Study Guide · SY0-701

SY0-701 Cheat Sheet

605 entries · 30 chapters · 5 domains

General Security Concepts

Security Controls

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Category and type are two independent axes

Every SY0-701 security control carries one category (who or what enforces it: technical, managerial, operational, or physical) and one type (what it does about an incident: preventive, deterrent, detective, corrective, compensating, or directive). The axes are orthogonal: re-stating a control's purpose never moves its category. A host firewall is technical and preventive; a recording CCTV camera is technical and detective; both stay technical whatever their type.

Trap Letting a control's type drag its category along: calling a CCTV camera "physical" because it watches a door, when CompTIA classes the hardware/software system as technical.

4 questions test this
Six control types map to the threat lifecycle

The six SY0-701 types track an incident across time: preventive stops it before it happens, deterrent discourages the attempt, detective discovers it during or after, corrective remediates and restores afterward, compensating substitutes when the required control can't be used, and directive steers behaviour through instruction. Pairing the missing stage to the scenario is the whole game: most stems hinge on before-vs-during-vs-after timing.

2 questions test this
Technical controls are enforced by hardware, software, or firmware

A control is technical (also called logical) when hardware, software, or firmware enforces it with no person needed at the moment it acts: firewall rules, ACLs, MFA enforcement, encryption, IDS/IPS, and antivirus all qualify. The mechanism runs itself once configured, which is what separates it from an operational control a human performs.

Trap Calling a technical control operational because a person configured or installed it - the category follows who enforces it at run time (the machine), not who set it up.

5 questions test this
Managerial controls are the policies and governance documents

Managerial (administrative) controls are the policies, standards, risk assessments, plans, and approval gates that govern the security program: a security policy, a background-check policy, or a change-management sign-off. The control is the document or decision itself, not whatever technology it tells the organization to deploy.

Trap Classifying a policy by the technology it mandates: a standard that requires a firewall is managerial; the firewall it calls for is technical.

7 questions test this
Operational controls are tasks people carry out

Operational controls are executed by people as part of day-to-day work: delivering security-awareness training, working a log-review shift, a guard checking badges, or an IR team running the runbook. Security-awareness training stays operational even though its subject is technical, because people deliver and consume it; the category follows who acts, not the topic.

Trap Marking security-awareness training technical because its subject matter is technical - the category follows who performs the control (people), making it operational.

6 questions test this
Physical controls are tangible real-world barriers

Physical controls are tangible barriers and devices in the real world: fences, locks, bollards, access-control vestibules, badge readers, fire suppression, and CCTV hardware. CompTIA treats access-control hardware at the door (a badge reader, for instance) as physical even though software drives it, because the enforcement object is a physical device at a physical boundary.

Trap Reclassifying a badge reader as technical because software drives it - CompTIA treats the device enforcing entry at a physical boundary as physical.

3 questions test this
Pick the type from the scenario's timing word

Match the stem's verb to the type: stop or block before → preventive; discourage, warn off, make them think twice → deterrent; detect, alert, discover, identify after the fact → detective; recover, restore, remediate, fix the damage → corrective; instead of a control you cannot implement → compensating; a policy or procedure telling staff what to do → directive. The verb the question emphasizes, not the device named, decides the type.

6 questions test this
Compensating means a substitute for a control you can't use

A compensating control is one employed in lieu of a required control, providing equivalent or comparable protection, typically because the primary control can't be implemented, such as isolating a legacy server on its own VLAN with extra monitoring when a vendor patch breaks the app. It is the most over-selected wrong answer, so the exam tell is explicit substitution language: "cannot patch right now," "the vendor no longer supports it," "in place of," "as an alternative to." Without that signal, a different type is correct.

Trap Reaching for compensating on any layered defense: without explicit "in lieu of" or "cannot implement the required control" language in the stem, it is over-selected and wrong.

7 questions test this
An extra layer is not automatically a compensating control

A control added purely for defense-in-depth, while the required primary control is present and working, is preventive, detective, or whatever it does in its own right, not compensating. Compensating applies only when the primary control is being substituted for; a second layer stacked on a functioning first layer never qualifies on that basis alone.

Trap Calling a redundant second layer compensating because it backs up the first - compensating requires substituting for an absent or infeasible primary control, not reinforcing a working one.

Directive controls instruct people what to do

Directive controls steer behaviour through instruction: an acceptable-use policy, a posted operating procedure, a standard staff must follow, or an onboarding requirement. The tell is language about telling people what is and isn't allowed; the answer is the instruction itself, not a technical mechanism that enforces it. A firewall blocking the traffic is technical/preventive, while the policy that says "don't use unauthorized apps" is directive.

Trap Picking the technical control that enforces a rule instead of the directive - the policy telling staff what to do is directive, while the firewall enforcing it is technical/preventive.

6 questions test this
Recording CCTV is detective, never preventive on its own

A closed-circuit camera is technical by category and stays that way. A camera that records for later review is detective; a prominently visible one meant to scare off intruders is deterrent. CCTV is never preventive by itself (recording an intrusion documents it but does nothing to stop it) so "CCTV = preventive" is a stock wrong answer.

Trap Calling a camera preventive: it records or deters but cannot physically block entry, so its type is detective or deterrent, not preventive.

A login banner or warning sign is deterrent, not preventive

A login banner warning of monitoring, a "Beware of dog" sign, or a no-trespassing sign only discourages. It does nothing to physically block, so its type is deterrent, not preventive. Contrast a lock, which physically stops entry and is therefore preventive; the test is whether the control stops the act or merely warns against it.

Trap Marking a warning banner or no-trespassing sign preventive - it only discourages and cannot stop the act, so its type is deterrent.

3 questions test this
Restore-from-backup and patching are corrective

Restoring from backup, patching the exploited flaw, and an IPS resetting a malicious session all act after the incident, so they are corrective, not preventive. CompTIA frames restoring from backup as corrective even though a backup arguably "prevents" permanent data loss. Reward the after-the-incident action the stem describes, not the backup's general purpose.

Trap Marking restore-from-backup as preventive because backups guard against data loss: the recovery action happens after the incident, making it corrective.

A policy that mandates a technical control is managerial

A policy or standard that requires a firewall is managerial: the document is the control. The firewall it calls for is technical. Classify the mandate by what it is (a governing document), never by the technology it happens to demand.

Trap Calling a standard technical because it mandates a firewall - the governing document is managerial regardless of the technology it requires.

Resolve multi-membership by the emphasised verb

Many real controls fit more than one type, so the category is usually fixed and the type follows the scenario's stated objective. A guard is always operational but reads as preventive (turning people away), deterrent (visibly patrolling), or detective (spotting an anomaly) depending on the sentence's emphasis. Anchor on the verb the stem stresses, and never default to compensating unless substitution language is explicit.

The taxonomy maps onto NIST SP 800-53 control families

The SY0-701 category/type vocabulary lines up with NIST SP 800-53 Rev. 5 control families: Physical and Environmental Protection ≈ physical; Access Control and System and Communications Protection ≈ technical preventive; Audit and Accountability ≈ technical detective; Contingency Planning and Incident Response ≈ corrective; Planning and Program Management policy families ≈ managerial/directive. The mapping is for understanding only: you don't need the two-letter family identifiers for SY0-701.

Defense in depth wants a deliberate mix of types

A program leaning entirely on preventive technical controls is brittle, and the exam-correct gap is usually missing detective controls (you can't see an incident you failed to prevent) and corrective controls (you can't recover from one). The right answer adds the absent lifecycle stage rather than stacking yet another preventive control on top of the ones already there.

Trap Answering a defense-in-depth gap with another preventive control: the missing piece is almost always the detective or corrective stage, not more prevention.

Fundamental Security Concepts

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Classify every control by which CIA leg it protects

The CIA triad is the three goals every security control serves: confidentiality (preserving authorized restrictions on access and disclosure), integrity (guarding against improper modification or destruction, including authenticity), and availability (timely, reliable access to information). SY0-701 items make you tag a control by its leg: encryption, access control, and masking serve confidentiality; hashing, digital signatures, and checksums serve integrity; redundancy, backups, and DDoS protection serve availability.

Trap Mislabeling which CIA leg a control serves, such as tagging hashing or a digital signature as confidentiality when both serve integrity.

6 questions test this
DAD names the violation of each CIA leg

DAD is the attacker-side mirror of CIA: Disclosure violates confidentiality, Alteration violates integrity, and Denial (or Destruction) violates availability. Use it to label incidents: a data leak is disclosure/confidentiality, tampering is alteration/integrity, and an outage is denial/availability.

Trap Mismatching a DAD term to its CIA leg, such as mapping Alteration to availability instead of integrity.

1 question tests this
The CIA legs trade off; they are not co-maximized

CIA goals are in tension, not three dials all pushed to maximum. Hardening confidentiality with heavy encryption and strict key custody can cost availability if a key is lost, and replicating broadly for availability widens the confidentiality attack surface. Good design balances the legs against data sensitivity and risk appetite rather than maxing one in isolation.

Non-repudiation proves who acted so they cannot deny it

Non-repudiation is assurance that a party cannot credibly deny having performed an action, such as sending a message or approving a transaction. NIST ties it to proof of origin verifiable by a third party via the signer's private key. It is a goal distinct from confidentiality and integrity: a system can keep data intact and secret yet still fail to prove which user produced it.

8 questions test this
Use a digital signature when you need integrity AND non-repudiation

A digital signature is the answer when a scenario demands both that a message was not altered and that one specific party demonstrably sent it, because it binds the action to the signer's private key. A plain hash or a symmetric MAC/HMAC gives integrity only: a hash carries no identity, and a MAC's shared key cannot single out one signer.

Trap Offering a hash or HMAC for non-repudiation: both prove integrity, but a shared MAC key can't pin the action to one signer.

6 questions test this
AAA runs authentication, then authorization, then accounting

AAA is authentication (proving who a subject is), authorization (determining what that proven identity may do, enforcing least privilege), and accounting/auditing (recording what it actually did). The order is load-bearing: authorization without prior authentication is meaningless, so a stem that authorizes before identifying is wrong.

Trap Conflating authorization with authentication, treating the check of what a subject may do as the same step that proves who it is.

10 questions test this
Know the five authentication factor categories the exam tests

SY0-701 tests five factor categories: something you know (knowledge: password, PIN), something you have (possession: TOTP token, smart card, hardware key), something you are (inherence/biometric: fingerprint, face, iris), somewhere you are (location: GPS/geofence, source IP), and something you do (behavior: typing cadence, gait). NIST's classic three are know/have/are; CompTIA adds location and behavior.

Trap Miscategorizing a factor, such as calling a smart card or hardware token 'something you know' when possession of the device makes it 'something you have'.

MFA combines factors from different categories, not duplicates

Multi-factor authentication requires more than one distinct TYPE of factor, not two of the same kind. A password plus a PIN is NOT MFA because both are 'something you know'; a password plus a TOTP code IS MFA because it pairs knowledge with possession. The category mix is the testable point, not the number of prompts.

Trap Counting password-plus-security-question (or password-plus-PIN) as MFA: two knowledge factors are still a single category.

People and systems authenticate by different means

SY0-701 separates authenticating people from authenticating systems. People use passwords, tokens, and biometrics; systems and devices use certificates (PKI), pre-shared keys, or hardware roots of trust, for example a server proving identity in a TLS handshake, or an endpoint presenting a device certificate via 802.1X.

Zero trust never grants trust from network location

Zero trust grants no implicit trust to an asset or account based solely on its physical or network location or ownership; every request is authenticated and authorized before access. The exam-portable idea: being inside the perimeter earns nothing. A flat internal network with implicit trust is exactly what zero trust replaces.

Trap Assuming traffic from inside the corporate LAN is trusted: under zero trust, internal location grants no implicit trust.

3 questions test this
Zero trust separates a control plane from a data plane

Per NIST SP 800-207, a zero-trust architecture uses a control plane to make and communicate access decisions and configure communication paths, kept logically separate from the data plane where application traffic flows once access is enforced. The decision channel and the traffic channel are distinct.

2 questions test this
The policy engine decides; the policy administrator executes

In NIST SP 800-207 the policy engine (PE) makes and logs the ultimate grant/deny/revoke decision using a trust algorithm fed by enterprise policy and external signals. The policy administrator (PA) executes that decision by establishing or tearing down the communication path between subject and resource. Deciding versus enforcing the decision are two distinct logical roles.

Trap Crediting the policy administrator with making the grant/deny decision when it only executes the decision the policy engine reaches.

PE plus PA form the PDP; the PEP is separate

NIST SP 800-207 groups the policy engine and policy administrator into one logical policy decision point (PDP). The policy enforcement point (PEP) is the distinct component that actually enables, monitors, and terminates the connection between the subject and the protected resource: it acts on the PDP's decision rather than making it.

Trap Having the policy enforcement point decide access when it only acts on the PDP's decision by enabling or terminating the connection.

3 questions test this
Zero-trust access is dynamic and adapts to context

Zero-trust access is governed by dynamic policy evaluated per request, not static perimeter rules. Adaptive identity adjusts trust using context such as device posture, observed behavior, and risk signals, so the same user may be allowed, challenged, or denied depending on conditions at that moment.

1 question tests this
Zero trust grants access per session with least privilege

Among the NIST SP 800-207 tenets the exam leans on: all data sources and computing services are treated as resources; all communication is secured regardless of network location; access to a resource is granted per session with least privilege and does not carry to other resources; and all authentication and authorization are dynamic and strictly enforced before access is allowed.

Trap Assuming one access grant carries over to other resources, when zero trust scopes each grant per session to a single resource.

Any touch of a decoy is high-confidence evidence of attack

Deception technology plants assets with no legitimate business purpose, so any interaction with them is high-confidence evidence of malicious activity. The false-positive rate is near zero because no normal user has a reason to touch a decoy, which makes deception an early, high-confidence intrusion-detection layer rather than a preventive control.

Trap Classifying deception as a preventive control, when planting decoys detects and alerts on intrusion rather than blocking it.

Honeypot is one decoy host; honeynet is a decoy network

A honeypot is a single decoy system with no legitimate purpose, alerting on any connection to it. A honeynet is a network of honeypots imitating a realistic environment, luring an intruder into exploring fake systems while generating intelligence on their tactics and lateral-movement patterns.

Honeyfile is a bait file; honeytoken is a bait record

A honeyfile is a decoy file (such as a fake passwords.txt) that triggers an alert when opened, copied, or exfiltrated. A honeytoken is a bogus data record: a fake credential, fake database row, or canary API key, whose use anywhere reveals a breach.

A decoy must hold no real data and grant no live access

A deception asset works as a tripwire only if it contains no real data and grants no live access. A poorly isolated honeypot or honeyfile becomes an attacker foothold rather than a detection mechanism, converting your tripwire into their pivot point.

Trap Stocking a honeypot with real credentials or live network reach to make it convincing: that turns the decoy into a usable foothold.

Cryptography and PKI

Read full chapter
  • Symmetric uses one shared key; asymmetric uses a public/private pair
  • Symmetric is fast for bulk data; asymmetric is slow and wraps keys
  • AES has a fixed 128-bit block; the key length changes rounds, not block size
  • Encrypt at the smallest scope that meets the requirement
  • Diffie-Hellman agrees a shared key; it is not a cipher
  • Key length only compares strength within an algorithm family
  • ECC reaches RSA-equivalent strength with a much shorter key
  • Hybrid crypto: asymmetric exchanges the key, symmetric encrypts the data
  • Hashing is one-way and keyless; it proves integrity, not confidentiality
  • SHA-2 is the default; SHA-1 is broken and a wrong answer
  • Salting defeats rainbow tables; key stretching slows each guess
  • PBKDF2 iterates an HMAC-based PRF to slow each derivation
  • HMAC gives keyed integrity and origin auth, but no non-repudiation
  • Digital signatures give integrity, authentication, and non-repudiation
  • FIPS 186-5 approves RSA, ECDSA, EdDSA; plain DSA is withdrawn
  • A CA binds an identity to a public key by signing the certificate
  • Offline root signs intermediates; intermediates issue leaf certs
  • Self-signed certs work internally but public clients reject them
  • A CSR sends the public key; the private key never leaves the subject
  • Wildcard covers one level of subdomains; SAN lists distinct names
  • CRL is a bulk periodic list; OCSP checks one cert in real time
  • OCSP stapling has the server attach the signed OCSP response
  • Key escrow enables recovery but concentrates decryption risk
  • Obfuscation: steganography, tokenization, and masking differ
  • Blockchain is an append-only ledger chained by hashes
  • Ephemeral DHE/ECDHE give forward secrecy; TLS 1.3 mandates it

Unlock with Premium — includes all practice exams and the complete study guide.

Change Management

Read full chapter
  • Unmanaged change is itself the vulnerability
  • Baseline changes only through change control
  • Approval gates the change before work begins
  • Ownership assigns end-to-end accountability
  • Stakeholders are identified and consulted first
  • Impact analysis runs before approval, judging security not downtime
  • Test results prove the change works before production
  • Backout plan restores the prior known-good state
  • Maintenance window confines disruptive work
  • SOP covers pre-approved standard changes
  • Allow lists default-deny; deny lists default-allow
  • Restricted activities bound the change to its approved scope
  • Service restart vs application restart
  • Downtime drives the need for a maintenance window
  • Dependencies make a single change cascade
  • Legacy apps force compensating controls
  • Update diagrams to match the post-change topology
  • Update policies and procedures after a control change
  • Version control is the evidence and rollback layer
  • Emergency change bypasses timing, not accountability
  • Undocumented changes evade monitoring

Unlock with Premium — includes all practice exams and the complete study guide.

Threats, Vulnerabilities, and Mitigations

Threat Actors and Motivations

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Classify a threat actor on three axes, not one label

SY0-701 Objective 2.1 profiles every actor on three axes, not a single tag: the TYPE (nation-state, unskilled attacker, hacktivist, insider threat, organized crime, shadow IT), the ATTRIBUTES (internal vs. external, resources/funding, level of sophistication/capability), and the MOTIVATION. No one clue names the actor: weigh access, resources, and the stated motive together before choosing a type, because techniques alone overlap across categories.

Trap Naming the actor from a single signal such as a sophisticated tool, when objective 2.1 deliberately separates type, attributes, and motivation.

4 questions test this
The nation-state profile is the APT: top resources, longest persistence

Nation-state is the actor type SY0-701 maps to the advanced persistent threat (APT) concept: not a synonym CompTIA lists, but the profile the term describes. NIST defines an APT as an adversary with sophisticated expertise and significant resources that uses multiple attack vectors to pursue its objectives repeatedly over an extended period, adapting to defenders. That means custom tooling, the highest funding and capability, and prolonged stealthy residence; the motivations are espionage and war.

Trap Treating APT as a kind of malware or a single named group, when the term describes the nation-state actor profile of sustained, well-resourced intrusion.

7 questions test this
Resources and sophistication rise together at the top tier

For top-tier actors, funding and technical capability move together: nation-states carry the highest resources and sophistication, and organized crime is high on both. The standout exception is the unskilled attacker: low capability that can still inflict high impact by running a borrowed, potent tool, so capability and impact are not the same axis.

Trap Reading high impact as proof of high sophistication, when a low-skill actor wielding a powerful off-the-shelf tool produces the same damage.

2 questions test this
Low sophistication never proves a low-tier actor

Sophistication is a weak identifier on its own: a capable actor may deliberately use crude, commodity tooling for deniability, and an insider may need only a single simple command. High impact does not prove high skill and a low-skill action does not prove an unskilled attacker: the access and the motive carry as much weight as the technique.

Trap Labeling any crude or low-skill action an unskilled attacker, when a capable actor may choose commodity tooling for deniability.

Organized crime is profit-driven, not statecraft

Organized crime is external, well-funded, and capable, but its defining motivation is money: financial gain, blackmail/extortion, and selling exfiltrated data, the ransomware-as-a-business profile. When its techniques resemble a nation-state's, the discriminator is money versus intelligence: a profit motive points to organized crime, a strategic/espionage motive to a state actor.

Trap Calling a polished, well-resourced intrusion a nation-state attack, when a financial-gain or extortion motive marks it as organized crime.

5 questions test this
Hacktivist is defined by cause, not budget or skill

A hacktivist is driven by philosophical or political belief and aims to disrupt, embarrass, or publicize: defacement, data leaks, DDoS. Sophistication and funding vary widely across hacktivists, so infer the type from an ideological/political motive plus a public, attention-seeking outcome, never from skill or resource level.

Trap Ruling out a hacktivist because the operation looked unsophisticated or low-budget, when the cause-driven motive is the defining attribute.

3 questions test this
Insider threat is defined by authorized access

An insider threat is anyone with legitimate, authorized access (employee, contractor, or partner) who uses it to harm the organization. NIST's definition turns on that access being used wittingly or unwittingly, so the defining trait is internal placement that bypasses the perimeter, not technical skill or malicious intent.

Trap Limiting the insider category to direct employees, when contractors and partners holding authorized access also qualify.

6 questions test this
Insider threats include the careless, not just the malicious

NIST's insider-threat definition covers both witting and unwitting misuse of authorized access, so an employee who clicks a phish or misconfigures a share is an insider-threat exposure even with no ill intent. Malicious insiders add deliberate motives (revenge, financial gain, and espionage) but intent is not required for the category to apply.

Trap Restricting insider threat to disgruntled, deliberate sabotage, when NIST explicitly includes the unwitting, negligent employee.

1 question tests this
Unskilled attacker is SY0-701's term for 'script kiddie'

SY0-701 retires 'script kiddie' and uses 'unskilled attacker' for the low-capability actor who runs tools, scripts, and exploits written by others without understanding the internals. Borrowed tooling can still cause serious damage, so the low skill level does not bound the impact.

Trap Looking for the term 'script kiddie' on the exam, when SY0-701's objective list names this actor 'unskilled attacker.'

5 questions test this
Shadow IT is a risk condition, not an adversary

Shadow IT is hardware, software, or cloud services deployed inside the organization without IT/security approval: unmanaged, unpatched, and invisible to defenders. SY0-701 lists it among threat actors, but it is a self-inflicted exposure the org creates rather than a hostile person; the actual attacker is whoever later exploits the unmanaged asset.

Trap Picturing shadow IT as an external attacker, when it is an internal, unapproved deployment that merely creates the opening.

7 questions test this
Internal vs. external decides which control fails first

The internal/external attribute determines which control breaks first: an external actor is meant to be stopped at the edge, while an internal (insider) actor sails past the perimeter and is caught only by least privilege, separation of duties, and user-behavior analytics (UEBA). Mapping the attribute to the failing layer is what 'best control' questions test.

Trap Reaching for a firewall or perimeter control to stop an insider, when an internal actor is already past the edge and is checked by least privilege and UEBA.

Motivation is the strongest disambiguator between actors

When two actor types share a technique, the stated motivation usually decides between them: espionage or war points to a nation-state; financial gain, blackmail, or data resale to organized crime; philosophical/political belief to a hacktivist; revenge to a disgruntled insider. SY0-701 lists these as distinct objective-2.1 motivations precisely so they can separate look-alike actors.

Trap Picking the actor from the shared technique, when the stated motivation is the field that separates look-alike actors.

2 questions test this
Data exfiltration splits by who benefits from the stolen data

Data exfiltration is an objective-2.1 motivation that maps to more than one actor, so it disambiguates by beneficiary: stealing for strategic intelligence implies a nation-state, while stealing to sell or extort implies organized crime. Use statecraft versus profit, not the act of exfiltration itself, to pick between them.

Trap Treating data exfiltration as a single-actor signal, when the beneficiary (strategic intelligence versus profit) decides between nation-state and organized crime.

'Ethical' is the authorized tester's motivation, not an attack

The 'ethical' motivation in objective 2.1 describes a penetration tester or bug-bounty researcher operating under rules of engagement: lawful and sanctioned activity. Never map it to a malicious actor or treat the activity as an incident to contain; it is listed to be contrasted with hostile motives, not grouped with them.

Trap Treating authorized, ethical testing as a breach to escalate, when it is sanctioned work performed under rules of engagement.

Match the mitigation to the actor's defining attribute

Best-control questions chain actor to attribute to control: insider (already inside) maps to least privilege, separation of duties, and UEBA; nation-state/APT (long dwell, custom exploits) to defense in depth and detective/behavioral controls; unskilled attacker (known public exploits) to patch management and hardening; shadow IT (unmanaged assets) to asset discovery, inventory, and acceptable-use policy. The control follows from the attribute, not the actor's name.

Trap Choosing the control by the actor's name, when the defining attribute (already-inside, long dwell, public exploit, unmanaged asset) dictates the best control.

Nation-states may run financial crime to fund their missions

Although nation-state actors are defined by strategic and espionage objectives, some (notably DPRK-linked groups) also run financially motivated operations such as cryptocurrency theft and even ransomware-as-a-service to fund those missions or mask intelligence-gathering. A financial-gain signal therefore does not by itself rule out a state-sponsored actor; weigh it against targeting and strategic intent.

Trap Ruling out a nation-state the moment a financial motive appears, when state-sponsored groups also run profit operations to fund or mask their missions.

4 questions test this
RaaS splits the operator who builds from the affiliate who deploys

Ransomware-as-a-Service is a division-of-labor model: an operator develops and maintains the payload, payment portal, and data-leak site, while affiliates rent those tools (often buying initial network access from access brokers) and carry out the actual intrusions. The affiliate keeps the majority of each ransom and the operator takes a cut (commonly ~30-40%), so the group that deploys ransomware against a target is the affiliate, not the developer.

Trap Attributing the intrusion to the ransomware developer, when under RaaS the affiliate is the party that selects the target and deploys the payload.

5 questions test this

Threat Vectors and Attack Surfaces

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A vector is one route; the attack surface is every route summed

A threat vector (attack vector) is the specific route of a single intrusion: one phishing email, one open port, one rogue USB. The attack surface is the aggregate of every reachable entry point: each interface, port, service, account, device, and human. So the vector answers how this one attack got in, while the attack surface is the total exposure you work to shrink. The two terms are not interchangeable on the stem.

Trap Treating "attack vector" and "attack surface" as synonyms: the vector is one path, the surface is the sum of all of them.

Classify a delivery vector by its channel or its payload container

Message-based vectors deliver lures or payloads over a messaging channel: email, SMS, or instant messaging; file-based vectors hide malicious code inside a document, script, archive, or executable the user opens; image-based vectors conceal payloads within image files via steganography or a malformed parser. The categories overlap deliberately: a phishing email (message-based) can carry a weaponized attachment (file-based), so classify by whichever the stem emphasizes: the delivery channel or the payload's container.

Trap Forcing a phishing email with a malicious attachment into one bucket, when it is both message-based delivery and a file-based payload; classify by what the stem emphasizes.

1 question tests this
Voice-call vectors enable vishing; removable media carries malware in or data out

A voice-call vector is the phone channel exploited for vishing. A removable-device vector (USB sticks and external media) both introduces malware and exfiltrates data, and is countered by device-control/USB-blocking policy, disabling autorun, and physically locking down ports. The removable-media risk is two-directional: it is as much a covert exfiltration path as an infection path.

Trap Treating a USB drive as only an inbound malware-infection risk, overlooking that the same removable media is a covert outbound data-exfiltration path.

1 question tests this
Unsecure-network vectors are fixed by encryption and segmentation, not just logging

Unsecure-network vectors include open or weakly encrypted wireless (including rogue APs and evil-twin APs), flat unsegmented wired LANs that let one foothold reach everything, and discoverable Bluetooth radios. Mitigate by closing the exposure itself: strong encryption (WPA2/WPA3), network segmentation, and disabling unneeded radios. Adding more logging is detective only: it watches the weakness without removing it.

Trap Answering "increase logging/monitoring" to reduce an unsecure-network vector: detection observes the exposure but does not shrink it.

Every listening port is an entry point: inventory and close what isn't needed

An open (listening) service port is a potential entry point and the first place attackers and assessors probe during discovery. Inventory listening ports and firewall or close anything not required; never leave high-value services such as RDP (3389), SMB (445), or admin consoles directly internet-facing, since those are top targets for brute-force and worm propagation.

Default credentials are a one-step compromise: change them before deployment

Factory-default usernames and passwords left on routers, IoT devices, databases, and admin consoles let an attacker in with a single publicly known value, and automated malware (e.g. Mirai) scans the internet for exactly these. The control is to change every default credential before the device goes into production: leaving a known default on a reachable device is a major, widely exploited risk.

Patchable software is a temporary vector; unsupported software is a standing one

Vulnerable software with an available patch is a vector only until you update it. Unsupported (end-of-life) software is a standing vector: the vendor ships no patches at all, so a known CVE stays exploitable indefinitely, which is why the exam-correct treatment for EOL is replacement. When you can't replace it yet, isolate and compensate with segmentation and virtual patching.

Trap Answering "keep patching" for end-of-life software: the vendor issues no patches, so the fix is replacement (or isolation), not a patch that doesn't exist.

Phishing, vishing, and smishing are the same con over different channels

The three differ only by delivery channel: phishing = fraudulent email, vishing = voice/phone call, smishing = SMS/text. The exam tests the medium word, so a text-message scenario is smishing even when the lure reads exactly like a phishing email. Match the term to the channel named in the stem, not to the content of the message.

Trap Calling a text-message scam "phishing" because the lure sounds email-like: the SMS channel makes it smishing.

5 questions test this
Spear phishing is targeted; whaling targets the executive

Spear phishing is phishing aimed at a named individual using researched personal detail, trading volume for higher conviction. Whaling is spear phishing specifically directed at a high-value executive (CEO, CFO). Bulk, generic, untargeted email is plain phishing: the discriminator is how specific and senior the target is.

Trap Labeling a targeted lure aimed at the CFO "spear phishing" when the senior-executive target makes it whaling.

3 questions test this
Pretexting supplies the fabricated backstory other attacks ride on

Pretexting invents a scenario or backstory that justifies an unusual request, for example posing as IT to "verify" a password. It is channel-agnostic and functions as a building block beneath many other social-engineering attacks rather than only as a standalone technique, so a stem that hinges on the believable cover story (not the delivery channel) is pointing at pretexting.

Trap Classifying an attack by its delivery channel when the stem turns on the fabricated cover story itself, which is what marks it as pretexting.

Impersonation borrows a person's trust; brand impersonation borrows a company's

Impersonation poses as a specific trusted person (a colleague, the help desk, an executive) while brand impersonation poses as a trusted company using spoofed logos, look-alike sites, or fake support pages. Both work by borrowing existing trust to lower the target's suspicion; the discriminator is whether the disguise is an individual or an organization.

Trap Picking plain impersonation for a spoofed-logo fake support page, when posing as the company rather than a specific person makes it brand impersonation.

BEC moves money via a spoofed exec or vendor: verify out-of-band

Business email compromise (BEC) spoofs or hijacks an executive or vendor email account to request a wire transfer or a change to payment/banking details. The tell is a money-movement or invoice/banking-change request appearing to come from leadership or a supplier; the exam-correct control is out-of-band verification (call a known number) never a reply to the email itself, which may be attacker-controlled.

Trap Replying to the suspicious email to confirm the wire request: if the account is hijacked, you are confirming with the attacker; verify on a separately known channel.

A watering-hole attack poisons a site the targets already trust

A watering-hole attack compromises a legitimate third-party website the target group routinely visits, so victims infect themselves while browsing a site they already trust and the attacker never contacts them directly. Because the malware is served from a legitimate, hard-to-blacklist site, the tell is a normally-trusted site suddenly serving malware to a specific population.

Trap Reading a watering-hole attack as direct phishing, when the attacker never contacts victims and instead poisons a trusted site they choose to visit.

5 questions test this
Typosquatting registers look-alike domains to catch mistyped URLs

Typosquatting (a form of URL hijacking) registers misspelled or homoglyph domains that mimic a real brand to capture users who mistype an address, then serves a phishing page or drive-by malware. It overlaps with brand impersonation, so the discriminator is the deceptive domain name itself: a look-alike URL rather than a spoofed message or logo alone.

Trap Labeling a mistyped-URL look-alike domain as brand impersonation, when the deceptive domain name itself is the defining feature of typosquatting.

2 questions test this
Misinformation vs. disinformation turns entirely on intent

Misinformation is false information spread without intent to deceive (an honest error passed along); disinformation is deliberately false content spread to mislead, as in a coordinated influence campaign. On SY0-701 the single discriminator is intent: deliberate falsehood is disinformation. Both are recognized threat vectors because they steer human decisions, and the controls are awareness, source verification, and authoritative channels.

Trap Calling deliberately planted false content "misinformation": intentional deception makes it disinformation.

Social engineering is countered by people and process, not a patch

Social engineering exploits the human (trust, urgency, authority, fear) rather than a software flaw, so the primary controls are security-awareness training plus process controls such as out-of-band verification of payment or credential changes. A technical fix like patching addresses a different problem; on a social-engineering stem the right answer is almost always training and verification procedure.

Trap Choosing "apply a patch" against social engineering: there is no software bug to patch; the exposure is human, so the answer is training and process.

1 question tests this
Supply chain extends your attack surface into trusted third parties

MSPs, hardware vendors, software suppliers, and open-source dependencies are part of your attack surface because compromising any of them reaches you through a trusted channel that installs with full trust. An MSP with broad remote access can breach many customers from one foothold, and a malicious update from a legitimate supplier installs without question: the trust that makes the relationship useful is exactly what the attacker rides in on.

Trap Scoping the attack surface to your own systems only, when trusted MSPs, suppliers, and dependencies reach you through channels that install with full trust.

7 questions test this
Manage supply-chain risk with due diligence, code signing, and an SBOM

Control supply-chain (MSP/vendor/supplier) risk with vendor due-diligence and security attestations, contractual security requirements, least-privilege access for third parties, code signing and integrity verification of updates, and a software bill of materials (SBOM) that enumerates exactly which dependencies you actually run. The SBOM is what lets you answer "are we affected?" fast when a dependency is found vulnerable.

Trap Reaching for a vulnerability scanner to answer "are we affected?" when an SBOM is what instantly enumerates which dependencies you actually run.

6 questions test this
Reduce the attack surface by removing exposure, not by watching it

The most effective way to reduce an attack surface is to remove or harden entry points: close unused service ports, change default credentials, decommission unsupported software, disable unused Bluetooth/wireless radios, segment the network, and minimize accounts. Adding a detective layer such as more logging does not shrink the surface: it only observes it, so on a "BEST way to reduce the attack surface" item the answer is elimination, not detection.

Trap Picking "add monitoring/logging" as the best way to reduce the attack surface: detection watches exposure without eliminating it.

Hardware implants and firmware tampering ride in below the OS

A hardware supply-chain compromise inserts unauthorized chips or modified firmware into a device during manufacturing or shipment, before it ever reaches the buyer. Because the implant lives below the OS, it evades antivirus and host IDS and mimics a legitimate component, so detection relies on physical inspection and firmware-integrity checks rather than software scanning, and buying from unauthorized resellers raises the risk.

Trap Trusting antivirus/EDR to catch a firmware implant: it operates beneath the OS, so software scanning can't see it; detection is physical and firmware-integrity based.

8 questions test this
Dependency confusion wins by publishing a higher-versioned public look-alike

In a dependency-confusion attack the adversary publishes a malicious package to a public repository using the exact name of a victim's internal/private package but with a higher version number. The package manager's resolution logic prefers the higher version, so it fetches the attacker's public package instead of the intended internal one and executes its code during the build. The defense is scoping/namespacing internal packages and pinning trusted sources so a public higher version can't win.

Trap Assuming a private package always beats a public one of the same name: the resolver picks the higher version number, which the attacker simply sets larger.

4 questions test this
Bluesnarfing silently steals data over Bluetooth; bluejacking only pushes messages

Bluesnarfing exploits a Bluetooth connection (often via the OBEX protocol on a discoverable device) to covertly copy data such as contacts, calendar entries, and emails without the owner's consent. Contrast bluejacking, which only pushes unwanted messages to a device and steals nothing; bluesnarfing exfiltrates data. The roughly 10-meter proximity requirement makes crowded public areas the typical setting, and disabling discoverability is the basic defense.

Trap Confusing bluesnarfing with bluejacking: bluejacking merely sends unsolicited messages, while bluesnarfing actually copies data off the device.

4 questions test this

Malware and Malicious Activity

Read full chapter
  • Classify malware by how it spreads before its payload
  • A virus attaches to a host file and runs only when the user does
  • A worm self-replicates across the network with no user action
  • A trojan is disguised software the user runs voluntarily
  • A RAT is the trojan payload that grants interactive remote control
  • A backdoor is the hidden re-entry path that bypasses authentication
  • A rootkit hides the attacker by subverting a privileged layer
  • Fileless malware runs in memory by abusing trusted LOLBins
  • Ransomware encrypts or locks access and extorts payment to restore it
  • Double extortion adds a data-leak threat on top of encryption
  • Spyware covertly collects user activity and reports it out
  • A keylogger is the spyware subtype that captures keystrokes
  • A logic bomb is defined by its trigger, not its spread
  • A botnet is many bots driven by one command-and-control channel
  • Bloatware is unwanted preinstalled software, not malware
  • Trojan, RAT, and backdoor are one delivery-to-control chain, not synonyms
  • Signature-AV failure points to fileless malware or a rootkit
  • Rootkit remediation is reimaging, not in-place AV removal

Unlock with Premium — includes all practice exams and the complete study guide.

Vulnerability Types

Read full chapter
  • A vulnerability is the weakness itself, not the attack on it
  • Buffer overflow writes past a buffer into adjacent memory
  • Memory injection writes attacker code into a running process
  • A race condition / TOCTOU exploits the gap between check and use
  • A malicious update rides in through the trusted patch channel
  • OS-based weaknesses are unpatched flaws or insecure defaults
  • SQLi runs server-side on the database; XSS runs in the victim's browser
  • Parameterized queries are the primary SQLi defense
  • Firmware flaws sit below the OS and survive a reinstall
  • End-of-life means no future patches, so replace it
  • Legacy systems you can't yet retire get isolated and compensated
  • VM escape breaks guest isolation through to the hypervisor
  • Resource reuse leaks residual data from unsanitized memory or storage
  • Cloud-specific weaknesses usually land on the customer's side of the line
  • Supply-chain flaws are inherited from a trusted vendor's product
  • Cryptographic weakness: weak algorithm, key, or randomness
  • Misconfiguration is a wrong setting, not a defect in the code
  • Sideloading and jailbreaking both strip a mobile device's protections
  • A zero-day has no patch or signature yet
  • The deeper in the stack a flaw sits, the bigger its blast radius
  • Match each vulnerability class to its owner and fix
  • Container escape stems from the shared host kernel

Unlock with Premium — includes all practice exams and the complete study guide.

Mitigation Techniques

Read full chapter
  • Every mitigation either shrinks the attack surface or contains the threat
  • Patch first when a vendor fix exists; compensating controls only buy time
  • Detection shortens dwell time but is not itself a mitigation
  • Hardening is the per-host bundle of surface-reduction controls
  • HIPS sits inline and blocks; HIDS only watches and alerts
  • EDR detects and responds; it does not pre-empt attack surface
  • Segmentation contains lateral movement by partitioning the network
  • Isolation reactively cuts off one already-compromised host
  • Least privilege caps the blast radius of a compromised identity
  • Access control is how you enforce least privilege
  • Application allow lists let only approved code run
  • Disabling ports/protocols and removing software erase what could be attacked
  • Changing default passwords closes a publicly documented door
  • Encryption at rest contains data loss when storage is stolen
  • Configuration enforcement keeps the hardened baseline from drifting
  • Secure decommissioning revokes, sanitizes, then de-inventories
  • Media sanitization picks Clear, Purge, or Destroy by data sensitivity and reuse
  • A host firewall both reduces surface and contains: still a mitigation
  • A compensating mitigation is a stopgap, never the primary answer
  • Test a patch before production to avoid a self-inflicted outage

Unlock with Premium — includes all practice exams and the complete study guide.

Indicators of Malicious Activity

Read full chapter
  • Reason backward from the indicator to the attack
  • SY0-701 groups attacks into six families on objective 2.4
  • Many failed logins on one account ending in lockout means brute force
  • Low failures across many accounts means password spraying
  • Impossible travel or concurrent sessions point to a stolen credential
  • Replay re-sends a captured valid authenticator to impersonate a user
  • Resource consumption plus inaccessibility is the denial-of-service signature
  • Amplification inflates the response; reflection redirects it at the victim
  • An on-path attacker sits between two parties to intercept or alter traffic
  • Injection makes the app run untrusted input as code or a query
  • Directory traversal walks ../ sequences out of the web root
  • CSRF abuses the victim's browser; SSRF abuses the server's trust
  • Privilege escalation is a principal acting beyond its granted rights
  • A downgrade attack forces a session onto a weaker protocol or cipher
  • A collision is two distinct inputs producing the same hash digest
  • The birthday paradox is why collisions are far cheaper than brute force
  • Physical brute force breaks a barrier, not a password
  • RFID cloning copies a proximity badge so the clone opens the same doors
  • An environmental attack hits power, cooling, or fire systems to kill availability
  • Missing logs where records should exist signal anti-forensics
  • Out-of-cycle logging flags activity at abnormal times
  • A block event reveals an attempt to reach or run something disallowed
  • Published/documented indicators are external IOCs you match against your telemetry
  • Correlate an indicator against change records before declaring an attack
  • Regular small outbound check-ins to one external host are C2 beaconing
  • DNS tunneling hides payload data in long encoded subdomains
  • Side-channel attacks read secrets from physical leakage, not the algorithm

Unlock with Premium — includes all practice exams and the complete study guide.

Security Architecture

Architecture Models

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Choosing a model re-divides responsibility, never removes it

Objective 3.1 tests the security implications of an architecture model, not how to build it. Every model fixes a boundary of responsibility: moving to cloud, SaaS, or a vendor offloads operational work but never deletes a security control. It only changes who owns each one. The exam-correct read of any model is therefore which controls shifted and which stayed with you.

Trap Treating a move to cloud or SaaS as eliminating a security requirement rather than reassigning who performs it.

2 questions test this
On-premises means you own the entire stack

On-premises puts everything on you: physical facility and HVAC, hardware, hypervisor, OS, application, and data. That buys maximum control and visibility (any agent, any log, any packet) but carries the full patching burden, physical-security cost, and capital expense. It is the baseline the cloud models are compared against on 3.1.

Trap Concluding that because on-premises gives you the most control it is automatically the most secure choice, when it also hands you the full patching and physical-security burden.

Cloud is a shared-responsibility split, not a transfer

Cloud divides security into "of the cloud" (the provider owns the physical datacenter, hosts, and virtualization layer) and "in the cloud," which the customer owns. Regardless of service model the customer always retains data, identities, and access management; those never shift to the provider. So a model only moves the lower-stack work, never accountability for who can touch the data.

Trap Assuming the provider's "of the cloud" duties cover your data and identities. Those stay with the customer in every model.

1 question tests this
The service model decides where the responsibility line sits

Service model sets how much you patch: IaaS leaves the customer the guest OS and everything above it (you patch the OS); PaaS hands you only the application and data (the provider patches the OS and runtime); SaaS leaves you essentially data, identities, and configuration. The more the provider manages, the smaller your patchable surface, and the less host-level visibility you keep. "Who patches the OS?" is the classic IaaS-vs-PaaS discriminator.

Trap Saying the customer patches the operating system in PaaS or SaaS. OS patching there belongs to the provider.

1 question tests this
Cloud offloads operations but not data accountability

Outsourcing to SaaS or a third-party vendor offloads day-to-day operations, but the data owner stays legally and contractually accountable for the data: its classification, protection, and compliance follow the owner, not the host. Any answer claiming "the provider assumes responsibility for your data confidentiality or compliance" is wrong by definition.

Trap Picking the option where signing with a cloud or SaaS provider transfers regulatory accountability for the data to that provider.

1 question tests this

Hybrid clouds and third-party vendors stitch separate estates together, and every interconnection and every vendor adds a trust boundary you didn't fully build. The combined system is only as secure as its weakest link, so the security posture is governed by the least-controlled estate, not your strongest one. This is why third-party/supply-chain risk reviews matter most in hybrid designs.

Trap Rating a hybrid design's security by your most-hardened estate when its real posture is set by the least-controlled interconnection or vendor.

Virtualization gives strong isolation but makes the hypervisor the surface

Virtualization runs full-OS guest VMs on a hypervisor (the component that manages the guests and mediates their access to hardware) giving strong tenant isolation. The new attack surface is the hypervisor itself: a VM escape lets code break out of a guest to reach the hypervisor or co-resident VMs, the worst-case virtualization flaw. VM sprawl and dormant snapshots quietly become unpatched, unmonitored assets.

Trap Assuming strong VM isolation makes the host irrelevant. A hypervisor compromise or VM escape exposes every co-resident guest.

1 question tests this
Containers are lightweight because they share the host kernel

Containers package an app with its dependencies and share the host OS kernel instead of booting a guest OS, making them far lighter and faster than VMs. The tradeoff is weaker isolation: a kernel exploit or container escape has a larger blast radius across every container on that host. Untrusted or unscanned images add supply-chain risk on top.

Trap Treating a container as equivalent isolation to a VM. The shared kernel makes a host-kernel flaw a shared-fate event.

VM vs container is an isolation-versus-density trade-off

Choose virtualization when you need the strongest isolation between tenants; choose containers when you need density, portability, and fast scaling and can manage image and kernel hygiene. The kernel-sharing that makes containers efficient is exactly what makes their isolation weaker than a VM's, so the right answer follows whether the scenario stresses isolation or speed/scale.

Trap Selecting containers for a scenario that demands the strongest tenant isolation, when the shared kernel makes a VM the stronger boundary.

Serverless shrinks the patchable surface but removes host visibility

In serverless (FaaS) the provider runs, patches, and scales the host and runtime; you supply only function code and its permissions. There is no persistent server to put an agent or host logs on, so host-level visibility is gone, and the dominant risks become an over-permissive execution role and insecure code dependencies. Least-privilege on the function's role is the control that matters most.

Trap Reaching for host-based agents or OS hardening to secure a serverless function. There is no host you control; secure the role and dependencies.

2 questions test this
Microservices contain blast radius but multiply east-west boundaries

Breaking a monolith into microservices improves fault isolation and limits blast radius, but it multiplies east-west (service-to-service) calls and authentication boundaries. Every inter-service call now needs its own authentication and authorization, which pushes designs toward mutual TLS and internal zero-trust rather than trusting the internal network. More services means more identities and connections to secure, not fewer.

Trap Assuming services inside the same network can trust each other implicitly. Each east-west call still needs authentication and authorization.

SDN centralizes policy and makes the controller a high-value target

Software-defined networking decouples the control plane from the data (forwarding) plane so policy is programmed centrally and the network becomes directly programmable. That enables fast, consistent policy, but it concentrates power in the logically centralized SDN controller: compromise it and an attacker can reprogram the whole network. Harden and tightly access-control the controller and its northbound APIs.

Trap Treating the SDN controller as just another network device. It is the single point that, if owned, reprograms the entire fabric.

1 question tests this
IaC is reproducible and auditable, but mistakes propagate at scale

Infrastructure as Code defines infrastructure in version-controlled templates, making environments reproducible, reviewable, and auditable. The flip side is scale: one bad definition, a hardcoded secret in a template, or unreviewed drift replicates to every environment the code provisions. So IaC's security depends on template/secrets scanning and peer review in the pipeline, not on the template language itself.

Trap Hardcoding a credential into an IaC template. Version control then copies the secret into every environment and its history.

12 questions test this
Centralized versus decentralized trades consistency for resilience

Centralized architecture (one management plane, one IdP, one chokepoint) makes consistent policy and monitoring easy but concentrates risk into a single point of failure and a prize target. Decentralized improves resilience and limits blast radius but makes uniform policy and full visibility harder to achieve. Neither is inherently more secure. The right answer follows whether the scenario prioritizes consistency or fault-tolerance.

Trap Declaring centralized architecture inherently more secure because of its single control point, when that same chokepoint is its single point of failure and prize target.

In ICS/SCADA, availability and safety outrank confidentiality

Operational technology (ICS/SCADA running physical processes) inverts the usual CIA priority: availability and integrity/safety come first, confidentiality last. A controller that keeps the process running safely matters more than a leaked sensor reading, because downtime or tampering can cause physical harm. NIST SP 800-82 is the authoritative reference for securing these systems.

Trap Applying the standard IT CIA ranking to OT and treating confidentiality as the top priority over keeping the process safely running.

1 question tests this
Protect ICS/SCADA by segmentation, not by patching fast

ICS devices run legacy or vendor-validated firmware with lifespans that can exceed 20 years, and many cannot run anti-malware; taking them offline or actively scanning them can disrupt real-time control. Per NIST SP 800-82, the accepted defense is segmentation (isolating OT from corporate IT into zones joined by controlled conduits) plus compensating controls, patching only after vendor validation in planned maintenance windows.

Trap Prescribing an immediate patch-now or active vulnerability scan against a live ICS device. Either can disrupt the real-time process.

1 question tests this
IoT, embedded, and RTOS are resource-constrained and vendor-locked

IoT, embedded systems, and RTOS run on limited CPU, memory, and power, so they often ship with weak or no crypto, no endpoint agent, and default or hardcoded credentials on vendor-locked firmware that may never be patched. Because you can't harden the device itself, the control is to isolate it on a dedicated segment/VLAN and monitor it from the network.

Trap Planning to install an endpoint agent or push regular patches to a constrained IoT/RTOS device that has no capacity or vendor path for either.

13 questions test this
An air gap removes network reach, not insiders or USB malware

An air gap physically isolates a network (the strongest segmentation, common around critical ICS) and removes the network-borne attack surface. It does not stop an insider, infected removable media/USB (the vector Stuxnet used to cross into air-gapped centrifuge controllers), or a supply-chain compromise. Treat an air gap as removing reachability, not as complete protection.

Trap Calling an air-gapped network immune to malware. Removable media and insiders still bridge the gap, as Stuxnet demonstrated.

Infrastructure Security

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A control only acts on traffic that reaches it

Device placement is the first infrastructure-security decision, because a control can only inspect or block the traffic that physically passes it. Put filtering and inspection capabilities on the trust boundaries between security zones, where traffic crosses and trust changes; a powerful appliance off the data path sees nothing and protects nothing.

Trap Buying a high-end firewall or IPS but cabling it outside the actual traffic path, so it never inspects the flows it was meant to guard.

Security zones group hosts by trust level

A security zone is a network segment of like trust: the untrusted internet, a public-facing screened subnet (DMZ) for internet-reachable servers, the trusted internal LAN, and a restricted management zone. Filtering controls live at the boundaries between zones, so a compromise in one zone does not flow freely into a more trusted one.

14 questions test this
Attack surface = every reachable interface, port, service, protocol

The attack surface is the full set of boundary points an attacker can reach to enter, affect, or extract data from a system (open ports, running services, exposed protocols, and interfaces) and it grows with connectivity. The cheapest reduction is removing reachability: close unused ports, segment zones, and funnel admin access through one entry, rather than bolting on more appliances.

Trap Trying to shrink the attack surface by stacking on more security appliances, when the real reduction is removing reachability by closing unused ports and services.

2 questions test this
Fail-closed protects security; fail-open protects availability

An inline control's failure mode decides what survives an outage: fail-closed (fail-secure) blocks all traffic when the device dies, preserving confidentiality and integrity, while fail-open passes traffic unfiltered, preserving availability. Set a control guarding regulated or sensitive data to fail-closed; choose fail-open only where an outage must never sever a network whose uptime matters more than inspection.

Trap Defaulting an inline appliance to fail-open in front of regulated data, so a device crash silently lets unfiltered traffic straight through.

Active blocks; passive only observes

An active device can modify or block traffic (drop a session, deny a flow) whereas a passive device only observes and reports. This attribute describes what the device is permitted to do and is independent of where it sits in the path, so blocking requires an active control regardless of placement.

Trap Conflating active/passive with inline/tap, when active versus passive describes what a device may do while inline versus tap describes where it sits in the path.

4 questions test this
Inline transits traffic; tap/monitor sees a copy

Inline means traffic physically flows through the device, so it can act on each packet; tap/monitor means the device receives a copy through a network tap or switch SPAN/mirror port and can only observe. Blocking therefore needs active-plus-inline placement, while non-disruptive visibility (analysis that can never accidentally drop production traffic) comes from passive-plus-tap.

Trap Expecting a device on a tap or SPAN/mirror port to block traffic, when it only receives a copy and so can observe but never drop the live flow.

4 questions test this
IDS detects and alerts; IPS blocks in real time

An IDS is passive and detective: it inspects a copied feed of traffic and raises alerts but cannot stop an attack in progress. An IPS has all of an IDS's detection ability plus the power to act: sitting inline, it drops or blocks the malicious session in real time. The deciding word is the verb: detect/alert points to an IDS, stop/block/prevent points to an IPS.

Trap Choosing an IDS to stop or block an active attack. It only watches a copy and alerts, so it can never sever the malicious flow.

3 questions test this
Jump server = single hardened admin entry point

A jump server (bastion host) is the sole audited entry into a protected zone, usually management: admins authenticate to it and reach internal hosts from there, so SSH/RDP are never exposed per-host and every session funnels through one logged choke point. The jump server itself must be hardened and tightly scoped, since it becomes the single most valuable target.

Trap Exposing SSH/RDP directly on each internal host to ease access, which scatters management ports across the network instead of one audited gateway.

8 questions test this
Proxy mediates requests; forward vs reverse differ by side

A proxy breaks the direct connection between client and server, accepting traffic on one side, processing it, and forwarding it on the other. A forward proxy sits between internal clients and the internet for egress filtering, caching, and content control; a reverse proxy sits in front of servers for TLS offload, hiding the origin, and distributing requests. Forward serves the clients; reverse serves the servers.

Trap Swapping the two and using a forward proxy to front and shield public servers, a job that belongs to a reverse proxy serving the server side.

2 questions test this
Load balancer distributes connections for availability and scale

A load balancer is active and inline in front of a server pool, spreading incoming connections across members so the service scales out and survives a member failure. It commonly also terminates TLS to offload encryption work and runs health checks, routing traffic only to members that pass them.

Trap Treating a load balancer as a security filtering control, when its job is distributing connections for availability and scale rather than inspecting or blocking attacks.

6 questions test this
Sensors are passive telemetry feeds for monitoring

Sensors are distributed collection points (typically passive, on taps or SPAN ports) that feed traffic telemetry to monitoring tools or a SIEM. They exist to observe and report, not to act: a sensor surfaces what is happening but does not block it, so the blocking decision belongs to an inline control downstream.

Trap Expecting a passive sensor to block or drop traffic, when its tap/SPAN copy lets it only see and report, never intervene.

Layer 4 firewall is blind to payload content

A layer 4 (transport) firewall filters on IP address, port, protocol, and connection state (fast, but unconcerned with the content of packets). It cannot distinguish a benign HTTP request from one carrying a SQL-injection string, because both ride the same allowed port; stopping a payload-borne attack needs a layer 7 device that inspects the actual data.

Trap Reaching for a layer 4 / stateful firewall to stop SQL injection or other web-app payload attacks it physically cannot read.

WAF is a layer 7 control for web-application attacks

A web application firewall inspects HTTP/HTTPS payloads (methods, URLs, headers, and body) to block application-layer exploits such as SQL injection and cross-site scripting, the attacks a port/IP filter cannot see. It is the right answer when the threat is a web-app payload attack; deploy it inline in front of the public web tier.

Trap Treating a WAF as a general network firewall. It specializes in HTTP/HTTPS web exploits, not broad IP/port segmentation.

NGFW adds app awareness, identity, and IPS to stateful filtering

A next-generation firewall extends stateful layer 3–4 filtering with application awareness, user identity, deep packet inspection, and integrated intrusion prevention in a single engine. Choose it when the enterprise perimeter needs policy that decides on the actual application and user, not just IP and port, without stacking separate appliances.

Trap Picking a UTM for an app- and identity-aware enterprise perimeter, when its all-in-one branch focus lacks the deep application and identity policy an NGFW delivers.

UTM bundles multiple security functions in one box

Unified threat management consolidates firewall, IDS/IPS, antivirus, and content/URL filtering into a single appliance and console, trading best-of-breed depth for simplicity. It fits small offices and branch sites where running and staffing separate appliances is impractical, accepting that one box doing everything is a single point of both failure and performance ceiling.

Trap Putting a single UTM at a high-throughput enterprise core, where its all-in-one inspection becomes the bottleneck and single point of failure.

Firewall layer determines what it can decide on

Match the firewall to the decision the question demands: IP/port/state only points to a layer 4 (stateful) firewall; HTTP payload attacks point to a WAF or layer 7 device; an app- and identity-aware enterprise perimeter points to an NGFW; an all-in-one for a small or branch site points to a UTM. The layer a device reads bounds the policy it can enforce.

Screened subnet (DMZ) isolates internet-facing hosts

A screened subnet (DMZ) is a buffer network inserted between the untrusted internet and the internal LAN, behind firewall policy, that holds internet-reachable servers like web and mail. It gives outside users restricted access to public services while shielding internal systems, so compromising a public host does not hand an attacker direct reach into the internal network.

Trap Placing internet-facing servers directly on the internal LAN, so one compromised public host opens a straight path to internal systems.

8 questions test this
Port security limits a switch port to approved MAC addresses

Port security is a layer 2 switch control that restricts which and how many MAC addresses may use a physical port, shutting down or restricting the port on a violation: the go-to control for keeping rogue devices in open wall jacks off the network. Because MAC addresses are easily spoofed, it is a basic safeguard rather than strong device authentication; 802.1X with EAP is the stronger answer when the requirement is to admit only authenticated devices.

Trap Relying on MAC-based port security as strong device authentication, when spoofing an allowed MAC defeats it. 802.1X is the real control.

5 questions test this

Data Protection Strategies

Read full chapter
  • Data type and classification are two different axes
  • Regulated data is governed by an external law or standard
  • The classification label, not discretion, sets the required controls
  • Human-readable vs non-human-readable data determines the control
  • Each data state needs its own protection method
  • Data in use is the hardest state to protect
  • Encryption is the reversible confidentiality default
  • Hashing is one-way, never for recoverable data
  • Tokenization swaps the value out and shrinks compliance scope
  • Masking is a presentation-layer control, not storage protection
  • Obfuscation is broader and weaker than encryption
  • Segmentation isolates the breach blast radius
  • Permission restrictions enforce least privilege on data
  • Data sovereignty follows the data's physical location
  • Geolocation finds where data is; geographic restrictions control where it may go
  • Classify data first, then choose its controls
  • DLP stops exfiltration at the boundary; IRM controls use after sharing
  • IRM rights travel with the file, even onto unmanaged devices
  • Static data masking is a one-way, format-preserving copy for test and dev
  • A unique per-password salt defeats rainbow tables

Unlock with Premium — includes all practice exams and the complete study guide.

Resilience and Recovery

Read full chapter
  • RTO is downtime tolerance, RPO is data-loss tolerance
  • RTO must normally be shorter than MTD
  • Shorter RTO costs more
  • Hot, warm, and cold sites trade cost for readiness
  • Geographic dispersion defeats regional disasters
  • Load balancing scales; clustering fails over
  • High availability is not a backup
  • Platform diversity reduces correlated failure
  • Multi-cloud limits vendor and outage dependence
  • Backup frequency sets the RPO
  • Offsite backups survive site loss; encrypt them
  • Snapshots are point-in-time rollback, not offsite backups
  • Replication is not a backup
  • Journaling rolls forward to a precise point
  • An untested backup is just an assumption
  • UPS bridges; the generator sustains
  • A tabletop exercise is discussion-only
  • Parallel processing tests recovery without cutover
  • COOP keeps essential functions running
  • Capacity planning sizes people, technology, and infrastructure
  • MTBF measures reliability, MTTR measures repair speed
  • High availability defends the availability leg of CIA

Unlock with Premium — includes all practice exams and the complete study guide.

Secure Communication and Network Access

Read full chapter
  • AH gives integrity and authentication but never encrypts (proto 51)
  • ESP encrypts the payload, which is why real VPNs use it (proto 50)
  • AH breaks across NAT; ESP with NAT-T survives it
  • Tunnel mode wraps the whole packet in a new IP header
  • Transport mode protects only the payload, keeping the original header
  • IKE builds the keying channel first, then the SAs that carry data
  • Treat IKEv2 as the modern default and IKEv1 as legacy
  • TLS 1.2 is the mandatory floor and TLS 1.3 the preferred version
  • TLS 1.3 makes forward secrecy mandatory and handshakes in 1-RTT
  • Forward secrecy keeps a stolen server key from decrypting past sessions
  • A TLS VPN rides 443; IPsec needs ESP plus the IKE ports opened
  • Swap each plaintext protocol for its encrypted equivalent
  • SFTP and FTPS are separate protocols, not two names for one
  • Full tunnel inspects every flow; split tunnel leaves some uninspected
  • SD-WAN policy-steers WAN traffic across multiple transports
  • SASE delivers networking and security together from the cloud edge
  • ZTNA grants access per application, not to the whole network
  • 802.1X uses supplicant, authenticator, and authentication server
  • EAP travels as EAPOL between supplicant and authenticator
  • EAP-TLS is the strongest; PEAP and EAP-TTLS tunnel a password
  • RADIUS hides only the password; TACACS+ encrypts the whole body

Unlock with Premium — includes all practice exams and the complete study guide.

Security Operations

Computing Resource Security

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A secure baseline is established, deployed, then maintained

Objective 4.1 frames the secure baseline as three actions, not a one-time document: establish the hardened reference config, deploy it identically to every in-scope device, and maintain it by continuously checking for and correcting configuration drift. The maintain step is the control's backbone: a baseline that is set once and never re-enforced decays into drift, so continuous compliance checking is part of the baseline, not an add-on.

1 question tests this
Deploy a baseline by golden image, GPO, or MDM profile

Identical, repeatable deployment is what makes a baseline measurable: push it as a golden image for workstations and servers, as Group Policy Objects (GPOs) across a Windows domain, or as an MDM configuration profile for mobile. Every device then boots in the same known-good state, so any later deviation is detectable drift measured against one reference rather than guesswork.

1 question tests this
Hardening removes reachable function and is target-specific

Hardening shrinks the attack surface by disabling unneeded services and ports and constraining what remains, but there is no universal checklist, because the right technique follows the target (workstation vs switch vs server vs cloud vs ICS). The exam rewards matching the measure to the device's constraints; a generic "just harden it" answer ignores that an ICS controller and a workstation accept entirely different controls.

Harden ICS/SCADA, embedded, and RTOS by isolation, not patching

Operational-technology targets (ICS/SCADA, embedded systems, RTOS) often run for 20+ years on vendor-unsupported software that cannot be patched on a normal cycle, and anti-malware frequently isn't available for PLCs/DCS, so AV/EDR requirements can't be met on those endpoints. The correct hardening is network segmentation/isolation plus compensating controls (e.g., a deep-packet-inspection firewall, Purdue-model zones), because the device can't defend itself.

Trap Applying a workstation playbook to a PLC: "schedule the patch" or "install antivirus" on a SCADA device that supports neither.

5 questions test this
IoT hardening: change defaults and segment onto its own VLAN

IoT devices ship with weak default security at scale, so core hardening is replacing default credentials, applying firmware updates where the vendor offers them, and placing the device on a dedicated/segmented VLAN. Segmentation is the load-bearing control: a compromised sensor confined to its own VLAN cannot pivot into the production network even when it can't otherwise be secured.

Trap Leaning on firmware updates as the primary IoT control, when many IoT devices never receive patches and segmenting them onto their own VLAN is what actually contains a compromise.

Switch/router hardening locks down the management plane

Network-device hardening disables unused ports, replaces Telnet with SSH so management traffic is encrypted rather than plaintext, changes default credentials, and restricts who can reach the management plane (e.g., dedicated management network/ACLs). The goal is to remove cleartext administration and cut the number of reachable interfaces an attacker can probe.

Trap Keeping Telnet for management because it is on an "internal" network, when Telnet still ships credentials in cleartext that anyone sniffing the segment can read.

Site survey plus heat map place APs and expose rogues

Securing Wi-Fi starts with measuring the RF environment: a site survey captures real signal strength, interference, and neighboring networks, and a heat map visualizes coverage so access points land where signal is adequate and where rogue APs or interference appear. Coverage that bleeds past the building wall is itself an exposure, letting an outsider reach the SSID from the parking lot.

Trap Treating excess Wi-Fi coverage as purely a performance concern, when signal bleeding into the parking lot is an attack surface, not just wasted range.

The mobile deployment model sets the control ceiling

The deployment model fixes device ownership, and ownership caps how much the organization may control. BYOD = employee-owned personal device, lowest control (corporate work container, selective wipe only). CYOD = corporate-owned but chosen by the employee from an enterprise-approved list and required to run the management agent; company ownership allows high control (full MDM, full-device wipe), like COPE. COPE = corporate-owned, personally enabled, highest control (full MDM, full-device wipe). Ownership, not who picked the device, is what decides the ceiling.

Trap Calling CYOD employee-owned because the user picks the model: the company buys and owns the device, so it allows a full-device wipe like COPE, unlike employee-owned BYOD.

3 questions test this
Wipe granularity follows ownership: BYOD (employee-owned) gets a selective wipe; corporate-owned (CYOD/COPE) get a full wipe

Wipe granularity follows ownership. On the employee-owned BYOD device the organization may only selectively/enterprise-wipe the corporate container; it cannot erase the employee's personal data. On corporate-owned devices (CYOD and COPE) it may perform a full-device wipe of the entire user partition. "Remove company data without touching personal files" → BYOD + selective wipe.

Trap Treating CYOD like BYOD: CYOD is corporate-owned (like COPE), so a full-device wipe is allowed. Only on employee-owned BYOD does a full wipe wrongly destroy the employee's personal data.

4 questions test this
MDM is the engine that enforces mobile policy

Mobile device management (MDM), part of an EMM/UEM suite, pushes the configuration profile and enforces device encryption, passcode/screen-lock timeout, application allow/deny lists (allowlist preferred), and remote lock/wipe. It is the mechanism that turns the deployment-model policy into settings actually applied on the device, rather than a policy that only exists on paper.

5 questions test this
MDM treats each mobile connection method as attack surface

A mobile device's connection methods (cellular, Wi-Fi, Bluetooth, NFC, and USB tethering) are each a reachable attack surface, and MDM policy can disable or restrict any of them. Turning off unused radios and interfaces is part of mobile hardening: a disabled Bluetooth or NFC stack is one fewer wireless entry point to exploit.

WPA3 uses SAE to defeat offline PSK dictionary attacks

WPA3-Personal replaces WPA2's pre-shared-key four-way handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange (the Dragonfly handshake, RFC 7664) that is resistant to offline dictionary attack: an attacker who captures the exchange cannot brute-force the passphrase offline, because any advantage requires live interaction with a participant. WPA3 also adds forward secrecy. "Stop offline cracking of the Wi-Fi passphrase" → WPA3/SAE, not WPA2-PSK.

Trap Picking WPA2-PSK with a longer passphrase: a captured WPA2 handshake still cracks offline; only SAE removes that offline path.

1 question tests this
WPA3-Enterprise authenticates each user via 802.1X/EAP to RADIUS

WPA3-Personal shares one SAE passphrase among everyone; WPA3-Enterprise authenticates each user individually through 802.1X/EAP to a RADIUS (AAA) server, so credentials are per-user and revocable instead of one secret the whole office holds. "Give each wireless user individual, revocable credentials" → WPA3-Enterprise + 802.1X/RADIUS, revoking one user never forces a network-wide passphrase change.

Trap Choosing WPA3-Personal for an office that needs per-user revocation, when its single shared SAE passphrase forces a network-wide change every time one person leaves.

Input validation is the first-line defense against injection and overflow

Input validation checks input for expected type, length, format, and range before it is processed, preferably with an allow-list (accept known-good) rather than a deny-list that is full of bypassable loopholes. It is the foundational defense against injection and buffer-overflow classes, where crafted oversized or malformed input is the attack, paired with parameterized queries for SQLi specifically. Validate server-side: client-side checks are a usability aid an attacker simply bypasses.

Trap Relying on client-side (JavaScript) validation as the security control: an attacker hits the API directly and skips the browser entirely.

2 questions test this

Session cookies are hardened with three attributes: Secure (sent only over HTTPS, never plaintext HTTP), HttpOnly (unreadable by JavaScript/document.cookie, which blunts XSS token theft), and SameSite (limits whether the cookie rides cross-site requests, reducing CSRF exposure). Together they keep the session token off cleartext channels and out of reach of injected scripts and forged cross-site requests.

Trap Assuming the Secure flag stops script theft of the cookie, when Secure only forces HTTPS and HttpOnly is what hides the token from JavaScript.

Sandboxing isolates untrusted code from the host

Sandboxing runs untrusted code or files in an isolated environment with restricted access to host resources, so a malicious payload executes but stays contained. It is the standard way to detonate a suspicious file and observe its behavior before trusting it. "Run an unknown executable safely to watch what it does" → sandbox, not the production host.

2 questions test this
Monitoring is the detective backstop after preventive hardening

Hardening, input validation, and sandboxing are preventive; monitoring the computing resource is the detective layer that confirms it still matches its baseline and surfaces the behavior earlier controls were meant to block but might have missed. It closes objective 4.1's resource-security loop: prevention narrows the openings, monitoring catches what slips through.

Trap Classing monitoring as a preventive control, when it is detective, catching what slipped past hardening rather than blocking it up front.

Cloud-infrastructure hardening = least privilege plus no public exposure

Hardening cloud infrastructure centers on least-privilege IAM, tight security groups, disabling public access to storage and endpoints, encryption, and logging. Under shared responsibility the provider secures the underlying platform, but the customer owns hardening their own identity, network exposure, and resource configuration: a world-readable storage bucket is the customer's misconfiguration, not the provider's.

Trap Assuming the cloud provider hardens your resources: public buckets, over-broad IAM, and open security groups are the customer's side of shared responsibility.

MDM geofencing applies policy by device location

Geofencing uses GPS or network location to draw a virtual perimeter around a place, and an MDM automatically tightens or relaxes policy when a managed device crosses that boundary. It is the capability used to suspend sensitive apps, lock the work container, or disable the camera when a device leaves an approved facility: location becomes a policy condition rather than relying on the user to comply.

Trap Confusing geofencing with geotagging, when geofencing enforces policy across a location boundary while geotagging only stamps location metadata onto a file.

5 questions test this
Containerization and MAM isolate corporate data on personal devices

On employee-owned devices, containerization carves out an encrypted, isolated workspace that separates corporate apps and data from personal content and enables a selective wipe of only the corporate container. Mobile application management (MAM) applies the same app-level data-protection and DLP controls without enrolling the whole device, which sidesteps employees' privacy concerns about IT seeing their personal device, the common adoption blocker for BYOD.

Trap Choosing full-device MDM enrollment for a privacy-sensitive BYOD fleet, when MAM protects corporate apps without enrolling the whole personal device.

9 questions test this

Asset Management

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Asset management is a four-stage lifecycle control

SY0-701 objective 4.2 treats asset management as one security control spanning four stages, applied to hardware, software, and data: acquisition/procurement, assignment/accounting, monitoring/tracking, and disposal/decommissioning. Each stage carries a security action, so a gap anywhere (an un-inventoried, un-owned, or un-sanitized asset) is the security weakness the exam probes.

Procurement is the entry gate for security requirements

Acquisition/procurement is where security requirements are defined and suppliers are vetted for supply-chain risk before anything is bought, keeping unmanaged, unpatchable devices off the network. It also records licensing and warranty; buying around approved procurement is precisely how shadow IT enters.

Trap Treating procurement as a finance-only step rather than the gate that sets security requirements and vets suppliers.

1 question tests this
Every asset needs an assigned owner and a data classification

Assignment/accounting records an owner, the person accountable for the asset's config, patching, access, and disposal decisions, which is a security role, not legal title, plus a data classification, the sensitivity label that drives which controls and which sanitization method apply. An asset with no owner or no classification is a control gap.

Trap Reading ownership as legal title to the hardware rather than accountability for its security decisions.

1 question tests this
You can't protect what isn't in the inventory

An accurate asset inventory is the foundation every other control depends on: vulnerability scanning, patching, and incident scoping all reach only what's recorded. Enumeration (active discovery) keeps the inventory matching reality instead of drifting from it.

7 questions test this
Shadow IT and ghost assets are un-tracked risk

Shadow IT (assets brought in without approval) and ghost or orphaned assets (still connected but with no owner or inventory record) sit outside patching and monitoring, which makes them attacker-preferred entry points. Asset tracking and enumeration are what surface them.

Trap Conflating shadow IT (unapproved assets users introduce) with ghost or orphaned assets (formerly tracked, now ownerless but still connected).

8 questions test this
NIST SP 800-88 defines exactly three sanitization categories

Media sanitization has three categories, and they are the basis of every SY0-701 disposal question. Clear applies logical techniques to all user-addressable storage to block simple non-invasive recovery (media stays usable); Purge renders data recovery infeasible even with state-of-the-art lab techniques while leaving media reusable; Destroy reaches that same lab-infeasible bar but also makes the media unusable.

Clear = overwrite, media stays usable

Clear writes non-sensitive data over all user-addressable storage (or applies a factory reset where rewriting isn't supported) to defeat standard read-back tools. It fits low-confidentiality data that stays under organizational control, and the media remains fully reusable afterward.

Trap Assuming Clear defeats state-of-the-art lab recovery, when it only blocks simple non-invasive read-back tools.

Purge resists lab recovery yet keeps media reusable

Purge renders data recovery infeasible even with state-of-the-art laboratory techniques while leaving the drive reusable, so it can be redeployed or sold. Its methods are cryptographic erase, block erase / ATA Secure Erase, and degaussing of magnetic media, applied through dedicated sanitize commands, not ordinary file deletion.

Trap Counting an ordinary file deletion or quick format as a Purge technique instead of a dedicated sanitize command.

Destroy physically ruins the media

Destroy (shred, disintegrate, pulverize, incinerate, or melt) makes data unrecoverable by state-of-the-art lab techniques and leaves the media permanently unusable. Choose it for high-confidentiality data with no reuse need, or for media that cannot be reliably purged.

Method = data confidentiality + reuse vs. release

SP 800-88 picks the category from two factors: the data's confidentiality and whether the media will be reused or leave organizational control. Low-confidentiality staying internal selects Clear; moderate/high, or any media reused or leaving the org, selects Purge; high-confidentiality with no reuse (or media that can't be reliably purged) selects Destroy.

Trap Choosing the sanitization category from media type alone, ignoring data confidentiality and whether the media will be reused or released.

Cryptographic erase is a Purge technique

Cryptographic erase (CE) sanitizes by destroying the data's encryption key, leaving only unrecoverable ciphertext: a Purge-level method, not Destroy, that completes in a fraction of a second regardless of disk size. It is valid only when the data was strong-encrypted from the start (e.g. a self-encrypting drive); enabling encryption after sensitive data was already written makes CE unsafe. This is why full-disk encryption at rest enables fast disposal later.

Trap Using cryptographic erase on a drive where encryption was turned on only after sensitive data had already been written in the clear.

Degaussing does nothing to SSDs/flash

Degaussing destroys magnetic fields, so it purges HDDs and tape but is useless on SSDs and flash, which store data in non-magnetic cells; NIST says it should never be solely relied upon for flash-based media. For SSDs, use the drive's built-in cryptographic or block erase, or physically destroy it.

Trap Reaching for a degausser to sanitize an SSD: a classic SY0-701 wrong answer, since flash isn't magnetic.

Overwriting is unreliable on SSDs

Wear-leveling on SSDs silently relocates data to spare cells that an overwrite pass can't directly address, so Clear-by-overwrite can leave recoverable data behind. Use the drive's dedicated cryptographic or block erase command instead.

Trap Trusting a multi-pass overwrite to sanitize an SSD, when wear-leveling hides data in spare cells the overwrite can't reach.

Sanitization must be verified and certified

Sanitization is verified (by full verification or representative sampling (NIST suggests covering at least ~10% of the addressable space), ideally by someone other than who performed it) and documented with a Certificate of Sanitization. The certificate records the media identifier (serial / property number, media type), the category (Clear/Purge/Destroy), the method, the verification method, and the name, date, and signature for both steps. For outsourced destruction, that certificate plus chain of custody is the audit proof, not the vendor's invoice.

Trap Accepting a destruction vendor's invoice or receipt as audit proof instead of the Certificate of Sanitization plus chain of custody.

1 question tests this
Data retention constrains when disposal may happen

Data-retention requirements (legal, regulatory, or business) set the minimum period data must be kept before destruction, and a legal hold freezes deletion of data relevant to litigation. Disposal proceeds only once the retention clock has expired and no hold is in place.

Trap Proceeding with disposal once the retention period expires while a legal hold is still active on that data.

1 question tests this
Keeping data too long vs. destroying too early

Retention is a two-sided balance. Holding data longer than needed enlarges breach blast radius and can violate data-minimization rules; destroying it before a retention requirement is met, or while a legal hold is active, creates spoliation liability. The exam tests recognizing both failure directions.

Trap Treating indefinite retention as the safe default, overlooking the larger breach blast radius and data-minimization violations it causes.

Pick Purge for reusable media, not Destroy

When a scenario says the media will be reused or sold, the answer is Purge, not Destroy, because Destroy ruins the media, and reaching for a degausser on an SSD is the other classic wrong answer. Anchor disposal choices to data confidentiality, reuse-vs-release, and media type rather than defaulting to the most aggressive option.

Trap Defaulting to Destroy for any sensitive drive even when the media is slated for reuse, where Purge is the correct, media-preserving choice.

Vulnerability Management

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Vulnerability management is a continuous lifecycle, not a one-time scan

SY0-701 objective 4.3 frames vulnerability management as a repeating loop (identify, analyze/prioritize, respond, validate, report, then repeat) so a scan report is an input, not the finish line. The exam-correct stance treats findings as something to confirm, fix, and re-scan rather than blindly patching the raw list. Residual risk and accepted exceptions from one cycle feed the next.

2 questions test this
Credentialed scans cut both false positives and false negatives

A credentialed (authenticated) scan logs into the host and reads installed versions, patch levels, and configuration directly, making it far more accurate than a non-credentialed scan that only probes from outside and over-reports. Authenticated reading lowers BOTH error types: fewer false positives (less guessing from banners) and fewer false negatives (it sees internal flaws an external probe can't). Choose credentialed when accuracy matters.

Trap Assuming a non-credentialed external scan is just as accurate: it over-reports and misses internal flaws a login would reveal.

5 questions test this
Active scans send probes; passive scans only observe traffic

An active scan sends packets and probes to the target, which can disrupt fragile or legacy systems, whereas a passive scan watches existing traffic without touching the host. Pick passive for sensitive, legacy, or production-critical systems you cannot risk crashing, accepting that it only sees what crosses the wire. Active gives deeper coverage where the host can tolerate it.

Trap Running an active probe scan against a fragile legacy or OT host you can't afford to crash, where passive observation was the safe choice.

SAST reads source code; DAST exercises the running app

Static application security testing (SAST) analyzes source code without executing it (white-box, early in the SDLC) and catches code-level flaws like buffer overflows and injection. Dynamic application security testing (DAST) tests the running application from the outside (black-box, later) and catches runtime and configuration flaws. They are complementary: SAST finds the flaw in the code, DAST finds what's exploitable when it runs.

Trap Calling testing of a live running application SAST: exercising the running app from outside is DAST; SAST never executes the code.

2 questions test this
Package/dependency analysis flags vulnerable third-party libraries

Package (software composition) analysis inventories third-party and open-source dependencies and flags those with known CVEs, addressing supply-chain risk in components you did not write. It covers the blind spot SAST and DAST of your own code miss: a vulnerable library you merely imported. This is why a known-vulnerable dependency shows up here, not in a scan of your own source.

Trap Expecting SAST or DAST of your own code to catch a vulnerable imported library, when an unmodified third-party dependency surfaces only in software composition analysis.

Pen testing actively exploits to prove impact; scanning only detects

A penetration test is a human, per NIST, attempting to "circumvent or defeat the security features of a system", actively exploiting and chaining flaws to prove real-world impact. A vulnerability scan only automatically checks targets against a database of known flaws and reports possible existence. So a stem describing someone who actively exploits to demonstrate impact points to a pen test, not a scan.

Trap Picking vulnerability scanning when the stem says the tester actively exploited flaws to prove impact: that's a penetration test.

Bug bounty and responsible disclosure intake external researcher reports

Responsible (coordinated) disclosure gives external researchers a structured channel to report flaws, with the issue going public only after the vendor has had time to patch; a bug-bounty program adds a reward for those reports. Both are legitimate identification inputs and beat ignoring or threatening the reporter. Threat feeds and OSINT supply related external context like newly weaponized CVEs.

Trap Treating an external researcher's report as a threat to silence, rather than intake through responsible disclosure or a bug-bounty channel.

Confirmation matrix maps scanner result against ground truth

The four outcomes pair what the scanner said with what is really there: true positive = a real flaw correctly flagged (remediate); false positive = flagged but absent (noise to verify and dismiss); true negative = correctly reported clean; false negative = a real flaw the scan missed. NIST SP 800-115 defines a false positive as "an alert that incorrectly indicates that a vulnerability is present." Knowing which quadrant a described result lands in is the testable skill.

2 questions test this
A false negative is the most dangerous scan error

A false positive only wastes analyst time verifying a flaw that isn't there, but a false negative is a real, unfound flaw nobody investigates: the genuinely dangerous outcome. Credentialed scanning and follow-up penetration testing exist largely to shrink the false-negative rate by seeing what an external probe misses. When a question ranks the errors by risk, false negative wins.

Trap Ranking a false positive as the worst error: it only wastes time; the false negative is the unfound real flaw nobody chases.

A CVE names the flaw but assigns no severity

A CVE (Common Vulnerabilities and Exposures) is a unique identifier for one publicly known vulnerability, formatted CVE-YYYY-NNNNN (e.g., CVE-2021-44228 / Log4Shell). The identifier only names and describes the flaw: it carries no severity rating of its own; severity comes separately from CVSS, as enriched in the NVD. A bare CVE number tells you which flaw, never how urgent.

Trap Reading a CVE number as a severity or urgency signal: the CVE only identifies the flaw; CVSS supplies the score.

1 question tests this
CVSS scores severity on a 0.0-10.0 scale

CVSS (Common Vulnerability Scoring System) is, per NVD/NIST, "a method used to supply a qualitative measure of severity," producing a numeric base score from 0.0 to 10.0. The contrast with CVE is the testable pair: a CVE tells you which flaw, CVSS tells you how severe. A 0.0-10.0 number is a CVSS score; a CVE-YYYY-NNNNN token is not.

Trap Reading a CVSS score as the identifier of which vulnerability it is, when CVSS only rates severity and the CVE is what names the flaw.

1 question tests this
Memorize the CVSS v3.x severity bands, especially where Critical starts

CVSS v3.x maps base scores to bands: None = 0.0, Low = 0.1-3.9, Medium = 4.0-6.9, High = 7.0-8.9, Critical = 9.0-10.0. The two boundaries the exam leans on are High starting at 7.0 and Critical starting at 9.0. A score like 8.5 is High, not Critical: the band edges are the trap.

Trap Calling an 8.x score Critical: Critical begins at 9.0; 7.0-8.9 is the High band.

Highest CVSS is not automatically remediated first

The CVSS base score reflects a vulnerability's intrinsic severity, constant across environments, so it is only a starting point: CVSS is explicitly not a measure of risk. Real prioritization layers on environmental and exposure factors (internet-facing? compensating control present? feature enabled?), asset criticality, organizational impact, and risk tolerance. An isolated Critical can therefore rank below an internet-exposed Medium.

Trap Remediating strictly in descending CVSS order, ignoring that an exposed, business-critical Medium can outrank an isolated Critical.

2 questions test this
Exposure factor is the fraction of asset value lost per event

The exposure factor (EF) is the proportion of an asset's value destroyed if the vulnerability is exploited, expressed 0-1.0 (or 0-100%); it drives the loss math via SLE = Asset Value x EF. As an analysis input it raises remediation priority: more of the asset at stake per event means a more urgent fix. It is one environmental input layered on top of the raw CVSS score, not a severity score itself.

Trap Treating the exposure factor as a standalone severity rating, when EF is only the fraction of asset value lost per event feeding SLE, not a CVSS-style score.

Patching is one of four vulnerability responses, not the only one

Objective 4.3 tests four legitimate responses: remediate (patch/fix/upgrade, the default and most complete), mitigate (compensating control or segmentation when you can't patch), accept (a documented exception/exemption signed by the risk owner), or transfer (cyber-insurance offsets the financial cost). Patching is the first choice but the wrong single answer when the stem rules it out: match the response to the constraint.

Trap Choosing patch every time, even when the stem says the system can't be patched and a compensating control, exception, or transfer is the fit.

2 questions test this
When you can't patch now, mitigate by shrinking reachability

When a flaw can't be patched immediately (legacy/EOL system, the patch breaks production, or the maintenance window is weeks away) reduce exposure with compensating controls: network segmentation or isolation, virtual patching at a WAF/IPS, tighter access, or disabling the affected feature. The flaw itself remains, but its reachability and blast radius shrink until a real fix lands.

8 questions test this
Risk acceptance is valid only as a documented, signed exception

Accepting a vulnerability's risk is legitimate only as a formal, documented exception/exemption approved by the designated risk owner, with a defined review or expiry date. An informal "we'll fix it later" is not acceptance: the documentation and sign-off are the testable point that distinguishes accepted risk from ignored risk. The exception then becomes residual risk tracked into the next cycle.

Trap Calling an unwritten "we'll get to it later" risk acceptance: without the documented, risk-owner-signed exception it's just unmanaged risk.

Cyber-insurance transfers the cost, never the flaw

Transfer via cyber-insurance shifts the financial impact of a residual risk to a third party, but it does not remove, fix, or reduce the vulnerability: only the cost is offset if exploitation occurs. The flaw and its likelihood remain exactly as before. Treat transfer as a financial response, not a technical remediation.

Trap Treating buying cyber-insurance as remediating the vulnerability: it offsets loss only; the flaw and its likelihood are untouched.

Enterprise patching is risk-prioritized preventive maintenance

NIST SP 800-40 Rev.4 frames patch management as "a critical component of preventive maintenance... a cost of doing business", a routine process of identifying, prioritizing, acquiring, installing, and verifying patches, not optional cleanup. Patches should be prioritized by risk rather than applied uniformly. This makes remediation a standing, risk-driven business operation, which is why the exam treats it as expected baseline practice.

Trap Applying every available patch uniformly and immediately, instead of prioritizing the patch backlog by the risk each flaw poses.

Validate every fix by rescanning before you close the finding

After any remediation, validate that the vulnerability is actually gone via rescanning (the most common and most testable method), audit, or verification, never close a finding on the strength of the patch alone. A patch can fail to apply, miss a host, or be reverted. So "patch applied, what next?" resolves to rescan/verify, then close.

Trap Closing a finding the moment the patch is applied, without a rescan to confirm the flaw is actually gone on every affected host.

6 questions test this
Reporting closes the loop and seeds the next cycle

The lifecycle ends with reporting findings, remediation status, and residual risk: per-asset technical detail for the teams that fix things, and aggregated risk and trend data for management and compliance. Residual risk and any accepted exceptions documented here become inputs to the next identification and analysis round, which is what makes the lifecycle continuous rather than linear.

4 questions test this
Inhibitors to remediation delay a fix even when the flaw is known

Inhibitors to remediation are factors that prevent or postpone applying a fix despite a known vulnerability: uptime/availability SLAs that limit maintenance windows, legacy or proprietary systems, organizational governance and change control, and vendor end-of-life status where no patch will ever ship. When an inhibitor blocks patching, the response shifts to mitigation or a documented exception rather than waiting indefinitely.

Trap Assuming a known vulnerability can always be patched promptly, ignoring inhibitors like uptime SLAs, EOL status, or change-control governance.

14 questions test this

Alerting and Monitoring

Read full chapter
  • Monitoring covers systems, applications, and infrastructure
  • Monitoring runs as a pipeline: aggregate, alert, respond
  • A SIEM is centralized logging for many log types
  • Only the SIEM correlates events across multiple sources
  • Cure alert fatigue with tuning, never by silencing the alert
  • Tuning trades false positives against false negatives
  • A validated alert leads to quarantine and remediation
  • Centralized off-host logging survives an attacker's log wipe
  • ISCM is ongoing awareness frequent enough for risk decisions
  • Agents give depth; agentless gives reach
  • Can't install software on the device, so go agentless
  • Antivirus and EDR monitor endpoint files and process behavior
  • SCAP standardizes how flaw and config data is expressed
  • A benchmark is the hardened baseline SCAP checks a system against
  • SNMP monitors device health; a trap pushes an event unsolicited
  • Scanning surfaces findings; vulnerability management acts on them
  • Normalization unifies log schemas before correlation can run
  • Syslog forwards events to a central collector on UDP 514

Unlock with Premium — includes all practice exams and the complete study guide.

Enterprise Network Security

Read full chapter
  • Objective 4.5 is config and tuning, not appliance placement
  • Firewall ACLs evaluate top-down, first match wins
  • Firewall rules match the 5-tuple; an implicit deny ends the list
  • A screened subnet (DMZ) is enforced by firewall rules, not a box
  • Signature detection is blind to the unknown; anomaly catches novelty
  • A web filter inspects content; a DNS filter inspects only the name
  • DNS filtering stops C2 and phishing links before a connection opens
  • Group Policy centralizes Windows hardening across the domain
  • SELinux enforces mandatory access control beneath Unix permissions
  • SPF authorizes sending IPs for the envelope-from domain only
  • DKIM signs the message and proves it wasn't altered
  • DMARC adds From-header alignment, policy, and reporting on top of SPF/DKIM
  • Roll DMARC out as none, then quarantine, then reject
  • SPF passes but phishing still lands? The gap is DMARC alignment
  • The secure email gateway enforces email controls inline
  • FIM detects file tampering; it does not prevent it
  • DLP guards data in use, in motion, and at rest
  • NAC admits only authenticated, posture-compliant devices
  • EDR works one host; XDR correlates across layers
  • UBA catches the valid-credential threat
  • Domain authentication is not message-sender authentication
  • Inline IPS blocks; a passive IDS on a TAP/SPAN only watches

Unlock with Premium — includes all practice exams and the complete study guide.

Identity and Access Management

Read full chapter
  • Provisioning binds an account to a proofed identity
  • Deprovisioning: disable first, then remove
  • Attestation recertifies access on a schedule
  • MAC is system-enforced and non-discretionary
  • DAC lets the owner decide
  • RBAC: users to roles, roles to permissions
  • ABAC decides from subject/object/action/environment attributes
  • Rule-based and time-of-day apply uniform conditions
  • Least privilege bounds every access model
  • FIDO2/WebAuthn security keys are phishing-resistant
  • SMS/PSTN out-of-band auth is RESTRICTED
  • Push fatigue defeats simple push approval
  • Biometrics are unique but not secret or revocable
  • Password length beats forced complexity and rotation
  • Block reuse; managers and passwordless reduce secret risk
  • SAML = enterprise web SSO (authentication)
  • OAuth 2.0 is delegated authorization, not authentication
  • OIDC adds the identity layer on top of OAuth
  • LDAP is the directory store, not a federation protocol
  • PAM password vaulting stores and rotates privileged secrets
  • Just-in-time access eliminates standing privilege
  • Ephemeral credentials expire so there's nothing to steal
  • MFA combines two of the three factor categories
  • SSO concentrates risk at the IdP: enforce MFA there

Unlock with Premium — includes all practice exams and the complete study guide.

Automation and Orchestration

Read full chapter
  • Objective 4.7 is three memorizable lists: use cases, benefits, considerations
  • Automation runs one task; orchestration coordinates a multi-tool workflow
  • SOAR = Security Orchestration, Automation, and Response
  • Memorize the nine Objective 4.7 use cases by name
  • Guardrails prevent the noncompliant action; monitoring only detects it
  • Provisioning automation makes entitlements consistent and de-provisioning reliable
  • Enabling/disabling services and access is how containment scales
  • CI and testing catch security flaws before deploy
  • Integrations and APIs are the backbone that lets a playbook act across tools
  • Know the seven Objective 4.7 benefits by their CompTIA names
  • Workforce multiplier: a small team covers work that would need many analysts
  • Enforcing baselines yields standard, auditable configurations
  • Know the five Objective 4.7 considerations (the drawbacks)
  • An automation pipeline is itself a single point of failure and a high-value target
  • Unmaintained automation becomes technical debt with an ongoing supportability cost
  • Automate the frequent, stable, low-judgment work
  • Keep a human approval gate on high-judgment, high-accountability actions
  • Never hardcode credentials in automation scripts

Unlock with Premium — includes all practice exams and the complete study guide.

Incident Response

Read full chapter
  • CompTIA's 7 IR steps split NIST's 4-phase life cycle
  • Containment precedes eradication, which precedes recovery
  • Preparation is the only phase done before an incident
  • Containment isolates the threat to stop it spreading
  • Eradication removes the root cause, not just symptoms
  • Recovery returns systems to verified-normal operation
  • Short-term containment buys time; long-term keeps business running
  • A tabletop exercise is a discussion-based walkthrough
  • A simulation runs an actual technical drill
  • Lessons learned feeds improvements back into preparation
  • Root cause analysis fixes why it happened, not just the symptom
  • Threat hunting is proactive and assumes a breach already exists
  • NIST SP 800-86's forensic process: collect, examine, analyze, report
  • Chain of custody is the documented trail that keeps evidence admissible
  • Order of volatility: capture the most ephemeral evidence first
  • On a live host, capture memory before imaging the disk
  • Preservation means working from a hashed forensic image, never the original
  • Acquisition is making the forensically sound bit-for-bit copy
  • A legal hold suspends routine deletion of relevant data
  • E-discovery identifies and produces ESI for a legal request
  • A matching hash proves the image was not altered
  • Incident response begins where alerting and monitoring end

Unlock with Premium — includes all practice exams and the complete study guide.

Investigation Data Sources

Read full chapter
  • Objective 4.9 is source selection, not tooling
  • Firewall and router logs prove allow/deny, never the payload
  • Packet capture is the only source that holds the payload
  • Flow data shows who and how much; only capture shows what
  • IPS/IDS logs add intent: attack type and outcome
  • IPS logs also record the prevention action taken
  • OS logs split into system events and audit records
  • OS-specific logs: Windows proprietary format vs. Linux syslog
  • Endpoint (AV/EDR) logs show what ran and what the agent did
  • Application logs attribute in-app actions to a user
  • Web proxy and NAT logs de-anonymize a shared public IP
  • Remote-access (VPN) logs capture origin and authenticated user
  • A vulnerability scan shows the weakness, not that it was used
  • Dashboards and reports give the trend, not the single event
  • Lead with the primary source, then corroborate with secondary
  • Timestamps are the join key: clocks must be synced first
  • Distrust a compromised host's own logs
  • Read NetFlow patterns as deviations from baseline

Unlock with Premium — includes all practice exams and the complete study guide.

Security Program Management and Oversight

Security Governance

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Policy → standard → procedure → guideline is the governance hierarchy

Governance documents descend from intent to detail: a policy is management's broad statement of what and why, a standard turns it into a specific measurable rule (e.g., AES-256, passwords ≥14 chars), a procedure gives the numbered step-by-step how-to, and a guideline offers optional advice. Policies, standards, and procedures are mandatory; only the guideline is discretionary, which is the line the exam tests.

Trap Assuming the guideline outranks or precedes the procedure in the hierarchy because it sounds authoritative, when the guideline is the lowest and only optional tier.

1 question tests this
A guideline is the only non-mandatory governance document

Guidelines are recommended best-practice that can be met more than one way, so they are the single discretionary document type. Policies, standards, and procedures are all compulsory. The fastest tell is the verb: "shall/must" marks a mandatory document, "should/may" marks a guideline.

Trap Treating a standard or procedure as optional because it is more detailed than a policy, when only the guideline is discretionary.

3 questions test this
A standard is a specific, measurable, mandatory rule

A standard fixes exactly how strict a policy's intent must be and is compulsory within the organization. Where the policy says "protect data," the standard says AES-256 at rest, passwords ≥14 characters, or RBAC for access. That precision is what makes a policy uniform and auditable. Named SY0-701 examples are password, access control, physical security, and encryption standards.

Trap Classifying a specific measurable rule as a guideline because it reads like best practice, when its mandatory enforceable nature makes it a standard.

1 question tests this
A policy is high-level intent, never the mechanism

A policy is a leadership-approved statement of required outcome and direction written at a broad level; it deliberately leaves the "how" to the standards and procedures beneath it. Named SY0-701 policies include the information security policy, AUP, business continuity, disaster recovery, incident response, SDLC, and change management.

Trap Expecting a policy to name the specific control or technology, when that mechanism belongs to the standard and procedure beneath it.

1 question tests this
Procedures and playbooks are step-by-step instructions

A procedure is the mandatory numbered how-to that implements a standard so the result doesn't depend on who runs it, and a playbook is the procedure variant that codifies repeatable response steps an IR or SOAR workflow executes. SY0-701 examples are change-management and onboarding/offboarding procedures; a checklist counts as a procedure too.

Trap Treating a playbook as a policy: it is an operational procedure that implements policy, not the high-level intent itself.

6 questions test this
AUP defines acceptable use of organizational assets

An Acceptable Use Policy (AUP) is an issue-specific policy spelling out permitted and prohibited use of company systems and data, signed by the user. Because it documents what the user agreed to, it is the basis for disciplinary action when someone misuses assets.

Trap Reaching for an NDA as the document that governs day-to-day use of company systems, when the NDA covers confidentiality and the AUP governs acceptable use.

2 questions test this
Policy scope: program, issue-specific, system-specific

Policies are categorized by scope: a program (organizational) policy establishes the security program enterprise-wide, an issue-specific policy governs one topic such as an AUP or email use, and a system-specific policy sets rules for a single system or asset. The scope mirrors the authority of the manager who issues it.

Trap Labeling an AUP a system-specific policy because it constrains how systems are used, when its single-topic focus makes it issue-specific.

1 question tests this
Data owner sets classification; it cannot be delegated

The data owner is the senior business official with operational authority over a data set and is accountable for setting its classification and acceptable use. That managerial accountability stays with the owner and is not handed to IT, so an admin who decides classification is itself a governance failure.

Trap Naming the IT administrator or custodian as the one who classifies data: they implement protection but never own the classification decision.

4 questions test this
Data custodian/steward implements; never decides classification

The data custodian (steward) is the technical role that carries out the owner's decisions day-to-day, applying access controls, backups, and encryption to protect the data. The custodian enforces protection but never sets the classification or acceptable use; that authority belongs to the owner.

Trap Letting the custodian set or change a data set's classification because they have hands-on access to it, when only the owner holds that decision authority.

1 question tests this
Owner/controller decide, custodian/processor execute

Across the four data roles the dividing line is decide-versus-execute: the owner and controller determine classification and purpose, while the custodian and processor act only on those decisions. Under GDPR the controller "determines the purposes and means of processing" and the processor acts on the controller's instructions, so a scenario that hands a decision to an executing role is describing a control failure.

Trap Assuming a cloud or SaaS vendor that hosts your data becomes the controller: it is normally the processor, and your organization stays the accountable controller.

1 question tests this
Centralized governance favors consistency over flexibility

Centralized governance puts one authority in charge of setting and enforcing policy enterprise-wide, producing uniform, easy-to-audit controls at the cost of speed and local responsiveness. Choose it when consistency and auditability matter most.

Trap Picking centralized governance for its agility and fast local response, when those are the strengths of decentralized governance and centralization trades them away for uniformity.

1 question tests this
Decentralized governance favors agility over uniformity

Decentralized governance lets business units set their own policy within broad guardrails, gaining agility and local responsiveness but risking inconsistent controls and harder auditing. Choose it when units must move independently and speed outranks uniformity.

Trap Choosing decentralized governance when the priority is uniform, easy-to-audit controls, since that consistency is exactly what decentralization sacrifices for speed.

1 question tests this
Boards, committees, and government entities are governance structures

Governance is exercised through structures: boards hold ultimate oversight (e.g., the board of directors), committees such as a security steering or risk committee review and approve policy, and government entities/regulators impose binding external rules where the organization is regulated. Each is a named SY0-701 governance structure.

5 questions test this
Governance includes continuous monitoring and revision

A security program is maintained, not written once: policies are reviewed on a defined cadence and re-examined whenever threats, technology, business needs, or law change. That monitoring-and-revision loop is itself a governance activity owned by the oversight body, not a one-time document.

1 question tests this
External considerations drive which policies are mandatory

Governance must satisfy external forces: regulatory mandates (HIPAA, PCI DSS, SOX), broader legal and contractual obligations, and industry frameworks, and these dictate which policies and standards are non-negotiable regardless of internal preference. On the exam, an external requirement overrides an organization's own appetite for a control.

Trap Allowing the organization's internal risk appetite to waive a control that an external regulation mandates, when the external requirement is non-negotiable.

Geographic scope: local, regional, national, global

Requirements apply at distinct geographic scopes (local, regional, national, and global), so a multinational must reconcile rules that conflict across borders, such as EU data-residency duties versus another jurisdiction's lawful-access demands. That is why scope is treated as an explicit governance dimension rather than an afterthought.

SDLC and change-management policies bake security into operations

An SDLC policy forces security to be built into how software is developed rather than bolted on afterward, and a change-management policy blocks unauthorized changes from reaching production. Both are named SY0-701 governance policies that flow down into procedures developers and operators actually follow.

1 question tests this
A CISO reporting to the CIO creates a conflict of interest

When the CISO reports to the CIO, the executive accountable for IT delivery also oversees the function that evaluates IT risk, a separation-of-duties conflict that can pressure the CISO to soften controls and skew risk reporting; SOX audits have flagged this reporting line as a control-design weakness. Reporting higher, to the CEO or board, preserves the CISO's independence and unfiltered risk communication, while the board and senior leadership retain ultimate accountability for cyber risk.

Trap Placing the CISO under the CIO to keep security "close to IT": it undermines the independence the role needs to objectively report risk.

3 questions test this

Risk Management

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

SLE is the dollar loss from one occurrence: AV × EF

Single Loss Expectancy is the monetary loss from a single occurrence of a threat, calculated SLE = Asset Value (AV) × Exposure Factor (EF), where EF is the fraction (0–1.0) of the asset's value destroyed by one event. A $200,000 asset with EF 0.5 has an SLE of $100,000. SLE is the per-event building block that ARO then annualizes into ALE.

Trap Using the full asset value as the SLE and skipping the exposure factor, which overstates per-event loss whenever EF is below 1.0.

4 questions test this
ALE annualizes per-event loss: SLE × ARO

Annualized Loss Expectancy is the expected yearly loss from a risk, calculated ALE = SLE × ARO. An SLE of $100,000 at an ARO of 0.25 (once every four years) yields an ALE of $25,000/yr. ALE is the figure you weigh against a control's annual cost, because both are now expressed per year.

Trap Reporting the SLE as the annual loss and forgetting to multiply by ARO, which inflates the yearly figure for any event that does not occur once per year.

7 questions test this
ARO is how many times per year the event is expected

Annualized Rate of Occurrence is the expected frequency of a loss event per year: ARO 0.25 means once every four years, ARO 2 means twice a year. It is the multiplier that converts a per-event SLE into an annual ALE, so a small ARO error swings the whole annualized figure.

Trap Treating ARO as a probability capped at 1.0: a frequent event has ARO above 1 (e.g. 12 for monthly).

4 questions test this
Exposure Factor is the fraction of asset value lost per event

Exposure Factor is the percentage (0%–100%, or 0–1.0) of an asset's value destroyed by a single occurrence of the threat, and it feeds SLE = AV × EF. A total loss is EF = 1.0; a half-loss is 0.5. EF captures severity-per-event, distinct from ARO, which captures frequency-per-year.

Trap Confusing exposure factor with the annualized rate of occurrence, treating a severity-per-event percentage as how often the event happens.

3 questions test this
Justify a control when its cost is below the ALE it removes

The cost/benefit test for a safeguard is net benefit = (ALE before − ALE after) − annual control cost: implement it when the annual cost is less than the ALE reduction it buys. A $10,000/yr control that removes a $25,000 ALE nets $15,000/yr, so it pays off; a $40,000/yr control against that same risk does not. Cost and benefit must both be annualized to compare.

Quantitative analysis uses dollars; qualitative uses high/med/low

Quantitative risk analysis assigns monetary values (AV, SLE, ALE) so risks compare directly against control cost, but it demands high-quality loss data to be meaningful. Qualitative analysis instead rates likelihood and impact on relative scales (high/medium/low), often plotted on a heat map: faster, needs no dollar data, but not directly comparable to spend. Most programs blend both.

Trap Swapping the two methods, calling the high/medium/low heat-map approach quantitative when it is qualitative analysis that needs no dollar data.

2 questions test this
Use qualitative analysis when reliable loss data is unavailable

When monetary loss data is scarce or unreliable, a qualitative assessment is the honest choice, because manufacturing precise AV/EF/ARO figures from guesswork produces false confidence. Quantitative techniques generally require high-quality data to be meaningful, so absent that data the relative high/medium/low rating is more defensible than a fabricated dollar figure.

Trap Forcing a quantitative ALE from invented AV/ARO numbers: precise-looking dollars built on guesses mislead decision-makers.

1 question tests this
SY0-701 names four risk assessment cadences

Objective 5.2 tests four assessment types by their trigger and timing: ad hoc (event-triggered, e.g. after a breach or major change), one-time (a single bounded engagement), recurring (a fixed schedule such as quarterly or annual), and continuous (ongoing near-real-time monitoring that feeds risk decisions). The cadence is chosen to match how fast the relevant risk changes.

There are exactly four risk treatment strategies

After analysis, the risk owner picks one of four responses: mitigate (apply controls to reduce likelihood or impact), transfer (shift the financial impact to a third party, e.g. insurance), avoid (stop the activity that creates the risk), or accept (formally take on the residual risk). These four are the only sanctioned treatments; any plan reduces to one of them.

1 question tests this
Risk acceptance requires a documented, signed-off exception

Acceptance is legitimate only as a documented exception/exemption, approved by the designated risk owner, with a defined review or expiry date. An informal "we'll fix it later" is not acceptance; the formal documentation and sign-off are the testable point, and they make the accepted residual risk auditable rather than forgotten.

Trap Treating an unwritten "we'll get to it" as risk acceptance: without a signed exception and review date it is just an unmanaged gap.

Transfer offsets financial impact but leaves the vulnerability

Risk transfer (cyber-insurance or a contractual clause) shifts the financial impact of residual risk to a third party, but it is not remediation: the underlying vulnerability stays in place and likelihood is unchanged. It pays for the loss; it does not stop the loss from happening, so it pairs with, rather than replaces, technical controls.

Trap Picking cyber-insurance as the fix for a vulnerability: it covers the cost but the exploitable flaw is still there.

5 questions test this
Avoidance eliminates the risk by stopping the activity

Risk avoidance removes a risk entirely by ceasing the activity that creates it: retiring an unsupported product, cancelling a project, or declining to enter a market. It is the only strategy that drives residual risk to zero, but at the cost of forgoing whatever value the activity would have produced, so it is reserved for risks that outweigh their reward.

Trap Confusing avoidance with mitigation, treating added controls that merely reduce a risk as if they eliminated the activity and drove residual risk to zero.

Senior leadership sets risk appetite, not the security team

Risk appetite is the board/senior-leadership statement of the types and amount of risk, at a broad level, the organization is willing to accept in pursuit of its objectives. It is a governance decision, expressed qualitatively or quantitatively, and security teams operate within it rather than setting it. Appetite is the strategic ceiling that downstream treatment choices must respect.

Trap Assuming the security or IT team defines risk appetite: appetite is owned by the board/senior leadership; security executes within it.

SY0-701 names three risk-appetite postures

Objective 5.2 lists three appetite postures: expansionary (willing to take on more risk for growth or reward), conservative (minimize risk even at the cost of opportunity), and neutral (a balanced middle stance). The chosen posture shapes which treatment strategies the organization favors: an expansionary firm accepts more, a conservative one mitigates or avoids more.

Risk tolerance is the acceptable variance around appetite

Risk tolerance is the acceptable level of deviation from the risk appetite for a specific risk or category: the per-risk wiggle room around the strategic line. Appetite sets the broad, organization-wide willingness; tolerance bounds how far an individual risk may stray before action is required, and exceeding tolerance triggers escalation.

Trap Confusing tolerance with appetite, treating the broad organization-wide willingness as if it were the per-risk acceptable deviation around it.

The risk register records an owner, KRIs, and a threshold per risk

The risk register is the living record of each identified risk and its treatment. Objective 5.2 tests three fields per entry: the risk owner (the one accountable individual who approves treatment or acceptance), the key risk indicators (KRIs) that signal movement, and the risk threshold that, when crossed, triggers action. It is the single source of truth that lets risks aggregate up the enterprise.

2 questions test this
A KRI warns of rising risk; a KPI measures control performance

A Key Risk Indicator (KRI) is a forward-looking metric signaling that a risk is climbing toward its threshold, so it warns before the loss. A Key Performance Indicator (KPI) measures how well a control or process is performing today. The distinction is direction: a KRI is predictive of future risk, a KPI is a current-state measure of effectiveness.

Trap Using a KPI as an early-warning signal: a KPI reports current control performance, not the rising-risk forecast a KRI gives.

Each risk has exactly one accountable risk owner

Every risk in the register is assigned a single risk owner: the accountable individual who decides the treatment and signs off any acceptance. Naming one owner is what makes a documented exception valid and prevents a risk from falling between teams; shared or unassigned ownership is the failure mode the register exists to close.

Trap Assigning a risk to a committee or shared team instead of one accountable owner, which is the diffused-ownership failure the register is meant to prevent.

1 question tests this
A BIA yields RTO, RPO, MTTR, and MTBF

A Business Impact Analysis identifies critical processes and the consequences of their disruption, producing four recovery metrics: RTO and RPO are targets you set (how fast to restore, how much data loss is tolerable), while MTTR and MTBF are measured system properties (time to repair, time between failures). The BIA's outputs drive continuity and recovery design, including how much redundancy to fund.

Trap Treating MTTR and MTBF as targets you set like RTO and RPO, when they are measured properties of the system rather than goals chosen by the business.

13 questions test this
Risk reporting frames impact to the right audience

Risk reporting communicates the register's state at the altitude each audience needs: executives and the board see aggregated business-impact framing (ALE, appetite-vs-actual, overdue treatments), while operational teams see specific KRIs and per-control status. Consistent impact-and-frequency documentation is what lets individual registers roll up into one enterprise view, so the same risk reads correctly at every level.

NIST SP 800-30 and SP 800-37 frame the risk process

NIST SP 800-30 is the Guide for Conducting Risk Assessments, while NIST SP 800-37 defines the Risk Management Framework (RMF), sequencing seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Together they supply the assessment method and the lifecycle that underpin SY0-701's risk-management vocabulary.

Trap Swapping the two documents, attributing the Risk Management Framework to SP 800-30 when it is SP 800-37 that defines the RMF.

MTBF, MTTR, RTO, and RPO each measure a distinct recovery quantity

MTBF is average uptime between repairable failures (total operational time ÷ number of failures); MTTR is the average time to restore a failed system. RTO is the maximum acceptable time to restore operations after a disruption, and RPO is the point in time to which data must be recovered (the tolerable data loss, in time). When measured MTTR exceeds the RTO, high-availability failover is needed to close the gap.

Trap Confusing RPO with RTO, treating the tolerable data-loss point as if it were the time allowed to restore operations.

16 questions test this

Third-Party Risk Management

Read full chapter
  • Outsource the work, never the liability
  • TPRM is a lifecycle: assess, select, agree, then monitor
  • A questionnaire is self-attestation, not verification
  • A right-to-audit clause lets you verify the vendor directly
  • Independent assessment outranks the vendor's own audit
  • Supply chain analysis reaches past the vendor to fourth parties
  • Due diligence vets a vendor before you engage
  • Conflict of interest can bias a vendor selection
  • An SLA defines measurable service levels plus remedies
  • An MOU is a non-binding statement of intent
  • An MOA is the more formal, obligation-bearing cousin of an MOU
  • An MSA sets standing umbrella terms for all future work
  • A WO/SOW scopes one engagement under the MSA
  • An NDA is the confidentiality contract
  • A BPA sets terms between business partners, not buyer and supplier
  • Agreements make expectations enforceable; assessments only inform
  • Vendor monitoring continues after the contract is signed
  • Rules of engagement authorize and bound third-party testing

Unlock with Premium — includes all practice exams and the complete study guide.

Security Compliance

Read full chapter
  • Compliance reporting splits internal vs. external by audience
  • External reporting is deadline-bound by breach-notification law
  • Due care = doing; due diligence = checking
  • A written-but-untested plan = due care without due diligence
  • Non-compliance has exactly five consequence categories
  • Fines are money; sanctions are an order
  • GDPR's top fine tier is the greater of EUR 20M or 4% of global turnover
  • Reputational damage has no ceiling and no end date
  • Attestation is a formal control assertion; acknowledgement is a personal sign-off
  • Monitoring can be internal or external, and external carries more weight
  • Automation makes due diligence continuous, not point-in-time
  • Compliance is necessary but not sufficient for security
  • Privacy obligations stack across four scopes, and the strictest governs
  • Know the privacy triad: data subject, controller, processor
  • A processor that decides purpose is reclassified as a controller
  • A data inventory is the prerequisite to every privacy obligation
  • Retention is pulled between minimization and legal hold
  • The right to be forgotten is not absolute
  • Match each consequence category to the source that produces it
  • GDPR reaches any organization worldwide that targets people in the EU
  • Handling DoD CUI requires at least CMMC 2.0 Level 2, mapped to NIST SP 800-171
  • HIPAA requires individual breach notice within 60 calendar days of discovery

Unlock with Premium — includes all practice exams and the complete study guide.

Audits and Assessments

Read full chapter
  • Attestation is a signed claim, not a discovery
  • Internal vs external audit turns on independence, not rigor
  • Internal audit forms: compliance, audit committee, self-assessment
  • External audit drivers: regulatory, examination, third-party
  • A self-assessment cannot satisfy an independence requirement
  • A pen test mimics real attacks to circumvent security
  • Environment knowledge: known, partially known, unknown
  • Known is fastest; unknown is the most realistic outsider
  • Posture: offensive (red), defensive (blue), integrated (purple)
  • Physical pen testing extends the attack surface past the network
  • Passive vs active recon turns on whether you touch the target
  • NIST pen-test lifecycle: planning, discovery, attack, reporting
  • Attack phase: exploit, escalate, pivot, loop back to discovery
  • Audits and assessments are point-in-time assurance, not the scan loop
  • SOC reports: SOC 1 financial, SOC 2 security, SOC 3 public; Type 1 vs 2

Unlock with Premium — includes all practice exams and the complete study guide.

Security Awareness

Read full chapter
  • Security awareness is the managed human-layer control
  • 5.6 tests running the awareness program, not naming the attack
  • A phishing campaign is a simulated phish against your own staff
  • Measure report rate, not just click rate, and never punish reporters
  • Verify an unexpected high-stakes request out-of-band
  • On a suspicious message, report: don't click, reply, or forward
  • Anomalous behavior splits into risky, unexpected, and unintentional
  • Risky vs. unexpected vs. unintentional turns on intent and pattern
  • Insider-threat awareness is the human early-warning sensor
  • Acceptable-use policy and handbooks are the acknowledged rules of behavior
  • Password training: long, unique, never reused, and it pairs with MFA
  • Removable media and cables: never plug in the unknown
  • OPSEC training limits the public detail adversaries can aggregate
  • Hybrid/remote-work awareness covers off-premises exposure
  • An awareness program is a managed lifecycle, not a one-time event
  • CompTIA splits the program into development and execution
  • Initial vs. recurring monitoring = set a baseline, then trend it
  • Effectiveness metric: do incidents drop after a campaign
  • Awareness lowers likelihood; it doesn't enforce
  • UEBA flags deviations from a learned behavioral baseline
  • Anonymous reporting plus non-retaliation drives insider-threat reporting

Unlock with Premium — includes all practice exams and the complete study guide.