SY0-701 · topic practice

Threats, Vulnerabilities, and Mitigations practice questions

The Threats, Vulnerabilities & Mitigations domain of the SY0-701 exam is all about understanding the bad things that can happen to an organization's systems and data, and how to stop them. Think of it as the defensive playbook for cybersecurity. You'll learn about different types of attacks—like phishing, ransomware, and denial-of-service—and the weaknesses (vulnerabilities) they exploit, such as unpatched software or weak passwords. But it's not just about knowing the threats; you also need to know how to fix them. That's where mitigations come in—things like firewalls, encryption, access controls, and security policies. For example, if a company has a vulnerability in its web application, a mitigation might be to apply a patch or use a web application firewall. This domain is the core of what security professionals do every day: identify risks, protect assets, and respond to incidents.

Why is this domain so important in real-world IT and security work? Because threats are everywhere. In a typical day, a security analyst might deal with phishing emails, scan for unpatched systems, or configure a VPN to secure remote access. Cloud environments add complexity—misconfigured S3 buckets can expose sensitive data, and compromised API keys can lead to breaches. Understanding these threats and how to mitigate them is critical for roles like security analyst, network administrator, and cloud engineer. Even if you're not in a dedicated security role, knowing these concepts helps you protect your organization from costly incidents. For instance, a simple social engineering attack could trick an employee into revealing credentials, leading to a data breach that costs millions. The SY0-701 exam ensures you have the foundational knowledge to prevent such scenarios.

On the exam itself, this domain tests your ability to identify, analyze, and respond to security threats and vulnerabilities. You'll see questions about attack types (e.g., spear phishing vs. whaling), vulnerability scanning tools (like Nessus or OpenVAS), and mitigation techniques (e.g., patch management, network segmentation). You'll also need to understand indicators of compromise (IoCs) and how to interpret them. For example, a question might describe a sudden spike in outbound traffic and ask you to identify the likely attack (data exfiltration) and suggest a mitigation (egress filtering). The exam also covers emerging threats like supply chain attacks and AI-powered malware. You'll need to know not just the definitions, but how to apply them in scenarios—like choosing the best control to prevent a SQL injection attack (parameterized queries) or detecting a man-in-the-middle attack (certificate validation).

To study this domain effectively, start by understanding the threat landscape. Make flashcards for common attack types (phishing, ransomware, DDoS, etc.) and their characteristics. Then, focus on vulnerabilities—learn about CVEs, the Common Vulnerability Scoring System (CVSS), and how to prioritize patches. For mitigations, group them into categories: administrative (policies, training), technical (firewalls, IDS/IPS, encryption), and physical (locks, biometrics). Practice with scenario-based questions—many resources offer practice exams that mimic the SY0-701 style. Use the acronym STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to categorize threats, and remember the CIA triad (Confidentiality, Integrity, Availability) as a framework for mitigations. Finally, stay current—follow security news to see real-world examples of attacks and how they were mitigated. This domain is heavy, but with consistent study and hands-on practice (like using a home lab or online sandboxes), you can master it.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Threats, Vulnerabilities, and Mitigations

What the exam tests

What to know about Threats, Vulnerabilities, and Mitigations

Threats, Vulnerabilities & Mitigations covers the identification of various attack types (e.g., phishing, ransomware), the weaknesses they exploit (vulnerabilities like unpatched software), and the controls (mitigations) to prevent or reduce damage, such as firewalls, encryption, and security policies.

  • Identifying and differentiating between types of social engineering attacks (e.g., spear phishing, vishing, tailgating)
  • Understanding vulnerability scanning tools and interpreting scan results (e.g., Nessus, OpenVAS)
  • Applying mitigation techniques for common network attacks (e.g., DDoS mitigation using rate limiting or anycast)
  • Recognizing indicators of compromise (IoCs) for malware infections (e.g., unusual outbound traffic, registry changes)
  • Selecting appropriate security controls for application vulnerabilities (e.g., input validation to prevent SQL injection)
  • Analyzing attack vectors in cloud environments (e.g., misconfigured S3 buckets, compromised API keys)

Watch out for

Common Threats, Vulnerabilities, and Mitigations exam traps

  • Confusing vulnerability scanning with penetration testing—scans identify weaknesses, tests exploit them to verify risk.
  • Assuming all encryption is equally effective—trap questions may ask about weak algorithms like WEP or outdated TLS versions.
  • Mixing up mitigation strategies for different attack types—e.g., using antivirus for a DDoS attack instead of traffic filtering.
  • Overlooking physical security controls—questions might present a technical threat that is best mitigated by a lock or badge reader.

Practice set

Threats, Vulnerabilities, and Mitigations questions

20 questions · select your answer, then reveal the explanation

A security analyst is reviewing web server logs from an e-commerce application. The logs show repeated requests containing URLs with appended strings such as: `' OR '1'='1' --` and `'; DROP TABLE Users; --`. The application returned HTTP 200 responses with unexpected data in several instances. Which type of attack is most likely being attempted?

A security analyst is reviewing the source code of a custom network service written in C. The service allocates a 256-byte buffer and uses the strcpy() function to copy incoming data into that buffer without verifying the length of the input. If an attacker sends a specially crafted payload that exceeds 256 bytes, which security control would be most effective at detecting and preventing the resulting exploitation at runtime?

A CFO at a mid-sized company receives an urgent email that appears to come from the CEO's email address, requesting an immediate wire transfer of $50,000 to a new vendor for a time-sensitive project. The email address displayed is 'ceo@cornpany.com' instead of the legitimate 'ceo@company.com'. The CFO follows the instruction and initiates the transfer. Later, the real CEO denies sending such a request. Which of the following security controls would have been MOST effective in preventing this type of attack from succeeding?

A user receives a phone call from someone who claims to be a member of the company's IT support team. The caller states that the user's account has been compromised and requests the user's username, password, and the current multi-factor authentication (MFA) code to 'verify identity and secure the account.' Which type of social engineering attack is being attempted?

A security analyst is reviewing the source code of a custom authentication service. The service uses a function that compares a user-supplied password to the stored password hash by iterating through each byte and returning false immediately upon the first mismatch. The analyst measures the function's execution time and discovers it varies measurably depending on how many initial bytes match. Which type of attack is this vulnerability most likely to facilitate?
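The early-exit comparison described in this question, shown next to a constant-time one, as an added example that is not part of the original practice set. The function names, the stored value and the timing loop are constructed here for the demonstration; `hmac.compare_digest` is the Python standard-library call used for the fix.

```python
import hmac
import secrets
import time


def compare_early_exit(a: bytes, b: bytes) -> bool:
    # Vulnerable pattern from the question: returns at the first mismatching
    # byte, so the running time grows with the number of leading bytes that
    # match and leaks that count to anyone who can measure it.
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def compare_constant_time(a: bytes, b: bytes) -> bool:
    # Fixed: compare_digest examines every byte no matter where a mismatch
    # sits, so the running time does not depend on the content of the input.
    return hmac.compare_digest(a, b)


def time_compare(fn, stored: bytes, guess: bytes, rounds: int = 20000) -> float:
    # Measure how long `rounds` comparisons of one guess take, in seconds.
    start = time.perf_counter()
    for _ in range(rounds):
        fn(stored, guess)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed stored value: 32 random bytes standing in for a password hash.
    stored = secrets.token_bytes(32)
    no_match = bytes(b ^ 0xFF for b in stored)        # every byte differs
    half_match = stored[:16] + no_match[16:]          # first 16 bytes match
    for name, fn in (("early-exit", compare_early_exit),
                     ("constant-time", compare_constant_time)):
        t0 = time_compare(fn, stored, no_match)
        t16 = time_compare(fn, stored, half_match)
        print(f"{name:14s} 0 bytes match: {t0:.4f}s   16 bytes match: {t16:.4f}s")
```

Running the script shows the early-exit version taking noticeably longer for the half-matching guess than for the fully wrong one, while the constant-time version takes about the same time for both; that difference in behaviour is what the analyst in the question measured.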

Question 6 · medium · multiple choice

A security analyst is reviewing the results of a dynamic application security test (DAST) on a new e-commerce application. The report indicates that the application's product search functionality is vulnerable to blind SQL injection. The analyst is tasked with recommending a remediation to the development team. The developers currently concatenate user input directly into SQL queries. Which of the following recommendations would most effectively and permanently mitigate this vulnerability?
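The concatenated query described in this question next to the parameterized form that the domain overview names as the fix, as an added example that is not part of the original practice set. The in-memory product table and the two search functions are constructed here for the demonstration; the injected string is the first one from the log-review question earlier in the set.

```python
import sqlite3

# The first injected string from the log-review question earlier in this set.
INJECTED_TERM = "' OR '1'='1' --"


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the product catalogue.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, cost REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 2.5), (2, "gadget", 7.0), (3, "gizmo", 1.25)],
    )
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> list:
    # Vulnerable: the search term is spliced into the SQL text, so a quote in
    # the term ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, name FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    # Fixed: the SQL text is fixed and the driver binds the term as a value;
    # whatever the term contains, it can only ever be compared to `name`.
    return conn.execute(
        "SELECT id, name FROM products WHERE name = ?", (term,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal term, concatenated:  ", search_concatenated(db, "widget"))
    print("normal term, parameterized: ", search_parameterized(db, "widget"))
    print("injected term, concatenated:", search_concatenated(db, INJECTED_TERM))
    print("injected term, parameterized:", search_parameterized(db, INJECTED_TERM))
```

With the injected term, the concatenated query becomes `SELECT id, name FROM products WHERE name = '' OR '1'='1' --'` and returns every row, which is the "unexpected data" the earlier question's log review noticed; the parameterized query looks for a product literally named `' OR '1'='1' --` and returns nothing.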

A security analyst is reviewing authentication logs from a corporate web application. The logs show thousands of failed login attempts over the past hour. Each attempt uses a different username, but all attempts use the same password 'Spring2024!'. The source IP addresses are widely distributed across several different geographic regions. Which type of attack is the analyst most likely observing?

A security analyst is investigating a series of alerts from the web application firewall. Users are reporting that when they view a product review page on the company's e-commerce site, their browser automatically redirects to a malicious website. The analyst examines the database and finds that a product review submitted by a user contains a `<script>` tag that loads a JavaScript file from an external domain. Which type of attack has occurred?

Question 9 · medium · multiple choice

A security analyst is reviewing the session management implementation of a web application. The application generates session tokens by computing the MD5 hash of the concatenation of the username and the current server timestamp rounded to the nearest hour. An attacker has obtained a valid session token for her own account and discovers that she can forge tokens for other users by simply substituting the username in the hash calculation with a known target username. Which type of attack is the web application most vulnerable to?

A security analyst is reviewing the source code of a custom web application. The application receives JSON data from users, which includes a 'type' field. The application uses the 'type' field to determine which Java class to instantiate, and then calls a method on that object. The application does not validate or sanitize the 'type' field. An attacker sends a crafted JSON payload that causes the application to instantiate an unexpected class, leading to remote code execution. Which type of vulnerability does this example describe?

A security analyst is investigating a phishing campaign that specifically targets senior executives in a company. The emails appear to come from the CEO and request urgent wire transfers to a fraudulent account. Which of the following best describes this type of attack?

A security analyst discovers that an organization's web application is vulnerable to SQL injection. The application uses a legacy database driver that does not support parameterized queries. Which of the following is the BEST mitigation to prevent this vulnerability?

Question 13 · medium · multiple choice

A security analyst reviews authentication logs and discovers hundreds of failed login attempts from a single external IP address within a five-minute window. All attempts target the same username 'jsmith' but use different passwords. Which type of password attack does this pattern most likely indicate?

A security analyst discovers that an attacker maintained persistent access to a corporate network for six months, moving laterally between systems and exfiltrating sensitive data. The attacker used custom malware that evaded antivirus and established multiple backdoors. Which of the following best describes this type of threat actor and their campaign?

Question 15 · medium · multiple choice

A security analyst reviews authentication logs and notices multiple failed login attempts using various usernames from a single IP address over several hours. Eventually, a successful login occurs using a username that had many failed attempts. The organization requires multi-factor authentication (MFA). Which type of attack is most likely indicated by this pattern?

A security analyst receives an alert from the email security gateway about a message sent to an employee. The email has an attachment named 'Invoice_Q4_2024.exe'. The employee claims they did not open the attachment, and the email appears to come from a known vendor's domain but the sender address has a slight typo. Which type of attack is most likely being attempted?

A security analyst notices that several employees have received an email with the subject line 'Urgent: Password Reset Required'. The email contains a link to a website that mimics the company's internal login portal. The email was sent from an external domain and addresses recipients by 'Dear Employee' rather than their actual names. Which type of social engineering attack is being described?

Question 18 · medium · multiple choice

A security analyst receives an alert about a user account attempting to access multiple network shares in rapid succession within a short time frame. The analyst reviews the logs and sees that the IP address originates from the internal network, but the user is currently on leave. Which type of attack is most likely occurring?

A security analyst receives a phone call from an individual claiming to be a member of the IT help desk. The caller states that an emergency security update requires the analyst's password immediately, and the request sounds urgent. The analyst notices the caller's voice is unfamiliar and the background noise is inconsistent with an office environment. Which type of social engineering attack is being attempted?

A security analyst is investigating a web application that allows users to input a filename to view its contents. The application passes the user input directly to a system command without sanitization. An attacker submits the input 'file.txt; cat /etc/passwd' and successfully retrieves the contents of the password file. Which type of attack occurred?
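The unsanitized command construction from this question next to a hardened version, as an added example that is not part of the original practice set. The `/srv/app/files` directory, the allowlist pattern and the helper names are assumptions made for the demonstration; the vulnerable string is only built and tokenised here, never executed.

```python
import re
import shlex
import subprocess

# Assumed directory holding the files users are allowed to view.
FILES_DIR = "/srv/app/files"

# Allowlist: a plain file name, no path separators and no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_command(user_input: str) -> str:
    # Vulnerable pattern from the question: the input becomes part of a shell
    # command line, so a ';' in it starts a second command. Returned, not run.
    return "cat " + user_input


def shell_command_count(command_line: str) -> int:
    # Tokenise the line the way a POSIX shell would and count the commands
    # separated by ';'. Used to show what the shell would actually execute.
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return 1 + list(lexer).count(";")


def safe_argv(user_input: str) -> list:
    # Fixed: reject anything outside the allowlist, then pass the name as one
    # argv element. With no shell involved, metacharacters stay literal.
    if not SAFE_NAME.fullmatch(user_input):
        raise ValueError("invalid file name")
    return ["cat", f"{FILES_DIR}/{user_input}"]


def view_file(user_input: str) -> str:
    # Runs `cat` on the validated path without a shell (shell=False is the
    # subprocess default) and returns its output.
    result = subprocess.run(safe_argv(user_input), capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: a normal name and the one from the question.
    for name in ("file.txt", "file.txt; cat /etc/passwd"):
        line = vulnerable_command(name)
        print(f"shell line {line!r} runs {shell_command_count(line)} command(s)")
        try:
            print("argv:", safe_argv(name))
        except ValueError as err:
            print(f"rejected {name!r}: {err}")
```

The allowlist also rejects `../`-style names, which closes the path traversal variant of the same bug; checking the input against a pattern of what is allowed is more robust than trying to strip out the characters that are known to be dangerous.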


Focused Threats, Vulnerabilities, and Mitigations sessions

Start a Threats, Vulnerabilities, and Mitigations only practice session

Every question in these sessions is drawn from the Threats, Vulnerabilities, and Mitigations domain — nothing else.


Frequently asked questions

What does the SY0-701 exam test about Threats, Vulnerabilities, and Mitigations?
Threats, Vulnerabilities & Mitigations covers the identification of various attack types (e.g., phishing, ransomware), the weaknesses they exploit (vulnerabilities like unpatched software), and the controls (mitigations) to prevent or reduce damage, such as firewalls, encryption, and security policies.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Threats, Vulnerabilities, and Mitigations questions in a focused session?
Yes — the session launcher on this page draws every question from the Threats, Vulnerabilities, and Mitigations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SY0-701 topics?
Use the topic links above to move to related areas, or go back to the SY0-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SY0-701 exam covers. They are not copied from any real exam or dump site.