50 cysa+ practice test Practice Questions: Question Bank 2025

A security analyst is reviewing alerts and sees repeated outbound connections from a user workstation to a newly registered domain over TCP/443 at consistent 60-second intervals. No business application is known to use this domain. Which action is the BEST next step to validate whether this is command-and-control (C2) activity?

A vulnerability scan reports that several internet-facing servers support weak TLS cipher suites. The operations team is concerned about service impact. What is the BEST remediation approach to reduce risk while minimizing downtime?

An organization wants to prioritize patching based on real-world exploitation rather than CVSS score alone. Which data source would MOST directly support this goal?

A SOC lead needs to communicate current detection coverage and gaps to executives in a concise way. Which reporting artifact is MOST appropriate?

During an incident, an analyst suspects a phishing email led to credential theft. Which action BEST preserves evidence while still enabling investigation?

A SOC is tuning detections and wants to reduce false positives from a rule that flags administrative logons after hours. Which change is MOST likely to reduce false positives without significantly reducing true positives?

A vulnerability scanner identifies the same critical finding on multiple Linux servers, but the system owner claims the package is already patched. Which step is the BEST way to resolve the discrepancy?

An analyst is asked to present vulnerability risk to a non-technical business unit leader. Which approach is BEST for effective communication?

A SOC detects suspicious PowerShell activity on a server that hosts a critical revenue-generating application. The IR team must contain the threat but cannot take the application offline. Which containment strategy is MOST appropriate?

A company wants to design an internal process to ensure vulnerability remediation is verifiable and auditable. Which combination of controls BEST meets this requirement?

A SOC analyst is reviewing an alert showing a workstation attempted to connect to multiple external IPs on TCP/445 within two minutes. The connections were blocked by the perimeter firewall. Which type of activity does this MOST likely indicate?

A vulnerability manager must validate that a reported critical vulnerability on a Linux server is not a false positive before escalating to the change board. Which action is the BEST next step?

An incident responder needs to preserve forensic evidence from a potentially compromised employee laptop. Which approach BEST supports evidence integrity and chain of custody?

A security team wants to reduce alert fatigue from a SIEM rule that triggers on any PowerShell execution. Which tuning method is BEST to maintain detection value while reducing noise?

A risk committee asks for a weekly vulnerability report that enables business prioritization. Which combination of elements is MOST useful to include?

During triage, an analyst finds repeated failed logons for a user across many servers, followed by one successful logon to a previously unused server and immediate privilege group changes. What is the BEST classification and first response action?

A new scanning program is causing outages on legacy OT devices when scans run during business hours. What is the BEST adjustment to the vulnerability management process?

A SOC uses an EDR platform that can automatically quarantine hosts. After a recent false positive, leadership requires a change that still enables rapid containment but reduces business disruption. Which approach BEST meets this requirement?

An analyst suspects a web server is compromised and wants to capture volatile evidence before containment. The server hosts a high-traffic application, and downtime must be minimized. What is the BEST next step?

A company relies heavily on cloud services and wants to detect credential misuse without collecting excessive sensitive content. Which telemetry strategy provides the BEST detection value while supporting privacy-by-design?

A SOC analyst observes outbound traffic from a user workstation to a newly registered domain over TCP/443. The TLS certificate is valid, but the JA3 fingerprint is rare in the environment and the destination has no business justification. Which is the BEST next step to validate whether this is command-and-control (C2) activity?

A vulnerability management team must prioritize remediation for hundreds of findings. Leadership wants prioritization based on the likelihood of exploitation in the organization, not just severity. Which approach BEST meets this requirement?

During incident handling, an analyst needs to preserve evidence from a suspected compromised Linux server while minimizing business impact. Which action is MOST appropriate first?

A web application vulnerability scan reports possible SQL injection. The application owner insists the finding is a false positive due to input validation. What is the BEST way for the analyst to confirm the result while minimizing risk to production?

A security team is tuning SIEM alerts and wants to reduce false positives for suspicious PowerShell activity. Which change would be MOST effective without significantly reducing detection coverage?

After a phishing incident, a manager asks for a concise report that explains what happened, the business impact, and what will prevent recurrence. Which deliverable is MOST appropriate?

A company is implementing network segmentation to reduce lateral movement. Which design BEST supports detecting and limiting east-west traffic in a data center?

A vulnerability scanner is missing vulnerabilities on several Windows hosts. The scan shows the hosts are reachable, but authenticated checks fail. Which is the MOST likely cause?

A threat actor is suspected of using living-off-the-land techniques and deleting local logs. Which architecture decision would BEST improve investigation capability and resilience of log evidence?

An incident response team is preparing to engage an external forensics firm during a high-impact breach. Which requirement is MOST important to include in the communication plan to avoid delays and preserve evidence integrity?

An analyst receives an alert that a workstation attempted to connect to hundreds of sequential TCP ports on an internal database server within 30 seconds. The workstation user claims they were only browsing the intranet. Which activity is MOST likely occurring?

A SOC team wants to reduce false positives from known, approved administrative tools (e.g., remote management utilities) that frequently trigger malware-like behavior alerts. Which action is MOST appropriate while maintaining security visibility?

A vulnerability scan identifies that a public-facing web server supports weak TLS ciphers. The application owner says changing configurations could break legacy clients. What is the BEST immediate compensating control to reduce risk while a long-term fix is planned?

During triage, an analyst needs to quickly validate whether a suspicious executable has been observed in other endpoints across the environment. Which data source is MOST useful for rapid enterprise-wide confirmation?

A security engineer is prioritizing remediation for two vulnerabilities on the same host. Vulnerability A has a higher CVSS score, but Vulnerability B is actively exploited in the wild and the host is internet-facing. Which factor should MOST influence remediation priority?

A SIEM correlation rule triggers on a single failed login followed by a successful login from the same IP within 60 seconds, generating excessive alerts. Investigation shows users often mistype passwords once. What is the BEST adjustment to reduce noise while still detecting password guessing?

After a malware containment action, an incident responder must preserve evidence for potential legal action while allowing operations to resume. Which approach BEST balances these requirements?

A CySA+ analyst must present vulnerability status to non-technical executives. Which report element is MOST effective for this audience?

A company wants to detect data exfiltration attempts from a segmented PCI environment. The network design allows only required outbound connections through a proxy. Which architecture change would MOST improve detection fidelity with minimal impact?

A vulnerability management team needs to validate whether a critical patch was actually applied across servers where the package manager reports success. Some servers may have been rolled back by configuration drift. What is the BEST verification method?

An analyst receives an alert that a user successfully authenticated to a SaaS application from two countries within five minutes. The company wants to reduce false positives caused by VPN use while still detecting account takeover. Which approach is BEST?

A vulnerability scan report shows multiple hosts with high-risk findings, but the security engineer suspects some are false positives due to a legacy service banner that is not reliable. What is the BEST next step to validate the findings before prioritizing remediation?

During an incident, the SOC lead needs to ensure collected disk images are admissible for potential legal action. Which action is MOST important to support evidence integrity?

A SIEM rule triggers on PowerShell execution with an encoded command. Initial triage indicates the command is often used by a legitimate endpoint management tool. Which action BEST improves detection while minimizing disruption?

A company is migrating to containers and wants to reduce the risk of vulnerable images being deployed. Which control is MOST effective to implement early in the pipeline?

After an incident, leadership asks for a concise report that communicates business impact, actions taken, and recommendations without exposing sensitive indicators that could aid an attacker if leaked. What report type should the analyst produce?

A vulnerability management program is overwhelmed with recurring findings on endpoints that are frequently offline and miss patch windows. Which metric would BEST demonstrate program health improvement after implementing an always-on patching solution?

An incident responder suspects an attacker used stolen browser session tokens to access corporate email, bypassing MFA. Which data source would MOST directly confirm this technique?

A SOC detects lateral movement using remote service creation on Windows hosts. The organization wants to contain the incident quickly while preserving business-critical servers that must remain online. Which containment strategy is BEST?

A company uses a risk-based approach to prioritize remediation. A newly discovered vulnerability has a moderate CVSS score but is being actively exploited in the wild, and the affected system is internet-facing with sensitive data access. What is the MOST appropriate prioritization decision?