A monthly vulnerability scan identifies a critical vulnerability on a public-facing VPN appliance, but the vendor says no patch is available yet. The service must remain online for remote workers. What is the best compensating control to reduce risk right away?

Ignore the finding until the next quarterly review because there is no patch available.

Risk remains high, and deferring action leaves the exposed system unprotected longer.

Move the appliance to a less critical VLAN and leave all access rules unchanged.

Changing VLANs alone does not reduce attack exposure if the service is still broadly reachable.

Disable logging so that attackers cannot learn the appliance version from log data.

Disabling logs reduces visibility and makes incident response harder without addressing the vulnerability.

What does this SY0-701 question test?

Access ports place end devices into a single VLAN.

What is the correct answer to this question?

The correct answer is: Apply virtual patching or traffic filtering to block exploit attempts until remediation is possible. — When a patch is unavailable, the best immediate step is a compensating control such as virtual patching through IPS or targeted traffic filtering. This reduces exposure to known exploit patterns while the organization plans a vendor fix, replacement, or maintenance window. Because the appliance must remain online, the goal is to lower likelihood without interrupting business access. That is the most practical short-term risk reduction. Why others are wrong: Ignoring the issue leaves a critical internet-facing vulnerability exposed. Reassigning the appliance to another VLAN does not help unless access is also restricted. Disabling logging is counterproductive because it reduces detection and investigation capability while doing nothing to block exploitation attempts.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.