Security Operations for CompTIA Security+

This page covers the Security Operations domain of the CompTIA Security+ certification. Master Cybersecurity offers 141 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

Question 1

    A data administrator is configuring authentication for a SaaS application and would like to reduce the number of credentials employees need to maintain. The company prefers to use domain credentials to access new SaaS applications. Which of the following methods would allow this functionality?

    A. SSO
    B. LEAP
    C. MFA
    D. PEAP

    Explanation

    The correct answer is: A. SSO.

    The method that lets users access SaaS apps with their existing domain credentials is single sign-on (SSO). SSO federates the corporate identity provider to SaaS service providers (commonly via SAML or OIDC) so that one set of credentials grants access to many applications. LEAP is a legacy wireless authentication protocol with known weaknesses. MFA adds factors to one login rather than reducing credential count across many. PEAP is an enterprise wireless authentication protocol. SSO is the SY0-701-named single-credential pattern across applications.

Question 2

    A penetration tester begins an engagement by performing port and service scans against the client environment according to the rules of engagement. Which of the following reconnaissance types is the tester performing?

    A. Active
    B. Passive
    C. Defensive
    D. Offensive

    Explanation

    The correct answer is: A. Active.

    Port and service scanning is active reconnaissance. Active reconnaissance interacts with the target — sending packets to enumerate open ports, banner-grab services, and identify versions — and is therefore visible in target logs. Passive reconnaissance collects information without touching the target (OSINT, social media, public DNS). Defensive testing is blue-team work. Offensive testing is the broader category that active reconnaissance sits inside, but active is the specific named type for the scenario.

Question 3

    Which of the following is required for an organization to properly manage its restore process in the event of system failure?

    A. IRP
    B. DRP
    C. RPO
    D. SDLC

    Explanation

    The correct answer is: B. DRP.

    The plan required to manage the restore process during a system failure is the disaster recovery plan (DRP). The DRP codifies the technical recovery procedures (restoring data from backups, bringing standby systems online, redirecting traffic to alternate sites) that the team executes during a failure. An IRP handles security incidents. RPO is a recovery-point metric rather than a plan. SDLC governs software development. DRP is the SY0-701-named restore-process plan.

Question 4

    Which of the following vulnerabilities is associated with installing software outside of a manufacturer’s approved software repository?

    A. Jailbreaking
    B. Memory injection
    C. Resource reuse
    D. Side loading

    Explanation

    The correct answer is: D. Side loading.

    The vulnerability associated with installing software outside the manufacturer's approved repository is side loading. Side loading bypasses the platform's signing, sandboxing, and review checks because the package is delivered through an alternate channel; malicious code that the official store would have caught reaches the device unfiltered. Jailbreaking is the underlying OS modification that can enable side loading on locked-down platforms but is itself a different concept. Memory injection writes code into running processes. Resource reuse is leftover data in shared memory. Side loading is the SY0-701-named off-store-installation vulnerability.

Question 5

    A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior?

    A. Digital forensics
    B. E-discovery
    C. Incident response
    D. Threat hunting

    Explanation

    The correct answer is: D. Threat hunting.

    The right activity when a new attacker behavior has not yet been alerted by SIEM is threat hunting. Threat hunting actively searches the available telemetry for indicators of the new tactic — running custom queries, building one-off detections, looking for the artifacts the tactic would leave — and produces both immediate findings and durable detections to add to SIEM. Digital forensics is engaged after an incident is confirmed. E-discovery is a legal-discovery process. Incident response is the broader lifecycle. Threat hunting is the SY0-701-named proactive search for not-yet-alerted behavior.
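    An added example (not from this page or the exam objectives) that ties together the Question 2 and Question 5 explanations: active scanning is visible in target logs, and a hunt over that telemetry can be turned into a durable detection for the SIEM. The firewall log lines, the "port sweep" tactic and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not real telemetry): "timestamp src dst dport action".
SAMPLE_LOGS = """\
2024-05-01T09:00:01 10.0.0.5 10.0.1.10 22 DENY
2024-05-01T09:00:01 10.0.0.5 10.0.1.10 23 DENY
2024-05-01T09:00:02 10.0.0.5 10.0.1.10 80 ALLOW
2024-05-01T09:00:02 10.0.0.5 10.0.1.10 443 ALLOW
2024-05-01T09:00:03 10.0.0.5 10.0.1.11 22 DENY
2024-05-01T09:00:04 10.0.0.5 10.0.1.12 445 DENY
2024-05-01T09:00:10 10.0.0.7 10.0.1.10 443 ALLOW
2024-05-01T09:05:00 10.0.0.7 10.0.1.20 80 ALLOW
"""

def parse_logs(text):
    """Turn the constructed log text into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "action": action})
    return events

def hunt_fanout(events):
    """Hunt step: rank every source by distinct ports and hosts touched, so the
    analyst can review outliers before any alert threshold exists."""
    ports, hosts = defaultdict(set), defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
        hosts[e["src"]].add(e["dst"])
    ranked = {s: (len(ports[s]), len(hosts[s])) for s in ports}
    return sorted(ranked.items(), key=lambda kv: kv[1], reverse=True)

def detect_port_sweep(events, min_ports=5, min_hosts=3, window_s=60):
    """Durable detection derived from the hunt: alert once per source when it
    touches >= min_ports distinct ports or >= min_hosts hosts inside window_s."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):  # sliding time window over this source's events
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = evs[start:end + 1]
            n_ports, n_hosts = len({e["dport"] for e in win}), len({e["dst"] for e in win})
            if n_ports >= min_ports or n_hosts >= min_hosts:
                alerts.append((src, evs[start]["ts"].isoformat(), n_ports, n_hosts))
                break
    return alerts
```

    The hunt function is what the analyst runs once to look at the data; the detection function is what gets scheduled against fresh telemetry after the thresholds have been tuned.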
