10 free, exam-style CySA Plus (CySA Plus) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CySA Plus practice test to study every exam domain.
A SOC analyst reviews SIEM alerts and notices a workstation is making HTTPS connections to an external IP address every 60 seconds. Each connection transfers less than 1 KB of data. No user activity is occurring on the workstation at the time. Which type of malicious activity does this pattern MOST likely indicate?
Correct answer: A - Command and control beaconing when applied properly
A security analyst investigates a suspicious email reported by an employee. The email header shows the following results: SPF: PASS DKIM: FAIL DMARC: FAIL (policy: quarantine) What does the DKIM failure indicate about this email?
Correct answer: B - The message content was altered after being sent
A company's threat intelligence team discovers that a recent breach used a zero-day exploit, was conducted over several months with careful operational security, and targeted proprietary defense research data. Which threat actor type is MOST consistent with this activity?
Correct answer: A - Nation-state in the typical case
A vulnerability scanner returns the following CVSS v3.1 vector string for a finding on a hypervisor: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H What does the Scope metric value of "Changed" (S:C) indicate about this vulnerability?
Correct answer: B - Exploitation impacts resources beyond the vulnerable component
An organization is migrating workloads to AWS and needs to assess its cloud environment against CIS benchmark security configurations. Which tool is MOST appropriate for this task?
Correct answer: C - Prowler under standard market practice
A vulnerability scan reveals two critical findings: Finding A: CVSS 9.8 on an air-gapped SCADA system with no known public exploit. Finding B: CVSS 7.5 on an internet-facing web server with an active Metasploit module. Which finding should be remediated FIRST, and why?
Correct answer: D - Finding B, because it has a known exploit and external exposure
During a threat hunt, an analyst identifies a C2 server domain used in an attack. The analyst uses this finding to discover the malware family deployed and the adversary group responsible. Which analytical framework supports this type of pivoting between intrusion components?
Correct answer: D - Diamond Model of Intrusion Analysis
A security team arrives on-site to respond to a confirmed endpoint compromise. The affected laptop is still powered on and connected to the network. Following the order of volatility, which evidence source should the team capture FIRST?
Correct answer: C - Contents of system RAM in the typical case
A vulnerability scan identifies a critical remote code execution flaw on a hospital's patient monitoring system. The device vendor states that applying the patch will void the support contract, and the system cannot be taken offline. Which inhibitor to remediation does this scenario BEST represent?
Correct answer: A - Proprietary system when applied properly
After implementing a new EDR solution, a SOC manager reviews quarterly metrics and finds that the average time between an intrusion occurring and the SOC receiving an alert has decreased from 12 days to 36 hours. Which incident response metric reflects this improvement?
Correct answer: B - Mean time to detect under accepted convention
Practice hundreds more CySA Plus questions with instant scoring, weak-area drills, and full exam simulations.