CompTIA Security+ Practice Test (SY0-701)
CompTIA Security+ SY0-701 Information
CompTIA Security+ Certification Exam Overview
The CompTIA Security+ certification is a vendor-neutral credential that validates foundational security skills and knowledge. The current version of the exam is SY0-701. The SY0-701 exam is a computer-based test that consists of up to 90 questions, with a duration of 90 minutes. Candidates must achieve a minimum passing score of 750 points on a scale of 100-900.
Question Types on the Security+ Exam
The Security+ exam includes two primary types of questions:
- Multiple-Choice/Multiple-Selection Questions: These questions require candidates to select one or more correct answers from a list of options.
- Performance-Based Questions (PBQs): These questions involve solving problems in a simulated IT environment, such as command prompt or networking environments. PBQs are also featured in other CompTIA exams, like A+ and Network+.
Exam Prerequisites
CompTIA does not enforce any prerequisites for the Security+ exam. However, it is recommended that candidates have the CompTIA Network+ certification and at least two years of experience in IT administration with a focus on security. Additionally, CompTIA suggests that candidates be at least 13 years old.
Security+ Exam Domains
The SY0-701 exam focuses on five primary domains:
- General Security Concepts (12%)
- Threats, Vulnerabilities, and Mitigations (22%)
- Security Architecture (18%)
- Security Operations (28%)
- Security Program Management and Oversight (20%)
These domains are detailed in the exam objectives, which outline the scope of the test, including domain weighting, test objectives, and example topics.
Exam Renewal Policy
The Security+ certification, along with other CompTIA certifications, must be renewed every three years. The bridge exam scheme was retired on December 31, 2010. Post-January 1, 2011, all new certifications are valid for three years from the date of certification. Renewal can be achieved by passing the latest version of the exam or through the Continuing Education (CE) program. This program allows candidates to keep their skills current through various activities that demonstrate industry knowledge.
Testing Centers
CompTIA exams, including Security+, are available exclusively through Pearson VUE testing centers since July 9, 2012. Exams can be scheduled online, by phone, or at the testing center. Candidates can choose between in-person exams at Pearson VUE centers or online testing.
The CompTIA Security+ certification ensures that IT professionals possess the essential security skills and knowledge required to protect and manage today's increasingly complex IT environments.
Free CompTIA Security+ SY0-701 Practice Test
- Questions: 15
- Time: Unlimited
- Included Topics: General Security Concepts; Threats, Vulnerabilities, and Mitigations; Security Architecture; Security Operations; Security Program Management and Oversight
Which type of security control is primarily intended to discourage a potential attacker from attempting to breach your security perimeter?
- Detective
- Corrective
- Deterrent
- Compensating
- Preventive
- Directive
Answer Description
A deterrent control is designed to discourage potential attackers from attempting a security breach, making it the correct answer. Deterrent controls include things like warning signs or false/visible security measures that increase the perceived risk for attackers.
A company is evaluating options for remote employees to securely access the corporate network. Which of the following solutions would provide the BEST security for sensitive corporate data while maintaining reliable connectivity?
- Utilizing remote access software without two-factor authentication for user convenience
- Installing a jump server that remote employees can connect to before accessing the corporate network
- Allowing remote access through a basic tunneling protocol with no additional encryption
- Implementing a Virtual Private Network (VPN) with strong encryption standards for remote connections
Answer Description
A Virtual Private Network (VPN) creates a secure tunnel between the remote user's device and the corporate network, encrypting data in transit, which helps protect sensitive corporate data from eavesdropping and man-in-the-middle attacks. Remote access and tunneling protocols can be part of a VPN solution, emphasizing the importance of encryption and a secure tunnel. A jump server, even though it acts as a bridge between different security zones, does not inherently encrypt traffic and is less suited as a comprehensive solution for remote employees' secure connectivity.
As a security administrator, you've implemented a new company policy to review firewall logs daily. During this review, you notice numerous login attempts from foreign IP addresses outside of business hours. Based on this information, which of the following actions should be prioritized to enhance network security?
- Review the latest operating system patches for all company servers
- Conduct an additional security awareness training session focusing on foreign cyber threats
- Update the firmware on the firewall to the latest version
- Configure account lockout thresholds to prevent brute-force attacks
Answer Description
While all the options might be relevant in different scenarios, the priority action would be to configure account lockout thresholds to prevent brute-force attacks since the observed behavior suggests an attempt to gain unauthorized access by trying multiple combinations of usernames and passwords. Updating firewall firmware and reviewing OS patch levels are routine maintenance tasks that do not directly address the issue of unauthorized access attempts. While conducting user security awareness training is important, it doesn't directly mitigate the observed login attempts from foreign IP addresses.
The Information Security Policies should be reviewed and updated on a one-time basis only to ensure their effectiveness over time.
- True
- False
Answer Description
Information Security Policies need to be monitored and reviewed on a recurring basis, not just one-time. This is because the threat landscape, technology, and business processes are continually evolving, and policies must adapt to remain effective. A one-time review would not suffice to accommodate the dynamic nature of information security.
An employee in a financial institution accidentally visited a website by mistyping the URL of a popular financial news portal. Subsequently, the employee reported that their workstation displayed unusual behavior, such as the browser opening on its own and displaying advertisements. The IT security team suspects a security incident through domain impersonation. What is the likely method used by the threat actor to compromise the employee's workstation?
- Domain kiting
- Typosquatting
- Phishing attempt through a deceptive email
- Domain slamming
Answer Description
Typosquatting relies on users making mistakes while typing a URL, leading them to land on a malicious site that mimics a legitimate one. Once the user visits the fake website, the threat actor can carry out various malicious activities, including malware infection. Misspelled variants of legitimate URLs are a hallmark of this technique; therefore, visiting a website with a misspelled URL that resulted in these symptoms indicates a typosquatting attack. Misdirection and phishing attempts, while also deceptive, typically involve more direct interaction, such as fake emails or links, not the accidental misspelling of a URL. Similarly, domain kiting and domain slamming are related to domain registration practices, not user typos.
Which state describes information that is being processed by an application?
- Data in use
- Data at rest
- Encrypted data
- Data in transit
Answer Description
The correct answer is 'Data in use'. Data in use refers to information that is currently being processed by an application, being in the immediate memory or CPU, and it is not at rest or in the process of being transmitted. 'Data at rest' describes data that is stored on a physical medium and is not actively being accessed or processed. 'Data in transit' refers to data that is moving through the network or telecommunication channels. 'Encrypted data' is a state that can apply to any of the three data states (at rest, in use, or in transit) and merely specifies that the data is encrypted, not that it is being processed by an application.
A company is planning to implement a new online transaction processing system that will handle sensitive customer payment information. The system is expected to be highly available and scalable during peak transaction periods. To meet these requirements while considering security, which architecture model should the company consider adopting?
- Microservices
- Monolithic
- Serverless
- On-premises
Answer Description
The correct answer is 'Microservices' because this architecture model provides the ability to scale components independently and ensure high availability. Microservices facilitate continuous delivery and deployment practices that are ideal for online transaction systems with variable load patterns. This architecture enables quick updates and robust security measures for each service without affecting the entire system. 'Monolithic' architecture would be challenging to scale and update without downtime, making it less suitable for high-availability systems. 'Serverless' focuses on event-driven execution, which may lead to unpredictable costs for high-traffic systems and may have limitations around compliance control. 'On-premises' is not an architecture model; it is a deployment method that can still use various architectural models, including microservices.
During a security assessment, you identified that an employee's desktop application for managing customer data allows for executing arbitrary database queries by modifying inputs within the application. This vulnerability can be exploited by attackers to manipulate or exfiltrate sensitive data from the company database. Which specific type of vulnerability does this scenario describe?
- Buffer overflow
- Cross-site scripting (XSS)
- Directory traversal
- SQL injection (SQLi)
Answer Description
The correct answer is SQL injection (SQLi). This occurs when an attacker is able to insert or manipulate SQL queries using input fields exposed by the application. It is a form of injection attack that makes it possible to execute malicious SQL statements that can control a web application's database server.
Which authentication protocol uses a ticket-granting service as part of its mechanism to provide access to resources across a network?
- Kerberos
- Simple Sign-On
- Network Access Token
- Direct Access
Answer Description
Kerberos is known for using a trusted third-party ticket-granting service to provide secure access to resources. It mitigates the risk of eavesdropping and replay attacks by avoiding the need to transmit passwords over the network. Instead, a client requests an access ticket from the ticket-granting service, which, if granted, allows the client to access the desired service using that ticket. In contrast, Direct Access grants remote access to internal networks over IPv6 transition technologies; Simple Sign-On represents a one-time authentication process across multiple systems, which is not particularly related to ticket granting; and Network Access Token is a made-up term not associated with a real-world authentication protocol.
Which of the following BEST describes the responsibility of an Owner in the context of data management and protection within an organization?
- Conducting periodic audits and reviews of access controls and security measures
- Designing and implementing the system's technical architecture that supports data processing requirements
- Determining the classification of the data and the necessary controls for its protection
- Executing routine tasks such as data backups and applying security patches to the data management systems
Answer Description
The Owner of a system or data is primarily responsible for determining the classification of the data and the controls necessary to protect it. They make decisions on how the data should be handled, dictate access controls, and are often decision-makers on acceptable risk levels for their data. While they may delegate certain tasks to others like Custodians or Processors, the Owner retains the ultimate responsibility for the data's security.
In the event of failure, the external firewall is configured to stop allowing traffic to pass through. This is an example of what concept?
- Fail-safe
- Fail-closed
- Fail-on
- Fail-open
Answer Description
If a system is configured to fail-closed (also called fail-secure), then in the event of a failure it will "close" and no longer allow access or pass traffic.
During a routine audit, your security team has discovered an unauthorized active directory tool being used by the marketing department to synchronize contact information across platforms. The team suspects that this is a case of Shadow IT. What is the PRIMARY risk associated with this discovery?
- Security breaches due to unauthorized applications bypassing organizational security processes
- Increased IT budget due to additional user licenses required for the unauthorized tool
- Decreased usage of IT-approved communication tools
- Increased productivity and efficiency within the marketing department
Answer Description
The primary risk associated with Shadow IT is the potential for security breaches due to the use of unauthorized applications or systems that have not been vetted by the organization's security protocols. These tools might not be compliant with the organization’s security policies, may not be regularly patched or updated, and could lead to the exposure of sensitive data.
Which type of attack involves attempting every possible combination of letters, numbers, and symbols until the correct password is found, often leading to unauthorized system access?
- Phishing
- Brute force attack
- Dictionary attack
- Spoofing
Answer Description
A brute force attack is a trial-and-error method used to decode encrypted data such as passwords. This type of attack systematically checks all possible combinations to discover the correct one, which can eventually allow an attacker to gain unauthorized access. This definition aligns with the description of a brute force attack.
A screened subnet is intended to act as an isolated network segment separating a private network from untrusted external networks.
- False
- True
Answer Description
The correct answer is true. A screened subnet, typically known as an area outside the internal network but inside the external firewall, is designed to host services that need to be accessible from both internal users and the public internet. By isolating this network segment, organizations create an additional security layer. Traffic between the internal network and the external networks, such as the internet, must go through this subnet, which is controlled by firewalls to ensure proper security measures are in place and direct connectivity is restricted.
A financial organization is transitioning its customer-facing portal to a cloud-based service. Considering the data's sensitive nature and regulatory compliance needs, which task would typically be under the organization's control after the migration?
- Maintaining the environmental controls such as humidity and temperature within the data center.
- Ensuring the physical servers hosting the service are up-to-date with the latest firmware patches.
- Implementing secure coding practices and patch management for the portal's codebase.
- Upgrading network infrastructure components like routers and switches to support higher data throughput.
Answer Description
Since the question context is a cloud service environment without specifying the model, it's important to choose a task that's universally in the customer's purview. Patch management for applications and ensuring the security of the client's data are responsibilities that generally fall to the customer, regardless of the cloud service model they are using. The cloud provider is commonly responsible for the physical infrastructure, but responsibility for application-level security measures, including secure coding practices, remains with the customer.