A weekly risk review lists several findings. Which two should be addressed first based on likelihood of exploitation and business impact? Select two.

An internal lab system with an outdated browser component, isolated from production and not customer-facing.

The system has lower business impact and limited exposure because it is isolated from critical production assets.

A training virtual machine used offline once per month in a disconnected lab.

Offline, disconnected assets have far less likelihood of attack and typically lower operational impact.

A documentation site with a spelling error in its banner text.

A cosmetic typo does not materially increase security risk and should not be prioritized over exploitable flaws.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: An internet-facing VPN appliance with a known exploit and no vendor patch available yet. — Prioritization should focus on the issues most likely to be exploited and most damaging if abused. An internet-facing VPN with a known exploit has high exposure, and a public payroll portal using default administrator credentials is effectively already in a compromised state. Both present immediate enterprise risk, while the lab system, offline VM, and banner typo are far less urgent from a risk-management perspective. Why others are wrong: The isolated lab host and disconnected training VM have limited exposure and lower impact, so they are not first-priority items. The spelling error is not a security risk at all. This question tests how to rank findings by likelihood and impact rather than by raw severity labels alone.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.