The best answer is B. Providing an alternative security measure when standard remediation is not feasible.
A compensating control is a substitute safeguard used when the preferred or required control cannot be implemented immediately or at all. It helps reduce risk in another way until proper remediation is possible, or when direct remediation is impractical.
Examples include:
- increasing monitoring when a system cannot be patched
- segmenting a legacy application that cannot be upgraded
- restricting access to a vulnerable system that must remain in service
Why the other options are incorrect:
A. Reducing the attack surface by isolating vulnerable components within a segmented environment. This can be an example of a compensating control, but it does not define the overall role as clearly as B.
C. Delaying remediation timelines by replacing affected systems in a maintenance window. This describes scheduling or change timing, not compensating controls.
D. Remediating software flaws by modifying source code to remove insecure functions. This is direct remediation, not a compensating control.
From the SY0-701 perspective, compensating controls are used when the ideal fix is not possible, so B is the best explanation.