
CompTIA · Free Practice Questions · Last reviewed May 2026

SY0-701 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

90 exam questions
90 min time limit
Pass: 750/1000
5 exam domains

Domain 1: General Security Concepts

12% of exam · 6 sample questions below

Q1 (medium)

A security engineer writes a script that computes SHA-256 hashes of critical server configuration files every night and sends an alert if any hash value has changed since the previous night. Which security goal is this control primarily designed to protect?

A

Confidentiality

B

Integrity

Integrity ensures that data has not been tampered with or altered by unauthorized parties. Comparing hashes allows the engineer to detect any unauthorized changes to the configuration files, directly supporting the integrity goal. This is the correct answer.

C

Availability

D

Authentication

Why: The script computes SHA-256 hashes of configuration files and compares them nightly to detect any unauthorized or accidental changes. This directly protects the integrity of the files by ensuring they have not been modified, which is the core security goal of integrity. Confidentiality and availability are not addressed by hash comparison.
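The nightly check described in Q1, written out as an added example (not the site's or any vendor's code): it builds a SHA-256 baseline of every file under a directory, stores it, and on the next run reports changed, added and removed files. The directory contents, file names and the "tampering" between runs are all constructed here for the demonstration.

```python
"""Hash-based file integrity check, as described in Q1 (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large configuration files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baselines(previous: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report changed, added and removed files; an all-empty report means no alert."""
    return {
        "changed": sorted(f for f in previous if f in current and previous[f] != current[f]),
        "added": sorted(f for f in current if f not in previous),
        "removed": sorted(f for f in previous if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, tamper with one file, add another, rerun."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (root / "sudoers").write_text("root ALL=(ALL) ALL\n")
        night1 = build_baseline(root)
        # The baseline belongs somewhere the monitored host cannot quietly rewrite it
        # (a separate log server, for instance); serialising it is enough to show the format.
        stored = json.dumps(night1, indent=2)

        # Simulated unauthorized changes between the two runs (constructed values).
        (root / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "authorized_keys").write_text("ssh-ed25519 AAAAC3 constructed-key attacker@example\n")

        night2 = build_baseline(root)
        return compare_baselines(json.loads(stored), night2)


if __name__ == "__main__":
    print(demo())
```

Note that the check only detects change; it cannot say who made it or whether it was authorised, which is why a change-management record is needed alongside it.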
Q2 (medium)

A financial institution updates its access control policy to require that two different system administrators must approve and execute any changes to the core transaction processing database. Which security principle is this practice primarily designed to enforce?

A

Defense in depth

B

Separation of duties

Correct. Separation of duties ensures that no single person has exclusive authority over critical functions. By splitting approval and execution between two administrators, the risk of unauthorized or malicious changes is significantly reduced.

C

Least privilege

D

Need to know

Why: Requiring two different system administrators to approve and execute changes to the core transaction processing database enforces separation of duties. This principle ensures that no single individual has the authority to perform both the approval and execution steps, reducing the risk of fraud, error, or unauthorized modifications. In a financial institution, this is critical for maintaining the integrity of transaction data and complying with regulatory standards like SOX or PCI DSS.
Q3 (medium)

A security architect is designing the network security posture for a new branch office. The plan includes a next-generation firewall at the perimeter, an intrusion prevention system on the internal network, mandatory multi-factor authentication for all remote access, and quarterly security awareness training for employees. The architect explains that these controls are independent of each other so that a failure in any single control does not leave the entire network unprotected. Which security concept is the architect primarily implementing?

A

Least privilege

B

Defense in depth

Defense in depth uses multiple overlapping and independent security controls to protect an environment, ensuring that if one control fails, others continue to provide protection. The architect's design directly implements this principle.

C

Zero trust

D

Separation of duties

Why: The architect is implementing defense in depth by layering multiple independent security controls—a next-generation firewall (NGFW) at the perimeter, an intrusion prevention system (IPS) on the internal network, mandatory multi-factor authentication (MFA) for remote access, and quarterly security awareness training. The key phrase 'independent of each other so that a failure in any single control does not leave the entire network unprotected' directly describes the principle of layered defenses, where no single point of failure compromises overall security. This approach ensures that if an attacker bypasses the NGFW, the IPS or MFA may still prevent or detect the breach.
Q4 (medium)

A security analyst at a hospital is reviewing user permissions in the electronic health record (EHR) system. The analyst discovers that all nursing staff accounts are members of the 'Administrators' group, which grants full read and write access to all patient records, as well as the ability to modify system configuration settings. The nursing staff's job responsibilities only require viewing and updating records for patients currently assigned to them. Which security principle is most directly violated by this configuration?

A

Defense in depth

B

Least privilege

The principle of least privilege dictates that users should have only the minimum permissions needed to perform their duties. Granting nursing staff full administrative rights violates this principle because the staff only need limited, role-specific access to patient records.

C

Non-repudiation

D

Availability

Why: The principle of least privilege dictates that users should be granted only the minimum permissions necessary to perform their job functions. In this case, nursing staff only need read and write access to records of currently assigned patients, but membership in the 'Administrators' group grants full read/write access to all patient records and the ability to modify system configuration settings, which far exceeds their job requirements. This directly violates least privilege by providing excessive, unnecessary privileges that increase the risk of unauthorized access or accidental misconfiguration.
Q5 (medium)

A defense contractor is deploying a new document management system that will store classified military intelligence. The security policy requires that user access to each document is strictly determined by the document's classification label (e.g., Confidential, Secret, Top Secret) and the user's verified security clearance level. Furthermore, system administrators must not be able to change these access rules or grant themselves access to documents above their clearance. Which access control model is best suited for this requirement?

A

Discretionary Access Control (DAC)

B

Role-Based Access Control (RBAC)

C

Mandatory Access Control (MAC)

MAC is the correct model. It uses system-enforced security labels (clearance for users, classification for documents) and prevents any user, including administrators, from overriding the access rules.

D

Attribute-Based Access Control (ABAC)

Why: Mandatory Access Control (MAC) is the correct choice because it enforces access decisions based on security labels (e.g., classification levels) and user clearances, which are centrally managed and cannot be overridden by users or administrators. In this scenario, the system must strictly enforce that a user's clearance level matches or exceeds the document's classification label, and administrators cannot modify these rules or elevate their own access—a core property of MAC systems like SELinux or those implementing Bell-LaPadula.
Q6 (medium)

A security analyst is investigating a data integrity incident where an attacker exploited a vulnerability in a web application to alter customer account balance records in the database. The analyst identifies the exact records that were modified and restores those records from a verified read-only backup taken prior to the attack. Which security goal is the analyst primarily addressing by restoring the records from backup?

A

Confidentiality

B

Integrity

Integrity ensures data is accurate and has not been improperly altered. By restoring the database to a state before the unauthorized modifications, the analyst is directly correcting a breach of integrity.

C

Availability

D

Non-repudiation

Why: Restoring the altered customer account balance records from a verified read-only backup directly addresses the integrity security goal. Integrity ensures that data is accurate and has not been modified by unauthorized parties. By reverting the records to their pre-attack state, the analyst is correcting the unauthorized modifications, thereby restoring the trustworthiness of the data.


Domain 2: Threats, Vulnerabilities, and Mitigations

22% of exam · 6 sample questions below

Q1 (medium)

A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?

A

SQL injection

Correct. The log entries show SQL syntax such as `OR '1'='1'` and `DROP TABLE`, which are classic indicators of SQL injection attempts. This attack exploits improper input sanitization to manipulate database queries.

B

LDAP injection

C

Command injection

D

Cross-site scripting (XSS)

Why: The repeated requests contain classic SQL injection payloads, such as `' OR '1'='1' --` (used to bypass authentication or extract data) and `'; DROP TABLE Users; --` (used to delete database tables). The HTTP 200 responses with unexpected data strongly suggest that the application is vulnerable to SQL injection, as the injected SQL code appears to be executed against the backend database. This attack targets the SQL database layer, not LDAP directories or operating system commands.
Q2 (medium)

A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?

A

Stack canaries

Correct. Stack canaries are placed before the return address on the stack. If a buffer overflow overwrites the canary, the program terminates, preventing control-flow hijacking. This is a highly effective runtime defense against stack-based buffer overflows.

B

Transport Layer Security (TLS)

C

Code signing

D

Data Execution Prevention (DEP)

Why: Stack canaries are the most effective runtime control for detecting and preventing buffer overflow exploitation. When a buffer overflow overwrites the stack, it corrupts a canary value placed between the buffer and the return address; before the function returns, the canary is checked, and if altered, the program terminates immediately, preventing arbitrary code execution.
Q3 (medium)

A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?

A

Deploying a stronger email spam filter that blocks all emails from unrecognized domains

B

Requiring multi-factor authentication (MFA) for all corporate email accounts

C

Implementing a policy that all financial transfers over a certain threshold must be verbally verified via a known phone number before execution

An out-of-band verification procedure, such as calling the requester on a known phone number, directly addresses the impersonation risk by confirming the request through an independent communication channel.

D

Enabling Transport Layer Security (TLS) encryption for all outgoing email communications

Why: Option C is correct because the attack is a business email compromise (BEC) using a lookalike domain. A policy requiring verbal verification via a known phone number adds a human out-of-band check that bypasses the email channel entirely, preventing the fraudulent transfer even if the email appears legitimate. This control directly addresses the social engineering aspect of the attack, which technical controls alone cannot fully mitigate.
Q4 (medium)

A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?

A

Spear phishing

B

Vishing

Vishing (voice phishing) is a social engineering attack conducted over the phone. The attacker impersonates a trusted entity to trick the victim into revealing sensitive information such as passwords and MFA codes.

C

Pretexting

D

Tailgating

Why: B is correct because vishing (voice phishing) is a social engineering attack conducted over the phone, where the attacker impersonates a trusted entity (IT support) to trick the victim into revealing sensitive information such as credentials and MFA codes. The request for the current MFA code is a key indicator, as it would allow the attacker to bypass multi-factor authentication in real time.
Q5 (medium)

A security analyst is reviewing the source code of a custom authentication service. The service uses a function that compares a user-supplied password to the stored password hash by iterating through each byte and returning false immediately upon the first mismatch. The analyst measures the function's execution time and discovers it varies measurably depending on how many initial bytes match. Which type of attack is this vulnerability most likely to facilitate?

A

Brute-force attack

B

Dictionary attack

C

Replay attack

D

Timing attack

A timing attack exploits measurable variations in the time it takes to execute a cryptographic operation. In this case, the early-exit comparison enables an attacker to deduce the correct secret byte by byte, making it the correct classification.

Why: The vulnerability is a timing attack because the comparison function returns false immediately upon the first mismatched byte, causing execution time to vary based on how many initial bytes match. An attacker can measure these timing differences to iteratively guess each byte of the password hash, effectively reducing the search space from exponential to linear. This is a classic side-channel attack that exploits observable timing variations in cryptographic or authentication operations.
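The early-exit comparison from Q5 next to a constant-time one, as an added example (not the site's code). Instead of measuring wall-clock time, which is noisy on a laptop, each function reports how many bytes it examined; that count is what an attacker's timing measurements approximate. The 3-byte "stored hash" and the guesses are constructed values.

```python
"""Early-exit vs constant-time byte comparison (added example for Q5)."""
import hmac


def early_exit_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Vulnerable pattern from the question: stop at the first mismatch.
    Returns (equal, bytes_examined); bytes_examined stands in for elapsed time."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Hardened form: examine every byte and accumulate differences, so the amount
    of work does not depend on where the first mismatch occurs."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def recommended_compare(a: bytes, b: bytes) -> bool:
    """What to use in practice: the standard library's constant-time comparison."""
    return hmac.compare_digest(a, b)


def work_profile(compare, secret: bytes, guesses: list[bytes]) -> list[int]:
    """Work done per guess. A profile that grows with the length of the matching
    prefix is exactly the side channel a timing attack measures; a flat profile
    gives the attacker nothing to rank guesses by."""
    return [compare(secret, g)[1] for g in guesses]


SECRET = bytes.fromhex("5f2a9c")  # constructed 3-byte "stored hash"
GUESSES = [
    bytes.fromhex("000000"),  # no matching prefix
    bytes.fromhex("5f0000"),  # first byte matches
    bytes.fromhex("5f2a00"),  # first two bytes match
    bytes.fromhex("5f2a9c"),  # full match
]

if __name__ == "__main__":
    print("early-exit   :", work_profile(early_exit_compare, SECRET, GUESSES))
    print("constant-time:", work_profile(constant_time_compare, SECRET, GUESSES))
```

The hand-written loop shows the idea, but CPython gives no timing guarantees for it; use `hmac.compare_digest` for real secret comparisons.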
Q6 (medium)

A security analyst is reviewing the results of a dynamic application security test (DAST) on a new e-commerce application. The report indicates that the application's product search functionality is vulnerable to blind SQL injection. The analyst is tasked with recommending a remediation to the development team. The developers currently concatenate user input directly into SQL queries. Which of the following recommendations would most effectively and permanently mitigate this vulnerability?

A

Implement a web application firewall (WAF) rule to block suspicious SQL keywords in search parameters.

B

Sanitize user input by escaping single quotes and other special characters before concatenation.

C

Replace dynamic SQL queries with parameterized prepared statements.

Parameterized prepared statements ensure that user input is always treated as data, not executable code. The database compiles the SQL statement with parameter placeholders, and the actual values are bound separately. This completely prevents SQL injection because the input cannot alter the query structure. This is the industry-standard permanent fix.

D

Encode all user input using HTML entity encoding before database operations.

Why: Option C is correct because parameterized prepared statements separate SQL logic from user input, ensuring that input is always treated as data, not executable code. This permanently prevents SQL injection by design, regardless of the input content, unlike input filtering or WAF rules which can be bypassed.
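The two search implementations contrasted in Q6, fed the `' OR '1'='1' --` payload logged in Q1, as an added example (not the site's code). It uses Python's built-in `sqlite3` module against a constructed in-memory table; the table, rows and column names are all assumptions for the demonstration.

```python
"""Concatenated vs parameterized query (added example for Domain 2, Q1 and Q6)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed product table standing in for the e-commerce search backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret_cost REAL)")
    conn.executemany(
        "INSERT INTO products (name, secret_cost) VALUES (?, ?)",
        [("widget", 1.5), ("gadget", 7.25), ("doohickey", 3.0)],
    )
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> list[str]:
    """Vulnerable: user input becomes part of the SQL text, so quotes and
    comment markers in the input change the query's structure."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn: sqlite3.Connection, term: str) -> list[str]:
    """Fixed: the statement is compiled with a placeholder and the term is bound
    as data, so it can only ever be compared against the name column."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return sorted(row[0] for row in rows)


# Payload from the Q1 log excerpt.
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated  :", search_concatenated(db, PAYLOAD))   # every row leaks
    print("parameterized :", search_parameterized(db, PAYLOAD))  # no product has that name
```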


Domain 3: Security Architecture

18% of exam · 6 sample questions below

Q1 (medium)

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

A

Place both the web server and the database server in the same DMZ segment and rely on host-based firewalls for protection.

B

Place the web server in the DMZ and the database server on the internal network. Configure the firewall to allow inbound traffic from the web server to the database server on the required port only.

This architecture follows the principle of defense in depth. The DMZ provides an additional security layer for the web server, while the database is isolated on the internal network with a restrictive firewall rule that limits access to only the web server, reducing the attack surface.

C

Connect both servers to a single internal VLAN and use a reverse proxy to forward external traffic to the web server.

D

Use a site-to-site VPN to connect the web server and database server, and place both behind a single NAT gateway.

Why: Option B is correct because it implements a tiered network architecture where the web server resides in the DMZ (a semi-trusted zone) and the database server is placed on the internal network, isolated from direct internet access. The firewall is configured with a stateful rule that permits only the web server's IP and the specific database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL), preventing any direct inbound connections from the internet to the database. This minimizes the attack surface by ensuring that even if the web server is compromised, the database is not directly reachable from external hosts.
Q2 (medium)

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

A

Least privilege

B

Defense in depth

Correct. The design uses network segmentation, firewalls, and encryption to create multiple layers of defense. This is the core concept of defense in depth, ensuring that a failure in one layer does not compromise the entire system.

C

Separation of duties

D

Zero trust

Why: The design enforces defense in depth by layering multiple security controls: a DMZ isolates public-facing web servers from internal networks, a stateful firewall restricts inbound traffic to HTTP/HTTPS only, and outbound connections from web servers to internal application servers are limited to a specific TCP port with TLS encryption. This layered approach ensures that even if one control fails (e.g., a web server is compromised), the attacker still faces additional barriers to reach sensitive internal systems.
Q3 (medium)

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

A

Implement a next-generation firewall and require all remote traffic to pass through it with strict rules.

B

Deploy a secure web gateway and require all remote users to browse through a proxy.

C

Use a software-defined perimeter that authenticates each user and device before granting access only to specific applications.

A software-defined perimeter (SDP) or zero trust network access (ZTNA) solution authenticates and authorizes each connection request individually, creating an encrypted tunnel only to the requested application. This prevents lateral movement because the user never receives a network-level address on the internal LAN.

D

Enable multi-factor authentication for VPN and implement a VPN concentrator with split tunneling.

Why: Option C is correct because a software-defined perimeter (SDP) implements zero trust by authenticating both the user and device before granting access to specific applications, not the entire network. This prevents lateral movement by ensuring that even after authentication, the endpoint can only reach the allowed application, not the full LAN. This aligns with the zero trust principle of 'never trust, always verify' and micro-segmentation.
Q4 (medium)

A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?

A

Trusted Platform Module (TPM)

B

Hardware Security Module (HSM)

C

Secure enclave (e.g., Intel SGX)

A secure enclave, such as Intel Software Guard Extensions (SGX), creates hardware-enforced encrypted regions of memory that protect code and data from access by the host OS, hypervisor, or other processes, even if those lower layers are compromised.

D

UEFI Secure Boot

Why: Secure enclave technology, such as Intel SGX, provides hardware-enforced isolation by creating trusted execution environments (TEEs) within the CPU. Code and data inside an enclave are encrypted in memory and decrypted only within the processor, ensuring that even a compromised hypervisor or host OS cannot access the transaction data during runtime. This meets the requirement for processor and memory isolation in a shared cloud environment.
Q5 (medium)

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

A

Deploy a VPN concentrator and require all administrators to connect to the VPN before initiating SSH sessions directly to the servers.

B

Deploy a jump server (bastion host) in a management subnet and require all administrative SSH connections to originate from the jump server, with the jump server accessible only via the corporate VPN.

This is the correct architecture. The jump server acts as a secure intermediary. No SSH traffic from the internet reaches the target servers; all connections must first authenticate to the VPN, then to the jump server, and finally the jump server initiates outbound SSH to the target servers. This eliminates direct inbound SSH and provides a centralized audit point.

C

Replace SSH with a web-based console proxy that uses HTTPS and multi-factor authentication, and allow direct internet access to the console proxy on port 443.

D

Configure each Linux server with a public IP address but restrict inbound SSH to the known public IP addresses of the administrators' corporate laptops.

Why: Option B is correct because it eliminates direct inbound SSH from the internet by placing a jump server (bastion host) in a management subnet that is only accessible via the corporate VPN. Administrators must first connect to the VPN, then SSH to the jump server, and from there initiate SSH sessions to the target Linux servers. This architecture ensures no SSH port is exposed to the public internet, meeting the primary security goal.
Q6 (medium)

A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

A

A stateless network ACL that allows inbound traffic from the ALB's subnet only.

B

A stateful security group that allows inbound traffic from the ALB's security group only.

Correct. Security groups are stateful and can use another security group as a source. This configuration cleanly allows only traffic originating from the ALB, automatically handles return traffic, and is the recommended cloud-native approach for controlling instance-level access.

C

A web application firewall (WAF) that inspects all traffic for SQL injection.

D

A host-based firewall on each web server that allows traffic from the ALB's private IP address.

Why: Option B is correct because a stateful security group in AWS can reference another security group as a source, allowing inbound traffic only from instances associated with the ALB's security group. This ensures that web servers accept traffic exclusively from the ALB, while the ALB itself can accept HTTP/HTTPS from the internet via its own security group rules. Stateful filtering automatically allows return traffic, simplifying rule management and meeting the requirement precisely.


Domain 4: Security Operations

28% of exam · 6 sample questions below

Q1 (medium)

A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?

A

Disable the software updater immediately to prevent further registry modifications.

B

Create an exception rule in the EDR to suppress future alerts for this process.

C

Investigate the user's recent activity and check for signs of process hollowing or DLL injection.

This is the correct next step. The analyst should examine the process's behavior in depth, including checking for anomalies such as unexpected command-line arguments, suspicious parent processes, or indicators of code injection, before concluding whether the alert is a false positive.

D

Isolate the workstation from the network and reimage the system immediately.

Why: Option C is correct because the EDR alert indicates a legitimate process (Updater.exe) modifying a critical persistence registry key (Run). Even with a known good hash, the process could be compromised via process hollowing or DLL injection, where malicious code runs under the guise of a trusted executable. Investigating user activity and checking for these attack techniques is the appropriate next step to confirm whether the behavior is benign or indicative of a threat.
Q2 (medium)

A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?

A

Immediately block the IP address at the perimeter firewall.

B

Investigate whether any of the attempted accounts correspond to actual domain users.

This is the correct first step. If any of the random account names match legitimate domain accounts, it indicates a targeted attack and possible credential compromise. Even if only failures appear in this window, a successful logon may have been recorded separately and should be checked. This investigation guides subsequent containment and remediation.

C

Run a full antivirus scan on the domain controller.

D

Notify the company's legal department for law enforcement involvement.

Why: Option B is correct because the analyst must first determine if any of the randomly generated account names match existing domain user accounts. If a match is found, it indicates a targeted password-spraying or brute-force attack against valid accounts, requiring immediate account lockdown and credential reset. This investigation step aligns with the incident response process of identification before containment or escalation.
Q3 (medium)

A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?

A

Increase the failed attempt threshold to 20 attempts within the same 5-minute window.

B

Modify the rule to trigger only when the failed attempts originate from multiple distinct source IP addresses.

This is correct because a genuine brute-force attack often uses a distributed set of source IPs to evade rate limiting, whereas a legitimate user mistyping typically connects from a single IP. This change filters out most false positives while still detecting distributed attacks.

C

Modify the rule to trigger only when the failed attempts are against multiple distinct user accounts.

D

Add an exception to suppress alerts for any user account that has a valid password reset request within the same time period.

Why: Option B is correct because brute-force attacks often distribute failed attempts across multiple source IP addresses to evade detection, while legitimate users typically mistype from a single IP. By requiring failed attempts from multiple distinct source IPs, the rule filters out accidental mistypes (single IP) and still catches distributed brute-force attacks, which is a common evasion technique.
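The first two SOC questions above (random account names tried from one external address, and a per-account failed-logon threshold that drowns the team in alerts) can be worked through with a small correlation script. The following Python is an added example written for this page; it is not Courseiva's code and not the rule syntax of any SIEM product. The log export format, timestamps, addresses, account names and the directory listing are all constructed. `min_distinct_ips=1` reproduces the original rule and `min_distinct_ips=2` implements the tuning chosen in option B; `attempted_accounts_in_directory` is the check chosen as the first step in the earlier question.

```python
"""Correlating Windows failed-logon events (Event ID 4625) for two SOC checks:
  * tune the per-account brute-force rule so it fires only when the failures
    come from several distinct source IPs (the tuning chosen in Q3);
  * list which of the account names tried from one source actually exist in
    the directory (the first step chosen in Q2).
The log export format, timestamps, addresses, account names and directory
are all constructed for this example; real 4625 events carry more fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory of domain accounts (compared case-insensitively).
DOMAIN_USERS = {"jsmith", "admin", "svc_backup", "mlee"}

# One event per line: <UTC time> EventID=<id> TargetUserName=<user> IpAddress=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def build_sample_log():
    """Render a constructed text export of Security-log events."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    rows = []
    # jsmith: 12 failures in 3 minutes from one internal address (a mistyped password)
    for k in range(12):
        rows.append((base + timedelta(seconds=15 * k), "jsmith", "10.0.0.5"))
    # admin: 12 failures in 4 minutes spread over four external addresses
    ext = ["203.0.113.7", "198.51.100.9", "192.0.2.44", "203.0.113.8"]
    for k in range(12):
        rows.append((base + timedelta(seconds=20 * k), "admin", ext[k % 4]))
    # random-looking names from one external address, a single attempt each
    for k, name in enumerate(["a1b2c3", "x9y8z7", "q4w5e6", "svc_backup"]):
        rows.append((base + timedelta(seconds=5 * k), name, "203.0.113.7"))
    rows.sort()
    return "\n".join(
        f"{ts.isoformat()}Z EventID=4625 TargetUserName={user} IpAddress={ip}"
        for ts, user, ip in rows
    )


def parse_failed_logons(text):
    """Return (timestamp, account, source_ip) for Event ID 4625 lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "4625":
            continue
        ts = datetime.fromisoformat(m["ts"].rstrip("Z"))
        events.append((ts, m["user"].lower(), m["ip"]))
    return events


def brute_force_alerts(events, threshold=10, window=timedelta(minutes=5), min_distinct_ips=1):
    """Per-account sliding window. Alert when more than `threshold` failures fall
    inside `window` AND they come from at least `min_distinct_ips` sources.
    min_distinct_ips=1 is the original noisy rule; 2 is the tuned rule (option B)."""
    per_account = defaultdict(list)
    for ts, user, ip in events:
        per_account[user].append((ts, ip))
    alerts = {}
    for user, rows in per_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1                       # slide the window forward
            if end - start + 1 > threshold:
                ips = {ip for _, ip in rows[start:end + 1]}
                if len(ips) >= min_distinct_ips:
                    alerts[user] = {"failures": end - start + 1, "source_ips": sorted(ips)}
                    break                        # one alert per account is enough
    return alerts


def attempted_accounts_in_directory(events, domain_users, source_ip):
    """Which of the account names tried from `source_ip` are real domain accounts?"""
    tried = {user for _, user, ip in events if ip == source_ip}
    return sorted(tried & {u.lower() for u in domain_users})


if __name__ == "__main__":
    events = parse_failed_logons(build_sample_log())
    print("original rule :", sorted(brute_force_alerts(events, min_distinct_ips=1)))
    print("tuned rule    :", sorted(brute_force_alerts(events, min_distinct_ips=2)))
    print("real accounts tried from 203.0.113.7:",
          attempted_accounts_in_directory(events, DOMAIN_USERS, "203.0.113.7"))
```

On the constructed data the original rule fires for both `jsmith` (one internal address, a typing mistake) and `admin` (four external addresses), while the tuned rule keeps only `admin`. The directory check shows that, of the names tried from 203.0.113.7, `admin` and `svc_backup` are real accounts and therefore the ones whose successful logons and password state need to be reviewed next.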
Q4 (medium)

A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?

A

Capture a full memory dump of the server

Correct. Memory is the most volatile data and should be captured first to preserve evidence such as running processes, network connections, and malware in memory. Any delay or system shutdown may cause this data to be lost.

B

Shut down the server to prevent further damage

C

Create a forensic disk image of the hard drive

D

Run a full antivirus scan on the system

Why: The order of volatility dictates that the most volatile data (memory) must be captured first because it contains critical evidence like running processes, network connections, and encryption keys that will be lost when the system is powered off. A full memory dump preserves this volatile data before any other actions that could alter the system state.
Q5 (medium)

A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?

A

Immediately block the user account and the source IP address at the CASB.

B

Contact the user directly by phone to verify whether they initiated the download.

C

Initiate the organization's incident response process for a potential data exfiltration event.

Correct. The combination of anomalous data volume and unusual geolocation strongly suggests a security incident. The analyst should follow the incident response plan, which typically includes preserving logs, engaging the incident response team, and escalating per policy.

D

Disable the SharePoint document library and remove all user permissions to prevent further data loss.

Why: Option C is correct because the combination of a massive data download (500 GB vs. a 10 MB baseline) and a session originating from a country with no business presence strongly indicates a potential data exfiltration event. Initiating the incident response process ensures that the organization follows a structured, documented procedure to contain, analyze, and remediate the threat, preserving forensic evidence and coordinating response actions. The CASB log provides the initial indicators, but the incident response plan is the appropriate framework for handling such high-risk anomalies.
Q6 (medium)

A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?

A

The DNS server logs showing the queried domains and subdomains.

B

The workstation's process creation logs showing which process initiated the DNS queries.

C

A full packet capture of the network traffic from the workstation showing the complete DNS messages.

A full packet capture includes the entire DNS query packet, including the complete subdomain portion. The analyst can extract and decode the base64-encoded subdomain data and compare it directly to the contents of a sensitive file on the workstation to definitively confirm data exfiltration.

D

The firewall logs showing outbound connections from the workstation to the external DNS server on port 53.

Why: Option C is correct because a full packet capture (PCAP) contains the complete DNS query and response messages, including the raw payload of the subdomain fields. This allows the analyst to extract the base64-encoded data from the subdomains and decode it to verify that it matches the contents of the suspected sensitive file. DNS server logs (option A) typically only record the queried domain names, not the full DNS message payload, and may truncate long subdomains. Process creation logs (option B) show which executable made the queries but not the data being sent. Firewall logs (option D) only show connection metadata (source, destination, port) and never the DNS query content.
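The verification described in the explanation above, as an added example for this page rather than code from Courseiva or any forensic tool: take the full query names recovered from a packet capture, keep only those under the suspicious domain, put the subdomain chunks back in order, base64-decode them and compare the result with the sensitive file. The tunnel domain, the query names, the `<sequence>.<chunk>.<domain>` layout and the file contents are all constructed for the example; it also handles the failure mode where the capture is missing a query, in which case no claim about the file can be made.

```python
"""Verifying suspected DNS-tunnel exfiltration from captured query names.

Given the complete DNS query names from a PCAP, rebuild the encoded payload
carried in the subdomain labels, decode it, and compare it with the sensitive
file. Domain, query names and file contents are constructed for this example.
"""
import base64
import binascii
import hashlib

TUNNEL_DOMAIN = "tun.example.test"      # constructed suspicious domain
SENSITIVE_FILE = b"salary:42000\n"      # constructed contents of the suspected file

# Query names as they appear in the full DNS messages of the capture:
# <sequence>.<base64 chunk>.<tunnel domain>, seen out of order and mixed with
# ordinary lookups. Constructed: base64 of SENSITIVE_FILE split into 8-character
# labels with the trailing "=" padding removed.
PCAP_QUERIES = [
    "www.example.com",
    "1.OjQyMDAw.tun.example.test",
    "0.c2FsYXJ5.tun.example.test",
    "2.Cg.tun.example.test",
    "time.example.net",
]


def extract_chunks(query_names, tunnel_domain):
    """Return {sequence: chunk} for names of the form <seq>.<chunk>.<tunnel_domain>."""
    suffix = "." + tunnel_domain.lower()
    chunks = {}
    for name in query_names:
        name = name.rstrip(".")
        if not name.lower().endswith(suffix):
            continue                              # ordinary lookup, not the tunnel
        labels = name[: -len(suffix)].split(".")  # keep the chunk's original case
        if len(labels) != 2 or not labels[0].isdigit():
            continue                              # does not fit the observed pattern
        chunks[int(labels[0])] = labels[1]
    return chunks


def reassemble_payload(query_names, tunnel_domain=TUNNEL_DOMAIN):
    """Order the chunks, refuse sequence gaps, restore padding and base64-decode.
    Returns None when the capture is incomplete or the data is not valid base64."""
    chunks = extract_chunks(query_names, tunnel_domain)
    if not chunks or set(chunks) != set(range(max(chunks) + 1)):
        return None                               # a query is missing: capture incomplete
    encoded = "".join(chunks[i] for i in sorted(chunks))
    encoded += "=" * (-len(encoded) % 4)          # padding is dropped in DNS labels
    try:
        return base64.b64decode(encoded, validate=True)
    except binascii.Error:
        return None


def matches_file(payload, file_bytes):
    """True only when the decoded payload is byte-for-byte the sensitive file."""
    if payload is None:
        return False
    return hashlib.sha256(payload).digest() == hashlib.sha256(file_bytes).digest()


if __name__ == "__main__":
    payload = reassemble_payload(PCAP_QUERIES)
    print("decoded payload:", payload)
    print("matches sensitive file:", matches_file(payload, SENSITIVE_FILE))
```

The comparison goes through the full query name because that is what the packet capture preserves; the same function run over a DNS server log whose entries shorten long names, or over a capture missing a query, returns `None` and the analyst can only say the pattern is suspicious, not that the file left the network.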

Domain 5: Security Program Management and Oversight

Q1 (medium)

A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?

A

Request the provider to sign a contractual service-level agreement (SLA) that guarantees encryption compliance.

B

Accept the SOC 2 Type II report as sufficient and proceed without further review.

C

Review the detailed control descriptions and auditor test results within the SOC 2 Type II report that address encryption of data in transit and at rest.

A SOC 2 Type II report includes a detailed description of controls, the control objectives, and the results of the auditor’s testing over a period of time. Reviewing these specific sections allows the company to verify that encryption controls are designed and operating effectively, which satisfies due diligence requirements for third-party risk management.

D

Conduct an independent penetration test on the provider’s infrastructure before signing the contract.

Why: Option C is correct because a SOC 2 Type II report includes detailed control descriptions and independent auditor test results that specifically verify whether encryption controls (TLS 1.2+ for data in transit and AES-256 for data at rest) are designed and operating effectively over a period of time. Reviewing these granular details allows the company to confirm compliance with its specific encryption requirements, which is a core component of due diligence in vendor risk management.
Q2 (medium)

A security manager is evaluating the effectiveness of a new security awareness training program that all employees completed last quarter. The company has been conducting monthly phishing simulation campaigns for the past year. Which of the following metrics would provide the strongest evidence that the training is achieving its intended goal of changing employee behavior?

A

95% of employees completed the training within the deadline.

B

The number of employees reporting phishing attempts to the SOC increased by 40%.

C

The percentage of employees who clicked on a simulated phishing email decreased from 18% to 6%.

A significant drop in the click-through rate on simulated phishing emails directly demonstrates that employees are less susceptible to phishing attacks, which is the desired behavioral outcome of the training.

D

The number of helpdesk tickets related to password resets decreased by 10%.

Why: Option C directly measures the reduction in risky behavior (clicking phishing links) after training, which is the core goal of security awareness training. A drop from 18% to 6% demonstrates a measurable behavior change, not just knowledge acquisition. This aligns with the Kirkpatrick Model's 'Behavior' level of evaluation, which is the strongest indicator of training effectiveness.
Q3 (medium)

After completing a vulnerability scan, a security analyst discovers that a legacy customer-facing application running on an unsupported operating system contains a critical remote code execution vulnerability. The application is essential to daily operations and cannot be patched or upgraded in the near term. Management has approved the purchase of a hardware-based network firewall that will be placed in front of the application to restrict inbound traffic to only authorized source IP addresses and port numbers. Which risk management strategy does this action primarily represent?

A

Risk acceptance

B

Risk mitigation

Correct. By deploying a firewall to restrict access, the organization is reducing the likelihood that the vulnerability can be exploited. This is a risk mitigation strategy using a compensating control.

C

Risk avoidance

D

Risk transference

Why: The security team is implementing a hardware-based network firewall to restrict inbound traffic to only authorized source IP addresses and port numbers. This directly reduces the likelihood of exploitation by limiting the attack surface, which is the essence of risk mitigation — applying controls to reduce the risk to an acceptable level. Patching or upgrading is not feasible, so compensating controls like network segmentation and access control lists (ACLs) are used to mitigate the vulnerability.
Q4 (medium)

A security manager is preparing a quarterly report for the board of directors on the effectiveness of the organization's security program. The manager has access to detailed technical data, including firewall log statistics, patch compliance percentages, and number of phishing simulation clicks. Which of the following would be the most appropriate way to present this information to the board?

A

Provide a list of all firewall rule changes made during the quarter.

B

Show a trend chart of the number of security incidents categorized by severity, along with average time to resolve.

This option provides a high-level, actionable summary that demonstrates the security program's effectiveness. Incident trends by severity and resolution time are key performance indicators that the board can use to assess risk reduction and operational maturity.

C

Include raw logs of the top 10 most frequent alerts from the SIEM.

D

Describe the technical architecture of the intrusion prevention system.

Why: Option B is correct because it presents security program effectiveness in a business-relevant format: trend charts of incidents by severity and resolution times directly address risk reduction and operational efficiency, which board members need for strategic oversight. Unlike raw technical data, this aggregated, visualized information enables non-technical stakeholders to assess whether the security program is improving over time.
Q5 (medium)

A security manager is leading a risk assessment for the organization. The team identifies a legacy application that contains a known critical vulnerability. The vendor has discontinued support and no patch is available. The manager calculates that the annualized loss expectancy (ALE) for exploiting this vulnerability is $50,000. Implementing a third-party web application firewall (WAF) as a compensating control would cost $80,000 per year. The organization's leadership decides that accepting the risk is the most cost-effective approach. Which of the following documents should the security manager update to formally record this risk acceptance decision and obtain the necessary sign-off?

A

Business impact analysis (BIA)

B

Risk register

Correct. The risk register is used to track identified risks, their characteristics, and the chosen treatment. Updating it with the acceptance decision, rationale, and approval is essential for risk governance.

C

Security baseline configuration document

D

Incident response plan

Why: The risk register is the correct document to update because it formally tracks identified risks, their assessed impact, and the chosen risk response (acceptance). Recording the decision to accept the $50,000 ALE risk and obtaining sign-off ensures auditability and accountability, which is a key requirement in risk management frameworks like NIST SP 800-37.
Q6 (medium)

A security manager at a financial services company is proposing a new policy that would require annual background checks for all employees with access to sensitive customer payment data. The proposed policy, if implemented, would increase the organization's operational costs by approximately $200,000 per year. The manager needs to obtain formal approval to implement this policy. Which of the following groups is MOST likely to have the authority to approve this policy and allocate the necessary budget?

A

Board of directors

The board of directors has the fiduciary responsibility and ultimate authority to approve significant policy changes that require a substantial budget allocation, such as a $200,000 annual expense for background checks. This is correct because the policy crosses functional areas (security, HR, finance) and requires formal governance approval.

B

Chief Information Security Officer (CISO)

C

IT steering committee

D

Security operations team

Why: The board of directors holds the ultimate fiduciary responsibility and authority over significant financial commitments and strategic policy changes. A $200,000 annual cost increase requires approval at the highest governance level, as it impacts the organization's budget and risk posture. The board is the only group with the formal power to allocate such a substantial operational expense and approve a new policy affecting all employees with access to sensitive payment data.

Frequently asked questions

How many questions are on the SY0-701 exam?

The SY0-701 exam has 90 questions and must be completed in 90 minutes. The passing score is 750/1000.

What types of questions appear on the SY0-701 exam?

Multiple-choice and performance-based questions covering threats, cryptography, PKI, identity, network architecture, cloud security, and incident response. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are SY0-701 questions organised by domain?

The exam covers 5 domains: General Security Concepts; Threats, Vulnerabilities, and Mitigations; Security Architecture; Security Operations; and Security Program Management and Oversight. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SY0-701 exam questions?

No. These are original exam-style practice questions written against the official CompTIA SY0-701 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
