Security+ SY0-701 Study Guide
A condensed, exam-focused tour of all five domains. This isn't a replacement for the videos — it's the scaffold to hang them on, and a fast review tool in the final week.
Domain 1 — General Security Concepts 12%
Security controls
Controls are classified two ways. By category: technical (firewalls, encryption), managerial (policies, risk assessments), operational (training, guards), physical (locks, fences). By type/function: preventive, deterrent, detective, corrective, compensating, and directive. Expect questions that give a scenario and ask you to name both the category and type.
Core principles
- CIA triad: Confidentiality, Integrity, Availability — the three goals every control serves.
- Non-repudiation: proof someone did something (digital signatures, logging).
- AAA: Authentication (who you are), Authorization (what you can do), Accounting (what you did). Applies to people and systems (device certificates).
- Gap analysis: where you are vs. where you need to be.
Zero Trust
"Never trust, always verify." Split into a Control Plane (adaptive identity, policy engine/administrator, policy decision point) and a Data Plane (policy enforcement point, the subject/system requesting access). Key idea: trust is never implied by network location; every request is authenticated and authorized.
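To make the control plane / data plane split concrete, here is an added example (not part of the study guide or any CompTIA material) of a toy policy decision point and policy enforcement point. The role table, business-hours window, and the assumption that MFA status and device posture arrive from an identity provider or MDM are all constructed for the illustration. The point to notice is that the request carries a source-network field for logging, but the policy never consults it: a request from the "corporate LAN" without MFA is denied, while a compliant remote request is allowed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy data: which roles may reach which resources, and when.
ROLE_PERMISSIONS = {
    "finance": {"payroll-db", "wiki"},
    "engineer": {"git", "wiki"},
}
BUSINESS_HOURS = range(7, 20)  # time-of-day control: 07:00 through 19:59


@dataclass
class AccessRequest:
    subject: str
    role: str
    resource: str
    mfa_verified: bool        # assumed to come from the identity provider
    device_compliant: bool    # assumed to come from the MDM/EDR posture check
    when: datetime
    source_network: str = "unknown"  # recorded for accounting only, never used as a trust signal


@dataclass
class Decision:
    allow: bool
    reasons: list[str] = field(default_factory=list)


def policy_decision_point(req: AccessRequest) -> Decision:
    """Control plane: evaluate every request against identity, device, role and context rules.
    Network location is deliberately absent from the checks (trust is never implied by it)."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not strongly verified (MFA missing)")
    if not req.device_compliant:
        reasons.append("device fails posture check")
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"role '{req.role}' not permitted to access '{req.resource}'")
    if req.when.hour not in BUSINESS_HOURS:
        reasons.append("outside permitted time-of-day window")
    return Decision(allow=not reasons, reasons=reasons)


def policy_enforcement_point(req: AccessRequest, audit_log: list) -> bool:
    """Data plane: ask the PDP, enforce its answer, and record the decision (accounting)."""
    decision = policy_decision_point(req)
    outcome = "ALLOW" if decision.allow else "DENY " + "; ".join(decision.reasons)
    audit_log.append(
        f"{req.when.isoformat()} {req.subject} -> {req.resource} "
        f"from {req.source_network}: {outcome}"
    )
    return decision.allow


if __name__ == "__main__":
    log = []
    inside_no_mfa = AccessRequest("alice", "finance", "payroll-db", False, True,
                                  datetime(2024, 5, 1, 10), "corporate-lan")
    remote_ok = AccessRequest("alice", "finance", "payroll-db", True, True,
                              datetime(2024, 5, 1, 10), "home-broadband")
    policy_enforcement_point(inside_no_mfa, log)
    policy_enforcement_point(remote_ok, log)
    print("\n".join(log))
```

Every rule the PDP applies is an attribute of the subject, device, resource or time; adding a "source_network == corporate-lan" shortcut is exactly the implied trust Zero Trust removes.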
Physical & deception
Bollards, access vestibules (mantraps), badges, video, sensors (infrared, pressure, microwave, ultrasonic). Deception tech: honeypots, honeynets, honeyfiles, and honeytokens — bait to detect and study attackers.
Cryptography essentials
- Symmetric (one shared key, fast — AES) vs asymmetric (public/private key pair — RSA, ECC).
- PKI: CA, registration authority, certificates, CRL/OCSP for revocation, key escrow.
- Hashing (integrity — SHA-256) vs encryption (confidentiality). Add salt to defeat rainbow tables.
- Concepts: digital signatures, key stretching, blockchain, steganography, TPM/HSM/secure enclave, key exchange.
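The hashing bullet is the one examiners love to turn into a scenario, so here is an added example (not from the study guide) that shows why salt plus key stretching defeats a rainbow table. The "rainbow table" is a constructed dictionary of precomputed unsalted SHA-256 digests of a few common passwords; the salted scheme uses PBKDF2-HMAC-SHA256 from the standard library with a random 16-byte salt and 600,000 iterations (the OWASP-recommended count for that algorithm), and the iteration count is the only parameter you would tune.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed "rainbow table": precomputed unsalted SHA-256 digests of common
# passwords. Real tables cover billions of candidates, but the principle is identical.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

PBKDF2_ITERATIONS = 600_000  # key stretching: makes each guess expensive


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password always produces the same digest,
    so one precomputed table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_in_rainbow_table(digest: str) -> Optional[str]:
    """Return the recovered password if the digest was precomputed, else None."""
    return RAINBOW_TABLE.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, stretched hash. Returns (salt, derived_key); store both.
    The salt is not secret; its job is to make every stored hash unique, so a
    precomputed table would have to be rebuilt per user (and per iteration count)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_salted(password: str, salt: bytes, stored: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = salted_hash(password, salt, iterations)
    return hmac.compare_digest(dk, stored)


if __name__ == "__main__":
    weak = unsalted_hash("letmein")
    print("unsalted digest recovered from table:", lookup_in_rainbow_table(weak))
    salt, dk = salted_hash("letmein")
    print("salted digest found in table:", lookup_in_rainbow_table(dk.hex()))
    print("verify correct password:", verify_salted("letmein", salt, dk))
```

Two users with the same password get different salted hashes, so an attacker who steals the database must attack each account separately, and each attempt costs 600,000 HMAC operations instead of one.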
Change management
Business process matters for security: approval, ownership, stakeholders, impact analysis, test results, backout plans, maintenance windows; technical implications like allow/deny lists, downtime, restarts, dependencies, and updating documentation/diagrams.
Domain 2 — Threats, Vulnerabilities & Mitigations 22%
Threat actors & motivations
Nation-states (well-funded, APTs), organized crime, hacktivists, insiders, unskilled "script kiddies," shadow IT. Attributes: internal vs external, resources, sophistication. Motivations: data exfiltration, financial gain, espionage, disruption/chaos, war, ideology/revenge. Attack vectors: email/phishing, removable media, vulnerable software, unsupported systems, open ports, default credentials, supply chain.
Social engineering
Phishing, vishing, smishing, spear phishing, whaling, business email compromise, pretexting, watering-hole, brand impersonation, typosquatting, and disinformation. Principles of influence: authority, intimidation, consensus/social proof, scarcity, urgency, familiarity, trust.
Vulnerabilities
Application (buffer overflow, race conditions/TOCTOU, memory injection), web (SQL injection, XSS), OS, hardware (firmware, end-of-life, legacy), virtualization (VM escape, resource reuse), cloud, supply chain, cryptographic, misconfiguration, mobile (sideloading, jailbreaking), and zero-day.
Attack types you must recognize
- Malware: ransomware, trojan, worm, spyware, bloatware, virus, keylogger, logic bomb, rootkit.
- Network: DDoS (amplified/reflected), DNS attacks, on-path (MITM), credential replay, malicious code.
- Application: injection, buffer overflow, replay, privilege escalation, forgery (CSRF), directory traversal.
- Crypto: downgrade, collision, birthday.
- Password: brute force vs spraying; online vs offline.
Indicators & mitigations
Indicators: account lockouts, impossible travel, concurrent sessions, resource inaccessibility, out-of-cycle logging, blocked content, missing logs. Mitigations: segmentation, access control (ACLs/permissions), application allow lists, isolation/quarantine, patching, encryption, monitoring, least privilege, configuration enforcement, decommissioning, and hardening.
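Two of the indicators above (impossible travel and the many-accounts, few-attempts pattern behind password spraying) are easy to demonstrate as detection logic. The following is an added example, not part of the study guide, run over a constructed authentication log. The log format (timestamp, user, source IP, latitude, longitude, result) and the assumption that a GeoIP enrichment step already attached coordinates are both constructed; the 900 km/h plausibility limit and the spray thresholds are illustrative tuning values.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample log: timestamp user source_ip lat lon result
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice 203.0.113.5  40.7128 -74.0060 success
2024-05-01T08:30:00Z alice 198.51.100.7 51.5074  -0.1278 success
2024-05-01T09:00:00Z bob   192.0.2.10   42.3601 -71.0589 success
2024-05-01T09:01:00Z alice 192.0.2.99   40.7128 -74.0060 failure
2024-05-01T09:01:05Z bob   192.0.2.99   40.7128 -74.0060 failure
2024-05-01T09:01:10Z carol 192.0.2.99   40.7128 -74.0060 failure
2024-05-01T09:01:15Z dave  192.0.2.99   40.7128 -74.0060 failure
2024-05-01T13:00:00Z bob   192.0.2.11   40.7128 -74.0060 success
"""

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; anything faster is "impossible travel"
SPRAY_DISTINCT_USERS = 3    # distinct accounts failing from one IP inside the window
SPRAY_WINDOW_SEC = 300


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    lat: float
    lon: float
    result: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, user, ip, float(lat), float(lon), result))
    return sorted(events, key=lambda e: e.ts)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events: List[Event]) -> List[Tuple[str, str, str, int]]:
    """Flag consecutive successful logins by one user that would need implausible speed.
    Returns (user, previous_ip, current_ip, implied_speed_kmh)."""
    alerts = []
    last: Dict[str, Event] = {}
    for e in events:
        if e.result != "success":
            continue
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append((e.user, prev.src_ip, e.src_ip, round(speed)))
        last[e.user] = e
    return alerts


def password_spraying(events: List[Event]) -> Dict[str, List[str]]:
    """Flag a source IP whose failures touch many distinct accounts within the window
    (few attempts per account, so per-account lockout never fires)."""
    alerts: Dict[str, List[str]] = {}
    recent = defaultdict(list)  # ip -> [(ts, user)] inside the sliding window
    for e in events:
        if e.result != "failure":
            continue
        window = [(t, u) for (t, u) in recent[e.src_ip]
                  if (e.ts - t).total_seconds() <= SPRAY_WINDOW_SEC]
        window.append((e.ts, e.user))
        recent[e.src_ip] = window
        users = sorted({u for _, u in window})
        if len(users) >= SPRAY_DISTINCT_USERS:
            alerts[e.src_ip] = users
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("impossible travel:", impossible_travel(evts))
    print("password spraying:", password_spraying(evts))
```

In the sample, alice logs in from New York and then London 30 minutes later (an implied speed of more than 11,000 km/h), while bob's Boston-to-New York move over four hours is plausible; the single IP 192.0.2.99 fails against four accounts in fifteen seconds, the spraying signature that per-account lockout thresholds miss.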
Domain 3 — Security Architecture 18%
Architecture models & trade-offs
Compare cloud (responsibility matrix, hybrid, third-party vendors), IaC, serverless, microservices, on-prem, centralized vs decentralized, virtualization/containers, IoT, ICS/SCADA, RTOS, and embedded systems. Trade-offs: availability, resilience, cost, responsiveness, scalability, ease of deployment/recovery, patch availability, attack surface.
Secure network design
- Device placement & security zones; screened subnet (DMZ).
- Attack surface, connectivity, failure modes — fail-open vs fail-closed.
- Device modes: active vs passive, inline vs tap/monitor (SPAN).
- Appliances: jump server, proxy, IPS/IDS, load balancer, sensors.
- Port security: 802.1X, EAP. Firewall types: WAF, NGFW, UTM, Layer 4 vs Layer 7.
- Secure access: VPN, TLS, IPSec, SD-WAN, SASE.
Data protection
Classify data (regulated, trade secret, PII, financial, public/private/restricted). States: data at rest, in transit, in use. Methods: geographic restrictions, encryption, hashing, masking, tokenization, obfuscation, segmentation, permission restrictions. Know DLP.
Resilience & recovery
High availability and load balancing/clustering; site resiliency (hot/warm/cold); platform diversity; multi-cloud. Backups: onsite/offsite, frequency, encryption, snapshots, replication, journaling. Continuity: COOP, capacity planning, and testing — tabletop exercises, failover, simulation, parallel processing. Power: generators, UPS.
Domain 4 — Security Operations 28% — the biggest domain
Secure baselines & hardening
Establish, deploy, and maintain secure baselines. Harden targets: mobile, workstations, switches/routers, cloud, servers, ICS/SCADA, embedded/RTOS, IoT. Techniques: disable unused ports/services, default password changes, host-based firewalls/HIPS, encryption, EDR. Mobile: MDM, BYOD/COPE/CYOD, connection methods (cellular, Wi-Fi, Bluetooth).
Identity & Access Management (IAM)
- Provisioning/deprovisioning, permission assignment, identity proofing.
- SSO: LDAP, OAuth, SAML. Federation. Interoperability.
- Access control models: mandatory, discretionary, role-based, rule-based, attribute-based, time-of-day, least privilege.
- MFA factors: something you know / have / are / somewhere you are / something you do. Biometrics, hard/soft tokens, OTP (TOTP/HOTP).
- Password concepts & privileged access management (PAM): just-in-time, password vaulting, ephemeral credentials.
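The OTP bullet is worth seeing in code, because the HOTP/TOTP distinction is exactly one line. The block below is an added example, not part of the study guide, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library only and checked against the test vectors published in those RFCs (shared secret `12345678901234567890`, SHA-1). The server-side verification helpers, with their look-ahead and clock-drift windows, are my own illustration of how a verifier copes with a desynchronised counter or a slightly wrong clock.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    Uses a constant-time comparison so timing does not leak digit matches."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


def verify_hotp(secret: bytes, code: str, stored_counter: int,
                lookahead: int = 10, digits: int = 6) -> Optional[int]:
    """Event-based tokens drift when the user presses the button without logging in.
    Try the stored counter and up to `lookahead` values after it; on success return
    the new counter the server must persist (the matched value plus one), else None."""
    for c in range(stored_counter, stored_counter + lookahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC test-vector secret, not a real key
    print("HOTP counter 0 :", hotp(secret, 0))          # 755224 per RFC 4226
    print("TOTP at T=59   :", totp(secret, 59, digits=8))  # 94287082 per RFC 6238
    print("TOTP now       :", totp(secret, int(time.time())))
```

Note what the verifier has to store in each case: for TOTP only the secret, for HOTP the secret plus the last accepted counter, which must be updated atomically so a captured code cannot be replayed.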
Automation & monitoring
Benefits of automation/orchestration (efficiency, scaling, standardization, secure provisioning) and cautions (complexity, single point of failure, technical debt). Monitor systems, applications, infrastructure; tools: SCAP, SIEM, SNMP traps, NetFlow, vulnerability scanners, antivirus, DLP. Alerting, quarantine, alert tuning.
Vulnerability management
Identify (scans, static/dynamic analysis, pentest, threat intel, bug bounty, CVE/CVSS), analyze (false positives/negatives, prioritize, exposure factor, CVSS), and respond (patching, insurance, segmentation, compensating controls, exceptions). Validate remediation via rescanning, audit, verification. Report.
Incident response
Know the lifecycle cold: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons learned. Training, testing (tabletop, simulations), root cause analysis, threat hunting. Digital forensics: legal hold, chain of custody, acquisition, reporting, preservation, e-discovery. Investigate using log data: firewall, app, endpoint, OS, IPS/IDS, network, metadata, vulnerability scans, packet captures, dashboards.
Domain 5 — Security Program Management & Oversight 20%
Governance
Guidelines, policies (AUP, information security, BC/DR, incident response, SDLC, change management), standards (password, access, encryption), procedures (onboarding/offboarding, playbooks), and external considerations (regulatory, legal, industry, local/regional/national/global). Governance structures: boards, committees, government, centralized/decentralized. Roles: owners, controllers, processors, custodians/stewards.
Risk management
- Risk identification & assessment (ad hoc, recurring, one-time, continuous).
- Risk analysis: qualitative vs quantitative; SLE = AV × EF (asset value × exposure factor); ALE = SLE × ARO (single loss expectancy × annualized rate of occurrence); probability, likelihood, impact.
- Risk register, risk tolerance/appetite, KRIs, owners, thresholds.
- Risk responses: transfer, accept (with exemption/exception), avoid, mitigate.
- Business impact analysis: RTO, RPO, MTTR, MTBF.
Third-party / vendor risk
Vendor assessment (penetration testing, right-to-audit, evidence of internal audits, independent assessments, supply-chain analysis). Agreements: SLA, MOA/MOU, MSA, WO/SOW, NDA, BPA. Ongoing vendor monitoring and questionnaires.
Compliance & audits
Compliance reporting (internal/external), consequences of non-compliance (fines, sanctions, reputational/contractual/license loss), monitoring (due diligence/care, attestation, automation), and privacy (legal/regulatory, data subject, controller vs processor, ownership, retention, right to be forgotten). Audits/assessments: internal (compliance, audit committee, self-assessment) vs external (regulatory, examinations, third-party, attestation) and penetration testing (offensive/defensive/integrated; known/partially known/unknown environments; reconnaissance, passive vs active).
Security awareness
Phishing campaigns & recognizing anomalous behavior; user guidance (policy, situational awareness, insider threat, password management, removable media, social engineering, operational security, hybrid/remote work); reporting/monitoring, and program development/execution.