✔✔What would be one of the first steps for a security architect when building or
redesigning a security architecture to secure an organization?
A) Remove unnecessary egress traffic
B) Perform a perimeter pen test
C) Deploy patches to external systems
D) Identify critical assets - ✔✔D) Identify critical assets
✔✔Which of the following is a method of detecting a BYOAP problem on a network?
A) Multiple VPN connections from the internal network.
B) Multiple URL requests from the same source IP.
C) Multiple SSIDs in the area.
D) Multiple user agent strings from the same IP address. - ✔✔D) Multiple user agent
strings from the same IP address.
✔✔What could be implemented to mitigate the risk of one client pivoting to another on
the same network?
A) Host-based antipivot
B) Next-gen antivirus
C) NAC controls
D) Private VLANs - ✔✔D) Private VLANs
✔✔What is the term used for when the red team is working together with the blue team
through simulation of specific threat scenarios?
A) Purple teaming
B) Black-hat teaming
C) Defensive teaming
D) Multi-front teaming - ✔✔A) Purple teaming
✔✔When discussing Prevention (P), Detection (D), and Response (R) in a time-based
security model, which of the following must be true to achieve effective security?
A) P<D+R
B) P=D+R
C) P>D+R
D) P=D=R - ✔✔C) P>D+R
✔✔Which of the following is known as a Rubber Ducky?
A) USB keyboard
B) Raspberry Pi device
C) Trojan horse executable
D) Rogue AP - ✔✔A) USB keyboard
✔✔Which OSI layer would include ARP cache poisoning and MAC address spoofing
attacks?
A) Layer 4
B) Layer 3
C) Layer 2
D) Layer 5 - ✔✔C) Layer 2
✔✔Which of these methods for delivering software patches in a Windows enterprise
should an organization utilize?
A) Windows Server Update Services
B) Windows Update Delivery Optimization
C) Windows 10 P2P Patching
D) System Patch Management Services - ✔✔B) Windows Update Delivery Optimization
✔✔Which project documents common tactics, techniques, and procedures that
advanced persistent threat groups used against enterprise networks?
A) DEF3NSE
B) DET3CT
C) ATP&CK
D) ATT&CK - ✔✔D) ATT&CK
✔✔Which type of analysis is less common and is based on a presumption of
compromise, that the network is already owned?
A) Perimeter analysis
B) Infection analysis
C) Risk analysis
D) Egress analysis - ✔✔D) Egress analysis
✔✔Which of the following tools is used by attackers to perform ARP spoofing?
A) Burp Suite
B) Aircrack
C) Ettercap
D) Snort - ✔✔C) Ettercap
✔✔What does ARP spoofing require that makes many organizations consider it low
probability / low risk?
A) ARP spoofing is an antiquated attack and is no longer a risk for organizations.
B) ARP spoofing only works on network switches.
C) ARP spoofing requires local Layer 2 access.
D) ARP spoofing only works on wireless networks. - ✔✔C) ARP spoofing requires local
Layer 2 access.
✔✔Which of the following strategies can eliminate duplicate flow logs?
A) Switching to NetFlow V9.
B) Using SDN fabrics.
C) Purchasing a commercial solution.
D) Changing flow logs to only be on internal traffic. - ✔✔D) Changing flow logs to only
be on internal traffic.
✔✔Which of the following Cisco commands is used to enable DHCP snooping on a
switch to mitigate the rogue DHCP server attack?
A) ip mitigate dhcp-snooping
B) ip enable snooping
C) ip config dhcp snooping
D) ip dhcp snooping - ✔✔D) ip dhcp snooping
✔✔Which specific security architecture is usually (and too narrowly) referenced when
describing secure architecture?
A) Product-based architecture
B) Host-based architecture
C) Application-based architecture
D) Network-based architecture - ✔✔D) Network-based architecture
✔✔Which of the statements regarding NetFlow is correct?
A) NetFlow v12 is the latest NetFlow version.
B) NetFlow is an open standard invented by Palo Alto Networks.
C) NetFlow v5 and v9 are commonly used today.
D) NetFlow v9 supports layer 3 NetFlow and IPv4 only. - ✔✔C) NetFlow v5 and v9 are
commonly used today.
✔✔Which of the following types of wireless network communication is described as
low-power, low-bandwidth, and short-range?
A) Zigbee
B) 802.11
C) Bluetooth
D) Infrared - ✔✔A) Zigbee
✔✔Which of the following components are required to collect flow data?
A) Flow exporter, flow collector, flow analyzer
B) Flow filter, flow controller, flow analyzer
C) Flow importer, flow exporter, flow collector
D) Flow viewer, flow director, flow filter - ✔✔A) Flow exporter, flow collector, flow
analyzer
✔✔Which wireless communication method handles authentication by using 802.1X and
RADIUS?
A) WPA
B) WPA2 Enterprise
C) WPA2 Personal
D) WEP - ✔✔B) WPA2 Enterprise
✔✔Which of the following is the best practice for remote connections?
A) Set "ssh authentication-retries" to 0 in the configuration.
B) Use SSHv2 and disable SSHv1.
C) Use the RSA key size 512 bits in configuration.
D) Use telnet or SSHv2. - ✔✔B) Use SSHv2 and disable SSHv1.
✔✔Which of the following are a benefit and a drawback of SLAAC IPv6 address
assignments?
A) Benefit: SLAAC requires no DHCP infrastructure. Drawback: SLAAC causes privacy
concerns.
B) Benefit: SLAAC fixes privacy concerns of IPv6. Drawback: SLAAC requires DHCP
infrastructure.
C) Benefit: SLAAC eliminates the need for IPv6 Global Unicast temporary addresses.
Drawback: SLAAC causes privacy concerns.
D) Benefit: SLAAC eliminates the need for IPv6 Global Unicast temporary addresses.
Drawback: SLAAC fixes privacy concerns of IPv6. - ✔✔A) Benefit: SLAAC requires no
DHCP infrastructure. Drawback: SLAAC causes privacy concerns.
✔✔Which considerations should guide the design of network segmentation?
A) Higher segmentation adds complexity, while insufficient segmentation can result in
an indefensible network.