
CompTIA Security+ (SY0-701) Cheat Sheet

High-yield review of security concepts, architecture, IAM, crypto, cloud controls, detection, incident response, and governance for CompTIA Security+.

Use this for last-mile review. Read it quickly, mark the rows you still hesitate on, and then go back to targeted practice or deeper explanations only for those weak spots. Security+ questions reward answers that reduce risk without violating least privilege, evidence handling, or operational fit.

Final 20-minute recall (exam day)

Cue -> best move (scenario map)

If the question says… | Usually best answer
--- | ---
Protect admin accounts immediately | MFA + least privilege + privileged access controls
Phishing-resistant auth | FIDO2/WebAuthn or certificate-based factors
"Assume breach" architecture | Zero Trust segmentation + continuous verification + telemetry
Public web app attack reduction | WAF + secure coding fixes + patching + monitoring
Ransomware containment | Isolate hosts, disable spread paths, preserve evidence, follow IR workflow
Data exfil concern in SaaS/cloud | DLP/CASB + strong IAM + logging + encryption
Need integrity + non-repudiation | Digital signatures + PKI controls
Certificate trust failure | Validate chain, SAN, expiration, revocation, and trust store
Vulnerability backlog too large | Risk-based prioritization using asset criticality, exploitability, and exposure
Repeated incidents | Root-cause analysis + control improvement + updated runbooks/tabletops

Must-memorize SY0-701 anchors

Topic | Fast recall
--- | ---
CIA triad | Confidentiality, Integrity, Availability
AAA | Authentication, Authorization, Accounting
IR phases | Preparation -> Identification -> Containment -> Eradication -> Recovery -> Lessons learned
Access models | DAC, MAC, RBAC, ABAC
Crypto split | Symmetric for speed, asymmetric for exchange/signature, hashing for integrity
Zero Trust core | Verify explicitly, least privilege, assume breach

Last-minute traps

  • confusing encoding, hashing, and encryption
  • choosing broad trust instead of identity-aware least privilege
  • stopping at detection without thinking about containment and recovery
  • ignoring evidence handling, chain of custody, or policy fit in an incident

1) Core principles

  • CIA Triad: confidentiality, integrity, availability
  • AAA: authentication, authorization, accounting
  • Defense in depth: layered controls across people, process, and technology
  • Zero Trust: verify explicitly, use least privilege, assume breach, segment and monitor

2) Threat actors and intelligence

Actor | Motive | Capability | Notes
--- | --- | --- | ---
Script kiddie | curiosity or disruption | low | relies on public tools
Hacktivist | ideology | varies | public-facing disruption is common
Criminal group | money | medium to high | ransomware, fraud, extortion
Insider | mixed | high context | may be careless or malicious
Nation-state / APT | strategic | very high | persistence and stealth matter

Intel types: OSINT, HUMINT, SIGINT, TECHINT, vendor feeds.
Pyramid of Pain: indicators like hashes and IPs are easiest for attackers to change; TTPs are the hardest to change, so detections built on them last longer.

3) Common attacks

  • Social engineering: phishing, spear phishing, vishing, smishing, pretexting, baiting, tailgating
  • Credential attacks: brute force, password spraying, credential stuffing, keylogging, man-in-the-middle
  • Web and app: XSS, SQLi, CSRF, SSRF, command injection, deserialization, path traversal
  • Network and wireless: DoS, DNS poisoning, ARP poisoning, rogue AP, evil twin
  • Malware: worm, trojan, RAT, rootkit, ransomware, logic bomb
  • Supply chain and cloud: package compromise, malicious updates, exposed buckets, over-permissive roles, metadata abuse

4) Network security controls

Control | Purpose | Good use
--- | --- | ---
NGFW | application-aware filtering and policy | segment and restrict with least privilege
IDS/IPS | detect or block malicious traffic | visibility and inline prevention
WAF | reduce web attack surface | XSS, SQLi, and web abuse patterns
NAC / 802.1X | control network admission | authenticate users and devices before access
VPN | secure remote or site-to-site transport | IPsec or TLS-based remote access
EDR/XDR | endpoint visibility and response | detect and contain suspicious host behavior
SEG / email security | filter and analyze mail | phishing, malware, spoofing reduction

5) Secure architecture and design

  • Deployment models: on-prem, cloud, hybrid, multi-cloud
  • Design goals: resiliency, segmentation, fail-open versus fail-closed, immutable infrastructure
  • Data lifecycle: create, store, use, share, archive, destroy
  • Zero Trust architecture: identity, policy decision, enforcement, segmentation, and telemetry work together

6) Identity, authentication, and access

  • Authentication factors: know, have, are, do, where
  • SSO and federation: SAML for web SSO, OAuth 2.0 for delegation, OIDC for authentication on top of OAuth
  • Access models: DAC, MAC, RBAC, ABAC
  • Privileged access: JIT, JEA, PIM, session recording, vaulting
  • Exam rule: the better answer usually narrows privilege and improves auditability

7) Cryptography quick map

Concept | Use | Notes
--- | --- | ---
Hashing | integrity | SHA-256 or SHA-3; HMAC adds integrity plus authenticity
Symmetric crypto | speed and confidentiality | AES-GCM is a strong modern pattern
Asymmetric crypto | key exchange and signatures | RSA and ECC are common
ECDHE | forward secrecy | common in modern TLS
PKI | trust and certificate lifecycle | root -> intermediate -> leaf

Do not confuse: Base64 is encoding, not encryption.
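The encoding / hashing / HMAC distinction in working code, as an added example that is not part of the cheat sheet. It uses only the Python standard library; the message and key are constructed sample values. Base64 round-trips with no key, SHA-256 detects change but anyone can recompute it, and only HMAC with the shared key rejects a tampered message or a wrong key.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample inputs, not from the cheat sheet.
MESSAGE = b"transfer 100 to account 42"
KEY = os.urandom(32)  # shared secret known only to sender and verifier


def encode_b64(data: bytes) -> str:
    """Encoding: reversible by anyone, no key, no secrecy, no integrity."""
    return base64.b64encode(data).decode("ascii")


def decode_b64(text: str) -> bytes:
    return base64.b64decode(text)


def sha256_hex(data: bytes) -> str:
    """Hashing: one-way, fixed-size digest. Detects accidental change, but an
    attacker who alters the data can simply recompute the digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC: keyed hash. Only a key holder can produce a valid tag, so it
    gives integrity plus authenticity (still no confidentiality)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking tag bytes through comparison timing
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Each entry is True when the property named in the key holds."""
    tampered = MESSAGE.replace(b"42", b"99")
    tag = hmac_tag(KEY, MESSAGE)
    return {
        "b64_round_trips": decode_b64(encode_b64(MESSAGE)) == MESSAGE,
        "b64_hides_nothing": b"account" in decode_b64(encode_b64(MESSAGE)),
        "hash_changes_on_tamper": sha256_hex(MESSAGE) != sha256_hex(tampered),
        "hash_needs_no_key": sha256_hex(tampered) == hashlib.sha256(tampered).hexdigest(),
        "hmac_accepts_original": hmac_verify(KEY, MESSAGE, tag),
        "hmac_rejects_tamper": not hmac_verify(KEY, tampered, tag),
        "hmac_rejects_wrong_key": not hmac_verify(os.urandom(32), MESSAGE, tag),
    }
```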

8) Certificates and PKI

  • certificate types: DV, OV, EV, SAN, wildcard, code-signing, device, email
  • lifecycle: enroll, issue, install, monitor, renew, revoke
  • revocation: CRL, OCSP, OCSP stapling
  • common failure points: expired certificate, wrong SAN, broken trust chain, missing intermediate, untrusted root
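A validator that exercises the failure points above (expired certificate, wrong SAN, missing intermediate, untrusted root, revoked certificate), as an added example that is not part of the cheat sheet. The certificates, trust store and clock are constructed toy records, and signature verification is deliberately omitted; the function walks issuer links and returns the list of reasons a chain fails.

```python
from datetime import datetime, timezone


def cert(subject, issuer, not_before, not_after, sans=(), revoked=False):
    # Constructed toy certificate record; real X.509 parsing is out of scope.
    return {"subject": subject, "issuer": issuer, "not_before": not_before,
            "not_after": not_after, "sans": list(sans), "revoked": revoked}


def year(y):
    return datetime(y, 1, 1, tzinfo=timezone.utc)


ROOT = cert("Example Root CA", "Example Root CA", year(2020), year(2040))
INTER = cert("Example Intermediate CA", "Example Root CA", year(2022), year(2035))
LEAF = cert("www.example.com", "Example Intermediate CA", year(2025), year(2026),
            sans=["www.example.com", "*.example.com"])
CHAIN = {c["subject"]: c for c in (INTER, ROOT)}  # certs available to the validator
TRUST_STORE = {"Example Root CA"}                  # hypothetical trusted root
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def san_matches(host, san):
    """RFC 6125-style rule: a wildcard covers exactly one leftmost label, so
    *.example.com matches www.example.com but not a.b.example.com or example.com."""
    host, san = host.lower(), san.lower()
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                                   # ".example.com"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return label != "" and "." not in label


def check_chain(leaf, chain, host, now, trust_store=TRUST_STORE):
    """Return failure reasons; an empty list means the chain is trusted."""
    problems = []
    if not any(san_matches(host, s) for s in leaf["sans"]):
        problems.append(f"no SAN matches {host}")
    current, seen = leaf, set()
    while True:
        if not (current["not_before"] <= now <= current["not_after"]):
            problems.append(f"outside validity window: {current['subject']}")
        if current["revoked"]:
            problems.append(f"revoked: {current['subject']}")
        if current["issuer"] == current["subject"]:   # reached a self-signed root
            break
        if current["issuer"] not in chain or current["issuer"] in seen:
            problems.append(f"missing intermediate: {current['issuer']}")
            return problems
        seen.add(current["issuer"])
        current = chain[current["issuer"]]
    if current["subject"] not in trust_store:
        problems.append(f"untrusted root: {current['subject']}")
    return problems
```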

9) Secure protocols

  • Prefer: HTTPS, SSH, SFTP, LDAPS, WPA3, 802.1X, modern TLS
  • Avoid as final answer: Telnet, FTP, WEP, broad unauthenticated access
  • Context matters: DNSSEC, DoT, DoH, and IPsec are good, but only when they solve the stated risk without breaking the requirement

10) Cloud and container security

  • Shared responsibility changes by IaaS, PaaS, and SaaS
  • Data controls: encryption, DLP, tokenization, key ownership, logging
  • Posture tooling: CSPM and CASB improve visibility and policy enforcement
  • Containers: minimal images, signed artifacts, secret handling, runtime controls, role-based access
  • Credential rule: prefer short-lived roles or tokens over long-lived static keys

11) DevSecOps and secure coding

  • threat modeling and secure requirements early
  • SAST, SCA, DAST, IaC scanning, artifact signing in CI/CD
  • parameterized queries, output encoding, input validation, least-privilege service accounts
  • logging must help investigations without leaking secrets

12) Vulnerability management and testing

Activity | What it does | Notes
--- | --- | ---
Asset inventory | shows what exists | you cannot protect what you do not know exists
Vulnerability scan | identifies likely weaknesses | authenticated scans usually see more
Patch management | remediates known issues | prioritize by risk, not just count
Pen test | proves impact through authorized exploitation | requires scope and rules of engagement
Red / blue / purple exercise | simulates attack and defense | purple adds collaborative learning

13) Monitoring, detection, and response

  • Telemetry: logs, metrics, NetFlow, DNS, EDR, cloud audit data
  • SIEM: normalize, correlate, alert
  • UEBA: behavioral anomaly detection
  • SOAR: automate repeatable triage and containment steps
  • Deception: honeypots, honey tokens, and canaries help expose adversary movement
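A small correlation rule of the kind a SIEM would run, as an added example that is not part of the cheat sheet. It ties the credential attacks listed in section 3 to the "normalize, correlate, alert" step above: the auth log lines are constructed (TEST-NET addresses), and the rule separates password spraying (one source, many users, few failures each) from brute force (one source, one user, many failures).

```python
from collections import defaultdict

# Constructed sample auth log, syslog-like one-line records. Not real data.
SPRAY = [f"2025-06-01T10:00:{i:02d}Z auth FAIL user=user{i} src=203.0.113.5"
         for i in range(8)]                          # 8 users, one failure each
BRUTE = [f"2025-06-01T10:05:{i:02d}Z auth FAIL user=carol src=198.51.100.7"
         for i in range(6)]                          # one user, six failures
NOISE = ["2025-06-01T10:05:10Z auth OK user=dave src=192.0.2.9",
         "2025-06-01T10:06:00Z auth FAIL user=dave src=192.0.2.9"]  # a typo, not an attack
SAMPLE_LOG = SPRAY + BRUTE + NOISE


def parse(line):
    """Normalize one record into fields; raises ValueError on a malformed line."""
    ts, _, result, user, src = line.split()
    return {"ts": ts, "ok": result == "OK",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def detect(lines, spray_users=5, brute_attempts=5):
    """Correlate failures per source IP and emit alert tuples.

    A real rule would also bound the correlation by a time window; the
    thresholds here are illustrative, not vendor defaults."""
    fails = defaultdict(lambda: defaultdict(int))    # src -> user -> failure count
    for rec in map(parse, lines):
        if not rec["ok"]:
            fails[rec["src"]][rec["user"]] += 1
    alerts = []
    for src, per_user in fails.items():
        if len(per_user) >= spray_users:
            alerts.append(("password_spray", src, len(per_user)))
        for user, n in per_user.items():
            if n >= brute_attempts:
                alerts.append(("brute_force", src, user, n))
    return alerts
```

Containment for either alert follows the cheat sheet's pattern: lock or step-up MFA on the targeted accounts and block or rate-limit the source, then preserve the log lines as evidence before tuning the rule.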

14) Incident response and forensics

IR phases: preparation, identification, containment, eradication, recovery, lessons learned

    flowchart LR
      A["Preparation"] --> B["Identification"]
      B --> C["Containment"]
      C --> D["Eradication"]
      D --> E["Recovery"]
      E --> F["Lessons learned"]

Order of volatility: registers/cache -> RAM -> disk -> remote logs/cloud -> archives

Forensics basics:

  • maintain chain of custody
  • hash evidence
  • preserve timestamps and time synchronization
  • use write blockers or other forensic-safe collection methods when appropriate
  • contain first when business risk demands it, but avoid destroying evidence without reason

15) Governance, risk, and compliance

  • Policy vs standard vs procedure vs guideline
  • Risk treatment: accept, avoid, transfer, mitigate
  • Control types: preventive, detective, corrective, deterrent, compensating
  • BCP/DR anchors: RTO is the target recovery time; RPO is the tolerated data-loss window
  • Framework awareness: NIST, ISO/IEC 27001, CIS, SOC 2, PCI DSS, HIPAA, GDPR

16) Quick scenario pickers

  • Need web protection fast: WAF plus patching and secure coding
  • Need remote access: VPN plus MFA and least-privilege authorization
  • Need stronger wireless auth: WPA3-Enterprise or WPA2-Enterprise with 802.1X
  • Need better admin security: privileged access controls, session logging, MFA
  • Need lower blast radius: segmentation and microsegmentation
  • Need proof a vulnerability matters: authorized penetration testing, not only a scan result


From here, use the FAQ for longer explanations or open the resources page when you need the official exam details, frameworks, or lab references.