
Scenario-based practice

Troubleshooting Scenario Questions

Practise Systems Security Certified Practitioner SSCP practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

14 scenario questions · Exam code: SSCP · Vendor: ISC2

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply a concept in context, not just recognise its definition. Expect them to probe:

- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A network engineer is troubleshooting a site-to-site VPN that is failing to establish. The pre-shared key is correct and both sides use IKEv2. The VPN logs show 'no proposal chosen'. What is the most likely cause?

Question 2 (hard, multiple choice)

Refer to the exhibit. An administrator runs an OpenSSL s_client command and receives the output shown. What is the most likely cause of the 'unable to get local issuer certificate' error?

Exhibit

```
openssl s_client -connect server.example.com:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = Example Inc, CN = server.example.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Example Inc/CN=server.example.com
   i:/C=US/O=Example Root CA/CN=Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
```

Question 3 (hard, multiple choice)

Your organization has a mixed environment of Windows and Linux servers. You receive an alert from the EDR that a Linux server is beaconing to a suspicious IP. The server runs a critical application that cannot be taken offline. The security team needs to investigate while maintaining availability. You have access to a jump box with network monitoring tools. Which course of action is most appropriate?

Question 4 (medium, multiple choice)

A security analyst is troubleshooting a network issue where users on VLAN 10 cannot reach a server on VLAN 20. The router has an ACL applied to the interface connected to VLAN 10. Which step should the analyst take first to isolate the problem?

Question 5 (hard, multiple choice)

An organization uses role-based access control (RBAC). After a merger, a user account from the acquired company is migrated into the parent company's domain. The user is assigned to multiple roles, but is unable to access a critical application that requires a specific role. The administrator verified that the user's account is enabled and the application server is reachable. What is the MOST likely cause?

Question 6 (medium, multiple choice)

A company's VPN logs show that a user's account authenticated from two different geographic locations within a span of 10 minutes. The distances between locations make physical travel impossible. The security team investigates and finds that the user's password is complex and not shared. What is the MOST likely explanation?

Question 7 (hard, multiple choice)

During a security audit, it is discovered that a system administrator shared their personal credentials with a colleague to troubleshoot an issue after hours. This violates the company's policy regarding password sharing. Which control would BEST prevent this type of incident in the future?

Question 8 (medium, multiple choice)

An organization's help desk receives multiple reports of employees unable to access a critical internal application. The IT team confirms the application server is running. What is the FIRST step in the incident response process?

Question 9 (medium, multiple choice)

Refer to the exhibit. A security administrator is troubleshooting connectivity to a web server. Users report they can access the website via HTTP and HTTPS, but cannot establish new SSH connections. Which of the following best explains this issue?

Exhibit (network topology)

```
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
DROP       tcp  --  ...
```

Question 10 (hard, multiple choice)

A Windows workstation is unable to authenticate to a Kerberos-based application. The time on the workstation is 5 minutes ahead of the domain controller. What is the impact?

Question 11 (medium, multiple choice)

Refer to the exhibit. A user reports being unable to remote desktop (RDP) into a Windows server. Given the event log, what is the most likely cause?

Exhibit

```
Event 4625, Microsoft-Windows-Security-Auditing
Account For Which Logon Failed:
    Security ID:        S-1-5-21-123456789-123456789-123456789-1105
    Account Name:       jdoe
    Account Domain:     CORP
Failure Information:
    Failure Reason:     The user has not been granted the requested logon type at this computer.
    Status:             0xC000015B
    Sub Status:         0x0
```

Question 12 (easy, multiple choice)

A user reports they cannot access the internet. The network administrator verifies that the user's workstation has an IP address of 192.168.1.100/24 and a default gateway of 192.168.1.1. The administrator can ping the default gateway but cannot ping 8.8.8.8. What is the most likely cause?

Question 13 (medium, multiple choice)

A network administrator is unable to ping the server at 10.2.2.100 from a host on the 192.168.1.0/24 network. Based on the exhibit, what is the most likely cause?

Exhibit

```
Router# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.1.2 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.1.1.0/24 is directly connected, GigabitEthernet0/0
O       10.2.2.0/24 [110/20] via 10.1.1.2, 00:05:12, GigabitEthernet0/0
S       10.3.3.0/24 [1/0] via 10.1.1.2
C       192.168.1.0/24 is directly connected, GigabitEthernet0/1
```

Question 14 (hard, multiple choice)

A mid-sized company has deployed a web application that handles sensitive customer data. The application uses TLS to encrypt data in transit. Recently, the company received a penetration test report indicating that an attacker could potentially downgrade the TLS connection to an older, weaker version (e.g., TLS 1.0) by performing a man-in-the-middle attack. The application server runs on Windows Server 2022 with IIS 10. The security team wants to disable all versions of TLS below 1.2 on the server. However, after making registry changes to disable TLS 1.0 and 1.1, some legacy clients that only support TLS 1.0 are unable to connect. The business requires that these legacy clients still be able to access the application securely, but the security team insists on disabling weak protocols. The server currently has a valid certificate from a public CA. Which of the following is the most appropriate course of action?

These SSCP practice questions are part of Courseiva's free ISC2 certification practice question bank. Courseiva provides original exam-style SSCP questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.