CompTIA Security+ Practice Test of the Day 260320

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.4 (Explain security alerting and monitoring concepts and tools.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260320

10 questions • Single best answer

Question 1

A SOC analyst at a large enterprise is tasked with centralizing log data from hundreds of network devices, servers, and cloud workloads to enable real-time correlation and alerting. The current environment relies on individual teams manually reviewing logs from each system in isolation, which has resulted in several security incidents going undetected for days. Management has approved the purchase of a new security tool that will ingest, normalize, and correlate events across all sources from a single console. Which tool BEST fits this requirement?

A. Vulnerability scanner B. Security information and event management (SIEM) C. Data loss prevention (DLP) D. Simple Network Management Protocol (SNMP) manager

Question 2

A security analyst working in a mid-sized company's SOC has noticed that the intrusion detection system generates over 2,000 alerts per day, but fewer than 50 are found to be genuine threats after investigation. The remaining alerts are triggered by legitimate business activities — such as large scheduled file transfers, authorized remote access sessions, and routine vulnerability scans — that the detection rules were not originally configured to account for. The analyst wants to reduce the volume of low-value noise without disabling detection rules entirely. Which monitoring activity BEST describes what the analyst should perform?

A. Quarantine B. Archiving C. Alert tuning D. Benchmarking

Question 3

A network security engineer at a financial institution is implementing a solution to detect unusual outbound traffic patterns without capturing the full content of network packets. The organization's compliance requirements prohibit deep packet inspection on certain network segments that carry sensitive financial data. The engineer wants to collect metadata about traffic flows — including source IP, destination IP, port numbers, protocol type, and byte counts — to baseline normal behavior and flag deviations. Which tool or technology is BEST suited for this purpose?

A. Antivirus B. NetFlow C. File integrity monitoring (FIM) D. Security Content Automation Protocol (SCAP)

Question 4

An analyst in a SOC receives an alert indicating that a workstation in the accounting department has begun communicating with a known command-and-control (C2) IP address that matches an indicator of compromise from a recent threat intelligence feed. The endpoint detection and response (EDR) platform confirms that the system has active network connections to the suspicious host and that several unusual processes are running in memory. The analyst needs to immediately halt the potential spread of infection while preserving the system for forensic investigation. Which alert response action should the analyst take FIRST?

A. Reimage the endpoint immediately to restore a known-good state B. Disable the user's Active Directory account to prevent credential misuse C. Quarantine the affected system to isolate it from the network D. Archive the endpoint's logs to the SIEM before taking any action

Question 5

A network administrator at a healthcare organization is configuring a monitoring solution for the enterprise's routers, switches, and network appliances. Rather than the monitoring system repeatedly polling each device at regular intervals to check status, the organization wants devices to proactively notify the monitoring platform when a specific condition occurs — such as a link going down, CPU utilization exceeding a defined threshold, or repeated authentication failures. Which mechanism enables network devices to push unsolicited event notifications to a central management station when predefined conditions are met?

A. NetFlow exports B. SNMP traps C. Syslog forwarding D. SCAP benchmarks

Question 6

A vulnerability management team at a government contractor is conducting internal vulnerability scans on Windows servers that are part of a classified network segment. During the initial scan run without providing any authentication credentials to the scanner, the results appear sparse and miss several known vulnerabilities that were confirmed in a previous manual audit — including outdated software versions, missing patches, and weak local user configurations. The team lead explains that the scanner's findings are limited because it cannot access detailed system configuration data without proper access. Which type of scan would provide the MOST comprehensive and accurate vulnerability results?

A. Passive network scan B. External unauthenticated scan C. Credentialed (authenticated) scan D. Agentless scan using SNMP

Question 7

The security team at a law firm recently discovered that several confidential client case files had been sent to personal Gmail accounts by employees working remotely over a period of weeks. The firm's existing endpoint security tools were not configured to inspect the content of outbound emails or browser-based file uploads, which allowed the transfers to go undetected. The CISO has directed the team to implement a solution that can inspect, classify, and block the unauthorized transmission of sensitive documents based on content-aware policies — regardless of whether the transfer occurs via email, cloud storage, or web upload. Which tool BEST addresses this requirement?

A. Security information and event management (SIEM) B. Host-based intrusion prevention system (HIPS) C. Data loss prevention (DLP) D. Vulnerability scanner

Question 8

A federal agency's information security team is working to automate compliance checks against NIST configuration baselines across thousands of endpoints distributed across multiple data centers. The team wants to use a standardized, machine-readable framework that allows security policies to be expressed consistently, evaluated automatically against endpoints, and integrated with the agency's compliance reporting dashboard. The solution must also be compatible with industry-standard vulnerability enumeration databases such as CVE and CCE. Which framework or protocol is specifically designed to support this type of automated security configuration assessment and reporting?

A. Simple Network Management Protocol (SNMP) B. Security Content Automation Protocol (SCAP) C. NetFlow D. Syslog

Question 9

A security operations team is evaluating whether to use an agent-based or agentless approach to monitor a new cloud environment consisting of thousands of short-lived virtual machines that are part of an autoscaling group. The VMs are spun up and terminated dynamically within minutes based on application demand, making software installation and lifecycle management on each instance operationally impractical. The cloud provider offers native API-based log collection, flow log export, and event streaming services. Which monitoring approach is MOST appropriate for this environment, and what is the PRIMARY reason for that choice?

A. Agent-based monitoring, because agents provide more granular kernel-level telemetry than API-based methods B. Agentless monitoring, because it does not require software installation or lifecycle management on ephemeral instances C. Host-based IDS on each instance, because it provides the most comprehensive per-host visibility D. SNMP polling, because it collects configuration and performance data from all running instances

Question 10

A compliance officer at a publicly traded company informs the security operations team that industry regulations require all security event logs to be retained for a minimum of seven years and must remain available and retrievable for regulatory audit on demand. The SOC currently retains logs in a hot-storage SIEM for only 90 days before they are automatically purged, creating a significant compliance gap. The team needs to implement a long-term log retention strategy that satisfies the regulatory mandate while managing storage costs through the use of lower-cost, less frequently accessed storage tiers. Which monitoring activity BEST describes the practice of moving completed log data to long-term, cost-effective storage while preserving its integrity for future retrieval?