© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

SSCP Risk Identification, Monitoring, and Analysis • Complete Question Bank

SSCP Risk Identification, Monitoring, and Analysis — All Questions With Answers

Complete SSCP Risk Identification, Monitoring, and Analysis question bank: all 74 questions with answers and detailed explanations. Free, no signup required.
Question 1 (medium, multiple choice)

A security analyst is reviewing logs and notices multiple failed login attempts for a user account, followed by a successful login from an unfamiliar IP address at 3:00 AM. Which type of risk is most directly indicated by this scenario?

Question 2 (easy, multiple choice)

In a qualitative risk analysis, a risk is assigned a probability of 'High' and an impact of 'Medium'. According to common probability/impact matrices, what is the overall risk rating?

Question 3 (hard, multiple choice)

An organization calculates the SLE for a server as $5,000 and the ARO as 0.2. What is the ALE?

Question 4 (medium, multiple choice)

During a vulnerability scan, a security analyst discovers that several workstations are missing critical security patches. The organization decides to implement a compensating control by restricting network access to these workstations until patches are applied. Which risk response strategy is being used?

Question 5 (easy, multiple choice)

Which type of IDS uses a baseline of normal behavior to detect anomalies?

Question 6 (medium, multiple choice)

A security team implements a SIEM solution to collect logs from firewalls, servers, and workstations. They create a correlation rule that triggers an alert when a single user logs in from more than three different geographic locations within one hour. This is an example of which detection method?

Question 7 (hard, multiple choice)

An organization uses User Behavior Analytics (UBA) to detect insider threats. Which of the following activities would most likely trigger an alert for a compromised account?

Question 8 (medium, multiple choice)

A vulnerability management program requires that critical vulnerabilities be remediated within 72 hours. A scanner identifies a critical vulnerability on a server, but after patching, the scanner still reports it as vulnerable. What is the most likely cause?

Question 9 (easy, multiple choice)

Which of the following is a vulnerability source explicitly based on publicly known flaws?

Question 10 (medium, multiple choice)

A company stores log files on a dedicated log server. To ensure log integrity, they implement a solution where logs are written to a WORM (Write Once, Read Many) device. Which property does this primarily protect?

Question 11 (hard, multiple choice)

After a security incident, the incident response team needs to analyze logs from multiple sources to reconstruct the timeline. The SIEM retains logs for 90 days, but the incident occurred 120 days ago. Which action should the organization have taken to ensure log availability?

Question 12 (medium, multiple choice)

An organization decides to implement CIS Benchmarks on all Windows servers. They choose Level 1 settings. What does Level 1 represent?

Question 13 (medium, multi select)

A security analyst is reviewing SIEM alerts and wants to identify potential data exfiltration. Which TWO of the following indicators are most relevant?

Question 14 (hard, multi select)

An organization is implementing a new vulnerability management program. The CISO wants to establish remediation SLAs based on risk severity. Which THREE of the following are commonly recommended SLAs?

Question 15 (easy, multi select)

A security manager is evaluating log sources for a SIEM implementation. Which THREE of the following are considered log types that should be included?

Question 16 (medium, multiple choice)

A security analyst is reviewing logs and notices multiple failed login attempts from a single IP address against an administrative account. The SIEM has not generated an alert. Which configuration change would best detect this scenario?

Question 17 (easy, multiple choice)

During a qualitative risk analysis, an organization rates the likelihood of a flood as 'Low' and the impact as 'High'. Using a standard 3x3 risk matrix, what is the overall risk rating?

Question 18 (hard, multiple choice)

An organization is calculating the Annualized Loss Expectancy (ALE) for a server. The Asset Value (AV) is $50,000, the Exposure Factor (EF) is 40%, and the Annualized Rate of Occurrence (ARO) is 0.5. What is the Single Loss Expectancy (SLE) and ALE?

Question 19 (medium, multiple choice)

A company has implemented a new vulnerability scanner and the first scan reports 200 vulnerabilities. The security team needs to prioritize remediation. Which approach should they use first?

Question 20 (easy, multiple choice)

Which of the following is a technical threat source that could lead to a security breach?

Question 21 (medium, multiple choice)

A security analyst is tuning a SIEM to reduce false positives. Which of the following actions is most likely to reduce false positives while maintaining detection of real threats?

Question 22 (hard, multiple choice)

During a vulnerability scan, a tool reports a critical vulnerability on a web server. The system owner claims it is a false positive because the server is not accessible from the internet. However, the server is accessible from the internal network. What is the best course of action?

Question 23 (medium, multiple choice)

A company wants to implement a security baseline for its Windows servers. Which of the following frameworks is most commonly used for this purpose?

Question 24 (easy, multiple choice)

Which type of IDS monitors network traffic at a specific network segment and analyzes packets for malicious patterns?

Question 25 (medium, multiple choice)

An organization wants to detect insider threats by identifying abnormal user behavior. Which technology is best suited for this purpose?

Question 26 (hard, multiple choice)

A security manager needs to comply with PCI DSS requirement 11.2, which mandates quarterly vulnerability scans. The company uses an external Qualified Security Assessor (QSA) for the quarterly scans. However, the internal team also performs continuous scanning. Which of the following best describes the required scan frequency?

Question 27 (medium, multiple choice)

During a risk assessment, a company identifies that a legacy system cannot be patched due to vendor end-of-life. The system is critical to operations. Which risk response strategy is most appropriate initially?

Question 28 (medium, multi select)

A security analyst is reviewing logs for signs of data exfiltration. Which TWO log sources would provide the most relevant evidence? (Choose TWO.)

Question 29 (hard, multi select)

A company is implementing a new SIEM. Which THREE factors are most important to ensure log integrity and usefulness for forensic investigations? (Choose THREE.)

Question 30 (easy, multi select)

Which TWO of the following are examples of vulnerability sources? (Choose TWO.)

Question 31 (medium, multiple choice)

A security analyst is reviewing logs from a SIEM and notices multiple failed login attempts for a privileged account from an IP address in a foreign country, followed by a successful login after hours. Which type of security monitoring tool would be most effective at detecting this pattern as anomalous behavior based on user baseline?

Question 32 (medium, multiple choice)

During a qualitative risk analysis, an organization assesses a threat of a data breach due to weak encryption. The likelihood is rated as 'Medium' and the impact as 'High'. According to a standard 3x3 risk matrix, what is the overall risk rating?

Question 33 (hard, multiple choice)

An organization experiences a ransomware attack that encrypts file servers. The annualized loss expectancy (ALE) for this risk is calculated as $150,000. The single loss expectancy (SLE) is $30,000. What is the annualized rate of occurrence (ARO)?

Question 34 (easy, multiple choice)

A security team identifies a vulnerability in a web application that allows SQL injection. Which risk response strategy involves implementing input validation and parameterized queries to reduce the risk to an acceptable level?

Question 35 (medium, multiple choice)

After implementing security controls, a risk assessment shows that a residual risk of data exfiltration remains. Which document should formally record this residual risk and the decision to accept it?

Question 36 (medium, multiple choice)

A company's vulnerability scanner reports a critical vulnerability in a third-party library. The remediation SLA for critical vulnerabilities is 48 hours. However, the patch is not yet available from the vendor. Which of the following is the most appropriate immediate action?

Question 37 (hard, multiple choice)

A security analyst is configuring a SIEM to detect data exfiltration. Which of the following correlation rules would best identify potential data exfiltration via DNS tunneling?

Question 38 (medium, multiple choice)

A security engineer is reviewing system logs and notices that the log file size has not changed for several days, despite high system activity. Which log management concern does this indicate?

Question 39 (easy, multiple choice)

Which of the following is a primary purpose of implementing a security baseline such as the CIS Benchmarks?

Question 40 (medium, multiple choice)

A vulnerability scan identifies a critical flaw in a web server. The server is currently in production and cannot be patched immediately due to compatibility issues. The risk response chosen is to implement a web application firewall (WAF) rule to block exploitation attempts. This is an example of which risk response?

Question 41 (hard, multiple choice)

A security analyst is tuning a SIEM and needs to reduce false positives from a rule that alerts on failed logins. The rule currently triggers on any single failed login. Which modification would best reduce false positives while still detecting brute-force attacks?

Question 42 (easy, multiple choice)

Which type of IDS uses a database of known attack patterns to identify malicious activity?

Question 43 (medium, multiple choice)

A company's security policy requires that all logs be stored in a write-once, read-many (WORM) format. What is the primary security objective of this requirement?

Question 44 (medium, multiple choice)

An organization decides to outsource its data center operations to a cloud provider. The cloud provider is responsible for physical security and hardware maintenance. This is an example of which risk response strategy?

Question 45 (hard, multiple choice)

A vulnerability scanner reports a medium-severity finding on a server. After investigation, the security team determines that the vulnerability is not exploitable due to existing compensating controls. How should this finding be classified in the vulnerability management process?

Question 46 (medium, multi select)

A security analyst is configuring a SIEM to detect potential insider threats. Which TWO of the following data sources would be most relevant for detecting an employee exfiltrating sensitive data via email?

Question 47 (medium, multi select)

During a risk assessment, a bank identifies the following threats: flood, phishing attack, hardware failure, and power outage. Which TWO of these are considered environmental threat sources?

Question 48 (hard, multi select)

A security team is implementing a vulnerability management program. According to industry best practices, which THREE of the following are essential components of a mature vulnerability management process?

Question 49 (medium, multiple choice)

During a qualitative risk analysis, an organization assigns a risk rating of 'High' for a specific threat. Which combination of factors most directly leads to this rating?

Question 50 (hard, multiple choice)

An organization's risk register lists a vulnerability with an annualized loss expectancy (ALE) of $50,000. The cost of implementing a mitigation control is $40,000 with an expected lifespan of 5 years. The control is expected to reduce the ALE by 80%. What is the net present value (NPV) of implementing this control over 5 years, assuming a discount rate of 5%? (Ignore residual risk for simplicity.)

Question 51 (medium, multiple choice)

A security analyst notices a large number of failed login attempts from a single IP address targeting multiple user accounts within a short time frame. Which type of detection method in a SIEM would most effectively identify this pattern?

Question 52 (easy, multiple choice)

Which of the following is a primary purpose of a security baseline, such as the CIS Benchmarks?

Question 53 (medium, multiple choice)

An organization is required to maintain audit logs for at least one year for compliance purposes. Which log management practice best ensures the integrity of these logs?

Question 54 (hard, multiple choice)

A vulnerability scan identifies a critical vulnerability with a CVSS score of 9.8. According to standard remediation SLAs, within what timeframe should this vulnerability typically be remediated?

Question 55 (medium, multiple choice)

Which of the following is a key advantage of using a behavior-based detection approach in a User and Entity Behavior Analytics (UEBA) system?

Question 56 (medium, multiple choice)

During a risk assessment, a team identifies that a legacy application cannot be patched due to vendor end-of-life. The business decides to continue using the application but implement compensating controls such as network segmentation and strict access controls. This risk response strategy is best classified as:

Question 57 (easy, multiple choice)

Which of the following is a common vulnerability source that would be documented in a risk register?

Question 58 (medium, multiple choice)

An organization uses a network-based intrusion detection system (NIDS). An analyst receives an alert for a known exploit signature. Which type of detection is the NIDS using?

Question 59 (hard, multiple choice)

A company is preparing for a PCI DSS assessment. According to PCI DSS requirements, how frequently must internal vulnerability scans be performed?

Question 60 (easy, multiple choice)

Which term describes the risk that remains after implementing risk mitigation controls?

Question 61 (medium, multi select)

Which TWO of the following are common techniques used in quantitative risk analysis?

Question 62 (hard, multi select)

A SIEM correlation rule triggers when an administrative account logs in after hours and subsequently performs a bulk export of a customer database. Which THREE threat types does this scenario most likely indicate?

Question 63 (medium, multi select)

Which TWO of the following are examples of technical threat sources that should be considered during risk identification?

Question 64 (medium, multiple choice)

An organization's web application experienced a data breach due to a SQL injection vulnerability. During the risk analysis phase, the security team calculated the SLE as $25,000 and the ARO as 0.5. What is the ALE?

Question 65 (medium, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address targeting a domain controller. The SIEM alerts after 10 failed attempts within 5 minutes. Which detection type is most likely used?

Question 66 (hard, multiple choice)

During a risk assessment, a company identifies that a legacy system has a known CVE with a CVSS score of 9.8. The system is critical but cannot be patched immediately. The management decides to implement strict network segmentation and monitor the system continuously. This risk response is best described as:

Question 67 (easy, multiple choice)

A security analyst is reviewing logs and notices that an application log shows an error message indicating 'unhandled exception' followed by a stack trace. This log is most likely categorized as which type?

Question 68 (easy, multiple choice)

A vulnerability scanner identifies a high-severity vulnerability in a web server that is exposed to the internet. According to common remediation SLAs, what is the typical timeframe to remediate a critical vulnerability?

Question 69 (medium, multiple choice)

After implementing a new IDS, the security team receives numerous alerts about legitimate traffic being flagged as malicious. This phenomenon is known as:

Question 70 (hard, multiple choice)

A company's security policy requires that all servers be hardened according to CIS Level 1 benchmarks. During an audit, it is discovered that a server has password complexity settings that exceed Level 1 requirements. Which of the following is the most appropriate action?

Question 71 (medium, multi select)

A security analyst is configuring a SIEM to detect potential data exfiltration. Which TWO log sources are most critical for detecting large outbound data transfers?

Question 72 (hard, multi select)

A security team is implementing User Behavior Analytics (UBA) to detect insider threats. Which THREE types of activities would most likely indicate a compromised account?

Question 73 (medium, multi select)

An organization is developing a risk register. Which TWO elements are essential for each risk entry?

Question 74 (medium, multi select)

A vulnerability management team is scanning a network. Which THREE factors should be considered to minimize false positives?
