Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

CompTIA CY0-001 Exam - Topic 3 Question 2 Discussion

A security architect performs threat modeling of an AI system. The architect needs to determine which attacks can be performed against the system.Which of the following actions should the architect take next?
D) Analyze MITRE Adversarial Threat Landscape for AI Systems (ATLAS) for tactics, techniques, and procedures (TTPs).
A) Leverage a large language model (LLM) to map likely attack paths based on the code base.
B) Quantify the risk of known vulnerabilities identified in the AI system.
C) Identify trust boundaries and perform threat modeling with Open Worldwide Application Security Project (OWASP) Top 10.

CompTIA CY0-001 Exam - Topic 3 Question 2 Discussion

Actual exam question for CompTIA's CY0-001 exam
Question #: 2
Topic #: 3
[All CY0-001 Questions]

A security architect performs threat modeling of an AI system. The architect needs to determine which attacks can be performed against the system.

Which of the following actions should the architect take next?

Show Suggested Answer Hide Answer
Suggested Answer: D

Basic Concept: AI-specific threat modeling requires consulting resources that catalogue adversarial attacks specifically developed for AI and ML systems. General cybersecurity frameworks may miss AI-unique attack vectors such as model inversion, data poisoning, and adversarial examples. CompTIA SecAI+ Study Guide identifies MITRE ATLAS as the authoritative source for AI system TTPs.

Why D is Correct: MITRE ATLAS provides a comprehensive, curated knowledge base of adversarial tactics, techniques, and procedures specifically targeting AI and ML systems, derived from real-world attack case studies. Analyzing ATLAS enables the architect to enumerate realistic AI-specific attacks applicable to the system being threat-modeled, which directly answers the question of which attacks can be performed.

Why A is Wrong: Using an LLM to map attack paths introduces uncertainty and potential hallucination risk. LLMs may generate plausible-sounding but inaccurate attack paths and cannot guarantee comprehensive coverage of AI-specific attack techniques.

Why B is Wrong: Quantifying risk of known vulnerabilities is a risk assessment step that occurs after identifying which attacks are possible. The architect must first identify attack possibilities before quantifying their risk impact.

Why C is Wrong: OWASP Top 10 covers web application vulnerabilities and, in its LLM edition, certain LLM-specific risks. However, MITRE ATLAS provides a more comprehensive and structured catalog of AI and ML-specific adversarial TTPs for systematic threat modeling.


Contribute your Thoughts:

0/2000 characters
Shaun
2 days ago
I practiced a similar question where quantifying risks was emphasized, but I wonder if that’s the best first step here.
upvoted 0 times
...
Cassie
7 days ago
I'm not entirely sure, but I feel like analyzing the MITRE ATLAS could provide valuable insights into specific attack techniques.
upvoted 0 times
...
Santos
12 days ago
I remember we discussed the importance of identifying trust boundaries in threat modeling, so I think option C might be the right choice.
upvoted 0 times
...

Save Cancel