Overview
The CompTIA Security+ (SY0-701) is the most widely recognised entry-level cybersecurity certification in the world. It satisfies DoD 8570/8140 baseline requirements, is vendor-neutral, and is a standard qualification in cybersecurity, IT administration, and security operations roles.
The exam has up to 90 questions (multiple choice and performance-based), a 90-minute time limit, and a passing score of 750/900.
Security+ is a scenario-based exam. Questions do not ask "what is phishing" but "a user received an email appearing to come from HR requesting credentials — which type of attack is this, and what control would prevent it." The difference matters for how you study.
Exam Domains
| Domain | Weight |
|---|---|
| Security Operations | 28% |
| Threats, Vulnerabilities, and Mitigations | 22% |
| Security Program Management and Oversight | 20% |
| Security Architecture | 18% |
| General Security Concepts | 12% |
Security Operations is the largest domain and rewards candidates with actual IT operations experience. Don't neglect Security Program Management: 20% on governance and compliance is larger than most candidates expect.
Domain 1: Security Operations (28%)
Identity and Access Management
- Authentication factors: Something you know (password), have (token/smart card), are (biometric), somewhere you are (geolocation)
- MFA types: One-time passwords (HOTP/TOTP authenticator apps), hardware tokens, push notifications, FIDO2/passkeys
- IAM models: RBAC (role-based), ABAC (attribute-based), DAC (owner-controlled), MAC (system-enforced labels)
- PAM (Privileged Access Management): Just-in-time access, session recording, credential vaulting
- Directory services: LDAP for querying directories; SAML/OAuth 2.0/OIDC for federated identity
Vulnerability Management
- Scan types: Authenticated vs unauthenticated; credentialed scans find more vulnerabilities
- CVSS scoring: Base score factors (attack vector, attack complexity, privileges required, user interaction, impact)
- Remediation priority: Critical → High → Medium → Low; factor in exploitability and asset criticality
- Patch management: Emergency patching for actively exploited CVEs; scheduled patching for everything else
Incident Response Phases
The CompTIA IR lifecycle appears directly and indirectly throughout the exam:
- Preparation: Policies, playbooks, training, tooling
- Detection and Analysis: SIEM alerts, log correlation, IOC identification
- Containment: Isolation (network segmentation, endpoint quarantine)
- Eradication: Remove malware, close attack vectors
- Recovery: Restore from clean backups, verify systems
- Post-Incident Activity: Lessons learned, root cause analysis, documentation update
Questions often describe a scenario mid-incident and ask what the correct next step is. Know which phase each action belongs to.
Digital Forensics
- Order of volatility: CPU registers → RAM → swap/page file → disk → remote logs → archive media (most volatile first)
- Chain of custody: Documentation of evidence handling from collection to court
- Legal holds: Preserve data relevant to active or anticipated litigation; halt normal deletion schedules
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
Attack Types
| Attack | Key Characteristics |
|---|---|
| Phishing | Email-based social engineering |
| Spear phishing | Targeted phishing using personal details |
| Vishing | Voice-based phishing |
| Smishing | SMS-based phishing |
| Whaling | Phishing targeting executives |
| Business Email Compromise | Impersonating trusted internal contacts to redirect payments |
| Credential stuffing | Using leaked username/password pairs against other services |
| Password spraying | One common password tried across many accounts |
| Pass-the-hash | Using captured NTLM hash without cracking it |
| Kerberoasting | Extracting and offline-cracking Kerberos service tickets |
Malware Categories
- Ransomware: Encrypts data, demands payment; defence: offline backups, EDR, email filtering
- RAT (Remote Access Trojan): Persistent backdoor; often delivered via phishing
- Rootkit: Hides presence by operating at OS or hypervisor level
- Fileless malware: Lives in memory; uses LOLBins (living off the land binaries like PowerShell)
- Worm: Self-replicates across networks without user interaction; defence: network segmentation
Application Vulnerabilities
- SQL injection: Unsanitised user input in SQL queries; prevent with parameterised queries
- XSS (Cross-Site Scripting): Injecting scripts into web pages; prevent with output encoding and CSP
- CSRF: Tricking authenticated users into submitting requests; prevent with anti-CSRF tokens
- IDOR: Accessing objects by manipulating identifiers without authorisation checks
- Buffer overflow: Writing past allocated memory; prevent with input validation, ASLR, DEP
- Race condition: Exploiting timing between check and use (TOCTOU)
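The SQL injection bullet and its fix, as an added example (not from the study guide): a user lookup written the vulnerable way beside the parameterised version the exam expects, run against a constructed in-memory SQLite table.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a real login store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw from the bullet above: user input is concatenated into the query
    text, so the input can rewrite the statement's structure. Kept only to
    contrast with the hardened version."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the '?' placeholder is bound by the driver, so the input is
    only ever a value and the query structure is fixed at code time."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1"                     # the textbook tautology used in training material
    print(lookup_vulnerable(db, probe))       # both rows: the WHERE clause was rewritten
    print(lookup_parameterised(db, probe))    # []: no user is literally named that
    print(lookup_parameterised(db, "alice"))  # [('alice', 'admin')]
```

Detection side: a WAF or query log that sees quote characters and `OR` inside a bound parameter value is harmless, which is exactly why the parameterised form is the control the exam wants.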
Domain 3: Security Program Management and Oversight (20%)
Governance Frameworks
- NIST CSF: Identify, Protect, Detect, Respond, Recover — commonly referenced in exam scenarios
- ISO 27001: Information security management system (ISMS) standard
- CIS Controls: Prioritised security controls; CIS Benchmarks for system hardening
- SOC 2: Trust Services Criteria for service organisations (availability, confidentiality, integrity, privacy, security)
Risk Management
- Risk = Likelihood × Impact
- Risk responses: Avoid, mitigate, transfer (insurance, contractual), accept
- Qualitative vs quantitative risk analysis: Qualitative uses ratings (High/Medium/Low); quantitative uses ALE (Annualised Loss Expectancy = ARO × SLE)
- Business Impact Analysis: Identify critical functions, determine RTO and RPO, rank by priority
Data Privacy and Compliance
- GDPR: EU regulation; requires consent, breach notification within 72 hours, right to erasure
- HIPAA: US healthcare data; PHI protection requirements; BAA required with business associates
- PCI-DSS: Payment card data; 12 requirements covering network security, access control, monitoring
- Data classification: Public, Internal, Confidential, Restricted (labels vary by organisation)
Domain 4: Security Architecture (18%)
Network Security Design
- Zero trust: Never trust, always verify; assume breach; least-privilege access to every resource
- Network segmentation: VLANs, micro-segmentation, security zones (DMZ, trusted, untrusted)
- Firewall types: Packet filtering → stateful inspection → NGFW (application awareness + IPS) → WAF (Layer 7 web traffic)
- IDS vs IPS: IDS detects and alerts; IPS detects and blocks inline
- SASE: Combines SD-WAN with cloud-delivered security (CASB, SWG, ZTNA) for distributed workforces
Cloud Security
- Shared responsibility model: Cloud provider secures the infrastructure; customer secures data, access, and configuration
- CASB (Cloud Access Security Broker): Visibility and control over cloud app usage; DLP enforcement
- Cloud misconfigurations: Open S3 buckets, permissive IAM policies, unencrypted databases; most cloud breaches originate here
- Container security: Image scanning, least-privilege service accounts, namespace isolation, network policies
Secure Protocols
| Protocol | Use | Secure Alternative |
|---|---|---|
| HTTP | Web | HTTPS (TLS) |
| FTP | File transfer | SFTP / FTPS |
| Telnet | Remote access | SSH |
| LDAP | Directory | LDAPS |
| SNMPv1/v2 | Network monitoring | SNMPv3 |
| DNS | Name resolution | DNSSEC / DoH |
Domain 5: General Security Concepts (12%)
Cryptography
- Symmetric encryption: Same key for encrypt and decrypt; fast; AES (128/256-bit) is the standard
- Asymmetric encryption: Public/private key pair; RSA, ECC; slower but solves key distribution
- Key exchange: Diffie-Hellman (and ECDH) enables shared secret negotiation over an untrusted channel
- Hashing: One-way; SHA-256/SHA-3 for integrity; MD5/SHA-1 are deprecated for security use
- Digital signatures: Sign with private key, verify with public key; provides authenticity + non-repudiation
- Perfect Forward Secrecy: Session keys derived independently; past sessions safe even if long-term key is compromised
PKI
- CA hierarchy: Root CA (offline) → Intermediate CA → End-entity certificates
- Certificate fields: Subject, issuer, validity, public key, extensions, signature
- Revocation: CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol)
- Certificate pinning: Hard-code expected certificate or public key in the application; prevents MITM even with compromised CAs
Common Exam Traps
- Authentication vs Authorisation: Authentication proves identity; authorisation grants permissions
- Symmetric vs Asymmetric speed: Symmetric is much faster; asymmetric is used to exchange symmetric session keys (TLS handshake)
- IDS vs Firewall: A firewall controls traffic flow; an IDS only detects and alerts
- Non-repudiation: Requires digital signatures (asymmetric crypto); MAC/HMAC cannot provide non-repudiation because both parties share the key
Study Plan (6 Weeks)
| Week | Focus |
|---|---|
| 1 | General Security Concepts: cryptography, PKI, authentication |
| 2 | Threats and Vulnerabilities: attack types, malware, application flaws |
| 3 | Security Architecture: network design, zero trust, cloud security |
| 4 | Security Operations: incident response, IAM, vulnerability management |
| 5 | Governance and Compliance: frameworks, risk management, data privacy |
| 6 | Practice exams, PBQ practice, review weak domains |
Practice Exam Strategy
- Performance-based questions appear first and take longer. Budget 5–10 minutes each and don't let them derail your pacing on the multiple choice section
- For scenario questions, identify the single most relevant constraint before looking at answers
- Keywords to watch: "prevent" (proactive control), "detect" (monitoring/IDS), "respond" (IR phase), "least privilege," "compliance requirement," "no additional cost"
- Wrong answers are often correct security practices applied in the wrong context
Use the SY0-701 practice exams to identify which domains need more work. Aim for 80%+ across all five domains before you book.