Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Systems Security Certified Practitioner SSCP practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions. Exam code: SSCP. Vendor: ISC2.

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews these logs from a server. What immediate risk is most indicated by this log pattern?

Exhibit

```
Oct 15 09:23:45 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:46 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:47 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:48 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Oct 15 09:23:49 server01 sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
```

Question 2 (hard, multiple choice)

A security analyst reviews the firewall log exhibit. Which type of activity is indicated?

Exhibit

Exhibit: Firewall log snippet
```
2024-03-15 10:23:45 ALLOW TCP 192.168.1.100:34567 -> 10.0.0.50:3389
2024-03-15 10:23:46 ALLOW TCP 192.168.1.100:34568 -> 10.0.0.50:3389
2024-03-15 10:23:47 ALLOW TCP 192.168.1.100:34569 -> 10.0.0.50:3389
2024-03-15 10:23:48 ALLOW TCP 192.168.1.100:34570 -> 10.0.0.50:3389
2024-03-15 10:23:49 ALLOW TCP 192.168.1.100:34571 -> 10.0.0.50:3389
```

Question 3 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews this AWS IAM policy and notices that delete operations on objects in the corporate-bucket are being denied unexpectedly. What is the most likely issue?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::corporate-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::corporate-bucket/*"
    }
  ]
}
```

Question 4 (easy, multiple choice)

Refer to the exhibit. A network administrator implements this ACL on a border router. What is the effect?

Exhibit

```
access-list 101 permit tcp any host 192.168.1.100 eq 22
access-list 101 deny tcp any any eq 22
```

Question 5 (medium, multiple choice)

Based on the exhibit, which security threat is likely being attempted?

Exhibit

```
May 15 10:23:45 server1 sshd[12345]: Failed password for root from 192.168.1.100 port 22 ssh2
May 15 10:23:46 server1 sshd[12345]: Failed password for root from 192.168.1.100 port 22 ssh2
May 15 10:23:47 server1 sshd[12345]: Failed password for root from 192.168.1.100 port 22 ssh2
... (multiple entries within seconds)
```

Question 6 (medium, multiple choice)

Refer to the exhibit. The security analyst sees this event from a user workstation. What is the most likely conclusion?

Exhibit

```
Event Log: Event ID 4688 - Process Creation
Command Line: cmd.exe /c net localgroup administrators user1 /add
```

Question 7 (hard, multiple choice)

Refer to the exhibit. The security group is attached to a database server. Which hosts can connect to the database?

Exhibit

```
{
  "SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
  ]
}
```

Question 8 (medium, multiple choice)

Refer to the exhibit. The analyst sees this IDS alert. What is the most likely outcome if the target web application is vulnerable?

Exhibit

```
[IDS Alert]
Timestamp: 2025-02-18 14:23:45
Source IP: 10.10.10.5 -> Destination IP: 192.168.1.100
Signature: ET WEB_SPECIFIC SQL Injection Attempt
Payload: ' OR '1'='1' --
```

Question 9 (medium, multiple choice)

Refer to the exhibit. A security analyst observes this event on a workstation. What is the MOST likely explanation?

Exhibit

```
[Windows Security Log]
Event ID: 4688
Process Name: C:\Windows\System32\cmd.exe
Command Line: cmd.exe /c "echo %USERNAME% && whoami"
Parent Process: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
```

Question 10 (hard, multiple choice)

Refer to the exhibit. User bob, a member of the projectdev group, attempts to create a new file in /data/project but gets 'Permission denied'. What is the most likely reason?

Exhibit

```
[user@server ~]$ getfacl /data/project
# file: /data/project
getfacl: Removing leading '/' from absolute path names
# owner: projectadmin
# group: projectdev
user::rwx
user:alice:rwx
group::r-x
mask::rwx
other::---
```

Question 11 (hard, multiple choice)

Refer to the exhibit. A network engineer is configuring a site-to-site VPN. The remote peer is using AES-256 encryption and SHA-1 for integrity. Which configuration parameter is likely misconfigured?

Exhibit

```
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES256-SHA
 match address 101
```

Question 12 (hard, multiple choice)

Refer to the exhibit. What security issue is present in this firewall policy?

Exhibit

```
{
  "FirewallPolicies": [
    {
      "Name": "AllowWeb",
      "Source": "0.0.0.0/0",
      "Destination": "10.0.0.0/24",
      "Port": 443,
      "Action": "allow"
    },
    {
      "Name": "BlockSSH",
      "Source": "0.0.0.0/0",
      "Destination": "10.0.0.0/24",
      "Port": 22,
      "Action": "deny"
    }
  ]
}
```

Question 13 (medium, multiple choice)

Refer to the exhibit. Which of the following is most likely a web browsing session?

Exhibit

```
Proto  Local Address          Foreign Address        State
TCP    192.168.1.100:49152    203.0.113.10:80        ESTABLISHED
TCP    192.168.1.100:49153    192.168.1.1:53         TIME_WAIT
TCP    192.168.1.100:49154    74.125.224.72:443      ESTABLISHED
```

Question 14 (hard, multiple choice)

Based on the exhibit, which of the following best describes the firewall configuration?

Network Topology
```
0   0     ACCEPT  all  lo    *  0.0.0.0/0
10  840   ACCEPT  tcp
20  1680  ACCEPT  tcp
5   420   ACCEPT  tcp
0   0     DROP    all  eth0  *  0.0.0.0/0
```

Question 15 (medium, multiple choice)

Based on the exhibit, which type of attack is most likely occurring?

Exhibit

```
[user@server ~]$ sudo cat /var/log/auth.log | grep 'Failed password' | tail -5
Mar 10 14:23:01 server sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Mar 10 14:23:05 server sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Mar 10 14:23:09 server sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Mar 10 14:23:13 server sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
Mar 10 14:23:17 server sshd[1234]: Failed password for root from 10.0.0.5 port 22 ssh2
```

These SSCP practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style SSCP questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.