SY0-701 Exam Overview
Prepare for the CompTIA SY0-701 certification exam
with our comprehensive study guide. This study material contains 609 practice questions
sourced from real exams and expert-verified for accuracy. Each question includes the correct answer
and a detailed explanation to help you understand the material thoroughly.
The SY0-701 exam — Security+ — is offered by CompTIA.
Passing this exam earns you the CompTIA Security+ credential,
an industry-recognized certification that validates your expertise.
Our study materials were last updated on 2026-02-18 to reflect the
most recent exam objectives and content.
About the CompTIA Security+
The CompTIA Security+ is awarded by CompTIA
to professionals who demonstrate competence in the skills measured by the SY0-701 exam.
According to the official CompTIA certification page, this certification validates your ability to work with the technologies covered in the exam objectives.
According to the Global Knowledge IT Skills and Salary Report, certified IT professionals earn 15-25% more than their non-certified peers.
Certifications from CompTIA are among the most recognized credentials in the IT industry,
with strong demand across enterprise organizations worldwide.
Free Sample — 15 Practice Questions
Preview 15 of 609 questions from the SY0-701 exam.
Try before you buy — purchase the full study guide for all 609 questions with answers and explanations.
Question 542
Which of the following factors are the most important to address when formulating a training curriculum plan for a security awareness program? (Choose two.)
A. Channels by which the organization communicates with customers
B. The reporting mechanisms for ethics violations
C. Threat vectors based on the industry in which the organization operates
D. Secure software development training for all personnel
E. Cadence and duration of training events
F. Retraining requirements for individuals who fail phishing simulations
Correct Answer: C, E
Explanation:
A security awareness curriculum must be built around what threats employees are most likely to face and how the training will be delivered over time. Industry-specific threat vectors ensure the content is relevant and risk-driven, while defining the cadence and duration of training ensures consistent reinforcement without fatigue. Other options are either operational details or niche components, not core curriculum-planning factors.
Question 144
Which of the following allows a systems administrator to tune permissions for a file?
A. Patching
B. Access control list
C. Configuration enforcement
D. Least privilege
Correct Answer: B
Explanation:
An Access Control List (ACL) lets an administrator precisely define which users or groups can access a file and what actions (read, write, execute) they are allowed, which is exactly how file permissions are tuned.
Question 599
Which of the following vulnerabilities is associated with installing software outside of a manufacturer’s approved software repository?
A. Jailbreaking
B. Memory injection
C. Resource reuse
D. Side loading
Correct Answer: D
Explanation:
Installing software outside a manufacturer’s approved repository is known as side loading, which bypasses official distribution channels and associated security controls. The other options describe different concepts (jailbreaking, memory injection, resource reuse) not specifically defined by installing unapproved software.
Question 263
Which of the following would a security administrator use to comply with a secure baseline during a patch update?
A. Information security policy
B. Service-level expectations
C. Standard operating procedure
D. Test result report
Correct Answer: C
Explanation:
A secure baseline is enforced through documented, repeatable procedures. A Standard Operating Procedure (SOP) provides step-by-step instructions for performing patch updates in a consistent and secure manner, ensuring compliance with the established secure baseline. Policies are high-level, service-level expectations are unrelated to patch execution, and test result reports only document outcomes.
Question 343
A security analyst at an organization observed several user logins from outside the organization's network. The analyst determined that these logins were not performed by individuals within the organization. Which of the following recommendations would reduce the likelihood of future attacks? (Choose two.)
A. Disciplinary actions for users
B. Conditional access policies
C. More regular account audits
D. Implementation of additional authentication factors
E. Enforcement of content filtering policies
F. A review of user account permissions
Correct Answer: B, D
Explanation:
The logins originated from outside the organization and were not legitimate users, indicating compromised credentials or unauthorized access. Conditional access policies can restrict or block access based on conditions such as location, device, or risk, reducing exposure from external or anomalous logins. Implementing additional authentication factors (MFA) adds a strong layer of protection, preventing attackers from successfully logging in even if credentials are stolen.
Question 485
Which of the following should a systems administrator use to ensure an easy deployment of resources within the cloud provider?
A. Software as a service
B. Infrastructure as code
C. Internet of Things
D. Software-defined networking
Correct Answer: B
Explanation:
Infrastructure as Code (IaC) allows a systems administrator to define, provision, and manage cloud resources using code and automation. This enables consistent, repeatable, and rapid deployment of resources within a cloud provider, making deployments easier and less error-prone than manual configuration.
Question 192
A security analyst wants to better understand the behavior of users and devices in order to gain visibility into potential malicious activities. The analyst needs a control to detect when actions deviate from a common baseline. Which of the following should the analyst use?
A. Intrusion prevention system
B. Sandbox
C. Endpoint detection and response
D. Antivirus
Correct Answer: C
Explanation:
The question focuses on understanding the behavior of users and devices and detecting when actions deviate from a normal baseline. Endpoint Detection and Response (EDR) tools are specifically designed to monitor endpoint activity, establish behavioral baselines, and identify anomalous or suspicious behavior on user devices. IPS primarily analyzes network traffic patterns, not detailed user or endpoint behavior, while sandboxing and antivirus are more limited and signature- or sample-focused.
Question 540
A security team is reviewing the findings in a report that was delivered after a third party performed a penetration test. One of the findings indicated that a web application form field is vulnerable to cross-site scripting. Which of the following application security techniques should the security analyst recommend the developer implement to prevent this vulnerability?
A. Secure cookies
B. Version control
C. Input validation
D. Code signing
Correct Answer: C
Explanation:
Cross-site scripting (XSS) occurs when untrusted user input is accepted and rendered by a web application without proper checks. Implementing strong input validation (often combined with sanitization and output encoding) ensures that malicious scripts cannot be submitted or executed through form fields. The other options do not directly prevent XSS.
Question 221
Which of the following data states applies to data that is being actively processed by a database server?
A. In use
B. At rest
C. In transit
D. Being hashed
Correct Answer: A
Explanation:
Data that is actively processed by a database server—such as during queries, updates, or computations—is considered data "in use." "At rest" is stored data, "in transit" is data moving across networks, and "being hashed" is a security operation rather than a data state.
Question 197
An organization is required to provide assurance that its controls are properly designed and operating effectively. Which of the following reports will best achieve the objective?
A. Red teaming
B. Penetration testing
C. Independent audit
D. Vulnerability assessment
Correct Answer: C
Explanation:
An independent audit provides formal assurance that controls are appropriately designed and operating effectively, typically through objective testing by qualified third parties. The other options focus on identifying technical weaknesses rather than providing comprehensive assurance over control design and effectiveness.
Question 519
A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?
A. Cross-site scripting
B. Buffer overflow
C. Jailbreaking
D. Side loading
Correct Answer: C
Explanation:
The clause prohibits modifying the mobile device operating system. Jailbreaking (and rooting) specifically involves altering OS-level restrictions to gain elevated control, which directly matches the vulnerability being addressed. Side loading concerns installing apps, not OS modification, and the other options are unrelated.
Question 107
An administrator must replace an expired SSL certificate. Which of the following does the administrator need to create the new SSL certificate?
A. CSR
B. OCSP
C. Key
D. CRL
Correct Answer: A
Explanation:
To replace an expired SSL certificate, the administrator must generate a Certificate Signing Request (CSR). The CSR contains the public key and identifying information that a Certificate Authority uses to issue a new SSL certificate. OCSP and CRL are used for certificate status checking, and the private key already exists or is generated locally, not submitted to the CA.
Question 507
Which of the following can be used to identify potential attacker activities without affecting production servers?
A. Honeypot
B. Video surveillance
C. Zero Trust
D. Geofencing
Correct Answer: A
Explanation:
A honeypot is a decoy system intentionally isolated from production that is designed to attract and monitor attacker behavior. Because it is not part of live operations, it allows detection and analysis of malicious activities without impacting production servers. The other options are general security or physical controls and are not specifically meant to safely study attacker techniques.
Question 226
A group of developers has a shared backup account to access the source code repository. Which of the following is the best way to secure the backup account if there is an SSO failure?
A. RAS
B. EAP
C. SAML
D. PAM
Correct Answer: D
Explanation:
Privileged Access Management (PAM) is designed to secure shared or highly privileged accounts, such as a backup account used when SSO fails. PAM enforces strong authentication, access controls, credential vaulting and rotation, and provides auditing and session monitoring. The other options focus on authentication or access protocols (RAS, EAP, SAML) and do not address secure management of shared privileged accounts.
Question 286
A security analyst attempts to start a company's database server. When the server starts, the analyst receives an error message indicating the database server did not pass authentication. After reviewing and testing the system, the analyst receives confirmation that the server has been compromised and that attackers have redirected all outgoing database traffic to a server under their control. Which of the following MITRE ATT&CK techniques did the attacker most likely use to redirect database traffic?
A. Browser extension
B. Process injection
C. Valid accounts
D. Escape to host
Correct Answer: B
Explanation:
Redirecting all outgoing database traffic implies the attacker altered the behavior of the running database service or its network calls. In MITRE ATT&CK, this most closely aligns with Process Injection (T1055), where malicious code is injected into a legitimate process to manipulate execution, intercept, or reroute network communications. Valid Accounts explains access, not traffic manipulation; Browser Extension is irrelevant to a database server; and Escape to Host refers to container/VM breakout, which is not described.