- A. Perform scheduled restore tests to an isolated environment.
  Correct because restore testing proves the backups are usable and helps measure actual recovery time. A backup that has never been restored cannot be assumed to meet the recovery objective.
- B. Keep at least one backup copy offline or immutable.
  Correct because offline or immutable copies protect against ransomware and tampering. That increases the odds that a known-good recovery point will still exist when the organization needs it.
- C. Increase retention to keep backups for two years without changing restore testing.
  Why wrong: Incorrect because longer retention alone does not prove recoverability. Old backups that are never tested may still fail when restoration is needed.
- D. Move the backup repository onto the same always-mounted file share as production data.
  Why wrong: Incorrect because this increases shared exposure and makes both production and backup copies easier to encrypt or delete. It weakens resilience rather than improving it.
- E. Reduce the number of user permissions on the file server without changing backup design.
  Why wrong: Incorrect because access reduction may be good hygiene, but it does not directly improve recovery confidence. The question asks about restore assurance and resilience.
Quick Answer
The answer is to perform scheduled restore tests to an isolated environment and keep at least one backup copy offline or immutable. These two actions directly improve recovery confidence because scheduled restore tests validate that backup data is both readable and usable without risking production corruption, while an offline or immutable copy ensures a clean, tamper-proof fallback if the primary backup is compromised by ransomware or human error. On the Security+ SY0-701 exam, this scenario tests your understanding of recovery validation and the 3-2-1 backup rule, often appearing as a multi-select question where distractors include “incremental backups” or “cloud replication” without testing restore speed. A common trap is assuming that simply having backups guarantees RTO compliance; the exam emphasizes that only actual restore testing measures real-world timing. Memory tip: “Test and isolate—don’t just replicate.”
SY0-701 Security Operations Practice Question
This SY0-701 practice question tests your understanding of security operations. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Management wants to ensure a file server backed up every night can actually be restored within a 4-hour recovery time objective after an incident. Which two actions best improve recovery confidence? Select two.
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Correct answer & explanation
Perform scheduled restore tests to an isolated environment.
Option A is correct because performing scheduled restore tests to an isolated environment validates that the backup data is both readable and usable without risking corruption of the production environment. This directly confirms the ability to meet the 4-hour RTO by measuring actual restore times and identifying any issues with the backup process or media before a real incident occurs.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓ Perform scheduled restore tests to an isolated environment.
  Why this is correct
  Correct because restore testing proves the backups are usable and helps measure actual recovery time. A backup that has never been restored cannot be assumed to meet the recovery objective.
  Clue confirmation
  The clue word "best" in the question points toward this answer.
  Related concept
  Read the scenario before looking for a memorised answer.
- ✓ Keep at least one backup copy offline or immutable.
  Why this is correct
  Correct because offline or immutable copies protect against ransomware and tampering. That increases the odds that a known-good recovery point will still exist when the organization needs it.
  Clue confirmation
  The clue word "best" in the question points toward this answer.
  Related concept
  Read the scenario before looking for a memorised answer.
- ✗ Increase retention to keep backups for two years without changing restore testing.
  Why it's wrong here
  Incorrect because longer retention alone does not prove recoverability. Old backups that are never tested may still fail when restoration is needed.
- ✗ Move the backup repository onto the same always-mounted file share as production data.
  Why it's wrong here
  Incorrect because this increases shared exposure and makes both production and backup copies easier to encrypt or delete. It weakens resilience rather than improving it.
- ✗ Reduce the number of user permissions on the file server without changing backup design.
  Why it's wrong here
  Incorrect because access reduction may be good hygiene, but it does not directly improve recovery confidence. The question asks about restore assurance and resilience.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse backup retention (how long backups are kept) with backup recoverability, assuming that longer retention inherently improves recovery confidence, when in fact only periodic restore testing proves that backups are viable and can meet the RTO.
Detailed technical explanation
How to think about this question
Scheduled restore tests should simulate a full recovery process, including mounting the restored data in an isolated VLAN or sandbox environment, to verify file integrity, permissions, and application dependencies. Under the hood, this often involves using tools like Veeam SureBackup or Windows Server Backup's test restore feature, which automatically runs verification scripts and can measure elapsed time against the RTO. A real-world scenario is a ransomware attack where backups are encrypted; only regular restore tests to an isolated environment would reveal that the offline or immutable copy is actually recoverable within the required timeframe.
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A SOC analyst notices unusual lateral movement in the network at 2 AM. The IR playbook dictates: identify and contain (isolate the affected machine), then eradicate (remove the malware), then recover (restore from backup), then document. Skipping containment before eradication risks the attacker regaining access. Questions like this test the sequence and rationale of incident response phases.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
3 more ways this is tested on SY0-701
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A technician restores a file server from backup, but the business wants confidence that the recovery process will work during an outage. What should the team do most often to validate the backups?
Difficulty: easy
- A. Review the backup vendor brochure for proof that recovery will work.
- ✓ B. Perform regular restore tests using sample files or systems.
- C. Increase the backup retention period without testing restores.
- D. Change the backup password every day and skip verification.
Why B: Option B is correct because the only way to gain confidence that backups can be successfully restored during an actual outage is to perform regular, documented restore tests. This validates the integrity of the backup media, the correctness of the restoration procedure, and the recoverability of data within the required recovery time objective (RTO). Without testing, assumptions about backup reliability remain unverified, which can lead to catastrophic data loss when a real disaster occurs.
Variation 2. Based on the exhibit, what should the team do next to confirm the backups can actually be used during an outage?
Difficulty: easy
- A. Increase the retention period before making any restore attempts.
- ✓ B. Perform a test restore to a nonproduction location and verify the recovered files.
- C. Delete older backup sets so the backup window is shorter.
- D. Convert the backups to full backups only so the status report is simpler.
Why B: Option B is correct because the only way to confirm that backups are usable during an outage is to perform a test restore to a nonproduction location and verify the recovered files. This validates the integrity of the backup data, the restore process, and that the files are complete and functional, which is a core principle of backup validation (often called a 'restore test' or 'disaster recovery drill'). Simply reviewing backup status reports or increasing retention does not prove that the data can be successfully restored.
Variation 3. A virtual file server was restored from last night's backup. The service is online, but some finance users report missing spreadsheet changes and a few files show a 'recovered copy' timestamp. Which two checks should be completed before the team accepts the restore as successful? Select two.
Difficulty: hard
- ✓ A. Compare restored data against backup hashes or a manifest to verify that the copy is complete and uncorrupted.
- ✓ B. Run an application-level validation test with finance users or sample transactions to confirm the data is usable.
- C. Assume the restore is acceptable because the file server is online and users can browse shares.
- D. Delete the previous night's backup so the team will not accidentally restore it again.
- E. Expose the restored server directly to the internet so remote users can test it faster.
Why A: Option A is correct because comparing restored data against backup hashes or a manifest ensures the data integrity and completeness of the restore process. Even though the file server is online, missing spreadsheet changes and 'recovered copy' timestamps suggest possible corruption or incomplete restoration. Verifying hashes (e.g., SHA-256) against a known-good manifest confirms that every file was restored without bit-rot or truncation, which is a standard post-restore validation step in backup and recovery procedures.
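The restore validation described in the detailed technical explanation and in Variation 3, as an added example (not Courseiva's code and not any backup product's API): the script times a restore into an isolated directory against the 4-hour RTO and checks every restored file against a SHA-256 manifest taken at backup time. `restore_fn`, the directory names and the sample files are assumptions constructed for the example.

```python
import hashlib, shutil, tempfile, time
from pathlib import Path

RTO_SECONDS = 4 * 60 * 60  # the scenario's 4-hour recovery time objective

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256, recorded from the source data at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def restore_test(restore_fn, target: Path, manifest: dict, rto=RTO_SECONDS) -> dict:
    """Time restore_fn (hypothetical stand-in for the real restore job), then verify."""
    start = time.monotonic()
    restore_fn(target)
    elapsed = time.monotonic() - start
    restored = build_manifest(target)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(k for k in manifest.keys() & restored.keys()
                       if manifest[k] != restored[k])
    intact = not (missing or corrupted or unexpected)
    return {"elapsed_s": elapsed, "within_rto": elapsed <= rto, "missing": missing,
            "corrupted": corrupted, "unexpected": unexpected,
            "passed": intact and elapsed <= rto}

def demo() -> dict:
    """Constructed sample: a restore that truncates one file and loses another."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "isolated_restore")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "finance" / "q2.csv").write_text("acct,amount\n1002,75.50\n")
        (src / "readme.txt").write_text("file server share\n")
        manifest = build_manifest(src)
        def faulty_restore(target: Path):  # simulates a damaged backup set
            shutil.copytree(src, target)
            (target / "finance" / "q1.csv").write_text("acct,amount\n")  # truncated
            (target / "readme.txt").unlink()  # never restored
        return restore_test(faulty_restore, dst, manifest)

if __name__ == "__main__":
    print(demo())
```

The restore in `demo()` finishes well inside the RTO yet still fails the test, which is the distinction the question draws between a restore that completes and a restore that is usable.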
Last reviewed: Jun 11, 2026
This SY0-701 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SY0-701 exam.