Free CFR Practice Questions

10 free, exam-style CyberSec First Responder (CFR) practice questions with answers and explanations. No signup required. Work through them below, then take the full free CFR practice test to study every exam domain.

Question 1

A SIEM alert shows a user account logged in from London at 10:00 AM and from Tokyo at 10:15 AM on the same day. This is BEST described as:

  1. A VPN routing anomaly
  2. A time zone misconfiguration
  3. A geo-velocity anomaly
  4. Normal travel behavior

Correct answer: C - A geo-velocity anomaly

Question 2

A company discovers malware on a workstation that encrypts all local files and network shares, then displays a ransom demand. The FIRST containment action should be to:

  1. Disconnect the workstation from the network
  2. Pay the ransom to decrypt the files immediately
  3. Run a comprehensive antivirus scan on the system
  4. Notify law enforcement and regulatory authorities

Correct answer: A - Disconnect the workstation from the network

Question 3

Implementing both a network firewall AND a host-based firewall is an example of:

  1. Redundant and unnecessary security
  2. A compliance violation
  3. Single point of failure
  4. Defense-in-depth strategy

Correct answer: D - Defense-in-depth strategy

Question 4

An analyst needs to collect evidence from a compromised laptop. The laptop is currently running. Which is the correct order of collection from MOST to LEAST volatile?

  1. RAM → Swap files → Disk → Remote logs
  2. RAM → Network connections → Disk → Registry
  3. Swap files → RAM → Network state → Disk
  4. Network traffic → RAM → Swap files → Disk

Correct answer: A - RAM → Swap files → Disk → Remote logs

Question 5

To count the number of unique source IP addresses in an Apache access log, an analyst would MOST likely use which combination of commands?

  1. grep access.log | head -n 10
  2. cat access.log | wc -l | sort
  3. awk '{print $1}' access.log | sort | uniq
  4. tail -f access.log | grep -c IP

Correct answer: C - awk '{print $1}' access.log | sort | uniq

Question 6

An attacker sends a spear-phishing email with a malicious attachment (Initial Access), the user opens it and a macro executes PowerShell (Execution), which downloads and installs a RAT (Persistence). Mapping these to ATT&CK involves:

  1. Categorizing only the initial attack vector used
  2. Identifying tactics and techniques for each step
  3. Documenting only the persistence mechanism established
  4. Prioritizing the highest-impact technique observed

Correct answer: B - Identifying tactics and techniques for each step

Question 7

A security analyst investigates a compromised Windows system and finds Event IDs 4720 (account created) and 4732 (added to admin group) for an unknown account at 3:00 AM. This indicates:

  1. Normal IT operations
  2. Scheduled Active Directory replication
  3. Software installation requiring admin rights
  4. Backdoor admin account creation

Correct answer: D - Backdoor admin account creation

Question 8

A forensic analyst uses Volatility and finds that pslist shows 45 processes but psscan shows 48. The 3 additional processes found by psscan are MOST likely:

  1. Hidden or terminated processes
  2. Duplicate process entries
  3. System services that are hidden
  4. Normal operating system behavior

Correct answer: A - Hidden or terminated processes

Question 9

An organization performs a full backup on Sunday and incremental backups Monday through Saturday. If the system fails on Thursday, restoration requires:

  1. Sunday's full backup plus Monday and Tuesday incrementals only
  2. Sunday's full backup plus Monday through Wednesday incrementals
  3. Sunday's full backup plus all incremental backups through Thursday
  4. Sunday's full backup plus Wednesday's differential and Thursday's incremental

Correct answer: B - Sunday's full backup plus Monday through Wednesday incrementals

Question 10

An organization receives a threat intelligence report indicating a new vulnerability (CVSS 9.8) affects their web server software. What should be the FIRST action?

  1. Immediately shut down all web servers
  2. Conduct a full penetration test
  3. Assess which systems are affected
  4. Notify law enforcement immediately

Correct answer: C - Assess which systems are affected
