CompTIA Security+ Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real CompTIA Security+ exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for CompTIA Security+
A security engineer is designing authentication for a healthcare SaaS that must minimize account takeover while supporting multiple enterprise customers using their own identity providers. The SaaS must enforce least privilege, reduce password handling by the SaaS, and provide strong session controls (revocation and short-lived access). Which approach best meets these requirements?
A company suspects a supply chain compromise after a routine update. Several endpoints began making outbound connections to rare domains immediately after installing a vendor package. The organization wants to (1) rapidly reduce risk of execution, (2) preserve evidence for later analysis, and (3) minimize business disruption. Which response sequence is MOST appropriate?
A red team demonstrates that an internal web app is vulnerable to SSRF. From a compromised app server, they access the cloud instance metadata service and retrieve temporary credentials, then enumerate storage buckets. The organization wants to prevent this class of attack with the LEAST operational overhead while maintaining functionality. Which control is BEST?
During a penetration test, an attacker uses a low-privileged domain account to request Kerberos service tickets for multiple SPNs and then performs offline password cracking. The security team wants to reduce the likelihood and impact of this technique without breaking service functionality. Which action is MOST effective?
A cloud-hosted microservices application uses mutual TLS between services. After migrating to a service mesh, engineers notice intermittent authentication failures between workloads when pods reschedule. Logs show certificate validation errors shortly after scaling events. The organization wants a resilient design that reduces manual certificate management. Which solution BEST addresses the issue?
A financial firm must store encryption keys for a database that contains regulated data. Requirements include: keys must not be exportable, access must be auditable, cryptographic operations should be offloaded from application servers, and keys must survive instance replacement. Which architecture BEST fits?
An organization is implementing Zero Trust access for third-party vendors to administer a subset of internal systems. Vendors frequently change IP addresses, and the organization wants to avoid broad network-level VPN access. The solution must continuously evaluate device posture and user risk before granting access to specific applications. Which approach BEST meets these goals?
A SOC is investigating suspicious PowerShell activity. EDR shows a script executed with no file written to disk, followed by a connection to an external host over HTTPS. Proxy logs show the destination uses domain fronting (SNI and Host header mismatch). The SOC wants to improve detection and containment for this technique with minimal false positives. Which action is BEST?
A ransomware event encrypted a subset of file servers and attempted to delete backups. The organization uses immutable object storage for backups plus on-prem snapshots. Investigators find that backup deletion requests succeeded for some on-prem repositories using a service account that had broad permissions. The organization wants to harden recovery and reduce blast radius while keeping backup operations manageable. Which change is MOST effective?
A multinational company is rolling out a data classification and handling program. Business units complain that previous controls slowed product delivery. The CISO wants governance that drives consistent controls, measurable risk reduction, and clear exceptions without becoming a bottleneck. Which approach is BEST?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual CompTIA Security+ exam!
CompTIA Security+ Advanced Practice Exam FAQs
Security+ is a professional certification from CompTIA that validates expertise in security technologies and concepts. The official exam code is SY0-701.
The Security+ advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the SY0-701 exam.
While not required, we recommend mastering the Security+ beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 750/900 on the Security+ advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.