CompTIA Security+ Practice Questions: Threats, Vulnerabilities, and Mitigations Domain

Test your CompTIA Security+ knowledge with 5 practice questions from the Threats, Vulnerabilities, and Mitigations domain. Includes detailed explanations and answers.

CompTIA Security+ Practice Questions

Master the Threats, Vulnerabilities, and Mitigations Domain

Test your knowledge in the Threats, Vulnerabilities, and Mitigations domain with these 5 practice questions. Each question is designed to help you prepare for the CompTIA Security+ certification exam with detailed explanations to reinforce your learning.

Question 1

A security team needs to manage user access to sensitive data efficiently. Which solution should they implement to automate access controls based on user roles?

A) Role-Based Access Control (RBAC)

B) Discretionary Access Control (DAC)

C) Mandatory Access Control (MAC)

D) Attribute-Based Access Control (ABAC)

Correct Answer: A

Explanation: CORRECT: RBAC automates access controls by assigning permissions to roles and then assigning users to those roles. OPTION B: DAC lets individual resource owners set permissions, which is not automated. OPTION C: MAC is highly secure but enforces fixed labels and is not flexible for role-driven automation. OPTION D: ABAC is more complex and grants access based on attributes, not roles.

Question 2

A company wants to ensure that its backup data is protected against unauthorized access. Which of the following methods provides the best protection?

A) Data masking

B) Full disk encryption

C) Access control lists

D) Hashing

Correct Answer: B

Explanation: CORRECT: Full disk encryption ensures that backup data is unreadable without the proper decryption key. OPTION A: Data masking is used to obscure data, not encrypt it. OPTION C: Access control lists manage permissions but do not encrypt data. OPTION D: Hashing verifies data integrity, not confidentiality.

Question 3

During a penetration test, the tester discovers a system running an outdated version of an application with known vulnerabilities. What is the best course of action to recommend?

A) Implement network segmentation to isolate the system.

B) Apply the latest security patches to the application.

C) Install a host-based firewall on the system.

D) Disable the application until an upgrade is possible.

Correct Answer: B

Explanation: CORRECT: Applying the latest security patches removes the known vulnerabilities directly. OPTION A: Segmentation can limit exposure but does not fix the vulnerability. OPTION C: A host-based firewall provides some protection but does not address the root issue. OPTION D: Disabling the application could disrupt operations and is not a sustainable solution.

Question 4

A company is planning to implement a new access control model that grants permissions based on the roles assigned to users. Which model are they planning to use?

A) Discretionary Access Control (DAC)

B) Mandatory Access Control (MAC)

C) Role-Based Access Control (RBAC)

D) Attribute-Based Access Control (ABAC)

Correct Answer: C

Explanation: CORRECT: Role-Based Access Control (RBAC) assigns permissions based on the roles users hold within an organization. OPTION A: Discretionary Access Control lets resource owners set permissions; it is not based on roles. OPTION B: Mandatory Access Control enforces strict, centrally defined policies without using roles. OPTION D: Attribute-Based Access Control uses attributes, not roles, to grant access.

Question 5

A company is implementing a new security policy to protect against ransomware attacks. Which of the following practices should be included in the policy?

A) Regular data backups and offline storage

B) Use of a single sign-on (SSO) solution

C) Deployment of a honeypot

D) Implementation of network segmentation

Correct Answer: A

Explanation: CORRECT: Regular data backups kept in offline storage ensure that data can be restored without paying a ransom, directly mitigating the impact of ransomware. OPTION B: SSO simplifies access management but does not specifically protect against ransomware. OPTION C: A honeypot is used to detect threats but does not prevent ransomware. OPTION D: Network segmentation limits the spread of ransomware but does not protect the data itself.

Ready to Accelerate Your CompTIA Security+ Preparation?

Join thousands of professionals who are advancing their careers through expert certification preparation with FlashGenius.

  • ✅ Unlimited practice questions across all CompTIA Security+ domains
  • ✅ Full-length exam simulations with real-time scoring
  • ✅ AI-powered performance tracking and weak area identification
  • ✅ Personalized study plans with adaptive learning
  • ✅ Mobile-friendly platform for studying anywhere, anytime
  • ✅ Expert explanations and study resources

About CompTIA Security+ Certification

The CompTIA Security+ certification validates your expertise in threats, vulnerabilities, and mitigations and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.
Ready to Master CompTIA Security+?

Get the complete study strategy and essential resources for exam success.

📚 Read The Ultimate CompTIA Security+ Practice Exam Guide →