Overview
The CompTIA Security+ (SY0-701) is the most widely recognised entry-level cybersecurity certification in the world. It satisfies DoD 8570/8140 baseline requirements, is vendor-neutral, and is a standard qualification in cybersecurity, IT administration, and security operations roles.
The exam has up to 90 questions (multiple choice and performance-based), a 90-minute time limit, and a passing score of 750/900.
Security+ is a scenario-based exam. Questions do not ask "what is phishing" but "a user received an email appearing to come from HR requesting credentials. Which type of attack is this, and what control would prevent it?" The difference matters for how you study.
Exam Domains
| Domain | Weight |
|---|---|
| Security Operations | 28% |
| Threats, Vulnerabilities, and Mitigations | 22% |
| Security Program Management and Oversight | 20% |
| Security Architecture | 18% |
| General Security Concepts | 12% |
Security Operations is the largest domain and rewards candidates with actual IT operations experience. Don't neglect Security Program Management: 20% on governance and compliance is larger than most candidates expect.
Domain 1: Security Operations (28%)
Identity and Access Management
- Authentication factors: Something you know (password), have (token/smart card), are (biometric), somewhere you are (geolocation)
- MFA types: One-time passwords (HOTP/TOTP authenticator apps), hardware tokens, push notifications, FIDO2/passkeys
- IAM models: RBAC (role-based), ABAC (attribute-based), DAC (owner-controlled), MAC (system-enforced labels)
- PAM (Privileged Access Management): Just-in-time access, session recording, credential vaulting
- Directory services: LDAP for querying directories; SAML/OAuth 2.0/OIDC for federated identity
Vulnerability Management
- Scan types: Authenticated vs unauthenticated; credentialed scans find more vulnerabilities
- CVSS scoring: Base score factors (attack vector, attack complexity, privileges required, user interaction, impact)
- Remediation priority: Critical → High → Medium → Low; factor in exploitability and asset criticality
- Patch management: Emergency patching for actively exploited CVEs; scheduled patching for everything else
Incident Response Phases
The CompTIA IR lifecycle appears directly and indirectly throughout the exam:
- Preparation: Policies, playbooks, training, tooling
- Detection and Analysis: SIEM alerts, log correlation, IOC identification
- Containment: Isolation (network segmentation, endpoint quarantine)
- Eradication: Remove malware, close attack vectors
- Recovery: Restore from clean backups, verify systems
- Post-Incident Activity: Lessons learned, root cause analysis, documentation update
Questions often describe a scenario mid-incident and ask what the correct next step is. Know which phase each action belongs to.
Digital Forensics
- Order of volatility: CPU registers → RAM → swap/page file → disk → remote logs → archive media (most volatile first)
- Chain of custody: Documentation of evidence handling from collection to court
- Legal holds: Preserve data relevant to active or anticipated litigation; halt normal deletion schedules
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
Attack Types
| Attack | Key Characteristics |
|---|---|
| Phishing | Email-based social engineering |
| Spear phishing | Targeted phishing using personal details |
| Vishing | Voice-based phishing |
| Smishing | SMS-based phishing |
| Whaling | Phishing targeting executives |
| Business Email Compromise | Impersonating trusted internal contacts to redirect payments |
| Credential stuffing | Using leaked username/password pairs against other services |
| Password spraying | One common password tried across many accounts |
| Pass-the-hash | Using captured NTLM hash without cracking it |
| Kerberoasting | Extracting and offline-cracking Kerberos service tickets |
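Credential stuffing and password spraying are distinguished on the exam by their shape in the logs rather than by tooling: spraying is one password across many accounts (few failures per account, many accounts), whereas a classic brute force is many failures against one account. The detection logic below is an added example written for this page, not from the original, and runs over a constructed authentication log using TEST-NET addresses and invented usernames.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (TEST-NET addresses, invented users), not real data.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:03 src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:05 src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:07 src=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:09 src=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:11 src=203.0.113.5 user=frank result=FAIL
2024-03-01T10:01:00 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:05 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:10 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:15 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:20 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:25 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:30 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:35 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:40 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:45 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:50 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:01:55 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:02:00 src=192.0.2.77 user=alice result=FAIL
2024-03-01T10:02:10 src=192.0.2.77 user=alice result=FAIL
2024-03-01T10:02:20 src=192.0.2.77 user=alice result=OK
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_events(lines):
    """Yield one dict per well-formed line; malformed lines are skipped rather than crashing the detector."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def classify_sources(lines, window_seconds=600, spray_min_users=5, brute_min_attempts=10):
    """Return {source_ip: verdict} for sources whose failures within a window fit a known profile.

    password-spray: at least spray_min_users distinct accounts, no account failing more than twice
    brute-force:    a single account with at least brute_min_attempts failures
    Sources matching neither profile (a user mistyping twice, then succeeding) are omitted.
    """
    failures = defaultdict(list)
    for ev in parse_events(lines):
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
    verdicts = {}
    for src, events in failures.items():
        events.sort()
        start = events[0][0]
        per_user = Counter(u for t, u in events if (t - start).total_seconds() <= window_seconds)
        if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
            verdicts[src] = "password-spray"
        elif max(per_user.values()) >= brute_min_attempts:
            verdicts[src] = "brute-force"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {verdict}")
```

The thresholds are assumptions for the demo; in practice they are tuned per environment, and the spray profile is the one a per-account lockout policy misses entirely, which is why the detection has to key on the source rather than the account.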
Malware Categories
- Ransomware: Encrypts data, demands payment; defence: offline backups, EDR, email filtering
- RAT (Remote Access Trojan): Persistent backdoor; often delivered via phishing
- Rootkit: Hides presence by operating at OS or hypervisor level
- Fileless malware: Lives in memory; uses LOLBins (living off the land binaries like PowerShell)
- Worm: Self-replicates across networks without user interaction; defence: network segmentation
Application Vulnerabilities
- SQL injection: Unsanitised user input in SQL queries; prevent with parameterised queries
- XSS (Cross-Site Scripting): Injecting scripts into web pages; prevent with output encoding and CSP
- CSRF: Tricking authenticated users into submitting requests; prevent with anti-CSRF tokens
- IDOR: Accessing objects by manipulating identifiers without authorisation checks
- Buffer overflow: Writing past allocated memory; prevent with input validation, ASLR, DEP
- Race condition: Exploiting timing between check and use (TOCTOU)
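Two of the flaws above are easiest to understand side by side with their fixes: SQL injection (input spliced into the query text versus bound as a parameter) and IDOR (an object fetched by id with no ownership check versus one where the requester's identity is part of the query). The following is an added example for this page, not code from the original; it uses an in-memory SQLite database with constructed users and documents.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: three users and two documents, each owned by one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",), ("carol",)])
    conn.executemany("INSERT INTO documents (owner, title) VALUES (?, ?)",
                     [("alice", "alice-payroll"), ("bob", "bob-review")])
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    # Unsanitised input is spliced into the SQL text, so it can change the query's structure.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterised(conn, username: str) -> list:
    # The driver binds the value separately from the statement; it is always treated as data.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def get_document_idor(conn, doc_id: int):
    # IDOR: whoever supplies an id gets the document; there is no authorisation check at all.
    row = conn.execute("SELECT title FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document(conn, doc_id: int, requester: str):
    # Fixed: ownership is part of the lookup, so someone else's id returns nothing.
    row = conn.execute("SELECT title FROM documents WHERE id = ? AND owner = ?",
                       (doc_id, requester)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # the classic test input used to confirm a query is injectable
    print("vulnerable:", find_user_vulnerable(db, tautology))
    print("parameterised:", find_user_parameterised(db, tautology))
    print("bob reading alice's document:", get_document(db, 1, "bob"))
```

Note that the IDOR fix is an authorisation check, not input validation: the id is a perfectly valid integer, and the flaw is that nothing ties it to the caller.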
Domain 3: Security Program Management and Oversight (20%)
Governance Frameworks
- NIST CSF: Identify, Protect, Detect, Respond, Recover; commonly referenced in exam scenarios
- ISO 27001: Information security management system (ISMS) standard
- CIS Controls: Prioritised security controls; CIS Benchmarks for system hardening
- SOC 2: Trust Services Criteria for service organisations (availability, confidentiality, integrity, privacy, security)
Risk Management
- Risk = Likelihood × Impact
- Risk responses: Avoid, mitigate, transfer (insurance, contractual), accept
- Qualitative vs quantitative risk analysis: Qualitative uses ratings (High/Medium/Low); quantitative uses ALE (Annualised Loss Expectancy = ARO × SLE)
- Business Impact Analysis: Identify critical functions, determine RTO and RPO, rank by priority
Data Privacy and Compliance
- GDPR: EU regulation; requires consent, breach notification within 72 hours, right to erasure
- HIPAA: US healthcare data; PHI protection requirements; BAA required with business associates
- PCI-DSS: Payment card data; 12 requirements covering network security, access control, monitoring
- Data classification: Public, Internal, Confidential, Restricted (labels vary by organisation)
Domain 4: Security Architecture (18%)
Network Security Design
- Zero trust: Never trust, always verify; assume breach; least-privilege access to every resource
- Network segmentation: VLANs, micro-segmentation, security zones (DMZ, trusted, untrusted)
- Firewall types: Packet filtering → stateful inspection → NGFW (application awareness + IPS) → WAF (Layer 7 web traffic)
- IDS vs IPS: IDS detects and alerts; IPS detects and blocks inline
- SASE: Combines SD-WAN with cloud-delivered security (CASB, SWG, ZTNA) for distributed workforces
Cloud Security
- Shared responsibility model: Cloud provider secures the infrastructure; customer secures data, access, and configuration
- CASB (Cloud Access Security Broker): Visibility and control over cloud app usage; DLP enforcement
- Cloud misconfigurations: Open S3 buckets, permissive IAM policies, unencrypted databases; most cloud breaches originate here
- Container security: Image scanning, least-privilege service accounts, namespace isolation, network policies
Secure Protocols
| Protocol | Use | Secure Alternative |
|---|---|---|
| HTTP | Web | HTTPS (TLS) |
| FTP | File transfer | SFTP / FTPS |
| Telnet | Remote access | SSH |
| LDAP | Directory | LDAPS |
| SNMPv1/v2 | Network monitoring | SNMPv3 |
| DNS | Name resolution | DNSSEC / DoH |
Domain 5: General Security Concepts (12%)
Cryptography
- Symmetric encryption: Same key for encrypt and decrypt; fast; AES (128/256-bit) is the standard
- Asymmetric encryption: Public/private key pair; RSA, ECC; slower but solves key distribution
- Key exchange: Diffie-Hellman (and ECDH) enables shared secret negotiation over an untrusted channel
- Hashing: One-way; SHA-256/SHA-3 for integrity; MD5/SHA-1 are deprecated for security use
- Digital signatures: Sign with private key, verify with public key; provides authenticity + non-repudiation
- Perfect Forward Secrecy: Session keys derived independently; past sessions safe even if long-term key is compromised
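Diffie-Hellman and Perfect Forward Secrecy are easiest to understand by watching both sides of the exchange: only the public values cross the channel, each side combines its own private value with the peer's public value, and because the private values are generated fresh per session, nothing long-lived can later unlock the session key. The following is an added example for this page, not from the original; the modulus is a toy (a known small prime, far too short for real use; deployments use RFC 7919 groups or ECDH), the key derivation is a plain SHA-256 stand-in for a real KDF, and the names are assumptions.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy modulus: a known prime, chosen only so the arithmetic is visible
G = 3            # generator for the demo


def is_valid_public_value(pub: int, p: int = P) -> bool:
    """Reject the degenerate values 0, 1 and p-1, which would force a predictable shared secret."""
    return 1 < pub < p - 1


def dh_keypair(p: int = P, g: int = G) -> tuple:
    """Fresh (private, public) pair; a new pair per session is what gives forward secrecy."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def dh_shared_secret(priv: int, peer_pub: int, p: int = P) -> int:
    if not is_valid_public_value(peer_pub, p):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def derive_session_key(shared: int, label: bytes = b"demo session key") -> bytes:
    """Hash the shared secret (plus a label) into a fixed-size symmetric key."""
    shared_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + shared_bytes).digest()


def demo_exchange() -> tuple:
    """Run one session between two parties and return the key each side derived."""
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    # Only alice_pub and bob_pub are sent over the untrusted channel.
    key_alice = derive_session_key(dh_shared_secret(alice_priv, bob_pub))
    key_bob = derive_session_key(dh_shared_secret(bob_priv, alice_pub))
    return key_alice, key_bob


if __name__ == "__main__":
    k_a, k_b = demo_exchange()
    print("keys match:", k_a == k_b)
    print("next session uses a different key:", demo_exchange()[0] != k_a)
```

The public values alone do not let an observer recover the secret (that is the discrete logarithm problem), but plain DH does not authenticate the peer; in TLS that is what the certificate and signature supply, which is why the exchange is signed rather than used on its own.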
PKI
- CA hierarchy: Root CA (offline) → Intermediate CA → End-entity certificates
- Certificate fields: Subject, issuer, validity, public key, extensions, signature
- Revocation: CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol)
- Certificate pinning: Hard-code expected certificate or public key in the application; prevents MITM even with compromised CAs
Common Exam Traps
- Authentication vs Authorisation: Authentication proves identity; authorisation grants permissions
- Symmetric vs Asymmetric speed: Symmetric is much faster; asymmetric is used to exchange symmetric session keys (TLS handshake)
- IDS vs Firewall: A firewall controls traffic flow; an IDS only detects and alerts
- Non-repudiation: Requires digital signatures (asymmetric crypto); MAC/HMAC cannot provide non-repudiation because both parties share the key
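The non-repudiation trap above rests on a distinction that is clearer in code: a bare hash protects against accidental change only, because an active attacker can recompute it; an HMAC stops that attacker, because the tag needs the key; but an HMAC still cannot prove who produced a tag, because the receiver holds the same key and could have produced it too. The following is an added example for this page, not from the original; the messages and key are constructed, and the expected digests in the test are the published SHA-256 and RFC 4231 HMAC test vectors.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def package_with_hash(message: bytes) -> tuple:
    """Message plus an unkeyed digest: detects corruption, not tampering."""
    return message, sha256_hex(message)


def verify_hash_package(package: tuple) -> bool:
    message, digest = package
    return hmac.compare_digest(sha256_hex(message), digest)   # constant-time comparison


def package_with_hmac(key: bytes, message: bytes) -> tuple:
    """Message plus a keyed tag: only a holder of the key can produce a valid one."""
    return message, hmac_sha256_hex(key, message)


def verify_hmac_package(key: bytes, package: tuple) -> bool:
    message, tag = package
    return hmac.compare_digest(hmac_sha256_hex(key, message), tag)


def tamper(package: tuple, new_message: bytes, recompute_digest: bool) -> tuple:
    """Model an attacker on the wire replacing the message.

    With a plain hash the attacker recomputes the digest (public algorithm, no key needed).
    With an HMAC and no key, the best they can do is keep the old tag, which will not match.
    """
    _, old_check = package
    return new_message, (sha256_hex(new_message) if recompute_digest else old_check)


if __name__ == "__main__":
    original = b"pay 100 to account A"        # constructed message
    altered = b"pay 999 to account B"         # constructed replacement
    shared_key = b"shared-secret-for-demo"    # constructed key held by sender AND receiver
    print("hash survives tampering:", verify_hash_package(tamper(package_with_hash(original), altered, True)))
    print("hmac survives tampering:", verify_hmac_package(shared_key, tamper(package_with_hmac(shared_key, original), altered, False)))
    # Why no non-repudiation: the receiver can mint a valid tag for any message it likes.
    print("receiver-made tag verifies:", verify_hmac_package(shared_key, package_with_hmac(shared_key, altered)))
```

That last line is the exam point: a valid HMAC tells a third party only that someone with the key produced it, and both parties qualify. A digital signature removes the ambiguity because only the signer holds the private key.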
Study Plan (6 Weeks)
| Week | Focus |
|---|---|
| 1 | General Security Concepts: cryptography, PKI, authentication |
| 2 | Threats and Vulnerabilities: attack types, malware, application flaws |
| 3 | Security Architecture: network design, zero trust, cloud security |
| 4 | Security Operations: incident response, IAM, vulnerability management |
| 5 | Governance and Compliance: frameworks, risk management, data privacy |
| 6 | Practice exams, PBQ practice, review weak domains |
Practice Exam Strategy
- Performance-based questions appear first and take longer. Budget 5–10 minutes each and don't let them derail your pacing on the multiple choice section
- For scenario questions, identify the single most relevant constraint before looking at answers
- Keywords to watch: "prevent" (proactive control), "detect" (monitoring/IDS), "respond" (IR phase), "least privilege," "compliance requirement," "no additional cost"
- Wrong answers are often correct security practices applied in the wrong context
Use the SY0-701 practice exams to identify which domains need more work. Aim for 80%+ across all five domains before you book.