The email security team receives a suspicious invoice attachment from a vendor. The attachment is not blocked by signature-based detection, but the team wants to observe its behavior in a safe environment before delivery to users. What tool best fits this requirement?

Network access control for unmanaged devices

NAC controls device access to the network, but it does not analyze the behavior of a file attachment.

A data loss prevention rule on outbound email

DLP is useful for preventing sensitive data exfiltration, not for safely executing suspicious attachments for analysis.

An intrusion prevention system placed on the Wi-Fi network

IPS can block known network attacks, but it does not open or execute email attachments in a protected environment.

What does this SY0-701 question test?

Static NAT maps one inside address to one outside address.

What is the correct answer to this question?

The correct answer is: Sandboxing the attachment in an isolated analysis environment — Sandboxing is the right choice because it allows security staff to open or execute the attachment in an isolated environment and observe what it does without risking the production network or user devices. This is especially useful when signature-based detection does not already identify the threat. The analysis can reveal payload delivery, file drops, network callbacks, and other malicious behaviors that help determine whether the message should be blocked. Why others are wrong: NAC is about controlling which devices can connect to a network, not analyzing file behavior. DLP focuses on sensitive data leaving the organization, so it does not solve the problem of detonation and observation. IPS can stop certain network attacks, but it is not the right tool for safely inspecting a suspicious attachment before it reaches users.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.