The exam will describe exercises and ask you to identify them. Use this filter: does anything execute on a live system?
- No live systems, discussion only → Tabletop exercise
- Live test environment, real procedures executed → Simulation
- Real attacker vs. real defenses → Red team / purple team exercise
Trick phrase: "Tabletop = Talk Only, No Touch." If the scenario says the team "sat around a table" or "discussed without accessing systems," it is always a tabletop. The word "simulation" in an answer choice does not automatically mean simulation exercise — read whether live systems are involved.
Exam trap: A question may describe a phishing campaign sent to real users and ask whether it is a tabletop or a simulation. Real users receiving real emails = live system interaction = simulation, not tabletop.
Root cause analysis questions test whether you know where to stop asking "why." The answer: keep asking until you reach a process failure or organizational/cultural failure — not a technical configuration.
Pattern recognition for exam questions:
- Any answer that says "the root cause was the misconfigured firewall" → Wrong. That is a proximate cause.
- Any answer that says "the root cause was the change management process failure that allowed an unreviewed change" → Correct. That is a root cause.
- Any answer that says "the root cause was employee negligence" → Wrong. Blame is not a root cause.
Memory hook: RCA produces process improvements, not blame assignments. If the conclusion names a person or a single technical object, dig deeper.
Also remember: multiple root causes are normal. A question presenting one cause and asking what is missing is testing whether you know all contributing causes must be addressed.
This pair is a favorite exam distinction. Both involve threats, but the direction is opposite:
- Threat intelligence → Reactive. Someone already saw the threat, characterized it, and published an IOC. You match against known-bad. Backward-looking.
- Threat hunting → Proactive. An analyst hypothesizes how an unknown threat would behave and goes looking before any alert fires. Forward-looking.
Exam trigger words: "proactive search," "hypothesis-driven," "before any alert" → Threat hunting. "IOC matching," "threat feed," "known malicious indicator" → Threat intelligence.
Both are necessary. The exam may ask which one addresses sophisticated attacks that avoid known-bad indicators → Threat hunting. Which one updates SIEM signatures → Threat intelligence.
Phishing simulation questions will describe results and ask what was tested or what two failures were revealed. Remember: phishing simulations always test two layers simultaneously.
- Layer 1: Humans — did users click? Did users report? Measures security awareness training effectiveness.
- Layer 2: Technology — did the message reach the inbox? Did filters fire? Measures email security control effectiveness.
If an exam question says "the phishing email bypassed filters AND 40% of users clicked," the answer describing only the human failure or only the filter failure is wrong. Two failures = two root causes. Both must be addressed.
Also: a simulation where every email is caught and every user passes reveals nothing useful. Realistic lures are required to measure genuine susceptibility — this may appear as an ethics/methodology question.
Practice Scenarios
An organization runs four training events:
- The CISO, legal team, and IR manager meet for two hours to discuss how they would respond to a ransomware demand, making no system changes.
- The IR team deploys a cloned server environment and executes forensic acquisition and containment procedures against a planted malware sample.
- A security vendor sends 200 crafted phishing emails to employees and records who clicks and which messages reach the inbox.
- An external red team attempts to breach production defenses while the internal security team attempts detection and response.
Classify each (tabletop, simulation, phishing simulation, red team exercise) and order them from lowest to highest cost.
Answer: (1) Tabletop — verbal discussion, no systems. (2) Simulation — live test environment, real procedures. (3) Phishing simulation — real users, real emails, real filters. (4) Red team exercise — real attacker vs. real defenses. Cost order: tabletop (lowest) → simulation → phishing simulation → red team (highest).
A successful data breach investigation reveals the following facts: an attacker exploited an unpatched web application vulnerability; the patch was available for 90 days but had not been applied because the patching team was overwhelmed with other priorities; the exploit triggered a SIEM alert that was marked "acknowledged" by an analyst but never investigated; the attacker exfiltrated data for 3 weeks before discovery because no data loss prevention tool was in place.
Identify all root causes. What does fixing only the unpatched vulnerability miss?
Answer: Three root causes: (1) Patch management process failure — 90-day-old patches not applied indicates a staffing or prioritization process failure, not just one missed patch. (2) Alert handling failure — an acknowledged-but-not-investigated alert indicates a process gap (analyst capacity, triage procedures, or escalation rules). (3) Missing DLP control — exfiltration continued for 3 weeks undetected, indicating a monitoring gap. Fixing only the vulnerability addresses the initial entry point but leaves the patch backlog, the alert handling gap, and the DLP gap all active. The next attacker uses a different vulnerability through the same unpatched backlog.
A security manager reviews the team's capabilities and notices that all threat detection relies on SIEM rules matching against known-bad IP addresses and file hashes. A recent industry report describes a threat actor group that exclusively uses legitimate Windows administration tools (PowerShell, WMI) and never touches known-bad domains or IP addresses.
Why would threat intelligence feeds fail to detect this actor? What capability would detect them? What data sources would that capability use?
Answer: Threat intelligence feeds only detect activity matching already-known-bad indicators (IP addresses, file hashes, domains). An actor using legitimate tools will never match those indicators — their traffic looks like normal administrative activity. The reactive gap means the actor can operate indefinitely without triggering a single alert. Threat hunting would detect them: a hunter hypothesizes "what would WMI/PowerShell lateral movement look like in our environment?" and queries EDR telemetry for PowerShell spawning from unusual parent processes, WMI connections between workstations (not just server-to-server), and accounts performing remote administration at unusual hours. Data sources: EDR process telemetry, SIEM for aggregated correlation, behavioral analytics to baseline what normal PowerShell usage looks like per user/system.