← All Certifications CompTIA

CompTIA Certification Prep

Domain guides, practice questions, and study plans for every CompTIA certification — from A+ to CASP+. Built for practitioners working full-time while studying.

Use the selector below to pick a certification and choose how you want to study — guides, practice exams, games, or curated resources.

SY0-701

CompTIA Security+

The most widely recognized entry-level security certification. Required by U.S. Department of Defense Directive 8570/8140 and referenced in hundreds of job postings as a baseline credential for security analyst, SOC analyst, and security engineer roles.

Exam at a glance

  • Exam code: SY0-701
  • Questions: Maximum 90 (multiple choice + performance-based)
  • Time: 90 minutes
  • Passing score: 750 (on a 100–900 scale)
  • Recommended experience: 2 years IT with security focus; Network+ recommended first
  • Renewal: 3-year cycle, 50 CEUs required
  • Domain 1: General Security Concepts (12%)
  • Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
  • Domain 3: Security Architecture (18%)
  • Domain 4: Security Operations (28%)
  • Domain 5: Security Program Management and Oversight (20%)

Domain breakdown

Domain 1 · 12%

General Security Concepts

Security controls (technical, managerial, operational, physical), cryptography fundamentals (symmetric, asymmetric, hashing, PKI), authentication methods (MFA, biometrics, tokens), and the security governance framework. Focus areas: control categories and types, cryptographic algorithms (AES-256, RSA, ECC, SHA-256), certificate management and the CA hierarchy, and non-repudiation.

Domain 2 · 22%

Threats, Vulnerabilities & Mitigations

Malware classification, social engineering attack types, network attacks (MITM, DDoS, DNS poisoning), application vulnerabilities (OWASP Top 10 mapped), and threat intelligence. Focus areas: attack vectors and surface reduction, vulnerability scanning vs. penetration testing, the ATT&CK framework, and threat actor classification (nation-state, hacktivist, insider).

Domain 3 · 18%

Security Architecture

Cloud security models (IaaS, PaaS, SaaS shared responsibility), Zero Trust principles, network segmentation (DMZ, VLANs, micro-segmentation), VPN types, and secure infrastructure design. Focus areas: cloud deployment models, SD-WAN and SASE, infrastructure as code security, and secure by design principles.

Domain 4 · 28%

Security Operations

Incident response lifecycle, digital forensics (chain of custody, evidence acquisition), SIEM, log analysis, endpoint security (EDR/XDR), identity and access management operations, and vulnerability management workflow. Focus areas: the IR phases (preparation, detection, containment, eradication, recovery, lessons learned), SOAR, privilege access management, and patching cadences.

Domain 5 · 20%

Security Program Management & Oversight

Risk management (identification, assessment, treatment), compliance frameworks (NIST CSF, ISO 27001, PCI DSS, HIPAA, SOC 2), data privacy regulations (GDPR, CCPA), third-party risk, and security awareness programs. Focus areas: risk calculation (likelihood × impact), GRC tooling, data classification, and the vendor assessment lifecycle.

N10-009

CompTIA Network+

The foundational networking certification covering the design, management, and troubleshooting of network infrastructure. Strongly recommended before Security+ and required for many entry-level network technician roles.

Domain 1 · 23%

Networking Concepts

OSI model layer functions, TCP/IP model, common ports and protocols (HTTP 80, HTTPS 443, SSH 22, DNS 53, DHCP 67/68, SMTP 25/587, RDP 3389), addressing (IPv4 subnetting, IPv6, CIDR notation), and network topologies. Key skill: subnetting calculations from memory.

Domain 2 · 20%

Network Infrastructure

Routers, switches, firewalls, load balancers, wireless access points, and cabling standards (Cat5e, Cat6, fiber types). VLANs, trunking (802.1Q), spanning tree, and WAN connectivity types (MPLS, Metro Ethernet, SD-WAN).

Domain 3 · 19%

Network Operations

Network documentation, change management, monitoring tools (SNMP, NetFlow, syslog), high availability concepts (FHRP, VRRP, clustering), backup and recovery, and disaster recovery planning for network infrastructure.

Domain 4 · 16%

Network Security

Physical security, network hardening (ACLs, firewall rules, disabling unused ports), wireless security (WPA3, EAP types, RADIUS), common attacks (ARP poisoning, MAC flooding, rogue AP), and remote access security (VPN, SSL/TLS).

Domain 5 · 22%

Network Troubleshooting

Structured troubleshooting methodology, tools (ping, traceroute, nslookup, netstat, Wireshark, cable testers), troubleshooting common connectivity issues, wireless interference diagnosis, and performance problem identification.

Core 1: 220-1101 / Core 2: 220-1102

CompTIA A+

The entry point to IT support and administration. A+ is required for many help desk, desktop support, and field technician roles. It covers hardware, software, networking basics, security fundamentals, and troubleshooting across two separate exams.

Core 1 (220-1101)

Mobile Devices, Networking, Hardware, Virtualization

Laptop and mobile device hardware, network connectivity (TCP/IP, Wi-Fi standards, cabling), hardware components (CPUs, RAM, storage, power supplies, BIOS/UEFI), printer troubleshooting, and cloud and virtualization concepts.

Core 2 (220-1102)

OS, Security, Software, Operational Procedures

Windows, macOS, Linux, and ChromeOS administration, security best practices (social engineering, malware removal, Windows security settings), software troubleshooting, scripting basics, and professional IT procedures including change management and documentation.

CS0-003

CompTIA CySA+ (Cybersecurity Analyst)

The analyst-level certification for threat detection, incident response, and vulnerability management. Positioned between Security+ and CASP+, CySA+ validates the skills needed for a SOC analyst Tier II/III role.

Domain 1 · 22%

Security Operations

Log analysis, SIEM tuning, threat intelligence consumption (STIX/TAXII, OpenIOC), threat hunting methodology, and security monitoring architecture including EDR, NDR, and SOAR integration.

Domain 2 · 35%

Vulnerability Management

Vulnerability scanning (Nessus, OpenVAS, Qualys), CVSS scoring and prioritisation, remediation verification, asset inventory, and exception handling workflow. Includes cloud and container vulnerability considerations.

Domain 3 · 22%

Incident Response Management

IR phases, evidence collection and preservation, containment and eradication decisions, threat actor attribution, forensic artifact analysis (registry, memory, network captures), and post-incident reporting.

Domain 4 · 21%

Reporting and Communication

Root cause analysis, executive reporting, compliance reporting requirements, recommended remediation prioritisation, and continuous improvement program design following incidents and assessments.

PT0-003

CompTIA PenTest+

The offensive security certification for penetration testers and red team members. Covers the full penetration testing lifecycle including planning, scoping, reconnaissance, exploitation, post-exploitation, and reporting.

Domain 1 · 14%

Engagement Management

Rules of engagement, scope definition, statement of work, legal considerations (authorisation letters, NDA), risk acceptance documentation, and communication cadence during an engagement.

Domain 2 · 22%

Reconnaissance & Enumeration

Passive and active reconnaissance (OSINT, Shodan, theHarvester), network enumeration (Nmap, Masscan), service fingerprinting, DNS enumeration, and web application reconnaissance including directory brute-forcing.

Domain 3 · 30%

Attacks & Exploits

Network attacks, application attacks (SQLi, XSS, command injection, SSRF), credential attacks, wireless attacks, social engineering, and post-exploitation (lateral movement, persistence, privilege escalation, data exfiltration).

Domain 4 · 18%

Post-Exploitation & Lateral Movement

Pivoting techniques, living off the land (LOLBins), credential harvesting, privilege escalation paths (Windows/Linux), maintaining access, covering tracks, and data staging for exfiltration.

Domain 5 · 16%

Reporting & Communication

Technical report writing, executive summary structure, finding classification and CVSS scoring, remediation recommendations, retesting procedures, and client communication best practices.

CAS-004

CompTIA CASP+ (Advanced Security Practitioner)

The expert-level practitioner certification for security architects and senior engineers. CASP+ is performance-based and validates the ability to design, implement, and manage enterprise-level security solutions. It is DoD 8140-approved for senior technical roles.

Domain 1 · 29%

Security Architecture

Enterprise security architecture patterns, Zero Trust implementation, SASE and SD-WAN security, cryptographic engineering decisions, cloud security architecture (multi-cloud, hybrid), and resilience design including business continuity integration.

Domain 2 · 30%

Security Operations

Threat modelling, security orchestration and automation, advanced incident response, threat hunting programme design, threat intelligence operationalisation, and forensics at scale. Emphasis on decision-making under uncertainty.

Domain 3 · 26%

Security Engineering & Cryptography

PKI lifecycle management, HSM usage, quantum-resistant cryptography considerations, secure DevOps pipeline design, hardware security (TPM, Secure Boot), and embedded / OT/ICS security engineering.

Domain 4 · 15%

Governance, Risk & Compliance

Enterprise risk programme leadership, regulatory alignment strategies, third-party assurance programme management, privacy engineering, and cross-functional security governance including board reporting.

CV0-004

CompTIA Cloud+

Vendor-neutral cloud infrastructure certification covering deployment, security, management, and troubleshooting of cloud environments. Useful for cloud administrators and engineers working across AWS, Azure, and GCP.

Domain 1 · 24%

Cloud Architecture & Design

Cloud service and deployment models, shared responsibility, cloud migration strategies (lift-and-shift, re-platform, refactor), disaster recovery architecture, and cost optimisation design patterns.

Domain 2 · 20%

Security

Identity and access management in cloud (IAM policies, RBAC, federation), data protection (encryption at rest and in transit, key management), network security controls (security groups, NACLs, WAF), and cloud audit logging.

Domain 3 · 22%

Deployment

Infrastructure as code (Terraform, CloudFormation, Bicep), container orchestration (Kubernetes), CI/CD pipelines and DevSecOps integration, serverless architectures, and multi-cloud provisioning.

Domain 4 · 16%

Operations & Support

Cloud monitoring and observability (CloudWatch, Azure Monitor), autoscaling and elasticity management, patch management for cloud workloads, backup and restore in cloud environments, and cost management tooling.

Domain 5 · 18%

Troubleshooting

Systematic troubleshooting methodology for cloud connectivity, performance, security, and deployment failures. Includes reading cloud provider dashboards, interpreting error codes, and log correlation.

Security+ SY0-701

Practice Questions — Security+

Sample questions aligned to the SY0-701 exam objectives. Use these to test your understanding of key concepts and identify domains that need additional study.

1. An organization implements a policy requiring employees to use a smartcard plus a PIN to access the network. Which type of authentication does this represent?

  • A) Single-factor authentication using a knowledge factor
  • B) Multi-factor authentication combining possession and knowledge factors
  • C) Multi-factor authentication combining inherence and possession factors
  • D) Dual-factor authentication using two knowledge factors
Answer: B The smartcard is a possession factor (something you have) and the PIN is a knowledge factor (something you know). Combining two different factor types qualifies as multi-factor authentication (MFA). Option C is incorrect because a PIN is not an inherence factor (biometric).

2. A security analyst receives an alert that a host is communicating with an IP address on a threat intelligence block list. After investigation, the analyst determines the traffic is from a legitimate software update service wrongly listed. What should the analyst do?

  • A) Block all traffic from the update service permanently
  • B) Whitelist the IP address and document the exception with a business justification
  • C) Re-image the host as a precaution
  • D) Escalate to law enforcement immediately
Answer: B This is a false positive. The correct response is to create an exception (whitelist) for the verified legitimate traffic and document the exception with a business justification and approval chain, following the organisation's exception management process. Re-imaging is unnecessary and disproportionate for a verified false positive.

3. Which of the following BEST describes the purpose of a SIEM in a security operations centre?

  • A) To automatically patch vulnerable systems based on CVE severity
  • B) To aggregate and correlate log data from multiple sources to detect anomalies and security events
  • C) To perform active vulnerability scanning of network hosts
  • D) To enforce data loss prevention policies on endpoints
Answer: B A Security Information and Event Management (SIEM) system aggregates log data from firewalls, endpoints, servers, and applications, then correlates events using rules and machine learning to identify anomalies and generate alerts. It does not perform patching (A), active scanning (C), or DLP enforcement (D) — those are separate tools.

4. An attacker sends a phishing email containing a link that, when clicked, executes a script that harvests the victim's session cookie. Which attack type is this?

  • A) SQL Injection
  • B) Cross-Site Request Forgery (CSRF)
  • C) Cross-Site Scripting (XSS)
  • D) Session Hijacking via ARP Poisoning
Answer: C Cross-Site Scripting (XSS) attacks inject malicious scripts into web content delivered to users. Stealing session cookies by executing client-side scripts is the canonical XSS payload. CSRF (B) forces a victim's browser to make unintended requests using their existing session — it doesn't harvest cookies. SQL Injection (A) targets databases, not sessions.

5. Which risk treatment option accepts the risk and takes no action to reduce it?

  • A) Risk mitigation
  • B) Risk avoidance
  • C) Risk transference
  • D) Risk acceptance
Answer: D Risk acceptance (also called risk retention) acknowledges the risk and consciously decides to take no further action, typically because the cost of mitigation exceeds the potential impact. Risk mitigation (A) reduces likelihood or impact. Risk avoidance (B) eliminates the risk by stopping the activity. Risk transference (C) shifts financial impact to a third party (e.g., insurance, vendor contract).

6. A company's web application stores session tokens in cookies without the HttpOnly or Secure flags set. Which TWO vulnerabilities does this directly enable?

  • A) Session cookie theft via XSS, and session cookie transmission over unencrypted HTTP
  • B) SQL injection and buffer overflow
  • C) DNS poisoning and CSRF
  • D) Privilege escalation and command injection
Answer: A HttpOnly prevents JavaScript from accessing the cookie — without it, an XSS payload can steal the session token with document.cookie. Secure restricts the cookie to HTTPS — without it, the browser will send the session cookie over plain HTTP, exposing it to network interception. These are two of the most common misconfigurations caught in web application penetration tests and flagged in OWASP's A07:2021 Identification and Authentication Failures.

7. Which of the following is an example of a compensating control when patching a critical server cannot occur within the standard window?

  • A) Accepting the risk and noting it in the risk register
  • B) Isolating the server in a separate network segment with restrictive firewall rules and enhanced logging until the patch is applied
  • C) Documenting the vulnerability and scheduling it for the next quarterly patch cycle
  • D) Shutting the server down until a patch is available
Answer: B A compensating control is an alternative measure that provides comparable protection to the primary control when the primary control cannot be implemented. Network isolation, strict firewall rules, and enhanced monitoring reduce exploitability while the patch is prepared. Option A is risk acceptance without additional control. Option C defers without compensating. Option D may be disproportionate and operationally disruptive. PCI DSS formally requires compensating controls documentation when standard requirements cannot be met — see PCI DSS v4.0, Appendix B.

8. An organisation uses a cloud provider and is responsible for securing the operating system, applications, and data on virtual machines. Which cloud service model does this represent?

  • A) Software as a Service (SaaS)
  • B) Platform as a Service (PaaS)
  • C) Infrastructure as a Service (IaaS)
  • D) Function as a Service (FaaS)
Answer: C In IaaS, the cloud provider manages hardware, hypervisor, and networking; the customer is responsible for the OS, middleware, runtime, applications, and data. In PaaS, the provider also manages the OS and runtime — the customer manages only applications and data. In SaaS, the provider manages everything; the customer manages configuration and access. The NIST SP 800-145 cloud definition is the authoritative reference for these distinctions on the Security+ exam.

9. A digital forensics investigator receives a seized hard drive. Before imaging the drive, which step is MOST critical to maintaining the integrity of the evidence?

  • A) Connect the drive to a standard Windows workstation for examination
  • B) Attach a write-blocker to prevent any modification to the original drive
  • C) Format the drive to remove any residual data from previous analysis
  • D) Copy only the files with recent modification dates
Answer: B A write-blocker (hardware or software) prevents any write operations from reaching the original evidence drive during the imaging process, preserving the legal integrity of the evidence. Any modification — even mounting the drive — can alter timestamps and metadata, making evidence inadmissible. The imaging process creates a bit-for-bit forensic copy, validated by comparing MD5/SHA-256 hashes of the original and the image. This chain-of-custody requirement comes directly from NIST's SP 800-86 Guide to Integrating Forensic Techniques.

10. Which protocol provides mutual authentication between a client and server and is commonly used in wireless 802.1X environments?

  • A) PAP (Password Authentication Protocol)
  • B) CHAP (Challenge Handshake Authentication Protocol)
  • C) EAP-TLS (Extensible Authentication Protocol — Transport Layer Security)
  • D) MS-CHAPv2
Answer: C EAP-TLS provides certificate-based mutual authentication — both the client and the authentication server present certificates, making it the most secure 802.1X EAP method. PAP (A) sends credentials in cleartext — never acceptable. CHAP (B) is a challenge-response protocol that authenticates the client but NOT the server (no mutual authentication). MS-CHAPv2 (D) provides mutual authentication but is vulnerable to offline dictionary attacks if a RADIUS server's certificate is not validated. EAP-TLS is recommended in NIST SP 800-97 and the Wi-Fi Alliance security documentation.
Recommended approach

Security+ 12-Week Study Plan

Designed for professionals working full-time. Assumes 1.5–2 hours per weekday and 3–4 hours on weekends (approximately 15–20 hours per week total).

Weeks 1–3: Foundations

  • Week 1: Domain 1 — General Security Concepts (cryptography, controls, authentication)
  • Week 2: Domain 5 — Security Program Management (risk, compliance, GRC frameworks)
  • Week 3: Domain 3 — Security Architecture (Zero Trust, cloud models, network design)

Weeks 4–7: Core Domains

  • Week 4: Domain 2 — Threats & Vulnerabilities (attack types, threat intelligence)
  • Week 5: Domain 4 — Security Operations (IR lifecycle, forensics, SIEM/SOAR)
  • Week 6: Domain 4 continued (vulnerability management, IAM operations)
  • Week 7: Full first pass review — read through all domain notes

Weeks 8–10: Practice & Gaps

  • Week 8: Take first full-length practice exam; identify weak domains
  • Week 9: Deep-dive study on weakest two domains
  • Week 10: Performance-based question (PBQ) practice — drag-and-drop, simulation

Weeks 11–12: Final Prep

  • Week 11: Two more full-length practice exams; target ≥ 80% consistently
  • Week 12: Review acronyms, port numbers, and protocol behaviours; final mock on exam day minus 2
  • Exam day: No new studying — review notes only; arrive early; flag and return on PBQs

Recommended resources (free & official only)

Network+ N10-009

Practice Questions — Network+

Network+ covers networking fundamentals, implementation, troubleshooting, and security. These questions target the most frequently tested concepts and common exam traps.

1. A host with IP address 172.16.50.10/22 needs to communicate with 172.16.52.1. Will this traffic be routed through the default gateway?

  • A) No — both addresses are on the same /22 subnet
  • B) Yes — the /22 subnet mask creates two separate /23 subnets
  • C) Yes — 172.16.52.1 is outside the 172.16.48.0/22 network
  • D) No — all 172.16.x.x addresses are on the same Class B network
Answer: C A /22 mask covers 4 class C ranges. 172.16.50.10 is in the 172.16.48.0/22 network (range: 172.16.48.1 – 172.16.51.254). 172.16.52.1 falls in the next /22 block (172.16.52.0/22), so traffic must be routed through the default gateway. Always calculate the network address and broadcast to confirm subnet membership.

2. You are troubleshooting intermittent connectivity issues on a VLAN. A switch port shows input errors increasing steadily. What is the MOST likely cause?

  • A) Duplex mismatch between the switch port and the connected device
  • B) An incorrect VLAN ID assigned to the port
  • C) The switch port is operating in half-duplex mode
  • D) A spanning tree loop on the segment
Answer: A Steadily increasing input errors (especially CRC errors and runts) are the classic symptom of a duplex mismatch. When one side auto-negotiates to full duplex and the other is forced to half duplex, the half-duplex side uses CSMA/CD and generates collisions that the full-duplex side reports as input errors. Fix by setting both sides to the same duplex mode (ideally both auto-negotiate).

3. Which DNS record type maps a hostname to an IPv6 address?

  • A) A
  • B) AAAA
  • C) PTR
  • D) CNAME
Answer: B The AAAA (quad-A) record maps a hostname to a 128-bit IPv6 address. The A record maps to a 32-bit IPv4 address. PTR records provide reverse DNS lookup (IP → hostname). CNAME records create an alias pointing to another hostname.

4. A network engineer needs to implement a solution to prevent rogue DHCP servers on the network. Which switch feature should be configured?

  • A) Port security
  • B) DHCP snooping
  • C) Dynamic ARP Inspection (DAI)
  • D) 802.1X authentication
Answer: B DHCP snooping designates switch ports as trusted or untrusted. DHCP offer and acknowledgement messages arriving on untrusted ports are dropped, preventing rogue DHCP servers from answering client requests. The port connected to the legitimate DHCP server is set as trusted. DHCP snooping also builds a binding table used by Dynamic ARP Inspection (C) to validate ARP responses.

5. A fibre optic cable is experiencing signal loss. A technician uses an OTDR (Optical Time-Domain Reflectometer) and identifies a sharp spike at 850 metres. What does this indicate?

  • A) Normal attenuation — signal loss is expected over distance
  • B) A splice or connector at 850 metres
  • C) A complete break or open in the cable at 850 metres
  • D) A bend radius violation causing microbending loss
Answer: C An OTDR spike (reflection) followed by no return signal indicates a break or open in the fibre at that distance. A splice or connector (B) would show a small loss event — a dip, not a spike. Gradual slope represents normal attenuation (A). Microbending (D) appears as distributed loss across a segment, not a sharp event.

6. A router is configured with both a static default route and an OSPF-learned route to the same destination. Which route does the router prefer and why?

  • A) The OSPF route — OSPF is a dynamic protocol and always preferred
  • B) The static route — administrative distance of 1 is lower than OSPF's 110
  • C) The static route — static routes always win regardless of prefix length
  • D) The OSPF route — dynamic routes have lower administrative distance
Answer: B Administrative distance (AD) is the router's trustworthiness metric for route sources. Lower AD wins. Static routes have AD = 1 (only connected routes at 0 are preferred); OSPF internal routes have AD = 110. When two routes exist to the same destination/prefix, the lower-AD source wins. Exception: if prefix lengths differ, the longer prefix (more specific) always wins regardless of AD — this is called longest-prefix matching. Reference: RFC 2328 — OSPFv2.

7. Which 802.11 feature allows a wireless client to move between access points without re-authenticating, maintaining session continuity?

  • A) WPA3 SAE (Simultaneous Authentication of Equals)
  • B) 802.11r Fast BSS Transition (FT)
  • C) SSID bridging
  • D) VLAN trunking across access points
Answer: B 802.11r (Fast BSS Transition) enables fast roaming by pre-caching authentication keys between APs so clients can roam without the full 802.1X re-authentication delay. This is critical for voice-over-Wi-Fi (VoWiFi) calls. WPA3 SAE (A) is the handshake used during initial connection — it doesn't address mid-session roaming. SSID bridging (C) and VLAN trunking (D) are Layer 2 concepts unrelated to wireless client roaming.

8. A security team needs to prevent hosts on VLAN 10 from communicating with hosts on VLAN 20 while both VLANs must still reach the internet. Where should an ACL be placed to enforce this?

  • A) Inbound on the uplink port connecting the switch to the router
  • B) Outbound on the internet-facing router interface
  • C) Inbound on the inter-VLAN routing interface (SVI) of each VLAN on the Layer 3 switch or router
  • D) On the access ports of each host in VLAN 10
Answer: C Inter-VLAN filtering requires ACLs applied inbound on the SVI (or router sub-interface) for each VLAN involved. An inbound ACL on VLAN 10's SVI can permit internet-destined traffic (to the default route) while denying traffic toward the VLAN 20 subnet. Applying it on the uplink (A) only filters traffic going up to the router, not lateral VLAN-to-VLAN traffic handled at Layer 3 locally. CompTIA N10-009 specifically tests ACL placement direction and interface.

9. Which technology allows a single IP address to be translated to multiple private IPs by tracking source port numbers, enabling many internal hosts to share one public IP?

  • A) Static NAT — one-to-one translation
  • B) Dynamic NAT — pool of public addresses
  • C) PAT (Port Address Translation) / NAT Overload
  • D) Proxy ARP
Answer: C PAT (also called NAT Overload) maps multiple internal addresses to a single public IP by tracking unique source port numbers for each session. This is how almost every home and small-business router works. Static NAT (A) maps one private IP to one fixed public IP permanently. Dynamic NAT (B) maps internal hosts to a pool of public IPs — sessions can fail if the pool is exhausted. Proxy ARP (D) is a technique where a router answers ARP requests on behalf of hosts in other subnets — unrelated to NAT.

10. A network technician runs show interface GigabitEthernet0/1 and sees "input errors: 1,200, CRC: 1,200, output errors: 0". What is the MOST likely cause?

  • A) The remote end is generating excessive broadcast traffic
  • B) A damaged cable, a duplex mismatch, or an interface hardware fault
  • C) A spanning tree loop on the segment
  • D) The interface is operating at the wrong VLAN
Answer: B High CRC errors with matching input errors and zero output errors point to a physical layer issue — corrupted frames arriving from the far end. Root causes include damaged/incorrect cabling (Cat5 where Cat6 is needed, bent pins, too-long run), a duplex mismatch (one side full-duplex, other half-duplex generating late collisions), or a failing NIC/SFP. A STP loop (C) would show massive broadcast storms visible on multiple interfaces. VLAN misconfiguration (D) causes traffic loss or incorrect forwarding — not CRC errors.
CySA+ CS0-003

Practice Questions — CySA+

CySA+ tests analytical thinking in threat detection, SIEM/SOAR workflows, and incident response. Questions tend to be scenario-heavy — focus on process and tool selection, not just definitions.

1. A SIEM alert fires on 10,000 events per day. After tuning, 99% are eliminated but 100 alerts remain. Analysis shows 90 are legitimate threats and 10 are false positives. How would you classify these metrics?

  • A) High true positive rate, acceptable false positive rate
  • B) High false positive rate — 10% of remaining alerts are noise
  • C) High true positive rate, but the false positive volume is concerning
  • D) The SIEM rule needs no further tuning
Answer: A The true positive rate (precision) is 90/100 = 90%, which is excellent for a tuned SIEM rule. The false positive rate (10 out of 100 remaining alerts) is 10% of the actionable alert volume — the exam expects you to focus on the ratio among remaining alerts after tuning, not the original volume. This represents successful tuning from 10,000 to 100 alerts while maintaining high precision.

2. During a threat hunt, an analyst discovers a PowerShell process spawning from winword.exe. The process executes a Base64-encoded command that reaches out to an external IP. Which MITRE ATT&CK tactic does this BEST represent?

  • A) Initial Access
  • B) Execution followed by Command and Control (C2)
  • C) Persistence
  • D) Lateral Movement
Answer: B winword.exe spawning PowerShell is a classic spear phishing attachment execution pattern (T1059 – Command and Scripting Interpreter). The Base64-encoded command reaching an external IP represents Command and Control (TA0011) — establishing a communication channel with attacker infrastructure. Multiple ATT&CK tactics can apply simultaneously; the primary observable behaviours are execution and C2 communication.

3. Which type of analysis uses known malware indicators (file hashes, IPs, domains) to identify infections, and which uses behavioural patterns to detect previously unknown threats?

  • A) Signature-based for known; anomaly-based for unknown
  • B) Heuristic for known; reputation-based for unknown
  • C) Anomaly-based for known; signature-based for unknown
  • D) Static analysis for known; dynamic analysis for unknown
Answer: A Signature-based detection compares observable indicators against a database of known bad — highly accurate for known threats, zero coverage for novel ones. Anomaly-based detection establishes a behavioural baseline and alerts on deviations — capable of detecting zero-days but generates more false positives. SIEM and EDR solutions use both in combination.

4. A security analyst receives a vulnerability scan report showing a critical CVE on a production web server. The development team says patching will break a critical integration and requires three months of testing. What is the BEST immediate action?

  • A) Accept the risk and wait for the patching window
  • B) Implement compensating controls (WAF rules, network segmentation, enhanced monitoring) and document the risk exception with executive approval
  • C) Force an emergency patch regardless of the integration impact
  • D) Remove the web server from the network until patching is complete
Answer: B When immediate patching is not feasible, the security team implements compensating controls that reduce exploitability and impact while the patch is prepared and tested. This must be documented as a formal risk exception with a defined remediation timeline and sign-off from the appropriate executive risk owner. Simply accepting risk (A) without controls or documentation is insufficient. Taking the server offline (D) is typically not a proportionate response for a single unpatched CVE.

5. After responding to an incident, the security team conducts a lessons-learned session and identifies that detection took 47 days from initial compromise to alert. Which metric represents this lag?

  • A) Mean Time to Respond (MTTR)
  • B) Mean Time to Detect (MTTD)
  • C) Mean Time Between Failures (MTBF)
  • D) Recovery Time Objective (RTO)
Answer: B Mean Time to Detect (MTTD) measures the average time from when a threat actor first gains access until the security team detects the compromise. Industry average MTTD hovers around 21 days (IBM Cost of a Data Breach Report). MTTR (A) measures the time from detection to full resolution. MTBF (C) applies to infrastructure reliability. RTO (D) is a business continuity metric for acceptable downtime.
PenTest+ PT0-003

Practice Questions — PenTest+

PenTest+ covers planning, scoping, information gathering, exploitation, post-exploitation, and reporting. Questions test methodology knowledge and tool selection — not hands-on exploitation skills.

1. During a penetration test engagement, the client asks you to test their internet-facing assets only. Which type of engagement scope does this represent?

  • A) Grey box — partial knowledge provided
  • B) White box — full infrastructure access
  • C) Black box — no internal access
  • D) Red team engagement
Answer: C Testing only internet-facing assets without internal network access or credentials mirrors an external attacker's perspective — this is a black box engagement. Grey box (A) provides partial information such as credentials or network diagrams. White box (B) provides full documentation and access for maximum coverage. A red team engagement (D) is a broader adversary simulation, typically longer-duration with physical and social engineering components.

2. A tester completes active reconnaissance and identifies an open port 445 on a Windows server. Which is the MOST appropriate next step?

  • A) Immediately attempt MS17-010 (EternalBlue) exploitation
  • B) Enumerate SMB shares and service version to identify applicable vulnerabilities
  • C) Conduct a password spray attack against the SMB service
  • D) Run a full Metasploit auxiliary scan module against the host
Answer: B The correct methodology moves from reconnaissance to enumeration before attempting exploitation. After identifying port 445, enumerate the SMB service version, shares, signing configuration, and any exposed named pipes. This determines which vulnerabilities are actually applicable before attempting exploitation — skipping to MS17-010 (A) without confirming the OS version and patch level wastes time and may cause unintended impact.

3. Which technique involves capturing a Kerberos service ticket and attempting to crack it offline to recover the service account password?

  • A) Pass-the-Hash
  • B) Kerberoasting
  • C) AS-REP Roasting
  • D) Golden Ticket attack
Answer: B Kerberoasting requests service tickets (TGS) for service accounts with SPNs and cracks them offline using tools like Hashcat. Any authenticated domain user can request these tickets. AS-REP Roasting (C) targets accounts with pre-authentication disabled — no credentials required. Pass-the-Hash (A) reuses NTLM hashes for lateral movement without cracking. Golden Ticket (D) requires compromising the krbtgt account hash to forge TGTs.

4. During post-exploitation, a tester discovers that the compromised host runs as SYSTEM. What term describes the process of moving from this host to other systems in the network?

  • A) Privilege escalation
  • B) Lateral movement
  • C) Pivoting
  • D) Persistence
Answer: B Lateral movement describes techniques used to progressively move through a network after initial compromise, accessing additional systems using harvested credentials, exploited services, or trust relationships. Pivoting (C) is a specific technique using a compromised host as a relay to reach network segments not directly accessible to the attacker — it enables lateral movement. Privilege escalation (A) is gaining higher privileges on the current system. Persistence (D) is maintaining access across reboots.

5. A penetration tester's final report should include which of the following for each finding?

  • A) Technical details only — remediation is the client's responsibility
  • B) Risk rating, proof-of-concept evidence, business impact, and prioritised remediation recommendations
  • C) A list of all tested IP addresses and their open ports
  • D) Executive summary only — technical details should be delivered verbally
Answer: B A professional penetration test report includes for each finding: a risk severity rating (CVSS or similar), proof-of-concept evidence (screenshots, output), business impact description contextualised for the client's environment, and prioritised, actionable remediation recommendations. The report should have both an executive summary for non-technical leadership and a technical section with full details. Providing technical details verbally (D) is unprofessional and unacceptable.
A+ 220-1101 (Core 1) & 220-1102 (Core 2)

Practice Questions — CompTIA A+

A+ is the entry-level credential for help desk and field technician roles. The exam splits into two parts: Core 1 (hardware, networking, mobile, virtualisation, troubleshooting) and Core 2 (OS, security, software troubleshooting, operational procedures). Both must be passed within 3 years.

1. (Core 1) A laptop will not power on. After connecting the AC adapter, the charging LED does not light up. What is the FIRST step a technician should perform?

  • A) Replace the battery
  • B) Verify the AC adapter and outlet are functional using a known-good device
  • C) Replace the motherboard
  • D) Reseat the RAM modules
Answer: B CompTIA's six-step troubleshooting methodology starts with "Identify the problem" and emphasises checking the simplest, cheapest, most likely causes first. Verifying the AC adapter, charger cable, and wall outlet using a known-good device confirms whether the power source is the issue before replacing expensive components. Always test power delivery before condemning internal parts.

2. (Core 1) A user reports that printed documents are coming out with vertical white lines on every page. Which printer component is MOST likely the cause on a laser printer?

  • A) The fuser assembly
  • B) The transfer belt
  • C) The imaging drum or toner cartridge
  • D) The pickup roller
Answer: C Vertical white lines (lines that run the length of the page in the direction of paper travel) indicate a scratch or contamination on the imaging drum, or low/empty toner in part of the cartridge. Fuser issues (A) cause smudging or unfused toner. Transfer belt issues (B) typically cause ghosting or full-page colour issues. Pickup roller problems (D) cause paper jams or misfeeds, not print quality issues.

3. (Core 2) A Windows user receives a UAC prompt every time they launch a specific application. The application is legitimate and trusted. How can a technician suppress the prompt for this single application without disabling UAC globally?

  • A) Run the application as administrator using "Run as administrator" each time
  • B) Create a scheduled task that runs the application with highest privileges, then create a shortcut that triggers the task
  • C) Disable UAC by setting it to "Never notify" in User Account Control settings
  • D) Add the user to the local Administrators group
Answer: B Creating a scheduled task configured to "Run with highest privileges" and triggering it via a desktop shortcut allows a trusted application to elevate without showing a UAC prompt — Task Scheduler bypasses the prompt for tasks marked as administrator. Disabling UAC entirely (C) weakens system security significantly. Adding the user to Administrators (D) is the worst answer — it gives the user blanket administrative rights for all applications.

4. (Core 2) A user reports that their Windows 11 PC has become slow and is showing pop-up advertisements in the browser even when no browser windows are open. What is the BEST course of action?

  • A) Reset the browser settings to default
  • B) Follow CompTIA's malware removal process: identify, quarantine, disable System Restore, remediate, schedule scans, re-enable System Restore, educate the user
  • C) Reinstall Windows
  • D) Run a single antivirus scan and reboot
Answer: B CompTIA's malware removal procedure (memorise the order — heavily tested): 1) Investigate and verify malware symptoms. 2) Quarantine infected systems. 3) Disable System Restore (Windows) to prevent malware re-injection from restore points. 4) Remediate by updating signatures and scanning with multiple tools. 5) Schedule scans and updates. 6) Re-enable System Restore and create a new restore point. 7) Educate the end user. Single scans (D) often miss components; full reinstall (C) is the last resort.

5. (Core 1) Which RAID level provides both performance improvement through striping AND fault tolerance, requiring a minimum of four drives?

  • A) RAID 0 — striping with no fault tolerance
  • B) RAID 1 — mirroring
  • C) RAID 5 — striping with distributed parity (minimum 3 drives)
  • D) RAID 10 (RAID 1+0) — mirrored pairs that are then striped
Answer: D RAID 10 combines mirroring (RAID 1) with striping (RAID 0) — requires a minimum of 4 drives. It provides excellent read/write performance and can tolerate the loss of one drive in each mirrored pair. RAID 5 (C) also provides performance and fault tolerance but with only 3-drive minimum and uses parity rather than mirroring. RAID 10 is preferred for high-performance database workloads despite the 50% capacity overhead.
Server+ SK0-005

Practice Questions — CompTIA Server+

Server+ is the only major server administration credential that is vendor-neutral. It covers server hardware, virtualisation, storage, security, networking, and disaster recovery — a critical foundation for data centre operations and infrastructure engineering roles.

1. A server administrator needs to ensure that a critical database server can continue operating without interruption if a single CPU socket fails. Which technology accomplishes this?

  • A) Symmetric Multi-Processing (SMP)
  • B) Lockstep CPUs in a fault-tolerant chassis
  • C) Hyper-Threading
  • D) NUMA (Non-Uniform Memory Access)
Answer: B Lockstep CPU configurations (e.g., HPE NonStop, Stratus ftServer) execute identical instructions on parallel CPUs simultaneously. If one CPU fails, the redundant CPU continues with no interruption. This is true fault tolerance — distinct from clustering, which involves a failover delay. SMP (A) is the standard architecture allowing multiple CPUs but provides no fault tolerance. Hyper-Threading (C) presents two logical cores per physical core — no redundancy. NUMA (D) describes memory architecture, not CPU redundancy.

2. A server in a data centre rack frequently reaches 85°C under load. The rack airflow is bottom-to-top. Where should the server be installed for optimal cooling?

  • A) At the top of the rack to allow heat to rise away from intake
  • B) In the middle of the rack with equal airspace above and below
  • C) Toward the bottom of the rack where the cool air intake is strongest
  • D) Position is irrelevant if HVAC is properly sized
Answer: C Data centre racks use hot-aisle/cold-aisle airflow with cold air entering from the bottom front of the rack and heated air exhausting at the top rear. Hot-running servers should be installed lower in the rack where intake air is coolest. Critical servers also benefit from being below the rack's mid-point, since the temperature gradient rises naturally as heated air ascends. Blanking panels in unused rack units prevent recirculation of hot air to intakes.

3. A server administrator must implement backup retention according to the "3-2-1 rule". Which of the following correctly describes 3-2-1?

  • A) 3 full backups, 2 incremental, 1 differential per week
  • B) 3 copies of data, on 2 different media types, with 1 copy stored offsite
  • C) 3-year retention with 2 verifications and 1 disaster recovery test annually
  • D) 3 backup servers, 2 in a primary site, 1 in a secondary site
Answer: B The 3-2-1 backup rule (popularised by US-CERT) is a foundational principle: maintain at least 3 copies of important data (1 production + 2 backups), store those copies on at least 2 different media types (e.g., disk and tape or disk and cloud), and keep 1 copy offsite to protect against site disasters. Modern variants extend this to 3-2-1-1-0: add one offline (air-gapped) copy and verify zero errors in recovery testing.

4. A virtualisation administrator notices that one VM consistently runs slowly while host CPU utilisation is only 40%. Other VMs perform well. What is the MOST likely cause?

  • A) The host needs additional physical CPUs
  • B) CPU ready time is high — the VM is waiting for physical CPU cycles even though overall host CPU is low
  • C) The VM has too many vCPUs allocated, causing co-scheduling delays
  • D) The VM's disk I/O is saturated
Answer: C A common virtualisation anti-pattern: over-allocating vCPUs to a single VM. The hypervisor must schedule all vCPUs simultaneously (co-scheduling/gang scheduling), so a VM with 8 vCPUs on a host with limited free pCPUs waits for all 8 to be available — even though host CPU appears low overall. Reduce the VM to 2–4 vCPUs and observe immediate improvement. Always size VMs to actual usage. Answer B (ready time) is the symptom; C is the root cause.
Cloud+ CV0-004

Practice Questions — CompTIA Cloud+

Cloud+ is CompTIA's vendor-neutral mid-level cloud credential, covering architecture, deployment, operations, security, and troubleshooting across AWS, Azure, GCP, and private cloud. It is one of the few cloud certifications that is multi-cloud rather than vendor-specific.

1. A cloud architect needs to design a deployment that automatically reverts to the previous version if health checks fail. Which deployment strategy provides this capability with minimal user impact?

  • A) Rolling deployment
  • B) Blue/Green deployment
  • C) Recreate deployment
  • D) Canary deployment
Answer: B Blue/Green deployments maintain two identical environments — one (Blue) currently serving traffic, the other (Green) running the new version. Traffic is switched from Blue to Green via load balancer or DNS change after Green passes health checks. If issues are detected, switching back to Blue is near-instantaneous. Canary (D) gradually shifts a percentage of traffic and is more nuanced — rollback is possible but not as fast. Rolling (A) replaces instances incrementally; recreate (C) takes the service offline.

2. A workload running in the cloud experiences a sudden traffic spike that causes the auto-scaling group to add new instances. New instances take 90 seconds to fully bootstrap and pass health checks. Which approach MOST effectively addresses this latency?

  • A) Increase the minimum capacity to keep more idle instances running
  • B) Bake the application into a pre-configured machine image (golden image) so instances launch ready to serve traffic
  • C) Decrease the auto-scaling cooldown period
  • D) Switch to a smaller instance type to reduce boot time
Answer: B Pre-baking a golden image (Packer-built AMI, custom VM image) with all dependencies installed eliminates bootstrap time. Instances become available within 30–45 seconds instead of 90+. This is the standard pattern for production auto-scaling workloads. Increasing minimum capacity (A) wastes money on idle resources. Reducing cooldown (C) makes scaling more aggressive but doesn't fix slow boot times. Predictive scaling can also help when traffic patterns are anticipated.

3. A cloud workload requires high availability across multiple availability zones. The application uses session state stored in memory on each web server. What architectural change is required?

  • A) Enable sticky sessions on the load balancer
  • B) Move session state to a shared, distributed data store (Redis, DynamoDB, or similar) accessible from all instances
  • C) Increase the instance size to retain more in-memory state
  • D) Disable health checks during deployment
Answer: B Stateless application servers are a foundational cloud design pattern. Move session state to an external store (Redis, Memcached, DynamoDB, or similar) so any instance can serve any request. This enables horizontal scaling, zone-level failover, and zero-downtime deployments. Sticky sessions (A) work but reduce availability — if the instance with the session fails, the user loses state. Cloud+ heavily tests the stateless tier pattern.
Common questions

CompTIA Certification FAQ

How hard is the CompTIA Security+ exam?

Security+ (SY0-701) is considered entry-to-intermediate difficulty. Most candidates with 1–2 years of IT experience and 60–80 hours of focused study pass on their first attempt. The exam includes performance-based questions (PBQs) — scenario simulations that trip up candidates who only study theory. Practice with Professor Messer's free course and a full question bank is the most cost-effective preparation.

Should I get Network+ before Security+?

CompTIA recommends Network+ as a prerequisite but does not require it. If you already understand TCP/IP, subnetting, and common protocols from work experience, you can go directly to Security+. If networking is new to you, Network+ first is strongly advisable — Security+ assumes solid networking fundamentals.

What is the difference between CySA+ and Security+?

Security+ is a broad entry-level credential covering general security concepts. CySA+ (CS0-003) is an intermediate analyst credential focused specifically on threat detection, SIEM analysis, SOAR, and incident response workflows. CySA+ requires Security+ knowledge as a foundation and is the next logical step for security operations and SOC analyst career paths.

Is CASP+ worth getting?

CASP+ (CAS-004) is an expert-level practitioner credential for security architects and senior engineers with 10+ years of experience. Unlike most CompTIA certifications, CASP+ does not expire once earned. It satisfies DoD 8570 IAT Level III requirements and is highly valued for government contractor and senior engineering roles. It is not a management exam — it tests expert-level technical design and implementation decisions.

How long does CompTIA Security+ remain valid?

All CompTIA certifications (except CASP+) are valid for 3 years. You can renew by earning 50 Continuing Education Units (CEUs) through approved training, higher-level certifications, or professional development activities. Alternatively, passing the current version of the exam restarts the 3-year cycle. CompTIA's CertMaster CE online course also satisfies renewal requirements automatically.

Interactive · Timed · Fully explained

Interactive Practice Exam — Security+ SY0-701

A 20-question, 30-minute scenario-based practice test. Each item includes a detailed explanation of why the correct answer is right (and why the other choices are wrong), with links to the authoritative source — NIST, OWASP, MITRE ATT&CK, IETF, RFCs, vendor documentation. Progress auto-saves; you can pause and resume later.

Loading the interactive practice exam… If it does not load, ensure JavaScript is enabled.

Interactive · Timed · Fully explained · Exam #2

Practice Exam #2 — Security+ SY0-701

A second 20-question, 30-minute practice exam with all-new scenarios. Covers cryptography, PKI, network security architecture, Zero Trust, cloud security, SOAR, identity and access management, incident response, and governance. Perfect for a second-pass drill after completing Exam #1.

Loading practice exam… If it does not load, ensure JavaScript is enabled.

Case study · Apply what you study

Real-World Walkthrough: The 2017 Equifax Breach

Security+ tests concepts; real incidents test whether you understood them. Every SY0-701 domain — vulnerability management, network monitoring, identity, incident response, governance — surfaces in this 147-million-record breach. Map each phase to the domains you are studying.

Timeline

  • March 7, 2017: Apache Software Foundation publishes CVE-2017-5638 — an unauthenticated RCE in Apache Struts2's Jakarta Multipart parser.
  • March 8, 2017: US-CERT alert reaches Equifax security. A patch advisory goes to the email distribution list — but the list is out of date and the Struts owner does not receive it. Vulnerability scanning later misses the vulnerable host because the scanner was configured against the wrong directory.
  • May 13 – July 30, 2017: Attackers exploit CVE-2017-5638 on the Equifax Automated Consumer Interview System (ACIS) dispute portal. They establish web shells, pivot through internal networks using credentials found in plaintext config files, and exfiltrate 147 million consumer records — names, SSNs, DOBs, driver's license numbers, ~209,000 credit card numbers.
  • July 29, 2017: An expired certificate on a passive traffic-inspection device is finally renewed. Within hours, anomalous outbound traffic to attacker C2 is detected — proving the exfiltration had been invisible for 76 days because TLS inspection was broken.
  • September 7, 2017: Equifax publicly discloses. Stock drops 35% in one week. CEO, CIO, and CISO resign. Final cost: $1.4B+ in remediation, $700M FTC settlement, congressional investigations.

Map to SY0-701 domains

  • Domain 4 — Security Operations: Patch management failed because the asset inventory was incomplete and the scanner was misconfigured. SY0-701 explicitly tests CVE prioritisation, asset management, and continuous monitoring.
  • Domain 3 — Security Architecture: A flat internal network allowed lateral movement after initial RCE. Segmentation and zero-trust principles would have contained blast radius.
  • Domain 2 — Threats & Vulnerabilities: CVE-2017-5638 was a CRITICAL CVSS 10.0 RCE published with a patch on day zero. Reachable internet-facing services must be patched within 24-72 hours per CISA BOD 22-01 today.
  • Domain 4 — Detection & monitoring: Expired certificate on the inspection device created a 76-day detection blind spot. PKI lifecycle (cert expiry monitoring) is now an explicit SY0-701 objective.
  • Domain 1 — Governance: Disclosure was delayed six weeks while executives sold stock — leading to SEC insider-trading scrutiny. Incident-response policy must define communication AND legal triggers.
  • Domain 5 — Program management: The GAO report identified failures in vulnerability scanning policy, asset inventory, network segmentation, and IR coordination — every one of these is on the SY0-701 blueprint.

Study technique: after every domain you study, find one news-grade incident that exemplifies it, and write three paragraphs mapping the technical details to the exam objectives. This consolidates concept retention far better than re-reading.

Curated resources · Verified links

Helpful Materials — Security+ SY0-701

A short list of resources we actually recommend. We deliberately keep this list lean — quantity is not the same as quality. Use the official objectives as the ground-truth scope and read everything else through that lens.

Recommended books

  • Mike Chapple & David Seidl — CompTIA Security+ SY0-701 Study Guide (Sybex). The mainstream textbook.
  • Mike Meyers — CompTIA Security+ Certification All-in-One Exam Guide. Best for visual learners.
  • William Stallings — Computer Security: Principles and Practice. Deeper conceptual grounding for cryptography and access control.

Video & community

Additional free practice

Quick reference · Memorise before exam day

Security+ SY0-701 Cheatsheet

High-frequency facts that appear repeatedly on the exam. Print this page and review it the morning of the test.

Ports & protocols

  • FTP — 20/21 · SFTP — 22 · FTPS — 989/990
  • SSH — 22 · Telnet — 23 (avoid)
  • SMTP — 25 · SMTPS — 465/587 with STARTTLS
  • DNS — 53 (TCP/UDP) · DoT 853 · DoH 443
  • HTTP — 80 · HTTPS — 443 · HTTP/3 over QUIC — UDP/443
  • POP3 — 110 / POP3S — 995 · IMAP — 143 / IMAPS — 993
  • LDAP — 389 · LDAPS — 636
  • SMB — 445 · RDP — 3389 (NEVER expose)
  • SNMP — 161/162 · Syslog — 514 (UDP) / 6514 (TLS)
  • Kerberos — 88 · RADIUS — 1812/1813 · TACACS+ — 49

Cryptography quick facts

  • Symmetric: AES (128/192/256), ChaCha20. Fast, single key.
  • Asymmetric: RSA (≥2048), ECDSA, Ed25519. Slow, key pair.
  • Hashing: SHA-256 / SHA-3. MD5 & SHA-1 are deprecated.
  • Password hashing: bcrypt, Argon2id, scrypt, PBKDF2 (salted + costly).
  • TLS 1.3 only — TLS 1.0/1.1 deprecated (RFC 8996).
  • PFS = ephemeral DH (ECDHE / DHE).

OSI model layers

  • L1 Physical — cables, NIC hardware
  • L2 Data Link — MAC, Ethernet, switches, ARP
  • L3 Network — IP, routers, ICMP, IPsec
  • L4 Transport — TCP/UDP, ports
  • L5 Session — RPC, SOCKS
  • L6 Presentation — TLS, MIME, JPEG
  • L7 Application — HTTP, DNS, SMTP, SSH

Mnemonic: Please Do Not Throw Sausage Pizza Away.

Incident response phases (NIST SP 800-61)

  1. Preparation
  2. Detection & Analysis
  3. Containment, Eradication & Recovery
  4. Post-Incident Activity (lessons learned)

Risk treatment options

  • Avoid — stop the activity
  • Transfer — insurance, outsourcing
  • Mitigate — apply controls
  • Accept — formally tolerate residual risk
Study tools · Active recall · CompTIA

Flashcards & Term-Matching Game

Active recall beats passive reading for long-term retention. Use the flashcards to drill definitions and the matching game to reinforce connections between concepts. Shuffle to mix domains and reset to start fresh. Keyboard navigation supported on flashcards.

Flashcard Deck — Key Terms

Loading flashcards… ensure JavaScript is enabled.

Term-Matching Game

Click a term on the left, then click its matching definition on the right. Correct pairs lock in green; wrong pairs flash red. Complete all pairs to advance to the next round.

Loading matching game… ensure JavaScript is enabled.

Speed Round — True or False

You have 10 seconds per statement. Answer TRUE or FALSE before the timer runs out. Build a combo multiplier for consecutive correct answers and beat your session high score.

Loading speed round… ensure JavaScript is enabled.

Fill in the Blank

Read the clue and type the missing term. One typo is forgiven for longer answers. Use the hint button if you're stuck — but it costs half the question's points.

Loading fill-in-the-blank… ensure JavaScript is enabled.

Domain Sprint — Categorise the Term

A term appears — click the correct exam domain it belongs to. Correct selections score 100 pts; wrong selections deduct 25 pts. Master domain knowledge before exam day.

Loading domain sprint… ensure JavaScript is enabled.

Explore other CompTIA certifications

← All Certifications ISC2 Prep → Cisco Prep →