Security+ Practice Questions (2026): 10 Free SY0-701 Questions with Answers
Ten exam-style questions across all five CompTIA Security+ domains — each with the correct answer and a plain-English explanation on click. Score yourself at the end to see if you are exam-ready.
The CompTIA Security+ (SY0-701) exam is the entry gate to a cybersecurity career and one of the most widely held security certifications in the world. It rewards people who understand security controls in practice — identifying threats, hardening architecture, running security operations, and managing risk — not people who only memorised definitions. The exam even opens with performance-based questions (PBQs): interactive, scenario tasks such as configuring a firewall rule or matching attacks to mitigations.
Below are 10 free Security+ practice questions written in the same style as the real exam, spread across all five domains of the SY0-701 blueprint and weighted toward the two heaviest — Security Operations and Threats, Vulnerabilities & Mitigations. Read each one, pick your answer, then hit Show answer & explanation. Keep score — there is a readiness check at the bottom.
10 Security+ practice questions
An attacker intercepts a wire-transfer request in transit and silently changes the destination account number before it reaches the bank. Which pillar of the CIA triad has been violated?
- Confidentiality
- Integrity
- Availability
- Non-repudiation
Show answer & explanation
Integrity means data is not altered by an unauthorised party; changing the account number breaks it. Confidentiality (A) is about unauthorised disclosure — the attacker modified the data, not merely read it. Availability (C) concerns uptime and access, which were unaffected. Non-repudiation (D) is a valuable property but is not one of the three CIA pillars, which makes it the trap answer here.
Employees find their documents encrypted with a new file extension and an on-screen note demanding cryptocurrency in exchange for the decryption key. Which type of malware is this?
- Rootkit
- Ransomware
- Spyware
- Logic bomb
Show answer & explanation
Ransomware encrypts victim data and extorts payment for the decryption key — exactly the behaviour described. A rootkit (A) hides an attacker's presence with elevated privileges but does not demand ransom. Spyware (C) covertly collects information rather than encrypting files. A logic bomb (D) is dormant code that fires on a trigger such as a date; the defining traits here — encryption plus a ransom note — point to ransomware.
An employee receives a phone call from someone claiming to be the IT help desk, invoking the CIO's name and urgent language to pressure them into revealing their VPN password “to fix an outage.” Which social-engineering technique is this?
- Phishing
- Tailgating
- Vishing
- Watering-hole attack
Show answer & explanation
Vishing (voice phishing) is social engineering conducted over the phone, here reinforced by impersonation, authority (the CIO's name) and urgency. Phishing (A) refers specifically to fraudulent email or messages, not a live call. Tailgating (B) is following someone through a physical door. A watering-hole attack (D) compromises a website the target group is known to visit. The delivery channel — a phone call — makes this vishing.
A credentialed vulnerability scan flags a server as vulnerable to a critical CVE. On investigation, the patch is already installed, the vulnerable service is disabled, and the finding cannot be reproduced. How should the analyst classify this result?
- Zero-day
- True positive
- False negative
- False positive
Show answer & explanation
A false positive is a finding the scanner reports as a vulnerability that does not actually exist in the environment — exactly the case when the patch is present and the service disabled. A true positive (B) would be a real, confirmed vulnerability. A false negative (C) is the dangerous opposite: a real vulnerability the scanner missed. A zero-day (A) is an unknown flaw with no fix available, which contradicts “the patch is already installed.”
You need a network security control that sits inline and can automatically drop malicious packets in real time, not merely generate an alert for analysts to review afterward. Which control meets this requirement?
- IDS (intrusion detection system)
- IPS (intrusion prevention system)
- SIEM
- Network TAP
Show answer & explanation
An IPS is deployed inline and can block or drop malicious traffic automatically as it passes through. An IDS (A) only detects and alerts — it is typically out-of-band and cannot stop traffic on its own. A SIEM (C) aggregates and correlates logs for analysis but does not sit inline dropping packets. A network TAP (D) is a passive device that copies traffic for monitoring and cannot block anything.
You must encrypt several terabytes of data at rest in a database as efficiently as possible while keeping strong protection. Which algorithm is the appropriate choice for the bulk encryption?
- RSA-4096
- AES-256
- SHA-256
- Base64
Show answer & explanation
AES-256 is a symmetric block cipher — fast and well suited to encrypting large volumes of data at rest. RSA-4096 (A) is asymmetric and far too slow for bulk data; asymmetric crypto is used to exchange or protect the symmetric key, not to encrypt terabytes. SHA-256 (C) is a hashing algorithm that provides integrity, not confidentiality, and is one-way, so it cannot be reversed to read the data. Base64 (D) is encoding, not encryption, and offers no confidentiality at all.
A login policy requires users to enter a password and then approve a prompt on a registered hardware security key. Which statement best describes this authentication scheme?
- Single-factor, because both steps are just part of logging in
- Multifactor: something you know plus something you have
- Multifactor: something you know plus something you are
- Two-factor, but both factors are “something you know”
Show answer & explanation
True MFA combines factors from different categories. A password is “something you know” and a hardware security key is “something you have,” so this is genuine multifactor authentication. It is not single-factor (A). It is not “something you are” (C) — that category is biometrics such as a fingerprint or face, which is not used here. And it is not two knowledge factors (D); a password plus a PIN would be two of the same factor and would not qualify as true MFA.
A security team needs one platform that ingests logs from firewalls, servers, and endpoints, correlates events across all of them, and raises alerts when a pattern matches a detection rule. They want centralised visibility and correlation, but explicitly do not want automated response playbooks. Which solution fits best?
- SOAR
- SIEM
- DLP
- NAC
Show answer & explanation
A SIEM (Security Information and Event Management) centralises log collection, normalises and correlates events across sources, and generates alerts on rule matches — precisely what is described. SOAR (A) is the tempting distractor: it layers automated orchestration and response playbooks on top, but the requirement explicitly excludes automated response, so SIEM is the better answer. DLP (C) prevents data exfiltration; NAC (D) controls device admission to the network — neither performs cross-source log correlation.
During an incident, analysts have confirmed that a workstation is infected and actively beaconing to a command-and-control server. Following the standard incident-response process, what is the immediate next step after detection and analysis?
- Eradication — wipe and rebuild the machine
- Recovery — restore the machine to production
- Containment — isolate the host from the network
- Lessons learned — write the post-incident report
Show answer & explanation
The incident-response lifecycle runs Preparation → Detection/Analysis → Containment → Eradication → Recovery → Lessons Learned. Once a compromise is confirmed, containment comes first: isolate the host to cut off the C2 channel and prevent lateral movement. Eradication (A) — removing the malware — comes after containment, not before. Recovery (B) restores systems only once the threat is eliminated. Lessons learned (D) is the final phase, held after the incident is closed.
After applying controls, a company still faces residual risk of a costly data breach. Leadership decides to purchase a cyber-insurance policy so that a third party absorbs the financial impact if a breach occurs. Which risk-management strategy is this?
- Risk avoidance
- Risk acceptance
- Risk transference
- Risk mitigation
Show answer & explanation
Buying insurance shifts the financial impact of a risk to a third party — the definition of risk transference. Risk avoidance (A) means eliminating the activity that creates the risk altogether. Risk acceptance (B) means acknowledging the residual risk and choosing to take no further action. Risk mitigation (D) means applying controls to reduce likelihood or impact — which the company already did; the insurance addresses only what remains.
What these questions cover
The 10 questions are weighted to mirror the real SY0-701 blueprint, so your score here is a rough proxy for the live exam. These are the five domains and their exact exam weights (objectives version 5.0):
Beyond the questions above, make sure your prep also covers zero-trust architecture, public-key infrastructure (PKI) and digital certificates, single sign-on and federation, hardening and secure baselines, and governance topics such as security agreements (SLA, MOU, MSA, BPA) and data-privacy roles — all of which appear on SY0-701.
Score yourself
Count how many of the 10 you got right before revealing the answer. Then read the band you land in honestly — the goal is a real pass, not a good feeling.
Want the full Security+ SY0-701 question bank?
These 10 are a taster. The ExamCert Security+ app runs hundreds of exam-style questions with explanations, timed mocks, PBQ-style scenarios, and weak-domain tracking — the real exam interface, on your phone.
Security+ exam FAQ
How many questions are on the Security+ SY0-701 exam?
The SY0-701 exam has a maximum of 90 questions and a 90-minute time limit. It mixes standard multiple-choice questions with performance-based questions (PBQs) — interactive, scenario-driven tasks that usually appear first and carry more weight than a single multiple-choice item.
What score do I need to pass Security+?
A scaled score of 750 on a scale of 100 to 900. Because the score is scaled, 750 out of 900 is not a simple percentage of questions correct — harder items and performance-based questions carry more weight toward the total.
Is SY0-701 still the current Security+ exam in 2026?
Yes. SY0-701 (objectives version 5.0) launched in November 2023 and is the active CompTIA Security+ exam throughout 2026. Its five domains weight heaviest toward Security Operations (28%) and Threats, Vulnerabilities & Mitigations (22%), so focus your study there.
Are practice questions enough to pass Security+?
They are essential but not sufficient. SY0-701 tests applied knowledge, including hands-on PBQs — so pair a strong question bank with practice on real concepts (firewall rules, log analysis, mapping attacks to mitigations) and use the questions to find and close weak domains.
ExamCert Team — we build exam-style practice banks and prep apps for 90+ IT certifications. Questions here are original, written to match the SY0-701 objectives; they are not real exam items.
Related: Security+ exam guide · Security+ study guide · Security+ exam cost 2026 · Free practice tests
