CompTIA CySA+ (CS0-003) — Questions 76-150

503 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
Multi-Select · hard

An attacker used a stolen cloud token. Which evidence helps determine blast radius? (Choose two.)

Select 2 answers
A. The user's monitor brightness
B. Permissions assigned to the principal during the compromise window
C. Audit events performed by the token or principal
D. The logo on the cloud provider website
Answers: B, C

Permissions bound the maximum possible access.

Why this answer

Option B is correct because the permissions attached to the principal (for example an IAM role or user) during the compromise window define the ceiling of what the stolen token could do. Cloud providers such as AWS evaluate policy at the time of each API call, so anything outside those permissions was not reachable, however capable the attacker. Option C is correct because audit events tied to the token or principal (CloudTrail in AWS, the Activity Log in Azure, Cloud Audit Logs in Google Cloud) show what was actually done: which API calls were made, from which source addresses, against which resources, and which calls were denied. Permissions bound the possible impact; audit events establish the realized impact, and a defensible scoping needs both.

Exam trap

CompTIA often pads these questions with distractors that sound environmental or cosmetic (monitor brightness, a vendor logo). The trap is selecting an option because it sounds concrete rather than because it answers the question; blast radius comes from authorization (what the principal could do) and audit logging (what it did).
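The two pieces of evidence combine naturally in code. The following Python sketch is an added example, not part of the question set: it filters CloudTrail-style records to the stolen access key inside the compromise window, then separates successful calls (realized impact, plus the resources they touched) from AccessDenied calls (attempts the principal's permissions blocked, which mark the edge of the possible blast radius). The records, account ID, access key IDs, addresses and bucket names are constructed placeholders; only the field names follow the real CloudTrail schema.

```python
"""Scope a stolen AWS access key from CloudTrail-style records.

Added example: not part of the question set. SAMPLE_EVENTS are constructed
records that follow CloudTrail field names; the account ID, access key IDs,
ARNs, IPs and bucket names are placeholders.
"""
from collections import Counter
from datetime import datetime, timezone

STOLEN_KEY = "AKIAEXAMPLE00000001"        # placeholder, not a real key ID
DEPLOY_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/deploy",
               "accessKeyId": STOLEN_KEY}
OTHER_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops",
              "accessKeyId": "AKIAEXAMPLE00000002"}

SAMPLE_EVENTS = [
    # legitimate use of the key before the compromise window
    {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"bucketName": "build-artifacts", "key": "app.tar.gz"},
     "userIdentity": DEPLOY_USER},
    # attacker activity from an unfamiliar address
    {"eventTime": "2024-05-01T09:58:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "requestParameters": None, "userIdentity": DEPLOY_USER},
    {"eventTime": "2024-05-01T09:59:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "customer-exports", "key": "2024-04.csv"},
     "userIdentity": DEPLOY_USER},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "requestParameters": {"secretId": "prod/db/password"}, "userIdentity": DEPLOY_USER},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied",
     "requestParameters": {"userName": "svc-backup2"}, "userIdentity": DEPLOY_USER},
    # a different principal inside the window: not part of this key's blast radius
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "requestParameters": None, "userIdentity": OTHER_USER},
]

# requestParameters keys that name a concrete resource (extend per service)
RESOURCE_KEYS = ("bucketName", "secretId", "userName", "roleArn", "instanceId", "tableName")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def blast_radius(events, access_key_id, window_start, window_end):
    """Summarise what a key did (and tried to do) inside the compromise window."""
    start, end = parse_time(window_start), parse_time(window_end)
    succeeded, denied = Counter(), Counter()
    resources, source_ips = set(), set()
    for ev in events:
        if ev["userIdentity"].get("accessKeyId") != access_key_id:
            continue
        if not start <= parse_time(ev["eventTime"]) <= end:
            continue
        service = ev["eventSource"].split(".")[0]
        action = f"{service}:{ev['eventName']}"
        source_ips.add(ev["sourceIPAddress"])
        params = ev.get("requestParameters") or {}
        if ev.get("errorCode"):
            # attempted but refused: shows intent, and that policy bounded the damage
            denied[action] += 1
        else:
            succeeded[action] += 1
            resources.update(f"{k}={v}" for k, v in params.items() if k in RESOURCE_KEYS)
    return {
        "succeeded": dict(succeeded),
        "denied": dict(denied),
        "resources": sorted(resources),
        "source_ips": sorted(source_ips),
    }


if __name__ == "__main__":
    report = blast_radius(SAMPLE_EVENTS, STOLEN_KEY,
                          "2024-05-01T09:30:00Z", "2024-05-01T11:00:00Z")
    for section, value in report.items():
        print(f"{section}: {value}")
```

The denied calls are as informative as the successful ones: they show what the attacker wanted (secrets, a new IAM user) and confirm that the principal's policy, not the attacker's restraint, stopped it. In a real investigation the "succeeded" set is compared against the policy attached at the time and against any key usage from unfamiliar source addresses before the window, since the window itself is usually an estimate.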

77
MCQ · hard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend?

A. Always sort only by CVSS base score
B. Remediate alphabetically by CVE ID
C. Prioritize the KEV/high-EPSS issue after confirming asset exposure
D. Remediate only vulnerabilities with vendor logos in the report
Answer: C

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because it combines external threat intelligence (the CISA Known Exploited Vulnerabilities catalog and the EPSS exploitation probability) with internal context (whether the affected asset is actually exposed) to move a medium-severity but actively exploited vulnerability ahead of high-severity findings that cannot be exploited here. This is the risk-based approach described in NIST SP 800-40 Rev. 4 and the premise of CISA's KEV program: a CVSS base score describes technical severity in the abstract, not the likelihood that this organization will be attacked through it. The clause "after confirming asset exposure" matters; a KEV entry for a component that is not deployed, or that sits behind controls that break the exploit path, is lower priority than the listing alone implies.

Exam trap

CompTIA often tests the misconception that CVSS base score alone determines priority. The trap is that candidates discount threat intelligence (KEV, EPSS) and environmental context and pick the high-CVSS-first approach even though the question states those findings are not exploitable in the environment.

How to eliminate wrong answers

Option A is wrong because sorting solely by CVSS base score ignores environmental context and threat intelligence; a high-CVSS vulnerability that is not exploitable in the environment consumes remediation effort, while a medium-CVSS vulnerability in CISA KEV with high EPSS is an active risk. Option B is wrong because remediating alphabetically by CVE ID is arbitrary and has no relationship to exploitability, asset criticality or threat intelligence; it would treat a low-risk CVE the same as an actively exploited one. Option D is wrong because vendor logos are a presentation artifact of the report and carry no information about exploitability, exposure or impact; filtering on them would skip real risk and, in a 900-finding report, hide it from the people who need to see it.

78
MCQ · medium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST?

A. Inline IPS mode with drop rules for all signatures
B. A vulnerability scanner run once per quarter
C. Suricata or Snort in IDS mode on a monitored network tap or SPAN port
D. Host-based file integrity monitoring only
Answer: C

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Option C is correct because the requirement is to detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Suricata or Snort in IDS (Intrusion Detection System) mode, fed from a network tap or SPAN port, passively matches packet payloads against signatures and raises alerts with no inline blocking action, which is exactly the "detect only, no block" requirement. A tap is preferable to a SPAN port where payload inspection matters, because a switch may drop mirrored packets under load, and a sensor that misses packets misses signatures.

Exam trap

CompTIA often tests the distinction between IDS and IPS modes. Candidates mistakenly choose inline IPS because they assume "detection" implies blocking, but the phrase "without blocking traffic" rules out any inline deployment with drop rules.

How to eliminate wrong answers

Option A is wrong because inline IPS mode with drop rules actively blocks traffic, which violates the requirement to "generate alerts without blocking traffic." Option B is wrong because a vulnerability scanner run once per quarter is an assessment tool that checks systems for known weaknesses; it is not a real-time network sensor and cannot alert on live exploit traffic. Option D is wrong because host-based file integrity monitoring watches for changes to files on a single host; it never sees packet payloads and cannot match network exploit signatures.

79
MCQ · hard

A company uses a SIEM platform that ingests logs from various sources. The SOC team receives an alert for a high number of failed login attempts (over 100 in 5 minutes) on the domain controller from a single IP address. The analyst investigates and finds that the failed attempts are for multiple different usernames, including some disabled accounts. The source IP is traced to an external VPN service. The analyst also notices that a few accounts had successful logins from the same IP after the failed attempts. Which of the following is the MOST likely attack type?

A. Brute-force attack.
B. Kerberoasting.
C. Password spraying.
D. Pass-the-hash.
Answer: C

Attacker tries common passwords across many accounts to avoid lockout.

Why this answer

The attack involves a single external IP attempting logins with multiple different usernames (including disabled accounts) and eventually succeeding on a few. This is characteristic of a password spraying attack, where an attacker tries a small number of common passwords against many accounts to avoid triggering account lockout policies. The use of an external VPN service indicates the attacker is anonymizing their origin, and the successful logins after failures confirm the attack's objective.

Exam trap

CompTIA often tests the distinction between brute-force (many passwords, one user) and password spraying (one password, many users), and candidates mistakenly choose brute-force because they see 'failed login attempts' without analyzing the username distribution.

How to eliminate wrong answers

Option A is wrong because a brute-force attack typically targets a single username with many password attempts, not multiple usernames with a few attempts each. Option B is wrong because Kerberoasting targets service accounts by requesting Kerberos service tickets (TGS-REP) for offline cracking, not by performing login attempts against a domain controller. Option D is wrong because pass-the-hash uses captured NTLM hashes to authenticate without needing the plaintext password, and would not generate failed login attempts or target multiple disabled accounts.
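The distinguishing feature in this scenario is the username distribution per source, which is something a SIEM rule can compute directly. The Python below is an added example, not from the question set: it parses constructed, simplified authentication log lines (timestamp, Windows event ID 4625 for a failed logon or 4624 for a successful one, source address, target account), finds the densest five-minute burst of failures per source, classifies the burst by how many distinct accounts it touched, and lists the accounts that succeeded from that source afterwards. The hosts, addresses and account names are invented.

```python
"""Tell password spraying from single-account brute force in authentication logs.

Added example, not from the question set. The log lines are constructed and
simplified: a timestamp, the Windows event ID (4625 failed / 4624 successful
logon), the source address and the target account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>4624|4625) src=(?P<src>\S+) user=(?P<user>\S+)$")
FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed data: one spray (120 users, one attempt each, two later
    successes) and one brute force (one service account hammered 40 times)."""
    t0 = datetime(2024, 5, 2, 3, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):   # includes accounts that would be disabled in AD
        ts = (t0 + timedelta(seconds=2 * i)).strftime(FMT)
        lines.append(f"{ts} 4625 src=198.51.100.23 user=user{i:03d}")
    for j, user in enumerate(["user004", "user031"]):
        ts = (t0 + timedelta(seconds=250 + j)).strftime(FMT)
        lines.append(f"{ts} 4624 src=198.51.100.23 user={user}")
    for i in range(40):
        ts = (t0 + timedelta(seconds=5 * i)).strftime(FMT)
        lines.append(f"{ts} 4625 src=10.0.0.8 user=svc-backup")
    return lines


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], FMT).replace(tzinfo=timezone.utc)
    return d


def classify_sources(lines, window=timedelta(minutes=5), min_failures=20, spray_users=10):
    """Per source address: find the densest failure burst inside `window`,
    classify it by username distribution, and list accounts that later succeeded."""
    by_src = defaultdict(list)
    for e in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "4625"]
        burst = []
        for i, first in enumerate(fails):          # sliding window over failures
            cur = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(cur) > len(burst):
                burst = cur
        if len(burst) < min_failures:
            continue
        users = {e["user"] for e in burst}
        later_ok = sorted({e["user"] for e in evs
                           if e["event"] == "4624" and e["ts"] >= burst[0]["ts"]})
        findings[src] = {
            "kind": "password_spraying" if len(users) >= spray_users else "brute_force",
            "failures": len(burst),
            "distinct_users": len(users),
            "successes_after": later_ok,   # reset and investigate these accounts first
        }
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(build_sample_log()).items():
        print(src, f)
```

In a real SIEM the same logic is a group-by on source address over a time bucket with a count-distinct on the account name. Two refinements are worth adding on production data: the 4625 sub-status (0xC0000072 for a disabled account is a strong spray tell, since a legitimate user does not try disabled accounts) and a per-account view, because a patient sprayer spreads attempts across many source addresses to stay under per-IP thresholds.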

80
MCQ · hard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is the business service owner, which content choice is most appropriate?

A. Only the analyst's personal opinion
B. Risk owner, reason, compensating controls, review date, and expiry
C. No mention of the accepted risk
D. A permanent exception with no review
Answer: B

Risk acceptance must be accountable, time-bound, and visible. The report should be written for the business service owner while preserving factual accuracy.

Why this answer

Option B is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance decision. This includes the risk owner (who accepted the risk), the reason for acceptance, any compensating controls in place, a review date to reassess the risk, and an expiry date for the acceptance. This aligns with risk management frameworks like NIST SP 800-37 and ISO 27005, which require traceability and accountability for accepted risks.

Exam trap

CompTIA often tests the misconception that risk acceptance means the risk is simply ignored or left out of the report. The correct approach is to document the acceptance formally, with owner, justification, compensating controls, review date and expiry, so the decision stays accountable and audit-ready.

How to eliminate wrong answers

Option A is wrong because a report built on the analyst's personal opinion violates the principle of objective risk reporting; risk acceptance decisions must rest on business context and documented facts, not subjective views. Option C is wrong because omitting the accepted risk hides a material security decision from stakeholders and breaks the audit trail that compliance regimes such as PCI DSS and SOX expect for accepted risks. Option D is wrong because a permanent exception with no review turns a temporary business decision into an unmanaged, forgotten risk; the environment, the threat landscape and the compensating controls all change, so the acceptance needs an expiry and a review date.

81
Multi-Select · medium

A phishing incident led to credential theft. Which containment actions are appropriate? (Choose two.)

Select 2 answers
A. Reset affected credentials and revoke active sessions
B. Delete all user mailboxes
C. Disable DNS for the entire company indefinitely
D. Search for mailbox rules or OAuth grants created after compromise
Answers: A, D

This cuts off stolen-session and password access.

Why this answer

Option A is correct because resetting compromised credentials and revoking active sessions cuts off both the password and any stolen session or refresh tokens. In Entra ID (Azure AD) that means a password reset plus a token revocation such as Revoke-MgUserSignInSession (Microsoft Graph PowerShell) or the older Revoke-AzureADUserAllRefreshToken; in on-premises Active Directory, Set-ADAccountPassword -Reset, bearing in mind that Kerberos tickets already issued remain valid until they expire (TGTs default to 10 hours), so a reset alone does not end an active session immediately. Option D is correct because an attacker who has had mailbox access routinely leaves persistence that survives a password change: inbox rules that forward or delete mail (visible with Get-InboxRule in Exchange Online) and OAuth application consents whose refresh tokens are independent of the user's password. Searching for rules and grants created after the compromise finds the backdoors a reset alone would leave in place. Both actions fit the NIST SP 800-61 containment phase: cut off attacker access while preserving forensic evidence, which here means exporting the rules and consent records before removing them.

Exam trap

CompTIA often tests the distinction between containment (stopping the attacker's access) and eradication (removing the root cause). The trap is choosing drastic, business-wide actions such as deleting mailboxes or disabling DNS, mistaking blunt disruption for precise containment.
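The search in option D is mechanical enough to script. The Python below is an added example, not from the question set: it walks constructed, simplified audit records shaped like Exchange Online inbox-rule operations and Entra ID application consents, keeps only those after the estimated compromise time, and flags the patterns attackers leave behind: forwarding to an external domain, deleting or hiding matching messages, keyword filters on words like "invoice" or "password", unnamed rules, and OAuth consents that grant mailbox or file scopes. The mailbox addresses, application name, domain and timestamps are placeholders, and the record shape is a simplification of the real audit log.

```python
"""Hunt for attacker persistence left behind after a phishing credential theft.

Added example, not from the question set. SAMPLE_RECORDS are constructed and
simplified from the shape of Exchange Online / Entra ID audit records; the
mailbox addresses, app name and timestamps are placeholders.
"""
from datetime import datetime, timezone

ORG_DOMAIN = "example.com"          # assumption: the organisation's own mail domain
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "mfa", "security", "alert"}
RISKY_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite",
                "files.readwrite.all", "offline_access"}

SAMPLE_RECORDS = [
    {"time": "2024-05-03T07:00:00Z", "user": "alice@example.com", "operation": "New-InboxRule",
     "params": {"Name": "Quarterly sync", "MoveToFolder": "Projects",
                "SubjectContainsWords": ["Q3 plan"]}},
    {"time": "2024-05-03T11:42:10Z", "user": "alice@example.com", "operation": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": ["a.smith.backup@outlook.example"],
                "DeleteMessage": True,
                "SubjectOrBodyContainsWords": ["invoice", "password", "security alert"]}},
    {"time": "2024-05-03T11:45:00Z", "user": "alice@example.com", "operation": "Set-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "RSS Feeds",
                "From": ["it-helpdesk@example.com"]}},
    {"time": "2024-05-03T11:50:00Z", "user": "alice@example.com",
     "operation": "Consent to application.",
     "params": {"AppDisplayName": "PDF Viewer Pro",
                "Scopes": ["Mail.ReadWrite", "offline_access", "User.Read"]}},
    {"time": "2024-05-03T12:05:00Z", "user": "bob@example.com",
     "operation": "Consent to application.",
     "params": {"AppDisplayName": "Teams", "Scopes": ["User.Read"]}},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rule_reasons(params, org_domain):
    """Heuristics for an inbox rule an attacker would create."""
    reasons = []
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets.extend(params.get(key) or [])
    external = sorted({t.split("@")[-1].lower() for t in targets
                       if not t.lower().endswith("@" + org_domain)})
    if external:
        reasons.append("forwards to external domain " + ", ".join(external))
    if params.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    if (params.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
        reasons.append("hides mail in " + params["MoveToFolder"])
    words = []
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords"):
        words.extend(params.get(key) or [])
    if any(w in phrase.lower() for phrase in words for w in SENSITIVE_WORDS):
        reasons.append("filters on sensitive keywords")
    if len((params.get("Name") or "").strip(" .-_")) <= 1:
        reasons.append("rule name is blank or minimal")
    return reasons


def consent_reasons(params):
    granted = {s.lower() for s in params.get("Scopes", [])} & RISKY_SCOPES
    return ["grants mailbox/file scopes: " + ", ".join(sorted(granted))] if granted else []


def hunt_persistence(records, compromise_time, org_domain=ORG_DOMAIN):
    """Return post-compromise rule changes and OAuth consents worth reverting."""
    since = parse_time(compromise_time)
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if parse_time(rec["time"]) < since:
            continue
        if rec["operation"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_reasons(rec["params"], org_domain)
        elif rec["operation"] == "Consent to application.":
            reasons = consent_reasons(rec["params"])
        else:
            reasons = []
        if reasons:
            findings.append({"time": rec["time"], "user": rec["user"],
                             "operation": rec["operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_persistence(SAMPLE_RECORDS, "2024-05-03T11:00:00Z"):
        print(f["time"], f["user"], f["operation"], "->", "; ".join(f["reasons"]))
```

Run it with a compromise time a little earlier than the first confirmed attacker action, since the estimate is usually late rather than early. Each finding should be exported before it is removed; the rule text and the consented scopes are evidence of objective (invoice fraud versus mailbox harvesting) as well as persistence to clean up.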

82
MCQ · easy

A penetration testing team has completed an internal assessment and provided a report with several high-risk findings. One finding indicates that a web application is vulnerable to SQL injection. The application is used by external customers to submit orders. The development team has reviewed the finding and states that it will take three weeks to fix the code and deploy a patch. The security operations center (SOC) has observed increased scanning activity targeting the application's IP address from external sources. The company's risk tolerance for web application vulnerabilities is low. Which of the following should the analyst recommend as the immediate next step?

A. Deploy a web application firewall (WAF) with rules to block SQL injection attempts.
B. Increase logging and monitoring for SQL injection attempts.
C. Disable the web application until the patch is deployed.
D. Request the development team to expedite the patch within one week.
Answer: A

Provides immediate protection via virtual patching.

Why this answer

Deploying a WAF with rules to block SQL injection attempts is the immediate next step because it provides a virtual patch that mitigates the vulnerability while the development team works on the permanent code fix. Given the low risk tolerance and active external scanning, this reduces the attack surface without taking the application offline, which would disrupt customer order submissions.

Exam trap

The trap here is that candidates may choose to disable the application (Option C) as the "safest" approach, but CompTIA tests the balance between security and business continuity: when a patch is not immediately available, a compensating control such as a WAF is the preferred immediate step, provided it is tuned and monitored so it does not silently block legitimate orders.

How to eliminate wrong answers

Option B is wrong because increasing logging and monitoring does not actively block SQL injection attempts; it only detects them after the fact, which is insufficient given the low risk tolerance and active scanning. Option C is wrong because disabling the web application would cause immediate business disruption for external customers submitting orders, which is not necessary when a WAF can provide temporary protection. Option D is wrong because requesting the development team to expedite the patch within one week ignores the reality that the fix requires three weeks; rushing could introduce new vulnerabilities or incomplete fixes, and it does not address the immediate threat from active scanning.
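The WAF buys the three weeks; it does not remove the defect. The Python below is an added example, not from the question set, showing the defect class a SQL-injection rule screens for and the code-level fix the development team would ship, side by side on an in-memory SQLite table with constructed rows. The last function stands in for a WAF signature: a small pattern check in front of the still-vulnerable code, included to show why that is a compensating control with gaps rather than a fix. The table, rows and payload are constructed.

```python
"""SQL injection: the defect the WAF screens for, and the code fix that removes it.

Added example, not from the question set. Uses an in-memory SQLite table with
constructed rows; the 'virtual patch' check at the end is a toy stand-in for a
WAF signature, included to show why it is a stopgap rather than a fix.
"""
import re
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                     [("acme", 120.0), ("acme", 80.5), ("globex", 999.0)])
    conn.commit()
    return conn


def orders_vulnerable(conn, customer):
    """VULNERABLE: the input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest becomes query syntax."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_fixed(conn, customer):
    """FIXED: a bound parameter is always data; it can never alter the query."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Toy WAF-style signature: a quote followed by a boolean operator, UNION, a
# statement separator or a comment opener. Real rule sets are far larger, and
# attackers probe for encodings and variants a signature misses; this buys
# time until orders_fixed() is deployed, nothing more.
SQLI_RE = re.compile(r"""['"]\s*(or|and|union|;|--|/\*)""", re.IGNORECASE)


def looks_like_sqli(value):
    return SQLI_RE.search(value) is not None


def orders_behind_waf(conn, customer):
    """Compensating control: refuse the request when the signature fires,
    otherwise call the still-vulnerable code."""
    if looks_like_sqli(customer):
        raise PermissionError("request blocked by virtual patch")
    return orders_vulnerable(conn, customer)


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable, normal input:", orders_vulnerable(db, "acme"))
    print("vulnerable, injected    :", orders_vulnerable(db, payload))   # every row leaks
    print("fixed, injected         :", orders_fixed(db, payload))        # no rows
    print("fixed, apostrophe name  :", orders_fixed(db, "O'Brien"))      # handled safely
```

Two details make the case for the code fix over the WAF. `orders_vulnerable(db, "O'Brien")` is not just exploitable but broken: the apostrophe produces a SQL syntax error for a legitimate customer, while the parameterized version handles it. And the signature only matches what it was written to match; it is a filter on attacker input, not a guarantee about the query. Deploying it with logging in alert mode first, as Option B would do on its own, tells you what the scanners are sending before you start blocking.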

83
MCQ · hard

After containing a ransomware outbreak, the incident response team needs to restore encrypted files. They have verified clean backups from two weeks ago, but some critical files were modified on the day of the attack. What is the best approach?

A. Restore from backups and then apply all available updates
B. Restore critical files from backup and manually update them using change logs
C. Attempt to decrypt files using the ransom key
D. Restore all files from backups
Answer: B

Preserves recent changes while using clean backups for the majority of files.

Why this answer

Option B is correct because restoring critical files from backup and manually updating them using change logs preserves the modifications made on the day of the attack, which are not present in the two-week-old backups. This approach ensures data integrity by combining the clean baseline from backups with the legitimate changes recorded in change logs, avoiding data loss while maintaining security.

Exam trap

CompTIA often tests the misconception that restoring from the most recent clean backup is always sufficient, ignoring the need to preserve post-backup legitimate changes, which leads candidates to choose Option D.

How to eliminate wrong answers

Option A is wrong because applying all available updates after restoration does not recover the modifications made on the day of the attack; updates close vulnerabilities, they do not replay data changes. Option C is wrong because relying on the attacker's decryptor is unreliable: the key may never be delivered or may not work, criminal decryption tools are frequently slow or corrupt files, and CISA and the FBI advise against paying. Option D is wrong because restoring all files from the two-week-old backups would overwrite the critical files modified on the day of the attack, permanently losing those legitimate changes.

84
MCQ · medium

A security analyst notices that a system is sending a large amount of data to an external IP address via DNS tunneling. Which containment technique is most appropriate?

A. Change the DNS server settings
B. Disconnect the system from the network
C. Block the external IP at the firewall
D. Disable the DNS service on the system
Answer: B

Immediate isolation prevents any further data exfiltration.

Why this answer

Disconnecting the system from the network (Option B) is the most appropriate containment technique because it immediately stops all data exfiltration, including DNS tunneling traffic, without relying on any other network component. DNS tunneling works by encoding data within DNS queries and responses, so simply changing DNS server settings or blocking the external IP may not stop the attack if the malware uses fallback resolvers or rotates IPs. Disconnecting the system ensures the threat is isolated at the host level, preventing further data loss while preserving forensic evidence.

Exam trap

CompTIA often tests the principle that containment must be immediate and host-level for active data exfiltration, and the trap here is that candidates choose firewall-based blocking (Option C) thinking it stops the traffic, but fail to realize the attacker can easily change IPs or use multiple resolvers, making host isolation the only sure containment.

How to eliminate wrong answers

Option A is wrong because changing the DNS server settings does not stop the tunneling if the malware already has a hardcoded external resolver or uses direct IP connections to the command-and-control server; it also may disrupt legitimate DNS resolution for other systems. Option C is wrong because blocking the external IP at the firewall is a reactive measure that can be bypassed by the attacker using multiple IP addresses, domain generation algorithms (DGAs), or rotating resolvers; it also does not stop data already in transit. Option D is wrong because disabling the DNS service on the system would break all legitimate DNS resolution for that host, potentially alerting the user or causing system instability, and the malware could still tunnel data over other protocols or use raw sockets.
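The containment decision rests on two facts the analyst has to establish from DNS logs: that the traffic really is tunneling, and which host is sending it, since the host is what gets isolated while the destination address can change. The Python below is an added example, not from the question set. It profiles constructed query records (source host, query type, query name) per registered domain and flags domains whose subdomain labels are long, almost never repeated, high-entropy and carried in TXT or NULL records, then names the source hosts behind them. The tunnel domain exfil-example.net, the hosts and the encoded labels (derived from SHA-256 so the sample is reproducible) are all constructed, not captured traffic.

```python
"""Flag DNS tunneling from query logs and name the host to isolate.

Added example, not from the question set. The query records are constructed:
(source host, query type, query name). The tunnel domain exfil-example.net and
the hosts are placeholders; the encoded labels are derived from SHA-256 so the
sample is reproducible, not captured traffic.
"""
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain part, registered domain). Naive two-label rule; real
    code should use the Public Suffix List (co.uk, com.au, ...)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def build_sample_queries():
    queries = []
    normal = ["www.example.com", "mail.example.com", "cdn.example.net",
              "login.microsoftonline.com"]
    for i in range(60):
        queries.append(("10.0.0.7", "A", normal[i % 4]))
    for i in range(50):   # 50 unique, high-entropy labels under one domain, TXT type
        payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        queries.append(("10.0.0.21", "TXT", f"{payload[:24]}.{payload[24:]}.t.exfil-example.net"))
    return queries


def profile_domains(queries):
    """Aggregate, per registered domain, the features a tunnel cannot easily hide."""
    per = defaultdict(lambda: {"queries": 0, "subdomains": set(), "subs": [],
                               "txt_null": 0, "sources": set()})
    for src, qtype, qname in queries:
        sub, dom = split_name(qname)
        p = per[dom]
        p["queries"] += 1
        p["subdomains"].add(sub)
        p["subs"].append(sub)
        p["txt_null"] += int(qtype in ("TXT", "NULL"))
        p["sources"].add(src)
    report = {}
    for dom, p in per.items():
        report[dom] = {
            "queries": p["queries"],
            "unique_ratio": len(p["subdomains"]) / p["queries"],
            "avg_sub_len": sum(map(len, p["subs"])) / p["queries"],
            "entropy": shannon_entropy("".join(p["subs"])),
            "txt_null_ratio": p["txt_null"] / p["queries"],
            "sources": sorted(p["sources"]),
        }
    return report


def flag_tunnels(report, min_queries=20, min_len=30.0, min_unique=0.8, min_entropy=3.5):
    """Domains that look like a covert channel; thresholds are starting points."""
    return sorted(d for d, r in report.items()
                  if r["queries"] >= min_queries and r["avg_sub_len"] >= min_len
                  and r["unique_ratio"] >= min_unique and r["entropy"] >= min_entropy)


if __name__ == "__main__":
    rep = profile_domains(build_sample_queries())
    for dom in flag_tunnels(rep):
        print(f"likely tunnel: {dom}  isolate hosts: {rep[dom]['sources']}")
```

The output names the host (10.0.0.21), which is the thing Option B isolates. Blocking the external resolver or the tunnel domain instead would leave the implant free to switch to another domain or a direct-to-IP resolver, which is the point made against Options A and C above. Legitimate services such as CDNs and some security products also generate long, unique labels, so in production the flagged list is a hunting queue, not an automatic block list.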

85
MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful?

A. Change all findings to low severity
B. Ignore the vulnerability because it is internal
C. Environmental scoring and compensating-control review
D. Use only the vendor marketing page
Answer: C

Environmental factors help translate generic severity into local risk.

Why this answer

Option C is correct because a 9.8 base score describes the vulnerability in the abstract (network-reachable, no privileges, no user interaction, total loss of confidentiality, integrity and availability), while the actual risk depends on where it sits. The CVSS v3.1 Environmental metric group lets the analyst override the base metrics with values that reflect this deployment, for example Modified Attack Vector: Adjacent or Local when the service is reachable only from the admin subnet, or Modified Privileges Required: High when only authenticated administrators can reach it, and to weight the impact through the asset's Confidentiality, Integrity and Availability Requirements. A compensating-control review then checks whether network ACLs, host firewalls, authentication in front of the service or IDS/IPS coverage actually enforce that restriction. The result is a locally defensible priority rather than an unconditional "critical", which prevents both ignoring the finding and spending emergency effort it does not warrant.

Exam trap

CompTIA often tests the misconception that a high CVSS base score always demands immediate patching. The trap is forgetting that environmental scoring and compensating controls can lower the effective risk, so a risk-based analysis is more useful than applying the base score blindly.

How to eliminate wrong answers

Option A is wrong because changing all findings to low severity disregards the CVSS base score and the potential for lateral movement or privilege escalation, violating the NIST SP 800-40 guidance on prioritizing vulnerabilities. Option B is wrong because ignoring the vulnerability assumes internal services are safe, but a restricted subnet does not eliminate risk from insider threats, credential theft, or misconfiguration that could expose the service. Option D is wrong because vendor marketing pages are promotional and lack objective, standardized severity data; relying on them would violate the CVSS scoring methodology and introduce bias.

86
MCQ · easy

A malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible?

A. Whether the alert arrived first
B. Business impact, privilege level, asset criticality, and spread potential
C. Alphabetical order of hostnames
D. The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential, not by timing or trivial factors. A domain admin workstation has elevated privileges and access to sensitive systems, making the same malware far more dangerous than on an isolated kiosk. During recovery, prioritizing based on these factors ensures defensible decisions align with risk management frameworks like NIST SP 800-61.

Exam trap

CompTIA often tests the misconception that alert timing or hostname order determines severity, but the trap here is confusing operational convenience (e.g., first-come-first-serve) with risk-based prioritization required by incident response best practices.

How to eliminate wrong answers

Option A is wrong because the order of alert arrival is irrelevant to severity; incident response prioritizes risk, not chronology. Option C is wrong because alphabetical order of hostnames has no bearing on security impact or recovery priority. Option D is wrong because an analyst's dashboard theme is a UI preference, not a technical factor for severity assessment or defensible recovery decisions.

87
MCQ · medium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated?

A. The firewall vendor invoice
B. The risk register with owner, justification, expiry date, and compensating controls
C. The incident containment playbook only
D. The phishing training completion list
Answer: B

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch, the risk must be documented in the risk register with an owner, justification, an expiry date, and compensating controls. This ensures the risk is tracked, reviewed, and mitigated within an acceptable timeframe, which is a core requirement of vulnerability management governance.

Exam trap

CompTIA often tests the distinction between governance documentation (the risk register) and reactive documentation (the incident playbook); candidates who confuse risk acceptance with incident response pick the playbook.

How to eliminate wrong answers

Option A is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management decisions. Option C is wrong because the incident containment playbook is used for active security incidents, not for documenting accepted risks from delayed patching. Option D is wrong because the phishing training completion list tracks user awareness training, not the formal acceptance of a specific vulnerability risk.

88
MCQ · hard

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Close all similar alerts as duplicates
B. Disable the reporting user's account immediately
C. Automatically delete all messages from the sender across all mailboxes
D. Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
Answer: D

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option D is correct because enrichment (URL reputation, sandbox detonation) and mailbox search counts are non-destructive, automated actions that gather threat intelligence without altering systems. This aligns with the SOC's requirement to reduce analyst workload while avoiding destructive actions before confirmation. In the detection engineering phase, tuning to reduce noise without losing signal involves adjusting thresholds or whitelisting benign indicators based on enrichment results.

Exam trap

CompTIA often tests the distinction between investigative actions (enrichment, sandboxing) and destructive actions (deletion, account disablement), where candidates mistakenly choose destructive options thinking they are efficient, but the question explicitly requires avoiding destructive action before confirmation.

How to eliminate wrong answers

Option A is wrong because closing all similar alerts as duplicates without analysis can suppress genuine threats, violating the principle of avoiding destructive action before confirmation and potentially losing signal. Option B is wrong because immediately disabling the reporting user's account is a destructive action that disrupts operations and is premature without confirmation of a threat. Option C is wrong because automatically deleting all messages from the sender across all mailboxes is a destructive action that could remove legitimate emails and is irreversible, contradicting the requirement to avoid destructive action before confirmation.

89
MCQ · hard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend?

A. Remediate only vulnerabilities with vendor logos in the report
B. Always sort only by CVSS base score
C. Remediate alphabetically by CVE ID
D. Prioritize the KEV/high-EPSS issue after confirming asset exposure
Answer: D

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option D is correct because the CISA Known Exploited Vulnerabilities (KEV) catalog combined with a high Exploit Prediction Scoring System (EPSS) score indicates active exploitation in the wild, which is a higher priority than static CVSS base scores. The analyst must first confirm that the asset is exposed in the environment before recommending remediation, as a vulnerability that is not exploitable due to compensating controls or network segmentation should not be prioritized. This approach aligns with the NIST SP 800-40 risk-based prioritization framework, which emphasizes threat intelligence over severity alone.

Exam trap

CompTIA often tests the misconception that CVSS base score alone determines priority, when in practice threat intelligence (KEV, EPSS) and environmental context (asset exposure, compensating controls) carry more weight in effective vulnerability management.

How to eliminate wrong answers

Option A is wrong because vendor logos in a report do not correlate with exploitability or risk; they are marketing artifacts and ignoring vulnerabilities without logos would leave critical unpatched issues. Option B is wrong because sorting solely by CVSS base score ignores environmental context, exploitability (EPSS), and active exploitation (KEV), leading to misallocation of resources on high-severity but non-exploitable findings. Option C is wrong because sorting alphabetically by CVE ID is arbitrary and has no relationship to risk, exploitability, or business impact; it would treat a low-severity CVE the same as a critical one.
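Questions 77 and 89 (and question 91 below) state the same ordering rule in prose. The Python below is an added example, not from the question set, that turns it into a sort key: findings the analyst has confirmed are not exploitable in this environment drop to a final tier but stay on the list with their justification, KEV entries come first, then high EPSS, then CVSS bands, with internet exposure and EPSS breaking ties. The findings, asset names and CVE identifiers (CVE-2099-*) are constructed placeholders, not real vulnerabilities.

```python
"""Risk-based ordering of scan findings: KEV and EPSS first, after confirming
the finding is actually exploitable where it sits.

Added example, not from the question set. The findings and CVE IDs are
constructed placeholders (CVE-2099-*), not real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float             # base score from the scanner
    epss: float             # EPSS probability of exploitation in the next 30 days
    in_kev: bool            # listed in the CISA Known Exploited Vulnerabilities catalog
    internet_exposed: bool  # asset reachable from the internet
    exploitable_here: bool  # analyst-confirmed: vulnerable component present and reachable
    note: str = ""          # justification when a finding is deferred


def tier(f, epss_high=0.5):
    """Lower is more urgent. Confirmed-not-exploitable findings sit in the last
    tier but are kept on the list, not deleted."""
    if not f.exploitable_here:
        return 9
    if f.in_kev:
        return 0
    if f.epss >= epss_high:
        return 1
    if f.cvss >= 9.0:
        return 2
    if f.cvss >= 7.0:
        return 3
    return 4


def rank(findings):
    # within a tier: internet-facing first, then higher EPSS, then higher CVSS
    return sorted(findings, key=lambda f: (tier(f), not f.internet_exposed, -f.epss, -f.cvss))


def remediation_plan(findings):
    ranked = rank(findings)
    return {
        "remediate": [f.cve for f in ranked if tier(f) < 9],
        # not exploitable today: record why and keep it in the register with a review date
        "deferred_with_justification": {f.cve: f.note for f in ranked if tier(f) == 9},
    }


SAMPLE = [
    Finding("CVE-2099-0001", "api-gw-01", 6.5, 0.92, True, True, True),
    Finding("CVE-2099-0002", "db-01", 9.8, 0.03, False, False, False,
            note="vulnerable module not loaded; re-check on next scan"),
    Finding("CVE-2099-0003", "web-02", 9.1, 0.10, False, True, True),
    Finding("CVE-2099-0004", "file-01", 7.5, 0.01, False, False, True),
    Finding("CVE-2099-0005", "kiosk-07", 5.3, 0.002, False, False, True),
    Finding("CVE-2099-0006", "vpn-01", 7.2, 0.71, False, True, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(tier(f), f.cve, f.asset, f"cvss={f.cvss} epss={f.epss} kev={f.in_kev}")
    print(remediation_plan(SAMPLE))
```

The medium 6.5 in KEV leads the list and the 9.8 that is not exploitable here goes last, which is the answer to both questions. The "deferred" dictionary is what keeps this from hiding risk: the 9.8 is not closed, it carries a reason and gets re-evaluated, because "module not loaded" is a fact about today's configuration, not a permanent property of the asset.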

90
Multi-Select · easy

An end-user reports receiving an email with an unexpected attachment and urgent language requesting to click a link. Which TWO indicators confirm this is likely a phishing email?

Select 2 answers
A. Personalized greeting using the recipient's name.
B. Unexpected attachment.
C. Internal sender address.
D. Corporate logo in the email.
E. Urgent language.
Answers: B, E

Unexpected attachments are a common phishing tactic.

Why this answer

Option B is correct because unexpected attachments are a classic indicator of phishing, as attackers often use them to deliver malware or initiate social engineering attacks. The email's urgent language (Option E) is also correct, as it pressures the recipient to bypass normal security checks and click a malicious link or open the attachment without verifying the sender.

Exam trap

CompTIA often tests the misconception that personalized greetings or corporate logos are reliable indicators of legitimacy, when in fact these can be easily fabricated by attackers using open-source intelligence (OSINT) or simple HTML/CSS replication.

91
MCQ · easy

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first?

A. Remediate only low-risk internal findings to improve closure rate
B. Patch or mitigate the VPN appliance immediately and verify exposure is removed
C. Start with the oldest medium vulnerability
D. Defer all remediation until the monthly patch window
Answer: B

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

Option B is correct because the vulnerability is a critical unauthenticated remote-code-execution (RCE) flaw on an internet-facing VPN appliance that is actively exploited in the wild. According to the CVSS scoring system, such a flaw (typically CVSS 9.0–10.0) poses an immediate and severe risk to the organization's perimeter, and remediation must be prioritized over all internal-only medium vulnerabilities. The principle of risk-based prioritization dictates that externally exploitable, actively weaponized vulnerabilities must be patched or mitigated first to prevent a likely breach.

Exam trap

The trap here is that candidates may mistakenly prioritize remediation by age or internal-only status, failing to recognize that a critical, actively exploited, internet-facing RCE flaw demands immediate action over any medium or low-risk internal findings, regardless of their age or quantity.

How to eliminate wrong answers

Option A is wrong because remediating only low-risk internal findings ignores the critical external RCE flaw, leaving the organization exposed to active exploitation and potential full compromise of the network perimeter. Option C is wrong because starting with the oldest medium vulnerability disregards the severity and exploitability of the critical flaw; age alone does not determine risk, and a medium internal vulnerability poses far less immediate danger than an actively exploited RCE on an internet-facing device. Option D is wrong because deferring all remediation until the monthly patch window would leave the critical VPN vulnerability unaddressed for weeks, during which attackers could easily exploit it to gain unauthorized access, violating the principle of timely remediation for critical, actively exploited flaws.

92
Multi-Select · medium

A SOC is onboarding endpoint logs into a SIEM. Which fields are most important for process-chain investigations? (Choose three.)

Select 3 answers
A. Parent process name and command line
B. Monitor refresh rate
C. User and host identifiers
D. Child process command line
Answers: A, C, D

Parent context shows how execution began.

Why this answer

Parent process name and command line (A) establish the lineage of an execution event: they show whether a process was spawned by a legitimate launcher such as explorer.exe or by something suspicious such as wscript.exe, or a Word document, launching cmd.exe. The child process command line (D) shows what that spawned process was told to do: the script path, the encoded PowerShell, the living-off-the-land arguments; without it, "cmd.exe ran" is not actionable. User and host identifiers (C) make the chain attributable and joinable: process IDs are unique only per host and are reused, so events from different endpoints can only be stitched into a tree when keyed by host, and the user context separates an administrator's maintenance script from the same command run under a compromised account. Without these three fields the kill chain from initial execution to lateral movement or privilege escalation cannot be reconstructed.

Exam trap

CompTIA often tests the distinction between fields that merely exist in logs and those that are essential for reconstructing process ancestry; candidates reach for generic fields such as source IP or timestamp instead of the parent/child process fields that chain-of-execution analysis actually needs.
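What those three fields buy you is easiest to see by rebuilding the tree. The Python below is an added example, not from the question set: it indexes constructed process-creation events (in the spirit of Sysmon event ID 1, with host, user, PID, parent PID, image and command line) by host and PID, walks parent pointers to produce a root-first ancestry chain, and flags two patterns, a document application spawning a shell and hidden, encoded PowerShell. A second host reuses the same PID numbers to show why the key must include the host. Hostnames, users, PIDs, paths and the base64 argument are placeholders.

```python
"""Rebuild process ancestry from endpoint events and flag suspicious chains.

Added example, not from the question set. The events are constructed in the
spirit of Sysmon event ID 1 (process creation): host, user, PID, parent PID,
image and command line. Hostnames, PIDs, paths and the base64 argument
(UEFZTE9BRA== is just "PAYLOAD") are placeholders.
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "pid": 1200, "ppid": 900,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS01", "user": "CORP\\alice", "pid": 2200, "ppid": 1200,
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "cmdline": "chrome.exe"},
    {"host": "WS01", "user": "CORP\\alice", "pid": 4100, "ppid": 1200,
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n C:\\Users\\alice\\Downloads\\invoice.docm"},
    {"host": "WS01", "user": "CORP\\alice", "pid": 4300, "ppid": 4100,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc UEFZTE9BRA=="},
    {"host": "WS01", "user": "CORP\\alice", "pid": 4310, "ppid": 4300,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc UEFZTE9BRA=="},
    # same PID numbers on another host: harmless, and must not be merged with WS01
    {"host": "WS02", "user": "CORP\\bob", "pid": 1200, "ppid": 900,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS02", "user": "CORP\\bob", "pid": 4300, "ppid": 1200,
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "cmdline": "chrome.exe"},
]


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def index_processes(events):
    """Key by (host, pid): PIDs are only unique per host, and get reused."""
    return {(e["host"], e["pid"]): e for e in events}


def ancestry(procs, host, pid, limit=32):
    """Root-first list of image names leading to (host, pid)."""
    chain = []
    key = (host, pid)
    while key in procs and len(chain) < limit:   # limit guards against PID-reuse loops
        e = procs[key]
        chain.append(image_name(e["image"]))
        key = (host, e["ppid"])
    return list(reversed(chain))


def flag_suspicious(events):
    procs = index_processes(events)
    hits = []
    for (host, pid), e in procs.items():
        child = image_name(e["image"])
        parent = procs.get((host, e["ppid"]))
        reasons = []
        if parent and image_name(parent["image"]) in DOCUMENT_APPS and child in SHELLS:
            reasons.append("document application spawned a shell")
        cl = e["cmdline"].lower()
        if child in {"powershell.exe", "pwsh.exe"} and "-enc" in cl and "hidden" in cl:
            reasons.append("hidden, encoded PowerShell")
        if reasons:
            hits.append({"host": host, "user": e["user"], "pid": pid,
                         "chain": " > ".join(ancestry(procs, host, pid)),
                         "reasons": reasons})
    return sorted(hits, key=lambda h: (h["host"], h["pid"]))


if __name__ == "__main__":
    for h in flag_suspicious(SAMPLE_EVENTS):
        print(h["host"], h["user"], h["pid"], h["chain"], "|", "; ".join(h["reasons"]))
```

Each of the three answer fields does visible work here: the parent pointer and image produce the `explorer.exe > winword.exe > cmd.exe > powershell.exe` chain, the child command line is what exposes `-w hidden -enc`, and keying on host keeps WS02's PID 4300 (a browser) from being mistaken for WS01's PID 4300 (the shell). Real Sysmon data adds a process GUID precisely because PIDs are reused; use it as the key when it is available.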

93
MCQ · easy

A security analyst has identified a large number of false positives in a vulnerability scan report. Which of the following is the BEST way to reduce false positives in future scans?

A. Manually verify each vulnerability before reporting
B. Increase the frequency of vulnerability scans
C. Exclude the false positives from the report
D. Tune the vulnerability scanner's configuration
Answer: D

Proper tuning reduces false positives by adjusting detection parameters.

Why this answer

Tuning the vulnerability scanner's configuration (option D) is the best approach because it allows the analyst to adjust scan parameters such as credential settings, plugin thresholds, and network timeouts to match the target environment. This reduces false positives by ensuring the scanner accurately identifies real vulnerabilities rather than reporting benign deviations or configuration mismatches. For example, enabling authenticated scans with valid credentials eliminates many false positives related to missing patches that are actually installed.

Exam trap

CompTIA often tests the misconception that manual verification or exclusion is a valid long-term fix, but the correct answer always involves adjusting the scanner's configuration to prevent false positives at the source.

How to eliminate wrong answers

Option A is wrong because manually verifying each vulnerability before reporting is a post-scan validation step, not a method to reduce false positives in future scans; it adds overhead without addressing the root cause of scanner misconfiguration. Option B is wrong because increasing scan frequency does not improve accuracy—it only repeats the same flawed scan logic more often, potentially generating even more false positives. Option C is wrong because excluding false positives from the report merely hides the problem without fixing the scanner's detection rules or tuning parameters, leading to continued inaccurate results.

94
MCQ (easy)

After a high-priority SOC escalation, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which response best matches incident-response practice?

A.Volatile memory and active network/process state
B.Marketing screenshots
C.Archived monthly reports
D.The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Volatile memory (RAM) and active network/process state must be captured first because fileless malware resides only in memory and leaves no persistent artifacts on disk. If the system is powered off, this evidence is lost forever. Capturing memory with tools like FTK Imager or LiME and recording network connections (netstat -ano) and running processes (tasklist /v) preserves the malware's execution context for analysis.

Exam trap

Cisco often tests the principle of 'order of volatility' (RFC 3227) by presenting plausible but non-volatile options (like logs or disk images) to distract from the correct answer, which is always the most ephemeral data first.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence collection and provide no technical data for malware analysis. Option C is wrong because archived monthly reports are historical business documents, not real-time system state, and cannot capture volatile evidence like memory-resident malware. Option D is wrong because the office seating plan has no bearing on digital forensic evidence collection and is unrelated to incident response procedures.

95
MCQ (medium)

A company wants to ensure that all servers are patched within 30 days of a critical patch release. The security team must verify compliance without causing downtime. Which of the following is the best approach?

A.Perform manual patch verification on a rotating schedule.
B.Conduct automated vulnerability scanning of the server IP ranges.
C.Deploy an agent-based patch management solution to all servers.
D.Implement network segmentation to isolate unpatched servers.
Answer: B

Automated scanning is non-intrusive and can identify missing patches.

Why this answer

Automated vulnerability scanning provides a non-intrusive method to check patch levels without affecting system availability. Manual checks are inefficient; agent-based solutions are effective but may introduce overhead; network segmentation does not verify patch compliance.

96
MCQ (hard)

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is executive leadership, which content choice is most appropriate?

A.A permanent exception with no review
B.Risk owner, reason, compensating controls, review date, and expiry
C.Only the analyst's personal opinion
D.No mention of the accepted risk
Answer: B

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option B is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk owner, the reason for the delay, any compensating controls in place, a scheduled review date, and an expiry date. This ensures accountability, traceability, and that the risk is not permanently ignored, aligning with risk management frameworks like NIST SP 800-37 or ISO 27001.

Exam trap

Cisco often tests the misconception that risk acceptance can be permanent or that a single opinion suffices, but the exam requires documentation of ownership, controls, and a mandatory review/expiry cycle to ensure governance and auditability.

How to eliminate wrong answers

Option A is wrong because a permanent exception with no review violates the principle of continuous monitoring and risk acceptance; risk acceptance must be time-bound and reviewed periodically to ensure compensating controls remain effective. Option C is wrong because including only the analyst's personal opinion lacks objective evidence, stakeholder accountability, and fails to meet compliance or audit requirements for risk acceptance documentation.

97
MCQ (hard)

During a post-compromise review, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action should be prioritized before closure?

A.Tabletop exercise using a realistic ransomware scenario
B.Purchasing a new SIEM without testing procedures
C.Annual password reset only
D.Full destructive malware detonation in production
Answer: A

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise is the correct choice because it simulates a realistic ransomware scenario in a discussion-based format, allowing legal, PR, IT, and executives to validate their incident response roles and decision-making processes without impacting production systems. This aligns with NIST SP 800-61 Rev. 2 guidance on testing communication and coordination during incident response, ensuring stakeholders understand their responsibilities before a real event.

Exam trap

Cisco often tests the distinction between testing the plan (tabletop) versus testing the technology (simulation or live-fire), and the trap here is assuming that any security improvement (like a new SIEM) inherently validates stakeholder roles, when in fact it only addresses detection capability without testing human decision-making.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not test stakeholder roles or understanding; it introduces a new tool without validation of detection rules, log sources, or integration, which could lead to false positives or missed alerts during an incident. Option C is wrong because an annual password reset only addresses credential hygiene and does not evaluate the cross-functional coordination, legal obligations, or PR communication required during a ransomware incident, nor does it test the incident response plan.

98
MCQ (hard)

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For control selection, which control best addresses the stated weakness without hiding risk?

A.Assume the hosts have no vulnerabilities
B.Review scanner account permissions, allowed authentication methods, and sudo command restrictions
C.Run only unauthenticated scans forever
D.Disable SSH on all servers
Answer: B

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

After SSH hardening, the credentialed scan fails because the scanner's authentication methods (e.g., password, public key) or sudo commands may be restricted. Option B is correct because reviewing scanner account permissions, allowed authentication methods, and sudo command restrictions directly addresses the root cause—ensuring the scanner can authenticate and execute privileged commands without bypassing security controls.

Exam trap

Cisco often tests the misconception that after hardening, you should revert to unauthenticated scans or ignore the issue, rather than systematically adjusting scanner credentials and permissions to maintain authenticated scanning without weakening security.

How to eliminate wrong answers

Option A is wrong because assuming hosts have no vulnerabilities ignores the purpose of vulnerability scanning and could leave critical unpatched flaws undetected, violating risk management principles. Option C is wrong because running only unauthenticated scans forever hides deep vulnerabilities (e.g., missing patches, misconfigurations) that require authenticated access to detect, thus failing to provide comprehensive visibility.

99
Multi-Select (hard)

A SOC is tuning a detection for suspected DNS tunnelling. Which evidence points are useful before escalating the alert? (Choose two.)

Select 2 answers
A.The user's monitor size
B.Volume and timing of queries to the same domain or name server
C.Query length and entropy compared with normal DNS traffic
D.The colour scheme of the SIEM dashboard
Answers: B, C

Regular high-volume queries support a tunnelling or beaconing hypothesis.

Why this answer

Option B is correct because DNS tunnelling often relies on a high volume of queries to a single domain or name server to exfiltrate data or establish a command-and-control channel. Anomalous query timing—such as regular, machine-like intervals—combined with an unusual query count per minute compared to baseline user behaviour is a strong indicator of automated tunnelling activity. SOC analysts should correlate volume and timing with other suspicious patterns before escalating.

Exam trap

Cisco often tests the distinction between observable network-level indicators (like query volume, length, and entropy) and irrelevant physical or user-specific attributes, leading candidates to mistakenly consider non-technical options like monitor size as plausible evidence.

100
MCQ (easy)

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For control selection, which control best addresses the stated weakness without hiding risk?

A.Disable all application authentication
B.Treat absence of findings as proof of security
C.Reduce the scan to only the landing page
D.Authenticated scanning with a test account and session handling
Answer: D

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners require authenticated access to crawl and test pages behind login forms. By configuring authenticated scanning with a test account and session handling (e.g., using cookies or OAuth tokens), the scanner can traverse protected routes and detect vulnerabilities such as SQL injection or XSS on authenticated pages. This directly addresses the stated weakness without masking risk.

Exam trap

CompTIA often tests the misconception that a DAST scanner's lack of findings on public pages implies the entire application is secure, when in fact the scanner never accessed the authenticated areas, so the risk remains hidden.

How to eliminate wrong answers

Option A is wrong because disabling all application authentication would remove the security control entirely, exposing the application to unauthorized access and violating security best practices. Option B is wrong because treating absence of findings as proof of security is a false sense of security; the scanner simply did not test the authenticated pages, so no conclusion about their security can be drawn. Option C is wrong because reducing the scan to only the landing page ignores the majority of the application's attack surface, leaving authenticated pages untested and vulnerabilities undiscovered.

101
MCQ (hard)

In a regulated payment environment, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible? Which action best reduces risk without losing evidence?

A.Reconnect the host because users need it
B.Disable logging to improve performance
C.Close the incident after isolation
D.Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because after containing a compromised host, the recovery phase requires removing the persistence mechanism (the scheduled task), rotating the stolen service account credentials to prevent re-authentication, and verifying that no other hosts are compromised via lateral movement. This ensures the threat is fully eradicated before returning the host to production, which is critical in a regulated payment environment where PCI DSS or similar standards mandate thorough remediation.

Exam trap

CompTIA often tests the misconception that containment (isolation) alone is sufficient for recovery, but the exam emphasizes that eradication (removing persistence and rotating credentials) and validation (checking other hosts) are mandatory steps before declaring recovery complete.

How to eliminate wrong answers

Option A is wrong because reconnecting the host without completing eradication and verification reintroduces the compromised system to the network, risking data exfiltration or further lateral movement. Option B is wrong because disabling logging destroys forensic evidence needed for post-incident analysis and compliance reporting, violating regulatory requirements like PCI DSS 10.2. Option C is wrong because closing the incident after isolation without removing persistence and rotating credentials leaves the backdoor active, allowing the attacker to regain access via the scheduled task or stolen account.

102
MCQ (easy)

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For validation, which action should be taken before closing or downgrading the finding?

A.Patch or mitigate the VPN appliance immediately and verify exposure is removed
B.Start with the oldest medium vulnerability
C.Remediate only low-risk internal findings to improve closure rate
D.Defer all remediation until the monthly patch window
Answer: A

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The critical unauthenticated remote-code-execution (RCE) vulnerability on the internet-facing VPN appliance poses an immediate and active threat, as it is being exploited in the wild. According to the CVSS scoring system and industry best practices (e.g., PCI DSS, NIST SP 800-115), vulnerabilities that are remotely exploitable, have high impact, and are actively exploited must be prioritized over internal-only medium-severity issues. Remediating this flaw first reduces the attack surface exposed to the internet and prevents potential compromise of the entire network.

Exam trap

Cisco often tests the candidate's ability to apply risk-based prioritization over a simple 'patch oldest first' or 'close low-hanging fruit' mentality, trapping those who ignore the criticality of actively exploited, internet-facing vulnerabilities.

How to eliminate wrong answers

Option B is wrong because prioritizing the oldest medium vulnerability ignores the risk severity and exploitability; a critical RCE on an internet-facing device should always take precedence over internal medium issues, regardless of age. Option C is wrong because remediating only low-risk internal findings to improve closure rate is a metric-driven approach that neglects the most dangerous threat; this would leave a critical, actively exploited vulnerability unpatched, which could lead to a full network breach.

103
MCQ (hard)

A security analyst discovers that a data breach involving personally identifiable information (PII) of European Union citizens occurred two weeks ago but was not detected until now due to a monitoring gap. The company is subject to GDPR, which requires notification to the relevant supervisory authority within 72 hours of becoming aware of the breach. The analyst reports this to the CISO, who decides to delay notification for another week to prepare a more comprehensive response. The analyst believes this violates regulatory requirements. The analyst has documented the breach details and is concerned about the legal and financial penalties for non-compliance. The company's legal department has a strong compliance focus. The analyst has a duty to escalate within the organization. The organization has a whistleblower policy and an ethics hotline. What should the analyst do?

A.Document the decision and the delay, then proceed with the notification after one week as instructed.
B.Escalate the matter to the company's legal department and explain the regulatory requirement for timely notification.
C.Report the incident to the data protection authority (DPA) immediately, bypassing the CISO, as required by GDPR.
D.Follow the CISO's orders and delay the notification.
Answer: B

Legal can advise on compliance and potentially override the CISO's decision while respecting internal channels.

Why this answer

Option B is correct because the analyst has a duty to escalate within the organization, and the legal department is the appropriate internal authority to address compliance with GDPR's 72-hour notification requirement. By escalating to legal, the analyst ensures the regulatory obligation is formally raised without bypassing internal hierarchy, which aligns with the company's compliance focus and whistleblower policy. This approach balances the CISO's decision with the legal imperative to notify the supervisory authority within the mandated timeframe.

Exam trap

CompTIA often tests the distinction between internal escalation and external reporting, where the trap is that candidates may choose Option C (direct DPA notification) because they confuse an individual's ethical duty with the organizational process required by GDPR, but the correct action is to escalate internally first to allow the organization to fulfill its legal obligation as the data controller.

How to eliminate wrong answers

Option A is wrong because it instructs the analyst to accept a deliberate delay that violates GDPR's explicit 72-hour notification requirement, which could lead to severe penalties under Article 83(4) of the GDPR (up to 10 million EUR or 2% of annual global turnover). Option C is wrong because bypassing the CISO and reporting directly to the DPA violates the organization's internal escalation procedures and could undermine the chain of command; GDPR requires the data controller (the company) to notify, not an individual analyst acting unilaterally. Option D is wrong because blindly following the CISO's order to delay notification for a week constitutes willful non-compliance with GDPR, exposing the company to regulatory fines and the analyst to potential personal liability under Article 82.

104
Multi-Select (medium)

Which sources improve asset criticality context for vulnerability prioritization? (Choose two.)

Select 2 answers
A.CMDB or asset inventory with business service mapping
B.Random public IP reputation of unrelated hosts
C.Data classification or sensitivity labels for hosted data
D.Employee lunch preferences
Answers: A, C

Service mapping links technical assets to business impact.

Why this answer

A CMDB or asset inventory with business service mapping provides direct context about which assets support critical business functions, enabling prioritization of vulnerabilities based on potential business impact. This aligns with the FAIR model for risk quantification, where asset criticality is a key factor in determining the likelihood and magnitude of loss.

Exam trap

Cisco often tests the distinction between contextual relevance (like business impact and data sensitivity) versus generic threat intelligence (like IP reputation) that lacks direct linkage to the asset's role or data value.

105
Multi-Select (medium)

A CISO wants a concise incident update during active containment. Which elements should be included? (Choose three.)

Select 3 answers
A.Every raw log line collected so far
B.Containment actions completed and pending
C.Known decisions or approvals needed
D.Current impact and affected services
Answers: B, C, D

Status shows risk reduction progress.

Why this answer

During active containment, the CISO needs a concise update focused on actions taken and pending, not raw data. Option B is correct because containment actions completed and pending directly inform the CISO of the current response status, enabling rapid decision-making without sifting through logs.

Exam trap

Cisco often tests the distinction between raw data (logs) and actionable intelligence (status updates), trapping candidates who think more data is better for a concise executive update.

106
MCQ (medium)

During a vulnerability assessment, a security analyst discovers that a network device is running an outdated firmware version with known exploits. The device is critical to production and cannot be rebooted during business hours. Which of the following is the BEST approach to remediate this vulnerability?

A.Schedule the firmware upgrade during the next maintenance window
B.Apply the firmware patch immediately without rebooting
C.Implement a virtual patch via the IDS/IPS until a full patch is possible
D.Request a hotfix from the vendor that does not require a reboot
Answer: A

This balances security with operational continuity.

Why this answer

Option A is correct because scheduling the firmware upgrade during the next maintenance window aligns with change management best practices for critical production devices that cannot tolerate downtime during business hours. This approach ensures the vulnerability is remediated in a controlled manner, minimizing operational risk while still addressing the known exploit.

Exam trap

CompTIA often tests the distinction between remediation (removing the vulnerability) and mitigation (reducing risk without removal), leading candidates to mistakenly choose a compensating control like virtual patching instead of scheduling a proper firmware upgrade.

How to eliminate wrong answers

Option B is wrong because applying a firmware patch without rebooting is typically not feasible; most firmware updates require a system reboot to load the new code into memory and complete the installation. Option C is wrong because implementing a virtual patch via IDS/IPS is a compensating control that only detects or blocks exploit attempts, not a remediation that removes the underlying vulnerability. Option D is wrong because requesting a hotfix that does not require a reboot is unrealistic for firmware-level vulnerabilities; firmware updates inherently involve low-level code changes that necessitate a restart to take effect.

107
MCQ (medium)

During incident response, a team isolates a host but needs to preserve volatile evidence. What should be done first?

A.Capture a memory dump
B.Disconnect from the network
C.Reimage the hard drive
D.Reboot the system
Answer: A

Memory dump preserves volatile evidence.

Why this answer

When a host is isolated during incident response, the first priority is to capture volatile data before it is lost. A memory dump preserves the contents of RAM, which includes running processes, network connections, open files, and encryption keys. This data is critical for forensic analysis and disappears when the system is powered off.

Disconnecting the network (option B) is important but should follow memory capture because network activity is part of the volatile state.

Exam trap

CompTIA often tests the order of volatility (OOV) by making candidates think network isolation is the immediate priority, but the trap is that volatile memory must be captured first because network state is part of that volatile data and disconnecting the network changes the system's state before evidence is collected.

How to eliminate wrong answers

Option B is wrong because disconnecting the network should occur after capturing memory; network state (active connections, IP addresses, ports) is volatile and would be lost if the network cable is pulled first. Option C is wrong because reimaging the hard drive destroys all evidence, including non-volatile data, and is a recovery step, not a preservation step. Option D is wrong because rebooting the system clears RAM, destroying the very volatile evidence you need to preserve, and may trigger anti-forensic mechanisms.

108
MCQ (medium)

After a major security incident, a post-incident review reveals that communication between the SOC and the network operations center (NOC) was slow and unclear. Which document should be updated to improve future incident response?

A.Disaster recovery plan (DRP)
B.Communication management plan
C.Business continuity plan (BCP)
D.Incident response plan (IRP)
Answer: B

This plan governs communication during incidents, making it the appropriate document to update.

Why this answer

The communication management plan defines roles, responsibilities, escalation paths, and communication channels (e.g., secure chat, phone bridges, ticketing systems) between teams like the SOC and NOC during an incident. Since the review specifically identified slow and unclear inter-team communication, updating this plan directly addresses the root cause by clarifying protocols, contact lists, and expected response times, ensuring faster and clearer coordination in future incidents.

Exam trap

CompTIA often tests the distinction between the incident response plan (which covers technical response steps) and the communication management plan (which covers inter-team coordination), leading candidates to mistakenly choose the IRP when the question specifically highlights communication failures.

How to eliminate wrong answers

Option A is wrong because the disaster recovery plan (DRP) focuses on restoring IT infrastructure and systems after a disaster (e.g., data center outage), not on improving real-time communication workflows between operational teams during a security incident. Option C is wrong because the business continuity plan (BCP) ensures critical business functions continue during a disruption (e.g., alternate site operations), but does not address the specific communication breakdown between SOC and NOC. Option D is wrong because the incident response plan (IRP) outlines technical steps for detecting, containing, and eradicating threats (e.g., playbooks, containment procedures), but it does not typically detail inter-team communication protocols; that is the role of the communication management plan.

109
MCQ (hard)

A security analyst is reviewing the output of a vulnerability scan and notices that a critical vulnerability on a Linux server has been reported as 'Confirmed' by the scanner. The analyst checks the system and finds that the actual vulnerability does not exist because a kernel upgrade was applied via a yum update but the scanner did not detect the change. Which of the following is the MOST likely cause?

A.The vulnerability database was not updated before the scan
B.The scanner is configured to alert on missing patches only
C.The scanner was not configured with proper credentials for authenticated scanning
D.The scanner's plugins for Linux are outdated
Answer: C

Without credentials, the scanner may detect outdated service banners even if patched.

Why this answer

Option C is correct because the vulnerability scanner reported a 'Confirmed' critical vulnerability that no longer exists after a kernel upgrade via yum. This indicates the scanner performed an unauthenticated scan, relying on banner grabbing or service version detection, which cannot verify the actual installed kernel version. With proper credentials (e.g., SSH keys or a service account), the scanner would have performed an authenticated scan, queried the package manager (rpm -q kernel), and correctly identified that the kernel was updated, thus not flagging the vulnerability.

Exam trap

CompTIA often tests the distinction between authenticated and unauthenticated scanning, and the trap here is that candidates assume a 'Confirmed' status means the scanner has verified the vulnerability through deep inspection, when in fact it may only indicate that the scanner's unauthenticated checks matched a signature, not that it has actual system-level access to confirm the patch state.

How to eliminate wrong answers

Option A is wrong because an outdated vulnerability database would cause the scanner to miss new vulnerabilities or report false negatives, not to falsely confirm a vulnerability that was already patched. Option B is wrong because if the scanner were configured to alert on missing patches only, it would report a vulnerability only when the patch is absent; here the patch was applied, so the scanner should not have alerted at all. Option D is wrong because outdated Linux plugins would more likely cause the scanner to miss vulnerabilities or report incorrect severity; the core issue is the lack of authenticated access to verify the kernel version, not the plugin version.

110
MCQ (hard)

You are a senior security analyst at a mid-sized financial company. The SOC has been alerted by the EDR system about anomalous behavior on a domain controller (DC) that runs Windows Server 2019. The alert indicates that a process named 'svchost.exe' spawned a PowerShell process that executed a one-liner to connect to an external IP address (203.0.113.5) over TCP port 443. Further investigation shows that the DC's event logs have gaps of about 10 minutes each, and the local administrator account 'Administrator' was used to log in from a workstation named 'WKSTN-FIN-12' at the time of the event. The company has strict policies: all administrative access must be via dedicated jump hosts, and privileged accounts are monitored. Upon checking, 'WKSTN-FIN-12' is assigned to an employee in the finance department who has no administrative privileges. The employee reports that they did not log in recently. The CISO wants a swift containment and eradication without losing forensic evidence. Based on this scenario, which of the following is the BEST first course of action?

A. Isolate the domain controller from the network by disabling its network interface.
B. Capture a memory dump of the domain controller for offline analysis.
C. Power down the domain controller to prevent further damage.
D. Reset the password for the local Administrator account and revoke the user's access.
Answer: A

Isolation contains the threat while preserving evidence for analysis.

Why this answer

Isolating the domain controller by disabling its network interface is the best first step because it immediately halts any ongoing malicious communication (e.g., C2 traffic over TCP 443) while preserving the volatile state of the system for forensic acquisition. This action prevents further data exfiltration or lateral movement without destroying evidence like memory or logs, which would occur with a power-down. It also aligns with the CISO's requirement for swift containment without losing forensic evidence.

Exam trap

CompTIA often tests the distinction between containment and forensic preservation, trapping candidates who choose memory capture (Option B) as a first step instead of immediate isolation, or who mistakenly think powering down (Option C) preserves evidence when it actually destroys volatile data.

How to eliminate wrong answers

Option B is wrong because capturing a memory dump is a forensic step that should follow containment, not precede it; performing it first could allow the attacker to continue exfiltrating data or executing commands while the dump is taken. Option C is wrong because powering down the domain controller destroys volatile evidence (e.g., memory, active network connections) and may trigger anti-forensic mechanisms, violating the requirement to preserve forensic evidence. Option D is wrong because resetting the password and revoking access does not stop the active malicious process (PowerShell connecting to 203.0.113.5) or the potential persistence mechanism; it only addresses the compromised credential, leaving the threat active.

111
Multi-Select · medium

A tabletop exercise reveals that no one knows who can approve public statements. What should be updated? (Choose two.)

Select 2 answers
A. The office seating plan only
B. Contact list and escalation matrix
C. The malware signature database only
D. Incident communication plan with named approval roles
Answers: B, D

Responders need current contacts and escalation paths.

Why this answer

The tabletop exercise revealed a gap in the incident response process: no one knows who can approve public statements. This is a procedural and communication failure, not a technical one. Updating the incident communication plan with named approval roles (Option D) directly addresses this by defining the specific person or role authorized to speak publicly.

The contact list and escalation matrix (Option B) must also be updated to ensure the correct approver can be reached quickly, as it provides the hierarchical path and contact details needed to execute the plan.

Exam trap

Cisco often tests the distinction between technical controls (like signature databases) and procedural/communication controls (like approval roles and contact lists), trapping candidates who confuse operational security tools with incident management processes.

112
MCQ · hard

During a post-incident review, the team identifies that the incident response plan was not followed correctly due to unclear communication channels. Which recommendation BEST addresses this issue?

A. Update the incident response plan to define specific communication channels and escalation paths
B. Implement multi-factor authentication for all accounts
C. Replace the current SIEM tool with a faster one
D. Conduct more frequent vulnerability scans
Answer: A

Directly resolves the ambiguity in communication.

Why this answer

Option A is correct because the root cause identified in the post-incident review is unclear communication channels, which directly violates the communication and escalation procedures defined in the incident response plan. Updating the plan to specify exact communication channels (e.g., dedicated Slack channel, email distribution list, or phone tree) and escalation paths (e.g., tier-1 analyst → SOC manager → CISO) ensures that all team members know how and when to communicate during an incident, preventing delays and miscoordination.

Exam trap

Cisco often tests the distinction between procedural improvements (like updating the IR plan) versus technical controls (like MFA or SIEM upgrades), and the trap here is that candidates mistakenly choose a technical solution (e.g., faster SIEM) when the root cause is a process/communication failure.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication (MFA) is an access control mechanism that strengthens authentication but does not address communication channel clarity or escalation paths during incident response. Option C is wrong because replacing the SIEM tool with a faster one focuses on detection speed and log analysis performance, not on the procedural communication failures identified in the review. Option D is wrong because conducting more frequent vulnerability scans improves proactive threat identification and patch management, but it does not resolve the operational breakdown in how the team communicates and escalates during an active incident.

113
MCQ · easy

A small business with 50 employees uses a single Windows Server 2019 as a domain controller and file server. The company recently experienced a ransomware attack that encrypted all files on the server. The IT manager restored the files from a backup that was taken two days before the attack. However, the next day, the files were encrypted again. The analyst suspects the ransomware may have persisted or re-entered. The network is air-gapped from the internet, but employees use USB drives. Which of the following is the MOST likely reason for the re-infection?

A. The backup itself contained the ransomware.
B. An employee inserted an infected USB drive after the restoration.
C. The ransomware was still active in memory on the server.
D. The domain controller was not fully patched.
Answer: B

With air-gap, USB is the only vector for re-introduction.

Why this answer

Option B is correct because the network is air-gapped from the internet, leaving USB drives as the primary vector for reintroducing malware. If an employee inserted an infected USB drive after the restoration, the ransomware could execute and re-encrypt the files. The air-gap eliminates internet-based re-entry, and the backup appears clean because the restored files were not re-encrypted until the next day.

Exam trap

The trap here is that candidates may assume the backup was infected (Option A) or that patching (Option D) is the root cause, but the air-gap and USB vector point directly to physical media reintroduction, not network-based persistence or patch status.

How to eliminate wrong answers

Option A is wrong because if the backup contained the ransomware, the files would have been encrypted immediately upon restoration, not the next day. Option C is wrong because ransomware that persists only in memory would be wiped by a server reboot during the restoration process, and it cannot survive a reboot without writing to disk. Option D is wrong because while an unpatched domain controller is a security risk, the air-gapped network prevents remote exploitation, and the attack vector is local via USB drives, not network-based patching issues.

114
MCQ · hard

During an active incident, a security analyst discovers that the attacker has exfiltrated data. The analyst must communicate this to the incident response team. Which method of communication is MOST appropriate?

A. Update the incident ticket and wait for the team to review
B. Send a detailed email to the incident response team
C. Use a predefined secure messaging channel or phone call to escalate
D. Post the information on a public forum for awareness
Answer: C

Real-time communication is critical during incidents.

Why this answer

During an active incident, speed and security are critical. A predefined secure messaging channel or phone call ensures immediate, confidential communication without the delays or exposure risks of email or ticketing systems. This aligns with NIST SP 800-61 incident response guidelines, which prioritize real-time, out-of-band communication for sensitive updates.

Exam trap

CompTIA often tests the misconception that email or ticketing systems are sufficient for urgent incident communication, when in fact they lack the speed, security, and out-of-band nature required during an active data exfiltration event.

How to eliminate wrong answers

Option A is wrong because updating an incident ticket and waiting introduces unacceptable latency; the team may not see it promptly, and the ticket system could be monitored by the attacker. Option B is wrong because email is not real-time and can be intercepted, delayed, or logged, violating the need for secure, immediate escalation during an active breach. Option D is wrong because posting on a public forum violates confidentiality and could alert the attacker or expose sensitive data, directly contradicting incident response protocols.

115
MCQ · medium

After a risk assessment, a security analyst recommends accepting a low-risk finding. The system owner disagrees. Which communication strategy should the analyst use?

A. Escalate the disagreement to the CISO immediately
B. Agree with the system owner and change the recommendation
C. Present the risk assessment data and cost-benefit analysis to justify acceptance
D. Insist that the finding must be mitigated due to policy
Answer: C

Facts help stakeholders understand the decision.

Why this answer

Option C is correct because the security analyst should use data-driven communication to resolve disagreements over risk acceptance. By presenting the risk assessment data and a cost-benefit analysis, the analyst provides objective evidence that the low-risk finding does not warrant mitigation, aligning with the NIST risk management framework's emphasis on informed decision-making. This approach respects the system owner's concerns while justifying the acceptance based on technical and business rationale.

Exam trap

The trap here is that candidates may choose immediate escalation (A) or policy insistence (D) because they confuse risk acceptance with risk avoidance, failing to recognize that data-driven justification is the standard professional approach for resolving such disagreements.

How to eliminate wrong answers

Option A is wrong because immediately escalating to the CISO bypasses collaborative resolution and may be seen as adversarial, which is not the first step in a professional disagreement over a low-risk finding. Option B is wrong because agreeing and changing the recommendation without justification undermines the risk assessment process and could lead to unnecessary resource expenditure or overlooked risks. Option D is wrong because insisting on mitigation due to policy ignores the risk assessment's conclusion that the finding is low-risk, and policy often allows for risk acceptance when justified by data.

116
MCQ · easy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Disable all application authentication
B. Treat absence of findings as proof of security
C. Authenticated scanning with a test account and session handling
D. Reduce the scan to only the landing page
Answer: C

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners cannot access authenticated pages without valid session credentials. Configuring authenticated scanning with a test account and proper session handling (e.g., via cookies, tokens, or form-based login) allows the scanner to crawl and test behind the login wall, ensuring coverage of all application states. This is the standard remediation for the described limitation.

Exam trap

The trap here is that candidates may assume any authentication bypass or disabling security is acceptable, when the correct approach is to provide the scanner with legitimate credentials and session management to test authenticated areas safely.

How to eliminate wrong answers

Option A is wrong because disabling authentication eliminates the security boundary entirely, which is not a valid remediation and would expose the application to real-world attacks. Option B is wrong because absence of findings from an unauthenticated scan does not prove security; it only indicates that the scanner could not reach protected areas, leaving vulnerabilities hidden. Option D is wrong because reducing the scan to only the landing page ignores all other pages and functionality, defeating the purpose of a comprehensive DAST assessment.

117
MCQ · easy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For business prioritization, which recommendation gives the best risk-based order of work?

A. Treat absence of findings as proof of security
B. Authenticated scanning with a test account and session handling
C. Reduce the scan to only the landing page
D. Disable all application authentication
Answer: B

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners require authenticated sessions to crawl and test pages behind login forms. Without session handling (e.g., cookies, tokens), the scanner only sees public content. Configuring authenticated scanning with a test account and proper session management (e.g., OWASP ZAP's session handling rules or Burp Suite's authentication pre-script) allows the scanner to maintain state and reach restricted pages, enabling full coverage of the application's attack surface.

Exam trap

The trap here is that candidates may think 'no findings' means the application is secure, but Cisco tests the understanding that DAST results are only as good as the scope of pages the scanner can actually reach, and that authenticated scanning is mandatory for comprehensive testing.

How to eliminate wrong answers

Option A is wrong because treating an absence of findings as proof of security ignores the possibility that unauthenticated scans miss critical vulnerabilities in protected areas, leading to a false sense of security. Option C is wrong because reducing the scan to only the landing page deliberately avoids testing the authenticated portions of the application, which is the opposite of the required action and would leave high-risk areas untested.

118
Multi-Select · hard

A remediation report shows repeated SLA breaches by one business unit. Which recommendations are appropriate? (Choose two.)

Select 2 answers
A. Automatically accept all future risk permanently
B. Review ownership, resourcing, and change-window constraints
C. Hide the business unit from future reports
D. Create an agreed corrective action plan with dates
Answers: B, D

Persistent breaches often reflect operational blockers.

Why this answer

Option B is correct because reviewing ownership, resourcing, and change-window constraints directly addresses the root causes of repeated SLA breaches. SLA breaches often stem from inadequate staffing, misaligned change windows, or unclear ownership of remediation tasks, not from technical failures alone. This recommendation aligns with the reporting and communication domain's emphasis on actionable, root-cause analysis rather than superficial fixes.

Exam trap

Cisco often tests the misconception that hiding or ignoring non-compliant data is an acceptable reporting strategy, when in fact the exam emphasizes transparency and root-cause analysis as the only valid path to remediation.

119
Multi-Select · medium

A detection engineer is writing a Sigma rule for suspicious rundll32 usage. Which fields should be included? (Choose two.)

Select 2 answers
A. Command line containing unusual DLL path or URL pattern
B. Desk phone extension
C. Laptop battery health
D. Image or process name matching rundll32.exe
Answers: A, D

Command-line arguments distinguish abuse from normal use.

Why this answer

Sigma rules for suspicious rundll32 usage focus on detecting abnormal command-line arguments, such as DLL paths from unusual locations (e.g., temp directories, network shares) or URLs that indicate remote payload retrieval. The 'Command line' field is critical because rundll32.exe is a legitimate Windows binary often abused by attackers to execute malicious DLLs, and anomalous patterns in its arguments are a strong indicator of compromise.

Exam trap

Cisco often tests the distinction between relevant process-level telemetry (command line, parent process) and irrelevant hardware or peripheral data, so candidates must recognize that Sigma rules are strictly for log-based detection of execution artifacts, not system health or inventory fields.
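The two selected fields, expressed as detection logic: the Python below is an added example written for this page, not a rule from SigmaHQ or from the question bank. It encodes a Sigma-style selection (Image ends with rundll32.exe AND CommandLine contains an unusual DLL location or a URL) and runs it over a handful of constructed process-creation records. The "unusual location" patterns, the sample events and the optional parent-process check are illustrative assumptions, not a tuned production rule.

```python
"""Detection logic mirroring a Sigma rule for suspicious rundll32 usage.

Added example (not from the question bank). The equivalent Sigma detection
block, for reference (constructed here, not a published SigmaHQ rule):

  detection:
    selection_img:
      Image|endswith: '\\rundll32.exe'
    selection_cmd:
      CommandLine|contains:
        - '\\Temp\\'
        - '\\Users\\Public\\'
        - '\\ProgramData\\'
        - '\\\\'        # UNC path to a network share
        - 'http://'
        - 'https://'
    condition: selection_img and selection_cmd
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (e.g. Sysmon Event ID 1 or Security 4688)."""
    image: str
    command_line: str
    parent_image: str


# Illustrative patterns (assumption): directories that legitimate software rarely
# loads DLLs from, plus any UNC path (\\host\share).
UNUSUAL_PATH = re.compile(r"\\(temp|users\\public|programdata)\\|\\\\[\w.-]+\\", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
# Office parents are a common macro-abuse chain; a third field a mature rule would add.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}


def is_rundll32(event: ProcessEvent) -> bool:
    """Field D from the question: the Image must be rundll32.exe."""
    return event.image.lower().endswith("\\rundll32.exe")


def suspicious_reasons(event: ProcessEvent) -> list[str]:
    """Return why a rundll32 event matches; an empty list means it looks benign."""
    if not is_rundll32(event):
        return []
    reasons = []
    if UNUSUAL_PATH.search(event.command_line):   # field A: unusual DLL path
        reasons.append("dll-from-unusual-location")
    if REMOTE_URL.search(event.command_line):     # field A: URL in arguments
        reasons.append("url-in-command-line")
    parent_name = event.parent_image.lower().rsplit("\\", 1)[-1]
    if parent_name in OFFICE_PARENTS:
        reasons.append("office-parent")
    return reasons


def detect(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Run the rule over a batch of events and keep only the hits."""
    hits = []
    for event in events:
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry (hostnames, paths and the 203.0.113.5 address are
# illustrative; none of it is real log data).
SAMPLE_EVENTS = [
    # Benign: Control Panel applet launched from Explorer.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
                 r"C:\Windows\explorer.exe"),
    # DLL from a world-writable directory, spawned by Word.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\update.dll,Start",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # DLL loaded from a network share.
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32.exe \\fileshare01\tools\helper.dll,Run",
                 r"C:\Windows\System32\cmd.exe"),
    # Unusual path plus a URL in the arguments.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\ProgramData\sync.dll,Go https://203.0.113.5/cfg",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # Temp path, but the image is cmd.exe, so the rule must not fire.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c copy C:\Windows\Temp\x.dll D:\backup\x.dll",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_EVENTS):
        print(f"{event.command_line}  ->  {', '.join(reasons)}")
```

The image check is what keeps the rule from firing on every process that mentions a temp directory (the last sample), and the command-line patterns are what separate a Control Panel launch from a DLL pulled from a public or network location; hardware and inventory fields like the distractor options contribute nothing to either decision.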

120
Matching · medium

Match each vulnerability scanning concept to its definition.


Concepts
Matches

Alert on non-existent vulnerability

Missed actual vulnerability

Scan with authenticated access

Scan without authenticated access

Standard severity rating for vulnerabilities

Why these pairings

Understanding these concepts is critical for interpreting scan results.

121
MCQ · medium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is the SOC manager, which content choice is most appropriate?

A. A report sorted only by scanner plugin ID
B. SLA compliance by severity, asset owner, and business unit
C. A list of all closed tickets with no dates
D. A vendor price comparison
Answer: B

SLA reporting connects remediation timeliness to accountability. The report should be tailored to the SOC manager while preserving factual accuracy.

Why this answer

Option B is correct because the vulnerability program needs to demonstrate that critical findings are remediated within policy timelines, which requires a report showing SLA compliance. For a SOC manager, the most appropriate content includes severity, asset owner, and business unit breakdowns, enabling them to track accountability and prioritize remediation efforts across the organization.

Exam trap

Cisco often tests the distinction between a report that merely lists findings (like sorted by plugin ID) versus one that demonstrates compliance with a policy timeline, and candidates may confuse a technical sort with a business-oriented SLA report.

How to eliminate wrong answers

Option A is wrong because sorting by scanner plugin ID only groups findings by technical signature, not by severity or SLA status, so it cannot show whether critical findings are fixed within policy timelines. Option C is wrong because a list of all closed tickets with no dates lacks any temporal context, making it impossible to determine if remediation met policy deadlines. Option D is wrong because a vendor price comparison is irrelevant to vulnerability remediation tracking and SLA compliance reporting.

122
MCQ · medium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For validation, which action should be taken before closing or downgrading the finding?

A. Wait for the next quarterly review
B. Rotate database administrator passwords only
C. Delete all audit logs to reduce liability
D. Restrict public access and determine whether sensitive data was accessed
Answer: D

The priority is exposure containment and impact assessment.

Why this answer

Option D is correct because the immediate priority is to restrict public read access to the storage bucket to prevent further unauthorized exposure, then determine whether sensitive customer data was accessed by reviewing access logs (e.g., AWS CloudTrail or S3 server access logs). This aligns with incident response best practices: contain the threat first, then assess impact. Without confirming data access, the team cannot properly scope the breach or notify affected parties.

Exam trap

CompTIA often tests the misconception that rotating credentials (Option B) is the primary fix for a misconfiguration, when the actual first step is to remove the public access and investigate exposure.

How to eliminate wrong answers

Option A is wrong because waiting for the next quarterly review violates incident response principles; a public bucket with customer exports requires immediate containment, not delayed action. Option B is wrong because rotating database administrator passwords does not address the root cause—public read access on a storage bucket—and is irrelevant to the misconfiguration. Option C is wrong because deleting audit logs destroys forensic evidence needed to determine if sensitive data was accessed, which could violate compliance requirements (e.g., GDPR, HIPAA) and hinder investigation.

123
Multi-Select · medium

A security analyst is reviewing the output of a recent vulnerability scan and correlating it with threat intelligence feeds. Which four of the following actions are most appropriate for an effective security operations workflow? (Choose four.)

Select 4 answers
A. Prioritize remediation based on the CVSS score alone.
B. Correlate detected vulnerabilities with active exploitation in the wild.
C. Verify the scan results by performing manual validation on critical hosts.
D. Apply patches to all identified vulnerabilities immediately without testing.
E. Assess compensating controls already in place before scheduling remediation.
F. Assign vulnerability remediation tasks based on asset criticality and exposure.

Why this answer

Correlating detected vulnerabilities with active exploitation in the wild is correct because it allows the analyst to prioritize vulnerabilities that are currently being used by threat actors, moving beyond theoretical risk to real-world urgency. This aligns with threat-informed defense, where vulnerability management is driven by actual attack patterns rather than static severity scores.

Exam trap

CompTIA often tests the misconception that CVSS score alone is sufficient for prioritization, but the exam emphasizes that effective security operations require contextual factors like active exploitation, asset criticality, and compensating controls.

124
Multi-Select · hard

Which THREE of the following are common indicators of a data exfiltration attempt? (Choose three.)

Select 3 answers
A. Outbound connections to IP addresses associated with known C2 servers
B. DNS queries with high entropy subdomains
C. Increased use of encrypted communication protocols
D. Unusually large outbound data transfers during off-hours
E. Multiple failed login attempts from a single source
Answers: A, B, D

Direct indication of malicious activity.

Why this answer

Option A is correct because outbound connections to IP addresses associated with known command-and-control (C2) servers are a classic indicator of data exfiltration. Once an attacker establishes a C2 channel, they can use it to tunnel stolen data out of the network. Security tools like firewalls and threat intelligence feeds flag these connections based on known malicious IP addresses or domains.

Exam trap

CompTIA often tests the distinction between indicators of exfiltration (data leaving) versus indicators of initial access or lateral movement, so candidates may confuse failed logins (Option E) with exfiltration when it actually points to a different phase of the attack chain.

125
Multi-Select · easy

Which TWO of the following are key components of an incident communication plan?

Select 2 answers
A. Escalation contact list
B. Pre-approved public statements or scripts
C. Network topology diagrams
D. Encryption keys for secure communications
E. System event logs
Answers: A, B

An escalation contact list ensures the right people are notified based on incident severity.

Why this answer

An incident communication plan must include an escalation contact list (A) to ensure that the right stakeholders—such as the incident response team, legal counsel, and executive management—are notified promptly based on the severity of the incident. Pre-approved public statements or scripts (B) are critical to maintain consistent, accurate, and legally vetted messaging to external parties (e.g., customers, media, regulators) during a crisis, preventing unauthorized disclosures that could worsen the situation.

Exam trap

CompTIA often tests the distinction between operational/forensic artifacts (like network diagrams, logs, or encryption keys) and the structured communication components (contacts and scripts) that are explicitly defined in the incident communication plan, leading candidates to mistakenly include technical tools as part of the plan.

126
MCQ · hard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Kerberoasting reconnaissance or ticket harvesting
B. ARP spoofing
C. Pass-the-hash using NTLM only
D. DNS cache poisoning
Answer: A

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

The SIEM alert describes a workstation requesting a high number of Kerberos service tickets (TGS-REQ) for many different Service Principal Names (SPNs) without subsequent service access. This is classic Kerberoasting reconnaissance: an attacker with valid domain credentials (e.g., after initial compromise) requests TGS tickets for accounts with SPNs, then cracks the tickets offline, because each ticket's encrypted portion is protected by a key derived from the service account's password (its NT hash when RC4 encryption is used). The lack of service access confirms the tickets were harvested for offline cracking, not for legitimate use.

Exam trap

Cisco often tests the distinction between Kerberoasting (which uses Kerberos TGS requests and offline cracking) and pass-the-ticket or pass-the-hash attacks, leading candidates to confuse the harvesting phase with credential reuse attacks.

How to eliminate wrong answers

Option B is wrong because ARP spoofing is a Layer 2 attack that manipulates MAC-to-IP mappings to intercept traffic; it does not involve Kerberos service ticket requests or SPN enumeration. Option C is wrong because pass-the-hash using NTLM only reuses an NTLM hash to authenticate without needing Kerberos tickets; it does not generate a burst of TGS-REQ for multiple SPNs, and the alert specifically mentions Kerberos service tickets, not NTLM authentication.
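The alert pattern above, as detection logic a SOC could run over Security Event ID 4769 records: this Python is an added example written for this page, not code from the question bank or from any SIEM vendor. It groups successful service-ticket requests by requesting account and client address, counts distinct SPNs inside a sliding time window, and also reports how many of those tickets used RC4 (encryption type 0x17), which stands out because modern domains issue AES tickets by default. The field names follow the 4769 event, while the window, the threshold, the hostnames and the 192.0.2.x addresses are constructed assumptions.

```python
"""Kerberoasting-style TGS-REQ burst detection over Security Event ID 4769 records.

Added example (not from the question bank). Thresholds and sample data are
assumptions for illustration; tune the window and SPN count to the environment.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TgsEvent:
    """Subset of the 4769 fields the detection needs."""
    time: datetime
    account: str      # TargetUserName: the account that asked for the ticket
    client_ip: str    # IpAddress: where the TGS-REQ came from
    spn: str          # ServiceName: the SPN the ticket was requested for
    enc_type: int     # TicketEncryptionType (0x17 = RC4-HMAC, 0x12 = AES256)
    status: int       # 0x0 = ticket issued


RC4_HMAC = 0x17


def find_ticket_harvesting(events, window=timedelta(minutes=5), spn_threshold=10):
    """Return {(account, client_ip): summary} for sources that requested tickets
    for at least `spn_threshold` distinct SPNs within any `window`-long span."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.status == 0:                      # only issued tickets are harvestable
            by_source[(ev.account, ev.client_ip)].append(ev)

    findings = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        start = 0
        for end in range(len(evs)):             # sliding window over sorted events
            while evs[end].time - evs[start].time > window:
                start += 1
            in_window = evs[start:end + 1]
            distinct_spns = {e.spn for e in in_window}
            if len(distinct_spns) < spn_threshold:
                continue
            rc4_count = sum(1 for e in in_window if e.enc_type == RC4_HMAC)
            best = findings.get(source)
            if best is None or len(distinct_spns) > best["distinct_spns"]:
                findings[source] = {
                    "distinct_spns": len(distinct_spns),
                    "rc4_tickets": rc4_count,
                    "window_start": evs[start].time,
                }
    return findings


def constructed_events():
    """Constructed sample log: one burst of RC4 tickets for 12 SQL SPNs from a
    finance workstation, plus a user touching three services over 40 minutes."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    evs = []
    for i in range(12):
        evs.append(TgsEvent(base + timedelta(seconds=5 * i), "jdoe", "192.0.2.12",
                            f"MSSQLSvc/db{i:02d}.corp.example:1433", RC4_HMAC, 0))
    for i, spn in enumerate(["cifs/fs01.corp.example",
                             "http/intranet.corp.example",
                             "ldap/dc01.corp.example"]):
        evs.append(TgsEvent(base + timedelta(minutes=20 * i), "alice", "192.0.2.50",
                            spn, 0x12, 0))
    return evs


if __name__ == "__main__":
    for (account, ip), summary in find_ticket_harvesting(constructed_events()).items():
        print(f"{account}@{ip}: {summary['distinct_spns']} SPNs, "
              f"{summary['rc4_tickets']} RC4 tickets from {summary['window_start']:%H:%M:%S}")
```

The user who opens a file share, the intranet and LDAP over 40 minutes never reaches the threshold, while the burst of twelve distinct SQL SPNs in under a minute, all RC4, is the shape the question describes. Pairing this with the absence of matching service logons (the "no corresponding service access" in the stem) is what separates harvesting from a busy but legitimate service account.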

127
MCQ · medium

In a regulated payment environment, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible, and which action best reduces risk without losing evidence?

A. Volatile memory and active network/process state
B. Marketing screenshots
C. Archived monthly reports
D. The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

In a fileless malware incident, the malware resides in volatile memory (RAM) and active system processes, leaving no persistent artifacts on disk. Capturing volatile memory (e.g., via `memdump` or `LiME`) and active network/process state (e.g., `netstat`, `ps`, `lsof`) preserves the most ephemeral evidence before it is lost upon shutdown or power loss. This aligns with the NIST SP 800-86 forensic order of volatility, which mandates collecting volatile data first.

Exam trap

Cisco often tests the order of volatility (OOV) principle, and the trap here is that candidates may mistakenly prioritize disk-based evidence (e.g., logs or reports) over volatile memory, not realizing that fileless malware leaves no disk footprint and that powering off the server would destroy the primary evidence source.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence of fileless malware and do not capture volatile runtime data. Option C is wrong because archived monthly reports are static, non-volatile records that do not contain real-time process or memory state, and they can be collected later without risk of data loss. Option D is wrong because the office seating plan has no bearing on digital forensic evidence and would not aid in detecting or analyzing fileless malware.

128
MCQ · medium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For validation, which action should be taken before closing or downgrading the finding?

A. Run authenticated scans using least-privilege scanner credentials
B. Trust the unauthenticated result as complete
C. Disable host firewalls permanently
D. Increase only the port range
Answer: A

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans rely on network-level probes and can only detect vulnerabilities visible without credentials, such as open ports or banner information. Patch status for Windows servers requires authenticated access to query the registry, WMI, or the Windows Update API. Using least-privilege scanner credentials enables the scanner to perform authenticated checks, revealing missing patches that were previously hidden.

Exam trap

Cisco often tests the misconception that unauthenticated scans are sufficient for vulnerability management, when in fact they miss the majority of patch-related findings that require credentialed access.

How to eliminate wrong answers

Option B is wrong because trusting an unauthenticated result as complete ignores the fundamental limitation that uncredentialed scans cannot assess patch levels, leading to a false sense of security. Option C is wrong because permanently disabling host firewalls would expose the servers to network-based attacks and violates the principle of defense in depth; firewall rules should be configured to allow scanner traffic, not disabled entirely.

129
Multi-Select · medium

An IDS signature fires on outbound traffic but analysts suspect a false positive. Which validation steps are appropriate? (Choose two.)

Select 2 answers
A. Assume all signatures are always correct
B. Check whether the destination and application protocol match the rule intent
C. Disable every IDS rule from the same vendor
D. Inspect packet payload or session metadata around the alert
Answers: B, D

Protocol and destination context help identify misfired signatures.

Why this answer

Option B is correct because validating whether the destination and application protocol match the rule intent directly confirms if the IDS signature fired on legitimate traffic or a false positive. For example, if a signature is designed to detect SQL injection over HTTP but the outbound traffic is HTTPS or a different protocol, the alert is likely a false positive. This step aligns with standard validation procedures in security operations, where analysts verify the context of the alert against the signature's defined criteria.

Exam trap

The trap here is that candidates may assume all IDS alerts are accurate or overreact by disabling rules, but Cisco tests the understanding that validation requires contextual verification against the signature's intended scope, not blanket assumptions or drastic actions.

130
MCQ · easy

An organization's incident response playbook specifies that after a confirmed malware infection, the infected system should be isolated from the network. Which action best achieves isolation?

A. Uninstall the operating system and reimage.
B. Disable the network interface card (NIC) via software.
C. Pull the power cord from the infected system.
D. Delete the infected user's account.
Answer: B

Disabling the NIC cuts network connectivity while preserving forensic data.

Why this answer

Disabling the network interface card (NIC) via software immediately stops all network traffic to and from the infected system, effectively isolating it from the network while preserving the system's state for forensic analysis. This action aligns with the incident response playbook's requirement for network isolation without destroying volatile data or evidence.

Exam trap

Cisco often tests the distinction between 'isolation' (stopping network communication while preserving the system) and 'eradication' (removing the malware or rebuilding the system), leading candidates to confuse reimaging or power-off actions with proper isolation.

How to eliminate wrong answers

Option A is wrong because uninstalling the OS and reimaging destroys all data on the system, including forensic evidence, and does not achieve immediate network isolation. Option C is wrong because pulling the power cord causes a hard shutdown, which loses volatile memory data (e.g., running processes, network connections) and may prevent proper forensic collection. Option D is wrong because deleting the infected user's account does not stop network traffic from the system itself; the malware can still communicate over the network using other system accounts or services.

131
MCQ (easy)

A security team is reviewing firewall logs and identifies traffic to a known malicious IP address from an internal workstation running a critical business application that cannot be interrupted. Which of the following is the most appropriate immediate action?

A. Add a firewall rule to block the malicious IP
B. Shut down the workstation
C. Disconnect the network cable
D. Run an antivirus scan
Answer: A

Blocking just the malicious IP minimizes disruption while preventing further communication.

Why this answer

Adding a firewall rule to block the malicious IP is the most appropriate immediate action because it stops the outbound traffic to the known malicious address without disrupting the critical business application running on the workstation. This approach maintains availability (a key CIA triad principle) while mitigating the threat at the network layer, which is faster and less invasive than host-level changes. It also preserves the workstation's state for potential forensic analysis.

Exam trap

CompTIA often tests the principle of 'least disruption' in incident response, where candidates mistakenly choose to shut down or disconnect the system (options B or C) because they focus solely on containment, forgetting the critical business application's availability requirement.

How to eliminate wrong answers

Option B is wrong because shutting down the workstation would interrupt the critical business application, violating availability requirements, and could destroy volatile evidence in memory. Option C is wrong because disconnecting the network cable would also interrupt the application's network connectivity, potentially causing service disruption, and does not provide a targeted block against the specific IP. Option D is wrong because running an antivirus scan is a reactive, host-based step that takes time and may not immediately stop ongoing malicious traffic; it also risks alerting an attacker or interfering with the application's processes.

132
MCQ (easy)

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For validation, which action should be taken before closing or downgrading the finding?

A. A building floor plan
B. A password complexity screenshot only
C. A software bill of materials
D. A DNS MX record report
Answer: C

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A Software Bill of Materials (SBOM) is the correct request because it provides a formal, machine-readable inventory of all included libraries, components, and their versions used in the software product. In a regulated environment (e.g., healthcare, finance), this visibility is essential for vulnerability management, license compliance, and supply chain risk assessment, as mandated by frameworks like NIST SP 800-53 or FDA premarket cybersecurity guidance.

Exam trap

The trap here is that candidates may confuse a security configuration artifact (like a password policy screenshot) with a comprehensive software inventory document, failing to recognize that only an SBOM provides the library-level visibility required for supply chain risk management in regulated environments.

How to eliminate wrong answers

Option A is wrong because a building floor plan is a physical security artifact that has no relevance to software composition, library versions, or vulnerability management in a regulated environment. Option B is wrong because a password complexity screenshot only verifies a single authentication policy setting; it provides no insight into the software's included libraries, their versions, or supply chain risks, which is the core requirement of the question.

133
MCQ (hard)

A company uses a centralized logging solution. A security analyst receives a log from a host indicating a user account 'jsmith' was created locally on a server. The analyst suspects this is a backdoor account. Which of the following log sources would provide the most context to confirm the creation method and identify the responsible process?

A. Sysmon Event ID 1 (Process creation)
B. Network logs
C. Application logs
D. Windows Security Event Logs (Event ID 4720)
Answer: A

Sysmon process creation logs include the parent process, providing context for how the account was created.

Why this answer

Sysmon Event ID 1 captures every process creation event with detailed command-line arguments, parent process information, and hashes. This allows the analyst to see exactly which executable (e.g., net.exe, powershell.exe, or a custom script) created the 'jsmith' user account and what command-line parameters were used, providing definitive evidence of the creation method and responsible process.

Exam trap

CompTIA often tests the distinction between detection (Event ID 4720) and forensic attribution (Sysmon Event ID 1), leading candidates to choose the security log that confirms the event occurred rather than the log that reveals how and by what process it was executed.

How to eliminate wrong answers

Option B is wrong because network logs only show traffic flows and IP addresses, not local process execution or user creation commands. Option C is wrong because application logs record events from specific applications (e.g., IIS, SQL Server) and do not capture system-level process creation or local account management activities. Option D is wrong because Windows Security Event Log 4720 only records that a user account was created, but does not reveal the parent process, command line, or the executable responsible for the creation.
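The correlation the answer describes, as an added illustration that is not code from the page: tie a Security 4720 event to the Sysmon Event ID 1 records on the same host that name the new account, then walk parent process links to recover the creation chain. The event records are constructed samples in a simplified, SIEM-style JSON shape; real exports use longer field names (TargetUserName, ParentProcessId, and so on).

```python
"""Correlate a Windows Security 4720 event (user account created) with the
Sysmon Event ID 1 records (process creation) that precede it on the same host,
then recover the parent chain of the process that ran the command."""
from datetime import datetime, timedelta

# Constructed Security 4720 event: local account 'jsmith' created on SRV01.
ACCOUNT_CREATED = {"host": "SRV01", "event_id": 4720,
                   "time": "2024-05-01T10:15:07", "target_user": "jsmith"}

# Constructed Sysmon Event ID 1 records. Only the SRV01 chain inside the
# lookback window names the new account; the last two records are noise.
PROCESS_EVENTS = [
    {"host": "SRV01", "time": "2024-05-01T10:14:58", "process_id": 4412,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_process_id": 2201, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": "cmd.exe /c net user jsmith /add"},
    {"host": "SRV01", "time": "2024-05-01T10:15:05", "process_id": 4480,
     "image": r"C:\Windows\System32\net.exe",
     "parent_process_id": 4412, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user jsmith /add"},
    {"host": "SRV01", "time": "2024-05-01T10:15:06", "process_id": 4496,
     "image": r"C:\Windows\System32\net1.exe",
     "parent_process_id": 4480, "parent_image": r"C:\Windows\System32\net.exe",
     "command_line": r"C:\Windows\system32\net1 user jsmith /add"},
    # Same command on a different host: must not be attributed to SRV01's 4720.
    {"host": "SRV02", "time": "2024-05-01T10:15:06", "process_id": 900,
     "image": r"C:\Windows\System32\net.exe",
     "parent_process_id": 880, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user jsmith /add"},
    # Same host, but hours earlier: outside the correlation window.
    {"host": "SRV01", "time": "2024-05-01T06:02:11", "process_id": 1300,
     "image": r"C:\Windows\System32\net.exe",
     "parent_process_id": 1288, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "net user jsmith"},
]


def _basename(image):
    return image.rsplit("\\", 1)[-1]


def creators_of_account(sec_event, sysmon_events, window_seconds=60):
    """Return the Sysmon EID 1 records on the 4720 event's host whose command
    line names the created account and that started within window_seconds
    before the 4720, newest first (the direct creator, then its ancestors)."""
    t_end = datetime.fromisoformat(sec_event["time"])
    t_start = t_end - timedelta(seconds=window_seconds)
    user = sec_event["target_user"].lower()
    hits = []
    for ev in sysmon_events:
        if ev["host"] != sec_event["host"]:
            continue
        t = datetime.fromisoformat(ev["time"])
        if t_start <= t <= t_end and user in ev["command_line"].lower():
            hits.append(ev)
    hits.sort(key=lambda e: e["time"], reverse=True)
    return hits


def process_chain(event, sysmon_events):
    """Follow parent_process_id links through the same host's EID 1 records
    and return the ancestry as image basenames, root first. When a parent was
    never logged (it started before Sysmon did), fall back to the child's
    parent_image field and stop there."""
    by_pid = {(e["host"], e["process_id"]): e for e in sysmon_events}
    chain = [_basename(event["image"])]
    current, seen = event, set()
    while True:
        key = (current["host"], current["parent_process_id"])
        if key in seen:          # guard against PID reuse forming a cycle
            break
        seen.add(key)
        parent = by_pid.get(key)
        if parent is None:
            chain.append(_basename(current["parent_image"]))
            break
        chain.append(_basename(parent["image"]))
        current = parent
    return list(reversed(chain))


def attribute_account_creation(sec_event, sysmon_events):
    """Tie the 4720 to the command that created the account and its ancestry."""
    hits = creators_of_account(sec_event, sysmon_events)
    if not hits:
        return None
    return {"command_line": hits[0]["command_line"],
            "chain": process_chain(hits[0], sysmon_events)}


if __name__ == "__main__":
    print(attribute_account_creation(ACCOUNT_CREATED, PROCESS_EVENTS))
```

A chain that starts at a web server worker such as w3wp.exe is the attribution the 4720 event alone cannot give.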

134
MCQ (hard)

After a data breach involving customer PII, the incident response team has contained the incident and eradicated the malware. What is the NEXT step in the remediation process?

A. Close the vulnerability that was exploited.
B. Restore systems from clean backups.
C. Conduct a root cause analysis.
D. Notify all affected customers.
Answer: A

Closing the vulnerability is a key remediation step to prevent reinfection.

Why this answer

Option A is correct because closing the exploited vulnerability prevents recurrence. Root cause analysis belongs to post-incident activity, customer notification is a legal/compliance obligation, and system restoration is part of recovery.

135
MCQ (hard)

During a post-compromise review, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action should be prioritized before closure?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity is best confirmed by correlating web access logs (showing the suspicious file being accessed with a query parameter), file timestamps (indicating when the file was created or modified), process execution logs (showing commands spawned by the web service account), and outbound connections (indicating data exfiltration or command-and-control traffic). This multi-source evidence provides a complete chain of compromise, unlike a single log source.

Exam trap

The trap here is that candidates may think a single log source (like web access logs alone) is sufficient, but CompTIA tests the need for multi-source correlation to confirm web-shell activity, as a single log can be misleading or incomplete.

How to eliminate wrong answers

Option A is wrong because printer logs are unrelated to web-server command execution and would not capture web-shell activity, which involves HTTP requests, file creation, and process execution. Option B is wrong because the CEO's mailbox audit events pertain to email activity, not web-server file manipulation or command execution via query parameters. Option D is wrong because SSL certificate metadata only records certificate issuance and validity, not the runtime behavior of a web shell executing commands.

136
MCQ (medium)

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For validation, which action should be taken before closing or downgrading the finding?

A. Use only the vendor marketing page
B. Environmental scoring and compensating-control review
C. Change all findings to low severity
D. Ignore the vulnerability because it is internal
Answer: B

Environmental factors help translate generic severity into local risk.

Why this answer

Option B is correct because CVSS base scores assume a default environment, but an internal service restricted to a trusted admin subnet may have a lower actual risk. Environmental scoring (CVSS v3.1 environmental metrics) adjusts the base score for factors like modified attack vector and modified confidentiality/integrity/availability requirements, while a compensating-control review verifies whether existing controls (e.g., network ACLs, host-based firewalls, VPNs) effectively mitigate the vulnerability. This combined analysis determines if the finding can be downgraded or closed without introducing residual risk.

Exam trap

CompTIA often tests the misconception that a high CVSS base score automatically mandates immediate remediation, without considering environmental modifiers or existing compensating controls that can lower the effective risk.

How to eliminate wrong answers

Option A is wrong because vendor marketing pages are promotional and lack objective, technical details about exploitability, attack surface, or compensating controls; they do not provide the environmental context or control validation needed for risk-based decision-making. Option C is wrong because changing all findings to low severity without performing an environmental scoring and compensating-control review is arbitrary and violates the principle of risk-based vulnerability management; it ignores the actual exploitability and impact within the specific deployment environment.

137
MCQ (medium)

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is executive leadership, which content choice is most appropriate?

A. Only estimated financial loss
B. Only the CVE headline
C. Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D. Only a red/yellow/green chart
Answer: C

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps to resolve the vulnerability. This includes identifying affected assets and package versions, specifying patch commands or vendor guidance, outlining a validation method (e.g., checking the OpenSSL version with `openssl version`), and including rollback notes to revert changes if the patch fails. Without these details, the remediation cannot be executed reliably by the server team.

Exam trap

CompTIA often tests the distinction between technical remediation content and executive-level reporting, trapping candidates who confuse the audience (executives) with the content needed for the server team's technical remediation section.

How to eliminate wrong answers

Option A is wrong because estimated financial loss belongs in a risk assessment or business impact analysis, not in the technical remediation section, which focuses on the steps to fix the vulnerability. Option B is wrong because only the CVE headline (e.g., CVE-2022-3786) is insufficient for remediation; it lacks the specific commands, package versions, and validation steps needed to patch OpenSSL on Linux hosts.

138
MCQ (medium)

During a containment phase of an incident response, the team needs to prevent an infected host from communicating with a command-and-control server. The host is a critical database server that cannot be taken offline. Which of the following containment strategies is most appropriate?

A. Pull the network cable
B. Disable the database service
C. Isolate the host by VLAN
D. Block the C2 IP at the firewall
Answer: D

Blocking only the C2 IP allows legitimate traffic while preventing command-and-control communication.

Why this answer

Blocking the C2 IP at the firewall is the most appropriate strategy because it disrupts the command-and-control communication without taking the critical database server offline. This network-layer containment allows the host to continue serving its database functions while preventing outbound traffic to the malicious IP, aligning with the need for a surgical containment approach.

Exam trap

CompTIA often tests the distinction between network-level containment (firewall block) and host-level isolation (VLAN or cable pull), trapping candidates who think VLAN isolation is always non-disruptive when it often requires port reconfiguration that can drop active sessions.

How to eliminate wrong answers

Option A is wrong because pulling the network cable completely disconnects the host from the network, which would take the critical database server offline and violate the requirement that it cannot be taken offline. Option B is wrong because disabling the database service stops the server's primary function, effectively taking it offline, which contradicts the scenario's constraint. Option C is wrong because isolating the host by VLAN typically requires reconfiguring the switch port or moving the host to a separate VLAN, which can disrupt network connectivity and may not be feasible without taking the host offline or causing significant service interruption.

139
MCQ (hard)

In a regulated payment environment, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity requires evidence of both the initial compromise (web access logs showing the malicious file request, file timestamps indicating creation/modification) and the subsequent command execution (process execution logs from the web service account, outbound connections from that account). This combination confirms the attacker used the query parameter to execute commands and exfiltrate data, which is the core indicator of a web shell in a regulated payment environment.

Exam trap

CompTIA often tests the concept that web-shell detection requires correlating multiple log sources (web, file, process, network) rather than relying on a single log type; the trap here is assuming that any single log (like printer logs or mailbox audits) could provide sufficient evidence of command execution.

How to eliminate wrong answers

Option A is wrong because printer logs are unrelated to web-server command execution; they record print jobs, not HTTP requests, process execution, or network connections, so they cannot confirm web-shell activity. Option B is wrong because the CEO's mailbox audit events only track email access and actions, not web server file creation, query parameter manipulation, or command execution; they are irrelevant to detecting a web shell on a web server.

140
MCQ (medium)

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is a business service owner, which content choice is most appropriate?

A. A screenshot of every scanner page
B. A raw CSV of 20,000 findings
C. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
D. A list of tool login names
Answer: C

Board reporting should connect investment to measurable risk reduction. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option C is correct because it directly addresses the board's question about whether cyber risk is decreasing by presenting a trend in exploitable critical exposures (showing direction of risk), remediation SLA performance (showing operational effectiveness), and residual risk by business service (showing risk remaining after investment). This aligns with the primary audience of business service owners, who need aggregated, risk-focused metrics rather than raw technical data. The use of residual risk by business service ties vulnerability management outcomes to business impact, which is essential for executive decision-making.

Exam trap

CompTIA often tests the misconception that more data equals better reporting; the trap here is that raw technical outputs (scanner screenshots or CSV dumps) fail to communicate risk reduction to a non-technical audience, while trend-based, business-aligned metrics directly answer the board's question.

How to eliminate wrong answers

Option A is wrong because a screenshot of every scanner page provides overwhelming, unaggregated technical detail that obscures risk trends and does not answer whether cyber risk is decreasing; it represents a failure to distill scanner output into actionable business intelligence. Option B is wrong because a raw CSV of 20,000 findings is data, not information—it lacks trend analysis, risk prioritization, and business context, making it impossible for a service owner to assess risk reduction without extensive manual analysis.

141
MCQ (medium)

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A. A list of all closed tickets with no dates
B. SLA compliance by severity, asset owner, and business unit
C. A vendor price comparison
D. A report sorted only by scanner plugin ID
Answer: B

SLA reporting connects remediation timeliness to accountability. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

B is correct because SLA compliance by severity, asset owner, and business unit directly maps to the requirement of showing whether critical findings are fixed within policy timelines. This report filters by severity (e.g., critical), includes time-bound metrics (SLA compliance), and can be broken down by asset owner and business unit to demonstrate accountability and policy adherence. For legal/privacy stakeholders, this content provides auditable evidence of remediation timelines, which is essential for regulatory compliance and risk management.

Exam trap

CompTIA often tests the misconception that any list of closed tickets is sufficient for compliance reporting; the trap here is that without date fields and severity-based SLA filtering you cannot prove policy adherence, and candidates overlook the need for time-bound, severity-specific metrics in legal/privacy contexts.

How to eliminate wrong answers

Option A is wrong because a list of all closed tickets with no dates lacks any temporal context, making it impossible to determine whether critical findings were fixed within policy timelines; it provides no SLA compliance or severity filtering. Option C is wrong because a vendor price comparison is irrelevant to vulnerability remediation timelines and policy compliance; it addresses procurement or cost analysis, not security operations or legal/privacy reporting needs.

142
Multi-Select (hard)

A Kubernetes audit alert shows a service account creating privileged pods. Which checks are most relevant? (Choose two.)

Select 2 answers
A. The number of comments in application code
B. User profile pictures in the HR system
C. Pod spec fields such as privileged mode, hostPath, and hostNetwork
D. Recent role binding or cluster role binding changes
Answers: C, D

These fields indicate high-risk container privileges.

Why this answer

Option C is correct because privileged pods can bypass container security boundaries, and hostPath or hostNetwork access can lead to host-level compromise. The audit alert specifically flags a service account creating such pods, which violates the principle of least privilege and indicates a potential security incident that requires immediate investigation of the pod spec fields.

Exam trap

CompTIA often tests the ability to distinguish between operational metrics (like code comments or HR data) and security-relevant configuration fields, trapping candidates who confuse general IT audit items with Kubernetes-specific security indicators.
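The two checks the correct answers name, as an added example that is not code from the page or from any Kubernetes project: inspect the pod spec for privileged mode, hostPath and hostNetwork, and look up recent RoleBinding/ClusterRoleBinding writes for the creating service account. The pod object is constructed in the shape `kubectl get pod -o json` returns; the audit records are constructed and simplified (real kube-apiserver audit events nest these under objectRef, user and requestObject), and the capability list is an assumption of this example.

```python
"""Triage a 'service account created a privileged pod' alert: flag the
host-escape enablers in the pod spec and list recent RBAC grants to the
service account that created it."""
from datetime import datetime, timedelta

# Assumption: added capabilities we treat as equivalent to privileged for triage.
RISKY_CAPABILITIES = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "NET_ADMIN", "SYS_MODULE"}

# Constructed pod created by the service account named in the alert.
SUSPICIOUS_POD = {
    "metadata": {"name": "dbg-7f9c", "namespace": "ci"},
    "spec": {
        "serviceAccountName": "builder",
        "hostNetwork": True,
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "dbg",
            "image": "busybox",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        }],
    },
}

# Constructed, simplified audit records (verb, resource, subjects, roleRef).
AUDIT_RECORDS = [
    {"time": "2024-05-01T09:40:00", "verb": "create",
     "resource": "clusterrolebindings", "name": "ci-builder-admin",
     "actor": "alice@example.com", "role_ref": "cluster-admin",
     "subjects": ["system:serviceaccount:ci:builder"]},
    {"time": "2024-04-02T11:00:00", "verb": "create",
     "resource": "rolebindings", "name": "ci-builder-deploy",
     "actor": "ci-bootstrap", "role_ref": "deployer",
     "subjects": ["system:serviceaccount:ci:builder"]},
    {"time": "2024-05-01T09:45:00", "verb": "update",
     "resource": "rolebindings", "name": "web-reader",
     "actor": "bob@example.com", "role_ref": "view",
     "subjects": ["system:serviceaccount:web:frontend"]},
]


def pod_risk_findings(pod):
    """Return human-readable findings for the host-escape enablers in a pod
    spec: hostNetwork/hostPID/hostIPC, hostPath volumes, privileged
    containers and risky added capabilities (init containers included)."""
    spec = pod.get("spec", {})
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag}: true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"hostPath volume {vol['name']!r} -> {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']!r}: privileged: true")
        added = set(sc.get("capabilities", {}).get("add", []))
        for cap in sorted(added & RISKY_CAPABILITIES):
            findings.append(f"container {c['name']!r}: adds capability {cap}")
    return findings


def recent_binding_changes(audit_records, namespace, service_account, now, days=7):
    """Return RoleBinding/ClusterRoleBinding writes within the last `days`
    whose subjects include the given service account, newest first."""
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    cutoff = datetime.fromisoformat(now) - timedelta(days=days)
    changes = [
        r for r in audit_records
        if r["resource"] in ("rolebindings", "clusterrolebindings")
        and r["verb"] in ("create", "update", "patch")
        and subject in r["subjects"]
        and datetime.fromisoformat(r["time"]) >= cutoff
    ]
    return sorted(changes, key=lambda r: r["time"], reverse=True)


def triage(pod, audit_records, now):
    """Combine both checks into one summary for the alert."""
    ns = pod["metadata"]["namespace"]
    sa = pod["spec"].get("serviceAccountName", "default")
    return {
        "pod": f"{ns}/{pod['metadata']['name']}",
        "service_account": sa,
        "pod_findings": pod_risk_findings(pod),
        "binding_changes": recent_binding_changes(audit_records, ns, sa, now),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SUSPICIOUS_POD, AUDIT_RECORDS, "2024-05-01T10:00:00"), indent=2))
```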

143
Multi-Select (medium)

Which measures help reduce recurring vulnerabilities from unsupported software? (Choose two.)

Select 2 answers
A. Lifecycle tracking for end-of-support dates
B. Permanent acceptance without review
C. Migration plan with business owner accountability
D. Changing scanner colours to red
Answers: A, C

Lifecycle visibility enables proactive replacement.

Why this answer

Lifecycle tracking for end-of-support dates (Option A) is correct because it enables organizations to proactively identify when software will no longer receive security patches. By monitoring these dates, vulnerability management teams can schedule migrations or upgrades before the vendor ceases support, directly reducing the window of exposure to unpatched vulnerabilities. This aligns with the NIST SP 800-53 CM-8 control for configuration management and asset lifecycle tracking.

Exam trap

CompTIA often tests the misconception that 'permanent acceptance' is a valid risk treatment for unsupported software, when in fact it violates the principle of continuous vulnerability management and is never an acceptable long-term strategy without compensating controls.

144
MCQ (medium)

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. The risk register with owner, justification, expiry date, and compensating controls
B. The firewall vendor invoice
C. The incident containment playbook only
D. The phishing training completion list
Answer: A

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch, the risk register must be updated with the owner, justification, expiry date, and compensating controls. This documentation ensures the decision is defensible during audits or incidents, as it captures the explicit risk acceptance and the temporary controls in place until the patch is applied.

Exam trap

CompTIA often tests the misconception that any documentation (like an invoice or playbook) can substitute for the formal risk register entry required to track accepted risks and compensating controls.

How to eliminate wrong answers

Option B is wrong because a firewall vendor invoice is a procurement document, not a stakeholder management or risk acceptance record; it does not capture the rationale, owner, or compensating controls for a delayed patch. Option C is wrong because the incident containment playbook only outlines steps to respond to an active incident, not the proactive risk acceptance and compensating controls needed to keep the program defensible.

145
Multi-Select (easy)

Which TWO of the following are best practices for securing a network firewall configuration? (Choose two.)

Select 2 answers
A. Implement a default deny rule for inbound and outbound traffic
B. Apply least privilege access by restricting ports and IP addresses
C. Enable continuous monitoring of firewall logs
D. Allow all traffic by default and block specific threats
E. Use default vendor passwords for initial access
Answers: A, B

Ensures only explicitly permitted traffic passes.

Why this answer

A default deny rule for inbound and outbound traffic ensures that only explicitly permitted traffic is allowed, which is the foundation of a secure firewall configuration. This approach aligns with the principle of least privilege and prevents unauthorized access or data exfiltration by blocking all traffic that is not specifically required. Without a default deny rule, any misconfiguration or unanticipated traffic could bypass security controls.

Exam trap

CompTIA often tests the distinction between operational practices (like log monitoring) and configuration best practices, leading candidates to mistakenly select continuous monitoring as a configuration control rather than a detection control.

146
MCQ (medium)

Refer to the exhibit. A security analyst is reviewing firewall logs and notices this entry. What should the analyst do next?

A. Investigate the internal host for possible RDP compromise
B. Escalate to incident response immediately
C. Check if there is a business need for RDP access to the external IP
D. Block all traffic to 203.0.113.50
Answer: A

An outbound RDP connection from an internal host is suspicious and warrants investigation of the host.

Why this answer

The firewall log shows an inbound RDP connection (TCP port 3389) from an external IP (203.0.113.50) to an internal host (192.168.1.10). RDP is a high-risk protocol often targeted for brute-force attacks and remote compromise. The analyst should first investigate the internal host for signs of RDP compromise, such as unauthorized access, lateral movement, or data exfiltration, before taking other actions.

Exam trap

CompTIA often tests the principle of 'investigate before escalate': the trap here is that candidates may jump to blocking or escalating without first verifying the internal host's compromise status, which is the foundational step in incident response.

How to eliminate wrong answers

Option B is wrong because escalating to incident response immediately is premature without first confirming that the RDP connection was unauthorized or malicious; the log entry alone does not indicate a confirmed incident. Option C is wrong because checking for a business need for RDP access to the external IP is irrelevant—the connection is inbound from an external IP to an internal host, and the priority is to assess the internal host's security state, not to justify the external IP's access. Option D is wrong because blocking all traffic to 203.0.113.50 is an overly aggressive response that could disrupt legitimate services and should only be done after investigation confirms malicious intent.

147
MCQ (easy)

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. A DNS MX record report
B. A software bill of materials
C. A building floor plan
D. A password complexity screenshot only
Answer: B

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A software bill of materials (SBOM) is a formal, machine-readable inventory of all components, libraries, and versions used in a software product. In a regulated environment, an SBOM provides the security team with the visibility needed to assess vulnerabilities, track supply chain risks, and ensure compliance with standards like NIST SP 800-53 or FDA guidance. Requesting an SBOM directly addresses the need for library and version transparency.

Exam trap

CompTIA often tests the distinction between operational artifacts (like DNS records or floor plans) and security-specific artifacts (like SBOMs), trapping candidates who confuse general IT documentation with targeted vulnerability management tools.

How to eliminate wrong answers

Option A is wrong because a DNS MX record report lists mail exchange servers for a domain and has no relation to software libraries or versions; it is a network infrastructure query, not a software composition artifact. Option C is wrong because a building floor plan is a physical security document showing facility layouts and has no relevance to software component visibility or vulnerability management.

148
MCQ (easy)

After a high-priority SOC escalation, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

A. Whether the alert arrived first
B. Business impact, privilege level, asset criticality, and spread potential
C. Alphabetical order of hostnames
D. The analyst's preferred dashboard theme
Answer: B

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response is determined by business impact, privilege level, asset criticality, and spread potential, not by timing or naming. The domain admin workstation has high privilege and criticality, and the same malware on a kiosk suggests lateral movement potential, making it a higher priority regardless of alert order.

Exam trap

CompTIA often tests the misconception that alert timing or hostname order determines priority, when in reality severity must be driven by risk-based factors like business impact and privilege level.

How to eliminate wrong answers

Option A is wrong because the order in which alerts arrive has no bearing on severity; incident response prioritizes based on risk, not chronology. Option C is wrong because alphabetical order of hostnames is irrelevant to security impact and would ignore the critical difference between a kiosk and a domain admin workstation.

149
Multi-Select (hard)

A scanner reports a critical issue on a network device. Which steps help validate the finding before closure? (Choose two.)

Select 2 answers
A. Suppress all network-device findings permanently
B. Close it because the device is expensive
C. Confirm the firmware or software version on the device
D. Check vendor advisory applicability and configuration requirements
Answers: C, D

Version evidence verifies whether the vulnerable build is present.

Why this answer

Option C is correct because confirming the firmware or software version on the device is a critical validation step. The scanner may report a vulnerability based on version detection, but the actual installed version could differ due to patching or backporting. Verifying the exact version ensures the finding is not a false positive before closure.

Exam trap

CompTIA often tests the misconception that scanner findings are always accurate and can be closed without manual verification, leading candidates to skip validation steps like version confirmation and vendor advisory checks.

150
MCQ (hard)

Refer to the exhibit. A security auditor finds this IAM policy attached to a user account. Which of the following describes the primary security concern?

A. The policy is missing a NotAction element
B. The policy allows read-only access
C. The policy uses a wildcard resource
D. The policy allows all S3 actions, which can lead to data exposure
Answer: D

s3:* includes destructive actions like DeleteBucket and PutObject.

Why this answer

Option D is correct because the policy allows all S3 actions on all resources (s3:* on Resource "*"), which means the user can read, write, delete, and modify any S3 bucket. This extreme level of access can lead to data exposure or deletion. The wildcard resource (option C) is part of the problem, but the combination of all actions with all resources is the core issue.
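An added review check for the concern above, not the page's exhibit or AWS code: it flags Allow statements that pair wildcard actions with Resource "*" (and Allow-with-NotAction, which grants everything not listed), and shows which sample S3 actions a pattern such as s3:* actually sweeps in, next to a constructed least-privilege alternative. Both policies and the bucket name example-reports are constructed; action matching follows IAM's documented wildcard semantics (case-insensitive, '*' and '?'), implemented here with fnmatch, and Deny statements and Conditions are deliberately ignored.

```python
"""Review an IAM identity policy for over-broad Allow statements and list
which sample S3 actions each policy grants."""
import fnmatch

# Constructed policy matching the scenario: all S3 actions on all resources.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed least-privilege alternative for a report-reading user.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports",
                     "arn:aws:s3:::example-reports/*"],
    }],
}

# A small sample of S3 actions used to show what 's3:*' sweeps in; the
# destructive ones are why the summary above singles out s3:*.
DESTRUCTIVE_S3_ACTIONS = {"s3:DeleteBucket", "s3:DeleteObject",
                          "s3:PutObject", "s3:PutBucketPolicy"}
READ_S3_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy, candidates):
    """Return the subset of candidate actions that some Allow statement grants.
    Assumption for brevity: Deny statements and Condition blocks are ignored."""
    granted = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        for pattern in _as_list(st["Action"]):
            granted |= {a for a in candidates if action_matches(pattern, a)}
    return granted


def review_policy(policy):
    """Return (severity, statement index, message) findings for over-broad
    Allow statements: wildcard actions, wildcard resources, and NotAction."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            # Allow + NotAction grants every action except those listed, which
            # is broader than it reads; its absence is never a weakness.
            findings.append(("HIGH", i, "Allow with NotAction grants all actions not listed"))
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions and wild_resources:
            findings.append(("HIGH", i, f"{', '.join(wild_actions)} on Resource '*': "
                                        "full control of every resource in the service"))
        elif wild_actions:
            findings.append(("MEDIUM", i, f"service-wide actions {', '.join(wild_actions)}"))
        elif wild_resources:
            findings.append(("MEDIUM", i, "Resource '*' with explicit actions"))
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, review_policy(pol),
              sorted(granted_actions(pol, DESTRUCTIVE_S3_ACTIONS | READ_S3_ACTIONS)))
```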
