Free CompTIA CySA+ (CS0-003) Practice Test To Ace The Exam

The CompTIA CySA+ CS0-003 Practice Test is the single most effective tool for cybersecurity analysts looking to validate their skills and earn this prestigious certification. If you are preparing for the CS0-003 exam, you know that understanding theory is not enough; you must be able to apply that knowledge to complex, scenario-based questions.

Note: You can access the full, free interactive practice test at the bottom of this post.

Free CompTIA CySA+ (CS0-003) Practice Test to Ace the Exam

Why the CompTIA CySA+ (CS0-003) Practice Test is Essential

The Cybersecurity Analyst (CySA+) certification verifies that successful candidates have the knowledge and skills required to leverage intelligence and threat detection techniques, analyze and interpret data, identify and address vulnerabilities, suggest preventative measures, and effectively respond to and recover from incidents.

Our CompTIA CySA+ (CS0-003) Practice Test mirrors the actual exam’s focus on these critical domains. By simulating real-world scenarios, we help you transition from memorizing definitions to thinking like an analyst. Below, we explore several key topics covered in the exam to give you a preview of what you need to master.

Detecting Anomalous Behavior and “Impossible Travel”

One of the first lines of defense for a security analyst is the ability to interpret SIEM (Security Information and Event Management) logs. A common scenario you will encounter involves analyzing login patterns.

For instance, if a user account logs in from North America, Europe, and Asia within a 15-minute window, this is a clear indicator of Impossible Travel. This term describes a situation where a user appears to access a system from geographically distant locations in a timeframe that is physically impossible. This is a high-fidelity indicator of a compromised account.

Preventing Data Exfiltration with DLP

Protecting sensitive data, such as Credit Card Numbers (CHD) or Personally Identifiable Information (PII), is paramount. When an organization needs to prevent this data from leaving the network via email, deploying a Data Loss Prevention (DLP) solution is the correct technical control.

Unlike an Intrusion Prevention System (IPS), which focuses on network traffic exploits, or a Web Application Firewall (WAF), which protects web apps, DLP systems are specifically designed to inspect content and block messages that violate data handling policies.

Vulnerability Management: False Positives vs. True Risks

Automated vulnerability scanners are powerful, but they lack context. A scanner might report a critical SQL injection vulnerability on a web server because the code appears susceptible. However, if a manual verification reveals that a WAF is in place effectively blocking all SQL injection attempts, the scanner has produced a False Positive.

A skilled analyst must be able to differentiate between a true positive (a real, exploitable vulnerability) and a false positive (a reported vulnerability that is not actually exploitable due to compensating controls).

Threat Intelligence Standards: STIX

To share threat intelligence effectively across different organizations and tools, standardized formats are required. The Structured Threat Information eXpression (STIX) is the standard that uses JSON to define objects like ‘attack-pattern’, ‘malware’, and ‘threat-actor’.

When combined with TAXII (Trusted Automated Exchange of Intelligence Information), STIX allows for the automated exchange of cyber threat intelligence, a key component of modern security operations.

Digital Forensics: Uncovering Hidden Evidence

When investigating a compromised workstation, knowing where to look for evidence is crucial. If you are trying to determine if a specific malicious executable was ever present, even if it has been deleted, Slack Space is often the least reliable place to find definitive proof compared to structured artifacts.

While slack space can contain fragments of deleted data, structured sources like the Master File Table (MFT), Windows Registry, or Event Logs provide more concrete records of a file’s existence and execution history. https://csrc.nist.gov/pubs/sp/800/86/final

Understanding Recovery Objectives: RPO vs. RTO

Disaster recovery policies are defined by specific metrics. If a policy states that backups must ensure no more than 4 hours of data loss and systems must be operational within 2 hours, this defines:

Recovery Point Objective (RPO): 4 hours (acceptable data loss).
Recovery Time Objective (RTO): 2 hours (acceptable downtime).

Confusing these two is a common mistake on the CompTIA CySA+ CS0-003 Practice Test. Remember: RPO is about data, and RTO is about time.

Identifying Attack Vectors

The CySA+ exam requires you to identify various attack types based on logs or behavior:

Lateral Movement: When an attacker compromises a web server and uses it to scan and attack other servers in the DMZ.
Directory Traversal: Seeing log entries like GET /view.php?file=../../../../etc/passwd indicates an attempt to access files outside the web root.
SYN Flood: A flood of TCP SYN packets with spoofed IPs designed to exhaust server resources.
DNS Tunneling: Hiding data exfiltration within normal-looking DNS query traffic to bypass network monitoring.

Risk Management Strategies

Not every risk needs to be mitigated. If a risk has a high impact but a very low probability, and the cost of mitigation exceeds the potential loss, management may choose Risk Acceptance. This is a valid strategy where the organization acknowledges the risk but decides to take no action, documenting the decision.

Conclusion

Passing the CySA+ requires more than just luck; it requires deep understanding and practice. The topics discussed above are just a fraction of what you will face. To ensure you are fully prepared, you need to test yourself against the full range of questions. Please do not forget to checkout other free CompTIA Certifications on CertyBuddy.com: https://certybuddy.com/practice-tests/?vendor=comptia

Ready to certify? Take the free CompTIA CySA+ CS0-003 Practice Test, Quiz, and Flashcards below to start your path to success!

/65

Master the Exam with This Free CompTIA CySA+ CS0-003 Practice Test

This protocol ensures a loop-free topology in an Ethernet network by disabling redundant data paths.

1 / 65

What is the primary function of the Spanning Tree Protocol (STP) in a switched network?

To aggregate multiple physical links into a single logical link for increased bandwidth.

To prevent layer 2 loops in networks with redundant switch paths.

To segment the network into multiple VLANs for security.

To provide Quality of Service (QoS) by prioritizing voice and video traffic.

This CVSS metric describes the proximity an attacker needs to be to the target to exploit the vulnerability.

2 / 65

An analyst is reviewing the CVSS v3.1 score for a vulnerability. The Attack Vector (AV) metric is rated as ‘Network’ (N). What does this imply about the vulnerability?

The vulnerability is exploitable from a remote network, such as the internet.

The attacker must be on the same logical network segment as the victim.

The attacker requires legitimate user credentials to exploit the vulnerability.

The attacker must have physical access to the target system.

This authentication factor is based on ‘something you are’.

3 / 65

An organization wants to use a physical access control method that identifies individuals based on their unique physical characteristics. Which of the following technologies should they implement?

Key fobs

Iris scanner

Smartcards with a PIN

Proximity cards

This type of threat occurs without malicious intent from the person involved.

4 / 65

Which of the following would be considered an ‘accidental’ threat to an organization’s security?

A software vulnerability in a web server that allows remote code execution.

An employee clicking on a phishing link and entering their credentials.

A nation-state actor launching a sophisticated cyber-espionage campaign.

A disgruntled former employee using their old credentials to delete files.

Consider the strategy where a conscious, informed decision is made to not alter the risk’s state.

5 / 65

An organization’s risk assessment identifies a high-impact risk with a very low probability of occurrence. Management decides that the cost of mitigating the risk far exceeds the potential loss. They document this decision and continue operations. What risk management strategy has been employed?

Risk Mitigation

Risk Transference

Risk Acceptance

Risk Avoidance

This term describes an attacker’s movement from one system to others within the same trusted environment.

6 / 65

An analyst is investigating an attack where the adversary compromised a public-facing web server and then used it to scan and attack other servers in the same DMZ. What is this phase of the attack called?

Lateral movement

Initial compromise

Data exfiltration

Persistence

This reconnaissance technique aims to get a full ‘phonebook’ of the target organization’s network assets.

7 / 65

A threat actor performs a DNS zone transfer against a company’s public DNS server. What is the primary type of information the actor is trying to obtain?

Real-time network traffic data for the company's domain.

The cryptographic keys used for DNSSEC.

A complete list of all hostnames and IP addresses for the company's domain.

The passwords for the DNS server's administrative accounts.

This technology focuses on integrating different security tools and automating the actions an analyst would typically perform manually.

8 / 65

A security team is using a Security Orchestration, Automation, and Response (SOAR) platform. What is a primary benefit of this technology?

It provides deep visibility into endpoint process execution and system behavior.

It aggregates logs from across the enterprise for centralized analysis.

It automates and standardizes incident response actions and workflows using playbooks.

It scans endpoints for known vulnerabilities and configuration issues.

This term refers to an isolated testing environment where the effects of running a program are contained.

9 / 65

An organization wants to analyze potentially malicious files in a safe environment that mimics a user’s workstation, allowing them to observe the file’s behavior without risk to the corporate network. What should they use?

A clean room

A honeypot

A screened subnet (DMZ)

A sandbox

The attack focuses on abusing the initial step of the TCP three-way handshake.

10 / 65

An attacker sends a flood of TCP SYN packets to a server with spoofed source IP addresses. The server responds with SYN-ACK packets to these fake addresses and keeps waiting for the final ACK, eventually exhausting its resources. What type of attack is this?

Ping of Death Attack

Teardrop Attack

DDoS Amplification Attack

SYN Flood Attack

The name of this standard explicitly refers to the markup language it uses for its assertions.

11 / 65

A company wants to implement Single Sign-On (SSO) for its cloud-based applications. They need a standard that uses XML-based assertions to exchange authentication and authorization data between an identity provider (IdP) and a service provider (SP). Which technology should they use?

OAuth (Open Authorization)

RADIUS

Kerberos

SAML (Security Assertion Markup Language)

This type of scan goes beyond looking at open ports from the outside and requires authenticated access to the target system.

12 / 65

A security analyst is tasked with performing a credentialed vulnerability scan of a Windows server. What is a key requirement for this type of scan to be successful?

The target server must have all host-based firewall rules disabled.

The scan must be conducted by a PCI DSS Approved Scanning Vendor (ASV).

The scanner must be on the same physical network segment as the target server.

The scanner needs an account on the target server with sufficient privileges to access configuration files and registry settings.

Differentiate between the objective related to data loss tolerance and the objective related to service restoration time.

13 / 65

A company has a policy that backups must ensure no more than 4 hours of data can be lost in a disaster. The policy also states that the system must be fully operational again within 2 hours of a failure. What do these two policy statements define?

MTTR of 2 hours and MTBF of 4 hours

RPO of 2 hours and RTO of 4 hours

RPO of 4 hours and RTO of 2 hours

SLE of 4 hours and ARO of 2 hours

Consider the two states of data: when it is being stored and when it is being moved.

14 / 65

An organization’s security policy states that all sensitive data must be encrypted both when it is stored on disk and when it is being transmitted over the network. What two concepts does this policy address?

Data in transit and data in process

Data at rest and data leakage

Data at rest and data in transit

Data at rest and data in use

Consider the readiness of the IT infrastructure at each type of recovery site.

15 / 65

Which of the following describes a key difference between a hot site and a cold site for disaster recovery?

A hot site is geographically close to the primary site, while a cold site is far away.

A hot site uses cloud infrastructure (IaaS), while a cold site uses physical, on-premises hardware.

A hot site has fully configured and running computer systems and data, while a cold site is just a facility with space and utilities.

A hot site has power and cooling, while a cold site does not.

Consider the combination of vulnerability severity, potential impact, and the ease with which an attacker can exploit it.

16 / 65

A security analyst is reviewing a vulnerability scan report for an internet-facing web server. Which of the following findings should be prioritized for immediate remediation?

A high-severity vulnerability (CVSS 8.8) that allows remote code execution and has a publicly available exploit.

An informational finding indicating that the server's operating system version is detectable.

A low-severity vulnerability (CVSS 3.1) in an internal administrative service that is blocked by the firewall.

A medium-severity vulnerability (CVSS 6.5) in a deprecated software library that is not used by the web application.

This security model operates on the principle of ‘never trust, always verify’.

17 / 65

Which of the following BEST describes the concept of a ‘zero-trust’ architecture?

A network architecture with a very strong perimeter firewall but no internal security controls.

A policy that prohibits the use of any third-party or open-source software within the organization.

A security model that never grants trust to any user or device by default and requires continuous verification for every access request, regardless of location.

An architecture where all internal network traffic is encrypted using IPsec.

This attack manipulates the Layer 2 to Layer 3 address resolution process on a local network.

18 / 65

A penetration tester gains access to a network segment and wants to intercept traffic between a client workstation and a server. The tester sends unsolicited ARP reply packets to both the client and the server, associating the tester’s MAC address with the other’s IP address. What attack is being performed?

MAC Flooding

DHCP Spoofing

IP Spoofing

ARP Poisoning

This type of control identifies that a security policy has been violated.

19 / 65

Which of the following is an example of a detective security control?

A video surveillance camera recording.

An access control list (ACL) on a firewall.

A security awareness training program.

Full-disk encryption on a laptop.

This control type pertains to protecting facilities, equipment, and other tangible assets.

20 / 65

What type of security control is a security guard who patrols a data center?

Operational Control

Managerial Control

Physical Control

Technical Control

This type of malware gets its name from its ability to gain ‘root’ access and then install a ‘kit’ of tools to maintain that access covertly.

21 / 65

A security analyst is investigating a suspected malware infection. The malware appears to have modified core operating system files to hide its presence, making it invisible to standard antivirus scans and file system browsers. What type of malware is most likely involved?

Rootkit

Trojan

Spyware

Worm

This property is achieved by using ephemeral keys for each communication session.

22 / 65

Which cryptographic concept ensures that if a server’s long-term private key is compromised, past session keys encrypted with it cannot be decrypted?

Key Escrow

Digital Signature

Perfect Forward Secrecy (PFS)

Homomorphic Encryption

The name of this attack is an analogy to hunting very large and important targets.

23 / 65

A penetration tester wants to use a social engineering technique where they send a targeted email to a high-level executive, pretending to be the company’s legal counsel, to trick them into opening a malicious attachment. What is this specific type of attack called?

Vishing

Watering hole attack

Whaling

Smishing

This technique is essentially a managed on-path attack used for security purposes.

24 / 65

A security team needs to analyze network traffic but finds that it is encrypted with TLS. To inspect this traffic for threats, they implement a device that sits between the users and the internet, decrypts the traffic, inspects it, and then re-encrypts it before sending it to the destination. What is this process called?

Network Tapping

TLS Inspection (or SSL Inspection)

IPsec Tunneling

Port Mirroring

Think of this as a specific set of instructions for a common type of security event, much like a coach’s guide for a specific game situation.

25 / 65

Which of the following describes a ‘playbook’ in the context of incident response?

A comprehensive inventory of all IT assets within the organization.

A high-level policy document that grants authority to the incident response team.

A detailed, step-by-step guide tailored to a specific type of security incident, such as ransomware or a phishing attack.

A report summarizing the lessons learned after an incident has been resolved.

Consider the physical constraints of moving between the login locations in the given time.

26 / 65

An analyst reviews SIEM logs and notices that a single user account has logged in from IP addresses in North America, Europe, and Asia within a 15-minute window. Which type of indicator is this?

Lateral movement

Privilege escalation

Impossible travel

Resource inaccessibility

This solution focuses on visibility and behavioral analysis rather than just static file scanning.

27 / 65

An organization uses an Endpoint Detection and Response (EDR) solution. What is a primary capability of an EDR tool that distinguishes it from traditional antivirus software?

It automatically applies operating system security patches.

It blocks users from visiting malicious websites.

It provides continuous monitoring and recording of endpoint activities to detect suspicious behaviors and assist in investigations.

It scans files for known malware signatures.

Consider the discrepancy between the automated scan’s report and the actual exploitability of the system.

28 / 65

During a vulnerability scan, a tool reports a critical SQL injection vulnerability on a web server. However, upon manual verification, the security analyst determines that a Web Application Firewall (WAF) is in place and effectively blocks all SQL injection attempts. What has the vulnerability scanner produced?

A true positive

A false positive

A true negative

A false negative

This principle ensures that any traffic not explicitly permitted is blocked by a final, default rule.

29 / 65

A firewall is configured to block all incoming traffic by default and only allow traffic to specific ports and services that are explicitly defined in the ruleset. What is this security principle called?

Least privilege

Implicit allow

Defense in depth

Implicit deny

Consider which security control requires access to the underlying operating system, which is abstracted away in a serverless model.

30 / 65

A company is moving to a serverless computing architecture using a Function-as-a-Service (FaaS) provider. Which security tool would be LEAST effective in this new environment?

Cloud Access Security Broker (CASB)

Host-based Intrusion Prevention System (HIPS)

Static code analyzer for the functions

Identity and Access Management (IAM)

One is the weakness, and the other is the entity or event that could take advantage of that weakness.

31 / 65

What is the primary difference between a threat and a vulnerability in the context of risk management?

A vulnerability is a weakness or gap in security, while a threat is an actor or event that can exploit that weakness.

A threat is an external danger, while a vulnerability is an internal weakness.

A threat has a high CVSS score, while a vulnerability has a low CVSS score.

A vulnerability is a potential for harm, while a threat is the actual harm that has occurred.

Think about techniques used to protect sensitive data when it’s being used in non-production environments.

32 / 65

What is the primary purpose of data obfuscation techniques like tokenization and masking?

To ensure the integrity of data by creating a cryptographic hash.

To encrypt data so that it can only be read by authorized parties.

To reduce the amount of storage space required for data.

To de-identify sensitive data, reducing its risk if exposed, while still allowing it to be used in test or analytics environments.

This final step in the incident response cycle is focused on continuous improvement.

33 / 65

What is the primary goal of the ‘lessons learned’ phase of an incident response process?

To identify and punish the individuals responsible for the incident.

To identify gaps in security controls and response procedures and make improvements to prevent future incidents.

To document the incident timeline for legal proceedings against the attacker.

To calculate the total financial cost of the incident for insurance purposes.

This type of control aims to guide the behavior of individuals within an organization.

34 / 65

A company’s acceptable use policy (AUP) is an example of which type of security control?

Directive control

Corrective control

Preventive control

Detective control

Look at the pattern used in the URL to navigate the file system.

35 / 65

An analyst is reviewing Apache web server logs and finds the entry: `GET /view.php?file=../../../../etc/passwd`. What type of attack is being attempted?

Command Injection

SQL Injection

Cross-Site Scripting (XSS)

Directory Traversal

This term describes the gradual accumulation of access permissions beyond what is needed for a user’s current role.

36 / 65

During an internal audit, an analyst discovers that a database administrator who moved to the marketing department three months ago still has administrative access to the production databases. This is an example of what security issue?

Permission creep (or Privilege creep)

Separation of duties

Role-based access control (RBAC)

Privilege escalation

Think about the step that focuses on bringing the affected services back to a normal operational state.

37 / 65

An incident response team has contained a malware outbreak and removed the malicious software from all affected systems. According to the NIST incident response lifecycle, what is the next major phase they should enter?

Post-Incident Activity

Detection & Analysis

Recovery

Preparation

This attack targets the boundary between the virtualized guest and the physical host.

38 / 65

A company uses a single physical server to host multiple virtual machines (VMs), each running a different application. An attacker finds a vulnerability that allows them to break out of one of the guest VMs and access the underlying host operating system. What is this type of attack called?

Snapshot vulnerabilities

VM sprawl

VM escape

Resource exhaustion

The goal is to minimize the number of entry points an attacker could potentially exploit.

39 / 65

A security analyst is hardening a Linux server. Which action would be most effective at reducing the server’s attack surface?

Implementing a complex password policy for all user accounts.

Configuring centralized logging to a remote SIEM server.

Encrypting the entire hard drive using full-disk encryption.

Disabling or uninstalling unnecessary services and applications.

Think about what happens if an attacker compromises one system on a segmented network versus a flat network.

40 / 65

What is the primary security benefit of using network segmentation?

It encrypts all traffic between network segments.

It authenticates all devices before they connect to the network.

It reduces the attack surface by containing threats.

It improves network performance by reducing latency.

This term describes technology assets that are outside the ownership and control of the IT department.

41 / 65

An attacker uses a compromised IoT device within a corporate network to launch a denial-of-service attack against an external website. The organization has no visibility into the IoT device’s activities because it was installed by an employee without IT’s knowledge. What is this IoT device an example of?

Honeypot

Insider Threat

Advanced Persistent Threat (APT)

Shadow IT

This three-part acronym is used in threat intelligence to characterize the behavior of a threat actor.

42 / 65

A document describes how an attacker group uses a specific strain of malware, delivered via spear-phishing emails, to establish a command-and-control channel over DNS, and then moves laterally using stolen credentials. This description of the adversary’s methods is an example of what?

Attack Surface

Tactics, Techniques, and Procedures (TTPs)

Indicators of Compromise (IoCs)

Common Vulnerabilities and Exposures (CVE)

This method uses a common and often unrestricted network protocol as a covert communication channel.

43 / 65

An attacker compromises a user’s workstation that has access to a financial database. To exfiltrate large amounts of data without being detected by network monitoring tools, the attacker hides the data within normal-looking DNS query traffic. What is this technique called?

Domain Generation Algorithm (DGA)

DNS Cache Poisoning

DNS Hijacking

DNS Tunneling

The principle is to collect the most ephemeral data before it disappears.

44 / 65

During an incident, the response team needs to collect evidence from a running server. According to the order of volatility, which of the following data sources should be collected FIRST?

Running processes and network connections

Archived logs on a remote SIEM

CPU registers and cache

Hard drive image

Consider which artifact is a remnant of file storage rather than a structured record of system activity or file system metadata.

45 / 65

An analyst is examining a disk image from a compromised Windows workstation. To determine if a specific malicious executable was ever present, even if deleted, which forensic artifact is LEAST likely to contain evidence of the file’s existence?

Slack Space

Windows Registry

Event Logs

Master File Table (MFT)

The key requirement is to control the egress of specific types of information based on its content.

46 / 65

A security team is implementing a solution to prevent sensitive data, such as credit card numbers (CHD), from being sent out of the network via email. The solution should be able to inspect outbound traffic content and block messages that violate policy. What type of technology should they deploy?

Security Information and Event Management (SIEM)

Data Loss Prevention (DLP)

Web Application Firewall (WAF)

Intrusion Prevention System (IPS)

This concept provides the foundational, unchangeable anchor for a chain of cryptographic verifications.

47 / 65

What is the primary purpose of a ‘root of trust’ in a secure boot process?

To provide a secure, immutable starting point for verifying the integrity of the boot chain.

To act as a Certificate Authority (CA) for issuing digital certificates to system components.

To securely log all boot-related events for later forensic analysis.

To store cryptographic keys for full-disk encryption.

This technique involves using tools that are already part of the native operating system.

48 / 65

A security analyst is investigating a breach and finds that the attacker used living-off-the-land (LotL) techniques. What does this mean?

The attacker physically broke into the data center to access the servers directly.

The attacker leveraged legitimate, pre-installed system tools like PowerShell and WMI to conduct their attack.

The attacker used custom-written, advanced malware that is not detected by antivirus software.

The attacker purchased an exploit kit from a dark web marketplace.

This type of document provides specific, compulsory requirements that must be met to comply with a higher-level goal.

49 / 65

A security policy document that states, ‘All servers must be hardened by disabling unnecessary services and applying security patches within 30 days of release,’ is an example of what?

A guideline

A standard

A procedure

A policy

This phase involves actively triggering a vulnerability to gain unauthorized access.

50 / 65

A threat actor uses a zero-day exploit to compromise a system and then installs malware. Which phase of the Cyber Kill Chain does the use of the zero-day exploit represent?

Exploitation

Installation

Weaponization

Reconnaissance

Look for the wireless security mode designed for corporate environments that integrates with a centralized authentication server.

51 / 65

A company wants to secure its wireless network for corporate users, requiring each user to authenticate with their own unique domain credentials. Which authentication method should be used?

WPA3-Enterprise (802.1X)

MAC Filtering

WPA3-Personal (SAE)

Captive Portal

This port is commonly used for remote administration of Windows machines.

52 / 65

An analyst runs the `netstat -an` command on a Windows server and sees a connection in the `LISTENING` state on port 3389. What service is most likely running?

Secure Shell (SSH)

Remote Desktop Protocol (RDP)

MySQL Database

Microsoft SQL Server

This term refers to a complete and exact replica of a storage device, captured in a way that is admissible as evidence.

53 / 65

During an investigation, an analyst needs to create a bit-for-bit, forensically sound copy of a hard drive. What is this copy called?

A snapshot

A backup

A clone

An image

This attack leverages third-party servers and protocol characteristics to magnify its impact on the target.

54 / 65

An analyst is reviewing logs from a Network Time Protocol (NTP) server and sees a massive number of responses being sent to a single target IP address, which is not the IP that sent the original requests. The requests were small, but the responses are large. What type of attack is likely occurring?

Reflected and Amplified DDoS Attack

Credential Replay Attack

On-path Attack

DNS Tunneling

The ‘P’ in IPS stands for ‘Prevention,’ which implies an active response capability.

55 / 65

What is the primary security advantage of using an Intrusion Prevention System (IPS) over an Intrusion Detection System (IDS)?

An IPS provides more detailed logs and alerts than an IDS.

An IPS uses signature-based detection, while an IDS uses behavior-based detection.

An IPS is a host-based solution, while an IDS is a network-based solution.

An IPS can actively block malicious traffic in real-time, while an IDS can only detect and alert.

This is the very first broadcast message a client sends out to find a server.

56 / 65

An analyst is examining network traffic with Wireshark and wants to identify which host initiated a DHCP IP address lease process. What type of message should the analyst filter for?

DHCPACK

DHCPDISCOVER

DHCPOFFER

DHCPREQUEST

This technique separates the structure of the database query from the data provided by the user.

57 / 65

A software developer wants to prevent SQL injection attacks. The application takes user input and uses it to query a database. Which of the following is the MOST effective mitigation technique?

Implementing a web application firewall (WAF).

Using parameterized queries (prepared statements).

Validating user input to ensure it contains only alphanumeric characters.

Encrypting the user input before adding it to the SQL query string.

The `ps` command is used to inspect system processes.

58 / 65

An analyst uses the command `ps -aux | grep apache` on a Linux server. What is the analyst attempting to do?

Search the system logs for entries related to Apache.

Find all files on the system named 'apache'.

List the contents of the Apache configuration file.

Check if the Apache web server process is running.

Think about the level of the technology stack where the customer’s responsibility begins.

59 / 65

An organization is using a cloud service where the provider manages the hardware, network, and virtualization layer, but the organization is responsible for managing the operating system, middleware, and applications. What cloud service model is this?

Software as a Service (SaaS)

Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Function as a Service (FaaS)

This term reflects the amount of time the vendor has had to prepare a fix before the vulnerability is exploited in the wild.

60 / 65

A company is concerned about attacks that exploit unpublished software vulnerabilities for which no patch exists. What is the term for this type of vulnerability?

Common Vulnerability and Exposure (CVE)

Misconfiguration

Legacy system vulnerability

Zero-day vulnerability

Think about the standards specifically designed for structuring and exchanging threat data between different tools and organizations.

61 / 65

An organization wants to adopt a threat intelligence sharing standard that uses JSON and defines objects like ‘attack-pattern’, ‘malware’, and ‘threat-actor’ to describe cybersecurity threats. Which standard fits this description?

CVSS (Common Vulnerability Scoring System)

NIST RMF

OpenIOC

STIX (Structured Threat Information eXpression)

This dynamic testing method is akin to ‘stress testing’ an application’s input handling capabilities.

62 / 65

An analyst is using a tool to test a web application by sending it a large amount of malformed and random data to see if it crashes or behaves unexpectedly. What is this technique called?

Fuzzing

Static Code Analysis

Vulnerability Scanning

Port Scanning

This term combines software development, IT operations, and security into a single, continuous process.

63 / 65

An organization is building a software application and wants to ensure security is integrated into every phase of the development lifecycle, from design and coding to testing and deployment. What is this methodology called?

Vulnerability Management

Agile Development

DevSecOps

Waterfall Model

This device acts as a one-way gate for data, allowing it to be read but not altered.

64 / 65

A security analyst needs to create a forensic copy of a hard drive while ensuring the original drive is not modified in any way during the imaging process. What tool should be used?

A hardware write blocker.

A file integrity monitoring tool like Tripwire.

A crossover cable.

A software-based disk cloning utility running on the suspect's live OS.

Think about the level of abstraction and what components are virtualized in each technology.

65 / 65

Which of the following describes the difference between containers and traditional virtual machines (VMs)?

Containers run on a Type 1 hypervisor, while VMs run on a Type 2 hypervisor.

Containers provide stronger security isolation than VMs.

Containers are less portable than VMs because they are tied to specific hardware.

Containers share the host operating system's kernel, while each VM has its own full guest OS.

Your score is