cysa+ practice test Practice Exam 2025: Latest Questions

A security analyst wants to quickly identify signs of data exfiltration from internal hosts to the internet using existing perimeter logs. Which indicator would be MOST suspicious?

A vulnerability scanner reports a finding as 'credentialed scan failed' for multiple Linux servers. What is the BEST next step to improve scan accuracy?

During an incident, the SOC lead instructs the team to preserve volatile evidence from a suspected compromised workstation before powering it down. Which action should be performed FIRST?

A security analyst must provide executives with a weekly summary of SOC activity. Which report element is MOST appropriate for that audience?

A SOC is tuning a SIEM rule that triggers on potential brute-force authentication attempts. The current rule generates many false positives due to scheduled tasks. Which adjustment is BEST to reduce false positives while keeping detection value?

A vulnerability management team must prioritize remediation for three findings on an internet-facing server: (1) a critical RCE vulnerability with known exploitation in the wild, (2) a medium-severity information disclosure, and (3) a low-severity missing security header. The server hosts a revenue-generating application. What should be remediated FIRST?

An analyst sees repeated outbound connections from a single endpoint to many external IPs on TCP 25, and email logs show no legitimate SMTP relay configuration for that host. Which containment action is BEST to take immediately?

A security analyst must communicate the results of a phishing simulation to department managers to drive behavior change without exposing individual employees. What is the BEST approach?

A SOC is investigating suspected command-and-control traffic. The proxy logs show periodic HTTPS connections to a domain that was registered recently. TLS inspection is not enabled, but the analyst can see the Server Name Indication (SNI) and JA3/JA3S fingerprints. Which action would provide the BEST additional confirmation with minimal operational impact?

A vulnerability scan identifies a critical vulnerability on a legacy application server. The vendor patch requires an OS upgrade that cannot be completed for 60 days due to operational constraints. Which compensating control is MOST appropriate to reduce risk during the delay?

A SOC analyst is triaging an alert for a suspected malicious PowerShell command. Which data source is MOST likely to provide the full command-line arguments and parent/child process relationships on a Windows endpoint?

During an internal vulnerability scan, multiple servers report the same missing patch, but the system owner insists the patch is installed. The analyst suspects the scanner is failing to properly authenticate. What is the BEST next step to validate this hypothesis?

An incident responder wants to ensure evidence from a compromised laptop is admissible and can be proven unchanged. Which action BEST supports this goal?

A vulnerability manager needs to decide which findings to remediate first across several business units. Which approach BEST aligns with risk-based vulnerability management?

A SIEM use case is generating frequent alerts for successful logins to a privileged account. Investigation shows the activity is normal: the account is used by an automation tool from a fixed set of IP addresses. What is the BEST way to reduce alert fatigue while maintaining security visibility?

A security team detects outbound traffic to a domain that appears newly registered and is not in any threat feeds. Which technique would BEST help determine whether the domain is potentially malicious without directly interacting with it from the corporate network?

After containment of a malware incident, leadership asks for a concise, non-technical summary that explains business impact, actions taken, and next steps. Which report type is MOST appropriate?

A web application vulnerability scan reports a potential SQL injection issue in a login form. The application team claims the backend uses parameterized queries, and there is a WAF in front of the app. What is the BEST next step for the analyst?

An organization wants to improve its ability to detect lateral movement in a hybrid environment. Which architecture change would provide the MOST direct detection benefit while minimizing gaps caused by encrypted traffic?

A responder suspects an attacker used stolen OAuth tokens to access a cloud email service. The organization uses a CASB and has access to cloud audit logs. Which action is MOST effective to contain the incident and reduce the chance of immediate re-access?

During an internal phishing test, multiple users clicked a link and entered credentials into a fake login page. The security team wants to quickly determine whether any of those credentials were used successfully against cloud services after the test. Which data source should the analyst review FIRST?

A vulnerability scanner reports a critical CVE on several Linux servers. The system owner disputes the finding, stating the vulnerable service is not reachable externally. The analyst discovers the package is installed, but the service is disabled and bound only to localhost. What is the BEST way to document this situation while maintaining risk visibility?

After an endpoint detection platform quarantines a suspicious executable, the incident responder needs to preserve evidence for potential legal action. Which action is MOST appropriate to ensure evidence integrity?

A SOC is overwhelmed by alerts. Leadership asks for a repeatable method to prioritize which detections should be tuned or automated first. Which approach is BEST aligned with operational best practices?

An organization is designing segmentation for an OT environment. The goal is to allow business users to view historian dashboards from the corporate network while preventing direct access from corporate endpoints to PLCs and other control devices. Which architecture BEST meets this requirement?