
Security+ SY0-701 Study Guide

A condensed, exam-focused tour of all five domains. This isn't a replacement for the videos — it's the scaffold to hang them on, and a fast review tool in the final week.

Domain 1 — General Security Concepts 12%

Security controls

Controls are classified two ways. By category: technical (firewalls, encryption), managerial (policies, risk assessments), operational (training, guards), physical (locks, fences). By type/function: preventive, deterrent, detective, corrective, compensating, and directive. Expect questions that give a scenario and ask you to name both the category and type.

Core principles

Zero Trust

"Never trust, always verify." Split into a Control Plane (adaptive identity, policy engine/administrator, policy decision point) and a Data Plane (policy enforcement point, the subject/system requesting access). Key idea: trust is never implied by network location; every request is authenticated and authorized.

Physical & deception

Bollards, access vestibules (mantraps), badges, video, sensors (infrared, pressure, microwave, ultrasonic). Deception tech: honeypots, honeynets, honeyfiles, and honeytokens — bait to detect and study attackers.

Cryptography essentials

Change management

Business process matters for security: approval, ownership, stakeholders, impact analysis, test results, backout plans, maintenance windows; technical implications like allow/deny lists, downtime, restarts, dependencies, and updating documentation/diagrams.

Domain 2 — Threats, Vulnerabilities & Mitigations 22%

Threat actors & motivations

Nation-states (well-funded, APTs), organized crime, hacktivists, insiders, unskilled "script kiddies," shadow IT. Attributes: internal vs external, resources, sophistication. Motivations: data exfiltration, financial gain, espionage, disruption/chaos, war, ideology/revenge. Attack vectors: email/phishing, removable media, vulnerable software, unsupported systems, open ports, default credentials, supply chain.

Social engineering

Phishing, vishing, smishing, spear phishing, whaling, business email compromise, pretexting, watering-hole, brand impersonation, typosquatting, and disinformation. Principles of influence: authority, intimidation, consensus/social proof, scarcity, urgency, familiarity, trust.

Vulnerabilities

Application (buffer overflow, race conditions/TOCTOU, memory injection), web (SQL injection, XSS), OS, hardware (firmware, end-of-life, legacy), virtualization (VM escape, resource reuse), cloud, supply chain, cryptographic, misconfiguration, mobile (sideloading, jailbreaking), and zero-day.

Attack types you must recognize

Indicators & mitigations

Indicators: account lockouts, impossible travel, concurrent sessions, resource inaccessibility, out-of-cycle logging, blocked content, missing logs. Mitigations: segmentation, access control (ACLs/permissions), application allow lists, isolation/quarantine, patching, encryption, monitoring, least privilege, configuration enforcement, decommissioning, and hardening.
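Three of those indicators (impossible travel, concurrent sessions, and the failed-login burst that precedes an account lockout) are easier to remember once you have seen them as detection logic. The following is an added example, not part of the study guide and not any SIEM product's rule set; the log lines, addresses and coordinates are constructed, the lat/lon columns are assumed to come from a GeoIP enrichment step, and the 900 km/h travel ceiling and the 10-minute and 60-second windows are assumed thresholds a team would tune for its own environment.

```python
"""Constructed example: detecting impossible travel, concurrent sessions
from different addresses, and a burst of failed logins (lockout precursor)
over a handful of made-up authentication log lines. Not the study guide's
own material and not any product's detection logic."""
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp user result ip lat lon
# (lat/lon are assumed to come from a GeoIP enrichment step; every
# address is from the documentation ranges and every value is made up).
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice success 203.0.113.10 51.50 -0.12
2024-05-01T08:20:00 alice success 198.51.100.7 40.71 -74.01
2024-05-01T09:00:00 bob success 192.0.2.5 48.85 2.35
2024-05-01T09:01:00 bob success 192.0.2.9 48.86 2.34
2024-05-01T09:30:00 carol failure 203.0.113.44 35.68 139.69
2024-05-01T09:30:05 carol failure 203.0.113.44 35.68 139.69
2024-05-01T09:30:09 carol failure 203.0.113.44 35.68 139.69
2024-05-01T09:30:12 carol failure 203.0.113.44 35.68 139.69
2024-05-01T09:30:15 carol failure 203.0.113.44 35.68 139.69
"""

@dataclass
class Event:
    ts: datetime
    user: str
    ok: bool
    ip: str
    lat: float
    lon: float

def parse(log: str) -> list:
    """Turn the whitespace-separated sample lines into time-ordered Events."""
    events = []
    for line in log.splitlines():
        ts, user, result, ip, lat, lon = line.split()
        events.append(Event(datetime.fromisoformat(ts), user,
                            result == "success", ip, float(lat), float(lon)))
    return sorted(events, key=lambda e: e.ts)

def km_between(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance in kilometres between two events."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlam = math.radians(b.lat - a.lat), math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events, max_kmh=900.0):
    """Impossible travel: two successive successful logins by one user that
    would need travel faster than max_kmh (assumed airliner speed).
    Returns (user, km, hours) tuples."""
    alerts, last = [], {}
    for e in events:
        if not e.ok:
            continue
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = km_between(prev, e)
            if hours > 0 and km / hours > max_kmh:
                alerts.append((e.user, round(km), round(hours, 2)))
        last[e.user] = e
    return alerts

def concurrent_sessions(events, window=timedelta(minutes=10)):
    """Concurrent sessions: successful logins for the same user from two
    different source addresses inside one short window."""
    by_user = defaultdict(list)
    for e in events:
        if e.ok:
            by_user[e.user].append(e)
    alerts = []
    for user, logins in by_user.items():
        for a, b in zip(logins, logins[1:]):
            if a.ip != b.ip and b.ts - a.ts <= window:
                alerts.append((user, a.ip, b.ip))
    return alerts

def failed_login_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Lockout precursor: at least `threshold` failures for one user inside
    one window, the pattern an account-lockout policy reacts to."""
    by_user = defaultdict(list)
    for e in events:
        if not e.ok:
            by_user[e.user].append(e.ts)
    alerts = []
    for user, times in by_user.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((user, threshold))
                break
    return alerts

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("impossible travel  :", impossible_travel(evs))
    print("concurrent sessions:", concurrent_sessions(evs))
    print("failed-login burst :", failed_login_burst(evs))
```

Run as a script it flags alice for impossible travel (London to New York in twenty minutes), bob for two sessions from different addresses a minute apart, and carol for five failures in fifteen seconds; each rule is a separate function so the thresholds can be tuned (alert tuning, in the Domain 4 vocabulary) without touching the others.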

Domain 3 — Security Architecture 18%

Architecture models & trade-offs

Compare cloud (responsibility matrix, hybrid, third-party vendors), IaC, serverless, microservices, on-prem, centralized vs decentralized, virtualization/containers, IoT, ICS/SCADA, RTOS, and embedded systems. Trade-offs: availability, resilience, cost, responsiveness, scalability, ease of deployment/recovery, patch availability, attack surface.

Secure network design

Data protection

Classify data (regulated, trade secret, PII, financial, public/private/restricted). States: data at rest, in transit, in use. Methods: geographic restrictions, encryption, hashing, masking, tokenization, obfuscation, segmentation, permission restrictions. Know DLP.
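Hashing, masking and tokenization are easy to confuse on the exam because all three replace a sensitive value with something else; what differs is reversibility and who can reverse it. The following is an added example, not code from the study guide, that applies each method to one constructed card number (a standard test number, not a real account). The HMAC key and the token vault are assumptions standing in for a secrets store and a segmented tokenization service.

```python
"""Constructed example: hashing, masking and tokenization of one made-up
card number. Added for illustration; not part of the study guide."""
import hashlib
import hmac
import secrets


def mask(value: str, visible_last: int = 4, mask_char: str = "*") -> str:
    """Masking: hide all but the trailing characters. Irreversible and not
    unique (many inputs share one masked form), so it suits display only,
    never record matching."""
    if len(value) <= visible_last:
        return mask_char * len(value)
    return mask_char * (len(value) - visible_last) + value[-visible_last:]


def keyed_hash(value: str, key: bytes) -> str:
    """Hashing: a keyed HMAC-SHA-256 digest can be compared for equality
    without storing the plaintext. The key (assumed to live in a secrets
    store) stops precomputation of digests for guessable inputs such as
    card numbers, which a plain unkeyed hash would not."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: substitute a random surrogate that carries no
    information about the original. The vault mapping is the only way
    back, which is why it is the asset to segment and protect."""

    def __init__(self) -> None:
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._by_value:           # same value -> same token
            return self._by_value[value]
        token = secrets.token_hex(8)
        while token in self._by_token:        # guard the (negligible) collision
            token = secrets.token_hex(8)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
DEMO_KEY = b"demo-only-key"   # assumption: a real key comes from a secrets store

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    print("masked    :", mask(SAMPLE_PAN))
    print("hashed    :", keyed_hash(SAMPLE_PAN, DEMO_KEY))
    print("token     :", tok)
    print("detokenize:", vault.detokenize(tok))
```

The masked form is what a receipt shows, the keyed hash is what a lookup index stores, and the token is what a downstream system keeps so that a breach there exposes nothing useful; only the vault (or the key holder, for the hash) can relate any of them back to the original value.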

Resilience & recovery

High availability and load balancing/clustering; site resiliency (hot/warm/cold); platform diversity; multi-cloud. Backups: onsite/offsite, frequency, encryption, snapshots, replication, journaling. Continuity: COOP, capacity planning, and testing — tabletop exercises, failover, simulation, parallel processing. Power: generators, UPS.

Domain 4 — Security Operations 28% — the biggest domain

Secure baselines & hardening

Establish, deploy, and maintain secure baselines. Harden targets: mobile, workstations, switches/routers, cloud, servers, ICS/SCADA, embedded/RTOS, IoT. Techniques: disable unused ports/services, default password changes, host-based firewalls/HIPS, encryption, EDR. Mobile: MDM, BYOD/COPE/CYOD, connection methods (cellular, Wi-Fi, Bluetooth).

Identity & Access Management (IAM)

Automation & monitoring

Benefits of automation/orchestration (efficiency, scaling, standardization, secure provisioning) and cautions (complexity, single point of failure, technical debt). Monitor systems, applications, infrastructure; tools: SCAP, SIEM, SNMP traps, NetFlow, vulnerability scanners, antivirus, DLP. Alerting, quarantine, alert tuning.

Vulnerability management

Identify (scans, static/dynamic analysis, pentest, threat intel, bug bounty, CVE/CVSS), analyze (false positives/negatives, prioritize, exposure factor, CVSS), and respond (patching, insurance, segmentation, compensating controls, exceptions). Validate remediation via rescanning, audit, verification. Report.

Incident response

Know the lifecycle cold: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons learned. Training, testing (tabletop, simulations), root cause analysis, threat hunting. Digital forensics: legal hold, chain of custody, acquisition, reporting, preservation, e-discovery. Investigate using log data: firewall, app, endpoint, OS, IPS/IDS, network, metadata, vulnerability scans, packet captures, dashboards.

Domain 5 — Security Program Management & Oversight 20%

Governance

Guidelines, policies (AUP, information security, BC/DR, incident response, SDLC, change management), standards (password, access, encryption), procedures (onboarding/offboarding, playbooks), and external considerations (regulatory, legal, industry, local/regional/national/global). Governance structures: boards, committees, government, centralized/decentralized. Roles: owners, controllers, processors, custodians/stewards.

Risk management

Third-party / vendor risk

Vendor assessment (penetration testing, right-to-audit, evidence of internal audits, independent assessments, supply-chain analysis). Agreements: SLA, MOA/MOU, MSA, WO/SOW, NDA, BPA. Ongoing vendor monitoring and questionnaires.

Compliance & audits

Compliance reporting (internal/external), consequences of non-compliance (fines, sanctions, reputational/contractual/license loss), monitoring (due diligence/care, attestation, automation), and privacy (legal/regulatory, data subject, controller vs processor, ownership, retention, right to be forgotten). Audits/assessments: internal (compliance, audit committee, self-assessment) vs external (regulatory, examinations, third-party, attestation) and penetration testing (offensive/defensive/integrated; known/partially known/unknown environments; reconnaissance, passive vs active).

Security awareness

Phishing campaigns & recognizing anomalous behavior; user guidance (policy, situational awareness, insider threat, password management, removable media, social engineering, operational security, hybrid/remote work); reporting/monitoring, and program development/execution.

Acronym warning. Security+ is acronym-heavy. Drill the CompTIA acronym list until it's automatic — see the Resources page for a free acronym quiz, and the Practice page for how to use it.
