CompTIA Security+ Practice Test of the Day 260508

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 4.1 (Given a scenario, apply common security techniques to computing resources) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260508

10 questions • Single best answer

Question 1

A security engineer building a cloud-hosted application platform must ensure all instances adhere to the organization's minimum security requirements from the moment they are provisioned. Management wants a repeatable, consistent approach across all deployments. What should the engineer do FIRST?

A. Configure a SIEM to alert when systems deviate from expected configurations B. Establish a secure baseline configuration and automate its deployment to all instances C. Implement network segmentation to isolate newly provisioned systems D. Enable host-based firewalls on all deployed systems as a standalone control

Question 2

A security analyst discovers dozens of IoT sensors recently added to a manufacturing plant's production floor are still using factory-default credentials and have no patch management process in place. Which hardening action addresses the MOST critical vulnerabilities?

A. Implement WPA3 encryption on the wireless network used by the sensors B. Deploy a network access control (NAC) solution to quarantine unregistered devices C. Change default credentials on all IoT devices and establish a patch management process D. Place all IoT devices behind a unified threat management (UTM) appliance

Question 3

Employees at a hybrid organization use personal smartphones to access corporate email and cloud storage. The security team cannot enforce policies on unowned devices, but the CISO wants control over work applications without requiring corporate device ownership. Which mobile deployment model BEST fits this?

A. Corporate-owned, personally enabled (COPE) B. Choose your own device (CYOD) C. Bring your own device (BYOD) with MDM enrollment D. Company-issued devices with full-disk encryption enforced by policy

Question 4

A law firm's network administrator is replacing WPA2-Personal, which relies on a shared passphrase vulnerable to offline dictionary attacks. The administrator is evaluating WPA3 to improve authentication strength. Which WPA3 feature provides the MOST significant security improvement over WPA2-Personal?

A. TKIP-based encryption replacing AES to support legacy client devices B. Simultaneous Authentication of Equals (SAE) replacing the Pre-Shared Key handshake C. 802.1X port-based authentication integrated with a RADIUS server D. WEP compatibility mode enabled for older wireless adapters

Question 5

Attackers have been distributing tampered versions of tools similar to one a cybersecurity firm distributes to customers. The development team wants customers to verify the authenticity and integrity of the software before installation. Which application security control BEST addresses this requirement?

A. Static code analysis integrated into the CI/CD pipeline B. Code signing using a trusted digital certificate C. Input validation applied to all runtime data processed by the tool D. Sandboxing the tool's execution in an isolated container on the customer's system

Question 6

A water treatment facility is integrating ICS with a plant management network. A security assessment finds the ICS components run proprietary firmware that cannot receive OS patches. Which combination of compensating controls BEST mitigates the risk from these unpatched systems?

A. Deploy antivirus software on all ICS controllers and enable automatic signature updates B. Implement network segmentation and application allow listing to restrict ICS communications C. Migrate ICS workloads to a cloud platform with managed patch and update services D. Enable WPA3 on all wireless interfaces used by ICS sensors to encrypt data in transit

Question 7

A penetration tester demonstrates that session tokens in a banking app's cookies can be read by injected JavaScript, enabling XSS-based session hijacking. The development team needs an immediate fix that prevents client-side scripts from accessing cookie values. Which control BEST addresses this?

A. Implement a Content Security Policy (CSP) header to restrict script execution sources B. Apply the HttpOnly attribute to all session cookies C. Set the SameSite=Strict attribute on session cookies D. Enforce server-side input validation on all form submissions

Question 8

A SOC team receives a suspicious executable as an email attachment. They need to observe its runtime behavior — network connections, registry changes, and files created — without exposing production systems. Which technique BEST supports safe analysis?

A. Run the executable on a spare workstation isolated by physically unplugging its Ethernet cable B. Execute the file in a sandboxed environment designed to monitor and contain runtime behavior C. Upload the file to a public antivirus scanning platform for multi-engine signature analysis D. Detonate the file on a virtual machine connected to the production network to observe real interactions

Question 9

A network engineer reviewing layer-2 switching infrastructure finds all ports are on VLAN 1, management interfaces use Telnet instead of SSH, and many unused ports are enabled. Which hardening action addresses the GREATEST security risk and should be prioritized first?

A. Disable all unused switch ports to prevent unauthorized physical device connections B. Disable Telnet and enable SSH for all switch management interfaces C. Reassign all ports from the default VLAN 1 to purpose-specific VLANs D. Enable Spanning Tree Protocol (STP) PortFast on access-layer switch ports

Question 10

A security team managing 500 workstations needs real-time visibility to detect configuration drift, identify unauthorized software, and capture host-based events for investigation — all simultaneously. Which monitoring approach BEST satisfies all three requirements?

A. Deploy a SIEM that aggregates firewall and perimeter network device logs from all three locations B. Implement endpoint agents that continuously monitor host behavior and forward events to a centralized security platform C. Conduct monthly manual audits of a randomly selected sample of workstations for compliance verification D. Enable Windows Event Logging locally on all workstations without forwarding logs to a centralized collector