BANK | COMPLETE EXAM BANK WITH
CORRECT ANSWERS AND RATIONALES.
1. A security analyst is reviewing logs from a web
application firewall (WAF). Which of the following
HTTP requests indicates a potential SQL injection
attempt?
A) `GET /index.html HTTP/1.1`
B) `GET /search?q=' OR '1'='1 HTTP/1.1`
C) `POST /login HTTP/1.1` with body `username=admin&password=pass`
D) `GET /images/logo.png HTTP/1.1`
Correct answer: B
Rationale: `' OR '1'='1` is a classic SQL injection
tautology that bypasses authentication or retrieves
all rows. A WAF should detect this pattern.
2. A security analyst is using a SIEM to investigate a
potential compromise. Which of the following log
sources would provide the most detailed information
about network traffic content (payloads)?
A) NetFlow
B) Firewall logs
C) Full packet capture (PCAP)
D) Windows Event Logs
Correct answer: C
Rationale: Full packet capture stores entire network
packets, including payloads. NetFlow only provides
metadata (source/destination IP, ports, bytes).
3. A suspicious executable was found on a
workstation. The analyst wants to run it in an isolated
environment to observe its behavior without risking
the production network. This is called:
A) Static analysis
B) Dynamic analysis (sandboxing)
C) Code review
D) Fuzzing
Correct answer: B
Rationale: Dynamic analysis executes malware in a
sandbox or virtual machine to observe behavior
(registry changes, network connections, file system
modifications).
4. Which of the following is a key difference between
a vulnerability scan and a penetration test?
A) A vulnerability scan actively exploits
vulnerabilities; a penetration test does not
B) A vulnerability scan identifies potential
weaknesses; a penetration test attempts to exploit
them to validate risk
C) A penetration test is fully automated; a
vulnerability scan requires manual testing
D) A vulnerability scan is only for compliance; a
penetration test is never required
Correct answer: B
Rationale: Vulnerability scanning identifies potential
vulnerabilities; penetration testing exploits them to
determine real-world impact and uncover chained
exploits.
5. A security analyst is configuring a vulnerability
scanner to run an authenticated scan on Windows
servers. Which credential type is most appropriate?
A) Guest account with no password
B) Domain administrator account with local
administrator rights
C) Standard user account with no elevated privileges
D) Anonymous null session
Correct answer: B
Rationale: Authenticated scans require credentials
with administrative privileges to enumerate installed
software, missing patches, registry settings, and
configuration issues.
6. Which of the following describes a false positive in
intrusion detection?
A) An alert is generated for malicious activity that
actually occurred
B) An alert is generated for benign activity that is
incorrectly flagged as malicious
C) Malicious activity occurs but no alert is generated
D) The IDS is in passive mode
Correct answer: B
Rationale: False positive = alert but no actual threat.
False negative = threat but no alert. Both erode trust
in the detection system.
7. A security analyst is tuning a SIEM to reduce noise.
Events that are triggered by scheduled maintenance
tasks are being alerted as potential security
incidents. The analyst should: