CompTIA SY0-701 - CompTIA Security+ Exam 2026

Detailed Explanation:MAC filtering allows network administrators to control device access by specifying allowed MAC addresses. This prevents unauthorized devices, such as a laptop plugged into a network port, from gaining access. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 2: Threats and Vulnerabilities, Section: " Network Access Control Methods " ​​.

The pattern shows rapid, repeated authentication attempts against a database server using the same username (JDoe) and the same password, originating from multiple different IP addresses in a short window. Among the choices, this most closely aligns with a credential replay style attack (often discussed as replaying captured authentication material or repeatedly reusing stolen credentials) rather than an application-layer injection (SQLi/XSS) or a volumetric availability attack (DDoS). The Study Guide describes credential replay as follows: “Credential replay attacks are a form of network attack that requires the attacker to be able to capture valid network data and to re-send it or delay it so that the attacker’s own use of the data is successful.”

In practice, defenders may see replay-like behavior when an attacker (or botnet) repeatedly tries the same captured credential pair (or captured authentication artifact) from different sources. The multiple IPs can indicate automation or distributed infrastructure used to evade rate limits and lockout controls. The other options don’t fit the evidence: XSS requires script injection into web content; SQL injection would show suspicious SQL payloads, not repeated logins; DDoS focuses on overwhelming availability and typically shows traffic floods rather than repeated authentication attempts using a single account credential set. Therefore, the best answer is credential replay.

Comprehensive and Detailed Explanation From Exact Extract:

The described scenario is CYOD (Choose Your Own Device). In a CYOD model, employees may choose from a list of company-approved devices. These devices are vetted for compatibility, security, and organizational standards while still providing some flexibility to employees.

The SY0-701 exam differentiates CYOD from other mobile deployment models:

COPE (D) – Company-Owned, Personally Enabled: devices are company-owned and fully managed, but employees can use them personally.

MDM (A) – Mobile Device Management: a tool, not a deployment model, used for managing configurations and security on devices.

PED (C) – Portable Electronic Device: a generic category, not a deployment strategy.

CYOD strikes a balance between employee preference and maintaining a secure, standardized environment. It reduces risk associated with BYOD while avoiding the rigidity of COPE. CYOD also supports consistent patching, support, and security enforcement because all devices meet the organization’s baseline criteria.

This aligns with the Security Architecture section of SY0-701, where the exam stresses secure device deployment strategies and maintaining uniform controls over endpoint assets.

Effective security governance requires clear assignment of roles and responsibilities, such as owners, controllers, and custodians, to ensure accountability for security-related tasks and data management within the organization. This establishes clear lines of responsibility and authority, which is fundamental to governance frameworks.

A Service Level Agreement (SLA) defines the expectations between service providers and customers, including response times, escalation procedures, and performance metrics. It ensures accountability and measurable service quality.

BPA (Blanket Purchase Agreement) relates to purchasing terms, MOA (Memorandum of Agreement) outlines responsibilities but is less specific on performance, NDA (Non-Disclosure Agreement) covers confidentiality.

SLAs are key in Security Program Management for managing vendor and internal service expectations【6:Chapter 16†CompTIA Security+ Study Guide】.

Hardening access to a new database system requires implementing controls that restrict and secure how administrators and applications connect to the database. A jump server (A) is a hardened intermediary system used to manage access to sensitive systems such as databases. By forcing administrators to authenticate through a controlled, monitored jump host instead of connecting directly, organizations reduce attack surfaces and prevent unauthorized lateral movement. Security+ SY0-701 identifies jump servers as critical in securing high-value systems.

A host-based firewall (E) provides system-level traffic filtering directly on the database server. It allows only trusted IPs, ports, and services to communicate with the database, significantly reducing exposure. This is an essential hardening measure because databases should only accept connections from specific application servers or administrative hosts.

NIDS (B) monitors traffic but does not harden access. Monitoring (C) provides visibility but does not restrict access. A proxy server (D) is not typically used for database access. A WAF (F) protects web applications, not internal database systems.

Thus, A (Jump server) and E (Host-based firewall) are the correct hardening controls.

A hot site is a fully operational data center equipped with hardware, software, and network connectivity, ready for immediate use after a disaster. It allows near-zero downtime, making it ideal for critical systems needing continuous operations.

Warm sites (B) have some infrastructure but require additional setup time. Cold sites (D) provide space and power but no equipment, leading to longer recovery. Geolocation (C) is unrelated.

Hot sites are a key disaster recovery solution discussed in SY0-701 ' s Resilience and Recovery domain【6:Chapter 9†CompTIA Security+ Study Guide】.

Key escrow is a method of storing encryption keys in a secure location, such as a trusted third party or a hardware security module (HSM). Key escrow is important for FDE because it allows the recovery of encrypted data in case of lost or forgotten passwords, device theft, or hardware failure. Key escrow also enables authorized access to encrypted data for legal or forensic purposes.

TPM presence is a feature of some laptops that have a dedicated chip for storing encryption keys and other security information. TPM presence is important for FDE because it enhances the security and performance of encryption by generating and protecting the keys within the chip, rather than relying on software or external devices. TPM presence also enables features such as secure boot, remote attestation, and device authentication. 

AMaster Service Agreement (MSA)establishesthe general terms and conditionsfor ongoing business engagements. This allows companies toreuse the same termsacross multiple contracts, revisiting them periodically for updates.

NDA (B)protects confidential information but does not define service terms.

MOU (C)is a non-binding agreement, often used for partnerships, not formal service contracts.

SLA (D)focuses onservice performance expectations, not overall contract terms.

An SLA (Service-Level Agreement) defines the expected performance, availability, uptime, response times, and responsibilities between a provider and a client. The requirement in the scenario—“97% uptime”—is a classic example of an SLA metric. Security+ SY0-701 emphasizes that SLAs outline measurable service expectations so the client can assess compliance and performance.

A BPA (A) outlines business partnership terms, not performance uptime. An MOU (B) documents mutual understanding but is not legally binding and does not include uptime metrics. An NDA (C) protects confidentiality, not availability or service guarantees.

Thus, the correct answer is D: SLA.

Ransomware-as-a-service is a type of cybercrime where hackers sell or rent ransomware tools or services to other criminals who use them to launch attacks and extort money from victims. This is a typical example of organized crime, which is a group of criminals who work together to conduct illegal activities for profit. Organized crime is different from other types of threat actors, such as insider threats, hacktivists, or nation-states, who may have different motives, methods, or targets. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 17 1

 Non-repudiation is the ability to prove that a message or document was sent or signed by a particular person, and that the person cannot deny sending or signing it. Non-repudiation can be achieved by using cryptographic techniques, such as hashing and digital signatures, that can verify the authenticity and integrity of the message or document. Non-repudiation can be useful for legal, financial, or contractual purposes, as it can provide evidence of the origin and content of the message or document. References = Non-repudiation – CompTIA Security+ SY0-701 – 1.2, CompTIA Security+ SY0-301: 6.1 – Non-repudiation, CompTIA Security+ (SY0-701) Certification Exam Objectives, Domain 1.2, page 2.

An application allow list is a security technique that specifies which applications are permitted to run on a system or a network. An application allow list can block unknown programs from executing by only allowing the execution of programs that are explicitly authorized and verified. An application allow list can prevent malware, unauthorized software, or unwanted applications from running and compromising the security of the system or the network12.

The other options are not the best ways to block unknown programs from executing:

Access control list: This is a security technique that specifies which users or groups are granted or denied access to a resource or an object. An access control list can control the permissions and privileges of users or groups, but it does not directly block unknown programs from executing13.

Host-based firewall: This is a security device that monitors and filters the incoming and outgoing network traffic on a single host or system. A host-based firewall can block or allow networkconnections based on predefined rules, but it does not directly block unknown programs from executing1 .

DLP solution: This is a security system that detects and prevents the unauthorized transmission or leakage of sensitive data. A DLP solution can protect the confidentiality and integrity of data, but it does not directly block unknown programs from executing1 .

References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 972: Application Whitelisting – CompTIA Security+ SY0-701 – 3.5, video by Professor Messer3: CompTIA Security+ SY0-701 Certification Study Guide, page 98. : CompTIA Security+ SY0-701 Certification Study Guide, page 99. : CompTIA Security+ SY0-701 Certification Study Guide, page 100.

To determine whether the connection was successful after a user clicked on a link in a phishing email, the most relevant log source to analyze would be the network logs. These logs would provide information on outbound and inbound traffic, allowing the analyst to see if the user’s system connected to the remote server specified in the phishing link. Network logs can includedetails such as IP addresses, domains accessed, and the success or failure of connections, which are crucial for understanding the impact of the phishing attempt.

References =

CompTIA Security+ SY0-701 Course Content: Domain 04 Security Operations​.

CompTIA Security+ SY0-601 Study Guide: Chapter on Incident Response​.