The latest changes and updates from the administration for this exam.
Latest Update: Jun 20 2026
Correct Answer: B
A is incorrect: Feed-forward neural networks process inputs through layers in a single forward pass without maintaining any memory or state between inputs. Each input is processed independently, making feed-forward networks unable to model temporal dependencies or sequential relationships. Detecting anomalous patterns across ordered system call sequences requires an architecture designed to maintain temporal context.
B is correct: LSTM networks are specifically designed to learn temporal dependencies in sequential data while addressing the vanishing gradient problem that affects standard RNNs. This architecture uses memory cells with gating mechanisms to selectively retain or discard information across long sequences. For system call analysis, LSTMs effectively capture the ordered temporal context required to distinguish normal process behavior from anomalous activity.
C is incorrect: GANs are composed of a generator and discriminator network trained in opposition, primarily used for generating synthetic data that resembles training samples. While GANs have security applications in data augmentation and adversarial testing, they are not designed for sequential anomaly detection. Detecting anomalous process behavior from system call sequences requires an architecture that models temporal dependencies across ordered events.
D is incorrect: CNNs are designed for processing grid-like data such as images by applying convolutional filters to extract spatial patterns and features. While CNNs can be adapted for certain sequential tasks, they do not inherently model temporal dependencies or maintain state across long sequences. Analyzing ordered system call sequences requires an architecture with built-in temporal memory capabilities.
Correct Answer: A
A is correct: Cross-tool access exploitation due to inconsistent permissions best describes this security risk. In hybrid MLOps environments, multiple tools manage different pipeline stages, and access controls are often configured independently in each system. When a user has limited permissions in one tool but elevated permissions in another, this inconsistency can be exploited to manipulate model deployments indirectly, bypassing the intended access restrictions across the overall pipeline workflow. Reference: https://cloudsecurityalliance.org/artifacts/machine-learning-ops-overview
B is incorrect: Data poisoning involves injecting malicious or corrupted data into training datasets to manipulate model behavior during the training phase. While the data engineer has access to data systems, the described risk specifically concerns the inconsistency between permissions in the data versioning system and the CI/CD deployment platform, not the manipulation of training data content. The primary concern is unauthorized deployment capability. Reference: https://cloudsecurityalliance.org/artifacts/machine-learning-ops-overview
C is incorrect: Model extraction involves systematically querying a deployed model to reconstruct its parameters or approximate its decision boundaries. The scenario describes a mismatch in permissions between the data versioning system and the CI/CD platform, not excessive access to a deployed model's inference endpoint. The security risk is centered on the deployment pipeline access controls, not on post-deployment model querying or endpoint exposure. Reference: https://cloudsecurityalliance.org/artifacts/machine-learning-ops-overview
D is incorrect: Privilege escalation through an unpatched vulnerability involves exploiting a software flaw to gain higher permissions than originally granted. In this scenario, the data engineer's elevated CI/CD permissions are the result of misconfigured access controls across separate tools, not a software vulnerability being exploited. The permissions were intentionally configured but without coordination between tools, making this a governance and configuration issue. Reference: https://cloudsecurityalliance.org/artifacts/machine-learning-ops-overview
Correct Answer: C
A is incorrect: Recording alert ingestion volume measures platform throughput but does not document the reasoning behind individual escalation decisions. Compliance teams need to understand why a specific incident was escalated, not how many alerts were processed overall, making aggregate ingestion metrics insufficient for satisfying the audit trail requirement.
B is incorrect: Disabling automated escalation removes the efficiency benefits of AI-driven SOAR workflows entirely and is an unnecessarily drastic response. The compliance requirement for documented rationale can be effectively met by adding explainability features to the existing automated process rather than abandoning automation altogether.
C is correct: Configuring the AI to produce explainable outputs is correct. Explainable AI provides documented rationale that auditors and analysts can review, including the specific factors such as alert severity, threat intelligence correlation, asset criticality, and confidence scores that contributed to the escalation decision. This transparency directly supports audit trails and accountability in automated security workflows, satisfying compliance documentation requirements.
D is incorrect: Assigning identical severity ratings to all incidents eliminates the nuanced, risk-based decision-making that AI-driven triage provides and does not explain why any particular incident was escalated. This approach would remove the analytical value of the AI model and would not satisfy the requirement for documented, decision-specific rationale.
Correct Answer: D
A is incorrect: A misconfigured learning rate would typically cause training instability, failure to converge, or significant and erratic performance degradation across all input types. The described outcome is a controlled slight decrease in clean accuracy with a corresponding improvement in adversarial robustness, which is the normal and expected accuracy-robustness tradeoff documented in adversarial training research. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2023/final
B is incorrect: Data poisoning typically causes the model to produce specific targeted misclassifications or significantly degrades overall performance in unpredictable ways. The described pattern of slightly reduced clean accuracy alongside improved adversarial robustness is the expected outcome of properly executed adversarial training, not a sign of malicious data manipulation within the training pipeline. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2023/final
C is incorrect: Overfitting typically manifests as strong performance on training data but poor generalization to new unseen data. The scenario describes a different and well-documented pattern: reduced clean accuracy with improved adversarial robustness. This tradeoff is inherent to adversarial training regardless of adversarial example diversity, as the model's decision boundaries are broadened to accommodate perturbations. Reference: https://learn.microsoft.com/en-us/security/engineering/threat-modeling-aiml
D is correct: The accuracy-robustness tradeoff is a well-documented phenomenon where improving a model's resistance to adversarial perturbations through adversarial training results in a slight decrease in accuracy on clean, unperturbed data. This occurs because adversarial training smooths the model's decision boundaries to increase resilience against perturbations, which can reduce precision on standard inputs. This tradeoff is expected and should be managed during model hardening. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2023/final
Correct Answer: C
A is incorrect: GDPR Article 22 addresses data subject rights related to automated decision-making, not financial compensation mechanisms. While GDPR Article 82 provides a separate right to compensation for damages caused by GDPR violations, this compensation is sought from the data controller or processor, not issued directly by the supervisory authority. Reference: https://gdpr.eu/article-82-right-to-compensation/
B is incorrect: GDPR Article 22 provides individual data subjects with the right to challenge automated decisions affecting them personally and to obtain human intervention. It does not grant any individual the authority to demand that an organization permanently disable an AI system or cease using automated processing for all other applicants. Reference: https://gdpr.eu/article-22-automated-individual-decision-making/
C is correct: GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them. A loan denial based solely on AI output constitutes such a decision. The data subject can request human intervention, express their point of view, and contest the decision under the safeguards required by this article. Reference: https://gdpr.eu/article-22-automated-individual-decision-making/
D is incorrect: GDPR Article 22 and related transparency provisions require organizations to provide meaningful information about the logic, significance, and consequences of automated processing. However, there is no right to receive the complete training dataset, as disclosing full training data could violate other data subjects' privacy rights and potentially expose proprietary information. Reference: https://gdpr.eu/article-22-automated-individual-decision-making/
Correct Answer: B
A is incorrect: Replacing the AI system entirely is a disproportionate response that eliminates the benefits of AI-driven triage without first understanding the nature and extent of the detected bias. The appropriate first step is to audit the system to determine whether the bias can be corrected through model adjustments, data remediation, or process controls rather than abandoning the AI approach before investigating the root cause of the disparate outcomes. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
B is correct: Performing a bias audit is the correct first response. When an AI system produces disparate outcomes for a specific demographic group, the organization must first systematically assess the scope and nature of the bias before taking corrective action. A bias audit analyzes model predictions across protected classes such as ethnicity, race, gender, and age to determine whether the model exhibits disparate treatment or disparate impact, providing the evidence-based foundation needed for selecting appropriate remediation strategies. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
C is incorrect: Encrypting demographic attributes protects the confidentiality of sensitive patient data but does not address the underlying bias in the model's decision-making process. Even with encrypted demographic attributes, the model may still rely on correlated proxy variables that produce the same biased risk scores. Encryption is a data security control that addresses confidentiality, not a fairness or bias mitigation measure that addresses discriminatory model outputs across protected classes. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
D is incorrect: Retraining the model without first conducting a formal bias audit may not resolve the underlying issue and is a premature corrective action. Without understanding the root cause of the bias through a systematic audit, retraining could perpetuate or even exacerbate discriminatory outcomes. The bias could stem from proxy variables, flawed feature engineering, or label bias rather than insufficient training data diversity, making retraining without a prior audit an incomplete response. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1270.pdf
Correct Answer: A
A is correct: This scenario demonstrates AI-driven automation because the agent performs dynamic contextual analysis, including complex cognitive tasks like decoding obfuscated scripts, and delivers a reasoned verdict with an explanation. These capabilities require AI-driven reasoning that goes beyond what predefined static playbooks can accomplish, as rule-based automation cannot dynamically interpret and analyze obfuscated content or provide contextual explanations.
B is incorrect: This scenario describes traditional rule-based automation where a specific trigger condition activates a predefined action. The playbook follows a deterministic if-then logic path: if the alert matches a known indicator, then execute the block action. There is no dynamic reasoning, contextual analysis, or adaptive decision-making involved, making this a standard example of rule-based SOAR automation.
C is incorrect: Collecting and storing logs on a fixed schedule is a routine scripted data collection task that follows a predefined execution path with no dynamic reasoning or adaptive behavior. This represents basic scheduled automation that operates identically regardless of context or threat conditions, making it a standard example of traditional scripted automation rather than AI-driven automation.
D is incorrect: Assigning incidents to an on-call analyst based on a predefined rotation schedule is a simple rule-based automation task that follows fixed logic without any reasoning, adaptation, or contextual analysis. Incident assignment by rotation is a common deterministic automation use case within SOAR platforms that does not require any AI-driven capabilities to function effectively.
Correct Answer: D
A is incorrect: Limiting the SOAR platform to ticketing and documentation underutilizes its orchestration and automation capabilities. While documentation is an important function, the primary value of SOAR in a multi-tool environment is automating and coordinating active response actions across the EDR, firewall, and other tools based on AI-driven decision logic.
B is incorrect: Configuring each tool to respond independently without SOAR coordination defeats the purpose of orchestration and can lead to conflicting or redundant response actions. The value of a SOAR platform lies in its ability to centralize decision-making and coordinate actions across tools, ensuring consistent and efficient responses driven by the AI decision node's classification.
C is incorrect: SOAR platforms are designed for orchestration and automation, not to replace dedicated detection tools like SIEM and EDR. SIEM provides log aggregation and correlation for threat detection, while EDR provides endpoint-level visibility and response. SOAR complements these tools by orchestrating their actions through playbooks rather than duplicating their core detection capabilities.
D is correct: The SOAR platform's primary role is to orchestrate coordinated response actions across multiple integrated security tools based on the AI decision node's output. When the AI classifies a threat, the SOAR platform can simultaneously trigger the EDR to isolate an endpoint, update firewall rules to block malicious IPs, and create a ticket in the ticketing system, ensuring a cohesive multi-tool response to the incident.
Correct Answer: A
A is correct: The primary goal of ML-based alert scoring is to reduce false positives without sacrificing the ability to detect genuine threats. A successful implementation demonstrates a measurable decrease in the false positive rate, meaning analysts spend less time on benign alerts, while the true positive detection rate remains stable, ensuring actual security incidents are still identified and escalated for investigation.
B is incorrect: While analysts may spend more time on higher-fidelity alerts that warrant deeper investigation, an overall increase in per-alert investigation time is not the primary success metric for ML-based triage. The key indicator is the reduction in time wasted on false positives combined with maintained detection capability, not the amount of time spent investigating each individual alert.
C is incorrect: Reducing the volume of ingested log data is not a valid indicator of ML-based scoring effectiveness and could actually harm security posture by reducing visibility. Effective ML alert scoring works by intelligently prioritizing events after ingestion, not by limiting the data that is collected. Reducing data ingestion could cause the organization to miss critical threat indicators entirely.
D is incorrect: An increase in total alert volume would indicate the opposite of effective alert fatigue reduction. Successful ML-based alert scoring should reduce the number of alerts requiring analyst attention by suppressing false positives and prioritizing genuine threats, not generate additional alerts that further burden the SOC team with more items to review.
Correct Answer: D
A is incorrect: Both PGD and FGSM are evasion attack methods that craft adversarial examples by perturbing inputs during inference. Neither method targets training data integrity. Data poisoning is a separate attack category that corrupts training data. PGD and FGSM both operate on inference-time inputs, differing only in their optimization approach: single-step versus iterative multi-step. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2023/final
B is incorrect: PGD is a white-box attack method that requires full access to the model's gradients. It leverages gradient information at each iteration to progressively refine adversarial perturbations toward a stronger attack. PGD's strength derives from its iterative gradient-based optimization approach, not from operating without model access. Both PGD and FGSM are gradient-based white-box attack methods. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2023/final
C is incorrect: FGSM actually produces weaker single-step perturbations compared to PGD's iterative approach. FGSM does not inherently generate larger perturbations. The vulnerability gap exists because FGSM-based adversarial training does not expose the model to the sophisticated iterative optimization that PGD employs, leaving the model insufficiently hardened against stronger multi-step attacks. Reference: https://learn.microsoft.com/en-us/security/engineering/threat-modeling-aiml
D is correct: Projected Gradient Descent (PGD) is a multi-step iterative attack that repeatedly applies gradient-based optimization to find stronger adversarial perturbations within a defined perturbation budget. The Fast Gradient Sign Method (FGSM) is a single-step attack that produces comparatively weaker adversarial examples. A model trained only with FGSM-generated examples gains basic robustness but may not withstand the stronger perturbations that iterative PGD optimization produces. Reference: https://csrc.nist.gov/pubs/ai/100/2/e2023/final
