50 Cybersecurity Apprentice Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Cybersecurity Apprentice certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Cybersecurity Apprentice
A user reports they can browse websites by domain name (e.g., www.example.com) but cannot access a web server by its IP address. What is the MOST likely issue?
Which statement BEST describes the purpose of a subnet mask in IPv4 networking?
A security analyst is reviewing a report that states "an attacker tricked a user into entering credentials on a fake login page." Which attack type is being described?
Which practice BEST supports the principle of least privilege?
A remote employee connects to a public Wi-Fi network and needs to access internal company applications securely over the internet. Which technology is MOST appropriate?
A company wants to reduce the risk of compromised passwords leading to account takeover for a cloud application. Which control is MOST effective to add?
A SOC analyst sees repeated authentication failures from many different IP addresses targeting one user account over a short period. What activity does this MOST likely indicate?
An organization wants to limit lateral movement if one workstation becomes infected. Which network design approach BEST supports this goal?
A company deploys a next-generation firewall and wants to enforce policy based on the application (e.g., allow Microsoft Teams but block unknown remote-access tools), not just ports. Which capability enables this approach?
After a malware alert, an analyst needs to preserve evidence so it can be used in an investigation without being challenged as altered. What is the BEST action to support evidence integrity?
A user reports they can access websites by IP address (e.g., http://93.184.216.34) but not by domain name (e.g., http://example.com). Which issue is most likely?
Which statement best describes multi-factor authentication (MFA)?
Which action is the BEST immediate response when you suspect your corporate laptop is infected with malware?
A company wants to reduce the risk of lateral movement if a user device is compromised. Which network design choice best supports this goal?
Your SOC sees an alert indicating a user entered valid credentials on a lookalike login page hosted on an external domain. What type of attack is this MOST consistent with?
An administrator wants to ensure only approved applications can access the internet, even if they use non-standard ports. Which Palo Alto Networks capability best matches this requirement?
A user receives an email attachment named "Invoice.pdf.exe" and asks if it is safe to open. What is the BEST guidance?
A firewall policy allows TCP/80 and TCP/443 from the internet to a public web server. Users report that browsing works, but file downloads are intermittently blocked. The security team suspects the traffic is being decrypted and inspected. Which technology is MOST likely responsible for blocking specific file types during web sessions?
A security analyst wants to determine whether a spike in outbound traffic from a single endpoint is data exfiltration or a legitimate backup job. Which FIRST step is most appropriate to reduce false conclusions?
A company is designing a remote-access solution. They want users to access internal applications securely from unmanaged personal devices, and they want to minimize risk by not exposing the internal network broadly. Which approach best aligns with these goals?
A user says they can access a website by IP address but not by its hostname. Which network service is MOST likely causing the problem?
Which choice BEST describes multi-factor authentication (MFA)?
A company wants to reduce the chance that a single compromised user account can cause widespread damage. Which control BEST supports this goal?
A security analyst notices a user clicked a link in an email and then their browser was redirected to a page requesting credentials. Which tactic is MOST consistent with this activity?
A firewall policy allows outbound web browsing. Users report that modern websites fail intermittently, while older sites work. The security team suspects issues with encrypted traffic negotiation and blocking. Which firewall feature would MOST directly help by identifying applications regardless of port and enabling safer policy decisions?
Your SOC receives an alert for a suspicious file downloaded via a browser. You want to reduce endpoint risk by preventing known malware from executing. Which control MOST directly matches this goal?
A company wants to improve security monitoring. Which logging practice BEST supports effective incident investigation while minimizing confusion during triage?
A remote employee connects to the corporate network over a public Wi-Fi hotspot. The company requires that all traffic between the user and the company be protected from eavesdropping. Which solution BEST meets this requirement?
A firewall is configured with a rule that allows traffic from the internet to an internal web server. Users report the site is reachable, but the server team says the source IPs in the web logs are always the firewall’s IP address instead of the real client IPs. Which configuration is MOST likely causing this?
An organization is creating an incident response plan. During an active malware incident, which action should occur FIRST to reduce further harm while preserving the ability to investigate?
A user cannot reach an internal web server by its hostname (intranet.company.local) but can reach it by IP address. Which component is MOST likely failing?
Which action BEST supports the principle of least privilege?
A security analyst wants to confirm that a downloaded installer has not been modified in transit. Which control MOST directly provides this assurance?
Which statement BEST describes why multi-factor authentication (MFA) is effective?
A small office network has a switch connecting multiple PCs and a router connecting to the internet. Users report that local file sharing works, but no one can access external websites. Which issue is the MOST likely cause?
An organization wants to reduce the risk of malware spreading from employee laptops to critical servers. Which approach BEST supports this goal?
During an investigation, you find repeated failed logins from many different IP addresses against a single user account. What type of attack does this MOST closely indicate?
A company wants to improve detection of suspicious activity by correlating events from firewalls, servers, and endpoints in one place. Which solution BEST fits this requirement?
A security team is designing an internet-facing web application. They want to protect against common web attacks (for example, injection and cross-site scripting) while allowing legitimate web traffic. Which technology is MOST appropriate?
A user receives an email that appears to be from the CEO asking for urgent purchase of gift cards and instructing them not to tell anyone. The sender address is slightly misspelled, and the email creates pressure to act quickly. What is the BEST immediate action?
A user is browsing a website and sees the lock icon in the browser address bar. What does this MOST directly indicate?
Which action is an example of the 'least privilege' principle?
Which network protocol is primarily used to translate a domain name (e.g., www.example.com) into an IP address?
A company wants to reduce the risk of credential theft from phishing. Which control provides the BEST additional protection if a password is compromised?
A junior analyst sees repeated failed login attempts from many different IP addresses against a single user account over a short period. What type of attack does this MOST likely represent?
A remote employee connects to a corporate VPN. They can reach internal IP addresses by ping, but cannot access internal websites by name (e.g., intranet.corp). Which issue is MOST likely?
A security team wants to prevent users from downloading unknown executable files while still allowing business-related web browsing. Which approach BEST aligns with modern Palo Alto Networks security concepts?
A security tool reports an alert with 'low confidence, high severity'. What is the BEST next step for a junior analyst?
A company is designing network segmentation. They want to separate IoT devices from user workstations and only allow IoT devices to reach a specific update server. Which design BEST supports this goal?
A security team wants to inspect encrypted outbound web traffic for threats while minimizing privacy impact and operational risk. Which is the MOST appropriate best-practice approach?
Cybersecurity Apprentice 50 Practice Questions FAQs
Cybersecurity Apprentice is a professional certification from Palo Alto Networks that validates expertise in cybersecurity apprentice technologies and concepts. The official exam code is PALOALTO-1.
Our 50 Cybersecurity Apprentice practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Cybersecurity Apprentice preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Cybersecurity Apprentice questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.