This free CompTIA Security+ study guide covers every domain the current SY0-701 exam tests, organized to CompTIA’s official exam objectives.[2] Security+ is the industry’s baseline cybersecurity certification — it validates the core skills to assess security, monitor environments, respond to incidents, and operate with an awareness of laws and policies.
It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.
The Security+ SY0-701 exam has five domains, and we teach each one as its own module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives — not a full networking-and-security textbook.
CompTIA Security+ is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.
Security+ (SY0-701) Exam Snapshot
| Detail | Security+ (SY0-701) |
|---|---|
| Questions | Maximum of 90 |
| Format | Multiple-choice + performance-based (PBQs) |
| Time | 90 minutes |
| Passing score | 750 (on a scale of 100–900; scaled scoring) |
| Exam code | SY0-701 (launched November 2023) |
| Delivered by | Pearson VUE (test center or online proctored) |
| Certifying body | CompTIA |
| Recommended prep | Network+ and ~2 years of IT security experience (not required) |
| Cost | ≈ $425 USD (single voucher, U.S., 2026) |
| Valid for | 3 years — renew with 50 CEUs (CompTIA CE program) |
Two domains dominate. Security Operations (28%) and Threats, Vulnerabilities & Mitigations (22%) together are half the exam, so invest there first.[2] Study by weight:
Module 1 · General Security Concepts
Domain 1.0 — 12% of the exam. This domain sets the vocabulary and mental models for everything else: the goals of security, how controls are categorized, the Zero Trust model, and the cryptography that underpins confidentiality, integrity, and trust.
1.1 CIA Triad, AAA & Control Types
Start with the goals. The CIA triad is the foundation of the entire exam: Confidentiality (only authorized people can read the data), Integrity (the data is accurate and unaltered), and Availability (authorized users can access it when needed). Security+ adds non-repudiation and the AAA pillars: authentication, authorization, and accounting.
- Confidentiality — Only authorized people can read the data. Enforced by encryption, access control, and least privilege.
- Integrity — Data is accurate and unaltered. Enforced by hashing, digital signatures, and checksums.
- Availability — Authorized users can access data when needed. Enforced by redundancy, backups, and DDoS defense.
Every safeguard is a security control. The exam asks you to classify them two ways: by category (technical, managerial, operational, physical) and by function (preventive, deterrent, detective, corrective, compensating, directive). A firewall is a technical, preventive control; a security camera is a physical, detective (and deterrent) control; restoring from backup is corrective.
Four categories (who/what implements it)
- Technical — Implemented by technology: firewalls, encryption, MFA, antivirus.
- Managerial — Administrative: policies, risk assessments, security planning.
- Operational — Carried out by people: awareness training, guard duty, configuration management.
- Physical — Tangible: locks, fences, badges, cameras, bollards.
Six functions (what it does)
- Preventive — Stops it before it happens (firewall rule, lock).
- Deterrent — Discourages an attacker (warning sign, lighting).
- Detective — Finds it during/after (IDS, log review, camera).
- Corrective — Fixes after the fact (restore backup, patch).
- Compensating — An alternative when the primary control can't be used.
- Directive — Directs behavior (policy, procedure).
| Control | Category | Function |
|---|---|---|
| Firewall rule blocking a port | Technical | Preventive |
| Security awareness training | Operational | Preventive / Directive |
| Intrusion detection system (IDS) | Technical | Detective |
| Restoring from a backup | Technical | Corrective |
| Warning sign / lighting | Physical | Deterrent |
| Risk assessment policy | Managerial | Directive |
1.2 Zero Trust & Physical Security
Zero Trust is a major SY0-701 theme. The old “castle-and-moat” model trusted anything inside the network; Zero Trust removes that implicit trust and verifies every request.
CompTIA splits it into a control plane (the Policy Engine decides grant or deny; the Policy Administrator executes) and a data plane (the Policy Enforcement Point allows or blocks each request). Key ideas: adaptive identity, threat-scope reduction, and policy-driven access.[3]
Control plane (the brain)
- Policy Engine (PE) — decides grant or deny using identity, device health, and context.
- Policy Administrator (PA) — executes the decision and sets up the session.
- Adaptive identity, threat scope reduction, policy-driven access.
Data plane (the muscle)
- Policy Enforcement Point (PEP) — allows or blocks each request to a resource.
- Implicit trust zones are removed — every request is verified.
- Subject/system → PEP → protected resource.
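The control-plane/data-plane split above, as an added Python example that is not part of the original guide. The Policy Engine evaluates identity, device health, and context; the Policy Administrator turns a grant into a session; the Policy Enforcement Point only checks that session. The class names, the resource-to-role mapping, and the sample requests are constructed for illustration.

```python
# Added example (not from the study guide): a minimal Zero Trust request flow.
# The names, rule set and resource->role mapping below are constructed for
# illustration, not taken from any product or from the guide itself.
from dataclasses import dataclass

@dataclass
class Request:
    subject: str
    role: str
    mfa: bool
    device_compliant: bool
    network: str      # "corp" or "unknown"; being on-net grants no implicit trust
    resource: str

@dataclass
class Decision:
    allow: bool
    reason: str

# Hypothetical mapping: sensitive resource -> the role allowed to reach it.
SENSITIVE_RESOURCES = {"hr-db": "hr", "finance-db": "finance"}

class PolicyEngine:
    """Control plane: decides grant or deny from identity, device health and context."""
    def evaluate(self, req: Request) -> Decision:
        if not req.device_compliant:
            return Decision(False, "device not compliant")
        if not req.mfa:
            return Decision(False, "MFA required")
        needed_role = SENSITIVE_RESOURCES.get(req.resource)
        if needed_role is not None:
            # Threat-scope reduction: sensitive data needs the matching role
            # and is never served to an unknown network, even with that role.
            if req.role != needed_role:
                return Decision(False, "role not authorized for resource")
            if req.network != "corp":
                return Decision(False, "sensitive resource off-network")
        return Decision(True, "policy satisfied")

class PolicyAdministrator:
    """Control plane: on a grant, sets up the session the enforcement point will honor."""
    def __init__(self):
        self.sessions = set()
    def establish(self, req: Request, decision: Decision) -> None:
        key = (req.subject, req.resource)
        if decision.allow:
            self.sessions.add(key)
        else:
            self.sessions.discard(key)   # a deny also tears down any earlier session

class EnforcementPoint:
    """Data plane: allows or blocks the actual request; it never decides policy itself."""
    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa
    def access(self, req: Request) -> bool:
        return (req.subject, req.resource) in self.pa.sessions

def decide(req: Request):
    """Run one request through PE -> PA -> PEP; returns (allowed, reason)."""
    pe, pa = PolicyEngine(), PolicyAdministrator()
    pep = EnforcementPoint(pa)
    decision = pe.evaluate(req)
    pa.establish(req, decision)
    return pep.access(req), decision.reason
```

Note that the corporate network alone never produces a grant: a compliant, MFA-authenticated user on the corporate network is denied the HR database if their role does not match, which is the "no implicit trust zones" idea in code.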
Physical security is still on the exam: fencing, bollards, lighting, locks, badges, access control vestibules (mantraps), and sensors. So is deception and disruption technology — a honeypot is a decoy system to lure and study attackers; a honeynet is a network of them; honeyfiles and honeytokens are bait data that should never be touched, so any access is a clear alert.
| Term | What it is |
|---|---|
| Honeypot | A single decoy system that lures attackers away from real assets and records their behavior |
| Honeynet | A network of honeypots that mimics a real environment |
| Honeyfile | A bait file (e.g., 'passwords.xlsx') that triggers an alert when opened |
| Honeytoken | Fake data (a credential, record, or API key) that signals compromise when used |
1.3 Cryptography & PKI
Cryptography is the most technical part of Domain 1. There are three families: symmetric (one shared key, fast — AES), asymmetric (a public/private key pair — RSA, ECC), and hashing (a one-way digest — SHA-256). They solve different problems: encryption for confidentiality, hashing for integrity.
- Symmetric (one shared secret key) — Bulk encryption, fast (AES, ChaCha20). Both sides share the same key; key distribution is the hard part.
- Asymmetric (a public/private key pair) — Key exchange, digital signatures, PKI (RSA, ECC). Encrypt with one key, decrypt with the other.
- Hashing (no key, one-way) — Integrity and password storage (SHA-256, bcrypt). Same input → same fixed-length digest; cannot be reversed.
Know which key does what. To send something only the recipient can read, encrypt with their public key. To prove a message is from you, create a digital signature by signing with your private key. Because asymmetric crypto is slow, real systems are hybrid: asymmetric exchanges a fast symmetric session key (this is how TLS works).
- Confidentiality (encrypt for someone) — Encrypt with the recipient's PUBLIC key; only their private key can decrypt it.
- Authentication / integrity (sign) — Sign with YOUR PRIVATE key; anyone can verify with your public key, which proves it came from you.
- Speed / bulk data — Use a SYMMETRIC session key; asymmetric is slow, so it's used only to exchange the fast symmetric key (hybrid).
Passwords are never encrypted — they’re hashed with a unique salt so identical passwords don’t share a hash and rainbow tables fail. Other building blocks: digital certificates and PKI (X.509), issued by a certificate authority (CA) and checked for revocation via a CRL or OCSP; hardware roots of trust like the TPM and HSM; key escrow; and steganography (hiding data inside other data).
1. Root CA — A trusted Certificate Authority's self-signed root, distributed in OS/browser trust stores. Kept offline.
2. Intermediate CA — Signed by the root; issues end-entity certificates so the root key stays protected.
3. Server / end-entity certificate — Binds a public key to an identity (domain). Sent during the TLS handshake (X.509).
4. Client validation — The client builds the chain to a trusted root, checks the signature, expiry, and revocation (CRL/OCSP), then trusts it.
| Goal | Use… | Example |
|---|---|---|
| Encrypt bulk data fast | Symmetric encryption | AES-256 |
| Securely exchange a key / sign | Asymmetric encryption | RSA, ECC, Diffie-Hellman |
| Verify integrity | Hashing | SHA-256 |
| Store passwords safely | Salted hashing / KDF | bcrypt, Argon2, PBKDF2 |
| Prove identity to a website | Digital certificate (PKI) | X.509 over TLS |
| Protect keys in hardware | TPM / HSM | BitLocker with TPM |
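The two hashing rows of the table (integrity digest, salted password storage with a KDF), as an added Python example that is not part of the original guide. It uses only the standard library, so it shows SHA-256 and PBKDF2 rather than bcrypt or Argon2, and it does not cover the asymmetric rows. The storage format string and the sample passwords are constructed for the example.

```python
# Added example (not from the study guide): integrity digests and salted
# password hashing with a key-derivation function, standard library only.
import hashlib
import hmac
import os

def sha256_hex(data: bytes) -> str:
    """Integrity: the same input always yields the same 64-hex-char digest,
    and flipping one bit of the input changes the whole digest."""
    return hashlib.sha256(data).hexdigest()

def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.
    A fresh random salt per user means two users with the same password
    get different records, so precomputed (rainbow) tables are useless.
    The iteration count is kept modest here; raise it in production."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_differs(password: str) -> bool:
    """Demonstrates the salt's job: identical passwords must not share a stored hash."""
    return hash_password(password) != hash_password(password)
```

The record carries its own salt and iteration count, which is what lets you raise the cost factor later and re-hash users at their next login without breaking verification of older records.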
Checkpoint · General Security Concepts
In cybersecurity, what is a 'honeypot' primarily used for?
Module 2 · Threats, Vulnerabilities & Mitigations
Domain 2.0 — 22% of the exam. This is the “attacks” domain: who attacks, how they get in, what weaknesses they exploit, and how you stop them. It’s the second-largest domain, so learn the vocabulary cold.
2.1 Threat Actors & Vectors
A threat actor is whoever carries out an attack. Rank them by sophistication and resources: nation-state actors (an advanced persistent threat, APT) are the most capable and best-funded, motivated by espionage; organized crime is profit-driven; hacktivists pursue a cause; an insider threat misuses authorized access; and unskilled attackers (“script kiddies”) use others’ tools. Watch for shadow IT — unsanctioned tools that create unmanaged risk.
Actors get in through threat vectors and attack surfaces: email and messages, malicious files and images, removable media (a dropped USB), voice calls, unsecured networks, and the supply chain (a compromised vendor, MSP, or software update). Reducing the attack surface — fewer exposed services, ports, and entry points — is a recurring theme.
| Actor | Resources | Typical motivation |
|---|---|---|
| Nation-state / APT | Highest | Espionage, strategic disruption |
| Organized crime | High | Financial gain |
| Hacktivist | Variable | Ideology / a cause |
| Insider threat | Trusted access | Revenge, money, or unintentional |
| Unskilled attacker | Low | Notoriety, curiosity (uses others' tools) |
2.2 Social Engineering
Social engineering attacks the human, not the machine. The headliner is phishing (fraudulent email); its variants are vishing (voice), smishing (SMS), spear phishing (targeted), and whaling (executives). Business email compromise (BEC) impersonates a trusted leader or vendor to authorize fraudulent payments. Other techniques: pretexting, pharming, watering-hole attacks, typosquatting, brand impersonation, and disinformation.[8]
Defenses are layered: user awareness training and phishing simulations on the human side, plus email authentication (SPF, DKIM, DMARC) to block spoofed senders on the technical side.
| Attack | How it works |
|---|---|
| Phishing | Fraudulent email to steal credentials or deliver malware |
| Vishing | The same, by voice phone call |
| Smishing | The same, by SMS text message |
| Spear phishing / whaling | Targeted at a specific person / at executives |
| Business email compromise | Impersonates an executive or vendor to authorize fraudulent payment |
| Watering hole | Compromises a site the target group is known to visit |
| Typosquatting | Registers misspelled domains to catch mistyped traffic |
2.3 Vulnerabilities & Malware
Memorize the zoo: ransomware (encrypts data, demands payment), a trojan (disguised as legitimate software), worm (self-propagating), virus (needs a host), spyware/keylogger, rootkit (hides at the kernel level), and a logic bomb (triggers on a condition).[7]
Then the vulnerabilities attackers exploit. Application flaws: buffer overflow, race condition (TOCTOU), and memory injection. Web flaws: SQL injection and cross-site scripting (XSS). Plus misconfiguration, weak/default credentials, unpatched systems, and the zero-day (no patch exists yet). Common attacks to recognize include on-path (man-in-the-middle), replay, DNS/ARP poisoning, and DDoS.
| Vulnerability | What it is | Primary mitigation |
|---|---|---|
| SQL injection | Malicious SQL in input runs on the database | Parameterized queries + input validation |
| Cross-site scripting (XSS) | Injected script runs in another user's browser | Output encoding + Content Security Policy |
| Buffer overflow | Overwriting memory beyond a buffer | Bounds checking, ASLR, secure coding |
| Race condition (TOCTOU) | Exploiting timing between check and use | Locking / atomic operations |
| Zero-day | Unknown, unpatched vulnerability | Defense in depth, behavior-based detection |
| Misconfiguration | Insecure default or setting | Secure baselines + hardening |
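The SQL injection row of the table, as an added Python example that is not part of the original guide: the same lookup written two ways, with the mitigation the table names (parameterized query plus input validation) beside the flawed version. The in-memory sqlite3 database, its users table, and the probe string are constructed for the example.

```python
# Added example (not from the study guide): why parameterized queries fix
# SQL injection. Everything here (table, rows, probe input) is constructed.
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Untrusted input is pasted into the statement text, so the database
    # cannot tell data from code: a quote in the input rewrites the WHERE clause.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the value travels separately from the statement and
    # is only ever compared as a string, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def validate_username(username: str) -> bool:
    # Input validation as the second layer: allow-list the expected shape
    # instead of trying to block specific bad characters.
    return username.isascii() and username.isalnum() and 1 <= len(username) <= 32
```

The vulnerable function returns every row when the input contains a quote followed by an always-true condition; the parameterized function returns nothing for that same input because no username literally equals that string. Validation on top rejects the input before it reaches the database at all.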
2.4 Mitigation Techniques
The domain ends with how you reduce risk: hardening (secure baselines, disabling unused services), patch management, encryption, network segmentation and isolation, access control and least privilege, application allow-listing, sandboxing, monitoring, and configuration enforcement. The unifying idea is defense in depth — layers, so one failure doesn’t mean a breach.
Checkpoint · Threats, Vulnerabilities & Mitigations
Which of the following is a type of malware that requires user interaction to activate and replicate, often disguised as legitimate software?
Module 3 · Security Architecture
Domain 3.0 — 18% of the exam. This domain is about designing secure systems: the trade-offs of different architecture models, building secure infrastructure, protecting data in all its states, and engineering resilience so the business survives a disruption.
3.1 Architecture Models & Cloud
Know the major models and their security trade-offs: on-premises vs. cloud, virtualization, containerization, serverless, microservices, software-defined networking (SDN), and infrastructure as code (IaC). In the cloud, the most-tested idea is the shared responsibility model: the provider secures the infrastructure (“security of the cloud”); the customer secures their data, identities, and configuration (“security in the cloud”). Where the line falls depends on IaaS vs. PaaS vs. SaaS.
Specialized systems carry extra risk: IoT, embedded systems, and ICS/SCADA (industrial control systems) often can’t be patched easily and need segmentation and compensating controls.
| Model | Provider secures | Customer secures |
|---|---|---|
| IaaS | Physical, network, hypervisor | OS, apps, data, access (the most) |
| PaaS | Up through the runtime/platform | Apps, data, and access |
| SaaS | Almost everything | Data and access (the least) |
3.2 Secure Infrastructure
Build the network for security. Use security zones and device placement (a DMZ for public-facing servers), and the right appliance for the job: firewalls (a WAF for web apps, an NGFW/UTM for layered inspection), IDS/IPS (detect vs. block), proxies, a jump server for admin access, and load balancers.
Know fail-open vs. fail-closed, active vs. passive inspection, and inline vs. tap/monitor placement. On the access layer, 802.1X with EAP and port security control who connects.
| Device | Role |
|---|---|
| Firewall (NGFW/UTM) | Filters traffic by rules; NGFW adds app awareness and inspection |
| WAF | Protects web apps from injection, XSS, and other layer-7 attacks |
| IDS | Detects and alerts on suspicious traffic (passive) |
| IPS | Detects and blocks suspicious traffic inline (active) |
| Proxy / web filter | Mediates and filters outbound web requests |
| Jump server | A hardened pivot host for administering internal systems |
| Load balancer | Distributes traffic across servers for availability and scale |
3.3 Data Protection
Protect data in all three states: at rest (encrypt the disk/database), in transit (TLS), and in use (secure enclaves). Drive the level of protection with data classification (public → sensitive → confidential → critical). Beyond encryption, you can de-identify data with masking or hashing, and stop exfiltration with data loss prevention (DLP).
| State | Where the data is | Primary control |
|---|---|---|
| At rest | Stored on disk, database, or backup | Encryption (e.g., AES) + access control |
| In transit | Moving across a network | TLS / VPN encryption |
| In use | Being processed in memory | Secure enclave / trusted execution |
3.4 Resilience & Recovery
Engineer for survival. High availability comes from redundancy: load balancing and clustering, multiple power feeds with UPS and generators, RAID, and geographic dispersion across sites. Recovery sites trade cost for speed — a hot site is ready immediately, a warm site needs some setup, and a cold site is just space and power. Back up using the 3-2-1 rule.
The exam loves the recovery metrics: RTO (how fast you must be back up), RPO (how much data you can afford to lose), plus MTBF (mean time between failures) and MTTR (mean time to repair). Test plans with tabletop exercises, failover, parallel processing, and simulations.
| Term | Meaning |
|---|---|
| Hot site | Fully equipped, near-instant failover (most expensive) |
| Warm site | Partially equipped; some setup needed |
| Cold site | Space and utilities only; longest to bring online (cheapest) |
| RTO | Maximum acceptable downtime to restore a system |
| RPO | Maximum acceptable data loss, measured back to the last backup |
| MTBF / MTTR | Mean time between failures / mean time to repair |
Checkpoint · Security Architecture
What is the primary purpose of using a WAF (Web Application Firewall)?
Module 4 · Security Operations
Domain 4.0 — 28% of the exam, the single largest domain. This is the day-to-day work of security: hardening and managing assets, finding and fixing vulnerabilities, monitoring, controlling identity and access, and responding when something goes wrong. Spend the most time here.
4.1 Hardening, Assets & Vulnerability Management
Apply hardening from secure baselines across all targets — servers, workstations, mobile (MDM with BYOD/COPE), and wireless (use WPA3). Manage assets through their whole life: acquisition, inventory, and secure disposal/sanitization (wiping or destroying media).
Vulnerability management is a cycle: scan, then prioritize using CVSS severity and CVE identifiers, confirm findings (true vs. false positive), remediate, and rescan to validate. A penetration test goes further by actually exploiting weaknesses; responsible disclosure and bug bounties bring in outside researchers.[9]
| Step | What happens |
|---|---|
| Identify / scan | Run vulnerability scanners across assets |
| Analyze / prioritize | Score with CVSS, map to CVEs, weed out false positives |
| Remediate | Patch, reconfigure, or apply a compensating control |
| Validate | Rescan to confirm the fix actually worked |
| Report | Document for stakeholders and compliance |
4.2 Monitoring & Enterprise Capabilities
Visibility is everything. A SIEM aggregates and correlates logs from across the enterprise to detect threats, generate alerts, and support investigations — but it must be tuned to avoid alert fatigue.[6]
Layer in enterprise controls: firewall and IDS/IPS rules, web and DNS filtering, email security (DKIM, DMARC, SPF), EDR/XDR on endpoints, file integrity monitoring, and sandboxing. Automate response with playbooks.
| Capability | What it provides |
|---|---|
| SIEM | Central log aggregation and correlation; alerting and investigation |
| EDR / XDR | Endpoint (and extended) detection and response |
| SOAR | Automated, orchestrated response via playbooks |
| DLP | Detects and blocks sensitive-data exfiltration |
| FIM | Alerts when critical files change unexpectedly |
| DNS / web filtering | Blocks access to malicious or disallowed sites |
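The SIEM row above describes correlation across log lines; here is an added Python example, not part of the original guide, of one such correlation rule run over constructed auth log lines: flag a source IP that fails login at least N times inside a sliding window, and raise the severity if a success follows the burst. The log format, IP addresses (documentation ranges), thresholds, and usernames are all constructed for the example.

```python
# Added example (not from the study guide): a brute-force correlation rule of
# the kind a SIEM runs, applied to constructed syslog-like auth lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; the IPs are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:06 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:07 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:05:00 sshd: Failed password for alice from 198.51.100.2
2024-05-01T10:30:00 sshd: Accepted password for alice from 198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(line: str):
    """Return (timestamp, outcome, user, ip) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    return datetime.fromisoformat(ts), outcome, user, ip

def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """One alert per source IP: {'ip', 'failures', 'success_after'}."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = {}                     # ip -> alert dict, so each IP alerts once
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, ip = ev
        q = failures[ip]
        if outcome == "Failed":
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(q), "success_after": False}
        elif ip in alerts:
            # A success after the burst is the higher-severity signal:
            # the guessing may have worked.
            alerts[ip]["success_after"] = True
    return list(alerts.values())
```

Tuning is the threshold and window: too low and a user who fat-fingers a password twice trips it (alert fatigue, as the text warns); too high and a slow, patient attempt never does. The "success after failures" flag is what an analyst would triage first.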
4.3 Identity & Access Management
Identity and access management (IAM) governs who can do what. It spans the identity lifecycle (provisioning and prompt deprovisioning when someone leaves), single sign-on (SSO) and federation (SAML, OAuth, OIDC, LDAP), and strong authentication with multi-factor authentication (MFA).
Master the access-control models: RBAC (by role), MAC (by labels/clearance, high-security), DAC (owner decides), and ABAC (by attributes/context). Apply least privilege and separation of duties, and protect admin accounts with privileged access management, PAM (vaulting, just-in-time, ephemeral access).
| Factor | Category | Example |
|---|---|---|
| Something you know | Knowledge | Password, PIN |
| Something you have | Possession | Authenticator app, smart card, token |
| Something you are | Inherence | Fingerprint, face, iris |
| Somewhere you are | Location | GPS / network location (contextual) |
| Model | Who decides access |
|---|---|
| RBAC | Permissions follow the user's ROLE |
| MAC | The SYSTEM enforces labels/clearances (mandatory) |
| DAC | The resource OWNER decides (discretionary) |
| ABAC | ATTRIBUTES and context (user, resource, environment) |
4.4 Incident Response & Forensics
When prevention fails, you respond. CompTIA follows the incident response lifecycle (NIST SP 800-61): preparation; detection & analysis; containment, eradication & recovery; and post-incident activity (lessons learned and root cause analysis). Prepare with playbooks, training, tabletop exercises, and threat hunting.[4]
- Phase 1, Preparation — Build the team, tools, playbooks, and training before an incident, plus hardening and logging.
- Phase 2, Detection & Analysis — Identify and validate the incident using indicators of compromise, SIEM alerts, and logs; determine scope.
- Phase 3, Containment, Eradication & Recovery — Limit the damage, remove the threat (malware, accounts, footholds), then restore systems to normal.
- Phase 4, Post-Incident Activity — Lessons learned, root cause analysis, and report; feed improvements back into Preparation.
Digital forensics preserves evidence: apply a legal hold, maintain a chain of custody (who handled what, when), acquire data in a sound order of volatility, and document everything so it’s admissible. Useful data sources include firewall, application, endpoint, and OS logs.
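The chain-of-custody and documentation points above, as an added Python example that is not part of the original guide: an evidence record that hashes the acquired data at collection, appends a custody entry for every handler and action, and can re-verify a working copy against the acquisition hash at any later point. The class, its field names, and the sample evidence bytes are constructed for the example.

```python
# Added example (not from the study guide): a constructed evidence record
# combining an integrity hash with a chain-of-custody log.
import hashlib
from datetime import datetime, timezone

def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence as acquired; any later change alters this value."""
    return hashlib.sha256(data).hexdigest()

class EvidenceRecord:
    """Chain of custody: who handled the item, when, and what they did,
    anchored to the hash taken at acquisition."""
    def __init__(self, item_id: str, description: str, data: bytes, collected_by: str):
        self.item_id = item_id
        self.description = description
        self.acquisition_hash = fingerprint(data)
        self.entries = []
        self.log("collected", collected_by, f"sha256={self.acquisition_hash}")

    def log(self, action: str, handler: str, note: str = "") -> None:
        """Append-only: entries are numbered and timestamped, never edited."""
        self.entries.append({
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "note": note,
        })

    def verify(self, data: bytes, handler: str) -> bool:
        """Re-hash a working copy and record the outcome either way."""
        ok = fingerprint(data) == self.acquisition_hash
        self.log("verified" if ok else "INTEGRITY FAILURE", handler)
        return ok

    def export(self) -> str:
        """Plain-text custody report for the case file."""
        lines = [f"Item {self.item_id}: {self.description}",
                 f"Acquisition SHA-256: {self.acquisition_hash}"]
        for e in self.entries:
            lines.append(f"{e['seq']:>3}  {e['time']}  {e['handler']:<10} {e['action']}  {e['note']}")
        return "\n".join(lines)
```

Logging the failed verification, rather than only the successful ones, is deliberate: a gap in the record is exactly what opposing counsel looks for, so the record should show what was checked and when, including the check that failed.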
Checkpoint · Security Operations
Which cybersecurity term describes a small piece of data used to identify and authenticate a user's session?
Module 5 · Security Program Management & Oversight
Domain 5.0 — 20% of the exam. This is the governance, risk, and compliance (GRC) side: the policies and structures that run a security program, how organizations measure and treat risk, managing third parties, and staying compliant. It’s less technical but heavily tested — learn the vocabulary and the formulas.
5.1 Governance
Governance is the framework that directs security: policies (AUP, incident response, business continuity, disaster recovery, SDLC, change management), standards (password, encryption, access control), and procedures (step-by-step playbooks, onboarding/offboarding). Oversight comes from boards, committees, and regulators, and clear data roles assign accountability.[10]
| Role | Responsibility |
|---|---|
| Data owner | Accountable for the data; sets its classification |
| Data controller | Determines why and how personal data is processed |
| Data processor | Processes data on the controller's behalf |
| Data custodian / steward | Implements controls and maintains data quality day-to-day |
5.2 Risk Management
Risk management runs in a cycle: identify, assess, analyze, and treat. Analysis is qualitative (rate likelihood × impact as low/medium/high) or quantitative (put dollars on it). The quantitative formulas are exam favorites: SLE = asset value × exposure factor; ALE = SLE × ARO.[5] Track everything in a risk register with an owner and threshold, set against the organization’s risk appetite.
Then choose a response: mitigate (reduce with controls), transfer (insurance/outsourcing), avoid (stop the activity), or accept (within appetite). A business impact analysis (BIA) ranks what matters most and sets RTO/RPO.
| Term | Formula / meaning | Example |
|---|---|---|
| Exposure Factor (EF) | % of asset value lost per event | 40% of a server |
| Single Loss Expectancy (SLE) | Asset value × EF | $50,000 × 0.40 = $20,000 |
| Annualized Rate of Occurrence (ARO) | Events expected per year | 2 times/year |
| Annualized Loss Expectancy (ALE) | SLE × ARO | $20,000 × 2 = $40,000/yr |
| Strategy | What you do | Example |
|---|---|---|
| Mitigate | Reduce likelihood/impact with controls | Add MFA and patching |
| Transfer | Shift the financial risk to another party | Buy cyber insurance |
| Avoid | Stop the risky activity entirely | Discontinue a vulnerable feature |
| Accept | Acknowledge and take no further action | Risk is within appetite |
5.3 Third-Party Risk & Compliance
Vendors are an attack surface. Assess them with due diligence, right-to-audit clauses, penetration testing, and supply-chain analysis, and formalize the relationship with agreements. Learn the acronyms: SLA, MOU / MOA, MSA, SOW/WO, NDA, and BPA.
Compliance means meeting laws and regulations. Failure brings consequences — fines, sanctions, reputational damage, even loss of license. Privacy is central: know the difference between a data controller and processor, data retention, and the right to be forgotten.
| Agreement | What it covers |
|---|---|
| SLA | Service Level Agreement — guaranteed service levels and metrics |
| MOU / MOA | Memorandum of Understanding/Agreement — intentions between parties |
| MSA | Master Service Agreement — overarching terms for ongoing work |
| SOW / WO | Statement/Work Order — the specific deliverables and tasks |
| NDA | Non-Disclosure Agreement — confidentiality obligations |
| BPA | Business Partners Agreement — terms between business partners |
5.4 Audits & Security Awareness
Audits and assessments verify the program works — internal vs. external, attestation, and regulatory exams. Penetration tests are classified by knowledge given to the tester: known (white-box), partially known (gray-box), and unknown (black-box) environments, and reconnaissance can be passive or active.
Finally, security awareness is itself a program: phishing campaigns, recognizing anomalous behavior, user training and guidance, and ongoing reporting and monitoring. People are both the biggest risk and the strongest control — a trained workforce is a force multiplier.
| Type | Tester's knowledge |
|---|---|
| Known environment (white-box) | Full information about the target |
| Partially known (gray-box) | Limited information |
| Unknown environment (black-box) | No prior information — simulates an outsider |
Checkpoint · Security Program Management & Oversight
Which concept in risk management involves determining the impact of an adverse event that may affect the assets, resources, or operations of an organization?
How to Use This Security+ Study Guide
This guide is built to be worked, not just read. The most efficient path to a pass:
- Study by weight. Security Operations (28%) and Threats, Vulnerabilities & Mitigations (22%) are half the exam — start there, then Program Management, Architecture, and General Concepts.
- Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
- Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
- Practice the PBQs. Performance-based questions reward hands-on knowledge — drill commands, log reading, and configuration concepts, not just definitions.
- Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 750.
Security+ Concept Questions
Core Security+ concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.
Security+ Glossary
The high-yield Security+ terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.
- 3-2-1 backup rule
- Keep 3 copies of data, on 2 different media, with 1 copy offsite.
- AAA
- Authentication (proving identity), Authorization (granting access rights), and Accounting (logging what was done).
- ABAC
- Attribute-Based Access Control — access decided by attributes and context (user, resource, environment).
- Advanced persistent threat
- A skilled, well-resourced (often nation-state) adversary that maintains long-term, stealthy access to a network.
- ALE
- Annualized Loss Expectancy — expected yearly loss from a risk (SLE × ARO).
- ARO
- Annualized Rate of Occurrence — how many times per year a risk is expected to happen.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC); data encrypted with one key is decrypted only with the other.
- Buffer overflow
- Writing more data than a buffer can hold, overwriting adjacent memory — potentially to run attacker code.
- Business email compromise
- An attack impersonating a trusted executive or vendor to authorize fraudulent payments or data transfers.
- Certificate Authority
- A trusted entity that issues and signs digital certificates, vouching for the identity bound to a public key.
- Chain of custody
- Documentation tracking who handled evidence, when, and how — to keep it admissible.
- CIA triad
- The three core goals of information security — Confidentiality (only authorized access), Integrity (data is unaltered), and Availability (accessible when needed).
- Containerization
- Packaging an app with its dependencies in an isolated container that shares the host OS kernel (e.g., Docker).
- CRL
- Certificate Revocation List — a published list of certificates a CA has revoked before expiry.
- Cross-site scripting
- An attack injecting malicious script into a trusted site that runs in another user's browser (stored, reflected, or DOM-based).
- CVE
- Common Vulnerabilities and Exposures — a public catalog of unique IDs for known vulnerabilities.
- CVSS
- Common Vulnerability Scoring System — a 0–10 score rating the severity of a vulnerability.
- DAC
- Discretionary Access Control — the resource owner decides who gets access.
- Data at rest
- Data stored on a disk, database, or backup — protected with encryption and access control.
- Data classification
- Labeling data by sensitivity (e.g., public, sensitive, confidential, critical) to apply the right controls.
- Data in transit
- Data moving across a network — protected with TLS and other transport encryption.
- Data in use
- Data actively being processed in memory — protected by techniques such as secure enclaves.
- Defense in depth
- Layering multiple independent controls so the failure of one doesn't expose the asset.
- Digital certificate
- An X.509 file binding a public key to a verified identity, signed by a CA, used to establish trust (e.g., in TLS).
- Digital signature
- A hash of a message encrypted with the signer's private key; proves integrity and authenticity (non-repudiation).
- DLP
- Data Loss Prevention — tools that detect and block unauthorized movement of sensitive data.
- Due diligence
- The investigation and care taken to identify risks before entering an agreement or activity.
- EDR
- Endpoint Detection and Response — continuously monitors endpoints to detect, investigate, and respond to threats.
- Federation
- Allowing identities from one domain to access resources in another via a trust relationship (e.g., SAML, OIDC).
- Governance
- The policies, standards, procedures, and oversight structures that direct a security program.
- Hardening
- Reducing a system's attack surface by removing unneeded services, applying secure baselines, and patching.
- Hashing
- A one-way function producing a fixed-length digest of input (e.g., SHA-256); used for integrity and password storage, not reversible.
- High availability
- Designing systems to remain operational with minimal downtime through redundancy and failover.
- HSM
- Hardware Security Module — a dedicated, tamper-resistant device for generating, storing, and using cryptographic keys.
- IaC
- Infrastructure as Code — defining and provisioning infrastructure through machine-readable, version-controlled files.
- Identity and access management
- The policies and tools that manage digital identities and control access to resources.
- Incident response lifecycle
- The NIST phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
- Insider threat
- A current or former employee, contractor, or partner who misuses authorized access to harm the organization.
- Least privilege
- Granting only the minimum access needed to perform a task — limits the blast radius of a compromise.
- Legal hold
- A directive to preserve relevant data when litigation or investigation is anticipated.
- Logic bomb
- Malicious code that executes when a specific condition is met (e.g., a date or an event).
- MAC
- Mandatory Access Control — access enforced by labels/clearances set by the system, used in high-security environments.
- Malware
- Malicious software — including ransomware, trojans, worms, viruses, spyware, rootkits, and keyloggers.
- MFA
- Multi-factor authentication — requiring two or more factors from different categories (something you know, something you have, something you are).
- MOU
- Memorandum of Understanding — a non-binding agreement outlining mutual intentions between parties.
- Non-repudiation
- Assurance that someone cannot deny having performed an action; provided by digital signatures and logging.
- OCSP
- Online Certificate Status Protocol — a real-time query to check whether a certificate is revoked.
- On-path attack
- An attacker secretly relaying or altering traffic between two parties (formerly 'man-in-the-middle').
- PAM
- Privileged Access Management — controls, vaults, and audits privileged (admin) accounts, often with just-in-time access.
- Penetration test
- An authorized simulated attack to find and exploit weaknesses before real attackers do.
- Phishing
- A fraudulent message (usually email) that tricks the victim into revealing credentials or running malware.
- PKI
- Public Key Infrastructure — the CAs, policies, and keys that issue and manage digital certificates.
- Policy Enforcement Point
- The Zero Trust data-plane component that allows or blocks each actual request to a resource.
- Policy Engine
- The Zero Trust control-plane component that decides whether to grant or deny access using policy and context.
- Privilege escalation
- Gaining higher access rights than granted — vertical (to admin) or horizontal (to another user).
- Race condition
- A flaw where the outcome depends on the timing of events; the time-of-check to time-of-use (TOCTOU) bug is the classic case.
- Ransomware
- Malware that encrypts a victim's data and demands payment for the decryption key; often also steals data (double extortion).
- RBAC
- Role-Based Access Control — permissions assigned to roles, which users inherit.
- Right to be forgotten
- A privacy right allowing individuals to request deletion of their personal data.
- Risk appetite
- The amount and type of risk an organization is willing to accept in pursuit of its objectives.
- Risk register
- A documented list of identified risks with their owner, likelihood, impact, and treatment.
- Risk transference
- Shifting risk to another party, such as buying insurance or outsourcing.
- Rootkit
- Malware that hides deep in the system (often the kernel) to maintain stealthy, privileged access.
- RPO
- Recovery Point Objective — the maximum acceptable amount of data loss, measured as time since the last backup.
- RTO
- Recovery Time Objective — the maximum acceptable time to restore a system after an outage.
- Salting
- Adding unique random data to a password before hashing so identical passwords produce different hashes and rainbow tables fail.
- Security control
- A safeguard categorized as technical, managerial, operational, or physical, and by function (preventive, detective, etc.).
- Shadow IT
- Hardware, software, or services used without the IT/security team's approval or knowledge.
- Shared responsibility model
- Cloud division of duties: the provider secures the infrastructure; the customer secures data, identities, and configuration.
- SIEM
- Security Information and Event Management — collects and correlates logs across the enterprise to detect and investigate threats.
- SLA
- Service Level Agreement — a contract defining expected service levels and metrics with a provider.
- SLE
- Single Loss Expectancy — the expected dollar loss from a single occurrence (asset value × exposure factor).
- Smishing
- SMS phishing — a social-engineering attack delivered by text message.
- SOAR
- Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks.
- Social engineering
- Manipulating people into divulging information or performing actions that compromise security.
- SQL injection
- A web attack inserting malicious SQL into input so the database runs unintended commands; mitigated with parameterized queries.
- SSO
- Single Sign-On — one authentication grants access to multiple systems.
- Steganography
- Hiding data inside other data (e.g., within an image) so its very existence is concealed.
- Symmetric encryption
- Encryption using one shared secret key to both encrypt and decrypt (e.g., AES) — fast, but the key must be shared securely.
- Threat actor
- An individual or group that carries out an attack — e.g., nation-state, organized crime, hacktivist, insider, or unskilled attacker.
- Tokenization
- Replacing sensitive data with a non-sensitive token, with the real value stored securely elsewhere.
- TPM
- Trusted Platform Module — a hardware chip that securely stores keys and supports disk encryption and integrity checks.
- Trojan
- Malware disguised as legitimate software that performs a hidden malicious action when run.
- Vishing
- Voice phishing — a social-engineering attack carried out over a phone call.
- Zero Trust
- A model that removes implicit trust and verifies every request based on identity, device, and context — 'never trust, always verify.'
- Zero-day
- A vulnerability unknown to the vendor (no patch yet) that attackers can exploit.
Security+ Study Guide FAQ
The Security+ SY0-701 exam has a maximum of 90 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 90 minutes to complete it. Because PBQs are hands-on simulations, many candidates save them for last and triage their time.
You need a scaled score of 750 on a scale of 100 to 900. Because it's a scaled score, 750 does not equal a fixed percentage correct — performance-based questions can carry more weight than standard multiple-choice questions.
There are five domains: General Security Concepts (12%), Threats, Vulnerabilities, and Mitigations (22%), Security Architecture (18%), Security Operations (28%), and Security Program Management and Oversight (20%). SY0-701 reduced six domains to five and made Security Operations the largest.
Study by weight. Security Operations (28%) and Threats, Vulnerabilities & Mitigations (22%) together are half the exam, so master operations, threats, and mitigations first, then Architecture, Program Management, and General Concepts. Read each module, take the checkpoint, and drill gaps with our free practice test and flashcards.
A single Security+ exam voucher is about $425 in the United States (Pearson VUE, 2026); prices vary by region and bundle. Always confirm the current price on CompTIA's store before you buy, as promotions and voucher-plus-training bundles change.
The certification is valid for three years. You renew through CompTIA's Continuing Education (CE) program by earning 50 Continuing Education Units (CEUs) over the three years (or by passing a higher-level CompTIA exam), plus the annual CE fee.
No formal prerequisites are required to sit the exam. CompTIA recommends the Network+ certification and about two years of experience in IT with a security focus, but anyone can register and take Security+.
Security+ is a broad, entry-level cybersecurity exam — the challenge is breadth and the hands-on PBQs rather than deep specialization. This study guide, the checkpoints, the glossary, the practice test, and the flashcards are all 100% free with no account required.

