
CompTIA Security+ Advanced Scenario Questions (351–400) with Answers & Explanations [Practice Test]

Preparing for the CompTIA Security+ certification requires more than just memorizing definitions—it demands the ability to apply concepts in real-world scenarios. In this bonus practice set (351–400), we bring you 50 advanced, exam-style Security+ scenario questions designed to strengthen your skills in:

  • Incident response & risk management
  • Zero-day exploit handling
  • Advanced cryptography & PKI
  • Network security & access control
  • Governance, risk, and compliance

Whether you are revising for SY0-601 or SY0-701, this set will boost your confidence with realistic exam-style challenges.

🔐 CompTIA Security+ Advanced Scenarios (351–400)

351. A security analyst detects unusual outbound traffic from multiple internal hosts to a foreign IP address. What is the MOST likely cause?
A) DNS poisoning
B) Botnet activity
C) ARP spoofing
D) Data backup replication

Answer: B) Botnet activity
👉 Explanation: Multiple systems communicating with an external IP often indicates a botnet command-and-control (C2) channel.


352. An organization wants to ensure employees cannot exfiltrate sensitive data using USB drives. Which control is MOST effective?
A) DLP software
B) Firewalls
C) IDS/IPS
D) Security awareness training

Answer: A) DLP software
👉 Explanation: Data Loss Prevention (DLP) can block unauthorized file transfers to external media like USBs.


353. A system admin configures multi-factor authentication (MFA) using a fingerprint and a password. This is an example of:
A) Two factors of the same type
B) Single-factor authentication
C) Multi-factor authentication
D) Triple authentication

Answer: C) Multi-factor authentication
👉 Explanation: Fingerprint = “something you are,” Password = “something you know,” which satisfies MFA.


354. A hacker intercepts a session token over an unsecured Wi-Fi network. What attack is this?
A) Session hijacking
B) Replay attack
C) Privilege escalation
D) Pass-the-hash

Answer: A) Session hijacking
👉 Explanation: The attacker takes over the session by stealing tokens transmitted in plaintext.


355. A company needs to provide contractors with temporary access to internal applications. Which authentication method is BEST?
A) Role-based access control (RBAC)
B) Attribute-based access control (ABAC)
C) Time-based access control
D) Rule-based firewall

Answer: B) Attribute-based access control (ABAC)
👉 Explanation: ABAC allows dynamic rules like time, department, and contract status for granting/revoking access.


356. Which of the following BEST mitigates risks from a zero-day vulnerability?
A) Patch management
B) Intrusion prevention system (IPS)
C) Sandboxing
D) Web application firewall (WAF)

Answer: C) Sandboxing
👉 Explanation: Zero-day exploits have no patches yet. Sandboxing can contain unknown threats until a fix is available.


357. A red team successfully bypasses the firewall but is detected by the SIEM. What type of test is this?
A) Penetration test
B) Vulnerability assessment
C) Risk analysis
D) White-box audit

Answer: A) Penetration test
👉 Explanation: A red team simulates real-world attacks to test defenses. Detection means monitoring controls worked.


358. A web server uses a self-signed SSL certificate. What risk does this pose?
A) Brute force
B) MITM attacks
C) SQL injection
D) Replay attack

Answer: B) MITM attacks
👉 Explanation: Without a trusted CA, users cannot verify authenticity, making them vulnerable to spoofing/MITM.


359. Which of the following is an example of non-repudiation?
A) Logging failed login attempts
B) Using digital signatures
C) Encrypting a file
D) Using multifactor authentication

Answer: B) Using digital signatures
👉 Explanation: Digital signatures ensure data origin authenticity, preventing denial of authorship.


360. Which law primarily governs data protection and privacy in Europe?
A) HIPAA
B) GDPR
C) CCPA
D) SOX

Answer: B) GDPR
👉 Explanation: The General Data Protection Regulation (GDPR) enforces strict data privacy rules across the EU.


361. A SIEM alerts that multiple failed logins are followed by a successful login from the same account. What is MOST likely happening?
A) SQL injection
B) Brute force attack
C) Insider threat
D) Replay attack

Answer: B) Brute force attack
👉 Explanation: Repeated failures followed by success often indicate brute forcing.


362. Which authentication protocol provides mutual authentication and is commonly used in Windows domains?
A) Kerberos
B) RADIUS
C) TACACS+
D) LDAP

Answer: A) Kerberos
👉 Explanation: Kerberos provides ticket-based mutual authentication between clients and services.


363. A financial company encrypts its data with AES-256. What type of encryption is this?
A) Asymmetric
B) Symmetric
C) Hashing
D) Steganography

Answer: B) Symmetric
👉 Explanation: AES uses a single secret key for encryption and decryption.


364. An attacker modifies the ARP table to redirect traffic through their system. What attack is this?
A) DNS poisoning
B) ARP spoofing
C) MITM
D) Evil twin

Answer: B) ARP spoofing
👉 Explanation: The attacker sends fake ARP replies to reroute traffic, enabling sniffing or manipulation.


365. A hospital is required to comply with regulations on patient data confidentiality. Which law applies?
A) GDPR
B) HIPAA
C) SOX
D) FERPA

Answer: B) HIPAA
👉 Explanation: The Health Insurance Portability and Accountability Act regulates healthcare data in the US.


366. A company implements hot and cold aisles in its data center. This primarily addresses:
A) Availability
B) Confidentiality
C) Integrity
D) Environmental controls

Answer: D) Environmental controls
👉 Explanation: Hot/cold aisles regulate airflow to prevent overheating.


367. An attacker exploits a vulnerability but leaves no trace in logs. What technique was likely used?
A) Rootkit
B) Worm
C) Trojan horse
D) Botnet

Answer: A) Rootkit
👉 Explanation: Rootkits hide malicious activity by altering system logs and OS behavior.


368. Which hashing algorithm is considered most secure today?
A) MD5
B) SHA-1
C) SHA-256
D) DES

Answer: C) SHA-256
👉 Explanation: MD5 and SHA-1 are broken; SHA-256 remains strong.


369. A user reports a phishing email that looks legitimate but came from an external domain. What BEST prevents this?
A) DLP
B) SPF/DKIM/DMARC
C) SSL/TLS
D) Firewall rules

Answer: B) SPF/DKIM/DMARC
👉 Explanation: Email authentication mechanisms prevent spoofed sender domains.


370. A disaster recovery plan (DRP) defines the maximum tolerable downtime (MTD). This relates to:
A) Availability
B) Confidentiality
C) Risk transfer
D) Integrity

Answer: A) Availability
👉 Explanation: MTD determines how long critical services can be unavailable before severe business impact.


371. A company wants to encrypt emails end-to-end so only the recipient can read them. Which technology is BEST?
A) TLS
B) PGP/GPG
C) IPSec
D) VPN

Answer: B) PGP/GPG
👉 Explanation: Pretty Good Privacy (PGP) uses public/private keys for secure end-to-end email encryption.


372. Which cloud model allows customers to control the OS but not the underlying hardware?
A) IaaS
B) PaaS
C) SaaS
D) FaaS

Answer: A) IaaS
👉 Explanation: Infrastructure as a Service gives control over OS and apps, while hardware is managed by the provider.


373. An employee is using a personal smartphone to access company data. Which policy addresses this?
A) Data classification
B) BYOD policy
C) Retention policy
D) Incident response

Answer: B) BYOD policy
👉 Explanation: Bring Your Own Device (BYOD) policies define security rules for personal device usage.


374. An attacker sends multiple SYN packets without completing the handshake. What attack is this?
A) DDoS
B) SYN flood
C) Man-in-the-middle
D) Session hijacking

Answer: B) SYN flood
👉 Explanation: The attacker consumes server resources by initiating connections but not completing them.


375. Which of the following is an example of least privilege?
A) A user is given admin access only during troubleshooting.
B) Employees share one privileged account.
C) Developers always have root access.
D) An intern is granted database admin rights.

Answer: A) A user is given admin access only during troubleshooting.
👉 Explanation: Least privilege means granting only the minimum necessary permissions for a task.


376. A forensic investigator needs to maintain integrity of evidence. Which practice ensures this?
A) Hashing files (SHA-256)
B) Using disk compression
C) Taking screenshots
D) Encrypting data

Answer: A) Hashing files (SHA-256)
👉 Explanation: Hash values confirm digital evidence has not been tampered with.


377. A company implements RAID 1 storage. What does this provide?
A) High performance
B) Fault tolerance through mirroring
C) Data striping without redundancy
D) Fast write speeds

Answer: B) Fault tolerance through mirroring
👉 Explanation: RAID 1 duplicates data across drives, ensuring redundancy.


378. An attacker exploits a misconfigured cloud storage bucket to access sensitive files. What is this called?
A) Insider threat
B) Misconfiguration vulnerability
C) Drive-by download
D) SQL injection

Answer: B) Misconfiguration vulnerability
👉 Explanation: Open storage buckets are a common misconfiguration risk in cloud environments.


379. Which protocol is commonly used for secure remote device management?
A) FTP
B) SSH
C) Telnet
D) SNMPv1

Answer: B) SSH
👉 Explanation: Secure Shell (SSH) encrypts remote access sessions.


380. Which attack targets IoT devices with weak default passwords?
A) Mirai botnet
B) ARP poisoning
C) DNS hijacking
D) Bluejacking

Answer: A) Mirai botnet
👉 Explanation: Mirai compromised IoT devices by exploiting weak/default credentials.


381. What is the purpose of a jump server (bastion host)?
A) Store encryption keys
B) Provide secure access to internal systems
C) Act as a honeypot
D) Encrypt outgoing traffic

Answer: B) Provide secure access to internal systems
👉 Explanation: Jump servers act as a controlled gateway into sensitive networks.


382. A vulnerability scan identifies missing patches. What type of control is patching?
A) Detective
B) Preventive
C) Corrective
D) Deterrent

Answer: B) Preventive
👉 Explanation: Patching prevents exploitation of known vulnerabilities.


383. A CEO receives a spear-phishing email impersonating the CFO. This is an example of:
A) Whaling
B) Vishing
C) Pharming
D) Tailgating

Answer: A) Whaling
👉 Explanation: Whaling targets high-level executives with spear-phishing attacks.


384. Which disaster recovery site provides the fastest recovery?
A) Cold site
B) Warm site
C) Hot site
D) Cloud storage

Answer: C) Hot site
👉 Explanation: A hot site is fully equipped and ready for immediate use.


385. A vulnerability scan reports a CVSS score of 9.8. How should this be prioritized?
A) Low priority
B) Medium
C) High
D) Critical

Answer: D) Critical
👉 Explanation: Scores above 9.0 are critical and require immediate remediation.


386. Which control type is a fire extinguisher in a data center?
A) Technical
B) Physical
C) Administrative
D) Detective

Answer: B) Physical
👉 Explanation: Fire extinguishers are physical safety controls.


387. Which is the MOST secure way to destroy sensitive data on an SSD?
A) Formatting
B) Overwriting
C) Degaussing
D) Cryptographic erase

Answer: D) Cryptographic erase
👉 Explanation: SSDs require cryptographic erasure since overwriting is unreliable.


388. A user clicks on a malicious ad that downloads malware. What type of attack is this?
A) Drive-by download
B) Keylogging
C) Spyware
D) Trojan

Answer: A) Drive-by download
👉 Explanation: Malicious websites or ads can automatically install malware.


389. Which is an example of a deterrent control?
A) Security cameras
B) Antivirus
C) Firewalls
D) Encryption

Answer: A) Security cameras
👉 Explanation: Cameras discourage malicious activity but don’t stop it directly.


390. A penetration tester cracks a password hash using rainbow tables. What could have prevented this?
A) Key stretching
B) Salting
C) Multi-factor authentication
D) Hashing

Answer: B) Salting
👉 Explanation: Salts ensure unique hashes, making rainbow tables ineffective.


391. A malicious insider deletes critical data. What BEST mitigates this risk?
A) Backups
B) MFA
C) Firewalls
D) IDS

Answer: A) Backups
👉 Explanation: Backups ensure recovery even after insider sabotage.


392. A company restricts user access to files based on job roles. Which model is this?
A) RBAC
B) ABAC
C) DAC
D) MAC

Answer: A) RBAC
👉 Explanation: Role-Based Access Control grants permissions by job role.


393. Which malware encrypts files and demands payment?
A) Worm
B) Ransomware
C) Rootkit
D) Spyware

Answer: B) Ransomware
👉 Explanation: Ransomware locks or encrypts data until ransom is paid.


394. Which wireless security protocol is MOST secure?
A) WEP
B) WPA
C) WPA2
D) WPA3

Answer: D) WPA3
👉 Explanation: WPA3 is the latest and strongest Wi-Fi encryption standard.


395. Which attack relies on manipulating users into giving away information?
A) SQL injection
B) Phishing
C) Buffer overflow
D) Cross-site scripting

Answer: B) Phishing
👉 Explanation: Phishing uses social engineering rather than technical exploits.


396. A cybersecurity team wants to test their incident response plan. Which exercise is MOST realistic?
A) Tabletop exercise
B) Simulation
C) Full-scale test
D) Walkthrough

Answer: C) Full-scale test
👉 Explanation: A full-scale test mimics real-world attacks, validating response effectiveness.


397. A company wants to secure wireless access against rogue APs. Which tool is BEST?
A) WAF
B) Wireless intrusion prevention system (WIPS)
C) SIEM
D) VPN

Answer: B) Wireless intrusion prevention system (WIPS)
👉 Explanation: WIPS detects and blocks rogue access points.


398. A user installs a mobile app that secretly records keystrokes. What malware is this?
A) Trojan
B) Rootkit
C) Keylogger
D) Worm

Answer: C) Keylogger
👉 Explanation: Keyloggers record user keystrokes to steal credentials.


399. Which of the following is an example of continuous monitoring?
A) Annual penetration testing
B) Daily vulnerability scanning
C) Quarterly audits
D) Yearly compliance review

Answer: B) Daily vulnerability scanning
👉 Explanation: Continuous monitoring involves frequent/ongoing assessments.


400. A disaster recovery plan sets an RPO (Recovery Point Objective) of 1 hour. What does this mean?
A) Systems must be restored within 1 hour.
B) Backups must be taken at least every hour.
C) Data must be fully encrypted for 1 hour.
D) Recovery must occur only after 1 hour.

Answer: B) Backups must be taken at least every hour.
👉 Explanation: RPO defines acceptable data loss measured in time since the last backup.

Congratulations on completing this advanced Security+ practice set (351–400)! By solving these real-world scenario-based questions, you’ve sharpened your ability to think critically and apply security principles under pressure—exactly what the exam demands.


The more scenarios you practice, the better your chances of passing CompTIA Security+ on your first attempt. Stay consistent, keep learning, and good luck on your certification journey! 🚀
