Mixed Exam Strategy and Missed-Question Remediation
Key Takeaways
- Mixed questions force topic-switching: a technical control, governance, operations, identity, and risk item can appear back to back.
- Read qualifiers first: first, next, best, most likely, most secure, least privilege, compensating, and residual risk all change the correct answer.
- When two answers are true, choose the one matching the phase, available evidence, and stated constraint.
- Remediation must separate knowledge gaps from reading errors, process errors, and weak scenario judgment.
- Review low-confidence correct answers like misses; a lucky guess hides the same weakness.
Why Mixed Questions Feel Hard
SY0-701 items often feel hard because several options are technically related. The exam wants the best answer for the exact timing, role, and constraint in the stem, not merely a true statement. Two answers can both be correct in isolation; only one fits the scenario.
Qualifier Words That Change the Answer
| Word or phrase | Meaning for your answer |
|---|---|
| First | Earliest safe action in the process |
| Next | What follows from the current evidence and phase |
| Best | Strongest fit across security, business, and constraints |
| Most likely | Explanation best supported by the clues |
| Most secure | Highest-security option if constraints allow |
| Least privilege | Minimum access required for the task |
| Compensating | Alternative control when the preferred one is infeasible |
| Residual risk | Risk remaining after controls are applied |
| Detective | Identifies activity that occurred |
| Preventive | Blocks activity before it occurs |
Missing a single qualifier (especially "first," "next," or "not") is among the most common avoidable errors on this exam: the distractor is often the answer you would give to the stem with that word removed.
When Two Answers Are True
Ask these questions in order:
| Decision question | Why it helps |
|---|---|
| What phase are we in? | IR and vuln management have ordered steps |
| What evidence already exists? | Do not jump beyond what the logs support |
| What is the business constraint? | Downtime limits, legacy systems, cost, and compliance obligations shift the answer |
| What is the least-privilege version? | Broad access is rarely best |
| Is this asking cause, control, or next step? | Separates diagnosis from remediation |
Worked Close-Answer Scenario
A finance user reports a suspicious login alert. Logs show a successful login from a new country, a successful MFA push, creation of a mailbox forwarding rule, and several mailbox searches. The user denies traveling or approving the prompt.
| Answer | Evaluation |
|---|---|
| Reset the password only | Incomplete; sessions, tokens, and the rule persist |
| Disable the account, revoke sessions, preserve logs, remove malicious rules | Best: contains and preserves evidence |
| Delete the mailbox to stop access | Excessive; destroys evidence |
| Ignore it because MFA succeeded | Wrong; push fatigue or relay phishing can pass MFA |
You have enough evidence to contain and preserve, not enough justification to destroy data. The best answer matches the evidence and the incident phase.
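The triage logic for the scenario above, written out as an added example that is not part of the original page. The audit-event schema, user names, countries, timestamps and the forwarding address are constructed to mirror the scenario and are not a real vendor log format; the scoring weights and the order of the containment actions are illustrative assumptions. It also covers the case the page warns about: a successful MFA push is recorded as context but contributes nothing to the score, and a new-country login with no post-authentication activity and a user who confirms travel resolves to "verify and monitor" rather than containment.

```python
from datetime import datetime, timedelta

# Constructed audit events that mirror the scenario above. Field names are a
# simplified, made-up schema, not a real vendor log format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:10Z", "user": "finance.user", "op": "UserLoggedIn",
     "country": "NL", "detail": ""},
    {"ts": "2024-05-01T08:02:12Z", "user": "finance.user", "op": "MfaPushApproved",
     "country": "NL", "detail": ""},
    {"ts": "2024-05-01T08:05:40Z", "user": "finance.user", "op": "New-InboxRule",
     "country": "NL", "detail": "ForwardTo=attacker@example.net;DeleteMessage=True"},
    {"ts": "2024-05-01T08:07:03Z", "user": "finance.user", "op": "MailItemsAccessed",
     "country": "NL", "detail": "search=invoice"},
    {"ts": "2024-05-01T08:09:30Z", "user": "finance.user", "op": "MailItemsAccessed",
     "country": "NL", "detail": "search=wire transfer"},
    {"ts": "2024-05-01T08:15:00Z", "user": "other.user", "op": "UserLoggedIn",
     "country": "US", "detail": ""},
]

# Countries each user normally signs in from (constructed baseline).
USER_BASELINE = {"finance.user": {"US"}, "other.user": {"US"}}

# Ordered containment plan (assumed order): evidence is preserved before
# anything that changes the mailbox state.
CONTAIN_ACTIONS = [
    "Disable the account",
    "Revoke active sessions and refresh tokens",
    "Preserve sign-in and mailbox audit logs and export the rule definition",
    "Remove the malicious inbox rule(s)",
    "Reset the password and re-register MFA before re-enabling",
]
# Destructive or evidence-destroying options that never belong in the plan.
NEVER_DO = ["Delete the mailbox", "Purge or overwrite audit logs"]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def forwarding_targets(events):
    """Return ForwardTo addresses from inbox-rule events (constructed detail format)."""
    targets = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        for part in e["detail"].split(";"):
            key, _, val = part.partition("=")
            if key.strip() == "ForwardTo" and val:
                targets.append(val.strip())
    return targets


def triage(events, user, user_denies, baseline=USER_BASELINE,
           window=timedelta(hours=1)):
    """Correlate one user's events after their first login and score them.

    MFA success is deliberately worth zero: push fatigue and relay phishing
    both produce a successful MFA record, so it must not lower the score.
    """
    logins = sorted((e for e in events if e["user"] == user and e["op"] == "UserLoggedIn"),
                    key=lambda e: e["ts"])
    if not logins:
        return {"verdict": "no login events", "score": 0, "findings": [],
                "actions": [], "never": NEVER_DO}
    anchor = logins[0]
    start = parse_ts(anchor["ts"])
    end = start + window
    related = [e for e in events
               if e["user"] == user and start <= parse_ts(e["ts"]) <= end]

    score, findings = 0, []
    if anchor["country"] not in baseline.get(user, set()):
        score += 1
        findings.append(f"login from new country {anchor['country']}")
    if user_denies:
        score += 2
        findings.append("user denies the login and the MFA prompt")
    rules = forwarding_targets(related)
    if rules:
        score += 2  # persistence: attacker keeps reading mail after eviction
        findings.append(f"forwarding rule to {', '.join(rules)}")
    searches = sum(1 for e in related if e["op"] == "MailItemsAccessed")
    if searches:
        score += 1
        findings.append(f"{searches} mailbox search/access events")
    if any(e["op"] == "MfaPushApproved" for e in related):
        findings.append("MFA push approved (context only, score unchanged)")

    if score >= 3:
        verdict, actions = "contain and preserve", CONTAIN_ACTIONS
    elif score >= 1:
        verdict, actions = "verify with user and monitor", [
            "Confirm the sign-in and prompt with the user out of band",
            "Watch for new rules, forwarding, or bulk mailbox access",
        ]
    else:
        verdict, actions = "benign", []
    return {"verdict": verdict, "score": score, "findings": findings,
            "actions": actions, "never": NEVER_DO}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, "finance.user", user_denies=True)
    print(result["verdict"], "score", result["score"])
    for line in result["findings"]:
        print(" -", line)
    for step, action in enumerate(result["actions"], 1):
        print(f"{step}. {action}")
```

Running it prints the findings and the ordered plan for the finance user. The two points worth noticing are that the log export step sits before rule removal, so the rule definition (and its external target) survives as evidence, and that the MFA record appears in the findings without changing the verdict.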
Missed-Question Remediation Framework
Label every missed item and every low-confidence correct item.
| Label | Diagnostic question | Repair action |
|---|---|---|
| Knowledge | Did I not know the term, port, or process? | Add a card or table row |
| Reading | Did I miss first, next, best, not, or least? | Restate the task before answering |
| Scenario | Knew the concept but chose the wrong fit? | Write why the correct answer fits the constraints |
| Process | Skipped a required order of operations? | Drill the IR or vuln-management sequence |
| Overreach | Chose a broad or destructive answer? | Practice least privilege and evidence preservation |
| Guess | Right without confidence? | Review it like a miss |
Common Traps and Better Patterns
| Trap | Better pattern |
|---|---|
| "MFA succeeded, so it is safe" | Logs and user denial can still indicate compromise |
| "Encrypt everything" | Encrypt when it addresses the stated at-rest or in-transit risk |
| "Patch immediately" | Validate the finding, prioritize by risk, plan the change, remediate, then rescan to confirm |
| "Block all traffic" | Meet the business need with least-privilege rules |
| "Delete the evidence" | Preserve logs and artifacts before destructive action |
| "Shared admin is easier" | Use named accounts, PAM, MFA, and logging |
Final Mixed-Set Routine
- Mark every miss and every low-confidence correct answer.
- Label the error type from the framework above.
- Write a one-sentence reusable rule.
- Redo similar (not identical) questions after a delay.
- Track whether the same error type repeats.
The exam is not asking whether you have seen the exact scenario. It asks whether you can read the role of each clue: logs mean use evidence; job duties mean least privilege and separation of duties; a legacy constraint means compensating controls and documented residual risk; an incident phase means the action that belongs to that phase.
Pacing Inside the Mixed Section
After the PBQ cluster, the multiple-choice block is where you recover time. The exam allows up to 90 items in 90 minutes, roughly 60 seconds per item, so the multiple-choice items should average well under a minute to bank a buffer for the items you flagged. Use a two-pass rule: answer every item on the first pass, mark anything that takes more than 90 seconds, and return to the marked set with whatever buffer you saved. There is no penalty for a wrong answer, and the result is scaled to a 750 passing score on the 100-900 range, so leaving no item blank matters; an educated guess after eliminating two distractors has a far better expected value than a blank.
The Distractor Patterns to Recognize
Most SY0-701 wrong answers fall into a few families: the too-broad answer (open all ports, grant admin), the destructive answer (delete logs or mailboxes), the premature answer (eradicate before contain, patch before validate), and the plausible-but-off-phase answer (a control that is correct later in the process). When you can name which family a distractor belongs to, eliminating it is fast and reliable. Pair that with the qualifier reading above, and most close two-answer questions resolve cleanly.
Self-Check
- Logs show a suspicious login, the user denies it, a mailbox forwarding rule was created, and several mailbox searches ran. Which is the strongest next step?
- Which words in a stem should change how you select an answer?
- You answered a practice question correctly but guessed between two choices. How should it be handled in remediation?