Career Employer

FREE CompTIA Security+ Study Guide 2026 (SY0-701)

The most important things the CompTIA Security+ SY0-701 exam tests — an interactive study guide with built-in quizzes and flashcards, organized by all 5 official domains.


This free CompTIA Security+ study guide covers every domain the current SY0-701 exam tests, organized to CompTIA’s official exam objectives.[2] Security+ is the industry’s baseline cybersecurity certification — it validates the core skills to assess security, monitor environments, respond to incidents, and operate with an awareness of laws and policies.

It’s interactive, not a wall of text: every module has built-in checkpoint quizzes, crawlable diagrams, flashcards, and practice questions, so you learn by doing — not just reading.

The Security+ SY0-701 exam has five domains, and we teach each one as its own module, leading with the heaviest-weighted content. Read a module, test yourself at each checkpoint, then drill gaps with our free practice test and flashcards. This guide is a high-yield overview mapped to the official objectives — not a full networking-and-security textbook.

CompTIA Security+ is one of the 14 CompTIA certifications — explore our CompTIA study guides to compare and prep across the whole family.

Security+ (SY0-701) Exam Snapshot

CompTIA Security+ SY0-701 exam at a glance
Detail | Security+ (SY0-701)
Questions | Maximum of 90
Format | Multiple-choice + performance-based (PBQs)
Time | 90 minutes
Passing score | 750 (on a scale of 100–900; scaled scoring)
Exam code | SY0-701 (launched November 2023)
Delivered by | Pearson VUE (test center or online proctored)
Certifying body | CompTIA
Recommended prep | Network+ and ~2 years of IT security experience (not required)
Cost | ≈ $425 USD (single voucher, U.S., 2026)
Valid for | 3 years — renew with 50 CEUs (CompTIA CE program)

Two domains dominate. Security Operations (28%) and Threats, Vulnerabilities & Mitigations (22%) together are half the exam, so invest there first.[2] Study by weight:

Security+ SY0-701 weighting by domain (CompTIA exam objectives)
Domain | Weight
4.0 Security Operations | 28% · biggest domain
2.0 Threats, Vulnerabilities & Mitigations | 22%
5.0 Security Program Mgmt & Oversight | 20%
3.0 Security Architecture | 18%
1.0 General Security Concepts | 12%

Module 1 · General Security Concepts

Domain 1.0 — 12% of the exam. This domain sets the vocabulary and mental models for everything else: the goals of security, how controls are categorized, the Zero Trust model, and the cryptography that underpins confidentiality, integrity, and trust.

1.1 CIA Triad, AAA & Control Types

Start with the goals. The CIA triad is the foundation of the entire exam: Confidentiality (only authorized people can read the data), Integrity (the data is accurate and unaltered), and Availability (authorized users can access it when needed). Security+ adds non-repudiation and the AAA pillars — authentication, authorization, and accounting.

Every safeguard is a security control. The exam asks you to classify them two ways: by category (technical, managerial, operational, physical) and by function (preventive, deterrent, detective, corrective, compensating, directive). A firewall is a technical, preventive control; a security camera is a physical, detective (and deterrent) control; restoring from backup is corrective.

Control categories vs. functions — worked examples
Control | Category | Function
Firewall rule blocking a port | Technical | Preventive
Security awareness training | Operational | Preventive / Directive
Intrusion detection system (IDS) | Technical | Detective
Restoring from a backup | Technical | Corrective
Warning sign / lighting | Physical | Deterrent
Risk assessment policy | Managerial | Directive

1.2 Zero Trust & Physical Security

Zero Trust is a major SY0-701 theme. The old “castle-and-moat” model trusted anything inside the network; Zero Trust removes that implicit trust and verifies every request.

CompTIA splits it into a control plane (the policy engine decides grant or deny; the policy administrator executes that decision) and a data plane (the policy enforcement point allows or blocks each request). Key ideas: adaptive identity, threat-scope reduction, and policy-driven access.[3]
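A minimal model of the two planes in code, added here as an illustration and not taken from CompTIA or this guide: a policy engine that decides each request from identity, device and risk signals, a policy enforcement point that consults it on every request, and the perimeter rule it replaces. The subjects, resources, risk thresholds and request fields are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")  # the perimeter the old model trusted


@dataclass(frozen=True)
class Request:
    subject: str            # who is asking
    source_ip: str          # where the request originates
    resource: str           # what is being accessed
    authenticated: bool     # identity verified for this request
    mfa_passed: bool        # strong authentication completed
    device_compliant: bool  # managed, patched, healthy endpoint
    risk_score: int         # 0 (benign) .. 100 (hostile), from upstream signals


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: anything inside the network is implicitly trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET


# Control plane.  Policy-driven access: who may reach which resource and the
# highest risk score tolerated there (adaptive identity).  Scoping each
# policy to one resource is the threat-scope reduction the guide mentions.
# All entries are constructed sample data.
POLICY: Dict[str, Dict] = {
    "payroll-db": {"allowed": {"alice"}, "max_risk": 20},
    "wiki": {"allowed": {"alice", "bob"}, "max_risk": 60},
}


def policy_engine(req: Request) -> Tuple[bool, str]:
    """Decides grant or deny for one request.  Network location is never an
    input; every check is about identity, device and context."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "no policy for resource"  # default deny
    if not req.authenticated:
        return False, "identity not verified"
    if not req.mfa_passed:
        return False, "MFA required"
    if not req.device_compliant:
        return False, "device not compliant"
    if req.subject not in rule["allowed"]:
        return False, "subject not authorized for resource"
    if req.risk_score > rule["max_risk"]:
        return False, f"risk {req.risk_score} exceeds limit {rule['max_risk']}"
    return True, "granted"


def policy_enforcement_point(req: Request) -> bool:
    """Data plane: consults the engine for EVERY request (no session-long
    trust) and allows or blocks accordingly.  The policy administrator's
    role of relaying the decision is collapsed into this direct call."""
    allowed, reason = policy_engine(req)
    print(f"{req.subject}@{req.source_ip} -> {req.resource}: "
          f"{'ALLOW' if allowed else 'DENY'} ({reason})")
    return allowed


def compare_models(requests: List[Request]) -> List[Tuple[bool, bool]]:
    """(castle-and-moat decision, Zero Trust decision) for each request."""
    return [(castle_and_moat(r), policy_enforcement_point(r)) for r in requests]


# Constructed sample requests.  The second comes from an internal address but
# with no MFA, a non-compliant device and a high risk score; the fourth is a
# verified user asking for a resource outside their policy.
SAMPLE = [
    Request("alice", "10.20.1.5", "payroll-db", True, True, True, 5),
    Request("alice", "10.20.1.99", "payroll-db", True, False, False, 80),
    Request("bob", "203.0.113.7", "wiki", True, True, True, 10),
    Request("bob", "203.0.113.7", "payroll-db", True, True, True, 10),
]

if __name__ == "__main__":
    for req, (moat, zero_trust) in zip(SAMPLE, compare_models(SAMPLE)):
        print(f"   castle-and-moat={moat}  zero-trust={zero_trust}")
```

The perimeter model waves through the second request purely because of its 10.x address, while the engine denies it; the third request is granted from outside the network because the user, device and context check out.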

Physical security is still on the exam: fencing, bollards, lighting, locks, badges, access control vestibules (mantraps), and sensors. So is deception and disruption technology — a honeypot is a decoy system to lure and study attackers; a honeynet is a network of them; honeyfiles and honeytokens are bait data that should never be touched, so any access is a clear alert.

Deception and disruption technologies
Term | What it is
Honeypot | A single decoy system that lures attackers away from real assets and records their behavior
Honeynet | A network of honeypots that mimics a real environment
Honeyfile | A bait file (e.g., 'passwords.xlsx') that triggers an alert when opened
Honeytoken | Fake data (a credential, record, or API key) that signals compromise when used

1.3 Cryptography & PKI

Cryptography is the most technical part of Domain 1. There are three families: symmetric encryption (one shared key, fast — AES), asymmetric encryption (a public/private key pair — RSA, ECC), and hashing (a one-way digest — SHA-256). They solve different problems: encryption for confidentiality, hashing for integrity.

Know which key does what. To send something only the recipient can read, encrypt with their public key. To prove a message is from you, create a digital signature by signing with your private key. Because asymmetric crypto is slow, real systems are hybrid: asymmetric crypto exchanges a fast symmetric session key, which then encrypts the bulk data (this is how TLS works).

Stored passwords are never encrypted — they’re hashed with a unique salt so identical passwords don’t share a hash and rainbow tables fail. Other building blocks: PKI and digital certificates (X.509), issued by a certificate authority and checked for revocation via a CRL or OCSP; hardware roots of trust like the TPM and HSM; key escrow; and steganography (hiding data inside other data).
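Added illustration (not from the guide) of why a salt plus a key-derivation function defeats rainbow tables, using Python's standard-library PBKDF2-HMAC-SHA256: two users with the same password get different records, a precomputed table of unsalted digests reverses the bare SHA-256 but not the salted record, and verification recomputes with the stored salt. The record format, iteration count and sample passwords are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 600_000  # PBKDF2 work factor; tune upward as hardware speeds up


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: a bare, fast hash.  Identical passwords produce
    identical digests and a precomputed table reverses them instantly."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted KDF.  Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (constructed format)."""
    if not salt:
        salt = secrets.token_bytes(16)  # unique random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def rainbow_lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    """Stand-in for an attacker's precomputed digest -> password table."""
    return table.get(digest_hex)


def demo() -> Dict[str, bool]:
    # Constructed sample: two accounts that chose the same weak password.
    users = {"alice": "Summer2024!", "bob": "Summer2024!"}
    # Constructed (tiny) precomputed table of unsalted SHA-256 digests.
    table = {unsalted_sha256(p): p for p in ("Summer2024!", "password", "letmein")}

    plain = {u: unsalted_sha256(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_identical": plain["alice"] == plain["bob"],  # True
        "unsalted_cracked": rainbow_lookup(table, plain["alice"]) == "Summer2024!",  # True
        "salted_identical": salted["alice"] == salted["bob"],  # False
        "salted_cracked": rainbow_lookup(table, salted["alice"].split("$")[-1]) is not None,  # False
        "verify_ok": verify_password("Summer2024!", salted["alice"]),  # True
        "verify_wrong": verify_password("Summer2025!", salted["alice"]),  # False
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```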

Cryptography quick reference
Goal | Use… | Example
Encrypt bulk data fast | Symmetric encryption | AES-256
Securely exchange a key / sign | Asymmetric encryption | RSA, ECC, Diffie-Hellman
Verify integrity | Hashing | SHA-256
Store passwords safely | Salted hashing / KDF | bcrypt, Argon2, PBKDF2
Prove identity to a website | Digital certificate (PKI) | X.509 over TLS
Protect keys in hardware | TPM / HSM | BitLocker with TPM

Checkpoint · General Security Concepts

In cybersecurity, what is a 'honeypot' primarily used for?

Module 2 · Threats, Vulnerabilities & Mitigations

Domain 2.0 — 22% of the exam. This is the “attacks” domain: who attacks, how they get in, what weaknesses they exploit, and how you stop them. It’s the second-largest domain, so learn the vocabulary cold.

2.1 Threat Actors & Vectors

A threat actor is whoever carries out an attack. Rank them by sophistication and resources: nation-state actors (an advanced persistent threat, or APT) are the most capable and best-funded, motivated by espionage; organized crime is profit-driven; hacktivists pursue a cause; an insider threat misuses authorized access; and unskilled attackers (“script kiddies”) use others’ tools. Watch for shadow IT — unsanctioned tools that create unmanaged risk.

Actors get in through threat vectors and attack surfaces: email and messages, malicious files and images, removable media (a dropped USB), voice calls, unsecured networks, and the supply chain (a compromised vendor, MSP, or software update). Reducing the attack surface — fewer exposed services, ports, and entry points — is a recurring theme.

Threat actors by sophistication and motivation
Actor | Resources | Typical motivation
Nation-state / APT | Highest | Espionage, strategic disruption
Organized crime | High | Financial gain
Hacktivist | Variable | Ideology / a cause
Insider threat | Trusted access | Revenge, money, or unintentional
Unskilled attacker | Low | Notoriety, curiosity (uses others' tools)

2.2 Social Engineering

Social engineering attacks the human, not the machine. The headliner is phishing (fraudulent email); its variants are vishing (voice), smishing (SMS), spear phishing (targeted), and whaling (executives). Business email compromise (BEC) impersonates a trusted leader or vendor to authorize fraudulent payments. Other techniques: pretexting, pharming, watering-hole attacks, typosquatting, brand impersonation, and disinformation.[8]

Defenses are layered: user awareness training and phishing simulations on the human side, plus email authentication (SPF, DKIM, DMARC) to block spoofed senders on the technical side.

Social-engineering attacks at a glance
Attack | How it works
Phishing | Fraudulent email to steal credentials or deliver malware
Vishing | The same, by voice phone call
Smishing | The same, by SMS text message
Spear phishing / whaling | Targeted at a specific person / at executives
Business email compromise | Impersonates an executive or vendor to authorize fraudulent payment
Watering hole | Compromises a site the target group is known to visit
Typosquatting | Registers misspelled domains to catch mistyped traffic

2.3 Vulnerabilities & Malware

Memorize the zoo: ransomware (encrypts data, demands payment), trojan (disguised as legitimate software), worm (self-propagating), virus (needs a host), spyware/keylogger, rootkit (hides at the kernel level), and a logic bomb (triggers on a condition).[7]

Then the vulnerabilities attackers exploit. Application flaws: buffer overflow, race condition (TOCTOU), and memory injection. Web flaws: SQL injection and cross-site scripting (XSS). Plus misconfiguration, weak/default credentials, unpatched systems, and the zero-day (no patch exists yet). Common attacks to recognize include on-path (man-in-the-middle), replay, DNS/ARP poisoning, DDoS, and privilege escalation.

High-yield vulnerabilities and their fix
Vulnerability | What it is | Primary mitigation
SQL injection | Malicious SQL in input runs on the database | Parameterized queries + input validation
Cross-site scripting (XSS) | Injected script runs in another user's browser | Output encoding + Content Security Policy
Buffer overflow | Overwriting memory beyond a buffer | Bounds checking, ASLR, secure coding
Race condition (TOCTOU) | Exploiting timing between check and use | Locking / atomic operations
Zero-day | Unknown, unpatched vulnerability | Defense in depth, behavior-based detection
Misconfiguration | Insecure default or setting | Secure baselines + hardening

2.4 Mitigation Techniques

The domain ends with how you reduce risk: hardening (secure baselines, disabling unused services), patch management, encryption, network segmentation and isolation, access control and least privilege, application allow-listing, sandboxing, monitoring, and configuration enforcement. The unifying idea is defense in depth — layers, so one failure doesn’t mean a breach.

Checkpoint · Threats, Vulnerabilities & Mitigations

Which of the following is a type of malware that requires user interaction to activate and replicate, often disguised as legitimate software?

Module 3 · Security Architecture

Domain 3.0 — 18% of the exam. This domain is about designing secure systems: the trade-offs of different architecture models, building secure infrastructure, protecting data in all its states, and engineering resilience so the business survives a disruption.

3.1 Architecture Models & Cloud

Know the major models and their security trade-offs: on-premises vs. cloud, virtualization, containerization, serverless, microservices, software-defined networking (SDN), and infrastructure as code (IaC). In the cloud, the most-tested idea is the shared responsibility model: the provider secures the infrastructure (“security of the cloud”); the customer secures their data, identities, and configuration (“security in the cloud”). Where the line falls depends on IaaS vs. PaaS vs. SaaS.

Specialized systems carry extra risk: IoT, embedded systems, and ICS/SCADA (industrial control systems) often can’t be patched easily and need segmentation and compensating controls.

Cloud shared responsibility by service model
Model | Provider secures | Customer secures
IaaS | Physical, network, hypervisor | OS, apps, data, access (the most)
PaaS | Up through the runtime/platform | Apps, data, and access
SaaS | Almost everything | Data and access (the least)

3.2 Secure Infrastructure

Build the network for security. Use security zones and device placement (a DMZ for public-facing servers), and the right appliance for the job: firewalls (a WAF for web apps, an NGFW/UTM for layered inspection), IDS/IPS (detect vs. block), proxies, a jump server for admin access, and load balancers.

Know fail-open vs. fail-closed, active vs. passive inspection, and inline vs. tap/monitor placement. On the access layer, 802.1X with EAP and port security control who connects.

Security appliances and what they do
Device | Role
Firewall (NGFW/UTM) | Filters traffic by rules; NGFW adds app awareness and inspection
WAF | Protects web apps from injection, XSS, and other layer-7 attacks
IDS | Detects and alerts on suspicious traffic (passive)
IPS | Detects and blocks suspicious traffic inline (active)
Proxy / web filter | Mediates and filters outbound web requests
Jump server | A hardened pivot host for administering internal systems
Load balancer | Distributes traffic across servers for availability and scale

3.3 Data Protection

Protect data in all three states: data at rest (encrypt the disk/database), data in transit (TLS), and data in use (secure enclaves). Drive the level of protection with data classification (public → sensitive → confidential → critical). Beyond encryption, you can de-identify data with masking, tokenization, or hashing, and stop exfiltration with data loss prevention (DLP).

Data states and their controls
State | Where the data is | Primary control
At rest | Stored on disk, database, or backup | Encryption (e.g., AES) + access control
In transit | Moving across a network | TLS / VPN encryption
In use | Being processed in memory | Secure enclave / trusted execution

3.4 Resilience & Recovery

Engineer for survival. High availability comes from redundancy: load balancing and clustering, multiple power feeds with UPS and generators, RAID, and geographic dispersion across sites. Recovery sites trade cost for speed — a hot site is ready immediately, a warm site needs some setup, and a cold site is just space and power. Back up using the 3-2-1 backup rule.

The exam loves the recovery metrics: RTO (how fast you must be back up), RPO (how much data you can afford to lose), plus MTBF (mean time between failures) and MTTR (mean time to repair). Test plans with tabletop exercises, failover, parallel processing, and simulations.

Recovery sites and key metrics
Term | Meaning
Hot site | Fully equipped, near-instant failover (most expensive)
Warm site | Partially equipped; some setup needed
Cold site | Space and utilities only; longest to bring online (cheapest)
RTO | Maximum acceptable downtime to restore a system
RPO | Maximum acceptable data loss, measured back to the last backup
MTBF / MTTR | Mean time between failures / mean time to repair

Checkpoint · Security Architecture

What is the primary purpose of using a WAF (Web Application Firewall)?

Module 4 · Security Operations

Domain 4.0 — 28% of the exam, the single largest domain. This is the day-to-day work of security: hardening and managing assets, finding and fixing vulnerabilities, monitoring, controlling identity and access, and responding when something goes wrong. Spend the most time here.

4.1 Hardening, Assets & Vulnerability Management

Apply hardening from secure baselines across all targets — servers, workstations, mobile (MDM with BYOD/COPE), and wireless (use WPA3). Manage assets through their whole life: acquisition, inventory, and secure disposal/sanitization (wiping or destroying media).

Vulnerability management is a cycle: scan, then prioritize using CVSS severity and CVE identifiers, confirm findings (true vs. false positive), remediate, and rescan to validate. A penetration test goes further by actually exploiting weaknesses; responsible disclosure and bug bounties bring in outside researchers.[9]

The vulnerability management cycle
Step | What happens
Identify / scan | Run vulnerability scanners across assets
Analyze / prioritize | Score with CVSS, map to CVEs, weed out false positives
Remediate | Patch, reconfigure, or apply a compensating control
Validate | Rescan to confirm the fix actually worked
Report | Document for stakeholders and compliance

4.2 Monitoring & Enterprise Capabilities

Visibility is everything. A SIEM aggregates and correlates logs from across the enterprise to detect threats, generate alerts, and support investigations — but it must be tuned to avoid alert fatigue.[6]

Layer in enterprise controls: firewall and IDS/IPS rules, web and DNS filtering, email security (DKIM, DMARC, SPF), EDR/XDR on endpoints, file integrity monitoring, and sandboxing. Automate response with SOAR playbooks.

Monitoring and response capabilities
Capability | What it provides
SIEM | Central log aggregation and correlation; alerting and investigation
EDR / XDR | Endpoint (and extended) detection and response
SOAR | Automated, orchestrated response via playbooks
DLP | Detects and blocks sensitive-data exfiltration
FIM | Alerts when critical files change unexpectedly
DNS / web filtering | Blocks access to malicious or disallowed sites

4.3 Identity & Access Management

Identity and access management (IAM) governs who can do what. It spans the identity lifecycle (provisioning and prompt deprovisioning when someone leaves), single sign-on (SSO) and federation (SAML, OAuth, OIDC, LDAP), and strong authentication with multi-factor authentication (MFA).

Master the access-control models: RBAC (by role), MAC (by labels/clearance, high-security), DAC (owner decides), and ABAC (by attributes/context). Apply least privilege and separation of duties, and protect admin accounts with privileged access management (PAM: vaulting, just-in-time, ephemeral access).

MFA — the factor categories
Factor | Category | Example
Something you know | Knowledge | Password, PIN
Something you have | Possession | Authenticator app, smart card, token
Something you are | Inherence | Fingerprint, face, iris
Somewhere you are | Location | GPS / network location (contextual)

Access-control models compared
Model | Who decides access
RBAC | Permissions follow the user's ROLE
MAC | The SYSTEM enforces labels/clearances (mandatory)
DAC | The resource OWNER decides (discretionary)
ABAC | ATTRIBUTES and context (user, resource, environment)

4.4 Incident Response & Forensics

When prevention fails, you respond. CompTIA follows the incident response lifecycle (NIST SP 800-61): preparation; detection & analysis; containment, eradication & recovery; and post-incident activity (lessons learned and root cause analysis). Prepare with playbooks, training, tabletop exercises, and threat hunting.[4]

Digital forensics preserves evidence: apply a legal hold, maintain a chain of custody (who handled what, when), acquire data in a sound order of volatility (most volatile first), and document everything so it’s admissible. Useful data sources include firewall, application, endpoint, and OS logs.

Checkpoint · Security Operations

Which cybersecurity term describes a small piece of data used to identify and authenticate a user's session?

Module 5 · Security Program Management & Oversight

Domain 5.0 — 20% of the exam. This is the governance, risk, and compliance (GRC) side: the policies and structures that run a security program, how organizations measure and treat risk, managing third parties, and staying compliant. It’s less technical but heavily tested — learn the vocabulary and the formulas.

5.1 Governance

Governance is the framework that directs security: policies (AUP, incident response, business continuity, disaster recovery, SDLC, change management), standards (password, encryption, access control), and procedures (step-by-step playbooks, onboarding/offboarding). Oversight comes from boards, committees, and regulators, and clear data roles assign accountability.[10]

Data roles and responsibilities
Role | Responsibility
Data owner | Accountable for the data; sets its classification
Data controller | Determines why and how personal data is processed
Data processor | Processes data on the controller's behalf
Data custodian / steward | Implements controls and maintains data quality day-to-day

5.2 Risk Management

Risk management runs in a cycle: identify, assess, analyze, and treat. Analysis is qualitative (rate likelihood × impact as low/medium/high) or quantitative (put dollars on it). The quantitative formulas are exam favorites: SLE = asset value × exposure factor; ALE = SLE × ARO.[5] Track everything in a risk register with an owner and threshold, set against the organization’s risk appetite.

Then choose a response: mitigate (reduce with controls), transfer (insurance/outsourcing), avoid (stop the activity), or accept (within appetite). A business impact analysis (BIA) ranks what matters most and sets RTO/RPO.

Quantitative risk formulas
Term | Formula / meaning | Example
Exposure Factor (EF) | % of asset value lost per event | 40% of a server
Single Loss Expectancy (SLE) | Asset value × EF | $50,000 × 0.40 = $20,000
Annualized Rate of Occurrence (ARO) | Events expected per year | 2 times/year
Annualized Loss Expectancy (ALE) | SLE × ARO | $20,000 × 2 = $40,000/yr

The four risk response strategies
Strategy | What you do | Example
Mitigate | Reduce likelihood/impact with controls | Add MFA and patching
Transfer | Shift the financial risk to another party | Buy cyber insurance
Avoid | Stop the risky activity entirely | Discontinue a vulnerable feature
Accept | Acknowledge and take no further action | Risk is within appetite

5.3 Third-Party Risk & Compliance

Vendors are an attack surface. Assess them with due diligence, right-to-audit clauses, penetration testing, and supply-chain analysis, and formalize the relationship with agreements. Learn the acronyms: SLA, MOU / MOA, MSA, SOW/WO, NDA, and BPA.

Compliance means meeting laws and regulations. Failure brings consequences — fines, sanctions, reputational damage, even loss of license. Privacy is central: know the difference between a data controller and a data processor, data retention requirements, and the right to be forgotten.

Third-party agreements
Agreement | What it covers
SLA | Service Level Agreement — guaranteed service levels and metrics
MOU / MOA | Memorandum of Understanding/Agreement — intentions between parties
MSA | Master Service Agreement — overarching terms for ongoing work
SOW / WO | Statement of Work / Work Order — the specific deliverables and tasks
NDA | Non-Disclosure Agreement — confidentiality obligations
BPA | Business Partners Agreement — terms between business partners

5.4 Audits & Security Awareness

Audits and assessments verify the program works — internal vs. external, attestation, and regulatory exams. Penetration tests are classified by knowledge given to the tester: known (white-box), partially known (gray-box), and unknown (black-box) environments, and reconnaissance can be passive or active.

Finally, security awareness is itself a program: phishing campaigns, recognizing anomalous behavior, user training and guidance, and ongoing reporting and monitoring. People are both the biggest risk and the strongest control — a trained workforce is a force multiplier.

Penetration test knowledge levels
Type | Tester's knowledge
Known environment (white-box) | Full information about the target
Partially known (gray-box) | Limited information
Unknown environment (black-box) | No prior information — simulates an outsider

Checkpoint · Security Program Management & Oversight

Which concept in risk management involves determining the impact of an adverse event that may affect the assets, resources, or operations of an organization?

How to Use This Security+ Study Guide

This guide is built to be worked, not just read. The most efficient path to a pass:

  • Study by weight. Security Operations (28%) and Threats, Vulnerabilities & Mitigations (22%) are half the exam — start there, then Program Management, Architecture, and General Concepts.
  • Check off as you go. Use the Study Guide Contents to mark each section done; it raises your exam-readiness score.
  • Take every checkpoint. The end-of-module quizzes show you exactly which domains need another pass.
  • Practice the PBQs. Performance-based questions reward hands-on knowledge — drill commands, log reading, and configuration concepts, not just definitions.
  • Drill the weak domain. Send your weak area into the flashcards and a practice test until the score climbs comfortably above 750.

Security+ Concept Questions

Core Security+ concepts candidates search while studying — each answered briefly and backed by an official source. Test yourself, then drill them as flashcards.

Security+ Glossary

The high-yield Security+ terms in one place — hover any dotted term in the guide, or flip the whole deck here as a self-grading flashcard set.

3-2-1 backup rule
Keep 3 copies of data, on 2 different media, with 1 copy offsite.
AAA
Authentication (proving identity), Authorization (granting access rights), and Accounting (logging what was done).
ABAC
Attribute-Based Access Control — access decided by attributes and context (user, resource, environment).
Advanced persistent threat
A skilled, well-resourced (often nation-state) adversary that maintains long-term, stealthy access to a network.
ALE
Annualized Loss Expectancy — expected yearly loss from a risk (SLE × ARO).
ARO
Annualized Rate of Occurrence — how many times per year a risk is expected to happen.
Asymmetric encryption
Encryption using a public/private key pair (e.g., RSA, ECC); data encrypted with one key is decrypted only with the other.
Buffer overflow
Writing more data than a buffer can hold, overwriting adjacent memory — potentially to run attacker code.
Business email compromise
An attack impersonating a trusted executive or vendor to authorize fraudulent payments or data transfers.
Certificate Authority
A trusted entity that issues and signs digital certificates, vouching for the identity bound to a public key.
Chain of custody
Documentation tracking who handled evidence, when, and how — to keep it admissible.
CIA triad
The three core goals of information security — Confidentiality (only authorized access), Integrity (data is unaltered), and Availability (accessible when needed).
Containerization
Packaging an app with its dependencies in an isolated container that shares the host OS kernel (e.g., Docker).
CRL
Certificate Revocation List — a published list of certificates a CA has revoked before expiry.
Cross-site scripting
An attack injecting malicious script into a trusted site that runs in another user's browser (stored, reflected, or DOM-based).
CVE
Common Vulnerabilities and Exposures — a public catalog of unique IDs for known vulnerabilities.
CVSS
Common Vulnerability Scoring System — a 0–10 score rating the severity of a vulnerability.
DAC
Discretionary Access Control — the resource owner decides who gets access.
Data at rest
Data stored on a disk, database, or backup — protected with encryption and access control.
Data classification
Labeling data by sensitivity (e.g., public, sensitive, confidential, critical) to apply the right controls.
Data in transit
Data moving across a network — protected with TLS and other transport encryption.
Data in use
Data actively being processed in memory — protected by techniques such as secure enclaves.
Defense in depth
Layering multiple independent controls so the failure of one doesn't expose the asset.
Digital certificate
An X.509 file binding a public key to a verified identity, signed by a CA, used to establish trust (e.g., in TLS).
Digital signature
A hash of a message encrypted with the signer's private key; proves integrity and authenticity (non-repudiation).
DLP
Data Loss Prevention — tools that detect and block unauthorized movement of sensitive data.
Due diligence
The investigation and care taken to identify risks before entering an agreement or activity.
EDR
Endpoint Detection and Response — continuously monitors endpoints to detect, investigate, and respond to threats.
Federation
Allowing identities from one domain to access resources in another via a trust relationship (e.g., SAML, OIDC).
Governance
The policies, standards, procedures, and oversight structures that direct a security program.
Hardening
Reducing a system's attack surface by removing unneeded services, applying secure baselines, and patching.
Hashing
A one-way function producing a fixed-length digest of input (e.g., SHA-256); used for integrity and password storage, not reversible.
High availability
Designing systems to remain operational with minimal downtime through redundancy and failover.
HSM
Hardware Security Module — a dedicated, tamper-resistant device for generating, storing, and using cryptographic keys.
IaC
Infrastructure as Code — defining and provisioning infrastructure through machine-readable, version-controlled files.
Identity and access management
The policies and tools that manage digital identities and control access to resources.
Incident response lifecycle
The NIST phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
Insider threat
A current or former employee, contractor, or partner who misuses authorized access to harm the organization.
Least privilege
Granting only the minimum access needed to perform a task — limits the blast radius of a compromise.
Legal hold
A directive to preserve relevant data when litigation or investigation is anticipated.
Logic bomb
Malicious code that executes when a specific condition is met (e.g., a date or an event).
MAC
Mandatory Access Control — access enforced by labels/clearances set by the system, used in high-security environments.
Malware
Malicious software — including ransomware, trojans, worms, viruses, spyware, rootkits, and keyloggers.
MFA
Multi-factor authentication — requiring two or more factors from different categories (know, have, are).
MOU
Memorandum of Understanding — a non-binding agreement outlining mutual intentions between parties.
Non-repudiation
Assurance that someone cannot deny having performed an action; provided by digital signatures and logging.
OCSP
Online Certificate Status Protocol — a real-time query to check whether a certificate is revoked.
On-path attack
An attacker secretly relaying or altering traffic between two parties (formerly 'man-in-the-middle').
PAM
Privileged Access Management — controls, vaults, and audits privileged (admin) accounts, often with just-in-time access.
Penetration test
An authorized simulated attack to find and exploit weaknesses before real attackers do.
Phishing
A fraudulent message (usually email) that tricks the victim into revealing credentials or running malware.
PKI
Public Key Infrastructure — the CAs, policies, and keys that issue and manage digital certificates.
Policy Enforcement Point
The Zero Trust data-plane component that allows or blocks each actual request to a resource.
Policy Engine
The Zero Trust control-plane component that decides whether to grant or deny access using policy and context.
Privilege escalation
Gaining higher access rights than granted — vertical (to admin) or horizontal (to another user).
Race condition
A flaw where the outcome depends on the timing of events; the time-of-check to time-of-use (TOCTOU) bug is the classic case.
Ransomware
Malware that encrypts a victim's data and demands payment for the decryption key; often also steals data (double extortion).
RBAC
Role-Based Access Control — permissions assigned to roles, which users inherit.
Right to be forgotten
A privacy right allowing individuals to request deletion of their personal data.
Risk appetite
The amount and type of risk an organization is willing to accept in pursuit of its objectives.
Risk register
A documented list of identified risks with their owner, likelihood, impact, and treatment.
Risk transference
Shifting risk to another party, such as buying insurance or outsourcing.
Rootkit
Malware that hides deep in the system (often the kernel) to maintain stealthy, privileged access.
RPO
Recovery Point Objective — the maximum acceptable amount of data loss, measured as time since the last backup.
RTO
Recovery Time Objective — the maximum acceptable time to restore a system after an outage.
Salting
Adding unique random data to a password before hashing so identical passwords produce different hashes and rainbow tables fail.
Security control
A safeguard categorized as technical, managerial, operational, or physical, and by function (preventive, detective, etc.).
Shadow IT
Hardware, software, or services used without the IT/security team's approval or knowledge.
Shared responsibility model
Cloud division of duties: the provider secures the infrastructure; the customer secures data, identities, and configuration.
SIEM
Security Information and Event Management — collects and correlates logs across the enterprise to detect and investigate threats.
SLA
Service Level Agreement — a contract defining expected service levels and metrics with a provider.
SLE
Single Loss Expectancy — the expected dollar loss from a single occurrence (asset value × exposure factor).
Smishing
SMS phishing — a social-engineering attack delivered by text message.
SOAR
Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks.
Social engineering
Manipulating people into divulging information or performing actions that compromise security.
SQL injection
A web attack inserting malicious SQL into input so the database runs unintended commands; mitigated with parameterized queries.
SSO
Single Sign-On — one authentication grants access to multiple systems.
Steganography
Hiding data inside other data (e.g., within an image) so its very existence is concealed.
Symmetric encryption
Encryption using one shared secret key to both encrypt and decrypt (e.g., AES) — fast, but the key must be shared securely.
Threat actor
An individual or group that carries out an attack — e.g., nation-state, organized crime, hacktivist, insider, or unskilled attacker.
Tokenization
Replacing sensitive data with a non-sensitive token, with the real value stored securely elsewhere.
TPM
Trusted Platform Module — a hardware chip that securely stores keys and supports disk encryption and integrity checks.
Trojan
Malware disguised as legitimate software that performs a hidden malicious action when run.
Vishing
Voice phishing — a social-engineering attack carried out over a phone call.
Zero Trust
A model that removes implicit trust and verifies every request based on identity, device, and context — 'never trust, always verify.'
Zero-day
A vulnerability unknown to the vendor (no patch yet) that attackers can exploit.

Security+ Study Guide FAQ

The Security+ SY0-701 exam has a maximum of 90 questions — a mix of multiple-choice and performance-based questions (PBQs) — and you get 90 minutes to complete it. Because PBQs are hands-on simulations, many candidates save them for last and triage their time.

References

  1. CompTIA. “CompTIA Security+ (SY0-701) Certification.” comptia.org.
  2. CompTIA. “Security+ (SY0-701) Exam Objectives.” comptia.org.
  3. National Institute of Standards and Technology. “SP 800-207, Zero Trust Architecture.” csrc.nist.gov.
  4. National Institute of Standards and Technology. “SP 800-61, Computer Security Incident Handling Guide.” csrc.nist.gov.
  5. National Institute of Standards and Technology. “SP 800-30, Guide for Conducting Risk Assessments.” csrc.nist.gov.
  6. National Institute of Standards and Technology. “Cybersecurity Framework (CSF) 2.0.” nist.gov.
  7. Cybersecurity and Infrastructure Security Agency. “Stop Ransomware: Ransomware 101.” cisa.gov.
  8. Cybersecurity and Infrastructure Security Agency. “Recognize and Report Phishing.” cisa.gov.
  9. Forum of Incident Response and Security Teams. “Common Vulnerability Scoring System (CVSS).” first.org.
  10. International Organization for Standardization. “ISO/IEC 27001 Information Security Management.” iso.org.
  101. National Institute of Standards and Technology (NIST). “Confidentiality (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  102. National Institute of Standards and Technology (NIST). “Cryptography (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  103. National Institute of Standards and Technology (NIST). “Hash function (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  104. National Institute of Standards and Technology (NIST). “Public Key Infrastructure (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  105. National Institute of Standards and Technology (NIST). “Defense-in-depth (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  106. National Institute of Standards and Technology (NIST). “SQL Injection (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  107. National Institute of Standards and Technology (NIST). “Cross-Site Scripting (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  108. National Institute of Standards and Technology (NIST). “Advanced Persistent Threat (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  109. National Institute of Standards and Technology (NIST). “Multi-Factor Authentication (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  110. National Institute of Standards and Technology (NIST). “Least Privilege (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  111. National Institute of Standards and Technology (NIST). “Security Information and Event Management (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.
  112. National Institute of Standards and Technology (NIST). “Role-Based Access Control (CSRC Glossary).” csrc.nist.gov, accessed 19 June 2026.