Log in Start practising free
CompTIA CySA+

Security Operations

65 free practice questions with explanations

Practise all 65 questions free →

PassNova has 65 free CompTIA CySA+ practice questions on Security Operations, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Security Operations: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 65 free in the browser.

  1. During log analysis an analyst observes hundreds of failed logins for many usernames from one source IP, each username tried only once or twice. Which attack does this pattern most likely indicate?

    • A SQL injection
    • B Password spraying
    • C Pass-the-hash
    • D Kerberoasting

    Answer: Password spraying tries a small number of common passwords across many accounts to avoid lockouts, producing few attempts per user but many users from one source.

  2. An analyst wants to understand the tactics, techniques, and procedures (TTPs) used by adversaries and map observed behaviour to known attacker methods. Which framework is purpose-built for this?

    • A PCI DSS
    • B ISO 9001
    • C COBIT
    • D MITRE ATT&CK

    Answer: MITRE ATT&CK is a curated knowledge base of adversary tactics and techniques used to classify and map observed attacker behaviour.

  3. A threat intelligence feed provides IP addresses, file hashes, and domains associated with active campaigns. What are these data points collectively known as?

    • A Indicators of compromise (IoCs)
    • B Service level objectives
    • C Acceptable use policies
    • D Recovery point objectives

    Answer: Atomic artifacts such as malicious IPs, hashes, and domains that signal a possible intrusion are called indicators of compromise (IoCs).

  4. An analyst is performing malware analysis by executing a suspicious binary inside an isolated sandbox and watching its network and file system activity. Which analysis type is this?

    • A Regression testing
    • B Differential cryptanalysis
    • C Dynamic (behavioural) analysis
    • D Static code review

    Answer: Running a sample in a controlled environment to observe its runtime behaviour is dynamic (behavioural) analysis, as opposed to static analysis which inspects code without execution.

  5. Which classification of threat actor is typically the best resourced, most persistent, and most likely to use custom zero-day exploits over long campaigns?

    • A Nation-state advanced persistent threat (APT)
    • B Script kiddie
    • C Hacktivist
    • D Opportunistic insider

    Answer: Nation-state APTs have substantial funding and patience, enabling custom tooling, zero-days, and long-term persistence against high-value targets.

  6. An analyst notices that an internal host is making periodic outbound HTTPS connections to an unknown domain at exactly regular intervals. Which malicious activity does this beaconing behaviour most strongly suggest?

    • A An ARP spoofing attack
    • B Command-and-control (C2) communication
    • C A routine certificate renewal
    • D DNS cache poisoning

    Answer: Regular, periodic outbound connections to an unknown host are classic beaconing, indicating a compromised host checking in with a command-and-control server.

Start practising Security Operations →
More CompTIA CySA+ topics

Practise another topic

Vulnerability Management51 questions Incident Response & Management50 questions Reporting & Communication34 questions
← Back to CompTIA CySA+