The best answer is B. Providing an alternative security measure when standard remediation is not feasible.

A compensating control is a substitute safeguard used when the preferred or required control cannot be implemented immediately or at all. It helps reduce risk in another way until proper remediation is possible, or when direct remediation is impractical.

Examples include:

increasing monitoring when a system cannot be patched

segmenting a legacy application that cannot be upgraded

restricting access to a vulnerable system that must remain in service

Why the other options are incorrect:

A. Reducing the attack surface by isolating vulnerable components within a segmented environmentThis can be an example of a compensating control, but it does not define the overall role as clearly as B.

C. Delaying remediation timelines by replacing affected systems in a maintenance windowThis describes scheduling or change timing, not compensating controls.

D. Remediating software flaws by modifying source code to remove insecure functionsThis is direct remediation, not a compensating control.

From the SY0-701 perspective, compensating controls are used when the ideal fix is not possible, so B is the best explanation.

Risk tolerance is the correct answer because the organization is defining an acceptable threshold for deployment. The system is allowed onto the network only after Category 1 vulnerabilities are reduced to zero. That means the organization is not saying all risk must be eliminated; it is saying a specific level of risk is unacceptable, while deployment is permitted once the risk falls within the approved threshold. Risk avoidance would mean not deploying the system or eliminating the activity entirely. Risk transference would shift financial or operational risk to another party, such as through insurance or outsourcing. Risk reporting is communication of risk status, not the decision threshold itself. This is a classic example of risk tolerance criteria.

===============

A qualitative risk analysis assigns descriptive ratings such as high, medium, or low to risks based on their likelihood and impact without numerical calculations.

Including MTTR/MTBF (A) and ALE/ARO (D) are quantitative methods using metrics. Risk registers (B) document risks but don’t specify analysis type.

Qualitative and quantitative risk methods are fundamental in SY0-701 risk management【6:Chapter 17†CompTIA Security+ Study Guide】.

SSO stands for single sign-on, which is a method of authentication that allows users to access multiple applications or services with one set of credentials. SSO reduces the number of credentials employees need to maintain and simplifies the login process. SSO can also improve security by reducing the risk of password reuse, phishing, and credential theft. SSO can be implemented using various protocols, such as SAML, OAuth, OpenID Connect, and Kerberos, that enable the exchange of authentication information between different domains or systems. SSO is commonly used for accessing SaaS applications, such as Office 365, Google Workspace, Salesforce, and others, using domain credentials123.

B. LEAP stands for Lightweight Extensible Authentication Protocol, which is a Cisco proprietary protocol that provides authentication for wireless networks. LEAP is not related to SaaS applications or domain credentials4.

C. MFA stands for multi-factor authentication, which is a method of authentication that requires users to provide two or more pieces of evidence to prove their identity. MFA can enhance security by adding an extra layer of protection beyond passwords, such as tokens, biometrics, or codes. MFA is not related to SaaS applications or domain credentials, but it can be used in conjunction with SSO.

D. PEAP stands for Protected Extensible Authentication Protocol, which is a protocol that provides secure authentication for wireless networks. PEAP uses TLS to create an encrypted tunnel between the client and the server, and then uses another authentication method, such as MS-CHAPv2 or EAP-GTC, to verify the user’s identity. PEAP is not related to SaaS applications or domain credentials.

References = 1: Security+ (SY0-701) Certification Study Guide | CompTIA IT Certifications 2: What is Single Sign-On (SSO)? - Definition from WhatIs.com 3: Single sign-on - Wikipedia 4: Lightweight Extensible Authentication Protocol - Wikipedia : What is Multi-Factor Authentication (MFA)? - Definition from WhatIs.com : Protected Extensible Authentication Protocol - Wikipedia

A false positive is a result that indicates a vulnerability or a problem when there is none. In this case, the vulnerability scanning report shows that the telnet service on port 23 is open and uses an insecure network protocol. However, the security analyst performs a test using nmap and a script that checks for telnet encryption support. The result shows that the telnet server supports encryption, which means that the data transmitted between the client and the server can be protected from eavesdropping. Therefore, the reported vulnerability is a false positive and does not reflect the actual security posture of the server. The security analyst should verify the encryption settings of the telnet server and client and ensure that they are configured properly3. References: 3: Telnet Protocol - Can You Encrypt Telnet?

The best answer is C. Firewall logs.

The PowerShell command shown is suspicious because it uses:

-exec bypass to bypass PowerShell execution policy

IEX (Invoke-Expression) to execute downloaded content in memory

Net.WebClient.DownloadString() to retrieve a remote script from the IP address 176.30.40.50

The question asks which logs will help confirm an established connection to that IP address. The best source for confirming that network communication actually occurred is firewall logs, because they record allowed and blocked inbound or outbound network connections between systems and remote IP addresses.

Why the other options are incorrect:

A. System event logsThese may show local operating system events, but they are not the best source for confirming a network connection to a specific external IP.

B. EDR logsEDR logs may show suspicious PowerShell execution and related behavior, and in some environments they may also show network activity. However, when the question specifically asks to confirm an established connection to a particular IP, firewall logs are the most direct and standard answer.

D. Application logsApplication logs generally track application-specific events and are not the best source for validating outbound network connections to a suspicious IP.

From a Security+ perspective, suspicious script execution should be correlated with network logs to validate command-and-control or malware download activity. That makes firewall logs the best choice.

Poor input validation in databases typically leads to SQL Injection (SQLi) vulnerabilities, where attackers manipulate input fields to execute arbitrary SQL commands and gain unauthorized data access or control.

XSS (A) affects web applications ' output rendering, command injection (B) affects OS commands, and buffer overflow (C) affects memory management, so they don ' t directly relate to database input validation.

SQLi is a critical vulnerability extensively covered in the Application Security domain【6:Chapter 6†CompTIA Security+ Study Guide】.

The log entries show repeated attempts to access directories using patterns such as ../, which is a common directory traversal attack technique. Directory traversal (or path traversal) aims to access files and directories outside the web server ' s root directory by manipulating file paths. The ../ sequence is used to move up one directory level, which attackers exploit to try and retrieve sensitive files.

A supply chain vendor is a third-party entity that provides goods or services to an organization, such as a SaaS provider. A supply chain vendor can pose a risk to the new system if the vendor has poor security practices, breaches, or compromises that could affect the confidentiality, integrity, or availability of the system or its data. The organization should perform due diligence and establish a service level agreement with the vendor to mitigate this risk. The other options are not specific to the scenario of using a SaaS provider, but rather general risks that could apply to any system.

SCAP (Security Content Automation Protocol) is designed to automate vulnerability management, configuration assessment, and compliance checking. According to CompTIA Security+ SY0-701, SCAP standardizes how vulnerability information is expressed, measured, and shared, allowing security tools to automatically scan systems, identify weaknesses, and assess compliance against predefined baselines.

SCAP integrates multiple standards such as CVE, CVSS, CPE, and XCCDF, enabling automated vulnerability scanning, scoring, and reporting across large environments. This makes it a core technology for continuous vulnerability management and compliance automation.

CVE (A) is a catalog of known vulnerabilities, not an automation framework. OSINT (C) provides publicly available intelligence but does not automate remediation or assessment. CVSS (D) provides severity scoring but does not automate vulnerability management.

Because SCAP enables automated identification, assessment, and reporting of vulnerabilities, the correct answer is B: SCAP.

Scheduled downtime is a planned period of time when a system or service is unavailable for maintenance, updates, upgrades, or other changes. Scheduled downtime gives administrators a set period to perform changes to an operational system without disrupting the normal business operations or affecting the availability of the system or service. Scheduled downtime also allows administrators to inform the users and stakeholders about the expected duration and impact of the changes. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, Chapter 12: Security Operations and Administration, page 579 1

The best answer is C. Configure a NAC solution to enforce 802.1X authentication with device certificates and implement endpoint security checks.

NAC (Network Access Control) is used to verify devices before granting them access to the network. A strong NAC deployment should validate both identity and security posture. Enforcing 802.1X authentication ensures that devices must authenticate before connecting, and using device certificates strengthens trust in the device itself. Endpoint security checks add posture assessment, such as confirming antivirus, patch level, or compliance state.

This is the most secure and effective approach because it prevents unauthorized or noncompliant devices from joining the network in the first place.

Why the other options are incorrect:

A. Deploy a NAC solution to block wireless connections until devices can be verified against the baseline configuration.This only addresses wireless access and is too limited. Unauthorized devices could still attempt access in other ways.

B. Set the NAC solution to only accept handshakes initiated from a static set of IP addresses.IP addresses are not a reliable basis for device trust and can be spoofed or reassigned.

D. Implement a NAC solution that redirects all devices to the guest Wi-Fi for holding until a security analyst can validate the security compliance.Redirecting all devices is not practical or efficient, and guest Wi-Fi is not the best control for secure admission.

From a Security+ perspective, the strongest NAC implementation uses 802.1X, certificates, and posture assessment, making C correct.

Shadow IT refers to the use of information technology systems, devices, software, applications, and services without explicit IT department approval. This is the most likely cause of introducing vulnerabilities on a corporate network by deploying unapproved software, as such software may not have been vetted for security compliance, increasing the risk of vulnerabilities.

References =

CompTIA Security+ SY0-701 Course Content: The concept of Shadow IT is discussed as a significant risk due to the introduction of unapproved and potentially vulnerable software into the corporate network​​.

A full inventory of all hardware and software is essential for measuring the overall risk to an organization when a new vulnerability is disclosed, because it allows the security analyst to identify which systems are affected by the vulnerability and prioritize the remediation efforts. Without a full inventory, the security analyst may miss some vulnerable systems or waste time and resources on irrelevant ones. Documentation of system classifications, a list of system owners and their departments, and third-party risk assessment documentation are all useful for risk management, but they are not sufficient to measure the impact of a new vulnerability. References: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 1221; Risk Assessment and Analysis Methods: Qualitative and Quantitative3