Palo Alto Networks Cybersecurity Apprentice Exam Practice Test
Palo Alto Networks Cybersecurity Apprentice Questions and Answers
Which stage of the cyber attack lifecycle is characterized by attackers passing instructions back and forth between infected devices and their own infrastructure?
Options:
Command and Control (C2)
Weaponization and Delivery
Exploitation
Reconnaissance
Answer: A
Explanation:
Command and Control, or C2, is the phase in which compromised systems communicate with attacker-controlled infrastructure to receive instructions, send status updates, download additional payloads, or coordinate malicious activity. This back-and-forth communication allows attackers to operate the compromised device remotely and adapt their actions after initial compromise. Weaponization and Delivery involve preparing and transmitting the malicious payload, not managing an already infected host. Exploitation is the act of using a vulnerability or weakness to gain unauthorized access. Reconnaissance is information gathering before compromise. C2 is especially important in detection engineering because outbound traffic patterns, unusual domains, beaconing intervals, and connections to suspicious infrastructure can reveal that an endpoint is under external control. Blocking C2 can disrupt an attacker’s ability to move laterally, exfiltrate data, or complete actions on objectives. Reference/topics: Cybersecurity 1.2, cyber attack lifecycle; Cybersecurity 1.3, command and control as a common attack type.
Which components are secured by the cloud provider in a shared responsibility model?
Options:
Virtual machines
On-premises connectivity to hosts
Website authentication
Host servers
Answer: D
Explanation:
In the cloud shared responsibility model, the provider secures the underlying cloud infrastructure, including physical host servers. These servers are part of the provider-operated environment that supports customer workloads. Customers generally do not manage physical access, hardware maintenance, power, cooling, or the foundational physical network in public cloud services. Virtual machines are usually customer-managed in IaaS because the customer controls the guest operating system, configuration, applications, and data. On-premises connectivity to hosts remains the customer’s responsibility because it involves the customer’s network, VPN, routing, or direct connectivity. Website authentication is an application and identity responsibility controlled by the customer or application owner. The provider secures the cloud; the customer secures what they deploy and configure in the cloud. Understanding this boundary prevents dangerous assumptions, such as believing the provider automatically secures customer workloads or identities. Reference/topics: Cloud Security 5.3, shared responsibility model; Cloud Security 5.2, IaaS and SaaS.
What does a host-based firewall primarily attempt to prevent?
Options:
Exhaustion of network memory resources
Privilege escalation
Pop-up advertisements
Unauthorized or suspicious network connections
Answer: D
Explanation:
A host-based firewall controls network connections to and from an individual endpoint or server. Its primary purpose is to prevent unauthorized or suspicious network connections by enforcing local rules based on ports, protocols, applications, network profiles, or direction of traffic. For example, it can block inbound connections to services that should not be exposed or restrict outbound traffic from suspicious applications. Exhaustion of network memory resources describes a denial-of-service concern, not the normal role of a host firewall. Privilege escalation is an endpoint attack technique, but it is usually addressed through patching, least privilege, exploit prevention, and operating system hardening rather than host firewall rules alone. Pop-up advertisements are typically handled by browser controls or anti-adware functions. Host-based firewalls are valuable because they continue to enforce policy even when the device moves between networks, such as home, office, and public Wi-Fi. Reference/topics: Endpoint Security 4.3, host-based firewalls; Endpoint Security 4.2, endpoint security objectives.
What is a result of the Actions on the Objective phase in the cyber attack lifecycle?
Options:
Host sweeps and port scans are performed.
Outbound communication channels are established.
Data is exfiltrated and web property is defaced.
Exploits are launched against a vulnerable application.
Answer: C
Explanation:
Actions on the Objective is the stage where the attacker performs the mission they intended to accomplish. This may include stealing data, encrypting systems for ransom, defacing a website, destroying information, disrupting services, or manipulating business processes. Data exfiltration and web property defacement are clear outcomes of this phase because the attacker has already progressed through earlier stages and is now achieving the final goal. Host sweeps and port scans belong to reconnaissance because they help identify targets. Outbound communication channels are associated with Command and Control, where compromised systems exchange instructions with attacker infrastructure. Exploits launched against a vulnerable application occur during the exploitation phase. Understanding this lifecycle helps defenders align controls: reconnaissance can be limited through exposure management, delivery can be filtered, exploitation can be blocked through patching and IPS, C2 can be detected through outbound monitoring, and actions on objectives can be constrained by segmentation and DLP. Reference/topics: Cybersecurity 1.2, cyber attack lifecycle.
What is the primary responsibility of the cloud provider in the cloud shared responsibility model?
Options:
Configuring application-level security settings
Securing underlying physical servers and network infrastructure
Providing end-user training on application usage
Monitoring and managing user access and permissions
Answer: B
Explanation:
In the cloud shared responsibility model, the cloud provider is primarily responsible for the security of the cloud: the physical facilities, host servers, storage hardware, networking equipment, and foundational infrastructure used to deliver services. Therefore, securing underlying physical servers and network infrastructure is the provider responsibility. Customers are responsible for security in the cloud, which includes how they configure services, protect data, manage identities, and secure applications. Application-level settings are usually controlled by the customer or application owner. User access and permissions are identity-layer responsibilities and normally remain with the customer, even if the provider supplies IAM tools. End-user training is an organizational governance responsibility, not a provider obligation. The exact division changes by service model: SaaS shifts more operational responsibility to the provider, while IaaS leaves more configuration and workload security responsibility with the customer. Reference/topics: Cloud Security 5.3, cloud shared responsibility model; Cloud Security 5.2, SaaS, PaaS, IaaS, NaaS.
What is a software service that defines user or group identities in software environments and associates permissions?
Options:
IAM
WAN
IKE
DNS
Answer: A
Explanation:
Identity and Access Management, or IAM, defines and manages identities, groups, roles, authentication methods, and permissions in software environments. IAM determines who a user or service is and what resources that identity is allowed to access. It commonly includes user lifecycle management, authentication, authorization, role-based access control, federation, single sign-on, and access policy enforcement. WAN refers to a wide area network and has no direct role in defining user identities. IKE is used to establish authenticated communication channels for IPsec VPNs. DNS translates domain names to IP addresses. IAM is central to modern cybersecurity because identity often becomes the new perimeter in cloud and SaaS environments. If attackers compromise credentials or overprivileged identities, they may access sensitive data without exploiting a traditional network vulnerability. Strong IAM requires least privilege, MFA, access reviews, logging, and proper lifecycle management. Reference/topics: Identity Security 7.1, IAM components; Identity Security 7.1.5, RBAC.
What are two components of multi-factor authentication (MFA)? (Choose two.)
Options:
Something you know
Something you observe
Something you have
Something you create
Answer: A, C
Explanation:
Multi-factor authentication uses two or more distinct categories of authentication factors. The standard categories include something you know, such as a password or PIN; something you have, such as a smart card, hardware token, or authenticator device; and something you are, such as a fingerprint or facial biometric. Therefore, “something you know” and “something you have” are valid MFA components. “Something you observe” and “something you create” are not standard MFA factor categories in this context. MFA improves security because a stolen password alone is not enough to authenticate if another independent factor is required. However, not all MFA is equally strong. Push fatigue attacks and phishing can still defeat weak implementations, so phishing-resistant MFA and proper user education are preferred. MFA is one of the most practical identity controls for reducing account takeover risk. Reference/topics: Identity Security 7.1.2, single-factor and multifactor authentication; Identity Security 7.1, IAM components.
Which tunnel protocol is used to secure communications over HTTPS?
Options:
IKE
GRE
SSH
TLS
Answer: D
Explanation:
TLS, or Transport Layer Security, is the protocol used to secure HTTPS communications. HTTPS is HTTP carried over TLS, which provides encryption, integrity protection, and server authentication through certificates. TLS prevents eavesdroppers from easily reading web traffic and helps ensure that clients are communicating with the intended server rather than an impostor. IKE is used in IPsec VPN negotiation to establish authenticated security associations. GRE is a tunneling protocol that encapsulates traffic but does not inherently provide encryption. SSH secures remote shell and administrative sessions, and can support tunneling, but it is not the protocol that secures HTTPS. TLS is central to modern web security because web applications, APIs, SaaS platforms, and identity providers depend on protected browser-to-server communication. However, TLS must be deployed correctly with valid certificates, strong protocol versions, and secure cipher suites. Reference/topics: Network Security 3.4, tunneling protocols including TLS, SSH, and IKE; Network Security 3.3, secure web access.
Batch 5 — Questions 56–70
What is an encrypted connection that secures data transmission between devices over the internet?
Options:
WAN
MPLS
CASB
VPN
Answer: D
Explanation:
A VPN, or virtual private network, creates an encrypted connection that secures data transmission between devices or sites over an untrusted network such as the internet. VPNs are commonly used for remote access by employees and for site-to-site connectivity between offices, cloud networks, or data centers. The encryption protects confidentiality and helps prevent interception or tampering while traffic crosses networks not controlled by the organization. A WAN is a broad network spanning geographic areas and is not inherently encrypted. MPLS is a carrier service used for private network connectivity, but it is not by itself the same as an encrypted VPN. A CASB is a cloud access security broker used to enforce security controls for cloud applications. VPNs are important because they extend trusted access across untrusted transport, but they must still be combined with authentication, authorization, segmentation, endpoint posture checks, and monitoring. Reference/topics: Network Security 3.3, VPNs; Network Security 3.4, tunneling protocols.
Which pillar should a company focus on first when establishing a new security operations department?
Options:
Technology
Processes
People
Business
Answer: C
Explanation:
People should be the first pillar when establishing a security operations department. Tools and processes matter, but a SOC ultimately depends on skilled people who understand the environment, interpret alerts, make decisions, communicate risk, and improve operations. Without defined roles, responsibilities, escalation paths, and analyst capability, even advanced technology can become noisy and ineffective. Processes come next because people need repeatable methods for triage, investigation, mitigation, and improvement. Technology should support those people and processes, not replace them. Business context is also essential because the SOC must prioritize what matters most to the organization, but the first practical foundation is staffing and capability. A strong SOC needs analysts, incident responders, engineers, threat intelligence support, leadership, and clear ownership. Security operations is not just a tool stack; it is an operating function that converts telemetry into risk reduction. Reference/topics: Security Operations 6.1, SOC functions; Security Operations 6.2, optimizing SOC performance.
Batch 8 — Questions 101–113
Which device is an endpoint?
Options:
Smart light bulb
Smart plug
Display monitor
Smart watch
Answer: D
Explanation:
A smartwatch is an endpoint because it is a network-connected computing device used by an individual and capable of running software, storing data, communicating with other systems, and interacting with user accounts or services. Endpoint security includes more than traditional desktops and laptops; it also covers mobile devices and connected personal devices that can introduce risk. A smart light bulb and smart plug are better categorized as IoT devices because they are specialized connected devices with embedded functionality and limited general-purpose user computing capability. A display monitor is normally a peripheral, not an endpoint, because it does not independently process network traffic or host applications in the same way. The key endpoint concept is that the device sits at the edge of the network where users, applications, identities, and data interact. Attackers often target endpoints because they provide a practical path into accounts, applications, and internal systems. Reference/topics: Endpoint Security 4.1, IoT devices and endpoints; Endpoint Security 4.2, objectives of endpoint security.
Which type of device does a Host-Based Intrusion Detection System (HIDS) monitor?
Options:
Appliance
Computer
Switch
Router
Answer: B
Explanation:
A Host-Based Intrusion Detection System monitors an individual host, which is typically a computer, server, or endpoint device. Its purpose is to inspect activity occurring on that system rather than traffic across an entire network segment. A HIDS can evaluate system logs, file integrity, configuration changes, authentication events, and suspicious local behavior. This distinguishes it from a Network-Based Intrusion Detection System, which observes packets traversing a network link or segment. A switch and router are network infrastructure devices, and while they may generate logs or support monitoring, they are not the primary monitored object of a HIDS. The term “appliance” is too broad and usually refers to a dedicated hardware or virtual security device. Palo Alto Networks lists IDS, HIDS, and NIDS as common threat detection systems in the Cybersecurity Apprentice Cybersecurity domain, requiring candidates to distinguish where each system operates and what it observes. Reference: Cybersecurity Apprentice Datasheet, Cybersecurity 1.4.
Which type of segmentation divides traffic based on the interface on which a packet is received or sent?
Options:
Zone
Port
Application
Role
Answer: A
Explanation:
Zone segmentation groups traffic based on logical security zones, commonly tied to interfaces or interface groups. A firewall can apply policy depending on the source zone and destination zone, such as trust, untrust, DMZ, data center, or guest. If a packet enters or exits through an interface assigned to a specific zone, that zone becomes part of the policy decision. Port-based segmentation would focus on physical or logical ports, but in firewall security design, zones are the standard construct for interface-based policy grouping. Application segmentation divides traffic based on the application being used. Role-based segmentation uses user or device roles. Zone segmentation is powerful because it allows administrators to express trust boundaries and enforce policy between parts of the network. It is often combined with VLANs, IP subnets, and application-aware controls to create layered segmentation. Reference/topics: Network Security 3.1, zone segmentation; Network Security 3.2, firewall policy enforcement.
Which stage of the cyber attack lifecycle is characterized by an attacker passing instructions back and forth between infected devices and their own infrastructure?
Options:
Command-and-control (C2)
Exploitation
Reconnaissance
Weaponization and Delivery
Answer: A
Explanation:
Command-and-control is the lifecycle stage where compromised systems communicate with attacker-controlled infrastructure. This communication may deliver commands, retrieve additional malware, update configuration, report system status, or prepare for lateral movement and data theft. The phrase “passing instructions back and forth” is the defining signal for C2. Exploitation is the moment an attacker uses a weakness to compromise a system. Reconnaissance is pre-attack information gathering. Weaponization and Delivery involve preparing and transmitting the malicious payload to the target. C2 traffic is a high-value detection opportunity because it often requires outbound communication to domains, IP addresses, or protocols that differ from normal business activity. Defenders look for beaconing patterns, suspicious DNS queries, unusual destinations, and connections to known malicious infrastructure. Disrupting C2 can limit an attacker’s ability to operate even after initial compromise. Reference/topics: Cybersecurity 1.2, cyber attack lifecycle; Cybersecurity 1.3, command and control.
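Both C2 explanations above point to beaconing intervals as a detection signal. The following added example (not part of the practice test, and not Palo Alto Networks code) scores outbound connection pairs by how regular their inter-connection gaps are; the log lines, hosts and thresholds are constructed for illustration.

```python
"""Beacon-interval scoring over constructed outbound connection records.

A compromised host that polls its C2 server tends to connect on a fixed
period with little jitter, while human-driven traffic is irregular. The
coefficient of variation (stdev / mean) of the gaps between connections
captures that difference: low CV means machine-like regularity.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src dst" outbound connection records.
# 10.0.0.5 -> 203.0.113.7 connects roughly every 60 s (beacon-like);
# 10.0.0.8 -> 198.51.100.20 connects at irregular, browsing-like gaps.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.7
2024-05-01T09:00:03 10.0.0.8 198.51.100.20
2024-05-01T09:01:01 10.0.0.5 203.0.113.7
2024-05-01T09:01:40 10.0.0.8 198.51.100.20
2024-05-01T09:02:00 10.0.0.5 203.0.113.7
2024-05-01T09:02:59 10.0.0.5 203.0.113.7
2024-05-01T09:03:02 10.0.0.8 198.51.100.20
2024-05-01T09:04:01 10.0.0.5 203.0.113.7
2024-05-01T09:05:00 10.0.0.5 203.0.113.7
2024-05-01T09:12:30 10.0.0.8 198.51.100.20
2024-05-01T09:13:00 10.0.0.8 198.51.100.20
"""


def parse_log(text):
    """Group connection timestamps by (src, dst) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation) for a pair."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = mean(gaps)
    cv = pstdev(gaps) / period if period else float("inf")
    return period, cv


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag pairs with enough connections and near-constant spacing.

    min_connections avoids scoring pairs with too few gaps to judge;
    max_cv is the regularity threshold (tune per environment).
    """
    flagged = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        period, cv = beacon_score(times)
        if cv <= max_cv:
            flagged.append({"src": src, "dst": dst,
                            "period_s": round(period, 1), "cv": round(cv, 3)})
    return flagged


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {hit['src']} -> {hit['dst']} "
              f"period={hit['period_s']}s cv={hit['cv']}")
```

Regularity alone is not a verdict: scheduled updaters also beacon, so the score is meant to be combined with destination reputation, DNS anomalies and process context before an alert is raised.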
Which device operates at OSI Layer 2?
Options:
Hub
Switch
Router
Modem
Answer: B
Explanation:
A switch operates primarily at OSI Layer 2, the Data Link layer. It forwards Ethernet frames based on MAC addresses and builds a MAC address table to determine which port should receive traffic. This makes switching more efficient than a hub, which operates at Layer 1 and repeats signals without understanding frames. A router operates at Layer 3 by forwarding packets based on IP addresses and routing tables. A modem is generally associated with physical or access-layer signal conversion rather than Layer 2 switching. Layer 2 switching is important for local network communication, VLAN segmentation, and broadcast domain control. Security teams need to understand Layer 2 because attacks such as MAC flooding, VLAN hopping, and ARP spoofing can occur at this level. While switches are not the same as firewalls, proper switch configuration supports network segmentation and reduces unnecessary traffic exposure. Reference/topics: Network Fundamentals 2.7, devices operating Layers 1 through 4; Network Security 3.1, VLANs.
A data center needs to secure its infrastructure from network-based threats. Which two technologies will address this need? (Choose two.)
Options:
Next-generation firewall
Intrusion prevention system (IPS)
Intrusion detection system (IDS)
Proxy
Answer: A, B
Explanation:
A next-generation firewall and an intrusion prevention system are appropriate technologies for securing data center infrastructure from network-based threats. The NGFW enforces application-aware security policy and can inspect traffic for threats. An IPS inspects traffic inline and blocks malicious packets or exploit attempts before they reach protected systems. An IDS is valuable for detection and alerting, but because it is generally passive, it does not provide the same preventive control as IPS. A proxy can secure certain traffic flows, especially web traffic, but it is not the broadest answer for protecting general data center infrastructure. Data centers require preventive controls because attacks may target public-facing services, internal applications, management interfaces, or east-west workload traffic. NGFW and IPS technologies help reduce exposure by enforcing policy, blocking known threats, and supporting segmentation. Reference/topics: Network Security 3.2, NGFWs; Cybersecurity 1.5, intrusion prevention systems and firewalls.
What is a self-contained operating environment that behaves like a computer separate from the physical host?
Options:
WAN accelerator
Virtual Machine (VM)
Hypervisor
Container
Answer: B
Explanation:
A virtual machine is a self-contained operating environment that behaves like a separate computer while running on a physical host. A VM includes its own guest operating system, virtual CPU, memory, storage, and network interfaces. Multiple VMs can run on a single physical server through a hypervisor, which allocates and manages physical resources. A hypervisor enables virtualization, but it is not the guest operating environment itself. A container packages an application and dependencies while sharing the host operating system kernel, making it lighter than a VM. A WAN accelerator improves performance over wide area links and is unrelated to virtualization. VMs are foundational to cloud computing because they allow providers to abstract physical hardware and offer flexible compute resources to customers. Security teams must secure VMs by hardening guest operating systems, patching, controlling access, monitoring activity, and applying cloud network policies. Reference/topics: Cloud Security 5.4, virtualization and virtual machine; Cloud Security 5.2, IaaS.
What is the purpose of continuous deployment in the CI/CD lifecycle?
Options:
Maintaining a state in which any version of the software can be deployed to a production environment.
Merging code changes into a central repository
Packaging code into a Docker container for deployment
Automatically deploying every change that passes the automated tests to production, minimizing lead time
Answer: D
Explanation:
Continuous deployment is the CI/CD practice in which every code change that successfully passes automated tests and quality gates is automatically released to production. The purpose is to reduce lead time, accelerate delivery, and make deployments smaller, more frequent, and more repeatable. This differs from continuous delivery, where software is kept in a deployable state but production release may still require manual approval. Merging code changes into a central repository is continuous integration. Packaging code into a Docker container may be part of a pipeline, but it is not the defining purpose of continuous deployment. Maintaining a deployable state describes continuous delivery more closely than continuous deployment. From a security perspective, CI/CD must include guardrails such as code scanning, dependency checks, secrets detection, image scanning, and deployment policy enforcement. Rapid deployment without security checks can spread defects quickly, while secure CI/CD improves both speed and control. Reference/topics: Cloud Security 5.6, CI/CD; Identity Security 7.4, secrets management in CI/CD pipelines.
Which two sets of actions are examples of multi-factor authentication (MFA)? (Choose two.)
Options:
Answering a security question and providing a thumbprint
Entering a PIN and scanning a smart card
Scanning the palm of one hand followed by the other hand
Answering three sequential security questions
Answer: A, B
Explanation:
Multi-factor authentication requires two or more different categories of authentication factors. The standard categories are something you know, something you have, and something you are. Answering a security question is something you know, while providing a thumbprint is something you are, so answer A is MFA. Entering a PIN is something you know, while scanning a smart card is something you have, so answer B is also MFA. Scanning the palm of one hand followed by the other hand uses the same factor category twice: biometrics, or something you are. That may be stronger biometric checking, but it is not multi-factor. Answering three sequential security questions also repeats the knowledge factor and therefore remains single-factor authentication. MFA improves identity security because stolen passwords alone are less useful to attackers when another independent proof is required. Strong MFA should use phishing-resistant methods where possible. Reference/topics: Identity Security 7.1.2, single-factor and multifactor authentication.
What does DHCP provide to a client?
Options:
Zone
MAC address
IP address
Port range
Answer: C
Explanation:
DHCP provides IP addressing information to a client. When a device joins a network, it can request configuration from a DHCP server instead of requiring manual assignment. The server leases an IP address to the client and may also provide subnet mask, default gateway, DNS server, lease duration, and other options. DHCP does not provide a MAC address; the MAC address is assigned to the network interface by the hardware vendor. It does not provide a security zone, which is a firewall or segmentation concept. It also does not assign a port range in the normal client addressing process. DHCP is important operationally because it reduces manual configuration and supports scalable network management. It is also useful in investigations because DHCP lease records can help map an IP address observed in logs to the device that used it at a specific time. Reference/topics: Network Fundamentals 2.4, DHCP; Network Fundamentals 2.3, default gateway.
Which device reads information from packets at the application layer of the OSI model to determine if traffic should be forwarded?
Options:
WAN accelerator
Router
Switch
Next-generation firewall
Answer: D
Explanation:
A next-generation firewall evaluates traffic beyond basic ports, protocols, and IP addresses. It can inspect application-layer information to identify the actual application, user context, content, and threat indicators before deciding whether traffic should be allowed, blocked, or further inspected. This is the defining difference between a traditional firewall and an NGFW. A switch primarily forwards frames using Layer 2 information, such as MAC addresses. A router forwards packets using Layer 3 information, such as destination IP addresses and routing tables. A WAN accelerator improves performance across wide area links but is not primarily a security enforcement device that makes application-layer allow/block decisions. Application-aware inspection matters because modern applications may use common ports such as TCP 443, making port-only policy insufficient. NGFWs address this by classifying traffic according to application behavior and enforcing security policy accordingly. Reference/topics: Network Security 3.2, stateful firewalls and next-generation firewalls; Network Fundamentals 2.6 and 2.7, OSI model and devices.
Which statement best distinguishes a Host-Based Intrusion Detection System (HIDS) from a Network-Based Intrusion Detection System (NIDS)?
Options:
Network-Based is installed on an individual endpoint to monitor all inbound/outbound traffic of that device.
Host-Based is installed on an individual endpoint to monitor all inbound/outbound traffic of that traffic.
Host-Based directly integrates with the endpoint and is known as the last line of defense.
Network-Based directly integrates with the endpoint and is known as the last line of defense.
Answer: C
Explanation:
A HIDS directly integrates with an endpoint or host and monitors activity on that system. It can evaluate logs, file changes, processes, authentication activity, configuration changes, and local indicators that may not be visible on the network. This makes it a last line of defense because it can detect suspicious activity after traffic has reached the host or when malicious activity occurs locally. A NIDS monitors traffic on a network segment rather than being installed on each individual endpoint. Answer A incorrectly describes network-based detection as endpoint-installed. Answer B is awkwardly worded and less precise than answer C. Answer D incorrectly assigns endpoint integration to NIDS. HIDS and NIDS are complementary. NIDS provides broad network visibility, while HIDS provides deep host-level visibility. Security teams use both types of telemetry to understand attack scope and confirm whether suspicious network behavior resulted in endpoint compromise. Reference/topics: Cybersecurity 1.4, IDS, HIDS, and NIDS; Endpoint Security 4.3, host-based controls.
Which statement describes both stateful firewalls and stateless firewalls?
Options:
Stateful firewalls encrypt all traffic they inspect; stateless firewalls only pass through unencrypted traffic.
Stateful firewalls are primary hardware appliances; stateless firewalls are exclusively software-based.
Stateful firewalls only allow access to internal applications; stateless firewalls allow connections only to the internet.
Stateful firewalls track and secure ongoing connections; stateless firewalls inspect each packet individually.
Answer: D
Explanation:
Stateful firewalls track connection state, while stateless firewalls evaluate each packet independently against rules. A stateful firewall maintains a state table that records active sessions, allowing it to understand whether a packet is part of an established connection or an unsolicited attempt. This improves security and usability because return traffic for legitimate sessions can be permitted without writing separate broad rules. A stateless firewall does not remember connection context; it checks packet attributes such as source, destination, protocol, and port each time. Firewalls do not inherently encrypt all inspected traffic, so answer A is incorrect. Stateful and stateless capabilities can exist in hardware, software, virtual, or cloud form, so answer B is incorrect. Answer C incorrectly describes access direction rather than inspection behavior. The key distinction is session awareness. Understanding stateful inspection is foundational because NGFW capabilities build on traffic classification, session tracking, and policy enforcement. Reference/topics: Network Security 3.2, stateful firewalls and NGFWs.
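To make the session-awareness distinction concrete, here is an added simulation (not from the practice test or any vendor product) of a stateless and a stateful packet filter applied to the same three constructed packets. It assumes a hypothetical 10.0.0.0/24 internal range and simplifies sessions to a 5-tuple with no TCP flag or timeout handling.

```python
"""Stateless vs stateful filtering on the same constructed traffic.

The stateless filter must carry a broad "allow inbound from source port
443" rule to let a web server's reply back in, and that same rule also
admits an unsolicited packet that merely claims source port 443. The
stateful filter keeps a session table, so the reply is allowed as part
of an established connection and the unsolicited packet is dropped
without any extra rule.
"""
from dataclasses import dataclass
from typing import Optional

INTERNAL_PREFIX = "10.0.0."   # hypothetical internal range for this demo


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    direction: str               # "out" (leaving internal) or "in"
    proto: str
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None

    def matches(self, p, direction):
        return (self.direction == direction and self.proto == p.proto
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def direction_of(p):
    return "out" if p.src.startswith(INTERNAL_PREFIX) else "in"


class StatelessFirewall:
    """Every packet is judged on its own header fields."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, p):
        d = direction_of(p)
        return any(r.matches(p, d) for r in self.rules)


class StatefulFirewall:
    """Packets are first matched against tracked sessions, then rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()    # (proto, src, sport, dst, dport)

    def allow(self, p):
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse in self.sessions:          # reply to an allowed session
            return True
        d = direction_of(p)
        if any(r.matches(p, d) for r in self.rules):
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return False                          # unsolicited, no rule


# Constructed packets: a client's HTTPS request, the server's reply, and an
# unsolicited inbound packet spoofing source port 443 toward RDP (3389).
CLIENT_HELLO = Packet("10.0.0.5", 51000, "203.0.113.7", 443)
SERVER_REPLY = Packet("203.0.113.7", 443, "10.0.0.5", 51000)
UNSOLICITED = Packet("198.51.100.9", 443, "10.0.0.5", 3389)
TRAFFIC = (CLIENT_HELLO, SERVER_REPLY, UNSOLICITED)


def run_scenario():
    """Return per-firewall allow decisions for the three packets, in order."""
    narrow = [Rule("out", "tcp", dport=443)]
    broad = narrow + [Rule("in", "tcp", sport=443)]   # needed by stateless
    firewalls = {
        "stateless_narrow": StatelessFirewall(narrow),
        "stateless_broad": StatelessFirewall(broad),
        "stateful": StatefulFirewall(narrow),
    }
    return {name: tuple(fw.allow(p) for p in TRAFFIC)
            for name, fw in firewalls.items()}


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(f"{name:17s} request={decisions[0]} reply={decisions[1]} "
              f"unsolicited={decisions[2]}")
```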
What is responsible for securing web access for managed and unmanaged devices?
Options:
IDS
Cloud workload protection (CWP)
Enterprise browser
VLAN
Answer: C
Explanation:
An enterprise browser secures web access by applying organizational security controls directly within the browser experience. This is especially useful for both managed and unmanaged devices because browser-based controls can protect access to SaaS applications, web resources, and sensitive data even when the endpoint is not fully controlled by the organization. Enterprise browsers may enforce policy, isolate risky activity, control downloads and uploads, inspect web sessions, and reduce data leakage. An IDS detects suspicious activity but does not secure browser access. Cloud workload protection protects workloads such as servers, containers, or cloud runtime environments, not user web browsing. VLANs segment network traffic but do not provide browser-level controls for managed and unmanaged devices. As work increasingly happens through web and SaaS applications, securing the browser becomes an important way to control user interaction with enterprise resources. Reference/topics: Network Security 3.6, enterprise browsers; Network Security 3.3, URL filtering and proxies.
Which statement describes network as a service (NaaS)?
Options:
Cloud-delivered infrastructure service providing network resources on demand
Software application that monitors network performance and security
Traditional model in which enterprises own and manage their physical network infrastructure
Set of protocols used to standardize communication within a LAN
Answer:
A
Explanation:
Network as a Service is a cloud service model in which networking capabilities are delivered on demand rather than owned and operated entirely through fixed physical infrastructure. NaaS can include virtual routing, secure connectivity, bandwidth services, policy enforcement, remote access, and other network functions consumed as a service. The key concept is elasticity: the customer uses network resources when needed while the provider operates much of the underlying service delivery platform. Answer B describes a monitoring application, not a service model. Answer C describes a traditional enterprise-owned network model, which is the opposite of NaaS. Answer D describes protocol standardization, not cloud-delivered networking. NaaS reflects the broader cloud pattern of abstracting infrastructure into consumable services. In security architecture, NaaS can support distributed users, cloud workloads, and branch connectivity without requiring all enforcement to sit in a single physical data center. Reference/topics: Cloud Security 5.2, cloud service models including NaaS; Network Fundamentals 2.1, SD-WAN and area networks.
What is a purpose of security operations?
Options:
Investigating security events
Tracking assets
Installing endpoint security software
Aligning applications to compliance standards
Answer:
A
Explanation:
A core purpose of security operations is investigating security events to determine whether they represent real threats, policy violations, or benign activity. Security operations teams monitor alerts, analyze evidence, investigate suspicious behavior, contain incidents, and improve detection and response processes. Asset tracking is important for security and IT operations, but it is not the main purpose described here. Installing endpoint security software is a deployment task usually handled by endpoint, infrastructure, or IT teams, although the SOC may consume the telemetry. Aligning applications to compliance standards is part of governance, risk, and compliance activities. Security operations is the day-to-day defensive function that turns telemetry into decisions and action. It asks: what happened, what is affected, how severe is it, what should be done, and how can recurrence be reduced? Investigation is therefore central to the SOC mission. Reference/topics: Security Operations 6.1, Identify/Detect, Investigate, Mitigate, Improve; Security Operations 6.3, event and alert.
What is the purpose of the IKE protocol?
Options:
To manage IP addresses and assign them to devices
To authenticate users accessing a wireless network
To establish authenticated communication channels
To translate domain names into IP addresses
Answer:
C
Explanation:
Internet Key Exchange, or IKE, is used to establish authenticated security associations for encrypted communications, most commonly in IPsec VPN environments. Its role is to help peers authenticate each other, negotiate cryptographic parameters, and create the secure channel that will protect traffic between devices or sites. In IKEv2 this happens in two exchanges: IKE_SA_INIT, where the peers trade Diffie-Hellman values and nonces, and IKE_AUTH, where each side proves its identity (by pre-shared key or certificate) and the first IPsec child SA is set up. IKE runs over UDP port 500, or 4500 when NAT traversal is in use. This makes answer C correct. IKE does not assign IP addresses to devices; that function belongs to DHCP. It does not translate domain names into IP addresses; that is the role of DNS. It also is not primarily a wireless user authentication protocol, although authentication is a component of IKE negotiation between VPN peers. In practical terms, IKE is part of the trust-building process before encrypted VPN traffic can safely pass. Palo Alto Networks places IKE in the Network Security domain under tunneling protocols, alongside SSH and TLS, because these protocols support protected communication across untrusted networks. Reference: Cybersecurity Apprentice Datasheet, Network Security 3.4.
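The negotiate-then-authenticate flow described above, as an added example that is not part of the original page and is not a conformant IKE implementation: two peers exchange Diffie-Hellman public values and nonces, derive separate authentication and traffic keys, and each proves knowledge of a pre-shared key with an HMAC over the whole exchange. The group parameters (the Mersenne prime 2^127-1 with generator 3), the key schedule, the peer identities and the PSKs are toy values chosen for illustration; IKE proper uses standardized MODP or elliptic-curve groups and the PRF-based key derivation defined in RFC 7296.

```python
"""Toy authenticated key exchange in the spirit of IKE (added example; not
Palo Alto Networks code and not a conformant IKEv2 implementation).

Messages 1-2 carry a DH value and a nonce in each direction. Both sides then
derive keys from g^(ir) and the nonces. Messages 3-4 carry an AUTH payload:
an HMAC under the PSK over the transcript and the sender's identity, keyed
again under the derived authentication key so it also binds the DH result.
A responder whose PSK does not match fails verification and no traffic keys
survive, which is the behaviour you rely on when a VPN peer is misconfigured
or impersonated.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy group: Mersenne prime 2^127-1; real IKE uses RFC 3526/7919 groups
G = 3


def kdf(shared_secret: int, nonce_i: bytes, nonce_r: bytes) -> dict:
    """Derive separate authentication and traffic keys from g^(ir) and both nonces."""
    seed = hmac.new(nonce_i + nonce_r, shared_secret.to_bytes(16, "big"), hashlib.sha256).digest()
    return {
        "sk_auth": hmac.new(seed, b"auth", hashlib.sha256).digest(),
        "sk_enc": hmac.new(seed, b"enc", hashlib.sha256).digest(),
    }


def transcript(pub_i: int, nonce_i: bytes, pub_r: int, nonce_r: bytes) -> bytes:
    """Everything both sides saw in the first two messages, in a fixed order."""
    return pub_i.to_bytes(16, "big") + nonce_i + pub_r.to_bytes(16, "big") + nonce_r


class Peer:
    def __init__(self, identity: bytes, psk: bytes):
        self.identity = identity
        self.psk = psk
        self.priv = secrets.randbelow(P - 2) + 2    # ephemeral DH exponent in [2, P-1]
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(16)
        self.keys = None

    def derive(self, peer_pub: int, nonce_i: bytes, nonce_r: bytes) -> None:
        self.keys = kdf(pow(peer_pub, self.priv, P), nonce_i, nonce_r)

    def auth_payload(self, tr: bytes) -> bytes:
        # Proof of PSK knowledge bound to this exchange and to the derived keys
        inner = hmac.new(self.psk, tr + self.identity, hashlib.sha256).digest()
        return hmac.new(self.keys["sk_auth"], inner, hashlib.sha256).digest()

    def verify(self, peer_identity: bytes, peer_auth: bytes, tr: bytes) -> bool:
        inner = hmac.new(self.psk, tr + peer_identity, hashlib.sha256).digest()
        expected = hmac.new(self.keys["sk_auth"], inner, hashlib.sha256).digest()
        return hmac.compare_digest(peer_auth, expected)


def exchange(initiator: Peer, responder: Peer) -> bool:
    """Run the four-message exchange; True only if both AUTH payloads verify."""
    # Messages 1 and 2: each side sends its DH public value and nonce (unauthenticated)
    tr = transcript(initiator.pub, initiator.nonce, responder.pub, responder.nonce)
    initiator.derive(responder.pub, initiator.nonce, responder.nonce)
    responder.derive(initiator.pub, initiator.nonce, responder.nonce)
    # Messages 3 and 4: each side sends ID + AUTH and the other side checks it
    ok_i = responder.verify(initiator.identity, initiator.auth_payload(tr), tr)
    ok_r = initiator.verify(responder.identity, responder.auth_payload(tr), tr)
    if not (ok_i and ok_r):
        initiator.keys = responder.keys = None   # no SA, so no traffic keys are ever used
        return False
    return True


def demo() -> tuple:
    """Constructed peers: matching PSKs succeed, a mismatched PSK is rejected."""
    good = exchange(Peer(b"vpn-a", b"correct-psk"), Peer(b"vpn-b", b"correct-psk"))
    bad = exchange(Peer(b"vpn-a", b"correct-psk"), Peer(b"vpn-b", b"wrong-psk"))
    return good, bad
```

Two points carry over to real IKE: the DH exchange alone gives both sides the same keys even when one of them is an impostor, so the AUTH step is what turns a key agreement into an authenticated channel, and a failed AUTH must leave no usable keys behind.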
Which metric measures how long it takes a security team to detect a cybersecurity incident?
Options:
MTTR
MTTD
MFA
NAT
Answer:
B
Explanation:
MTTD, or mean time to detect, measures how long it takes a security team to discover a cybersecurity incident or suspicious activity. A lower MTTD indicates that detection controls, monitoring processes, alert quality, and analyst workflows are working effectively. MTTD is important because attackers often cause more damage the longer they remain undetected. MTTR, or mean time to respond or recover, measures how long it takes to respond to or recover from an incident after detection. MFA is multi-factor authentication, an identity security control used to strengthen login security. NAT is network address translation, which converts one IP address to another. Security operations teams use metrics such as MTTD and MTTR to evaluate SOC performance, improve alerting, tune detection logic, and reduce operational delays. Strong logging, SIEM correlation, endpoint telemetry, threat intelligence, and automation can help reduce detection time. Reference/topics: Security Operations, SOC metrics, MTTD, MTTR, incident detection and response.
Which segmentation method will limit the number of devices that can be granted a private IP address in a network?
Options:
NAT
Static routing
IP subnetting
VLAN
Answer:
C
Explanation:
IP subnetting divides a larger IP network into smaller logical networks by changing the subnet mask or prefix length. Because each subnet has a defined address range, subnetting directly limits how many usable host addresses are available inside that segment. For example, a smaller subnet provides fewer assignable private IP addresses, which restricts the number of devices that can be placed in that network. NAT translates addresses between networks, but it does not itself define the size of the internal address pool. Static routing controls forwarding paths and does not limit how many devices can receive private IP addresses. VLANs segment Layer 2 broadcast domains, but the host count is ultimately determined by the IP subnet assigned to that VLAN. In secure network design, subnetting is often paired with VLANs and zones so that addressing, routing, and policy enforcement align cleanly. Reference/topics: Network Security 3.1, network segmentation methods; Network Fundamentals 2.4, NAT; Network Fundamentals 2.5, routing.
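The sizing rule described above, carried through as an added example that is not part of the original page: given how many devices each segment must hold, pick the smallest prefix whose usable host count fits, carve the segments out of one private block, and check whether a given address can be assigned in a segment at all. The address block, the segment names and the device counts are constructed for illustration; the code uses only the standard-library ipaddress module.

```python
"""Right-sizing subnets so each segment can hold only the devices it needs
(added example; not Palo Alto Networks code). The block and the device
counts below are constructed for the example.
"""
from ipaddress import IPv4Network, ip_address


def smallest_prefix_for(devices: int) -> int:
    """Smallest prefix length whose usable host count, 2^(32-p) - 2, fits `devices`.

    /31 and /32 are skipped: they have no network/broadcast split, and on a
    normal LAN segment they cannot host general devices.
    """
    for prefix in range(30, 0, -1):
        if (1 << (32 - prefix)) - 2 >= devices:
            return prefix
    raise ValueError("too many devices for a single IPv4 network")


def usable_hosts(net: IPv4Network) -> int:
    return net.num_addresses - 2


def plan_subnets(block: str, segments: dict) -> dict:
    """Carve `block` into one subnet per segment, largest first to limit fragmentation.

    Returns {segment_name: IPv4Network}; raises if the block is exhausted.
    """
    free = [IPv4Network(block)]
    plan = {}
    for name, count in sorted(segments.items(), key=lambda kv: -kv[1]):
        prefix = smallest_prefix_for(count)
        for i, net in enumerate(free):
            if net.prefixlen <= prefix:
                pieces = [net] if net.prefixlen == prefix else list(net.subnets(new_prefix=prefix))
                plan[name] = pieces[0]
                free = free[:i] + pieces[1:] + free[i + 1:]   # return the remainder to the pool
                break
        else:
            raise ValueError(f"no room for {name} (/{prefix}) in {block}")
    return plan


def can_join(plan: dict, segment: str, addr: str) -> bool:
    """A device fits a segment only if its address is a usable host address there."""
    net = plan[segment]
    a = ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


def demo_plan() -> dict:
    # Constructed requirement: one /24 of private space shared by four segments
    return plan_subnets("10.20.0.0/24",
                        {"guest": 100, "servers": 50, "printers": 5, "ot-controllers": 2})
```

For the constructed input the guest segment lands on a /25 (126 usable hosts), servers on a /26 (62), printers on a /29 (6) and the controllers on a /30 (2); an address outside a segment's range, or its network or broadcast address, cannot be assigned there, which is exactly the limit the question is asking about.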
In which use case would URL filtering be an appropriate solution?
Options:
Redirecting malicious DNS traffic to a sinkhole
Blocking large file transfers over a network
Preventing employees from accessing social media sites during work hours
Encrypting outgoing emails containing confidential information
Answer:
C
Explanation:
URL filtering controls access to websites based on URL categories, reputation, policy, or risk. Preventing employees from accessing social media sites during work hours is a direct URL filtering use case because social media domains can be categorized and allowed, blocked, coached, or logged according to organizational policy. Redirecting malicious DNS traffic to a sinkhole is a DNS security function, not URL filtering. Blocking large file transfers is more related to file control, application control, or data loss prevention. Encrypting outgoing emails containing confidential information is a DLP or email security function. URL filtering can also block phishing sites, malware distribution pages, newly registered risky domains, command-and-control URLs, and policy-prohibited categories. Its value is strongest when combined with user identity, application awareness, SSL/TLS inspection where appropriate, and logging. Reference/topics: Network Security 3.3, URL filtering, VPNs, and proxies; Network Security 3.5, DLP.
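The category-and-schedule decision described above, as an added example that is not part of the original page or of PAN-OS: a small URL-filtering evaluator that categorizes a URL by hostname, walks an ordered rule list, and applies a working-hours schedule so that social media is blocked during the day, coached (allowed with a warning) after hours, and phishing or malware sites are blocked at all times. The category database, the rules, the working-hours window and the sample requests are all constructed for illustration.

```python
"""Minimal URL-filtering policy evaluator (added example; not PAN-OS code).

The decision is made on the URL's category and the time of day, not on
packet fields. "block" and "coach" are distinct actions, and uncategorized
sites fall through to "alert" so that new domains are visible in the logs
rather than silently allowed.
"""
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed category database: registrable hostname -> category
CATEGORIES = {
    "facebook.com": "social-networking",
    "twitter.com": "social-networking",
    "docs.example.com": "business",
    "login-verify-acct.example.net": "phishing",
    "cdn.updates-example.org": "malware",
}

WORK_HOURS = (time(9, 0), time(17, 0))   # assumed policy window, local time, Mon-Fri

# Ordered rules: first match wins. Schedule "work" applies only inside WORK_HOURS.
RULES = [
    {"category": "phishing", "action": "block", "schedule": "always"},
    {"category": "malware", "action": "block", "schedule": "always"},
    {"category": "social-networking", "action": "block", "schedule": "work"},
    {"category": "social-networking", "action": "coach", "schedule": "always"},
    {"category": "business", "action": "allow", "schedule": "always"},
]


def categorize(url: str) -> str:
    host = urlsplit(url).hostname or ""
    # Treat www.facebook.com and facebook.com alike
    for candidate in (host, host.removeprefix("www.")):
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return "unknown"


def in_schedule(schedule: str, when: datetime) -> bool:
    if schedule == "always":
        return True
    start, end = WORK_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def evaluate(url: str, when: datetime) -> dict:
    """Return the matched action together with the category and rule, for logging."""
    category = categorize(url)
    for rule in RULES:
        if rule["category"] == category and in_schedule(rule["schedule"], when):
            return {"url": url, "category": category, "action": rule["action"], "rule": rule}
    return {"url": url, "category": category, "action": "alert", "rule": None}


def demo() -> list:
    """Constructed requests: the same social site at 10:30 on a Tuesday, at 19:00,
    and on a Saturday, then a phishing page, a business app and an unknown site."""
    cases = [
        ("https://www.facebook.com/feed", datetime(2024, 3, 12, 10, 30)),
        ("https://www.facebook.com/feed", datetime(2024, 3, 12, 19, 0)),
        ("https://www.facebook.com/feed", datetime(2024, 3, 16, 10, 30)),
        ("http://login-verify-acct.example.net/auth", datetime(2024, 3, 12, 10, 30)),
        ("https://docs.example.com/report", datetime(2024, 3, 12, 10, 30)),
        ("https://brand-new-site.example/", datetime(2024, 3, 12, 10, 30)),
    ]
    return [evaluate(url, when)["action"] for url, when in cases]
```

Note that the hostname is all this evaluator can see for an HTTPS request unless TLS is decrypted; path-level decisions (for example allowing a SaaS login page but blocking uploads) need SSL/TLS inspection, which is why the explanation pairs URL filtering with decryption where appropriate.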
Batch 6 — Questions 71–85
What is a benefit of SD-WAN versus traditional WANs?
Options:
Reliance on multiple different WAN connection types and licenses is removed.
All physical WAN components can be easily removed and replaced without network disruption.
Administrators can deploy WAN connection policies across an entire network at once.
WANs are physically connected and strengthened against electromagnetic interference.
Answer:
C
Explanation:
SD-WAN provides centralized, software-defined control over wide area network connectivity. A major benefit is that administrators can create and deploy policies across many sites consistently, rather than manually configuring each traditional WAN device in isolation. SD-WAN can use multiple transport types, such as broadband, LTE, internet, and MPLS, so it does not remove reliance on diverse connection types; it manages them more intelligently. It also does not mean all physical WAN components disappear. Physical links, edge devices, and provider circuits still exist, but the control and policy model becomes more centralized and flexible. Electromagnetic interference is unrelated to the primary value of SD-WAN. SD-WAN is useful because it can steer application traffic based on performance, cost, availability, or security requirements. For security teams, centralized policy helps reduce configuration drift and supports consistent connectivity decisions across branches and cloud environments. Reference/topics: Network Fundamentals 2.1, WAN, LAN, SD-WAN; Network Security 3.3, VPNs and proxies.
Which OSI layer is used to determine how long communications are open between two devices?
Options:
Transport
Application
Session
Network
Answer:
C
Explanation:
The Session layer of the OSI model manages the establishment, maintenance, and termination of sessions between communicating systems. It is associated with determining how long communications remain open, how sessions are coordinated, and how dialog control is maintained. The Transport layer provides end-to-end delivery functions such as segmentation, reliability, flow control, and port-based communication through protocols such as TCP and UDP. The Application layer supports user-facing network services and application protocols. The Network layer handles logical addressing and routing between networks. Although real-world TCP/IP implementations often combine upper-layer functions, the OSI model separates them conceptually to clarify responsibilities. In security analysis, session understanding matters because attackers may hijack sessions, abuse long-lived sessions, or maintain persistence through ongoing connections. Firewalls, proxies, and identity systems often enforce timeout, reauthentication, and session termination policies to reduce risk. Reference/topics: Network Fundamentals 2.6, OSI and TCP/IP models.
What is the purpose of an API?
Options:
It allows operating systems to redesign themselves.
It allows machine learning models to internally check datagrams.
It allows hardware controls to be modified.
It allows software applications to share data.
Answer:
D
Explanation:
An API, or application programming interface, allows software applications and services to communicate and share data in a structured way. APIs define how requests are made, what data formats are accepted, what operations are available, and how responses are returned. In cloud and modern application environments, APIs are fundamental because applications often rely on microservices, third-party integrations, identity providers, automation tools, and cloud management platforms. APIs do not allow operating systems to redesign themselves. They are not specifically for machine learning models to check datagrams, and they are not primarily hardware modification controls. From a security perspective, APIs must be protected because they expose application functions and data paths. API security includes authentication, authorization, rate limiting, input validation, logging, and secrets protection. If poorly secured, APIs can expose sensitive data or allow unauthorized actions. Reference/topics: Cloud Security 5.4, common cloud terms including API and microservice; Identity Security 7.4, secrets management.
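The API security controls listed above (authentication, authorization, rate limiting), as an added example that is not part of the original page or of any vendor's code: a small gateway-style handler that verifies an HMAC-signed bearer token, checks the caller's scope against the requested route, and applies a per-client token bucket before doing any work. The token format, the signing key, the scopes, the limits and the request sequence are constructed for illustration; a real deployment would use a standard token format such as a JWT from an identity provider and keep the key in a secrets manager.

```python
"""Gateway-style API checks (added example; not from the page or any vendor).

Order matters: authenticate first so the rate limiter keys on a verified
client identity, then authorize the specific operation, and fail closed at
every step. A fake clock makes the demo deterministic.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SERVER_KEY = b"server-side-secret"   # assumed; would come from a secrets manager in practice
RATE_LIMIT = 3                        # bucket capacity (requests)
REFILL_PER_SEC = 1.0                  # bucket refill rate


def issue_token(client_id: str, scopes: list) -> str:
    """Sign a JSON payload with HMAC-SHA256: <base64 payload>.<base64 signature>."""
    payload = json.dumps({"sub": client_id, "scopes": scopes}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the signature checks out; None on any defect."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


class RateLimiter:
    """Token bucket per client id."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}   # client_id -> (tokens, last_refill_time)

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (RATE_LIMIT, now))
        tokens = min(RATE_LIMIT, tokens + (now - last) * REFILL_PER_SEC)
        if tokens < 1:
            self.buckets[client_id] = (tokens, now)
            return False
        self.buckets[client_id] = (tokens - 1, now)
        return True


# Constructed route table: which scope each operation requires
REQUIRED_SCOPE = {"GET /users": "users:read", "DELETE /users": "users:admin"}


def handle(request: dict, limiter: RateLimiter) -> tuple:
    """Return (status, message) the way a gateway would, failing closed at each step."""
    claims = verify_token(request.get("authorization", "").removeprefix("Bearer "))
    if claims is None:
        return 401, "invalid or missing token"
    if not limiter.allow(claims["sub"]):
        return 429, "rate limit exceeded"
    route = f"{request['method']} {request['path']}"
    needed = REQUIRED_SCOPE.get(route)
    if needed is None:
        return 404, "no such route"
    if needed not in claims["scopes"]:
        return 403, "insufficient scope"
    return 200, f"ok: {route} for {claims['sub']}"


def demo() -> list:
    """Constructed request sequence from one read-only client, plus a tampered token."""
    clock = [0.0]
    limiter = RateLimiter(clock=lambda: clock[0])   # frozen clock: no refill during the demo
    reader = issue_token("svc-reports", ["users:read"])
    forged = reader[:-4] + "AAAA"                  # signature tail altered
    auth = "Bearer " + reader
    reqs = [
        {"method": "GET", "path": "/users", "authorization": auth},
        {"method": "DELETE", "path": "/users", "authorization": auth},
        {"method": "GET", "path": "/users", "authorization": "Bearer " + forged},
        {"method": "GET", "path": "/users", "authorization": auth},
        {"method": "GET", "path": "/users", "authorization": auth},
        {"method": "GET", "path": "/users", "authorization": auth},
    ]
    return [handle(r, limiter)[0] for r in reqs]
```

One design choice worth noticing: because the bucket is keyed on the verified subject, requests with a bad token never reach the limiter, so an attacker can send unlimited forgeries without tripping it. Production gateways add a second limit keyed on source address in front of authentication for that reason.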
What is a function of a cloud-native security platform (CNSP)?
Options:
Protecting applications at runtime
Generating cost analysis
Sandboxing ransomware
Executing penetration testing
Answer:
A
Explanation:
A cloud-native security platform protects cloud-native applications across their lifecycle, including runtime. Runtime protection means monitoring and securing workloads while they are actively running, such as containers, microservices, serverless functions, Kubernetes clusters, and cloud workloads. This can include detecting suspicious process behavior, enforcing workload policies, identifying misconfigurations, controlling network connections, and responding to active threats. Cost analysis may exist in cloud management platforms, but it is not a core CNSP security function. Sandboxing ransomware is a malware analysis technique, not the defining role of a cloud-native security platform. Penetration testing may be part of security assessment, but CNSP is designed for continuous visibility, posture, identity, workload, and runtime security rather than one-time offensive testing. CNSP matters because cloud-native environments are dynamic: workloads scale, containers are replaced, APIs interact continuously, and identities drive access. Security must therefore be integrated into build, deploy, and runtime phases. Reference/topics: Cloud Security 5.5, CNSP; Cloud Security 5.4, containers, microservices, APIs.