
CompTIA Security+ SY0-801: Threats, Vulnerabilities, and Attacks

Try 10 focused CompTIA Security+ SY0-801 questions on Threats, Vulnerabilities, and Attacks, with explanations, then continue with IT Mastery.

Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.


Topic snapshot

Field | Detail
Exam route | CompTIA Security+ SY0-801
Topic area | Threats, Vulnerabilities, and Attacks
Blueprint weight | 24%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Threats, Vulnerabilities, and Attacks for CompTIA Security+ SY0-801. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 24% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: Threats, Vulnerabilities, and Attacks

A vulnerability management team found a high-severity vulnerability on a legacy web server that is internet-facing and processes customer PII. The vendor patch may require downtime during a business-critical week, but a compensating control may be available. The team must recommend whether to remediate now, apply mitigation until the change window, or monitor. Which information would be most useful for the decision?

Options:

  • A. Scanner severity, plugin ID, and first-discovered date only

  • B. Exploitability, exposure, asset criticality, compensating controls, and patch feasibility

  • C. Total number of open ports on the server

  • D. Whether similar servers passed the last quarterly scan

Best answer: B

Explanation: Vulnerability prioritization should use context, not just a scanner label. For a decision between remediation, mitigation, and monitoring, the team needs information that shows actual likelihood and impact: whether the issue is exploitable, whether the asset is exposed, what sensitive data or business function is affected, whether compensating controls reduce risk, and whether patching is feasible within operational constraints. In this scenario, downtime risk and customer PII both matter, so the best information supports a balanced risk treatment decision rather than a simple severity sort.

  • Scanner-only data is incomplete because severity and discovery date do not show business impact, exposure, or available mitigations.
  • Open port counts may support exposure analysis, but port quantity alone does not determine vulnerability risk or treatment.
  • Quarterly scan comparison may show trend history, but it does not address current exploitability, data sensitivity, or patch feasibility.

Question 2

Topic: Threats, Vulnerabilities, and Attacks

A security analyst is reviewing an identity-provider alert after several users report suspicious cloud-file access. Which action best addresses the vulnerability shown in the exhibit?

Exhibit: OAuth application consent summary

Field | Value
App publisher | Unverified
Consent method | User consent allowed
Granted scopes | Mail.Read, Files.Read.All, offline_access
Admin approval | Not required
Affected users | 27

Options:

  • A. Patch the endpoint hypervisor on affected laptops

  • B. Disable Bluetooth pairing on managed mobile devices

  • C. Restrict user consent and revoke the app grants

  • D. Rotate the corporate wireless pre-shared key

Best answer: C

Explanation: The core issue is OAuth consent exposure at the identity provider. An unverified application holds user-approved delegated access to the user's mail (Mail.Read), to every file the user can reach (Files.Read.All), and offline_access, which issues a refresh token so the app can keep calling the API after the user has signed out. Because admin approval was not required, 27 users could grant these high-impact permissions without review, which is the pattern seen in consent-phishing campaigns. The appropriate response is to restrict user consent to verified or low-risk apps (or require admin approval), revoke the existing grants for this app, and review the app's API activity for those 27 accounts. Wireless, virtualization, and Bluetooth controls do not touch the identity-provider permission path shown in the evidence.

  • Wireless key rotation addresses shared Wi-Fi credential exposure, but the exhibit shows cloud app permissions granted through the IdP.
  • Hypervisor patching addresses virtualization vulnerabilities, but no host escape, VM, or hypervisor finding is shown.
  • Bluetooth disablement may reduce mobile-device attack surface, but the evidence concerns OAuth scopes and consent governance.

Question 3

Topic: Threats, Vulnerabilities, and Attacks

A company is deploying an LLM-based assistant that summarizes customer support tickets and can draft recommended account actions. Requirements include reducing customer data exposure, preventing unsafe automated changes, and ensuring recommendations are not accepted solely because the model produced them. Which safeguard set best meets these requirements?

Options:

  • A. Full ticket access with periodic output spot checks

  • B. Redaction, least-privilege tool access, and human approval

  • C. User awareness training without technical restrictions

  • D. Higher model confidence thresholds for automatic actions

Best answer: B

Explanation: AI-related security risk should be reduced with layered governance and technical controls, not trust in the model’s output alone. For an LLM assistant handling customer tickets, sensitive data should be minimized or redacted before processing, any connected tools should use least privilege, and high-impact actions should require human approval or validation. These safeguards address data loss, model misuse, and overreliance on generated recommendations. Confidence scores or occasional review can support monitoring, but they do not replace access control, data protection, and accountable approval steps.

  • Confidence-only gating still relies on the model’s self-assessment and may allow unsafe automated changes.
  • Full ticket access increases data exposure and spot checks may miss harmful or sensitive outputs.
  • Training alone is useful governance support, but it does not enforce data minimization or action limits.

Question 4

Topic: Threats, Vulnerabilities, and Attacks

A security analyst is reviewing an AI-generated vulnerability summary after it recommended emergency patching for a server. Based on the exhibit, what is the most appropriate interpretation?

Exhibit: AI output validation

User prompt: Summarize critical findings for WEB-14.
AI output: WEB-14 is vulnerable to CVE-2026-41721.
Citation provided: Vendor advisory VA-2026-41721.
Asset inventory: No WEB-14 asset found; WEB-04 exists.
Approved vulnerability feeds: No matching CVE or advisory.
AI service logs: No external tool calls; no unusual file access.
IdP/network alerts: No anomalies for the AI service account.

Options:

  • A. Model compromise through unauthorized access

  • B. Prompt injection with data exfiltration

  • C. Bias caused by skewed training data

  • D. Hallucination requiring source validation

Best answer: D

Explanation: The exhibit supports a hallucination: the AI produced plausible-sounding but unsupported facts, including an asset that is not in inventory and a CVE and advisory that no approved feed recognizes. Compromise or injection indicators would include unusual service-account activity, unauthorized file access, unexpected external tool calls, abnormal network traffic, or evidence that a prompt changed system behavior; none of those are present. Bias would involve unfair or systematically skewed outcomes, which the exhibit does not show. The immediate risk is that staff may act on fabricated output, so the right response is to validate every claimed asset, CVE, and citation against authoritative sources before any emergency change and to treat output that cannot be traced to such a source as unverified.

  • Prompt injection is not supported because the exhibit shows no malicious prompt effect, external tool use, or data movement.
  • Model compromise is not supported because identity, file-access, and network telemetry show no anomalies.
  • Bias is not supported because there is no evidence of unfair or skewed treatment of groups, data, or outcomes.
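
One way to perform the source validation the explanation calls for, added here as an example and not code from the original page or from IT Mastery: it pulls asset names, CVE IDs, and advisory IDs out of the model's output and checks each against the asset inventory and approved feeds before anyone is allowed to act on the summary. The inventory, feed contents, advisory ID format, and hostname convention (e.g. WEB-04) are assumptions constructed to mirror the exhibit.

```python
import re
from typing import Dict, List

# Constructed authoritative sources modelled on the exhibit; every entry is illustrative.
ASSET_INVENTORY = {"WEB-04", "WEB-07", "DB-01"}
APPROVED_CVES = {"CVE-2026-1042", "CVE-2026-2099"}
APPROVED_ADVISORIES = {"VA-2026-1042"}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")
ADVISORY_RE = re.compile(r"\bVA-\d{4}-\d+\b")       # assumed vendor advisory format
ASSET_RE = re.compile(r"\b[A-Z]{2,5}-\d{2,3}\b")    # assumed hostname convention, e.g. WEB-04


def extract_claims(text: str) -> Dict[str, List[str]]:
    """Collect every identifier the model asserted, so each can be checked individually."""
    cves = set(CVE_RE.findall(text))
    advisories = set(ADVISORY_RE.findall(text))
    # Blank out identifiers already classified so the looser asset pattern cannot re-match them.
    scrubbed = ADVISORY_RE.sub(" ", CVE_RE.sub(" ", text))
    assets = set(ASSET_RE.findall(scrubbed))
    return {"assets": sorted(assets), "cves": sorted(cves), "advisories": sorted(advisories)}


def validate_ai_summary(output: str, citation: str = "") -> Dict[str, object]:
    """Return the claims, which of them no authoritative source knows, and whether action is allowed."""
    claims = extract_claims(f"{output} {citation}")
    unknown = {
        "assets": [a for a in claims["assets"] if a not in ASSET_INVENTORY],
        "cves": [c for c in claims["cves"] if c not in APPROVED_CVES],
        "advisories": [v for v in claims["advisories"] if v not in APPROVED_ADVISORIES],
    }
    fabricated = any(unknown.values())
    return {
        "claims": claims,
        "unknown": unknown,
        "actionable": not fabricated,
        "verdict": ("unsupported: every identifier must match an authoritative source before action"
                    if fabricated else "supported by inventory and approved feeds"),
    }


if __name__ == "__main__":
    # The exhibit's output and citation, reproduced as constructed input.
    result = validate_ai_summary("WEB-14 is vulnerable to CVE-2026-41721.",
                                 "Vendor advisory VA-2026-41721.")
    print(result["verdict"])
    for kind, ids in result["unknown"].items():
        if ids:
            print(f"  unknown {kind}: {', '.join(ids)}")
```

The check is deliberately strict: a summary is actionable only when every identifier it names resolves in a source the team controls, which is the property a hallucinated asset or CVE cannot satisfy no matter how plausible the citation looks.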

Question 5

Topic: Threats, Vulnerabilities, and Attacks

A company wants to reduce successful phishing and browser-based attacks while preserving normal work with vendor invoices and web portals. Which user-facing control approach best matches the evidence?

Exhibit: Security review summary

Finding | Business need
QR-code phishing images bypassed text link checks | Users must view emailed invoice images
Malicious links led users to fake sign-in pages | Users must access vendor HTTPS portals
Macro-enabled attachments were blocked by help desk after incidents | No business process requires Office macros
Users were unsure how to report suspicious messages | Security team wants faster reporting

Options:

  • A. Disable browser access to all external vendor portals

  • B. Enable QR/link scanning, attachment sandboxing, macro blocking, external banners, and a report button

  • C. Allow vendor email unchanged and increase annual awareness training

  • D. Block all external email attachments and embedded images by default

Best answer: B

Explanation: The best approach layers user-facing and content controls around the actual exposure paths. QR-code and URL scanning help catch image-based and link-based phishing before users reach credential-harvesting sites. Attachment sandboxing checks files without banning legitimate invoices, and macro blocking fits the stated business fact that macros are not required. External sender banners and a phishing report button help users recognize and quickly escalate suspicious messages. This preserves normal vendor communication while reducing the attack surface at the points users interact with most.

  • Blocking all attachments overcorrects because the business still needs vendor invoice files and images.
  • Training alone misses technical controls for links, QR images, attachments, and browser redirection.
  • Disabling vendor portals prevents legitimate work because users must access external HTTPS portals.

Question 6

Topic: Threats, Vulnerabilities, and Attacks

A vulnerability analyst must recommend one emergency remediation for tonight. The organization’s policy says CVSS scores support prioritization, but exposure, exploit activity, data sensitivity, and business impact must also be considered.

Finding | CVSS base | Context
CVE-2026-1042 | 8.6 | Internet-facing customer portal, handles PII, active exploitation reported, 15-minute failover patch
CVE-2026-2099 | 9.8 | Internal dev wiki, VPN-only, no sensitive data, no known exploit, 4-hour outage
CVE-2026-3010 | 7.2 | Internal print server, segmented subnet, proof-of-concept only

Which recommendation is the BEST professional decision?

Options:

  • A. Patch CVE-2026-3010 tonight

  • B. Delay all patches pending rescoring

  • C. Patch CVE-2026-1042 tonight

  • D. Patch CVE-2026-2099 tonight

Best answer: C

Explanation: CVSS provides a structured way to compare technical severity, and CVE identifiers tie each finding to a specific vulnerability and its remediation guidance, but the base score alone measures only intrinsic characteristics: it does not know whether an exploit is active, whether the asset is reachable from the internet, what data it holds, or what patching costs. Here the portal finding has a slightly lower base score than the dev wiki, but it is internet-facing, handles PII, is under reported active exploitation, and can be patched with a 15-minute failover. Those factors raise the practical risk and make it the best emergency change. The higher-scored internal wiki still needs a patch, but under the stated facts its exposure and business impact are lower, and its 4-hour outage argues for a planned window rather than an emergency change.

  • Highest score only fails because CVSS base score does not include all environmental and business context.
  • Proof-of-concept only is less urgent here because the print server is internal and segmented with no active exploitation stated.
  • Waiting for rescoring ignores available evidence and delays remediation of an actively exploited, exposed system.

Question 7

Topic: Threats, Vulnerabilities, and Attacks

A security analyst reviews several related reports: employees found a benefits flyer in the lobby with a QR code, the code opened a lookalike single sign-on page, and affected users later had suspicious cloud logins. Mobile device checks found no new apps or malware indicators. Which action best maps to the attack category shown by the evidence?

Options:

  • A. Patch the single sign-on application servers

  • B. Disable lobby Wi-Fi until the investigation closes

  • C. Deploy mobile antimalware to all affected phones

  • D. Run the phishing response process for the QR-code campaign

Best answer: D

Explanation: The core skill is separating the attack category from the assets involved. The phones scanned the QR code, and the SSO brand was impersonated, but the decisive evidence is a lure that directs users to a fake login page to steal credentials. That is QR-code phishing, also called quishing, a social-engineering attack rather than a mobile, server, or network vulnerability. The best operational action is to handle it through the phishing response process: remove the lure, block the landing site, identify affected users, and reset or protect the exposed accounts. Treating the phones, SSO servers, or lobby network as the primary attack type would chase the wrong problem.

  • Mobile focus fails because the phones were used to scan the code, but no mobile malware indicators were found.
  • SSO patching fails because impersonation of the login page does not show a vulnerability in the real SSO servers.
  • Lobby Wi-Fi fails because the flyer’s QR code, not the wireless network, is the delivery mechanism shown in the facts.

Question 8

Topic: Threats, Vulnerabilities, and Attacks

A SOC analyst is preparing an incident summary after a small breach. Evidence shows a phishing email, a login from a commercial VPN exit node in another country, and commodity malware that is widely available. No ransom note, public claim, insider evidence, or unique tooling has been found. Which attribution statement is most appropriate?

Options:

  • A. Nation-state actor using foreign infrastructure

  • B. Unknown actor using phishing and commodity malware

  • C. Financially motivated group preparing ransomware

  • D. Malicious insider abusing authorized access

Best answer: B

Explanation: Actor attribution should be limited to what the evidence can support. In this case, the observed facts identify a likely access vector (phishing), an infrastructure clue (commercial VPN exit node), and a tool type (commodity malware). Those facts do not establish who sponsored the activity, whether the actor is internal or external with certainty, what the actor intended, or whether the actor has advanced capability. A foreign VPN endpoint is weak attribution evidence because attackers commonly route traffic through third-party services. The safest assessment is to record the known behaviors and leave motive and actor type as undetermined until stronger evidence appears.

  • Foreign VPN overreach fails because infrastructure location does not prove a nation-state sponsor.
  • Insider assumption fails because no evidence shows authorized internal misuse or insider involvement.
  • Ransomware prediction fails because no ransom note, encryption activity, or extortion indicator is present.

Question 9

Topic: Threats, Vulnerabilities, and Attacks

A company is piloting an internal LLM assistant that summarizes customer support tickets and drafts remediation steps. Tickets may contain PII, and a test ticket successfully caused the assistant to reveal text from another ticket. Support leaders want to continue the pilot, but security policy requires auditability and human approval before customer-impacting actions. Which decision is BEST?

Options:

  • A. Add DLP, least-privilege retrieval, logging, and human approval gates

  • B. Block all LLM use until the vendor guarantees accurate outputs

  • C. Continue the pilot with a banner that model responses may be wrong

  • D. Fine-tune the model on all historical tickets to improve context

Best answer: A

Explanation: AI-related security risk is reduced by combining governance and technical safeguards instead of trusting model output by itself. In this scenario, the assistant has already shown cross-ticket data exposure and may generate customer-impacting remediation steps. Appropriate safeguards include data loss prevention for PII, least-privilege access to ticket data, logging for auditability, and a human approval gate before actions affect customers. These controls let the business continue a controlled pilot while limiting data leakage, prompt-injection impact, and hallucination risk. A warning banner alone does not enforce policy, while blocking all AI use may be unnecessary if compensating controls can manage the risk.

  • Warning-only control fails because it informs users but does not prevent data leakage or enforce approval.
  • Total blocking overreacts to a pilot that can continue with scoped safeguards and oversight.
  • More training data increases exposure of sensitive ticket content and does not solve prompt injection or hallucination by itself.

Question 10

Topic: Threats, Vulnerabilities, and Attacks

A security analyst reviews web application events after a DLP alert reported that system files were accessed through the customer portal.

Exhibit: Web log excerpt

10:14:03 GET /download?file=invoice_1042.pdf user=jsmith status=200 bytes=82,144
10:16:27 GET /download?file=../../../../etc/passwd user=jsmith status=200 bytes=2,948
10:16:31 GET /download?file=../../../../etc/shadow user=jsmith status=403 bytes=512
10:17:02 GET /download?file=..%2f..%2f..%2fapp%2fconfig.yml user=jsmith status=200 bytes=6,331

Which application attack indicator is best supported by the exhibit?

Options:

  • A. Directory traversal

  • B. Buffer overflow

  • C. Replay attack

  • D. SQL injection

Best answer: A

Explanation: Directory traversal occurs when an application accepts a file path from the client and fails to confine it to an approved directory. The exhibit shows a normal download followed by requests containing ../../../../ and the percent-encoded form ..%2f, both of which step up the directory tree toward sensitive local files such as /etc/passwd and the application's configuration file. The 200 responses with non-trivial byte counts show that at least two unauthorized reads succeeded. The 403 on /etc/shadow shows that one read was refused; because the encoded traversal a few seconds later still succeeded, the refusal is more consistent with filesystem permissions on the shadow file (the web server process normally cannot read it) than with input validation in the application. The key indicator is path manipulation, not database syntax, reused authentication material, or memory corruption.

  • SQL injection fails because the input does not include database operators, query fragments, or evidence of database error behavior.
  • Replay attack fails because the log does not show reused tokens, repeated signed requests, or duplicated authentication exchanges.
  • Buffer overflow fails because there is no oversized input, crash, memory error, or abnormal process termination shown.
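
Detection logic for the pattern in the exhibit, plus the fix the application should have had, added here as an example and not code from the original page or from IT Mastery. It parses log lines constructed to match the exhibit, percent-decodes the file parameter repeatedly so encoded and double-encoded sequences are caught, flags any upward path step or absolute path, and shows a hardened download resolver that canonicalizes the requested path and refuses anything that lands outside the base directory. The log format, the base directory /srv/portal/downloads, and the function names are assumptions.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed log lines modelled on the exhibit (not real traffic).
LOG_LINES = [
    "10:14:03 GET /download?file=invoice_1042.pdf user=jsmith status=200 bytes=82,144",
    "10:16:27 GET /download?file=../../../../etc/passwd user=jsmith status=200 bytes=2,948",
    "10:16:31 GET /download?file=../../../../etc/shadow user=jsmith status=403 bytes=512",
    "10:17:02 GET /download?file=..%2f..%2f..%2fapp%2fconfig.yml user=jsmith status=200 bytes=6,331",
]

# Assumed log format; adjust the pattern for a real access log.
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<method>[A-Z]+) (?P<target>\S+) user=(?P<user>\S+) "
    r"status=(?P<status>\d{3}) bytes=(?P<bytes>[\d,]+)$"
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and double-encoded %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(file_param: str) -> bool:
    """True if the decoded parameter tries to leave the download directory."""
    decoded = fully_decode(file_param).replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    _, _, query = rec["target"].partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    rec["file"] = params.get("file", "")
    rec["status"] = int(rec["status"])
    return rec


def find_traversal(lines) -> List[dict]:
    """One record per traversal attempt; 'succeeded' means the server answered 200."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_traversal(rec["file"]):
            hits.append({
                "time": rec["time"],
                "user": rec["user"],
                "target": fully_decode(rec["file"]),
                "succeeded": rec["status"] == 200,
            })
    return hits


def resolve_download(base_dir: str, file_param: str) -> str:
    """Hardened resolution: canonicalize, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when the parameter is absolute; realpath collapses '..'
    # and symlinks, so the containment check below sees the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, fully_decode(file_param)))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base}: {file_param!r}")
    return candidate


def would_escape(base_dir: str, file_param: str) -> bool:
    try:
        resolve_download(base_dir, file_param)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for hit in find_traversal(LOG_LINES):
        state = "READ SUCCEEDED" if hit["succeeded"] else "refused"
        print(f'{hit["time"]} {hit["user"]} -> {hit["target"]} ({state})')
    for param in ("invoice_1042.pdf", "..%2f..%2f..%2fapp%2fconfig.yml"):
        verdict = "escapes" if would_escape("/srv/portal/downloads", param) else "stays in base"
        print(f"{param}: {verdict}")
```

The detector deliberately reports the 403 request too: a refused read is still an attempt, and in the exhibit it sits between two successful ones, which is the pattern an analyst should escalate. The resolver checks containment after canonicalization rather than by string-matching "..", so it also rejects absolute paths and symlink tricks that a naive filter would miss.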

Continue with full practice

Use the CompTIA Security+ SY0-801 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Free review resource

Use the full IT Mastery practice page above for the latest review links and full practice.

Revised on Thursday, May 28, 2026