CompTIA Security+ SY0-701 Practice Test

Prepare for CompTIA Security+ (SY0-701) with free sample questions, a full-length diagnostic, topic drills, timed practice, threat analysis, security architecture, implementation, operations, incident response, governance-risk-compliance scenarios, and detailed explanations in IT Mastery.

CompTIA Security+ (SY0-701) focuses on practical security judgment across threats, architecture, implementation, operations, incident response, and governance. If you are searching for SY0-701 sample questions, a practice test, mock exam, or simulator, this is the main IT Mastery page to start on web and continue on iOS or Android with the same IT Mastery account.

Interactive Practice Center

Start a practice session for CompTIA Security+ (SY0-701) below, or open the full app in a new tab. For the best experience, open the full app in a new tab and navigate with swipes/gestures or the mouse wheel—just like on your phone or tablet.


A small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same app-family account they use on web and mobile.

Prefer to practice on your phone or tablet? Download the IT Mastery – AWS, Azure, GCP & CompTIA exam prep app for iOS or IT Mastery app on Google Play (Android) and use the same IT Mastery account across web and mobile.

Free diagnostic: Try the 90-question CompTIA Security+ full-length practice exam before subscribing. Use it to sort your misses by domain: threats, architecture, implementation, operations/incident response, and governance-risk-compliance.

What this SY0-701 practice page gives you

  • a direct route into IT Mastery practice for CompTIA Security+
  • topic drills, scenario sets, and mixed sets across the full SY0-701 blueprint
  • detailed explanations that show why the strongest security answer is correct
  • a clear free-preview path before you subscribe
  • the same IT Mastery account across web and mobile

SY0-701 exam snapshot

  • Vendor: CompTIA
  • Official exam name: CompTIA Security+ (SY0-701)
  • Exam code: SY0-701
  • Question style: multiple-choice and performance-based security scenarios
  • Focus: practical security analysis, control selection, and incident-response judgment

Security+ questions usually reward the option that preserves least privilege, secure defaults, layered controls, and the correct order of operational response.

Topic coverage for SY0-701 practice

  • Threats, attacks, and vulnerabilities: attacker behavior, common exploit patterns, and security-testing context
  • Architecture and design: zero trust, segmentation, cloud and identity design, and resilient patterns
  • Implementation: IAM, encryption, PKI, endpoint controls, network controls, and automation
  • Operations and incident response: triage, containment, eradication, recovery, monitoring, and evidence handling
  • Governance, risk, and compliance: policies, frameworks, audits, privacy, and risk treatment

SY0-701 security-decision filters

Security+ questions usually reward layered, least-privilege decisions in the right operational sequence.

| Scenario signal | First check | Strong answer usually… | Weak answer usually… |
| --- | --- | --- | --- |
| An incident is active | Response phase | Triage, contain, preserve evidence, eradicate, recover, and document in the right order | Wipes systems before evidence or containment |
| A user needs access | Least privilege and business need | Grants scoped access through approved identity/control paths | Gives admin rights to solve the ticket |
| A system must be hardened | Secure baseline | Applies secure configuration, patching, endpoint control, encryption, and monitoring | Adds a tool without fixing defaults |
| Cloud or zero-trust design appears | Identity, segmentation, and continuous verification | Uses strong identity, policy, segmentation, monitoring, and least privilege | Trusts network location alone |
| Audit gaps are found | Governance and evidence | Tracks findings, assigns owners, remediates, and retests | Treats training completion as proof of compliance |
| Threat details are provided | Attack pattern and mitigation | Maps the behavior to the correct control or detection method | Chooses a famous control unrelated to the behavior |

SY0-701 readiness map

| Domain area | What the exam tests | What IT Mastery practice should force | Common trap |
| --- | --- | --- | --- |
| General security concepts | Whether foundational control and risk terms are understood | Apply CIA, authentication, authorization, and control categories | Memorizing terms without use cases |
| Threats and mitigations | Whether attack behavior maps to defense | Identify the threat pattern before selecting a control | Choosing the strongest-sounding tool |
| Security architecture | Whether secure design principles fit cloud, network, and identity scenarios | Use segmentation, resilience, zero trust, and secure defaults | Relying on perimeter trust only |
| Security operations | Whether monitoring, incident response, vulnerability management, and evidence handling are sequenced correctly | Follow operational order under pressure | Skipping containment or documentation |
| Security program oversight | Whether policies, audits, risk, privacy, and compliance are governed | Connect controls to evidence and accountability | Treating compliance as paperwork only |

How to use the SY0-701 simulator efficiently

  1. Start with domain drills so you can lock down identity, crypto, network controls, and incident-response sequencing.
  2. Review every miss until you can explain why the best control or response path is stronger, safer, and more realistic than the distractors.
  3. Move into scenario sets once you can interpret logs, architectures, and policy trade-offs without overthinking the basics.
  4. Finish with timed runs so you can hold layered security reasoning under pressure.

Final 7-day SY0-701 practice sequence

| Timing | Practice focus | What to review after the set |
| --- | --- | --- |
| Days 7-5 | One 90-question diagnostic plus drills in weak Security+ domains | Whether misses came from threat recognition, architecture, IAM/control implementation, incident response, or governance |
| Days 4-3 | Mixed security scenarios with logs, architecture, and response ordering | Whether you can identify the risk and the correct control layer before choosing |
| Days 2-1 | Light review of IAM, incident-response sequence, encryption/PKI basics, secure architecture, audit findings, and common attacks | Only recurring traps; avoid deep specialist topics outside SY0-701 scope |
| Exam day | Short warm-up if useful | Choose the answer that is least privilege, layered, evidence-aware, and in the right response order |

When SY0-701 practice is enough

If you can score above 75% on several unseen mixed attempts and explain the control or response sequence behind each miss, you are likely ready. Do not keep repeating familiar threat scenarios to the point where memorized answers replace reasoning from risk, evidence, and sequence.

Focused sample questions

Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.

Free study resources

Need concept review first? Read the CompTIA Security+ SY0-701 Cheat Sheet on Tech Exam Lexicon, then return here for timed mocks, topic drills, and full IT Mastery practice.

Free preview vs premium

  • Free preview: a smaller web set so you can validate the question style and explanation depth.
  • Premium: the full SY0-701 practice bank, focused drills, mixed sets, timed mock exams, detailed explanations, and progress tracking across web and mobile.

24 SY0-701 sample questions with detailed explanations

Question 1

Topic: Domain 5: Security Program Management and Oversight

A new CISO wants to be ready for an upcoming external regulatory audit. The goals are to verify that security controls actually operate as required by policy and to ensure any gaps are formally corrected and rechecked. Which of the following actions/controls will BEST meet these requirements? (Select TWO.)

Options:

  • A. Launch a recurring internal audit program where an independent team tests key security controls against policies and regulations and documents any nonconformities.
  • B. Rely solely on annual security awareness training completion rates as evidence that all security policies are being followed.
  • C. Run quarterly external penetration tests focused on exploiting technical vulnerabilities in internet-facing systems.
  • D. Implement a centralized audit-finding register that assigns each issue an owner, remediation target date, and status, with follow-up testing to confirm closure.
  • E. Reduce the scope of the upcoming audit by disabling verbose logging on lower-priority systems until the assessment is complete.

Correct answers: A and D

Explanation: The choice to launch a recurring internal audit program aligns directly with the requirement to verify that security controls operate as required by policy and regulation. Internal auditors act as an independent check on operations, reviewing documentation and performing tests to confirm compliance and control effectiveness.

The choice to implement a centralized audit-finding register with owners, due dates, and follow-up testing addresses the requirement to ensure any gaps are formally corrected and rechecked. This is how audit findings are typically handled in governance programs: they are tracked, remediated, and then retested to verify closure, providing clear evidence for both internal leadership and external auditors.


Question 2

Topic: Domain 3: Security Architecture

Which statement BEST describes how security should be integrated into a DevSecOps software development lifecycle (SDLC)?

Options:

  • A. The security team conducts a manual penetration test once per year before the main production release.
  • B. Security testing is performed only after all functional testing passes in the staging environment.
  • C. Developers perform a one-time security review immediately before deploying the first production release.
  • D. Security checks are automated and embedded throughout the pipeline, starting early in development and running on every change.

Best answer: D

Explanation: The option describing security checks that are automated and embedded throughout the pipeline, starting early and running on every change, aligns directly with the DevSecOps concept. It captures both key ideas: early integration within the SDLC and continuous, automated enforcement in the pipeline.


Question 3

Topic: Domain 2: Threats, Vulnerabilities, and Mitigations

Which of the following statements about common web application attacks is INCORRECT? (Select TWO.)

Options:

  • A. Directory traversal attacks may use input sequences like ../ (dot-dot-slash) to try to access files outside the intended web root directory.
  • B. Reflected cross-site scripting (XSS) can involve malicious JavaScript placed in a URL parameter that a vulnerable site reflects back in the HTTP response to the victim’s browser.
  • C. Command injection attacks only affect SQL databases and cannot target operating system commands or other interpreters.
  • D. SQL injection often appears as crafted input containing characters such as ' OR 1=1-- intended to alter backend database queries.
  • E. Cross-site request forgery (CSRF) usually requires the attacker to install malware on the victim’s browser before any forged requests can be sent.

Correct answers: C and E

Explanation: The statement that CSRF “usually requires the attacker to install malware on the victim’s browser” is incorrect because CSRF relies on normal browser behavior and existing authentication (cookies, sessions), not on compromising the browser. The statement that command injection “only affects SQL databases” is also incorrect because command injection typically targets operating system commands or other interpreters; it is SQL injection that specifically targets databases via SQL queries.


Question 4

Topic: Domain 3: Security Architecture

A security analyst at a 200‑employee company is tasked with hardening all Windows and macOS laptops after a ransomware incident traced to unpatched software and users installing unapproved apps. Management wants a standard secure configuration on every endpoint, to minimize what users can install, and to ensure systems receive patches automatically even when staff work remotely, all without heavy manual effort from IT. Which of the following actions BEST meets these requirements?

Options:

  • A. Deploy a host‑based firewall on each laptop and block all outbound traffic except HTTP and HTTPS.
  • B. Require users to bring their laptops to the office once a week so IT can manually apply patches and run on‑demand antivirus scans.
  • C. Schedule quarterly classroom training sessions to remind users not to install unauthorized software and to apply updates when prompted.
  • D. Create and deploy a hardened endpoint baseline using a centralized configuration management tool that removes local administrator rights, uninstalls unnecessary software, disables unused services, and enforces automatic patching.

Best answer: D

Explanation: The option that creates and deploys a hardened endpoint baseline via a centralized configuration management tool is correct because it:

  • Implements a secure baseline across all laptops.
  • Reduces functionality by removing local admin rights, unnecessary software, and unused services, shrinking the attack surface.
  • Enforces automatic patching, addressing the unpatched software issue that led to ransomware.
  • Uses centralized management, which scales to all endpoints, including remote workers, and minimizes manual IT effort.

This directly meets all stated requirements: standardized secure configuration, prevention of unapproved installations, automatic patching for remote staff, and low ongoing administrative overhead.


Question 5

Topic: Domain 2: Threats, Vulnerabilities, and Mitigations

A security analyst is reviewing a cloud environment for common misconfigurations. Which of the following findings BEST represents an overly broad IAM policy, violating the principle of least privilege?

Options:

  • A. A virtual network where all subnets can communicate with each other over any port and protocol
  • B. A managed database instance that is not configured to use encryption for data at rest
  • C. An application service account role that grants full administrative access to all cloud services in the account
  • D. A storage bucket configured to allow public read access from any internet address

Best answer: C

Explanation: The option describing an application service account role that grants full administrative access to all cloud services in the account is correct because it is clearly an IAM permissions issue.

The discriminating factor is that this finding is about the scope of a role’s permissions (identity and authorization). Giving a service account full administrative access across all services is a textbook example of an overly broad IAM policy and violates least privilege: the account should only have the minimal rights needed for its specific application tasks.


Question 6

Topic: Domain 4: Security Operations

Which of the following statements about the order of volatility in digital forensics is NOT correct?

Options:

  • A. Data stored on backup tapes is considered less volatile than information in system RAM.
  • B. Data in system memory may be lost simply by powering off or rebooting the system.
  • C. A forensics team should typically image long-term backups before collecting data from running processes.
  • D. Investigators should prioritize capturing CPU register and live memory contents before imaging disks.

Best answer: C

Explanation: The statement that a forensics team should image long-term backups before collecting data from running processes is incorrect because it reverses the order of volatility. Running processes and RAM are highly volatile and can change or disappear at any moment, so they must be collected first. Backups are among the least volatile data sources and can usually be acquired later without as much risk of loss or alteration.


Question 7

Topic: Domain 4: Security Operations

Which of the following statements about containment during incident response are TRUE and best balance limiting damage with maintaining business operations? (Select TWO.)

Options:

  • A. Unplugging all systems from the network is the recommended first response to any suspected intrusion to guarantee containment.
  • B. Delaying containment until after a full forensic investigation is finished helps preserve evidence and reduce disruption.
  • C. Disabling a single compromised user account is usually preferable to shutting down an entire identity provider service.
  • D. Quarantining only confirmed compromised endpoints limits spread while avoiding unnecessary downtime for unaffected systems.
  • E. Containment actions should ignore business impact until full eradication is complete.

Correct answers: C and D

Explanation: The statement about quarantining only confirmed compromised endpoints is correct because it applies targeted network isolation: infected systems are contained, but unaffected hosts stay online, which aligns with the goal of minimizing business impact.

The statement about disabling a single compromised user account instead of shutting down the entire identity provider is also correct, as it removes the attacker’s access path while keeping authentication services available for all other users and applications. Both choices reflect the principle of applying the least disruptive control that still effectively contains the threat.


Question 8

Topic: Domain 3: Security Architecture

In containerized application deployments, which option BEST describes the security purpose of image scanning?

Options:

  • A. Analyzing container images for known vulnerabilities, malware, and misconfigurations before they are deployed
  • B. Isolating containers from each other by giving each container its own dedicated host kernel
  • C. Restricting container processes at runtime based on their behavior and allowed system calls
  • D. Encrypting all network traffic between containers so that intercepted data cannot be read

Best answer: A

Explanation: The option describing analysis of container images for known vulnerabilities, malware, and misconfigurations before deployment correctly defines image scanning. This aligns with secure container architecture practices that aim to reduce risk by ensuring only vetted, hardened images are allowed into runtime environments.


Question 9

Topic: Domain 4: Security Operations

Which statement BEST defines the principle of least privilege in the context of service accounts and local administrator access?

Options:

  • A. Administrative accounts are shared among multiple technicians to simplify operational tasks.
  • B. All administrators receive full permissions on all systems so they can respond to any incident quickly.
  • C. Users are allowed to access only the specific data that is relevant to their job responsibilities.
  • D. Accounts are granted only the minimum permissions needed to perform their specific tasks and no more.

Best answer: D

Explanation: The choice stating that accounts are granted only the minimum permissions needed to perform their specific tasks accurately defines least privilege in a concise way. The option about users accessing only data relevant to their jobs instead describes the need-to-know principle, which is related but focuses specifically on restricting information access rather than overall permissions.


Question 10

Topic: Domain 2: Threats, Vulnerabilities, and Mitigations

A security analyst is investigating user reports that their laptops are repeatedly dropped from the corporate Wi-Fi even though the signal appears strong and the access point remains online. Logs show many unsolicited disconnect events for affected clients. Which type of wireless attack is MOST likely occurring?

Options:

  • A. WPS brute-force attack
  • B. Rogue access point
  • C. Evil twin access point
  • D. Deauthentication attack

Best answer: D

Explanation: The choice describing a deauthentication attack is correct because this attack specifically involves sending forged deauthentication (or disassociation) frames to clients or the access point. This causes clients to be dropped from the network repeatedly, even when the AP is working and signal strength is good. The observable sign is frequent, involuntary disconnects without an underlying RF or AP failure, which matches the scenario.


Question 11

Topic: Domain 5: Security Program Management and Oversight

A mid-sized company has a documented disaster recovery plan that lists systems, RTO/RPO targets, and an incident commander role assigned to the operations director. However, during a recent regional power outage, the operations director was unreachable while traveling, and no one was formally authorized to take over their responsibilities. Senior leadership now wants to ensure that key leadership and operational responsibilities are clearly covered if a primary role holder is unavailable during or after a disruptive event, without significantly increasing cost or complexity.

Which of the following changes to the business continuity planning process would BEST meet this requirement?

Options:

  • A. Appoint an additional co-incident commander at the same seniority level as the operations director, but do not document responsibilities to keep the plan simple and flexible.
  • B. Schedule full failover tests to the disaster recovery site twice per year, including infrastructure and application validation.
  • C. Create a written role matrix that identifies primary and backup owners for each critical BC/DR role, defines delegation triggers (for example, unresponsive for 30 minutes), and requires cross-training for all designated backups.
  • D. Update the emergency contact list so it includes personal phone numbers and email addresses for all members of the existing BC/DR team.

Best answer: C

Explanation: The option that creates a written role matrix with primary and backup owners, delegation triggers, and required cross-training is correct because it is a textbook application of succession planning and role mapping in BC/DR.

  • The role matrix explicitly maps each critical responsibility (for example, incident commander, communications lead, application owner) to a primary and at least one backup.
  • Delegation triggers (such as “if the primary cannot be reached within 30 minutes”) clearly define when authority passes to the backup, avoiding delays and confusion.
  • Cross-training ensures backups are actually capable of performing the role during and after a disruptive event.

This change directly ensures key responsibilities are covered even if primary role holders are unavailable, and it does so through process and documentation, not costly new tools or major reorganization.


Question 12

Topic: Domain 3: Security Architecture

An organization deploys a mobile device management (MDM) solution that creates a separate encrypted work container on employee-owned smartphones. Corporate apps and data must run only inside this container, which can be remotely wiped without affecting users’ personal photos or apps. Which security concept is MOST clearly illustrated by this control?

Options:

  • A. Non-repudiation to prevent users from denying that they performed an action
  • B. Data separation and containerization to isolate corporate information from personal data
  • C. Single sign-on (SSO) to reduce the number of passwords users must remember
  • D. Job rotation to ensure that no single employee performs the same critical role for too long

Best answer: B

Explanation: The choice describing data separation and containerization to isolate corporate information from personal data matches every detail in the scenario:

  • It references a separate encrypted work container, which is exactly what mobile containerization provides.
  • It focuses on isolating corporate apps and data from personal content.
  • It enables selective remote wipe of only the corporate container, which is a key benefit of containerization in MDM/MAM.

This is the primary security concept being tested: using MDM/MAM containerization to enforce logical and cryptographic separation between work and personal data on the same physical device.


Question 13

Topic: Domain 2: Threats, Vulnerabilities, and Mitigations

Which of the following statements about communicating security assessment results are NOT appropriate best practices? (Select TWO.)

Options:

  • A. Use clear severity ratings and explain the business impact for each finding.
  • B. Highlight any quick wins that can be fixed easily for rapid risk reduction.
  • C. Use vague language such as “might be an issue” to avoid alarming stakeholders.
  • D. Avoid including remediation guidance so the report stays purely objective.
  • E. Group findings by priority and suggest a realistic remediation timeline.

Correct answers: C and D

Explanation: The statement that recommends avoiding remediation guidance is incorrect because a core purpose of an assessment report is to tell stakeholders not only what is wrong but also how to address it. Objectivity comes from evidence and sound reasoning, not from withholding recommendations.

The statement that suggests using vague language like “might be an issue” is also incorrect. Such phrasing downplays risk and can cause confusion or inaction. Good reports use precise, direct language and clearly communicate the level of concern for each finding.


Question 14

Topic: Domain 4: Security Operations

A midsize company has a flat office LAN and handles security incidents with ad-hoc, manual steps. During business hours, the EDR platform alerts on active ransomware behavior on a single accounting workstation that is connected to a shared file server used by the entire finance team. The file server shows no suspicious activity yet, and accounting is currently processing payroll, which must continue with minimal disruption.

Which containment action is the most appropriate next step to reduce risk while maintaining business operations?

Options:

  • A. Use the EDR tool to isolate the affected workstation from the network while keeping it powered on for analysis.
  • B. Power off every workstation in the finance department immediately to guarantee the malware cannot spread.
  • C. Shut down the core switch port for the entire accounting area, disconnecting all finance workstations from the network.
  • D. Delay containment until after business hours to avoid interrupting payroll processing.

Best answer: A

Explanation: Using the EDR tool to isolate the affected workstation from the network while keeping it powered on is the best choice because it:

  • Directly contains the suspected ransomware on the single compromised host.
  • Prevents the malware from reaching the shared file server and other systems.
  • Keeps the workstation online enough for remote forensics, preserving volatile data.
  • Allows other finance users and the payroll process to continue operating on unaffected systems.

This precisely balances the requirement to contain the incident quickly with the need to minimize business disruption.


Question 15

Topic: Domain 4: Security Operations

Which statement about internal and external communication during a cybersecurity incident is MOST accurate according to a well-defined incident communication plan?

Options:

  • A. Internal updates may include detailed technical and investigative information, while external communications are limited to approved, high-level facts and are delivered by designated spokespersons.
  • B. Individual analysts may answer questions from customers or the media as long as they share only confirmed information about the incident.
  • C. Both internal and external communications should share full technical details of the incident to ensure maximum transparency.
  • D. External communications should be sent before internal notifications so employees do not accidentally leak preliminary information.

Best answer: A

Explanation: The option stating that internal updates may include detailed technical and investigative information while external communications are limited to approved, high-level facts delivered by designated spokespersons is correct because it reflects how incident communication plans separate audience, detail level, and roles. Internal teams need specifics to act; external audiences need concise, consistent information provided through an authorized channel to avoid confusion, leaks, or legal issues.


Question 16

Topic: Domain 5: Security Program Management and Oversight

Which data classification label is MOST appropriate for information that can be shared freely outside the organization and does not require access controls to protect it?

Options:

  • A. Internal
  • B. Restricted
  • C. Public
  • D. Confidential

Best answer: C

Explanation: The choice labeled Public is correct because public data is designed for open distribution. By definition, it can be shared outside the organization without causing harm, so it does not require strict access controls to protect its confidentiality.


Question 17

Topic: Domain 1: General Security Concepts

Which TWO of the following statements about public key infrastructure (PKI), digital certificates, and certificate authorities are INCORRECT? (Select TWO.)

Options:

  • A. PKI allows clients to validate a server’s identity and establish encrypted TLS connections by verifying the server’s certificate back to a trusted CA.
  • B. Operating systems and browsers include a built-in trust store of root CA certificates, which they use to decide whether to trust a presented certificate chain.
  • C. In PKI, the private key is embedded inside the digital certificate so that anyone can encrypt data to the owner and verify the owner’s signatures.
  • D. A certificate that is self-signed by an internal server is automatically trusted by all external internet clients just like a public CA–signed certificate.
  • E. A digital certificate is an electronic document that binds an entity’s identity to its public key and is digitally signed by a certificate authority.

Correct answers: C and D

Explanation: The statement claiming that the private key is embedded inside the digital certificate is incorrect because certificates only contain the public key and identity information; exposing the private key in a certificate would destroy confidentiality and non-repudiation. The statement asserting that self-signed certificates are automatically trusted by all external clients is also incorrect because public browsers and operating systems only trust roots in their preconfigured trust stores, and self-signed internal certificates are not included there by default.


Question 18

Topic: Domain 3: Security Architecture

A hospital installs network-connected infusion pumps that use outdated firmware and cannot run endpoint protection. The security team’s primary goal is to prevent any compromise of these pumps from reaching other clinical or business systems. Which control best meets this goal?

Options:

  • A. Enable centralized syslog forwarding from the infusion pumps to the hospital’s SIEM for continuous monitoring.
  • B. Schedule quarterly internal vulnerability scans targeting all infusion pumps on the production network.
  • C. Place the infusion pumps on a dedicated VLAN with strict firewall rules allowing only required traffic to the pump management servers.
  • D. Configure complex, unique administrator passwords on all infusion pumps.

Best answer: C

Explanation: The option that places the infusion pumps on a dedicated VLAN with strict firewall rules is correct because it directly implements network segmentation and isolation. By restricting pump communications to only required traffic with specific management servers, it:

  • Limits lateral movement opportunities from a compromised pump.
  • Reduces exposure of the pumps to unnecessary network traffic.
  • Aligns with best practice for specialized medical and industrial equipment that cannot be fully hardened.

This matches the explicit requirement: prevent any compromise of the pumps from reaching other clinical or business systems. The discriminating factor is network isolation, which this control provides and the others do not.


Question 19

Topic: Domain 4: Security Operations

A SOC analyst is reviewing a SIEM alert showing outbound connections from an internal workstation to 203.0.113.55. The SIEM has automatically enriched the alert with several threat intelligence sources, shown below.

Exhibit:

Source type | Indicator | Confidence | Note
Open-source threat feed | 203.0.113.55 | High | Listed as C2 server for current ransomware campaign
National CERT bulletin | 203.0.113.55 | High | Involved in multiple confirmed incidents this week
Industry sharing community | 203.0.113.55 | Medium | Reported by peers as active outbound beacon target
Internal firewall logs | 203.0.113.55 | N/A | Repeated outbound connections from host WS-17

Which statement BEST explains the role of these threat intelligence feeds and information‑sharing communities in identifying and correlating this IOC?

Options:

  • A. They mainly provide long‑term archival of firewall configurations, which helps reconstruct how 203.0.113.55 was originally allowed but does not affect IOC confidence.
  • B. They independently corroborate the same IP as malicious, increasing confidence that 203.0.113.55 is a high‑priority IOC to investigate and contain.
  • C. They guarantee that any IP they list, including 203.0.113.55, can be automatically and permanently blocked without analyst review.
  • D. They replace the need to review internal data sources, making the firewall logs for 203.0.113.55 unnecessary for confirming the IOC.

Best answer: B

Explanation: The choice stating that the feeds “independently corroborate the same IP as malicious, increasing confidence that 203.0.113.55 is a high-priority IOC to investigate and contain” matches the exhibit.

All three external sources in the table list 203.0.113.55 as malicious: the open-source feed (high confidence, C2 server), the national CERT bulletin (high confidence, recent incidents), and the industry sharing community (medium confidence, active beacon target). When these are combined with internal firewall logs showing repeated outbound connections from WS-17, the SIEM can correlate and raise the alert’s priority. This is precisely the role of threat intelligence feeds and information-sharing communities: to enrich, corroborate, and prioritize IOCs rather than to act as standalone proof or configuration archives.
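The corroboration logic this explanation describes, as an added example that is not part of the original page or of any SIEM product: each distinct external source adds weight according to its stated confidence, internal telemetry records that the indicator was actually observed, and the priority is only raised to "high" when independent external listings and an internal sighting agree. The confidence weights, the threshold, and the source names are assumptions; the rows mirror the exhibit and use the 203.0.113.0/24 documentation range.

```python
"""Score an indicator by corroboration across independent intel sources.

Added example for the SIEM enrichment scenario; the weights, threshold and
source-name conventions are assumptions, not a real SIEM's behaviour.
"""
from dataclasses import dataclass

# Assumed mapping from a feed's stated confidence to a numeric weight.
CONFIDENCE_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

# Sources that are our own telemetry rather than external intelligence.
INTERNAL_SOURCES = {"Internal firewall logs"}


@dataclass(frozen=True)
class Enrichment:
    source: str        # e.g. "Open-source threat feed"
    indicator: str     # the IOC, an IPv4 address here
    confidence: str    # "High", "Medium", "Low" or "N/A" for internal telemetry
    note: str


# Constructed enrichment rows mirroring the exhibit above.
SAMPLE = [
    Enrichment("Open-source threat feed", "203.0.113.55", "High",
               "Listed as C2 server for current ransomware campaign"),
    Enrichment("National CERT bulletin", "203.0.113.55", "High",
               "Involved in multiple confirmed incidents this week"),
    Enrichment("Industry sharing community", "203.0.113.55", "Medium",
               "Reported by peers as active outbound beacon target"),
    Enrichment("Internal firewall logs", "203.0.113.55", "N/A",
               "Repeated outbound connections from host WS-17"),
]


def corroboration_score(rows, indicator):
    """Return (score, external_sources, internally_observed) for one indicator.

    Each distinct external source contributes its confidence weight once, so a
    feed repeating itself cannot inflate the score. Internal telemetry adds no
    weight but records that the IOC was actually seen on our network.
    """
    seen_external = {}
    internally_observed = False
    for r in rows:
        if r.indicator != indicator:
            continue
        if r.source in INTERNAL_SOURCES:
            internally_observed = True
            continue
        # Keep the highest-confidence entry per source.
        w = CONFIDENCE_WEIGHT.get(r.confidence, 0)
        seen_external[r.source] = max(w, seen_external.get(r.source, 0))
    return sum(seen_external.values()), sorted(seen_external), internally_observed


def triage_priority(rows, indicator, high_threshold=5):
    """Map corroboration to an analyst priority.

    "high" needs at least two independent external sources whose combined
    weight meets the threshold AND an internal observation. External listings
    without an internal sighting stay "medium": the analyst reviews rather
    than auto-blocks, which is why option C in the question is wrong.
    """
    score, sources, observed = corroboration_score(rows, indicator)
    if observed and len(sources) >= 2 and score >= high_threshold:
        return "high"
    if score > 0:
        return "medium"
    return "low"


if __name__ == "__main__":
    print(corroboration_score(SAMPLE, "203.0.113.55"))
    print(triage_priority(SAMPLE, "203.0.113.55"))
```

Keeping internal observation as a separate condition rather than another weight is the design point: the feeds raise confidence, but the firewall log is what turns a listed address into an incident on this network.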


Question 20

Topic: Domain 4: Security Operations

A SOC analyst reviews a SIEM alert: a user account shows multiple failed logins from a foreign IP, then a successful VPN login, followed within minutes by large data downloads from a file server. The user reports they did not log in at that time. Which response is the MOST INCORRECT interpretation of this alert?

Options:

  • A. Temporarily disable the user account and VPN access, notify the incident response team, and classify this as a likely true positive pending further analysis.
  • B. Mark the alert as a false positive and close it because no malware was detected on the user’s endpoint and the VPN login succeeded with valid credentials.
  • C. Treat this as a confirmed account compromise (true positive) and immediately escalate the incident for containment and investigation.
  • D. Correlate the VPN, file server, and identity logs to confirm the timeline, and keep the alert open as a suspected true positive until evidence proves otherwise.

Best answer: B

Explanation: The choice that marks the alert as a false positive and closes it because no malware was detected and the VPN login used valid credentials is the most incorrect interpretation.

This response:

  • Ignores multiple corroborating indicators of compromise (foreign IP, failed attempts, successful VPN login, large data downloads, user denial).
  • Assumes that lack of malware detection means no compromise, which is false for credential theft/account takeover.
  • Prematurely closes the alert, violating incident response best practices and increasing the risk that an active compromise will persist unnoticed.

At Security+ level, analysts are expected to use corroborating evidence to recognize this as a likely true positive and avoid unsafe dismissal of the alert.


Question 21

Topic: Domain 4: Security Operations

A junior analyst collects a USB drive from an employee’s desk during an internal investigation. The company wants to preserve the drive as potential legal evidence and maintain a clear chain of custody. Which of the following actions should the analyst AVOID? (Select TWO.)

Options:

  • A. Copy the contents of the USB drive onto the analyst’s workstation desktop for a quick review before any formal imaging or documentation
  • B. Hand the USB drive to a manager in the hallway without logging the transfer, relying on the manager to “remember” when they received it
  • C. Record the collection and each subsequent handoff of the USB drive in an evidence log or ticketing system, including dates, times, and names of custodians
  • D. Place the USB drive in a tamper‑evident evidence bag, label it with case ID, date, time, and collector, and sign the label
  • E. Store the USB drive in a locked evidence cabinet with restricted access and require sign‑in/sign‑out for anyone who accesses it

Correct answers: A and B

Explanation: Copying the contents of the USB drive directly to the analyst’s workstation for a quick review before any formal imaging or documentation is a poor practice. It can change file timestamps, metadata, and even content, making it hard to prove that the evidence is in its original state. This undermines integrity and can be challenged in court.

Handing the USB drive to a manager in a hallway without logging the transfer and relying on memory instead of documentation is also unsafe. This creates a gap in the chain of custody, because there is no reliable record of who controlled the evidence, when, and under what conditions. Such gaps can cause the evidence to be considered unreliable or inadmissible.
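How a documented chain of custody with integrity hashes closes both gaps described above, as an added example that is not part of the original page: the acquisition hash is recorded at collection, every handoff is logged with custodian and timestamp, and a transfer is refused if the evidence no longer matches the original hash. The case identifier, names, and the byte string standing in for a forensic image are constructed placeholders.

```python
"""Chain-of-custody record for seized media with SHA-256 integrity checks.

Added example for the evidence-handling question; case ID, custodian names
and the evidence bytes are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a forensic image; in practice hash the image file.
SAMPLE_IMAGE = b"constructed-usb-image-contents\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str        # ISO-8601 UTC timestamp
    action: str      # "collected" or "transferred"
    custodian: str   # person responsible after this step
    sha256: str      # hash of the evidence at this step
    note: str = ""


@dataclass
class EvidenceRecord:
    case_id: str
    item: str
    entries: list = field(default_factory=list)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def collect(self, collector: str, image: bytes, note: str = "") -> None:
        """First entry: record the acquisition hash; later hashes must match it."""
        self.entries.append(CustodyEntry(self._now(), "collected", collector,
                                         sha256_hex(image), note))

    def transfer(self, from_person: str, to_person: str, image: bytes) -> None:
        """Log a handoff; refuse if the evidence no longer matches acquisition."""
        current = sha256_hex(image)
        if current != self.entries[0].sha256:
            raise ValueError("integrity check failed: evidence altered before handoff")
        self.entries.append(CustodyEntry(self._now(), "transferred", to_person,
                                         current, f"from {from_person}"))

    def verify(self, image: bytes) -> bool:
        """True when the evidence still matches the acquisition hash."""
        return sha256_hex(image) == self.entries[0].sha256

    def custodians(self) -> list:
        """Ordered list of everyone who has held the item."""
        return [e.custodian for e in self.entries]


if __name__ == "__main__":
    rec = EvidenceRecord("CASE-PLACEHOLDER-0001", "USB drive from employee desk")
    rec.collect("junior analyst", SAMPLE_IMAGE, "collected during internal investigation")
    rec.transfer("junior analyst", "evidence custodian", SAMPLE_IMAGE)
    for e in rec.entries:
        print(e)
```

Working from the hash of an image rather than the original drive is what lets the analyst review contents without touching the source media, which is the mistake in option A.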


Question 22

Topic: Domain 4: Security Operations

A SOC analyst is investigating a potentially compromised user account. The account is cloud-based and can log in from multiple devices and IP addresses. In the SIEM, the analyst wants to see only events related to that specific account from all log sources. Which configuration is MOST appropriate?

Options:

  • A. Show only events with critical or high severity from the last 24 hours
  • B. Filter events by the IP address of the workstation used in the most recent alert
  • C. Filter events where the user field matches the suspected account across all log sources
  • D. Aggregate all failed logon events from all users in the environment for the last hour

Best answer: C

Explanation: The choice to filter events where the user field matches the suspected account across all log sources directly aligns with the requirement. The discriminating factor is that the filter is user-centric, not tied to a particular device, IP, or severity level.

Because the account is cloud-based and can log in from various locations, any IP- or host-based filter would miss activity from other devices. A username-based filter works across all log sources that include that username field, giving a complete view of the account’s activity and supporting an effective compromise investigation.
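A user-centric SIEM filter across log sources and the account-takeover sequence from Question 20, as one added example serving both Question 20 and Question 22 (not code from the original page or any SIEM vendor): each source names the account in its own field, so events are first normalized onto a common user field, then filtered by account regardless of device or IP, and finally tested for the sequence failed logins, VPN success, bulk download within a short window. The source names, field names, thresholds, and sample events are constructed assumptions; addresses use documentation ranges.

```python
"""Normalize multi-source SIEM events, filter by account, detect takeover sequence.

Added example for Questions 20 and 22; source names, field names, thresholds
and events are constructed assumptions.
"""
from datetime import datetime, timedelta

# Each (assumed) log source names the account differently.
USER_FIELDS = {
    "vpn": "username",
    "idp": "actor",
    "fileserver": "account",
}

# Constructed raw events; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
RAW_EVENTS = [
    {"source": "idp", "ts": "2024-05-01T02:01:10", "actor": "jdoe",
     "event": "login_failed", "src_ip": "203.0.113.77"},
    {"source": "idp", "ts": "2024-05-01T02:01:40", "actor": "jdoe",
     "event": "login_failed", "src_ip": "203.0.113.77"},
    {"source": "idp", "ts": "2024-05-01T02:02:05", "actor": "jdoe",
     "event": "login_failed", "src_ip": "203.0.113.77"},
    {"source": "vpn", "ts": "2024-05-01T02:03:30", "username": "jdoe",
     "event": "vpn_connect", "src_ip": "203.0.113.77"},
    {"source": "fileserver", "ts": "2024-05-01T02:06:12", "account": "jdoe",
     "event": "file_read", "bytes": 1_800_000_000},
    {"source": "fileserver", "ts": "2024-05-01T09:15:00", "account": "asmith",
     "event": "file_read", "bytes": 40_000},
    {"source": "vpn", "ts": "2024-05-01T08:00:00", "username": "asmith",
     "event": "vpn_connect", "src_ip": "198.51.100.12"},
]


def normalize(raw):
    """Return events with a common 'user' field and a datetime 'ts', sorted by time."""
    out = []
    for e in raw:
        user_field = USER_FIELDS.get(e["source"])
        n = dict(e)
        n["user"] = e.get(user_field) if user_field else None
        n["ts"] = datetime.fromisoformat(e["ts"])
        out.append(n)
    return sorted(out, key=lambda x: x["ts"])


def events_for_user(raw, user):
    """User-centric filter (Question 22): every event for the account, any source."""
    return [e for e in normalize(raw) if e["user"] == user]


def account_takeover_pattern(raw, user, min_failures=3,
                             window=timedelta(minutes=15),
                             bulk_bytes=1_000_000_000):
    """True when failed logins (>= min_failures) precede a VPN connect that is
    followed within 'window' by a bulk download (Question 20's sequence)."""
    failures = 0
    vpn_at = None
    for e in events_for_user(raw, user):
        if e["event"] == "login_failed":
            failures += 1
        elif e["event"] == "vpn_connect" and failures >= min_failures:
            vpn_at = e["ts"]          # success after repeated failures
        elif (e["event"] == "file_read" and vpn_at is not None
              and e["ts"] - vpn_at <= window
              and e.get("bytes", 0) >= bulk_bytes):
            return True
    return False


if __name__ == "__main__":
    for ev in events_for_user(RAW_EVENTS, "jdoe"):
        print(ev["ts"], ev["source"], ev["event"])
    print("takeover pattern:", account_takeover_pattern(RAW_EVENTS, "jdoe"))
```

Filtering on the normalized user field is what makes the sequence visible: the same chain filtered by the source IP of the last alert, as option B in Question 22 proposes, would drop events from any other device the account used.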


Question 23

Topic: Domain 2: Threats, Vulnerabilities, and Mitigations

A midsize online retailer is building its annual security assessment plan for its customer-facing web applications. Management wants: 1) a routine, low-impact way to automatically identify missing patches and common misconfigurations each month, and 2) a separate engagement once a year where testers attempt to exploit weaknesses like real attackers, under tightly defined rules and change windows. Which of the following actions/controls will BEST meet these requirements? (Select TWO.)

Options:

  • A. Schedule an authenticated, automated vulnerability scan of the web servers every month, with potentially disruptive checks disabled.
  • B. Enable full packet capture on the internet firewall and review traffic samples quarterly for suspicious patterns.
  • C. Rely on the web application firewall’s default signatures to block attacks instead of performing separate security assessments.
  • D. Contract an external firm to perform an annual manual penetration test with a signed rules-of-engagement document and defined maintenance windows.
  • E. Run automated exploit tools against all production systems every weekend without prior approval so issues are found quickly.

Correct answers: A and D

Explanation: The option that schedules an authenticated, automated monthly vulnerability scan with disruptive checks disabled matches the description of a vulnerability scan: it is routine, largely automated, low‑impact, and focuses on finding missing patches and misconfigurations.

The option that contracts an external firm for an annual manual penetration test with a signed rules‑of‑engagement and defined maintenance windows describes a proper penetration test: a controlled, intrusive assessment where testers attempt to exploit weaknesses like real attackers, under formal ROE to manage risk and scope.

Together, these two actions directly satisfy management’s requirements for both routine automated scanning and controlled, exploit‑focused testing.


Question 24

Topic: Domain 4: Security Operations

A security analyst is investigating suspicious remote logins to a Linux web server from unfamiliar IP addresses. The goal is to understand how accounts were accessed and whether the attacker moved laterally from this host. Which TWO data sources should the analyst prioritize collecting to support this investigation? (Select TWO.)

Options:

  • A. Web server access logs that record client IP addresses, timestamps, and requested URLs
  • B. Operating system authentication logs that record SSH and local logon attempts and results
  • C. Daily configuration backups from core switches and routers
  • D. Results of the last quarterly external vulnerability scan against the web server
  • E. Historical CPU and memory utilization graphs from the server monitoring tool

Correct answers: A and B

Explanation: The choice describing web server access logs is correct because access logs are the primary record of HTTP(S) activity to the web server, including client IPs, timestamps, requested resources, and often session or username information. This helps answer which remote clients connected, at what times, and what they accessed around the suspicious login period.

The choice describing operating system authentication logs is correct because files such as /var/log/auth.log on Linux record SSH and other authentication events, including successful and failed login attempts, usernames, and (for network logins) source IPs. These logs are essential for determining which accounts were used, whether brute-force or password-guessing occurred, and whether attackers obtained shell access that could be used for lateral movement.
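A parser for the sshd lines found in /var/log/auth.log, as an added example that is not part of the original page: it extracts result, method, account, and source IP from "Accepted"/"Failed" lines, then summarizes per source address which accounts succeeded or failed and which successful logins used a password rather than a key. The log lines are constructed (hostnames, PIDs, fingerprint, and documentation-range addresses) but follow the real sshd message format.

```python
"""Parse sshd authentication lines from a Linux auth.log and summarize them.

Added example for the investigation above; the sample lines are constructed
in the standard sshd syslog format.
"""
import re
from collections import defaultdict

# Matches the common sshd "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>" lines.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
May  1 02:03:30 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.77 port 51234 ssh2
May  1 02:03:35 web01 sshd[2231]: Failed password for root from 203.0.113.77 port 51234 ssh2
May  1 02:03:41 web01 sshd[2235]: Failed password for deploy from 203.0.113.77 port 51240 ssh2
May  1 02:04:01 web01 sshd[2240]: Accepted password for deploy from 203.0.113.77 port 51250 ssh2
May  1 02:04:02 web01 sshd[2240]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
May  1 08:00:12 web01 sshd[3100]: Accepted publickey for deploy from 198.51.100.12 port 40022 ssh2: RSA SHA256:constructedfingerprint
"""


def parse_sshd_auth(text):
    """Return a dict per Accepted/Failed line; other sshd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events):
    """Per source IP: number of failures and the (user, method) pairs that succeeded."""
    summary = defaultdict(lambda: {"failed": 0, "accepted": []})
    for e in events:
        s = summary[e["ip"]]
        if e["result"] == "Failed":
            s["failed"] += 1
        else:
            s["accepted"].append((e["user"], e["method"]))
    return dict(summary)


def accounts_accessed(events):
    """Map each account with at least one successful login to its source IPs."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "Accepted":
            seen[e["user"]].add(e["ip"])
    return dict(seen)


def password_logins(events):
    """Successful logins that used a password (weaker than key-based auth)."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "Accepted" and e["method"] == "password"]


if __name__ == "__main__":
    evs = parse_sshd_auth(SAMPLE_AUTH_LOG)
    for ip, s in summarize_by_source(evs).items():
        print(ip, s)
    print("accounts:", accounts_accessed(evs))
    print("password logins:", password_logins(evs))
```

Pairing the per-source summary with the web server access logs for the same window answers the question's two goals: which accounts were reached from which addresses, and whether a shell session was opened that warrants checking other hosts for logins from this server.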

Security+ SY0-701 security response map

Use this map after the sample questions to connect individual items to the Security+ threats, architecture, operations, governance, and incident-response decisions these practice samples test.

    flowchart LR
      S1["Security scenario or alert"] --> S2
      S2["Classify threat vulnerability or control domain"] --> S3
      S3["Assess asset identity data and network impact"] --> S4
      S4["Apply prevention detection or response control"] --> S5
      S5["Verify evidence and recovery"] --> S6
      S6["Update policy training and monitoring"]

Quick Cheat Sheet

Cue | What to remember
Control type | Separate preventive, detective, corrective, deterrent, compensating, physical, technical, and administrative controls.
Identity | Use MFA, least privilege, federation, PAM, and account lifecycle controls.
Data protection | Apply classification, encryption, DLP, backups, and retention.
Incident response | Prepare, detect, analyze, contain, eradicate, recover, and learn.
Governance | Connect policies, risk, compliance, training, and third-party controls to technical decisions.

Mini Glossary

  • DLP: Data loss prevention controls that detect or block risky data movement.
  • MFA: Multifactor authentication requiring more than one proof.
  • PAM: Privileged access management for high-risk administrative access.
  • SIEM: Security information and event management platform for collecting and analyzing logs.
  • Zero Trust: Security model that continuously verifies users, devices, and access.

Revised on Friday, May 15, 2026