PBQs are the most-feared question type on every IT certification exam. Six interactive simulations — click into any one to try it live. No account, no email, no card.
✓ Real exam-style interfaces · ✓ No signup required · ✓ Works on mobile + desktop
Each demo is a real working PBQ — same component the actual exam runner uses.
CompTIA CertMaster-style PBQ — click any host in a live network diagram to isolate an infected workstation, block its C2 traffic at the perimeter firewall, and revoke its file-server access.
Tests: Incident response, network segmentation, ACL configuration under time pressure — the exact PBQ format on Security+, CySA+, and CCNA exams.
Architect a 3-zone network for a credit union — place web, mail, database and admin hosts in the right zone (DMZ / Internal / Management) and write the inter-zone firewall rules.
Tests: Network segmentation, defence-in-depth, ACL design between trust zones — a top-weighted Security+ objective.
Stand up SSL-VPN for 200 hybrid workers — pick the right encryption, configure MFA + posture checks, scope file-server access, and open the right perimeter port.
Tests: Secure remote access, IPsec vs SSL-VPN trade-offs, split-tunnel risk, MFA + endpoint posture — Security+ Domain 3 / 4.
Lock down a corporate WiFi — pick WPA3 + 802.1X, wire RADIUS, set rogue-AP detection, and harden the controller.
Tests: Wireless security, 802.1X / EAP, RADIUS, rogue-AP defence — Security+ Domain 3 Architecture.
Scope HR, Marketing and Contractor access across a payroll DB, file shares and the HR portal — RBAC, MFA, audit log placement.
Tests: Identity and access management, RBAC, where to require MFA, least privilege — Security+ Domain 4 / 1.
Wire Firewall, IDS, AD, web server, and endpoint logs into a SIEM — pick the right sources, retention, severity thresholds, and alert routes.
Tests: Detection engineering, SIEM tuning, log source selection, alert fatigue management — Security+ Domain 4 Operations.
Replace flat perimeter trust with identity-driven micro-segmentation — IdP, policy engine, conditional access, continuous verification.
Tests: Zero-trust principles, IdP integration, policy decision/enforcement, device posture — Security+ Domain 3.
Stand up a 2-tier PKI — keep the root CA offline, issue from a sub-CA, configure OCSP + CRL, scope cert lifetimes.
Tests: Public-key infrastructure, root vs intermediate CA, revocation (OCSP / CRL), cert lifecycle — Security+ Domain 1.
Lock down an AWS-style VPC — public/private/DB subnets, security groups, NAT GW vs IGW, IAM roles instead of keys.
Tests: Cloud network security, well-architected pillars, security groups vs NACLs, IAM least privilege — Security+ Domain 3.
Wire primary and DR sites — 3-2-1 backups, RPO / RTO targets, automated failover, immutable snapshots.
Tests: Resilience design, 3-2-1 rule, RPO vs RTO, DR site sizing — Security+ Domain 3 / 5.
Stop credential-harvest phishing — enforce SPF / DKIM / DMARC, scan attachments, quarantine policy, user reporting.
Tests: Email security, anti-phishing controls, SPF/DKIM/DMARC, user training — Security+ Domain 2 Threats.
A real-looking Cisco ASA firewall admin console — 5 tabs of toggles, dropdowns, radios, and multi-select. The hardest PBQ format on the exam.
Tests: End-to-end device configuration, security hardening, the kind of multi-screen lab task you see on Security+, CySA+ and Cisco exams.
Configure ALLOW/DENY rules with source, destination, port, protocol — exactly the PBQ format Security+ candidates see.
Tests: Network security policy design, ACL ordering, implicit-deny rule placement.
Type real Linux or Windows commands into a fake terminal, read output, identify the root cause.
Tests: Live-system troubleshooting, log inspection, command-line investigation under pressure.
Place network devices into the correct zones (DMZ, Internal, Secure) by dragging chips between panels.
Tests: Network segmentation, zone-based architecture, security boundaries.
Assign IP addresses, subnet masks, and gateways across a multi-device topology.
Tests: IPv4 addressing, subnetting, gateway routing logic, default-gateway placement.
Read realistic /var/log/auth.log entries and answer 4 questions about the attack pattern.
Tests: Pattern recognition in log data, attack identification, incident-response triage.
Walk through a real troubleshooting wizard, picking the right next step at each decision point.
Tests: CompTIA 6-step troubleshooting methodology, decision-making under uncertainty.
~30% of your exam score: PBQs typically account for a third of the points on Security+, CySA+, Network+ and similar exams.
~5–7 PBQs per exam: You typically get 5–10 PBQs in a real CompTIA / Cisco sitting — front-loaded at the start.
0 min of practice for most students: Most textbooks and free practice tests skip PBQs entirely. Walking in cold is the #1 cause of first-attempt failure.