
CompTIA Security+ (SY0-701) Mastery Course: Complete Exam-Ready Preparation
A deep, exam-focused preparation course for CompTIA Security+ (SY0-701) that systematically covers all five domains, emphasizes high‑weight operations and threat analysis topics, and builds the baseline skills needed for real-world security roles. Designed to take you from foundational concepts through hands-on-style scenarios, this course targets not just memorization but practical exam performance.
Course Content
27 modules · 12h 9m total
Orientation: CompTIA Security+ (SY0-701) Exam Roadmap and Study Strategy
Step into the Security+ journey with a clear map of the exam, what SY0-701 changed, and how to allocate your study time so you’re practicing exactly what CompTIA tests most heavily.
Security Foundations: CIA Triad, AAA, and Core Security Controls
Before diving into attacks and tools, anchor your thinking in the fundamental models and control types that shape every security decision you’ll see on the exam and in real environments.
Zero Trust and Fundamental Security Concepts in Modern Enterprises
Walk through the mindset shift from perimeter-based security to continuous verification, and see how zero trust and related principles reshape networks, identities, and policies.
Change Management and Secure Configuration Practices
Peek behind the scenes of how secure organizations introduce changes without breaking systems or opening new attack paths, from formal change requests to configuration baselines.
Cryptographic Building Blocks: Encryption, Hashing, and PKI Basics
Unpack the cryptographic tools that quietly protect data every day, from simple encrypted files to complex certificate-based authentication in large enterprises.
Threat Landscape: Threat Actors, Motivations, and Capabilities
Step into the adversary’s shoes by classifying who the attackers are, what they want, and how their resources and sophistication shape the threats you must defend against.
Attack Surfaces and Threat Vectors Across Modern Environments
Trace how data and requests flow through systems to reveal where attackers can get in, from exposed services and misconfigurations to human-focused social engineering.
Vulnerability Types, Discovery Methods, and Exploitation Basics
Dig into how weaknesses arise in software, systems, and processes, and see how attackers chain them together while defenders work to find and fix them first.
Indicators of Malicious Activity and Basic Malware Analysis
Learn to recognize the subtle and obvious signs that something is wrong, from unusual network patterns to endpoint behaviors that scream malware infection.
Mitigation Techniques: From Hardening to Network and Application Defenses
Translate knowledge of threats and vulnerabilities into concrete defensive moves, hardening hosts, networks, and applications to withstand real-world attacks.
Secure Enterprise and Hybrid Architectures: On-Prem, Cloud, and OT
See how modern enterprises stitch together on-premises, cloud, IoT, and OT systems, and what it takes to design architectures that remain secure under constant change.
Applying Security Principles to Network, Host, and Application Infrastructure
Connect abstract security principles to concrete infrastructure decisions, from secure routing and switching to hardened servers and resilient application tiers.
Data Protection Strategies: Classification, Encryption, and Tokenization
Follow the lifecycle of sensitive data and choose the right mix of classification, encryption, and other controls to keep it protected wherever it travels.
Resilience, Recovery, and Business Continuity in Secure Architectures
Prepare systems to bend but not break by weaving redundancy, backups, and continuity plans into your architectural decisions.
Security Operations Fundamentals: Controls in Action and Daily SOC Workflows
Step onto the operations floor to see how security controls, logs, and procedures come together in day-to-day monitoring and response.
Asset Management and Secure Configuration in Operations
Track what you own, where it lives, and how it’s configured so you can actually secure it, from laptops and servers to cloud resources and OT devices.
Vulnerability Management: Scanning, Prioritization, and Remediation Workflows
Follow the full vulnerability management lifecycle, from scanning and triage to coordinated remediation and verification across complex environments.
Security Monitoring, Alerting, and Tuning for Effective Detection
Turn raw logs into meaningful alerts by designing monitoring strategies, tuning rules, and reducing noise so real incidents stand out.
Identity and Access Management: AAA, Multi-Factor Authentication, and Zero Trust Access
Control who gets in, what they can do, and how their actions are recorded by combining IAM concepts with strong authentication and granular authorization.
Automation, Orchestration, and Scripting in Security Operations
Scale your defenses by using automation and orchestration tools to handle repetitive tasks, enforce policies, and respond faster than attackers.
Incident Response: Process, Roles, and Playbook-Driven Execution
Follow a structured incident response lifecycle from detection through lessons learned, coordinating people, tools, and communication under pressure.
Governance Foundations: Policies, Standards, and Security Program Structure
See how effective security programs are built from the top down with clear governance, policies, and roles that guide daily technical decisions.
Risk Management: Identifying, Analyzing, and Treating Enterprise Risks
Turn uncertainty into structured decisions by assessing risks, quantifying impact, and choosing the right mix of mitigation, transfer, avoidance, and acceptance.
Third-Party Risk, Supply Chain Security, and Vendor Management
Extend your security lens beyond your own walls to evaluate and manage the risks introduced by vendors, partners, and complex digital supply chains.
Compliance, Legal, and Regulatory Requirements in Security Programs
Navigate the maze of laws, regulations, and standards that shape how organizations handle data, privacy, and incident reporting obligations.
Building Effective Security Awareness and Training Programs
Transform users from weak links into active defenders by designing awareness initiatives that change behavior and reduce human-driven risk.
Capstone: Integrated Scenarios, Exam Strategy, and Last-Mile Review
Tie everything together with integrated case studies, targeted practice question breakdowns, and exam-day tactics that maximize your score on SY0-701.
Read the Textbook
In this orientation, you will get a clear, practical roadmap for mastering CompTIA Security+ under the current exam version, SY0-701. By the end of this 27‑minute module, you should understand what the exam covers, how it is structured, and how to plan your study time so you are practicing exactly what CompTIA tests most heavily.
First, anchor the big picture. CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career. It is widely recognized by employers as a proof that you understand foundational security concepts, can speak the language of cybersecurity, and can handle entry‑level to early‑career security tasks.
CompTIA periodically updates Security+ to track how attacks, technologies, and job roles change. The current version is known by its exam code: SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam. This version replaced SY0‑601 and emphasizes modern realities: hybrid environments, zero trust, cloud, automation, and a stronger focus on governance, risk, and compliance (GRC).
Study Flashcards
Key concepts from this course as flashcard pairs.
Orientation: CompTIA Security+ (SY0-701) Exam Roadmap and Study Strategy
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Governance, risk, and compliance (GRC)
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
Largest SY0-701 domain by weight
Security Operations is the largest SY0-701 domain at approximately 28% of the exam.
Security Foundations: CIA Triad, AAA, and Core Security Controls
CIA triad
A core security model consisting of confidentiality, integrity, and availability. It defines the main goals security controls aim to achieve.
Confidentiality
Ensuring that information is not disclosed to unauthorized individuals, entities, or processes. Often implemented with encryption and access controls.
Integrity
Ensuring that data is accurate, complete, and has not been altered in an unauthorized way. Supported by hashes, digital signatures, and strict change controls.
Availability
Ensuring that systems and data are accessible to authorized users when needed. Supported by redundancy, backups, and resilient architectures.
Authentication
The process of verifying the identity of a user, device, or system, such as via passwords, biometrics, or multifactor authentication.
Authorization
The process of determining what an authenticated identity is allowed to do, such as which resources they can access and what actions they can perform.
Zero Trust and Fundamental Security Concepts in Modern Enterprises
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
least privilege
An access principle where users, processes, and services are granted only the minimum permissions they need to perform their functions, reducing potential damage from compromise or misuse.
need-to-know
A data access principle where subjects are allowed to see only the specific information required for their job or task, even if they have a high-level clearance or role.
just-in-time (JIT) access
An approach where elevated permissions are granted only when needed and for a limited period, then automatically removed to reduce standing privileges.
network segmentation
The practice of dividing a network into separate segments or VLANs with controlled traffic between them, often enforced by firewalls and ACLs, to limit lateral movement and contain incidents.
Change Management and Secure Configuration Practices
Change management lifecycle
A structured sequence of steps (request, review/classification, risk assessment and planning, approval, implementation, validation, closure) used to introduce changes in a controlled, auditable, and low-risk way.
Request for Change (RFC)
The formal record or ticket that initiates a change, describing what will be changed, why, affected systems, risk/impact, timing, and implementation details.
Change Advisory Board (CAB)
A cross-functional group (e.g., operations, security, business owners) that reviews and approves or rejects significant changes based on risk and business impact.
Secure configuration baseline
A documented, approved set of configuration settings that defines the known good, secure state for a system or group of systems.
Configuration management tool
Software that defines and enforces desired system configurations (infrastructure as code), helping keep systems consistent with secure baselines and correcting drift.
Configuration Management Database (CMDB)
A centralized repository that tracks configuration items (CIs) such as servers, applications, and network devices, along with their attributes, relationships, and change history.
Cryptographic Building Blocks: Encryption, Hashing, and PKI Basics
Encryption
The process of transforming readable data (plaintext) into unreadable data (ciphertext) using a key and an algorithm so that only someone with the correct key can recover the original plaintext.
Symmetric encryption
A type of encryption that uses the same shared key for both encryption and decryption; it is fast and suitable for encrypting large amounts of data (e.g., AES).
Asymmetric encryption
A type of encryption that uses a key pair consisting of a public key and a private key; it is used for key exchange, digital signatures, and scenarios involving public keys and certificates (e.g., RSA, ECC).
Hash function
A one-way, deterministic function that maps input data of any size to a fixed-size output (hash or message digest) and is designed to be collision-resistant and to support integrity checking.
Digital signature
A cryptographic mechanism that combines hashing with asymmetric encryption by signing a hash with a private key to provide integrity, authentication, and non-repudiation.
Public Key Infrastructure (PKI)
The system of technologies, policies, roles, and procedures used to create, manage, distribute, use, store, and revoke digital certificates and public-private key pairs.
Threat Landscape: Threat Actors, Motivations, and Capabilities
Threat actor
An individual or group that is capable of carrying out a threat.
Nation-state / state-sponsored actor
A threat actor backed or directed by a government, typically with high capability and strategic motivations such as espionage and disruption.
Cybercriminal group
A threat actor focused on financial gain, often using ransomware, fraud, and data theft against a wide range of targets.
Hacktivist
An ideologically motivated threat actor seeking publicity or disruption for a political or social cause, often via defacement, DDoS, or data leaks.
Insider threat
A threat arising from individuals with authorized access (employees, contractors, partners) who may act maliciously, negligently, or under coercion.
Script kiddie
A less-skilled attacker who uses tools or scripts written by others to exploit easy or well-known vulnerabilities.
Attack Surfaces and Threat Vectors Across Modern Environments
Attack surface
All the different points where an unauthorized user could try to enter data into, extract data from, or otherwise interact with a system.
Threat vector
The path or method an attacker uses to reach a target and exploit a vulnerability, such as email, web, removable media, supply chain, or unsecure networks.
Network attack surface
The collection of network-reachable entry points, including perimeter devices, exposed ports and services, remote access gateways, and wireless networks.
Application attack surface
All the ways an attacker can interact with software: web and API endpoints, input fields, authentication and session mechanisms, client-side code, and admin or debug interfaces.
User/social engineering attack surface
The exposure created by user accounts, behaviors, and communication channels that can be exploited through phishing, vishing, smishing, BEC, and related techniques.
Physical attack surface
The exposure created by physical access to facilities, devices, ports, and media, including tailgating, unattended workstations, and removable media.
Vulnerability Types, Discovery Methods, and Exploitation Basics
Vulnerability
A weakness that could be exploited to violate confidentiality, integrity, or availability, such as an unpatched service, insecure code, or misconfiguration.
Threat
A potential cause of an unwanted incident, such as a threat actor, malware campaign, insider, or natural disaster.
Exploit
A specific tool, script, or technique that takes advantage of a particular vulnerability to achieve an effect, like remote code execution.
Risk
The combination of the likelihood that a threat exploits a vulnerability and the impact if it occurs, often used to prioritize remediation.
Exposure
The degree to which vulnerable assets are reachable or visible to potential attackers, such as internet-facing services.
Vulnerability scanning
An automated process that checks systems for known vulnerabilities, misconfigurations, and missing patches, typically producing severity-ranked findings.
Indicators of Malicious Activity and Basic Malware Analysis
Indicator of compromise (IOC)
A specific, observable artifact (such as a malicious IP, file hash, domain, registry key, or unexpected admin account) that strongly suggests a system has been breached.
Impossible travel
A user logs in from two geographically distant locations within a time frame that makes physical travel impossible, often indicating credential theft or account compromise.
Baseline behavior
A documented view of normal activity over time for systems and users, such as typical CPU usage, network traffic volumes, and login patterns, used to detect anomalies.
Beaconing
Regular, often small, outbound connections from an infected host to a command-and-control server, used by malware to receive instructions or exfiltrate data.
Virus vs Worm
A virus attaches to files and requires user action to spread; a worm self-replicates across networks without user interaction, typically exploiting vulnerabilities.
Trojan
Malicious code disguised as legitimate software that tricks users into installing it, often used to deliver additional malware or create backdoors.
Mitigation Techniques: From Hardening to Network and Application Defenses
Defense in depth
A layered security approach that uses multiple preventive, detective, and corrective controls so that if one control fails, others still protect the system.
Host hardening
The process of configuring an operating system and its applications to minimize attack surface and reduce exploitability, typically via patching, disabling services, and secure baselines.
Least privilege
An access control principle where users and processes are granted only the permissions they need to perform their tasks, and no more.
Stateful firewall
A firewall that tracks the state of active connections and makes filtering decisions based on the context of the traffic, allowing return traffic for established sessions.
IDS vs IPS
An Intrusion Detection System monitors and alerts on suspicious traffic (detective), while an Intrusion Prevention System sits inline and can block or modify traffic (preventive).
Web Application Firewall (WAF)
A security control that sits in front of web applications and inspects HTTP/HTTPS traffic to detect and block common web attacks such as SQL injection and cross-site scripting.
Secure Enterprise and Hybrid Architectures: On-Prem, Cloud, and OT
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Operational Technology (OT)
Hardware and software that monitors or controls physical devices and processes (for example, ICS, SCADA, PLCs, building management systems), where safety and availability are often the top priorities.
Segmentation
The practice of dividing a network into smaller parts (VLANs, subnets, zones) separated by controls such as routers, firewalls, or SDN policies to limit lateral movement and enforce different security policies.
Applying Security Principles to Network, Host, and Application Infrastructure
Least privilege
A principle where each user, device, service, and process is granted only the minimum access rights and permissions necessary to perform its function, and no more.
Segmentation
Dividing a network or environment into smaller zones or segments (such as VLANs, subnets, or security groups) with controlled communication paths to limit the spread of attacks.
Defense in depth
A strategy of using multiple, layered security controls so that if one control fails, others still protect the asset.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
DMZ (Demilitarized Zone)
A network segment that hosts public-facing services and sits between an untrusted network (like the Internet) and an internal network, protected by firewalls on both sides.
Choke point
A location in the network where traffic converges and security controls such as firewalls, proxies, or IDS/IPS can be placed to inspect and control traffic.
Data Protection Strategies: Classification, Encryption, and Tokenization
Data classification
The process of labeling data based on its sensitivity and business impact, and tying those labels to specific handling and protection requirements.
Data in transit
Data that is moving across a network, such as web traffic, API calls, email, or VPN tunnels, typically protected with TLS or VPN encryption.
Data at rest
Data that is stored on persistent media such as disks, SSDs, databases, backups, and mobile devices, often protected with full disk, volume, file, or database encryption.
Full disk encryption (FDE)
An encryption method that protects an entire drive, including the operating system and user data, primarily to mitigate risks from lost or stolen devices.
Transparent Data Encryption (TDE)
A database feature that encrypts data at the storage level so that applications can access data normally while it remains encrypted on disk and in backups.
Tokenization
A technique that replaces a sensitive value with a non-sensitive token, with the mapping stored in a secure system, reducing exposure if databases are breached.
Resilience, Recovery, and Business Continuity in Secure Architectures
Resilience
The ability of a system to continue operating correctly, or to recover quickly, when it faces failures, attacks, or unexpected load.
Fault tolerance
Designing systems so that one or more components can fail without causing a total outage, typically through redundancy and automatic detection and recovery.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss, measured as the time between the last good backup or replica and an incident.
Recovery Time Objective (RTO)
The maximum acceptable amount of downtime, measured as the time from an incident to full restoration of service.
Graceful degradation
A design approach where a system reduces functionality under stress or partial failure but remains available and useful instead of crashing completely.
Active-active
A redundancy pattern where multiple nodes handle traffic simultaneously, providing load sharing and rapid failover.
Security Operations Fundamentals: Controls in Action and Daily SOC Workflows
Security Operations Center (SOC)
A centralized function (team, processes, and often a physical or virtual location) responsible for continuously monitoring, detecting, analyzing, and responding to security events across an organization.
SIEM (Security Information and Event Management)
A platform that collects, normalizes, correlates, and analyzes logs and security events from multiple sources, providing alerts, dashboards, and reports.
EDR (Endpoint Detection and Response)
Security tools with agents on endpoints that monitor behavior, detect suspicious activity, and enable remote response actions such as isolating hosts or killing processes.
Playbook
A high-level, structured procedure for handling a specific type of incident, defining goals, decision points, and escalation paths.
Runbook
A detailed, step-by-step technical guide for performing specific operational tasks, often including exact commands or tool actions.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Asset Management and Secure Configuration in Operations
Asset inventory
A centralized, authoritative list of hardware, software, services, and data assets, including identifiers, ownership, location, and key technical details.
Asset classification
The process of labeling assets based on business criticality and data sensitivity, used to prioritize protection, monitoring, and remediation.
Configuration baseline
A standard, approved, and hardened set of configuration settings for a given asset type, used as the reference for secure deployment and drift detection.
Configuration drift
The gradual deviation of a system’s actual configuration from its approved baseline due to manual changes, quick fixes, or unmanaged updates.
Lifecycle management
Managing assets from onboarding (request, approval, deployment) through maintenance (patching, updates) to offboarding (decommissioning, wiping, access revocation).
Shadow IT
Use of systems, applications, or services without formal IT approval, often unmanaged and outside standard security controls.
Vulnerability Management: Scanning, Prioritization, and Remediation Workflows
Vulnerability management
The ongoing process of discovering, assessing, prioritizing, treating, and re-assessing vulnerabilities across an organization’s assets to keep risk within acceptable limits.
Network-based vulnerability scan
A scan that probes IP ranges and ports from the network to identify hosts, services, and known vulnerabilities based on service responses and banners.
Agent-based vulnerability scan
A scanning approach that uses lightweight agents installed on endpoints or servers to collect local software, configuration, and patch information, even when devices are off-network.
Authenticated (credentialed) scan
A vulnerability scan that logs into target systems with valid credentials to gather detailed information, reducing false positives and improving accuracy.
CVSS
The Common Vulnerability Scoring System, which assigns a base score from 0.0 to 10.0 to rate the severity of vulnerabilities and map them to Low, Medium, High, or Critical categories.
Remediation
A treatment option that fully fixes the underlying vulnerability, such as applying a patch, upgrading software, or removing a vulnerable component.
Security Monitoring, Alerting, and Tuning for Effective Detection
SIEM (Security Information and Event Management)
A platform that ingests, normalizes, and correlates logs and security events from multiple sources, providing real-time alerting, dashboards, and reporting to support detection and response.
Log management
The practice and tooling focused on collecting, storing, indexing, and searching logs from systems and applications, often as a foundation for security monitoring and compliance.
Alert triage
The process of reviewing security alerts, adding context, and deciding whether to close them as benign, perform simple containment, or escalate to incident response.
Correlation rule
A SIEM rule that combines multiple related events based on attributes like user, IP, or time window to detect higher-level attack patterns and reduce noise.
Use case (detection use case)
A defined threat scenario translated into specific conditions and log-based patterns that a monitoring system should detect and alert on.
False positive
An alert that indicates suspicious activity but, after investigation, is determined to be benign or expected behavior.
Identity and Access Management: AAA, Multi-Factor Authentication, and Zero Trust Access
Authentication
The AAA function that verifies a user's identity and proves they are who they claim to be, typically using credentials such as passwords, tokens, or biometrics.
Authorization
The AAA function that determines what an authenticated user is allowed to do, implemented via permissions, roles, policies, and access control lists.
Accounting
The AAA function that tracks and records user activities, such as logins and resource access, providing an audit trail for investigations and compliance.
Multi-factor authentication (MFA)
An authentication method that requires two or more different factor types (for example, something you know and something you have) to verify a user's identity.
Identity Provider (IdP)
A system or service that authenticates users and issues tokens or assertions, which other applications rely on for access decisions.
Role-based access control (RBAC)
An access control model where permissions are assigned to roles, and users are assigned to those roles to receive the associated permissions.
Automation, Orchestration, and Scripting in Security Operations
Security automation
Using tools or scripts to perform security tasks automatically based on triggers or schedules, with minimal human intervention once configured.
Security orchestration
Coordinating multiple automated tasks and tools into an end‑to‑end workflow that achieves a broader security goal, such as incident handling.
SOAR platform
Security Orchestration, Automation, and Response platform that ingests alerts, runs playbooks, triggers responses, and records actions for audit.
Playbook (in SOAR)
A predefined, structured workflow of steps, decisions, and actions that a SOAR platform follows in response to specific triggers or alerts.
Guardrails
Automatic controls that prevent or detect unsafe configurations, allowing teams to move quickly while staying within defined security boundaries.
Policy-as-code
Expressing security and compliance rules in machine‑readable configuration files that are version‑controlled, reviewed, and tested like application code.
Incident Response: Process, Roles, and Playbook-Driven Execution
Incident response
The structured set of activities an organization uses to detect, analyze, contain, eradicate, and recover from security incidents, and then learn from them to improve defenses.
Incident response lifecycle (6 phases)
Preparation, Identification (detection and analysis), Containment, Eradication, Recovery, Lessons Learned (post-incident activity).
Incident commander
The person responsible for leading and coordinating the overall incident response effort, setting priorities, and making final decisions during an incident.
Playbook
A documented, step-by-step procedure for handling a specific type of incident, including triggers, data to collect, actions to take, and communication steps.
Chain of custody
The documented trail that records who collected, handled, transferred, and stored evidence, including times and purposes, to prove that the evidence is trustworthy and unaltered.
Containment
The IR phase focused on limiting the scope and impact of an incident, often by isolating affected systems, disabling accounts, or blocking malicious traffic.
Governance Foundations: Policies, Standards, and Security Program Structure
Policy
A high-level, mandatory statement of management intent that sets overall direction (for example, "All company laptops must be encrypted").
Standard
A specific, measurable requirement that supports a policy, often technical (for example, "Use AES-256 full disk encryption managed by platform X").
Procedure
Step-by-step instructions describing how to implement a standard or perform a process, such as an incident response playbook or enrollment runbook.
Guideline
Recommended, non-mandatory best practice used where flexibility is needed or strict enforcement is impractical.
Governance, risk, and compliance (GRC)
Governance, risk, and compliance (GRC) is the combined practice of directing and overseeing the security program (governance), identifying and treating risks to the organization (risk management), and operating with awareness of, and adherence to, applicable laws, regulations, standards, and internal policies (compliance) when securing enterprise environments.
CISO
Senior executive who owns the security program and policies, aligns security with business goals, and reports risk and posture to top management and the board.
Risk Management: Identifying, Analyzing, and Treating Enterprise Risks
Asset
Anything of value to the organization, such as data, systems, people, facilities, or reputation. Assets are what you are trying to protect in risk management.
Threat
A potential cause of an unwanted incident, which may result in harm to a system or organization. Examples include attackers, insiders, natural disasters, and power failures.
Vulnerability
A weakness that can be exploited by a threat. Examples include unpatched software, weak passwords, misconfigurations, and lack of monitoring.
Risk
The potential for loss or damage when a threat exploits a vulnerability affecting an asset. Often conceptualized as Risk = Likelihood × Impact.
Inherent risk
The level of risk that exists before any controls or mitigations are applied.
Residual risk
The level of risk that remains after controls and mitigations have been implemented.
Third-Party Risk, Supply Chain Security, and Vendor Management
Third-party risk
The potential for loss or harm resulting from an organization’s use of external entities such as vendors, cloud providers, partners, or suppliers that have access to data, systems, or critical business processes.
Vendor due diligence
A structured investigation of a potential or existing vendor’s security, privacy, and compliance posture, often using questionnaires, audit reports, and technical reviews before contracting or onboarding.
Service-Level Agreement (SLA)
A contractual document that defines expected service performance, such as uptime, response times, and support metrics, often including remedies or penalties for non-compliance.
Supply chain attack
An attack that targets less-secure elements in the production or delivery chain of hardware, software, or services, such as compromised updates, tampered devices, or malicious dependencies.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Continuous monitoring (third-party context)
Ongoing oversight of vendor performance and security, including SLA tracking, log and event monitoring, periodic reassessments, and watching for changes or incidents that affect risk.
Compliance, Legal, and Regulatory Requirements in Security Programs
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
Governance, risk, and compliance (GRC)
Governance, risk, and compliance (GRC) is the combined practice of directing and overseeing the security program (governance), identifying and treating risks to the organization (risk management), and operating with awareness of, and adherence to, applicable laws, regulations, standards, and internal policies (compliance) when securing enterprise environments.
Personally Identifiable Information (PII)
Information that can be used to identify an individual, such as name, address, email, ID numbers; often subject to privacy and data protection laws.
Protected Health Information (PHI)
Health-related PII associated with the provision of healthcare or payment for healthcare services, protected under laws such as HIPAA.
PCI DSS
Payment Card Industry Data Security Standard: an industry standard, enforced via contracts, that defines security requirements for organizations that store, process, or transmit cardholder data.
Building Effective Security Awareness and Training Programs
Security awareness program
An organized, ongoing set of activities that educates users about threats and policies, builds specific secure behaviors, and reinforces a culture where security is part of everyone’s job.
Security awareness (vs training)
Awareness focuses on high-level understanding and attitude shift about security risks and responsibilities, while training focuses on building specific practical skills and behaviors.
Phishing simulation
A controlled test in which fake phishing messages are sent to users to measure how many click, provide credentials, or report the email, used to evaluate and improve awareness.
Governance, risk, and compliance
Governance, risk, and compliance (GRC) is the combined practice of directing and overseeing the security program (governance), identifying and treating risks to the organization (risk management), and operating with awareness of, and adherence to, applicable laws, regulations, standards, and internal policies (compliance) when securing enterprise environments.
Key performance indicator (KPI) in awareness
A measurable value, such as phishing click rate or training completion rate, used to evaluate the effectiveness of security awareness and training efforts over time.
Security culture
The shared values, norms, and behaviors in an organization that determine how people think about and act on security, especially when no one is watching.
Capstone: Integrated Scenarios, Exam Strategy, and Last-Mile Review
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
CIA triad – Confidentiality
Ensuring that information is not disclosed to unauthorized individuals, entities, or processes. Common controls: encryption, access control, data classification.
CIA triad – Integrity
Ensuring that data is accurate, complete, and has not been tampered with. Common controls: hashing, digital signatures, input validation, version control.
CIA triad – Availability
Ensuring that systems and data are accessible to authorized users when needed. Common controls: redundancy, backups, failover, DDoS protection.
AAA
Authentication, Authorization, and Accounting: verifying identity, granting appropriate permissions, and logging actions for traceability and auditing.