CompTIA Updated CY0-001 Exam Questions and Answers by evalyn

Basic Concept: An on-path (formerly man-in-the-middle) attack intercepts communication between two parties, allowing the attacker to read, modify, or inject content. In the context of a generative AI application, an on-path attack on the session between user and AI service can manipulate prompts being sent to the model or responses being returned to users. CompTIA SecAI+ covers AI-specific attack vectors under securing AI systems.

Why B is Correct: Session hijacking involves an attacker taking control of an active user session by capturing or forging session tokens. In this attack, the attacker intercepts the communication channel between users and the AI application, allowing them to modify prompts sent to the model or replace legitimate model responses with offensive content. This explains why outputs seem unrelated to prompts and contain offensive material.

Why A is Wrong: Application server hijacking involves gaining unauthorized control of the server hosting the application. While severe, this would typically manifest as complete service disruption or data exfiltration rather than targeted modification of individual user session content.

Why C is Wrong: Domain hijacking involves unauthorized transfer of a domain name registration, redirecting all users to a different IP address. This would affect all users simultaneously and typically redirect to a completely different site rather than manipulating individual AI responses.

Why D is Wrong: Model hijacking refers to attacks that steal or replicate an AI model, not to intercepting and modifying the communication between users and an existing model during active sessions.

Basic Concept: Security assessment of AI-generated code requires a systematic review of the code itself to understand what has been generated and identify potential vulnerabilities before remediation steps are taken. Security assessments follow a structured methodology beginning with understanding the current state. CompTIA SecAI+ Study Guide covers AI-generated code security assessment under AI-assisted security.

Why D is Correct: Performing a source code review is the first and most fundamental step in assessing AI-generated code security. Before removing secrets, enforcing access controls, or scanning for sensitive data, the analyst must understand what the AI tool has generated by reviewing the code for security vulnerabilities, insecure patterns, logic flaws, and policy violations. The review provides the baseline knowledge needed to prioritize and direct all subsequent remediation actions.

Why A is Wrong: Removing hard-coded secrets is a specific remediation action for a specific finding. This step should come after the source code review has identified the presence and location of hard-coded secrets, not before the initial assessment reveals whether they exist.

Why B is Wrong: Enforcing access controls for code repositories is a security hardening measure for the repository infrastructure. It protects access to existing code but does not constitute an assessment of what the AI tool has generated from a security standpoint.

Why C is Wrong: Enabling sensitive data discovery scans repositories for PII and sensitive information patterns. While valuable as part of the assessment, it is a specific automated scanning tool best used after or alongside a manual code review that provides contextual understanding of the codebase.

Basic Concept: Deepfakes are AI-generated synthetic media that convincingly replace or manipulate a person ' s likeness, voice, or actions in images and videos. Creating realistic deepfakes requires generative AI techniques capable of learning and reproducing complex data distributions. CompTIA SecAI+ Exam Objectives cover deepfake technology under basic AI concepts.

Why A is Correct: Generative Adversarial Networks (GANs) are the primary technology behind deepfakes. A GAN consists of two competing neural networks: a generator that creates synthetic content and a discriminator that evaluates whether content is real or fake. Through adversarial training, the generator continuously improves at creating convincing synthetic media such as realistic human faces, voice clones, and video manipulations indistinguishable from authentic recordings.

Why B is Wrong: Multi-shot prompting is a prompting technique where multiple examples are provided to an LLM to guide its responses. It is an inference technique for language models and has no role in generating synthetic video or image deepfake content.

Why C is Wrong: Prompt engineering is the practice of crafting effective prompts to guide LLM outputs. It is a communication strategy for working with text-based AI systems, not a technology for generating synthetic media.

Why D is Wrong: Transfer learning is a training technique that repurposes knowledge from one domain to another, improving model performance with limited data. While it can be used in model training pipelines, it is not the core technology that enables deepfake generation.

Basic Concept: Modern penetration testing increasingly leverages AI to automate the reconnaissance, exploitation, and pivoting process. AI-assisted automated penetration testing can adapt its strategy based on previous results, simulating intelligent adversary behavior more realistically than static scripts. CompTIA SecAI+ covers AI-assisted offensive security techniques.

Why D is Correct: Automated penetration testing uses AI to systematically discover and attempt to exploit vulnerabilities while adapting tactics based on the results of previous attempts. The described behavior — looking at the current state, suggesting attack vectors, and adjusting based on outcomes — precisely describes an adaptive AI-driven penetration testing tool that iteratively explores the attack surface, mimicking how an advanced persistent threat would operate.

Why A is Wrong: Manual signature matching compares network traffic or files against a database of known threat signatures. It is a passive detection technique used by defensive tools like IDS/IPS, not an adaptive offensive technique for bypassing organizational boundaries.

Why B is Wrong: Code quality testing analyzes source code for bugs, vulnerabilities, and adherence to coding standards. It is a development quality assurance activity, not an offensive security technique for testing organizational security boundaries.

Why C is Wrong: Fraud detection uses ML to identify suspicious patterns in transactions or user behavior for defensive purposes. It is a preventive security measure, not an offensive technique for penetration testing.