The latest changes and updates from the administration for this exam.
Latest Update: Jun 20 2026
Correct Answer: A
A is correct: Cross-entity correlation is the correct answer. UEBA platforms aggregate and correlate multiple low-severity behavioral anomalies across different activity types, such as authentication, resource access, and data transfer, to calculate a composite risk score for an entity. While a single anomaly may not indicate a threat, the correlation of multiple deviations from established behavioral baselines increases the confidence that a genuine security incident is occurring. This approach enables the SOC to prioritize investigations based on the combined risk assessment rather than evaluating each anomaly in isolation.
B is incorrect: Static threshold alerting generates alerts based on fixed numerical limits rather than behavioral context. This approach cannot evaluate the combined risk of multiple different types of low-severity anomalies occurring together, such as unusual login timing combined with first-time resource access. UEBA uses dynamic behavioral baselines and cross-activity correlation to assess risk holistically, which is fundamentally different from threshold-based alerting that only monitors single metrics.
C is incorrect: Signature matching relies on predefined patterns of known attacks and cannot dynamically assess the risk of novel activity sequences that have not been previously cataloged. UEBA's advantage over signature-based approaches is its ability to detect previously unknown threat patterns through behavioral analysis and cross-activity anomaly correlation, rather than depending on matching against a static database of known attack sequences that may not include the specific combination observed.
D is incorrect: Network flow inspection focuses on analyzing network traffic characteristics such as packet sizes, protocols, and bandwidth patterns. It does not correlate behavioral anomalies across different activity types like authentication timing, resource access history, and device associations. UEBA operates at the behavioral analysis layer, correlating entity activities across multiple data sources rather than inspecting individual network flow characteristics in transit.
Correct Answer: D
A is incorrect: Adversarial perturbations designed to cause misclassification are characteristic of evasion attacks, which target model integrity by manipulating classification decisions. Attribute inference attacks aim to extract sensitive information about training data records from model responses, not to degrade model accuracy. These represent fundamentally different attack objectives at the inference layer. Reference: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-2e2025.pdf
B is incorrect: High-volume randomized queries from distributed sources are more indicative of a denial-of-service attack, model extraction attempt, or resource exhaustion than an attribute inference attack. Attribute inference requires structured queries with partial knowledge of specific records, not random input flooding. This pattern would appropriately trigger rate-limiting and availability-focused alerts.
C is incorrect: Repeated identical queries suggest automated polling, health monitoring, or availability testing rather than an inference attack. Attribute inference attacks require systematic variation of attribute values in the queries to probe the model's responses for information about unknown attributes. A pattern of identical queries lacks the strategic variation needed for attribute inference.
D is correct: This is the correct indicator to prioritize. An attribute inference attack involves an attacker who has partial knowledge about a training data record and attempts to infer the remaining sensitive attributes by querying the model systematically. NIST AI 100-2 defines attribute inference attacks as attacks that infer sensitive attributes given partial knowledge about the record. Detecting queries with partial records and systematic attribute variation is the most relevant behavioral signal for this attack type. Reference: https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-2e2025.pdf
Correct Answer: A
A is correct: UEBA platforms establish per-entity dynamic baselines because each user, host, and application exhibits unique behavioral patterns. What is normal for one entity may be anomalous for another. For example, a developer regularly accessing code repositories at unusual hours would have a different baseline than a finance analyst who works standard hours. Per-entity baselines ensure that anomaly thresholds are calibrated to each entity's actual behavior, significantly reducing false positives while improving true positive detection rates.
B is incorrect: Per-entity baselines do not eliminate the initial learning period. UEBA systems require a learning period to collect sufficient historical data before behavioral baselines can be established for each entity. This period can range from several days to weeks depending on the data sources and the activity volume of each entity. During this initial phase, anomaly detection capabilities are limited until the system has observed enough data to build reliable behavioral profiles.
C is incorrect: In practice, a single organizational baseline would typically require less storage and processing overhead than maintaining individual dynamic baselines for every entity. Per-entity baselining is more resource-intensive because it builds and continuously updates separate behavioral models for each user, host, and application. The justification for per-entity baselines is improved detection accuracy, not reduced resource consumption compared to organizational baselines.
D is incorrect: While per-entity baselines significantly reduce false positives compared to static organizational thresholds, they do not eliminate false positives entirely. Anomalies flagged by UEBA do not always indicate malicious activity, as legitimate behavioral changes such as new job responsibilities or travel can trigger alerts. Per-entity baselines improve detection accuracy but still require analyst review and triage to determine whether an anomaly represents a genuine threat.
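As an added example (not part of the original exam material), the Python sketch below ties together the two UEBA points above: per-entity dynamic baselines and cross-activity correlation into a composite risk score. The entities, their history, the weights and the alert threshold are all constructed for the illustration; no UEBA product uses these exact values. The same 02:00 login that is normal for the night-shift developer is anomalous for the finance analyst, and a single anomaly stays below the alert line while two or three correlated ones cross it.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Weight each activity type carries in the composite score and the alert cut-off.
# Both are assumptions chosen for the example, not values from any UEBA product.
WEIGHTS = {"login": 30, "access": 30, "transfer": 40}
ALERT_THRESHOLD = 50

# Constructed history per entity: (entity, activity_type, value).
# login -> hour of day, access -> resource name, transfer -> megabytes moved.
BASELINE_EVENTS = [
    # dev_alice habitually works at night on repositories and moves ~50 MB
    *[("dev_alice", "login", h) for h in (22, 23, 1, 2, 23, 0, 1, 22)],
    *[("dev_alice", "access", r) for r in ("git-repo", "ci-server", "git-repo", "wiki")],
    *[("dev_alice", "transfer", mb) for mb in (40, 55, 48, 60, 52)],
    # fin_bob keeps office hours, uses the ledger and moves ~5 MB
    *[("fin_bob", "login", h) for h in (8, 9, 9, 8, 10, 9, 8, 9)],
    *[("fin_bob", "access", r) for r in ("ledger", "ledger", "erp", "ledger")],
    *[("fin_bob", "transfer", mb) for mb in (4, 6, 5, 5, 7)],
]


def build_baselines(events):
    """One baseline per entity: habitual login hours, resources seen, transfer mean/stdev."""
    grouped = defaultdict(lambda: defaultdict(list))
    for entity, kind, value in events:
        grouped[entity][kind].append(value)
    baselines = {}
    for entity, kinds in grouped.items():
        transfers = kinds["transfer"] or [0.0]
        baselines[entity] = {
            "login": set(kinds["login"]),
            "access": set(kinds["access"]),
            # pstdev of a constant series is 0; fall back to 1.0 to avoid dividing by zero
            "transfer": (mean(transfers), pstdev(transfers) or 1.0),
        }
    return baselines


def anomaly_score(baseline, kind, value):
    """Score one observation from 0.0 (normal for this entity) to 1.0 (fully anomalous)."""
    if kind == "login":
        if not baseline["login"]:
            return 1.0  # no history at all: treat as anomalous until the learning period ends
        # Circular distance to the nearest habitual login hour; within one hour is normal.
        dist = min(min(abs(value - h), 24 - abs(value - h)) for h in baseline["login"])
        return 0.0 if dist <= 1 else 1.0
    if kind == "access":
        return 0.0 if value in baseline["access"] else 1.0
    if kind == "transfer":
        mu, sigma = baseline["transfer"]
        z = (value - mu) / sigma
        return min(max(z, 0.0) / 3.0, 1.0)  # saturate at three sigma above the mean
    raise ValueError(f"unknown activity type: {kind}")


def composite_risk(baselines, entity, observations):
    """Correlate anomalies across activity types for one entity into a composite score.

    Returns (score, contributions) where contributions maps activity type to points.
    """
    baseline = baselines[entity]
    contributions = {}
    for kind, value in observations:
        points = round(WEIGHTS[kind] * anomaly_score(baseline, kind, value), 1)
        if points > 0:
            contributions[kind] = max(contributions.get(kind, 0.0), points)
    return sum(contributions.values()), contributions


def should_alert(score, threshold=ALERT_THRESHOLD):
    return score >= threshold


if __name__ == "__main__":
    baselines = build_baselines(BASELINE_EVENTS)
    scenarios = {
        "dev_alice: 02:00 login + git-repo": ("dev_alice", [("login", 2), ("access", "git-repo")]),
        "fin_bob: 02:00 login only": ("fin_bob", [("login", 2)]),
        "fin_bob: 02:00 login + first git-repo access": ("fin_bob", [("login", 2), ("access", "git-repo")]),
        "fin_bob: ... + 500 MB transfer": ("fin_bob", [("login", 2), ("access", "git-repo"), ("transfer", 500)]),
    }
    for label, (entity, obs) in scenarios.items():
        score, why = composite_risk(baselines, entity, obs)
        print(f"{label:48s} score={score:5.1f} alert={should_alert(score)} {why}")
```

The learning-period caveat from the answer key shows up in the guard for an entity with no login history, and the false-positive caveat is visible in the threshold: a new resource access or an odd login hour on its own scores below it, so analyst triage still decides what the correlated alerts mean.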
Correct Answer: D
A is incorrect: Increasing the token output limit expands the length of responses the model can generate but does not address the prompt injection vulnerability. Allowing longer outputs could actually worsen the situation by giving the compromised model more space to disclose sensitive internal configuration details. The core issue is that malicious inputs override the system prompt, and increasing output capacity does nothing to validate or filter the inputs causing this behavior. Reference: https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html
B is incorrect: Output caching serves stored responses for frequently asked questions, which can reduce model invocations and improve performance. However, caching is not a security control and does not prevent prompt injection. Novel or crafted inputs that do not match cached queries would still reach the model, allowing the attacker to bypass caching entirely and exploit the injection vulnerability with unique malicious prompts that trigger system prompt disclosure. Reference: https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html
C is incorrect: Mutual TLS authenticates both the client and server in API communications, ensuring secure machine-to-machine connections between the gateway and the model backend. While mTLS strengthens infrastructure security, it does not address prompt injection because the attack occurs within the content of authenticated user requests. The malicious input would still be forwarded from the gateway to the model over the mTLS-secured connection without any content inspection. Reference: https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html
D is correct: Deploying input filtering is the most appropriate control for this scenario. Prompt injection occurs when crafted user inputs manipulate the model into ignoring its system-level instructions and performing unintended actions, such as disclosing internal configuration. Input filtering analyzes incoming prompts for known injection patterns and adversarial structures before they reach the model, blocking or flagging malicious inputs. This control directly addresses the vulnerability at the API gateway layer by preventing harmful prompts from being processed. Reference: https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html
Correct Answer: D
A is incorrect: Governing, mapping, and measuring correspond to three of the four core NIST AI RMF functions, not the risk response options within the Manage function. Monitoring is an ongoing activity within the Manage and Measure functions. These terms describe the organizational structure of the framework's risk management process, not the specific options for responding to individually identified high-priority risks. Reference: https://airc.nist.gov/airmf-resources/playbook/manage/
B is incorrect: Testing, evaluation, verification, and validation (TEVV) are foundational risk management activities integrated throughout the AI lifecycle in the NIST AI RMF. While TEVV tasks provide critical knowledge and feedback for risk management decisions, they are assessment and assurance activities, not the formal risk response options defined by the Manage function for treating identified risks. Reference: https://airc.nist.gov/airmf-resources/playbook/manage/
C is incorrect: These activities describe aspects of risk assessment and incident handling rather than the risk response options defined by the NIST AI RMF Manage function. Identifying and classifying risks are activities associated with the Map function, while prioritizing risks involves both Map and Measure functions. Remediation is a general security term not used as a formal risk response category within the framework. Reference: https://airc.nist.gov/airmf-resources/playbook/manage/
D is correct: Mitigating, transferring, avoiding, or accepting is the correct answer. According to the NIST AI RMF Manage function, risk response options can include mitigating, transferring, avoiding, or accepting identified risks. These responses are developed, planned, and documented for high-priority risks identified by the Map function, using established risk tolerances from the Govern function to guide appropriate treatment decisions. Reference: https://airc.nist.gov/airmf-resources/playbook/manage/
Correct Answer: A
A is correct: FGSM is a single-step gradient-based attack that generates adversarial examples with one computation of the loss gradient. While effective as a baseline, adversarial training using only FGSM-generated examples often does not provide sufficient robustness against stronger multi-step iterative attacks such as Projected Gradient Descent (PGD). PGD applies multiple gradient steps to find more potent adversarial examples closer to the model's true decision boundary. Training with a diverse set of attack methods including iterative techniques provides broader adversarial coverage and more robust model hardening. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
B is incorrect: FGSM adversarial examples are perturbations applied to model inputs within a defined epsilon budget, and they are relevant to any domain, including network traffic classification. The issue is not that FGSM examples are dissimilar from real traffic, but rather that FGSM as a single-step method does not produce sufficiently strong adversarial examples to prepare the model for more powerful iterative attack strategies. The limitation is in the attack strength and diversity, not in the domain relevance of the generated adversarial examples. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
C is incorrect: Adversarial training can be applied to neural networks of varying depth and complexity. The effectiveness of adversarial training is not dependent on reducing model depth. Deeper models with more capacity may actually benefit more from adversarial training because they can better learn to represent both clean and adversarial feature distributions. The model's continued vulnerability is attributed to the limited adversarial coverage of FGSM-only training rather than to the model's architectural depth or complexity. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
D is incorrect: Adversarial training has been demonstrated to be effective across multiple AI application domains including image classification, natural language processing, malware detection, and network intrusion detection systems. The technique is not limited to any single domain. The model's continued vulnerability is due to the limited diversity of adversarial examples used during training, specifically the reliance on a single-step attack method, not an inherent limitation of adversarial training for network anomaly detection. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2025/final
Correct Answer: B
A is incorrect: Differential privacy adds mathematical noise to training data to protect individual data points from being extracted from the model. While differential privacy is important for protecting data subject privacy during model training, it is a privacy-preserving technique that does not create pipeline activity records or provide the traceability information needed for incident response investigations into a compromised model.
B is correct: Immutable audit logs capturing end-to-end pipeline activities is correct. Immutable audit logs provide a tamper-proof record of all actions, artifacts, and decisions across the ML pipeline, including dataset versions, code commits, training parameters, and approval workflows. During an incident, these logs enable the response team to rapidly trace the compromised model back to its originating components, identify the point of compromise, and determine the scope of impact, directly supporting incident response and forensic investigation obligations.
C is incorrect: Automated model rollback reverts a production deployment to a previous stable version when performance metrics fall below defined thresholds. While rollback helps restore operational capability during an incident, it is a recovery mechanism that does not provide investigators with the forensic details about which datasets, code versions, and approval workflows were associated with the compromised model version.
D is incorrect: Network segmentation separates training infrastructure from production environments to limit lateral movement and reduce the blast radius of a security breach. While segmentation is an important preventive security control, it does not provide the historical artifact records and pipeline activity documentation that incident responders need to trace a compromised model back to its datasets, code, and approval history during an investigation.
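As an added example (not part of the original exam material), the Python below shows the property the correct answer relies on: an append-only, hash-chained pipeline log whose entries each commit to the previous one, so a later edit to a dataset or commit record is detectable, and a lineage query that walks the chain from a model id back to its dataset, code commit, parameters, approvals and deployments. The event schema, the ids (ds-v3, git-abc123, model-7) and the names are constructed for the illustration; the dataset digest is a placeholder.

```python
import hashlib
import json


class PipelineAuditLog:
    """Append-only, hash-chained log of ML pipeline events (in-memory toy for the example).

    Each entry commits to the previous entry's hash, so editing, removing or reordering
    any earlier record breaks every later hash and is caught by verify().
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev_hash, event):
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

    def append(self, event):
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "prev": prev_hash, "event": event,
                 "hash": self._digest(prev_hash, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev_hash = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev_hash:
                return False
            if self._digest(prev_hash, entry["event"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def lineage(self, model_id):
        """Trace a model back to its dataset, code commit, parameters, approvals and deployments."""
        by_id, train = {}, None
        approved_by, deployments = [], []
        for entry in self.entries:
            ev = entry["event"]
            if ev["type"] in ("dataset", "commit"):
                by_id[ev["id"]] = ev
            elif ev["type"] == "train" and ev["model"] == model_id:
                train = ev
            elif ev["type"] == "approve" and ev["model"] == model_id:
                approved_by.append(ev["by"])
            elif ev["type"] == "deploy" and ev["model"] == model_id:
                deployments.append(ev["env"])
        if train is None:
            return None
        return {
            "dataset": by_id.get(train["dataset"]),
            "commit": by_id.get(train["commit"]),
            "params": train["params"],
            "approved_by": approved_by,
            "deployments": deployments,
        }


def build_sample_log():
    """Constructed pipeline history; ids, digests and names are invented for the example."""
    log = PipelineAuditLog()
    log.append({"type": "dataset", "id": "ds-v3", "sha256": "<dataset digest placeholder>",
                "owner": "data-eng"})
    log.append({"type": "commit", "id": "git-abc123", "repo": "ml/train", "author": "dev-alice"})
    log.append({"type": "train", "model": "model-7", "dataset": "ds-v3", "commit": "git-abc123",
                "params": {"epochs": 10, "lr": 0.001}})
    log.append({"type": "approve", "model": "model-7", "by": "ml-lead"})
    log.append({"type": "deploy", "model": "model-7", "env": "prod"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("lineage of model-7:", json.dumps(log.lineage("model-7"), indent=2))
    # Simulate someone quietly rewriting the dataset record after the fact.
    log.entries[0]["event"]["id"] = "ds-v9"
    print("chain intact after tampering:", log.verify())
```

The chain only proves integrity relative to its head hash, so in a real deployment that head would be anchored outside the writer's control (WORM or object-lock storage, or an external timestamping service); an in-process list like this one can be rewritten wholesale by anyone who controls the host.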
Correct Answer: A
A is correct: Storing API keys in a cloud-native secrets management service removes sensitive credentials from source code and centralizes their lifecycle management. The application retrieves the keys securely at runtime through authorized API calls, ensuring credentials are never persisted in code repositories. Secrets management services also enable capabilities such as automated rotation, granular IAM-based access control, versioning, and audit logging of all secret access events. This approach is the industry-standard best practice for handling credentials in AI applications and prevents the common risk of accidental exposure through public repositories.
B is incorrect: Base64 encoding is a reversible encoding scheme, not an encryption method, and provides no meaningful security protection. Anyone who encounters a Base64-encoded value can trivially decode it back to the original API key using freely available tools. Embedding encoded credentials in source code does not address the fundamental vulnerability of storing secrets in code. Automated scanning tools commonly used by attackers can easily detect and decode Base64-encoded secrets in public repositories.
C is incorrect: Generating longer or more complex API keys does not address the fundamental issue of credential exposure in source code. The vulnerability is the storage location of the key, not its cryptographic strength. Even a highly complex key is compromised the moment it is exposed in a source code repository. Increasing key complexity may help against brute-force attacks but is irrelevant when the key is stored in plaintext where attackers can read it directly.
D is incorrect: Restricting repository access limits who can view the source code but does not eliminate the risk of hardcoded API keys. If the repository is accidentally made public, backed up insecurely, cloned to an insecure workstation, or accessed by an attacker who compromises a developer account, the embedded credentials are fully exposed. The security best practice is to remove secrets from code entirely rather than relying on access controls around the repository that contains them.
Correct Answer: A
A is correct: Indirect prompt injection is correct. This attack involves embedding malicious instructions within external content that an LLM processes during normal operation. The attacker concealed commands in a referenced webpage rather than directly interacting with the chatbot, which is the defining characteristic of indirect prompt injection where the attack payload resides in external data sources the AI consumes at inference time.
B is incorrect: A model evasion attack involves crafting adversarial inputs designed to cause a machine learning model to produce incorrect classifications or miss detections. This scenario describes hidden instructions in external content that altered the chatbot output behavior, which is a prompt injection technique rather than an adversarial evasion attack targeting a classification or detection model. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
C is incorrect: Training data poisoning involves corrupting the dataset used to train an AI model, permanently altering its learned behavior across all interactions. This scenario describes manipulation at runtime through hidden instructions in content accessed during operation, not modification of the model training data. The model itself was uncompromised; only its runtime behavior was redirected by injected instructions. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
D is incorrect: Direct prompt injection occurs when an attacker enters malicious commands directly into the LLM user-facing input interface, such as typing instructions into a chatbot window. In this scenario, the attacker never interacted directly with the chatbot but instead concealed instructions in an external webpage the chatbot referenced. The attack pathway through external content distinguishes indirect from direct prompt injection. Reference: https://genai.owasp.org/llmrisk/llm01-prompt-injection/
Correct Answer: D
A is incorrect: Read-only access to the feature store does not allow the user to inject or modify data within it. Adversarial data injection requires write access to the data source, which the user does not have in this scenario. The primary risk stems from the elevated CI/CD permissions, not the restricted feature store access. This distractor incorrectly identifies the lower-privilege system as the attack vector rather than the system where the user holds elevated permissions. Reference: https://cloudsecurityalliance.org/research/topics/devsecops
B is incorrect: CI/CD pipeline execution permissions do not inherently grant the ability to decrypt data stored in the feature store. Decryption requires access to the appropriate encryption keys, which are managed separately through key management services or key vaults. The primary risk of this inconsistent access configuration is the ability to manipulate pipeline workflows and deployment processes, not the bypass of data encryption controls in the feature store. Reference: https://cloudsecurityalliance.org/research/topics/devsecops
C is incorrect: Read-only access to the feature store does not provide a mechanism for escalating privileges within the CI/CD platform. Privilege escalation typically involves moving from a lower-privilege context to a higher-privilege one, but the user already has elevated CI/CD permissions. The actual risk runs in the other direction: the user could exploit their existing elevated CI/CD access to work around feature store restrictions indirectly. Reference: https://cloudsecurityalliance.org/research/topics/devsecops
D is correct: Inconsistent access controls across MLOps tools create cross-tool access exploitation risks. When a user has limited permissions in one system but elevated permissions in another interconnected system, the user can exploit the higher-privilege access to circumvent restrictions in the lower-privilege system. In this scenario, the data scientist could use elevated CI/CD permissions to alter pipeline configurations that manipulate data flows or model deployments, effectively bypassing the intended feature store access restrictions without needing direct write access. Reference: https://cloudsecurityalliance.org/research/topics/devsecops
