Which tunnel protocol is used to secure communications over HTTPS?
IKE
GRE
SSH
TLS
TLS, or Transport Layer Security, is the protocol used to secure HTTPS communications. HTTPS is HTTP carried over TLS, which provides encryption, integrity protection, and server authentication through certificates. TLS prevents eavesdroppers from easily reading web traffic and helps ensure that clients are communicating with the intended server rather than an impostor. IKE is used in IPsec VPN negotiation to establish authenticated security associations. GRE is a tunneling protocol that encapsulates traffic but does not inherently provide encryption. SSH secures remote shell and administrative sessions, and can support tunneling, but it is not the protocol that secures HTTPS. TLS is central to modern web security because web applications, APIs, SaaS platforms, and identity providers depend on protected browser-to-server communication. However, TLS must be deployed correctly with valid certificates, strong protocol versions, and secure cipher suites. Reference/topics: Network Security 3.4, tunneling protocols including TLS, SSH, and IKE; Network Security 3.3, secure web access.
Batch 5 — Questions 56–70
Which attack takes place in the Exploitation phase of the cyber attack lifecycle?
Weaponized PDF file executing on a target
Malicious phishing link sent to a target
Polymorphic malware altering its structure on a target after gaining access
Undisclosed software vulnerability used to gain remote access to a target
Exploitation occurs when an attacker takes advantage of a vulnerability to cause unauthorized behavior, such as code execution, authentication bypass, privilege escalation, or remote access. An undisclosed software vulnerability used to gain remote access is a clear example of exploitation because the attacker is actively using a weakness to compromise the target. A malicious phishing link sent to a target is delivery, because it attempts to place the attack mechanism in front of the victim. A weaponized PDF executing may overlap with exploitation depending on the payload, but the strongest answer is the use of a software vulnerability to gain access. Polymorphic malware changing its structure after access is more closely related to evasion and persistence after compromise. The exam objective requires candidates to distinguish lifecycle stages by attacker intent: reconnaissance gathers, weaponization prepares, delivery transmits, exploitation triggers compromise, installation persists, command-and-control manages, and actions on objectives achieve the mission. Reference/topics: Cybersecurity 1.2, attack lifecycle; Cybersecurity 1.1, vulnerabilities and exploits.
Which concept is a strategic approach to cybersecurity that continuously validates every stage of a digital interaction?
Incident response plan implementation
Zero Trust adoption
Compliance planning
Operations playbook development
Zero Trust is a strategic security approach based on continuous validation rather than implicit trust. Instead of assuming that users, devices, applications, or workloads are trustworthy because they are inside a network boundary, Zero Trust requires verification throughout the digital interaction. This includes validating identity, device posture, application access, least privilege, segmentation, and ongoing behavior. Incident response plans are important after suspicious activity or incidents occur, but they are not the continuous trust validation model. Compliance planning maps controls to regulatory or framework requirements, but compliance alone does not guarantee continuous security verification. Operations playbooks guide repeatable SOC actions, but they are procedural tools rather than the strategic architecture described in the question. Zero Trust adoption changes how access decisions are made: trust is earned, scoped, and re-evaluated, not permanently granted. Reference/topics: Cybersecurity 1.6, Zero Trust; Identity Security 7.1 and 7.2, IAM, MFA, RBAC, least privilege.
What is the function of an antivirus solution?
Regulating traffic based on security rules
Providing users protection against DNS poisoning
Protecting user credentials
Detecting malicious files using malware signatures
The function of an antivirus solution is to detect malicious files using malware signatures and related detection methods. Signature-based detection compares files or code patterns against known malware indicators. Antivirus may also include heuristic, reputation-based, or behavioral detection, but known malware signature scanning is the classic function. Regulating traffic based on security rules is a firewall function. Protecting against DNS poisoning is handled through DNS security, secure resolver behavior, validation mechanisms, and network protections. Protecting user credentials is primarily an identity security function involving MFA, password management, phishing resistance, and access controls. Antivirus is a core endpoint security component because malicious files commonly reach users through downloads, attachments, removable media, compromised websites, or unauthorized software. It helps prevent execution, quarantine malicious content, and alert administrators. While modern endpoint platforms go beyond antivirus, the foundational antivirus role remains malware file detection and prevention on the device. Reference/topics: Endpoint Security 4.3, antivirus; Cybersecurity 1.5, threat prevention practices.
Which packets are considered east-west traffic in a data center?
Those originating from the internet destined to the public IP address of a virtual server
Those sent from a virtual desktop to a cloud-based proxy
Those sent from a cloud-based server to a virtual desktop
Those that move between virtual servers across a virtual switch
East-west traffic is internal traffic moving between systems within the same environment or data center. Packets moving between virtual servers across a virtual switch are east-west because they remain inside the data center or virtualized environment. This traffic may never pass through a traditional perimeter firewall unless the architecture specifically routes it through inspection points. Internet-originated traffic to a public IP address is north-south because it enters the environment from outside. Traffic from a virtual desktop to a cloud-based proxy leaves toward an external or cloud service, making it north-south or external service traffic. Traffic from a cloud-based server to a virtual desktop crosses environment boundaries and is not the clearest east-west example. East-west visibility is critical because attackers who compromise one workload often attempt lateral movement to other internal systems. Segmentation, internal firewalls, workload security, and telemetry help control this risk. Reference/topics: Network Fundamentals 2.2, east-west and north-south traffic; Cloud Security 5.4, virtualization.
In which cloud service model does a company use hardware resources from a cloud service provider?
Platform as a service (PaaS)
Software as a service (SaaS)
Network as a service (NaaS)
Infrastructure as a service (IaaS)
Infrastructure as a Service provides cloud-hosted infrastructure resources such as compute, storage, and networking. In IaaS, the customer uses provider-operated hardware resources without owning the physical servers, racks, power, cooling, or data center facilities. The customer typically remains responsible for securing operating systems, applications, data, identities, and workload configurations. PaaS provides a managed platform for developing and deploying applications, where the provider handles more of the runtime environment. SaaS delivers a complete application that customers consume directly. NaaS delivers networking capabilities as a service. The phrase “hardware resources from a cloud service provider” points directly to IaaS because the customer consumes virtualized infrastructure backed by provider hardware. Security teams must understand IaaS because it creates a shared responsibility boundary: the provider secures the physical infrastructure, while the customer secures what they build, configure, and run on top of it. Reference/topics: Cloud Security 5.2, IaaS, PaaS, SaaS, NaaS; Cloud Security 5.3, shared responsibility.
What is a desired outcome of automation in a security operations center (SOC)?
Increased number of alerts
Increased MTTR
Increased efficiency
Increased false positives
The desired outcome of SOC automation is increased efficiency. Automation allows repetitive, time-sensitive, and well-defined tasks to be executed consistently without requiring manual analyst effort every time. Examples include indicator enrichment, alert deduplication, ticket creation, endpoint isolation, user notification, or evidence collection. Automation should reduce workload, improve response speed, and help analysts spend more time on judgment-heavy investigation. Increasing the number of alerts is not desirable; alert volume should be reduced or better prioritized. Increasing MTTR is also undesirable because mean time to respond or recover should decrease as processes mature. Increasing false positives is harmful because it consumes analyst time and can cause alert fatigue. In a mature SOC, automation is often paired with playbooks and SOAR tooling so that repeatable response steps can be executed reliably while still allowing analyst approval for sensitive actions. Reference/topics: Security Operations 6.2, automation and AI; Security Operations 6.6, SOAR and SIEM.
What is an initial action when investigating a security incident?
Identify indicators of compromise.
Create a timeline of events.
Write a threat intelligence report.
Remove threats from the system.
An initial action in incident investigation is to identify indicators of compromise, often called IOCs. IOCs are observable artifacts that suggest malicious activity, such as suspicious IP addresses, domains, file hashes, registry keys, process names, login patterns, or unusual network connections. Identifying IOCs helps determine whether an incident exists, what systems may be affected, and what evidence should be collected next. Creating a timeline is important, but it normally depends on first gathering relevant indicators and event data. Writing a threat intelligence report is a later analytical or communication activity. Removing threats from the system is part of containment or eradication and should be performed carefully after enough evidence is preserved and scope is understood. In security operations, moving too quickly to remove artifacts can destroy evidence and weaken understanding of the incident. The investigation process should establish source, scope, impact, and containment priorities. Reference/topics: Security Operations 6.1, investigate and mitigate; Security Operations 6.3, incident response plan.
Batch 4 — Questions 41–55
Which cloud computing model allows a single organization to keep its data in a private environment but also access the scalability and cost-effectiveness of public resources?
Hybrid
Public
Community
Private
A hybrid cloud model combines private cloud or private infrastructure with public cloud resources. It allows an organization to keep sensitive workloads or data in a controlled private environment while using public cloud capacity for elasticity, scalability, geographic reach, or cost optimization. This model is common when organizations have regulatory requirements, legacy systems, or sensitive datasets that cannot be moved fully into a public cloud, but still need the flexibility of public services. A public cloud is shared provider-operated infrastructure available to many customers. A private cloud is dedicated to one organization but does not inherently provide public cloud scalability unless integrated with it. A community cloud is shared by organizations with common requirements, such as sector-specific compliance needs. Hybrid cloud security requires consistent visibility, identity controls, policy enforcement, and shared responsibility awareness across both private and public components. Reference/topics: Cloud Security 5.1, cloud-computing deployment models; Cloud Security 5.3, shared responsibility model.
What is a software service that defines user or group identities in software environments and associates permissions?
IAM
WAN
IKE
DNS
Identity and Access Management, or IAM, defines and manages identities, groups, roles, authentication methods, and permissions in software environments. IAM determines who a user or service is and what resources that identity is allowed to access. It commonly includes user lifecycle management, authentication, authorization, role-based access control, federation, single sign-on, and access policy enforcement. WAN refers to a wide area network and has no direct role in defining user identities. IKE is used to establish authenticated communication channels for IPsec VPNs. DNS translates domain names to IP addresses. IAM is central to modern cybersecurity because identity often becomes the new perimeter in cloud and SaaS environments. If attackers compromise credentials or overprivileged identities, they may access sensitive data without exploiting a traditional network vulnerability. Strong IAM requires least privilege, MFA, access reviews, logging, and proper lifecycle management. Reference/topics: Identity Security 7.1, IAM components; Identity Security 7.1.5, RBAC.
Which type of device does a Host-Based Intrusion Detection System (HIDS) monitor?
Appliance
Computer
Switch
Router
A Host-Based Intrusion Detection System monitors an individual host, which is typically a computer, server, or endpoint device. Its purpose is to inspect activity occurring on that system rather than traffic across an entire network segment. A HIDS can evaluate system logs, file integrity, configuration changes, authentication events, and suspicious local behavior. This distinguishes it from a Network-Based Intrusion Detection System, which observes packets traversing a network link or segment. A switch and router are network infrastructure devices, and while they may generate logs or support monitoring, they are not the primary monitored object of a HIDS. The term “appliance” is too broad and usually refers to a dedicated hardware or virtual security device. Palo Alto Networks lists IDS, HIDS, and NIDS as common threat detection systems in the Cybersecurity Apprentice Cybersecurity domain, requiring candidates to distinguish where each system operates and what it observes. Reference: Cybersecurity Apprentice Datasheet, Cybersecurity 1.4.
What is responsible for securing web access for managed and unmanaged devices?
IDS
Cloud workload protection (CWP)
Enterprise browser
VLAN
An enterprise browser secures web access by applying organizational security controls directly within the browser experience. This is especially useful for both managed and unmanaged devices because browser-based controls can protect access to SaaS applications, web resources, and sensitive data even when the endpoint is not fully controlled by the organization. Enterprise browsers may enforce policy, isolate risky activity, control downloads and uploads, inspect web sessions, and reduce data leakage. An IDS detects suspicious activity but does not secure browser access. Cloud workload protection protects workloads such as servers, containers, or cloud runtime environments, not user web browsing. VLANs segment network traffic but do not provide browser-level controls for managed and unmanaged devices. As work increasingly happens through web and SaaS applications, securing the browser becomes an important way to control user interaction with enterprise resources. Reference/topics: Network Security 3.6, enterprise browsers; Network Security 3.3, URL filtering and proxies.
What is the primary responsibility of the cloud provider in the cloud shared responsibility model?
Configuring application-level security settings
Securing underlying physical servers and network infrastructure
Providing end-user training on application usage
Monitoring and managing user access and permissions
In the cloud shared responsibility model, the cloud provider is primarily responsible for the security of the cloud: the physical facilities, host servers, storage hardware, networking equipment, and foundational infrastructure used to deliver services. Therefore, securing underlying physical servers and network infrastructure is the provider responsibility. Customers are responsible for security in the cloud, which includes how they configure services, protect data, manage identities, and secure applications. Application-level settings are usually controlled by the customer or application owner. User access and permissions are identity-layer responsibilities and normally remain with the customer, even if the provider supplies IAM tools. End-user training is an organizational governance responsibility, not a provider obligation. The exact division changes by service model: SaaS shifts more operational responsibility to the provider, while IaaS leaves more configuration and workload security responsibility with the customer. Reference/topics: Cloud Security 5.3, cloud shared responsibility model; Cloud Security 5.2, SaaS, PaaS, IaaS, NaaS.
What is a function of least privilege in Identity and Access Management (IAM)?
Providing temporary access to resources for all users
Granting users permission to all resources in the network
Ensuring network users have the same access level for simplicity
Allowing users the minimum permissions necessary to perform their jobs
Least privilege means users, services, and systems receive only the permissions required to perform their legitimate duties. This reduces risk because a compromised account or misused identity has a smaller blast radius. For example, an employee who only needs to read reports should not have administrator rights to modify databases or deploy code. Temporary access may be part of just-in-time access, but providing temporary access to all users is not least privilege. Granting permission to all resources is the opposite of least privilege. Giving every user the same access level may simplify administration, but it creates excessive privilege and increases exposure. Least privilege should be enforced through IAM policies, RBAC, privileged access management, access reviews, and strong authentication. It is one of the most important identity security principles because many breaches become severe only after attackers obtain accounts with broader permissions than necessary. Reference/topics: Identity Security 7.2.3, least privilege; Identity Security 7.1.5, RBAC.
How is Zero Trust implemented on a network?
By assigning all security to a proxy solution
By designating failover paths
By inspecting and validating traffic continuously
By removing excess network devices
Zero Trust is implemented by continuously inspecting and validating traffic, identity, device posture, application access, and behavior. The model does not assume trust based on network location. Instead, every access request should be verified, authorized, and limited to what is necessary. Assigning all security to a proxy solution is too narrow; Zero Trust is an architecture and operating model, not a single product. Designating failover paths improves availability, but it does not implement Zero Trust. Removing excess network devices may simplify infrastructure but does not create continuous validation. In a network context, Zero Trust commonly includes segmentation, least privilege access, strong authentication, application-aware policy, traffic inspection, and continuous monitoring. The goal is to reduce implicit trust and limit the blast radius if a user, device, or workload is compromised. A helpful analogy: Zero Trust is not one locked front door; it is badge checks throughout the building. Reference/topics: Cybersecurity 1.6, Zero Trust; Network Security 3.1 and 3.2.
Which type of attack involves employees using their credentials to copy proprietary software onto an external drive?
Insider threat
Social engineering
Spear phishing
Identity theft
An insider threat involves a trusted user, such as an employee, contractor, or partner, misusing authorized access to harm the organization or expose sensitive assets. In this scenario, employees use valid credentials to copy proprietary software onto an external drive. The issue is not that an attacker stole their identity or tricked them through phishing; the users already have access and are misusing it. Social engineering manipulates people into taking unsafe actions. Spear phishing is a targeted form of social engineering, typically involving crafted messages to steal credentials or deliver malware. Identity theft involves unauthorized use of someone else’s identity. Insider threats are difficult because activity may appear legitimate at first: the user logs in normally and accesses systems they may be permitted to use. Controls such as least privilege, DLP, behavior analytics, logging, removable media restrictions, and strong offboarding processes help reduce insider risk. Reference/topics: Cybersecurity 1.3, insider threat; Network Security 3.5, DLP; Identity Security 7.2.3, least privilege.
Which device reads information from packets at the application layer of the OSI model to determine if traffic should be forwarded?
Switch
Next-generation firewall
WAN accelerator
Router
A next-generation firewall is designed to inspect traffic at higher layers, including application-layer information, before deciding whether traffic should be forwarded. It can identify applications, users, content, and threats instead of relying only on ports and IP addresses. This application awareness enables more precise policy decisions, such as allowing sanctioned business applications while blocking evasive or risky applications using the same port. A switch forwards frames using Layer 2 information. A router forwards packets based on Layer 3 addresses and routing decisions. A WAN accelerator improves performance over wide area links and does not primarily make application-layer security enforcement decisions. The application-layer capability is what makes NGFW policy more effective than traditional port-based filtering. In modern networks, many applications use web ports, so inspecting only TCP 80 or 443 is insufficient. Reference/topics: Network Security 3.2, NGFWs; Network Fundamentals 2.6 and 2.7, OSI model and network devices.
In infrastructure as a service (IaaS), which cloud component is the cloud service provider responsible for securing in the shared responsibility model?
Physical wires and switches in the provider’s infrastructure
API requests between microservices, such as back-end business logic traffic
Database queries between cloud application services and external-facing web services
Traffic from workloads to third-party services on the internet, such as authentication providers
In IaaS, the cloud provider is responsible for securing the physical infrastructure that supports the service, including physical wires, switches, data centers, servers, and foundational hardware. Customers consume virtualized compute, storage, and networking but do not manage the provider’s physical facilities or underlying hardware fabric. API requests between microservices, database queries between application services, and workload traffic to third-party services are customer or application-owner responsibilities because they involve workload architecture, application logic, network policy, identity, and data protection. The shared responsibility model is especially important in IaaS because customers have significant control over operating systems, applications, configurations, and traffic flows. A common mistake is assuming the provider secures everything simply because the workload runs in the cloud. In reality, the provider secures the cloud infrastructure, while the customer secures what they deploy, configure, and expose. Reference/topics: Cloud Security 5.3, shared responsibility model; Cloud Security 5.2, IaaS.
Which type of segmentation divides traffic based on the interface on which a packet is received or sent?
Zone
Port
Application
Role
Zone segmentation groups traffic based on logical security zones, commonly tied to interfaces or interface groups. A firewall can apply policy depending on the source zone and destination zone, such as trust, untrust, DMZ, data center, or guest. If a packet enters or exits through an interface assigned to a specific zone, that zone becomes part of the policy decision. Port-based segmentation would focus on physical or logical ports, but in firewall security design, zones are the standard construct for interface-based policy grouping. Application segmentation divides traffic based on the application being used. Role-based segmentation uses user or device roles. Zone segmentation is powerful because it allows administrators to express trust boundaries and enforce policy between parts of the network. It is often combined with VLANs, IP subnets, and application-aware controls to create layered segmentation. Reference/topics: Network Security 3.1, zone segmentation; Network Security 3.2, firewall policy enforcement.
What is an example of a vulnerability?
Code misconfiguration
Trojan
Attack on flawed code
Virus
A vulnerability is a weakness that can be exploited by a threat actor. A code misconfiguration is a vulnerability because it represents an error or unsafe condition in how software, infrastructure, or access is configured. Examples include exposed administrative interfaces, missing authentication checks, overly permissive storage permissions, or insecure default settings. A trojan and a virus are forms of malware, not vulnerabilities. An attack on flawed code is an exploit or exploitation attempt, because it uses the weakness rather than being the weakness itself. The distinction is important: vulnerability is the condition, exploit is the method used to take advantage of it, and threat actor is the entity performing the action. Security programs reduce risk by discovering vulnerabilities, prioritizing them by severity and exposure, and applying remediation such as patching, configuration changes, compensating controls, or access restrictions. Reference/topics: Cybersecurity 1.1, vulnerabilities and exploits; Cybersecurity 1.3, common attack types.
What are two internet of things (IoT) devices? (Choose two.)
Laptop
Router
Security camera
Patient imaging machine
Internet of Things devices are specialized connected devices that communicate over networks but are not general-purpose user workstations. A security camera is a common IoT device because it collects video, connects to a network, and is often managed remotely. A patient imaging machine is also an IoT or medical IoT device because it is a specialized connected system used in healthcare environments to collect or process clinical data. These devices often have embedded operating systems, unique protocols, long replacement cycles, and limited local security controls. A laptop is an endpoint, but it is a general-purpose computing device rather than a typical IoT device. A router is a network infrastructure device; although some consumer routers have smart features, the certification context distinguishes infrastructure devices from IoT examples. IoT security matters because these devices can expand the attack surface, may be difficult to patch, and often require visibility and segmentation. Palo Alto Networks places IoT devices and endpoints under the Endpoint Security domain. Reference: Cybersecurity Apprentice Datasheet, Endpoint Security 4.1.
What does DNS provide?
List of local RIP tables
Translation of a domain name into an IP address
Creation of an IPSec tunnel between networks
Network scanning for any vulnerabilities
DNS provides translation between human-readable domain names and IP addresses. For example, users remember domain names, while network communication requires IP addresses to route traffic. DNS resolves the name to the address needed for the connection. DNS does not provide local RIP tables; RIP is a routing protocol. It does not create IPsec tunnels; VPN technologies and protocols such as IKE and IPsec handle that. DNS also does not scan networks for vulnerabilities. From a security perspective, DNS is highly important because many attacks rely on domain names for phishing, malware delivery, command-and-control, or data exfiltration. DNS logs can help investigators identify suspicious lookups, newly registered domains, and connections to known malicious infrastructure. DNS security controls may block or sinkhole malicious domains before a connection is established. In simple terms, DNS is the phonebook of network communication, but it is also a valuable security telemetry source. Reference/topics: Network Fundamentals 2.4, DNS; Cybersecurity 1.3, C2 and common attack types.
Which components are secured by the cloud provider in a shared responsibility model?
Virtual machines
On-premises connectivity to hosts
Website authentication
Host servers
In the cloud shared responsibility model, the provider secures the underlying cloud infrastructure, including physical host servers. These servers are part of the provider-operated environment that supports customer workloads. Customers generally do not manage physical access, hardware maintenance, power, cooling, or the foundational physical network in public cloud services. Virtual machines are usually customer-managed in IaaS because the customer controls the guest operating system, configuration, applications, and data. On-premises connectivity to hosts remains the customer’s responsibility because it involves the customer’s network, VPN, routing, or direct connectivity. Website authentication is an application and identity responsibility controlled by the customer or application owner. The provider secures the cloud; the customer secures what they deploy and configure in the cloud. Understanding this boundary prevents dangerous assumptions, such as believing the provider automatically secures customer workloads or identities. Reference/topics: Cloud Security 5.3, shared responsibility model; Cloud Security 5.2, IaaS and SaaS.
Which event would generate a false positive alert?
A firewall categorizes a benign application as malicious.
A network sensor is unable to identify a custom application.
A network tunnel accidentally switches from one route to another.
An employee attempts to access an unauthorized application.
A false positive occurs when a security control identifies normal or benign activity as malicious. If a firewall categorizes a benign application as malicious, it generates an alert or enforcement decision that incorrectly indicates threat activity. That is the definition of a false positive. A network sensor being unable to identify a custom application is a visibility or classification limitation, but not necessarily a false positive unless it incorrectly labels the traffic as malicious. A tunnel switching routes may be a network event or availability issue. An employee attempting to access an unauthorized application may be a true policy violation, even if it is not malicious. False positives matter because they consume analyst time, reduce trust in alerts, and contribute to alert fatigue. SOC teams reduce false positives by tuning rules, improving context, using baselines, adding allow lists carefully, and refining detection logic. Reference/topics: Security Operations 6.4, false positive and false negative alerts; Network Security 3.2, firewall policy enforcement.
Which tool resides on a host to identify malicious activity?
Instruction Detection System (IDS)
Unified threat detection device
Endpoint protection agent
Next-generation firewall appliance
An endpoint protection agent is software installed directly on a host, such as a workstation, laptop, or server, to monitor local activity and identify malicious behavior. Because it resides on the endpoint, it can observe processes, files, registry changes, network connections, and user activity that may not be visible to a perimeter security device. This makes it especially useful for detecting malware execution, suspicious scripts, privilege abuse, and post-compromise activity. An IDS may detect suspicious patterns, but the answer is not precise because IDS can be network-based or host-based and is not necessarily an agent. A next-generation firewall appliance is typically deployed inline at a network control point, not directly on the host. “Unified threat detection device” is not the standard course term for a host-resident control. The Palo Alto Networks Cybersecurity Apprentice blueprint places endpoint protection components under Endpoint Security and also recognizes host-based detection concepts under cybersecurity threat detection systems. Reference: Cybersecurity Apprentice Datasheet, Endpoint Security 4.3 and Cybersecurity 1.4.
What does NAT convert?
Port to port
Port to IP address
IP address to IP address
IP address to port
NAT, or Network Address Translation, converts one IP address to another IP address. It is commonly used to translate private internal addresses to public addresses when devices access the internet. NAT can also be used for inbound access to internal services through destination NAT. Some NAT implementations use port address translation, where multiple internal private addresses share one public IP address by tracking different ports, but the fundamental NAT function is IP address translation. Therefore, “IP address to IP address” is the best answer. NAT does not simply convert ports to ports or IP addresses to ports as its main purpose. NAT helps conserve public IPv4 addresses and can hide internal addressing schemes, but it should not be treated as a complete security control. Security still requires firewall policies, logging, segmentation, and threat prevention. NAT changes addressing; it does not decide whether traffic is safe. Reference/topics: Network Fundamentals 2.4, NAT; Network Security 3.2, firewall policy.
What is a documented strategy outlining how an organization will detect, respond to, and recover from cybersecurity attacks or other disruptions?
Security framework alignment
MTTR
MTTD
Incident response plan
An incident response plan is the documented strategy that defines how an organization detects, analyzes, contains, eradicates, recovers from, and learns from cybersecurity incidents or disruptive events. It assigns responsibilities, escalation paths, communication rules, evidence-handling expectations, and recovery procedures so that teams can act quickly under pressure. MTTR, or mean time to respond/recover, is a performance metric that measures how long response or recovery takes. MTTD, or mean time to detect, measures detection speed. Security framework alignment helps map controls and practices to recognized standards, but it is not the operational response document itself. A strong incident response plan reduces confusion during an event because teams do not need to invent roles and procedures while an attack is unfolding. It also improves post-incident review by creating a baseline for what should have happened. Reference/topics: Security Operations 6.3, incident response plan and disaster recovery plan; Security Operations 6.1, investigate, mitigate, improve functions.
Which layer exists in the OSI model but not in the TCP/IP model?
Network
Application
Transport
Presentation
The Presentation layer exists in the OSI model but is not represented as a separate layer in the TCP/IP model. The OSI model uses seven layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application. The Presentation layer is responsible for data formatting, translation, encoding, compression, and encryption-related representation functions. In the TCP/IP model, these responsibilities are generally absorbed into the Application layer rather than separated into their own layer. The Network, Transport, and Application concepts all exist in both models, although naming and boundaries differ. For example, TCP/IP uses an Internet layer that maps closely to the OSI Network layer, and it has a Transport layer for protocols such as TCP and UDP. Understanding these differences matters because security controls often operate at different layers. Palo Alto Networks includes the TCP/IP model and OSI model, as well as devices operating across Layers 1 through 4, in the Network Fundamentals domain. Reference: Cybersecurity Apprentice Datasheet, Network Fundamentals 2.6 and 2.7.
Which device is an endpoint?
Smart light bulb
Smart plug
Display monitor
Smart watch
A smartwatch is an endpoint because it is a network-connected computing device used by an individual and capable of running software, storing data, communicating with other systems, and interacting with user accounts or services. Endpoint security includes more than traditional desktops and laptops; it also covers mobile devices and connected personal devices that can introduce risk. A smart light bulb and smart plug are better categorized as IoT devices because they are specialized connected devices with embedded functionality and limited general-purpose user computing capability. A display monitor is normally a peripheral, not an endpoint, because it does not independently process network traffic or host applications in the same way. The key endpoint concept is that the device sits at the edge of the network where users, applications, identities, and data interact. Attackers often target endpoints because they provide a practical path into accounts, applications, and internal systems. Reference/topics: Endpoint Security 4.1, IoT devices and endpoints; Endpoint Security 4.2, objectives of endpoint security.
Which device operates at OSI Layer 2?
Hub
Switch
Router
Modem
A switch operates primarily at OSI Layer 2, the Data Link layer. It forwards Ethernet frames based on MAC addresses and builds a MAC address table to determine which port should receive traffic. This makes switching more efficient than a hub, which operates at Layer 1 and repeats signals without understanding frames. A router operates at Layer 3 by forwarding packets based on IP addresses and routing tables. A modem is generally associated with physical or access-layer signal conversion rather than Layer 2 switching. Layer 2 switching is important for local network communication, VLAN segmentation, and broadcast domain control. Security teams need to understand Layer 2 because attacks such as MAC flooding, VLAN hopping, and ARP spoofing can occur at this level. While switches are not the same as firewalls, proper switch configuration supports network segmentation and reduces unnecessary traffic exposure. Reference/topics: Network Fundamentals 2.7, devices operating Layers 1 through 4; Network Security 3.1, VLANs.
What is a function of a cloud-native security platform (CNSP)?
Protecting applications at runtime
Generating cost analysis
Sandboxing ransomware
Executing penetration testing
A cloud-native security platform protects cloud-native applications across their lifecycle, including runtime. Runtime protection means monitoring and securing workloads while they are actively running, such as containers, microservices, serverless functions, Kubernetes clusters, and cloud workloads. This can include detecting suspicious process behavior, enforcing workload policies, identifying misconfigurations, controlling network connections, and responding to active threats. Cost analysis may exist in cloud management platforms, but it is not a core CNSP security function. Sandboxing ransomware is a malware analysis technique, not the defining role of a cloud-native security platform. Penetration testing may be part of security assessment, but CNSP is designed for continuous visibility, posture, identity, workload, and runtime security rather than one-time offensive testing. CNSP matters because cloud-native environments are dynamic: workloads scale, containers are replaced, APIs interact continuously, and identities drive access. Security must therefore be integrated into build, deploy, and runtime phases. Reference/topics: Cloud Security 5.5, CNSP; Cloud Security 5.4, containers, microservices, APIs.
TESTED 16 Jul 2026
