Cert-Pass
Log in Sign up
arrow_back Cert

CompTIA Security+ SY0-701

🔥 0 streak
0%
timer Mock Exam lock Pro menu_book Course description 3-Page download Free
menu_book

Security+ SY0-701

Compressed Course

CompTIA Security+ SY0-701 Compressed Exam-Preparation Course

Purpose: A start-to-finish revision guide for CompTIA Security+ V7 (SY0-701), synthesized from the provided 1,100-question practice bank and organized around the official exam blueprint. It is designed for fast revision, scenario-based reasoning, and answer elimination.

Source-bank pattern analysis: The question bank repeatedly emphasizes control selection, attack recognition, vulnerability mitigation, segmentation, secure protocols, resilience, identity and access management, monitoring, incident response, forensics, risk management, vendor governance, compliance, and awareness training. Similar ideas have been consolidated so that each decision rule appears once in the clearest possible place.


1. Exam Overview

What the exam is testing

CompTIA Security+ SY0-701 validates whether you can make sound security decisions in realistic business and technical situations. It is not primarily a vocabulary test. Expect questions that ask for the best, most appropriate, or first action when several answers appear plausible.

The exam is vendor-neutral. You must recognize the purpose of controls and tools without relying on a specific product name.

The official exam focus is to verify that you can:

  • assess an enterprise security posture and recommend appropriate controls;
  • secure hybrid environments, including cloud, mobile, operational technology, and Internet of Things devices;
  • operate with an awareness of governance, risk, compliance, and privacy requirements;
  • identify, analyze, contain, eradicate, and recover from security events and incidents.

Exam format snapshot

Item SY0-701 exam detail
Exam version Security+ V7
Exam code SY0-701
Maximum number of questions 90
Time limit 90 minutes
Passing score 750 on a scale of 100–900
Question styles Multiple-choice and performance-based questions

How to think like the exam

Use this decision sequence:

  1. Identify the exact requirement. Is the question asking about confidentiality, integrity, availability, authentication, authorization, evidence, containment, resilience, compliance, or cost?
  2. Respect the timing word. “First” usually means stabilize, preserve evidence, or identify scope before making a permanent change. “Best” usually means the option that most directly satisfies the requirement with the least unnecessary risk.
  3. Prefer least privilege and reduced blast radius. Narrow access, segment networks, isolate suspicious systems, and remove unnecessary exposure.
  4. Choose the control closest to the problem. A web application attack suggests a web-focused defense. A compromised endpoint suggests endpoint isolation and EDR. A privileged-account risk suggests PAM and just-in-time access.
  5. Do not solve a governance problem with only a technical tool. A contract, policy, audit, exception, or risk register may be the correct answer.
  6. Do not overreact. Avoid options that disable logging, destroy evidence, grant broad access, apply untested production changes, or rely on one control only.
  7. Prefer repeatable and measurable controls. Centralized logging, documented procedures, version control, baselines, automation with guardrails, and validation are stronger than informal manual steps.

How to use this course

Read sections 1–4 in order for a complete foundation. Use sections 5–8 for targeted scenario practice. Use sections 9–10 in the final days before the exam.

A productive revision loop is:

  • review one domain;
  • answer a focused group of practice questions;
  • write down why your best wrong answer was wrong;
  • revisit the relevant comparison table;
  • repeat until you can explain the decision rule without memorizing the wording.

2. Exam Domains

Official domain priorities

Domain Weight Study priority Why it matters
1.0 General Security Concepts 12% Foundation Establishes the language used in every other domain: controls, CIA, AAA, zero trust, change management, and cryptography.
2.0 Threats, Vulnerabilities, and Mitigations 22% High Tests whether you can recognize attack patterns, distinguish vulnerabilities from threats, and choose practical mitigations.
3.0 Security Architecture 18% High Tests design choices for cloud, networks, data protection, resilience, and secure communications.
4.0 Security Operations 28% Highest The largest domain. Focus on hardening, monitoring, IAM, vulnerability management, incident response, automation, and investigation data sources.
5.0 Security Program Management and Oversight 20% High Tests governance, risk, third-party management, compliance, audits, privacy, and awareness.

What matters most

The source bank and official blueprint point to the following high-value areas:

  1. Security operations: incident response ordering, log selection, hardening, EDR, SIEM, IAM, PAM, vulnerability remediation, automation, and validation.
  2. Threat recognition and mitigation: phishing, credential attacks, application attacks, network attacks, malware, social engineering, and supply-chain risk.
  3. Architecture decisions: segmentation, zero trust, secure protocols, data states, cloud shared responsibility, backups, recovery sites, and availability design.
  4. Risk and governance: risk treatments, BIA metrics, policy hierarchy, vendor due diligence, contracts, audits, exceptions, awareness, and privacy.
  5. Foundational reasoning: CIA, AAA, control categories, encryption versus hashing versus signatures, PKI, and change management.

3. Start-to-Finish Study Path

Phase 1: Foundation

Build the vocabulary required to eliminate obviously wrong answers.

Study in this order:

  1. CIA triad, AAA, non-repudiation, least privilege, separation of duties.
  2. Control types and categories.
  3. Hashing, encryption, digital signatures, certificates, PKI, and key management.
  4. Threat actors, social engineering, malware, password attacks, and common web attacks.
  5. Network basics: segmentation, DMZ, VPN, TLS, IPSec, firewalls, IDS, IPS, WAF, and NAC.

Checkpoint: You should be able to explain why a hash does not provide confidentiality, why an IDS is not an IPS, and why a broad VPN group conflicts with least privilege.

Phase 2: Intermediate application

Move from definitions to selecting the best control.

Study:

  1. Endpoint hardening and secure baselines.
  2. IAM lifecycle, MFA, SSO, federation, PAM, access reviews, and service accounts.
  3. Vulnerability management: scan, prioritize, remediate, rescan, and verify.
  4. Monitoring: SIEM, EDR, XDR, logs, packet captures, dashboards, and alerts.
  5. Data protection: classification, encryption, tokenization, masking, DLP, retention, and disposal.
  6. Cloud architecture and shared responsibility.
  7. Risk register, risk treatment, RTO, RPO, MTTR, MTBF, and third-party agreements.

Checkpoint: Given a scenario, you should be able to choose the most relevant control and explain why a generic control is weaker.

Phase 3: Advanced scenario reasoning

Focus on priority, tradeoffs, and sequence.

Study:

  1. Incident response order: preparation, detection, analysis, containment, eradication, recovery, lessons learned.
  2. Forensic evidence: preserve before changing, maintain chain of custody, use legal hold when required.
  3. Architecture tradeoffs: availability versus cost, convenience versus least privilege, rapid automation versus guardrails, temporary exceptions versus permanent bypasses.
  4. Governance-document selection: policy, standard, procedure, guideline, SLA, NDA, MOU, rules of engagement.
  5. Recovery design: backup type, immutable or offline copies, replication, journaling, snapshots, warm versus hot versus cold sites.
  6. Zero trust and segmentation: evaluate identity, device posture, and resource-level authorization continuously.

Checkpoint: You should be able to identify why a technically useful answer may still be wrong because it occurs too early, grants too much access, destroys evidence, or fails to address the underlying cause.

Phase 4: Final review

Use sections 8–10 as a condensed review sheet. Practice mixed scenarios under time pressure. Flag questions containing BEST, FIRST, MOST likely, MOST appropriate, and Select TWO because wording determines the required reasoning style.


4. Core Concepts by Domain

Domain 1: General Security Concepts — 12%

1.1 Security control categories and functions

A control can be categorized by how it is implemented and what it does.

Implementation categories

Category Meaning Examples
Technical Implemented with technology Firewall, MFA, EDR, encryption, access control list
Managerial Administrative oversight and governance Risk assessment, security policy, vendor review
Operational People-driven process Awareness training, incident handling procedure, change review
Physical Protects physical access or environment Locks, bollards, guards, cameras, fencing

Functional types

Type Purpose Example Common trap
Preventive Stops an event before it occurs MFA, firewall allowlist, locked door Do not confuse with a control that only alerts afterward.
Detective Identifies an event IDS alert, log review, motion sensor Detection does not block the attack.
Corrective Fixes or restores after an event Patch deployment, restore from backup Restoration is not the same as prevention.
Deterrent Discourages attempts Warning sign, visible camera A deterrent changes behavior but may not stop an attacker.
Directive Tells people what to do Policy, standard, security procedure A document does not enforce a technical restriction by itself.
Compensating Alternative when the preferred control is not feasible Jump host and allowlisting for a legacy system lacking MFA Use only when the preferred control cannot reasonably be implemented.

Decision rule

When the question says a preferred control is impossible because of a legacy constraint, choose a compensating control that reduces exposure and is monitored. Never choose “ignore the risk” or “publish the service directly.”

1.2 Fundamental concepts

CIA triad

Property Question to ask Typical failure
Confidentiality Was information exposed to an unauthorized party? Data leak, excessive permissions, unencrypted sensitive data
Integrity Was data changed without authorization? Tampering, unauthorized database edit, malicious software update
Availability Can authorized users access the system when needed? Denial of service, outage, ransomware disruption

AAA

Element Purpose Example
Authentication Prove identity Password, passkey, smart card, biometric
Authorization Determine allowed actions Role-based permissions, ACL, least privilege
Accounting Record actions Audit log showing commands used by an administrator

Non-repudiation

Non-repudiation provides evidence that a specific party performed an action and cannot credibly deny it later. A common mechanism is a digital signature created with the signer’s private key.

Zero trust

Zero trust assumes that network location alone is not proof of trust. Evaluate:

  • user identity;
  • device health and posture;
  • resource sensitivity;
  • context such as location and risk;
  • least-privilege access;
  • continuous verification.

Trap: “The user is on the internal network” is not enough to justify broad access.

Deception and disruption technology

Technology Purpose
Honeypot Decoy system intended to attract suspicious activity
Honeynet Network of decoy systems
Honeyfile Decoy file that should not be accessed legitimately
Honeytoken Decoy credential or data element that triggers an alert if used

1.3 Change management

Security controls can create outages when implemented without review. A sound change process includes:

  1. request and business justification;
  2. impact analysis and dependency review;
  3. approval;
  4. testing;
  5. communication;
  6. implementation during an appropriate window;
  7. monitoring;
  8. rollback plan;
  9. documentation updates;
  10. version control and audit history.

Exam trap: The fastest technical fix is not always the best answer. If the question emphasizes avoiding an undocumented outage, choose assessment, approval, testing, and rollback.

1.4 Cryptographic solutions

Fast comparison

Need Best-fit mechanism
Keep data secret Encryption
Detect unauthorized modification Cryptographic hashing
Verify origin and integrity Digital signature
Verify a website or system identity Certificate and PKI validation
Store passwords safely Salted, slow password-hashing algorithm
Encrypt a large archive efficiently Symmetric encryption with secure key management
Protect data in transit TLS, IPSec, or another approved secure protocol

Symmetric versus asymmetric cryptography

Characteristic Symmetric Asymmetric
Keys Same secret key encrypts and decrypts Public/private key pair
Speed Faster Slower
Best use Bulk encryption Key exchange, digital signatures, identity verification
Main challenge Securely distribute and protect the shared key More computational overhead and certificate/key management complexity

Hashing, salting, and signatures

  • A hash is one-way and is used to verify integrity.
  • A salt makes identical passwords produce different stored hashes and reduces precomputed hash attacks.
  • A digital signature provides integrity, authenticity, and non-repudiation. It is not primarily used to keep content secret.

PKI essentials

Term Purpose
Certificate authority (CA) Issues and signs certificates
Registration authority (RA) Supports identity verification before certificate issuance
Certificate signing request (CSR) Request used to obtain a certificate
Certificate revocation list (CRL) Published list of revoked certificates
Online Certificate Status Protocol (OCSP) Query a certificate’s revocation status
Key escrow Controlled storage of a cryptographic key for recovery or legal requirements

Data obfuscation techniques

Technique Best use
Tokenization Replace sensitive values with tokens; common for payment data
Masking Hide portions of data from display or testing environments
Redaction Remove sensitive content from a document or output
Hashing Verify integrity or securely store password representations
Encryption Keep the original data confidential while allowing authorized recovery

Domain 1 traps

  • Hashing is not encryption.
  • Encoding is not encryption.
  • A shared symmetric key does not prove which individual approved a transaction.
  • An IDS detects; it does not automatically block.
  • Internal network location does not eliminate the need for authorization.
  • A compensating control is a governed alternative, not an excuse to ignore risk.

Domain 2: Threats, Vulnerabilities, and Mitigations — 22%

2.1 Threat actors and motivations

Actor Common motivation Characteristics
Nation-state Espionage, strategic disruption, geopolitical goals Highly resourced, patient, capable
Organized crime Financial gain Ransomware, fraud, credential theft
Hacktivist Ideology or publicity Defacement, leaks, denial of service
Insider threat Financial gain, revenge, coercion, negligence Has legitimate access or contextual knowledge
Unskilled attacker Curiosity, reputation, opportunism Often uses public tools and known weaknesses
Competitor Intellectual property or market advantage May seek sensitive business information
Shadow IT Convenience rather than malicious intent Creates unapproved exposure and governance gaps

Exam reasoning

Do not select an actor based only on technical sophistication. Use motivation, access level, persistence, and target value.

2.2 Threat vectors and social engineering

Social-engineering comparison

Technique Clue Best immediate response
Phishing Fraudulent message to many users Report, analyze, block indicators, coach users
Spear phishing Tailored message to a specific person or group Verify through a trusted channel
Whaling Targets senior executives Apply executive-focused awareness and verification controls
Smishing SMS-based social engineering Avoid clicking; report message
Vishing Voice-call manipulation Verify caller identity independently
Business email compromise Fraudulent payment or account-change request Use out-of-band verification and approval workflow
Pretexting Invented scenario to gain trust Verify identity and authority
Tailgating Unauthorized person follows an authorized person through a door Challenge or report; enforce badge and visitor process
Shoulder surfing Observing sensitive information physically Privacy screens, awareness, secure environment
Dumpster diving Searching discarded material Secure disposal and shredding

Common attack surfaces

  • email and messaging;
  • exposed services;
  • web applications and APIs;
  • removable media;
  • cloud configuration;
  • wireless networks;
  • mobile devices;
  • supply chain and third parties;
  • physical access;
  • unapproved applications and shadow IT.

2.3 Common vulnerabilities

Application and web vulnerabilities

Vulnerability What happens Strong mitigation
SQL injection Attacker manipulates database queries through untrusted input Parameterized queries, input validation, least privilege for database account
Cross-site scripting (XSS) Attacker injects script content executed in another user’s browser Output encoding, input validation, secure development practices
Cross-site request forgery (CSRF) Browser sends an unwanted authenticated action Anti-CSRF token, same-site controls, reauthentication for sensitive actions
Buffer overflow Input exceeds allocated memory and may alter execution Memory-safe coding, input validation, modern compiler and OS protections
Race condition / TOC-TOU Security decision becomes invalid between check and use Atomic operations, locking, safer design
Directory traversal Attacker accesses unintended paths Canonicalization, allowlisting, least privilege
Insecure API exposure Excessive permissions or weak authentication expose functions or data Strong authentication, authorization, rate limiting, validation, API gateway controls

Configuration and lifecycle vulnerabilities

Weakness Risk Best response
Default credentials Easy unauthorized access Change defaults immediately and manage secrets securely
Open ports and unnecessary services Enlarged attack surface Disable or remove unused services and protocols
Unpatched software Known weaknesses remain exploitable Prioritize, patch, test, deploy, and validate
End-of-life or legacy system No vendor support or modern security controls Replace, isolate, segment, and use compensating controls temporarily
Misconfigured cloud storage Unintended public exposure Restrict access, review policy, monitor configuration drift
Weak permissions Excessive access and lateral movement Least privilege, role design, access review

2.4 Malware and attack patterns

Attack Core behavior Response emphasis
Ransomware Encrypts or disrupts systems for extortion Isolate, preserve evidence, activate incident response, recover from tested clean backups
Trojan Malicious code disguised as legitimate software Validate software source, endpoint protection, sandboxing
Worm Self-propagates across systems Segment, patch, isolate, block propagation paths
Rootkit Hides persistent privileged access Forensic analysis, trusted rebuild where necessary
Keylogger Captures keystrokes Endpoint protection, MFA, incident investigation
Logic bomb Triggers under defined conditions Code review, monitoring, access control
Fileless malware Uses legitimate tools or memory Behavioral detection, EDR, log analysis

Credential attacks

Attack Pattern Mitigation
Brute force Many attempts against one account or service MFA, rate limiting, lockout, monitoring
Password spraying A few common passwords against many accounts MFA, password screening, monitoring, lockout strategy
Credential stuffing Reuse of leaked credentials on another service MFA, password uniqueness, breach monitoring
Dictionary attack Tries likely words and variations Long passwords/passphrases, MFA
Rainbow table attack Uses precomputed hashes Salting and slow password hashing

2.5 Network, wireless, and cryptographic attacks

Attack Clue Mitigation
On-path / man-in-the-middle Traffic interception or modification TLS certificate validation, secure protocols, VPN where appropriate
DNS poisoning Incorrect name resolution directs users elsewhere DNSSEC where applicable, monitoring, trusted resolvers
ARP spoofing Local network impersonation Segmentation, switch protections, secure network design
Denial of service Resource exhaustion reduces availability Rate limiting, upstream filtering, redundancy, scalable architecture
Evil twin Rogue wireless access point imitates a trusted SSID Enterprise authentication, certificate validation, user awareness, wireless monitoring
Replay attack Captured valid data is reused Nonces, timestamps, session protections
Downgrade attack Forces weaker protocol or cipher Disable legacy protocols and enforce modern secure configuration
Collision attack Seeks two inputs with the same hash Use approved collision-resistant algorithms

2.6 Mitigation strategy

A practical mitigation sequence:

  1. remove unnecessary exposure;
  2. patch or upgrade supported systems;
  3. segment legacy or high-risk systems;
  4. use strong authentication and least privilege;
  5. harden configurations;
  6. monitor and alert;
  7. validate remediation through rescanning or testing;
  8. document temporary exceptions and compensating controls.

Domain 2 traps

  • Do not confuse a threat actor with a vulnerability or an attack technique.
  • Do not choose encryption as the only answer to an input-validation problem.
  • Do not open suspicious files on an administrator workstation; use a sandbox.
  • Do not assume a patch is complete until remediation is verified.
  • Do not select user training alone when a technical control is required.
  • Do not disable logs to improve performance during an incident.

Domain 3: Security Architecture — 18%

3.1 Architecture principles

Secure architecture reduces the chance of compromise and limits the blast radius when compromise occurs.

Core design principles

  • least privilege;
  • segmentation and isolation;
  • defense in depth;
  • secure defaults;
  • minimized attack surface;
  • redundancy and resilience;
  • continuous verification;
  • data protection throughout its lifecycle;
  • centralized visibility;
  • separation of duties;
  • documented ownership and change control.

3.2 Network architecture patterns

Pattern Use it when Why it works Common wrong answer
DMZ Public-facing systems must remain reachable without unrestricted internal access Separates internet-exposed services from sensitive internal resources Flat VLAN placing public servers beside databases
Network segmentation You need to limit lateral movement or isolate sensitive systems Reduces blast radius and enables narrow traffic rules One large trusted internal network
Microsegmentation Workloads need fine-grained east-west controls Applies workload-level policy in data center or cloud environments Relying only on a perimeter firewall
Jump host / bastion host Administrators need controlled access to sensitive or legacy systems Centralizes access, logging, and policy enforcement Direct administrative access from any workstation
NAC Devices must meet policy before or during network access Evaluates identity and posture and can restrict access Treating any connected device as trusted
SASE Distributed users and branches need cloud-delivered security and network access controls Integrates secure access with policy enforcement closer to users Backhauling all traffic without considering performance or distributed policy needs
SD-WAN Branch connectivity needs centrally managed path selection and policy Improves WAN management and resilience Treating SD-WAN as a complete substitute for security controls

Flat network warning

When an answer places public servers, user workstations, and databases on the same VLAN, it is usually wrong. Prefer segmentation with narrowly allowed flows.

3.3 Cloud and virtualization models

Cloud service models

Model Customer controls more of Provider controls more of Typical customer focus
IaaS OS, applications, identities, data, many network configurations Physical infrastructure and core virtualization Patch guest OS, harden workloads, configure security groups
PaaS Application code, identities, data, configuration Runtime platform and underlying infrastructure Secure application, secrets, identities, and data
SaaS User access, configuration, data handling Application stack and infrastructure IAM, data classification, sharing settings, retention

Shared responsibility rule

Cloud adoption does not transfer all security responsibility to the provider. The customer remains responsible for areas such as identities, data classification, secure configuration, access decisions, and appropriate monitoring.

Containers and virtualization

Technology Key consideration
Virtual machine Isolate workloads, patch guest OS, secure hypervisor management plane
Container Use trusted images, scan images, minimize privileges, protect secrets, patch base images
Infrastructure as code Store templates in version control, peer review changes, scan configurations, use repeatable deployment
Serverless Secure permissions, input validation, dependencies, secrets, and logging

3.4 Secure communications

Requirement Best-fit protocol or control Avoid
Secure web traffic HTTPS using TLS Plain HTTP
Secure remote shell SSH Telnet
Secure file transfer through SSH SFTP or SCP FTP
Secure file transfer with TLS FTPS FTP
Secure network management SNMPv3 Earlier insecure SNMP configurations
Secure directory queries LDAPS or LDAP protected with TLS Plain LDAP over untrusted networks
Network-layer VPN IPSec Assuming encryption without key management or authentication
Email authenticity SPF, DKIM, and DMARC together Relying on only one signal

Email security roles

Control Purpose
SPF Identifies authorized sending systems for a domain
DKIM Adds a cryptographic signature to help verify message integrity and domain association
DMARC Defines policy and reporting for messages that fail alignment checks

3.5 Data protection architecture

Data states

Data state Example Typical controls
Data at rest Database, disk, backup, file Disk encryption, database encryption, access control, key management
Data in transit Network communication TLS, IPSec, VPN, secure protocols
Data in use Data actively processed in memory Strong access control, application isolation, secure execution design

Classification and handling

The more sensitive the data, the stricter the access, encryption, retention, monitoring, and disposal requirements should be.

Need Strong control choice
Prevent sensitive data from leaving approved channels DLP
Replace payment data with a non-sensitive substitute Tokenization
Hide selected fields in test or support screens Masking
Remove sensitive content from released documents Redaction
Keep recoverable stored data confidential Encryption

3.6 Resilience and recovery architecture

Recovery metrics

Metric Meaning Question clue
RTO Maximum acceptable time to restore service “How quickly must the system return?”
RPO Maximum acceptable data loss measured in time “How much recent data may be lost?”
MTTR Average time to repair or restore “How long does recovery typically take?”
MTBF Average operating time between failures “How frequently does the component fail?”

Recovery sites

Site type Readiness Cost Recovery speed
Hot site Fully prepared and rapidly usable Highest Fastest
Warm site Partially prepared Medium Moderate
Cold site Basic facility with limited equipment or setup Lowest Slowest

Backup strategies

Backup type Captures Restore consideration
Full All selected data Fastest restore, larger backup window and storage use
Incremental Changes since the most recent backup of any type Efficient backups, restore may require multiple sets
Differential Changes since the last full backup Restore usually needs last full plus latest differential
Snapshot Point-in-time state Useful for rapid rollback but not always a complete off-system backup strategy
Replication Copies data to another system or location Supports availability but can replicate corruption or ransomware
Immutable or offline backup Protected from routine alteration or deletion Important for ransomware resilience

Power and availability

Control Best purpose
UPS Immediate short-term power and graceful shutdown or bridge to generator
Generator Longer-duration backup power
Redundant links and systems Reduce single points of failure
Load balancing Distribute traffic and improve availability
Clustering Maintain service across multiple nodes

Domain 3 traps

  • Replication is not the same as a clean ransomware-resistant backup.
  • A snapshot is useful but may not satisfy long-term backup requirements by itself.
  • A hot site is fast but expensive; a cold site is inexpensive but slow.
  • A VPN is not an authorization model. Still apply least privilege.
  • The cloud provider does not automatically own every security task.
  • Public-facing systems should not sit on the same flat network as critical databases.

Domain 4: Security Operations — 28%

4.1 Secure baselines and hardening

A secure baseline is an approved configuration standard that is established, deployed, monitored, and updated.

Hardening checklist

  • patch operating systems, applications, firmware, and dependencies;
  • disable unused ports, protocols, services, and accounts;
  • remove unnecessary software;
  • change default credentials;
  • use host firewalls;
  • use endpoint protection and EDR where appropriate;
  • enforce secure configuration templates;
  • protect administrative interfaces;
  • separate administrative accounts from ordinary user accounts;
  • enable logging and time synchronization;
  • validate configuration drift.

Platform-specific focus

Platform High-value controls
Workstation Patch, EDR, host firewall, least privilege, application allowlisting where justified
Server Minimal services, secure baseline, restricted administration, monitored logs, backup validation
Mobile device MDM, screen lock, encryption, remote wipe, application policy, update enforcement
Network device Secure management protocol, strong authentication, configuration backup, ACL, logging
Cloud resource Secure identity, least-privilege role, security group review, logging, configuration monitoring
Container Trusted image, image scanning, non-root execution where practical, secrets protection
IoT or OT Asset inventory, segmentation, restricted communication, safe maintenance window, compensating controls

4.2 Asset lifecycle and disposal

Security operations require an accurate inventory and managed lifecycle.

Stage Security focus
Acquisition Approved source, ownership, classification, baseline requirements
Assignment Responsible owner, configuration, access control
Monitoring Inventory updates, patches, changes, vulnerabilities
Decommissioning Remove access, sanitize data, update inventory, retain evidence where required
Disposal Sanitization, destruction, certification, chain of custody where necessary

Trap: Deleting files is not always sufficient sanitization.

4.3 Monitoring and detection tools

Tool comparison

Tool Core purpose Best scenario Common confusion
SIEM Centralize, correlate, alert on, and retain logs Multiple systems must be analyzed together SIEM is not an endpoint prevention agent.
EDR Detect, investigate, and respond on endpoints Isolate a compromised workstation, inspect process behavior EDR is endpoint-focused, not a network perimeter firewall.
XDR Correlate detections across multiple security layers Broader investigation across endpoint, identity, email, and network telemetry Do not assume every organization requires XDR instead of SIEM.
IDS Detect suspicious network activity and alert Visibility without inline blocking IDS does not automatically block.
IPS Detect and block suspicious traffic inline Immediate network enforcement is required Inline placement can affect traffic if misconfigured.
WAF Protect web applications at the HTTP layer SQL injection or XSS risk against a web application A general network firewall is not a complete substitute.
Firewall Enforce allowed and denied network flows Restrict ports, addresses, protocols, and zones A firewall does not replace secure application code.
DNS filtering Block access to malicious or prohibited domains Reduce access to known harmful destinations It does not fix endpoint compromise already present.
DLP Detect or restrict sensitive-data movement Prevent regulated data exfiltration DLP is not a backup solution.
NAC Restrict network access based on identity or posture Quarantine devices failing policy NAC is not simply a VPN.
Sandbox Execute suspicious content in an isolated environment Analyze an unknown attachment safely Do not open the file on an administrator workstation.

Logging essentials

Collect the log source most directly related to the question.

Investigation question Useful source
Was a connection allowed or blocked? Firewall logs
What process executed on a host? Endpoint and OS security logs, EDR telemetry
Which web request triggered an error or suspicious action? Application, web server, and WAF logs
Was authentication successful or denied? Identity provider, directory, and authentication logs
What occurred on the network? IDS/IPS logs, network flow data, packet capture
Did a user download or send sensitive content? DLP, email, proxy, and endpoint logs

Time synchronization

Accurate timestamps are essential for event correlation and forensics. Use centralized time synchronization and verify that systems record the correct time zone and timestamp format.

4.4 Vulnerability management

Lifecycle

  1. Identify assets and scope. You cannot prioritize what you do not know exists.
  2. Discover vulnerabilities. Use scans, assessments, advisories, and configuration review.
  3. Analyze context. Consider severity, exploitability, exposure, asset criticality, active exploitation, and compensating controls.
  4. Prioritize. A critical internet-facing weakness on a business-critical system usually outranks a lower-impact internal issue.
  5. Remediate. Patch, reconfigure, segment, replace, mitigate, or formally accept with governance.
  6. Validate. Rescan, audit, or verify that the control works.
  7. Report and track. Assign ownership and due dates; measure overdue findings and time to remediate.

Scanner types

Type Strength Limitation
Credentialed scan More accurate visibility into installed software and configuration Requires protected credentials and careful permissions
Non-credentialed scan Shows what an external or unauthenticated perspective can see Less internal detail
Agent-based scan Useful for devices that are not always reachable centrally Requires agent management
Application scan Finds web or application-specific issues Does not replace infrastructure assessment

False positives and validation

Do not blindly deploy a risky production change based only on a scanner result. Validate the finding, prioritize it, test remediation, deploy through change management, and rescan.

4.5 Identity and access management

IAM lifecycle

Stage Action
Provisioning Create identity, assign only required access
Role change Adjust access promptly when responsibilities change
Periodic review Confirm access remains justified
Deprovisioning Disable access quickly when no longer required

Access models

Model Basis Best fit
RBAC Job role Stable organizational responsibilities
ABAC Attributes and conditions Context-aware access decisions using identity, device, location, or resource attributes
Rule-based access Defined system rules Firewall or policy evaluation based on explicit rules
Discretionary access control Owner decides access Flexible resource-owner management
Mandatory access control Central labels and classifications High-control environments with strict classification rules

Authentication factors

Factor category Examples
Something you know Password, PIN
Something you have Smart card, security key, authenticator device
Something you are Fingerprint, face, iris
Somewhere you are Location or network context
Something you do Behavioral pattern such as typing rhythm

MFA requires different factor categories. Two passwords are not MFA.

IAM tool selection

Need Best choice
One login experience for multiple applications SSO
Exchange trust between identity domains Federation
Temporary privileged access PAM with just-in-time permissions
Protect and rotate privileged passwords Password vaulting and secrets management
Reduce standing privileges Ephemeral credentials and JIT access
Review whether access is still justified Periodic access review
Control machine-to-machine credentials Service-account governance and secrets rotation

PAM essentials

Use privileged access management for sensitive administrative access:

  • password vaulting;
  • just-in-time permissions;
  • session monitoring;
  • ephemeral credentials;
  • approval workflow;
  • separation of administrator and user accounts.

Trap: Sharing one administrator account prevents reliable attribution and increases exposure.

4.6 Automation and orchestration

Automation can improve consistency and reaction time, but it must use safeguards.

Useful automation cases

  • user provisioning and deprovisioning;
  • resource provisioning;
  • configuration guardrails;
  • security-group validation;
  • ticket creation and escalation;
  • disabling compromised access;
  • enrichment of alerts;
  • continuous integration testing;
  • API integrations;
  • baseline enforcement.

Automation risks

  • unintended large-scale change;
  • single point of failure;
  • excessive permissions;
  • complexity and technical debt;
  • poor exception handling;
  • insufficient monitoring;
  • lack of human review for high-impact actions.

Decision rule: Automate repeatable tasks, but use approval gates, logging, testing, scope restrictions, and rollback for high-impact actions.

4.7 Incident response

Standard process

Stage Purpose Typical actions
Preparation Be ready before an incident Plans, contacts, playbooks, backups, tools, training, tabletop exercises
Detection Notice suspicious activity Alerts, user reports, monitoring
Analysis Confirm, scope, and prioritize Investigate evidence, identify affected assets and likely cause
Containment Limit damage Isolate endpoint, block indicator, restrict access, segment
Eradication Remove the cause Remove malware, disable compromised account, patch weakness, eliminate persistence
Recovery Restore safe service Rebuild or restore, monitor closely, validate operation
Lessons learned Improve the program Root cause analysis, control updates, metrics, documentation

First-action reasoning

  • If an endpoint is actively spreading malware, isolate it before performing a full rebuild.
  • If evidence is required, preserve evidence before making avoidable destructive changes.
  • If uptime has returned but compromise recurs, perform root cause analysis and remove persistence.
  • If a suspicious file must be examined, use an isolated sandbox.

4.8 Digital forensics and investigation

Forensic priorities

  • preserve evidence integrity;
  • maintain chain of custody;
  • document acquisition and handling;
  • avoid unnecessary modification;
  • use legal hold when data must be retained for legal or regulatory reasons;
  • report findings accurately;
  • support e-discovery where required.

Order-of-volatility idea

Collect more volatile evidence before less volatile evidence when appropriate and authorized. Memory and active network-state information may disappear faster than stored disk evidence.

Domain 4 traps

  • Do not restore service and close the case while persistence remains.
  • Do not rebuild a host before preserving required evidence.
  • Do not choose IDS when the requirement is to block inline.
  • Do not choose a firewall alone for a web-application-layer attack.
  • Do not treat SSO as MFA.
  • Do not leave service-account credentials static and embedded in code.
  • Do not assume patching succeeded without rescanning or verification.
  • Do not automate high-impact actions without guardrails.

Domain 5: Security Program Management and Oversight — 20%

5.1 Governance document hierarchy

Document Purpose Example
Policy High-level management intent and direction “The organization will protect sensitive information.”
Standard Mandatory detailed requirement Minimum password length, encryption requirement, approved protocol
Procedure Step-by-step instructions How to onboard a user or respond to a phishing report
Guideline Recommended but flexible advice Suggested secure coding practice
Playbook Repeatable response steps for a scenario Ransomware response playbook

Governance structures and roles

Role Typical responsibility
Data owner Determines classification and authorized use
Data controller Determines purpose and means of processing in privacy context
Data processor Processes data on behalf of a controller
Custodian or steward Handles operational protection and lifecycle activities
Executive leadership Sets risk appetite and approves strategy
Security team Implements and monitors controls
Internal audit Independently evaluates controls within the organization

5.2 Risk management

Risk terms

Term Meaning
Threat Potential cause of harm
Vulnerability Weakness that could be exploited
Likelihood Probability that the risk will occur
Impact Consequence if the event occurs
Exposure factor Percentage of asset value lost in one event
Single loss expectancy (SLE) Expected loss from one occurrence
Annualized rate of occurrence (ARO) Expected occurrences per year
Annualized loss expectancy (ALE) Expected annual financial loss
Risk appetite Broad amount and type of risk the organization is willing to pursue or retain
Risk tolerance Acceptable variation or threshold for a specific risk area
Risk register Tracked list of risks, owners, treatment, status, and supporting information

Quantitative formulas

  • SLE = Asset Value × Exposure Factor
  • ALE = SLE × ARO

Use quantitative analysis when financial estimates are reliable enough to support decisions. Use qualitative analysis when relative ranking is more practical.

Risk treatment options

Treatment Meaning Example
Mitigate Reduce likelihood or impact Patch system, segment network, deploy MFA
Transfer Shift some financial or contractual impact Cyber insurance, outsourced service with defined obligations
Avoid Stop the risky activity Retire unsupported system or discontinue exposed service
Accept Formally retain risk within tolerance Documented approval and monitoring
Exception or exemption Authorized deviation from a requirement under defined conditions Time-bound legacy-system exception with compensating controls

Trap: Risk transfer rarely eliminates accountability. The organization still needs oversight.

5.3 Business impact analysis and continuity

A BIA identifies critical processes, dependencies, recovery priorities, and acceptable interruption levels.

Metric Use
RTO Maximum acceptable restoration time
RPO Maximum acceptable data loss measured in time
MTTR Average repair or recovery duration
MTBF Reliability measure: average time between failures

Continuity decision rule

When leaders disagree about restoration priorities or backup ownership, perform a BIA, assign responsibilities, document objectives, and test the recovery plan. Buying another endpoint tool does not solve a continuity-governance gap.

5.4 Third-party risk management

Lifecycle

  1. identify the vendor’s access and data exposure;
  2. perform due diligence before granting access;
  3. define security requirements contractually;
  4. limit vendor access using least privilege;
  5. monitor performance and evidence;
  6. reassess periodically;
  7. revoke access and handle data at contract termination.

Agreement selection guide

Agreement Use it for
SLA Measurable service commitments such as uptime and response time
NDA Restrictions on use and disclosure of confidential information
MOU Understanding or cooperative arrangement between parties
Master service agreement Broad commercial terms governing an ongoing relationship
Data processing agreement Privacy and processing responsibilities for personal information
Rules of engagement Authorized scope, targets, time window, methods, contacts, and stop conditions for a security test

Evidence and assurance

A certification or assurance report supports due diligence but does not remove the need to assess relevance, review scope, monitor the vendor, and manage residual risk.

5.5 Compliance, privacy, and audits

Compliance reasoning

Map legal, regulatory, contractual, industry, and privacy obligations to controls. Requirements may differ by jurisdiction, business sector, data type, and contract.

Privacy principles

  • collect only the data required for a defined purpose;
  • retain data only as long as required;
  • control access;
  • support secure disposal;
  • document processing and sharing;
  • protect personal information in storage, transit, and use;
  • monitor third-party processing.

Audit and assessment comparison

Activity Purpose Key distinction
Internal audit Independent review performed by the organization’s audit function Internal but should be objective
External audit Review performed by an outside assessor Provides independent external assurance
Vulnerability scan Finds potential weaknesses Does not demonstrate controlled exploitation
Penetration test Authorized attempt to exploit weaknesses and show impact Requires scope and rules of engagement
Tabletop exercise Discussion-based walkthrough of a scenario Tests decision-making and readiness without full technical simulation
Simulation More realistic operational exercise Tests processes under more lifelike conditions

5.6 Awareness and reporting

Effective awareness program

  • recurring rather than one-time;
  • role-based where appropriate;
  • measured using outcomes;
  • reinforced with simulations;
  • paired with easy reporting channels;
  • designed to improve behavior, not publicly shame users.

Common awareness topics

  • phishing and suspicious-message reporting;
  • password and MFA hygiene;
  • social engineering;
  • removable media;
  • tailgating and visitor control;
  • data handling;
  • hybrid and remote work;
  • anomalous behavior and insider risk;
  • operational security.

Useful security metrics

Goal Good metric
Improve remediation Time to remediate by severity; overdue findings
Improve detection Mean time to detect
Improve incident handling Mean time to contain and recover
Improve awareness Simulation reporting rate and repeat failure trend
Improve access governance Overdue access reviews, excessive privilege findings
Improve vendor oversight Open findings, reassessment completion, SLA performance

Due care and due diligence

  • Due care: implement reasonable safeguards.
  • Due diligence: continuously verify that safeguards remain appropriate and effective.

Buying one tool and never reviewing risk is not due diligence.

Domain 5 traps

  • Policy is high-level; a standard contains mandatory detail.
  • An SLA defines measurable service performance; an NDA protects confidentiality.
  • A penetration test must be authorized and scoped.
  • A vulnerability scan is not a governance program or a complete audit.
  • Data minimization is stronger than collecting everything indefinitely.
  • A temporary exception must be approved, time-bound, monitored, and paired with compensating controls.
  • Risk transfer does not eliminate oversight.

5. Security Tool and Control Selection Guide

Security+ questions frequently present multiple useful controls. Select the option that is closest to the stated requirement.

Monitoring, prevention, and response tools

Requirement Choose Do not choose as the primary answer Reason
Correlate logs across many systems SIEM EDR only SIEM centralizes and correlates events across sources.
Investigate and isolate a compromised workstation EDR Network firewall only EDR provides endpoint visibility and response.
Block malicious traffic inline IPS IDS IDS alerts but does not automatically block.
Protect a web application from common HTTP-layer attacks WAF General firewall only WAF understands web-application traffic patterns.
Restrict a device that fails policy checks NAC VPN only NAC evaluates access and posture.
Stop sensitive data from leaving approved channels DLP Backup system DLP focuses on data movement and policy enforcement.
Safely inspect a suspicious attachment Sandbox Administrator workstation Isolation prevents production compromise.
Reduce access to malicious domains DNS filtering Disk encryption DNS filtering blocks domain resolution or access paths.
Limit lateral movement Segmentation and narrow rules Flat VLAN Segmentation reduces blast radius.
Control privileged accounts PAM with JIT access and vaulting Shared administrator password PAM improves least privilege, attribution, and credential control.

Identity service selection

Scenario Best fit Why
A user wants one sign-in experience across applications SSO Simplifies authentication experience across systems.
Two organizations need identity trust Federation Allows trust exchange between identity domains.
Administrator access should exist only during a maintenance window PAM with JIT permissions Reduces standing privilege.
A device credential must rotate without embedding a static password in code Secrets manager Centralized retrieval and rotation.
Access depends on device health, user role, location, and resource sensitivity ABAC or context-aware access Evaluates attributes rather than only job role.
Employees should receive permissions based on their stable job duties RBAC Maps access to organizational roles.

Cryptography selection

Requirement Best fit Why the common distractor fails
Verify a downloaded file has not changed Compare cryptographic hash Encryption after download does not prove the original file was unchanged.
Encrypt a large archive efficiently Symmetric encryption Asymmetric encryption is usually inefficient for bulk data.
Prove a specific person approved a transaction Digital signature A shared key cannot reliably prove which individual acted.
Check whether a certificate was revoked OCSP or CRL A CSR requests a certificate; it does not check revocation.
Store user passwords Salted slow hash Reversible encryption exposes all passwords if its key is compromised.
Replace sensitive payment data while retaining business workflows Tokenization Masking hides display values but may not replace the underlying sensitive value.

Governance selection

Requirement Best fit
State high-level security direction Policy
Define mandatory password length Standard
Explain step-by-step onboarding tasks Procedure
Provide flexible recommendations Guideline
Define vendor uptime and response commitments SLA
Restrict confidential information disclosure NDA
Authorize penetration-test targets and timing Rules of engagement
Track risks, owners, status, and treatment Risk register

6. Architecture Patterns and Common Exam Scenarios

Scenario 1: Public-facing server must access internal data safely

Recommended pattern: Place the public service in a DMZ or segmented zone. Allow only the required application flow to the internal database. Monitor traffic and harden the public host.

Why alternatives fail: A flat VLAN increases lateral-movement risk. Broad internal access violates least privilege. Disabling logs removes visibility.

Scenario 2: Legacy service cannot support MFA

Recommended pattern: Use a monitored jump host or proxy, strict allowlisting, segmentation, strong logging, temporary exception approval, and a replacement plan.

Why alternatives fail: Publishing the service directly increases exposure. Removing the standard hides risk rather than managing it.

Scenario 3: Remote contractor needs one application

Recommended pattern: Provide application-specific, context-aware, least-privilege access from a managed device. Require appropriate authentication and monitor activity.

Why alternatives fail: A broad employee VPN group exposes unrelated systems. Shared administrator credentials destroy accountability.

Scenario 4: Suspicious attachment requires analysis

Recommended pattern: Open the attachment in an isolated sandbox and collect behavioral indicators.

Why alternatives fail: Opening it on a privileged workstation may compromise production. Forwarding it widely increases risk.

Scenario 5: Internet-facing application is vulnerable to SQL injection

Recommended pattern: Fix the code using parameterized queries and input validation. Add WAF protection as defense in depth. Restrict database-account permissions.

Why alternatives fail: A network firewall alone does not correct unsafe query construction. Encryption does not stop malicious input.

Scenario 6: Ransomware spreads through endpoints

Recommended pattern: Isolate affected endpoints, preserve evidence, scope the incident, disable compromised access, eradicate persistence, restore from validated clean backups, and conduct lessons learned.

Why alternatives fail: Rebuilding immediately may destroy evidence. Restoring from an unvalidated backup may reintroduce compromise.

Scenario 7: Vendor will process sensitive data

Recommended pattern: Perform due diligence, classify the data, define contractual security and privacy requirements, enforce least-privilege access, monitor evidence, and plan termination handling.

Why alternatives fail: A marketing brochure is not assurance. Access should not be granted before review.

Scenario 8: Cloud environment has configuration drift

Recommended pattern: Use infrastructure as code, version control, peer review, automated scanning, guardrails, and monitored deployment.

Why alternatives fail: Manual untracked production edits weaken attribution and repeatability.

Scenario 9: High availability is required with minimal data loss

Recommended pattern: Define RTO and RPO first. Select redundancy, replication, journaling, backups, and an appropriate recovery site based on those objectives. Protect at least one backup from alteration.

Why alternatives fail: Replication alone can copy corruption or ransomware. A cold site may not meet a short RTO.

Scenario 10: Security team needs evidence of administrator actions

Recommended pattern: Use individual administrator accounts, PAM where appropriate, session logging, and accounting records.

Why alternatives fail: Shared administrator credentials prevent reliable attribution.

Scenario 11: Scanner reports a critical production weakness

Recommended pattern: Validate the finding, assess exposure and business criticality, test remediation, deploy through change control, rescan, and report closure.

Why alternatives fail: Immediate untested production changes may cause an outage. Ignoring the scan leaves risk unmanaged.

Scenario 12: User clicks realistic phishing lures repeatedly

Recommended pattern: Use recurring simulations, targeted coaching, easy reporting, email controls, and outcome measurement.

Why alternatives fail: Annual slides alone are insufficient. Public punishment discourages reporting and harms culture.


7. Exam Traps and Answer-Elimination Strategy

Misleading wording

Wording What it changes
FIRST Choose the earliest safe and necessary step, not the final solution.
BEST Choose the option that most directly meets the requirement and reduces risk appropriately.
MOST likely Select the explanation that fits the evidence, not the most severe possibility.
MOST appropriate Consider business context, technical fit, scope, and governance.
Select TWO Both selected actions must work together and satisfy the prompt.
Temporary legacy constraint Look for compensating controls, monitoring, exception approval, and migration plan.
Evidence or legal requirement Preserve data and chain of custody before destructive action.
Public-facing system Consider DMZ, segmentation, narrow rules, WAF, and monitoring.
Recurring compromise after recovery Look for root cause analysis and persistence removal.

Wrong-but-plausible distractor patterns

1. Useful tool, wrong layer

  • General firewall instead of WAF for HTTP-layer application attacks.
  • SIEM instead of EDR for isolating a workstation.
  • VPN instead of authorization for resource-level access.
  • Encryption instead of input validation for SQL injection.

2. Correct final step, wrong order

  • Rebuild before preserving evidence.
  • Restore service before containing spread.
  • Close incident after uptime returns without root cause analysis.
  • Patch production immediately without testing or change review.

3. Too broad

  • Grant general VPN access when one application is required.
  • Put all servers and databases on one VLAN.
  • Share one administrator account.
  • Give a service account unnecessary permissions.

4. Too narrow

  • Buy more antivirus licenses when the real problem is untested continuity planning.
  • Rotate one unrelated password when persistence is unknown.
  • Provide annual training only when behavior remains poor.
  • Rely on one email-authentication signal when layered SPF, DKIM, and DMARC controls are appropriate.

5. Removes visibility

Options that disable logging, monitoring, alerts, or evidence preservation are usually wrong unless the prompt explicitly justifies them.

6. Replaces governance with convenience

  • Grant vendor access before due diligence.
  • Use verbal promises instead of contractual obligations.
  • Treat a temporary exception as permanent.
  • Skip approval and rollback for urgent changes.

Five-step elimination strategy

  1. Cross out answers that increase exposure: flat network, unrestricted access, public service publication, shared credentials.
  2. Cross out answers that destroy evidence or visibility: disable logging, wipe immediately, rebuild before preservation.
  3. Cross out answers at the wrong layer: general firewall for code weakness, backup for DLP requirement, SSO for MFA requirement.
  4. Cross out answers that ignore lifecycle: patch without validation, vendor access without onboarding review, data retention without disposal.
  5. Choose the answer matching the stated priority: confidentiality, integrity, availability, containment, evidence, compliance, or measurable recovery target.

8. Quick Memory Rules

Fast “if you see X, think Y” mapping

If you see... Think...
Unauthorized data change Integrity
Unauthorized disclosure Confidentiality
Service outage or denial of service Availability
Record of administrator actions Accounting
Prove who approved something Digital signature and non-repudiation
Verify a file was not changed Hash
Encrypt large data efficiently Symmetric encryption
Website certificate revocation status OCSP or CRL
Legacy system cannot meet required control Compensating control plus time-bound exception
Public server must remain reachable DMZ and narrow traffic rules
Limit lateral movement Segmentation or microsegmentation
Analyze suspicious file safely Sandbox
Block web-layer attacks WAF
Correlate logs SIEM
Investigate or isolate endpoint EDR
Detect only IDS
Detect and block inline IPS
Device posture before network access NAC
Stop sensitive-data exfiltration DLP
Temporary admin rights PAM with JIT permissions
Machine password embedded in code Secrets manager and rotation
One login across applications SSO
Trust between identity domains Federation
How fast must recovery occur? RTO
How much data can be lost? RPO
Uptime and response commitments SLA
Confidentiality during negotiation NDA
Authorized test scope and stop conditions Rules of engagement
Risk owner, treatment, and status Risk register
Collect only required personal data Data minimization
Unclear restoration priorities BIA
Incident keeps returning Root cause analysis and persistence removal

Acronym cluster review

Acronym Meaning Recall clue
AAA Authentication, authorization, accounting Identity, permissions, records
ALE Annualized loss expectancy SLE × ARO
ARO Annualized rate of occurrence Expected frequency per year
BIA Business impact analysis Critical processes and recovery priorities
CA Certificate authority Signs certificates
CSR Certificate signing request Requests a certificate
CRL Certificate revocation list Published revoked certificates
DLP Data loss prevention Sensitive-data movement control
DMARC Domain-based Message Authentication, Reporting, and Conformance Email policy and reporting
DKIM DomainKeys Identified Mail Email signature
EDR Endpoint detection and response Endpoint investigation and isolation
IAM Identity and access management Identity lifecycle and access control
IDS Intrusion detection system Alert
IPS Intrusion prevention system Inline block
MFA Multifactor authentication Different factor categories
MTBF Mean time between failures Reliability
MTTR Mean time to repair Repair duration
NAC Network access control Admission and posture
OCSP Online Certificate Status Protocol Certificate revocation query
PAM Privileged access management Admin access control
RPO Recovery point objective Acceptable data loss
RTO Recovery time objective Acceptable downtime
SASE Secure access service edge Cloud-delivered secure access architecture
SIEM Security information and event management Central log correlation
SLA Service-level agreement Measurable service commitments
SLE Single loss expectancy Asset value × exposure factor
SPF Sender Policy Framework Authorized email senders
SSO Single sign-on One sign-in experience
TLS Transport Layer Security Protect data in transit
UPS Uninterruptible power supply Short-term backup power
WAF Web application firewall HTTP-layer protection
XDR Extended detection and response Cross-layer telemetry correlation

Ten rules worth memorizing

  1. Preserve evidence before destructive action.
  2. Contain active spread before full recovery.
  3. Reduce blast radius with segmentation and least privilege.
  4. Validate remediation; do not assume the patch worked.
  5. Choose the tool at the closest layer to the problem.
  6. Cloud security remains a shared responsibility.
  7. Replication supports availability but does not replace protected backups.
  8. Temporary exceptions must be documented, monitored, and time-bound.
  9. A policy sets intent; a standard states mandatory detail; a procedure explains steps.
  10. Governance gaps require governance fixes, not only another technical tool.

9. Final Revision Notes

Highest-yield review points

Security Operations

  • Know the incident response order and select the correct first action.
  • Match SIEM, EDR, XDR, IDS, IPS, WAF, NAC, DLP, firewall, DNS filtering, and sandbox to their strongest use case.
  • Apply secure baselines and reduce attack surface.
  • Understand vulnerability management from discovery through verification.
  • Know IAM lifecycle, RBAC versus ABAC, MFA factors, SSO, federation, PAM, service-account management, and access reviews.
  • Preserve evidence, maintain chain of custody, and correlate logs using accurate timestamps.
  • Automate repeatable work with testing, guardrails, logging, approval, and rollback.

Threats, Vulnerabilities, and Mitigations

  • Recognize social-engineering clues quickly.
  • Distinguish password spraying, credential stuffing, brute force, and rainbow-table attacks.
  • Know SQL injection, XSS, CSRF, buffer overflow, race conditions, and API risks.
  • Prioritize patching, hardening, segmentation, least privilege, endpoint protection, and monitoring.
  • Treat default credentials, unsupported systems, and unnecessary services as high-risk exposure.

Security Architecture

  • Place public-facing systems in a DMZ or segmented zone.
  • Use secure protocols and disable legacy protocols.
  • Know data at rest, in transit, and in use.
  • Understand shared responsibility in IaaS, PaaS, and SaaS.
  • Define RTO and RPO before selecting recovery architecture.
  • Keep protected backup copies that routine compromise cannot alter.

Security Program Management and Oversight

  • Select the right governance document.
  • Know risk treatment choices and the difference between appetite and tolerance.
  • Understand BIA metrics.
  • Apply due diligence before vendor access and monitor throughout the relationship.
  • Match SLA, NDA, MOU, and rules of engagement to the scenario.
  • Use recurring, measured, role-relevant awareness training.
  • Apply data minimization, retention, and secure disposal.

General Security Concepts

  • Know CIA, AAA, non-repudiation, control types, zero trust, and deception controls.
  • Distinguish symmetric encryption, asymmetric cryptography, hashing, salting, digital signatures, certificates, OCSP, and CRL.
  • Apply formal change management with approval, testing, rollback, documentation, and version control.

Last-day revision list

Read these items once more immediately before the exam:

  1. incident response sequence;
  2. RTO versus RPO;
  3. SLE, ARO, and ALE;
  4. policy versus standard versus procedure versus guideline;
  5. SLA versus NDA versus rules of engagement;
  6. IDS versus IPS;
  7. SIEM versus EDR versus XDR;
  8. firewall versus WAF;
  9. SSO versus federation versus MFA versus PAM;
  10. hash versus encryption versus digital signature;
  11. OCSP versus CRL versus CSR;
  12. full versus incremental versus differential backup;
  13. hot versus warm versus cold site;
  14. SQL injection versus XSS versus CSRF;
  15. brute force versus spraying versus credential stuffing;
  16. DMZ, segmentation, microsegmentation, NAC, and zero trust;
  17. data at rest, in transit, and in use;
  18. due care versus due diligence;
  19. risk mitigation versus transfer versus avoidance versus acceptance;
  20. evidence preservation and chain of custody.

10. Exam-Day Checklist

Must-know checklist

Foundations

  • I can map a scenario to confidentiality, integrity, or availability.
  • I can distinguish authentication, authorization, and accounting.
  • I can classify preventive, detective, corrective, deterrent, directive, and compensating controls.
  • I know when zero trust requires continuous evaluation rather than network-based trust.
  • I can select hashing, symmetric encryption, asymmetric cryptography, signatures, certificates, OCSP, and CRL correctly.

Threats and vulnerabilities

  • I can recognize major social-engineering techniques.
  • I can distinguish common password attacks.
  • I can recognize SQL injection, XSS, CSRF, buffer overflow, race conditions, and API risks.
  • I can select practical mitigations for malware, exposed services, unsupported systems, and default credentials.

Architecture

  • I know when to use segmentation, DMZ, microsegmentation, jump host, NAC, and SASE.
  • I can explain shared responsibility for IaaS, PaaS, and SaaS.
  • I can choose secure protocols instead of insecure legacy protocols.
  • I can match controls to data at rest, in transit, and in use.
  • I can distinguish RTO, RPO, MTTR, and MTBF.
  • I know the strengths and weaknesses of replication, snapshots, and backups.

Operations

  • I can select SIEM, EDR, XDR, IDS, IPS, WAF, DLP, NAC, DNS filtering, firewall, and sandbox correctly.
  • I understand secure baseline deployment and hardening.
  • I understand the vulnerability-management lifecycle and validation step.
  • I can distinguish RBAC, ABAC, SSO, federation, MFA, and PAM.
  • I know the incident response sequence and common first-action traps.
  • I know when to preserve evidence and maintain chain of custody.
  • I understand safe automation with guardrails.

Governance and oversight

  • I can distinguish policy, standard, procedure, guideline, and playbook.
  • I can select mitigation, transfer, avoidance, acceptance, and exception management correctly.
  • I can calculate SLE and ALE when given values.
  • I can choose SLA, NDA, MOU, and rules of engagement correctly.
  • I understand vendor due diligence and ongoing monitoring.
  • I understand data minimization, retention, disposal, audits, and awareness measurement.

Final confidence checklist

Before submitting an answer, ask:

  • Did I answer the word FIRST, BEST, or MOST appropriate correctly?
  • Did I select the control closest to the actual layer of the problem?
  • Did I avoid a choice that increases exposure or destroys visibility?
  • Did I apply least privilege and limit blast radius?
  • Did I preserve evidence when required?
  • Did I include validation after remediation?
  • Did I distinguish a governance issue from a purely technical issue?
  • Did I reject convenience-based options that bypass approval, documentation, or monitoring?

Final One-Page Mental Model

When uncertain, reduce the problem to this sequence:

  1. Protect the right property: confidentiality, integrity, availability, identity, evidence, or compliance.
  2. Use the right layer: endpoint, network, application, identity, data, physical, or governance.
  3. Reduce exposure: least privilege, segmentation, secure defaults, minimized attack surface.
  4. Respond in the right order: detect, analyze, contain, eradicate, recover, learn.
  5. Preserve visibility: logs, time synchronization, evidence handling, monitoring.
  6. Validate the result: rescan, retest, audit, and track closure.
  7. Govern the lifecycle: owners, approvals, contracts, exceptions, reviews, retention, and disposal.

If two answers remain plausible, prefer the one that addresses the stated requirement most directly, creates the smallest blast radius, preserves evidence and visibility, and can be measured or validated afterward.

lock_open

Unlock the full course

All 66 modules with detailed explanations, code examples, and exam tips.

workspace_premium
You've answered 0 of 35 free questions 1065 questions locked : these will appear on exam day.
0/35
rocket_launch Unlock All
event_available
Day 1 of 16 72 questions/day Finish by Jul 28, 2026
Question 1 of 1100
Threats, Vulnerabilities, and Mitigations · 22%

While reviewing the clinical application at a media company, several public servers must remain reachable from the internet, but they should not have unrestricted access to internal databases. Which choice BEST explains the situation?

0 correct
0 wrong
1100 left
0% done