A biotech research firm in Boston, Massachusetts, migrates its laboratory management platform to the cloud. The vendor provides an environment where developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage. The firm controls the application logic but not the runtime infrastructure. Which cloud service model is the company using?
Correct Answer: B
This scenario describes Platform as a Service (PaaS) because the provider delivers a managed platform where developers can deploy and run custom applications while the provider manages the underlying infrastructure components: servers, operating systems, storage, and often middleware and runtime components. The customer is responsible for application code and logic (and usually data and application configuration), but not for provisioning or maintaining the base compute and OS layers. The key phrasing is: "developers can deploy and test custom applications without managing the underlying servers, operating systems, or storage," and "the firm controls the application logic but not the runtime infrastructure." That is the hallmark responsibility split of PaaS: the provider handles infrastructure and platform operations, enabling rapid development and deployment through managed runtimes, build/deploy pipelines, and scalable services. Why the other models don't fit: IaaS (A) would require the customer to manage the OS and many platform components (patching, runtime configuration, middleware), even though the provider supplies the virtualized infrastructure; the scenario explicitly says they do not manage the OS or servers. SaaS (C) provides a complete, finished application that the customer uses; customers typically cannot deploy their own custom application logic onto it in the way described. XaaS (D) is a broad umbrella term, not the specific NIST-style service model classification being asked about. Therefore, the correct answer is B. Platform as a Service (PaaS).
312-50v13 Exam Question 67
Javier Ruiz from CyberFortress Solutions is tasked with auditing the mobile security practices of Apex Financial Services, a financial firm in Houston, Texas. During a covert penetration test, Javier targets employees' personal smartphones used to access corporate financial systems. He exploits a vulnerability by installing a malicious app that bypasses access controls, granting him unauthorized entry to sensitive financial data because the devices lack a specific security measure to restrict app access. Based on this vulnerability, which BYOD security guideline is most likely missing in Apex Financial Services' policy?
Correct Answer: A
The most likely missing BYOD guideline is reviewing application permissions before installation. In CEH mobile security guidance, a major risk in BYOD environments is the introduction of untrusted or malicious applications that abuse the mobile permission model to access corporate data, intercept authentication tokens, read storage, capture keystrokes via accessibility services, or communicate externally. When users install apps without scrutinizing requested permissions, they may unknowingly grant excessive privileges that enable data theft or access-control bypass, especially if the app leverages OS weaknesses or misconfigurations. The scenario states Javier "installs a malicious app that bypasses access controls" and gains access to sensitive financial data because devices "lack a specific security measure to restrict app access." This maps directly to a policy gap around controlling and validating apps and their permission requests. CEH emphasizes that organizations should reduce attack surface by limiting app privileges, avoiding sideloading from untrusted sources, and enforcing least privilege through user awareness and enterprise controls such as MDM application allowlisting and permission governance. Reviewing permissions is the user-facing guideline that prevents employees from granting dangerous access (for example, SMS, storage, contacts, accessibility, device admin, or VPN configuration permissions) that can enable credential theft or unauthorized data access. Option B adds an extra layer for local access but does not stop a malicious app with granted permissions from accessing corporate data. Option C helps if a device is physically stolen, but it does not prevent malicious apps already running under the user context. Option D protects data at rest, yet a malicious app can still exfiltrate data once it is decrypted and accessed by the user session. Therefore, permission review is the most directly relevant missing BYOD guideline.
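The permission-review guideline above can be turned into a repeatable check before an app is approved for a BYOD device. The following Python script is an added example, not part of the exam material: it parses a constructed AndroidManifest.xml, collects the permissions the app requests (both `<uses-permission>` entries and the `BIND_*` permissions declared on `<service>` elements, which is how accessibility, device-admin and VPN services expose themselves) and flags the high-risk ones the explanation names. The risk list is an illustrative selection chosen for this example, not an official policy.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Android resource namespace used for android:name / android:permission attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERM = f"{{{ANDROID_NS}}}permission"

# Illustrative high-risk permissions for a BYOD review (constructed list, not a full policy).
HIGH_RISK: Dict[str, str] = {
    "android.permission.READ_SMS": "can read SMS, including one-time codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.READ_EXTERNAL_STORAGE": "can read shared storage (documents, downloads)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: can observe screen content and input",
    "android.permission.BIND_DEVICE_ADMIN": "device admin: can change device policy",
    "android.permission.BIND_VPN_SERVICE": "VPN service: can route all device traffic",
}

# Constructed sample manifest for a fictitious app; nothing here is a real package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every permission the manifest asks for, from both declaration styles."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NAME) for e in root.iter("uses-permission")]
    # Privileged services (accessibility, device admin, VPN) declare the
    # BIND_* permission on the <service> element rather than in <uses-permission>.
    perms += [e.get(ANDROID_PERM) for e in root.iter("service") if e.get(ANDROID_PERM)]
    return sorted(set(p for p in perms if p))


def review(manifest_xml: str) -> dict:
    """Flag high-risk permissions and return a simple review verdict."""
    requested = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in requested if p in HIGH_RISK}
    return {
        "requested": requested,
        "flagged": flagged,
        "verdict": "NEEDS_REVIEW" if flagged else "OK",
    }


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    print("Verdict:", result["verdict"])
    for perm, why in result["flagged"].items():
        print(f"  {perm}: {why}")
```

In an enterprise setting the same check would run inside the MDM or app-vetting pipeline rather than by hand, but the decision it encodes is exactly the user-facing guideline the explanation describes: look at what the app asks for before it is allowed onto a device that touches corporate data.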
312-50v13 Exam Question 68
An attacker exploits legacy protocols to perform advanced sniffing. Which technique is the most difficult to detect and neutralize?
Correct Answer: C
CEH v13 identifies covert channels in legacy industrial protocols as among the hardest sniffing techniques to detect. Modbus, widely used in OT and ICS environments, lacks authentication and encryption, making it ideal for covert communication. Attackers can manipulate function codes and payload timing to exfiltrate data without triggering traditional IDS signatures. CEH v13 highlights that OT protocols often bypass deep inspection tools, making covert channels extremely stealthy. Other options are less realistic or less persistent in modern enterprise environments.
312-50v13 Exam Question 69
In Denver, Colorado, ethical hacker Sophia Nguyen is hired by Rocky Mountain Insurance to assess the effectiveness of their network security controls. During her penetration test, she attempts to evade the company's firewall by fragmenting malicious packets to avoid detection. The IT team, aware of such techniques, has implemented a security measure to analyze packet contents beyond standard headers. Sophia's efforts are thwarted as the system identifies and blocks her fragmented packets. Which security measure is the IT team most likely using to counter Sophia's firewall evasion attempt?
Correct Answer: D
Fragmentation is a well-known firewall and IDS evasion technique covered in CEH materials. The attacker breaks a malicious packet into smaller IP fragments so that simple filtering devices, especially those relying mainly on basic header checks or stateless rules, may fail to reconstruct the original payload and therefore miss the malicious content. To counter this, defenses must track packet state and perform reassembly or validation of fragmented traffic so the security control can evaluate the complete communication stream rather than isolated fragments. Stateful Packet Inspection is the control most aligned with this requirement. A stateful inspection firewall maintains a state table of active connections and monitors traffic as part of an ongoing session. Because it tracks session context, it can handle fragmented packets more effectively by correlating fragments to the original flow and applying policy after reconstructing or normalizing traffic. In CEH-aligned descriptions, this directly reduces the effectiveness of fragmentation-based evasion, overlapping with the concept of traffic normalization that removes ambiguity attackers try to exploit. Deep Packet Inspection examines payload beyond headers, but the key success factor in stopping fragmentation evasion is state tracking and reassembly, which is characteristic of stateful inspection and state-aware security devices. Signature-based and anomaly-based detection can help detect malicious patterns or unusual behavior, but without reliable reassembly and session context, fragmented payloads may not match signatures and may appear benign in isolation. Therefore, the most likely measure used to identify and block fragmented packets in this scenario is Stateful Packet Inspection.
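The difference between per-fragment matching and state-tracked reassembly is easy to see in code. The Python below is an added example, not part of the exam material: it splits a constructed payload into IP-style fragments so that a signature straddles a fragment boundary, then runs two checks over the fragments delivered out of order. The stateless check inspects each fragment alone and never sees the signature; the stateful reassembler keys fragments by (source, destination, IP ID), waits until the "more fragments" flag clears and every byte offset is present, and only then matches. The signature string and addresses are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed signature for the demo; a real IDS carries a ruleset instead.
SIGNATURE = b"MALICIOUS-MARKER"


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int        # IP identification field shared by all fragments of one datagram
    offset: int       # byte offset of this fragment within the original datagram
    more: bool        # IP "More Fragments" flag; False marks the last fragment
    data: bytes


def stateless_check(frag: Fragment) -> bool:
    """Stateless filter: looks at one fragment in isolation."""
    return SIGNATURE in frag.data


@dataclass
class Reassembler:
    """Tracks fragments per flow and returns the full datagram once it is complete."""
    flows: Dict[Tuple[str, str, int], Dict[int, Fragment]] = field(default_factory=dict)

    def add(self, frag: Fragment) -> Optional[bytes]:
        key = (frag.src, frag.dst, frag.ip_id)
        self.flows.setdefault(key, {})[frag.offset] = frag
        return self._try_reassemble(key)

    def _try_reassemble(self, key: Tuple[str, str, int]) -> Optional[bytes]:
        parts = self.flows[key]
        last = [f for f in parts.values() if not f.more]
        if not last:
            return None                      # final fragment not seen yet
        total = last[0].offset + len(last[0].data)
        buf, pos = bytearray(), 0
        while pos < total:
            f = parts.get(pos)
            if f is None:
                return None                  # gap: keep waiting for the missing piece
            buf += f.data
            pos += len(f.data)
        del self.flows[key]                  # flow complete; release state
        return bytes(buf)


def fragment(src: str, dst: str, ip_id: int, payload: bytes, size: int) -> List[Fragment]:
    """Split a payload into fixed-size fragments the way a sender would."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        frags.append(Fragment(src, dst, ip_id, off, off + size < len(payload), chunk))
    return frags


def run_demo() -> Tuple[int, int]:
    """Return (stateless hits, stateful hits) for the same fragment stream."""
    payload = b"GET /index.html " + SIGNATURE + b" HTTP/1.0"   # constructed request
    frags = fragment("10.0.0.5", "10.0.0.10", 0x1234, payload, size=8)
    delivery = frags[::-1]                   # deliver in reverse order to stress reassembly

    stateless_hits = sum(stateless_check(f) for f in delivery)

    reasm, stateful_hits = Reassembler(), 0
    for f in delivery:
        datagram = reasm.add(f)
        if datagram is not None and SIGNATURE in datagram:
            stateful_hits += 1
    return stateless_hits, stateful_hits


if __name__ == "__main__":
    stateless, stateful = run_demo()
    print(f"stateless per-fragment matching: {stateless} hit(s)")
    print(f"stateful reassembly then matching: {stateful} hit(s)")
```

With an 8-byte fragment size the 16-byte signature is spread over two fragments, so the per-fragment check reports nothing while the reassembled datagram matches once. A production normalizer also has to resolve overlapping fragments and enforce timeouts on incomplete flows; this example omits both to keep the state-tracking idea visible.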
312-50v13 Exam Question 70
During a red team exercise at Apex Logistics in Denver, ethical hacker Rachel launches controlled packet injection attacks to simulate session hijacking attempts. The client's IT team wants a way to automatically detect such abnormal behaviors across the network in real time, instead of relying on manual analysis. They decide to deploy a monitoring system capable of flagging suspicious session activity based on predefined rules and traffic signatures. Which detection method best fits the IT team's requirement?
Correct Answer: D
The IT team's requirement is automatic, real-time detection of abnormal session activity using predefined rules and traffic signatures. That description aligns most directly with an Intrusion Detection System (IDS), particularly a network IDS (NIDS) that monitors traffic, compares it to known patterns (signatures) and/or behavioral rules, and generates alerts when suspicious activity is detected. Session hijacking attempts often produce recognizable anomalies (unexpected packet sequences, suspicious flags, unusual injection patterns, resets, or protocol misuse) that IDS rules can be designed to detect across many hosts and segments without requiring an analyst to manually inspect each capture. The scenario explicitly contrasts this desired capability with "manual analysis," which rules out option B. Tools like packet sniffers are valuable for investigation and confirmation, but they do not provide organization-wide automated alerting by themselves. An IDS is built for continuous monitoring and alert generation, making it appropriate for detecting red-team-simulated packet injection and session manipulation attempts. Why the other options are less suitable: Checking for predictable session tokens (A) is an application-layer defensive review (and a good hardening practice), but it does not automatically detect packet injection behaviors occurring on the network in real time. Monitoring for ACK storms (C) can be one specific indicator in some TCP manipulation or desynchronization scenarios, but it is too narrow and does not represent a general detection system. The requirement is broader: a monitoring system that flags suspicious session activity using rules and signatures, and an IDS fits that role. Manual packet analysis (B) is explicitly what they want to avoid. Therefore, the correct answer is D. Use an Intrusion Detection System (IDS).