Reinforce SY0-701 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For SY0-701 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the SY0-701 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your SY0-701 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real SY0-701 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass SY0-701.
Sample cards from the SY0-701 flashcard bank. Read the question, think of the answer, then read the explanation below.
A security engineer writes a script that computes SHA-256 hashes of critical server configuration files every night and sends an alert if any hash value has changed since the previous night. Which security goal is this control primarily designed to protect?
Integrity
The script computes SHA-256 hashes of configuration files and compares them nightly to detect any unauthorized or accidental changes. This directly protects the integrity of the files by ensuring they have not been modified, which is the core security goal of integrity. Confidentiality and availability are not addressed by hash comparison.
A financial institution updates its access control policy to require that two different system administrators must approve and execute any changes to the core transaction processing database. Which security principle is this practice primarily designed to enforce?
Separation of duties
Requiring two different system administrators to approve and execute changes to the core transaction processing database enforces separation of duties. This principle ensures that no single individual has the authority to perform both the approval and execution steps, reducing the risk of fraud, error, or unauthorized modifications. In a financial institution, this is critical for maintaining the integrity of transaction data and complying with regulatory standards like SOX or PCI DSS.
A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?
SQL injection
The repeated requests contain classic SQL injection payloads, such as `' OR '1'='1' --` (used to bypass authentication or extract data) and `'; DROP TABLE Users; --` (used to delete database tables). The HTTP 200 responses with unexpected data confirm that the application is vulnerable to SQL injection, as the injected SQL code is being executed against the backend database. This attack targets the SQL database layer, not LDAP directories or operating system commands.
A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?
Stack canaries
Stack canaries are the most effective runtime control for detecting and preventing buffer overflow exploitation. When a buffer overflow overwrites the stack, it corrupts a canary value placed between the buffer and the return address; before the function returns, the canary is checked, and if altered, the program terminates immediately, preventing arbitrary code execution.
A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?
Implementing a policy that all financial transfers over a certain threshold must be verbally verified via a known phone number before execution
Option C is correct because the attack is a business email compromise (BEC) using a lookalike domain. A policy requiring verbal verification via a known phone number adds a human out-of-band check that bypasses the email channel entirely, preventing the fraudulent transfer even if the email appears legitimate. This control directly addresses the social engineering aspect of the attack, which technical controls alone cannot fully mitigate.
A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?
Vishing
B is correct because vishing (voice phishing) is a social engineering attack conducted over the phone, where the attacker impersonates a trusted entity (IT support) to trick the victim into revealing sensitive information such as credentials and MFA codes. The request for the current MFA code is a key indicator, as it would allow the attacker to bypass multi-factor authentication in real time.
A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?
Place the web server in the DMZ and the database server on the internal network. Configure the firewall to allow inbound traffic from the web server to the database server on the required port only.
Option B is correct because it implements a tiered network architecture where the web server resides in the DMZ (a semi-trusted zone) and the database server is placed on the internal network, isolated from direct internet access. The firewall is configured with a stateful rule that permits only the web server's IP and the specific database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL), preventing any direct inbound connections from the internet to the database. This minimizes the attack surface by ensuring that even if the web server is compromised, the database is not directly reachable from external hosts.
A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?
Defense in depth
The design enforces defense in depth by layering multiple security controls: a DMZ isolates public-facing web servers from internal networks, a stateful firewall restricts inbound traffic to HTTP/HTTPS only, and outbound connections from web servers to internal application servers are limited to a specific TCP port with TLS encryption. This layered approach ensures that even if one control fails (e.g., a web server is compromised), the attacker still faces additional barriers to reach sensitive internal systems.
A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?
Use a software-defined perimeter that authenticates each user and device before granting access only to specific applications.
Option C is correct because a software-defined perimeter (SDP) implements zero trust by authenticating both the user and device before granting access to specific applications, not the entire network. This prevents lateral movement by ensuring that even after authentication, the endpoint can only reach the allowed application, not the full LAN. This aligns with the zero trust principle of 'never trust, always verify' and micro-segmentation.
A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?
Secure enclave (e.g., Intel SGX)
Secure enclave technology, such as Intel SGX, provides hardware-enforced isolation by creating trusted execution environments (TEEs) within the CPU. Code and data inside an enclave are encrypted in memory and decrypted only within the processor, ensuring that even a compromised hypervisor or host OS cannot access the transaction data during runtime. This meets the requirement for processor and memory isolation in a shared cloud environment.
A SOC analyst receives an alert from the EDR system indicating that the process 'C:\Program Files\Vendor\Updater.exe' attempted to modify the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key on a user's workstation. The analyst checks the file hash and finds it matches a known legitimate software updater. Which of the following actions is most appropriate for the analyst to take?
Investigate the user's recent activity and check for signs of process hollowing or DLL injection.
Option C is correct because the EDR alert indicates a legitimate process (Updater.exe) modifying a critical persistence registry key (Run). Even with a known good hash, the process could be compromised via process hollowing or DLL injection, where malicious code runs under the guise of a trusted executable. Investigating user activity and checking for these attack techniques is the appropriate next step to confirm whether the behavior is benign or indicative of a threat.
A SOC analyst is reviewing logs from a Windows domain controller and notices a large number of failed logon attempts (Event ID 4625) from a single source IP address within a five-minute window. The account names used are random strings such as "a1b2c3", "x9y8z7", etc. The analyst then checks the source IP and finds it is a known external address from a foreign country. Which of the following is the most appropriate next step for the analyst to take?
Investigate whether any of the attempted accounts correspond to actual domain users.
Option B is correct because the analyst must first determine if any of the randomly generated account names match existing domain user accounts. If a match is found, it indicates a targeted password-spraying or brute-force attack against valid accounts, requiring immediate account lockdown and credential reset. This investigation step aligns with the incident response process of identification before containment or escalation.
A security operations analyst is tuning a SIEM correlation rule designed to detect brute-force password attacks against domain user accounts. The current rule generates an alert when a single user account has more than 10 failed logon attempts within a 5-minute window. The SOC team is overwhelmed by thousands of alerts each day, the vast majority of which are triggered by legitimate users who accidentally mistype their passwords. Which of the following modifications to the rule would most effectively reduce false positives while still detecting actual brute-force attacks?
Modify the rule to trigger only when the failed attempts originate from multiple distinct source IP addresses.
Option B is correct because brute-force attacks often distribute failed attempts across multiple source IP addresses to evade detection, while legitimate users typically mistype from a single IP. By requiring failed attempts from multiple distinct source IPs, the rule filters out accidental mistypes (single IP) and still catches distributed brute-force attacks, which is a common evasion technique.
A security analyst is responding to a potential ransomware incident on a Windows server that is still running. The analyst needs to preserve forensic evidence for analysis. Which of the following actions should the analyst perform first, based on the order of volatility?
Capture a full memory dump of the server
The order of volatility dictates that the most volatile data (memory) must be captured first because it contains critical evidence like running processes, network connections, and encryption keys that will be lost when the system is powered off. A full memory dump preserves this volatile data before any other actions that could alter the system state.
A security analyst is monitoring logs from the cloud access security broker (CASB) and observes that a user account downloaded 500 GB of data from a highly sensitive SharePoint document library within a single hour. The user's historical baseline shows an average daily download of less than 10 MB. Additionally, the log shows the session originated from an IP address in a country where the company has no employees or business operations. Which of the following actions is the most appropriate for the analyst to take?
Initiate the organization's incident response process for a potential data exfiltration event.
Option C is correct because the combination of a massive data download (500 GB vs. a 10 MB baseline) and a session originating from a country with no business presence strongly indicates a potential data exfiltration event. Initiating the incident response process ensures that the organization follows a structured, documented procedure to contain, analyze, and remediate the threat, preserving forensic evidence and coordinating response actions. The CASB log provides the initial indicators, but the incident response plan is the appropriate framework for handling such high-risk anomalies.
A security analyst in the SOC is investigating a potential DNS tunneling incident. The analyst has identified a workstation that is making thousands of DNS queries to an external domain with base64-encoded subdomains. The analyst suspects that sensitive files from the workstation are being exfiltrated by encoding their contents into the subdomains of the DNS queries. Which of the following log sources will provide the most definitive evidence to confirm that the contents of a specific sensitive file are being transmitted in the DNS queries?
A full packet capture of the network traffic from the workstation showing the complete DNS messages.
Option C is correct because a full packet capture (PCAP) contains the complete DNS query and response messages, including the raw payload of the subdomain fields. This allows the analyst to extract the base64-encoded data from the subdomains and decode it to verify that it matches the contents of the suspected sensitive file. DNS server logs (option A) typically only record the queried domain names, not the full DNS message payload, and may truncate long subdomains. Process creation logs (option B) show which executable made the queries but not the data being sent. Firewall logs (option D) only show connection metadata (source, destination, port) and never the DNS query content.
A company is evaluating a new cloud-based customer relationship management (CRM) provider. The provider’s documentation includes a SOC 2 Type II report, but the company’s compliance team specifically requires evidence that data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Which of the following actions best demonstrates that the company has performed proper due diligence in vendor risk management?
Review the detailed control descriptions and auditor test results within the SOC 2 Type II report that address encryption of data in transit and at rest.
Option C is correct because a SOC 2 Type II report includes detailed control descriptions and independent auditor test results that specifically verify whether encryption controls (TLS 1.2+ for data in transit and AES-256 for data at rest) are designed and operating effectively over a period of time. Reviewing these granular details allows the company to confirm compliance with its specific encryption requirements, which is a core component of due diligence in vendor risk management.
The SY0-701 flashcard bank covers all 5 official blueprint domains published by CompTIA. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
General Security Concepts
Threats, Vulnerabilities, and Mitigations
Security Architecture
Security Operations
Security Program Management and Oversight
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that SY0-701 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.SY0-701 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective SY0-701 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free SY0-701 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1152+ original SY0-701 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official CompTIA exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official SY0-701 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included