The correct answer is defense in depth, because the organization is using multiple independent security layers to stop or limit the attack at different stages. In the exhibit the first layer (the email filter) let the malicious attachment through, but application control blocked the macro, EDR contained the launched process, MFA stopped the stolen password from reaching the admin portal, and offline backups provided a recovery path. On the Security+ SY0-701 exam, this concept tests your ability to recognise layered security in a scenario, often contrasted with reliance on a single control such as a firewall alone. A common trap is choosing "least privilege" or "zero trust" when the exhibit clearly shows sequential controls at different attack phases. Memory tip: "layers like an onion, not a single wall". Defense in depth buys redundancy by stacking diverse safeguards, which makes it the clearest principle demonstrated here.
SY0-701 General Security Concepts Practice Question
This SY0-701 practice question tests your understanding of general security concepts. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, read the full explanation and the wrong-answer breakdown to reinforce the concept and to understand why each distractor is designed to mislead on exam day.
Exhibit
Security event summary
- Malicious attachment passed the email filter
- Macro execution was blocked by application control
- Process launch was contained by EDR
- Stolen password alone could not reach the admin portal because MFA was required
- Offline backups were used for recovery testing after the incident
Based on the exhibit, which security principle does the organization appear to be using most clearly?
A
Zero trust, because all access is denied until a user proves identity again.
B
Defense in depth, because several different controls stop or limit the attack at different stages.
C
Least privilege, because the attachment was blocked from having administrator rights.
D
Need-to-know, because only the security team should be aware of the incident.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Defense in depth, because several different controls stop or limit the attack at different stages.
The exhibit shows multiple security controls, each acting at a different stage of the attack chain: the email filter was bypassed by the malicious attachment, application control blocked the macro, EDR contained the launched process, MFA stopped the stolen password from reaching the admin portal, and offline backups supported recovery. The first layer failing without the attack succeeding is exactly the point: no single control is relied on to stop the threat, which is the hallmark of defense in depth. The correct answer is B because the scenario demonstrates overlapping, independent controls that provide redundancy and reduce risk at several points along the attack path.
Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
Zero trust, because all access is denied until a user proves identity again.
Why it's wrong here
Zero trust could be part of the design, but the exhibit emphasizes multiple independent safeguards working together. The controls are not only about continuous verification; they also stop threats at different stages, which is broader than a single trust model.
✓
Defense in depth, because several different controls stop or limit the attack at different stages.
Why this is correct
Defense in depth is demonstrated by multiple layers: email filtering, application control, EDR containment, MFA, and backup recovery. The attack is not stopped by one control alone. Instead, each layer provides a separate barrier or recovery path, reducing the chance that a single failure becomes a full compromise.
Related concept
Read the scenario before looking for a memorised answer.
✗
Least privilege, because the attachment was blocked from having administrator rights.
Why it's wrong here
Least privilege concerns giving users and processes only the rights they need. While that idea may help some controls in the exhibit, it does not fully explain the layered approach shown. The dominant theme is that several defenses worked together across the attack path.
✗
Need-to-know, because only the security team should be aware of the incident.
Why it's wrong here
Need-to-know is about limiting information access, not about layering security tools. The exhibit describes technical safeguards that intervene at different points in the attack chain. The issue is resilience through multiple controls, not restricted awareness of the event.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse defense in depth with zero trust because both involve multiple controls, but zero trust specifically requires explicit verification for every access request, whereas defense in depth focuses on layered, independent safeguards without necessarily re-verifying identity at each layer.
Trap categories for this question
Familiar-keyword trap
Least privilege is a well-known principle, and option C borrows it with a detail the exhibit never states: nothing in the summary says the attachment was denied administrator rights. Macro execution was blocked by application control, which is a preventive layer, not a privilege restriction. Check each option's justification against the exhibit; a plausible principle attached to an invented fact is still a wrong answer.
Detailed technical explanation
How to think about this question
Defense in depth, also known as layered security, uses multiple independent controls, such as network firewalls, host-based intrusion prevention systems (HIPS), application control (allow listing) and EDR, to create a cumulative barrier. In practice, this means that even if an attacker bypasses one layer (here, the email filter), subsequent layers (application control, EDR, MFA) can still detect and block the threat, and a recovery layer (offline backups) limits the damage if every preventive layer fails. The layers should be diverse and independent: two controls that share the same signature feed or the same bypass condition count as one layer, not two. This strategy is formalised in NIST SP 800-53, whose PL-8(1) control enhancement (Defense in Depth) calls for overlapping, diverse security functions so that no single point of failure leads to compromise.
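As an added illustration (not code from the page, from CompTIA, or from any product), the following Python models the exhibit as an attack chain passing through guarded stages. It reports where the chain is stopped, lets you assume a control was bypassed to see whether the next layer still holds, and flags stages that depend on exactly one control. Stage names, control names and the pass/block outcomes are constructed from the exhibit; the scoring approach is an assumption about how to reason about layered coverage.

```python
"""Layered-control coverage check (added example, constructed from the exhibit).

Each attack stage is guarded by zero or more independent controls. A stage
'holds' if at least one of its controls blocks. The attack succeeds only if
every stage is passed. single_points_of_failure() flags stages that rely on
a single control, where one bypass equals a full compromise.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    stage: str
    blocks: bool  # outcome observed in the exhibit (constructed data)


# Attack stages in the order the exhibit reports them.
STAGES = ["delivery", "execution", "credential_use"]

# Constructed from the exhibit: the email filter let the attachment through,
# application control and EDR each stopped execution, MFA stopped the
# stolen-password login. Offline backups are a recovery control rather than
# a preventive layer, so they are tracked separately.
CONTROLS = [
    Control("email filter", "delivery", blocks=False),
    Control("application control", "execution", blocks=True),
    Control("EDR containment", "execution", blocks=True),
    Control("MFA on admin portal", "credential_use", blocks=True),
]
RECOVERY_CONTROLS = ["offline backups"]


def walk_chain(controls, failed=frozenset()):
    """Walk the stages in order; return (stage_that_stopped_it_or_None, log).

    `failed` names controls assumed to have been bypassed, so you can ask
    'what if application control had also failed?'.
    """
    log = []
    for stage in STAGES:
        holders = [c.name for c in controls
                   if c.stage == stage and c.blocks and c.name not in failed]
        if holders:
            log.append(f"{stage}: held by {', '.join(holders)}")
            return stage, log
        log.append(f"{stage}: passed")
    return None, log


def single_points_of_failure(controls):
    """Stages guarded by exactly one blocking control."""
    by_stage = {}
    for c in controls:
        if c.blocks:
            by_stage.setdefault(c.stage, []).append(c.name)
    return sorted(s for s, names in by_stage.items() if len(names) == 1)


def uncovered_stages(controls):
    """Stages with no blocking control at all (the attacker walks straight through)."""
    covered = {c.stage for c in controls if c.blocks}
    return [s for s in STAGES if s not in covered]


if __name__ == "__main__":
    stage, log = walk_chain(CONTROLS)
    print("\n".join(log))
    print("stopped at:", stage)
    print("single points of failure:", single_points_of_failure(CONTROLS))
    print("uncovered stages:", uncovered_stages(CONTROLS))
    # What if application control had been bypassed as well?
    stage2, _ = walk_chain(CONTROLS, failed={"application control"})
    print("with application control bypassed, stopped at:", stage2)
    # And if EDR had failed too? Only MFA would be left before the admin portal.
    stage3, _ = walk_chain(CONTROLS, failed={"application control", "EDR containment"})
    print("with both execution controls bypassed, stopped at:", stage3)
    print("recovery layer if every preventive layer fails:", RECOVERY_CONTROLS)
```

Running it shows the chain stopping at the execution stage even with the email filter already bypassed, still stopping at execution when application control is assumed bypassed (EDR holds), and only reaching the MFA layer when both execution controls fail. The single-point-of-failure list names credential_use, which is the practitioner's cue that the admin portal is protected by one layer and would benefit from another (for example, network restrictions on the portal).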
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A SOC analyst receives an alert chain much like the one in the exhibit: a phishing email with a macro-laden attachment reaches a user's inbox, application control refuses to run the macro, and EDR contains the spawned process. A password stolen in the same campaign is later tried against the admin portal and fails the MFA prompt. Each time the attacker is stopped, a different, independent control did the work, so the team can absorb the email filter having missed the message. After containment, the team restores a test system from offline backups to confirm the recovery path works before it is needed for real. Questions like this test whether you can recognise that the resilience came from several layers rather than from any single tool.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this SY0-701 question in full detail.
General Security Concepts. This question tests general security concepts: read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Defense in depth, because several different controls stop or limit the attack at different stages. The exhibit shows multiple security controls, each acting at a different stage of the attack chain: the email filter was bypassed by the malicious attachment, application control blocked the macro, EDR contained the launched process, MFA stopped the stolen password from reaching the admin portal, and offline backups supported recovery. No single control is relied on to stop the threat, which is the hallmark of defense in depth. The correct answer is B because the scenario demonstrates overlapping, independent controls that provide redundancy and reduce risk at several points.
What should I do if I get this SY0-701 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.