CompTIA CySA+ CS0-003 (CS0-003) — Questions 175

503 questions total · 7 pages · All types, answers revealed

Page 1 of 7

1
Multi-Select · medium

A security analyst is reviewing lessons learned after a data breach. Which three of the following are key objectives of a post-incident activity phase? (Choose three.)

Select 3 answers
A. Conduct a root cause analysis to identify the underlying vulnerabilities.
B. Update incident response playbooks based on findings.
C. Discipline the employees responsible for the breach.
D. Provide recommendations for security control improvements.
E. Delete all logs to prevent future misuse of data.
F. Restore affected systems to their pre-incident state immediately.

Why this answer

Conducting a root cause analysis is a key objective of the post-incident activity phase because it identifies the underlying vulnerabilities and weaknesses that allowed the breach to occur. This analysis informs the development of corrective actions to prevent recurrence, which is a core goal of lessons learned. Without this step, the organization cannot effectively harden its defenses against similar attacks.

Exam trap

CompTIA often tests the distinction between the recovery phase (restoring systems) and the post-incident phase (analysis and improvement), leading candidates to mistakenly select 'Restore affected systems' as a post-incident objective.

2
MCQ · easy

A security analyst needs to present vulnerability scan results to a non-technical manager. Which of the following is MOST important to include?

A. Summary of critical vulnerabilities with associated business risk and recommended actions
B. Raw scan output with IP addresses and ports
C. Detailed exploit code for critical vulnerabilities
D. List of all CVSS scores with no further explanation
Answer: A

Provides clear decision-support information.

Why this answer

Option A is correct because a summary that ties critical vulnerabilities to business risk and recommended actions gives managers the prioritization they need to allocate resources. Options B, C, and D are too technical or lack context.

3
MCQ · hard

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is the business service owner, which content choice is most appropriate?

A. Only the graphic design team
B. Legal, privacy, and compliance stakeholders
C. Only the vulnerability scanner vendor
D. Only the facilities manager
Answer: B

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data, legal, privacy, and compliance stakeholders must be engaged early because they determine notification obligations under frameworks such as GDPR, HIPAA, or CCPA. These stakeholders interpret breach notification timelines (e.g., 72 hours under GDPR Article 33) and assess whether the data type triggers mandatory reporting. The business service owner needs this guidance to avoid regulatory penalties and ensure proper incident response coordination.

Exam trap

The exam often tests the misconception that technical teams (e.g., vulnerability scanner vendors) handle notification obligations, but in reality, only legal, privacy, and compliance stakeholders have the authority to interpret data protection laws and trigger mandatory reporting.

How to eliminate wrong answers

Option A is wrong because the graphic design team has no role in data privacy or legal notification requirements; they handle visual assets, not regulatory compliance. Option C is wrong because the vulnerability scanner vendor provides technical scanning tools but lacks authority to interpret data protection laws or determine notification obligations. Option D is wrong because the facilities manager oversees physical security and building operations, not the legal or regulatory aspects of personal data breaches.

4
MCQ · easy

Refer to the exhibit. The output is from a Linux system running `netstat -an`. Which of the following ports is likely being used for remote command-and-control communication?

A. 54321
B. 22
C. 53
D. 80
Answer: A

High port 54321 used in an established connection to an external IP is anomalous and could be C2.

Why this answer

Port 54321 is a high-numbered ephemeral port that is not associated with any standard service, making it a common choice for malware or remote access tools (RATs) to establish command-and-control (C2) communication. In the netstat -an output, an established connection on a non-standard high port from the local system to a remote IP is a strong indicator of C2 activity, as legitimate services typically use well-known ports.

Exam trap

CompTIA often tests the concept that high-numbered ephemeral ports (above 1024) with no associated standard service are strong indicators of C2 activity, tricking candidates into choosing common service ports like 22, 53, or 80 because they are familiar, even though those are legitimate and monitored.

How to eliminate wrong answers

Option B is wrong because port 22 is the default for SSH, a legitimate remote administration protocol, and while it can be abused for C2, it is not the likely port for covert C2 communication in this context. Option C is wrong because port 53 is used for DNS, which is essential for name resolution; although DNS can be tunnelled for C2, the direct use of port 53 for an established connection (not just queries) is less common and would be more conspicuous. Option D is wrong because port 80 is the standard HTTP port for web traffic; while HTTP can be used for C2, it is a well-known port that is heavily monitored and less likely to be used for stealthy C2 compared to a non-standard high port.

5
Multi-Select · medium

Which actions are appropriate before restoring systems after malware eradication? (Choose two.)

Select 2 answers
A. Disable all monitoring during restoration
B. Reuse known-compromised credentials
C. Validate backups are clean and restorable
D. Verify persistence mechanisms are removed
Answers: C, D

Recovery depends on trustworthy backups.

Why this answer

Option C is correct because restoring from backups that are themselves infected or corrupted would reintroduce the malware or cause system instability. Before restoration, backups must be validated as clean (e.g., scanned with updated antivirus or checked against known file hashes) and restorable (e.g., tested via a restore dry-run or checksum verification). This ensures the recovery process does not perpetuate the incident.

Exam trap

The exam often tests the misconception that restoring from backups is a straightforward 'plug-and-play' step, but the trap here is that candidates forget to validate backup integrity and to eliminate persistence mechanisms, leading to re-infection or incomplete recovery.

6
MCQ · medium

An analyst identifies a security policy violation during a routine audit. The violation does not pose immediate risk. Which of the following is the BEST way to report this finding?

A. Create a formal report with the finding, policy references, and recommended remediation
B. Mention it casually in a team meeting
C. Send an instant message to the system owner
D. Immediately report it to the Chief Information Security Officer
Answer: A

Proper documentation supports compliance and follow-up.

Why this answer

A formal report is the best method for documenting a security policy violation because it provides a permanent, auditable record that includes specific policy references and recommended remediation steps. This aligns with the reporting and communication domain's emphasis on structured, traceable documentation for non-urgent findings, ensuring proper tracking and accountability without causing unnecessary alarm.

Exam trap

CompTIA often tests the distinction between formal reporting for non-urgent findings versus immediate escalation for critical threats, trapping candidates who confuse 'no immediate risk' with 'requires urgent action' or choose informal communication methods.

How to eliminate wrong answers

Option B is wrong because casually mentioning a policy violation in a team meeting lacks formal documentation, making it impossible to track remediation or prove compliance during audits. Option C is wrong because sending an instant message to the system owner is informal and ephemeral, providing no permanent record or policy reference for future review. Option D is wrong because immediately reporting a non-urgent violation to the Chief Information Security Officer escalates unnecessarily, bypassing standard reporting channels and overwhelming leadership with low-priority issues.

7
MCQ · easy

A mid-sized e-commerce company uses a multi-cloud environment with AWS and Azure. The vulnerability management team performs monthly authenticated scans using a commercial scanner. During the last scan, a critical remote code execution vulnerability (CVE-2023-XXXX) was identified on an EC2 instance running a legacy application. The application owner states that the instance cannot be patched immediately because the patch would break compatibility with a third-party API. The instance has direct internet access and handles PCI data. The CISO wants to reduce risk to an acceptable level within 48 hours. Which course of action should the analyst recommend?

A. Place the EC2 instance behind a web application firewall (WAF) and restrict inbound access to known IPs using security groups.
B. Decommission the instance and remove the legacy application from service immediately.
C. Apply the vendor-recommended patch after testing in a dev environment within two weeks.
D. Disable TLS 1.0 and enable TLS 1.2 on the instance to reduce the attack surface.
Answer: A

A WAF can mitigate the specific RCE vector, and network restrictions reduce exposure.

Why this answer

Option A is correct because placing the EC2 instance behind a WAF and restricting inbound access to known IPs via security groups provides immediate, compensating controls that reduce the attack surface for the critical RCE vulnerability. Since the instance cannot be patched within 48 hours, this network-layer isolation (WAF filtering malicious payloads, security groups limiting source IPs) aligns with the CISO's risk reduction requirement while maintaining business operations and PCI compliance.

Exam trap

CompTIA often tests the concept that compensating controls (like WAF + security group restrictions) are acceptable for immediate risk reduction when patching is not feasible, and candidates mistakenly choose a delayed patch (Option C) or an irrelevant security fix (Option D) instead of the correct network-layer mitigation.

How to eliminate wrong answers

Option B is wrong because decommissioning the instance immediately would break the legacy application and the third-party API integration, causing unacceptable business disruption and potential PCI data processing failure; the CISO asked for risk reduction, not removal. Option C is wrong because applying the patch in two weeks violates the 48-hour risk reduction mandate and does not address the immediate threat; the analyst must recommend a compensating control, not a delayed patch. Option D is wrong because disabling TLS 1.0 and enabling TLS 1.2 addresses encryption weaknesses, not the remote code execution vulnerability (CVE-2023-XXXX); it does not mitigate the specific RCE attack vector.

8
MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For business prioritization, which recommendation gives the best risk-based order of work?

A. Ignore the vulnerability because it is internal
B. Change all findings to low severity
C. Environmental scoring and compensating-control review
D. Use only the vendor marketing page
Answer: C

Environmental factors help translate generic severity into local risk.

Why this answer

Option C is correct because CVSS base scores (like 9.8) do not account for network context or existing security controls. Environmental scoring (CVSS Environmental Metrics) adjusts the base score based on factors like asset criticality and network placement, while a compensating-controls review determines whether firewalls, ACLs, or network segmentation already mitigate the risk. This combined analysis provides the true residual risk for business prioritization.

Exam trap

The exam often tests the misconception that a high CVSS base score always means urgent remediation, ignoring that environmental scoring and compensating controls can significantly lower the actual risk in a segmented network.

How to eliminate wrong answers

Option A is wrong because internal vulnerabilities can still be exploited by attackers who pivot from a compromised host or by malicious insiders; ignoring them violates the principle of defense in depth. Option B is wrong because arbitrarily changing all findings to low severity disregards the actual exploitability (CVSS 9.8 indicates remote code execution without authentication) and would misallocate security resources. Option D is wrong because vendor marketing pages often downplay risks and lack objective, technical detail; they are not a valid source for risk-based prioritization.

9
MCQ · easy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is executive leadership, which content choice is most appropriate?

A. Number of unused dashboards
B. Number of desktop wallpapers changed
C. Total coffee consumed by analysts
D. Mean time to detect, mean time to respond, containment time, and recurrence rate
Answer: D

These KPIs show detection and response effectiveness over time. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are key performance indicators (KPIs) that directly measure the efficiency and effectiveness of an incident response program. These metrics provide quantitative data on how quickly threats are identified, contained, and remediated, and whether the root cause is fully addressed to prevent repeat incidents. For executive leadership, these high-level, trendable metrics are the most relevant for assessing improvement quarter over quarter, as they tie directly to risk reduction and operational maturity.

Exam trap

The exam often tests the distinction between operational metrics (like MTTD/MTTR) and irrelevant or humorous distractors, trapping candidates who fail to focus on KPIs that directly measure incident response effectiveness for executive reporting.

How to eliminate wrong answers

Option A is wrong because the number of unused dashboards is a metric related to security information and event management (SIEM) or reporting tool utilization, not incident response performance; it does not measure detection, response, or containment speed. Option B is wrong because changing desktop wallpapers is a configuration management or endpoint compliance task unrelated to incident response metrics; it has no bearing on detecting or responding to security incidents. Option C is wrong because total coffee consumed by analysts is a humorous distractor with no technical relevance to incident response KPIs; it does not provide any data on detection time, response time, containment, or recurrence.

10
MCQ · medium

A company uses a mix of Windows and Linux servers. The vulnerability scanner reports a critical remote code execution vulnerability in Apache Struts (CVE-2017-5638) on a web server located in the DMZ. This server is behind a load balancer with an identical twin server that does not appear vulnerable. The security team needs to implement immediate remediation while minimizing downtime. What should the analyst do?

A. Re-image the server with a hardened operating system
B. Implement a virtual patch via web application firewall (WAF) rules
C. Shut down the vulnerable server until a patch can be tested
D. Apply the vendor patch immediately during business hours
Answer: B

A virtual patch blocks the exploit at the network layer, providing immediate protection while allowing time for proper patching.

Why this answer

Option B is correct because implementing a virtual patch via WAF rules can immediately block exploitation attempts against CVE-2017-5638 (Apache Struts) without modifying the server or taking it offline. The WAF inspects HTTP requests for malicious Content-Type headers used in the exploit and drops them, providing protection while the identical twin server remains unaffected and the vulnerable server can be patched later with minimal downtime.

Exam trap

The trap here is that candidates may choose immediate patching (Option D) without considering the requirement to minimize downtime, or they may choose shutdown (Option C) thinking it's the safest, but the scenario explicitly prioritizes uptime over a full patch cycle.

How to eliminate wrong answers

Option A is wrong because re-imaging the server with a hardened OS does not address the specific Apache Struts vulnerability and introduces significant downtime, which contradicts the requirement to minimize downtime. Option C is wrong because shutting down the vulnerable server would cause an outage for the DMZ web service, and the load balancer would route all traffic to the twin server, potentially overloading it or exposing a single point of failure. Option D is wrong because applying the vendor patch immediately during business hours risks service disruption if the patch introduces compatibility issues or requires a restart, and the scenario explicitly calls for minimizing downtime.

11
MCQ · hard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Kerberoasting reconnaissance or ticket harvesting
B. ARP spoofing
C. DNS cache poisoning
D. Pass-the-hash using NTLM only
Answer: A

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

The alert describes a workstation requesting a high number of Kerberos service tickets (TGS-REQ) for many different Service Principal Names (SPNs) without subsequently accessing those services. This pattern is classic for Kerberoasting reconnaissance, where an attacker with valid domain credentials (e.g., a compromised user account) enumerates SPNs to request TGS tickets for accounts that have servicePrincipalName attributes set. The attacker then extracts the encrypted ticket data offline to crack the associated service account passwords.

The lack of corresponding service access confirms the tickets were harvested, not used for legitimate authentication.

Exam trap

The trap here is that candidates may confuse Kerberoasting with other credential-based attacks like pass-the-hash or golden ticket attacks, but the key differentiator is the high volume of TGS requests for multiple SPNs without actual service access, which is unique to Kerberoasting reconnaissance.

How to eliminate wrong answers

Option B is wrong because ARP spoofing is a Layer 2 attack that manipulates the ARP cache to intercept traffic on a local network segment; it does not involve Kerberos service ticket requests or SPN enumeration. Option C is wrong because DNS cache poisoning corrupts DNS resolution data to redirect traffic to malicious hosts; it does not generate Kerberos TGS requests or target SPNs. Option D is wrong because pass-the-hash using NTLM only involves replaying NTLM hashes for authentication without requiring Kerberos tickets; it does not produce a burst of TGS-REQ messages for multiple SPNs.
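The detection pattern described above, as an added example that is not part of the original question bank: constructed Kerberos telemetry is grouped by requesting account and client address, the number of distinct SPNs requested inside a short window is counted, and the burst is flagged only when almost none of those services were actually accessed afterwards. The field layout, thresholds and sample records are assumptions.

```python
"""Flag TGS harvesting: one source requests tickets for many distinct SPNs
in a short window and then never uses the services. Added example over
constructed telemetry; field layout and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed service-ticket requests, shaped like the fields a Windows
# 4769 event carries: time, requesting account, client address, SPN.
TGS_REQUESTS = [
    ("2024-05-01T09:00:01", "jdoe", "10.0.5.23", "MSSQLSvc/db01:1433"),
    ("2024-05-01T09:00:02", "jdoe", "10.0.5.23", "HTTP/intranet"),
    ("2024-05-01T09:00:02", "jdoe", "10.0.5.23", "MSSQLSvc/db02:1433"),
    ("2024-05-01T09:00:03", "jdoe", "10.0.5.23", "CIFS/files01"),
    ("2024-05-01T09:00:03", "jdoe", "10.0.5.23", "HTTP/reports"),
    ("2024-05-01T09:00:04", "jdoe", "10.0.5.23", "exchangeMDB/mail01"),
    # Ordinary user: one ticket, followed by real use of that service.
    ("2024-05-01T09:05:10", "asmith", "10.0.5.40", "CIFS/files01"),
]

# Constructed service-access records (e.g. a network logon on the host that
# owns the SPN): time, account, SPN of the service that was reached.
SERVICE_ACCESS = [
    ("2024-05-01T09:05:12", "asmith", "CIFS/files01"),
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_ticket_harvesting(tgs, access, window=timedelta(minutes=5),
                           min_spns=5, max_use_ratio=0.2):
    """Return (account, client_ip, distinct_spns, spns_used) per flagged source.

    A source is flagged when, inside `window`, it requested tickets for at
    least `min_spns` distinct SPNs and afterwards used at most `max_use_ratio`
    of them. The thresholds are assumptions to be tuned per environment.
    """
    # Requests grouped by (account, client address), in time order.
    by_source = defaultdict(list)
    for stamp, account, ip, spn in sorted(tgs):
        by_source[(account, ip)].append((_t(stamp), spn))

    # Service access indexed by account, for the "was the ticket used" check.
    used = defaultdict(list)
    for stamp, account, spn in access:
        used[account].append((_t(stamp), spn))

    findings = []
    for (account, ip), reqs in by_source.items():
        # Sliding window anchored at each request in turn.
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) < min_spns:
                continue
            # SPNs from the burst that saw genuine service access later on.
            touched = {spn for t, spn in used[account]
                       if spn in spns and t >= start}
            if len(touched) / len(spns) <= max_use_ratio:
                findings.append((account, ip, len(spns), len(touched)))
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for finding in find_ticket_harvesting(TGS_REQUESTS, SERVICE_ACCESS):
        print("possible TGS harvesting:", finding)
```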

12
Multi-Select · easy

Which THREE of the following are common containment techniques used during incident response?

Select 3 answers
A. Disconnect the network cable
B. Shut down the system
C. Reimage the system
D. Block IP addresses at the firewall
E. Change passwords for compromised accounts
Answers: A, D, E

Immediate isolation of a host.

Why this answer

Disconnecting the network cable is a common containment technique because it immediately isolates the affected system from the network, preventing the spread of malware or unauthorized access. This physical disconnection ensures that no further network-based communication can occur, which is critical for containing incidents like ransomware or data exfiltration. It is a rapid, low-level action that does not rely on software or OS controls, making it effective even if the system is compromised.

Exam trap

CompTIA often tests the distinction between containment, eradication, and recovery phases, so the trap here is confusing actions like shutting down or reimaging (which belong to later phases) with true containment techniques that isolate the threat without destroying evidence.

13
MCQ · easy

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is the business service owner, which content choice is most appropriate?

A. Timeline, service impact, evidence, required corrective actions, and contractual follow-up
B. Internal blame speculation
C. Confidential unrelated customer data
D. A public press statement draft first
Answer: A

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option A is correct because it aligns with the structured communication framework required for vendor management during an outage. The business service owner needs a clear timeline, quantified service impact (e.g., number of affected users, duration), evidence (e.g., logs, monitoring data), required corrective actions to prevent recurrence, and contractual follow-up (e.g., SLA breach, credits). This ensures accountability and supports informed decision-making without speculation or unnecessary data.

Exam trap

The exam often tests the candidate's ability to distinguish between operational, evidence-based communication and emotional or premature responses, with the trap being that test-takers may choose 'internal blame speculation' (Option B) thinking it shows accountability, but it actually violates professional incident management protocols.

How to eliminate wrong answers

Option B is wrong because internal blame speculation is unprofessional, lacks technical substance, and violates incident communication best practices by focusing on fault rather than resolution and evidence. Option C is wrong because sharing confidential unrelated customer data violates data privacy regulations (e.g., GDPR, HIPAA) and is irrelevant to the vendor's remediation failure. Option D is wrong because a public press statement draft is premature and inappropriate for internal communication to a business service owner; it bypasses the need for factual, technical details and could cause reputational harm if released without verification.

14
Multi-Select · medium

An analyst is creating a detection for suspicious PowerShell. Which conditions improve fidelity? (Choose two.)

Select 2 answers
A. PowerShell installed on the endpoint
B. The host has more than one local user profile
C. Outbound network connection shortly after script execution
D. Encoded command execution launched from Office or a browser process
Answers: C, D

Network activity after suspicious execution strengthens the signal.

Why this answer

Option C is correct because an outbound network connection shortly after PowerShell script execution is a strong indicator of post-exploitation activity, such as beaconing to a command-and-control (C2) server or exfiltrating data. This behavioral pattern significantly improves detection fidelity by reducing false positives, as legitimate administrative scripts rarely establish immediate outbound connections.

Exam trap

The trap here is that candidates may confuse common environmental characteristics (like PowerShell being installed or multiple user profiles) with actual suspicious behavior, failing to recognize that fidelity requires indicators of malicious intent rather than mere presence or configuration differences.

15
MCQ · medium

During incident response, the team identifies that an attacker used a compromised third-party vendor account to access the network. Which of the following should the team do first?

A. Change all system passwords
B. Revoke the vendor's access
C. Conduct forensic analysis on the vendor's account
D. Notify law enforcement
Answer: B

Stops the attacker from using the compromised account.

Why this answer

The immediate priority is to contain the breach by revoking the compromised third-party vendor's access. This stops the attacker from using the valid session or credentials to move laterally or exfiltrate data. Changing all system passwords (A) is too broad and time-consuming, while forensic analysis (C) and law enforcement notification (D) are secondary steps that occur after containment.

Exam trap

CompTIA often tests the 'containment before eradication' principle, and the trap here is that candidates choose forensic analysis (C) first, mistakenly thinking evidence preservation is more urgent than stopping the active attack.

How to eliminate wrong answers

Option A is wrong because changing all system passwords is a broad, time-consuming action that does not immediately stop the attacker's active session; the attacker may still have tokens or session cookies that bypass password changes. Option C is wrong because conducting forensic analysis on the vendor's account before revoking access allows the attacker to continue their malicious activities, violating the containment-first principle of incident response. Option D is wrong because notifying law enforcement is a post-containment step; the team must first stop the active threat before involving external parties.

16
MCQ · medium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Give all users local admin rights
B. Mark the vulnerability as fixed
C. Remove the system from future reports
D. Documented risk acceptance with compensating controls and a migration/remediation plan
Answer: D

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

Option D is correct because when a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally document the risk acceptance, including compensating controls (e.g., network segmentation, host-based firewall rules) and a migration or remediation plan. This documentation is essential for stakeholder management to demonstrate due diligence and maintain a defensible security posture against audits or compliance reviews.

Exam trap

CompTIA often tests the misconception that removing a system from reports or marking a vulnerability as fixed is acceptable, but the correct approach is always to formally document risk acceptance with compensating controls and a migration plan.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would increase the attack surface and eliminate any privilege boundaries, directly violating the principle of least privilege and making the system more vulnerable to exploitation. Option B is wrong because marking the vulnerability as fixed when no patch has been applied is a false declaration; vulnerabilities must be remediated, mitigated, or accepted, not falsely closed. Option C is wrong because removing the system from future reports hides the risk from stakeholders and auditors, undermining transparency and the defensibility of the vulnerability management program.

17
MCQ · medium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Time synchronization and timezone normalization across log sources
B. Delete one source from the timeline
C. Assume the firewall logs are falsified
D. Prioritize only the source with the highest EPS
Answer: A

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

The five-minute discrepancy between firewall and endpoint events for the same connection is a classic symptom of clock drift or misconfigured time synchronization. The analyst should first check NTP (Network Time Protocol) settings and timezone normalization across all log sources to ensure timestamps are aligned. Without synchronized time, correlation of events during incident reconstruction is unreliable, making this the foundational step in root-cause analysis.

Exam trap

The exam often tests the misconception that timestamp discrepancies are due to log falsification or that deleting or prioritizing logs is a valid troubleshooting step, when the correct first action is always to verify time synchronization and normalization across all sources.

How to eliminate wrong answers

Option B is wrong because deleting one source from the timeline removes potentially critical evidence and does not resolve the underlying time discrepancy; it merely hides the symptom. Option C is wrong because assuming the firewall logs are falsified without evidence is a premature conclusion that ignores the more common and plausible cause of clock drift or misconfiguration. Option D is wrong because prioritizing the source with the highest Events Per Second (EPS) does not address timestamp alignment; EPS measures log volume, not temporal accuracy, and could lead to overlooking valid data from lower-volume sources.

18
MCQ · medium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Search only for successful HTTP 200 responses
B. Delete the host from the SIEM asset inventory
C. Block all DNS traffic from the subnet
D. Correlate DNS query logs with endpoint process and network connection telemetry
Answer: D

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Correlating DNS query logs with endpoint process and network connection telemetry (Option D) provides direct evidence of command-and-control (C2) beaconing by linking the algorithmically generated domain (AGD) queries to a specific process initiating outbound connections. This cross-referencing validates whether the DNS activity is part of a malware's C2 channel, as legitimate applications rarely generate hundreds of NXDOMAIN responses at fixed intervals. The SOC analyst can confirm the detection by identifying the parent process (e.g., a suspicious executable) and matching its network connections to the queried domains.

Exam trap

The trap here is that candidates often focus on the DNS NXDOMAIN responses alone and choose a reactive action like blocking traffic (Option C) or deleting the host (Option B), instead of recognizing that correlation with endpoint telemetry is required to validate the detection before any response.

How to eliminate wrong answers

Option A is wrong because searching only for successful HTTP 200 responses ignores the core indicator of C2 beaconing—the repeated NXDOMAIN responses—and would miss malware that uses DNS tunneling or fails to resolve before switching domains. Option B is wrong because deleting the host from the SIEM asset inventory removes visibility into the suspicious activity, destroying evidence and preventing further analysis of the beaconing behavior. Option C is wrong because blocking all DNS traffic from the subnet is an overly disruptive response that would break legitimate network operations and does not help validate the detection; it should only be considered as a containment step after confirmation.
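The correlation described above, as an added example that is not part of the original question bank: constructed resolver logs are checked per host for a high NXDOMAIN count at near-constant query intervals, and a flagged host's queries are then tied back to the process that issued them (endpoint DNS telemetry that records the issuing process, such as Sysmon's DNS query event, is assumed to exist) and to that process's outbound connections. Thresholds, field layout and the sample records are assumptions.

```python
"""Validate DGA-style beaconing: per host, count NXDOMAIN answers and measure
how regular the query spacing is, then attribute a flagged host's queries to
the issuing process and its outbound connections. Added example over
constructed telemetry; thresholds and field layout are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log lines: time host qname rcode
DNS_LOG = [
    "2024-05-01T12:00:00 WS-09 kq3xv8d.example NXDOMAIN",
    "2024-05-01T12:00:30 WS-09 p9zt2lw.example NXDOMAIN",
    "2024-05-01T12:01:00 WS-09 m4rq7yb.example NXDOMAIN",
    "2024-05-01T12:01:30 WS-09 d1hs6ke.example NXDOMAIN",
    "2024-05-01T12:02:00 WS-09 zx8cv1n.example NOERROR",
    "2024-05-01T12:02:30 WS-09 tt5we9q.example NXDOMAIN",
    "2024-05-01T12:00:05 WS-11 www.example.org NOERROR",
    "2024-05-01T12:00:41 WS-11 cdn.example.net NOERROR",
    "2024-05-01T12:03:22 WS-11 typo.exmaple.org NXDOMAIN",
]

# Constructed endpoint DNS telemetry (which process issued each query):
# time, host, process image, qname.
ENDPOINT_DNS = [
    ("2024-05-01T12:00:00", "WS-09", "updater.exe", "kq3xv8d.example"),
    ("2024-05-01T12:00:30", "WS-09", "updater.exe", "p9zt2lw.example"),
    ("2024-05-01T12:01:00", "WS-09", "updater.exe", "m4rq7yb.example"),
    ("2024-05-01T12:01:30", "WS-09", "updater.exe", "d1hs6ke.example"),
    ("2024-05-01T12:02:00", "WS-09", "updater.exe", "zx8cv1n.example"),
    ("2024-05-01T12:02:30", "WS-09", "updater.exe", "tt5we9q.example"),
    ("2024-05-01T12:00:05", "WS-11", "chrome.exe", "www.example.org"),
]

# Constructed network-connection records: time, host, process, dest, port.
NET_CONNS = [
    ("2024-05-01T12:02:01", "WS-09", "updater.exe", "198.51.100.7", 443),
    ("2024-05-01T12:00:06", "WS-11", "chrome.exe", "192.0.2.10", 443),
]


def parse_dns(lines):
    """Group resolver log lines by host as (time, qname, rcode), time-ordered."""
    by_host = defaultdict(list)
    for line in lines:
        stamp, host, qname, rcode = line.split()
        by_host[host].append((datetime.fromisoformat(stamp), qname, rcode))
    for recs in by_host.values():
        recs.sort()
    return by_host


def beaconing_candidates(by_host, min_nxdomain=4, max_jitter=0.1):
    """Hosts with at least `min_nxdomain` NXDOMAIN answers whose query
    spacing is near-constant (std dev / mean gap <= max_jitter)."""
    out = {}
    for host, recs in by_host.items():
        nx = sum(1 for _, _, rcode in recs if rcode == "NXDOMAIN")
        if nx < min_nxdomain or len(recs) < 2:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            out[host] = {"nxdomain": nx, "interval_s": avg, "jitter": jitter}
    return out


def attribute_to_process(candidates, by_host, endpoint_dns, net_conns):
    """For each candidate host, the processes that issued its NXDOMAIN queries
    and the outbound connections those processes made."""
    result = {}
    for host in candidates:
        qnames = {q for _, q, rcode in by_host[host] if rcode == "NXDOMAIN"}
        procs = {p for _, h, p, q in endpoint_dns if h == host and q in qnames}
        conns = [(p, dst, port) for _, h, p, dst, port in net_conns
                 if h == host and p in procs]
        result[host] = {"processes": procs, "connections": conns}
    return result


if __name__ == "__main__":
    hosts = parse_dns(DNS_LOG)
    cands = beaconing_candidates(hosts)
    attributed = attribute_to_process(cands, hosts, ENDPOINT_DNS, NET_CONNS)
    for host, info in attributed.items():
        print(host, cands[host], info)
```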

19
Multi-Select · medium

An organization has detected a ransomware outbreak that has encrypted critical file servers. The incident response team has activated the plan. Which three of the following actions should be taken during the containment and eradication phases? (Choose three.)

Select 3 answers
- Isolate affected systems from the network immediately.
- Power down all systems to prevent further encryption.
- Identify the initial infection vector through log analysis.
- Restore encrypted data from verified, offline backups.
- Notify law enforcement before any containment actions.
- Disable the antivirus software to reduce system load.

Why this answer

Isolating affected systems from the network immediately is correct because it stops the ransomware from spreading laterally to other hosts via SMB, RDP, or other network protocols. This containment step is critical to limit the scope of the outbreak and protect unencrypted assets.

Exam trap

CompTIA often tests the distinction between containment (immediate isolation) and eradication (removal and restoration), and the trap here is that candidates confuse 'powering down' as a valid containment step when it actually destroys forensic evidence and is not recommended in ransomware response.

20
MCQ · medium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is a SOC manager, which content choice is most appropriate?

A. Only estimated financial loss
B. Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
C. Only the CVE headline
D. Only a red/yellow/green chart
Answer: B

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to SOC manager while preserving factual accuracy.

Why this answer

Option B is correct because a technical remediation section for an OpenSSL vulnerability must include specific, actionable steps: affected assets and package versions to identify scope, patch commands or vendor guidance to apply the fix, a validation method (e.g., openssl version -a or a vulnerability scanner) to confirm remediation, and rollback notes for safety. This ensures the SOC manager can direct the server team with precise, auditable instructions, aligning with the Reporting and Communication domain's requirement for clear, technical content in incident response.

Exam trap

The trap here is that candidates may choose a high-level summary (like a chart or CVE headline) thinking it suffices for a SOC manager, but Cisco tests that technical remediation must include specific, executable steps (package versions, commands, validation) even when the audience is a manager, because the manager needs to verify and delegate the work accurately.

How to eliminate wrong answers

Option A is wrong because estimated financial loss belongs in a business impact analysis or executive summary, not in a technical remediation section; it provides no actionable steps for fixing the OpenSSL vulnerability. Option C is wrong because only the CVE headline (e.g., CVE-2024-XXXX) lacks the necessary details—affected package versions, patch commands, validation, and rollback—needed for the server team to execute the fix. Option D is wrong because a red/yellow/green chart is a high-level status indicator for dashboards, not a technical remediation; it omits the specific commands, version checks, and rollback procedures required to patch OpenSSL across Linux hosts.

21
Multi-Select · medium

During a weekly security briefing, a junior analyst presents vulnerability scan results to a mixed audience of technical and non-technical stakeholders. Which three of the following communication practices should the analyst follow? (Choose three.)

Select 3 answers
- Use technical jargon to demonstrate expertise and build credibility
- Provide a high-level executive summary with business risk context
- Focus only on critical and high-severity vulnerabilities
- Visualize data using charts and graphs to highlight trends
- Differentiate between managed and unmanaged risks
- Present every low-severity finding in detail to be thorough

Why this answer

Providing a high-level executive summary with business risk context is correct because non-technical stakeholders need to understand the impact of vulnerabilities in terms of potential financial, operational, or reputational harm, not just technical severity scores. This aligns with the CompTIA CS0-003 objective of tailoring communication to the audience, ensuring that decision-makers can prioritize remediation based on business risk rather than raw CVSS numbers.

Exam trap

CompTIA often tests the misconception that 'focusing only on critical and high-severity vulnerabilities' is sufficient for a mixed audience, but the trap is that this ignores the need to communicate managed vs. unmanaged risks and to provide context for all findings, not just the highest severity ones.

22
MCQ · medium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For business prioritization, which recommendation gives the best risk-based order of work?

A. The incident containment playbook only
B. The firewall vendor invoice
C. The risk register with owner, justification, expiry date, and compensating controls
D. The phishing training completion list
Answer: C

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch due to contractual constraints, the risk register must be updated to document the risk owner, justification, expiry date, and compensating controls. This ensures the risk is tracked, reviewed, and mitigated within an acceptable timeframe, aligning with vulnerability management and risk acceptance processes.

Exam trap

Cisco often tests the distinction between operational documents (playbooks, training logs) and governance artifacts (risk register), leading candidates to choose a familiar-sounding option like the incident containment playbook instead of the correct risk management process.

How to eliminate wrong answers

Option A is wrong because the incident containment playbook is used for active incident response, not for documenting accepted risks or deferred patches. Option B is wrong because the firewall vendor invoice is a billing document, not a risk management artifact, and has no role in tracking risk acceptance. Option D is wrong because the phishing training completion list tracks user awareness training, not risk acceptance decisions for patch delays.

23
Multi-Select · medium

A SOAR playbook enriches suspicious IP addresses. Which enrichment sources are useful? (Choose two.)

Select 2 answers
A. Threat intelligence reputation and first-seen date
B. Internal asset and previous-seen telemetry
C. Random social media comments about cybersecurity
D. Office chair inventory
Answers: A, B

Reputation and recency help judge maliciousness.

Why this answer

Threat intelligence reputation feeds (e.g., VirusTotal, AlienVault OTX) provide a risk score and first-seen date for an IP, which helps determine if it is known for malicious activity and how recently it became active. Internal asset and previous-seen telemetry (e.g., from a SIEM or asset management database) reveals if the IP belongs to an internal host or has been observed in past incidents, enabling context-aware response. Both sources directly support enrichment by adding authoritative, actionable data to the playbook.

Exam trap

Cisco often tests the distinction between authoritative, structured enrichment sources (threat intel feeds, internal logs) versus irrelevant or untrusted data (social media, physical inventory) to see if candidates understand that SOAR automation requires reliable, machine-readable inputs.

24
MCQ · medium

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Close the alert because HTTPS is expected traffic
B. Disable the SIEM parser for PowerShell events
C. Decode the command and inspect the process tree, parent document, and network destination
D. Reimage every workstation in the department
Answer: C

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option C is correct because the encoded PowerShell command is the most direct artifact of the attacker's intent; decoding it reveals the executed payload, while inspecting the process tree confirms the parent-child relationship (winword.exe spawning powershell.exe), the parent document identifies the phishing vector, and the network destination pinpoints the C2 server. This triage provides the evidence needed for containment without destroying forensic data.

Exam trap

Cisco often tests the misconception that HTTPS traffic is inherently safe or that immediate containment (like reimaging) is always the best first step, when in reality the priority is to preserve and analyze volatile evidence before taking irreversible actions.

How to eliminate wrong answers

Option A is wrong because outbound HTTPS from a PowerShell process spawned by winword.exe is highly anomalous—attackers frequently use HTTPS to blend in with legitimate traffic, so closing the alert ignores a clear indicator of compromise. Option B is wrong because disabling the SIEM parser for PowerShell events would blind the security team to all future PowerShell activity, including legitimate administrative tasks, and does nothing to address the current alert. Option D is wrong because reimaging every workstation is an extreme, untargeted response that destroys volatile evidence (e.g., memory, process trees, network connections) and is premature before confirming the scope of the infection.

25
Multi-Select · hard

A SIEM receives endpoint, firewall, identity, and cloud logs for the same incident, but timestamps do not align across sources. Which actions should the analyst take before finalizing the timeline? (Choose two.)

Select 2 answers
A. Assume the latest arriving event happened last
B. Verify time synchronization and timezone parsing for each source
C. Discard every source except the firewall
D. Normalize events to a common timestamp standard such as UTC
Answers: B, D

Clock drift and timezone conversion errors can reorder events.

Why this answer

Option B is correct because without verifying time synchronization (e.g., NTP configuration) and timezone parsing for each log source, the analyst cannot trust the chronological order of events. A SIEM relies on accurate timestamps to correlate logs from endpoints, firewalls, identity systems, and cloud platforms; misaligned timestamps can lead to incorrect incident reconstruction.

Exam trap

Cisco often tests the misconception that you can simply trust the order logs arrive in the SIEM, but the trap is that arrival order does not equal occurrence order due to network latency, buffering, and clock skew.
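As an added worked example (not part of the question bank), the two correct actions carried through in Python on four constructed events, one per source, that arrive at the SIEM out of order. Each source gets a profile stating how its timestamp is written and, for the firewall, the zone its local time is in and the clock error measured against an NTP reference; the per-source formats, the 45-second skew and the event values are all assumptions constructed for the example.

```python
"""Normalize multi-source event timestamps to UTC before building an incident
timeline. Source profiles and events are constructed sample data."""
from datetime import datetime, timedelta, timezone

# Per-source parsing profile (constructed). tz applies only to sources whose
# timestamps carry no offset; skew_s is the measured clock error in seconds
# (positive = the device clock runs fast), e.g. from an NTP comparison.
SOURCE_PROFILES = {
    "endpoint": {"kind": "iso_z"},                                   # 2024-05-01T14:03:07Z
    "identity": {"kind": "iso_offset"},                              # 2024-05-01T16:02:58+02:00
    "cloud":    {"kind": "epoch"},                                   # 1714572190
    "firewall": {"kind": "local", "format": "%Y-%m-%d %H:%M:%S",     # local time, no offset
                 "tz": timezone(timedelta(hours=-4)), "skew_s": 45}, # UTC-4, clock 45 s fast
}

# Constructed events in SIEM arrival order, which is not occurrence order.
EVENTS = [
    {"id": "cloud-api", "source": "cloud",    "raw": "1714572190"},
    {"id": "fw-deny",   "source": "firewall", "raw": "2024-05-01 10:03:50"},
    {"id": "idp-login", "source": "identity", "raw": "2024-05-01T16:02:58+02:00"},
    {"id": "edr-proc",  "source": "endpoint", "raw": "2024-05-01T14:03:07Z"},
]


def normalize(raw, profile, apply_skew=True):
    """Return an aware UTC datetime for a raw timestamp under a source profile."""
    kind = profile["kind"]
    if kind == "iso_z":
        ts = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    elif kind == "iso_offset":
        ts = datetime.fromisoformat(raw)            # offset is carried in the string
    elif kind == "epoch":
        ts = datetime.fromtimestamp(int(raw), tz=timezone.utc)
    elif kind == "local":
        ts = datetime.strptime(raw, profile["format"]).replace(tzinfo=profile["tz"])
    else:
        raise ValueError(f"unknown timestamp kind {kind!r}")
    if apply_skew:
        ts -= timedelta(seconds=profile.get("skew_s", 0))
    return ts.astimezone(timezone.utc)


def build_timeline(events=EVENTS, profiles=SOURCE_PROFILES, apply_skew=True):
    """Sort events by normalized UTC time; returns (utc_iso, source, id) tuples."""
    rows = []
    for e in events:
        utc = normalize(e["raw"], profiles[e["source"]], apply_skew)
        rows.append((utc.isoformat(), e["source"], e["id"]))
    return sorted(rows)


def event_order(**kwargs):
    """Just the event ids, in normalized chronological order."""
    return [row[2] for row in build_timeline(**kwargs)]


if __name__ == "__main__":
    print("arrival order:", [e["id"] for e in EVENTS])
    print("no skew fix  :", event_order(apply_skew=False))
    print("normalized   :", event_order())
```

With the skew correction switched off the firewall deny appears to happen after the endpoint process start and the cloud API call; with it applied the deny moves to where it belongs, between the identity login and the process start. That reordering is the point of the question: both the zone conversion and the synchronization check have to be done before the timeline is trusted.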

26
Multi-Select · hard

An analyst suspects DNS tunnelling but wants to avoid over-escalating normal CDN behaviour. Which comparisons help? (Choose two.)

Select 2 answers
A. Baseline query length, entropy, and subdomain uniqueness for the host
B. Compare query rate and destination domains against peer hosts
C. Check whether the user likes the website
D. Count the number of icons on the desktop
Answers: A, B

Tunnelling often creates abnormal label characteristics.

Why this answer

DNS tunnelling encodes non-DNS data (e.g., file exfiltration or C2 commands) into DNS queries, often producing abnormally long, high-entropy subdomains. Comparing current query length, entropy, and subdomain uniqueness against a baseline for the same host helps distinguish tunnelling from legitimate CDN traffic, which typically uses short, predictable subdomains. This approach focuses on the structural characteristics of the queries themselves, avoiding false positives from normal CDN behaviour.

Exam trap

The trap here is that candidates may confuse DNS tunnelling detection with generic anomaly detection, overlooking the need for a host-specific baseline to avoid flagging legitimate CDN traffic that naturally has higher query rates or longer subdomains.
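As an added worked example (not part of the question bank), options A and B combined in Python: per-host label length, label entropy and subdomain uniqueness are computed and then compared against the median of the other hosts, so a host is only flagged when it stands out from its peers rather than from a fixed threshold. The query log, the host names, the CDN-style names and the long hex labels under t.example.net are constructed sample data, and the per-feature multipliers are assumptions chosen for the example.

```python
"""Score per-host DNS query characteristics against peer hosts to separate
tunnelling from ordinary CDN traffic. Query logs are constructed sample data."""
from collections import defaultdict
from math import log2
from statistics import median

# Constructed query log: host, fully qualified query name. ws-01 and ws-02 use
# short repeated CDN labels; ws-03 sends long, unique, high-entropy labels.
QUERY_LOG = """\
ws-01 a1.cdn.example-cdn.net
ws-01 img3.cdn.example-cdn.net
ws-01 img3.cdn.example-cdn.net
ws-01 static.example.com
ws-01 a1.cdn.example-cdn.net
ws-01 api.example.com
ws-02 img7.cdn.example-cdn.net
ws-02 img7.cdn.example-cdn.net
ws-02 fonts.example.org
ws-02 static.example.com
ws-02 a1.cdn.example-cdn.net
ws-02 mail.example.com
ws-03 3f9a1c7e2b8d4f60a5c3e17b9d2f4a6c8e0b1d3f.t.example.net
ws-03 9c2e4b7a1d0f3e6c8a5b2d7f4e1c9a6b3d0e5f8a.t.example.net
ws-03 b4d7e1f9a3c6e0b2d5f8a1c4e7b0d3f6a9c2e5b8.t.example.net
ws-03 e0c3a6f9d2b5e8a1c4f7b0d3e6a9c2f5b8d1e4a7.t.example.net
ws-03 1a4d7b0e3c6f9a2d5b8e1c4f7a0d3b6e9c2f5a8d.t.example.net
ws-03 7e2b5d8a1f4c7e0b3d6a9f2c5e8b1d4a7f0c3e6b.t.example.net
"""

# How far above the peer median a feature must sit to count as a hit
# (constructed multipliers; unique_ratio is bounded by 1.0, hence the small factor).
FACTORS = {"label_len": 1.5, "entropy": 1.3, "unique_ratio": 1.2}


def shannon_entropy(text):
    """Bits per character of the string; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * log2(c / n) for c in counts.values())


def host_features(lines):
    """Per host: mean first-label length, mean first-label entropy, the share
    of queries whose full name was unique for that host, and the query count."""
    per_host = defaultdict(list)
    for line in lines.splitlines():
        host, qname = line.split()
        per_host[host].append(qname)
    feats = {}
    for host, names in per_host.items():
        labels = [n.split(".")[0] for n in names]
        feats[host] = {
            "label_len": sum(map(len, labels)) / len(labels),
            "entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "unique_ratio": len(set(names)) / len(names),
            "queries": len(names),
        }
    return feats


def flag_tunnelling(feats, factors=FACTORS, min_hits=2):
    """Flag a host when at least `min_hits` features exceed the peer median by
    the feature's factor. Peers are every other host, so a busy CDN user is
    compared with what other hosts normally look like, not with a fixed cutoff."""
    flagged = {}
    for host, f in feats.items():
        peers = [p for p in feats if p != host]
        if not peers:
            continue
        hits = [name for name, factor in factors.items()
                if f[name] > factor * median(feats[p][name] for p in peers)]
        if len(hits) >= min_hits:
            flagged[host] = hits
    return flagged


def analyze(lines=QUERY_LOG):
    return flag_tunnelling(host_features(lines))


if __name__ == "__main__":
    for host, f in host_features(QUERY_LOG).items():
        print(host, {k: round(v, 2) for k, v in f.items()})
    print("flagged:", analyze())
```

In production the peer set would be hosts in the same role or subnet and the features would be computed over a rolling window, but the shape is the same: the host's own structure (A) measured against what comparable hosts do (B).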

27
MCQ · hard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the containment trade-off phase, which response balances containment with evidence preservation?

A. CVSS vector string
B. YARA rule
C. Sigma rule
D. OpenIOC package only
Answer: C

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are platform-agnostic, portable detection signatures written in YAML that can be automatically converted into queries for multiple SIEM platforms (Splunk, QRadar, Elastic, etc.). This makes them the ideal choice for a threat hunter who needs a single detection artifact for suspicious rundll32 execution that can be deployed across different SIEM environments without manual rewriting.

Exam trap

Cisco often tests the distinction between endpoint-focused artifacts (YARA, OpenIOC) and SIEM-portable detection formats (Sigma), trapping candidates who confuse YARA's binary pattern matching with log-based SIEM detection.

How to eliminate wrong answers

Option A is wrong because CVSS vector strings describe vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and are not used for detection logic or SIEM conversion. Option B is wrong because YARA rules are designed for file/process memory pattern matching on endpoints, not for portable SIEM query conversion; they lack native support for log field mapping and SIEM syntax translation. Option D is wrong because OpenIOC packages are XML-based and tightly coupled to specific IOC structures (e.g., registry keys, file hashes) and are not as easily converted across diverse SIEM platforms as Sigma rules, which have a dedicated conversion ecosystem (sigmac, pySigma).
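As an added worked example (not part of the question bank), the portability argument shown in Python: one Sigma-shaped rule for rundll32 spawned by an Office application is both evaluated directly against process-creation events and rendered into two SIEM query dialects. The rule, the two simplified dialect templates and the three events are constructed for this example; real conversions go through sigma-cli / pySigma backends, which also handle backslash escaping and field-name mapping that this sketch leaves out.

```python
"""Evaluate one Sigma-style rule against events and render it as queries for
two SIEM dialects. Rule, dialect templates and events are constructed."""

# Constructed rule in the shape of a Sigma process_creation rule. In Sigma,
# keys inside one selection are ANDed and a list of values is ORed.
RULE = {
    "title": "Rundll32 launched by an Office application",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\rundll32.exe",
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
        },
        "condition": "selection",
    },
}

# Constructed process-creation events (field names as Sysmon/Sigma use them).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
]

# Simplified query templates per dialect (illustrative assumption, no escaping).
DIALECTS = {
    "splunk": {"equals": '{f}="{v}"', "startswith": '{f}="{v}*"',
               "endswith": '{f}="*{v}"', "contains": '{f}="*{v}*"',
               "or": " OR ", "and": " "},
    "lucene": {"equals": '{f}:"{v}"', "startswith": "{f}:{v}*",
               "endswith": "{f}:*{v}", "contains": "{f}:*{v}*",
               "or": " OR ", "and": " AND "},
}


def _split_key(key):
    """'Image|endswith' -> ('Image', 'endswith'); no modifier means exact match."""
    field, _, modifier = key.partition("|")
    return field, modifier or "equals"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _value_matches(modifier, actual, pattern):
    actual, pattern = actual.lower(), pattern.lower()  # Sigma string matching is case-insensitive
    if modifier == "endswith":
        return actual.endswith(pattern)
    if modifier == "startswith":
        return actual.startswith(pattern)
    if modifier == "contains":
        return pattern in actual
    return actual == pattern


def matches(rule, event):
    """True when the event satisfies the selection (single-selection condition only)."""
    detection = rule["detection"]
    if detection["condition"] != "selection":
        raise NotImplementedError("only 'condition: selection' is handled here")
    for key, patterns in detection["selection"].items():
        field, modifier = _split_key(key)
        actual = str(event.get(field, ""))
        if not any(_value_matches(modifier, actual, p) for p in _as_list(patterns)):
            return False
    return True


def to_query(rule, dialect):
    """Render the same selection in a target dialect; the logic does not change."""
    d = DIALECTS[dialect]
    clauses = []
    for key, patterns in rule["detection"]["selection"].items():
        field, modifier = _split_key(key)
        terms = [d[modifier].format(f=field, v=p) for p in _as_list(patterns)]
        clauses.append(terms[0] if len(terms) == 1 else "(" + d["or"].join(terms) + ")")
    return d["and"].join(clauses)


def matching_indices(rule=RULE, events=EVENTS):
    """Indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if matches(rule, e)]


if __name__ == "__main__":
    for name in DIALECTS:
        print(f"{name:7}: {to_query(RULE, name)}")
    print("matching events:", matching_indices())
```

The rule text never changes between targets; only the renderer does, which is why a hunter keeps the Sigma source as the artefact of record and treats each SIEM query as a generated output.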

28
MCQ · medium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Disable all outbound internet access for the organisation
B. Delete historical flow records to reduce SIEM cost
C. Correlate flow volume with database audit logs and the destination reputation
D. Assume encryption means the transfer is safe
Answer: C

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option C is correct because correlating the outbound flow volume with database audit logs allows you to verify whether the encrypted transfers correspond to legitimate database activity (e.g., scheduled backups or replication) or unauthorized data exfiltration. Checking the destination autonomous system's reputation against threat intelligence feeds (e.g., known C2 infrastructure or bulletproof hosting) provides immediate context on whether the traffic is malicious. This dual-correlation approach gives the highest triage value by confirming or refuting the detection without disrupting operations.

Exam trap

Cisco often tests the misconception that encryption implies safety, but the trap here is that encrypted outbound traffic to an unfamiliar ASN during off-hours is a classic data exfiltration indicator, and the correct triage step is to correlate with internal logs and external reputation before taking action.

How to eliminate wrong answers

Option A is wrong because disabling all outbound internet access is a drastic, disruptive response that violates the principle of least privilege and would halt legitimate business operations; triage should first investigate the specific traffic before taking containment actions. Option B is wrong because deleting historical flow records destroys forensic evidence needed for root cause analysis and compliance, and it does not address the suspicious activity. Option D is wrong because encryption alone does not guarantee safety—attackers commonly use TLS/SSL to conceal data exfiltration (e.g., HTTPS tunnels), and the off-hours timing and unfamiliar ASN are strong indicators of malicious intent.

29
MCQ · medium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the evidence source phase, which evidence source best supports or refutes the detection?

A. Use only a firewall deny rule for port 443
B. Create a CVE entry
C. Create and test a YARA rule against known-good and known-bad samples
D. Tune DHCP lease duration
Answer: C

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed for malware identification and classification by matching patterns (strings, byte sequences, and regular expressions) in files or processes. Creating and testing a YARA rule against known-good and known-bad samples allows the analyst to detect related files from the same campaign with high precision and low false positives, directly addressing the need to find files sharing unique strings and byte patterns.

Exam trap

Cisco often tests the distinction between network-level controls (firewall rules) and host-level detection methods (YARA), leading candidates to mistakenly choose a network-based option like a firewall rule when the question explicitly asks about file content analysis.

How to eliminate wrong answers

Option A is wrong because a firewall deny rule for port 443 only blocks outbound HTTPS traffic and does not analyze file content or detect malware samples based on strings or byte patterns. Option B is wrong because a CVE entry is a vulnerability identifier for a specific software flaw, not a method for detecting related malware files based on unique strings or byte patterns. Option D is wrong because tuning DHCP lease duration affects IP address assignment and renewal, not file analysis or pattern matching for malware detection.

30
MCQ · hard

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Allow the host to run until the next maintenance window
B. Run disk cleanup to remove temporary files
C. Network-isolate the endpoint through EDR while preserving disk and memory evidence
D. Power off the machine immediately in every case
Answer: C

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Option C is correct because network-isolating the endpoint via EDR (e.g., using a firewall rule or agent-based isolation) stops the beaconing to the malicious IP and prevents further credential dumping, while preserving the disk and memory evidence needed for forensic analysis. This balances containment with evidence preservation by keeping the system powered on so volatile data (e.g., running processes, network connections) is not lost, unlike a hard shutdown.

Exam trap

CompTIA often tests the misconception that immediate power-off is the safest containment action, but the trap here is that it destroys volatile evidence, and the correct answer requires balancing containment with evidence preservation through network isolation.

How to eliminate wrong answers

Option A is wrong because allowing the host to run until the next maintenance window fails to contain the active threat, risking lateral movement and data exfiltration. Option B is wrong because running disk cleanup removes temporary files that could contain critical forensic artifacts (e.g., cached credentials, malware remnants), destroying evidence. Option D is wrong because powering off the machine immediately in every case destroys volatile memory evidence (e.g., active network connections, encryption keys, running processes) and may cause data loss from unsaved changes, violating the requirement to preserve evidence.

31
Matching · medium

Match each analysis technique to its description.


Descriptions
- Matches known patterns
- Identifies deviations from baseline
- Uses rules to detect suspicious behavior
- Monitors actions over time
- Applies mathematical models

Why these pairings

Different techniques are used in security monitoring and detection.

32
Multi-Select · medium

During a security incident, a digital forensics investigator must preserve evidence according to best practices. Which three of the following actions align with proper forensic procedures? (Choose three.)

Select 3 answers
- Calculate and document cryptographic hashes of acquired images.
- Boot the suspect system to check for running processes.
- Maintain a documented chain of custody for all evidence.
- Use a write blocker when creating disk images.
- Store original evidence on the same network as the investigation.
- Reinstall the operating system before imaging to ensure stability.

Why this answer

Calculating and documenting cryptographic hashes (e.g., SHA-256) of acquired images ensures data integrity by providing a verifiable fingerprint that can prove the image has not been altered since acquisition. Maintaining a documented chain of custody tracks every person who handled the evidence, preserving its admissibility in legal proceedings. Using a write blocker when creating disk images prevents any accidental writes to the original media, which is critical to avoid altering the evidence.

Exam trap

CompTIA often tests the misconception that booting a system to check processes is acceptable, but in forensic procedures, any live interaction with the original evidence is prohibited to avoid altering the state.

33
MCQ · medium

An organization uses automated patch management for workstations but manual patching for servers. After a critical vulnerability is announced, the security team wants to expedite patching for servers. Which of the following is the BEST approach?

A. Test the patch in a staging environment and then deploy
B. Disable the affected services until the patch can be applied
C. Deploy the patch immediately to all servers
D. Implement virtual patching via an IPS
Answer: A

Testing ensures the patch is safe before production deployment.

Why this answer

Option A is correct because testing the patch in a staging environment before deploying to production servers validates compatibility and stability, reducing the risk of service disruption. This approach balances the urgency of a critical vulnerability with the need to maintain server availability, which is especially important given that manual patching is the standard procedure for servers. Staging allows the security team to identify any conflicts with existing configurations or dependencies before widespread deployment.

Exam trap

The trap here is that candidates may choose immediate deployment (Option C) due to the urgency of a critical vulnerability, overlooking the operational risk of untested patches in a manual patching environment, while CompTIA often tests the principle that security must be balanced with availability and change management processes.

How to eliminate wrong answers

Option B is wrong because disabling affected services may cause significant business disruption and does not address the underlying vulnerability; it is a temporary workaround that still leaves the system vulnerable if the service is re-enabled without patching. Option C is wrong because deploying the patch immediately to all servers without testing can lead to unforeseen compatibility issues, crashes, or service outages, which is particularly risky in a manual patching environment where automated rollback mechanisms may not be in place. Option D is wrong because implementing virtual patching via an IPS only provides a detection and blocking layer at the network level, but does not remediate the actual vulnerability on the server; it can be bypassed and adds latency, making it a compensating control rather than a definitive fix.

34
MCQ · hard

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. Assume the hosts have no vulnerabilities
B. Review scanner account permissions, allowed authentication methods, and sudo command restrictions
C. Disable SSH on all servers
D. Run only unauthenticated scans forever
Answer: B

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

After SSH hardening, credentialed scans fail because the scanner's authentication method (e.g., password or key-based login) may be blocked, or the scanner account lacks necessary sudo privileges. Option B is correct because reviewing scanner account permissions, allowed authentication methods (e.g., ensuring public key authentication is enabled in sshd_config), and sudo command restrictions directly addresses the root cause of scan failures without compromising security.

Exam trap

Cisco often tests the misconception that after hardening, you should disable SSH entirely or assume no vulnerabilities exist, rather than troubleshooting the scanner's authentication configuration.

How to eliminate wrong answers

Option A is wrong because assuming no vulnerabilities ignores the fact that unauthenticated scans may miss critical issues, and the hosts could still be vulnerable; this is a dangerous assumption that violates vulnerability management best practices. Option C is wrong because disabling SSH on all servers would break legitimate administrative access and is an extreme, unnecessary measure that does not solve the scanning issue. Option D is wrong because running only unauthenticated scans forever would produce incomplete results, missing vulnerabilities that require authenticated access (e.g., local privilege escalation or patch-level checks), and is not a sustainable or effective strategy.

35
MCQ · medium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. DNS tunnelling
B. Password spraying only
C. MFA fatigue or push-bombing attack
D. SSL certificate expiry
Answer: C

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

Option C is correct because the scenario describes MFA fatigue (also called push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This exploits the human tendency to accept prompts to stop interruptions, bypassing MFA security. The clearest next triage step is to investigate the source IPs and authentication logs for anomalous patterns and immediately revoke the approved session.

Exam trap

Cisco often tests the distinction between credential-based attacks (password spraying) and MFA bypass techniques (push-bombing), trapping candidates who confuse repeated MFA prompts with brute-force login attempts.

How to eliminate wrong answers

Option A is wrong because DNS tunnelling involves encoding data in DNS queries/responses to exfiltrate data or establish C2, not to trigger MFA prompts. Option B is wrong because password spraying only attempts to guess passwords across many accounts without triggering MFA prompts; repeated MFA approvals indicate the attacker already has valid credentials and is exploiting MFA push notifications, not just guessing passwords.

36
MCQ · medium

A SOC analyst receives a file from an unknown source via email. The analyst wants to analyze the file without executing it to determine its functionality. Which type of analysis should be performed?

A. Behavioral analysis.
B. Memory analysis.
C. Dynamic analysis.
D. Static analysis.
Answer: D

Static analysis reviews code, headers, and strings without execution.

Why this answer

Static analysis involves examining a file's code, structure, and metadata without executing it, making it the correct choice for determining functionality while avoiding execution risks. Techniques include inspecting strings, headers, and disassembled code to identify malicious indicators like embedded URLs or API calls.

Exam trap

CompTIA often tests the distinction between static and dynamic analysis by emphasizing the 'without executing' condition, leading candidates to confuse behavioral or dynamic analysis as valid options despite the explicit constraint.

How to eliminate wrong answers

Option A is wrong because behavioral analysis requires executing the file in a controlled environment to observe its actions, which contradicts the requirement to analyze without execution. Option B is wrong because memory analysis examines volatile memory (RAM) from a running system, not a file in isolation, and typically requires execution to capture artifacts. Option C is wrong because dynamic analysis involves running the file in a sandbox or debugger to observe runtime behavior, which directly violates the 'without executing it' constraint.

37
MCQ · easy

Refer to the exhibit. An analyst reviews file access logs and notices the entries above. Which is the MOST likely conclusion?

A. The file server is misconfigured.
B. It is a false positive due to time zone differences.
C. The user jsmith is performing authorized research.
D. The user jsmith's credentials may have been compromised.
Answer: D

Unusual time and device indicate possible credential misuse.

Why this answer

The exhibit shows file access logs with multiple failed attempts followed by a successful access from an unusual IP address (10.10.10.10) for user jsmith, which is outside the normal corporate subnet. This pattern of brute-force or password-spraying attempts culminating in a successful login from an anomalous location strongly indicates credential compromise, not authorized activity.

Exam trap

CompTIA often tests the distinction between a simple misconfiguration (which would show consistent failures or permission errors) and a security incident (which shows a pattern of failed attempts followed by success from an anomalous source).

How to eliminate wrong answers

Option A is wrong because a misconfigured file server would typically show consistent access failures or permission errors across multiple users, not a pattern of failed logins followed by a single successful login from an unusual IP. Option B is wrong because time zone differences would cause timestamps to appear shifted but would not explain the sequence of multiple failed attempts from a different IP range, nor the successful access from 10.10.10.10. Option C is wrong because authorized research would not involve repeated failed login attempts; legitimate users would either have proper access or request it, not brute-force their way in.

38
MCQ · medium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Treat every HTTP 200 as proof of exploitation
B. Ask users to change passwords without checking logs
C. Review application logs for query errors, authentication events, and abnormal database access
D. Disable the WAF rule because it may be noisy
Answer: C

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option C is correct because a WAF alert indicates a potential SQL injection attempt, but an HTTP 200 response does not confirm exploitation—it could mean the WAF blocked the payload or the application handled the input safely. Reviewing application logs for query errors, authentication events, and abnormal database access provides direct evidence of whether the injection succeeded, such as seeing SQL error messages in the logs or unauthorized data retrieval. This approach separates true positives (actual compromise) from false positives (blocked or harmless attempts), enabling precise tuning without losing detection of real attacks.

Exam trap

Cisco often tests the misconception that an HTTP 200 status code from a WAF-protected endpoint automatically indicates a successful exploit, when in reality it may reflect WAF blocking or application-level error handling, and candidates must remember that application logs are the definitive source for confirming compromise.

How to eliminate wrong answers

Option A is wrong because treating every HTTP 200 as proof of exploitation ignores that the WAF may have blocked the injection (returning a benign 200) or the application may have sanitized input, leading to false positives; this would cause unnecessary incident response and user disruption. Option B is wrong because asking users to change passwords without checking logs bypasses forensic validation, potentially wasting resources on a non-event and failing to identify whether actual credential compromise occurred; it also violates standard incident response procedures that require evidence-based decisions.
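The triage the correct answer describes, using application-side evidence to decide what an HTTP 200 actually meant, can be scripted once the WAF alert and the application log share a request identifier. The block below is an added example, not code from the exam or any WAF vendor; the alert records, the key=value application log format, the `req` correlation field and the `pw_verified` flag are all constructed assumptions.

```python
import shlex

# Constructed WAF alerts: the flagged request id, the action the WAF took, and the rule.
WAF_ALERTS = [
    {"req": "r1", "action": "BLOCK", "rule": "sqli-login"},
    {"req": "r2", "action": "ALLOW", "rule": "sqli-login"},
    {"req": "r3", "action": "ALLOW", "rule": "sqli-login"},
    {"req": "r4", "action": "ALLOW", "rule": "sqli-login"},
]

# Constructed application log lines (key=value, quoted values allowed). Every
# request returned 200, which on its own says nothing about impact.
APP_LOG = """\
ts=2024-05-01T10:00:01Z req=r1 src=203.0.113.5 path=/login status=200 db_error=none auth=fail
ts=2024-05-01T10:00:05Z req=r2 src=203.0.113.5 path=/login status=200 db_error="syntax error in SQL statement" auth=fail
ts=2024-05-01T10:00:09Z req=r3 src=203.0.113.5 path=/login status=200 db_error=none auth=success pw_verified=false
ts=2024-05-01T10:00:12Z req=r4 src=203.0.113.5 path=/login status=200 db_error=none auth=fail
"""


def parse_app_log(text):
    """Index application log entries by request id; shlex keeps quoted values whole."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        entries[fields["req"]] = fields
    return entries


def triage_alert(alert, app):
    """Classify one WAF SQLi alert using the application's own record of the request."""
    if alert["action"] == "BLOCK":
        return "blocked_by_waf"               # the 200 came from the WAF's block page
    entry = app.get(alert["req"])
    if entry is None:
        return "no_app_record"               # request never reached the application tier
    if entry.get("db_error", "none") != "none":
        return "query_error_true_positive"   # payload reached the database and broke the query
    if entry.get("auth") == "success" and entry.get("pw_verified") == "false":
        return "auth_bypass_true_positive"   # a login succeeded without a verified password
    return "handled_no_impact"               # input reached the app and was handled safely


def triage_all(alerts, app_log_text):
    app = parse_app_log(app_log_text)
    return {a["req"]: triage_alert(a, app) for a in alerts}


if __name__ == "__main__":
    for req, verdict in triage_all(WAF_ALERTS, APP_LOG).items():
        print(req, verdict)
```

Only the two `*_true_positive` verdicts justify declaring compromise; `blocked_by_waf` and `handled_no_impact` are the noise a tuning exercise should suppress, and the WAF rule itself stays enabled throughout.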

39
MCQmedium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is technical remediation owner, which content choice is most appropriate?

A.SLA compliance by severity, asset owner, and business unit
B.A list of all closed tickets with no dates
C.A vendor price comparison
D.A report sorted only by scanner plugin ID
AnswerA

SLA reporting connects remediation timeliness to accountability. The report should be tuned to technical remediation owner while preserving factual accuracy.

Why this answer

Option A is correct because an SLA compliance report by severity, asset owner, and business unit directly maps to the goal of showing whether critical findings are fixed within policy timelines. This report filters by severity (e.g., critical), includes remediation deadlines (SLA), and groups by asset owner and business unit, enabling technical remediation owners to track overdue items and prioritize fixes. It aligns with the NIST SP 800-55 framework for measuring security effectiveness through compliance metrics.

Exam trap

Cisco often tests the distinction between operational metrics (SLA compliance) and raw data (closed tickets) or irrelevant business data (vendor costs), trapping candidates who confuse 'showing compliance' with 'listing activity' or 'financial analysis'.

How to eliminate wrong answers

Option B is wrong because a list of all closed tickets with no dates provides no temporal context to determine if fixes were completed within policy timelines; without timestamps, SLA compliance cannot be measured. Option C is wrong because a vendor price comparison is irrelevant to vulnerability remediation timelines and technical remediation ownership; it addresses procurement, not security operations or SLA adherence.
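A report of the kind in Option A is a grouping of findings by severity, owner and business unit with each finding scored against its remediation deadline. The following is an added example (not the exam's or any scanner's code) that builds such a table from a handful of constructed findings; the SLA day counts per severity and the as-of date are assumed policy values.

```python
from datetime import date, timedelta

# Assumed remediation policy: days allowed per severity (hypothetical values).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed findings (not from the page): one row per vulnerability instance.
FINDINGS = [
    {"id": "V-1", "severity": "critical", "owner": "alice", "bu": "Finance",
     "found": date(2024, 4, 1), "fixed": date(2024, 4, 10)},
    {"id": "V-2", "severity": "critical", "owner": "alice", "bu": "Finance",
     "found": date(2024, 4, 1), "fixed": None},
    {"id": "V-3", "severity": "high", "owner": "bob", "bu": "Retail",
     "found": date(2024, 3, 1), "fixed": date(2024, 4, 15)},
    {"id": "V-4", "severity": "critical", "owner": "bob", "bu": "Retail",
     "found": date(2024, 4, 20), "fixed": None},
]

AS_OF = date(2024, 5, 1)  # assumed reporting date


def finding_status(f, as_of):
    """'met' (fixed by deadline), 'breached' (fixed late, or still open past the
    deadline) or 'open_within_sla' (open but not yet due)."""
    deadline = f["found"] + timedelta(days=SLA_DAYS[f["severity"]])
    if f["fixed"] is not None:
        return "met" if f["fixed"] <= deadline else "breached"
    return "breached" if as_of > deadline else "open_within_sla"


def sla_report(findings, as_of, group_by=("severity", "owner", "bu")):
    """Count statuses per grouping key and derive a compliance percentage.
    Open items past their deadline count against compliance; open items still
    within SLA are excluded from the percentage."""
    report = {}
    for f in findings:
        key = tuple(f[k] for k in group_by)
        row = report.setdefault(key, {"met": 0, "breached": 0, "open_within_sla": 0})
        row[finding_status(f, as_of)] += 1
    for row in report.values():
        decided = row["met"] + row["breached"]
        row["compliance_pct"] = round(100 * row["met"] / decided, 1) if decided else None
    return report


def run():
    return sla_report(FINDINGS, AS_OF)


if __name__ == "__main__":
    for key, row in run().items():
        print(key, row)
```

Changing `group_by` to `("severity",)` gives the one-line view a manager wants, while the full key gives each remediation owner the overdue items they are accountable for, which is the accountability link the answer refers to.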

40
MCQmedium

A security analyst at a small company notices that several workstations in the finance department are communicating with an external IP address known to be associated with a command-and-control server. The analyst checks the host-based firewall logs and sees that outbound connections to that IP are allowed. Which of the following is the BEST immediate action to take?

A.Disconnect the workstations from the network.
B.Block the IP at the perimeter firewall.
C.Update the antivirus definitions.
D.Run a full antivirus scan on the affected workstations.
AnswerA

Immediate containment stops C2 traffic and lateral movement.

Why this answer

Option A is correct because disconnecting the workstations immediately contains the incident, stopping any ongoing C2 traffic and preventing lateral movement. Option B is wrong because blocking a single IP may not be sufficient if the malware uses multiple IPs or domain generation algorithms. Options C and D are slower and do not address the immediate threat.

41
Multi-Selectmedium

A security analyst needs to communicate the results of a vulnerability scan to different stakeholders. Which TWO of the following are appropriate reporting formats for executive-level stakeholders?

Select 2 answers
A.A one-page executive summary with risk ratings and business impact
B.A dashboard showing trend analysis and high-level metrics
C.A detailed remediation checklist for system administrators
D.A raw output from the vulnerability scanner
E.A technical report listing CVSS scores and exploit details
AnswersA, B

Concise and focused on business risk, ideal for executives.

Why this answer

Executive-level stakeholders require high-level, business-focused information to make strategic decisions. A one-page executive summary with risk ratings and business impact (Option A) provides a concise overview of the most critical vulnerabilities, their potential effect on operations, and recommended actions without technical jargon. A dashboard showing trend analysis and high-level metrics (Option B) allows executives to quickly assess the organization's security posture over time, track remediation progress, and identify emerging risks through visual data.

Exam trap

CompTIA often tests the distinction between stakeholder-appropriate reporting formats, and the trap here is that candidates mistakenly choose technical options (like CVSS scores or raw scanner output) because they focus on the data's accuracy rather than the audience's need for actionable, non-technical summaries.

42
MCQhard

A forensic analyst is called to acquire data from a live server that is critical to business operations. The server cannot be powered down. Which acquisition method should the analyst use to minimize alteration of volatile data?

A.Perform a full disk image while the system is running.
B.Dump the system RAM and then shut down for disk imaging.
C.Use a forensic bootable USB to perform a live acquisition.
D.Acquire data over the network using a remote forensic tool.
AnswerC

Live acquisition from a forensic USB captures volatile data with minimal impact.

Why this answer

Option C is correct because using a forensic bootable USB allows the analyst to boot the server into a controlled forensic environment without relying on the compromised or running operating system. This method minimizes alteration of volatile data by loading a trusted kernel that captures RAM contents before any write operations occur, preserving the integrity of the evidence.

Exam trap

CompTIA often tests the misconception that a live acquisition via a bootable USB is equivalent to a 'live response' using the native OS tools, but the key distinction is that a forensic bootable USB bypasses the host OS to minimize alteration of volatile data.

How to eliminate wrong answers

Option A is wrong because performing a full disk image while the system is running will modify volatile data (e.g., pagefile, temporary files, registry hives) and may overwrite unallocated space, violating forensic integrity. Option B is wrong because dumping system RAM and then shutting down for disk imaging causes the loss of all volatile data (e.g., network connections, running processes, encryption keys) upon shutdown, and the shutdown process itself alters the disk state. Option D is wrong because acquiring data over the network using a remote forensic tool introduces network latency, potential packet loss, and may trigger anti-forensic mechanisms or alter memory contents due to the tool's agent installation and network stack activity.

43
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the evidence source phase, which evidence source best supports or refutes the detection?

A.Only the user's browser cache
B.Sign-in logs, MFA result, device details, and mailbox audit events
C.Only DHCP logs from the London office
D.The organisation's public DNS zone file
AnswerB

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option B is correct because the detection of a user authenticating from geographically distant locations within 12 minutes strongly suggests credential theft or token replay, and the subsequent mailbox forwarding rule creation indicates a data exfiltration attempt. The analyst must first correlate sign-in logs (to verify the source IPs and timestamps), MFA results (to check if MFA was satisfied or bypassed), device details (to identify if a known or managed device was used), and mailbox audit events (to confirm who created the forwarding rule and when). This combination directly validates or refutes the UEBA alert by providing the evidence needed to distinguish between a legitimate user with a VPN or a compromised account.

Exam trap

Cisco often tests the misconception that a single log source (like DHCP or browser cache) is sufficient to investigate impossible travel and mailbox rule changes, when in reality multiple correlated evidence sources (sign-in logs, MFA, device details, and audit events) are required to confirm or refute the alert.

How to eliminate wrong answers

Option A is wrong because browser cache only stores local web data (cookies, history, cached pages) and cannot provide authentication timestamps, IP geolocation, MFA status, or mailbox audit trails needed to investigate a cross-geography login and rule creation. Option C is wrong because DHCP logs from the London office only record IP address leases and cannot show authentication events, MFA results, device details, or mailbox changes; they are irrelevant to verifying the Singapore login or the forwarding rule creation.
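The correlation the correct answer calls for (sign-in geography and timing, MFA result, device, then mailbox audit events) is shown below as an added example; it is not the exam's code or any UEBA product's logic. The sign-in and audit records are constructed, the field names follow the general shape of Exchange Online mailbox audit records but are assumptions, and the 1000 km/h plausibility threshold is an assumed value.

```python
import math
from datetime import datetime, timedelta


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Constructed sign-in events. Coordinates would normally come from the identity
# provider's sign-in log or an IP geolocation lookup.
SIGNINS = [
    {"user": "u1", "ts": "2024-05-01T08:00:00", "ip": "198.51.100.7", "lat": 51.5074, "lon": -0.1278,
     "mfa": "satisfied", "device": "managed-laptop-17"},
    {"user": "u1", "ts": "2024-05-01T08:12:00", "ip": "203.0.113.44", "lat": 1.3521, "lon": 103.8198,
     "mfa": "not_required", "device": "unknown"},
]

# Constructed mailbox audit events (assumed field names).
MAILBOX_AUDIT = [
    {"user": "u1", "ts": "2024-05-01T08:20:00", "operation": "New-InboxRule",
     "params": {"ForwardTo": "external@example.net"}},
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed: faster than a commercial flight is implausible
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def impossible_travel(signins):
    """Pairs of consecutive sign-ins per user whose implied speed is implausible."""
    by_user = {}
    for s in sorted(signins, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            hours = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > MAX_PLAUSIBLE_KMH:
                hits.append({"user": user, "first": a, "second": b, "km": round(km), "kmh": round(kmh)})
    return hits


def correlate(hits, audit, window_hours=24):
    """Attach forwarding-rule audit events that follow a flagged sign-in, together
    with the MFA and device facts needed to judge whether it was the real user."""
    out = []
    for h in hits:
        t0 = parse_ts(h["second"]["ts"])
        rules = [e for e in audit
                 if e["user"] == h["user"] and e["operation"] in FORWARDING_OPS
                 and set(e["params"]) & FORWARDING_PARAMS
                 and t0 <= parse_ts(e["ts"]) <= t0 + timedelta(hours=window_hours)]
        out.append({"user": h["user"], "km": h["km"], "kmh": h["kmh"],
                    "second_mfa": h["second"]["mfa"], "second_device": h["second"]["device"],
                    "forwarding_rules": rules,
                    "severity": "high" if rules and h["second"]["mfa"] != "satisfied" else "medium"})
    return out


def run():
    return correlate(impossible_travel(SIGNINS), MAILBOX_AUDIT)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The severity logic is where the evidence sources come together: impossible travel alone is "medium" (a VPN or a proxy explains many of them), but a second sign-in that skipped MFA from an unmanaged device and then created a forwarding rule is the account-compromise pattern the explanation describes.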

44
MCQmedium

A company is implementing a security monitoring solution for its cloud infrastructure. The security team wants to detect attempts to disable logging on critical instances. Which of the following should be configured?

A.VPC Flow Logs
B.CloudTrail (API logging)
C.Host-based intrusion detection (HIDS)
D.Scheduled vulnerability scans
AnswerB

API logging records management events including changes to logging configuration.

Why this answer

CloudTrail (API logging) is the correct choice because it records all API calls made to the cloud provider's control plane, including actions that modify logging configurations such as disabling or stopping logging on critical instances. By monitoring CloudTrail events, the security team can detect attempts to disable logging via API calls like `StopLogging` or `UpdateTrail`, enabling timely alerting and response.

Exam trap

Cisco often tests the distinction between data plane monitoring (VPC Flow Logs) and control plane monitoring (CloudTrail), leading candidates to choose VPC Flow Logs because they think 'logging' refers to network logs rather than API activity logs.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata (IP addresses, ports, protocols) at the data plane level, not control plane actions like disabling logging services. Option C is wrong because Host-based intrusion detection (HIDS) monitors system-level activities (file changes, processes) on individual instances, but cannot detect cloud API calls that disable logging at the infrastructure level. Option D is wrong because scheduled vulnerability scans assess known security weaknesses (e.g., missing patches) and do not provide real-time detection of logging configuration changes.
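A detection for the explanation's `StopLogging` and `UpdateTrail` cases, written over CloudTrail records, is added below as an example; it is not the exam's code nor an AWS-provided rule. The records are constructed in the shape of CloudTrail's JSON (the account number, trail name and addresses are made up), and the event names checked are real CloudTrail API names.

```python
import json

# CloudTrail API calls that stop, remove or narrow trail coverage (real event names).
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed CloudTrail records in the documented record shape; all values are made up.
SAMPLE_RECORDS = json.loads("""{"Records": [
  {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
   "userIdentity": {"type": "IAMUser", "userName": "ops-user"}, "sourceIPAddress": "203.0.113.9",
   "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
  {"eventTime": "2024-05-01T11:01:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
   "userIdentity": {"type": "IAMUser", "userName": "ops-user"}, "sourceIPAddress": "203.0.113.9",
   "requestParameters": null},
  {"eventTime": "2024-05-01T11:02:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
   "sourceIPAddress": "198.51.100.4",
   "requestParameters": {"name": "org-trail", "isMultiRegionTrail": false}},
  {"eventTime": "2024-05-01T11:03:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances",
   "userIdentity": {"type": "IAMUser", "userName": "ops-user"}, "sourceIPAddress": "203.0.113.9",
   "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}}
]}""")


def actor(identity):
    """Best available principal name from a userIdentity block."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def detect_logging_tamper(records):
    """One finding per control-plane call that stops or weakens CloudTrail."""
    findings = []
    for rec in records.get("Records", []):
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue  # data-plane and other services are out of scope for this rule
        if rec.get("eventName") not in LOGGING_TAMPER_EVENTS:
            continue  # read-only calls such as DescribeTrails are normal
        params = rec.get("requestParameters") or {}
        reason = rec["eventName"]
        if reason == "UpdateTrail":
            # UpdateTrail is only suspicious when it narrows coverage; note which setting moved.
            weakening = [k for k in ("isMultiRegionTrail", "includeGlobalServiceEvents")
                         if params.get(k) is False]
            if not weakening:
                continue
            reason = "UpdateTrail:" + ",".join(weakening)
        findings.append({"time": rec["eventTime"], "actor": actor(rec["userIdentity"]),
                         "source_ip": rec.get("sourceIPAddress"),
                         "trail": params.get("name"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect_logging_tamper(SAMPLE_RECORDS):
        print(f)
```

The `StopInstances` record is deliberately included to show the control-plane/data-plane distinction from the exam trap: stopping an EC2 instance is also an API call, but it is not a logging change, and nothing in VPC Flow Logs would show either event.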

45
MCQeasy

A company has been notified by a partner that sensitive data from their shared database was leaked. The CSIRT has been activated. Who should be notified FIRST according to the incident response plan?

A.The legal department.
B.The incident response team.
C.The affected partner.
D.The CEO.
AnswerB

The IR team is the first point of contact to begin the response process.

Why this answer

According to standard incident response frameworks (NIST SP 800-61, SANS PICERL), the incident response team (CSIRT) must be notified first because they are the trained responders who will contain, analyze, and coordinate the response. In this scenario, the CSIRT has already been activated, but the question asks who should be notified first per the plan—the IR team is the initial point of contact to ensure proper triage and evidence preservation before any external communication occurs.

Exam trap

CompTIA often tests the misconception that external stakeholders (partners, legal, or executives) should be notified immediately, when in fact the IR team must be the first notified to maintain chain of custody and prevent evidence spoliation.

How to eliminate wrong answers

Option A is wrong because the legal department is notified after the IR team has confirmed the incident and gathered initial evidence, not first—premature legal involvement can disrupt technical containment. Option C is wrong because notifying the affected partner first violates confidentiality and could compromise forensic analysis; the IR team must first validate the scope and impact. Option D is wrong because the CEO is a strategic stakeholder notified after technical assessment and legal counsel, not first—operational details must be established before executive escalation.

46
MCQmedium

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Disable the SIEM parser for PowerShell events
B.Decode the command and inspect the process tree, parent document, and network destination
C.Reimage every workstation in the department
D.Close the alert because HTTPS is expected traffic
AnswerB

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option B is correct because decoding the encoded PowerShell command reveals the attacker's intent, inspecting the process tree shows the execution chain from winword.exe to powershell.exe, examining the parent document identifies the malicious attachment, and analyzing the network destination uncovers the C2 server. This systematic approach provides the clearest next triage step by correlating the initial infection vector with the subsequent malicious activity, enabling the analyst to contain the threat effectively.

Exam trap

Cisco often tests the candidate's ability to prioritize investigative actions over reactive or destructive measures, trapping those who choose to disable logging or perform mass reimaging instead of conducting a structured forensic analysis.

How to eliminate wrong answers

Option A is wrong because disabling the SIEM parser for PowerShell events would blind the security team to all future PowerShell-based attacks, removing critical visibility without addressing the current alert. Option C is wrong because reimaging every workstation is a drastic, untargeted response that wastes resources and does not help identify the root cause or scope of the incident; it should only be considered after forensic analysis confirms widespread compromise.
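The four pivots in the correct answer (decode the command, walk the process tree, identify the parent document, list the network destination) are shown below as an added example, not code from the exam or from any EDR product. The process events are constructed; the encoded command is a harmless `Write-Output` built inside the block so the sample is self-contained, and the document path, user and destination address are made up.

```python
import base64
import re


def encode_ps(cmd):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE text."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed EDR-style process events linked by pid/ppid.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps("Write-Output 'constructed sample'"),
     "user": "corp\\jdoe", "net": [{"dst": "203.0.113.77", "port": 443}]},
    {"pid": 3988, "ppid": 1502,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "\"WINWORD.EXE\" /n \"C:\\Users\\jdoe\\Downloads\\invoice.docm\"",
     "user": "corp\\jdoe", "net": []},
    {"pid": 1502, "ppid": 1, "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe", "user": "corp\\jdoe", "net": []},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Accepts the abbreviated forms PowerShell allows for -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script text, or None if there is no encoded argument."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def process_chain(events, pid):
    """Walk ppid links to the root; image basenames, child first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events, pid):
    """Gather the four facts an analyst wants before deciding scope."""
    by_pid = {e["pid"]: e for e in events}
    ev = by_pid[pid]
    chain = process_chain(events, pid)
    parent = by_pid.get(ev["ppid"])
    doc = None
    if parent:
        m = re.search(r'"([^"]+\.(?:docm?|xlsm?|pptm?))"', parent["cmdline"], re.IGNORECASE)
        doc = m.group(1) if m else None
    return {"chain": chain,
            "decoded": decode_encoded_command(ev["cmdline"]),
            "office_parent": len(chain) > 1 and chain[1] in OFFICE_PARENTS,
            "parent_document": doc,
            "destinations": [f'{c["dst"]}:{c["port"]}' for c in ev["net"]]}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, 4120))
```

In a real investigation the `decoded` text is what determines whether the destination is a download stager or something benign, and `parent_document` is the file to pull from the mail gateway quarantine for the next step; the chain itself (Office spawning PowerShell) is the high-signal part that justifies continuing rather than closing the alert.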

47
Multi-Selectmedium

A security analyst is reviewing the results of a vulnerability scan. The scan identified several critical vulnerabilities on a web server that were previously reported three months ago. Which TWO actions should the analyst take to improve the vulnerability management process?

Select 2 answers
A.Exclude the web server from future scans to reduce the number of false positives.
B.Increase the frequency of vulnerability scans from quarterly to monthly.
C.Implement a policy to automatically close vulnerabilities after 90 days if no remediation action is taken.
D.Schedule the next scan to occur during peak business hours to capture real-world traffic.
E.Implement virtual patching or web application firewall rules to mitigate the vulnerabilities.
AnswersB, E

More frequent scans reduce the window of exposure and ensure timely identification of issues.

Why this answer

Option B is correct because increasing scan frequency from quarterly to monthly reduces the window of exposure for newly introduced vulnerabilities. Since the same critical vulnerabilities were present for three months, more frequent scanning ensures faster detection and remediation, aligning with continuous monitoring best practices in vulnerability management.

Exam trap

CompTIA often tests the distinction between remediation (fixing the root cause) and mitigation (reducing risk without fixing), leading candidates to overlook that virtual patching is a valid interim action even though it does not permanently resolve the vulnerability.

48
MCQeasy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is business service owner, which content choice is most appropriate?

A.A list of analyst shift times only
B.Business risk, customer impact assessment, remediation status, and remaining exposure
C.Every command the scanner executed
D.Raw packet captures from the scan
AnswerB

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to business service owner while preserving factual accuracy.

Why this answer

Option B is correct because the executive summary for a business service owner must focus on business risk, customer impact, remediation status, and remaining exposure. Since no exploitation was found, the key message is the potential business impact and the current state of remediation, not technical details. This aligns with the Reporting and Communication domain, where the audience requires actionable business-level information.

Exam trap

Cisco often tests the candidate's ability to tailor communication to the audience; the trap here is that technical details (like scanner commands) seem thorough but are inappropriate for a business-focused executive summary, leading candidates to choose overly technical options.

How to eliminate wrong answers

Option A is wrong because listing analyst shift times is irrelevant to the vulnerability's business impact and does not address the service owner's need to understand risk and remediation. Option C is wrong because providing every command the scanner executed is overly technical, irrelevant to the executive summary, and would overwhelm the business audience with unnecessary operational details.

49
MCQhard

A vulnerability management team uses OpenVAS to scan a network of 500 hosts weekly. The scans are causing network congestion and generating false positives. Which of the following would BEST reduce the impact while maintaining effective vulnerability detection?

A.Disable the vulnerable host discovery phase.
B.Increase the scan interval to monthly.
C.Use credential-based scanning to reduce false positives.
D.Schedule scans during off-peak hours and limit concurrent scans.
AnswerD

This reduces network impact while maintaining scan effectiveness.

Why this answer

Scheduling scans during off-peak hours and limiting concurrent scans directly reduces network congestion by shifting traffic to low-utilization periods and capping the number of simultaneous connections. This approach maintains the weekly scan frequency and full vulnerability coverage, unlike other options that degrade detection effectiveness.

Exam trap

CompTIA often tests the misconception that reducing false positives (credential-based scanning) solves network congestion, but the question specifically asks about reducing impact from congestion, not improving accuracy.

How to eliminate wrong answers

Option A is wrong because disabling the host discovery phase would prevent OpenVAS from identifying live hosts, causing it to skip vulnerability checks on those systems and severely reduce detection coverage. Option B is wrong because increasing the scan interval to monthly would leave hosts unassessed for three weeks, violating the weekly cadence and allowing vulnerabilities to persist longer. Option C is wrong because credential-based scanning reduces false positives by enabling authenticated checks, but it does not address network congestion; in fact, it can increase network traffic due to additional authentication exchanges.

50
MCQhard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.DNS cache poisoning
B.ARP spoofing
C.Pass-the-hash using NTLM only
D.Kerberoasting reconnaissance or ticket harvesting
AnswerD

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

Option D is correct because the SIEM alert describes a workstation requesting a high number of Kerberos service tickets for many Service Principal Names (SPNs) without subsequent service access. This is classic Kerberoasting reconnaissance: the attacker uses a valid domain account to request TGS tickets for services, then extracts and cracks the service account passwords offline. The lack of corresponding service access confirms the tickets were not used for legitimate authentication.

Exam trap

Cisco often tests the distinction between Kerberos-based attacks (Kerberoasting) and NTLM-based attacks (pass-the-hash), so the trap here is assuming any credential reuse attack is NTLM-based, ignoring that Kerberoasting uses Kerberos tickets for offline cracking.

How to eliminate wrong answers

Option A is wrong because DNS cache poisoning manipulates DNS resolution to redirect traffic, not to request Kerberos tickets for SPNs. Option B is wrong because ARP spoofing operates at Layer 2 to intercept traffic on a local subnet and does not involve Kerberos ticket requests. Option C is wrong because pass-the-hash using NTLM only reuses NTLM hashes for authentication, whereas the alert specifically shows Kerberos service ticket requests (TGS-REQ) for multiple SPNs, which is a Kerberos-specific attack.
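The SIEM logic behind this alert, a burst of TGS requests for many distinct SPNs from one account and host with no later use of those services, is written out below as an added example. It is not the exam's code nor any SIEM's rule; the events are constructed in the shape of the fields Windows Security event 4769 carries (ticket encryption type 0x17 is RC4, 0x12 is AES-256), and the window and SPN-count thresholds are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed events with the fields of Windows event 4769 (service ticket
    requested); hosts, users and times are made up."""
    spns = ["MSSQLSvc/db01.corp.local:1433", "MSSQLSvc/db02.corp.local:1433",
            "HTTP/intranet.corp.local", "HTTP/reports.corp.local",
            "CIFS/files01.corp.local", "IMAP/mail01.corp.local",
            "LDAP/idm01.corp.local", "TERMSRV/jump01.corp.local"]
    # One workstation requests tickets for eight different SPNs within 35 seconds, all RC4.
    reqs = [{"ts": f"2024-05-01T13:00:{i * 5:02d}", "account": "jdoe", "src_ip": "10.0.5.23",
             "spn": spn, "enc": "0x17"} for i, spn in enumerate(spns)]
    # A normal user asks for one AES ticket and then actually uses the service.
    reqs.append({"ts": "2024-05-01T13:02:00", "account": "asmith", "src_ip": "10.0.5.40",
                 "spn": "CIFS/files01.corp.local", "enc": "0x12"})
    return reqs


# Constructed service-side logons (the 4624 events a genuine ticket use produces).
SERVICE_ACCESS = [{"ts": "2024-05-01T13:02:05", "account": "asmith", "host": "files01.corp.local"}]


def spn_host(spn):
    """'MSSQLSvc/db01.corp.local:1433' -> 'db01.corp.local'."""
    return spn.split("/", 1)[1].split(":")[0].lower()


def detect_kerberoast(requests, accesses, window_minutes=10, min_spns=5):
    """Flag (account, source IP) pairs that request tickets for at least min_spns
    distinct SPNs inside the window; report how many were RC4 and which target
    hosts the account never actually logged on to afterwards."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for r in requests:
        if r["spn"].split("/")[0].lower() == "krbtgt" or r["spn"].endswith("$"):
            continue  # TGT traffic and computer-account SPNs are routine noise
        by_key[(r["account"], r["src_ip"])].append(r)
    accessed = {(a["account"], a["host"].lower()) for a in accesses}
    findings = []
    for (account, ip), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            t0 = datetime.fromisoformat(start["ts"])
            burst = [e for e in evs[i:] if datetime.fromisoformat(e["ts"]) - t0 <= window]
            spns = {e["spn"] for e in burst}
            if len(spns) < min_spns:
                continue
            hosts = {spn_host(s) for s in spns}
            unused = sorted(h for h in hosts if (account, h) not in accessed)
            rc4 = sum(1 for e in burst if e["enc"] == "0x17")
            findings.append({"account": account, "src_ip": ip, "distinct_spns": len(spns),
                             "rc4_tickets": rc4, "services_never_accessed": unused})
            break  # one finding per account/host pair is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_kerberoast(build_sample(), SERVICE_ACCESS):
        print(f)
```

The `rc4_tickets` count is the detail worth adding to the alert: tickets requested with RC4 when the domain supports AES are a stronger Kerberoasting indicator than volume alone, and the `services_never_accessed` list is the "no corresponding service access" condition from the question made explicit, which is also the clearest next pivot for the analyst (confirm on each listed host that no logon from that account followed).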

51
MCQmedium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For business prioritization, which recommendation gives the best risk-based order of work?

A.Give all users local admin rights
B.Mark the vulnerability as fixed
C.Documented risk acceptance with compensating controls and a migration/remediation plan
D.Remove the system from future reports
AnswerC

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager should request a documented risk acceptance with compensating controls and a migration/remediation plan. This is the only option that formally acknowledges the risk, implements compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting) to reduce exploitability, and establishes a timeline to decommission or replace the system. This aligns with the risk-based prioritization required for business decisions.

Exam trap

Cisco often tests the misconception that marking a vulnerability as 'fixed' or ignoring it is acceptable when a patch is unavailable, but the correct risk-based approach is to formally accept the risk with compensating controls and a plan to migrate away from the unsupported system.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would drastically increase the attack surface, allowing any user to install malware, modify system files, or disable security controls, which directly contradicts vulnerability management best practices. Option B is wrong because marking the vulnerability as fixed when it is not patched is a false statement that would misrepresent the risk posture, violate compliance requirements (e.g., PCI DSS, SOX), and could lead to audit failures or exploitation.

52
MCQhard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is technical remediation owner, which content choice is most appropriate?

A.Named owner, due date, acceptance criteria, and retest plan
B.No action because the incident is closed
C.Deletion of the integration record
D.A vague recommendation to improve security
AnswerA

Corrective actions should be accountable and verifiable. The report should be tuned to technical remediation owner while preserving factual accuracy.

Why this answer

A is correct because a failed alert integration indicates a gap in operational ownership, which must be resolved by assigning a named owner, setting a due date, defining acceptance criteria, and planning a retest. This ensures accountability and verifies that the integration is properly restored and monitored, preventing recurrence. Without these elements, the corrective action lacks closure and measurable success criteria.

Exam trap

Cisco often tests the misconception that closing an incident ends all responsibility, but the trap here is that corrective actions must include ownership and verification steps to prevent the same failure from recurring.

How to eliminate wrong answers

Option B is wrong because closing the incident without addressing the root cause (lack of ownership) leaves the vulnerability unpatched and the integration non-functional, violating post-incident remediation best practices. Option C is wrong because deleting the integration record removes the alerting capability entirely, which could blind the security team to future incidents; the corrective action should fix the integration, not eliminate it.

53
MCQeasy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is business service owner, which content choice is most appropriate?

A.Number of desktop wallpapers changed
B.Mean time to detect, mean time to respond, containment time, and recurrence rate
C.Total coffee consumed by analysts
D.Number of unused dashboards
AnswerB

These KPIs show detection and response effectiveness over time. The report should be tuned to business service owner while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are the standard operational metrics for measuring incident response effectiveness. These directly quantify how quickly threats are identified, contained, and whether they return, which is exactly what the CISO needs to assess quarter-over-quarter improvement.

Exam trap

Cisco often tests the candidate's ability to distinguish between vanity metrics (like wallpaper changes) and actionable security KPIs, trapping those who confuse IT helpdesk tasks with incident response metrics.

How to eliminate wrong answers

Option A is wrong because the number of desktop wallpapers changed is a trivial, non-security metric that has no bearing on incident response performance or business service health. Option C is wrong because total coffee consumed by analysts is a humorous distractor with no relevance to security operations metrics or service owner reporting.

54
MCQmedium

An analyst is reviewing scan results and finds that a critical vulnerability is present on 50 workstations. The vendor has released a patch, but the IT team is concerned about potential compatibility issues. Which of the following should the analyst recommend?

A.Remove the vulnerable software
B.Test the patch on a subset before full deployment
C.Apply a workaround from the vendor
D.Deploy the patch to all workstations immediately
AnswerB

Pilot testing identifies issues before full rollout.

Why this answer

Option B is correct because the IT team's concern about compatibility issues necessitates a controlled rollout. Testing the patch on a subset of workstations allows the analyst to validate that the patch does not break critical business applications or system functionality before full deployment, aligning with the vulnerability management principle of staged patching to minimize operational risk.

Exam trap

CompTIA often tests the misconception that immediate patching is always the best response, but the trap here is that the question explicitly highlights 'potential compatibility issues,' requiring the candidate to prioritize risk management over speed, making 'test on a subset' the correct choice over 'deploy immediately.'

How to eliminate wrong answers

Option A is wrong because removing the vulnerable software is a drastic measure that may not be feasible if the software is essential for business operations, and it does not address the root cause of the vulnerability in a way that maintains functionality. Option C is wrong because applying a workaround from the vendor is typically a temporary mitigation strategy, not a permanent fix, and may not fully eliminate the vulnerability or could introduce its own compatibility issues. Option D is wrong because deploying the patch to all workstations immediately ignores the IT team's stated concern about potential compatibility issues, which could lead to widespread system instability or application failures across the entire environment.

55
Drag & Dropmedium

Order the steps to perform a vulnerability scan using a tool like Nessus.


Why this order

Vulnerability scanning typically involves defining targets, choosing a policy, configuring settings, executing, and analyzing results.

56
MCQeasy

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For business prioritization, which recommendation gives the best risk-based order of work?

A.A DNS MX record report
B.A password complexity screenshot only
C.A software bill of materials
D.A building floor plan
AnswerC

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A Software Bill of Materials (SBOM) provides a formal, machine-readable inventory of all third-party and open-source components, libraries, and their versions used in a software product. In a regulated environment, this is essential for vulnerability management and compliance, as it enables the security team to quickly identify known vulnerabilities (e.g., CVEs) in specific library versions and prioritize remediation based on risk.

Exam trap

Cisco often tests the distinction between operational security artifacts (like DNS records or password screenshots) and the specific artifact needed for software composition analysis, leading candidates to choose a familiar-sounding but irrelevant option.

How to eliminate wrong answers

Option A is wrong because a DNS MX record report lists mail exchange servers for email routing, which has no relevance to tracking software libraries or versions. Option B is wrong because a password complexity screenshot only shows password policy settings, not the included libraries or their versions, and provides no visibility into software composition.

57
MCQhard

A security analyst is reviewing a report from an authenticated vulnerability scan of a Windows domain controller. The report indicates multiple critical vulnerabilities related to Active Directory. The system administrator claims the patches have been applied. Which of the following is the MOST likely cause of the discrepancy?

A.The vulnerabilities are false positives
B.The scan was run with insufficient credentials
C.The scan was run before patch installation
D.The patches require a reboot
AnswerD

Patches often need a reboot; if not rebooted, the vulnerability remains.

Why this answer

The most likely cause is that the patches require a reboot. Many critical Active Directory vulnerabilities, such as those in Kerberos or LSASS, are mitigated by patches that only take effect after a system restart. The authenticated scan detects the vulnerability because the patched files are not yet loaded into memory, even though the patches are installed on disk.

Exam trap

Cisco often tests the concept that patch installation does not equal vulnerability remediation until a reboot occurs, leading candidates to incorrectly assume false positives or credential issues.

How to eliminate wrong answers

Option A is wrong because authenticated vulnerability scans are highly accurate for known CVEs; false positives are rare when proper credentials are used, and the scan specifically targets Active Directory vulnerabilities. Option B is wrong because the scan was explicitly described as authenticated, meaning sufficient credentials were provided to access the domain controller and enumerate patch levels. Option C is wrong because the system administrator claims the patches have been applied, and the scan was run after that claim; if the scan had been run before installation, the findings would be expected rather than a discrepancy.

58
MCQhard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For business prioritization, which recommendation gives the best risk-based order of work?

A.A retest showing the vulnerable condition is no longer present
B.Wait one year before testing
C.Create a duplicate ticket for every asset
D.Close it immediately based on the email
AnswerA

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

A retest is required to confirm that the vulnerability has been successfully remediated. Without a retest, the vulnerability manager cannot verify that the patch was applied correctly or that it did not introduce new issues. This aligns with the vulnerability management lifecycle, where closure is only granted after a validated scan or manual test shows the vulnerable condition is eliminated.

Exam trap

Cisco often tests the misconception that simply applying a patch or creating a ticket is sufficient for closure, when in fact a retest is the only way to confirm the vulnerability is truly gone.

How to eliminate wrong answers

Option B is wrong because waiting one year before testing leaves the organization exposed to the critical vulnerability for an unacceptable period, violating the principle of timely remediation and risk reduction. Option C is wrong because creating a duplicate ticket for every asset does not confirm the patch's effectiveness; it only adds administrative overhead without providing any technical verification that the vulnerability is resolved.

59
MCQmedium

A large enterprise with a centralized SOC is responding to a suspected data exfiltration incident. The incident response plan designates the SOC manager as the primary point of contact for all communication. However, during the incident, the marketing department independently publishes a social media post acknowledging the incident, stating that customer data was not compromised, and that the company has everything under control. The SOC analyst discovers this post. The actual investigation is still ongoing, and it is unclear whether customer data was exfiltrated. The company has a strict communication policy that all external statements regarding security incidents must be approved by the incident commander. The marketing department was not aware of the ongoing investigation and acted based on incomplete information. The analyst must consider the potential legal and regulatory implications of the inaccurate statement. The incident commander is currently in a meeting with the CISO and is unavailable. What should the analyst do FIRST?

A.Report the unauthorized communication to the SOC manager and recommend updating the incident communication plan to require approval from the incident commander before any external communication.
B.Inform the marketing department that their post was premature and potentially inaccurate, and ask them to remove it immediately.
C.Post a correction on the company's social media account to clarify that the investigation is ongoing.
D.Ignore the post because it helps maintain customer confidence.
AnswerA

Escalation to the designated communication lead is appropriate; updating the plan prevents recurrence.

Why this answer

Option A is correct because the SOC manager is designated as the primary point of contact for all communication per the incident response plan, and the analyst must first report the unauthorized communication to the SOC manager to ensure proper escalation and documentation. This aligns with the strict communication policy requiring incident commander approval for external statements, and it preserves the chain of command while the incident commander is unavailable. Reporting the breach of protocol allows the SOC manager to initiate corrective actions, such as updating the communication plan, without the analyst exceeding their authority or making unauthorized statements.

Exam trap

CompTIA often tests the principle of 'first report to the designated authority' versus taking direct corrective action, trapping candidates who choose to immediately fix the problem themselves rather than following the incident response plan's communication hierarchy.

How to eliminate wrong answers

Option B is wrong because directly contacting the marketing department to demand removal of the post violates the incident response plan's chain of command, which designates the SOC manager as the primary point of contact; the analyst lacks the authority to instruct other departments. Option C is wrong because posting a correction on social media without incident commander approval violates the strict communication policy and could create additional legal liability by publicly confirming an ongoing investigation with incomplete facts. Option D is wrong because ignoring the post disregards the potential legal and regulatory implications of the inaccurate statement, such as SEC disclosure rules or GDPR misrepresentation penalties, and fails to uphold the duty to report policy violations.

60
Multi-Selectmedium

Which TWO methods help ensure the accuracy of security metrics reported to management?

Select 2 answers
A.Using colorful charts to impress stakeholders
B.Periodic validation of data against original logs
C.Automated data collection from reliable sources
D.Reporting only positive metrics to maintain confidence
E.Manual entry of data from multiple spreadsheets
AnswersB, C

Ensures consistency.

Why this answer

Option B is correct because periodic validation of security metrics against original logs (e.g., firewall logs, IDS/IPS alerts, or authentication logs) ensures data integrity by detecting discrepancies introduced during aggregation or transformation. This practice aligns with the principle of 'trust but verify,' where raw log sources serve as the authoritative baseline for metric accuracy, preventing reporting of corrupted or incomplete data.

Exam trap

CompTIA often tests the misconception that 'automated collection alone guarantees accuracy,' but the trap here is that automation without periodic validation can still propagate errors from misconfigured sources or data pipelines, so both B and C are required for accuracy.

61
MCQhard

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Allow the host to run until the next maintenance window
B.Network-isolate the endpoint through EDR while preserving disk and memory evidence
C.Run disk cleanup to remove temporary files
D.Power off the machine immediately in every case
AnswerB

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Network-isolating the endpoint through EDR (option B) is the best containment action because it immediately stops the beaconing to the malicious IP and prevents further credential dumping while preserving both disk and memory evidence for forensic analysis. This aligns with incident response best practices where containment must not destroy volatile data (e.g., memory artifacts of running credential-dumping processes) or persistent evidence on disk. EDR isolation typically uses a host-based firewall rule to block all inbound/outbound traffic except to the EDR management channel, ensuring the host is quarantined without powering it off or altering the file system.

Exam trap

Cisco often tests the misconception that 'preserving evidence' means you should not touch the host at all, leading candidates to choose 'allow the host to run' (option A), but the correct priority is to contain the threat immediately while using EDR's isolation feature to preserve both disk and memory evidence without powering down.

How to eliminate wrong answers

Option A is wrong because allowing the host to run until the next maintenance window violates the immediate containment requirement—the host is actively beaconing and dumping credentials, which could lead to lateral movement, data exfiltration, or further compromise of the environment. Option C is wrong because running disk cleanup removes temporary files that may contain critical forensic evidence (e.g., dumped credential hashes, tool artifacts, or malicious scripts), directly contradicting the business owner's requirement to preserve evidence.

62
Multi-Selectmedium

Which three of the following are common challenges when conducting authenticated vulnerability scans in a large, heterogeneous network? (Choose three.)

Select 3 answers
.Credential management and rotation across different operating systems and applications
.Increased network bandwidth consumption due to deeper inspection of system configurations
.Elevated risk of account lockouts or service disruption due to incorrect credentials
.Inability to scan virtualized or cloud-based assets using authenticated methods
.Ensuring the scan account has appropriate privileges without granting excessive permissions
.Authenticated scans always provide 100% accurate vulnerability detection

Why this answer

Correct: Credential management and rotation is a major challenge because of the diversity of systems and the need for secure credential storage. Incorrect credentials can cause account lockouts or disrupt services, especially in Active Directory environments. Applying the principle of least privilege to scan accounts is critical but complex across many systems.

Incorrect: Bandwidth increase from authenticated scans is usually minimal; the main impact is on the target system's performance. Most modern scanners support authenticated scanning of virtual and cloud assets via APIs or agent-based methods. Authenticated scans greatly improve accuracy but never guarantee 100% detection due to unknown vulnerabilities or configuration nuances.

63
Multi-Selectmedium

Which metrics best show SOC detection and response effectiveness? (Choose two.)

Select 2 answers
A.Mean time to detect
B.Mean time to contain
C.Number of office printers
D.Total number of email signatures
AnswersA, B

MTTD measures detection speed.

Why this answer

Mean time to detect (MTTD) directly measures how quickly the SOC identifies a security incident from the initial compromise, reflecting the efficiency of detection tools like SIEM and EDR. A lower MTTD indicates faster threat discovery, which is critical for minimizing dwell time and reducing potential damage.

Exam trap

Cisco often tests the distinction between detection metrics (MTTD) and response/containment metrics (MTTC), and candidates may mistakenly include irrelevant operational metrics like printer counts that have no bearing on security operations effectiveness.

64
MCQmedium

A user receives repeated MFA prompts and eventually approves one they did not initiate. How should the analyst classify this behaviour? In the evidence source phase, which evidence source best supports or refutes the detection?

A.DNS tunnelling
B.MFA fatigue or push-bombing attack
C.Password spraying only
D.SSL certificate expiry
AnswerB

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

B is correct because the scenario describes MFA fatigue (also known as push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This is a social engineering technique that exploits human behavior rather than a technical vulnerability in the MFA system itself. The analyst should classify this as an MFA fatigue attack because the user eventually approved a request they did not initiate, which is the hallmark of this attack vector.

Exam trap

Cisco often tests the distinction between technical exploitation (e.g., DNS tunnelling) and social engineering of MFA (e.g., MFA fatigue), so the trap here is that candidates may confuse repeated MFA prompts with a technical attack like password spraying or DNS tunnelling, rather than recognizing it as a user-targeted social engineering tactic.

How to eliminate wrong answers

Option A is wrong because DNS tunnelling involves encoding data in DNS queries and responses to bypass network security controls, which is unrelated to MFA push notifications or user approval behavior. Option C is wrong because password spraying is a brute-force attack where an attacker tries a few common passwords against many accounts, not a technique that triggers repeated MFA prompts to a single user for social engineering purposes.

65
MCQmedium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Prioritize only the source with the highest EPS
B.Delete one source from the timeline
C.Assume the firewall logs are falsified
D.Time synchronization and timezone normalization across log sources
AnswerD

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

Time discrepancies between log sources are a classic symptom of clock drift or misconfigured time zones. Before assuming data tampering or prioritizing one source, the analyst must verify that all systems use synchronized time (e.g., NTP) and consistent timezone settings. This ensures the timeline is accurate for proper incident reconstruction.

Exam trap

CompTIA often tests the candidate's ability to resist jumping to conclusions about malicious activity (e.g., log falsification) when a simpler, more common technical issue like time synchronization is the likely cause.

How to eliminate wrong answers

Option A is wrong because prioritizing the source with the highest events per second (EPS) does not address the root cause of time misalignment and could discard valuable evidence. Option B is wrong because deleting a source from the timeline destroys evidence and prevents correlation; the goal is to reconcile timestamps, not remove data. Option C is wrong because assuming firewall logs are falsified without evidence is premature and ignores the more common and benign cause of clock drift or timezone mismatch.

66
MCQhard

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Network-isolate the endpoint through EDR while preserving disk and memory evidence
B.Run disk cleanup to remove temporary files
C.Power off the machine immediately in every case
D.Allow the host to run until the next maintenance window
AnswerA

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Network-isolating the endpoint via EDR (e.g., using a built-in quarantine feature) stops the beaconing to the malicious IP and halts credential dumping while preserving disk and memory evidence for forensic analysis. This is the best containment action because it balances incident response needs (stopping active compromise) with evidence preservation, which is critical for legal or regulatory follow-up. Powering off or deleting files would destroy volatile memory evidence and potentially violate chain-of-custody requirements.

Exam trap

Cisco often tests the misconception that immediate power-off is always the safest containment action, but the trap here is that it destroys volatile evidence and may violate forensic preservation requirements, making network isolation the preferred approach in active incident response.

How to eliminate wrong answers

Option B is wrong because running disk cleanup removes temporary files that may contain critical forensic artifacts (e.g., dumped credentials, malware remnants), destroying evidence and violating preservation requirements. Option C is wrong because powering off the machine immediately destroys volatile memory evidence (e.g., running processes, network connections, injected code) and may trigger anti-forensic mechanisms in malware, whereas network isolation preserves the system state for live analysis.

67
MCQeasy

A company's IDS generated an alert for a potential SQL injection attack on a web application. The security analyst reviews the alert and confirms that the application is protected by a Web Application Firewall (WAF) that filters SQL injection attempts. Which of the following is the best course of action?

A.Block the source IP
B.No action needed
C.Disable the Web Application Firewall
D.Create a custom signature
AnswerB

The WAF is protecting the application, so no action is required.

Why this answer

The WAF is already configured to filter SQL injection attempts, so the alert from the IDS does not indicate a successful attack. Since the WAF is actively blocking the malicious payload, no additional action is required. The IDS alert is a normal byproduct of the WAF's filtering, and the security analyst should confirm that the WAF is functioning correctly rather than taking unnecessary steps.

Exam trap

CompTIA often tests the misconception that any IDS alert requires immediate action, when in fact the presence of compensating controls like a WAF means the alert may be a false positive or a blocked attempt that does not require intervention.

How to eliminate wrong answers

Option A is wrong because blocking the source IP is an overreaction; the WAF is already mitigating the attack, and the source IP may be legitimate or spoofed, leading to potential denial of service for valid users. Option C is wrong because disabling the WAF would remove the protection layer, exposing the application to actual SQL injection attacks. Option D is wrong because creating a custom signature is unnecessary when the WAF's existing signatures are already filtering the SQL injection attempts; custom signatures are typically used for novel or zero-day threats, not for known patterns already covered.

68
MCQmedium

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is executive leadership, which content choice is most appropriate?

A.A list of tool login names
B.Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
C.A raw CSV of 20,000 findings
D.A screenshot of every scanner page
AnswerB

Board reporting should connect investment to measurable risk reduction. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option B is correct because it directly addresses the board's question by showing a trend in exploitable critical exposures (measuring vulnerability reduction), remediation SLA performance (tracking timeliness of fixes), and residual risk by business service (quantifying remaining risk). This provides executive leadership with a clear, high-level view of risk reduction over time, aligning with the CS0-003 domain of Reporting and Communication for a non-technical audience.

Exam trap

Cisco often tests the misconception that executives want raw data or operational details, when in fact they need summarized, trend-based, risk-focused metrics that directly answer the business question of risk reduction.

How to eliminate wrong answers

Option A is wrong because a list of tool login names provides no insight into risk trends or remediation effectiveness; it is an operational detail irrelevant to executive decision-making. Option C is wrong because a raw CSV of 20,000 findings is too granular and unprocessed for executive leadership, who need summarized, actionable metrics rather than raw data dumps.

69
MCQmedium

A web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible?

A.Only printer logs
B.Only the CEO's mailbox audit events
C.Web access logs, file timestamps, process execution, and outbound connections from the web service account
D.Only SSL certificate metadata
AnswerC

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity is confirmed by correlating multiple evidence sources: web access logs show the initial exploit request with a query parameter (e.g., ?cmd=whoami), file timestamps reveal the creation of the malicious file, process execution logs (e.g., Sysmon Event ID 1) show cmd.exe or PowerShell spawned by the web service account, and outbound connections from that account indicate command-and-control (C2) traffic. This multi-source correlation is essential to distinguish a web shell from legitimate administrative activity.

Exam trap

Cisco often tests the misconception that a single log source (like web access logs alone) is sufficient to confirm web-shell activity, but the trap here is that only correlating multiple evidence types (web logs, file timestamps, process execution, and outbound connections) provides defensible proof for recovery decisions.

How to eliminate wrong answers

Option A is wrong because printer logs are irrelevant to web-shell activity; they record print jobs and device status, not HTTP requests, file creation, or process execution. Option B is wrong because the CEO's mailbox audit events only track email access or sending, which does not capture web server query parameters, file timestamps, or process execution; a web shell operates on the server, not via email.

70
Multi-Selecteasy

A company is implementing a vulnerability management program. Which of the following are essential components of a vulnerability management lifecycle? (Choose three.)

Select 3 answers
A.Vulnerability scanning and assessment.
B.Discovery and inventory of assets.
C.Penetration testing on all systems.
D.Remediation and verification.
E.Automated patch deployment.
AnswersA, B, D

Core activity to identify vulnerabilities.

Why this answer

Vulnerability scanning and assessment is a core component of the vulnerability management lifecycle because it involves actively identifying security weaknesses in systems, applications, and network devices using tools like Nessus or Qualys. This step provides the raw data—CVEs, missing patches, misconfigurations—that drives the entire remediation process. Without regular scanning, the organization cannot maintain an accurate picture of its security posture.

Exam trap

CompTIA often tests the distinction between vulnerability scanning (continuous, automated, non-intrusive) and penetration testing (periodic, manual, intrusive) to see if candidates confuse the two as interchangeable lifecycle components.

71
Multi-Selectmedium

Which TWO of the following are best practices for distributing security reports to stakeholders?

Select 2 answers
A.Post reports on a public website for easy access
B.Use encrypted email for sensitive reports
C.Send reports via instant messaging without encryption
D.Print and leave reports in common areas
E.Grant access via a secure portal with role-based permissions
AnswersB, E

Protects confidentiality.

Why this answer

Option B is correct because encrypted email (e.g., using S/MIME or PGP) ensures that sensitive security reports are protected from unauthorized interception during transit, maintaining confidentiality and integrity as required by security best practices.

Exam trap

CompTIA often tests the misconception that convenience (e.g., public posting or unencrypted messaging) is acceptable for security reports, when in fact any distribution method must enforce confidentiality, integrity, and access control.

72
Multi-Selectmedium

A cybersecurity analyst is preparing a post-incident report for a data breach that affected multiple business units. Which three of the following elements should be included in the report to ensure effective communication and support future prevention? (Choose three.)

Select 3 answers
.A detailed timeline of the incident, including detection and response actions
.The specific usernames and passwords of affected accounts
.Root cause analysis and contributing factors
.Recommendations for remediation and process improvements
.The raw packet capture data from the breach period
.A list of all employees’ personal contact information for notification

Why this answer

A detailed timeline of the incident, including detection and response actions, is correct because it provides a chronological record essential for understanding the sequence of events, assessing response effectiveness, and meeting regulatory reporting requirements. Root cause analysis and contributing factors are correct because they identify the underlying technical or procedural failures (e.g., unpatched vulnerability, misconfigured firewall rule) that must be addressed to prevent recurrence. Recommendations for remediation and process improvements are correct because they translate findings into actionable steps, such as implementing multi-factor authentication or updating incident response playbooks, which directly support future prevention.

Exam trap

CompTIA often tests the distinction between operational data (e.g., raw packet captures, credentials) and actionable intelligence (e.g., timeline, root cause, recommendations) to see if candidates understand that a post-incident report is a high-level communication tool, not a data dump.

73
MCQeasy

A company wants to automate the deployment of security patches to endpoints. Which of the following tools would BEST support this requirement?

A.Enterprise patch management tool
B.Vulnerability scanner
C.Configuration management tool
D.Security information and event management (SIEM) system
AnswerA

Tools like WSUS or SCCM automate patch deployment.

Why this answer

An enterprise patch management tool (e.g., Microsoft WSUS, SCCM, or Ivanti) is specifically designed to automate the deployment, scheduling, and reporting of security patches across endpoints. It directly addresses the requirement by pushing patches to systems based on policy, ensuring compliance, and reducing manual effort.

Exam trap

The trap here is that candidates confuse a vulnerability scanner's ability to detect missing patches with the ability to deploy them, or they overestimate a configuration management tool's patch deployment capabilities, forgetting that patch management requires specialized lifecycle features like approval workflows and rollback support.

How to eliminate wrong answers

Option B is wrong because a vulnerability scanner (e.g., Nessus, Qualys) identifies missing patches and vulnerabilities but does not deploy or automate the installation of patches; it is a detection tool, not a remediation tool. Option C is wrong because a configuration management tool (e.g., Ansible, Puppet) focuses on enforcing desired system states and configurations, but it is not purpose-built for patch deployment and lacks native patch lifecycle management features like approval workflows and rollback capabilities. Option D is wrong because a SIEM system (e.g., Splunk, ArcSight) aggregates and correlates security logs for monitoring and alerting, but it has no mechanism to deploy patches to endpoints.

74
MCQhard

After a high-priority SOC escalation, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which response best matches incident-response practice?

A.A generic statement that security is important
B.Deletion of all incident tickets
C.A blame list of individual analysts
D.Specific playbook updates, escalation triggers, owners, and due dates
AnswerD

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review (PIR) should produce actionable improvements, not generic statements or blame. Specific playbook updates, escalation triggers, owners, and due dates directly address the delayed escalation by refining incident response procedures, ensuring future incidents are escalated faster and with clear accountability. This aligns with NIST SP 800-61 Rev. 2 guidance on lessons learned and process improvement.

Exam trap

CompTIA often tests the concept that post-incident reviews must produce concrete, process-improvement artifacts (like updated playbooks) rather than punitive or vague outputs, and candidates mistakenly choose blame or deletion due to a misunderstanding of incident response maturity.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable, actionable steps to fix the escalation delay or improve the incident response process. Option B is wrong because deletion of all incident tickets destroys forensic evidence, audit trails, and compliance records required for post-incident analysis and potential legal proceedings. Option C is wrong because a blame list of individual analysts fosters a toxic culture, discourages reporting, and violates the principle of a blameless post-mortem focused on process flaws, not individual errors.

75
MCQmedium

After a high-priority SOC escalation, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which response best matches incident-response practice?

A.Tabletop exercise using a realistic ransomware scenario
B.Purchasing a new SIEM without testing procedures
C.Annual password reset only
D.Full destructive malware detonation in production
AnswerA

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise is the correct choice because it allows the company to validate the incident response plan, communication workflows, and role-specific responsibilities for legal, PR, IT, and executives during a ransomware scenario without any risk to production systems. This aligns with NIST SP 800-61r2 guidance on using discussion-based exercises to test decision-making and coordination under a simulated crisis, avoiding the operational impact of live malware or system changes.

Exam trap

CompTIA often tests the distinction between 'testing understanding' (tabletop) and 'testing technical controls' (simulation or live fire), so the trap here is that candidates may choose a technical solution like a SIEM purchase or password reset, thinking it improves security posture, when the question explicitly asks about testing role understanding without production impact.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not test role understanding or incident response processes; it introduces a new tool without validating workflows, which can lead to misconfigured alerts and missed detections. Option C is wrong because an annual password reset only addresses credential hygiene and does not test the multi-team coordination, legal obligations, or PR communication required during a ransomware incident. Option D is wrong because full destructive malware detonation in production would cause actual data loss, system downtime, and potential regulatory violations, directly contradicting the requirement to avoid touching production systems.
