SY0-701 Exam Study Guide Free Practice Test LAST UPDATED DATE Mar 24, 2026 [Q251-Q269]

CompTIA SY0-701 Exam Syllabus Topics:

Topic / Details
Topic 1
  • General Security Concepts: This topic covers various types of security controls, fundamental security concepts, the importance of change management processes in security, and the significance of using suitable cryptographic solutions.
Topic 2
  • Security Architecture: Here, you'll learn about security implications across different architecture models, applying security principles to secure enterprise infrastructure in scenarios, and comparing data protection concepts and strategies. The topic also delves into the importance of resilience and recovery in security architecture.
Topic 3
  • Threats, Vulnerabilities, and Mitigations: In this topic, you'll find discussions comparing threat actors and motivations, explaining common threat vectors and attack surfaces, and outlining different types of vulnerabilities. Moreover, the topic focuses on analyzing indicators of malicious activity in scenarios and exploring mitigation techniques used to secure enterprises against threats.
Topic 4
  • Security Operations: This topic delves into applying common security techniques to computing resources, addressing security implications of proper hardware, software, and data asset management, managing vulnerabilities effectively, and explaining security alerting and monitoring concepts. It also discusses enhancing enterprise capabilities for security, implementing identity and access management, and utilizing automation and orchestration for secure operations.
Topic 5
  • Security Program Management and Oversight: Finally, this topic discusses elements of effective security governance, the risk management process, third-party risk assessment, and management processes. Additionally, the topic focuses on security compliance requirements, types and purposes of audits and assessments, and implementing security awareness practices in various scenarios.


NEW QUESTION # 251
Which of the following would best ensure a controlled version release of a new software application?

  • A. Business continuity planning
  • B. Quantified risk analysis
  • C. Static code analysis
  • D. Change management procedures

Answer: D

Explanation:
Change management procedures establish formal processes for planning, approving, testing, and documenting software releases, ensuring new versions are deployed in a controlled, auditable manner.


NEW QUESTION # 252
Which of the following is the most likely to be included as an element of communication in a security awareness program?

  • A. Performing social engineering as part of third-party penetration testing
  • B. Reporting phishing attempts or other suspicious activities
  • C. Verifying information when modifying wire transfer data
  • D. Detecting insider threats using anomalous behavior recognition

Answer: B

Explanation:
A security awareness program is a set of activities and initiatives that aim to educate and inform the users and employees of an organization about the security policies, procedures, and best practices. A security awareness program can help to reduce the human factor in security risks, such as social engineering, phishing, malware, data breaches, and insider threats. A security awareness program should include various elements of communication, such as newsletters, posters, videos, webinars, quizzes, games, simulations, and feedback mechanisms, to deliver the security messages and reinforce the security culture. One of the most likely elements of communication to be included in a security awareness program is reporting phishing attempts or other suspicious activities, as this can help to raise the awareness of the users and employees about the common types of cyberattacks and how to respond to them. Reporting phishing attempts or other suspicious activities can also help to alert the security team and enable them to take appropriate actions to prevent or mitigate the impact of the attacks. Therefore, this is the best answer among the given options.
The other options are not as likely to be included as elements of communication in a security awareness program, because they are either technical or operational tasks that are not directly related to the security awareness of the users and employees. Detecting insider threats using anomalous behavior recognition is a technical task that involves using security tools or systems to monitor and analyze the activities and behaviors of the users and employees and identify any deviations or anomalies that may indicate malicious or unauthorized actions. This task is usually performed by the security team or the security operations center, and it does not require the communication or participation of the users and employees. Verifying information when modifying wire transfer data is an operational task that involves using verification methods, such as phone calls, emails, or digital signatures, to confirm the authenticity and accuracy of the information related to wire transfers, such as the account number, the amount, or the recipient. This task is usually performed by the financial or accounting department, and it does not involve the security awareness of the users and employees. Performing social engineering as part of third-party penetration testing is a technical task that involves using deception or manipulation techniques, such as phishing, vishing, or impersonation, to test the security posture and the vulnerability of the users and employees to social engineering attacks. This task is usually performed by external security professionals or consultants, and it does not require the communication or consent of the users and employees. Therefore, these options are not the best answer for this question. Reference = Security Awareness and Training - CompTIA Security+ SY0-701: 5.2, video at 0:00; CompTIA Security+ SY0-701 Certification Study Guide, page 263.


NEW QUESTION # 253
A company implemented an MDM policy to mitigate risks after repeated instances of employees losing company-provided mobile phones. In several cases, the lost phones were used maliciously to perform social engineering attacks against other employees. Which of the following MDM features should be configured to best address this issue? (Select two).

  • A. Geolocation
  • B. Remote wipe
  • C. Application management
  • D. Push notifications
  • E. Full device encryption
  • F. Screen locks

Answer: B,F

Explanation:
Screen locks and remote wipe directly address the risk in the scenario. A screen lock keeps whoever finds or takes a lost phone from using it immediately, and remote wipe lets the company erase the device once the loss is reported, so its email, messaging, and contact data can no longer be used to impersonate the employee in social engineering attacks against coworkers. Geolocation, application management, push notifications, and full device encryption can support an MDM program, but none of them stops an unlocked, unwiped phone from being used this way.
Reference =
CompTIA Security+ SY0-701 Course Content: Domain 05 Security Program Management and Oversight.
CompTIA Security+ SY0-601 Study Guide: Chapter on Identity and Access Management.


NEW QUESTION # 254
An external vendor recently visited a company's headquarters for a presentation. Following the visit, a member of the hosting team found a file that the external vendor left behind on a server. The file contained detailed architecture information and code snippets. Which of the following data types best describes this file?

  • A. Public
  • B. Proprietary
  • C. Government
  • D. Critical

Answer: B

Explanation:
The file left by the external vendor, containing detailed architecture information and code snippets, is best described as proprietary data. Proprietary data is information that is owned by a company and is essential to its competitive advantage. It includes sensitive business information such as trade secrets, intellectual property, and confidential data that should be protected from unauthorized access.
Reference = CompTIA Security+ SY0-701 study materials, particularly in the domain of data classification and protection.


NEW QUESTION # 255
Which of the following control types describes an alert from a SIEM tool?

  • A. Corrective
  • B. Preventive
  • C. Detective
  • D. Compensating

Answer: C

Explanation:
A SIEM alert is a detective control because it identifies and reports suspicious or malicious activity after it occurs, enabling further investigation and response.


NEW QUESTION # 256
A company's security team is reviewing its business continuity plan and must determine the amount of time needed for operations to resume after a disaster. Which of the following describes the time frame the security team is trying to determine?

  • A. Recovery time objective
  • B. Mean time between failures
  • C. Mean time to repair
  • D. Recovery point objective

Answer: A

Explanation:
RTO is the maximum acceptable downtime: the target window within which systems and operations must be restored after a disruption. When the team asks "how long until we're back up?", they're defining the RTO.


NEW QUESTION # 257
During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization's network. Which of the following fulfills this request?

  • A. access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
  • B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
  • C. access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
  • D. access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32

Answer: B


NEW QUESTION # 258
An employee in the accounting department receives an email containing a demand for payment for services performed by a vendor. However, the vendor is not in the vendor management database. Which of the following is this scenario an example of?

  • A. Impersonation
  • B. Ransomware
  • C. Pretexting
  • D. Invoice scam

Answer: D

Explanation:
The scenario describes an instance where an employee receives a fraudulent invoice from a vendor that is not recognized in the company's vendor management system. This is a classic example of an invoice scam, where attackers attempt to trick organizations into making payments for fake or non-existent services. These scams often rely on social engineering tactics to bypass financial controls.


NEW QUESTION # 259
While a school district is performing state testing, a security analyst notices all internet services are unavailable. The analyst discovers that ARP poisoning is occurring on the network and then terminates access for the host. Which of the following is most likely responsible for this malicious activity?

  • A. Shadow IT
  • B. Credential stuffing
  • C. Unskilled attacker
  • D. DMARC failure

Answer: C

Explanation:
ARP poisoning (also known as ARP spoofing) is a basic man-in-the-middle (MITM) attack that involves sending fake ARP responses to redirect traffic. This technique is not sophisticated and can be easily executed using freely available tools like Cain & Abel, Ettercap, or Wireshark.
Such attacks are often attempted by unskilled attackers (script kiddies) testing their abilities, especially in environments like schools. The term "unskilled attacker" fits best here, as credential stuffing and DMARC are unrelated to ARP poisoning.


NEW QUESTION # 260
Since a recent upgrade to a WLAN infrastructure, several mobile users have been unable to access the internet from the lobby. The networking team performs a heat map survey of the building and finds several WAPs in the area. The WAPs are using similar frequencies with high power settings. Which of the following installation considerations should the security team evaluate next?

  • A. New WLAN deployment
  • B. Channel overlap
  • C. Encryption type
  • D. WAP placement

Answer: B


NEW QUESTION # 261
An administrator at a small business notices an increase in support calls from employees who receive a blocked page message after trying to navigate to a spoofed website. Which of the following should the administrator do?

  • A. Implement security awareness training.
  • B. Deploy multifactor authentication.
  • C. Decrease the level of the web filter settings.
  • D. Update the acceptable use policy.

Answer: A

Explanation:
In this scenario, employees are attempting to navigate to spoofed websites, which is being blocked by the web filter. To address this issue, the administrator should implement security awareness training. Training helps employees recognize phishing and other social engineering attacks, reducing the likelihood that they will attempt to access malicious websites in the future.
* Deploying multifactor authentication (MFA) would strengthen authentication but does not directly address user behavior related to phishing websites.
* Decreasing the level of the web filter would expose the organization to more threats.
* Updating the acceptable use policy may clarify guidelines but is not as effective as hands-on training for improving user behavior.


NEW QUESTION # 262
A systems administrator needs to provide traveling employees with a security measure that will protect company devices regardless of where they are working. Which of the following should the administrator implement?

  • A. Segmentation
  • B. ACL
  • C. Isolation
  • D. HIPS

Answer: D

Explanation:
A Host-based Intrusion Prevention System (HIPS) runs directly on each device, monitoring and blocking malicious activity locally, ensuring protection regardless of the network the traveling employee uses.


NEW QUESTION # 263
Which of the following would be the best way to block unknown programs from executing?

  • A. DLP solution
  • B. Access control list
  • C. Application allow list
  • D. Host-based firewall

Answer: C

Explanation:
An application allow list is a security technique that specifies which applications are permitted to run on a system or a network. An application allow list can block unknown programs from executing by only allowing the execution of programs that are explicitly authorized and verified. An application allow list can prevent malware, unauthorized software, or unwanted applications from running and compromising the security of the system or the network [1][2].
The other options are not the best ways to block unknown programs from executing:
Access control list: This is a security technique that specifies which users or groups are granted or denied access to a resource or an object. An access control list can control the permissions and privileges of users or groups, but it does not directly block unknown programs from executing [1][3].
Host-based firewall: This is a security device that monitors and filters the incoming and outgoing network traffic on a single host or system. A host-based firewall can block or allow network connections based on predefined rules, but it does not directly block unknown programs from executing [1][4].
DLP solution: This is a security system that detects and prevents the unauthorized transmission or leakage of sensitive data. A DLP solution can protect the confidentiality and integrity of data, but it does not directly block unknown programs from executing [1][5].
Reference = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 97; 2: Application Whitelisting - CompTIA Security+ SY0-701 - 3.5, video by Professor Messer; 3: CompTIA Security+ SY0-701 Certification Study Guide, page 98; 4: CompTIA Security+ SY0-701 Certification Study Guide, page 99; 5: CompTIA Security+ SY0-701 Certification Study Guide, page 100.


NEW QUESTION # 264
A security analyst wants to automate a task that shares data between systems. Which of the following is the best option for the analyst to use?

  • A. RDP
  • B. SFTP
  • C. SOAR
  • D. API

Answer: D

Explanation:
An API (D), or Application Programming Interface, is the best option when you want to automate data exchange between systems. APIs provide structured, secure, and efficient ways for systems to communicate and are widely used in automation and orchestration tasks.
* SOAR (C) is used for broader security orchestration and may use APIs under the hood, but it is more complex.
* SFTP (B) is for manual/automated file transfers.
* RDP (A) is for remote desktop access, not data automation.
This is referenced in Domain 1.5: Explain the importance of automation and orchestration in cybersecurity, under "Application programming interfaces (APIs)."


NEW QUESTION # 265
While troubleshooting a firewall configuration, a technician determines that a "deny any" policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable.
Which of the following actions would prevent this issue?

  • A. Testing the policy in a non-production environment before enabling the policy in the production network
  • B. Including an 'allow any' policy above the 'deny any' policy
  • C. Documenting the new policy in a change request and submitting the request to change management
  • D. Disabling any intrusion prevention signatures on the 'deny any' policy prior to enabling the new policy

Answer: A

Explanation:
A firewall policy is a set of rules that defines what traffic is allowed or denied on a network. A firewall policy should be carefully designed and tested before being implemented, as a misconfigured policy can cause network disruptions or security breaches. A common best practice is to test the policy in a non-production environment, such as a lab or a simulation, before enabling the policy in the production network. This way, the technician can verify the functionality and performance of the policy, and identify and resolve any issues or conflicts, without affecting the live network. Testing the policy in a non-production environment would prevent the issue of the 'deny any' policy causing several company servers to become unreachable, as the technician would be able to detect and correct the problem before applying the policy to the production network.
Documenting the new policy in a change request and submitting the request to change management is a good practice, but it would not prevent the issue by itself. Change management is a process that ensures that any changes to the network are authorized, documented, and communicated, but it does not guarantee that the changes are error-free or functional. The technician still needs to test the policy before implementing it.
Disabling any intrusion prevention signatures on the 'deny any' policy prior to enabling the new policy would not prevent the issue, and it could reduce the security of the network. Intrusion prevention signatures are patterns that identify malicious or unwanted traffic, and allow the firewall to block or alert on such traffic.
Disabling these signatures would make the firewall less effective in detecting and preventing attacks, and it would not affect the reachability of the company servers.
Including an 'allow any' policy above the 'deny any' policy would not prevent the issue, and it would render the 'deny any' policy useless. A firewall policy is processed from top to bottom, and the first matching rule is applied. An 'allow any' policy would match any traffic and allow it to pass through the firewall, regardless of the source, destination, or protocol. This would negate the purpose of the 'deny any' policy, which is to block any traffic that does not match any of the previous rules. Moreover, an 'allow any' policy would create a security risk, as it would allow any unauthorized or malicious traffic to enter or exit the network. References = CompTIA Security+ SY0-701 Certification Study Guide, page 204-205; Professor Messer's CompTIA SY0-701 Security+ Training Course, video 2.1 - Network Security Devices, 8:00 - 10:00.
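The rule from question 257 and the top-to-bottom, first-match processing described in question 265 can be exercised with a small evaluator. This is an added example, not code from the study guide: it parses rules written in the question's `access-list <name> <permit|deny> ip source <cidr> destination <cidr>` form, applies the implicit deny at the end of the list, and reports rules that an earlier rule has made unreachable, which is the kind of defect a non-production test should surface before a 'deny any' reaches the live firewall. The web server 192.0.2.10 and the client addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                    # original line, kept for reporting


def parse_rule(line: str) -> Rule:
    """Parse one rule in the question's form:
    access-list <name> <permit|deny> ip source <cidr> destination <cidr>"""
    p = line.split()
    if (len(p) != 8 or p[0] != "access-list" or p[3] != "ip"
            or p[4] != "source" or p[6] != "destination"):
        raise ValueError(f"unrecognised rule syntax: {line!r}")
    if p[2] not in ("permit", "deny"):
        raise ValueError(f"unknown action {p[2]!r} in {line!r}")
    return Rule(p[2], ipaddress.IPv4Network(p[5]), ipaddress.IPv4Network(p[7]), line)


def evaluate(rules, src_ip: str, dst_ip: str):
    """Walk the ACL top to bottom; the first rule matching both source and
    destination decides. If nothing matches, the implicit deny applies."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.text
    return "deny", "<implicit deny at end of ACL>"


def shadowed_rules(rules):
    """Rules that can never fire because a single earlier rule already covers
    every source and destination they match. (Coverage split across several
    earlier rules is not detected.) An 'allow any' above 'deny any' shows up here."""
    hidden = []
    for i, later in enumerate(rules):
        if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
               for e in rules[:i]):
            hidden.append(later.text)
    return hidden


# Rule B from question 257, plus constructed rules for a web server at the
# documentation address 192.0.2.10 and the explicit 'deny any' from question 265.
BLOCK_ATTACKER = "access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0"
ALLOW_WEB = "access-list inbound permit ip source 0.0.0.0/0 destination 192.0.2.10/32"
DENY_ANY = "access-list inbound deny ip source 0.0.0.0/0 destination 0.0.0.0/0"
ALLOW_ANY = "access-list inbound permit ip source 0.0.0.0/0 destination 0.0.0.0/0"


def good_acl():
    return [parse_rule(line) for line in (BLOCK_ATTACKER, ALLOW_WEB, DENY_ANY)]


def bad_acl():
    # 'allow any' placed above 'deny any': option B in question 265.
    return [parse_rule(line) for line in (BLOCK_ATTACKER, ALLOW_ANY, DENY_ANY)]


if __name__ == "__main__":
    print(evaluate(good_acl(), "10.1.4.9", "192.0.2.10"))      # ('deny', BLOCK_ATTACKER)
    print(evaluate(good_acl(), "198.51.100.7", "192.0.2.10"))  # ('permit', ALLOW_WEB)
    print(evaluate(good_acl(), "198.51.100.7", "192.0.2.11"))  # ('deny', DENY_ANY): no permit rule for this server
    print(shadowed_rules(bad_acl()))                            # [DENY_ANY]
```

The third call shows why the technician's servers went dark: any server without an explicit permit above the 'deny any' is cut off, and the shadowing check is what a lab run of the policy makes visible before production.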


NEW QUESTION # 266
A company is changing its mobile device policy. The company has the following requirements:
  • Company-owned devices
  • Ability to harden the devices
  • Reduced security risk
  • Compatibility with company resources
Which of the following would best meet these requirements?

  • A. CYOD
  • B. COBO
  • C. COPE
  • D. BYOD

Answer: C

Explanation:
COPE (Corporate-Owned, Personally Enabled) devices allow companies to manage and harden company-owned devices while still enabling limited personal use, reducing security risks while maintaining compatibility with corporate resources. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section: "Mobile Device Deployment Models".


NEW QUESTION # 267
An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?

  • A. Inventory
  • B. Analysis
  • C. Compromise
  • D. Transfer
  • E. Retention

Answer: E

Explanation:
A data retention policy is a set of rules that defines how long data should be stored and when it should be deleted or archived. An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period by following the data retention policy of the organization. This policy helps the organization to comply with legal and regulatory requirements, optimize storage space, and protect data privacy and security.
Reference = CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 3, Section 3.4, page 121; CompTIA Security+ Practice Tests: Exam SY0-701, 3rd Edition, Chapter 3, Question 15, page 83.


NEW QUESTION # 268
A security analyst reviews domain activity logs and notices the following:

Which of the following is the best explanation for what the security analyst has discovered?

  • A. The user jsmith's account has been locked out.
  • B. An attacker is attempting to brute force jsmith's account.
  • C. Ransomware has been deployed in the domain.
  • D. A keylogger is installed on jsmith's workstation.

Answer: B

Explanation:
Brute force is a type of attack that tries to guess the password or other credentials of a user account by using a large number of possible combinations. An attacker can use automated tools or scripts to perform a brute force attack and gain unauthorized access to the account. The domain activity logs show that the user jsmith has failed to log in 10 times in a row within a short period of time, which is a strong indicator of a brute force attack. The logs also show that the source IP address of the failed logins is different from the usual IP address of jsmith, which suggests that the attacker is using a different device or location to launch the attack. The security analyst should take immediate action to block the attacker's IP address, reset jsmith's password, and notify jsmith of the incident. References = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 1, page 14. CompTIA Security+ (SY0-701) Certification Exam Objectives, Domain 1.1, page 2. Threat Actors and Attributes - SY0-601 CompTIA Security+ : 1.1
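The two indicators the explanation relies on (many failed logins for one account inside a short window, from a source address that account does not normally use) can be checked mechanically. The following is an added example and not part of the study guide; the log format, the 10-failure threshold, and all addresses are constructed assumptions, not the log from the question, which is not reproduced on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of domain authentication events: timestamp, result,
# account, source IP. jsmith normally logs in from 10.0.5.23; bjones mistypes
# a password once and then succeeds, which must not raise an alert.
BASE_EVENTS = [
    "2024-05-01T08:02:11 SUCCESS jsmith 10.0.5.23",
    "2024-05-01T08:41:09 SUCCESS jsmith 10.0.5.23",
    "2024-05-01T09:20:00 FAILURE bjones 10.0.5.40",
    "2024-05-01T09:20:30 SUCCESS bjones 10.0.5.40",
]
# Ten failures for jsmith within 18 seconds from an address never seen before.
ATTACK_EVENTS = [f"2024-05-01T09:15:{2 * i:02d} FAILURE jsmith 203.0.113.5"
                 for i in range(10)]
SAMPLE_LOG = BASE_EVENTS + ATTACK_EVENTS


def parse_events(lines):
    """Turn raw lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in lines:
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag an account once it accumulates `threshold` failed logins inside a
    sliding time `window`. Each finding also records whether the failing
    source IP has ever logged in successfully as that user; an unfamiliar
    address is the second indicator from the explanation above."""
    known_src = defaultdict(set)      # user -> IPs seen on successful logins
    recent_fail = defaultdict(deque)  # user -> timestamps of recent failures
    findings, alerted = [], set()
    for ts, result, user, src in events:
        if result == "SUCCESS":
            known_src[user].add(src)
            recent_fail[user].clear()  # a real login ends the failure streak
            continue
        q = recent_fail[user]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            findings.append({
                "user": user,
                "failures": len(q),
                "span_seconds": (q[-1] - q[0]).total_seconds(),
                "src": src,
                "src_is_new": src not in known_src[user],
            })
    return findings


def run_sample():
    return detect_bruteforce(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['user']}: {f['failures']} failures in {f['span_seconds']:.0f}s "
              f"from {f['src']} (unfamiliar source: {f['src_is_new']})")
```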

