
CompTIA Security+ SY0-701 Practice Questions: 20 Free Questions with Answers (2026)
How to Use These Practice Questions
Each question carries a domain label matching one of the five SY0-701 exam domains. Read the question, choose your answer, then scroll to the explanation. The mix below is weighted to reflect the real exam, where Security Operations (28%) and Threats, Vulnerabilities, and Mitigations (22%) are the heaviest domains, followed by Security Program Management and Oversight (20%), Security Architecture (18%) and General Security Concepts (12%).
These 20 questions are a small sample from the ReadRoost Security+ SY0-701 pack. The complete pack includes over 500 scenario-based questions and 250 flashcards with spaced repetition that adapts to your weak areas. Start your free preview at readroo.st/marketplace/comptia-security-plus-sy0-701.
Questions 1-5: Security Concepts and Threats
Domain: General Security Concepts | Difficulty: Foundation 1. A security administrator is comparing encryption methods. Which statement correctly describes the primary difference between symmetric and asymmetric encryption? A) Symmetric uses one shared key; asymmetric uses public/private key pairs B) Symmetric is more secure than asymmetric C) Asymmetric is faster than symmetric D) Symmetric uses public/private key pairs
Correct Answer: A Symmetric encryption (for example AES) uses a single shared key for both encryption and decryption, which makes it fast but means the key itself has to be distributed securely to every party. Asymmetric encryption (for example RSA or elliptic-curve schemes) uses a mathematically related public/private key pair, which solves key distribution but costs far more computation. In practice the two are combined: a protocol such as TLS uses asymmetric cryptography to agree on a symmetric session key, then encrypts the bulk traffic symmetrically.
Domain: General Security Concepts | Difficulty: Foundation 2. An organization needs to ensure that a financial transaction cannot be denied by either party after completion. Which security principle directly addresses this requirement? A) Availability B) Integrity C) Confidentiality D) Non-repudiation
Correct Answer: D Non-repudiation is proof of origin that a party cannot later deny. It is achieved with digital signatures: the sender signs with a private key that only they hold, and anyone with the matching public key can verify the signature. A MAC (such as an HMAC) proves integrity and authenticity but not non-repudiation, because both parties share the same key and either one could have produced the tag.
Domain: Threats, Vulnerabilities, and Mitigations | Difficulty: Moderate 3. An attacker intercepts communications between a user and a banking website, capturing credentials and session cookies without either party's knowledge. Which attack is being performed? A) Denial of Service B) SQL injection C) Man-in-the-middle (MITM) D) Cross-site scripting
Correct Answer: C A man-in-the-middle attack (listed in the SY0-701 objectives as an on-path attack) places the attacker between two communicating parties to eavesdrop on or modify traffic. It can be set up through ARP spoofing, DNS poisoning, a rogue access point, or a compromised network device. Prevention: TLS with proper certificate validation, certificate pinning where appropriate, HSTS for web applications so browsers refuse to downgrade to plain HTTP, and network monitoring for spoofed ARP or DNS replies.
Domain: Threats, Vulnerabilities, and Mitigations | Difficulty: Moderate 4. An attacker compromises a software vendor's update mechanism to distribute malware to all customers installing updates. Which attack vector is being used? A) Supply chain attack B) Logic bomb C) Watering hole D) Drive-by download
Correct Answer: A Supply chain attacks compromise a trusted vendor, software component, or hardware to reach the ultimate targets. By compromising the update mechanism, attackers reach every customer through a channel the customers already trust. Defenses include verifying signed updates, maintaining a software bill of materials (SBOM), and vetting vendors' security practices; note that if the vendor's signing key is also compromised, signature checks alone will not catch the malicious update.
Domain: Threats, Vulnerabilities, and Mitigations | Difficulty: Foundation 5. A company discovers that attackers exploited a vulnerability in their web server software for which no patch existed at the time of the breach. What type of vulnerability was exploited? A) Backdoor B) Logic bomb C) Rootkit D) Zero-day vulnerability
Correct Answer: D Zero-day vulnerabilities are unknown to the vendor, so no patch exists at the time of exploitation. They are highly valuable to attackers and dangerous to defenders. Defense relies on layered security (network segmentation, least privilege, behavioral detection and endpoint monitoring) because patching is not immediately possible.
Questions 6-10: Threats and Security Architecture
Domain: Threats, Vulnerabilities, and Mitigations | Difficulty: Moderate 6. An application accepts user input directly into SQL queries without validation. An attacker enters: ' OR '1'='1' -- into the username field and gains unauthorized access. Which vulnerability is being exploited? A) SQL injection B) Cross-site scripting C) Buffer overflow D) Cross-site request forgery
Correct Answer: A SQL injection occurs when untrusted input is concatenated into a SQL statement, so the input can change the statement's structure rather than just its data. Here the leading quote closes the username literal, OR '1'='1' makes the WHERE clause always true, and -- comments out the password check. The primary fix is parameterized (prepared) queries, which send values separately from the SQL text; input validation and least-privilege database accounts are additional layers, not substitutes.
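To make the bypass concrete, here is an added example (not code from the page or from ReadRoost) that runs the question's exact payload against a vulnerable login function and a parameterized one. The in-memory SQLite database, the table layout and the single user are constructed for the demo; passwords are kept in plaintext only so the injected comparison stays visible, which a real system must never do.

```python
import sqlite3

# Constructed demo database (hypothetical data, not from the page). Plaintext
# passwords are a demo shortcut only; real systems store salted hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The input is pasted into the SQL text, so quote characters in it rewrite the
    # statement. With username = ' OR '1'='1' --  the query becomes
    #   SELECT username FROM users WHERE username = '' OR '1'='1' --' AND password = '...'
    # and everything after -- (the password check) is a comment.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the SQL text is fixed and the values travel separately,
    # so the same payload is compared literally against the username column.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "wrong"))  # alice
    print("safe:      ", login_safe(conn, PAYLOAD, "wrong"))        # None
```

The vulnerable function returns alice without the password because the database never sees the password comparison. The parameterized version returns None: the driver binds the payload as a string value, and no user has the literal username `' OR '1'='1' --`. The same placeholder mechanism exists in every mainstream driver (psycopg, mysql-connector, JDBC prepared statements), and it is the fix to reach for before any input filtering.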
Domain: Threats, Vulnerabilities, and Mitigations | Difficulty: Moderate 7. A user receives an email appearing to be from their bank with urgent account verification required. The email contains a link to a website that looks identical to the real bank site but has a slightly different URL. Which attack is this? A) Whaling B) Pharming C) Spear phishing D) Phishing
Correct Answer: D Phishing uses fraudulent communications to trick users into revealing credentials or sensitive information. This example relies on a lookalike (typosquatted) domain to deceive the victim. Pharming redirects users through DNS manipulation even when they type the correct address; spear phishing targets a specific individual or group; whaling targets executives.
Domain: Security Architecture | Difficulty: Moderate 8. A DevOps team needs to scan container images for vulnerabilities before deployment to production. Which practice addresses this requirement? A) Container image scanning B) Network segmentation C) Cable management D) Physical security
Correct Answer: A Container image scanning identifies vulnerabilities in container images before deployment. Should be integrated into CI/CD pipelines. Additional container security includes runtime protection, secrets management, and orchestration security.
Domain: Security Architecture | Difficulty: Moderate 9. An organization needs to verify device health and enforce security policies before granting network access. Which technology should be implemented? A) Network Access Control (NAC) B) VPN concentrator C) Proxy server D) Load balancer
Correct Answer: A NAC enforces security policies on devices before granting network access. It verifies device health (antivirus status, patches), authenticates users, and can quarantine non-compliant devices for remediation before full network access.
Domain: Security Architecture | Difficulty: Foundation 10. An organization needs to manage and secure thousands of employee mobile devices accessing corporate data. Which solution provides centralized device management? A) Mobile Device Management (MDM) B) Antivirus software C) Network firewall D) Physical access control
Correct Answer: A MDM provides centralized management of mobile devices including remote configuration, policy enforcement, app management, remote wipe capabilities, and compliance monitoring. Essential for BYOD and corporate device security.
Questions 11-15: Security Architecture and Operations
Domain: Security Architecture | Difficulty: Challenging 11. A cloud-first organization needs to consolidate networking and security functions into a cloud-delivered service for distributed users. Which architecture meets this requirement? A) Traditional MPLS B) Physical DMZ C) On-premises firewall D) SASE (Secure Access Service Edge)
Correct Answer: D SASE converges network (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into a cloud-delivered service. It provides secure access regardless of user location, replacing traditional hub-and-spoke architectures.
Domain: Security Operations | Difficulty: Foundation 12. A penetration testing team is conducting an authorized security assessment with full knowledge of the network architecture. Which testing approach is being used? A) White box testing B) Black box testing C) Fuzzing D) Gray box testing
Correct Answer: A White box testing (a known environment test in SY0-701 terminology) gives testers complete information about the systems under test, such as architecture diagrams, source code or credentials, which simulates an insider and allows a thorough assessment. Black box (unknown environment) provides no information; gray box (partially known environment) provides partial information. Fuzzing is a testing technique for feeding malformed input to software, not a way of scoping what the testers know.
Domain: Security Operations | Difficulty: Challenging 13. A vulnerability scanner reports critical vulnerabilities on 50 production servers. The security team needs to prioritize remediation efforts. Which factor should receive highest priority? A) Internet-facing systems with easily exploitable vulnerabilities B) Internal test systems C) Systems with lowest patch levels D) Systems with oldest hardware
Correct Answer: A Risk prioritization weighs likelihood (exposure and ease of exploitation) against impact (what the system holds or does). Internet-facing systems with easily exploitable vulnerabilities present the highest immediate risk and should be patched first. A CVSS base score alone does not capture this, so combine it with asset exposure, business criticality and threat intelligence such as known-exploited-vulnerability lists.
Domain: Security Operations | Difficulty: Challenging 14. A security team discovers that sensitive customer data was exfiltrated from a database over several months. The team needs to identify the attack timeline, affected systems, and data accessed. Which process addresses this? A) Password reset campaign B) Firewall rule update C) Routine patching D) Digital forensics investigation
Correct Answer: D Digital forensics scientifically collects, analyzes, and preserves evidence to reconstruct attack timelines, identify affected systems, and determine scope. Results inform incident response, legal proceedings, and prevention improvements.
Domain: Security Operations | Difficulty: Moderate 15. A critical server needs to be restored after a ransomware attack. The organization has full backups from yesterday and incremental backups every 2 hours. Which recovery strategy minimizes data loss? A) Restore the full backup then apply incremental backups up to the incident B) Rebuild from scratch without backups C) Restore only the full backup D) Restore incremental backups only
Correct Answer: A To minimize data loss, restore the last full backup, then apply every incremental backup in chronological order up to the last one taken before the incident. Incrementals contain only the changes since the previous backup, so the chain must be complete and applied in sequence. Before restoring, confirm that the backups themselves were not encrypted or tampered with (checksums or a separate manifest, ideally kept offline or on immutable storage) and that the restore point predates the initial intrusion, not just the moment files were encrypted.
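The restore sequence above, as an added example that is not part of the original page: a full backup, a chain of incrementals, and a restore routine that applies them in order, stops at a cutoff before the incident, verifies each backup against an offline manifest, and refuses to continue if a link in the chain is missing. The backup contents, timestamps and the `after` field linking each incremental to its predecessor are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime


def fingerprint(backup):
    """SHA-256 over the backup's canonical JSON form."""
    return hashlib.sha256(json.dumps(backup, sort_keys=True).encode()).hexdigest()


# Constructed backup set (hypothetical). The full backup is a complete file set; each
# incremental holds only what changed since the backup named in its "after" field.
FULL = {"taken": "2024-03-01T00:00", "files": {"ledger.db": "v1", "config.ini": "base"}}
INCREMENTALS = [
    {"taken": "2024-03-01T02:00", "after": "2024-03-01T00:00", "changes": {"ledger.db": "v2"}},
    {"taken": "2024-03-01T04:00", "after": "2024-03-01T02:00", "changes": {"config.ini": "tuned"}},
    {"taken": "2024-03-01T06:00", "after": "2024-03-01T04:00", "changes": {"ledger.db": "v3"}},
    # Taken after the ransomware ran: it faithfully backed up the encrypted files.
    {"taken": "2024-03-01T08:00", "after": "2024-03-01T06:00",
     "changes": {"ledger.db": "<encrypted>", "README.txt": "pay up"}},
]
# Manifest of known-good fingerprints, assumed to live offline or on immutable storage
# so an attacker who reaches the backup store cannot also rewrite it. The 08:00
# backup was never attested, so it is absent.
MANIFEST = {b["taken"]: fingerprint(b) for b in [FULL] + INCREMENTALS[:3]}


def restore(full, incrementals, manifest, incident_time):
    """Rebuild the file set as of the last backup taken before incident_time.

    Returns (files, applied_backup_ids). Raises ValueError on a failed integrity
    check or a gap in the incremental chain.
    """
    cutoff = datetime.fromisoformat(incident_time)
    if manifest.get(full["taken"]) != fingerprint(full):
        raise ValueError(f"full backup {full['taken']} failed integrity check")
    state = dict(full["files"])
    applied = [full["taken"]]
    for inc in sorted(incrementals, key=lambda b: b["taken"]):
        if datetime.fromisoformat(inc["taken"]) >= cutoff:
            break  # everything from here on may contain post-incident data
        if inc["after"] != applied[-1]:
            raise ValueError(f"chain broken: {inc['taken']} expects {inc['after']} before it")
        if manifest.get(inc["taken"]) != fingerprint(inc):
            raise ValueError(f"incremental {inc['taken']} failed integrity check")
        state.update(inc["changes"])
        applied.append(inc["taken"])
    return state, applied


if __name__ == "__main__":
    files, applied = restore(FULL, INCREMENTALS, MANIFEST, "2024-03-01T07:30")
    print(files)    # {'ledger.db': 'v3', 'config.ini': 'tuned'}
    print(applied)  # full backup plus the 02:00, 04:00 and 06:00 incrementals
```

Choosing a cutoff of 07:30 yields the latest clean state. Choosing 09:00 instead pulls in the 08:00 incremental, which fails the manifest check and stops the restore rather than silently reintroducing encrypted files; dropping the 02:00 incremental from the set trips the chain check, because the 04:00 backup declares 02:00 as its predecessor.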
Questions 16-20: Security Operations and Program Management
Domain: Security Operations | Difficulty: Challenging 16. A security administrator receives an alert about suspicious lateral movement between servers in the data center. Network logs show unusual SMB connections from a compromised workstation. What is the immediate priority? A) Reboot the domain controller B) Update antivirus definitions C) Delete user accounts D) Isolate the compromised workstation and affected servers
Correct Answer: D Immediate containment is critical to prevent further lateral movement and data exfiltration. Isolating affected systems stops the attack progression while preserving evidence for investigation. Other actions follow containment.
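The alert in this question is the kind a SOC would generate from connection logs. As an added example (not part of the original page), here is detection logic that flags a workstation opening SMB sessions to several different servers within a short window, then lists the systems to isolate first. The log format, the sample lines, the workstation and server subnets and the thresholds are all assumptions constructed for the demo.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (hypothetical). Assumed format per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2024-03-01T09:00:05 10.10.20.15 10.10.50.10 445 tcp
2024-03-01T09:00:09 10.10.20.15 10.10.50.11 445 tcp
2024-03-01T09:00:14 10.10.20.15 10.10.50.12 445 tcp
2024-03-01T09:00:20 10.10.20.15 10.10.50.13 445 tcp
2024-03-01T09:00:31 10.10.20.15 10.10.50.14 445 tcp
2024-03-01T09:01:00 10.10.20.40 10.10.50.10 445 tcp
2024-03-01T09:03:00 10.10.20.40 10.10.50.10 445 tcp
2024-03-01T09:05:00 10.10.20.77 10.10.50.20 443 tcp
"""

WORKSTATION_NET = ipaddress.ip_network("10.10.20.0/24")  # assumed user VLAN
SERVER_NET = ipaddress.ip_network("10.10.50.0/24")       # assumed data-center VLAN
SMB_PORTS = {445, 139}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        events.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), int(port), proto))
    return events


def detect_lateral_movement(events, window=timedelta(minutes=5), min_targets=3):
    """Map each suspicious workstation to the sorted list of servers it reached.

    A workstation is flagged when it opens SMB sessions to at least min_targets
    distinct servers within `window`. A single file server hit repeatedly (normal
    user behaviour) does not count, only fan-out across many hosts does.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in events:
        if port in SMB_PORTS and src in WORKSTATION_NET and dst in SERVER_NET:
            by_src[src].append((ts, dst))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                findings[str(src)] = sorted(str(d) for d in targets)
                break
    return findings


def containment_plan(findings):
    """First response: isolate the source host and every server it reached."""
    plan = []
    for src, targets in findings.items():
        plan.append(f"isolate workstation {src}")
        plan.extend(f"isolate server {t}" for t in targets)
    return plan


if __name__ == "__main__":
    findings = detect_lateral_movement(parse_log(SAMPLE_LOG))
    for step in containment_plan(findings):
        print(step)
```

Only 10.10.20.15 is flagged: it touched five servers over SMB in under a minute. 10.10.20.40 talks to the same file server twice, which is ordinary use, and 10.10.20.77 is HTTPS traffic. The containment plan isolates the workstation and the five servers it reached, which matches the answer: contain first, then investigate, and leave the machines powered on so volatile evidence survives.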
Domain: Security Program Management and Oversight | Difficulty: Foundation 17. An organization wants to ensure that no single person can approve and execute high-value financial transactions alone. Which control principle addresses this requirement? A) Defense in depth B) Need to know C) Least privilege D) Separation of duties
Correct Answer: D Separation of duties divides a critical function among different people so that no single person can complete a sensitive operation alone, which limits both fraud and honest mistakes. It is often paired with dual control (two people must act together) or split knowledge (each person holds only part of a secret) for the most critical operations.
Domain: Security Program Management and Oversight | Difficulty: Foundation 18. A security policy states that all employees must complete annual security awareness training and immediately report suspicious emails. Which type of control is this policy? A) Physical control B) Compensating control C) Administrative/Managerial control D) Technical control
Correct Answer: C A security policy is a managerial (administrative) control: it sets direction through governance. The awareness training the policy mandates is, in SY0-701 terms, an operational control carried out by people, while technical controls such as firewalls and encryption and physical controls such as locks and guards implement what the policy requires.
Domain: Security Program Management and Oversight | Difficulty: Moderate 19. An organization processes credit card payments and must protect cardholder data through encryption, access controls, and regular security testing. Which compliance framework applies? A) GDPR B) SOX C) PCI-DSS D) HIPAA
Correct Answer: C PCI DSS (Payment Card Industry Data Security Standard) protects cardholder data through 12 requirements covering network security controls, encryption of stored and transmitted card data, access control, logging and monitoring, and regular security testing. It is not a law but a contractual obligation imposed by the card brands on every entity that stores, processes, or transmits card data. GDPR covers personal data of EU residents, HIPAA covers health information, and SOX covers financial reporting controls.
Domain: Security Program Management and Oversight | Difficulty: Challenging 20. A vendor assessment reveals that a critical supplier lacks adequate security controls and has no incident response plan. Which process should have identified this risk earlier? A) Penetration testing B) Internal audit C) Third-party risk management D) Vulnerability scanning
Correct Answer: C Third-party risk management assesses vendor security before engagement and monitors ongoing compliance. Supplier vulnerabilities become organizational vulnerabilities. Should include contractual security requirements and periodic reassessment.
How Did You Score?
The passing score for Security+ is 750 on a scaled range of 100 to 900. Scaled scores do not map directly to a percentage of questions answered correctly, but roughly 83% is a sensible working target. If you scored 17/20 or higher on these questions, you are on track. Share your score and challenge a colleague.
17-20 correct: Exam-ready. You have a strong command of security concepts, threats, architecture, and operations. Book your exam with confidence and review any domains where you hesitated.
13-16 correct: Solid foundation but gaps remain. Focus on the domains where you dropped questions, especially Security Operations and Threats, Vulnerabilities, and Mitigations, since they carry the most exam weight. Professor Messer's free SY0-701 video series and the CompTIA CertMaster labs are excellent resources to close the gap.
Under 13 correct: You need more study time before sitting the exam. Build a structured plan covering all five domains. Start with the official CompTIA Security+ objectives, supplement with Professor Messer or Jason Dion's Udemy course, and work through practice questions daily until you consistently score above 85%.
These 20 questions are a sample from the ReadRoost Security+ SY0-701 pack. The complete pack includes over 500 scenario-based questions and 250 flashcards with spaced repetition that adapts to your weak areas. Start your free preview at readroo.st/marketplace/comptia-security-plus-sy0-701.
Building an IT security career path? Start with CompTIA A+ for foundational skills at readroo.st/marketplace/comptia-a-plus-core-1-220-1201-v15, then move to Security+, and advance to CySA+ or CASP+. Browse all CompTIA certifications at readroo.st/marketplace.
Full Study Blueprint
See the complete crowdsourced blueprint (currently 1 study plan) for CompTIA Security+ SY0-701: resources, ratings, and tips from people who passed.
Frequently Asked Questions
How many questions are on the Security+ SY0-701 exam?
The SY0-701 exam has a maximum of 90 questions, a mix of multiple-choice and performance-based items, and you have 90 minutes to complete it. The passing score is 750 on a scaled range of 100 to 900. Because the score is scaled, CompTIA does not publish a fixed percentage, but aiming for roughly 83% accuracy across all five exam domains on practice tests is a reasonable target.
What is the difference between symmetric and asymmetric encryption?
Symmetric encryption uses one shared key for both encryption and decryption, making it fast but requiring a secure method to share the key between parties. Asymmetric encryption uses a mathematically related public/private key pair, which solves the key distribution problem but comes with higher computational overhead.
What is a zero-day vulnerability?
A zero-day vulnerability is a software flaw unknown to the vendor with no available patch at the time of exploitation, making it extremely dangerous because traditional signature-based defenses cannot detect it. Layered security measures such as network segmentation, behavioral analysis, and endpoint detection are the primary protections since patching is not immediately possible.
Master Your Exams with ReadRoost
Practice questions, flashcards, and timed exams for 57 certifications.
Related Articles
CCA-F vs AWS AIF-C01: Which AI Certification Should You Get First?
The AI certification landscape is barely a year old and already crowded. If you only have time for one entry-level credential in 2026, the two that are actually worth comparing are Anthropic's Claude Certified Architect Foundations (CCA-F), launched March 2026, and AWS's Certified AI Practitioner (AIF-C01), launched August 2024 and now the fastest-growing AWS certification in the catalogue. They look superficially similar (both are foundational, both cover generative AI, both sit at roughly USD 100) but they validate different skills and signal differently to different employers. This post is the honest side-by-side: who each one is for, why doing both still makes sense, and an unflinching read on which one the job market actually rewards today.
How to Pass the CCA-F Exam: Complete Study Guide (2026)
The Claude Certified Architect Foundations exam is the first credential built around real production work with Claude: agentic loops, the Claude Agent SDK, Claude Code, prompt engineering, the Model Context Protocol, and context management. The exam rewards people who have actually built something, not people who have memorised feature lists. This guide is the 2 to 4 week plan I would give a developer with around six months of Claude experience: how to spend each week, which free Anthropic resources to use, what to drill on the last weekend, and how to manage time on exam day. For a deeper breakdown of the question style and difficulty, see the companion post at /blog/cca-foundations-practice-questions, which has 12 worked-through sample questions from the same blueprint.
I Studied SY0-701 for Three Months - Here Is What I Would Do Differently From Day One
Three months into studying for SY0-701, I realised I had spent the first six weeks doing almost exactly the wrong thing. The material was not too hard. The exam was not unfair. I had simply absorbed twelve hours of Professor Messer videos before touching a practice question, memorised every acronym in a vacuum, and assumed performance-based questions would be a small part of the exam. None of that was wrong - all of it was in the wrong order. After helping hundreds of people prep through ReadRoost, the same five mistakes show up in nearly every pass-second-time story I hear. Here is the version of day one I wish I had given myself.
