A cold site is a type of backup data center that has the necessary infrastructure to support IT operations, but does not have any pre-configured hardware or software. A cold site is the cheapest option among the backup data center types, but it also has the longest recovery time objective (RTO) and recovery point objective (RPO) values. A cold site is suitable for scenarios where the cost-benefit is the primary requirement and the RTO and RPO values are not very stringent. A cold site can take up to two days or more to restore the normal operations after a disaster. References = CompTIA Security+ SY0-701 Certification Study Guide, page 387; Backup Types – SY0-601 CompTIA Security+ : 2.5, video at 4:50.

Automatically generating WAF rules when applications are deployed is a hallmark of Infrastructure as Code (IaC). IaC allows infrastructure components—including firewalls, WAF policies, and load balancers—to be defined and deployed via code templates rather than manual configuration. In DevSecOps, IaC enables security controls to be embedded into deployment pipelines, ensuring that protections such as WAF rules are created instantly and consistently whenever new application versions are released.

Security+ SY0-701 highlights IaC as a method for automating infrastructure provisioning, standardizing security controls, and reducing configuration drift. This allows development and security teams to collaborate more effectively by treating security policies as code.

IoT (B) refers to smart devices, IoC (C) refers to indicators of compromise, and IaaS (D) refers to cloud compute infrastructure—not automated security policy creation.

Thus, the correct answer is A: IaC.

The best answer is D. WAF.

A WAF (Web Application Firewall) is designed to inspect and filter malicious HTTP and HTTPS traffic aimed at a web application. If a site is receiving a large number of malicious requests that are causing performance problems, a WAF is the best control among these options because it can detect and block harmful web requests before they impact the application.

This can help mitigate attacks such as:

malicious web requests

application-layer abuse

some denial-of-service style request floods

common web exploits

Why the other options are incorrect:

A. IPSecIPSec secures network-layer communications, not malicious web request filtering.

B. TLSTLS encrypts data in transit, but it does not stop malicious requests.

C. SDNSoftware-defined networking helps manage network architecture, but it is not the most direct preventive control for malicious web traffic.

From a Security+ standpoint, malicious requests against a web application are best mitigated by a WAF, so D is correct.

Input sanitization is a critical security measure to prevent SQL injection attacks, which occur when an attacker exploits vulnerabilities in a website ' s input fields to execute malicious SQL code. By properly sanitizing and validating all user inputs, developers can prevent malicious code from being executed, thereby securing the website against such attacks.

References = CompTIA Security+ SY0-701 study materials, particularly in the domain of web application security and common vulnerability mitigation strategies​​.

Quantitative risk analysis involves assigning numeric values to risk components, such as potential financial losses. Estimating the replacement cost of a physical server is part of calculating the potential impact and exposure during this process.

Disaster recovery tests (B) validate recovery procedures, physical security controls review (C) assesses physical protections, and threat modeling (D) identifies potential threats and attack vectors.

Quantitative analysis is a key part of risk management addressed in the SY0-701 Risk Management domain【6:Chapter 17†CompTIA Security+ Study Guide】

Allowing risky protocols like SMB and RDP from the internet to a controlled VLAN is commonly done to create a honeynet, a deliberately vulnerable network environment used to attract attackers and study their behaviors without risking production systems.

Building a file-sharing site (A) or preparing for a pentest (B) typically wouldn ' t require exposing SMB and RDP broadly. SASE integration (C) focuses on cloud security access and doesn ' t involve opening such protocols indiscriminately.

Honeynets are described as a deception technology in the Security Architecture domain【6:Chapter 9†CompTIA Security+ Study Guide】.

User Behavior Analytics (UBA)is specifically designed to detectanomalous or suspicious behaviorsby users that may indicate insider threats. UBA toolsestablish a baseline of normalbehaviorfor users and alert security teams when deviations occur (e.g., accessing sensitive files at odd hours, downloading large volumes of data, etc.).

Malicious insiders often bypass perimeter defenses like firewalls or IDS/IPS systems because they arelegitimate users. UBA offersvisibility into internal behavior patterns, which is essential for detecting these threats.

Risk appetiterefers to thelevel of risk an organization is willing to acceptbefore implementing security measures. When expanding access controls, the company must assess how much risk is acceptable in terms ofdata exposure, unauthorized access, and compliance obligations.

 A user provisioning script is an automation technique that uses a predefined set of instructions or commands to create, modify, or delete user accounts and assign appropriate access or permissions. A user provisioning script can help to streamline account creation by reducing manual errors, ensuring consistency and compliance, and saving time and resources12.

The other options are not automation techniques that can streamline account creation:

Guard rail script: This is a script that monitors and enforces the security policies and rules on a system or a network. A guard rail script can help to prevent unauthorized or malicious actions, such as changing security settings, accessing restricted resources, or installing unwanted software3.

Ticketing workflow: This is a process that tracks and manages the requests, issues, or incidents that are reported by users or customers. A ticketing workflow can help to improve the communication, collaboration, and resolution of problems, but it does not automate the account creation process4.

Escalation script: This is a script that triggers an alert or a notification when a certain condition or threshold is met or exceeded. An escalation script can help to inform the relevant parties or authorities of a critical situation, such as a security breach, a performance degradation, or a service outage.

References = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 1022: User Provisioning – CompTIA Security+ SY0-701 – 5.1, video by Professor Messer3: CompTIA Security+ SY0-701 Certification Study Guide, page 1034: CompTIA Security+ SY0-701 Certification Study Guide, page 104. : CompTIA Security+ SY0-701 Certification Study Guide, page 105.

To ensure that all systems requiring the patch are updated, the systems administrator must maintain an accurate asset inventory. This inventory lists all hardware and software assets within the organization, allowing the administrator to identify which systems are affected by the patch and ensuring that none are missed during the update process.

Network enumeration is used to discover devices on a network but doesn ' t track software that requires patching.

Data certification and procurement process are unrelated to tracking systems for patching purposes​​.

Orchestration is the process of automating multiple tasks across different systems and applications. It can help save time and reduce human error by executing predefined workflows and scripts. In this case, the systems administrator can use orchestration to create accounts for a large number of end users without having to manually enter their information and assign permissions. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 457 1

The best answer is D. Lock the employee ' s account to prevent further unauthorized access.

If credentials have been exposed in a phishing incident, the most urgent priority is to contain the threat by preventing attackers from using those credentials. Locking or disabling the affected account is an immediate response step that reduces the risk of unauthorized access, lateral movement, privilege abuse, or data theft.

Why the other options are incorrect:

A. Notify all employees about the phishing attack and instruct them to avoid suspicious emails.Awareness messaging may be useful later, but it does not immediately contain the compromised account.

B. Wait for confirmation from the employee before making any changes to the account.Waiting introduces unnecessary risk if the credentials are already exposed.

C. Reimage the employee ' s workstation to ensure no malware is present.Reimaging may be appropriate if malware was delivered, but the question specifically says the employee exposed credentials. The first priority is account containment.

From a Security+ incident response perspective, the immediate action after credential compromise is to disable or lock the account, making D the best answer.

The best answer is C. Watering hole.

A watering hole attack occurs when an attacker compromises a website that a targeted group of users commonly visits. The attacker chooses that site because they know the intended victims are likely to access it during normal work activities. Once the site is compromised, the attacker can deliver malware, steal credentials, or exploit browser vulnerabilities.

This exactly matches the scenario in the question: a website that multiple employees frequently visit is targeted for compromise.

Why the other options are incorrect:

A. Supply chainA supply chain attack targets vendors, software providers, or service providers in order to affect downstream customers. That is different from compromising a commonly visited website for a specific group of users.

B. TyposquattingTyposquatting involves creating a fraudulent website with a name similar to a legitimate one so users accidentally visit it. The question describes compromising an existing site people already visit, not creating a lookalike domain.

D. ImpersonationImpersonation involves pretending to be a trusted person or entity. It does not specifically describe compromising a frequently visited website.

From a Security+ perspective, a compromised site used to target a specific population is a classic watering hole attack, so C is correct.