Exam Threat Detection Vulnerability Management
Official Practice Exam Actual Exam 2026/2027
with Detailed Rationales | Complete Exam-Style
Questions | Pass Guaranteed – A+ Graded
══════════════════════════════════════
SECTION 1: SECURITY OPERATIONS & THREAT INTELLIGENCE Q1 – Q10
══════════════════════════════════════
Question 1 of 50
A regional healthcare system's SOC analyst notices that a nurse workstation in the
cardiology department has begun generating 847 failed RDP login attempts per hour from an
internal IP address. The SIEM dashboard shows the source IP belongs to a medical imaging
server that has been offline for maintenance since Tuesday. The analyst also observes that
the same account is attempting lateral movement via SMB to three other workstations in the
same subnet.
A. The failed RDP attempts are likely caused by a misconfigured scheduled task on the
imaging server that is trying to reconnect after maintenance.
B. The activity is most likely a false positive triggered by the imaging server coming back
online and re-establishing normal domain authentication.
C. The failed RDP attempts combined with lateral SMB movement indicate compromised
credentials being used for propagation by an active threat actor.
D. The high volume of failed logins is a benign result of the imaging server automatically
updating its security patches after the maintenance window.
Correct Answer: C
Rationale: The combination of failed RDP attempts from a known-offline server, credential
reuse, and lateral SMB movement is a textbook indicator of compromised credentials being
leveraged for propagation, which aligns with MITRE ATT&CK technique T1021.001. Option A
is a common trap because misconfigured scheduled tasks do cause failed logins, but they do
not explain the lateral SMB movement to multiple workstations. On the exam, always
correlate multiple indicators before dismissing activity as benign; a single anomalous
behavior might be noise, but correlated behaviors across protocols are almost always
malicious.
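The correlation the rationale describes, as an added example that is not part of the original exam material: constructed Windows-style events are grouped by source IP so that failed RDP logons, SMB sessions to several hosts, and the asset inventory's "offline for maintenance" status are judged together rather than one at a time. Host names, IPs, and thresholds are hypothetical.

```python
from collections import defaultdict

# Constructed asset inventory (hypothetical): hosts the CMDB says are offline.
OFFLINE_HOSTS = {"10.20.5.14"}  # medical imaging server, down for maintenance

# Constructed events for one hour, shaped like fields a SIEM exposes for Windows logs.
EVENTS = (
    [{"kind": "rdp_fail", "src": "10.20.5.14", "user": "rn_jsmith", "dst": "CARD-WS-07"}] * 847
    + [{"kind": "smb", "src": "10.20.5.14", "user": "rn_jsmith", "dst": d}
       for d in ("CARD-WS-02", "CARD-WS-03", "CARD-WS-09")]
    # Noise resembling option A: a broken scheduled task fails logons but never moves laterally.
    + [{"kind": "rdp_fail", "src": "10.20.7.3", "user": "svc_backup", "dst": "CARD-WS-07"}] * 150
)

def correlate(events, offline_hosts, rdp_threshold=100, smb_min_targets=2):
    """Group indicators per source IP and combine them across protocols."""
    rdp = defaultdict(int)
    smb_targets = defaultdict(set)
    users = defaultdict(set)
    for e in events:
        users[e["src"]].add(e["user"])
        if e["kind"] == "rdp_fail":
            rdp[e["src"]] += 1
        elif e["kind"] == "smb":
            smb_targets[e["src"]].add(e["dst"])
    findings = {}
    for src in set(rdp) | set(smb_targets):
        indicators = []
        if rdp[src] >= rdp_threshold:
            indicators.append("rdp_bruteforce")
        if len(smb_targets[src]) >= smb_min_targets:
            indicators.append("smb_lateral")
        if src in offline_hosts:
            indicators.append("source_should_be_offline")
        # One indicator may be noise; RDP failures plus lateral SMB from the same source is not.
        if "rdp_bruteforce" in indicators and "smb_lateral" in indicators:
            verdict = "escalate: compromised credentials propagating"
        elif indicators:
            verdict = "triage: single indicator"
        else:
            verdict = "benign"
        findings[src] = {"indicators": indicators, "users": sorted(users[src]), "verdict": verdict}
    return findings
```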
Question 2 of 50
A financial services firm has deployed a new cloud-native SIEM that ingests logs from
on-premises firewalls, Azure AD, and AWS CloudTrail. During the first week of operation, the
SOC lead notices that Azure AD sign-in logs are timestamped 4 hours ahead of the firewall
and AWS logs, causing correlation rules to fail. The SIEM vendor confirms all agents are
configured to send UTC timestamps.
A. The Azure AD tenant is configured to use Pacific Standard Time instead of UTC, and the
SIEM is not applying timezone normalization during ingestion.
B. The NTP service on the Azure AD Connect server is unsynchronized, causing drift between
the on-premises and cloud identity timestamps.
C. Azure AD sign-in logs natively record timestamps in the tenant's local timezone, and the
SIEM parser must be configured to convert them to UTC before correlation.
D. The firewall and AWS agents are incorrectly configured to use GMT instead of UTC,
creating a 4-hour discrepancy with the properly configured Azure AD agents.
Correct Answer: C
Rationale: Azure AD sign-in logs record timestamps in the tenant's local timezone by default,
not UTC, which is a well-documented behavior that SIEM parsers must handle during
ingestion. Option A is incorrect because Azure AD does not use PST by default; it uses the
tenant's configured timezone, which could be any region. In production environments, always
verify timezone handling during SIEM onboarding, as timestamp misalignment is one of the
most common causes of failed correlation rules and missed detections.
Question 3 of 50
A retail organization's threat intelligence team subscribes to three commercial threat feeds
and one open-source feed (Abuse.ch). During a weekly review, the team notices that the
same IP address appears in all four feeds as a known C2 server, but the organization's EDR
has not flagged any endpoint communicating with it. The network team confirms no firewall
blocks are in place for that IP range.
A. The threat feeds are providing stale intelligence, and the IP address was already taken
down by law enforcement before the organization could detect it.
B. The EDR is likely misconfigured to exclude outbound C2 communication from its detection
logic, and the SOC should verify the EDR policy settings.
C. The absence of detection does not mean the IP is benign; the organization should hunt for
historical connections to that IP in proxy and DNS logs.
D. The firewall is silently dropping the C2 traffic without logging it, which explains why the
EDR sees nothing and the network team sees no blocks.
Correct Answer: C
Rationale: Threat intelligence is most valuable when it drives proactive hunting, not just
reactive alerting; the absence of an EDR detection could mean the C2 was never contacted, or
it could mean the communication was missed, so hunting in proxy and DNS logs is the
correct analyst response. Option B is a tempting trap because EDR misconfiguration is
common, but the question states no firewall blocks exist and the EDR has not flagged
anything, which does not automatically equal misconfiguration. On CySA+, remember that
threat intelligence should always trigger hunting behavior, not just policy changes, and that
multiple data sources must be correlated before concluding an indicator is false.
Question 4 of 50
A manufacturing company's SOC has been running a threat hunting program for six months.
The lead hunter develops a hypothesis that APT29 is targeting their engineering department
based on a suspicious PDF attachment received by a senior engineer. After two weeks of
hunting across endpoint, network, and email logs, no additional indicators of APT29 are
found. The hunter is preparing to close the hunt.
A. The hunter should extend the hunt for another month to ensure no APT29 activity was
missed, as advanced persistent threats often remain dormant for extended periods.
B. The hunter should document the negative findings, archive the data sources queried, and
close the hunt, as the hypothesis was not validated.
C. The hunter should immediately escalate to incident response because the presence of a
suspicious PDF from a known APT group constitutes a confirmed compromise.
D. The hunter should pivot to a new hypothesis that a different APT group is responsible, as
the PDF may have been a misattribution or decoy.
Correct Answer: B
Rationale: Threat hunting is hypothesis-driven, and a critical part of the process is
documenting negative results and closing hunts when the hypothesis is not validated, which
prevents resource drain and maintains program integrity. Option A is incorrect because
extending hunts indefinitely without new indicators violates the principle of time-boxed
hunting and efficient resource allocation. In real-world SOC operations, well-documented
negative hunts are just as valuable as positive ones because they establish baseline
knowledge and prevent repeated work on the same hypothesis.
Question 5 of 50
A university's security operations team has implemented a SOAR platform to automate tier-1
alert triage. The playbook is designed to enrich an alert with threat intelligence, check the
asset's criticality in the CMDB, and either auto-close low-risk alerts or escalate high-risk
alerts to a tier-2 analyst. During the first month, the team notices that 40% of auto-closed
alerts were actually true positives involving compromised student accounts.
A. The CMDB asset criticality ratings are outdated, causing the playbook to misclassify
high-value student systems as low-risk.
B. The threat intelligence enrichment step is using stale feeds that do not contain the IOCs
associated with the current student account compromise campaign.
C. The playbook's risk scoring logic is insufficient because it does not account for behavioral
indicators of compromise, such as impossible travel or credential stuffing patterns.
D. The auto-close threshold is set too aggressively, and the playbook should require human
approval for all alerts regardless of initial risk score.
Correct Answer: C
Rationale: The playbook is failing because it relies on static asset criticality and IOC
matching without incorporating behavioral analytics, which is essential for detecting account
compromise campaigns that may not match known IOCs. Option A is a common trap
because outdated CMDB data is a real problem, but the issue here is that the alerts were true
positives involving compromised accounts, not that the systems were misclassified as
low-value. When designing SOAR playbooks, always include behavioral indicators alongside
threat intelligence and asset criticality to catch novel attack patterns that static IOCs will
miss.
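The scoring gap the rationale points to, as an added example that is not part of the original exam material: a static score built only from CMDB criticality and IOC matches auto-closes a compromised student account, while the same score extended with one behavioral indicator (impossible travel between consecutive sign-ins) escalates it. The account, sign-in locations, point values, and threshold are constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-ins (hypothetical) for one student account: (time, city, lat, lon).
SIGNINS = [
    (datetime(2025, 3, 3, 8, 2), "Ann Arbor", 42.28, -83.74),
    (datetime(2025, 3, 3, 8, 41), "Lagos", 6.52, 3.38),
]
# Constructed alert fields: what the playbook in the question actually consults.
ALERT = {"account": "student_x", "asset_criticality": 1, "ioc_match": False}

def km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine) in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=900):
    """True if any two consecutive sign-ins imply travel faster than an airliner."""
    for (t1, _, la1, lo1), (t2, _, la2, lo2) in zip(signins, signins[1:]):
        hours = (t2 - t1).total_seconds() / 3600
        if hours > 0 and km(la1, lo1, la2, lo2) / hours > max_kmh:
            return True
    return False

def static_score(alert):
    """The playbook as described: CMDB criticality plus an IOC hit, nothing else."""
    return alert["asset_criticality"] * 2 + (5 if alert["ioc_match"] else 0)

def behavioral_score(alert, signins):
    """Same base score, plus a behavioral indicator of account compromise."""
    score = static_score(alert)
    if impossible_travel(signins):
        score += 6
    return score

def decide(score, threshold=5):
    """Tier-1 outcome: below threshold the playbook auto-closes, otherwise escalates."""
    return "escalate" if score >= threshold else "auto-close"
```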
Question 6 of 50
A municipal government's network security team detects a sudden 300% increase in DNS
query volume from a single department's subnet during off-hours. The queries are all for
domains that have been registered within the last 48 hours and follow a pattern of random
alphanumeric strings. The department's workstations are not running any scheduled backup
or update jobs at that time.
A. The activity is likely caused by a legitimate software update mechanism that uses newly
registered CDN domains for patch distribution.
B. The random alphanumeric domain queries are characteristic of domain generation
algorithm (DGA) behavior used by malware to locate C2 servers.
C. The DNS spike is probably a false positive caused by a misconfigured DNS sinkhole that is
redirecting internal queries to external resolvers.
D. The off-hours timing indicates a legitimate automated vulnerability scanning tool running
outside business hours to avoid network disruption.
Correct Answer: B
Rationale: A sudden spike in DNS queries to randomly generated, recently registered domains
during off-hours is a classic indicator of domain generation algorithm (DGA) activity, which
malware uses to evade static domain blocking and locate active C2 infrastructure. Option D
is a tempting trap because vulnerability scans do run off-hours, but scanners do not generate
random DGA-style domain queries; they query known target IPs or hostnames. In a SOC, DGA