CYSA Verified Multiple Choice and
Conceptual Actual Exam Questions With
Reviewed 100% Correct Detailed Answers
Guaranteed Pass!!Current Update
1. Q: A systems administrator reports suspicious PowerShell activity, including
obfuscated commands and unexpected outbound connections. Which
scanning tool would best detect living-off-the-land attacks like this?
A: A host-based behavior analytics tool with PowerShell script detection
capabilities.
Rationale: Behavior analytics tools can flag abnormal PowerShell usage rather
than relying solely on signature-based detection.
2. Q: A SIEM is loudly alerting with multiple port scan attempts from a single
IP to various internal servers. What’s your first triage step?
A: Check the asset inventory to identify whether the target IPs are active
production systems or unused assets.
Rationale: Understanding the context (e.g., critical asset versus retired
device) helps prioritize your response.
3. Q: You suspect a fileless attack is persistently hiding in system memory. Which
forensic tool should you use?
A: Volatility for memory image analysis.
Rationale: Volatility can extract running processes, hidden threads, and injected
code—ideal for detecting memory-resident threats.
,4. Q: During threat modeling, you discover that a user’s password hashes are
easily accessible by unauthorized staff. Which STRIDE threat category applies?
A: Tampering – unauthorized modification or access to sensitive data.
Rationale: STRIDE maps threat types to specific risks; exposed hashes represent
an integrity violation.
5. Q: You receive alerts for both a single low-level phishing email and a DoS attack
against public web servers. Which incident gets higher priority?
A: The DoS attack takes precedence.
Rationale: A service outage affecting public-facing infrastructure impacts
availability and poses larger business risk.
6. Q: You want to detect lateral movement within the corporate network. Where
should you place your network monitors?
A: Use internal network sensors (managed by your IDS/IPS) to inspect East–West
(lateral) traffic.
Rationale: Monitoring internal traffic is essential for detecting internal threats and
lateral attacks.
7. Q: Brute-force login attempts are flooding your web portal. What mitigation
should you implement?
A: Implement account lockout policies and CAPTCHA on login pages.
Rationale: Enabling lockouts slows brute-force attempts and CAPTCHA counters
automated scripts.
8. Q: You suspect DNS queries are being used for sensitive data exfiltration. What
analysis would confirm this?
A: Analyze unusually long or randomly structured DNS query names.
, Rationale: DNS tunneling often uses encoded or lengthy hostnames to conceal
transmitted data.
9. Q: A new application sends logs in XML format. How can your SIEM ingest them
correctly?
A: Create or import a custom parser for that XML log format.
Rationale: Proper log parsing ensures that field data are correctly categorized and
searchable.
10. Q: You discover an unpatched CVE in a third-party web server. What is the
primary risk now?
A: The vulnerability exists, but exploitation depends on whether an exploit packet
is available. It's currently an exposed risk.
Rationale: Distinguishing between a vulnerability (potential risk) and an exploit
(actual attack vector) is crucial for accurate risk assessment.
A newly hired cybersecurity manager oversees the organization's operational
control responsibilities. Which of the following is an example of this
responsibility?
A. Monitoring the network for unauthorized access attempts
B. Conducting a risk assessment to identify potential vulnerabilities in the system
C. Installing antivirus software on all company computers
D. Creating a strong password policy for employees to follow - ANSWER A.
Monitoring the network for unauthorized access attempts
Conceptual Actual Exam Questions With
Reviewed 100% Correct Detailed Answers
Guaranteed Pass!!Current Update
1. Q: A systems administrator reports suspicious PowerShell activity, including
obfuscated commands and unexpected outbound connections. Which
scanning tool would best detect living-off-the-land attacks like this?
A: A host-based behavior analytics tool with PowerShell script detection
capabilities.
Rationale: Behavior analytics tools can flag abnormal PowerShell usage rather
than relying solely on signature-based detection.
2. Q: A SIEM is loudly alerting with multiple port scan attempts from a single
IP to various internal servers. What’s your first triage step?
A: Check the asset inventory to identify whether the target IPs are active
production systems or unused assets.
Rationale: Understanding the context (e.g., critical asset versus retired
device) helps prioritize your response.
3. Q: You suspect a fileless attack is persistently hiding in system memory. Which
forensic tool should you use?
A: Volatility for memory image analysis.
Rationale: Volatility can extract running processes, hidden threads, and injected
code—ideal for detecting memory-resident threats.
,4. Q: During threat modeling, you discover that a user’s password hashes are
easily accessible by unauthorized staff. Which STRIDE threat category applies?
A: Tampering – unauthorized modification or access to sensitive data.
Rationale: STRIDE maps threat types to specific risks; exposed hashes represent
an integrity violation.
5. Q: You receive alerts for both a single low-level phishing email and a DoS attack
against public web servers. Which incident gets higher priority?
A: The DoS attack takes precedence.
Rationale: A service outage affecting public-facing infrastructure impacts
availability and poses larger business risk.
6. Q: You want to detect lateral movement within the corporate network. Where
should you place your network monitors?
A: Use internal network sensors (managed by your IDS/IPS) to inspect East–West
(lateral) traffic.
Rationale: Monitoring internal traffic is essential for detecting internal threats and
lateral attacks.
7. Q: Brute-force login attempts are flooding your web portal. What mitigation
should you implement?
A: Implement account lockout policies and CAPTCHA on login pages.
Rationale: Enabling lockouts slows brute-force attempts and CAPTCHA counters
automated scripts.
8. Q: You suspect DNS queries are being used for sensitive data exfiltration. What
analysis would confirm this?
A: Analyze unusually long or randomly structured DNS query names.
, Rationale: DNS tunneling often uses encoded or lengthy hostnames to conceal
transmitted data.
9. Q: A new application sends logs in XML format. How can your SIEM ingest them
correctly?
A: Create or import a custom parser for that XML log format.
Rationale: Proper log parsing ensures that field data are correctly categorized and
searchable.
10. Q: You discover an unpatched CVE in a third-party web server. What is the
primary risk now?
A: The vulnerability exists, but exploitation depends on whether an exploit packet
is available. It's currently an exposed risk.
Rationale: Distinguishing between a vulnerability (potential risk) and an exploit
(actual attack vector) is crucial for accurate risk assessment.
A newly hired cybersecurity manager oversees the organization's operational
control responsibilities. Which of the following is an example of this
responsibility?
A. Monitoring the network for unauthorized access attempts
B. Conducting a risk assessment to identify potential vulnerabilities in the system
C. Installing antivirus software on all company computers
D. Creating a strong password policy for employees to follow - ANSWER A.
Monitoring the network for unauthorized access attempts
