CompTIA Security+ (SY0-701) FAQ — Deep-Dive Answers

Comprehensive FAQ for SY0-701: logistics and PBQs, domains and depth, study time and labs, zero trust and IAM, crypto/PKI/TLS, cloud and containers, scanning vs pentesting, IR/forensics, GRC/risk, secure coding, and exam-day tactics.

What does SY0-701 actually cover?

Security+ validates baseline, vendor-neutral security skills across: threats/attacks, secure architecture/design, implementation (endpoint/network/cloud/IAM/crypto), operations & incident response, and governance/risk/compliance (GRC). Expect scenario questions that test judgment, not memorization alone.


Who should take Security+?

Early-career analysts/engineers, help desk/desktop pros moving into security, career-switchers with solid IT fundamentals, and students seeking a recognized security baseline.


Are there prerequisites?

No formal prerequisite exam. You’ll do best with ~1 year of IT/networking and basic Linux/Windows familiarity.


What is the exam format? Are PBQs included?

Yes—multiple-choice (single/multiple response) and several performance-based questions (PBQs). PBQs simulate tasks such as selecting controls, reading logs, interpreting packet traces, or ordering incident response steps. If a PBQ is time-consuming, flag and return after your first pass.


How many questions and how long is the exam? What’s the passing score?

CompTIA can vary item counts and timing by form; the exam uses a scaled score model. Focus on readiness and consistency rather than a specific number.


How is SY0-701 different from SY0-601?

701 emphasizes modern architectures (zero trust, cloud-native controls, identity-first security), IR/forensics workflows, and governance/risk clarity. Depth over trivia, with more scenario framing.


What depth should I expect per domain?

  • Threats, Attacks, Vulnerabilities: attacker goals/TTPs, social engineering, malware/ransomware flow, web/app attacks (XSS/SQLi/CSRF/SSRF), wireless and network attacks, supply chain and cloud misconfig.
  • Architecture & Design: segmentation/microsegmentation, zero trust components, secure network/cloud patterns, resilient/immutable infrastructure, secure data lifecycle.
  • Implementation: IAM (MFA, federation/SSO, RBAC/ABAC), endpoint controls (EDR, application allow-listing), network security (NGFW/WAF/VPN/NAC), crypto/PKI/TLS, email/web/DNS protections, automation.
  • Operations & IR: monitoring/telemetry, SIEM/UEBA/SOAR, evidence handling, containment→eradication→recovery, BCP/DR.
  • GRC: policies/standards/procedures, frameworks (NIST/ISO/CIS), risk treatments, privacy concepts, audits.

What’s the best way to study?

A 3–5 week plan works for most:

  • Week 1: Threats + Network/Wireless fundamentals
  • Week 2: Architecture/Zero Trust + IAM
  • Week 3: Crypto/PKI/TLS + Implementation
  • Week 4: IR/Forensics + GRC; full mock #1
  • Week 5 (optional): Polish weak domains; full mock #2

Daily cadence: read 45–60 min → 20–25 mixed questions → build 2-bullet “rules of thumb” from each miss.


How should I practice PBQs?

Rehearse workflows (not single facts):

  • Choose least-privilege access (RBAC/ABAC) for a given scenario.
  • Read a short log/pcap, identify the attack stage, pick the next action.
  • Order IR phases correctly and map containment vs eradication steps.
  • Build a mini lab (VMs + open-source tools) and practice.
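The second workflow above (read a log, name the attack stage, pick the next action) as an added worked example; this is not code from the original FAQ. The sshd-style log lines, the IPs and the five-failure threshold are all constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines for the demo (not from the original page).
SAMPLE_LOG = """\
Mar 10 09:12:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 09:12:03 web1 sshd[2202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 09:12:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 09:12:07 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 10 09:12:09 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar 10 09:12:11 web1 sshd[2206]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Mar 10 09:15:30 web1 sshd[2310]: Accepted publickey for deploy from 198.51.100.20 port 44010 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)"
)
FAIL_THRESHOLD = 5  # failed logins from one source before we call it brute force

def triage(log_text: str, threshold: int = FAIL_THRESHOLD) -> dict:
    """Map each suspicious source IP to (attack stage, next action)."""
    fails = defaultdict(int)
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            fails[src] += 1
            if fails[src] >= threshold:
                verdicts[src] = ("credential brute force in progress (initial access attempt)",
                                 "block the source at the firewall/NAC and alert the SOC")
        elif fails[src] >= threshold:
            # A success right after a burst of failures: the attempt worked, so escalate.
            verdicts[src] = (f"account '{user}' likely compromised (initial access succeeded)",
                             "contain: isolate host, disable account, reset credentials, preserve logs")
    return verdicts

if __name__ == "__main__":
    for src, (stage, action) in triage(SAMPLE_LOG).items():
        print(f"{src}: {stage} -> {action}")
```

The normal key-based login from 198.51.100.20 produces no verdict, which is the point of keeping a threshold rather than alerting on every failure.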

What is Zero Trust in practical terms?

  • Verify explicitly (strong identity, continuous signal).
  • Least privilege by default (role/attribute policies).
  • Assume breach (segment, monitor, contain).
  • Enforce close to the resource (microsegmentation, PEP/PDP).
    Pick answers that reduce implicit trust (e.g., flat networks, broad standing admin rights) and increase identity- and context-aware enforcement.

IAM quick answers

  • MFA factors: know / have / are / do / where.
  • SAML vs OAuth 2.0 vs OIDC: SAML = web SSO (XML assertions). OAuth 2.0 = delegation. OIDC = login on top of OAuth (JSON ID token).
  • RBAC vs ABAC: RBAC = roles; ABAC = attributes/policy (time, device posture, location).
  • Privileged access: use JIT/JEA, PIM, session recording, credential vaults.
  • 802.1X/NAC: authenticate devices/users before network access; posture checks.

Crypto/PKI/TLS essentials

  • Hashing (integrity), HMAC (integrity + auth), AES-GCM (symmetric AEAD), RSA/ECC (asymmetric), ECDHE (forward secrecy), TLS 1.3 (modern suites).
  • PKI: roots/intermediates/leaves; CRL vs OCSP/OCSP stapling; SAN, wildcard, code-signing, client certs.
  • Common pitfalls: using outdated ciphers, self-signed certs externally, not validating cert chains, forgetting revocation.
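An added example that ties the IAM bullet on OIDC (a JSON ID token carried on top of OAuth) to the crypto bullet on HMAC (integrity plus authentication). It is not code from the original FAQ. It assumes an HS256-signed ID token, where the OAuth client secret is the HMAC key; the issuer URL, client ID and secret are hypothetical placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values for the demo (not from the original page).
ISSUER = "https://idp.example"
CLIENT_ID = "app-123"
CLIENT_SECRET = b"demo-client-secret"  # HS256: the OAuth client secret is the HMAC key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Identity-provider side: HMAC-SHA256 over header.payload (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, nonce: str, now=None, key: bytes = CLIENT_SECRET) -> dict:
    """Relying-party side: check the signature first, then the OIDC claims.
    Raises ValueError on any failure so callers fail closed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    checks = [
        (claims.get("iss") == ISSUER, "wrong issuer"),
        (claims.get("aud") == CLIENT_ID, "token not issued for this client"),
        (claims.get("exp", 0) > now, "expired"),
        (claims.get("nonce") == nonce, "nonce mismatch (possible replay)"),
    ]
    for ok, msg in checks:
        if not ok:
            raise ValueError(msg)
    return claims
```

Real deployments usually see RS256 tokens verified with the provider's published public key, but the claim checks (iss, aud, exp, nonce) are the same.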

Network & wireless quick picks

  • Prefer: NGFW with least-privilege rules, WAF for web apps, VPN (IPsec/IKEv2 or TLS), 802.1X for access, WPA3 for Wi-Fi, disable WPS, detect evil twins.
  • Segment: VLANs/subnets; microsegment critical apps; restrict east–west traffic.
  • Email/DNS/Web: SPF/DKIM/DMARC; DNS filtering; TLS, HSTS, CSP; SWG/CASB for SaaS.

Cloud & container security FAQs

  • Shared responsibility: the provider secures the cloud itself (security “of” the cloud); the customer secures what they deploy in it (security “in” the cloud). Where the line falls shifts with IaaS/PaaS/SaaS.
  • Data protection: encrypt at rest/in transit; KMS/HSM; tokenization; keys and access are your crown jewels.
  • CSPM/CASB: detect misconfig, enforce policy, visibility into SaaS usage.
  • Containers: signed minimal images, image scanning (SCA), runtime rules (seccomp/AppArmor), secrets in vaults, short-lived credentials.

Vulnerability scanning vs Penetration testing—what’s the difference?

  • Vulnerability scan: breadth; unauth/auth scans; CVSS risk rating; continuous.
  • Pen test: authorized exploitation to prove impact; clear scope/ROE; often periodic.
    If asked in a scenario, scans identify, pen tests validate risk with proof.

What should I memorize for Incident Response?

  • Phases: Preparation → Identification → Containment → Eradication → Recovery → Lessons learned.
  • Order of volatility: CPU/cache → RAM → disk → remote logs/cloud → archives.
  • Chain of custody: track who/what/when, hash evidence, time-sync, write blockers.
    During an incident, contain before eradicate; preserve evidence if policy demands.
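The order-of-volatility and chain-of-custody bullets above as an added, runnable example (not code from the original FAQ). The evidence file, handler names and custody actions are constructed for the demo; the record is kept as a plain dict so it can be written out as JSON.

```python
import hashlib
import hmac
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Collect the most volatile artifacts first (the order given in the FAQ).
VOLATILITY = ["cpu/cache", "ram", "disk", "remote logs/cloud", "archives"]

def collection_order(artifacts: list) -> list:
    """Sort a list of artifact classes into the order they should be captured."""
    return sorted(artifacts, key=VOLATILITY.index)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _entry(who: str, action: str) -> dict:
    # UTC timestamps so entries from different hosts line up (why time-sync matters).
    return {"who": who, "when": datetime.now(timezone.utc).isoformat(), "action": action}

def acquire(path: Path, handler: str) -> dict:
    """Open a chain-of-custody record: what, who, when, and the hash taken at acquisition."""
    return {"item": path.name, "sha256": sha256_file(path),
            "custody": [_entry(handler, "acquired via write blocker; hashed")]}

def transfer(record: dict, handler: str, action: str) -> dict:
    """Every hand-off appends an entry; the record is never rewritten."""
    record["custody"].append(_entry(handler, action))
    return record

def verify(record: dict, path: Path) -> bool:
    """Re-hash the item; a mismatch means it changed after acquisition."""
    return hmac.compare_digest(record["sha256"], sha256_file(path))

def demo() -> tuple:
    """Constructed sample: fake image file, one hand-off, then a simulated modification."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "memory.raw"
        evidence.write_bytes(b"\x00" * 1024 + b"CONSTRUCTED-RAM-IMAGE")
        rec = acquire(evidence, "analyst1")
        transfer(rec, "analyst2", "received for analysis")
        intact_before = verify(rec, evidence)
        evidence.write_bytes(b"\x00" * 1024 + b"MODIFIED")  # tampering or an accidental write
        return intact_before, verify(rec, evidence), len(rec["custody"])
```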

Risk & BCP/DR essentials

  • Treatments: accept • avoid • transfer • mitigate.
  • Control types: preventive • detective • corrective • deterrent • compensating.
  • BIA outputs: RTO (time) and RPO (data loss window); choose backup/site strategy accordingly.
  • Simple math: \[ \text{SLE} = \text{AV} \times \text{EF}, \quad \text{ALE} = \text{SLE} \times \text{ARO} \]

GRC and frameworks—how much detail?

Know purpose and fit (don’t memorize every clause):

  • NIST CSF/RMF, ISO/IEC 27001/27002, CIS Controls, SOC 2.
  • Regulations: GDPR, HIPAA, PCI DSS, GLBA, SOX.
  • Policy vs Standard vs Procedure vs Guideline hierarchy.
  • Data roles: owner, steward, custodian, DPO; classification & handling.

Secure coding & DevSecOps—what shows up?

  • OWASP-style issues: injection (SQLi), auth/session, access control, crypto failures, XXE/SSRF, deserialization, security misconfig, logging/monitoring gaps.
  • Shift left: threat modeling, SAST/SCA/DAST, IaC scanning, signed artifacts, minimal base images, secrets mgmt.
  • Golden rules: validate input, parameterize queries, output encode, least-privilege DB creds, fail closed.
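The golden rules above (validate input, parameterize queries, least-privilege DB creds, fail closed) as an added example using Python's built-in sqlite3; it is not code from the original FAQ. The table contents and the probe string are constructed for the demo, and the read-only PRAGMA stands in for a least-privilege database account.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (not from the original page)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    con.execute("PRAGMA query_only = ON")  # least privilege: this handle may only read
    return con

def lookup_vulnerable(con: sqlite3.Connection, username: str) -> list:
    # BAD: input is spliced into the statement, so quotes in the input become SQL syntax.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()

def lookup_parameterized(con: sqlite3.Connection, username: str) -> list:
    # GOOD: the value travels separately from the statement and is never parsed as SQL.
    return con.execute("SELECT username, role FROM users WHERE username = ?",
                       (username,)).fetchall()

def validate_username(username: str) -> str:
    # Defense in depth: allow-list the shape of the input before it reaches the query
    # and fail closed on anything else.
    if not re.fullmatch(r"[a-z][a-z0-9_]{0,31}", username):
        raise ValueError("invalid username")
    return username

def safe_lookup(con: sqlite3.Connection, username: str) -> list:
    return lookup_parameterized(con, validate_username(username))

def write_allowed(con: sqlite3.Connection) -> bool:
    """Show that the read-only handle cannot modify data even if a query were abused."""
    try:
        con.execute("UPDATE users SET role = 'admin' WHERE username = 'bob'")
        return True
    except sqlite3.OperationalError:
        return False
```

The constructed probe `x' OR '1'='1` makes the vulnerable lookup return every row, while the parameterized lookup treats it as a literal username and returns nothing.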

What tools should I recognize by name?

Nmap, Wireshark/tcpdump, Zeek, Nessus/OpenVAS, Burp/ZAP, Metasploit, Netcat, Sysinternals (ProcMon/Autoruns), KQL (Microsoft Defender/Log Analytics), Volatility/Autopsy, hash calculators, GPG/OpenSSL, osquery.


Common weak spots to fix before test day

  • SAML vs OAuth vs OIDC and when to use each
  • RBAC vs ABAC vs DAC/MAC
  • WPA3/802.1X vs legacy Wi-Fi setups; evil twin defenses
  • CSPM/CASB purpose; shared responsibility nuances
  • PKI lifecycle and revocation details (OCSP, stapling)
  • IR phases vs playbook steps (what’s containment vs eradication)
  • Scan vs pen test vs red/blue/purple activities

How do I approach scenario questions?

  1. Identify the goal/constraint (e.g., “least privilege,” “reduce risk,” “quick containment”).
  2. Eliminate options that violate policy, least privilege, secure defaults, or operability.
  3. Prefer answers that are preventive, auditable, and scalable with minimal risk.

Exam-day pacing tips

  • First pass fast (~60–70s per item); flag PBQs/long stems.
  • Skim long scenarios, then read the final ask to aim your reading.
  • Keep a 5–10 minute buffer to revisit flagged items.
  • Don’t change answers without a concrete reason from a later question.

How long should I study?

From IT background: 3–4 weeks. From near-zero security: 5–6 weeks with labs. Aim for ~75–80% on mixed sets and at least one full mock at or above target before scheduling.


What should my tiny home lab include?

  • 2–3 VMs (Linux + Windows), a basic IDS/packet capture, and a test web/app container.
  • Practice log review → alert triage → IR decision, TLS cert handling, least-privilege IAM changes, and container image scanning (open-source tools are fine).

After Security+, what next?

Choose a path: Blue team (CySA+, Blue team training), Red team (PenTest+), Cloud security (provider certs), or Governance (ISO/NIST coursework). Keep a ticketing habit: document findings, evidence, and rationale—this is valued in interviews and on the job.


Quick readiness checklist

  • I can explain Zero Trust and apply least-privilege segmentation in a scenario.
  • I can pick between SAML / OAuth 2.0 / OIDC for a given use case.
  • I understand PKI basics, cert lifecycle, and revocation (OCSP/stapling).
  • I can differentiate scan vs pen test and when to use which.
  • I know IR phases, order of volatility, and evidence handling basics.
  • I can choose secure defaults (WPA3, 802.1X, NGFW/WAF, HSTS/CSP) and justify them.
  • I recognize core tools (Nmap, Wireshark, Nessus, Burp, SIEM/UEBA, SOAR) and their purpose.