COMPTIA SECURITY+ CERTIFICATION EXAM –QUESTIONS AND CORRECT ANSWERS (VERIFIED ANSWERS) PLUS RATIONALES 2026
Q&A | INSTANT DOWNLOAD PDF.
CORE DOMAINS
General Security ConceptsThreats, Vulnerabilities, and MitigationsSecurity ArchitectureSecurity OperationsSecurity Program Management and
OversightIdentity and Access ManagementNetwork Security OperationsCloud and Hybrid Environment SecurityLegal, Risk, and Compliance
INTRODUCTION
The CompTIA Security+ certification exam is a global benchmark for validating the foundational skills required to perform core security functions and
pursue an IT security career. This assessment focuses on the practical, hands-on ability to solve real-world security problems, ensuring candidates
possess the knowledge to secure networks, devices, and devices. The exam structure utilizes multiple-choice and complex performance-based
scenarios to evaluate technical expertise across various domains. By emphasizing threat management, cryptography, and risk mitigation, this exam
prepares professionals to make informed, ethical decisions in high-pressure environments, maintaining the integrity, availability, and confidentiality of
critical organizational data.
SECTION ONE: QUESTIONS 1–100
1. An organization is implementing a new security policy that requires all employees to use a physical token in addition to their password to
access the internal network. Which of the following best describes this security control?
A. Single-factor authentication
B. Biometric authentication
C. Multi-factor authentication
D. Implicit deny
🟢 C. Multi-factor authentication
🔴 RATIONALE: Multi-factor authentication (MFA) requires two or more different categories of credentials (something you know, something you
have, or something you are). A password and a physical token satisfy this requirement.
2. A security analyst discovers an unauthorized device plugged into a network switch in a restricted area. The device is capturing traffic and
sending it to an external IP address. Which type of attack is occurring?
A. Phishing
B. On-path attack
C. Bluejacking
D. Logic bomb
,🟢 B. On-path attack
🔴 RATIONALE: An on-path attack (formerly Man-in-the-Middle) involves an attacker placing themselves between two communicating parties to
intercept or alter the data being transmitted.
3. Which of the following cryptographic algorithms is considered asymmetric?
A. AES
B. DES
C. RSA
D. Blowfish
🟢 C. RSA
🔴 RATIONALE: RSA (Rivest-Shamir-Adleman) is a widely used asymmetric algorithm based on public and private key pairs, whereas AES, DES,
and Blowfish are symmetric algorithms.
4. A technician is configuring a wireless access point. Which of the following encryption protocols provides the highest level of security?
A. WEP
B. WPA
C. WPA2
D. WPA3
🟢 D. WPA3
🔴 RATIONALE: WPA3 is the most modern and secure wireless encryption protocol, offering improved protection against brute-force attacks and
enhanced individual data encryption.
5. An executive receives an email that appears to be from the company's CEO, asking for an urgent wire transfer to a specific vendor. The email
uses a similar domain name but is off by one character. This is an example of:
A. Smishing
B. Vishing
C. Whaling
D. Tailgating
🟢 C. Whaling
🔴 RATIONALE: Whaling is a specific type of spear phishing that targets high-level executives or individuals with significant access to sensitive data
or financial resources.
6. Which of the following is a detective security control?
, A. Security guards
B. CCTV cameras
C. Firewalls
D. Encryption
🟢 B. CCTV cameras
🔴 RATIONALE: CCTV cameras are detective controls because they record and identify security incidents after or as they occur. Firewalls and
encryption are preventive, and guards are physical/preventive.
7. During a risk assessment, a company determines that the cost of implementing a safeguard for a specific server exceeds the value of the
data on that server. The company decides to take no further action. Which risk response was used?
A. Mitigation
B. Avoidance
C. Acceptance
D. Transfer
🟢 C. Acceptance
🔴 RATIONALE: Risk acceptance is the decision to acknowledge a risk but take no action to mitigate it, usually because the cost of the control
outweighs the potential loss.
8. A software developer is using a technique that ensures sensitive data, such as credit card numbers, is replaced with non-sensitive
placeholders while maintaining the data's original format. What is this called?
A. Masking
B. Tokenization
C. Hashing
D. Salting
🟢 B. Tokenization
🔴 RATIONALE: Tokenization replaces sensitive data with unique symbols (tokens) that retain all the essential information about the data without
compromising its security.
9. Which of the following describes a vulnerability that is unknown to the software vendor and for which no patch currently exists?
A. Zero-day
B. Buffer overflow
C. SQL injection
D. Cross-site scripting
Q&A | INSTANT DOWNLOAD PDF.
CORE DOMAINS
General Security ConceptsThreats, Vulnerabilities, and MitigationsSecurity ArchitectureSecurity OperationsSecurity Program Management and
OversightIdentity and Access ManagementNetwork Security OperationsCloud and Hybrid Environment SecurityLegal, Risk, and Compliance
INTRODUCTION
The CompTIA Security+ certification exam is a global benchmark for validating the foundational skills required to perform core security functions and
pursue an IT security career. This assessment focuses on the practical, hands-on ability to solve real-world security problems, ensuring candidates
possess the knowledge to secure networks, devices, and devices. The exam structure utilizes multiple-choice and complex performance-based
scenarios to evaluate technical expertise across various domains. By emphasizing threat management, cryptography, and risk mitigation, this exam
prepares professionals to make informed, ethical decisions in high-pressure environments, maintaining the integrity, availability, and confidentiality of
critical organizational data.
SECTION ONE: QUESTIONS 1–100
1. An organization is implementing a new security policy that requires all employees to use a physical token in addition to their password to
access the internal network. Which of the following best describes this security control?
A. Single-factor authentication
B. Biometric authentication
C. Multi-factor authentication
D. Implicit deny
🟢 C. Multi-factor authentication
🔴 RATIONALE: Multi-factor authentication (MFA) requires two or more different categories of credentials (something you know, something you
have, or something you are). A password and a physical token satisfy this requirement.
2. A security analyst discovers an unauthorized device plugged into a network switch in a restricted area. The device is capturing traffic and
sending it to an external IP address. Which type of attack is occurring?
A. Phishing
B. On-path attack
C. Bluejacking
D. Logic bomb
,🟢 B. On-path attack
🔴 RATIONALE: An on-path attack (formerly Man-in-the-Middle) involves an attacker placing themselves between two communicating parties to
intercept or alter the data being transmitted.
3. Which of the following cryptographic algorithms is considered asymmetric?
A. AES
B. DES
C. RSA
D. Blowfish
🟢 C. RSA
🔴 RATIONALE: RSA (Rivest-Shamir-Adleman) is a widely used asymmetric algorithm based on public and private key pairs, whereas AES, DES,
and Blowfish are symmetric algorithms.
4. A technician is configuring a wireless access point. Which of the following encryption protocols provides the highest level of security?
A. WEP
B. WPA
C. WPA2
D. WPA3
🟢 D. WPA3
🔴 RATIONALE: WPA3 is the most modern and secure wireless encryption protocol, offering improved protection against brute-force attacks and
enhanced individual data encryption.
5. An executive receives an email that appears to be from the company's CEO, asking for an urgent wire transfer to a specific vendor. The email
uses a similar domain name but is off by one character. This is an example of:
A. Smishing
B. Vishing
C. Whaling
D. Tailgating
🟢 C. Whaling
🔴 RATIONALE: Whaling is a specific type of spear phishing that targets high-level executives or individuals with significant access to sensitive data
or financial resources.
6. Which of the following is a detective security control?
, A. Security guards
B. CCTV cameras
C. Firewalls
D. Encryption
🟢 B. CCTV cameras
🔴 RATIONALE: CCTV cameras are detective controls because they record and identify security incidents after or as they occur. Firewalls and
encryption are preventive, and guards are physical/preventive.
7. During a risk assessment, a company determines that the cost of implementing a safeguard for a specific server exceeds the value of the
data on that server. The company decides to take no further action. Which risk response was used?
A. Mitigation
B. Avoidance
C. Acceptance
D. Transfer
🟢 C. Acceptance
🔴 RATIONALE: Risk acceptance is the decision to acknowledge a risk but take no action to mitigate it, usually because the cost of the control
outweighs the potential loss.
8. A software developer is using a technique that ensures sensitive data, such as credit card numbers, is replaced with non-sensitive
placeholders while maintaining the data's original format. What is this called?
A. Masking
B. Tokenization
C. Hashing
D. Salting
🟢 B. Tokenization
🔴 RATIONALE: Tokenization replaces sensitive data with unique symbols (tokens) that retain all the essential information about the data without
compromising its security.
9. Which of the following describes a vulnerability that is unknown to the software vendor and for which no patch currently exists?
A. Zero-day
B. Buffer overflow
C. SQL injection
D. Cross-site scripting
