SY0-701 Cheat Sheet
General Security Concepts
Security Controls
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Category and type are two independent axes
Every SY0-701 security control carries one category (who or what enforces it: technical, managerial, operational, or physical) and one type (what it does about an incident: preventive, deterrent, detective, corrective, compensating, or directive). The axes are orthogonal: re-stating a control's purpose never moves its category. A host firewall is technical and preventive; a recording CCTV camera is technical and detective; both stay technical whatever their type.
Trap Letting a control's type drag its category along: calling a CCTV camera "physical" because it watches a door, when CompTIA classes the hardware/software system as technical.
4 questions test this
- A company configures a deny-by-default firewall at its network perimeter that blocks all unauthorized inbound connections. How should this…
- During a risk assessment, a security engineer must classify two controls: a perimeter firewall blocking unauthorized traffic, and a…
- A data center administrator installs a next-generation firewall at the network perimeter to block all unauthorized inbound traffic based on…
- A data center uses proximity badge readers at entry doors and deploys an inline IPS on the core network switch. Which pair of…
- Six control types map to the threat lifecycle
The six SY0-701 types track an incident across time: preventive stops it before it happens, deterrent discourages the attempt, detective discovers it during or after, corrective remediates and restores afterward, compensating substitutes when the required control can't be used, and directive steers behaviour through instruction. Pairing the missing stage to the scenario is the whole game: most stems hinge on before-vs-during-vs-after timing.
2 questions test this
- Technical controls are enforced by hardware, software, or firmware
A control is technical (also called logical) when hardware, software, or firmware enforces it with no person needed at the moment it acts: firewall rules, ACLs, MFA enforcement, encryption, IDS/IPS, and antivirus all qualify. The mechanism runs itself once configured, which is what separates it from an operational control a human performs.
Trap Calling a technical control operational because a person configured or installed it - the category follows who enforces it at run time (the machine), not who set it up.
5 questions test this
- A company configures a deny-by-default firewall at its network perimeter that blocks all unauthorized inbound connections. How should this…
- A security team reviews two detective systems in its data center environment: CCTV cameras monitoring the server room entrance and a…
- During a risk assessment, a security engineer must classify two controls: a perimeter firewall blocking unauthorized traffic, and a…
- A data center administrator installs a next-generation firewall at the network perimeter to block all unauthorized inbound traffic based on…
- A data center uses proximity badge readers at entry doors and deploys an inline IPS on the core network switch. Which pair of…
- Managerial controls are the policies and governance documents
Managerial (administrative) controls are the policies, standards, risk assessments, plans, and approval gates that govern the security program: a security policy, a background-check policy, or a change-management sign-off. The control is the document or decision itself, not whatever technology it tells the organization to deploy.
Trap Classifying a policy by the technology it mandates: a standard that requires a firewall is managerial; the firewall it calls for is technical.
7 questions test this
- A company adopts a risk management framework that requires departments to identify, assess, and report risks to executive leadership…
- A CISO publishes a risk management framework that defines how security risks must be identified, assessed, and treated across the…
- A security manager performs a comprehensive risk assessment to evaluate threats and vulnerabilities across the organization's…
- An organization's security policy requires all employees to complete annual phishing awareness training. The security operations team…
- An organization's CISO selects the NIST Risk Management Framework to guide enterprise-wide risk identification, assessment, and control…
- The CISO publishes an updated acceptable use policy (AUP) that specifies how employees must handle corporate data and use company systems.…
- A security manager uses the NIST Risk Management Framework to conduct a formal risk assessment, document identified threats and…
- Operational controls are tasks people carry out
Operational controls are executed by people as part of day-to-day work: delivering security-awareness training, working a log-review shift, a guard checking badges, or an IR team running the runbook. Security-awareness training stays operational even though its subject is technical, because people deliver and consume it; the category follows who acts, not the topic.
Trap Marking security-awareness training technical because its subject matter is technical - the category follows who performs the control (people), making it operational.
6 questions test this
- An organization has the following security controls in place: A) A board-approved information security policy; B) Daily security log…
- During an audit, a security analyst reviews a documented procedure that guides the security operations center through specific steps for…
- A company delivers quarterly phishing simulation exercises to all employees to help them recognize social engineering attacks before a real…
- A security team delivers quarterly phishing simulation exercises to all employees, teaching them to identify and report suspicious emails…
- A security team conducts monthly classroom sessions teaching employees to recognize social engineering attacks, handle data properly, and…
- An organization's security policy requires all employees to complete annual phishing awareness training. The security operations team…
- Physical controls are tangible real-world barriers
Physical controls are tangible barriers and devices in the real world: fences, locks, bollards, access-control vestibules, badge readers, fire suppression, and CCTV hardware. CompTIA treats access-control hardware at the door (a badge reader, for instance) as physical even though software drives it, because the enforcement object is a physical device at a physical boundary.
Trap Reclassifying a badge reader as technical because software drives it - CompTIA treats the device enforcing entry at a physical boundary as physical.
3 questions test this
- A security team reviews two detective systems in its data center environment: CCTV cameras monitoring the server room entrance and a…
- During a risk assessment, a security engineer must classify two controls: a perimeter firewall blocking unauthorized traffic, and a…
- A data center uses proximity badge readers at entry doors and deploys an inline IPS on the core network switch. Which pair of…
- Pick the type from the scenario's timing word
Match the stem's verb to the type: stop or block before → preventive; discourage, warn off, make them think twice → deterrent; detect, alert, discover, identify after the fact → detective; recover, restore, remediate, fix the damage → corrective; instead of a control you cannot implement → compensating; a policy or procedure telling staff what to do → directive. The verb the question emphasizes, not the device named, decides the type.
6 questions test this
- A security team monitors completion rates of mandatory security awareness training and reports employees who missed the deadline to…
- A company delivers quarterly phishing simulation exercises to all employees to help them recognize social engineering attacks before a real…
- A company configures a deny-by-default firewall at its network perimeter that blocks all unauthorized inbound connections. How should this…
- A data center administrator installs a next-generation firewall at the network perimeter to block all unauthorized inbound traffic based on…
- A security team delivers quarterly phishing simulation exercises to all employees, teaching them to identify and report suspicious emails…
- A security team conducts monthly classroom sessions teaching employees to recognize social engineering attacks, handle data properly, and…
- Compensating means a substitute for a control you can't use
A compensating control is one employed in lieu of a required control, providing equivalent or comparable protection, typically because the primary control can't be implemented, such as isolating a legacy server on its own VLAN with extra monitoring when a vendor patch breaks the app. It is the most over-selected wrong answer, so the exam tell is explicit substitution language: "cannot patch right now," "the vendor no longer supports it," "in place of," "as an alternative to." Without that signal, a different type is correct.
Trap Reaching for compensating on any layered defense: without explicit "in lieu of" or "cannot implement the required control" language in the stem, it is over-selected and wrong.
7 questions test this
- During a compliance audit, an assessor evaluates an alternative control deployed because the organization has a documented technical…
- A payment card processor operates a legacy mainframe that cannot support the encryption algorithm required by its compliance framework. The…
- An organization's security policy mandates biometric scanners for server room access, but installation is delayed by six months. In the…
- During a PCI DSS assessment, an auditor finds that a legacy point-of-sale terminal cannot support the required multifactor authentication…
- Which statement BEST describes the defining characteristic that differentiates compensating controls from deterrent and directive control…
- During a compliance audit, an organization demonstrates that its legacy mainframe cannot support required password complexity standards.…
- A company's legacy point-of-sale system cannot support the encryption standard required by PCI DSS. The security team deploys additional…
- An extra layer is not automatically a compensating control
A control added purely for defense-in-depth, while the required primary control is present and working, is preventive, detective, or whatever it does in its own right, not compensating. Compensating applies only when the primary control is being substituted for; a second layer stacked on a functioning first layer never qualifies on that basis alone.
Trap Calling a redundant second layer compensating because it backs up the first - compensating requires substituting for an absent or infeasible primary control, not reinforcing a working one.
- Directive controls instruct people what to do
Directive controls steer behaviour through instruction: an acceptable-use policy, a posted operating procedure, a standard staff must follow, or an onboarding requirement. The tell is language about telling people what is and isn't allowed; the answer is the instruction itself, not a technical mechanism that enforces it. A firewall blocking the traffic is technical/preventive, while the policy that says "don't use unauthorized apps" is directive.
Trap Picking the technical control that enforces a rule instead of the directive - the policy telling staff what to do is directive, while the firewall enforcing it is technical/preventive.
6 questions test this
- A regulatory body mandates that all financial institutions maintain a written information security program and requires employees to follow…
- An organization publishes a mandatory policy requiring all employees to store work documents exclusively on company-approved cloud…
- An organization's acceptable use policy instructs employees to lock workstations when unattended and prohibits connecting personal devices…
- A CISO publishes a mandatory standard requiring all employees to use approved encrypted channels when transmitting sensitive data and to…
- The CISO publishes an updated acceptable use policy (AUP) that specifies how employees must handle corporate data and use company systems.…
- An organization distributes a mandatory acceptable use policy requiring all employees to use only approved software, access corporate…
- Recording CCTV is detective, never preventive on its own
A closed-circuit camera is technical by category and stays that way. A camera that records for later review is detective; a prominently visible one meant to scare off intruders is deterrent. CCTV is never preventive by itself (recording an intrusion documents it but does nothing to stop it) so "CCTV = preventive" is a stock wrong answer.
Trap Calling a camera preventive: it records or deters but cannot physically block entry, so its type is detective or deterrent, not preventive.
- A login banner or warning sign is deterrent, not preventive
A login banner warning of monitoring, a "Beware of dog" sign, or a no-trespassing sign only discourages. It does nothing to physically block, so its type is deterrent, not preventive. Contrast a lock, which physically stops entry and is therefore preventive; the test is whether the control stops the act or merely warns against it.
Trap Marking a warning banner or no-trespassing sign preventive - it only discourages and cannot stop the act, so its type is deterrent.
3 questions test this
- A company places signs outside its server room that read 'RESTRICTED AREA — All Activity Monitored — Unauthorized Access Subject to…
- A security manager installs prominent signs at all facility entrances warning that the premises are under 24-hour video surveillance and…
- A company displays a banner on all workstation login screens stating that unauthorized access is prohibited and that all user activity is…
- Restore-from-backup and patching are corrective
Restoring from backup, patching the exploited flaw, and an IPS resetting a malicious session all act after the incident, so they are corrective, not preventive. CompTIA frames restoring from backup as corrective even though a backup arguably "prevents" permanent data loss. Reward the after-the-incident action the stem describes, not the backup's general purpose.
Trap Marking restore-from-backup as preventive because backups guard against data loss: the recovery action happens after the incident, making it corrective.
- A policy that mandates a technical control is managerial
A policy or standard that requires a firewall is managerial: the document is the control. The firewall it calls for is technical. Classify the mandate by what it is (a governing document), never by the technology it happens to demand.
Trap Calling a standard technical because it mandates a firewall - the governing document is managerial regardless of the technology it requires.
- Resolve multi-membership by the emphasised verb
Many real controls fit more than one type, so the category is usually fixed and the type follows the scenario's stated objective. A guard is always operational but reads as preventive (turning people away), deterrent (visibly patrolling), or detective (spotting an anomaly) depending on the sentence's emphasis. Anchor on the verb the stem stresses, and never default to compensating unless substitution language is explicit.
- The taxonomy maps onto NIST SP 800-53 control families
The SY0-701 category/type vocabulary lines up with NIST SP 800-53 Rev. 5 control families: Physical and Environmental Protection ≈ physical; Access Control and System and Communications Protection ≈ technical preventive; Audit and Accountability ≈ technical detective; Contingency Planning and Incident Response ≈ corrective; Planning and Program Management policy families ≈ managerial/directive. The mapping is for understanding only: you don't need the two-letter family identifiers for SY0-701.
- Defense in depth wants a deliberate mix of types
A program leaning entirely on preventive technical controls is brittle, and the exam-correct gap is usually missing detective controls (you can't see an incident you failed to prevent) and corrective controls (you can't recover from one). The right answer adds the absent lifecycle stage rather than stacking yet another preventive control on top of the ones already there.
Trap Answering a defense-in-depth gap with another preventive control: the missing piece is almost always the detective or corrective stage, not more prevention.
Fundamental Security Concepts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Classify every control by which CIA leg it protects
The CIA triad is the three goals every security control serves: confidentiality (preserving authorized restrictions on access and disclosure), integrity (guarding against improper modification or destruction, including authenticity), and availability (timely, reliable access to information). SY0-701 items make you tag a control by its leg: encryption, access control, and masking serve confidentiality; hashing, digital signatures, and checksums serve integrity; redundancy, backups, and DDoS protection serve availability.
Trap Mislabeling which CIA leg a control serves, such as tagging hashing or a digital signature as confidentiality when both serve integrity.
6 questions test this
- After a RADIUS server authenticates a VPN user, it applies role-based policies that restrict the user to only the finance department's…
- An enterprise configures its centralized AAA server to enforce role-based policies ensuring employees can only access documents matching…
- A security team implements centralized audit logging with write-once storage and cryptographic hash chaining for all log entries. Which…
- An administrator forwards all AAA server audit logs to a centralized write-protected server to prevent modification after collection. This…
- A healthcare organization restricts electronic access to patient records so that only physicians assigned to a specific case can view the…
- A security team stores centralized audit logs on write-once, append-only storage and applies strict access controls to prevent unauthorized…
- DAD names the violation of each CIA leg
DAD is the attacker-side mirror of CIA: Disclosure violates confidentiality, Alteration violates integrity, and Denial (or Destruction) violates availability. Use it to label incidents: a data leak is disclosure/confidentiality, tampering is alteration/integrity, and an outage is denial/availability.
Trap Mismatching a DAD term to its CIA leg, such as mapping Alteration to availability instead of integrity.
- The CIA legs trade off; they are not co-maximized
CIA goals are in tension, not three dials all pushed to maximum. Hardening confidentiality with heavy encryption and strict key custody can cost availability if a key is lost, and replicating broadly for availability widens the confidentiality attack surface. Good design balances the legs against data sensitivity and risk appetite rather than maxing one in isolation.
- Non-repudiation proves who acted so they cannot deny it
Non-repudiation is assurance that a party cannot credibly deny having performed an action, such as sending a message or approving a transaction. NIST ties it to proof of origin verifiable by a third party via the signer's private key. It is a goal distinct from confidentiality and integrity: a system can keep data intact and secret yet still fail to prove which user produced it.
8 questions test this
- A healthcare organization requires physicians to digitally sign all prescription approvals and records each signed approval in a…
- During an investigation, an employee denies having deleted sensitive files from a shared drive. The security team presents digitally signed…
- A security architect must select a cryptographic mechanism that simultaneously provides origin authentication, data integrity, and…
- An organization's audit logs show that the account 'admin_shared' deleted critical database records at 2:15 AM. Investigation reveals that…
- A software vendor digitally signs each update package before distribution. When a customer successfully verifies the signature using the…
- A financial institution requires that all electronically submitted contracts be verifiable for authorship and remain unaltered after…
- A development team requires that software updates distributed to customers can be verified as unaltered, traceable to the original…
- A hospital needs to ensure that physicians cannot deny having authorized electronic prescriptions. Which solution BEST provides…
- Use a digital signature when you need integrity AND non-repudiation
A digital signature is the answer when a scenario demands both that a message was not altered and that one specific party demonstrably sent it, because it binds the action to the signer's private key. A plain hash or a symmetric MAC/HMAC gives integrity only: a hash carries no identity, and a MAC's shared key cannot single out one signer.
Trap Offering a hash or HMAC for non-repudiation: both prove integrity, but a shared MAC key can't pin the action to one signer.
6 questions test this
- A healthcare organization requires physicians to digitally sign all prescription approvals and records each signed approval in a…
- A financial institution requires that customers who authorize wire transfers cannot later deny having initiated the transaction. Which…
- An enterprise deploys a contract management system where legal staff create and approve binding agreements. Management requires that every…
- A procurement manager digitally signs a purchase order using their private key. Later, the manager denies approving the purchase. The…
- A financial institution requires that all electronically submitted contracts be verifiable for authorship and remain unaltered after…
- A hospital needs to ensure that physicians cannot deny having authorized electronic prescriptions. Which solution BEST provides…
- AAA runs authentication, then authorization, then accounting
AAA is authentication (proving who a subject is), authorization (determining what that proven identity may do, enforcing least privilege), and accounting/auditing (recording what it actually did). The order is load-bearing: authorization without prior authentication is meaningless, so a stem that authorizes before identifying is wrong.
Trap Conflating authorization with authentication, treating the check of what a subject may do as the same step that proves who it is.
10 questions test this
- A network engineer authenticates to a router using TACACS+ and executes several configuration commands during the session. Later, the IT…
- An organization discovers unauthorized changes to a financial database. Audit logs confirm the changes were made using a service account…
- A network administrator configures a centralized AAA server to record every command executed on network switches, including the user…
- A hospital must ensure that every access to patient records is individually attributable to a specific employee for regulatory compliance.…
- A user logs into a cloud-based financial system and downloads a sensitive quarterly report. The AAA server verified the user's credentials…
- A company's security policy requires that all administrative actions on network devices be individually traceable to the person who…
- An enterprise deploys a contract management system where legal staff create and approve binding agreements. Management requires that every…
- An organization's audit logs show that the account 'admin_shared' deleted critical database records at 2:15 AM. Investigation reveals that…
- A security administrator must ensure that all user activities on the corporate network can be tracked and attributed to specific…
- A security team must generate a detailed record of all user sessions on the corporate network, including login timestamps, resources…
- Know the five authentication factor categories the exam tests
SY0-701 tests five factor categories: something you know (knowledge: password, PIN), something you have (possession: TOTP token, smart card, hardware key), something you are (inherence/biometric: fingerprint, face, iris), somewhere you are (location: GPS/geofence, source IP), and something you do (behavior: typing cadence, gait). NIST's classic three are know/have/are; CompTIA adds location and behavior.
Trap Miscategorizing a factor, such as calling a smart card or hardware token 'something you know' when possession of the device makes it 'something you have'.
- MFA combines factors from different categories, not duplicates
Multi-factor authentication requires more than one distinct TYPE of factor, not two of the same kind. A password plus a PIN is NOT MFA because both are 'something you know'; a password plus a TOTP code IS MFA because it pairs knowledge with possession. The category mix is the testable point, not the number of prompts.
Trap Counting password-plus-security-question (or password-plus-PIN) as MFA: two knowledge factors are still a single category.
- People and systems authenticate by different means
SY0-701 separates authenticating people from authenticating systems. People use passwords, tokens, and biometrics; systems and devices use certificates (PKI), pre-shared keys, or hardware roots of trust, for example a server proving identity in a TLS handshake, or an endpoint presenting a device certificate via 802.1X.
- Zero trust never grants trust from network location
Zero trust grants no implicit trust to an asset or account based solely on its physical or network location or ownership; every request is authenticated and authorized before access. The exam-portable idea: being inside the perimeter earns nothing. A flat internal network with implicit trust is exactly what zero trust replaces.
Trap Assuming traffic from inside the corporate LAN is trusted: under zero trust, internal location grants no implicit trust.
3 questions test this
- An organization's current network architecture automatically grants all internal LAN devices broad access to shared resources without…
- An organization grants all devices on the internal corporate LAN unrestricted access to file servers and databases after initial VPN…
- An organization replaces VLAN-based network segmentation with identity-based micro-segmentation as part of its Zero Trust Architecture.…
- Zero trust separates a control plane from a data plane
Per NIST SP 800-207, a zero-trust architecture uses a control plane to make and communicate access decisions and configure communication paths, kept logically separate from the data plane where application traffic flows once access is enforced. The decision channel and the traffic channel are distinct.
- The policy engine decides; the policy administrator executes
In NIST SP 800-207 the policy engine (PE) makes and logs the ultimate grant/deny/revoke decision using a trust algorithm fed by enterprise policy and external signals. The policy administrator (PA) executes that decision by establishing or tearing down the communication path between subject and resource. Deciding versus enforcing the decision are two distinct logical roles.
Trap Crediting the policy administrator with making the grant/deny decision when it only executes the decision the policy engine reaches.
- PE plus PA form the PDP; the PEP is separate
NIST SP 800-207 groups the policy engine and policy administrator into one logical policy decision point (PDP). The policy enforcement point (PEP) is the distinct component that actually enables, monitors, and terminates the connection between the subject and the protected resource: it acts on the PDP's decision rather than making it.
Trap Having the policy enforcement point decide access when it only acts on the PDP's decision by enabling or terminating the connection.
3 questions test this
- In a Zero Trust Architecture based on NIST SP 800-207, the policy engine and policy administrator operate on the control plane to evaluate…
- In a zero trust architecture as described by NIST SP 800-207, communication is logically separated into a control plane and a data plane.…
- A security architect designing a zero trust architecture must understand how access decisions are structured. According to NIST SP 800-207,…
- Zero-trust access is dynamic and adapts to context
Zero-trust access is governed by dynamic policy evaluated per request, not static perimeter rules. Adaptive identity adjusts trust using context such as device posture, observed behavior, and risk signals, so the same user may be allowed, challenged, or denied depending on conditions at that moment.
- Zero trust grants access per session with least privilege
Among the NIST SP 800-207 tenets the exam leans on: all data sources and computing services are treated as resources; all communication is secured regardless of network location; access to a resource is granted per session with least privilege and does not carry to other resources; and all authentication and authorization are dynamic and strictly enforced before access is allowed.
Trap Assuming one access grant carries over to other resources, when zero trust scopes each grant per session to a single resource.
- Any touch of a decoy is high-confidence evidence of attack
Deception technology plants assets with no legitimate business purpose, so any interaction with them is high-confidence evidence of malicious activity. The false-positive rate is near zero because no normal user has a reason to touch a decoy, which makes deception an early, high-confidence intrusion-detection layer rather than a preventive control.
Trap Classifying deception as a preventive control, when planting decoys detects and alerts on intrusion rather than blocking it.
- Honeypot is one decoy host; honeynet is a decoy network
A honeypot is a single decoy system with no legitimate purpose, alerting on any connection to it. A honeynet is a network of honeypots imitating a realistic environment, luring an intruder into exploring fake systems while generating intelligence on their tactics and lateral-movement patterns.
- Honeyfile is a bait file; honeytoken is a bait record
A honeyfile is a decoy file (such as a fake passwords.txt) that triggers an alert when opened, copied, or exfiltrated. A honeytoken is a bogus data record: a fake credential, fake database row, or canary API key, whose use anywhere reveals a breach.
- A decoy must hold no real data and grant no live access
A deception asset works as a tripwire only if it contains no real data and grants no live access. A poorly isolated honeypot or honeyfile becomes an attacker foothold rather than a detection mechanism, converting your tripwire into their pivot point.
Trap Stocking a honeypot with real credentials or live network reach to make it convincing: that turns the decoy into a usable foothold.
Cryptography and PKI
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Change Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Threats, Vulnerabilities, and Mitigations
Threat Actors and Motivations
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Classify a threat actor on three axes, not one label
SY0-701 Objective 2.1 profiles every actor on three axes, not a single tag: the TYPE (nation-state, unskilled attacker, hacktivist, insider threat, organized crime, shadow IT), the ATTRIBUTES (internal vs. external, resources/funding, level of sophistication/capability), and the MOTIVATION. No one clue names the actor: weigh access, resources, and the stated motive together before choosing a type, because techniques alone overlap across categories.
Trap Naming the actor from a single signal such as a sophisticated tool, when objective 2.1 deliberately separates type, attributes, and motivation.
4 questions test this
- A security team is briefing executive leadership on two organizational risk categories. Which statement BEST distinguishes shadow IT from…
- A security analyst reviews two findings: (1) the marketing team has been uploading customer records to an unauthorized cloud design…
- A security team is evaluating organizational threats. Which statement BEST contrasts shadow IT and unskilled attackers as threat sources?
- A security analyst reviews two incidents: an employee installed an unauthorized wireless access point in a conference room, and an external…
- The nation-state profile is the APT: top resources, longest persistence
Nation-state is the actor type SY0-701 maps to the advanced persistent threat (APT) concept: not a synonym CompTIA lists, but the profile the term describes. NIST defines an APT as an adversary with sophisticated expertise and significant resources that uses multiple attack vectors to pursue its objectives repeatedly over an extended period, adapting to defenders. That means custom tooling, the highest funding and capability, and prolonged stealthy residence; the motivations are espionage and war.
Trap Treating APT as a kind of malware or a single named group, when the term describes the nation-state actor profile of sustained, well-resourced intrusion.
7 questions test this
- During an incident investigation, analysts discover custom zero-day exploits, purpose-built command-and-control infrastructure, and…
- An incident response team discovers a sophisticated implant on a government agency network that uses previously unknown vulnerabilities,…
- A security team is assessing two threat groups. Group A receives government funding, operates dedicated research teams, and targets foreign…
- A threat intelligence analyst is profiling a newly identified threat group. The group's campaigns consistently target government agencies…
- A threat intelligence report describes a group with dedicated research teams that independently discover zero-day vulnerabilities and…
- During an incident investigation, a security team discovers that attackers compromised a pharmaceutical company, maintained covert access…
- A security analyst reviews indicators of compromise from an intrusion at a government defense contractor. The attackers used custom…
- Resources and sophistication rise together at the top tier
For top-tier actors, funding and technical capability move together: nation-states carry the highest resources and sophistication, and organized crime is high on both. The standout exception is the unskilled attacker: low capability that can still inflict high impact by running a borrowed, potent tool, so capability and impact are not the same axis.
Trap Reading high impact as proof of high sophistication, when a low-skill actor wielding a powerful off-the-shelf tool produces the same damage.
- Low sophistication never proves a low-tier actor
Sophistication is a weak identifier on its own: a capable actor may deliberately use crude, commodity tooling for deniability, and an insider may need only a single simple command. High impact does not prove high skill and a low-skill action does not prove an unskilled attacker: the access and the motive carry as much weight as the technique.
Trap Labeling any crude or low-skill action an unskilled attacker, when a capable actor may choose commodity tooling for deniability.
- Organized crime is profit-driven, not statecraft
Organized crime is external, well-funded, and capable, but its defining motivation is money: financial gain, blackmail/extortion, and selling exfiltrated data, the ransomware-as-a-business profile. When its techniques resemble a nation-state's, the discriminator is money versus intelligence: a profit motive points to organized crime, a strategic/espionage motive to a state actor.
Trap Calling a polished, well-resourced intrusion a nation-state attack, when a financial-gain or extortion motive marks it as organized crime.
5 questions test this
- A hospital's incident response team determines that external attackers gained access through a known unpatched VPN vulnerability, deployed…
- A security team is assessing two threat groups. Group A receives government funding, operates dedicated research teams, and targets foreign…
- A cybercriminal group deploys ransomware against hospitals, universities, and retail chains across multiple countries within a single…
- An incident response team investigates an attack where threat actors compromised a hospital network using a publicly available exploit kit,…
- A retail company processes millions of credit card transactions annually but holds no government contracts or classified data. Which threat…
- Hacktivist is defined by cause, not budget or skill
A hacktivist is driven by philosophical or political belief and aims to disrupt, embarrass, or publicize: defacement, data leaks, DDoS. Sophistication and funding vary widely across hacktivists, so infer the type from an ideological/political motive plus a public, attention-seeking outcome, never from skill or resource level.
Trap Ruling out a hacktivist because the operation looked unsophisticated or low-budget, when the cause-driven motive is the defining attribute.
3 questions test this
- An external group launches a distributed denial-of-service attack against a corporation's public website to protest its environmental…
- An external group with no organizational affiliation launches a DDoS attack against a corporation's public website and publishes a…
- A group of activists who oppose a government surveillance program deface several government agency websites, posting messages condemning…
- Insider threat is defined by authorized access
An insider threat is anyone with legitimate, authorized access (employee, contractor, or partner) who uses it to harm the organization. NIST's definition turns on that access being used wittingly or unwittingly, so the defining trait is internal placement that bypasses the perimeter, not technical skill or malicious intent.
Trap Limiting the insider category to direct employees, when contractors and partners holding authorized access also qualify.
6 questions test this
- A security investigation reveals that proprietary engineering designs were leaked to a public forum alongside a political statement…
- A software developer at a defense contractor, personally opposed to the company's weapons programs, copies sensitive project documents and…
- An employee at a defense contractor copies classified documents and leaks them to journalists because the employee believes the government…
- A risk assessment team is comparing the characteristics of insider threats versus hacktivists for an enterprise risk profile. Which…
- An organization suspects a disgruntled employee is exfiltrating proprietary data, but no anomalies appear in firewall logs or IDS alerts.…
- A recently terminated database administrator uses credentials that were not deprovisioned to log in remotely and delete critical customer…
- Insider threats include the careless, not just the malicious
NIST's insider-threat definition covers both witting and unwitting misuse of authorized access, so an employee who clicks a phish or misconfigures a share is an insider-threat exposure even with no ill intent. Malicious insiders add deliberate motives (revenge, financial gain, and espionage) but intent is not required for the category to apply.
Trap Restricting insider threat to disgruntled, deliberate sabotage, when NIST explicitly includes the unwitting, negligent employee.
- Unskilled attacker is SY0-701's term for 'script kiddie'
SY0-701 retires 'script kiddie' and uses 'unskilled attacker' for the low-capability actor who runs tools, scripts, and exploits written by others without understanding the internals. Borrowed tooling can still cause serious damage, so the low skill level does not bound the impact.
Trap Looking for the term 'script kiddie' on the exam, when SY0-701's objective list names this actor 'unskilled attacker.'
5 questions test this
- Firewall logs reveal repeated automated scans from a single external IP address using a widely available open-source vulnerability scanner…
- A security analyst reviews IDS logs and discovers an external IP address running automated SQL injection attacks against multiple…
- A teenager downloads a freely available exploit script from a hacking forum and runs it against a random small business website to impress…
- A security analyst is comparing the risks introduced by shadow IT and unskilled attackers. Which statement BEST differentiates these two…
- A security analyst observes an external IP address running a well-known vulnerability scanning script with default settings against the…
- Shadow IT is a risk condition, not an adversary
Shadow IT is hardware, software, or cloud services deployed inside the organization without IT/security approval: unmanaged, unpatched, and invisible to defenders. SY0-701 lists it among threat actors, but it is a self-inflicted exposure the org creates rather than a hostile person; the actual attacker is whoever later exploits the unmanaged asset.
Trap Picturing shadow IT as an external attacker, when it is an internal, unapproved deployment that merely creates the opening.
7 questions test this
- An IT audit reveals that several departments independently deployed unapproved SaaS applications storing company data outside the…
- A marketing department subscribes to an unapproved cloud file-sharing service to meet a project deadline without notifying the IT…
- A security analyst is comparing the risks introduced by shadow IT and unskilled attackers. Which statement BEST differentiates these two…
- Several departments store sensitive customer records in personal cloud accounts that the IT department has not approved or assessed. Which…
- An organization discovers that employees in several departments have been uploading proprietary product designs to personal cloud storage…
- An organization discovers that multiple employees have been using personal cloud storage accounts to share work documents containing…
- A risk assessment identifies both shadow IT usage and external unskilled attacker probing as active threats. Which characteristic MOST…
- Internal vs. external decides which control fails first
The internal/external attribute determines which control breaks first: an external actor is meant to be stopped at the edge, while an internal (insider) actor sails past the perimeter and is caught only by least privilege, separation of duties, and user-behavior analytics (UEBA). Mapping the attribute to the failing layer is what 'best control' questions test.
Trap Reaching for a firewall or perimeter control to stop an insider, when an internal actor is already past the edge and is checked by least privilege and UEBA.
- Motivation is the strongest disambiguator between actors
When two actor types share a technique, the stated motivation usually decides between them: espionage or war points to a nation-state; financial gain, blackmail, or data resale to organized crime; philosophical/political belief to a hacktivist; revenge to a disgruntled insider. SY0-701 lists these as distinct objective-2.1 motivations precisely so they can separate look-alike actors.
Trap Picking the actor from the shared technique, when the stated motivation is the field that separates look-alike actors.
- Data exfiltration splits by who benefits from the stolen data
Data exfiltration is an objective-2.1 motivation that maps to more than one actor, so it disambiguates by beneficiary: stealing for strategic intelligence implies a nation-state, while stealing to sell or extort implies organized crime. Use statecraft versus profit, not the act of exfiltration itself, to pick between them.
Trap Treating data exfiltration as a single-actor signal, when the beneficiary (strategic intelligence versus profit) decides between nation-state and organized crime.
- 'Ethical' is the authorized tester's motivation, not an attack
The 'ethical' motivation in objective 2.1 describes a penetration tester or bug-bounty researcher operating under rules of engagement: lawful and sanctioned activity. Never map it to a malicious actor or treat the activity as an incident to contain; it is listed to be contrasted with hostile motives, not grouped with them.
Trap Treating authorized, ethical testing as a breach to escalate, when it is sanctioned work performed under rules of engagement.
- Match the mitigation to the actor's defining attribute
Best-control questions chain actor to attribute to control: insider (already inside) maps to least privilege, separation of duties, and UEBA; nation-state/APT (long dwell, custom exploits) to defense in depth and detective/behavioral controls; unskilled attacker (known public exploits) to patch management and hardening; shadow IT (unmanaged assets) to asset discovery, inventory, and acceptable-use policy. The control follows from the attribute, not the actor's name.
Trap Choosing the control by the actor's name, when the defining attribute (already-inside, long dwell, public exploit, unmanaged asset) dictates the best control.
- Nation-states may run financial crime to fund their missions
Although nation-state actors are defined by strategic and espionage objectives, some (notably DPRK-linked groups) also run financially motivated operations such as cryptocurrency theft and even ransomware-as-a-service to fund those missions or mask intelligence-gathering. A financial-gain signal therefore does not by itself rule out a state-sponsored actor; weigh it against targeting and strategic intent.
Trap Ruling out a nation-state the moment a financial motive appears, when state-sponsored groups also run profit operations to fund or mask their missions.
4 questions test this
- Threat intelligence analysts determine that a state-sponsored group has been stealing cryptocurrency to fund its primary mission of…
- A threat intelligence briefing reveals that a government-backed cyber group steals cryptocurrency to fund its primary espionage mission…
- A threat intelligence report describes a group that primarily conducts espionage against foreign governments while also stealing…
- Analysts investigating a breach discover that attackers first quietly exfiltrated defense-related documents from a government contractor,…
- RaaS splits the operator who builds from the affiliate who deploys
Ransomware-as-a-Service is a division-of-labor model: an operator develops and maintains the payload, payment portal, and data-leak site, while affiliates rent those tools (often buying initial network access from access brokers) and carry out the actual intrusions. The affiliate keeps the majority of each ransom and the operator takes a cut (commonly ~30-40%), so the group that deploys ransomware against a target is the affiliate, not the developer.
Trap Attributing the intrusion to the ransomware developer, when under RaaS the affiliate is the party that selects the target and deploys the payload.
5 questions test this
- A criminal group develops ransomware payloads, maintains leak sites, and provides ransom negotiation portals. External cybercriminals…
- A threat intelligence report describes a criminal ecosystem where one group develops ransomware payloads and infrastructure, a second group…
- A threat intelligence report describes a cybercriminal operation where one group develops ransomware payloads and maintains victim payment…
- A cybersecurity investigation reveals that one criminal group developed the ransomware payload, a separate group sold stolen VPN…
- A security analyst investigating a ransomware incident discovers that the attackers obtained the encryption payload, payment portal, and…
Threat Vectors and Attack Surfaces
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A vector is one route; the attack surface is every route summed
A threat vector (attack vector) is the specific route of a single intrusion: one phishing email, one open port, one rogue USB. The attack surface is the aggregate of every reachable entry point: each interface, port, service, account, device, and human. So the vector answers how this one attack got in, while the attack surface is the total exposure you work to shrink. The two terms are not interchangeable on the stem.
Trap Treating "attack vector" and "attack surface" as synonyms: the vector is one path, the surface is the sum of all of them.
- Classify a delivery vector by its channel or its payload container
Message-based vectors deliver lures or payloads over a messaging channel: email, SMS, or instant messaging; file-based vectors hide malicious code inside a document, script, archive, or executable the user opens; image-based vectors conceal payloads within image files via steganography or a malformed parser. The categories overlap deliberately: a phishing email (message-based) can carry a weaponized attachment (file-based), so classify by whichever the stem emphasizes: the delivery channel or the payload's container.
Trap Forcing a phishing email with a malicious attachment into one bucket, when it is both message-based delivery and a file-based payload; classify by what the stem emphasizes.
- Voice-call vectors enable vishing; removable media carries malware in or data out
A voice-call vector is the phone channel exploited for vishing. A removable-device vector (USB sticks and external media) both introduces malware and exfiltrates data, and is countered by device-control/USB-blocking policy, disabling autorun, and physically locking down ports. The removable-media risk is two-directional: it is as much a covert exfiltration path as an infection path.
Trap Treating a USB drive as only an inbound malware-infection risk, overlooking that the same removable media is a covert outbound data-exfiltration path.
- Unsecure-network vectors are fixed by encryption and segmentation, not just logging
Unsecure-network vectors include open or weakly encrypted wireless (including rogue APs and evil-twin APs), flat unsegmented wired LANs that let one foothold reach everything, and discoverable Bluetooth radios. Mitigate by closing the exposure itself: strong encryption (WPA2/WPA3), network segmentation, and disabling unneeded radios. Adding more logging is detective only: it watches the weakness without removing it.
Trap Answering "increase logging/monitoring" to reduce an unsecure-network vector: detection observes the exposure but does not shrink it.
- Every listening port is an entry point: inventory and close what isn't needed
An open (listening) service port is a potential entry point and the first place attackers and assessors probe during discovery. Inventory listening ports and firewall or close anything not required; never leave high-value services such as RDP (3389), SMB (445), or admin consoles directly internet-facing, since those are top targets for brute-force and worm propagation.
- Default credentials are a one-step compromise: change them before deployment
Factory-default usernames and passwords left on routers, IoT devices, databases, and admin consoles let an attacker in with a single publicly known value, and automated malware (e.g. Mirai) scans the internet for exactly these. The control is to change every default credential before the device goes into production: leaving a known default on a reachable device is a major, widely exploited risk.
- Patchable software is a temporary vector; unsupported software is a standing one
Vulnerable software with an available patch is a vector only until you update it. Unsupported (end-of-life) software is a standing vector: the vendor ships no patches at all, so a known CVE stays exploitable indefinitely, which is why the exam-correct treatment for EOL is replacement. When you can't replace it yet, isolate and compensate with segmentation and virtual patching.
Trap Answering "keep patching" for end-of-life software: the vendor issues no patches, so the fix is replacement (or isolation), not a patch that doesn't exist.
- Phishing, vishing, and smishing are the same con over different channels
The three differ only by delivery channel: phishing = fraudulent email, vishing = voice/phone call, smishing = SMS/text. The exam tests the medium word, so a text-message scenario is smishing even when the lure reads exactly like a phishing email. Match the term to the channel named in the stem, not to the content of the message.
Trap Calling a text-message scam "phishing" because the lure sounds email-like: the SMS channel makes it smishing.
5 questions test this
- An employee's corporate mobile phone receives a text message stating: 'ALERT: Your company VPN token expires today. Tap here to renew:…
- An attacker uses a VoIP service to place automated phone calls to hundreds of bank customers. The caller ID is spoofed to display the…
- An employee's corporate mobile phone receives a text message claiming to be from the IT help desk. The message warns that the employee's…
- An employee receives a text message on their corporate phone stating their benefits enrollment expires in one hour and providing a…
- An employee receives a text message on their personal mobile phone stating their corporate account has been compromised and they must…
- Spear phishing is targeted; whaling targets the executive
Spear phishing is phishing aimed at a named individual using researched personal detail, trading volume for higher conviction. Whaling is spear phishing specifically directed at a high-value executive (CEO, CFO). Bulk, generic, untargeted email is plain phishing: the discriminator is how specific and senior the target is.
Trap Labeling a targeted lure aimed at the CFO "spear phishing" when the senior-executive target makes it whaling.
3 questions test this
- A security analyst discovers that several highly personalized emails referencing upcoming board meeting topics were sent exclusively to the…
- A company's chief financial officer receives a personalized email appearing to come from the CEO, urgently requesting a wire transfer to…
- A company's chief financial officer receives an email that appears to be from the CEO. The message references a confidential acquisition…
- Pretexting supplies the fabricated backstory other attacks ride on
Pretexting invents a scenario or backstory that justifies an unusual request, for example posing as IT to "verify" a password. It is channel-agnostic and functions as a building block beneath many other social-engineering attacks rather than only as a standalone technique, so a stem that hinges on the believable cover story (not the delivery channel) is pointing at pretexting.
Trap Classifying an attack by its delivery channel when the stem turns on the fabricated cover story itself, which is what marks it as pretexting.
- Impersonation borrows a person's trust; brand impersonation borrows a company's
Impersonation poses as a specific trusted person (a colleague, the help desk, an executive) while brand impersonation poses as a trusted company using spoofed logos, look-alike sites, or fake support pages. Both work by borrowing existing trust to lower the target's suspicion; the discriminator is whether the disguise is an individual or an organization.
Trap Picking plain impersonation for a spoofed-logo fake support page, when posing as the company rather than a specific person makes it brand impersonation.
- BEC moves money via a spoofed exec or vendor: verify out-of-band
Business email compromise (BEC) spoofs or hijacks an executive or vendor email account to request a wire transfer or a change to payment/banking details. The tell is a money-movement or invoice/banking-change request appearing to come from leadership or a supplier; the exam-correct control is out-of-band verification (call a known number) never a reply to the email itself, which may be attacker-controlled.
Trap Replying to the suspicious email to confirm the wire request: if the account is hijacked, you are confirming with the attacker; verify on a separately known channel.
- A watering-hole attack poisons a site the targets already trust
A watering-hole attack compromises a legitimate third-party website the target group routinely visits, so victims infect themselves while browsing a site they already trust and the attacker never contacts them directly. Because the malware is served from a legitimate, hard-to-blacklist site, the tell is a normally-trusted site suddenly serving malware to a specific population.
Trap Reading a watering-hole attack as direct phishing, when the attacker never contacts victims and instead poisons a trusted site they choose to visit.
5 questions test this
- A threat intelligence team discovers that a professional association website frequently visited by defense industry employees has been…
- A security analyst discovers that a popular industry trade association website has been injected with malicious code. The code targets…
- A threat intelligence team discovers that attackers identified a niche industry conference website regularly visited by employees at a…
- A nation-state threat actor identifies that engineers at a defense contractor frequently visit a specific industry conference website. The…
- A threat intelligence team discovers that a niche technical forum frequently visited by employees of a specific energy company has been…
- Typosquatting registers look-alike domains to catch mistyped URLs
Typosquatting (a form of URL hijacking) registers misspelled or homoglyph domains that mimic a real brand to capture users who mistype an address, then serves a phishing page or drive-by malware. It overlaps with brand impersonation, so the discriminator is the deceptive domain name itself: a look-alike URL rather than a spoofed message or logo alone.
Trap Labeling a mistyped-URL look-alike domain as brand impersonation, when the deceptive domain name itself is the defining feature of typosquatting.
- Misinformation vs. disinformation turns entirely on intent
Misinformation is false information spread without intent to deceive (an honest error passed along); disinformation is deliberately false content spread to mislead, as in a coordinated influence campaign. On SY0-701 the single discriminator is intent: deliberate falsehood is disinformation. Both are recognized threat vectors because they steer human decisions, and the controls are awareness, source verification, and authoritative channels.
Trap Calling deliberately planted false content "misinformation": intentional deception makes it disinformation.
- Social engineering is countered by people and process, not a patch
Social engineering exploits the human (trust, urgency, authority, fear) rather than a software flaw, so the primary controls are security-awareness training plus process controls such as out-of-band verification of payment or credential changes. A technical fix like patching addresses a different problem; on a social-engineering stem the right answer is almost always training and verification procedure.
Trap Choosing "apply a patch" against social engineering: there is no software bug to patch; the exposure is human, so the answer is training and process.
- Supply chain extends your attack surface into trusted third parties
MSPs, hardware vendors, software suppliers, and open-source dependencies are part of your attack surface because compromising any of them reaches you through a trusted channel that installs with full trust. An MSP with broad remote access can breach many customers from one foothold, and a malicious update from a legitimate supplier installs without question: the trust that makes the relationship useful is exactly what the attacker rides in on.
Trap Scoping the attack surface to your own systems only, when trusted MSPs, suppliers, and dependencies reach you through channels that install with full trust.
7 questions test this
- A managed service provider distributes a routine software update to hundreds of client organizations. Analysts later discover that a threat…
- A trusted third-party accounting software vendor unknowingly distributes malware to all customers after an attacker compromises the…
- An organization's endpoint protection software begins exhibiting unusual behavior after a routine vendor-issued update. Investigation…
- During a physical inspection of new network switches procured from a third-party reseller, security engineers discover unauthorized…
- During a security audit, a government agency discovers that newly procured network switches contain modified firmware with an embedded…
- An organization discovers that a critical security appliance began exfiltrating data after applying the latest vendor-provided firmware…
- During a procurement audit, an organization discovers that network switches purchased from an unauthorized reseller contain firmware that…
- Manage supply-chain risk with due diligence, code signing, and an SBOM
Control supply-chain (MSP/vendor/supplier) risk with vendor due-diligence and security attestations, contractual security requirements, least-privilege access for third parties, code signing and integrity verification of updates, and a software bill of materials (SBOM) that enumerates exactly which dependencies you actually run. The SBOM is what lets you answer "are we affected?" fast when a dependency is found vulnerable.
Trap Reaching for a vulnerability scanner to answer "are we affected?" when an SBOM is what instantly enumerates which dependencies you actually run.
6 questions test this
- A company uses several open-source libraries in its customer-facing web application. After a critical vulnerability is disclosed in one…
- A security team learns that a critical vulnerability has been disclosed in a widely used open-source logging library. The team needs to…
- An organization wants to quickly identify which applications are affected whenever a new vulnerability is disclosed in an open-source…
- An organization uses hundreds of open-source libraries across its applications. After a critical zero-day is announced in a popular logging…
- A company purchases commercial software from multiple vendors for use in its enterprise environment. The security team wants to catalog all…
- A critical vulnerability is disclosed in a widely used open-source logging library. The security team must rapidly determine which…
- Reduce the attack surface by removing exposure, not by watching it
The most effective way to reduce an attack surface is to remove or harden entry points: close unused service ports, change default credentials, decommission unsupported software, disable unused Bluetooth/wireless radios, segment the network, and minimize accounts. Adding a detective layer such as more logging does not shrink the surface: it only observes it, so on a "BEST way to reduce the attack surface" item the answer is elimination, not detection.
Trap Picking "add monitoring/logging" as the best way to reduce the attack surface: detection watches exposure without eliminating it.
- Hardware implants and firmware tampering ride in below the OS
A hardware supply-chain compromise inserts unauthorized chips or modified firmware into a device during manufacturing or shipment, before it ever reaches the buyer. Because the implant lives below the OS, it evades antivirus and host IDS and mimics a legitimate component, so detection relies on physical inspection and firmware-integrity checks rather than software scanning, and buying from unauthorized resellers raises the risk.
Trap Trusting antivirus/EDR to catch a firmware implant: it operates beneath the OS, so software scanning can't see it; detection is physical and firmware-integrity based.
8 questions test this
- During an incoming hardware inspection, a security analyst discovers that newly purchased network switches contain firmware not matching…
- During a post-delivery inspection of new servers, a security team finds tiny unauthorized chips designed to resemble legitimate components…
- During a security audit, an analyst discovers unauthorized microchips soldered onto server motherboards received from a third-party…
- During a routine inspection, a security team discovers that newly delivered network switches contain firmware modifications not present in…
- During a physical inspection of new network switches procured from a third-party reseller, security engineers discover unauthorized…
- During a security audit, a government agency discovers that newly procured network switches contain modified firmware with an embedded…
- During a pre-deployment inspection, a security team discovers unauthorized microchips soldered onto newly purchased network switches. The…
- During a procurement audit, an organization discovers that network switches purchased from an unauthorized reseller contain firmware that…
- Dependency confusion wins by publishing a higher-versioned public look-alike
In a dependency-confusion attack the adversary publishes a malicious package to a public repository using the exact name of a victim's internal/private package but with a higher version number. The package manager's resolution logic prefers the higher version, so it fetches the attacker's public package instead of the intended internal one and executes its code during the build. The defense is scoping/namespacing internal packages and pinning trusted sources so a public higher version can't win.
Trap Assuming a private package always beats a public one of the same name: the resolver picks the higher version number, which the attacker simply sets larger.
4 questions test this
- An attacker discovers that a company uses an internal Python package named 'corp-auth-lib' in its build pipeline. The attacker publishes a…
- During a build process, a developer's package manager fetches a malicious package from a public repository instead of the intended internal…
- A development team discovers that their automated build pipeline fetched a malicious package from a public repository. The package shared…
- A security analyst discovers that an internal CI/CD pipeline fetched a malicious package from a public repository instead of the intended…
- Bluesnarfing silently steals data over Bluetooth; bluejacking only pushes messages
Bluesnarfing exploits a Bluetooth connection (often via the OBEX protocol on a discoverable device) to covertly copy data such as contacts, calendar entries, and emails without the owner's consent. Contrast bluejacking, which only pushes unwanted messages to a device and steals nothing; bluesnarfing exfiltrates data. The roughly 10-meter proximity requirement makes crowded public areas the typical setting, and disabling discoverability is the basic defense.
Trap Confusing bluesnarfing with bluejacking: bluejacking merely sends unsolicited messages, while bluesnarfing actually copies data off the device.
4 questions test this
- An employee's smartphone has contacts, calendar entries, and emails silently copied by an unknown nearby device. A forensic review confirms…
- A security team investigates a data theft incident where contacts, calendar entries, and emails were extracted from an employee's…
- An employee reports that their smartphone contacts and calendar entries were accessed by an unknown device while sitting in a public…
- During a trade show, an executive's smartphone has sensitive contacts and calendar entries exfiltrated. Forensic analysis confirms the…
Malware and Malicious Activity
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Vulnerability Types
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Mitigation Techniques
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Indicators of Malicious Activity
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Architecture
Architecture Models
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Choosing a model re-divides responsibility, never removes it
Objective 3.1 tests the security implications of an architecture model, not how to build it. Every model fixes a boundary of responsibility: moving to cloud, SaaS, or a vendor offloads operational work but never deletes a security control. It only changes who owns each one. The exam-correct read of any model is therefore which controls shifted and which stayed with you.
Trap Treating a move to cloud or SaaS as eliminating a security requirement rather than reassigning who performs it.
- On-premises means you own the entire stack
On-premises puts everything on you: physical facility and HVAC, hardware, hypervisor, OS, application, and data. That buys maximum control and visibility (any agent, any log, any packet) but carries the full patching burden, physical-security cost, and capital expense. It is the baseline the cloud models are compared against on 3.1.
Trap Concluding that because on-premises gives you the most control it is automatically the most secure choice, when it also hands you the full patching and physical-security burden.
Cloud divides security into "of the cloud" (the provider owns the physical datacenter, hosts, and virtualization layer) and "in the cloud," which the customer owns. Regardless of service model the customer always retains data, identities, and access management; those never shift to the provider. So a model only moves the lower-stack work, never accountability for who can touch the data.
Trap Assuming the provider's "of the cloud" duties cover your data and identities. Those stay with the customer in every model.
- The service model decides where the responsibility line sits
Service model sets how much you patch: IaaS leaves the customer the guest OS and everything above it (you patch the OS); PaaS hands you only the application and data (the provider patches the OS and runtime); SaaS leaves you essentially data, identities, and configuration. The more the provider manages, the smaller your patchable surface, and the less host-level visibility you keep. "Who patches the OS?" is the classic IaaS-vs-PaaS discriminator.
Trap Saying the customer patches the operating system in PaaS or SaaS. OS patching there belongs to the provider.
- Cloud offloads operations but not data accountability
Outsourcing to SaaS or a third-party vendor offloads day-to-day operations, but the data owner stays legally and contractually accountable for the data: its classification, protection, and compliance follow the owner, not the host. Any answer claiming "the provider assumes responsibility for your data confidentiality or compliance" is wrong by definition.
Trap Picking the option where signing with a cloud or SaaS provider transfers regulatory accountability for the data to that provider.
- Each hybrid or vendor interconnection is inherited risk
Hybrid clouds and third-party vendors stitch separate estates together, and every interconnection and every vendor adds a trust boundary you didn't fully build. The combined system is only as secure as its weakest link, so the security posture is governed by the least-controlled estate, not your strongest one. This is why third-party/supply-chain risk reviews matter most in hybrid designs.
Trap Rating a hybrid design's security by your most-hardened estate when its real posture is set by the least-controlled interconnection or vendor.
- Virtualization gives strong isolation but makes the hypervisor the surface
Virtualization runs full-OS guest VMs on a hypervisor (the component that manages the guests and mediates their access to hardware) giving strong tenant isolation. The new attack surface is the hypervisor itself: a VM escape lets code break out of a guest to reach the hypervisor or co-resident VMs, the worst-case virtualization flaw. VM sprawl and dormant snapshots quietly become unpatched, unmonitored assets.
Trap Assuming strong VM isolation makes the host irrelevant. A hypervisor compromise or VM escape exposes every co-resident guest.
Containers package an app with its dependencies and share the host OS kernel instead of booting a guest OS, making them far lighter and faster than VMs. The tradeoff is weaker isolation: a kernel exploit or container escape has a larger blast radius across every container on that host. Untrusted or unscanned images add supply-chain risk on top.
Trap Treating a container as equivalent isolation to a VM. The shared kernel makes a host-kernel flaw a shared-fate event.
- VM vs container is an isolation-versus-density trade-off
Choose virtualization when you need the strongest isolation between tenants; choose containers when you need density, portability, and fast scaling and can manage image and kernel hygiene. The kernel-sharing that makes containers efficient is exactly what makes their isolation weaker than a VM's, so the right answer follows whether the scenario stresses isolation or speed/scale.
Trap Selecting containers for a scenario that demands the strongest tenant isolation, when the shared kernel makes a VM the stronger boundary.
- Serverless shrinks the patchable surface but removes host visibility
In serverless (FaaS) the provider runs, patches, and scales the host and runtime; you supply only function code and its permissions. There is no persistent server to put an agent or host logs on, so host-level visibility is gone, and the dominant risks become an over-permissive execution role and insecure code dependencies. Least-privilege on the function's role is the control that matters most.
Trap Reaching for host-based agents or OS hardening to secure a serverless function. There is no host you control; secure the role and dependencies.
- Microservices contain blast radius but multiply east-west boundaries
Breaking a monolith into microservices improves fault isolation and limits blast radius, but it multiplies east-west (service-to-service) calls and authentication boundaries. Every inter-service call now needs its own authentication and authorization, which pushes designs toward mutual TLS and internal zero-trust rather than trusting the internal network. More services means more identities and connections to secure, not fewer.
Trap Assuming services inside the same network can trust each other implicitly. Each east-west call still needs authentication and authorization.
- SDN centralizes policy and makes the controller a high-value target
Software-defined networking decouples the control plane from the data (forwarding) plane so policy is programmed centrally and the network becomes directly programmable. That enables fast, consistent policy, but it concentrates power in the logically centralized SDN controller: compromise it and an attacker can reprogram the whole network. Harden and tightly access-control the controller and its northbound APIs.
Trap Treating the SDN controller as just another network device. It is the single point that, if owned, reprograms the entire fabric.
- IaC is reproducible and auditable, but mistakes propagate at scale
Infrastructure as Code defines infrastructure in version-controlled templates, making environments reproducible, reviewable, and auditable. The flip side is scale: one bad definition, a hardcoded secret in a template, or unreviewed drift replicates to every environment the code provisions. So IaC's security depends on template/secrets scanning and peer review in the pipeline, not on the template language itself.
Trap Hardcoding a credential into an IaC template. Version control then copies the secret into every environment and its history.
12 questions test this
- An organization uses Infrastructure as Code (IaC) to manage its production environment. When a security patch is needed, the team deploys…
- A cloud engineering team uses Infrastructure as Code (IaC) to deploy servers following an immutable infrastructure model. When a security…
- A DevOps engineer discovers that API keys and database passwords are hardcoded inside IaC templates stored in the organization's version…
- An organization uses Infrastructure as Code (IaC) templates to provision cloud environments. A developer commits a template containing an…
- A developer hardcodes database credentials directly into an IaC template and commits it to the organization's shared version control…
- A cloud architect proposes replacing traditional patching cycles with an immutable infrastructure model managed through Infrastructure as…
- An organization uses IaC templates stored in version control to manage all cloud infrastructure. An administrator manually changes a…
- A security architect transitions from manually configured on-premises servers to an IaC deployment model where servers are never modified…
- An organization uses IaC templates to provision its cloud infrastructure. A security analyst discovers that a cloud security group now…
- A company follows an immutable infrastructure model using Infrastructure as Code (IaC). When a security patch is needed, the team destroys…
- An organization manages its cloud infrastructure using IaC templates stored in a version-controlled repository. A security analyst…
- A security team discovers that a production cloud firewall has an open port that does not exist in the organization's IaC template.…
- Centralized versus decentralized trades consistency for resilience
Centralized architecture (one management plane, one IdP, one chokepoint) makes consistent policy and monitoring easy but concentrates risk into a single point of failure and a prize target. Decentralized improves resilience and limits blast radius but makes uniform policy and full visibility harder to achieve. Neither is inherently more secure. The right answer follows whether the scenario prioritizes consistency or fault-tolerance.
Trap Declaring centralized architecture inherently more secure because of its single control point, when that same chokepoint is its single point of failure and prize target.
- In ICS/SCADA, availability and safety outrank confidentiality
Operational technology (ICS/SCADA running physical processes) inverts the usual CIA priority: availability and integrity/safety come first, confidentiality last. A controller that keeps the process running safely matters more than a leaked sensor reading, because downtime or tampering can cause physical harm. NIST SP 800-82 is the authoritative reference for securing these systems.
Trap Applying the standard IT CIA ranking to OT and treating confidentiality as the top priority over keeping the process safely running.
- Protect ICS/SCADA by segmentation, not by patching fast
ICS devices run legacy or vendor-validated firmware with lifespans that can exceed 20 years, and many cannot run anti-malware; taking them offline or actively scanning them can disrupt real-time control. Per NIST SP 800-82, the accepted defense is segmentation (isolating OT from corporate IT into zones joined by controlled conduits) plus compensating controls, patching only after vendor validation in planned maintenance windows.
Trap Prescribing an immediate patch-now or active vulnerability scan against a live ICS device. Either can disrupt the real-time process.
- IoT, embedded, and RTOS are resource-constrained and vendor-locked
IoT, embedded systems, and RTOS run on limited CPU, memory, and power, so they often ship with weak or no crypto, no endpoint agent, and default or hardcoded credentials on vendor-locked firmware that may never be patched. Because you can't harden the device itself, the control is to isolate it on a dedicated segment/VLAN and monitor it from the network.
Trap Planning to install an endpoint agent or push regular patches to a constrained IoT/RTOS device that has no capacity or vendor path for either.
13 questions test this
- A hospital deploys hundreds of IoT medical devices that cannot support endpoint security agents. The security team must limit lateral…
- Embedded controllers in a building automation system are running firmware with known critical vulnerabilities. The manufacturer has ceased…
- Compared to traditional enterprise endpoints, which factor MOST contributes to the expanded attack surface when deploying IoT devices in a…
- A security architect is comparing vulnerability management for traditional IT workstations versus IoT embedded systems. Which statement…
- A company connects 2,000 smart building sensors using default credentials and outdated firmware to its corporate network. Which security…
- An organization deploys IoT environmental sensors that lack sufficient memory to run antivirus software or endpoint detection agents. Which…
- A manufacturing organization deploys 200 IoT temperature sensors with 64 KB of memory and proprietary firmware that cannot support endpoint…
- An enterprise connects 500 new IoT environmental sensors to its corporate network. A security analyst warns this significantly increases…
- A security architect evaluates IoT sensors with 256 KB of memory and low-power microcontrollers for a smart building project. Which…
- A hospital deploys network-connected infusion pumps running proprietary embedded firmware. The pumps lack sufficient processing power and…
- A hospital deploys network-connected infusion pumps running a real-time embedded operating system with 256 KB of RAM. The security team…
- After connecting 500 smart building sensors to the corporate network, a security analyst warns the organization's attack surface has…
- An enterprise adds 2,000 IoT environmental sensors to its corporate network for smart building management. A security assessment reveals…
- An air gap removes network reach, not insiders or USB malware
An air gap physically isolates a network (the strongest segmentation, common around critical ICS) and removes the network-borne attack surface. It does not stop an insider, infected removable media/USB (the vector Stuxnet used to cross into air-gapped centrifuge controllers), or a supply-chain compromise. Treat an air gap as removing reachability, not as complete protection.
Trap Calling an air-gapped network immune to malware. Removable media and insiders still bridge the gap, as Stuxnet demonstrated.
Infrastructure Security
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A control only acts on traffic that reaches it
Device placement is the first infrastructure-security decision, because a control can only inspect or block the traffic that physically passes it. Put filtering and inspection capabilities on the trust boundaries between security zones, where traffic crosses and trust changes; a powerful appliance off the data path sees nothing and protects nothing.
Trap Buying a high-end firewall or IPS but cabling it outside the actual traffic path, so it never inspects the flows it was meant to guard.
- Security zones group hosts by trust level
A security zone is a network segment of like trust: the untrusted internet, a public-facing screened subnet (DMZ) for internet-reachable servers, the trusted internal LAN, and a restricted management zone. Filtering controls live at the boundaries between zones, so a compromise in one zone does not flow freely into a more trusted one.
14 questions test this
- A security team discovers that malware on a compromised accounting workstation spread laterally to HR and engineering systems on the same…
- An organization hosts public-facing web servers and internal database servers on the same flat network. The security architect must allow…
- An organization places public-facing web servers on a screened subnet between an external and an internal firewall. Database servers reside…
- A security architect discovers that the web tier and database tier of a three-tier application share the same network segment, allowing…
- A security architect discovers that a compromised workstation in one department VLAN can freely communicate with servers in another…
- A security architect is designing a DMZ to host public-facing web and DNS servers. The design must ensure that a compromised DMZ server…
- A company hosts a public-facing web application. The architecture must ensure external users reach the web front-end but cannot directly…
- A security architect is designing a three-tier architecture where internet-facing web servers must be isolated from the internal database…
- An organization discovers that a compromised workstation in the accounting department scanned and accessed servers in the human resources…
- A security architect is redesigning the corporate network after malware spread laterally from the accounting department to HR across a flat…
- A company hosts internet-facing web servers and internal application servers. Web servers must be reachable from the internet, but…
- An organization hosts a public web application that queries an internal database. The security team must ensure external users reach only…
- A company hosts public-facing web servers and internal database servers on the same VLAN. A security audit finds that a compromised web…
- A penetration test reveals that a compromised workstation in the HR department can freely communicate with servers in the finance and…
- Attack surface = every reachable interface, port, service, protocol
The attack surface is the full set of boundary points an attacker can reach to enter, affect, or extract data from a system (open ports, running services, exposed protocols, and interfaces) and it grows with connectivity. The cheapest reduction is removing reachability: close unused ports, segment zones, and funnel admin access through one entry, rather than bolting on more appliances.
Trap Trying to shrink the attack surface by stacking on more security appliances, when the real reduction is removing reachability by closing unused ports and services.
- Fail-closed protects security; fail-open protects availability
An inline control's failure mode decides what survives an outage: fail-closed (fail-secure) blocks all traffic when the device dies, preserving confidentiality and integrity, while fail-open passes traffic unfiltered, preserving availability. Set a control guarding regulated or sensitive data to fail-closed; choose fail-open only where an outage must never sever a network whose uptime matters more than inspection.
Trap Defaulting an inline appliance to fail-open in front of regulated data, so a device crash silently lets unfiltered traffic straight through.
- Active blocks; passive only observes
An active device can modify or block traffic (drop a session, deny a flow) whereas a passive device only observes and reports. This attribute describes what the device is permitted to do and is independent of where it sits in the path, so blocking requires an active control regardless of placement.
Trap Conflating active/passive with inline/tap, when active versus passive describes what a device may do while inline versus tap describes where it sits in the path.
4 questions test this
- A security architect needs to deploy a network security appliance that can automatically drop malicious packets in real time before they…
- A security team is evaluating whether to deploy a network sensor in IDS mode or IPS mode. Which statement BEST describes the operational…
- A security architect needs to deploy a network appliance that can detect and automatically drop malicious packets before they reach…
- A security architect needs to deploy a network-based intrusion detection system (NIDS) to monitor traffic without affecting network…
- Inline transits traffic; tap/monitor sees a copy
Inline means traffic physically flows through the device, so it can act on each packet; tap/monitor means the device receives a copy through a network tap or switch SPAN/mirror port and can only observe. Blocking therefore needs active-plus-inline placement, while non-disruptive visibility (analysis that can never accidentally drop production traffic) comes from passive-plus-tap.
Trap Expecting a device on a tap or SPAN/mirror port to block traffic, when it only receives a copy and so can observe but never drop the live flow.
4 questions test this
- A security architect needs to deploy a network security appliance that can automatically drop malicious packets in real time before they…
- A security team is evaluating whether to deploy a network sensor in IDS mode or IPS mode. Which statement BEST describes the operational…
- A security architect needs to deploy a network appliance that can detect and automatically drop malicious packets before they reach…
- A security architect needs to deploy a network-based intrusion detection system (NIDS) to monitor traffic without affecting network…
- IDS detects and alerts; IPS blocks in real time
An IDS is passive and detective: it inspects a copied feed of traffic and raises alerts but cannot stop an attack in progress. An IPS has all of an IDS's detection ability plus the power to act: sitting inline, it drops or blocks the malicious session in real time. The deciding word is the verb: detect/alert points to an IDS, stop/block/prevent points to an IPS.
Trap Choosing an IDS to stop or block an active attack. It only watches a copy and alerts, so it can never sever the malicious flow.
3 questions test this
- A security architect needs to deploy a network security appliance that can automatically drop malicious packets in real time before they…
- A security team is evaluating whether to deploy a network sensor in IDS mode or IPS mode. Which statement BEST describes the operational…
- A security architect needs to deploy a network appliance that can detect and automatically drop malicious packets before they reach…
- Jump server = single hardened admin entry point
A jump server (bastion host) is the sole audited entry into a protected zone, usually management: admins authenticate to it and reach internal hosts from there, so SSH/RDP are never exposed per-host and every session funnels through one logged choke point. The jump server itself must be hardened and tightly scoped, since it becomes the single most valuable target.
Trap Exposing SSH/RDP directly on each internal host to ease access, which scatters management ports across the network instead of one audited gateway.
8 questions test this
- A security team mandates that administrators must not connect directly to production servers in a private subnet. Instead, all…
- An organization requires administrators to manage servers in a protected internal network zone. Direct connections from external networks…
- A security architect is designing a three-tier architecture where internet-facing web servers must be isolated from the internal database…
- An organization's security policy prohibits direct SSH connections from administrator workstations to production database servers in an…
- A security architect needs to allow administrators to manage web servers in the DMZ without exposing management ports directly to the…
- An organization requires all administrators to access production servers through a single hardened intermediary host in a dedicated…
- A company policy requires that administrators authenticate through an intermediary system before accessing production servers in a private…
- A security team deploys a hardened host in a dedicated management VLAN. Administrators must first authenticate to this host before…
- Proxy mediates requests; forward vs reverse differ by side
A proxy breaks the direct connection between client and server, accepting traffic on one side, processing it, and forwarding it on the other. A forward proxy sits between internal clients and the internet for egress filtering, caching, and content control; a reverse proxy sits in front of servers for TLS offload, hiding the origin, and distributing requests. Forward serves the clients; reverse serves the servers.
Trap Swapping the two and using a forward proxy to front and shield public servers, a job that belongs to a reverse proxy serving the server side.
- Load balancer distributes connections for availability and scale
A load balancer is active and inline in front of a server pool, spreading incoming connections across members so the service scales out and survives a member failure. It commonly also terminates TLS to offload encryption work and runs health checks, routing traffic only to members that pass them.
Trap Treating a load balancer as a security filtering control, when its job is distributing connections for availability and scale rather than inspecting or blocking attacks.
6 questions test this
- A company deploys a public-facing web application in the DMZ behind a load balancer. The security team wants to centralize TLS certificate…
- A company deploys public-facing web servers behind a load balancer. Security administrators want to reduce the TLS processing burden on the…
- A load balancer distributes traffic across four application servers. One server's web application crashes, but its operating system and…
- An organization deploys public-facing web servers behind a load balancer in its DMZ. To reduce CPU overhead on web servers while…
- An organization wants to centralize TLS certificate management and reduce the cryptographic processing burden on its backend web servers…
- An organization runs a public-facing web application across six backend servers, each maintaining its own TLS certificate. The security…
- Sensors are passive telemetry feeds for monitoring
Sensors are distributed collection points (typically passive, on taps or SPAN ports) that feed traffic telemetry to monitoring tools or a SIEM. They exist to observe and report, not to act: a sensor surfaces what is happening but does not block it, so the blocking decision belongs to an inline control downstream.
Trap Expecting a passive sensor to block or drop traffic, when its tap/SPAN copy lets it only see and report, never intervene.
- Layer 4 firewall is blind to payload content
A layer 4 (transport) firewall filters on IP address, port, protocol, and connection state (fast, but unconcerned with the content of packets). It cannot distinguish a benign HTTP request from one carrying a SQL-injection string, because both ride the same allowed port; stopping a payload-borne attack needs a layer 7 device that inspects the actual data.
Trap Reaching for a layer 4 / stateful firewall to stop SQL injection or other web-app payload attacks it physically cannot read.
- WAF is a layer 7 control for web-application attacks
A web application firewall inspects HTTP/HTTPS payloads (methods, URLs, headers, and body) to block application-layer exploits such as SQL injection and cross-site scripting, the attacks a port/IP filter cannot see. It is the right answer when the threat is a web-app payload attack; deploy it inline in front of the public web tier.
Trap Treating a WAF as a general network firewall. It specializes in HTTP/HTTPS web exploits, not broad IP/port segmentation.
- NGFW adds app awareness, identity, and IPS to stateful filtering
A next-generation firewall extends stateful layer 3–4 filtering with application awareness, user identity, deep packet inspection, and integrated intrusion prevention in a single engine. Choose it when the enterprise perimeter needs policy that decides on the actual application and user, not just IP and port, without stacking separate appliances.
Trap Picking a UTM for an app- and identity-aware enterprise perimeter, when its all-in-one branch focus lacks the deep application and identity policy an NGFW delivers.
- UTM bundles multiple security functions in one box
Unified threat management consolidates firewall, IDS/IPS, antivirus, and content/URL filtering into a single appliance and console, trading best-of-breed depth for simplicity. It fits small offices and branch sites where running and staffing separate appliances is impractical, accepting that one box doing everything is a single point of both failure and performance ceiling.
Trap Putting a single UTM at a high-throughput enterprise core, where its all-in-one inspection becomes the bottleneck and single point of failure.
- Firewall layer determines what it can decide on
Match the firewall to the decision the question demands: IP/port/state only points to a layer 4 (stateful) firewall; HTTP payload attacks point to a WAF or layer 7 device; an app- and identity-aware enterprise perimeter points to an NGFW; an all-in-one for a small or branch site points to a UTM. The layer a device reads bounds the policy it can enforce.
- Screened subnet (DMZ) isolates internet-facing hosts
A screened subnet (DMZ) is a buffer network inserted between the untrusted internet and the internal LAN, behind firewall policy, that holds internet-reachable servers like web and mail. It gives outside users restricted access to public services while shielding internal systems, so compromising a public host does not hand an attacker direct reach into the internal network.
Trap Placing internet-facing servers directly on the internal LAN, so one compromised public host opens a straight path to internal systems.
8 questions test this
- An organization hosts public-facing web servers and internal database servers on the same flat network. The security architect must allow…
- An organization places public-facing web servers on a screened subnet between an external and an internal firewall. Database servers reside…
- A security architect is designing a DMZ to host public-facing web and DNS servers. The design must ensure that a compromised DMZ server…
- A company hosts a public-facing web application. The architecture must ensure external users reach the web front-end but cannot directly…
- A security architect is designing a three-tier architecture where internet-facing web servers must be isolated from the internal database…
- A company hosts internet-facing web servers and internal application servers. Web servers must be reachable from the internet, but…
- An organization hosts a public web application that queries an internal database. The security team must ensure external users reach only…
- A company hosts public-facing web servers and internal database servers on the same VLAN. A security audit finds that a compromised web…
- Port security limits a switch port to approved MAC addresses
Port security is a layer 2 switch control that restricts which and how many MAC addresses may use a physical port, shutting down or restricting the port on a violation: the go-to control for keeping rogue devices in open wall jacks off the network. Because MAC addresses are easily spoofed, it is a basic safeguard rather than strong device authentication; 802.1X with EAP is the stronger answer when the requirement is to admit only authenticated devices.
Trap Relying on MAC-based port security as strong device authentication, when spoofing an allowed MAC defeats it. 802.1X is the real control.
5 questions test this
- A network administrator discovers that employees are connecting unauthorized personal laptops to open Ethernet wall jacks in conference…
- A network administrator discovers unauthorized laptops plugged into open switch ports in conference rooms gaining access to the internal…
- A network administrator discovers that unknown devices are being connected to open switch ports in common areas and gaining unauthorized…
- A network administrator discovers unauthorized personal devices connected to open Ethernet wall jacks in conference rooms. Which network…
- A network administrator discovers unauthorized personal devices connected to open switch ports in shared conference rooms. Which…
Data Protection Strategies
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Resilience and Recovery
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Secure Communication and Network Access
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Operations
Computing Resource Security
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- A secure baseline is established, deployed, then maintained
Objective 4.1 frames the secure baseline as three actions, not a one-time document: establish the hardened reference config, deploy it identically to every in-scope device, and maintain it by continuously checking for and correcting configuration drift. The maintain step is the control's backbone: a baseline that is set once and never re-enforced decays into drift, so continuous compliance checking is part of the baseline, not an add-on.
- Deploy a baseline by golden image, GPO, or MDM profile
Identical, repeatable deployment is what makes a baseline measurable: push it as a golden image for workstations and servers, as Group Policy Objects (GPOs) across a Windows domain, or as an MDM configuration profile for mobile. Every device then boots in the same known-good state, so any later deviation is detectable drift measured against one reference rather than guesswork.
- Hardening removes reachable function and is target-specific
Hardening shrinks the attack surface by disabling unneeded services and ports and constraining what remains, but there is no universal checklist, because the right technique follows the target (workstation vs switch vs server vs cloud vs ICS). The exam rewards matching the measure to the device's constraints; a generic "just harden it" answer ignores that an ICS controller and a workstation accept entirely different controls.
- Harden ICS/SCADA, embedded, and RTOS by isolation, not patching
Operational-technology targets (ICS/SCADA, embedded systems, RTOS) often run for 20+ years on vendor-unsupported software that cannot be patched on a normal cycle, and anti-malware frequently isn't available for PLCs/DCS, so AV/EDR requirements can't be met on those endpoints. The correct hardening is network segmentation/isolation plus compensating controls (e.g., a deep-packet-inspection firewall, Purdue-model zones), because the device can't defend itself.
Trap Applying a workstation playbook to a PLC: "schedule the patch" or "install antivirus" on a SCADA device that supports neither.
5 questions test this
- A manufacturing company must continue operating a legacy SCADA system running unsupported firmware because no compatible replacement is…
- A vulnerability scan reveals a critical flaw in a legacy manufacturing control system running an end-of-life operating system. The vendor…
- A critical vulnerability is discovered on a manufacturing control system, but no vendor patch is available. The security team isolates the…
- An organization operates a legacy manufacturing control system running an end-of-life operating system. The vendor application requires…
- A manufacturing company operates a legacy control system running unsupported firmware that cannot be upgraded due to operational…
- IoT hardening: change defaults and segment onto its own VLAN
IoT devices ship with weak default security at scale, so core hardening is replacing default credentials, applying firmware updates where the vendor offers them, and placing the device on a dedicated/segmented VLAN. Segmentation is the load-bearing control: a compromised sensor confined to its own VLAN cannot pivot into the production network even when it can't otherwise be secured.
Trap Leaning on firmware updates as the primary IoT control, when many IoT devices never receive patches and segmenting them onto their own VLAN is what actually contains a compromise.
- Switch/router hardening locks down the management plane
Network-device hardening disables unused ports, replaces Telnet with SSH so management traffic is encrypted rather than plaintext, changes default credentials, and restricts who can reach the management plane (e.g., dedicated management network/ACLs). The goal is to remove cleartext administration and cut the number of reachable interfaces an attacker can probe.
Trap Keeping Telnet for management because it is on an "internal" network, when Telnet still ships credentials in cleartext that anyone sniffing the segment can read.
- Site survey plus heat map place APs and expose rogues
Securing Wi-Fi starts with measuring the RF environment: a site survey captures real signal strength, interference, and neighboring networks, and a heat map visualizes coverage so access points land where signal is adequate and where rogue APs or interference appear. Coverage that bleeds past the building wall is itself an exposure, letting an outsider reach the SSID from the parking lot.
Trap Treating excess Wi-Fi coverage as purely a performance concern, when signal bleeding into the parking lot is an attack surface, not just wasted range.
- The mobile deployment model sets the control ceiling
The deployment model fixes device ownership, and ownership caps how much the organization may control. BYOD = employee-owned personal device, lowest control (corporate work container, selective wipe only). CYOD = corporate-owned but chosen by the employee from an enterprise-approved list and required to run the management agent; company ownership allows high control (full MDM, full-device wipe), like COPE. COPE = corporate-owned, personally enabled, highest control (full MDM, full-device wipe). Ownership, not who picked the device, is what decides the ceiling.
Trap Calling CYOD employee-owned because the user picks the model: the company buys and owns the device, so it allows a full-device wipe like COPE, unlike employee-owned BYOD.
3 questions test this
- An employee who uses a personal smartphone enrolled in the company's BYOD program resigns. The security administrator must remove all…
- An employee enrolled in the company's BYOD program resigns. The security team must remove corporate email, applications, and data from the…
- An employee's personal smartphone is enrolled in the company's BYOD program through the MDM solution. When the employee leaves the…
- Wipe granularity follows ownership: BYOD (employee-owned) gets a selective wipe; corporate-owned (CYOD/COPE) get a full wipe
Wipe granularity follows ownership. On the employee-owned BYOD device the organization may only selectively/enterprise-wipe the corporate container; it cannot erase the employee's personal data. On corporate-owned devices (CYOD and COPE) it may perform a full-device wipe of the entire user partition. "Remove company data without touching personal files" → BYOD + selective wipe.
Trap Treating CYOD like BYOD: CYOD is corporate-owned (like COPE), so a full-device wipe is allowed. Only on employee-owned BYOD does a full wipe wrongly destroy the employee's personal data.
4 questions test this
- An employee who uses a personal smartphone enrolled in the company's BYOD program resigns. The security administrator must remove all…
- An employee enrolled in the company's BYOD program resigns. The security team must remove corporate email, applications, and data from the…
- An organization implementing a BYOD policy needs to ensure corporate email and documents are isolated from personal applications on…
- An employee's personal smartphone is enrolled in the company's BYOD program through the MDM solution. When the employee leaves the…
- MDM is the engine that enforces mobile policy
Mobile device management (MDM), part of an EMM/UEM suite, pushes the configuration profile and enforces device encryption, passcode/screen-lock timeout, application allow/deny lists (allowlist preferred), and remote lock/wipe. It is the mechanism that turns the deployment-model policy into settings actually applied on the device, rather than a policy that only exists on paper.
5 questions test this
- An organization distributes company-owned smartphones and wants to ensure employees can only install applications that IT has explicitly…
- A security administrator discovers that employees have installed unapproved file-sharing applications on company-issued mobile devices.…
- A healthcare organization's security policy requires that only pre-approved applications can be installed on corporate-managed tablets used…
- A defense contractor requires that classified mobile applications are accessible only when employees are physically inside approved…
- A defense contractor requires that employees' corporate mobile devices automatically disable the camera and block clipboard sharing…
- MDM treats each mobile connection method as attack surface
A mobile device's connection methods (cellular, Wi-Fi, Bluetooth, NFC, and USB tethering) are each a reachable attack surface, and MDM policy can disable or restrict any of them. Turning off unused radios and interfaces is part of mobile hardening: a disabled Bluetooth or NFC stack is one fewer wireless entry point to exploit.
- WPA3 uses SAE to defeat offline PSK dictionary attacks
WPA3-Personal replaces WPA2's pre-shared-key four-way handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange (the Dragonfly handshake, RFC 7664) that is resistant to offline dictionary attack: an attacker who captures the exchange cannot brute-force the passphrase offline, because any advantage requires live interaction with a participant. WPA3 also adds forward secrecy. "Stop offline cracking of the Wi-Fi passphrase" → WPA3/SAE, not WPA2-PSK.
Trap Picking WPA2-PSK with a longer passphrase: a captured WPA2 handshake still cracks offline; only SAE removes that offline path.
- WPA3-Enterprise authenticates each user via 802.1X/EAP to RADIUS
WPA3-Personal shares one SAE passphrase among everyone; WPA3-Enterprise authenticates each user individually through 802.1X/EAP to a RADIUS (AAA) server, so credentials are per-user and revocable instead of one secret the whole office holds. "Give each wireless user individual, revocable credentials" → WPA3-Enterprise + 802.1X/RADIUS, revoking one user never forces a network-wide passphrase change.
Trap Choosing WPA3-Personal for an office that needs per-user revocation, when its single shared SAE passphrase forces a network-wide change every time one person leaves.
- Input validation is the first-line defense against injection and overflow
Input validation checks input for expected type, length, format, and range before it is processed, preferably with an allow-list (accept known-good) rather than a deny-list that is full of bypassable loopholes. It is the foundational defense against injection and buffer-overflow classes, where crafted oversized or malformed input is the attack, paired with parameterized queries for SQLi specifically. Validate server-side: client-side checks are a usability aid an attacker simply bypasses.
Trap Relying on client-side (JavaScript) validation as the security control: an attacker hits the API directly and skips the browser entirely.
2 questions test this
- Secure session cookies: Secure, HttpOnly, SameSite
Session cookies are hardened with three attributes: Secure (sent only over HTTPS, never plaintext HTTP), HttpOnly (unreadable by JavaScript/
document.cookie, which blunts XSS token theft), and SameSite (limits whether the cookie rides cross-site requests, reducing CSRF exposure). Together they keep the session token off cleartext channels and out of reach of injected scripts and forged cross-site requests.Trap Assuming the Secure flag stops script theft of the cookie, when Secure only forces HTTPS and HttpOnly is what hides the token from JavaScript.
- Sandboxing isolates untrusted code from the host
Sandboxing runs untrusted code or files in an isolated environment with restricted access to host resources, so a malicious payload executes but stays contained. It is the standard way to detonate a suspicious file and observe its behavior before trusting it. "Run an unknown executable safely to watch what it does" → sandbox, not the production host.
- Monitoring is the detective backstop after preventive hardening
Hardening, input validation, and sandboxing are preventive; monitoring the computing resource is the detective layer that confirms it still matches its baseline and surfaces the behavior earlier controls were meant to block but might have missed. It closes objective 4.1's resource-security loop: prevention narrows the openings, monitoring catches what slips through.
Trap Classing monitoring as a preventive control, when it is detective, catching what slipped past hardening rather than blocking it up front.
- Cloud-infrastructure hardening = least privilege plus no public exposure
Hardening cloud infrastructure centers on least-privilege IAM, tight security groups, disabling public access to storage and endpoints, encryption, and logging. Under shared responsibility the provider secures the underlying platform, but the customer owns hardening their own identity, network exposure, and resource configuration: a world-readable storage bucket is the customer's misconfiguration, not the provider's.
Trap Assuming the cloud provider hardens your resources: public buckets, over-broad IAM, and open security groups are the customer's side of shared responsibility.
- MDM geofencing applies policy by device location
Geofencing uses GPS or network location to draw a virtual perimeter around a place, and an MDM automatically tightens or relaxes policy when a managed device crosses that boundary. It is the capability used to suspend sensitive apps, lock the work container, or disable the camera when a device leaves an approved facility: location becomes a policy condition rather than relying on the user to comply.
Trap Confusing geofencing with geotagging, when geofencing enforces policy across a location boundary while geotagging only stamps location metadata onto a file.
5 questions test this
- A defense contractor requires that classified mobile applications automatically lock when an employee's device physically leaves the…
- A defense contractor requires that classified mobile applications are accessible only when employees are physically inside approved…
- A company deploys an MDM policy that automatically disables access to corporate email and locks the work container whenever a managed…
- An organization's MDM solution automatically disables the device camera and restricts corporate email access when managed mobile devices…
- A defense contractor requires that employees' corporate mobile devices automatically disable the camera and block clipboard sharing…
- Containerization and MAM isolate corporate data on personal devices
On employee-owned devices, containerization carves out an encrypted, isolated workspace that separates corporate apps and data from personal content and enables a selective wipe of only the corporate container. Mobile application management (MAM) applies the same app-level data-protection and DLP controls without enrolling the whole device, which sidesteps employees' privacy concerns about IT seeing their personal device, the common adoption blocker for BYOD.
Trap Choosing full-device MDM enrollment for a privacy-sensitive BYOD fleet, when MAM protects corporate apps without enrolling the whole personal device.
9 questions test this
- An organization allows employees to use personal devices for work but must ensure that corporate email and documents remain completely…
- Employees use personal smartphones to access corporate applications but refuse to enroll their devices in the MDM solution due to privacy…
- An organization allows employees to use personal tablets to access corporate applications but does not want to enroll those personal…
- A financial services company implements a BYOD policy and needs corporate applications and data to remain completely isolated from personal…
- Employees at a company use personal smartphones for corporate email and document access but refuse full MDM enrollment due to privacy…
- An organization implementing a BYOD policy needs to ensure corporate email and documents are isolated from personal applications on…
- A financial services company wants to protect corporate data on employees' personal tablets without requiring full device enrollment. The…
- A company needs to enforce data loss prevention policies on corporate applications installed on employee-owned mobile devices, but…
- An organization deploying a BYOD program needs to isolate corporate applications and data from employees' personal content on the same…
Asset Management
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Asset management is a four-stage lifecycle control
SY0-701 objective 4.2 treats asset management as one security control spanning four stages, applied to hardware, software, and data: acquisition/procurement, assignment/accounting, monitoring/tracking, and disposal/decommissioning. Each stage carries a security action, so a gap anywhere (an un-inventoried, un-owned, or un-sanitized asset) is the security weakness the exam probes.
- Procurement is the entry gate for security requirements
Acquisition/procurement is where security requirements are defined and suppliers are vetted for supply-chain risk before anything is bought, keeping unmanaged, unpatchable devices off the network. It also records licensing and warranty; buying around approved procurement is precisely how shadow IT enters.
Trap Treating procurement as a finance-only step rather than the gate that sets security requirements and vets suppliers.
- Every asset needs an assigned owner and a data classification
Assignment/accounting records an owner, the person accountable for the asset's config, patching, access, and disposal decisions, which is a security role, not legal title, plus a data classification, the sensitivity label that drives which controls and which sanitization method apply. An asset with no owner or no classification is a control gap.
Trap Reading ownership as legal title to the hardware rather than accountability for its security decisions.
- You can't protect what isn't in the inventory
An accurate asset inventory is the foundation every other control depends on: vulnerability scanning, patching, and incident scoping all reach only what's recorded. Enumeration (active discovery) keeps the inventory matching reality instead of drifting from it.
7 questions test this
- An organization's patch management reports show 100% compliance across all managed endpoints. A subsequent breach investigation reveals the…
- A security analyst conducts a network discovery scan and identifies 15 devices not listed in the organization's asset inventory, including…
- A security analyst discovers that several departments independently purchased and connected IoT sensors to the corporate network without IT…
- An organization's quarterly vulnerability scans consistently report a low number of findings. However, an external penetration test…
- A security team deploys a continuous network scanning solution that automatically generates alerts when unrecognized devices connect to the…
- An organization runs automated vulnerability scans against all systems registered in its asset inventory. A penetration tester later…
- An organization's vulnerability scanner consistently reports zero critical findings on a particular network subnet. A manual audit reveals…
- Shadow IT and ghost assets are un-tracked risk
Shadow IT (assets brought in without approval) and ghost or orphaned assets (still connected but with no owner or inventory record) sit outside patching and monitoring, which makes them attacker-preferred entry points. Asset tracking and enumeration are what surface them.
Trap Conflating shadow IT (unapproved assets users introduce) with ghost or orphaned assets (formerly tracked, now ownerless but still connected).
8 questions test this
- An organization's patch management reports show 100% compliance across all managed endpoints. A subsequent breach investigation reveals the…
- During a routine software inventory scan, an analyst discovers that multiple employees have installed an unapproved personal messaging…
- During a quarterly network discovery scan, a security analyst identifies 12 devices on the corporate network that are not listed in the…
- A security analyst conducts a network discovery scan and identifies 15 devices not listed in the organization's asset inventory, including…
- A security analyst discovers that several departments independently purchased and connected IoT sensors to the corporate network without IT…
- An organization's quarterly vulnerability scans consistently report a low number of findings. However, an external penetration test…
- A security team deploys a continuous network scanning solution that automatically generates alerts when unrecognized devices connect to the…
- During a routine network scan, a security analyst discovers 15 devices connected to the corporate network that do not appear in the…
- NIST SP 800-88 defines exactly three sanitization categories
Media sanitization has three categories, and they are the basis of every SY0-701 disposal question. Clear applies logical techniques to all user-addressable storage to block simple non-invasive recovery (media stays usable); Purge renders data recovery infeasible even with state-of-the-art lab techniques while leaving media reusable; Destroy reaches that same lab-infeasible bar but also makes the media unusable.
- Clear = overwrite, media stays usable
Clear writes non-sensitive data over all user-addressable storage (or applies a factory reset where rewriting isn't supported) to defeat standard read-back tools. It fits low-confidentiality data that stays under organizational control, and the media remains fully reusable afterward.
Trap Assuming Clear defeats state-of-the-art lab recovery, when it only blocks simple non-invasive read-back tools.
- Purge resists lab recovery yet keeps media reusable
Purge renders data recovery infeasible even with state-of-the-art laboratory techniques while leaving the drive reusable, so it can be redeployed or sold. Its methods are cryptographic erase, block erase / ATA Secure Erase, and degaussing of magnetic media, applied through dedicated sanitize commands, not ordinary file deletion.
Trap Counting an ordinary file deletion or quick format as a Purge technique instead of a dedicated sanitize command.
- Destroy physically ruins the media
Destroy (shred, disintegrate, pulverize, incinerate, or melt) makes data unrecoverable by state-of-the-art lab techniques and leaves the media permanently unusable. Choose it for high-confidentiality data with no reuse need, or for media that cannot be reliably purged.
- Method = data confidentiality + reuse vs. release
SP 800-88 picks the category from two factors: the data's confidentiality and whether the media will be reused or leave organizational control. Low-confidentiality staying internal selects Clear; moderate/high, or any media reused or leaving the org, selects Purge; high-confidentiality with no reuse (or media that can't be reliably purged) selects Destroy.
Trap Choosing the sanitization category from media type alone, ignoring data confidentiality and whether the media will be reused or released.
- Cryptographic erase is a Purge technique
Cryptographic erase (CE) sanitizes by destroying the data's encryption key, leaving only unrecoverable ciphertext: a Purge-level method, not Destroy, that completes in a fraction of a second regardless of disk size. It is valid only when the data was strong-encrypted from the start (e.g. a self-encrypting drive); enabling encryption after sensitive data was already written makes CE unsafe. This is why full-disk encryption at rest enables fast disposal later.
Trap Using cryptographic erase on a drive where encryption was turned on only after sensitive data had already been written in the clear.
- Degaussing does nothing to SSDs/flash
Degaussing destroys magnetic fields, so it purges HDDs and tape but is useless on SSDs and flash, which store data in non-magnetic cells; NIST says it should never be solely relied upon for flash-based media. For SSDs, use the drive's built-in cryptographic or block erase, or physically destroy it.
Trap Reaching for a degausser to sanitize an SSD: a classic SY0-701 wrong answer, since flash isn't magnetic.
- Overwriting is unreliable on SSDs
Wear-leveling on SSDs silently relocates data to spare cells that an overwrite pass can't directly address, so Clear-by-overwrite can leave recoverable data behind. Use the drive's dedicated cryptographic or block erase command instead.
Trap Trusting a multi-pass overwrite to sanitize an SSD, when wear-leveling hides data in spare cells the overwrite can't reach.
- Sanitization must be verified and certified
Sanitization is verified (by full verification or representative sampling (NIST suggests covering at least ~10% of the addressable space), ideally by someone other than who performed it) and documented with a Certificate of Sanitization. The certificate records the media identifier (serial / property number, media type), the category (Clear/Purge/Destroy), the method, the verification method, and the name, date, and signature for both steps. For outsourced destruction, that certificate plus chain of custody is the audit proof, not the vendor's invoice.
Trap Accepting a destruction vendor's invoice or receipt as audit proof instead of the Certificate of Sanitization plus chain of custody.
- Data retention constrains when disposal may happen
Data-retention requirements (legal, regulatory, or business) set the minimum period data must be kept before destruction, and a legal hold freezes deletion of data relevant to litigation. Disposal proceeds only once the retention clock has expired and no hold is in place.
Trap Proceeding with disposal once the retention period expires while a legal hold is still active on that data.
- Keeping data too long vs. destroying too early
Retention is a two-sided balance. Holding data longer than needed enlarges breach blast radius and can violate data-minimization rules; destroying it before a retention requirement is met, or while a legal hold is active, creates spoliation liability. The exam tests recognizing both failure directions.
Trap Treating indefinite retention as the safe default, overlooking the larger breach blast radius and data-minimization violations it causes.
- Pick Purge for reusable media, not Destroy
When a scenario says the media will be reused or sold, the answer is Purge, not Destroy, because Destroy ruins the media, and reaching for a degausser on an SSD is the other classic wrong answer. Anchor disposal choices to data confidentiality, reuse-vs-release, and media type rather than defaulting to the most aggressive option.
Trap Defaulting to Destroy for any sensitive drive even when the media is slated for reuse, where Purge is the correct, media-preserving choice.
Vulnerability Management
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Vulnerability management is a continuous lifecycle, not a one-time scan
SY0-701 objective 4.3 frames vulnerability management as a repeating loop (identify, analyze/prioritize, respond, validate, report, then repeat) so a scan report is an input, not the finish line. The exam-correct stance treats findings as something to confirm, fix, and re-scan rather than blindly patching the raw list. Residual risk and accepted exceptions from one cycle feed the next.
- Credentialed scans cut both false positives and false negatives
A credentialed (authenticated) scan logs into the host and reads installed versions, patch levels, and configuration directly, making it far more accurate than a non-credentialed scan that only probes from outside and over-reports. Authenticated reading lowers BOTH error types: fewer false positives (less guessing from banners) and fewer false negatives (it sees internal flaws an external probe can't). Choose credentialed when accuracy matters.
Trap Assuming a non-credentialed external scan is just as accurate: it over-reports and misses internal flaws a login would reveal.
5 questions test this
- A security analyst runs both a credentialed and a non-credentialed vulnerability scan against the same production server. The credentialed…
- A security team needs to identify all missing patches and software misconfigurations across its internal servers. Which scanning approach…
- A security analyst needs to identify missing security patches on 200 internal servers. The analyst configures the vulnerability scanner…
- A security analyst runs two scans against the same Linux server — one non-credentialed and one credentialed. The credentialed scan reports…
- An organization wants to assess how its public-facing web servers appear to an external attacker who has no insider access or credentials.…
- Active scans send probes; passive scans only observe traffic
An active scan sends packets and probes to the target, which can disrupt fragile or legacy systems, whereas a passive scan watches existing traffic without touching the host. Pick passive for sensitive, legacy, or production-critical systems you cannot risk crashing, accepting that it only sees what crosses the wire. Active gives deeper coverage where the host can tolerate it.
Trap Running an active probe scan against a fragile legacy or OT host you can't afford to crash, where passive observation was the safe choice.
- SAST reads source code; DAST exercises the running app
Static application security testing (SAST) analyzes source code without executing it (white-box, early in the SDLC) and catches code-level flaws like buffer overflows and injection. Dynamic application security testing (DAST) tests the running application from the outside (black-box, later) and catches runtime and configuration flaws. They are complementary: SAST finds the flaw in the code, DAST finds what's exploitable when it runs.
Trap Calling testing of a live running application SAST: exercising the running app from outside is DAST; SAST never executes the code.
- Package/dependency analysis flags vulnerable third-party libraries
Package (software composition) analysis inventories third-party and open-source dependencies and flags those with known CVEs, addressing supply-chain risk in components you did not write. It covers the blind spot SAST and DAST of your own code miss: a vulnerable library you merely imported. This is why a known-vulnerable dependency shows up here, not in a scan of your own source.
Trap Expecting SAST or DAST of your own code to catch a vulnerable imported library, when an unmodified third-party dependency surfaces only in software composition analysis.
- Pen testing actively exploits to prove impact; scanning only detects
A penetration test is a human, per NIST, attempting to "circumvent or defeat the security features of a system", actively exploiting and chaining flaws to prove real-world impact. A vulnerability scan only automatically checks targets against a database of known flaws and reports possible existence. So a stem describing someone who actively exploits to demonstrate impact points to a pen test, not a scan.
Trap Picking vulnerability scanning when the stem says the tester actively exploited flaws to prove impact: that's a penetration test.
- Bug bounty and responsible disclosure intake external researcher reports
Responsible (coordinated) disclosure gives external researchers a structured channel to report flaws, with the issue going public only after the vendor has had time to patch; a bug-bounty program adds a reward for those reports. Both are legitimate identification inputs and beat ignoring or threatening the reporter. Threat feeds and OSINT supply related external context like newly weaponized CVEs.
Trap Treating an external researcher's report as a threat to silence, rather than intake through responsible disclosure or a bug-bounty channel.
- Confirmation matrix maps scanner result against ground truth
The four outcomes pair what the scanner said with what is really there: true positive = a real flaw correctly flagged (remediate); false positive = flagged but absent (noise to verify and dismiss); true negative = correctly reported clean; false negative = a real flaw the scan missed. NIST SP 800-115 defines a false positive as "an alert that incorrectly indicates that a vulnerability is present." Knowing which quadrant a described result lands in is the testable skill.
- A false negative is the most dangerous scan error
A false positive only wastes analyst time verifying a flaw that isn't there, but a false negative is a real, unfound flaw nobody investigates: the genuinely dangerous outcome. Credentialed scanning and follow-up penetration testing exist largely to shrink the false-negative rate by seeing what an external probe misses. When a question ranks the errors by risk, false negative wins.
Trap Ranking a false positive as the worst error: it only wastes time; the false negative is the unfound real flaw nobody chases.
- A CVE names the flaw but assigns no severity
A CVE (Common Vulnerabilities and Exposures) is a unique identifier for one publicly known vulnerability, formatted CVE-YYYY-NNNNN (e.g., CVE-2021-44228 / Log4Shell). The identifier only names and describes the flaw: it carries no severity rating of its own; severity comes separately from CVSS, as enriched in the NVD. A bare CVE number tells you which flaw, never how urgent.
Trap Reading a CVE number as a severity or urgency signal: the CVE only identifies the flaw; CVSS supplies the score.
- CVSS scores severity on a 0.0-10.0 scale
CVSS (Common Vulnerability Scoring System) is, per NVD/NIST, "a method used to supply a qualitative measure of severity," producing a numeric base score from 0.0 to 10.0. The contrast with CVE is the testable pair: a CVE tells you which flaw, CVSS tells you how severe. A 0.0-10.0 number is a CVSS score; a CVE-YYYY-NNNNN token is not.
Trap Reading a CVSS score as the identifier of which vulnerability it is, when CVSS only rates severity and the CVE is what names the flaw.
- Memorize the CVSS v3.x severity bands, especially where Critical starts
CVSS v3.x maps base scores to bands: None = 0.0, Low = 0.1-3.9, Medium = 4.0-6.9, High = 7.0-8.9, Critical = 9.0-10.0. The two boundaries the exam leans on are High starting at 7.0 and Critical starting at 9.0. A score like 8.5 is High, not Critical: the band edges are the trap.
Trap Calling an 8.x score Critical: Critical begins at 9.0; 7.0-8.9 is the High band.
- Highest CVSS is not automatically remediated first
The CVSS base score reflects a vulnerability's intrinsic severity, constant across environments, so it is only a starting point: CVSS is explicitly not a measure of risk. Real prioritization layers on environmental and exposure factors (internet-facing? compensating control present? feature enabled?), asset criticality, organizational impact, and risk tolerance. An isolated Critical can therefore rank below an internet-exposed Medium.
Trap Remediating strictly in descending CVSS order, ignoring that an exposed, business-critical Medium can outrank an isolated Critical.
- Exposure factor is the fraction of asset value lost per event
The exposure factor (EF) is the proportion of an asset's value destroyed if the vulnerability is exploited, expressed 0-1.0 (or 0-100%); it drives the loss math via SLE = Asset Value x EF. As an analysis input it raises remediation priority: more of the asset at stake per event means a more urgent fix. It is one environmental input layered on top of the raw CVSS score, not a severity score itself.
Trap Treating the exposure factor as a standalone severity rating, when EF is only the fraction of asset value lost per event feeding SLE, not a CVSS-style score.
- Patching is one of four vulnerability responses, not the only one
Objective 4.3 tests four legitimate responses: remediate (patch/fix/upgrade, the default and most complete), mitigate (compensating control or segmentation when you can't patch), accept (a documented exception/exemption signed by the risk owner), or transfer (cyber-insurance offsets the financial cost). Patching is the first choice but the wrong single answer when the stem rules it out: match the response to the constraint.
Trap Choosing patch every time, even when the stem says the system can't be patched and a compensating control, exception, or transfer is the fit.
2 questions test this
- When you can't patch now, mitigate by shrinking reachability
When a flaw can't be patched immediately (legacy/EOL system, the patch breaks production, or the maintenance window is weeks away) reduce exposure with compensating controls: network segmentation or isolation, virtual patching at a WAF/IPS, tighter access, or disabling the affected feature. The flaw itself remains, but its reachability and blast radius shrink until a real fix lands.
8 questions test this
- A manufacturing company must continue operating a legacy SCADA system running unsupported firmware because no compatible replacement is…
- A healthcare organization discovers a critical vulnerability on a certified medical imaging system that cannot be patched because doing so…
- A security team's EOL tracking system alerts that a critical database application will lose vendor support in 60 days. A replacement has…
- A vulnerability scan reveals a critical flaw in a legacy manufacturing control system running an end-of-life operating system. The vendor…
- A critical vulnerability is discovered on a manufacturing control system, but no vendor patch is available. The security team isolates the…
- A security analyst discovers that a business-critical application server is running firmware the vendor no longer supports. No further…
- A vulnerability scan reveals that several network switches are running firmware no longer supported by the manufacturer, and no security…
- A manufacturing company operates a legacy control system running unsupported firmware that cannot be upgraded due to operational…
- Risk acceptance is valid only as a documented, signed exception
Accepting a vulnerability's risk is legitimate only as a formal, documented exception/exemption approved by the designated risk owner, with a defined review or expiry date. An informal "we'll fix it later" is not acceptance: the documentation and sign-off are the testable point that distinguishes accepted risk from ignored risk. The exception then becomes residual risk tracked into the next cycle.
Trap Calling an unwritten "we'll get to it later" risk acceptance: without the documented, risk-owner-signed exception it's just unmanaged risk.
- Cyber-insurance transfers the cost, never the flaw
Transfer via cyber-insurance shifts the financial impact of a residual risk to a third party, but it does not remove, fix, or reduce the vulnerability: only the cost is offset if exploitation occurs. The flaw and its likelihood remain exactly as before. Treat transfer as a financial response, not a technical remediation.
Trap Treating buying cyber-insurance as remediating the vulnerability: it offsets loss only; the flaw and its likelihood are untouched.
- Enterprise patching is risk-prioritized preventive maintenance
NIST SP 800-40 Rev.4 frames patch management as "a critical component of preventive maintenance... a cost of doing business", a routine process of identifying, prioritizing, acquiring, installing, and verifying patches, not optional cleanup. Patches should be prioritized by risk rather than applied uniformly. This makes remediation a standing, risk-driven business operation, which is why the exam treats it as expected baseline practice.
Trap Applying every available patch uniformly and immediately, instead of prioritizing the patch backlog by the risk each flaw poses.
- Validate every fix by rescanning before you close the finding
After any remediation, validate that the vulnerability is actually gone via rescanning (the most common and most testable method), audit, or verification, never close a finding on the strength of the patch alone. A patch can fail to apply, miss a host, or be reverted. So "patch applied, what next?" resolves to rescan/verify, then close.
Trap Closing a finding the moment the patch is applied, without a rescan to confirm the flaw is actually gone on every affected host.
6 questions test this
- After a security team applies a critical patch to address a known vulnerability on a production database server, the vulnerability analyst…
- A security team applies a critical patch to 200 servers after a vulnerability scan identifies a remote code execution flaw. The patch…
- A vulnerability scan identifies a critical remote code execution flaw affecting 50 production servers. Following enterprise patch…
- After applying patches to remediate critical vulnerabilities identified during a quarterly scan, a security analyst must confirm the fixes…
- A critical security patch is released for the organization's primary web application framework. The patch management policy requires…
- After a vulnerability analyst applies a critical security patch to a fleet of web servers, the analyst must confirm the fix was successful.…
- Reporting closes the loop and seeds the next cycle
The lifecycle ends with reporting findings, remediation status, and residual risk: per-asset technical detail for the teams that fix things, and aggregated risk and trend data for management and compliance. Residual risk and any accepted exceptions documented here become inputs to the next identification and analysis round, which is what makes the lifecycle continuous rather than linear.
4 questions test this
- After completing quarterly vulnerability scans, a security analyst must communicate findings to executive leadership. Which vulnerability…
- After completing a quarterly vulnerability assessment, a security analyst must prepare reports for different audiences. Which report…
- After completing a quarterly vulnerability remediation cycle, a security analyst must report results to both executive leadership and the…
- A security team must communicate vulnerability management results to executive leadership for a quarterly business review. Which content is…
- Inhibitors to remediation delay a fix even when the flaw is known
Inhibitors to remediation are factors that prevent or postpone applying a fix despite a known vulnerability: uptime/availability SLAs that limit maintenance windows, legacy or proprietary systems, organizational governance and change control, and vendor end-of-life status where no patch will ever ship. When an inhibitor blocks patching, the response shifts to mitigation or a documented exception rather than waiting indefinitely.
Trap Assuming a known vulnerability can always be patched promptly, ignoring inhibitors like uptime SLAs, EOL status, or change-control governance.
14 questions test this
- A security administrator discovers that several production servers are running an operating system that reached end-of-life status three…
- A vulnerability scan identifies several production servers running an operating system that reached end-of-life (EOL) six months ago. Which…
- A vulnerability analyst discovers a critical vulnerability on a manufacturing plant's SCADA system that runs continuous 24/7 production.…
- A vulnerability scan reveals a critical flaw on a production database server. The database administrator states that applying the required…
- A security team's EOL tracking system alerts that a critical database application will lose vendor support in 60 days. A replacement has…
- A vulnerability management team discovers that several production servers are running an operating system that reached end-of-life status…
- A security analyst discovers that a business-critical application server is running firmware the vendor no longer supports. No further…
- During a vulnerability assessment, a security analyst discovers that multiple core network switches are running firmware the vendor no…
- A vulnerability scan identifies a critical flaw on a production database server. The operations team reports that applying the required…
- A vulnerability management team discovers that several servers are running an operating system version that reached end-of-support six…
- A vulnerability management report flags 30 workstations running an operating system that reached end-of-life six months ago. The vendor no…
- A vulnerability management report identifies multiple servers running an operating system that reached end-of-life six months ago. Which…
- A security team's vulnerability management platform flags a business-critical application with an 'end-of-support' tag. The application…
- A vulnerability scan reveals a critical flaw on a legacy industrial control system. The vendor no longer supports the software, and any…
Alerting and Monitoring
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Enterprise Network Security
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Identity and Access Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Automation and Orchestration
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Incident Response
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Investigation Data Sources
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Program Management and Oversight
Security Governance
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Policy → standard → procedure → guideline is the governance hierarchy
Governance documents descend from intent to detail: a policy is management's broad statement of what and why, a standard turns it into a specific measurable rule (e.g., AES-256, passwords ≥14 chars), a procedure gives the numbered step-by-step how-to, and a guideline offers optional advice. Policies, standards, and procedures are mandatory; only the guideline is discretionary, which is the line the exam tests.
Trap Assuming the guideline outranks or precedes the procedure in the hierarchy because it sounds authoritative, when the guideline is the lowest and only optional tier.
- A guideline is the only non-mandatory governance document
Guidelines are recommended best-practice that can be met more than one way, so they are the single discretionary document type. Policies, standards, and procedures are all compulsory. The fastest tell is the verb: "shall/must" marks a mandatory document, "should/may" marks a guideline.
Trap Treating a standard or procedure as optional because it is more detailed than a policy, when only the guideline is discretionary.
3 questions test this
- A security architect distributes a document to IT staff recommending that remote workstations use encrypted DNS and endpoint detection…
- A security manager distributes a document recommending that employees use a corporate-approved password manager to store credentials but…
- During a governance review, a security analyst finds a document that recommends best practices for securing remote workstations but…
- A standard is a specific, measurable, mandatory rule
A standard fixes exactly how strict a policy's intent must be and is compulsory within the organization. Where the policy says "protect data," the standard says AES-256 at rest, passwords ≥14 characters, or RBAC for access. That precision is what makes a policy uniform and auditable. Named SY0-701 examples are password, access control, physical security, and encryption standards.
Trap Classifying a specific measurable rule as a guideline because it reads like best practice, when its mandatory enforceable nature makes it a standard.
- A policy is high-level intent, never the mechanism
A policy is a leadership-approved statement of required outcome and direction written at a broad level; it deliberately leaves the "how" to the standards and procedures beneath it. Named SY0-701 policies include the information security policy, AUP, business continuity, disaster recovery, incident response, SDLC, and change management.
Trap Expecting a policy to name the specific control or technology, when that mechanism belongs to the standard and procedure beneath it.
- Procedures and playbooks are step-by-step instructions
A procedure is the mandatory numbered how-to that implements a standard so the result doesn't depend on who runs it, and a playbook is the procedure variant that codifies repeatable response steps an IR or SOAR workflow executes. SY0-701 examples are change-management and onboarding/offboarding procedures; a checklist counts as a procedure too.
Trap Treating a playbook as a policy: it is an operational procedure that implements policy, not the high-level intent itself.
6 questions test this
- A new security technician needs documentation that explains each sequential step required to securely decommission a server, including…
- A company's password standard requires a minimum length of 15 characters. A separate document provides the exact steps an administrator…
- A company's remote access policy requires multi-factor authentication, and the supporting standard specifies smartcard plus PIN for VPN…
- An organization has an approved security policy requiring encrypted communications and a published standard specifying TLS 1.3. A systems…
- During an internal audit, the auditor finds that the organization has well-documented security policies and supporting standards, but IT…
- A new IT technician must configure a firewall rule change. The technician consults a governance document that provides ordered…
- AUP defines acceptable use of organizational assets
An Acceptable Use Policy (AUP) is an issue-specific policy spelling out permitted and prohibited use of company systems and data, signed by the user. Because it documents what the user agreed to, it is the basis for disciplinary action when someone misuses assets.
Trap Reaching for an NDA as the document that governs day-to-day use of company systems, when the NDA covers confidentiality and the AUP governs acceptable use.
- Policy scope: program, issue-specific, system-specific
Policies are categorized by scope: a program (organizational) policy establishes the security program enterprise-wide, an issue-specific policy governs one topic such as an AUP or email use, and a system-specific policy sets rules for a single system or asset. The scope mirrors the authority of the manager who issues it.
Trap Labeling an AUP a system-specific policy because it constrains how systems are used, when its single-topic focus makes it issue-specific.
- Data owner sets classification; it cannot be delegated
The data owner is the senior business official with operational authority over a data set and is accountable for setting its classification and acceptable use. That managerial accountability stays with the owner and is not handed to IT, so an admin who decides classification is itself a governance failure.
Trap Naming the IT administrator or custodian as the one who classifies data: they implement protection but never own the classification decision.
4 questions test this
- A company acquires a new customer dataset and needs to determine its classification level and define who may access it. Which role has…
- A department head in finance is formally assigned accountability for determining the classification of financial datasets and approving…
- A department head classifies the sensitivity of customer records in the department's database and approves which employees are granted…
- A healthcare organization designates a department director as the data owner for electronic patient records. Which responsibility does this…
- Data custodian/steward implements; never decides classification
The data custodian (steward) is the technical role that carries out the owner's decisions day-to-day, applying access controls, backups, and encryption to protect the data. The custodian enforces protection but never sets the classification or acceptable use; that authority belongs to the owner.
Trap Letting the custodian set or change a data set's classification because they have hands-on access to it, when only the owner holds that decision authority.
- Owner/controller decide, custodian/processor execute
Across the four data roles the dividing line is decide-versus-execute: the owner and controller determine classification and purpose, while the custodian and processor act only on those decisions. Under GDPR the controller "determines the purposes and means of processing" and the processor acts on the controller's instructions, so a scenario that hands a decision to an executing role is describing a control failure.
Trap Assuming a cloud or SaaS vendor that hosts your data becomes the controller: it is normally the processor, and your organization stays the accountable controller.
- Centralized governance favors consistency over flexibility
Centralized governance puts one authority in charge of setting and enforcing policy enterprise-wide, producing uniform, easy-to-audit controls at the cost of speed and local responsiveness. Choose it when consistency and auditability matter most.
Trap Picking centralized governance for its agility and fast local response, when those are the strengths of decentralized governance and centralization trades them away for uniformity.
- Decentralized governance favors agility over uniformity
Decentralized governance lets business units set their own policy within broad guardrails, gaining agility and local responsiveness but risking inconsistent controls and harder auditing. Choose it when units must move independently and speed outranks uniformity.
Trap Choosing decentralized governance when the priority is uniform, easy-to-audit controls, since that consistency is exactly what decentralization sacrifices for speed.
- Boards, committees, and government entities are governance structures
Governance is exercised through structures: boards hold ultimate oversight (e.g., the board of directors), committees such as a security steering or risk committee review and approve policy, and government entities/regulators impose binding external rules where the organization is regulated. Each is a named SY0-701 governance structure.
5 questions test this
- A board of directors establishes a subgroup responsible for reviewing internal audit findings, overseeing the relationship with external…
- An organization creates a cross-functional body with leaders from IT, legal, HR, and finance that meets quarterly to review security…
- An organization establishes a cross-functional group that includes the CISO, CIO, general counsel, and business unit directors. This group…
- Which governance body is PRIMARILY responsible for reviewing audit scope, ensuring auditor independence, and overseeing management's…
- A CISO reports cybersecurity risk metrics exclusively to the IT department. The board of directors receives no information about the…
- Governance includes continuous monitoring and revision
A security program is maintained, not written once: policies are reviewed on a defined cadence and re-examined whenever threats, technology, business needs, or law change. That monitoring-and-revision loop is itself a governance activity owned by the oversight body, not a one-time document.
- External considerations drive which policies are mandatory
Governance must satisfy external forces: regulatory mandates (HIPAA, PCI DSS, SOX), broader legal and contractual obligations, and industry frameworks, and these dictate which policies and standards are non-negotiable regardless of internal preference. On the exam, an external requirement overrides an organization's own appetite for a control.
Trap Allowing the organization's internal risk appetite to waive a control that an external regulation mandates, when the external requirement is non-negotiable.
- Geographic scope: local, regional, national, global
Requirements apply at distinct geographic scopes (local, regional, national, and global), so a multinational must reconcile rules that conflict across borders, such as EU data-residency duties versus another jurisdiction's lawful-access demands. That is why scope is treated as an explicit governance dimension rather than an afterthought.
- SDLC and change-management policies bake security into operations
An SDLC policy forces security to be built into how software is developed rather than bolted on afterward, and a change-management policy blocks unauthorized changes from reaching production. Both are named SY0-701 governance policies that flow down into procedures developers and operators actually follow.
- A CISO reporting to the CIO creates a conflict of interest
When the CISO reports to the CIO, the executive accountable for IT delivery also oversees the function that evaluates IT risk, a separation-of-duties conflict that can pressure the CISO to soften controls and skew risk reporting; SOX audits have flagged this reporting line as a control-design weakness. Reporting higher, to the CEO or board, preserves the CISO's independence and unfiltered risk communication, while the board and senior leadership retain ultimate accountability for cyber risk.
Trap Placing the CISO under the CIO to keep security "close to IT": it undermines the independence the role needs to objectively report risk.
3 questions test this
- An organization's CISO reports to the CIO, who oversees both IT operations and security. During a governance review, auditors flag this…
- A governance audit finds that a company's CISO reports directly to the CIO. The auditor recommends restructuring the CISO's reporting line…
- A multinational corporation wants its Chief Information Security Officer to present cybersecurity risk updates directly to the board…
Risk Management
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- SLE is the dollar loss from one occurrence: AV × EF
Single Loss Expectancy is the monetary loss from a single occurrence of a threat, calculated
SLE = Asset Value (AV) × Exposure Factor (EF), where EF is the fraction (0–1.0) of the asset's value destroyed by one event. A $200,000 asset with EF 0.5 has an SLE of $100,000. SLE is the per-event building block that ARO then annualizes into ALE.Trap Using the full asset value as the SLE and skipping the exposure factor, which overstates per-event loss whenever EF is below 1.0.
4 questions test this
- An organization values a database server at $200,000. A risk assessment determines the exposure factor for a ransomware attack is 50% and…
- A database server is valued at $500,000. A risk analyst determines that a ransomware attack has an exposure factor of 40% and is expected…
- A security analyst determines that a critical database server has an asset value of $200,000 with an exposure factor of 25%. Historical…
- A company's database server has an asset value of $200,000. The security team determines the exposure factor for a specific threat is 50%,…
- ALE annualizes per-event loss: SLE × ARO
Annualized Loss Expectancy is the expected yearly loss from a risk, calculated
ALE = SLE × ARO. An SLE of $100,000 at an ARO of 0.25 (once every four years) yields an ALE of $25,000/yr. ALE is the figure you weigh against a control's annual cost, because both are now expressed per year.Trap Reporting the SLE as the annual loss and forgetting to multiply by ARO, which inflates the yearly figure for any event that does not occur once per year.
7 questions test this
- An organization values a database server at $200,000. A risk assessment determines the exposure factor for a ransomware attack is 50% and…
- An organization's e-commerce platform has a single loss expectancy (SLE) of $120,000 for distributed denial-of-service attacks. Historical…
- Management asks the security team to justify the cost of a proposed $75,000 intrusion prevention system by presenting the expected annual…
- A database server is valued at $500,000. A risk analyst determines that a ransomware attack has an exposure factor of 40% and is expected…
- A security analyst determines that a critical database server has an asset value of $200,000 with an exposure factor of 25%. Historical…
- A company's database server has an asset value of $200,000. The security team determines the exposure factor for a specific threat is 50%,…
- An organization determines that a critical server has an asset value of $500,000 and an exposure factor of 20%. The identified threat has…
- ARO is how many times per year the event is expected
Annualized Rate of Occurrence is the expected frequency of a loss event per year: ARO 0.25 means once every four years, ARO 2 means twice a year. It is the multiplier that converts a per-event SLE into an annual ALE, so a small ARO error swings the whole annualized figure.
Trap Treating ARO as a probability capped at 1.0: a frequent event has ARO above 1 (e.g. 12 for monthly).
4 questions test this
- An organization values a database server at $200,000. A risk assessment determines the exposure factor for a ransomware attack is 50% and…
- An organization's e-commerce platform has a single loss expectancy (SLE) of $120,000 for distributed denial-of-service attacks. Historical…
- A database server is valued at $500,000. A risk analyst determines that a ransomware attack has an exposure factor of 40% and is expected…
- A security analyst determines that a critical database server has an asset value of $200,000 with an exposure factor of 25%. Historical…
- Exposure Factor is the fraction of asset value lost per event
Exposure Factor is the percentage (0%–100%, or 0–1.0) of an asset's value destroyed by a single occurrence of the threat, and it feeds
SLE = AV × EF. A total loss is EF = 1.0; a half-loss is 0.5. EF captures severity-per-event, distinct from ARO, which captures frequency-per-year.Trap Confusing exposure factor with the annualized rate of occurrence, treating a severity-per-event percentage as how often the event happens.
3 questions test this
- An organization values a database server at $200,000. A risk assessment determines the exposure factor for a ransomware attack is 50% and…
- A database server is valued at $500,000. A risk analyst determines that a ransomware attack has an exposure factor of 40% and is expected…
- A security analyst determines that a critical database server has an asset value of $200,000 with an exposure factor of 25%. Historical…
- Justify a control when its cost is below the ALE it removes
The cost/benefit test for a safeguard is
net benefit = (ALE before − ALE after) − annual control cost: implement it when the annual cost is less than the ALE reduction it buys. A $10,000/yr control that removes a $25,000 ALE nets $15,000/yr, so it pays off; a $40,000/yr control against that same risk does not. Cost and benefit must both be annualized to compare.- Quantitative analysis uses dollars; qualitative uses high/med/low
Quantitative risk analysis assigns monetary values (AV, SLE, ALE) so risks compare directly against control cost, but it demands high-quality loss data to be meaningful. Qualitative analysis instead rates likelihood and impact on relative scales (high/medium/low), often plotted on a heat map: faster, needs no dollar data, but not directly comparable to spend. Most programs blend both.
Trap Swapping the two methods, calling the high/medium/low heat-map approach quantitative when it is qualitative analysis that needs no dollar data.
2 questions test this
- Use qualitative analysis when reliable loss data is unavailable
When monetary loss data is scarce or unreliable, a qualitative assessment is the honest choice, because manufacturing precise AV/EF/ARO figures from guesswork produces false confidence. Quantitative techniques generally require high-quality data to be meaningful, so absent that data the relative high/medium/low rating is more defensible than a fabricated dollar figure.
Trap Forcing a quantitative ALE from invented AV/ARO numbers: precise-looking dollars built on guesses mislead decision-makers.
- SY0-701 names four risk assessment cadences
Objective 5.2 tests four assessment types by their trigger and timing: ad hoc (event-triggered, e.g. after a breach or major change), one-time (a single bounded engagement), recurring (a fixed schedule such as quarterly or annual), and continuous (ongoing near-real-time monitoring that feeds risk decisions). The cadence is chosen to match how fast the relevant risk changes.
- There are exactly four risk treatment strategies
After analysis, the risk owner picks one of four responses: mitigate (apply controls to reduce likelihood or impact), transfer (shift the financial impact to a third party, e.g. insurance), avoid (stop the activity that creates the risk), or accept (formally take on the residual risk). These four are the only sanctioned treatments; any plan reduces to one of them.
- Risk acceptance requires a documented, signed-off exception
Acceptance is legitimate only as a documented exception/exemption, approved by the designated risk owner, with a defined review or expiry date. An informal "we'll fix it later" is not acceptance; the formal documentation and sign-off are the testable point, and they make the accepted residual risk auditable rather than forgotten.
Trap Treating an unwritten "we'll get to it" as risk acceptance: without a signed exception and review date it is just an unmanaged gap.
- Transfer offsets financial impact but leaves the vulnerability
Risk transfer (cyber-insurance or a contractual clause) shifts the financial impact of residual risk to a third party, but it is not remediation: the underlying vulnerability stays in place and likelihood is unchanged. It pays for the loss; it does not stop the loss from happening, so it pairs with, rather than replaces, technical controls.
Trap Picking cyber-insurance as the fix for a vulnerability: it covers the cost but the exploitable flaw is still there.
5 questions test this
- A company's risk assessment identifies a high probability of financial loss from a data breach affecting its e-commerce platform.…
- After a quantitative risk assessment, an organization determines that its critical customer database faces a potential $3 million loss from…
- After a risk assessment identifies a potential $2 million financial loss from a data breach, a company purchases a cybersecurity insurance…
- After completing a business impact analysis, an organization determines that a data breach could result in $5 million in financial losses.…
- After implementing firewall rules, endpoint protection, and network segmentation to reduce the likelihood of a data breach, an organization…
- Avoidance eliminates the risk by stopping the activity
Risk avoidance removes a risk entirely by ceasing the activity that creates it: retiring an unsupported product, cancelling a project, or declining to enter a market. It is the only strategy that drives residual risk to zero, but at the cost of forgoing whatever value the activity would have produced, so it is reserved for risks that outweigh their reward.
Trap Confusing avoidance with mitigation, treating added controls that merely reduce a risk as if they eliminated the activity and drove residual risk to zero.
- Senior leadership sets risk appetite, not the security team
Risk appetite is the board/senior-leadership statement of the types and amount of risk, at a broad level, the organization is willing to accept in pursuit of its objectives. It is a governance decision, expressed qualitatively or quantitatively, and security teams operate within it rather than setting it. Appetite is the strategic ceiling that downstream treatment choices must respect.
Trap Assuming the security or IT team defines risk appetite: appetite is owned by the board/senior leadership; security executes within it.
- SY0-701 names three risk-appetite postures
Objective 5.2 lists three appetite postures: expansionary (willing to take on more risk for growth or reward), conservative (minimize risk even at the cost of opportunity), and neutral (a balanced middle stance). The chosen posture shapes which treatment strategies the organization favors: an expansionary firm accepts more, a conservative one mitigates or avoids more.
- Risk tolerance is the acceptable variance around appetite
Risk tolerance is the acceptable level of deviation from the risk appetite for a specific risk or category: the per-risk wiggle room around the strategic line. Appetite sets the broad, organization-wide willingness; tolerance bounds how far an individual risk may stray before action is required, and exceeding tolerance triggers escalation.
Trap Confusing tolerance with appetite, treating the broad organization-wide willingness as if it were the per-risk acceptable deviation around it.
- The risk register records an owner, KRIs, and a threshold per risk
The risk register is the living record of each identified risk and its treatment. Objective 5.2 tests three fields per entry: the risk owner (the one accountable individual who approves treatment or acceptance), the key risk indicators (KRIs) that signal movement, and the risk threshold that, when crossed, triggers action. It is the single source of truth that lets risks aggregate up the enterprise.
- A KRI warns of rising risk; a KPI measures control performance
A Key Risk Indicator (KRI) is a forward-looking metric signaling that a risk is climbing toward its threshold, so it warns before the loss. A Key Performance Indicator (KPI) measures how well a control or process is performing today. The distinction is direction: a KRI is predictive of future risk, a KPI is a current-state measure of effectiveness.
Trap Using a KPI as an early-warning signal: a KPI reports current control performance, not the rising-risk forecast a KRI gives.
- Each risk has exactly one accountable risk owner
Every risk in the register is assigned a single risk owner: the accountable individual who decides the treatment and signs off any acceptance. Naming one owner is what makes a documented exception valid and prevents a risk from falling between teams; shared or unassigned ownership is the failure mode the register exists to close.
Trap Assigning a risk to a committee or shared team instead of one accountable owner, which is the diffused-ownership failure the register is meant to prevent.
- A BIA yields RTO, RPO, MTTR, and MTBF
A Business Impact Analysis identifies critical processes and the consequences of their disruption, producing four recovery metrics: RTO and RPO are targets you set (how fast to restore, how much data loss is tolerable), while MTTR and MTBF are measured system properties (time to repair, time between failures). The BIA's outputs drive continuity and recovery design, including how much redundancy to fund.
Trap Treating MTTR and MTBF as targets you set like RTO and RPO, when they are measured properties of the system rather than goals chosen by the business.
13 questions test this
- A risk manager conducts a business impact analysis across all organizational systems. Which outcome BEST describes the primary deliverable…
- A BIA determines that a financial transaction database can tolerate a maximum of two hours of data loss during a disruption. Which recovery…
- An organization's risk manager initiates a business impact analysis across all business units. Which outcome is the PRIMARY purpose of…
- A storage system has experienced three failures over 9,000 hours of continuous operation. The IT team uses this data to plan proactive…
- An organization begins the business impact analysis process as part of its continuity planning effort. Which activity should be the PRIMARY…
- A BIA team calculates that a critical application server has an MTBF of 500 hours and an MTTR of 10 hours. The organization wants to…
- An organization must identify which business processes are essential to its mission and quantify the potential impact of IT system…
- A BIA specifies that the organization's financial trading platform can tolerate a maximum of 15 minutes of data loss. The current disaster…
- During a BIA, stakeholders require that the e-commerce platform be restored within 4 hours after any outage. The operations team reports…
- An organization needs to identify which business processes are most critical and determine the maximum allowable downtime for each before…
- A data center manager reviews hardware specifications showing that enterprise-grade switches average 25,000 hours of continuous operation…
- A risk manager is initiating a business impact analysis for the organization's critical systems. Which outcome is the PRIMARY focus of the…
- A BIA determines that an organization's customer order database can tolerate no more than four hours of data loss after a disruption. Which…
- Risk reporting frames impact to the right audience
Risk reporting communicates the register's state at the altitude each audience needs: executives and the board see aggregated business-impact framing (ALE, appetite-vs-actual, overdue treatments), while operational teams see specific KRIs and per-control status. Consistent impact-and-frequency documentation is what lets individual registers roll up into one enterprise view, so the same risk reads correctly at every level.
- NIST SP 800-30 and SP 800-37 frame the risk process
NIST SP 800-30 is the Guide for Conducting Risk Assessments, while NIST SP 800-37 defines the Risk Management Framework (RMF), sequencing seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Together they supply the assessment method and the lifecycle that underpin SY0-701's risk-management vocabulary.
Trap Swapping the two documents, attributing the Risk Management Framework to SP 800-30 when it is SP 800-37 that defines the RMF.
- MTBF, MTTR, RTO, and RPO each measure a distinct recovery quantity
MTBF is average uptime between repairable failures (total operational time ÷ number of failures); MTTR is the average time to restore a failed system. RTO is the maximum acceptable time to restore operations after a disruption, and RPO is the point in time to which data must be recovered (the tolerable data loss, in time). When measured MTTR exceeds the RTO, high-availability failover is needed to close the gap.
Trap Confusing RPO with RTO, treating the tolerable data-loss point as if it were the time allowed to restore operations.
16 questions test this
- An organization tracks that replacing a failed firewall appliance takes an average of 45 minutes from failure detection through full…
- After reviewing BIA results, the incident response team finds that the average time to restore the organization's email system after each…
- A BIA determines that a financial transaction database can tolerate a maximum of two hours of data loss during a disruption. Which recovery…
- A storage system has experienced three failures over 9,000 hours of continuous operation. The IT team uses this data to plan proactive…
- During a BIA, the continuity team determines that the payment processing system must be restored within 90 minutes of any disruption to…
- A BIA team calculates that a critical application server has an MTBF of 500 hours and an MTTR of 10 hours. The organization wants to…
- A BIA specifies that the organization's financial trading platform can tolerate a maximum of 15 minutes of data loss. The current disaster…
- A critical application server has an MTBF of 2,000 hours and an MTTR of 10 hours. Management wants to improve system availability based on…
- An organization's BIA reveals that a critical application server has a measured MTTR of 8 hours, but the RTO for that server is 2 hours.…
- During a BIA, stakeholders require that the e-commerce platform be restored within 4 hours after any outage. The operations team reports…
- A company's BIA determines that its financial database can tolerate no more than two hours of data loss during a system failure. Which…
- A data center manager reviews hardware specifications showing that enterprise-grade switches average 25,000 hours of continuous operation…
- An organization's BIA reveals that its order management system must be fully operational within four hours after any disruption and that no…
- A server in a data center operated for a total of 6,000 hours and experienced three failures over the past year. Which metric and value…
- A BIA determines that an organization's customer order database can tolerate no more than four hours of data loss after a disruption. Which…
- A data center tracks that its primary storage array operated for 6,000 total hours and experienced four unplanned failures during that…
Third-Party Risk Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Compliance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Audits and Assessments
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Security Awareness
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.