Which term describes detective and preventive security controls that use an agent or network configuration to monitor hosts, allowing for more accurate credentialed scanning, but consume some host resources and are detectable by threat actors?

Multiple Choice

Explanation:
Host-based controls involve security measures that reside on endpoints or rely on endpoint configurations to monitor the system. By using an agent installed on each host or a specific network configuration targeting the host, these controls can perform credentialed scanning—checking the system from within with valid credentials to assess things like patches, configurations, and policies with greater accuracy. Since the code and processes run on the host, they consume some CPU, memory, and I/O resources, and the presence of the agent or its activity can be detected by threat actors who monitor for unusual processes or services. This approach contrasts with network-based controls, which monitor traffic and do not require an agent on each host, and with credentialed scanning as a technique, which is about how you assess posture rather than the control’s placement. An “active security control” is a broad label for mechanisms that actively monitor or enforce policies, but the described setup specifically points to host-based controls due to the agent on the host and the credentialed access it enables.
