CompTIA SY0-701 - CompTIA Security+ Exam 2026

A false negative occurs when a security control or scanning tool fails to detect a vulnerability that actually exists. In vulnerability scanning, this means the scan reports a system as secure even though it is vulnerable. Therefore, a result that shows no known vulnerability is an example of a false negative if a vulnerability is present but undetected.

CompTIA Security+ SY0-701 explains that false negatives are particularly dangerous because they provide a false sense of security, potentially leaving systems exposed to exploitation. Causes of false negatives include outdated vulnerability signatures, misconfigured scanners, credentialed scan failures, or unsupported legacy systems.

Option A describes a false positive, where a vulnerability is reported but does not exist. Option B may indicate an outdated scan result, not necessarily a false negative. Option D is incorrect because zero-day vulnerabilities do not have known remediations and are typically not detected by signature-based scanners.

Thus, the correct example of a false negative is C: A result that shows no known vulnerability.

File Integrity Monitoring (FIM) is the best tool for detecting unauthorized file deletions, modifications, or improper permission changes within network shares. FIM works by creating cryptographic hashes and baselines for protected files or directories and then continuously monitoring for deviations. Any unauthorized deletion, modification, or permission change triggers alerts.

Security+ SY0-701 identifies FIM as a foundational integrity control used in compliance frameworks (PCI-DSS, HIPAA) and operational security monitoring. Because the organization is experiencing unpredictable changes to shared files and permissions, FIM provides visibility and accountability for who changed what and when.

DLP (A) prevents data leakage but does not detect permission changes. EDR (B) focuses on endpoint threat behavior, not file integrity on network shares. ACLs (D) define permissions but do not track changes or detect unauthorized modifications.

Therefore, C: FIM is the correct choice.

IPSec is a protocol suite that provides secure communication over IP networks. IPSec can be used to create virtual private networks (VPNs) that encrypt and authenticate the data exchanged between two or more parties. IPSec can also provide data integrity, confidentiality, replay protection, and access control. A security consultant can use IPSec to gain secure, remote access to a client environment by establishing a VPN tunnel with the client’s network. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 8: Secure Protocols and Services, page 385 1

Zero Trust is based on the principle of “never trust, always verify.” Option B is correct because access is granted only after strong identity verification, policy evaluation, and continuous monitoring. Zero Trust rejects the old perimeter assumption that users or devices inside the internal network should automatically be trusted. Access decisions should consider identity, device posture, location, sensitivity of the resource, session risk, and ongoing behavior. MFA is commonly used in Zero Trust, but option C is too narrow because Zero Trust applies beyond remote access and beyond MFA alone. Role-based limitations and periodic reviews are useful, but option D does not capture continuous verification. Option A is the opposite of Zero Trust because it assumes internal trust after initial authentication.

Management review is a critical step in the change management process. Before implementing any design change, management reviews help evaluate the potential impact, security implications, and alignment with organizational goals and policies. This review ensures that the change is justified, risks are understood, and proper approvals are obtained.

Load testing is a performance test, maintenance notifications are communication steps, and procedure updates are documentation activities — all important but generally occur after management has approved the change.

The significance of management involvement in change governance is a foundational concept in the Security Program Management and Oversight domain of the SY0-701 exam【6:Chapter 16†CompTIA Security+ Study Guide】.

SOAR (Security Orchestration, Automation, and Response) platforms enable security teams to automate workflows, prioritize alerts, and manage remediation activities, helping to handle the volume of cloud misconfiguration alerts efficiently.

CASB (A) provides visibility and control for cloud services but is less focused on orchestration. IAM (B) manages identities and permissions, and XDR (D) is extended detection but does not provide workflow automation.

SOAR integration is critical for cloud security operations discussed in Security Operations【6:Chapter 14†CompTIA Security+ Study Guide】.

A honeytoken is a form of deception technology in which a fake asset (such as credentials, files, or database records) is planted in a system or network to detect unauthorized access or malicious activity. The fake password stored in a hidden spreadsheet, with monitoring for access, is a classic example of a honeytoken. It is not an interactive system (like a honeypot or honeynet) but rather a marker or tripwire intended to alert the security team to suspicious behavior. This method helps identify attackers and their methods early in the intrusion process.

The requirements point to a cloud-delivered, remote-user-first architecture that provides secure connectivity and security controls as an integrated service. Secure Access Service Edge (SASE) matches this because it combines remote connectivity capabilities (often replacing or modernizing traditional VPN approaches) with cloud-based security services, including firewalling, in a way that supports distributed users and resilient global access. The Study Guide explicitly states: “Secure Access Service Edge (SASE… ) combines virtual private networks, SD-WAN, and cloud-based security tools like firewalls, cloud access security brokers (CASBs), and zero-trust networks to provide secure access for devices regardless of their location.” This directly aligns with a fully remote workforce (“regardless of their location”), VPN capability, and an integrated firewall (“cloud-based security tools like firewalls”).

Why the other options don’t fit as well: IPS is a specific protective control, not an end-to-end remote access architecture; SIEM is for log aggregation/correlation and monitoring, not VPN + firewall delivery; and CASB is a component used to enforce cloud policy, but the guide distinguishes it as a policy enforcement point rather than a full connectivity + firewall architecture: “A CASB is a policy enforcement point…” . Therefore, SASE is the best match.

The log entries clearly show an attacker attempting to access sensitive system files by manipulating the filename parameter. The use of ../../../ is a classic indicator of a directory traversal attack, also called path traversal. This technique is used to move outside the intended web directory and access restricted locations on the server’s filesystem.

In this case, the attacker is attempting to read:

/etc/passwd — contains user account information

/etc/shadow — contains hashed password entries and is even more sensitive

The CompTIA Security+ SY0-701 exam describes directory traversal as an attack where unvalidated user input allows navigation to system directories, often using sequences like ../ to bypass file path restrictions. This is exactly what is shown in the logs.

File injection (A) would involve inserting malicious files or code, not reading system files.

Privilege escalation (B) requires exploiting a system to gain higher privileges, not just reading files.

Cookie forgery (D) involves manipulating session cookies and does not match the observed behavior.

Because the attacker is using path traversal patterns to access protected files, the correct answer is C. Directory traversal.

The best answer is A. Implementing an update after a board grants approval.

Change management is the formal process used to request, review, approve, test, document, and implement changes to systems and environments in a controlled manner. A common example is submitting a proposed change to a change advisory board (CAB) or other approval authority, receiving approval, and then implementing the update according to procedure.

This answer reflects the structured governance process that Security+ associates with proper change management.

Why the other options are incorrect:

B. Setting a new password for a userThis is a routine administrative or support task, not a formal example of change management.

C. Performing a penetration test before deploying a patchPenetration testing is a security assessment activity. It may support decision-making, but it is not itself the best example of the change management process.

D. Auditing all system equipment before sending the list to the Chief Executive OfficerThis is closer to inventory or audit work, not change management.

From a SY0-701 perspective, change management is about controlled, approved, and documented changes to the environment. Therefore, A is the correct answer.

The best answer is B. Providing an alternative security measure when standard remediation is not feasible.

A compensating control is a substitute safeguard used when the preferred or required control cannot be implemented immediately or at all. It helps reduce risk in another way until proper remediation is possible, or when direct remediation is impractical.

Examples include:

increasing monitoring when a system cannot be patched

segmenting a legacy application that cannot be upgraded

restricting access to a vulnerable system that must remain in service

Why the other options are incorrect:

A. Reducing the attack surface by isolating vulnerable components within a segmented environmentThis can be an example of a compensating control, but it does not define the overall role as clearly as B.

C. Delaying remediation timelines by replacing affected systems in a maintenance windowThis describes scheduling or change timing, not compensating controls.

D. Remediating software flaws by modifying source code to remove insecure functionsThis is direct remediation, not a compensating control.

From the SY0-701 perspective, compensating controls are used when the ideal fix is not possible, so B is the best explanation.

SQL injection is a type of attack that exploits a database misconfiguration or a flaw in the application code that interacts with the database. An attacker can inject malicious SQL statements into the user input fields or the URL parameters that are sent to the database server. These statements can then execute unauthorized commands, such as reading, modifying, deleting, or creating data, or even taking over the database server. SQL injection can compromise the confidentiality, integrity, and availability of the data and the system. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 215 1