Practice CISSP Security Assessment and Testing questions with full explanations on every answer.
1. A security analyst is asked to identify vulnerabilities in a web application without attempting to exploit them. Which type of assessment is being performed?
2. During a penetration test, the tester has obtained initial access and is now trying to move laterally to other systems. Which phase of the penetration testing process does this represent?
3. A company wants to ensure its internal web application is free from security flaws during development. Which testing approach analyzes source code without executing the program?
4. Which of the following is a key component of the rules of engagement for a penetration test?
5. A security auditor is assessing whether a company's controls comply with ISO 27001. What type of audit is being conducted?
6. Which vulnerability scoring system provides a standardized severity rating for vulnerabilities based on exploitability and impact metrics?
7. A company wants to measure the effectiveness of its vulnerability management program. Which metric would best indicate the organization's ability to respond quickly to critical vulnerabilities?
8. Which type of SOC report provides a public summary of an organization's controls over security, availability, and confidentiality?
9. An organization is required to retain security logs for a minimum of one year to meet compliance regulations. Which practice is most directly related to this requirement?
10. During a security audit, the auditor selects a sample of user access reviews to verify that access rights are properly managed. This type of testing is best described as:
11. Which type of scanning provides the most comprehensive view of an organization's vulnerabilities by allowing the scanner to log into systems and access detailed configuration information?
12. A company hires a third party to perform an assessment where the testers are given no prior knowledge of the internal network. This type of penetration test is known as:
13. A security manager is planning a penetration test and needs to ensure proper rules of engagement are established. Which TWO of the following are essential components of the rules of engagement?
14. An organization is selecting security metrics to report to the board. Which THREE metrics would best demonstrate the effectiveness of the vulnerability management program?
15. A company is preparing for a PCI DSS assessment. Which TWO of the following are likely to be required as part of the assessment?
16. A security analyst is conducting a vulnerability scan of a web application. The scan identifies several vulnerabilities, but the analyst wants to minimize false positives. Which type of vulnerability scan would be most appropriate?
17. During a penetration test, the tester successfully exploits a vulnerability in a web server and gains initial access. The next step in the penetration testing process is to:
18. An organization wants to ensure that its web application is secure by analyzing the source code for vulnerabilities without executing the code. Which type of testing is most appropriate?
19. A company is preparing for an external audit to comply with PCI DSS. Which type of auditor is typically required to perform this assessment?
20. Which of the following is the primary purpose of a security audit?
21. A security manager is reviewing metrics and sees that the "mean time to remediate" for critical vulnerabilities has increased over the past quarter. This metric is an example of a:
22. After a penetration test, the tester provides a report that includes vulnerabilities found, exploitation details, and recommended fixes. Which step of the penetration testing process does this represent?
23. An organization wants to test its security controls by simulating an attack where the tester has no prior knowledge of the internal network. This is known as a:
24. A company is required to retain logs for regulatory compliance. Which factor primarily determines the log retention period?
25. During a SOC 2 audit, the auditor evaluates controls over a period of time to assess their operating effectiveness. Which type of SOC report is being performed?
26. A vulnerability scanner reports a vulnerability with a CVSS score of 9.8. What does this score indicate?
27. Which of the following is a key element of the rules of engagement for a penetration test?
28. A security analyst is reviewing logs from multiple systems in a centralized log management platform. Which TWO of the following are primary benefits of centralized log management?
29. A company is planning to conduct a penetration test. Which THREE of the following should be included in the rules of engagement?
30. An organization wants to assess the security of its custom web application. Which TWO of the following are types of code review that can be used to identify vulnerabilities?
31. An organization wants to identify vulnerabilities in its network without attempting to exploit them. Which type of security assessment should it perform?
32. During a penetration testing engagement, which TWO of the following are essential components of the rules of engagement document?
33. A security analyst is reviewing logs from multiple systems and needs to ensure that logs are tamper-proof and available for incident investigation. Which of the following is the BEST approach?
34. Which TWO of the following are characteristics of a SOC 2 Type II report?
35. A company must comply with a regulation requiring a formal, independent assessment of its security controls against a standard. Which type of assessment is MOST appropriate?
36. A developer uses a tool that analyzes source code for potential security flaws without executing the program. This is an example of:
37. Which THREE of the following are common key performance indicators (KPIs) used in security assessment and testing?
38. An organization is preparing for an ISO 27001 certification audit. The audit will be performed by an external body. This type of audit is classified as:
39. During a penetration test, the tester successfully gains access to a server and then attempts to move laterally to other systems. This phase is known as:
40. Which TWO of the following are benefits of authenticated vulnerability scanning compared to unauthenticated scanning?
41. An organization wants to test its web application for vulnerabilities by running the application and probing it with malicious inputs. Which tool is BEST suited for this purpose?
42. A company's security team uses a tool that instruments the application at runtime to monitor and block attacks. This is an example of:
43. Which vulnerability scoring system is commonly used to assess the severity of vulnerabilities?
44. An organization requires a security assessment that evaluates controls against a specific standard and results in a formal report. The organization is not required to exploit vulnerabilities. Which type of assessment is this?
45. Which THREE of the following are valid types of penetration testing based on the level of knowledge provided to the tester?
46. A security analyst is tasked with identifying vulnerabilities in a network without exploiting them. Which type of assessment is most appropriate?
47. During a penetration test, the tester gains initial access to a server and then attempts to pivot to other systems. Which phase of the penetration testing process does this represent?
48. Which of the following is a key component of the rules of engagement for a penetration test?
49. A security team is reviewing application security and needs to analyze source code without executing the application. Which technique should it use?
50. Which type of SOC report provides a public summary of controls related to security, availability, confidentiality, integrity, and privacy, but does not include detailed testing results?
51. A security analyst is setting up a vulnerability scanning program. Which TWO of the following are best practices for determining scanning frequency?
52. An organization is planning an external audit for SOC 2 Type II compliance. Which TWO of the following are true about this type of audit?
53. Which TWO of the following are examples of security metrics that can be used as key performance indicators (KPIs)?
54. A security team is selecting tools for code review. Which THREE of the following are characteristics of Static Application Security Testing (SAST) tools?
55. An organization is reviewing its log management practices. Which THREE of the following are key considerations for effective log review?
The Security Assessment and Testing domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 55 questions in the Security Assessment and Testing domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.