A small company can only remediate two findings this week. Which two should be fixed first based on risk to the business? Select two.

An internal training VM used by one student with a medium vulnerability and no sensitive data

This system has limited exposure and low business impact, so it is not as urgent as a production-facing issue.

A discontinued server already removed from the network but still listed in inventory

This item may need cleanup, but it no longer presents an active security risk because it is not currently in service.

A low-severity cosmetic issue on a noncritical dashboard page

Cosmetic problems may affect usability, but they do not usually create meaningful security exposure or urgent business risk.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: An internet-facing VPN appliance with a critical vulnerability and a public exploit — The two highest-priority items are the internet-facing VPN appliance with a public exploit and the active production print server using a default administrator password. Both combine easy attack paths with business impact. Risk prioritization starts with exposure, exploitability, and the value of the system. A vulnerable public service can be attacked from anywhere, while default credentials on a live server can lead to fast unauthorized access. Why others are wrong: The training VM has lower exposure and little business impact, so it is not an urgent fix. A disconnected server is no longer an active operational risk, even if inventory records should be cleaned up later. A cosmetic dashboard issue is inconvenient, but it is not a meaningful security weakness compared with exposed exploit paths or default credentials.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.