AI-Assisted Security for CompTIA SecAI+

Sample Practice Questions

1. Question 1

   A security operations center (SOC) has a very high volume of logs and alerts. The manager proposes the implementation of machine learning (ML) system to help with triage. Which of the following tasks is MOST suitable?
   1. A. Applying filters on specific alerts
   2. B. Automatically patching vulnerable systems
   3. C. Identifying and classifying alerts
   4. D. Summarizing the content of alerts
   Explanation

   The correct answer is: C. Identifying and classifying alerts.

   Identifying and classifying alerts is the most suitable ML task because the core triage problem is mapping a flood of heterogeneous events into known categories of severity, threat type, and asset impact so analysts can prioritize, which is exactly what supervised classifiers and clustering models do well at scale. Applying filters on specific alerts is rule-based logic that does not require ML and does not solve the volume problem when new patterns emerge. Automatically patching vulnerable systems is a remediation action far outside the triage stage and carries change-management risk that should not be delegated to a triage model. Summarizing alert content is useful for analyst readability but does not perform the prioritization decision that triage demands, so on its own it is not the most suitable ML task here.

2. Question 2

   A security administrator needs to improve an AI model. During an initial investigation, the administrator notices that two successive login features are recorded every day, and then a successful login occurs after a specific time interval. All the successful login attempts have been during office hours. Which of the following techniques should the administrator use to improve the AI model’s security?
   1. A. Access management
   2. B. Pattern recognition
   3. C. Signature matching
   4. D. Vulnerability analysis
   Explanation

   The correct answer is: B. Pattern recognition.

   Pattern recognition is the correct technique because the observation describes a repeating sequence, two failed logins followed by a successful login after a specific interval and always during office hours, which is precisely the kind of recurring temporal and behavioral structure that ML-based pattern recognition is designed to learn and then flag when it deviates. Training the model on these features lets it distinguish legitimate user rhythms from credential-stuffing or brute-force precursors. Access management is wrong because it is a governance and identity control function such as provisioning, RBAC, or MFA, not a model-improvement technique. Signature matching is wrong because signatures rely on exact known indicators rather than behavioral baselines and would not capture a time-and-frequency pattern. Vulnerability analysis is wrong because it evaluates weaknesses in systems or software rather than enriching an authentication-anomaly model with behavioral features.

3. Question 3

   A global security operations center (SOC) wants to adapt and leverage the strength of AI in order to enhance its security operations. Which of the following is the best way to enhance the global SOC functions?
   1. A. Generate code and execute in production to help save time.
   2. B. Enable a personal assistant that can act in the global SOC with no human intervention.
   3. C. Use open-source models in production to help the efficiency of threat detection and threat analysis.
   4. D. Summarize alerts to easily gain insights on the environment.
   Explanation

   The correct answer is: D. Summarize alerts to easily gain insights on the environment..

   Summarizing alerts to gain insights is the safest and highest-leverage way to enhance a global SOC because the dominant SOC pain point is analyst fatigue from alert volume, and LLM-based summarization compresses raw events into structured narratives that accelerate triage without granting the model authority to act. It also keeps humans in the decision loop as recommended by NIST AI RMF. Generating code and executing it in production violates change control and gives the model excessive agency under OWASP LLM06. A personal assistant acting with no human intervention is the same excessive-agency anti-pattern and is unacceptable for SOC operations. Using open-source models in production is an implementation choice rather than a SOC enhancement strategy and brings supply-chain and governance risks that the question is not asking about.

4. Question 4

   A financial organization implements a new AI-based fraud detection system to flag suspicious transactions. A security analyst discovers that it occasionally blocks legitimate transactions. Which of the following is the best recommendation?
   1. A. Retaining the model with more data and recent transaction patterns
   2. B. Implementing AI token usage and rate limits
   3. C. Encrypting all the data processed by AI and applying further access controls
   4. D. Rolling back the model and using a traditional fraud detection system
   Explanation

   The correct answer is: A. Retaining the model with more data and recent transaction patterns.

   Retraining the model with more data and recent transaction patterns is the right recommendation because legitimate transactions being blocked indicates the model's decision boundary has drifted relative to current customer behavior, and refreshing the training set with up-to-date labeled examples reduces false positives while preserving fraud detection performance, which is the standard model-maintenance practice in the NIST AI RMF Measure and Manage functions. Implementing token usage and rate limits is an LLM operational control that does not apply to a fraud classifier and would not address accuracy. Encrypting data and tightening access controls improves confidentiality but has no effect on the model's classification quality. Rolling back to a traditional rules-based system abandons the AI investment and typically yields worse precision and recall, so it is a regression rather than a tuning fix.

5. Question 5

   A security operations center (SOC) analyst needs to automate multiple security tasks by breaking them down into smaller parts. Which of the following AI tools is the best for this task?
   1. A. Agentic AI
   2. B. Retrieval-augmented generation (RAG) AI
   3. C. Generative AI
   4. D. Chatbot
   Explanation

   The correct answer is: A. Agentic AI.

   Agentic AI is the best fit because the defining capability of an agent is task decomposition, where a high-level goal is broken into smaller sub-tasks that the agent plans, executes, evaluates, and re-plans using tool calls until the objective is met, which matches the SOC analyst's need to automate multi-step workflows like enrichment, containment, and reporting. Retrieval-augmented generation is a knowledge-grounding pattern that fetches relevant context to answer a single question accurately, not a planning framework. Generative AI is the broader category that produces content from prompts but on its own does not decompose tasks or invoke tools. A chatbot is a conversational interface that responds turn by turn and lacks the autonomous planning and tool-use loop required to execute decomposed security tasks.

Other CompTIA SecAI+ domains

• AI Governance, Risk & Compliance (12 questions)
• Basic AI Concepts Related to Cybersecurity (13 questions)
• Securing AI Systems (38 questions)