CompTIA CySA+ CS0-003 (CS0-003) — Questions 151–225

503 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151
MCQ (easy)

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is legal/privacy stakeholder, which content choice is most appropriate?

A. Confidential unrelated customer data
B. Internal blame speculation
C. A public press statement draft first
D. Timeline, service impact, evidence, required corrective actions, and contractual follow-up
Answer: D

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option D is correct because it provides a structured, factual communication that addresses the legal and privacy stakeholder's need for accountability, risk assessment, and contractual compliance. The timeline and evidence establish the sequence of events, service impact quantifies the breach of SLA, required corrective actions demonstrate remediation steps, and contractual follow-up triggers legal review of penalties or liabilities. This approach avoids speculation and focuses on verifiable data, which is critical for legal teams to assess regulatory obligations (e.g., GDPR breach notification timelines) and potential litigation.

Exam trap

CompTIA often tests the misconception that legal stakeholders need immediate public relations content or internal blame assignments, but the trap here is that legal teams require objective, evidence-based data to assess liability and regulatory compliance, not subjective or premature communications.

How to eliminate wrong answers

Option A is wrong because disclosing confidential unrelated customer data would violate data protection laws (e.g., GDPR Article 5) and is irrelevant to the vendor's outage; legal stakeholders need only data directly tied to the incident. Option B is wrong because internal blame speculation is subjective, unverifiable, and could create legal liability or prejudice; legal teams require objective facts, not finger-pointing. Option C is wrong because drafting a public press statement before internal legal review risks premature disclosure, misrepresentation, or admission of fault, which could harm regulatory defense or contractual negotiations.

152
Multi-Select (hard)

Which THREE elements are essential components of a comprehensive post-incident report?

Select 3 answers
A. Root cause analysis
B. Timeline of events leading up to and during the incident
C. List of all employee usernames and passwords
D. Budget report for the incident response team
E. Lessons learned and recommendations for improvement
Answers: A, B, E

Identifies underlying issue.

Why this answer

Root cause analysis (RCA) is essential because it identifies the underlying technical failure—such as a misconfigured firewall rule, an unpatched CVE, or a phishing campaign—that allowed the incident to occur. Without RCA, the report would only describe symptoms, not the fundamental vulnerability that must be addressed to prevent recurrence. The timeline (Option B) is essential because it fixes the sequence of detection, containment, eradication and recovery actions with times attached, which is what reviewers, auditors and legal teams need to reconstruct what happened and how long each stage took. Lessons learned and recommendations (Option E) turn the incident into concrete changes to controls, detections and playbooks so the same failure is less likely to recur.

Exam trap

CompTIA often tests the distinction between administrative or sensitive material (budgets, credential lists) and the mandatory analytical components of a post-incident report, trapping candidates who confuse administrative tasks with incident documentation requirements.

153
MCQ (easy)

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Ignore all base-image vulnerabilities
B. Ship the image and document nothing
C. Only rename the image tag
D. Validate exploitability and rebuild from a patched base image where feasible
Answer: D

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option D is correct because it follows a defensible vulnerability management process: first validate whether the OpenSSL CVE is actually exploitable in the context of the application (e.g., the vulnerable binary may be present but never executed), then rebuild the image from a patched base image to eliminate the risk entirely. This balances security with operational pragmatism, ensuring the pipeline remains secure while avoiding unnecessary delays.

Exam trap

CompTIA often tests the misconception that 'not used' means 'no risk'—candidates may choose to ignore or rename the image, but the correct approach is to validate exploitability and then remediate by rebuilding from a patched base image.

How to eliminate wrong answers

Option A is wrong because ignoring all base-image vulnerabilities violates security policy and leaves the organization exposed to known exploits, even if the vulnerable binary is unused—attackers could still leverage it via other paths. Option B is wrong because shipping the image without documentation creates an audit trail gap; if the CVE is later exploited, there is no evidence of a risk-based decision, making the program indefensible. Option C is wrong because renaming the image tag does not change the underlying vulnerable binary—it only obscures the issue, and vulnerability scanners will still flag the same CVE based on the image digest.

154
MCQ (easy)

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For control selection, which control best addresses the stated weakness without hiding risk?

A. A DNS MX record report
B. A software bill of materials
C. A building floor plan
D. A password complexity screenshot only
Answer: B

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A software bill of materials (SBOM) provides a formal, machine-readable inventory of all components, libraries, and versions used in a software product. This directly gives the security team the visibility needed for vulnerability management in a regulated environment, aligning with frameworks like NIST SP 800-53 and Executive Order 14028.

Exam trap

CompTIA often tests the distinction between operational artifacts (like DNS records) and software composition artifacts (like SBOMs), trapping candidates who confuse network visibility with application-level visibility.

How to eliminate wrong answers

Option A is wrong because a DNS MX record report only reveals mail exchange server configurations, not software libraries or versions. Option C is wrong because a building floor plan describes physical layout, not software composition. Option D is wrong because a password complexity screenshot only shows password policy settings, not the included libraries and their versions.

155
MCQ (hard)

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is legal/privacy stakeholder, which content choice is most appropriate?

A. Legal, privacy, and compliance stakeholders
B. Only the graphic design team
C. Only the facilities manager
D. Only the vulnerability scanner vendor
Answer: A

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data, legal, privacy, and compliance stakeholders must be engaged early because they determine notification obligations under laws such as GDPR, HIPAA, or CCPA. These stakeholders assess the data type, jurisdiction, and breach thresholds to decide if and when to notify regulators and affected individuals. In the context of CS0-003, this aligns with the Reporting and Communication domain, where timely stakeholder involvement is critical for legal compliance and risk mitigation.

Exam trap

CompTIA often tests the misconception that only technical teams (e.g., IT or security) handle breach response, but the trap here is that notification obligations are a legal/compliance function, not a technical one, so candidates must recognize the need for legal and privacy stakeholders early.

How to eliminate wrong answers

Option B is wrong because the graphic design team has no role in determining legal notification obligations for data breaches; their focus is on visual assets, not regulatory compliance. Option C is wrong because the facilities manager handles physical security and building operations, not the legal or privacy aspects of personal data incidents. Option D is wrong because the vulnerability scanner vendor provides technical scanning tools but lacks the authority or expertise to interpret data protection laws or define notification requirements.

156
Multi-Select (hard)

A vulnerability scan of a segmented OT network must avoid disrupting fragile devices. Which controls are appropriate? (Choose two.)

Select 2 answers
A. Use approved safe-check profiles or passive discovery where required
B. Scan from random external hosts
C. Run aggressive exploit checks without approval
D. Coordinate test windows and scope with OT owners
Answers: A, D

Non-intrusive methods reduce disruption risk.

Why this answer

Option A is correct because safe-check profiles (e.g., Nessus 'safe checks' mode) disable the plugins that can crash or hang a target, such as exploit attempts and denial-of-service tests, while passive discovery (e.g., analysing mirrored traffic from a SPAN/TAP port, or flow records) sends no packets to the devices at all. This prevents disruption to legacy PLCs, RTUs, or other industrial controllers that may crash under aggressive scanning. Option D is correct because the OT owners know which devices are fragile, when a process can tolerate an interruption, and which segments are in scope, so agreeing windows and scope with them is what turns a scan into an approved, recoverable activity.

Exam trap

CompTIA often tests the misconception that scanning from random external hosts improves stealth or coverage, but in OT segmentation, the priority is avoiding disruption—not hiding the scan source.

157
MCQ (hard)

While supporting a hybrid workforce, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible, and which evidence should guide it?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority in a ransomware incident is to stop the spread of encryption. Isolating the workstation (e.g., disabling its network interface or physically unplugging it) and terminating its active SMB sessions to file servers prevents the ransomware from encrypting additional shares. This containment step preserves evidence and limits damage without relying on potentially compromised backups or alerting the attacker.

Exam trap

CompTIA often tests the principle that containment (stopping the spread) must precede eradication or recovery, tempting candidates to choose a proactive but premature action like scanning or restoring backups.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans during an active ransomware outbreak wastes critical time and does not stop ongoing encryption; scanning should occur after containment. Option B is wrong because restoring backups before isolating the host risks re-encrypting the restored data if the ransomware is still active on the network; isolation must come first. Option C is wrong because emailing the ransom note to all users is not a containment action and may cause panic, spread misinformation, or inadvertently alert the attacker; it also does not stop the encryption process.

158
MCQ (easy)

Which of the following is the BEST method to prioritize vulnerabilities for remediation?

A. By asset criticality and exploitability
B. By availability of patch
C. By CVSS score
D. By number of affected hosts
Answer: A

This combines impact and likelihood, reflecting true risk.

Why this answer

Option A is correct because prioritizing by asset criticality and exploitability captures both impact and likelihood, which is what risk actually measures. A CVSS score alone (Option C) describes the technical severity of the flaw in the abstract, not whether it is exploitable in your environment or sits on an asset that matters; patch availability (Option B) and the number of affected hosts (Option D) are inputs to scheduling the fix, not to deciding which risk to address first.

159
MCQ (medium)

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Delete the host from the SIEM asset inventory
B. Search only for successful HTTP 200 responses
C. Block all DNS traffic from the subnet
D. Correlate DNS query logs with endpoint process and network connection telemetry
Answer: D

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Option D is correct because correlating DNS query logs with endpoint process and network connection telemetry provides direct evidence of command-and-control (C2) beaconing. The random-looking names and the high NXDOMAIN rate fit a domain generation algorithm (DGA): the malware computes many candidate names per period and the operator registers only one or a few of them, so most lookups fail and the rare successful one points at live C2 infrastructure. By linking the queries to the process that issued them and to the outbound connection made after a successful resolution, the analyst can confirm malicious activity rather than a benign misconfiguration that merely produces failed lookups.

Exam trap

CompTIA often tests the misconception that NXDOMAIN responses alone are sufficient to confirm C2, when in fact correlation with endpoint and network telemetry is required to distinguish DGA beaconing from legitimate DNS failures or misconfigured clients.

How to eliminate wrong answers

Option A is wrong because deleting the host from the SIEM asset inventory would remove visibility into the suspicious activity, not validate or investigate it. Option B is wrong because searching only for successful HTTP 200 responses would miss the majority of DGA-based C2 traffic, which often results in NXDOMAIN or other non-200 responses when the C2 server is not reachable. Option C is wrong because blocking all DNS traffic from the subnet is an overly aggressive response that would disrupt legitimate network operations and does not help validate the specific beaconing behavior.
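The correlation in Option D, written out as an added example that is not part of the question bank. It scores each host on two things the question describes, the NXDOMAIN share and the regularity of the query cadence, and then joins the one lookup that did resolve to the EDR connection event that used the returned address, which is what ties the beaconing to a process. The DNS and EDR records are constructed, and their field names (ts, host, qname, rcode, answer; pid, process, remote_ip) are this example's own, not any product's export format.

```python
"""Added example (not from the question bank): validate suspected DGA beaconing
by joining DNS resolver logs with EDR process and connection telemetry.

Every record is constructed for illustration. The field names (ts in epoch
seconds, host, qname, rcode, answer; pid, process, remote_ip, remote_port) are
this example's own and will differ from any real resolver or EDR export.
"""
from statistics import mean, pstdev

_DGA_NAMES = ["xk4qzm2p.com", "b7w9rlt3.net", "qp0ve8nz.org", "m3yc6hkd.com",
              "zr8tq1vw.net", "kq3x9zpl.net", "hv2np7cs.org", "wt6lr0ma.com",
              "cj9ub4fx.net", "ns5dk8yq.org"]

# WS-042 looks up one generated name every 60 s. Only the sixth is registered by
# the operator and resolves; the rest come back NXDOMAIN.
DNS_LOG = [
    {"ts": 1_700_000_000 + 60 * i, "host": "WS-042", "qname": n,
     "rcode": "NOERROR" if i == 5 else "NXDOMAIN",
     "answer": "203.0.113.77" if i == 5 else None}
    for i, n in enumerate(_DGA_NAMES)
] + [
    # WS-007: ordinary browsing, irregular timing, one typo
    {"ts": 1_700_000_007, "host": "WS-007", "qname": "www.example.com",
     "rcode": "NOERROR", "answer": "192.0.2.10"},
    {"ts": 1_700_000_131, "host": "WS-007", "qname": "cdn.example.net",
     "rcode": "NOERROR", "answer": "198.51.100.10"},
    {"ts": 1_700_000_140, "host": "WS-007", "qname": "typo.exmaple.com",
     "rcode": "NXDOMAIN", "answer": None},
    {"ts": 1_700_000_402, "host": "WS-007", "qname": "mail.example.com",
     "rcode": "NOERROR", "answer": "192.0.2.11"},
]

# EDR network-connection events: which process opened an outbound socket
EDR_LOG = [
    {"ts": 1_700_000_301, "host": "WS-042", "pid": 4412,
     "process": r"C:\Users\Public\svchost_upd.exe",
     "remote_ip": "203.0.113.77", "remote_port": 443},
    {"ts": 1_700_000_008, "host": "WS-007", "pid": 2210,
     "process": r"C:\Program Files\Browser\browser.exe",
     "remote_ip": "192.0.2.10", "remote_port": 443},
]


def host_queries(dns_log, host):
    return sorted((r for r in dns_log if r["host"] == host), key=lambda r: r["ts"])


def nxdomain_ratio(dns_log, host):
    rows = host_queries(dns_log, host)
    return sum(r["rcode"] == "NXDOMAIN" for r in rows) / len(rows) if rows else 0.0


def interval_cv(dns_log, host):
    """Coefficient of variation of inter-query gaps; ~0 means a fixed cadence."""
    ts = [r["ts"] for r in host_queries(dns_log, host)]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def link_resolutions_to_processes(dns_log, edr_log, host, window_s=10):
    """For each successful lookup, find the process that connected to the answer."""
    hits = []
    for q in host_queries(dns_log, host):
        if q["rcode"] != "NOERROR" or not q["answer"]:
            continue
        for c in edr_log:
            if (c["host"] == host and c["remote_ip"] == q["answer"]
                    and q["ts"] <= c["ts"] <= q["ts"] + window_s):
                hits.append({"qname": q["qname"], "answer": q["answer"],
                             "pid": c["pid"], "process": c["process"],
                             "lag_s": c["ts"] - q["ts"]})
    return hits


def dga_beacon_candidates(dns_log, edr_log, min_queries=8,
                          min_nx_ratio=0.7, max_cv=0.2):
    """Hosts with a high NXDOMAIN share on a machine-regular cadence, plus the
    process that used whichever name did resolve."""
    out = {}
    for host in sorted({r["host"] for r in dns_log}):
        rows = host_queries(dns_log, host)
        if len(rows) < min_queries:
            continue
        ratio, cv = nxdomain_ratio(dns_log, host), interval_cv(dns_log, host)
        if ratio >= min_nx_ratio and cv is not None and cv <= max_cv:
            out[host] = {"queries": len(rows), "nxdomain_ratio": round(ratio, 2),
                         "interval_cv": round(cv, 2),
                         "linked": link_resolutions_to_processes(dns_log, edr_log, host)}
    return out


if __name__ == "__main__":
    for host, info in dga_beacon_candidates(DNS_LOG, EDR_LOG).items():
        print(host, info)
```

WS-007 also has a failed lookup, but it falls below the query floor, its NXDOMAIN share is 25%, and its timing is irregular, so it never reaches the correlation step; that is the tuning the question asks for. WS-042 is flagged and the linked record names the unsigned binary in a world-writable path that connected to the resolved address one second after the lookup, which is the evidence an analyst escalates on.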

160
MCQ (easy)

During a post-incident review, the security team needs to communicate findings to the IT operations team. Which communication method is MOST effective for this audience?

A. A presentation with graphs and trends
B. A detailed technical report including indicators of compromise and remediation procedures
C. An informal email with bullet points and no specific actions
D. A one-page executive summary with risk ratings
Answer: B

Provides the precise information needed by operations.

Why this answer

The IT operations team needs actionable technical details to implement remediation and prevent recurrence. A detailed technical report with indicators of compromise (IoCs) and remediation procedures provides the precise commands, log entries, and configuration changes required for their work, making it the most effective method for this audience.

Exam trap

CompTIA often tests the distinction between audience-appropriate communication formats, and the trap here is that candidates may choose the executive summary (Option D) thinking it's concise, but fail to recognize that the IT operations team requires the full technical depth of a detailed report to perform their duties effectively.

How to eliminate wrong answers

Option A is wrong because a presentation with graphs and trends is more suitable for executive or management briefings, lacking the specific technical details (e.g., file hashes, IP addresses, registry keys) that the IT operations team needs to act. Option C is wrong because an informal email with bullet points and no specific actions omits critical remediation steps and IoCs, leaving the IT operations team without clear guidance on what to do. Option D is wrong because a one-page executive summary with risk ratings is designed for non-technical stakeholders, not for the IT operations team who require in-depth technical data to perform system changes.

161
MCQ (medium)

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is executive leadership, which content choice is most appropriate?

A. SLA compliance by severity, asset owner, and business unit
B. A list of all closed tickets with no dates
C. A vendor price comparison
D. A report sorted only by scanner plugin ID
Answer: A

SLA reporting connects remediation timeliness to accountability. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option A is correct because it directly maps to the requirement of showing whether critical findings are fixed within policy timelines. SLA compliance by severity, asset owner, and business unit provides the necessary metrics to track remediation against defined service-level agreements, which is exactly what a vulnerability programme needs to demonstrate adherence to policy timelines. For executive leadership, this content choice is most appropriate as it offers a high-level, actionable view of compliance status across organizational units without technical noise.

Exam trap

CompTIA often tests the misconception that any list of closed tickets is sufficient for compliance reporting, but without date fields or SLA context, such a list is useless for proving policy adherence.

How to eliminate wrong answers

Option B is wrong because a list of all closed tickets with no dates provides no temporal context to assess whether fixes were completed within policy timelines; it fails to show SLA compliance or any measure of timeliness. Option C is wrong because a vendor price comparison is irrelevant to tracking vulnerability remediation timelines or SLA compliance; it addresses procurement concerns, not the operational effectiveness of a vulnerability management programme.
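Questions 158 and 161 are two views of the same data: which finding to fix first, and whether fixes landed inside the policy clock. The added example below (mine, not the question bank's) ranks a constructed set of findings by asset criticality times exploitability, with CVSS only as a scaling factor, and then produces the SLA table that Option A of question 161 describes, grouped by severity or by owner. The SLA_DAYS policy, the criticality weights, the owners and the findings are assumptions made for illustration.

```python
"""Added example (not from the question bank): rank findings by asset
criticality and exploitability, then report SLA compliance by severity and by
owner from one constructed set of findings.

SLA_DAYS, CRITICALITY_WEIGHT, the findings and the owners are assumptions for
illustration, not any organisation's real policy or data.
"""
from collections import defaultdict
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
CRITICALITY_WEIGHT = {"crown-jewel": 3.0, "business": 2.0, "test": 1.0}


def _f(fid, title, cvss, sev, asset, crit, owner, bu, kev, epss, opened, closed):
    return {"id": fid, "title": title, "cvss": cvss, "severity": sev, "asset": asset,
            "asset_criticality": crit, "owner": owner, "bu": bu, "kev": kev,
            "epss": epss, "opened": opened, "closed": closed}


FINDINGS = [
    _f("VULN-1", "auth bypass in payment gateway", 7.5, "high", "pay-api-01",
       "crown-jewel", "Payments", "Finance", True, 0.85, "2024-03-01", "2024-03-20"),
    _f("VULN-2", "RCE in unused build-agent plugin", 10.0, "critical", "build-test-03",
       "test", "Platform", "Engineering", False, 0.01, "2024-03-01", "2024-03-15"),
    _f("VULN-3", "deserialization RCE in HR portal", 9.1, "critical", "hr-portal-01",
       "crown-jewel", "HR-IT", "People", False, 0.40, "2024-03-10", None),
    _f("VULN-4", "stored XSS in intranet wiki", 5.3, "medium", "intranet-wiki",
       "business", "HR-IT", "People", False, 0.02, "2024-03-25", None),
    _f("VULN-5", "auth bypass in payment gateway (second host)", 9.8, "critical",
       "pay-api-02", "crown-jewel", "Payments", "Finance", True, 0.97,
       "2024-03-28", "2024-03-30"),
]


def exploitability(f):
    """1.0 when listed as known-exploited (CISA KEV), else the EPSS probability."""
    return 1.0 if f["kev"] else f["epss"]


def priority_score(f):
    """Impact (asset criticality) x likelihood (exploitability); CVSS only scales."""
    return CRITICALITY_WEIGHT[f["asset_criticality"]] * exploitability(f) * f["cvss"] / 10


def prioritize(findings):
    return sorted(findings, key=priority_score, reverse=True)


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def sla_status(f, as_of):
    """met / breached / in_progress against the policy clock for the severity."""
    as_of = _as_date(as_of)
    due = date.fromisoformat(f["opened"]) + timedelta(days=SLA_DAYS[f["severity"]])
    if f["closed"]:
        return "met" if date.fromisoformat(f["closed"]) <= due else "breached"
    return "breached" if as_of > due else "in_progress"


def sla_report(findings, as_of, group_by="severity"):
    """Counts and % met per group (severity, owner, bu). A ticket list without
    dates cannot produce this table; every row needs opened/closed/due."""
    rows = defaultdict(lambda: {"total": 0, "met": 0, "breached": 0,
                                "in_progress": 0, "pct_met": None})
    for f in findings:
        r = rows[f[group_by]]
        r["total"] += 1
        r[sla_status(f, as_of)] += 1
    for r in rows.values():
        decided = r["met"] + r["breached"]
        if decided:
            r["pct_met"] = round(100 * r["met"] / decided, 1)
    return dict(rows)


if __name__ == "__main__":
    print([f["id"] for f in prioritize(FINDINGS)])
    print(sla_report(FINDINGS, "2024-04-01", "severity"))
    print(sla_report(FINDINGS, "2024-04-01", "owner"))
```

The CVSS 10.0 finding on a test box with no known exploitation ranks last, behind a CVSS 7.5 known-exploited flaw on a crown-jewel system, which is the point of question 158. For question 161, the same records produce the executive view (one third of criticals met their seven-day clock) and the accountability view (Payments at 100%, Platform at 0%), and a finding that is open but not yet due is reported separately rather than counted as a breach.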

162
MCQ (hard)

An incident may involve regulated personal data. Who should be engaged early to determine notification obligations? If the primary audience is executive leadership, which content choice is most appropriate?

A. Only the facilities manager
B. Legal, privacy, and compliance stakeholders
C. Only the vulnerability scanner vendor
D. Only the graphic design team
Answer: B

Notification decisions depend on law, contract, data type, jurisdiction, and timing. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

When an incident involves regulated personal data (e.g., PII, PHI, or GDPR-protected data), legal, privacy, and compliance stakeholders must be engaged early to determine statutory notification obligations. These stakeholders interpret applicable regulations (such as GDPR Article 33, HIPAA Breach Notification Rule, or state breach notification laws) to decide if, when, and how to notify affected parties and regulators. Executive leadership requires a concise summary of legal exposure and required actions, not operational details.

Exam trap

CompTIA often tests the misconception that technical teams (like vulnerability scanner vendors) or operational staff (like facilities managers) can handle compliance decisions, when in fact only legal, privacy, and compliance stakeholders have the authority to interpret breach notification laws.

How to eliminate wrong answers

Option A is wrong because the facilities manager has no authority or expertise to evaluate data privacy laws or notification triggers; their role is limited to physical security and building access, not regulatory compliance. Option C is wrong because a vulnerability scanner vendor provides technical scanning tools but lacks legal standing and knowledge of jurisdiction-specific data breach notification requirements; they cannot determine if a breach triggers mandatory reporting under laws like GDPR or CCPA.

163
Multi-Select (medium)

A security analyst is reviewing logs from a network intrusion detection system (NIDS) and sees the following alert: "ET TROJAN Possible ZeuS/Poison Ivy Activity". The analyst wants to verify if the traffic is malicious. Which TWO of the following actions should the analyst take? (Select two.)

Select 2 answers
A. Disable the NIDS signature to prevent false positives.
B. Perform a packet capture of the session for further analysis.
C. Check the source IP against threat intelligence feeds.
D. Restart the NIDS service.
E. Correlate the alert with other logs (e.g., firewall, proxy).
Answers: C, E

Helps confirm if the source is known malicious.

Why this answer

Option C is correct because checking the source IP against threat intelligence feeds (e.g., AlienVault OTX, VirusTotal, or commercial feeds) allows the analyst to determine if the IP is known for hosting ZeuS/Poison Ivy command-and-control (C2) infrastructure. This action directly validates whether the alert corresponds to a known malicious entity, reducing reliance on signature-based detection alone. Option E is correct because correlating the alert with firewall, proxy and endpoint logs shows whether the flagged session was actually permitted, what the internal host did before and after it, and whether other hosts reached the same destination, which separates a true positive from a noisy signature firing on benign traffic.

Exam trap

CompTIA often tests the distinction between reactive analysis (packet capture) and proactive verification (threat intelligence correlation), trapping candidates who think packet capture is the first step instead of a follow-up action.

164
MCQ (easy)

A SOC analyst receives an alert about a potential data exfiltration via DNS tunneling. Which of the following tools would best help the analyst investigate the alert?

A. Endpoint Detection and Response (EDR)
B. Antivirus logs
C. NetFlow
D. PCAP capture
Answer: D

Full packet capture allows examination of DNS payloads to detect tunneling.

Why this answer

PCAP capture (D) is the correct tool because DNS tunneling involves encoding data within DNS queries and responses, which can only be fully analyzed by inspecting the raw packet payloads. PCAP files allow the analyst to examine the actual DNS packet contents, including query names, response records, and timing patterns, which are essential for detecting anomalous DNS traffic indicative of tunneling.

Exam trap

CompTIA often tests the distinction between metadata-only tools (NetFlow) and full-packet capture (PCAP), expecting candidates to recognize that only PCAP provides the granularity needed for protocol-specific abuse like DNS tunneling.

How to eliminate wrong answers

Option A is wrong because EDR focuses on endpoint-level events (processes, file changes, registry modifications) and cannot directly inspect network-level DNS packet payloads for tunneling patterns. Option B is wrong because antivirus logs primarily detect known malware signatures and file-based threats, not network protocol anomalies like DNS tunneling. Option C is wrong because NetFlow provides metadata (source/destination IPs, ports, byte counts) but lacks the packet-level detail needed to see the actual data being tunneled within DNS queries.
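What "inspecting the DNS payload" means in practice, as an added example that is not from the question bank: decode the question section of a DNS query from its wire bytes (the part of a PCAP that NetFlow never sees) and score queries per zone on the features a tunnel leaves behind, long high-entropy labels, a subdomain that is never repeated, and record types such as TXT or NULL. The packets are built here from constructed names; the reserved "c2.example" zone stands in for an attacker-controlled domain and "example.com" for normal traffic, and the detection thresholds are this example's assumptions.

```python
"""Added example (not from the question bank): parse DNS query payloads from
wire-format bytes and score them for tunnelling indicators.

The packets are built here from constructed names; "c2.example" (reserved TLD)
stands in for an attacker-controlled zone and "example.com" for normal traffic.
Thresholds in looks_like_tunnel are assumptions to be tuned per environment.
"""
import base64
import hashlib
import math
import struct
from collections import defaultdict

QTYPE_A, QTYPE_NULL, QTYPE_TXT, QTYPE_AAAA = 1, 10, 16, 28


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Encode a minimal DNS query: 12-byte header + one question (RFC 1035 s4.1)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_query(pkt):
    """Decode header and question: the fields a PCAP lets you inspect directly."""
    txid, flags, qdcount = struct.unpack(">HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack(">HH", pkt[off:off + 4])
    return {"txid": txid, "flags": flags, "labels": labels,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def shannon_entropy(s):
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def tunnel_stats(packets, base_labels=2):
    """Per registered zone: query count, how often the subdomain repeats, its
    average length, the longest label, mean entropy, and share of TXT/NULL."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "sub_len": 0,
                               "max_label": 0, "entropy": 0.0, "rare": 0})
    for pkt in packets:
        q = parse_query(pkt)
        base = ".".join(q["labels"][-base_labels:])
        sub = ".".join(q["labels"][:-base_labels])
        a = acc[base]
        a["queries"] += 1
        a["subs"].add(sub)
        a["sub_len"] += len(sub)
        a["max_label"] = max(a["max_label"], max(len(l) for l in q["labels"]))
        a["entropy"] += shannon_entropy(sub)
        a["rare"] += q["qtype"] in (QTYPE_TXT, QTYPE_NULL)
    out = {}
    for base, a in acc.items():
        n = a["queries"]
        out[base] = {"queries": n, "unique_ratio": round(len(a["subs"]) / n, 2),
                     "avg_sub_len": round(a["sub_len"] / n, 1),
                     "max_label_len": a["max_label"],
                     "avg_entropy": round(a["entropy"] / n, 2),
                     "rare_qtype_ratio": round(a["rare"] / n, 2)}
    return out


def looks_like_tunnel(s, min_queries=5, min_unique=0.9, min_len=30, min_entropy=3.8):
    return (s["queries"] >= min_queries and s["unique_ratio"] >= min_unique
            and s["avg_sub_len"] >= min_len and s["avg_entropy"] >= min_entropy)


def _chunk(i):
    """One constructed data chunk, base32 so it is a legal DNS label."""
    raw = hashlib.sha256(f"constructed-chunk-{i}".encode()).digest()
    return base64.b32encode(raw).decode().rstrip("=").lower()


SAMPLE_PACKETS = [build_query(f"{_chunk(i)}.c2.example", QTYPE_TXT, txid=i)
                  for i in range(8)] + [
    build_query(n, t) for n, t in [
        ("www.example.com", QTYPE_A), ("mail.example.com", QTYPE_A),
        ("cdn.example.com", QTYPE_AAAA), ("api.example.com", QTYPE_A),
        ("www.example.com", QTYPE_AAAA), ("imap.example.com", QTYPE_A)]]


if __name__ == "__main__":
    for base, s in tunnel_stats(SAMPLE_PACKETS).items():
        print(base, s, "TUNNEL?" if looks_like_tunnel(s) else "")
```

The parser refuses compression pointers in the question name, which a legitimate resolver never sends there; on real captures that check catches malformed or deliberately odd packets early. The zone under "c2.example" shows 52-character labels, no repeated subdomain and only TXT queries, while "example.com" repeats short low-entropy names, which is the contrast the flow record alone cannot show.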

165
MCQ (hard)

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Kerberoasting reconnaissance or ticket harvesting
B. ARP spoofing
C. Pass-the-hash using NTLM only
D. DNS cache poisoning
Answer: A

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

The alert describes a workstation requesting a high number of Kerberos service tickets for many SPNs without subsequent service access. This is characteristic of Kerberoasting, where an attacker holding any valid domain credential asks the KDC for TGS tickets for accounts that have SPNs registered. Each ticket is encrypted with the service account's key, and when the request negotiates RC4-HMAC (encryption type 0x17) that key is derived from the account's NT hash, so the ticket can be cracked offline to recover the service account password. The lack of actual service access confirms the tickets are being harvested, not used for legitimate authentication.

Exam trap

CompTIA often tests the distinction between Kerberoasting (Kerberos-based hash harvesting) and pass-the-hash (NTLM hash reuse), leading candidates to confuse the two when the scenario involves Kerberos ticket requests without service access.

How to eliminate wrong answers

Option B is wrong because ARP spoofing is a link-layer attack that manipulates MAC-to-IP mappings to intercept traffic, not a method for requesting Kerberos service tickets or harvesting SPN hashes. Option C is wrong because pass-the-hash using NTLM only involves replaying an NTLM hash to authenticate without knowing the plaintext password, but it does not explain the high volume of Kerberos TGS requests for multiple SPNs, which is specific to Kerberoasting.
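The detection behind the alert in this question, as an added example that is not from the question bank: group Windows Security event 4769 (a service ticket was requested) by requesting account, count distinct SPN accounts inside a short window while ignoring computer accounts and krbtgt, note how many tickets were RC4, and then check whether a network logon (event 4624, logon type 3) from the same client followed. The events are constructed; the field names mirror the 4769/4624 event data items but every account, host and address is fictitious.

```python
"""Added example (not from the question bank): flag Kerberoasting-style ticket
harvesting from Windows Security event 4769 and check whether any service use
followed (event 4624, network logon) from the same client.

All events are constructed. The field names follow the 4769/4624 event data
items (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status,
LogonType); accounts, hosts and addresses are fictitious.
"""
from collections import defaultdict

RC4_HMAC, AES256_CTS = 0x17, 0x12
BASE = 1_700_000_000  # epoch seconds


def _tgs(ts, user, service, ip, enc=RC4_HMAC, status=0x0):
    return {"event_id": 4769, "ts": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": enc, "IpAddress": ip, "Status": status}


SERVICE_ACCOUNTS = ["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_report",
                    "svc_exchange", "svc_print", "svc_jenkins", "svc_vmware",
                    "svc_ldapsync", "svc_monitor", "svc_erp"]

SECURITY_EVENTS = (
    # jdoe, from one workstation, pulls RC4 tickets for 12 SPN accounts in ~35 s
    [_tgs(BASE + 3 * i, "jdoe", s, "10.10.5.23") for i, s in enumerate(SERVICE_ACCOUNTS)]
    # normal noise: computer-account and krbtgt tickets, AES by default
    + [_tgs(BASE + 100, "WS-042$", "krbtgt", "10.10.5.42", AES256_CTS),
       _tgs(BASE + 110, "asmith", "FS-01$", "10.10.6.8", AES256_CTS),
       # asmith really uses SQL: one AES ticket, then a network logon on SQL-01
       _tgs(BASE + 200, "asmith", "svc_sql", "10.10.6.8", AES256_CTS)]
)

LOGON_EVENTS = [
    {"event_id": 4624, "ts": BASE + 201, "host": "SQL-01", "TargetUserName": "asmith",
     "IpAddress": "10.10.6.8", "LogonType": 3},
]


def kerberoast_candidates(events, window_s=300, min_spns=5):
    """Accounts requesting tickets for >= min_spns distinct SPN accounts inside
    window_s. Computer accounts ($) and krbtgt are excluded as normal traffic."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] != 4769 or e["Status"] != 0:
            continue
        if e["ServiceName"] == "krbtgt" or e["ServiceName"].endswith("$"):
            continue
        by_user[e["TargetUserName"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window_s]
            spns = {e["ServiceName"] for e in win}
            if len(spns) >= min_spns:
                hits.append({"user": user, "ip": start["IpAddress"],
                             "window": (start["ts"], win[-1]["ts"]),
                             "distinct_spns": len(spns),
                             "rc4_tickets": sum(e["TicketEncryptionType"] == RC4_HMAC
                                                for e in win)})
                break  # one report per account is enough for triage
    return hits


def followed_by_service_logon(logons, user, ip, start, end, grace_s=600):
    """True if the same user logged on over the network from the same client
    shortly after the ticket requests; pure harvesting leaves nothing here."""
    return any(l["event_id"] == 4624 and l["LogonType"] == 3
               and l["TargetUserName"] == user and l["IpAddress"] == ip
               and start <= l["ts"] <= end + grace_s for l in logons)


def triage(events, logons):
    out = []
    for h in kerberoast_candidates(events):
        s, e = h["window"]
        h["service_access_seen"] = followed_by_service_logon(logons, h["user"], h["ip"], s, e)
        out.append(h)
    return out


if __name__ == "__main__":
    for h in triage(SECURITY_EVENTS, LOGON_EVENTS):
        print(h)
```

Two signals matter beyond volume: every one of jdoe's tickets was RC4 in a domain where the computer accounts negotiate AES, which is the downgrade cracking tools request, and no logon to any service host followed. Tuning the window and the SPN floor is what keeps monitoring agents and admins who genuinely touch many services out of the result set.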

166
MCQ (easy)

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is executive leadership, which content choice is most appropriate?

A. Timeline, service impact, evidence, required corrective actions, and contractual follow-up
B. Internal blame speculation
C. A public press statement draft first
D. Confidential unrelated customer data
Answer: A

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option A is correct because executive leadership requires a concise, actionable summary that focuses on business impact and remediation steps, not technical details. The communication must include the timeline of the outage, service impact (e.g., affected systems, downtime duration), evidence (e.g., logs, monitoring data), required corrective actions from the vendor, and contractual follow-up (e.g., SLA breach, penalties). This aligns with the NIST Incident Response framework's post-incident activity phase, where clear accountability and remediation are critical for vendor management.

Exam trap

CompTIA often tests the distinction between internal operational communication (for technical teams) and executive-level reporting, where candidates mistakenly include technical jargon or blame instead of focusing on business impact and contractual accountability.

How to eliminate wrong answers

Option B is wrong because internal blame speculation is unprofessional, lacks factual basis, and violates incident response best practices (e.g., NIST SP 800-61), which emphasize objective analysis over finger-pointing. Option C is wrong because a public press statement draft is premature and inappropriate for internal communication to executive leadership; it should be developed later with legal and PR teams, not as the primary content for vendor-focused communication.

167
MCQ (easy)

After a high-priority SOC escalation, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible, and which response best matches incident-response practice?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority in incident response is to contain the breach by disabling or rotating the compromised cloud access key, which prevents further unauthorized use. Reviewing actions performed with the key is essential to assess the scope of the incident, such as data exfiltration or resource manipulation, aligning with the NIST SP 800-61 containment, eradication, and recovery phases. This approach follows the SANS PICERL model, where containment (disabling the key) precedes eradication and recovery.

Exam trap

CompTIA often tests the misconception that physical or network-level controls (like blocking Wi-Fi) are sufficient for cloud credential exposure, when in fact the correct first step is to invalidate the credential itself through rotation or disabling.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase violates the fundamental incident response principle of immediate containment; it allows the attacker continued access, potentially leading to greater data loss or resource abuse, and delays critical forensic analysis. Option C is wrong because blocking the developer's laptop from Wi-Fi does not address the root cause—the compromised cloud access key—and may hinder legitimate incident response activities; the key remains active and usable from any IP, including the attacker's, making this action ineffective for containment.
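The second half of Option B, "review actions performed with it", as an added example that is not from the question bank. Given CloudTrail-style records, it isolates the leaked key's activity, splits it by source address into known and unfamiliar, separates read-only calls from changes, and pulls out the IAM actions that give the attacker a foothold that survives rotating this one key. The key IDs are the placeholders AWS uses in its documentation, the addresses come from documentation ranges, the known-egress set and exposure time are assumptions, and every event is invented for illustration.

```python
"""Added example (not from the question bank): scope what an exposed cloud
access key was used for, from constructed CloudTrail-style records.

The key IDs are the placeholders used in AWS documentation, the addresses are
from documentation ranges, and the events are invented for illustration. The
field names follow CloudTrail's (eventTime, eventName, eventSource,
sourceIPAddress, userIdentity.accessKeyId, errorCode, requestParameters).
"""
from collections import defaultdict
from datetime import datetime

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"
KNOWN_EGRESS_IPS = {"198.51.100.7"}          # assumed office / CI NAT address
EXPOSURE_TIME = "2024-05-01T09:15:00Z"       # when the commit hit the public repo

# Actions that give the attacker a second way in even after this key is rotated
PERSISTENCE_ACTIONS = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                       "AttachUserPolicy", "PutUserPolicy", "CreateRole",
                       "UpdateAssumeRolePolicy"}


def _ev(t, name, source, ip, key=LEAKED_KEY, err=None, params=None):
    return {"eventTime": t, "eventName": name, "eventSource": source,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
            "errorCode": err, "requestParameters": params or {}}


CLOUDTRAIL = [
    _ev("2024-05-01T08:00:00Z", "GetObject", "s3.amazonaws.com", "198.51.100.7",
        params={"bucketName": "build-artifacts"}),
    _ev("2024-05-01T09:31:12Z", "GetCallerIdentity", "sts.amazonaws.com", "203.0.113.50"),
    _ev("2024-05-01T09:31:40Z", "ListBuckets", "s3.amazonaws.com", "203.0.113.50"),
    _ev("2024-05-01T09:33:05Z", "ListUsers", "iam.amazonaws.com", "203.0.113.50",
        err="AccessDenied"),
    _ev("2024-05-01T09:40:10Z", "CreateAccessKey", "iam.amazonaws.com", "203.0.113.50",
        params={"userName": "ci-deploy"}),
    _ev("2024-05-01T09:45:00Z", "RunInstances", "ec2.amazonaws.com", "203.0.113.50",
        params={"instanceType": "p3.16xlarge", "maxCount": 8}),
    _ev("2024-05-01T10:00:00Z", "GetObject", "s3.amazonaws.com", "198.51.100.7",
        params={"bucketName": "build-artifacts"}),
    _ev("2024-05-01T10:05:00Z", "GetObject", "s3.amazonaws.com", "198.51.100.9",
        key="AKIAI44QH8DHBEXAMPLE"),   # a different key: out of scope here
]


def _t(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def is_read_only(event_name):
    return event_name.startswith(("Get", "List", "Describe", "Head"))


def scope_key_usage(events, key_id, exposure_time, known_ips):
    """Group the key's activity by source IP, separate reads from changes, and
    pull out persistence-type actions that need their own revocation."""
    by_ip = defaultdict(lambda: {"first": None, "last": None, "events": 0,
                                 "denied": 0, "mutating": [], "known": False})
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e["userIdentity"]["accessKeyId"] != key_id:
            continue
        ip = e["sourceIPAddress"]
        r = by_ip[ip]
        r["known"] = ip in known_ips
        r["first"] = r["first"] or e["eventTime"]
        r["last"] = e["eventTime"]
        r["events"] += 1
        if e["errorCode"]:
            r["denied"] += 1           # AccessDenied churn usually means enumeration
        elif not is_read_only(e["eventName"]):
            r["mutating"].append(f"{e['eventSource'].split('.')[0]}:{e['eventName']}")
    unfamiliar = {ip: r for ip, r in by_ip.items() if not r["known"]}
    persistence = sorted({a for r in unfamiliar.values() for a in r["mutating"]
                          if a.split(":")[1] in PERSISTENCE_ACTIONS})
    first_bad = min((r["first"] for r in unfamiliar.values()), default=None)
    dwell = (round((_t(first_bad) - _t(exposure_time)).total_seconds() / 60, 1)
             if first_bad else None)
    return {"by_ip": dict(by_ip), "unfamiliar_ips": sorted(unfamiliar),
            "persistence_actions": persistence, "first_unfamiliar_use": first_bad,
            "minutes_from_exposure_to_abuse": dwell}


if __name__ == "__main__":
    import json
    print(json.dumps(scope_key_usage(CLOUDTRAIL, LEAKED_KEY, EXPOSURE_TIME,
                                     KNOWN_EGRESS_IPS), indent=2))
```

The first action is still outside this script: deactivate the key (for AWS, `aws iam update-access-key --access-key-id <id> --status Inactive`, then delete it once the legitimate pipeline has a replacement). The review then shows why Option D is not enough: the key was abused sixteen minutes after the push, and the CreateAccessKey call means a second credential now exists that deleting the commit, or even rotating the leaked key, does nothing about.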

168
Multi-Select (hard)

An application has a high CVSS vulnerability, but a WAF rule blocks known exploit payloads. What should the team still do? (Choose two.)

Select 2 answers
A. Validate the WAF rule against bypass and false-positive risk
B. Remove the application from vulnerability scans
C. Mark the vulnerability as permanently remediated
D. Track the vulnerability until the underlying flaw is fixed
Answers: A, D

Compensating controls need effectiveness testing.

Why this answer

A WAF rule blocking known exploit payloads does not guarantee complete protection, as attackers can craft bypass techniques such as encoding, parameter pollution, or using different HTTP methods. Validating the rule against bypass and false-positive risks (Option A) ensures the WAF is effective without disrupting legitimate traffic, which is critical for maintaining both security and availability. Tracking the vulnerability until the flaw is fixed (Option D) is required because a WAF rule is a compensating control, not a remediation: the vulnerable code remains in place, and any bypass, rule change, or request path that does not traverse the WAF exposes it again, so the finding stays open with the compensating control recorded against it.

Exam trap

CompTIA often tests the misconception that a compensating control like a WAF rule is equivalent to a permanent fix, leading candidates to incorrectly mark the vulnerability as remediated without addressing the root cause in the application code.

169
MCQ (hard)

While supporting a hybrid workforce, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible, and which evidence should guide it?

A. Volatile memory and active network/process state
B. Marketing screenshots
C. Archived monthly reports
D. The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Volatile memory (RAM) and active network/process state must be captured first because fileless malware executes from memory and may leave few or no artifacts on disk (where it persists at all, it is typically through the registry, WMI subscriptions, or scheduled tasks rather than a dropped binary). If the system is powered off, the in-memory evidence of execution (injected code, network connections, running processes, decrypted payloads) is gone. This follows the order of volatility (RFC 3227), which prioritizes capturing the most ephemeral data before any other forensic step.

Exam trap

CompTIA often tests the order of volatility (RFC 3227) by listing plausible-sounding but non-volatile or irrelevant sources alongside live memory, tempting candidates to skip the RAM capture that matters most when dealing with memory-resident threats.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic analysis and provide no technical evidence of fileless malware activity. Option C is wrong because archived monthly reports are historical, non-volatile data that do not capture the current in-memory state of the system; they cannot reveal active processes, network connections, or injected code that define fileless malware.

170
Multi-Selecthard

A vulnerability appears critical but the vulnerable feature is disabled. What should the analyst document before downgrading? (Choose two.)

Select 2 answers
A.Approval and rationale for the severity change
B.Deletion of the original scanner finding
C.The analyst's personal preference for fewer tickets
D.Evidence that the affected feature or code path is not reachable
AnswersA, D

Governed downgrades need documented justification.

Why this answer

Option A is correct because when a vulnerability is critical but the vulnerable feature is disabled, the analyst must document the approval and rationale for the severity change to maintain an accurate risk register and audit trail. This ensures that the decision to downgrade is justified, traceable, and compliant with organizational change management policies, preventing arbitrary adjustments that could obscure true risk posture.

Exam trap

CompTIA often tests the misconception that deleting or ignoring a scanner finding is acceptable when a vulnerability is not exploitable, but the correct approach is to document the rationale and obtain approval for a severity downgrade while preserving the finding for audit and compliance purposes.

171
MCQhard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is SOC manager, which content choice is most appropriate?

A.No action because the incident is closed
B.Named owner, due date, acceptance criteria, and retest plan
C.A vague recommendation to improve security
D.Deletion of the integration record
AnswerB

Corrective actions should be accountable and verifiable. The report should be tuned to SOC manager while preserving factual accuracy.

Why this answer

Option B is correct because a failed alert integration represents a gap in detection capability that must be formally remediated. Assigning a named owner ensures accountability, a due date enforces timely resolution, acceptance criteria define what constitutes success, and a retest plan verifies that the fix works. Without these elements, the same failure could recur, leaving the SOC blind to future incidents.

Exam trap

CompTIA often tests the misconception that closing an incident means the problem is solved, when in fact post-incident corrective actions must address root causes with measurable, accountable steps to prevent recurrence.

How to eliminate wrong answers

Option A is wrong because closing the incident does not resolve the underlying technical failure; the integration will remain broken, creating a persistent blind spot in monitoring. Option C is wrong because a vague recommendation lacks the specificity needed to implement a fix—no owner, no deadline, and no measurable success criteria means the issue will likely be ignored or forgotten. Option D is wrong because deleting the integration record removes the alert channel entirely, which could violate compliance requirements (e.g., PCI DSS logging mandates) and eliminates any chance of restoring the integration.

172
MCQhard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Wait one year before testing
B.Close it immediately based on the email
C.Create a duplicate ticket for every asset
D.A retest showing the vulnerable condition is no longer present
AnswerD

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

Option D is correct because the vulnerability manager must obtain objective evidence that the vulnerability has been remediated. A retest, either automated or manual, confirms that the specific vulnerable condition (e.g., a missing patch, misconfiguration, or outdated library) is no longer present on the asset. This aligns with the NIST SP 800-115 and PCI DSS 11.3.2 requirement for verification of remediation before closure.

Exam trap

CompTIA often tests the misconception that a verbal or written claim of a patch is sufficient, but the correct answer always requires technical verification via a retest or rescan.

How to eliminate wrong answers

Option A is wrong because waiting one year before testing violates the principle of timely remediation verification; vulnerabilities must be confirmed fixed promptly to prevent exploitation windows. Option B is wrong because closing based solely on an email lacks technical evidence; the vulnerability manager must verify the fix via a scan or manual check, as email can be spoofed or the patch may not have been applied correctly. Option C is wrong because creating a duplicate ticket for every asset does not verify the fix; it only duplicates administrative overhead and does not confirm the vulnerability is resolved on any asset.

173
MCQhard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include? If the primary audience is legal/privacy stakeholder, which content choice is most appropriate?

A.A vague recommendation to improve security
B.Deletion of the integration record
C.Named owner, due date, acceptance criteria, and retest plan
D.No action because the incident is closed
AnswerC

Corrective actions should be accountable and verifiable. The report should be tuned to legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option C is correct because a post-incident report identifying an unowned failed alert integration requires a corrective action that assigns clear accountability and a measurable remediation plan. Naming an owner, setting a due date, defining acceptance criteria, and scheduling a retest ensure the integration is properly configured and monitored, directly addressing the root cause of the alert failure. This aligns with the NIST Incident Response Lifecycle's post-incident activity phase, which mandates actionable follow-up items to prevent recurrence.

Exam trap

CompTIA often tests the concept that corrective actions must be specific, assignable, and verifiable (SMART criteria), and the trap here is that candidates may choose a vague or destructive option (like deletion) instead of recognizing the need for accountable ownership and a measurable fix.

How to eliminate wrong answers

Option A is wrong because a vague recommendation to improve security lacks specificity and does not assign ownership or a measurable plan, making it impossible to verify that the alert integration failure is actually resolved. Option B is wrong because deleting the integration record would remove evidence needed for forensic analysis and compliance, and it does not fix the underlying ownership and configuration issues that caused the alert to fail.

174
MCQhard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action include?

A.No action because the incident is closed
B.A vague recommendation to improve security
C.Deletion of the integration record
D.Named owner, due date, acceptance criteria, and retest plan
AnswerD

Corrective actions should be accountable and verifiable.

Why this answer

Option D is correct because a post-incident finding of an unowned alert integration indicates a process gap that must be closed with a named owner, a due date, acceptance criteria, and a retest plan. This ensures accountability, a measurable fix, and verification that the integration is properly configured and monitored, preventing future failures.

Exam trap

CompTIA often tests the principle that corrective actions must be specific, measurable, and accountable, so the trap is choosing a vague or dismissive option (like 'no action' or 'vague recommendation') instead of the one that enforces ownership and verification.

How to eliminate wrong answers

Option A is wrong because closing the incident does not resolve the root cause; without corrective action, the failed integration will recur. Option B is wrong because a vague recommendation lacks the specificity needed to assign ownership, set a deadline, or define success criteria, making it unenforceable and unverifiable. Option C is wrong because deleting the integration record removes evidence of the failure and does not address the underlying lack of ownership or configuration issue.

175
MCQhard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is technical remediation owner, which content choice is most appropriate?

A.Risk owner, reason, compensating controls, review date, and expiry
B.No mention of the accepted risk
C.A permanent exception with no review
D.Only the analyst's personal opinion
AnswerA

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to technical remediation owner while preserving factual accuracy.

Why this answer

Option A is correct because when a business owner accepts delayed remediation for a production system, the risk acceptance must be formally documented to maintain an accurate risk register and audit trail. The report must include the risk owner (who accepted the risk), the reason for the delay, any compensating controls in place to mitigate the risk during the delay, a review date to reassess the risk, and an expiry date to ensure the acceptance does not become permanent. This aligns with risk management frameworks like NIST SP 800-37 and ISO 27005, which require explicit documentation of risk acceptance decisions.

Exam trap

CompTIA often tests the misconception that risk acceptance can be undocumented or permanent, but the exam requires candidates to recognize that formal documentation with a review date and expiry is mandatory for auditability and compliance with frameworks like PCI DSS or FedRAMP.

How to eliminate wrong answers

Option B is wrong because omitting the accepted risk from the report violates the principle of transparency in risk management; the report must include the risk to ensure all stakeholders are aware of the deferred remediation and its potential impact. Option C is wrong because a permanent exception with no review contradicts the requirement for periodic reassessment; risk acceptance must have a defined expiry and review date to prevent indefinite exposure to unmitigated vulnerabilities.

176
MCQhard

During a post-incident review, the team finds that the detection was delayed by 4 hours because the SIEM rule had a low priority and was not monitored after hours. Which improvement is most effective?

A.Increase the priority of the rule
B.Add automated response actions to the rule
C.Include the rule in a watchlist
D.Implement 24/7 SOC operations
AnswerD

24/7 SOC operations ensure that alerts are monitored around the clock.

Why this answer

Option D is correct because implementing 24/7 SOC coverage directly addresses the lack of after-hours monitoring. The other options change how the rule is prioritized or handled, but none of them resolves the root cause: nobody was watching the alerts outside business hours.

177
MCQeasy

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is legal/privacy stakeholder, which content choice is most appropriate?

A.Number of unused dashboards
B.Total coffee consumed by analysts
C.Number of desktop wallpapers changed
D.Mean time to detect, mean time to respond, containment time, and recurrence rate
AnswerD

These KPIs show detection and response effectiveness over time. The report should be tuned to legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option D is correct because Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), containment time, and recurrence rate are standard, quantifiable metrics that directly measure the efficiency and effectiveness of an incident response program. These metrics allow the CISO to track improvements quarter over quarter by showing whether the team is detecting and containing incidents faster and with fewer repeat events. For a legal/privacy audience, these metrics are also critical because they demonstrate due diligence, regulatory compliance, and risk reduction in measurable terms.

Exam trap

CompTIA often tests the distinction between operational metrics (like MTTD/MTTR) and irrelevant or distracting metrics (like coffee consumption or wallpaper changes) to see if candidates understand which KPIs are meaningful for incident response improvement and stakeholder reporting.

How to eliminate wrong answers

Option A is wrong because the number of unused dashboards is a metric related to SIEM or monitoring tool utilization, not incident response performance; it does not measure detection speed, response time, or containment effectiveness. Option B is wrong because total coffee consumed by analysts is a non-technical, irrelevant metric that has no bearing on incident response outcomes or legal/privacy reporting requirements. Option C is wrong because the number of desktop wallpapers changed is a trivial endpoint configuration change, completely unrelated to incident response metrics such as detection, response, containment, or recurrence.

178
MCQmedium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is legal/privacy stakeholder, which content choice is most appropriate?

A.Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
B.Only the CVE headline
C.Only a red/yellow/green chart
D.Only estimated financial loss
AnswerA

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option A is correct because a technical remediation section for an OpenSSL vulnerability must include affected assets (specific Linux hosts and package versions), the exact patch commands or vendor guidance (e.g., 'yum update openssl' or 'apt-get upgrade openssl'), a validation method (e.g., 'openssl version -a' or running a vulnerability scanner), and rollback notes (e.g., 'yum history undo' or snapshot restoration). For a legal/privacy stakeholder audience, the most appropriate content choice is a red/yellow/green chart (Option C) that summarizes risk posture without overwhelming technical detail, but the question asks for the technical remediation section content, not the stakeholder-appropriate summary.

Exam trap

CompTIA often tests the distinction between 'what should be in a technical remediation section' versus 'what is appropriate for a specific audience'; the trap here is that candidates see 'legal/privacy stakeholder' and assume the answer must be a simplified chart, but the question explicitly asks for the technical remediation section content, not the stakeholder-facing summary.

How to eliminate wrong answers

Option B is wrong because including only the CVE headline (e.g., 'CVE-2022-3786') provides no actionable steps for the server team to remediate the vulnerability; it lacks package versions, patch commands, validation, or rollback procedures. Option C is wrong because a red/yellow/green chart is a high-level risk communication tool for non-technical stakeholders, not a technical remediation section; it omits the specific commands, affected assets, and validation steps needed by the server team to fix the OpenSSL flaw.

179
MCQeasy

A security analyst detects unusual outbound traffic from a workstation. Which immediate action should the analyst take?

A.Run a full antivirus scan
B.Create a memory dump
C.Disconnect the network cable
D.Reimage the system
AnswerC

Immediate containment prevents further data loss.

Why this answer

Option C is correct because disconnecting the network cable immediately isolates the workstation from the network, containing potential data exfiltration or lateral movement. This is the first step in incident response containment, as it stops the suspicious outbound traffic without destroying volatile evidence like running processes or network connections.

Exam trap

CompTIA often tests the distinction between containment, eradication, and recovery phases; the trap here is that candidates confuse immediate containment (disconnect) with forensic collection (memory dump) or remediation (reimage), leading them to choose a later-phase action instead of the first response step.

How to eliminate wrong answers

Option A is wrong because running a full antivirus scan takes time and may alert the attacker or trigger destructive actions before containment; it also does not stop ongoing outbound traffic. Option B is wrong because creating a memory dump is a forensic step that should occur after containment, not as an immediate action, and it does not halt the suspicious traffic. Option D is wrong because reimaging the system destroys all evidence and prevents forensic analysis of the incident; it is a recovery step, not an immediate containment action.

180
MCQmedium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For control selection, which control best addresses the stated weakness without hiding risk?

A.Wait for the next quarterly review
B.Delete all audit logs to reduce liability
C.Restrict public access and determine whether sensitive data was accessed
D.Rotate database administrator passwords only
AnswerC

The priority is exposure containment and impact assessment.

Why this answer

Option C is correct because the immediate priority is to eliminate the public read access vulnerability to prevent further unauthorized data exposure. After restricting access, the team must determine whether sensitive data was accessed by reviewing access logs (e.g., AWS CloudTrail or GCP Audit Logs) to assess the scope of potential breach, which is a standard incident response step. This approach directly mitigates the weakness without concealing risk, aligning with vulnerability management best practices.

Exam trap

CompTIA often tests the misconception that deleting audit logs reduces liability, but in reality, it destroys evidence and violates compliance requirements, making Option B a tempting but dangerous distractor.

How to eliminate wrong answers

Option A is wrong because waiting for the next quarterly review leaves a publicly accessible storage bucket containing customer exports exposed, violating data protection requirements and increasing the risk of a data breach. Option B is wrong because deleting audit logs to reduce liability destroys forensic evidence needed to determine if sensitive data was accessed, which is a violation of legal hold and compliance obligations (e.g., GDPR, HIPAA) and constitutes spoliation of evidence.

181
MCQhard

A security analyst is investigating a potential data breach and needs to collect evidence from a compromised Windows server. The server is still running, and the analyst wants to capture memory, network connections, and process list without writing unnecessary data to disk. Which of the following sequences of commands (tools) should the analyst use to adhere to order of volatility?

A.tasklist, netstat -an, then memory dump
B.memory dump, disk image, then network connections
C.memory dump, netstat -an, then tasklist
D.netstat -an, tasklist, then memory dump
AnswerC

Memory is most volatile, followed by network connections, then process list.

Why this answer

Option C is correct because it follows the order of volatility (OOV) principle, which dictates that the most volatile data (memory) should be captured first, followed by network connections (netstat -an), and then the process list (tasklist). Memory is lost when the system is powered off, so it must be collected before any other evidence. Network connections and process lists are less volatile but still transient, and capturing them after memory ensures minimal data loss while avoiding unnecessary writes to disk that could overwrite evidence.

Exam trap

CompTIA often tests the misconception that network connections or process lists are more volatile than memory, leading candidates to choose options that capture them first, but memory is the most volatile because it is lost on power loss and contains critical runtime artifacts like decrypted data and active malware code.

How to eliminate wrong answers

Option A is wrong because it starts with tasklist and netstat -an before memory dump, violating the order of volatility by capturing less volatile data first while the most volatile evidence (memory) is left until last, risking loss if the system crashes or is shut down. Option B is wrong because it includes disk image, which is non-volatile and should be collected after volatile data; placing it before network connections and after memory dump ignores the OOV hierarchy and wastes time on persistent storage while transient data decays. Option D is wrong because it captures netstat -an and tasklist before memory dump, again violating OOV by prioritizing network and process data over the most critical volatile evidence (memory), which could be lost before it is collected.

182
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A.Database transaction log backups
B.Software composition analysis in the CI/CD pipeline
C.Physical badge access reviews
D.Wireless spectrum analysis
AnswerB

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it automatically scans the application's dependencies against known vulnerability databases (e.g., NVD, OSS Index) to identify vulnerable open-source libraries. Integrating SCA into the CI/CD pipeline ensures vulnerabilities are caught before deployment, aligning with the 'shift left' security principle. This is the only option that directly addresses the need to find vulnerable open-source libraries at the build stage.

Exam trap

CompTIA often tests the distinction between vulnerability scanning (SCA) and unrelated operational controls (backups, physical security) to see if candidates understand that each control serves a specific domain within vulnerability management.

How to eliminate wrong answers

Option A is wrong because database transaction log backups are a data recovery and integrity control, not a mechanism for identifying vulnerable open-source libraries; they do not analyze dependencies or check for known CVEs. Option C is wrong because physical badge access reviews control physical access to facilities, not software supply chain security; they have no relevance to scanning open-source libraries for vulnerabilities in a CI/CD pipeline.

183
MCQeasy

The analyst sees this alert from a vulnerability scanner. What is the MOST immediate action?

A.Report the finding to management
B.Isolate web01 from the network
C.Investigate if any exploit code exists
D.Upgrade web01 to version 2.3.4
AnswerC

Determining exploitability helps prioritize response.

Why this answer

The correct answer is C because the most immediate action when a vulnerability scanner alert is received is to investigate whether any exploit code exists for the identified vulnerability. This determines the urgency and risk level: if exploit code is publicly available, the vulnerability is likely to be actively targeted, requiring rapid remediation. Without this investigation, the team cannot prioritize the response effectively, as the vulnerability may be theoretical or require complex exploitation.

Exam trap

CompTIA often tests the misconception that the first step after a vulnerability scan is to patch or isolate, but the correct immediate action is always to assess exploitability and risk before taking remediation steps.

How to eliminate wrong answers

Option A is wrong because reporting to management is a secondary step after technical validation and risk assessment; immediate reporting without investigation delays critical response. Option B is wrong because isolating web01 from the network is a drastic action that may be unnecessary if the vulnerability is not exploitable or if the service is critical; isolation should only occur after confirming active exploitation or high risk. Option D is wrong because upgrading to version 2.3.4 assumes a patch exists and is the correct fix, but the immediate priority is to understand the threat level, not to apply an unverified update that could introduce instability or incompatibility.

184
MCQmedium

A vulnerability programme wants to show whether critical findings are fixed within policy timelines. Which report is best? If the primary audience is business service owner, which content choice is most appropriate?

A.SLA compliance by severity, asset owner, and business unit
B.A report sorted only by scanner plugin ID
C.A vendor price comparison
D.A list of all closed tickets with no dates
AnswerA

SLA reporting connects remediation timeliness to accountability. The report should be tuned to business service owner while preserving factual accuracy.

Why this answer

Option A is correct because an SLA compliance report by severity, asset owner, and business unit directly maps to the requirement of showing whether critical findings are fixed within policy timelines. This report allows the vulnerability program to track remediation against defined service-level agreements (SLAs), and the breakdown by business unit and asset owner provides the business service owner with actionable, ownership-specific data to drive accountability and resource allocation.

Exam trap

CompTIA often tests the distinction between technical raw data (e.g., plugin ID sort) and business-oriented, decision-support reports (e.g., SLA compliance by business unit) to see if candidates understand that reporting must be tailored to the audience's role and responsibility.

How to eliminate wrong answers

Option B is wrong because a report sorted only by scanner plugin ID is purely technical and lacks any context of severity, asset ownership, or business unit; it cannot demonstrate compliance with policy timelines or provide the business service owner with the necessary business-level view. Option C is wrong because a vendor price comparison is unrelated to vulnerability remediation timelines or SLA compliance; it addresses procurement decisions, not operational reporting on finding remediation.

185
MCQmedium

You are a security analyst for a mid-sized financial services company. At 2:30 PM, the endpoint detection and response (EDR) console alerts on three workstations in the accounting department, indicating that files are being encrypted with a '.encrypt' extension and a ransom note named 'READ_ME_NOW.html' has been dropped. The workstations are connected to a file server that hosts shared financial records and a domain controller that handles authentication. The file server and domain controller have not shown signs of compromise yet. Your incident response plan states that containment must begin within 15 minutes of detection. Based on your analysis of the EDR telemetry, the encryption process appears to be spreading via SMB connections from the first infected workstation. Which of the following is the BEST immediate containment action to prevent further spread while preserving evidence?

A.Immediately isolate the three workstations by disconnecting their network cables at the patch panel or disabling their switch ports.
B.Shut down the file server and domain controller to protect critical systems from potential encryption.
C.Power off the three infected workstations immediately to contain the encryption process.
D.Apply the latest SMB vulnerability patch to the file server and domain controller to block the propagation vector.
AnswerA

Isolating at the network level stops lateral movement and preserves the system state for evidence collection.

Why this answer

Option A is correct because immediately isolating the three infected workstations at the network level (disconnecting cables or disabling switch ports) stops the SMB-based encryption propagation without destroying volatile forensic data. This containment action preserves the running processes, memory, and disk state for later analysis, which would be lost if the systems were powered off. The 15-minute containment window makes network isolation the fastest and most effective method to halt lateral movement while maintaining evidence integrity.

Exam trap

CompTIA often tests the distinction between containment (stopping the spread) and eradication (removing the threat), and the trap here is that candidates confuse immediate containment with remediation actions like patching or shutting down systems, which either take too long or destroy evidence.

How to eliminate wrong answers

Option B is wrong because shutting down the file server and domain controller would disrupt business operations for all users, not just the infected workstations, and would not stop the encryption already running on the three workstations; it also destroys volatile evidence on those critical servers. Option C is wrong because powering off the infected workstations destroys volatile evidence (memory, active network connections, running processes) that is crucial for forensic analysis and attribution, and it does not prevent the encryption process from having already spread via SMB if other systems are already compromised. Option D is wrong because applying a patch is a remediation step, not an immediate containment action; it takes time to download and install, and it does not stop the active encryption and propagation that is already occurring over SMB connections from the infected workstations.

186
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Host-based file integrity monitoring only
B.Inline IPS mode with drop rules for all signatures
C.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
D.A vulnerability scanner run once per quarter
AnswerC

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Option C is correct because Suricata or Snort configured in IDS (Intrusion Detection System) mode on a monitored network tap or SPAN port passively inspects packet payloads against signatures and generates alerts without blocking traffic. This matches the requirement to detect exploit traffic and alert, not block. IDS mode uses a copy of the traffic, so it cannot drop packets, fulfilling the 'without blocking traffic' constraint.

Exam trap

CompTIA often tests the distinction between IDS and IPS modes, where candidates mistakenly choose inline IPS (Option B) thinking it provides better detection, but the question explicitly requires no blocking, making passive IDS the only correct choice.

How to eliminate wrong answers

Option A is wrong because host-based file integrity monitoring (e.g., Tripwire, AIDE) monitors file changes on a single host, not network packet payloads, so it cannot detect exploit traffic traversing the network. Option B is wrong because inline IPS mode with drop rules for all signatures actively blocks traffic, which violates the explicit requirement to 'generate alerts without blocking traffic'; IPS mode sits in the data path and can drop packets, which is the opposite of the passive detection needed.

187
MCQmedium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Use only a firewall deny rule for port 443
B. Create a CVE entry
C. Create and test a YARA rule against known-good and known-bad samples
D. Tune DHCP lease duration
Answer: C

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By creating and testing a YARA rule against known-good and known-bad samples, the analyst can reliably detect related files from the same campaign, as YARA allows for pattern matching across multiple files. This method is the most appropriate for the given task of detecting related files based on unique strings and byte patterns.

Exam trap

Cisco often tests the distinction between network-level controls (like firewall rules) and host-level detection methods (like YARA), leading candidates to mistakenly choose a network-based solution for a file-analysis task.

How to eliminate wrong answers

Option A is wrong because a firewall deny rule for port 443 only blocks traffic on that port and does not perform any file-level pattern matching or detection of related malware samples. Option B is wrong because a CVE entry is a record for a specific vulnerability, not a method for detecting related files based on strings and byte patterns; creating a CVE entry would not help in identifying or correlating malware samples.
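The "create and test against known-good and known-bad samples" step is where most YARA rules succeed or fail, so here is an added example (not part of the original question bank) that emulates it. Matching is done by plain substring search so the block runs offline without the yara library; the text produced by `to_yara()` is valid YARA syntax. Every sample, pattern name and campaign string is constructed. The point it shows: a rule on `any of them` that includes a generic Windows API string false-positives on a benign file, while `2 of them` still catches every campaign sample.

```python
"""Build a YARA-style rule from unique strings and byte patterns, then test it
against known-good and known-bad samples before deployment.

Added example (not part of the original page): matching is emulated here by
plain substring search so the block runs offline; the text returned by
Rule.to_yara() is valid YARA syntax, but nothing here calls the yara library.
All samples are constructed byte strings, not real malware.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pattern:
    name: str          # YARA identifier such as $s1 or $h1
    value: bytes       # raw bytes to look for
    is_hex: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    patterns: tuple
    min_matches: int   # the N in "N of them"

    def to_yara(self) -> str:
        """Render the rule in YARA syntax (strings: + condition:)."""
        lines = [f"rule {self.name}", "{", "    strings:"]
        for p in self.patterns:
            if p.is_hex:
                body = "{ " + " ".join(f"{b:02X}" for b in p.value) + " }"
            else:
                body = '"' + p.value.decode("ascii") + '"'
            lines.append(f"        {p.name} = {body}")
        if self.min_matches == 1:
            cond = "any of them"
        elif self.min_matches >= len(self.patterns):
            cond = "all of them"
        else:
            cond = f"{self.min_matches} of them"
        lines += ["    condition:", f"        {cond}", "}"]
        return "\n".join(lines)

    def matching_patterns(self, data: bytes) -> list:
        """Names of the patterns found anywhere in the sample."""
        return [p.name for p in self.patterns if p.value in data]

    def matches(self, data: bytes) -> bool:
        return len(self.matching_patterns(data)) >= self.min_matches


def evaluate(rule: Rule, known_bad: dict, known_good: dict) -> dict:
    """Run the rule over both sample sets. A deployable rule has no
    false negatives (every known-bad file hits) and no false positives."""
    hits_bad = [name for name, data in known_bad.items() if rule.matches(data)]
    hits_good = [name for name, data in known_good.items() if rule.matches(data)]
    return {
        "true_positives": hits_bad,
        "false_negatives": [n for n in known_bad if n not in hits_bad],
        "false_positives": hits_good,
    }


# Patterns pulled from the campaign samples (constructed values).
# $s2 is a common Windows API name: present in the samples, but far too generic.
PATTERNS = (
    Pattern("$s1", b"CAMPAIGN-7731"),
    Pattern("$h1", bytes.fromhex("DEADBEEF0BADF00D"), is_hex=True),
    Pattern("$s2", b"WinHttpSendRequest"),
)

LOOSE_RULE = Rule("campaign_7731_loose", PATTERNS, min_matches=1)   # any of them
TIGHT_RULE = Rule("campaign_7731", PATTERNS, min_matches=2)         # 2 of them

# Constructed sample files: two from the campaign, two benign.
KNOWN_BAD = {
    "bad_dropper": b"MZ\x90\x00WinHttpSendRequest\x00id=CAMPAIGN-7731\x00" + bytes.fromhex("DEADBEEF0BADF00D"),
    "bad_loader": b"MZ\x90\x00" + bytes.fromhex("DEADBEEF0BADF00D") + b"\x00cfg:CAMPAIGN-7731\x00",
}
KNOWN_GOOD = {
    "good_netclient": b"MZ\x90\x00WinHttpSendRequest\x00WinHttpReceiveResponse\x00",
    "good_notepad": b"MZ\x90\x00CreateFileW\x00WriteFile\x00",
}

if __name__ == "__main__":
    for rule in (LOOSE_RULE, TIGHT_RULE):
        print(rule.to_yara())
        print(evaluate(rule, KNOWN_BAD, KNOWN_GOOD), "\n")
```

Running the block prints both rules and their evaluation: the loose rule reports `good_netclient` as a false positive, the tight rule reports none and still hits both campaign samples. The same loop is what you would run with real yara over a quarantine directory and a clean-software corpus before pushing a rule to the scanner.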

188
MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Use only the vendor marketing page
B. Environmental scoring and compensating-control review
C. Change all findings to low severity
D. Ignore the vulnerability because it is internal
Answer: B

Environmental factors help translate generic severity into local risk.

Why this answer

Option B is correct because CVSS base scores assume a default, worst-case environment. For a vulnerability with a 9.8 base score that is only reachable from a restricted admin subnet, an environmental scoring (CVSS v3.1 Environmental Metric Group) adjusts the severity based on the actual attack surface, and a compensating-control review documents whether existing controls (e.g., network ACLs, jump-box restrictions) mitigate the risk. This analysis is essential for stakeholder management to justify the risk acceptance or remediation priority, and the resulting documentation (e.g., risk acceptance form signed by the authorizing official) keeps the program defensible under audit.

Exam trap

Cisco often tests the misconception that a high CVSS base score always requires immediate patching regardless of environment, but the trap here is that candidates ignore the need for environmental scoring and compensating-control documentation to justify a delayed remediation in a segmented network.

How to eliminate wrong answers

Option A is wrong because a vendor marketing page is not a valid source for vulnerability analysis; it lacks technical detail and does not account for the organization's specific network segmentation or compensating controls, making it useless for defensible risk management. Option C is wrong because arbitrarily changing all findings to low severity violates vulnerability management policy and audit requirements; it bypasses proper risk assessment and would be flagged as a control failure during compliance reviews.

189
MCQ · medium

A CVSS 9.8 vulnerability affects an internal service reachable only from a restricted admin subnet. Which additional analysis is most useful? For control selection, which control best addresses the stated weakness without hiding risk?

A. Ignore the vulnerability because it is internal
B. Use only the vendor marketing page
C. Environmental scoring and compensating-control review
D. Change all findings to low severity
Answer: C

Environmental factors help translate generic severity into local risk.

Why this answer

Option C is correct because a CVSS 9.8 vulnerability (critical, with network attack vector, low complexity, no privileges required, and no user interaction) that is only reachable from a restricted admin subnet requires environmental scoring to adjust the base score based on the actual attack surface (e.g., modified attack vector to 'adjacent network' or 'local') and a compensating-control review to verify that existing security measures (e.g., strict ACLs, jump-box requirements, network segmentation) effectively mitigate the risk. This approach aligns with the CVSS specification (v3.1) for environmental metrics and NIST SP 800-30 guidance for risk assessment, ensuring that the residual risk is accurately understood before selecting controls.

Exam trap

Cisco often tests the misconception that a high CVSS score always demands immediate patching regardless of environment, when in fact environmental scoring and compensating controls can legitimately reduce the effective risk, and candidates must recognize that ignoring or reclassifying findings is never the correct approach.

How to eliminate wrong answers

Option A is wrong because ignoring a vulnerability solely because it is internal violates the principle of defense in depth; internal threats (e.g., compromised admin credentials, insider misuse) can still exploit a critical vulnerability, and the CVSS base score already accounts for network reachability, not trust zones. Option B is wrong because vendor marketing pages are promotional and lack objective, technical details about exploitability, mitigations, or environmental factors; relying on them would bypass authoritative sources like the CVE entry, vendor security advisories, or CVSS vector strings. Option D is wrong because changing all findings to low severity is a form of risk hiding that obscures true exposure, violates vulnerability management policy (e.g., PCI DSS Requirement 6.2), and prevents proper prioritization; severity should be based on actual risk, not arbitrary reclassification.
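Questions 188 and 189 both turn on what environmental scoring actually does to a 9.8 base score. The following added example (not from the question bank) implements the CVSS v3.1 formulas for Scope: Unchanged vectors and rescores a constructed 9.8 vector once reachability is limited to an adjacent or local attack vector, and once a compensating control (a jump box that requires admin credentials) is expressed as Modified Privileges Required: High. Temporal metrics are left at Not Defined; the weights and the Roundup() routine are the specification's own.

```python
"""Rescore a CVSS v3.1 base vector with Environmental metrics.

Added example (not from the original page): implements the v3.1 specification
formulas for Scope: Unchanged vectors only, with Temporal metrics left at
Not Defined (1.0). The 9.8 vector below is a constructed stand-in for the
question's finding; the admin-subnet restriction is expressed by overriding
Attack Vector (MAV) to Adjacent or Local.
"""
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}   # PR weights when Scope is Unchanged
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQUIREMENT = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, using the
    integer arithmetic the spec prescribes to avoid floating-point surprises."""
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def parse_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are supported")
    return dict(p.split(":") for p in parts[1:])


def _score(m: dict, cr: str, ir: str, ar: str, cap_iss: bool) -> float:
    if m["S"] != "U":
        raise NotImplementedError("Scope: Changed uses different formulas")
    iss = 1 - ((1 - CIA[m["C"]] * REQUIREMENT[cr])
               * (1 - CIA[m["I"]] * REQUIREMENT[ir])
               * (1 - CIA[m["A"]] * REQUIREMENT[ar]))
    if cap_iss:                      # the spec caps the Modified ISS at 0.915
        iss = min(iss, 0.915)
    impact = 6.42 * iss
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR_UNCHANGED[m["PR"]] * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


def base_score(metrics: dict) -> float:
    return _score(metrics, "X", "X", "X", cap_iss=False)


def environmental_score(metrics: dict, modified: dict, cr="X", ir="X", ar="X",
                        e=1.0, rl=1.0, rc=1.0) -> float:
    """Apply Modified metrics (e.g. {'AV': 'A'}) and security requirements,
    then the Temporal multipliers (1.0 = Not Defined)."""
    merged = {**metrics, **modified}
    return roundup(_score(merged, cr, ir, ar, cap_iss=True) * e * rl * rc)


# Constructed vector matching the question's 9.8 critical finding.
FINDING = parse_vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")


def rescore_for_admin_subnet() -> dict:
    """Base score vs. the score once reachability is limited by segmentation,
    and once a jump box requiring admin credentials is counted (MPR:H)."""
    return {
        "base": base_score(FINDING),
        "adjacent_only": environmental_score(FINDING, {"AV": "A"}),
        "local_only": environmental_score(FINDING, {"AV": "L"}),
        "local_and_admin_priv": environmental_score(FINDING, {"AV": "L", "PR": "H"}),
    }


if __name__ == "__main__":
    print(rescore_for_admin_subnet())
```

The numbers this produces (9.8 base, 8.8 adjacent, 8.4 local, 6.7 local with high privileges required) are the point for the risk-acceptance form: the finding stays high, it does not become low, and the compensating controls that justify each modified metric are exactly what the signed-off documentation has to name.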

190
MCQ · medium

Refer to the exhibit. The JSON firewall rule is applied to a network segment. A security analyst needs to ensure that traffic from a new subnet 10.0.1.0/24 to the same destination is also allowed. Which of the following modifications should the analyst make?

A. Change destination_port to 80
B. Add a second rule with source_ip "10.0.1.0/24"
C. Change source_ip to "10.0.0.0/23"
D. Change source_ip to "any"
Answer: C

The /23 subnet encompasses both 10.0.0.0/24 and 10.0.1.0/24.

Why this answer

Option C is correct because changing the source_ip to '10.0.0.0/23' expands the allowed source range to include both the original subnet (likely 10.0.0.0/24) and the new subnet 10.0.1.0/24, as a /23 prefix covers addresses from 10.0.0.0 to 10.0.1.255. This is the most efficient modification, requiring only a single rule change without adding complexity or reducing security posture.

Exam trap

CompTIA often tests the candidate's understanding of CIDR aggregation by presenting a scenario where adding a new subnet is required, and the trap is that candidates may incorrectly choose to add a second rule (Option B) instead of recognizing that a single prefix change (Option C) is the most efficient and secure modification.

How to eliminate wrong answers

Option A is wrong because changing the destination_port to 80 would alter the allowed service, potentially blocking the intended traffic if the original rule was for a different port (e.g., 443), and does not address the source subnet requirement. Option B is wrong because adding a second rule with source_ip '10.0.1.0/24' would work but is less efficient than modifying the existing rule; however, the question asks for a modification to the existing rule, not an addition, and adding a rule could lead to rulebase bloat and order-dependent issues. Option D is wrong because changing source_ip to 'any' would allow traffic from all source IPs, which violates the principle of least privilege and unnecessarily broadens the security risk, potentially allowing malicious traffic from any network.
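The exhibit is not reproduced on this page, so the following added example (not the page's own rule) uses a constructed JSON rule with the field names the question mentions (`source_ip`, `destination_port`); `destination_ip`, `protocol` and `action` are assumed fields. It computes the aggregate prefix, checks that the widened rule admits the new subnet and nothing else, and goes one step beyond the question: when the two subnets are not adjacent (10.0.0.0/24 plus 10.0.2.0/24) the smallest single prefix is a /22 that admits 512 addresses belonging to neither, which is the case where a second rule is the least-privilege choice.

```python
"""Widen a JSON firewall rule's source to cover a second subnet, and check
how much extra address space the aggregated prefix lets in.

Added example (not the page's exhibit): RULE is a constructed rule with the
field names the question uses (source_ip, destination_port); destination_ip,
protocol and action are assumed fields.
"""
import copy
import ipaddress

# Constructed stand-in for the exhibit's rule.
RULE = {
    "id": 101,
    "action": "allow",
    "source_ip": "10.0.0.0/24",
    "destination_ip": "10.0.5.10/32",
    "destination_port": 443,
    "protocol": "tcp",
}


def _as_network(value: str) -> ipaddress.IPv4Network:
    """'any' is treated as 0.0.0.0/0; everything else must be a valid prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value, strict=True)


def rule_allows(rule: dict, src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """Evaluate one flow against one rule (rulebase ordering is out of scope here)."""
    return (
        rule["action"] == "allow"
        and ipaddress.ip_address(src_ip) in _as_network(rule["source_ip"])
        and ipaddress.ip_address(dst_ip) in _as_network(rule["destination_ip"])
        and dst_port == rule["destination_port"]
        and proto == rule["protocol"]
    )


def smallest_supernet(subnets: list) -> ipaddress.IPv4Network:
    """Shortest single prefix that contains every given subnet."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def extra_addresses(subnets: list) -> int:
    """Addresses the aggregate admits that are in none of the original subnets.
    0 means the single-prefix change is exactly as permissive as separate rules."""
    nets = list(ipaddress.collapse_addresses(ipaddress.ip_network(s) for s in subnets))
    return smallest_supernet(subnets).num_addresses - sum(n.num_addresses for n in nets)


def widen_source(rule: dict, new_subnet: str) -> dict:
    """Return a copy of the rule whose source_ip covers the old and new subnets."""
    widened = copy.deepcopy(rule)
    widened["source_ip"] = str(smallest_supernet([rule["source_ip"], new_subnet]))
    return widened


if __name__ == "__main__":
    wide = widen_source(RULE, "10.0.1.0/24")
    print(wide["source_ip"], "extra addresses:", extra_addresses(["10.0.0.0/24", "10.0.1.0/24"]))
    print("10.0.2.0/24 instead ->", smallest_supernet(["10.0.0.0/24", "10.0.2.0/24"]),
          "extra addresses:", extra_addresses(["10.0.0.0/24", "10.0.2.0/24"]))
```

`extra_addresses()` is the check to run before accepting any prefix change in review: a result of 0 confirms the aggregation is a pure simplification, anything larger means the "efficient" single rule has quietly broadened the allow list.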

191
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For control selection, which control best addresses the stated weakness without hiding risk?

A. The number of installed fonts
B. Whether the hostname is shorter
C. The colour of the scanner dashboard
D. Asset criticality, exposure, and business impact
Answer: D

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which is a function of asset criticality, exposure, and business impact. The public payment API has high business impact and external exposure, making it a priority over the isolated lab server, regardless of technical similarities. This aligns with the CVSS environmental metrics and organizational risk management frameworks.

Exam trap

Cisco often tests the concept that identical technical vulnerabilities can have vastly different remediation priorities based on asset context, not on superficial attributes like hostname or UI settings.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts is a cosmetic or resource attribute with no bearing on vulnerability severity, exploitability, or business risk. Option B is wrong because hostname length is irrelevant to security posture or remediation priority; it does not affect exposure, criticality, or impact. Option C is wrong because the colour of the scanner dashboard is a UI theme setting that has no technical relationship to vulnerability prioritization or control selection.

192
Multi-Select · medium

Which three of the following are best practices for integrating vulnerability scanning into a continuous integration/continuous deployment (CI/CD) pipeline? (Choose three.)

Select 3 answers
- Scanning only the production environment after deployment to ensure real-world security
- Embedding static application security testing (SAST) into the build phase to catch code-level vulnerabilities early
- Using container image scanning tools to detect known vulnerabilities in base images before deployment
- Disabling all vulnerability scanning during development to accelerate build times
- Automating dynamic application security testing (DAST) in a staging environment that mirrors production
- Scanning dependencies only when a new vulnerability disclosure is published

Why this answer

Embedding SAST into the build phase is a best practice because it allows developers to identify and fix code-level vulnerabilities (e.g., SQL injection, buffer overflows) early in the development lifecycle, reducing remediation cost and preventing insecure code from progressing further down the pipeline. This shift-left approach aligns with DevSecOps principles by catching flaws before they reach integration or production environments.

Exam trap

CompTIA often tests the misconception that security scanning should be deferred to later stages (like production) to avoid slowing down development, but the correct approach is to integrate scanning early and often (shift-left) while using automated gates to maintain both speed and security.

193
MCQ · medium

After containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible?

A. Reconnect the host because users need it
B. Disable logging to improve performance
C. Close the incident after isolation
D. Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
Answer: D

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because before recovery, you must remove the persistence mechanism (the scheduled task), rotate the stolen service account credentials to prevent re-entry, and verify that no other hosts are compromised using the same foothold. This ensures the attacker cannot regain access after the host is restored to production, which is a fundamental step in the eradication phase of incident response.

Exam trap

CompTIA often tests the misconception that isolation alone is sufficient to close an incident, but the trap here is that persistence and credential theft require active eradication and credential rotation before recovery can be considered safe.

How to eliminate wrong answers

Option A is wrong because reconnecting a compromised host without completing eradication and recovery steps risks re-infection and lateral movement, violating containment best practices. Option B is wrong because disabling logging during containment destroys forensic evidence and violates the principle of preserving data integrity for post-incident analysis. Option C is wrong because closing the incident after isolation without performing eradication and verification leaves persistence mechanisms and stolen credentials intact, allowing the attacker to regain access.

194
Multi-Select · hard

A responder is acquiring evidence from a potentially compromised server. Which actions support forensic integrity? (Choose two.)

Select 2 answers
A. Calculate and record hashes of acquired images
B. Disable all logging before acquisition
C. Maintain chain-of-custody documentation
D. Edit suspicious files to see whether malware reacts
Answers: A, C

Hashes support integrity verification.

Why this answer

Calculating and recording hashes (e.g., SHA-256) of acquired disk images ensures data integrity by providing a cryptographic fingerprint that can be used later to verify that the evidence has not been altered. This is a foundational step in forensic acquisition, as any modification to the image will produce a different hash, proving tampering or corruption.

Exam trap

Cisco often tests the misconception that disabling logging helps preserve the integrity of the acquisition process, when in fact it destroys potential evidence and violates forensic best practices.

195
MCQ · medium

A security analyst is configuring a vulnerability scan for a demilitarized zone (DMZ) containing public-facing web servers. The analyst wants to minimize the risk of causing a denial-of-service condition on the servers. Which of the following scan settings should be configured?

A. Enable a full port scan.
B. Disable safe checks to speed up the scan.
C. Increase the scan timeout values.
D. Limit the number of concurrent checks.
Answer: D

This reduces the load and lowers the risk of DoS.

Why this answer

Limiting the number of concurrent checks (option D) reduces the simultaneous requests sent to the target servers, which prevents overwhelming the web server's connection pool or CPU. This is the most direct way to minimize the risk of a denial-of-service condition during a vulnerability scan, especially in a DMZ with public-facing servers that may have limited resources.

Exam trap

CompTIA often tests the misconception that increasing timeout values or disabling safe checks will reduce the risk of denial-of-service, when in fact these settings either increase load or remove protections, making the scan more dangerous.

How to eliminate wrong answers

Option A is wrong because enabling a full port scan increases the number of probes sent to all 65,535 ports, which can overwhelm the server and cause a denial-of-service condition. Option B is wrong because disabling safe checks removes the scanner's built-in safeguards that prevent dangerous or intrusive tests, increasing the risk of crashing the server. Option C is wrong because increasing scan timeout values only extends the wait time for responses, which does not reduce the load on the server and may actually prolong the scan's impact.

196
Multi-Select · hard

A cloud workload identity begins accessing secrets outside its normal application scope. Which evidence should be reviewed? (Choose two.)

Select 2 answers
A. Cloud audit logs for secret-read operations
B. Legacy fax transmission logs
C. Recent role assignment or policy changes for the workload identity
D. The colour of the application logo
Answers: A, C

Secret-read events show what was accessed.

Why this answer

Cloud audit logs record all API calls, including secret-read operations. If a workload identity is accessing secrets outside its normal scope, the audit logs will show the specific secret-read API calls (e.g., GetSecretValue in AWS Secrets Manager or accessSecretVersion in Google Cloud Secret Manager) made by that identity. Reviewing these logs directly confirms the anomalous access pattern and identifies which secrets were retrieved, providing the primary evidence of the breach.

Exam trap

Cisco often tests the distinction between 'what happened' (audit logs) and 'why it could happen' (policy changes), and the trap here is that candidates may overlook the policy change evidence because they focus only on the direct access logs, missing the root cause of the permission misconfiguration.

197
Multi-Select · hard

A vulnerability dashboard for executives should avoid raw technical overload. Which views are useful? (Choose two.)

Select 2 answers
A. A list of scanner process IDs
B. Unfiltered plugin-output text
C. Critical exposure trend by business service
D. SLA compliance and overdue remediation by owner
Answers: C, D

Trends show whether risk is moving.

Why this answer

Option C is correct because executive dashboards must communicate risk in business terms, not technical raw data. A trend of critical exposures by business service translates vulnerability severity into operational impact, enabling prioritization of remediation resources without requiring technical expertise. This aligns with the Reporting and Communication domain's emphasis on tailoring information to the audience.

Exam trap

Cisco often tests the distinction between raw technical data (useful for analysts) and summarized business-contextual views (useful for executives), trapping candidates who think any vulnerability data is appropriate for all audiences.

198
MCQ · hard

After a high-priority SOC escalation, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which response best matches incident-response practice?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because forensic acquisition requires a complete chain of custody to ensure evidence admissibility in legal proceedings. The responder must document who collected the evidence, the exact date/time, the physical location, cryptographic hash values (e.g., SHA-256) to verify integrity, transfer details (e.g., write-blocker used, destination media), and the final storage location. This aligns with NIST SP 800-86 and ISO 27037 forensic best practices.

Exam trap

CompTIA often tests the misconception that only minimal metadata (like color or priority) is sufficient, when in fact the full chain-of-custody documentation (who, when, where, hashes, transfer, storage) is mandatory for legally defensible evidence.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because recording only the ticket priority ignores all critical forensic metadata required for legal admissibility. Option C is wrong because noting only the user's job title does not capture who handled the evidence, when, or how it was preserved, making the evidence indefensible in court.

199
Matching · medium

Match each security tool to its primary purpose.


Concepts
Matches

Network scanning and enumeration

Packet analysis

Exploitation framework

Web application security testing

Intrusion detection and prevention

Why these pairings

These are common tools used in security assessments and defense.

200
MCQ · easy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. Ship the image and document nothing
B. Validate exploitability and rebuild from a patched base image where feasible
C. Only rename the image tag
D. Ignore all base-image vulnerabilities
Answer: B

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option B is correct because the best next step is to validate whether the OpenSSL vulnerability is actually exploitable in the context of the application, and if so, rebuild from a patched base image. This balances security with operational efficiency by not blocking the pipeline unnecessarily for unused binaries, while still ensuring that truly exploitable vulnerabilities are remediated. The question asks for the 'BEST next step' for the team, not the scanner configuration, so validating exploitability before acting is the most appropriate response.

Exam trap

Cisco often tests the distinction between 'next step for the team' versus 'tool configuration change'—the trap here is that candidates may focus on the scanner configuration (e.g., ignoring base-image vulns) instead of the proper validation process, leading them to pick D or A.

How to eliminate wrong answers

Option A is wrong because shipping the image without any documentation or validation ignores the vulnerability entirely, which violates secure development practices and could lead to undetected risk. Option C is wrong because renaming the image tag does not change the vulnerable binary in the base layer; it only obscures the issue without remediation. Option D is wrong because ignoring all base-image vulnerabilities is overly permissive and could allow critical CVEs to be deployed, even if the application team claims the binary is unused—this claim must be validated, not blindly accepted.

201
MCQ · hard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Move logs to cold storage immediately
B. Disable all enrichment lookups
C. Log normalization and field mapping in the parser
D. Increase the dashboard refresh interval
Answer: C

Detection rules depend on consistent normalized fields across sources.

Why this answer

The correct answer is C because inconsistent mapping of source IP, user, and action fields indicates a parsing or normalization issue. In detection engineering, log normalization and field mapping in the parser ensure that all logs conform to a consistent schema, allowing analytics to correctly correlate and alert on the data. This directly addresses the root cause without discarding or altering the underlying signal.

Exam trap

Cisco often tests the misconception that tuning or storage changes (like cold storage or dashboard intervals) can fix data quality issues, when in fact the root cause is almost always a parsing or normalization problem in the ingestion pipeline.

How to eliminate wrong answers

Option A is wrong because moving logs to cold storage does not fix field mapping inconsistencies; it only archives data, making it inaccessible for real-time analytics and potentially losing the signal. Option B is wrong because disabling all enrichment lookups would remove valuable context (e.g., geo-IP, threat intelligence) that enhances detection, increasing noise and reducing signal quality. Option D is wrong because increasing the dashboard refresh interval only changes how often the UI updates, not the underlying data parsing or mapping; it does not resolve the inconsistency and may delay visibility into alerts.
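What "normalization and field mapping in the parser" looks like in practice, as an added example that is not part of the question bank: two sources carry the same three facts (source IP, user, action) under different field names and different action vocabularies, a per-source map in the parser lifts them into one canonical schema, and a single detection rule is then written once against that schema. The `cloudtrail` map uses AWS CloudTrail's real top-level field names (`sourceIPAddress`, `eventName`, `userIdentity`); `vendor_x`, the records, the trusted ranges and the canonical action names are constructed. Parse failures are counted rather than discarded, so a broken map shows up as lost signal instead of a silently quiet dashboard.

```python
"""Normalize two cloud log formats to one schema so a single detection rule
works across both sources.

Added example (not from the original page). The 'cloudtrail' map uses
AWS CloudTrail's real top-level field names (sourceIPAddress, eventName,
userIdentity); 'vendor_x' is a hypothetical second provider with different
names. Records, trusted ranges and the canonical action names are constructed.
"""
import ipaddress

# Parser configuration: per source, where each canonical field lives (dotted path).
FIELD_MAPS = {
    "cloudtrail": {"source_ip": "sourceIPAddress", "user": "userIdentity.arn", "action": "eventName"},
    "vendor_x": {"source_ip": "client.ip", "user": "actor.id", "action": "operation"},
}

# Value normalization: vendor-specific action names -> one canonical verb.
ACTION_ALIASES = {"GetSecretValue": "secret_read", "secret.read": "secret_read",
                  "ConsoleLogin": "login", "session.start": "login"}

TRUSTED_CIDRS = ["10.0.0.0/8", "192.168.0.0/16"]   # constructed corporate ranges


def get_path(record: dict, dotted: str):
    """Walk 'a.b.c' through nested dicts; KeyError if any hop is missing."""
    cur = record
    for key in dotted.split("."):
        cur = cur[key]
    return cur


def normalize(source: str, raw: dict, field_maps: dict) -> dict:
    """Map one raw record to the canonical schema. Raises KeyError when the
    source's map points at fields the record does not have."""
    fmap = field_maps[source]
    action = get_path(raw, fmap["action"])
    return {
        "source": source,
        "source_ip": get_path(raw, fmap["source_ip"]),
        "user": get_path(raw, fmap["user"]),
        "action": ACTION_ALIASES.get(action, action),
    }


def normalize_all(events: list, field_maps: dict) -> dict:
    """Split the feed into normalized records and parse failures; failures are
    reported, not silently discarded, so lost signal is visible."""
    normalized, dropped = [], []
    for source, raw in events:
        try:
            normalized.append(normalize(source, raw, field_maps))
        except KeyError as missing:
            dropped.append({"source": source, "missing_field": str(missing)})
    return {"normalized": normalized, "dropped": dropped}


def rogue_secret_reads(events: list, field_maps: dict, trusted_cidrs: list) -> list:
    """Detection rule written once against the canonical schema: secret reads
    from outside the trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    result = normalize_all(events, field_maps)
    return [
        f"{e['source']}: {e['user']} read a secret from {e['source_ip']}"
        for e in result["normalized"]
        if e["action"] == "secret_read"
        and not any(ipaddress.ip_address(e["source_ip"]) in n for n in trusted)
    ]


# Constructed sample feed: (source name, raw record).
EVENTS = [
    ("cloudtrail", {"eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.7",
                    "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-worker"}}),
    ("cloudtrail", {"eventName": "GetSecretValue", "sourceIPAddress": "10.20.30.40",
                    "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-worker"}}),
    ("vendor_x", {"operation": "secret.read", "client": {"ip": "198.51.100.9"},
                  "actor": {"id": "svc-billing"}}),
    ("vendor_x", {"operation": "session.start", "client": {"ip": "198.51.100.9"},
                  "actor": {"id": "svc-billing"}}),
]

if __name__ == "__main__":
    print(normalize_all(EVENTS, FIELD_MAPS)["dropped"])
    print(rogue_secret_reads(EVENTS, FIELD_MAPS, TRUSTED_CIDRS))
```

With the correct maps the rule fires once per source. Pointing the `vendor_x` parser at CloudTrail field names (the kind of copy-paste onboarding mistake the question describes) drops every `vendor_x` record, and the `dropped` counter is what tells the engineer that the fix belongs in the parser, not in storage tiers or dashboard intervals.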

202
MCQ · hard

In a regulated payment environment, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Tabletop exercise using a realistic ransomware scenario
B. Purchasing a new SIEM without testing procedures
C. Annual password reset only
D. Full destructive malware detonation in production
Answer: A

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise (A) is the correct choice because it allows the company to validate roles, communication paths, and decision-making processes for a ransomware incident without any risk to production systems. This aligns with the need to test understanding across legal, PR, IT, and executives in a regulated environment where touching live systems is prohibited. Full destructive detonation (D) would violate regulatory compliance and cause data loss, while purchasing a new SIEM (B) or an annual password reset (C) does not test incident response roles at all.

Exam trap

The trap here is that candidates may confuse a 'test' with a technical simulation or live-fire exercise, overlooking that a tabletop exercise is the only safe and compliant method to validate human roles and decision-making in a regulated environment without impacting production systems or evidence integrity.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures does not validate any incident response roles or processes; it is a procurement action that introduces new technology without addressing the specific need to test stakeholder understanding during a ransomware incident. Option C is wrong because an annual password reset is a routine security hygiene task that does not simulate a ransomware scenario or test the coordination of legal, PR, IT, and executive teams; it has no bearing on incident response role validation. Option D is wrong because full destructive malware detonation in production would cause actual data encryption, system downtime, and potential regulatory violations, directly contradicting the requirement to avoid touching production systems and risking evidence loss.

203
MCQ · hard

A SOC wants a SOAR playbook for suspected phishing that reduces analyst workload but avoids destructive action before confirmation. Which actions are appropriate for the first automated phase? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Close all similar alerts as duplicates
B. Disable the reporting user's account immediately
C. Automatically delete all messages from the sender across all mailboxes
D. Enrich URLs, detonate attachments in a sandbox, and collect mailbox search counts
Answer: D

Early automation should gather context and evidence while keeping analysts in control of disruptive actions.

Why this answer

Option D is correct because the first automated phase of a SOAR playbook for suspected phishing should focus on enrichment and triage without taking destructive action. Enriching URLs (e.g., via VirusTotal or URL scan APIs), detonating attachments in a sandbox (e.g., using Cuckoo or FireEye), and collecting mailbox search counts (e.g., via EWS or Graph API) provide critical threat intelligence while preserving evidence and avoiding premature containment. This aligns with the containment trade-off phase, where the goal is to balance rapid response with forensic integrity.

Exam trap

Cisco often tests the misconception that immediate destructive actions (like deletion or account disablement) are appropriate for phishing containment, when in fact the correct approach is to use non-destructive enrichment and soft containment to preserve evidence and avoid false positives.

How to eliminate wrong answers

Option A is wrong because closing all similar alerts as duplicates prematurely assumes the phishing is benign, which can suppress legitimate threats and bypass analyst review, violating the principle of avoiding destructive action before confirmation. Option B is wrong because disabling the reporting user's account immediately is a reactive, potentially disruptive action that could lock out a legitimate user and does not address the phishing threat itself, nor does it preserve evidence for investigation. Option C is wrong because automatically deleting all messages from the sender across all mailboxes is a destructive action that removes evidence (e.g., headers, metadata) needed for forensic analysis and could delete legitimate emails if the sender is spoofed or compromised.

204
MCQ · easy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is executive leadership, which content choice is most appropriate?

A. Raw packet captures from the scan
B. A list of analyst shift times only
C. Every command the scanner executed
D. Business risk, customer impact assessment, remediation status, and remaining exposure
Answer: D

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to executive leadership while preserving factual accuracy.

Why this answer

Option D is correct because executive leadership requires a high-level summary that translates technical findings into business impact. The executive summary should focus on business risk, customer impact assessment, remediation status, and remaining exposure, as these directly inform strategic decisions without overwhelming non-technical stakeholders with raw data.

Exam trap

Cisco often tests the distinction between technical detail and executive-level communication, trapping candidates who think more data (e.g., packet captures or command logs) is always better, when in fact leadership needs concise, risk-focused summaries.

How to eliminate wrong answers

Option A is wrong because raw packet captures are low-level network data that require deep technical analysis and are irrelevant for an executive audience; they belong in a technical report for security analysts. Option B is wrong because a list of analyst shift times provides no insight into the vulnerability, its impact, or remediation, and is operationally irrelevant to the executive summary. Option C is wrong because listing every command the scanner executed is excessive technical detail that does not convey the severity, business risk, or remediation progress, and would confuse rather than inform leadership.

205
MCQ · medium

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is a technical remediation owner, which content choice is most appropriate?

A. A raw CSV of 20,000 findings
B. A screenshot of every scanner page
C. A list of tool login names
D. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
Answer: D

Board reporting should connect investment to measurable risk reduction. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Option D is correct because it directly answers the board's question about whether cyber risk is decreasing by showing a trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service. This provides a clear, quantitative, and business-aligned view of risk reduction, which is essential for executive reporting. For a technical remediation owner, this content is most appropriate as it focuses on actionable metrics (e.g., SLA compliance, residual risk per service) that directly guide patching and mitigation priorities.

Exam trap

Cisco often tests the distinction between raw data (e.g., CSV, screenshots) and actionable, risk-based reporting; the trap here is that candidates may think providing all raw findings (Option A) is thorough, but it fails to answer the board's specific question about risk reduction and is not tailored for a technical remediation owner's workflow.

How to eliminate wrong answers

Option A is wrong because a raw CSV of 20,000 findings is overwhelming, lacks aggregation, and does not show risk trends or business impact, making it unsuitable for executive decision-making. Option B is wrong because a screenshot of every scanner page is unstructured, non-analytical, and fails to provide a consolidated view of risk reduction or SLA performance. Option C is wrong because a list of tool login names is irrelevant to demonstrating risk reduction and provides no data on vulnerabilities, exposures, or remediation effectiveness.

206
MCQ (medium)

Refer to the exhibit. An analyst reviews the output from a netstat command on a server. Which connection is MOST likely indicative of command and control (C2) activity?

A. 10.0.0.5:22 to 10.0.0.1:50001
B. 10.0.0.5:54321 to 198.51.100.20:4444
C. All connections are normal.
D. 10.0.0.5:3389 to 192.168.1.10:54321
Answer: B

External IP on port 4444 from an ephemeral port is suspicious and common for C2.

Why this answer

Option B is correct because the connection from a high ephemeral port (54321) on the server to an external IP (198.51.100.20) on port 4444 is a classic indicator of C2 activity. Port 4444 is commonly associated with Metasploit's default reverse shell listener and other malware frameworks, while the use of a non-standard high source port and an external destination suggests outbound beaconing or command reception.

Exam trap

CompTIA often tests the candidate's ability to recognize that not all high-port connections are malicious; the trap here is that options A and D use high ephemeral ports but are normal internal administrative traffic, leading candidates to incorrectly flag them as suspicious instead of focusing on the external destination and the specific C2-associated port 4444.

How to eliminate wrong answers

Option A is wrong because SSH (port 22) from the server to an internal IP on a high ephemeral port is a normal administrative connection within the local network, not indicative of C2. Option C is wrong because not all connections are normal; option B clearly shows suspicious characteristics. Option D is wrong because RDP (port 3389) from the server to an internal IP on a high ephemeral port is a standard remote desktop session within the local subnet, not C2 traffic.

207
Multi-Select (medium)

During a threat hunting exercise, a security analyst discovers unusual outbound traffic from a server that typically only communicates internally. Which three of the following are effective actions to validate and respond to this finding? (Choose three.)

Select 3 answers
1. Check the server’s process list and running services for unknown or suspicious processes.
2. Immediately block all outbound traffic from the server at the network perimeter.
3. Review recent DNS logs to identify the domains being queried by the server.
4. Perform a vulnerability scan on the server to identify missing patches.
5. Compare the outbound traffic against known threat intelligence feeds for malicious destinations.
6. Disable the server’s network interface and reimage it immediately.
Answers: 1, 3, 5

Why this answer

Checking the server’s process list and running services (Option 1) is effective because it directly identifies any unauthorized or malicious processes that may be generating the unusual outbound traffic. Reviewing recent DNS logs (Option 3) helps correlate the outbound traffic with domain queries, revealing potential command-and-control (C2) destinations. Comparing outbound traffic against threat intelligence feeds (Option 5) validates whether the destination IPs or domains are known malicious indicators, providing context for the anomaly.

Exam trap

CompTIA often tests the distinction between validation/response actions and premature containment or remediation steps; candidates may incorrectly choose immediate blocking or reimaging because they confuse incident response phases (e.g., skipping analysis and jumping to eradication).

208
Multi-Select (hard)

A third-party supplier needs incident information to fix an integration. What should be shared? (Choose two.)

Select 2 answers
A. Internal blame discussions
B. Credentials for unrelated systems
C. Required remediation outcome and deadline
D. Relevant timeline and technical evidence tied to the integration
Answers: C, D

Clear expectations support accountability.

Why this answer

Option C is correct because sharing the required remediation outcome and deadline ensures the third-party supplier understands the expected fix and urgency, aligning with incident response communication best practices. This enables the supplier to prioritize their work and deliver a solution that meets the organization's security and operational requirements, without exposing unnecessary internal details.

Exam trap

Cisco often tests the principle of 'need-to-know' in incident communication, where candidates mistakenly think sharing all technical details or internal discussions is helpful, but the trap is that only evidence and outcomes tied directly to the affected integration should be shared.

209
Multi-Select (easy)

Which THREE of the following are common challenges in vulnerability management? (Select THREE)

Select 3 answers
A. Inability to scan all systems
B. Lack of asset inventory
C. Too many false positives
D. Excessive budget
E. Patch compatibility issues
Answers: B, C, E

Without a complete inventory, some vulnerabilities may go unmanaged.

Why this answer

Option B is correct because without a complete and accurate asset inventory, vulnerability management cannot identify which systems require scanning or patching. An asset inventory provides the foundational data for vulnerability scanning scope, and its absence leads to blind spots where unmanaged systems remain unpatched and vulnerable.

Exam trap

CompTIA often tests the distinction between operational difficulties (like scanning all systems) and foundational management challenges (like lack of asset inventory), tempting candidates to select 'Inability to scan all systems' as a core challenge when it is actually a downstream effect.

210
MCQ (easy)

An analyst runs a command to check active network connections on a Linux host and sees many ESTABLISHED connections to an external IP on port 443. Which command was most likely used?

A. netstat -anp
B. ipconfig /all
C. nmap -sT
D. tcpdump -i eth0
Answer: A

netstat shows active connections.

Why this answer

The `netstat -anp` command displays all active network connections (`-a`), shows numeric addresses and port numbers (`-n`), and includes the process ID and program name (`-p`). This makes it the correct tool for an analyst to quickly identify established TCP connections to an external IP on port 443, as it directly lists the state (ESTABLISHED), remote address, and associated process.

Exam trap

Cisco often tests the distinction between commands that *show* current connections (like `netstat`) versus commands that *probe* or *capture* network traffic (like `nmap` or `tcpdump`), leading candidates to confuse scanning tools with monitoring tools.

How to eliminate wrong answers

Option B is wrong because `ipconfig /all` is a Windows command that displays network interface configuration (IP address, MAC, DHCP, DNS), not active network connections or their states. Option C is wrong because `nmap -sT` performs a TCP connect scan to probe open ports on a target, but it does not show the host's own current active connections; it is a scanning tool, not a connection monitoring tool. Option D is wrong because `tcpdump -i eth0` captures raw packets on the specified interface, which can show traffic to port 443, but it does not summarize established connections in a human-readable list; it requires further analysis to identify connection states.

211
Multi-Select (hard)

After a data breach incident, a post-incident review team is collecting lessons learned. Which THREE items should be included in the lessons learned documentation?

Select 3 answers
A. Individual performance evaluations of team members
B. Timeline of events during the incident
C. Legal liability of the organization
D. Root cause analysis of the breach
E. Recommendations for process improvements
Answers: B, D, E

A timeline helps understand the sequence of events and identify gaps.

Why this answer

Option B is correct because the timeline of events is a critical component of lessons learned documentation. It provides a chronological sequence of actions, detections, and responses during the incident, which is essential for identifying gaps in detection, delays in response, and opportunities for improvement. Without a precise timeline, the team cannot accurately assess the effectiveness of their incident response procedures or the speed of containment.

Exam trap

CompTIA often tests the distinction between operational improvement items (timeline, root cause, recommendations) and administrative or legal items (performance reviews, liability) to see if candidates understand that lessons learned focus on process, not blame or legal exposure.

212
MCQ (hard)

An incident responder is collecting evidence from a compromised Linux server. The server is still running. Which order of collection adheres to the order of volatility?

A. Memory → network connections → disk → swap space.
B. Disk → memory → network connections → swap space.
C. Memory → network connections → swap space → disk.
D. Network connections → memory → disk → swap space.
Answer: C

This order follows the standard order of volatility: memory, network connections, swap, disk.

Why this answer

Option C is correct because the order of volatility (OOV) dictates that the most volatile data (memory/registers) must be collected first, followed by network connections, then swap space, and finally disk. Memory contains running processes and encryption keys that vanish on power loss; network connections change rapidly; swap space persists longer but is still more volatile than disk. This sequence ensures maximum preservation of ephemeral evidence before it is lost.

Exam trap

Cisco often tests the misconception that swap space is less volatile than disk because it is on disk, but swap is actually more volatile due to frequent overwriting by the kernel's paging mechanism.

How to eliminate wrong answers

Option A is wrong because it places disk before swap space, but swap space is more volatile than disk (swap is a temporary extension of RAM and may contain residual data that is overwritten quickly). Option B is wrong because it starts with disk, which is the least volatile, violating the OOV principle that the most volatile (memory) must be collected first. Option D is wrong because it collects network connections before memory, but memory (RAM) is more volatile than network connection state (which can be re-queried) and must be captured first to avoid losing critical in-memory artifacts.

213
MCQ (medium)

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Decode the command and inspect the process tree, parent document, and network destination
B. Disable the SIEM parser for PowerShell events
C. Reimage every workstation in the department
D. Close the alert because HTTPS is expected traffic
Answer: A

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option A is correct because the first analytic pivot in a suspected malware infection via phishing must decode the encoded PowerShell command to understand the attacker's intent, inspect the process tree to confirm parent-child relationships (winword.exe spawning powershell.exe), analyze the parent document for malicious macros or exploits, and examine the network destination to identify potential C2 infrastructure. This approach aligns with the Pyramid of Pain and ensures the analyst gathers actionable intelligence before any containment or tuning decisions.

Exam trap

Cisco often tests the misconception that HTTPS traffic is safe or that encoded commands are too complex to analyze quickly, leading candidates to dismiss the alert or take overly aggressive actions like reimaging without investigation.

How to eliminate wrong answers

Option B is wrong because disabling the SIEM parser for PowerShell events would blind the security team to all PowerShell activity, including legitimate administrative scripts, and would prevent detection of future attacks using similar techniques. Option C is wrong because reimaging every workstation is a drastic, untargeted response that wastes resources and does not address the root cause or provide forensic evidence; it should only be considered after analysis confirms widespread compromise. Option D is wrong because HTTPS traffic is not inherently benign; attackers commonly use HTTPS to encrypt C2 communications and evade network detection, so closing the alert without investigation would miss a potential breach.

214
MCQ (hard)

An endpoint is actively beaconing to a known malicious IP and spawning credential-dumping tools. The business owner wants evidence preserved. What is the BEST containment action? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Power off the machine immediately in every case
B. Network-isolate the endpoint through EDR while preserving disk and memory evidence
C. Run disk cleanup to remove temporary files
D. Allow the host to run until the next maintenance window
Answer: B

EDR isolation limits attacker communication without immediately destroying volatile forensic context.

Why this answer

Network-isolating the endpoint via EDR preserves volatile memory and disk evidence while stopping the active beaconing and credential dumping. This allows forensic acquisition without the risk of the attacker wiping data or triggering anti-forensic mechanisms, which powering off (Option A) would cause by losing memory evidence. The isolation action provides the clearest next triage step because the analyst can then safely collect a memory dump and disk image for analysis.

Exam trap

Cisco often tests the misconception that powering off is the safest containment action, but the trap here is that it destroys volatile evidence and may trigger anti-forensic scripts, making network isolation the correct choice for evidence preservation.

How to eliminate wrong answers

Option A is wrong because powering off the machine destroys volatile memory evidence (e.g., running processes, network connections, decrypted credentials) and may trigger anti-forensic shutdown routines, losing critical forensic data. Option C is wrong because running disk cleanup removes temporary files that could contain evidence of the beaconing or credential dumping, actively destroying forensic artifacts. Option D is wrong because allowing the host to continue until the next maintenance window risks data exfiltration, lateral movement, or the attacker wiping evidence, and violates the principle of immediate containment.

215
Multi-Select (easy)

Which TWO of the following are common indicators of compromise (IOCs) that can be identified through log analysis?

Select 2 answers
A. Unexpected changes to file hashes
B. Expired SSL certificates
C. Scheduled backup completion logs
D. Use of strong passwords
E. Unusual outbound network connections
Answers: A, E

An unexpected change to a file hash indicates possible malware modification.

Why this answer

Unexpected changes to file hashes (A) are a key indicator of compromise because they suggest that a file has been modified, potentially by malware or an attacker. Log analysis can detect these changes by comparing current file hashes against a known-good baseline, revealing unauthorized alterations that may indicate a security breach.

Exam trap

CompTIA often tests the distinction between operational anomalies (like expired certificates) and true security indicators (like hash changes), expecting candidates to recognize that only events directly tied to unauthorized access or malicious modification qualify as IOCs.

216
MCQ (medium)

After a high-priority SOC escalation, a web server contains a new file that executes commands through a query parameter. What evidence best confirms web-shell activity? During recovery, which decision is most defensible? Which response best matches incident-response practice?

A. Only printer logs
B. Only the CEO's mailbox audit events
C. Web access logs, file timestamps, process execution, and outbound connections from the web service account
D. Only SSL certificate metadata
Answer: C

A web shell leaves evidence across file, web, process, and network telemetry. In recovery, responders need an action that reduces risk while preserving the investigation record.

Why this answer

Option C is correct because web-shell activity requires correlating multiple evidence sources: web access logs show the initial malicious request (e.g., a POST to a PHP file with a query parameter like `?cmd=whoami`), file timestamps confirm when the shell was created, process execution logs (e.g., Sysmon Event ID 1) reveal the spawned child processes (e.g., cmd.exe, powershell.exe), and outbound connections from the web service account (e.g., netstat or firewall logs) indicate command-and-control (C2) or data exfiltration. This multi-source correlation aligns with the NIST SP 800-61 incident-response methodology for validating a compromise.

Exam trap

Cisco often tests the misconception that a single log source (like web access logs alone) is sufficient to confirm a web shell, when in fact incident-response best practice requires correlating multiple evidence types (file, process, network) to rule out false positives and establish a complete attack chain.

How to eliminate wrong answers

Option A is wrong because printer logs (e.g., SNMP or print job records) are unrelated to web-server command execution and provide no evidence of web-shell activity. Option B is wrong because the CEO's mailbox audit events (e.g., Exchange or Outlook logs) only track email access or modifications, not server-side command execution or file creation. Option D is wrong because SSL certificate metadata (e.g., issuer, subject, validity period) only confirms encryption configuration, not whether a web shell was uploaded or executed.

217
MCQ (hard)

A security analyst needs to share threat intelligence data with a partner organization as part of an information sharing agreement. Which of the following is the most critical consideration before sharing the data?

A. The volume of data being shared
B. The classification level and handling restrictions
C. The data format (e.g., STIX, TAXII)
D. The geographic location of the partner
Answer: B

Proper classification ensures the data is handled appropriately, protecting sensitive information.

Why this answer

The classification level and handling restrictions are the most critical consideration because threat intelligence often contains sensitive information such as indicators of compromise (IOCs) that may be classified or subject to legal handling requirements (e.g., TLP markings). Sharing data without verifying classification could violate security policies, breach confidentiality agreements, or expose critical vulnerabilities to unauthorized parties, undermining the trust and legality of the information-sharing agreement.

Exam trap

CompTIA often tests the misconception that technical interoperability (e.g., STIX/TAXII format) is the primary concern, when in reality classification and handling restrictions are the non-negotiable first step to ensure legal and policy compliance.

How to eliminate wrong answers

Option A is wrong because the volume of data being shared is a logistical concern (e.g., bandwidth or storage), not a security or compliance priority; classification and handling restrictions take precedence regardless of size. Option C is wrong because the data format (e.g., STIX/TAXII) is a technical interoperability choice that facilitates automated sharing but does not address the fundamental requirement to protect sensitive data from unauthorized disclosure. Option D is wrong because the geographic location of the partner is relevant to jurisdictional legal considerations (e.g., GDPR, data sovereignty) but is secondary to ensuring the data's classification and handling restrictions are properly enforced before any sharing occurs.

218
MCQ (easy)

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For business prioritization, which recommendation gives the best risk-based order of work?

A. Patch or mitigate the VPN appliance immediately and verify exposure is removed
B. Defer all remediation until the monthly patch window
C. Start with the oldest medium vulnerability
D. Remediate only low-risk internal findings to improve closure rate
Answer: A

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The VPN appliance with a critical unauthenticated remote-code-execution flaw that is actively exploited in the wild represents an immediate and severe risk to the organization's security posture. An internet-facing device with such a vulnerability can be compromised by any attacker on the internet without authentication, leading to full system compromise and potential lateral movement into the internal network. Prioritizing remediation of this flaw over internal-only medium vulnerabilities aligns with risk-based vulnerability management principles, as the likelihood and impact of exploitation are far higher.

Exam trap

Cisco often tests the misconception that all vulnerabilities should be patched in order of severity score or age, rather than considering the business context of internet exposure and active exploitation, leading candidates to choose a technically correct but risk-ignorant option like 'start with the oldest medium vulnerability'.

How to eliminate wrong answers

Option B is wrong because deferring remediation until the monthly patch window ignores the active exploitation of a critical vulnerability, leaving the organization exposed to immediate compromise; vulnerability management requires expedited handling of actively exploited flaws outside of regular patching cycles. Option C is wrong because starting with the oldest medium vulnerability disregards the severity and exploitability of the critical flaw; age alone does not determine risk, and a medium internal vulnerability poses far less immediate danger than an internet-facing critical RCE. Option D is wrong because remediating only low-risk internal findings to improve closure rate is a metric-driven approach that sacrifices security; it fails to address the most urgent threat and could lead to a false sense of security while the critical flaw remains unpatched.

219
MCQ (easy)

A security engineer needs to implement a baseline configuration for all new Linux servers. Which of the following should be included in the baseline to reduce the attack surface?

A. Enable strong password policies for all users.
B. Enable comprehensive audit logging.
C. Disable all unnecessary services and daemons.
D. Configure disk encryption for all data volumes.
Answer: C

Reducing services minimizes potential entry points.

Why this answer

Disabling all unnecessary services and daemons directly reduces the attack surface by eliminating potential entry points for exploitation. Each running service represents a vector for attacks, such as buffer overflows or misconfigurations, and removing them minimizes the number of listening ports and active processes. This aligns with the principle of least functionality, a core security baseline for Linux servers.

Exam trap

CompTIA often tests the distinction between preventive controls (reducing attack surface) and detective or corrective controls (logging, encryption), leading candidates to choose strong password policies or audit logging as the primary method to reduce attack surface.

How to eliminate wrong answers

Option A is wrong because enabling strong password policies, while important for user authentication, does not reduce the attack surface of the server itself; it addresses credential security but not the number of exploitable services. Option B is wrong because comprehensive audit logging is a detective control that helps identify incidents after they occur, not a preventive measure that reduces the attack surface. Option D is wrong because configuring disk encryption protects data at rest from physical theft, but it does not reduce the number of running services or network-accessible ports, which is the primary goal of attack surface reduction.

220
MCQ (medium)

The board asks whether cyber risk is decreasing after a vulnerability-management investment. Which presentation is strongest? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Trend in exploitable critical exposure, remediation SLA performance, and residual risk by business service
B. A screenshot of every scanner page
C. A list of tool login names
D. A raw CSV of 20,000 findings
Answer: A

Board reporting should connect investment to measurable risk reduction. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option A is correct because it directly addresses the board's question about whether cyber risk is decreasing by presenting trend data on exploitable critical exposures, remediation SLA performance, and residual risk by business service. This combination provides a clear, measurable view of risk reduction over time, which is exactly what a SOC manager needs to justify the vulnerability-management investment. The focus on residual risk by business service ties technical findings to business impact, making the data actionable for both technical and executive audiences.

Exam trap

Cisco often tests the misconception that more data (e.g., raw CSV or screenshots) is better for reporting, when in fact the strongest presentation for a SOC manager is a summarized, trend-based view that ties technical metrics to business risk.

How to eliminate wrong answers

Option B is wrong because a screenshot of every scanner page is an overwhelming, unstructured dump of raw scanner output that does not summarize risk trends or provide actionable insights for the board or SOC manager. Option C is wrong because a list of tool login names is irrelevant to demonstrating risk reduction; it is an administrative detail that does not address the board's question about cyber risk. Option D is wrong because a raw CSV of 20,000 findings is too granular and lacks aggregation, trend analysis, or business context, making it impossible for the board or SOC manager to quickly assess whether risk is decreasing.

221
MCQ (hard)

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Sigma rule
B. CVSS vector string
C. OpenIOC package only
D. YARA rule
Answer: A

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are designed as a portable, generic detection format that can be converted into queries for multiple SIEM platforms (e.g., Splunk, QRadar, Elastic) without vendor lock-in. This aligns directly with the threat hunter's requirement for a portable detection that can be easily translated across different environments. In contrast, the other options are either scoring systems, forensic artifacts, or file-specific signatures that lack this cross-platform conversion capability.

Exam trap

Cisco often tests the distinction between detection formats (Sigma) and forensic/indicator formats (OpenIOC, YARA) or scoring systems (CVSS), so candidates mistakenly choose OpenIOC or YARA because they associate them with threat hunting, but they lack the SIEM-agnostic conversion capability that Sigma provides.

How to eliminate wrong answers

Option B is wrong because a CVSS vector string is a vulnerability severity scoring metric (based on CVSS v3.1 specification), not a detection artifact for suspicious process execution. Option C is wrong because an OpenIOC package is a forensic indicator format that is primarily used for endpoint detection and response (EDR) tools, not designed for easy conversion across multiple SIEM platforms. Option D is wrong because a YARA rule is a pattern-matching rule for identifying malware based on file or memory characteristics, not a portable detection format for process execution events like rundll32.

222
Multi-Select (medium)

A phishing detection rule looks only for known malicious URLs and misses newly registered lookalike domains. Which improvements help? (Choose two.)

Select 2 answers
A. Add domain age and lookalike/typosquatting checks
B. Use attachment sandboxing and URL detonation results
C. Allow all newly registered domains
D. Trust emails with company logos automatically
Answers: A, B

New and visually similar domains are common phishing indicators.

Why this answer

Option A is correct because phishing detection rules that rely solely on static URL blacklists cannot catch newly registered lookalike domains. By incorporating domain age checks (e.g., domains registered less than 30 days ago are suspicious) and lookalike/typosquatting detection (e.g., using Levenshtein distance or homoglyph analysis), the rule can proactively identify malicious domains that have not yet been reported or blacklisted.

Exam trap

Cisco often tests the misconception that static blacklists are sufficient for phishing detection, when in fact attackers exploit the delay between domain registration and blacklist updates, making proactive checks like domain age and lookalike analysis essential.

223
MCQ (easy)

Which SIEM component is responsible for centralizing and correlating logs from multiple sources?

A. Data retention system
B. Aggregation tier
C. Normalization component
D. Correlation engine
Answer: D

The correlation engine correlates events from multiple sources.

Why this answer

The correlation engine is the SIEM component specifically designed to centralize and analyze logs from multiple sources, applying rules and statistical analysis to identify relationships and patterns indicative of security incidents. It ingests normalized data from the aggregation tier and uses correlation rules to detect complex threats like multi-stage attacks or lateral movement across different systems.

Exam trap

The trap here is that candidates confuse the aggregation tier (which centralizes logs) with the correlation engine (which analyzes them), leading them to pick Option B because they focus on the word 'centralizing' without recognizing that correlation is the key function for identifying relationships.

How to eliminate wrong answers

Option A is wrong because the data retention system is responsible for storing historical log data for compliance and forensic analysis, not for centralizing or correlating logs in real-time. Option B is wrong because the aggregation tier collects and consolidates logs from various sources into a central location, but it does not perform the analysis or correlation to identify relationships between events. Option C is wrong because the normalization component converts disparate log formats into a common schema (e.g., CEF or LEEF) to enable consistent processing, but it does not centralize or correlate logs across sources.
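The three components the explanation separates (aggregation, normalization, correlation) as one small pipeline. This is an added example, not from the exam page or any SIEM product: the six log lines, the hosts web01 and app02, the field names of the common schema, and the threshold and window values are all constructed for illustration.

```python
"""Toy SIEM pipeline: aggregation -> normalization -> correlation.

Added example, not from the exam page. Log lines, hostnames, schema field
names and rule thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Aggregation tier output: (source type, raw line) collected from two hosts.
RAW_LOGS = [
    ("syslog", "2024-05-01T10:00:01Z web01 sshd[1201]: Failed password for svc_backup from 203.0.113.7 port 51000 ssh2"),
    ("syslog", "2024-05-01T10:00:03Z web01 sshd[1201]: Failed password for svc_backup from 203.0.113.7 port 51001 ssh2"),
    ("syslog", "2024-05-01T10:00:05Z web01 sshd[1201]: Failed password for svc_backup from 203.0.113.7 port 51002 ssh2"),
    ("winevt", "TimeCreated=2024-05-01T10:00:40Z Computer=app02 EventID=4625 TargetUserName=svc_backup IpAddress=203.0.113.7"),
    ("winevt", "TimeCreated=2024-05-01T10:01:10Z Computer=app02 EventID=4624 TargetUserName=svc_backup IpAddress=203.0.113.7 LogonType=3"),
    ("syslog", "2024-05-01T10:30:00Z web01 sshd[1300]: Accepted password for alice from 198.51.100.9 port 40000 ssh2"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<verb>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source: str, line: str):
    """Normalization component: map one raw line onto the common schema, or None."""
    if source == "syslog":
        m = SSHD_RE.match(line)
        if not m:
            return None
        return {"ts": _ts(m["ts"]), "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                "outcome": "success" if m["verb"] == "Accepted" else "failure"}
    if source == "winevt":
        kv = dict(tok.split("=", 1) for tok in line.split())
        if kv.get("EventID") not in ("4624", "4625"):
            return None
        return {"ts": _ts(kv["TimeCreated"]), "host": kv["Computer"], "user": kv["TargetUserName"],
                "src_ip": kv["IpAddress"], "outcome": "success" if kv["EventID"] == "4624" else "failure"}
    return None


def correlate(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Correlation engine: >= threshold failures for (user, src_ip), on any hosts,
    followed by a success for the same pair inside the window."""
    failures = defaultdict(list)          # (user, src_ip) -> [(ts, host), ...]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append((e["ts"], e["host"]))
            continue
        recent = [(t, h) for t, h in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "rule": "repeated failures followed by success (cross-host)",
                "user": e["user"], "src_ip": e["src_ip"],
                "failures": len(recent),
                "failure_hosts": sorted({h for _, h in recent}),
                "success_host": e["host"],
                "ts": e["ts"].isoformat(),
            })
    return alerts


def run_pipeline(raw_logs=RAW_LOGS):
    """Aggregate -> normalize -> correlate; returns the list of alerts."""
    events = []
    for source, line in raw_logs:
        ev = normalize(source, line)
        if ev is not None:
            events.append(ev)
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Feeding only the syslog lines or only the Windows events into run_pipeline produces no alert; the rule fires only once both sources have been normalized onto the same (user, src_ip, outcome) schema, which is the point the question is making about which component does what.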

224
MCQeasy

While supporting a hybrid workforce, after containing a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? During containment, which decision is most defensible, and which evidence should guide that decision?

A.Reconnect the host because users need it
B.Disable logging to improve performance
C.Close the incident after isolation
D.Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
AnswerD

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because before recovery, you must remove the persistence mechanism (the scheduled task) to prevent re-infection, rotate the stolen service account credentials to close the attacker's access, and verify no other hosts are compromised via the same account. This aligns with the containment, eradication, and recovery phase of NIST SP 800-61, in which eradication (eliminating all footholds) and validation of the scope of compromise precede returning the host to production.
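The three eradication conditions in option D expressed as a pre-recovery check over the evidence a responder would pull (scheduled-task inventory, logon and task-creation events, the credential rotation time). This is an added example and not part of the exam page: the hostnames, task names, timestamps, the 4624/4698 records and the rotation time are constructed, and the inventory format is an assumption (the real data would come from the endpoint tooling or the SIEM).

```python
"""Eradication checklist before recovery: persistence removed, stolen credential
rotated after its last observed use, and no related host still showing the
account in use.

Added example, not from the exam page. Hosts, task names, timestamps and
event records are constructed assumptions.
"""
from datetime import datetime

STOLEN_ACCOUNT = "svc_backup"
COMPROMISE_TIME = datetime(2024, 5, 1, 9, 0)

# Scheduled-task inventory per host (constructed; e.g. exported from Get-ScheduledTask).
TASKS_BY_HOST = {
    "ws-17": [
        {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "run_as": "SYSTEM", "created": datetime(2023, 1, 5, 8, 0)},
        {"name": "\\UpdateHelper", "run_as": "svc_backup", "created": datetime(2024, 5, 1, 9, 42)},
    ],
    "app02": [
        {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "run_as": "SYSTEM", "created": datetime(2023, 1, 5, 8, 0)},
    ],
    "web01": [],
}

# Logon (4624) and scheduled-task-created (4698) events for the account (constructed).
EVENTS = [
    {"ts": datetime(2024, 4, 30, 2, 0),  "host": "web01", "event_id": 4624, "account": "svc_backup"},
    {"ts": datetime(2024, 5, 1, 9, 40),  "host": "ws-17", "event_id": 4624, "account": "svc_backup"},
    {"ts": datetime(2024, 5, 1, 9, 42),  "host": "ws-17", "event_id": 4698, "account": "svc_backup"},
    {"ts": datetime(2024, 5, 1, 11, 5),  "host": "app02", "event_id": 4624, "account": "svc_backup"},
]


def suspicious_tasks(tasks_by_host, account, since):
    """Tasks that run as the stolen account or were created after the compromise."""
    out = {}
    for host, tasks in tasks_by_host.items():
        hits = [t["name"] for t in tasks
                if t["run_as"].lower() == account.lower() or t["created"] >= since]
        if hits:
            out[host] = hits
    return out


def hosts_with_account_use(events, account, since):
    """Hosts where the account logged on or created a task after the compromise."""
    return sorted({e["host"] for e in events
                   if e["account"].lower() == account.lower()
                   and e["ts"] >= since and e["event_id"] in (4624, 4698)})


def credential_status(events, account, rotated_at):
    """'missing' if never rotated, 'stale' if rotated before the last observed use, else 'ok'.
    rotated_at is an ISO timestamp string or None."""
    if rotated_at is None:
        return "missing"
    rotated = datetime.fromisoformat(rotated_at)
    last_use = max((e["ts"] for e in events if e["account"].lower() == account.lower()), default=None)
    return "stale" if last_use is not None and last_use >= rotated else "ok"


def recovery_gaps(tasks_by_host=TASKS_BY_HOST, events=EVENTS, rotated_at=None,
                  cleared_hosts=(), account=STOLEN_ACCOUNT, since=COMPROMISE_TIME):
    """The blockers that must be empty/ok before any host goes back into production."""
    return {
        "persistence": suspicious_tasks(tasks_by_host, account, since),
        "credential": credential_status(events, account, rotated_at),
        "hosts_to_verify": [h for h in hosts_with_account_use(events, account, since)
                            if h not in cleared_hosts],
    }


def ready_for_recovery(gaps) -> bool:
    return not gaps["persistence"] and gaps["credential"] == "ok" and not gaps["hosts_to_verify"]


if __name__ == "__main__":
    gaps = recovery_gaps()
    print(gaps, "ready:", ready_for_recovery(gaps))
```

Note the "stale" case: a password rotated while the attacker was still using the account, or before the last logon seen in the evidence, does not close the exposure, so the check compares the rotation time against the last observed use rather than just testing whether a rotation happened at all.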

Exam trap

CompTIA often tests the misconception that isolation alone is sufficient for recovery, but the trap here is that persistence and credential theft require active removal and verification before the host can be safely reintegrated.

How to eliminate wrong answers

Option A is wrong because reconnecting a host that still has active persistence (scheduled task) and compromised credentials would immediately re-expose the network to the attacker. Option B is wrong because disabling logging during containment destroys forensic evidence and violates the principle of preserving data integrity for post-incident analysis. Option C is wrong because closing the incident after isolation without removing persistence and rotating credentials leaves the attacker with a persistent backdoor and valid credentials, ensuring a repeat compromise.

225
Multi-Selecthard

A security analyst has identified a critical vulnerability that affects multiple systems. The analyst needs to report the vulnerability to management. Which THREE elements should be included in the vulnerability report? (Choose three.)

Select 3 answers
A.Number of affected systems and their criticality
B.Specific patch installation dates for each system
C.Organizational risk appetite
D.Recommended remediation steps and timeline
E.CVSS score and vector string
AnswersA, D, E

Shows the scope of impact.

Why this answer

Option A is correct because a vulnerability report must convey the scope and business impact of the issue. Including the number of affected systems and their criticality (e.g., system classification, data sensitivity, or role in the network) allows management to prioritize remediation based on risk exposure. Without this context, management cannot assess the urgency or allocate resources effectively. Option D is correct because management needs a concrete remediation plan (patch, configuration change, or compensating control) with a timeline in order to approve resources and track closure. Option E is correct because the CVSS score and vector string give a standardized severity rating and show which exploitability and impact factors drive it, so the vulnerability can be compared with others on the backlog.

Exam trap

CompTIA often tests the distinction between management-level reporting and technical operational details, causing candidates to mistakenly include granular patch dates (Option B) instead of focusing on the elements that drive decision-making.
