Free practice test · no sign-up

CompTIA Security+: Free IT Security and Cybersecurity practice test

10 real CompTIA Security+ practice questions with instant answers and explanations — no account, no credit card, no email. Score yourself, then unlock the full bank of 1,126 questions whenever you’re ready. The CompTIA Security+ passing score is 750 / 900.

Answer key

All 10 CompTIA Security+ questions & answers

Prefer to just read the answers and explanations? Here’s the full key for this free CompTIA Security+ test.

Q1. An organization migrates to a new invoicing platform but neglects to install required supporting software components. As a result, the systems become unstable and crash. Which aspect of change management did the organization overlook?

Correct answer: D. Dependencies

Applications and services often rely on other components (libraries, runtimes, supporting services) to function correctly; when those required components are missing, the system becomes unstable or fails entirely. The other options are different change-management concerns: allow lists become a problem when an application the change needs is not on them, service restarts have to be planned because of the downtime they impose, and legacy applications create risk once vendor support ends.

Q2. An enterprise manages a large number of cryptographic keys, certificates, and other secrets across multiple systems. They want a unified platform to govern and enforce policies over all of these secrets. Which type of solution best addresses this need?

Correct answer: D. KMS

A key management system (KMS) provides centralized control over an organization's cryptographic secrets. Many cloud providers offer KMS solutions to help organizations track, rotate, and enforce policies on their keys and certificates. DLP prevents sensitive data from leaving the organization. A TPM provides a hardware-based security foundation on individual devices. SASE combines network security capabilities with wide-area networking.

Q3. Law enforcement has formally requested that a company produce encrypted data belonging to a specific user. IT staff must retrieve a decryption key from escrow and use it without the user's knowledge. Which document should staff consult before taking this action?

Correct answer: C. Key recovery policy

A key recovery policy provides guidance for situations where stored keys must be accessed on behalf of users, such as during legal investigations, staff departures, or system recovery events. The Sender Policy Framework is an email authentication mechanism. An acceptable use policy defines how employees may use company resources. A Policy Enforcement Point is a component used in access control decisions.

Q4. A security team schedules and executes a routine risk assessment across the organization. Under which category of security control does this activity fall?

Correct answer: D. Managerial

Security controls are grouped into categories. Managerial controls are policy- and procedure-based (e.g., risk assessments, audits) and are established first to guide the other controls. Operational controls are carried out by people as part of day-to-day activities, such as performing backups or resetting systems. Technical controls enforce access through technology such as firewalls, encryption, and passwords. Physical controls restrict physical entry via measures like fencing or locked doors.

Q5. A security team suspects an insider threat is leaking sensitive records. They plant a fabricated database entry designed to look like real sensitive data and configure their DLP solution to generate an alert if that entry is ever accessed or transmitted. What category of deception technology does this represent?

Correct answer: D. Honeytoken

A honeytoken is a piece of fabricated data crafted to attract an attacker. When the data is accessed or exfiltrated, it triggers alerts from monitoring tools such as IDS, IPS, or DLP solutions. A honeypot is a fully decoy system rather than a single piece of data. An access control list (ACL) governs whether actions are permitted or denied. Tactics, techniques, and procedures (TTPs) describe known attacker methodologies.
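The detection side of the scenario in Q5, as an added example that is not part of the original test: a planted customer row with values that exist nowhere in real data, and a scan of constructed database-audit and DLP events that raises an alert on any access or transmission of those values. The field values, event sources and user names are all made up for this illustration.

```python
"""Honeytoken detection over constructed audit/DLP events (added example)."""
import re
from dataclasses import dataclass

# Hypothetical planted record. These values are constructed for this example;
# in practice pick unique, non-guessable values so they can never collide with
# genuine data and every match is a true positive.
HONEYTOKEN_FIELDS = {
    "customer_id": "C-88413-ZQ",
    "email": "m.trevane@example.net",
    "card_last4": "7713",
}


@dataclass
class Alert:
    source: str         # which sensor saw it (db audit log, DLP, ...)
    user: str           # principal that touched the honeytoken
    matched_field: str  # which planted value matched
    line: str           # the raw event, kept for the investigator


def _patterns():
    # Escape the values so characters like '.' match literally.
    return {name: re.compile(re.escape(value), re.IGNORECASE)
            for name, value in HONEYTOKEN_FIELDS.items()}


def scan_events(events):
    """events: iterable of (source, user, text) tuples. Returns a list of Alert.

    A single hit is enough to alert: no legitimate workflow has a reason to
    read or send the fabricated row, so any appearance is suspicious."""
    pats = _patterns()
    alerts = []
    for source, user, text in events:
        for name, pat in pats.items():
            if pat.search(text):
                alerts.append(Alert(source, user, name, text))
                break  # one alert per event even if several fields match
    return alerts


# Constructed sample events: two benign, two touching the planted row.
SAMPLE_EVENTS = [
    ("db-audit", "jsmith", "SELECT * FROM customers WHERE customer_id='C-10022-AA'"),
    ("db-audit", "rkhan",  "SELECT * FROM customers WHERE customer_id='C-88413-ZQ'"),
    ("dlp-email", "rkhan", "attachment export.csv contains m.trevane@example.net, 7713"),
    ("dlp-email", "jsmith", "quarterly_report.pdf sent to finance@example.com"),
]


def suspicious_users(events=SAMPLE_EVENTS):
    """Distinct users who accessed or transmitted the honeytoken."""
    return sorted({a.user for a in scan_events(events)})


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[ALERT] {a.source}: user={a.user} field={a.matched_field}")
    print("suspicious users:", suspicious_users())
```

Because the planted values are unique, the match is exact-string rather than heuristic, which is what lets a DLP or IDS rule built on them fire with essentially no false positives.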

Q6. A company wants to give employees the flexibility to install most applications they choose, but wishes to prevent a specific set of known problematic applications from being installed on corporate workstations. Which approach should the company implement?

Correct answer: C. Block list

A block list (deny list) explicitly names applications that are forbidden from running on endpoints. Block lists can be harder to maintain over time because new malware variants can evade them, and they are less effective against zero-day exploits and polymorphic threats. An allow list restricts execution to only approved applications. Quarantine prevents suspect files from causing harm. Isolation involves separating an entire system from the network.
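The two failure modes the Q6 explanation names, shown concretely as an added example (not part of the original test): hash-based block-list and allow-list decisions applied to constructed stand-in binaries, including a "repacked" variant of a banned tool and a never-seen application. The byte strings stand in for real executables and are made up for this illustration.

```python
"""Block list vs allow list on hash-based application control (added example)."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executables (contents invented for this example).
APPROVED_EDITOR = b"approved-editor-v1"
BANNED_TOOL = b"banned-tool-v1"
# Same banned tool with one byte of padding: a trivial "new variant" whose
# hash no longer matches the block-list entry.
BANNED_TOOL_REPACKED = BANNED_TOOL + b"\x00"
# Something the organisation has never seen before (a zero-day dropper, say).
UNKNOWN_NEW_APP = b"never-seen-before"

BLOCK_LIST = {sha256(BANNED_TOOL)}       # known-bad hashes; default allow
ALLOW_LIST = {sha256(APPROVED_EDITOR)}   # known-good hashes; default deny


def block_list_decision(binary: bytes) -> str:
    """Deny only what is explicitly listed; everything else runs."""
    return "deny" if sha256(binary) in BLOCK_LIST else "allow"


def allow_list_decision(binary: bytes) -> str:
    """Run only what is explicitly listed; everything else is denied."""
    return "allow" if sha256(binary) in ALLOW_LIST else "deny"


def compare(binary: bytes) -> dict:
    return {"block_list": block_list_decision(binary),
            "allow_list": allow_list_decision(binary)}


if __name__ == "__main__":
    for label, b in [("approved editor", APPROVED_EDITOR),
                     ("banned tool", BANNED_TOOL),
                     ("banned tool, repacked", BANNED_TOOL_REPACKED),
                     ("unknown new app", UNKNOWN_NEW_APP)]:
        print(f"{label:22s} {compare(b)}")
```

The repacked and unknown cases are the point: a block list keyed on hashes lets both through because neither hash is on the list, while the allow list denies both because neither is approved. The allow list is the stricter control, at the cost of having to enrol every legitimate application and update, which is why the question's requirement of letting employees install "most applications" points to a block list instead.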

Q7. A network architect wants to consolidate security functions by deploying a single appliance capable of both deep packet inspection and intrusion prevention. Which device type should they select?

Correct answer: C. NGFW

A next-generation firewall (NGFW) integrates multiple security capabilities in one device, including deep packet inspection, IDS/IPS, and anti-malware scanning. This consolidates the security stack and reduces the total number of appliances required. A Layer 4 firewall filters traffic based on IP addresses, ports, and transport-layer protocols only. A WAF is designed specifically to protect web applications. A proxy server intermediates requests between clients and servers.
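To make the Layer 4 versus NGFW distinction in Q7 concrete, here is an added example (not from the original test) that runs constructed packets through a port/protocol filter alone and then through the same filter followed by payload inspection. The packets, rules and signature names are all made up for this illustration; a real NGFW reassembles streams and decodes protocols rather than regex-matching single packets.

```python
"""Layer 4 filtering vs deep packet inspection on constructed packets (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


# Layer 4 policy: decisions use only protocol and destination port (default deny).
L4_RULES = {("tcp", 443): "allow", ("tcp", 80): "allow"}


def l4_filter(pkt: Packet) -> str:
    return L4_RULES.get((pkt.proto, pkt.dport), "deny")


# Content signatures applied only to flows the L4 layer already permitted.
# Each entry: (name, pattern, predicate saying which packets it applies to).
SIGNATURES = [
    # Cleartext HTTP on the TLS port: a port-only filter cannot see this.
    ("cleartext-http-on-443", re.compile(rb"^(GET|POST) \S* HTTP/1\.[01]"),
     lambda p: p.dport == 443),
    # Classic injection string in any inspected payload.
    ("sqli-union-select", re.compile(rb"(?i)union\s+select"),
     lambda p: True),
]


def dpi_inspect(pkt: Packet) -> list:
    return [name for name, pat, applies in SIGNATURES
            if applies(pkt) and pat.search(pkt.payload)]


def ngfw_decision(pkt: Packet):
    """L4 check first; if allowed, inspect payload and drop on any signature hit."""
    action = l4_filter(pkt)
    if action != "allow":
        return action, []
    hits = dpi_inspect(pkt)
    return ("drop" if hits else "allow"), hits


# Constructed sample traffic.
TLS_HELLO = Packet("10.0.0.5", "203.0.113.10", "tcp", 443,
                   b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03")
CLEAR_ON_443 = Packet("10.0.0.5", "203.0.113.10", "tcp", 443,
                      b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n")
SQLI_ON_80 = Packet("10.0.0.5", "203.0.113.10", "tcp", 80,
                    b"GET /items?id=1 UNION SELECT 1,2 HTTP/1.1\r\n\r\n")
SSH = Packet("10.0.0.5", "203.0.113.10", "tcp", 22, b"SSH-2.0-OpenSSH")

if __name__ == "__main__":
    for label, p in [("tls", TLS_HELLO), ("clear-443", CLEAR_ON_443),
                     ("sqli-80", SQLI_ON_80), ("ssh", SSH)]:
        print(f"{label:10s} L4={l4_filter(p):5s} NGFW={ngfw_decision(p)}")
```

The cleartext request on port 443 and the injection attempt on port 80 are both "allow" to the Layer 4 filter, because port and protocol are all it evaluates; only the inspection stage sees the payload and turns those into drops.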

Q8. Management is concerned that employees may inadvertently or intentionally make system changes that produce unintended consequences. Which activity should be explicitly restricted for standard desktop users?

Correct answer: C. Unauthorized software installations

Installing unapproved software can introduce instability, security vulnerabilities, or compliance violations. A formal change management process helps ensure that all modifications are tested before rollout. MFA is a security best practice for logins and should not be restricted. Desktop users generally require the ability to restart their own applications or systems without affecting other systems.

Q9. A web server is experiencing performance degradation because it must perform all cryptographic operations itself. An administrator wants to move the cryptographic workload to a dedicated, separate device. Which solution should they deploy?

Correct answer: C. HSM

A hardware security module (HSM) is a dedicated device, available as an add-in card, a standalone network appliance, or a cloud service, that performs cryptographic operations on behalf of the host and keeps the keys inside its own tamper-resistant boundary. A TPM, by contrast, is a chip embedded on the motherboard that securely stores keys and platform measurements for that one device; it is not designed to offload bulk cryptographic work. A password vault stores user credentials behind a master password. A password key is simply a secret credential.

Q10. A financial institution mandates that all servers run only the latest operating system. One critical application, however, is incompatible with the current OS version and must run on an older release. The institution places that server in a segregated network segment. Which type of security control does this represent?

Correct answer: C. Compensating

Compensating controls are applied when the preferred control cannot be implemented, often to satisfy compliance requirements. Here, network isolation compensates for the inability to upgrade the OS. Preventative controls stop incidents from occurring (e.g., locked doors). Detective controls identify when an incident has happened (e.g., IDS). Corrective controls restore systems after an incident (e.g., restoring from backup).

Exam facts and objectives sourced from the official CompTIA certification page. Last reviewed June 2026.

Ready for the full CompTIA Security+ bank? Start free.

1,126 questions, timed mock exams, and missed-question review — 30 free questions, no card.
