Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSY0-701DomainsSecurity Architecture
SY0-70118% of examFree — No Signup

Security Architecture

Security Architecture on the SY0-701 exam covers how to design and implement secure networks, systems, and applications using principles like defense in depth, segmentation, and least privilege.

Exam weight18% of SY0-701
221questions

Start practicing

Security Architecture — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SY0-701 Domains

General Security ConceptsThreats, Vulnerabilities, and MitigationsSecurity ArchitectureSecurity OperationsSecurity Program Management and Oversight

Domain overview

About the Security Architecture domain

Security Architecture is the domain of the SY0-701 exam that focuses on how to design and implement secure networks, systems, and applications. Think of it as the blueprint for an organization's security posture—deciding where to place firewalls, how to segment a network, what encryption to use, and how to manage access controls. In plain English, it's about making sure that the right people have the right access to the right resources, while keeping bad actors out. For example, a security architect might design a multi-tier web application where the database server is isolated in a separate subnet, accessible only from the application server, and all communication is encrypted with TLS. This domain covers both the theory and practical implementation of such designs.

Why is this important for real-world IT and cloud work? Because every company, from startups to global enterprises, relies on secure architectures to protect sensitive data and maintain operations. A misconfigured cloud environment can lead to data breaches costing millions, as seen in incidents like the Capital One breach where a misconfigured web application firewall allowed access to S3 buckets. Understanding Security Architecture helps you prevent such disasters by applying principles like defense in depth, least privilege, and secure segmentation. In cloud environments (AWS, Azure, GCP), you need to know how to set up virtual private clouds, security groups, identity and access management (IAM) roles, and encryption keys. This domain is critical for roles like security analyst, network administrator, cloud engineer, and of course, security architect.

On the SY0-701 exam, Security Architecture tests your ability to apply security principles to design and implement secure systems. You'll be asked about secure network architectures (e.g., DMZ, VLANs, VPNs), secure system design (e.g., trusted computing base, hardware security modules), and secure application development (e.g., secure coding practices, application firewalls). The exam also covers cloud and virtualization security, including shared responsibility models, hypervisor security, and container security. You'll need to know how to select and configure security controls like firewalls, intrusion prevention systems, and data loss prevention solutions. Expect scenario-based questions where you must choose the best architecture to meet security requirements—for instance, which network segmentation strategy prevents lateral movement in case of a breach.

To study effectively, start by understanding the core principles: defense in depth, least privilege, separation of duties, and secure defaults. Then, map these to concrete technologies: VLANs for segmentation, VPNs for remote access, TLS for encryption, and IAM for access control. Use diagrams to visualize network architectures—draw a typical enterprise network with a DMZ, internal network, and management network. Practice with labs: set up a simple AWS VPC with public and private subnets, configure security groups, and test connectivity. Review common exam traps like confusing encryption in transit vs. at rest, or thinking that a firewall alone provides sufficient security. Focus on the CompTIA Security+ objectives for this domain, and use practice questions to identify weak areas. Remember, the exam is about applying concepts, not just memorizing definitions. Good luck!

Exam objectives

What Security Architecture tests on SY0-701

  1. 1

    Secure network architecture design (e.g., DMZ, VLANs, VPNs)

  2. 2

    Secure system design (e.g., trusted platform module, secure boot)

  3. 3

    Cloud and virtualization security (e.g., shared responsibility, hypervisor security)

  4. 4

    Secure application development (e.g., input validation, secure coding)

  5. 5

    Selection and configuration of security controls (e.g., firewalls, IDS/IPS, DLP)

  6. 6

    Identity and access management architecture (e.g., SSO, MFA, federation)

Watch out — common Security Architecture traps

  • !

    Confusing encryption in transit (TLS) with encryption at rest (AES-256)

  • !

    Thinking a firewall is sufficient to protect a network; forgetting defense in depth

  • !

    Assuming cloud security is entirely the provider's responsibility (shared responsibility model)

  • !

    Mixing up secure network segmentation (VLANs) with physical separation (air gaps)

Practice Security Architecture questions

10Q20Q30Q50Q

All SY0-701 Security Architecture questions (221)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

2

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

3

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

4

A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?

5

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

6

A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

7

A security architect at a retail company is deploying a new e-commerce platform that processes credit card payments. The architect needs to minimize the scope of the PCI DSS assessment. The platform consists of a web server, an application server, and a database server. The cardholder data (credit card numbers) will be processed and stored only on the database server. Which of the following network architecture designs would best reduce the PCI DSS scope?

8

A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?

9

A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?

10

A security architect is designing the wireless network for a new branch office. The branch will have two types of users: employees who need access to internal corporate resources, and guests who need internet-only access. The architect plans to use WPA3-Enterprise for the employee SSID and WPA3-SAE for the guest SSID. Which of the following additional configurations is MOST critical to prevent guests from accessing internal corporate resources?

11

A security operations center (SOC) analyst is overwhelmed by the volume of alerts. The management wants to implement a solution that can automatically respond to common threats, such as blocking an IP address or isolating a compromised endpoint, without requiring human intervention. Which of the following technologies best meets this requirement?

12

A company is implementing network segmentation to isolate the guest wireless network from the internal corporate network. Which of the following technologies is most appropriate to enforce this separation at Layer 2?

13

Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?

14

Based on the exhibit, which change should be made first to secure remote administration of the network device?

15

Administrators need to manage internal switches from home. Management traffic must be encrypted, MFA must be used, and no switch management interface should be exposed directly to the internet. Which design is best?

16

Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.

17

A manufacturing company is redesigning its plant network. PLCs must communicate with a SCADA server for telemetry, but neither the PLCs nor the SCADA server should be reachable from employee laptops or the internet. Which architecture best meets the requirement?

18

A supplier portal is browser-based and used by external partner companies. Each partner already has its own identity provider. The portal must trust assertions from those IdPs and avoid creating separate local passwords for each partner. Which integration is best?

19

A team hosts a confidential document repository on an IaaS virtual machine. The provider secures the datacenter, hardware, and hypervisor. The organization wants to control who can decrypt the files and be able to revoke that access without changing providers. Which control is best?

20

An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?

21

A manufacturer wants partner-company users to access a procurement portal using their own company identities. The manufacturer does not want to create local accounts for each partner user, but it still needs to control what those users can do in the portal. Which approach should be used?

22

A customer portal runs on a single application server behind a database cluster. Leadership wants the portal to keep working if that application server fails, but the budget is tight and the team wants the simplest design that can automatically fail over. What should they add?

23

A company is building a public web app with three tiers. Internet users should reach only the web tier, and the app tier should never be reachable from the internet. Which two network design choices support this goal? Select two.

24

A web application needs to be internet-facing. The web tier must accept public traffic, the application tier should be reachable only from the web tier, and the database must be reachable only from the application tier. Which design best supports this?

25

A customer portal must continue operating if one application server fails. The business wants a simple, cost-conscious design that improves availability. What is the best approach?

26

A company uses four cloud applications and wants employees to sign in once with corporate credentials. The applications should trust the company’s identity platform, and disabling a user in the directory should remove access everywhere without separate password resets. Which architecture should the team implement?

27

A web application must keep running if one application server fails. Management wants the simplest design that automatically switches traffic to a healthy server. Which two choices support that goal? Select two.

28

A company uses a SaaS email platform. The provider manages the servers and application code. Which two tasks remain the company's responsibility? Select two.

29

Based on the exhibit, what is the best security change to address the exposed management access on the cloud VM?

30

An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?

31

System administrators need to manage internal switches from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. What should be used?

32

An online retailer is redesigning a network for a public web app. Customers must reach only the web tier from the internet. The web tier must reach the application tier, and the application tier must reach the database tier. Which two design changes best support this zoning model? Select two.

33

Network engineers need to manage switches in a data center from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. Which approach is best?

34

A manufacturer wants partner-company users to access a procurement portal. The manufacturer does not want to create separate local accounts, and the partners want to authenticate their own users with existing corporate identities. Which two capabilities should be implemented? Select two.

35

An online ticketing system must survive a single server failure and continue operating after a primary site outage. The business wants the lowest-cost design that still improves availability. Which architecture is best?

36

A hospital is redesigning its wireless network. Guest devices must reach only the internet. Staff laptops need access to internal applications. Medical devices must communicate with a monitoring server but never with guest devices or the broader employee LAN. What design best meets these goals with the least operational complexity?

37

An organization is redesigning its office network. Guest Wi-Fi must reach the internet only, employee laptops need access to internal apps, and a payment-processing system must be separated from general user traffic but still reach one database server. Which design best meets these requirements?

38

Based on the exhibit, which architecture best meets the goal of keeping the order service running if one application server fails?

39

A manufacturer needs to grant a partner company access to a procurement portal. Partner users should authenticate with their own identity provider, and the manufacturer does not want to create local passwords for each partner employee. Which design best supports this?

40

A company wants guest laptops on Wi-Fi to reach the internet but not internal printers or servers. Which two changes best support this design? Select two.

41

An enterprise is moving from on-prem identity to a SaaS HR platform. Employees should sign in with corporate credentials, and terminated users must lose access quickly without manually creating or deleting SaaS passwords. Which solution best fits?

42

A company wants guest Wi-Fi to reach only the internet, employee laptops to reach internal apps, and payment servers to remain isolated from both. What is the best design approach?

43

A customer portal must keep operating if one application server fails and also remain available if an entire site goes offline. Management is willing to pay more for automatic failover and the shortest possible interruption. Which design is best?

44

A company runs a Linux virtual machine in an IaaS cloud service. The provider secures the physical datacenter and hypervisor. Which task remains the company's responsibility?

45

A customer portal must keep operating if one application server fails. Management wants the simplest and lowest-cost design that still improves availability. What should the team implement?

46

A SaaS vendor supports both browser access and a mobile app. The company wants employees to sign in with corporate credentials, avoid separate passwords for each app, and use token-based authentication that works well with modern APIs. Which integration should the architect choose?

47

Network engineers need to administer internal switches from home. The company wants encrypted management traffic, strong user verification, and no management ports exposed directly to the internet. Which approach is best?

48

A team deploys an e-commerce application on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. The company wants to reduce the chance that attackers exploit outdated software on the VM itself. Which responsibility remains with the company?

49

Based on the exhibit, which capability should be added so the SaaS app automatically creates, updates, and disables user accounts as directory changes occur?

50

An online retailer is moving its public web app, internal API, and database into separate zones. Public users must reach only the web tier. The web tier must contact the app tier, and only the app tier may query the database. Admins should manage all servers from a hardened jump host. Which design best meets these goals and minimizes lateral movement?

51

A team runs a confidential document repository on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. Which task remains the organization’s responsibility?

52

Sales staff use company laptops on public Wi-Fi and travel frequently. The company wants the disk contents unreadable if a laptop is stolen, even if the drive is removed and placed in another system. Which control is the best fit?

53

Company-owned tablets are used by field staff for both corporate email and approved personal apps. Security must isolate company data from personal data, allow remote wipe of only the corporate workspace, and block access if the device is rooted or encryption is disabled. Which approach best fits?

54

A company uses a SaaS CRM platform. The provider patches the application and underlying infrastructure. Which two responsibilities remain with the company? Select two.

55

Employees use a browser SaaS portal, a native mobile app, and an internal API. The company wants one corporate identity, reduced password reuse, and automated removal of access when HR terminates users. Which two solutions best meet the requirement? Select two.

56

A customer portal must keep serving users if one application server fails and also remain available if the primary site becomes unreachable. Management prefers automatic recovery over manual intervention. Which two design choices best satisfy the goal? Select two.

57

A team deploys a Linux virtual machine in IaaS and stores documents in a managed cloud object storage service. The provider secures datacenters, hardware, and the storage platform, but the organization still wants to reduce exposure. Which two tasks remain the organization's responsibility? Select two.

58

A development team deploys a Linux web server on an IaaS cloud VM. The cloud provider secures the datacenter, hardware, and hypervisor. Which control remains the organization's responsibility?

59

Based on the exhibit, which change best meets the requirement that guest devices can reach the internet but must not reach any internal subnets or printer VLANs?

60

Employees must sign in to several SaaS applications with corporate credentials, and terminated users should lose access quickly without manual changes in each app. Which solution best meets the requirement?

61

Employees use a browser-based SaaS portal, a native expense app, and an internal API. The company wants one corporate identity, API access without separate passwords, and automatic account removal when HR disables a user. Which solution best fits?

62

A company needs a public website that anyone on the internet can reach, but the application and database servers must stay off the internet. Where should the web server be placed?

63

A company uses a SaaS file-sharing platform for employee documents. Which action is the company's responsibility, not the provider's?

64

Employees must sign in to several cloud applications with their corporate account, and terminated users should lose access without separate password resets in each app. What is the best solution?

65

An access point connected to a switch suddenly lets guest Wi-Fi users reach an internal printer VLAN, but only on the new wiring closet. The AP uplink is configured as a trunk with dynamic negotiation enabled, native VLAN 1, and allowed VLANs 10, 20, and 30. Guest traffic should be VLAN 40 and must not transit to internal segments. Which change best fixes the issue?

66

A company stores customer documents in cloud object storage. The provider already offers encryption at rest and physical security. Which action most directly reduces the risk of unauthorized access to the stored files?

67

A company wants employees to sign in once with corporate credentials and access multiple SaaS apps without creating separate passwords for each service. Which two features best support this goal? Select two.

68

An HR system marks employees as hired, transferred, or terminated. The security team wants those changes to create, update, or disable accounts in multiple SaaS apps automatically after the user authenticates through the company identity provider. Which capability should be added?

69

Field staff use company-owned tablets that also run approved personal apps. Security wants corporate email and documents separated from personal data, with the ability to wipe only the work data if a device is lost. What is the best control?

70

Administrators must manage network switches from home. Requirements: encrypted management traffic, MFA for users, no management ports exposed to the Internet, and centralized logging of admin sessions. Which solution best meets the requirements?

71

A team stores sensitive archives on cloud block storage. The provider already encrypts disks at rest, but the company wants copies of the disks to remain unreadable even if a cloud administrator can snapshot and mount the volume. Which control is best?

72

Field technicians use company-owned tablets that also run approved personal apps. Security needs corporate email and documents isolated from personal data, selective wipe of only business content if a device is lost, and compliance checks before access is allowed. What should be deployed?

73

Company-owned tablets run both business apps and approved personal apps. Which two controls best keep company data separated and support selective wipe? Select two.

74

Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?

75

Based on the exhibit, which control should be enabled so corporate data stays separated from personal data on company-owned tablets?

76

A manufacturer wants to give partner-company users access to a procurement portal. The partner wants to authenticate its own users, and the manufacturer does not want to create separate local passwords for them. What is the best solution?

77

A network team must manage switches from home without exposing management ports to the internet. Which two controls best fit? Select two.

78

A team manages virtual machines in a public cloud and wants an audit trail of who created instances, changed security groups, and modified IAM settings. What should be enabled first?

79

Based on the exhibit, which network change best isolates finance workstations from general user PCs while still allowing printing and application access? VLAN table: - VLAN 20 Users: 10.20.20.0/24 - VLAN 30 Finance: 10.20.30.0/24 - VLAN 40 Printers: 10.20.40.0/24 - VLAN 50 Accounting App: 10.20.50.0/24 Current SVI routing policy: permit ip any any Management goal: Finance devices must not initiate traffic to User VLAN 20, but they must be able to print and access the accounting application.

80

An organization wants employees to sign in once and then access several SaaS applications without repeated logins. Which two technologies make this possible? Select two.

81

A regulated analytics workload is moving to a public cloud. The business wants the strongest practical tenant isolation without managing physical servers, and it also needs an audit trail for changes made to the cloud environment. Which two design choices best meet those requirements? Select two.

82

A help desk manager is hardening a fleet of Windows laptops. The goal is to prevent booting from untrusted external media and to ensure only approved software can run on the devices. Which two controls best address those goals? Select two.

83

A small enterprise is rebuilding its public customer portal. The web front end must be reachable from the internet, the application tier should never be directly exposed, and the database must remain private even if the web server is compromised. Which two design changes best meet those goals? Select two.

84

A laptop repeatedly starts with an unapproved bootloader, and the security team wants the firmware to refuse boot code that is not signed by a trusted key. Which feature should be used?

85

A small company is deploying a public web application with a front-end server, an API server, and a database. The web server must be reachable from the internet, the API must be reachable only from the web server, and the database must never be accessible from user subnets. Which design best meets the requirement?

86

A company wants employees to use one corporate login for multiple SaaS applications, require MFA when users sign in from unmanaged devices, and centralize account lifecycle management. Which design best meets these requirements?

87

A SaaS vendor hosts a customer relationship platform for multiple organizations. Your company wants to know which two responsibilities typically remain with the customer rather than the SaaS provider. Select two.

88

A team is moving a workload to infrastructure as a service (IaaS). Which two items are usually the customer's responsibility? Select two.

89

A company wants employees to sign in once to several SaaS apps, while the security team also wants to require extra verification when users sign in from unmanaged devices or unusual locations. Which two architecture changes best satisfy both requirements? Select two.

90

Based on the exhibit, which logging capability should be enabled first to create an audit trail for cloud administration changes? Exhibit: 2026-04-25 09:14:03 iam:AttachRolePolicy user=alice 2026-04-25 09:15:10 ec2:AuthorizeSecurityGroupIngress user=alice 2026-04-25 09:16:22 s3:PutBucketPolicy user=alice Requirement: Security wants to track management-plane API calls and configuration changes across cloud resources.

91

A team moved a Linux VM to IaaS. They need OS login events, process activity, and network flow metadata sent to one central platform for alerting. What is the best first step?

92

Based on the exhibit, which identity architecture change best addresses the repeated password resets and delayed offboarding across the company's SaaS applications? Exhibit: - SaaS A uses local user accounts - SaaS B uses local user accounts - SaaS C supports SAML and automated provisioning - Help desk reports 120 password reset tickets per month - Former employees can remain active in two apps for up to 24 hours after termination Management wants one sign-in and faster deprovisioning.

93

Match each cloud security concept to the best description.

94

Match each network segment to the best use in a small enterprise.

95

A branch office has users, finance workstations, and printers on the same LAN. Management wants finance devices isolated from general users while still allowing approved printing and internet access. Which two changes best meet this goal? Select two.

96

A branch office has users, finance workstations, printers, and IP phones on one flat network. The security team wants to reduce lateral movement if one user PC is compromised, but printers still need to receive print jobs from users. What is the best design change?

97

Based on the exhibit, which cloud deployment choice best satisfies the workload requirements? Exhibit: Workload requirements: - Processes regulated customer records - Should not share underlying compute with other tenants if avoidable - Team wants provider-managed hardware maintenance - Application will run in a public cloud Which deployment choice is the best fit?

98

A company wants visibility into who changed settings in its cloud account and what commands ran on a cloud VM. Which two log sources should the team enable first? Select two.

99

A company wants employees to sign in once to access several SaaS applications, but it also wants to require MFA only when users connect from unmanaged devices or outside the corporate network. Which architecture best supports this goal?

100

A small company is moving its public web app to a new network. The front-end server must be reachable from the internet, the application server should only accept traffic from the front end, and the database must never be reachable from the internet or user VLANs. Which design best meets these requirements with the least exposure?

101

After a merger, dozens of laptops arrive with inconsistent settings and a history of unsupported utilities installed by the previous owner. The security team wants to establish a known-good configuration, reduce future drift, and accelerate remediation of newly discovered vulnerabilities. Which three actions best support that goal? Select three.

102

An office wants finance workstations separated from general user PCs, but employees still need to print to a shared printer and access one accounting application. Which change best supports this?

103

Several company laptops were found to boot from a removable drive containing an untrusted pre-boot utility before the operating system loaded. The security team wants to prevent unsigned or tampered boot code from starting. Which control is the best fit?

104

A manager can access the HR portal normally from a managed laptop, but if they sign in from an unmanaged tablet, the system should require extra verification before granting access. Which control best fits?

105

Based on the exhibit, which change best reduces exposure for the public web application while keeping the backend tiers protected? The current design is: Internet -> Firewall -> DMZ VLAN 10: reverse proxy Private App VLAN 20: application server 10.10.20.20 Private DB VLAN 30: database server 10.10.30.30 User VLAN 40: internal workstations ACL summary: 1. permit tcp any -> 10.10.10.10 eq 443 2. permit tcp 10.10.10.10 -> 10.10.20.20 eq 8443 3. permit tcp 10.10.20.20 -> 10.10.30.30 eq 1433 4. deny ip any -> 10.10.30.30

106

An organization is redesigning access for its HR portal. HR staff need to update employee records, managers need to approve leave requests, and payroll staff need access to salary data, but no single user should receive all of those permissions by default. What is the best access model?

107

A small company is publishing an internal website to the internet. The security team wants the web server reachable from the internet while keeping the database and file share isolated from direct internet access. Which design is best?

108

A company wants to stop employees from running unauthorized tools downloaded from the internet on managed Windows laptops, but still allow approved internal apps and vendor-updated software. Which control is best?

109

A help desk team wants users to be unable to install unsanctioned browser extensions or freeware on corporate Windows laptops, while approved business apps still run. Which endpoint control is best?

110

Several corporate laptops occasionally boot from a removable drive containing an untrusted recovery tool before Windows loads. The security team wants to reduce the chance of pre-boot tampering and unauthorized boot media use. Which two controls are most effective? Select two.

111

A security team discovers that several laptops occasionally boot from a removable drive before Windows loads, allowing unapproved recovery tools to run. Management wants to prevent this with the least impact on normal users. Which control is the best fit?

112

A company uses several SaaS applications and wants employees to sign in once with a corporate account instead of maintaining separate passwords for each app. Which architecture is best?

113

A regulated analytics workload must run in the cloud with the strongest isolation from other customers, but the company does not want to manage its own physical server room. Which placement is most appropriate?

114

The help desk can patch endpoints only after testing on a few pilot systems because one legacy app sometimes breaks after updates. What patching approach is most secure and least disruptive?

115

A company moves a Linux server to infrastructure as a service (IaaS). Which task remains the customer's responsibility?

116

A small company is redesigning its network for a public web application. The web front end must be reachable from the internet, but the database should never be exposed directly to external or general user traffic. Which architecture is the best choice?

117

A company wants employees to use their normal login from managed devices but require extra verification when they sign in from an unmanaged laptop or a new location. Which two controls should the team use? Select two.

118

A regulated workload must run in the cloud with the strongest possible isolation from other tenants, and the company wants to avoid managing its own physical hardware. Which placement is the best fit?

119

An HR portal has three job functions: HR staff update employee records, managers approve leave requests, and payroll views salary data. The security team wants to prevent any one role from having all capabilities. Which access design is the best fit?

120

An HR portal has three groups: HR staff can edit employee records, managers can approve leave, and payroll can view salary data. No one should have all functions. Which access model should the engineer implement?

121

Match each traffic control to the best description.

122

A help desk team manages 300 Windows laptops. A legacy accounting app sometimes fails after updates, so the company wants to reduce patch risk while still preventing long-term exposure. Which patching strategy is the best balance?

123

A finance team deploys a regulated workload to a public cloud. They want operating system login events, process activity, and network flow metadata to be retained in one central place for detection and investigation. Which action best supports this requirement with the least operational overhead?

124

A company wants its laptop fleet to start from a known configuration before shipping to users and to reduce exposure to newly discovered vulnerabilities over time. Which two actions are best? Select two.

125

A regulated analytics workload must run in a public cloud with the strongest practical tenant isolation while avoiding management of physical servers. The workload should also remain off the public internet. Which two deployment choices best fit? Select two.

126

A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?

127

A company moved an internal application to a cloud virtual machine. The security team wants operating system login events, process activity, and network flow metadata to be available in the SIEM for investigations. Which action best supports that goal?

128

A company manages 300 laptops and wants to reduce risk from missed patches while avoiding a widespread outage if an update has compatibility issues. Which patching approach is the best choice?

129

Employees use several SaaS applications, and the security team wants one corporate login, MFA for unmanaged devices, and centralized account provisioning. Which architecture should be used?

130

A security team wants to reduce the chance that employees boot unmanaged tools from removable media and wants only approved software to run on laptops. Which two controls should they use? Select two.

131

A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?

132

A finance workflow currently lets one employee create a payment batch and approve it in the same session. Audit findings say the design increases fraud risk. Which two access architecture changes best reduce that risk while keeping the process functional? Select two.

133

A small company is deploying a public web application with a front-end server, an application server, and a database. Which two design choices best reduce exposure of the backend systems? Select two.

134

A development team is moving a regulated application to a cloud platform. The security architect wants the strongest practical separation from other customers without buying and operating physical servers. Which hosting option is most appropriate?

135

Based on the exhibit, which action best addresses both the unsanctioned software problem and the need for consistent endpoint configuration? Exhibit: Device group: Sales-Laptops Baseline check: - Approved browser: installed - Approved EDR: installed - Unapproved remote admin tool: detected on 14 endpoints - Local administrator rights: granted to all users in group - Patch compliance: 68% Management wants to prevent unauthorized software from running and keep future builds consistent.

136

Based on the exhibit, which hardening change best prevents a laptop from booting unapproved tools from external media? Exhibit: UEFI Setup - Secure Boot: Disabled - Boot order: USB, External NIC, Internal SSD - Firmware admin password: Not configured - BitLocker status: Enabled Incident note: A technician confirmed the laptop was started from a USB recovery stick that bypassed the normal corporate login workflow.

137

Based on the exhibit, which access design change best reduces fraud risk without stopping the payroll process? Exhibit: Payroll application roles: - HR-Editor: can update employee records - Payroll-Approver: can release payment batches - Audit-Reader: can view reports only Current assignment: User Lisa has both HR-Editor and Payroll-Approver because she "handles payroll end to end." Management wants to reduce the chance of one person creating and approving a fraudulent payment.

138

A finance portal lets one employee create a payment batch and approve it without review. Management wants to reduce fraud risk while keeping the workflow functional. Which two changes best achieve that goal? Select two.

139

After a server rebuild, an administrator notices that Remote Desktop, SMBv1, and Print Spooler are still enabled on a Windows file server even though the server only stores department documents. The security team also wants to know if future changes drift away from the approved build. What should be implemented?

140

After building a new file server, an administrator reviews the security baseline and notices that a remote desktop service is enabled even though no one uses it. What is the best hardening action?

141

A help desk team needs to reset passwords on servers during incidents, but they should not keep standing administrator rights all day. Which two controls best support this requirement? Select two.

142

Employees need to sign in once to the corporate portal and then access email and the HR app without entering credentials again. Which two technologies make this possible in a secure design? Select two.

143

A contractor signs in to a project portal that fronts several SaaS tools. Access must be granted only if all of the following are true: the user is assigned to the project, the device is managed, and the request occurs during the approved maintenance window. Which access model best supports this requirement?

144

A team is moving an application to a cloud provider. The cloud provider will secure the physical data center and core infrastructure, while the company must still secure its own application settings and user access. What concept does this describe?

145

Before applying a major patch to a virtual machine, the administrator wants a quick way to return the VM to its exact pre-change state if the patch fails. What should the administrator create?

146

A security team wants to know whether a workstation has drifted away from the approved hardened configuration after several months of changes. What should they use to compare the current state against the approved setup?

147

A development team runs multiple customer workloads in a shared Kubernetes cluster. Security wants to reduce the risk that one compromised container can read another team's data or deploy an altered image. Which three actions best improve the design? Select three.

148

A company wants guest laptops on Wi-Fi to reach the internet, but not internal file servers or printers. Which two changes best support that design? Select two.

149

A cloud support team is replacing separate logins for several internal apps. The new design must support one sign-in, reduce the chance that a stolen session remains valid too long, and let the identity team revoke access centrally after termination. Which three controls best fit? Select three.

150

A company runs payroll and HR application servers on the same VLAN because a redesign is not possible this quarter. Security wants to reduce lateral movement if one workload is compromised, but the team cannot renumber the environment or add new physical firewalls. Which control best fits the requirement?

151

A company is redesigning a customer portal. Internet users must reach only the web tier, the web tier must talk to the application tier, and the application tier must talk to the database tier. The security team also wants to reduce lateral movement if one server is compromised. Which three changes best meet these goals? Select three.

152

A company is redesigning how systems are separated in its office and data center network. Match each network design element to the scenario it best supports. Use each term once.

153

Employees use one corporate login to sign in to email, the ticketing portal, and the HR application. After signing in once, the other apps accept the same identity without separate passwords. What capability is this?

154

After a server rebuild, a Windows administrator notices several unneeded services are still enabled, including Remote Registry and Print Spooler on a server that only hosts a database. What should the administrator do to reduce attack surface and keep the build consistent?

155

A Windows file server was rebuilt from a gold image, but later troubleshooting re-enabled Remote Desktop, SMBv1, and the Print Spooler. The security team wants to harden the host and catch the same configuration changes early in the future. Which three actions are the best fit? Select three.

156

A development team stores container images in a registry before deployment. Security wants to reduce the chance of shipping vulnerable libraries or packages inside the image. What should the team do before release?

157

A customer portal must keep serving requests if one application server stops responding. The team wants traffic to be sent to whichever healthy server is available. Which design should they implement?

158

A customer portal must stay online if an entire site fails, and the company must also be able to recover if data is corrupted or encrypted by ransomware. Which two design choices best satisfy both requirements? Select two.

159

Guest tablets in a conference room use the same physical switches as employee devices. The security team wants guests to have internet access only, with no route to internal subnets. Which design best meets the goal?

160

After a server rebuild, a Linux database host still has several unnecessary services enabled, including a graphical desktop, Telnet, and a printer service. The operations team wants a secure baseline that prevents the same drift from happening again after future maintenance. Which two actions best address the issue? Select two.

161

Employees sign in once to the company portal and then can access email, the ticketing system, and the HR site without logging in again. What is this called?

162

A web application must be reachable from the internet, but its database should be isolated from direct internet access. Which two placements or controls are most appropriate? Select two.

163

A Linux operations team has a standing need to restart services and edit protected configuration files on production servers, but administrators should not keep root privileges all day. Every elevation must be approved through a ticket and logged centrally. Which solution best meets this requirement?

164

An organization is placing its public-facing website behind a new security design. The site must be reachable from the internet, but the database and file servers must stay isolated from direct external access. What design should the architect use?

165

A help desk team wants guest Wi-Fi users to access only the internet and nothing on the internal corporate network. Which control should the network team implement at the wireless edge?

166

A company is redesigning a customer portal. Internet users must reach only the web tier, the application tier must be reachable only from the web tier, and the database must be reachable only from the application tier. Administrators should manage servers from a dedicated jump host. Which design best meets these requirements?

167

An HR assistant should be able to view employee records, but should not have access to payroll administration or IT server tools. Which access model is best for assigning permissions by job role?

168

A Windows file server was built from a gold image, but six months later a scan shows Remote Desktop enabled, SMBv1 re-enabled, and Print Spooler running. The same drift appears on several other servers after emergency troubleshooting. Security wants to return the environment to the approved baseline and prevent the changes from coming back. What is the best solution?

169

An HR department wants each employee to access only the systems required for their job. A new hire should receive the same permissions as other HR specialists, and changes to the role should update access centrally. Which access model should be used?

170

A system administrator is creating a secure baseline for a new Linux application server. Which two actions are appropriate hardening steps? Select two.

171

A legacy finance application cannot yet support multifactor authentication. The security team still wants administrators to use separate privileged accounts, receive elevated access only when a ticket is approved, and have those privileges removed automatically after the maintenance window ends. Which solution best fits?

172

A router interface connects the DMZ subnet 10.10.10.0/24 to the internal network. A web server at 10.10.10.25 must reach an application server at 10.10.20.20 on TCP 8443, and all other DMZ-to-internal traffic must be blocked. Which two ACL entries should be applied inbound on the DMZ-facing interface? Select two.

173

A customer-facing website must stay available if one of two application servers fails. Which design should the team implement?

174

A DevOps team stores container images in a registry before deployment. Which two practices reduce the chance of deploying a risky image? Select two.

175

A Linux server is being prepared for production as a database host. The build team notices that a graphical desktop environment, an unused FTP service, and an open mail submission port are present on the image, even though none of them are required. The organization wants future builds to be consistent and easy to verify. What is the best approach?

176

A company is placing its public web server so internet users can reach it, but the database server must stay hidden from the internet and be reachable only by the web server. Which design best supports this goal?

177

In a virtualized environment, several workloads share the same physical host and the same IP subnet. After one payroll VM is compromised, the security team wants to prevent that VM from freely scanning or reaching the other workloads on the host. Which control best addresses this lateral-movement risk?

178

A stateless firewall sits between a DMZ subnet 10.10.10.0/24 and an internal subnet 10.10.20.0/24. Only the web server at 10.10.10.25 should be allowed to initiate TCP sessions to the app server at 10.10.20.20 on port 8443. All other DMZ-to-internal traffic must remain blocked. Which ACL entry is the best fit on the DMZ-facing interface?

179

A security team wants to verify that a server has not drifted from its approved hardened configuration after several months of changes. Which two actions help most? Select two.

180

A contractor signs in to a project portal that integrates several SaaS apps. Access should be granted only while the user is on a managed device, assigned to the project, and using a fresh second factor. The business also wants the contractor to avoid separate logins to each app. Which three controls best fit this design? Select three.

181

A DevOps team builds container images in a CI/CD pipeline. Security wants to reduce the chance of deploying vulnerable libraries and also wants the cluster to reject images that have not been approved. Which approach best meets both requirements?

182

A customer portal runs from a primary data center. Management wants the secondary site to take over within minutes if the primary site loses power, and the secondary site should already have current systems and data ready to serve users. Which design best fits this requirement?

183

Employees sign in once to the corporate portal and then open email, the ticketing system, and an HR application without entering credentials again. The external SaaS providers should trust the company's identity provider rather than creating separate user databases. What architecture is being used?

184

A customer portal must stay online if one application server fails. Which two design choices improve availability? Select two.

185

An architect reviews a design where an internet-facing reverse proxy in a DMZ forwards HTTPS to a web application tier, and the web tier queries a database on a protected internal subnet. The current firewall plan allows the DMZ subnet to reach the database subnet on any TCP port, and the admins want to manage the proxy without exposing it to the user VLAN. Which two changes best improve the design? Select two.

186

Based on the exhibit, which change would best reduce the attack surface of the public web server while preserving remote administration from the internal network?

187

Based on the exhibit, which cloud service model best fits the application's operational and security requirements?

188

A company is publishing an internet-facing customer portal that must also query an internal database containing order history. Security wants to reduce the chance that a compromise of the portal exposes the database directly. Which design is the best choice?

189

Based on the exhibit, what is the best next control to prevent noncompliant mobile devices from accessing corporate email while still allowing IT to wipe company data from lost phones?

190

A company wants all corporate laptops to authenticate to Wi-Fi using device certificates instead of shared passwords. It also wants to deny network access to systems that do not meet the baseline requirement for disk encryption and current endpoint protection. Which approach best satisfies both goals?

191

Based on the exhibit, what is the best cloud identity control to ensure terminated users lose access to the SaaS application quickly and consistently?

192

A development team wants to deploy a new internal application without managing operating system patching, runtime updates, or automatic scaling. The security team still wants the company to control the application code and its data access settings. Which cloud service model best fits this need?

193

A payment processor stores full card numbers in its transaction database, but developers and analysts should never see the real numbers in nonproduction reports or troubleshooting tools. The business still needs to correlate the same card across multiple records. Which technique is the best fit?

194

Based on the exhibit, which data protection control best allows analysts to work with the records without exposing full card numbers?

195

A hospital has clinical workstations, badge readers, and building cameras all connected to the same switching infrastructure. After a workstation infection, the security team wants to prevent those endpoints from laterally reaching the badge readers while still allowing the cameras to report to a recording server. What should be implemented first?

196

An office is replacing WPA2-PSK. The new design must ensure only company-managed laptops can join the wireless network, and any device that falls out of compliance must be blocked or quarantined until remediated. Which two controls best meet the requirement? Select two.

197

An organization stores full payment card numbers, analysts need the last four digits for investigation, and the backup team is worried about ransomware and stolen backup media. Which three controls best address these requirements? Select three.

198

Based on the exhibit, which backup protection change best improves ransomware resilience and protects the backup media if it is stolen?

199

A company is evaluating a multi-tenant SaaS document platform. The security team wants to reduce the impact of another tenant’s breach and ensure employees who leave are removed from the app within minutes. Which two requirements should the team prioritize? Select two.

200

A company is concerned about ransomware and insider tampering with backups. It wants daily restore points, monthly archives, and protection if a backup drive is stolen from the storage room. Which backup design is the best answer?

201

A company uses a third-party expense application and wants employees to sign in with their corporate identity once, then automatically lose access in the expense app when they are terminated in the HR system. Which solution best meets both requirements?

202

Based on the exhibit, which wireless security change best addresses both unauthorized device access and the risk of a lost laptop connecting to corporate resources?

203

Based on the exhibit, which network redesign would best limit lateral movement between user endpoints and building systems after a workstation compromise?

204

Sales representatives use company-managed smartphones for email, CRM, and document access. If a phone is lost, IT must remove only the corporate apps and work data without erasing the employee's personal photos and contacts. Which control should be used?

205

A platform team runs production, staging, and developer containers on the same Kubernetes cluster. After a staging compromise, the team wants to reduce the chance of access to production secrets or lateral movement to other namespaces. Which two architecture changes are most effective? Select two.

206

A team is deploying a containerized API to a public cloud. The service must be reachable only by internal corporate applications, and secrets must not be embedded in images or readable as plaintext by administrators of the underlying host. Which two actions best fit the design? Select two.

207

A payment application must keep running if one application server fails, and the business can tolerate no more than 5 minutes of lost transactions and 30 minutes of downtime during a site outage. Which two controls best match the availability requirements? Select two.

208

A company is redesigning a three-tier customer portal. Internet users must reach only the web tier, the application tier must never be directly reachable from the internet, database traffic must flow only from the app tier, and administrators need a protected path to manage servers. Which two design choices best meet these requirements? Select two.

209

An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.

210

A company distributes update packages through a web portal. Users must verify the portal's identity over the network, and the downloaded packages must be trusted even if the web server is later compromised. Which two controls best satisfy these goals? Select two.

211

A virtualization host connects to an access switch through one Ethernet link. It must carry only VLAN 30 for production VMs and VLAN 40 for management VMs. A review finds the link currently accepts every VLAN, uses VLAN 1 as the native VLAN, and a guest VLAN can accidentally be added later. Which two changes best harden the design? Select two.

212

Match each design requirement to the best security architecture control. Use each control once.

213

A manufacturing floor uses barcode scanners and a kiosk terminal that cannot support full endpoint agents or frequent manual patching. USB storage has previously introduced malware, and the devices only need to run one approved application and reach a backend system. Which two controls best reduce risk while preserving function? Select two.

214

A security architect is designing a multi-tier web application that must meet strict compliance requirements for data confidentiality and integrity. Which three of the following security architecture principles should be applied? (Choose three.)

215

An organization is migrating its on-premises infrastructure to a hybrid cloud model. Which three of the following considerations are most important for maintaining a secure security architecture? (Choose three.)

216

A company is designing a secure industrial control system (ICS) network that must be isolated from the corporate IT network. Which three of the following architectural controls should be implemented? (Choose three.)

217

A security architect is evaluating a zero trust architecture (ZTA) for a remote workforce. Which three of the following components are essential to the implementation? (Choose three.)

218

Which four of the following are key principles of secure network architecture design that help enforce defense-in-depth? (Choose four.)

219

Which four of the following are essential considerations when designing a secure cloud architecture in a hybrid environment? (Choose four.)

220

Drag and drop the steps to implement a new firewall rule in an iptables-based Linux firewall into the correct order.

221

Drag and drop the steps for the TLS 1.3 handshake process into the correct order.

Practice all 221 Security Architecture questions

Other SY0-701 exam domains

General Security ConceptsThreats, Vulnerabilities, and MitigationsSecurity OperationsSecurity Program Management and Oversight

Frequently asked questions

What does the Security Architecture domain cover on the SY0-701 exam?

Security Architecture on the SY0-701 exam covers how to design and implement secure networks, systems, and applications using principles like defense in depth, segmentation, and least privilege.

How many Security Architecture questions are in the SY0-701 question bank?

The Courseiva SY0-701 question bank contains 221 questions in the Security Architecture domain, covering the 18% of the exam attributed to this domain in the official CompTIA blueprint. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Architecture for SY0-701?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Architecture questions for SY0-701?

Yes — the session launcher on this page draws questions exclusively from the Security Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SY0-701 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

N10-009CS0-003CAS-004AZ-500