CompTIA Security+ Practice Test 11

CompTIA Security+ Exam Practice Test

1 / 20

A cybersecurity analyst reviews adversary tactics, techniques, and procedures (TTPs) from MITRE ATT&CK and OSINT sources to predict potential threats against their company. Which cybersecurity practice are they performing?

2 / 20

A company's security team detects that a low-privileged user was able to execute admin-level commands using an unpatched vulnerability in a legacy application. Which mitigation strategy would best prevent this in the future?

3 / 20

A penetration tester gains physical access to a target server and installs a small device between the keyboard and USB port to secretly log all keystrokes. Which type of attack is this?

4 / 20

A hacker sets up a rogue access point named "Company_WiFi" near an office building. Employees unknowingly connect to it, allowing the hacker to intercept login credentials. Which attack is being performed?

5 / 20

A security analyst suspects an attacker has embedded malicious code within image files shared on a public forum. Which tool would best detect this activity?

6 / 20

A cybersecurity team proactively searches for threats within the network before an alert is triggered. Which strategy are they using?

7 / 20

A security analyst creates an exact bit-for-bit copy of a compromised hard drive for forensic analysis. Which process is being performed?

8 / 20

During a red team exercise, an attacker successfully gains initial access to a network but remains hidden for months while collecting information. Which phase of the Cyber Kill Chain is this?

9 / 20

A company requires that all contractors use a company-provided laptop with full-disk encryption before accessing sensitive systems. Which security control is being enforced?

10 / 20

A SIEM alerts the security team about high-volume outbound traffic from a single workstation. Which incident response phase should the team follow next?

11 / 20

A company implements passwordless authentication where users verify their identities using cryptographic key pairs stored on hardware tokens. Which authentication method is being used?

12 / 20

An attacker sends a specially crafted URL containing malicious JavaScript, which executes when viewed by an admin on a web-based management portal. What type of attack is this?

13 / 20

A security team identifies multiple unused services running on an exposed web server. Which security principle is being violated?

14 / 20

A company enforces strict USB policies, yet a user accidentally installs malware from a USB device that appeared to be a standard keyboard. Which attack technique was used?

15 / 20

An attacker gains access to a system and modifies the boot process to execute malware before the operating system loads. Which type of attack is being used?

16 / 20

A hacker captures multiple encrypted messages from a company’s wireless network and attempts to decrypt them by analyzing patterns in ciphertext. Which attack is being performed?

17 / 20

An employee with high-level access has been secretly collecting sensitive data over time and selling it to competitors. Which insider threat type best describes this situation?

18 / 20

A company moves sensitive applications to a cloud provider but wants full control over security configurations and OS-level access. Which cloud model should they choose?

19 / 20

A user reports being unable to access a system, even though their username and password are correct. The administrator finds that the account was locked due to excessive failed login attempts from different geographic locations. Which attack type is most likely responsible?

20 / 20

A security analyst notices encrypted traffic leaving the network at odd intervals to a known command-and-control (C2) server. Which technique is most likely being used by the attacker?
