The latest changes and updates from the administration for this exam.
Latest Update: Jun 20 2026
Correct Answer: D
A is incorrect: This incorrectly states that agentic AI cannot integrate with external tools. In practice, agentic AI actively connects to and orchestrates multiple tools across an organization's security environment through protocols such as Model Context Protocol (MCP) and standard APIs. Integration with external tools is essential for agentic AI to gather evidence, enrich investigations, and execute response actions across the security ecosystem.
B is incorrect: This incorrectly characterizes both technologies. Agentic AI is specifically designed to operate with a high degree of autonomy and can initiate investigations and take actions without requiring prior human approval for each step. Rule-based automation, while it does execute predefined actions automatically, is limited to its programmed logic and is not more autonomous than agentic AI. Human oversight in agentic AI is maintained at strategic checkpoints rather than for every action.
C is incorrect: This reverses the actual relationship between these two automation approaches. Agentic AI does not require predefined playbooks because its core capability is dynamic reasoning and autonomous decision-making. Rule-based automation is the approach that relies on predefined playbooks with fixed logic paths. Additionally, rule-based automation uses static if-then conditions, not neural networks, for its decision-making processes.
D is correct: Agentic AI dynamically reasons through context and adapts its investigation steps, which is the key differentiator from rule-based automation. Unlike traditional SOAR playbooks that follow rigid, pre-scripted workflows, agentic AI assesses context, connects patterns across disconnected data, and determines the best path to investigate a threat, adapting in real time. Rule-based automation executes fixed if-then logic and cannot adjust to unforeseen scenarios, whereas agentic AI autonomously interprets findings and modifies its approach as new information emerges during an investigation.
Correct Answer: A
A is correct: Implementing role-based access control with least-privilege permissions directly addresses the over-permissioning finding. RBAC assigns different levels of access based on user roles, ensuring each user has only the minimum permissions necessary for their tasks. Data scientists evaluating models should receive read-only access, while write permissions should be restricted to authorized deployment engineers, reducing the attack surface for model theft and unauthorized modifications to production artifacts. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
B is incorrect: A data loss prevention system can detect and alert on unauthorized data transfers or potential model exfiltration from the repository. While DLP is valuable for monitoring suspicious download activity, it is a detective control rather than a preventive one. It does not address the root cause of overly permissive access rights identified in the audit, and all users would still retain their excessive write permissions to production models. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
C is incorrect: Migrating to a private cloud with network isolation adds a layer of infrastructure-level security by restricting network-level access to the repository. However, this does not resolve the internal permissions issue where data scientists have excessive write privileges within the repository. Network isolation protects against external threats but does not enforce granular role-based permissions within the authorized user population already accessing the repository. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
D is incorrect: Encrypting model artifacts with customer-managed keys protects data confidentiality at rest by preventing unauthorized access to the raw model data. However, encryption alone does not address the access control deficiency identified in the audit. Users with legitimate repository credentials would still retain overly broad read-write permissions regardless of whether the underlying storage is encrypted, as encryption and access controls serve complementary but distinct security functions. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
Correct Answer: B
A is incorrect: AI-assisted malware that queries an external LLM API for code generation does not require specialized hardware to execute on endpoints. The malware runs standard code on the target system and makes API calls to a remote LLM service for its mutation capabilities. Sandbox environments can execute and analyze such malware normally, though dynamic mutation may produce different code in each execution cycle.
B is correct: When malware integrates an LLM to dynamically rewrite its source code during each execution, every variant becomes structurally unique with a different signature. Signature-based security tools rely on matching known patterns or file hashes, making them fundamentally unable to keep pace with continuously mutating code. This represents the primary detection challenge of AI-assisted malware engines and requires organizations to prioritize behavioral analysis approaches.
C is incorrect: While AI-assisted mutation changes the code structure, the malware's runtime behaviors such as file access patterns, network connections, and process manipulation remain observable. Behavioral analysis tools detect what malware does rather than what its code looks like. AI-generated code mutation cannot eliminate the fundamental malicious actions the malware must perform to accomplish its objectives on the target system.
D is incorrect: LLM-based code mutation affects the malware's own source code structure and does not inherently encrypt command-and-control traffic. Network intrusion detection operates independently of the malware's internal code mutation capabilities. While some malware may use encrypted communications, this is a separate capability from LLM-driven code obfuscation and is not a direct consequence of AI-assisted source code mutation.
Correct Answer: C
A is incorrect: Dense layers connect every neuron in one layer to every neuron in the next and are typically used at the end of a network for classification decisions. Placing dense layers before convolutional layers is architecturally backwards and would prevent the convolutional layers from extracting the local spatial patterns they are designed to detect from the input data.
B is incorrect: Dropout layers are a regularization technique that randomly deactivates neurons during training to prevent overfitting, and embedding layers convert categorical data into dense vector representations. Neither layer type applies filters to detect local patterns in data or reduces feature dimensionality, so this combination does not match the described functionality.
C is correct: In this architecture, convolutional layers apply learned filters across the input data to extract local patterns and features such as recurring byte sequences in packet payloads. The subsequent pooling layers then reduce the dimensionality of these extracted feature maps while preserving the most significant information, creating a compact representation for the classification stage.
D is incorrect: Recurrent layers are designed to process sequential data by maintaining hidden states across time steps, not to apply filters for local pattern detection in packet data. Placing recurrent layers before convolutional layers does not match the described workflow of first extracting local patterns through filtering and then performing dimensionality reduction before classification.
Correct Answer: A
A is correct: Evaluating whether a series of related alerts represents lateral movement is the most appropriate task for AI reasoning. This task requires judgment, synthesis, and interpretation of ambiguous data across multiple signals to determine whether individual events form a coherent attack pattern. AI-based reasoning can analyze complex relationships between alerts that deterministic rules cannot effectively capture, making it well suited for contextual assessment tasks.
B is incorrect: Looking up an IP address against a threat intelligence blocklist is a deterministic task that produces the same result for the same input every time. The result is a straightforward lookup that returns whether the IP is listed or not, requiring no interpretation or judgment. This type of task should be handled by a direct API call within the SOAR playbook rather than consuming AI reasoning resources.
C is incorrect: Retrieving asset ownership records from a configuration management database is a straightforward data retrieval operation that produces the same result for the same query. This deterministic step requires no analysis, interpretation, or contextual reasoning, making it inappropriate for the AI reasoning component of the playbook and better suited as a standard automated enrichment lookup step.
D is incorrect: Submitting a file hash to a sandbox service and returning the analysis verdict is a structured, repeatable process that follows a consistent workflow regardless of the specific input. While the sandbox itself performs analysis, the SOAR playbook step is a standard API call that submits data and receives a structured result, making it a deterministic task rather than one that benefits from AI-based reasoning.
Correct Answer: D
A is incorrect: Encrypting audit logs at rest protects the confidentiality of log data by preventing unauthorized users from reading the log contents. However, encryption alone does not prevent a compromised account or malicious insider with decryption access from modifying or deleting the logs. This scenario specifically describes log manipulation to conceal tampering evidence, which requires integrity controls rather than confidentiality controls alone.
B is incorrect: Replicating logs to a secondary data center provides redundancy and disaster recovery capabilities against hardware failure or regional outages. However, if logs are tampered with before or during replication, the replicated copies will also contain the manipulated data. Synchronous replication addresses availability concerns but does not inherently guarantee the integrity of the log content against deliberate modification by an adversary.
C is incorrect: Extending log retention periods ensures historical data remains available for forensic analysis over longer timeframes, which supports compliance and investigation needs. However, longer retention does not prevent an attacker from modifying or deleting existing log entries within the retention window. Retention policies address data availability concerns, not the data integrity protections needed to prevent active log tampering.
D is correct: Immutable, append-only log storage with cryptographic integrity verification directly prevents log tampering. Once written, immutable logs cannot be modified or deleted, and cryptographic checks such as hash chains or digital signatures enable detection of any unauthorized alterations. This is the recommended best practice for ensuring audit log integrity in AI systems, especially when attackers may manipulate monitoring data to hide drift or anomalies in data pipelines across hybrid environments.
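Worked example of the hash-chained, append-only log described in the correct answer. This is added illustration code, not part of the exam material: each record commits to the previous record's hash through a keyed HMAC-SHA256 link, so editing, deleting or reordering a past record breaks the chain, and an attacker who can rewrite storage cannot recompute a valid chain without the key. The key value, the monitoring events and the function names are constructed; the key is assumed to come from a secrets manager in a real deployment.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS_HASH = "0" * 64


def _canonical(entry: dict) -> bytes:
    # Stable serialisation so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _link(prev_hash: str, entry: dict, key: bytes) -> str:
    # Keyed link: covers the previous hash and the entry, so the chain cannot be
    # rebuilt by someone who only controls the storage.
    return hmac.new(key, prev_hash.encode() + _canonical(entry), hashlib.sha256).hexdigest()


def append_record(log: list, entry: dict, key: bytes) -> dict:
    """Append one record; it commits to the hash of the record before it."""
    prev = log[-1]["hash"] if log else GENESIS_HASH
    record = {"entry": entry, "prev": prev, "hash": _link(prev, entry, key)}
    log.append(record)
    return record


def verify_chain(log: list, key: bytes, expected_head: Optional[str] = None):
    """Walk the chain from genesis. Returns (ok, index of first bad record or -1)."""
    prev = GENESIS_HASH
    for i, rec in enumerate(log):
        if rec["prev"] != prev or not hmac.compare_digest(
            _link(prev, rec["entry"], key), rec["hash"]
        ):
            return False, i
        prev = rec["hash"]
    # Dropping the newest records is invisible to the chain itself, so the
    # latest hash should be anchored outside the log (WORM bucket, notary, etc.)
    # and compared here.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, -1


def build_demo_log(key: bytes) -> list:
    # Constructed data-pipeline monitoring events (hypothetical actors/fields).
    log = []
    for entry in (
        {"seq": 1, "actor": "drift-monitor", "event": "baseline_set", "psi": 0.02},
        {"seq": 2, "actor": "drift-monitor", "event": "drift_check", "psi": 0.31, "alert": True},
        {"seq": 3, "actor": "pipeline", "event": "retrain_triggered"},
    ):
        append_record(log, entry, key)
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key; fetch the real one from a secrets manager"
    log = build_demo_log(key)
    head = log[-1]["hash"]
    print("intact:", verify_chain(log, key, head))
    log[1]["entry"]["alert"] = False  # an attacker hides the drift alert
    print("after edit:", verify_chain(log, key, head))
```

The `expected_head` check is the part practitioners most often omit: a chain proves nothing about records removed from its tail, so the head hash has to be published somewhere the log writer cannot alter.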
Correct Answer: D
A is incorrect: While NLP has emerging applications in security operations such as querying policies or summarizing incidents in natural language, it is not the primary mechanism for dynamic playbook selection in SOAR platforms. The described requirement calls for automated classification of incident attributes to select playbooks, not conversion of verbal analyst instructions into playbook actions.
B is incorrect: While generative AI can assist in drafting playbook templates during development, creating entirely new playbooks for every unique incident introduces significant risk from untested response actions and lack of validation. SOAR best practices rely on predefined and tested playbooks that AI selects based on incident classification rather than generating new untested playbooks for each event.
C is incorrect: Continuously modifying playbook logic after every execution would compromise the consistency, auditability, and reliability of automated response workflows. Playbook modifications should follow a controlled change management process with proper testing. The described requirement is about dynamically selecting the appropriate existing playbook, not altering playbook logic after each run.
D is correct: AI-driven incident classification analyzes the characteristics of incoming incidents, including alert type, affected assets, and indicators of compromise, then maps them to the most appropriate predefined response playbook. This enables dynamic response orchestration by automatically selecting and executing the correct workflow for each incident type without requiring manual analyst intervention for initial playbook selection.
Correct Answer: A
A is correct: Storing secrets in a dedicated secrets manager and using CI/CD environment variable injection is the most appropriate remediation. According to security best practices for MLOps, credentials should never be hardcoded in source code or notebooks. Secret managers such as HashiCorp Vault or AWS Secrets Manager provide centralized, encrypted credential storage with access control, rotation, and auditing capabilities. Injecting secrets through the CI/CD pipeline at runtime ensures credentials are never persisted in code repositories while maintaining secure, automated access for training jobs. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
B is incorrect: Restricting repository access with RBAC is an important security layer, but it does not remediate the underlying vulnerability of hardcoded secrets. Even with restricted access, any authorized user who can view the notebooks can see the plaintext credentials. Hardcoded secrets also risk exposure through version control history, log files, or accidental sharing. The proper remediation is to remove credentials from code and use a dedicated secrets manager. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
C is incorrect: Moving credentials to a shared configuration file alongside model artifacts in the registry simply relocates the hardcoded secrets rather than solving the problem. The credentials remain stored in plaintext or weakly protected form within the registry, creating a new exposure point. This approach also risks credentials being distributed with model artifacts during deployment. The correct remediation uses a dedicated secrets manager with proper access controls and injection mechanisms. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
D is incorrect: Encrypting notebooks and source code at rest protects the files from unauthorized access at the storage level, but it does not address the root problem of hardcoded secrets. Once a user with legitimate access opens the encrypted file, the credentials are fully visible in plaintext within the code. The security best practice is to remove secrets from code entirely and use a secrets manager, not to encrypt files that still contain embedded credentials. Reference: https://cheatsheetseries.owasp.org/cheatsheets/Secure_AI_Model_Ops_Cheat_Sheet.html
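Worked example for the hardcoded-credentials question. This is added code, not from the exam or the OWASP cheat sheet: a small CI check that flags secret-looking string literals assigned in notebook code cells (so the audit finding is caught before merge), paired with a loader that takes the registry credential only from an environment variable injected by the CI/CD pipeline and fails closed when it is absent. The variable-name pattern, the environment variable name `MODEL_REGISTRY_TOKEN` and the notebook content are constructed.

```python
import os
import re
from typing import List, Tuple

# Matches `<name containing secret/password/token/api_key/access_key> = "<literal>"`
# with a literal of at least 8 characters. Tune the keyword list to your naming.
SECRET_ASSIGNMENT_RE = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*?(?:secret|password|passwd|token|api_?key|access_?key)[A-Za-z0-9_]*)"""
    r"""\s*=\s*(?P<quote>['"])(?P<value>[^'"]{8,})(?P=quote)""",
    re.IGNORECASE,
)


def find_hardcoded_secrets(cells: List[List[str]]) -> List[Tuple[int, int, str]]:
    """Return (cell_index, line_index, variable_name) for each suspicious literal."""
    hits = []
    for ci, lines in enumerate(cells):
        for li, line in enumerate(lines):
            m = SECRET_ASSIGNMENT_RE.match(line)
            # Templated references like "${VAULT:...}" are placeholders, not secrets.
            if m and not m.group("value").startswith("${"):
                hits.append((ci, li, m.group("name")))
    return hits


ENV_VAR = "MODEL_REGISTRY_TOKEN"  # constructed name; set by the pipeline's secret-injection step


def load_registry_token(environ=os.environ) -> str:
    """Read the credential injected at runtime; refuse to run without it."""
    token = environ.get(ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(
            f"{ENV_VAR} is not set; training jobs must receive it from CI/CD secret injection"
        )
    return token


# Constructed notebook: cell 1 hardcodes a token (the audit finding), cell 2 is the remediated form.
NOTEBOOK_CELLS = [
    ["import os, requests", "REGISTRY_URL = 'https://registry.example.internal'"],
    ["registry_token = 'ghp_constructedExampleValue1234567890'",
     "headers = {'Authorization': f'Bearer {registry_token}'}"],
    ["registry_token = os.environ['MODEL_REGISTRY_TOKEN']"],
]

if __name__ == "__main__":
    for cell, line, name in find_hardcoded_secrets(NOTEBOOK_CELLS):
        print(f"cell {cell}, line {line}: hardcoded literal assigned to {name}")
```

The scanner is deliberately simple (one regex per line); in a real pipeline it would run beside a dedicated secret scanner and over git history as well, since the explanation above notes that removed secrets survive in version control.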
Correct Answer: D
A is incorrect: Deploying separate security tools for each environment can address environment-specific requirements but risks introducing policy fragmentation and inconsistency. Different tools may enforce different policy interpretations, creating the same type of coverage gaps the organization is trying to eliminate. A unified policy-as-code approach ensures consistent security standards regardless of the target environment, which separate tools cannot inherently guarantee. Reference: https://docs.aws.amazon.com/whitepapers/latest/build-secure-enterprise-ml-platform/automation-pipelines.html
B is incorrect: Manual security reviews by dedicated analysts can be thorough but do not scale effectively and are prone to human error and interpretation inconsistency. Different analysts may apply policies differently, and manual reviews create deployment bottlenecks that slow the MLOps pipeline. Automated policy-as-code enforcement provides consistent, scalable, and auditable security controls that eliminate the variability inherent in manual review processes. Reference: https://docs.aws.amazon.com/whitepapers/latest/build-secure-enterprise-ml-platform/automation-pipelines.html
C is incorrect: Routing all traffic through a centralized on-premises proxy adds a single inspection point but creates a performance bottleneck and single point of failure for the deployment pipeline. This approach does not address the root cause of inconsistent policy application at each environment. It inspects traffic in transit without ensuring that the security configurations applied at each deployment target are consistent and standardized. Reference: https://docs.aws.amazon.com/whitepapers/latest/build-secure-enterprise-ml-platform/automation-pipelines.html
D is correct: Enforcing security policies as code through the CI/CD pipeline is the best approach for maintaining consistency across hybrid environments. Policy as code and infrastructure as code ensure that identical security configurations, access controls, and compliance checks are applied automatically and uniformly regardless of the target environment. This eliminates manual configuration drift between on-premises and cloud systems and provides version-controlled, auditable security enforcement. Reference: https://docs.aws.amazon.com/whitepapers/latest/build-secure-enterprise-ml-platform/automation-pipelines.html
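Worked example of the policy-as-code gate described in the correct answer. This is added illustration code, not from the exam or the AWS whitepaper: one rule set is evaluated against every deployment manifest, whether the target is on-premises or cloud, and violations are returned as data so a pipeline stage can fail the deployment. Manifest fields, rule names and the approved registry prefix are constructed.

```python
from typing import Callable, Dict, List

APPROVED_REGISTRY = "registry.example.internal/"  # constructed

Rule = Callable[[dict], List[str]]


# Each rule returns a list of violation messages (empty when compliant).
def rule_no_public_endpoint(m: dict) -> List[str]:
    return ["endpoint must not be publicly reachable"] if m.get("public_endpoint") else []


def rule_encryption_at_rest(m: dict) -> List[str]:
    enc = m.get("storage", {}).get("encryption")
    return [] if enc in ("kms", "customer-managed") else [
        "storage.encryption must be kms or customer-managed"]


def rule_approved_image(m: dict) -> List[str]:
    img = str(m.get("image", ""))
    return [] if img.startswith(APPROVED_REGISTRY) else [
        f"image {img!r} is not from the approved registry"]


def rule_no_wildcard_permissions(m: dict) -> List[str]:
    return [f"wildcard permission {p!r}" for p in m.get("permissions", [])
            if p == "*" or p.endswith(":*")]


def rule_model_signature_verified(m: dict) -> List[str]:
    return [] if m.get("model", {}).get("signature_verified") is True else [
        "model artifact signature must be verified before deploy"]


RULES: List[Rule] = [
    rule_no_public_endpoint,
    rule_encryption_at_rest,
    rule_approved_image,
    rule_no_wildcard_permissions,
    rule_model_signature_verified,
]


def evaluate(manifest: dict) -> List[str]:
    """Apply the single rule set to one manifest, tagging each finding with its rule."""
    return [f"{rule.__name__}: {msg}" for rule in RULES for msg in rule(manifest)]


def gate(manifests: List[dict]) -> Dict[str, List[str]]:
    """Evaluate every target; an empty report means the pipeline may proceed."""
    report = {}
    for m in manifests:
        violations = evaluate(m)
        if violations:
            report[str(m.get("target", "?"))] = violations
    return report


# Constructed manifests: the on-prem target is compliant, the cloud target is not.
ONPREM = {
    "target": "onprem-prod",
    "image": "registry.example.internal/fraud-model:1.4.2",
    "public_endpoint": False,
    "storage": {"encryption": "customer-managed"},
    "permissions": ["objectstore:read", "keystore:decrypt"],
    "model": {"signature_verified": True},
}
CLOUD = {
    "target": "cloud-prod",
    "image": "registry.example.internal/fraud-model:1.4.2",
    "public_endpoint": True,
    "storage": {"encryption": "kms"},
    "permissions": ["objectstore:*"],
    "model": {"signature_verified": True},
}

if __name__ == "__main__":
    for target, findings in gate([ONPREM, CLOUD]).items():
        print(target, findings)
```

Because the rules live in the repository next to the infrastructure code, a change to a rule is reviewed and versioned like any other change, which is the auditability property the explanation refers to.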
Correct Answer: B
A is incorrect: Training the LLM exclusively on internal incident data may improve domain relevance but does not directly address output consistency. LLMs trained on more specific data can still produce variable outputs for similar inputs due to their inherent probabilistic architecture. The consistency concern is best addressed through workflow design that constrains how the LLM formats its outputs, not solely through training data changes.
B is correct: Embedding the LLM within a deterministic workflow that enforces structured outputs is the best design approach for managing consistency. This pattern uses the overall playbook structure to maintain predictable, auditable execution while confining the LLM's probabilistic reasoning to bounded steps where judgment is needed. By enforcing structured output formats such as predefined severity labels and required justification fields, the workflow constrains variability while benefiting from AI reasoning capabilities.
C is incorrect: Allowing the LLM to independently manage the full playbook workflow increases inconsistency rather than reducing it. LLMs are probabilistic by nature and may follow different reasoning paths for similar inputs. Giving an LLM end-to-end control without deterministic guardrails reduces auditability, introduces unpredictable behavior, and undermines the consistency that security operations require for reliable incident handling.
D is incorrect: Deploying multiple competing LLMs and randomly selecting outputs would increase inconsistency rather than reduce it. Each model may classify the same incident differently based on its unique architecture and training data, and random selection adds another layer of variability. This approach offers no mechanism for enforcing structured outputs and would make triage decisions more difficult to audit and explain.
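Worked example of the design pattern in the correct answer: a deterministic workflow step that wraps an LLM, enforces a structured output schema (fixed severity labels, a required justification, evidence limited to real alert IDs), retries once on a malformed answer, and escalates to a human rather than guessing. This is added illustration code, not from the exam; the LLM is any callable that takes the prompt text and returns text, and the alerts, field names and scripted model responses are constructed.

```python
import json
from typing import Callable, Dict, List

ALLOWED_SEVERITY = ("low", "medium", "high", "critical")
REQUIRED_FIELDS = ("severity", "justification", "evidence_alert_ids")
MIN_JUSTIFICATION_CHARS = 20


class TriageOutputError(ValueError):
    """Raised when the model's output does not satisfy the enforced schema."""


def build_prompt(alerts: List[Dict]) -> str:
    lines = [
        "Classify these alerts as one incident. Reply with JSON only, in this shape:",
        '{"severity": "<low|medium|high|critical>", "justification": "<text>", '
        '"evidence_alert_ids": ["<id>", "..."]}',
        "Alerts:",
    ]
    lines += [json.dumps(a, sort_keys=True) for a in alerts]
    return "\n".join(lines)


def parse_triage_output(raw: str, known_ids: set) -> Dict:
    """Validate the model's text against the schema; reject anything out of bounds."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise TriageOutputError(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise TriageOutputError("top-level value must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise TriageOutputError(f"missing fields: {missing}")
    sev = data["severity"]
    if not isinstance(sev, str) or sev.lower() not in ALLOWED_SEVERITY:
        raise TriageOutputError(f"severity {sev!r} not in {ALLOWED_SEVERITY}")
    just = data["justification"]
    if not isinstance(just, str) or len(just.strip()) < MIN_JUSTIFICATION_CHARS:
        raise TriageOutputError("justification missing or too short to audit")
    ids = data["evidence_alert_ids"]
    if (not isinstance(ids, list) or not ids
            or not all(isinstance(i, str) for i in ids) or not set(ids) <= known_ids):
        raise TriageOutputError(f"evidence_alert_ids {ids!r} reference unknown alerts")
    return {"severity": sev.lower(), "justification": just.strip(),
            "evidence_alert_ids": sorted(set(ids))}


def triage_step(alerts: List[Dict], llm: Callable[[str], str], max_attempts: int = 2) -> Dict:
    """Deterministic wrapper: bounded retries, then escalate instead of guessing."""
    known = {a["id"] for a in alerts}
    prompt = build_prompt(alerts)
    last_error = "no attempt made"
    for attempt in range(1, max_attempts + 1):
        try:
            result = parse_triage_output(llm(prompt), known)
        except TriageOutputError as exc:
            last_error = str(exc)
            continue
        return {"status": "classified", "attempts": attempt, **result}
    return {"status": "needs_human_review", "attempts": max_attempts, "reason": last_error}


def scripted_llm(responses: List[str]) -> Callable[[str], str]:
    """Stand-in for a model client: returns the scripted responses in order (constructed)."""
    it = iter(responses)
    return lambda prompt: next(it, responses[-1])


# Constructed alerts for the demo.
DEMO_ALERTS = [
    {"id": "a-1", "host": "ws-042", "type": "credential_use", "user": "svc-backup"},
    {"id": "a-2", "host": "ws-042", "type": "smb_lateral", "peers": 3},
    {"id": "a-3", "host": "ws-042", "type": "new_scheduled_task"},
]

if __name__ == "__main__":
    good = ('{"severity": "High", "justification": "Same host, credential use followed by '
            'SMB to 3 peers and persistence.", "evidence_alert_ids": ["a-1", "a-2", "a-3"]}')
    print(triage_step(DEMO_ALERTS, scripted_llm(["Sure! This looks high severity.", good])))
```

Everything the downstream playbook consumes comes out of `parse_triage_output`, never from the raw model text, which is what keeps the triage decision auditable: the label is one of four values, the justification is always present, and the evidence can only point at alerts that exist.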
