Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Security Assessment and Testing

Practice CISSP Security Assessment and Testing questions with full explanations on every answer.

70 questions



All CISSP Security Assessment and Testing questions (70)


1

A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?

2

A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?

3

A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?

4

A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?

5

A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?

6

A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?

7

A company has implemented a new web application firewall (WAF) and wants to test its effectiveness. Which of the following testing methods would provide the MOST accurate assessment?

8

Which TWO of the following are key objectives of a security assessment? (Select exactly 2.)

9

Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)

10

A security analyst receives the IDS alert shown in the exhibit. The analyst checks the web server logs and finds that the request returned a 200 OK status. Which of the following should the analyst do NEXT?

11

A system administrator receives the vulnerability scan report snippet shown in the exhibit. Which of the following actions should the administrator take to remediate the vulnerability?

12

A multinational corporation with a hybrid cloud infrastructure has recently experienced a series of security incidents involving unauthorized access to sensitive customer data. The incidents were traced to compromised credentials of privileged users. The company has implemented multi-factor authentication (MFA) for all privileged accounts, but the attacks persisted. A security assessment team is brought in to evaluate the environment. During the assessment, they discover that some privileged accounts do not require MFA when accessing systems via API calls, and that session tokens for these APIs have a long expiration time of 24 hours. Additionally, the team finds that the logging and monitoring system does not capture API calls from privileged accounts, making it difficult to detect anomalous behavior. The company wants to remediate these issues effectively. Which of the following is the BEST course of action to address the root cause of the incidents?

13

Drag and drop the steps of the incident response process in the correct order.

14

Drag and drop the steps for a secure password change procedure in the correct order.

15

Match each cryptographic algorithm to its type.

16

Match each security assessment type to its description.

17

A security analyst is tasked with identifying vulnerabilities in a web application that is still in development. The application code is not yet stable, and frequent changes are expected. Which testing approach would be most appropriate to identify vulnerabilities without hindering the development process?

18

A vulnerability scan report shows that a web server has a critical vulnerability with a CVSS score of 9.8. However, the server is behind a WAF that blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. What should the security manager do first?

19

During a security audit of a financial application, the auditor discovers that the application uses a custom encryption algorithm for storing sensitive data. The developer claims it is more efficient than AES. What should the auditor recommend?

20

A security analyst reviews system logs and notices multiple failed SSH login attempts from a single IP address over the past hour. The attempts are spaced 30 seconds apart and target different usernames. Which type of attack is most likely occurring?

21

An organization is planning a penetration test of its internal network. The test team has been given network diagrams, source code access, and administrative credentials. This type of testing is known as:

22

A company's compliance officer wants to ensure that the organization's security controls meet regulatory requirements for data protection. The officer requests a review of the controls against the regulation's specific clauses. Which type of assessment is most appropriate?

23

A security tester needs to test a new application for vulnerabilities but is concerned about contaminating the production database with test data. What is the best practice for conducting such tests?

24

A vulnerability scanner reports a medium-severity finding on a web server. After investigating, the system administrator claims the finding is a false positive because the service in question is not actually running. Which step should the security analyst take next?

25

A red team exercise is planned to simulate a sophisticated adversary. The blue team is aware of the exercise but not the exact methods. The red team is given a budget to acquire attack tools. What is the primary advantage of this approach over a traditional penetration test?

26

A security analyst is reviewing the findings from a vulnerability scan of a web application. Which TWO actions are most appropriate to prioritize remediation?

27

An organization is implementing a security information and event management (SIEM) system. Which THREE factors are most critical for the SIEM to provide actionable security insights?

28

During a security assessment, an organization wants to ensure that its web application is resistant to common attacks. Which THREE testing types should be included?

29

Based on the vulnerability scan exhibit, which vulnerability should be remediated first?

30

An auditor is reviewing the JSON policy exhibit. What is the most likely security issue with this policy?

31

A security analyst reviews the syslog configuration exhibit. What is the primary security concern with this configuration?

32

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address followed by a successful login. What should the analyst do next?
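Questions 20 and 32 both describe the same log-review task: one source IP, a run of failed logins, and (in question 32) a success at the end. The example below is an added illustration, not part of the Courseiva question bank; it parses a constructed sample of OpenSSH auth.log lines (made up for this example) and, per source IP, counts failures, checks whether many different usernames were tried, checks whether the attempts are evenly spaced (a low-and-slow pattern meant to stay under lockout and rate-limit thresholds), and flags any account that authenticated successfully after the failures. The thresholds are assumptions; tune them to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not taken from any real system).
SAMPLE_LOG = """\
Mar  3 10:00:00 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 10:00:30 web01 sshd[2314]: Failed password for invalid user test from 203.0.113.45 port 51140 ssh2
Mar  3 10:01:00 web01 sshd[2317]: Failed password for root from 203.0.113.45 port 51161 ssh2
Mar  3 10:01:30 web01 sshd[2320]: Failed password for invalid user oracle from 203.0.113.45 port 51177 ssh2
Mar  3 10:02:00 web01 sshd[2323]: Failed password for deploy from 203.0.113.45 port 51190 ssh2
Mar  3 10:02:30 web01 sshd[2326]: Accepted password for deploy from 203.0.113.45 port 51201 ssh2
Mar  3 10:02:41 web01 sshd[2330]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:02:44 web01 sshd[2331]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; only the deltas matter here
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def analyze(log_text, fail_threshold=3, spray_user_threshold=3, slow_gap_seconds=10):
    """Group auth events by source IP and return one finding per suspicious IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        if len(failures) < fail_threshold:
            continue
        users = sorted({e["user"] for e in failures})
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(failures, failures[1:])]
        last_failure = failures[-1]["ts"]
        # Any success from the same IP after the failures is the signal question 32 asks about.
        succeeded = sorted({e["user"] for e in events
                            if e["result"] == "Accepted" and e["ts"] > last_failure})
        findings.append({
            "ip": ip,
            "failed_attempts": len(failures),
            "targeted_users": users,
            # many usernames, few guesses each = spraying; one username, many guesses = brute force
            "pattern": "password_spray" if len(users) >= spray_user_threshold else "brute_force",
            "low_and_slow": bool(gaps) and min(gaps) >= slow_gap_seconds,
            "success_after_failures": succeeded,
            "severity": "critical" if succeeded else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, 203.0.113.45 produces a single critical finding (five failures across five usernames, 30 seconds apart, then a successful password login as deploy), while 198.51.100.7 (one typo followed by a key-based login) stays below threshold. In an investigation the critical case leads directly to the next steps the questions point at: treat deploy as compromised, pull that session's activity from the host, and block or monitor the source.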

33

A company wants to test the effectiveness of its security controls without causing disruption. Which type of assessment is most appropriate?

34

During an internal audit, an organization discovers that a critical application has not been patched for six months. The application is business-critical and cannot be taken offline during business hours. Which of the following is the best course of action?

35

An organization is conducting a security assessment of a new web application. Which testing technique would best identify cross-site scripting (XSS) vulnerabilities?

36

A security team is analyzing logs from multiple sources and notices anomalous outbound traffic to a known command-and-control server. What is the most likely conclusion?

37

A company's vulnerability management program requires that all critical vulnerabilities be remediated within 30 days. A critical vulnerability is discovered in a legacy system that cannot be patched because the vendor no longer supports it. Which of the following is the best compensating control?

38

Which of the following is the primary purpose of a security assessment?

39

An organization has implemented a new SIEM system. What is the most critical factor for its effectiveness?

40

During a penetration test, the tester gains access to a server and finds sensitive customer data. What should the tester do next?

41

Which TWO of the following are examples of types of security assessments?

42

Which THREE of the following are commonly used metrics for measuring the effectiveness of a vulnerability management program?

43

Which TWO of the following are best practices for conducting a penetration test?

44

Refer to the exhibit. Based on the exhibit, what does the sequence of requests indicate?

45

Refer to the exhibit. What is a potential security weakness in this policy?

46

Refer to the exhibit. Based on the exhibit, what is the most urgent remediation?

47

A security analyst is conducting a review of aggregated logs from firewalls, IDS, and servers to detect anomalous behavior. This activity is best described as:

48

During an internal security assessment, a tester uses a tool to attempt to crack password hashes extracted from a domain controller. Which phase of the penetration testing process does this represent?

49

A company's security team discovers that a critical web application has a SQL injection vulnerability. However, the team is unable to remediate it immediately due to a dependency on a third-party component. Which of the following is the BEST approach to manage the risk while awaiting a patch?

50

A security professional is tasked with testing the effectiveness of security controls in a production environment without causing disruption. Which type of assessment should be performed?

51

An organization wants to verify that its security policies are being followed by employees. Which testing method is most appropriate?

52

A security analyst notes that a recent penetration test successfully exploited a vulnerability in a legacy application that cannot be patched. The analyst recommends implementing network segmentation to limit the application's exposure. This recommendation is an example of:

53

Which of the following is the primary purpose of a security assessment?

54

During a web application security test, a tester attempts to inject JavaScript into a search field and observes that the script executes when the page is loaded. This indicates a vulnerability to:

55

A security team is evaluating the results of a penetration test. The test revealed that a low-privileged user could escalate privileges to domain administrator. This is a critical finding. Which of the following should be the immediate next step?

56

A company is conducting a security assessment of its network infrastructure. Which of the following activities are typically performed during a vulnerability assessment? (Select TWO.)

57

A security analyst is reviewing log data from various sources. Which of the following are essential for effective security logging in accordance with best practices? (Select THREE.)

58

A penetration tester is planning an engagement. Which of the following rules of engagement should be defined before testing begins? (Select TWO.)

59

Your organization is a medium-sized e-commerce company with a hybrid infrastructure: on-premises datacenter and AWS cloud. The security team recently conducted an internal vulnerability scan of the on-premises network and discovered multiple critical vulnerabilities in a legacy ERP system that cannot be patched because the vendor no longer supports it. The ERP system is essential for order processing and cannot be decommissioned. The team also ran a penetration test against the cloud environment and found that an attacker with network access could leverage misconfigured security groups to move laterally between instances. The company has a risk appetite that allows for limited risk acceptance with compensating controls. As the senior security analyst, what is the BEST course of action?

60

A security analyst is reviewing logs from a web application firewall (WAF) and notices multiple requests containing the payload "1=1--" in the query string. The analyst suspects a SQL injection attack. Which of the following is the BEST immediate action to validate the suspicion?

61

During a penetration test, a tester discovers that the target web application responds to HTTP requests with a "200 OK" status for both valid and invalid session tokens on a particular API endpoint. The application uses JSON Web Tokens (JWT) for authentication. Which of the following vulnerabilities is MOST likely present?
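The endpoint in question 61 returns 200 for any token, valid or not, which is the behaviour you get when a handler decodes a JWT's claims without verifying its signature. The example below is added here and is not part of the Courseiva question bank; it builds HS256 tokens with only the standard library (the secret and claims are constructed for illustration), shows the insecure decode-only pattern beside a verifier that checks the algorithm, the signature and expiry, and wraps the verifier in a tiny request handler so the 200-versus-401 difference is visible.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret, alg="HS256"):
    """Mint a JWT; alg='none' is supported only so the verifier can be shown rejecting it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        signature = ""
    else:
        signature = _b64url_encode(
            hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest())
    return f"{signing_input}.{signature}"


def insecure_decode(token):
    """The flaw behind question 61: reads the claims and never checks the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


class TokenError(Exception):
    pass


def verify_token(token, secret, now=None):
    """Return the claims only if alg is the expected HS256, the HMAC matches and exp is in the future."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pinning the algorithm server-side defeats alg=none and key/algorithm confusion.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired or missing exp")
    return claims


def handle_request(token, secret, now=None):
    """Model of the API endpoint: (HTTP status, subject)."""
    try:
        claims = verify_token(token, secret, now)
        return 200, claims.get("sub")
    except TokenError:
        return 401, None


# Constructed demo values (hypothetical secret; exp is a fixed epoch in 2033).
SECRET = "server-secret-for-example-only"
NOW = 1_700_000_000
VALID = make_token({"sub": "alice", "exp": 2_000_000_000}, SECRET)
FORGED = make_token({"sub": "admin", "exp": 2_000_000_000}, "attacker-guess")
UNSIGNED = make_token({"sub": "admin", "exp": 2_000_000_000}, SECRET, alg="none")
EXPIRED = make_token({"sub": "alice", "exp": 1_600_000_000}, SECRET)

if __name__ == "__main__":
    print("insecure decode trusts forged subject:", insecure_decode(FORGED)["sub"])
    for name, tok in [("valid", VALID), ("forged", FORGED), ("unsigned", UNSIGNED), ("expired", EXPIRED)]:
        print(name, handle_request(tok, SECRET, NOW))
```

The decode-only path happily reports the forged token's subject as admin, which is exactly what a tester sees when an endpoint answers 200 to garbage tokens. The verifier answers 401 to the forged, unsigned and expired tokens and 200 only to the genuine one; when testing a real endpoint, send those same four classes of token and compare the status codes.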

62

Which TWO of the following are common techniques used in dynamic application security testing (DAST)?

63

A security team is planning to conduct a social engineering test as part of an organization's security assessment. Which THREE of the following should be included in the test plan to ensure ethical and legal compliance?

64

A financial institution is conducting a vulnerability assessment of its internal network. The assessor runs a comprehensive scan and discovers that several Windows servers have missing security patches. The organization has a patch management policy that requires all critical patches to be applied within 30 days. The scan results show that some patches have been pending for 45 days. The assessor also finds that the servers are isolated in a separate VLAN with strict firewall rules limiting inbound traffic to only necessary ports. The business owner argues that because the servers are isolated, the risk is low and the patches can be delayed. As the security assessor, what should be the BEST course of action?

65

A healthcare organization recently experienced a data breach. The incident response team traced the breach to a compromised third-party vendor that had remote access to the organization's network. The vendor's credentials were stolen via a phishing attack. The organization's security policy requires that all third-party remote access be monitored and logged. During the investigation, it was discovered that the vendor's session traffic was not logged because the logging system was misconfigured. The security team needs to prevent similar incidents in the future. Which of the following is the MOST effective remediation?

66

An e-commerce company is preparing for a PCI DSS compliance assessment. The assessor needs to perform an external network vulnerability scan. The company has a public-facing web application that processes credit card payments. The scan must be conducted from an external IP address that is not whitelisted by the company's firewall. The security team is concerned that the scan might trigger intrusion detection alerts and cause operational disruptions. What is the BEST approach to handle this situation?

67

A global technology firm has implemented a continuous integration/continuous deployment (CI/CD) pipeline for its flagship software product. The security testing team is tasked with integrating security testing into the pipeline. The team has decided to use a static application security testing (SAST) tool and a software composition analysis (SCA) tool. They are currently running both tools every night against the entire codebase, but the developers complain that the reports are too long and often contain false positives. The team wants to improve the efficiency without sacrificing security coverage. Which of the following is the BEST strategy?

68

A security analyst runs a vulnerability scan and sees the output shown in the exhibit. The analyst wants to remediate the most critical issue first. Which action should the analyst take to address the SQL injection vulnerability?

69

An organization is planning a penetration test of its internal network. Which TWO of the following are essential elements to include in the test scope and rules of engagement?

70

A large e-commerce company operates a multi-tier application in a public cloud. The environment includes a web tier, application tier, and database tier. The security team recently deployed a host-based intrusion detection system (HIDS) on all servers. During a routine review, the HIDS alerts show repeated failed login attempts from a single external IP address to several web servers, but no successful logins from that IP. The team also notices that the database servers have been sending outbound traffic to an unknown IP address on port 443, which is unusual because the database servers typically communicate only with the application servers on port 3306 (MySQL). The application team confirms no changes were made recently. The CISO wants an immediate investigation. What should the security team do first?


Frequently asked questions

What does the Security Assessment and Testing domain cover on the CISSP exam?

In the ISC2 CISSP exam outline this is Domain 6. It covers designing and validating assessment, test and audit strategies (internal, external and third-party); conducting security control testing, including vulnerability assessment, penetration testing, log review, synthetic transactions, code review and testing, misuse case testing, test coverage analysis, interface testing and breach attack simulation; collecting security process data such as account management records, management reviews, key performance and risk indicators, backup verification, training and awareness data, and disaster recovery and business continuity results; analysing test output and reporting on it, including remediation and exception handling; and conducting or facilitating security audits. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains, with no account required.

How many Security Assessment and Testing questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 70 questions in the Security Assessment and Testing domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Assessment and Testing for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Assessment and Testing questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Security Assessment and Testing domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
