
Scenario-based practice

Troubleshooting Scenario Questions

Practise with original CompTIA SecurityX CAS-004 exam-style scenario questions covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

10 scenario questions
Exam code: CAS-004
Vendor: CompTIA

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition. They check:

- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

Question 2 (hard, multiple choice)

A network administrator is troubleshooting connectivity issues. Based on the exhibit, which of the following is true about the iptables rules?

Exhibit

Refer to the exhibit.

```
# iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   eth1    10.0.1.0/24          0.0.0.0/0            state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            10.0.1.0/24          state ESTABLISHED
```

Question 3 (easy, multiple choice)

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?

Question 4 (medium, multi-select)

A network administrator is troubleshooting connectivity to a server at 192.168.1.100. The ACL shown is applied inbound on GigabitEthernet0/0. Which THREE statements are true regarding this ACL configuration? (Choose three.)

Exhibit

Refer to the exhibit.

```
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group ACL-IN in
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
access-list 100 deny tcp any host 192.168.1.100 eq 22
access-list 100 deny tcp any host 192.168.1.100 eq 3389
access-list 100 permit ip any any
```

Question 5 (hard, multiple choice)

A SOC analyst notices that a containerized application is making unexpected outbound connections. The container runs with minimal privileges. Which step should the analyst take first to investigate without compromising the environment?

Question 6 (hard, multiple choice)

Refer to the exhibit. A web server is unable to connect to a local database socket. Which of the following actions would MOST likely resolve this issue?

Exhibit

Refer to the exhibit.

```
type=AVC msg=audit(1234567890.123:456): avc:  denied  { connectto } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=unix_stream_socket
```

Question 7 (hard, multi-select)

A CSIRT is developing a threat hunting hypothesis based on the MITRE ATT&CK framework. Which THREE of the following are techniques that threat hunters would commonly investigate for initial access? (Choose three.)

Question 8 (medium, multiple choice)

Refer to the exhibit. A security analyst notices that users from the internet can reach the web server at 10.0.1.100 on port 443, but they cannot reach it on port 8443. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
access-list extended OUTSIDE-IN
 permit tcp any host 10.0.1.100 eq 443
 permit tcp any host 10.0.1.100 eq 8443
 deny ip any any
```

Question 9

A SOC analyst discovers unusual outbound traffic from a host in the production DMZ to an unknown IP address on the internet. The traffic consists of encrypted connections (HTTPS) to a domain that was registered three days ago. The host is a web server that has been fully patched and is configured with a default deny egress firewall policy, but this particular traffic is being allowed because a recently added rule permits outbound HTTPS to any destination for a specific application's updates. The security architect is called in to investigate and must determine the best course of action to identify the scope of the potential compromise and prevent further data exfiltration. The architect has access to network flow data, endpoint detection and response (EDR) telemetry, and firewall logs. What should the security architect do FIRST?

Question 10 (easy, multiple choice)

A company is deploying a new cloud-based application that processes sensitive customer data. The security architect has proposed a zero-trust architecture to secure remote access. The architecture includes identity-aware proxies, microsegmentation, and continuous monitoring. During the transition, several remote users report being unable to access the application. The security architect verifies that the identity-aware proxy is correctly configured and that users are authenticated via SSO. However, access attempts are still failing. The architect suspects that the issue may be related to the microsegmentation rules. What should the security architect do FIRST to resolve the problem?

These CAS-004 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style CAS-004 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.