© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CISSP Security Assessment and Testing • Complete Question Bank

CISSP Security Assessment and Testing — All Questions With Answers

Complete CISSP Security Assessment and Testing question bank — all 0 questions with answers and detailed explanations.

70 questions
Question 1 (medium, multiple choice)

A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?

Question 2 (hard, multiple choice)

A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?

Question 3 (easy, multiple choice)

A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?

Question 4 (medium, multiple choice)

A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?

Question 5 (hard, multiple choice)

A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?

Question 6 (easy, multiple choice)

A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?

Question 7 (medium, multiple choice)

A company has implemented a new web application firewall (WAF) and wants to test its effectiveness. Which of the following testing methods would provide the MOST accurate assessment?

Question 8 (medium, multi-select)

Which TWO of the following are key objectives of a security assessment? (Select exactly 2.)

Question 9 (hard, multi-select)

Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)

Question 10 (hard, multiple choice)

A security analyst receives the IDS alert shown in the exhibit. The analyst checks the web server logs and finds that the request returned a 200 OK status. Which of the following should the analyst do NEXT?

Exhibit

Refer to the exhibit.

```
[IDS Alert]
Timestamp: 2024-03-15 14:32:17
Signature: ET WEB_SERVER SQL Injection Attempt
Source IP: 192.168.1.105
Destination IP: 10.0.0.5
Destination Port: 80
Payload: GET /search.php?q=1' OR '1'='1' HTTP/1.1
```

Question 11 (easy, multiple choice)

A system administrator receives the vulnerability scan report snippet shown in the exhibit. Which of the following actions should the administrator take to remediate the vulnerability?

Exhibit

Refer to the exhibit.

```
[Vulnerability Scan Report - Snippet]
Host: 10.0.0.15
Port: 22/tcp
Service: SSH
Vulnerability: Weak SSH Cryptographic Algorithms
Severity: Medium
CVE: CVE-2016-0777
Fix: Disable weak ciphers (arcfour, blowfish-cbc) and enable strong ones (aes256-ctr, aes128-ctr)
```

Question 12 (medium, multiple choice)

A multinational corporation with a hybrid cloud infrastructure has recently experienced a series of security incidents involving unauthorized access to sensitive customer data. The incidents were traced to compromised credentials of privileged users. The company has implemented multi-factor authentication (MFA) for all privileged accounts, but the attacks persisted. A security assessment team is brought in to evaluate the environment. During the assessment, they discover that some privileged accounts do not require MFA when accessing systems via API calls, and that session tokens for these APIs have a long expiration time of 24 hours. Additionally, the team finds that the logging and monitoring system does not capture API calls from privileged accounts, making it difficult to detect anomalous behavior. The company wants to remediate these issues effectively. Which of the following is the BEST course of action to address the root cause of the incidents?

Question 13 (medium, drag order)

Drag and drop the steps of the incident response process in the correct order.

Question 14 (medium, drag order)

Drag and drop the steps for a secure password change procedure in the correct order.

Question 15 (medium, matching)

Match each cryptographic algorithm to its type.

Matches:

- Symmetric block cipher
- Asymmetric (public-key) cipher
- Hash function
- Keyed-hash message authentication code
- Elliptic curve digital signature algorithm

Question 16 (medium, matching)

Match each security assessment type to its description.

Matches:

- Automated check for known vulnerabilities
- Simulated attack to exploit vulnerabilities
- Systematic evaluation of compliance with policies
- Identification and analysis of risks

Question 17 (easy, multiple choice)

A security analyst is tasked with identifying vulnerabilities in a web application that is still in development. The application code is not yet stable, and frequent changes are expected. Which testing approach would be most appropriate to identify vulnerabilities without hindering the development process?

Question 18 (medium, multiple choice)

A vulnerability scan report shows that a web server has a critical vulnerability with a CVSS score of 9.8. However, the server is behind a WAF that blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. What should the security manager do first?

Question 19 (hard, multiple choice)

During a security audit of a financial application, the auditor discovers that the application uses a custom encryption algorithm for storing sensitive data. The developer claims it is more efficient than AES. What should the auditor recommend?

Question 20 (easy, multiple choice)

A security analyst reviews system logs and notices multiple failed SSH login attempts from a single IP address over the past hour. The attempts are spaced 30 seconds apart and target different usernames. Which type of attack is most likely occurring?

Question 21 (medium, multiple choice)

An organization is planning a penetration test of its internal network. The test team has been given network diagrams, source code access, and administrative credentials. This type of testing is known as:

Question 22 (hard, multiple choice)

A company's compliance officer wants to ensure that the organization's security controls meet regulatory requirements for data protection. The officer requests a review of the controls against the regulation's specific clauses. Which type of assessment is most appropriate?

Question 23 (easy, multiple choice)

A security tester needs to test a new application for vulnerabilities but is concerned about contaminating the production database with test data. What is the best practice for conducting such tests?

Question 24 (medium, multiple choice)

A vulnerability scanner reports a medium-severity finding on a web server. After investigating, the system administrator claims the finding is a false positive because the service in question is not actually running. Which step should the security analyst take next?

Question 25 (hard, multiple choice)

A red team exercise is planned to simulate a sophisticated adversary. The blue team is aware of the exercise but not the exact methods. The red team is given a budget to acquire attack tools. What is the primary advantage of this approach over a traditional penetration test?

Question 26 (medium, multi-select)

A security analyst is reviewing the findings from a vulnerability scan of a web application. Which TWO actions are most appropriate to prioritize remediation?

Question 27 (hard, multi-select)

An organization is implementing a security information and event management (SIEM) system. Which THREE factors are most critical for the SIEM to provide actionable security insights?

Question 28 (easy, multi-select)

During a security assessment, an organization wants to ensure that its web application is resistant to common attacks. Which THREE testing types should be included?

Question 29 (medium, multiple choice)

Based on the vulnerability scan exhibit, which vulnerability should be remediated first?

Exhibit

Refer to the exhibit.

```
Vulnerability Scan Report (excerpt):

Host: 192.168.1.100
Port: 443 (https)
Vulnerability ID: 12345
Plugin: OpenSSL Heartbleed Detection
Output: Vulnerable to Heartbleed (CVE-2014-0160)

Host: 192.168.1.100
Port: 22 (ssh)
Vulnerability ID: 67890
Plugin: SSH Weak MAC Algorithms
Output: Server supports weak MAC algorithms (hmac-md5, hmac-sha1-96)

Host: 192.168.1.100
Port: 25 (smtp)
Vulnerability ID: 11111
Plugin: SMTP Open Relay
Output: Server is an open relay.
```

Question 30 (hard, multiple choice)

An auditor is reviewing the JSON policy exhibit. What is the most likely security issue with this policy?

Exhibit

Refer to the exhibit.

```json
{
  "policyName": "DataAccessPolicy",
  "rules": [
    {
      "effect": "Allow",
      "action": "read",
      "resource": "customers",
      "condition": {
        "ipAddress": {
          "cidr": "10.0.0.0/8"
        }
      }
    },
    {
      "effect": "Deny",
      "action": "write",
      "resource": "*"
    },
    {
      "effect": "Allow",
      "action": "*",
      "resource": "public_data"
    }
  ]
}
```

Question 31 (easy, multiple choice)

A security analyst reviews the syslog configuration exhibit. What is the primary security concern with this configuration?

Exhibit

Refer to the exhibit.

```
# Syslog configuration snippet
local7.* @10.0.0.2:514
mail.* ~/var/log/maillog
*.info;mail.none;authpriv.none /var/log/messages
```

Question 32 (easy, multiple choice)

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address followed by a successful login. What should the analyst do next?

Question 33 (medium, multiple choice)

A company wants to test the effectiveness of its security controls without causing disruption. Which type of assessment is most appropriate?

Question 34 (hard, multiple choice)

During an internal audit, an organization discovers that a critical application has not been patched for six months. The application is business-critical and cannot be taken offline during business hours. Which of the following is the best course of action?

Question 35 (easy, multiple choice)

An organization is conducting a security assessment of a new web application. Which testing technique would best identify cross-site scripting (XSS) vulnerabilities?

Question 36 (medium, multiple choice)

A security team is analyzing logs from multiple sources and notices anomalous outbound traffic to a known command-and-control server. What is the most likely conclusion?

Question 37 (hard, multiple choice)

A company's vulnerability management program requires that all critical vulnerabilities be remediated within 30 days. A critical vulnerability is discovered in a legacy system that cannot be patched because the vendor no longer supports it. Which of the following is the best compensating control?

Question 38 (easy, multiple choice)

Which of the following is the primary purpose of a security assessment?

Question 39 (medium, multiple choice)

An organization has implemented a new SIEM system. What is the most critical factor for its effectiveness?

Question 40 (hard, multiple choice)

During a penetration test, the tester gains access to a server and finds sensitive customer data. What should the tester do next?

Question 41 (medium, multi-select)

Which TWO of the following are examples of types of security assessments?

Question 42 (hard, multi-select)

Which THREE of the following are commonly used metrics for measuring the effectiveness of a vulnerability management program?

Question 43 (easy, multi-select)

Which TWO of the following are best practices for conducting a penetration test?

Question 44 (medium, multiple choice)

Refer to the exhibit. Based on the exhibit, what does the sequence of requests indicate?

Exhibit

```
192.168.1.10 - - [01/Jan/2023:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 1234
192.168.1.10 - - [01/Jan/2023:10:15:31 +0000] "POST /login.php HTTP/1.1" 302 -
192.168.1.10 - - [01/Jan/2023:10:15:32 +0000] "GET /admin/dashboard HTTP/1.1" 401 -
192.168.1.10 - - [01/Jan/2023:10:15:33 +0000] "GET /admin/dashboard HTTP/1.1" 200 5678
```

Question 45 (hard, multiple choice)

Refer to the exhibit. What is a potential security weakness in this policy?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```

Question 46 (easy, multiple choice)

Refer to the exhibit. Based on the exhibit, what is the most urgent remediation?

Exhibit

```
CVE-2023-1234 - Apache HTTP Server 2.4.49 - Path Traversal
- Severity: Critical
- Exploit Available: Yes
- Plugin Output: The remote web server is running Apache HTTP Server version 2.4.49 which is vulnerable to a path traversal attack.
```

Question 47 (easy, multiple choice)

A security analyst is conducting a review of aggregated logs from firewalls, IDS, and servers to detect anomalous behavior. This activity is best described as:

Question 48 (medium, multiple choice)

During an internal security assessment, a tester uses a tool to attempt to crack password hashes extracted from a domain controller. Which phase of the penetration testing process does this represent?

Question 49 (hard, multiple choice)

A company's security team discovers that a critical web application has a SQL injection vulnerability. However, the team is unable to remediate it immediately due to a dependency on a third-party component. Which of the following is the BEST approach to manage the risk while awaiting a patch?

Question 50 (easy, multiple choice)

A security professional is tasked with testing the effectiveness of security controls in a production environment without causing disruption. Which type of assessment should be performed?

Question 51 (medium, multiple choice)

An organization wants to verify that its security policies are being followed by employees. Which testing method is most appropriate?

Question 52 (hard, multiple choice)

A security analyst notes that a recent penetration test successfully exploited a vulnerability in a legacy application that cannot be patched. The analyst recommends implementing network segmentation to limit the application's exposure. This recommendation is an example of:

Question 53 (easy, multiple choice)

Which of the following is the primary purpose of a security assessment?

Question 54 (medium, multiple choice)

During a web application security test, a tester attempts to inject JavaScript into a search field and observes that the script executes when the page is loaded. This indicates a vulnerability to:

Question 55 (hard, multiple choice)

A security team is evaluating the results of a penetration test. The test revealed that a low-privileged user could escalate privileges to domain administrator. This is a critical finding. Which of the following should be the immediate next step?

Question 56 (medium, multi-select)

A company is conducting a security assessment of its network infrastructure. Which of the following activities are typically performed during a vulnerability assessment? (Select TWO.)

Question 57 (hard, multi-select)

A security analyst is reviewing log data from various sources. Which of the following are essential for effective security logging in accordance with best practices? (Select THREE.)

Question 58 (easy, multi-select)

A penetration tester is planning an engagement. Which of the following rules of engagement should be defined before testing begins? (Select TWO.)

Question 59 (hard, multiple choice)

Your organization is a medium-sized e-commerce company with a hybrid infrastructure: on-premises datacenter and AWS cloud. The security team recently conducted an internal vulnerability scan of the on-premises network and discovered multiple critical vulnerabilities in a legacy ERP system that cannot be patched because the vendor no longer supports it. The ERP system is essential for order processing and cannot be decommissioned. The team also ran a penetration test against the cloud environment and found that an attacker with network access could leverage misconfigured security groups to move laterally between instances. The company has a risk appetite that allows for limited risk acceptance with compensating controls. As the senior security analyst, what is the BEST course of action?

Question 60 (medium, multiple choice)

A security analyst is reviewing logs from a web application firewall (WAF) and notices multiple requests containing the payload "1=1--" in the query string. The analyst suspects a SQL injection attack. Which of the following is the BEST immediate action to validate the suspicion?

Question 61 (hard, multiple choice)

During a penetration test, a tester discovers that the target web application responds to HTTP requests with a "200 OK" status for both valid and invalid session tokens on a particular API endpoint. The application uses JSON Web Tokens (JWT) for authentication. Which of the following vulnerabilities is MOST likely present?

Question 62 (easy, multi-select)

Which TWO of the following are common techniques used in dynamic application security testing (DAST)?

Question 63 (medium, multi-select)

A security team is planning to conduct a social engineering test as part of an organization's security assessment. Which THREE of the following should be included in the test plan to ensure ethical and legal compliance?

Question 64 (easy, multiple choice)

A financial institution is conducting a vulnerability assessment of its internal network. The assessor runs a comprehensive scan and discovers that several Windows servers have missing security patches. The organization has a patch management policy that requires all critical patches to be applied within 30 days. The scan results show that some patches have been pending for 45 days. The assessor also finds that the servers are isolated in a separate VLAN with strict firewall rules limiting inbound traffic to only necessary ports. The business owner argues that because the servers are isolated, the risk is low and the patches can be delayed. As the security assessor, what should be the BEST course of action?

Question 65 (medium, multiple choice)

A healthcare organization recently experienced a data breach. The incident response team traced the breach to a compromised third-party vendor that had remote access to the organization's network. The vendor's credentials were stolen via a phishing attack. The organization's security policy requires that all third-party remote access be monitored and logged. During the investigation, it was discovered that the vendor's session traffic was not logged because the logging system was misconfigured. The security team needs to prevent similar incidents in the future. Which of the following is the MOST effective remediation?

Question 66 (medium, multiple choice)

An e-commerce company is preparing for a PCI DSS compliance assessment. The assessor needs to perform an external network vulnerability scan. The company has a public-facing web application that processes credit card payments. The scan must be conducted from an external IP address that is not whitelisted by the company's firewall. The security team is concerned that the scan might trigger intrusion detection alerts and cause operational disruptions. What is the BEST approach to handle this situation?

Question 67 (hard, multiple choice)

A global technology firm has implemented a continuous integration/continuous deployment (CI/CD) pipeline for its flagship software product. The security testing team is tasked with integrating security testing into the pipeline. The team has decided to use a static application security testing (SAST) tool and a software composition analysis (SCA) tool. They are currently running both tools every night against the entire codebase, but the developers complain that the reports are too long and often contain false positives. The team wants to improve the efficiency without sacrificing security coverage. Which of the following is the BEST strategy?

Question 68 (medium, multiple choice)

A security analyst runs a vulnerability scan and sees the output shown in the exhibit. The analyst wants to remediate the most critical issue first. Which action should the analyst take to address the SQL injection vulnerability?

Exhibit

Refer to the exhibit.

```
Vulnerability Scan Report Excerpt:
[+] SQL Injection (SQLi) - Parameter 'id'
   URL: https://app.example.com/item?id=123
   Payload: 1' OR '1'='1
   Risk: Critical
   CVE: CVE-2023-XXXX
[+] Stored XSS - Parameter 'name'
   URL: https://app.example.com/profile
   Payload: <script>alert(1)</script>
   Risk: High
[+] Open Redirect - Parameter 'next'
   URL: https://app.example.com/login?next=
   Payload: https://evil.com
   Risk: Medium
```

Question 69 (easy, multi-select)

An organization is planning a penetration test of its internal network. Which TWO of the following are essential elements to include in the test scope and rules of engagement?

Question 70 (hard, multiple choice)

A large e-commerce company operates a multi-tier application in a public cloud. The environment includes a web tier, application tier, and database tier. The security team recently deployed a host-based intrusion detection system (HIDS) on all servers. During a routine review, the HIDS alerts show repeated failed login attempts from a single external IP address to several web servers, but no successful logins from that IP. The team also notices that the database servers have been sending outbound traffic to an unknown IP address on port 443, which is unusual because the database servers typically communicate only with the application servers on port 3306 (MySQL). The application team confirms no changes were made recently. The CISO wants an immediate investigation. What should the security team do first?
