COMPTIA SECURITY+
CompTIA Security+ (SY0-701) Certification Exam
2026/2027
Cybersecurity Review with Questions & Verified Answers
2026/2027 Edition - Official Exam 2026/2027
90 75% N/A
QUESTIONS PASSING SCORE RECERTIFICATION
TABLE OF CONTENTS
Section 1 General Security Concepts Q1-18
Section 2 Threats, Vulnerabilities, and Mitigations Q19-36
Section 3 Security Architecture Q37-54
Section 4 Security Operations Q55-72
Section 5 Security Program Management and Oversight Q73-90
Instructions: Select the single best answer for each question. This exam is designed for CompTIA Security+ (SY0-701)
certification preparation. Passing score: 75% (68 questions correct).
CompTIA Security+ -- 2026/2027 | Passing Score: 75% | Page 1 of 47
,SECTION 1 | General Security Concepts | Q1-Q18 | CompTIA Security+ 2026/2027
Q1 Question 1 of 90
A network administrator at a mid-sized financial firm configures a firewall rule that blocks all
inbound traffic except on ports 80 and 443. The security team later discovers unauthorized
outbound connections on port 53. Which principle did the administrator fail to implement?
A. Fail-open design
B. Defense in depth
C. Separation of duties
D. Least functionality
Correct Answer: D
Rationale:
Least functionality dictates that systems should operate with only the minimum features and services
required. By allowing outbound DNS traffic without restrictions, the administrator violated this principle, as
DNS tunneling can exfiltrate data. Defense in depth would add layers but does not specifically address
unnecessary service exposure.
Q2 Question 2 of 90
An organization deploys a security solution that inspects encrypted traffic by terminating TLS at a
gateway, inspecting the payload, and re-encrypting before forwarding. A compliance auditor raises
concerns about this architecture. The primary risk introduced by this design is which of the
following?
A. Certificate pinning conflicts
B. Man-in-the-middle exposure
C. Key escrow requirement
D. Replay attack vulnerability
Correct Answer: B
Rationale:
Terminating TLS at a gateway creates a deliberate man-in-the-middle position, meaning if the gateway is
compromised, all encrypted traffic can be intercepted. Certificate pinning conflicts are a secondary concern.
The gateway does not inherently create replay vulnerability, and key escrow is unrelated to this architecture.
CompTIA Security+ -- 2026/2027 | Passing Score: 75% | Page 2 of 47
,SECTION 1 | General Security Concepts | Q1-Q18 | CompTIA Security+ 2026/2027
Q3 Question 3 of 90
A security analyst reviews access logs and notices that a user account made 4,000 failed login
attempts over two hours, then successfully authenticated at 2:00 AM. The most effective
immediate control to prevent this type of attack is which of the following?
A. Password complexity policy
B. Account lockout threshold
C. Multifactor authentication
D. Time-based access restriction
Correct Answer: D
Rationale:
Account lockout threshold directly prevents brute-force attacks by locking the account after a specified
number of failed attempts, stopping the attack before success. Time-based restrictions would not address the
brute-force method itself. MFA adds a layer but does not stop the brute-force attempt against the password
factor.
Q4 Question 4 of 90
During a risk assessment, a healthcare organization identifies that its patient record system has an
unpatched vulnerability with a CVSS score of 9.8. The system contains data protected under
HIPAA. The organization decides to implement a web application firewall as an interim measure.
This approach is best described as which type of control?
A. Preventive control
B. Detective control
C. Compensating control
D. Corrective control
Correct Answer: D
Rationale:
A web application firewall placed in front of an unpatched system is a compensating control because it
provides alternative protection when the primary control (patching) cannot be immediately applied. Preventive
controls stop incidents before they occur in the primary design, while detective controls identify incidents after
they happen. Corrective controls restore systems after an incident.
CompTIA Security+ -- 2026/2027 | Passing Score: 75% | Page 3 of 47
, SECTION 1 | General Security Concepts | Q1-Q18 | CompTIA Security+ 2026/2027
Q5 Question 5 of 90
A company implements a zero-trust architecture and requires all users to authenticate through a
centralized identity provider before accessing any internal resource. The identity provider issues
time-limited tokens that must be validated by each service. This architecture primarily enforces
which security concept?
A. Continuous verification
B. Implicit trust zones
C. Perimeter-based defense
D. Role-based isolation
Correct Answer: A
Rationale:
Zero-trust architecture requires continuous verification of identity and context for every access request,
eliminating implicit trust. Implicit trust zones contradict zero-trust principles. Perimeter-based defense is the
traditional model that zero-trust replaces. Role-based isolation is a component but not the primary concept
enforced.
Q6 Question 6 of 90
An incident response team at an e-commerce company discovers that an attacker exploited a race
condition in the checkout application to purchase items at incorrect prices. The team's first priority
in containment should be which of the following?
A. Patching the application code
B. Disabling the affected transaction pathway
C. Notifying affected customers
D. Isolating the web server from the network
Correct Answer: B
Rationale:
Disabling the affected transaction pathway immediately stops further exploitation while preserving evidence
and allowing the business to continue other operations. Patching requires development time and testing
before deployment. Customer notification is important but comes after containment. Full server isolation may
disrupt legitimate business unnecessarily.
CompTIA Security+ -- 2026/2027 | Passing Score: 75% | Page 4 of 47