
Security+ SY0-701 Domain Deep Dive Study Guide

Deep dive Security+ SY0-701 domain guide covering authentication protocols, MITRE ATT&CK, CVSS scoring, SIEM operations, risk calculations, and exam strategy for 2025.

What is the largest domain in Security+ SY0-701?

Security Operations is the largest domain in Security+ SY0-701, accounting for 28% of the exam. It covers identity and access management, alert investigations, vulnerability management, application security techniques, and security monitoring tools. The second largest domain is Security Program Management and Oversight at 20%, covering governance, risk management, compliance, auditing, and privacy.


This deep-dive study guide covers all five Security+ SY0-701 domains in detail, with expanded explanations of the most frequently tested topics, practical examples, and exam-taking strategies. While our main Security+ guide provides an overview, this guide goes deeper into the concepts that distinguish passing from failing scores.

The CompTIA Security+ SY0-701 exam rewards candidates who understand the "why" behind security controls, not just the "what." This guide focuses on the concepts and scenarios where exam questions become most challenging.


Domain 1 Deep Dive: General Security Concepts (12%)

Authentication Protocols in Detail

RADIUS (Remote Authentication Dial-In User Service):

  • Uses UDP ports 1812 (authentication) and 1813 (accounting)
  • Encrypts only the password field in the access request
  • Combines authentication and authorization in a single response
  • Common use: VPN authentication, 802.1X for network access, Wi-Fi authentication

TACACS+ (Terminal Access Controller Access Control System Plus):

  • Uses TCP port 49 for reliable, connection-oriented communication
  • Encrypts the entire payload (not just the password)
  • Separates authentication, authorization, and accounting (true AAA)
  • Primary use: Device administration (network routers, switches); this is the key point that distinguishes it from RADIUS on the exam

Kerberos:

  • Default authentication protocol in Windows Active Directory environments
  • Uses tickets to prove identity without repeatedly sending credentials
  • Three parties: Client, KDC (Key Distribution Center, made up of the AS and the TGS), and Service
  • KDC components: AS (Authentication Service) issues the TGT; TGS (Ticket Granting Service) issues service tickets
  • Tickets carry timestamps; clock skew of more than 5 minutes between client and KDC causes authentication failure

Cryptographic Concepts Deep Dive

Key exchange algorithms:

  • Diffie-Hellman (DH): Allows two parties to establish a shared secret over an insecure channel without a prior shared secret. The foundation of modern key exchange.
  • ECDH (Elliptic Curve Diffie-Hellman): More efficient than DH; provides same security with smaller key sizes
  • Perfect Forward Secrecy (PFS): Using ephemeral (temporary) keys for each session so that compromising the long-term private key does not expose past session keys. TLS 1.3 uses PFS by default.

Cipher modes relevant to exam scenarios:

  • ECB: Blocks are encrypted independently, so identical plaintext blocks produce identical ciphertext blocks. Use case: not recommended (pattern leakage)
  • CBC: Each block is XORed with the previous ciphertext block before encryption. Use case: TLS 1.2 (being phased out)
  • CTR: Block cipher used as a stream cipher; parallelizable. Use case: preferred for efficiency
  • GCM: CTR plus authentication (AEAD). Use case: TLS 1.3, AES-GCM
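The properties in this list can be checked directly with Go's standard library. The following is an added example (not from the guide or any exam material) that encrypts a plaintext made of three identical 16-byte blocks under ECB, CTR and GCM with a constructed AES-128 key, then shows that only ECB leaks the repetition and that GCM, unlike plain CTR, rejects a ciphertext in which one byte was flipped:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// hasRepeatedBlocks reports whether any two 16-byte blocks of ct are identical:
// the pattern leakage that makes ECB unsuitable for structured data.
func hasRepeatedBlocks(ct []byte) bool {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(ct); i += 16 {
		if seen[string(ct[i:i+16])] {
			return true
		}
		seen[string(ct[i:i+16])] = true
	}
	return false
}

// ModeDemo encrypts plaintext (a multiple of 16 bytes) under ECB, CTR and GCM with
// one AES-128 key and reports: does ECB leak the repeated-block pattern, does CTR,
// and does GCM reject a ciphertext with one flipped byte. Go has no ECB helper on
// purpose, so it is spelled out block by block. Zero IV/nonce is for this demo only.
func ModeDemo(key, plaintext []byte) (ecbLeaks, ctrLeaks, gcmRejects bool, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, false, false, err
	}
	ecb, ctr := make([]byte, len(plaintext)), make([]byte, len(plaintext))
	for i := 0; i+16 <= len(plaintext); i += 16 {
		block.Encrypt(ecb[i:i+16], plaintext[i:i+16]) // ECB: each block on its own
	}
	cipher.NewCTR(block, make([]byte, 16)).XORKeyStream(ctr, plaintext) // CTR: keystream XOR
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return false, false, false, err
	}
	sealed := gcm.Seal(nil, make([]byte, gcm.NonceSize()), plaintext, nil) // ciphertext || tag
	sealed[0] ^= 0x01                                                      // tamper with one byte
	_, openErr := gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed, nil)
	return hasRepeatedBlocks(ecb), hasRepeatedBlocks(ctr), openErr != nil, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key
	pt := []byte("SAME-16-BYTE-BLKSAME-16-BYTE-BLKSAME-16-BYTE-BLK")
	e, c, g, _ := ModeDemo(key, pt)
	fmt.Println("ECB leaks:", e, "CTR leaks:", c, "GCM rejects tampering:", g)
}
```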

Domain 2 Deep Dive: Threats, Vulnerabilities, and Mitigations (22%)

Attack Chain (Cyber Kill Chain vs. MITRE ATT&CK)

Lockheed Martin Cyber Kill Chain (7 phases):

  1. Reconnaissance: Gathering target information
  2. Weaponization: Creating the exploit payload
  3. Delivery: Transmitting the payload to target
  4. Exploitation: Executing the exploit
  5. Installation: Installing malware for persistence
  6. Command and Control (C2): Establishing control channel
  7. Actions on Objectives: Achieving the attack goal

MITRE ATT&CK provides a more granular, evidence-based framework organized by tactics and techniques. Each tactic represents an adversary goal; each technique is a specific method to achieve it. The exam uses ATT&CK terminology:

  • Initial Access: Gaining entry into the target environment
  • Execution: Running attacker-controlled code
  • Persistence: Maintaining access after initial compromise
  • Privilege Escalation: Gaining higher-level permissions
  • Defense Evasion: Avoiding detection
  • Lateral Movement: Moving through the environment
  • Exfiltration: Stealing data

Application Vulnerabilities Deep Dive

Buffer overflow:

  • Stack-based buffer overflow: Writing beyond a buffer on the stack, potentially overwriting the return address with an attacker-controlled value, redirecting execution to shellcode
  • Heap-based buffer overflow: Corrupting heap memory structures; harder to exploit reliably
  • Mitigations: Stack canaries, ASLR (Address Space Layout Randomization), DEP/NX (Data Execution Prevention/No-Execute), safe coding practices

Injection attacks beyond SQL:

  • LDAP injection: Manipulating LDAP queries used for directory services authentication
  • XML injection / XXE (XML External Entity): Exploiting XML parsers to read files or perform SSRF
  • OS command injection: Executing system commands through vulnerable web application inputs
  • Template injection: Injecting code into server-side template rendering engines

Domain 3 Deep Dive: Security Architecture (18%)

Network Security Architecture Patterns

Hub-and-spoke network topology security:

  • Firewall placement: Perimeter firewall at internet edge; internal segmentation firewalls between security zones
  • DMZ design: Web servers in DMZ with firewall on each side; DMZ servers can initiate connections inward to application servers on specific ports only
  • Jump server pattern: Administrative access to sensitive systems via hardened intermediate host with full session logging

Cloud security architecture patterns:

  • Layered defense in cloud: VPC isolation + security groups + WAF + API gateway + IAM
  • Zero trust in cloud: Identity as perimeter; no implicit trust for resources inside VPC
  • SASE: Convergence of SD-WAN and cloud-native security services for distributed organizations

PKI and Certificate Management

Certificate types and use cases:

  • DV (Domain Validated): Proves domain control. Example: basic HTTPS site
  • OV (Organization Validated): Proves organization identity. Example: corporate websites
  • EV (Extended Validation): Highest level of identity verification. Example: banking, financial services
  • Wildcard: Covers all subdomains. Example: *.example.com
  • SAN (Subject Alternative Name): Multiple domains in one certificate. Example: example.com and example.org

Certificate transparency: Public logs of all issued certificates, allowing detection of mis-issued certificates. Certificate Transparency (CT) is required by major browsers for EV certificates.

OCSP stapling: The web server periodically queries the CA for certificate revocation status and attaches (staples) the OCSP response to the TLS handshake. Improves performance compared to client-side OCSP lookups.


Domain 4 Deep Dive: Security Operations (28%)

SIEM and SOC Operations

SIEM use cases most heavily tested:

  • Detecting brute force: Multiple failed authentication events from one source IP within a short time window
  • Detecting impossible travel: Successful authentication from two geographically distant locations within a time window too short for travel
  • Detecting data exfiltration: Large outbound transfers to external IPs, especially during non-business hours
  • Detecting privilege escalation: Successful authentication with administrative account shortly after standard account compromise
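The brute-force rule above, implemented as an added example (not from the guide) in Go over a constructed log format of the form `<RFC 3339 timestamp> result=<failure|success> user=<name> src=<ip>`; the sliding-window check flags a source only when `threshold` failures fall inside one window, so a slow, spread-out source is not flagged while a burst is:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample authentication events (not real logs): one source hammering an account, one slow source, one malformed line.
const sampleLog = `2025-03-01T09:00:01Z result=failure user=alice src=203.0.113.5
2025-03-01T09:00:04Z result=failure user=alice src=203.0.113.5
2025-03-01T09:00:07Z result=failure user=alice src=203.0.113.5
2025-03-01T09:00:10Z result=success user=alice src=203.0.113.5
2025-03-01T09:10:00Z result=failure user=bob src=198.51.100.7
2025-03-01T09:40:00Z result=failure user=bob src=198.51.100.7
2025-03-01T10:05:00Z result=failure user=bob src=198.51.100.7
garbage line that does not parse`

// BruteForceSources returns the source IPs that produced at least threshold (>= 1)
// failed logins inside any sliding window of the given length, sorted for stable output.
func BruteForceSources(log string, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{} // failure timestamps per source IP
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 4 || fields[1] != "result=failure" {
			continue // malformed line (a real pipeline would count these) or not a failure
		}
		if at, err := time.Parse(time.RFC3339, fields[0]); err == nil {
			src := strings.TrimPrefix(fields[3], "src=")
			failures[src] = append(failures[src], at)
		}
	}
	var flagged []string
	for src, ts := range failures {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) }) // logs may arrive out of order
		for i := threshold - 1; i < len(ts); i++ {
			if ts[i].Sub(ts[i-threshold+1]) <= window { // threshold failures fit inside one window
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	fmt.Println(BruteForceSources(sampleLog, 3, time.Minute)) // [203.0.113.5]
}
```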

SOC tier model:

  • Tier 1: Alert triage, initial analysis, escalation
  • Tier 2: Deeper investigation, incident response
  • Tier 3: Threat hunting, advanced analysis, tool development

Vulnerability Management Deep Dive

CVSS v3.1 scoring components:

Base Score (mandatory):

  • Attack Vector: Network/Adjacent/Local/Physical; Network = highest score
  • Attack Complexity: Low/High; Low = higher score
  • Privileges Required: None/Low/High; None = higher score
  • User Interaction: None/Required; None = higher score
  • Scope: Unchanged/Changed; Changed = higher score
  • Confidentiality Impact: None/Low/High; High = highest score
  • Integrity Impact: None/Low/High; High = highest score
  • Availability Impact: None/Low/High; High = highest score

Temporal Score: Adjusts base score based on exploit availability and remediation status.

Environmental Score: Adjusts for organization-specific factors like asset criticality.
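The base score formula behind the metric list, as an added example in Go (not part of the guide): the weights and the Roundup function come from the CVSS v3.1 specification, and BaseScore accepts a base-metric vector string only (temporal and environmental metrics are not handled, and metric values are assumed to be valid letters):

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v3.1 specification (FIRST.org), section 7.4.
var avW = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
var acW = map[string]float64{"L": 0.77, "H": 0.44}
var uiW = map[string]float64{"N": 0.85, "R": 0.62}
var ciaW = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
var prW = map[string]float64{"N": 0.85, "L": 0.62, "H": 0.27} // Scope Unchanged
var prWC = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5} // Scope Changed

// roundUp is the spec's Roundup(): smallest one-decimal value >= x, done on integers.
func roundUp(x float64) float64 {
	i := int(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// BaseScore computes the CVSS v3.1 base score from a base-metric vector string.
func BaseScore(vector string) (float64, error) {
	m := map[string]string{} // metric name -> value letter, e.g. "AV" -> "N"
	for _, part := range strings.Split(vector, "/") {
		if k, v, ok := strings.Cut(part, ":"); ok && k != "CVSS" {
			m[k] = v
		}
	}
	if len(m) != 8 {
		return 0, fmt.Errorf("expected the 8 base metrics, got %d", len(m))
	}
	iss := 1 - (1-ciaW[m["C"]])*(1-ciaW[m["I"]])*(1-ciaW[m["A"]])
	pr, mult, impact := prW, 1.0, 6.42*iss // Scope Unchanged
	if m["S"] == "C" {                     // Scope Changed
		pr, mult, impact = prWC, 1.08, 7.52*(iss-0.029)-3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * avW[m["AV"]] * acW[m["AC"]] * pr[m["PR"]] * uiW[m["UI"]]
	if impact <= 0 {
		return 0, nil
	}
	return roundUp(math.Min(mult*(impact+exploitability), 10)), nil
}

func main() { fmt.Println(BaseScore("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")) } // 9.8 <nil>
```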


Domain 5 Deep Dive: Security Program Management (20%)

Risk Calculations

Quantitative risk analysis:

  • AV (Asset Value): Monetary value of the asset
  • EF (Exposure Factor): Percentage of asset lost in a single incident (0-100%)
  • SLE (Single Loss Expectancy) = AV x EF
  • ARO (Annualized Rate of Occurrence): Expected frequency of the threat per year
  • ALE (Annualized Loss Expectancy) = SLE x ARO

Example: Server worth $50,000. Ransomware EF = 40% (can recover 60% from backups). ARO = 0.5 (expected once every 2 years).

  • SLE = $50,000 x 0.40 = $20,000
  • ALE = $20,000 x 0.5 = $10,000/year

A ransomware protection control costing $8,000/year has positive ROI if it reduces ALE by more than $8,000.

Business Impact Analysis

BIA (Business Impact Analysis) identifies critical business functions and their dependencies:

  • MTD (Maximum Tolerable Downtime): The absolute maximum time a business function can be unavailable before threatening organizational viability
  • RTO (Recovery Time Objective): Target time to restore the function after disruption (must be less than MTD)
  • RPO (Recovery Point Objective): Maximum acceptable data loss expressed in time

Exam Strategy

Time Management

With 90 questions in 90 minutes, you have an average of one minute per question:

  • Answer all questions you know immediately
  • Flag uncertain questions and return after completing certain ones
  • For performance-based questions (simulations), spend no more than 3-4 minutes; move on if stuck
  • Never leave questions unanswered -- there is no penalty for guessing

Eliminating Wrong Answers

Most Security+ questions have one or two clearly wrong answers that can be eliminated quickly:

  • Eliminate answers that use outdated protocols (MD5 for passwords, WEP, Telnet) unless the question is about identifying vulnerabilities
  • Eliminate answers that violate fundamental security principles (sharing administrative credentials, disabling encryption for performance)
  • When two answers seem correct, choose the one that is most specific to the scenario described

"Security+ questions are written so that all four options could theoretically be valid in some context. The skill is identifying which option is the BEST answer for the specific scenario described. Read each question twice and identify the specific requirement before evaluating answers." -- Security+ exam coaching community


Frequently Asked Questions

What is the difference between authentication and authorization in Security+ context? Authentication verifies identity (proving you are who you claim to be) using methods like passwords, biometrics, or certificates. Authorization determines what an authenticated identity is permitted to do (access control based on permissions and roles). The exam regularly presents scenarios requiring you to identify whether an authentication or authorization failure caused a security incident. Authentication happens first; authorization happens after successful authentication.

How many performance-based questions are on Security+ SY0-701? The number of performance-based questions varies, but most candidates report 2-5 PBQ (performance-based questions) that require interacting with simulations. Common PBQ types include matching security concepts to definitions, configuring firewall rules in a simulated interface, identifying attack types from log output, and ordering steps in a security process. These questions appear at the beginning of the exam.

Should I study all five domains equally for Security+? No, study proportionally to domain weight. Security Operations (28%) deserves the most study time, followed by Security Program Management (20%), Threats and Vulnerabilities (22%), Security Architecture (18%), and General Security Concepts (12%). Allocating equal time to all domains leaves you underprepared for the largest domains and overprepared for the smallest.
