CompTIA Security+ Practice Test of the Day 260505

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 3.2 (Given a scenario, apply security principles to secure enterprise infrastructure) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260505

10 questions • Single best answer

Question 1

A network security engineer redesigning a hospital network wants to ensure that if an attacker compromises a workstation in the administrative zone, they cannot directly reach devices in the clinical zone. Which concept BEST describes this strategy?

A. Security zone segmentation B. Attack surface reduction C. Fail-closed configuration D. Software-defined networking (SDN)

Question 2

A security administrator is configuring an inline IPS appliance positioned between the internet and the company's internal network. The organization explicitly prioritizes preventing unauthorized access over maintaining service continuity. If the IPS appliance experiences a hardware failure, which failure mode should the administrator configure?

A. Fail-open, so traffic continues to flow uninterrupted during the outage B. Fail-closed, so all traffic is blocked until the appliance is restored C. Active-passive clustering, so a standby unit takes over automatically D. Tap mode, so traffic is mirrored to a secondary monitoring device

Question 3

A SOC analyst observes a security device generating alerts for suspicious port scanning but not blocking any traffic. The device receives traffic via a network tap, not inline. Which device type is MOST likely generating these alerts?

A. Next-generation firewall (NGFW) configured at Layer 7 B. Intrusion prevention system (IPS) operating in inline mode C. Intrusion detection system (IDS) operating in passive mode D. Unified threat management (UTM) appliance

Question 4

A financial institution's security team must perform administrative tasks on servers in a highly restricted, logically isolated network segment. Direct connections from standard workstations to these servers are prohibited by policy. Which appliance should be deployed to provide controlled, auditable access?

A. Load balancer B. Proxy server C. Reverse proxy D. Jump server

Question 5

A penetration tester reports a company's public-facing e-commerce site is vulnerable to XSS and SQL injection. The development team cannot patch the application until the next release cycle several weeks away. Which security control BEST protects the application from these attacks in the interim?

A. Web application firewall (WAF) B. Next-generation firewall (NGFW) C. Intrusion prevention system (IPS) D. Unified threat management (UTM)

Question 6

A university's IT department discovers that any device can connect to the campus wired network by plugging into an Ethernet jack. They want to require both users and devices to authenticate before the switch port grants network access. Which technology should be deployed?

A. MAC address filtering with a static allow list B. 802.1X port-based Network Access Control C. Network segmentation using VLANs D. IPSec enforcement at the network gateway

Question 7

A company's remote workforce needs secure, encrypted access to internal file servers and applications over the public internet. Both user identity and device health must be verified before access is granted, and all transmitted data must be protected in transit. Which solution BEST meets these requirements?

A. SSH tunneling configured for individual application services B. SD-WAN with QoS prioritization for remote endpoints C. TLS-based remote access VPN with device authentication D. SASE with cloud-delivered policy enforcement

Question 8

A retail chain CISO wants to replace a costly MPLS-based WAN. The solution must support dynamic path selection across multiple internet connections per branch, reduce dependence on central data center routing, and integrate local security inspection at branch sites. Which technology BEST meets these requirements?

A. Hub-and-spoke site-to-site IPSec VPN over the internet B. Secure access service edge (SASE) C. MPLS with dedicated firewall appliances added at each branch D. Software-defined wide area network (SD-WAN)

Question 9

A small manufacturing company with limited IT staff needs to replace a stateful firewall, gateway antivirus, IDS/IPS, and web content filter with a single consolidated appliance. Budget constraints make managing multiple dedicated devices impractical. Which appliance type is designed for this consolidation?

A. Next-generation firewall (NGFW) B. Web application firewall (WAF) C. Network-based intrusion prevention system (NIPS) D. Unified threat management (UTM)

Question 10

A security team wants to inspect all outbound web traffic from internal employees, enforce acceptable use policies, block known malicious domains, and cache frequently accessed content to reduce bandwidth. No management of inbound traffic is required. Which device BEST meets all of these requirements?