Logical Operations CyberSec First Responder - CFR-210 Exam Questions [2026]

QUESTION NO: 1
Organizations should exercise their Incident Response (IR) plan following initial creation. The primary
objective for this first I R plan exercise is to identify:

A. critical steps required in the case of an incident. B. capabilities required to improve response time. C. gaps or overlaps in supporting processes and procedures. D. deficiencies in cyber security incident response team skills.

Correct Answer: B

QUESTION NO: 2
Which of the following is the BEST way to capture all network traffic between hosts on a segmented
network?

A. Router B. HIPS C. Protocol analyzer D. Firewall

Correct Answer: B

QUESTION NO: 3

The above Linux command is used to search for:

A. 1Pv4 addresses. B. 1Pv6 addresses. C. MAC addresses. D. memory addresses.

Correct Answer: C

QUESTION NO: 4
A logfile generated from a Windows server was moved to a Linux system for further analysis. A system
administrator is now making edits to the file with vi and notices the file contains numerous instances of
Ctrl-M (AM) characters. Which of the following command line tools is the administrator MOST likely to use
to remove these characters from the logfile? (Choose two.)

A. cut B. tr C. awk D. unix2dos E. cat

Correct Answer: B,E

QUESTION NO: 5
A forensics investigator has been assigned the task of investigating a system user for suspicion of using a
company-owned workstation to view unauthorized content. Which of the following would be a proper
course of action for the investigator to take?

A. Confiscate the workstation while the suspected employee is out of the office, and perform a search on
the asset. B. Confiscate the workstation while the suspected employee is out of the office, and perform the search
on bit-for-bit image of the hard drive. C. Notify the user that the workstation is being confiscated to perform an investigation, providing complete
transparency as to the suspicions. D. Notify the user that their workstation is being confiscated to perform an investigation, providing no
details as to the reasoning.

Correct Answer: A

QUESTION NO: 6
A company website was hacked via the SQL query below:

Which of the following did the hackers perform?

A. Performed an XSS attack B. Cleared tracks of [email protected] entries C. Deleted the entire members table D. Deleted the email password and login details

Correct Answer: A

QUESTION NO: 7
During review of a company's web server logs, the following items are discovered:
2 015-03-01 03:32:11 www.example.com/index.asp?id=-999 or 1=convert(int,@@version)-
2 015-03-01 03:35:33 www.example.com/index.asp?id=-999 or 1=convert(int,db_name())-
2 015-03-01 03:38:25 www.example.com/index.asp?id=-999 or 1=convert(int,user_name())-
Which of the following is depicted in the log example above?

A. A web application scan B. An administrator using the web interface for application maintenance C. An attempt at enumeration via SQL injection D. Normal web application traffic

Correct Answer: C

QUESTION NO: 8
An incident responder needs to quickly locate specific data in a large data repository. Which of the
following Linux tool should be used?

A. man B. grep C. find D. cat

Correct Answer: B

QUESTION NO: 9
A SOC analyst reviews vendor security bulletins and security blog articles against the company's
deployed system and software base. Based on current attack patterns, three vulnerabilities, including a
zero-day vulnerability, have been upgraded to high priority. Which of the following should the SOC analyst
recommend? (Choose two.)

A. Implement DNS filtering B. Implement application whitelisting C. Update IPS rules D. Reboot affected servers E. Patch affected systems

Correct Answer: A,E

QUESTION NO: 10
During the identification phase, it is discovered that port 23 is being used maliciously. Which of the
following system hardening techniques should be used to remediate the issue?

A. Patch the system B. Disable unnecessary services C. Configure DNS filtering D. Configure black hole routing

Correct Answer: A