
CompTIA Security+ SY0-701 Advanced Quiz

Learning Objectives

Master Security+ exam scenarios: threat intelligence, governance, risk, and compliance.

Question 1 of 60
A security analyst discovers that a threat actor used DNS over HTTPS (DoH) to exfiltrate data from a compromised host, bypassing traditional DNS monitoring. Which detection approach is MOST effective against DoH-based data exfiltration?
Question 2 of 60
An organization deploys a SIEM with 200+ correlation rules. The security operations team is overwhelmed by 10,000+ alerts per day with a 95% false positive rate. Which approach MOST effectively improves alert fidelity?
Question 3 of 60
A security analyst discovers that a web application uses JWT (JSON Web Tokens) with the 'alg' header set to 'none', effectively disabling signature verification. Which attack does this enable?
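The alg-none weakness in the question above is easiest to see in code. The following is an added example, not part of the quiz or of any real library: a toy HS256 verifier that trusts the token's own `alg` header (the vulnerable pattern), a hardened verifier that pins the algorithm server-side, and the forged token an attacker would submit. The secret, claims and helper names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"server-side-hmac-secret"  # constructed example key; in practice load from a KMS/vault


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (what the server hands out after login)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_vulnerable(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: lets the token choose its own algorithm, so alg=none skips the check."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        return json.loads(b64url_decode(body_b64))  # no signature check at all
    if alg == "HS256":
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    return None


def verify_hardened(token: str, key: bytes) -> Optional[dict]:
    """HARDENED: the algorithm is fixed by the server; the header's 'alg' never decides anything."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # empty or wrong signature -> reject before parsing claims
        header = json.loads(b64url_decode(head_b64))
        if header.get("alg") != "HS256":
            return None  # reject anything that is not the pinned algorithm
        return json.loads(b64url_decode(body_b64))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None


def forge_alg_none(payload: dict) -> str:
    """What the attacker submits: alg=none header, chosen claims, empty signature."""
    return (
        b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
        + "."
        + b64url_encode(json.dumps(payload).encode())
        + "."
    )


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, SECRET))
    print("hardened verifier accepts forged token:", verify_hardened(forged, SECRET))
```

The fix is not "check that alg is not none" but "never read alg from untrusted input": the server decides the algorithm and key, and rejects any token that does not verify under that fixed choice. The same pinning defeats the related RS256-to-HS256 key-confusion trick.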
Question 4 of 60
A forensic analyst examines a Windows system for evidence of anti-forensics techniques. The analyst discovers that the $LogFile, $MFT, and $UsnJrnl NTFS metadata files have been wiped. What does this MOST likely indicate?
Question 5 of 60
An organization's threat hunting team identifies that a threat actor established persistence using a Windows Management Instrumentation (WMI) event subscription that triggers a PowerShell script whenever a user logs in. Which forensic artifact would MOST conclusively confirm this persistence mechanism?
Question 6 of 60
A red team successfully bypasses a web application firewall by encoding their SQL injection payload using URL encoding and Unicode normalization to evade signature detection. Which defense MOST effectively addresses WAF bypass techniques?
Question 7 of 60
An organization's incident response plan specifies that all evidence must be collected following the order of volatility. A responder must choose between capturing network connections, running processes, RAM, and the swap file. Which should be captured FIRST?
Question 8 of 60
An organization implements a bug bounty program. Which security concept does this BEST exemplify compared to traditional penetration testing?
Question 9 of 60
A security architect evaluates a proposed microservices architecture where services authenticate to each other using long-lived API keys stored in environment variables. Which security improvement MOST significantly reduces the risk of credential compromise?
Question 10 of 60
Which advanced Security+ SY0-701 topic describes using machine learning models trained on normal network and user behavior to detect novel threats that have no known signatures?
Question 11 of 60
A security analyst examines a suspicious email that passed through the organization's email gateway undetected. The email contained a PDF with an embedded JavaScript that triggered a zero-day vulnerability in the PDF reader. Which email security control gap does this expose?
Question 12 of 60
A security engineer reviews an application's authentication flow and discovers that after successful MFA, the application issues a session token that is valid for 30 days without re-authentication. An attacker who steals this token has 30-day access. Which principle does this MOST violate?
Question 13 of 60
An organization detects that an attacker performed a Kerberoasting attack against its Active Directory environment. Which condition in the AD environment made this attack possible?
Question 14 of 60
A security architect designs a PKI hierarchy for an organization with 50,000 employees globally. Which design decision MOST improves resilience and operational security?
Question 15 of 60
Which Security+ SY0-701 cryptographic primitive enables two parties to establish a shared encryption key over an untrusted channel without any prior shared secret, providing perfect forward secrecy when combined with ephemeral key pairs?
Question 16 of 60
A security team deploys a deception technology platform including canary tokens — specifically, fake AWS credentials embedded in publicly accessible configuration files. Which attacker action would these canary tokens MOST effectively detect?
Question 17 of 60
Which Security+ SY0-701 architectural pattern uses policy decision points (PDPs) and policy enforcement points (PEPs) to implement continuous, context-aware access control aligned with Zero Trust principles?
Question 18 of 60
An organization's cloud security team discovers that a developer accidentally published a Terraform state file to a public GitHub repository. The state file contains plaintext AWS access keys, database passwords, and API tokens. Which immediate response actions are required?
Question 19 of 60
A penetration tester gains access to an internal network after exploiting a vulnerability in an externally facing web application. The tester then enumerates internal systems to identify additional targets. Which kill chain phase does this describe?
Question 20 of 60
Which Security+ SY0-701 attack technique leverages legitimate cloud services — such as GitHub, Google Drive, or Pastebin — as command-and-control infrastructure to blend malicious traffic with legitimate HTTPS traffic to trusted destinations?
Question 21 of 60
A penetration tester successfully performs an NTLM relay attack against a domain environment, gaining access to a domain-joined server without knowing any credentials. Which Active Directory misconfiguration MOST directly enabled this attack?
Question 22 of 60
Which Security+ SY0-701 concept describes the use of threat intelligence to proactively search for indicators of compromise within an environment before alerts are triggered?
Question 23 of 60
An attacker exploits a Server-Side Request Forgery (SSRF) vulnerability in a web application to access the cloud metadata service endpoint (169.254.169.254) and retrieve IAM role credentials. Which security control MOST directly prevents this cloud-specific SSRF impact?
Question 24 of 60
An organization implements software-defined WAN (SD-WAN) to connect 50 branch offices. Which security risk is UNIQUE to SD-WAN deployments compared to traditional MPLS WAN?
Question 25 of 60
An organization runs a critical application that processes credit card transactions. The application vendor announces a critical RCE vulnerability but will not release a patch for 60 days due to testing requirements. Which compensating control strategy BEST reduces risk during this period?
Question 26 of 60
A security engineer implements certificate pinning in a mobile application to prevent MitM attacks. During a penetration test, the tester successfully bypasses the pinning using a Frida script that hooks the certificate validation function at runtime. Which additional control would make this bypass significantly harder?
Question 27 of 60
A security architect must choose between storing encryption keys in a software key management service (KMS) versus hardware security modules (HSMs). Which factor MOST strongly justifies the significantly higher cost of HSMs?
Question 28 of 60
A penetration tester discovers an IDOR (Insecure Direct Object Reference) vulnerability in a healthcare application where changing the patient ID in the URL (from /records?id=1001 to /records?id=1002) reveals another patient's records. Which vulnerability class does IDOR belong to?
Question 29 of 60
Which cryptographic attack against RSA encryption exploits the mathematical relationship between related RSA keys to recover private key material when two RSA moduli share a common prime factor?
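The attack in the question above needs no factoring: if two moduli share a prime, a single GCD reveals it, and from one prime the whole private key follows. The block below is an added example, not part of the quiz; it uses toy-sized primes constructed for the demonstration (real keys are 2048-bit and the same code works unchanged on them) and a hypothetical key inventory to show the audit a defender would run over a fleet of device certificates, the scenario in which this attack has been found in practice against devices with poor boot-time entropy.

```python
from math import gcd
from typing import Dict, List, Optional, Tuple


def shared_factor(n1: int, n2: int) -> Optional[int]:
    """Return the prime the two moduli share, or None if they are coprime."""
    g = gcd(n1, n2)
    return g if 1 < g < min(n1, n2) else None


def private_exponent(n: int, e: int, p: int) -> int:
    """Rebuild the private exponent d from one known prime factor p of n."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def break_pair(n1: int, n2: int, e: int) -> Optional[Tuple[int, int]]:
    """If n1 and n2 share a prime, return both private exponents (d1, d2)."""
    p = shared_factor(n1, n2)
    if p is None:
        return None
    return private_exponent(n1, e, p), private_exponent(n2, e, p)


def audit_moduli(moduli: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Pairwise GCD over a key inventory; report every pair that shares a factor.
    O(n^2) is fine for a few thousand keys; use a batch-GCD product tree beyond that."""
    names = list(moduli)
    hits = []
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            g = shared_factor(moduli[names[i]], moduli[names[j]])
            if g:
                hits.append((names[i], names[j], g))
    return hits


# Constructed demo inventory: device-A and device-B were generated with the same
# weak RNG state and ended up sharing the prime P_SHARED; device-C is independent.
P_SHARED, Q1, Q2, Q3, Q4 = 1000003, 1000033, 1000037, 1000039, 1000081
E = 65537
KEYS = {
    "device-A": P_SHARED * Q1,
    "device-B": P_SHARED * Q2,
    "device-C": Q3 * Q4,
}

if __name__ == "__main__":
    for a, b, p in audit_moduli(KEYS):
        print(f"{a} and {b} share prime {p}")
        d_a, d_b = break_pair(KEYS[a], KEYS[b], E)
        msg = 4242
        print("decrypted with recovered key:", pow(pow(msg, E, KEYS[a]), d_a, KEYS[a]))
```

The defensive takeaway is that key strength is not only about modulus size; generation entropy matters, and a GCD sweep across every certificate you issue or accept is a cheap check that catches this class of failure outright.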
Question 30 of 60
An incident response team discovers that an attacker used a compromised service account to move laterally across 47 servers over 8 days. The account had Domain Admin privileges granted for 'a quick project' 2 years ago and never revoked. Which governance failures DIRECTLY contributed to this breach?
Question 31 of 60
Which Security+ SY0-701 attack exploits the trust that end users place in a certificate authority by obtaining a fraudulently issued certificate for a domain the attacker does not own, enabling undetected HTTPS MitM attacks?
Question 32 of 60
Which Security+ SY0-701 privacy engineering concept requires that data collection, storage, and processing be designed to protect privacy from the ground up — rather than adding privacy controls as an afterthought?
Question 33 of 60
A blue team analyst is investigating an alert from the EDR tool showing that svchost.exe is running from C:\Users\user\AppData\Local\Temp\svchost.exe rather than C:\Windows\System32\svchost.exe. Which attack technique does this MOST likely indicate?
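The analyst's judgement in the question above (a system binary name running from a user-writable directory) can be turned into a repeatable detection. The following is an added example, not part of the quiz or any EDR product: a small baseline of where core Windows binaries live and which process is expected to launch them, applied to constructed process-creation events. The baseline is simplified and the event format is invented for this example; a real rule would be fed from Sysmon Event ID 1 or the EDR's process telemetry.

```python
from typing import Dict, List, NamedTuple


class Profile(NamedTuple):
    dirs: frozenset  # directories the binary legitimately runs from (lower-case)
    parent: str      # expected parent image name


# Simplified baseline, constructed for this example (see SANS "Know Normal, Find Evil")
BASELINE: Dict[str, Profile] = {
    "svchost.exe": Profile(frozenset({r"c:\windows\system32", r"c:\windows\syswow64"}), "services.exe"),
    "lsass.exe":   Profile(frozenset({r"c:\windows\system32"}), "wininit.exe"),
    "csrss.exe":   Profile(frozenset({r"c:\windows\system32"}), "smss.exe"),
}

# Digit-for-letter substitutions used in lookalike names such as svch0st.exe
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def split_path(image_path: str):
    """Return (directory, filename), both lower-cased, for a Windows path."""
    normalized = image_path.replace("/", "\\").lower()
    directory, _, filename = normalized.rpartition("\\")
    return directory, filename


def check_event(event: Dict[str, str]) -> List[str]:
    """Findings for one process-creation event; an empty list means it matches the baseline."""
    directory, filename = split_path(event["image"])
    profile = BASELINE.get(filename)
    if profile is None:
        canonical = filename.translate(HOMOGLYPHS)
        if canonical in BASELINE:
            return [f"{filename} is a lookalike of system binary {canonical} (T1036 masquerading)"]
        return []  # not a monitored system binary
    findings = []
    if directory not in profile.dirs:
        findings.append(f"{filename} running from unexpected directory {directory!r} (T1036 masquerading)")
    parent = event.get("parent_image", "")
    if split_path(parent)[1] != profile.parent:
        findings.append(f"{filename} spawned by {parent!r}, expected parent {profile.parent}")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map pid -> findings for every event that deviates from the baseline."""
    results = {}
    for event in events:
        findings = check_event(event)
        if findings:
            results[event["pid"]] = findings
    return results


# Constructed sample telemetry
EVENTS = [
    {"pid": "812",  "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": "4412", "image": r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": "5120", "image": r"C:\Program Files\Vendor\app.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        for finding in findings:
            print(f"pid {pid}: {finding}")
```

Path and parent checks are complementary: an attacker who drops a binary into System32 (needs admin) still has to launch it from the right parent, and one who hollows a legitimately placed process keeps the path but often breaks the parent relationship or the image-load chain.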
Question 34 of 60
Which Security+ SY0-701 cryptographic concept ensures that even if a long-term private key is compromised, past encrypted communications cannot be decrypted by an attacker who captures the historic ciphertext?
Question 35 of 60
An organization discovers that an employee with legitimate database access has been exfiltrating customer data by executing queries during normal business hours, mimicking legitimate reporting activity. Which control would MOST effectively detect this insider threat?
Question 36 of 60
A security analyst uses the MITRE ATT&CK Navigator to map detection coverage. The analyst identifies that Technique T1078 (Valid Accounts) has no corresponding detection rule in the SIEM. Which threat does this detection gap MOST expose the organization to?
Question 37 of 60
An organization implements continuous automated compliance monitoring using Infrastructure as Code scanning. Which security benefit does this provide over periodic manual compliance audits?
Question 38 of 60
A security team performs a purple team exercise targeting its identity infrastructure. The red team extracts the NTDS.dit database from a domain controller, cracks domain account password hashes offline, and uses DCSync to replicate account hashes directly from a domain controller and reuse them in a pass-the-hash attack. Which combination of controls would MOST comprehensively address ALL three attack paths?
Question 39 of 60
A security engineer must implement secure inter-service communication in a containerized microservices environment where services authenticate each other's identity before processing requests. Which solution provides BOTH mutual authentication AND encryption?
Question 40 of 60
Which Security+ SY0-701 cryptographic concept allows a sender to encrypt a message once so that multiple recipients can each decrypt it with their own private key, without re-encrypting the message body separately for each recipient?
Question 41 of 60
A security team discovers that an insider threat stole intellectual property by encoding it in image files using steganography before exfiltrating via email. Which detection capability would MOST likely have identified this technique?
Question 42 of 60
Which Security+ SY0-701 attack technique attempts to exhaust application resources by sending a large volume of requests that trigger computationally expensive operations — such as hash computation or regex matching — on the server?
Question 43 of 60
Which Security+ SY0-701 security governance document establishes quantitative security objectives, defines metrics for measuring control effectiveness, and tracks security program performance over time?
Question 44 of 60
An organization experiences a ransomware attack that encrypts all file servers. The security team discovers that backups stored on network-attached storage were also encrypted because the backup service account had write access to the backup share. Which backup architecture change would have PREVENTED backup encryption?
Question 45 of 60
Which Security+ SY0-701 concept describes the structured process of identifying, classifying, and preserving electronically stored information in anticipation of litigation?
Question 46 of 60
An organization deploys a cloud-native application using serverless functions (FaaS). Which security challenge is UNIQUE to serverless architectures compared to traditional server-based deployments?
Question 47 of 60
A threat intelligence analyst receives a report that a threat actor group uses a specific file hash, IP address, and registry key as indicators of compromise. Thirty days later, the attacker changes these indicators but uses the same overall attack methodology. Which intelligence concept explains why TTPs are more durable than IoCs?
Question 48 of 60
A security architect designs authentication for a new mobile banking application. Which authentication design provides the strongest protection against both account takeover and SIM-swapping attacks?
Question 49 of 60
An attacker performs a watering hole attack against a manufacturing company's supply chain partners. Which attack pattern does this represent?
Question 50 of 60
A security analyst performing threat intelligence analysis maps a recent intrusion to a known APT group's TTP profile. The attacker used spear phishing → Cobalt Strike beacon → LSASS dump → DCSync → domain compromise over 3 weeks. Which threat intelligence framework BEST structures this analysis?
Question 51 of 60
An organization's DevSecOps team wants to automatically identify and prevent secrets (API keys, passwords, private keys) from being committed to source code repositories. Which solution operates at the correct point in the pipeline to prevent this before code is pushed?
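The point of the question above is pipeline position: a scanner that runs in CI finds the secret after it is already in history, whereas a pre-commit hook inspects only the staged changes and refuses the commit. The block below is an added example, not part of the quiz or of any existing secrets-scanning tool; the rule list, entropy threshold and the sample diff are all constructed for the demonstration (the AWS key in it is Amazon's published placeholder, not a real credential). In a hook you would feed it the output of `git diff --cached` instead of the embedded sample.

```python
import math
import re
import sys
from typing import Iterator, List, Tuple

# Constructed rule set: pattern-based rules for well-known secret formats
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("generic-assignment",
     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
# Fallback for unknown formats: long, high-entropy tokens
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0  # bits/char; tune to your codebase to limit false positives


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def added_lines(diff_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number in the new file, content) for every line a unified diff adds."""
    new_lineno = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++") or raw.startswith("---"):
            continue  # file headers
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:
            new_lineno = int(hunk.group(1)) - 1
            continue
        if raw.startswith("+"):
            new_lineno += 1
            yield new_lineno, raw[1:]
        elif not raw.startswith("-"):
            new_lineno += 1  # context line: advances the new-file counter only


def scan_diff(diff_text: str) -> List[Tuple[int, str, str]]:
    """Return (line, rule, content) for each added line that looks like a secret."""
    findings = []
    for lineno, line in added_lines(diff_text):
        hits = [name for name, pattern in RULES if pattern.search(line)]
        if not hits:  # only fall back to entropy when no format rule matched
            hits = ["high-entropy-string" for tok in TOKEN_RE.findall(line)
                    if len(tok) >= ENTROPY_MIN_LEN and shannon_entropy(tok) >= ENTROPY_THRESHOLD]
        for name in hits:
            findings.append((lineno, name, line.strip()))
    return findings


# Constructed staged diff: a developer replaces env lookups with literals
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,7 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "Sup3rS3cretPassw0rd!"
+SESSION_SECRET = "d1f3a9b7c2e4f6a8b0c1d2e3f4a5b6c7d8e9f0a1"
+BLOB = "0123456789abcdefghijklmnopqrstuv"
 TIMEOUT = 30
"""


def main(diff_text: str = SAMPLE_DIFF) -> int:
    """Hook entry point: non-zero exit blocks the commit."""
    findings = scan_diff(diff_text)
    for lineno, rule, content in findings:
        print(f"BLOCKED line {lineno} [{rule}]: {content}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Scanning only added lines keeps the hook fast and avoids re-flagging history, but it also means secrets that are already committed are not its job; those need a one-time history sweep and rotation, since a key that ever reached the remote must be treated as compromised regardless of later removal.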
Question 52 of 60
Which Security+ SY0-701 governance principle requires organizations to formally document their risk appetite — the level of risk they are willing to accept in pursuit of business objectives — before making risk treatment decisions?
Question 53 of 60
A security engineer must implement key management for a system that processes payments for a healthcare organization subject to both PCI DSS and HIPAA. Which key management practice satisfies BOTH frameworks' requirements?
Question 54 of 60
Which Security+ SY0-701 privacy concept requires organizations to implement technical and administrative controls that allow data subjects to request deletion of their personal data from all systems where it is stored?
Question 55 of 60
Which Security+ SY0-701 concept describes configuring network devices and applications to automatically block traffic from IP addresses that exhibit scanning behavior or repeated authentication failures?
Question 56 of 60
An organization's security team discovers that their EDR tool failed to detect a sophisticated attacker who used process hollowing to inject into a trusted Windows process. Which detection capability would MOST likely have caught this technique?
Question 57 of 60
Which Security+ SY0-701 attack exploits insecure deserialization vulnerabilities in web applications, potentially leading to remote code execution when malicious serialized objects are processed by the application?
Question 58 of 60
An organization implements a zero-knowledge proof system for authentication that allows a user to prove knowledge of a secret without revealing the secret itself. Which authentication problem does this MOST directly solve compared to traditional password authentication?
Question 59 of 60
A security architect must design a system handling patient health records that must satisfy HIPAA's minimum necessary standard and right of access requirements while preventing unauthorized internal access. Which access control model BEST satisfies ALL requirements?
Question 60 of 60
A security program manager tracks that the mean time to detect (MTTD) security incidents has increased from 8 hours to 47 hours over the past quarter. Which program areas warrant IMMEDIATE investigation to understand this trend?