2025 CompTIA Security+ SY0-701 Exam
– 170 Actual Questions with 100%
Verified Answers & Expert Cybersecurity
Rationales | A+ Graded
Question 1
A security analyst discovers an unauthorized device on the corporate network performing
reconnaissance scans. Which action should be recommended to mitigate this threat immediately?
A. Implement a firewall rule to block the device’s IP address
B. Deploy a new intrusion detection system (IDS)
C. Conduct a full network penetration test
D. Update the organization’s antivirus software
Correct Answer: A. Implement a firewall rule to block the device’s IP address
Rationale:
Blocking the unauthorized device’s IP address via a firewall rule is the most immediate
containment action to stop reconnaissance scans, aligning with NIST SP 800-53’s incident
response controls (IR-4). This prevents further unauthorized access or data collection. Option B
is a long-term solution, not immediate. Option C is proactive but not suitable for real-time
mitigation. Option D is irrelevant as reconnaissance scans typically do not involve malware.
Question 2
An organization is adopting a zero-trust architecture. Which principle should be prioritized to
secure access to cloud-based resources?
A. Encrypt all data at rest
B. Implement multi-factor authentication (MFA) for all users
C. Use static IP whitelisting
D. Deploy a new SIEM system
Correct Answer: B. Implement multi-factor authentication (MFA) for all users
, 2
Rationale:
Zero-trust architecture, per NIST SP 800-207, emphasizes continuous identity verification. MFA
ensures robust authentication for all users accessing cloud resources, reducing unauthorized
access risks. Option A addresses data protection, not access control. Option C is less effective
in dynamic cloud environments. Option D supports monitoring but does not enforce access
security.
Question 3
During a ransomware attack that encrypted critical data, what is the BEST first step to mitigate
further damage?
A. Pay the ransom to regain access
B. Isolate the affected systems from the network
C. Run a vulnerability scan on all systems
D. Restore data from the latest backup
Correct Answer: B. Isolate the affected systems from the network
Rationale:
Isolating affected systems prevents ransomware from spreading, as recommended by NIST SP
800-61r2 for incident containment. Option A is discouraged as it funds criminal activity without
guaranteed recovery. Option C is a post-incident action. Option D is a recovery step, not
immediate mitigation.
Question 4
Which security control BEST protects an IoT device ecosystem from unauthorized access in a
healthcare environment?
A. Deploying a host-based intrusion detection system (HIDS)
B. Implementing network segmentation
C. Enabling automatic software updates
D. Using default vendor credentials
Correct Answer: B. Implementing network segmentation
Rationale:
Network segmentation isolates IoT devices, reducing the attack surface in sensitive healthcare
environments, per NIST SP 800-171. This limits lateral movement if a device is compromised.
, 3
Option A is less feasible for resource-constrained IoT devices. Option C addresses
vulnerabilities but not access control. Option D increases risk.
Question 5
To ensure GDPR compliance in a hybrid cloud environment, which of the following should be
implemented?
A. Deploy a web application firewall (WAF)
B. Encrypt all sensitive data in transit and at rest
C. Configure a single sign-on (SSO) system
D. Conduct annual penetration testing
Correct Answer: B. Encrypt all sensitive data in transit and at rest
Rationale:
GDPR (Article 32) mandates encryption for personal data to ensure confidentiality and integrity.
Option A protects web applications but is not GDPR-specific. Option C enhances user
experience but does not address data protection. Option D is proactive but not a direct GDPR
requirement.
Question 6
A system using outdated WPA2 encryption for wireless access is identified. What is the BEST
recommendation to enhance security?
A. Switch to WPA3 encryption
B. Disable wireless access entirely
C. Implement a guest Wi-Fi network
D. Use a stronger password policy
Correct Answer: A. Switch to WPA3 encryption
Rationale:
WPA3 offers stronger encryption and protection against attacks, aligning with NIST SP 800-153.
Option B is impractical. Option C addresses guest access, not core security. Option D is
complementary but less impactful than upgrading encryption.
Question 7
, 4
Which task is a performance-based activity during incident response?
A. Reviewing a risk assessment report
B. Configuring a firewall to block malicious traffic
C. Writing a security policy document
D. Conducting employee security training
Correct Answer: B. Configuring a firewall to block malicious traffic
Rationale:
Performance-based questions test hands-on skills. Configuring a firewall is a technical task for
incident mitigation, per NIST SP 800-115. Option A is analytical. Option C is administrative.
Option D is educational.
Question 8
A phishing email with a malicious attachment is received. Which tool is MOST effective for
real-time detection?
A. Security Information and Event Management (SIEM) system
B. Endpoint Protection Platform (EPP)
C. Network Intrusion Prevention System (NIPS)
D. Data Loss Prevention (DLP) system
Correct Answer: B. Endpoint Protection Platform (EPP)
Rationale:
EPPs detect and block malicious attachments in real time, per NIST SP 800-83. Option A is for
log analysis. Option C focuses on network traffic. Option D prevents data exfiltration, not
phishing detection.
Question 9
What is the PRIMARY purpose of a Security Orchestration, Automation, and Response (SOAR)
platform?
A. To encrypt sensitive data
B. To automate incident response workflows
C. To conduct vulnerability scans
D. To enforce access control policies