Free GDSA Zero Trust Architecture and Networking Practice Test 2026 — GIAC Defensible Security Architect Questions
This free GDSA Zero Trust Architecture and Networking practice test covers Zero Trust models, microsegmentation, software-defined perimeters, identity-aware proxies, and policy enforcement across networks. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.
Key Topics in GDSA Zero Trust Architecture and Networking
- Zero Trust Pillars
- Microsegmentation
- Software-Defined Perimeter
- Identity-Aware Proxies
- Policy Enforcement Points
- Network Segmentation
6 Free GDSA Zero Trust Architecture and Networking Practice Questions with Answers
Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the Zero Trust Architecture and Networking domain (16% of the exam).
Sample Question 1 — Zero Trust Architecture and Networking
A company supports a remote workforce through a legacy VPN. Users authenticate with MFA, but once connected they can reach broad internal network ranges, including many systems unrelated to their jobs. After a recent phishing incident, the security architect is asked to reduce lateral movement risk without breaking remote access for business applications. Which architecture change is the best fit for a Zero Trust approach?
- A. Keep the VPN and add stricter password complexity so authenticated users remain on the same internal network segments
- B. Replace broad VPN access with identity-aware access to specific applications based on user identity, device health, and session context (Correct answer)
- C. Keep the VPN and add more perimeter firewall rules so authenticated users continue to receive internal network connectivity
- D. Require MFA more often on the VPN so authenticated users can still reach the full internal network after login
Correct answer: B
Explanation: Correct answer (B): Zero Trust removes implicit trust based on network location. In this scenario, the problem is not weak initial authentication; it is that VPN users receive broad network reach after login. The best architectural change is to move from network-level connectivity to application-specific, identity-aware access that evaluates user identity, device health, and session context. That supports least privilege and reduces lateral movement because successful authentication no longer grants unnecessary east-west access.
Why the other options are wrong:
- Option A: Password complexity does not address the architectural flaw. Users would still land on broadly trusted internal network segments after connecting.
- Option C: Perimeter firewall tuning may help some north-south exposure, but it does not solve the core issue that authenticated VPN users still gain internal network access they do not need.
- Option D: More frequent MFA strengthens authentication cadence, but it does not by itself enforce least-privilege application access or contain misuse from an already-authenticated endpoint.
Sample Question 2 — Zero Trust Architecture and Networking
A hybrid enterprise wants to "implement Zero Trust everywhere" in one quarter. The network is partially flat, application dependencies are not well documented, and several critical business services run across both data center and cloud environments. Leadership wants a defensible first phase that reduces risk without causing major outages. What is the best starting point?
- A. Begin enterprise-wide micro-segmentation immediately and refine rules later as outages reveal missing dependencies
- B. Identify high-value assets, map their transaction flows, and implement policy and telemetry around those protect surfaces first (Correct answer)
- C. Increase external firewall filtering first and postpone internal policy changes until all applications are cloud migrated
- D. Require every user to re-enroll in MFA first and defer segmentation and telemetry until the identity project is complete
Correct answer: B
Explanation: Correct answer (B): A defensible Zero Trust rollout is usually phased, not enterprise-wide on day one. The strongest starting point is to identify protect surfaces, validate the flows they require, and place policy and telemetry around those high-value assets first. That reduces risk while limiting operational disruption. It also avoids the common failure of deploying segmentation before understanding dependencies.
Why the other options are wrong:
- Option A: Immediate enterprise-wide micro-segmentation without validated dependencies is likely to break business services and create false confidence rather than a defensible rollout.
- Option C: Stronger external filtering does not address the stated internal trust and hybrid dependency issues. The problem is broader than internet-edge exposure.
- Option D: MFA is valuable, but deferring segmentation and telemetry leaves lateral movement and enforcement visibility gaps largely unresolved.
Sample Question 3 — Zero Trust Architecture and Networking
A critical internal application cannot support modern identity protocols, but it must remain accessible to a limited set of employees and administrators. The current design places the application on a broadly reachable internal network segment because it "cannot do Zero Trust." The security architect needs the best compensating control strategy without rewriting the application this year. Which approach is best?
- A. Place the application behind a controlled access gateway or reverse proxy, restrict network paths to it, and isolate its administration workflows (Correct answer)
- B. Leave the application on the current segment, require stronger user passwords, and rely on endpoint antivirus for misuse detection
- C. Move the application to a different subnet, keep broad internal access, and depend on annual access reviews for control assurance
- D. Publish the application through the existing VPN, keep current network reachability, and require MFA only at the VPN entry point
Correct answer: A
Explanation: Correct answer (A): When a legacy application cannot natively support modern identity protocols, Zero Trust does not require leaving it broadly trusted. The defensible approach is to use compensating controls: put access behind a gateway or reverse proxy, restrict network paths, and isolate administration. That reduces implicit trust and limits attack surface without forcing a full application rewrite. It is a practical Zero Trust pattern for legacy environments.
Why the other options are wrong:
- Option B: Password strength and antivirus do not address the main architectural issue: the application remains broadly reachable on the internal network.
- Option C: A subnet move without meaningful access restriction preserves broad trust. Annual reviews are governance activities, not adequate runtime enforcement for this risk.
- Option D: VPN MFA improves the front door only. It still grants network-level reachability and does not provide application-specific containment.
Sample Question 4 — Zero Trust Architecture and Networking
A security architect has implemented initial Zero Trust policies around several sensitive applications, but leadership wants evidence that the controls are actually being enforced and that attackers are not bypassing them through internal paths. Most application traffic is encrypted end-to-end, and the team cannot broadly decrypt internal traffic for operational reasons. Which telemetry combination is the best fit?
- A. Rely mainly on perimeter firewall alerts and monthly vulnerability scan results to confirm that internal policy is working
- B. Collect authentication logs, policy decision logs, east-west flow records, endpoint telemetry, and administrative session records (Correct answer)
- C. Depend mainly on packet payload inspection at the internet edge and disable internal flow collection because traffic is encrypted
- D. Use only operating system event logs from servers and assume that application encryption removes the need for network visibility
Correct answer: B
Explanation: Correct answer (B): Zero Trust requires telemetry that can validate policy decisions and detect bypass attempts, especially on internal paths. Even when traffic is encrypted, architects can still rely on strong non-payload signals such as authentication events, policy decision logs, east-west flow metadata, endpoint telemetry, and administrative session records. This provides the layered visibility needed to confirm enforcement and detect abnormal internal movement without broad decryption.
Why the other options are wrong:
- Option A: Perimeter alerts and vulnerability scans do not provide the internal enforcement visibility needed to verify Zero Trust controls around sensitive applications.
- Option C: Edge packet inspection alone misses many internal paths, and encryption does not eliminate the value of flow metadata or host-based signals.
- Option D: Server logs are useful, but using only host logs creates blind spots around policy decisions, connection patterns, and internal movement.
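To make the telemetry combination in Option B concrete, the following added example (not code from the GDSA page, the FlashGenius question bank, or any vendor) correlates east-west flow metadata with policy decision logs to find traffic that reached a protect surface without an enforcement decision behind it. Payload is never inspected, which is the point of the question. The topology, both record sets and every field name are constructed assumptions, not a real NetFlow/IPFIX or proxy log schema.

```python
"""Added example, not code from the GDSA page or any vendor: correlate east-west
flow metadata with policy decision logs to surface traffic that reached a
protect surface without an enforcement decision behind it. The records below
are constructed; the field names are assumptions, not a real NetFlow/IPFIX or
proxy log schema."""
from datetime import datetime, timedelta

# Assumed topology: clients reach these apps only through the identity-aware
# proxy at 10.20.1.5; any other source talking to them directly is a bypass.
PROTECT_SURFACE = {"10.20.5.10": "finance-erp", "10.20.5.20": "hr-db"}
ENFORCEMENT_POINTS = {"10.20.1.5"}

# Constructed policy decision log from the proxy / policy decision point.
DECISIONS = [
    {"ts": "2026-01-15T09:00:02", "user": "alice", "client": "10.30.7.12",
     "app": "finance-erp", "effect": "allow"},
    {"ts": "2026-01-15T09:24:50", "user": "bob", "client": "10.30.7.44",
     "app": "hr-db", "effect": "deny"},
]

# Constructed east-west flow records (metadata only; the payload is encrypted).
FLOWS = [
    {"ts": "2026-01-15T09:00:05", "src": "10.20.1.5",  "dst": "10.20.5.10", "dport": 443,  "bytes": 18400},
    {"ts": "2026-01-15T09:12:00", "src": "10.30.7.44", "dst": "10.20.5.10", "dport": 443,  "bytes": 9200},
    {"ts": "2026-01-15T09:20:00", "src": "10.20.1.5",  "dst": "10.20.5.20", "dport": 5432, "bytes": 3100},
    {"ts": "2026-01-15T09:25:00", "src": "10.30.7.44", "dst": "10.20.5.20", "dport": 5432, "bytes": 512000},
    {"ts": "2026-01-15T09:30:00", "src": "10.30.9.9",  "dst": "10.20.5.10", "dport": 22,   "bytes": 7000},
]


def _within(earlier: str, later: str, window: timedelta) -> bool:
    """True when `later` is no earlier than `earlier` and at most `window` after it."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return timedelta(0) <= delta <= window


def analyse(flows, decisions, window=timedelta(seconds=60)):
    """Return one finding per flow into the protect surface that policy does not explain."""
    findings = []
    for flow in flows:
        app = PROTECT_SURFACE.get(flow["dst"])
        if app is None:
            continue  # not a protect-surface destination; out of scope here
        if flow["src"] not in ENFORCEMENT_POINTS:
            # Direct path around the proxy. Worse when the same client was just denied.
            denied = any(d["effect"] == "deny" and d["app"] == app
                         and d["client"] == flow["src"]
                         and _within(d["ts"], flow["ts"], window)
                         for d in decisions)
            findings.append({**flow, "app": app,
                             "finding": "bypass-after-deny" if denied else "direct-path-bypass"})
            continue
        # Traffic from the proxy should sit just after an allow decision for that app.
        explained = any(d["effect"] == "allow" and d["app"] == app
                        and _within(d["ts"], flow["ts"], window)
                        for d in decisions)
        if not explained:
            findings.append({**flow, "app": app, "finding": "flow-without-decision"})
    return findings


def summarise(findings):
    """Count findings by type; usable as a daily enforcement-verification metric."""
    counts = {}
    for f in findings:
        counts[f["finding"]] = counts.get(f["finding"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(FLOWS, DECISIONS):
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}:{f["dport"]} [{f["app"]}] {f["finding"]}')
    print(summarise(analyse(FLOWS, DECISIONS)))
```

Against the constructed data this reports two direct-path bypasses (a workstation and an SSH source talking straight to the ERP host), one proxy flow to the HR database with no allow decision behind it, and one client that was denied and then connected to the database directly ten seconds later. In a real deployment the proxy's connection pooling and keepalives mean one long flow can carry many decisions, so the correlation window and the "one decision per flow" assumption need tuning per application; the principle, that flow metadata plus decision logs verify enforcement without decrypting anything, is what the question is testing.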
Sample Question 5 — Zero Trust Architecture and Networking
A company recently deployed MFA for all employees. Executives now believe credential theft risk is largely solved, but the security architect is concerned that a compromised endpoint or stolen session token could still be used to abuse privileged access. Which additional design choice best reflects Zero Trust thinking?
- A. Reduce standing admin rights, separate privileged accounts from daily-use accounts, and use time-bound elevation where feasible (Correct answer)
- B. Keep current admin rights, extend MFA token lifetimes, and depend on yearly access certification for privileged users
- C. Keep shared admin accounts, require more complex passwords, and assume MFA prevents most post-login abuse scenarios
- D. Maintain broad administrator access, add login banners, and rely on acceptable-use policy acknowledgments for deterrence
Correct answer: A
Explanation: Correct answer (A): MFA materially improves authentication, but it does not eliminate token theft, session hijacking, or misuse from an already-authenticated endpoint. Zero Trust assumes compromise remains possible, so privileged access must be designed to minimize blast radius. Reducing standing privilege, separating admin identities from daily-use accounts, and using time-bound elevation are the strongest choices because they limit what an attacker can do after gaining a foothold.
Why the other options are wrong:
- Option B: Longer token lifetimes extend the window in which a stolen token remains usable, and yearly certification is far too slow to control real-time privileged risk.
- Option C: Shared admin accounts and stronger passwords do not solve post-login abuse from stolen tokens or compromised endpoints.
- Option D: Banners and policy acknowledgments are weak deterrents and do not meaningfully reduce technical privilege abuse.
Sample Question 6 — Zero Trust Architecture and Networking
A company already uses SSO with MFA for access to internal and SaaS applications. During an incident, attackers reused an already-authenticated browser session from an infected laptop to access sensitive applications. The security architect must strengthen the access model without forcing every application team to redesign immediately. Which change best improves Zero Trust enforcement?
- A. Base access mainly on successful user authentication and keep sessions valid until normal expiration to avoid user disruption
- B. Continuously reevaluate device health and session context for access to sensitive resources, and reduce session scope when risk changes (Correct answer)
- C. Rely on yearly endpoint replacement cycles so infected devices are gradually removed from the environment over time
- D. Require users to complete MFA only at the start of the workday and assume later application access remains appropriately trusted
Correct answer: B
Explanation: Correct answer (B): Zero Trust is not a one-time login event. In this scenario, attackers abused an already-authenticated session from an infected device, so the right improvement is continuous verification of device health and session context for sensitive access. Reassessing risk during the session and reducing scope when conditions change helps contain post-authentication abuse without requiring every individual application to be rewritten immediately.
Why the other options are wrong:
- Option A: This preserves static trust after authentication, which is exactly what failed during the incident.
- Option C: Endpoint refresh cycles are far too slow to address active session abuse from currently compromised devices.
- Option D: MFA only at the start of the day remains a one-time trust decision and ignores changing device posture and session risk.
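The access model in Questions 1, 5 and 6 comes down to one policy decision point that is consulted per application and re-run as context changes. The following added example (not code from the GDSA page, the FlashGenius question bank, or SANS SEC530) shows such a decision point: per-application entitlement, MFA freshness, managed-device and EDR health, a time-bound elevation grant for a privileged workflow, and a risk-based reduction of session scope. The same decision is what an identity-aware gateway in front of a legacy application (Question 3) would enforce. All attribute names, thresholds and risk labels are illustrative assumptions.

```python
"""Added example, not code from the GDSA page or from SANS SEC530: a toy policy
decision point (PDP) that decides per-application access from user identity,
device health and session context, and is re-run whenever that context changes.
Attribute names, thresholds and the risk labels are illustrative assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Device:
    device_id: str
    managed: bool                  # enrolled in device management (assumed signal)
    edr_healthy: bool              # EDR agent running with no active detection
    posture_checked_at: datetime   # when those health signals were last refreshed


@dataclass
class Session:
    user: str
    groups: set
    mfa_at: datetime               # last successful MFA for this session
    ip_risk: str                   # "low" | "medium" | "high" (assumed risk feed)
    elevation_expires_at: Optional[datetime] = None   # time-bound admin elevation


@dataclass
class AppPolicy:
    name: str
    allowed_groups: set
    max_mfa_age: timedelta = timedelta(hours=8)
    max_posture_age: timedelta = timedelta(minutes=15)
    privileged: bool = False       # admin workflow: needs an active elevation grant


@dataclass
class Decision:
    effect: str                    # "allow" | "allow-restricted" | "deny"
    reasons: list = field(default_factory=list)


def evaluate(policy: AppPolicy, session: Session, device: Device, now: datetime) -> Decision:
    """One per-resource decision. Authenticating once never grants reach to
    anything by itself; every application re-checks identity, device and session."""
    if not (session.groups & policy.allowed_groups):
        return Decision("deny", [f"{session.user} not entitled to {policy.name}"])
    if now - session.mfa_at > policy.max_mfa_age:
        return Decision("deny", ["MFA older than policy allows; step-up required"])
    if not device.managed:
        return Decision("deny", ["unmanaged device"])
    if now - device.posture_checked_at > policy.max_posture_age:
        return Decision("deny", ["device posture stale; health cannot be verified"])
    if not device.edr_healthy:
        return Decision("deny", ["EDR reports the device unhealthy"])
    if policy.privileged and not (session.elevation_expires_at
                                  and session.elevation_expires_at > now):
        return Decision("deny", ["privileged app: no active time-bound elevation"])
    if session.ip_risk == "high":
        return Decision("deny", ["high-risk source"])
    if session.ip_risk == "medium":
        return Decision("allow-restricted", ["medium-risk source: read-only scope"])
    return Decision("allow", ["identity, device and session checks passed"])


def decision_record(policy, session, device, decision, now) -> dict:
    """Policy decision log entry: the evidence that enforcement actually happened."""
    return {"ts": now.isoformat(), "user": session.user, "device": device.device_id,
            "app": policy.name, "effect": decision.effect, "reasons": decision.reasons}


def demo():
    """Walk one session through changing context; returns (effects, decision log)."""
    t0 = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
    finance = AppPolicy("finance-erp", {"finance"})
    erp_admin = AppPolicy("finance-erp-admin", {"erp-admins"}, privileged=True)
    laptop = Device("LT-1234", managed=True, edr_healthy=True, posture_checked_at=t0)
    alice = Session("alice", {"finance", "erp-admins"}, mfa_at=t0, ip_risk="low")
    log, effects = [], []

    def check(policy, now):  # the PDP is consulted per request and on every re-evaluation
        d = evaluate(policy, alice, laptop, now)
        log.append(decision_record(policy, alice, laptop, d, now))
        effects.append(d.effect)

    check(finance, t0)                                      # allow: fresh login, healthy device
    check(erp_admin, t0)                                    # deny: admin app, no elevation held
    alice.elevation_expires_at = t0 + timedelta(hours=1)    # just-in-time grant for one hour
    check(erp_admin, t0 + timedelta(minutes=5))             # allow
    laptop.edr_healthy = False                              # mid-session: EDR raises a detection
    laptop.posture_checked_at = t0 + timedelta(minutes=30)  # posture refresh carries the new state
    check(finance, t0 + timedelta(minutes=31))              # deny: live session must be cut
    laptop.edr_healthy = True                               # later: cleaned, but no fresh posture
    check(erp_admin, t0 + timedelta(hours=2))               # deny: posture stale (and elevation expired)
    return effects, log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Two design points matter more than the individual thresholds. First, a deny from `evaluate` on an already-open session has to reach the enforcement point (proxy, gateway or agent) and terminate or narrow that session, otherwise "continuous verification" is only logging. Second, the stale-posture rule fails closed: if the device stops reporting, the PDP cannot verify health and treats the device as unhealthy rather than coasting on the last good result.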
How to Study GDSA Zero Trust Architecture and Networking
Combine these GDSA Zero Trust Architecture and Networking practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
About the GDSA Exam
- Questions: 75 multiple-choice
- Time: 120 minutes (2 hours)
- Passing score: 63%
- Format: Proctored, open book
- Domains: 8 (Zero Trust Architecture and Networking is 16% of the exam)
- Associated training: SANS SEC530