Scenario-based practice

Select Two (Multi-Select) Questions

Practise Security+ SY0-701 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions. Exam code: SY0-701. Vendor: CompTIA.

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. Getting partial credit is not a thing — you must select all correct answers with no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (easy, multi select)

An HR analyst must send a salary file to an external auditor. The auditor only needs names, departments, and salary totals, not Social Security numbers or bank account details. Which two actions should the analyst take first? Select two.

Question 2 (medium, multi select)

An investigator needs to make a forensic image of a suspect laptop without changing the original drive contents. Which two practices should be used? Select two.

Question 3 (hard, multi select)

An operations team manages Linux servers over SSH. The security team wants to stop direct management access from employee laptops, reduce lateral movement if one admin endpoint is compromised, and keep a log of every administrative session. Which two design choices best fit? Select two.

Question 4 (easy, multi select)

Company-owned tablets run both business apps and approved personal apps. Which two controls best keep company data separated and support selective wipe? Select two.

Question 5 (hard, multi select)

During testing of a shopping portal, a POST request to /api/address/update succeeds even when the anti-CSRF token is removed. In a separate test, changing customerId=1842 to customerId=1843 in a GET request returns another user's invoice data. Which two vulnerabilities are present? Select two.

Question 6 (medium, multi select)

HR needs to share a copy of employee records with a benefits contractor for testing. The contractor only needs names and coverage selections, not Social Security numbers or bank details. Which two actions best satisfy data handling requirements? Select two.

Question 7 (hard, multi select)

EDR reports that a workstation launched PowerShell from a word processor, created a scheduled task named WinUpdateSvc, and began making repeated HTTPS connections to a rare external domain. The user is still logged in to several cloud apps. Which two response actions are best to initiate from the EDR console? Select two.

Question 8 (multi select)

EDR on a finance workstation shows Outlook launching mshta.exe, followed by a scheduled task named UpdateSvc_91 and repeated HTTPS beacons to a newly registered domain. The user is still working and has not rebooted. Which two telemetry sources would best help the analyst confirm the initial execution path and determine whether the host has communicated with other suspicious infrastructure? Select two.

Question 9 (medium, multi select)

Employees use a browser SaaS portal, a native mobile app, and an internal API. The company wants one corporate identity, reduced password reuse, and automated removal of access when HR terminates users. Which two solutions best meet the requirement? Select two.

Question 10 (medium, multi select)

Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.

Question 11 (hard, multi select)

The exhibit shows a weekly risk register for a small enterprise. Which three findings should be remediated first based on likelihood of exploitation and business impact? Select three.

Exhibit

Finding 1: Customer portal admin access lacks MFA. Internet-facing, moderate exploitability, high business impact.
Finding 2: Internal training wiki uses default template permissions. Intranet only, low exploitability, low business impact.
Finding 3: Payroll file share inherits broad write permissions. Internal network, easy lateral movement, high business impact.
Finding 4: Conference-room printer uses the default admin password. Internal network, moderate exploitability, medium business impact.
Finding 5: Isolated lab VM runs an outdated package. No production connectivity, contained, low business impact.

Question 12 (hard, multi select)

Threat intelligence reports a campaign that rotates domains daily and repacks the malware for each delivery. Analysts also observe the same TLS certificate fingerprint, the same mutex name, and the same JA3 client fingerprint across multiple samples. Which three indicators are most useful to prioritize for hunting or blocking? Select three.

Question 13 (hard, multi select)

A team is deploying a containerized API to a public cloud. The service must be reachable only by internal corporate applications, and secrets must not be embedded in images or readable as plaintext by administrators of the underlying host. Which two actions best fit the design? Select two.

Question 14 (easy, multi select)

A workstation is suspected of running malware and contacting an unknown host. Which two actions belong in the containment phase? Select two.

Question 15 (medium, multi select)

A security analyst is reviewing the organization’s security awareness program. Which three of the following are key metrics that demonstrate the effectiveness of the program? (Choose three.)

Question 16 (medium, multi select)

An organization is migrating its on-premises infrastructure to a hybrid cloud model. Which three of the following considerations are most important for maintaining a secure security architecture? (Choose three.)

Question 17 (hard, multi select)

A baseline review found that standard developer accounts are local administrators, unsigned tools can run from user profile folders, and reimaged systems still end up with unauthorized persistence. Which two changes best improve hardening while preserving developer work? Select two.

Exhibit

Workstation baseline:
- Standard users are local admins
- Executables and scripts run from user-writable paths
- Unauthorized persistence reappears after reimaging
- Developers need to install approved tools, but not arbitrary software

Question 18 (hard, multi select)

A branch office reports intermittent failures reaching internal sites. DHCP logs show clients receiving leases from an unknown MAC address, and DNS responses for intranet.example resolve to an address owned by the same device. Which two attacks best match the evidence? Select two.

Question 19 (medium, multi select)

A business unit wants to keep using a customer portal even though a low-likelihood, high-impact dependency risk was identified. Leadership does not want to stop the service, but it does want to lower exposure and formally document the remaining risk. Which two actions best fit that approach? Select two.

Question 20 (hard, multi select)

A company is evaluating a multi-tenant SaaS document platform. The security team wants to reduce the impact of another tenant’s breach and ensure employees who leave are removed from the app within minutes. Which two requirements should the team prioritize? Select two.

These SY0-701 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style SY0-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.