10 free, exam-style CompTIA Security+ (SECURITY Plus) practice questions with answers and explanations. No signup required. Work through them below, then take the full free SECURITY Plus practice test to study every exam domain.
An organization is implementing Zero Trust architecture. A user requests access to a sensitive database. Which Zero Trust component is responsible for making the actual decision to allow or deny that access?
Correct answer: A - The Policy Engine
A SIEM analyst notices that a finance employee successfully authenticated to the corporate VPN from New York at 9:00 AM, then authenticated again from Tokyo at 9:15 AM. No travel is recorded in the HR system. Which indicator of compromise does this BEST represent?
Correct answer: D - Impossible travel detection
A startup is choosing between AWS EC2 (IaaS), Azure App Service (PaaS), and Microsoft 365 (SaaS) for different workloads. Which model places the GREATEST share of security responsibility on the customer?
Correct answer: A - IaaS, because the customer manages the OS upward
A network engineer is configuring an IPsec VPN tunnel between two offices. The traffic must be both encrypted in transit and authenticated for integrity. Which IPsec component provides confidentiality, which AH cannot provide on its own?
Correct answer: B - The Encapsulating Security Payload (ESP)
A user authenticates to the corporate portal by entering their password and then approving a push notification on their authenticator app. Which combination of authentication factors is being used?
Correct answer: C - Something you know plus something you have
A developer is integrating a third-party application that needs to access a user's calendar data on their behalf, without ever seeing the user's password. Which protocol BEST fits this use case, and how does it differ from OpenID Connect (OIDC)?
Correct answer: A - OAuth 2.0 - handles authorization (delegated access); OIDC builds on OAuth and adds authentication
An organization configures DMARC with a policy of 'p=reject'. For DMARC to actually reject a forged email, the message must fail authentication checks performed by which two underlying technologies that DMARC builds on?
Correct answer: B - SPF and DKIM for sender authentication
A SOC analyst detects active ransomware encrypting files on three workstations. Following CompTIA's incident response process, the team's IMMEDIATE next action is to disconnect the affected hosts from the network. Which IR phase does this action represent?
Correct answer: C - The Containment phase
A risk analyst is calculating the Annualized Loss Expectancy for a server. The server is valued at $200,000. A flood would destroy 25% of its value. Floods occur in this region approximately once every two years. What is the ALE?
Correct answer: A - $25,000 per year
A company is establishing a long-term relationship with a managed service provider. They expect to issue multiple specific projects to this vendor over several years. They want a single contract that sets the overall terms - pricing, liability, confidentiality, dispute resolution - so each individual project can be authorized quickly without renegotiating those terms. Which document is MOST appropriate?
Correct answer: D - A Master Service Agreement (MSA)
Practice hundreds more SECURITY Plus questions with instant scoring, weak-area drills, and full exam simulations.