CompTIA Security+ Certification Prep — Complete Study Guide
CompTIA Security+ is the most widely recognized entry-level cybersecurity certification, validating foundational skills in threat management, cryptography, identity management, network security, and risk compliance.
What You’ll Learn
By the end of this tutorial, you’ll understand the five Security+ exam domains, key concepts tested in each domain, common acronyms and ports to memorize, and have a study plan to pass the SY0-701 exam on your first attempt.
Why Security+ Matters
Security+ is a DoD-approved baseline certification (ISO 17024) and is required for many government and contractor security roles. Over 600,000 professionals hold the certification. It’s the most common entry point for cybersecurity careers. At DodaTech, Security+ is a recommended certification for Durga Antivirus Pro security operations team members.
Security+ Learning Path
```mermaid
flowchart LR
A[Security Basics] --> B[Network Security]
B --> C[Web Security]
C --> D[Cryptography]
D --> E[Security+ Exam Prep]
E --> F{You Are Here}
style F fill:#f90,color:#fff
```
Exam Overview
| Detail | Information |
|---|---|
| Exam code | SY0-701 |
| Format | 90 multiple-choice and performance-based questions |
| Duration | 90 minutes |
| Passing score | 750 (on a scale of 100-900) |
| Cost | $404 (USD) |
| Validity | 3 years (CEUs or retake) |
| Languages | English, Japanese, Chinese, Korean, Spanish |
The Five Domains
Domain 1: General Security Concepts (12%)
Key topics:
- CIA triad (Confidentiality, Integrity, Availability)
- Non-repudiation, authentication, authorization, accounting (AAA)
- Security controls: technical, administrative, physical
- Zero Trust model
- Defense in depth
Zero Trust architecture:
```mermaid
flowchart TD
subgraph "Zero Trust Model"
A[Never Trust, Always Verify]
B[Verify Identity]
C[Verify Device]
D[Verify Access]
E[Least Privilege]
A --> B
A --> C
A --> D
A --> E
end
User --> A
Device --> A
Network --> A
```
Sample question:
Which security principle ensures that a user cannot deny having performed an action? A) Confidentiality B) Integrity C) Non-repudiation D) Availability
Answer: C) Non-repudiation (ensured through logging, digital signatures, and audit trails)
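To see why the answer distinguishes integrity from non-repudiation, here is an added example (not from the original guide) using only Python's standard library. A plain hash detects modification but anyone can recompute it; an HMAC also proves the sender held the shared key; neither gives non-repudiation, because the verifier holds the same key and could have produced the tag itself. That property needs a digital signature made with a private key only the signer holds. The message and key below are constructed for the demo.

```python
# Added example (not from the original guide): integrity and authenticity
# checks with the standard library, and why neither is non-repudiation.
import hashlib
import hmac

# Constructed sample message and shared key (not real secrets).
MESSAGE = b"transfer 100 to account 42"
SHARED_KEY = b"constructed-demo-key"


def digest(data: bytes) -> str:
    """One-way SHA-256 digest: any change to the data changes the digest (integrity)."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Integrity check only: anyone can recompute a hash, so it says nothing about the sender."""
    return hmac.compare_digest(digest(data), expected_hex)


def mac(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: integrity plus authenticity for whoever holds the shared key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, key: bytes, expected_hex: str) -> bool:
    """Constant-time comparison so a wrong tag does not leak how many bytes matched."""
    return hmac.compare_digest(mac(data, key), expected_hex)


def tamper_demo() -> dict:
    """Show what each mechanism catches when the amount is altered in transit."""
    tampered = MESSAGE.replace(b"100", b"900")
    original_digest = digest(MESSAGE)
    original_mac = mac(MESSAGE, SHARED_KEY)
    return {
        # A plain hash catches the edit...
        "hash_detects_tamper": not verify_digest(tampered, original_digest),
        # ...but whoever edits the message can simply replace the hash too.
        "hash_forgeable": verify_digest(tampered, digest(tampered)),
        # An HMAC catches the edit and cannot be recomputed without the key.
        "mac_detects_tamper": not verify_mac(tampered, SHARED_KEY, original_mac),
        "mac_forgeable_without_key": verify_mac(
            tampered, SHARED_KEY, mac(tampered, b"wrong-key")
        ),
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

The `hash_forgeable` result is the exam point: a hash sent alongside the data protects against accidental corruption, not against an attacker who controls the channel; a keyed tag or signature is needed for that.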
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
Key topics:
- Malware types: virus, worm, trojan, ransomware, rootkit, spyware
- Attack types: phishing, spear phishing, whaling, vishing, smishing
- Social engineering: pretexting, baiting, tailgating, quid pro quo
- Application attacks: SQLi, XSS, buffer overflow, race conditions
- Network attacks: DDoS, MitM, DNS poisoning, ARP spoofing
- Indicators of compromise (IoCs)
Attack type comparison:
| Attack | Method | Target | Mitigation |
|---|---|---|---|
| Phishing | Deceptive email | Credentials | Email filtering, user training |
| DDoS | Traffic flood | Availability | CDN, rate limiting, auto-scaling |
| MitM | Intercept traffic | Confidentiality | HTTPS, certificate pinning |
| SQLi | Malicious SQL input | Data integrity | Parameterized queries |
| XSS | Script injection | User data | Output encoding, CSP |
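The two application-layer mitigations in the table, parameterized queries against SQLi and output encoding against XSS, shown beside the unsafe code they replace. This is an added example, not code from the original guide; it uses only the standard library (`sqlite3`, `html`), and the table, rows and probe inputs are constructed for the demo.

```python
# Added example (not from the original guide): unsafe and hardened versions
# of a database lookup and an HTML render, run against constructed input.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: user input is spliced into the SQL text, so it can change the query."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: a bound parameter is always treated as data, never as SQL syntax."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_unsafe(comment: str) -> str:
    """VULNERABLE: untrusted text placed directly into the page markup."""
    return f"<p>{comment}</p>"


def render_safe(comment: str) -> str:
    """HARDENED: output encoding turns markup characters into inert entities."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def demo() -> dict:
    """Run both pairs against the textbook probe inputs (constructed for this demo)."""
    conn = make_db()
    sql_probe = "x' OR '1'='1"          # tautology: true for every row if spliced in
    xss_probe = "<script>alert(1)</script>"
    return {
        "unsafe_rows": lookup_unsafe(conn, sql_probe),   # every user leaks
        "safe_rows": lookup_safe(conn, sql_probe),       # no user is literally named that
        "unsafe_html": render_unsafe(xss_probe),         # script tag survives intact
        "safe_html": render_safe(xss_probe),             # rendered as visible text only
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The safe lookup returns nothing not because the input was filtered, but because the database never saw it as SQL; that is the difference between parameterization and input validation, and the reason the exam lists the former as the SQLi mitigation.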
Sample question:
An attacker sends an email claiming to be from the CEO asking for an urgent wire transfer. This is an example of: A) Spear phishing B) Whaling C) Vishing D) Pharming
Answer: B) Whaling (targeted at executives/high-value individuals)
Domain 3: Security Architecture (18%)
Key topics:
- Firewall types: packet filtering, stateful, application-layer (WAF), next-gen
- VPN protocols: IPSec, SSL/TLS, WireGuard
- Intrusion detection/prevention: IDS (monitor), IPS (block)
- Cloud security: shared responsibility, CASB, cloud deployment models
- Network segmentation: VLANs, DMZ, micro-segmentation
- Virtualization and container security
Cloud deployment models:
| Model | Description | Use Case |
|---|---|---|
| Public | Shared infrastructure | Startups, variable workloads |
| Private | Dedicated to one org | Compliance-sensitive data |
| Hybrid | Mix of public and private | Burst capacity, legacy integration |
| Community | Shared by orgs with common goals | Government, healthcare consortium |
Domain 4: Security Operations (28%)
Largest domain — focus here during study.
Key topics:
- Incident response lifecycle: Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned
- Digital forensics: acquisition, chain of custody, analysis, reporting
- Logging and monitoring: SIEM, syslog, log retention
- Vulnerability management: scanning, patching, reporting
- Disaster recovery: RTO, RPO, MTBF, MTTR
- Backup types: full, incremental, differential
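For the logging and monitoring topic, here is an added example (not from the original guide) of the kind of correlation rule a SIEM runs over syslog: flag any source that produces a burst of failed logins inside a sliding time window, a basic brute-force indicator of compromise. The log lines are constructed in OpenSSH style with a made-up hostname and PIDs and documentation-range IP addresses; the threshold of 5 failures in 60 seconds is an assumed tuning value.

```python
# Added example (not from the original guide): a sliding-window failed-login
# rule over constructed syslog lines, as a SIEM correlation search would do.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from a real host); IPs are from documentation ranges.
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
Mar 10 08:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 50002 ssh2
Mar 10 08:00:04 host sshd[103]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Mar 10 08:00:06 host sshd[104]: Failed password for root from 203.0.113.5 port 50003 ssh2
Mar 10 08:00:09 host sshd[105]: Failed password for root from 203.0.113.5 port 50004 ssh2
Mar 10 08:00:12 host sshd[106]: Failed password for root from 203.0.113.5 port 50005 ssh2
Mar 10 08:10:00 host sshd[107]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar 10 08:30:00 host sshd[108]: Failed password for bob from 198.51.100.7 port 40003 ssh2
"""

# Syslog timestamp, host, sshd[pid], then the auth result, user and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(line: str, year: int = 2024):
    """Parse one line into a dict, or None if it is not an sshd auth event.

    Syslog lines carry no year, so one is supplied (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Alert once per source that reaches `threshold` failures within `window_s` seconds."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures older than the window before counting.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT brute-force from {alert['src']}: "
              f"{alert['failures']} failures, last {alert['last_seen']}")
```

Only 203.0.113.5 trips the rule; 198.51.100.7 also fails twice, but twenty minutes apart, which is what the window is for. In practice the threshold, window and the list of event sources (VPN, RDP, web logins) are tuned per environment, and successful logins from a source that recently tripped this rule are the follow-up event worth a second rule.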
```python
# security_plus_calculator.py
# Calculate common Security+ metrics
class SecurityPlusMetrics:
    """Calculate Security+ exam-related metrics."""

    @staticmethod
    def calculate_rto_rpo(rto_hours: float, rpo_hours: float) -> dict:
        """
        RTO = Recovery Time Objective (max acceptable downtime)
        RPO = Recovery Point Objective (max acceptable data loss in time)
        """
        return {
            "RTO": rto_hours,
            "RPO": rpo_hours,
            "explanation": f"Systems must be restored within {rto_hours}h "
                           f"with data loss no more than {rpo_hours}h"
        }

    @staticmethod
    def calculate_annualized_loss_expectancy(
        asset_value: float,
        exposure_factor: float,
        annual_occurrence: float
    ) -> dict:
        """SLE = AV × EF, ALE = SLE × ARO"""
        sle = asset_value * exposure_factor
        ale = sle * annual_occurrence
        return {
            "single_loss_expectancy": sle,
            "annualized_loss_expectancy": ale,
        }

    @staticmethod
    def port_memorization() -> list[dict]:
        """Common Security+ port numbers to memorize."""
        return [
            {"port": 20, "protocol": "FTP data", "secure": False},
            {"port": 21, "protocol": "FTP control", "secure": False},
            {"port": 22, "protocol": "SSH", "secure": True},
            {"port": 23, "protocol": "Telnet", "secure": False},
            {"port": 25, "protocol": "SMTP", "secure": False},
            {"port": 53, "protocol": "DNS", "secure": False},
            {"port": 80, "protocol": "HTTP", "secure": False},
            {"port": 110, "protocol": "POP3", "secure": False},
            {"port": 143, "protocol": "IMAP", "secure": False},
            {"port": 443, "protocol": "HTTPS", "secure": True},
            {"port": 445, "protocol": "SMB", "secure": False},
            {"port": 3389, "protocol": "RDP", "secure": False},
            {"port": 993, "protocol": "IMAPS", "secure": True},
            {"port": 995, "protocol": "POP3S", "secure": True},
            {"port": 389, "protocol": "LDAP", "secure": False},
            {"port": 636, "protocol": "LDAPS", "secure": True},
            {"port": 161, "protocol": "SNMP", "secure": False},
        ]

    @staticmethod
    def acronyms_to_know() -> list[str]:
        """Must-know acronyms for the exam."""
        return [
            "AAA", "ACL", "AES", "ALE", "AP", "API", "ARP", "AV",
            "BIA", "BYOD", "CA", "CAC", "CAPTCHA", "CASB", "CIA",
            "CIRT", "CSRF", "DDoS", "DEP", "DHCP", "DLL", "DLP",
            "DMZ", "DNSSEC", "DoS", "EAP", "ECB", "EFS", "ESD",
            "FTP", "GPO", "GPS", "GPU", "GRE", "HDD", "HIDS",
            "HIPS", "HOTP", "HTTP", "HTTPS", "IAM", "ICMP", "ICS",
            "IDS", "IKE", "IMAP", "IoC", "IoT", "IP", "IPS",
            "IPSEC", "IR", "ISAKMP", "ISFW", "ISO", "ISP", "ITU",
            "KDC", "KEK", "L2TP", "LAN", "LDAP", "LEAP", "MAC",
            "MAM", "MAN", "MBSA", "MDM", "MFA", "MFD", "MITM",
            "MLS", "MMS", "MSCHAP", "MTBF", "MOU", "MTTR", "NAC",
            "NAS", "NAT", "NFC", "NGFW", "NIC", "NIDS", "NIPS",
            "NIST", "Nmap", "NMS", "NOC", "NTFS", "NTLM", "OS",
            "OSINT", "OWASP", "P0F", "P2P", "PAC", "PAM", "PAP",
            "PAT", "PBX", "PCA", "PCI DSS", "PEAP", "PED", "PEM",
            "PII", "PIV", "PKI", "PoC", "POP", "POTS", "PPP",
            "PTZ", "RA", "RAD", "RAID", "RAS", "RAT", "RC4",
            "RDP", "RF", "RFID", "RMF", "ROI", "RPO", "RSA",
            "RTFM", "RTO", "S/MIME", "SaaS", "SAE", "SAML", "SAN",
            "SCAP", "SCSI", "SCTP", "SDK", "SDLC", "SDN", "SED",
            "SEH", "SFTP", "SHA", "SIEM", "SIG", "SIM", "SIP",
            "SLA", "SLE", "SMB", "SMS", "SMTP", "SNA", "SNMP",
            "SOAP", "SOAR", "SOC", "SPIM", "SQL", "SRTP", "SSD",
            "SSH", "SSL", "SSO", "STP", "SWG", "TACACS", "TCP/IP",
            "TGT", "TKIP", "TLS", "TOTP", "TPM", "UAT", "UDP",
            "UPS", "URL", "USB", "UTM", "VLAN", "VLSM", "VM",
            "VoIP", "VPN", "VTC", "WAF", "WEP", "WIDS", "WIPS",
            "WORM", "WPA", "WPA2", "WPA3", "XSS", "ZTA"
        ]


# Display ports to memorize
metrics = SecurityPlusMetrics()
print("=== Must-Know Ports ===")
for p in metrics.port_memorization():
    icon = "✓" if p["secure"] else " "
    print(f" {icon} Port {p['port']:5}: {p['protocol']}")
```
Domain 5: Security Program Management and Oversight (20%)
Key topics:
- Governance: policies, standards, procedures, guidelines
- Risk management: identification, assessment, treatment, communication
- Business continuity: BCP, BIA, DRP
- Third-party risk: vendor assessments, SLAs, contracts
- Security awareness training: phishing simulations, onboarding
- Compliance: GDPR, HIPAA, PCI-DSS, SOX, FISMA
Study Plan (8 Weeks)
Week 1-2: Foundations
- Watch Professor Messer’s Security+ videos (free on YouTube)
- Read Domain 1 and 2 in your study guide
- Create flashcards for acronyms (use Anki)
Week 3-4: Core Content
- Read Domain 3 and 4 (largest domain)
- Take domain-specific practice tests
- Focus on incident response process and recovery metrics
Week 5-6: Practice Tests
- Take full-length practice exams (2-3 per week)
- Identify weak areas and re-study those domains
- Memorize ports, acronyms, and attack types
Week 7-8: Final Review
- Review all missed practice questions
- Take CompTIA’s official practice exam ($50)
- Schedule and take the real exam
Common Exam Mistakes
1. Rushing Performance-Based Questions (PBQs)
PBQs are at the beginning and take the most time. Don’t spend more than 10 minutes per PBQ. Flag and return if needed.
2. Confusing Similar Concepts
- IDS vs IPS (monitor vs block)
- RTO vs RPO (time to restore vs data loss tolerance)
- Hashing vs Encryption (one-way vs reversible)
- White box vs Black box (full knowledge vs no knowledge)
3. Not Reading the Full Question
Security+ questions often have “MOST” or “BEST” — there may be multiple correct answers, but one is best. Read carefully.
4. Memorizing Without Understanding
The exam tests application, not memorization. Understand WHY a concept works, not just what it is.
5. Ignoring PBQ Practice
Performance-based questions require hands-on skills. Practice with simulators (like CompTIA CertMaster Labs).
Practice Questions
1. A company wants to ensure data remains unchanged during transmission. Which CIA principle is being addressed?
Integrity — ensuring data hasn’t been modified in transit, often achieved through hashing and digital signatures.
2. What is the difference between RTO and RPO?
RTO (Recovery Time Objective) is the maximum acceptable downtime. RPO (Recovery Point Objective) is the maximum acceptable data loss measured in time.
3. What type of attack uses multiple compromised systems to flood a target with traffic?
DDoS (Distributed Denial of Service) — uses a botnet of compromised devices to overwhelm the target.
4. Which security control would prevent an attacker from reading network traffic?
Encryption (specifically TLS/HTTPS). Encryption ensures confidentiality by making intercepted data unreadable.
5. Challenge: Calculate ALE given: asset value = $100,000, exposure factor = 0.3, annual rate of occurrence = 2.
SLE = $100,000 × 0.3 = $30,000. ALE = $30,000 × 2 = $60,000/year.
Mini Project: Study Progress Tracker
```python
# security_plus_tracker.py
# Track exam preparation progress
import copy


class SecurityPlusTracker:
    """Track Security+ exam preparation progress."""

    DOMAINS = {
        "1. General Security Concepts": {"weight": 12, "questions": []},
        "2. Threats, Vulnerabilities, and Mitigations": {"weight": 22, "questions": []},
        "3. Security Architecture": {"weight": 18, "questions": []},
        "4. Security Operations": {"weight": 28, "questions": []},
        "5. Security Program Management": {"weight": 20, "questions": []},
    }

    def __init__(self):
        # Deep-copy the template so each tracker records its own history
        # instead of appending to the dict shared by every instance.
        self.DOMAINS = copy.deepcopy(SecurityPlusTracker.DOMAINS)
        self.total_questions = 0
        self.correct_answers = 0
        self.practice_tests = []

    def add_practice_test(self, domain: str, questions: int, correct: int):
        """Record a practice test result (unknown domains and empty tests are ignored)."""
        if domain in self.DOMAINS and questions > 0:
            self.DOMAINS[domain]["questions"].append(questions)
            self.total_questions += questions
            self.correct_answers += correct
            self.practice_tests.append({
                "domain": domain,
                "score": round(correct / questions * 100, 1)
            })

    def readiness_report(self) -> dict:
        """Generate readiness assessment."""
        domain_scores = {}
        for domain, data in self.DOMAINS.items():
            if data["questions"]:
                total_q = sum(data["questions"])
                # Per-domain readiness is judged by practice volume only;
                # accuracy is tracked in the overall score below.
                domain_scores[domain] = {
                    "status": "Ready" if total_q > 20 else "Needs practice",
                    "practice_questions": total_q
                }
            else:
                domain_scores[domain] = {"status": "Not started", "practice_questions": 0}
        overall = round(self.correct_answers / max(self.total_questions, 1) * 100, 1)
        return {
            "overall_score": overall,
            "ready": overall >= 85,
            "domains": domain_scores,
            "exam_estimate": "PASS" if overall >= 75 else "STUDY MORE"
        }


# Example
tracker = SecurityPlusTracker()
tracker.add_practice_test("1. General Security Concepts", 20, 18)
tracker.add_practice_test("2. Threats, Vulnerabilities, and Mitigations", 35, 28)
tracker.add_practice_test("4. Security Operations", 40, 32)
report = tracker.readiness_report()
print(f"Exam Readiness: {report['exam_estimate']}")
print(f"Overall Score: {report['overall_score']}%")
for domain, status in report['domains'].items():
    print(f" {domain}: {status['status']} ({status['practice_questions']} questions)")
```
Try It Yourself
Take a free Security+ practice test and score yourself:
- Visit Professor Messer’s website for free practice questions
- Take a 25-question quiz on Domain 4 (Security Operations — largest domain)
- Review every wrong answer and understand WHY
- Repeat weekly until you score 85%+ consistently
This is the same approach DodaTech team members use to prepare for Security+ certification exams.
What’s Next
Congratulations on completing this CompTIA Security+ prep tutorial! Here’s where to go from here:
- Practice daily — Consistency is more important than long study sessions
- Build a project — Apply what you learned by building something real
- Explore related topics — Check out other tutorials in the same category
- Join the community — Discuss with other learners and share your progress
Remember: every expert was once a beginner. Keep coding!
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro