cysa+ practice test Practice Exam: Test Your Knowledge 2025

A security analyst is reviewing logs and notices multiple failed SSH login attempts from various IP addresses targeting the same administrative account within a 10-minute window. Which type of attack is MOST likely occurring?

During a vulnerability assessment, a security analyst discovers that several web servers are running with default configurations and unnecessary services enabled. Which vulnerability management principle should be applied FIRST to address this finding?

An organization has detected a security incident involving potential data exfiltration. According to incident response best practices, which phase should occur immediately after the incident has been contained?

A security analyst needs to communicate the results of a vulnerability scan to executive management. Which of the following should be emphasized in the report to ensure appropriate business context?

A company's SIEM has generated an alert indicating that a user account accessed resources from two different countries within a 30-minute timeframe. What type of indicator is this MOST likely representing?

A security analyst is conducting a vulnerability assessment and discovers that a critical database server has a high-severity SQL injection vulnerability. However, the server is only accessible from the internal network and requires multi-factor authentication. How should the analyst adjust the risk rating?

During log analysis, a security analyst observes the following HTTP request: 'GET /search.php?query=<script>alert(document.cookie)</script>'. Which vulnerability is the attacker attempting to exploit?

An organization is implementing a vulnerability management program. Which metric would be MOST useful for measuring the program's effectiveness over time?

A security team has isolated a compromised server during incident response. Forensic analysis reveals that the attacker achieved initial access three months ago but only recently began malicious activities. What should be the PRIMARY concern when determining the scope of the incident?

A security analyst needs to create a dashboard for the IT operations team to monitor security events. Which of the following metrics would be MOST appropriate to include?

A security analyst is investigating suspicious network traffic and observes periodic DNS queries to a domain with a randomly generated name every 60 seconds from an internal workstation. Which threat activity is MOST likely occurring?

During a compliance audit, it is discovered that vulnerability scan results show several systems with missing patches. The IT team claims these systems are isolated in a separate VLAN with strict access controls. What should the security analyst recommend?

An incident response team is analyzing a ransomware attack. Which of the following data sources would provide the BEST information about the initial infection vector?

A security analyst needs to present vulnerability trends to different stakeholders. Which approach BEST demonstrates appropriate audience-based communication?

A security operations center (SOC) is experiencing alert fatigue due to high volumes of false positives from their SIEM. Which approach would MOST effectively reduce false positives while maintaining security visibility?

A penetration test reveals that an organization's web application is vulnerable to both SQL injection and cross-site scripting. The development team can only address one vulnerability this quarter due to resource constraints. Using risk-based prioritization, which factors should the security analyst consider MOST when making a recommendation?

During threat hunting activities, a security analyst discovers PowerShell commands encoded in Base64 executing on multiple workstations. The commands are launching from scheduled tasks created by a legitimate administrative account. What is the MOST likely scenario, and what should be the immediate next step?

An organization has implemented a vulnerability management program with quarterly scans. A zero-day vulnerability is announced affecting a critical business application. The vendor states a patch will be available in six weeks. What is the BEST course of action?

During forensic analysis of a security incident, the incident response team needs to preserve evidence from a running database server that cannot be shut down due to business requirements. Which approach BEST balances evidence preservation with business continuity?

A security analyst is preparing an annual security metrics report for the board of directors. The report includes numerous technical metrics like mean time to detect (MTTD), mean time to respond (MTTR), and number of incidents by type. The previous year's presentation received feedback that board members struggled to understand the security posture. How should the analyst improve the report?