CompTIA Security+ SY0-701

Comprehensive study tool covering all 5 domains. Use flashcards to build knowledge, take the practice exam to test yourself, and reference the quick-ref tables during review. Exam cut score: 750/900.

DOMAIN 1

General Security Concepts

12%

DOMAIN 2

Threats, Vulnerabilities & Mitigations

22%

DOMAIN 3

Security Architecture

18%

DOMAIN 4

Security Operations

28%

DOMAIN 5

Security Program Management & Oversight

20%

90

Max Questions

90

Minutes to Complete

750

Passing Score (of 900)

83%

Approx. Pass %

5

Exam Domains

PBQ

Includes Perf-Based Qs

Exam Strategy Tips

Flag and skip PBQs first — return after multiple choice
Read every option before selecting — eliminate wrong answers
Watch for "BEST" and "MOST" qualifiers in questions
Time budget: ~1 min per question, PBQs get 3–5 min
If unsure, think CIA Triad first — it guides many answers
Know the difference between authentication and authorization
Recognize port numbers — especially well-known and registered

High-Frequency Topics

Zero Trust Architecture & microsegmentation
PKI, certificate types, and certificate lifecycle
Social engineering tactics (phishing, vishing, smishing)
Incident response phases (PICERL)
Vulnerability scanning vs. penetration testing
MFA types: something you know / have / are
SIEM, SOAR, EDR, XDR — know the differences
Risk treatment: avoid, transfer, mitigate, accept

CIA Triad Quick Ref

Confidentiality — prevent unauthorized disclosure (encryption, ACLs)
Integrity — prevent unauthorized modification (hashing, signing)
Availability — ensure access when needed (redundancy, backups)
Non-repudiation — digital signatures prove origin
Authentication — prove who you are
Authorization — define what you can do

Cryptography Cheat Sheet

AES-256 — symmetric, block cipher, strongest common
RSA-2048+ — asymmetric, key exchange & signatures
ECC — asymmetric, smaller keys, used in mobile/IoT
SHA-256/SHA-3 — hashing, integrity verification
PBKDF2/bcrypt/Argon2 — password hashing (salted)
TLS 1.3 — current secure transport standard
DHE/ECDHE — forward secrecy key exchange

Flashcards

Click a card to reveal the answer. Use ← → to navigate. Mark cards Known/Review to track progress.

Card 1 of 72 | Known: 0

▸ CLICK TO REVEAL ANSWER

1 / 72

Practice Exam

50 questions across all 5 domains. Passing score: 75% (38/50). Timer optional.

Configure Your Exam

Select exam mode and difficulty. Questions are randomized from our question bank.

Full Practice Exam

50 questions, all domains, timed

Quick Review

25 questions, untimed

Domain Focus

20 questions from one domain

Missed Questions

Retake only questions you got wrong

Question 1 of 50

90:00

Score: 0/0

--

DOMAIN BREAKDOWN

MISSED QUESTIONS — REVIEW

Quick Reference

Essential tables and charts for exam day review.

Port	Protocol	Transport	Notes
20/21	FTP	TCP	File Transfer Protocol — 20 data, 21 control. Unencrypted.
22	SSH / SCP / SFTP	TCP	Secure Shell. Encrypted remote access and secure file transfer.
23	Telnet	TCP	Unencrypted remote terminal. Replaced by SSH.
25	SMTP	TCP	Simple Mail Transfer Protocol. Email sending (unencrypted).
53	DNS	TCP/UDP	Domain Name System. UDP for queries, TCP for zone transfers.
67/68	DHCP	UDP	Dynamic Host Config. 67 = server, 68 = client.
69	TFTP	UDP	Trivial FTP — no auth, used for booting (PXE).
80	HTTP	TCP	Unencrypted web traffic.
88	Kerberos	TCP/UDP	Authentication protocol for Active Directory.
110	POP3	TCP	Post Office Protocol v3. Email retrieval, downloads & deletes.
119	NNTP	TCP	Network News Transfer Protocol.
123	NTP	UDP	Network Time Protocol. Critical for Kerberos & log correlation.
135	RPC	TCP	Microsoft Remote Procedure Call / WMI.
137-139	NetBIOS	TCP/UDP	Legacy Windows networking. Often blocked at firewall.
143	IMAP	TCP	Internet Message Access Protocol. Email stays on server.
161/162	SNMP	UDP	Network monitoring. 161 agent, 162 traps. Use v3 (encrypted).
389	LDAP	TCP/UDP	Lightweight Directory Access Protocol — unencrypted.
443	HTTPS	TCP	HTTP over TLS. Standard secure web traffic.
445	SMB	TCP	Server Message Block. Windows file sharing. EternalBlue target.
465/587	SMTPS	TCP	SMTP over TLS. 587 preferred (STARTTLS).
514	Syslog	UDP	System logging. Sends logs to SIEM. TCP 6514 for TLS.
636	LDAPS	TCP	LDAP over TLS. Secure directory queries.
993	IMAPS	TCP	IMAP over TLS.
995	POP3S	TCP	POP3 over TLS.
1433	MSSQL	TCP	Microsoft SQL Server.
1521	Oracle DB	TCP	Oracle Database listener.
3306	MySQL	TCP	MySQL / MariaDB database.
3389	RDP	TCP	Remote Desktop Protocol. High-value attack target. Requires NLA.
5060/5061	SIP	TCP/UDP	VoIP signaling. 5061 = TLS.
8080/8443	HTTP Alt	TCP	Alternate HTTP/HTTPS ports for web proxies or dev servers.

Algorithm	Type	Key Size	Use Case / Notes
AES	SYMMETRIC	128, 192, 256-bit	Block cipher. AES-256 is the gold standard. Used in TLS, disk encryption.
3DES (TDEA)	SYMMETRIC	112/168-bit	Legacy — deprecated. 3x DES. Still seen in legacy POS systems.
Blowfish/Twofish	SYMMETRIC	32–448 / 128–256	Block ciphers. Twofish was AES finalist. Used in bcrypt.
ChaCha20	SYMMETRIC	256-bit	Stream cipher. Fast in software; used in TLS 1.3 as alternative to AES.
RC4	SYMMETRIC	40–2048	Stream cipher. DEPRECATED — broken in WEP, TLS. Do not use.
RSA	ASYMMETRIC	2048–4096-bit	Key exchange, digital signatures. Slow — used to exchange symmetric keys.
ECC	ASYMMETRIC	256-bit ≈ RSA-3072	Elliptic Curve. Smaller keys, same strength. Used in mobile, IoT, TLS.
Diffie-Hellman	ASYMMETRIC	2048+ bits	Key exchange only. DHE adds ephemeral (forward secrecy).
ECDH / ECDHE	ASYMMETRIC	256+ bits	ECC-based DH. ECDHE = ephemeral = perfect forward secrecy.
DSA / ECDSA	ASYMMETRIC	1024–3072 / 256+	Digital Signature Algorithm. ECDSA preferred (smaller, faster).
MD5	HASH	128-bit output	BROKEN — collision vulnerabilities. Never use for security.
SHA-1	HASH	160-bit output	DEPRECATED — collision found in 2017. Use SHA-2+.
SHA-256 / SHA-3	HASH	256-bit output	Current standard. SHA-256 = SHA-2 family. SHA-3 = Keccak algorithm.
HMAC	HASH	Depends on hash	Hash-based MAC — adds secret key to hash for integrity + auth.
PBKDF2	HASH	Variable	Password-Based Key Derivation. Salted + iterated. FIPS-approved.
bcrypt / Argon2	HASH	Variable	Password hashing. Argon2 is winner of Password Hashing Competition.
TLS 1.3	PROTOCOL	N/A	Current TLS standard. Removes weak cipher suites. Mandatory ECDHE/DHE.
IPSec	PROTOCOL	N/A	Layer 3 VPN. AH (integrity only) + ESP (encryption + integrity).

Social Engineering

Phishing — Email-based deception to steal credentials
Spear Phishing — Targeted phishing at specific individual
Whaling — Phishing targeting executives (C-suite)
Vishing — Voice/phone-based phishing
Smishing — SMS-based phishing
Pretexting — Fabricated scenario to gain trust
Tailgating/Piggybacking — Physical follow-through
Baiting — Leaving infected media for victim
Quid Pro Quo — Something for something exchange
Watering Hole — Infect sites targets visit

Network Attacks

DoS/DDoS — Overwhelm resources to deny service
Smurf Attack — Amplified ICMP DDoS using broadcast
ARP Poisoning — Corrupt ARP cache for MITM
DNS Poisoning — Corrupt DNS cache for redirect
MITM — Intercept/modify traffic between two parties
On-Path Attack — CompTIA term for MITM
Replay Attack — Capture and retransmit valid packets
Session Hijacking — Steal authenticated session token
Evil Twin — Rogue AP mimicking legitimate SSID
Disassociation Attack — Force 802.11 client off network

Application Attacks

SQLi — Inject SQL code into database queries
XSS — Inject scripts into web pages for other users
CSRF — Trick browser into unwanted authenticated action
Buffer Overflow — Write past buffer to overwrite memory
Integer Overflow — Exceed max numeric value causing wrap
Race Condition — TOCTOU — exploit timing gaps
Directory Traversal — Access files outside web root (../)
LDAP Injection — Inject LDAP queries via input fields
XML Injection / XXE — Exploit XML parsers
SSRF — Forge server-side requests to internal services

Malware Types

Virus — Self-replicates by attaching to files
Worm — Self-propagates without host file (network)
Trojan — Appears legitimate, conceals malicious payload
RAT — Remote Access Trojan — gives attacker remote control
Rootkit — Hides deep in OS, evades detection
Ransomware — Encrypts files, demands payment
Spyware — Secretly monitors user activity
Keylogger — Records keystrokes (passwords, PII)
Botnet — Network of compromised systems (zombies)
Logic Bomb — Triggers payload on specific condition/date

Password Attacks

Brute Force — Try every possible combination
Dictionary Attack — Use wordlist of common passwords
Rainbow Table — Precomputed hash lookup — defeated by salt
Credential Stuffing — Leaked creds tried on other sites
Password Spraying — One password tried across many accounts
Pass-the-Hash — Use NTLM hash directly without cracking
Kerberoasting — Offline crack of Kerberos service tickets
Birthday Attack — Find hash collision via probability

Cryptographic Attacks

Downgrade Attack — Force use of older, weaker protocol
Collision Attack — Find two inputs with same hash
Side-Channel Attack — Exploit power/timing/EM emissions
Padding Oracle — Decrypt by observing padding errors
IV Attack — Exploit weak initialization vectors (WEP)
BEAST/POODLE — Protocol-specific TLS/SSL attacks
SWEET32 — Birthday attack on 64-bit block ciphers
Known Plaintext — Have both plaintext & ciphertext pairs

NIST CSF 2.0

Govern — Establish cybersecurity risk strategy
Identify — Asset mgmt, risk assessment
Protect — Safeguards to limit impact
Detect — Identify cybersecurity events
Respond — Take action on detected incidents
Recover — Restore normal operations

Incident Response (PICERL)

Preparation — Policies, training, tools
Identification — Detect and confirm incident
Containment — Short & long-term contain spread
Eradication — Remove malware, close vectors
Recovery — Restore systems, monitor
Lessons Learned — Post-incident review

MITRE ATT&CK Tactics

Reconnaissance — Gather target information
Initial Access — Gain entry to network
Execution — Run malicious code
Persistence — Maintain foothold
Privilege Escalation — Gain higher permissions
Defense Evasion — Avoid detection
Credential Access — Steal credentials
Lateral Movement — Move through network
Exfiltration — Steal data out
Impact — Disrupt/destroy/ransom

Risk & Compliance

HIPAA — Healthcare data (PHI)
PCI-DSS — Payment card data
GDPR — EU personal data privacy
SOX — Financial reporting controls
FISMA — US federal agency security
ISO 27001 — ISMS standard
NIST 800-53 — Security controls catalog
CIS Controls — Prioritized security actions

Authentication Factors

Type 1 — Something you KNOW (password, PIN)
Type 2 — Something you HAVE (token, smart card)
Type 3 — Something you ARE (biometric)
Type 4 — Somewhere you ARE (geolocation)
MFA — Two or more different types
2FA — Two factors (may be same type)
TOTP — Time-based OTP (RFC 6238)
FIDO2/WebAuthn — Passwordless standard

Access Control Models

DAC — Owner controls access (default NTFS)
MAC — Labels/clearances enforced by OS
RBAC — Role-based — most common enterprise
ABAC — Attribute-based — policies on attributes
Rule-Based — Firewall ACL-style rules
Zero Trust — Never trust, always verify
PoLP — Principle of Least Privilege
Separation of Duties — No single person has full control

Tool	Category	Purpose
Wireshark	Network Analysis	GUI packet capture and analysis. Deep packet inspection.
tcpdump	Network Analysis	CLI packet capture. Lightweight, scriptable, used on Linux/Unix.
Nmap	Scanning	Network port scanner. OS fingerprinting, service version detection.
Nessus	Vulnerability Scanner	Commercial. Authenticated scanning, CVE mapping, compliance.
OpenVAS	Vulnerability Scanner	Open-source vulnerability scanning framework.
Metasploit	Exploitation	Framework for developing and launching exploits. Pen testing.
Burp Suite	Web App Testing	Web proxy for intercepting, modifying, and testing HTTP(S) traffic.
John the Ripper	Password Cracking	Offline password cracker. Wordlists, brute force, rules.
Hashcat	Password Cracking	GPU-accelerated password cracking. Rainbow tables, hybrid attacks.
Aircrack-ng	Wireless	WEP/WPA cracking, packet injection, wireless auditing.
Autopsy / FTK	Forensics	Digital forensics platforms. File recovery, timeline analysis.
Volatility	Forensics	Memory forensics framework. Analyze RAM dumps.
Snort / Suricata	IDS/IPS	Open-source network intrusion detection/prevention.
Splunk	SIEM	Log aggregation, correlation, alerting. Industry-standard SIEM.
CrowdStrike Falcon	EDR/XDR	Endpoint detection and response. Behavioral analysis.
SET (Social Engineer Toolkit)	Social Engineering	Automates phishing, credential harvesting attacks for testing.
Shodan	OSINT	Search engine for internet-facing devices and services.
Maltego	OSINT	Link analysis and data mining for threat intelligence.
netstat	Network Utility	Display active connections, listening ports, routing tables.
tracert/traceroute	Network Utility	Map network path to destination, identify routing issues.

Domain Notes

Condensed study notes organized by domain. Click any domain to jump directly.

CIA Triad & Core Concepts 12% of Exam

The CIA Triad is the foundation of security: Confidentiality (prevent disclosure), Integrity (prevent modification), Availability (ensure access). Add Non-repudiation as a 4th principle — digital signatures ensure someone cannot deny an action.

Authentication, Authorization & Accounting

Authentication — Proving identity (who are you?)

Something you know — password, PIN, security question
Something you have — smart card, hardware token, phone
Something you are — fingerprint, retina, voice, facial
MFA = two+ DIFFERENT factor types
SSO — Single Sign-On (one auth, many services)
SAML, OAuth 2.0, OIDC — federated identity standards

Authorization — What are you allowed to do?

DAC, MAC, RBAC, ABAC — access control models
Least privilege — minimum rights needed
Need to know — access only to required info
ACL — Access Control List defines permissions
Implicit deny — deny unless explicitly permitted

PKI & Certificates

CA (Certificate Authority) — Issues and signs digital certificates
Root CA — Top-level CA; offline for security
Intermediate/Subordinate CA — Issues end-entity certs; online
Certificate — Binds public key to identity (X.509 standard)
CRL — Certificate Revocation List — list of revoked certs (periodic)
OCSP — Online Certificate Status Protocol — real-time revocation check
CSR — Certificate Signing Request — sent to CA to obtain cert
Wildcard cert — *.domain.com — covers all subdomains
SAN cert — Subject Alternative Name — multiple FQDNs in one cert
Self-signed — No CA trust chain — OK for internal, not public
Pinning — Hardcode expected certificate/public key in application

Cryptography Essentials

Symmetric encryption — Same key encrypts and decrypts (fast). Problem: key distribution
Asymmetric encryption — Public key encrypts, private key decrypts (slow). Solves key distribution
Hybrid encryption — Asymmetric to exchange symmetric key (TLS does this)
Hashing — One-way function; same input always produces same output; cannot reverse
Salt — Random value added before hashing; defeats rainbow tables
Digital signature — Hash signed with sender's private key; verify with public key
Key escrow — Copies of keys held by third party for recovery
Perfect Forward Secrecy — New session keys each session; past sessions safe if key compromised
Quantum threats — Shor's algorithm breaks RSA/ECC; need post-quantum crypto (CRYSTALS-Kyber)

Threat Intelligence & Actors 22% of Exam

Nation-State — Most sophisticated, APT, long dwell time, geopolitical goals
Hacktivists — Ideology-driven; DDoS, defacement
Insider Threat — Malicious or unintentional; hardest to detect
Script Kiddies — Low skill; use tools they don't understand
Organized Crime — Financial motivation; ransomware, fraud
APT — Advanced Persistent Threat — slow, stealthy, targeted
IOC — Indicator of Compromise — evidence of breach (IP, hash, domain)
TTP — Tactics, Techniques, Procedures — how attackers operate
ISAC — Industry-specific threat sharing organization
OSINT — Open Source Intelligence — publicly available info

Vulnerability Management

CVE — Common Vulnerabilities and Exposures — unique ID for known vulns
CVSS — Common Vulnerability Scoring System — 0–10 severity score
NVD — National Vulnerability Database — NIST-maintained CVE database
Zero-day — Vulnerability unknown to vendor; no patch exists
Patch management — Identify → Test → Deploy → Verify cycle
Credentialed scan — Authenticated; deeper, more accurate results
Uncredentialed scan — External view; what an attacker sees
False positive — Scanner reports vuln that doesn't exist
False negative — Scanner misses real vulnerability (worse!)

Penetration Testing Phases

Planning/Scoping — Define rules of engagement, scope, objectives
Reconnaissance (OSINT) — Passive info gathering; no direct contact
Scanning/Enumeration — Active scanning; identify open ports/services
Exploitation — Attempt to compromise vulnerabilities found
Post-Exploitation — Pivoting, privilege escalation, persistence
Reporting — Document findings, risk ratings, remediation
White box — Tester has full knowledge of environment
Black box — No prior knowledge (simulates real attacker)
Gray box — Partial knowledge (most common)

Network Security Architecture 18% of Exam

DMZ — Demilitarized Zone — semi-trusted network for public-facing servers
Segmentation — Divide network into zones to limit lateral movement
VLAN — Virtual LAN — logical segmentation at Layer 2
Microsegmentation — Fine-grained segmentation down to workload level (Zero Trust)
Zero Trust — Never trust, always verify; no implicit trust by location
SD-WAN — Software-defined WAN — centralized WAN management
SASE — Secure Access Service Edge — cloud-delivered network security

Firewall Types

Packet Filter — Layer 3/4; stateless; checks headers only
Stateful Inspection — Tracks connection state; more secure than packet filter
NGFW — Next-Gen Firewall — Layer 7 inspection, IPS, SSL inspection, app awareness
WAF — Web Application Firewall — protects HTTP/S applications (SQLi, XSS)
UTM — Unified Threat Management — all-in-one: FW + IPS + AV + proxy

Cloud Security

Service Models

IaaS — You manage OS and up
PaaS — You manage apps and data
SaaS — Provider manages everything
FaaS — Serverless functions

Deployment Models

Public — Shared multi-tenant cloud
Private — Dedicated single-org cloud
Hybrid — Mix of on-prem and cloud
Community — Shared among org group

Shared Responsibility — Provider secures infrastructure; you secure data/access
CASB — Cloud Access Security Broker — visibility and control of cloud apps
CSP — Cloud Service Provider (AWS, Azure, GCP)

Security Operations 28% of Exam

SIEM — Security Info & Event Management — aggregate, correlate, alert on logs
SOAR — Security Orchestration, Automation & Response — automate IR workflows
EDR — Endpoint Detection & Response — behavioral endpoint monitoring
XDR — Extended Detection & Response — cross-layer (endpoint + network + cloud)
NDR — Network Detection & Response — analyze network traffic for threats
IDS — Intrusion Detection System — alerts only, does not block
IPS — Intrusion Prevention System — actively blocks threats inline
HIDS/HIPS — Host-based — on the endpoint itself
NIDS/NIPS — Network-based — monitor network traffic

Log Management & Monitoring

Log aggregation — Centralize logs from all sources into SIEM
Log retention — How long logs are kept (regulatory requirement)
NTP sync — Critical! Ensures log timestamps are accurate for correlation
Syslog — Standard protocol for log forwarding (port 514 UDP)
NetFlow — Cisco protocol capturing network traffic metadata
Baseline — Normal behavior profile used to detect anomalies
UEBA — User & Entity Behavior Analytics — detect insider threats via anomalies

Digital Forensics Principles

Order of Volatility — CPU cache → RAM → Swap → Disk → Remote logs → Backup
Chain of Custody — Document who handled evidence and when
Legal hold — Preserve all potentially relevant data
Forensic copy — Bit-for-bit image of drive (dd, FTK Imager)
Write blocker — Prevent any writes to source media
Hash verification — MD5/SHA-256 proves copy matches original
Steganography — Hiding data within other data (images, audio)

Risk Management 20% of Exam

Risk = Threat × Vulnerability × Impact
Threat — Potential cause of harm
Vulnerability — Weakness that can be exploited
Likelihood — Probability of threat exploitation
Impact — Magnitude of damage if exploited
Inherent risk — Risk before controls applied
Residual risk — Risk remaining after controls
Risk appetite — Amount of risk org is willing to accept

Risk Treatment Options:

Avoid — Eliminate the activity creating the risk
Mitigate — Apply controls to reduce likelihood/impact
Transfer — Shift risk to third party (insurance, contracts)
Accept — Acknowledge risk and do nothing (low risk)

Business Continuity & Disaster Recovery

BCP — Business Continuity Plan — keep business running during disruption
DRP — Disaster Recovery Plan — restore IT systems after disaster
RTO — Recovery Time Objective — max acceptable downtime
RPO — Recovery Point Objective — max acceptable data loss (time)
MTTR — Mean Time to Repair — average repair time
MTBF — Mean Time Between Failures — average uptime
Hot site — Fully operational duplicate; failover in minutes
Warm site — Partial equipment; recovery in hours/days
Cold site — Space only; recovery in days/weeks
Tabletop exercise — Discussion-based DR simulation
Parallel test — Both systems run simultaneously
Failover test — Actually switch to DR site

Data Classifications & Privacy

Top Secret → Secret → Confidential → Unclassified (government)
Restricted → Confidential → Internal → Public (corporate)
PII — Personally Identifiable Information
PHI — Protected Health Information (HIPAA)
Data at rest — Stored data (encrypt with AES)
Data in transit — Moving data (encrypt with TLS)
Data in use — Being processed (encrypt with trusted execution env)
DLP — Data Loss Prevention — prevents unauthorized data exfil
Tokenization — Replace sensitive data with non-sensitive token
Data masking — Obfuscate data for non-production use

Acronym Glossary

All critical Security+ acronyms. Type to filter instantly.