CompTIA Security+ Exam Questions &
ANSWERs – Cybersecurity | UMGCFULL
ORIGINAL PRACTICE EXAM (SY0-701 Style) —
Form C (90 Questions AND WELL VERIFIED
ANSWERS ALREADY GRADED A+ ACTUAL
2026!!!!
PBQ-Style Set (Questions 1–8)
Q1 (PBQ — Firewall egress policy)
You manage outbound rules. Requirements:
• Users can browse web: TCP 80/443 to internet
• DNS must go only to internal resolver 10.10.10.53 (UDP/TCP 53)
• Block all outbound SMTP (TCP 25) except mail server 10.10.20.25
• Default deny
Which rule order best meets requirements?
A.
1 Allow ANY → ANY TCP 80,443
2 Allow ANY → 10.10.10.53 UDP/TCP 53
3 Deny ANY → ANY TCP 25
4 Allow 10.10.20.25 → ANY TCP 25
5 Deny ANY → ANY ANY
B.
1 Allow 10.10.20.25 → ANY TCP 25
2 Deny ANY → ANY TCP 25
3 Allow ANY → ANY TCP 80,443
4 Allow ANY → 10.10.10.53 UDP/TCP 53
5 Deny ANY → ANY ANY
C.
1 Deny ANY → ANY ANY
2 Allow ANY → ANY TCP 80,443
3 Allow ANY → 10.10.10.53 UDP/TCP 53
4 Allow 10.10.20.25 → ANY TCP 25
D.
1 Allow ANY → ANY TCP 25
2 Allow ANY → ANY TCP 80,443
3 Allow ANY → 10.10.10.53 UDP/TCP 53
4 Deny ANY → ANY ANY
ANSWER: B
Rationale: SMTP allow must come before SMTP deny. Default deny must be last. Rule B matches all
requirements.
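The rule-order reasoning in Q1 can be checked mechanically. The following is an added example, not part of the original exam: a first-match evaluator that runs the four option rule sets against constructed test flows. The workstation address 10.10.30.7, the external addresses (documentation ranges) and the first-match-with-implicit-deny semantics are assumptions.

```python
# Rule: (action, source, destination, protocols, ports); "ANY" is a wildcard.
WEB = ("allow", "ANY", "ANY", {"tcp"}, {80, 443})
DNS = ("allow", "ANY", "10.10.10.53", {"udp", "tcp"}, {53})
SMTP_MAIL = ("allow", "10.10.20.25", "ANY", {"tcp"}, {25})
SMTP_DENY = ("deny", "ANY", "ANY", {"tcp"}, {25})
SMTP_ANY = ("allow", "ANY", "ANY", {"tcp"}, {25})
DENY_ALL = ("deny", "ANY", "ANY", "ANY", "ANY")

# The four answer options from Q1, in the order each lists its rules.
OPTIONS = {
    "A": [WEB, DNS, SMTP_DENY, SMTP_MAIL, DENY_ALL],
    "B": [SMTP_MAIL, SMTP_DENY, WEB, DNS, DENY_ALL],
    "C": [DENY_ALL, WEB, DNS, SMTP_MAIL],
    "D": [SMTP_ANY, WEB, DNS, DENY_ALL],
}

# Constructed test flows: (src, dst, proto, port, required outcome).
FLOWS = [
    ("10.10.30.7", "203.0.113.10", "tcp", 443, "allow"),  # user browsing
    ("10.10.30.7", "10.10.10.53", "udp", 53, "allow"),    # DNS to internal resolver
    ("10.10.30.7", "198.51.100.53", "udp", 53, "deny"),   # DNS to an outside resolver
    ("10.10.20.25", "203.0.113.25", "tcp", 25, "allow"),  # mail server SMTP
    ("10.10.30.7", "203.0.113.25", "tcp", 25, "deny"),    # workstation SMTP
    ("10.10.30.7", "203.0.113.10", "tcp", 22, "deny"),    # anything else
]

def _hit(field, value):
    """A rule field matches if it is ANY, equals the value, or is a set containing it."""
    return field == "ANY" or value == field or (isinstance(field, set) and value in field)

def evaluate(rules, src, dst, proto, port):
    """First matching rule decides; no match is treated as deny (assumption)."""
    for action, r_src, r_dst, r_protos, r_ports in rules:
        if _hit(r_src, src) and _hit(r_dst, dst) and _hit(r_protos, proto) and _hit(r_ports, port):
            return action
    return "deny"

def failures(rules):
    """Return the constructed flows whose outcome violates the requirements."""
    return [f for f in FLOWS if evaluate(rules, *f[:4]) != f[4]]

def passing_options():
    """Names of the options that satisfy every constructed flow."""
    return [name for name, rules in OPTIONS.items() if not failures(rules)]

if __name__ == "__main__":
    for name, rules in OPTIONS.items():
        print(name, "OK" if not failures(rules) else failures(rules))
```
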
Q2 (PBQ — Incident triage)
You receive alerts:
• EDR: winword.exe spawned powershell.exe -enc ...
• DNS: many random subdomain queries
• Firewall: outbound 443 to a new IP never seen before
What is the best immediate action sequence?
A. Reimage the host immediately; delete logs
B. Isolate host from network; capture volatile data; preserve logs; begin containment-wide hunt
C. Ignore until user complains
D. Shut down the entire subnet permanently
ANSWER: B
Rationale: Containment first (isolation), preserve evidence, then expand to hunting/IOC blocking.
Reimaging too early destroys evidence.
Q3 (PBQ — IAM design)
A company wants:
• Admin tasks done from a controlled system
• All admin sessions recorded
• No direct RDP/SSH from the internet
Best design?
A. Open RDP to the internet with strong passwords
B. Bastion/jump host + PAM + MFA + session recording
C. Shared admin account for convenience
D. Disable logs to save storage
ANSWER: B
Rationale: Bastion reduces attack surface; PAM limits/controls privileged access; session recording
supports auditing.
Q4 (PBQ — Cloud misconfiguration)
You must prevent developers from deploying public object storage buckets.
Best preventive control?
A. Annual training only
B. Policy-as-code guardrail: deny public ACLs + continuous config evaluation
C. Disable encryption
D. Remove all developer access
ANSWER: B
Rationale: Guardrails prevent the bad state at deploy time and continuously detect drift.
Q5 (PBQ — Data classification)
Match data type → best minimum control:
1. Public marketing brochure
2. Employee SSNs
3. Internal network diagram
4. Source code for a customer-facing app
Controls:
A. No special restrictions beyond integrity checks
B. Strong access control + encryption at rest + limited logging exposure (redaction)
C. Restricted access + encryption + change control + monitoring
D. Restricted access + integrity + secrets management for embedded keys
Best mapping?
A. 1-A, 2-B, 3-C, 4-D
B. 1-B, 2-A, 3-D, 4-C
C. 1-A, 2-C, 3-B, 4-D
D. 1-D, 2-B, 3-A, 4-C
ANSWER: A
Rationale: Public data needs integrity; SSNs need strong confidentiality controls; network diagrams are
sensitive (help attackers); source code needs tight access and secure secret handling.
Q6 (PBQ — Authentication choice)
You must protect a web admin portal from password-only compromise and credential stuffing.