CompTIA Security+ Exam Guide (SY0-701)
Earn the industry's most recognized cybersecurity certification with this comprehensive Security+ study guide covering all five exam domains: general security concepts, threats and vulnerabilities, security architecture, security operations, and security program management. This guide breaks down each domain with real-world attack scenarios, defense strategies, and practice questions that mirror the performance-based format of the actual exam. Whether you are transitioning into cybersecurity or formalizing your existing security knowledge, this guide provides the structured study path to pass on your first attempt.
Key Features
- All five SY0-701 domains covered with weighted study priorities and learning objectives
- Threat landscape analysis covering malware types, social engineering, application attacks, and network threats
- Security architecture patterns including zero trust, defense in depth, and secure network design
- Cryptography fundamentals with algorithm comparisons, PKI workflows, and hashing use cases
- Identity and access management covering authentication factors, SSO, federation, and PAM
- Incident response procedures including detection, analysis, containment, eradication, and recovery
- Governance and compliance frameworks: NIST, ISO 27001, SOC 2, GDPR, PCI DSS
- Performance-based question practice simulating hands-on exam scenarios
Study Plan
Week 1-2: General Security Concepts (12% of exam)
- Security controls: technical, managerial, operational, physical
- CIA triad: confidentiality, integrity, availability
- AAA framework: authentication, authorization, accounting
- Zero trust architecture and its implementation principles
- Gap analysis, security awareness, and change management
Week 3-4: Threats, Vulnerabilities, and Mitigations (22% of exam)
- Threat actors: nation-state, organized crime, hacktivists, insider threats
- Malware types: ransomware, trojans, rootkits, fileless malware
- Social engineering: phishing, vishing, smishing, pretexting, watering hole
- Application vulnerabilities: injection, XSS, CSRF, buffer overflow
- Vulnerability scanning, penetration testing methodology, and risk assessment
Week 5-6: Security Architecture (18% of exam)
- Network segmentation: VLANs, DMZ (called a screened subnet in SY0-701), micro-segmentation
- Secure protocols: TLS 1.3, IPsec, SSH, DNSSEC, S/MIME
- Cloud security models: shared responsibility, CASB, SASE
- Infrastructure hardening: baselines, Group Policy, patch management
- Cryptographic concepts: symmetric, asymmetric, hashing, digital signatures
Week 7-8: Security Operations (28% of exam)
- SIEM operations, log analysis, and alert triage
- Incident response lifecycle and playbook development
- Digital forensics: order of volatility, chain of custody, evidence preservation
- Endpoint detection and response (EDR), SOAR, and threat intelligence
- Vulnerability management programs and remediation prioritization
Week 9-10: Security Program Management (20% of exam)
- Risk management: risk register, risk matrix, qualitative vs. quantitative analysis
- Compliance frameworks and regulatory requirements
- Security policies, standards, procedures, and guidelines
- Business continuity and disaster recovery planning
- Third-party risk management and vendor assessment
Key Topics
| Domain | Weight | Focus Areas |
|---|---|---|
| General Security Concepts | 12% | Controls, CIA, zero trust, AAA |
| Threats and Vulnerabilities | 22% | Malware, social engineering, attacks |
| Security Architecture | 18% | Network design, crypto, cloud security |
| Security Operations | 28% | SIEM, IR, forensics, EDR |
| Security Program Management | 20% | Risk, compliance, policies, BCP/DR |
Practice Questions
Q1: A security analyst notices that an employee's account is sending emails with malicious attachments to other employees during off-hours. The employee is currently on vacation. What type of threat does this most likely indicate?
A1: This most likely indicates a compromised account (account takeover). The attacker obtained the employee's credentials, possibly through phishing or credential stuffing, and is using the trusted internal account to distribute malware (lateral phishing). Immediate response: disable the account and revoke its active sessions and tokens (a password reset alone does not end an already-authenticated session), reset credentials, check the mailbox for attacker-added forwarding or inbox rules, scan recipients' machines, and investigate how the credentials were compromised.
Q2: A company is implementing multi-factor authentication. They require a password (something you know) and a fingerprint scan (something you are). An attacker steals the password through a keylogger. Can they access the account?
A2: No, not with the password alone. Multi-factor authentication requires factors from two or more categories. Even with the stolen password (knowledge factor), the attacker still needs the biometric factor (inherence). A keylogger captures keystrokes, so it cannot capture or replay the fingerprint. However, the compromised password should still be changed immediately, and the keylogger must be removed from the system.
Q3: During a penetration test, the team discovers a web application that reflects user input directly in the page without sanitization. Entering <script>alert('test')</script> in a search field causes a popup. What vulnerability is this, and how should it be remediated?
A3: This is a Reflected Cross-Site Scripting (XSS) vulnerability. The application places user input into the HTML response without encoding it for that context. Remediation, in order of importance: contextual output encoding (HTML entity encoding for element bodies and attributes) is the primary fix; input validation (an allowlist of permitted characters) and a Content Security Policy (CSP) header that disallows inline scripts provide defense in depth. Use a web application framework that auto-escapes output by default.
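The vulnerable and hardened behaviour from Q3, side by side, as an added example that is not code from the original page. The search page, the `q` input field and the helper names are hypothetical; the payload is the same probe string the question uses, plus a constructed attribute-breakout payload to show why the encoding must also cover quotes.

```python
import html
import re
from typing import Optional

# Constructed payload for the demo: the same probe string the question uses.
PAYLOAD = "<script>alert('test')</script>"


def render_search_vulnerable(query: str) -> str:
    """Reflects the raw query into the HTML body: the Q3 bug. Never ship this."""
    return f"<h1>Results for: {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Contextual output encoding, the primary XSS control.

    html.escape(quote=True) encodes < > & " and ', so the same encoded value is
    safe both in an element body and inside a double-quoted attribute.
    """
    safe = html.escape(query, quote=True)
    return f'<h1>Results for: {safe}</h1>\n<input name="q" value="{safe}">'


def allowlist_validate(query: str, max_len: int = 64) -> Optional[str]:
    """Defense in depth: accept only what a search term legitimately needs.

    Returns the query if acceptable, otherwise None. Validation on its own is
    not sufficient (legitimate data may need '<' or quotes), so it sits in
    front of, not instead of, output encoding.
    """
    if len(query) > max_len or not re.fullmatch(r"[\w\s.\-]+", query):
        return None
    return query


def contains_live_script(fragment: str) -> bool:
    """Crude oracle for the demo: is there an unescaped <script> tag in the output?"""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


# Third layer: a CSP that refuses inline scripts even if an encoding bug slips
# through. 'self' permits only same-origin script files.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"
```

The attribute case is why the encoder is called with `quote=True`: a payload such as `" onfocus="alert(1)" autofocus="` contains no angle brackets at all, so a filter that only strips `<script>` would pass it straight into the `value` attribute.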
Q4: An organization needs to classify the risk of a server room flood. The server room contains assets worth $500,000. A flood would destroy 80% of assets. Historical data shows a flood occurs once every 50 years. Calculate the ALE.
A4: Using quantitative risk analysis: Asset Value (AV) = $500,000. Exposure Factor (EF) = 80% = 0.8. Single Loss Expectancy (SLE) = AV x EF = $400,000. Annualized Rate of Occurrence (ARO) = 1/50 = 0.02. Annualized Loss Expectancy (ALE) = SLE x ARO = $400,000 x 0.02 = $8,000 per year. This helps justify the cost of flood mitigation controls.
Lab Exercises
Lab 1: Network Reconnaissance and Scanning
# Discover live hosts on a network segment (use only on networks you are authorized to scan)
nmap -sn 192.168.1.0/24
# Perform a service version scan on a target (TCP ports 1-1000 only)
nmap -sV -p 1-1000 192.168.1.100
# Check for common vulnerabilities (noisy and intrusive; expect IDS alerts)
nmap --script vuln 192.168.1.100
# Analyze open ports and identify unnecessary services
# (-sS SYN scan and -O OS detection need raw sockets, so run as root or with sudo)
nmap -sS -O 192.168.1.100
Lab 2: Log Analysis with Command Line
# Search authentication logs for failed login attempts
# (Debian/Ubuntu log to /var/log/auth.log; RHEL-based systems use /var/log/secure)
grep "Failed password" /var/log/auth.log | tail -20
# Count failed attempts per IP address
# (the IP is the fourth field from the end: "... from <IP> port <N> ssh2")
grep "Failed password" /var/log/auth.log | \
awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10
# Check for privilege escalation attempts
# (sudo never logs the word "FAILED"; match the messages it actually writes)
grep "sudo" /var/log/auth.log | \
grep -E "incorrect password attempts|command not allowed|NOT in sudoers|authentication failure" | tail -20
Lab 3: File Integrity and Hashing
# Generate SHA-256 hash of a critical file
# (/tmp is used here for demonstration only; keep real baselines on read-only or
# off-host storage, since an attacker who can edit the file can also edit a baseline in /tmp)
sha256sum /etc/passwd > /tmp/passwd_baseline.sha256
# Later, verify file integrity against the baseline (prints OK or FAILED per file)
sha256sum -c /tmp/passwd_baseline.sha256
# Compare current and baseline hash lines directly (requires bash process substitution)
diff <(sha256sum /etc/passwd) /tmp/passwd_baseline.sha256
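A file-integrity check written out in full, as an added example that is not part of the original page. It does what `sha256sum` and `sha256sum -c` do in the lab, and adds the state the hash list cannot report on its own: a file that was added to a monitored directory after the baseline was taken. The fake `etc` tree, its contents and the simulated tampering are all constructed inside a temporary directory; nothing on the real system is read or written.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(monitored_dir):
    """Map every file under monitored_dir (relative POSIX path) to its SHA-256."""
    root = Path(monitored_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(monitored_dir, baseline):
    """Classify each baselined file as ok / modified / missing, and list files
    the baseline never saw. sha256sum -c reports only the first two states;
    'unexpected' is what catches a dropped web shell or cron job."""
    root = Path(monitored_dir)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in baseline.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in baseline:
            report["unexpected"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a fake etc directory, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        monitored = Path(tmp) / "etc"
        monitored.mkdir()
        (monitored / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (monitored / "shadow").write_text("root:*:19000:0:99999:7:::\n")

        # Keep the baseline outside the tree it describes (here a sibling path;
        # in production, read-only or off-host storage).
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(monitored), indent=2))

        # Simulated compromise: a second uid-0 account appended, and a new file dropped.
        with open(monitored / "passwd", "a") as fh:
            fh.write("backdoor:x:0:0::/root:/bin/bash\n")
        (monitored / "backdoor.sh").write_text("#!/bin/sh\n# dropped by attacker (simulated)\n")

        return verify_baseline(monitored, json.loads(baseline_file.read_text()))


if __name__ == "__main__":
    for state, files in demo().items():
        print(f"{state:10} {files}")
```

The one-line `passwd` edit changes the digest completely, which is the property the lab relies on; the untouched `shadow` still matches; and `backdoor.sh` shows up only because the verifier walks the directory rather than just replaying the hash list.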
Exam Tips
- Security Operations is 28% — spend the most time on SIEM, incident response, and forensics topics
- Performance-based questions come first — practice hands-on scenarios with command-line tools, log analysis, and network diagrams
- Know your acronyms — Security+ is acronym-heavy; create flashcards for SIEM, SOAR, EDR, XDR, CASB, SASE, PAM
- Understand attack chains — questions often describe a multi-step attack and ask you to identify the phase or best response
- Risk calculations — memorize SLE = AV x EF, ALE = SLE x ARO; practice the math
- Read every option — "BEST" answer questions mean multiple options are partially correct; choose the most complete one
- Zero trust is heavily tested — understand "never trust, always verify" and how it applies to network architecture
Resources
- CompTIA Security+ SY0-701 Exam Objectives
- NIST Cybersecurity Framework
- OWASP Top 10
- MITRE ATT&CK Framework
This is 1 of 11 resources in the Certification Prep Pro toolkit. Get the complete [CompTIA Security+ Study Guide] with all files, templates, and documentation for $39.
Or grab the entire Certification Prep Pro bundle (11 products) for $249 — save 30%.