CompTIA Security+ (SY0-701) practice questions

983 exam-style questions across all 5 official exam domains, with full answer explanations. Try the samples below, then drill any domain.

Sample questions

Question 1 · Difficulty 3/5

A hospital recently completed a risk assessment, implemented role-based access control lists on its electronic health record system, and hired an armed security guard to monitor the server room entrance. Which control category does the risk assessment belong to? (Select the best answer.)
  A. Physical
  B. Technical
  C. Operational
  D. Managerial

Correct answer: D (Managerial)

A risk assessment is a managerial (also called administrative) control because it is a planning and oversight activity used to guide security decision-making, not an enforcement mechanism. The access control lists are technical controls enforced by the system. The armed guard is a physical control providing a tangible deterrent at the entry point. Operational controls are carried out by people in day-to-day procedures, such as incident response handoffs or backup verification steps.

Question 2 · Difficulty 3/5

A threat intelligence team receives a report describing a multi-year intrusion campaign against aerospace manufacturers in three countries. The attackers used zero-day exploits, custom implants, and carefully maintained persistence while exfiltrating only technical design documents. No ransom demand was ever issued. Which threat actor type best fits this profile? (Select the best answer.)
  A. Organized crime
  B. Hacktivist
  C. Nation-state
  D. Unskilled attacker

Correct answer: C (Nation-state)

Nation-state actors are characterized by significant resources, long dwell times, custom tooling (including zero-day exploitation), and an espionage-focused goal of stealing sensitive intellectual property rather than demanding payment. Organized crime groups prioritize monetization (ransomware, fraud) and rarely invest in years-long covert campaigns. Hacktivists seek public visibility for political causes and typically deface websites or leak data rather than silently exfiltrate classified documents. Unskilled attackers lack the capability to develop zero-days or custom implants.

Question 3 · Difficulty 3/5

An organization hosts a web application on a public cloud platform using an Infrastructure as a Service (IaaS) model. A penetration test reveals that the operating system on several virtual machines has not been patched in eight months. Who is responsible for remediating this finding under the shared responsibility model? (Select the best answer.)
  A. The cloud provider, because it manages all compute infrastructure in an IaaS deployment.
  B. The customer, because guest operating system patching is a customer-owned control in IaaS.
  C. The third-party penetration testing firm, because it identified the vulnerability during the engagement.
  D. The cloud provider, because hypervisor-level vulnerabilities always cascade to guest operating systems.

Correct answer: B (The customer, because guest operating system patching is a customer-owned control in IaaS.)

In an IaaS model, the cloud provider is responsible for the physical hardware, networking fabric, and hypervisor layer, but the customer owns the guest operating system, middleware, runtime, and applications running on top. Operating system patching therefore falls squarely on the customer. The penetration testing firm discovers and reports findings but has no remediation authority or obligation. Hypervisor vulnerabilities are a provider concern, but they are distinct from guest OS patch management, which the customer controls independently.

Question 4 · Difficulty 3/5

An organization uses a configuration management tool to push approved hardening templates to all newly provisioned Linux servers automatically. Six months later, an internal audit reveals that several servers have settings that differ from the approved template. Which maintenance-phase control would most directly prevent this configuration drift from recurring? (Select the best answer.)
  A. Continuous compliance scanning with automated remediation to enforce the approved baseline
  B. Increasing the frequency of vulnerability scans to weekly instead of monthly
  C. Requiring change-advisory board approval before any new server is provisioned
  D. Restricting SSH access to servers so that only the configuration management service account can log in

Correct answer: A (Continuous compliance scanning with automated remediation to enforce the approved baseline)

Continuous compliance scanning (using tools such as OpenSCAP, Ansible, or comparable agent-based solutions) periodically compares live system state against the approved baseline and can automatically revert or flag deviations, directly addressing configuration drift. Increasing vulnerability scan frequency detects software weaknesses but does not compare or enforce configuration settings. Change-advisory board approval controls the provisioning process but does not detect drift on already-running systems. Restricting SSH access reduces the attack surface but does not prevent authorized processes or local changes from causing drift, nor does it detect or correct deviations once they occur.

Question 5 · Difficulty 3/5

A company's operations were severely disrupted after a ransomware attack encrypted its primary database servers. During the post-incident review, executives discover no documented procedure exists for restoring systems to normal operation after a declared disaster. Which policy document is most urgently absent? (Select the best answer.)
  A. Incident response policy
  B. Disaster recovery policy
  C. Business continuity policy
  D. Change management policy

Correct answer: B (Disaster recovery policy)

A disaster recovery policy and its supporting plans focus on restoring IT systems, infrastructure, and data after a disruptive event, which is exactly the gap identified. An incident response policy covers how to detect, contain, and eradicate an active threat, which addresses the attack itself rather than the restoration of systems afterward. A business continuity policy focuses on maintaining or resuming critical business functions during a disruption, not specifically on the technical restoration of systems. Change management policy governs controlled modifications to systems in normal operations and is unrelated to post-disaster recovery.
