CompTIA Security+ Practice Test of the Day 070225

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on subdomain 4.3 (Explain various activities associated with vulnerability management) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 070225

10 questions • Single best answer

Question 1

A vulnerability scanner reports a critical finding on a web server. The analyst manually verifies that the vulnerable software version is installed and is accessible from the network with no mitigating controls in place. What type of scan result is this?

A. False positive B. False negative C. True positive D. Compensating control finding

Question 2

A vulnerability scan detects a critical flaw in a legacy ICS system used on the factory floor. The vendor no longer supports the system and patching would void its operational certification. The security team places the system on an isolated VLAN with strict firewall rules permitting only required traffic. What vulnerability response strategy is this?

A. Patching B. Risk acceptance with documentation C. Vulnerability exception D. Segmentation as a compensating control

Question 3

An organization offers monetary rewards to independent security researchers who responsibly disclose vulnerabilities in the company's public-facing applications. Researchers submit findings through a dedicated portal, and the security team validates and remediates before public disclosure. What type of program is this?

A. Penetration testing engagement B. Information-sharing organization C. Bug bounty program D. Threat intelligence subscription

Question 4

A vulnerability is assigned a CVSS base score of 9.8. Across hundreds of findings in this month's scan report, the security team must determine remediation priority. What does the CVSS score PRIMARILY indicate in this context?

A. The vulnerability has been actively exploited in the wild B. The vulnerability has been patched by the vendor C. The severity of the vulnerability based on standardized scoring criteria, suggesting it warrants urgent attention D. The vulnerability affects all operating systems equally

Question 5

A critical vulnerability finding on a web server was logged six weeks ago. The server was patched three weeks ago. To confirm the remediation was successful and the finding is no longer valid, what action should the analyst take?

A. Mark the finding as a false positive B. Grant a formal exception for the finding C. Apply a compensating control pending the next scheduled scan D. Rescan the system to validate the vulnerability is no longer present

Question 6

A threat intelligence analyst discovers the organization's VPN credentials listed for sale on an underground cybercriminal forum. What type of threat intelligence source enabled this discovery?

A. Open-source intelligence (OSINT) B. Information-sharing organization feed C. Dark web monitoring D. Proprietary vendor threat intelligence

Question 7

A vulnerability scan reports a critical finding on a server located in an air-gapped test lab with no connection to production or external networks. The security team decides not to patch due to the isolated environment. What vulnerability management response does this represent?

A. Compensating control implementation B. Risk mitigation through patching C. Segmentation D. Exception or exemption based on environmental context

Question 8

A security testing tool executes a web application in a staging environment, automatically sending thousands of malformed inputs, unexpected data types, and boundary values to application endpoints to identify crashes and unexpected behavior. What type of application security testing is this?

A. Static code analysis B. Package monitoring C. Dynamic analysis D. Manual code review

Question 9

A penetration tester uses tools such as search engines, LinkedIn, and publicly available DNS records to gather information about a target organization's employees, technology stack, and external IP ranges without sending any packets directly to the target. What reconnaissance technique is this?

A. Active reconnaissance B. Network enumeration C. Passive reconnaissance via OSINT D. Social engineering

Question 10

A vulnerability report provides findings ranked by exposure factor, industry impact, environmental variables, and CVSS scores to help the security team focus limited resources on the most organizationally relevant risks first. What vulnerability reporting concept drives this approach?

A. CVE enumeration B. Responsible disclosure compliance C. Vulnerability prioritization D. Bug bounty program management

Take more CompTIA Security+ practice tests

CompTIA Security+ Practice Test of the Day 070225

Related Posts