What does DNS provide?
List of local RIP tables
Translation of a domain name into an IP address
Creation of an IPSec tunnel between networks
Network scanning for any vulnerabilities
DNS provides translation between human-readable domain names and IP addresses. For example, users remember domain names, while network communication requires IP addresses to route traffic. DNS resolves the name to the address needed for the connection. DNS does not provide local RIP tables; RIP is a routing protocol. It does not create IPsec tunnels; VPN technologies and protocols such as IKE and IPsec handle that. DNS also does not scan networks for vulnerabilities. From a security perspective, DNS is highly important because many attacks rely on domain names for phishing, malware delivery, command-and-control, or data exfiltration. DNS logs can help investigators identify suspicious lookups, newly registered domains, and connections to known malicious infrastructure. DNS security controls may block or sinkhole malicious domains before a connection is established. In simple terms, DNS is the phonebook of network communication, but it is also a valuable security telemetry source. Reference/topics: Network Fundamentals 2.4, DNS; Cybersecurity 1.3, C2 and common attack types.
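The explanation above describes DNS logs as security telemetry and DNS controls that block or sinkhole malicious domains. The following is an added example (not from the page or the exam vendor) that shows what that triage looks like in code: it parses a few constructed resolver log lines, flags lookups against a constructed blocklist standing in for a threat-intelligence feed, flags long random-looking hostnames of the kind seen in tunneling or domain-generation malware, and models the sinkhole decision. The log format, the blocklist entries, the sinkhole address and the entropy threshold are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample resolver log lines (not from the page): timestamp, client, "query", name, record type.
SAMPLE_DNS_LOG = """\
2024-05-01T09:00:01Z 10.0.0.15 query www.example.com A
2024-05-01T09:00:02Z 10.0.0.15 query mail.example.com A
2024-05-01T09:00:03Z 10.0.0.22 query login-verify-account.example.net A
2024-05-01T09:00:04Z 10.0.0.22 query 4f9a2e7c1b8d6e3a0f5c.cdn-updates.example.org A
2024-05-01T09:00:05Z 10.0.0.22 query 7b3d0c9e2f1a8b4c6d5e.cdn-updates.example.org A
2024-05-01T09:00:06Z 10.0.0.31 query time.example.com A
"""

# Constructed blocklist standing in for a feed of known phishing / C2 domains (assumption, not real intel).
BLOCKLIST = {"login-verify-account.example.net"}

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def parse_dns_log(text):
    """Turn raw resolver lines into dicts; lines that do not match the assumed shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            events.append({"ts": ts, "client": client,
                           "qname": qname.lower().rstrip("."), "qtype": qtype})
    return events


def registered_domain(qname):
    """Crude two-label registered domain (example.org for a.b.example.org).
    Production code should use the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score close to the alphabet maximum."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(events, blocklist=BLOCKLIST, entropy_threshold=3.5, min_label_len=16):
    """Return (reason, event) findings: blocklisted names first, then long high-entropy leftmost labels.
    Thresholds are assumptions for the example; tune them against your own baseline."""
    findings = []
    for ev in events:
        name = ev["qname"]
        if name in blocklist or registered_domain(name) in blocklist:
            findings.append(("blocklisted-domain", ev))
            continue
        first = name.split(".")[0]
        if len(first) >= min_label_len and label_entropy(first) >= entropy_threshold:
            findings.append(("high-entropy-label", ev))
    return findings


def sinkhole_decision(qname, blocklist=BLOCKLIST, sinkhole_ip="10.255.255.1"):
    """Model a DNS security control: a blocklisted name gets a sinkhole answer instead of the real address,
    so the client never reaches the malicious host. Returns None when the name should resolve normally."""
    if qname in blocklist or registered_domain(qname) in blocklist:
        return sinkhole_ip
    return None


if __name__ == "__main__":
    for reason, ev in triage(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{reason:20} {ev['client']:12} {ev['qname']}")
```

The two hex-looking labels are 20 characters long with 16 distinct characters, which puts their entropy near 3.9 bits per character; ordinary hostnames such as `www` or `mail` are too short to be scored at all, which is what keeps this check from drowning analysts in noise.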
Which tool resides on a host to identify malicious activity?
Intrusion Detection System (IDS)
Unified threat detection device
Endpoint protection agent
Next-generation firewall appliance
An endpoint protection agent is software installed directly on a host, such as a workstation, laptop, or server, to monitor local activity and identify malicious behavior. Because it resides on the endpoint, it can observe processes, files, registry changes, network connections, and user activity that may not be visible to a perimeter security device. This makes it especially useful for detecting malware execution, suspicious scripts, privilege abuse, and post-compromise activity. An IDS may detect suspicious patterns, but the answer is not precise because IDS can be network-based or host-based and is not necessarily an agent. A next-generation firewall appliance is typically deployed inline at a network control point, not directly on the host. “Unified threat detection device” is not the standard course term for a host-resident control. The Palo Alto Networks Cybersecurity Apprentice blueprint places endpoint protection components under Endpoint Security and also recognizes host-based detection concepts under cybersecurity threat detection systems. Reference: Cybersecurity Apprentice Datasheet, Endpoint Security 4.3 and Cybersecurity 1.4.
Which activity increases the ability of endpoint protection to successfully identify threats?
Creating honeypots
Implementing virtualization
Encoding null routes
Applying security updates
Applying security updates improves endpoint protection by closing known vulnerabilities, updating defensive components, and reducing the number of exploitable weaknesses on the host. Endpoint protection relies on current software, current detection logic, and patched operating systems or applications to recognize and resist common attack techniques. When systems remain unpatched, attackers can use known exploits that security tools may detect but cannot always prevent from succeeding if the vulnerable component remains exposed. Honeypots are deception systems used to attract or study attackers, but they do not directly improve endpoint protection on user devices. Virtualization can isolate workloads or support testing, but it is not the best answer for improving endpoint threat identification. Null routes are network routing controls used to discard traffic and are unrelated to endpoint detection capability. Security updates are a basic but essential endpoint security component because they reduce attack surface and improve compatibility with modern protections. Reference/topics: Endpoint Security 4.3, security updates and antivirus; Cybersecurity 1.5, threat prevention practices.
Which event would generate a false positive alert?
A firewall categorizes a benign application as malicious.
A network sensor is unable to identify a custom application.
A network tunnel accidentally switches from one route to another.
An employee attempts to access an unauthorized application.
A false positive occurs when a security control identifies normal or benign activity as malicious. If a firewall categorizes a benign application as malicious, it generates an alert or enforcement decision that incorrectly indicates threat activity. That is the definition of a false positive. A network sensor being unable to identify a custom application is a visibility or classification limitation, but not necessarily a false positive unless it incorrectly labels the traffic as malicious. A tunnel switching routes may be a network event or availability issue. An employee attempting to access an unauthorized application may be a true policy violation, even if it is not malicious. False positives matter because they consume analyst time, reduce trust in alerts, and contribute to alert fatigue. SOC teams reduce false positives by tuning rules, improving context, using baselines, adding allow lists carefully, and refining detection logic. Reference/topics: Security Operations 6.4, false positive and false negative alerts; Network Security 3.2, firewall policy enforcement.
Which type of device does a Host-Based Intrusion Detection System (HIDS) monitor?
Appliance
Computer
Switch
Router
A Host-Based Intrusion Detection System monitors an individual host, which is typically a computer, server, or endpoint device. Its purpose is to inspect activity occurring on that system rather than traffic across an entire network segment. A HIDS can evaluate system logs, file integrity, configuration changes, authentication events, and suspicious local behavior. This distinguishes it from a Network-Based Intrusion Detection System, which observes packets traversing a network link or segment. A switch and router are network infrastructure devices, and while they may generate logs or support monitoring, they are not the primary monitored object of a HIDS. The term “appliance” is too broad and usually refers to a dedicated hardware or virtual security device. Palo Alto Networks lists IDS, HIDS, and NIDS as common threat detection systems in the Cybersecurity Apprentice Cybersecurity domain, requiring candidates to distinguish where each system operates and what it observes. Reference: Cybersecurity Apprentice Datasheet, Cybersecurity 1.4.
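File integrity checking is one of the HIDS capabilities named above, and it is the one most easily shown end to end. The block below is an added example (not from the page or any HIDS product): it hashes every regular file under a directory into a baseline, then compares a later snapshot against it and reports files that were added, removed, rewritten, or had their permission bits changed. The `demo()` function builds a constructed stand-in for a configuration directory in a temporary folder and simulates tampering so the comparison has something to find; the file names and contents are assumptions for the example.

```python
import hashlib
import os
import tempfile


def file_sha256(path):
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits, size) for every regular file under root.
    Symlinks are skipped so a planted link cannot make the checker read outside the tree."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (file_sha256(full), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare_baseline(old, new):
    """Classify differences between two snapshots. A hash change is reported as 'modified';
    a permission change on an otherwise identical file is reported separately."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in both if old[p][0] != new[p][0]),
        "permission_changed": sorted(p for p in both
                                     if old[p][0] == new[p][0] and old[p][1] != new[p][1]),
    }


def demo():
    """Constructed scenario: baseline a fake config directory, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ssh"))
        files = {
            "passwd": "root:x:0:0:root:/root:/bin/bash\n",
            os.path.join("ssh", "sshd_config"): "PermitRootLogin no\n",
            "hosts": "127.0.0.1 localhost\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(content)
        os.chmod(os.path.join(root, "passwd"), 0o644)
        baseline = build_baseline(root)

        # Simulated changes an analyst would want surfaced (constructed, not a real incident):
        with open(os.path.join(root, "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")          # config weakened
        os.remove(os.path.join(root, "hosts"))        # file deleted
        with open(os.path.join(root, "cron.allow"), "w") as f:
            f.write("newuser\n")                      # unexpected file appears
        os.chmod(os.path.join(root, "passwd"), 0o666)  # world-writable permission

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:20} {paths}")
```

Storing the baseline itself somewhere the monitored host cannot rewrite (a separate signed store, or the management server) is what turns this from a self-check into a control an attacker with root cannot silently defeat.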
Why is it important to have a clear and well documented incident response plan?
It increases storage for logs and incident events.
It provides additional methods to identify users.
It increases code deployment efficiency.
It reduces the time required to contain and identify a breach.
A clear and well-documented incident response plan reduces the time required to identify, contain, and recover from a breach. During an incident, confusion costs time. A documented plan defines roles, escalation paths, communication requirements, evidence handling, containment steps, decision authority, and recovery procedures. This allows teams to act quickly and consistently instead of improvising under pressure. Increasing log storage may support investigations, but it is not the purpose of the response plan. User identification methods belong to identity security. Code deployment efficiency is a CI/CD concern. Incident response plans also support training and tabletop exercises, allowing teams to rehearse before real attacks occur. After incidents, the plan can be updated with lessons learned so future response improves. The value of the plan is operational readiness: everyone knows who does what, when to escalate, and how to reduce damage. Reference/topics: Security Operations 6.3, incident response plan; Security Operations 6.1, investigate, mitigate, improve.
Batch 7 — Questions 86–100
What is the purpose of the IKE protocol?
To manage IP addresses and assign them to devices
To authenticate users accessing a wireless network
To establish authenticated communication channels
To translate domain names into IP addresses
Internet Key Exchange, or IKE, is used to establish authenticated security associations for encrypted communications, most commonly in IPsec VPN environments. Its role is to help peers authenticate each other, negotiate cryptographic parameters, and create the secure channel that will protect traffic between devices or sites. This makes answer C correct. IKE does not assign IP addresses to devices; that function belongs to DHCP. It does not translate domain names into IP addresses; that is the role of DNS. It also is not primarily a wireless user authentication protocol, although authentication is a component of IKE negotiation between VPN peers. In practical terms, IKE is part of the trust-building process before encrypted VPN traffic can safely pass. Palo Alto Networks places IKE in the Network Security domain under tunneling protocols, alongside SSH and TLS, because these protocols support protected communication across untrusted networks. Reference: Cybersecurity Apprentice Datasheet, Network Security 3.4.
Which stage of the cyber attack lifecycle is characterized by an attacker passing instructions back and forth between infected devices and their own infrastructure?
Command-and-control (C2)
Exploitation
Reconnaissance
Weaponization and Delivery
Command-and-control is the lifecycle stage where compromised systems communicate with attacker-controlled infrastructure. This communication may deliver commands, retrieve additional malware, update configuration, report system status, or prepare for lateral movement and data theft. The phrase “passing instructions back and forth” is the defining signal for C2. Exploitation is the moment an attacker uses a weakness to compromise a system. Reconnaissance is pre-attack information gathering. Weaponization and Delivery involve preparing and transmitting the malicious payload to the target. C2 traffic is a high-value detection opportunity because it often requires outbound communication to domains, IP addresses, or protocols that differ from normal business activity. Defenders look for beaconing patterns, suspicious DNS queries, unusual destinations, and connections to known malicious infrastructure. Disrupting C2 can limit an attacker’s ability to operate even after initial compromise. Reference/topics: Cybersecurity 1.2, cyber attack lifecycle; Cybersecurity 1.3, command and control.
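The explanation names beaconing as one of the patterns defenders look for. The following added example (not from the page) shows the core of a beaconing detector: it groups constructed connection records by source and destination, measures the regularity of the gaps between connections and of the bytes transferred, and flags pairs whose timing is far more regular than human-driven traffic. The record format, the addresses and the thresholds are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection records (not from the page): time, source, destination, bytes sent.
# The first host talks to one destination every ~60 seconds with near-identical sizes;
# the second host browses a site in the irregular bursts a person produces.
SAMPLE_CONNECTIONS = """\
2024-05-01T10:00:00Z 10.0.0.22 203.0.113.50 512
2024-05-01T10:01:00Z 10.0.0.22 203.0.113.50 514
2024-05-01T10:02:01Z 10.0.0.22 203.0.113.50 510
2024-05-01T10:03:00Z 10.0.0.22 203.0.113.50 512
2024-05-01T10:04:00Z 10.0.0.22 203.0.113.50 511
2024-05-01T10:05:01Z 10.0.0.22 203.0.113.50 513
2024-05-01T10:00:10Z 10.0.0.15 198.51.100.7 20480
2024-05-01T10:00:45Z 10.0.0.15 198.51.100.7 1024
2024-05-01T10:07:30Z 10.0.0.15 198.51.100.7 98304
2024-05-01T10:09:02Z 10.0.0.15 198.51.100.7 4096
2024-05-01T10:20:00Z 10.0.0.15 198.51.100.7 2048
2024-05-01T10:21:15Z 10.0.0.15 198.51.100.7 512
"""


def parse_connections(text):
    """Parse whitespace-separated records into (datetime, src, dst, bytes); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, parts[1], parts[2], int(parts[3])))
    return records


def beacon_candidates(records, min_connections=5, max_gap_cv=0.2, max_size_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps and payload sizes are both very regular.
    CV = population stdev / mean. Timer-driven implants produce a low CV; people produce a high one.
    Thresholds are assumptions for the example; tune them on your own traffic."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_connections:
            continue                      # too few samples to judge regularity
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue                      # all connections share a timestamp; not a beacon pattern
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            findings.append({"src": src, "dst": dst, "count": len(conns),
                             "mean_interval_s": round(mean_gap, 1),
                             "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3)})
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"possible beacon: {f['src']} -> {f['dst']} every ~{f['mean_interval_s']}s "
              f"({f['count']} connections, gap CV {f['gap_cv']})")
```

Real implants add jitter to their sleep interval, so production detectors also look at longer windows, destination rarity across the fleet, and whether the destination was first seen recently; this example isolates the regularity test because that is the part the paragraph describes.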
Which concept is a strategic approach to cybersecurity that continuously validates every stage of a digital interaction?
Incident response plan implementation
Zero Trust adoption
Compliance planning
Operations playbook development
Zero Trust is a strategic security approach based on continuous validation rather than implicit trust. Instead of assuming that users, devices, applications, or workloads are trustworthy because they are inside a network boundary, Zero Trust requires verification throughout the digital interaction. This includes validating identity, device posture, application access, least privilege, segmentation, and ongoing behavior. Incident response plans are important after suspicious activity or incidents occur, but they are not the continuous trust validation model. Compliance planning maps controls to regulatory or framework requirements, but compliance alone does not guarantee continuous security verification. Operations playbooks guide repeatable SOC actions, but they are procedural tools rather than the strategic architecture described in the question. Zero Trust adoption changes how access decisions are made: trust is earned, scoped, and re-evaluated, not permanently granted. Reference/topics: Cybersecurity 1.6, Zero Trust; Identity Security 7.1 and 7.2, IAM, MFA, RBAC, least privilege.
What is the purpose of continuous deployment in the CI/CD lifecycle?
Maintaining a state in which any version of the software can be deployed to a production environment.
Merging code changes into a central repository
Packaging code into a Docker container for deployment
Automatically deploying every change that passes the automated tests to production, minimizing lead time
Continuous deployment is the CI/CD practice in which every code change that successfully passes automated tests and quality gates is automatically released to production. The purpose is to reduce lead time, accelerate delivery, and make deployments smaller, more frequent, and more repeatable. This differs from continuous delivery, where software is kept in a deployable state but production release may still require manual approval. Merging code changes into a central repository is continuous integration. Packaging code into a Docker container may be part of a pipeline, but it is not the defining purpose of continuous deployment. Maintaining a deployable state describes continuous delivery more closely than continuous deployment. From a security perspective, CI/CD must include guardrails such as code scanning, dependency checks, secrets detection, image scanning, and deployment policy enforcement. Rapid deployment without security checks can spread defects quickly, while secure CI/CD improves both speed and control. Reference/topics: Cloud Security 5.6, CI/CD; Identity Security 7.4, secrets management in CI/CD pipelines.
Which activity is a core component of the Improve function in security operations?
Deploying new security tools and technologies
Performing routine hardware upgrades
Updating incident response plans based on lessons learned
Training users on basic cybersecurity awareness
The Improve function focuses on learning from operations and incidents to strengthen future performance. Updating incident response plans based on lessons learned is a direct example. After an incident, the SOC and response teams should review what happened, what worked, what failed, what was delayed, and which controls or procedures need revision. That feedback can improve playbooks, escalation paths, logging requirements, alert logic, containment steps, and communication plans. Deploying new tools may support improvement, but tool deployment alone is not the core Improve activity. Routine hardware upgrades are IT maintenance tasks. User awareness training is valuable prevention, but the specific Improve function in security operations is more closely tied to operational feedback and process refinement. A mature SOC treats incidents as learning opportunities. The goal is not only to close the current case, but to reduce the chance, duration, or impact of similar incidents in the future. Reference/topics: Security Operations 6.1, Improve function; Security Operations 6.3, incident response plan.
What are two of the four Cs of cloud-native security? (Choose two.)
Configurations
Code
Connections
Clusters
Two of the four Cs of cloud-native security are Code and Clusters. The four-Cs model is commonly used to organize cloud-native security responsibilities across layers: cloud, cluster, container, and code. Code is the application logic and dependencies that developers produce, and it must be secured through review, scanning, dependency management, and secrets control. Cluster refers to the orchestration environment that runs workloads, commonly Kubernetes, and must be secured through access control, configuration hardening, network policy, and runtime monitoring. Configurations are extremely important in cloud security, but “Configurations” is not one of the four Cs in this model. Connections are also important, especially for service communication and network policy, but they are not one of the named four Cs. The model is useful because cloud-native risk is layered: weak code, vulnerable containers, misconfigured clusters, or insecure cloud infrastructure can each become an attack path. Reference/topics: Cloud Security 5.5, CNSP; Cloud Security 5.4, container, microservice, and cloud terms.
What is a desired outcome of automation in a security operations center (SOC)?
Increased number of alerts
Increased MTTR
Increased efficiency
Increased false positives
The desired outcome of SOC automation is increased efficiency. Automation allows repetitive, time-sensitive, and well-defined tasks to be executed consistently without requiring manual analyst effort every time. Examples include indicator enrichment, alert deduplication, ticket creation, endpoint isolation, user notification, or evidence collection. Automation should reduce workload, improve response speed, and help analysts spend more time on judgment-heavy investigation. Increasing the number of alerts is not desirable; alert volume should be reduced or better prioritized. Increasing MTTR is also undesirable because mean time to respond or recover should decrease as processes mature. Increasing false positives is harmful because it consumes analyst time and can cause alert fatigue. In a mature SOC, automation is often paired with playbooks and SOAR tooling so that repeatable response steps can be executed reliably while still allowing analyst approval for sensitive actions. Reference/topics: Security Operations 6.2, automation and AI; Security Operations 6.6, SOAR and SIEM.
A hub operates on which OSI layer?
Layer 1
Layer 2
Layer 3
Layer 4
A hub operates at Layer 1, the Physical layer of the OSI model. It repeats electrical or signaling information received on one port out to other ports without understanding frames, MAC addresses, IP addresses, sessions, or applications. Because a hub does not make intelligent forwarding decisions, every connected device receives the same signal, creating a shared collision domain in older Ethernet environments. This differs from a switch, which operates primarily at Layer 2 and forwards frames based on MAC addresses. Routers operate at Layer 3 using IP addressing and routing tables. Layer 4 devices or functions evaluate transport information such as TCP or UDP ports. The purpose of knowing where devices sit in the OSI model is to understand what data each device can inspect and what security decisions it can support. A hub provides connectivity but not meaningful segmentation or filtering. Reference/topics: Network Fundamentals 2.6, OSI model; Network Fundamentals 2.7, devices operating at Layers 1 through 4.
Which statement best distinguishes a Host-Based Intrusion Detection System (HIDS) from a Network-Based Intrusion Detection System (NIDS)?
Network-Based is installed on an individual endpoint to monitor all inbound/outbound traffic of that device.
Host-Based is installed on an individual endpoint to monitor all inbound/outbound traffic of that traffic.
Host-Based directly integrates with the endpoint and is known as the last line of defense.
Network-Based directly integrates with the endpoint and is known as the last line of defense.
A HIDS directly integrates with an endpoint or host and monitors activity on that system. It can evaluate logs, file changes, processes, authentication activity, configuration changes, and local indicators that may not be visible on the network. This makes it a last line of defense because it can detect suspicious activity after traffic has reached the host or when malicious activity occurs locally. A NIDS monitors traffic on a network segment rather than being installed on each individual endpoint. Answer A incorrectly describes network-based detection as endpoint-installed. Answer B is awkwardly worded and less precise than answer C. Answer D incorrectly assigns endpoint integration to NIDS. HIDS and NIDS are complementary. NIDS provides broad network visibility, while HIDS provides deep host-level visibility. Security teams use both types of telemetry to understand attack scope and confirm whether suspicious network behavior resulted in endpoint compromise. Reference/topics: Cybersecurity 1.4, IDS, HIDS, and NIDS; Endpoint Security 4.3, host-based controls.
Syslog would be used for which activity?
Transferring log events within networks
Securing endpoints via runtime protection
Securing logs collected from endpoints
Connecting to a system remotely
Syslog is used to send log messages from systems, network devices, applications, and security tools to a centralized collector or logging platform. Its primary purpose is event transfer and collection, making answer A correct. Security operations teams rely on log events to investigate alerts, correlate activity, build timelines, identify indicators of compromise, and support compliance or audit requirements. Syslog itself does not provide endpoint runtime protection; endpoint agents or EDR tools handle that. It also does not inherently secure logs, although logs sent via protected transport or stored in controlled platforms can be secured by other mechanisms. Remote system access is typically associated with protocols such as SSH or RDP, not syslog. In SOC environments, syslog is often one of the inputs into SIEM platforms, where events from many sources are normalized, searched, correlated, and retained. Reference/topics: Security Operations 6.5, function of syslog; Security Operations 6.6, SIEM and SOAR.
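Because syslog is the transport the paragraph describes, the natural example is the normalization step a SIEM performs on arrival. The block below is an added example (not from the page or any SIEM vendor) that parses both the BSD-style format of RFC 3164 and the newer RFC 5424 format, decodes the PRI field into facility and severity names, and counts events per (facility, severity). The sample messages are constructed; the hostnames, addresses and application names are assumptions for the example.

```python
import re
from collections import Counter

# Facility and severity names following RFC 5424 section 6.2.1 (abbreviated forms).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample messages (not from the page): two RFC 3164 lines, one RFC 5424 line, one junk line.
SAMPLE_SYSLOG = """\
<86>May  1 09:12:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.15 port 51514 ssh2
<38>May  1 09:12:05 web01 sshd[2207]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
<165>1 2024-05-01T09:12:07.000Z fw01.example.com fwlog 4410 ID47 - denied tcp 203.0.113.9:40022 -> 10.0.0.8:22
not a syslog line at all
"""

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity. Values above 191 cannot be produced by a valid sender."""
    if not 0 <= pri <= 191:
        raise ValueError(f"invalid PRI {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog_line(line):
    """Normalize one message into a dict, or return None when neither format matches."""
    for fmt, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(line)
        if m:
            facility, severity = decode_pri(int(m.group("pri")))
            pid = m.group("pid")
            return {
                "format": fmt,
                "facility": facility,
                "severity": severity,
                "timestamp": m.group("ts"),
                "host": m.group("host"),
                "app": m.group("app"),
                "pid": None if pid in (None, "-") else int(pid),   # "-" is the RFC 5424 nil value
                "msg": m.group("msg"),
            }
    return None


def parse_syslog(text):
    """Parse many lines; unparseable lines are dropped here (a collector should count them instead)."""
    return [ev for ev in (parse_syslog_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events):
    """Events per (facility, severity): the first pivot when onboarding a new source into a SIEM."""
    return Counter((ev["facility"], ev["severity"]) for ev in events)


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_SYSLOG)
    for ev in events:
        print(f"{ev['format']} {ev['facility']}.{ev['severity']} {ev['host']} {ev['app']}: {ev['msg']}")
    print(summarize(events))
```

Note that the message body is carried as plain text in both formats; the point the paragraph makes about syslog not securing logs shows up here as the absence of any integrity or confidentiality field, which is why collectors pair it with TLS transport and controlled storage.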
What is the primary purpose of an Intrusion Prevention System (IPS)?
Detecting malicious traffic before reaching trusted network
Filtering malicious traffic before reaching trusted network
Building code for server infrastructure
Deploying scanners for server infrastructure
An Intrusion Prevention System is designed to inspect traffic and actively stop malicious activity before it reaches protected systems. The key distinction is prevention: an IPS can block, drop, reset, or otherwise filter traffic that matches known exploit patterns, malicious signatures, protocol anomalies, or policy violations. Answer A describes detection, which is closer to the function of an IDS. An IDS monitors and alerts, while an IPS operates inline and can enforce a blocking decision. Building code for server infrastructure and deploying scanners are not IPS functions. In practice, IPS capabilities are often integrated into next-generation firewalls so that threat prevention occurs at network enforcement points. IPS is especially important for reducing exploit exposure against servers, applications, and internal systems because it can interrupt attacks in transit. However, IPS does not replace patching; it reduces risk while vulnerabilities are being fixed or when unknown exposure exists. Reference/topics: Cybersecurity 1.5, intrusion prevention systems; Cybersecurity 1.4, IDS/HIDS/NIDS comparison.
In which cloud service model does a company use hardware resources from a cloud service provider?
Platform as a service (PaaS)
Software as a service (SaaS)
Network as a service (NaaS)
Infrastructure as a service (IaaS)
Infrastructure as a Service provides cloud-hosted infrastructure resources such as compute, storage, and networking. In IaaS, the customer uses provider-operated hardware resources without owning the physical servers, racks, power, cooling, or data center facilities. The customer typically remains responsible for securing operating systems, applications, data, identities, and workload configurations. PaaS provides a managed platform for developing and deploying applications, where the provider handles more of the runtime environment. SaaS delivers a complete application that customers consume directly. NaaS delivers networking capabilities as a service. The phrase “hardware resources from a cloud service provider” points directly to IaaS because the customer consumes virtualized infrastructure backed by provider hardware. Security teams must understand IaaS because it creates a shared responsibility boundary: the provider secures the physical infrastructure, while the customer secures what they build, configure, and run on top of it. Reference/topics: Cloud Security 5.2, IaaS, PaaS, SaaS, NaaS; Cloud Security 5.3, shared responsibility.
Why would an organization implement a demilitarized zone (DMZ)?
To provision multiple external zones that allow for destination NAT
To facilitate the use of SD-WAN departments within an organization
To allow effective communications with other organizations
To protect internal resources while still allowing access to public-facing internet services
A DMZ is implemented to host public-facing services while reducing direct exposure to the internal trusted network. Web servers, mail gateways, VPN portals, or other externally accessible systems may be placed in a DMZ so internet users can reach required services without being allowed directly into internal resources. The DMZ acts as a controlled buffer zone between untrusted external networks and trusted internal networks. Destination NAT may be used with DMZ services, but provisioning external zones for NAT is not the core reason. “SD-WAN departments” is not a valid DMZ purpose. Communication with other organizations may occur through public services, but the security purpose is controlled exposure and internal protection. DMZ design supports segmentation, firewall policy, logging, and containment. If a public-facing server is compromised, proper DMZ controls reduce the attacker’s ability to pivot into sensitive internal systems. Reference/topics: Network Security 3.1, zone segmentation; Network Security 3.2, firewall policy enforcement.
What is an effective use case of URL filtering?
Monitoring threat logs and traffic logs
Restricting access to phishing websites
Acting as a sandbox for potentially malicious files
Discovering internet of things (IoT) devices
Restricting access to phishing websites is an effective URL filtering use case. URL filtering evaluates web destinations by category, reputation, risk, or policy and can block users from visiting malicious or prohibited sites. Phishing sites are designed to steal credentials or sensitive information, so blocking known or suspected phishing URLs reduces the chance that users will submit passwords or tokens to attacker-controlled pages. Monitoring threat logs and traffic logs is a security operations activity, not the direct purpose of URL filtering. Sandboxing potentially malicious files is a malware analysis function. Discovering IoT devices is asset visibility or IoT security, not URL filtering. URL filtering is especially valuable when combined with user awareness, DNS security, browser protection, and identity-based policy. Because phishing often starts with a link, controlling access to risky web destinations is a practical prevention layer. Reference/topics: Network Security 3.3, URL filtering; Cybersecurity 1.3, social engineering and phishing.
What is the primary goal of the Weaponization and Delivery stage in the cyber attack lifecycle?
Developing and testing malware for bypassing defenses
Ensuring compliance with Security policies
Distributing compromised hardware to targets
Creating a malicious payload by using vulnerabilities
The Weaponization and Delivery stage focuses on preparing and transmitting the attack mechanism that will be used against the target. In this phase, the attacker turns knowledge gathered during reconnaissance into a usable malicious payload. That payload may exploit a software vulnerability, embed malicious code into a document, or prepare a link, file, or package that can compromise the victim once executed or accessed. The correct answer is D because it combines the creation of a malicious payload with the use of vulnerabilities, which is the operational purpose of weaponization. Developing and testing malware is related, but it is narrower and does not fully capture delivery to the target. Compliance with security policies is a defensive governance activity, not an attacker lifecycle phase. Distributing compromised hardware can occur in some supply chain attacks, but it is not the primary definition of this lifecycle stage. Palo Alto Networks requires candidates to identify and describe stages of the cyber attack lifecycle under the Cybersecurity domain. Reference: Cybersecurity Apprentice Datasheet, Cybersecurity 1.2.
Which scenario is an example of east-west traffic?
A virtual machine (VM) communicates with a host on the internet.
A traffic pattern passes through perimeter-focused defense.
A host computer communicates with an infected offsite server.
A host computer communicates with a virtual machine (VM) in the same network.
East-west traffic refers to communication that occurs inside an environment, such as between internal hosts, workloads, virtual machines, or servers. A host computer communicating with a virtual machine in the same network is east-west because the traffic stays internal rather than entering or leaving through a perimeter. This type of traffic is especially important in modern data centers and cloud environments because attackers often move laterally after compromising one system. North-south traffic, by contrast, moves between an internal environment and an external network such as the internet. A VM communicating with a host on the internet is north-south. Traffic passing through perimeter-focused defenses is also typically north-south. A host communicating with an infected offsite server leaves the local environment and is therefore not east-west. Security designs increasingly inspect east-west traffic because perimeter defenses alone cannot stop lateral movement once an internal foothold exists. Reference/topics: Network Fundamentals 2.2, north-south and east-west traffic flow patterns.
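The classification the paragraph walks through by hand (internal-to-internal is east-west, anything crossing the perimeter is north-south) is simple to automate, and doing so is the first step toward reporting on lateral-movement traffic at all. The block below is an added example (not from the page) that classifies each of the four scenarios in the question plus an IPv6 case using the standard library's `ipaddress` module. The set of "internal" prefixes is an assumption for the example: RFC 1918 space and IPv6 unique-local space, to which a real deployment would add its own cloud VPC ranges.

```python
import ipaddress

# Assumed internal address space for the example: RFC 1918 IPv4 ranges and IPv6 unique-local addresses.
# A real deployment replaces or extends this with its own VPC / VNet and data-center prefixes.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed flows (not from the page) mirroring the four answer options, plus two extra cases.
SAMPLE_FLOWS = [
    ("10.0.0.15", "10.0.1.40"),       # host computer to a VM in the same network
    ("10.0.1.40", "203.0.113.80"),    # VM to a host on the internet
    ("203.0.113.9", "10.0.0.8"),      # inbound traffic passing through the perimeter
    ("10.0.0.22", "198.51.100.7"),    # host to an offsite server
    ("203.0.113.9", "198.51.100.7"),  # neither endpoint is ours (transit, or a spoofed source)
    ("fd00:1::10", "fd00:1::20"),     # IPv6 unique-local to unique-local
]


def is_internal(addr, networks=INTERNAL_NETWORKS):
    """True when the address falls inside any configured internal prefix (IPv4 and IPv6 mix safely:
    membership tests across address families simply return False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify_flow(src, dst, networks=INTERNAL_NETWORKS):
    """east-west: both endpoints internal; north-south: exactly one internal;
    external-to-external: neither, which on an internal sensor usually means misconfiguration or spoofing."""
    s, d = is_internal(src, networks), is_internal(dst, networks)
    if s and d:
        return "east-west"
    if s != d:
        return "north-south"
    return "external-to-external"


def summarize_flows(flows, networks=INTERNAL_NETWORKS):
    """Count flows per direction; the east-west share is what a perimeter-only design never sees."""
    counts = {"east-west": 0, "north-south": 0, "external-to-external": 0}
    for src, dst in flows:
        counts[classify_flow(src, dst, networks)] += 1
    return counts


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>16} -> {dst:<16} {classify_flow(src, dst)}")
    print(summarize_flows(SAMPLE_FLOWS))
```

The useful operational twist is that the internal prefix list is the policy: a flow between two of your own hosts that the classifier reports as north-south means the address space inventory is incomplete, which is itself a finding worth fixing before relying on east-west inspection.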
Which pillar should a company focus on first when establishing a new security operations department?
Technology
Processes
People
Business
People should be the first pillar when establishing a security operations department. Tools and processes matter, but a SOC ultimately depends on skilled people who understand the environment, interpret alerts, make decisions, communicate risk, and improve operations. Without defined roles, responsibilities, escalation paths, and analyst capability, even advanced technology can become noisy and ineffective. Processes come next because people need repeatable methods for triage, investigation, mitigation, and improvement. Technology should support those people and processes, not replace them. Business context is also essential because the SOC must prioritize what matters most to the organization, but the first practical foundation is staffing and capability. A strong SOC needs analysts, incident responders, engineers, threat intelligence support, leadership, and clear ownership. Security operations is not just a tool stack; it is an operating function that converts telemetry into risk reduction. Reference/topics: Security Operations 6.1, SOC functions; Security Operations 6.2, optimizing SOC performance.
Batch 8 — Questions 101–113
Which attack takes place in the Exploitation phase of the cyber attack lifecycle?
Weaponized PDF file executing on a target
Malicious phishing link sent to a target
Polymorphic malware altering its structure on a target after gaining access
Undisclosed software vulnerability used to gain remote access to a target
Exploitation occurs when an attacker takes advantage of a vulnerability to cause unauthorized behavior, such as code execution, authentication bypass, privilege escalation, or remote access. An undisclosed software vulnerability used to gain remote access is a clear example of exploitation because the attacker is actively using a weakness to compromise the target. A malicious phishing link sent to a target is delivery, because it attempts to place the attack mechanism in front of the victim. A weaponized PDF executing may overlap with exploitation depending on the payload, but the strongest answer is the use of a software vulnerability to gain access. Polymorphic malware changing its structure after access is more closely related to evasion and persistence after compromise. The exam objective requires candidates to distinguish lifecycle stages by attacker intent: reconnaissance gathers, weaponization prepares, delivery transmits, exploitation triggers compromise, installation persists, command-and-control manages, and actions on objectives achieve the mission. Reference/topics: Cybersecurity 1.2, attack lifecycle; Cybersecurity 1.1, vulnerabilities and exploits.
What is a function of a Network-Based Intrusion Detection System (NIDS)?
Scanning and quarantining infected files on a host machine
Proxying traffic before reaching an internal network
Blocking malicious traffic from entering a network in real time
Monitoring network traffic and reporting results to an administrator
A Network-Based Intrusion Detection System monitors network traffic and reports suspicious findings to administrators or security tools. It observes packets traversing a network segment and compares activity against signatures, patterns, protocol anomalies, or behavior models. Because it is detection-focused, a NIDS typically alerts rather than blocks traffic inline. Scanning and quarantining infected files on a host machine is an endpoint security function. Proxying traffic before it reaches an internal network is a proxy function. Blocking malicious traffic in real time is more closely associated with an IPS or firewall. A NIDS is useful because it can provide visibility across multiple hosts without installing an agent on each one. However, encrypted traffic, high throughput, and east-west blind spots can limit visibility if sensors are not placed correctly. SOC teams use NIDS alerts as evidence during investigation and correlation. Reference/topics: Cybersecurity 1.4, NIDS and other threat detection systems; Security Operations 6.3, alerts and events.
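To make the "alerts rather than blocks" distinction concrete, here is an added example (written for this page, not code from the exam or its course material) of the three kinds of NIDS checks the explanation lists: signature matching, protocol anomaly detection, and a behavioural rule. It runs over a handful of constructed packet records; the addresses, signature patterns, thresholds and the `Packet` type are all assumptions made for the example. Note that `analyze()` only returns alerts, it never touches the traffic, which is exactly why a NIDS needs an IPS or firewall beside it to block anything.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One observed packet (constructed sample data, not a real capture)."""
    ts: float       # seconds since capture start
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


# Signature rules: (name, protocol, destination port or None for any, byte pattern).
# The patterns are constructed placeholders, not a real rule set.
SIGNATURES = [
    ("http-bad-user-agent", "tcp", 80, b"User-Agent: BadScanner/"),
    ("http-path-traversal", "tcp", None, b"../../"),
]

# Ports on which the checker expects an HTTP request line; other data there
# is reported as a protocol anomaly (e.g. TLS or tunnelled traffic on port 80).
HTTP_PORTS = {80, 8080}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

SCAN_PORT_THRESHOLD = 5   # distinct destination ports on one host from one source ...
SCAN_WINDOW = 2.0         # ... within this many seconds (assumed tuning values)


def signature_hits(pkt):
    """Names of signatures whose protocol, port and byte pattern all match."""
    return [name for name, proto, port, pat in SIGNATURES
            if pkt.proto == proto and (port is None or pkt.dport == port) and pat in pkt.payload]


def protocol_anomaly(pkt):
    """Report payload on an HTTP port that does not start with an HTTP method."""
    if pkt.proto == "tcp" and pkt.dport in HTTP_PORTS and pkt.payload \
            and not pkt.payload.startswith(HTTP_METHODS):
        return "non-http-on-http-port"
    return None


def scan_sources(packets):
    """Behavioural check: (src, dst) pairs where one source touches many ports quickly."""
    touched = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for p in packets:
        touched[(p.src, p.dst)].append((p.ts, p.dport))
    flagged = set()
    for pair, events in touched.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {dp for t, dp in events[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORT_THRESHOLD:
                flagged.add(pair)
                break
    return flagged


def analyze(packets):
    """Return alerts as (kind, detail, src, dst). Detection only: nothing is dropped."""
    alerts = []
    for p in packets:
        for name in signature_hits(p):
            alerts.append(("signature", name, p.src, p.dst))
        anomaly = protocol_anomaly(p)
        if anomaly:
            alerts.append(("anomaly", anomaly, p.src, p.dst))
    for src, dst in sorted(scan_sources(packets)):
        alerts.append(("behavior", "port-sweep", src, dst))
    return alerts


# Constructed sample traffic on RFC 1918 addresses.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "10.0.1.20", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n"),
    Packet(0.4, "10.0.0.7", "10.0.1.20", "tcp", 80,
           b"GET /login HTTP/1.1\r\nUser-Agent: BadScanner/1.0\r\n"),
    Packet(0.9, "10.0.0.9", "10.0.1.20", "tcp", 80, b"\x16\x03\x01\x00\xa5"),  # TLS record bytes
] + [
    Packet(1.0 + 0.1 * i, "10.0.0.50", "10.0.1.30", "tcp", port, b"")
    for i, port in enumerate((21, 22, 23, 25, 80, 443, 445))
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

Running it yields one signature alert, one protocol anomaly and one port-sweep alert from the sample set. The alerts are what a SOC would forward to a SIEM for correlation; sensor placement still decides what the detector ever gets to see, so the encrypted and east-west blind spots mentioned above apply to this code as much as to a commercial sensor.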
What are two functions of VPN gateways? (Choose two.)
Certificate refresh
Site-to-Site connectivity
Remote access
URL filtering
VPN gateways commonly provide site-to-site connectivity and remote access. Site-to-site VPN connects networks across encrypted tunnels, such as branch office to headquarters or cloud network to data center. Remote access VPN allows individual users to securely connect to enterprise resources from outside the corporate network. Certificate refresh may support authentication infrastructure in some environments, but it is not a primary VPN gateway function in this question. URL filtering controls web access based on categories or reputation and is a separate network security function. VPN gateways terminate encrypted tunnels, authenticate peers or users, and route protected traffic into the appropriate network. They are important because they allow secure communication over untrusted networks, but they must be configured carefully. Weak authentication, overly broad access, split tunneling misconfiguration, or poor logging can turn VPN access into a major risk path. Reference/topics: Network Security 3.3, VPNs; Network Security 3.4, IKE and tunneling protocols.
Which type of segmentation divides traffic based on the interface on which a packet is received or sent?
Zone
Port
Application
Role
Zone segmentation groups traffic based on logical security zones, commonly tied to interfaces or interface groups. A firewall can apply policy depending on the source zone and destination zone, such as trust, untrust, DMZ, data center, or guest. If a packet enters or exits through an interface assigned to a specific zone, that zone becomes part of the policy decision. Port-based segmentation would focus on physical or logical ports, but in firewall security design, zones are the standard construct for interface-based policy grouping. Application segmentation divides traffic based on the application being used. Role-based segmentation uses user or device roles. Zone segmentation is powerful because it allows administrators to express trust boundaries and enforce policy between parts of the network. It is often combined with VLANs, IP subnets, and application-aware controls to create layered segmentation. Reference/topics: Network Security 3.1, zone segmentation; Network Security 3.2, firewall policy enforcement.
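The interface-to-zone mapping described above is easiest to see in code. The following is an added example, not the page's or any vendor's policy engine: interfaces are assigned to zones, a route lookup picks the egress interface (and therefore the destination zone), and rules match on the zone pair the packet crosses. The interface names, prefixes and rules are constructed; the intrazone-allow and interzone-deny defaults at the end model common firewall behaviour and are an assumption of the example.

```python
import ipaddress

# Interface -> zone assignment (constructed).
INTERFACE_ZONES = {
    "ethernet1/1": "untrust",
    "ethernet1/2": "trust",
    "ethernet1/3": "dmz",
    "ethernet1/4": "guest",
}

# Routing table: destination prefix -> egress interface (constructed ranges).
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/16"), "ethernet1/2"),   # user LAN
    (ipaddress.ip_network("10.20.0.0/24"), "ethernet1/3"),   # DMZ servers
    (ipaddress.ip_network("10.30.0.0/24"), "ethernet1/4"),   # guest wifi
    (ipaddress.ip_network("0.0.0.0/0"), "ethernet1/1"),      # default route to internet
]

# Policy, evaluated top-down, first match wins:
# (name, from_zone, to_zone, allowed destination ports or "any", action)
RULES = [
    ("allow-trust-web-out",   "trust", "untrust", {80, 443}, "allow"),
    ("allow-any-to-dmz-web",  "any",   "dmz",     {443},     "allow"),
    ("allow-guest-internet",  "guest", "untrust", {80, 443}, "allow"),
    ("deny-guest-internal",   "guest", "any",     "any",     "deny"),
]


def egress_interface(dst_ip):
    """Longest-prefix match over ROUTES; the egress interface fixes the destination zone."""
    dst = ipaddress.ip_address(dst_ip)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def evaluate(ingress_if, dst_ip, dport):
    """Return (action, matched rule, source zone, destination zone) for one packet."""
    src_zone = INTERFACE_ZONES[ingress_if]
    dst_zone = INTERFACE_ZONES[egress_interface(dst_ip)]
    for name, from_zone, to_zone, ports, action in RULES:
        if from_zone in ("any", src_zone) and to_zone in ("any", dst_zone) \
                and (ports == "any" or dport in ports):
            return action, name, src_zone, dst_zone
    # Assumed defaults: traffic staying inside one zone is allowed, crossing zones is denied.
    if src_zone == dst_zone:
        return "allow", "intrazone-default", src_zone, dst_zone
    return "deny", "interzone-default", src_zone, dst_zone


if __name__ == "__main__":
    # Same destination port, different ingress interface, different decision.
    print(evaluate("ethernet1/2", "203.0.113.10", 443))   # trust -> untrust: allowed
    print(evaluate("ethernet1/4", "10.10.5.5", 443))      # guest -> trust: denied
    print(evaluate("ethernet1/1", "10.10.5.5", 22))       # untrust -> trust: no rule, denied
```

The point to take from the sample calls is that the rule set never mentions an interface or an address; it speaks only in zones, and the interface a packet arrived on is what puts it into a zone. That is what lets one rule express a trust boundary that holds no matter how many interfaces or subnets are later added to each zone.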
Which components are secured by the cloud provider in a shared responsibility model?
Virtual machines
On-premises connectivity to hosts
Website authentication
Host servers
In the cloud shared responsibility model, the provider secures the underlying cloud infrastructure, including physical host servers. These servers are part of the provider-operated environment that supports customer workloads. Customers generally do not manage physical access, hardware maintenance, power, cooling, or the foundational physical network in public cloud services. Virtual machines are usually customer-managed in IaaS because the customer controls the guest operating system, configuration, applications, and data. On-premises connectivity to hosts remains the customer’s responsibility because it involves the customer’s network, VPN, routing, or direct connectivity. Website authentication is an application and identity responsibility controlled by the customer or application owner. The provider secures the cloud; the customer secures what they deploy and configure in the cloud. Understanding this boundary prevents dangerous assumptions, such as believing the provider automatically secures customer workloads or identities. Reference/topics: Cloud Security 5.3, shared responsibility model; Cloud Security 5.2, IaaS and SaaS.
How is Zero Trust implemented on a network?
By assigning all security to a proxy solution
By designating failover paths
By inspecting and validating traffic continuously
By removing excess network devices
Zero Trust is implemented by continuously inspecting and validating traffic, identity, device posture, application access, and behavior. The model does not assume trust based on network location. Instead, every access request should be verified, authorized, and limited to what is necessary. Assigning all security to a proxy solution is too narrow; Zero Trust is an architecture and operating model, not a single product. Designating failover paths improves availability, but it does not implement Zero Trust. Removing excess network devices may simplify infrastructure but does not create continuous validation. In a network context, Zero Trust commonly includes segmentation, least privilege access, strong authentication, application-aware policy, traffic inspection, and continuous monitoring. The goal is to reduce implicit trust and limit the blast radius if a user, device, or workload is compromised. A helpful analogy: Zero Trust is not one locked front door; it is badge checks throughout the building. Reference/topics: Cybersecurity 1.6, Zero Trust; Network Security 3.1 and 3.2.
What is a self-contained operating environment that behaves like a computer separate from the physical host?
WAN accelerator
Virtual Machine (VM)
Hypervisor
Container
A virtual machine is a self-contained operating environment that behaves like a separate computer while running on a physical host. A VM includes its own guest operating system, virtual CPU, memory, storage, and network interfaces. Multiple VMs can run on a single physical server through a hypervisor, which allocates and manages physical resources. A hypervisor enables virtualization, but it is not the guest operating environment itself. A container packages an application and dependencies while sharing the host operating system kernel, making it lighter than a VM. A WAN accelerator improves performance over wide area links and is unrelated to virtualization. VMs are foundational to cloud computing because they allow providers to abstract physical hardware and offer flexible compute resources to customers. Security teams must secure VMs by hardening guest operating systems, patching, controlling access, monitoring activity, and applying cloud network policies. Reference/topics: Cloud Security 5.4, virtualization and virtual machine; Cloud Security 5.2, IaaS.
What are two components of a cloud-native security platform (CNSP)? (Choose two.)
Asset inventory
VPN
Endpoint security
Identity and access management (IAM)
A cloud-native security platform commonly includes asset inventory and identity and access management visibility or control. Asset inventory is essential because cloud environments are dynamic: workloads, containers, storage buckets, APIs, and services can appear or change rapidly. Security teams must know what exists before they can protect it. IAM is also critical because cloud access is heavily identity-driven. Overprivileged roles, exposed keys, weak permissions, and unmanaged service accounts can create major risk. A VPN may secure connectivity, but it is not a core CNSP component. Endpoint security protects user devices and hosts, but CNSP focuses on cloud-native assets, configurations, workloads, identities, and runtime risk. CNSP helps secure cloud applications across posture, workload, identity, and runtime layers. In practical terms, it answers questions such as: what cloud assets exist, who can access them, are they misconfigured, and are they behaving safely at runtime? Reference/topics: Cloud Security 5.5, CNSP; Identity Security 7.1, IAM components.
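The questions the explanation ends with (what exists, who can access it, is it misconfigured) are the kind of thing a CNSP answers from an inventory snapshot. Here is an added example, not code from the page or from any CNSP product, that runs those checks over a constructed snapshot: it reconciles discovered assets against an approved list, flags ownerless and public storage, and flags IAM grants that use wildcards. The snapshot format, asset ids, principals and severities are all assumptions of the example.

```python
import json

# Constructed inventory snapshot in the shape a CNSP collector might emit.
SNAPSHOT = json.loads("""
{
  "assets": [
    {"id": "vm-web-01",   "type": "vm",       "owner": "web-team", "public": false},
    {"id": "bucket-logs", "type": "bucket",   "owner": "sec-ops",  "public": false},
    {"id": "bucket-tmp7", "type": "bucket",   "owner": null,       "public": true},
    {"id": "fn-ingest",   "type": "function", "owner": "data",     "public": false}
  ],
  "policies": [
    {"principal": "role/web-deploy", "actions": ["storage:GetObject", "storage:PutObject"], "resources": ["bucket-logs"]},
    {"principal": "role/ci-runner",  "actions": ["*"],             "resources": ["*"]},
    {"principal": "user/alice",      "actions": ["compute:Start"], "resources": ["vm-web-01"]}
  ]
}
""")

# Constructed "approved" inventory, e.g. from a CMDB. vm-db-02 is approved but never discovered.
APPROVED = {"vm-web-01", "bucket-logs", "fn-ingest", "vm-db-02"}


def inventory_findings(snapshot, approved):
    """Reconcile discovered assets against the approved list and check basic hygiene."""
    findings = []
    seen = set()
    for asset in snapshot["assets"]:
        seen.add(asset["id"])
        if asset["id"] not in approved:
            findings.append(("high", asset["id"], "not-in-approved-inventory"))
        if not asset.get("owner"):
            findings.append(("medium", asset["id"], "no-owner"))
        if asset.get("public") and asset["type"] == "bucket":
            findings.append(("high", asset["id"], "public-bucket"))
    # Drift in the other direction: approved assets that are no longer (or not yet) visible.
    for missing in sorted(approved - seen):
        findings.append(("low", missing, "approved-but-not-discovered"))
    return findings


def iam_findings(snapshot):
    """Flag principals whose grants are broader than least privilege allows."""
    findings = []
    for policy in snapshot["policies"]:
        if "*" in policy["actions"]:
            findings.append(("high", policy["principal"], "wildcard-action"))
        if "*" in policy["resources"]:
            findings.append(("high", policy["principal"], "wildcard-resource"))
    return findings


def who_can_access(snapshot, asset_id):
    """Answer 'who can reach this asset?' from the policy set, including wildcard grants."""
    return sorted(policy["principal"] for policy in snapshot["policies"]
                  if asset_id in policy["resources"] or "*" in policy["resources"])


if __name__ == "__main__":
    for finding in inventory_findings(SNAPSHOT, APPROVED) + iam_findings(SNAPSHOT):
        print(finding)
    print("bucket-logs readers:", who_can_access(SNAPSHOT, "bucket-logs"))
```

Two things the output makes visible that the paragraph only states: an asset nobody approved or owns (`bucket-tmp7`) is also the one that is public, which is the usual way unmanaged cloud resources become exposures, and `role/ci-runner` appears in the access list for every asset because of its wildcard grant, which is why the IAM view and the inventory view have to be read together rather than in isolation.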
TESTED 02 Jul 2026