
CompTIA Security+ Practice Test (SY0-701)

Use the form below to configure your CompTIA Security+ Practice Test (SY0-701). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.


CompTIA Security+ SY0-701 (V7) Information

CompTIA Security+ Certification Exam Overview

The CompTIA Security+ certification is a vendor-neutral credential that validates foundational security skills and knowledge. The current version of the exam is SY0-701. The SY0-701 exam is a computer-based test that consists of up to 90 questions, with a duration of 90 minutes. Candidates must achieve a minimum passing score of 750 points on a scale of 100-900.

Question Types on the Security+ Exam

The Security+ exam includes two primary types of questions:

  • Multiple-Choice/Multiple-Selection Questions: These questions require candidates to select one or more correct answers from a list of options.
  • Performance-Based Questions (PBQs): These questions involve solving problems in a simulated IT environment, such as command prompt or networking environments. PBQs are also featured in other CompTIA exams, like A+ and Network+.

Exam Prerequisites

CompTIA does not enforce any prerequisites for the Security+ exam. However, it is recommended that candidates have the CompTIA Network+ certification and at least two years of experience in IT administration with a focus on security. Additionally, CompTIA suggests that candidates be at least 13 years old.

Security+ Exam Domains

The SY0-701 exam focuses on five primary domains:

  • General Security Concepts (12%)
  • Threats, Vulnerabilities, and Mitigations (22%)
  • Security Architecture (18%)
  • Security Operations (28%)
  • Security Program Management and Oversight (20%)

These domains are detailed in the exam objectives, which outline the scope of the test, including domain weighting, test objectives, and example topics.

Exam Renewal Policy

The Security+ certification, along with other CompTIA certifications, must be renewed every three years. The bridge exam scheme was retired on December 31, 2010. After January 1, 2011, all new certifications are valid for three years from the date of certification. Renewal can be achieved by passing the latest version of the exam or through the Continuing Education (CE) program. This program allows candidates to keep their skills current through various activities that demonstrate industry knowledge.

Testing Centers

CompTIA exams, including Security+, have been available exclusively through Pearson VUE testing centers since July 9, 2012. Exams can be scheduled online, by phone, or at the testing center. Candidates can choose between in-person exams at Pearson VUE centers or online testing.

The CompTIA Security+ certification ensures that IT professionals possess the essential security skills and knowledge required to protect and manage today's increasingly complex IT environments.


Free CompTIA Security+ SY0-701 (V7) Practice Test


  • Questions: 20
  • Time: Unlimited
  • Included Topics:
    General Security Concepts
    Threats, Vulnerabilities, and Mitigations
    Security Architecture
    Security Operations
    Security Program Management and Oversight

Question 1 of 20

What does the concept of ongoing supportability in the context of cybersecurity operations entail?

  • The initial implementation of security controls in a new system.

  • The capacity for continued maintenance and updates of security systems and processes.

  • The periodic change in security policies dictated by organizational structure.

  • The step-by-step playbook used for responding to security incidents.

Question 2 of 20

An organization seeks a solution to automate vulnerability assessments and ensure consistent security configurations across various systems and tools. Which of the following would BEST help achieve this goal?

  • Deploy an Endpoint Detection and Response solution

  • Utilize a Configuration Management Database (CMDB)

  • Implement the Security Content Automation Protocol (SCAP)

  • Set up a Network Access Control system

Question 3 of 20

Which of the following is a decoy system designed to attract and analyze the behavior of attackers?

  • Honeypot

  • Honeynet

  • Honeyfile

  • Honeytoken

Question 4 of 20

When setting up a network device monitoring strategy, which approach enables the automatic receipt of alerts upon specific event occurrences without requiring a management system to initiate a check?

  • Implementing a widely-used, original version of the network management protocol to ensure compatibility.

  • Adopting a notification-by-acknowledgment mode for transmitting event data from network devices.

  • Scheduling the management system to regularly query the network devices for updates.

  • Enabling the network devices to send notifications independently using an advanced version emphasizing security with authentication and encryption.

Question 5 of 20

What is it called when a business opts to take no action in response to a risk following an assessment?

  • Transfer

  • Accept

  • Avoid

  • Mitigate

Question 6 of 20

During a risk assessment it was concluded that the value of an asset was less than the cost of the security control needed to protect it from an identified risk. Because of this, it has been decided not to use the control but still utilize the asset. What type of risk management strategy is being used?

  • Avoidance

  • Mitigation

  • Acceptance

  • Transference

Question 7 of 20

Your organization has decided to migrate to a cloud service model. As the IT security professional, you are reviewing the shared responsibility matrix provided by the potential cloud service provider. According to the matrix, which of these responsibilities would typically be managed by your organization rather than the provider in an Infrastructure as a Service (IaaS) model?

  • Patching of the host operating system

  • Environmental control of the hardware

  • Physical security of the data center

  • Virtualization platform management

Question 8 of 20

Which of the following best describes controls that are designed to establish security policies, procedures, and guidelines?

  • Operational Controls

  • Technical Controls

  • Physical Controls

  • Managerial Controls

Question 9 of 20

A company's primary security measure for their sensitive server room is a biometric access control system. Due to a recent natural disaster, the biometric system is temporarily unavailable. Which of the following would be the BEST compensating control to implement immediately to ensure that only authorized personnel can access the server room while maintaining a similar level of security?

  • Implement a sign-in/out log that is monitored by a security guard.

  • Set up a temporary key code lock on the server room door.

  • Replace the biometric system with a standard key lock.

  • Disable access to the server room until the system is repaired.

  • CCTV

Question 10 of 20

An organization wants to ensure that its employees adhere to the company's acceptable use guidelines. Which of the following controls would BEST help achieve this goal?

  • Encrypting network communications with SSL/TLS.

  • Setting up surveillance cameras in work areas.

  • Installing antivirus software on all employee computers.

  • Implementing security policies and conducting regular compliance audits.

Question 11 of 20

You administer several customer-facing web applications hosted at account.example.com, checkout.example.com, and helpdesk.example.com. You want each subdomain to present a trusted HTTPS connection without requesting, tracking, or renewing a separate certificate every time a new subdomain is deployed. Which type of certificate issued by a public certificate authority best meets this requirement?

  • Multi-domain (SAN) certificate

  • Root certificate

  • Self-signed certificate

  • Wildcard certificate

Question 12 of 20

An organization's network has been infected with software that propagates itself across computers, encrypting files and demanding payment for the decryption key. Which of the following BEST describes this type of malicious code?

  • Ransomware

  • Virus

  • Worm

  • Trojan

Question 13 of 20

What is the primary benefit of using containerization in a security architecture?

  • It integrates all applications into one operating system for better performance.

  • It automates the process of data recovery.

  • It isolates applications to enhance security and manageability.

  • It completely eliminates the need for physical servers.

  • It allows unlimited data storage capacity.

  • It ensures that applications have direct access to hardware resources.

Question 14 of 20

During a recent audit of security logs, an analyst discovers that certain log entries are sporadically missing over the past month. Understanding the importance of logs for detecting and troubleshooting anomalies, which of the following is the BEST explanation for the missing logs?

  • Time synchronization issues between servers

  • Scheduled maintenance activities

  • Log tampering by an unauthorized party

  • Log rotation configured without proper archiving

Question 15 of 20

A systems administrator observes that every Friday afternoon, right after the stock market closes, a series of unauthorized transactions and excessive resource utilization occurs on a finance company's trading application server. What type of malware is most likely responsible for this recurring incident?

  • Worm

  • Logic bomb

  • Spyware

  • Trojan

Question 16 of 20

You receive a call and the caller ID indicates that it is from your bank. You answer and are told that your account has been compromised. The person on the phone says that before they can proceed you need to verify your account number and security PIN. What term best describes this type of social engineering attack?

  • Whaling

  • Smishing

  • Phishing

  • Vishing

  • Spear phishing

Question 17 of 20

An organization is conducting a Business Impact Analysis. Which metric should be determined to establish the maximum time frame that a critical system can be disrupted before severe impact to business operations occurs?

  • Establishing the data backup frequency is necessary for scheduling maintenance windows.

  • Determining the maximum tolerable downtime for critical systems, otherwise known as the Recovery Time Objective, is essential for prioritizing their restoration.

  • Assessing the annual likelihood of a system failure occurring will forecast the potential interruptions in operations.

  • Calculating the cost of system outages per day can provide insight into potential financial losses.

Question 18 of 20

Which statement BEST describes an organization's obligation to comply with a country's information-security laws and regulations when it conducts business within that country's borders?

  • An organization can choose which nation's laws it will follow, provided it documents the decision in a written risk acceptance.

  • Compliance is required only if the organization stores data physically inside the country's borders; remote or cloud-based activities are exempt.

  • They apply to any organization that conducts business or processes data within the country, regardless of where the organization is headquartered.

  • They apply only to organizations that are incorporated in that country; foreign firms may rely solely on their home-country laws.

Question 19 of 20

XYZ Corporation utilizes a primary and secondary data center for their mission-critical systems to maintain uptime in case of failure. When the primary data center experiences an outage, systems automatically switch to the secondary data center without manual intervention. Which type of failover strategy is XYZ Corporation employing?

  • Active-active configuration

  • Automatic failover

  • Active-passive configuration

  • Manual failover

Question 20 of 20

Which social engineering attack is most effectively combated by implementing strong organizational verification procedures and training employees to confirm requests through multi-channel verifications?

  • Phishing

  • Shadow IT

  • Piggybacking

  • Business Email Compromise (BEC)