CompTIA Security+ (SY0-701) Syllabus — Objectives by Domain

Blueprint-aligned learning objectives for CompTIA Security+ (SY0-701), organized by domain with quick links to targeted practice.

Use this syllabus as your source of truth for SY0-701. Work through each domain in order and drill targeted sets after every section.

What’s covered

General Security Concepts (12%)

Security Foundations & Principles

  • Explain CIA triad, AAA (authentication, authorization, accounting), and non-repudiation with real-world examples.
  • Differentiate administrative, technical, and physical controls; preventive, detective, corrective, and compensating types.
  • Describe least privilege, separation of duties, due care/due diligence, and security-by-design concepts.
  • Map common threats to control families (NIST-like categories) and identify appropriate control layers (defense-in-depth).
  • Interpret risk terms: threat, vulnerability, likelihood, impact, risk tolerance, residual risk, and risk transfer.

Cryptography Essentials

  • Compare symmetric vs asymmetric crypto; typical algorithms and use cases (confidentiality, integrity, non-repudiation).
  • Describe hashing, salting, key stretching, and HMAC; relate to password storage and data integrity.
  • Explain TLS basics (handshake, certificates, cipher suites) and common pitfalls (weak ciphers, self-signed certs).
  • Differentiate data-at-rest, data-in-transit, and data-in-use protections; full-disk vs file/folder encryption.
  • Outline key management practices: rotation, escrow, backup, revocation, destruction; role of HSMs/TPMs.

Identity & Access Basics

  • Contrast authentication factors (something you know, have, or are; somewhere you are; something you do) and MFA implementation considerations.
  • Differentiate RBAC, ABAC, MAC, and DAC; select models for typical org scenarios.
  • Explain SSO, federation, and common protocols (SAML, OIDC, OAuth2) at a conceptual level.
  • Describe account lifecycle: provisioning, review, recertification, deprovisioning, and the principle of just-in-time access.
  • Identify password policy concepts (complexity, length, history, lockout) and alternative authenticators (biometrics, tokens).

Network Security Basics

  • Recognize secure network topologies: DMZ, screened subnet, jump host/bastion, and segmentation/segregation.
  • Differentiate stateful firewall, NGFW, WAF, IDS/IPS, and proxy functions at a high level.
  • Explain secure remote access options (VPN, split tunnel vs full tunnel, SSH) and related risks.
  • Describe secure protocol choices and port associations (HTTPS, SFTP/SCP, SNMPv3, RDP hardening).
  • Outline NAC concepts (802.1X, posture checks) and guest vs corporate access policies.

Policies, Standards & Baselines

  • Differentiate policies, standards, guidelines, and procedures; map to compliance drivers.
  • Explain configuration baselines, secure images, and hardening benchmarks for common platforms.
  • Summarize data classification and handling requirements (PII, PHI, confidential, public).
  • Identify acceptable use, privacy, and monitoring notifications; employee consent and transparency basics.
  • Relate change management concepts (CAB, emergency changes) to risk reduction.
  • Recognize ethics expectations for security practitioners (need-to-know, minimization, disclosure).
  • Explain high-level privacy concepts: data minimization, purpose limitation, retention, subject rights.
  • Differentiate internal policy violations vs illegal activity; when to escalate to legal/HR.
  • Describe intellectual property and software licensing practices relevant to security.
  • Outline logging/monitoring transparency and consent considerations in the workplace.

Threats, Vulnerabilities, and Mitigations (22%)

Malware & Exploit Techniques

  • Classify malware types (ransomware, trojans, worms, rootkits, fileless) and common indicators of compromise.
  • Explain exploit chains: reconnaissance, weaponization, delivery, execution, persistence, privilege escalation, exfiltration.
  • Explain living-off-the-land techniques and the role of signed binaries and LOLBins in detection evasion.
  • Map endpoint mitigations: EDR, application allow/deny lists, sandboxing, secure boot, measured boot.
  • Outline backup/restore strategy considerations to reduce ransomware blast radius.

Social Engineering & Physical Threats

  • Identify phishing variants (spear, whaling, vishing, smishing) and pretexting/baiting/tailgating scenarios.
  • Evaluate user awareness program elements and metrics for effectiveness.
  • Recommend countermeasures: email security gateways, DMARC/DKIM/SPF concepts, banner warnings, callback verification.
  • Explain physical controls: badges, mantraps, security guards, CCTV, visitor logs, clean desk.
  • Describe insider threat indicators and response patterns.

Network & Wireless Attacks

  • Differentiate spoofing, DoS/DDoS, amplification, reflection, and MITM/ARP poisoning attacks.
  • Explain DNS-related risks (poisoning, tunneling) and mitigations (DNSSEC concept, egress filtering).
  • Describe wireless threats: evil twin, deauth/disassoc, rogue APs; choose resilient configurations (WPA3, 802.1X).
  • Outline segmentation and rate limiting to contain and absorb attacks.
  • Recommend logging and monitoring points to detect anomalous traffic patterns.

Application, Web, and API Threats

  • Recognize common web flaws: injection, XSS, CSRF, IDOR, insecure deserialization, SSRF (conceptual mapping).
  • Describe API-specific risks: authZ bypass, excessive data exposure, lack of rate limiting.
  • Recommend SDLC controls: code reviews, SAST/DAST, dependency scanning, secrets management.
  • Explain secure session management, cookie flags, and CSP basics.
  • Relate input validation, output encoding, and parameterized queries to mitigations.

Cloud, Virtualization & Container Risks

  • Differentiate shared responsibility across IaaS/PaaS/SaaS; identify common misconfigurations (public buckets, wide IAM).
  • Explain VM escape and hypervisor exposure at a high level; isolation hardening concepts.
  • Describe container risks: image trust, runtime privileges, secrets management, network policies.
  • Recommend cloud-native controls: identity boundaries, KMS usage, WAF, CSPM/CWPP ideas.
  • Outline logging/telemetry sources for cloud (audit trails, flow logs) and least-privilege IAM baselines.

Vulnerability Management Lifecycle

  • Plan discovery and scanning (authenticated vs unauthenticated) and safe scope definitions.
  • Interpret findings with CVSS-like scoring, environmental metrics, exploit maturity, and business context.
  • Prioritize remediation: patching, compensating controls, configuration changes, service isolation.
  • Validate fixes and manage exceptions/deferrals with documented risk acceptance.
  • Track metrics: time to detect/remediate, exposure window, recurring findings.

Security Architecture (18%)

Secure Network Design

  • Design layered networks using segmentation, VLANs, and zone architectures (user, server, management, DMZ).
  • Explain zero-trust principles (never trust, always verify) and microsegmentation concepts.
  • Compare firewall placements, routing vs bridging firewalls, and east–west vs north–south inspection.
  • Describe out-of-band management networks and jump host patterns.
  • Recommend resilience features: HA pairs, redundant paths, QoS for critical services.

Endpoint, Mobile & IoT Architecture

  • Plan baseline hardening (services, policies), EDR deployment, and local firewall posture.
  • Differentiate full-disk encryption vs file/folder encryption; key escrow and recovery considerations.
  • Outline MDM/MAM controls, containerization, and compliance policies for BYOD/COPE.
  • Recognize IoT constraints (limited patching, protocols) and network containment strategies.
  • Map secure boot/UEFI, measured boot, and attestation concepts.

Identity & Access Architecture

  • Select access models (RBAC, ABAC) for business roles and dynamic attributes.
  • Explain federation trust flows and IdP/SP roles; high-level SAML vs OIDC selection.
  • Plan privileged access management (PAM), session recording, and credential vaulting.
  • Integrate MFA and conditional access based on device posture and risk signals.
  • Design joiners/movers/leavers workflows and periodic access reviews.

Cryptographic & PKI Architecture

  • Describe CA hierarchies, certificate templates, CRL vs OCSP, and pinning concepts.
  • Plan key lifecycle: generation, protection, rotation, revocation, archival/destroy; HSM usage.
  • Differentiate TLS termination/inspection designs and associated privacy/visibility trade-offs.
  • Explain email/document signing and timestamping basics for integrity and non-repudiation.
  • Map data classification to crypto controls (field-level, tokenization, format-preserving).

Cloud Security Architecture

  • Design VPC/VNet segmentation, private endpoints, and secure egress/ingress patterns.
  • Plan identity boundaries (workload identities, service principals) and least-privilege policies.
  • Place security services: WAF, API gateways, CASB/SWG; logging pipelines and storage protections.
  • Address multi-account/subscription landing zone patterns and guardrails.
  • Explain secrets management and rotation for apps and automation pipelines.

Data Protection & Resilience

  • Implement DLP policies for endpoints, email, and cloud storage; reduce false positives via tuning.
  • Design backup strategies (3-2-1, immutable copies, offline storage) aligned to RPO/RTO.
  • Apply masking/tokenization for non-production data and analytics use cases.
  • Define secure disposal and sanitization methods for media and cloud snapshots.
  • Integrate monitoring/alerting for exfiltration and anomalous access to sensitive repositories.

Security Operations (28%)

Monitoring, Detection & Telemetry

  • Differentiate SIEM vs log management; create basic correlation/use cases (auth anomalies, rare processes).
  • Identify critical log sources (OS, apps, network, cloud, identity) and time sync requirements.
  • Explain EDR/NDR concepts and alert triage priorities (true/false positives, severity, confidence).
  • Use baseline and behavioral detections to flag anomalies.
  • Outline retention, protection, and integrity for logs and audit trails.

Incident Response Lifecycle

  • Apply phases: preparation, identification, containment, eradication, recovery, lessons learned.
  • Select containment strategies (isolation, segmentation, account disablement) based on impact.
  • Coordinate stakeholder comms, regulatory notifications, and executive updates.
  • Document incidents with timelines, indicators, and actions; produce post-incident reports.
  • Track metrics (MTTD, MTTR) and feed improvements into controls and playbooks.

Digital Forensics Basics

  • Maintain chain of custody and evidence handling; hash verification for integrity.
  • Prioritize volatile data (order of volatility) and safe acquisition methods.
  • Construct event timelines from disparate logs and artifacts.
  • Recognize common artifacts: prefetch, registry keys, browser storage, cloud audit logs.
  • Identify when to escalate to specialized forensics teams or law enforcement.

Secure Administration & Configuration Management

  • Apply least privilege for admins (tiering, separate accounts) and secure remote admin channels.
  • Implement change control with approvals, rollback plans, and emergency change handling.
  • Describe configuration management/IaC benefits to consistency and drift detection.
  • Use secure baselines and continuous compliance scanning for endpoints/servers.
  • Integrate vulnerability remediation into patch/change cycles with documented risk acceptance.

Network, Wireless & Edge Operations

  • Operate firewalls/IPS/WAF at a high level: rule hygiene, logging, and change review.
  • Manage VPNs and remote access; enforce split vs full tunnel policies appropriately.
  • Administer wireless securely: WPA3/802.1X, cert-based auth, rogue AP detection.
  • Explain proxy/SWG and content filtering roles in egress control.
  • Coordinate DDoS response with upstream providers and rate limiting.

BCP/DR, Backups & Recovery Readiness

  • Differentiate BCP vs DR; define RTO/RPO per service and align controls.
  • Design backup schedules, immutability, offsite replication; test restores regularly.
  • Plan failover, runbooks, tabletop exercises, and after-action updates.
  • Protect backups from ransomware (isolation, MFA, separate credentials).
  • Document critical dependencies and single points of failure for remediation.

Security Program Management and Oversight (20%)

Governance, Policy & Compliance

  • Develop policy hierarchy (policies, standards, procedures, guidelines) and assign ownership.
  • Align controls to common frameworks at a conceptual level; avoid jurisdiction-specific details.
  • Define data governance roles (owners, custodians, stewards) and change approval bodies.
  • Establish exception management with risk acceptance and time-bound reviews.
  • Plan periodic attestation and policy awareness cycles.

Risk Management & Measurement

  • Identify assets, threats, and vulnerabilities; estimate likelihood/impact qualitatively.
  • Create and maintain a risk register with treatment options (mitigate, transfer, avoid, accept).
  • Define KRIs/KPIs for security performance and risk exposure.
  • Prioritize investments using risk reduction and business alignment.
  • Integrate threat intelligence into risk analysis and control tuning.

Assessments, Audits & Testing

  • Differentiate vulnerability scanning vs penetration testing vs red/purple teaming at a high level.
  • Plan assessment scope, rules of engagement, and safe testing windows.
  • Interpret audit findings and track remediation to closure.
  • Coordinate independent assessments and communicate results to stakeholders.
  • Document residual risk and verify control effectiveness post-remediation.

Third-Party & Supply Chain Risk

  • Assess vendors using questionnaires, evidence requests, and contractual controls (SLAs, right to audit).
  • Evaluate data processing agreements and data transfer requirements conceptually.
  • Monitor fourth-party dependencies and concentration risks.
  • Define onboarding/offboarding controls for external users and integrations.
  • Track vendor risk metrics and trigger reassessments on material changes/incidents.

Security Awareness & Culture

  • Design role-based training (executives, developers, admins, end users) with measurable outcomes.
  • Run phishing simulations ethically; track improvement without shaming.
  • Promote a reporting culture (easy pathways, positive reinforcement, rapid feedback).
  • Localize content for remote and diverse workforces; ensure accessibility.
  • Continuously refresh content to reflect emerging threats and lessons learned.

Program Metrics, Budgeting & Roadmaps

  • Select actionable metrics tied to business outcomes (risk reduction, availability, compliance posture).
  • Build multi-year security roadmaps with capability maturity targets.
  • Prioritize projects by risk, cost, complexity, and dependency mapping.
  • Communicate program status to leadership via concise dashboards and narratives.
  • Incorporate continuous improvement cycles from incidents, audits, and assessments.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit weak objectives before moving on.