Q1. Which tool is BEST for analyzing network traffic for malicious activity? (Q-627fe0)
- A.Nmap
- B.Wireshark✓ Correct
- C.Metasploit
- D.Nessus
Explanation: Wireshark is a packet analyzer for deep traffic inspection. Learn more.
CompTIA CySA+ Practice Questions: Security Operations
64 free, exam-style CompTIA CySA+ (CS0-003) practice questions covering Security Operations. Each question shows the correct answer and a clear explanation. Ready for the real thing? Take the full timed quiz below.
Q2. What does a SIEM primarily help with? (Q-924431)
- A.Vulnerability scanning
- B.Log aggregation and correlation✓ Correct
- C.Penetration testing
- D.Endpoint detection
Explanation: SIEM tools aggregate and correlate logs for threat detection. Learn more.
Q3. Which protocol is commonly exploited in DDoS amplification attacks? (Q-627fe4)
- A.HTTPS
- B.DNS✓ Correct
- C.SSH
- D.FTP
Explanation: DNS amplification abuses open resolvers. Learn more.
Q4. What is the PRIMARY goal of threat hunting? (Q-924435)
- A.To react to alerts
- B.To proactively identify undetected threats✓ Correct
- C.To patch vulnerabilities
- D.To audit compliance
Explanation: Threat hunting proactively searches for adversaries. Learn more.
Q5. What is the PRIMARY use of NetFlow data? (Q-924437)
- A.Malware analysis
- B.Network traffic monitoring✓ Correct
- C.Password cracking
- D.Disk encryption
Explanation: NetFlow provides metadata for traffic analysis. Learn more.
Q6. What does EDR stand for? (Q-924438)
- A.Endpoint Detection and Response✓ Correct
- B.Encrypted Data Recovery
- C.Event Data Repository
- D.Exploit Detection and Remediation
Explanation: EDR monitors endpoints for threats. Learn more.
Q7. Which type of security control is a firewall? (Q-924441)
- A.Administrative
- B.Technical✓ Correct
- C.Physical
- D.Compensating
Explanation: Firewalls are technical controls that filter network traffic. Learn more.
Q8. Which tool would you use to scan for open ports? (Q-924444)
- A.Nessus
- B.Nmap✓ Correct
- C.Wireshark
- D.Burp Suite
Explanation: Nmap is a network scanning tool that identifies open ports. Learn more.
Q9. Which of the following is an example of a technical control? (Q-924453)
- A.Security policy
- B.Firewall rule✓ Correct
- C.Background checks
- D.Security awareness training
Explanation: Firewall rules are technical controls that enforce security policies. Learn more.
Q10. What does SOAR stand for in security operations? (Q-627ffa)
- A.Security Orchestration, Automation, and Response✓ Correct
- B.Systematic Observation and Analysis Reporting
- C.Secure Operations and Asset Recovery
- D.Standardized Operational Assessment Rules
Explanation: SOAR platforms automate and streamline incident response. Learn more.
Q11. Which tool would you use to analyze logs for security events? (Q-924462)
- A.Nmap
- B.SIEM✓ Correct
- C.Metasploit
- D.Wireshark
Explanation: SIEM tools aggregate and analyze logs for threat detection. Learn more.
Q12. Which of the following BEST describes a false positive in security monitoring? (Q-924470)
- A.A threat that was correctly identified
- B.A benign event flagged as malicious✓ Correct
- C.A missed attack
- D.A zero-day exploit
Explanation: False positives are legitimate activities mistakenly classified as threats. Learn more.
Q13. What does the 'S' in 'SOAR' stand for? (Q-628009)
- A.Security✓ Correct
- B.System
- C.Software
- D.Standard
Explanation: SOAR = Security Orchestration, Automation, and Response. Learn more.
Q14. Which protocol is used for network device logging? (Q-924472)
- A.SNMP
- B.Syslog✓ Correct
- C.HTTPS
- D.DNS
Explanation: Syslog is a standard for message logging across network devices. Learn more.
Q15. Which tool is used for network intrusion detection? (Q-924477)
- A.Nessus
- B.Snort✓ Correct
- C.Metasploit
- D.John the Ripper
Explanation: Snort is an open-source NIDS (Network Intrusion Detection System). Learn more.
Q16. Which Windows Event Log tracks authentication attempts? (Q-924484)
- A.System
- B.Application
- C.Security✓ Correct
- D.Setup
Explanation: The Security log records authentication and authorization events. Learn more.
Q17. Which Linux command lists all open network connections? (Q-924485)
- A.netstat -tuln✓ Correct
- B.ls -la
- C.chmod 777
- D.cat /etc/passwd
Explanation: netstat -tuln shows listening ports and active connections. Learn more.
Q18. What does UEBA stand for in security analytics? (Q-628023)
- A.User Entity Behavior Analytics✓ Correct
- B.Unified Event Backup Archive
- C.Universal Encryption Byte Algorithm
- D.User Endpoint Baseline Assessment
Explanation: UEBA detects anomalies in user/entity behavior. Learn more.
Q19. Which Windows command displays active TCP connections? (Q-924493)
- A.ipconfig
- B.netstat -ano✓ Correct
- C.tracert
- D.ping
Explanation: netstat -ano shows active connections and process IDs. Learn more.
Q20. What does FIM stand for in security monitoring? (Q-628031)
- A.File Integrity Monitoring✓ Correct
- B.Forensic Incident Management
- C.Firewall Intrusion Mitigation
- D.Federated Identity Management
Explanation: FIM detects unauthorized changes to critical files. Learn more.
Q21. Which Windows command lists scheduled tasks? (Q-924511)
- A.schtasks✓ Correct
- B.ipconfig
- C.netstat
- D.tracert
Explanation: schtasks displays scheduled tasks, which attackers often abuse for persistence. Learn more.
Q22. Which Windows command lists scheduled tasks? (Q-924529)
- A.schtasks✓ Correct
- B.ipconfig
- C.netstat
- D.tracert
Explanation: schtasks displays scheduled tasks, which attackers abuse for persistence. Learn more.
Q23. Which Windows command lists scheduled tasks? (Q-924539)
- A.schtasks✓ Correct
- B.ipconfig
- C.netstat
- D.tracert
Explanation: schtasks displays scheduled tasks, which attackers abuse for persistence. Learn more.
Q24. Which Windows command lists scheduled tasks? (Q-924549)
- A.schtasks✓ Correct
- B.ipconfig
- C.netstat
- D.tracert
Explanation: schtasks displays scheduled tasks, which attackers abuse for persistence. Learn more.
Q25. What does a sudden increase in failed SSH login attempts from diverse IP addresses indicate?
- A.Normal user behavior
- B.Password spraying attack✓ Correct
- C.DDoS attack
- D.Network misconfiguration
Explanation: Password spraying targets multiple accounts with common passwords across an organization. Learn more.
Q26. What is the PRIMARY benefit of implementing endpoint detection and response (EDR) solutions?
- A.Preventing all malware infections
- B.Providing visibility and response capabilities✓ Correct
- C.Reducing firewall rules
- D.Automating patching
Explanation: EDR solutions provide continuous monitoring and advanced threat detection on endpoints. Learn more.
Q27. Which Windows Event Log would contain information about service failures?
- A.System✓ Correct
- B.Security
- C.Application
- D.Setup
Explanation: The System log records service start/stop events and failures. Learn more.
Q28. Which technique would be MOST effective for detecting DNS tunneling?
- A.Blocking all DNS traffic
- B.Analyzing query lengths and frequencies✓ Correct
- C.Disabling DNS caching
- D.Monitoring TCP connections
Explanation: DNS tunneling often uses unusually long queries or high query volumes. Learn more.
Q29. When reviewing NetFlow data, what would a spike in traffic to TCP port 445 indicate?
- A.Increased web browsing
- B.SMB exploitation attempts✓ Correct
- C.Email server usage
- D.DNS queries
Explanation: Port 445 is used by SMB and is a common target for wormable exploits. Learn more.
Q30. What does a SIEM alert for 'unusual process spawning from Office applications' indicate?
- A.Normal macro operation
- B.Potential macro malware✓ Correct
- C.Software update
- D.Document conversion
Explanation: Malicious Office macros often spawn additional processes like PowerShell or cmd. Learn more.
Q31. Which technique would be MOST effective for detecting living-off-the-land binaries?
- A.Signature-based antivirus
- B.Behavioral analysis✓ Correct
- C.Port scanning
- D.Vulnerability scanning
Explanation: Behavioral analysis can detect when legitimate tools are used maliciously. Learn more.
Q32. When analyzing packet captures, what would a large number of ICMP Echo Requests indicate?
- A.Normal network operation
- B.Ping sweep or DoS attempt✓ Correct
- C.Network congestion
- D.Firewall misconfiguration
Explanation: Excessive ICMP requests may indicate reconnaissance or flood attacks. Learn more.
Q33. What does the presence of unexpected WMI event subscriptions indicate?
- A.Normal monitoring
- B.Persistence mechanism✓ Correct
- C.Software install
- D.Performance tuning
Explanation: Attackers use WMI subscriptions for persistence and execution. Learn more.
Q34. Which technique would detect C2 traffic in encrypted channels?
- A.Decrypting all traffic
- B.Analyzing TLS fingerprints✓ Correct
- C.Blocking encryption
- D.Checking file hashes
Explanation: TLS fingerprinting can identify malicious C2 without decryption. Learn more.
Q35. What is the PRIMARY purpose of threat intelligence in a SIEM?
- A.Reduce storage needs
- B.Provide context for IOCs✓ Correct
- C.Replace correlation rules
- D.Encrypt log data
Explanation: Threat intel enriches alerts with information about known malicious indicators. Learn more.
Q36. When reviewing auth logs, what would failed NTLM followed by successful Kerberos indicate?
- A.Password spray✓ Correct
- B.Normal behavior
- C.Misconfiguration
- D.Token replay
Explanation: This pattern suggests an attacker found valid credentials through spraying. Learn more.
Q37. What does a SIEM alert for 'long PowerShell commands' indicate?
- A.Admin task
- B.Obfuscated script✓ Correct
- C.Software install
- D.System update
Explanation: Attackers often use long, obfuscated PowerShell commands. Learn more.
Q38. Which technique would detect DLL side-loading?
- A.File hashes
- B.DLL load paths✓ Correct
- C.CPU usage
- D.Firewall logs
Explanation: Examining DLL load paths can reveal side-loading attempts. Learn more.
Q39. What is the PRIMARY purpose of a deception technology solution?
- A.Prevent all attacks
- B.Early attacker detection✓ Correct
- C.Reduce firewall rules
- D.Automate patching
Explanation: Deception tech lures attackers into revealing themselves. Learn more.
Q40. When analyzing logs, what does Event ID 4672 followed by PsExec indicate?
- A.Normal admin activity
- B.Lateral movement✓ Correct
- C.Scheduled task
- D.Software install
Explanation: This sequence suggests privilege escalation and lateral movement. Learn more.
Q41. What does a spike in DNS queries for random subdomains indicate?
- A.New website
- B.DNS exfiltration
- C.DGA activity✓ Correct
- D.Resolver issue
Explanation: Domain Generation Algorithms create random domains for C2 communication. Learn more.
Q42. Which log would be MOST useful for investigating web app brute force attacks?
- A.DNS logs
- B.Web server logs✓ Correct
- C.NetFlow
- D.Firewall logs
Explanation: Web server logs record authentication attempts and HTTP status codes. Learn more.
Q43. What is the PRIMARY benefit of canary tokens?
- A.Prevent breaches
- B.Early access detection✓ Correct
- C.Improve performance
- D.Automate patching
Explanation: Canary tokens trigger alerts when accessed, revealing intrusions. Learn more.
Q44. What does a spike in GPO modifications indicate?
- A.Normal maintenance
- B.Policy rollout
- C.Domain admin compromise✓ Correct
- D.New server
Explanation: Attackers with domain admin often modify GPOs for persistence. Learn more.
Q45. Which log source would be MOST valuable for insider threats?
- A.DLP logs✓ Correct
- B.DNS logs
- C.Switch logs
- D.CPU logs
Explanation: DLP logs track attempts to access or transfer sensitive data. Learn more.
Q46. Which technique would detect beaconing malware?
- A.Periodic outbound connections✓ Correct
- B.CPU usage
- C.File hashes
- D.Login times
Explanation: Beaconing creates regular callbacks to C2 servers. Learn more.
Q47. What does unexpected scheduled tasks with obfuscated commands indicate?
- A.System maintenance
- B.Persistence mechanism✓ Correct
- C.Backup process
- D.Software update
Explanation: Attackers use scheduled tasks for persistence with hidden commands. Learn more.
Q48. What is the PRIMARY benefit of network segmentation?
- A.Improve speed
- B.Contain lateral movement✓ Correct
- C.Reduce firewall rules
- D.Simplify logging
Explanation: Segmentation limits how far an attacker can spread. Learn more.
Q49. What does a high volume of requests to pastebin.com indicate?
- A.Research
- B.Data exfiltration✓ Correct
- C.Updates
- D.Web development
Explanation: Attackers often use paste sites to exfiltrate small data amounts. Learn more.
Q50. What does 'unusual after-hours file access' indicate?
- A.Backup
- B.Compromised credentials✓ Correct
- C.Maintenance
- D.Automated process
Explanation: Access during unusual hours may indicate stolen credentials. Learn more.
Q51. Which technique would detect process hollowing?
- A.File hashes
- B.Memory structures✓ Correct
- C.CPU usage
- D.Scheduled tasks
Explanation: Process hollowing can be detected by examining memory structures. Learn more.
Q52. What does a large number of TCP SYN packets without ACKs indicate?
- A.Normal TCP
- B.SYN flood✓ Correct
- C.Congestion
- D.Firewall issue
Explanation: Half-open connections are characteristic of SYN flood attacks. Learn more.
Q53. Which Event Log contains account lockouts?
- A.System
- B.Security✓ Correct
- C.Application
- D.Setup
Explanation: The Security log records authentication events including lockouts. Learn more.
Q54. What does unexpected PowerShell in TEMP directories indicate?
- A.Windows maintenance
- B.Malicious scripts✓ Correct
- C.Software install
- D.Backup
Explanation: Attackers often use PowerShell for fileless attacks in temp folders. Learn more.
Q55. What does 'RDP connections followed by unusual process execution' indicate?
- A.Admin activity
- B.Lateral movement✓ Correct
- C.Maintenance
- D.Deployment
Explanation: This pattern suggests an attacker moving through the network. Learn more.
Q56. Which technique would detect credential dumping?
- A.Monitor LSASS access✓ Correct
- B.Analyze DNS
- C.Review firewall
- D.Check CPU
Explanation: Credential dumping often involves accessing LSASS process memory. Learn more.
Q57. What would multiple SYN packets to sequential ports indicate?
- A.Single packet
- B.Port scan✓ Correct
- C.Established TCP
- D.UDP broadcast
Explanation: Port scans typically involve systematic connection attempts. Learn more.
Q58. What is the PRIMARY purpose of threat hunting?
- A.Respond to alerts
- B.Proactively search for threats✓ Correct
- C.Generate reports
- D.Monitor performance
Explanation: Threat hunting involves actively searching for undetected threats. Learn more.
Q59. Which log file on a Linux system typically records user login sessions?
- A./var/log/syslog
- B./var/log/auth.log
- C./var/log/wtmp✓ Correct
- D./var/log/kern.log
Explanation: /var/log/wtmp maintains a history of all login and logout activities. It is a binary file accessed with the 'last' command. Learn more.
Q60. A SIEM rule triggers only when a failed VPN login is followed by a successful login from a new country. What capability is being used?
- A.Correlation✓ Correct
- B.Disk imaging
- C.Port mirroring only
- D.Password spraying
Explanation: Correlation combines multiple events into a higher-confidence alert that a single log entry might not justify. Learn more.
Q61. Which analytics approach flags activity that differs from a user or host baseline?
- A.UEBA✓ Correct
- B.RAID
- C.VLSM
- D.NTP
Explanation: User and entity behavior analytics compares observed activity with baselines to identify anomalies. Learn more.
Q62. What is the purpose of baselining normal network traffic?
- A.To make abnormal patterns easier to detect✓ Correct
- B.To remove the need for logging
- C.To guarantee zero false positives
- D.To encrypt all packets
Explanation: A baseline helps analysts distinguish expected behavior from unusual spikes, destinations, protocols, or timing. Learn more.
Q63. Which log field is most useful for connecting separate web requests to the same authenticated user?
- A.Session identifier or user ID✓ Correct
- B.Monitor serial number
- C.Printer tray number
- D.CPU fan speed
Explanation: User and session identifiers help analysts correlate related activity across requests and systems. Learn more.
Q64. Which control helps detect unauthorized changes to critical system files?
- A.File integrity monitoring✓ Correct
- B.Screen saver timeout
- C.DHCP reservation
- D.Cable tester
Explanation: File integrity monitoring alerts when important files change unexpectedly. Learn more.
More CompTIA CySA+ practice topics
- Threat Management (53)
- Cloud Security (45)
- Incident Response (44)
- Security Operations and Monitoring (32)
- Access Control (21)
- Network Security (18)
- Risk Management (17)
- Software Security (16)
- Data Security (14)
- Vulnerability Management (11)
- Cryptography (10)
- Compliance (9)
- Threat Intelligence (9)
- Threat Detection (7)
- Threat and Vulnerability Management (5)
- More Practice Questions (15)
- All CompTIA CySA+ topics →