CompTIA Security+ CompTIA Security+ Practice Test 2025
This is the official CompTIA Security+ CompTIA Security+ question paper for 2025, as set in the Model questions examination. It carries 90 full marks and a time allowance of 90 minutes, across 10 questions. On Kekkei you can attempt this CompTIA Security+ past paper online with a timer, get instant AI feedback and step-by-step solutions, and track the topics where you lose marks — completely free. Whether you are revising for your CompTIA Security+ CompTIA Security+ exam or solving previous years' question papers, this 2025 paper is a great way to practise under real exam conditions.
| Level | CompTIA Security+ |
|---|---|
| Subject | CompTIA Security+ |
| Year | 2025 BS |
| Exam session | Model questions |
| Full marks | 90 |
| Time allowed | 90 minutes |
| Questions | 10, all with step-by-step solutions |
Security+ (SY0-701)
Select the best answer.
An employee receives an email that appears to come from the company's IT department, asking them to click a link and verify their credentials on an internal-looking login page. The email address, upon closer inspection, uses the domain "1t-support.company.com" instead of "it-support.company.com." Which type of attack is this an example of?
Spear phishing
The correct answer is (b) Spear phishing. This is a targeted phishing attack directed at a specific individual within an organization. The attacker has crafted the email to appear as though it comes from the company's own IT department, using a lookalike domain (replacing the letter 'i' with the number '1') to deceive the recipient. Unlike generic phishing, spear phishing targets specific people and uses contextual information about the organization to increase credibility. Vishing refers to voice-based phishing conducted over phone calls. Whaling specifically targets high-level executives. Tailgating is a physical security attack involving following an authorized person through a secured door.
A security engineer needs to encrypt a large volume of data at rest on a file server as quickly as possible. The encryption key will be managed centrally and distributed securely to authorized systems. Which type of encryption is most appropriate for this use case?
Symmetric encryption (AES-256)
The correct answer is (a) Symmetric encryption (AES-256). Symmetric encryption algorithms such as AES-256 use a single shared key for both encryption and decryption. They are significantly faster than asymmetric algorithms and are therefore ideal for encrypting large volumes of data at rest. Asymmetric encryption (RSA) uses a key pair (public and private) and is computationally expensive, making it impractical for bulk data encryption. Hashing (SHA-256) is a one-way function that produces a fixed-size digest and cannot be reversed to recover the original data, so it is not an encryption method. Digital signatures use asymmetric cryptography to verify authenticity and integrity, not to encrypt data at rest.
An organization wants to implement multi-factor authentication (MFA) for all employees accessing the corporate VPN. They already require a password. Which of the following would serve as a valid second factor that is in a DIFFERENT authentication category from the password?
A time-based one-time password (TOTP) from an authenticator app
The correct answer is (c) A time-based one-time password (TOTP) from an authenticator app. MFA requires factors from at least two different categories: something you know, something you have, and something you are. A password is 'something you know.' A TOTP generated by an authenticator app on a registered device represents 'something you have,' because it requires possession of the device running the authenticator. A security question and a PIN are both 'something you know,' which is the same category as the password and would not constitute true multi-factor authentication. A username is an identifier, not an authentication factor at all.
A network administrator configures a firewall with the following rules applied in order:
- ALLOW TCP from 10.0.1.0/24 to any on port 443
- DENY TCP from any to any on port 443
- ALLOW TCP from any to any on port 80
- DENY all
A host at 10.0.2.50 attempts to connect to an external web server on port 443. What will happen to this traffic?
The traffic will be denied by rule 2
The correct answer is (b) The traffic will be denied by rule 2. Firewall rules are evaluated in order from top to bottom, and the first matching rule is applied. Rule 1 allows port 443 traffic only from the 10.0.1.0/24 subnet. Since the source host 10.0.2.50 is not in the 10.0.1.0/24 subnet, rule 1 does not match. Rule 2 then matches because it denies TCP traffic from ANY source to ANY destination on port 443, and the packet is dropped. Rules 3 and 4 are never evaluated because rule 2 already matched. The traffic would not be allowed by rule 3 because rule 3 applies to port 80, not port 443.
During a security incident, the incident response team has confirmed that a workstation has been compromised by malware. They have already identified the scope of the compromise. According to the NIST SP 800-61 incident response lifecycle, what is the NEXT step the team should take?
Containment
The correct answer is (c) Containment. The NIST SP 800-61 incident response lifecycle consists of four phases: (1) Preparation, (2) Detection and Analysis, (3) Containment, Eradication, and Recovery, and (4) Post-Incident Activity. Since the team has already detected the incident and analyzed it to identify the scope (completing the Detection and Analysis phase), the next step is Containment. Containment involves isolating the affected systems to prevent the incident from spreading further, such as disconnecting the compromised workstation from the network. Eradication (removing the malware) and recovery (restoring systems) come after containment. Lessons learned is part of the Post-Incident Activity phase, which occurs after the incident has been fully resolved.
An organization is adopting a zero trust architecture. A security architect states that under zero trust, no user or device should be automatically trusted regardless of their network location. Which of the following practices BEST aligns with this zero trust principle?
Requiring continuous verification of every access request using identity, device posture, and contextual signals
The correct answer is (d) Requiring continuous verification of every access request using identity, device posture, and contextual signals. Zero trust architecture operates on the principle of 'never trust, always verify.' This means that every access request must be authenticated and authorized based on multiple signals, including user identity, device health and compliance, location, and the sensitivity of the resource being accessed. This verification is continuous, not just at the initial login. Granting full network access after VPN authentication contradicts zero trust because it implicitly trusts the user after a single verification step. Allowing unrestricted access within the corporate LAN is the traditional perimeter-based model that zero trust explicitly replaces. Using a single firewall at the perimeter is also a perimeter-based approach that assumes internal traffic is trustworthy.
A vulnerability scanner identifies a flaw in a public-facing web application. The vulnerability has a CVSS v3.1 base score of 9.8. The attack vector is Network, attack complexity is Low, privileges required is None, and user interaction is None. What does this score indicate about the severity and exploitability of this vulnerability?
It is a Critical severity vulnerability that can be exploited remotely with no authentication or user interaction
The correct answer is (a) It is a Critical severity vulnerability that can be exploited remotely with no authentication or user interaction. CVSS (Common Vulnerability Scoring System) v3.1 scores range from 0.0 to 10.0 and are categorized as: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). A score of 9.8 falls into the Critical category. The metrics further describe the exploitability: Attack Vector of Network means it can be exploited remotely over the network. Attack Complexity of Low means there are no special conditions required. Privileges Required of None means no authentication is needed. User Interaction of None means no user action is required for exploitation. This combination represents the most dangerous type of vulnerability: one that can be trivially exploited remotely by any attacker.
A healthcare organization in the United States stores and processes electronic protected health information (ePHI). The organization's compliance officer needs to ensure that appropriate administrative, physical, and technical safeguards are in place. Which regulatory framework is this organization PRIMARILY required to comply with?
HIPAA
The correct answer is (b) HIPAA (Health Insurance Portability and Accountability Act). HIPAA is the primary U.S. federal law that governs the protection of electronic protected health information (ePHI). The HIPAA Security Rule specifically requires covered entities and their business associates to implement administrative safeguards (policies, procedures, workforce training), physical safeguards (facility access controls, workstation security), and technical safeguards (access controls, audit controls, encryption). PCI DSS (Payment Card Industry Data Security Standard) applies to organizations that process, store, or transmit credit card data, not health information. SOX (Sarbanes-Oxley Act) deals with financial reporting and corporate governance for publicly traded companies. GDPR (General Data Protection Regulation) is a European Union regulation for personal data privacy and does not specifically mandate the three safeguard categories described in the question.
A security team is performing a quantitative risk assessment for a critical database server. They determine that the server is valued at $500,000, the exposure factor for a specific threat is 40%, and the annualized rate of occurrence (ARO) for that threat is 0.5. What is the annualized loss expectancy (ALE) for this threat?
$100,000
The correct answer is (c) 500,000 x 0.40 = 200,000. Then, calculate the ALE: ALE = SLE x ARO = 100,000. The ARO of 0.5 means the threat is expected to occur once every two years on average. Therefore, the annualized expected loss from this particular threat is $100,000 per year. This figure helps the organization determine how much it is cost-effective to spend on countermeasures to mitigate this risk.
A web application takes user input from a search form and constructs the following SQL query:
SELECT * FROM products WHERE name = '" + userInput + "';
An attacker enters the following into the search field: ' OR '1'='1' --
What is the result of this input, and which OWASP Top 10 category does this vulnerability fall under?
The query returns all rows from the products table; this is an Injection vulnerability (OWASP A03:2021)
The correct answer is (b) The query returns all rows from the products table; this is an Injection vulnerability (OWASP A03:2021). When the attacker enters the malicious input, the resulting SQL query becomes: SELECT * FROM products WHERE name = '' OR '1'='1' --';. The single quote closes the original string literal, and OR '1'='1' is a condition that is always true, causing the query to return every row in the products table. The -- comments out any remaining SQL, preventing syntax errors. This is a classic SQL injection attack. In the OWASP Top 10 (2021), this falls under A03:2021 - Injection. The vulnerability exists because the application concatenates user input directly into the SQL query without parameterization or input validation. The proper mitigation is to use parameterized queries (prepared statements) or an ORM that handles input escaping.
Frequently asked questions
- Where can I find the CompTIA Security+ CompTIA Security+ question paper 2025?
- The full CompTIA Security+ CompTIA Security+ 2025 (Model questions) question paper is available free on Kekkei. You can read every question online and attempt the paper under timed exam conditions.
- Does the CompTIA Security+ 2025 paper come with solutions?
- Yes. Every question on this CompTIA Security+ past paper includes a step-by-step solution, plus instant AI feedback when you attempt it on Kekkei.
- How many marks is the CompTIA Security+ CompTIA Security+ 2025 paper?
- The CompTIA Security+ CompTIA Security+ 2025 paper carries 90 full marks and is meant to be completed in 90 minutes, across 10 questions.
- Is practising this CompTIA Security+ past paper free?
- Yes — reading and attempting this CompTIA Security+ past paper on Kekkei is completely free.