
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Security Assessment and Testing

Practice CISSP Security Assessment and Testing questions with full explanations on every answer.

55 questions


All CISSP Security Assessment and Testing questions (55)


1. A security analyst is asked to identify vulnerabilities in a web application without attempting to exploit them. Which type of assessment is being performed?

2. During a penetration test, the tester has obtained initial access and is now trying to move laterally to other systems. Which phase of the penetration testing process does this represent?

3. A company wants to ensure its internal web application is free from security flaws during development. Which testing approach analyzes source code without executing the program?

4. Which of the following is a key component of the rules of engagement for a penetration test?

5. A security auditor is assessing whether a company's controls comply with ISO 27001. What type of audit is being conducted?

6. Which vulnerability scoring system provides a standardized severity rating for vulnerabilities based on exploitability and impact metrics?

7. A company wants to measure the effectiveness of its vulnerability management program. Which metric would best indicate the organization's ability to respond quickly to critical vulnerabilities?

8. Which type of SOC report provides a public summary of an organization's controls over security, availability, and confidentiality?

9. An organization is required to retain security logs for a minimum of one year to meet compliance regulations. Which practice is most directly related to this requirement?

10. During a security audit, the auditor selects a sample of user access reviews to verify that access rights are properly managed. This type of testing is best described as:

11. Which type of scanning provides the most comprehensive view of an organization's vulnerabilities by allowing the scanner to log into systems and access detailed configuration information?

12. A company hires a third party to perform an assessment where the testers are given no prior knowledge of the internal network. This type of penetration test is known as:

13. A security manager is planning a penetration test and needs to ensure proper rules of engagement are established. Which TWO of the following are essential components of the rules of engagement?

14. An organization is selecting security metrics to report to the board. Which THREE metrics would best demonstrate the effectiveness of the vulnerability management program?

15. A company is preparing for a PCI DSS assessment. Which TWO of the following are likely to be required as part of the assessment?

16. A security analyst is conducting a vulnerability scan of a web application. The scan identifies several vulnerabilities, but the analyst wants to minimize false positives. Which type of vulnerability scan would be most appropriate?

17. During a penetration test, the tester successfully exploits a vulnerability in a web server and gains initial access. The next step in the penetration testing process is to:

18. An organization wants to ensure that its web application is secure by analyzing the source code for vulnerabilities without executing the code. Which type of testing is most appropriate?

19. A company is preparing for an external audit to comply with PCI DSS. Which type of auditor is typically required to perform this assessment?

20. Which of the following is the primary purpose of a security audit?

21. A security manager is reviewing metrics and sees that the "mean time to remediate" for critical vulnerabilities has increased over the past quarter. This metric is an example of a:

22. After a penetration test, the tester provides a report that includes vulnerabilities found, exploitation details, and recommended fixes. Which step of the penetration testing process does this represent?

23. An organization wants to test its security controls by simulating an attack where the tester has no prior knowledge of the internal network. This is known as a:

24. A company is required to retain logs for regulatory compliance. Which factor primarily determines the log retention period?

25. During a SOC 2 audit, the auditor evaluates controls over a period of time to assess their operating effectiveness. Which type of SOC report is being performed?

26. A vulnerability scanner reports a vulnerability with a CVSS score of 9.8. What does this score indicate?

27. Which of the following is a key element of the rules of engagement for a penetration test?

28. A security analyst is reviewing logs from multiple systems in a centralized log management platform. Which TWO of the following are primary benefits of centralized log management?

29. A company is planning to conduct a penetration test. Which THREE of the following should be included in the rules of engagement?

30. An organization wants to assess the security of its custom web application. Which TWO of the following are types of code review that can be used to identify vulnerabilities?

31. An organization wants to identify vulnerabilities in its network without attempting to exploit them. Which type of security assessment should it perform?

32. During a penetration testing engagement, which TWO of the following are essential components of the rules of engagement document?

33. A security analyst is reviewing logs from multiple systems and needs to ensure that logs are tamper-proof and available for incident investigation. Which of the following is the BEST approach?

34. Which TWO of the following are characteristics of a SOC 2 Type II report?

35. A company must comply with a regulation requiring a formal, independent assessment of its security controls against a standard. Which type of assessment is MOST appropriate?

36. A developer uses a tool that analyzes source code for potential security flaws without executing the program. This is an example of:

37. Which THREE of the following are common key performance indicators (KPIs) used in security assessment and testing?

38. An organization is preparing for an ISO 27001 certification audit. The audit will be performed by an external body. This type of audit is classified as:

39. During a penetration test, the tester successfully gains access to a server and then attempts to move laterally to other systems. This phase is known as:

40. Which TWO of the following are benefits of authenticated vulnerability scanning compared to unauthenticated scanning?

41. An organization wants to test its web application for vulnerabilities by running the application and probing it with malicious inputs. Which tool is BEST suited for this purpose?

42. A company's security team uses a tool that instruments the application at runtime to monitor and block attacks. This is an example of:

43. Which vulnerability scoring system is commonly used to assess the severity of vulnerabilities?

44. An organization requires a security assessment that evaluates controls against a specific standard and results in a formal report. The organization is not required to exploit vulnerabilities. Which type of assessment is this?

45. Which THREE of the following are valid types of penetration testing based on the level of knowledge provided to the tester?

46. A security analyst is tasked with identifying vulnerabilities in a network without exploiting them. Which type of assessment is most appropriate?

47. During a penetration test, the tester gains initial access to a server and then attempts to pivot to other systems. Which phase of the penetration testing process does this represent?

48. Which of the following is a key component of the rules of engagement for a penetration test?

49. A security team is reviewing application security and needs to analyze source code without executing the application. Which technique should they use?

50. Which type of SOC report provides a public summary of controls related to security, availability, confidentiality, integrity, and privacy, but does not include detailed testing results?

51. A security analyst is setting up a vulnerability scanning program. Which TWO of the following are best practices for determining scanning frequency?

52. An organization is planning an external audit for SOC 2 Type II compliance. Which TWO of the following are true about this type of audit?

53. Which TWO of the following are examples of security metrics that can be used as key performance indicators (KPIs)?

54. A security team is selecting tools for code review. Which THREE of the following are characteristics of Static Application Security Testing (SAST) tools?

55. An organization is reviewing its log management practices. Which THREE of the following are key considerations for effective log review?


Frequently asked questions

What does the Security Assessment and Testing domain cover on the CISSP exam?

The Security Assessment and Testing domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Security Assessment and Testing questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 55 questions in the Security Assessment and Testing domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Assessment and Testing for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Assessment and Testing questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Security Assessment and Testing domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
