A full 30-question CompTIA Security+ SY0-701 practice test spanning all five domains, weighted like the real exam. Every question has the correct answer and a clear explanation. No account, no payment, nothing to install. Work through it, then reveal each answer.
Last updated June 2026
A distributed denial-of-service attack overwhelms a web server so legitimate customers cannot reach the site. Which part of the CIA triad is most directly affected?
Correct answer: C. Availability
Availability means authorized users can access systems and data when needed, and a DDoS attack denies that access. Confidentiality is about secrecy, and integrity is about data not being altered; neither is the primary target here.
A fence around a data center and a security guard at the door are examples of which category of security control?
Correct answer: B. Physical
Physical controls protect people and facilities in the real world, such as fences, locks, guards, and cameras. Technical controls are implemented in hardware or software, managerial controls are policies, and operational controls are processes people carry out.
A security camera records who enters a server room so footage can be reviewed after an incident. Which control function does this best describe?
Correct answer: B. Detective
A detective control identifies and records that an event happened so it can be investigated. A preventive control would stop the entry, a corrective control fixes damage after the fact, and a compensating control is an alternative used when the primary control is not feasible.
Why does a system add a unique random salt to each password before hashing and storing it?
Correct answer: A. So identical passwords produce different hashes and precomputed (rainbow table) attacks fail
A salt is random data added to each password so that two users with the same password get different stored hashes, which defeats rainbow tables and makes mass cracking far harder. Hashes are one-way, so salting has nothing to do with decryption or compression.
An unauthorized person follows an employee through a badge-controlled door before it closes, without presenting any credentials and while the employee is unaware. What is this called?
Correct answer: B. Tailgating
Tailgating is following an authorized person through a secure entry without authenticating. Shoulder surfing is observing someone enter credentials, pretexting is inventing a scenario to extract information, and phishing is a fraudulent message.
An attacker submits ' OR '1'='1 into a website login field and gains access without valid credentials. Which attack is this?
Correct answer: B. SQL injection
SQL injection inserts crafted SQL into an input so the database executes it, here making the WHERE clause always true. XSS injects scripts that run in other browsers, CSRF abuses an authenticated session, and directory traversal reaches files outside the web root.
A flaw is being actively exploited in the wild before the vendor has released any patch or even acknowledged it. What is this known as?
Correct answer: A. A zero-day vulnerability
A zero-day is a vulnerability exploited before a fix is available, so defenders have had zero days to patch. A logic bomb triggers on a condition, a race condition is a timing flaw, and a legacy issue stems from outdated unsupported systems.
An attacker secretly positions themselves between two parties, relaying and potentially altering messages while both believe they are communicating directly. Which attack is this?
Correct answer: B. On-path attack
An on-path attack (formerly man-in-the-middle) intercepts and may modify traffic between two endpoints. A replay attack resends captured data, an amplification attack inflates traffic volume for a DDoS, and a watering hole compromises a site the target visits.
A disgruntled employee with valid access copies confidential customer files to sell to a competitor. Which type of threat actor is this?
Correct answer: C. Insider threat
An insider threat is someone with legitimate access who misuses it. Nation-state actors are well-funded and government-backed, hacktivists are driven by a cause, and script kiddies use existing tools without deep skill.
After compromising a standard user account, an attacker exploits a vulnerability to gain administrator-level rights on the same system. What is this technique called?
Correct answer: B. Privilege escalation
Privilege escalation is gaining higher permissions than originally granted. Lateral movement is spreading to other systems, persistence is maintaining access across reboots, and reconnaissance is gathering information about a target.
Which mitigation most directly reduces the risk that a single stolen password gives an attacker access to an account?
Correct answer: A. Multifactor authentication
Multifactor authentication requires an additional factor beyond the password, so a stolen password alone is not enough to log in. Disk encryption protects data at rest, and a web application firewall filters web traffic, neither of which addresses a reused or stolen credential directly.
Layering multiple independent security controls so that if one fails the others still protect the asset is best described as which strategy?
Correct answer: A. Defense in depth
Defense in depth uses overlapping layers so no single failure exposes the asset. Separation of duties splits a task among people, least privilege limits permissions, and implicit deny blocks anything not explicitly allowed.
Where should a public-facing web server be placed to keep Internet traffic away from the internal network?
Correct answer: B. In a screened subnet (DMZ)
A screened subnet (DMZ) is an isolated network segment between the Internet and the internal LAN for public-facing services, so a compromise of the web server does not directly expose internal systems. Placing it on the LAN or a domain controller would put internal resources at risk.
Which control best protects the confidentiality of data on a laptop if the device is lost or stolen?
Correct answer: A. Full disk encryption
Full disk encryption renders the stored data unreadable without the key, so a thief who removes or boots the drive cannot read it. Antivirus, a screen saver password alone, and a firewall do not protect data that is read directly off the disk.
Which technique divides a network into smaller isolated zones to limit how far an attacker can move after a breach?
Correct answer: A. Segmentation
Segmentation (for example with VLANs or microsegmentation) isolates parts of the network so a compromise in one zone cannot freely reach others. Port mirroring copies traffic for monitoring, link aggregation combines links for bandwidth, and NAT maps addresses.
A backup copies all data that has changed since the last full backup, regardless of any backups taken in between. Which backup type is this?
Correct answer: B. Differential
A differential backup captures everything changed since the last full backup, so restoring needs only the full plus the latest differential. An incremental captures changes since the last backup of any type, a full copies everything, and a snapshot is a point-in-time image.
Which tool collects and correlates log and event data from many sources to support real-time alerting and investigation?
Correct answer: A. SIEM
A SIEM (Security Information and Event Management) aggregates logs from across the environment, correlates them, and raises alerts. DLP prevents data exfiltration, a proxy mediates web requests, and a load balancer distributes traffic.
A user is granted only the permissions required to do their job and nothing more. Which principle does this describe?
Correct answer: A. Least privilege
Least privilege limits each user to the minimum access needed, shrinking what an attacker gains if the account is compromised. Separation of duties splits sensitive tasks, while mandatory vacation and job rotation are controls that expose fraud over time.
Which sequence best represents the order of the incident response process?
Correct answer: A. Preparation, Identification, Containment, Eradication, Recovery, Lessons learned
Incident response runs preparation first, then identification (detection), containment to stop the spread, eradication to remove the cause, recovery to restore operations, and finally lessons learned to improve. Containment must come before eradication and recovery.
Which solution is designed to detect and block sensitive information, such as credit card numbers, from leaving the organization over email or uploads?
Correct answer: A. Data loss prevention (DLP)
DLP inspects data in use, in motion, and at rest to stop sensitive content from being exfiltrated. NAC controls device admission to the network, an IDS alerts on intrusions, and SOAR automates response workflows.
Logging in with a fingerprint is an example of which authentication factor?
Correct answer: C. Something you are
A fingerprint is a biometric trait, which is the "something you are" (inherence) factor. Something you know is a password or PIN, something you have is a token or phone, and somewhere you are is location based.
What is the practice of regularly applying vendor-released updates to remediate known software vulnerabilities called?
Correct answer: A. Patch management
Patch management is the process of identifying, testing, and deploying updates that fix vulnerabilities. Penetration testing simulates attacks, threat hunting proactively searches for hidden threats, and a tabletop exercise rehearses incident response on paper.
Which technology checks a device for compliance, such as current patches and antivirus, before allowing it to connect to the network?
Correct answer: A. Network access control (NAC)
NAC enforces a posture check and admits, quarantines, or blocks devices based on compliance. A VPN encrypts a remote connection, DNS resolves names to addresses, and SSO lets a user authenticate once for many services.
Which mechanism lets a client confirm that a digital certificate has not been revoked by the issuing authority?
Correct answer: A. A certificate revocation list (CRL)
A CRL is a published list of certificates the CA has revoked, so clients can reject them (OCSP is the real-time alternative). A CSR requests a new certificate, a self-signed certificate has no external trust, and a private key is the secret half of a key pair.
After an organization applies controls to reduce a risk, what is the level of risk that still remains called?
Correct answer: B. Residual risk
Residual risk is what remains after controls are applied. Inherent risk is the risk before any controls, risk appetite is how much risk the organization is willing to accept, and transferred risk is shifted to a third party such as an insurer.
A company decides not to offer a new online service at all because the associated security risk is unacceptable. Which risk response is this?
Correct answer: B. Risk avoidance
Risk avoidance eliminates the risk by not engaging in the activity. Acceptance takes no action and absorbs the risk, transference shifts it to a third party, and mitigation reduces likelihood or impact with controls.
Which agreement defines the expected level of service, including uptime and response times, between a provider and a customer?
Correct answer: A. Service level agreement (SLA)
An SLA specifies measurable service commitments such as uptime and response times. An MOU is a broad statement of intent, an NDA protects confidential information, and a BPA governs a partnership between businesses.
Who is ultimately responsible for classifying a set of data and deciding who may access it?
Correct answer: A. The data owner
The data owner is accountable for classifying data and authorizing access. The custodian implements and maintains the controls, the processor handles data on behalf of the controller, and the data subject is the individual the data is about.
Which metric defines the maximum acceptable amount of time to restore a system or service after an outage?
Correct answer: A. Recovery time objective (RTO)
RTO is the target time to bring a system back after an outage. RPO is the maximum acceptable amount of data loss measured in time, and MTBF is the average time between failures of a system.
Before signing with a cloud provider, an organization researches the vendor's certifications, financial health, and security posture. How is this investigation best described?
Correct answer: A. Due diligence
Due diligence is the up-front investigation of a vendor before entering an agreement. Separation of duties splits sensitive tasks, change management governs how changes are approved, and an acceptable use policy defines proper use of systems.
This is a free sample. SecPlus Mastery has over 1,000 practice questions, full timed mock exams that mirror the 90-question format, spaced review that targets your weak spots, and lessons across all five domains.
Want to drill one area at a time? Each domain has its own free question set.
More free study: practice questions by topic, the ports cheat sheet, and the acronyms glossary.
Original practice questions aligned to the CompTIA Security+ SY0-701 objectives. CompTIA and Security+ are trademarks of CompTIA, used here for identification only.