cysa+ practice test Intermediate Practice Exam: Medium Difficulty 2025

A SOC analyst sees a successful VPN login from an unusual country followed by access to a payroll file share. There is no malware alert, but the account normally logs in only from the corporate office. Which action best balances rapid risk reduction with preserving evidence for investigation?

A SIEM rule triggers when a single host makes hundreds of DNS queries for random-looking subdomains of a rarely used external domain. The host then initiates periodic outbound HTTPS connections to a single IP. Which hypothesis is MOST likely and should be investigated first?

A company is implementing endpoint logging improvements. The security team wants to detect credential dumping and lateral movement without overwhelming storage. Which configuration is the BEST starting point?

After deploying new EDR, multiple endpoints alert on PowerShell launching with an encoded command. The command ultimately downloads a script from an internal admin share used by IT. What is the BEST next step to reduce false positives while maintaining detection coverage?

A vulnerability scan shows a critical CVE on an internet-facing web server. The vendor patch requires downtime and cannot be applied for two weeks due to a change freeze. Which compensating control BEST reduces risk in the interim?

A scan reports hundreds of vulnerabilities across endpoints, including many “medium” findings on kiosk systems and a few “high” findings on a database server containing regulated data. What is the BEST approach to prioritize remediation?

During a routine scan, the security team discovers an unmanaged host with SMB open and no recent patches. The host is not in the CMDB. Which action is BEST to both reduce risk and improve future vulnerability management?

A company uses a ticketing workflow for vulnerability remediation. Patch teams frequently close tickets as “fixed,” but rescans still show the same findings. Which improvement BEST addresses this problem?

Multiple users report they cannot open documents and see a ransom note. The incident handler needs to contain the spread while keeping business-critical systems available. Which action is the BEST initial containment step?

After an incident is resolved, leadership asks for a report explaining what happened, the business impact, and how recurrence will be prevented. Which report component BEST communicates actionable prevention steps to both technical and non-technical stakeholders?