CISSP · topic practice

Security Assessment and Testing practice questions

Practise CISSP (Certified Information Systems Security Professional) Security Assessment and Testing questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Assessment and Testing

What the exam tests

What to know about Security Assessment and Testing

Security Assessment and Testing questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Assessment and Testing exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Assessment and Testing questions

20 questions · select your answer, then reveal the explanation

A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?

A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?

A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?

A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?

A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?

A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?

A company has implemented a new web application firewall (WAF) and wants to test its effectiveness. Which of the following testing methods would provide the MOST accurate assessment?

Which TWO of the following are key objectives of a security assessment? (Select exactly 2.)

Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)

A security analyst receives the IDS alert shown in the exhibit. The analyst checks the web server logs and finds that the request returned a 200 OK status. Which of the following should the analyst do NEXT?

Exhibit

Refer to the exhibit.

```
[IDS Alert]
Timestamp: 2024-03-15 14:32:17
Signature: ET WEB_SERVER SQL Injection Attempt
Source IP: 192.168.1.105
Destination IP: 10.0.0.5
Destination Port: 80
Payload: GET /search.php?q=1' OR '1'='1' HTTP/1.1
```

A system administrator receives the vulnerability scan report snippet shown in the exhibit. Which of the following actions should the administrator take to remediate the vulnerability?

Exhibit

Refer to the exhibit.

```
[Vulnerability Scan Report - Snippet]
Host: 10.0.0.15
Port: 22/tcp
Service: SSH
Vulnerability: Weak SSH Cryptographic Algorithms
Severity: Medium
CVE: CVE-2016-0777
Fix: Disable weak ciphers (arcfour, blowfish-cbc) and enable strong ones (aes256-ctr, aes128-ctr)
```

Question 12 · medium · multiple choice

A multinational corporation with a hybrid cloud infrastructure has recently experienced a series of security incidents involving unauthorized access to sensitive customer data. The incidents were traced to compromised credentials of privileged users. The company has implemented multi-factor authentication (MFA) for all privileged accounts, but the attacks persisted. A security assessment team is brought in to evaluate the environment. During the assessment, they discover that some privileged accounts do not require MFA when accessing systems via API calls, and that session tokens for these APIs have a long expiration time of 24 hours. Additionally, the team finds that the logging and monitoring system does not capture API calls from privileged accounts, making it difficult to detect anomalous behavior. The company wants to remediate these issues effectively. Which of the following is the BEST course of action to address the root cause of the incidents?

Drag and drop the steps of the incident response process in the correct order.

Drag and drop the steps for a secure password change procedure in the correct order.

Match each cryptographic algorithm to its type.

Matches
  • Symmetric block cipher
  • Asymmetric (public-key) cipher
  • Hash function
  • Keyed-hash message authentication code
  • Elliptic curve digital signature algorithm

Match each security assessment type to its description.

Matches
  • Automated check for known vulnerabilities
  • Simulated attack to exploit vulnerabilities
  • Systematic evaluation of compliance with policies
  • Identification and analysis of risks

A security analyst is tasked with identifying vulnerabilities in a web application that is still in development. The application code is not yet stable, and frequent changes are expected. Which testing approach would be most appropriate to identify vulnerabilities without hindering the development process?

A vulnerability scan report shows that a web server has a critical vulnerability with a CVSS score of 9.8. However, the server is behind a WAF that blocks the attack vector, and the vulnerability is in a deprecated feature that cannot be removed until the next major release. What should the security manager do first?

During a security audit of a financial application, the auditor discovers that the application uses a custom encryption algorithm for storing sensitive data. The developer claims it is more efficient than AES. What should the auditor recommend?

A security analyst reviews system logs and notices multiple failed SSH login attempts from a single IP address over the past hour. The attempts are spaced 30 seconds apart and target different usernames. Which type of attack is most likely occurring?

Frequently asked questions

What does the CISSP exam test about Security Assessment and Testing?
Security Assessment and Testing questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Assessment and Testing questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Assessment and Testing domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.