CEH MODULE 12 STUDY GUIDE EXAM QUESTIONS AND ANSWERS WITH COMPLETE SOLUTIONS VERIFIED LATEST UPDATE 2025/2026

Which type of intrusion detection system can monitor and alert on attacks, but cannot stop them?
Answer: C
(A) Detective
(B) Intuitive
(C) Passive
(D) Reactive

Which solution can be used to emulate computer services, such as mail and ftp, and to capture information related to logins or actions?
Answer: B
(A) Firewall
(B) Honeypot
(C) Intrusion Detection System (IDS)
(D) DeMilitarized Zone (DMZ)

Sean, who works as a network administrator, has just deployed an IDS in his organization's network. Sean deployed an IDS that generates four types of alerts that include: true positive, false positive, false negative, and true negative. In which of the following conditions does the IDS generate a true positive alert?
Answer: D
(A) A true positive is a condition occurring when an event triggers an alarm when no actual attack is in progress.
(B) A true positive is a condition occurring when an IDS identifies an activity as acceptable behavior and the activity is acceptable.
(C) A true positive is a condition occurring when an IDS fails to react to an actual attack event.
(D) A true positive is a condition occurring when an event triggers an alarm and causes the IDS to react as if a real attack is in progress.

What is the main advantage that a network-based IDS/IPS system has over a host-based solution?
Answer: D
(A) They are easier to install and configure.
(B) They are placed at the boundary, allowing them (C) to inspect all traffic.
(D) They do not use host system resources.
(E) They will not interfere with user interfaces.

Javier is asked to explain to IT management why he is suggesting replacing the existing company firewall. Javier states that many external attackers are using forged internet addresses against the firewall and is concerned that this technique is highly effective against the existing firewall. What type of firewall would Javier have deployed?
Answer: A
(A) Circuit-level proxy firewall is deployed because it prevents these types of attacks.
(B) Host-based firewall is deployed because the attackers are inside the network.
(C) Host-based firewall is deployed because the attackers are outside the network.
(D) Packet filtering firewall is deployed because it is unable to prevent these types of attacks.

Teyla is a security analyst for BAYARA Company. She is responsible for the firewall, antivirus, IPS, and web filtering security controls. She wants to protect the employees from a new phishing attack. What should Teyla do?
Answer: B
(A) Block outbound traffic to the ports 80 and 443 in the firewall.
(B) Use the web filtering application to