1. A software engineer is creating a CI/CD pipeline to support the
development of a web application. The DevSecOps team is required
to identify syntax errors.
Which of the following is the most relevant to the DevSecOps team's
task?
A. Static application security testing
B. Software composition analysis
C. Runtime application self-protection
D. Web application vulnerability scanning
2. An organization is looking for gaps in its detection capabilities
based on the APTs that may target the industry.
Which of the following should the security analyst use to perform
threat modeling?
A. ATT&CK
B. OWASP
C. CAPEC
D. STRIDE
3. Recent reports indicate that a software tool is being exploited.
Attackers were able to bypass user access controls and load a
database. A security analyst needs to find the vulnerability and
recommend a mitigation.
The analyst generates the following output:
Which of the following would the analyst most likely recommend?
A. Installing appropriate EDR tools to block pass-the-hash attempts
B. Adding additional time to software development to perform fuzz testing
C. Removing hard-coded credentials from the source code
D. Not allowing users to change their local passwords
4. A company wants to install a three-tier approach to separate the
web, database, and application servers.
A security administrator must harden the environment. Which of the
following is the best solution?
A. Deploying a VPN to prevent remote locations from accessing server VLANs
B. Configuring a SASE solution to restrict users to server communication
C. Implementing microsegmentation on the server VLANs
D. Installing a firewall and making it the network core
5. A security architect wants to develop a baseline of security
configurations. These configurations will automatically be utilized
when a machine is created.
Which of the following technologies should the security architect
deploy to accomplish this goal?
A. Snort
B. CASB
C. Ansible
D. CMDB
6. A company updates its cloud-based services by saving
infrastructure code in a remote repository. The code is automatically
deployed into the development environment every time the code is
saved to the repository. The developers express concern that the
deployment often fails, citing minor code issues and occasional
security control check failures in the development environment.
Which of the following should a security engineer recommend to
reduce the deployment failures? (Select two).
A. Software composition analysis
B. Pre-commit code linting
C. Repository branch protection
D. Automated regression testing
E. Code submit authorization workflow
F. Pipeline compliance scanning
7. A financial technology firm works collaboratively with business
partners in the industry to share threat intelligence within a central
platform. This collaboration gives partner organizations the ability to
obtain and share data associated with emerging threats from a
variety of adversaries.
Which of the following should the organization most likely leverage
to facilitate this activity? (Select two).
A. CWPP
B. YARA
C. ATT&CK
D. STIX
E. TAXII
F. JTAG
8. An organization that performs real-time financial processing is
implementing a new backup solution.
Given the following business requirements:
* The backup solution must reduce the risk of potential backup
compromise.
* The backup solution must be resilient to a ransomware attack.
* The time to restore from backups is less important than the
backup data integrity.
* Multiple copies of production data must be maintained.
Which of the following backup strategies best meets these
requirements?
A. Creating a secondary, immutable storage array and updating it
with live data on a continuous basis
B. Utilizing two connected storage arrays and ensuring the arrays
constantly sync
C. Enabling remote journaling on the databases to ensure real-time
transactions are mirrored
D. Setting up anti-tampering on the databases to ensure data cannot
be changed unintentionally
9. During a forensic review of a cybersecurity incident, a security
engineer collected a portion of the payload used by an attacker on a
compromised web server.
Given the following portion of the code:
Which of the following best describes this incident?
A. XSRF attack
B. Command injection
C. Stored XSS
D. SQL injection
10. A security architect for a global organization with a distributed
workforce recently received funding to deploy a CASB solution.
Which of the following most likely explains the choice to use a
proxy-based CASB?
A. The capability to block unapproved applications and services is possible
B. Privacy compliance obligations are bypassed when using a user-based
deployment
C. Protecting and regularly rotating API secret keys requires a significant time
commitment
D. Corporate devices cannot receive certificates when not connected to on-
premises devices
11. A company's security policy states that any publicly available
server must be patched within 12 hours after a patch is released.
A recent IIS zero-day vulnerability was discovered that affects all
versions of the Windows Server OS:
Which of the following hosts should a security analyst patch first
once a patch is available?
12. A security review revealed that not all of the client proxy traffic
is being captured.
Which of the following architectural changes best enables the
capture of traffic for analysis?
A. Adding an additional proxy server to each segmented VLAN
B. Setting up a reverse proxy for client logging at the gateway
C. Configuring a SPAN port on the perimeter firewall to ingest logs
D. Enabling client device logging and system event auditing
13. A company is having issues with its vulnerability management
program. New devices/IPs are added
and dropped regularly, making the vulnerability report inconsistent.
Which of the following actions should the company take to most
likely improve the vulnerability management process?
A. Request a weekly report with all new assets deployed and decommissioned
B. Extend the DHCP lease time to allow the devices to remain with the same
address for a longer period
C. Implement a shadow IT detection process to avoid rogue devices on the
network
D. Perform regular discovery scanning throughout the IT landscape using the
vulnerability management tool
14. A security analyst detected unusual network traffic related to
program updating processes. The analyst collected artifacts from
compromised user workstations. The discovered artifacts were
binary files with the same name as existing, valid binaries but with
different hashes. Which of the following solutions would most likely
prevent this situation from reoccurring?
A. Improving patching processes
B. Implementing digital signatures
C. Performing manual updates via USB ports
D. Allowing only files from internal sources
15. A company isolated its OT systems from other areas of the
corporate network. These systems are required to report usage
information over the internet to the vendor.
Which of the following best reduces the risk of compromise or
sabotage? (Select two).
A. Implementing allow lists
B. Monitoring network behavior
C. Encrypting data at rest
D. Performing boot Integrity checks
E. Executing daily health checks
F. Implementing a site-to-site IPSec VPN
16. A security engineer wants to reduce the attack surface of a
public-facing containerized application.
Which of the following will best reduce the application's privilege
escalation attack surface?
A. Implementing the following command in the Dockerfile:
RUN echo "user:x:1000:1000:user:/home/user:/dev/null" > /etc/passwd
B. Installing an EDR on the container's host with reporting
configured to log to a centralized SIEM and implementing the
following alerting rule: IF PROCESS_USER=root
ALERT_TYPE=critical
C. Designing a multi-container solution, with one set of containers
that runs the main application, and another set of containers that
perform automatic remediation by replacing compromised
containers or disabling compromised accounts
D. Running the container in an isolated network and placing a load
balancer in a public-facing network. Adding the following ACL to the
load balancer: PERMIT HTTPS from 0.0.0.0/0 port 443
17. A compliance officer is reviewing the data sovereignty laws in
several countries where the organization has no presence.
Which of the following is the most likely reason for reviewing these
laws?
A. The organization is performing due diligence of potential tax
issues.
B. The organization has been subject to legal proceedings in
countries where it has a presence.
C. The organization is concerned with new regulatory enforcement
in other countries
D. The organization has suffered brand reputation damage from
incorrect media coverage
18. A security analyst wants to use lessons learned from a poor
incident response to reduce dwell time in the future. The analyst is
using the following data points:
Which of the following would the analyst most likely recommend?
A. Adjusting the SIEM to alert on attempts to visit phishing sites
B. Allowing TRACE method traffic to enable better log correlation
C. Enabling alerting on all suspicious administrator behavior
D. Utilizing allow lists on the WAF for all users using GET methods
19. A security analyst received a notification from a cloud service
provider regarding an attack detected on a web server.
The cloud service provider shared the following information about
the attack:
• The attack came from inside the network.
• The attacking source IP was from the internal vulnerability
scanners.
• The scanner is not configured to target the cloud servers.
Which of the following actions should the security analyst take first?
A. Create an allow list for the vulnerability scanner IPs in order to
avoid false positives
B. Configure the scan policy to avoid targeting an out-of-scope host
C. Set network behavior analysis rules
D. Quarantine the scanner sensor to perform a forensic analysis
20. A company's SIEM is continuously reporting false positives and
false negatives. The security operations team has implemented
configuration changes to troubleshoot possible reporting errors.
Which of the following sources of information best supports the
required analysis process? (Select two).
A. Third-party reports and logs
B. Trends
C. Dashboards
D. Alert failures
E. Network traffic summaries
F. Manual review processes
21. A security analyst needs to ensure that email domains that send
phishing attempts without previous communications are not
delivered to mailboxes.
The following email headers are being reviewed:
Which of the following is the best action for the security analyst to
take?
A. Block messages from hr-saas.com because it is not a recognized
domain
B. Reroute all messages with unusual security warning notices to
the IT administrator
C. Quarantine all messages with sales-mail.com in the email header
D. Block vendor.com for repeated attempts to send suspicious
messages
22. A company recently experienced an incident in which an
advanced threat actor was able to shim malicious code against the
hardware stack of a domain controller. The forensic team
cryptographically validated that both the underlying firmware of the
box and the operating system had not been compromised. However,
the attacker was able to exfiltrate information from the server using
a steganographic technique within LDAP.
Which of the following is the best way to reduce the risk of
reoccurrence?
A. Enforcing allow lists for authorized network ports and protocols
B. Measuring and attesting to the entire boot chain
C. Rolling the cryptographic keys used for hardware security modules
D. Using code signing to verify the source of OS updates
23. A company receives reports about misconfigurations and
vulnerabilities in a third-party hardware device that is part of its
released products.
Which of the following solutions is the best way for the company to
identify possible issues at an earlier stage?
A. Performing vulnerability tests on each device delivered by the
providers
B. Performing regular red-team exercises on the vendor production
line
C. Implementing a monitoring process for the integration between
the application and the vendor appliance
D. Implementing a proper supply chain risk management program
24. Which of the following best explains the business requirement a
healthcare provider fulfills by encrypting patient data at rest?
A. Securing data transfer between hospitals
B. Providing for non-repudiation of data
C. Reducing liability from identity theft
D. Protecting privacy while supporting portability
25. A user submits a help desk ticket stating their account does not
authenticate sometimes. An analyst reviews the following logs for
the user:
Which of the following best explains the reason the user's access is
being denied?
A. Incorrectly typed password
B. Time-based access restrictions
C. Account compromise
D. Invalid user-to-device bindings
26. A systems administrator works with engineers to process and
address vulnerabilities as a result of continuous scanning activities.
The primary challenge faced by the administrator is differentiating
between valid and invalid findings.
Which of the following would the systems administrator most likely
verify is properly configured?
A. Report retention time
B. Scanning credentials
C. Exploit definitions
D. Testing cadence
27. A company that relies on an EOL system must keep it operating
until a new solution is available.
Which of the following is the most secure way to meet this goal?
A. Isolating the system and enforcing firewall rules to allow access to only
required endpoints
B. Enforcing strong credentials and improving monitoring capabilities
C. Restricting system access to perform necessary maintenance by the IT team
D. Placing the system in a screened subnet and blocking access from internal
resources
28. A user reports application access issues to the help desk.
The help desk reviews the logs for the user:
Which of the following is most likely the reason for the issue?
A. The user inadvertently tripped the impossible travel security rule in the SSO
system
B. A threat actor has compromised the user's account and attempted to log in
C. The user is not allowed to access the human resources system outside of
business hours
D. The user did not attempt to connect from an approved subnet
29. An organization wants to manage specialized endpoints and
needs a solution that provides the ability to:
* Centrally manage configurations
* Push policies
* Remotely wipe devices
* Maintain asset inventory
Which of the following should the organization do to best meet
these requirements?
A. Use a configuration management database
B. Implement a mobile device management solution
C. Configure contextual policy management
D. Deploy a software asset manager
30. A company plans to implement a research facility with
intellectual property data that should be protected.
The following is the security diagram proposed by the security
architect:
Which of the following security architecture models is illustrated by the
diagram?
A. Identity and access management model
B. Agent-based security model
C. Perimeter protection security model
D. Zero Trust security model
31. A financial services organization is using AI to fully automate the
process of deciding client loan rates.
Which of the following should the organization be most concerned
about from a privacy perspective?
A. Model explainability
B. Credential theft
C. Possible prompt injections
D. Exposure to social engineering
32. A company wants to use IoT devices to manage and monitor
thermostats at all facilities. The thermostats must receive vendor
security updates and limit access to other devices within the
organization.
Which of the following best addresses the company's requirements?
A. Only allowing internet access to a set of specific domains
B. Operating IoT devices on a separate network with no access to other devices
internally
C. Only allowing operation for IoT devices during a specified time window
D. Configuring IoT devices to always allow automatic updates
33. An engineering team determines the cost to mitigate certain
risks is higher than the asset values. The team must ensure the
risks are prioritized appropriately.
Which of the following is the best way to address the issue?
A. Data labeling
B. Branch protection
C. Vulnerability assessments
D. Purchasing insurance
34. Company A acquired Company B and needs to determine how
the acquisition will impact the attack surface of the organization as
a whole.
Which of the following is the best way to achieve this goal? (Select
two).
A. Implementing DLP controls preventing sensitive data from leaving
Company B's network
B. Documenting third-party connections used by Company B
C. Reviewing the privacy policies currently adopted by Company B
D. Requiring data sensitivity labeling for all files shared with
Company B
E. Forcing a password reset requiring more stringent passwords for
users on Company B's network
F. Performing an architectural review of Company B's network
35. A security administrator is performing a gap assessment against
a specific OS benchmark.
The benchmark requires the following configurations be applied to
endpoints:
* Full disk encryption
* Host-based firewall
* Time synchronization
* Password policies
* Application allow listing
* Zero Trust application access
Which of the following solutions best addresses the requirements?
(Select two).
A. CASB
B. SBoM
C. SCAP
D. SASE
E. HIDS
36. After an incident response exercise, a security administrator
reviews the following table:
Which of the following should the administrator do to best support
rapid incident response in the future?
A. Automate alerting to IT support for phone system outages.
B. Enable dashboards for service status monitoring
C. Send emails for failed log-In attempts on the public website
D. Configure automated Isolation of human resources systems
37. Company A and Company B are merging. Company A's
compliance reports indicate branch protections are not in place. A
security analyst needs to ensure that potential threats to the
software development life cycle are addressed.
Which of the following should the analyst consider when
completing this task?
A. If developers are unable to promote to production
B. If DAST code is being stored to a single code repository
C. If DAST scans are routinely scheduled
D. If role-based training is deployed
38. A security analyst discovered requests associated with IP
addresses known for both legitimate and bot-related traffic.
Which of the following should the analyst use to determine whether
the requests are malicious?
A. User-agent string
B. Byte length of the request
C. Web application headers
D. HTML encoding field
39. An organization is required to:
* Respond to internal and external inquiries in a timely manner
* Provide transparency
* Comply with regulatory requirements
The organization has not experienced any reportable breaches but
wants to be prepared if a breach occurs in the future.
Which of the following is the best way for the organization to
prepare?
A. Outsourcing the handling of necessary regulatory filing to an
external consultant
B. Integrating automated response mechanisms into the data
subject access request process
C. Developing communication templates that have been vetted by
internal and external counsel
D. Conducting lessons-learned activities and integrating
observations into the crisis management plan
40. A security analyst is reviewing the following event timeline from
an EDR solution:
Which of the following most likely has occurred and needs to be
fixed?
A. The DLP has failed to block malicious exfiltration and data tagging is not
being utilized properly
B. An EDR bypass was utilized by a threat actor and updates must be installed
by the administrator
C. A logic flaw has introduced a TOCTOU vulnerability and must be addressed by
the EDR vendor
D. A potential insider threat is being investigated and will be addressed by the
senior management team