
Domain 6 Capstone: Security Assessment and Testing

CISSP Domain 6 — Security Assessment and Testing Capstone — All Sections 20 Questions

Executive Pattern Summary

Domain 6 is the verification domain. Every control, every policy, and every process from the other seven domains exists on paper until Domain 6 proves they work in practice. Before working through these capstone questions, internalize these five decision patterns:

  1. Assessment type matches the question being asked. Vulnerability assessments answer “what could be exploited?” Penetration tests answer “can it actually be exploited?” Audits answer “are we doing what we said we would do?” Compliance assessments answer “do we meet external mandates?” When a scenario needs one answer, do not select a method that answers a different question.
  2. Context overrides score. A CVSS base score is a starting point, not a final answer. Environmental factors — data sensitivity, network exposure, business criticality, compensating controls — determine actual organizational risk. The exam always prefers risk-based prioritization over score-based ranking.
  3. Collection enables everything downstream. You cannot investigate without logs. You cannot report without metrics. You cannot prove compliance without evidence. When a scenario reveals a downstream failure, look upstream for the collection gap.
  4. Audience determines format. The board needs business risk. Engineers need CVSS and remediation steps. Regulators need compliance evidence. A report that speaks the wrong language to its audience fails regardless of content quality.
  5. Root cause prevents recurrence. Corrective actions that address symptoms produce recurring findings. When the same issue appears across audit cycles, the problem is not the finding — it is the corrective action that never reached deep enough.

Domain 6 – Capstone Questions


Question 1

A financial institution completed its annual penetration test in March. In June, the institution migrated its core banking application to a new cloud provider and implemented a new API layer for mobile banking. The next penetration test is scheduled for March of the following year.

What is the PRIMARY risk of this timeline?

A. The new cloud and API infrastructure has not been assessed for vulnerabilities, and the annual schedule does not account for the significant environmental change
B. The cloud provider’s own security certifications cover the migrated infrastructure
C. Annual penetration testing frequency exceeds regulatory requirements
D. The mobile banking API will be tested by users who report issues

Answer & reasoning

Correct: A

Major infrastructure changes are assessment triggers. The cloud migration and new API layer introduce entirely new attack surface that the March penetration test did not evaluate. Waiting nine months for the next scheduled test leaves the new infrastructure unassessed. Cloud provider certifications cover the provider’s controls, not the institution’s configuration and integration.


Question 2

An organization’s SIEM forwards all logs to a centralized repository. However, an incident investigation reveals a two-hour gap in firewall logs during the exact window the breach occurred. The firewall was operational during this period.

What is the MOST likely cause?

A. The attacker exploited a zero-day vulnerability that bypassed firewall logging
B. The log forwarding mechanism experienced a failure or the attacker disrupted log transmission between the firewall and the SIEM
C. The SIEM automatically discarded the logs due to storage limitations
D. The firewall vendor does not support real-time log forwarding

Answer & reasoning

Correct: B

A gap in centralized logs while the source device was operational points to a log forwarding failure. This could be an infrastructure issue (network congestion, agent crash) or a deliberate attacker action to disrupt log transmission. Sophisticated attackers may target the log pipeline itself to cover their tracks. This is why log integrity monitoring and forwarding health checks are important components of log management architecture.
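The forwarding health check described above, as an added example that is not part of the original page: a small Python script that runs over constructed SIEM event lines and reports two kinds of failure, a closed gap (a source went silent and later resumed, the two-hour firewall gap in this question) and an open gap (a source is still silent while other sources keep reporting). The event lines, device names (fw-edge-01, ids-core-01, vpn-gw-01) and the 45-minute silence threshold are all constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of events as ingested by a SIEM: "<timestamp> <source> <message>".
# These lines are invented for the example, not output from any real device.
SAMPLE_EVENTS = """\
2024-05-14T01:55:10Z fw-edge-01 ACCEPT tcp 10.0.1.5:51022 -> 203.0.113.10:443
2024-05-14T01:58:00Z vpn-gw-01 session open user=jdoe
2024-05-14T02:00:02Z fw-edge-01 DENY tcp 198.51.100.7:40011 -> 10.0.1.5:22
2024-05-14T02:00:30Z ids-core-01 alert sid=2010937
2024-05-14T02:10:00Z vpn-gw-01 session close user=jdoe
2024-05-14T02:30:00Z ids-core-01 heartbeat
2024-05-14T03:00:00Z ids-core-01 heartbeat
2024-05-14T03:30:00Z ids-core-01 heartbeat
2024-05-14T04:00:00Z ids-core-01 heartbeat
2024-05-14T04:05:17Z fw-edge-01 ACCEPT tcp 10.0.1.9:51600 -> 203.0.113.10:443
2024-05-14T04:06:00Z ids-core-01 heartbeat
"""

# Assumed threshold: a source silent for longer than this is worth a ticket.
# The right value depends on how chatty each source is; a busy edge firewall
# should never be quiet for 45 minutes.
MAX_SILENCE = timedelta(minutes=45)


def parse_events(text):
    """Parse lines into (timestamp, source) pairs; the message body is not needed here."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, _message = line.split(" ", 2)
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), source))
    return events


def find_gaps(events, max_silence=MAX_SILENCE):
    """Closed gaps: consecutive events from one source further apart than max_silence.

    Returns a list of (source, gap_start, gap_end, gap_seconds), sorted by source.
    """
    by_source = defaultdict(list)
    for stamp, source in events:
        by_source[source].append(stamp)
    gaps = []
    for source, stamps in sorted(by_source.items()):
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_silence:
                gaps.append((source, prev, cur, (cur - prev).total_seconds()))
    return gaps


def stale_sources(events, max_silence=MAX_SILENCE):
    """Open gaps: sources whose newest event is older than max_silence compared with
    the newest event from any source, i.e. forwarding looks dead right now."""
    newest_overall = max(stamp for stamp, _ in events)
    last_seen = {}
    for stamp, source in events:
        last_seen[source] = max(last_seen.get(source, stamp), stamp)
    return sorted(s for s, stamp in last_seen.items() if newest_overall - stamp > max_silence)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for source, start, end, secs in find_gaps(evts):
        print(f"GAP   {source}: {start:%H:%M:%S} -> {end:%H:%M:%S} ({secs / 60:.0f} min)")
    for source in stale_sources(evts):
        print(f"STALE {source}: no events for more than {MAX_SILENCE}")
```

In the sample, fw-edge-01 shows a closed gap of just over two hours while ids-core-01 kept reporting, which is the pattern an investigator sees after the fact; vpn-gw-01 is flagged as stale, which is the pattern a scheduled health check should raise while the outage is still in progress. Running the stale check every few minutes against the SIEM is what turns this from a forensic finding into an alert.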


Question 3

A penetration testing team is given user-level credentials and documentation about the internal network architecture but no source code or administrative access. They are asked to simulate what a compromised employee account could achieve.

Which type of penetration test is this?

A. Black box
B. White box
C. Gray box
D. Red team engagement

Answer & reasoning

Correct: C

Gray box testing provides partial knowledge — in this case, user credentials and architecture documentation without source code or admin access. This simulates an insider threat or compromised user scenario. Black box would provide no information. White box would include full source code, admin credentials, and complete documentation. A red team engagement typically includes adversarial objectives beyond technical testing.


Question 4

A security manager needs to report to the CFO about the organization’s vulnerability management program. The manager has data showing 3,400 open vulnerabilities across 800 systems, with CVSS scores ranging from 2.1 to 9.8.

How should this information be presented to the CFO?

A. Present the full vulnerability list sorted by CVSS score
B. Provide a summary showing total vulnerability count by severity tier
C. Focus on financial exposure: what business systems are at risk, what the potential cost of exploitation would be, and whether the trend is improving or worsening
D. Delegate the presentation to a technical team member who understands CVSS

Answer & reasoning

Correct: C

The CFO needs financial and business context, not technical details. Presenting vulnerability data in terms of business systems at risk, potential financial impact, and trend direction enables the CFO to make resource allocation decisions. Raw vulnerability counts and CVSS scores are meaningless to a financial executive. The security manager should own this communication, not delegate it.


Question 5

An organization uses both SAST and DAST in its application security testing program. SAST runs during the build phase, and DAST runs against the staging environment before production deployment. A vulnerability is discovered in production that neither tool caught.

Which additional testing method would MOST likely have detected this gap?

A. More frequent SAST scans during development
B. IAST, which monitors code execution paths during testing to correlate inputs with internal behavior
C. Replacing DAST with manual penetration testing
D. Running SAST against the production environment

Answer & reasoning

Correct: B

IAST combines aspects of both SAST and DAST by instrumenting the running application and observing how external inputs interact with internal code paths. It can detect vulnerabilities that SAST misses (because it lacks runtime context) and that DAST misses (because it cannot see internal code execution). Adding IAST provides a complementary detection layer that addresses the gap between static and dynamic analysis.


Question 6

A company’s internal audit function conducts an audit of the IT change management process. The audit reveals that 25% of production changes bypassed the change advisory board approval process. The IT director states that these were emergency changes that could not wait for the regular approval cycle.

What should the audit finding address?

A. Emergency changes should never be permitted regardless of business urgency
B. The IT director is circumventing controls and should be disciplined
C. The change advisory board should meet daily to eliminate the need for emergency changes
D. The change management process should include a defined emergency change procedure with after-the-fact review, and bypasses should be formally documented

Answer & reasoning

Correct: D

Emergency changes are a reality in IT operations. The issue is not that they occur but that they bypass controls without a formal alternative process. A mature change management program includes an emergency change procedure that allows rapid action while maintaining documentation, authorization from designated emergency approvers, and mandatory after-the-fact review. The finding should focus on the process gap, not on prohibiting necessary emergency responses.


Question 7

An organization’s vulnerability management program shows that mean time to remediate critical vulnerabilities has improved from 30 days to 7 days over the past year. However, the number of successful exploits against the organization has not decreased.

What is the MOST likely explanation?

A. The remediation data is inaccurate
B. Attackers are exploiting vulnerabilities within the first 7 days before remediation occurs, indicating a need for compensating controls during the remediation window
C. The vulnerability scanner is not detecting all vulnerabilities
D. Seven days is still too long for critical vulnerability remediation

Answer & reasoning

Correct: B

Faster remediation is positive, but modern attackers often weaponize critical vulnerabilities within hours of disclosure. A seven-day remediation window still leaves a gap where compensating controls — IPS signatures, WAF rules, network segmentation, enhanced monitoring — are needed to protect vulnerable systems until patches are applied. Remediation speed and compensating controls work together; neither alone is sufficient.


Question 8

A third-party vendor provides the organization’s payroll processing service. The organization’s finance team asks the security team for assurance that the vendor’s controls over financial data are operating effectively.

Which report is MOST appropriate to request from the vendor?

A. SOC 2 Type II
B. SOC 1 Type II
C. SOC 3
D. ISO 27001 certificate

Answer & reasoning

Correct: B

SOC 1 examines controls relevant to user entities’ financial reporting. A payroll processing service directly affects the organization’s financial statements, making SOC 1 the appropriate report. SOC 2 evaluates Trust Services Criteria (security, availability, etc.) but is not specifically designed for financial reporting controls. Type II (operating effectiveness over a period) provides stronger assurance than Type I (design at a point in time).


Question 9

During an ISO 27001 certification audit, the auditor requests evidence that the organization conducts regular risk assessments. The security manager produces a risk register that was last updated 18 months ago. The auditor notes that two major system deployments and a cloud migration occurred during that period with no corresponding risk assessment updates.

What finding will the auditor most likely issue?

A. A major nonconformity — the risk assessment process is not aligned with organizational changes as required by the ISMS
B. An observation suggesting more frequent reviews
C. No finding — 18 months is within acceptable intervals
D. A minor nonconformity for documentation formatting

Answer & reasoning

Correct: A

ISO 27001 requires risk assessments to be performed when significant changes occur. Two major deployments and a cloud migration without corresponding risk assessment updates represent a fundamental ISMS process failure. This is a major nonconformity because the risk assessment process — a core ISMS requirement — is not functioning as designed. An observation would understate the severity.


Question 10

A security team implements breach and attack simulation (BAS) to continuously validate its detection capabilities. After the first month, BAS results show that 40% of simulated attack techniques are not detected by the SIEM or endpoint detection tools.

What is the MOST appropriate response?

A. Replace the SIEM and endpoint detection products
B. Disable BAS simulations that are not being detected
C. Prioritize the undetected techniques by risk and develop detection rules, then use BAS to verify the new rules work
D. Accept the 60% detection rate as adequate for the current threat environment

Answer & reasoning

Correct: C

BAS exists specifically to identify detection gaps. A 40% miss rate provides actionable intelligence about where detection capabilities need improvement. The response should prioritize the undetected techniques by risk (which ones are most likely to be used against your organization?), develop and deploy detection rules, and then re-run BAS to validate the improvements. This creates a continuous improvement cycle.


Question 11

An organization runs authenticated vulnerability scans monthly across its internal network. The security team notices that three database servers consistently show zero vulnerabilities despite running software that is two major versions behind the current release.

What is the MOST likely explanation?

A. The database software is genuinely free of known vulnerabilities
B. The scanner credentials do not have sufficient access to fully assess the database servers, producing false negatives
C. The database servers are protected by network firewalls that prevent vulnerability scanning
D. Older software versions are more stable and therefore more secure

Answer & reasoning

Correct: B

Software that is two major versions behind will have known vulnerabilities. Zero findings on these systems are almost certainly false negatives caused by insufficient scan credentials. The scanner account may lack the database-level access needed to enumerate installed versions and check for database-specific vulnerabilities. The solution is to verify and upgrade the scanner’s credentials or deploy database-specific scanning plugins.


Question 12

A security architect recommends implementing continuous auditing of firewall rule changes to replace the current quarterly manual review process. The network operations manager objects, stating that the quarterly review has been effective for years.

What is the STRONGEST argument for continuous auditing in this scenario?

A. Quarterly reviews only catch unauthorized or erroneous changes after they have been in place for up to 90 days, during which the organization is exposed to the resulting risk
B. Continuous auditing is required by all major regulatory frameworks
C. Continuous auditing is less expensive than quarterly manual reviews
D. Quarterly reviews require too much staff time and disrupt operations

Answer & reasoning

Correct: A

The primary argument for continuous auditing over periodic review is the time gap. A quarterly review means an unauthorized or erroneous firewall rule change could persist for up to 90 days before anyone notices. Continuous auditing detects changes as they occur, dramatically reducing the exposure window. This is a risk-based argument, which is always the strongest justification on the CISSP exam.
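What continuous auditing of firewall rules looks like in practice, as an added example that is not from the original page: a Python script that diffs the current rule export against the last approved baseline and correlates every change with the approved change tickets. The rule sets, rule ids (FW-0010 and so on) and the ticket id CHG-2311 are constructed for the example; in a real deployment the baseline would be the export captured at the last approved state and the ticket map would come from the change management system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR or host
    port: str     # "proto/port" or "any"


# Constructed: rule set as approved at the last review, keyed by rule id.
BASELINE = {
    "FW-0010": Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
    "FW-0011": Rule("allow", "10.0.0.0/8", "10.1.5.20", "tcp/443"),
    "FW-0012": Rule("allow", "10.0.0.0/8", "10.1.5.30", "tcp/22"),
}

# Constructed: rule set exported from the firewall today.
CURRENT = {
    "FW-0010": Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
    "FW-0011": Rule("allow", "10.0.0.0/8", "10.1.5.20", "tcp/443"),
    "FW-0012": Rule("allow", "0.0.0.0/0", "10.1.5.30", "tcp/22"),     # source widened, no ticket
    "FW-0017": Rule("allow", "10.0.0.0/8", "10.1.5.40", "tcp/5432"),  # new, covered by a ticket
    "FW-0018": Rule("allow", "0.0.0.0/0", "10.1.5.20", "tcp/3389"),   # new, no ticket
}

# Constructed: rule ids covered by an approved change ticket since the baseline.
APPROVED_CHANGES = {"FW-0017": "CHG-2311"}


def diff_rules(baseline, current):
    """Return (added, removed, modified) rule ids, each sorted."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(r for r in baseline.keys() & current.keys() if baseline[r] != current[r])
    return added, removed, modified


def audit_rule_changes(baseline, current, approved):
    """Every change is a finding; a change with no approved ticket is unauthorized."""
    added, removed, modified = diff_rules(baseline, current)
    findings = []
    for kind, ids in (("added", added), ("removed", removed), ("modified", modified)):
        for rule_id in ids:
            findings.append({
                "rule_id": rule_id,
                "change": kind,
                "before": baseline.get(rule_id),
                "after": current.get(rule_id),
                "ticket": approved.get(rule_id),
                "authorized": rule_id in approved,
            })
    return findings


def unauthorized_rule_ids(findings):
    """Rule ids whose change has no approved ticket behind it."""
    return sorted(f["rule_id"] for f in findings if not f["authorized"])


if __name__ == "__main__":
    for f in audit_rule_changes(BASELINE, CURRENT, APPROVED_CHANGES):
        status = f"approved via {f['ticket']}" if f["authorized"] else "UNAUTHORIZED"
        print(f"{f['rule_id']} {f['change']:<8} {status}")
```

Run on every configuration export, or triggered by the firewall's own configuration-change event, this flags the widened FW-0012 and the unticketed FW-0018 within minutes of the change rather than at the next quarterly review. The quarterly reviewer sees the same diff; the difference is only how long the unauthorized rules were live before anyone looked.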


Question 13

An auditor discovers that an organization’s security awareness program achieves 97% completion but phishing simulation click rates have remained steady at 22% for the past two years. The program consists of an annual online module with a multiple-choice quiz.

What does this data tell the auditor about the program?

A. The program is effective because completion rates exceed organizational targets
B. The 22% click rate is acceptable for most industries
C. The program measures participation but is not changing employee behavior — the training format needs to evolve beyond annual passive content delivery
D. Phishing simulations are an unfair test of training effectiveness

Answer & reasoning

Correct: C

High completion with stagnant behavioral metrics indicates the training is not producing its intended outcome. Employees are completing the module but not changing their behavior. The KPI (completion rate) looks good while the KRI (phishing click rate) shows the risk is unchanged. Effective programs include frequent reinforcement, role-specific scenarios, immediate feedback on phishing simulations, and varied delivery methods — not just an annual checkbox exercise.


Question 14

A healthcare organization needs to verify that its patient data handling procedures comply with HIPAA requirements. An internal team has proposed conducting the assessment themselves to save costs.

When would an external third-party assessment be necessary instead?

A. When the organization needs independent assurance for regulators, business partners, or patients that the internal team cannot provide due to lack of independence
B. External assessment is always required for HIPAA compliance
C. Only if the internal team lacks technical skills
D. External assessment is never required for HIPAA

Answer & reasoning

Correct: A

While HIPAA does not specifically mandate external assessments, there are situations where internal assessment is insufficient: when regulators, business partners, or covered entity relationships require independent assurance. Internal assessments lack the independence that external stakeholders expect. The decision between internal and external should be based on who needs the assurance and whether internal independence is sufficient for that audience.


Question 15

A development team deploys code to production weekly. The security team currently performs DAST scans against the staging environment before each deployment. Last month, a critical vulnerability was introduced in a Friday deployment and was not discovered until the following Wednesday’s vulnerability scan.

What addition to the testing pipeline would BEST address this gap?

A. Daily vulnerability scans of the production environment
B. Manual penetration testing after each deployment
C. Restricting deployments to once per month
D. SAST integrated into the CI/CD pipeline to catch code-level vulnerabilities before they reach staging

Answer & reasoning

Correct: D

SAST in the CI/CD pipeline catches code-level vulnerabilities during the build phase, before the code ever reaches staging or production. If the vulnerability was a coding flaw, SAST would have flagged it before the Friday deployment. This shifts security testing left in the pipeline, complementing the existing DAST scans in staging. Daily production scans would detect the issue faster but not prevent it. Manual pen testing for weekly deployments is impractical.


Question 16

An organization’s remediation process requires system owners to close vulnerability tickets in the tracking system once a patch is applied. A quarterly audit reveals that 30% of tickets marked “closed” still show the same vulnerability on subsequent scans.

What process improvement is needed?

A. Increase the remediation SLA to give system owners more time
B. Transfer remediation responsibility from system owners to the security team
C. Accept that some patches fail and adjust reporting to account for the 30% failure rate
D. Require verification scanning before tickets can be closed — a patch applied but not confirmed is not a remediation

Answer & reasoning

Correct: D

Tickets closed without verification are assumptions, not confirmed remediations. Adding a verification scan requirement before ticket closure ensures that patches were actually applied successfully and the vulnerability is resolved. A 30% failure rate indicates that patches are failing silently — applied incorrectly, reverted by configuration management tools, or overridden by subsequent changes. Verification closes this accountability gap.
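The closure gate described above, as an added example that is not from the original page: a Python check that refuses to close a remediation ticket unless a scan run after the recorded patch time, on the same host, no longer reports the finding. The ticket, host name and scan histories are constructed, and the finding id CVE-EXAMPLE-0001 is a placeholder rather than a real CVE.

```python
from datetime import datetime

# Constructed remediation ticket: the owner records when the patch was applied.
TICKET = {
    "id": "VULN-4410",
    "host": "app-07",
    "finding": "CVE-EXAMPLE-0001",   # placeholder identifier, not a real CVE
    "patched_at": datetime(2024, 5, 10, 14, 0),
}

# Constructed scan histories for the host. Each entry is one scan and the set
# of finding ids it reported on that host.
SCANS_VERIFIED = [
    {"host": "app-07", "scanned_at": datetime(2024, 5, 9, 2, 0), "findings": {"CVE-EXAMPLE-0001"}},
    {"host": "app-07", "scanned_at": datetime(2024, 5, 11, 2, 0), "findings": set()},
]
SCANS_STILL_VULNERABLE = [
    {"host": "app-07", "scanned_at": datetime(2024, 5, 9, 2, 0), "findings": {"CVE-EXAMPLE-0001"}},
    {"host": "app-07", "scanned_at": datetime(2024, 5, 11, 2, 0), "findings": {"CVE-EXAMPLE-0001"}},
]
# A clean scan that predates the patch proves nothing about the patch; here the
# earlier scan was run without credentials and simply could not see the finding.
SCANS_NOT_YET_VERIFIED = [
    {"host": "app-07", "scanned_at": datetime(2024, 5, 9, 2, 0), "findings": set()},
]


def close_ticket(ticket, scans):
    """Gate on ticket closure.

    Only a scan run after patched_at, on the ticket's host, that no longer reports
    the finding counts as verification. Returns (closed, reason).
    """
    after_patch = [
        s for s in scans
        if s["host"] == ticket["host"] and s["scanned_at"] > ticket["patched_at"]
    ]
    if not after_patch:
        return False, "no verification scan after patched_at; ticket stays open"
    latest = max(after_patch, key=lambda s: s["scanned_at"])
    when = f"{latest['scanned_at']:%Y-%m-%d %H:%M}"
    if ticket["finding"] in latest["findings"]:
        return False, f"scan at {when} still reports {ticket['finding']}; return to owner"
    return True, f"verified absent by scan at {when}"


if __name__ == "__main__":
    for label, scans in (("verified", SCANS_VERIFIED),
                         ("still vulnerable", SCANS_STILL_VULNERABLE),
                         ("not yet verified", SCANS_NOT_YET_VERIFIED)):
        closed, reason = close_ticket(TICKET, scans)
        print(f"{label:<17} closed={closed}  {reason}")
```

The two rejection paths correspond to the two ways the 30% figure arises: a ticket closed before any post-patch scan ran, and a ticket closed even though the post-patch scan still shows the finding. Wiring this check into the ticketing system's closure transition makes "applied" and "verified" distinct states rather than one checkbox.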


Question 17

During a regulatory examination, examiners request the organization’s incident response logs for the past 24 months. The security team discovers that log retention was set to 12 months, and older incident data has been purged.

What governance failure does this represent?

A. Data retention policies were not aligned with regulatory requirements for the organization’s industry
B. The incident response team failed to properly document incidents
C. The SIEM vendor should be held responsible for insufficient storage
D. The examiners are making an unreasonable request

Answer & reasoning

Correct: A

Data retention policies must account for all applicable regulatory requirements. If the regulator expects 24 months of incident data, the organization’s retention policy should retain data for at least that period. Setting retention at 12 months without confirming regulatory requirements is a governance oversight. The security team should have verified retention requirements against all applicable regulations during policy development.


Question 18

A company runs a bug bounty program alongside its annual penetration test. The bug bounty program has produced 45 valid vulnerability reports in the past year, while the penetration test found 12 vulnerabilities. Management questions the value of the penetration test.

What is the BEST response to management?

A. Discontinue the penetration test since the bug bounty program finds more vulnerabilities
B. Increase the penetration test budget to match the bug bounty program’s output
C. Combine both programs into a single assessment
D. The penetration test provides structured, time-bound assessment with guaranteed coverage of defined scope, while the bug bounty provides ongoing discovery of opportunistic findings — both serve different purposes

Answer & reasoning

Correct: D

Penetration tests and bug bounties serve complementary purposes. A penetration test provides structured assessment of a defined scope within a defined timeframe, ensuring specific areas are thoroughly tested. A bug bounty provides continuous, crowd-sourced discovery but with no guarantee of coverage or scope consistency. Volume of findings is not the right comparison metric — each program fills a different assessment need.


Question 19

An internal auditor reviewing the organization’s vulnerability management process asks for evidence of how vulnerabilities are prioritized. The security team shows a process that ranks all vulnerabilities solely by CVSS base score — critical vulnerabilities are remediated first, followed by high, medium, and low.

What observation should the auditor make?

A. The process is sound and follows industry best practice
B. CVSS scores should not be used in vulnerability management at all
C. The process should also incorporate environmental factors such as asset criticality, data classification, network exposure, and threat intelligence to produce risk-based prioritization
D. Only critical vulnerabilities require tracking and remediation

Answer & reasoning

Correct: C

CVSS base scores measure intrinsic vulnerability severity but ignore organizational context. A critical vulnerability on an air-gapped test system has different actual risk than a high vulnerability on an internet-facing payment server. Risk-based prioritization adds environmental factors (asset value, data classification, exposure, threat intelligence, compensating controls) to produce priorities that reflect actual organizational risk, not just theoretical severity.
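Risk-based prioritization worked through in code, as an added example that is not from the original page; it also reflects the point from Question 7 that a compensating control lowers risk during the remediation window without removing it. The weight tables are illustrative assumptions, not values from any standard, and the assets, exposure categories and finding ids (CVE-EXAMPLE-000x placeholders) are constructed. The three findings mirror the explanation above: a 9.8 on an air-gapped lab system ends up last, a 7.5 on an internet-facing payment server with known in-the-wild exploitation ends up first.

```python
from dataclasses import dataclass

# Illustrative weights, assumed for this example; an organization would tune
# these from its asset inventory, data classification scheme and threat intel.
EXPOSURE = {"internet": 1.5, "internal": 1.0, "isolated": 0.3}
CRITICALITY = {"high": 1.5, "medium": 1.2, "low": 0.6}
DATA_CLASS = {"regulated": 1.3, "confidential": 1.2, "internal": 1.0, "public": 0.7}
EXPLOITED_IN_WILD = 1.5        # threat intelligence: active exploitation observed
COMPENSATING_CONTROL = 0.7     # WAF rule, IPS signature or segmentation in front of the flaw


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                   # placeholder ids below, not real CVEs
    cvss_base: float
    exposure: str
    criticality: str
    data_class: str
    exploited_in_wild: bool = False
    compensating_control: bool = False


def risk_score(f):
    """CVSS base score scaled by environmental context; higher means fix first."""
    score = f.cvss_base
    score *= EXPOSURE[f.exposure]
    score *= CRITICALITY[f.criticality]
    score *= DATA_CLASS[f.data_class]
    if f.exploited_in_wild:
        score *= EXPLOITED_IN_WILD
    if f.compensating_control:
        score *= COMPENSATING_CONTROL
    return score


def prioritize(findings):
    """Findings ordered by contextual risk rather than by CVSS base score."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed findings; listed here in CVSS-base order, highest first.
FINDINGS = [
    Finding("test-db-03 (air-gapped lab)", "CVE-EXAMPLE-0001", 9.8, "isolated", "low", "public"),
    Finding("hr-db-01 (internal)", "CVE-EXAMPLE-0002", 8.1, "internal", "medium", "confidential",
            compensating_control=True),
    Finding("pay-web-01 (internet-facing)", "CVE-EXAMPLE-0003", 7.5, "internet", "high", "regulated",
            exploited_in_wild=True),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"risk {risk_score(f):6.2f}  CVSS {f.cvss_base}  {f.asset}  {f.cve}")
```

The score-based process in the question would remediate these in the order 9.8, 8.1, 7.5; the contextual ranking reverses it. The exact multipliers matter less than the structure: every factor the auditor lists (asset criticality, data classification, exposure, threat intelligence, compensating controls) enters the ordering explicitly, so the prioritization decision is documented and repeatable, which is also what the auditor will ask to see.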


Question 20

An organization has passed its SOC 2 Type II audit for three consecutive years. During the fourth year, the security team makes significant infrastructure changes including a new cloud provider, a new identity management system, and a new endpoint detection platform. The audit manager suggests skipping the internal readiness assessment since the organization has a strong audit history.

Why is skipping the readiness assessment a poor decision?

A. Readiness assessments are required by the SOC 2 standard
B. Three years of passing audits have no relevance to the current year
C. The audit firm will refuse to conduct the examination without a readiness assessment
D. The significant infrastructure changes mean the control environment has fundamentally changed, and previous audit results do not validate the current state

Answer & reasoning

Correct: D

Significant infrastructure changes invalidate prior audit assurance. A new cloud provider, identity system, and endpoint platform mean the control environment is fundamentally different from what was audited previously. Prior passing results validated the old environment. The readiness assessment is essential to identify gaps in the new environment before the formal audit occurs. Past performance does not guarantee current compliance after major changes.
