WGU D488 Final Exam Actual Exam 2026/2027 | Cybersecurity Architecture and Engineering | WGU | Questions with Verified Answers | 100% Correct | Pass Guaranteed
Q001: Your enterprise is mapping its cyber-risk posture onto the NIST CSF tiers.
The CISO states that risk processes are informal and reactive. Which tier best
describes this state?
A. Tier 4 - Adaptive
B. Tier 2 - Risk Informed
C. Tier 1 - Partial
D. Tier 3 - Repeatable
ANSWER: C
Q002: During the TOGAF Phase C (Information Systems Architecture) security
view, architects discover that PII is stored in unencrypted column-store tables.
Which ADM security technique should be applied first?
A. Business-scenario workshops
B. Threat-modeling with STRIDE
C. SABSA business-attribute profiling
D. SABSA contextual security architecture
ANSWER: B
Q003: A multinational bank is adopting SABSA. The board asks for a matrix that
maps security controls to business risk appetite. Which SABSA layer delivers this
artifact?
A. Contextual
B. Conceptual
C. Logical
D. Physical
ANSWER: B
Q004: Your cloud team is building a zero-trust network for IaaS workloads. Which
control enforces micro-segmentation at the hypervisor level without VLAN
changes?
A. VXLAN EVPN with MACsec
B. Host-based firewalls enforcing workload identity
C. GRE tunnels to a central IPS
D. Physical appliance in VPC transit gateway
ANSWER: B
Q005: The security team must meet ISO 27001:2022 requirements for
cryptographic policy. Which document mandates periodic key-rotation intervals
and algorithm agility?
A. Statement of Applicability (SoA)
B. Information Security Management System (ISMS) scope statement
C. Risk treatment plan
D. Corrective-action log
ANSWER: A
Q006: A SaaS provider wants to align with CIS Controls v8. Which control group
should be implemented first to satisfy the "Foundational" benchmark?
A. Controlled Use of Administrative Privileges
B. Inventory and Control of Enterprise Assets
C. Secure Configuration
D. Email and Web Browser Protections
ANSWER: B
Q007: Architects are designing a cloud-native application using the STRIDE
model. Which threat category is addressed by implementing OAuth 2.0 with JWT
signatures?
A. Tampering
B. Information Disclosure
C. Repudiation
D. Elevation of Privilege
ANSWER: A
Q008: Your organization is deploying a blockchain-based supply-chain ledger.
Which cryptographic primitive ensures non-repudiation of smart-contract
executions?
A. Zero-knowledge proofs
B. ECDSA digital signatures
C. SHA-3-512 hash functions
D. AES-256-GCM symmetric encryption
ANSWER: B
Q009: A zero-trust architect must select an authentication factor that resists
phishing and provides cryptographic proof of user presence. Which FIDO2
authenticator type best meets this goal?
A. SMS OTP
B. Roaming hardware security key with attestation
C. TOTP soft-token
D. Push notification to registered mobile
ANSWER: B
Q010: The IAM team is implementing dynamic authorization in a microservices
mesh. Which architecture pattern enforces fine-grained, contextual access
decisions at API runtime?
A. Centralized LDAP bind
B. Policy-Decision Point (PDP) with OPA Rego policies
C. JWT self-contained scopes only
D. Service-account tokens embedded in code
ANSWER: B
Q011: A DevSecOps pipeline requires automated security testing for each commit.
Which tool category BEST validates container-image vulnerabilities pre-deployment?
A. SAST scanners
B. Container image vulnerability scanners (e.g., Grype, Clair)
C. DAST scanners