COMPTIA SECURITY+ PRACTICE EXAM 2026 QUESTIONS: LATEST EXAM SOLVED QUESTIONS & ANSWERS, VERIFIED 100% GRADED A+
When selecting a technical solution for identity management, an architect
chooses to go from an in-house to a third-party SaaS provider.
Which of the following risk management strategies is this an example of?
A. Acceptance
B. Mitigation
C. Avoidance
D. Transference
Answer: D. Transference (Risk Transference: Shifting risk through contracts or
insurance.)
Terms: SaaS: Software as a Service - Cloud-based software delivery over the
internet.
Wrong Answers: Risk Acceptance: Acknowledging and tolerating certain risks
without mitigation.
Risk Mitigation: Reducing impact and likelihood of identified risks.
Risk Avoidance: Choosing not to engage in high-risk activities.
A cybersecurity analyst reviews the log files from a web server and sees a
series of files that indicates a directory-traversal attack has occurred.
Which of the following is the analyst MOST likely seeing?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Terms:
Directory Traversal Attack: Exploiting web app vulnerabilities to access unauthorized
files.
A smart switch has the ability to monitor electrical levels and shut off power to
a building in the event of power surge or other fault situation. The switch was
installed on a wired network in a hospital and is monitored by the facilities
department via a cloud application. The security administrator isolated the
switch on a separate VLAN and set up a patch routine.
Which of the following steps should also be taken to harden the smart switch?
A. Set up an air gap for the switch.
B. Change the default password for the switch.
C. Place the switch in a Faraday cage.
D. Install a cable lock on the switch.
Answer: B. Change the default password for the switch.
Terms: Smart Switch: Enhanced network switch with management and security
features.
Wrong Answers:
Air Gap: Physically isolating for enhanced security, no direct communication.
Faraday Cage: Shields electronics from electromagnetic interference.
To secure an application after a large data breach, an e-commerce site will be
resetting all users' credentials.
Which of the following will BEST ensure the site's users are not compromised
after the reset?
A. A password reuse policy
B. Account lockout after three failed attempts
C. Encrypted credentials in transit
D. A geofencing policy based on login history
Answer: A. A password reuse policy
Implementing a password reuse policy would help ensure that users do not reuse
their old passwords, strengthening the security of their accounts after the reset.
An analyst visits an internet forum looking for information about a tool. The
analyst finds a thread that appears to contain relevant information.
One of the posts says the following:
Which of the following BEST describes the attack that was attempted against
the forum readers?
A. SOU attack
B. DLL attack
C. XSS attack
D. API attack
Answer: C. XSS attack
Wrong Answers:
SOU - Fake Term
DLL attack - Fake Term. Dynamic Link Library (DLL): Code and data file for shared
functionality in Windows.
API Attack: Unauthorized attempts to exploit vulnerabilities in an Application
Programming Interface.
In which of the following situations would it be BEST to use a detective control
type for mitigation?
A. A company implemented a network load balancer to ensure 99.999%
availability of its web application.
B. A company designed a backup solution to increase the chances of restoring
services in case of a natural disaster.
C. A company purchased an application-level firewall to isolate traffic between
the accounting department and the information technology department.
D. A company purchased an IPS system, but after reviewing the requirements,
the appliance was supposed to monitor, not block, any traffic.
E. A company purchased liability insurance for flood protection on all capital
assets.
Answer: D. A company purchased an IPS system, but after reviewing the
requirements, the appliance was supposed to monitor, not block, any traffic.
Terms: Network Load Balancer: Distributes traffic for efficient resource use.
A software developer needs to perform code-execution testing, black-box
testing, and non-functional testing on a new product before its general release.
Which of the following BEST describes the tasks the developer is conducting?
A. Verification
B. Validation
C. Normalization
D. Staging
Answer: A. Verification
Terms:
Code Execution Testing: Identifying vulnerabilities for unauthorized code execution.
Black-Box Testing: Assessing system functionality without internal code knowledge.
Non-functional Testing: Evaluating aspects like performance and security beyond
specific functionalities.
Wrong Answers:
Validation: Confirming accuracy, authenticity, or compliance.
Normalization: Organizing data to reduce redundancy and improve efficiency.
Staging: Pre-production testing environment for controlled releases.
Which of the following is MOST likely to outline the roles and responsibilities
of data controllers and data processors?
A. SSAE SOC 2
B. PCI DSS
C. GDPR
D. ISO 31000
Answer: C. GDPR - General Data Protection Regulation: EU regulation for privacy
and personal data protection.
Wrong Answers:
SSAE SOC 2: Service Organization Control 2 - Framework for securing data,
emphasizing trust service criteria.
PCI DSS: Payment Card Industry Data Security Standard - Security standards for
handling credit card information.
ISO 31000: International standard for effective risk management.
Which of the following cloud models provides clients with servers, storage,
and networks but nothing else?
A. SaaS
B. PaaS
C. IaaS
D. DaaS
Answer: C. IaaS
Infrastructure as a Service (IaaS) provides clients with virtualized computing
resources over the Internet. Clients have control over the operating systems,
applications, and network infrastructure, while the cloud service provider manages
the underlying physical hardware.
Wrong Answers:
SaaS (Software as a Service): Provides access to software applications over the
Internet. Users typically access the software through a web browser, and the
software is hosted and maintained by a third-party provider.
PaaS (Platform as a Service): Offers a platform allowing customers to develop,
run, and manage applications without dealing with the complexity of building and
maintaining the underlying infrastructure.
DaaS (Desktop as a Service): Delivers virtualized desktop environments over
the Internet. Users can access their desktop environments from various devices, and
the infrastructure is hosted by a service provider.
A network administrator has been alerted that web pages are experiencing
long load times.
After determining it is not a routing or DNS issue, the administrator logs in to
the router, runs a command, and receives the following output:
"CPU 0 percent busy, from 300 sec ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy"
Which of the following is the router experiencing?