Free GDSA Fundamental Security Architecture Concepts Practice Test 2026 — GIAC Defensible Security Architect Questions

This free GDSA Fundamental Security Architecture Concepts practice test covers core security architecture concepts including defense in depth, threat modeling, frameworks, risk management, and design principles. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.

6 Free GDSA Fundamental Security Architecture Concepts Practice Questions with Answers

Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the Fundamental Security Architecture Concepts domain (10% of the exam).

Sample Question 1 — Fundamental Security Architecture Concepts

A manufacturing company has strong internet perimeter filtering, but once an attacker phished one employee, the attacker could reach file servers, engineering workstations, and IT management systems over the internal network. Leadership wants the single best architectural change to make a similar compromise less damaging without assuming the perimeter will always hold. What should the security architect recommend first?

A. Segment critical systems from user networks and enforce access rules with monitoring between the segments (Correct answer)
B. Increase perimeter firewall strictness and block more outbound traffic from the internet edge
C. Replace user antivirus with a newer endpoint tool and keep the internal network largely unchanged
D. Require longer employee passwords and keep broad internal network reachability for productivity

Correct answer: A

Explanation: Correct answer (A): Flat internal networks increase blast radius after a single host is compromised. The most defensible first architectural improvement is to separate critical systems from general user networks and apply explicit enforcement plus monitoring between them. That recommendation assumes compromise is possible, directly limits lateral movement, and improves validation of whether segmentation is working instead of relying only on the perimeter.

Why the other options are wrong:

- Option B: A stronger perimeter may reduce some external attack paths, but it does little once an attacker already has a foothold on the internal network. The scenario specifically shows perimeter-only security was insufficient.
- Option C: Improving endpoint protection can help, but leaving the network flat means a successful bypass still gives an attacker broad access. The question asks for the best architectural change to reduce damage after compromise.
- Option D: Better passwords may reduce some account abuse, but they do not address the main architectural weakness: broad internal reachability after a single workstation is compromised.

Sample Question 2 — Fundamental Security Architecture Concepts

A security architect is given budget to improve internal security after several near-miss incidents. Different teams want microsegmentation, new endpoint tools, and a larger SIEM, but the company has no shared map of critical assets, trust boundaries, or major application flows. What is the best first architectural step?

A. Perform threat modeling to identify critical assets, trust boundaries, key flows, and likely attack paths (Correct answer)
B. Purchase the broadest platform and rely on default policies to discover misuse over time
C. Deploy controls uniformly to all systems first and refine the design after user complaints
D. Expand internet-edge filtering first because most attacks begin outside the organization

Correct answer: A

Explanation: Correct answer (A): Threat modeling should come before major control-selection decisions. Without understanding asset criticality, trust boundaries, important flows, and realistic attack paths, the organization risks spending budget on controls that are poorly placed or low value. A defensible architecture begins by identifying what matters most and how an attacker could reach or abuse it, then selecting controls based on that analysis.

Why the other options are wrong:

- Option B: Tool-first decisions often create coverage gaps or wasted spend when the organization has not identified what needs protection and how attackers are likely to move.
- Option C: Uniform deployment may look fair, but architectural prioritization should account for asset criticality and the most important attack paths rather than treating all systems identically.
- Option D: Edge filtering may help some external threats, but the scenario lacks the foundational analysis needed to decide whether that is the highest-value investment.

Sample Question 3 — Fundamental Security Architecture Concepts

An enterprise can fund only one of the following improvements this quarter. The current environment already has reasonable blocking controls, but investigations are slow because defenders lack useful telemetry when attackers use approved tools and valid credentials. Which investment best improves the architecture based on that gap?

A. Add visibility that produces usable telemetry for validation, investigation, and response across key control points (Correct answer)
B. Add another blocking layer at the perimeter and accept limited insight into internal activity
C. Delay security changes and rely on annual penetration tests to show whether controls still work
D. Focus only on hardening end-user passwords because valid credentials are difficult to detect anyway

Correct answer: A

Explanation: Correct answer (A): The scenario identifies a detection and investigation weakness, not a primary prevention gap. In a defensible architecture, prevention, detection, and response must be balanced. Adding telemetry at key control points helps validate existing controls, reveals abuse of trusted channels or approved tools, and improves investigation and response when attackers bypass blocking controls or use legitimate credentials.

Why the other options are wrong:

- Option B: Another blocking layer may be helpful in a different scenario, but it does not address the stated problem: poor visibility and slow investigations after suspicious activity occurs.
- Option C: Periodic testing is useful, but it does not provide the ongoing telemetry needed to detect and investigate real attacks in daily operations.
- Option D: Password improvements can reduce some risk, but the scenario already states that attackers may use valid credentials, making visibility and response capability more important here.

Sample Question 4 — Fundamental Security Architecture Concepts

A CIO says the company already has defense-in-depth because it owns a firewall, web filter, endpoint tool, and DLP product. A security architect reviewing recent incidents finds that these tools operate independently, cover different asset scopes inconsistently, and do not support each other when one fails. Which response best reflects sound architecture judgment?

A. Redesign the controls so complementary layers protect important assets even when one layer is bypassed (Correct answer)
B. Keep the same design because owning several security products is the main requirement for layered defense
C. Replace all current tools with one integrated platform to avoid complexity in the architecture
D. Move most controls to the perimeter because centralization is more important than internal layering

Correct answer: A

Explanation: Correct answer (A): Defense-in-depth is not the mere presence of multiple products. It is the intentional placement of complementary controls across layers so that failure or bypass of one control does not create total compromise. The right architectural response is to redesign coverage around important assets, access paths, and supporting telemetry so the layers reinforce each other.

Why the other options are wrong:

- Option B: Owning multiple tools does not guarantee layered defense if the tools are misaligned, inconsistently deployed, or unable to support detection and response when bypassed.
- Option C: An integrated platform may simplify operations, but it does not automatically create defensible architecture and may even increase single-point dependency if used as the only answer.
- Option D: Perimeter centralization can be useful, but relying mainly on the edge contradicts the need to protect assets internally and assume compromise is possible.

Sample Question 5 — Fundamental Security Architecture Concepts

An organization reports that its environment is segmented because finance, HR, and engineering are placed in separate VLANs. During an internal assessment, testers move between these groups using broadly permitted routing and shared administrative credentials, and the SOC cannot clearly see cross-segment policy violations. What is the best architectural conclusion?

A. The design needs explicit access enforcement and monitoring, because grouping alone has not meaningfully limited movement (Correct answer)
B. The design is already sufficiently segmented, and the main problem is that the testers were unusually skilled
C. The best fix is to keep the VLAN design and add stronger internet filtering at the network perimeter
D. The best fix is to merge the segments to simplify routing and reduce operational overhead for the SOC

Correct answer: A

Explanation: Correct answer (A): Logical grouping without meaningful enforcement and visibility is weak segmentation. In this scenario, broad routing and shared administrative access undermine separation, while missing telemetry prevents the SOC from validating whether policy is working. Stronger segmentation requires explicit access control, reduced shared privilege, and monitoring of inter-segment activity so it actually limits lateral movement and supports detection.

Why the other options are wrong:

- Option B: The issue is architectural, not merely the skill of the testers. Broad routing and shared credentials show the segments are not enforcing real boundaries.
- Option C: Perimeter filtering does not address internal cross-segment movement, which is the specific weakness exposed in the assessment.
- Option D: Merging the groups would increase reachability and blast radius, moving the architecture in the wrong direction.

Sample Question 6 — Fundamental Security Architecture Concepts

A healthcare enterprise cannot redesign its entire environment this year. The architect must choose where limited funding will produce the largest immediate reduction in enterprise risk. One option protects general employee workstations uniformly. Another option hardens and tightly controls the administrative path used to manage the electronic health record platform and its supporting servers. Which choice is best?

A. Prioritize the administrative path to the electronic health record environment because it controls high-value systems (Correct answer)
B. Apply identical controls to all systems first because fairness matters more than asset criticality in architecture
C. Delay architectural prioritization until every workstation can receive the same level of protection
D. Focus only on the guest wireless network because it is more exposed than the internal administrative path

Correct answer: A

Explanation: Correct answer (A): When resources are constrained, defensible architecture should prioritize the paths and systems whose compromise would create the greatest impact. Securing the administrative path to high-value clinical systems yields more immediate enterprise risk reduction than spreading the same controls evenly across lower-value assets. This reflects asset criticality, trust-boundary awareness, and risk-based prioritization.

Why the other options are wrong:

- Option B: Uniform treatment may appear consistent, but it ignores asset criticality and the outsized risk of privileged paths into the most sensitive environment.
- Option C: Waiting for perfect uniformity delays risk reduction on the most important systems and is inconsistent with constrained, risk-based architecture planning.
- Option D: Guest networks can matter, but the scenario makes clear that the administrative path to the electronic health record platform is the more consequential target.

How to Study GDSA Fundamental Security Architecture Concepts

Combine these GDSA Fundamental Security Architecture Concepts practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
