CompTIA Security+ Practice Test of the Day 260505

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 3.2 (Given a scenario, apply security principles to secure enterprise infrastructure) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260505

10 questions • Single best answer

Question 1

A network security engineer at a regional hospital is redesigning the network to better isolate medical devices from general office traffic. The engineer wants to ensure that if an attacker compromises a workstation in the administrative zone, they cannot directly reach devices in the clinical zone. Which concept BEST describes the strategy being implemented?

A. Security zone segmentation B. Attack surface reduction C. Fail-closed configuration D. Software-defined networking (SDN)

Question 2

A security administrator is configuring an inline IPS appliance positioned between the internet and the company's internal network. The organization explicitly prioritizes preventing unauthorized access over maintaining service continuity. If the IPS appliance experiences a hardware failure, which failure mode should the administrator configure?

A. Fail-open, so traffic continues to flow uninterrupted during the outage B. Fail-closed, so all traffic is blocked until the appliance is restored C. Active-passive clustering, so a standby unit takes over automatically D. Tap mode, so traffic is mirrored to a secondary monitoring device

Question 3

An analyst in a SOC observes that the company's security system is generating alerts for suspicious port scanning activity originating from an external IP address, but no traffic is being automatically blocked. The analyst confirms the device receives traffic via a network tap rather than being placed in the direct traffic path. Which type of device is MOST likely generating these alerts?

A. Next-generation firewall (NGFW) configured at Layer 7 B. Intrusion prevention system (IPS) operating in inline mode C. Intrusion detection system (IDS) operating in passive mode D. Unified threat management (UTM) appliance

Question 4

A financial institution's security team must perform routine administrative tasks on servers located in a highly restricted network segment that is logically isolated from the general corporate environment. Direct connections from standard employee workstations to these servers are prohibited by policy. Which appliance should the team deploy to provide controlled, auditable access to the restricted segment?

A. Load balancer B. Proxy server C. Reverse proxy D. Jump server

Question 5

A penetration tester reports that a company's public-facing e-commerce site is vulnerable to cross-site scripting (XSS) and SQL injection attacks. The development team cannot patch the application until the next release cycle, which is several weeks away. Which security control would BEST protect the application from these specific attacks in the interim?

A. Web application firewall (WAF) B. Next-generation firewall (NGFW) C. Intrusion prevention system (IPS) D. Unified threat management (UTM)

Question 6

A university's IT department discovers that any device can connect to the campus wired network simply by plugging into an Ethernet jack. The department wants to implement a standard that requires both users and devices to authenticate before the switch port grants network access. Which technology should be deployed to enforce this requirement?

A. MAC address filtering with a static allow list B. 802.1X port-based Network Access Control C. Network segmentation using VLANs D. IPSec enforcement at the network gateway

Question 7

A company's remote workforce requires secure, encrypted access to internal file servers and business applications over the public internet. The security team mandates that both user identity and device health be verified before access is granted, and all transmitted data must be protected in transit. Which solution BEST meets these requirements?

A. SSH tunneling configured for individual application services B. SD-WAN with QoS prioritization for remote endpoints C. TLS-based remote access VPN with device authentication D. SASE with cloud-delivered policy enforcement

Question 8

The CISO of a retail chain with 50 branch locations wants to replace the company's costly MPLS-based WAN. The new solution must support dynamic path selection across multiple internet connections at each branch, reduce dependence on routing all traffic through a central data center, and integrate security inspection locally at branch sites. Which technology BEST meets these requirements?

A. Hub-and-spoke site-to-site IPSec VPN over the internet B. Secure access service edge (SASE) C. MPLS with dedicated firewall appliances added at each branch D. Software-defined wide area network (SD-WAN)

Question 9

A small manufacturing company with limited IT staff needs to replace several aging point solutions — including a stateful firewall, a gateway antivirus scanner, an IDS/IPS, and a web content filter — with a single consolidated appliance. Budget constraints make deploying and managing multiple dedicated devices impractical. Which type of appliance is designed specifically for this consolidation scenario?

A. Next-generation firewall (NGFW) B. Web application firewall (WAF) C. Network-based intrusion prevention system (NIPS) D. Unified threat management (UTM)

Question 10

A security team wants to inspect all outbound web traffic from internal employees to the internet, enforce acceptable use policies, block access to known malicious domains, and reduce bandwidth consumption by caching frequently accessed web content. No management of inbound traffic from external clients is required. Which device BEST meets all of these requirements?