
CompTIA Security+ (SY0-701) Mastery: Domain-Weighted Exam Prep
A deep, exam-focused course built directly around the official CompTIA Security+ (SY0-701) objectives and domain weights. You’ll build baseline security skills across concepts, threats, architecture, operations, and governance to pass the exam and perform core security functions in real-world, hybrid environments.
Course Content
25 modules · 11h 15m total
Orientation: Your Roadmap to CompTIA Security+ (SY0-701)
Step into the Security+ journey with a clear map of the exam, its five domains, and how to turn the objectives PDF into a focused, domain-weighted study plan that gets you to a passing score on your first attempt.
Core Security Foundations: CIA Triad, AAA, and Security Controls
Before diving into threats and tools, anchor your understanding in the core models and control types that show up in nearly every Security+ question and real-world security decision.
Zero Trust and Fundamental Security Concepts in Modern Enterprises
Move beyond perimeter thinking into the modern world of zero trust, least privilege, and defense in depth that underpins today’s hybrid enterprise security strategies.
Change Management and Cryptographic Building Blocks
See how disciplined change management and core cryptographic tools like encryption and PKI work together to keep evolving systems secure without breaking availability.
Threat Actors and Motivations in the Real World
Put a face and motive behind the attacks by classifying threat actors, their capabilities, and what they’re really after in enterprise environments.
Threat Vectors, Attack Surface, and Common Attack Patterns
Trace how attackers actually get in by mapping threat vectors to an organization’s attack surface and recognizing the patterns behind common attacks.
Vulnerability Types Across Systems, Apps, Cloud, and OT
Walk through the many ways systems can be weak—from misconfigurations and unpatched software to logic flaws in applications and insecure operational technology.
Indicators of Malicious Activity and Basic Detection Logic
Peek over the shoulder of a SOC analyst as you interpret indicators of malicious activity in logs, alerts, and user behavior to distinguish real incidents from noise.
Mitigation Techniques: From Hardening to User Training
Turn knowledge of threats and vulnerabilities into action by selecting practical mitigation techniques that show up again and again on the exam and in real environments.
Secure Enterprise and Hybrid Environment Architecture
Zoom out to the big-picture design of a modern enterprise, including hybrid environments that blend cloud, on-premises, IoT, and OT, and see where key security building blocks fit.
Applying Security Principles to Enterprise Infrastructure
Drill into how core security principles are applied to servers, endpoints, network devices, and virtualization platforms that make up enterprise infrastructure.
Protecting Data: Classification, Encryption, and Key Management
Follow data through its lifecycle and see how classification, encryption, and key management work together to keep sensitive information under control.
Resilience, Recovery, and Designing for Business Continuity
Plan for the worst by designing architectures that can withstand disruptions and recover quickly while meeting business continuity targets.
Security Operations Foundations: Techniques, Telemetry, and Tooling
Step into day-to-day security operations by surveying the common techniques, tools, and telemetry sources that power monitoring and response.
Asset Management and Vulnerability Management Workflows
See why you cannot secure what you don’t know you have by tying asset inventories directly into structured vulnerability management processes.
Identity and Access Management in Practice: From AAA to MFA
Follow a user’s journey from login to authorization as you connect AAA concepts to real-world identity and access management controls like multi-factor authentication.
Security Alerting, Monitoring, and Automation in Hybrid Environments
Tame the flood of alerts by designing monitoring strategies and using automation and orchestration to handle routine tasks across hybrid environments.
Incident Response: Structured Processes from Detection to Lessons Learned
Walk through a full incident response lifecycle so you can confidently order steps and understand roles when a Security+ question drops you into the middle of a breach.
Operating Securely in Cloud, Mobile, IoT, and Operational Technology
Extend your operations mindset into cloud platforms, mobile fleets, IoT deployments, and operational technology so you can recognize environment-specific risks and controls.
Governance, Risk, and Compliance: Foundations of Security Oversight
Shift from tools to strategy by understanding how governance, risk, and compliance shape every security decision and exam scenario in the oversight domain.
Risk Management: Identifying, Analyzing, and Treating Risk
Learn to think like a risk manager by identifying assets, threats, and vulnerabilities, then choosing appropriate risk treatment options that align with business goals.
Third-Party Risk, Contracts, and Supply Chain Security
Follow data and dependencies outside your walls by examining how third-party risk and supply chain security are managed through contracts, assessments, and controls.
Security Compliance, Audits, and Program Metrics
See how organizations prove they are doing what they say by connecting compliance requirements to audits, assessments, and measurable security program performance.
Security Awareness, Training, and Building a Security Culture
Turn users from the weakest link into a security asset by designing awareness and training programs that address real-world threats and behaviors.
Capstone: Exam Strategy, Domain Review, and PBQ Tactics
Bring everything together with a domain-weighted review plan, targeted recall drills on high-yield topics, and practical tactics for handling performance-based questions on exam day.
Read the Textbook
In this orientation module, you will build a clear mental map of the CompTIA Security+ exam and how this course will guide you to a first-attempt pass.
First, anchor the core idea: CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career. Employers around the world treat it as evidence that you understand essential security concepts, can speak the language of cybersecurity, and can operate safely in modern, complex environments.
The current exam you are preparing for is identified by its series code: SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam. Earlier versions (like SY0-601) focused heavily on traditional on-premises networks. SY0-701, released in late 2023 and still the current version roughly two to three years later, shifts more strongly toward cloud, automation, and modern hybrid environments.
Study Flashcards
Key concepts from this course as flashcard pairs.
Orientation: Your Roadmap to CompTIA Security+ (SY0-701)
What is CompTIA Security+?
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
What is SY0-701?
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
List the five SY0-701 domains in order.
1) General Security Concepts 2) Threats, Vulnerabilities, and Mitigations 3) Security Architecture 4) Security Operations 5) Security Program Management and Oversight
Name the CIA triad components.
The CIA triad components are: confidentiality, integrity, availability.
What are the three AAA functions?
The AAA functions are: authentication, authorization, accounting.
Define zero trust.
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Core Security Foundations: CIA Triad, AAA, and Security Controls
CIA triad components (in order)
confidentiality, integrity, availability
AAA functions (in order)
authentication, authorization, accounting
Canonical security control types (full list)
technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive
Define confidentiality
Ensuring that only authorized people, processes, or systems can access data; protecting secrecy and privacy.
Define integrity
Ensuring data is accurate, complete, and unaltered except by authorized methods; preventing unauthorized or undetected changes.
Define availability
Ensuring authorized users can access data and systems when needed; focusing on uptime, resilience, and performance.
Zero Trust and Fundamental Security Concepts in Modern Enterprises
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
CIA triad components
The CIA triad components are confidentiality, integrity, availability.
AAA functions
AAA functions are authentication, authorization, accounting.
Least privilege
An access control principle where users, processes, and systems are granted only the minimum permissions they need to perform their tasks, and no more.
Need-to-know
A confidentiality-focused principle where individuals can access specific information only if it is necessary for their job or function.
Change Management and Cryptographic Building Blocks
Change management
A formal, documented process for proposing, assessing, approving, planning, testing, implementing, and reviewing modifications to systems and services in a controlled, auditable way.
Change Advisory Board (CAB)
A group of stakeholders (for example, security, operations, business owners) that reviews and approves or rejects proposed changes based on risk, impact, and business needs.
Encryption
The process of transforming readable plaintext into unreadable ciphertext using a mathematical algorithm and a key so that only authorized parties with the correct key can recover the original data.
Symmetric encryption
A type of encryption that uses the same key for both encryption and decryption, offering high performance and suitability for bulk data but requiring secure key distribution.
Asymmetric encryption
A type of encryption that uses a public/private key pair, enabling functions like key exchange, digital signatures, and certificate-based authentication but with higher computational cost.
Data at rest
Data stored on physical or virtual media such as disks, SSDs, databases, or backups, typically protected using disk, volume, or database encryption to maintain confidentiality.
Threat Actors and Motivations in the Real World
Threat actor
Any person or group that has the intent, capability, and opportunity to carry out malicious activity against an information system.
Nation-state / state-sponsored actor
A threat actor backed or directed by a government, typically with high funding, skill, and patience, often focused on espionage, disruption, or strategic advantage.
Organized cybercriminal group
A profit-driven threat actor that conducts activities such as ransomware, fraud, and data theft, often operating like a business with specialized roles.
Hacktivist
A threat actor motivated by ideology or political causes, using hacking techniques to protest, embarrass, or pressure organizations.
Script kiddie
An often inexperienced attacker who uses pre-built tools and exploit kits without deep understanding, typically targeting easy, poorly secured systems.
Insider threat
A threat that comes from someone with legitimate access to systems or data (employee, contractor, vendor), whether malicious, negligent, or compromised.
Threat Vectors, Attack Surface, and Common Attack Patterns
Attack surface
The sum of all the points where an unauthorized user could try to enter data into, extract data from, or otherwise interact with a system or environment.
Threat vector (attack vector)
A specific path or method an attacker uses to gain access to a target system or move within an environment, such as email, web, remote access, or supply chain.
Phishing vs spear phishing
Phishing is broad, generic deceptive messaging; spear phishing is highly targeted at a specific person or small group, often using personal details.
Drive-by download
An attack where simply visiting a compromised or malicious website causes malware to be downloaded and potentially executed, often exploiting browser or plugin flaws.
Credential stuffing
An attack that uses large lists of previously breached username/password pairs against many websites or services, relying on password reuse.
Business Email Compromise (BEC)
A social-engineering attack where an attacker hijacks or convincingly spoofs a trusted business email account (often an executive or vendor) to request payments or sensitive data.
Vulnerability Types Across Systems, Apps, Cloud, and OT
Vulnerability
A weakness in a system, process, design, or control that could be exploited.
Threat
Any potential cause of an unwanted impact, such as a threat actor, event, or condition that could exploit a vulnerability.
Risk
The likelihood that a threat will exploit a vulnerability, combined with the impact if it happens.
CIA triad components
confidentiality, integrity, availability
AAA functions
authentication, authorization, accounting
Security control types (list)
technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive
Indicators of Malicious Activity and Basic Detection Logic
Indicator of malicious activity
Any observable data point (log entry, alert, behavior, metric) suggesting hostile or abnormal activity that may be part of an attack.
Indicator of Compromise (IoC)
Evidence that a system has likely already been compromised, such as malware present, unauthorized accounts, persistence mechanisms, or confirmed data exfiltration.
Indicator of Attack (IoA)
Evidence that an attack is being attempted or is in progress, focused on attacker behavior (for example: scanning, repeated login failures, impossible travel) even if compromise is not yet confirmed.
Impossible travel
A detection pattern where the same account logs in from geographically distant locations within a time period too short for physical travel, suggesting credential misuse.
Unusual resource consumption
Abnormal CPU, memory, disk, or bandwidth usage (for example: cryptomining, data exfiltration, DDoS participation) that can indicate malicious activity.
Missing or tampered logs
Gaps in log data, disabled logging, or altered log settings that may indicate an attacker is attempting to hide their actions.
Mitigation Techniques: From Hardening to User Training
Hardening
The process of making a system more resistant to attack by reducing its attack surface, such as disabling unnecessary services, changing defaults, and enforcing least functionality and least privilege.
Secure configuration baseline
A standard, approved set of configuration settings for a specific asset type (such as a Windows server or router) used to ensure systems start and remain in a known secure state.
Network segmentation
Dividing a network into smaller zones or VLANs with controlled traffic between them, typically enforced by firewalls or ACLs, to limit lateral movement and contain breaches.
Security awareness and training
An operational, preventive, and deterrent control that teaches users how to recognize and respond to threats such as phishing, social engineering, and data handling risks.
Risk-based prioritization
Choosing which mitigations to implement first by considering the likelihood that a threat will occur and the impact it would have, focusing on high-likelihood, high-impact issues.
Compensating control
A security control that is used in place of a primary control when the primary control is not feasible, providing an equivalent or comparable level of protection.
Secure Enterprise and Hybrid Environment Architecture
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
CIA triad components
The CIA triad components are: confidentiality, integrity, availability.
DMZ (demilitarized zone)
A DMZ is a network segment between an untrusted network (like the internet) and the internal network, used to host public-facing services while limiting direct access to internal systems.
Applying Security Principles to Enterprise Infrastructure
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Hardening
The process of reducing a system's attack surface by removing unnecessary components and securely configuring what remains.
Baseline configuration
An approved, standard set of security settings for a system, used as a secure starting point and reference for auditing and drift detection.
Security control types (10)
technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive
Protecting Data: Classification, Encryption, and Key Management
CIA triad components (3 items)
confidentiality, integrity, availability
Data classification
The process of categorizing data by sensitivity and criticality to determine appropriate handling, access control, and protection requirements.
Data at rest encryption
Encryption applied to stored data, such as disks, databases, and backups, to protect against unauthorized access if storage media are accessed directly or stolen.
Data in transit encryption
Encryption applied to data moving across networks (e.g., TLS, VPNs) to protect against eavesdropping and tampering.
Public Key Infrastructure (PKI)
A framework of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and public/private key pairs.
Key rotation
The practice of replacing cryptographic keys at regular intervals or after specific events to limit the impact of key compromise and meet policy or regulatory requirements.
Resilience, Recovery, and Designing for Business Continuity
Resilience
The ability of a system or organization to continue operating, or to recover quickly, when facing disruptions, failures, or attacks.
Business Continuity (BC)
Planning and capabilities that ensure critical business functions can continue during and after a disruption.
Disaster Recovery (DR)
The specific processes and technologies used to restore IT services and data after a major incident.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss, measured as time; answers how far back in time you can afford to restore.
Recovery Time Objective (RTO)
The maximum acceptable time to restore a service after a disruption; answers how long the service can be down.
Single Point of Failure (SPOF)
Any component whose failure brings down the entire service; eliminated using redundancy and diversity.
Security Operations Foundations: Techniques, Telemetry, and Tooling
Telemetry
Data that describes what is happening in an environment, such as logs, events, and metrics from systems, networks, applications, cloud services, and security tools.
SIEM (Security Information and Event Management)
A centralized platform that ingests, normalizes, stores, correlates, and analyzes security events from multiple sources, generating alerts, dashboards, and reports for Security Operations.
Baseline behavior
A documented understanding of what is typical for a system, user, or network (such as normal login times or traffic levels), used as a reference for detecting anomalies.
Anomaly detection
A detection approach that identifies deviations from established baselines of normal behavior, potentially indicating malicious or risky activity.
Indicator of compromise (IoC)
An artifact or piece of evidence that suggests a system may already be compromised, such as a malicious file hash, known C2 IP address, or suspicious registry key.
Indicator of attack (IoA)
A pattern of behavior that suggests an attack is in progress, such as repeated privilege escalation attempts or lateral movement across hosts.
Asset Management and Vulnerability Management Workflows
Asset management
The discipline of discovering, identifying, classifying, and tracking organizational assets such as hardware, software, services, data, and accounts so they can be protected and managed throughout their lifecycle.
Vulnerability management
A continuous process used to find, assess, prioritize, treat, and verify the remediation of security weaknesses across an organization’s assets.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
Asset criticality
A measure of how important an asset is to business operations, safety, or regulatory obligations; higher criticality increases the priority of vulnerabilities found on that asset.
Exposure (in vulnerability management)
The degree to which a vulnerable asset can be reached or attacked, influenced by factors like internet-facing status, network segmentation, and access paths.
Identity and Access Management in Practice: From AAA to MFA
AAA functions (list all 3 in order)
authentication, authorization, accounting
Authentication
The process of proving that a user or system is who or what it claims to be, typically using factors such as something you know, have, are, where you are, or something you do.
Authorization
The process of determining what an authenticated user or system is allowed to do, usually implemented via roles, attributes, and policies that enforce least privilege.
Accounting
The process of logging and tracking user and system activities, including logins, access decisions, and actions, to support auditing, monitoring, and investigations.
Multi-factor authentication (MFA)
An authentication method that requires two or more different factor types (e.g., something you know and something you have) to verify identity, greatly reducing the impact of stolen credentials.
Provisioning
The process of creating user accounts and assigning initial access rights and roles, often triggered by onboarding and automated through IAM workflows.
Security Alerting, Monitoring, and Automation in Hybrid Environments
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
Security alerting
The process of generating notifications when tools detect events that match defined conditions, such as suspicious logins or malware detections.
Security monitoring
The continuous collection, analysis, and review of security-relevant data (logs, metrics, events, network flows) to identify suspicious or malicious activity.
Incident Response: Structured Processes from Detection to Lessons Learned
Incident response
The structured set of processes and activities an organization uses to detect, analyze, contain, eradicate, and recover from security incidents, and then learn from them.
Detection and analysis phase
The phase where alerts and indicators are triaged, correlated, and investigated to determine whether a security event is a true incident, and to assess its scope and severity.
Containment phase
The phase focused on limiting damage and preventing further spread of an incident, while preserving evidence and maintaining as much business function as possible.
Eradication phase
The phase where responders remove the root cause and all malicious artifacts from the environment, such as malware, backdoors, and exploited vulnerabilities.
Recovery phase
The phase where systems and services are restored to normal operation from known-good baselines or backups, and closely monitored to ensure stability and absence of the threat.
Lessons learned phase
The post-incident phase where teams conduct reviews, perform root cause analysis, update plans and controls, and document findings to improve future resilience.
Operating Securely in Cloud, Mobile, IoT, and Operational Technology
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
MDM / UEM
Mobile Device Management / Unified Endpoint Management are platforms that enroll and manage mobile and endpoint devices, enforce policies (encryption, screen lock, OS version, apps), and can remotely wipe or block non-compliant devices.
Governance, Risk, and Compliance: Foundations of Security Oversight
governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
Security governance
The system of management, roles, and processes used to direct and control an organization’s security program so it supports business goals.
Policy
A high-level, management-approved statement of intent or rules that sets direction and expectations, typically technology-agnostic and stable over time.
Standard
A specific, mandatory requirement that supports policies, often technical and measurable (for example, exact encryption algorithms or configurations).
Guideline
A recommended, non-mandatory best practice that helps people meet policies and standards while allowing flexibility.
Procedure
A detailed, step-by-step set of instructions that describes exactly how to perform a task or process.
Risk Management: Identifying, Analyzing, and Treating Risk
Risk (in information security)
The possibility that a threat will exploit a vulnerability and negatively impact an asset.
Asset
Anything of value to the organization, such as data, systems, processes, people, or reputation.
Threat
Anything that can cause harm to an asset, such as attackers, insiders, accidents, or natural disasters.
Vulnerability
A weakness that could be exploited by a threat to cause harm to an asset.
Impact
The consequence or damage that occurs if a risk materializes, such as financial loss, downtime, legal penalties, or reputational harm.
Likelihood
The probability that a particular risk event will occur within a given timeframe.
Third-Party Risk, Contracts, and Supply Chain Security
Third-party risk
The possibility that an external organization you rely on (vendor, supplier, partner, or service provider) will cause harm to your confidentiality, integrity, availability, compliance status, or reputation.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
Due diligence (in third-party risk)
Pre-contract activities to evaluate a vendor’s security posture, such as questionnaires, audits, and technical assessments, before you trust them with data or critical services.
Service-level agreement (SLA)
A contractual document that defines measurable service performance targets (such as uptime, response times, and sometimes security-related metrics like patch timelines).
Software supply chain attack
An attack where adversaries compromise software components or update mechanisms so that malicious code is distributed through trusted software or libraries.
Right to audit
A contractual clause that allows a customer to review or verify a vendor’s controls and compliance, either directly or via independent audits and reports.
Security Compliance, Audits, and Program Metrics
Security compliance
Adherence to applicable laws, regulations, standards, and contractual obligations, as well as formally adopted internal policies and procedures.
Audit (security context)
A formal, structured review that checks conformance to defined criteria (such as a regulation, standard, contract, or policy), usually evidence-based and often performed by an independent party.
Security assessment
An evaluation of security posture, risks, and control effectiveness that is usually broader and more advisory than a formal audit, for example vulnerability assessments or penetration tests.
Internal vs external audit
Internal audits are performed by staff within the organization, usually for improvement and preparation. External audits are performed by independent third parties and often produce reports for customers or regulators.
Security metric
A quantitative or qualitative measure used to track and communicate security control performance or program maturity over time.
Control effectiveness metric
A metric that directly measures whether a specific security control is operating as intended, for example the percentage of systems with current patches.
Security Awareness, Training, and Building a Security Culture
Security awareness
High-level understanding and attitudes about security for all users, aimed at helping people recognize risks and make safer everyday choices.
Training (in security context)
Role-based, skill-building activities that teach people how to perform specific security-relevant tasks or follow procedures correctly.
Education (in security context)
Deeper, often long-term learning for security professionals, building broad conceptual understanding (for example, full courses, professional certifications).
Phishing simulation
A controlled test where realistic but safe phishing emails are sent to users to measure behavior (clicks, credential entry, reporting) and provide targeted coaching.
Security culture
The shared values, norms, and everyday behaviors in an organization that support secure actions by default and encourage responsible reporting.
Governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
Capstone: Exam Strategy, Domain Review, and PBQ Tactics
List the CIA triad components.
confidentiality, integrity, availability
List the AAA functions.
authentication, authorization, accounting
Name the 10 security control types.
technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive
Which domain covers incident response and day-to-day monitoring?
Security Operations
Which domain most directly covers governance, risk, and compliance?
Security Program Management and Oversight
Give an example of a technical, preventive control.
Examples: firewall rule blocking ports; anti-malware blocking execution; IPS blocking malicious traffic.