Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free F5-401 Security Expert Practice Questions

Pass your F5 Certified Solution Expert — Security (Exam 401) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
F5 does not publicly report pass rates Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

An architect must protect APIs documented with an OpenAPI 3.0 spec. Which Advanced WAF capability automatically constructs URL/parameter/JSON entities from the spec?

A
B
C
D
to track
Same family resources

Explore More F5 Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

F5 201 TMOS Administration

Practice Questions

F5 301B BIG-IP LTM Specialist Maintain & Troubleshoot

Practice Questions

F5 402 Cloud Solutions Expert

Practice Questions

F5 Certified! BIG-IP Administrator (F5-CA, exam 201)

Practice Questions

F5 Certified! Solution Expert (F5-CSE)

Practice Questions

F5 Certified! Technical Professional (F5-CTP)

Practice Questions
2026 Statistics

Key Facts: F5-401 Security Expert Exam

70

Exam Questions

Multiple-choice + scenarios

245/350

Passing Score

Scaled, F5

105 min

Time Limit

F5

$180

Exam Fee

Per attempt

2 yrs

Validity

F5 recertification

Pearson VUE / Certiverse

Test Delivery

In-person or online proctored

F5 Exam 401 (Security Solutions Expert) is the expert-tier F5 credential covering threat analysis, security architecture, Advanced WAF / AFM / APM implementation, and incident response. The exam has 70 questions in 105 minutes with a 245/350 scaled passing score and a $180 fee through Pearson VUE / Certiverse. F5 weights the four domains roughly evenly (~25% each). The credential is valid for two years and signals expert-level competency for security architects working with BIG-IP and F5 Distributed Cloud.

Sample F5-401 Security Expert Practice Questions

Try these sample questions to test your F5-401 Security Expert exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which framework, maintained by MITRE, catalogs adversary tactics, techniques, and procedures (TTPs) used in real-world cyber intrusions?
A.OWASP Top 10
B.NIST CSF
C.MITRE ATT&CK
D.ISO 27001
Explanation: MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Security architects use ATT&CK matrices (Enterprise, Mobile, ICS) to map detections, evaluate coverage, and design defense-in-depth controls. F5 control selections (WAF, AFM, APM) are commonly mapped to ATT&CK techniques such as T1190 Exploit Public-Facing Application or T1110 Brute Force.
2In the STRIDE threat-modeling methodology, which threat category corresponds to an attacker assuming another user's identity?
A.Spoofing
B.Tampering
C.Repudiation
D.Elevation of Privilege
Explanation: STRIDE breaks threats into Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Spoofing covers identity-related threats — impersonating a user, server, or service. Mitigations typically include strong authentication, mutual TLS, and signed tokens, all of which APM and Advanced WAF support.
3Which scoring system produces a base, temporal, and environmental score from 0.0 to 10.0 to express vulnerability severity?
A.EPSS
B.CVSS v3.1
C.CWSS
D.DREAD
Explanation: CVSS v3.1 (Common Vulnerability Scoring System) produces Base, Temporal, and Environmental scores on a 0.0 to 10.0 scale. Base captures intrinsic characteristics, Temporal reflects how the vulnerability evolves (e.g., exploit availability), and Environmental adjusts for the consumer's deployment. F5 401 expects you to interpret CVSS vectors when prioritizing risk.
4Which OWASP Top 10 2021 category did 'Broken Access Control' move to as the #1 risk?
A.A01: Broken Access Control
B.A03: Injection
C.A05: Security Misconfiguration
D.A07: Identification and Authentication Failures
Explanation: In the OWASP Top 10 2021, Broken Access Control moved to A01 — the highest-ranked risk — based on application data showing 94% of tested applications had some form of broken access control. APM access policies, ASM login enforcement, and API security profiles all help mitigate this category.
5Which OWASP API Security Top 10 (2023) category specifically addresses unrestricted access to sensitive business flows like ticket purchase or coupon redemption?
A.API1:2023 Broken Object Level Authorization
B.API4:2023 Unrestricted Resource Consumption
C.API6:2023 Unrestricted Access to Sensitive Business Flows
D.API10:2023 Unsafe Consumption of APIs
Explanation: API6:2023 was new in the 2023 list and addresses business-flow abuse — bots reselling tickets, scraping inventory, or abusing promotional codes. Defenses include behavioral bot defense, rate limiting per business operation, device fingerprinting, and CAPTCHAs, all available in F5 Distributed Cloud Bot Defense and Advanced WAF.
6An organization wants to estimate the probability that a CVE will be exploited in the next 30 days to drive patch prioritization. Which scoring approach is appropriate?
A.CVSS Base score only
B.EPSS (Exploit Prediction Scoring System)
C.CWE Top 25 ranking
D.CIS Critical Security Controls
Explanation: EPSS produces a daily probability (0-1) that a CVE will be exploited in the wild within 30 days, derived from a machine-learning model trained on real exploit telemetry. Combining EPSS with CVSS Base/Temporal scores yields better patch prioritization than CVSS alone — high CVSS but very low EPSS often indicates lower urgency.
7Which threat-modeling methodology emphasizes a seven-stage, business-driven process aligning attacker objectives with assets?
A.STRIDE
B.PASTA
C.Attack Trees
D.DREAD
Explanation: PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage, risk-centric methodology: define objectives, define technical scope, decompose application, analyze threats, vulnerability analysis, attack modeling, and risk and impact analysis. It explicitly aligns business impact with technical threats and is suited to F5 architecture decisions for high-value applications.
8Which CWE is associated with cross-site scripting (XSS) attacks?
A.CWE-89
B.CWE-79
C.CWE-22
D.CWE-352
Explanation: CWE-79 is 'Improper Neutralization of Input During Web Page Generation' — the canonical CWE for cross-site scripting. CWE-79 consistently ranks high on the CWE Top 25. F5 Advanced WAF mitigates XSS via attack signatures, parameter metacharacter checks, and content profile validation.
9Which F5 threat-intelligence product delivers continuously updated, named campaign signatures targeting active attack groups (e.g., Magecart variants)?
A.F5 IP Intelligence
B.F5 Threat Campaigns
C.F5 SecurityCenter
D.F5 Distributed Cloud Bot Defense
Explanation: F5 Threat Campaigns is a subscription that delivers named-campaign signatures researched by the F5 SOC and Labs teams. Each campaign targets a specific attack pattern (Magecart skimmers, specific CVE exploit traffic, etc.) with high-fidelity signatures intended for immediate enforcement, not staging. It is licensed separately from base Advanced WAF.
10Which technique is BEST classified as 'Initial Access' in the MITRE ATT&CK Enterprise matrix?
A.Credential Dumping
B.Exploit Public-Facing Application (T1190)
C.Lateral Movement via SMB
D.Data Exfiltration over HTTPS
Explanation: T1190 'Exploit Public-Facing Application' is in the Initial Access tactic and covers attackers exploiting an internet-facing service or web application. F5 Advanced WAF, AFM, and Distributed Cloud WAAP directly mitigate this technique by inspecting and blocking exploit traffic before it reaches the application.

About the F5-401 Security Expert Exam

The F5 Certified Solution Expert — Security (Exam 401) validates expert-level skill in designing, implementing, and operating F5 security solutions. The exam covers threat analysis using F5 Labs, MITRE ATT&CK, OWASP Top 10 2021 and OWASP API Top 10 2023, CWE Top 25, and risk scoring with CVSS v3.1 and EPSS; architecting solutions that combine LTM, Advanced WAF (formerly ASM), AFM, APM, BIG-IQ, SSL Orchestrator, DDoS Hybrid Defender, Silverline / Distributed Cloud DDoS, and Distributed Cloud WAAP; implementing WAF policies, L3-L7 DDoS protection, access policies with FIDO2/SAML/OAuth/Kerberos SSO, and SSL/TLS hardening including mTLS and FIPS; and maintaining and optimizing those solutions through tuning, central logging, and incident response.

Assessment

70 multiple-choice and scenario questions covering threat analysis, architecture and control selection, Advanced WAF / AFM / APM implementation, and incident response

Time Limit

105 minutes

Passing Score

245/350

Exam Fee

$180 (F5 / Pearson VUE / Certiverse)

F5-401 Security Expert Exam Content Outline

~25%

Threat Analysis

Threat intelligence (F5 Labs, MITRE ATT&CK, OWASP Top 10 2021, OWASP API Top 10 2023, CWE Top 25), threat modeling (STRIDE, PASTA, attack trees), and risk scoring (CVSS v3.1 base/temporal/environmental, EPSS)

~25%

Architect Solutions

Selecting LTM, Advanced WAF, AFM, APM, BIG-IQ, SSL Orchestrator, DHD, Silverline / Distributed Cloud DDoS, and Distributed Cloud WAAP to meet business and compliance requirements (PCI DSS 4.0, NIST CSF, CIS Controls, GDPR, FIPS 140-3)

~25%

Implementation

Advanced WAF policy lifecycle, automatic policy building, signature staging, Proactive Bot Defense, Anti-Bot Mobile SDK, Brute Force / Credential Stuffing, L7 DoS (TPS, Stress, Behavioral), AFM L3/L4 DDoS vectors and BGP blackholing, APM Visual Policy Editor with AAA, SSO, MFA, FIDO2 passkeys, network/portal/app access, SSL/TLS hardening (TLS 1.2/1.3, mTLS, OCSP stapling, FIPS, SSL Orchestrator chains), API Protection with OpenAPI 3.0, JWT, OAuth

~25%

Maintain and Optimize Solutions

Incident response playbooks, traffic learning tuning, support-ID investigation, central logging via BIG-IQ and SIEM, signature update lifecycle with staging, Threat Campaigns + IP Intelligence subscriptions, behavioral DoS dynamic signatures, post-incident lessons-learned and policy updates

How to Pass the F5-401 Security Expert Exam

What You Need to Know

  • Passing score: 245/350
  • Assessment: 70 multiple-choice and scenario questions covering threat analysis, architecture and control selection, Advanced WAF / AFM / APM implementation, and incident response
  • Time limit: 105 minutes
  • Exam fee: $180

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

F5-401 Security Expert Study Tips from Top Performers

1Master the F5 module decision tree — when to apply LTM, Advanced WAF, AFM, APM, BIG-IQ, SSL Orchestrator, DHD, and Distributed Cloud WAAP — because most 401 scenarios test selection logic
2Memorize Advanced WAF policy lifecycle: automatic policy building modes, signature staging, enforcement readiness period, and traffic learning tuning workflow
3Learn the three L7 DoS approaches (TPS-based, Stress-based, Behavioral) and when each is appropriate; behavioral generates dynamic signatures that auto-expire when stress drops
4Understand APM SSO mechanics in depth: Kerberos constrained delegation (KCD), NTLMv2, Forms, Header SSO, SAML SP/IdP, OAuth Resource Server, and FIDO2/WebAuthn passkeys
5Practice mapping risk to controls: OWASP Top 10 2021 / API Top 10 2023 / CWE Top 25 / MITRE ATT&CK to specific F5 mitigations (Advanced WAF signatures, AFM vectors, APM access checks)
6Work through incident-response scenarios using Support IDs, central BIG-IQ logging, IPI categories, and Threat Campaigns to coordinate cross-device response

Frequently Asked Questions

What is the F5 401 Security Solutions Expert exam?

F5 Exam 401 is the expert-level F5 Certified Solution Expert — Security credential. It validates the ability to evaluate threats, architect F5 security solutions, implement Advanced WAF / AFM / APM controls, and maintain and optimize them in production. The exam has 70 questions in 105 minutes with a 245/350 scaled passing score and is delivered through Pearson VUE / Certiverse for $180.

How is the F5 401 exam scored and what is the passing score?

F5 401 uses a scaled scoring model with a passing score of 245 out of 350. F5 does not publish per-question values; performance is weighted across the four domains (Threat Analysis, Architect Solutions, Implementation, and Maintain and Optimize Solutions) at roughly 25% each.

What topics does the F5 401 Security Expert exam cover?

The exam covers threat analysis (F5 Labs, MITRE ATT&CK, OWASP Top 10 2021, OWASP API Top 10 2023, CWE Top 25, STRIDE/PASTA threat modeling, CVSS v3.1, EPSS), architecture and control selection across LTM, Advanced WAF, AFM, APM, BIG-IQ, DHD, Silverline / Distributed Cloud DDoS, SSL Orchestrator, and Distributed Cloud WAAP, implementation of WAF policies, DDoS protection, access policies (SAML, OAuth, Kerberos, FIDO2 passkeys), SSL/TLS hardening including mTLS and FIPS, API Protection, and maintenance via tuning, logging, and incident response.

How much does the F5 401 exam cost?

The F5 401 Security Solutions Expert exam costs $180 USD per attempt through Pearson VUE / Certiverse. Online proctoring and in-person test centers are both available. Retake policies and waiting periods are set by F5 and Pearson VUE.

How long is the F5 401 certification valid?

The F5 401 credential is valid for 2 years from issuance. Recertification requires passing the current 401 exam or meeting F5's published renewal requirements before expiration.

Do I need prerequisites to attempt F5 401?

F5 strongly recommends holding at least one F5 Certified Technology Specialist (CTS) credential — typically 303-ASM, 304-APM, or 302-DNS — before attempting the 401. The expert-tier exam assumes deep familiarity with BIG-IP modules and prior specialist-level skill.

How should I prepare for the F5 401 exam?

Combine the official F5 401 blueprint with hands-on Advanced WAF, AFM, and APM lab time, study OWASP Top 10 2021 and OWASP API Top 10 2023 alongside MITRE ATT&CK techniques, master CVSS v3.1 and EPSS for risk prioritization, and practice incident-response workflows including support-ID investigation and behavioral L7 DoS analysis. Plan 80-120 hours of focused study over 10-16 weeks.