Security+ SY0-701
Compressed Course
CompTIA Security+ SY0-701 Compressed Exam-Preparation Course
Purpose: A start-to-finish revision guide for CompTIA Security+ V7 (SY0-701), synthesized from the provided 1,100-question practice bank and organized around the official exam blueprint. It is designed for fast revision, scenario-based reasoning, and answer elimination.
Source-bank pattern analysis: The question bank repeatedly emphasizes control selection, attack recognition, vulnerability mitigation, segmentation, secure protocols, resilience, identity and access management, monitoring, incident response, forensics, risk management, vendor governance, compliance, and awareness training. Similar ideas have been consolidated so that each decision rule appears once in the clearest possible place.
1. Exam Overview
What the exam is testing
CompTIA Security+ SY0-701 validates whether you can make sound security decisions in realistic business and technical situations. It is not primarily a vocabulary test. Expect questions that ask for the best, most appropriate, or first action when several answers appear plausible.
The exam is vendor-neutral. You must recognize the purpose of controls and tools without relying on a specific product name.
The official exam focus is to verify that you can:
- assess an enterprise security posture and recommend appropriate controls;
- secure hybrid environments, including cloud, mobile, operational technology, and Internet of Things devices;
- operate with an awareness of governance, risk, compliance, and privacy requirements;
- identify, analyze, contain, eradicate, and recover from security events and incidents.
Exam format snapshot
| Item | SY0-701 exam detail |
|---|---|
| Exam version | Security+ V7 |
| Exam code | SY0-701 |
| Maximum number of questions | 90 |
| Time limit | 90 minutes |
| Passing score | 750 on a scale of 100–900 |
| Question styles | Multiple-choice and performance-based questions |
How to think like the exam
Use this decision sequence:
- Identify the exact requirement. Is the question asking about confidentiality, integrity, availability, authentication, authorization, evidence, containment, resilience, compliance, or cost?
- Respect the timing word. “First” usually means stabilize, preserve evidence, or identify scope before making a permanent change. “Best” usually means the option that most directly satisfies the requirement with the least unnecessary risk.
- Prefer least privilege and reduced blast radius. Narrow access, segment networks, isolate suspicious systems, and remove unnecessary exposure.
- Choose the control closest to the problem. A web application attack suggests a web-focused defense. A compromised endpoint suggests endpoint isolation and EDR. A privileged-account risk suggests PAM and just-in-time access.
- Do not solve a governance problem with only a technical tool. A contract, policy, audit, exception, or risk register may be the correct answer.
- Do not overreact. Avoid options that disable logging, destroy evidence, grant broad access, apply untested production changes, or rely on one control only.
- Prefer repeatable and measurable controls. Centralized logging, documented procedures, version control, baselines, automation with guardrails, and validation are stronger than informal manual steps.
How to use this course
Read sections 1–4 in order for a complete foundation. Use sections 5–8 for targeted scenario practice. Use sections 9–10 in the final days before the exam.
A productive revision loop is:
- review one domain;
- answer a focused group of practice questions;
- write down why your best wrong answer was wrong;
- revisit the relevant comparison table;
- repeat until you can explain the decision rule without memorizing the wording.
2. Exam Domains
Official domain priorities
| Domain | Weight | Study priority | Why it matters |
|---|---|---|---|
| 1.0 General Security Concepts | 12% | Foundation | Establishes the language used in every other domain: controls, CIA, AAA, zero trust, change management, and cryptography. |
| 2.0 Threats, Vulnerabilities, and Mitigations | 22% | High | Tests whether you can recognize attack patterns, distinguish vulnerabilities from threats, and choose practical mitigations. |
| 3.0 Security Architecture | 18% | High | Tests design choices for cloud, networks, data protection, resilience, and secure communications. |
| 4.0 Security Operations | 28% | Highest | The largest domain. Focus on hardening, monitoring, IAM, vulnerability management, incident response, automation, and investigation data sources. |
| 5.0 Security Program Management and Oversight | 20% | High | Tests governance, risk, third-party management, compliance, audits, privacy, and awareness. |
What matters most
The source bank and official blueprint point to the following high-value areas:
- Security operations: incident response ordering, log selection, hardening, EDR, SIEM, IAM, PAM, vulnerability remediation, automation, and validation.
- Threat recognition and mitigation: phishing, credential attacks, application attacks, network attacks, malware, social engineering, and supply-chain risk.
- Architecture decisions: segmentation, zero trust, secure protocols, data states, cloud shared responsibility, backups, recovery sites, and availability design.
- Risk and governance: risk treatments, BIA metrics, policy hierarchy, vendor due diligence, contracts, audits, exceptions, awareness, and privacy.
- Foundational reasoning: CIA, AAA, control categories, encryption versus hashing versus signatures, PKI, and change management.
3. Start-to-Finish Study Path
Phase 1: Foundation
Build the vocabulary required to eliminate obviously wrong answers.
Study in this order:
- CIA triad, AAA, non-repudiation, least privilege, separation of duties.
- Control types and categories.
- Hashing, encryption, digital signatures, certificates, PKI, and key management.
- Threat actors, social engineering, malware, password attacks, and common web attacks.
- Network basics: segmentation, DMZ, VPN, TLS, IPSec, firewalls, IDS, IPS, WAF, and NAC.
Checkpoint: You should be able to explain why a hash does not provide confidentiality, why an IDS is not an IPS, and why a broad VPN group conflicts with least privilege.
Phase 2: Intermediate application
Move from definitions to selecting the best control.
Study:
- Endpoint hardening and secure baselines.
- IAM lifecycle, MFA, SSO, federation, PAM, access reviews, and service accounts.
- Vulnerability management: scan, prioritize, remediate, rescan, and verify.
- Monitoring: SIEM, EDR, XDR, logs, packet captures, dashboards, and alerts.
- Data protection: classification, encryption, tokenization, masking, DLP, retention, and disposal.
- Cloud architecture and shared responsibility.
- Risk register, risk treatment, RTO, RPO, MTTR, MTBF, and third-party agreements.
Checkpoint: Given a scenario, you should be able to choose the most relevant control and explain why a generic control is weaker.
Phase 3: Advanced scenario reasoning
Focus on priority, tradeoffs, and sequence.
Study:
- Incident response order: preparation, detection, analysis, containment, eradication, recovery, lessons learned.
- Forensic evidence: preserve before changing, maintain chain of custody, use legal hold when required.
- Architecture tradeoffs: availability versus cost, convenience versus least privilege, rapid automation versus guardrails, temporary exceptions versus permanent bypasses.
- Governance-document selection: policy, standard, procedure, guideline, SLA, NDA, MOU, rules of engagement.
- Recovery design: backup type, immutable or offline copies, replication, journaling, snapshots, warm versus hot versus cold sites.
- Zero trust and segmentation: evaluate identity, device posture, and resource-level authorization continuously.
Checkpoint: You should be able to identify why a technically useful answer may still be wrong because it occurs too early, grants too much access, destroys evidence, or fails to address the underlying cause.
Phase 4: Final review
Use sections 8–10 as a condensed review sheet. Practice mixed scenarios under time pressure. Flag questions containing BEST, FIRST, MOST likely, MOST appropriate, and Select TWO because wording determines the required reasoning style.
4. Core Concepts by Domain
Domain 1: General Security Concepts — 12%
1.1 Security control categories and functions
A control can be categorized by how it is implemented and what it does.
Implementation categories
| Category | Meaning | Examples |
|---|---|---|
| Technical | Implemented with technology | Firewall, MFA, EDR, encryption, access control list |
| Managerial | Administrative oversight and governance | Risk assessment, security policy, vendor review |
| Operational | People-driven process | Awareness training, incident handling procedure, change review |
| Physical | Protects physical access or environment | Locks, bollards, guards, cameras, fencing |
Functional types
| Type | Purpose | Example | Common trap |
|---|---|---|---|
| Preventive | Stops an event before it occurs | MFA, firewall allowlist, locked door | Do not confuse with a control that only alerts afterward. |
| Detective | Identifies an event | IDS alert, log review, motion sensor | Detection does not block the attack. |
| Corrective | Fixes or restores after an event | Patch deployment, restore from backup | Restoration is not the same as prevention. |
| Deterrent | Discourages attempts | Warning sign, visible camera | A deterrent changes behavior but may not stop an attacker. |
| Directive | Tells people what to do | Policy, standard, security procedure | A document does not enforce a technical restriction by itself. |
| Compensating | Alternative when the preferred control is not feasible | Jump host and allowlisting for a legacy system lacking MFA | Use only when the preferred control cannot reasonably be implemented. |
Decision rule
When the question says a preferred control is impossible because of a legacy constraint, choose a compensating control that reduces exposure and is monitored. Never choose “ignore the risk” or “publish the service directly.”
1.2 Fundamental concepts
CIA triad
| Property | Question to ask | Typical failure |
|---|---|---|
| Confidentiality | Was information exposed to an unauthorized party? | Data leak, excessive permissions, unencrypted sensitive data |
| Integrity | Was data changed without authorization? | Tampering, unauthorized database edit, malicious software update |
| Availability | Can authorized users access the system when needed? | Denial of service, outage, ransomware disruption |
AAA
| Element | Purpose | Example |
|---|---|---|
| Authentication | Prove identity | Password, passkey, smart card, biometric |
| Authorization | Determine allowed actions | Role-based permissions, ACL, least privilege |
| Accounting | Record actions | Audit log showing commands used by an administrator |
Non-repudiation
Non-repudiation provides evidence that a specific party performed an action and cannot credibly deny it later. A common mechanism is a digital signature created with the signer’s private key.
Zero trust
Zero trust assumes that network location alone is not proof of trust. Evaluate:
- user identity;
- device health and posture;
- resource sensitivity;
- context such as location and risk;
- least-privilege access;
- continuous verification.
Trap: “The user is on the internal network” is not enough to justify broad access.
Deception and disruption technology
| Technology | Purpose |
|---|---|
| Honeypot | Decoy system intended to attract suspicious activity |
| Honeynet | Network of decoy systems |
| Honeyfile | Decoy file that should not be accessed legitimately |
| Honeytoken | Decoy credential or data element that triggers an alert if used |
1.3 Change management
Security controls can create outages when implemented without review. A sound change process includes:
- request and business justification;
- impact analysis and dependency review;
- approval;
- testing;
- communication;
- implementation during an appropriate window;
- monitoring;
- rollback plan;
- documentation updates;
- version control and audit history.
Exam trap: The fastest technical fix is not always the best answer. If the question emphasizes avoiding an undocumented outage, choose assessment, approval, testing, and rollback.
1.4 Cryptographic solutions
Fast comparison
| Need | Best-fit mechanism |
|---|---|
| Keep data secret | Encryption |
| Detect unauthorized modification | Cryptographic hashing |
| Verify origin and integrity | Digital signature |
| Verify a website or system identity | Certificate and PKI validation |
| Store passwords safely | Salted, slow password-hashing algorithm |
| Encrypt a large archive efficiently | Symmetric encryption with secure key management |
| Protect data in transit | TLS, IPSec, or another approved secure protocol |
Symmetric versus asymmetric cryptography
| Characteristic | Symmetric | Asymmetric |
|---|---|---|
| Keys | Same secret key encrypts and decrypts | Public/private key pair |
| Speed | Faster | Slower |
| Best use | Bulk encryption | Key exchange, digital signatures, identity verification |
| Main challenge | Securely distribute and protect the shared key | More computational overhead and certificate/key management complexity |
Hashing, salting, and signatures
- A hash is one-way and is used to verify integrity.
- A salt makes identical passwords produce different stored hashes and reduces precomputed hash attacks.
- A digital signature provides integrity, authenticity, and non-repudiation. It is not primarily used to keep content secret.
PKI essentials
| Term | Purpose |
|---|---|
| Certificate authority (CA) | Issues and signs certificates |
| Registration authority (RA) | Supports identity verification before certificate issuance |
| Certificate signing request (CSR) | Request used to obtain a certificate |
| Certificate revocation list (CRL) | Published list of revoked certificates |
| Online Certificate Status Protocol (OCSP) | Query a certificate’s revocation status |
| Key escrow | Controlled storage of a cryptographic key for recovery or legal requirements |
Data obfuscation techniques
| Technique | Best use |
|---|---|
| Tokenization | Replace sensitive values with tokens; common for payment data |
| Masking | Hide portions of data from display or testing environments |
| Redaction | Remove sensitive content from a document or output |
| Hashing | Verify integrity or securely store password representations |
| Encryption | Keep the original data confidential while allowing authorized recovery |
Domain 1 traps
- Hashing is not encryption.
- Encoding is not encryption.
- A shared symmetric key does not prove which individual approved a transaction.
- An IDS detects; it does not automatically block.
- Internal network location does not eliminate the need for authorization.
- A compensating control is a governed alternative, not an excuse to ignore risk.
Domain 2: Threats, Vulnerabilities, and Mitigations — 22%
2.1 Threat actors and motivations
| Actor | Common motivation | Characteristics |
|---|---|---|
| Nation-state | Espionage, strategic disruption, geopolitical goals | Highly resourced, patient, capable |
| Organized crime | Financial gain | Ransomware, fraud, credential theft |
| Hacktivist | Ideology or publicity | Defacement, leaks, denial of service |
| Insider threat | Financial gain, revenge, coercion, negligence | Has legitimate access or contextual knowledge |
| Unskilled attacker | Curiosity, reputation, opportunism | Often uses public tools and known weaknesses |
| Competitor | Intellectual property or market advantage | May seek sensitive business information |
| Shadow IT | Convenience rather than malicious intent | Creates unapproved exposure and governance gaps |
Exam reasoning
Do not select an actor based only on technical sophistication. Use motivation, access level, persistence, and target value.
2.2 Threat vectors and social engineering
Social-engineering comparison
| Technique | Clue | Best immediate response |
|---|---|---|
| Phishing | Fraudulent message to many users | Report, analyze, block indicators, coach users |
| Spear phishing | Tailored message to a specific person or group | Verify through a trusted channel |
| Whaling | Targets senior executives | Apply executive-focused awareness and verification controls |
| Smishing | SMS-based social engineering | Avoid clicking; report message |
| Vishing | Voice-call manipulation | Verify caller identity independently |
| Business email compromise | Fraudulent payment or account-change request | Use out-of-band verification and approval workflow |
| Pretexting | Invented scenario to gain trust | Verify identity and authority |
| Tailgating | Unauthorized person follows an authorized person through a door | Challenge or report; enforce badge and visitor process |
| Shoulder surfing | Observing sensitive information physically | Privacy screens, awareness, secure environment |
| Dumpster diving | Searching discarded material | Secure disposal and shredding |
Common attack surfaces
- email and messaging;
- exposed services;
- web applications and APIs;
- removable media;
- cloud configuration;
- wireless networks;
- mobile devices;
- supply chain and third parties;
- physical access;
- unapproved applications and shadow IT.
2.3 Common vulnerabilities
Application and web vulnerabilities
| Vulnerability | What happens | Strong mitigation |
|---|---|---|
| SQL injection | Attacker manipulates database queries through untrusted input | Parameterized queries, input validation, least privilege for database account |
| Cross-site scripting (XSS) | Attacker injects script content executed in another user’s browser | Output encoding, input validation, secure development practices |
| Cross-site request forgery (CSRF) | Browser sends an unwanted authenticated action | Anti-CSRF token, same-site controls, reauthentication for sensitive actions |
| Buffer overflow | Input exceeds allocated memory and may alter execution | Memory-safe coding, input validation, modern compiler and OS protections |
| Race condition / TOC-TOU | Security decision becomes invalid between check and use | Atomic operations, locking, safer design |
| Directory traversal | Attacker accesses unintended paths | Canonicalization, allowlisting, least privilege |
| Insecure API exposure | Excessive permissions or weak authentication expose functions or data | Strong authentication, authorization, rate limiting, validation, API gateway controls |
Configuration and lifecycle vulnerabilities
| Weakness | Risk | Best response |
|---|---|---|
| Default credentials | Easy unauthorized access | Change defaults immediately and manage secrets securely |
| Open ports and unnecessary services | Enlarged attack surface | Disable or remove unused services and protocols |
| Unpatched software | Known weaknesses remain exploitable | Prioritize, patch, test, deploy, and validate |
| End-of-life or legacy system | No vendor support or modern security controls | Replace, isolate, segment, and use compensating controls temporarily |
| Misconfigured cloud storage | Unintended public exposure | Restrict access, review policy, monitor configuration drift |
| Weak permissions | Excessive access and lateral movement | Least privilege, role design, access review |
2.4 Malware and attack patterns
| Attack | Core behavior | Response emphasis |
|---|---|---|
| Ransomware | Encrypts or disrupts systems for extortion | Isolate, preserve evidence, activate incident response, recover from tested clean backups |
| Trojan | Malicious code disguised as legitimate software | Validate software source, endpoint protection, sandboxing |
| Worm | Self-propagates across systems | Segment, patch, isolate, block propagation paths |
| Rootkit | Hides persistent privileged access | Forensic analysis, trusted rebuild where necessary |
| Keylogger | Captures keystrokes | Endpoint protection, MFA, incident investigation |
| Logic bomb | Triggers under defined conditions | Code review, monitoring, access control |
| Fileless malware | Uses legitimate tools or memory | Behavioral detection, EDR, log analysis |
Credential attacks
| Attack | Pattern | Mitigation |
|---|---|---|
| Brute force | Many attempts against one account or service | MFA, rate limiting, lockout, monitoring |
| Password spraying | A few common passwords against many accounts | MFA, password screening, monitoring, lockout strategy |
| Credential stuffing | Reuse of leaked credentials on another service | MFA, password uniqueness, breach monitoring |
| Dictionary attack | Tries likely words and variations | Long passwords/passphrases, MFA |
| Rainbow table attack | Uses precomputed hashes | Salting and slow password hashing |
2.5 Network, wireless, and cryptographic attacks
| Attack | Clue | Mitigation |
|---|---|---|
| On-path / man-in-the-middle | Traffic interception or modification | TLS certificate validation, secure protocols, VPN where appropriate |
| DNS poisoning | Incorrect name resolution directs users elsewhere | DNSSEC where applicable, monitoring, trusted resolvers |
| ARP spoofing | Local network impersonation | Segmentation, switch protections, secure network design |
| Denial of service | Resource exhaustion reduces availability | Rate limiting, upstream filtering, redundancy, scalable architecture |
| Evil twin | Rogue wireless access point imitates a trusted SSID | Enterprise authentication, certificate validation, user awareness, wireless monitoring |
| Replay attack | Captured valid data is reused | Nonces, timestamps, session protections |
| Downgrade attack | Forces weaker protocol or cipher | Disable legacy protocols and enforce modern secure configuration |
| Collision attack | Seeks two inputs with the same hash | Use approved collision-resistant algorithms |
2.6 Mitigation strategy
A practical mitigation sequence:
- remove unnecessary exposure;
- patch or upgrade supported systems;
- segment legacy or high-risk systems;
- use strong authentication and least privilege;
- harden configurations;
- monitor and alert;
- validate remediation through rescanning or testing;
- document temporary exceptions and compensating controls.
Domain 2 traps
- Do not confuse a threat actor with a vulnerability or an attack technique.
- Do not choose encryption as the only answer to an input-validation problem.
- Do not open suspicious files on an administrator workstation; use a sandbox.
- Do not assume a patch is complete until remediation is verified.
- Do not select user training alone when a technical control is required.
- Do not disable logs to improve performance during an incident.
Domain 3: Security Architecture — 18%
3.1 Architecture principles
Secure architecture reduces the chance of compromise and limits the blast radius when compromise occurs.
Core design principles
- least privilege;
- segmentation and isolation;
- defense in depth;
- secure defaults;
- minimized attack surface;
- redundancy and resilience;
- continuous verification;
- data protection throughout its lifecycle;
- centralized visibility;
- separation of duties;
- documented ownership and change control.
3.2 Network architecture patterns
| Pattern | Use it when | Why it works | Common wrong answer |
|---|---|---|---|
| DMZ | Public-facing systems must remain reachable without unrestricted internal access | Separates internet-exposed services from sensitive internal resources | Flat VLAN placing public servers beside databases |
| Network segmentation | You need to limit lateral movement or isolate sensitive systems | Reduces blast radius and enables narrow traffic rules | One large trusted internal network |
| Microsegmentation | Workloads need fine-grained east-west controls | Applies workload-level policy in data center or cloud environments | Relying only on a perimeter firewall |
| Jump host / bastion host | Administrators need controlled access to sensitive or legacy systems | Centralizes access, logging, and policy enforcement | Direct administrative access from any workstation |
| NAC | Devices must meet policy before or during network access | Evaluates identity and posture and can restrict access | Treating any connected device as trusted |
| SASE | Distributed users and branches need cloud-delivered security and network access controls | Integrates secure access with policy enforcement closer to users | Backhauling all traffic without considering performance or distributed policy needs |
| SD-WAN | Branch connectivity needs centrally managed path selection and policy | Improves WAN management and resilience | Treating SD-WAN as a complete substitute for security controls |
Flat network warning
When an answer places public servers, user workstations, and databases on the same VLAN, it is usually wrong. Prefer segmentation with narrowly allowed flows.
3.3 Cloud and virtualization models
Cloud service models
| Model | Customer controls more of | Provider controls more of | Typical customer focus |
|---|---|---|---|
| IaaS | OS, applications, identities, data, many network configurations | Physical infrastructure and core virtualization | Patch guest OS, harden workloads, configure security groups |
| PaaS | Application code, identities, data, configuration | Runtime platform and underlying infrastructure | Secure application, secrets, identities, and data |
| SaaS | User access, configuration, data handling | Application stack and infrastructure | IAM, data classification, sharing settings, retention |
Shared responsibility rule
Cloud adoption does not transfer all security responsibility to the provider. The customer remains responsible for areas such as identities, data classification, secure configuration, access decisions, and appropriate monitoring.
Containers and virtualization
| Technology | Key consideration |
|---|---|
| Virtual machine | Isolate workloads, patch guest OS, secure hypervisor management plane |
| Container | Use trusted images, scan images, minimize privileges, protect secrets, patch base images |
| Infrastructure as code | Store templates in version control, peer review changes, scan configurations, use repeatable deployment |
| Serverless | Secure permissions, input validation, dependencies, secrets, and logging |
3.4 Secure communications
| Requirement | Best-fit protocol or control | Avoid |
|---|---|---|
| Secure web traffic | HTTPS using TLS | Plain HTTP |
| Secure remote shell | SSH | Telnet |
| Secure file transfer through SSH | SFTP or SCP | FTP |
| Secure file transfer with TLS | FTPS | FTP |
| Secure network management | SNMPv3 | Earlier insecure SNMP configurations |
| Secure directory queries | LDAPS or LDAP protected with TLS | Plain LDAP over untrusted networks |
| Network-layer VPN | IPSec | Assuming encryption without key management or authentication |
| Email authenticity | SPF, DKIM, and DMARC together | Relying on only one signal |
Email security roles
| Control | Purpose |
|---|---|
| SPF | Identifies authorized sending systems for a domain |
| DKIM | Adds a cryptographic signature to help verify message integrity and domain association |
| DMARC | Defines policy and reporting for messages that fail alignment checks |
3.5 Data protection architecture
Data states
| Data state | Example | Typical controls |
|---|---|---|
| Data at rest | Database, disk, backup, file | Disk encryption, database encryption, access control, key management |
| Data in transit | Network communication | TLS, IPSec, VPN, secure protocols |
| Data in use | Data actively processed in memory | Strong access control, application isolation, secure execution design |
Classification and handling
The more sensitive the data, the stricter the access, encryption, retention, monitoring, and disposal requirements should be.
| Need | Strong control choice |
|---|---|
| Prevent sensitive data from leaving approved channels | DLP |
| Replace payment data with a non-sensitive substitute | Tokenization |
| Hide selected fields in test or support screens | Masking |
| Remove sensitive content from released documents | Redaction |
| Keep recoverable stored data confidential | Encryption |
3.6 Resilience and recovery architecture
Recovery metrics
| Metric | Meaning | Question clue |
|---|---|---|
| RTO | Maximum acceptable time to restore service | “How quickly must the system return?” |
| RPO | Maximum acceptable data loss measured in time | “How much recent data may be lost?” |
| MTTR | Average time to repair or restore | “How long does recovery typically take?” |
| MTBF | Average operating time between failures | “How frequently does the component fail?” |
Recovery sites
| Site type | Readiness | Cost | Recovery speed |
|---|---|---|---|
| Hot site | Fully prepared and rapidly usable | Highest | Fastest |
| Warm site | Partially prepared | Medium | Moderate |
| Cold site | Basic facility with limited equipment or setup | Lowest | Slowest |
Backup strategies
| Backup type | Captures | Restore consideration |
|---|---|---|
| Full | All selected data | Fastest restore, larger backup window and storage use |
| Incremental | Changes since the most recent backup of any type | Efficient backups, restore may require multiple sets |
| Differential | Changes since the last full backup | Restore usually needs last full plus latest differential |
| Snapshot | Point-in-time state | Useful for rapid rollback but not always a complete off-system backup strategy |
| Replication | Copies data to another system or location | Supports availability but can replicate corruption or ransomware |
| Immutable or offline backup | Protected from routine alteration or deletion | Important for ransomware resilience |
Power and availability
| Control | Best purpose |
|---|---|
| UPS | Immediate short-term power and graceful shutdown or bridge to generator |
| Generator | Longer-duration backup power |
| Redundant links and systems | Reduce single points of failure |
| Load balancing | Distribute traffic and improve availability |
| Clustering | Maintain service across multiple nodes |
Domain 3 traps
- Replication is not the same as a clean ransomware-resistant backup.
- A snapshot is useful but may not satisfy long-term backup requirements by itself.
- A hot site is fast but expensive; a cold site is inexpensive but slow.
- A VPN is not an authorization model. Still apply least privilege.
- The cloud provider does not automatically own every security task.
- Public-facing systems should not sit on the same flat network as critical databases.
Domain 4: Security Operations — 28%
4.1 Secure baselines and hardening
A secure baseline is an approved configuration standard that is established, deployed, monitored, and updated.
Hardening checklist
- patch operating systems, applications, firmware, and dependencies;
- disable unused ports, protocols, services, and accounts;
- remove unnecessary software;
- change default credentials;
- use host firewalls;
- use endpoint protection and EDR where appropriate;
- enforce secure configuration templates;
- protect administrative interfaces;
- separate administrative accounts from ordinary user accounts;
- enable logging and time synchronization;
- validate configuration drift.
Platform-specific focus
| Platform | High-value controls |
|---|---|
| Workstation | Patch, EDR, host firewall, least privilege, application allowlisting where justified |
| Server | Minimal services, secure baseline, restricted administration, monitored logs, backup validation |
| Mobile device | MDM, screen lock, encryption, remote wipe, application policy, update enforcement |
| Network device | Secure management protocol, strong authentication, configuration backup, ACL, logging |
| Cloud resource | Secure identity, least-privilege role, security group review, logging, configuration monitoring |
| Container | Trusted image, image scanning, non-root execution where practical, secrets protection |
| IoT or OT | Asset inventory, segmentation, restricted communication, safe maintenance window, compensating controls |
4.2 Asset lifecycle and disposal
Security operations require an accurate inventory and managed lifecycle.
| Stage | Security focus |
|---|---|
| Acquisition | Approved source, ownership, classification, baseline requirements |
| Assignment | Responsible owner, configuration, access control |
| Monitoring | Inventory updates, patches, changes, vulnerabilities |
| Decommissioning | Remove access, sanitize data, update inventory, retain evidence where required |
| Disposal | Sanitization, destruction, certification, chain of custody where necessary |
Trap: Deleting files is not always sufficient sanitization.
4.3 Monitoring and detection tools
Tool comparison
| Tool | Core purpose | Best scenario | Common confusion |
|---|---|---|---|
| SIEM | Centralize, correlate, alert on, and retain logs | Multiple systems must be analyzed together | SIEM is not an endpoint prevention agent. |
| EDR | Detect, investigate, and respond on endpoints | Isolate a compromised workstation, inspect process behavior | EDR is endpoint-focused, not a network perimeter firewall. |
| XDR | Correlate detections across multiple security layers | Broader investigation across endpoint, identity, email, and network telemetry | Do not assume every organization requires XDR instead of SIEM. |
| IDS | Detect suspicious network activity and alert | Visibility without inline blocking | IDS does not automatically block. |
| IPS | Detect and block suspicious traffic inline | Immediate network enforcement is required | Inline placement can affect traffic if misconfigured. |
| WAF | Protect web applications at the HTTP layer | SQL injection or XSS risk against a web application | A general network firewall is not a complete substitute. |
| Firewall | Enforce allowed and denied network flows | Restrict ports, addresses, protocols, and zones | A firewall does not replace secure application code. |
| DNS filtering | Block access to malicious or prohibited domains | Reduce access to known harmful destinations | It does not fix endpoint compromise already present. |
| DLP | Detect or restrict sensitive-data movement | Prevent regulated data exfiltration | DLP is not a backup solution. |
| NAC | Restrict network access based on identity or posture | Quarantine devices failing policy | NAC is not simply a VPN. |
| Sandbox | Execute suspicious content in an isolated environment | Analyze an unknown attachment safely | Do not open the file on an administrator workstation. |
Logging essentials
Collect the log source most directly related to the question.
| Investigation question | Useful source |
|---|---|
| Was a connection allowed or blocked? | Firewall logs |
| What process executed on a host? | Endpoint and OS security logs, EDR telemetry |
| Which web request triggered an error or suspicious action? | Application, web server, and WAF logs |
| Was authentication successful or denied? | Identity provider, directory, and authentication logs |
| What occurred on the network? | IDS/IPS logs, network flow data, packet capture |
| Did a user download or send sensitive content? | DLP, email, proxy, and endpoint logs |
Time synchronization
Accurate timestamps are essential for event correlation and forensics. Use centralized time synchronization and verify that systems record the correct time zone and timestamp format.
4.4 Vulnerability management
Lifecycle
- Identify assets and scope. You cannot prioritize what you do not know exists.
- Discover vulnerabilities. Use scans, assessments, advisories, and configuration review.
- Analyze context. Consider severity, exploitability, exposure, asset criticality, active exploitation, and compensating controls.
- Prioritize. A critical internet-facing weakness on a business-critical system usually outranks a lower-impact internal issue.
- Remediate. Patch, reconfigure, segment, replace, mitigate, or formally accept with governance.
- Validate. Rescan, audit, or verify that the control works.
- Report and track. Assign ownership and due dates; measure overdue findings and time to remediate.
Scanner types
| Type | Strength | Limitation |
|---|---|---|
| Credentialed scan | More accurate visibility into installed software and configuration | Requires protected credentials and careful permissions |
| Non-credentialed scan | Shows what an external or unauthenticated perspective can see | Less internal detail |
| Agent-based scan | Useful for devices that are not always reachable centrally | Requires agent management |
| Application scan | Finds web or application-specific issues | Does not replace infrastructure assessment |
False positives and validation
Do not blindly deploy a risky production change based only on a scanner result. Validate the finding, prioritize it, test remediation, deploy through change management, and rescan.
4.5 Identity and access management
IAM lifecycle
| Stage | Action |
|---|---|
| Provisioning | Create identity, assign only required access |
| Role change | Adjust access promptly when responsibilities change |
| Periodic review | Confirm access remains justified |
| Deprovisioning | Disable access quickly when no longer required |
Access models
| Model | Basis | Best fit |
|---|---|---|
| RBAC | Job role | Stable organizational responsibilities |
| ABAC | Attributes and conditions | Context-aware access decisions using identity, device, location, or resource attributes |
| Rule-based access | Defined system rules | Firewall or policy evaluation based on explicit rules |
| Discretionary access control | Owner decides access | Flexible resource-owner management |
| Mandatory access control | Central labels and classifications | High-control environments with strict classification rules |
Authentication factors
| Factor category | Examples |
|---|---|
| Something you know | Password, PIN |
| Something you have | Smart card, security key, authenticator device |
| Something you are | Fingerprint, face, iris |
| Somewhere you are | Location or network context |
| Something you do | Behavioral pattern such as typing rhythm |
MFA requires different factor categories. Two passwords are not MFA.
IAM tool selection
| Need | Best choice |
|---|---|
| One login experience for multiple applications | SSO |
| Exchange trust between identity domains | Federation |
| Temporary privileged access | PAM with just-in-time permissions |
| Protect and rotate privileged passwords | Password vaulting and secrets management |
| Reduce standing privileges | Ephemeral credentials and JIT access |
| Review whether access is still justified | Periodic access review |
| Control machine-to-machine credentials | Service-account governance and secrets rotation |
PAM essentials
Use privileged access management for sensitive administrative access:
- password vaulting;
- just-in-time permissions;
- session monitoring;
- ephemeral credentials;
- approval workflow;
- separation of administrator and user accounts.
Trap: Sharing one administrator account prevents reliable attribution and increases exposure.
4.6 Automation and orchestration
Automation can improve consistency and reaction time, but it must use safeguards.
Useful automation cases
- user provisioning and deprovisioning;
- resource provisioning;
- configuration guardrails;
- security-group validation;
- ticket creation and escalation;
- disabling compromised access;
- enrichment of alerts;
- continuous integration testing;
- API integrations;
- baseline enforcement.
Automation risks
- unintended large-scale change;
- single point of failure;
- excessive permissions;
- complexity and technical debt;
- poor exception handling;
- insufficient monitoring;
- lack of human review for high-impact actions.
Decision rule: Automate repeatable tasks, but use approval gates, logging, testing, scope restrictions, and rollback for high-impact actions.
4.7 Incident response
Standard process
| Stage | Purpose | Typical actions |
|---|---|---|
| Preparation | Be ready before an incident | Plans, contacts, playbooks, backups, tools, training, tabletop exercises |
| Detection | Notice suspicious activity | Alerts, user reports, monitoring |
| Analysis | Confirm, scope, and prioritize | Investigate evidence, identify affected assets and likely cause |
| Containment | Limit damage | Isolate endpoint, block indicator, restrict access, segment |
| Eradication | Remove the cause | Remove malware, disable compromised account, patch weakness, eliminate persistence |
| Recovery | Restore safe service | Rebuild or restore, monitor closely, validate operation |
| Lessons learned | Improve the program | Root cause analysis, control updates, metrics, documentation |
First-action reasoning
- If an endpoint is actively spreading malware, isolate it before performing a full rebuild.
- If evidence is required, preserve evidence before making avoidable destructive changes.
- If uptime has returned but compromise recurs, perform root cause analysis and remove persistence.
- If a suspicious file must be examined, use an isolated sandbox.
4.8 Digital forensics and investigation
Forensic priorities
- preserve evidence integrity;
- maintain chain of custody;
- document acquisition and handling;
- avoid unnecessary modification;
- use legal hold when data must be retained for legal or regulatory reasons;
- report findings accurately;
- support e-discovery where required.
Order-of-volatility idea
Collect more volatile evidence before less volatile evidence when appropriate and authorized. Memory and active network-state information may disappear faster than stored disk evidence.
Domain 4 traps
- Do not restore service and close the case while persistence remains.
- Do not rebuild a host before preserving required evidence.
- Do not choose IDS when the requirement is to block inline.
- Do not choose a firewall alone for a web-application-layer attack.
- Do not treat SSO as MFA.
- Do not leave service-account credentials static and embedded in code.
- Do not assume patching succeeded without rescanning or verification.
- Do not automate high-impact actions without guardrails.
Domain 5: Security Program Management and Oversight — 20%
5.1 Governance document hierarchy
| Document | Purpose | Example |
|---|---|---|
| Policy | High-level management intent and direction | “The organization will protect sensitive information.” |
| Standard | Mandatory detailed requirement | Minimum password length, encryption requirement, approved protocol |
| Procedure | Step-by-step instructions | How to onboard a user or respond to a phishing report |
| Guideline | Recommended but flexible advice | Suggested secure coding practice |
| Playbook | Repeatable response steps for a scenario | Ransomware response playbook |
Governance structures and roles
| Role | Typical responsibility |
|---|---|
| Data owner | Determines classification and authorized use |
| Data controller | Determines purpose and means of processing in privacy context |
| Data processor | Processes data on behalf of a controller |
| Custodian or steward | Handles operational protection and lifecycle activities |
| Executive leadership | Sets risk appetite and approves strategy |
| Security team | Implements and monitors controls |
| Internal audit | Independently evaluates controls within the organization |
5.2 Risk management
Risk terms
| Term | Meaning |
|---|---|
| Threat | Potential cause of harm |
| Vulnerability | Weakness that could be exploited |
| Likelihood | Probability that the risk will occur |
| Impact | Consequence if the event occurs |
| Exposure factor | Percentage of asset value lost in one event |
| Single loss expectancy (SLE) | Expected loss from one occurrence |
| Annualized rate of occurrence (ARO) | Expected occurrences per year |
| Annualized loss expectancy (ALE) | Expected annual financial loss |
| Risk appetite | Broad amount and type of risk the organization is willing to pursue or retain |
| Risk tolerance | Acceptable variation or threshold for a specific risk area |
| Risk register | Tracked list of risks, owners, treatment, status, and supporting information |
Quantitative formulas
- SLE = Asset Value × Exposure Factor
- ALE = SLE × ARO
Use quantitative analysis when financial estimates are reliable enough to support decisions. Use qualitative analysis when relative ranking is more practical.
Risk treatment options
| Treatment | Meaning | Example |
|---|---|---|
| Mitigate | Reduce likelihood or impact | Patch system, segment network, deploy MFA |
| Transfer | Shift some financial or contractual impact | Cyber insurance, outsourced service with defined obligations |
| Avoid | Stop the risky activity | Retire unsupported system or discontinue exposed service |
| Accept | Formally retain risk within tolerance | Documented approval and monitoring |
| Exception or exemption | Authorized deviation from a requirement under defined conditions | Time-bound legacy-system exception with compensating controls |
Trap: Risk transfer rarely eliminates accountability. The organization still needs oversight.
5.3 Business impact analysis and continuity
A BIA identifies critical processes, dependencies, recovery priorities, and acceptable interruption levels.
| Metric | Use |
|---|---|
| RTO | Maximum acceptable restoration time |
| RPO | Maximum acceptable data loss measured in time |
| MTTR | Average repair or recovery duration |
| MTBF | Reliability measure: average time between failures |
Continuity decision rule
When leaders disagree about restoration priorities or backup ownership, perform a BIA, assign responsibilities, document objectives, and test the recovery plan. Buying another endpoint tool does not solve a continuity-governance gap.
5.4 Third-party risk management
Lifecycle
- identify the vendor’s access and data exposure;
- perform due diligence before granting access;
- define security requirements contractually;
- limit vendor access using least privilege;
- monitor performance and evidence;
- reassess periodically;
- revoke access and handle data at contract termination.
Agreement selection guide
| Agreement | Use it for |
|---|---|
| SLA | Measurable service commitments such as uptime and response time |
| NDA | Restrictions on use and disclosure of confidential information |
| MOU | Understanding or cooperative arrangement between parties |
| Master service agreement | Broad commercial terms governing an ongoing relationship |
| Data processing agreement | Privacy and processing responsibilities for personal information |
| Rules of engagement | Authorized scope, targets, time window, methods, contacts, and stop conditions for a security test |
Evidence and assurance
A certification or assurance report supports due diligence but does not remove the need to assess relevance, review scope, monitor the vendor, and manage residual risk.
5.5 Compliance, privacy, and audits
Compliance reasoning
Map legal, regulatory, contractual, industry, and privacy obligations to controls. Requirements may differ by jurisdiction, business sector, data type, and contract.
Privacy principles
- collect only the data required for a defined purpose;
- retain data only as long as required;
- control access;
- support secure disposal;
- document processing and sharing;
- protect personal information in storage, transit, and use;
- monitor third-party processing.
Audit and assessment comparison
| Activity | Purpose | Key distinction |
|---|---|---|
| Internal audit | Independent review performed by the organization’s audit function | Internal but should be objective |
| External audit | Review performed by an outside assessor | Provides independent external assurance |
| Vulnerability scan | Finds potential weaknesses | Does not demonstrate controlled exploitation |
| Penetration test | Authorized attempt to exploit weaknesses and show impact | Requires scope and rules of engagement |
| Tabletop exercise | Discussion-based walkthrough of a scenario | Tests decision-making and readiness without full technical simulation |
| Simulation | More realistic operational exercise | Tests processes under more lifelike conditions |
5.6 Awareness and reporting
Effective awareness program
- recurring rather than one-time;
- role-based where appropriate;
- measured using outcomes;
- reinforced with simulations;
- paired with easy reporting channels;
- designed to improve behavior, not publicly shame users.
Common awareness topics
- phishing and suspicious-message reporting;
- password and MFA hygiene;
- social engineering;
- removable media;
- tailgating and visitor control;
- data handling;
- hybrid and remote work;
- anomalous behavior and insider risk;
- operational security.
Useful security metrics
| Goal | Good metric |
|---|---|
| Improve remediation | Time to remediate by severity; overdue findings |
| Improve detection | Mean time to detect |
| Improve incident handling | Mean time to contain and recover |
| Improve awareness | Simulation reporting rate and repeat failure trend |
| Improve access governance | Overdue access reviews, excessive privilege findings |
| Improve vendor oversight | Open findings, reassessment completion, SLA performance |
Due care and due diligence
- Due care: implement reasonable safeguards.
- Due diligence: continuously verify that safeguards remain appropriate and effective.
Buying one tool and never reviewing risk is not due diligence.
Domain 5 traps
- Policy is high-level; a standard contains mandatory detail.
- An SLA defines measurable service performance; an NDA protects confidentiality.
- A penetration test must be authorized and scoped.
- A vulnerability scan is not a governance program or a complete audit.
- Data minimization is stronger than collecting everything indefinitely.
- A temporary exception must be approved, time-bound, monitored, and paired with compensating controls.
- Risk transfer does not eliminate oversight.
5. Security Tool and Control Selection Guide
Security+ questions frequently present multiple useful controls. Select the option that is closest to the stated requirement.
Monitoring, prevention, and response tools
| Requirement | Choose | Do not choose as the primary answer | Reason |
|---|---|---|---|
| Correlate logs across many systems | SIEM | EDR only | SIEM centralizes and correlates events across sources. |
| Investigate and isolate a compromised workstation | EDR | Network firewall only | EDR provides endpoint visibility and response. |
| Block malicious traffic inline | IPS | IDS | IDS alerts but does not automatically block. |
| Protect a web application from common HTTP-layer attacks | WAF | General firewall only | WAF understands web-application traffic patterns. |
| Restrict a device that fails policy checks | NAC | VPN only | NAC evaluates access and posture. |
| Stop sensitive data from leaving approved channels | DLP | Backup system | DLP focuses on data movement and policy enforcement. |
| Safely inspect a suspicious attachment | Sandbox | Administrator workstation | Isolation prevents production compromise. |
| Reduce access to malicious domains | DNS filtering | Disk encryption | DNS filtering blocks domain resolution or access paths. |
| Limit lateral movement | Segmentation and narrow rules | Flat VLAN | Segmentation reduces blast radius. |
| Control privileged accounts | PAM with JIT access and vaulting | Shared administrator password | PAM improves least privilege, attribution, and credential control. |
Identity service selection
| Scenario | Best fit | Why |
|---|---|---|
| A user wants one sign-in experience across applications | SSO | Simplifies authentication experience across systems. |
| Two organizations need identity trust | Federation | Allows trust exchange between identity domains. |
| Administrator access should exist only during a maintenance window | PAM with JIT permissions | Reduces standing privilege. |
| A device credential must rotate without embedding a static password in code | Secrets manager | Centralized retrieval and rotation. |
| Access depends on device health, user role, location, and resource sensitivity | ABAC or context-aware access | Evaluates attributes rather than only job role. |
| Employees should receive permissions based on their stable job duties | RBAC | Maps access to organizational roles. |
Cryptography selection
| Requirement | Best fit | Why the common distractor fails |
|---|---|---|
| Verify a downloaded file has not changed | Compare cryptographic hash | Encryption after download does not prove the original file was unchanged. |
| Encrypt a large archive efficiently | Symmetric encryption | Asymmetric encryption is usually inefficient for bulk data. |
| Prove a specific person approved a transaction | Digital signature | A shared key cannot reliably prove which individual acted. |
| Check whether a certificate was revoked | OCSP or CRL | A CSR requests a certificate; it does not check revocation. |
| Store user passwords | Salted slow hash | Reversible encryption exposes all passwords if its key is compromised. |
| Replace sensitive payment data while retaining business workflows | Tokenization | Masking hides display values but may not replace the underlying sensitive value. |
Governance selection
| Requirement | Best fit |
|---|---|
| State high-level security direction | Policy |
| Define mandatory password length | Standard |
| Explain step-by-step onboarding tasks | Procedure |
| Provide flexible recommendations | Guideline |
| Define vendor uptime and response commitments | SLA |
| Restrict confidential information disclosure | NDA |
| Authorize penetration-test targets and timing | Rules of engagement |
| Track risks, owners, status, and treatment | Risk register |
6. Architecture Patterns and Common Exam Scenarios
Scenario 1: Public-facing server must access internal data safely
Recommended pattern: Place the public service in a DMZ or segmented zone. Allow only the required application flow to the internal database. Monitor traffic and harden the public host.
Why alternatives fail: A flat VLAN increases lateral-movement risk. Broad internal access violates least privilege. Disabling logs removes visibility.
Scenario 2: Legacy service cannot support MFA
Recommended pattern: Use a monitored jump host or proxy, strict allowlisting, segmentation, strong logging, temporary exception approval, and a replacement plan.
Why alternatives fail: Publishing the service directly increases exposure. Removing the standard hides risk rather than managing it.
Scenario 3: Remote contractor needs one application
Recommended pattern: Provide application-specific, context-aware, least-privilege access from a managed device. Require appropriate authentication and monitor activity.
Why alternatives fail: A broad employee VPN group exposes unrelated systems. Shared administrator credentials destroy accountability.
Scenario 4: Suspicious attachment requires analysis
Recommended pattern: Open the attachment in an isolated sandbox and collect behavioral indicators.
Why alternatives fail: Opening it on a privileged workstation may compromise production. Forwarding it widely increases risk.
Scenario 5: Internet-facing application is vulnerable to SQL injection
Recommended pattern: Fix the code using parameterized queries and input validation. Add WAF protection as defense in depth. Restrict database-account permissions.
Why alternatives fail: A network firewall alone does not correct unsafe query construction. Encryption does not stop malicious input.
Scenario 6: Ransomware spreads through endpoints
Recommended pattern: Isolate affected endpoints, preserve evidence, scope the incident, disable compromised access, eradicate persistence, restore from validated clean backups, and conduct lessons learned.
Why alternatives fail: Rebuilding immediately may destroy evidence. Restoring from an unvalidated backup may reintroduce compromise.
Scenario 7: Vendor will process sensitive data
Recommended pattern: Perform due diligence, classify the data, define contractual security and privacy requirements, enforce least-privilege access, monitor evidence, and plan termination handling.
Why alternatives fail: A marketing brochure is not assurance. Access should not be granted before review.
Scenario 8: Cloud environment has configuration drift
Recommended pattern: Use infrastructure as code, version control, peer review, automated scanning, guardrails, and monitored deployment.
Why alternatives fail: Manual untracked production edits weaken attribution and repeatability.
Scenario 9: High availability is required with minimal data loss
Recommended pattern: Define RTO and RPO first. Select redundancy, replication, journaling, backups, and an appropriate recovery site based on those objectives. Protect at least one backup from alteration.
Why alternatives fail: Replication alone can copy corruption or ransomware. A cold site may not meet a short RTO.
Scenario 10: Security team needs evidence of administrator actions
Recommended pattern: Use individual administrator accounts, PAM where appropriate, session logging, and accounting records.
Why alternatives fail: Shared administrator credentials prevent reliable attribution.
Scenario 11: Scanner reports a critical production weakness
Recommended pattern: Validate the finding, assess exposure and business criticality, test remediation, deploy through change control, rescan, and report closure.
Why alternatives fail: Immediate untested production changes may cause an outage. Ignoring the scan leaves risk unmanaged.
Scenario 12: User clicks realistic phishing lures repeatedly
Recommended pattern: Use recurring simulations, targeted coaching, easy reporting, email controls, and outcome measurement.
Why alternatives fail: Annual slides alone are insufficient. Public punishment discourages reporting and harms culture.
7. Exam Traps and Answer-Elimination Strategy
Misleading wording
| Wording | What it changes |
|---|---|
| FIRST | Choose the earliest safe and necessary step, not the final solution. |
| BEST | Choose the option that most directly meets the requirement and reduces risk appropriately. |
| MOST likely | Select the explanation that fits the evidence, not the most severe possibility. |
| MOST appropriate | Consider business context, technical fit, scope, and governance. |
| Select TWO | Both selected actions must work together and satisfy the prompt. |
| Temporary legacy constraint | Look for compensating controls, monitoring, exception approval, and migration plan. |
| Evidence or legal requirement | Preserve data and chain of custody before destructive action. |
| Public-facing system | Consider DMZ, segmentation, narrow rules, WAF, and monitoring. |
| Recurring compromise after recovery | Look for root cause analysis and persistence removal. |
Wrong-but-plausible distractor patterns
1. Useful tool, wrong layer
- General firewall instead of WAF for HTTP-layer application attacks.
- SIEM instead of EDR for isolating a workstation.
- VPN instead of authorization for resource-level access.
- Encryption instead of input validation for SQL injection.
2. Correct final step, wrong order
- Rebuild before preserving evidence.
- Restore service before containing spread.
- Close incident after uptime returns without root cause analysis.
- Patch production immediately without testing or change review.
3. Too broad
- Grant general VPN access when one application is required.
- Put all servers and databases on one VLAN.
- Share one administrator account.
- Give a service account unnecessary permissions.
4. Too narrow
- Buy more antivirus licenses when the real problem is untested continuity planning.
- Rotate one unrelated password when persistence is unknown.
- Provide annual training only when behavior remains poor.
- Rely on one email-authentication signal when layered SPF, DKIM, and DMARC controls are appropriate.
5. Removes visibility
Options that disable logging, monitoring, alerts, or evidence preservation are usually wrong unless the prompt explicitly justifies them.
6. Replaces governance with convenience
- Grant vendor access before due diligence.
- Use verbal promises instead of contractual obligations.
- Treat a temporary exception as permanent.
- Skip approval and rollback for urgent changes.
Five-step elimination strategy
- Cross out answers that increase exposure: flat network, unrestricted access, public service publication, shared credentials.
- Cross out answers that destroy evidence or visibility: disable logging, wipe immediately, rebuild before preservation.
- Cross out answers at the wrong layer: general firewall for code weakness, backup for DLP requirement, SSO for MFA requirement.
- Cross out answers that ignore lifecycle: patch without validation, vendor access without onboarding review, data retention without disposal.
- Choose the answer matching the stated priority: confidentiality, integrity, availability, containment, evidence, compliance, or measurable recovery target.
8. Quick Memory Rules
Fast “if you see X, think Y” mapping
| If you see... | Think... |
|---|---|
| Unauthorized data change | Integrity |
| Unauthorized disclosure | Confidentiality |
| Service outage or denial of service | Availability |
| Record of administrator actions | Accounting |
| Prove who approved something | Digital signature and non-repudiation |
| Verify a file was not changed | Hash |
| Encrypt large data efficiently | Symmetric encryption |
| Website certificate revocation status | OCSP or CRL |
| Legacy system cannot meet required control | Compensating control plus time-bound exception |
| Public server must remain reachable | DMZ and narrow traffic rules |
| Limit lateral movement | Segmentation or microsegmentation |
| Analyze suspicious file safely | Sandbox |
| Block web-layer attacks | WAF |
| Correlate logs | SIEM |
| Investigate or isolate endpoint | EDR |
| Detect only | IDS |
| Detect and block inline | IPS |
| Device posture before network access | NAC |
| Stop sensitive-data exfiltration | DLP |
| Temporary admin rights | PAM with JIT permissions |
| Machine password embedded in code | Secrets manager and rotation |
| One login across applications | SSO |
| Trust between identity domains | Federation |
| How fast must recovery occur? | RTO |
| How much data can be lost? | RPO |
| Uptime and response commitments | SLA |
| Confidentiality during negotiation | NDA |
| Authorized test scope and stop conditions | Rules of engagement |
| Risk owner, treatment, and status | Risk register |
| Collect only required personal data | Data minimization |
| Unclear restoration priorities | BIA |
| Incident keeps returning | Root cause analysis and persistence removal |
Acronym cluster review
| Acronym | Meaning | Recall clue |
|---|---|---|
| AAA | Authentication, authorization, accounting | Identity, permissions, records |
| ALE | Annualized loss expectancy | SLE × ARO |
| ARO | Annualized rate of occurrence | Expected frequency per year |
| BIA | Business impact analysis | Critical processes and recovery priorities |
| CA | Certificate authority | Signs certificates |
| CSR | Certificate signing request | Requests a certificate |
| CRL | Certificate revocation list | Published revoked certificates |
| DLP | Data loss prevention | Sensitive-data movement control |
| DMARC | Domain-based Message Authentication, Reporting, and Conformance | Email policy and reporting |
| DKIM | DomainKeys Identified Mail | Email signature |
| EDR | Endpoint detection and response | Endpoint investigation and isolation |
| IAM | Identity and access management | Identity lifecycle and access control |
| IDS | Intrusion detection system | Alert |
| IPS | Intrusion prevention system | Inline block |
| MFA | Multifactor authentication | Different factor categories |
| MTBF | Mean time between failures | Reliability |
| MTTR | Mean time to repair | Repair duration |
| NAC | Network access control | Admission and posture |
| OCSP | Online Certificate Status Protocol | Certificate revocation query |
| PAM | Privileged access management | Admin access control |
| RPO | Recovery point objective | Acceptable data loss |
| RTO | Recovery time objective | Acceptable downtime |
| SASE | Secure access service edge | Cloud-delivered secure access architecture |
| SIEM | Security information and event management | Central log correlation |
| SLA | Service-level agreement | Measurable service commitments |
| SLE | Single loss expectancy | Asset value × exposure factor |
| SPF | Sender Policy Framework | Authorized email senders |
| SSO | Single sign-on | One sign-in experience |
| TLS | Transport Layer Security | Protect data in transit |
| UPS | Uninterruptible power supply | Short-term backup power |
| WAF | Web application firewall | HTTP-layer protection |
| XDR | Extended detection and response | Cross-layer telemetry correlation |
Ten rules worth memorizing
- Preserve evidence before destructive action.
- Contain active spread before full recovery.
- Reduce blast radius with segmentation and least privilege.
- Validate remediation; do not assume the patch worked.
- Choose the tool at the closest layer to the problem.
- Cloud security remains a shared responsibility.
- Replication supports availability but does not replace protected backups.
- Temporary exceptions must be documented, monitored, and time-bound.
- A policy sets intent; a standard states mandatory detail; a procedure explains steps.
- Governance gaps require governance fixes, not only another technical tool.
9. Final Revision Notes
Highest-yield review points
Security Operations
- Know the incident response order and select the correct first action.
- Match SIEM, EDR, XDR, IDS, IPS, WAF, NAC, DLP, firewall, DNS filtering, and sandbox to their strongest use case.
- Apply secure baselines and reduce attack surface.
- Understand vulnerability management from discovery through verification.
- Know IAM lifecycle, RBAC versus ABAC, MFA factors, SSO, federation, PAM, service-account management, and access reviews.
- Preserve evidence, maintain chain of custody, and correlate logs using accurate timestamps.
- Automate repeatable work with testing, guardrails, logging, approval, and rollback.
Threats, Vulnerabilities, and Mitigations
- Recognize social-engineering clues quickly.
- Distinguish password spraying, credential stuffing, brute force, and rainbow-table attacks.
- Know SQL injection, XSS, CSRF, buffer overflow, race conditions, and API risks.
- Prioritize patching, hardening, segmentation, least privilege, endpoint protection, and monitoring.
- Treat default credentials, unsupported systems, and unnecessary services as high-risk exposure.
Security Architecture
- Place public-facing systems in a DMZ or segmented zone.
- Use secure protocols and disable legacy protocols.
- Know data at rest, in transit, and in use.
- Understand shared responsibility in IaaS, PaaS, and SaaS.
- Define RTO and RPO before selecting recovery architecture.
- Keep protected backup copies that routine compromise cannot alter.
Security Program Management and Oversight
- Select the right governance document.
- Know risk treatment choices and the difference between appetite and tolerance.
- Understand BIA metrics.
- Apply due diligence before vendor access and monitor throughout the relationship.
- Match SLA, NDA, MOU, and rules of engagement to the scenario.
- Use recurring, measured, role-relevant awareness training.
- Apply data minimization, retention, and secure disposal.
General Security Concepts
- Know CIA, AAA, non-repudiation, control types, zero trust, and deception controls.
- Distinguish symmetric encryption, asymmetric cryptography, hashing, salting, digital signatures, certificates, OCSP, and CRL.
- Apply formal change management with approval, testing, rollback, documentation, and version control.
Last-day revision list
Read these items once more immediately before the exam:
- incident response sequence;
- RTO versus RPO;
- SLE, ARO, and ALE;
- policy versus standard versus procedure versus guideline;
- SLA versus NDA versus rules of engagement;
- IDS versus IPS;
- SIEM versus EDR versus XDR;
- firewall versus WAF;
- SSO versus federation versus MFA versus PAM;
- hash versus encryption versus digital signature;
- OCSP versus CRL versus CSR;
- full versus incremental versus differential backup;
- hot versus warm versus cold site;
- SQL injection versus XSS versus CSRF;
- brute force versus spraying versus credential stuffing;
- DMZ, segmentation, microsegmentation, NAC, and zero trust;
- data at rest, in transit, and in use;
- due care versus due diligence;
- risk mitigation versus transfer versus avoidance versus acceptance;
- evidence preservation and chain of custody.
10. Exam-Day Checklist
Must-know checklist
Foundations
- I can map a scenario to confidentiality, integrity, or availability.
- I can distinguish authentication, authorization, and accounting.
- I can classify preventive, detective, corrective, deterrent, directive, and compensating controls.
- I know when zero trust requires continuous evaluation rather than network-based trust.
- I can select hashing, symmetric encryption, asymmetric cryptography, signatures, certificates, OCSP, and CRL correctly.
Threats and vulnerabilities
- I can recognize major social-engineering techniques.
- I can distinguish common password attacks.
- I can recognize SQL injection, XSS, CSRF, buffer overflow, race conditions, and API risks.
- I can select practical mitigations for malware, exposed services, unsupported systems, and default credentials.
Architecture
- I know when to use segmentation, DMZ, microsegmentation, jump host, NAC, and SASE.
- I can explain shared responsibility for IaaS, PaaS, and SaaS.
- I can choose secure protocols instead of insecure legacy protocols.
- I can match controls to data at rest, in transit, and in use.
- I can distinguish RTO, RPO, MTTR, and MTBF.
- I know the strengths and weaknesses of replication, snapshots, and backups.
Operations
- I can select SIEM, EDR, XDR, IDS, IPS, WAF, DLP, NAC, DNS filtering, firewall, and sandbox correctly.
- I understand secure baseline deployment and hardening.
- I understand the vulnerability-management lifecycle and validation step.
- I can distinguish RBAC, ABAC, SSO, federation, MFA, and PAM.
- I know the incident response sequence and common first-action traps.
- I know when to preserve evidence and maintain chain of custody.
- I understand safe automation with guardrails.
Governance and oversight
- I can distinguish policy, standard, procedure, guideline, and playbook.
- I can select mitigation, transfer, avoidance, acceptance, and exception management correctly.
- I can calculate SLE and ALE when given values.
- I can choose SLA, NDA, MOU, and rules of engagement correctly.
- I understand vendor due diligence and ongoing monitoring.
- I understand data minimization, retention, disposal, audits, and awareness measurement.
Final confidence checklist
Before submitting an answer, ask:
- Did I answer the word FIRST, BEST, or MOST appropriate correctly?
- Did I select the control closest to the actual layer of the problem?
- Did I avoid a choice that increases exposure or destroys visibility?
- Did I apply least privilege and limit blast radius?
- Did I preserve evidence when required?
- Did I include validation after remediation?
- Did I distinguish a governance issue from a purely technical issue?
- Did I reject convenience-based options that bypass approval, documentation, or monitoring?
Final One-Page Mental Model
When uncertain, reduce the problem to this sequence:
- Protect the right property: confidentiality, integrity, availability, identity, evidence, or compliance.
- Use the right layer: endpoint, network, application, identity, data, physical, or governance.
- Reduce exposure: least privilege, segmentation, secure defaults, minimized attack surface.
- Respond in the right order: detect, analyze, contain, eradicate, recover, learn.
- Preserve visibility: logs, time synchronization, evidence handling, monitoring.
- Validate the result: rescan, retest, audit, and track closure.
- Govern the lifecycle: owners, approvals, contracts, exceptions, reviews, retention, and disposal.
If two answers remain plausible, prefer the one that addresses the stated requirement most directly, creates the smallest blast radius, preserves evidence and visibility, and can be measured or validated afterward.
Unlock the full course
All 66 modules with detailed explanations, code examples, and exam tips.
While reviewing the clinical application at a media company, several public servers must remain reachable from the internet, but they should not have unrestricted access to internal databases. Which choice BEST explains the situation?
Get Your Personalized Results
Enter your email to receive your score, weak-topic analysis, and a personalized revision plan.
Results sent! Check your inbox.
This Question is Locked
You're viewing 35 of 1100 free questions.
trending_up Certified pros earn 20-30% more
Higher salary: IT certifications add $12,000-$25,000/year on average to your paycheck
Job security: 87% of hiring managers prefer candidates with certifications : you become irreplaceable
More opportunities: Freelance gigs, remote roles, and promotions open up instantly
Practice all questions: Comprehensive practice is the #1 predictor of passing
Mock Exam : Upgrade to Unlock
Available in Q&A + Course + Mock Exam package
You've already started : one exam away from a career upgrade.