Most wrong answers on Security+ and Network+ aren't knowledge gaps. You read the objective, you watched the video, you could explain the term to a coworker. Then the exam hands you a scenario, two of the five answers look correct, and you pick the wrong one. That's not "I didn't study." That's "I couldn't tell which of these two similar things the question is describing."
Those are different skills. Knowing what tokenization is and being able to separate it from masking under time pressure are not the same muscle. The exam is built almost entirely on the second one. It rarely asks "define X." It asks "a company needs Y — which control fits," and the trap is a near-neighbor concept that's correct in isolation but wrong for the scenario.
This is why re-reading notes and grinding more questions past a certain point stops helping. Both reinforce recall. Neither trains discrimination — the ability to name the one feature that splits two look-alikes. Below are the pairs that trip people up the most, with the splitting feature for each. Once you can name the discriminator, the question gets easy.
WPA2 vs WPA3
Everyone knows WPA3 is newer and "more secure." The exam doesn't care that you know it's newer. It asks what WPA3 actually added, and that's where people stall.
Three concrete additions:
- SAE (Simultaneous Authentication of Equals) replaces WPA2's pre-shared key 4-way handshake. The WPA2 handshake can be captured and brute-forced offline. SAE is resistant to that offline dictionary attack and gives forward secrecy.
- OWE (Opportunistic Wireless Encryption) encrypts traffic on open networks — coffee-shop wifi with no password now has per-client encryption instead of plaintext.
- 192-bit security suite for WPA3-Enterprise, aimed at high-assurance environments.
Discriminator: if the scenario says "captured the handshake and cracked it offline," that's the WPA2 weakness SAE fixes. If it says "open network but still want encryption," that's OWE.
Wildcard vs SAN vs Single certificates
This one is entirely about scope, and people miss it because they reach for "wildcard = covers everything." It does not.
- Single certificate covers one fully qualified domain name: `www.example.com` and nothing else.
- Wildcard (`*.example.com`) covers one level of subdomains: `mail.example.com`, `shop.example.com`. It does not cover the bare `example.com`, and it does not cover `api.v2.example.com` — that's a second level down.
- SAN (Subject Alternative Name) certificate covers an explicit list of names you specify: `example.com`, `www.example.com`, `mail.otherdomain.com`. Different domains, multiple specific hosts, whatever you list.
Discriminator: count the names and their shape. One host, single. One level of subdomains under a single domain, wildcard. An explicit mixed list, SAN.
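The scope rules above as runnable hostname matching, an added example that is not part of the original article. The three sample certificates and the `classify` helper are constructed here to mirror the discriminator; the matcher treats `*` as exactly one DNS label, which is what makes the wildcard miss both the bare domain and the second level down.

```python
from typing import Iterable

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name covers hostname.

    An exact name matches only itself. A whole-label '*' stands for exactly
    one label, so '*.example.com' covers mail.example.com but neither
    example.com (too few labels) nor api.v2.example.com (too many).
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False                 # a wildcard never spans extra levels
    if "*" in cert_labels[1:]:
        return False                 # wildcard allowed only in the leftmost label
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))

def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """A certificate covers a host when any of its names (the single name,
    the wildcard, or any one SAN entry) matches."""
    return any(name_matches(n, hostname) for n in cert_names)

def classify(cert_names: list) -> str:
    """The article's discriminator: count the names and look at their shape."""
    if len(cert_names) > 1:
        return "SAN"
    return "wildcard" if cert_names[0].startswith("*.") else "single"

# Constructed sample certificates, each given as the list of names it carries.
SINGLE = ["www.example.com"]
WILDCARD = ["*.example.com"]
SAN = ["example.com", "www.example.com", "mail.otherdomain.com"]

if __name__ == "__main__":
    hosts = ("example.com", "www.example.com", "mail.example.com",
             "api.v2.example.com", "mail.otherdomain.com")
    for cert in (SINGLE, WILDCARD, SAN):
        for host in hosts:
            print(f"{classify(cert):8} {host:22} {cert_covers(cert, host)}")
```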
DV vs OV vs EV certificates
The trap here is assuming these are encryption tiers. They are not. A DV cert and an EV cert give you the exact same TLS encryption. The difference is who the certificate authority verified before issuing.
- DV (Domain Validation) — the CA confirmed you control the domain. A DNS record or a file on the server. Fast, automatable, no human checks who you are.
- OV (Organization Validation) — the CA confirmed an actual organization exists and is tied to the domain. Some manual vetting.
- EV (Extended Validation) — the CA vetted the legal entity through a stricter, standardized process.
Discriminator: the question is always who got verified, never how strong is the crypto. If an answer implies EV is "more encrypted," it's wrong.
Tokenization vs Masking vs Encryption
Three ways to protect a data field, and the exam loves to swap them. Split them on two questions: is it reversible, and where does the original live.
- Encryption — reversible with a key. The original is mathematically present in the ciphertext; the key unlocks it. Lose control of the key, lose the data.
- Tokenization — the value is swapped for a meaningless token. There's no algorithm that turns the token back into the original; the real value sits in a separate vault, and the token is just a lookup reference. Steal the token database without the vault and you have nothing useful.
- Masking — the value is permanently obscured for display: `***-**-1234`. There is no key, no vault, no way back. It's for showing data to people who don't need the full value.
Discriminator: reversible with a key → encryption. Reversible only via a separate vault lookup → tokenization. Not reversible at all → masking.
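The three mechanisms side by side as code, an added example rather than anything from the article. The vault, the masking rule and the cipher are all constructed here; the cipher is a deliberately minimal hash-counter keystream used only to show "reversible with the key, opaque without it", not something to deploy (a real system would use AES-GCM).

```python
import os
import hashlib
import secrets

class TokenVault:
    """Tokenization: the real value lives only in the vault; the token is a
    random lookup reference with no mathematical relation to the original."""
    def __init__(self):
        self._vault = {}  # token -> original value

    def tokenize(self, value: str) -> str:
        token = secrets.token_hex(8)  # random; carries no information about value
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # reversible only by whoever holds the vault

def mask(value: str, visible: int = 4, sep: str = "-") -> str:
    """Masking: irreversible display form. Keeps separators and the last
    `visible` characters, hides everything else. No key, no vault, no way back."""
    head, tail = value[:-visible], value[-visible:]
    return "".join(c if c == sep else "*" for c in head) + tail

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (hash in counter mode), present only to show reversibility.
    Not a production cipher and provides no integrity protection."""
    out = b""
    for i in range(0, length, 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encryption: nonce || (plaintext XOR keystream). The original is fully
    present in the output, just unreadable without the key."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))
```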
MFA vs SSO vs Federation
These get blended because they all sit around "logging in," but they answer different questions. MFA is about how many proofs. SSO and federation are about how many systems and across what boundary.
- MFA (Multi-Factor Authentication) — one login that requires two or more different factor types: something you know, have, are. A password plus a TOTP code. Two passwords is not MFA — same factor type.
- SSO (Single Sign-On) — one login grants access to many applications within the same organization. Authenticate once to the company IdP, reach email, the wiki, and the ticketing system without re-entering credentials.
- Federation — SSO that crosses an organizational boundary via an established trust relationship, usually SAML or OIDC. Logging into a third-party SaaS vendor using your company identity is federation, because two separate trust domains agreed to honor each other's assertions.
Discriminator: count factor types for MFA. Count organizational boundaries for the other two — zero boundaries crossed is SSO, one boundary crossed is federation.
Two more that cause the same trouble
NAT vs PAT. NAT maps private addresses to public ones. Plain NAT can be a one-to-one mapping. PAT (Port Address Translation) — what most home routers actually do — maps many private addresses to a single public IP by tracking port numbers, also called NAT overload. Discriminator: many-to-one using ports is always PAT.
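The one-to-one versus many-to-one distinction as two small translation tables, an added example that is not from the article. The addresses and port range are constructed; the point is that plain NAT keys on the private IP alone, while PAT has to key on (IP, port) and hand out a unique public port per flow so replies can find their way back.

```python
from itertools import count

class OneToOneNat:
    """Plain NAT: a static table of private IP -> public IP. Ports are left
    untouched, so every inside host needs its own public address."""
    def __init__(self, table: dict):
        self._table = table                              # private_ip -> public_ip
        self._reverse = {v: k for k, v in table.items()}

    def outbound(self, private_ip: str, private_port: int):
        return self._table[private_ip], private_port

    def inbound(self, public_ip: str, public_port: int):
        return self._reverse[public_ip], public_port

class Pat:
    """NAT overload: many private addresses share ONE public IP. Each inside
    (ip, port) flow gets its own public source port, and that port is the key
    used to route replies back to the right inside host."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self._out = {}   # (private_ip, private_port) -> public_port
        self._in = {}    # public_port -> (private_ip, private_port)

    def outbound(self, private_ip: str, private_port: int):
        flow = (private_ip, private_port)
        if flow not in self._out:             # new flow: allocate a fresh port
            port = next(self._ports)
            self._out[flow] = port
            self._in[port] = flow
        return self.public_ip, self._out[flow]

    def inbound(self, public_port: int):
        # Unsolicited inbound traffic with no table entry has nowhere to go.
        return self._in.get(public_port)
```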
IDS vs IPS. Both detect. Only one acts. An IDS sits out of band, watches a copy of the traffic, and alerts — it cannot stop anything. An IPS sits inline, in the traffic path, and can drop or block in real time. Discriminator: if the device can stop the packet, it's inline, and inline means IPS. "Out of band / monitor / SPAN port / alerts only" is IDS.
Why this keeps happening
Notice the shape of every section above. The hard part was never the definition. It was a single splitting feature — reversibility, scope, who-got-verified, how-many-boundaries — that the scenario hides and the wrong answer is built to obscure. Standard studying optimizes recall: flashcards, re-reading, watching the term explained again. None of that trains you to produce the discriminator on demand, which is the exact thing the exam tests.
The fix is to study the pairs as pairs. Don't ask "what is tokenization." Ask "what one fact separates tokenization from masking, and which way does this scenario point." When you can state the discriminator in a sentence, the near-neighbor trap stops working on you.
Closing
If a question feels like a coin flip between two answers, that's the signal — you know both terms and you're missing the line between them. Find the line, write it down, and that whole class of question collapses.
I built a small free tool that drills these specific confusion pairs the way I described above — the most-confused concepts list — but the distinctions in this article stand on their own. The point isn't the tool. It's that "I keep getting these two mixed up" is a fixable, specific problem, and the fix is naming the discriminator rather than studying harder.