CompTIA SY0-701 Practice Test 2026

Updated On : 25-May-2026

Prepare smarter and boost your chances of success with our CompTIA SY0-701 practice test 2026. These CompTIA Security+ Exam 2026 test questions help you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use the SY0-701 practice exam are 40–50% more likely to pass on their first attempt.

Start practicing today and take the fast track to becoming CompTIA SY0-701 certified.


Page 1 out of 87 Pages


A company asks a vendor to help its internal red team with a penetration test without providing too much detail about the infrastructure. Which of the following penetration testing methods does this scenario describe?

A. Passive reconnaissance

B. Partially-known environment

C. Integrated testing

D. Defensive testing

B.   Partially-known environment

Explanation:
The vendor is assisting the internal red team without being given "too much detail" about the infrastructure — but some information may still be provided. This describes a partially-known environment (also called gray-box testing). The tester has limited knowledge (e.g., IP ranges, application types) but not full internal details.

Correct Option:

B. Partially-known environment –
In penetration testing, a partially-known (gray-box) environment means the tester has some knowledge of the target (e.g., network diagrams, API documentation) but not complete details. This balances realism and efficiency, allowing focused testing without the full insider view of a white-box test.

Incorrect Options:

A. Passive reconnaissance –
Passive recon is an information-gathering technique (using public sources), not a penetration testing method based on knowledge level.

C. Integrated testing –
Integrated testing is not a standard penetration testing method; it might refer to combining physical/social/network testing.

D. Defensive testing –
Defensive testing (blue team) focuses on detection and response, not a knowledge-level classification.

Reference:
CompTIA SY0-701 Objective 4.3 – Explain penetration testing methods. Gray-box (partially-known) testing provides limited information to the tester. (See also NIST SP 800-115, Section 5.2 – Penetration Testing Approaches.)

The physical security team at a company receives reports that employees are not displaying their badges. The team also observes employees tailgating at controlled entrances. Which of the following topics will the security team most likely emphasize in upcoming security training?

A. Social engineering

B. Situational awareness

C. Phishing

D. Acceptable use policy

B.   Situational awareness

Explanation:

B) Situational awareness is the correct answer.
The issues reported—employees not displaying badges and tailgating (where an unauthorized person follows an authorized person into a secured area)—directly indicate a lack of situational awareness. Employees are not paying attention to their surroundings, security protocols, or potential risks. Training focused on situational awareness would address:

The importance of visibly displaying badges for identification and accountability.

Recognizing and preventing tailgating by verifying that only authorized individuals enter.

Being mindful of physical security practices and reporting suspicious behavior.

Why the others are incorrect:

A) Social engineering:
While tailgating can be a form of social engineering (e.g., an attacker manipulating an employee to gain access), the core issue here is employees' failure to adhere to physical security norms, not necessarily falling victim to manipulation. The training need is broader awareness of physical surroundings, not just defense against deception.

C) Phishing:
This is a cyber threat involving deceptive emails or messages, unrelated to physical security concerns like badge display or tailgating.

D) Acceptable use policy:
This typically governs the proper use of IT resources (e.g., internet, email) and is not directly relevant to physical access control or badge policies.

Reference:
This question tests knowledge of Domain 5.5: Explain the importance of physical security controls and Domain 5.4: Explain the importance of personnel management and security awareness training. Situational awareness is a key component of physical security training, emphasizing vigilance and adherence to protocols like badge visibility and access control, as outlined in the SY0-701 objectives.

An organization wants to improve the company's security authentication method for remote employees. Given the following requirements:

• Must work across SaaS and internal network applications
• Must be device manufacturer agnostic
• Must have offline capabilities

Which of the following would be the most appropriate authentication method?

A. Username and password

B. Biometrics

C. SMS verification

D. Time-based tokens

D.   Time-based tokens

Explanation:
Time-based tokens (D) is the correct answer. This typically refers to using an authenticator app (like Google Authenticator, Microsoft Authenticator, or Authy) that generates a temporary, one-time password (TOTP) based on a shared secret and the current time. Let's evaluate it against the requirements:

Works across SaaS and internal network applications:
TOTP is a standard protocol supported by virtually all SaaS applications (e.g., Google Workspace, Salesforce) and can be integrated with internal applications using directories like Active Directory or RADIUS servers.

Device manufacturer agnostic:
Authenticator apps are available as software applications for iOS, Android, and sometimes desktop OSs. They do not require specific hardware from a particular manufacturer.

Offline capabilities:
Once the authenticator app is initially set up (which requires a one-time internet connection to sync the secret seed), it can generate codes completely offline. It uses the device's internal clock, not a network connection, to create the time-based codes. This is crucial for remote employees who may have unreliable internet access.

Why the others are incorrect:

A) Username and password:
While this method is universal and offline, it does not "improve" security—it is the basic factor that multi-factor authentication (MFA) is designed to strengthen. It fails to meet the implicit requirement for stronger authentication.

B) Biometrics:
Biometrics (e.g., fingerprint, facial recognition) are often not device manufacturer agnostic. They rely on specific hardware sensors (e.g., Apple's Face ID, Windows Hello) that are built into particular devices. A remote employee using a non-compatible device would be locked out. They also generally lack offline capabilities for network applications, as they typically authenticate to the device itself, not to remote services without an internet connection.

C) SMS verification:
SMS-based codes (or voice calls) require a cellular network connection to receive the code. This lacks offline capabilities, making it unsuitable for environments with poor or no cell service. It also carries security risks like SIM swapping attacks.

Reference:
This question tests knowledge of Domain 2.4: Explain authentication and authorization controls and Domain 3.6: Given a scenario, implement authentication and authorization solutions. Time-based one-time passwords (TOTP) are a core MFA method highlighted in the SY0-701 objectives for providing a good balance of security, usability, and availability, especially for remote workforce scenarios.

While reviewing a recent compromise, a forensics team discovers that there are hardcoded credentials in the database connection strings. Which of the following assessment types should be performed during software development to prevent this from reoccurring?

A. Vulnerability scan

B. Penetration test

C. Static analysis

D. Quality assurance

C.   Static analysis

Explanation:
Hardcoded credentials in source code (e.g., connection strings) are a coding flaw that should be caught before deployment. Static analysis (Static Application Security Testing or SAST) examines source code without executing it, identifying hardcoded secrets, insecure functions, and other vulnerabilities during the development phase, preventing them from reaching production.

Correct Option:

C. Static analysis –
Static analysis tools scan source code, bytecode, or binaries for patterns of known vulnerabilities, including hardcoded credentials (e.g., password= in clear text), SQL injection flaws, buffer overflows, etc. It is performed early in the SDLC, allowing developers to fix issues before code is compiled or deployed.

Incorrect Options:

A. Vulnerability scan –
Vulnerability scanning typically targets running systems (network or web apps) for missing patches and misconfigurations. It may detect hardcoded credentials in production but is not a development-phase prevention method.

B. Penetration test –
Penetration testing is a human-led, dynamic attack simulation. It is costly, time-consuming, and performed later in the lifecycle, not as a routine code-level prevention tool.

D. Quality assurance (QA) –
QA focuses on functional and performance testing (e.g., unit tests, integration tests). While QA might catch some issues, it is not specifically designed to find hardcoded credentials.

Reference:
CompTIA SY0-701 Objective 4.3 – Explain testing techniques. Static analysis (SAST) identifies hardcoded secrets and code-level vulnerabilities during development. (See also NIST SP 800-218, Secure Software Development Framework, Practice PW.4 – Scan Code.)
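A minimal static-analysis check of the kind described above, as an added example that is not part of the original page: it scans source text without executing it, flags `Password=` values in connection strings and string literals assigned to secret-named variables, ignores runtime placeholders, and reports secrets redacted. The two source snippets are constructed (the "before" with hardcoded credentials and the "after" reading the password from an environment variable); the rule names are my own.

```python
import re
from typing import Dict, List

# Rule 1: key=value pairs inside connection strings, e.g. ";Password=Sup3rS3cret!;"
CONN_STRING_SECRET = re.compile(r"(?i)\b(password|pwd)=([^;\"'\s]+)")
# Rule 2: a secret-named variable assigned a non-trivial string literal
SECRET_LITERAL = re.compile(
    r"(?i)\w*(password|passwd|secret|api_key|token)\w*\s*=\s*[\"']([^\"']{4,})[\"']"
)
# Values injected at runtime ({var}, $VAR, %VAR%, <placeholder>) are not real secrets
PLACEHOLDER_PREFIXES = ("{", "$", "%", "<")


def redact(value: str) -> str:
    """Never echo the secret itself into a scan report."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def scan_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per line that appears to contain a hardcoded credential."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = CONN_STRING_SECRET.search(line)
        if m and not m.group(2).startswith(PLACEHOLDER_PREFIXES):
            findings.append({"line": lineno, "rule": "connection-string-password",
                             "value": redact(m.group(2))})
            continue
        m = SECRET_LITERAL.search(line)
        if m and not m.group(2).startswith(PLACEHOLDER_PREFIXES):
            findings.append({"line": lineno, "rule": "hardcoded-secret-literal",
                             "value": redact(m.group(2))})
    return findings


# Constructed sample: the flaw the forensics team found (credentials in the connection string)
VULNERABLE_SOURCE = """\
import pyodbc
CONN_STR = "Driver={ODBC Driver 18 for SQL Server};Server=db01;Database=orders;User Id=app;Password=Sup3rS3cret!;"
db_password = "hunter2-prod"
def connect():
    return pyodbc.connect(CONN_STR)
"""

# Constructed sample: the fix, with the password supplied at runtime from the environment
HARDENED_SOURCE = """\
import os
import pyodbc
CONN_STR = ("Driver={ODBC Driver 18 for SQL Server};Server=db01;Database=orders;"
            f"User Id=app;Password={os.environ['DB_PASSWORD']};")
def connect():
    return pyodbc.connect(CONN_STR)
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SOURCE), ("hardened", HARDENED_SOURCE)):
        print(name, scan_source(src))
```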

Executives at a company are concerned about employees accessing systems and information about sensitive company projects unrelated to the employees' normal job duties. Which of the following enterprise security capabilities will the security team most likely deploy to detect that activity?

A. UBA

B. EDR

C. NAC

D. DLP

A.   UBA

Explanation:
The scenario describes a concern about insider threat—specifically, employees accessing systems and information they should not be accessing, based on their job roles. The key requirement is to detect this unusual and potentially malicious activity.

A. UBA (User Behavior Analytics) (Correct):
UBA (often part of a broader UEBA - User and Entity Behavior Analytics) is specifically designed for this purpose. It uses machine learning and analytics to establish a baseline of normal behavior for each user. It can then detect anomalies and deviations from this baseline, such as:

Accessing systems or data the user normally doesn't access (a potential indicator of privilege misuse).

Accessing data at unusual times.

Downloading large volumes of sensitive information.

This makes UBA the best tool for detecting the type of activity the executives are concerned about.

Why the other options are incorrect:

B. EDR (Endpoint Detection and Response) (Incorrect):
EDR tools are fantastic for detecting and investigating malicious activity on endpoints (e.g., laptops, servers), such as malware execution, ransomware attacks, and exploitation. While it might eventually catch an insider exfiltrating data, its primary focus is on threat-based activity, not on profiling normal user behavior to detect policy violations like accessing unauthorized projects.

C. NAC (Network Access Control) (Incorrect):
NAC is a preventive control. It governs which devices are allowed to connect to a network and what level of access they have based on their compliance with security policies. It is not designed to detect what users do after they have been granted access to the network and systems. Its role is to enforce access policies at the point of connection.

D. DLP (Data Loss Prevention) (Incorrect):
DLP is primarily focused on preventing the exfiltration of sensitive data. It would alert if an employee tried to email, upload, or print sensitive project information. However, it is not primarily designed to detect the initial access or viewing of sensitive information within authorized systems, which is the core concern in this scenario. UBA would detect the unauthorized access, and DLP would then prevent the data from leaving.

Reference:
This question falls under Domain 4.0: Security Operations, specifically covering security monitoring and the tools used for advanced threat detection, including insider threats. UBA/UEBA is a critical capability for identifying anomalous user behavior that other security tools might miss.

An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift cards. Which of the following techniques is the attacker using?

A. Smishing

B. Disinformation

C. Impersonating

D. Whaling

C.   Impersonating

Explanation:
The attacker is using the technique of impersonation. Impersonation is a social engineering tactic where an attacker pretends to be someone else, typically a figure of authority or trust, to manipulate a victim into performing an action or divulging information.
In this case, the attacker is specifically impersonating the CEO, a high-level authority figure, to add urgency and legitimacy to the fraudulent request (buying gift cards).
The channel used is a voice call, which is a common method for this type of impersonation attack.

Why the Other Options Are Incorrect:
A. Smishing:
This is a specific form of phishing conducted via SMS (text messages). Since the attack in the question is carried out via a phone call, not a text message, this term is incorrect.

B. Disinformation:
This is the broader practice of spreading false or misleading information. While the attacker is certainly using disinformation (the lie that they are the CEO), this term is too vague. "Impersonation" is the specific technique being used to deliver that disinformation.

D. Whaling:
This is a type of phishing attack that specifically targets high-profile individuals like CEOs and CFOs. The key differentiator is the target. In a whaling attack, the CEO would be the victim. In this scenario, the attacker is pretending to be the CEO, and the employee is the target. Therefore, this is an impersonation attack, not a whaling attack.

Reference:
This aligns with the CompTIA Security+ (SY0-701) Exam Objectives, specifically under:
1.1 Compare and contrast common social engineering techniques.
The objectives list and define techniques such as Phishing (vishing, smishing), Impersonation, and other social engineering attacks.

Key Distinction:
Impersonation: Pretending to be someone else (e.g., "Hi, this is the CEO").
Whaling: Phishing that targets a "big fish" or whale (e.g., sending a deceptive email to the CEO to trick them into wiring money).

After completing an annual external penetration test, a company receives the following guidance:

Decommission two unused web servers currently exposed to the internet.
Close 18 open and unused ports found on their existing production web servers.
Remove company email addresses and contact info from public domain registration records.

Which of the following does this represent?

A. Attack surface reduction

B. Vulnerability assessment

C. Tabletop exercise

D. Business impact analysis

A.   Attack surface reduction

Explanation:

A. Attack surface reduction (Correct):
The guidance provided directly reduces the number of ways an attacker can potentially target the organization. Each action minimizes a different vector of attack:

Decommissioning unused web servers removes entire systems that could be discovered and exploited.

Closing unused ports reduces the number of entry points on existing systems that an attacker could probe or use.

Removing contact info from domain records is a form of operational security (OPSEC) that helps protect against social engineering and phishing attacks by making it harder for threat actors to identify and target specific individuals.

Collectively, these actions are classic examples of proactively shrinking the organization's attack surface.

B. Vulnerability assessment (Incorrect):
A vulnerability assessment is the process of identifying and classifying security weaknesses (e.g., finding the unused servers and open ports). The guidance in the question is the set of remediation actions taken after such an assessment has been completed. It is the "what to do" based on the assessment's findings.

C. Tabletop exercise (Incorrect):
A tabletop exercise is a discussion-based meeting where key personnel walk through simulated emergency scenarios to test an incident response plan. It is focused on preparedness and response, not on implementing technical security controls based on penetration test results.

D. Business impact analysis (Incorrect):
A Business Impact Analysis (BIA) is a process that identifies and evaluates the potential effects of an interruption to critical business operations. It's used to prioritize recovery efforts and inform disaster recovery planning. It is a business continuity activity, not a technical remediation step following a penetration test.

Reference:
This question falls under Domain 2.0: Threats, Vulnerabilities, and Mitigations. It specifically addresses the concept of attack surface analysis and reduction, which involves identifying and minimizing the ways a system can be exploited.

The Chief Information Security Officer (CISO) has determined the company is noncompliant with local data privacy regulations. The CISO needs to justify the budget request for more resources. Which of the following should the CISO present to the board as the direct consequence of non-compliance?

A. Fines

B. Reputational damage

C. Sanctions

D. Contractual implications

A.   Fines

Explanation:
When justifying a budget request for non-compliance with data privacy regulations (e.g., GDPR, CCPA, HIPAA), the most direct and quantifiable consequence is fines (administrative penalties). Regulators impose monetary fines based on severity and duration of non-compliance. Fines are a concrete, measurable risk that boards understand for budget justification.

Correct Option:

A. Fines –
Data privacy laws carry specific financial penalties (e.g., GDPR up to €20 million or 4% of global annual revenue). Fines are a direct, legal consequence of non-compliance, unlike reputational damage which is indirect. Boards respond to quantifiable financial risks, making fines the most compelling justification for additional resources.

Incorrect Options:

B. Reputational damage –
Reputational damage is a consequence, but it is indirect, difficult to quantify, and may not occur immediately. It is less direct than fines for justifying a budget in this context.

C. Sanctions –
Sanctions typically refer to trade restrictions against countries or entities, not data privacy violations. Privacy non-compliance leads to fines, not sanctions.

D. Contractual implications –
While non-compliance may breach contracts with partners (e.g., requiring data protection), this is less direct than regulatory fines. Fines are imposed by law regardless of contracts.

Reference:
CompTIA SY0-701 Objective 5.1 – Explain compliance consequences. Direct financial penalties (fines) are consequences of non-compliance with data privacy regulations. (See also GDPR Article 83 – General Conditions for Imposing Administrative Fines.)

A company's end users are reporting that they are unable to reach external websites. After reviewing the performance data for the DNS servers, the analyst discovers that the CPU, disk, and memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of DNS queries sent to this server. Which of the following best describes what the security analyst is seeing?

A. Concurrent session usage

B. Secure DNS cryptographic downgrade

C. On-path resource consumption

D. Reflected denial of service

D.    Reflected denial of service

Explanation:
A reflected denial-of-service (DoS) attack involves an attacker sending spoofed requests to a third-party server (in this case, a DNS server), which then responds to the victim's IP address. The victim's system (here, the company's DNS server) is flooded with unsolicited responses, overwhelming its network interface.

Why it fits the scenario:

Minimal CPU, disk, and memory usage:
The server's resources are not strained because it is not processing complex queries; it is simply receiving a massive volume of inbound traffic.

Flooded network interface with inbound traffic:
This indicates a network-level flood, typical of reflected attacks where responses are sent to the victim.

Only a small number of DNS queries sent:
The attacker is spoofing the source IP address (the company's DNS server) when sending queries to other DNS servers, which then "reflect" responses back to the victim.

The other options do not align with the symptoms:

A. Concurrent session usage:
This would typically strain CPU and memory resources (e.g., from handling many connections), not just the network interface.

B. Secure DNS cryptographic downgrade:
This refers to attacks forcing DNS to use weaker encryption (e.g., DoT/DoH to plaintext), but it would not cause a network flood.

C. On-path resource consumption:
This involves an attacker intercepting and consuming resources (e.g., MITM attacks), but it would not explain the unsolicited inbound traffic flood.

Reference:
This question falls under Exam Objective 4.2: Explain the purpose of mitigation techniques used to secure the enterprise. Reflected DoS attacks (including DNS amplification) are a common threat, and CompTIA emphasizes understanding their mechanisms and impact on network resources.

Which of the following best explains how tokenization helps protect sensitive data?

A. It permanently deletes sensitive information from production systems.

B. It replaces the original data with reference values that do not hold exploitable meaning.

C. It stores sensitive data across multiple cloud environments to prevent data loss.

D. It conceals data by converting it into unreadable ciphertext using symmetric encryption.

B.   It replaces the original data with reference values that do not hold exploitable meaning.

Explanation:
Tokenization replaces sensitive data (e.g., credit card number, SSN) with a non-sensitive token (a randomly generated reference value). The original data is stored securely in a token vault. The token itself has no exploitable value, reducing risk and compliance scope (e.g., PCI DSS) because systems handling tokens do not contain real sensitive data.

Correct Option:

B. It replaces the original data with reference values that do not hold exploitable meaning –
Tokens are meaningless references that map to the original data only through a tokenization system. If a database of tokens is stolen, attackers gain nothing useful. This allows merchants to process transactions without storing actual PANs, reducing breach impact.

Incorrect Options:

A. It permanently deletes sensitive information –
Tokenization does not delete data; it stores the original in a secure vault. Deletion is data destruction, not tokenization.

C. It stores data across multiple cloud environments –
That describes redundancy or multi-cloud, not tokenization.

D. It converts data into ciphertext using symmetric encryption –
That describes encryption, not tokenization. Encryption is reversible with a key; tokens require a separate vault lookup.

Reference:
CompTIA SY0-701 Objective 2.1 – Explain data protection. Tokenization replaces sensitive data with non-sensitive placeholders. (See also NIST SP 800-188, De-Identification, and PCI Tokenization Guidelines.)


CompTIA Security+ Exam 2026 Practice Questions

CompTIA Security+ SY0-701 Official Exam Blueprints and Our Practice Questions

Domain | Official Exam Weight | Our Practice Questions

General Security Concepts | 12% | 336
Subtopics covered: CIA triad, Security controls, Authentication methods, Authorization models, Non-repudiation, Zero trust, Physical security, Encryption basics, Hashing, Digital signatures, Certificates, PKI, Identity management, AAA, Password policies, Multifactor authentication (MFA), Biometrics, Access control models, Least privilege, Segmentation, Data classification, Governance concepts, Asset management

Threats, Vulnerabilities, and Mitigations | 22% | 121
Subtopics covered: Malware, Ransomware, Phishing, Social engineering, Password attacks, Brute force attacks, Privilege escalation, Spoofing, DDoS attacks, Man-in-the-middle attacks, Injection attacks, Wireless attacks, Application vulnerabilities, Cloud vulnerabilities, Insider threats, Zero-day vulnerabilities, Threat actors, Indicators of compromise, Vulnerability scanning, Penetration testing, Patch management, Threat intelligence, Attack vectors, Exploit techniques

Security Architecture | 18% | 105
Subtopics covered: Secure network architecture, Cloud security, Virtualization, Containerization, Network segmentation, Firewalls, Proxies, VPNs, IDS/IPS, Secure protocols, Wireless security, Endpoint security, IoT security, Embedded systems, Secure application architecture, High availability, Redundancy, Disaster recovery architecture, Load balancing, Secure baseline configurations, Data protection, Storage security

Security Operations | 28% | 186
Subtopics covered: Incident response, Digital forensics, SIEM, Log analysis, Monitoring, Detection techniques, Alerting, Malware analysis, Containment strategies, Recovery procedures, Backup strategies, Disaster recovery, Business continuity, Security auditing, Account management, Access reviews, Permission auditing, Vulnerability remediation, Patch management, Change control, Automation, Scripting, Data loss prevention, Endpoint monitoring

Security Program Management and Oversight | 20% | 113
Subtopics covered: Risk management, Privacy regulations, Compliance frameworks, Governance, Policies, Standards, Procedures, Security awareness training, Third-party risk management, Vendor management, Business impact analysis, Audits, Legal considerations, Ethics, Security frameworks, Risk assessments, Quantitative risk analysis, Qualitative risk analysis, Data privacy, Incident communication, Metrics and reporting, Security documentation

Your Path to Security+ SY0-701 Certification Success

Earning your CompTIA Security+ SY0-701 certification validates your core cybersecurity skills and opens doors to rewarding IT security careers. Our high-quality practice tests are designed to help you master the latest exam objectives and pass on your first attempt.

Exam Code: SY0-701
Exam Name: CompTIA Security+ Exam
Certification Name: Security+
Certification Provider: CompTIA
Exam Questions: 90
Type of Questions: MCQs
Exam Time: 90 minutes
Passing Score: 750

What's New in Security+ SY0-701?

Expanded cloud security coverage (AWS, Azure, SaaS security)
Greater emphasis on zero trust architecture
Updated cryptography standards (post-quantum crypto, blockchain)
Enhanced focus on automation/SOC workflows
New social engineering attack techniques

Why Choose Our Security+ SY0-701 Practice Tests?

✔ 100% aligned with latest CompTIA objectives
✔ Performance-based questions (PBQs) like the real exam
✔ Detailed explanations for every answer
✔ Mobile-friendly interface for on-the-go studying
✔ Progress tracking to identify weak areas

Who Should Take Security+ SY0-701?

This certification is ideal for:

Aspiring cybersecurity professionals
IT administrators moving into security roles
Military personnel pursuing DoD 8570 compliance
College students building IT credentials

Join 8,000+ Students Who Aced Their Exam with PrepTIA!

I was overwhelmed by the SY0-701 exam topics until I found these practice questions. The scenarios on cloud security and threat detection were spot-on—just like the real exam! After drilling 50 questions daily, I passed with an 832/900. The detailed explanations saved me hours of guesswork.
Jake R., Cybersecurity Analyst

Security+ is the gold standard for entry-level cybersecurity, and I was nervous about the updated SY0-701 objectives. Preptia Security+ practice tests were a game-changer. The questions mirrored the real exam's focus on threats, vulnerabilities, and security architecture perfectly. I passed on my first try and now have the foundation to advance my career.
Michael Thompson, IT Security Specialist | Austin, TX

Preparing for CompTIA Security+ (SY0-701) became far more effective with Preptia.com practice questions. The questions covered threat management, cryptography, and risk mitigation in a very practical way. The exam simulations closely reflected the real test environment, which made exam day much less stressful.
Brandon Miller | United States