CompTIA CySA+ CS0-003 (CS0-003) — Questions 376–450

503 questions total · 7 pages · All types, answers revealed


Page 6 of 7

376
MCQ · hard

A vulnerability assessment identifies that an external-facing server has an outdated TLS version configured. The server supports TLS 1.0 and SSL 3.0. Which of the following is the MOST secure configuration change?

A. Upgrade to TLS 1.3 and disable all others
B. Disable TLS 1.0 and keep SSL 3.0
C. Enable TLS 1.2 and disable SSL 3.0 and TLS 1.0
D. Disable SSL 3.0 and enable TLS 1.2
Answer: C

Eliminates all insecure protocols and enables a secure one.

Why this answer

Option C is correct because it disables the insecure SSL 3.0 and TLS 1.0 protocols while enabling TLS 1.2, which is currently the most widely supported secure TLS version. TLS 1.2 provides strong cipher suites and has no known practical vulnerabilities like POODLE (SSL 3.0) or BEAST (TLS 1.0). This configuration balances security with compatibility for modern clients.

Exam trap

Cisco often tests the distinction between 'disabling only the most vulnerable protocol' (Option D) versus 'disabling all insecure protocols and enabling a secure one' (Option C), trapping candidates who forget that TLS 1.0 is also considered deprecated and insecure.

How to eliminate wrong answers

Option A is wrong because upgrading directly to TLS 1.3 may break compatibility with many existing clients and servers that do not yet support TLS 1.3, and the question asks for the 'most secure' change given the current state, not a future-proof upgrade. Option B is wrong because keeping SSL 3.0 enabled leaves the server vulnerable to the POODLE attack (CVE-2014-3566), which allows plaintext recovery from encrypted sessions. Option D is wrong because it only disables SSL 3.0 but does not explicitly disable TLS 1.0, leaving the server vulnerable to the BEAST attack (CVE-2011-3389) and other TLS 1.0 weaknesses.

377
MCQ · medium

Network flow records show one database server sending large encrypted outbound transfers to an unfamiliar autonomous system during off-hours. Which next step gives the BEST triage value? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A. Assume encryption means the transfer is safe
B. Disable all outbound internet access for the organisation
C. Delete historical flow records to reduce SIEM cost
D. Correlate flow volume with database audit logs and the destination reputation
Answer: D

Flow data identifies suspicious transfer volume; database audit logs and destination context help determine whether sensitive data may have left.

Why this answer

Option D is correct because correlating flow volume with database audit logs and destination reputation provides direct evidence of whether the encrypted outbound transfer is legitimate database replication or exfiltration. This approach leverages existing security controls (flow records, audit logs, threat intelligence) to validate the activity without assuming encryption implies safety or disrupting operations.

Exam trap

Cisco often tests the misconception that encryption guarantees safety (Option A) or that immediate blocking (Option B) is the best triage step, when in fact correlation with multiple data sources (Option D) is the proper detection engineering approach to reduce false positives while preserving signal.

How to eliminate wrong answers

Option A is wrong because encryption does not imply safety; attackers commonly use encryption to hide exfiltration, and assuming otherwise ignores the suspicious timing (off-hours) and unfamiliar ASN. Option B is wrong because disabling all outbound internet access is a drastic, disruptive response that would block legitimate business operations and is not a triage step; it violates the principle of least disruption during investigation. Option C is wrong because deleting historical flow records destroys forensic evidence needed for root cause analysis and compliance, and does not address the immediate triage need.

378
MCQ · hard

While supporting a hybrid workforce, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. What should be done first? During eradication, which decision is most defensible? Which evidence should guide the decision?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

The correct first step is to disable or rotate the compromised cloud access key and review actions performed with it. This immediately revokes the attacker's access, preventing further unauthorized use, while the review of logs and API calls determines the scope of the breach. Waiting or blocking the developer's laptop does not address the exposed credential or the active threat from the unfamiliar IP.

Exam trap

Cisco often tests the principle of immediate containment over investigation or blame; the trap here is choosing a delay tactic (Option A) or a non-technical, irrelevant action (Option C) instead of the direct, credential-focused containment step.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially leading to data exfiltration, resource abuse, and escalating costs. Option C is wrong because blocking the developer's laptop from Wi-Fi does not revoke the compromised cloud access key; the key can still be used from any other device or IP, and this action does not address the root cause or the ongoing threat.

379
Matching · medium

Match each security control to its category.

Concepts
Preventive
Detective
Recovery
Administrative
Technical

Why these pairings

Controls are categorized by their function and nature.

380
MCQ · hard

An analyst is preparing a report that includes Personally Identifiable Information (PII) from a data breach. The report will be shared with external auditors. Which of the following is the BEST practice for handling PII in the report?

A. Include full PII in the report for complete transparency
B. Encrypt the report and send it via email to auditors
C. Use tokenization or pseudonymization to mask PII while preserving analytical value
D. Remove all PII entirely, leaving only anonymized records
Answer: C

Enables audit without exposing sensitive data.

Why this answer

Option C is correct because tokenization or pseudonymization replaces PII with non-sensitive placeholders that retain referential integrity and analytical utility, allowing auditors to perform their review without exposing actual personal data. This approach balances transparency requirements with data minimization principles mandated by regulations like GDPR and PCI DSS, unlike full disclosure or simple encryption which still exposes the original data to the recipient.

Exam trap

CompTIA often tests the misconception that encryption alone is sufficient for data protection in reports, but the trap here is that encryption only secures data in transit or at rest, not after decryption by the recipient, whereas tokenization/pseudonymization provides persistent masking even after the data is accessed.

How to eliminate wrong answers

Option A is wrong because including full PII violates the principle of data minimization and unnecessarily exposes sensitive data to external parties, increasing breach risk and non-compliance with privacy regulations. Option B is wrong because encrypting the report only protects data in transit; once decrypted by the auditors, the full PII is exposed in plaintext, offering no ongoing protection against misuse or further disclosure. Option D is wrong because removing all PII entirely destroys the analytical value needed for audit correlation and verification, effectively rendering the report useless for its intended purpose.

381
Multi-Select · medium

A security analyst is prioritizing vulnerabilities for remediation. Which TWO factors should be considered HIGHEST when determining prioritization? (Choose two.)

Select 2 answers
A. CVSS base score
B. Number of false positives associated with the scan
C. System owner's preference
D. Age of the vulnerability
E. Known exploit availability
Answers: A, E

CVSS score provides a standardized severity rating.

Why this answer

The CVSS base score provides a standardized, quantitative measure of a vulnerability's severity based on intrinsic characteristics like attack vector and complexity. Prioritizing by CVSS score ensures that remediation efforts focus on vulnerabilities with the highest potential impact, aligning with industry best practices for risk-based vulnerability management.

Exam trap

Cisco often tests whether candidates confuse vulnerability age with exploit maturity; age alone is irrelevant without evidence of active exploitation or a functional exploit in the wild.

382
Multi-Select · easy

A security analyst is reviewing a vulnerability scan report and must prioritize remediation efforts. Which TWO factors are most important for prioritizing vulnerability remediation?

Select 2 answers
A. Time since vulnerability published
B. CVSS base score
C. Vendor patch release date
D. Number of hosts affected
E. Availability of public exploit code
Answers: B, E

CVSS base score is a key indicator of severity and is widely used for prioritization.

Why this answer

The CVSS base score (B) provides a standardized, vendor-neutral severity rating (0-10) that reflects the intrinsic characteristics of a vulnerability, such as attack vector, complexity, and impact on confidentiality, integrity, and availability. This score is a primary factor for prioritization because it allows analysts to compare vulnerabilities across different systems and prioritize those with the highest potential for damage, independent of environmental factors.

Exam trap

CompTIA often tests the distinction between intrinsic severity (CVSS base score) and external risk factors (exploit availability), leading candidates to mistakenly prioritize the number of affected hosts (D) or patch release date (C) over these two key factors.

383
MCQ · medium

Refer to the exhibit. A security analyst is reviewing SIEM logs and notices repeated entries from the same source IP. Which of the following actions should the analyst take NEXT?

A. Immediately block the source IP at the firewall
B. Check the baseline behavior of the source IP
C. Update the signature database
D. Isolate the affected system for forensic analysis
Answer: B

Comparing against baseline helps determine if the activity is truly anomalous and justifies further action.

Why this answer

Option B is correct because the first step in incident response is to validate whether the activity is malicious by comparing it against a known baseline. Repeated entries from the same source IP could indicate a benign automated process (e.g., a legitimate monitoring tool or scheduled scan) rather than an attack. Checking the baseline behavior prevents unnecessary disruption and aligns with the NIST SP 800-61 incident response framework's emphasis on identification and analysis before containment.

Exam trap

CompTIA often tests the candidate's ability to resist the impulse to immediately block or contain, emphasizing that verification against a baseline is the mandatory next step before any action in the incident response process.

How to eliminate wrong answers

Option A is wrong because immediately blocking the source IP without verifying the baseline could disrupt legitimate services (e.g., a corporate VPN concentrator or authorized vulnerability scanner) and violates the principle of least disruption during initial triage. Option C is wrong because updating the signature database is a preventive maintenance task for IDS/IPS systems, not a reactive step for analyzing a specific repeated log entry; it does not help determine if the source IP's behavior is anomalous. Option D is wrong because isolating the affected system for forensic analysis is a containment step that should only occur after confirming the activity is malicious; premature isolation can cause unnecessary downtime and data loss if the system is not actually compromised.

384
MCQ · hard

A new cloud log source is onboarded, but analytics fail because source IP, user, and action fields are mapped inconsistently. What should the engineer fix?

A. Log normalization and field mapping in the parser
B. Disable all enrichment lookups
C. Increase the dashboard refresh interval
D. Move logs to cold storage immediately
Answer: A

Detection rules depend on consistent normalized fields across sources.

Why this answer

Log normalization and field mapping in the parser ensure that source IP, user, and action fields from the new cloud log source are consistently transformed into the schema expected by the SIEM or analytics platform. Without this, the analytics engine cannot correlate or alert on the data because the fields are not recognized or are mapped to incorrect attributes, leading to failed analytics.

Exam trap

Cisco often tests the misconception that analytics failures are due to display or enrichment issues, when the real problem is almost always a parsing or normalization mismatch at the ingestion layer.

How to eliminate wrong answers

Option B is wrong because disabling all enrichment lookups would remove valuable context (e.g., geo-IP, threat intelligence) but does not fix the root cause of inconsistent field mapping; the logs would still be parsed incorrectly. Option C is wrong because increasing the dashboard refresh interval only changes how often the dashboard updates its display; it has no effect on how the raw log data is parsed or normalized, so the analytics would still fail.

385
Multi-Select · medium

A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)

Select 3 answers
A. Internet exposure of the affected asset
B. Alphabetical order of the CVE identifier
C. Known exploitation in the wild
D. Business criticality of the affected service
Answers: A, C, D

External reachability increases likelihood of attack.

Why this answer

Internet exposure of the affected asset is a critical factor because assets reachable from the public internet have a larger attack surface and are more likely to be targeted by automated scanners and exploit kits. Risk-based prioritization weighs the likelihood of exploitation, and an internet-facing system inherently faces a higher threat level than an internal-only asset. This aligns with the CVSS environmental metrics (Modified Attack Vector) and common vulnerability scoring frameworks that adjust severity based on network accessibility.

Exam trap

Cisco often tests the misconception that all CVSS scores are equal regardless of context, but the trap here is that candidates might think alphabetical order or CVE age is relevant, when in fact only exploitability, exposure, and business impact drive true risk-based priority.

386
Drag & Drop · medium

Arrange the steps for a typical digital forensics investigation process.


Why this order

Digital forensics follows identification, preservation, collection, examination, and presentation.

387
Multi-Select · medium

Which TWO of the following are essential steps in the incident response phase of 'Containment, Eradication, and Recovery'? (Choose two.)

Select 2 answers
A. Reimage all systems in the environment
B. Disconnect the organization from the internet
C. Remove malicious files and artifacts from affected systems
D. Collect and preserve forensic evidence
E. Isolate affected systems from the network
Answers: C, E

Eradication removes the threat.

Why this answer

Option C is correct because removing malicious files and artifacts from affected systems is a core step in the eradication phase, ensuring that the root cause of the incident is eliminated and the system can be safely restored to normal operations. This step directly addresses the removal of malware, persistence mechanisms, and unauthorized changes that were identified during analysis.

Exam trap

CompTIA often tests the distinction between 'containment' actions (like isolation) and 'eradication' actions (like removal of artifacts), and the trap here is that candidates confuse 'collecting forensic evidence' (which belongs to the identification phase) with a step in the containment/eradication process.

388
MCQ · easy

During a post-compromise review, a laptop may contain evidence for a legal investigation. What should the responder document during acquisition? During post-incident improvement, which decision is most defensible? Which action should be prioritized before closure?

A. Only the laptop colour
B. Only the ticket priority
C. Only the user's job title
D. Who collected it, when, where, hash values, transfer details, and storage location
Answer: D

Chain of custody records evidence handling and integrity from collection onward. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because forensic acquisition requires a complete chain of custody to ensure evidence integrity and admissibility in legal proceedings. Documenting who collected the evidence, when and where it was collected, cryptographic hash values (e.g., SHA-256) to verify data integrity, transfer details (e.g., write-blocker used, network path), and storage location provides a defensible record that meets legal and organizational standards.

Exam trap

CompTIA often tests the misconception that minimal documentation (like color or job title) is sufficient, when in fact comprehensive chain-of-custody details are required for legal defensibility.

How to eliminate wrong answers

Option A is wrong because documenting only the laptop color provides no forensic value and fails to establish chain of custody or evidence integrity. Option B is wrong because documenting only the ticket priority is irrelevant to forensic acquisition and does not capture any evidence-handling details. Option C is wrong because documenting only the user's job title ignores critical acquisition metadata such as collector identity, timestamps, hash values, and storage location, making the evidence indefensible in court.

389
MCQ · easy

A security analyst is reviewing vulnerability scan results and sees a critical vulnerability on a web server with a CVSS score of 9.8. The server is a legacy system that cannot be patched without causing application downtime. The business requires the application to remain available. Which of the following is the BEST course of action?

A. Remove the system from the network.
B. Disable the vulnerable service on the server.
C. Accept the risk and do nothing.
D. Implement a virtual patch using a web application firewall.
Answer: D

Virtual patching via WAF mitigates vulnerability while maintaining availability.

Why this answer

Option D is correct because a virtual patch via a web application firewall (WAF) can inspect and block exploit attempts against the vulnerability without modifying the legacy server's code or binaries. This allows the business-critical application to remain available while mitigating the 9.8 CVSS risk at the network layer, typically using signature-based or behavioral rules to intercept malicious payloads targeting the flaw.

Exam trap

CompTIA often tests the misconception that a critical vulnerability always requires immediate patching or removal, when in reality compensating controls like a WAF virtual patch are the preferred risk treatment for legacy systems that cannot be taken offline.

How to eliminate wrong answers

Option A is wrong because removing the system from the network would cause the exact application downtime the business requires to avoid, and it is an overly drastic measure when a compensating control exists. Option B is wrong because disabling the vulnerable service on the server would likely break the application's functionality, as the service is presumably the core web server process, and this also fails to address the business requirement for availability. Option C is wrong because accepting the risk and doing nothing ignores the critical severity (CVSS 9.8) and the high likelihood of exploitation, which is irresponsible without first attempting a compensating control like a WAF.

390
MCQ · medium

A security analyst needs to report a critical vulnerability to the executive team. The report should balance technical details with business impact. Which of the following is the BEST approach?

A. Simply state the vulnerability exists and a patch is available
B. Write a 50-page report covering every technical detail and mitigation option
C. Explain the vulnerability in terms of potential business impact and recommended risk treatment
D. Provide a full technical analysis of the vulnerability and remediation steps
Answer: C

This aligns with executive needs: risk, cost, and decision-making.

Why this answer

Option C is correct because it directly addresses the core requirement of balancing technical details with business impact. For a critical vulnerability, the executive team needs to understand the potential financial, operational, and reputational risks, not just the technical flaw. This approach aligns with the NIST risk management framework, which emphasizes communicating risk in terms of business context to enable informed decision-making on risk treatment (e.g., accept, mitigate, transfer, avoid).

Exam trap

CompTIA often tests the distinction between technical completeness and audience-appropriate communication, trapping candidates who choose Option D because they mistake 'full technical analysis' for the best approach, when the question explicitly requires balancing technical details with business impact for an executive audience.

How to eliminate wrong answers

Option A is wrong because simply stating a vulnerability exists and a patch is available lacks the necessary business context and risk assessment; executives need to understand the potential impact on operations, compliance, and revenue to prioritize remediation. Option B is wrong because a 50-page report with every technical detail is excessive and counterproductive for an executive audience, who require concise, actionable summaries focused on risk and business outcomes, not exhaustive technical minutiae. Option D is wrong because providing a full technical analysis and remediation steps, while thorough, fails to translate the vulnerability into business terms; it omits the critical risk treatment recommendation and does not help executives weigh the cost of remediation against potential business disruption.

391
Multi-Select · medium

Which conditions should push a vulnerability higher in the remediation queue? (Choose three.)

Select 3 answers
A. The asset supports a critical business process
B. The affected asset is internet-facing
C. Exploitation is observed in the wild
D. The CVE number is easy to remember
Answers: A, B, C

Business impact increases priority.

Why this answer

A is correct because assets supporting critical business processes have a higher impact on organizational operations if compromised. Vulnerability management prioritization frameworks, such as those aligned with the CVSS environmental score, assign greater weight to business criticality. Remediating vulnerabilities on these assets first reduces the risk of significant downtime, data loss, or regulatory non-compliance.

Exam trap

Cisco often tests the distinction between factors that increase likelihood (e.g., internet-facing, active exploitation) versus factors that increase impact (e.g., critical business process), and candidates may mistakenly prioritize vulnerabilities based solely on CVSS base score without considering environmental or threat intelligence inputs.

392
Multi-Select · hard

A vulnerability assessment has identified multiple issues. Which THREE actions are appropriate steps in the remediation process? (Choose three.)

Select 3 answers
A. Create a change request to apply the necessary patch or configuration change
B. Rescan the system immediately to confirm the vulnerability
C. Uninstall the affected software or service to remove the vulnerability
D. Research the vulnerability to understand its impact and remediation
E. Verify the remediation by performing a follow-up scan or test
Answers: A, D, E

Formal change management helps track and approve modifications.

Why this answer

Option A is correct because in a structured remediation process, applying a patch or configuration change requires a formal change request to ensure proper testing, approval, and documentation, minimizing the risk of unintended disruptions. This aligns with change management best practices in vulnerability management, where uncoordinated changes can introduce new vulnerabilities or break existing functionality.

Exam trap

Cisco often tests the misconception that immediate rescanning or drastic removal are valid remediation steps, when in fact the correct sequence requires research, controlled change implementation, and verification.

393
MCQ · medium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the evidence source phase, which evidence source best supports or refutes the detection?

A. The SIEM parser is always broken
B. A scheduled password rotation completed successfully
C. Credential access or lateral movement activity that warrants high-priority investigation
D. The file share requires more storage capacity
Answer: C

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

The deception credential is a honeytoken—a fake credential placed in a file share to detect unauthorized use. Since no legitimate user should know it, any authentication attempt using it indicates an attacker has accessed the file share (credential access) and is attempting to move laterally (lateral movement). This warrants high-priority investigation because it directly signals a breach in progress.

Exam trap

Cisco often tests the distinction between a detection artifact (like a honeytoken) and a configuration issue (like a broken parser), so candidates mistakenly attribute the alert to a technical failure rather than recognizing it as a deliberate security control triggering on malicious activity.

How to eliminate wrong answers

Option A is wrong because a broken SIEM parser would cause missing or malformed logs, not the generation of an authentication event using a deception credential; the detection itself is valid. Option B is wrong because a scheduled password rotation would change the credential's password, but the deception credential is a static honeytoken not subject to rotation, and its use would still be malicious regardless of rotation status.

394
MCQ · medium

A security analyst at a financial institution is responsible for vulnerability management. The company has a policy that all critical vulnerabilities must be remediated within 72 hours. The weekly vulnerability scan identifies a critical vulnerability on a file server that hosts sensitive customer data. The vulnerability is a remote code execution in the operating system. The server is running a legacy OS that is no longer supported by the vendor. The system owner states that the application on the server cannot be migrated to a newer OS for at least six months. The server cannot be taken offline because it is used by the compliance team for daily audits. Which of the following should the analyst recommend to best address the risk?

A. Remove the server from the network immediately.
B. Implement compensating controls such as network segmentation and host-based firewall rules.
C. Accept the risk and document the exception.
D. Apply a custom patch developed by the manufacturer.
Answer: B

Reduces risk while awaiting migration.

Why this answer

Option B is correct because when a critical vulnerability cannot be patched due to legacy OS constraints, compensating controls are the best approach to reduce risk. Network segmentation isolates the server from untrusted hosts, and host-based firewall rules restrict inbound/outbound traffic to only necessary ports and IPs, mitigating the remote code execution vector without taking the server offline.

Exam trap

CompTIA often tests the concept that compensating controls are the appropriate response when patching is impossible and business continuity is critical, tricking candidates into choosing risk acceptance (C) without considering that compensating controls must be implemented first.

How to eliminate wrong answers

Option A is wrong because immediately removing the server from the network would halt compliance audits, violating business requirements and potentially causing regulatory issues; it is an extreme measure not aligned with risk acceptance or compensating controls. Option C is wrong because accepting risk and documenting an exception without implementing any technical safeguards ignores the policy requiring remediation within 72 hours and leaves sensitive customer data exposed to remote code execution. Option D is wrong because the OS is no longer supported by the vendor, so no custom patch is available; applying an unsupported or unofficial patch could introduce instability or security flaws and is not a recommended practice.

395
MCQ · easy

An analyst needs to identify which process on a Windows system is making outbound connections to the internet. Which tool should be used?

A. netstat -an
B. Task Manager
C. Resource Monitor
D. Performance Monitor
Answer: C

Displays network activity per process.

Why this answer

Resource Monitor (resmon.exe) provides a real-time view of network activity, including which processes are making outbound TCP and UDP connections, along with the remote addresses and ports. Unlike netstat, it directly associates network connections with specific process names and allows filtering by process, making it the most efficient tool for identifying the exact process responsible for outbound internet traffic.

Exam trap

CompTIA often tests the distinction between tools that show aggregate network usage (Task Manager) versus those that show per-connection process mapping (Resource Monitor), leading candidates to choose Task Manager because they associate it with network activity without realizing it lacks connection-level detail.

How to eliminate wrong answers

Option A is wrong because netstat -an shows all active connections and listening ports but does not display the process name or PID by default; without the -b or -o flags, it cannot identify which process owns a connection. Option B is wrong because Task Manager's default view shows CPU, memory, disk, and network utilization per process, but it does not list individual outbound connections or remote addresses, only aggregate network usage. Option D is wrong because Performance Monitor is designed for long-term performance logging and analysis of system counters, not for real-time identification of specific process-to-remote-address connections.

396
MCQ · hard

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Only user password age reports
B. Only physical datacenter access logs
C. Container runtime events, Kubernetes audit logs, and network flow from the pod
D. Only monthly vulnerability scan summaries
Answer: C

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Container runtime events (e.g., `docker events` or CRI-O logs) capture the unexpected shell execution and host filesystem mount. Kubernetes audit logs record the API calls that initiated the pod, revealing the attacker's initial access vector. Network flow logs from the pod (e.g., via Calico or Cilium) show the outbound connections to the unknown IP, linking the lateral movement to the compromised container.

Together, these three telemetry sources provide the complete chain of events needed for root-cause analysis.

Exam trap

Cisco often tests the misconception that a single log source (e.g., only network flows) is sufficient for root-cause analysis, when in reality a combination of container runtime, Kubernetes audit, and network telemetry is required to reconstruct the full attack chain.

How to eliminate wrong answers

Option A is wrong because user password age reports are irrelevant to container workload activity; they track local user account password expiration policies and cannot capture runtime events, mounts, or network flows inside a pod. Option B is wrong because physical datacenter access logs record who entered the facility, not what happens inside a container; they provide no visibility into shell execution, filesystem mounts, or outbound connections from a workload.

397
Multi-Selecteasy

Which TWO of the following are best practices for secure log management? (Choose TWO)

Select 2 answers
A.Enable log encryption in transit and at rest
B.Implement log aggregation from multiple sources
C.Disable logging on non-critical systems to save space
D.Store logs on the same server for easy access
E.Use a common log format for all sources
AnswersA, B

Encryption protects log integrity and confidentiality.

Why this answer

Option A is correct because encrypting logs in transit (e.g., using TLS/SSL for syslog over TCP 6514) and at rest (e.g., AES-256 encryption on the storage volume) ensures confidentiality and integrity, preventing unauthorized access or tampering. This aligns with security frameworks like NIST SP 800-92 and PCI DSS requirements for protecting log data.

Exam trap

CompTIA often tests the misconception that 'common log format' is a security best practice, but it is actually an operational convenience; the trap is confusing operational efficiency with security controls.

398
Multi-Selectmedium

Which TWO of the following are key phases of the incident response process as defined by NIST?

Select 2 answers
A.Recovery
B.Containment
C.Preparation
D.Eradication
E.Post-Incident Activity
AnswersC, E

One of the four main phases.

Why this answer

The NIST SP 800-61 Rev. 2 incident response lifecycle consists of four key phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Option C (Preparation) is correct because it is the foundational phase where policies, tools (e.g., SIEM, EDR), and communication plans are established before any incident occurs. Option E (Post-Incident Activity) is correct because it includes lessons learned, evidence retention, and report generation to improve future response efforts.

Exam trap

Cisco often tests the distinction between the four key NIST phases and the sub-steps within the third phase, causing candidates to mistakenly select Containment, Eradication, or Recovery as separate key phases instead of recognizing they are combined.

399
MCQmedium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For control selection, which control best addresses the stated weakness without hiding risk?

A.Run authenticated scans using least-privilege scanner credentials
B.Increase only the port range
C.Disable host firewalls permanently
D.Trust the unauthenticated result as complete
AnswerA

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans only enumerate open ports and services visible without credentials, missing the patch status of installed software because they cannot query the Windows registry or WMI for installed updates. Running authenticated scans with least-privilege credentials allows the scanner to log into each target and retrieve detailed patch data via the Windows Update Agent API or registry keys, revealing missing patches that were previously invisible. This directly addresses the security manager's suspicion of missing patch data without introducing unnecessary risk.

Exam trap

Cisco often tests the misconception that increasing scan depth (e.g., port range or intensity) compensates for lack of authentication, but the trap here is that patch data is only accessible through authenticated access, not by broader network scanning.

How to eliminate wrong answers

Option B is wrong because increasing only the port range expands the network-layer scan but still cannot access patch-level information without authentication; it only finds more open ports, not missing patches. Option C is wrong because permanently disabling host firewalls exposes the servers to network-based attacks and does not enable the scanner to retrieve patch data—authentication is required, not firewall bypass. Option D is wrong because trusting the unauthenticated result as complete ignores the fundamental limitation that unauthenticated scans cannot assess patch status, leaving the organization vulnerable to known exploits that the scanner missed.

400
MCQhard

A security analyst is reviewing SIEM alerts and sees multiple failed logon events from a single external IP address across several user accounts within two minutes. The source IP is from a known malicious geolocation. What type of attack is most likely occurring?

A.Password spraying attack
B.Distributed denial-of-service (DDoS) attack
C.Brute-force attack
D.Pass-the-hash attack
AnswerC

Multiple failed logon attempts from one IP across accounts indicate a brute-force attack.

Why this answer

The scenario describes multiple failed logon attempts from a single external IP against several user accounts within a short time window. This pattern is characteristic of a brute-force attack, where an attacker systematically tries common or guessed passwords across multiple accounts to gain unauthorized access. The single source IP and rapid sequence of failures distinguish it from a password spraying attack, which spreads attempts across many accounts slowly to avoid lockout thresholds.

Exam trap

The trap here is confusing a brute-force attack with a password spraying attack; CompTIA often tests this by emphasizing the speed and source IP concentration versus the slow, distributed nature of password spraying.

How to eliminate wrong answers

Option A is wrong because a password spraying attack uses a small number of common passwords against many accounts over an extended period to evade account lockout, not rapid attempts from one IP against multiple accounts. Option B is wrong because a DDoS attack aims to overwhelm a service with traffic to cause denial of service, not to authenticate via logon events. Option D is wrong because a pass-the-hash attack involves capturing and reusing NTLM or Kerberos hashes to authenticate without knowing the plaintext password, which does not generate failed logon events from a single external IP.

401
MCQhard

A company policy requires that all security incidents be reported to management within one hour of detection. An analyst discovers a low-severity incident (a single malware download attempt blocked by antivirus) at 4:55 PM on a Friday. The analyst is about to leave for the weekend. What should the analyst do?

A.Document the incident in the ticketing system and report it the next business day.
B.Report the incident immediately according to policy, even if it means staying late.
C.Report the incident via email and ignore it until Monday.
D.Wait until Monday morning to report, as it is low severity.
AnswerB

Complying with policy ensures timely reporting, which is mandatory.

Why this answer

Option B is correct because the company policy explicitly requires reporting all security incidents within one hour of detection, regardless of severity. The analyst must report the incident immediately, even if it means staying late, as policy compliance is mandatory and low-severity incidents still represent a security event that could indicate broader compromise or be part of a larger attack chain. Delaying reporting violates the policy and could lead to disciplinary action or missed escalation windows.

Exam trap

The trap here is that candidates assume low-severity incidents can be deferred or handled casually, but Cisco tests strict adherence to policy timelines regardless of severity, emphasizing that all incidents must be reported within the specified window.

How to eliminate wrong answers

Option A is wrong because documenting the incident in the ticketing system but delaying the report until the next business day violates the one-hour reporting policy, and low severity does not exempt the analyst from timely notification. Option C is wrong because reporting via email and then ignoring the incident until Monday fails to ensure the incident is properly tracked, escalated, or remediated, and it does not constitute a complete report within the required timeframe. Option D is wrong because waiting until Monday morning to report, even for a low-severity incident, directly contradicts the policy that mandates reporting within one hour of detection, and severity does not override the reporting requirement.

402
MCQhard

Based on the exhibit, which vulnerability should the analyst prioritize for remediation?

A.Squid http proxy 3.5.20
B.OpenSSH 7.4
C.Apache httpd 2.4.6
D.MySQL 5.5.62
AnswerD

MySQL 5.5.62 is end-of-life and has multiple critical remote code execution vulnerabilities.

Why this answer

MySQL 5.5.62 is end-of-life (EOL) and no longer receives security patches, making it vulnerable to known exploits such as CVE-2016-6662 (privilege escalation via crafted my.cnf) and CVE-2016-6663 (privilege escalation via REPAIR TABLE). The analyst should prioritize this because the lack of vendor support means any discovered vulnerability will remain unpatched, posing a critical risk to data confidentiality and integrity.

Exam trap

CompTIA often tests the concept that end-of-life software with no vendor support is a higher priority than older but still-supported versions, even if the latter have known CVEs, because unsupported software will never receive patches for future vulnerabilities.

How to eliminate wrong answers

Option A is wrong because Squid http proxy 3.5.20 is not the highest priority; while it may have vulnerabilities, it is not EOL and typically has a lower CVSS score compared to an unsupported database. Option B is wrong because OpenSSH 7.4, though older, is still supported in many enterprise distributions (e.g., RHEL 7 backports security fixes) and does not represent an immediate EOL risk like MySQL 5.5.62. Option C is wrong because Apache httpd 2.4.6 is also still supported in some long-term support distributions (e.g., RHEL 7) and does not carry the same criticality as an unsupported database server that stores sensitive data.

403
MCQmedium

A server team needs to fix an OpenSSL vulnerability across Linux hosts. What should the technical remediation section include? If the primary audience is the business service owner, which content choice is most appropriate?

A.Only estimated financial loss
B.Only a red/yellow/green chart
C.Affected assets, package versions, patch commands or vendor guidance, validation method, and rollback notes
D.Only the CVE headline
AnswerC

Technical teams need precise, actionable remediation steps and a way to confirm success. The report should be tuned to the business service owner while preserving factual accuracy.

Why this answer

Option C is correct because a technical remediation section must provide actionable steps for the server team to fix the OpenSSL vulnerability. It includes affected assets (specific Linux hosts), package versions (e.g., openssl-1.1.1k), patch commands (e.g., 'yum update openssl' or 'apt-get upgrade openssl'), vendor guidance (e.g., Red Hat or Ubuntu advisories), validation method (e.g., 'openssl version' or 'openssl version -a'), and rollback notes (e.g., 'yum history undo' or snapshot restore). For a business service owner, this content is most appropriate because it translates technical actions into clear, auditable steps that demonstrate risk mitigation and operational planning.

Exam trap

Cisco often tests the distinction between a technical remediation section (actionable steps for engineers) and a business impact summary (for executives), so candidates mistakenly pick a single metric or chart instead of the comprehensive, executable plan required for the server team.

How to eliminate wrong answers

Option A is wrong because only estimated financial loss is a business impact metric, not a technical remediation step; it fails to provide the server team with any actionable commands or procedures to fix the OpenSSL vulnerability. Option B is wrong because only a red/yellow/green chart is a status summary or risk heatmap, not a remediation plan; it lacks the specific package versions, patch commands, and validation methods needed to execute the fix. Option D is wrong because only the CVE headline (e.g., CVE-2022-3786) identifies the vulnerability but gives no technical steps to remediate it; the server team needs patch commands and rollback procedures, not just a reference number.

404
MCQmedium

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Only DHCP logs from the London office
B.The organisation's public DNS zone file
C.Only the user's browser cache
D.Sign-in logs, MFA result, device details, and mailbox audit events
AnswerD

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option D is correct because the scenario describes a potential account takeover or lateral movement, where an impossible travel event (logins from London and Singapore within 12 minutes) is followed by a suspicious mailbox forwarding rule. The analyst must first verify the sign-in logs for authentication details, MFA results to check if the MFA was bypassed or prompted, device details to identify if a known or managed device was used, and mailbox audit events to confirm the forwarding rule creation and its origin. These combined data sources provide the most direct evidence to determine if the activity is malicious or a false positive.

Exam trap

CompTIA often tests the misconception that network-level logs (like DHCP or DNS) are sufficient for investigating user account anomalies, but the correct approach requires focusing on authentication and audit logs that directly capture user identity and actions.

How to eliminate wrong answers

Option A is wrong because DHCP logs only show IP address assignments and cannot provide authentication context, MFA results, or mailbox audit events needed to investigate the impossible travel and forwarding rule. Option B is wrong because the organization's public DNS zone file contains domain name mappings and is irrelevant to user authentication events or mailbox rule changes; it would not help trace the user's activity. Option C is wrong because the user's browser cache is a client-side artifact that may show browsing history but cannot reveal server-side authentication logs, MFA challenges, or mailbox audit events, and it is not a reliable source for enterprise security investigations.

405
MCQeasy

While supporting a hybrid workforce, a company wants to test whether legal, PR, IT, and executives understand their roles during a ransomware incident without touching production systems. What exercise is best? During post-incident improvement, which decision is most defensible? Which evidence should guide the decision?

A.Tabletop exercise using a realistic ransomware scenario
B.Purchasing a new SIEM without testing procedures
C.Annual password reset only
D.Full destructive malware detonation in production
AnswerA

Tabletops validate decision paths and communication without operational disruption. In post-incident improvement, responders need action that reduces risk while preserving the investigation record.

Why this answer

A tabletop exercise (option A) is the correct choice because it simulates a realistic ransomware scenario in a discussion-based format, allowing legal, PR, IT, and executives to validate their roles and decision-making processes without impacting production systems. This aligns with NIST SP 800-61r2 guidelines for testing incident response plans through low-impact, discussion-driven exercises, ensuring cross-functional coordination without risking data integrity or availability.

Exam trap

Cisco often tests the distinction between 'testing the plan' (tabletop) and 'testing the technology' (SIEM purchase or password reset), where candidates mistakenly choose a technical solution like a new SIEM because they focus on detection tools rather than validating human roles and decision-making processes.

How to eliminate wrong answers

Option B is wrong because purchasing a new SIEM without testing procedures introduces untested technology into the environment, which can create false positives/negatives and operational gaps, and does not validate human roles during an incident. Option C is wrong because an annual password reset only addresses a single authentication control and does not test the multi-team response, communication, or decision-making required during a ransomware incident, leaving critical gaps in legal, PR, and executive coordination.

406
Drag & Dropmedium

Arrange the steps for a typical penetration testing engagement in the correct order.


Why this order

Penetration testing follows a structured methodology: recon, scanning, exploitation, post-exploitation, and reporting.

407
Multi-Selecthard

A threat hunter suspects data exfiltration over HTTPS from a database server. Which data sources are most useful? (Choose two.)

Select 2 answers
A.Database audit logs showing queried objects and accounts
B.Printer toner status
C.Building temperature logs
D.NetFlow or proxy logs showing destination, volume, and timing
AnswersA, D

Database logs reveal whether sensitive data was accessed before transfer.

Why this answer

Database audit logs record which objects (tables, columns) were queried and by which accounts, directly revealing unauthorized access or unusual data retrieval patterns that could indicate exfiltration. NetFlow or proxy logs capture destination IP addresses, data volumes, and timing of HTTPS sessions, allowing the hunter to spot large or anomalous outbound transfers to suspicious hosts, even though the payload is encrypted.

Exam trap

Cisco often tests the misconception that encrypted traffic (HTTPS) is completely opaque, leading candidates to overlook metadata sources like NetFlow or proxy logs that can reveal exfiltration patterns without decryption.

408
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For business prioritization, which recommendation gives the best risk-based order of work?

A.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
B.Delete the server from the scan scope
C.Change the severity to informational automatically
D.Close the finding because the owner disagrees
AnswerA

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option A is correct because the best validation method is to independently verify the server's TLS configuration by manually testing with a TLS client (e.g., OpenSSL s_client) or a scanner profile that explicitly attempts to negotiate TLS 1.0. This eliminates false positives from automated scanners that may rely on banner grabbing or outdated fingerprints, and directly confirms whether the service accepts TLS 1.0 handshakes at the protocol level.

Exam trap

The trap here is that candidates assume the scanner's automated result is always accurate and choose to change severity or remove the finding, rather than understanding that validation through independent protocol negotiation is the required step before any risk-based prioritization.

How to eliminate wrong answers

Option B is wrong because deleting the server from the scan scope ignores the potential vulnerability entirely, failing to validate the finding and leaving the organization exposed if TLS 1.0 is actually enabled. Option C is wrong because automatically changing the severity to informational without validation could mask a real risk; severity should be based on verified technical evidence, not automated assumptions, and this bypasses proper risk assessment.

409
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For control selection, which control best addresses the stated weakness without hiding risk?

A.Close the finding because the owner disagrees
B.Change the severity to informational automatically
C.Delete the server from the scan scope
D.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
AnswerD

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the best validation method is to manually test the service using a TLS client (e.g., OpenSSL s_client) or a scanner profile that explicitly attempts to negotiate TLS 1.0. This directly verifies whether the server truly rejects TLS 1.0 handshakes, eliminating false positives from scanner misconfiguration or version negotiation quirks. Relying on the owner's assertion or altering the finding without technical proof would violate vulnerability management best practices.

Exam trap

CompTIA often tests the misconception that a service owner's claim or a scanner's default severity should override manual technical verification, tempting candidates to choose administrative actions (A, B, C) instead of the rigorous validation step (D).

How to eliminate wrong answers

Option A is wrong because closing a finding solely because the owner disagrees ignores the need for technical validation and hides potential risk. Option B is wrong because automatically changing severity to informational without testing conceals the actual risk level and violates the principle of risk transparency. Option C is wrong because deleting the server from scan scope removes visibility entirely, which is an extreme and inappropriate response that does not address the underlying protocol weakness.

410
Multi-Selectmedium

A Security Operations Center (SOC) analyst is tuning a SIEM rule to reduce false positives. Which three of the following are valid approaches to improve the signal-to-noise ratio of a detection rule? (Choose three.)

Select 3 answers
A.Adding a whitelist for known benign source IP addresses or user accounts.
B.Increasing the severity level of the alert to ensure faster response.
C.Adjusting the time window for event correlation to reduce overlapping alerts.
D.Removing the rule entirely to eliminate all associated noise.
E.Refining the event frequency threshold to require a higher number of occurrences.
F.Adding additional event sources to broaden the scope of detection.

Why this answer

Adding a whitelist for known benign source IP addresses or user accounts is a valid approach because it directly reduces false positives by excluding traffic that is known to be safe from triggering the rule. This improves the signal-to-noise ratio by ensuring that only truly suspicious activity generates alerts, without altering the detection logic itself.

Exam trap

CompTIA often tests the misconception that increasing severity or adding more data sources improves detection quality, when in fact these actions can degrade the signal-to-noise ratio by amplifying noise or misdirecting analyst attention.
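The failed-logon pattern from question 400 (one source IP, many accounts, a short window) and the three tuning knobs question 410 calls valid (allowlist, correlation window, occurrence threshold), worked through as an added example that is not part of the question bank. All events, addresses and the allowlisted scanner are constructed; the function names are this example's own.

```python
"""Added example, not part of the question bank: a toy failed-logon burst rule
(the Q400 pattern: one source IP, many accounts, short window) with the three
tuning knobs Q410 lists as valid: an allowlist, the correlation time window and
the occurrence threshold.  All events and addresses below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (UTC timestamp, source IP, target account, outcome).
# 203.0.113.9 = hypothetical external source, 198.51.100.7 = hypothetical internal
# vulnerability scanner, 192.0.2.x = hypothetical staff workstations.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "203.0.113.9",  "grace",         "failure"),  # early probe
    ("2024-03-01T10:12:00", "192.0.2.44",   "bob",           "failure"),  # user typo
    ("2024-03-01T10:12:09", "192.0.2.44",   "bob",           "failure"),
    ("2024-03-01T10:12:20", "192.0.2.44",   "bob",           "success"),
    ("2024-03-01T16:40:00", "198.51.100.7", "administrator", "failure"),  # scanner checks
    ("2024-03-01T16:40:05", "198.51.100.7", "backup",        "failure"),
    ("2024-03-01T16:40:10", "198.51.100.7", "svc-web",       "failure"),
    ("2024-03-01T16:55:01", "203.0.113.9",  "alice",         "failure"),  # burst begins
    ("2024-03-01T16:55:10", "203.0.113.9",  "bob",           "failure"),
    ("2024-03-01T16:55:25", "203.0.113.9",  "carol",         "failure"),
    ("2024-03-01T16:55:40", "203.0.113.9",  "dave",          "failure"),
    ("2024-03-01T16:56:02", "203.0.113.9",  "erin",          "failure"),
    ("2024-03-01T16:56:30", "203.0.113.9",  "frank",         "failure"),
]

# Assumption: the scanner's auth failures are documented and expected, so its
# source IP is allowlisted instead of weakening the rule for everyone.
ALLOWLIST = frozenset({"198.51.100.7"})


def detect_bursts(events, window_seconds=120, min_accounts=5, allowlist=frozenset()):
    """Return one alert per source IP whose failed logons reach min_accounts distinct
    target accounts inside any sliding window of window_seconds.

    Successful logons and allowlisted sources never count toward the threshold."""
    failures = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome != "failure" or ip in allowlist:
            continue
        failures[ip].append((datetime.fromisoformat(ts), account))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        best = None
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            # Slide the window start forward until it spans at most window_seconds.
            while t_end - attempts[start][0] > window:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) >= min_accounts and (
                best is None or len(accounts) > best["distinct_accounts"]
            ):
                best = {
                    "source_ip": ip,
                    "distinct_accounts": len(accounts),
                    "attempts_in_window": end - start + 1,
                    "window_start": attempts[start][0].isoformat(),
                    "window_end": t_end.isoformat(),
                    "pattern": "single source, many accounts, short window (brute force)",
                }
        if best is not None:
            alerts.append(best)
    return alerts


def untuned_alerts(events=SAMPLE_EVENTS):
    """Noisy first draft: two distinct accounts in two minutes, no allowlist."""
    return detect_bursts(events, window_seconds=120, min_accounts=2)


def tuned_alerts(events=SAMPLE_EVENTS):
    """Tuned rule: scanner allowlisted, five distinct accounts in two minutes."""
    return detect_bursts(events, window_seconds=120, min_accounts=5, allowlist=ALLOWLIST)


if __name__ == "__main__":
    for label, alerts in (("untuned", untuned_alerts()), ("tuned", tuned_alerts())):
        print(f"{label}: {len(alerts)} alert(s)")
        for a in alerts:
            print("  ", a["source_ip"], a["distinct_accounts"], "accounts,",
                  a["window_start"], "->", a["window_end"])
```

Widening the window to a full day pulls the 09:00 probe into the same alert (seven accounts instead of six), which is the trade-off the "time window" option describes: a wider window catches slower activity at the cost of merging unrelated events.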

411
MCQhard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For validation, which action should be taken before closing or downgrading the finding?

A.Create a duplicate ticket for every asset
B.A retest showing the vulnerable condition is no longer present
C.Close it immediately based on the email
D.Wait one year before testing
AnswerB

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

Option B is correct because the vulnerability manager must obtain objective evidence that the fix was successfully applied and the vulnerability is no longer exploitable. A retest—typically performed via authenticated scanning or manual verification—confirms the absence of the vulnerable condition, aligning with the remediation validation phase in the vulnerability management lifecycle. Closing based solely on a team's email (Option C) violates the principle of verify, not trust, and could leave residual risk unaddressed.

Exam trap

Cisco often tests the principle that vulnerability closure requires independent verification (retest) rather than accepting a team's assertion, and the trap here is that candidates may think an email confirmation is sufficient because it comes from the responsible team, ignoring the need for objective evidence.

How to eliminate wrong answers

Option A is wrong because creating a duplicate ticket for every asset introduces unnecessary administrative overhead and does not provide any validation that the patch was applied or effective; it merely duplicates work without confirming remediation. Option C is wrong because closing a finding based solely on an email from the team bypasses the required verification step; the vulnerability manager must independently confirm the fix through a retest or equivalent evidence, as the team's claim could be mistaken or incomplete.

412
MCQmedium

A vulnerability scanner reports that an internal web application is vulnerable to SQL injection. The development team says they fixed it by input sanitization. Which of the following should the analyst do FIRST?

A.Update the vulnerability report
B.Perform a manual penetration test
C.Rescan the application to confirm remediation
D.Review the code changes
AnswerC

Rescanning provides immediate evidence of whether the vulnerability is resolved.

Why this answer

Option C is correct because the first step after a claimed fix is to verify the remediation by rescanning the application with the same vulnerability scanner. This provides objective evidence that the SQL injection vector is no longer exploitable, confirming the input sanitization was effective before any further actions are taken.

Exam trap

CompTIA often tests the misconception that reviewing code changes is the immediate next step, but the correct first action is always to verify the fix with the same scanning tool to maintain an objective audit trail.

How to eliminate wrong answers

Option A is wrong because updating the vulnerability report without verifying the fix could propagate false information and lead to compliance issues. Option B is wrong because performing a manual penetration test is a valid next step but should come after automated rescanning to confirm the basic fix, as it is more resource-intensive and may miss simple residual issues. Option D is wrong because reviewing code changes is a development task and not the analyst's first action; the analyst should first confirm the fix via scanning to maintain an objective security posture.

413
MCQeasy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For validation, which action should be taken before closing or downgrading the finding?

A.Ship the image and document nothing
B.Validate exploitability and rebuild from a patched base image where feasible
C.Only rename the image tag
D.Ignore all base-image vulnerabilities
AnswerB

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option B is correct because the best next step is to validate whether the vulnerable OpenSSL binary is actually exploitable in the container's runtime context (e.g., it may be a statically linked unused library or a dead code path). If the binary is truly unused, the team should still rebuild from a patched base image where feasible to maintain a clean supply chain and avoid false-positive fatigue; if it is used, the vulnerability must be remediated. This balances security rigor with operational pragmatism, aligning with vulnerability management best practices for containerized environments.

Exam trap

CompTIA often tests the misconception that a vulnerability can be safely ignored simply because the application team claims the binary is unused, without requiring validation or a documented risk acceptance process.

How to eliminate wrong answers

Option A is wrong because shipping the image without documentation violates security policy and audit requirements, leaving no record of the risk acceptance decision. Option C is wrong because renaming the image tag does not change the vulnerable base layer; the CVE remains present and exploitable if the binary is used. Option D is wrong because ignoring all base-image vulnerabilities is negligent; even if this specific CVE is not exploitable, other vulnerabilities in the same base layer could be active, and blanket ignoring undermines the CI pipeline's security gates.

414
MCQmedium

A deception credential placed in a file share is used to authenticate to a server. No legitimate user should know the credential. What does this most likely indicate? In the detection engineering phase, which detection or tuning approach would reduce noise without losing the signal?

A.Credential access or lateral movement activity that warrants high-priority investigation
B.The file share requires more storage capacity
C.A scheduled password rotation completed successfully
D.The SIEM parser is always broken
AnswerA

Use of a honey credential is a high-fidelity signal because legitimate workflows should not touch it.

Why this answer

A deception credential is a deliberately planted fake credential (e.g., a honey token) that no legitimate user should ever use. When it is used to authenticate to a server, it indicates that an attacker has discovered the credential and is attempting to use it for lateral movement or credential access. This is a high-fidelity alert that warrants immediate investigation because it directly signals unauthorized activity.

Exam trap

Cisco often tests the concept that deception credentials are not used by legitimate users or automated processes, so any authentication with them is malicious; the trap is confusing this with routine administrative actions like password rotation or storage issues.

How to eliminate wrong answers

Option B is wrong because the file share requiring more storage capacity is a capacity management issue, not a security detection concern; it would not generate an authentication event. Option C is wrong because a scheduled password rotation would use legitimate, known credentials and would not involve a deception credential that no legitimate user should know; password rotation tools do not authenticate with honey tokens.

415
MCQ (hard)

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. Remediate alphabetically by CVE ID
B. Remediate only vulnerabilities with vendor logos in the report
C. Prioritize the KEV/high-EPSS issue after confirming asset exposure
D. Always sort only by CVSS base score
Answer: C

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because CISA KEV and high EPSS indicate active exploitation in the wild, making the medium CVSS vulnerability a higher operational priority than non-exploitable high CVSS issues. The analyst must first confirm asset exposure to ensure the vulnerability actually affects the environment before recommending remediation. This aligns with risk-based vulnerability management (RBVM) principles, which prioritize exploitability and threat intelligence over CVSS base score alone.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the trap here is that a medium CVSS vulnerability with KEV/high EPSS is more urgent than high CVSS issues that are not exploitable in the environment.

How to eliminate wrong answers

Option A is wrong because sorting alphabetically by CVE ID ignores all risk factors (CVSS, KEV, EPSS, exploitability) and would waste resources on low-priority findings. Option B is wrong because vendor logos in a report do not correlate with exploitability or business risk; a vulnerability may lack a vendor logo yet still be actively exploited and critical to remediate.

416
MCQ (hard)

File shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to stop the ransomware from encrypting more data and spreading laterally. Isolating the workstation (e.g., disabling its network interface or disconnecting the cable) and terminating its active SMB sessions to file servers cuts off the encryption process at the source, preventing further damage while preserving forensic evidence.

Exam trap

Cisco often tests the principle that containment must be immediate and technical (e.g., isolating the host) rather than investigative (scanning) or restorative (backups), and the trap here is that candidates may think scanning or restoring is a valid first step, when in fact it wastes critical time during active encryption.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans is a time-consuming, passive step that does nothing to halt active encryption or lateral movement; containment must come first. Option B is wrong because restoring backups before isolating the host risks re-infection if the ransomware is still active on the network, and it violates the containment-first principle of incident response. Option C is wrong because emailing the ransom note to all users is not a containment action; it may cause panic, spread misinformation, and does not stop the encryption or disable the attacker's access.

417
Multi-Select (medium)

During the post-incident analysis phase of an incident response process, which of the following activities are considered essential best practices? Choose all that apply. (There are four correct answers.)

Select 4 answers
- Creating a detailed timeline of the incident from detection to containment and recovery.
- Identifying gaps in existing security controls that allowed the incident to occur.
- Updating playbooks and incident response plans based on lessons learned.
- Performing a root cause analysis to determine the underlying cause of the incident.
- Immediately deleting all logs related to the incident to free up storage space.
- Notifying law enforcement and regulatory bodies before conducting any internal investigation.

Why this answer

A detailed timeline is essential for reconstructing the sequence of events, identifying the initial compromise vector, and measuring response effectiveness. It provides a factual basis for all subsequent analysis and reporting, ensuring that the incident response team can accurately assess the scope and impact of the incident.

Exam trap

CompTIA often tests the distinction between 'immediate containment actions' and 'post-incident analysis best practices,' where candidates mistakenly select actions that are appropriate during the containment phase (like preserving evidence) but not during the analysis phase, or they confuse notification requirements with internal investigation priorities.

418
Multi-Select (hard)

An emergency patch may break a revenue-critical system. Which actions balance risk and availability? (Choose two.)

Select 2 answers
A. Test the patch in a representative staging environment
B. Apply temporary compensating controls while preparing deployment
C. Disable monitoring to avoid alerts during the change
D. Ignore active exploitation until the next annual review
Answers: A, B

Testing reduces outage risk.

Why this answer

Option A is correct because testing the emergency patch in a representative staging environment that mirrors the production system's configuration, dependencies, and load allows you to identify potential breaking changes before deployment. This balances risk by validating the patch's impact on revenue-critical systems while maintaining availability, as any failures are contained in the test environment. Option B is correct because applying temporary compensating controls—such as additional monitoring, rate limiting, or failover mechanisms—provides a safety net that reduces the blast radius of a potential patch failure, enabling you to proceed with deployment while preserving system availability.

Exam trap

Cisco often tests the misconception that disabling monitoring reduces operational overhead during changes, but the trap here is that it actually increases risk by removing the ability to detect and respond to failures, which is essential for maintaining availability in revenue-critical systems.

419
MCQ (medium)

An EDR alert shows powershell.exe launched by winword.exe with an encoded command line and outbound HTTPS shortly after a user opened an email attachment. What is the BEST first analytic pivot? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Disable the SIEM parser for PowerShell events
B. Reimage every workstation in the department
C. Close the alert because HTTPS is expected traffic
D. Decode the command and inspect the process tree, parent document, and network destination
Answer: D

Encoded PowerShell launched by Office is a high-signal chain; decoding and process-tree review confirms intent and scope.

Why this answer

Option D is correct because the encoded PowerShell command is the primary indicator of malicious intent; decoding it reveals the attacker's instructions. Inspecting the process tree (winword.exe spawning powershell.exe) confirms the infection vector (phishing attachment), and analyzing the parent document and network destination identifies the payload and C2 server. This sequence directly addresses root-cause analysis by tracing the attack from initial access to execution.

Exam trap

CompTIA often tests the misconception that encoded commands or HTTPS traffic are inherently benign, tempting candidates to dismiss the alert or take premature remediation steps instead of performing forensic analysis.

How to eliminate wrong answers

Option A is wrong because disabling the SIEM parser for PowerShell events would blind the security team to future attacks, not investigate the current alert. Option B is wrong because reimaging every workstation is a drastic remediation step that should only occur after confirming the scope of compromise through forensic analysis, not as a first analytic pivot. Option C is wrong because HTTPS is commonly used by malware to blend in with legitimate traffic; assuming it is benign ignores the context of an encoded PowerShell launch from a document reader.

420
Multi-Select (hard)

A team requests a patch exception for a legacy application. What should be required? (Choose two.)

Select 2 answers
A. Documented compensating controls and monitoring
B. A time-bound owner-approved risk acceptance
C. Removal of the asset from inventory
D. Permanent suppression from all reports
Answers: A, B

Controls reduce risk while the vulnerability remains.

Why this answer

A is correct because when a patch cannot be applied to a legacy application, compensating controls (e.g., network segmentation, host-based firewall rules, or input validation) must be documented to mitigate the specific vulnerabilities the patch would address. Monitoring must also be implemented to detect any exploitation attempts against those unpatched weaknesses, ensuring the residual risk is continuously observed. This aligns with the vulnerability management lifecycle where exceptions require evidence of alternative risk reduction, not just a waiver.

Exam trap

Cisco often tests whether candidates confuse 'compensating controls' with 'removal from inventory' as a quick fix; the trap here is that removing the asset is a separate action (decommissioning), not a valid component of a patch exception process.

421
Matching (medium)

Match each incident response phase to its activity.

Concepts / Matches

- Establish policies and tools
- Identify potential incidents
- Isolate affected systems
- Remove threat from environment
- Restore normal operations

Why these pairings

These phases form the incident response lifecycle.

422
MCQ (medium)

During forensic acquisition, which of the following types of data is considered the MOST volatile?

A. Network connections.
B. Disk.
C. Page file.
D. RAM.
Answer: D

RAM is volatile and changes constantly; it is the most volatile.

Why this answer

RAM (Random Access Memory) is the most volatile data because it loses its contents immediately when power is removed. In forensic acquisition, the order of volatility dictates that RAM must be captured first, as it contains running processes, open network connections, and decrypted data that cannot be recovered from disk. Network connections, while volatile, are a subset of the data stored in RAM and are less critical to capture first.

Exam trap

CompTIA often tests the order of volatility by making candidates confuse 'network connections' as the most volatile because they change rapidly, but the key is that network connection data is stored in RAM, making RAM itself the most volatile component that must be acquired first.

How to eliminate wrong answers

Option A is wrong because network connections are a type of data that resides in RAM and are therefore less volatile than RAM itself; they are captured as part of the RAM dump. Option B is wrong because disk data is non-volatile and persists after power loss, making it the least volatile among the options. Option C is wrong because the page file (swap file) is stored on disk and is non-volatile; it is a secondary storage mechanism, not primary memory.

423
MCQ (easy)

During an incident response, the team identifies that a workstation was compromised via a phishing email. Which of the following should be performed immediately after containment?

A. Notify law enforcement about the phishing campaign.
B. Collect forensic evidence from the workstation.
C. Conduct a root cause analysis of the phishing email.
D. Eradicate the malware from the workstation.
Answer: D

Eradication follows containment to remove the threat.

Why this answer

Option D is correct because, immediately after containment, the priority is to eradicate the malware from the workstation to prevent reinfection or lateral movement. Containment isolates the system, but eradication removes the malicious artifacts (e.g., registry keys, scheduled tasks, or malicious binaries) to ensure the system is clean before recovery. This step aligns with the NIST SP 800-61 incident response lifecycle, where eradication follows containment to eliminate the threat's foothold.

Exam trap

CompTIA often tests the order of the incident response phases (containment, eradication, recovery, lessons learned) and the trap here is that candidates mistakenly choose 'Collect forensic evidence' (Option B) because they confuse the need for evidence with the immediate priority of removing the active threat after containment.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a post-incident activity that occurs after eradication and recovery, not immediately after containment; premature notification can delay technical response and may not be required for every phishing incident. Option B is wrong because collecting forensic evidence should occur before containment (or during containment with proper imaging), not after containment, as containment actions (e.g., disconnecting the network) can alter volatile data if evidence collection is delayed. Option C is wrong because conducting a root cause analysis is part of the lessons-learned phase, which happens after eradication and recovery; performing it immediately after containment wastes time that should be spent removing the active threat.

424
Multi-Select (medium)

A vulnerability manager wants accurate Linux package findings. Which scan conditions are important? (Choose two.)

Select 2 answers
A. Authenticated access to inspect installed packages
B. Scanner account permissions sufficient for inventory commands
C. Only scanning ICMP echo replies
D. Changing server hostnames randomly
Answers: A, B

Local package state usually requires credentials.

Why this answer

For accurate Linux package findings, the vulnerability scanner must have authenticated access (e.g., via SSH with valid credentials) to inspect installed packages directly from the package manager database (e.g., RPM or dpkg). Without authentication, the scanner can only perform unauthenticated network-based checks, which cannot reliably determine installed software versions or patch levels. Authenticated access ensures the scanner can execute commands like 'rpm -qa' or 'dpkg -l' to enumerate packages with high accuracy.

Exam trap

Cisco often tests the misconception that unauthenticated network scans (e.g., banner grabbing or ICMP) can replace authenticated scans for accurate software inventory, but only authenticated access with proper permissions yields reliable package-level findings.

425
MCQ (medium)

Based on the exhibit, which type of issue is most likely affecting the server's network performance?

A. Faulty network cable or interface
B. Duplex mismatch between the server and switch
C. Incorrect TCP/IP configuration
D. Outdated network driver
Answer: A

High CRC and frame errors suggest physical layer problems.

Why this answer

The exhibit shows excessive CRC errors and runts on the server's network interface, which are classic symptoms of a faulty physical layer component such as a damaged cable or failing NIC. These errors indicate that frames are being corrupted during transmission, and the interface is discarding them, leading to retransmissions and degraded performance. A faulty cable or interface directly causes these physical-layer issues, unlike configuration or driver problems.

Exam trap

CompTIA often tests the distinction between physical-layer errors (CRC, runts) and data-link layer issues (duplex mismatch, collisions), leading candidates to mistakenly choose duplex mismatch when the exhibit shows CRC errors instead of late collisions.

How to eliminate wrong answers

Option B is wrong because a duplex mismatch typically causes late collisions and FCS errors, not CRC errors and runts; the interface counters would show alignment errors and excessive collisions. Option C is wrong because incorrect TCP/IP configuration (e.g., wrong subnet mask, gateway, or DNS) would cause connectivity failures or routing issues, not physical-layer CRC errors. Option D is wrong because an outdated network driver might cause performance issues or interface resets, but it would not generate CRC errors or runts at the hardware level; those are physical-layer phenomena.

426
Matching (medium)

Match each network protocol to its well-known port number.

Concepts / Matches

- 22
- 443
- 53
- 25
- 3389

Why these pairings

These are standard well-known port assignments.

427
Multi-Select (medium)

An organization has just experienced a successful phishing attack that led to credential theft. The incident response team is performing analysis. Which three of the following indicators of compromise (IOCs) would be most relevant to investigate? (Choose three.)

Select 3 answers
- Unusual outbound network connections from user workstations.
- A spike in failed login attempts from a single IP address.
- New scheduled tasks created on endpoints without user knowledge.
- Emails with similar subject lines being sent from internal accounts.
- A sudden increase in available disk space on file servers.
- The antivirus definition file being updated automatically.

Why this answer

Unusual outbound network connections from user workstations are a key IOC because after credential theft, attackers often use stolen credentials to establish remote access or exfiltrate data, generating connections to command-and-control (C2) servers or unexpected external IPs. New scheduled tasks created on endpoints without user knowledge indicate persistence mechanisms, as attackers commonly use schtasks.exe or at.exe to maintain access and execute malicious code at regular intervals. Emails with similar subject lines being sent from internal accounts suggest lateral phishing or spam campaigns using compromised accounts to spread malware or harvest additional credentials, a classic post-exploitation behavior.

Exam trap

CompTIA often tests the distinction between indicators of a successful attack (post-compromise IOCs like lateral movement and persistence) versus indicators of an attempted attack (like brute-force failures), so candidates mistakenly choose failed login attempts instead of recognizing that credential theft leads to successful logins and internal propagation.

428
MCQ (easy)

A user opens an invoice document and shortly afterward the endpoint runs wscript.exe from the user's profile. Which detection logic is most relevant? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Successful DHCP renewal
B. A password expiry warning
C. High CPU usage on the print server
D. Office document spawning a script interpreter from a user context
Answer: D

Office-to-script process chains are common initial execution patterns for phishing payloads.

Why this answer

Option D is correct because the scenario describes a classic technique where a malicious macro or script embedded in an Office document executes wscript.exe (Windows Script Host) from the user's profile. This detection logic directly identifies the suspicious parent-child process relationship of an Office application spawning a script interpreter, which is a strong indicator of a script-based attack, such as a macro virus or initial access payload.

Exam trap

CompTIA often tests the concept of process lineage and anomalous parent-child relationships, where candidates may mistakenly focus on system-level performance or network events instead of recognizing that the key indicator is the Office document spawning a script interpreter from the user's profile.

How to eliminate wrong answers

Option A is wrong because a successful DHCP renewal is a routine network operation that does not involve process execution anomalies or user-initiated scripts, making it irrelevant to detecting a malicious script spawned from an Office document. Option B is wrong because a password expiry warning is an authentication event unrelated to process creation or script execution, and it does not indicate any compromise or suspicious activity on the endpoint. Option C is wrong because high CPU usage on the print server is a performance metric for a different system component and has no direct correlation with a user endpoint running wscript.exe from a script interpreter invoked by an Office document.

429
MCQ (medium)

A security analyst discovers a server that is missing multiple critical patches. The server hosts a legacy application that cannot be patched immediately due to compatibility issues. Which of the following is the BEST approach to manage the vulnerability risk?

A. Apply a virtual patch using a WAF
B. Implement network segmentation and increase monitoring
C. Disable the server until a patch is available
D. Remove the server from the network
Answer: B

This reduces risk by isolating the server and enabling detection of attacks.

Why this answer

Option B is the best approach because network segmentation isolates the vulnerable legacy server from critical assets, reducing the attack surface, while increased monitoring allows the security team to detect and respond to any exploitation attempts in real time. This balances risk acceptance with active defense, which is a core principle of vulnerability management when patching is not immediately feasible.

Exam trap

The trap here is that candidates often choose 'Apply a virtual patch using a WAF' because they overestimate the scope of WAF protection, forgetting that it only covers web-based attacks and not OS-level or protocol-level vulnerabilities.

How to eliminate wrong answers

Option A is wrong because a WAF (Web Application Firewall) applies virtual patches only at the application layer (HTTP/HTTPS), and cannot protect against vulnerabilities in other services (e.g., SMB, RDP, or OS-level exploits) that the legacy server may expose. Option C is wrong because disabling the server entirely disrupts business operations and is an overly drastic measure that does not align with risk management best practices unless the vulnerability is critical and actively exploited. Option D is wrong because removing the server from the network completely halts its function and is equivalent to decommissioning, which is not a temporary risk management strategy and ignores the need to maintain business continuity.

430
Drag & Drop (medium)

Arrange the steps for conducting a risk assessment in the correct order.

Why this order

Risk assessment involves asset identification, threat/vulnerability identification, likelihood/impact analysis, risk calculation, and prioritization.

431
MCQ (medium)

A security analyst notices that an IDS is generating a high number of false positives for legitimate encrypted traffic. Which tuning method should the analyst use to reduce false positives without reducing detection capability?

A. Whitelist the source IP addresses of known, trusted servers.
B. Disable the signatures that trigger for encrypted traffic.
C. Increase the sensitivity threshold for the encrypted traffic signatures.
D. Enable full packet capture and analyze the encrypted traffic manually.
Answer: A

Whitelisting reduces false positives by exempting known benign traffic.

Why this answer

Whitelisting the source IP addresses of known, trusted servers reduces false positives by instructing the IDS to ignore alerts for encrypted traffic from those specific hosts. This approach preserves detection capability because the IDS continues to apply all signatures to traffic from other, potentially malicious sources. It is a targeted tuning method that does not disable detection mechanisms or alter sensitivity thresholds, which could otherwise miss real threats.

Exam trap

CompTIA often tests the misconception that disabling signatures or increasing thresholds is an acceptable tuning method, but the trap here is that those actions reduce detection capability, whereas whitelisting trusted sources is the only option that maintains full detection for untrusted traffic.

How to eliminate wrong answers

Option B is wrong because disabling signatures that trigger for encrypted traffic would eliminate detection of any malicious activity hidden within that encrypted stream, such as command-and-control traffic or data exfiltration, thus reducing detection capability. Option C is wrong because increasing the sensitivity threshold for encrypted traffic signatures would actually make the IDS less likely to trigger on any encrypted traffic, potentially missing real attacks while still generating false positives for legitimate traffic that exceeds the new threshold. Option D is wrong because enabling full packet capture and manually analyzing encrypted traffic is not a tuning method; it is a resource-intensive forensic approach that does not reduce false positives in real-time and does not scale for ongoing operations.

432
MCQ (hard)

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For validation, which action should be taken before closing or downgrading the finding?

A. Run only unauthenticated scans forever
B. Disable SSH on all servers
C. Assume the hosts have no vulnerabilities
D. Review scanner account permissions, allowed authentication methods, and sudo command restrictions
Answer: D

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

Option D is correct because SSH hardening (e.g., disabling password authentication, restricting ciphers, or enforcing key-based login) can break credentialed scans if the scanner's account permissions, allowed authentication methods, or sudo command restrictions are not aligned with the new configuration. Reviewing these settings ensures the scanner can authenticate and execute privileged commands, restoring scan coverage without compromising security.

Exam trap

Cisco often tests the misconception that a scan failure after hardening means the hosts are secure, when in reality the failure is a connectivity or authentication issue that must be resolved to maintain visibility.

How to eliminate wrong answers

Option A is wrong because running only unauthenticated scans forever would miss critical vulnerabilities that require authenticated access (e.g., local privilege escalation, missing patches), violating best practices for comprehensive vulnerability management. Option B is wrong because disabling SSH on all servers would break remote administration and defeat the purpose of scanning; SSH is the standard secure remote access protocol, and disabling it is not a viable remediation. Option C is wrong because assuming hosts have no vulnerabilities after a scan failure is a dangerous assumption; the scan failure indicates a configuration issue, not an absence of vulnerabilities, and could lead to unpatched systems being exploited.

433
MCQ (medium)

A vendor shares indicators marked TLP:AMBER+STRICT. How should the SOC handle them? In the root-cause analysis phase, which finding would most directly explain the activity?

A. Publish the indicators on a public GitHub repository
B. Send the indicators to all customers
C. Ignore the indicators because TLP markings are optional
D. Use them internally with only people who need to know and avoid wider redistribution
Answer: D

TLP:AMBER+STRICT restricts sharing to the recipient organisation on a need-to-know basis.

Why this answer

TLP:AMBER+STRICT restricts sharing to recipients within the organization who need to know, prohibiting further redistribution outside the organization. The SOC must use these indicators internally only with personnel who require them for detection and response, avoiding any external sharing. This ensures compliance with the Traffic Light Protocol (TLP) standard defined by FIRST.org.

Exam trap

CompTIA often tests the misconception that TLP markings are optional or advisory, when in fact they are binding protocols that dictate strict handling and redistribution rules, especially with the 'STRICT' qualifier.

How to eliminate wrong answers

Option A is wrong because publishing indicators on a public GitHub repository violates the TLP:AMBER+STRICT restriction, which explicitly forbids sharing outside the organization. Option B is wrong because sending indicators to all customers would constitute unauthorized redistribution beyond the intended recipients, breaching the 'strict' constraint. Option C is wrong because TLP markings are mandatory for handling sensitive information; ignoring them could lead to data leaks and non-compliance with security policies.

434
Multi-Select (medium)

Which THREE of the following are essential tools and technologies used in a Security Operations Center (SOC) for monitoring and detection?

Select 3 answers
A. Firewall
B. Endpoint Detection and Response (EDR)
C. Intrusion Detection/Prevention System (IDS/IPS)
D. Security Information and Event Management (SIEM) system
E. Vulnerability scanner
Answers: B, C, D

Host-level monitoring and detection.

Why this answer

Endpoint Detection and Response (EDR) is essential in a SOC because it provides continuous monitoring and analysis of endpoint activities, enabling detection of advanced threats such as fileless malware and ransomware. EDR tools collect telemetry data from endpoints, correlate it with threat intelligence, and allow for automated response actions, which are critical for real-time incident detection and investigation.

Exam trap

CompTIA often tests the distinction between tools that provide continuous monitoring and detection (SIEM, EDR, IDS/IPS) versus tools that are preventive or periodic (firewall, vulnerability scanner), leading candidates to incorrectly include the latter as essential SOC monitoring technologies.

435
MCQ (hard)

During a forensic investigation, an analyst finds a suspicious registry key that runs a program at startup. What is the best way to determine if the program is malicious?

A. Search the startup folder for the file
B. Compute the hash of the executable and query threat intelligence
C. Execute the program in a sandbox and observe behavior
D. Check the file's last modified timestamp
Answer: B

Hash check indicates known malicious status.

Why this answer

Computing the hash of the executable and querying threat intelligence (e.g., VirusTotal, AlienVault OTX) provides a definitive, objective indicator of known maliciousness by comparing the file's cryptographic fingerprint against global threat databases. This is the fastest and most reliable method to determine if the program is malicious without risking execution or relying on circumstantial evidence.

Exam trap

Cisco often tests the distinction between 'best first step' and 'thorough analysis'—candidates mistakenly choose sandbox execution (Option C) because it seems more comprehensive, but the exam prioritizes speed and safety via hash-based threat intelligence queries.

How to eliminate wrong answers

Option A is wrong because searching the startup folder only confirms the file's location, not its maliciousness; legitimate programs also reside there. Option C is wrong because executing the program in a sandbox, while useful for behavioral analysis, is time-consuming and could still expose the system to risk if the sandbox is misconfigured; it is not the 'best' first step. Option D is wrong because the last modified timestamp is metadata that can be easily altered (timestomping) and provides no indication of malicious intent.

436
MCQ (hard)

A container workload unexpectedly starts a shell, mounts the host filesystem, and attempts outbound connections to an unknown IP. Which telemetry is MOST useful? In the containment trade-off phase, which response balances containment with evidence preservation?

A. Only physical datacenter access logs
B. Container runtime events, Kubernetes audit logs, and network flow from the pod
C. Only monthly vulnerability scan summaries
D. Only user password age reports
Answer: B

Runtime, orchestration, and network telemetry together show process execution, privilege context, and external communication.

Why this answer

Option B is correct because container runtime events (e.g., Docker/containerd exec logs) capture the unexpected shell launch, Kubernetes audit logs record the API requests that created the pod and declared its host filesystem mount, and network flow logs (e.g., NetFlow or eBPF-based tools) reveal the outbound connection to the unknown IP. Together, these provide the granular, real-time telemetry needed to detect and investigate the compromise, unlike static or coarse-grained logs.

Exam trap

CompTIA often tests the misconception that any single log source (e.g., only network flows or only audit logs) is sufficient, when in reality container compromises require correlating runtime, orchestration, and network telemetry to fully understand the attack chain.

How to eliminate wrong answers

Option A is wrong because physical datacenter access logs only track physical entry and have no visibility into container-level activities like shell execution, filesystem mounts, or outbound network flows. Option C is wrong because monthly vulnerability scan summaries are point-in-time snapshots of known CVEs and cannot capture dynamic runtime events such as a shell spawning or live network connections. Option D is wrong because user password age reports are identity management artifacts unrelated to runtime container behavior or network telemetry.

437
Multi-Select (medium)

What should be included in incident scoping for ransomware? (Choose three.)

Select 3 answers
A. Initial infected host and user context
B. The brand of office chairs near the server room
C. Backup integrity and last known clean restore point
D. Shares or systems touched by the compromised account
Answers: A, C, D

The starting point helps identify root cause.

Why this answer

Option A is correct because identifying the initial infected host and user context is critical for understanding the attack vector, containing the threat, and preventing further spread. In ransomware incidents, the first compromised system often reveals the entry point (e.g., phishing email, RDP brute force) and the user account used, which helps scope the blast radius and prioritize remediation.

Exam trap

CompTIA often tests the ability to filter out irrelevant physical or administrative details (like office chairs) that distract from the core technical scoping steps required in incident response.

438
Matching (medium)

Match each attack type to its description.

Concepts
Matches

Deceptive email to steal credentials

Malware that encrypts data for ransom

Overwhelming a service with traffic

Injecting malicious SQL queries

Intercepting communication between parties

Why these pairings

These are common attack vectors covered in CySA+.

439
MCQ (easy)

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For stakeholder management, which documentation or approval is required to keep the programme defensible?

A. A software bill of materials
B. A building floor plan
C. A password complexity screenshot only
D. A DNS MX record report
Answer: A

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory (often in SPDX or CycloneDX format) that lists all third-party libraries, their versions, and dependencies. In a regulated environment, this provides the security team with the visibility needed to assess vulnerabilities (e.g., Log4Shell) and ensure compliance with standards like NIST SP 800-53 or FDA cybersecurity guidance. Requesting an SBOM is the standard practice for supply chain risk management.

Exam trap

CompTIA often tests the distinction between operational security artifacts (like password policies or DNS records) and the specific supply chain documentation (SBOM) required for software composition analysis, leading candidates to confuse general security controls with component inventory.

How to eliminate wrong answers

Option B is wrong because a building floor plan is a physical security document unrelated to software library inventory or version tracking. Option C is wrong because a password complexity screenshot only verifies a single authentication policy, not the composition of included libraries and their versions. Option D is wrong because a DNS MX record report lists mail exchange servers for email routing, not software components or their versions.

440
Multi-Select (hard)

An organization has identified a ransomware outbreak on several workstations. Which TWO actions should the incident response team take immediately?

Select 2 answers
A. Pay the ransom to recover data quickly.
B. Disconnect all network shares to prevent encryption.
C. Contact law enforcement for guidance.
D. Reimage all affected systems immediately.
E. Isolate the affected workstations from the network.
Answers: B, E

Prevents ransomware from encrypting shared data.

Why this answer

Isolating affected systems prevents further spread, and disconnecting network shares stops lateral movement. Contacting law enforcement can be done later; paying ransom is not recommended; reimaging may destroy evidence before investigation.

441
MCQ (medium)

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For tool configuration, which scanner or pipeline change most directly improves result quality?

A. Increase only the port range
B. Trust the unauthenticated result as complete
C. Run authenticated scans using least-privilege scanner credentials
D. Disable host firewalls permanently
Answer: C

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans rely on network-visible services and banners, which miss registry-level patch data, OS configuration details, and installed updates. Authenticated scans with least-privilege credentials (e.g., over WMI or WinRM) log on to the host and enumerate installed updates and configuration directly, which lets the scanner compare the host's actual patch state against the vendor's published updates (e.g., WSUS or the Microsoft Update Catalog). This directly addresses the security manager's suspicion of missing patch data, making option C the correct choice.

Exam trap

CompTIA often tests the misconception that increasing scan scope (ports, protocols) or disabling firewalls can substitute for proper authentication, when in fact only credentialed scanning provides the access needed to assess patch levels accurately.

How to eliminate wrong answers

Option A is wrong because increasing the port range only expands the number of ports scanned for open services; it does not enable credential-based access to patch information, so missing patch data remains invisible. Option B is wrong because trusting unauthenticated results as complete ignores the fundamental limitation that unauthenticated scans cannot access registry, file system, or WMI data needed to verify patch levels, leading to false negatives. Option D is wrong because disabling host firewalls permanently is an insecure and drastic measure that does not grant the scanner the necessary privileges to read patch data; it only removes network-level access controls, not the authentication requirement.

442
Multi-Select (medium)

Which three of the following are effective techniques for prioritizing vulnerabilities for remediation in a vulnerability management program? (Choose three.)

Select 3 answers
A. Applying the Common Vulnerability Scoring System (CVSS) base score as the sole prioritization metric
B. Correlating vulnerabilities with active exploit campaigns and threat intelligence feeds
C. Using asset criticality ratings derived from business impact analysis (BIA)
D. Prioritizing vulnerabilities based solely on the age of the CVE
E. Incorporating compensating controls that may reduce the effective risk of a vulnerability
F. Focusing remediation efforts exclusively on vulnerabilities with a CVSS score of 9.0 or higher

Why this answer

Correlating vulnerabilities with active exploit campaigns and threat intelligence feeds is effective because it prioritizes vulnerabilities that are currently being exploited in the wild, which directly reduces the risk of a breach. This approach aligns remediation with real-world attacker behavior rather than theoretical severity.

Exam trap

CompTIA often tests the misconception that CVSS base scores alone are sufficient for prioritization, when in fact they must be combined with asset criticality, threat context, and compensating controls to reflect true organizational risk.

443
MCQ (medium)

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For control selection, which control best addresses the stated weakness without hiding risk?

A. Mark the vulnerability as fixed
B. Documented risk acceptance with compensating controls and a migration/remediation plan
C. Remove the system from future reports
D. Give all users local admin rights
Answer: B

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally document the risk acceptance, implement compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting), and create a migration or remediation plan to eventually retire or replace the system. This approach transparently acknowledges the residual risk rather than hiding it, aligning with the principle of risk treatment as defined in NIST SP 800-53 and ISO 27005.

Exam trap

CompTIA often tests the misconception that removing a system from reports or marking it as fixed is an acceptable shortcut, when in fact the correct process requires formal risk acceptance with compensating controls and a documented plan.

How to eliminate wrong answers

Option A is wrong because marking a vulnerability as 'fixed' when no patch has been applied is a false status that misrepresents the actual risk posture and violates vulnerability management policy. Option C is wrong because removing the system from future reports hides the risk from stakeholders and bypasses the necessary risk acceptance process, which is a security governance failure. Option D is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly contradicting the principle of least privilege and making the system even more vulnerable.

444
Multi-Select (hard)

A SOC team is tuning a SIEM to reduce false positives. Which THREE of the following metrics should the team consider when evaluating detection effectiveness? (Choose THREE)

Select 3 answers
A. False Positive Rate
B. Number of detected events
C. Precision
D. Mean Time to Detect (MTTD)
E. True Positive Rate (Recall)
Answers: A, C, E

Measures the proportion of negatives incorrectly flagged as positive.

Why this answer

A is correct because False Positive Rate (FPR) measures the proportion of benign events incorrectly flagged as malicious, directly indicating how much noise the SIEM generates. Reducing FPR is a primary goal when tuning detection rules to minimize analyst fatigue and improve alert fidelity.

Exam trap

CompTIA often tests the distinction between metrics that measure detection accuracy (FPR, Precision, Recall) versus metrics that measure operational efficiency (MTTD, event volume), leading candidates to mistakenly include MTTD or raw event counts as effectiveness metrics.
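To make the FPR, Precision and Recall distinction concrete, here is an added example (not part of the question bank) that tallies analyst-labelled rule outcomes from a constructed sample, computes the three accuracy metrics per rule, and models a tuning exclusion to confirm that noise drops while recall is unchanged. The rule names, counts and the apply_tuning helper are assumptions for illustration.

```python
"""Detection-effectiveness metrics for SIEM rule tuning.

Added example (not from the question bank): given analyst-labelled
evaluation records for two rules, compute False Positive Rate, Precision
and Recall per rule, rank rules for tuning, and simulate an exclusion to
check that noise drops without losing signal. All records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    tp: int  # malicious event, rule fired
    fp: int  # benign event, rule fired (noise)
    fn: int  # malicious event, rule silent (missed signal)
    tn: int  # benign event, rule silent

    @property
    def alerts(self) -> int:
        """Raw alert volume; says nothing about accuracy on its own."""
        return self.tp + self.fp

    @property
    def precision(self) -> float:
        """Share of alerts that were actually malicious."""
        return self.tp / self.alerts if self.alerts else 0.0

    @property
    def recall(self) -> float:
        """True positive rate: share of malicious events the rule caught."""
        positives = self.tp + self.fn
        return self.tp / positives if positives else 0.0

    @property
    def fpr(self) -> float:
        """False positive rate: share of benign events wrongly flagged."""
        negatives = self.fp + self.tn
        return self.fp / negatives if negatives else 0.0


def tally(records):
    """records: (rule_name, rule_fired, analyst_verdict_malicious) tuples."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for rule, fired, malicious in records:
        key = ("tp" if malicious else "fp") if fired else ("fn" if malicious else "tn")
        counts[rule][key] += 1
    return {rule: Outcome(**c) for rule, c in counts.items()}


def apply_tuning(o, suppressed_fp, suppressed_tp=0):
    """Model an exclusion: suppressed benign alerts become TNs, any
    suppressed malicious alerts become FNs (good tuning keeps that at 0)."""
    return Outcome(o.tp - suppressed_tp, o.fp - suppressed_fp,
                   o.fn + suppressed_tp, o.tn + suppressed_fp)


def noisiest_first(outcomes):
    """Rule names ordered by FPR, where a tuning effort should start."""
    return sorted(outcomes, key=lambda r: outcomes[r].fpr, reverse=True)


# Constructed evaluation sample: 1,000 events scored against each rule.
SAMPLE = (
    [("encoded_powershell", True, True)] * 8
    + [("encoded_powershell", True, False)] * 40
    + [("encoded_powershell", False, True)] * 2
    + [("encoded_powershell", False, False)] * 950
    + [("failed_logon_burst", True, True)] * 5
    + [("failed_logon_burst", True, False)] * 5
    + [("failed_logon_burst", False, True)] * 5
    + [("failed_logon_burst", False, False)] * 985
)
```

Note that the noisier rule also produces the most alerts and the higher recall, so raw event volume alone would mislead; suppressing 30 benign hits lowers its FPR while recall stays at 0.8.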

445
MCQ (medium)

A UEBA rule flags a user authenticating from London and Singapore within 12 minutes, followed by a mailbox forwarding rule creation. What should the analyst investigate first? In the alert triage phase, which action gives the analyst the clearest next triage step?

A. Only the user's browser cache
B. The organisation's public DNS zone file
C. Sign-in logs, MFA result, device details, and mailbox audit events
D. Only DHCP logs from the London office
Answer: C

Impossible travel plus forwarding rule creation is a strong account-compromise pattern; identity and mailbox audit data confirm whether the activity is malicious.

Why this answer

Option C is correct because the alert indicates a potential account compromise (impossible travel from London to Singapore in 12 minutes) followed by a suspicious mailbox rule creation. The clearest next triage step is to examine sign-in logs for authentication source IPs and timestamps, MFA result to verify if the second factor was passed, device details to check for known or managed devices, and mailbox audit events to confirm who created the forwarding rule and when. This combination directly validates whether the user's credentials were used from two geographically impossible locations and whether the mailbox rule was created by the legitimate user or an attacker.

Exam trap

CompTIA often tests the concept that during alert triage, the analyst must correlate multiple log sources (authentication, MFA, device, and mailbox audit) rather than focusing on a single, irrelevant log type like DHCP or DNS, which do not provide the necessary evidence for impossible travel and mailbox rule investigations.

How to eliminate wrong answers

Option A is wrong because browser cache only stores local web data (cookies, history) and cannot provide evidence of authentication source IPs, MFA status, or mailbox rule creation events; it is irrelevant for investigating impossible travel and mailbox forwarding. Option B is wrong because the organization's public DNS zone file contains DNS records (A, MX, CNAME) for external resolution and has no relation to user authentication logs, MFA results, or mailbox audit events; it cannot help triage the alert. Option D is wrong because DHCP logs from the London office only record IP address assignments within that subnet and do not include authentication details, MFA results, or mailbox audit events; they cannot confirm the user's identity or the mailbox rule creation.
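As an added example (not from the question bank), here is the triage described above run over constructed sign-in and mailbox audit records: it computes the speed implied by the London-to-Singapore pair with the haversine formula, flags it as impossible travel, and attaches the MFA result, device state and any inbox rule created soon after the suspect sign-in. The field names, the 1,000 km/h threshold and the two-hour rule window are assumptions.

```python
"""Triage helper for an impossible-travel plus mailbox-forwarding alert.

Added example (not from the question bank): estimates the travel speed
implied by consecutive sign-ins (haversine distance over elapsed time),
flags implausible pairs, and attaches the MFA result, device state and any
inbox-forwarding rule created soon after the suspect sign-in. The sign-in
and mailbox audit records, IPs and field names below are all constructed.
"""
from collections import namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0        # above airliner speed: not real travel
RULE_WINDOW = timedelta(hours=2)  # forwarding rule soon after the sign-in

# Minimal record shapes (constructed; real sign-in and audit schemas vary).
SignIn = namedtuple("SignIn", "user when city lat lon mfa_passed device_managed ip")
MailboxEvent = namedtuple("MailboxEvent", "user when operation detail ip")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implausible_pairs(signins):
    """Yield (earlier, later, km/h) for consecutive sign-ins that imply impossible travel."""
    ordered = sorted(signins, key=lambda s: s.when)
    for a, b in zip(ordered, ordered[1:]):
        hours = (b.when - a.when).total_seconds() / 3600
        km = haversine_km(a.lat, a.lon, b.lat, b.lon)
        kmh = km / hours if hours > 0 else float("inf")  # same-second: infinite
        if kmh > MAX_PLAUSIBLE_KMH:
            yield a, b, kmh


def triage(signins, mailbox_events):
    """One finding per implausible pair, with the identity and mailbox evidence to check first."""
    findings = []
    for earlier, suspect, kmh in implausible_pairs(signins):
        rules = [e for e in mailbox_events
                 if e.user == suspect.user and e.operation == "New-InboxRule"
                 and suspect.when <= e.when <= suspect.when + RULE_WINDOW]
        findings.append({
            "route": f"{earlier.city} -> {suspect.city}",
            "kmh": None if kmh == float("inf") else round(kmh),
            "mfa_passed": suspect.mfa_passed,          # passed MFA alone is not clearance
            "device_managed": suspect.device_managed,  # unmanaged device adds suspicion
            "forwarding_rules": rules,
            "rule_from_same_ip": any(r.ip == suspect.ip for r in rules),
        })
    return findings


# Constructed sample: documentation-range IPs, fictional user and times.
T0 = datetime(2024, 5, 3, 8, 2)
SIGNINS = [
    SignIn("j.doe", T0, "London", 51.5074, -0.1278, True, True, "203.0.113.10"),
    SignIn("j.doe", T0 + timedelta(minutes=12), "Singapore", 1.3521, 103.8198,
           True, False, "198.51.100.77"),
]
MAILBOX_EVENTS = [
    MailboxEvent("j.doe", T0 + timedelta(minutes=25), "New-InboxRule",
                 "ForwardTo=external@example.net; DeleteMessage=True", "198.51.100.77"),
    MailboxEvent("j.doe", T0 - timedelta(days=1), "MailItemsAccessed", "", "203.0.113.10"),
]
```

The finding ties the forwarding rule to the same source IP as the Singapore sign-in, which is the correlation that turns two separate alerts into one account-compromise hypothesis for the analyst to confirm.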

446
Multi-Select (medium)

Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)

Select 2 answers
A. SBOM generation and review for released builds
B. Manual badge checks at the office door
C. Software composition analysis with policy gates
D. DNS MX record rotation
Answers: A, C

SBOMs support dependency tracking and downstream risk review.

Why this answer

A is correct because SBOM (Software Bill of Materials) generation and review provides a detailed inventory of all components in a build, enabling teams to identify and block vulnerable dependencies before release. This aligns with supply chain security best practices, as SBOMs allow automated comparison against vulnerability databases (e.g., NVD) to enforce policy gates early in the pipeline.

Exam trap

CompTIA often tests the distinction between pipeline-level controls (automated, code-focused) and physical or administrative controls, so candidates may mistakenly select a non-technical option like badge checks because they confuse 'pipeline' with general security procedures.

447
MCQ (easy)

The CISO asks whether incident response is improving quarter over quarter. Which metric is most relevant? If the primary audience is the SOC manager, which content choice is most appropriate?

A. Mean time to detect, mean time to respond, containment time, and recurrence rate
B. Number of desktop wallpapers changed
C. Number of unused dashboards
D. Total coffee consumed by analysts
Answer: A

These KPIs show detection and response effectiveness over time. The report should be tuned to the SOC manager as its audience while preserving factual accuracy.

Why this answer

Mean time to detect (MTTD), mean time to respond (MTTR), containment time, and recurrence rate are the core operational metrics that directly measure the effectiveness and efficiency of an incident response program. For a SOC manager assessing quarter-over-quarter improvement, these metrics provide actionable insight into detection speed, response agility, containment effectiveness, and whether incidents are being fully remediated to prevent repeats.

Exam trap

CompTIA often tests the distinction between operational incident response metrics and irrelevant administrative or cosmetic metrics, trapping candidates who confuse 'activity tracking' with 'performance measurement'.

How to eliminate wrong answers

Option B is wrong because the number of desktop wallpapers changed is an endpoint configuration or user-experience metric, not an incident response performance indicator; it has no bearing on detection, response, or containment. Option C is wrong because the number of unused dashboards is a reporting tool hygiene metric, irrelevant to measuring incident response maturity or improvement over time.

448
MCQ (easy)

After a high-priority SOC escalation, file shares show rapid encryption and ransom-note creation from one workstation. What is the best immediate containment action? During containment, which decision is most defensible, and which response best matches incident-response practice?

A. Run vulnerability scans on every subnet first
B. Restore backups before isolating the host
C. Email all users the ransom note
D. Isolate the workstation and disable its active sessions to file servers
Answer: D

Containment should stop encryption spread while preserving evidence for analysis. In containment, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority in a ransomware incident is to contain the threat by isolating the infected workstation from the network to prevent further encryption of file shares. Disabling active sessions to file servers (e.g., using SMB session termination or firewall rules) stops the lateral movement and encryption of shared data. This aligns with the NIST SP 800-61 containment strategy, which prioritizes stopping the spread before any other action.

Exam trap

CompTIA often tests the misconception that you should run scans or restore backups first; the trap here is that immediate containment (isolation) is always the priority to stop the spread, ahead of investigation or recovery.

How to eliminate wrong answers

Option A is wrong because running vulnerability scans on every subnet first wastes critical time during an active ransomware outbreak; scanning does not stop ongoing encryption and is a post-containment step. Option B is wrong because restoring backups before isolating the host would allow the ransomware to continue encrypting newly restored files, and backups should only be used after containment to ensure a clean restore point. Option C is wrong because emailing all users the ransom note is not a containment action; it may cause panic, spread misinformation, and does not stop the encryption process.

449
MCQ (hard)

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For validation, which action should be taken before closing or downgrading the finding?

A. Wireless spectrum analysis
B. Database transaction log backups
C. Software composition analysis in the CI/CD pipeline
D. Physical badge access reviews
Answer: C

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it specifically scans open-source libraries and their dependencies for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures that vulnerable libraries are identified automatically before the code is deployed, aligning with the shift-left security principle.

Exam trap

CompTIA often tests the distinction between vulnerability identification (SCA) and operational controls (backups, spectrum analysis), leading candidates to confuse general security practices with the specific need for open-source library scanning.

How to eliminate wrong answers

Option A is wrong because wireless spectrum analysis is used to detect rogue access points, interference, or unauthorized wireless devices, not to analyze software libraries. Option B is wrong because database transaction log backups are a data recovery and integrity measure, not a method for identifying vulnerabilities in open-source code.

450
Multi-Select (hard)

A web application DAST scan reports stored XSS. Which evidence helps confirm exploitability? (Choose two.)

Select 2 answers
A. Payload persists and executes when another user views the affected page
B. The vulnerable parameter and output encoding context are identified
C. The server has a large disk
D. The application uses HTTPS
Answers: A, B

Stored execution against another user validates impact.

Why this answer

Option A is correct because stored XSS is confirmed exploitable only when the injected payload (e.g., <script>alert(1)</script>) is persistently stored on the server (e.g., in a database or file) and then rendered and executed in the browser of another user who views the affected page. This demonstrates that the attack can impact victims beyond the tester, proving the vulnerability is not self-inflicted or limited to the attacker's session.

Exam trap

CompTIA often tests the distinction between identifying a vulnerability's context (Option B) and actually proving it is exploitable (Option A), leading candidates to confuse analysis steps with exploitation evidence.
