Try 10 focused CompTIA Security+ SY0-801 questions on Security Operations, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA Security+ SY0-801 |
| Topic area | Security Operations |
| Blueprint weight | 27% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Security Operations for CompTIA Security+ SY0-801. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 27% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.
Topic: Security Operations
A security analyst is triaging a quarantined email attachment. The team needs to understand the file’s behavior before deciding whether to block related indicators across the enterprise.
Exhibit: Triage notes
| Field | Observation |
|---|---|
| File | invoice_Q3.xlsm |
| Source | External sender, new domain |
| Static scan | No known signature match |
| Content | Macro-enabled spreadsheet |
| Requirement | Observe behavior without production impact |
Which action best meets the requirement?
Options:
A. Analyze the file in an isolated sandbox
B. Delete the file and close the ticket
C. Open the file on an analyst workstation
D. Release the file to a pilot user
Best answer: A
Explanation: Sandboxing is the appropriate control when untrusted files or behavior must be executed or observed safely. The exhibit shows a macro-enabled file from an unfamiliar external source with no known signature match, so static detection alone is not enough to understand what it does. Running it in an isolated sandbox lets the team observe actions such as process launches, file changes, registry changes, and network attempts without risking production endpoints. The key requirement is safe behavioral analysis, not normal user testing or immediate closure.
Topic: Security Operations
A SOC receives a vendor advisory stating that a newly exploited vulnerability affects the company’s internet-facing file transfer appliance. The appliance was exposed during the advisory’s exploitation window, but no SIEM correlation rule has generated an alert. The incident lead needs an identification activity to determine whether compromise may have already occurred. Which action best meets this requirement?
Options:
A. Run a vulnerability scan of the appliance
B. Threat hunt using the advisory IOCs and TTPs
C. Wait for the existing SIEM detections to alert
D. Begin full eradication on the appliance
Best answer: B
Explanation: Identification in incident response includes activities that determine whether suspicious or malicious activity is present. In this scenario, the organization has credible external intelligence, an exposed asset, and no existing alert. A threat hunt is the best fit because it proactively searches data sources such as application logs, authentication events, EDR telemetry, and network records for the advisory’s indicators of compromise and attacker behaviors. A vulnerability scan may confirm exposure, but it does not establish whether exploitation already occurred. Waiting for alerts is too passive when the current detections may not cover the new activity. Eradication should follow stronger evidence of compromise or a confirmed incident scope.
Topic: Security Operations
A hospital is upgrading network access controls for wired ports and Wi-Fi. Managed clinical workstations must access internal patient-care systems only if they are domain-joined, patched, and running endpoint protection. Visitors and vendors still need simple Internet access without reaching internal subnets. Which NAC design is the BEST professional decision?
Options:
A. Block all unmanaged devices from connecting to any network
B. Use 802.1X with posture checks and a captive guest portal
C. Allow devices by MAC address and review exceptions monthly
D. Use a captive portal for all wired and wireless users
Best answer: B
Explanation: Network access control should match the trust level and access need. For managed hospital endpoints that reach sensitive internal systems, 802.1X provides stronger network authentication than a web portal, and posture checks can verify required conditions such as patch level and endpoint protection before granting access. Noncompliant devices can be placed in a remediation or restricted network. Visitors and vendors have a different need: simple Internet access without internal access, which is a typical use case for a captive portal tied to a guest network.
The key is combining controls rather than using one weak mechanism for every access type.
Topic: Security Operations
An IAM administrator is reviewing cloud access after HR and ticketing data synced overnight. Company policy requires separated users to be disabled immediately and elevated access to have a current business approval. Which action best addresses the review findings?
| Principal | HR/ticket status | Current access | Last sign-in |
|---|---|---|---|
| mchen | Active; Marketing role; no admin approval | Cloud-DB-Admin, Prod-Read | Today |
| rpatel | Separated 3 days ago | Prod-Read, VPN-Users | 2 days ago |
| svc-build | Service account; DevOps-owned | CI-CD-Deploy | Today |
| agarcia | Active; DBA role approved | Cloud-DB-Admin | Today |
Options:
A. Disable rpatel; remove mchen from Cloud-DB-Admin.
B. Remove agarcia from Cloud-DB-Admin.
C. Transfer rpatel’s groups to svc-build.
D. Force password resets for rpatel and mchen.
Best answer: A
Explanation: Account lifecycle reviews compare identity records, business approvals, and assigned permissions. Here, rpatel is separated but still has access, creating an orphaned-account risk that should be removed by disabling or deprovisioning the account. mchen is active but no longer has an approved role for database administration, so that elevated group should be removed to restore least privilege. agarcia has an approved DBA role, and svc-build is an owned service account, so those entries do not show the same issue.
Topic: Security Operations
A company has seen employees connect to an unauthorized access point that advertises the same SSID as the corporate Wi-Fi. Security wants continuous monitoring of wireless channels and automated containment of rogue or evil-twin access points. Which control best meets these requirements?
Options:
A. Host-based intrusion detection system
B. Network intrusion detection system
C. Wireless intrusion prevention system
D. Web application firewall
Best answer: C
Explanation: IDS and IPS choices depend on the monitoring location and whether the requirement is visibility or prevention. A network IDS is mainly passive visibility for network traffic, while an IPS can block or disrupt detected malicious activity inline. For wireless-specific threats, the control must understand Wi-Fi management frames, SSIDs, channels, and rogue access point behavior. Because the scenario requires both continuous wireless monitoring and automated containment, a wireless intrusion prevention system fits better than a general network IDS or host-based control.
The key distinction is wireless prevention, not just traffic alerting.
Topic: Security Operations
A security analyst is preparing evidence for an asset management review. The organization requires every network-connected device to have an approved owner in the asset inventory. The review must identify unauthorized devices, stale inventory records, and devices that are missing from tracking without disrupting production systems. Which evidence source provides the best visibility for this review?
Options:
A. A list of approved software installed on managed workstations
B. Purchase orders for all devices bought in the last quarter
C. NAC and switch-port last-seen records reconciled with the asset inventory
D. A vulnerability scan report from the server subnet
Best answer: C
Explanation: Asset visibility is strongest when observed device activity is reconciled against the authoritative inventory. NAC, switch-port, DHCP, or similar last-seen records show what is actually connected or recently active. Comparing those records to the asset inventory can identify devices on the network with no approved owner, inventory entries that have not been seen recently, and expected assets that are missing from tracking. This approach supports the review without interrupting production because it uses monitoring and asset-tracking evidence rather than intrusive testing or broad enforcement changes.
A purchase record, vulnerability scan, or software list may help with a narrower question, but none provides the same coverage for unauthorized, stale, and missing assets.
Topic: Security Operations
A security analyst is reviewing an unlabeled monitoring deployment. Which mapping correctly identifies each control based on placement and response behavior?
| Control | Placement | Observed behavior |
|---|---|---|
| A | Network SPAN port | Alerts on suspicious traffic only |
| B | Inline network path | Drops packets matching signatures |
| C | Database server agent | Alerts on unauthorized file changes |
| D | Laptop endpoint agent | Blocks suspicious process activity |
| E | Wireless controller | Detects and contains rogue APs |
Options:
A. Control A = NIDS; B = NIPS; C = HIDS; D = HIPS; E = WIPS
B. Control A = NIDS; B = WIPS; C = HIDS; D = HIPS; E = NIPS
C. Control A = NIDS; B = NIPS; C = HIPS; D = HIDS; E = WIPS
D. Control A = NIPS; B = NIDS; C = HIDS; D = HIPS; E = WIPS
Best answer: A
Explanation: Intrusion detection and prevention labels depend on where the control is placed and whether it only alerts or actively responds. A NIDS observes network traffic from a tap or SPAN port and typically alerts. A NIPS sits inline so it can block or drop malicious traffic. A HIDS runs on a host and alerts on local events such as file integrity changes. A HIPS also runs on a host but can prevent activity, such as blocking a process. A WIPS focuses on wireless threats, including rogue access point detection and containment. The key distinction is not just what the control detects, but whether it is network, host, or wireless focused and whether it is passive or inline/active.
Topic: Security Operations
A security team uses the following vulnerability-management workflow:
1. Run authenticated scans each week.
2. Create tickets for critical and high findings.
3. Assign tickets to system owners.
4. Close tickets when the owner states the patch was installed.
An audit finds that some closed critical findings are still exploitable, and leadership lacks an accurate exception list. Which workflow change best addresses the missing steps?
Options:
A. Assign each finding a CVSS score before ticket creation
B. Run unauthenticated scans daily instead of weekly
C. Require asset-owner approval before installing patches
D. Require validation scans and status reporting before closure
Best answer: D
Explanation: A complete vulnerability-management workflow should not stop when an owner says a patch was installed. Remediation must be verified, typically by rescanning, configuration review, or other validation evidence. The workflow also needs reporting so stakeholders can see what is fixed, what remains open, and which exceptions or risk acceptances exist. In this scenario, the failures are closed findings that remain exploitable and missing leadership visibility, so the best update adds verification and reporting before ticket closure. Increasing scan frequency or scoring findings may help other parts of the program, but they do not prove that remediation worked or communicate exception status.
Topic: Security Operations
A security analyst receives automated alerts for unusual outbound traffic from the finance application subnet. The network management dashboard shows the switch uplink at 92% utilization during the same period, but production payment processing must not be interrupted. The team needs packet-level evidence before requesting a firewall block because the subnet handles sensitive financial data. Which action is the BEST professional decision?
Options:
A. Disable the finance subnet uplink until the traffic stops
B. Run a full vulnerability scan against the finance subnet
C. Enable a temporary port mirror to a secured packet analyzer
D. Rely on the dashboard utilization graph as sufficient evidence
Best answer: C
Explanation: The core issue is visibility without disrupting availability. Automated alerts and dashboard metrics show that something unusual may be happening, but they do not provide packet-level evidence. A temporary port mirror (SPAN) can copy traffic from the affected switch port or VLAN to a secured packet analyzer for investigation while keeping production payment processing online. Because the subnet carries sensitive financial data, access to the capture should be controlled and the capture scope should be limited to the investigation need. Blocking or scanning before validating the alert could create unnecessary business impact or miss the immediate traffic evidence.
Topic: Security Operations
A SOC analyst reviews an alert after several users received suspicious invoice messages. No user has opened the attachment. Based on the exhibit, which operational control most directly addresses the affected asset layer?
| Layer | Evidence |
|---|---|
| Endpoint | EDR shows no execution |
| Network | No outbound C2 traffic |
| Application | CRM logs show normal access |
| Email | SPF failed; attachment delivered to inbox |
Options:
A. Add a WAF rule for the CRM application
B. Block outbound traffic to unknown destinations
C. Isolate the users’ endpoints from the network
D. Quarantine failed-SPF messages with risky attachments
Best answer: D
Explanation: The decisive evidence is at the email layer: the sender failed SPF and the attachment was still delivered. Since there is no endpoint execution, no outbound command-and-control traffic, and no application anomaly, the most direct operational control is an email security control that quarantines or blocks suspicious messages before delivery. This applies the control at the affected asset layer instead of reacting at unrelated layers.
Endpoint isolation or network blocking may become appropriate if execution or beaconing occurs, but the current issue is mail delivery policy failure.
Use the CompTIA Security+ SY0-801 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.