Security Operations practice questions

Practise CompTIA SecurityX CAS-004 Security Operations practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Operations

What the exam tests

What to know about Security Operations

Security Operations questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Operations exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Operations questions

20 questions · select your answer, then reveal the explanation

During an incident response engagement, the security team identifies that a compromised host has been communicating with multiple external IP addresses using encrypted channels. The team needs to determine which processes initiated the connections. Which type of evidence collection should be performed first to preserve the most volatile data?

Question 2 · hard · multiple choice

A security analyst is investigating a potential advanced persistent threat (APT) that has evaded traditional signature-based defenses. The analyst hypothesizes that the attacker is using a specific technique from the MITRE ATT&CK framework: process injection. Which threat hunting methodology is most appropriate for this scenario?

Question 3 · medium · multiple choice

A security operations center (SOC) is implementing a SOAR platform to automate responses to phishing incidents. The playbook will include steps to automatically quarantine suspicious emails, delete them from user mailboxes, and block the sender's domain. Which element should the SOAR playbook incorporate to ensure the automated response does not cause unintended disruption?

Question 4 · medium · multiple choice

A vulnerability management team is prioritizing patches for a large number of vulnerabilities discovered in a quarterly scan. A critical vulnerability in a widely used application has a CVSS base score of 9.8, but it is not currently being exploited in the wild and the application is not directly exposed to the internet. According to CVSS scoring principles, which factors should the team consider to adjust the priority?

During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which technique is most commonly used for lateral movement in a Windows environment?

An organization is deploying deception technology to detect lateral movement by attackers. Which of the following would be the most effective to detect an attacker who has gained access to the internal network and is attempting to move to a sensitive server?

A security analyst is reviewing logs from a SIEM and notices that a user account has been successfully authenticated from two different geographic locations within a short time span, which is impossible. The SIEM uses user behavior analytics (UBA). What type of anomaly is this most likely to detect?
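The check a UBA engine runs for this scenario is usually called "impossible travel": for consecutive successful logins by the same account, compute the great-circle distance between the two source geolocations, divide by the elapsed time, and flag any pair that would require travelling faster than an airliner. The following is an added example written for this page, not code from Courseiva or from any SIEM vendor; the login events, coordinates and the 900 km/h ceiling are constructed values.

```python
"""Added example: an 'impossible travel' check over successful logins.
Events, coordinates and the speed ceiling below are constructed, not real data."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900  # constructed ceiling: roughly airliner speed

# Constructed successful-login events: (user, ISO timestamp, city, latitude, longitude)
SAMPLE_LOGINS = [
    ("alice", "2024-05-01T09:00:00", "London",   51.5074,  -0.1278),
    ("alice", "2024-05-01T09:40:00", "New York", 40.7128, -74.0060),  # ~5,570 km in 40 min: impossible
    ("bob",   "2024-05-01T08:00:00", "Paris",    48.8566,   2.3522),
    ("bob",   "2024-05-01T15:00:00", "Berlin",   52.5200,  13.4050),  # ~880 km in 7 h: plausible
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, hours, kmh) for each pair of consecutive
    logins by the same user that would require travelling faster than max_kmh."""
    findings = []
    last_seen = {}  # user -> (timestamp, city, lat, lon) of the previous login
    # Sort by user then time so each comparison is against the immediately preceding login
    for user, ts, city, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        prev = last_seen.get(user)
        if prev is not None:
            p_ts, p_city, p_lat, p_lon = prev
            elapsed = datetime.fromisoformat(ts) - datetime.fromisoformat(p_ts)
            hours = elapsed.total_seconds() / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            if hours > 0:
                speed = km / hours
            else:
                # Simultaneous logins: impossible only if the locations actually differ
                speed = float("inf") if km > 1 else 0.0
            if speed > max_kmh:
                findings.append((user, p_city, city, round(km), round(hours, 2), round(speed)))
        last_seen[user] = (ts, city, lat, lon)
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_LOGINS):
        print("ALERT impossible travel:", finding)
```

In production the geolocation comes from an IP-to-location database and the rule is tuned to ignore known VPN egress points and corporate proxies, which otherwise produce the same pattern; the distance-over-time logic itself does not change.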

Which of the following best describes the purpose of the STIX and TAXII standards in threat intelligence sharing?

A security team is conducting a penetration test against a client's web application. During the reconnaissance phase, the tester discovers a subdomain that hosts a development version of the application with debug mode enabled. Which type of reconnaissance does this activity represent?

During a digital forensics investigation of a compromised Linux server, the investigator needs to preserve the evidence in a forensically sound manner. The server is still running. Which of the following should the investigator do first?

Which of the following is a key benefit of using an Extended Detection and Response (XDR) solution over traditional Endpoint Detection and Response (EDR)?

A security analyst is using Volatility to analyze a memory dump from a compromised Windows system. The analyst suspects that a rootkit is hiding processes. Which Volatility plugin should the analyst use to detect hidden processes?

Question 13 · medium · multi select

A security operations team is developing a SOAR playbook to automate response to a detected ransomware outbreak. The team wants to ensure the playbook can contain the threat quickly while minimizing business disruption. Which TWO actions should the playbook include as automated responses? (Select TWO.)

A security analyst is reviewing a malware sample in a sandbox environment. The analyst notes that the malware attempts to check for the presence of a debugger and modifies its behavior if one is detected. Additionally, the malware uses encrypted strings and resolves API calls dynamically. Which THREE analysis techniques would be most effective for understanding this malware's capabilities? (Select THREE.)

A penetration tester is planning a test for a client that has a critical web application. The rules of engagement specify that the tester must avoid causing a denial of service (DoS). Which THREE actions are appropriate for the tester to include in the scope? (Select THREE.)

During a security incident, the incident response team has identified the root cause and removed the threat from all affected systems. Which phase of the incident response lifecycle involves returning systems to normal operation and monitoring for any signs of recurrence?

A security analyst is using the MITRE ATT&CK framework to categorize adversary behavior observed in recent incidents. The analyst notes that the adversary used spearphishing with a malicious attachment to gain initial access, then executed a PowerShell script to download additional tools. Which ATT&CK tactic is the PowerShell execution associated with?

A security engineer is configuring a SIEM correlation rule to detect a potential data exfiltration attempt. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address that has never been communicated with before, within a 5-minute window. Additionally, the external IP should not be on any whitelist. Which correlation logic best implements this detection?
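The rule in this question combines four conditions: the destination is external, it is not on the allowlist, it has never been seen in the organisation's traffic before, and the bytes sent by one host to it within a sliding 5-minute window exceed 10 MB. The following is an added example written for this page, not Courseiva's code or any SIEM product's rule syntax; it expresses that correlation logic in plain Python over constructed flow records, with a constructed baseline of previously seen destinations, a constructed allowlist, and internal address ranges assumed to be the RFC 1918 blocks.

```python
"""Added example: sliding-window correlation for the exfiltration scenario
(more than 10 MB to a never-before-seen, non-allowlisted external IP within 5 minutes).
Flow records, baseline and allowlist below are constructed sample data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address space; a real deployment uses the organisation's own ranges
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records: (ISO timestamp, internal source, destination, bytes sent)
SAMPLE_FLOWS = [
    ("2024-05-01T10:00:00", "10.0.0.5",  "203.0.113.10",  6_000_000),
    ("2024-05-01T10:02:30", "10.0.0.5",  "203.0.113.10",  5_000_000),  # 11 MB in 2.5 min to a new IP: alert
    ("2024-05-01T10:01:00", "10.0.0.7",  "198.51.100.20", 20_000_000), # allowlisted backup endpoint: no alert
    ("2024-05-01T10:03:00", "10.0.0.9",  "192.0.2.50",    12_000_000), # previously seen partner IP: no alert
    ("2024-05-01T10:00:00", "10.0.0.11", "203.0.113.99",  6_000_000),
    ("2024-05-01T10:08:00", "10.0.0.11", "203.0.113.99",  6_000_000),  # 12 MB but 8 min apart: no alert
    ("2024-05-01T10:04:00", "10.0.0.12", "10.0.0.20",     50_000_000), # internal to internal: out of scope
]

KNOWN_DESTINATIONS = {"192.0.2.50"}  # constructed baseline of external IPs seen historically
ALLOWLIST = {"198.51.100.20"}        # constructed allowlist of approved external endpoints


def is_external(ip_str):
    """True when the address is outside every internal range."""
    ip = ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, known_destinations, allowlist,
                        threshold_bytes=10 * 1024 * 1024, window=timedelta(minutes=5)):
    """Return alerts as (timestamp, src, dst, bytes_in_window) tuples.

    Evaluated per (src, dst) pair with a sliding window over event time:
      1. dst is external
      2. dst is not allowlisted
      3. dst has never been seen before (absent from the historical baseline)
      4. bytes from src to dst inside `window` exceed threshold_bytes
    """
    ordered = sorted(flows, key=lambda f: f[0])  # sliding windows need chronological order
    windows = defaultdict(deque)                  # (src, dst) -> deque of (timestamp, bytes)
    alerted = set()
    alerts = []
    for ts_str, src, dst, nbytes in ordered:
        ts = datetime.fromisoformat(ts_str)
        if not is_external(dst):
            continue  # internal traffic is not covered by this rule
        if dst in allowlist or dst in known_destinations:
            continue  # approved or previously observed destination
        pair = (src, dst)
        q = windows[pair]
        q.append((ts, nbytes))
        while q and ts - q[0][0] > window:
            q.popleft()  # evict events that fell out of the 5-minute window
        total = sum(b for _, b in q)
        if total > threshold_bytes and pair not in alerted:
            alerted.add(pair)  # one alert per pair avoids an alert storm on sustained transfers
            alerts.append((ts_str, src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS, KNOWN_DESTINATIONS, ALLOWLIST):
        print("ALERT possible exfiltration:", alert)
```

The two suppressions in the loop are the parts that matter in practice: the baseline and allowlist checks run before any byte counting, so routine traffic to known destinations never occupies window state, and the rule tracks volume per host-destination pair rather than per host, which is what lets a single new destination stand out against a host's normal traffic.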

During a penetration test, the tester has gained initial access to a web server and wants to move laterally to a database server. Which of the following techniques would be most effective for identifying valid credentials that could be reused on the database server?

A security analyst is reviewing a suspicious executable file. The analyst performs static analysis by examining the file's strings and imports. Which of the following findings would most strongly suggest the file is packed or obfuscated?


Frequently asked questions

What does the CAS-004 exam test about Security Operations?
Security Operations questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Operations questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Operations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CAS-004 topics?
Use the topic links above to move to related areas, or go back to the CAS-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CAS-004 exam covers. They are not copied from any real exam or dump site.