
Scenario-based practice

Drag and Drop Matching Questions

Practise with Security+ SY0-701 scenario questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: SY0-701 | Vendor: CompTIA

Scenario guide

How to approach drag and drop matching questions

Matching questions give you two columns — concepts, commands, or protocols on the left, and their definitions or use-cases on the right. You drag each left item to its correct match. These appear on most certification exams and punish superficial memorisation.

Quick answer

Drag and drop matching questions test whether you can apply a concept in context, not just recognise its definition. Each scenario on this page covers:

- how the topic appears in realistic exam-style scenarios;
- which detail in the question changes the correct answer;
- how to eliminate plausible but wrong options;
- how to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (medium, matching)

Match each incident response action to its primary purpose during a suspected endpoint compromise.

Drag a concept onto its matching description — or click a concept then click the description.


Contain the incident and limit spread to other systems

Preserve evidence that could disappear after power-off

Eradicate persistence and return the system to a trusted state

Recover business operations and return service to normal

Complete lessons learned and improve future response

Question 2 (easy, matching)

Match each control type to the most fitting example in a branch office.


Secure boot refuses to start untrusted boot code.

A log review process shows when an administrator changed a firewall rule.

A damaged endpoint is restored from a known-good image.

A camera above the server rack makes misuse less likely.

A written standard tells staff how to handle removable media.

A restricted jump box is used until direct admin access is approved again.

Question 3 (matching)

Match each incident response activity to the phase of the incident response lifecycle it best represents. Use each option once.

1. A SOC analyst disables a compromised account, isolates the workstation from the network, and preserves volatile evidence.
2. The team images the infected system, removes the malicious persistence mechanism, and patches the exploited vulnerability.
3. After restoring services, the team reviews timeline gaps, detection delays, and control failures with management.
4. Before the attack occurs, the team verifies contact lists, playbooks, escalation paths, and backup credentials.
5. The team confirms suspicious authentication logs, endpoint alerts, and unusual outbound traffic indicate an active compromise.


Containment

Eradication

Lessons learned

Preparation

Identification

Question 4 (matching)

Match each detection pattern to the most likely security issue. Each item has one best match.


Living-off-the-land or fileless malware execution

DNS tunneling or command-and-control beaconing

Password spraying or credential stuffing that succeeded

Compromised privileged credentials with persistence and post-exploitation activity

Question 5 (medium, matching)

Match each audit request to the best evidence artifact.

1. Auditors want proof that managers reviewed privileged access last quarter.
2. Auditors want evidence that an emergency firewall change was approved before implementation.
3. Auditors want to verify that annual security training was completed by staff.
4. Auditors want to confirm that records were deleted after the retention period expired.


Access review attestation report

Approved change ticket

LMS completion export

Retention deletion log

Question 6 (hard, matching)

Match each procurement or oversight need to the best vendor due diligence artifact or clause. Use each item once.


SOC 2 Type II report

Data processing agreement (DPA)

Software bill of materials (SBOM)

Right-to-audit clause

Disaster recovery test report

Question 7 (medium, matching)

Match each awareness-program metric to the interpretation the security team should use.

1. 8% of users clicked the simulated phishing link.
2. 34% of users reported the simulation using the report-phish button.
3. The median time from message delivery to first user report was 12 minutes.
4. 96% of staff completed the annual awareness module.


Click rate

Report rate

Time to report

Training completion rate

Question 8 (medium, matching)

Match each security monitoring artifact from the SOC alert queue to the best investigation focus.


Investigate possible script-based malware execution launched through a document

Check for suspicious domain lookups that may indicate command-and-control activity

Look for beaconing behavior from a potentially compromised endpoint

Assess for stolen credentials or credential-stuffing activity

Question 9 (medium, matching)

Match each vendor-risk concern to the contractual control that best addresses it.

1. The company wants the right to review the vendor's controls and supporting records after the contract is signed.
2. The company wants to know when the vendor will use subcontractors that may touch its data.
3. The company wants written notice within 24 hours if the vendor suffers an incident affecting company data.
4. The company wants assurance that the vendor's controls are independently assessed each year.


Right-to-audit clause

Subprocessor disclosure requirement

Breach-notification clause

SOC 2 Type II report

Question 10 (hard, matching)

Match each risk-register description to the correct risk term. Use each term once.


Likelihood

Impact

Inherent risk

Residual risk

Risk appetite

Question 11 (easy, matching)

Match each access principle to the best description.


Give the user only the permissions needed to do the job.

Share only the information required for the assigned task.

Split important steps so one person cannot complete everything alone.

Verify each request instead of trusting a user just because they are internal.

Use multiple protective layers so one failure does not expose everything.

Question 12 (matching)

Match each awareness-program metric or pattern to the best interpretation. Use each interpretation once.


Improved phishing resistance

Better escalation culture

Faster detection and triage

Targeted refresher coaching needed

Question 13 (easy, matching)

Match each cloud security concept to the best description.


Defines which security tasks belong to the cloud provider and which remain with the customer

Separates one customer's cloud resources from another customer's resources

Uses the provider's logging service to record workload and control-plane activity

Places workload resources where they are not directly exposed to the internet

Question 14 (hard, matching)

Match each business situation to the best risk treatment. Use each treatment once.


Accept risk

Mitigate risk

Transfer risk

Avoid risk

Question 15 (easy, matching)

Match each control type to the best description.


Stops a threat before it succeeds.

Identifies an event after or while it is happening.

Fixes a problem after it has occurred.

Discourages an attacker from trying.

Provides an alternate safeguard when the preferred control is not possible.

Question 16 (easy, matching)

Match each control type to the example that best fits it.


MFA is required before a user can open the email system.

File integrity monitoring alerts when a protected file changes.

A compromised laptop is reimaged from a standard build.

A login banner warns that activity is monitored and audited.

A procedure tells staff to report lost devices within one hour.

Extra logging is enabled while a missing patch is being scheduled.

Question 17 (easy, matching)

Match each cryptographic action to the most appropriate use case.


Protect the data if the laptop is stolen.

Check that the file was not changed during download.

Make identical passwords produce different hash values.

Confirm the file came from the expected sender and stayed intact.

Replace an encryption key on a planned schedule.

Question 18 (easy, matching)

Match each cryptographic concept to its best purpose.


Makes data unreadable to anyone who does not have the correct key.

Creates a fixed-size fingerprint to detect whether data changed.

Adds random data before hashing passwords so identical passwords look different.

Lets others verify who signed the file and that it was not altered.

Replaces an encryption key before its approved lifetime ends.

Question 19 (easy, matching)

Match each cryptographic primitive to its main purpose.


Producing a fixed-length value used to detect changes.

Using the same secret key to encrypt and decrypt data.

Using a public key and private key pair for encryption or decryption.

Proving who signed something and showing it was not changed.

Creating, storing, rotating, and retiring cryptographic keys safely.

Question 20 (hard, matching)

Match each excerpt from a small enterprise security program to the correct governance artifact.

Exhibit

1. All company laptops must use full-disk encryption, automatic screen locking after 10 minutes, and the approved EDR agent.
2. To replace a lost MFA token, the help desk must verify identity, disable the old token, and re-enroll the user before access is restored.
3. Users should avoid storing confidential files on removable media unless there is a documented business need.
4. The engineering team may use one unsupported browser plug-in on two workstations for 30 days while a redesign is completed.
5. Remote access is allowed only through the approved VPN with MFA.


Standard

Procedure

Guideline

Exception

Policy

These SY0-701 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style SY0-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.