
CISSP Security Assessment and Testing • Complete Question Bank

CISSP Security Assessment and Testing — All Questions With Answers

Complete CISSP Security Assessment and Testing question bank — all 0 questions with answers and detailed explanations.

55 questions. Free, no signup.
Question 1 (easy, multiple choice)

A security analyst is asked to identify vulnerabilities in a web application without attempting to exploit them. Which type of assessment is being performed?

Question 2 (medium, multiple choice)

During a penetration test, the tester has obtained initial access and is now trying to move laterally to other systems. Which phase of the penetration testing process does this represent?

Question 3 (hard, multiple choice)

A company wants to ensure its internal web application is free from security flaws during development. Which testing approach analyzes source code without executing the program?

Question 4 (easy, multiple choice)

Which of the following is a key component of the rules of engagement for a penetration test?

Question 5 (medium, multiple choice)

A security auditor is assessing whether a company's controls comply with ISO 27001. What type of audit is being conducted?

Question 6 (medium, multiple choice)

Which vulnerability scoring system provides a standardized severity rating for vulnerabilities based on exploitability and impact metrics?

Question 7 (hard, multiple choice)

A company wants to measure the effectiveness of its vulnerability management program. Which metric would best indicate the organization's ability to respond quickly to critical vulnerabilities?

Question 8 (easy, multiple choice)

Which type of SOC report provides a public summary of an organization's controls over security, availability, and confidentiality?

Question 9 (medium, multiple choice)

An organization is required to retain security logs for a minimum of one year to meet compliance regulations. Which practice is most directly related to this requirement?

Question 10 (hard, multiple choice)

During a security audit, the auditor selects a sample of user access reviews to verify that access rights are properly managed. This type of testing is best described as:

Question 11 (medium, multiple choice)

Which type of scanning provides the most comprehensive view of an organization's vulnerabilities by allowing the scanner to log into systems and access detailed configuration information?

Question 12 (easy, multiple choice)

A company hires a third party to perform an assessment where the testers are given no prior knowledge of the internal network. This type of penetration test is known as:

Question 13 (medium, multi-select)

A security manager is planning a penetration test and needs to ensure proper rules of engagement are established. Which TWO of the following are essential components of the rules of engagement?

Question 14 (medium, multi-select)

An organization is selecting security metrics to report to the board. Which THREE metrics would best demonstrate the effectiveness of the vulnerability management program?

Question 15 (hard, multi-select)

A company is preparing for a PCI DSS assessment. Which TWO of the following are likely to be required as part of the assessment?

Question 16 (medium, multiple choice)

A security analyst is conducting a vulnerability scan of a web application. The scan identifies several vulnerabilities, but the analyst wants to minimize false positives. Which type of vulnerability scan would be most appropriate?

Question 17 (easy, multiple choice)

During a penetration test, the tester successfully exploits a vulnerability in a web server and gains initial access. The next step in the penetration testing process is to:

Question 18 (hard, multiple choice)

An organization wants to ensure that its web application is secure by analyzing the source code for vulnerabilities without executing the code. Which type of testing is most appropriate?

Question 19 (medium, multiple choice)

A company is preparing for an external audit to comply with PCI DSS. Which type of auditor is typically required to perform this assessment?

Question 20 (easy, multiple choice)

Which of the following is the primary purpose of a security audit?

Question 21 (medium, multiple choice)

A security manager is reviewing metrics and sees that the "mean time to remediate" for critical vulnerabilities has increased over the past quarter. This metric is an example of a:

Question 22 (hard, multiple choice)

After a penetration test, the tester provides a report that includes vulnerabilities found, exploitation details, and recommended fixes. Which step of the penetration testing process does this represent?

Question 23 (easy, multiple choice)

An organization wants to test its security controls by simulating an attack where the tester has no prior knowledge of the internal network. This is known as a:

Question 24 (medium, multiple choice)

A company is required to retain logs for regulatory compliance. Which factor primarily determines the log retention period?

Question 25 (hard, multiple choice)

During a SOC 2 audit, the auditor evaluates controls over a period of time to assess their operating effectiveness. Which type of SOC report is being performed?

Question 26 (medium, multiple choice)

A vulnerability scanner reports a vulnerability with a CVSS score of 9.8. What does this score indicate?

Question 27 (easy, multiple choice)

Which of the following is a key element of the rules of engagement for a penetration test?

Question 28 (hard, multi-select)

A security analyst is reviewing logs from multiple systems in a centralized log management platform. Which TWO of the following are primary benefits of centralized log management?

Question 29 (medium, multi-select)

A company is planning to conduct a penetration test. Which THREE of the following should be included in the rules of engagement?

Question 30 (medium, multi-select)

An organization wants to assess the security of its custom web application. Which TWO of the following are types of code review that can be used to identify vulnerabilities?

Question 31 (easy, multiple choice)

An organization wants to identify vulnerabilities in its network without attempting to exploit them. Which type of security assessment should it perform?

Question 32 (medium, multi-select)

During a penetration testing engagement, which TWO of the following are essential components of the rules of engagement document?

Question 33 (hard, multiple choice)

A security analyst is reviewing logs from multiple systems and needs to ensure that logs are tamper-proof and available for incident investigation. Which of the following is the BEST approach?

Question 34 (medium, multi-select)

Which TWO of the following are characteristics of a SOC 2 Type II report?

Question 35 (easy, multiple choice)

A company must comply with a regulation requiring a formal, independent assessment of its security controls against a standard. Which type of assessment is MOST appropriate?

Question 36 (medium, multiple choice)

A developer uses a tool that analyzes source code for potential security flaws without executing the program. This is an example of:

Question 37 (hard, multi-select)

Which THREE of the following are common key performance indicators (KPIs) used in security assessment and testing?

Question 38 (medium, multiple choice)

An organization is preparing for an ISO 27001 certification audit. The audit will be performed by an external body. This type of audit is classified as:

Question 39 (hard, multiple choice)

During a penetration test, the tester successfully gains access to a server and then attempts to move laterally to other systems. This phase is known as:

Question 40 (easy, multi-select)

Which TWO of the following are benefits of authenticated vulnerability scanning compared to unauthenticated scanning?

Question 41 (medium, multiple choice)

An organization wants to test its web application for vulnerabilities by running the application and probing it with malicious inputs. Which tool is BEST suited for this purpose?

Question 42 (hard, multiple choice)

A company's security team uses a tool that instruments the application at runtime to monitor and block attacks. This is an example of:

Question 43 (easy, multiple choice)

Which vulnerability scoring system is commonly used to assess the severity of vulnerabilities?

Question 44 (medium, multiple choice)

An organization requires a security assessment that evaluates controls against a specific standard and results in a formal report. The organization is not required to exploit vulnerabilities. Which type of assessment is this?

Question 45 (hard, multi-select)

Which THREE of the following are valid types of penetration testing based on the level of knowledge provided to the tester?

Question 46 (medium, multiple choice)

A security analyst is tasked with identifying vulnerabilities in a network without exploiting them. Which type of assessment is most appropriate?

Question 47 (hard, multiple choice)

During a penetration test, the tester gains initial access to a server and then attempts to pivot to other systems. Which phase of the penetration testing process does this represent?

Question 48 (easy, multiple choice)

Which of the following is a key component of the rules of engagement for a penetration test?

Question 49 (medium, multiple choice)

A security team is reviewing application security and needs to analyze source code without executing the application. Which technique should they use?

Question 50 (hard, multiple choice)

Which type of SOC report provides a public summary of controls related to security, availability, confidentiality, integrity, and privacy, but does not include detailed testing results?

Question 51 (medium, multi-select)

A security analyst is setting up a vulnerability scanning program. Which TWO of the following are best practices for determining scanning frequency?

Question 52 (medium, multi-select)

An organization is planning an external audit for SOC 2 Type II compliance. Which TWO of the following are true about this type of audit?

Question 53 (easy, multi-select)

Which TWO of the following are examples of security metrics that can be used as key performance indicators (KPIs)?

Question 54 (hard, multi-select)

A security team is selecting tools for code review. Which THREE of the following are characteristics of Static Application Security Testing (SAST) tools?

Question 55 (hard, multi-select)

An organization is reviewing its log management practices. Which THREE of the following are key considerations for effective log review?
