
100+ Free ISTQB CT-SEC Practice Questions

Pass your ISTQB Certified Tester — Security Tester Specialist (CT-SEC) exam on the first try — instant access, no signup required.


Key Facts: ISTQB CT-SEC Exam

  • Exam Questions: 40 (source: ISTQB)
  • Passing Score: 65% (source: ISTQB)
  • Exam Duration: 60-90 min (source: ISTQB; varies by region)
  • Exam Fee: $200-$249 (source: ISTQB / local exam board)
  • Prerequisite: CTFL (ISTQB Foundation Level required)
  • Validity: Lifetime (does not expire)

The CT-SEC exam has 40 multiple-choice questions in 60-90 minutes with a 65% passing score. Domains include security testing process, risk assessment, security test types, OWASP Top 10 2021, authentication/authorization testing, encryption testing, session management, security tools, and DevSecOps. Prerequisite: ISTQB Foundation (CTFL). Exam fee is $200-$249. Certification is lifetime.

Sample ISTQB CT-SEC Practice Questions

Try these sample questions to test your ISTQB CT-SEC exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which of the following best describes the primary objective of security testing within the SDLC?
A. To prove the absence of all vulnerabilities in the application
B. To identify security risks and verify that security controls function as intended
C. To replace functional testing once authentication is added
D. To penetrate production systems without prior authorization
Explanation: Security testing aims to identify security risks, verify implemented controls, and provide stakeholders with evidence that security objectives are met. Testing cannot prove the absence of vulnerabilities. It supplements (not replaces) functional testing. Penetration testing of production systems always requires explicit authorization (rules of engagement).
2. In the STRIDE threat modeling methodology, what does the letter 'R' represent?
A. Risk acceptance
B. Repudiation
C. Reverse engineering
D. Remote code execution
Explanation: STRIDE is a threat classification developed by Microsoft: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Repudiation refers to a user denying having performed an action when no audit trail exists to prove otherwise. The control is non-repudiation through logging, signed transactions, and immutable audit logs.
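The control named in that explanation, an immutable audit log, is easy to describe and easy to get wrong. As an added example (not from the page or from ISTQB material), the Python below keeps an HMAC-chained log: each record's MAC covers the record and the previous record's MAC, so editing, deleting or reordering any record is detected on verification. The key, actors and actions are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed demo key: a real log service would keep this in an HSM or KMS,
# out of reach of the application users whose actions it records.
AUDIT_KEY = b"demo-audit-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" of the first record


def _canonical(body: Dict[str, Any]) -> bytes:
    # Deterministic serialization so a record always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: Dict[str, Any], key: bytes) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_event(log: List[Dict[str, Any]], actor: str, action: str,
                 target: str, key: bytes = AUDIT_KEY) -> Dict[str, Any]:
    """Append a record whose MAC also covers the previous record's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action,
            "target": target, "prev": prev}
    record = dict(body, mac=_mac(body, key))
    log.append(record)
    return record


def verify_log(log: List[Dict[str, Any]], key: bytes = AUDIT_KEY) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        # A deleted or reordered record breaks seq/prev; an edited one breaks its MAC.
        if body.get("seq") != i or body.get("prev") != prev:
            return i
        if not hmac.compare_digest(_mac(body, key), record.get("mac", "")):
            return i
        prev = record["mac"]
    return -1


def demo():
    """Three events, then two repudiation attempts: edit a record, delete a record."""
    log: List[Dict[str, Any]] = []
    append_event(log, "alice", "approve_payment", "invoice-1042")
    append_event(log, "alice", "delete_user", "bob")
    append_event(log, "carol", "login", "portal")
    intact = verify_log(log)          # -1: chain verifies

    log[1]["actor"] = "mallory"       # "alice never deleted bob"
    after_edit = verify_log(log)      # 1: MAC of record 1 no longer matches

    del log[1]                        # try removing the evidence instead
    after_delete = verify_log(log)    # 1: record now at index 1 has seq 2 and the wrong prev
    return intact, after_edit, after_delete
```

Caveat a tester should raise: an HMAC proves only that a holder of AUDIT_KEY wrote the record, so this gives tamper evidence, not a user's signature. Non-repudiation against the user additionally needs something only that user can produce (a signature with a key under their control) or a trusted third-party log/timestamping service, plus append-only storage so the chain itself cannot be rewritten and re-MACed by whoever holds the key.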
3. Which OWASP Top 10 2021 category replaces the older 'Sensitive Data Exposure' category?
A. A01: Broken Access Control
B. A02: Cryptographic Failures
C. A03: Injection
D. A04: Insecure Design
Explanation: In OWASP Top 10 2021, A02:2021 Cryptographic Failures replaced the previous 'Sensitive Data Exposure' category. The rename refocuses on the root cause (failures in cryptography, key management, weak ciphers, missing TLS) rather than the symptom (data exposure). A01 is Broken Access Control (now #1), A03 is Injection, and A04 is the new Insecure Design category.
4. A tester finds that an application returns full stack traces, including database connection strings, when an error occurs. Which OWASP Top 10 2021 category does this BEST map to?
A. A01: Broken Access Control
B. A05: Security Misconfiguration
C. A07: Identification and Authentication Failures
D. A09: Security Logging and Monitoring Failures
Explanation: Verbose error pages, stack traces, and exposed configuration details fall under A05:2021 Security Misconfiguration. Default error handlers should be replaced with generic error responses; detailed errors should only appear in server-side logs. This category also covers default credentials, unnecessary features, and missing security headers.
5. What is the key difference between a vulnerability assessment and a penetration test?
A. Vulnerability assessments use automated tools; penetration tests do not
B. Vulnerability assessments identify and catalog weaknesses; penetration tests actively exploit them
C. Penetration tests are static; vulnerability assessments are dynamic
D. Vulnerability assessments require authorization; penetration tests do not
Explanation: A vulnerability assessment focuses on discovering and cataloging weaknesses (often broad and automated). A penetration test goes further by actively exploiting selected vulnerabilities to demonstrate real-world impact, chain weaknesses, and reach defined objectives. Both require authorization; pen tests typically use both automated tools and manual techniques.
6. Which security testing technique analyzes the source code without executing it?
A. DAST
B. SAST
C. IAST
D. RASP
Explanation: SAST (Static Application Security Testing) analyzes source code, bytecode, or binaries without executing the application. DAST (Dynamic) tests a running application from the outside. IAST (Interactive) instruments the running application to combine internal visibility with runtime testing. RASP (Runtime Application Self-Protection) defends rather than tests.
7. What does SCA (Software Composition Analysis) primarily detect?
A. Hard-coded passwords in source code
B. Known vulnerabilities in third-party and open-source components
C. Race conditions in multi-threaded code
D. Improper TLS configuration on web servers
Explanation: SCA tools (e.g., OWASP Dependency-Check, Snyk, Black Duck) inventory third-party and open-source components and match them against vulnerability databases (CVE, NVD, GHSA). They detect vulnerable dependencies and licensing issues. Hard-coded secrets are typically caught by SAST or secret scanners, race conditions by SAST or specialized tools, and TLS misconfig by DAST or scanners like SSL Labs.
8. A CVSS v3.1 base score of 9.8 indicates which severity rating?
A. Low
B. Medium
C. High
D. Critical
Explanation: CVSS v3.1 severity ratings are: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). A 9.8 score indicates a Critical vulnerability, typically representing remotely exploitable issues with low attack complexity that require no privileges or user interaction and result in high impact to confidentiality, integrity, and availability.
9. A web application accepts a user-supplied URL and fetches its contents server-side. An attacker uses this to reach the cloud metadata endpoint at 169.254.169.254. Which OWASP Top 10 2021 category is this?
A. A01: Broken Access Control
B. A03: Injection
C. A10: Server-Side Request Forgery (SSRF)
D. A06: Vulnerable and Outdated Components
Explanation: This is a classic SSRF attack (A10:2021). The attacker abuses server-side URL fetching to access internal resources, such as cloud metadata services that expose IAM credentials. Mitigations include allowlisting target hosts, blocking link-local/private IP ranges, requiring IMDSv2 in AWS, and disabling unused URL schemes.
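The mitigations listed above, shown as working code. This is an added example, not the page's or any project's code: a vulnerable fetcher that trusts the supplied host, beside a hardened version that allowlists the scheme and host and then checks every address the host resolves to against link-local, private and IPv4-mapped ranges. The allowlist, the hostnames and the DNS table are constructed so the demo runs offline.

```python
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the fetcher is permitted to contact.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}

# Address ranges an internet-facing fetcher must never reach. Cloud metadata
# lives in 169.254.0.0/16; the rest are private, loopback, shared-address and
# IPv6 local ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def vulnerable_target(url: str):
    """The pattern from the question: the server fetches whatever host was supplied."""
    return urlparse(url).hostname


def resolve_all(hostname: str) -> Set[str]:
    """Every address a name resolves to (kept separate so tests can stub DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_blocked_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254), a common filter bypass.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in BLOCKED_NETWORKS))


def safe_target(url: str,
                resolver: Callable[[str], Set[str]] = resolve_all) -> Tuple[str, Set[str]]:
    """Allowlist scheme and host, then reject if any resolved address is internal."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    ips = resolver(host)
    blocked = sorted(ip for ip in ips if is_blocked_ip(ip))
    if blocked:
        raise ValueError(f"{host} resolves to blocked address(es): {blocked}")
    return host, ips


# Constructed DNS table for the offline demo: one honest partner host, and one
# allowlisted name whose DNS an attacker has pointed at the metadata service.
FAKE_DNS = {
    "api.partner.example": {"93.184.216.34"},
    "cdn.example": {"93.184.216.34", "169.254.169.254"},
}


def demo():
    outcomes = {}
    for url in ("http://169.254.169.254/latest/meta-data/iam/",
                "http://api.partner.example/v1/report",
                "https://cdn.example/logo.png",
                "file:///etc/passwd"):
        try:
            safe_target(url, resolver=lambda h: FAKE_DNS[h])
            outcomes[url] = "allowed"
        except ValueError:
            outcomes[url] = "blocked"
    return outcomes
```

Two caveats a tester should check for. First, the resolved-address check only holds if the HTTP client connects to the address that was checked; if it resolves the name again, DNS rebinding (a short TTL answer that flips to 169.254.169.254 between check and connect) bypasses the filter, so pin the checked IP at the socket layer or validate there. Second, redirects must be re-validated with the same function, since an allowlisted host can 302 to an internal one. Requiring IMDSv2 on AWS is defense in depth for when the filter is wrong: the metadata service then demands a token obtained via a PUT with a custom header, which a simple GET-based SSRF cannot produce.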
10. Which of the following is the BEST example of horizontal privilege escalation?
A. A standard user gains administrator access
B. User A modifies the URL parameter to view User B's invoice
C. An attacker exploits a buffer overflow to execute arbitrary code
D. A read-only user gains write access through a misconfigured ACL
Explanation: Horizontal privilege escalation occurs when a user accesses resources of another user at the same privilege level (e.g., User A reading User B's invoice via IDOR). Vertical privilege escalation moves between privilege tiers (standard to admin). Both are forms of Broken Access Control (A01:2021).
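Since the exam is about testing, the useful thing to see is how both escalation types show up in an access-control regression test. The Python below is an added example (not from the page or any project): a vulnerable invoice lookup with no ownership check beside a hardened one, a "void" action that should be admin-only, and a small test matrix that exercises the horizontal case (alice reads bob's invoice) and the vertical case (alice performs an admin action) and reports the deviations from the expected deny/allow outcome. Users, roles and invoice data are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin"


class PermissionDenied(Exception):
    pass


# Constructed data: two ordinary users, each owning one invoice.
INVOICES: Dict[int, Dict[str, object]] = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 75.50},
}


def get_invoice_vulnerable(current_user: User, invoice_id: int):
    """IDOR: the id taken from the URL is trusted and ownership is never checked."""
    return INVOICES[invoice_id]


def get_invoice_secure(current_user: User, invoice_id: int):
    """Object-level check: owner or admin only. Unknown and foreign ids are
    rejected identically so the endpoint cannot be used to enumerate ids."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != current_user.name
                           and current_user.role != "admin"):
        raise PermissionDenied(f"{current_user.name} may not read invoice {invoice_id}")
    return invoice


def void_invoice_vulnerable(current_user: User, invoice_id: int) -> str:
    """Missing function-level check: any authenticated user can void an invoice."""
    return f"invoice {invoice_id} voided"


def void_invoice_secure(current_user: User, invoice_id: int) -> str:
    """Function-level check: voiding is an admin action regardless of ownership."""
    if current_user.role != "admin":
        raise PermissionDenied("admin role required")
    return f"invoice {invoice_id} voided"


def access_control_matrix(get_invoice: Callable, void_invoice: Callable) -> Dict[str, str]:
    """Run each actor/action pair and record whether it was allowed or denied."""
    alice, admin = User("alice", "user"), User("root", "admin")
    cases = {
        "alice reads own invoice": (get_invoice, alice, 1001),
        "horizontal: alice reads bob's invoice": (get_invoice, alice, 1002),
        "vertical: alice voids an invoice": (void_invoice, alice, 1001),
        "admin reads bob's invoice": (get_invoice, admin, 1002),
        "unknown id": (get_invoice, alice, 9999),
    }
    outcome = {}
    for name, (fn, user, invoice_id) in cases.items():
        try:
            fn(user, invoice_id)
            outcome[name] = "allowed"
        except (PermissionDenied, KeyError):
            outcome[name] = "denied"
    return outcome


# The policy the application is supposed to enforce.
EXPECTED = {
    "alice reads own invoice": "allowed",
    "horizontal: alice reads bob's invoice": "denied",
    "vertical: alice voids an invoice": "denied",
    "admin reads bob's invoice": "allowed",
    "unknown id": "denied",
}


def findings(get_invoice: Callable, void_invoice: Callable) -> List[str]:
    """Names of the cases where the build deviates from EXPECTED (access-control defects)."""
    actual = access_control_matrix(get_invoice, void_invoice)
    return sorted(name for name in EXPECTED if actual[name] != EXPECTED[name])
```

Run against the vulnerable pair, `findings` reports both the horizontal and the vertical case; against the secure pair it is empty, which is what a security regression gate in CI would assert. The point of writing the policy down as a matrix is that every new endpoint gets the same two questions asked of it automatically: can a peer reach another peer's object, and can a lower tier call a higher tier's function.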

About the ISTQB CT-SEC Exam

The ISTQB Certified Tester — Security Tester Specialist (CT-SEC) validates the ability to plan, design, and execute security tests across the SDLC. It covers security risk assessment, threat modeling (STRIDE, PASTA, attack trees), security test types (SAST, DAST, IAST, SCA, RASP, vulnerability assessment, penetration testing), OWASP Top 10 2021, authentication and authorization testing, input validation, encryption testing, session management, security tools (OWASP ZAP, Burp Suite, Nmap, Nessus), DevSecOps integration, and CWE/CVE/CVSS reporting.

  • Questions: 40 scored questions
  • Time Limit: 60-90 minutes
  • Passing Score: 65%
  • Exam Fee: $200-$249 (ISTQB / Pearson VUE / Kryterion)

ISTQB CT-SEC Exam Content Outline

  • Security Testing Process & Risk Assessment (~15%): security objectives in the SDLC, defense in depth, security test plans, risk-based testing, CVSS v3.1 scoring, CVE/CWE taxonomy, risk registers, and traceability
  • Threat Modeling (~15%): STRIDE, DREAD, PASTA, attack trees, kill chain, MITRE ATT&CK, abuse and misuse cases
  • Security Test Types (~20%): vulnerability assessment vs penetration testing vs ethical hacking; SAST, DAST, IAST, SCA, RASP; black-box vs white-box; security regression
  • OWASP Top 10 2021 & Defects (~20%): broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, auth failures, integrity failures, logging/monitoring failures, SSRF
  • Authentication, Authorization & Sessions (~15%): password policies (NIST SP 800-63B), MFA, RBAC/ABAC, IDOR, privilege escalation, JWT, OAuth 2.0/PKCE, SAML, session fixation
  • Input Validation & Encryption (~10%): XSS, SQLi, XXE, command injection, path traversal, fuzzing, TLS configuration, certificate pinning, password storage (Argon2id, bcrypt)
  • Security Tools & DevSecOps (~5%): OWASP ZAP, Burp Suite, Nmap, Nikto, Nessus, OpenVAS, Wireshark, sqlmap, security gates, SBOM, secrets management, MTTR

How to Pass the ISTQB CT-SEC Exam

What You Need to Know

  • Passing score: 65%
  • Exam length: 40 questions
  • Time limit: 60-90 minutes
  • Exam fee: $200-$249

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

ISTQB CT-SEC Study Tips from Top Performers

1. Memorize the OWASP Top 10 2021 categories (A01-A10) and one example mitigation each
2. Understand the difference between SAST, DAST, IAST, SCA, and RASP, and when each is appropriate
3. Practice CVSS v3.1 vector reading and severity bands (None / Low / Medium / High / Critical)
4. Know the four threat modeling approaches and what each produces: STRIDE classifies threats, DREAD scores them, PASTA is a staged process, attack trees decompose an attacker goal
5. Get hands-on with OWASP ZAP or Burp Suite Community on OWASP Juice Shop / DVWA / WebGoat
6. Study the OWASP ASVS verification levels (L1, L2, L3) and NIST SP 800-63B password recommendations
7. Expect questions on DevSecOps integration: security gates in CI/CD, SBOMs, secrets management, MTTR

Frequently Asked Questions

What is the ISTQB CT-SEC exam?

The CT-SEC (Certified Tester Security Tester Specialist) is an ISTQB advanced specialist certification for security testers. It validates the ability to plan, design, and execute security tests across the SDLC, including risk assessment, threat modeling, OWASP Top 10, SAST/DAST/IAST/SCA, authentication and authorization testing, encryption testing, and DevSecOps integration.

How many questions are on the CT-SEC exam?

The CT-SEC exam typically has 40 multiple-choice questions to be completed in 60-90 minutes. The passing score is 65%. Non-native English speakers usually receive a 25% time extension under ISTQB rules. Confirm exact format with your local exam provider as numbers may vary by region.

Are there prerequisites for the CT-SEC exam?

Yes. Candidates must hold the ISTQB Foundation Level (CTFL) certificate. Many local boards also recommend (or require) several years of practical software testing or security experience before sitting for the specialist exam.

What topics are on the CT-SEC exam?

Major topics: security testing process within the SDLC, security risk assessment (CVSS, CWE/CVE), threat modeling (STRIDE, PASTA, attack trees), security test types (vulnerability assessment, penetration testing, SAST, DAST, IAST, SCA, RASP), OWASP Top 10 2021, authentication and authorization testing, input validation, encryption and TLS, session management, security tools, and DevSecOps integration.

How should I prepare for the CT-SEC exam?

Plan 30-50 hours of study over 4-6 weeks if you already have some security testing experience. Read the official CT-SEC syllabus from istqb.org, review OWASP Top 10 2021, OWASP ASVS, OWASP Cheat Sheets, and NIST SP 800-63B. Practice with OWASP ZAP/Burp Suite on a deliberately vulnerable app like OWASP Juice Shop or DVWA. Complete 100+ practice questions and target 80%+ before scheduling.

Does the CT-SEC certification expire?

No — like other ISTQB certifications, CT-SEC does not expire. Once you pass, the credential is valid for life. However, the security landscape evolves rapidly, so continued professional development is essential to remain effective in real-world security testing.