Try 85 free CompTIA CySA+ CS0-004 questions across the exam domains, with explanations, then continue with full IT Mastery practice.
This free full-length CompTIA CySA+ CS0-004 practice exam includes 85 original IT Mastery questions across the exam domains.
Use these questions for self-assessment, scope review, and deciding what to drill next.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
Try CompTIA CySA+ CS0-004 on Web View full CompTIA CySA+ CS0-004 practice page
| Domain | Weight |
|---|---|
| Security Operations | 34% |
| Vulnerability Management | 26% |
| Incident Response and Management | 24% |
| Reporting and Communication | 16% |
Use this as one diagnostic run. IT Mastery gives you timed mocks, topic drills, analytics, code-reading practice where relevant, and full practice.
Topic: Security Operations
A SOC analyst is reviewing a correlated alert for a workstation and a file server. Which adversary pattern is best supported by the exhibit?
Exhibit: Correlated endpoint and identity events
08:14 WS-042 winword.exe spawned powershell.exe; outbound to 198.51.100.27
08:18 WS-042 unsigned temp process requested read access to lsass.exe
08:23 FS-03 successful admin logon from WS-042 using j.santos-admin
08:24 FS-03 new remote service created by j.santos-admin
08:25 FS-03 service launched binary from ADMIN$ share
Options:
A. Credential access followed by lateral movement
B. Web application exploitation from the internet
C. Persistence through scheduled task creation
D. DNS tunneling for data exfiltration
Best answer: A
Explanation: The exhibit shows a sequence of TTPs rather than a single indicator. A document process spawning PowerShell suggests initial execution from a user-opened file. The unsigned process reading lsass.exe points to credential access. The later successful admin logon from the same workstation to a file server, followed by remote service creation and execution from ADMIN$, supports lateral movement using obtained credentials. This pattern is more specific than simply labeling the activity as malware execution because the decisive evidence is the transition from credential access on one host to remote execution on another host.
winword.exe, not an internet-facing application server.Topic: Reporting and Communication
A vulnerability analyst is preparing a report for the application owner. The report must support remediation while minimizing disclosure of sensitive data.
Exhibit: Validated finding
Asset: payroll-web01.example.com (internet-facing)
Finding: Exposed Git metadata directory
Request: GET https://payroll-web01.example.com/.git/config
Result: 200 OK
Observed content: [remote "origin"] url = https://<token>@git.example.com/payroll/app.git
Recommended fix: Block web access to .git paths and remove exposed metadata
Which evidence should be included in the vulnerability report?
Options:
A. Sanitized asset, path, HTTP 200 result, and redacted snippet
B. Full .git/config contents including the token value
C. Command sequence to recursively download the exposed repository
D. Sample source files retrieved from the payroll repository
Best answer: A
Explanation: Actionable vulnerability evidence should identify what is affected, prove the condition, and guide remediation without spreading secrets or sensitive business data. In this case, the report needs the affected asset, vulnerable path, successful response, and a redacted content sample showing that Git metadata is exposed. The token and repository contents are not needed to validate the finding for the application owner and would increase data exposure if included in tickets, emails, or dashboards. The remediation note should point to blocking access to .git paths and removing exposed metadata.
The key balance is evidence sufficiency: include enough proof to reproduce and prioritize the issue, but redact secrets and avoid exploit-enabling detail.
Topic: Vulnerability Management
A vulnerability team scans from the corporate security VLAN. The environment includes a PCI segment and an OT segment that block inbound connections from the corporate VLAN except to approved management hosts. The latest report shows many assets in those segments as unreachable, and the few detected hosts have only banner-based findings. Policy prohibits broad firewall exceptions. What action should the analyst take?
Options:
A. Open temporary any-to-any firewall rules from the scanner during scans
B. Continue external scans but increase the scan intensity setting
C. Deploy scan engines inside each segment with approved local credentials
D. Accept the report as evidence that the segments have low vulnerability exposure
Best answer: C
Explanation: Network segmentation directly affects vulnerability scan visibility. If firewalls block the scanner, unreachable hosts and banner-only results usually indicate limited coverage, not low risk. The best action is to place a scanner or scan engine where it can reach the protected assets through approved paths and use credentials valid for that segment. This supports authenticated checks without weakening the segmentation boundary. The existing results should be interpreted as incomplete coverage until the scanner placement and credential scope match the segmented architecture.
Topic: Incident Response and Management
A SOC analyst is building an incident timeline for a workstation after an EDR alert. The analyst needs to determine when the suspicious activity escalated from initial execution to credential-access behavior.
Exhibit: Endpoint timeline
Time (UTC) Source Event
08:57:12 EDR Unsigned script launched by WINWORD.EXE
08:59:40 Proxy Workstation connected to new external domain
09:04:18 EDR PowerShell spawned from script host
09:07:51 EDR Process opened LSASS with credential-dump-like access
09:12:22 SIEM Multiple successful logons to file servers using same user
Which evidence best identifies when the activity escalated?
Options:
A. Connection to a new external domain
B. Process opened LSASS with credential-dump-like access
C. PowerShell spawned from script host
D. Unsigned script launched by WINWORD.EXE
Best answer: B
Explanation: Timeline analysis separates the first suspicious event from later changes in attacker behavior. In this exhibit, the unsigned script and child PowerShell process help show initial execution, while the external connection may support command-and-control investigation. The clearest escalation point is the event where a process opened LSASS with credential-dump-like access, because that changes the activity from execution and connectivity into credential-access behavior. The later file-server logons may show impact or lateral movement after credentials were potentially obtained, but they do not mark the first observed escalation into credential access.
The key takeaway is to choose the evidence that best marks the behavior change being investigated, not simply the earliest or most severe-looking event.
Topic: Incident Response and Management
A SOC has contained an incident by removing public access to an internet-facing CMS server. Evidence shows a web shell uploaded through a vulnerable plugin, a malicious cron job that recreates the shell, and one compromised CMS administrator account. EDR shows no rootkit or lateral movement, and a vendor patch is available. Which eradication action is the BEST professional decision before recovery?
Options:
A. Block the observed source IPs and restore the CMS from backup
B. Reimage every server in the subnet before restoring service
C. Remove the shell, delete the cron job, patch the plugin, and rotate credentials
D. Keep the server isolated and monitor for new shell activity
Best answer: C
Explanation: Eradication removes the attacker’s presence and the conditions that allow it to return. In this scenario, the key evidence identifies four eradication targets: the uploaded web shell, the cron-based persistence, the vulnerable plugin, and the compromised administrator account. Because EDR and integrity checks do not indicate rootkit activity or lateral movement, a subnet-wide rebuild is not supported by the available evidence. The system should not move to recovery until the malicious artifacts are removed, persistence is disabled, the vulnerable component is patched or securely removed, and exposed credentials are rotated. Validation can then confirm the issue does not recur before service restoration.
Topic: Vulnerability Management
A vulnerability analyst is planning a credentialed active scan for several newly inventoried assets. Which scheduling action is best supported by the exhibit?
Exhibit: Scan planning notes
| Asset group | Business role | Availability notes | Prior scan impact |
|---|---|---|---|
POS-API | Payment authorization | Peak use 8 a.m.-8 p.m.; maintenance Sunday 1-3 a.m. | CPU saturation during full port scan |
HR-WEB | Employee portal | Low use after 7 p.m. weekdays | No issues |
DEV-WIKI | Internal documentation | Nonproduction | No issues |
Options:
A. Exclude POS-API from scanning until the next quarter
B. Scan all asset groups immediately to reduce exposure time
C. Schedule POS-API during its Sunday maintenance window
D. Run the scan during POS-API peak hours with default settings
Best answer: C
Explanation: Scan scheduling should account for operational criticality, expected load, and previous scan impact. POS-API supports payment authorization, has a documented peak usage period, and previously experienced CPU saturation from a full port scan. A credentialed active scan against that system should be coordinated for the maintenance window, with appropriate throttling or scope controls if needed. Lower-risk systems can be scheduled more flexibly, but the decisive issue in the exhibit is the operational risk to the payment API.
The key takeaway is to reduce business interruption while still preserving scan coverage.
Topic: Security Operations
A SOC analyst is reviewing a reported email that claims employees must revalidate payroll information. The legitimate payroll portal is https://payroll.contoso.com.
Exhibit: Email link evidence
Displayed sender: HR Benefits <benefits@contoso-mail.example>
Visible link: https://bit.ly/4x7Qp2
URL resolver result: https://payro11-contoso.example/session
Domain age: registered yesterday
Attachments: none
Which monitoring action best maps to this evidence?
Options:
A. Suppress messages that pass sender authentication
B. Detect short URLs redirecting to lookalike payroll domains
C. Prioritize failed-login alerts for the payroll portal
D. Sandbox executable attachments from HR-themed messages
Best answer: B
Explanation: The core indicator is social engineering infrastructure: a URL shortener hides the destination, and the resolved destination is a typosquatted lookalike of the real payroll portal. The domain payro11-contoso.example uses characters that visually resemble “payroll” and was registered yesterday, which strengthens suspicion. Monitoring should focus on resolving shortened links and comparing final destinations against protected brands, known portals, and newly registered domains. This directly addresses the evidence without shifting to unrelated controls. Attachment sandboxing is useful for malware delivery, but the message has no attachment. Login monitoring may become relevant later, but the visible evidence is a phishing link designed to collect credentials.
Topic: Reporting and Communication
A vulnerability analyst is preparing an action plan for a critical finding on an externally exposed customer portal. The technical fix is available, but the infrastructure team has not scheduled the change.
Exhibit: Remediation notes
| Item | Detail |
|---|---|
| Finding | Critical web framework CVE |
| Asset owner | Internal e-commerce team |
| Hosting model | Managed hosting provider |
| Contract clause | Provider performs OS and middleware patching only during approved monthly maintenance windows |
| Responsibility note | Customer may not directly patch managed images |
Which issue should the analyst identify as the primary remediation inhibitor?
Options:
A. Contractual agreement limiting patch responsibility and timing
B. Absence of an available technical fix
C. Insufficient asset ownership information
D. Lack of vulnerability validation evidence
Best answer: A
Explanation: The core issue is a contractual remediation inhibitor. Even though the asset has an internal owner and a fix is available, the contract states that the managed hosting provider performs OS and middleware patching only during approved monthly maintenance windows. It also prevents the customer from directly patching the managed images. That affects both responsibility and timing, so the action plan should call out the contractual dependency and coordinate escalation or scheduling through the provider. The closest distractors fail because the exhibit already provides ownership and fix availability.
Topic: Security Operations
A SOC analyst is triaging medium-severity indicators involving a payroll user who handles employee PII. The incident playbook requires validated evidence before declaring an account-compromise incident, and payroll processing should not be interrupted without cause.
| Source | Indicator |
|---|---|
| Email gateway | User received a credential-themed message and clicked the URL |
| IdP | Several denied MFA prompts from an unfamiliar ASN |
| Help desk | Caller requested a password reset but failed identity verification |
| SaaS audit | No confirmed file download or mailbox rule change yet |
What is the BEST next decision?
Options:
A. Treat the email click as a standalone phishing event
B. Close the case because no data download is confirmed
C. Declare a major incident and disable payroll access
D. Correlate the indicators into a timeline before declaring
Best answer: D
Explanation: Social engineering, identity, and email indicators should be correlated when each signal is suggestive but not independently conclusive. In this case, the email click, MFA prompts, and failed help desk reset attempt all involve the same sensitive user and may represent a coordinated account takeover attempt. However, the SaaS audit does not yet show confirmed data access or persistence. The analyst should build a short timeline across the email gateway, IdP, help desk record, and SaaS logs, then validate whether the activity supports incident declaration and containment. This avoids both overreacting to medium-confidence alerts and ignoring a pattern that could become high confidence when viewed together.
Topic: Security Operations
A SOC is improving monitoring for a cloud application that uses SSO through the corporate IdP. Analysts must detect possible account compromise and also explain why a user was allowed to perform sensitive actions. The solution must support investigations without collecting application content. Which monitoring action best maps to these requirements?
Options:
A. Capture full application session content for privileged users
B. Perform quarterly manual reviews of privileged accounts
C. Correlate IdP sign-in logs with app audit and entitlement-change logs
D. Deploy network IDS signatures for the application login URL
Best answer: C
Explanation: IAM-focused investigations usually need both authentication and authorization evidence. IdP sign-in logs show who authenticated, from where, with which MFA or conditional access result, and whether patterns suggest compromise. Application audit logs show what actions occurred, while entitlement-change logs show role, group, or policy changes that explain why access was permitted. Correlating these sources in a SIEM or UEBA workflow supports account compromise detection and access investigations without collecting sensitive application content. Network-only monitoring can miss identity context, and periodic reviews are not timely enough for SOC detection.
Topic: Incident Response and Management
A SOC analyst is preparing an incident update after a high-severity alert on a finance workstation. Evidence confidence is medium: a phishing email was delivered, the user opened the attachment, a payload was downloaded, the host began beaconing to an external IP, and there were failed SMB attempts to a file server. No data transfer has been confirmed. Which summary best uses the Cyber Kill Chain for incident analysis?
Options:
A. Replace the timeline with CVSS and EPSS scores for the attachment vulnerability.
B. Focus only on the phishing email because Cyber Kill Chain analysis stops at delivery.
C. Sequence the activity through delivery, exploitation, installation, and command and control; note possible actions on objectives without claiming exfiltration.
D. Classify the entire incident as actions on objectives because the file server was targeted.
Best answer: C
Explanation: The Cyber Kill Chain helps analysts organize attacker activity as a progression, commonly from reconnaissance and weaponization through delivery, exploitation, installation, command and control, and actions on objectives. In this scenario, the evidence supports several observed stages: email delivery, attachment execution, payload installation/download, and command-and-control beaconing. The failed SMB attempts may indicate movement toward objectives, but the analyst should avoid overstating impact because no data transfer is confirmed. The framework is useful for structuring the timeline, identifying where the intrusion was detected, and deciding what evidence is still needed. It does not replace impact validation or justify claiming exfiltration without proof.
Topic: Vulnerability Management
A financial services company is standardizing application security across several development teams. The security manager asks the vulnerability team to assess current software assurance practices, identify gaps in governance and verification activities, and build a maturity roadmap. The manager does not need a list of code-level flaws or runtime web findings for a single application. Which method best fits these requirements?
Options:
A. Run a SAST scan in the CI pipeline
B. Schedule authenticated web vulnerability scans
C. Perform a SAMM assessment
D. Run a DAST scan against staging URLs
Best answer: C
Explanation: SAST, DAST, and SAMM serve different application security vulnerability management needs. SAST analyzes source code, bytecode, or binaries to find implementation flaws before the application runs. DAST tests a running application from the outside to identify observable runtime issues, such as injection or authentication weaknesses. SAMM, commonly associated with OWASP SAMM, is a maturity model used to evaluate software assurance practices across teams and plan improvements. The stem asks for a program-level assessment of governance, verification, gaps, and roadmap planning, not a defect list for one application. That maps to SAMM rather than a scanner activity.
Topic: Vulnerability Management
A vulnerability analyst is planning a quarterly scan of internal Linux and Windows servers. System owners have approved scanning during a maintenance window and will provide least-privilege service accounts. The report must identify missing OS patches, weak local configurations, and installed software versions with the lowest practical false-positive rate. Which scan method best maps to these requirements?
Options:
A. Run a credentialed vulnerability scan
B. Run passive network discovery only
C. Run a non-credentialed vulnerability scan
D. Run only an external perimeter scan
Best answer: A
Explanation: Credentialed scanning is the best fit when authorization exists and the goal is deeper host visibility. With approved service accounts, the scanner can authenticate to systems and inspect local patch state, installed packages, registry or configuration settings, and other details that unauthenticated network probing may miss or infer incorrectly. This often improves finding depth and reduces false positives compared with non-credentialed scanning. The key constraint is authorization: credentials should be approved, scoped, and protected. In this scenario, those conditions are met, and the required findings depend on authenticated access.
Topic: Vulnerability Management
A vulnerability analyst is reviewing an SCA finding for a customer-facing application. The product owner asks which risk-treatment response should be recorded.
Exhibit: Finding summary
| Field | Evidence |
|---|---|
| Asset | Public image-upload API |
| Context | Parses customer-supplied images |
| Finding | Critical RCE in image library |
| Threat intel | Active exploitation reported |
| Fix status | Patched version available; no API-breaking change |
| Risk appetite | No deferral for actively exploited internet-facing RCE when a fix exists |
Options:
A. Mitigate by expediting the component upgrade and validation
B. Avoid the risk by retiring the upload feature
C. Accept the risk with a time-bound exception
D. Transfer the risk through cyber insurance
Best answer: A
Explanation: Risk treatment should match both the vulnerability evidence and the organization’s risk appetite. Here, the affected component is in a public service that parses untrusted customer files, the issue is a critical RCE, threat intelligence reports active exploitation, and a compatible patched version is available. The stated appetite explicitly disallows deferral for this condition. That makes mitigation through expedited remediation and validation the appropriate response. Acceptance conflicts with the policy, transfer does not reduce the technical exposure, and avoidance is not supported when a practical fix is available.
Topic: Vulnerability Management
A vulnerability management team is reviewing whether any scheduled scans should be retimed for the next quarter. Which scan timing adjustment is best supported by the exhibit?
Exhibit: Scan plan excerpt
| Target | Exposure and business context | Current timing |
|---|---|---|
payments-api | Internet-facing, Tier 1 revenue service, releases twice weekly | Monthly, Monday 10:00 a.m. |
erp-db | Internal-only, Tier 1 finance database | Weekly, Saturday 2:00 a.m. |
ot-sensor-net | Isolated safety-sensitive OT segment | Quarterly passive scan during maintenance |
dev-wiki | Internal low-criticality collaboration site | Monthly, Sunday 1:00 a.m. |
Options:
A. Change ot-sensor-net to weekly active scans
B. Reduce payments-api scans because it is business-critical
C. Scan payments-api more frequently outside peak hours
D. Move erp-db scans to Monday business hours
Best answer: C
Explanation: Scan planning should account for exposure, criticality, and operational sensitivity. An externally exposed, business-critical service that changes often has a larger attack surface and should usually be assessed more frequently than a monthly cadence. Because it is also a Tier 1 revenue service, the timing should avoid peak business hours or be coordinated with change windows to reduce service impact. The isolated OT segment is already scheduled for passive scans during maintenance, which matches its safety-sensitive and isolated context. The internal finance database already has an off-hours weekly cadence, so the exhibit does not support moving it into business hours.
Topic: Vulnerability Management
A vulnerability analyst identifies a critical remote-code-execution vulnerability on a legacy inventory server. The vendor patch cannot be installed until the next maintenance window. The risk owner asks for a compensating control that is technical, can be enforced immediately, and reduces network exploitability without relying on process approval or facility restrictions. Which action best meets the requirements?
Options:
A. Restrict inbound access with firewall rules
B. Require badge access to the server room
C. Record a formal risk exception
D. Send administrators a remediation reminder
Best answer: A
Explanation: Control categories matter when selecting compensating measures. A technical control is enforced by technology, such as firewalls, access controls, segmentation, endpoint protection, or configuration settings. In this scenario, the requirement is to reduce network exploitability before the patch window, so limiting inbound access to only required sources directly addresses the vulnerable attack path. An administrative control, such as a risk exception or reminder, may support governance but does not itself block exploitation. A physical control, such as badge access, protects physical interaction with the asset but does not reduce remote network exposure. The key takeaway is to match both the control type and the risk reduction requirement.
Topic: Security Operations
A SOC analyst is reviewing why a cloud activity feed suddenly shows fewer events in the SIEM. The API collector reports successful requests, but detections that depend on this feed are missing expected context.
Exhibit: API collector excerpt
10:00 GET /v2/audit/events?since=09:55 -> 200 OK
items=1000 truncated=true nextPageToken="abc123"
collector action: stored 1000 events; next run at 10:05
10:05 GET /v2/audit/events?since=10:00 -> 200 OK
items=1000 truncated=true nextPageToken="def456"
collector action: stored 1000 events; next run at 10:10
SIEM baseline: 3,000-4,000 events per 5 minutes
Which issue is most directly supported by the exhibit?
Options:
A. The endpoint is blocked by a network firewall
B. The SIEM parser is rejecting malformed JSON
C. The collector is not handling API pagination
D. The API credentials have expired
Best answer: C
Explanation: API-based telemetry integrations must account for API response behavior, not just HTTP success. A 200 OK status means the request succeeded, but the response also says truncated=true and provides a nextPageToken. That indicates more results are available for the same time window. Because the collector stores only the first 1,000 events and moves to the next scheduled run, the SIEM receives an incomplete activity feed. The operational fix would be to update the integration to follow pagination tokens and then backfill the affected windows where feasible. Successful authentication and connectivity do not prove complete telemetry ingestion.
200 OK responses with event data.Topic: Incident Response and Management
An analyst is triaging a possible malware incident. Business impact rules require approval before enterprise-wide blocks or mass account actions unless multiple assets or active lateral movement are confirmed. Based on the handover, which containment action is most appropriate now?
Exhibit: Incident handover
Time: 09:40 UTC
Confirmed: EDR alert on WS-042 only
Process: powershell.exe -> unknown C2-like domain
User: j.singh, standard user
Correlated hosts: none with same process/domain in last 24h
Auth logs: no unusual logons for j.singh observed
Status: memory capture not started; scoping query still running
Options:
A. Reimage WS-042 before collecting additional evidence
B. Disable all accounts in the user’s department
C. Place WS-042 in EDR network isolation
D. Block the domain across all enterprise egress points
Best answer: C
Explanation: Local containment applies controls to confirmed affected assets, such as isolating a single endpoint through EDR, while scoping continues. The exhibit shows one confirmed host, no matching activity on other hosts, no unusual authentication activity, and a scoping query still in progress. That supports containing WS-042 without immediately applying enterprise-wide controls that could interrupt business operations or exceed the stated approval rule. Enterprise-wide containment is more appropriate when evidence shows broader spread, active lateral movement, or an approved need to block a high-confidence indicator across the environment. Reimaging is not the first containment step because evidence collection and impact assessment are still incomplete.
Topic: Security Operations
A SOC analyst receives an IDS alert for internal enumeration. The source is an unmanaged MAC address on a conference-room switch port assigned to the corporate access VLAN. Architecture notes state that ZTNA/SASE is used for user application access, and unmanaged conference-room devices should be placed in a guest VLAN with no east-west access. Firewall logs show blocked TCP 445 probes from the device toward a payroll server subnet. What is the best professional decision?
Options:
A. Quarantine the switch port and validate the device onsite
B. Tune the IDS rule to suppress conference-room scans
C. Close the alert because the firewall blocked the probes
D. Disable the payroll subnet until forensics are complete
Best answer: A
Explanation: Network architecture context changes the meaning of the indicator. In this environment, unmanaged conference-room devices should land in a guest VLAN and should not have east-west access to internal server networks. The IDS alert is not just generic scanning: it comes from an unexpected device on the wrong VLAN and targets a sensitive payroll subnet over SMB. Because the firewall blocked the probes, full business disruption is not justified, but the device still represents a possible rogue asset or NAC misconfiguration. The best action is to quarantine the access port or move it to an isolation VLAN, then validate the physical device and preserve relevant switch, NAC, IDS, and firewall evidence.
Topic: Incident Response and Management
During incident analysis, the SOC has confirmed a phishing email, a command-and-control domain, a malware family match, and affected finance workstations. The incident lead wants a framework-based mapping that helps analysts organize the evidence while avoiding unsupported claims about who is behind the activity or why they acted. Which action best fits the requirement?
Options:
A. Use the Diamond Model to infer attacker motivation
B. Use the Cyber Kill Chain to confirm the attacker’s objective
C. Use MITRE ATT&CK to assign the closest threat group
D. Use the Diamond Model and mark the adversary as unknown
Best answer: D
Explanation: The Diamond Model is useful when analysts need to structure incident evidence without overstating what is known. It maps relationships among four core features: adversary, infrastructure, capability, and victim. In this scenario, the victim systems, infrastructure, and capability are supported by evidence, but the adversary and intent are not. Marking the adversary as unknown preserves analytic rigor and lets the team add confidence levels or hypotheses later if stronger evidence appears. The key is to separate observed facts from assumptions.
Topic: Incident Response and Management
A SOC L2 analyst is coordinating an active incident. EDR and CASB both show that a compromised service account exported customer records from a CRM system to external storage. The CRM contains regulated PII, and the account is now disabled. The network team is blocking the destination, but data owners have not finished impact validation. The incident plan says regulatory contact must be handled by Legal/Privacy, not by SOC. What is the BEST next coordination action?
Options:
A. Keep the incident within technical teams until validation is complete.
B. Brief the incident commander and Legal/Privacy while containment continues.
C. Have the SOC notify regulators immediately with current indicators.
D. Downgrade the case because the account is disabled.
Best answer: B
Explanation: Technical escalation handles containment, investigation, and remediation tasks such as disabling accounts, blocking destinations, and preserving evidence. This scenario also has confirmed indicators of customer-record export from a regulated PII system, so it creates executive and regulatory communication needs. The SOC should not contact regulators directly when the plan assigns that responsibility to Legal/Privacy, and it should not wait silently within technical teams when a potentially reportable exposure is already supported by multiple tools. The best coordination step is to involve the incident commander and Legal/Privacy so leadership, regulatory, and customer communication decisions follow the approved process while containment continues.
Topic: Security Operations
During triage of a suspected insider incident, analysts discover that several endpoint log files may have been modified before review. The SOC is redesigning logging so future investigations can verify that collected events are authentic and unchanged after creation or ingestion. Retention and alert correlation are already sufficient. Which control decision best addresses this requirement?
Options:
A. Synchronize all systems to the same NTP source
B. Increase log retention from 90 days to 1 year
C. Normalize log fields before SIEM ingestion
D. Sign log events and store them in immutable storage
Best answer: D
Explanation: Log integrity controls help analysts trust evidence during triage and incident investigation. Cryptographic signing or hashing can show whether a log event or batch has changed, and immutable or append-only storage reduces the chance that privileged users can rewrite evidence after collection. These controls directly support authenticity and tamper detection. Time synchronization and normalization are important for correlation and analysis quality, but they do not prove that the records were not modified.
Topic: Security Operations
A SOC manager is evaluating where to add AI assistance during triage. The team must follow the approved policy and cannot reduce validation requirements. Which AI-assisted use case is the best next action supported by the exhibit?
Exhibit: AI usage note and SOC pain point
| Item | Detail |
|---|---|
| Approved data | Sanitized SIEM events in the internal AI workspace |
| Required control | Analyst validates conclusions before case closure |
| Prohibited action | Sending raw logs or customer data to public AI tools |
| Current bottleneck | Analysts spend 25 minutes per alert correlating events and building timelines |
Options:
A. Allow AI to close low-severity alerts without review
B. Send raw alert exports to a public AI tool for clustering
C. Correlate sanitized SIEM events and draft timelines for analyst validation
D. Generate executive summaries before triage is complete
Best answer: C
Explanation: AI can support security operations when the use case fits an approved workflow and includes governance controls. In this scenario, the policy allows sanitized SIEM events in an internal AI workspace and requires analyst validation before closure. The operational problem is event correlation and timeline building during triage, so using AI to correlate events and draft a timeline is aligned with both the bottleneck and the controls. The AI output should accelerate analysis, not replace analyst judgment or bypass data-handling rules.
The key takeaway is that AI-assisted SOC work must be scoped to approved data, validated by humans, and tied to a real operational need.
Topic: Vulnerability Management
A vulnerability manager is reconciling findings for an internet-facing checkout API that handles cardholder data. There is no confirmed data exfiltration, and the business owner requests minimal downtime during a sales event. Which prioritization decision is BEST?
| Tool | Output | Evidence |
|---|---|---|
| SAST | Possible SQL injection in checkout/search | Unparameterized query path |
| DAST | SQL injection confirmed | Payload changed response timing |
| WAF | Blocked injection attempts | 37 attempts in 24 hours |
| SCA | Database driver CVE | High CVSS, no observed exploit path |
Options:
A. Defer action until the SAST finding is manually reproduced
B. Declare a breach and take the checkout API offline immediately
C. Prioritize the SQL injection for same-day remediation with a temporary WAF control
D. Prioritize the database driver CVE because it has the highest CVSS score
Best answer: C
Explanation: Evidence-based prioritization weighs severity, confidence, exposure, exploit activity, and business impact together. Here, SAST indicates a possible coding flaw, DAST confirms the weakness is exploitable, and WAF telemetry shows active attempts against an internet-facing API that handles cardholder data. That combination makes the SQL injection the top remediation priority. A temporary WAF control is appropriate as risk reduction, but it should not replace fixing the vulnerable code. The driver CVE may still need tracking, but the exhibit does not show an observed exploit path or the same confidence level for that issue. Taking the service offline would overreact without evidence of compromise or exfiltration.
Topic: Security Operations
A SOC analyst receives an alert that an engineering workstation in a water treatment plant is making unusual outbound connections. The workstation is used to manage PLCs that are currently controlling an active chemical dosing process. The plant manager states that unplanned interruption could create a safety hazard. What should the analyst do first?
Options:
A. Deploy an emergency patch to the engineering workstation
B. Immediately disconnect the workstation from the control network
C. Escalate to the OT incident lead and collect passive evidence
D. Run an authenticated vulnerability scan of the PLC subnet
Best answer: C
Explanation: In OT, ICS, and SCADA environments, the first response must be cautious because availability and physical safety can be more important than rapid isolation. Suspicious activity still requires action, but containment that could interrupt PLC operations should be coordinated with the OT incident lead, plant operations, and established playbooks. Passive evidence collection, such as reviewing existing logs, network telemetry, and endpoint alerts, helps scope the incident without changing the state of safety-sensitive systems. Any blocking, isolation, or shutdown should be approved through the OT response process unless there is an immediate life-safety emergency requiring a predefined emergency action.
Topic: Incident Response and Management
An IR lead is deciding when to move from containment to eradication for a compromised application server. The business owner is asking for the server to be returned to service as soon as possible.
Exhibit: Incident handover
Asset: APP-07
Finding: Web shell and scheduled-task persistence confirmed
Containment: EDR network isolation enabled
Evidence: Memory capture complete; disk image complete; hashes recorded
Logs: Web, EDR, and authentication logs exported
Scope: No other confirmed compromised hosts; monitoring rules active
Legal hold: Preserve captured evidence; no live observation requirement
What is the best next action?
Options:
A. Keep the host isolated until the final report is approved
B. Begin eradication and rebuild from a known-good baseline
C. Restore network access to validate application functionality
D. Repeat forensic acquisition before any remediation
Best answer: B
Explanation: Eradication should begin after the organization has contained the affected system and preserved the evidence needed for investigation, legal, and reporting purposes. The exhibit shows network isolation is in place, memory and disk captures are complete, hashes are recorded, relevant logs are exported, and there is no requirement to observe the attacker live. At that point, the IR team can remove the attacker’s foothold by rebuilding from a known-good baseline, removing persistence, rotating affected credentials, and then moving toward recovery with monitoring in place. The key timing issue is not to remediate too early and destroy evidence, but also not to delay eradication once evidence and containment requirements are satisfied.
Topic: Incident Response and Management
A SOC team completed eradication for a malware incident by removing the affected host from the network, deleting known malicious files, and applying the vendor patch tied to the initial entry point. During the 48-hour continuous monitoring period, the same command-and-control domain appears again from the rebuilt host, and a second workstation shows the same process hash. What should the analyst do next?
Options:
A. Close the incident because the patch was applied
B. Reopen the incident and return to analysis and containment
C. Extend monitoring until the recurrence pattern is clearer
D. Notify executives that recovery is complete
Best answer: B
Explanation: Continuous monitoring after eradication is meant to confirm that the threat has been removed and that no related activity remains. Recurring command-and-control traffic from a rebuilt host, plus the same process hash on another workstation, indicates that eradication may have missed persistence, lateral movement, or additional compromised assets. The analyst should not treat this as normal post-recovery noise. The best next step is to reopen or continue the incident workflow, update scope, preserve relevant evidence, and move back into analysis and containment before attempting another eradication cycle. Monitoring alone is useful only when no recurrence is observed or when it supports active investigation.
Topic: Security Operations
A SOC analyst is reviewing a low-volume data access alert during detection and analysis. The affected user has legitimate access to an M&A document repository and is listed in HR records as leaving the company in two weeks. EDR shows no malware, MFA was successful, and downloads occurred outside normal work hours to an approved cloud-sync client. Disabling the account immediately would interrupt an active deal review. Which classification and next action is the BEST professional decision?
Options:
A. False positive; document the approved cloud-sync client and close the alert
B. Advanced persistent threat; begin host eradication and credential reset immediately
C. Suspected insider threat; preserve evidence and escalate per insider-threat workflow
D. Commodity malware incident; isolate the endpoint and reimage it
Best answer: C
Explanation: Insider threat indicators often involve authorized access used in a risky or unauthorized way, especially when paired with context such as impending departure, sensitive data, unusual timing, or abnormal volume. APT activity is more associated with external, sustained intrusion patterns such as stealthy footholds, lateral movement, command-and-control, custom tooling, or credential abuse without a legitimate business context. Here, the user has valid access, MFA succeeded, no malware is present, and the business impact of immediate lockout is high. Preserving logs, maintaining chain of custody, and escalating to the insider-threat process allow HR, legal, and security to coordinate a proportional response.
Topic: Reporting and Communication
A vulnerability analyst is preparing a remediation action plan for a high-risk finding on a warehouse order-fulfillment system. Which recommendation best applies the business process interruption concern shown in the exhibit?
Exhibit: Remediation planning notes
| Item | Detail |
|---|---|
| Asset | WMS-APP01, shipping label API |
| Risk | High severity; active exploitation reported |
| Business impact | Downtime stops outbound shipments |
| Remediation note | Patch requires OS update and vendor plug-in testing |
| Recovery note | Rollback may take up to 2 hours |
| Available window | Sunday 02:00-04:00 with business owner approval |
| Current controls | API gateway, EDR, SIEM alerting |
Options:
A. Lower the finding severity because patching is disruptive
B. Defer remediation until the next quarterly cycle
C. Use the approved window with testing and interim monitoring
D. Patch immediately during business hours
Best answer: C
Explanation: Remediation planning must account for both security risk and operational impact. The exhibit shows a high-risk vulnerability with active exploitation, so ignoring or indefinitely delaying it is not appropriate. It also shows that patching can interrupt outbound shipments and may require a lengthy rollback, so an immediate untested business-hours change creates avoidable business disruption. A sound action plan uses the approved maintenance window, validates the vendor plug-in dependency before deployment, confirms rollback readiness, and maintains interim monitoring or gateway controls until remediation is complete.
The key takeaway is that degraded functionality is a remediation inhibitor, not a reason to dismiss the risk.
Topic: Incident Response and Management
A SOC analyst is handling a high-confidence EDR alert on a finance workstation that stores sensitive documents. Evidence shows a phishing-delivered payload executed and established outbound command-and-control traffic, but there is no sign of lateral movement. The incident playbook says confirmed execution plus command-and-control requires endpoint isolation, evidence preservation, and escalation to the IR lead before eradication. The analyst can map the activity to both MITRE ATT&CK and the Cyber Kill Chain. What is the BEST professional decision?
Options:
A. Delay containment until one framework is selected as authoritative
B. Begin eradication immediately because two frameworks confirm compromise
C. Use both mappings and follow the playbook response step
D. Declare a reportable breach based only on dual-framework mapping
Best answer: C
Explanation: Attack methodology frameworks help analysts organize and communicate adversary behavior, but they do not automatically change the incident response step. In this scenario, both MITRE ATT&CK and the Cyber Kill Chain can describe the observed execution and command-and-control activity. The decisive facts are the high-confidence evidence, sensitive endpoint, and playbook instruction to isolate, preserve evidence, and escalate before eradication. Using multiple frameworks can improve shared understanding, but the analyst should not pause for framework selection or skip required containment and evidence handling.
Topic: Reporting and Communication
A vulnerability analyst is preparing a weekly SLA report for the CISO and application owners on May 12. The report must show whether remediation commitments are being met, not just whether findings are still open.
SLA rules:
| ID | Severity / exposure | SLA due | Current status |
|---|---|---|---|
| VM-101 | Critical / external | May 6 | Verified fixed May 6 |
| VM-102 | Critical / external | May 7 | Open, no exception |
| VM-103 | High / internal | May 10 | Verified fixed May 11 |
| VM-104 | Critical / external | May 12 | Exception approved May 10-May 25 |
Which report statement is the best professional decision?
Options:
A. Report three SLA breaches: VM-102, VM-103, and VM-104.
B. Report one SLA breach: VM-102 only.
C. Report zero SLA breaches because no critical finding lacks a workaround.
D. Report two SLA breaches: VM-102 and VM-103.
Best answer: D
Explanation: SLA reporting should measure the commitment defined by the SLA, including due dates, verification status, and approved exceptions. VM-101 was verified fixed on its due date, so it met the commitment. VM-102 is open after its due date with no exception, so it is an SLA breach. VM-103 is closed, but verification occurred one day after the due date, so it still breached the SLA. VM-104 has an approved exception that began before the due date and is still active, so it should be reported as exception-paused rather than breached. The useful report should also support follow-up by showing which owners need action and which items are governed by exceptions.
Topic: Reporting and Communication
A vulnerability analyst must brief the CIO and application owners. They requested a nontechnical update that identifies top risks, month-over-month trends, remediation status, and blockers for decisions. They do not want host-level details unless requested.
| Area | Current risk | 30-day trend | Remediation status |
|---|---|---|---|
| Payments API | Critical, internet-facing | Up from High | 6 overdue; legacy dependency blocker |
| HR portal | High, internal | Flat | 3 on track |
| Dev tools | Medium | Down from High | 8 remediated |
| Kiosk app | Low, isolated | Flat | Exception approved |
Which action best meets the briefing requirement?
Options:
A. Send the raw scanner export grouped by CVE
B. Present a ranked scorecard with trends, status, and blockers
C. Delay the briefing until all patch dates are confirmed
D. Report only newly discovered critical vulnerabilities
Best answer: B
Explanation: A risk scorecard should convert technical vulnerability data into decision-ready communication. For this audience, the analyst should emphasize the highest business risk first: the internet-facing Payments API is critical, worsening, overdue, and blocked by a legacy dependency. The update should also show trends and remediation status across the other areas so stakeholders can see whether risk is increasing, stable, or improving.
Raw host or CVE-level detail is useful for technical teams, but it does not meet the stated executive and owner briefing requirement. The key is to communicate risk, progress, and decisions needed, not just vulnerability counts.
Topic: Reporting and Communication
A vulnerability analyst is updating a quarterly risk scorecard for executive leadership. The current draft ranks teams only by the number of critical and high CVSS findings. The CIO says the scorecard must reflect which unresolved findings are most likely to disrupt revenue-generating services or expose regulated data. Which action best meets this requirement?
Options:
A. Report only vulnerabilities with public exploit code
B. Add business impact factors to the scorecard ranking
C. Group findings by scanner plugin family
D. Sort all findings strictly by CVSS base score
Best answer: B
Explanation: A risk scorecard for leadership should translate technical vulnerability data into business risk. CVSS severity is useful, but it does not fully show whether an affected asset supports revenue, handles regulated data, has compensating controls, or is externally exposed. In this scenario, the CIO is asking for prioritization based on potential business disruption and data impact, so the scorecard should incorporate business impact factors alongside technical severity. The key takeaway is that technical severity helps rank flaws, but business impact helps rank organizational risk.
Topic: Vulnerability Management
A vulnerability analyst reviews a credentialed baseline scan for two internet-facing payment application servers. The scan has high confidence and reports TLS 1.0 enabled, while the approved configuration standard requires TLS 1.2 or higher only. The GRC system shows no approved exception, and the application owner says a production change freeze starts tonight. What is the BEST follow-up action?
Options:
A. Update the baseline to allow TLS 1.0 temporarily
B. Suppress the finding until the change freeze ends
C. Immediately isolate both servers from the internet
D. Validate evidence and open a remediation ticket against the baseline
Best answer: D
Explanation: Baseline and compliance scan conflicts should be handled through evidence validation and the organization’s configuration governance process. Here, the scan is credentialed and high confidence, the servers are internet-facing payment systems, and the approved standard does not allow TLS 1.0. Because no exception exists, the analyst should confirm the evidence and create a remediation item tied to the approved baseline, including the business constraint of the change freeze for scheduling or risk handling. The analyst should not ignore the finding, but also should not bypass normal change and incident processes unless there is evidence of active compromise or an emergency condition.
Topic: Security Operations
A SOC analyst used an AI assistant during alert triage. Based on the exhibit, what is the best interpretation and next action?
Exhibit: AI usage note
Tool used: Public generative AI chat
Prompt included: EDR alert text, internal hostnames, user email,
OAuth bearer token, private IPs, command line
AI response: "This is likely benign admin activity. Close the ticket."
Citations/evidence: None
SOC policy: Do not submit secrets, PII, or internal identifiers to
unapproved AI tools. Validate AI output before closure.
Options:
A. Ask the same AI tool for a more detailed explanation
B. Use the AI response as the incident root cause
C. Close the ticket because the AI labeled it benign
D. Treat it as data exposure and re-triage the alert
Best answer: D
Explanation: The core issue is AI-related data exposure combined with unvalidated AI output. The prompt included secrets, PII, and internal identifiers in a public generative AI tool, which can violate policy and expose sensitive information. The AI also gave a high-confidence closure recommendation without evidence or citations, so the analyst should not rely on it for disposition. The appropriate response is to handle the submitted token and sensitive details as potentially exposed, follow the organization’s exposure process, and re-triage the alert using approved tooling and validated evidence. The key takeaway is that AI can assist SOC work only when data handling rules and analyst validation are preserved.
Topic: Vulnerability Management
A vulnerability analyst must inventory devices on a sensitive ICS network segment. Operations has prohibited any scanning method that sends packets to devices because some controllers have crashed during past probes. The analyst may connect a sensor to a SPAN port and review existing network traffic. Which scan type best meets these requirements?
Options:
A. Passive network scanning
B. Credentialed vulnerability scanning
C. External perimeter scanning
D. Active discovery scanning
Best answer: A
Explanation: Passive scanning is the best fit when the requirement is to observe traffic without interacting directly with the target systems. In this scenario, the ICS segment is sensitive and operations has explicitly prohibited sending packets to devices. A sensor on a SPAN port can collect existing communications and infer assets, services, and some behaviors with lower operational risk. Active methods, including discovery probes and many vulnerability scans, directly send traffic to targets and can disrupt fragile systems. The key distinction is interaction: passive observes; active probes.
Topic: Incident Response and Management
A SOC completed eradication for a phishing-led malware incident and is in continuous monitoring before restoring access to a sensitive payroll file share. The business wants restoration today, but the incident lead requires no recurring campaign IoCs from the affected segment before recovery.
Monitoring summary:
| Evidence | Result |
|---|---|
| Reimaged servers | No EDR detections for 12 hours |
| DNS/proxy logs | One non-quarantined laptop contacted the original C2 domain 20 minutes ago |
| Asset note | Laptop was offline during the eradication sweep |
| Data sensitivity | Payroll PII on the affected share |
What is the BEST professional decision?
Options:
A. Declare the incident closed and document the laptop as residual risk
B. Reopen analysis and keep recovery on hold for the affected segment
C. Wipe all endpoints enterprise-wide before any restoration
D. Proceed with recovery because the servers show no EDR detections
Best answer: B
Explanation: Continuous monitoring after eradication is meant to validate that the threat has stopped recurring before recovery expands business access. In this scenario, the clean server telemetry is helpful but not sufficient because a non-quarantined laptop contacted the original C2 domain 20 minutes ago and was offline during the sweep. That evidence suggests a missed infected asset or incomplete scope, especially with payroll PII involved. The professional decision is to pause recovery for the affected segment, reopen analysis, investigate the laptop, and update containment or eradication as needed. Business pressure matters, but it does not outweigh fresh high-relevance evidence tied to the same campaign.
Topic: Security Operations
A SOC analyst is triaging a beaconing alert in a hybrid cloud environment. Which interpretation of the responsibility boundary should guide the next action?
Exhibit: Incident handover note
| Fact | Detail |
|---|---|
| Asset | pay-api-02 cloud IaaS VM |
| Connectivity | Peered to on-prem payment database network |
| Alert | Repeated outbound connections to a known C2 IP |
| Ownership note | Customer owns guest OS, app, IAM, and cloud firewall rules; provider owns physical host and hypervisor |
Options:
A. Isolate the VM with customer-managed cloud controls
B. Open a provider case to patch the application
C. Request physical host logs before containment
D. Escalate only to the on-prem database team
Best answer: A
Explanation: In a hybrid cloud incident, the analyst must separate where the affected workload runs from who controls each layer. The exhibit identifies pay-api-02 as a cloud IaaS VM, not an on-prem server or SaaS application. For IaaS, the customer is responsible for the guest OS, application, IAM, and customer-configured network controls such as cloud firewall or security group rules. Because the alert shows active C2 connections from that VM, containment can begin through customer-managed cloud controls while guest-level evidence is preserved. The cloud provider owns the physical host and hypervisor, but that boundary does not prevent immediate customer-side containment.
Topic: Reporting and Communication
A vulnerability management analyst is preparing an action plan for a critical vulnerability in a customer order-processing application. The application is internet-facing and handles regulated customer data, but the vendor patch requires a service restart and has caused checkout failures in the test environment. The business owner states that an unplanned outage during business hours would stop revenue processing. Which remediation plan is the BEST professional decision?
Options:
A. Delay all remediation until the vendor releases a new patch
B. Mark the vulnerability as accepted because patching affects revenue
C. Deploy the patch immediately to production during business hours
D. Schedule a tested maintenance window with interim compensating controls
Best answer: D
Explanation: Remediation planning must account for both security risk and business process interruption. The vulnerability is critical, internet-facing, and involves regulated data, so ignoring it or accepting it is not appropriate without formal risk approval. However, the patch has already caused checkout failures in testing, so forcing it into production during business hours could create a major outage. A strong action plan should coordinate with the business owner, schedule a controlled maintenance window, validate the patch, define rollback criteria, and apply interim compensating controls such as WAF rules, access restrictions, enhanced monitoring, or temporary segmentation where appropriate. The key is to reduce exposure while avoiding an avoidable disruption to a revenue-critical process.
Topic: Security Operations
A CASB alert reports that a finance employee uploaded customers_export.csv to an unsanctioned personal cloud drive and enabled an anonymous public link. DLP inspection shows high-confidence matches for customer names, dates of birth, and tax IDs. The employee is reachable and says the file was shared to meet a vendor deadline, but the vendor is not approved for this data. What is the BEST professional decision?
Options:
A. Disable all cloud uploads for the finance department
B. Wait for the employee’s manager to approve removal
C. Quarantine the file and escalate a data exposure incident
D. Delete the file and close the alert as accidental
Best answer: C
Explanation: The alert indicates likely sensitive information exposure: high-confidence DLP matches for regulated identifiers, an unsanctioned storage location, and an anonymous public link. The right response is proportionate containment plus escalation. Quarantining or otherwise removing public access limits further disclosure, while opening an incident allows evidence preservation, scoping, privacy/legal review, vendor validation, and any required notification workflow. The employee’s stated business reason may explain intent, but it does not authorize sharing sensitive data with an unapproved vendor through a public link.
A broad departmental block may be considered later if policy gaps are found, but the immediate decision should reduce exposure and follow the incident process.
Topic: Security Operations
A SOC analyst is reviewing a data protection alert for a finance user after an unusually large outbound transfer.
Exhibit: DLP/CASB alert
| Field | Value |
|---|---|
| User | fin-analyst7 |
| File | customer_refunds_q4.csv |
| Data match | 18,420 customer names, emails, and bank account numbers |
| Sensitivity label | Confidential-PII |
| Destination | Personal cloud storage tenant, not sanctioned |
| Transfer | 1.6 GB over TLS |
| Business justification | No approved ticket found |
Which interpretation is best supported by the exhibit?
Options:
A. Confirmed credential theft requiring password reset only
B. Routine finance backup to an approved storage service
C. Low-risk transfer because TLS encrypted the session
D. Potential sensitive data exfiltration to an unauthorized destination
Best answer: D
Explanation: Data protection analysis focuses on the data type, classification, destination, authorization, and exposure path. The exhibit shows a file labeled Confidential-PII containing bank account numbers and other customer identifiers being transferred to a personal cloud tenant that is not sanctioned. TLS protects data in transit from network interception, but it does not make an unauthorized destination acceptable or prevent exposure after upload. The lack of an approved ticket strengthens the suspicion that this is unauthorized disclosure or exfiltration rather than normal business activity. The priority would be containment and escalation through the data-loss or incident response process, not treating encryption as sufficient protection.
Topic: Security Operations
A SOC analyst receives a DLP alert:
User: jlee
Endpoint: managed laptop
File label: Confidential-HR
DLP match: employee tax IDs (high confidence)
Action observed: upload to personal cloud storage
Transfer status: partial success
The requirements are to stop additional exposure, avoid unnecessarily viewing regulated data, and retain evidence for privacy/legal review. Which action best meets these requirements?
Options:
A. Block the destination with DLP/CASB controls and preserve alert metadata.
B. Encrypt future HR files and close the alert as protected data.
C. Run a vulnerability scan on the laptop for missing patches.
D. Download the uploaded file and manually inspect every tax ID.
Best answer: A
Explanation: Data protection during suspected exfiltration should limit further disclosure while minimizing unnecessary access to sensitive content. In this case, the DLP evidence already shows a high-confidence match for regulated employee tax IDs and a partial upload to unsanctioned personal cloud storage. The best next action is to use DLP or CASB enforcement to stop additional transfers and preserve alert metadata, logs, file labels, hashes, user identity, timestamps, and destination details for incident, privacy, and legal review. Manual content inspection can increase exposure and should be avoided unless explicitly authorized and necessary.
Topic: Reporting and Communication
A vulnerability analyst is preparing an update for the application owner of an internet-facing customer portal. The scanner finding is confirmed, rated critical, and has known exploitation in the wild. The vendor patch is available, but deployment depends on the database team completing a tested driver upgrade. The remediation SLA is 7 days, and the portal processes customer PII. Which stakeholder communication is the BEST professional decision?
Options:
A. Recommend taking the portal offline until all teams finish
B. State the risk, dependency, SLA, and required owner action
C. Send the full scanner output and request immediate patching
D. Tell the owner the issue is critical and must be fixed soon
Best answer: B
Explanation: Effective vulnerability stakeholder communication should be specific, risk-based, and actionable. In this scenario, the application owner needs to understand that the confirmed critical vulnerability affects an internet-facing system with PII and known exploitation, which explains business risk and urgency. The message also needs to identify the database driver upgrade as a remediation dependency, tie the work to the 7-day SLA, and request a concrete action such as coordinating with the database team and confirming a patch window. A vague warning does not help the owner make decisions, and an overbroad shutdown recommendation may disrupt business without being justified by the stated facts.
Topic: Vulnerability Management
A vulnerability analyst is preparing evidence for an ISO 27000 series-aligned ISMS review. The organization uses baseline scans to verify that in-scope servers follow approved hardening standards.
Exhibit: Baseline scan summary
| Item | Result |
|---|---|
| Scope | 42 production Linux servers |
| Baseline | Approved secure configuration standard |
| Deviations | 6 servers allow password SSH login |
| Business owner | Application Services |
| Exception record | Not found |
| Last review | 9 months ago |
Which interpretation is best supported by the exhibit?
Options:
A. Exclude the servers from future baseline scans
B. Escalate only if a CVE is also detected
C. Declare the Linux server scope compliant with ISO 27001
D. Treat the deviations as ISMS control evidence requiring risk treatment
Best answer: D
Explanation: ISO 27000 series context focuses on an information security management system (ISMS), not just a one-time technical scan. Baseline scanning provides evidence that security controls are operating as expected, or that deviations need action. In this exhibit, password SSH login violates the approved baseline on six in-scope servers, and no exception record exists. That means the finding should be documented, assigned to the business owner, and handled through remediation, risk acceptance, or another approved risk treatment path. The scan result supports control monitoring and continual improvement; it does not by itself prove ISO compliance or replace management review.
Topic: Security Operations
A SOC receives about 300 daily medium-severity identity alerts for “admin login from unusual country.” Analysts close most after manually checking MFA status, approved travel, corporate VPN egress, and asset criticality. Leadership wants faster triage, but the SOC lead does not want to suppress alerts until 30 days of baseline data is reviewed. Which action is the BEST professional decision?
Options:
A. Enrich alerts with identity, VPN, travel, MFA, and asset context
B. Raise the rule severity only when MFA fails
C. Create a dashboard showing daily alert counts by country
D. Disable the rule for countries with frequent VPN egress
Best answer: A
Explanation: Data enrichment is the best fit when analysts spend most of their time gathering context rather than deciding from the alert itself. Adding identity details, approved travel, VPN egress, MFA status, and asset criticality to the alert improves triage speed without changing detection logic or suppressing evidence. That also supports the SOC lead’s requirement to keep collecting baseline data for 30 days before tuning the rule.
Rule or alert tuning may be appropriate later, after the team confirms patterns and false-positive drivers. A dashboard helps trend analysis, but it does not remove the repetitive manual lookups causing analyst inefficiency.
Topic: Incident Response and Management
During a lessons-learned review, an organization found that an attacker exploited a 60-day-old critical VPN vulnerability. The vulnerability scanner reported the finding twice, but no remediation ticket was opened because the VPN appliance had no assigned owner or documented exception in the CMDB. The business wants to reduce recurrence without forcing emergency downtime for every high-severity finding. Which corrective action best maps to these findings?
Options:
A. Block the attacker IPs and reset VPN user passwords
B. Require asset owners and risk-based remediation tickets with exception tracking
C. Mandate immediate patching for all high and critical findings
D. Increase vulnerability scans from monthly to weekly
Best answer: B
Explanation: Post-incident corrective actions should target the root cause of recurrence, not only the symptoms of the completed incident. Here, the scanner worked, but the process failed because the affected asset had no accountable owner and no ticket or exception workflow. Requiring asset ownership and creating risk-based remediation tickets closes that gap: findings become assigned work, tracked to completion, and exceptions are visible for risk acceptance or compensating controls. This also respects the business constraint by avoiding automatic emergency downtime for every high finding. The key takeaway is to improve the vulnerability-to-remediation workflow that failed during the incident.
Topic: Vulnerability Management
A vulnerability management analyst is reviewing a critical SQL injection finding on an internet-facing customer portal that processes PII. The application owner provides a completed change ticket showing the code fix was deployed during the approved maintenance window. Policy requires validation evidence before closure, and the next scheduled external scan is five days away. What is the BEST professional decision?
Options:
A. Mark the vulnerability as risk accepted until the next scan
B. Escalate to incident response and take the portal offline
C. Close the finding because the change ticket is complete
D. Keep the finding pending validation and request targeted retesting
Best answer: D
Explanation: Remediation completion means the owner performed the planned fix, such as deploying code or applying a patch. Remediation effectiveness means evidence shows the fix actually removed or reduced the vulnerability in the affected environment. In this scenario, the system is internet-facing, handles PII, and the finding is critical, so waiting five days or closing from a change ticket alone does not meet the validation requirement. A targeted retest or validation scan is the appropriate next step, with the finding left open or pending validation until evidence supports closure. The key distinction is that implementation records support completion, while testing evidence supports effectiveness.
Topic: Incident Response and Management
A SOC has completed recovery from a credential-theft incident that led to unauthorized access to a customer database containing PII. The business had a 4-hour service degradation, legal requires fact-based documentation, and leadership wants actionable changes rather than blame. Which input set would BEST support the post-incident review for lessons learned and process improvement?
Options:
A. Raw SIEM logs and packet captures without triage notes
B. Names of analysts on shift and the first missed alert
C. Executive summary slides and public relations talking points
D. Validated timeline, evidence, impacts, gaps, metrics, and stakeholder feedback
Best answer: D
Explanation: A useful post-incident review should be evidence-based, outcome-focused, and improvement-oriented. For this scenario, the review needs inputs that show what happened, how the organization responded, what impact occurred, and where controls or processes failed. A validated timeline, preserved evidence references, containment and recovery actions, customer or business impact, response metrics, root cause or contributing factors, and stakeholder feedback help the team identify practical changes such as alert tuning, playbook updates, access-control improvements, training, or escalation changes. The goal is not to assign blame or create only an executive narrative; it is to improve detection, response, recovery, and communication.
Topic: Reporting and Communication
A SOC team is investigating a suspected data exposure involving a customer portal. The incident is declared, but the scope and data types are not yet confirmed. The communication plan requires updates to executives, legal, privacy, and the service owner through approved internal channels only. Customer-facing statements must be approved by legal and public relations. Which communication action best preserves accuracy, confidentiality, and stakeholder trust?
Options:
A. Post full technical details in the company-wide chat
B. Send a concise internal update with confirmed facts, unknowns, actions, and next update time
C. Notify all customers immediately that their data was exposed
D. Wait to communicate until root cause is fully confirmed
Best answer: B
Explanation: Incident communications should be timely, accurate, need-to-know, and aligned with the communication plan. In this scenario, the incident is real enough to require stakeholder updates, but the customer impact is not confirmed and external messaging needs legal and public relations approval. A good update separates confirmed facts from unknowns, states current actions, identifies who is handling approvals, and sets the next update time. This builds trust because stakeholders are not left guessing, while confidentiality is preserved by using approved internal channels and limiting sensitive details. The key takeaway is to communicate what is known and what is being done, without speculating or bypassing approval paths.
Topic: Vulnerability Management
A vulnerability analyst is reprioritizing findings before the weekly patch window. The scanner rates all four findings as high severity, but the team must patch only one system tonight. Which finding should be raised to the top priority based on the available evidence?
| Finding | Evidence |
|---|---|
| Internet-facing VPN | Confirmed vulnerable version; threat intel reports active exploitation in the wild |
| Internal wiki | Scanner flags XSS; manual validation could not reproduce it |
| Dev database | Missing patch; isolated subnet; no exploit activity reported |
| Email gateway | Previous scan missed the issue, but current check shows the compensating control blocks the vulnerable path |
Options:
A. Dev database
B. Internet-facing VPN
C. Internal wiki
D. Email gateway
Best answer: B
Explanation: Vulnerability priority should be adjusted using more than scanner severity. Confirmed exploitability, internet exposure, and active exploitation increase urgency because the likelihood of compromise is higher. Manual validation that cannot reproduce a finding lowers confidence and may indicate a false positive. Isolation and no known exploitation can reduce near-term priority, even if remediation is still needed. A compensating control that blocks the vulnerable path reduces immediate risk and should be documented and monitored.
The key takeaway is to prioritize the confirmed, exposed, actively exploited issue before lower-confidence or better-contained findings.
Topic: Incident Response and Management
During incident analysis, a SOC analyst is mapping observed behavior to MITRE ATT&CK. Which tactic and technique are most directly supported by the child process activity in the exhibit?
Exhibit: Endpoint event
Host: FIN-WS-022
Time: 2026-05-28 09:14:22 UTC
Process tree: OUTLOOK.EXE -> WINWORD.EXE -> powershell.exe
Command line: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>
Network: powershell.exe connected to files.example.net over HTTPS
Analyst note: User opened invoice.docm two minutes earlier
Options:
A. Persistence - Boot or Logon Autostart Execution
B. Initial Access - Phishing: Spearphishing Attachment
C. Exfiltration - Exfiltration Over Web Service
D. Execution - Command and Scripting Interpreter: PowerShell
Best answer: D
Explanation: MITRE ATT&CK mapping should describe the specific behavior supported by the evidence, not only the broader incident story. The decisive event is WINWORD.EXE spawning powershell.exe with hidden window and encoded command parameters. That is use of a command and scripting interpreter, specifically PowerShell, under the Execution tactic. The phishing document is relevant context for how the activity may have started, but the question asks about the child process activity. A network connection from PowerShell may be suspicious, but the exhibit does not show data theft or enough detail to classify exfiltration.
Topic: Security Operations
A SOC analyst is triaging a secret-scanning alert for a private source-code repository. The scanner found a possible cloud access key in a recent commit, but it only provides the key ID and a masked value. The related service supports customer billing, and the data warehouse it accesses contains regulated customer data. No suspicious access has been confirmed yet. What is the BEST validation step?
Options:
A. Ask the developer whether the secret is real.
B. Paste the masked value into a cloud API test.
C. Revoke all billing service credentials immediately.
D. Check IAM/secrets inventory and audit logs for active status and unexpected use.
Best answer: D
Explanation: When identity or secrets evidence is incomplete, the strongest validation step confirms both authenticity and potential impact using authoritative sources. Here, the scanner provides only a key ID and a masked value, so the analyst should verify whether the key exists and is active in IAM or the secrets-management system, then review audit logs for abnormal source IPs, users, services, or access patterns. This addresses data sensitivity and exposure without causing an avoidable outage in a billing workflow. If the key is active or suspicious use is found, rotation, containment, and escalation can follow through the incident process.
Topic: Incident Response and Management
A SOC analyst is assessing incident impact for a customer-facing CRM application after a suspected compromise of an application server. Which impact assessment is best supported by the evidence?
Exhibit: Incident handover excerpt
10:14 WAF: suspicious SQL pattern from app01 to crm-db
10:17 DB audit: svc-report queried customer_id, email, phone, ssn_last4
10:17 DB audit: 48,732 rows returned to app01
10:20 EDR: app01 sent 226 MB to 203.0.113.77 over HTTPS
10:25 App monitor: CRM login and order workflows healthy
10:31 DB integrity check: no modified schema or failed checks
Options:
A. No material incident impact
B. Availability impact to CRM services
C. Confidentiality impact to customer data
D. Integrity impact to CRM records
Best answer: C
Explanation: Incident impact should be tied to observable effects on confidentiality, integrity, availability, and business operations. The exhibit shows sensitive customer fields were queried in bulk and a large outbound transfer followed from the application server, which supports a confidentiality impact. The same evidence does not show data tampering: the integrity check found no schema changes or failed checks. It also does not show an outage because login and order workflows remained healthy. The supported assessment is potential customer data exposure, even if follow-up scoping is still needed to confirm exactly what left the environment.
Topic: Security Operations
A SOC is tuning SIEM ingestion after monthly storage use doubled. The team must preserve events needed for account-compromise and malware investigations while reducing low-value duplicate telemetry. Which logging configuration change is best supported by the exhibit?
| Source | Current collection | Analyst note |
|---|---|---|
| Domain controllers | Successful/failed logons, account changes | Needed for identity timelines |
| EDR | Full process telemetry and detections | Detections useful; raw process telemetry duplicated in XDR |
| Firewall | Allowed and denied flows | Denied inbound used often; routine allowed web egress rarely used |
| DNS resolver | Internal client queries | Needed for beaconing investigations |
Options:
A. Keep all current logging unchanged and expand SIEM hot storage retention.
B. Drop successful logons and DNS queries; keep only failures, detections, and denied firewall events.
C. Keep full EDR telemetry and all firewall flows; suppress account-change events.
D. Keep identity, DNS, EDR detections, and denied firewall events; suppress duplicate process telemetry and routine allowed egress.
Best answer: D
Explanation: Effective logging configuration balances investigative value against volume. The exhibit identifies identity events and DNS queries as necessary for account-compromise and malware timelines, so removing them would create visibility gaps. EDR detections and denied firewall events are also specifically useful. The best tuning target is the data called out as duplicated or low value: raw EDR process telemetry already retained in XDR and routine allowed web egress that rarely supports investigations. This approach reduces noise and storage burden without discarding events that analysts rely on for triage, scoping, and incident reconstruction.
Topic: Security Operations
A SOC receives hundreds of phishing alerts each day. Analysts need a repeatable way to enrich URLs with threat-intelligence data, check whether recipients clicked, open a case, and request approval before quarantining messages across the email platform. Which approach best maps to these requirements?
Options:
A. Run weekly vulnerability scans of mail servers
B. Deploy new SIEM correlation rules only
C. Manage the email platform with infrastructure as code
D. Implement a SOAR playbook with approval gates
Best answer: D
Explanation: SOAR is used when security operations need repeatable workflows that coordinate actions across multiple tools. In this scenario, the SOC must enrich indicators, query user activity, create cases, and take an email-platform action only after approval. That combination points to orchestration plus automation, not just alerting. A SOAR playbook can automate low-risk steps, standardize analyst handoffs, preserve an audit trail, and pause for human authorization before quarantine actions.
Infrastructure as code is useful for consistent deployment and configuration of infrastructure, but it is not the best fit for day-to-day alert triage and response workflow coordination.
Topic: Vulnerability Management
A vulnerability analyst reviews an approved external Masscan sweep of the company-owned perimeter. The scanner was configured for TCP SYN discovery across all TCP ports. Based on the asset notes, which interpretation is best supported by the output?
Exhibit: Scan output and expected exposure
198.51.100.10 payroll-db expected: no Internet TCP listeners
198.51.100.20 web-portal expected: 80/tcp, 443/tcp
198.51.100.30 vpn-gw expected: 443/tcp
masscan results:
open tcp 1433 198.51.100.10
open tcp 80 198.51.100.20
open tcp 443 198.51.100.20
open tcp 443 198.51.100.30
Options:
A. Declare all findings acceptable because Masscan only detects ports
B. Close VPN gateway port 443 as an unexpected service
C. Prioritize validation of exposed SQL on payroll-db
D. Treat web-portal as noncompliant due to HTTP and HTTPS
Best answer: C
Explanation: Masscan output primarily tells the analyst which IP and TCP port combinations responded to the scan. Here, the web portal and VPN gateway match the expected externally exposed services, but payroll-db is expected to have no Internet-facing TCP listeners. Seeing 1433/tcp open on that asset strongly suggests an unexpected SQL Server exposure or a misidentified asset. The next analyst-depth action is to validate ownership and service details with a targeted scan or asset check, then prioritize remediation because the exposure violates the expected perimeter profile. Masscan does not confirm a vulnerability by itself, but it provides enough evidence to flag the unexpected externally reachable service.
80/tcp and 443/tcp are explicitly allowed for the web portal.443/tcp is listed as expected for the VPN gateway.Topic: Vulnerability Management
A vulnerability analyst must validate remediation for a finding that reported legacy TLS support on an Internet-facing payment portal. Which evidence best confirms the vulnerability has been addressed?
Exhibit: Validation scan summary
Original finding
Asset: pay.example.com:443
Fail condition: TLS 1.0 or TLS 1.1 accepted
Post-change validation
Scanner: same external scanner and profile
Target status: reachable
TLS 1.0: rejected
TLS 1.1: rejected
TLS 1.2: accepted
TLS 1.3: accepted
Options:
A. Change ticket is closed by the system owner
B. SIEM shows no TLS alerts for 24 hours
C. Post-change scan shows TLS 1.0 and 1.1 rejected
D. Load balancer configuration file was updated
Best answer: C
Explanation: Remediation validation should prove that the original vulnerability condition is no longer present. The original finding was based on the portal accepting TLS 1.0 or TLS 1.1 from an external perspective. The post-change scan uses the same scanner and profile, confirms the target was reachable, and shows both legacy protocols are rejected while modern protocols still work. That directly validates the fix without relying only on process status or assumed configuration state.
Closed tickets and configuration changes are useful supporting records, but they do not prove the exposed service behavior changed. Lack of alerts is also weak evidence because it depends on detection coverage and traffic patterns.
Topic: Security Operations
A SOC analyst is reviewing a network alert from a branch office. The branch uses ZTNA for managed devices, an internet-only guest Wi-Fi VLAN, and an IoT VLAN that should only reach the print server.
Exhibit: SIEM alert
Alert: Internal service sweep
Source IP: 10.44.70.23
Source MAC OUI: Unknown
Switch/AP: BR-12-F2-AP03
VLAN: GUEST-WIFI
ZTNA device identity: none
DHCP lease age: 8 minutes
Observed traffic: TCP SYNs to 10.44.20.0/24 ports 22, 445, 3389
Firewall result: 312 denies, 4 allows to legacy printer subnet
Which interpretation and next action are best supported by the exhibit?
Options:
A. IoT printer discovery traffic; tune the alert to suppress print scans.
B. External reconnaissance blocked at the edge; close the alert as contained.
C. Managed endpoint failing ZTNA posture; register the device and allow access.
D. Unmanaged guest device enumerating internal services; quarantine the client and review segmentation.
Best answer: D
Explanation: Network architecture context changes the meaning of the indicators. A guest Wi-Fi client with no ZTNA identity should not initiate connections to internal server subnets, especially to administrative and file-sharing ports such as 22, 445, and 3389. The unknown OUI and very recent DHCP lease increase suspicion that this is an unmanaged or rogue client. The firewall denies show most traffic was blocked, but the four allows to a legacy printer subnet indicate the guest segmentation policy may have an exception or misconfiguration. The appropriate SOC action is to contain the client at the wireless/NAC layer and validate the guest-to-internal rules, not to treat the scan as normal ZTNA or IoT behavior.
Topic: Reporting and Communication
A vulnerability report identifies that the public customer portal still allows TLS 1.0 and TLS 1.1 on its internet-facing load balancer. Leadership asks for an action-plan item that can be tracked in the remediation report. Which item best meets that requirement?
Options:
A. Improve encryption standards across public applications during the next infrastructure refresh.
B. Document a risk exception for weak TLS because no exploitation has been observed.
C. Ask the SOC to monitor for suspicious logins to the customer portal.
D. Disable TLS 1.0/1.1 on the portal load balancer; Network Engineering owner; due March 15; validate with a rescan.
Best answer: D
Explanation: A strong remediation action-plan item should be specific, accountable, time-aware, and aligned to the documented finding. For a weak TLS configuration on a public load balancer, the tracked item should name the exact remediation, assign an owner, set a due date, and define how completion will be verified. This makes the item actionable for remediation teams and measurable for reporting. Monitoring logins may be useful operationally, but it does not remediate the weak protocol finding. A broad encryption improvement or unsupported exception does not provide enough detail or alignment for tracking closure.
Topic: Security Operations
A SOC analyst is tuning endpoint monitoring after several alerts for svchost.exe. The requirement is to distinguish normal Windows service-host activity from a rogue process that is masquerading as a system process, without disrupting legitimate services.
Exhibit: EDR process observations
| Image name | Path | Parent | Signature |
|---|---|---|---|
| svchost.exe | C:\Windows\System32\svchost.exe | services.exe | Microsoft signed |
| svchost.exe | C:\Users\Public\svchost.exe | WINWORD.EXE | Unsigned |
Which monitoring action best meets the requirement?
Options:
A. Run only a weekly vulnerability scan against the endpoint
B. Alert on mismatched path, parent process, signature, and command line
C. Suppress all alerts for processes named svchost.exe
D. Terminate every svchost.exe process with network activity
Best answer: B
Explanation: System process analysis should validate whether the process behavior matches the expected baseline for that operating system. A legitimate Windows svchost.exe commonly runs from C:\Windows\System32, is Microsoft signed, and is spawned by normal service-control parents such as services.exe. A process with the same name running from a user-writable path, launched by an Office application, and lacking a valid signature is suspicious because it suggests masquerading. Monitoring should correlate image path, parent-child relationship, digital signature, command line, hash reputation, and network behavior before taking action.
Name-based allowlisting or blocking is too coarse because attackers often reuse trusted process names.
Topic: Vulnerability Management
A vulnerability analyst is validating remediation for a critical web finding. The latest scanner report shows no remaining critical findings, but the team must confirm that authenticated pages were tested before closing the ticket.
Exhibit: Scan summary
Target: https://app.example.com
Scan type: DAST, authenticated profile
Result: 0 critical findings
Crawl depth: 12 URLs discovered
Expected protected URLs: about 200
Authentication status: session expired after login
HTTP responses for /admin/*: 401 Unauthorized
Previous finding path: /admin/export
Options:
A. Fix the scan authentication and rerun the authenticated test
B. Mark the previous finding as a false positive
C. Close the ticket because the scanner found no critical findings
D. Escalate as active exploitation of the web application
Best answer: A
Explanation: Scanner output must be interpreted in context. A clean result is not reliable when the scan did not exercise the affected scope. Here, the authenticated session expired, /admin/* returned 401 responses, and the previous vulnerable path was under /admin/export. That means the tool did not adequately test the area needed to validate remediation. The appropriate follow-up is to correct the credential/session issue and rerun the authenticated scan against the protected URLs. A true remediation decision should be based on a complete test of the relevant attack surface, not just the absence of findings in a partial scan.
Topic: Reporting and Communication
A vulnerability management lead must report whether application teams met remediation commitments for the month. The SLA states: Critical findings must be remediated within 7 days, High findings within 30 days. Approved risk exceptions are excluded from SLA compliance but must be disclosed separately. Which monitoring action best maps to these requirements?
Options:
A. Measure the month-end change in critical and high finding counts
B. Measure the average age of all currently open findings
C. Measure the total number of vulnerabilities closed during the month
D. Measure SLA attainment by severity using due dates and exception status
Best answer: D
Explanation: SLA reporting should show whether each remediation commitment was met against the defined deadline. For vulnerability remediation, that means tracking findings by severity, due date, current status, and closure date. Critical and High findings have different SLA windows, so the report should calculate attainment separately or in a way that preserves those thresholds. Approved risk exceptions should not be counted as successful remediations, but they also should not be treated as SLA misses if the policy excludes them; they should be disclosed separately for governance visibility.
Volume, aging, and trend metrics are useful supporting indicators, but they do not directly prove whether teams met the promised remediation deadlines.
Topic: Incident Response and Management
A ransomware incident affected a file server that supports payroll processing. The incident handler has confirmed containment, eradicated the malicious persistence mechanism, and preserved required forensic images. Payroll must resume today, and the backup team has a clean backup from before the first observed compromise. What is the best recovery activity?
Options:
A. Reconnect the server immediately because containment and eradication are complete
B. Rebuild the server, restore the clean backup, validate functionality, and monitor closely
C. Restore only the encrypted files and leave the existing operating system in place
D. Keep the server offline until the full after-action report is approved
Best answer: B
Explanation: Recovery begins after containment and eradication, but it is not just turning systems back on. The analyst should restore service from a trusted state, such as a rebuilt host or known-good image, then restore clean data, validate that business functions work, and monitor for reinfection or missed indicators. This balances the payroll urgency with the need to avoid reintroducing compromised components. Forensic preservation is already complete, so recovery can proceed without waiting for the full post-incident report.
Topic: Reporting and Communication
A SOC manager is updating the incident communication plan after a ransomware tabletop exercise. The exercise showed that technical responders knew whom to call, but business leaders received duplicate updates through unapproved channels and no one knew who owned customer notifications. Which action best addresses the communication-plan gaps?
Options:
A. Create a stakeholder matrix with timing, approved channels, and message owners
B. Publish a post-incident root cause analysis template
C. Require all responders to use the same group chat room
D. Add more technical indicators to the incident severity criteria
Best answer: A
Explanation: An incident communication plan should map stakeholders to the information they need, the timing or triggers for updates, approved communication channels, and assigned responsibilities. In this scenario, the failure was not technical detection or analysis. The gaps were duplicate executive updates, use of unapproved channels, and unclear ownership for customer notifications. A stakeholder matrix or communication plan table is the best fit because it makes communication roles explicit before an incident occurs.
The key takeaway is that incident communication planning is about audience, timing, channel, and ownership, not just the incident response workflow.
Topic: Incident Response and Management
An EDR alert on a payroll workstation shows credential-dumping behavior and outbound traffic to a known malicious domain. The same workstation generated failed admin logons to a domain controller, followed by one successful service-account logon. The domain controller’s EDR sensor is offline, and isolating it would interrupt hospital authentication services. What is the BEST professional decision?
Options:
A. Delete the suspicious process from the workstation
B. Close the alert until the domain controller sensor is restored
C. Immediately isolate the domain controller from the network
D. Isolate the workstation and rapidly scope related domain-controller activity
Best answer: D
Explanation: Containment decisions should match the confidence and impact of the available evidence. The workstation has confirmed malicious behavior, so isolating it is justified. The domain controller has suspicious authentication activity, but the missing EDR telemetry and high business impact make immediate isolation risky without more scoping. A SOC analyst should quickly query SIEM, identity logs, network flows, and available endpoint data to determine whether the service-account logon led to lateral movement, privilege misuse, or additional compromised systems. This supports a reliable decision about whether to isolate, disable accounts, or escalate broader containment. The key is to contain confirmed compromise while avoiding disruptive actions based on incomplete scope.
Topic: Incident Response and Management
A SOC is in the analysis stage of a high-severity incident. EDR has isolated one workstation, and leadership needs a status update within one hour because a file server containing customer PII may have been accessed.
Exhibit: Current timeline
| Time | Event |
|---|---|
| 08:05 | Successful VPN login for user jdoe from unfamiliar country |
| 08:18 | MFA fatigue alerts for jdoe stop after approval |
| 10:47 | EDR detects credential dumping on WS-044 |
| 11:05 | WS-044 isolated |
| 11:20 | File server shows access by jdoe |
Which action is the BEST professional decision?
Options:
A. Declare containment complete because the detected workstation is isolated
B. Reimage all systems accessed by jdoe before further analysis
C. Prioritize VPN, IAM, and file server logs for 08:18-11:20
D. Notify regulators immediately that customer PII was exfiltrated
Best answer: C
Explanation: Timeline gaps should be prioritized when they can change response decisions. Here, the key gap is between the MFA approval and later file server access. That period may show whether the attacker used the VPN session to access additional systems, move laterally, or view sensitive data. Filling that gap supports a defensible containment statement, helps determine eradication actions such as credential reset and session revocation, and prevents premature reporting claims. The one-hour leadership update can state what is known, what remains unknown, and which evidence is being collected. The closest trap is declaring containment complete after isolating one endpoint, but the timeline already shows identity and file server activity outside that host.
Topic: Vulnerability Management
A vulnerability analyst reports a critical vulnerability on a legacy manufacturing server. The vendor confirms that a patch will not be available for 90 days, and replacing the system now would stop production. The server must remain online, but the vulnerability management policy requires exceptions to be time-bound, approved, and monitored. What should the analyst recommend?
Options:
A. Close the finding until the vendor releases a supported patch
B. Downgrade the vulnerability because the system cannot be patched
C. Document a temporary exception with risk acceptance and compensating controls
D. Install an unofficial patch during the next maintenance window
Best answer: C
Explanation: When a vulnerability cannot be remediated within the normal SLA, it should not simply disappear from tracking. A formal exception documents why remediation is delayed, who accepts the risk, how long the exception lasts, and what compensating controls reduce exposure. For this server, appropriate controls might include tighter network segmentation, restricted access, enhanced monitoring, or virtual patching if available. The exception should also include a review date and a plan to validate remediation when a supported patch or replacement is available. The key is to keep the risk visible and managed rather than treating operational constraints as a reason to ignore the finding.
Topic: Incident Response and Management
A SOC analyst confirms high-confidence EDR alerts showing credential misuse and suspicious PowerShell activity on one node of a three-node database cluster that supports order processing. The cluster contains regulated customer data, and disconnecting the wrong node could interrupt active transactions. The incident is still in containment; scope is limited to the one node so far. Which action is the BEST professional decision?
Options:
A. Immediately power off the entire database cluster
B. Block all user access to the order-processing application
C. Wait for full eradication guidance before isolating anything
D. Coordinate isolation with the application owner and infrastructure team
Best answer: D
Explanation: Containment actions should match both the security evidence and the business impact. Here, the evidence is strong enough to justify containment, but the affected system is part of a live database cluster that processes orders and stores regulated data. Because the wrong isolation step could disrupt transactions or damage availability, the SOC should coordinate with the application owner and infrastructure team to isolate the affected node safely, preserve evidence, and maintain service where possible. This is especially important for clustered, production, OT/ICS, cloud, or other highly available systems where security teams may not know operational dependencies. Unilateral shutdown may stop activity quickly, but it can create unnecessary outage risk and complicate recovery.
Topic: Incident Response and Management
A SOC analyst is assigned to acquire evidence from a finance workstation suspected of processing stolen customer records. The host may contain regulated personal data, legal has requested preservation for possible litigation, and the incident commander needs enough evidence to scope the intrusion without broadly exposing the data. What is the best professional decision?
Options:
A. Review customer files directly on the live workstation
B. Collect only screenshots to minimize sensitive data handling
C. Create a forensic image, hash it, encrypt it, and restrict access
D. Attach a full disk copy to the incident ticket
Best answer: C
Explanation: Evidence handling must balance preservation, integrity, and confidentiality. A forensic image supports a defensible investigation because analysts can preserve the original system state, verify integrity with hashes, and perform analysis on a controlled copy. Encrypting the evidence and restricting access protects regulated personal data from unnecessary disclosure. Documentation such as chain of custody should also be maintained because legal has requested preservation. The key takeaway is to collect enough evidence to support scope and legal defensibility, but store and share it using least privilege and strong protection controls.
Topic: Vulnerability Management
A vulnerability analyst is reconciling outputs from several tools before the weekly remediation meeting. Which item should be placed at the top of the remediation queue?
Exhibit: Tool output summary
pay-api container
Web scan: critical framework RCE, CVSS 9.8
SCA: vulnerable package present in production image
ASM: internet-facing payment API
WAF: blocked matching probes in last 24 hours
Status: vendor patch available
hr-db server
Scanner: critical SMB finding, CVSS 10.0
CMDB: isolated admin VLAN; compensating ACL in place
EDR: no related activity
Status: patch awaiting maintenance window
marketing CMS
DAST: reflected XSS, CVSS 6.1
ASM: internet-facing; low data sensitivity
Status: fix scheduled
dev bucket
CSPM: public-read misconfiguration
DLP: no sensitive data found; nonproduction tag
Status: exception expires tomorrow
Options:
A. Close the dev bucket exception first because it expires tomorrow.
B. Patch and redeploy the pay-api container first.
C. Patch the hr-db server first because it has the highest CVSS.
D. Fix the marketing CMS first because it is internet-facing.
Best answer: B
Explanation: Evidence-based prioritization weighs severity with exploitability, exposure, business impact, observed threat activity, and remediation readiness. The pay-api finding is supported by several related outputs: the vulnerable package is confirmed in the production image, the service is internet-facing, it supports payments, matching probes are already being blocked, and a vendor patch is available. That combination creates a higher near-term risk than a higher CVSS score on an isolated system with compensating controls. CVSS is useful, but it should not override context from asset exposure, active exploitation signals, and corroborating tool evidence.
Topic: Security Operations
A SOC analyst reviews an alert showing a development subnet host connected to a production database on TCP 5432. The host belongs to an approved vulnerability scanner, and there is no evidence of data access or malware, but the database stores regulated customer data.
Exhibit: Architecture facts
| Fact | Detail |
|---|---|
| Dev-to-prod path | VPC peering route exists |
| Prod DB rule | Allows TCP 5432 from 10.20.0.0/16 |
| Intended access | Only prod app subnet should connect |
| SIEM coverage | SASE, ZTNA, EDR; no VPC flow logs |
What is the BEST professional recommendation?
Options:
A. Tune the SIEM to suppress future scanner connections
B. Route all workforce web traffic through the SASE platform
C. Document the gap, restrict the DB rule, and add VPC flow logs
D. Declare an incident and isolate the scanner host immediately
Best answer: C
Explanation: The architecture facts point to a segmentation gap and a visibility gap. The production database rule allows the entire development CIDR instead of only the intended production application subnet, so a development scanner can reach a sensitive database through VPC peering. Because SIEM coverage lacks VPC flow logs, this east-west cloud path is not adequately monitored by the existing SASE, ZTNA, and EDR sources. The measured response is to document the finding, request a controlled rule change to least privilege, and add flow logging for that traffic path. There is no evidence in the stem that requires emergency containment, but ignoring or suppressing the event would leave the exposure in place.
Topic: Incident Response and Management
A ransomware containment incident affected a file server. The server has been rebuilt from clean backups, users can access files again, and business operations have resumed. The IR plan requires 24 hours of heightened monitoring and an approved after-action report before an incident can be closed. Which action best matches the current status?
Options:
A. Record restoration and keep the incident open
B. Reopen eradication and rebuild the server again
C. Transfer ownership to vulnerability management
D. Close the incident as fully resolved
Best answer: A
Explanation: Operational restoration means affected services or business processes are usable again. It does not automatically mean the incident is closed. In this scenario, the server is rebuilt and users are working, so recovery has reached a restoration milestone. However, the IR plan still requires 24 hours of monitoring and an approved after-action report. The analyst should document the restoration status, continue required monitoring, and keep the incident open until closure criteria are met.
The key distinction is that restored service is a recovery outcome, while incident closure is a governance decision based on validation, monitoring, documentation, and approvals.
Topic: Vulnerability Management
A vulnerability analyst reviews a DAST result for a public customer portal that stores PII. The scanner reports a critical SQL injection on /search with low confidence. The only evidence is a delayed response during one test request. Application logs show no database errors, and WAF logs show the scanner was challenged and rate-limited at the same time. A release decision is due today. What is the BEST follow-up action?
Options:
A. Perform a targeted authenticated validation with logs correlated
B. Mark the finding as a false positive based on WAF logs
C. Close the scan as clean because no database errors appeared
D. Block the release and require emergency code remediation
Best answer: A
Explanation: Scanner output should be followed up according to confidence, exposure, data sensitivity, and the quality of the test evidence. Here, the portal is public and stores PII, so the finding cannot be ignored. However, the scanner’s only proof is a delayed response, and the WAF challenge/rate limit could explain that delay. The best professional action is a controlled validation: use an approved authenticated test, correlate application, database, and WAF logs, and confirm whether the scanner reached the intended code path. That distinguishes a true positive from a false positive or incomplete test without overreacting to weak evidence.
Topic: Security Operations
A SOC analyst receives the following threat-intelligence note and must decide whether to use it for hunting or response planning. Which interpretation is best supported by the exhibit?
Exhibit: Threat-intelligence note
| Field | Details |
|---|---|
| Timing | Published 18 hours ago; activity observed during the last 72 hours |
| Source | Health-sector ISAC, high confidence; corroborated by vendor advisory |
| Targeting | Healthcare orgs using AcmeVPN; your organization has internet-facing AcmeVPN |
| Content | Valid-account VPN logins, unusual user agent, new domains, and log fields to query |
| Caveat | Listed source IPs are cloud-hosting addresses and may rotate |
Options:
A. Discard the report because the cloud-hosting IPs may rotate.
B. Declare a confirmed incident and isolate the VPN service.
C. Wait 30 days to establish a trend before hunting.
D. Start a targeted VPN hunt using the behaviors and domains.
Best answer: D
Explanation: Threat intelligence is useful for hunting when it is timely, relevant to the environment, reasonably accurate, and actionable. This note meets those conditions: it is recent, applies to the organization’s sector and exposed VPN technology, is high confidence with vendor corroboration, and includes behaviors plus log fields that analysts can query. The rotating cloud IP caveat lowers confidence in those specific IP indicators, but it does not invalidate the broader TTPs, domains, and authentication patterns. The appropriate use is a targeted hunt or response-planning activity, not automatic incident declaration.
Topic: Vulnerability Management
A vulnerability analyst is triaging scanner results before the weekly remediation meeting. The team has limited emergency change capacity and must prioritize externally exposed systems that handle sensitive data.
| Asset | Exposure and data | Finding | Scanner severity | Evidence |
|---|---|---|---|---|
portal01 | Internet-facing; customer PII | SQL injection in search | High | Time-delay proof returned repeatable 8-second delays |
devwiki01 | VPN-only; no sensitive data | Possible RCE in wiki product | Critical | Version inferred from banner only |
intra01 | Internal only; HR data | Missing TLS hardening | Medium | Authenticated config check |
Which action is the BEST professional decision?
Options:
A. Prioritize emergency remediation for portal01 and validate devwiki01
B. Defer portal01 until all Critical findings are remediated
C. Ignore intra01 because Medium findings are not actionable
D. Prioritize devwiki01 because Critical severity always comes first
Best answer: A
Explanation: Scanner severity is an important input, but vulnerability management decisions should combine severity with context: exposure, asset value, data sensitivity, and evidence confidence. Here, portal01 is internet-facing, handles customer PII, and has repeatable proof of SQL injection, so it needs urgent remediation or compensating controls. devwiki01 has a Critical label, but the evidence is banner-based and the asset is VPN-only with no sensitive data, so validation should occur before consuming emergency change capacity. intra01 still needs planned remediation because HR data is sensitive, but the authenticated Medium TLS hardening issue is not the top emergency priority. The key is to prioritize risk, not just the highest scanner label.
Topic: Security Operations
A SOC analyst is triaging a workstation after a user reported opening a suspicious attachment. The analyst needs evidence that most strongly supports declaring the endpoint a suspected host compromise rather than only a suspicious user action. Which endpoint evidence best supports that conclusion?
Options:
A. Office spawned a script that created persistence and beaconed externally
B. The browser history contains a known phishing URL
C. The user received an email with a suspicious attachment
D. Several failed local logon attempts occurred overnight
Best answer: A
Explanation: A suspected host compromise conclusion should be supported by endpoint activity showing code execution or attacker control on the host. In this scenario, the strongest evidence is an Office process spawning a script followed by persistence and external beaconing. That sequence links the user action to execution, host modification, and command-and-control-like behavior. Evidence such as receiving an email or visiting a URL may support exposure or initial access attempts, but it does not by itself prove the endpoint was compromised. Failed logons may be suspicious, but without successful access or malicious process activity, they are weaker evidence for host compromise.
Topic: Security Operations
A SOC manager reviews three months of alerts and finds that analysts handle recurring suspicious OAuth consent alerts inconsistently. The team needs a documented, repeatable process for what evidence to collect, when to escalate to identity engineering, and which containment steps are allowed before escalation. Which action best meets these requirements?
Options:
A. Increase SIEM event retention for identity logs
B. Deploy an AI assistant to summarize alerts
C. Build an executive dashboard for OAuth alert trends
D. Create an OAuth consent triage playbook
Best answer: D
Explanation: Playbook or runbook creation is the right process-improvement action when a recurring security activity needs consistent, documented steps. The scenario is not mainly asking for more data, reporting, or automation. It asks for evidence collection, escalation criteria, and permitted containment actions for a repeatable alert type. A playbook can define the analyst workflow, decision points, required artifacts, handoff path, and authorized actions. Once documented and validated, parts of the workflow may later be automated with SOAR, but the immediate requirement is standardization of human response.
Topic: Security Operations
A SOC analyst is triaging an endpoint alert. The process command line contains powershell.exe -EncodedCommand <long string>, and the alert export is an escaped JSON file. The analyst must reveal the command text and extract indicators from the JSON while avoiding code execution or public disclosure. Which tool or method best fits these requirements?
Options:
A. Run the encoded command in an isolated PowerShell session
B. Submit the command line to a public malware sandbox
C. Open the alert export in Wireshark for packet analysis
D. Use CyberChef with Base64, UTF-16LE, and JSON parsing
Best answer: D
Explanation: Encoded and structured artifacts should be interpreted with decoding and parsing tools before any execution-based analysis is considered. A PowerShell -EncodedCommand value is commonly Base64-encoded text that must be decoded with the correct character encoding, often UTF-16LE. An escaped JSON export should be formatted or parsed so fields, nested objects, URLs, hashes, and other indicators can be reviewed accurately. A tool such as CyberChef is well suited because it supports repeatable decode recipes and structured-data parsing in a controlled workflow. The key requirement is safe interpretation, not detonation or packet inspection.
Topic: Security Operations
A SOC analyst is triaging a 6-minute spike in checkout failures for a cloud-hosted web application behind a managed load balancer and WAF. Which affected layer and validation step are best supported by the correlated indicators?
Exhibit: SIEM correlation
| Source | Indicator |
|---|---|
| NetFlow | Client TCP/443 sessions to load balancer established; retransmits normal |
| Cloud LB | HTTPCode_Target_5XX_Count spiked; HTTPCode_ELB_5XX_Count stayed 0 |
| WAF | No increase in blocked requests or matched rules |
| App logs | ERROR DB_CONN_TIMEOUT inventory-db:5432 after config release 2025.05.28.2 |
Options:
A. Application layer; verify the release and database connectivity
B. Network layer; capture packets between users and the load balancer
C. Security layer; tune the WAF rules blocking checkout traffic
D. Cloud layer; open a provider ticket for load balancer failure
Best answer: A
Explanation: The indicators isolate the failure to the application layer. NetFlow shows client connections to the load balancer are established and retransmissions are normal, so the user-to-load-balancer path is not the strongest suspect. The cloud load balancer metric shows target-generated 5xx responses while the load balancer’s own 5xx metric remains 0, which means the load balancer is receiving errors from the back-end targets rather than failing itself. The WAF has no block spike. The decisive application log shows database connection timeouts immediately after a configuration release, so the next validation should focus on the release, application configuration, and connectivity from the app tier to the database.
Topic: Security Operations
A SOC must improve investigations for a customer-facing service running behind an API gateway, deployed on Kubernetes worker nodes in a cloud virtual network. Analysts need to trace a request from caller identity to API route, container workload, and related cloud control-plane actions. Packet capture in the provider fabric is not available. Which monitoring action best supports this requirement?
Options:
A. Run weekly container image vulnerability scans
B. Ingest API gateway, cloud audit, Kubernetes audit, and container runtime telemetry
C. Enable hypervisor performance counters for all worker nodes
D. Collect only virtual network flow logs from the cloud account
Best answer: B
Explanation: Cross-component cloud investigations require telemetry from each control plane and execution layer involved in the transaction. API gateway logs show caller identity, routes, status codes, and request identifiers. Cloud audit logs show control-plane actions such as role use, storage access, or configuration changes. Kubernetes audit logs show orchestration events, and container runtime or workload telemetry links activity to pods, images, and processes. Time synchronization and correlation IDs make these sources much more useful in a SIEM or XDR workflow. Network flow logs can help, but they usually lack application route, user identity, and container context.
Topic: Vulnerability Management
A vulnerability analyst is preparing the first scan of a newly acquired branch network. The security team does not have a reliable asset inventory, and the network owner wants a low-impact activity to identify live hosts and device types before any vulnerability checks are attempted. Which scan type should the analyst select first?
Options:
A. Compliance baseline scan
B. Web application scan
C. Credentialed vulnerability scan
D. Discovery scan
Best answer: D
Explanation: Discovery scanning fits the requirement because the team needs to map the environment before assessing weaknesses. It focuses on identifying live systems, basic services, and device characteristics so the analyst can build an initial inventory and plan later scans safely. A credentialed vulnerability scan or compliance baseline scan assumes the team already knows the target assets and has enough authorization and context to evaluate them. A web application scan is narrower and would not discover general network devices across the branch. The key takeaway is to discover and enumerate assets first, then perform targeted assessment.
Topic: Reporting and Communication
A vulnerability management team has 1,800 open findings from the latest scan cycle. Management needs a report for the next remediation planning meeting that identifies the top risks to the business. Constraints include limited patch windows, several internet-facing systems, one database containing regulated customer data, and mixed confidence levels in scanner findings. Which reporting approach is the BEST professional decision?
Options:
A. Report every finding in scanner order
B. Delay reporting until every finding is manually validated
C. Rank findings by business risk with evidence and owners
D. Sort all findings by CVSS score only
Best answer: C
Explanation: Top-risk reporting is meant to help management prioritize scarce remediation capacity across many findings. The report should not be a raw scanner dump or a severity-only list. A useful management view ranks findings using business context: internet exposure, asset criticality, regulated data, exploitability or active exploitation, scanner confidence, remediation owner, and SLA impact. This lets leaders decide which risks must be fixed first, which can be scheduled later, and where exceptions or compensating controls may be needed. CVSS is an input, but it does not fully account for business impact or exposure. The key takeaway is to translate many technical findings into an evidence-based, actionable risk priority list.
Topic: Vulnerability Management
A vulnerability analyst is preparing an assessment for a newly acquired office network. The asset inventory is incomplete, and the team must identify live hosts and device types before scheduling authenticated vulnerability checks.
Exhibit: Assessment intake note
Scope: 10.40.0.0/20
Known assets: partial CMDB only
Immediate need: map active IPs, hostnames, OS hints, and open management ports
Constraint: do not attempt login or vulnerability checks yet
Which scan type should the analyst run first?
Options:
A. Web application DAST scan
B. CIS benchmark compliance scan
C. Credentialed vulnerability scan
D. Discovery scan
Best answer: D
Explanation: Discovery scanning is used when the first objective is asset mapping: finding active IP addresses, identifying devices, collecting hostnames, detecting services, and building enough context to plan later assessment work. The exhibit explicitly says the CMDB is partial and the immediate need is to map active systems without login attempts or vulnerability checks. That makes discovery the appropriate first step. Authenticated vulnerability, compliance, and application scans can be valuable later, but they require a clearer target list or a different assessment goal.
Topic: Security Operations
A SOC receives a medium-severity alert for a workstation that made repeated outbound connections to an unknown external host. The EDR record shows only the process name, and the firewall log shows connection times but no payload details. The analyst needs to validate whether the traffic contains suspicious protocol behavior without disrupting the user’s work. What is the best next action?
Options:
A. Run a credentialed vulnerability scan of the workstation
B. Capture traffic with tcpdump and review it in Wireshark
C. Create a SIEM dashboard for firewall connection counts
D. Quarantine the workstation immediately in the EDR console
Best answer: B
Explanation: When the missing evidence is packet-level network behavior, a packet capture and analysis workflow is the best fit. Tools such as tcpdump can collect traffic from the host or a monitored network point, and Wireshark can inspect conversations, protocols, timing, headers, and available payload details. This directly addresses the gap left by EDR and firewall logs while avoiding unnecessary disruption. Quarantine may be appropriate later if the packet evidence confirms malicious activity or risk increases, but it is premature when the stated goal is validation.
Topic: Reporting and Communication
A vulnerability analyst is preparing an action plan for a critical finding on a payment-processing appliance. The operations team cannot apply the recommended fix during the normal remediation window.
Exhibit: Remediation status
| Field | Detail |
|---|---|
| Finding | Critical remote management flaw |
| Asset | Vendor-managed payment appliance |
| Exposure | Internal network only, stores cardholder data |
| Blocker | Contract prohibits customer OS changes |
| Vendor status | Patch not yet released |
| Current control | Management access limited to admin subnet |
What is the best next communication or escalation path?
Options:
A. Wait for the next routine scan cycle
B. Escalate to the vendor manager and risk owner
C. Close the finding as not applicable
D. Direct operations to apply the OS fix anyway
Best answer: B
Explanation: When remediation is blocked by contract terms, governance, legacy constraints, or patch availability, the analyst should not treat the item as a normal patch task. The communication path should move to the parties that can change the constraint or accept the risk, such as the vendor manager, contract owner, system owner, and risk owner. The action plan should document the blocker, current compensating control, required vendor action, target follow-up, and interim risk decision. In this case, the customer cannot change the vendor-managed OS and the patch is unavailable, so escalation and risk tracking are the appropriate next steps. The existing admin-subnet restriction helps reduce exposure, but it does not remove the need for ownership and follow-up.
Use the CompTIA CySA+ CS0-004 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try CompTIA CySA+ CS0-004 on Web View CompTIA CySA+ CS0-004 Practice Test
Use the full IT Mastery practice page above for the latest review links and practice page.