SY0-701 CompTIA Security+ Exam 2026 Free Practice Exam Questions (2026 Updated)

The chmod command is used to change file permissions on Unix and Linux systems. If the /etc/shadow file has permissions beyond the baseline recommendation, the systems administrator should use chmod to modify the file ' s permissions, ensuring it adheres to the security baseline and limits access to authorized users only.

References = CompTIA Security+ SY0-701 study materials, focusing on system hardening and file permissions management​​.

The best answer is A. 2.

ARO (Annualized Rate of Occurrence) measures how many times an incident is expected to occur per year.

The company expects:

10 incidents

over 5 years

So the calculation is:

ARO = 10 / 5 = 2

This means the expected annual rate of occurrence is 2 incidents per year.

Why the other options are incorrect:

B. 5This would not represent the yearly average based on the numbers given.

C. 10This is the total number of incidents over five years, not the annualized value.

D. 50This is not supported by the information in the question.

From a Security+ risk calculation standpoint, when a total event count is spread across multiple years, the ARO is found by dividing the total incidents by the number of years. Therefore, A is correct.

The Online Certificate Status Protocol (OCSP) is a technology designed to check the revocation status of digital certificates in real-time without requiring the client to download entire revocation lists. Unlike Certificate Revocation Lists (CRLs), which are periodically updated and can be large, OCSP queries an OCSP responder to receive the status of a specific certificate.

OCSP is considered passive verification because it allows clients to check a certificate ' s current validity status on-demand without maintaining local copies of revocation data. The OCSP responder returns whether the certificate is valid, revoked, or expired.

Trusted Platform Module (TPM) is hardware for secure key storage, and Certificate Signing Request (CSR) is a request for certificate issuance; neither is used for verifying certificate expiration status.

The differences and roles of OCSP and CRLs are thoroughly covered in the Cryptography and PKI chapter of the SY0-701, where OCSP is highlighted as the more efficient and real-time method to verify certificate status passively【6:Chapter 7†CompTIA Security+ Study Guide】.

This is a classic example of Business Email Compromise (BEC), where attackers spoof or compromise trusted email accounts to trick employees into performing unauthorized financial transactions.

Vishing (B) is voice phishing, spear phishing (C) targets individuals with customized messages, and impersonation (D) is a general term for identity deception but BEC specifically describes financial fraud via email.

BEC is a major threat covered in the Threats domain of SY0-701【6:Chapter 2†CompTIA Security+ Study Guide】

The first step in creating an anomaly detection process is building a baseline of normal behavior within the system. This baseline serves as a reference point to identify deviations or anomalies that could indicate a security incident. By understanding what normal activity looks like, security teams can more effectively detect and respond to suspicious behavior.

References =

CompTIA Security+ SY0-701 Course Content: Domain 04 Security Operations​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Monitoring and Baselines​.

To identify authentication weaknesses in a customer-facing web application, the best method is dynamic analysis, also known as Dynamic Application Security Testing (DAST). Dynamic analysis evaluates an application while it is running, allowing testers to observe real-world interactions, session handling, login mechanisms, credential validation, access control failures, and runtime vulnerabilities such as brute-force weaknesses or authentication bypass conditions.

Security+ SY0-701 outlines DAST as the preferred approach for testing live web applications because it uncovers:

Weak session management

Broken authentication flows

Input validation failures

Misconfigurations in login portals

Runtime vulnerabilities that static code review cannot detect

Static analysis (A) only analyzes source code and may overlook logic flaws in authentication. Packet capture (B) inspects network traffic but cannot evaluate internal authentication logic. Agent-based scanning (C) is used for hosts, not web applications. Network-based scanning (E) finds port-level vulnerabilities but cannot assess application authentication mechanisms.

Therefore, dynamic analysis (D) is the most effective and accurate technique for discovering authentication weaknesses in live web applications.

A change management procedure is a set of steps and guidelines that a security administrator should adhere to when setting up a new set of firewall rules. A firewall is a device or software that can filter, block, or allow network traffic based on predefined rules or policies. A firewall rule is a statement that defines the criteria and action for a firewall to apply to a packet or a connection. For example, a firewall rule can allow or deny traffic based on the source and destination IP addresses, ports, protocols, or applications. Setting up a new set of firewall rules is a type of change that can affect the security, performance, and functionality of the network. Therefore, a change management procedure is necessary to ensure that the change is planned, tested, approved, implemented, documented, and reviewed in a controlled and consistent manner. A change management procedure typically includes the following elements:

A change request that describes the purpose, scope, impact, and benefits of the change, as well as the roles and responsibilities of the change owner, implementer, and approver.

A change assessment that evaluates the feasibility, risks, costs, and dependencies of the change, as well as the alternatives and contingency plans.

A change approval that authorizes the change to proceed to the implementation stage, based on the criteria and thresholds defined by the change policy.

A change implementation that executes the change according to the plan and schedule, and verifies the results and outcomes of the change.

A change documentation that records the details and status of the change, as well as the lessons learned and best practices.

A change review that monitors and measures the performance and effectiveness of the change, and identifies any issues or gaps that need to be addressed or improved.

A change management procedure is important for a security administrator to adhere to when setting up a new set of firewall rules, as it can help to achieve the following objectives:

Enhance the security posture and compliance of the network by ensuring that the firewall rules are aligned with the security policies and standards, and that they do not introduce any vulnerabilities or conflicts.

Minimize the disruption and downtime of the network by ensuring that the firewall rules are tested and validated before deployment, and that they do not affect the availability or functionality of the network services or applications.

Improve the efficiency and quality of the network by ensuring that the firewall rules are optimized and updated according to the changing needs and demands of the network users and stakeholders, and that they do not cause any performance or compatibility issues.

Increase the accountability and transparency of the network by ensuring that the firewall rules are documented and reviewed regularly, and that they are traceable and auditable by the relevant authorities and parties.

The other options are not correct because they are not related to the process of setting up a new set of firewall rules. A disaster recovery plan is a set of policies and procedures that aim to restore the normal operations of an organization in the event of a system failure, natural disaster, or other emergency. An incident response procedure is a set of steps and guidelines that aim to contain, analyze, eradicate, and recover from a security incident, such as a cyberattack, data breach, or malware infection. A business continuity plan is a set of strategies and actions that aim to maintain the essential functions and operations of an organization during and after a disruptive event, such as a pandemic, power outage, or civil unrest. References = CompTIA Security+ Study Guide (SY0-701), Chapter 7: Resilience and Recovery, page 325. Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 1.3: Security Operations, video: Change Management (5:45).

The most appropriate method is to use aGroup Policy Object (GPO) with time-of-day restrictions (A). This is a native capability in Windows environments that allows administrators to controlwhen users are allowed to log into domain-joined systems.

This aligns withDomain 3.1: Given a scenario, apply identity and access management (IAM) concepts, especially under“Access controls (e.g., time-based restrictions, GPOs, least privilege).”

Risk tolerance is the correct answer because the organization is defining an acceptable threshold for deployment. The system is allowed onto the network only after Category 1 vulnerabilities are reduced to zero. That means the organization is not saying all risk must be eliminated; it is saying a specific level of risk is unacceptable, while deployment is permitted once the risk falls within the approved threshold. Risk avoidance would mean not deploying the system or eliminating the activity entirely. Risk transference would shift financial or operational risk to another party, such as through insurance or outsourcing. Risk reporting is communication of risk status, not the decision threshold itself. This is a classic example of risk tolerance criteria.

===============

A dashboard is a graphical user interface that provides a visual representation of key performance indicators, metrics, and trends related to security events and incidents. A dashboard can help the board of directors to understand the number and impact of incidents that affected the organization in a given period, as well as the status and effectiveness of the security controls and processes. A dashboard can also allow the board of directors to drill down into specific details or filter the data by various criteria12.

A packet capture is a method of capturing and analyzing the network traffic that passes through a device or a network segment. A packet capture can provide detailed information about the source, destination, protocol, and content of each packet, but it is not a suitable way to present a summary of incidents to the board of directors13.

A vulnerability scan is a process of identifying and assessing the weaknesses and exposures in a system or a network that could be exploited by attackers. A vulnerability scan can help the organization to prioritize and remediate the risks and improve the security posture, but it is not a relevant way to report the number of incidents that occurred in a quarter14.

Metadata is data that describes other data, such as its format, origin, structure, or context. Metadata can provide useful information about the characteristics and properties of data, but it is not a meaningful way to communicate the impact and frequency of incidents to the board of directors. References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 3722: SIEM Dashboards – SY0-601 CompTIA Security+ : 4.3, video by Professor Messer3: CompTIA Security+ SY0-701 Certification Study Guide, page 3464: CompTIA Security+ SY0-701 Certification Study Guide, page 362. : CompTIA Security+ SY0-701 Certification Study Guide, page 97.

Upgrading end-of-support operating systemsisone of the most effective ways to reduce the attack surface. Unsupported OS versionsno longer receive security patches, making them prime targets for attackers.Removing outdated softwareensures that known vulnerabilities cannot be exploited.

A (honeynet)is used for threat analysis, not reducing the attack surface.

B (Group Policy)helps enforce security policies butdoes not address outdated vulnerabilities.

C (High availability)focuses on uptime, not security risk reduction.

Detailed Explanation:Proper data sanitization ensures that sensitive data is securely erased from storage devices, preventing unauthorized access or recovery when the devices are disposed of or reused. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 5: Security Program Management, Section: " Data Sanitization and Disposal Methods " ​​.

The best answer is B. VPN.

A VPN (Virtual Private Network) is the standard solution for securely connecting two separate organizations or networks across an untrusted network, such as the internet. A site-to-site VPN provides:

secure connectivity between both companies

encrypted traffic in transit

protection of data confidentiality and integrity

a practical way to interconnect business networks

Why the other options are incorrect:

A. UTMA unified threat management device offers multiple security features, but it is not specifically the best answer for secure connectivity between two companies.

C. NACNetwork Access Control regulates which devices can connect to a network, but it does not provide intercompany network connectivity.

D. NGFWA next-generation firewall improves traffic inspection and filtering, but it is not by itself the main solution for secure network connectivity between two companies.

From the SY0-701 perspective, when secure communication between separate organizations is required, VPN is the most appropriate infrastructure solution.

Updating wire transfer processes to include verification steps (such as requiring dual approval or verifying account changes via a secondary communication method) canprevent fraudulenttransactions. Attackers often use business email compromise (BEC) or pretexting to trick employees into transferring funds to fraudulent accounts.

Standardizing security incident reportingis useful for tracking security events but does not prevent fraud in real time.

Executing regular phishing campaignsimproves awareness but does not enforce a verification process for financial transactions.

Implementing insider threat detectionfocuses on internal risks but does not specifically prevent external fraud.

Amore secure wire transfer processwith additional verification steps is the most effective measure against fraudulent transactions.

The best answer is D. Conduct a phishing campaign.

To measure whether social engineering awareness training is effective, the best method is to run a simulated phishing campaign. This allows the organization to test employee behavior in a realistic but controlled way. The administrator can track who clicks suspicious links, opens attachments, submits credentials, or reports the email appropriately.

This is a practical and measurable way to evaluate training outcomes because it provides real performance data rather than opinions or assumptions.

Why the other options are incorrect:

A. Set up a honeypot.A honeypot is used to attract attackers or detect malicious activity, not to test employee awareness of social engineering.

B. Send out a survey.A survey may show how confident employees feel, but it does not objectively measure whether they can identify and resist real phishing attempts.

C. Set up a focus group.A focus group can gather feedback, but it is not the best method for testing actual security behavior.

From the SY0-701 perspective, user awareness training effectiveness is best measured through simulated phishing exercises and similar practical assessments.

The employee notices that the links in the email do not correspond to the company ' s official URLs, indicating that this is likely a social engineering attack. Social engineering involves manipulating individuals into divulging confidential information or performing actions that may compromise security. Phishing emails, like the one described, often contain fraudulent links to trick the recipient into providing sensitive information or downloading malware.

Business email refers to business email compromise (BEC), which typically involves impersonating a high-level executive to defraud the company.

Unsecured network is unrelated to the email content.

Default credentials do not apply here, as the issue is with suspicious links, not login credentials​​.

Risk identificationis the first step in the risk management process, where potential threats and vulnerabilities are analyzed to understand their impact on an organization. This includesidentifying assets, evaluating threats, and assessing potential vulnerabilities.

Risk mitigation: Reducing risk by implementing controls.

Risk treatment: Determining how to handle identified risks.

Risk monitoring and review: Ongoing evaluation of risk controls.

 The correct answer is A because multifactor authentication (MFA) is a method of verifying a user’s identity by requiring more than one factor, such as something the user knows (e.g., password), something the user has (e.g., token), or something the user is (e.g., biometric). MFA can prevent unauthorized access even if the user’s password is compromised, as the attacker would need to provide another factor to log in. The other options are incorrect because they do not address the root cause of the attack, which is weak authentication. Permissions assignment (B) is the process of granting or denying access to resources based on the user’s role or identity. Access management © is the process of controlling who can access what and under what conditions. Password complexity (D) is the requirement of using strong passwords that are hard to guess or crack, but it does not prevent an attacker from using a stolen password. References =You can learn more about multifactor authentication and other security concepts in the following resources:

CompTIA Security+ SY0-701 Certification Study Guide, Chapter 1: General Security Concepts1

Professor Messer’s CompTIA SY0-701 Security+ Training Course, Section 1.2: Security Concepts2

Multi-factor Authentication – SY0-601 CompTIA Security+ : 2.43

TOTAL: CompTIA Security+ Cert (SY0-701) | Udemy, Section 3: Identity and Access Management, Lecture 15: Multifactor Authentication4

CompTIA Security+ Certification SY0-601: The Total Course [Video], Chapter 3: Identity and Account Management, Section 2: Enabling Multifactor Authentication5

ALE (Annualized Loss Expectancy) is the risk management metric most helpful when deciding whether the licensing cost of a ransomware prevention solution is justified. ALE calculates the expected yearly financial loss from a particular threat. It is computed as:

ALE = SLE × ARO

SLE (Single Loss Expectancy) estimates the monetary impact of one ransomware incident.

ARO (Annualized Rate of Occurrence) estimates how often the incident is expected to happen each year.

By comparing ALE to the annual licensing cost of the new security solution, the organization can make a financially informed decision based on cost-benefit analysis. If ALE exceeds the solution’s cost, the purchase is justified.

RTO (C) relates to recovery time after outages, not cost justification. SLE (B) is only part of the calculation and insufficient alone. ARO (D) shows frequency but not financial impact.

Security+ SY0-701 highlights ALE as the primary metric for evaluating security investments.

Thus, ALE is the key factor in determining whether purchasing ransomware protection is financially beneficial.

An air-gapped network is a network that is physically isolated from other networks, such as the internet, to prevent unauthorized access and data leakage. However, an air-gapped network can still be compromised by removable devices, such as USB drives, CDs, DVDs, or external hard drives, that are used to transfer data between the air-gapped network and other networks. Removable devices can carry malware, spyware, or other malicious code that can infect the air-gapped network or exfiltrate data from it. Therefore, removable devices are the most common data loss path for an air-gapped network. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 9: Network Security, page 449 1

An engineer should recommend the decommissioning of a network device when the device poses a security risk or a compliance violation to the enterprise environment. A device that cannot meet the encryption standards or receive authorized updates is vulnerable to attacks and breaches, and may expose sensitive data or compromise network integrity. Therefore, such a device should be removed from the network and replaced with a more secure and updated one.

References

CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 2, Section 2.2, page 671

CompTIA Security+ Practice Tests: Exam SY0-701, 3rd Edition, Chapter 2, Question 16, page 512

A false positive is a result that indicates a vulnerability or a problem when there is none. In this case, the vulnerability scanning report shows that the telnet service on port 23 is open and uses an insecure network protocol. However, the security analyst performs a test using nmap and a script that checks for telnet encryption support. The result shows that the telnet server supports encryption, which means that the data transmitted between the client and the server can be protected from eavesdropping. Therefore, the reported vulnerability is a false positive and does not reflect the actual security posture of the server. The security analyst should verify the encryption settings of the telnet server and client and ensure that they are configured properly3. References: 3: Telnet Protocol - Can You Encrypt Telnet?