Free GDSA Practice Test 2026 — GIAC Defensible Security Architect Exam Questions

Master the GIAC Defensible Security Architect (GDSA) exam with free practice questions covering all 8 official GDSA domains. Each question includes a detailed explanation aligned with SANS SEC530 — no signup required.

Practice by GDSA Domain

Zero Trust Architecture and Networking (16%)

Free GDSA practice questions on Zero Trust pillars, microsegmentation, software-defined perimeters, identity-aware proxies, and policy enforcement points.

Layer 1, Layer 2, and Layer 3 Defense (16%)

Free GDSA practice questions on switch security, VLAN hardening, 802.1X/NAC, routing security, ARP/MAC protections, and physical-layer controls.

Network Defenses, Proxies, Firewalls, and Remote Access (16%)

Free GDSA practice questions on next-gen firewalls, forward and reverse proxies, VPN and remote access, IDS/IPS, and TLS inspection.

Data Discovery, Governance, Mobility, and Data-Centric Security (14%)

Free GDSA practice questions on data classification, DLP, data governance, encryption at rest and in transit, rights management, and mobile data security.

Cloud-Based and Hybrid Security Architecture (12%)

Free GDSA practice questions on cloud security controls, hybrid architecture, CASB, cloud IAM, shared responsibility, and cloud network security.

Fundamental Security Architecture Concepts (10%)

Free GDSA practice questions on defense in depth, threat modeling, security frameworks, risk management, and security design principles.

Zero Trust Endpoints and Host Hardening (10%)

Free GDSA practice questions on endpoint hardening, EDR, application whitelisting, host firewalls, patch management, and privileged access.

IPv6 and Modern Network Risks (6%)

Free GDSA practice questions on IPv6 addressing, IPv6 security risks, dual-stack risks, SLAAC and RA Guard, and modern network threats.

8 Free GDSA Sample Questions with Answers

Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank.

Sample Question 1 — Cloud-Based and Hybrid Security Architecture

A retailer lifted a claims-processing application from on-premises virtual machines into an IaaS environment. A review found the cloud instances are still unpatched, security rules are overly broad, and workload logs are not being collected. Operations argues that because the application is now in the cloud, the provider owns server security. The application cannot be rewritten this quarter. What is the best architecture decision to close the most important gap?

A. Rely on provider-managed infrastructure controls and focus on application fixes and user training.
B. Add a perimeter firewall to the cloud subnet and defer host, identity, and logging work.
C. Establish customer-managed patching, network controls, IAM, and centralized logging for the IaaS instances. (Correct answer)
D. Plan a future move to SaaS so the provider will own server security and monitoring immediately.

Correct answer: C

Explanation: Correct answer (C): In IaaS, the provider secures the underlying infrastructure, but the customer still owns major responsibilities including guest OS patching, workload configuration, network controls, identity, and logging. The current gap is not the cloud platform itself but the missing customer-managed security baseline. Establishing patching, tighter access control, and centralized logging improves both prevention and detection without requiring application refactoring.

Why the other options are wrong:
- Option A: This repeats the shared-responsibility mistake in the stem. Provider-managed infrastructure does not remove customer responsibility for instance hardening, access control, and telemetry in IaaS.
- Option B: A subnet firewall may help with some north-south filtering, but it does not solve the unpatched hosts, broad trust relationships, or missing workload logs. It is too narrow for the stated problem.
- Option D: A future SaaS move may change responsibility boundaries later, but it does nothing to reduce the present risk in the current IaaS deployment.

Sample Question 2 — Data Discovery, Governance, Mobility, and Data-Centric Security

A manufacturer has had several recent data leaks through email attachments and USB copies. Leadership wants the security team to deploy broad DLP controls immediately, but the team does not yet know which files contain sensitive data, where those files reside, or which business processes move them. What is the best first architectural step?

A. Conduct data discovery and flow mapping, classify sensitive data, and then tune channel-specific DLP policies (Correct answer)
B. Deploy network egress DLP immediately and block large outbound transfers until classifications mature
C. Encrypt all file shares immediately and defer formal classification until incident volume decreases
D. Add a reverse proxy for collaboration tools and tune upload alerts before labeling the data

Correct answer: A

Explanation: Correct answer (A): DLP policy quality depends on knowing which data is sensitive, where it resides, and how it moves. The most defensible first step is to discover and classify the data, map its flows, and then apply DLP policies by channel. That sequencing improves detection accuracy, aligns controls to real business workflows, and reduces disruption from poorly targeted blocking.

Why the other options are wrong:
- Option B: Network egress DLP can help, but deploying it before classification usually creates noisy or incomplete policies and misses non-network channels such as endpoint actions.
- Option C: Encryption is useful for confidentiality, but it does not identify sensitive content, define business rules, or replace classification and DLP policy design.
- Option D: A reverse proxy may improve visibility for one channel, but it does not solve the broader problem of unknown data locations, unknown sensitivity, and multiple leakage paths.

Sample Question 3 — Fundamental Security Architecture Concepts

A manufacturing company has strong internet perimeter filtering, but once an attacker phished one employee, the attacker could reach file servers, engineering workstations, and IT management systems over the internal network. Leadership wants the single best architectural change to make a similar compromise less damaging without assuming the perimeter will always hold. What should the security architect recommend first?

A. Segment critical systems from user networks and enforce access rules with monitoring between the segments (Correct answer)
B. Increase perimeter firewall strictness and block more outbound traffic from the internet edge
C. Replace user antivirus with a newer endpoint tool and keep the internal network largely unchanged
D. Require longer employee passwords and keep broad internal network reachability for productivity

Correct answer: A

Explanation: Correct answer (A): Flat internal networks increase blast radius after a single host is compromised. The most defensible first architectural improvement is to separate critical systems from general user networks and apply explicit enforcement plus monitoring between them. That recommendation assumes compromise is possible, directly limits lateral movement, and improves validation of whether segmentation is working instead of relying only on the perimeter.

Why the other options are wrong:
- Option B: A stronger perimeter may reduce some external attack paths, but it does little once an attacker already has a foothold on the internal network. The scenario specifically shows perimeter-only security was insufficient.
- Option C: Improving endpoint protection can help, but leaving the network flat means a successful bypass still gives an attacker broad access. The question asks for the best architectural change to reduce damage after compromise.
- Option D: Better passwords may reduce some account abuse, but they do not address the main architectural weakness: broad internal reachability after a single workstation is compromised.

Sample Question 4 — IPv6 and Modern Network Risks

A financial firm says it does not use IPv6, but endpoint scans show dual-stack workstations with active IPv6 services and successful host-to-host connectivity over IPv6. Firewall reviews, ACL baselines, and segmentation standards currently cover only IPv4. The firm cannot risk breaking modern operating system functionality with an unvalidated enterprise-wide shutdown. What is the best first architecture action?

A. Create explicit IPv6 ingress, egress, and east-west policy with logging and enforcement parity to the existing IPv4 design (Correct answer)
B. Keep the current IPv4 deny rules because applications were validated only over IPv4 and should follow the same path
C. Move all user systems into separate VLANs and postpone IPv6 policy work until the business requests formal IPv6 deployment
D. Disable all IPv6 functions across the enterprise immediately and address application failures through exception requests afterward

Correct answer: A

Explanation: Correct answer (A): Dual-stack hosts create a second communication path even when the organization thinks it is IPv4-only. Because IPv4 controls do not automatically apply to IPv6, the first defensible step is to build explicit IPv6 policy parity for ingress, egress, and east-west traffic and include logging so the existing security design intent covers both protocol families. This reduces attack surface without taking the operational risk of an unvalidated enterprise-wide IPv6 shutdown.

Why the other options are wrong:
- Option B: Incorrect. Application validation over IPv4 does not constrain IPv6 behavior, and IPv4 deny rules do not automatically govern IPv6 traffic.
- Option C: Incorrect. VLAN changes alone do not provide IPv6 policy enforcement, routing control, or logging parity. Hosts may still communicate over unmanaged IPv6 paths.
- Option D: Incorrect. The stem explicitly says an unvalidated shutdown is too risky. Disabling core IPv6 everywhere without validation can break modern operating systems and services.

Sample Question 5 — Layer 1, Layer 2, and Layer 3 Defense

A company has many open office network jacks in shared workspaces. During a red-team exercise, a tester plugged a laptop into an unused cubicle port and immediately reached the internal user network. The company also has printers and badge readers that cannot run a supplicant. The security architect wants the best architecture change to reduce unauthorized network attachment without breaking those devices. What should the architect recommend?

A. Deploy 802.1X on access ports and place non-supplicant devices into tightly restricted roles or segments (Correct answer)
B. Increase perimeter firewall inspection for inbound and outbound traffic at the Internet edge
C. Move all office systems into a larger shared VLAN so routing policy becomes easier to manage
D. Rely on quarterly switch configuration audits to identify unauthorized endpoint connections

Correct answer: A

Explanation: Correct answer (A): 802.1X is the best architecture change because the failure occurred at the wired access layer: an attacker gained access simply by plugging into an open port. Port-based access control directly addresses that problem. In a defensible design, devices that cannot run a supplicant, such as printers and badge readers, are not left on open access ports; they are placed into tightly restricted roles or segments based on their function. This improves prevention at the point of attachment rather than relying on downstream controls.

Why the other options are wrong:
- Option B: Perimeter firewall inspection does not stop a device that is already plugged into an internal access port. This is a perimeter-only response to an access-layer problem.
- Option C: A larger shared VLAN increases blast radius and does not add attachment control. It makes the unauthorized access problem worse, not better.
- Option D: Audits can validate hardening, but they do not enforce access decisions at the port and do not prevent unauthorized attachment in real time.

Sample Question 6 — Network Defenses, Proxies, Firewalls, and Remote Access

A hospital has perimeter next-generation firewalls and endpoint antivirus, but most internal systems still share a flat internal network. After a phishing compromise, an attacker moved from a user workstation to file servers before the SOC had enough evidence to respond. The security architect can fund one architecture change this quarter. Which change would BEST reduce similar lateral movement while also improving detection?

A. Tighten internet-edge firewall rules and block more outbound ports from the campus network
B. Add internal segmentation around workstation-to-server and server-to-server paths, with sensors at those boundaries (Correct answer)
C. Require MFA on the VPN and force full-tunnel remote access for all employees
D. Place a WAF in front of the hospital's public web applications and tune the signatures

Correct answer: B

Explanation: Correct answer (B): Internal segmentation at meaningful trust boundaries is the best choice because the problem is east-west movement inside the network, not just north-south exposure. Adding sensors at those internal choke points improves visibility into pivoting activity while the segmentation reduces how far a compromised workstation can reach. This is a core defensible architecture principle: containment and telemetry must exist inside the network, not only at the perimeter.

Why the other options are wrong:
- Option A: This improves north-south filtering, but it does not materially contain or reveal lateral movement that happens after an attacker is already inside the network.
- Option C: VPN MFA is valuable for remote access, but the incident described began with phishing and then spread internally. It does not solve flat-network lateral movement.
- Option D: A WAF helps protect published web applications from application-layer attacks, but it does not address workstation-to-server pivoting inside the hospital network.

Sample Question 7 — Zero Trust Architecture and Networking

A company supports a remote workforce through a legacy VPN. Users authenticate with MFA, but once connected they can reach broad internal network ranges, including many systems unrelated to their jobs. After a recent phishing incident, the security architect is asked to reduce lateral movement risk without breaking remote access for business applications. Which architecture change is the best fit for a Zero Trust approach?

A. Keep the VPN and add stricter password complexity so authenticated users remain on the same internal network segments
B. Replace broad VPN access with identity-aware access to specific applications based on user identity, device health, and session context (Correct answer)
C. Keep the VPN and add more perimeter firewall rules so authenticated users continue to receive internal network connectivity
D. Require MFA more often on the VPN so authenticated users can still reach the full internal network after login

Correct answer: B

Explanation: Correct answer (B): Zero Trust removes implicit trust based on network location. In this scenario, the problem is not weak initial authentication; it is that VPN users receive broad network reach after login. The best architectural change is to move from network-level connectivity to application-specific, identity-aware access that evaluates user identity, device health, and session context. That supports least privilege and reduces lateral movement because successful authentication no longer grants unnecessary east-west access.

Why the other options are wrong:
- Option A: Password complexity does not address the architectural flaw. Users would still land on broadly trusted internal network segments after connecting.
- Option C: Perimeter firewall tuning may help some north-south exposure, but it does not solve the core issue that authenticated VPN users still gain internal network access they do not need.
- Option D: More frequent MFA strengthens authentication cadence, but it does not by itself enforce least-privilege application access or contain misuse from an already-authenticated endpoint.

Sample Question 8 — Zero Trust Endpoints and Host Hardening

A hybrid enterprise patched operating systems monthly but experienced two initial-access incidents through an outdated browser component and a document viewer on remote laptops. Leadership wants one program change that will most directly reduce similar compromises without waiting for users to return to the office. Which change is best?

A. Automate patching for operating systems and common third-party applications on remote endpoints (Correct answer)
B. Patch operating systems more often and leave third-party applications to manual updates
C. Require all remote users to reconnect to VPN each morning before starting work
D. Increase email phishing simulations and keep the current endpoint update process

Correct answer: A

Explanation: Correct answer (A): The incidents came through non-OS software, so the strongest corrective action is automated patch management that covers both operating systems and commonly exploited third-party applications. Remote and hybrid work increases the importance of endpoint-native maintenance because users are often outside direct enterprise network visibility. Broadening patch coverage closes a common initial-access path more effectively than VPN process changes or awareness alone.

Why the other options are wrong:
- Option B: Improving only OS patch speed still leaves a major exposed surface, since browsers and document tools were the actual initial-access vectors.
- Option C: VPN use may help with routing or policy delivery, but it does not remediate vulnerable applications already running on the laptop.
- Option D: User awareness can reduce some risky behavior, but it does not correct known exploitable software exposure on endpoints.

Quick 10-Question GDSA Practice Test

Take a free 10-question GDSA quick-start practice test covering all 8 GDSA domains. Get instant scoring with detailed explanations — perfect for a quick readiness check.
