10 free CompTIA Security+ SY0-701 practice questions for Domain 3, Security Architecture, which is about 18% of the exam. Each question has the correct answer and a clear explanation.
Last updated June 2026
Which device filters traffic between networks and tracks the state of active connections so it can allow return traffic for sessions it already approved?
Correct answer: A. Stateful firewall
A stateful firewall tracks connection state and permits return traffic for established sessions, unlike a stateless packet filter. Switches, hubs, and repeaters move traffic but do not enforce stateful policy.
Which technology creates an encrypted tunnel so a remote employee can securely reach the corporate network over the public Internet?
Correct answer: A. VPN
A VPN (virtual private network) encrypts traffic in a tunnel across an untrusted network. A VLAN segments a LAN, NAT translates addresses, and a DMZ is an isolated subnet for public services.
Which server sits between internal users and the Internet, forwarding their web requests on their behalf and able to cache and filter content?
Correct answer: A. Forward proxy
A forward proxy represents internal clients when they reach out to the Internet, adding caching and content filtering. A reverse proxy fronts internal servers for inbound clients, and a jump server is a hardened admin gateway.
Encrypting information while it travels across a network protects data in which state?
Correct answer: A. Data in transit
Data in transit is data moving across a network, protected by transport encryption such as TLS. Data at rest is stored data, and data in use is data actively being processed in memory.
Under the cloud shared responsibility model for Infrastructure as a Service (IaaS), who is responsible for securing the data and applications the customer places in the cloud?
Correct answer: A. The customer
In IaaS, the provider secures the underlying infrastructure while the customer secures their operating systems, applications, and data. Responsibility is shared, but data and apps belong to the customer.
Which technique distributes incoming requests across multiple backend servers to improve performance and avoid overloading any single one?
Correct answer: A. Load balancing
A load balancer spreads traffic across multiple servers, supporting both performance and availability. Port mirroring copies traffic for monitoring, VLAN tagging labels segmented traffic, and NAT maps addresses.
Which technology provides fault tolerance by mirroring or striping data across multiple physical disks so a single disk failure does not lose data?
Correct answer: A. RAID
RAID combines disks for redundancy and performance so one drive can fail without data loss. Backups protect against larger loss but are not real-time fault tolerance, and journaling and deduplication serve other purposes.
Which type of system directly controls physical industrial processes, such as a water treatment plant, and often runs legacy software that is hard to patch?
Correct answer: A. ICS/SCADA
Industrial control systems (ICS), often managed by SCADA, run physical processes and are frequently legacy and fragile, requiring special protections such as isolation. The other options are general-purpose IT systems.
Which technology packages an application with its dependencies to run in isolation on a shared host operating system kernel, without a full guest OS for each instance?
Correct answer: A. Containerization
Containers share the host kernel and isolate applications with their dependencies, making them lightweight. A virtual machine runs a full guest OS on a hypervisor, which is heavier.
To protect the confidentiality and integrity of data sent to a public web application, which protocol should be implemented?
Correct answer: A. TLS (HTTPS)
TLS encrypts and authenticates web traffic (HTTPS), protecting it in transit. Telnet, FTP, and SNMPv1 all transmit data, including credentials, in cleartext.
Original practice questions aligned to the CompTIA Security+ SY0-701 objectives. CompTIA and Security+ are trademarks of CompTIA, used here for identification only.