CompTIA Security+ Practice Test of the Day 072525

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.3 (Explain various activities associated with vulnerability management) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 072525

10 questions • Single best answer

Question 1

A vulnerability scanner reports a critical remote code execution flaw on a public-facing web server. The security team investigates and confirms the service flagged is not actually running on that server. The scanner detected the service based on banner information that was not updated after a reconfiguration. Which analysis outcome does this represent?

A. False negative B. True positive C. False positive D. True negative

Question 2

A security engineer scores a newly discovered vulnerability and finds it has a CVSS base score of 9.8. The system it affects processes only internal test data, has no internet exposure, and existing network controls limit lateral movement. After factoring in the environment, which vulnerability management action is MOST appropriate?

A. Patch immediately based on the CVSS base score alone B. Adjust the priority downward based on environmental variables C. Document an exception since the score is above 9.0 D. Transfer the risk to a cyber insurance policy

Question 3

A penetration tester is hired to identify exploitable weaknesses in a bank's public-facing applications. While testing, she discovers a critical authentication bypass vulnerability and submits a detailed report to the bank's security team before the engagement ends. Which responsible disclosure mechanism does this represent?

A. Bug bounty program B. CVE submission C. Penetration testing with responsible disclosure D. Threat intelligence sharing

Question 4

An organization cannot immediately apply a vendor patch for a critical vulnerability in a legacy system due to a maintenance window restriction. The security team blocks external access to the affected port via firewall rules as a temporary measure. Which vulnerability remediation approach is being used?

A. Patching B. Segmentation C. Compensating control D. Exception

Question 5

A security team subscribes to a commercial feed that provides daily updates on newly discovered vulnerabilities, active exploits, and threat actor campaigns targeting their industry sector. Which vulnerability identification method is being used?

A. Penetration testing B. System audit C. Proprietary or third-party threat feed D. OSINT

Question 6

After applying a patch to address a high-severity vulnerability, the security team runs the same vulnerability scanner used in the original assessment against the patched system. The scan returns no finding for the previously identified vulnerability. Which step in the vulnerability management process does this represent?

A. Analysis B. Identification C. Validation of remediation D. Reporting

Question 7

A security tool automatically scans source code in a development repository each time a developer commits a change and flags functions known to be vulnerable, such as deprecated string handling calls. Which application security identification method does this represent?

A. Dynamic analysis B. Package monitoring C. Static analysis D. Penetration testing

Question 8

A vulnerability assessment report assigns each finding a score based on the percentage of asset value that would be lost if a specific threat successfully exploited the vulnerability. Which scoring concept does this represent?

A. CVSS base score B. Risk tolerance C. Exposure factor D. Industry impact

Question 9

A security researcher discovers a zero-day vulnerability in a widely used open-source library. She contacts the library's maintainers privately, gives them 90 days to release a patch, and publishes the technical details publicly only after the patch is released. Which program type formalizes this kind of coordinated disclosure with potential financial rewards?

A. CVE program B. Bug bounty program C. Threat intelligence sharing D. OSINT aggregation

Question 10

A risk manager reviews a vulnerability assessment and finds a critical finding on a server that processes only non-sensitive test data in an isolated lab environment. She documents that the organization will accept the risk, will not patch, and will revisit at the next quarterly review. Which vulnerability response option does this represent?