SY0-701 CompTIA Security+ Exam 2026 Free Practice Exam Questions (2026 Updated)

A Virtual Private Network (VPN) is the best solution to allow remote employees secure access to company resources without interception concerns. A VPN establishes an encrypted tunnel over the internet, ensuring that data transferred between remote employees and the company is secure from eavesdropping.

Proxy server helps with web content filtering and anonymization but does not provide encrypted access.

NGFW (Next-Generation Firewall) enhances security but is not the primary tool for enabling remote access.

Security zone is a network segmentation technique but does not provide remote access capabilities​​​.

When the government bans a vendor, the legal concern is sanctions—laws that restrict purchasing, using, or importing products from certain companies or countries. The general counsel’s job is to ensure the organization is not violating federal restrictions, export controls, trade compliance laws, or sanctions lists such as OFAC or government procurement bans.

Security+ SY0-701 notes that legal and regulatory compliance is a critical part of risk management, especially when handling prohibited vendors or technologies. Continued use of banned devices could expose the organization to legal penalties, fines, or federal investigation.

Data sovereignty (B) refers to data storage location laws, not hardware bans. Cost of replacement (C) is an operational concern, not a legal one. Loss of license (D) typically applies to software, not network hardware.

Therefore, the general counsel’s primary concern is A: Sanctions.

Applying the latest OS updates, patches, and endpoint definitions is the most effective way to prevent known exploits, which are attacks leveraging previously discovered vulnerabilities for which fixes are available.

The correct answer is Acquisition process because supply chain compromise risks originate before systems ever enter the organization’s environment. Within the Security+ SY0-701 objectives, supply chain risk management is a core element of security governance and third-party risk oversight. Reviewing the acquisition process allows an organization to evaluate how vendors are selected, how hardware integrity is validated, and what security assurances are required before purchase and delivery.

The acquisition process includes vendor due diligence, contract requirements, sourcing controls, and verification steps that ensure hardware has not been tampered with, preloaded with malicious firmware, or altered during manufacturing or transit. The SY0-701 study guide emphasizes that organizations must assess supplier trustworthiness, require secure delivery practices, and define security expectations in contracts to reduce the risk of compromised components entering the environment. If the acquisition process is weak, downstream controls become reactive rather than preventive.

Option A, sanitization procedure, applies to data destruction and system disposal, not newly acquired servers. Option C, change management, governs how modifications are introduced into existing systems and does not address risks introduced during procurement. Option D, asset tracking, helps maintain inventory visibility once assets are received but does not prevent compromised hardware from being introduced in the first place.

By reviewing and strengthening the acquisition process first, the company can implement preventive controls such as approved vendor lists, chain-of-custody requirements, hardware integrity checks, and acceptance testing. These measures align with SY0-701 principles of reducing risk at the earliest possible stage and enforcing accountability across third-party relationships.

In summary, supply chain compromise is best mitigated by addressing risks at procurement. The acquisition process is the foundational control point where organizations can limit exposure before servers are deployed into production environments.

Comprehensive and Detailed In-Depth Explanation:

Theright to be forgotten, as outlined in regulations such as theGeneral Data Protection Regulation (GDPR), requires organizations topermanently delete an individual ' s personal dataupon request, unless there is a legal or contractual obligation to retain it.

Purging personally identifiable attributes (A)removes some identifying data but does not fully satisfy the request.

Encrypting the data (B)does not remove it, and the data is still accessible with the decryption key.

Obfuscating data (D)makes data unreadable but does not permanently remove it.

To comply withthe right to be forgotten, organizations mustremove all of the person ' s dataunless an exception applies.

If cadets are using company phone numbers to make unsolicited calls, and the logs confirm the numbers are not being spoofed, it suggests that the SIP (Session Initiation Protocol) server ' s security settings might be weak. This could allow unauthorized access or exploitation of the company ' s telephony services, potentially leading to misuse by unauthorized individuals.

References = CompTIA Security+ SY0-701 study materials, especially on SIP security and common vulnerabilities​​.

A watering-hole attack is a type of cyberattack that targets groups of users by infecting websites that they commonly visit. The attackers exploit vulnerabilities to deliver a malicious payload to the organization’s network. The attack aims to infect users’ computers and gain access to a connected corporate network. The attackers target websites known to be popular among members of a particular organization or demographic. The attack differs from phishing and spear-phishing attacks, which typically attempt to steal data or install malware onto users’ devices1

In this scenario, the compromised industry blog is the watering hole that the attackers used to spread malware across the company’s network. The attackers likely chose this blog because they knew that the employees of the company were interested in its content and visited it frequently. The attackers may have injected malicious code into the blog or redirected the visitors to a spoofed website that hosted the malware. The malware then infected the employees’ computers and propagated to the network.

References1: Watering Hole Attacks: Stages, Examples, Risk Factors & Defense …

The most important consideration when establishing a data privacy program is defining the organization ' s role as a controller or processor. These roles, as outlined in privacy regulations such as the General Data Protection Regulation (GDPR), determine the responsibilities regarding the handling of personal data. A controller is responsible for determining the purpose and means of data processing, while a processor acts on behalf of the controller. This distinction is crucial for compliance with data privacy laws.

Reporting structure for the data privacy officer is important, but it is a secondary consideration compared to legal roles.

Request process for data subject access is essential for compliance but still depends on the organization ' s role as controller or processor.

Physical location of the company can affect jurisdiction, but the role as controller or processor has a broader and more immediate impact​​​.

Homomorphic encryption allows data to be encrypted and manipulated without needing to decrypt it first. This cryptographic technique would allow the financial institution to store customer data securely in the cloud while still permitting operations like searching andcalculations to be performed on the encrypted data. This ensures that the cloud service provider cannot decipher the sensitive data, meeting the institution’s security requirements.

References =

CompTIA Security+ SY0-701 Course Content: Domain 03 Security Architecture​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Cryptographic Techniques​.

The best answer is D. Conduct a phishing campaign.

To measure whether social engineering awareness training is effective, the best method is to run a simulated phishing campaign. This allows the organization to test employee behavior in a realistic but controlled way. The administrator can track who clicks suspicious links, opens attachments, submits credentials, or reports the email appropriately.

This is a practical and measurable way to evaluate training outcomes because it provides real performance data rather than opinions or assumptions.

Why the other options are incorrect:

A. Set up a honeypot.A honeypot is used to attract attackers or detect malicious activity, not to test employee awareness of social engineering.

B. Send out a survey.A survey may show how confident employees feel, but it does not objectively measure whether they can identify and resist real phishing attempts.

C. Set up a focus group.A focus group can gather feedback, but it is not the best method for testing actual security behavior.

From the SY0-701 perspective, user awareness training effectiveness is best measured through simulated phishing exercises and similar practical assessments.

Dynamic analysis is performed on software during execution to identify vulnerabilities based on how the software behaves in real-world scenarios. It is useful in detecting security issues that only appear when the application is running.References: CompTIA SY0-701 Course Content​.

Adding a random string of characters, known as a " salt, " to a password before hashing it is known as salting. This technique strengthens passwords by ensuring that even if two users have the same password, their hashes will be different due to the unique salt, making it much harder for attackers to crack passwords using precomputed tables.References: CompTIA Security+ SY0-701 course content and official CompTIA study resources.

A honeytoken is a form of deception technology in which a fake asset (such as credentials, files, or database records) is planted in a system or network to detect unauthorized access or malicious activity. The fake password stored in a hidden spreadsheet, with monitoring for access, is a classic example of a honeytoken. It is not an interactive system (like a honeypot or honeynet) but rather a marker or tripwire intended to alert the security team to suspicious behavior. This method helps identify attackers and their methods early in the intrusion process.

To identify the exactcommand or input usedduring a SQL injection attack, theapplication log (B)is the most relevant. It records inputs, errors, and processing activities within the application layer.

UnderDomain 2.1, CompTIA emphasizes reviewingapplication logsto detect indicators of malicious activity, includingweb application attackslike SQL injection.

Open service ports directly contribute to an organization’s attack surface because they provide potential entry points that attackers can probe, exploit, or abuse. In the context of the Security+ SY0-701 objectives, the attack surface is defined as the sum of all possible points where an attacker can attempt to enter or extract data from a system. Each open port corresponds to a service or application that is listening for incoming connections, and if that service is unnecessary, misconfigured, unpatched, or weakly protected, it becomes a viable attack vector.

Option D is correct because open ports may expose services that do not need to be accessible, especially if proper access controls, firewall rules, or network segmentation are not in place. For example, leaving management interfaces, legacy services, or test services open can allow attackers to perform reconnaissance, banner grabbing, credential attacks, or exploitation of known vulnerabilities. The SY0-701 study guide emphasizes the principle of minimizing attack surface by disabling unused services, closing unnecessary ports, and applying the principle of least functionality.

Option A is incorrect because endpoint antivirus tools are not responsible for identifying or managing open network ports at an architectural level. Option B is partially true but incomplete; while open ports can allow remote access, not all open ports are remote entry points, and the question asks for the best explanation of how attack surface increases. Option C is incorrect because open ports do not inherently enable updates and, in fact, often increase risk rather than reduce it.

In summary, open service ports increase attack surface by exposing services that attackers can target. Proper port management, firewall enforcement, and regular vulnerability scanning are critical controls emphasized in Security+ SY0-701 to reduce exposure and limit unauthorized access.

A legacy server is a server that is running outdated or unsupported software or hardware, which may pose security risks and compatibility issues. A critical business application is an application that is essential for the operation and continuity of the business, such as accounting, payroll, or inventory management. A legacy server running a critical business application may be difficult to replace or upgrade, but it should not be left unsecured or exposed to potential threats.

One of the best ways to handle a legacy server running a critical business application is to harden it. Hardening is the process of applying security measures and configurations to a system to reduce its attack surface and vulnerability. Hardening a legacy server may involve steps such as:

Applying patches and updates to the operating system and the application, if available

Removing or disabling unnecessary services, features, or accounts

Configuring firewall rules and network access control lists to restrict inbound and outbound traffic

Enabling encryption and authentication for data transmission and storage

Implementing logging and monitoring tools to detect and respond to anomalous or malicious activity

Performing regular backups and testing of the system and the application

Hardening a legacy server can help protect the critical business application from unauthorized access, modification, or disruption, while maintaining its functionality and availability. However, hardening a legacy server is not a permanent solution, and it may not be sufficient to address all the security issues and challenges posed by the outdated or unsupported system. Therefore, it is advisable to plan for the eventual decommissioning or migration of the legacy server to a more secure and modern platform, as soon as possible.

Group policies can inadvertently introduce misconfigurations, such as enabling insecure settings or failing to disable legacy protocols, increasing vulnerabilities.

Zero-day (B) are previously unknown vulnerabilities, malicious updates (C) are attacker-controlled, and supply chain (D) risks come from third-party components.

Misconfiguration vulnerabilities are commonly introduced during changes and are emphasized in Security Operations【6:Chapter 14†CompTIA Security+ Study Guide】.

In this scenario, employees are attempting to navigate to spoofed websites, which is being blocked by the web filter. To address this issue, the administrator should implement security awareness training. Training helps employees recognize phishing and other social engineering attacks, reducing the likelihood that they will attempt to access malicious websites in the future.

Deploying multifactor authentication (MFA) would strengthen authentication but does not directly address user behavior related to phishing websites.

Decreasing the level of the web filter would expose the organization to more threats.

Updating the acceptable use policy may clarify guidelines but is not as effective as hands-on training for improving user behavior​​​.

The best answer is A. To ensure data is securely destroyed when no longer needed .

During asset decommissioning , organizations must manage stored data according to data retention policies . These policies specify how long information must be kept and when it should be securely destroyed after it is no longer required for business, legal, or regulatory purposes.

This is important because it helps:

reduce the risk of data exposure

prevent recovery of sensitive information from retired devices

support legal and regulatory compliance

limit unnecessary data retention and liability

Why the other options are incorrect:

B. To make backup copies of all company data before disposing of hardware Not all data should be retained or backed up indefinitely. Retention policies define what should be kept and what should be destroyed.

C. To allow employees to access old files even after the hardware is recycled This is not the main purpose of retention policies during decommissioning.

D. To keep all customer data available in case it is required in the future Keeping all data forever increases liability and is not proper retention practice.

From a Security+ standpoint, retention policies guide when data should be securely sanitized or destroyed , making A the correct answer.

A Security Information and Event Management (SIEM) solution collects, aggregates, and correlates logs from multiple sources to detect anomalies and generate alerts. SIEMs are essential for security monitoring and incident detection.References: Security+ SY0-701 Course Content​, Security+ SY0-601 Book​.

A logic bomb is a malicious code segment hidden inside legitimate software that triggers under specific conditions (dates, system states, user actions). Because logic bombs require direct access to source code or the development environment, the most likely attacker is a trusted insider—especially a disgruntled developer or administrator with the ability to modify internal applications.

Security+ SY0-701 emphasizes that insider threats have:

Elevated access

Knowledge of internal systems

Ability to manipulate production code

Motivation driven by revenge, termination, or personal grievances

These factors make insiders uniquely capable of embedding logic bombs into internally-developed applications.

Nation-state actors (A) typically target critical infrastructure or advanced espionage, not internal business apps. Organized crime groups (C) seek financial gain and generally do not have internal code access. Hacktivists (D) focus on ideological disruption, typically through external attacks, not internal code manipulation.

Thus, the threat actor most likely to plant a logic bomb in internal software is B: Trusted insider.

The best answer is A. Zero-day.

A zero-day vulnerability is a newly discovered vulnerability for which no patch or official fix is yet available. Because defenders have had zero days to fully remediate it, attackers may be able to exploit it before a vendor releases a patch.

The question specifically states that the vulnerability is new and does not have an available patch, which is the defining clue.

Why the other options are incorrect:

B. XSSCross-site scripting is a specific web application attack type, not a description of whether a patch exists.

C. SQLiSQL injection is also a specific attack type, not the broader vulnerability status being asked about.

D. Buffer overflowBuffer overflow is a type of coding flaw, but again it does not specifically describe the condition of having no patch available.

From a Security+ perspective, when a vulnerability is newly identified and lacks a vendor fix, it is best described as a zero-day.

The best answer is C. WAF.

XSS (Cross-Site Scripting) is a web application attack that injects malicious scripts into web content. A WAF (Web Application Firewall) is specifically designed to inspect, filter, and block malicious HTTP and HTTPS traffic targeting web applications. It can help detect and prevent common attacks such as XSS, SQL injection, and other application-layer threats.

Why the other options are incorrect:

A. NGFWA next-generation firewall provides advanced network security features, but it is not as specifically focused on web application attacks as a WAF.

B. UTMUnified Threat Management combines multiple security features in one platform, but it is not the best answer for preventing a web application attack like XSS.

D. NACNetwork Access Control focuses on controlling which devices can connect to the network. It does not directly prevent XSS.

From the SY0-701 perspective, attacks against web applications are best mitigated by controls specifically designed for application-layer inspection, making WAF the correct answer.

Detailed Explanation:Load balancing improves application availability by distributing traffic across multiple servers. If one server fails, traffic is automatically routed to other available servers with minimal intervention. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 3: Security Architecture, Section: " High Availability Solutions " ​​.

A bastion host is a hardened system placed at a network boundary to absorb attacks and limit exposure. When deployed to mitigate risks from zero-day vulnerabilities, it acts as a compensating control. CompTIA Security+ SY0-701 defines compensating controls as alternative safeguards used when primary controls are insufficient or unavailable—such as when no patch exists for a zero-day.

Detective controls (B) identify issues but do not reduce exposure. Operational controls (C) refer to procedural or human-driven processes. Physical controls (D) secure physical environments (e.g., locks, cameras).

Because a bastion host compensates for the lack of a patch, the correct answer is A: Compensating.