The exam describes a device access scenario and asks which NAC agent type to use. The answer is determined entirely by two keywords in the scenario: who owns the device and whether software can be installed.
- Corporate-managed device, software installation permitted → Persistent agent. Permanently installed, continuously monitors, receives updates.
- Guest, contractor, BYOD, or “no software installation allowed” → Dissolvable agent. Downloaded at login, runs without installation, self-terminates when session ends.
- Active Directory environment, assessment only at login/logoff → Agentless NAC. No agent at all; uses AD integration. Cannot assess non-domain devices or check real-time process state.
Common distractors to reject:
- “EDR agent” as an answer to a posture assessment question — EDR is a behavioral monitoring tool, not a NAC posture assessment mechanism. Wrong category entirely.
- Agentless NAC for contractors — contractors are typically not in the corporate AD, so agentless NAC cannot assess them at all.
- Persistent agent for guest devices — guest devices cannot have software permanently installed by the host organization.
The exam will present a scenario where traditional antivirus did NOT detect an attack and ask what technology would have. The answer structure is always the same:
- New malware binary, no prior signature → AV fails (no signature) → EDR succeeds (behavioral analysis + ML detect the behavior)
- Fileless attack in memory (no file written to disk) → AV fails (nothing to scan) → EDR succeeds (monitors memory and process behavior)
- Polymorphic malware (changes signature each run) → AV fails (signature never matches) → EDR succeeds (behavior remains consistent even if binary changes)
- Office macro spawning a shell process → AV fails (macro is in a legitimate document) → EDR succeeds (abnormal parent-child process relationship is detectable)
Key EDR capability question mappings:
- “How did the attacker get in and what exactly did they do?” → Root cause analysis
- “Ransomware encrypted files; restore them automatically” → Automated rollback (VSS snapshots)
- “Isolate the infected endpoint immediately” → Automated isolation
- “Trigger a SOAR playbook when EDR detects a threat” → API-driven response
The exam will use specific language patterns that signal XDR is the answer. The signal is always some combination of multiple security domains being mentioned together in the same detection or investigation context:
- Endpoint + network + cloud mentioned together → XDR correlates all three domains
- “Unified view”, “single pane of glass”, or “single platform” covering multiple tool types → XDR
- Multi-stage attack spanning email, endpoint, lateral movement, cloud storage → XDR detects the connected chain; no single tool would see all stages
- “Reduces false positives by correlating context across tools” → XDR (context from multiple domains validates or dismisses single-domain alerts)
XDR vs. SIEM distinction (the exam may offer both):
- SIEM also collects multi-source logs — but SIEM relies on manually written correlation rules, requires analyst effort to connect cross-domain events, and is primarily a log aggregation and alerting platform.
- XDR natively integrates with security tools, automatically correlates cross-domain events, and provides automated response capabilities — not just alerting.
- Exam language: “automatically correlates”, “natively integrated”, “cross-domain detection” = XDR. “Aggregates logs”, “correlation rules”, “analyst reviews alerts” = SIEM.
The exam uses UBA in scenarios where all traditional controls have been bypassed because the attacker is using legitimate credentials or a legitimate user is behaving badly. The trigger is: no rule was broken, no signature was matched, but something is clearly wrong.
- “Impossible travel” — same account authenticated from two countries within minutes → UBA detects the physical impossibility
- Unusual access volume — user accessed 10× more files than normal average → UBA detects statistical anomaly
- After-hours access — account that works 9–5 connects at 3 AM → UBA detects time-of-day deviation
- New resource access — user accesses a database or server they have never touched before → UBA detects scope expansion
- Service account interactive login — an account that never generates interactive sessions authenticates to a workstation → UBA detects account type behavioral mismatch
Why UBA is the answer for insider threat and credential theft: Both involve an account with valid permissions performing actions those permissions technically allow. No ACL is violated. No malware signature fires. No rule is broken. Only a deviation from established behavioral baseline is visible — which is exactly what UBA monitors.