Security Operations tests your ability to detect, respond to, and recover from real-world security incidents. On the SY0-701 exam it covers incident response (NIST SP 800-61), vulnerability management, SIEM log analysis, data protection, and change management. It is worth 28% of your score — the highest-weighted domain.
Domain overview
Security Operations is the single largest domain on the SY0-701 exam at 28% — and the one most grounded in real-world analyst work.
This domain covers what a security team does every day: detecting threats through SIEM and IDS/IPS, running the incident response playbook, scanning and patching vulnerabilities, protecting data, and keeping change management locked down.
Exam questions are almost entirely scenario-based. You will be handed a situation — ransomware hits a file server, a SIEM alert fires at 2am, a critical CVE drops for a system you own — and asked what to do next, in what order, and with which tool.
The NIST SP 800-61 incident response lifecycle appears on nearly every exam version. NIST SP 800-61 Rev. 2 defines four phases (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity), and the SY0-701 objectives break the same lifecycle into seven ordered steps: Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned. Treat that order as required memorisation.
Exam objectives
Incident response lifecycle — Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned (the SY0-701 breakdown of the NIST SP 800-61 phases). Know the exact order cold.
Vulnerability management — scan types, CVSS severity scoring, patch prioritisation, and the critical difference between a vulnerability scan and a penetration test.
Security monitoring — SIEM log correlation, IDS vs IPS placement and behaviour, alert triage, and separating true positives from false positives.
Identity and access management operations — enforcing MFA, detecting privilege escalation, account lockout policies, and least-privilege principles.
Data protection — encryption at rest vs in transit, DLP tool placement, data classification schemes, and secure data disposal methods.
Disaster recovery and business continuity — RTO vs RPO definitions, full/incremental/differential backup strategies, and failover testing.
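The disaster recovery objective names full, incremental and differential backups and the RTO/RPO definitions but does not show how they interact when you actually have to restore. The Python below is an added worked example, not content from the original page: it builds a constructed one-week backup catalog (hypothetical dates: one full backup on Sunday 2024-03-03 at 02:00, then one incremental or differential each night), works out which backups must be restored and in what order, and measures the data-loss window actually achieved against a target RPO. The chain rule it encodes is the standard one: an incremental restore needs the last full plus every incremental taken since it, while a differential restore needs the last full plus only the most recent differential.

```python
from datetime import datetime, timedelta

# Constructed schedule (hypothetical): full backup Sunday 2024-03-03 02:00,
# then one nightly incremental or differential at 02:00.
SCHEDULE_START = datetime(2024, 3, 3, 2, 0)


def build_catalog(strategy, days=7):
    """One week of backups as (timestamp, kind) tuples.

    strategy is "incremental" (changes since the previous backup of any kind)
    or "differential" (changes since the last full backup)."""
    if strategy not in ("incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")
    catalog = [(SCHEDULE_START, "full")]
    for d in range(1, days):
        catalog.append((SCHEDULE_START + timedelta(days=d), strategy))
    return catalog


def restore_chain(catalog, incident_iso):
    """Backups to restore, in order, to reach the last backup taken before the
    incident. Returned as 'YYYY-MM-DD kind' strings."""
    incident = datetime.fromisoformat(incident_iso)
    usable = [b for b in catalog if b[0] <= incident]
    if not usable:
        raise ValueError("no backup exists before the incident")
    full_idx = max(i for i, (_, kind) in enumerate(usable) if kind == "full")
    chain = [usable[full_idx]]
    since_full = usable[full_idx + 1:]
    if since_full:
        if since_full[-1][1] == "differential":
            chain.append(since_full[-1])   # latest differential holds everything since the full
        else:
            chain.extend(since_full)       # every incremental, oldest first
    return [f"{ts:%Y-%m-%d} {kind}" for ts, kind in chain]


def achieved_rpo_hours(catalog, incident_iso):
    """Hours of work lost: time from the last usable backup to the incident."""
    incident = datetime.fromisoformat(incident_iso)
    last = max(ts for ts, _ in catalog if ts <= incident)
    return (incident - last).total_seconds() / 3600


def meets_rpo(catalog, incident_iso, rpo_hours):
    """True when the restore point is recent enough for the agreed RPO."""
    return achieved_rpo_hours(catalog, incident_iso) <= rpo_hours


if __name__ == "__main__":
    incident = "2024-03-07T15:30:00"  # constructed: ransomware hits Thursday afternoon
    for strategy in ("incremental", "differential"):
        print(strategy, "->", restore_chain(build_catalog(strategy), incident))
    nightly = build_catalog("incremental")
    print("hours of data lost:", achieved_rpo_hours(nightly, incident))
    print("meets 24h RPO:", meets_rpo(nightly, incident, 24))
    print("meets 4h RPO:", meets_rpo(nightly, incident, 4))
```

Against the constructed schedule a Thursday-afternoon incident needs five backups for the incremental strategy but two for the differential one, and either way 13.5 hours of work are gone: nightly backups satisfy a 24-hour RPO and fail a 4-hour one. That gap is the "yesterday's edits are missing" symptom in the restore scenarios later on this page, and the RPO check is what a team should run before declaring a restore successful.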
Containment comes before Eradication in incident response — reversing these two phases is the most common mistake on this domain.
A vulnerability scan identifies weaknesses; a penetration test actively exploits them. The exam expects you to know which is appropriate and when.
RTO is how fast you restore service; RPO is how much data loss you can tolerate. Mixing these up costs marks on scenario questions.
Not every SIEM alert is a real threat — the exam tests alert triage. Recognising false positives is a distinct skill from detecting real incidents.
IDS alerts and logs; IPS blocks. Placement also differs — IDS can be passive/out-of-band, IPS must be inline. Confusing them is a guaranteed wrong answer.
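The SIEM correlation and alert-triage points above describe the failure mode (a per-account failed-logon threshold that pages the SOC every time someone fat-fingers a password) without showing what a tuned rule looks like. The Python below is an added example, not code from the original page or any SIEM vendor: it runs a naive rule and a tuned rule over a constructed set of flattened Windows logon events (4625 failed, 4624 successful; the line format and the `10.20.30.40`, `203.0.113.50` and `198.51.100.7` addresses are made up for the example). The tuned rule keys on source address as well as account, suppresses bursts from corporate networks, adds a distinct-accounts-per-source check so a password spray that never trips the per-account threshold is still caught, and raises a high-confidence alert when failures from one source are followed by a success for the same account from that source.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One flattened event per line: "<ISO time>Z <event id> user=<account> src=<ip>".
# Constructed format for the example, not a real log export.
LINE_RE = re.compile(r"^(?P<ts>\S+)Z (?P<id>\d{4}) user=(?P<user>\S+) src=(?P<src>\S+)$")


def constructed_log_lines():
    """Constructed sample (not captured from any host) with three stories:
    bob mistypes his password 12 times from a corporate desktop, then succeeds;
    203.0.113.50 tries eight random-looking accounts once each (password spray);
    198.51.100.7 hammers 'admin' 15 times and then logs in (brute force)."""
    def line(t, eid, user, src):
        return f"{t.isoformat()}Z {eid} user={user} src={src}"
    t0 = datetime(2024, 3, 7, 8, 0)
    lines = [line(t0 + timedelta(seconds=15 * i), 4625, "bob", "10.20.30.40") for i in range(12)]
    lines.append(line(t0 + timedelta(minutes=3), 4624, "bob", "10.20.30.40"))
    t1 = datetime(2024, 3, 7, 2, 10)
    for i, user in enumerate(["a1b2c3", "x9y8z7", "q4w5e6", "r7t8y9", "u1i2o3", "p4a5s6", "d7f8g9", "h1j2k3"]):
        lines.append(line(t1 + timedelta(seconds=10 * i), 4625, user, "203.0.113.50"))
    t2 = datetime(2024, 3, 7, 3, 30)
    lines += [line(t2 + timedelta(seconds=5 * i), 4625, "admin", "198.51.100.7") for i in range(15)]
    lines.append(line(t2 + timedelta(minutes=2), 4624, "admin", "198.51.100.7"))
    return lines


def parse(lines):
    """Parse log lines into dicts sorted by time; lines that do not match are skipped."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "id": m["id"],
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def _burst(times, window, threshold):
    """True if more than `threshold` timestamps fall inside some span of length `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


def naive_rule(events, threshold=10, window=timedelta(minutes=5)):
    """The scenario's original rule: any account with more than `threshold`
    failures in `window`, no matter where they came from."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == "4625":
            fails[e["user"]].append(e["ts"])
    return {user for user, t in fails.items() if _burst(t, window, threshold)}


def tuned_rule(events, corp_nets, threshold=10, spray_accounts=5, window=timedelta(minutes=5)):
    """Alerts keyed on source as well as account. Returns a set of alert strings."""
    corp = [ipaddress.ip_network(n) for n in corp_nets]
    is_corporate = lambda ip: any(ipaddress.ip_address(ip) in n for n in corp)
    fails_by_pair = defaultdict(list)   # (src, user) -> failure timestamps
    fails_by_src = defaultdict(list)    # src -> (timestamp, user)
    success_after = set()               # (src, user) that succeeded after failing
    for e in events:                    # events are time-ordered, so "after" holds
        key = (e["src"], e["user"])
        if e["id"] == "4625":
            fails_by_pair[key].append(e["ts"])
            fails_by_src[e["src"]].append((e["ts"], e["user"]))
        elif e["id"] == "4624" and key in fails_by_pair:
            success_after.add(key)
    alerts = set()
    for (src, user), times in fails_by_pair.items():
        if is_corporate(src):
            continue                    # mistyped passwords from the office stay quiet
        if _burst(times, window, threshold):
            alerts.add(f"brute-force:{user}@{src}")
        if (src, user) in success_after:
            alerts.add(f"success-after-failures:{user}@{src}")
    for src, hits in fails_by_src.items():
        hits.sort()
        seen, start = Counter(), 0      # distinct accounts inside the sliding window
        for ts, user in hits:
            seen[user] += 1
            while ts - hits[start][0] > window:
                old = hits[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= spray_accounts:
                alerts.add(f"spray:{src}")
                break
    return alerts
```

On the constructed events the naive rule pages on both bob and admin and misses the spray entirely; the tuned rule with `10.0.0.0/8` declared corporate drops bob, keeps the admin brute force with a second high-confidence alert for the success that followed it, and adds the spray from 203.0.113.50. Declaring no corporate ranges brings bob back, which is the trade-off the threshold alone cannot express.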
1. A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?
2. A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?
3. A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?
4. A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?
5. A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?
6. A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?
7. A security analyst is reviewing network flow logs and notices a series of outbound connections from a single internal workstation to an external IP address on TCP port 443. The connections occur every 5 minutes, each lasting about 2 seconds, and the amount of data transferred per connection is consistently around 1 KB. The workstation's user reports no unusual activity. The analyst checks the host's EDR logs and sees no malicious processes or known indicators. Which type of activity is this pattern most consistent with?
8. A security analyst in the SOC is reviewing an alert from the corporate VPN server. The alert indicates that user 'jsmith' authenticated successfully from an IP address in Brazil at 14:30 UTC. The analyst contacts jsmith, who confirms he is physically in the company's headquarters in Chicago and has not remotely accessed the VPN today. The VPN authentication logs show that jsmith's session used a valid smart card certificate for authentication. The analyst checks the certificate revocation list and finds that jsmith's certificate has not been revoked. Which of the following is the most likely explanation for this event?
9. A security analyst is reviewing the perimeter firewall logs. The analyst observes repeated TCP SYN packets from a single external IP address (203.0.113.50) to multiple internal IP addresses on TCP port 3389. The packets are sent with a consistent 50-millisecond interval. There are no subsequent SYN-ACK or RST packets from the internal hosts in the logs. The analyst suspects this is a reconnaissance scan. Which of the following additional log sources would provide the most definitive evidence to confirm this suspicion?
10. A digital forensics analyst is investigating a suspected insider threat. The analyst has acquired a laptop used by the suspect. The analyst needs to obtain a forensic image of the hard drive without altering any data. The laptop is running and logged into the suspect's user account. Which of the following is the most appropriate first step for the analyst to take?
11. A security analyst receives an alert from the intrusion detection system indicating that a workstation in the finance department has established an outbound connection to a known malicious IP address using an encrypted protocol. The analyst verifies the alert and checks the user's activity logs, which show no legitimate business reason for the connection. According to the incident response process, what should the analyst do NEXT?
12. A security analyst at a financial firm detects an unusual spike in outbound network traffic from a database server that normally only communicates with internal web servers. The traffic is directed to numerous external IP addresses in various countries. According to established incident response procedures, what should be the analyst's immediate next step?
13. A security analyst receives an alert from the intrusion detection system (IDS) indicating a high volume of outbound traffic from a single internal workstation to an external IP address known to be associated with a command-and-control (C2) server. The workstation's user reports no unusual activity. Which of the following should the analyst do FIRST?
14. A security analyst notices repeated failed login attempts to a critical database server from a single external IP address over the past hour. The analyst reviews the authentication logs and sees that the account name used in each attempt is 'admin'. Which of the following security controls should the analyst recommend to mitigate this type of attack with minimal impact on legitimate users?
15. A security analyst receives multiple alerts indicating that several users in the finance department clicked a malicious link in an email. The analyst has confirmed the email subject line and sender address. Which of the following is the BEST first step to contain the incident?
16. A security analyst receives an automated alert indicating that a standard user account logged in from a geographic location that is unusual for the user, and the login occurred at 3:00 AM local time. The analyst has not yet verified whether this was a successful login or if any additional suspicious activity occurred. According to standard incident response procedures, what should the analyst do NEXT?
17. A security analyst detects unusual outbound traffic from a workstation that appears to be communicating with a known malicious IP address. The analyst immediately isolates the workstation from the network. Which of the following is the NEXT step in the incident response process according to NIST SP 800-61?
18. An organization's file server contains sensitive HR data. The security team discovers that permissions on a confidential folder have been altered. Which of the following security controls would MOST likely help determine the account responsible for this change?
19. A security analyst detects a high volume of failed authentication attempts from IP address 203.0.113.1 against a web application. The attempts use different usernames, such as 'admin', 'root', 'test', and several common names. Account lockout policies are configured to lock an account after five failed attempts. Despite this, the analyst sees the attempts continuing over several hours. Which of the following security controls is most likely missing or improperly configured?
20. A security analyst receives an alert about a user account that has been attempting to authenticate from an unusual geographic location outside of business hours. The analyst reviews the event logs and sees that the authentication attempt was successful, but the user has not reported any suspicious activity. Which of the following actions should the analyst take NEXT?
21. A help desk technician reports that a user's account was locked out three times overnight. The security team reviews the authentication logs and discovers that the lockouts resulted from failed login attempts originating from a single external IP address, each attempt using a slightly different variation of the user's password. Which of the following should the security analyst do FIRST?
22. A security analyst detects an encrypted outbound connection from a web server to an unknown IP address. The connection is persistent and occurs every 5 minutes. What is the MOST appropriate first step for the analyst to take?
23. A security analyst in the SOC observes a sudden spike in failed authentication attempts from a single external IP address targeting multiple user accounts over the last 30 minutes. After confirming the logs are accurate, which of the following actions should the analyst take FIRST according to standard incident response procedures?
24. A security analyst detects repeated outbound traffic from a single workstation to an IP address listed on a public threat intelligence feed as a known command-and-control server. The user reports that the workstation is behaving slowly and that antivirus software is up to date. According to incident response best practices, what should the analyst do FIRST?
25. A SOC analyst is investigating an alert triggered when a user clicked a link in an email. The email appeared to be from a trusted vendor and included a PDF attachment with a macro, but the user did not run the macro. Upon reviewing the email headers, the analyst notices that the sender's domain is a common misspelling of the vendor's legitimate domain. Which of the following is the most direct indicator that this email is a phishing attempt?
26. A security analyst in a SOC receives an alert indicating that a large volume of data was transferred from a user's workstation to an external IP address at 2:00 AM. The analyst suspects a data exfiltration attack. According to incident response best practices, what should the analyst do FIRST?
27. A security analyst receives an alert that a user clicked a link in a phishing email and entered their corporate credentials on a fake login page. Which of the following should the analyst do FIRST to minimize further damage?
28. A security analyst notices a sudden increase in outbound traffic from a database server that normally only communicates with internal application servers. The server is running a standard OS with no recent changes. Which of the following actions should the analyst take FIRST to determine if the server is compromised?
29. A security analyst is reviewing authentication logs from a corporate web application. The logs show that over a span of two hours, a single external IP address attempted to log in with 500 different usernames, each using the same password 'Spring2024!'. Only a few of these attempts succeeded. Which type of attack is most likely being observed?
30. A security analyst is reviewing web server logs after a user reports that the company website displayed an error message containing raw database queries. The log shows repeated requests to the product search page with the following parameter: `?id=1 OR 1=1`. Which of the following should the analyst do FIRST to confirm the nature of the suspected attack?
31. A security analyst detects real-time data exfiltration from a critical production database that supports customer transactions. The exfiltration appears to be occurring via a compromised application service account. Which containment strategy should the analyst implement FIRST to minimize damage while preserving forensic data?
32. A security analyst receives an alert that a user's workstation is communicating with a known malicious IP address during off-hours. The analyst reviews the firewall logs and confirms the connection was established. Which of the following should the analyst perform NEXT to contain the threat?
33. A security analyst observes a pattern where an account exhibits multiple failed login attempts from an IP address in a foreign country, followed by a successful login from the same account but from a different IP address in another foreign country minutes later. The analyst wants to deploy a control that can automatically detect and alert on this type of anomalous user behavior, even if the individual login events are not blocked by existing rules. Which of the following security controls is BEST suited for this task?
34. A security analyst notices that a phishing campaign is targeting employees with emails that appear to be from the company's IT support team. The emails contain a link to a website that mimics the corporate password reset portal. Which of the following controls would be MOST effective in preventing users from reaching the malicious website, assuming the link uses HTTPS?
35. A security analyst notices repeated attempts to copy large amounts of data to USB drives from a user's workstation. The analyst suspects the user may be exfiltrating company proprietary data. The company wants to implement a technical control that can both detect and block such data exfiltration without completely disabling all USB ports, as some users require USB for authorized work. Which of the following would best meet this requirement?
36. A security analyst detects that multiple workstations in the finance department are displaying ransom notes and files are being encrypted. The analyst has disconnected the affected workstations from the network. Which of the following should the analyst do next according to the incident response procedure?
37. A security analyst observes a critical server generating unusually high outbound traffic to an external IP address that is listed on a threat intelligence feed as a known command-and-control server. The analyst suspects the server is compromised. According to standard incident response procedures, what should the analyst do NEXT?
38. A security analyst at a financial firm notices a significant increase in DNS queries from an internal server to a rarely visited external domain. The queries are for unusual subdomain names that contain encoded data. The server is not a DNS server and does not typically generate outbound traffic. Which of the following is the MOST appropriate immediate action for the analyst to take?
39. A security analyst is reviewing firewall logs and notices repeated connection attempts from a single external IP address to multiple internal IP addresses on TCP port 22 (SSH). Each attempt uses a different username but the same password: 'Spring2024!'. The attempts occur sporadically over a 12-hour period. Which type of attack is most likely being observed?
40. A SOC analyst detects that a user's workstation is sending large volumes of data to an unusual external IP address during non-business hours. The analyst has already isolated the workstation by disconnecting it from the network. What is the NEXT step in the incident response process?
41. A security analyst is reviewing authentication logs and observes multiple failed login attempts for a single user account occurring within a short timeframe, followed by a successful login from an IP address located in a country where the user has never traveled. The failed attempts originate from various IP addresses and use different passwords. Which type of attack has most likely occurred?
42. A security analyst notices unusual outbound traffic from a server that normally only communicates with internal clients. The traffic is encrypted and goes to an external IP address not on any blocklists. The analyst also finds a new scheduled task on the server that runs a PowerShell script. Which of the following best describes the analyst's immediate next step in the incident response process?
43. A security analyst at a manufacturing company notices multiple workstations generating high volumes of encrypted outbound traffic and displaying ransom notes. The analyst suspects a ransomware outbreak. According to the incident response process, which of the following should the analyst perform FIRST?
44. A security analyst detects unusual outbound traffic from a workstation to an external IP address known for command and control. The analyst has verified the alert and wants to contain the threat. According to the NIST SP 800-61 incident response process, which of the following steps should the analyst take FIRST?
45. During malware response on a finance workstation, the system is still powered on and connected. The manager asks whether you can just reboot it to stop the issue. What is the best next step?
46. A privileged account is used on a jump box at 02:15, and the SIEM shows multiple interactive logons from the same account to different servers within 10 minutes. The administrator says they used a password vault for the session. Which log source best confirms whether the access was authorized?
47. After confirming malicious activity on a workstation, the incident lead wants the system cleaned up quickly. The analyst has not yet collected any volatile data. What should the analyst do before remediation begins?
48. After restoring a virtualized file server from backup, users can log in but the accounting application returns database consistency errors. What should you do next?
49. A web application was updated at 10:00. At 10:05, the SIEM reports a sharp rise in HTTP 500 errors and WAF blocks from the same source range. The application owner says customers are seeing failures only on the new checkout page. What is the best next step?
50. EDR flags a word processor that launched encoded PowerShell and then made an outbound HTTPS connection to a rare domain. Which two actions should the analyst take first from the EDR console? Select two.
51. Security receives a company laptop used in an insider theft investigation. A manager wants the device moved to another office for review by legal staff. Which action best supports chain of custody?
52. After restoring a virtual file server from last night's backup, users can browse shares, but finance reports that several spreadsheet edits from yesterday are missing. What should the administrator verify next before declaring the restore successful?
53. A firewall rule was changed in production to allow a new vendor IP range, and payroll users immediately lost access to an internal service. Which two change-management practices would have reduced the risk of this outage? Select two.
54. An investigator needs a copy of a suspect laptop drive for analysis without changing the original media. What should be used?
55. A SIEM alert shows five failed logins to a SaaS admin portal from one IP, followed by a successful login from a new city three minutes later. Which two actions are the best next steps for the analyst to validate the event before containment? Select two.
56. A workstation is suspected of malware infection, and it is still powered on and connected to the network. Which action best preserves volatile evidence before the system is shut down?
57. After restoring a virtual file server from backup, users can log in and browse shares, but finance says the last day's edits are missing. Which two steps should the administrator take before declaring recovery complete? Select two.
58. A firewall ACL must be modified in production to allow a vendor update server. The team wants to minimize the chance of accidentally blocking payroll traffic. Which change-management step is best before applying the rule?
59. A Windows server is still running after suspected compromise. Before it is powered down, which two volatile data sources should be collected first? Select two.
60. A company-owned laptop is being transferred from the incident site to the evidence locker for a theft investigation. Which two actions best support chain of custody during transport? Select two.
61. After restoring a virtual file server from backup, users can browse folders, but an accounting application reports missing recent transactions. What should the administrator do next?
62. A firewall rule was added directly in production to allow a new vendor IP range, and an internal service stopped responding because the new rule was placed above an existing deny rule. Which two change-management practices would have reduced the risk? Select two.
63. An investigator receives a suspect laptop drive that may be used in court. Which approach best supports a forensically sound image while protecting the original media?
64. An administrator pushed a firewall rule change to allow a new vendor IP range during business hours. Minutes later, payroll users lost access to an internal service. Which change management practice would have best reduced the impact?
65. A SIEM alert shows five failed logins to an administrator account, followed by a successful login from a new city three minutes later. The account owner says they did not sign in. What should the analyst do first?
66. A privileged cloud administrator account shows two suspicious events: an API key was created from an unfamiliar IP address, and a mailbox forwarding rule was added five minutes later. The account is still active and may be in attacker control. Which two actions should the analyst take first to preserve evidence while limiting additional abuse? Select two.
67. You are handed a company laptop suspected in an insider theft case. Legal says the evidence may be needed in court. Which action best preserves admissibility?
68. A virtual file server was restored from last night's backup. The service is online, but some finance users report missing spreadsheet changes and a few files show a 'recovered copy' timestamp. Which two checks should be completed before the team accepts the restore as successful? Select two.
69. After a new MFA policy rollout, the SIEM generates an alert for five failed logins to a SaaS admin portal from one IP, followed by a successful login to the same account from an IP in another country. The account owner says they were in meetings all day. What should the analyst do first?
70. A firewall rule change was implemented directly in production to allow a new vendor IP range. Within minutes, several internal services became unreachable because the rule order changed unexpectedly. Which change-management practice would have most likely prevented this outage?
71. A finance laptop is powered on, the user is still logged in, and it remains connected to Wi-Fi after a malware alert. What should the responder do first to preserve volatile evidence?
72. A laptop is suspected of being used in a malware incident. It is still powered on and connected to Wi-Fi. What should the responder do before shutting it down?
73. A Linux server starts showing many failed SSH logins from one source IP address. Which log source should the analyst review first?
74. EDR alerts on a remote laptop show a suspicious process attempting to dump browser credentials and then contacting a rare domain. The user is in another time zone and still needs the laptop online for a presentation later today. What containment action is best?
75. A server is suspected of being used for lateral movement after the SOC notices dozens of failed SSH logons, then a successful login from a new source IP, followed by new outbound SMB connections to internal hosts. The system is still running. Which two items should be collected first before any reboot or remediation? Select two.
76. Security receives a company-owned laptop connected to an insider theft investigation. Before the device is transported to the evidence locker, what is the BEST action to support chain of custody?
77. An investigator receives a suspect laptop that may be needed in court. The goal is to create a forensic image without changing the original drive contents. Which three actions best support chain of custody and evidence integrity? Select three.
78. A SIEM correlation rule fires for a Microsoft 365 executive mailbox. At 02:14, the account signs in from a new country. At 02:17, the mailbox gets a forwarding rule that sends all mail to an external address. The user says they did not travel and did not create any rules. Which two log sources should the analyst review first to confirm whether this is account takeover or token abuse? Select two.
79. A finance workstation is suspected of running malware. It is still powered on, the user is logged in, and the network cable is connected. Which two actions best preserve volatile evidence before shutdown? Select two.
80. A vulnerability scan identifies a critical patch for a fleet of internet-facing servers. The operations lead wants to apply it immediately during peak business hours because the exploit is public. What is the BEST next step?
81. A SIEM alert shows a successful VPN login for an executive account from an unusual country, followed 3 minutes later by large downloads from a file share the user rarely accesses. Which log source should the analyst review next to determine whether the session came from the user's assigned laptop or an unmanaged device?
82. EDR detects encoded PowerShell launched from a word processor, a process attempt to read LSASS memory, and an outbound HTTPS connection to a rare domain. What should the analyst do first?
83. EDR on a finance workstation shows Outlook launching mshta.exe, followed by a scheduled task named UpdateSvc_91 and repeated HTTPS beacons to a newly registered domain. The user is still working and has not rebooted. Which two telemetry sources would best help the analyst confirm the initial execution path and determine whether the host has communicated with other suspicious infrastructure? Select two.
84. EDR flags a workstation after a word processor launches encoded PowerShell and the host begins contacting a rare domain over HTTPS. The user is still active. What is the best containment action from the EDR console?
85. An EDR alert shows suspicious PowerShell activity on a remote employee laptop, and the user is still logged in to cloud applications. Which two response actions are best if the device is believed to be actively compromised? Select two.
86. A SIEM correlates three failed MFA prompts for a payroll admin account from one IP, a successful login two minutes later from the same IP, and a new mailbox forwarding rule to an external address. What is the best immediate action?
87. An administrator wants to add a new vendor IP range to a firewall rule in production. What is the best change-management step to reduce risk?
88. During malware containment, an analyst needs to preserve transient information from a compromised Windows workstation that is still running. Which action is MOST appropriate before shutdown or imaging?
89. A SIEM alert shows a successful sign-in to a cloud admin portal from an unusual country, followed by mailbox forwarding-rule changes four minutes later. Which two log sources should the analyst review first to confirm whether the account was abused? Select two.
90. EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.
91. An investigator needs to make a forensic image of a suspect laptop without changing the original drive contents. Which two practices should be used? Select two.
92. An employee reports a ransomware note on a file server. The server is still powered on, shares are still being accessed, and management wants service restored as quickly as possible. What should the incident response team do first?
93. A Windows laptop is believed to be involved in a credential-theft incident. It is still powered on, connected to Wi-Fi, and the user reports that the screen recently locked by itself. The SOC can reach the device remotely through EDR. Which two actions should be taken before the laptop is shut down? Select two.
94. Several Windows servers were built from the same image, and all of them use the same local Administrator password. What is the best operational hardening change?
95. EDR flags a workstation because a word processor launched an unusual script and then contacted a rare external domain. What is the best immediate action?
96. During a disaster recovery test, what is the most important thing to confirm about the backup?
97. A SIEM reports a successful sign-in to a SaaS admin portal from a new country, followed three minutes later by multiple configuration changes to mailbox forwarding rules. The account owner says they were in the office and did not approve any changes. What should the analyst check next?
98. A SIEM alert flags an interactive logon to a Windows file server from a service account that normally only runs scheduled tasks. The alert occurred at 01:12, but the maintenance window for that server is every Sunday at 02:00. The account also accessed a different server five minutes later. What should the analyst do first?
99. EDR flags encoded PowerShell launched by a spreadsheet application, followed by an attempt to access LSASS and outbound HTTPS traffic to a rare domain. What should the analyst do first from the EDR console?
100. A firewall rule must be changed to allow a vendor update server. Which step best reduces the chance of an unexpected outage?
101. A company-owned laptop is suspected in an insider theft case and legal says the evidence may be used in court. Which two actions best support evidence admissibility during transport to the evidence locker? Select two.
102. A new SIEM rule generates many alerts from a scheduled backup job that is known to be legitimate. What should the analyst do to improve alert quality?
103. A company laptop is collected as evidence in a suspected theft case. Which action best supports chain of custody?
104. EDR flags encoded PowerShell launched by a spreadsheet application and an outbound HTTPS connection to a rare domain. Which two response actions are best to take from the EDR console first? Select two.
105. After restoring a virtual file server from backup, users can open shares, but the accounting application shows the previous day's transactions are missing. Which two steps should the administrator take next? Select two.
106. After a file server is restored from backup, users can open the share, but the business wants to be sure the recovery was successful. What should the administrator verify next?
107. An employee reports a ransomware note on a finance laptop. The laptop is still powered on, connected to Wi-Fi, and the user says they were just working in a spreadsheet. Management wants the fastest safe response that also preserves evidence. What should the responder do first?
108EDR shows encoded PowerShell launched by a word processor and an outbound connection to a rare domain. What is the best immediate containment action?
109A new SIEM rule generates hundreds of alerts from a scheduled backup job that is known to be legitimate. Which two tuning changes are the best ways to reduce noise without losing visibility into real abuse? Select two.
110A SIEM alert shows a payroll administrator account signed in at 02:10 from a country the employee has never visited. The employee says they are on vacation at home and did not travel. What should the analyst do first?
111Based on the exhibit, which improvement best aligns the current backup design with the stated recovery targets?
112Based on the exhibit, what is the most likely SOC conclusion and next action? A scheduled alert fired on a server that repeatedly connects to a vendor update site at fixed intervals. The security team wants to know whether the alert represents a real threat or a harmless operational pattern.
113An ERP database is backed up nightly to a NAS that remains online and is managed with the same admin group as production servers. After a ransomware incident, management wants the most effective change to improve recovery assurance without redesigning the whole environment. What should be implemented?
114An internal finance application has an RTO of 2 hours and an RPO of 30 minutes. Current backups restore in about 6 hours because the team must rebuild the server from scratch. Which change best aligns the recovery design to the business requirement?
115During morning SIEM review, an analyst sees 37 failed SSH logins followed by a successful login to a Linux server from a jump host. The account belongs to a configuration-management service account, and the activity occurred inside the normal maintenance window. What should the analyst do next to determine whether the alert is a true positive or a false positive?
116After isolating an infected endpoint and collecting volatile memory, the team identifies a malicious browser extension and a scheduled task used for persistence. Which two actions belong in the eradication phase before returning the system to service? Select two.
117A monthly scan finds a critical remote-code-execution vulnerability on an internet-facing VPN appliance. The vendor has not released a patch for six weeks, but the service must stay online. Which short-term action is the best risk treatment?
118A billing application has an RTO of 2 hours and an RPO of 30 minutes. The current recovery method requires rebuilding the VM from scratch and then restoring last night's backup, which takes over six hours. Which solution best meets the stated recovery objectives?
119A weekly vulnerability scan returns five findings across different systems. Which three should be remediated first? Select three.
120During a restore test, a technician brings back a file server successfully, but the application team discovers that the database is missing the last 12 hours of transactions. Management says the business can tolerate only one hour of data loss. What should be changed first?
121A help desk ticket confirms that a user entered corporate credentials into a fake sign-in page. Minutes later, the security team finds a new mailbox forwarding rule and evidence that the attacker added backup MFA codes. After disabling the account, what should the team do next to support containment and recovery?
122Based on the exhibit, which temporary control best reduces risk until the patch is released?
123Based on the exhibit, which change best moves the ERP recovery design toward meeting both recovery targets?
124The SOC has contained a mailbox compromise by resetting the password and revoking active sessions. Investigation shows the attacker created an automatic forwarding rule and added an OAuth consent grant. What should happen next to eradicate the threat?
125Based on the exhibit, which change best helps the company meet its recovery objectives after a ransomware event?
126Based on the exhibit, what is the most likely conclusion after correlating the logs? A configuration-management task ran from a jump host and generated repeated login alerts on target servers. The SOC wants to determine whether this is malicious activity or approved automation.
127Based on the exhibit, what is the best immediate action for the SOC or IR team? A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.
128Based on the exhibit, what is the best eradication decision for the server compromise?
129A SOC analyst reviews email platform logs for a finance user account. At 08:12, the user successfully signs in from Denver. At 08:15, the same account signs in from a residential ISP in another state. At 08:16, the mailbox creates a new external forwarding rule and deletes the original alert message. The user says they did not set up forwarding. What is the best assessment?
130A scan keeps reporting the same medium-severity TLS configuration issue on a public web server. The application owner says the vendor software cannot be changed until next quarter, but they can place the service behind a reverse proxy that enforces stronger cipher settings. How should the issue be handled in the vulnerability management process?
131Based on the exhibit, what is the most likely explanation for the alert?
132A SIEM rule flags a Linux server because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The server runs an approved patch agent that should check in on a regular schedule. Which two checks best validate whether the alert is a false positive? Select two.
133A legacy application server has a critical vulnerability, but the vendor will not release a fix for 30 days. Which two compensating controls are the best short-term risk reduction steps? Select two.
134An IDS raises an alert for a possible SQL injection attack against an internal reporting portal. The web server logs show the source IP belongs to the company's vulnerability scanner, and the requests match the scanner's normal test pattern. What is the most appropriate analyst action?
135A SIEM alert shows a workstation connecting to the same unknown internet address every 15 minutes, even after business hours. The device belongs to an employee who is on vacation. What is the best next step for the analyst?
136A ransomware incident encrypted a file share and the attached NAS backups because the NAS stayed mounted to production and was reachable over SMB. Which two design changes would have reduced the blast radius most effectively? Select two.
137An EDR alert shows winword.exe launching powershell.exe with an encoded command after a user opened an invoice attachment. No new executable file was written to disk, and the host is still online. Which two actions should the SOC analyst take first to validate the alert and collect usable evidence? Select two.
138At 10:15, a file server begins renaming documents and creating payment notes. The SOC confirms the server is also making SMB connections to other internal hosts, but users can still access shared folders. What should the incident handler do FIRST?
139Based on the exhibit, which issue should be remediated first by the operations team? A small company has limited maintenance windows and can address only one of several findings this week.
140A vulnerability dashboard shows four new findings. Which one should be remediated first by the operations team? - A low-severity issue on an offline lab VM - A medium-severity issue on a payroll server with no known exploit - A critical issue on an internet-facing web server with an available exploit - A high-severity issue on a test workstation that is not domain joined
141Based on the exhibit, what is the best eradication decision after containment? A quarantined endpoint was found to have a malicious startup item and a scheduled task. The team has already isolated it from the network and preserved memory for analysis.
142Based on the exhibit, which finding is the best candidate for immediate remediation or emergency mitigation?
143A user reports that a shared department drive is rapidly renaming files and creating ransom notes on a Windows file server. The SOC confirms suspicious activity is still occurring on that server. What should the incident responder do first?
144Based on the exhibit, what is the most important next IR action?
145A SOC analyst receives an alert that a domain admin account authenticated to a file server at 02:14 from a jump host that is normally used only by the infrastructure team. The Windows logs also show a scheduled task launching a backup script at the same time, and the backup team says the task was created during yesterday's change window. What is the best next step to determine whether this is a false positive?
146A branch office stores nightly backups on a NAS that is joined to the same Active Directory domain as the production servers. After a ransomware incident, management wants a backup design that is much harder for attackers to encrypt or delete. Which approach is the best improvement?
147An IDS generates an alert for possible SQL injection against an internal reporting portal at 02:00. The web logs show the source IP belongs to the company's approved vulnerability scanner, the request path matches the scheduled test window, and the WAF blocked the request. What is the most appropriate analyst conclusion?
148An engineering firm backs up its file server every night to a NAS that is always mounted to the production domain. After a ransomware event, management asks for the most effective improvement to reduce the chance that backups are encrypted along with production data. What should be recommended?
149A monthly vulnerability scan identifies a critical vulnerability on a public-facing VPN appliance, but the vendor says no patch is available yet. The service must remain online for remote workers. What is the best compensating control to reduce risk right away?
150After a phishing account compromise has been contained and the attacker’s mailbox forwarding rule was removed, what should the team do next?
151A SOC analyst receives a SIEM alert for a possible brute-force attack against a remote access portal. The alert shows 240 failed logins from the same source IP over 4 minutes, followed by one successful login. Before escalating as an incident, what is the BEST evidence to check to determine whether the alert is a false positive caused by approved activity?
152Based on the exhibit, which change best improves both recovery time and recovery point for the ERP database? A mid-sized company has a two-hour RTO and a 30-minute RPO, but its current backup design cannot meet either objective during restore testing.
153A vulnerability scan finds a critical flaw on a public-facing server and a medium flaw on a lab system that is not connected to the production network. Which issue should be fixed first?
154An EDR console reports possible beaconing from a workstation because it makes outbound HTTPS connections to the same cloud IP every 15 minutes. The workstation belongs to the patch-management team, and the destination resolves to a vendor update service. Which evidence best supports closing the alert as a false positive?
155A technician restores a file server from backup, but the business wants confidence that the recovery process will work during an outage. What should the team do most often to validate the backups?
156Based on the exhibit, what is the best-supported conclusion for the SOC analyst?
157A file server in the accounting department begins renaming documents and dropping ransom notes. The SOC confirms encryption is still in progress, and the server hosts a share used by several finance teams. What should the incident response team do first?
158An EDR alert flags suspicious PowerShell on a finance workstation. Windows logs show the script started immediately after a patch-management tool launched from the software distribution server. The script only queries installed software and writes results to a log file. What is the most likely conclusion?
159A company wants to make sure it can recover quickly after ransomware, even if the production network is unavailable. Which backup approach is the best choice?
160A SOC analyst sees 20 failed logins for one user account, followed by a successful login 30 seconds later from the same office subnet. The user confirms they mistyped the password several times. What is the best conclusion?
161A SOC analyst confirms that an employee entered credentials into a phishing site and that the mailbox now shows a new forwarding rule sending messages to an external address. The account is still signed in on a laptop and a mobile phone. What is the best next action?
162A legacy application cannot be patched for two weeks, but the security team still wants to reduce risk in the meantime. What is the best temporary measure?
163A weekly scan reports three findings: a medium-severity missing patch on a lab VM with no network access, a high-severity default credential on a management interface reachable from the internet, and a low-severity outdated browser plug-in on a visitor kiosk. Which issue should be remediated first?
164Based on the exhibit, which action should the incident response team take next to eradicate the threat?
165Based on the exhibit, which change best improves recovery resilience against a repeat ransomware incident?
166A monthly scan finds a critical remote-code-execution issue on an internet-facing VPN appliance. The vendor has released a fix, but the appliance can only be rebooted during the weekend maintenance window in five days. What is the BEST immediate action to lower risk until patching can occur?
167A Linux host is patched, but the scanner still flags the package as vulnerable. The vendor advisory says the distribution backported the fix, so the package version did not change. What should the analyst do before closing the ticket?
168A file server is actively renaming documents and generating ransom notes. The server hosts a shared drive used by finance, and users are still online. What is the best immediate action?
169A SIEM alert shows a workstation making repeated outbound HTTPS connections every 15 minutes to the same cloud IP address. The host belongs to the patch-management group, and the security team suspects an approved agent may be responsible. Which two checks best validate whether this is a false positive? Select two.
170A branch office uses a NAS for nightly backups, but the NAS is joined to the same domain as the production servers. After ransomware encrypted both production data and backups, management wants the most effective change to reduce the chance of backup tampering without a major redesign. Which control should be implemented?
171After containment and eradication of malware on several laptops, the team restores the devices from known-good images and verifies that users can authenticate and access email. Which action should occur NEXT to complete the incident response lifecycle and reduce future impact?
172A SOC analyst confirms that a user entered corporate credentials into a fake sign-in page. Mailbox logs now show a new forwarding rule sending messages to an external address, and the attacker may still have an active session. Which two actions should the analyst take first to contain the account compromise? Select two.
173A critical vulnerability is discovered on an internet-facing VPN appliance that cannot be patched for six weeks because the vendor has not released a fix. The VPN service must remain available. What is the best operational response?
174A systems administrator says the backup software reports success every night, but no one has restored a server from backup in over a year. The business wants confidence that a file server can be recovered within the agreed recovery window. What is the best next action?
175A user reports that their laptop is suddenly encrypting files and showing a ransom note. What should the incident response team do first?
176Based on the exhibit, what should the team do next after the account has been contained?
177Management wants to ensure a file server backed up every night can actually be restored within a 4-hour recovery time objective after an incident. Which two actions best improve recovery confidence? Select two.
178A Linux administrator must run a weekly maintenance script on 40 servers without giving technicians interactive root access. Which two practices best support secure administration? Select two.
179After a suspicious laptop is imaged with a write blocker, the original drive is sealed and stored. Before a second analyst examines the image, what is the most important next step to preserve admissibility?
180A server room is located next to a chilled-water pipe, and facilities staff want the earliest possible warning if moisture starts leaking under the raised floor. Which control is the best fit?
181An email security team receives a macro-enabled spreadsheet from a known supplier. The file must be analyzed before users open it, and if it proves malicious, the organization wants to stop the same attachment from reaching other inboxes. Which two tools are the best fit? Select two.
182Match each incident response activity to the phase of the incident response lifecycle it best represents. Use each option once. 1. A SOC analyst disables a compromised account, isolates the workstation from the network, and preserves volatile evidence. 2. The team images the infected system, removes the malicious persistence mechanism, and patches the exploited vulnerability. 3. After restoring services, the team reviews timeline gaps, detection delays, and control failures with management. 4. Before the attack occurs, the team verifies contact lists, playbooks, escalation paths, and backup credentials. 5. The team confirms suspicious authentication logs, endpoint alerts, and unusual outbound traffic indicate an active compromise.
183A finance workstation begins encrypting local files, and the EDR console shows the process is also enumerating SMB shares on adjacent hosts. The user reports no suspicious email and is still logged in. Management wants the fastest containment step that minimizes spread and the best follow-up action to preserve useful evidence. Which two actions should the SOC take first? Select two.
184A SIEM analyst reviews authentication logs and sees the following pattern over 15 minutes: 68 different user accounts each had one failed login attempt from the same source IP, followed by no lockouts, and then one of the accounts successfully authenticated from that same IP using a valid password. What is the most likely explanation?
185After a ransomware incident, management learns the attacker's stolen domain admin credentials were used to delete recent online backups from the same backup network. Which backup strategy would have most reduced the chance of permanent backup loss?
186The email security team receives a suspicious invoice attachment from a vendor. The attachment is not blocked by signature-based detection, but the team wants to observe its behavior in a safe environment before delivery to users. What tool best fits this requirement?
187A nightly patch script restarts services on 40 Linux servers. Security does not want an administrator to log in interactively, and the script should only have the permissions needed to install approved patches and restart those services. What is the best design?
188Based on the exhibit, which control should be installed or expanded to provide the earliest warning of this hazard?
189An investigator must collect data from a suspected insider-threat laptop so the evidence could be used in an HR and legal review. Which action best preserves admissibility?
190A SIEM alert shows 300 failed logins against the same VPN account from one source IP over 12 minutes, followed by a successful login from that same IP and a spike in mailbox access. The user says they did not initiate the session. What is the most likely cause?
191Based on the exhibit, which change best improves secure administration for the scheduled task?
192A SIEM correlates VPN authentication logs and sees 14 different user accounts receive one failed login attempt each from the same source IP during a 5-minute window. A few minutes later, one of those accounts successfully authenticates from that same IP. Which attack is most likely?
193A security team receives a macro-enabled spreadsheet from a supplier. The file must be analyzed before any user opens it, and if the same payload later executes on an endpoint the organization wants the ability to contain it automatically. Which two tools best fit those requirements? Select two.
194A network analyst reviews packet captures from a subnet where users intermittently lose access to the gateway. Which two findings would most strongly indicate ARP spoofing? Select two.
195A Linux operations team must run a nightly maintenance script on 70 servers to rotate logs and restart one service. Security will not allow interactive SSH logins, and the script should only have the permissions required for those two commands. Which two configuration choices best meet the requirement? Select two.
196A system administrator must run a weekly maintenance script that stops and restarts two services on 50 Linux servers. Security says the job must not use an interactive login and should have only the permissions needed for that task. What is the best approach?
197A public web application is seeing bursts of requests that contain SQL metacharacters, encoded script tags, and attempts to POST to administrative endpoints. The team wants a control that can inspect HTTP traffic and block the malicious requests before they reach the app. What should be deployed?
198A help desk ticket reports that a user's Microsoft 365 mailbox sent hundreds of messages to external contacts, and the user says they are still receiving MFA prompts they did not start. The attacker may still have an active web session. What is the best first containment action?
199An investigator has just created a bit-for-bit image of a suspect's SSD using a write blocker. Before the drive is returned to evidence storage, what action most directly validates the integrity of both the original media and the image?
200After a ransomware incident, management sees that last night's backups completed successfully and wants proof they can actually be used before production is declared recovered. Which three actions best validate recoverability? Select three.
201After seizing a suspect's laptop, a responder creates a bit-for-bit disk image using a write blocker. The legal team wants the next step that most directly supports evidence integrity for later review. What should the responder do?
202A branch office's network closet has repeated unauthorized access issues after staff badge in and hold the door for others. Management wants a control that allows one person through after valid badge use and helps prevent tailgating. Which control is best?
203A SIEM analyst reviews the following sequence from a VPN and email platform over 15 minutes: 47 failed logins against different accounts from one public IP, one successful VPN login from that same IP, a new inbox forwarding rule to an external address, and a mailbox sign-in from a device never seen before. Which three findings most strongly support a password-spraying-to-compromise scenario? Select three.
204After a ransomware incident, management says backups are available but will not approve closure until the team proves the restore process works without risking production data. Which two actions best validate recoverability? Select two.
205A data center has repeated tailgating incidents at the entry to the server room. Management wants a control that forces one person to pass after badge authentication and prevents two people from entering together. What should be installed?
206A server room uses raised flooring and sits below a chilled-water pipe. Facilities wants the earliest warning if water starts accumulating under the floor tiles. Which control should be added?
207After collecting a suspect laptop, the responder makes a bit-for-bit image of the drive. Which two actions best support chain of custody? Select two.
208An analyst receives a disk image and the original hash from a response team member. Before any examination begins, the analyst must be able to show the image is unchanged and that the evidence handling process is defensible. Which two actions are most important? Select two.
209A help desk technician receives an alert that an unmanaged laptop was plugged into a conference room network jack and was automatically placed into a restricted network segment until it passed a security check. Which control is responsible for that behavior?
210A records room has repeated tailgating after hours and occasional door propping during deliveries. Management wants one control that prevents follow-on entry and another that immediately alerts security if the door is forced open or left ajar. Which two controls best meet the need? Select two.
211A data center wants to reduce tailgating at a sensitive room entrance. Which two controls are most effective? Select two.
212A responder has imaged a suspect laptop and needs to preserve the evidence for possible legal action. Which three actions best support chain of custody and admissibility? Select three.
213A security team receives a suspicious email attachment and wants to inspect its behavior safely before any user opens it. They also want a tool that can isolate the same threat if it reaches an endpoint. Which two tools or capabilities best fit this need? Select two.
214A system administrator must run a weekly patch-and-restart job on 80 Linux servers without logging in interactively. The job should be repeatable, auditable, and limited to only the required maintenance commands. What is the best approach?
215A SOC analyst reviews an EDR alert showing powershell.exe launched with an encoded command, then immediately connected to an unfamiliar IP address and spawned rundll32.exe. The user is still logged in and the machine may still contain evidence needed for investigation. Which two actions should the analyst take first to contain the incident while preserving evidence? Select two.
216Based on the exhibit, which tool should the security team use to safely observe the attachment's behavior before delivery to users?
217Facilities sees occasional water droplets forming above the cable trays in a data room during humid afternoons. The team wants the earliest possible warning before equipment is damaged. Which control should be added?
218A SIEM correlates the following: 17 failed logons against the same VPN account from one IP in 9 minutes, a successful login from that IP, creation of a new API token in the SaaS tenant, and a large export job started two minutes later. Which two interpretations are best supported? Select two.
219A contractor connects a personal tablet to a lobby Ethernet jack. The network team wants the device blocked from internal resources until it passes posture checks and only guest access is allowed meanwhile. Which control best fits?
220After a ransomware event, management wants proof that last night's backups can actually support business operations before they declare recovery complete. What is the best action?
221A Linux operations team needs to run a nightly script that restarts one service and archives its logs on 60 servers. Security does not want an administrator to log in interactively, and the script should have only the permissions needed for that job. What is the best approach?
222. A SOC analyst confirms that a critical Linux virtual machine is making outbound connections to a known malicious IP address. The application owner says the VM hosts a revenue system that cannot be powered off without causing a major outage. What is the best containment action?
223. Based on the exhibit, which control would best reduce unauthorized follow-on entry into the records room?
224. A SIEM correlates VPN logs and sees the same public IP make one failed login attempt against 56 different user accounts over 25 minutes. The usernames vary, but the password value appears to be the same in each attempt. Ten minutes later, one of those accounts authenticates successfully from the same IP, and no password-reset events are recorded. Which attack pattern is most likely?
225. Help desk staff must restart one Windows service and read its event logs on 150 servers, but they should not have local administrator rights or interactive logon to the systems. Which approach best supports this requirement?
226. After seizing a suspected insider's laptop, a responder makes a bit-for-bit image of the drive. The legal team asks what step most directly proves the image was not altered after acquisition. What should be done?
227. A SOC analyst reviews one user account and sees several failed logins from a single IP, then a successful login from the same IP, followed by a new inbox forwarding rule to an external address. Which two findings most strongly suggest account compromise? Select two.
228. Based on the exhibit, what should the team do next to confirm the backups can actually be used during an outage?
229. A company is placing a customer-facing web application behind a new security control. The team wants to block malicious HTTP requests such as injection attempts before they reach the application server, with minimal code changes to the app itself. Which control is the best fit?
230. A SOC analyst receives an EDR alert showing a finance laptop creating encrypted archives and then attempting SMB connections to several internal file shares. The user is still logged in, and the business wants to stop possible spread without destroying volatile evidence. What should the analyst do first?
231. An email attachment from an external supplier is not blocked by signature-based AV, but the SOC wants to see whether it drops files, launches child processes, or contacts suspicious domains before delivery to users. Which control best fits?
232. Based on the exhibit, what should the analyst do before opening the forensic image for examination?
233. After hours, EDR alerts show a finance laptop encrypting local files and trying SMB connections to nearby workstations. The user is still logged in, and management wants the fastest step that limits spread while preserving evidence. What should the SOC do first?
234. Following a ransomware incident, management wants to verify that backups are usable and that a restored file server will meet recovery expectations before declaring the system trusted again. Which action is best?
235. A workstation is suspected of running malware and contacting an unknown host. Which two actions belong in the containment phase? Select two.
236. After a ransomware event, management wants proof that backups can actually be used before trusting them. Which two activities best validate recoverability? Select two.
237. A server room sits below a chilled-water line, and occasional condensation is forming on the pipe during humid afternoons. Facilities wants the earliest warning before water reaches equipment and a way to get an alert even if no one is onsite. Which two controls should be implemented? Select two.
238. A post-incident review shows the SOC detected malicious PowerShell activity six hours late because the existing detections did not correlate the encoded command, the unusual outbound connection, and the creation of a scheduled task. Leadership wants the two follow-up actions most likely to improve future response. Select two.
239. A SOC analyst confirms that a workstation is encrypting local files and attempting SMB connections to nearby hosts. The user is still logged in, and the business wants to limit spread without destroying evidence. What is the best immediate action?
240. A Linux operations team must run a nightly maintenance workflow on 60 servers to rotate logs and restart one service. Security does not allow interactive root logins, and every execution must be auditable. Which two practices best support secure administration? Select two.
241. After a ransomware event, the team restores a file server from backup, but management wants proof that the restore process will work before the backups are declared trusted. What should be done next?
242. A SIEM report shows this sequence over 25 minutes: the same public IP submitted one failed password attempt against 53 different accounts, then one account successfully authenticated, created an inbox forwarding rule, and downloaded hundreds of messages through the web portal. Which two conclusions are best supported? Select two.
243. Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?
244. A web team is moving a customer portal behind a new inspection device. They need something that can examine HTTP requests, block malicious patterns like injection attempts, and still allow normal browsing. Which control is most appropriate?
245. An email gateway receives a macro-enabled spreadsheet from an external supplier. Signature-based scanning does not flag it, but the security team wants to observe whether it drops files, creates persistence, or contacts suspicious domains before delivery to the user. Which tool best meets this need?
246. Following a ransomware incident, management wants proof that the organization can actually recover from its backups before declaring the backups trustworthy. What should the security team do next?
247. The web team is placing a public customer portal behind a control that can inspect HTTP requests, block malicious payloads such as SQL injection and cross-site scripting, and still allow legitimate application traffic without rewriting the app. Which control should they deploy?
248. A Linux web server was compromised through an outdated package. The team isolated the host, captured evidence, removed a malicious cron job, patched the vulnerable package, and confirmed no persistence remains. Which incident response phase are they primarily in now?
249. A SIEM reviews VPN authentication logs and sees 36 different usernames each receive one failed login attempt from the same source IP over 20 minutes, followed by one successful login to an unrelated account. Which attack is most likely?
250. An office loses power several times each month, causing servers to shut down without warning. Which control best helps keep the systems running long enough for a safe shutdown?
251. A user reports a suspicious pop-up on a workstation and the SOC suspects malware. Which action should the responder take first to contain the threat?
252. Match each SOC alert artifact to the most useful investigation pivot. Each pivot should help determine whether the alert is a true incident, a false positive, or part of a broader campaign.
253. Employees in a server room often prop the door open while carrying equipment. What control best helps detect and prevent this behavior?
254. A SOC analyst notices that log timestamps from different servers do not line up during an investigation. What should be implemented to improve event correlation?
255. A branch office loses power briefly several times each month. Which control best helps keep network equipment running long enough for an orderly shutdown?
256. A SOC analyst sees 38 failed logins for a finance user account from one public IP address over 4 minutes, followed by one successful login. What should the analyst do first?
257. A SOC analyst wants to make sure logs from multiple servers can be compared accurately during an incident review. What should be configured on those systems?
258. A critical patch must be applied to a production server next week. What is the best way to reduce the risk of downtime if the patch causes a problem?
259. A help desk team needs to update desktops in a call center without interrupting callers during peak hours. What is the best operational approach?
260. A laptop is suspected of being compromised, and the responder wants to preserve useful evidence before shutting it down. What should be done first?
261. Before applying a critical patch to a production application server, which action best reduces the risk of extended downtime if the patch fails?
262. A user reports a ransomware note on one department file share, but other departments are still working normally. What is the best first containment action?
263. Match each security monitoring artifact from the SOC alert queue to the best investigation focus.
264. A critical patch must be applied to a retail point-of-sale server. What is the best way to reduce business disruption?
265. Match each change-management practice to the best description for reducing patching risk in production.
266. A server room is sometimes left open while technicians carry equipment in and out. Which control best helps detect and discourage unauthorized entry?
267. Match each incident response action to its primary purpose during a suspected endpoint compromise.
268. A SIEM alert shows 120 failed logins for one user account from three different countries within 10 minutes, followed by a successful login. What should the analyst do first?
269. After a phishing incident, the security team wants to preserve evidence for later review. Which action is most appropriate?
270. A SIEM correlation rule alerts when a single user account fails to authenticate 20 times in 5 minutes and then succeeds from the same source IP. What is the most likely reason the team should investigate this event?
271. Match each detection pattern to the most likely security issue. Each item has one best match.
272. An EDR alert shows a user workstation launching an unfamiliar executable from the Downloads folder and then making repeated outbound connections to an IP address in another country. What is the best first response by the security team?
273. An EDR console alerts that powershell.exe launched with an encoded command on a finance workstation, and a minute later the host begins making repeated outbound connections to an unfamiliar IP address. What is the best initial response?
274. A hardening script is pushed to a production web server and, within minutes, the application stops accepting secure connections. The team discovers the script disabled a required TLS setting that the legacy application still needs. What should have been in place to reduce the impact of this change?
275. An NDR tool shows a production web server sending small, periodic DNS queries to random-looking subdomains under a domain the company does not use. The pattern repeats every 60 seconds, even when normal web traffic is idle. What is the best interpretation and next step?
276. A file server begins encrypting documents, and the SOC confirms the activity is malicious. Which incident response step should happen first to limit further damage?
277. A SOC analyst receives an alert from the VPN appliance and identity platform. In the last 10 minutes, a user account had 14 failed VPN logons from one country, then one successful login from a different country. The user calls the help desk and says they have not used their account today. What should the analyst do first?
278. After a workstation hardening baseline is updated, the security team wants to confirm that finance laptops actually match the new settings. Which control is the best way to verify this?
279. A nightly backup job shows "Completed successfully" in the backup console, but a test restore fails with an authentication error after the backup service account password was rotated last week. What is the best next step?
280. A manager asks the security team to let Human Resources inspect the files on a laptop suspected of containing stolen customer data before IT touches it. What is the best response?
281. An organization is retiring a batch of laptops with SSDs. All of the systems used full-disk encryption and stored sensitive internal documents. What is the best action before the devices leave the company?
282. A vulnerability scan finds that an old print server still has SMBv1 enabled. The business says the vendor will not support a patch for at least two months, but the server must stay online. What is the best temporary mitigation?
283. A security scan finds a critical patch missing on a public-facing web server. The patch has already been tested in the lab and approved for deployment. What should the operations team do next?
284. A security analyst is reviewing incident response procedures. Which three of the following activities are typically performed during the 'Containment, Eradication, and Recovery' phase of the incident response process? (Choose three.)
285. An organization is implementing a new Security Information and Event Management (SIEM) system. Which three of the following are primary capabilities that a SIEM provides to support security operations? (Choose three.)
286. A company is implementing controls to protect against insider threats. Which three of the following controls are most effective for detecting and preventing data exfiltration by a malicious insider? (Choose three.)
287. A security operations center (SOC) analyst is investigating a potential malware outbreak. Which three of the following indicators of compromise (IOCs) would provide the strongest evidence of malicious activity? (Choose three.)
288. A security analyst is reviewing the organization's incident response procedures. According to the NIST SP 800-61 framework, which four of the following are recognized phases of the incident response lifecycle? (Choose four.)
289. An organization is implementing a Security Information and Event Management (SIEM) system to enhance its security monitoring capabilities. Which four of the following are primary functions of a SIEM? (Choose four.)
290. Drag and drop the steps for the RADIUS authentication process into the correct order.
291. Drag and drop the steps to implement a backup strategy following the 3-2-1 rule into the correct order.
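Several questions above (224, 227, 242, 249, 256, 268, 270 and 277) turn on the same SIEM correlation: does a source IP fail once against many accounts (password spraying), or many times against one account (brute force), and does that source later succeed? The script below is an added worked example written for this page; it is not Courseiva or CompTIA material. The log format (`timestamp|src_ip|user|result`), the sample records, and the thresholds (10 accounts for a spray, 20 failures for brute force) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed 'timestamp|src_ip|user|result' record."""
    ts, src, user, result = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "user": user, "ok": result == "SUCCESS"}


def build_sample_log():
    """Constructed VPN log: one spray, one brute force, one benign mistyped login."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    lines = []
    # Spray from 203.0.113.7: 12 accounts, one failure each, then a success 16 minutes in.
    for i in range(12):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()}|203.0.113.7|user{i:02d}|FAIL")
    lines.append(f"{(base + timedelta(minutes=16)).isoformat()}|203.0.113.7|user07|SUCCESS")
    # Brute force from 198.51.100.9: 25 failures against finance1 in about 4 minutes, then success.
    for i in range(25):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}|198.51.100.9|finance1|FAIL")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()}|198.51.100.9|finance1|SUCCESS")
    # Benign from 192.0.2.5: eve mistypes twice, then logs in.
    for m, result in ((1, "FAIL"), (2, "FAIL"), (3, "SUCCESS")):
        lines.append(f"{(base + timedelta(minutes=m)).isoformat()}|192.0.2.5|eve|{result}")
    return lines


def classify_sources(lines, spray_min_accounts=10, spray_max_per_account=2,
                     brute_min_failures=20):
    """Group events by source IP and label the failure pattern; thresholds are assumptions."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        if not fails:
            continue
        per_user = defaultdict(int)
        for e in fails:
            per_user[e["user"]] += 1
        worst = max(per_user.values())
        # Spray: many accounts, each hit once or twice. Brute force: one account hammered.
        if len(per_user) >= spray_min_accounts and worst <= spray_max_per_account:
            pattern = "password_spray"
        elif worst >= brute_min_failures:
            pattern = "brute_force"
        else:
            pattern = "inconclusive"
        # Accounts that authenticated from this source after it had already been failing.
        first_fail = fails[0]["ts"]
        succeeded = sorted({e["user"] for e in evs if e["ok"] and e["ts"] > first_fail})
        findings[src] = {
            "pattern": pattern,
            "accounts_failed": len(per_user),
            "max_failures_one_account": worst,
            "succeeded_after_failures": succeeded,
        }
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(build_sample_log()).items():
        print(src, finding)
```

The benign source stays "inconclusive" on purpose: a success after two failures is exactly the case question 270 asks about, and it needs context (geolocation, new forwarding rules, password-reset events) before it becomes an incident. A spray source that later succeeds with no reset recorded is the stronger signal and is the one to disable and investigate first.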
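Question 275 describes the classic DNS beacon: small queries on a fixed period to random-looking labels under a zone the organization does not use. The script below is an added example for this page, not Courseiva or CompTIA code, showing the two measurements an NDR or SIEM rule actually makes: how regular the query interval is (coefficient of variation of the gaps) and how random the subdomain labels look (Shannon entropy). The DNS log rows, the two zones, and the thresholds (interval CV at or below 0.1, mean label entropy of at least 3.0 bits) are assumptions; treating the last two labels as the zone is a simplification that ignores the public suffix list.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(label):
    """Bits per character of a DNS label; a label of all-distinct characters scores log2(len)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Assumption: the last two labels are the zone; no public-suffix handling."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), labels[0]


def build_sample_queries():
    """Constructed DNS log rows (timestamp, client, qname); both zones are placeholders."""
    base = datetime(2024, 5, 1, 3, 0, 0)
    rows = []
    # Beacon: one query every 60 s, each to a fresh random-looking label under example.net.
    labels = ["k3j9x0q2mv7a", "p8zt4c1wn6yb", "v2hq7r9dm0ls",
              "a6cx3n8tq1ke", "z0wm5b7yr4ju", "e9ls2k6pv3dn"]
    for i, lab in enumerate(labels):
        rows.append((base + timedelta(seconds=60 * i), "10.0.0.25", f"{lab}.example.net"))
    # Normal browsing: irregular timing, dictionary hostnames under example.com.
    for off, host in ((3, "www"), (11, "api"), (12, "cdn"), (95, "mail"), (140, "www"), (141, "static")):
        rows.append((base + timedelta(seconds=off), "10.0.0.25", f"{host}.example.com"))
    return rows


def analyze_dns(rows, min_queries=5, max_interval_cv=0.1, min_entropy=3.0):
    """Flag (client, zone) pairs whose queries are both periodic and random-looking."""
    by_pair = defaultdict(list)
    for ts, client, qname in rows:
        zone, sub = split_qname(qname)
        by_pair[(client, zone)].append((ts, sub))

    findings = {}
    for key, qs in by_pair.items():
        if len(qs) < min_queries:
            continue
        qs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(qs, qs[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation: 0 for a perfect clock, large for human-driven traffic.
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        entropy = statistics.mean([shannon_entropy(sub) for _, sub in qs])
        findings[key] = {
            "queries": len(qs),
            "period_s": mean_gap,
            "interval_cv": cv,
            "mean_label_entropy": entropy,
            "beaconing": cv <= max_interval_cv and entropy >= min_entropy,
        }
    return findings


if __name__ == "__main__":
    for key, finding in analyze_dns(build_sample_queries()).items():
        print(key, finding)
```

A hit here is a likely command-and-control or DNS-tunnelling channel rather than a misconfiguration, so the next step is to isolate the web server and capture the full query stream for the zone, not just to sinkhole the one domain: blocking the zone alone tells the operator their channel was found and leaves the implant on the host.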
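Questions 226 and 232 both come down to one procedure: hash the forensic image immediately after acquisition, record the digest with the case details, and recompute and compare before the image is ever opened for examination. The script below is an added example written for this page, not Courseiva or CompTIA code. The 1 MiB in-memory "image", the case fields, and the choice of SHA-256 plus SHA-1 are assumptions; a real workflow would hash the output of the imaging tool (dd, E01) through a write blocker and keep the record outside the evidence volume.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-gigabyte image is never loaded at once
ALGOS = ("sha256", "sha1")  # two independent digests, as most imaging tools record


def hash_stream(stream):
    """Stream the image once, feeding every chunk to each hasher; returns (digests, size)."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    size = 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}, size


def acquisition_record(stream, case_id, examiner, source_desc):
    """Build the chain-of-custody record taken at acquisition time (field names assumed)."""
    digests, size = hash_stream(stream)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_desc,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": size,
        **digests,
    }


def verify_image(stream, record):
    """Recompute before examination; returns (ok, list of fields that no longer match)."""
    digests, size = hash_stream(stream)
    mismatches = [a for a in ALGOS if digests[a] != record[a]]
    if size != record["size_bytes"]:
        mismatches.append("size_bytes")
    return (not mismatches, mismatches)


def demo():
    """Constructed 1 MiB image: verify the untouched copy, then a copy with one bit flipped."""
    image = bytes(range(256)) * 4096
    record = acquisition_record(io.BytesIO(image), "CASE-0001", "examiner", "laptop SSD, serial redacted")
    ok_same, _ = verify_image(io.BytesIO(image), record)
    tampered = bytearray(image)
    tampered[500_000] ^= 0x01  # a single flipped bit deep in the image
    ok_tampered, bad_fields = verify_image(io.BytesIO(bytes(tampered)), record)
    return ok_same, ok_tampered, bad_fields


if __name__ == "__main__":
    print(demo())
```

The verification step is what answers the legal team's question in 226: the examiner can show the digest recorded at seizure and the identical digest computed later, and any edit, even one bit, produces a different value. Examination itself should then proceed on a working copy whose hash also matches, so the original image stays verifiable for the life of the case.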
The Courseiva SY0-701 question bank contains 291 questions in the Security Operations domain, covering the 28% of the exam attributed to this domain in the official CompTIA blueprint. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Operations domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.