CompTIA Security+ Practice Test (SY0-701)
Use the form below to configure your CompTIA Security+ Practice Test (SY0-701). The practice test can be configured to include only certain exam objectives and domains. You can choose between 5 and 100 questions and set a time limit.

CompTIA Security+ SY0-701 (V7) Information
CompTIA Security+ Certification Exam Overview
The CompTIA Security+ certification is a vendor-neutral credential that validates foundational security skills and knowledge. The current version of the exam is SY0-701. The SY0-701 exam is a computer-based test that consists of up to 90 questions, with a duration of 90 minutes. Candidates must achieve a minimum passing score of 750 points on a scale of 100-900.
Question Types on the Security+ Exam
The Security+ exam includes two primary types of questions:
- Multiple-Choice/Multiple-Selection Questions: These questions require candidates to select one or more correct answers from a list of options.
- Performance-Based Questions (PBQs): These questions involve solving problems in a simulated IT environment, such as command prompt or networking environments. PBQs are also featured in other CompTIA exams, like A+ and Network+.
Exam Prerequisites
CompTIA does not enforce any prerequisites for the Security+ exam. However, it is recommended that candidates have the CompTIA Network+ certification and at least two years of experience in IT administration with a focus on security. Additionally, CompTIA suggests that candidates be at least 13 years old.
Security+ Exam Domains
The SY0-701 exam focuses on five primary domains:
- General Security Concepts (12%)
- Threats, Vulnerabilities, and Mitigations (22%)
- Security Architecture (18%)
- Security Operations (28%)
- Security Program Management and Oversight (20%)
These domains are detailed in the exam objectives, which outline the scope of the test, including domain weighting, test objectives, and example topics.
Exam Renewal Policy
The Security+ certification, along with other CompTIA certifications, must be renewed every three years. The bridge exam scheme was retired on December 31, 2010. Since January 1, 2011, all new certifications have been valid for three years from the date of certification. Renewal can be achieved by passing the latest version of the exam or through the Continuing Education (CE) program, which allows candidates to keep their skills current through various activities that demonstrate industry knowledge.
Testing Centers
Since July 9, 2012, CompTIA exams, including Security+, have been available exclusively through Pearson VUE. Exams can be scheduled online, by phone, or at the testing center. Candidates can choose between in-person exams at Pearson VUE centers or online testing.
The CompTIA Security+ certification ensures that IT professionals possess the essential security skills and knowledge required to protect and manage today's increasingly complex IT environments.
Free CompTIA Security+ SY0-701 (V7) Practice Test
- 20 questions
- Unlimited time
- Domains: General Security Concepts; Threats, Vulnerabilities, and Mitigations; Security Architecture; Security Operations; Security Program Management and Oversight
Which of the following best describes controls that are designed to establish security policies, procedures, and guidelines?
Technical Controls
Physical Controls
Managerial Controls
Operational Controls
Answer Description
Managerial controls are designed to establish security policies, procedures, and guidelines within an organization. They help in the strategic alignment of security practices with business operations and in ensuring that organizational security objectives are met. They are essential for the governance of security within the company.
Technical controls, on the other hand, involve the use of technology to enforce security measures, such as firewalls and encryption. Operational controls are more about implementing and maintaining day-to-day security tasks. Physical controls include tangible measures like locks, biometrics, and surveillance systems.
During the analysis phase after a vulnerability scan, a security administrator is preparing a report for the management team. Which element would BEST assist in the risk prioritization of the findings?
Present the findings using a standardized severity rating to assess the risk level of the vulnerabilities.
Categorize the vulnerabilities based on the part of the network infrastructure they affect.
Group vulnerabilities by the operating system of the affected devices for clarity.
Focus on vulnerabilities that have been exploited in the wild and which could lead to potential data loss.
Answer Description
Including a recognized severity scoring system such as the Common Vulnerability Scoring System provides an objective measure of how serious each vulnerability is, allowing management to compare issues consistently and focus remediation on the highest-risk items first. Categorizing by network segment or operating system helps with organization but does not directly quantify risk. Concentrating only on vulnerabilities already exploited in the wild highlights immediate threats but may overlook new, highly critical issues that lack published exploits. Therefore, a standardized severity rating is the most effective tool for overall risk prioritization.
A web developer implements a form where users select their country from a drop-down menu. The developer believes this is secure from SQL injection because the user cannot type into the field. Why is this security measure insufficient on its own?
SQL injection attacks can only be performed on text input fields, not selection menus.
An attacker can intercept and modify the HTTP request before it reaches the server.
JavaScript-based validation on the form would prevent this attack.
Drop-down menus are only secure when used with numeric values.
Answer Description
This security measure is insufficient because client-side restrictions, such as using a drop-down menu, can be bypassed. An attacker can use a tool like a web proxy to intercept the HTTP request after it is sent from the browser and modify the value of the 'country' parameter to a malicious SQL string before it reaches the server. Therefore, all input must be validated and sanitized on the server side, and parameterized queries should be used to prevent SQL injection.
A system administrator is setting up a web server for an internal development and testing environment. The administrator needs to enable HTTPS to simulate the production environment, but wants to avoid the cost and validation process of a public Certificate Authority (CA). Which of the following certificate types is the most suitable choice for this scenario?
Wildcard certificate
Domain Validation (DV) certificate
Self-signed certificate
Extended Validation (EV) certificate
Answer Description
A self-signed certificate is the most appropriate choice for this scenario. Since the server is for internal testing only, public trust from a third-party CA is not required. A self-signed certificate provides the necessary encryption for HTTPS traffic within this closed environment without incurring costs or requiring an external validation process. Wildcard, Extended Validation (EV), and Domain Validation (DV) certificates are all types issued by a trusted third-party CA and are intended for use on public-facing servers where establishing trust for external users is essential.
Which term describes the specific upper limit of risk exposure that an organization is willing to accept for a given activity, beyond which additional mitigation or other action must be taken?
Risk appetite
Risk threshold
Risk tolerance
Key risk indicator (KRI)
Answer Description
Risk threshold sets the measurable boundary between acceptable and unacceptable risk. When exposure rises above this threshold, the organization must treat, transfer, avoid, or otherwise address the risk.
- Risk appetite is the broad, overall level of risk an organization is willing to pursue or retain.
- Risk tolerance defines the amount of variation from objectives that can be absorbed for individual risks.
- A key risk indicator (KRI) is a metric that signals increasing or decreasing risk but does not set the boundary itself.
A security engineer must recommend a network edge device for a branch office. Management wants a single appliance that not only performs stateful packet filtering but can also automatically block attacks using an integrated intrusion prevention system. Which firewall type best satisfies these requirements?
Layer 4 firewall
Next-generation firewall (NGFW)
Layer 7 firewall
Web application firewall (WAF)
Answer Description
A next-generation firewall (NGFW) combines traditional stateful packet inspection with application awareness and an embedded intrusion prevention system (IPS). This allows the device to identify, block, and log malicious traffic in real time. WAFs specialize in HTTP/S protection, Layer 7 firewalls add deep packet inspection but may lack a full IPS, and basic Layer 4 firewalls are limited to port- and protocol-based filtering.
Your company has given you the responsibility to implement an appropriate access control scheme. The company wants to control access and permissions for employees based on job function. Which of the following should you use?
RBAC
MAC
RuBAC
DAC
Answer Description
Role-based access control (RBAC) is an access control scheme that assigns access and permissions based on roles. Individuals are assigned one or more roles, which grant them the permissions and access associated with those roles.
Your organization is assessing a potential security incident that could impact the confidentiality of client data. The security team needs to evaluate the probability and impact of the incident occurring to prioritize their response. What information is MOST crucial for assessing the probability of this security incident happening?
Vendor-provided statistical data on the overall security posture of their systems
The likelihood of a threat exploiting a particular vulnerability within the system
Geographic location data related to cyber threat origins
Historical data regarding past security incidents of similar nature
Answer Description
Knowing the likelihood of a threat exploiting a vulnerability directly informs the probability of a security incident. It provides a measure of how often a threat could succeed, given the opportunity, which is essential for risk assessment in order to prioritize actions and resource allocation. Historical data and trend analysis could also support this assessment by looking at past occurrences, but they are secondary to understanding the current likelihood. Vendor-provided statistics and geographic location data might have some impact on probability; however, without the specific context of likelihood, they provide less direct information for assessing the probability of an incident.
What does the term 'impossible travel' signify in the context of security monitoring?
A security measure taken after multiple unsuccessful login attempts from different locations
A type of race condition vulnerability exploited during security checks
A method by which session hijacking attacks are performed on multiple accounts at once
A warning sign that a user account is accessed from two distant places in a period too short for regular travel, hinting at credential misuse
Answer Description
'Impossible travel' refers to a situation where a user account is accessed from geographically distant locations within a timeframe that is too short for normal travel to occur, suggesting the use of compromised credentials. This is an important red flag for security analysts, as it may indicate an account takeover by an unauthorized user. In contrast, 'concurrent session usage' may raise concern but does not imply physical impossibility; 'account lockout' is a response to suspicious activity and is not itself an indicator; and 'time-of-check (TOC)' relates to a specific vulnerability type concerning the timing of security checks.
During a routine internal audit, the IT team uncovers a hidden snippet of code buried deep within the organization's payroll application. The code is programmed to automatically trigger on a specific calendar date and completely erase all employee payroll records if it activates. Which category of malicious software best describes this threat?
Trojan horse
Logic bomb
Spyware
Ransomware
Answer Description
Logic bombs are covert code segments inserted into legitimate software that remain dormant until a predefined condition, such as a particular date, a system event, or the absence of a file, is met. When the trigger occurs, the bomb executes its destructive payload, such as deleting records. Ransomware demands payment, Trojan horses disguise themselves to gain access, and spyware surreptitiously collects information; none of these rely solely on a conditional, time-based trigger.
Which of the following statements BEST explains why legacy hardware systems remain attractive targets for cybercriminals?
Their proprietary hardware makes exploits prohibitively expensive, so attackers avoid them.
They often lack security patches and modern controls, making them easier to exploit.
They are less likely to be targeted because outdated technology deters attackers.
They are automatically isolated from networks, preventing remote attacks.
Answer Description
Legacy hardware frequently runs unsupported operating systems or firmware that no longer receive security patches. Because known vulnerabilities remain uncorrected and modern security controls (such as endpoint detection, strong authentication, or encryption) are often absent, attackers can exploit these weaknesses with minimal effort. In many organizations these older systems still process critical data, so a successful compromise can yield high value to the attacker. Therefore, the lure for cybercriminals is the combination of easier exploitation and potentially lucrative data or disruption.
A company is transitioning to automated management of its cloud environments. The technology involves defining configuration files that are both human-readable and machine-executable to automatically manage the provisioning and updating of resources. What is this method called and what is a key security practice that must be incorporated to ensure infrastructure integrity?
Automated scripting with direct deployment access
Infrastructure as Code with rigorous source control management
Manual configuration via graphical user interfaces with version tracking
Procedural scripting with centralized change management
Answer Description
The practice described is known as Infrastructure as Code, where infrastructure management tasks are automated through human-readable definition files. A crucial security practice to incorporate in this method is the use of source control management to maintain the integrity and versioning of the infrastructure code. This includes implementing commit policies, review processes, and potentially automated security testing to prevent unauthorized or malicious alterations that could lead to security breaches.
Which of the following BEST represents the concept of likelihood when performing a risk assessment?
Determining the potential impact on the company's reputation if a security incident were to occur.
Calculating the monetary loss that could occur if a threat exploits a vulnerability.
Assessing the cost and benefits of implementing additional security controls to address vulnerabilities.
Evaluating the probability that a vulnerability will be exploited by a threat within a given time frame.
Answer Description
Likelihood refers to the probability that a potential vulnerability could be exploited by a threat actor within a given time frame. Calculating likelihood involves evaluating how exposed the vulnerability is, the presence and capabilities of threat actors, the effectiveness of current controls, and the historical data of security incidents similar to the one being assessed. While options such as evaluating the impact of the threat and considering the cost of potential security controls are also parts of risk assessment, they do not directly relate to the determination of likelihood.
The network administrator at a small organization prefers to allow resource owners to personally assign and revoke access permissions to files on a network share. Which access control model should they implement to accommodate individual control by resource owners?
Rule-Based Access Control
Mandatory Access Control
Discretionary Access Control
Role-Based Access Control
Answer Description
The network administrator's preference is indicative of the Discretionary Access Control (DAC) model, where resource owners have the freedom to grant or restrict access to other users at their discretion. Role-Based Access Control (RBAC) assigns permissions based on the user's role rather than on individual resource-owner preferences, so it is not the best fit for the scenario described. Similarly, Rule-Based Access Control typically works alongside other mechanisms, applying rules (like time-of-day restrictions) that do not relate to individual owner discretion. The Mandatory Access Control (MAC) model enforces access decisions made by a central authority based on security labels, not by individual resource owners, and is thus also not suitable for this situation.
Which of the following BEST illustrates the purpose of performing regular self-assessments of security governance within an organization?
To assess individual employee compliance with security training requirements on an annual basis.
To reactively provide details to stakeholders following a security breach or incident.
To ensure that all new technological implementations are secure before they go live into the production environment.
To measure and analyze the effectiveness and compliance of the security governance against internal standards and regulatory requirements.
Answer Description
Regular self-assessments allow an organization to measure and analyze the effectiveness, efficiency, and compliance of its security governance against internal standards and regulatory requirements. This proactive approach serves to identify gaps or weaknesses before they can be exploited, providing an opportunity for improvements and risk mitigation strategies to be implemented. Assessments focused only on technology do not capture the full scope of security governance, and limiting assessments to after an incident occurs would not provide the proactive benefits of regular, preemptive analysis and adjustments.
Crucial Technologies has an outside team coming in to conduct penetration testing. It has been decided that the engagement is going to be black box testing. This type of testing involves which of the following?
Fully known environment
Unknown environment
Known environment
Partially known environment
Answer Description
In black box testing, no prior knowledge of the target is given to the testers. They go into the test with a completely unknown environment.
In common transport or communication security protocols such as TLS, SSH, and IPsec, which type of cryptographic algorithm is primarily responsible for encrypting the bulk data after the initial key-exchange phase is complete?
Hashing algorithms (e.g., SHA-256, SHA-3)
Key-stretching algorithms (e.g., PBKDF2, bcrypt)
Asymmetric encryption algorithms (e.g., RSA, ECDSA)
Symmetric encryption algorithms (e.g., AES, ChaCha20)
Answer Description
The bulk data that flows after a secure session has been established is encrypted with symmetric algorithms (for example, AES or ChaCha20). Asymmetric algorithms (such as RSA or ECDHE) are used only during the handshake to authenticate the parties and to agree on a shared secret. Hashing algorithms provide integrity, and key-stretching algorithms strengthen stored secrets but do not directly encrypt transit traffic.
A security team is evaluating new perimeter security solutions to replace their traditional firewall. The primary goal is to gain visibility into and control over the specific web applications being used (e.g., social media, streaming services) and to block threats that leverage application-layer protocols. Which of the following firewall types is specifically designed to meet these requirements?
Circuit-level gateway
Stateful inspection firewall
Stateless packet-filtering firewall
Next-generation firewall (NGFW)
Answer Description
The correct choice is a Next-Generation Firewall (NGFW). NGFWs are advanced firewalls that operate up to Layer 7 (the application layer) of the OSI model. Unlike traditional firewalls that are limited to inspecting traffic based on ports and IP addresses (Layers 3 and 4), NGFWs can perform deep packet inspection (DPI) to identify the specific applications in use and enforce security policies on them. They also integrate other security features like an intrusion prevention system (IPS) to block application-layer attacks. Stateless and stateful firewalls are older technologies that lack this deep application awareness. A circuit-level gateway operates at the session layer (Layer 5) and does not inspect application content.
Within the context of information security, which term is used to describe enforceable directives issued by a government entity that organizations are legally bound to follow?
Mandates
Guidelines
Frameworks
Regulations
Answer Description
The correct answer is 'Regulations'. Regulations are specific, enforceable requirements laid down by governmental authorities, and organizations must adhere to them to ensure compliance within various domains, including data protection and privacy. 'Guidelines' offer advice or suggestions but are not legally enforceable. 'Frameworks' provide a structured approach to addressing complex issues but also lack the force of law. While 'Mandates' require action, the term is broad and may not necessarily pertain to legally enforceable directives from a government body in the way 'regulations' do.
Within a corporate environment, information such as internal memos, organizational policies, and general employee communications is accessible to all staff members. However, this information is not intended for public distribution. Which of the following data classifications best describes this type of information?
Public
Confidential
Restricted
Internal
Answer Description
The correct answer is 'Internal'. 'Internal' data is information intended for circulation only within an organization and is not meant for public release. 'Public' data can be shared with anyone without restriction. 'Confidential' data is sensitive information that is typically restricted to specific teams or authorized individuals. 'Restricted' data is the most sensitive category, requiring strict access controls, as its unauthorized disclosure could cause significant harm to the organization.