CompTIA Security+ SY0-701 Study Guide
CompTIA Security+ SY0-701 validates the baseline knowledge needed to perform core security functions and pursue an IT security career. It is vendor-neutral and covers threats, cryptography, identity and access management, secure architecture, security operations, and governance. It is aimed at junior security analysts, systems administrators, and anyone establishing foundational cybersecurity competency.
Domain 1: General Security Concepts
- The CIA triad is Confidentiality (only authorized parties access data), Integrity (data is not altered without detection), and Availability (data and systems are accessible when needed); non-repudiation is added to prove a party cannot deny an action.
- The AAA framework separates Authentication (proving identity), Authorization (what an identity may access), and Accounting (logging what was done); RADIUS and TACACS+ implement AAA, with TACACS+ encrypting the full payload and separating the three functions.
- Security control categories are Technical, Managerial, Operational, and Physical; control types are Preventive, Detective, Corrective, Deterrent, Compensating, and Directive (e.g., a guard is deterrent/preventive, a CCTV camera is detective/deterrent).
- Least privilege grants users only the minimum access needed for their role; separation of duties splits sensitive tasks among people to prevent fraud; defense in depth layers multiple controls so failure of one does not expose the system.
- Zero Trust assumes no implicit trust based on network location and verifies every request; its planes are the Control Plane (Policy Engine, Policy Administrator, Policy Decision Point) and the Data Plane (Policy Enforcement Point and the subject/system).
- Access control models: MAC uses labels/clearances set by a central authority (highest security, least flexible), DAC lets owners set permissions, RBAC assigns access by job role, ABAC evaluates attributes/policies, and rule-based applies admin-defined rules.
- Symmetric encryption (AES, ChaCha20) uses one shared key and is fast for bulk data; asymmetric encryption (RSA, ECC) uses a public/private key pair for key exchange and digital signatures but is slower.
- A digital signature is created by hashing data and encrypting the hash with the sender's private key; the recipient verifies it with the sender's public key, providing integrity, authentication, and non-repudiation.
- PKI binds public keys to identities through certificates; a Certificate Authority (CA) issues and signs them, a Registration Authority (RA) validates requests, and certificate status is checked via CRL or OCSP (OCSP stapling improves performance).
- Hashing (SHA-256, SHA-3) is one-way and verifies integrity; salting adds random data before hashing to defeat rainbow tables; key stretching (PBKDF2, bcrypt, scrypt, Argon2) slows brute-force attacks on passwords.
- A gap analysis compares the current security posture against a target state (often defined by a framework or standard) to produce a prioritized roadmap of improvements.
- Physical security controls include access control vestibules (mantraps) to prevent tailgating/piggybacking, bollards, fencing, lighting, and sensors (infrared, pressure, microwave, ultrasonic).
- Change management requires an approval process, ownership, impact analysis, test/backout plans, and a maintenance window; unmanaged change is a frequent source of outages and security gaps.
- Deception technologies include honeypots (decoy systems), honeynets (decoy networks), honeyfiles (bait files), and honeytokens (bait data) used to detect and study attacker behavior.
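The hashing bullet above says salting defeats rainbow tables and key stretching slows brute force; the following added Python example (not part of this study guide) shows both with PBKDF2-HMAC-SHA256 from the standard library, beside the unsalted hash it replaces. The iteration count, the salt length, the `algorithm$iterations$salt$digest` record layout and the sample password are choices made for this illustration, not values from the guide.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the study guide. Work factor and record layout are
# choices for this illustration; PBKDF2-HMAC-SHA256 itself is standard library.
ITERATIONS = 600_000   # key-stretching cost; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """The weak form: identical output for every user with the same password,
    so one precomputed (rainbow) table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo(password: str = "Winter2024!") -> dict:
    """Contrast unsalted hashing with salted, stretched hashing for one password."""
    stored_a = hash_password(password)
    stored_b = hash_password(password)
    return {
        "unsalted_identical": unsalted_sha256(password) == unsalted_sha256(password),
        "salted_differ": stored_a != stored_b,
        "verify_correct": verify_password(password, stored_a),
        "verify_wrong_case": verify_password(password.lower(), stored_a),
    }


if __name__ == "__main__":
    print(demo())
```

Storing the iteration count inside the record is what lets you raise the work factor later: old records still verify with their own cost, and can be re-hashed at the higher cost the next time the user logs in.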
Domain 2: Threats, Vulnerabilities, and Mitigations
- Threat actor types differ by motivation and resources: nation-states/APTs have the most resources and persistence, organized crime seeks financial gain, hacktivists pursue ideology, insiders abuse legitimate access, and unskilled attackers (script kiddies) use existing tools.
- Malware types: a virus needs a host file and user action, a worm self-replicates across networks without user interaction, a Trojan hides in legitimate software, ransomware encrypts data for payment, and a rootkit intercepts/modifies system calls to hide at the kernel level.
- Social engineering: phishing (email), spear phishing (targeted), whaling (executives), vishing (voice), smishing (SMS), pretexting (fabricated scenario), and Business Email Compromise (BEC) impersonating an executive for fraudulent wire transfers.
- An on-path (man-in-the-middle) attack intercepts and can modify traffic between two parties; a replay attack reuses captured valid data, mitigated with timestamps, nonces, and session tokens.
- Password attacks: credential stuffing reuses breached username/password pairs across sites, password spraying tries a few common passwords against many accounts, and brute force tries all combinations; MFA is the strongest mitigation.
- SQL injection is mitigated with parameterized queries (prepared statements) and input validation; cross-site scripting (XSS) is mitigated with input validation and output encoding; CSRF is mitigated with anti-CSRF tokens.
- A supply chain attack compromises a trusted vendor, software update mechanism, or dependency to reach downstream customers (e.g., poisoned updates or malicious open-source packages).
- Email authentication uses SPF (authorized sending IPs), DKIM (cryptographic signature), and DMARC (alignment policy and reporting) together to reduce spoofing and phishing.
- A vulnerability scan identifies potential weaknesses non-intrusively, while a penetration test actively exploits them to demonstrate real-world risk; pen test engagement scopes include known (white box), partially known (gray box), and unknown (black box).
- Indicators of compromise (IoCs) include unexpected privileged account use at odd hours, access to files outside a user's normal scope, impossible-travel logins, account lockouts, and unusual outbound traffic.
- A zero-day exploits a vulnerability with no available patch; defenses rely on layered controls, behavior-based detection, and segmentation rather than signatures.
- CVSS scores rate vulnerability severity from 0 to 10 (Critical 9.0+, High 7.0-8.9); CVE is the public identifier for a specific known vulnerability.
- Race conditions include time-of-check to time-of-use (TOCTOU) flaws; buffer overflows are mitigated with bounds checking, ASLR, and DEP/NX.
- Mitigation techniques include segmentation, access control, application allowlisting, isolation/quarantine, patching, encryption, monitoring, least privilege, and decommissioning of unused systems.
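The SQL injection bullet above names parameterized queries and input validation as the mitigations; the following added Python example (not from this study guide) puts the string-concatenated query beside its prepared-statement form and adds an allowlist validator as the second layer, using an in-memory SQLite table. The table, its three rows and the username pattern are constructed for the illustration.

```python
import re
import sqlite3

# Added example, not from the study guide. The users table and its rows are
# constructed sample data; the point is the query-building technique.


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String concatenation: whatever the user typed becomes part of the SQL text,
    so quote characters in the input change the query's logic."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the query text is fixed and the driver binds the value
    separately, so the input can only ever be compared as data."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username: str) -> bool:
    """Allowlist input validation as the second layer the study guide names:
    reject anything that is not a plausible username before it reaches the query."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validation plus parameterization together."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_db()
    tainted = "nobody' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tainted))        # every row comes back
    print("parameterized:", lookup_parameterized(db, tainted))  # no user has that literal name
    print("hardened:", lookup_hardened(db, tainted))
```

Parameterization is the control that actually closes the hole; validation narrows the input so malformed data is rejected early and logged, which is also a useful detection signal.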
Domain 3: Security Architecture
- An IDS passively monitors and alerts on suspicious traffic, while an IPS sits inline and can actively block it; detection is either signature-based (known patterns) or anomaly/behavior-based (deviations from a baseline).
- A screened subnet (DMZ) hosts internet-facing servers in an isolated zone separate from the internal network; a bastion host/jump server is a hardened, controlled entry point for managing systems in a secured zone.
- Network segmentation and microsegmentation divide the network into isolated zones to limit lateral movement and reduce the blast radius of a breach; VLANs and firewall rules enforce the boundaries.
- Cloud service models: IaaS gives the customer the most control (the customer manages the OS and everything above it), PaaS provides a managed platform for apps, and SaaS gives the least control; the shared responsibility model defines who secures what.
- Encryption in transit uses TLS (and IPsec for VPNs) to protect data moving across networks; encryption at rest uses full-disk encryption, database/file encryption, or TDE; data in use can be protected with secure enclaves.
- High availability is achieved with redundancy: failover clusters, load balancers across multiple instances, RAID for disks, redundant power (UPS, generators), and geographic site redundancy.
- Recovery objectives: RPO is the maximum acceptable data loss measured in time (drives backup frequency), and RTO is the maximum acceptable downtime to restore a function.
- Recovery sites: a hot site is fully equipped with replicated data for near-immediate failover, a warm site has hardware but needs data/config loading, and a cold site has space/power but no equipment.
- Containers share the host kernel, so a kernel-level exploit can affect all containers on that host; mitigations include image scanning in the CI/CD pipeline, minimal base images, and runtime isolation.
- Infrastructure as Code (IaC) defines infrastructure in version-controlled templates for consistent, repeatable, auditable deployments and reduces configuration drift.
- Embedded, ICS/SCADA, and IoT systems are hard to patch and often run legacy firmware; protect them with network segmentation, monitoring, and compensating controls rather than frequent patching.
- A VPN with always-on connection and split tunneling disabled forces all traffic through the corporate gateway for inspection; SSL/TLS inspection decrypts traffic at a proxy to scan it before re-encrypting.
- Secure design principles include fail-secure/fail-safe defaults, secure-by-default configurations, attack-surface reduction, and minimizing implicit trust between components.
- Resilience and capacity planning cover people, technology, and infrastructure; backups should follow the 3-2-1 rule and be tested with regular restore exercises.
Domain 4: Security Operations
- A SIEM aggregates and normalizes logs from many sources and applies correlation rules to detect patterns indicating an incident; SOAR adds automated playbooks to orchestrate and speed up response, reducing mean time to respond (MTTR).
- The NIST incident response lifecycle is Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident Activity (lessons learned).
- The first containment action for a compromised host is to isolate it from the network while preserving evidence; do not power off immediately if volatile data (memory) must be captured.
- The order of volatility for evidence collection is most-volatile-first: CPU registers/cache, then RAM, then network state/connections, then disk, then logs/archives, then backups.
- Chain of custody is a documented record of who handled evidence, when, and what actions were taken, establishing the evidence was not altered and making it admissible.
- MFA combines factors from different categories: something you know (password/PIN), something you have (token/smart card/phone), and something you are (biometric); two of the same category is not true MFA.
- Single sign-on (SSO) lets users authenticate once to access multiple applications; federation (SAML, OAuth 2.0, OpenID Connect) extends identity across organizations, where OAuth handles authorization and OIDC adds authentication.
- EDR/XDR continuously monitors and records endpoint activity to detect, investigate, and respond to threats; UEBA detects anomalous user and entity behavior.
- Secure data destruction methods include shredding and incineration for physical media, degaussing for magnetic media, crypto-erase for self-encrypting drives, and certified wiping; choose by media type and sensitivity.
- Vulnerability management workflow: identify (scan), analyze and prioritize (CVSS, exposure, threat intel), remediate or apply compensating controls, then validate and report; recurring scans confirm fixes.
- Hardening includes disabling unused services/ports, changing default credentials, restricting SSH/RDP to specific management subnets or jump hosts, applying baselines (CIS benchmarks), and enforcing least functionality.
- Identity lifecycle covers provisioning, periodic access reviews/attestation, just-in-time access, privileged access management (PAM) with credential vaulting, and timely deprovisioning when roles change or employment ends.
- Automation and orchestration improve security operations by enforcing consistent configurations, reducing manual errors, and accelerating ticketing, onboarding/offboarding, and incident response.
- Log sources for monitoring include firewall, IDS/IPS, endpoint, DNS, authentication (Active Directory/LDAP showing lockouts and privilege changes), application, and OS logs; ensure accurate time sync (NTP) for correlation.
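The SIEM bullet above describes correlation rules applied to normalized logs, and the Domain 2 bullets describe password spraying and the off-hours privileged-use IoC; the following added Python example (not from this study guide) runs both rules over constructed authentication log lines. The line format, the thresholds (five accounts within five minutes), the privileged-account list, the business-hours window and the documentation-range IP addresses are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Added example, not from the study guide. Log format, thresholds, account
# names and IPs (RFC 5737 documentation ranges) are constructed for illustration.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

SAMPLE_LOG = """\
2024-05-03T02:14:07Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-03T02:14:09Z auth src=203.0.113.7 user=bob result=FAIL
2024-05-03T02:14:11Z auth src=203.0.113.7 user=carol result=FAIL
2024-05-03T02:14:13Z auth src=203.0.113.7 user=dave result=FAIL
2024-05-03T02:14:15Z auth src=203.0.113.7 user=erin result=FAIL
2024-05-03T02:14:17Z auth src=203.0.113.7 user=frank result=OK
2024-05-03T03:02:40Z auth src=198.51.100.20 user=svc_backup_admin result=OK
2024-05-03T09:15:02Z auth src=192.0.2.44 user=alice result=FAIL
2024-05-03T09:15:20Z auth src=192.0.2.44 user=alice result=OK
2024-05-03T10:30:00Z auth src=192.0.2.45 user=bob result=OK
"""

PRIVILEGED = {"svc_backup_admin", "root"}   # assumed list of privileged accounts
BUSINESS_HOURS = range(8, 18)               # assumed 08:00-17:59, in UTC


def parse(log_text: str) -> list:
    """Normalize raw lines into event dicts with a timezone-aware timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparseable lines as a health signal
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def detect_password_spray(events: list, min_accounts: int = 5, window_s: int = 300) -> list:
    """Spray signature: one source fails against many distinct accounts in a short window.
    Brute force is the reverse shape (many failures against one account), so a
    per-account lockout threshold alone would miss this."""
    per_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]].append(e)
    alerts = []
    for src, fails in per_src.items():
        fails.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(fails)):                      # sliding time window
            while (fails[hi]["ts"] - fails[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            users = {f["user"] for f in fails[lo:hi + 1]}
            if len(users) >= min_accounts:
                alerts.append({"rule": "password_spray", "src": src, "accounts": sorted(users)})
                break                                     # one alert per source
    return alerts


def detect_offhours_privileged(events: list) -> list:
    """IoC from the guide: a privileged account used successfully outside business hours."""
    return [
        {"rule": "offhours_privileged_logon", "user": e["user"],
         "src": e["src"], "ts": e["ts"].isoformat()}
        for e in events
        if e["result"] == "OK" and e["user"] in PRIVILEGED
        and e["ts"].hour not in BUSINESS_HOURS
    ]


def correlate(log_text: str) -> list:
    """Run every rule over the normalized events, as a SIEM correlation stage would."""
    events = parse(log_text)
    return detect_password_spray(events) + detect_offhours_privileged(events)


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Both rules depend on the timestamps being comparable across sources, which is why the log-source bullet insists on NTP: a host whose clock is minutes off would fall outside the spray window or land in the wrong hour bucket.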
Domain 5: Security Program Management and Oversight
- Risk management responses are accept, avoid, transfer (e.g., cyber insurance or contractual shift to a vendor), and mitigate (apply controls); residual risk is what remains after controls are applied.
- Quantitative risk uses SLE = Asset Value x Exposure Factor, ARO = annual frequency, and ALE = SLE x ARO; qualitative risk uses ratings like low/medium/high on a risk matrix.
- A Business Impact Analysis (BIA) identifies critical business functions and the impact of their disruption, producing the RTO, RPO, MTD (maximum tolerable downtime), and MTBF/MTTR metrics that drive continuity planning.
- Governance documents form a hierarchy: policies state high-level objectives, standards define mandatory requirements, procedures give step-by-step instructions, and guidelines offer recommendations; an Acceptable Use Policy (AUP) governs use of company IT resources.
- Common frameworks/regulations: NIST CSF (Identify, Protect, Detect, Respond, Recover), ISO 27001, PCI DSS for cardholder data, HIPAA for health data, GDPR for EU personal data, and SOX for financial reporting.
- Third-party/vendor risk management uses due diligence, contracts, and assurance reports; a SOC 2 Type II report evaluates the operating effectiveness of controls over a period of time, unlike Type I (a point in time).
- Vendor agreements: SLA defines performance/uptime guarantees, MOU/MOA states intent, MSA sets overarching terms, NDA protects confidentiality, BPA governs a business partnership, and a DPA defines how personal data is processed.
- Security awareness training (including simulated phishing campaigns) reduces human-related incidents; employees who fail should receive targeted follow-up training and retesting.
- Data roles: the data owner is accountable for the data, the data controller determines purpose and means of processing, the data processor acts on the controller's behalf, the custodian manages it day-to-day, and the DPO oversees privacy compliance.
- Data classification (e.g., public, internal, confidential, restricted) categorizes data by sensitivity and impact of disclosure to apply appropriate handling, labeling, and protection controls.
- A data retention policy defines how long each data type must be kept and when it is securely destroyed, balancing legal/regulatory holds against minimizing exposure.
- Compliance failures can bring fines, sanctions, reputational damage, loss of license, and contractual penalties; audits (internal and external) and assessments verify ongoing compliance.
- Privacy concepts include data sovereignty (data is subject to the laws of the country where it is stored), data minimization, purpose limitation, and the right to be forgotten under regulations like GDPR.
- Attestation and reporting, internal/external audits, regulatory examinations, and penetration testing provide independent evidence that the security program is effective and compliant.
CompTIA Security+ SY0-701 exam tips
- Watch for qualifier words like BEST, MOST, FIRST, and PRIMARY; multiple answers may be technically valid, so pick the one that most directly addresses the scenario's specific goal.
- Performance-based questions (PBQs) appear first and carry the most weight; if one stalls you, flag it, finish the multiple-choice questions, and return so you do not run out of the 90 minutes.
- Memorize the incident response order (Preparation; Detection/Analysis; Containment, Eradication, Recovery; Lessons Learned) and the order of volatility, because process-sequence questions are common.
- Know the math cold: SLE = AV x EF and ALE = SLE x ARO, plus the differences between RTO, RPO, MTD, MTBF, and MTTR; these are quick points if you have the formulas memorized.
- Distinguish closely paired terms (IDS vs IPS, symmetric vs asymmetric, MAC vs DAC vs RBAC vs ABAC, vulnerability scan vs pen test, SOC 2 Type I vs Type II) since the exam tests these contrasts directly.
Study guide FAQ
What is the passing score and format of the SY0-701 exam?
You need a 750 on a scale of 100-900, with up to 90 questions answered in 90 minutes. The exam mixes multiple-choice and performance-based questions (PBQs); there is no penalty for guessing, so answer every question.
How long is the Security+ certification valid and how do I renew it?
The certification is valid for three years from the date you pass. You renew it through CompTIA's Continuing Education (CE) program by earning 50 CEUs, completing higher-level certifications, or retaking the current exam version.
Do I need experience or other certifications before taking Security+?
There are no formal prerequisites, but CompTIA recommends Network+ and about two years of IT experience with a security focus. Hands-on familiarity with networking, operating systems, and basic security concepts makes the material much easier to absorb.
Which domain should I focus on most?
Security Operations (Domain 4) is the largest at 28% of the exam; the others are General Security Concepts (12%), Threats/Vulnerabilities/Mitigations (22%), Security Architecture (18%), and Security Program Management (20%). Prioritize Domains 4, 2, and 5, but expect scenario questions that blend topics across all five.