I think answer should be A because of unknown

Sandboxing is a security technique that isolates an application or process from the rest of the system, preventing it from accessing or modifying other resources. It is not a type of security testing, but rather a security mechanism that can be used to protect a system from potentially malicious code or inputs. Sandboxing can be useful for testing applications in a safe environment, but it does not discover unknown malicious attacks by itself.

Using a sandbox for advanced malware detection provides another layer of protection against new security threats—zero-day (previously unseen) malware and stealthy attacks, in particular. And what happens in the sandbox, stays in the sandbox—avoiding system failures and keeping software vulnerabilities from spreading.

Penetration testing, also known as ethical hacking, involves simulating real-world cyberattacks to identify vulnerabilities and weaknesses in an organization's systems, networks, or applications. Penetration testers use various methods and tools to attempt to exploit vulnerabilities in the same way that malicious attackers would. While sandboxing (Option B) can be useful for isolating potentially malicious code or programs in a controlled environment to prevent harm to the system, it is not specifically designed to discover unknown malicious attacks. Sandbox environments are typically used to analyze and evaluate https://www.examtopics.com/exams/isaca/cisa/view/2/#the behavior of suspicious or unknown software in a safe manner.

Penetration testing is the security testing technique that is most effective in discovering unknown malicious attacks.

Sandboxing

unknown malicious attacks, should be A, because they are Unknown, vulnerability scanning it is known things

pen test is for cheking vulnurability not attack. Sandbox is for attack.

A. Penetration testing