CC · topic practice

Security Operations practice questions

Practise ISC2 Certified in Cybersecurity CC Security Operations practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security Operations

What the exam tests

What to know about Security Operations

Security Operations questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Security Operations exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Operations questions

20 questions · select your answer, then reveal the explanation

Which tier in a Security Operations Center (SOC) is primarily responsible for triaging alerts and determining whether to escalate?

A security analyst notices repeated failed login attempts from an internal IP address to a domain controller, followed by a successful login. Which log type is most likely to provide detailed evidence of this activity?

An organization must comply with PCI DSS log retention requirements. What is the minimum retention period for logs, and how long must they be immediately available for analysis?

A security administrator is implementing measures to protect log integrity. Which of the following is the most effective method to prevent tampering with logs after they are generated?

A company discovers a critical vulnerability in a widely used software application. The vendor has released a patch, but the company's patch management policy requires testing before deployment. What is the best course of action?

Which of the following is an indicator of a phishing email?

What is the primary purpose of using security baselines derived from CIS Benchmarks?

A SOC analyst detects a pattern of outbound traffic from an internal server to a known malicious IP address. Which SOC tier should this alert be escalated to for a deeper investigation?

An organization has a legacy system that cannot be patched due to vendor end-of-life. Which compensating control is most effective at reducing the risk of exploitation via network-based attacks?

Which of the following is a key function of a Security Information and Event Management (SIEM) system?

An employee receives an email from the CEO asking for an urgent wire transfer to a new vendor. The email address is slightly misspelled. What type of attack is this?

A configuration management tool detects that a critical server's security settings have changed from the approved baseline. What is the first action the security team should take?

An organization is implementing a security awareness program. Which THREE topics should be included to address common social engineering attacks? (Select THREE)

A SOC analyst is investigating a potential data exfiltration incident. Which TWO log sources would be most useful for identifying outbound data transfers? (Select TWO)

A security engineer is designing a patch management process. Which TWO steps are part of the standard patch lifecycle? (Select TWO)

A Security Operations Center (SOC) Tier 1 analyst notices an alert for a failed login attempt from an unusual geographic location. What is the primary responsibility of a Tier 1 analyst in this scenario?

A company's SIEM solution aggregates logs from various sources and generates an alert when multiple failed logins occur within a short timeframe. Which log source is most likely to provide the data for this alert?

An organization needs to retain authentication logs for compliance with PCI DSS. What is the minimum retention period required, and how long must the logs be immediately available?

A security analyst needs to ensure that log data cannot be altered after it is written. Which of the following is the most effective method to protect log integrity?

During a patch management cycle, a new vulnerability is disclosed in a widely used web server software. What is the first step an organization should take in the patch lifecycle?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security Operations sessions

Start a Security Operations only practice session

Every question in these sessions is drawn from the Security Operations domain — nothing else.

Related practice questions

Related CC topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the CC exam test about Security Operations?
Security Operations questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Operations questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Operations domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CC topics?
Use the topic links above to move to related areas, or go back to the CC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CC exam covers. They are not copied from any real exam or dump site.