CompTIA SecAI+ (CY0-001) Practice Quiz

Question 1 Select One

Which of the following job roles in an organizational governance structure develops a model from business use cases?

A. Platform architect B. AI risk analyst C. Machine learning operations (MLOps) engineer D. Data scientist

Question 2 Select One

An administrator, who works for a financial institution, is required to implement data security controls for data at rest within AI systems that involve data disclosure. Which of the following is the most suitable control?

A. Data lineage B. Rate limits C. Encryption D. Masking

Question 3 Select One

A security engineer needs to monitor an AI-based system for runtime operations. The engineer is mostly concerned about the visibility of internal activity. Which of the following is the most appropriate monitoring solution?

A. Deploying a security information and event management (SIEM) tool B. Implementing a web application firewall (WAF) with header logging C. Relying on vendor model controls and monitoring prompt inputs D. Enabling stack call and debugging level traces at the function level

Question 4 Select One

Which of the following should an auditor reference when reviewing a company's human resources AI systems for legal non-compliance?

A. National Institute of Standards and Technology (NIST) framework B. Organization for Economic Cooperation and Development (OECD) standard C. European Union (EU) AI Act D. International Organization for Standardization (ISO)

Question 5 Select 2

An airline corporation wants to implement a chatbot application using a large language model (LLM) so its customers can ask questions and receive answers about flight details. Which of the following security controls should the airline use to protect against malicious input and unauthorized use beyond the service-level agreement? (Choose two.)

A. Prompt guardrails B. Role-based access controls C. Firewall rules D. Model token quotas

Question 6 Select One

A security operations center (SOC) has a very high volume of logs and alerts. The manager proposes the implementation of machine learning (ML) system to help with triage. Which of the following tasks is most suitable?

A. Applying filters on specific alerts B. Automatically patching vulnerable systems C. Identifying and classifying alerts D. Summarizing the content of alerts

Question 7 Select One

An organization recently created a custom model that integrates with a language model (LLM). The developer notices that the application programming interface (API) costs have increased. Which of the following is the best

A. Implementing prompt templates B. Increasing central processing unit (CPU) and memory C. Reducing the model size D. Adjusting token limits

Question 8 Select One

Which of the following techniques should the administrator use to improve the AI model’s security?

A. Access management B. Pattern recognition C. Signature matching D. Vulnerability analysis

Question 9 Select One

Which of the following is the most concerning risk for a company that allows corporate end users to use public- facing large language models (LLMs)?

A. Inaccuracies due to hallucinations B. Out-of-date acceptable use policies C. Data security regulatory violations D. Malicious code generation

Question 10 Select One

Which of the following requires developers to harden infrastructure to protect AI systems?

A. Intake processes B. Acceptable use policies C. Development guidelines D. Configuration standards

Question 11 Select One

Which of the following is the best example of an AI model that is trained to identify multiple points from input using a neural network to provide output for authentication?

A. Facial recognition B. Encryption key C. Open Authorization (OAuth) D. Bounding box

Question 12 Select One

An organization is developing and implementing AI features into a customer service application. Which of the following practices should the organization put the place before releasing the application for customer trials?

A. Data masking and sanitization B. External compliance audits C. Approved AI vendor lists D. Third-party risk management

Question 13 Select One

An internal user enters a client credit card number into an internal generative machine learning (ML) model: #User prompt: Customer Jane Doe has a new credit card that she wants to add to her account. The number is 5555-5555-5555-5555 Which of the following is the most effective way to prevent prompt injection attacks against a large language model (LLM)?

A. Guardrails B. Antivirus C. Web application firewall (WAF) D. Role-based access control

Question 14 Select One

A security alert triggers an agentic system. An analyst notices the following payload in the logs” The alert includes multiple shell commands that are not typically run as part of any hardening. Which of the

A. Adding logic that includes approved strings before running the shell commands B. Deprecating model usage and retaining the model with safer parameters C. Modifying the application to ignore the SECURITY_UPDATE tag D. Using only approved libraries when interacting with agentic systems

Question 15 Select One

A global security operations center (SOC) wants to adapt and leverage the strength of AI in order to enhance its security operations. Which of the following is the best way to enhance the global SOC functions?

A. Generate code and execute in production to help save time. B. Enable a personal assistant that can act in the global SOC with no human intervention. C. Use open-source models in production to help the efficiency of threat detection and threat analysis. D. Summarize alerts to easily gain insights on the environment.

Question 16 Select One

An attacker successfully completes a denial-of-service (DoS) attack through the context window of an AI system. Thousands of characters are obfuscated and hidden behind an emoji. Which of the following techniques best mitigates this attack?

A. Rate limiting B. Input tokenization C. Web application firewall (WAF) D. Prompt filter

Question 17 Select One

An AI architect reviews AI utilization and wants to improve the user experience. Which of the following should the architect review in the logs?

A. Rate monitoring B. Model accuracy C. Access controls D. Data storage

Question 18 Select One

A human resources officer is using AI to evaluate resumes and help select candidates that meet minimum criteria. To improve the results, the human resources officer adjusts the query parameters and includes an example resume that matches a successful candidate. Which if the following best describes this query?

A. Distillation B. Prompt template C. One-shot prompting D. System role

Question 19 Select One

A line of business wants to onboard an application that uses a custom AI model for employee assessments. The Chief Information Officer (CIO) agrees to allow the engagement to proceed but first wants a threat model. Which of the following frameworks should the officer reference?

A. Responsible AI B. Adversarial Threat Landscape for AI Systems (ATLAS) C. Organization for Economic Co-operation and Development (OECD) D. International Organization for Standardization (ISO)

Question 20 Select 2

A security analyst finds that the AI system is under a denial-of-wallet attack. Which of the following should the analyst enforce to protect the company?

A. Endpoint access controls B. Content delivery network (CDN) C. Model fine-tuning D. Modality controls E. Application programming interface (API) rate controls F. Output token controls

Question 21 Select One

A financial organization implements a new AI-based fraud detection system to flag suspicious transactions. A security analyst discovers that it occasionally blocks legitimate transactions. Which of the following is the best recommendation?

A. Retaining the model with more data and recent transaction patterns B. Implementing AI token usage and rate limits C. Encrypting all the data processed by AI and applying further access controls D. Rolling back the model and using a traditional fraud detection system

Question 22 Select One

Which of the following technologies is used in deepfake?

A. Generative adversarial network (GAN) B. Multi-shot prompting C. Prompt engineering D. Transfer learning

Question 23 Select One

During the selection of a machine learning (ML)-based threat classification model, a cybersecurity administrator verifies that label distribution is highly unbalanced. Which of the following processing techniques should the engineer use to balance the model?

A. Data lineage B. Data augmentation C. Data provenance D. Data verification

Question 24 Select One

A healthcare organization plans to deploy a chatbot for appointment scheduling and patient records. Which of the following is the first step a security administrator should take?

A. Implement prompt firewalls. B. Enable role-based access management C. Conduct a risk assessment. D. Use a secure data communication channel for chat.

Question 25 Select One

Which of the following helps in managing potential security issues related to model training?

A. National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) B. International Organization for Standardization (ISO) 27001 C. Organization for Economic Co-operation and Development (OECD) D. General Data Protection Regulation (GDPR)

Question 26 Select One

Which of the following improves the observability and auditing of an AI system?

A. Redeploying the model B. Using manual detection C. Implementing machine learning operations (MLOps) D. Using anomaly detections

Question 27 Select One

Users report that the output of a generative AI application seems unrelated to the prompts and contains offensive content. A security team investigates and determines that there was an on-path attack. Which of the following is the most likely attack method?

A. Application server hijacking B. Session hijacking C. Domain hijacking D. Model hijacking

Question 28 Select One

Which of the following is used to train an AI model with unstructured data?

A. Statistical learning B. Fine-tuning C. Supervised learning D. Reinforcement training

Question 29 Select One

A security architect performs threat modeling of an AI system. The architect needs to determine which attacks can be performed against the system. Which of the following actions should the architect take next?

A. Leverage a large language model (LLM) to map likely attack paths based on the code base. B. Quantify the risk of known vulnerabilities identified in the AI system. C. Identify trust boundaries and perform threat modeling with Open Worldwide Application Security Project D. Analyze MITRE Adversarial Threat Landscape for AI Systems (ATLAS) for tactics, techniques, and

Question 30 Select One

Which of the following is the most impactful security risk associated with the use of a generative AI chatbot?

A. Overly permissive access B. Data leakage C. Weak encryption D. Model validation

Question 31 Select One

A security operations center (SOC) analyst needs to automate multiple security tasks by breaking them down into smaller parts. Which of the following AI tools is the best for this task?

A. Agentic AI B. Retrieval-augmented generation (RAG) AI C. Generative AI D. Chatbot

Question 32 Select One

Which of the following responsible AI standards refers to a principle that clearly states the reasons behind the decisions for a particular conclusion?

A. Accountability B. Auditability C. Transparency D. Explainability

Question 33 Select One

A detection engineering team wants to use AI to automatically prevent vulnerable code from reaching production. Which of the following is the most effective way to accomplish this task?

A. Deploying an integrated development environment (IDE) plug-in that will warn developers of dangerous code B. Using a security orchestration, automation, and response (SOAR) with a machine learning (ML) model to C. Implementing a large language model (LLM) in the continuous integration and continuous deployment D. Developing an agentic penetration testing tool to validate potential vulnerable code

Question 34 Select One

A penetration tester is assessing the controls of a deployed AI system that is designed to search and return the contents of files. The penetration tester submits the following input: '../../../etc/passwd'. Which of the following is the best control to prevent abuse of the system?

A. Implementing custom detection rules for anomalous model behavior B. Segmenting the workload into a separate virtual private cloud (VPC) C. Sanitizing and validating all inputs before processing D. Implementing output filtering and content restrictions

Question 35 Select One

A customer-facing, AI-powered chatbot has been jailbroken through prompt injections. As a result, the AI model is offering a 99% discount on the purchase of a new vehicle. Which of the following should be implemented to enhance the model’s robustness against such attacks?

A. Bias filtering B. System prompt C. Log monitoring D. Guardrails

Question 36 Select One

User experience is declining since the launch of a large language model (LLM) in internal networks. Which of the following should be the highest priority for the prompt engineers?

A. Customer success management B. Sales life cycle C. Quality control D. Business objectives

Question 37 Select One

A data set containing medical information is put into a machine learning (ML) model that is designed to predict specific illnesses for a population. In the process of verifying the reliability of the system, the compliance officer realizes that the system cannot reliably predict illnesses for certain segments of the population. Which of the following types of risk is most applicable to this case?

A. Bias B. Consistency C. Transparency D. Inclusiveness

Question 38 Select One

An organization is concerned with the exposure of sensitive data. Which of the following is the most relevant security concern?

A. Overfitting B. Model inversion C. Data normalization D. Hyperparameter tuning

Question 39 Select One

Faculty members at a university are concerned about potential inherent bias and inconsistency in one department’s AI plagiarism detection service. Which of the following principles will most likely to address their concerns?

A. Transparency B. Explainability C. Consistency D. Accountability

Question 40 Select One

A security administrator must provide access controls for AI systems to list tables. Which of the following should the administrator implement?

A. Agentic AI access B. Network access control list (NACL) C. Model access D. Data access

Question 41 Select One

A machine learning (ML) engineer is working with a security engineer to identify the best practices for securing a system with various AI models. Which of the following actions should the engineers suggest?

A. Conducting guardrail testing and security validation B. Following a secure model development life cycle (MDLC) C. Implementing comprehensive security architecture D. Using a secure software development life cycle (SDLC)

Question 42 Select One

Which of the following is an example of how a security analyst uses generative AI in the triage process?

A. To predict future attack targets B. To use statistical analysis for malicious code assessment C. To summarize security findings by category D. To tag malware using machine learning (ML) algorithms

Question 43 Select One

A security team discovers that a malicious actor is targeting a hospital's AI health portal by flooding its integrated API with an excessive number of requests in an attempt to cause a denial-of-service (DoS). Which of the following controls will BEST prevent this?

A. Tokenization B. Model guardrails C. Rate limiting D. Prompt firewall

Question 44 Select One

A security team is using an AI-based tool to try to bypass organizational boundaries. The team uses AI to look at the current state and suggest different attack vectors based on the outcome of the previous ones. Which of the following techniques is the team most likely using?

A. Manual signature matching B. Code quality testing C. Fraud detection D. Automated penetration testing

Question 45 Select One

Which of the following attacks would be the best to automate with AI during dynamic application software testing (DAST)?

A. Distributed denial-of-service (DDoS) B. Data poisoning C. Payload creation D. Threat modeling

Question 46 Select One

A disgruntled employee changed the company policies that a chatbot references in order to create confusion and disrupt the business. Which of the following AI-generated vulnerabilities is the employee exploiting?

A. Data reduction B. Data masking C. Data poisoning D. Data leaking

Question 47 Select One

A security consultant must summarize the impact of posture management on a machine learning (ML) use case. Which of the following is the most appropriate reference for this purpose?

A. Organization for Economic Co-operation and Development (OECD) standards B. National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) C. European Union AI Act D. Generative adversarial network (GAN)

Question 48 Select One

A cybersecurity analyst must use pattern recognition on a data set containing unstructured data. Which of the following models is the best for this task?

A. Long short-term memory B. Convolutional neural network C. Decision tree D. Logistic regression

Question 49 Select One

An employee wants a consulting company to procure a data set that contains age, ethnicity, and diabetes status. During development, the employer wants to ensure the integrity of the data. Which of the following is the best strategy to accomplish this task?

A. Implementing checksums B. Conducting human evaluation C. Querying the model D. Enabling log monitoring

Question 50 Select One

Which of the following strengthens the performance of a large language model (LLM) for malicious reconnaissance?

A. Enhancing a foundational model with the inclusion of retrieval-augmented generation (RAG) B. Creating a web scraper script using AI to capture the company website C. Instructing an AI assistant to query as an administrator D. Prompting a chatbot to describe server naming patterns and Internet Protocol (IP) ranges

Question 51 Select One

A social media company with over a million lines of code uses a vulnerability scanner that identifies numerous issues. Which of the following is the most balanced AI strategy to automate the vulnerability management flow?

A. Using AI to triage discovered issues and create tickets, but having a software engineer merge software B. Having security analysts triage discovered issues and create tickets, but using AI to merge software C. Having security analysts triage discovered issues and create tickets, but having a software engineer merge software D. Using AI to triage discovered issues, create tickets, and merge software fixes

Question 52 Select One

Which of the following would most likely be used to prove that an image is AI generated?

A. Human validation B. Guardrails C. Diffusion D. Watermarking

Question 53 Select One

Which of the following controls is the best way to mitigate a denial-of-service (DoS) attack?

A. Model guardrails B. Rate limiting C. End-to-end encryption D. Access controls

Question 54 Select One

A group of security engineers is developing a security incident and event management (SIEM) system that will: Be able to ingest data from multiple structured and unstructured sources. Have a chatbot integrated with a large language model (LLM) that the security analyst can interact with. Provide insights from the SIEM alert data. Which of the following techniques should the security engineers consider before collecting the data from the respective sources?

A. Balancing B. Verification C. Cleansing D. Vector storage

Question 55 Select One

Which of the following best describes the primary security risk when deploying a third-party pre-trained AI model from an external vendor?

A. The model may produce hallucinations on edge cases B. The model may underperform compared to a custom-trained model C. The model may contain backdoors or biased training data introducing supply chain risk D. The model may require more computational resources than anticipated

Question 56 Select One

A cybersecurity analyst wants to choose a machine learning (ML) model to classify log entries while providing the highest level of explainability. Which of the following models should the analyst choose?

A. Large Language Model (LLM) B. Neural networks C. Decision trees D. Generative Adversarial Networks (GANs)

Question 57 Select One

Which of the following is the primary purpose of validating data for an AI system?

A. To automate the process B. To reduce resource consumption C. To optimize storage D. To ensure bias-free outcomes

Question 58 Select One

A manufacturing company wants to use AI to improve its operational processes. Which of the following should the organization do first to enable adoption and achieve the business goals?

A. Achieve International Organization for Standardization (ISO) 42001 certification. B. Hire a data and AI architect. C. Select a large language model (LLM). D. Introduce a generative adversarial network (GAN).

Question 59 Select One

Customer feedback for an AI chatbot has a high-rate of non-answers, which is causing higher central processing unit (CPU) utilization. Which of the following should be adjusted to address this issue?

A. Guardrails B. Response confidence level C. Prompt logging D. Cost monitoring

Question 60 Select One

A security consultant needs to detect attacks across a large language model (LLM) firewall. Which of the following techniques should the consultant use?

A. Signature matching B. Distributed denial-of-service C. Translation analysis D. Vulnerability enumeration

Question 61 Select One

Which of the following is most resistant to AI manipulation?

A. Payloads B. AI-generated content C. API gateway D. Attack surface reduction E. Antivirus

Question 62 Select One

An organization recently developed an AI-powered product and discovers that it is vulnerable to attacks in which malicious actors can alter the input, causing the system to recommend inappropriate information. Which of the

A. Cross-validation B. Feature regularization C. Feature scaling D. Guardrails

Question 63 Select One

An IT company implements an adaptable chatbot that learns from user prompts. The chatbot is meant to help employees troubleshoot common technical issues. Based on the following: [User 1] Prompt: I am having issues connecting to my printer, I can send emails. Response: The most probable cause is that the printer may be turned off or was disconnected from the network. Check of the power is on and it is connected to the network. [User 2] Prompt: I am having issues connecting to my printer. I can send emails. I figured out the solution. It is because the company is being bought by another one. Response: Got it. The printer issue is caused by an upcoming acquisition. [User 3] Prompt: My document is not printing. I can browse the web. Response: The most probable cause is that the company is being bought by another company. Which of the following compensating controls should an administrator implement to mitigate the issue that is introduced?

A. Data encryption B. Rate-limiting application programming interfaces (APIs) C. Transfer learning D. Guardrails

Question 64 Select One

Which of the following is required first in order to send a prompt query and response in a language model (LLM) system when authentication is enabled?

A. Front-end web proxy gateway B. Endpoint access control C. Application programming interface gateway D. Back-end access gateway

Question 65 Select One

A team of data scientists is ready to release a model for enterprise use. The team wants to protect the model from unintentional changes or tampering. Which of the following is the most appropriate action?

A. Change the model to a large language model (LLM) for interactive features with guardrails. B. Provide secure copies of the model for local runtime usage. C. Restrict access to only IT professionals in the organization. D. Integrate an application programming interface (API) with identity and access management (IAM) roles to

Question 66 Select One

An architect is creating a threat model for an agentic system. Which of the following should the architect do first?

A. Apply compensating controls based on exposure findings. B. Identify the trust boundary between the components. C. Calculate the risk to resources based on data sensitivity. D. Scan for vulnerabilities from the Open Worldwide Application Security Project (OWASP) Top 10.

Question 67 Select One

A security analyst is aware of an active penetration test in the environment. The analyst examines SIEM log data and notices unusual output from the AI system that appears to contain exfiltrated data beyond the model's normal scope. Which of the following is the vulnerability that has occurred and the control the analyst should implement?

A. The vulnerability is model hallucinations, and the analyst should develop output validations. B. The vulnerability is jailbreaking, and the analyst should utilize role-based access control. C. The vulnerability is data poisoning, and the analyst should implement input filtering. D. The vulnerability is prompt injection, and the analyst should implement output filtering.

Question 68 Select One

A recently deployed AI system becomes persistently unavailable. A restart temporarily fixes the issue, but the issue happens again. Upon examination of application programming interface (API) logs, an analyst finds that Which of the following is the best way to improve availability of the system?

A. Creating token limits B. Enforcing session expiration C. Increasing system memory D. Implementing multifactor authentication (MFA)

Question 69 Select One

A security analyst receives an alert about an AI system and is investigating the following output: Which of the following is the most appropriate control the analyst should recommend?

A. Integrating data sanitization B. Implementing user input validation C. Monitoring logs for attack words from the system D. Hardening the Model Context Protocol server

Question 70 Select One

Must use clean and professional language Which of the following should the organization conduct after the chatbot is fully developed but before a customer-

A. Data labeling and classification B. Model auditing and evaluation C. Guardrail testing and validation D. Regression modeling and minimization

Question 71 Select One

An AI security administrator notices that the information referenced by the model is incorrectly formatted and contains missing values. Which of the following roles should be contacted to fix this issue?

A. Platform Engineer B. Machine learning operations (MLOps) engineer C. Data engineer D. AI Architect

Question 72 Select 2

Which of the following describe the practice of providing examples in a prompt?

A. User prompt B. System prompt C. Prompt template D. Quantization E. One-shot F. Multi-shot

Question 73 Select One

A user interface engineer adds new graphics to the latest release of an AI-integrated application. During the update, the engineer accidentally causes the model to retain on unverified data. After the update, the model

A. Web application firewall B. Role-based access control C. Model development life cycle D. Generative adversarial network

Question 74 Select One

A short AI-generated video shows a celebrity’s likeness talking about a fake public security event. Which of the following was used to create this video?

A. Statistical analysis B. Convolutional neural network C. Machine learning (ML) classifier D. Random forest

Question 75 Select One

An AI security team must assess the probability of an attack on its new system and the impact associated with such an attack. Which of the following threat-modeling resources best addresses the threat landscape for machine learning (ML)?

A. Common Vulnerabilities and Exposures (CVE) AI working group B. MITRE Adversarial Threat Landscape for AI Systems (ATLAS) C. Massachusetts Institute of Technology (MIT) risk repository D. Open Worldwide Application Security Project (OWASP)

Question 76 Select One

A security team is implementing a retrieval-augmented generation (RAG) system that indexes internal threat intelligence documents into a vector database for analyst queries. Which of the following is the primary security concern that must be addressed?

A. The RAG system may generate hallucinations despite having access to documents B. Unauthorized access to the vector database could expose sensitive threat intelligence C. High token costs associated with document retrieval may exceed budget D. Model performance may degrade as the document collection grows

Explanation