Think you know security? Prove it.
Not the definitions you highlighted in the study guide. The real thing, where a question drops you into a scenario, gives you four answers that all look right, and starts the clock. That’s the gap between feeling ready and being ready.
The SY0-701 hands you up to 90 of those moments in 90 minutes. Miss too many and you walk out with a number below 750.
This guide gives you 80 practice test questions mapped to all five Security+ domains, each with a full explanation. You’ll also get the exact domain weightings, a breakdown of the performance-based questions that catch people off guard, and an 8-week study schedule. The fastest way to find your weak spots? Answer these first, then read why the wrong answers are wrong.
Quick exam facts:

| Detail | Value |
|---|---|
| Exam code | SY0-701 |
| Questions | Up to 90 (multiple-choice + PBQ) |
| Time limit | 90 minutes |
| Passing score | 750 out of 900 |
| Launched | November 2023 |
| Est. retirement | Late 2026 to 2027 (not yet announced) |
| Cost | $404 USD (single voucher) |
CompTIA hasn’t announced a retirement date for the SY0-701 yet. They usually keep an exam version live for around three years, so plan around late 2026 to 2027 and check CompTIA’s official Security+ page before you book.
What the CompTIA SY0-701 Security+ Practice Test Covers

The SY0-701 is built around five domains. Each one carries a different weight, and that weight is your study map. Spend your hours where the points are.
| Domain | Weight |
|---|---|
| 1.0 General Security Concepts | 12% |
| 2.0 Threats, Vulnerabilities, and Mitigations | 22% |
| 3.0 Security Architecture | 18% |
| 4.0 Security Operations | 28% |
| 5.0 Security Program Management and Oversight | 20% |
Security Operations is the giant. At 28%, it’s nearly a third of your exam. Threats and Program Management together add another 42%. So three domains decide roughly 70% of your result. That’s where this practice test puts most of its questions, weighted to match the real thing.
About 10 to 15% of the exam is performance-based (PBQs). These aren’t multiple choice. You’ll configure firewall rules, sort logs, match controls to scenarios, or analyse a simulated attack. Flashcards won’t save you here. More on that later.
First, a quick reality check: If you’ve already passed Network+ and you’re stacking certs, you’re on the right path. Security+ is the cert most employers and the US DoD treat as the baseline. Studying for it cold with no networking background? You’ll want longer. Either way, our Network+ practice test is a solid warm-up for the networking concepts Security+ assumes you already know.
Domain 1 Security+ Practice Questions: General Security Concepts (12%)
This is the vocabulary and the mental models. Get these wrong and the harder domains turn into guesswork, because the rest of the exam builds on this language.
What this domain covers:
- The CIA triad and non-repudiation
- Security control types (technical, managerial, operational, physical) and categories (preventive, deterrent, detective, corrective, compensating, directive)
- Zero Trust (control plane, data plane, policy engine, policy enforcement point)
- Cryptographic concepts (PKI, symmetric vs asymmetric, hashing, salting, digital signatures, certificates)
- Physical security and deception tech (honeypots, honeytokens)
- Change management basics
Q1. A company encrypts customer records so that even if the database is stolen, the attacker can’t read the contents. Which part of the CIA triad does this protect?
A) Integrity
B) Availability
C) Confidentiality ✓
D) Non-repudiation
Confidentiality keeps data secret from unauthorised parties. Encryption is the classic confidentiality control. Integrity protects against tampering, availability keeps systems reachable.
Q2. A security guard stationed at a building entrance is BEST classified as which control type and category?
A) Technical, preventive
B) Physical, deterrent ✓
C) Managerial, detective
D) Operational, corrective
A guard is a physical control. Their visible presence mainly deters people from trying something, so the category is deterrent. They can also detect and prevent, but the exam wants the primary intent.
Q3. In a Zero Trust architecture, which component makes the actual allow-or-deny decision for an access request?
A) Policy enforcement point
B) Policy engine ✓
C) Policy administrator
D) Data plane
The policy engine (in the control plane) evaluates the request and decides. The policy administrator carries out that decision, and the policy enforcement point is the gate that actually allows or blocks the traffic.
Q4. Which cryptographic feature provides non-repudiation, proving a specific sender created a message?
A) Symmetric encryption
B) Hashing alone
C) Digital signature ✓
D) A shared secret key
A digital signature uses the sender’s private key, so only they could have created it. That proves origin and prevents the sender from denying it. Symmetric keys are shared, so they can’t prove who acted.
Q5. What is the main difference between hashing and encryption?
A) Hashing is faster but less secure than encryption
B) Hashing is one-way and can’t be reversed; encryption is reversible with a key ✓
C) Encryption is one-way; hashing is two-way
D) They’re the same with different names
Hashing produces a fixed output you can’t reverse to the original. It’s used for integrity checks and password storage. Encryption is designed to be decrypted by anyone holding the right key.
Q6. Why do systems add a salt before hashing stored passwords?
A) To make the hash shorter
B) To encrypt the password
C) To defeat precomputed rainbow table attacks ✓
D) To speed up the login process
A salt is random data added to each password before hashing. It makes identical passwords hash differently and renders precomputed rainbow tables useless. Attackers would need a unique table per salt.
Q7. A security team sets up a decoy server with fake data, purely to watch how attackers behave. What is this called?
A) A jump server
B) A bastion host
C) A honeypot ✓
D) A proxy server
A honeypot is a decoy designed to attract and study attackers. A honeytoken is a similar idea applied to a single fake record or credential. Jump servers and proxies are legitimate access tools.
Q8. A company compares its current security posture against a target framework and lists every shortfall. What is this process called?
A) Penetration test
B) Gap analysis ✓
C) Risk transfer
D) Attestation
A gap analysis measures where you are now against where you need to be (a standard, framework, or policy) and documents the gaps to close. It’s a planning tool, not an attack simulation.
Q9. Two parties want to agree on a shared symmetric key over an insecure channel without ever sending the key itself. Which method makes this possible?
A) AES
B) SHA-256
C) Diffie-Hellman key exchange ✓
D) Salting
Diffie-Hellman lets two parties derive a shared secret over an open channel without transmitting the key. AES is the symmetric cipher used afterward, and SHA-256 is a hash function.
Q10. In a public key infrastructure, what does a certificate authority (CA) actually do?
A) Encrypt all traffic on the network
B) Issue and digitally sign certificates that bind a public key to an identity ✓
C) Store users’ private keys
D) Generate symmetric session keys
A CA vouches for identities by signing certificates. That signature lets others trust that a public key really belongs to who it claims. CAs never hold your private key, that stays with you.
Want the live version of all this? Reading control types is one thing. Building and breaking them in a lab is what makes it stick. SMEnode Academy’s Security Engineer course runs instructor-led labs that take these concepts well past exam level. Good option if you want structure and someone to ask when you’re stuck.
Domain 2 Security+ Practice Questions: Threats, Vulnerabilities, and Mitigations (22%)
The second-biggest domain. This is where the exam tests whether you can name an attack, spot a vulnerability, and pick the right fix. Lots of scenario questions live here.
What this domain covers:
- Threat actors (nation-state, hacktivist, insider, organised crime, unskilled attacker) and their motivations
- Social engineering (phishing, vishing, smishing, pretexting, business email compromise, watering hole, typosquatting)
- Malware types (ransomware, trojan, worm, virus, spyware, rootkit, logic bomb, keylogger)
- Application attacks (injection, buffer overflow, XSS, privilege escalation, race conditions)
- Network and crypto attacks (DDoS, on-path, DNS poisoning, downgrade, collision)
- Mitigation techniques (segmentation, hardening, least privilege, patching, isolation)
Q11. An attacker encrypts a company’s files and demands payment for the decryption key. What type of malware is this?
A) Spyware
B) Trojan
C) Ransomware ✓
D) Rootkit
Ransomware encrypts data and extorts the victim. A trojan disguises itself as legitimate software, spyware quietly collects data, and a rootkit hides its presence to maintain access.
Q12. A user gets a text message claiming to be from their bank, asking them to click a link and verify their PIN. What kind of attack is this?
A) Vishing
B) Smishing ✓
C) Pharming
D) Watering hole
Smishing is phishing over SMS text. Vishing is voice-based (phone calls). Pharming redirects users to fake sites via DNS, and a watering hole compromises a site the target already trusts.
Q13. A finance employee receives an email that looks like it’s from the CEO, urgently requesting a wire transfer. The domain is slightly misspelled. What is this attack called?
A) Spear phishing only
B) Business email compromise (BEC) ✓
C) Credential stuffing
D) Typosquatting only
BEC impersonates an executive or trusted partner to trigger fraudulent transfers or data release. It often combines spoofing and urgency. The misspelled domain is one tactic used to pull it off.
Q14. Which threat actor is typically the BEST funded, most patient, and motivated by espionage or strategic advantage?
A) Hacktivist
B) Unskilled attacker
C) Nation-state ✓
D) Insider threat
Nation-state actors have deep resources and run long campaigns (advanced persistent threats). Hacktivists chase ideology, unskilled attackers use prebuilt tools, and insiders act from within.
Q15. A web form passes user input straight into a database query without checking it. An attacker enters ' OR '1'='1. What attack does this enable?
A) Cross-site scripting
B) Buffer overflow
C) SQL injection ✓
D) CSRF
SQL injection happens when untrusted input is concatenated into a query. The classic ' OR '1'='1 makes the condition always true. Input validation and parameterised queries are the fix.
Q16. An attacker injects a malicious script into a website’s comment field. When other users load the page, the script runs in their browsers. What is this?
A) SQL injection
B) Cross-site scripting (XSS) ✓
C) Privilege escalation
D) On-path attack
XSS injects client-side scripts that execute in other users’ browsers. SQL injection targets the database. The fix is input sanitisation and output encoding.
Q17. A program writes more data into a memory buffer than it can hold, overwriting adjacent memory. What vulnerability is this?
A) Race condition
B) Buffer overflow ✓
C) Cross-site scripting
D) Directory traversal
A buffer overflow overwrites memory beyond a buffer’s bounds, which can crash the app or let an attacker run code. Bounds checking and modern memory-safe languages reduce the risk.
Q18. Two processes check and use a shared resource at nearly the same time, and the timing gap creates a security flaw. What is this called?
A) Logic bomb
B) Privilege escalation
C) Race condition (TOCTOU) ✓
D) Buffer overflow
A race condition, often a time-of-check to time-of-use (TOCTOU) flaw, exploits the gap between when a value is verified and when it’s used. Proper locking prevents it.
Q19. An attacker positions themselves between a user and a server, secretly relaying and possibly altering traffic. What is this attack called?
A) Replay attack
B) On-path attack (man-in-the-middle) ✓
C) DNS poisoning
D) Amplification attack
An on-path attack (the current CompTIA term for man-in-the-middle) intercepts traffic between two parties. Strong encryption like TLS and certificate validation make it much harder.
Q20. An attacker forces a connection to drop from TLS 1.3 down to an older, weaker protocol to exploit a known flaw. What attack is this?
A) Collision attack
B) Birthday attack
C) Downgrade attack ✓
D) Pass-the-hash
A downgrade attack tricks systems into using a weaker protocol or cipher. Disabling legacy protocols and enforcing minimum versions stops it.
Q21. A piece of code sits dormant in a system and triggers its payload only when a specific condition is met, like a date or a deleted user account. What is this?
A) Worm
B) Trojan
C) Logic bomb ✓
D) Rootkit
A logic bomb activates on a trigger condition. It’s often planted by a disgruntled insider. The delayed execution is what separates it from regular malware.
Q22. An attacker tries a handful of extremely common passwords (like “Password1”) across thousands of accounts, one attempt per account. What attack avoids lockouts this way?
A) Brute force
B) Dictionary attack
C) Password spraying ✓
D) Rainbow table attack
Password spraying uses a few common passwords against many accounts to stay under lockout thresholds. Brute force hammers one account with many guesses and trips lockouts fast.
Q23. A self-replicating piece of malware spreads across a network on its own, with no user action and no host file needed. What is it?
A) Virus
B) Worm ✓
C) Trojan
D) Spyware
A worm self-propagates across networks without user interaction. A virus needs a host file and usually a user to run it. That self-spreading is the key difference.
Q24. A vulnerability is being actively exploited in the wild, and no patch exists yet from the vendor. What is this called?
A) Known exploit
B) Legacy vulnerability
C) Zero-day ✓
D) Misconfiguration
A zero-day is a flaw with no available patch, giving defenders “zero days” to prepare. Behaviour-based detection and segmentation help limit damage until a fix ships.
Q25. A company buys a third-party software library, and attackers compromise that library to reach every business using it. What type of attack vector is this?
A) Insider threat
B) Watering hole
C) Supply chain attack ✓
D) Shadow IT
A supply chain attack targets a trusted vendor or component to reach many downstream victims. Vendor risk assessments and software bills of materials (SBOMs) help manage it.
Q26. Which mitigation technique limits how far an attacker can move after breaching one part of the network?
A) Patching
B) Segmentation ✓
C) Encryption at rest
D) Input validation
Network segmentation splits the network into zones so a breach in one segment can’t freely reach others. It directly limits lateral movement.
Q27. Employees set up an unsanctioned cloud file-sharing app without IT approval. What does this represent?
A) Nation-state threat
B) Shadow IT ✓
C) Logic bomb
D) Pretexting
Shadow IT is technology used inside an organisation without IT’s knowledge or approval. It expands the attack surface because security can’t protect what it doesn’t know exists.
Q28. A vulnerability scan flags an open port running an outdated service. The team applies the vendor’s update to close the flaw. Which mitigation technique is this?
A) Segmentation
B) Isolation
C) Patching ✓
D) Tokenisation
Patching applies vendor updates that fix known vulnerabilities. It’s the most direct mitigation when a fix exists. Isolation and segmentation are compensating controls when you can’t patch right away.
Mini-story: Daniel had a strong networking background and figured Security+ would be easy. He breezed through the threat-actor and malware questions in his short quizzes, scoring high. Then he sat a full 90-question mock under a timer. He hit a wall at the mitigation scenarios, the ones that say “which control BEST addresses this.” His knowledge was fine. His problem was reading three plausible answers and picking the one CompTIA wanted. He went 71% on that mock. Two weeks of reviewing wrong answers (not right ones) later, he was at 82%. He passed with a 793. His takeaway: “The exam tests judgement, not just facts. Practice picking between right and more right.”
Domain 3 Security+ Practice Questions: Security Architecture (18%)
Architecture is about designing security into systems. Cloud models, network placement, data protection, and keeping things running when something fails. Expect “where should this go” and “how do you protect this data” questions.
What this domain covers:
- Architecture models (cloud, serverless, microservices, IaC, virtualisation, IoT, ICS/SCADA)
- Secure infrastructure (device placement, security zones, fail-open vs fail-closed, jump servers, proxies)
- Firewall types (WAF, NGFW, UTM, layer 4 vs layer 7)
- Secure communication (VPN, IPSec, TLS, SD-WAN, SASE)
- Data protection (states of data, encryption, masking, tokenisation, obfuscation)
- Resilience and recovery (high availability, hot/warm/cold sites, backups, UPS, generators)
Q29. A firewall loses power and, by design, blocks all traffic until it’s back online. What failure mode is this?
A) Fail-open
B) Fail-closed ✓
C) Fail-safe to availability
D) Active-active
Fail-closed (fail-secure) blocks traffic when the device fails, prioritising security over availability. Fail-open allows traffic through, prioritising availability. The right choice depends on the asset.
Q30. Which firewall inspects traffic at the application layer and can identify specific applications regardless of port, plus integrate intrusion prevention?
A) Stateless packet filter
B) Layer 4 firewall
C) Next-generation firewall (NGFW) ✓
D) Basic ACL router
An NGFW does deep packet inspection at layer 7, application awareness, and often built-in IPS. A layer 4 firewall only sees ports and protocols. Want hands-on firewall depth? Our FortiGate firewall explainer breaks down a real NGFW.
Q31. A company wants to protect a public web application from SQL injection and XSS at the HTTP layer. Which device is purpose-built for this?
A) NGFW
B) Web application firewall (WAF) ✓
C) Load balancer
D) Network IPS
A WAF inspects HTTP/HTTPS traffic specifically to block web attacks like injection and XSS. A general firewall or IPS isn’t tuned for application-layer web threats the same way.
Q32. Data is being actively processed in a server’s RAM right now. Which state of data is this?
A) Data at rest
B) Data in transit
C) Data in use ✓
D) Data in storage
Data in use is data being processed in memory or by the CPU. At rest is stored data, in transit is data moving across a network. Each state needs different protections.
Q33. A company replaces credit card numbers with random surrogate values, stored in a separate vault, so the real numbers never sit in the application database. What technique is this?
A) Encryption
B) Masking
C) Tokenisation ✓
D) Hashing
Tokenisation swaps sensitive data for a meaningless token, with the real value stored separately. Masking only hides part of the data (like showing the last 4 digits). Tokenisation is common in payment systems.
Q34. Which site type has hardware and connectivity ready but no current data, requiring restoration before it can take over operations?
A) Hot site
B) Warm site ✓
C) Cold site
D) Cloud site
A warm site has infrastructure in place but needs data restored and some setup. A hot site is fully ready for near-instant failover. A cold site is just space and power, with the most work to bring online.
Q35. A jump server (jump box) is BEST described as what?
A) A backup server in a cold site
B) A hardened host used as a controlled gateway to access systems in a secure zone ✓
C) A load balancer for web traffic
D) A decoy to attract attackers
A jump server is a single hardened entry point administrators connect through to reach sensitive systems. It centralises and logs access. A decoy is a honeypot, not a jump server.
Q36. Which technology combines SD-WAN with cloud-delivered security services like secure web gateway, CASB, and Zero Trust access into one framework?
A) IPSec VPN
B) UTM
C) SASE ✓
D) Site-to-site VPN
SASE (Secure Access Service Edge) merges networking (SD-WAN) and security functions into a single cloud-delivered model. It’s built for distributed, work-from-anywhere setups.
Q37. An organisation runs critical industrial equipment controlled by systems that monitor and manage physical processes in a plant. What type of system is this?
A) IoT
B) ICS/SCADA ✓
C) RTOS only
D) Microservices
ICS (Industrial Control Systems) and SCADA manage physical industrial processes. They often run legacy software and need careful segmentation because downtime or tampering has physical consequences.
Q38. A power outage hits a data centre. Which device provides immediate, short-term battery power to keep systems running until generators start?
A) Generator
B) UPS (uninterruptible power supply) ✓
C) PDU
D) Surge protector
A UPS gives instant battery power to bridge the gap until a generator spins up. Generators provide longer-term power but take time to start. You typically need both.
Q39. A company wants two servers sharing the workload, both active, so if one fails the other absorbs the traffic. What is this configuration?
A) Cold standby
B) Active-active clustering / load balancing ✓
C) Active-passive only
D) RAID 1
Active-active means both nodes handle traffic simultaneously and provide redundancy. Active-passive keeps one node on standby. RAID 1 is disk mirroring, not server redundancy.
Q40. Which backup type captures only the data changed since the last full backup, and does NOT clear the archive bit, so each one keeps growing?
A) Full backup
B) Incremental backup
C) Differential backup ✓
D) Snapshot
A differential backup copies everything changed since the last full backup. Incremental copies only changes since the last backup of any kind. Differentials grow larger but restore faster (full + one differential).
Q41. A company stores encryption keys in a tamper-resistant hardware device dedicated to key management. What is this device?
A) TPM
B) HSM (hardware security module) ✓
C) Smart card
D) Secure enclave
An HSM is a dedicated, tamper-resistant appliance for generating and storing keys. A TPM is a chip on a single device for that machine’s keys. HSMs serve at scale across systems.
Q42. An organisation deploys its infrastructure using version-controlled configuration files instead of manual setup, so every environment is identical and repeatable. What practice is this?
A) Containerisation
B) Infrastructure as code (IaC) ✓
C) Virtualisation
D) Serverless computing
IaC defines infrastructure in code, making deployments consistent, repeatable, and auditable. It reduces configuration drift and human error. Containerisation and serverless are related but different concepts.
Hands-on beats highlighting. Security Architecture questions get easier once you’ve actually built the things. The SMEnode Labs FortiGate NSE4 Workbook walks you through real firewall, VPN, and segmentation labs in EVE-NG. It’s not a Security+ workbook, but the architecture muscle memory carries straight into these exam scenarios.
Domain 4 Security+ Practice Questions: Security Operations (28%)
The biggest domain, full stop. This is the day-to-day work of defending systems: hardening, monitoring, identity, incident response, and automation. If you’re weak here, you won’t pass. Give it the most study time.
What this domain covers:
- Hardening and secure baselines
- Identity and access management (provisioning, SSO, federation, MFA, PAM)
- Access control models (RBAC, MAC, DAC, ABAC, rule-based, least privilege)
- Vulnerability management (scanning, CVSS, CVE, prioritisation, remediation)
- Monitoring and alerting (SIEM, DLP, NAC, EDR/XDR, SNMP, NetFlow)
- Email security (SPF, DKIM, DMARC) and secure protocols
- Incident response process and digital forensics
Q43. Which access control model assigns permissions based on a user’s job function, like “Accountant” or “HR Manager”?
A) Discretionary access control (DAC)
B) Mandatory access control (MAC)
C) Role-based access control (RBAC) ✓
D) Attribute-based access control (ABAC)
RBAC ties permissions to roles, then assigns users to roles. MAC uses labels and clearances (common in government). DAC lets resource owners set permissions. ABAC uses attributes like location and time.
Q44. A login requires a password and a code from an authenticator app. Which two authentication factors are in use?
A) Two of “something you know”
B) “Something you know” and “something you have” ✓
C) “Something you are” and “something you have”
D) “Somewhere you are” and “something you know”
A password is something you know. An authenticator app on a phone is something you have. Combining different factor types is what makes it true multi-factor authentication.
Q45. A SOC analyst uses a tool that aggregates and correlates logs from firewalls, servers, and endpoints to detect patterns and raise alerts. What tool is this?
A) DLP
B) SIEM ✓
C) NAC
D) Vulnerability scanner
A SIEM (Security Information and Event Management) collects, correlates, and alerts on log data from across the environment. It’s the analyst’s central console. DLP stops data exfiltration, NAC controls device access.
Q46. Which technology prevents sensitive data like credit card numbers from leaving the organisation through email or USB?
A) NAC
B) IPS
C) DLP (data loss prevention) ✓
D) SIEM
DLP inspects data in motion, at rest, and in use to block unauthorised transfer of sensitive information. It can stop an email with card numbers or block a copy to a USB drive.
Q47. A vulnerability is scored using a standardised framework that rates severity from 0 to 10. What is this framework?
A) CVE
B) CVSS ✓
C) CWE
D) STIX
CVSS (Common Vulnerability Scoring System) rates severity 0 to 10. CVE is the unique identifier for a specific vulnerability. The two work together: a CVE has a CVSS score.
Q48. Put CompTIA’s incident response phases in order. Which sequence is correct?
A) Detection, preparation, recovery, containment
B) Preparation, detection, analysis, containment, eradication, recovery, lessons learned ✓
C) Containment, eradication, preparation, recovery
D) Analysis, preparation, recovery, detection
The order is preparation, detection, analysis, containment, eradication, recovery, then lessons learned. Preparation comes first (before any incident), and lessons learned closes the loop to improve next time.
Q49. During a forensic investigation, every person who handles evidence is documented, along with when and why. What does this maintain?
A) Legal hold
B) Chain of custody ✓
C) E-discovery
D) Data retention policy
Chain of custody documents who handled evidence, when, and what they did, so it holds up in court. A legal hold preserves data from deletion. Breaking the chain can make evidence inadmissible.
Q50. A company keeps privileged admin credentials in a vault and grants access only for a specific task, for a limited window. What concept is this?
A) Single sign-on
B) Federation
C) Just-in-time (JIT) privileged access ✓
D) Discretionary access control
JIT access grants elevated rights only when needed and revokes them after. Combined with password vaulting, it shrinks the window an attacker can abuse standing admin rights. This is core PAM.
Q51. Which email authentication method publishes a DNS record listing the mail servers authorised to send for a domain?
A) DKIM
B) SPF ✓
C) DMARC
D) S/MIME
SPF (Sender Policy Framework) lists authorised sending servers in DNS. DKIM signs messages cryptographically. DMARC ties SPF and DKIM together with a policy for handling failures. All three reduce spoofing.
Q52. An endpoint tool continuously monitors devices, detects suspicious behaviour, and can automatically respond by isolating a host. What is this?
A) Antivirus
B) EDR (endpoint detection and response) ✓
C) Host firewall
D) DLP
EDR goes beyond signature antivirus. It records endpoint activity, detects behavioural threats, and can respond (like isolating a machine). XDR extends this across endpoints, network, and cloud.
Q53. A new server is built from a standardised, secured template that disables unneeded services and applies hardening settings. What is this template called?
A) Golden ticket
B) Secure baseline ✓
C) Snapshot
D) Risk register
A secure baseline is a known-good, hardened configuration applied consistently to systems. Establishing, deploying, and maintaining baselines is a core operations task.
Q54. Which access control model is MOST common in government and military, using classification labels like “Secret” and “Top Secret”?
A) RBAC
B) DAC
C) MAC (mandatory access control) ✓
D) Rule-based access control
MAC enforces access through labels and clearances set by the system, not the user. Users can’t change permissions. It’s strict and common where data classification is legally enforced.
Q55. A SOC is flooded with false-positive alerts from a detection rule. What is the correct operational response?
A) Disable the SIEM
B) Ignore all alerts from that source
C) Tune the alert rule to reduce noise ✓
D) Quarantine every flagged host
Tuning adjusts thresholds and logic to cut false positives without missing real threats. Disabling the tool or ignoring alerts creates blind spots. Tuning is routine SOC maintenance.
Q56. A company wants devices to prove they’re patched and compliant before they’re allowed onto the corporate network. Which technology enforces this?
A) DLP
B) SIEM
C) NAC (network access control) ✓
D) WAF
NAC checks device posture (patch level, antivirus, configuration) before granting network access. Non-compliant devices get quarantined or sent to a remediation VLAN.
Q57. Several apps let users log in once and access all of them without re-entering credentials. What is this?
A) Federation
B) Single sign-on (SSO) ✓
C) Multi-factor authentication
D) Attestation
SSO lets one authentication grant access to multiple applications. Federation extends identity across separate organisations. SAML and OAuth are common protocols that make SSO work.
Q58. A scan runs without installing anything on the target hosts, querying them remotely instead. What type of scan is this?
A) Credentialed scan
B) Agentless scan ✓
C) Agent-based scan
D) Compliance scan
An agentless scan checks systems remotely with no software installed on them. An agent-based scan runs local software on each host for deeper, continuous data. Each has trade-offs in coverage and overhead.
Q59. Which automation benefit is the BEST reason a SOC scripts its repetitive triage tasks?
A) It removes the need for any analysts
B) Faster, consistent response and fewer human errors ✓
C) It guarantees zero false positives
D) It eliminates the need for logging
Automation and orchestration speed up response, enforce consistency, and reduce mistakes on repetitive work. It supports analysts, it doesn’t replace them, and it doesn’t make detection perfect.
Q60. A user’s access rights are reviewed and confirmed by their manager during a periodic certification cycle. What is this process?
A) Provisioning
B) Attestation (access review) ✓
C) Federation
D) Identity proofing
Attestation is the periodic review where someone confirms users still need the access they have. It catches privilege creep. Provisioning grants access, identity proofing verifies who someone is at enrolment.
Q61. An organisation assigns access based on a combination of department, location, time of day, and device type. Which model is this?
A) RBAC
B) MAC
C) DAC
D) Attribute-based access control (ABAC) ✓
ABAC evaluates multiple attributes (user, resource, environment) to make fine-grained decisions. It’s more flexible than RBAC but more complex to manage.
Q62. A forensic analyst must capture volatile data from a running system. Which source should be collected FIRST, following the order of volatility?
A) Data on the hard drive
B) Archived backups
C) CPU registers and RAM (memory) ✓
D) Remote logs
The order of volatility says collect the most fleeting data first. CPU cache, registers, and RAM disappear on power-off, so they come before disk and backups. Capturing them late means losing them.
Q63. Which log source would BEST show that a specific user account authenticated successfully to a Windows server at 2 AM?
A) Firewall logs
B) OS / authentication logs ✓
C) Web server logs
D) NetFlow data
OS security and authentication logs record login events, including account, time, and result. Firewall logs show traffic, NetFlow shows flow metadata, web logs show HTTP requests, none give login detail like the OS log.
Q64. A managed mobile fleet needs enforced encryption, remote wipe, and app control across all corporate phones. Which solution provides this?
A) NAC
B) MDM (mobile device management) ✓
C) DLP
D) CASB
MDM enforces policy on mobile devices: encryption, remote wipe, app restrictions, and configuration. It’s central to securing BYOD, COPE, and CYOD deployments.
Mini-story: Aisha worked a helpdesk job and wanted into a SOC analyst role. She crammed Domain 4 last because it had the most material, and she nearly ran out of time. On her first full mock she scored 58% overall, dragged down by a 44% in Security Operations. The incident response ordering questions and the SIEM-versus-DLP-versus-NAC distinctions kept tripping her. She rebuilt her schedule to spend ten days on operations alone, doing hands-on log analysis in a free SIEM lab. Her operations score climbed to 79%. She passed the SY0-701 with a 768 and landed the SOC role four months later. Operations is 28% of the exam and most of the actual job. Treat it that way.
Domain 5 Security+ Practice Questions: Security Program Management and Oversight (20%)
This domain catches technical people off guard. It’s governance, risk, compliance, and vendor management. Less hands-on, more “how do organisations manage security as a business function.” Memorise the agreement types and the risk math.
What this domain covers:
- Governance (policies, standards, procedures, roles like data owner, controller, processor, custodian)
- Risk management (risk register, appetite vs tolerance, transfer/accept/avoid/mitigate)
- Quantitative risk (SLE, ALE, ARO) and business impact analysis (RTO, RPO, MTTR, MTBF)
- Third-party risk (SLA, MOU, MSA, SOW, NDA, BPA, right-to-audit)
- Compliance and privacy (data subject, controller vs processor, right to be forgotten)
- Audits and penetration testing (passive vs active recon, known vs unknown environment)
Q65. A risk has a single loss expectancy (SLE) of $10,000 and is expected to happen twice a year. What is the annualised loss expectancy (ALE)?
A) $5,000
B) $10,000
C) $20,000 ✓
D) $40,000
ALE = SLE × ARO. Here that’s $10,000 × 2 = $20,000. The annualised rate of occurrence (ARO) of 2 means twice yearly. This math shows up almost every exam.
Q66. A company buys cyber insurance to cover potential breach costs. Which risk management strategy is this?
A) Risk avoidance
B) Risk acceptance
C) Risk transfer ✓
D) Risk mitigation
Buying insurance transfers financial risk to a third party. Avoidance stops the risky activity entirely, acceptance does nothing and absorbs the loss, mitigation reduces the likelihood or impact.
Q67. Which document is a formal, legally binding contract that defines the specific service levels and uptime a vendor guarantees?
A) MOU
B) SLA (service level agreement) ✓
C) NDA
D) BPA
An SLA defines measurable service commitments (like 99.9% uptime) and penalties for missing them. An MOU is a less formal statement of intent, an NDA protects confidentiality, a BPA governs a business partnership.
Q68. Under privacy regulations, the entity that determines WHY and HOW personal data is processed is called the:
A) Data subject
B) Data controller ✓
C) Data processor
D) Data custodian
The data controller decides the purpose and means of processing. The data processor acts on the controller’s instructions. The data subject is the individual the data is about.
Q69. A central document tracks each identified risk, its likelihood, impact, owner, and mitigation status. What is this document?
A) Business impact analysis
B) Risk register ✓
C) Disaster recovery plan
D) Acceptable use policy
A risk register is the living record of risks and how they’re being managed. A BIA assesses the impact of disruptions on business functions. They feed each other but aren’t the same.
Q70. What’s the difference between risk appetite and risk tolerance?
A) They’re identical terms
B) Appetite is the broad amount of risk an organisation is willing to pursue; tolerance is the acceptable variation around a specific risk ✓
C) Tolerance is set by regulators; appetite is internal
D) Appetite applies only to financial risk
Risk appetite is the overall level of risk leadership will accept to meet goals. Risk tolerance is the acceptable deviation for a particular risk or objective. Appetite is strategic, tolerance is more specific.
Q71. A penetration tester is given no prior information about the target environment and must discover everything from scratch. What type of test is this?
A) Known environment (white box)
B) Partially known (gray box)
C) Unknown environment (black box) ✓
D) Credentialed scan
An unknown-environment test gives the tester nothing upfront, simulating an outside attacker. A known-environment test shares full details. Partially known sits in between.
Q72. A tester gathers information about a target using public records and search engines, without sending any packets to the target’s systems. What is this?
A) Active reconnaissance
B) Passive reconnaissance ✓
C) Vulnerability scanning
D) Exploitation
Passive recon collects open-source intelligence without touching the target directly, so it’s hard to detect. Active recon (scanning, probing) sends traffic to the target and can be logged.
Q73. Which agreement specifically protects confidential information shared between two parties from disclosure?
A) SOW
B) SLA
C) NDA (non-disclosure agreement) ✓
D) MOA
An NDA legally binds parties to keep shared information confidential. A SOW defines the work to be done, an SLA defines service levels, an MOA is a more formal cooperative agreement.
Q74. Under privacy law, an individual requests that a company delete all personal data it holds about them. Which right is being exercised?
A) Right to access
B) Right to be forgotten (erasure) ✓
C) Data portability
D) Right to rectification
The right to be forgotten lets a data subject request erasure of their personal data. It’s a hallmark of regulations like GDPR. Rectification is correcting data, portability is moving it.
Q75. A document defines the detailed scope, deliverables, timeline, and milestones for a specific vendor project. What is it?
A) MOU
B) SOW (statement of work) ✓
C) NDA
D) BPA
A SOW spells out the specific work, deliverables, and schedule for a project. It’s usually tied to a broader master service agreement (MSA) that sets the overarching terms.
Q76. Which roles are correctly described? “The data owner sets classification and accepts risk; the data custodian handles day-to-day storage and protection.”
A) The descriptions are swapped
B) Both descriptions are correct ✓
C) Only the owner description is correct
D) Only the custodian description is correct
The data owner (usually a senior business leader) is accountable for the data, sets its classification, and accepts risk. The custodian (often IT) implements and maintains the controls. Both statements are right.
Q77. During business impact analysis, which metric defines the MAXIMUM acceptable amount of data loss, measured in time?
A) RTO
B) RPO (recovery point objective) ✓
C) MTTR
D) MTBF
RPO is how much data loss is acceptable, which drives backup frequency. RTO is how long restoration can take. MTTR and MTBF measure repair time and reliability.
Q78. A company faces fines, loss of its operating license, and reputational damage after failing an audit. These are examples of what?
A) Risk appetite
B) Consequences of non-compliance ✓
C) Compensating controls
D) Attestation
Fines, sanctions, license loss, reputational damage, and contract penalties are all consequences of non-compliance. They’re a major reason organisations invest in governance and audits.
Q79. An internal group periodically reviews whether the organisation follows its own security policies and regulatory requirements. What is this?
A) External regulatory examination
B) Penetration test
C) Internal compliance audit / self-assessment ✓
D) Right-to-audit clause
An internal audit or self-assessment is the organisation checking its own compliance. An external examination is done by a regulator or third party. Both confirm whether controls are actually working.
Q80. A contract clause lets a company inspect a vendor’s security controls and records on demand. What is this clause called?
A) Non-disclosure clause
B) Right-to-audit clause ✓
C) Service level clause
D) Indemnification clause
A right-to-audit clause gives a customer the contractual ability to assess a vendor’s security posture directly. It’s a key tool in third-party risk management and supply chain oversight.
What Are Performance-Based Questions and How Do You Prepare?
PBQs are the part of the SY0-701 that humble people who only memorised. You can’t recall your way through them.
A typical Security+ PBQ might ask you to:
- Configure firewall ACL rules to allow or block specific traffic
- Match attack types to their correct descriptions in a drag-and-drop grid
- Analyse a set of logs and identify the indicator of compromise
- Place security controls in the right network zone
- Read command output and pick the next remediation step
PBQs usually appear at the start of the exam. A common strategy: skip them, knock out the multiple-choice questions first to bank points, then return with your remaining time. The risk is losing track of the clock, so set a mental cap.
Budget around 5 to 10 minutes per PBQ. If one’s eating more than that, flag it and move on. A blank PBQ and a wrong PBQ score the same, so don’t let one question sink the whole exam.
The only real prep is doing the work. Reading about SIEM correlation is nothing like sorting real log entries under a timer. Free tools and lab environments make this practical even on a budget.
How to Use a Security+ Practice Test Effectively

A score on its own tells you almost nothing. The value is in what you do with the wrong answers.
Here’s the approach that works:
1. Take a cold baseline. Before studying, sit one full 80 to 90-question test with no notes. Ignore the score. You’re hunting for your weakest domain.
2. Attack weakness first. Scored 45% in Security Operations but 75% in General Concepts? Don’t split your time evenly. Fix the 28% domain that’s bleeding points.
3. Review every wrong answer AND every distractor. Understand why each wrong option is wrong. The SY0-701 loves answers that are technically true but not the BEST fit.
4. Run full-length timed mocks at least three times. Eighty-plus questions in 90 minutes is a stamina test. Short quizzes won’t build that.
5. Track domain scores across attempts. One overall percentage hides where you’re improving. Per-domain trends show it.
When you’re consistently clearing 80%+ on full mocks across all five domains, you’re ready to book.
Study Schedule: Security+ in 8 Weeks

This assumes 1 to 2 hours a day. Adjust to your background.
| Week | Focus |
|---|---|
| 1 | Domain 1: General Security Concepts (CIA, controls, crypto, Zero Trust) |
| 2-3 | Domain 2: Threats, Vulnerabilities, and Mitigations (attacks, malware, fixes) |
| 3-4 | Domain 3: Security Architecture (cloud, data protection, resilience) |
| 4-6 | Domain 4: Security Operations (IAM, monitoring, incident response) |
| 6-7 | Domain 5: Program Management (risk math, governance, vendor agreements) |
| 7-8 | Full timed mocks + weak-domain review + PBQ lab practice |
Already working in IT security? Compress this to 5 or 6 weeks. New to the field with no Network+? Give yourself 10 to 12 weeks. That’s not slow. That’s how you pass once instead of twice.
The payoff is real. The US Bureau of Labor Statistics projects information security analyst roles to grow about 33% through 2033, far faster than average. Security+ is the cert most employers use as the entry filter, and it meets US DoD 8140 baseline requirements for several roles. Passing it properly opens doors that rushing and failing keeps shut.
What Comes After Security+?
Security+ is the foundation. Here’s where most people head next.
Going deeper into security analysis:
CompTIA’s CySA+ is the natural next step. It moves from “know the concepts” to “analyse threats and run a SOC.” Our CySA+ certification guide covers the exam format, study timeline, and salary expectations in detail.
Still building networking fundamentals:
Security+ assumes you understand networking. If subnetting, ports, and the OSI model feel shaky, our Network+ practice test is the cleanest way to firm them up before they cost you Security+ points.
Getting hands-on with real security ops:
The biggest Security+ domain is operations, and nothing teaches it like building a real SIEM. The SMEnode Labs Wazuh Workbook walks you through deploying and tuning a working SIEM/XDR in a lab, the exact skills the Security Operations domain tests in theory.
Wanting live, instructor-led training:
SMEnode Academy’s Security Engineer course offers structured, instructor-led labs with live Q&A. Good fit if self-study isn’t keeping you accountable.
Frequently Asked Questions
Is the Security+ hard?
It’s a fair but serious exam. Most candidates need 60 to 120 hours of study. The judgement-style “which is BEST” questions and the PBQs are what trip up people who only memorised definitions. Hands-on practice closes that gap.
How many practice tests should I take before the real exam?
At least three full-length, timed tests. Five or more is better. Each one gives fresh questions and new diagnostic data on your weak domains.
What score do I need to pass the SY0-701?
750 out of 900. That’s not a flat percentage because of how PBQs are weighted, but aiming for a consistent 80%+ on full practice mocks is a safe target before booking.
Does Security+ expire?
Yes. It’s valid for three years. You renew through CompTIA’s continuing education programme or by earning a higher-level cert that auto-renews it.
Will SY0-701 be retired soon?
CompTIA hadn’t announced a retirement date as of mid-2026. They typically run a version for around three years, so a successor could appear in late 2026 or 2027. Check the official CompTIA Security+ page before you book, and don’t delay if your exam is close.
Is Security+ worth it for the salary?
For most people moving into security, yes. It’s the baseline cert employers screen for, it meets US DoD 8140 requirements for several roles, and it’s the gateway to higher-paying analyst certs like CySA+.
Bottom Line
The SY0-701 isn’t a test you can wing. Up to 90 questions. 90 minutes. Five domains. PBQs that punish anyone who skipped the hands-on work.
People who pass on the first try share a pattern. They took full-length timed mocks, not just short quizzes. They poured time into Security Operations, the 28% domain. And they reviewed why wrong answers were wrong, not just why right ones were right.
Use these 80 questions as your starting diagnostic. Find your weakest domain. Fix it. When you’re consistently hitting 80%+ across all five domains on full mocks, book the exam and go get it.
Next step: Want structured, hands-on security training with live instructors? SMEnode Academy’s Security Engineer course builds the practical skills the SY0-701 tests, and takes you well past exam level. Pair it with hands-on labs from SMEnode Labs and you’ll learn security by doing, not just reading.