Questions (MCQs) with Answers and Explanations for Cybersecurity Analyst Certification Exams
1. A security analyst notices repeated authentication failures followed by a successful login from the same external IP address. Which attack technique is most consistent with this behavior?
A. Pass-the-hash attack
B. SQL injection
C. Cross-site scripting
D. Password spraying
Explanation: Password spraying involves attempting a small number of common passwords against many accounts to avoid account lockouts. A successful login following multiple failures from the same source is indicative of this technique.
2. During an investigation, analysts observe a host generating DNS requests to domains consisting of random characters. Which activity is most likely occurring?
A. ARP poisoning
B. Session hijacking
C. Command-and-control communication using DNS tunneling
D. VLAN hopping
Explanation: Malware often uses DNS tunneling and algorithmically generated domains to communicate with command-and-control servers while bypassing traditional filtering mechanisms.
3. Which SIEM capability is primarily responsible for identifying complex attack patterns across multiple systems?
A. Packet fragmentation
B. Hashing
C. Tokenization
D. Correlation analysis
Explanation: Correlation analysis combines logs and events from different sources to detect suspicious patterns that may not be apparent when examining individual records.
4. An organization wishes to reduce the mean time to respond to security incidents through automation. Which technology provides the most direct benefit?
A. IDS
B. NAC
C. DLP
D. SOAR
Explanation: Security Orchestration, Automation, and Response (SOAR) platforms automate workflows and response actions, improving efficiency and reducing response times.
5. Which attack attempts to exploit trust relationships by inserting malicious SQL statements into application inputs?
A. Buffer overflow
B. Directory traversal
C. XML injection
D. SQL injection
Explanation: SQL injection attacks manipulate database queries through unsanitized user inputs, potentially exposing or modifying sensitive information.
6. A vulnerability scan identifies CVE entries with a CVSS score of 9.8. How should these findings generally be categorized?
A. Informational
B. Low severity
C. Medium severity
D. Critical severity