determining the timeline of the attack?
30. A security operations center (SOC) is implementing User Behavior Analytics (UBA) to detect insider threats. Which TWO of the following data sources are most critical for establishing a baseline of normal user behavior?
31. A security analyst is investigating a phishing campaign targeting the organization. The threat intelligence team has provided indicators such as email subject lines, sender domains, and attachment hashes. However, the analyst notices that these IOCs change rapidly and are only effective for a short period. Which type of threat intelligence would provide more durable and actionable information for defending against this campaign?
32. During an incident response, a forensic analyst captures the memory of a compromised Windows system. Using Volatility, the analyst runs the 'pslist' command and sees a suspicious process 'svchost.exe' with a parent process 'explorer.exe'. Which Volatility plugin should the analyst use next to detect potential process hollowing?
33. A vulnerability management team is prioritizing patches for a set of critical vulnerabilities. Vulnerability A has a CVSS base score of 9.8, vulnerability B has a CVSS base score of 7.5, and vulnerability C has a CVSS base score of 8.2. However, vulnerability B is actively being exploited in the wild, while the others are not. Which vulnerability should be patched first according to best practices?
34. An organization needs to ensure that evidence collected during a forensic investigation remains intact and admissible in court. Which process is most critical for maintaining the integrity of digital evidence?
35. A security operations center (SOC) analyst receives an alert from the SIEM indicating a user has logged into the corporate VPN from an unusual geographic location at 3 AM, which is outside the user's normal working hours. The user has not previously exhibited this behavior. Which advanced SIEM capability is most likely responsible for generating this alert?
36. A penetration tester is performing an assessment of a web application. During reconnaissance, the tester discovers a publicly accessible Jenkins server with default credentials. The tester gains access and finds a build job that executes arbitrary commands. What is the most effective way for the tester to escalate privileges and move laterally within the network?
37. An organization wants to detect and respond to advanced threats that may evade traditional endpoint security solutions. They deploy an EDR solution that provides real-time visibility into endpoint activities. However, the security team is overwhelmed by alerts. Which technology can be integrated with EDR to automate response actions and reduce alert fatigue?
38. A security analyst is investigating a malware sample found on a workstation. The analyst wants to determine the malware's capabilities without executing it. Which type of malware analysis involves examining the binary's strings, headers, and structure?
39. During a penetration test, the tester has obtained a foothold on an internal server. The tester wants to identify other systems on the network and find potential targets for lateral movement. Which type of reconnaissance is MOST appropriate in this scenario?
40. A security engineer is implementing deception technology to detect lateral movement by adversaries. Which type of deception resource would be MOST effective for capturing adversary credential harvesting activities on a network segment that contains no real domain controllers?
41. An organization is unable to patch a critical vulnerability in a legacy application due to vendor limitations. The risk assessment indicates a high likelihood of exploitation. Which compensating control should the organization implement to reduce the risk?
42. A security analyst is reviewing a SIEM alert that indicates a user's credentials were used to log in from two different countries within a span of 10 minutes. This is likely an indicator of what type of attack?
43. A security operations team is designing a threat hunting program. They want to use the MITRE ATT&CK framework to structure their hunts. Which TWO components of the ATT&CK framework should they focus on to develop hypothesis-driven hunts? (Select TWO.)
44. A security engineer is reviewing the results of a penetration test. The tester successfully exploited a vulnerability in a web application and escalated privileges to domain admin. Which THREE of the following findings should be included in the technical report to provide actionable remediation steps? (Select THREE.)
45. A SOC analyst is investigating a potential data exfiltration incident. The analyst suspects that an attacker used DNS tunneling to exfiltrate data. Which THREE network traffic indicators would support this hypothesis? (Select THREE.)
46. During a threat hunting exercise, a security analyst hypothesizes that an adversary is using PowerShell to execute malicious scripts. Which approach is the analyst employing?
47. An organization uses a SIEM to collect logs from multiple sources. The security team wants to identify users who are accessing resources outside of normal business hours and exhibiting unusual data transfer patterns. Which advanced SIEM capability would be most effective?
48. A security analyst is performing incident response and needs to collect evidence from a live system. Which of the following should be collected first to preserve volatile data?
49. During a penetration test, the tester has gained initial access to a network and now aims to move laterally to a sensitive database server. Which phase of the penetration testing lifecycle does this activity represent?
50. An organization discovers a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. Which of the following is the BEST compensating control to reduce risk?
51. A security analyst is investigating a malware sample and wants to determine its capabilities without executing it. The analyst examines the binary's imports, strings, and structure. What type of analysis is being performed?
52. Which component of the MITRE ATT&CK framework categorizes the 'why' of an adversary's action, such as initial access or credential access?
53. A SOC team receives an alert from a SOAR platform indicating a potential phishing email. The SOAR playbook automatically quarantines the email, blocks the sender, and opens a ticket. This is an example of which SOAR capability?
54. An organization wants to detect attackers who have already breached the network by deploying decoy credentials and data files. Which type of deception technology should they use?
55. A security analyst is analyzing a memory dump using Volatility. The analyst wants to list all running processes and identify any hidden processes. Which Volatility plugin should be used?
56. A security team is preparing for a penetration test. Which document defines the scope, rules, and restrictions for the test?
57. A vulnerability has a CVSS base score of 9.8. The vulnerability is present on a server that is not exposed to the internet but is accessible to internal users with valid credentials. Which CVSS metric should be adjusted to reflect the reduced risk?
58. A security analyst is triaging a suspicious file. The analyst wants to perform static analysis to gather initial information. Which TWO of the following are static analysis techniques?
59. During an incident response, a team is prioritizing containment actions. Which THREE of the following actions should be taken to contain the incident effectively?
60. A security analyst is reviewing CVSS scores for vulnerability prioritization. Which TWO of the following are component metric groups in CVSS v3?
61. A security analyst is reviewing a suspicious file. Which static analysis technique would the analyst use to examine the file without executing it?
62. During an incident response, a security analyst identifies a previously unknown malware variant. Which type of threat intelligence feed would provide the most timely and structured information about this threat?
63. A security operations center (SOC) analyst is tuning a SIEM correlation rule to detect a known attack pattern that involves multiple failed logins followed by a successful login from a different IP address. Which approach best reduces false positives while maintaining detection effectiveness?
64. A security analyst is conducting a threat hunt based on the hypothesis that an adversary may have used PowerShell to execute malicious scripts. Which threat hunting methodology is being employed?
65. Which phase of the incident response lifecycle involves removing the threat from the environment and restoring systems to normal operations?
66. A penetration tester is performing a test against a web application. The rules of engagement prohibit any denial of service (DoS) attacks. Which of the following actions is most likely prohibited by this restriction?
67. An organization uses an EDR solution and wants to detect ransomware that encrypts files and then deletes volume shadow copies. Which EDR detection technique would be most effective for this behavior?
68. During a vulnerability assessment, a security analyst discovers a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. Which compensating control would best mitigate the risk?
69. A security analyst is collecting evidence from a compromised workstation. Which of the following should be collected first to preserve volatile data?
70. A SOC team is implementing a SOAR playbook to automate response to phishing emails reported by users. Which step should be included in the playbook to prevent other users from accessing the malicious link?
71. An analyst is examining a memory dump with Volatility and finds a suspicious process that has no parent process (parent PID 0). Which technique is the malware likely using to hide?
72. Which CVSS metric component is used to reflect the impact of a vulnerability based on the specific environment of an organization?
73. A security operations team is implementing deception technology to detect lateral movement. Which TWO of the following are examples of deception technologies? (Select TWO.)
74. A penetration tester is performing reconnaissance against a target. Which TWO of the following are examples of active reconnaissance? (Select TWO.)
75. A security analyst is using the MITRE ATT&CK framework to map adversarial behaviors. Which THREE of the following are tactics defined by ATT&CK? (Select THREE.)
76. A security analyst is reviewing a suspicious process that has been identified on an endpoint. The analyst wants to determine if the process has any network connections and what data it might be sending. Which tool is most appropriate for analyzing the memory of the affected system to identify network connections and potential data exfiltration?
77. During an incident response, the team identifies that an attacker gained initial access via a phishing email containing a malicious macro. The macro downloaded a payload from a remote server. Which phase of the incident response lifecycle is currently being executed when the team identifies the phishing email as the attack vector?
78. An organization wants to share threat intelligence with industry peers using a standardized format. Which of the following formats is specifically designed for representing structured threat information in a machine-readable way?
79. A security operations center (SOC) analyst is tuning a SIEM correlation rule to detect lateral movement using pass-the-hash attacks. The analyst wants to minimize false positives while ensuring detection of true positives. Which approach is most effective for reducing false positives in this scenario?
80. During a penetration test, the tester successfully gains access to a web server and wants to escalate privileges to domain administrator. The tester discovers that the web server has a service account that is a member of the local administrators group. Which technique would the tester most likely use to move laterally to a domain controller?
81. A security analyst is investigating a potential malware infection on a user's workstation. The analyst wants to examine the file system for any suspicious files without altering the original data. Which forensic principle is the analyst following?
82. A SOC team is implementing a SOAR platform to automate responses to phishing emails. The team wants to create a playbook that, upon detection of a phishing email, automatically quarantines the email from all mailboxes and blocks the sender's domain. Which type of playbook action is being described?
83. An organization has a critical vulnerability in a legacy application that cannot be patched due to vendor end-of-life. The application is required for business operations and is accessible only from the internal network. Which compensating control would best reduce the risk of exploitation while maintaining availability?
84. A threat hunter is looking for signs of a ransomware attack that encrypts files and drops a ransom note. The hunter decides to search for processes that have modified many files in a short period. Which threat hunting methodology is being used?
85. An organization wants to deploy a technology that lures attackers into a controlled environment to observe their tactics, techniques, and procedures (TTPs). Which deception technology should the organization implement?
86. During a malware analysis, an analyst runs a suspicious binary in a sandbox and observes that it attempts to communicate with a known malicious IP address, modifies registry keys, and creates a service. The analyst then extracts strings from the binary and finds references to a specific C2 server. Which analysis phase does the extraction of strings represent?
87. A security analyst is reviewing CVSS scores for vulnerabilities in the environment. A vulnerability has a base score of 9.0, but the organization has a compensating control that reduces the likelihood of exploitation. The analyst adjusts the score to 6.0 for prioritization. Which CVSS metric group did the analyst modify?
88. A security team is implementing a threat intelligence program and wants to consume intelligence from various sources. Which TWO of the following are commonly used threat intelligence feeds or sharing mechanisms? (Select TWO.)
89. An incident response team is handling a ransomware incident. The team has successfully contained the threat and is now in the eradication phase. Which THREE actions are appropriate for the eradication phase? (Select THREE.)
90. A penetration tester is planning a test against a web application. The rules of engagement specify that the tester must not disrupt production services. Which TWO reconnaissance techniques are considered passive and would be appropriate for initial information gathering without impacting the target? (Select TWO.)
91. A security analyst is reviewing threat intelligence feeds and notices indicators from a known APT group. Which threat intelligence sharing standard is most commonly used to structure and share such cyber threat information in a machine-readable format?
92. During a security incident, a forensic investigator needs to acquire volatile data from a compromised server. Which of the following is the correct order for collecting volatile data according to the standard digital forensics process?
93. A security operations center (SOC) analyst is investigating a potential malware infection on a workstation. The analyst wants to perform static analysis on a suspicious executable. Which tool or technique is most appropriate for examining the executable without executing it?
94. A SOC analyst is tuning a SIEM correlation rule to detect lateral movement. The rule currently triggers on a single failed authentication followed by a successful authentication from a new IP address within 5 minutes. Which improvement would best reduce false positives while maintaining detection of pass-the-hash attacks?
95. A penetration tester is performing a test against a web application. During active reconnaissance, the tester discovers that the application discloses version numbers in HTTP headers. Which phase of the penetration testing lifecycle does this activity belong to?
96. A security team is implementing deception technology to detect attackers inside the network. They plan to deploy fake systems that appear vulnerable and attract attackers. Which of the following is an example of a honeytoken?
97. A vulnerability management team is prioritizing patches for a large enterprise. They have identified a critical vulnerability in a widely used software with a CVSS base score of 9.8. However, the exploit requires local access and authentication. Which CVSS metric should the team use to adjust the score to reflect the actual risk in their environment?
98. During a threat hunting exercise, a hunter uses the MITRE ATT&CK framework to identify a series of behaviors: an attacker used PowerShell to download a payload, then created a scheduled task for persistence, and finally performed credential dumping via LSASS. Which ATT&CK tactic is associated with the credential dumping technique?
99. A security analyst is analyzing a memory dump from a compromised host using Volatility. Which Volatility plugin would be most useful to identify a malicious process that is hidden from the standard process listing?
100. An organization is developing a SOAR playbook to handle phishing emails reported by users. Which of the following actions is most appropriate to automate in the first step of the playbook?
101. During a penetration test, the tester gains access to a web server and wants to escalate privileges to root. The tester discovers that the web application runs with a service account that has the SeImpersonatePrivilege enabled. Which attack is most likely to succeed for privilege escalation?
102. A security team is evaluating an EDR solution. Which of the following capabilities is a primary differentiator between EDR and traditional antivirus?
103. A SOC analyst is investigating a potential data exfiltration incident. The analyst suspects that an insider is using encrypted tunnels to transfer data. Which TWO of the following network traffic analysis (NTA) indicators are most likely to suggest encrypted exfiltration? (Choose two.)
104. A senior security architect is designing a detection strategy for advanced persistent threats (APTs) that employ living-off-the-land (LotL) techniques. Which THREE of the following approaches are most effective for detecting LotL activities? (Choose three.)
105. A security analyst is reviewing a CVSS score for a vulnerability that affects a critical server. The base score is 7.5, but the analyst needs to adjust for the environment. Which TWO of the following are valid CVSS environmental metrics that can modify the score? (Choose two.)
106. A security analyst is reviewing threat intelligence feeds and notices that a known Advanced Persistent Threat (APT) group has been using a specific technique to move laterally within networks. The analyst wants to map this technique to the MITRE ATT&CK framework. Which resource would the analyst use to find the corresponding ATT&CK technique ID?
107. During an incident response engagement, the team has completed containment and eradication. What is the next phase in the incident response lifecycle according to NIST SP 800-61?
108. A SOC analyst is investigating a suspicious process that is making outbound connections to an unknown IP address. The analyst wants to examine the process memory for injected code. Which Volatility plugin is most appropriate for detecting code injection by listing all Virtual Address Descriptors (VADs) that are mapped as executable and writable?
109. An organization is implementing a SOAR solution to automate responses to common incidents. They want to create a playbook for phishing email handling. Which of the following actions should be automated in the playbook after a user reports a suspicious email?
110. A vulnerability scanner reports a critical vulnerability on a critical server with a CVSS v3.1 base score of 9.8. The server cannot be patched immediately due to vendor constraints. Which of the following should the security team implement as a compensating control?
111. A penetration tester is in the post-exploitation phase and wants to maintain access to a compromised system. Which of the following techniques is most effective for establishing persistent access while evading detection?
112. An incident responder is analyzing a malware sample obtained from an infected host. The responder wants to perform dynamic analysis to observe the malware's behavior in a safe environment. Which of the following is the best approach?
113. A security analyst is tuning the SIEM and wants to create a correlation rule that detects potential lateral movement using pass-the-hash attacks. Which log sources are most essential for detecting this technique?
114. An organization wants to collect threat intelligence from multiple Information Sharing and Analysis Centers (ISACs) relevant to their industry. Which of the following is a primary benefit of participating in an ISAC?
115. A digital forensics investigator is called to the scene of a potential data breach. The investigator must collect evidence from a live Windows system. Which of the following represents the correct order of volatility when collecting volatile data?
116. A SOC analyst is investigating an alert from the EDR system indicating that a user's workstation made multiple failed login attempts to a sensitive server, followed by a successful login from an unusual IP address. The analyst suspects a brute force attack. Which type of threat hunting methodology is being used?
117. During a penetration test, the tester has gained initial access to a system and wants to escalate privileges. Which of the following techniques is most likely to be effective for privilege escalation on a Windows system?
118. A security architect is designing deception technologies to detect and delay attackers. Which TWO of the following are examples of deception technologies that can be deployed? (Select TWO.)
119. A threat intelligence analyst is profiling a threat actor that has been targeting the energy sector. Which THREE of the following attributes are most important to include in a threat actor profile? (Select THREE.)
120. A penetration tester is preparing for an engagement and must define the rules of engagement (ROE) with the client. Which TWO of the following should be included in the ROE? (Select TWO.)
121. During a threat hunting exercise, a security analyst hypothesizes that adversaries may be using PowerShell to execute commands in memory. Which threat hunting methodology is being employed?
122. A security analyst receives an alert from the SIEM indicating multiple failed logon attempts from an external IP address followed by a successful logon for a domain admin account. Which phase of the incident response lifecycle is the analyst currently in?
123. During a digital forensics investigation, an analyst needs to acquire the contents of RAM from a compromised server. Which order of volatility should the analyst follow?
124. A security team is analyzing a suspicious binary using static analysis. They run the strings command and observe references to 'CreateRemoteThread' and 'WriteProcessMemory'. Which technique is the binary likely employing?
125. A company uses a SIEM with User Behavior Analytics (UBA). The UBA generates an alert when a user accesses sensitive data at unusual hours. Which type of correlation rule is being applied?
126. A security analyst receives an alert from the SIEM indicating a potential phishing email with a malicious attachment. The analyst wants to automatically isolate the affected endpoint and block the sender. Which technology should be used to automate this response?
127. A vulnerability scanner reports a critical vulnerability with a CVSS base score of 9.8 on a public-facing web server. However, the server has a compensating control: a Web Application Firewall (WAF) that blocks exploit attempts. How should the security team prioritize patching this vulnerability?
128. During a penetration test, the tester successfully gains initial access to a web server and wants to move laterally to a database server. The web server uses a service account that has local admin rights on the database server. What is the most effective technique for lateral movement in this scenario?
129. An organization deploys honeypots to detect attackers. Which type of deception technology is being used?
130. A security analyst is reviewing a suspicious email reported by a user. The email contains an attachment named 'invoice.pdf.exe'. Which type of malware analysis technique should the analyst perform first to determine if the file is malicious?
131. During a red team exercise, the team gains access to a workstation and needs to maintain persistence. They modify a registry run key to execute a payload. However, the organization uses EDR that monitors registry changes. Which technique could the red team use to avoid detection?
132. A company's incident response team is conducting a post-incident review. They identify that the intrusion was not detected for 72 hours due to insufficient logging on critical servers. Which phase of the incident response lifecycle should be improved to address this gap?
133. A security analyst is investigating a potential data exfiltration incident. The analyst needs to preserve evidence for legal proceedings. Which TWO actions must the analyst take to maintain the chain of custody? (Select TWO.)
134. A penetration tester is conducting a black-box test on a web application. The tester wants to gather information about the target without directly interacting with the target systems. Which THREE techniques are considered passive reconnaissance? (Select THREE.)
135A security operations center (SOC) is evaluating a new EDR solution. Which three capabilities are essential for effective endpoint detection and response? (Select THREE).
136During a security incident, a SOC analyst identifies a process with a suspicious hash on several endpoints. The analyst wants to determine if this hash is known to be malicious by querying internal and external threat intelligence sources. Which standard should the analyst use to structure the threat intelligence data for automated sharing?
137A security analyst is investigating a potential data exfiltration incident. The analyst has collected a memory dump from the affected server. Which Volatility command should the analyst use to extract the contents of the clipboard, which may contain copied sensitive data?
138A SOC team is implementing a SOAR playbook to automate the response to phishing emails reported by users. The playbook should perform initial triage and, if the email is determined to be malicious, take containment actions. Which TWO of the following actions should be included in the playbook? (Choose TWO.)
139An organization is implementing a vulnerability management program and needs to prioritize patching based on risk. The team has identified multiple vulnerabilities with different CVSS scores. Which THREE factors should be considered when prioritizing patches according to CVSS environmental metrics? (Choose THREE.)
140A penetration tester is conducting a test against a web application. The client has defined rules of engagement that prohibit any denial of service attacks. The tester discovers an endpoint that is vulnerable to command injection. Which THREE of the following actions should the tester take to validate the vulnerability while staying within scope? (Choose THREE.)
141During an incident response, a forensic examiner is collecting evidence from a compromised Windows workstation. The examiner must follow proper order of volatility to preserve potential evidence. Which THREE of the following items should be collected first, before the others? (Choose THREE.)
142A security team is deploying deception technology to detect lateral movement within the network. They plan to use honeypots configured to mimic critical servers. Which TWO of the following are essential considerations for the honeypot deployment to be effective? (Choose TWO.)
143An organization is implementing a threat hunting program. The team plans to use the MITRE ATT&CK framework to structure their hunts. Which THREE of the following are core components of the ATT&CK framework? (Choose THREE.)
144A security analyst is investigating a potential advanced persistent threat (APT) that has been evading traditional detection. The analyst decides to use User and Entity Behavior Analytics (UEBA) to identify anomalous activity. Which TWO of the following activities would be most indicative of a potential compromise when analyzed through UEBA? (Choose TWO.)
145A company's incident response team is developing a playbook for ransomware incidents. The playbook should cover the preparation phase. Which THREE of the following are appropriate preparation activities? (Choose THREE.)
146A security team is evaluating endpoint detection and response (EDR) solutions. They want a solution that can detect fileless malware and malicious PowerShell scripts. Which TWO capabilities should the team prioritize? (Choose TWO.)
147During a penetration test, the tester has gained initial access to a web server and wants to perform lateral movement to reach a database server. The tester enumerates the network and finds that the web server has two network interfaces: one connected to a DMZ and one to an internal network. The database server is on the internal network. Which TWO techniques could the tester use to pivot from the web server to the database server? (Choose TWO.)
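Questions 124 and 130 both describe the first, static pass over a suspicious file: look at the name, the header and the strings before anything is executed. The following is an added example, not code from Courseiva or from the question bank, showing that pass in Python. It reimplements the `strings` extraction (ASCII and UTF-16LE runs) rather than shelling out, flags a document-extension-hiding-an-executable name such as invoice.pdf.exe, and reports the classic OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain that indicates remote-thread process injection. The sample bytes are constructed for the example; the API set and extension lists are assumptions chosen for illustration, not a complete signature.

```python
import re
from dataclasses import dataclass, field

# Import names that, taken together, form the classic remote-thread injection chain
# (assumed indicator set for this example, not an exhaustive list).
INJECTION_APIS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes) -> list[str]:
    """Equivalent of `strings -a` plus `strings -el`: printable ASCII and
    UTF-16LE runs of 4+ characters, returned in file-offset order."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(blob)]
    return [s for _, s in sorted(hits)]


def has_double_extension(filename: str) -> bool:
    """True for names like invoice.pdf.exe: a document extension in front of an executable one."""
    name = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOCUMENT_EXTS


@dataclass
class TriageResult:
    filename: str
    is_pe: bool
    strings: list[str]
    injection_apis: list[str]
    indicators: list[str] = field(default_factory=list)


def static_triage(filename: str, blob: bytes) -> TriageResult:
    """First-pass static analysis: no execution, only file name, header bytes and strings."""
    strings = extract_strings(blob)
    apis = sorted(INJECTION_APIS & set(strings))
    result = TriageResult(filename, blob[:2] == b"MZ", strings, apis)
    if has_double_extension(filename):
        result.indicators.append("double extension: executable disguised as a document")
    if result.is_pe and not filename.lower().endswith((".exe", ".dll", ".scr", ".sys", ".com")):
        result.indicators.append("PE (MZ) header under a non-executable extension")
    if result.is_pe and len(apis) >= 3:
        result.indicators.append("process injection API chain: " + ", ".join(apis))
    return result


# Constructed sample standing in for the attachment: a minimal MZ header, an
# import-table-like run of ASCII API names and a UTF-16LE target process name.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 8
    + b"kernel32.dll\x00OpenProcess\x00VirtualAllocEx\x00"
    + b"WriteProcessMemory\x00CreateRemoteThread\x00\x01\x02"
    + "explorer.exe".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Users\\Public\\invoice.pdf.exe\x00"
)

if __name__ == "__main__":
    report = static_triage("invoice.pdf.exe", SAMPLE_BLOB)
    for indicator in report.indicators:
        print(indicator)
```

Static triage of this kind is cheap and safe to run on every reported attachment; a hit on the injection chain is a reason to move to dynamic analysis in a sandbox, not a verdict on its own, since legitimate debuggers and some security tools import the same APIs.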
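Questions 122 and 125 describe two different kinds of SIEM rule: a sequence correlation (many failed logons followed by a success for a privileged account) and a behavioural one (sensitive data touched at an hour that is unusual for that user). The following is an added example, not code from Courseiva or the question bank, that implements both rules in Python over a constructed Windows Security log excerpt (event IDs 4625 and 4624) and a constructed file-share access history used to learn each user's normal hours. Thresholds, the time window and the hour tolerance are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log excerpt, not real telemetry.
# (timestamp, event_id, account, source_ip); 4625 = failed logon, 4624 = successful logon.
LOGON_EVENTS = [
    ("2024-03-12T02:14:05", 4625, "CORP\\jsmith-da", "203.0.113.45"),
    ("2024-03-12T02:14:20", 4625, "CORP\\jsmith-da", "203.0.113.45"),
    ("2024-03-12T02:14:35", 4625, "CORP\\jsmith-da", "203.0.113.45"),
    ("2024-03-12T02:14:50", 4625, "CORP\\jsmith-da", "203.0.113.45"),
    ("2024-03-12T02:15:05", 4625, "CORP\\jsmith-da", "203.0.113.45"),
    ("2024-03-12T02:15:20", 4625, "CORP\\jsmith-da", "203.0.113.45"),
    ("2024-03-12T02:16:40", 4624, "CORP\\jsmith-da", "203.0.113.45"),
    ("2024-03-12T08:58:10", 4625, "CORP\\bob", "10.0.5.30"),      # a single mistyped password
    ("2024-03-12T08:58:25", 4624, "CORP\\bob", "10.0.5.30"),
    ("2024-03-12T09:01:00", 4624, "CORP\\alice", "10.0.5.21"),
]
DOMAIN_ADMINS = {"CORP\\jsmith-da"}

# Constructed access history (to learn normal hours) and the events under review.
# (timestamp, account, resource)
ACCESS_HISTORY = [
    ("2024-03-0%dT%02d:30:00" % (d, h), "CORP\\alice", "\\\\fs01\\finance\\ledger.xlsx")
    for d in range(1, 8) for h in (8, 10, 13, 16)
] + [
    ("2024-03-0%dT%02d:15:00" % (d, h), "CORP\\bob", "\\\\fs01\\finance\\ledger.xlsx")
    for d in range(1, 8) for h in (9, 14, 17)
]
ACCESS_EVENTS = [
    ("2024-03-12T14:22:00", "CORP\\alice", "\\\\fs01\\finance\\payroll.xlsx"),
    ("2024-03-12T03:05:00", "CORP\\alice", "\\\\fs01\\finance\\payroll.xlsx"),
    ("2024-03-12T03:06:00", "CORP\\alice", "\\\\fs01\\public\\menu.txt"),
    ("2024-03-12T10:00:00", "CORP\\bob", "\\\\fs01\\finance\\payroll.xlsx"),
]
SENSITIVE_SHARE = "\\\\fs01\\finance\\"


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Sequence rule: at least `threshold` 4625s from one source for one account
    inside `window`, followed by a 4624 for that same (source, account) pair."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ts, event_id, account, src_ip in sorted(events):
        t = datetime.fromisoformat(ts)
        q = recent_failures[(src_ip, account)]
        while q and t - q[0] > window:          # drop failures older than the window
            q.popleft()
        if event_id == 4625:
            q.append(t)
        elif event_id == 4624 and len(q) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success", "account": account,
                "src_ip": src_ip, "failures": len(q),
                "domain_admin": account in DOMAIN_ADMINS, "at": ts,
            })
            q.clear()
    return alerts


def _circular_hour_distance(a, b):
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_hour_baseline(history):
    """Per-account set of hours in which the account has historically been active."""
    baseline = defaultdict(set)
    for ts, account, _ in history:
        baseline[account].add(datetime.fromisoformat(ts).hour)
    return baseline


def off_hours_sensitive_access(events, baseline, tolerance=1):
    """Behavioural rule: sensitive-share access at an hour not within `tolerance`
    of any hour in the account's learned baseline. An account with no history
    at all also alerts, since it has no established normal."""
    alerts = []
    for ts, account, resource in events:
        if not resource.startswith(SENSITIVE_SHARE):
            continue
        hour = datetime.fromisoformat(ts).hour
        usual = baseline.get(account, set())
        if not any(_circular_hour_distance(hour, h) <= tolerance for h in usual):
            alerts.append({"rule": "uba-off-hours-sensitive-access", "account": account,
                           "hour": hour, "resource": resource, "at": ts})
    return alerts


def run_correlation():
    """Run both rules over the constructed data and return the alerts."""
    baseline = build_hour_baseline(ACCESS_HISTORY)
    return brute_force_then_success(LOGON_EVENTS) + off_hours_sensitive_access(ACCESS_EVENTS, baseline)


if __name__ == "__main__":
    for alert in run_correlation():
        print(alert)
```

The sequence rule keys on (source, account) so that one noisy password-spray source cannot be masked by a later legitimate logon from a different address, and it clears the failure queue after alerting so the same burst is not reported twice. The behavioural rule needs a learning period; in a real UBA deployment the baseline would be built from weeks of history and weighted by frequency rather than a flat set of hours.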
The Security Operations domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.
The Courseiva CAS-004 question bank contains 147 questions in the Security Operations domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.