Engineering Study Guide
Updated 2026/2027 Syllabus | 100+ Exam Questions with Answers
This study guide covers all core domains of the SANS SEC530 certification exam,
including Zero Trust Architecture, threat modeling, network security hardening,
application security, data protection, and security monitoring. Each question is followed
by its answer, marked ANSWER ✓, and a short rationale.
Domain 1: Zero Trust Architecture & Core Principles
Q1: An organization is moving away from a traditional perimeter-based security
model. Which statement best encapsulates the foundational assumption of a Zero
Trust Architecture (ZTA)?
A) The internal network is a safe zone, and external connections are the primary threat.
B) Trust is established solely by the user's IP address being within the corporate range.
C) The network is always considered hostile, and access to any resource must be
continuously verified.
D) A strong VPN is sufficient to secure all remote and internal traffic.
ANSWER ✓ C) The network is always considered hostile, and access to any resource
must be continuously verified.
Rationale: ZTA is built on the principle of "never trust, always verify." It assumes the
network is always hostile, whether internal or external, and requires continuous
verification of identity, device health, and context for every access request. Location on
the network (an internal IP range, a VPN tunnel) is never sufficient on its own to grant access.
Q2: A security architect is implementing micro-segmentation within a data center.
What is the primary security goal this control achieves?
A) It increases network throughput by isolating broadcast domains.
B) It prevents lateral movement by restricting an attacker's ability to pivot from a
compromised host to others.
C) It simplifies firewall rule management by consolidating all servers into a single zone.
D) It replaces the need for host-based firewalls on critical assets.
ANSWER ✓ B) It prevents lateral movement by restricting an attacker's ability to pivot
from a compromised host to others.
Rationale: Micro-segmentation creates granular security zones for individual workloads or
groups of assets. Its main defensive purpose is to contain breaches by limiting an
attacker's ability to move laterally (east-west traffic) within the network after an initial
compromise.
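To make the lateral-movement point concrete, the following added example (illustration only, not SEC530 course material) models a flat network against a micro-segmented one. Hosts, tiers, ports and rules are constructed sample data; the policy uses explicit tier-to-tier allow rules with an implicit default deny, and `lateral_surface` lists every (host, port) an attacker who owns one host could reach in a single hop.

```python
"""Blast-radius comparison: flat network vs micro-segmented workloads.

Added illustration. HOSTS, ports and both policies are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

@dataclass(frozen=True)
class Host:
    name: str
    tier: str  # workload group the policy is written against, e.g. "web", "app", "db"

# Constructed inventory: a three-tier application.
HOSTS: List[Host] = [
    Host("web-1", "web"), Host("web-2", "web"),
    Host("app-1", "app"), Host("app-2", "app"),
    Host("db-1", "db"),
]

# Ports an attacker would typically try when pivoting (constructed list).
PIVOT_PORTS = (22, 445, 3389, 8443, 5432)

# A rule is (src_tier, dst_tier, dst_port); "*" is a wildcard.
Rule = Tuple[str, str, Union[int, str]]

# Flat network: anything may talk to anything (one wildcard rule).
FLAT_POLICY: List[Rule] = [("*", "*", "*")]

# Micro-segmented: only the flows the application actually needs.
# Everything not listed, including web<->web and app<->app, is denied.
SEGMENTED_POLICY: List[Rule] = [
    ("web", "app", 8443),  # front end calls the app tier's HTTPS API
    ("app", "db", 5432),   # app tier talks to PostgreSQL
]

def rule_matches(rule: Rule, src: Host, dst: Host, port: int) -> bool:
    s, d, p = rule
    return s in ("*", src.tier) and d in ("*", dst.tier) and p in ("*", port)

def is_allowed(policy: List[Rule], src: Host, dst: Host, port: int) -> bool:
    """Default deny: a flow is allowed only if some rule explicitly matches it."""
    return any(rule_matches(r, src, dst, port) for r in policy)

def find_host(name: str) -> Host:
    return next(h for h in HOSTS if h.name == name)

def lateral_surface(policy: List[Rule], compromised: Host,
                    hosts: List[Host] = HOSTS,
                    ports: Tuple[int, ...] = PIVOT_PORTS) -> Set[Tuple[str, int]]:
    """Every (host, port) the owner of `compromised` can reach in one hop.

    The size of this set is the attacker's first-hop lateral-movement surface;
    micro-segmentation shrinks it to the flows the workload legitimately needs.
    """
    return {
        (h.name, p)
        for h in hosts if h != compromised
        for p in ports
        if is_allowed(policy, compromised, h, p)
    }

if __name__ == "__main__":
    web1 = find_host("web-1")
    print("flat network, web-1 compromised:     ",
          len(lateral_surface(FLAT_POLICY, web1)), "reachable (host, port) pairs")
    print("segmented, web-1 compromised:        ",
          sorted(lateral_surface(SEGMENTED_POLICY, web1)))
    print("segmented, app-1 compromised:        ",
          sorted(lateral_surface(SEGMENTED_POLICY, find_host("app-1"))))
    print("segmented, db-1 compromised:         ",
          sorted(lateral_surface(SEGMENTED_POLICY, find_host("db-1"))))
```

Run as a script: the flat policy exposes all four other hosts on every pivot port (20 pairs) to a compromised web-1; the segmented policy leaves it only the two app hosts on 8443, and a compromised database host can reach nothing at all. Note that the rules are written against workload labels (tiers), not IP addresses, which is what lets the same policy follow a workload when it moves.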
Q3: In a Zero Trust model, a Software-Defined Perimeter (SDP) is used to:
A) Replace the physical network infrastructure with a virtual one.
B) Make applications and infrastructure invisible to unauthorized users by requiring
device attestation and authentication before granting network access.
C) Provide a faster alternative to IPsec VPNs without any security trade-offs.
D) Automatically patch all internet-facing servers.
ANSWER ✓ B) Make applications and infrastructure invisible to unauthorized users by
requiring device attestation and authentication before granting network access.
Rationale: An SDP creates an identity- and context-based perimeter around assets. It hides
network resources from unauthorized discovery and only allows a connection after both the
device and the user have been verified (authenticate first, connect second), effectively
creating a "dark cloud" that unauthenticated scanners cannot see.
Q4: When discussing the DISA Zero Trust pillars, which pillar encompasses controls
like Local Admin Password Solution (LAPS) to manage privileged access on
endpoints?
A) Data
B) Network/Environment
C) User
D) Device
ANSWER ✓ D) Device
Rationale: The Device pillar in DISA's Zero Trust framework includes endpoint hardening,
configuration management, and privileged access management controls such as LAPS.
Q5: What is the centralized control component of Zero Trust architecture called?
A) Data plane
B) Control plane
C) Management plane
D) Security plane
ANSWER ✓ B) Control plane
Rationale: In a zero trust architecture, the control plane makes the centralized decisions
about access, authentication, and policy (the policy decision point). It re-verifies trust
continuously before granting access, while the data plane carries the actual traffic and
enforces the control plane's verdicts at the policy enforcement points.
Q6: Which of the following is NOT a DISA Zero Trust pillar?
A) User
B) Device
C) Perimeter Gateway
D) Data
ANSWER ✓ C) Perimeter Gateway
Rationale: The DISA Zero Trust pillars are: User, Device, Network/Environment,
Applications and Workloads, Data, Visibility and Analytics, and Automation and
Orchestration. Traditional perimeter concepts like "Perimeter Gateway" are not pillars in
Zero Trust architecture.
Q7: According to Zero Trust principles, what must be true about all traffic?
A) All traffic must be allowed for business continuity.
B) All traffic must be inspected and secured.
C) Only inbound traffic requires inspection.
D) Only traffic crossing the perimeter needs encryption.
ANSWER ✓ B) All traffic must be inspected and secured.
Rationale: Zero Trust mandates that all traffic must be secured regardless of origin or
destination. This includes east-west traffic within the data center and internal network
traffic, not just north-south perimeter traffic.
Q8: What is "variable trust" in the context of Zero Trust architecture?
A) Trust levels that change based on user mood.
B) Access controlled by a dynamic scoring system similar to credit scores, evaluating
multiple factors.
C) Trust that decreases over time without reason.
D) A binary trust decision (trusted or untrusted).
ANSWER ✓ B) Access controlled by a dynamic scoring system similar to credit scores,
evaluating multiple factors.
Rationale: Variable trust means access decisions are based on a continuous evaluation of
multiple factors including user identity, device health, location, behavior, and other
contextual data, not a simple binary trusted/untrusted decision.
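The following added example (illustration only, not SEC530 course material) ties Q5 and Q8 together: a control-plane policy decision point computes a variable trust score from identity, device, location and behaviour signals, and a data-plane enforcement point that holds no policy logic of its own forwards, challenges or drops each request based on the verdict. The signal names, weights, thresholds and sample contexts are assumptions chosen for illustration; real deployments tune them from their own telemetry.

```python
"""Variable trust: a control-plane scorer gating a data-plane request.

Added illustration. Signals, weights, thresholds and sample contexts are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

@dataclass(frozen=True)
class AccessContext:
    """Signals gathered for one access request (all fields are assumed names)."""
    user: str
    mfa_passed: bool
    device_managed: bool
    device_attested_minutes_ago: int  # age of the last posture/health check
    edr_healthy: bool
    geo_known: bool                   # request comes from a location seen before
    impossible_travel: bool
    failed_logins_last_hour: int
    resource_sensitivity: str         # "low" | "medium" | "high"

def trust_score(ctx: AccessContext) -> int:
    """Continuous score in [0, 100]; weights are illustrative assumptions."""
    score = 0
    score += 30 if ctx.mfa_passed else 5
    score += 25 if ctx.device_managed else 0
    score += 15 if ctx.edr_healthy else 0
    # Posture evidence ages: a fresh attestation is worth more than a stale one,
    # and one older than an hour earns nothing, forcing re-verification.
    if ctx.device_attested_minutes_ago <= 15:
        score += 15
    elif ctx.device_attested_minutes_ago <= 60:
        score += 8
    score += 10 if ctx.geo_known else 0
    # Behavioural anomalies subtract trust rather than flipping a single bit.
    if ctx.impossible_travel:
        score -= 40
    score -= min(ctx.failed_logins_last_hour, 5) * 4
    return max(0, min(100, score))

# Per-sensitivity thresholds: (deny below, allow at or above); in between => step-up.
THRESHOLDS: Dict[str, Tuple[int, int]] = {
    "low": (30, 50),
    "medium": (50, 70),
    "high": (70, 85),
}

def decide(ctx: AccessContext) -> str:
    """Control plane (policy decision point): returns allow, step-up or deny."""
    deny_below, allow_at = THRESHOLDS[ctx.resource_sensitivity]
    score = trust_score(ctx)
    if score < deny_below:
        return "deny"
    if score < allow_at:
        return "step-up"
    return "allow"

class PolicyEnforcementPoint:
    """Data plane: carries traffic, holds no policy, asks the PDP on every request."""

    def __init__(self, pdp=decide):
        self.pdp = pdp

    def handle(self, ctx: AccessContext, payload: Any) -> Tuple[str, Optional[Any]]:
        verdict = self.pdp(ctx)
        if verdict == "allow":
            return ("forwarded", payload)
        if verdict == "step-up":
            return ("challenge", None)   # e.g. prompt for fresh MFA, then retry
        return ("dropped", None)

# Constructed sample contexts.
HEALTHY = AccessContext("alice", True, True, 5, True, True, False, 0, "high")
STALE_DEVICE_HIGH = AccessContext("alice", True, True, 180, False, True, False, 0, "high")
STALE_DEVICE_MEDIUM = AccessContext("alice", True, True, 180, False, True, False, 0, "medium")
ANOMALOUS_LOW = AccessContext("bob", True, True, 5, True, False, True, 3, "low")
ANOMALOUS_HIGH = AccessContext("bob", True, True, 5, True, False, True, 3, "high")

if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    for name, ctx in [("healthy", HEALTHY), ("stale device, high", STALE_DEVICE_HIGH),
                      ("stale device, medium", STALE_DEVICE_MEDIUM),
                      ("anomalous, low", ANOMALOUS_LOW), ("anomalous, high", ANOMALOUS_HIGH)]:
        print(f"{name:22s} score={trust_score(ctx):3d} verdict={decide(ctx):8s} "
              f"pep={pep.handle(ctx, b'GET /')[0]}")
```

The same stale device scores 65 and is denied a high-sensitivity resource but only challenged for a medium one; a user with a fresh, healthy device who nevertheless trips impossible-travel and failed-login signals drops to 33, which is a step-up on a low-sensitivity resource and a deny on a high one. That graded outcome is what "variable trust" adds over a trusted/untrusted bit.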
Q9: What does "trust over time" refer to in Zero Trust?
A) Trust increases as a user stays longer in the organization.
B) The longer a machine or user is in production, the more likely it is compromised or
deviates from baseline.
C) Trust is established once and remains forever.
D) Time-based one-time passwords for authentication.