Security Architecture on the SY0-701 exam covers how to design and implement secure networks, systems, and applications using principles like defense in depth, segmentation, and least privilege.
Domain overview
Security Architecture is the domain of the SY0-701 exam that focuses on how to design and implement secure networks, systems, and applications. Think of it as the blueprint for an organization's security posture—deciding where to place firewalls, how to segment a network, what encryption to use, and how to manage access controls. In plain English, it's about making sure that the right people have the right access to the right resources, while keeping bad actors out. For example, a security architect might design a multi-tier web application where the database server is isolated in a separate subnet, accessible only from the application server, and all communication is encrypted with TLS. This domain covers both the theory and practical implementation of such designs.
Why is this important for real-world IT and cloud work? Because every company, from startups to global enterprises, relies on secure architectures to protect sensitive data and maintain operations. A misconfigured cloud environment can lead to data breaches costing millions, as seen in incidents like the Capital One breach where a misconfigured web application firewall allowed access to S3 buckets. Understanding Security Architecture helps you prevent such disasters by applying principles like defense in depth, least privilege, and secure segmentation. In cloud environments (AWS, Azure, GCP), you need to know how to set up virtual private clouds, security groups, identity and access management (IAM) roles, and encryption keys. This domain is critical for roles like security analyst, network administrator, cloud engineer, and of course, security architect.
On the SY0-701 exam, Security Architecture tests your ability to apply security principles to design and implement secure systems. You'll be asked about secure network architectures (e.g., DMZ, VLANs, VPNs), secure system design (e.g., trusted computing base, hardware security modules), and secure application development (e.g., secure coding practices, application firewalls). The exam also covers cloud and virtualization security, including shared responsibility models, hypervisor security, and container security. You'll need to know how to select and configure security controls like firewalls, intrusion prevention systems, and data loss prevention solutions. Expect scenario-based questions where you must choose the best architecture to meet security requirements—for instance, which network segmentation strategy prevents lateral movement in case of a breach.
To study effectively, start by understanding the core principles: defense in depth, least privilege, separation of duties, and secure defaults. Then, map these to concrete technologies: VLANs for segmentation, VPNs for remote access, TLS for encryption, and IAM for access control. Use diagrams to visualize network architectures—draw a typical enterprise network with a DMZ, internal network, and management network. Practice with labs: set up a simple AWS VPC with public and private subnets, configure security groups, and test connectivity. Review common exam traps like confusing encryption in transit vs. at rest, or thinking that a firewall alone provides sufficient security. Focus on the CompTIA Security+ objectives for this domain, and use practice questions to identify weak areas. Remember, the exam is about applying concepts, not just memorizing definitions. Good luck!
Exam objectives
Secure network architecture design (e.g., DMZ, VLANs, VPNs)
Secure system design (e.g., trusted platform module, secure boot)
Cloud and virtualization security (e.g., shared responsibility, hypervisor security)
Secure application development (e.g., input validation, secure coding)
Selection and configuration of security controls (e.g., firewalls, IDS/IPS, DLP)
Identity and access management architecture (e.g., SSO, MFA, federation)
Common exam traps
Confusing encryption in transit (TLS) with encryption at rest (AES-256)
Thinking a firewall is sufficient to protect a network; forgetting defense in depth
Assuming cloud security is entirely the provider's responsibility (shared responsibility model)
Mixing up secure network segmentation (VLANs) with physical separation (air gaps)
1. A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?
2. A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?
3. A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?
4. A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?
5. A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?
6. A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?
7. A security architect at a retail company is deploying a new e-commerce platform that processes credit card payments. The architect needs to minimize the scope of the PCI DSS assessment. The platform consists of a web server, an application server, and a database server. The cardholder data (credit card numbers) will be processed and stored only on the database server. Which of the following network architecture designs would best reduce the PCI DSS scope?
8. A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?
9. A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?
10. A security architect is designing the wireless network for a new branch office. The branch will have two types of users: employees who need access to internal corporate resources, and guests who need internet-only access. The architect plans to use WPA3-Enterprise for the employee SSID and WPA3-SAE for the guest SSID. Which of the following additional configurations is MOST critical to prevent guests from accessing internal corporate resources?
11. A security operations center (SOC) analyst is overwhelmed by the volume of alerts. The management wants to implement a solution that can automatically respond to common threats, such as blocking an IP address or isolating a compromised endpoint, without requiring human intervention. Which of the following technologies best meets this requirement?
12. A company is implementing network segmentation to isolate the guest wireless network from the internal corporate network. Which of the following technologies is most appropriate to enforce this separation at Layer 2?
13. Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?
14. Based on the exhibit, which change should be made first to secure remote administration of the network device?
15. Administrators need to manage internal switches from home. Management traffic must be encrypted, MFA must be used, and no switch management interface should be exposed directly to the internet. Which design is best?
16. Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.
17. A manufacturing company is redesigning its plant network. PLCs must communicate with a SCADA server for telemetry, but neither the PLCs nor the SCADA server should be reachable from employee laptops or the internet. Which architecture best meets the requirement?
18. A supplier portal is browser-based and used by external partner companies. Each partner already has its own identity provider. The portal must trust assertions from those IdPs and avoid creating separate local passwords for each partner. Which integration is best?
19. A team hosts a confidential document repository on an IaaS virtual machine. The provider secures the datacenter, hardware, and hypervisor. The organization wants to control who can decrypt the files and be able to revoke that access without changing providers. Which control is best?
20. An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?
21. A manufacturer wants partner-company users to access a procurement portal using their own company identities. The manufacturer does not want to create local accounts for each partner user, but it still needs to control what those users can do in the portal. Which approach should be used?
22. A customer portal runs on a single application server behind a database cluster. Leadership wants the portal to keep working if that application server fails, but the budget is tight and the team wants the simplest design that can automatically fail over. What should they add?
23. A company is building a public web app with three tiers. Internet users should reach only the web tier, and the app tier should never be reachable from the internet. Which two network design choices support this goal? Select two.
24. A web application needs to be internet-facing. The web tier must accept public traffic, the application tier should be reachable only from the web tier, and the database must be reachable only from the application tier. Which design best supports this?
25. A customer portal must continue operating if one application server fails. The business wants a simple, cost-conscious design that improves availability. What is the best approach?
26. A company uses four cloud applications and wants employees to sign in once with corporate credentials. The applications should trust the company’s identity platform, and disabling a user in the directory should remove access everywhere without separate password resets. Which architecture should the team implement?
27. A web application must keep running if one application server fails. Management wants the simplest design that automatically switches traffic to a healthy server. Which two choices support that goal? Select two.
28. A company uses a SaaS email platform. The provider manages the servers and application code. Which two tasks remain the company's responsibility? Select two.
29. Based on the exhibit, what is the best security change to address the exposed management access on the cloud VM?
30. An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?
31. System administrators need to manage internal switches from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. What should be used?
32. An online retailer is redesigning a network for a public web app. Customers must reach only the web tier from the internet. The web tier must reach the application tier, and the application tier must reach the database tier. Which two design changes best support this zoning model? Select two.
33. Network engineers need to manage switches in a data center from home. The solution must encrypt management traffic, strongly authenticate users, and avoid exposing management ports directly to the internet. Which approach is best?
34. A manufacturer wants partner-company users to access a procurement portal. The manufacturer does not want to create separate local accounts, and the partners want to authenticate their own users with existing corporate identities. Which two capabilities should be implemented? Select two.
35. An online ticketing system must survive a single server failure and continue operating after a primary site outage. The business wants the lowest-cost design that still improves availability. Which architecture is best?
36. A hospital is redesigning its wireless network. Guest devices must reach only the internet. Staff laptops need access to internal applications. Medical devices must communicate with a monitoring server but never with guest devices or the broader employee LAN. What design best meets these goals with the least operational complexity?
37. An organization is redesigning its office network. Guest Wi-Fi must reach the internet only, employee laptops need access to internal apps, and a payment-processing system must be separated from general user traffic but still reach one database server. Which design best meets these requirements?
38. Based on the exhibit, which architecture best meets the goal of keeping the order service running if one application server fails?
39. A manufacturer needs to grant a partner company access to a procurement portal. Partner users should authenticate with their own identity provider, and the manufacturer does not want to create local passwords for each partner employee. Which design best supports this?
40. A company wants guest laptops on Wi-Fi to reach the internet but not internal printers or servers. Which two changes best support this design? Select two.
41. An enterprise is moving from on-prem identity to a SaaS HR platform. Employees should sign in with corporate credentials, and terminated users must lose access quickly without manually creating or deleting SaaS passwords. Which solution best fits?
42. A company wants guest Wi-Fi to reach only the internet, employee laptops to reach internal apps, and payment servers to remain isolated from both. What is the best design approach?
43. A customer portal must keep operating if one application server fails and also remain available if an entire site goes offline. Management is willing to pay more for automatic failover and the shortest possible interruption. Which design is best?
44. A company runs a Linux virtual machine in an IaaS cloud service. The provider secures the physical datacenter and hypervisor. Which task remains the company's responsibility?
45. A customer portal must keep operating if one application server fails. Management wants the simplest and lowest-cost design that still improves availability. What should the team implement?
46. A SaaS vendor supports both browser access and a mobile app. The company wants employees to sign in with corporate credentials, avoid separate passwords for each app, and use token-based authentication that works well with modern APIs. Which integration should the architect choose?
47. Network engineers need to administer internal switches from home. The company wants encrypted management traffic, strong user verification, and no management ports exposed directly to the internet. Which approach is best?
48. A team deploys an e-commerce application on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. The company wants to reduce the chance that attackers exploit outdated software on the VM itself. Which responsibility remains with the company?
49. Based on the exhibit, which capability should be added so the SaaS app automatically creates, updates, and disables user accounts as directory changes occur?
50. An online retailer is moving its public web app, internal API, and database into separate zones. Public users must reach only the web tier. The web tier must contact the app tier, and only the app tier may query the database. Admins should manage all servers from a hardened jump host. Which design best meets these goals and minimizes lateral movement?
51. A team runs a confidential document repository on an IaaS virtual machine. The cloud provider secures the datacenter, hardware, and hypervisor. Which task remains the organization’s responsibility?
52. Sales staff use company laptops on public Wi-Fi and travel frequently. The company wants the disk contents unreadable if a laptop is stolen, even if the drive is removed and placed in another system. Which control is the best fit?
53. Company-owned tablets are used by field staff for both corporate email and approved personal apps. Security must isolate company data from personal data, allow remote wipe of only the corporate workspace, and block access if the device is rooted or encryption is disabled. Which approach best fits?
54. A company uses a SaaS CRM platform. The provider patches the application and underlying infrastructure. Which two responsibilities remain with the company? Select two.
55. Employees use a browser SaaS portal, a native mobile app, and an internal API. The company wants one corporate identity, reduced password reuse, and automated removal of access when HR terminates users. Which two solutions best meet the requirement? Select two.
56. A customer portal must keep serving users if one application server fails and also remain available if the primary site becomes unreachable. Management prefers automatic recovery over manual intervention. Which two design choices best satisfy the goal? Select two.
57. A team deploys a Linux virtual machine in IaaS and stores documents in a managed cloud object storage service. The provider secures datacenters, hardware, and the storage platform, but the organization still wants to reduce exposure. Which two tasks remain the organization's responsibility? Select two.
58. A development team deploys a Linux web server on an IaaS cloud VM. The cloud provider secures the datacenter, hardware, and hypervisor. Which control remains the organization's responsibility?
59. Based on the exhibit, which change best meets the requirement that guest devices can reach the internet but must not reach any internal subnets or printer VLANs?
60. Employees must sign in to several SaaS applications with corporate credentials, and terminated users should lose access quickly without manual changes in each app. Which solution best meets the requirement?
61. Employees use a browser-based SaaS portal, a native expense app, and an internal API. The company wants one corporate identity, API access without separate passwords, and automatic account removal when HR disables a user. Which solution best fits?
62. A company needs a public website that anyone on the internet can reach, but the application and database servers must stay off the internet. Where should the web server be placed?
63. A company uses a SaaS file-sharing platform for employee documents. Which action is the company's responsibility, not the provider's?
64. Employees must sign in to several cloud applications with their corporate account, and terminated users should lose access without separate password resets in each app. What is the best solution?
65. An access point connected to a switch suddenly lets guest Wi-Fi users reach an internal printer VLAN, but only on the new wiring closet. The AP uplink is configured as a trunk with dynamic negotiation enabled, native VLAN 1, and allowed VLANs 10, 20, and 30. Guest traffic should be VLAN 40 and must not transit to internal segments. Which change best fixes the issue?
66. A company stores customer documents in cloud object storage. The provider already offers encryption at rest and physical security. Which action most directly reduces the risk of unauthorized access to the stored files?
67. A company wants employees to sign in once with corporate credentials and access multiple SaaS apps without creating separate passwords for each service. Which two features best support this goal? Select two.
68. An HR system marks employees as hired, transferred, or terminated. The security team wants those changes to create, update, or disable accounts in multiple SaaS apps automatically after the user authenticates through the company identity provider. Which capability should be added?
69. Field staff use company-owned tablets that also run approved personal apps. Security wants corporate email and documents separated from personal data, with the ability to wipe only the work data if a device is lost. What is the best control?
70. Administrators must manage network switches from home. Requirements: encrypted management traffic, MFA for users, no management ports exposed to the Internet, and centralized logging of admin sessions. Which solution best meets the requirements?
71. A team stores sensitive archives on cloud block storage. The provider already encrypts disks at rest, but the company wants copies of the disks to remain unreadable even if a cloud administrator can snapshot and mount the volume. Which control is best?
72. Field technicians use company-owned tablets that also run approved personal apps. Security needs corporate email and documents isolated from personal data, selective wipe of only business content if a device is lost, and compliance checks before access is allowed. What should be deployed?
73. Company-owned tablets run both business apps and approved personal apps. Which two controls best keep company data separated and support selective wipe? Select two.
74. Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?
75. Based on the exhibit, which control should be enabled so corporate data stays separated from personal data on company-owned tablets?
76. A manufacturer wants to give partner-company users access to a procurement portal. The partner wants to authenticate its own users, and the manufacturer does not want to create separate local passwords for them. What is the best solution?
77. A network team must manage switches from home without exposing management ports to the internet. Which two controls best fit? Select two.
78. A team manages virtual machines in a public cloud and wants an audit trail of who created instances, changed security groups, and modified IAM settings. What should be enabled first?
79Based on the exhibit, which network change best isolates finance workstations from general user PCs while still allowing printing and application access? VLAN table: - VLAN 20 Users: 10.20.20.0/24 - VLAN 30 Finance: 10.20.30.0/24 - VLAN 40 Printers: 10.20.40.0/24 - VLAN 50 Accounting App: 10.20.50.0/24 Current SVI routing policy: permit ip any any Management goal: Finance devices must not initiate traffic to User VLAN 20, but they must be able to print and access the accounting application.
80An organization wants employees to sign in once and then access several SaaS applications without repeated logins. Which two technologies make this possible? Select two.
81A regulated analytics workload is moving to a public cloud. The business wants the strongest practical tenant isolation without managing physical servers, and it also needs an audit trail for changes made to the cloud environment. Which two design choices best meet those requirements? Select two.
82A help desk manager is hardening a fleet of Windows laptops. The goal is to prevent booting from untrusted external media and to ensure only approved software can run on the devices. Which two controls best address those goals? Select two.
83A small enterprise is rebuilding its public customer portal. The web front end must be reachable from the internet, the application tier should never be directly exposed, and the database must remain private even if the web server is compromised. Which two design changes best meet those goals? Select two.
84A laptop repeatedly starts with an unapproved bootloader, and the security team wants the firmware to refuse boot code that is not signed by a trusted key. Which feature should be used?
85A small company is deploying a public web application with a front-end server, an API server, and a database. The web server must be reachable from the internet, the API must be reachable only from the web server, and the database must never be accessible from user subnets. Which design best meets the requirement?
86A company wants employees to use one corporate login for multiple SaaS applications, require MFA when users sign in from unmanaged devices, and centralize account lifecycle management. Which design best meets these requirements?
87A SaaS vendor hosts a customer relationship platform for multiple organizations. Your company wants to know which two responsibilities typically remain with the customer rather than the SaaS provider. Select two.
88A team is moving a workload to infrastructure as a service (IaaS). Which two items are usually the customer's responsibility? Select two.
89A company wants employees to sign in once to several SaaS apps, while the security team also wants to require extra verification when users sign in from unmanaged devices or unusual locations. Which two architecture changes best satisfy both requirements? Select two.
90Based on the exhibit, which logging capability should be enabled first to create an audit trail for cloud administration changes? Exhibit: 2026-04-25 09:14:03 iam:AttachRolePolicy user=alice 2026-04-25 09:15:10 ec2:AuthorizeSecurityGroupIngress user=alice 2026-04-25 09:16:22 s3:PutBucketPolicy user=alice Requirement: Security wants to track management-plane API calls and configuration changes across cloud resources.
91A team moved a Linux VM to IaaS. They need OS login events, process activity, and network flow metadata sent to one central platform for alerting. What is the best first step?
92Based on the exhibit, which identity architecture change best addresses the repeated password resets and delayed offboarding across the company's SaaS applications? Exhibit: - SaaS A uses local user accounts - SaaS B uses local user accounts - SaaS C supports SAML and automated provisioning - Help desk reports 120 password reset tickets per month - Former employees can remain active in two apps for up to 24 hours after termination Management wants one sign-in and faster deprovisioning.
93Match each cloud security concept to the best description.
94Match each network segment to the best use in a small enterprise.
95A branch office has users, finance workstations, and printers on the same LAN. Management wants finance devices isolated from general users while still allowing approved printing and internet access. Which two changes best meet this goal? Select two.
96A branch office has users, finance workstations, printers, and IP phones on one flat network. The security team wants to reduce lateral movement if one user PC is compromised, but printers still need to receive print jobs from users. What is the best design change?
97Based on the exhibit, which cloud deployment choice best satisfies the workload requirements? Exhibit: Workload requirements: - Processes regulated customer records - Should not share underlying compute with other tenants if avoidable - Team wants provider-managed hardware maintenance - Application will run in a public cloud Which deployment choice is the best fit?
98A company wants visibility into who changed settings in its cloud account and what commands ran on a cloud VM. Which two log sources should the team enable first? Select two.
99A company wants employees to sign in once to access several SaaS applications, but it also wants to require MFA only when users connect from unmanaged devices or outside the corporate network. Which architecture best supports this goal?
100A small company is moving its public web app to a new network. The front-end server must be reachable from the internet, the application server should only accept traffic from the front end, and the database must never be reachable from the internet or user VLANs. Which design best meets these requirements with the least exposure?
101After a merger, dozens of laptops arrive with inconsistent settings and a history of unsupported utilities installed by the previous owner. The security team wants to establish a known-good configuration, reduce future drift, and accelerate remediation of newly discovered vulnerabilities. Which three actions best support that goal? Select three.
102An office wants finance workstations separated from general user PCs, but employees still need to print to a shared printer and access one accounting application. Which change best supports this?
103Several company laptops were found to boot from a removable drive containing an untrusted pre-boot utility before the operating system loaded. The security team wants to prevent unsigned or tampered boot code from starting. Which control is the best fit?
104A manager can access the HR portal normally from a managed laptop, but if they sign in from an unmanaged tablet, the system should require extra verification before granting access. Which control best fits?
105. Based on the exhibit, which change best reduces exposure for the public web application while keeping the backend tiers protected?
  The current design is:
  Internet -> Firewall -> DMZ VLAN 10: reverse proxy
  Private App VLAN 20: application server 10.10.20.20
  Private DB VLAN 30: database server 10.10.30.30
  User VLAN 40: internal workstations
  ACL summary:
  1. permit tcp any -> 10.10.10.10 eq 443
  2. permit tcp 10.10.10.10 -> 10.10.20.20 eq 8443
  3. permit tcp 10.10.20.20 -> 10.10.30.30 eq 1433
  4. deny ip any -> 10.10.30.30
106. An organization is redesigning access for its HR portal. HR staff need to update employee records, managers need to approve leave requests, and payroll staff need access to salary data, but no single user should receive all of those permissions by default. What is the best access model?
107. A small company is publishing an internal website to the internet. The security team wants the web server reachable from the internet while keeping the database and file share isolated from direct internet access. Which design is best?
108. A company wants to stop employees from running unauthorized tools downloaded from the internet on managed Windows laptops, but still allow approved internal apps and vendor-updated software. Which control is best?
109. A help desk team wants users to be unable to install unsanctioned browser extensions or freeware on corporate Windows laptops, while approved business apps still run. Which endpoint control is best?
110. Several corporate laptops occasionally boot from a removable drive containing an untrusted recovery tool before Windows loads. The security team wants to reduce the chance of pre-boot tampering and unauthorized boot media use. Which two controls are most effective? Select two.
111. A security team discovers that several laptops occasionally boot from a removable drive before Windows loads, allowing unapproved recovery tools to run. Management wants to prevent this with the least impact on normal users. Which control is the best fit?
112. A company uses several SaaS applications and wants employees to sign in once with a corporate account instead of maintaining separate passwords for each app. Which architecture is best?
113. A regulated analytics workload must run in the cloud with the strongest isolation from other customers, but the company does not want to manage its own physical server room. Which placement is most appropriate?
114. The help desk can patch endpoints only after testing on a few pilot systems because one legacy app sometimes breaks after updates. What patching approach is most secure and least disruptive?
115. A company moves a Linux server to infrastructure as a service (IaaS). Which task remains the customer's responsibility?
116. A small company is redesigning its network for a public web application. The web front end must be reachable from the internet, but the database should never be exposed directly to external or general user traffic. Which architecture is the best choice?
117. A company wants employees to use their normal login from managed devices but require extra verification when they sign in from an unmanaged laptop or a new location. Which two controls should the team use? Select two.
118. A regulated workload must run in the cloud with the strongest possible isolation from other tenants, and the company wants to avoid managing its own physical hardware. Which placement is the best fit?
119. An HR portal has three job functions: HR staff update employee records, managers approve leave requests, and payroll views salary data. The security team wants to prevent any one role from having all capabilities. Which access design is the best fit?
120. An HR portal has three groups: HR staff can edit employee records, managers can approve leave, and payroll can view salary data. No one should have all functions. Which access model should the engineer implement?
121. Match each traffic control to the best description.
122. A help desk team manages 300 Windows laptops. A legacy accounting app sometimes fails after updates, so the company wants to reduce patch risk while still preventing long-term exposure. Which patching strategy is the best balance?
123. A finance team deploys a regulated workload to a public cloud. They want operating system login events, process activity, and network flow metadata to be retained in one central place for detection and investigation. Which action best supports this requirement with the least operational overhead?
124. A company wants its laptop fleet to start from a known configuration before shipping to users and to reduce exposure to newly discovered vulnerabilities over time. Which two actions are best? Select two.
125. A regulated analytics workload must run in a public cloud with the strongest practical tenant isolation while avoiding management of physical servers. The workload should also remain off the public internet. Which two deployment choices best fit? Select two.
126. A branch office uses a flat LAN, and a compromise on one user workstation could spread quickly to finance systems. Management wants finance workstations isolated from general users, but finance staff still need access to a central finance application and network printer. What is the best design change?
127. A company moved an internal application to a cloud virtual machine. The security team wants operating system login events, process activity, and network flow metadata to be available in the SIEM for investigations. Which action best supports that goal?
128. A company manages 300 laptops and wants to reduce risk from missed patches while avoiding a widespread outage if an update has compatibility issues. Which patching approach is the best choice?
129. Employees use several SaaS applications, and the security team wants one corporate login, MFA for unmanaged devices, and centralized account provisioning. Which architecture should be used?
130. A security team wants to reduce the chance that employees boot unmanaged tools from removable media and wants only approved software to run on laptops. Which two controls should they use? Select two.
131. A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?
132. A finance workflow currently lets one employee create a payment batch and approve it in the same session. Audit findings say the design increases fraud risk. Which two access architecture changes best reduce that risk while keeping the process functional? Select two.
133. A small company is deploying a public web application with a front-end server, an application server, and a database. Which two design choices best reduce exposure of the backend systems? Select two.
134. A development team is moving a regulated application to a cloud platform. The security architect wants the strongest practical separation from other customers without buying and operating physical servers. Which hosting option is most appropriate?
135. Based on the exhibit, which action best addresses both the unsanctioned software problem and the need for consistent endpoint configuration?
  Exhibit:
  Device group: Sales-Laptops
  Baseline check:
  - Approved browser: installed
  - Approved EDR: installed
  - Unapproved remote admin tool: detected on 14 endpoints
  - Local administrator rights: granted to all users in group
  - Patch compliance: 68%
  Management wants to prevent unauthorized software from running and keep future builds consistent.
136. Based on the exhibit, which hardening change best prevents a laptop from booting unapproved tools from external media?
  Exhibit:
  UEFI Setup
  - Secure Boot: Disabled
  - Boot order: USB, External NIC, Internal SSD
  - Firmware admin password: Not configured
  - BitLocker status: Enabled
  Incident note: A technician confirmed the laptop was started from a USB recovery stick that bypassed the normal corporate login workflow.
137. Based on the exhibit, which access design change best reduces fraud risk without stopping the payroll process?
  Exhibit:
  Payroll application roles:
  - HR-Editor: can update employee records
  - Payroll-Approver: can release payment batches
  - Audit-Reader: can view reports only
  Current assignment: User Lisa has both HR-Editor and Payroll-Approver because she "handles payroll end to end."
  Management wants to reduce the chance of one person creating and approving a fraudulent payment.
138. A finance portal lets one employee create a payment batch and approve it without review. Management wants to reduce fraud risk while keeping the workflow functional. Which two changes best achieve that goal? Select two.
139. After a server rebuild, an administrator notices that Remote Desktop, SMBv1, and Print Spooler are still enabled on a Windows file server even though the server only stores department documents. The security team also wants to know if future changes drift away from the approved build. What should be implemented?
140. After building a new file server, an administrator reviews the security baseline and notices that a remote desktop service is enabled even though no one uses it. What is the best hardening action?
141. A help desk team needs to reset passwords on servers during incidents, but they should not keep standing administrator rights all day. Which two controls best support this requirement? Select two.
142. Employees need to sign in once to the corporate portal and then access email and the HR app without entering credentials again. Which two technologies make this possible in a secure design? Select two.
143. A contractor signs in to a project portal that fronts several SaaS tools. Access must be granted only if all of the following are true: the user is assigned to the project, the device is managed, and the request occurs during the approved maintenance window. Which access model best supports this requirement?
144. A team is moving an application to a cloud provider. The cloud provider will secure the physical data center and core infrastructure, while the company must still secure its own application settings and user access. What concept does this describe?
145. Before applying a major patch to a virtual machine, the administrator wants a quick way to return the VM to its exact pre-change state if the patch fails. What should the administrator create?
146. A security team wants to know whether a workstation has drifted away from the approved hardened configuration after several months of changes. What should they use to compare the current state against the approved setup?
147. A development team runs multiple customer workloads in a shared Kubernetes cluster. Security wants to reduce the risk that one compromised container can read another team's data or deploy an altered image. Which three actions best improve the design? Select three.
148. A company wants guest laptops on Wi-Fi to reach the internet, but not internal file servers or printers. Which two changes best support that design? Select two.
149. A cloud support team is replacing separate logins for several internal apps. The new design must support one sign-in, reduce the chance that a stolen session remains valid too long, and let the identity team revoke access centrally after termination. Which three controls best fit? Select three.
150. A company runs payroll and HR application servers on the same VLAN because a redesign is not possible this quarter. Security wants to reduce lateral movement if one workload is compromised, but the team cannot renumber the environment or add new physical firewalls. Which control best fits the requirement?
151. A company is redesigning a customer portal. Internet users must reach only the web tier, the web tier must talk to the application tier, and the application tier must talk to the database tier. The security team also wants to reduce lateral movement if one server is compromised. Which three changes best meet these goals? Select three.
152. A company is redesigning how systems are separated in its office and data center network. Match each network design element to the scenario it best supports. Use each term once.
153. Employees use one corporate login to sign in to email, the ticketing portal, and the HR application. After signing in once, the other apps accept the same identity without separate passwords. What capability is this?
154. After a server rebuild, a Windows administrator notices several unneeded services are still enabled, including Remote Registry and Print Spooler on a server that only hosts a database. What should the administrator do to reduce attack surface and keep the build consistent?
155. A Windows file server was rebuilt from a gold image, but later troubleshooting re-enabled Remote Desktop, SMBv1, and the Print Spooler. The security team wants to harden the host and catch the same configuration changes early in the future. Which three actions are the best fit? Select three.
156. A development team stores container images in a registry before deployment. Security wants to reduce the chance of shipping vulnerable libraries or packages inside the image. What should the team do before release?
157. A customer portal must keep serving requests if one application server stops responding. The team wants traffic to be sent to whichever healthy server is available. Which design should they implement?
158. A customer portal must stay online if an entire site fails, and the company must also be able to recover if data is corrupted or encrypted by ransomware. Which two design choices best satisfy both requirements? Select two.
159. Guest tablets in a conference room use the same physical switches as employee devices. The security team wants guests to have internet access only, with no route to internal subnets. Which design best meets the goal?
160. After a server rebuild, a Linux database host still has several unnecessary services enabled, including a graphical desktop, Telnet, and a printer service. The operations team wants a secure baseline that prevents the same drift from happening again after future maintenance. Which two actions best address the issue? Select two.
161. Employees sign in once to the company portal and then can access email, the ticketing system, and the HR site without logging in again. What is this called?
162. A web application must be reachable from the internet, but its database should be isolated from direct internet access. Which two placements or controls are most appropriate? Select two.
163. A Linux operations team has a standing need to restart services and edit protected configuration files on production servers, but administrators should not keep root privileges all day. Every elevation must be approved through a ticket and logged centrally. Which solution best meets this requirement?
164. An organization is placing its public-facing website behind a new security design. The site must be reachable from the internet, but the database and file servers must stay isolated from direct external access. What design should the architect use?
165. A help desk team wants guest Wi-Fi users to access only the internet and nothing on the internal corporate network. Which control should the network team implement at the wireless edge?
166. A company is redesigning a customer portal. Internet users must reach only the web tier, the application tier must be reachable only from the web tier, and the database must be reachable only from the application tier. Administrators should manage servers from a dedicated jump host. Which design best meets these requirements?
167. An HR assistant should be able to view employee records, but should not have access to payroll administration or IT server tools. Which access model is best for assigning permissions by job role?
168. A Windows file server was built from a gold image, but six months later a scan shows Remote Desktop enabled, SMBv1 re-enabled, and Print Spooler running. The same drift appears on several other servers after emergency troubleshooting. Security wants to return the environment to the approved baseline and prevent the changes from coming back. What is the best solution?
169. An HR department wants each employee to access only the systems required for their job. A new hire should receive the same permissions as other HR specialists, and changes to the role should update access centrally. Which access model should be used?
170. A system administrator is creating a secure baseline for a new Linux application server. Which two actions are appropriate hardening steps? Select two.
171. A legacy finance application cannot yet support multifactor authentication. The security team still wants administrators to use separate privileged accounts, receive elevated access only when a ticket is approved, and have those privileges removed automatically after the maintenance window ends. Which solution best fits?
172. A router interface connects the DMZ subnet 10.10.10.0/24 to the internal network. A web server at 10.10.10.25 must reach an application server at 10.10.20.20 on TCP 8443, and all other DMZ-to-internal traffic must be blocked. Which two ACL entries should be applied inbound on the DMZ-facing interface? Select two.
173. A customer-facing website must stay available if one of two application servers fails. Which design should the team implement?
174. A DevOps team stores container images in a registry before deployment. Which two practices reduce the chance of deploying a risky image? Select two.
175. A Linux server is being prepared for production as a database host. The build team notices that a graphical desktop environment, an unused FTP service, and an open mail submission port are present on the image, even though none of them are required. The organization wants future builds to be consistent and easy to verify. What is the best approach?
176. A company is placing its public web server so internet users can reach it, but the database server must stay hidden from the internet and be reachable only by the web server. Which design best supports this goal?
177. In a virtualized environment, several workloads share the same physical host and the same IP subnet. After one payroll VM is compromised, the security team wants to prevent that VM from freely scanning or reaching the other workloads on the host. Which control best addresses this lateral-movement risk?
178. A stateless firewall sits between a DMZ subnet 10.10.10.0/24 and an internal subnet 10.10.20.0/24. Only the web server at 10.10.10.25 should be allowed to initiate TCP sessions to the app server at 10.10.20.20 on port 8443. All other DMZ-to-internal traffic must remain blocked. Which ACL entry is the best fit on the DMZ-facing interface?
179. A security team wants to verify that a server has not drifted from its approved hardened configuration after several months of changes. Which two actions help most? Select two.
180. A contractor signs in to a project portal that integrates several SaaS apps. Access should be granted only while the user is on a managed device, assigned to the project, and using a fresh second factor. The business also wants the contractor to avoid separate logins to each app. Which three controls best fit this design? Select three.
181. A DevOps team builds container images in a CI/CD pipeline. Security wants to reduce the chance of deploying vulnerable libraries and also wants the cluster to reject images that have not been approved. Which approach best meets both requirements?
182. A customer portal runs from a primary data center. Management wants the secondary site to take over within minutes if the primary site loses power, and the secondary site should already have current systems and data ready to serve users. Which design best fits this requirement?
183. Employees sign in once to the corporate portal and then open email, the ticketing system, and an HR application without entering credentials again. The external SaaS providers should trust the company's identity provider rather than creating separate user databases. What architecture is being used?
184. A customer portal must stay online if one application server fails. Which two design choices improve availability? Select two.
185. An architect reviews a design where an internet-facing reverse proxy in a DMZ forwards HTTPS to a web application tier, and the web tier queries a database on a protected internal subnet. The current firewall plan allows the DMZ subnet to reach the database subnet on any TCP port, and the admins want to manage the proxy without exposing it to the user VLAN. Which two changes best improve the design? Select two.
186. Based on the exhibit, which change would best reduce the attack surface of the public web server while preserving remote administration from the internal network?
187. Based on the exhibit, which cloud service model best fits the application's operational and security requirements?
188. A company is publishing an internet-facing customer portal that must also query an internal database containing order history. Security wants to reduce the chance that a compromise of the portal exposes the database directly. Which design is the best choice?
189. Based on the exhibit, what is the best next control to prevent noncompliant mobile devices from accessing corporate email while still allowing IT to wipe company data from lost phones?
190. A company wants all corporate laptops to authenticate to Wi-Fi using device certificates instead of shared passwords. It also wants to deny network access to systems that do not meet the baseline requirement for disk encryption and current endpoint protection. Which approach best satisfies both goals?
191. Based on the exhibit, what is the best cloud identity control to ensure terminated users lose access to the SaaS application quickly and consistently?
192. A development team wants to deploy a new internal application without managing operating system patching, runtime updates, or automatic scaling. The security team still wants the company to control the application code and its data access settings. Which cloud service model best fits this need?
193. A payment processor stores full card numbers in its transaction database, but developers and analysts should never see the real numbers in nonproduction reports or troubleshooting tools. The business still needs to correlate the same card across multiple records. Which technique is the best fit?
194. Based on the exhibit, which data protection control best allows analysts to work with the records without exposing full card numbers?
195. A hospital has clinical workstations, badge readers, and building cameras all connected to the same switching infrastructure. After a workstation infection, the security team wants to prevent those endpoints from laterally reaching the badge readers while still allowing the cameras to report to a recording server. What should be implemented first?
196. An office is replacing WPA2-PSK. The new design must ensure only company-managed laptops can join the wireless network, and any device that falls out of compliance must be blocked or quarantined until remediated. Which two controls best meet the requirement? Select two.
197. An organization stores full payment card numbers, analysts need the last four digits for investigation, and the backup team is worried about ransomware and stolen backup media. Which three controls best address these requirements? Select three.
198. Based on the exhibit, which backup protection change best improves ransomware resilience and protects the backup media if it is stolen?
199. A company is evaluating a multi-tenant SaaS document platform. The security team wants to reduce the impact of another tenant’s breach and ensure employees who leave are removed from the app within minutes. Which two requirements should the team prioritize? Select two.
200. A company is concerned about ransomware and insider tampering with backups. It wants daily restore points, monthly archives, and protection if a backup drive is stolen from the storage room. Which backup design is the best answer?
201. A company uses a third-party expense application and wants employees to sign in with their corporate identity once, then automatically lose access in the expense app when they are terminated in the HR system. Which solution best meets both requirements?
202. Based on the exhibit, which wireless security change best addresses both unauthorized device access and the risk of a lost laptop connecting to corporate resources?
203. Based on the exhibit, which network redesign would best limit lateral movement between user endpoints and building systems after a workstation compromise?
204. Sales representatives use company-managed smartphones for email, CRM, and document access. If a phone is lost, IT must remove only the corporate apps and work data without erasing the employee's personal photos and contacts. Which control should be used?
205. A platform team runs production, staging, and developer containers on the same Kubernetes cluster. After a staging compromise, the team wants to reduce the chance of access to production secrets or lateral movement to other namespaces. Which two architecture changes are most effective? Select two.
206. A team is deploying a containerized API to a public cloud. The service must be reachable only by internal corporate applications, and secrets must not be embedded in images or readable as plaintext by administrators of the underlying host. Which two actions best fit the design? Select two.
207. A payment application must keep running if one application server fails, and the business can tolerate no more than 5 minutes of lost transactions and 30 minutes of downtime during a site outage. Which two controls best match the availability requirements? Select two.
208. A company is redesigning a three-tier customer portal. Internet users must reach only the web tier, the application tier must never be directly reachable from the internet, database traffic must flow only from the app tier, and administrators need a protected path to manage servers. Which two design choices best meet these requirements? Select two.
209. An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.
210. A company distributes update packages through a web portal. Users must verify the portal's identity over the network, and the downloaded packages must be trusted even if the web server is later compromised. Which two controls best satisfy these goals? Select two.
211. A virtualization host connects to an access switch through one Ethernet link. It must carry only VLAN 30 for production VMs and VLAN 40 for management VMs. A review finds the link currently accepts every VLAN, uses VLAN 1 as the native VLAN, and a guest VLAN can accidentally be added later. Which two changes best harden the design? Select two.
212. Match each design requirement to the best security architecture control. Use each control once.
213. A manufacturing floor uses barcode scanners and a kiosk terminal that cannot support full endpoint agents or frequent manual patching. USB storage has previously introduced malware, and the devices only need to run one approved application and reach a backend system. Which two controls best reduce risk while preserving function? Select two.
214. A security architect is designing a multi-tier web application that must meet strict compliance requirements for data confidentiality and integrity. Which three of the following security architecture principles should be applied? (Choose three.)
215. An organization is migrating its on-premises infrastructure to a hybrid cloud model. Which three of the following considerations are most important for maintaining a secure security architecture? (Choose three.)
216. A company is designing a secure industrial control system (ICS) network that must be isolated from the corporate IT network. Which three of the following architectural controls should be implemented? (Choose three.)
217. A security architect is evaluating a zero trust architecture (ZTA) for a remote workforce. Which three of the following components are essential to the implementation? (Choose three.)
218. Which four of the following are key principles of secure network architecture design that help enforce defense-in-depth? (Choose four.)
219. Which four of the following are essential considerations when designing a secure cloud architecture in a hybrid environment? (Choose four.)
220. Drag and drop the steps to implement a new firewall rule in an iptables-based Linux firewall into the correct order.
221. Drag and drop the steps for the TLS 1.3 handshake process into the correct order.
The Courseiva SY0-701 question bank contains 221 questions in the Security Architecture domain, covering the 18% of the exam attributed to this domain in the official CompTIA blueprint. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.