CompTIA Security+ Practice Test of the Day 260518

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.3 (Explain various activities associated with vulnerability management) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260518

10 questions • Single best answer

Question 1

A penetration tester is scoping an engagement for a regional bank. The client wants visibility into known weaknesses across web servers without authorizing active exploitation of those flaws. Which activity BEST fits this requirement?

A. Penetration testing B. Bug bounty program C. Vulnerability scanning D. System/process audit

Question 2

A DevSecOps engineer submits an application build for review before deployment. An automated tool analyzes the source code without executing it, flagging insecure functions and hardcoded credentials. Which application security technique is being used?

A. Dynamic analysis B. Fuzzing C. Package monitoring D. Static analysis

Question 3

A security team receives scan results showing 60 findings across production systems. With limited remediation resources, the team needs to determine which vulnerabilities to address first. Which framework provides standardized severity scores to guide prioritization?

A. Common Vulnerability Enumeration (CVE) B. Common Vulnerability Scoring System (CVSS) C. Exposure factor calculation D. OSINT threat feeds

Question 4

A vulnerability scanner flags a critical command injection flaw in a web application. The security team investigates and confirms all user inputs are properly validated and sanitized. What type of finding has the scanner produced?

A. True positive B. False negative C. Zero-day vulnerability D. False positive

Question 5

A SaaS company wants independent security researchers to identify and report vulnerabilities in its public-facing applications in exchange for financial rewards. Which program should the company establish to formalize this effort?

A. Penetration testing contract B. Bug bounty program C. Information-sharing organization membership D. Scheduled system audit

Question 6

An analyst wants to identify CVEs being actively discussed and traded on underground forums before they appear in public feeds. Which threat intelligence source provides this type of early visibility?

A. OSINT feeds B. Information-sharing organization C. Dark web monitoring D. Proprietary/third-party feed

Question 7

A DevSecOps team integrates dozens of open-source libraries into their application. They want automated alerts when a newly disclosed vulnerability affects any of those dependencies. Which application security technique directly addresses this?

A. Static analysis B. Package monitoring C. Dynamic analysis D. Fuzzing

Question 8

A medical facility's vulnerability scan identifies a critical flaw in a legacy imaging device that cannot be patched without voiding its FDA certification. The security team isolates the device on a dedicated VLAN. What remediation approach is being applied?

A. Full patching B. Risk transfer through insurance C. Compensating control with a documented exception D. Rescanning to validate remediation

Question 9

After patching 12 critical vulnerabilities from last month's scan, the compliance manager requests documented evidence that the findings are resolved. What is the MOST appropriate next step?

A. Archive the original scan report B. Submit patch notes to the change management system C. Rescan the patched systems to validate remediation D. Issue a risk acceptance memo for remaining findings

Question 10

A vulnerability carries a CVSS base score of 8.9 but affects a system that is air-gapped with no network connectivity. Which analysis factor allows the analyst to adjust the effective risk rating for the organization's environment?