CompTIA Security+ Practice Test (SY0-701)
Use the form below to configure your CompTIA Security+ Practice Test (SY0-701). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

CompTIA Security+ SY0-701 Information
CompTIA Security+ Certification Exam Overview
The CompTIA Security+ certification is a vendor-neutral credential that validates foundational security skills and knowledge. The current version of the exam is SY0-701. The SY0-701 exam is a computer-based test that consists of up to 90 questions, with a duration of 90 minutes. Candidates must achieve a minimum passing score of 750 points on a scale of 100-900.
Question Types on the Security+ Exam
The Security+ exam includes two primary types of questions:
- Multiple-Choice/Multiple-Selection Questions: These questions require candidates to select one or more correct answers from a list of options.
- Performance-Based Questions (PBQs): These questions involve solving problems in a simulated IT environment, such as command prompt or networking environments. PBQs are also featured in other CompTIA exams, like A+ and Network+.
Exam Prerequisites
CompTIA does not enforce any prerequisites for the Security+ exam. However, it is recommended that candidates have the CompTIA Network+ certification and at least two years of experience in IT administration with a focus on security. Additionally, CompTIA suggests that candidates be at least 13 years old.
Security+ Exam Domains
The SY0-701 exam focuses on five primary domains:
- General Security Concepts (12%)
- Threats, Vulnerabilities, and Mitigations (22%)
- Security Architecture (18%)
- Security Operations (28%)
- Security Program Management and Oversight (20%)
These domains are detailed in the exam objectives, which outline the scope of the test, including domain weighting, test objectives, and example topics.
Exam Renewal Policy
The Security+ certification, along with other CompTIA certifications, must be renewed every three years. The bridge exam scheme was retired on December 31, 2010. Post-January 1, 2011, all new certifications are valid for three years from the date of certification. Renewal can be achieved by passing the latest version of the exam or through the Continuing Education (CE) program. This program allows candidates to keep their skills current through various activities that demonstrate industry knowledge.
Testing Centers
CompTIA exams, including Security+, have been available exclusively through Pearson VUE testing centers since July 9, 2012. Exams can be scheduled online, by phone, or at the testing center. Candidates can choose between in-person exams at Pearson VUE centers or online testing.
The CompTIA Security+ certification ensures that IT professionals possess the essential security skills and knowledge required to protect and manage today's increasingly complex IT environments.
Free CompTIA Security+ SY0-701 Practice Test
- Questions: 15
- Time: Unlimited
- Included Topics: General Security Concepts; Threats, Vulnerabilities, and Mitigations; Security Architecture; Security Operations; Security Program Management and Oversight
A company wants to provide their employees flexibility to work from anywhere within their large corporate campus. As a part of this policy, employees aren’t allowed to take company equipment off of the company grounds. Which mobile device management feature should the company implement to most effectively enforce this policy?
- Application management
- Geofencing
- Geolocation
- Content management
- Remote wipe
Answer Description
Geofencing allows for the setup of a virtual perimeter which can be configured to notify if a device leaves the indicated area. This differs from geolocation which will just show the current location of a device. Geolocation could be used for the purpose in the question but is not the most effective choice.
Disabling unnecessary services and ports on a server is a recommended practice to reduce its attack surface.
- False
- True
Answer Description
Disabling unnecessary services and ports on a server is indeed a recommended best practice in the security field, as it minimizes the number of potential entry points for an attacker, thus reducing the server's attack surface. Services and ports that are not needed for the server's operation can become vulnerabilities if they are left enabled and unsecured.
What is a key benefit of implementing automation in the process of increasing an organization's computing resources?
- Allows for increased hands-on configuration time for IT staff
- Ensures consistent application of security settings and policies
- Decreases the overall cost of the IT budget
- Reduces the need for security monitoring tools
Answer Description
By using automation during the process of scaling computing resources, organizations can ensure that security baselines and policies are consistently applied across all new systems, reducing the chance of human error and maintaining security standards. This consistency is crucial as it helps in preventing configuration drift and the resulting vulnerabilities that may arise from manual intervention. Other options, albeit relevant to automation or security, do not directly address the core advantage of securing the scale-out process with automation.
Your company is engaging a vendor to develop a proprietary network security solution. Which document is primarily responsible for defining the tasks to be completed, the deliverables expected, and a timeline for when these milestones should be achieved?
- Agreement for Services
- Statement of Work
- Confidentiality Agreement
- Partnership Agreement
Answer Description
The correct document for outlining the specific tasks, deliverables, and timeline in a vendor agreement is the Statement of Work. This document plays a crucial role in setting clear expectations and project details before work commences, ensuring that both parties are aligned on what is to be delivered, when, and in what manner. An agreement for services, on the other hand, defines the level of service performance and quality assurances rather than detailing the project specifics. A confidentiality agreement focuses on the protection of proprietary and sensitive information shared during the engagement and does not detail project specifics. A partnership agreement outlines the general terms of the partnership and cooperation between two entities, which again does not focus on the provision of services for a particular project like a Statement of Work does.
Which form of access control is specifically designed to adapt in real-time to the perceived threat level, improving the security stance by continuously evaluating the risk and context associated with user access requests?
- Mandatory access control (MAC)
- Adaptive Policy-driven access control
- Discretionary access control (DAC)
- Role-based access control (RBAC)
Answer Description
Adaptive Policy-driven access control, also known as risk-adaptive access control, is correct because it incorporates real-time risk assessments based on context, such as user behavior, device security status, and data sensitivity, to adapt access permissions dynamically, thereby limiting the scope of threats by granting access based on policies that respond to perceived risk levels. While Role-based access control (RBAC) is statically designed based on predefined roles and Discretionary access control (DAC) is based on the resource owner's discretion, neither adapts dynamically to changing threat landscapes. Mandatory access control (MAC) is policy-based but not adaptive to real-time risks.
Which part of the AAA security framework refers to what a user is allowed to do on the network?
- Authorization
- Accounting
- Non-repudiation
- Authentication
Answer Description
Authorization is the component of AAA that indicates what a user is authorized to do on the network, i.e., their permissions.
A company is looking to protect its customers' credit card information within its database while still using the data for transactional processes. Which method ensures the original data cannot be derived from the information stored in the database without access to a separate mapping system?
- Tokenization
- Format-Preserving Encryption
- One-way Hashing
- Data Masking with Fixed Mask Characters
Answer Description
Tokenization transforms sensitive data into a token, which is a unique identifier that has no meaningful value outside of the tokenization system. Unlike encryption that can be reversed with the decryption key, tokenized data requires access to the original mapping in the tokenization system to convert it back, ensuring enhanced security by preventing reverse-engineering of the tokens if the database is compromised. In the case of protecting credit card information, tokenization is ideal because the tokens can be used for transactional processes without exposing actual credit card numbers.
Which technology is used to securely transmit data over untrusted networks by encrypting the data before sending it?
- File transfer protocol (FTP)
- Virtual Private Network (VPN)
- Remote desktop
- Secure Shell (SSH)
Answer Description
The correct answer is Virtual Private Network (VPN) because it ensures that data transmitted over an unsecured network is encrypted and thus kept secure from interception. A VPN creates a secure tunnel for data packets to travel through an untrusted network, such as the internet, by encrypting the data before it is sent and decrypting it upon receipt.
Remote desktop is incorrect because it is a service that allows a user to connect to and control a computer from a remote location, but by itself does not provide encryption of data in transit.
File transfer protocol (FTP) is incorrect as it is used to transfer files between computers on a network but does not inherently provide encryption for data in transit.
Secure Shell (SSH) is incorrect because, while it does provide secure data communication through encryption, it is mainly intended for secure command execution and file transfer on remote computers, not for creating secure tunnels for general data traffic like a VPN does.
Which of the following techniques involves replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security?
- Encryption
- Tokenization
- Salting
- Anonymization
Answer Description
Tokenization is the correct method for replacing sensitive data with a unique identifier that is not sensitive, known as a token, which has no extrinsic or exploitable meaning or value. The process allows businesses to work with the essential information without exposing sensitive data—enhancing security while minimizing the impact on systems that need to use the data. Encryption, in contrast, protects data by converting it into a coded format that can be decrypted only with a key, making it different from tokenization. Salting is used to enhance the security of a hashing process by adding a unique value to the end of the password before hashing occurs, thus providing no data obfuscation or replacement on its own. Anonymization is the process of removing personally identifiable information from data sets, so that the people whom the data describe remain anonymous, which is a broader concept than tokenization and does not necessarily use a token to replace sensitive data.
An organization is considering acquiring new hardware components from an unfamiliar manufacturer. As the security analyst, you are tasked with evaluating potential risks before making the purchase. Which of the following actions should you take to conduct a thorough supply chain analysis?
- Verify that the equipment integrates with the organization's current network setup.
- Arrange a demonstration of the equipment's features by the vendor's sales team.
- Examine the vendor's component sourcing and manufacturing processes for security vulnerabilities.
- Investigate the vendor's compliance with international trade regulations and industry standards.
Answer Description
Examining the vendor's component sourcing and manufacturing processes for security vulnerabilities is essential in a supply chain analysis. This helps identify risks such as counterfeit parts, tampered hardware, or insecure manufacturing practices that could compromise the organization's security. Investigating trade compliance focuses on legal and regulatory adherence, not specific security risks in the supply chain. Arranging a product demonstration assesses functionality but does not reveal underlying security issues. Verifying compatibility ensures the hardware works with existing systems but does not address potential security vulnerabilities introduced by the new hardware.
A financial company has decided to implement an additional security layer for accessing its internal customer database system to ensure that only authenticated and authorized employees can view sensitive customer information. The system now requires an access code from a hardware token in addition to the username and password. This change primarily strengthens which element of AAA?
- Authorization
- Accounting
- Authentication
- Non-repudiation
Answer Description
The correct answer is 'Authentication' because the implemented access code from a hardware token is an additional authentication factor that must be presented along with the username and password. This is known as multi-factor authentication (MFA), which significantly increases the security by requiring multiple forms of verification before granting access.
The other choices are incorrect. 'Authorization' refers to granting or denying rights to a user, resource, or service once authentication has been successful. 'Accounting' involves tracking user activities and resource usage, which could be for billing or auditing purposes. 'Non-repudiation' ensures that a person or entity cannot deny sending a message or transaction, which is not directly enhanced by the addition of a hardware token.
A security analyst notices unauthorized applications running on company-issued mobile devices. Further investigation reveals that default security features have been bypassed on these devices. Which of the following is the MOST likely cause?
- The devices are infected with malware
- The devices have outdated firmware
- The devices are connected to an unsecured Wi-Fi network
- The devices have been jailbroken
Answer Description
Jailbreaking removes the manufacturer's restrictions on mobile devices, allowing users to install unauthorized applications and bypass security features. This poses significant security risks as it can lead to the installation of unverified apps that may contain malware or compromise the device's integrity.
Outdated firmware might have vulnerabilities but does not directly lead to bypassing default security features in this manner. Malware infection could cause unauthorized applications to run but would not typically result in bypassed security features across multiple devices without additional indicators. Connecting to an unsecured Wi-Fi network exposes devices to network-based attacks but does not allow for bypassing of security features or installation of unauthorized applications on the device itself.
A system administrator has been notified that an audit has found certain files containing proprietary source code to be accessible by all employees through a shared network drive. The source code should only be accessible to members of the development team. To align with best practices for permissions management, which of the following actions should the system administrator implement FIRST to remediate this issue?
- Set up an alert system to monitor file access patterns and flag any unauthorized attempts
- Modify the permissions on the files to restrict access solely to the development team
- Disable the shared network drive until a full user account review can be performed
- Initiate a company-wide training on the importance of data confidentiality
Answer Description
The first and most effective action to address the issue is to modify the permissions on the files to ensure that only the development team has access. This alteration directly addresses the problem identified during the audit by enforcing proper access controls, thereby preventing unauthorized access to sensitive information. Disabling the shared network drive would remove access for the authorized development team and is not a precise method of access control. Performing a user account review may surface additional issues but will not rectify the immediate concern of unauthorized access to the proprietary source code. Monitoring the file access patterns is a reactive approach and would not prevent further unauthorized access.
What is a potential consequence for an organization that fails to comply with the license terms for a software product it uses?
- Password expiration
- Loss of license
- Network latency issues
- Reduction in workforce
Answer Description
Loss of license is a potential consequence for an organization that fails to adhere to the terms set forth in the license agreement of a software product. This can occur if the organization uses more copies than allowed, fails to pay the required fees, or breaches any other terms of the license. Loss of license means the organization would no longer have the legal right to use the software, which could lead to operational disruptions and the need to find alternative solutions.
What aspect of data retention policies is MOST crucial for ensuring compliance with legal and regulatory frameworks?
- The storage costs associated with different types of data
- The categorization of data as sensitive, confidential, or public
- The encryption strength used to protect data during the retention period
- The length of time that data must be stored before it can be destroyed or archived
Answer Description
Data retention timeframes are pivotal to compliance since they dictate the specific duration for which data must be stored according to various legal and regulatory frameworks. Organizations are often required to retain certain records for a defined period to comply with laws and industry regulations. Retaining data for either too short or too long a period can lead to non-compliance and associated penalties. Having too broad or too narrow scopes in retention policies can be non-compliant or inefficient, respectively, but the actual retention period is the key factor that relates directly to legal and regulatory requirements.