CompTIA Security+ Practice Test (SY0-701)
CompTIA Security+ SY0-701 (V7) Information
CompTIA Security+ Certification Exam Overview
The CompTIA Security+ certification is a vendor-neutral credential that validates foundational security skills and knowledge. The current version of the exam is SY0-701. The SY0-701 exam is a computer-based test that consists of up to 90 questions, with a duration of 90 minutes. Candidates must achieve a minimum passing score of 750 points on a scale of 100-900.
Question Types on the Security+ Exam
The Security+ exam includes two primary types of questions:
- Multiple-Choice/Multiple-Selection Questions: These questions require candidates to select one or more correct answers from a list of options.
- Performance-Based Questions (PBQs): These questions involve solving problems in a simulated IT environment, such as command prompt or networking environments. PBQs are also featured in other CompTIA exams, like A+ and Network+.
Exam Prerequisites
CompTIA does not enforce any prerequisites for the Security+ exam. However, it is recommended that candidates have the CompTIA Network+ certification and at least two years of experience in IT administration with a focus on security. Additionally, CompTIA suggests that candidates be at least 13 years old.
Security+ Exam Domains
The SY0-701 exam focuses on five primary domains:
- General Security Concepts (12%)
- Threats, Vulnerabilities, and Mitigations (22%)
- Security Architecture (18%)
- Security Operations (28%)
- Security Program Management and Oversight (20%)
These domains are detailed in the exam objectives, which outline the scope of the test, including domain weighting, test objectives, and example topics.
Exam Renewal Policy
The Security+ certification, along with other CompTIA certifications, must be renewed every three years. The bridge exam scheme was retired on December 31, 2010; since January 1, 2011, all new certifications have been valid for three years from the date of certification. Renewal can be achieved by passing the latest version of the exam or through the Continuing Education (CE) program, which allows candidates to keep their skills current through activities that demonstrate industry knowledge.
Testing Centers
CompTIA exams, including Security+, have been delivered exclusively through Pearson VUE since July 9, 2012. Exams can be scheduled online, by phone, or at the testing center. Candidates can choose between in-person exams at Pearson VUE centers and online testing.
The CompTIA Security+ certification ensures that IT professionals possess the essential security skills and knowledge required to protect and manage today's increasingly complex IT environments.
Free CompTIA Security+ SY0-701 (V7) Practice Test
A large multinational corporation is experiencing a persistent wave of cyber-attacks characterized by website defacements and data leaks. These incidents are accompanied by messages expressing opposition to the corporation's involvement in various international projects. What type of threat actor is most likely responsible for these activities?
Hacktivist
Organized crime
Nation-state
Insider threat
Answer Description
The correct answer is Hacktivist. Hacktivists are often motivated by philosophical or political beliefs, which lead them to target organizations or governments that they perceive as acting against their values or agendas. The nature of these attacks, including website defacements and the public spreading of messages, is typical of hacktivist groups that aim to broadcast a political message or to create awareness of their cause. The other options listed do not align as closely with the details given.
As the lead security analyst at a financial institution, you have been tasked with evaluating the effectiveness of the implemented security controls. During the audit, you need to verify that access control policies are correctly enforced and that there are no deviations from the standard configurations across all servers. Which of the following audit practices would be the MOST effective for this purpose?
Conducting a configuration audit
Undertaking an operational audit
Executing a financial audit
Performing a performance audit
Answer Description
A configuration audit specifically assesses configurations against established security baselines and policies, ensuring that systems are compliant with the required security settings. This would detect deviations in access control policies and configurations from the standard across servers. A performance audit, while it assesses the efficiency and effectiveness of an organization's processes, would not focus solely on security settings and policies. A financial audit is concerned with the financial accounts and transactions of an organization, and while an operational audit evaluates the operational aspects of an organization, it does not concentrate on access control policies and system configurations to the extent necessary for the given task.
You are a security consultant for a small company. The owner says attackers recently gained access to the company's email account. Soon after, the attackers took control of the company's website and say they will restore it only after they receive a payment. The hosting provider confirms that the web servers are healthy and no unusual logins have occurred, yet users cannot reach the company's site. Based on this information, which type of attack has most likely been carried out against the website?
DNS hijacking
Cross-site scripting (XSS)
Session hijacking
Man-in-the-middle (MitM)
Answer Description
The symptoms point to DNS hijacking. By compromising the organization's domain-registrar or authoritative DNS settings, the attackers redirected the company's domain away from its legitimate web servers. Because the web servers are still functioning and no suspicious logins are recorded, the problem lies with the DNS records, not the host itself. Man-in-the-middle, session hijacking, and cross-site scripting would not make the site completely unreachable or allow the attackers to demand a ransom for restoring access to the entire domain.
A security operations center (SOC) manager notices that analysts spend significant time manually reviewing logs from firewalls, servers, and intrusion-detection systems. To accelerate incident detection and improve response times, which type of system should the organization deploy to automatically correlate and analyze security events from these diverse sources?
A threat intelligence platform
A compliance reporting tool
A Security Information and Event Management (SIEM) solution
A network protocol analyzer
Answer Description
A Security Information and Event Management (SIEM) solution centrally collects, stores, and analyzes log and event data from many devices, applies correlation rules, and generates alerts, enabling faster, more accurate incident detection. Threat-intelligence platforms focus on aggregating external threat feeds rather than internal event correlation; network protocol analyzers (sniffers) capture raw packets for troubleshooting but do not perform multi-source event analytics; compliance reporting tools generate regulatory reports and lack real-time correlation features.
During a security assessment, a consultant documents every web API, open port, user interface, and wireless connection that an attacker could attempt to leverage to compromise the organization's network. Which term best describes this collection of potential entry points?
Security perimeter
Risk exposure
Defense in depth
Attack surface
Answer Description
The correct answer is Attack surface. The attack surface encompasses all possible points where an attacker could attempt to access or extract data from a system. By identifying and minimizing the attack surface, organizations can reduce the risk of security breaches.
- Security perimeter refers to the boundary that separates the protected environment from the outside world.
- Defense in depth is a layered security approach that implements multiple security measures.
- Risk exposure pertains to the potential loss resulting from threats exploiting vulnerabilities, not the vulnerabilities themselves.
A security administrator is reviewing protection mechanisms for a database containing sensitive financial records. The main concern is that an attacker could steal the server's hard drives and access the database files directly. To mitigate this specific threat, which security control should the administrator prioritize?
Data in transit encryption
Data in use encryption
Data masking
Data at rest encryption
Answer Description
The scenario describes a threat to data that is stored on physical media (hard drives), which is known as 'data at rest'. Therefore, implementing data at rest encryption is the appropriate control to ensure the data is unreadable if the drives are stolen. Data in transit encryption protects data as it moves over a network, which does not apply to stolen physical media. Data in use encryption protects data while it is being actively processed in memory (RAM), not while it is stored on a disk. Data masking is a technique used to substitute sensitive data with fictitious data, typically for development or testing, and it does not protect the original source data files from being read if they are stolen.
When using security controls, at times you will need additional controls to make up for the shortcomings of existing controls. What kind of control is this called?
Compensating
Corrective
Preventive
Detective
Answer Description
When an existing security control is found to not mitigate risk down to an acceptable level, a compensating control can be used to bring the risk to the desired level.
Crucial Technologies has an outside team coming in to conduct penetration testing. It has been decided that the engagement is going to be black box testing. This type of testing involves which of the following?
Known environment
Unknown environment
Partially known environment
Fully known environment
Answer Description
When a penetration test is black box testing, no prior knowledge is given to the testers. They go into the test with a completely unknown environment.
Which of the following cryptographic attacks specifically involves finding two different inputs that produce the same hash output?
Downgrade attack
Collision attack
Birthday attack
Man-in-the-middle attack
Answer Description
A collision attack occurs when an attacker finds two distinct inputs that hash to the same output. This undermines the uniqueness property of a hash function, which is critical for tasks like verifying the integrity of data or digital signatures. Downgrade attacks involve forcing a system to abandon a higher security level in favor of a lower, less secure state. Birthday attacks exploit the mathematics behind the birthday problem in probability theory to find collisions in hash functions, but do not necessarily find two distinct inputs that produce the same hash output; they are just more likely to find a collision given a certain number of attempts. Collision attacks directly find the two distinct inputs.
Which of the following is the most direct benefit of providing regular security awareness training to all employees in an organization?
It removes the need for technical security controls such as firewalls.
It completely prevents all forms of social engineering attacks without further action.
It increases employee compliance with corporate security policies and procedures.
It shifts all information-security responsibility to the IT department alone.
Answer Description
Security awareness training educates personnel about corporate security policies, common threats, and safe practices. By making employees aware of their responsibilities and the consequences of non-compliance, organizations see higher adherence to security policies and procedures. Training does not eliminate the need for technical controls, guarantee perfect security, or shift responsibility to a single department; instead, it complements other controls by improving human behavior and reducing policy violations.
Which of the following BEST describes a logic bomb in the context of malicious code?
A candidate should recognize how a logic bomb behaves compared with other common malware types.
Continuously records every keystroke typed by the user and sends the data to an attacker.
Immediately encrypts user data upon infection and demands payment for decryption.
Executes its malicious payload only when a predefined condition (date, event, or system state) is met.
Automatically replicates itself across network hosts without user interaction.
Answer Description
A logic bomb remains dormant until a predefined condition, such as a specific date, time, system state, or user action, is met, at which point it executes its malicious payload. It does not replicate like a worm, continuously collect keystrokes like a keylogger, or immediately encrypt files for ransom. Its defining feature is conditional activation.
A software development team has decided to rearchitect its customer-facing web application to improve scalability and security. They plan to break the application into a set of small, independently deployable services, with each service focused on a single business capability and communicating through lightweight REST APIs. Which architecture model are they adopting?
Function as a Service (FaaS)
Microservices
Monolithic Architecture
Service-Oriented Architecture (SOA)
Answer Description
The correct answer is 'Microservices' because this pattern organizes an application as a suite of small, independently deployable services that communicate through lightweight mechanisms and are each built around a distinct business capability. Monolithic architecture combines all components into one tightly coupled application, Function as a Service focuses on single event-driven functions within a serverless platform, and Service-Oriented Architecture refers to a broader, service-based integration approach that does not necessarily require fine-grained, independently deployable services.
Under industry-recognized change-management best practices, how should an IT operations team handle minor configuration adjustments (such as tweaking an application parameter or updating a log path) in order to maintain security and accountability?
Only emergency changes require documentation; routine or minor changes can be applied directly to production systems without formal review.
Minor configuration changes may skip the change-management process as long as they are performed by senior administrators and recorded in personal notes.
The change-management process is required only when introducing new hardware platforms; software configuration tweaks are exempt.
All configuration changes, including minor adjustments, must be documented and processed through the established change-management workflow, even if the review is expedited.
Answer Description
Best practice requires that every change to a production system be routed through the organization's documented change-management process. Even though minor or "standard" changes may follow a streamlined or pre-approved workflow, they must still be logged, evaluated for risk, and retained in change records so that the environment can be audited, problems traced, and rollbacks performed if necessary. Allowing any change, no matter how small, to bypass documentation undermines accountability and can introduce hidden vulnerabilities.
A finance department employee receives an instant message from what appears to be a senior executive asking for verification of their login credentials to resolve an urgent issue. What type of attack is the employee experiencing?
Denial-of-Service
Man-in-the-Middle
Vishing
Phishing
Answer Description
Phishing involves sending deceptive messages, like instant messages, to trick individuals into revealing sensitive information such as login credentials. In this scenario, the attacker impersonates a senior executive to gain trust and elicit the employee's credentials, which is characteristic of a phishing attack. Vishing refers to phishing conducted via voice calls, Denial-of-Service attacks aim to disrupt service availability, and Man-in-the-Middle attacks involve intercepting communications between two parties without their knowledge.
A cybersecurity analyst at a multinational corporation is tasked with reviewing the company's compliance posture. The company operates in the healthcare, finance, and retail sectors across North America and Europe. Which of the following statements accurately describes the regulatory landscape the analyst must consider?
The company must comply with a complex mix of sector-specific and region-specific regulations, such as HIPAA, GLBA, and GDPR.
Regulatory obligations are standardized globally by the ISO 27001 framework, making compliance uniform across all sectors.
The company can achieve global compliance by adhering to the single most stringent regulation, such as GDPR.
The company is only subject to the laws of the country where its corporate headquarters is located.
Answer Description
The correct statement is that the company must comply with a complex mix of sector-specific and region-specific regulations. For instance, its healthcare operations in the U.S. would be subject to the Health Insurance Portability and Accountability Act (HIPAA), while its financial services would need to comply with the Gramm-Leach-Bliley Act (GLBA). Retail operations handling payment cards must adhere to the Payment Card Industry Data Security Standard (PCI DSS). Furthermore, because the company deals with data from European citizens, it must comply with the General Data Protection Regulation (GDPR), which has extraterritorial scope. Regulations are not uniform; they are tailored to specific industries and geographical locations. Adhering only to the strictest regulation or the laws of the headquarters' country is insufficient, and ISO 27001 is a framework, not a replacement for legal statutes.
A healthcare company needs to ensure the privacy of its patients' health records. When deploying a new online patient portal, which measure is most effective for protecting the privacy of health records while they are being accessed and transmitted through the portal?
Applying data masking techniques to the records before storage
Encrypting data in transit
Implementing geographic restrictions on where the health records can be accessed
Requiring multi-factor authentication for user access to the portal
Answer Description
Encrypting data in transit is the most effective measure because it prevents unauthorized parties from intercepting and reading health information as it travels over the network. Data masking mainly protects data in storage or non-production environments, geographic restrictions primarily address legal or compliance boundaries, and multi-factor authentication verifies user identity but does not protect the content of data packets during transmission.
A company's proprietary application is critical for daily operations, but it runs on an operating system that no longer receives vendor updates. The company's IT team is currently unable to upgrade the system or migrate the application due to compatibility issues. What is the most effective risk mitigation strategy the IT team should implement to secure the legacy system against potential threats?
Conduct regular security audits on the system to ensure compliance with security policies
Increase security monitoring specifically targeting the unsupported system to detect anomalies
Encourage users to employ stronger passwords for system access
Implement network segmentation and restrict the system's network connectivity to essential services
Answer Description
Implementing network segmentation and limiting the legacy system's connectivity to essential services is the correct answer. This approach reduces the risk of attacks from both internal and external threat vectors, as it would prevent the potentially compromised system from affecting unrelated parts of the network. While increasing security monitoring is a useful tactic, it does not directly mitigate the exposure of the legacy system to threats. Conducting regular security audits on the system is a good practice, but it does not provide real-time protection against threats. Encouraging the use of strong passwords is important but does not address the specific risks associated with an unsupported operating system.
What term is used to describe the enhancement of a security team's effectiveness by employing tools and methods that allow fewer staff members to manage more resources?
Staff scaling
Workforce multiplier
Team augmentation
Resource allocation
Answer Description
The term 'Workforce multiplier' refers to methods and tools that extend the effectiveness and efficiency of a security team, enabling them to handle more work with fewer resources. This is crucial for modern security operations where the volume of threats and alerts can be overwhelming for small teams. By using automation, orchestration, and other advanced tools, even a limited staff can effectively manage and secure a large set of resources.
A security analyst is reviewing intrusion detection system logs and must correlate them with recorded network traffic to determine the scope of a suspected breach. Which of the following data will be MOST useful for matching the IDS alert timestamps to the captured traffic?
Traffic flow metadata collected from network devices such as switches and routers
User account changes logged in the authentication server records
Application error messages captured by the system's event logs
Device configuration settings from the network management system
Answer Description
Traffic-flow metadata, such as timestamps, source and destination IP addresses, and port numbers, directly aligns network conversations with IDS alert times, making it the most effective data set for correlation. Logs of user account changes, device configuration files, and application error messages provide context but do not map cleanly to specific network sessions, so they are less helpful for time-based traffic correlation.
A systems administrator observes that every Friday afternoon, right after the stock market closes, a series of unauthorized transactions and excessive resource utilization occurs on a finance company's trading application server. What type of malware is most likely responsible for this recurring incident?
Trojan
Worm
Logic bomb
Spyware
Answer Description
A logic bomb is a type of malware that is designed to execute a malicious action when certain conditions are met, such as a specific time or event. The recurring nature of the incident every Friday suggests that it is triggered by a time-based event, characteristic of a logic bomb. Other types of malware like Trojans, worms, or spyware do not have this inherent behavior tied to a specific condition and typically execute or propagate without a specific trigger event.