Try 90 free CompTIA SecurityX CAS-005 questions across the exam domains, with explanations, then continue with full IT Mastery practice.
This free full-length CompTIA SecurityX CAS-005 practice exam includes 90 original IT Mastery questions across the exam domains.
Use these questions for self-assessment, scope review, and deciding what to drill next.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
Need concept review first? Read the CompTIA SecurityX CAS-005 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Domain | Weight |
|---|---|
| Governance, Risk, and Compliance | 20% |
| Security Architecture | 27% |
| Security Engineering | 31% |
| Security Operations | 22% |
Use this as one diagnostic run. IT Mastery gives you timed mocks, topic drills, analytics, code-reading practice where relevant, and full practice.
Topic: Security Architecture
A financial services company is moving payment-processing APIs to a public cloud landing zone. On-premises applications must reach the APIs without public internet exposure, all north-south traffic must be inspected and logged by the SOC, workload accounts must remain segmented, and the connectivity design must tolerate a circuit or edge-device failure. Which connectivity design is the BEST professional decision?
Options:
A. Use one private circuit directly into the production workload VPC
B. Build full-mesh peering between on-premises networks and each workload account
C. Publish the APIs through a public WAF and restrict source IPs
D. Use diverse private circuits into a transit hub with centralized inspection and VPN backup
Best answer: D
Explanation: The best design separates connectivity, inspection, and workload segmentation. Diverse private circuits provide resilient customer-to-cloud transport, while a cloud transit hub or equivalent routing layer centralizes attachment management. Sending routes through an inspection VPC/security zone lets the SOC enforce policy and collect logs before traffic reaches segmented workload accounts. A backup IPsec VPN can preserve degraded service if a dedicated circuit or edge device fails. This design also avoids direct public exposure and avoids coupling on-premises routing to individual workload accounts.
The key takeaway is to terminate hybrid connectivity at a controlled transit and inspection boundary, not directly inside application environments.
Topic: Security Operations
A financial services team is hardening a customer-facing application after a dependency compromise. Requirements: eliminate embedded database passwords, ensure compromised application instances cannot retain long-lived credentials, stop processing if required credentials cannot be obtained, and reduce reachable code and services without blocking normal releases. Which approach best maps to these requirements?
Options:
A. Cache the last known database password locally so the application can continue during secrets-service outages.
B. Use workload identity with a secrets manager issuing short-lived database credentials, fail startup on retrieval failure, and disable unused components.
C. Store encrypted database passwords in environment variables and rotate them during quarterly maintenance windows.
D. Place a WAF in front of the application and increase runtime logging for database errors.
Best answer: B
Explanation: The requirements point to an attack-surface reduction design, not only a perimeter or monitoring control. Workload identity removes static application-held secrets, and a secrets manager can issue scoped, short-lived database credentials that are rotated automatically. Failing startup or request processing when credentials cannot be retrieved is fail secure because the application stops rather than operating with unsafe assumptions. Disabling unused modules, ports, jobs, or services supports least functionality, while narrowly scoped database access enforces least privilege. The key distinction is avoiding long-lived or locally cached secrets while reducing what an attacker can reach after compromise.
Topic: Security Engineering
A software vendor ships a customer-specific agent package through a download portal. A security engineer reviews the packaging design before approving distribution.
Exhibit: Packaging note
Package contents: config.json + agent binary
config.json: bootstrap_token = Base64(XOR(token, static string))
Static string: embedded in agent binary
Integrity: SHA-256 checksum stored beside package
Requirement: token confidentiality if copied; verifiable vendor origin
Which action is best supported by the exhibit?
Options:
A. Keep the design because the token is not plaintext
B. Hash the token before placing it in config.json
C. Use KMS-backed secret encryption and package signing
D. Store the checksum in a separate folder
Best answer: C
Explanation: Obfuscation is not encryption. In this design, anyone who obtains the package can recover the bootstrap token because the transformation is reversible and the static value needed to reverse it is shipped with the binary. The adjacent checksum can detect accidental changes, but it does not prove vendor origin or prevent an attacker from replacing both the package and checksum. The requirements call for two cryptographic protections: confidentiality for the token and authenticity/integrity for the package. A KMS-backed encryption or secret-delivery design protects the token with controlled key access, while a digital signature lets customers verify that the package came from the vendor and was not altered. Encoding or relocating files does not create cryptographic trust.
Topic: Governance, Risk, and Compliance
A global retailer’s security office reports recurring KRI breaches for payment applications, but remediation exceptions remain open for multiple quarters. Internal audit asks whether the governance process demonstrates management commitment and clear RACI ownership. Based on the exhibit, which action is MOST appropriate?
Exhibit: Governance excerpt
Policy: Risks above appetite require documented acceptance by an accountable business executive. KRI breaches must be reported to the executive risk committee until remediated.
| Activity | Security governance | App owner | Executive risk committee |
|---|---|---|---|
| Escalate KRI breach | A/R | I | I |
| Approve risk acceptance | A/R | C | I |
| Fund remediation plan | R | C | I |
Options:
A. Increase KRI reporting from monthly to weekly
B. Assign executive accountability for acceptance and remediation funding
C. Notify the risk committee only after remediation is complete
D. Make security governance responsible for funding remediation
Best answer: B
Explanation: The core issue is not report frequency; it is governance accountability. The policy requires an accountable business executive to accept risks above appetite, and it requires continued reporting to the executive risk committee. The RACI instead makes security governance accountable and responsible for escalation and risk acceptance, while business and executive stakeholders are only consulted or informed. That weakens management commitment because security can report the risk but should not own the business decision to accept or fund it. A better RACI would keep security responsible for measurement, reporting, and tracking while assigning accountability for acceptance and remediation funding to the appropriate business executive or executive risk committee.
Topic: Governance, Risk, and Compliance
A financial services company is reviewing an AI customer-support pilot before expanding it to regulated products. Which interpretation and action are best supported by the exhibit?
Exhibit: AI support pilot review
| Finding | Evidence |
|---|---|
| Prompt content | Full chats include names, account IDs, and disputes |
| Model path | External hosted model; no approved data-processing addendum |
| Tool access | Agent can issue credits and close tickets through an API |
| Workflow | Actions run automatically when confidence is above 80% |
| Staff guidance | “Use the AI recommendation as final unless escalated” |
Options:
A. Approve expansion because the confidence threshold provides risk-based authorization
B. Keep automation but retrain the model using more customer chat history
C. Pause expansion and add DLP, contractual controls, least-privilege tools, and human approval
D. Require encryption in transit and allow the workflow to proceed unchanged
Best answer: C
Explanation: The pilot has three AI adoption risks at once. Full regulated customer context is being sent to an external model without an approved data-processing agreement, creating sensitive information disclosure risk. The agent can take business-impacting actions through an API without human approval, which is excessive agency. Staff are also instructed to treat model recommendations as final, which creates overreliance on probabilistic output. The appropriate governance response is to stop expansion until data minimization/DLP, contractual safeguards, least-privilege tool permissions, logging, and human approval for material actions are in place.
A confidence score is not an authorization control; it cannot replace policy, accountability, or human oversight for regulated decisions.
Topic: Security Engineering
A security engineering team is automating vulnerability scanning and reporting across cloud workloads and on-premises endpoints. The workflow must normalize findings from two scanners, map affected software to standard product identifiers, assign comparable severity for remediation SLAs, and keep benchmark/compliance evidence machine-readable for auditors. Which data source strategy is BEST?
Options:
A. Use scanner plugin IDs and custom severity labels
B. Use SCAP content with CPE, CVE, CVSS, OVAL, and XCCDF
C. Use CVSS scores as the only reporting field
D. Use XCCDF checklists for all vulnerability records
Best answer: B
Explanation: SCAP is the best fit when vulnerability automation needs standardized, machine-readable data across tools. In this scenario, CPE normalizes affected products and platforms, CVE identifies the vulnerability consistently, and CVSS supports comparable severity and SLA prioritization. OVAL can describe technical checks for system state, while XCCDF supports structured benchmark and compliance reporting. Using the SCAP family avoids tying the workflow to one scanner’s proprietary identifiers while still supporting audit evidence and automated remediation reporting.
The key distinction is that CVSS, CVE, CPE, OVAL, and XCCDF each solve part of the reporting problem; SCAP brings them together for interoperable automation.
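The normalization step described above, as an added example that is not part of the original page: findings from two scanners are keyed on CVE plus the CPE vendor/product/version, and the CVSS score drives a comparable severity and SLA. The scanner export field names, the placeholder CVE IDs, the hosts, and the SLA day counts are assumptions; OVAL and XCCDF content is not modelled here.

```python
import re

# Constructed findings from two hypothetical scanners. The CVE IDs are
# placeholders and each export's field names are assumptions.
SCANNER_A = [
    {"plugin_id": "A-1001", "cve": "CVE-0000-0001", "host": "cloud-web-01", "cvss": 9.8,
     "cpe": "cpe:2.3:a:examplevendor:webserver:2.4.1:*:*:*:*:*:*:*"},
    {"plugin_id": "A-2040", "cve": "CVE-0000-0002", "host": "cloud-web-01", "cvss": 5.3,
     "cpe": "cpe:2.3:a:examplevendor:tls_lib:1.0.2:*:*:*:*:*:*:*"},
]
SCANNER_B = [
    {"check": "B/77", "vuln": "cve-0000-0001", "asset": "onprem-pos-07", "score": "9.1",
     "product": "cpe:2.3:a:ExampleVendor:WebServer:2.4.1:*:*:*:*:*:*:*"},
    {"check": "B/90", "vuln": "cve-0000-0003", "asset": "onprem-pos-07", "score": "7.5",
     "product": "cpe:2.3:o:examplevendor:pos_os:11:*:*:*:*:*:*:*"},
]

# Assumed remediation policy: days allowed per severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180, "none": None}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def parse_cpe23(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 formatted string."""
    # Split on colons that are not backslash-escaped inside a component.
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0].lower() != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    # Lowercasing makes the two scanners' spellings compare equal.
    return tuple(p.lower() for p in parts[2:6])


def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def normalize(scanner_a, scanner_b):
    """Merge both exports into records keyed by (CVE, vendor, product, version)."""
    rows = [(f["cve"], f["cpe"], f["cvss"], f["host"], "scanner_a:" + f["plugin_id"])
            for f in scanner_a]
    rows += [(f["vuln"], f["product"], f["score"], f["asset"], "scanner_b:" + f["check"])
             for f in scanner_b]

    merged = {}
    for cve, cpe, score, host, source in rows:
        cve = cve.upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"bad CVE identifier: {cve!r}")
        score = float(score)
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS score out of range: {score}")
        _part, vendor, product, version = parse_cpe23(cpe)
        rec = merged.setdefault((cve, vendor, product, version),
                                {"cvss": 0.0, "hosts": set(), "sources": set()})
        rec["cvss"] = max(rec["cvss"], score)   # keep the higher score on disagreement
        rec["hosts"].add(host)
        rec["sources"].add(source)              # scanner IDs kept only as provenance

    for rec in merged.values():
        rec["severity"] = cvss_severity(rec["cvss"])
        rec["sla_days"] = SLA_DAYS[rec["severity"]]
    return merged


if __name__ == "__main__":
    for key, rec in sorted(normalize(SCANNER_A, SCANNER_B).items()):
        print(key, rec["severity"], rec["sla_days"], sorted(rec["hosts"]))
```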
Topic: Security Engineering
A retailer’s cloud API gateway uses mutual TLS to reach an on-premises payment service through an IPS. After an automated client-certificate rotation, only newly deployed workloads fail with handshake_failure; legacy workloads still connect. The team must preserve Zero Trust mTLS, avoid payload decryption, and minimize production changes during peak checkout. Which evidence would be the BEST to collect first?
Options:
A. IDS/IPS signature alerts for the payment network segment
B. Server-side TLS handshake logs with client-certificate validation details
C. NetFlow records between the gateway and payment service
D. Decrypted packet captures of failed payment API requests
Best answer: B
Explanation: For an mTLS diagnosis after certificate rotation, the most useful first evidence is handshake-level validation data from the TLS endpoint. Server-side TLS logs can show the presented client certificate, chain-building result, trust anchor, SAN or subject mapping, revocation status, SNI, and TLS alert reason without decrypting application payloads or weakening the control. This fits the operational constraint because it is targeted, low-impact evidence that distinguishes a certificate identity problem from a transport or IPS issue. Network flow or IDS data may confirm connectivity or alerts, but it usually cannot explain why the TLS endpoint rejected the client certificate.
handshake_failure after rotation points first to mTLS validation.
Topic: Security Architecture
A healthcare company is terminating a cloud analytics vendor that received nightly exports of regulated claims data. The security architect reviews the storage configuration before approving data destruction evidence. Which interpretation is best supported by the exhibit?
Exhibit: Object storage review
| Control | Current state |
|---|---|
| Public access block | Enabled |
| Default encryption | Provider-managed keys |
| Versioning | Enabled |
| Current-object lifecycle | Expire after 7 days |
| Noncurrent-version lifecycle | Not configured |
| Replication | Enabled to vendor-owned account |
Options:
A. Access logs prove active exfiltration
B. Remanence persists in versions and replicas
C. Public anonymous exposure is confirmed
D. Encryption is absent for stored objects
Best answer: B
Explanation: The exhibit points to cloud data remanence and leakage risk, not confirmed public exposure. Current objects expire after 7 days, but versioning keeps prior object versions unless a noncurrent-version lifecycle or explicit deletion process removes them. Replication to a vendor-owned account also creates another storage location outside the company’s direct administrative boundary. Before accepting destruction evidence, the architect should require removal or cryptographic unrecoverability of noncurrent versions and replicated copies, plus validation from the vendor-owned account. Public access blocking reduces anonymous exposure, and provider-managed encryption indicates encryption is present, although it does not by itself prove data has been destroyed. The key takeaway is that lifecycle rules must cover every retained copy, not only the current object view.
Topic: Security Engineering
A financial services company will let a third-party analytics provider compute monthly fraud-risk aggregates over sensitive transaction records. Requirements are:
Which cryptographic approach best satisfies these requirements?
Options:
A. Send signed S/MIME reports to the provider
B. Require mutual TLS for all provider API connections
C. Use homomorphic encryption for supported aggregate computations
D. Use envelope encryption with cloud-managed data keys
Best answer: C
Explanation: The core requirement is protection for data in use while an untrusted third party performs limited computations. Homomorphic encryption is designed for this pattern: the data owner encrypts the dataset, the provider performs supported operations directly on ciphertext, and only the data owner decrypts the resulting aggregate output. This fits the stated tolerance for batch processing and the limited need for sums and counts. Encryption at rest and transport controls are still important, but they do not prevent exposure once data is decrypted for processing in the provider environment. The key distinction is whether plaintext ever becomes available to the processing party.
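The pattern described above, as an added example that is not part of the original page: a toy Paillier scheme, which is additively homomorphic, lets the provider compute a sum and a count over ciphertexts while only the data owner can decrypt. The class and function names, the sample records, and the choice of Paillier are assumptions; the primes are far too small for real use.

```python
import math
import secrets

# Toy parameters: two known Mersenne primes. Illustration only, not secure sizes.
P = 2**61 - 1
Q = 2**89 - 1

# Constructed sample records: (transaction amount in cents, fraud flag 0/1).
RECORDS = [(12500, 0), (987050, 1), (4310, 0), (250000, 1), (7625, 0)]


class DataOwner:
    """Holds the private key; the provider only ever sees n and ciphertexts."""

    def __init__(self, p=P, q=Q):
        self.n = p * q                      # public modulus
        self.n2 = self.n * self.n           # ciphertexts live modulo n^2
        self._lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # private
        self._mu = pow(self._lam, -1, self.n)                     # private

    def encrypt(self, m):
        if not 0 <= m < self.n:
            raise ValueError("plaintext out of range")
        while True:                         # fresh randomness for every ciphertext
            r = secrets.randbelow(self.n - 1) + 1
            if math.gcd(r, self.n) == 1:
                break
        # With generator g = n + 1, g^m mod n^2 equals 1 + m*n.
        return ((1 + m * self.n) * pow(r, self.n, self.n2)) % self.n2

    def decrypt(self, c):
        u = pow(c, self._lam, self.n2)
        return ((u - 1) // self.n) * self._mu % self.n


def provider_sum(ciphertexts, n2):
    """Runs at the provider: multiplying ciphertexts adds the hidden plaintexts."""
    total = 1                               # decrypts to 0
    for c in ciphertexts:
        total = (total * c) % n2
    return total


def monthly_aggregates(owner, records):
    """Owner encrypts, provider aggregates on ciphertext, owner decrypts the result."""
    enc_amounts = [owner.encrypt(amount) for amount, _ in records]
    enc_flags = [owner.encrypt(flag) for _, flag in records]

    # Everything passed to the provider is ciphertext plus the public n^2.
    enc_total = provider_sum(enc_amounts, owner.n2)
    enc_flagged = provider_sum(enc_flags, owner.n2)   # count = sum of 0/1 flags

    return owner.decrypt(enc_total), owner.decrypt(enc_flagged)


if __name__ == "__main__":
    total_cents, flagged = monthly_aggregates(DataOwner(), RECORDS)
    print("total cents:", total_cents, "flagged transactions:", flagged)
```

Only addition is supported here, which matches the explanation's point that the approach suits a limited set of aggregate computations.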
Topic: Security Architecture
A financial services company is moving customer-facing APIs to managed containers and serverless functions in a public cloud while keeping a tokenization service on-premises. Deployments must use IaC pipelines, customer data stores must not become public, auditors require evidence of configuration drift and excessive privileges, and operations cannot add high-latency inline inspection to every request. Which cloud control strategy is the BEST professional decision?
Options:
A. Route all container and serverless traffic through virtual IDS appliances
B. Rely on provider compliance reports and quarterly penetration testing
C. Use policy-as-code gates, cloud guardrails, and continuous CSPM/CIEM monitoring
D. Enable storage encryption and grant developers temporary cloud administrator access
Best answer: C
Explanation: The best strategy maps controls to the cloud shared-responsibility boundary and the deployment model. Policy-as-code in IaC pipelines proactively finds misconfigurations before deployment. Cloud guardrails, such as organization policies and preventive identity/storage controls, block prohibited states like public data stores. CSPM and CIEM provide detective evidence for drift and excessive privileges without forcing all serverless and container traffic through latency-sensitive inline devices. This approach also preserves operational scalability because it integrates with automated deployment and monitoring rather than relying on periodic manual review.
Topic: Security Operations
A financial services portal stores customer-provided profile text that must remain unchanged for legal and audit reasons. The same stored value is rendered in an HTML page body, an HTML attribute, and a JavaScript string. Recent testing shows stored XSS is possible, but the business requirement is to preserve international characters and permitted punctuation. Which mitigation best maps to these requirements?
Options:
A. Reject all characters except letters and numbers
B. Apply context-aware output encoding at each render sink
C. Replace database queries with parameterized queries
D. Add WAF signatures for common script tags
Best answer: B
Explanation: Stored XSS is best mitigated at the point where untrusted data is rendered, especially when the stored value must remain intact. Because the same value appears in multiple contexts, one generic escaping rule is not enough; HTML body, HTML attribute, and JavaScript string contexts require different encoders or a safe templating framework that applies the right encoding automatically. This approach preserves international characters and allowed punctuation while preventing the browser from interpreting the data as executable code. Input validation can still reduce obviously invalid data, but it should not be the primary control when valid business data can contain characters that are dangerous only in certain output contexts.
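The three render sinks named in the question, as an added example that is not part of the original page: one encoder per context, applied at output time so the stored value itself is never modified. The function names, the template, and the sample profile text are assumptions; a production application would normally rely on an auto-escaping template engine for the same effect.

```python
import html
import json


def encode_html_body(value):
    """Element content: encode the markup delimiters & < > only."""
    return html.escape(value, quote=False)


def encode_html_attr(value):
    """Quoted attribute value: additionally encode both quote characters."""
    return html.escape(value, quote=True)


# Characters that are legal inside a JSON string but unsafe inside an inline
# <script> block: tag delimiters, ampersand, and the two Unicode line separators.
_JS_EXTRA = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",
    "\u2029": "\\u2029",
}


def encode_js_string(value):
    """Return a complete double-quoted JavaScript string literal."""
    # json.dumps escapes quotes, backslashes and control characters;
    # ensure_ascii=False leaves international characters readable.
    literal = json.dumps(value, ensure_ascii=False)
    return "".join(_JS_EXTRA.get(ch, ch) for ch in literal)


def render_profile(stored):
    """Render the same stored value into the three contexts from the question."""
    return (
        "<p>" + encode_html_body(stored) + "</p>\n"
        '<input name="bio" value="' + encode_html_attr(stored) + '">\n'
        "<script>var bio = " + encode_js_string(stored) + ";</script>\n"
    )


# Constructed profile text: international characters, permitted punctuation,
# and the delimiters that matter in each context.
SAMPLE = 'Zoë & "Søren" O\'Néill 日本語 </script><b>'


if __name__ == "__main__":
    print(render_profile(SAMPLE))
    # The body encoder leaves quotes alone, so it is the wrong choice for
    # an attribute or a JavaScript string:
    print(encode_html_body('a"b'))
```

Each encoder is reversible by the consumer of its own context, which is why the database copy can stay byte-for-byte unchanged for audit purposes.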
Topic: Governance, Risk, and Compliance
A financial services company plans to adopt generative AI assistants for contract review, employee communications, and developer productivity. The board approves adoption only if regulated personal data and privileged content are not sent to unapproved models, material AI-assisted outputs are disclosed and auditable, high-impact employment and customer decisions receive human review, and access aligns with SSO and acceptable-use policy.
Which approach best maps to these requirements?
Options:
A. Allow any AI service if users manually anonymize prompts first
B. Use annual AI awareness training and review incidents afterward
C. Deploy internal models and remove disclosure and audit obligations
D. Implement AI governance with approved-model access, SSO, DLP, logging, and human review
Best answer: D
Explanation: AI adoption governance should combine policy requirements with technical enforcement. In this scenario, the organization needs an approved AI use process, identity-based access, data-loss prevention for prompts and uploads, audit logging, disclosure rules, and mandatory human review for high-impact decisions. This addresses privacy obligations, privileged-data handling, acceptable-use alignment, and ethical accountability without blocking legitimate business use. A purely technical deployment is insufficient if it lacks disclosure, auditability, and decision oversight; a purely training-based approach is also insufficient because it depends on users to consistently enforce sensitive-data and model-approval boundaries.
Topic: Security Engineering
A payment microservice stopped reaching a processor API 10 minutes after a new outbound security stack was enabled. DNS, firewall, IDS/IPS, and proxy controls were all changed in the same window. The service uses mutual TLS and certificate pinning to the processor endpoint. Which troubleshooting action should be prioritized?
Exhibit: Change-window evidence
| Control | Evidence |
|---|---|
| DNS resolver | api.processor.example validates and resolves |
| Firewall | Allows app subnet to proxy on TCP 443 |
| IDS/IPS | Alerted on TLS anomaly; action = monitor |
| Proxy | TLS decrypt enabled; upstream handshake logged as client_cert_required then pinning failure |
Options:
A. Open direct Internet egress from the app subnet
B. Test a scoped TLS decryption bypass for the processor endpoint
C. Disable the IDS/IPS TLS anomaly signature globally
D. Replace the DNS record with a static host override
Best answer: B
Explanation: When several network controls changed together, prioritize the control with evidence that matches the application failure mode and avoid broad changes first. The resolver is validating and resolving the name, so DNS is not the first suspect. The firewall is allowing the expected path to the proxy, and the IDS/IPS alert is monitor-only, so neither explains a blocked TLS session. The proxy log shows TLS decryption plus client_cert_required and pinning failure, which is a strong fit for an application using mutual TLS and certificate pinning. A scoped no-decrypt test for that endpoint validates the root cause while preserving least privilege and minimizing blast radius. Broadly disabling inspection or opening direct egress would be less controlled and less evidence-driven.
Topic: Security Engineering
A finance workstation group has the following EDR evidence. The business requires containment without a sitewide network outage, preservation of endpoint evidence for IR, and a host control that reduces repeat execution across the same group.
| Evidence | Detail |
|---|---|
| Office child process | excel.exe -> powershell.exe with encoded command |
| Credential access | rundll32.exe comsvcs.dll, MiniDump targeting lsass.exe |
| Lateral movement | Remote service created from the host to an admin share |
| Evasion | Attempt to stop the EDR sensor service |
Which implementation best maps to these requirements?
Options:
A. Full subnet ACL deny rule at the core firewall
B. Immediate workstation reimage from the gold image
C. EDR host isolation with anti-tamper, ASR, and LSASS protection
D. WAF rule blocking encoded PowerShell requests
Best answer: C
Explanation: The endpoint evidence maps to multiple host-based TTPs: Office spawning PowerShell suggests unauthorized execution, comsvcs.dll dumping lsass.exe indicates credential dumping, remote service creation indicates lateral movement, and stopping the EDR sensor indicates defensive evasion. The requirements call for targeted containment, evidence preservation, and prevention on similar endpoints. EDR host isolation limits command-and-control and lateral movement without taking down the whole subnet, while anti-tamper, attack surface reduction controls, and LSASS protection directly reduce the observed behaviors. Reimaging may be needed later, but it can destroy volatile evidence and does not first contain peer-to-peer movement.
Topic: Security Engineering
A platform team migrated a payment reconciliation job from a VM using a static access key to a Kubernetes workload identity. The job now fails only when it tries to assume the cloud role used for decrypting settlement files. Based on the exhibit, which action best resolves the subject access control issue?
Exhibit: IAM trust summary and token evidence
```json
{
  "trustCondition": {
    "issuer": "https://oidc.cluster.example/id/prod",
    "aud": "sts.example.com",
    "sub": "system:serviceaccount:payments:recon-job"
  },
  "presentedTokenClaims": {
    "issuer": "https://oidc.cluster.example/id/prod",
    "aud": "sts.example.com",
    "sub": "system:serviceaccount:settlement:recon-job"
  },
  "decision": "Deny: subject claim did not match trust condition"
}
```
Options:
A. Grant the role broader decrypt permissions on the key
B. Rotate the former VM static access key
C. Update the role trust condition for the new service account subject
D. Add a human MFA exception for the job owner
Best answer: C
Explanation: This is a workload identity trust failure, not a data-plane permission failure. The access decision denies the role assumption because the presented token’s subject claim is system:serviceaccount:settlement:recon-job, while the role trust condition still expects system:serviceaccount:payments:recon-job. Since the security token service rejects the subject before issuing role credentials, changing key permissions would not help. The safe fix is to update the trust policy to the intended Kubernetes service account subject, after confirming that the new namespace and service account are the approved identity for this job.
The key troubleshooting point is to separate authentication/trust-policy evaluation from downstream authorization to the decrypt key.
Topic: Security Operations
A hybrid-cloud incident involves a finance executive account and regulated file storage. The incident commander must maintain dispatch operations while stopping active data access.
| Time | Artifact |
|---|---|
| 10:02 | EDR alerts on browser credential theft from the executive laptop |
| 10:13 | Cloud audit shows OAuth app InvoiceSync granted broad file access by the executive |
| 10:18 | InvoiceSync downloads finance files from a regulated repository |
| 10:30 | Help desk resets the executive password |
| 10:44 | Downloads continue through the same OAuth app |
A recent exercise found that tenant-wide token revocation disrupts the dispatch SaaS. The approved playbook requires evidence preservation before destructive actions and allows targeted SOAR containment. Which response action is BEST?
Options:
A. Preserve artifacts, disable InvoiceSync, revoke affected tokens, and hunt related grants
B. Reset the executive password again and monitor for new downloads
C. Reimage the executive laptop and close the incident after clean EDR results
D. Globally revoke all sessions and suspend IdP federation to SaaS apps
Best answer: A
Explanation: The decisive artifact is continued file access after the password reset, which indicates the attacker is using a persisted OAuth consent grant or token path rather than only the user’s current password. The best response is targeted containment: preserve endpoint and cloud audit evidence, disable the malicious OAuth application or service principal, revoke affected refresh/session tokens, and hunt for the same grant or indicators across other identities. This follows the exercise outcome by avoiding tenant-wide disruption to dispatch operations while still stopping active regulated-data access. Password-only or endpoint-only actions do not remove the cloud authorization path.
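The detection logic behind that reasoning, as an added example that is not part of the original page: it flags OAuth grants that were consented before a password reset and are still used afterwards, then lists other identities holding the same grant for the hunt step. The event schema, the user names, and the two extra events marked below are constructed; the rest mirrors the question's timeline.

```python
from collections import defaultdict

# Constructed events. Times and the InvoiceSync entries follow the question's
# timeline; the user names and the rows marked "constructed" are assumptions.
EVENTS = [
    {"time": "10:02", "source": "edr", "action": "credential_theft_alert",
     "user": "exec01", "app": None},
    {"time": "10:13", "source": "cloud_audit", "action": "oauth_consent",
     "user": "exec01", "app": "InvoiceSync"},
    {"time": "10:15", "source": "cloud_audit", "action": "oauth_consent",
     "user": "analyst02", "app": "InvoiceSync"},          # constructed
    {"time": "10:18", "source": "cloud_audit", "action": "file_download",
     "user": "exec01", "app": "InvoiceSync"},
    {"time": "10:30", "source": "help_desk", "action": "password_reset",
     "user": "exec01", "app": None},
    {"time": "10:36", "source": "cloud_audit", "action": "file_download",
     "user": "exec01", "app": None},                      # constructed interactive session
    {"time": "10:44", "source": "cloud_audit", "action": "file_download",
     "user": "exec01", "app": "InvoiceSync"},
]


def _minutes(hhmm):
    """Convert a same-day HH:MM timestamp to minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def grants_surviving_reset(events):
    """Find (user, app) grants made before a password reset and used after it."""
    consent = {}                 # (user, app) -> consent time
    last_reset = {}              # user -> most recent reset time
    hits = defaultdict(list)     # (user, app) -> access times after the reset

    for e in sorted(events, key=lambda ev: _minutes(ev["time"])):
        key = (e["user"], e["app"])
        if e["action"] == "oauth_consent":
            consent[key] = e["time"]
        elif e["action"] == "password_reset":
            last_reset[e["user"]] = e["time"]
        elif e["action"] == "file_download" and e["app"]:
            reset = last_reset.get(e["user"])
            granted = consent.get(key)
            # App access after a reset, on a grant that predates the reset:
            # the password change did not remove this authorization path.
            if reset and granted and _minutes(granted) < _minutes(reset):
                hits[key].append(e["time"])

    return [
        {"user": user, "app": app, "granted": consent[(user, app)],
         "reset": last_reset[user], "access_after_reset": times}
        for (user, app), times in hits.items()
    ]


def hunt_related_grants(events, app, exclude_user):
    """Other identities that consented to the same app (scope for the hunt)."""
    return sorted({e["user"] for e in events
                   if e["action"] == "oauth_consent"
                   and e["app"] == app and e["user"] != exclude_user})


if __name__ == "__main__":
    for finding in grants_surviving_reset(EVENTS):
        print(finding)
        print("also granted by:",
              hunt_related_grants(EVENTS, finding["app"], finding["user"]))
```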
Topic: Security Engineering
A financial services company uses TLS with ECDHE for cloud APIs and IPsec with elliptic-curve certificates for partner connectivity. Some exchanged records must remain confidential for 25 years, and threat modeling identifies well-funded adversaries capable of recording traffic now. The security team must improve resilience without disrupting all integrations in the next quarter. Which decision is BEST?
Options:
A. Replace only certificate authorities with larger elliptic-curve keys
B. Start crypto inventory and deploy hybrid PQC for long-lived data paths
C. Encrypt archived records again with the current TLS session keys
D. Keep ECDHE because it already provides forward secrecy
Best answer: B
Explanation: PQC matters because sufficiently capable quantum computers would threaten widely deployed public-key schemes based on discrete logarithms, including Diffie-Hellman, ECDH, and elliptic-curve signatures. Forward secrecy limits damage from later private-key compromise, but it does not protect recorded key exchanges if the underlying public-key exchange can later be broken. For data that must remain confidential for decades, the practical risk is harvest-now-decrypt-later: adversaries can store traffic today and attempt decryption later. A crypto inventory plus hybrid PQC migration targets the exposed, long-lived data flows first while maintaining compatibility with partners and cloud services during transition. The key takeaway is to prioritize crypto agility and hybrid transition for long-retention confidentiality, not assume current DH/ECC mechanisms are quantum-resilient.
Topic: Security Architecture
A healthcare company is preparing a data-retention cleanup before migrating file shares and SaaS collaboration sites to a new platform. Compliance needs an inventory of locations containing PHI and payment data, including repositories with unknown owners. The business has not approved blocking, quarantining, or user workflow changes yet. Which DLP approach best maps to these requirements?
Options:
A. Run DLP discovery scans across repositories
B. Block USB transfers from endpoints
C. Inspect outbound email and web uploads
D. Quarantine sensitive files in place
Best answer: A
Explanation: The core requirement is data discovery: finding where regulated data exists before migration and cleanup. DLP used during discovery scans file shares, object stores, databases, or SaaS repositories to identify and classify sensitive content, often producing ownership and remediation reports. This fits the stated need for an inventory across unknown repositories while avoiding enforcement actions that could disrupt business workflows.
DLP for data in transit is better when the goal is to monitor or block movement through email, web uploads, or network channels. Enforcement against stored files is appropriate after policy approval and ownership decisions are clear.
Topic: Security Engineering
A financial services firm is migrating cryptography for customer APIs. Requirements: maintain a partner connection that supports only TLS 1.2 with ECDHE and AES-GCM for the next 12 months; meet a regulator’s expectation for approved, validated cryptographic modules for current protected data; and reduce “harvest now, decrypt later” risk for records requiring 15-year confidentiality. Which migration approach best maps to these requirements?
Options:
A. Create an unmonitored legacy endpoint using static RSA for the partner
B. Adopt a crypto-agile, phased hybrid migration with time-bound legacy exceptions
C. Replace all API endpoints with post-quantum-only key exchange immediately
D. Keep the current TLS profile until every partner supports post-quantum cryptography
Best answer: B
Explanation: The best migration path is crypto-agile and phased: keep regulator-accepted, validated classical cryptography for current compliance; introduce hybrid classical/post-quantum protection for capable clients and high-value long-retention data; and place the legacy partner on a tightly scoped, monitored, time-bound exception with migration milestones. Hybrid migration is useful when quantum risk is material but interoperability and validation expectations still require classical algorithms. Crypto agility also reduces future rework by making algorithms, libraries, certificates, and policies easier to replace as standards and validations mature. A compatibility exception should not become a permanent weak endpoint or bypass monitoring.
Topic: Governance, Risk, and Compliance
A healthcare insurer is reviewing which AI data flows are allowed for a claims-assistant pilot. Which interpretation is supported by the exhibit?
Exhibit: AI data-handling standard and architecture note
Restricted data: PHI, payment card data, secrets
Restricted data may be sent to an AI service only when all are true:
- Enterprise tenant with DPA and no model training on customer content
- Approved region and retention of 30 days or less
- DLP/tokenization applied before prompt submission
AI outputs inherit the highest classification of any prompt or retrieval source used.
Endpoint A: public chatbot; prompts may improve service; no DLP
Endpoint B: private LLM gateway; DPA; no training; approved region; 14-day logs; DLP tokenizes member IDs; RAG uses claims DB
Options:
A. Use Endpoint B with DLP, and treat RAG outputs as Restricted.
B. Downgrade Endpoint B outputs because prompts are tokenized.
C. Use Endpoint A if analysts remove direct identifiers first.
D. Block all AI use because Restricted data includes PHI.
Best answer: A
Explanation: The standard allows Restricted data exposure to an AI service only when specific governance and technical safeguards are present: enterprise contractual protection, no customer-content training, approved retention and region, and DLP/tokenization before submission. Endpoint B meets those stated conditions; Endpoint A does not because it is a public chatbot, may train on prompts, and lacks DLP. The output rule is equally important: AI responses are not automatically lower risk just because the prompt was tokenized. If the model uses RAG over a Restricted claims database, the response inherits that Restricted classification and must be protected accordingly. The key distinction is controlled exposure versus prohibited exposure, not a blanket ban on AI processing.
Topic: Security Engineering
A security architect is reviewing a recommendation after repeated IDS alerts for suspected DNS tunneling from branch subnets. The proposed fix is to add the observed domains to a DNS blocklist and lower IDS noise. Evidence shows endpoints are also making DNS-over-HTTPS connections directly to public resolvers over TCP/443. The business requires centralized DNS logging, support for internal split-horizon zones, and a fix for the underlying bypass rather than only blocking current indicators. Which recommendation should replace the proposed fix?
Options:
A. Add the observed domains to the sinkhole list
B. Raise IDS severity for DNS tunneling signatures
C. Force DNS resolution through approved resolvers and restrict DNS/DoH egress
D. Disable DNS-over-HTTPS in managed browsers only
Best answer: C
Explanation: The core issue is not only the suspicious domains; it is uncontrolled DNS egress that lets endpoints bypass enterprise resolvers, filtering, and logging. A stronger network security recommendation is to require clients to use approved recursive resolvers for DNS, allow those resolvers to reach external DNS services as needed, and block or proxy direct client DNS and DNS-over-HTTPS egress. This supports split-horizon internal zones because clients still query enterprise resolvers, and it improves detection because DNS telemetry becomes centralized. Indicator blocking and IDS tuning may be useful follow-up actions, but they address symptoms after traffic has already bypassed the intended control boundary.
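The control boundary described in the explanation can be checked against flow logs. The following is an added example, not part of the original question: the resolver addresses, branch subnet, and flow records are constructed, and the public resolver list is a small illustrative sample.

```python
import ipaddress

# Assumptions for this added example: resolver addresses, the branch subnet
# and every flow record below are constructed for illustration.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
BRANCH_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]

# A few well-known public resolvers that also answer DoH on TCP/443.
# Any such list is incomplete, which is why the egress policy itself
# (block or proxy direct client DNS/DoH) matters more than the list.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# (src, dst, proto, dport): constructed flow-log records
FLOWS = [
    ("10.20.4.17", "10.0.0.53", "udp", 53),      # client -> approved resolver
    ("10.20.4.17", "8.8.8.8", "udp", 53),        # client -> public resolver, plaintext DNS
    ("10.20.9.3", "1.1.1.1", "tcp", 443),        # client -> public resolver, DoH
    ("10.20.9.3", "203.0.113.10", "tcp", 443),   # ordinary HTTPS
    ("10.0.0.53", "9.9.9.9", "udp", 53),         # approved resolver forwarding upstream
    ("10.20.7.8", "9.9.9.9", "tcp", 853),        # client -> public resolver, DoT
]


def is_branch_client(src):
    """True when the source address belongs to a branch client subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BRANCH_SUBNETS)


def classify(flow):
    """Return the egress verdict for one flow record."""
    src, dst, proto, dport = flow
    if not is_branch_client(src):
        # Approved resolvers are allowed to reach external DNS services.
        return "allow"
    if dport in (53, 853):
        return "allow" if dst in APPROVED_RESOLVERS else "block-direct-dns"
    if proto == "tcp" and dport == 443 and dst in PUBLIC_DOH_RESOLVERS:
        return "block-direct-doh"
    return "allow"


def bypassing_clients(flows):
    """Map each client that bypassed the approved resolvers to its verdicts."""
    result = {}
    for flow in flows:
        verdict = classify(flow)
        if verdict != "allow":
            result.setdefault(flow[0], set()).add(verdict)
    return result


if __name__ == "__main__":
    for client, verdicts in sorted(bypassing_clients(FLOWS).items()):
        print(client, sorted(verdicts))
```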
Topic: Security Engineering
A hybrid enterprise uses a cloud IdP, FIDO2 MFA, compliant-device checks, SCIM provisioning, and a PAM platform for production database access. After an IAM migration, one DBA can sign in to the PAM portal but cannot check out production database credentials.
| Evidence | Value |
|---|---|
| IdP sign-in | Success; FIDO2 and compliant device satisfied |
| SCIM record | active=true; subject matches PAM account |
| SAML assertion | groups=["Employees"]; roles=[] |
| PAM policy | Allow checkout when roles contains PAM.DB.Prod |
| Entitlement source | DBA is in an on-prem group nested under PAM.DB.Prod; IdP emits app roles only from direct assignments |
Which is the most likely cause of the failure?
Options:
A. SAML signature validation failed
B. Missing role claim from nested-group mapping
C. Conditional access blocked the sign-in
D. SCIM deprovisioning disabled the PAM account
Best answer: B
Explanation: This is an authorization failure after successful authentication. The IdP sign-in shows that FIDO2 MFA and device compliance passed, and the SCIM record confirms the PAM account is active and correctly matched. The decisive evidence is the SAML assertion: roles=[] while the PAM policy requires roles to contain PAM.DB.Prod. Because the user’s entitlement exists only through a nested on-premises group and the IdP emits app roles only from direct assignments, the required role is not present at the policy decision point. The failure is therefore caused by claims/entitlement transformation, not by MFA, provisioning, or token validation.
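The claims transformation gap in the exhibit can be reproduced in a few lines. This is an added example, not part of the original question: the group name `DBA-OnPrem`, the user `dba1`, and the data structures are hypothetical, while `PAM.DB.Prod` and `Employees` come from the exhibit.

```python
# Constructed directory for this added example.
# NESTED_UNDER maps a group to the parent groups it is nested under.
NESTED_UNDER = {
    "DBA-OnPrem": {"PAM.DB.Prod"},   # hypothetical on-prem group name
    "PAM.DB.Prod": set(),
    "Employees": set(),
}
DIRECT_MEMBERSHIPS = {"dba1": {"Employees", "DBA-OnPrem"}}  # hypothetical user
APP_ROLE_GROUPS = {"PAM.DB.Prod"}  # groups that map to an app role


def transitive_groups(user):
    """Walk nested groups upward; the seen-set guards against cyclic nesting."""
    seen = set()
    stack = list(DIRECT_MEMBERSHIPS.get(user, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(NESTED_UNDER.get(group, ()))
    return seen


def emit_roles(user, expand_nested):
    """Roles the IdP would place in the assertion.

    expand_nested=False models the exhibit: roles only from direct assignments.
    expand_nested=True models an IdP that resolves nested membership first.
    """
    if expand_nested:
        groups = transitive_groups(user)
    else:
        groups = DIRECT_MEMBERSHIPS.get(user, set())
    return sorted(groups & APP_ROLE_GROUPS)


def build_assertion(user, expand_nested):
    """Simplified stand-in for the attribute statement of the SAML assertion."""
    return {
        "subject": user,
        "groups": ["Employees"],
        "roles": emit_roles(user, expand_nested),
    }


def pam_allows_checkout(assertion):
    """PAM policy from the exhibit: allow when roles contains PAM.DB.Prod."""
    return "PAM.DB.Prod" in assertion.get("roles", [])


if __name__ == "__main__":
    for expand in (False, True):
        assertion = build_assertion("dba1", expand)
        print(expand, assertion["roles"], pam_allows_checkout(assertion))
```

Authentication and provisioning are identical in both runs; only the role emission differs, which is why the checkout decision changes.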
Topic: Security Engineering
A reorganization changed the IdP group for an application team. Authorized developers can authenticate through SSO but can no longer deploy to their nonproduction Kubernetes namespace.
Requirements:
claims-dev
Exhibit:
SAML group claim: claims-dev-deployers
Existing binding: group=ClaimsPlatform-Developers -> Role=deployer, namespace=claims-dev
Denied action: update deployment in namespace claims-dev
Options:
A. Issue static Kubernetes service account tokens to the team
B. Bind the new IdP group to cluster-admin temporarily
C. Add the developers to the old IdP group permanently
D. Update the namespace RoleBinding to the new IdP group
Best answer: D
Explanation: The corrective action should fix the broken authorization mapping at the trust boundary without changing the privilege scope. The users are already authenticating through SSO, and the denied action is a namespace deployment. Updating the RoleBinding to reference the current IdP group preserves federation, PAM approval, and auditability while keeping access limited to the existing deployer role in claims-dev. This is a least-privilege repair, not a workaround. Expanding to clusterwide administration, reviving stale group membership, or bypassing SSO with static tokens would restore access but create unnecessary privilege or accountability risk.
Topic: Security Architecture
A financial services company is moving an analytics API to a cloud object store that contains regulated customer PII. Policy requires PII buckets to use the tenant-approved customer-managed key (CMK) and requires automated evidence that the exact control is enforced. Which action best corrects the implementation before go-live?
Exhibit:
| Control area | Requirement | Current state |
|---|---|---|
| Data protection | Encrypt PII with CMK pii-prod-key | Bucket shows encrypted=true; key type is provider-managed |
| Pipeline identity | Deploy only from protected main | OIDC trust restricted to protected main |
| Validation | Prove required encryption control | CSPM check passes if any encryption is enabled |
Options:
A. Restrict the deploy role to the protected main branch.
B. Add API gateway rate limiting for the analytics API.
C. Accept the bucket because encryption at rest is enabled.
D. Use pii-prod-key and validate the key ID in CSPM.
Best answer: D
Explanation: The flaw is not the absence of encryption; it is a mismatch between the required data-protection control and the validation logic. The policy requires regulated PII to be encrypted with the tenant-approved CMK pii-prod-key, but the current bucket uses provider-managed encryption. The CSPM rule is also too broad because it passes any encrypted bucket, which can create false assurance. Correcting the implementation requires both changing the IaC or bucket configuration to use the approved CMK and updating control validation to assert the expected key identifier. The pipeline identity row is already compliant, so changing it would not address the failed requirement.
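The difference between the current CSPM rule and one that asserts the expected key identifier is shown below. This is an added example, not part of the original question: the bucket records and field names are constructed and do not represent any provider's API, and `analytics-dev-key` is a hypothetical key name.

```python
REQUIRED_KEY_ID = "pii-prod-key"  # key identifier named in the exhibit

# Constructed bucket states; field names are assumptions for this example.
BUCKETS = {
    "current": {"classification": "pii", "encrypted": True,
                "key_type": "provider-managed", "key_id": None},
    "corrected": {"classification": "pii", "encrypted": True,
                  "key_type": "customer-managed", "key_id": "pii-prod-key"},
    "wrong-cmk": {"classification": "pii", "encrypted": True,
                  "key_type": "customer-managed", "key_id": "analytics-dev-key"},
    "unencrypted": {"classification": "pii", "encrypted": False,
                    "key_type": None, "key_id": None},
}


def weak_check(bucket):
    """The rule as described in the exhibit: passes if any encryption is enabled."""
    return bool(bucket.get("encrypted"))


def strict_check(bucket):
    """Return a list of findings; an empty list means the control is enforced."""
    findings = []
    if bucket.get("classification") != "pii":
        return findings  # the rule is scoped to PII buckets only
    if not bucket.get("encrypted"):
        findings.append("encryption disabled")
        return findings
    if bucket.get("key_type") != "customer-managed":
        findings.append(
            "key type is %s, not customer-managed" % bucket.get("key_type"))
    if bucket.get("key_id") != REQUIRED_KEY_ID:
        findings.append(
            "key id %r does not match %r" % (bucket.get("key_id"), REQUIRED_KEY_ID))
    return findings


def evidence(name, bucket):
    """Evidence record that states what was expected and what was observed."""
    findings = strict_check(bucket)
    return {
        "bucket": name,
        "expected_key_id": REQUIRED_KEY_ID,
        "observed_key_type": bucket.get("key_type"),
        "observed_key_id": bucket.get("key_id"),
        "compliant": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, bucket in BUCKETS.items():
        print(name, "weak:", weak_check(bucket), "strict:", evidence(name, bucket))
```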
Topic: Security Engineering
A manufacturing company needs better security visibility for an aging bottling line. The line uses PLCs, HMIs, and a vendor engineering workstation that cannot tolerate added software or unplanned traffic.
Exhibit: Operations constraints
| Constraint | Detail |
|---|---|
| PLC vendor notice | Active probes may trigger watchdog resets |
| Maintenance | One 4-hour outage every 6 months |
| Endpoint support | No third-party agents on PLCs or HMIs |
| Security goal | Detect unauthorized logic changes and abnormal control commands |
| Network access | Core switch supports SPAN/TAP to a sensor VLAN |
Which monitoring design best satisfies the goal with the lowest operational risk?
Options:
A. Deploy passive ICS-aware sensors from SPAN/TAP feeds and alert on baselined command deviations
B. Install EDR agents on HMIs and PLCs with tamper protection enabled
C. Apply firmware patches immediately when released and monitor reboot success
D. Run weekly credentialed vulnerability scans against PLCs and HMIs during production
Best answer: A
Explanation: OT and ICS monitoring must preserve safety and availability when endpoints cannot safely accept agents, active scans, or routine patching. The exhibit states that active probes can reset PLCs, third-party agents are not allowed, and downtime is scarce. A passive, out-of-band sensor connected to SPAN/TAP traffic can observe ICS protocol commands, engineering workstation activity, and baseline deviations without transmitting probes to controllers or modifying endpoints. This supports detection of unauthorized logic changes and abnormal control commands while respecting operational constraints.
The key trade-off is visibility without interference: passive monitoring is preferred until changes can be validated during approved maintenance windows or in a test environment.
Topic: Security Engineering
A manufacturing company must harden embedded temperature controllers that support a safety-critical production line. The controllers cannot be replaced this year, and downtime is limited to one quarterly maintenance window.
Exhibit: Controller assessment
| Finding | Detail |
|---|---|
| Firmware | Vendor-certified image only; no current patch available |
| Resources | CPU averages 82%; 64 MB free storage |
| Management | Telnet enabled; default SNMP community present |
| Connectivity | Must send Modbus/TCP only to the historian |
| Support | No EDR, MDM, or local firewall agent supported |
Which hardening action best fits these constraints?
Options:
A. Create an isolated zone with allowlisted historian traffic and disable Telnet/SNMP defaults
B. Enable full-disk encryption and continuous local malware scanning
C. Schedule weekly firmware updates from the vendor portal
D. Deploy a standard EDR agent with behavioral blocking enabled
Best answer: A
Explanation: Constrained embedded and OT devices often cannot accept normal endpoint agents, frequent patching, or compute-heavy controls. The exhibit shows no supported EDR, high CPU use, limited storage, and no current vendor patch, so hardening should use supported device configuration plus compensating controls around the device. An isolated network zone, strict allowlisting to the historian, and removal of insecure management defaults reduce attack surface without changing the certified firmware or adding unsupported software. Passive monitoring could also complement this design, but the decisive action is to restrict reachable paths and disable exposed legacy services where supported.
Topic: Security Engineering
A manufacturer must harden a production line with PLCs, smart sensors, and an embedded HMI. The devices have limited CPU and storage, cannot run endpoint agents, and can only be patched during two planned outages per year. Safety and uptime take priority, but vendors still need controlled remote troubleshooting access. Which approach best maps to these requirements?
Options:
A. Move device management to a cloud IoT agent on each controller
B. Enable automatic firmware updates immediately after vendor release
C. Use OT segmentation, protocol allowlists, passive monitoring, and a jump host
D. Deploy EDR agents and authenticated scanners on all embedded devices
Best answer: C
Explanation: Constrained OT and embedded devices often cannot support normal enterprise hardening assumptions such as host agents, frequent patching, or heavy authenticated scans. The best fit is to reduce exposure and monitor safely around the devices: isolate them into OT zones, restrict communications to required protocols and peers, use passive monitoring where active probing could affect operations, and route vendor access through a controlled jump host with strong authentication and logging. This creates compensating controls without changing fragile endpoints or disrupting safety-critical operations. Agent-based security and rapid patch cycles may be desirable in IT systems, but they create operational risk when the platform cannot support them.
Topic: Governance, Risk, and Compliance
A global insurer is standardizing data lifecycle governance for a hybrid claims platform. Production must retain regulated claim records for 7 years, support legal holds, and remain recoverable. Nonproduction teams need realistic test coverage but must not store customer identifiers or create unmanaged data copies. Audit requires evidence of where sensitive data exists and when it is disposed of. Which approach is the BEST professional decision?
Options:
A. Keep nonproduction datasets indefinitely and purge production records after 7 years
B. Classify data, mask nonproduction copies, and automate retention, legal hold, and disposal evidence
C. Replicate production data to nonproduction with encryption and matching access controls
D. Tokenize all production fields and disable backups containing regulated records
Best answer: B
Explanation: Data lifecycle governance should control data from creation through retention, use, archival, legal hold, and disposal across environments. In this scenario, production needs regulated retention and recoverability, while nonproduction needs minimized exposure. The best control set combines classification and tagging for visibility, irreversible masking or synthetic data for nonproduction, automated retention and legal-hold policies for production, and audit evidence for disposal. This aligns governance with operational needs instead of relying only on encryption or manual process. Encryption protects copies but does not justify unnecessary sensitive-data proliferation.
Topic: Security Operations
A threat-hunting team must operationalize a detection from malware triage without relying on unstable infrastructure indicators. Which rule-based approach best fits the available evidence and detection need?
Exhibit: Triage summary
Artifacts: 9 quarantined Windows PE files
Common traits: PE section name .xdata2, string "sync_guard_481", import VirtualAlloc
Network: TLS payload encrypted; C2 domains already rotated
Goal: scan file shares, EDR quarantine, and memory dumps for related samples
Options:
A. Write a Snort rule for C2 packet content
B. Write a Rita profile for beaconing analysis
C. Write a YARA rule for the PE and string traits
D. Write a Sigma rule for SIEM process events
Best answer: C
Explanation: YARA is the best fit when the evidence consists of file or memory characteristics and the detection goal is to scan binaries, quarantine repositories, or memory dumps. The exhibit provides stable static traits: PE section naming, an embedded string, and an imported API. The network indicators are explicitly unstable because the C2 domains rotated and the TLS payload is encrypted. Sigma would be better for normalized log events in a SIEM, Rita for analyzing beaconing patterns from network metadata, and Snort for packet-level network signatures. The key takeaway is to match the rule language to both the evidence type and where detection will run.
Topic: Security Operations
A financial services company receives four correlated security alerts during business hours. The customer portal must remain available if clean capacity exists, and the incident response plan requires immediate escalation for suspected compromise involving regulated customer data.
| Asset | Criticality / data | Current evidence | Vulnerability context |
|---|---|---|---|
| Cloud API pod | Tier 0 / customer PII | Unsigned process, outbound beaconing, new service token use | Internet-facing RCE, patch failed |
| Build server | Tier 1 / source code | No malware; scanner finding only | Critical CVE, isolated subnet |
| HR file share | Tier 2 / employee data | Failed logins from one user | Fully patched |
| Marketing VM | Tier 3 / public data | Malware quarantined by EDR | Outdated plugin |
Which response action is the BEST professional decision?
Options:
A. Take the entire customer portal offline immediately
B. Contain the cloud API pod and fail traffic to clean capacity
C. Patch the build server before starting containment
D. Investigate the HR failed logins as the first priority
Best answer: B
Explanation: Response prioritization should weigh asset criticality, business impact, data classification, current compromise evidence, residual risk, and vulnerability context together. The cloud API pod has the strongest combination: Tier 0 criticality, regulated customer PII, active malware-like behavior, suspicious token use, and an unpatched internet-facing RCE. Because clean capacity exists, containment can be targeted by isolating the affected pod, preserving evidence, rotating related credentials, and shifting traffic without unnecessarily taking down the portal. The build server has serious vulnerability risk, but no active compromise evidence in the scenario. The HR and marketing events have either weaker evidence, lower criticality, or successful containment already.
Topic: Security Operations
A public customer portal uses a third-party component with an exploitable deserialization flaw. The vendor patch will not be available for 60 days, and the business will not accept downtime. Risk governance requires a documented temporary response that provides equivalent risk reduction, is reviewed by the control owner, and expires when the vendor patch is deployed. Which approach best maps to these requirements?
Options:
A. Remediate by replacing the component immediately
B. Implement a documented compensating control
C. Mitigate by lowering the service rate limit
D. Monitor for exploitation attempts only
Best answer: B
Explanation: Attack-surface reduction responses differ by whether they remove the weakness, reduce exposure, substitute an approved control, or only observe risk. Here, the vulnerable component cannot be patched or replaced for 60 days, but the portal must stay online and governance requires documented, temporary, equivalent risk reduction with ownership and expiration. That maps to a compensating control, such as a tightly scoped virtual patch, request validation, segmentation, or other approved substitute control that remains in place until true remediation is possible. Remediation would remove the flaw directly. Mitigation would reduce likelihood or impact but may not meet the stated equivalence and governance requirements. Monitoring alone is detective and does not reduce the attack surface.
Topic: Security Architecture
A financial services company is implementing Zero Trust access for a high-risk loan-origination API. Requirements: only corporate-managed devices in the asset inventory may connect; device health must be attested at access time; user identity and device identity must both influence authorization; and stolen credentials from an unmanaged device must not be sufficient. Which approach best maps to these requirements?
Options:
A. Use device inventory, device certificates, and posture attestation as PDP signals
B. Permit only source IP ranges from corporate offices and VPN concentrators
C. Review the CMDB quarterly and disable stale user accounts
D. Require phishing-resistant MFA for all users before API access
Best answer: A
Explanation: Zero Trust access decisions should evaluate the subject, the object, and contextual trust signals continuously. For this scenario, the decisive requirement is not only strong user authentication; it is proving that the endpoint is a known, managed asset with current health attestation. A practical pattern is to register assets, issue device-bound credentials, collect MDM/EDR posture signals, and feed those signals to the policy decision point before the policy enforcement point allows API access. This prevents valid user credentials from being enough when the request originates from an unknown or noncompliant device. Static network location and periodic inventory review do not provide access-time device assurance.
Topic: Security Engineering
A finance firm is hardening Windows jump servers after an intrusion in which the actor used PowerShell and rundll32 from user-writable directories to stage tools and run unsigned credential-dumping scripts. Administrators must still run approved signed automation from a controlled repository, and the SOC needs block/allow telemetry. Which endpoint/server control best meets these requirements?
Options:
A. Full-disk encryption with TPM-backed key protection
B. Application control with signed allowlists and script path restrictions
C. Monthly vulnerability scanning with emergency patch exceptions
D. Network IDS signatures for PowerShell command strings
Best answer: B
Explanation: The core control is application control for TTP-driven hardening. When attackers abuse legitimate interpreters or binaries to execute unapproved code, the host should enforce what may run, from where, and under which signing conditions. A signed allowlist can permit approved administrative automation while blocking unsigned scripts and execution from user-writable staging paths. Enforcement events also give the SOC useful telemetry for attempted bypasses. Full-disk encryption protects offline data, patching reduces known vulnerabilities, and network IDS may detect some command patterns, but none reliably prevents unauthorized local execution on the jump servers.
Topic: Governance, Risk, and Compliance
A SaaS provider is preparing for an external ISO/IEC 27001 certification audit in 90 days. Management wants to reduce audit risk without changing the audit scope. The compliance team must verify that in-scope controls map to the Statement of Applicability, evidence shows control operation, and gaps are assigned corrective actions before the certification body arrives. Which compliance activity best supports this objective?
Options:
A. Perform e-discovery and legal hold for retained customer records.
B. Conduct an audit-readiness assessment with evidence testing and corrective-action tracking.
C. Recalculate enterprise risk appetite for all business units.
D. Issue updated acceptable-use guidelines to all employees.
Best answer: B
Explanation: An audit-readiness assessment is the best fit when the goal is to prepare for an external audit or certification without changing scope. It checks whether required controls are mapped to the applicable framework or Statement of Applicability, whether evidence is complete and credible, and whether control gaps have owners and corrective-action plans. This activity supports the certification objective by reducing evidence failures and unresolved findings before the auditor begins formal testing. Policy updates, legal holds, and enterprise risk appetite work may be valid governance activities, but they do not directly validate audit evidence and control operation for the stated certification scope.
Topic: Security Architecture
A financial services firm is redesigning authorization for a shared analytics platform used by employees, contractors, and a regulated third-party audit team. The security architect must recommend the access control model that best satisfies the governance requirements in the exhibit.
Exhibit: Authorization policy notes
| Requirement | Detail |
|---|---|
| Data labels | Public, internal, restricted, regulated |
| User context | Employment type, department, clearance, training status |
| Request context | Purpose of use, device posture, location, time |
| Governance | Central policy evaluation and auditable decisions |
Options:
A. MAC
B. DAC
C. RBAC
D. ABAC
Best answer: D
Explanation: Attribute-based access control (ABAC) fits this architecture because the access decision depends on multiple dynamic attributes, not just a static role or owner preference. The exhibit requires policy evaluation using user attributes, data labels, request purpose, device posture, location, and time. ABAC can express these conditions centrally and produce auditable allow or deny decisions across mixed populations such as employees, contractors, and auditors.
RBAC may still be used as one input, such as department or job function, but it is too coarse by itself for this context-rich governance requirement.
Topic: Security Architecture
A financial services company is moving a VM-based payment service to Kubernetes, serverless functions, and an automated CI/CD pipeline. Requirements include no long-lived build secrets, workload-level attribution for cloud actions, logs that survive pod or function teardown, and prevention of privileged containers before deployment. Which implementation approach best maps to these requirements?
Options:
A. Rely on VM host agents, subnet firewalls, and manual change approval.
B. Embed shared cloud API keys and log agents in hardened base images.
C. Use CI/CD OIDC federation, workload identities, admission policy, and platform log forwarding.
D. Forward only application logs to the SIEM after deployment.
Best answer: C
Explanation: Container orchestration, serverless, and CI/CD change where controls must attach. Pods and functions are ephemeral, so logs should be collected through platform-native streams and centralized before workloads disappear. CI/CD should use federated, short-lived credentials rather than stored cloud keys. Workloads should receive distinct identities so cloud actions are attributable and least-privilege policies can be enforced. Admission or policy-as-code controls are needed before containers run, especially to block privileged runtime settings.
The key takeaway is to shift identity, logging, and runtime controls into the orchestration, serverless, and pipeline control planes instead of relying on static VM-era controls.
Topic: Security Engineering
An enterprise is integrating a legacy SaaS case-management platform with corporate IAM. Requirements include browser-based SSO, no SaaS-stored enterprise passwords, and a signed XML assertion from the corporate IdP containing NameID, authentication context, and group attributes. The project does not require delegated API access or privileged-session brokering. Which implementation best maps to these requirements?
Options:
A. Configure SAML federation between the IdP and SaaS SP
B. Extend Kerberos delegation to the SaaS tenant
C. Place SaaS access behind a PAM session proxy
D. Use OAuth 2.0 client credentials for the SaaS
Best answer: A
Explanation: SAML is the best fit when an enterprise IdP must provide browser-based SSO to a SaaS service provider using signed XML assertions that carry authentication and attribute statements. The SaaS application trusts the IdP’s assertion instead of storing enterprise passwords, and the assertion can include identifiers, authentication context, and group claims for authorization decisions. OAuth is primarily for delegated authorization to APIs, not user authentication assertions for SSO. Kerberos is typically suited to internal realm-based authentication, not direct SaaS federation across organizational boundaries. PAM is valuable for controlling privileged accounts and recording administrative sessions, but it does not provide the primary federation mechanism described here.
Topic: Security Operations
A SOC receives a TAXII feed entry from a new threat-intelligence provider that lists IPs and file hashes associated with active ransomware operations. The organization wants to use the intelligence quickly but must avoid disrupting partner integrations or triggering containment on indicators that are not relevant to its environment.
Which approach best maps to these requirements?
Options:
A. Enrich and score the indicators before enforcement
B. Wait until three external feeds report each indicator
C. Auto-block all indicators tagged as ransomware
D. Convert the indicators directly into endpoint isolation rules
Best answer: A
Explanation: Threat intelligence should be operationalized through a triage and enrichment process before enforcement. For a new provider, the SOC should assess source reputation, stated confidence, indicator age, campaign context, and whether internal telemetry shows matching activity against relevant assets. This supports fast action without treating every external indicator as equally trustworthy or applicable. The output can drive graduated responses, such as monitoring, alerting, blocking, or containment, based on confidence and local relevance.
The key distinction is that intelligence is not a control by itself; it becomes useful when validated against the organization’s environment and risk tolerance.
Topic: Security Engineering
A healthcare consortium wants a cloud analytics provider to run predefined risk-scoring calculations across patient datasets from multiple hospitals. The provider must not see raw records or intermediate values during processing, and hospitals must retain control of decryption keys. Which implementation best maps to these requirements?
Options:
A. Use homomorphic encryption and decrypt only the final results
B. Run the analytics inside a provider-managed secure enclave
C. Replace identifiers with tokens before sending the dataset
D. Use TLS for uploads and encrypt the cloud storage volume
Best answer: A
Explanation: Homomorphic encryption is designed for cases where computation must occur without exposing the underlying plaintext to the processing party. In this scenario, the analytics provider needs to calculate risk scores, but confidentiality requirements prohibit access to raw patient records and intermediate values. The hospitals can encrypt the data, retain the private keys, allow only approved computations over ciphertext, and decrypt the final permitted results. This directly addresses data confidentiality during processing, not just at rest or in transit. A secure enclave may reduce exposure, but it still shifts trust to the provider’s hardware and enclave management rather than keeping the data cryptographically protected throughout computation.
Topic: Security Operations
A manufacturer detects that several identical PLC gateway appliances sent command sequences outside normal maintenance windows. The appliances use soldered flash storage, expose no supported shell, and have only volatile logs that were lost after power cycling. Production is running on spare gateways, legal has placed two suspect devices under evidence hold, and the incident team must determine whether firmware tampering created the command channel before redeploying the model. Which artifact-analysis approach is the BEST professional decision?
Options:
A. Run data recovery against enterprise file-share backups
B. Perform JTAG-based hardware acquisition of firmware for comparison and analysis
C. Disassemble a workstation memory image from an operator laptop
D. Decompile the vendor management console application used by administrators
Best answer: B
Explanation: Hardware analysis with JTAG is appropriate when the decisive evidence is likely inside an embedded device or controller and normal logical access is unavailable, unsafe, or forensically insufficient. In this scenario, the lost volatile logs, soldered flash, lack of shell access, and firmware-tampering hypothesis make a controlled hardware acquisition from preserved suspect devices the best next step. The acquired firmware can be hashed, compared to a known-good image, and selectively reverse engineered or disassembled if anomalies are found. This approach preserves production resilience by using spares and supports legal evidence handling. Decompiling unrelated management software or recovering file shares does not directly answer whether the gateway firmware was modified.
Topic: Security Engineering
A security engineering team is deploying a SOAR playbook that will remediate critical vulnerabilities by updating cloud security groups and triggering on-premises patch jobs. The current plan runs automatically in production using a broad admin token and records only the final ticket status. Requirements include audit evidence, Zero Trust least privilege, change approval for production-impacting actions, rollback within 15 minutes, and proof that controls still work after remediation. Which correction is the BEST professional decision?
Options:
A. Add detailed SOAR logs but keep the existing admin token and workflow
B. Run the playbook fully automatically and email the owner afterward
C. Gate risky actions with approval, scoped credentials, logging, rollback, and validation
D. Disable SOAR remediation and require all fixes through manual tickets
Best answer: C
Explanation: Safe security automation should be treated like controlled production change, especially when it modifies access paths and triggers patching across hybrid infrastructure. The best correction keeps automation for speed but adds guardrails: risk-based human approval for production-impacting steps, least-privilege service credentials, centralized audit logging, defined rollback steps, and post-remediation validation that the intended controls and services still operate. This satisfies operational resilience and GRC requirements while preserving the response-time benefits of SOAR. Merely notifying owners or logging final status does not prove authorization, reversibility, or effectiveness. Fully manual remediation may reduce automation risk, but it fails the operational goal when controlled automation can meet the constraints.
Topic: Security Engineering
A manufacturer is migrating order processing to a cloud API, but an on-premises ERP module can only use a deprecated TLS profile for the next 90 days. Orders contain regulated customer data, the business cannot pause fulfillment, Zero Trust policy requires explicit trust across cloud/on-prem boundaries, and the audit committee will approve only time-bound exceptions with measurable remediation. Which decision is BEST?
Options:
A. Use a segmented crypto gateway temporarily, then upgrade ERP cryptography
B. Disable the ERP integration until native TLS is upgraded
C. Make the crypto gateway the permanent control boundary
D. Allow the deprecated TLS profile on the cloud API
Best answer: A
Explanation: A compensating control reduces risk when the ideal control cannot be implemented immediately; it should be scoped, monitored, documented, and time-bound. In this scenario, a segmented cryptographic gateway can terminate modern cloud-side TLS, tightly restrict legacy traffic to the ERP enclave, log usage, and support an approved exception during the 90-day window. The permanent design correction is not the gateway itself; it is upgrading or replacing the ERP cryptographic stack so the system natively supports the required TLS profile and removes the exception. The key distinction is temporary risk reduction versus eliminating the root cryptographic design weakness.
Topic: Governance, Risk, and Compliance
A company wants to centralize customer support investigations in a third-party SaaS ticketing platform. Which interpretation should drive the next architecture decision?
Exhibit: Compliance and design notes
| Item | Note |
|---|---|
| Data flow | Customer app logs are attached to tickets unchanged |
| Data classes | EU PII and occasional payment card data may appear in logs |
| Requirements | DPA/SCCs for PII processors; avoid expanding PCI scope; legal holds require exportable immutable records |
| Vendor state | SOC 2 report is available; DPA is not executed; log redaction is optional |
Options:
A. Add regulated-data filtering and complete vendor oversight before production
B. Approve the design because the vendor has a SOC 2 report
C. Retain all ticket data indefinitely to satisfy legal holds
D. Exclude the SaaS from audit scope because it is externally hosted
Best answer: A
Explanation: Compliance requirements can directly change security architecture and operations. Here, unchanged log attachments may expose EU PII and payment card data to a third-party processor. A SOC 2 report helps vendor assurance, but it does not replace a DPA/SCCs, PCI scoping controls, data minimization, or legal-hold evidence requirements. The architecture should prevent unnecessary regulated data from entering the SaaS, execute required third-party agreements, and ensure exportable immutable records for holds. The key takeaway is that compliance obligations are design inputs, not after-the-fact audit paperwork.
Topic: Security Architecture
A financial services company is moving regulated customer datasets to cloud object storage exposed through internal APIs. Developers deploy with infrastructure as code across multiple cloud accounts, and recent incidents involved publicly reachable buckets that were detected only after CSPM alerts reached the SOC. Audit requires evidence that noncompliant configurations are blocked before production, but the delivery team cannot add manual approval gates. What is the BEST professional decision?
Options:
A. Increase SIEM correlation for CSPM and API gateway alerts
B. Run post-deployment DLP discovery scans on object storage
C. Schedule quarterly cloud architecture reviews for storage services
D. Enforce policy-as-code guardrails in CI/CD and cloud organization controls
Best answer: D
Explanation: The goal is to prevent exposed storage from reaching production without slowing delivery. Policy-as-code checks in the pipeline, combined with cloud organization guardrails such as mandatory encryption, public-access blocks, and deployment deny policies, are preventive controls that fit IaC-driven operations. They also create repeatable evidence for audit because each deployment decision can be logged and tied to a policy version. Detective controls such as CSPM, SIEM correlation, and DLP scans remain useful, but they identify problems after resources exist. The key distinction is selecting a control strategy that acts before the risky cloud state is created.
Topic: Security Operations
A SOC engineer is reviewing a behavior analytics alert for a production service account. The account owner confirms no approved maintenance or migration was scheduled during the alert window.
Exhibit: 30-day baseline vs. current activity
| Signal | Baseline | Current window |
|---|---|---|
| Logon type | Noninteractive from app nodes | Interactive VPN login |
| Source device | app-prd-01, app-prd-02 | Unmanaged laptop |
| Typical destinations | Invoice DB and KMS only | 37 internal servers and file share |
| Data movement | Less than 200 MB/hour | 18 GB read from finance share |
| Peer group | No admin tooling | Remote shell launched |
Which interpretation is best supported by the exhibit?
Options:
A. Expected vulnerability scanning from a service identity
B. Normal baseline drift from seasonal finance activity
C. Service account compromise with lateral movement risk
D. False positive caused by missing peer-group history
Best answer: C
Explanation: Behavior analytics is strongest when multiple independent signals deviate from both the entity baseline and its peer group. Here, a service account that normally performs noninteractive application activity from known production nodes is now using an unmanaged VPN endpoint, accessing many unrelated servers, reading a large volume from a finance share, and launching remote shell tooling. Those changes align with credential misuse and possible lateral movement, not ordinary workload variation.
The key is not one anomaly by itself; it is the combined pattern across identity, device, network, application access, and data movement. Baseline drift should be considered only when there is a known business change and the new behavior is consistent with the account’s role.
Topic: Governance, Risk, and Compliance
A risk committee is reviewing incidents after deploying a customer-support LLM that can search tickets and submit refund requests through approved tools. Which interpretation best distinguishes an AI model threat from AI-enabled attacks?
Exhibit: Incident summary
| Case | Observation |
|---|---|
| 1 | Caller used a cloned executive voice to pressure Finance. |
| 2 | User prompt caused the LLM to ignore policy text and call the refund tool. |
| 3 | Phishing emails used AI-generated fluent localization. |
| 4 | Bot varied password-reset answers using generated text. |
Options:
A. Case 1 is a model threat because synthetic media impersonated leadership.
B. Case 3 is a model threat because generative AI improved phishing quality.
C. Case 4 is a model threat because AI automated account-recovery abuse.
D. Case 2 is a model threat because the AI system behavior and tool use were manipulated.
Best answer: D
Explanation: AI model threats target the AI system itself: its prompts, model behavior, training or context data, guardrails, tool permissions, or decision boundaries. In the exhibit, the refund case manipulates the deployed LLM so it disregards policy and uses an approved tool incorrectly, making it a model/application threat such as prompt injection or excessive agency. The other cases use AI as an enabler to improve attacks against people, systems, or processes, such as voice impersonation, phishing, or automated account abuse. The key distinction is whether the AI component is the target/control failure or merely the attacker’s productivity tool.
Topic: Security Architecture
A manufacturer is replacing shared supplier accounts for a design portal. Requirements: suppliers authenticate with their own identity providers, the manufacturer controls which contract roles can access each project, and access from unmanaged devices must be blocked. The draft design authorizes access when a supplier presents a valid federated identity token signed by a trusted IdP certificate.
Which correction best maps the requirements to the right controls?
Options:
A. Issue client certificates and authorize any certificate from the supplier CA
B. Federate authentication, enforce local authorization, and require device attestation
C. Trust supplier group claims as the sole project authorization source
D. Synchronize supplier passwords into the manufacturer directory
Best answer: B
Explanation: The design confuses certificate trust and federated authentication with authorization. A trusted IdP signing certificate helps validate that the token came from an accepted issuer and that the user was authenticated by that IdP. It does not decide what the user may access inside the manufacturer’s projects. The manufacturer should use federation for authentication, then apply its own authorization policy or entitlement mapping at the portal/API policy enforcement point. Device attestation should be a separate conditional-access signal to verify managed posture before granting access. This separates identity proof, access decision, and device trust instead of overloading one mechanism.
Topic: Governance, Risk, and Compliance
A B2B SaaS provider is adding embedded payment checkout. PANs will enter only an isolated cloud segment, be tokenized, and then be sent to a payment processor; no other platform services will store PANs. The acquiring bank requests validation of controls for any environment that stores, processes, or transmits cardholder data. Which approach best maps to these requirements?
Options:
A. Issue a SOC 2 Type II report for the entire SaaS platform
B. Scope and validate the segmented cardholder data environment under PCI DSS
C. Use the CIS Controls as the external compliance attestation
D. Certify the corporate ISMS against ISO/IEC 27001
Best answer: B
Explanation: PCI DSS is the appropriate mapping when the requirement is specifically about cardholder data and an acquiring bank needs validation. The key boundary is the cardholder data environment (CDE): systems that store, process, or transmit PANs, plus connected systems that can affect CDE security. Segmentation can reduce scope, but it must be designed and validated; it does not remove PCI obligations for the checkout segment. SOC 2, ISO/IEC 27001, and CIS Controls can support broader assurance or maturity goals, but they do not replace PCI DSS for payment-card compliance.
Topic: Security Operations
A SOC is triaging a possible source code exfiltration case. The response plan requires a discreet escalation only when artifacts indicate insider risk, while preserving evidence and avoiding unnecessary user notification.
Exhibit: Triage artifacts
| Source | Finding |
|---|---|
| HR feed | Developer gave notice 3 days ago |
| Repository audit | 18 private repos cloned after midnight |
| DLP | Archive uploaded to personal storage |
| IAM | MFA satisfied from normal device/location |
| EDR | No malware or credential-dumping alerts |
Which response approach best maps to these requirements and artifacts?
Options:
A. Treat the event as external account compromise and force password resets
B. Escalate to the insider-threat playbook with HR/legal coordination
C. Open a malware containment case and isolate all build servers
D. Notify the developer immediately and request business justification
Best answer: B
Explanation: The strongest indicator set points to possible insider misuse rather than external compromise or malware. The user authenticated normally from a known device and location, but the behavior changed in a risk-relevant way: bulk repository cloning after hours, upload to personal storage, and recent resignation. That combination supports a discreet insider-threat escalation, typically involving security, HR, legal, and evidence preservation. Immediate user notification can tip off the subject and risk evidence destruction, while broad malware containment does not match the observed artifacts. The key is not any single event, but the correlation of authorized access with anomalous data movement and employment context.
Topic: Security Operations
A threat hunting lead must decide how to use external intelligence before opening an enterprise hunt. The company relies on a logistics vendor for federated SSO access to cloud collaboration data.
Exhibit: External intelligence summary
| Source | Intelligence | Handling / confidence |
|---|---|---|
| ISAC advisory | Sector actor uses compromised vendor SSO accounts, cloud discovery, and unauthorized OAuth consent grants | TLP:AMBER; high confidence |
| Dark web monitor | Two contractor emails tied to the logistics vendor posted with password hashes 8 hours ago | Source reliability B |
| OSINT post | Claims the company was breached; screenshots match a 2022 public demo | Low confidence |
| Threat intel platform | 38 IPs tagged as commodity scanners; last seen 90 days ago | Medium confidence |
Which action is BEST supported by the exhibit?
Options:
A. Hunt for vendor-federated account abuse and suspicious OAuth grants
B. Initiate breach notification based on the OSINT post
C. Block all threat-platform IPs at the perimeter
D. Publish the ISAC advisory and leaked emails publicly
Best answer: A
Explanation: External intelligence should be prioritized by relevance, confidence, freshness, and fit to internal exposure. Here, the strongest hunt lead combines high-confidence ISAC reporting about sector-specific vendor SSO abuse with recent dark web exposure of identities tied to the same vendor relationship. The operational action should validate internal evidence: vendor-federated sign-ins, anomalous cloud discovery activity, new OAuth consent grants, conditional-access failures, and activity from the exposed identities. This uses external intelligence to drive a focused internal hunt rather than treating every feed item as equally actionable.
Stale commodity-scanner IPs may be useful for enrichment, but they do not match the most material risk in the exhibit.
Topic: Security Operations
A SOC analyst is triaging a suspected payment-fraud email that appears to come from the CFO. The organization’s legitimate CFO address is avery.kim@meridian.example. Which interpretation is best supported by the header evidence?
Exhibit: Email header excerpt
```text
From: "Avery Kim" <avery.kim@meridian.example>
Reply-To: payments@meridian-payments.example
Return-Path: <bounce@mailer.vendor-news.example>
Received: from mta.vendor-news.example (198.51.100.24)
Authentication-Results: mx.meridian.example;
  spf=pass smtp.mailfrom=mailer.vendor-news.example;
  dkim=pass header.d=vendor-news.example;
  dmarc=fail header.from=meridian.example
```
Options:
A. The corporate From domain was spoofed through unrelated mail infrastructure.
B. The CFO mailbox sent the message from an approved corporate relay.
C. The email is trustworthy because SPF and DKIM both passed.
D. The Reply-To mismatch proves the attachment executed malware.
Best answer: A
Explanation: Email-header analysis should distinguish authentication for the envelope or signing domain from alignment with the visible From domain. In this exhibit, SPF passes for mailer.vendor-news.example, and DKIM passes for vendor-news.example; neither aligns with meridian.example. DMARC fails for header.from=meridian.example, so the evidence supports spoofing of the corporate From identity rather than successful corporate authentication. The appropriate incident-analysis conclusion is to scope similar messages, preserve the headers, and use the sending infrastructure and reply-to domain as indicators while avoiding unsupported claims of mailbox compromise or malware execution.
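The alignment reasoning in this explanation can be checked mechanically. The following Python is an added example, not part of the original question set: it parses the exhibit's headers (embedded as a constructed sample) and recomputes DMARC alignment. The function names, the `trusted_authserv` parameter, and the two-label organizational-domain shortcut are assumptions of this sketch; real DMARC evaluation uses the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the exhibit's header excerpt, with continuation
# lines indented so they parse as one folded header.
RAW_HEADERS = """\
From: "Avery Kim" <avery.kim@meridian.example>
Reply-To: payments@meridian-payments.example
Return-Path: <bounce@mailer.vendor-news.example>
Received: from mta.vendor-news.example (198.51.100.24)
Authentication-Results: mx.meridian.example;
 spf=pass smtp.mailfrom=mailer.vendor-news.example;
 dkim=pass header.d=vendor-news.example;
 dmarc=fail header.from=meridian.example

"""

def domain_of(value):
    """Lowercased domain of an address or bare domain ('' if empty)."""
    return value.rsplit("@", 1)[-1].strip("<> ").lower() if value else ""

def org_domain(domain):
    """Assumption: last two labels stand in for the organizational domain."""
    return ".".join(domain.rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """DMARC identifier alignment: exact match (strict) or same org domain."""
    if not auth_domain or not from_domain:
        return False
    if strict:
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(value):
    """Split Authentication-Results into authserv-id and per-method results."""
    parts = [p.strip() for p in " ".join(value.split()).split(";") if p.strip()]
    if not parts:
        return {"authserv_id": "", "methods": {}}
    methods = {}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", part[m.end():]))
            methods[m.group(1)] = {"result": m.group(2), **props}
    return {"authserv_id": parts[0].split()[0].lower(), "methods": methods}

def analyze(raw, trusted_authserv="mx.meridian.example", strict=False):
    """Recompute DMARC alignment and summarize what the headers support."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    # Only results stamped by our own receiving MTA are evidence;
    # a sender can add a forged Authentication-Results header.
    trusted = ar["authserv_id"] == trusted_authserv
    methods = ar["methods"] if trusted else {}
    spf, dkim = methods.get("spf", {}), methods.get("dkim", {})
    spf_dom = domain_of(spf.get("smtp.mailfrom", ""))
    dkim_dom = domain_of(dkim.get("header.d", ""))
    spf_pass = spf.get("result") == "pass"
    dkim_pass = dkim.get("result") == "pass"
    spf_aligned = aligned(spf_dom, from_dom, strict)
    dkim_aligned = aligned(dkim_dom, from_dom, strict)
    # DMARC passes only if a passing mechanism is also aligned with From.
    dmarc_ok = (spf_pass and spf_aligned) or (dkim_pass and dkim_aligned)
    if not trusted:
        verdict = "untrusted-authentication-results"
    elif dmarc_ok:
        verdict = "from-domain-authenticated"
    elif spf_pass or dkim_pass:
        verdict = "from-domain-spoofed-via-third-party-infrastructure"
    else:
        verdict = "unauthenticated"
    return {
        "from_domain": from_dom,
        "spf_pass": spf_pass, "spf_aligned": spf_aligned,
        "dkim_pass": dkim_pass, "dkim_aligned": dkim_aligned,
        "dmarc_computed": "pass" if dmarc_ok else "fail",
        "dmarc_reported": methods.get("dmarc", {}).get("result"),
        "reply_to_mismatch": bool(reply_dom) and not aligned(reply_dom, from_dom),
        # Domains worth scoping other messages against.
        "indicators": sorted({d for d in (spf_dom, dkim_dom, reply_dom) if d}),
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, value in analyze(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

The verdict describes only what the headers support; it makes no claim about mailbox compromise or attachment behavior.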
vendor-news.example, not for the visible corporate From domain.
Topic: Security Operations
A global manufacturer is threat hunting a suspected state-sponsored intrusion across on-premises AD, cloud identity logs, and EDR data. The IR lead believes the actor may have read-only access to a service desk mailbox and normal change tickets. Legal approved limited ISAC sharing, but leadership wants to preserve visibility, avoid tipping off the actor, and keep containment plans confidential. What is the BEST professional decision?
Options:
A. Use an isolated IR workspace and share sanitized indicators out-of-band
B. Block all suspected indicators immediately before completing the hunt
C. Document SIEM queries and containment timing in standard change tickets
D. Ask ISAC members to run the exact internal detection logic
Best answer: A
Explanation: Counterintelligence-aware threat hunting protects the defender’s visibility and intent as carefully as the investigation itself. If the adversary may monitor routine collaboration systems, using normal tickets or broadly visible workspaces can reveal what telemetry exists, what gaps remain, and when containment will occur. The best approach is to separate sensitive hunt coordination from potentially compromised channels, restrict details to a need-to-know group, and share only sanitized indicators through an approved out-of-band path. ISAC sharing can still occur, but it should avoid internal query logic, sensor coverage, response timing, and other details that would help the actor adapt.
The key takeaway is to support collaboration without disclosing defensive tradecraft or response plans.
Topic: Security Architecture
A multinational manufacturer is redesigning data controls for a hybrid analytics platform. Access decisions and DLP rules consume object metadata, not file paths. Regulated workforce records must be treated as Restricted. Which architecture action is best supported by the exhibit?
Exhibit: Label/tag review
| Item | Observation |
|---|---|
| Taxonomy | Restricted = regulated PII/workforce data |
| Required tags | classification, owner, retention |
| Ingestion finding | Payroll export tagged classification=Confidential; owner missing |
| Source catalog | Payroll export contains employee IDs and salary data |
| ABAC rule | Deny external access when classification=Restricted |
| DLP rule | Block egress when classification=Restricted |
Options:
A. Grant access only to the payroll project group.
B. Use folder location as the DLP trigger.
C. Enforce authoritative classification tagging during ingestion.
D. Encrypt payroll exports with a platform-managed key.
Best answer: C
Explanation: Classification models and metadata tags become security control inputs when ABAC and DLP policies depend on them. In this exhibit, the payroll export contains regulated workforce data but is tagged Confidential, not Restricted, and the required owner tag is missing. That means both external-access denial and egress blocking can fail because the policies evaluate the wrong label. The design should map from the authoritative source catalog during ingestion, require mandatory tags, and validate or quarantine objects that lack required metadata. Encryption or project membership may be useful supporting controls, but they do not correct the policy-decision input.
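The failure mode in this explanation, and the ingestion control that corrects it, can be shown in a few lines. This Python is an added example, not part of the original question set: the catalog contents, the `REGULATED_ELEMENTS` set, the retention value, and all function names are constructed for illustration.

```python
REQUIRED_TAGS = ("classification", "owner", "retention")

# Assumption: data elements the taxonomy treats as regulated PII/workforce data.
REGULATED_ELEMENTS = {"employee_id", "salary", "national_id"}

# Constructed stand-in for the authoritative source catalog.
SOURCE_CATALOG = {
    "payroll_export": {"employee_id", "salary"},
    "plant_sensor_feed": {"machine_id", "temperature"},
}

# Constructed sample: the payroll export as it arrived in the exhibit
# (classification=Confidential, owner missing; retention value is made up).
PAYROLL_EXPORT_TAGS = {"classification": "Confidential", "retention": "7y"}

def authoritative_classification(source, submitted):
    """Derive the label from catalog contents, not from the submitter's tag."""
    elements = SOURCE_CATALOG.get(source)
    if elements is None:
        return None
    if elements & REGULATED_ELEMENTS:
        return "Restricted"
    return submitted

def ingest(source, tags):
    """Return (decision, final_tags, reasons) for one object at ingestion."""
    final = dict(tags)
    if source not in SOURCE_CATALOG:
        return "quarantine", final, ["source not in catalog"]
    reasons = []
    label = authoritative_classification(source, tags.get("classification"))
    if label != tags.get("classification"):
        reasons.append(
            f"classification {tags.get('classification')!r} -> {label!r}"
        )
        final["classification"] = label
    missing = [t for t in REQUIRED_TAGS if not final.get(t)]
    if missing:
        # Objects without mandatory metadata never reach the policy engines.
        reasons.append("missing required tags: " + ", ".join(missing))
        return "quarantine", final, reasons
    return ("relabel" if reasons else "accept"), final, reasons

def abac_external_access_allowed(tags):
    """Exhibit ABAC rule: deny external access when classification=Restricted."""
    return tags.get("classification") != "Restricted"

def dlp_egress_allowed(tags):
    """Exhibit DLP rule: block egress when classification=Restricted."""
    return tags.get("classification") != "Restricted"

if __name__ == "__main__":
    # With the submitted tags, both policies evaluate the wrong label.
    print("as submitted:",
          abac_external_access_allowed(PAYROLL_EXPORT_TAGS),
          dlp_egress_allowed(PAYROLL_EXPORT_TAGS))
    decision, final, reasons = ingest("payroll_export", PAYROLL_EXPORT_TAGS)
    print(decision, final, reasons)
    print("after ingestion gate:",
          abac_external_access_allowed(final), dlp_egress_allowed(final))
```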
Topic: Security Operations
A security operations team must choose the first vulnerability response for the next maintenance window. The organization’s policy prioritizes issues by exploitability, asset importance, exposure, and compensating controls.
Exhibit: Vulnerability triage summary
| Finding | Asset context | Exposure and controls |
|---|---|---|
| RCE in API framework | Tier 0 payment API processing card data | Internet-facing; exploit in active campaigns; WAF rule disabled; hotfix available |
| SQL injection in HR portal | Tier 1 employee self-service app | VPN-only; parameterized query wrapper blocks known payloads; patch available |
| Stored XSS in wiki | Tier 3 public knowledge site | Internet-facing; no sensitive sessions; CSP enforced; vendor fix pending |
| Weak TLS cipher on DB listener | Tier 0 database cluster | Private subnet only; listener restricted to app servers; config change available |
Options:
A. Reconfigure the database listener to remove the weak cipher
B. Apply the payment API hotfix and re-enable a WAF rule
C. Patch the HR portal SQL injection during the next cycle
D. Wait for the wiki vendor fix and increase CSP reporting
Best answer: B
Explanation: Vulnerability response priority should be driven by combined risk, not severity labels alone. The payment API is a Tier 0 asset, handles regulated payment data, is internet-facing, has active exploitation, lacks its WAF compensating control, and has a hotfix available. That combination creates the highest near-term likelihood and impact and also offers a feasible control action. The database issue affects a critical asset, but exposure is restricted and a weaker cryptographic configuration is less urgent than actively exploited RCE. The HR and wiki findings have either limited exposure, effective controls, lower asset importance, or no immediate fix. The key is to prioritize the response that most reduces exploitable business risk now.
Topic: Security Architecture
A regulated SaaS provider is hardening its CI/CD platform after finding that internal package names could be confused with public packages and that deployment jobs accepted unsigned build outputs. Requirements: approved open-source dependencies must remain available through a cache, internal package resolution must stay inside the enterprise boundary, and production must accept only artifacts built by approved isolated runners with verifiable source and dependency provenance. Which control best maps to these requirements?
Options:
A. Private dependency proxy with signed provenance enforcement
B. Nightly SCA scans with release SBOM generation
C. Internal mirror of all public registry packages
D. Developer MFA with protected source branches
Best answer: A
Explanation: The core control is software supply-chain provenance enforcement at the package and artifact boundaries. A private dependency proxy or repository manager can prevent dependency confusion by resolving internal namespaces internally and allowing only approved upstream packages into the cache. Signed provenance, such as an in-toto/SLSA-style attestation, binds the artifact to its source, build runner, and dependency inputs. Verifying that attestation before deployment reduces unsigned artifact and untrusted build-runner risk. SBOMs and SCA are useful visibility controls, but they do not by themselves enforce where packages resolve or whether a production artifact came from an approved build path.
Topic: Governance, Risk, and Compliance
A multinational insurer wants employees to use approved generative AI tools for software assistance and customer-support drafting. Constraints: regulated customer data and proprietary source code must not leave approved boundaries, usage must be auditable for compliance, and the business does not want a blanket ban that drives shadow AI. Which response is the BEST professional decision?
Options:
A. Implement an AI acceptable-use standard with approved tools, DLP controls, logging, and risk-based reviews
B. Allow each business unit to approve AI tools independently if productivity improves
C. Deploy an internal model and exempt it from monitoring because data stays on premises
D. Block all public AI sites and prohibit employee AI use until regulations mature
Best answer: A
Explanation: The core concept is risk-based AI governance. The insurer needs to reduce misuse, sensitive-data disclosure, and compliance gaps without eliminating legitimate business value. A practical response combines governance and technical enforcement: define acceptable use, limit use to approved AI services, apply DLP and data-classification rules, log prompts and responses where appropriate, and require higher scrutiny for high-risk use cases. This also reduces shadow AI because employees have a sanctioned path. A total ban is usually brittle and may push use into unmanaged channels, while unmanaged local approvals create inconsistent risk acceptance. An internal model can reduce some data exposure risk, but it still needs monitoring, access control, and abuse-case governance.
Topic: Security Engineering
A legal team must send acquisition documents to outside counsel using normal enterprise email. The security architect must select the cryptographic protection that satisfies the policy excerpt.
Exhibit: Messaging protection policy
| Requirement | Detail |
|---|---|
| Confidentiality scope | Message content and attachments must remain protected after delivery |
| Sender assurance | Recipients must verify the sender and detect tampering |
| Keying model | Outside counsel users have individual public certificates |
| Operations constraint | Do not require a new file-sharing portal |
Which protection best meets these requirements?
Options:
A. Mandatory SMTP STARTTLS between mail gateways
B. S/MIME encryption with sender digital signatures
C. Site-to-site IPsec between mail gateways
D. Password-protected archives sent as attachments
Best answer: B
Explanation: The policy requires message-level protection, not just transport protection. S/MIME fits because each message and attachment can be encrypted to the recipients’ public certificates, so confidentiality persists after the email leaves the sender’s mail gateway. The sender can also digitally sign the message, allowing recipients to validate sender identity and detect content tampering. This directly uses the stated enterprise PKI without adding a separate portal or shared-password process.
Tunnel or transport encryption protects only specific network paths; it does not keep the email encrypted at rest in mailboxes or after forwarding. The key takeaway is to match the cryptographic control to the data state and trust boundary.
Topic: Security Architecture
A financial services company is redesigning a customer API path after several brief outages during traffic spikes. Security leadership wants deeper Layer 7 inspection, but the business will not accept added single points of failure or missed recovery objectives.
Exhibit: Architecture note
| Item | Current state / requirement |
|---|---|
| Traffic path | CDN → WAF → API gateway → services |
| Inspection | Full TLS inspection on one inline WAF cluster |
| Latency target | p95 under 120 ms end to end |
| Availability | Regional failover required within 5 minutes |
| Recovery | WAF policy/config must be reproducible in a new region |
Which action best addresses the trade-off shown in the exhibit?
Options:
A. Move all inspection to asynchronous log analysis
B. Disable TLS inspection during peak traffic periods
C. Deploy active-active WAFs with IaC-managed policy replication
D. Place a larger WAF appliance in the primary region
Best answer: C
Explanation: The architecture needs a control that keeps Layer 7 inspection without making the WAF a fragile choke point. Active-active WAF placement across resilient paths supports availability and failover, while infrastructure-as-code or equivalent configuration automation makes policy recovery reproducible in another region. This also allows capacity to scale horizontally, which is usually a better fit for latency-sensitive traffic than relying on one larger inline device.
Asynchronous analysis can improve detection, but it does not provide the same preventative inspection on the request path. The key takeaway is to pair inspection depth with resilient placement and repeatable recovery, not to remove inspection or increase only appliance size.
Topic: Security Architecture
A global manufacturer is replacing MPLS backhaul for 80 branches and a hybrid workforce. Users need direct access to SaaS and selected private applications, while security requires identity-aware access, device-posture checks, DLP, web filtering, and consistent logging without forcing all traffic through the data center. Which architecture best maps to these requirements?
Options:
A. Adopt a SASE architecture with integrated ZTNA and cloud security controls
B. Use SDN controllers to program internal data center segmentation
C. Deperimeterize by removing network boundary controls from branch traffic
D. Deploy SD-WAN only to optimize branch-to-cloud routing
Best answer: A
Explanation: SASE is the best fit when access architecture must combine distributed connectivity with consistent security policy enforcement. In this scenario, users and branches need direct SaaS and private-app access without data center backhaul, but the organization still requires identity-aware controls, posture checks, DLP, web filtering, and centralized visibility. SASE typically integrates capabilities such as ZTNA, secure web gateway, CASB, firewall-as-a-service, and SD-WAN-style connectivity into a cloud-delivered model. The key is not merely improving routing; it is moving policy enforcement closer to users, devices, and cloud applications while preserving centralized governance. SD-WAN can be part of SASE, but by itself it does not satisfy the full security-control requirement.
Topic: Security Architecture
A financial services company must keep a legacy loan-processing system online for 9 months while a replacement is built. Review the architecture note and select the best risk interpretation and action.
Exhibit: Legacy system architecture note
| Area | Current state |
|---|---|
| Platform | Unsupported OS; vendor forbids OS patching and EDR agents |
| Data | Customer PII; high business criticality |
| Network | Same VLAN as modern app servers; outbound Internet allowed |
| Access | Admin RDP from IT subnet; partner VPN HTTPS inbound |
| Monitoring | Local logs only; no centralized telemetry |
| Finding | Critical RCE exists; no vendor patch available |
Options:
A. Accept the risk because migration is scheduled
B. Create a segmented compensating-control enclave
C. Increase scanning frequency on the existing VLAN
D. Install EDR and apply emergency OS patches
Best answer: B
Explanation: Legacy components change architecture risk because normal control assumptions may no longer hold: patching, endpoint agents, supported logging, and vendor remediation are unavailable. In this exhibit, the system handles regulated data, has a critical unpatched RCE, permits broad network reachability, and lacks centralized telemetry. The appropriate architecture response is a time-bound compensating-control enclave: isolate the asset, restrict inbound and outbound paths, require controlled administrative access, add network-based detection or virtual patching, and document the residual risk through migration. Scanning can help track exposure, but it does not compensate for exploitable reachability and missing telemetry.
Topic: Security Operations
A global enterprise is onboarding audit logs from a new SaaS identity platform into its SIEM and SOAR pipeline. The logs will drive account-takeover playbooks, must satisfy a 1-year retention requirement, and will be correlated with on-premises directory and EDR events. Which onboarding control is the BEST professional decision before allowing the data source to support response decisions?
Options:
A. Enable SOAR actions immediately and tune mappings after alerts fire
B. Require an evidence-based parser and retention acceptance test
C. Accept the SaaS provider’s dashboard as the validation record
D. Store the logs as raw archive data until an incident occurs
Best answer: B
Explanation: A monitoring pipeline governance gate should prove that a new source is operationally usable before it affects incident response. For this SaaS identity feed, the control should require representative sample events, parser validation, field normalization to the enterprise schema, retention-policy evidence, and successful searches or correlation tests in the SIEM. Because the data will trigger SOAR account-takeover actions, the organization also needs test evidence before automation can act on the events. Raw ingestion alone is not enough; the response team must know that the events are correctly interpreted, retained for the required period, and queryable during investigations. The key takeaway is to gate production response use on verified telemetry quality, not on availability of logs alone.
Topic: Governance, Risk, and Compliance
An enterprise SaaS provider is rationalizing its compliance roadmap after acquiring an on-premises data center and expanding its cloud service to EU customers. The CISO needs actionable secure build baselines, a board-level view of cybersecurity outcomes, a certifiable security management standard, customer-facing assurance over control operating effectiveness, and privacy obligations for personal data. Which selection is the BEST professional decision?
Options:
A. ISO/IEC 27001, CIS Benchmarks, GDPR, NIST CSF, and SOC 2 Type II
B. NIST CSF, SOC 2 Type II, GDPR, CIS Benchmarks, and ISO/IEC 27001
C. CIS Benchmarks, NIST CSF, ISO/IEC 27001, SOC 2 Type II, and GDPR
D. SOC 2 Type II, GDPR, CIS Controls, ISO/IEC 27001, and NIST CSF
Best answer: C
Explanation: Compliance and governance artifacts serve different purposes and should not be treated as interchangeable mandates. CIS Benchmarks provide prescriptive configuration guidance for hardening systems. NIST CSF is commonly used to organize cybersecurity outcomes and communicate program posture. ISO/IEC 27001 is an industry standard for an information security management system and can support certification. SOC 2 Type II is an attestation report used to provide customers assurance that controls operated effectively over time. GDPR is a privacy regulation governing personal-data processing for EU data subjects. Matching each artifact to its role avoids audit gaps and prevents engineering teams from using high-level frameworks as build standards.
Topic: Security Engineering
A SaaS provider is redesigning encryption for a multi-tenant analytics platform. Requirements: cryptographic overhead must stay low for high-volume reads, EU customer data must remain controlled by EU-held keys, deletion requests must make active data and backups unrecoverable within 30 days, and auditors need key-use evidence. Which approach best maps to these requirements?
Options:
A. Salted hashing of all regulated fields before storage
B. Envelope encryption with regional HSM/KMS keys and per-tenant data keys
C. Full homomorphic encryption for all stored records and queries
D. Global HSM-backed master key shared across all tenants
Best answer: B
Explanation: Envelope encryption is the best fit when performance, key jurisdiction, auditability, and data lifecycle controls must all be balanced. Bulk data is encrypted with efficient symmetric data encryption keys, while regional HSM/KMS-held key encryption keys protect and audit those data keys. Keeping EU key material in an EU-controlled boundary addresses the legal constraint. Per-tenant data keys also support targeted rotation and crypto-erasure: destroying the relevant data key can make encrypted copies in backups unrecoverable without rewriting every backup immediately. The key takeaway is to separate fast data encryption from governed key control.
Topic: Security Architecture
A manufacturer is moving regulated order-processing applications from two data centers into several cloud landing-zone accounts. The design must keep workload subnets off the public internet, inspect customer-to-cloud and inter-cloud workload traffic, maintain dev/prod route isolation, and tolerate loss of one carrier or cloud edge. Which connectivity design best meets these requirements?
Options:
A. A single private circuit terminating in the production workload network
B. Internet VPNs directly into each workload network with local firewalls
C. Public application endpoints with IP allowlists and cloud WAF inspection
D. Dual private links into a segmented transit hub with centralized inspection
Best answer: D
Explanation: The strongest design is a hub-and-spoke or transit architecture using redundant private connectivity into a cloud transit layer. Segmented route tables or equivalent routing domains keep dev and prod separated, while centralized inspection points enforce enterprise policy before traffic reaches workload networks or crosses between cloud networks. Dual carriers, diverse paths, and redundant cloud edge attachments address operational resilience without changing the security model. Direct per-workload connections may look simple, but they make inspection and consistent route control harder at scale. Public endpoints with allowlists and WAF controls help application-layer exposure, but they do not meet the requirement to keep workload connectivity private.
Topic: Security Operations
An enterprise uses a deployment broker to integrate cloud CI jobs with on-prem production orchestration. CI jobs have tenant-scoped tokens; the broker has a privileged service identity because it must reach production systems. Zero Trust policy requires authorization at each service boundary, but the broker currently validates only that a request came from an approved CI tenant.
Incident evidence: A low-privileged build job submitted a deployment request that referenced a production secret bundle. The broker fetched and applied the bundle using its own identity. The build job had no direct permission to read or deploy the bundle.
Which decision best identifies the attack pattern and addresses the root weakness?
Options:
A. Classify as confused deputy and require broker authorization on the caller’s behalf.
B. Classify as unsafe deserialization and block untrusted deployment metadata.
C. Classify as an implant and rebuild broker hosts from known-good images.
D. Classify as TOCTOU and lock the manifest between validation and deployment.
Best answer: A
Explanation: This is a confused deputy pattern: a less-privileged subject caused a more-privileged service to perform an action the subject could not perform directly. The decisive weakness is not that the broker is privileged; it is that the broker authorizes the request source but does not authorize the requested object and action against the original caller’s permissions. A durable fix preserves operational integration while adding caller-aware authorization, such as propagating identity/claims, checking policy at the broker, and constraining the broker’s delegated access to only approved resources. The key takeaway is to enforce authorization at the service boundary where privilege is exercised.
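The caller-aware authorization described in this explanation, as an added example that is not part of the original question set. The tenant, job, and bundle names and the policy table are hypothetical; the "before" function reproduces the tenant-only check from the scenario so the two decisions can be compared.

```python
"""Added illustration: a deployment broker that authorizes on the caller's behalf.

Every tenant, job, bundle and policy entry below is constructed for this example.
"""
from dataclasses import dataclass

APPROVED_TENANTS = {"ci-tenant-a"}

# Constructed policy: what each original caller may do, independent of the
# broker's own privilege. Unknown callers get an empty set (default deny).
CALLER_POLICY = {
    ("ci-tenant-a", "release-job"): {("deploy", "bundle/prod-secrets")},
    ("ci-tenant-a", "build-job"): {("deploy", "bundle/dev-config")},
}

# What the broker's privileged service identity can reach.
BROKER_REACH = {"bundle/prod-secrets", "bundle/dev-config"}


@dataclass(frozen=True)
class Request:
    tenant: str    # CI tenant the token was issued to
    job: str       # original caller inside that tenant
    action: str
    resource: str


def broker_tenant_only(req):
    """'Before' behaviour from the scenario: only the request source is checked."""
    if req.tenant not in APPROVED_TENANTS:
        return "deny: unapproved tenant"
    if req.resource not in BROKER_REACH:
        return "deny: broker cannot reach resource"
    # Broker privilege is exercised for any caller in an approved tenant.
    return "allow"


def broker_caller_aware(req, audit):
    """Hardened: the (action, resource) pair is authorized against the caller."""
    allowed = CALLER_POLICY.get((req.tenant, req.job), set())
    if req.tenant not in APPROVED_TENANTS:
        decision = "deny: unapproved tenant"
    elif (req.action, req.resource) not in allowed:
        decision = "deny: caller lacks permission"
    elif req.resource not in BROKER_REACH:
        decision = "deny: broker cannot reach resource"
    else:
        decision = "allow"
    # Per-caller audit record, written for allows and denies alike.
    audit.append((req.tenant, req.job, req.action, req.resource, decision))
    return decision


if __name__ == "__main__":
    log = []
    low_priv = Request("ci-tenant-a", "build-job", "deploy", "bundle/prod-secrets")
    print("tenant-only :", broker_tenant_only(low_priv))
    print("caller-aware:", broker_caller_aware(low_priv, log))
    print("audit       :", log)
```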
Topic: Governance, Risk, and Compliance
A multinational enterprise is automating its risk dashboard. Audit findings show that cloud instances, endpoints, and SaaS integrations are tracked in separate tools, and several high-risk systems have no business owner or data classification. The CISO wants governance decisions to reflect configuration drift, asset criticality, control exceptions, and ownership without relying on quarterly spreadsheets. Which approach best maps these requirements?
Options:
A. Require annual control attestations from each application owner.
B. Increase unauthenticated vulnerability scan frequency for all network ranges.
C. Feed reconciled asset and configuration evidence into GRC continuous monitoring workflows.
D. Forward all configuration-change logs directly to the SIEM.
Best answer: C
Explanation: The core need is governance-grade risk visibility from configuration-management and asset-inventory evidence. A continuous monitoring approach should reconcile CMDB, cloud inventory, endpoint, SaaS, and scanner data; require ownership and classification metadata; and route drift or missing-control evidence into GRC workflows for risk acceptance, remediation, or exception tracking. This changes governance decisions from periodic self-reporting to evidence-backed prioritization based on asset criticality and control state. Vulnerability scanning and SIEM ingestion can provide useful signals, but they do not by themselves establish ownership, classification, exception status, or risk-register linkage.
Topic: Security Engineering
A security engineering team has funding for one hardware-security mitigation package this quarter. Prioritize the asset group that creates the greatest combined risk from business impact, physical exposure, and firmware integrity weakness.
Exhibit: Asset hardware risk summary
| Asset group | Criticality | Physical exposure | Firmware/security state |
|---|---|---|---|
| Retail payment terminals | High | Public counters | USB service port; unsigned firmware updates; TPM unused |
| Code-signing HSMs | High | Locked data center cage | FIPS-validated; signed firmware; tamper response enabled |
| Executive laptops | Medium | Frequent travel | Secure Boot and TPM-backed disk encryption enabled |
| Lobby sensors | Low | Public areas | Unsigned firmware; isolated telemetry VLAN |
Options:
A. Replace the code-signing HSMs with newer tamper-resistant modules.
B. Harden retail payment terminals with signed firmware and TPM attestation.
C. Prioritize tamper-evident casings for lobby sensors.
D. Add self-encrypting drives to the executive laptop fleet.
Best answer: B
Explanation: Hardware-security prioritization should combine asset criticality, physical access risk, and firmware trust. The retail payment terminals have high business and compliance impact, are physically reachable by untrusted people, and allow unsigned firmware updates through a service port while leaving the TPM unused. A mitigation package that enforces signed firmware and uses a hardware root of trust for measured boot or attestation directly reduces the most dangerous path: local tampering leading to persistent firmware compromise. The HSMs are highly critical, but their existing controls and restricted location reduce the immediate gap. The laptops and sensors have some exposure, but lower criticality or existing hardware controls make them less urgent.
Topic: Security Operations
A security operations team is onboarding a trusted ISAC feed into its threat-intelligence platform. Review the sharing plan and choose the best interpretation.
Exhibit: Threat-intel sharing plan
IoC content:
- indicator object with pattern, valid_from, labels, confidence
- relationships to malware and campaign objects
Exchange method:
- partners poll /taxii2/collections/{collection-id}/objects
- HTTPS with token-based authentication
- incremental updates by collection
Options:
A. TAXII collection metadata replaces STIX relationships.
B. STIX is only for detection-rule syntax.
C. TAXII structures the IoCs; STIX transports them.
D. STIX structures the IoCs; TAXII transports them.
Best answer: D
Explanation: STIX and TAXII solve different parts of threat-intelligence sharing. STIX is the content model: it represents cyber threat intelligence as structured objects such as indicators, malware, campaigns, observed data, relationships, confidence, and time validity. TAXII is the exchange mechanism: it defines services, collections, API endpoints, and transport behavior for sharing that STIX content between organizations or platforms. In the exhibit, fields such as indicator, pattern, valid_from, and relationships are STIX concepts, while /taxii2/collections/{collection-id}/objects, HTTPS, authentication, and incremental polling describe TAXII transport. The key distinction is data structure versus delivery channel.
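The structure-versus-transport split in this explanation, as an added example that is not part of the original question set. The envelope below is a constructed TAXII 2.1 style response body; the object IDs, domain, malware name, and the confidence threshold of 80 are assumptions made for illustration.

```python
"""Added illustration: TAXII delivers an envelope, STIX defines what is inside it."""
from datetime import datetime, timezone

IND = "indicator--00000000-0000-4000-8000-00000000000"  # constructed ID prefix
MAL = "malware--00000000-0000-4000-8000-00000000000a"    # constructed ID

# TAXII layer: paging metadata ("more") wrapped around a list of objects.
# STIX layer: each object's type, pattern, validity window and confidence.
ENVELOPE = {
    "more": False,
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": IND + "1",
         "pattern": "[domain-name:value = 'c2.example.test']",
         "pattern_type": "stix", "valid_from": "2024-03-01T00:00:00Z",
         "labels": ["malicious-activity"], "confidence": 85},
        {"type": "indicator", "spec_version": "2.1", "id": IND + "2",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "pattern_type": "stix", "valid_from": "2024-03-01T00:00:00Z",
         "labels": ["anomalous-activity"], "confidence": 20},
        {"type": "indicator", "spec_version": "2.1", "id": IND + "3",
         "pattern": "[domain-name:value = 'old.example.test']",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z",
         "valid_until": "2023-06-01T00:00:00Z",
         "labels": ["malicious-activity"], "confidence": 90},
        {"type": "malware", "spec_version": "2.1", "id": MAL,
         "name": "ExampleLoader", "is_family": False},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-0000000000f1",
         "relationship_type": "indicates",
         "source_ref": IND + "1", "target_ref": MAL},
    ],
}


def parse_ts(value):
    """STIX timestamps are RFC 3339 UTC strings ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def actionable_indicators(envelope, now, min_confidence=80):
    """Return indicators that are inside their validity window and meet the
    confidence threshold, each with the objects it 'indicates'."""
    objects = envelope.get("objects", [])
    by_id = {obj["id"]: obj for obj in objects}

    # Resolve STIX relationship objects into per-indicator context.
    context = {}
    for obj in objects:
        if obj.get("type") == "relationship" and obj.get("relationship_type") == "indicates":
            target = by_id.get(obj["target_ref"], {})
            context.setdefault(obj["source_ref"], []).append(
                target.get("name", obj["target_ref"]))

    selected = []
    for obj in objects:
        if obj.get("type") != "indicator":
            continue
        if obj.get("confidence", 0) < min_confidence:   # missing confidence fails closed
            continue
        if parse_ts(obj["valid_from"]) > now:            # not yet valid
            continue
        until = obj.get("valid_until")
        if until and parse_ts(until) <= now:             # expired
            continue
        selected.append({"id": obj["id"], "pattern": obj["pattern"],
                         "confidence": obj["confidence"],
                         "indicates": context.get(obj["id"], [])})
    return selected


if __name__ == "__main__":
    for hit in actionable_indicators(ENVELOPE, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(hit)
```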
Topic: Security Engineering
A hybrid enterprise uses mTLS from on-premises Kubernetes workloads to a cloud API through a zero trust access proxy. After a planned intermediate CA rotation, 40% of workloads fail while others continue to connect. Network telemetry shows successful DNS resolution and TCP handshakes to the proxy, but the failing pods log:
TLS alert: unknown_ca
verify error: unable to get local issuer certificate
negotiated protocol: none
The security team must restore service without weakening certificate validation. What is the BEST professional decision?
Options:
A. Re-enable legacy cipher suites on the proxy
B. Update the workload trust bundle and validate the full chain
C. Fail traffic over to the secondary network path
D. Temporarily disable mTLS verification for affected pods
Best answer: B
Explanation: The decisive evidence is that DNS and TCP connectivity succeed, but TLS fails with unknown_ca and unable to get local issuer certificate immediately after an intermediate CA rotation. That points to a PKI trust-chain problem: affected workloads do not trust the issuing intermediate or lack the needed chain in their trust store. The best response is to update and validate the workload trust bundle, confirm the presented certificate chain, and use controlled deployment automation so mTLS remains intact. A cipher mismatch would usually show no shared cipher or handshake algorithm errors, while a network outage would fail before TLS negotiation. The key takeaway is to map the failure layer before changing network paths or weakening cryptographic controls.
Topic: Security Architecture
A financial services company is tightening its CI/CD controls after a supplier advisory affected a transitive library used by several internal services. The requirement is to fail builds when a dependency, including a transitive dependency, has a known severe vulnerability or prohibited license, and to produce evidence that the dependency graph was evaluated at build time. Which software assurance control best maps to these requirements?
Options:
A. Dynamic application security testing
B. Software composition analysis
C. Software bill of materials generation
D. Static application security testing
Best answer: B
Explanation: Software composition analysis (SCA) is the best fit when the assurance requirement focuses on third-party and open-source components. SCA tools inspect dependency manifests, lock files, package metadata, and resolved transitive dependency graphs, then compare them with vulnerability and license intelligence. In a CI/CD pipeline, SCA can enforce policy by failing a build when a dependency violates risk or license rules and can preserve evidence of what was evaluated. An SBOM is often an output or supporting artifact, but generating an SBOM alone does not necessarily enforce vulnerability or license policy. SAST and DAST are useful for application weakness detection, but they do not directly satisfy the dependency governance requirement.
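A build-time gate of the kind this explanation describes, as an added example that is not part of the original question set and not any SCA product's API. The resolved graph, license data, advisory ID, and the choice to fail closed on an unknown license are all constructed assumptions.

```python
"""Added illustration: fail a build on transitive dependency policy violations
and keep evidence of exactly which graph was evaluated."""
import hashlib
import json

# Constructed resolved graph (as a lock file would pin it): package -> direct deps.
GRAPH = {
    "loan-service@1.4.0": ["webkit-lite@2.1.0", "csvtool@0.9.2"],
    "webkit-lite@2.1.0": ["yamlparse@3.0.1"],
    "csvtool@0.9.2": ["chartgen@1.0.0"],
    "yamlparse@3.0.1": [],
    "chartgen@1.0.0": [],
}
# Constructed license and advisory intelligence.
LICENSES = {
    "webkit-lite@2.1.0": "MIT",
    "csvtool@0.9.2": "Apache-2.0",
    "yamlparse@3.0.1": "MIT",
    "chartgen@1.0.0": "AGPL-3.0-only",
}
ADVISORIES = {
    "yamlparse@3.0.1": [{"id": "EXAMPLE-ADV-0001", "severity": "critical"}],
}
PROHIBITED_LICENSES = {"AGPL-3.0-only"}   # assumed policy
FAIL_SEVERITIES = {"high", "critical"}    # assumed policy


def resolve(root, graph):
    """Walk the graph from root; return each reachable package with the
    dependency path that pulled it in. Already-seen nodes are skipped,
    so a cyclic graph terminates."""
    paths = {root: [root]}
    stack = [root]
    while stack:
        node = stack.pop()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                stack.append(dep)
    return paths


def evaluate(root, graph, licenses, advisories):
    """Apply vulnerability and license policy to every resolved dependency."""
    paths = resolve(root, graph)
    violations = []
    for pkg in sorted(paths):
        if pkg == root:
            continue
        for adv in advisories.get(pkg, []):
            if adv["severity"] in FAIL_SEVERITIES:
                violations.append({"package": pkg, "rule": "vulnerability",
                                   "detail": adv["id"], "path": paths[pkg]})
        lic = licenses.get(pkg)
        if lic is None:  # assumption: unknown license fails closed
            violations.append({"package": pkg, "rule": "unknown-license",
                               "detail": "no license data", "path": paths[pkg]})
        elif lic in PROHIBITED_LICENSES:
            violations.append({"package": pkg, "rule": "license",
                               "detail": lic, "path": paths[pkg]})
    # Evidence: a digest over the evaluated sub-graph, stored with the build record.
    evaluated = {p: sorted(graph.get(p, [])) for p in sorted(paths)}
    digest = hashlib.sha256(json.dumps(evaluated, sort_keys=True).encode()).hexdigest()
    return {"root": root, "evaluated": sorted(paths), "graph_sha256": digest,
            "violations": violations, "passed": not violations}


if __name__ == "__main__":
    report = evaluate("loan-service@1.4.0", GRAPH, LICENSES, ADVISORIES)
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if report["passed"] else 1)  # non-zero exit fails the CI job
```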
Topic: Governance, Risk, and Compliance
A regulated enterprise has repeated outages after emergency firewall and cloud IAM updates. Auditors require evidence of who approved each change, which business service was affected, the rollback plan, and whether the implemented state matches the authorized baseline. Which approach best maps to these requirements?
Options:
A. Create a vulnerability exception workflow for unpatched systems
B. Implement ITIL change enablement with CMDB-backed configuration management
C. Adopt COBIT goals cascading for board-level control objectives
D. Expand asset lifecycle tracking for procurement and disposal events
Best answer: B
Explanation: The requirements are operational governance controls around change and configuration state, not only high-level governance objectives. ITIL change enablement provides the process for request, approval, emergency handling, implementation, rollback, and post-change review. Configuration management and a CMDB map configuration items to business services, owners, dependencies, and authorized baselines so auditors can trace what changed, who approved it, and whether production still matches the approved state. This also supports accountability through RACI assignments for change owner, approver, implementer, and reviewer. COBIT can frame governance objectives, but it does not by itself provide the operational change record and CI relationship evidence required here.
Topic: Governance, Risk, and Compliance
A financial services company is updating data lifecycle governance for regulated customer records stored in SaaS platforms and cloud object storage. The architecture team submits the following component for approval. Which assessment is best supported by the exhibit?
Exhibit: Proposed governance component
| Organizational requirement | Proposed component |
|---|---|
| Accountable owner per data class | Not specified |
| Approved retention and disposal rules | Object lifecycle deletes after 7 years |
| Legal hold before disposal | DLP label blocks external sharing |
| Audit evidence in GRC system | Monthly storage screenshots |
Options:
A. Approve it if screenshots are retained for audit review.
B. Approve it because deletion and DLP enforce lifecycle controls.
C. Reject it until ownership, legal hold, and GRC evidence are defined.
D. Replace data owners with cloud IAM resource owners.
Best answer: C
Explanation: A governance component must define accountability, decision rights, standards, exceptions, and evidence expectations; technical controls can enforce those decisions but cannot replace them. In the exhibit, lifecycle deletion may support disposal, and DLP may reduce disclosure risk, but neither establishes the required data owner, approved retention authority, legal-hold process, or auditable GRC record. Screenshots are weak point-in-time evidence and do not show approval, exception handling, or control ownership. The appropriate assessment is that the proposal is incomplete as governance work, even if some technical controls are useful implementation mechanisms.
Topic: Security Operations
A global manufacturer operates a hybrid SIEM/SOAR for cloud workloads and on-premises OT jump hosts. Automated blocking is allowed only for high-confidence indicators with internal confirmation, SOC engineering capacity is limited, and executives want a quarterly risk trend rather than raw alert counts.
| Feedback item | Observation |
|---|---|
| Feed Alpha | 4,000 low-confidence IPs; 82% false positives; many cloud scanner ranges |
| Feed Beta | 120 indicators; 3 matched confirmed intrusions; timely sector reporting |
| Hunt gap | New sector TTP maps to exposed VPN logs; no detection coverage |
Which action is the BEST professional decision?
Options:
A. Disable both feeds until the next quarterly review and continue FIFO hunts
B. Re-score sources, tune noisy rules, prioritize the VPN TTP hunt, and report residual risk
C. Auto-block all Alpha and Beta indicators and report prevented connections
D. Keep rules unchanged, raise sector-tagged alert severity, and report alert volume
Best answer: B
Explanation: Threat-intelligence feedback should drive a closed-loop operating model: validated sources become more trusted, noisy sources are down-scored or constrained, detection rules are tuned using observed false positives, and hunts are prioritized by exposure plus coverage gaps. In this scenario, Feed Alpha should not drive broad blocking because it is low-confidence and noisy. Feed Beta deserves higher confidence because it correlated with confirmed intrusions. The exposed VPN TTP with no coverage should move up the hunt backlog because it represents a current sector-relevant gap. Executives should receive residual-risk trends and control-coverage changes, not raw alert counts that can increase as noise increases.
Topic: Governance, Risk, and Compliance
A financial services company is approving an AI model that scores account-takeover risk. Scores above 90 can automatically lock a customer account until identity proofing is completed. Which interpretation is best supported by the exhibit?
Exhibit: Governance review note
| Requirement or finding | Detail |
|---|---|
| Policy requirement | User-impacting automated actions require auditable, feature-level rationale. |
| Model A | 91% detection; supports per-decision feature attribution. |
| Model B | 96% detection; vendor exposes only a risk score and confidence value. |
| Proposed selection | Model B, due to higher detection performance. |
Options:
A. Model B satisfies policy through confidence scoring.
B. Model B creates an explainability governance risk.
C. Either model is acceptable if the vendor is contracted.
D. Model A is prohibited because it has lower detection.
Best answer: B
Explanation: Explainable AI governance focuses on whether stakeholders can understand and audit why a model produced a user-impacting decision. In this scenario, account lockout is an adverse operational action, and the policy explicitly requires auditable, feature-level rationale. Model B has better detection performance, but a risk score and confidence value do not explain which factors drove a specific decision. That makes it a non-explainable or insufficiently explainable option for this use case unless the process is changed, compensating human review is added, or the vendor provides adequate explanation evidence. Accuracy improves security outcomes, but it does not replace explainability requirements for regulated or customer-impacting automation.
Topic: Security Architecture
A manufacturer is onboarding a design partner that needs access to two internal engineering portals and one SaaS repository for 6 months. Requirements are:
Which access-control approach best satisfies these requirements?
Options:
A. Local manufacturer accounts with quarterly access reviews
B. Shared partner service account with repository-level permissions
C. Federated SSO with conditional access and SCIM/JIT provisioning
D. Site-to-site VPN with IP allow listing only
Best answer: C
Explanation: The core concept is federated logical access with lifecycle-aware authorization. A federation trust lets the partner authenticate users with its own identity provider, so the manufacturer does not store partner passwords. The manufacturer can still act as the policy enforcement point by applying MFA, device posture, and project-based authorization before granting access to portals and SaaS resources. SCIM or just-in-time provisioning helps create, update, and disable application access based on identity-state changes, reducing orphaned access when the partner disables a user.
The key takeaway is that federation solves authentication ownership, but conditional access and provisioning are needed to satisfy the enforcement and deprovisioning requirements.
Topic: Governance, Risk, and Compliance
A security architect is threat-modeling a new employee benefits portal before production release. Which finding best describes the attack surface issue supported by the exhibit?
Exhibit: Architecture and review notes
Flow: Browser user -> SSO -> API gateway -> Benefits API -> HR database
Trust boundary: Internet users cross into internal API tier at the gateway
Input: Browser sends documentUrl and returnUrl parameters to Benefits API
Code review: API fetches documentUrl using its service identity, then stores parsed PII
Controls: Validates SSO employee claim; no URL allowlist; no egress filtering
User factor: Help desk tells users to paste document links from any cloud drive
Options:
A. Cloud-drive usage creates the primary acceptable-use issue
B. User-controlled URLs create SSRF and confused-deputy risk
C. Shared SSO creates a federation trust failure
D. PII storage creates the primary encryption gap
Best answer: B
Explanation: The exhibit shows an attack surface expansion at the Internet-to-internal API trust boundary. The risky element is not merely that users submit data; it is that the internal Benefits API performs outbound fetches to user-controlled documentUrl values using its own service identity. Without URL allowlisting and egress filtering, an attacker could try to make the service reach internal endpoints, metadata services, or unintended external hosts. That is a classic SSRF/confused-deputy pattern because a trusted component is induced to act on an untrusted user’s behalf. The help desk behavior increases likelihood by normalizing arbitrary links, but the architectural root issue is the untrusted-to-trusted data flow and missing control point.
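The missing control point named in this explanation, as an added example that is not part of the original question set: a validator the Benefits API could apply to documentUrl before fetching. The allowlisted host, the injected resolver, and the sample addresses are constructed assumptions.

```python
"""Added illustration: validate a user-supplied documentUrl before a
server-side fetch. The resolver is injected so the check runs offline."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"docs.example.com"}  # hypothetical approved document host


def check_document_url(url, resolve, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). `resolve(host)` must return a list of IP strings."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return (False, "unparseable URL")

    if parts.scheme != "https":
        return (False, "scheme not https")
    if parts.username is not None or parts.password is not None:
        return (False, "userinfo not allowed")
    if port not in (None, 443):
        return (False, "port not allowed")

    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return (False, "host not allowlisted")

    # Even an allowlisted name must not resolve to internal, loopback,
    # link-local (metadata service) or otherwise non-public space.
    addresses = resolve(host)
    if not addresses:
        return (False, "host did not resolve")
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return (False, "resolves to non-public address")
    return (True, "ok")


# Constructed resolver data for the demonstration below.
SAMPLE_DNS = {
    "docs.example.com": ["93.184.216.34"],
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


if __name__ == "__main__":
    samples = [
        "https://docs.example.com/benefits/form.pdf",
        "http://docs.example.com/benefits/form.pdf",
        "https://files.example.net/form.pdf",
        "https://169.254.169.254/latest/meta-data/",
    ]
    for candidate in samples:
        print(candidate, "->", check_document_url(candidate, sample_resolver))
```

The fetch itself should connect to the address that was just validated rather than resolving the name a second time, and egress filtering remains the network-level backstop if this check is bypassed.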
Topic: Security Architecture
A financial services company is redesigning a hybrid application after a compromised internal host reached a database tier laterally. Remote user access is already handled by SASE/ZTNA; the new control must address workload-to-workload traffic.
Exhibit: Architecture requirements
| Requirement | Constraint |
|---|---|
| Allow only approved service flows | Policy must follow workload identity |
| Reduce east-west blast radius | Includes same-subnet traffic |
| Support data center and cloud workloads | Avoid broad network reachability |
Which architecture approach best satisfies the requirements?
Options:
A. Require always-on VPN from all managed endpoints
B. Implement identity-based microsegmentation with default-deny workload policies
C. Create larger VLAN zones with ACLs between subnet boundaries
D. Add site-to-site VPN tunnels between cloud and data centers
Best answer: B
Explanation: The exhibit points to microsegmentation because the control must limit workload-to-workload movement and follow workload identity rather than only subnet location. Traditional segmentation can reduce exposure between network zones, but it often depends on routing or VLAN boundaries and may not control traffic between systems in the same subnet. VPN approaches solve secure connectivity problems, such as remote endpoint access or network-to-network transport, but they do not by themselves enforce least-privilege east-west application flows. The key takeaway is to match the control to the trust boundary: workload boundaries require microsegmentation, not broader connectivity controls.
Topic: Security Engineering
A hybrid enterprise uses an on-premises directory federated to a cloud IdP and a PAM platform for just-in-time administration. After a directory-sync rule change, on-call DBAs cannot elevate to the production database restart role. The PAM denial shows required group claim not present. Requirements are 2-hour elevation, MFA from a compliant device, per-user auditability, and access only to restart production database services. Which corrective action is BEST?
Options:
A. Create a shared local database restart account
B. Assign DBAs permanent cloud database administrator rights
C. Restore the federated group claim and PAM role mapping
D. Exclude DBAs from the conditional access policy
Best answer: C
Explanation: The core issue is an IAM claim-to-role mapping failure, not a need for more privilege. The PAM platform denies elevation because the federated assertion no longer includes the group claim that proves eligibility for the specific restart role. Restoring that claim and its PAM mapping preserves least privilege, JIT elevation, MFA/compliant-device enforcement, and per-user audit trails. It also fixes the root cause introduced by the directory-sync rule change instead of weakening identity controls or granting standing administrative access. The key takeaway is to repair the broken authorization signal at the correct trust boundary.
Topic: Security Architecture
A global financial firm is redesigning a customer-facing authentication service. Requirements include surviving a full regional outage with minimal user disruption, scaling during unpredictable login spikes, integrating with existing cloud and on-premises identity providers, and avoiding dependence on local server session state. Data residency rules require customer data to remain in its assigned geography. Which architecture best maps to these requirements?
Options:
A. Single-region cluster using proprietary identity connectors
B. Active-passive deployment in one geography with nightly backups
C. Active-active regional deployment with stateless service nodes
D. Persistent session affinity to vertically scaled regional servers
Best answer: C
Explanation: The core resilient design pattern is an active-active, geographically distributed service tier with non-persistent compute and state externalized to controlled data stores. Stateless nodes can be added or replaced quickly, which supports burst scaling and fast recovery. Regional placement can respect data residency by keeping customer state in the assigned geography while still allowing traffic steering and failover for service availability. Standards-based federation or API integration also preserves interoperability with cloud and on-premises identity providers.
A design that depends on local session state, a single geography, or proprietary connectors creates recovery and interoperability risk. The key takeaway is to separate replaceable compute from governed, replicated state.
Topic: Security Operations
A security operations team receives a threat-intelligence package after suspicious activity appears in a hybrid environment. Which interpretation is best supported by the exhibit?
Exhibit: TIP intake summary
Source: ISAC TAXII collection ingested into TIP
STIX objects: malware label "RiftLoader"; 3 hashes; 2 C2 domains
Shared content: Sigma rule for unusual PowerShell child process
Shared content: YARA rule for packed loader pattern
Shared content: Snort rule for HTTP beacon pattern
Local evidence: Sigma and Snort alerts on 4 hosts; YARA match on 1 binary
Attribution note: "Possible overlap with multiple intrusion sets; confidence: low; actor unknown"
Options:
A. Pause detection work until the TIP assigns actor confidence.
B. Treat TAXII delivery as validation of the responsible actor.
C. Tune detections and scope hosts while treating attribution as unconfirmed.
D. Attribute the activity to the malware author named in STIX.
Best answer: C
Explanation: Sigma, YARA, and Snort evidence most directly supports detection engineering: creating, tuning, validating, and deploying analytics for SIEM, file/malware matching, and network IDS use cases. STIX describes threat-intelligence objects, TAXII transports them, and a TIP manages them, but those mechanisms do not prove who conducted the activity. In the exhibit, local Sigma, YARA, and Snort matches are actionable for scoping and detection improvement. The attribution note explicitly says the activity overlaps multiple intrusion sets and has low confidence. Actor attribution would require stronger corroboration, such as consistent infrastructure ownership, unique tradecraft, campaign timing, or trusted intelligence with high-confidence sourcing.
Topic: Security Architecture
A financial services company is exposing a claims API to two external processors. Requirements: authenticate each processor’s service identity, avoid shared secrets, prevent a token issued by one processor’s IdP from being accepted for the other, and revoke access without changing application code. Which control approach best maps to these requirements?
Options:
A. Create one shared SAML trust for both processors’ users
B. Allow any public CA client certificate and authorize by source IP range
C. Use partner-scoped OIDC federation plus mTLS client certificates at the API gateway
D. Issue one long-lived API key to each processor and rotate it quarterly
Best answer: C
Explanation: Federation and certificate controls define where trust begins and ends. Partner-scoped federation lets the company trust claims only from the intended processor’s identity provider, rather than treating all external tokens as equivalent. mTLS at the API gateway authenticates the calling service with a certificate and allows revocation through PKI controls without changing the API code. Mapping the certificate identity and federated issuer to a specific partner prevents one organization’s token or certificate from crossing into another partner’s authorization boundary. The key takeaway is to combine federation for identity claims with certificate-based service authentication at the enforcement point.
Topic: Governance, Risk, and Compliance
A financial services company is reviewing a threat-modeling output for a hybrid claims API scheduled for release in six weeks. The API processes regulated customer data through a cloud API gateway, cloud microservice, site-to-site VPN, and on-premises mainframe adapter. Risk appetite allows go-live only if high-risk cross-boundary authorization gaps have an assigned treatment owner before production.
Threat-model summary: A stolen partner OAuth token could invoke high-value account updates from untrusted networks. Existing controls include WAF inspection, centralized logging, and mTLS between the gateway and service, but no policy enforcement point exists before the mainframe adapter.
Which recommendation is the BEST professional decision?
Options:
A. Delay release until all medium and low findings are remediated.
B. Record a policy exception and revisit during the annual review.
C. Conditionally approve with an owned PEP/token-binding treatment before go-live.
D. Approve unchanged based on the existing WAF, mTLS, and logging.
Best answer: C
Explanation: A useful threat-modeling output should connect environment-specific trust boundaries, abuse cases, existing controls, and risk appetite to concrete decisions. Here, the key issue is not generic API exposure; it is a high-risk cross-boundary authorization weakness before a regulated on-premises system. WAF inspection, logging, and service-to-service mTLS help, but they do not prove the partner identity, device context, or authorization decision at the mainframe adapter. The best decision is conditional approval tied to an accountable treatment plan, such as adding a policy enforcement point and strengthening token binding before go-live. This supports architecture, risk, and governance without forcing unnecessary remediation of every lower-risk item.
Topic: Security Operations
A manufacturer finds an unknown DLL on a compromised jump host used for OT administration. Two cloud workloads show outbound connections to the same rare domains. Legal requires evidence preservation and prohibits disclosure to public analysis services. The SOC needs actionable IoCs within hours and wants to know whether this is a variant of malware from a prior intrusion. Which action is BEST?
Options:
A. Delay response until manual reverse engineering proves actor attribution.
B. Quarantine the jump host and block only the DLL hash across EDR.
C. Analyze a forensic copy in an isolated sandbox and compare extracted IoCs and code similarity internally.
D. Upload the DLL to a public malware sandbox and use the community verdict.
Best answer: C
Explanation: The best professional decision is to separate evidence preservation from analysis by keeping the original artifact intact and analyzing a verified forensic copy. An isolated, instrumented sandbox can safely observe file, registry, process, and network behavior without exposing OT or cloud environments. Controlled egress or simulated internet services can reveal command-and-control patterns while respecting legal restrictions against public submission. Extracted IoCs can then be converted into detections and compared with internal YARA rules, prior samples, strings, imports, functions, or code similarity indicators to assess whether the DLL is a variant of known malware. Attribution can be informed by these clues, but rapid containment and reliable internal evidence come first.
Topic: Security Architecture
A financial services company hosts a regulated payment service in a hybrid environment. Requirements state that only the payment API subnet may reach the cardholder database, denied connection attempts must appear in the SIEM within 5 minutes, and validation must run after each deployment without disrupting production. Which approach best validates the effectiveness of these controls?
Options:
A. Review firewall rules against the approved network diagram
B. Run safe segmentation probes and measure SIEM log-latency results
C. Perform external vulnerability scans and trend critical CVEs
D. Conduct an annual red-team exercise against the payment application
Best answer: B
Explanation: Control effectiveness validation should test whether the implemented control behaves as intended and whether required evidence is produced. In this scenario, the key controls are network segmentation and logging. Safe, repeatable probes from representative network locations can confirm that the payment API subnet is allowed, other paths are denied, and the denied attempts reach the SIEM within the required time. This maps to the deployment-driven requirement without relying only on design review or waiting for an annual exercise. Vulnerability trends and red-team findings may be useful security inputs, but they do not directly prove this specific segmentation and logging control objective after each deployment.
Topic: Security Engineering
A security engineer is reviewing an attestation failure for a field laptop that handles regulated design files. The user reports briefly leaving the device unattended in a conference room; the laptop later booted normally but failed conditional access.
Exhibit: Hardware attestation summary
| Signal | Finding |
|---|---|
| Secure Boot state | Enabled |
| Boot source | Removable USB device |
| TPM PCR baseline | PCR[0], PCR[2], PCR[4] changed |
| UEFI update log | No approved capsule update |
| OS EDR startup | First event after boot gap |
| Firmware setup | External boot allowed |
Which interpretation is best supported by the exhibit?
Options:
A. TPM hardware replacement need
B. USB boot shim or bootkit risk
C. Transient EMI measurement noise
D. Normal Secure Boot behavior
Best answer: B
Explanation: Measured boot uses TPM PCR values to record early boot components, including firmware and bootloader stages. Secure Boot being enabled does not eliminate risk if removable boot is allowed and the measured boot baseline changes unexpectedly. In this exhibit, the device booted from USB, key PCRs changed, and there is no approved UEFI update to explain the change. That combination supports an evil-maid-style USB boot shim or bootkit risk, requiring containment and trusted firmware/boot-chain validation before the device is trusted again. A normal OS malware finding would not fully explain the pre-OS measurement drift and boot-source evidence.
Topic: Governance, Risk, and Compliance
A healthcare analytics company is selecting a new cloud-based data processor for regulated patient data. Legal requires evidence that the company reasonably investigated the vendor before signing and can show ongoing reasonable protection after onboarding. Which approach best satisfies both due diligence and due care for this compliance decision?
Options:
A. Purchase cyber insurance covering vendor-caused breaches
B. Document management’s formal risk acceptance after contract signing
C. Perform vendor risk assessment, contract controls, and recurring evidence reviews
D. Require the vendor to sign a confidentiality statement
Best answer: C
Explanation: Due diligence is the reasonable investigation performed before a decision, such as assessing a vendor’s security posture, compliance evidence, subprocessors, and data-handling practices. Due care is the ongoing reasonable action taken to protect the organization and affected data after the decision, such as contractual security obligations, audit rights, control monitoring, remediation tracking, and periodic evidence reviews. In this scenario, the company must prove both that it selected the processor responsibly and that it continues to oversee the processor’s protection of regulated patient data. A vendor risk assessment plus enforceable contract controls and recurring reviews maps to both concepts. Insurance, confidentiality language, or late risk acceptance may support risk management, but they do not replace reasonable investigation and continuing oversight.
Topic: Security Engineering
A security engineer is reviewing endpoint privilege management for corporate laptops. Which action is best supported by the exhibit to reduce endpoint risk without blocking legitimate administration?
Exhibit: Endpoint privilege review
| Finding | Detail |
|---|---|
| Incident pattern | Malware used persistent local admin rights to disable EDR and dump credentials. |
| Operations need | Desktop support must run signed driver installers and network repair tools during outages. |
| Policy constraint | No standing local administrator access for daily user accounts. |
| Audit need | Privileged actions must include user, device, command, and ticket context. |
Options:
A. Use just-in-time elevation for approved admin tasks with full session logging
B. Keep desktop support in the local Administrators group on all laptops
C. Block all elevation requests and require device reimaging for repairs
D. Rely on EDR tamper protection while leaving privileges unchanged
Best answer: A
Explanation: Endpoint privilege management reduces blast radius by removing persistent administrative rights and brokering elevation only when needed. In this scenario, the risk comes from standing local admin privileges being abused to disable controls and access credentials, but operations still require timely driver and repair work. A just-in-time or just-enough administration model can permit specific signed tools or commands, require ticket or MFA context, and log the user, device, command, and approval trail. This satisfies the audit and operational requirements while reducing the attacker’s ability to reuse a privileged token after compromise. Pure blocking would harm availability, and unchanged privileges would leave the root risk in place.
Topic: Security Engineering
A security engineer is reviewing an endpoint hardening plan for regulated workstations and production servers. The plan must support incident reconstruction, drift detection, and exposure reduction without relying on manual quarterly reviews.
Exhibit: Proposed endpoint plan
| Area | Proposed control |
|---|---|
| Malware prevention | EDR prevention mode enabled |
| Logs | Local retention for 24 hours only |
| Baselines | Golden image checklist at build time |
| Drift | Manual quarterly spot checks |
| Exposure | Vulnerability scans exclude enrolled endpoints |
Which change should the engineer require before approval?
Options:
A. Increase EDR blocking sensitivity and extend local quarantine retention.
B. Schedule an annual penetration test covering a sample of endpoints.
C. Require full-disk encryption and TPM-backed key storage on all endpoints.
D. Add centralized logging, desired-state management, and continuous endpoint exposure monitoring.
Best answer: D
Explanation: The endpoint plan has preventive controls, but it does not create durable evidence or continuously validate endpoint state. For regulated servers and workstations, local 24-hour logs are insufficient for incident reconstruction, a build-time checklist does not prevent or detect configuration drift, and excluding enrolled endpoints from vulnerability scanning removes attack-surface visibility after deployment. The approval condition should add centralized log forwarding/retention, configuration management or desired-state enforcement, and continuous vulnerability or exposure monitoring. These controls complement EDR prevention by proving what happened, whether endpoints remain compliant, and which exploitable conditions still exist.
Topic: Security Architecture
A retailer is redesigning the ingress path for a public e-commerce site and partner API. The security team must block common web attacks before they reach the application tier, enforce API authentication and rate limits, and give monitoring tools visibility into HTTP requests after TLS is decrypted.
Exhibit: Current ingress notes
| Item | Current state |
|---|---|
| Traffic path | Internet → CDN → edge firewall → L4 load balancer → web/API tier |
| TLS handling | Pass-through to web/API tier |
| Monitoring | IDS tap before edge firewall sees encrypted CDN-to-origin traffic |
| Gap | No API policy enforcement before the application tier |
Options:
A. Place vulnerability scanners inline before the load balancer
B. Place WAF/API gateway before the web tier and mirror post-decryption traffic to collectors
C. Deploy NAC between the CDN and the edge firewall
D. Move the IDS tap outside the CDN and keep TLS pass-through
Best answer: B
Explanation: The required controls operate at different points in the ingress path. A WAF and API gateway must see application-layer requests before they reach the web/API tier so they can enforce web attack protections, authentication, and rate limits. Because the existing load balancer passes TLS through to the application tier, the IDS tap in front of the firewall only observes encrypted traffic and CDN source behavior. Moving application-layer termination/enforcement to a WAF/API gateway tier and mirroring decrypted traffic to collectors provides both prevention and visibility without making scanners or NAC perform inline web enforcement. The key placement principle is to align the component with the layer and trust boundary where it can actually inspect and enforce.
Topic: Security Architecture
A global software company is replacing its flat VPN with SASE-delivered Zero Trust access for cloud admin consoles and an on-premises source-code system. Access must be granted only from managed employee laptops and approved ephemeral CI runners, must survive normal autoscaling, and must not rely on network location because developers work from many regions. Which design is the BEST professional decision?
Options:
A. Feed verified asset inventory and attestation signals into the access policy engine
B. Require phishing-resistant MFA for all users and remove device checks
C. Manually approve each new CI runner in the CMDB
D. Allow access only from corporate egress IP addresses
Best answer: A
Explanation: Zero Trust access should evaluate both the subject and the asset requesting access. For employee laptops, the policy decision point can consume MDM/EDR enrollment, hardware-backed device identity, patch posture, and attestation results. For ephemeral CI runners, it should use workload identity and automated attestation from the approved build environment rather than static host records. This supports cloud and on-premises access consistently, avoids trusting network location, and scales with autoscaling while denying unmanaged or cloned assets.
The key takeaway is that asset management must be dynamic and policy-consumable, not just a passive CMDB record.