
Free CCOA Practice Questions

10 free, exam-style Certified Cybersecurity Operations Analyst (CCOA) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CCOA practice test to study every exam domain.

These 10 free CCOA questions are organized by exam domain, so you can see how each part of the Certified Cybersecurity Operations Analyst blueprint is tested. Reveal the answer and explanation under each question.

Domain 1: Technology Essentials (25% of exam)

Question 1

During a threat-hunting exercise, an analyst uses Wireshark to examine captured network traffic and observes a single internal host sending TCP SYN packets to ports 22, 80, 443, 445, 3389, and 8080 on multiple internal servers within a 10-second window, with no corresponding SYN-ACK responses. What does this activity MOST likely indicate?

  A. A misconfigured load balancer distributing health checks to backend servers
  B. A network reconnaissance scan attempting to identify open services on internal hosts
  C. Normal DNS resolution traffic being misinterpreted due to an incorrect display filter
  D. A distributed denial-of-service attack targeting multiple servers simultaneously

Correct answer: B - A network reconnaissance scan attempting to identify open services on internal hosts

Explanation: one source sending lone SYNs to a spread of well-known service ports (SSH, HTTP, HTTPS, SMB, RDP, an HTTP alternate) on several hosts inside a few seconds, with the handshakes never completing, is the signature of a port scan probing for listening services. Load-balancer health checks complete their handshakes against known backend ports, DNS lookups use port 53 and would not be hidden by a display filter, and a DoS shows sustained volume rather than a single probe per port.
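The pattern in Question 1 is what a SOC detection rule for scanning looks for: unanswered SYNs from one source fanning out to many distinct host/port targets within a short window. The script below is an added example, not material from the original page. The flow records are constructed sample data, and their layout (timestamp, source, destination, destination port, flags) is an assumption chosen to resemble a Zeek conn.log or Wireshark export; the host addresses are hypothetical.

```python
"""Flag sources whose unanswered SYNs fan out across many host/port targets.

Added illustration for the scan scenario in Question 1; not part of the
original page. The flow records below are constructed sample data, and the
field layout (timestamp, src, dst, dst_port, flags) is an assumption chosen
to resemble a Zeek conn.log or a Wireshark export.
"""
from collections import defaultdict

T0 = 1_700_000_000.0
SCANNER = "10.20.5.41"   # hypothetical internal host

# Constructed records: "S" = SYN sent with no SYN-ACK observed,
# "SA" = three-way handshake completed.
FLOWS = []
for i, dst in enumerate(f"10.20.10.{n}" for n in range(11, 16)):
    for j, port in enumerate((22, 80, 443, 445, 3389, 8080)):
        FLOWS.append((T0 + 1.5 * i + 0.2 * j, SCANNER, dst, port, "S"))

# Ordinary workstation traffic: completed sessions plus one benign failure.
FLOWS += [
    (T0 + 3.0, "10.20.5.88", "10.20.10.12", 443, "SA"),
    (T0 + 4.1, "10.20.5.88", "10.20.10.12", 443, "SA"),
    (T0 + 5.7, "10.20.5.88", "10.20.10.13", 445, "SA"),
    (T0 + 6.2, "10.20.5.88", "10.20.10.13", 22, "S"),
]


def syn_scan_sources(flows, window_s=10.0, min_targets=8):
    """Return {src: summary} for sources whose unanswered SYNs hit at least
    min_targets distinct (host, port) pairs within any window_s-second span.

    Counting distinct targets rather than raw SYNs keeps a single host
    retrying one closed port from tripping the rule, while catching both
    vertical (many ports, one host) and horizontal (one port, many hosts)
    scans.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        if flags == "S":
            by_src[src].append((ts, dst, port))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            best = max(best, len(targets))
        if best >= min_targets:
            findings[src] = {
                "targets_in_window": best,
                "hosts": len({d for _, d, _ in events}),
                "ports": sorted({p for _, _, p in events}),
            }
    return findings


if __name__ == "__main__":
    for src, info in syn_scan_sources(FLOWS).items():
        print(f"{src}: {info}")
```

Running it reports only the scanning host, with 30 distinct targets across 5 hosts and the six probed ports; the workstation with a single failed connection stays below the threshold. In production the same logic runs over firewall or Zeek connection logs, and the window and target thresholds are tuned against the environment's normal failed-connection rate.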

Question 2

An analyst investigating a suspected data exfiltration incident needs to examine the contents of HTTP communication between an internal workstation and an external server captured in a PCAP file. Which Wireshark technique is MOST effective for reconstructing and reading the full HTTP request and response exchange?

  A. Applying the display filter 'http.request.method == GET' to isolate download requests
  B. Using the Statistics > Protocol Hierarchy window to identify the HTTP traffic percentage
  C. Right-clicking an HTTP packet and selecting Follow > TCP Stream to view the full session
  D. Navigating to Statistics > Conversations to identify the top data-transferring endpoints

Correct answer: C - Right-clicking an HTTP packet and selecting Follow > TCP Stream to view the full session

Explanation: Follow > TCP Stream reassembles both directions of the connection into a single readable transcript, so the request headers, response headers and body can be inspected together (Follow > HTTP Stream does the same with HTTP framing applied). A display filter only narrows which packets are listed, and the Protocol Hierarchy and Conversations windows summarize volumes without showing content.

Domain 2: Cybersecurity Principles and Risks (20% of exam)

Question 3

According to ISACA, what is the ULTIMATE goal of an organization's cybersecurity governance program?

  A. Ensuring compliance with all applicable regulatory frameworks
  B. Minimizing the annual frequency and impact of security incidents
  C. Creating value for the organization and its stakeholders
  D. Aligning the cybersecurity strategy with industry best practices

Correct answer: C - Creating value for the organization and its stakeholders

Explanation: ISACA's governance framework (COBIT) defines the governance objective as value creation for stakeholders, achieved through benefits realization, risk optimization and resource optimization. Compliance, fewer incidents and alignment with good practice are means toward that objective, not the objective itself.

Question 4

An organization's data center houses a server worth $600,000. A risk assessment determines that a specific threat event would damage 30% of the server's value and is expected to occur twice per year. What is the Annualized Loss Expectancy (ALE) for this risk?

  A. $180,000
  B. $360,000
  C. $90,000
  D. $600,000

Correct answer: B - $360,000

Explanation: ALE = SLE x ARO, where the single loss expectancy SLE = asset value x exposure factor = $600,000 x 0.30 = $180,000, and the annualized rate of occurrence ARO = 2. So ALE = $180,000 x 2 = $360,000. Option A is the SLE, the loss from one occurrence, not the annualized figure.

Domain 3: Adversarial Tactics, Techniques, and Procedures (10% of exam)

Question 5

An analyst observes that an attacker has gained initial access through a phishing email, then used PowerShell to download additional tools, created a scheduled task for persistence, and is now executing Mimikatz to extract credentials from memory. In the MITRE ATT&CK framework, which tactic does the Mimikatz activity MOST directly map to?

  A. Execution
  B. Privilege Escalation
  C. Credential Access
  D. Collection

Correct answer: C - Credential Access

Explanation: dumping credentials from LSASS memory with Mimikatz is OS Credential Dumping: LSASS Memory (T1003.001), a technique under the Credential Access tactic (TA0006). The earlier steps map to other tactics: the phishing email is Initial Access, the PowerShell download is Execution with Command and Control for the transfer, and the scheduled task is Persistence. Mimikatz usually requires elevated privileges, but the activity itself is the theft of credentials, not the elevation.

Domain 4: Incident Detection and Response (34% of exam)

Question 6

A security analyst has completed an incident investigation involving a ransomware attack that encrypted 40 file servers. The incident response team is now conducting the post-incident review. What is the PRIMARY objective of this phase?

  A. Collecting digital evidence to support potential legal proceedings against the attacker
  B. Identifying which employee action caused the initial infection to assign accountability
  C. Deriving improvements to the incident response process based on lessons learned
  D. Calculating the total financial impact of the incident for insurance reimbursement

Correct answer: C - Deriving improvements to the incident response process based on lessons learned

Explanation: the post-incident activity phase (the "lessons learned" step in NIST SP 800-61) exists to improve detection, response procedures and controls so the next incident is handled better. Evidence is collected during the investigation, not afterwards; a blameless review is preferred because assigning individual fault discourages honest reporting; and financial accounting is an output for management and insurers, not the purpose of the review.

Question 7

An analyst receives an alert about a compromised workstation that is actively communicating with a known command-and-control server. The analyst must collect forensic evidence before containment. Which data source should the analyst acquire FIRST?

  A. Full disk image using a forensic write-blocker
  B. Volatile memory (RAM) using a memory acquisition tool
  C. Copies of relevant Windows Event Log .evtx files
  D. Network traffic capture from the perimeter firewall

Correct answer: B - Volatile memory (RAM) using a memory acquisition tool

Explanation: collection follows the order of volatility. RAM holds the running processes, active network connections, injected code and decrypted keys that tie the host to the C2 server, and all of it is lost on power-off, reboot or many containment actions, so it is captured first. The disk, event log files and the firewall's capture persist and can be collected afterwards.

Question 8

A SOC analyst notices that a workstation is making HTTPS connections to the same external IP address at exactly 60-second intervals, each transferring approximately 200 bytes of data. No user activity correlates with the connections. What should the analyst investigate this activity as?

  A. A certificate validation loop caused by an expired intermediate CA certificate
  B. Automated software update checks performed by a legitimate application
  C. Command-and-control beaconing from a potentially compromised endpoint
  D. A bandwidth monitoring agent reporting utilization metrics to a cloud dashboard

Correct answer: C - Command-and-control beaconing from a potentially compromised endpoint

Explanation: fixed-interval connections of near-constant size to one external address, with no user activity behind them, are the classic heartbeat of a C2 implant checking in for tasking. Legitimate updaters and monitoring agents can produce a similar shape, which is exactly why the analyst investigates rather than dismisses it: check the destination's reputation, identify the process that owns the connections, and look at whether the timing carries the jitter that many implants add to evade this kind of detection.
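Detecting the pattern in Question 8 at scale means measuring how regular a host's outbound connections are. The script below is an added example, not code from the original page; it scores each (source, destination, port) pair by the coefficient of variation of its inter-connection gaps and payload sizes over constructed sample records whose layout (epoch seconds, source, destination, port, bytes sent) and addresses are assumptions.

```python
"""Find outbound connections whose timing and size look machine-generated.

Added illustration for the beaconing scenario in Question 8; not part of the
original page. Records are constructed sample data in an assumed layout
(epoch_seconds, src, dst, dst_port, bytes_sent).
"""
import random
import statistics
from collections import defaultdict

T0 = 1_700_000_000.0
rng = random.Random(7)   # fixed seed keeps the sample reproducible
RECORDS = []

# Suspected beacon: one connection every 60 s with sub-second jitter,
# about 200 bytes each, to a single external address.
for n in range(30):
    RECORDS.append((T0 + 60 * n + rng.uniform(-0.5, 0.5),
                    "10.20.5.41", "203.0.113.77", 443, 200 + rng.randint(-8, 8)))

# Ordinary browsing from another host: irregular gaps, widely varying sizes.
t = T0
for _ in range(30):
    t += rng.uniform(2, 400)
    RECORDS.append((t, "10.20.5.88", "198.51.100.10", 443, rng.randint(300, 50_000)))

# Too few events to judge either way.
RECORDS += [(T0, "10.20.5.41", "192.0.2.9", 443, 512),
            (T0 + 59, "10.20.5.41", "192.0.2.9", 443, 470)]


def beacon_candidates(records, min_events=10, max_gap_cv=0.10, max_size_cv=0.25):
    """Return one summary per (src, dst, port) whose inter-connection gaps
    and payload sizes are both nearly constant.

    CV = population stdev / mean. A timer fires with CV near 0 even with
    modest jitter; human-driven sessions sit near or above 1. The thresholds
    are starting points to tune, not a verdict: legitimate updaters and
    monitoring agents produce the same shape, so every hit is a lead to
    investigate (destination reputation, owning process, user context).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, size in records:
        by_pair[(src, dst, port)].append((ts, size))

    findings = []
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [s for _, s in events]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap <= 0 or mean_size <= 0:
            continue
        gap_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / mean_size
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            findings.append({
                "pair": pair,
                "events": len(events),
                "median_gap_s": round(statistics.median(gaps), 1),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(RECORDS):
        print(f)
```

Only the 60-second pair surfaces: its gap CV is well under 0.05 and its size CV about 0.02, while the browsing host's gaps vary by more than half their mean. Implants that randomize their sleep by 20 to 30 percent push the gap CV up toward those thresholds, so a production rule usually pairs this with longer observation windows and destination enrichment rather than relying on timing alone.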

Domain 5: Securing Assets (11% of exam)

Question 9

An organization restricts access to its cloud-based HR system based on the employee's department, the sensitivity classification of the data being requested, the geographic location of the login attempt, and the time of day. Which access control model does this BEST represent?

  A. Role-Based Access Control (RBAC)
  B. Rule-Based Access Control (RuBAC)
  C. Discretionary Access Control (DAC)
  D. Mandatory Access Control (MAC)

Correct answer: B - Rule-Based Access Control (RuBAC)

Explanation: the decision is made by administrator-defined rules that evaluate contextual conditions (where the login comes from, the time of day) together with the requester's department and the data's classification. Time-of-day and location conditions are the textbook examples of rule-based access control. RBAC would grant access purely by assigned role, DAC leaves the decision to the resource owner, and MAC applies only when access is determined solely by comparing the data's classification label with the subject's clearance under a system-enforced policy. The most precise description of a multi-attribute policy like this is attribute-based access control (ABAC), which is not among the options; of the four listed, rule-based is the closest fit.

Question 10

A vulnerability scanner identifies a Critical-severity CVE on an internet-facing web server. The analyst notes that the CVSS Base Score is 9.8, but the organization has implemented a WAF in front of the server and the application only processes non-sensitive public data. Which CVSS metric component should the analyst use to reflect these organizational factors when reporting risk to management?

  A. Temporal Metrics, because the mitigating controls reduce exploitability over time
  B. Base Metrics, because the WAF changes the inherent attack complexity
  C. Environmental Metrics, because they tailor the score to the organization's specific context
  D. Threat Metrics, because the WAF reduces the probability of active exploitation

Correct answer: C - Environmental Metrics, because they tailor the score to the organization's specific context

Explanation: the Base score describes the vulnerability as it exists in the product and is not changed by how one organization deploys it. Temporal metrics (called Threat metrics in CVSS v4.0) track exploit maturity, remediation availability and report confidence, none of which a local WAF affects. The Environmental group is where the deploying organization records its own context: the Confidentiality, Integrity and Availability Requirements (lowered here because the data is public) and the Modified Base metrics that can reflect compensating controls such as the WAF.
