Threats, Vulnerabilities, and Mitigations
The whole domain is one chain: actor → vector → vulnerability → attack → indicator → mitigation
Assuming basic attack-and-defense vocabulary, you will learn to place any scenario on its chain and answer the link the stem asks. Domain 2 is the second-largest slice of SY0-701 at 22% (behind Security Operations at 28%), and every one of its six subtopics is a link in a single causal chain rather than an isolated topic. A threat actor with a motive (objective 2.1) chooses a threat vector to reach your attack surface (2.2); that vector lands only because an underlying vulnerability exists (2.3); exploiting the weakness produces an attack or malware payload and leaves observable indicators (both scored under objective 2.4); and mitigation techniques (2.5) break the chain at one or more of those links. Reading an exam scenario as a position on this chain ('which link is the question asking about?') is faster and more reliable than matching keywords, because the same incident appears under several subtopics depending on which link the stem emphasizes.
A vulnerability is the weakness; a threat exploits it; risk is the product. Keep the three apart
The exam consistently rewards separating the inherent weakness (a buffer overflow flaw, an open RDP port, a default credential, a deprecated cipher) from the threat that exploits it and from the resulting attack behavior. The same weakness can be reached through many vectors and abused by many actors, which is why durable risk treatment targets the weakness (patch, reconfigure, replace, or compensate) rather than chasing any single exploit attempt. NIST frames the attack surface as the aggregate set of points where an attacker could try to enter or extract data, so reducing it (removing services, retiring end-of-life software, closing ports, minimizing accounts) shrinks the number of vulnerabilities a threat can ever reach.
Mitigations do one of two jobs: shrink the attack surface or contain the blast radius
Objective 2.5 controls divide cleanly into surface reduction (patching, removing unnecessary software, disabling unused ports and protocols, changing default passwords, configuration enforcement) and containment (segmentation, isolation, least privilege, access control lists, application allow-listing). Surface reduction prevents the foothold; containment limits what a foothold can reach once an attacker is already inside. Defense in depth combines both so that no single failure is catastrophic, and detective controls such as monitoring are not mitigations themselves: they reduce risk only by shortening dwell time so a containment or surface-reduction control can be applied sooner.
Reason backward from the indicator to the most likely attack class
Indicators of malicious activity (2.4) test diagnosis, not definitions: a symptom such as a flood of failed logins, impossible-travel sign-ins, spiking CPU and bandwidth, or a gap where audit logs should be is a forensic clue, and the skill is mapping it to the attack class that produces that exact fingerprint. The discriminator is the spread (many failures against one account read as brute force, the same volume across many accounts as password spraying) while the indicators subtopic owns each full symptom-to-attack mapping. What carries here is the direction of inference: start from the observable. Because these signals are behavioral rather than tied to one device, they surface in centralized, write-once collection (SIEM, conditional-access policy), which is also why log integrity is a mitigation worth protecting.
The six subtopics mapped onto the threat chain
| Subtopic (objective) | Chain link it covers | Core question it answers | Primary defensive response |
|---|---|---|---|
| Threat actors & motivations (2.1) | WHO + WHY | Which adversary type and motive fits the scenario? | Threat intelligence; insider and shadow-IT governance |
| Threat vectors & attack surfaces (2.2) | HOW IN | What path was used and how large is total exposure? | Attack-surface reduction; awareness training; vendor due diligence |
| Vulnerability types (2.3) | THE WEAKNESS | What inherent flaw made the entry possible? | Patch, reconfigure, replace, or compensate |
| Malware & malicious activity (2.4) | THE PAYLOAD | What ran, and how does it spread or persist? | EDR/anti-malware; allow-listing; reimaging |
| Indicators of malicious activity (2.4) | THE SYMPTOM | What attack class produced this observable? | Monitoring, SIEM, log integrity (detection feeding response) |
| Mitigation techniques (2.5) | BREAK THE CHAIN | Which control prevents or contains this? | Surface reduction + containment (hardening, segmentation, least privilege) |