Practice CISSP Security Assessment and Testing questions with full explanations on every answer.
1. A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?
2. A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?
3. A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?
4. A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?
5. A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?
6. A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?
7. A company has implemented a new web application firewall (WAF) and wants to test its effectiveness. Which of the following testing methods would provide the MOST accurate assessment?
8. Which TWO of the following are key objectives of a security assessment? (Select exactly 2.)
9. Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)
10. A security analyst receives the IDS alert shown in the exhibit. The analyst checks the web server logs and finds that the request returned a 200 OK status. Which of the following should the analyst do NEXT?
11. A system administrator receives the vulnerability scan report snippet shown in the exhibit. Which of the following actions should the administrator take to remediate the vulnerability?
12. A multinational corporation with a hybrid cloud infrastructure has recently experienced a series of security incidents involving unauthorized access to sensitive customer data. The incidents were traced to compromised credentials of privileged users. The company has implemented multi-factor authentication (MFA) for all privileged accounts, but the attacks persisted. A security assessment team is brought in to evaluate the environment. During the assessment, they discover that some privileged accounts do not require MFA when accessing systems via API calls, and that session tokens for these APIs have a long expiration time of 24 hours. Additionally, the team finds that the logging and monitoring system does not capture API calls from privileged accounts, making it difficult to detect anomalous behavior. The company wants to remediate these issues effectively. Which of the following is the BEST course of action to address the root cause of the incidents?
13. Drag and drop the steps of the incident response process in the correct order.
14. Drag and drop the steps for a secure password change procedure in the correct order.
15. Match each cryptographic algorithm to its type.
16. Match each security assessment type to its description.
17. A security analyst is tasked with identifying vulnerabilities in a web application that is still in development. The application code is not yet stable, and frequent changes are expected. Which testing approach would be most appropriate to identify vulnerabilities without hindering the development process?
18. A vulnerability scan report shows that a web server has a critical vulnerability with a CVSS score of 9.8. However, the server is behind a WAF that blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. What should the security manager do first?
19. During a security audit of a financial application, the auditor discovers that the application uses a custom encryption algorithm for storing sensitive data. The developer claims it is more efficient than AES. What should the auditor recommend?
20. A security analyst reviews system logs and notices multiple failed SSH login attempts from a single IP address over the past hour. The attempts are spaced 30 seconds apart and target different usernames. Which type of attack is most likely occurring?
21. An organization is planning a penetration test of its internal network. The test team has been given network diagrams, source code access, and administrative credentials. This type of testing is known as:
22. A company's compliance officer wants to ensure that the organization's security controls meet regulatory requirements for data protection. The officer requests a review of the controls against the regulation's specific clauses. Which type of assessment is most appropriate?
23. A security tester needs to test a new application for vulnerabilities but is concerned about contaminating the production database with test data. What is the best practice for conducting such tests?
24. A vulnerability scanner reports a medium-severity finding on a web server. After investigating, the system administrator claims the finding is a false positive because the service in question is not actually running. Which step should the security analyst take next?
25. A red team exercise is planned to simulate a sophisticated adversary. The blue team is aware of the exercise but not the exact methods. The red team is given a budget to acquire attack tools. What is the primary advantage of this approach over a traditional penetration test?
26. A security analyst is reviewing the findings from a vulnerability scan of a web application. Which TWO actions are most appropriate to prioritize remediation?
27. An organization is implementing a security information and event management (SIEM) system. Which THREE factors are most critical for the SIEM to provide actionable security insights?
28. During a security assessment, an organization wants to ensure that its web application is resistant to common attacks. Which THREE testing types should be included?
29. Based on the vulnerability scan exhibit, which vulnerability should be remediated first?
30. An auditor is reviewing the JSON policy exhibit. What is the most likely security issue with this policy?
31. A security analyst reviews the syslog configuration exhibit. What is the primary security concern with this configuration?
32. A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address followed by a successful login. What should the analyst do next?
33. A company wants to test the effectiveness of its security controls without causing disruption. Which type of assessment is most appropriate?
34. During an internal audit, an organization discovers that a critical application has not been patched for six months. The application is business-critical and cannot be taken offline during business hours. Which of the following is the best course of action?
35. An organization is conducting a security assessment of a new web application. Which testing technique would best identify cross-site scripting (XSS) vulnerabilities?
36. A security team is analyzing logs from multiple sources and notices anomalous outbound traffic to a known command-and-control server. What is the most likely conclusion?
37. A company's vulnerability management program requires that all critical vulnerabilities be remediated within 30 days. A critical vulnerability is discovered in a legacy system that cannot be patched because the vendor no longer supports it. Which of the following is the best compensating control?
38. Which of the following is the primary purpose of a security assessment?
39. An organization has implemented a new SIEM system. What is the most critical factor for its effectiveness?
40. During a penetration test, the tester gains access to a server and finds sensitive customer data. What should the tester do next?
41. Which TWO of the following are examples of types of security assessments?
42. Which THREE of the following are commonly used metrics for measuring the effectiveness of a vulnerability management program?
43. Which TWO of the following are best practices for conducting a penetration test?
44. Refer to the exhibit. Based on the exhibit, what does the sequence of requests indicate?
45. Refer to the exhibit. What is a potential security weakness in this policy?
46. Refer to the exhibit. Based on the exhibit, what is the most urgent remediation?
47. A security analyst is conducting a review of aggregated logs from firewalls, IDS, and servers to detect anomalous behavior. This activity is best described as:
48. During an internal security assessment, a tester uses a tool to attempt to crack password hashes extracted from a domain controller. Which phase of the penetration testing process does this represent?
49. A company's security team discovers that a critical web application has a SQL injection vulnerability. However, the team is unable to remediate it immediately due to a dependency on a third-party component. Which of the following is the BEST approach to manage the risk while awaiting a patch?
50. A security professional is tasked with testing the effectiveness of security controls in a production environment without causing disruption. Which type of assessment should be performed?
51. An organization wants to verify that its security policies are being followed by employees. Which testing method is most appropriate?
52. A security analyst notes that a recent penetration test successfully exploited a vulnerability in a legacy application that cannot be patched. The analyst recommends implementing network segmentation to limit the application's exposure. This recommendation is an example of:
53. Which of the following is the primary purpose of a security assessment?
54. During a web application security test, a tester attempts to inject JavaScript into a search field and observes that the script executes when the page is loaded. This indicates a vulnerability to:
55. A security team is evaluating the results of a penetration test. The test revealed that a low-privileged user could escalate privileges to domain administrator. This is a critical finding. Which of the following should be the immediate next step?
56. A company is conducting a security assessment of its network infrastructure. Which of the following activities are typically performed during a vulnerability assessment? (Select TWO.)
57. A security analyst is reviewing log data from various sources. Which of the following are essential for effective security logging in accordance with best practices? (Select THREE.)
58. A penetration tester is planning an engagement. Which of the following rules of engagement should be defined before testing begins? (Select TWO.)
59. Your organization is a medium-sized e-commerce company with a hybrid infrastructure: on-premises datacenter and AWS cloud. The security team recently conducted an internal vulnerability scan of the on-premises network and discovered multiple critical vulnerabilities in a legacy ERP system that cannot be patched because the vendor no longer supports it. The ERP system is essential for order processing and cannot be decommissioned. The team also ran a penetration test against the cloud environment and found that an attacker with network access could leverage misconfigured security groups to move laterally between instances. The company has a risk appetite that allows for limited risk acceptance with compensating controls. As the senior security analyst, what is the BEST course of action?
60. A security analyst is reviewing logs from a web application firewall (WAF) and notices multiple requests containing the payload "1=1--" in the query string. The analyst suspects a SQL injection attack. Which of the following is the BEST immediate action to validate the suspicion?
61. During a penetration test, a tester discovers that the target web application responds to HTTP requests with a "200 OK" status for both valid and invalid session tokens on a particular API endpoint. The application uses JSON Web Tokens (JWT) for authentication. Which of the following vulnerabilities is MOST likely present?
62. Which TWO of the following are common techniques used in dynamic application security testing (DAST)?
63. A security team is planning to conduct a social engineering test as part of an organization's security assessment. Which THREE of the following should be included in the test plan to ensure ethical and legal compliance?
64. A financial institution is conducting a vulnerability assessment of its internal network. The assessor runs a comprehensive scan and discovers that several Windows servers have missing security patches. The organization has a patch management policy that requires all critical patches to be applied within 30 days. The scan results show that some patches have been pending for 45 days. The assessor also finds that the servers are isolated in a separate VLAN with strict firewall rules limiting inbound traffic to only necessary ports. The business owner argues that because the servers are isolated, the risk is low and the patches can be delayed. As the security assessor, what should be the BEST course of action?
65. A healthcare organization recently experienced a data breach. The incident response team traced the breach to a compromised third-party vendor that had remote access to the organization's network. The vendor's credentials were stolen via a phishing attack. The organization's security policy requires that all third-party remote access be monitored and logged. During the investigation, it was discovered that the vendor's session traffic was not logged because the logging system was misconfigured. The security team needs to prevent similar incidents in the future. Which of the following is the MOST effective remediation?
66. An e-commerce company is preparing for a PCI DSS compliance assessment. The assessor needs to perform an external network vulnerability scan. The company has a public-facing web application that processes credit card payments. The scan must be conducted from an external IP address that is not whitelisted by the company's firewall. The security team is concerned that the scan might trigger intrusion detection alerts and cause operational disruptions. What is the BEST approach to handle this situation?
67. A global technology firm has implemented a continuous integration/continuous deployment (CI/CD) pipeline for its flagship software product. The security testing team is tasked with integrating security testing into the pipeline. The team has decided to use a static application security testing (SAST) tool and a software composition analysis (SCA) tool. They are currently running both tools every night against the entire codebase, but the developers complain that the reports are too long and often contain false positives. The team wants to improve the efficiency without sacrificing security coverage. Which of the following is the BEST strategy?
68. A security analyst runs a vulnerability scan and sees the output shown in the exhibit. The analyst wants to remediate the most critical issue first. Which action should the analyst take to address the SQL injection vulnerability?
69. An organization is planning a penetration test of its internal network. Which TWO of the following are essential elements to include in the test scope and rules of engagement?
70. A large e-commerce company operates a multi-tier application in a public cloud. The environment includes a web tier, application tier, and database tier. The security team recently deployed a host-based intrusion detection system (HIDS) on all servers. During a routine review, the HIDS alerts show repeated failed login attempts from a single external IP address to several web servers, but no successful logins from that IP. The team also notices that the database servers have been sending outbound traffic to an unknown IP address on port 443, which is unusual because the database servers typically communicate only with the application servers on port 3306 (MySQL). The application team confirms no changes were made recently. The CISO wants an immediate investigation. What should the security team do first?
The Security Assessment and Testing domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 70 questions in the Security Assessment and Testing domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Assessment and Testing domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.