Use this syllabus as your source of truth for SY0-701. Work through each domain in order and drill targeted sets after every section.
What’s covered
Domain 1: General security concepts (12%)
Task 1.1 - Compare and contrast security roles, controls, and frameworks
- Define the core goals of information security—confidentiality, integrity, and availability—and how they drive security control selection.
- Differentiate common security job roles such as analyst, engineer, architect, administrator, and manager based on typical responsibilities.
- Classify example controls as administrative, technical, or physical based on how they are implemented.
- Classify example controls as preventive, detective, corrective, deterrent, or compensating based on their primary function.
- Summarize the purpose of common security frameworks and standards such as NIST CSF, ISO/IEC 27001, and CIS Controls.
- Explain how adopting security frameworks supports consistency, compliance, and continuous improvement in an organization.
Task 1.2 - Explain fundamental security principles and concepts
- Distinguish authentication, authorization, and accounting/auditing and how they work together to enforce access control.
- Explain the principle of least privilege and why limiting access to only what is necessary reduces security risk.
- Explain separation of duties and job rotation and how they help prevent fraud and detect misuse.
- Explain defense in depth and layered security using examples across physical, technical, and administrative controls.
- Explain the zero trust concept, including continuous verification and minimizing implicit trust in networks and identities.
- Explain security by design and secure default configurations as strategies for reducing misconfigurations and vulnerabilities.
- Explain the concept of an attack surface and common ways to reduce it, such as disabling unused services and closing ports.
Task 1.3 - Explain basic cryptographic concepts
- Compare symmetric and asymmetric encryption in terms of key use, performance, and common use cases.
- Differentiate hashing, encryption, and encoding based on purpose and reversibility.
- Explain how digital signatures provide integrity, authentication, and non-repudiation in common scenarios.
- Describe the role of public key infrastructure (PKI), digital certificates, and certificate authorities in establishing trust.
- Identify common cryptography use cases such as securing data at rest, data in transit, VPNs, and disk encryption.
- Explain why organizations should use modern, well-vetted algorithms and strong key lengths instead of outdated or homegrown cryptography.
Task 1.4 - Apply basic risk management concepts
- Distinguish between threat, vulnerability, risk, impact, and likelihood in the context of information security.
- Compare qualitative and quantitative risk assessment approaches and when each is appropriate.
- Given simple single loss expectancy (SLE) and annualized rate of occurrence (ARO) values, calculate annual loss expectancy (ALE) and interpret what it represents.
- Describe common risk response strategies such as avoid, transfer, mitigate, and accept and when to apply each.
- Explain the purpose of a business impact analysis (BIA) in identifying critical functions, dependencies, and acceptable downtime.
Domain 2: Threats, vulnerabilities, and mitigations (22%)
Task 2.1 - Classify threat actors, attack surfaces, and threat vectors
- Identify common threat actor types such as script kiddies, insiders, organized crime, nation-states, hacktivists, and competitors based on motivations and capabilities.
- Differentiate internal from external threat actors and describe potential impacts from each.
- Describe how attributes such as intent, capability, and opportunity are used to evaluate and prioritize threats.
- Define an attack surface and relate it to assets, entry points, trust boundaries, and exposed services.
- Identify common threat vectors such as email, web browsing, removable media, supply chain, cloud services, and wireless networks.
- Explain how social engineering attacks exploit human factors such as trust, urgency, authority, and fear.
- Explain how shadow IT and unsanctioned cloud or SaaS usage increase an organization's attack surface and risk.
- Explain how emerging technologies such as IoT, OT, and pervasive mobility change the threat landscape and introduce new risks.
Task 2.2 - Given a scenario, analyze potential indicators of common attacks
- Given a scenario, recognize phishing, spear phishing, and whaling attacks based on message content, targeting, and delivery methods.
- Given a scenario, identify social engineering techniques such as pretexting, baiting, tailgating, and piggybacking.
- Given a scenario, differentiate malware types such as viruses, worms, Trojans, ransomware, spyware, keyloggers, and remote access Trojans by their behavior.
- Given a scenario, recognize password attacks such as brute force, dictionary, credential stuffing, and password spraying from log and alert patterns.
- Given a scenario, identify network-based attacks such as DoS, DDoS, man-in-the-middle, spoofing, and replay from symptoms and traffic descriptions.
- Given a scenario, identify web application attacks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), directory traversal, and command injection.
- Given a scenario, identify wireless attacks such as evil twin access points, deauthentication attacks, WPS brute force, rogue APs, and jamming.
- Given a scenario, recognize cloud-specific attacks such as exploitation of misconfigured storage, stolen cloud credentials, insecure APIs, and container breakout.
- Given a scenario, identify indicators of insider threats such as unusual data access, policy violations, or attempts to bypass controls.
Task 2.3 - Summarize common vulnerabilities and misconfigurations
- Identify insecure default settings, such as default credentials and open management interfaces, as common vulnerabilities that require hardening.
- Explain how unpatched systems, outdated software, and unsupported operating systems create exploitable vulnerabilities.
- Explain how weak credentials and poor password practices, such as reuse or lack of complexity, increase the risk of compromise.
- Explain why insecure network protocols and services (such as Telnet, HTTP, and legacy SMB versions) should be replaced or protected.
- Describe misconfigured access controls, such as overly permissive file shares or access control lists (ACLs), as sources of excessive privilege and data exposure.
- Explain how lack of input validation and output encoding leads to injection, cross-site scripting (XSS), and similar application vulnerabilities.
- Explain software supply chain and dependency risks, such as vulnerable third-party libraries and untrusted packages.
- Summarize common cloud misconfigurations, such as publicly exposed storage, overly broad IAM policies, and lack of segmentation in virtual networks.
- Summarize common IoT and OT vulnerabilities such as weak authentication, lack of updates, insecure communication, and physical exposure.
Task 2.4 - Explain security assessment and testing concepts
- Differentiate vulnerability scanning from penetration testing in terms of goals, depth, and rules of engagement.
- Explain black-box, white-box, and gray-box testing approaches based on the amount of information provided to testers.
- Explain passive versus active reconnaissance and when each is appropriate during assessments.
- Describe common vulnerability scan types such as credentialed vs non-credentialed and internal vs external scans.
- Explain assessment techniques such as configuration reviews, log reviews, and wireless surveys and what each can reveal.
- Explain the roles of red teams, blue teams, and purple teams in improving organizational security posture.
- Summarize reporting and communication considerations for assessment findings, including severity, prioritization, and remediation guidance.
- Explain legal, authorization, and rules-of-engagement requirements that must be in place before conducting security testing.
Task 2.5 - Recommend appropriate threat and vulnerability mitigations
- Given a scenario, select appropriate technical controls such as EDR, application allowlisting, and timely patching to mitigate malware.
- Given a scenario, choose controls such as awareness training, email filtering, SPF/DKIM/DMARC, and reporting processes to reduce phishing and social engineering risk.
- Given a scenario, apply mitigations for password-related attacks such as enforcing MFA, account lockout, password managers, and credential hygiene.
- Given a scenario, recommend network security controls such as firewalls, IDS/IPS, and segmentation to mitigate DoS, man-in-the-middle, and scanning attacks.
- Given a scenario, recommend web application protections such as input validation, parameterized queries, web application firewalls (WAFs), and secure coding practices.
- Given a scenario, recommend wireless security hardening steps such as using WPA3, 802.1X, disabling WPS, and controlling signal coverage.
- Given a scenario, recommend cloud security measures such as least-privilege IAM, security groups/NSGs, logging, and cloud posture management tools.
- Given risk assessment results, prioritize remediation actions based on impact, likelihood, and available resources.
Domain 3: Security architecture (18%)
Task 3.1 - Explain secure network design principles
- Describe network segmentation and isolation using VLANs, subnets, and firewalls to limit the spread of attacks.
- Explain the purpose of a demilitarized zone (DMZ) and where to place public-facing services relative to internal networks.
- Explain secure network zones such as intranet, extranet, guest networks, and management networks and their typical access restrictions.
- Explain zero trust network design principles such as microsegmentation and least-privilege access between services.
- Describe secure deployment of VPNs and remote access solutions, including split-tunnel vs full-tunnel considerations at a high level.
- Summarize secure routing and switching concepts such as access control lists (ACLs), port security, and basic loop protection.
- Explain the security roles of load balancers and reverse proxies, including traffic distribution, TLS termination, and limited application protection.
- Explain how network-based security devices such as IDS/IPS, WAFs, DLP appliances, and NAC contribute to a layered defense.
Task 3.2 - Explain secure application and cloud architectures
- Describe a basic secure software development lifecycle (SDLC) and the concept of integrating security into DevSecOps pipelines.
- Explain application deployment models such as monolithic, n-tier, and microservices and their high-level security considerations.
- Explain secure API design concepts such as strong authentication, authorization, rate limiting, and input validation.
- Describe application security controls such as secure cookies, session management, and CSRF tokens at a high level.
- Summarize the shared responsibility model across IaaS, PaaS, and SaaS cloud service models for security and compliance.
- Explain the advantages and security risks of using containers and orchestration platforms in modern application deployments.
- Explain basic security considerations for serverless and function-as-a-service architectures, including permissions and event sources.
- Describe common cloud-native security services such as cloud firewalls, CASB, and cloud security posture management (CSPM) at a conceptual level.
Task 3.3 - Explain endpoint, device, and IoT security
- Explain endpoint hardening steps such as reducing functionality, applying patches, and enforcing secure baselines.
- Describe endpoint protection platforms (EPP) and endpoint detection and response (EDR) and how they differ in capabilities.
- Explain mobile device management (MDM) and mobile application management (MAM) concepts and typical controls they provide.
- Describe secure configuration of removable media and data loss prevention (DLP) controls to limit data exfiltration.
- Explain security considerations for specialized devices such as printers, cameras, and medical or industrial equipment.
- Summarize challenges securing IoT devices, including limited resources, lack of updates, default credentials, and long lifecycles.
- Explain concepts of secure boot and device attestation and how they help ensure device integrity.
- Explain physical security controls for devices such as locks, tamper-evident seals, cable locks, and safes.
Task 3.4 - Explain identity, authentication, and access management concepts
- Compare authentication factors such as something you know, have, are, do, and somewhere you are with simple examples of each.
- Differentiate single-factor authentication, multi-factor authentication (MFA), and strong authentication at a high level.
- Describe common authentication methods such as passwords, PINs, biometrics, hardware tokens, smart cards, and push-based approvals.
- Explain single sign-on (SSO) and federation concepts using standards such as SAML and OAuth/OpenID Connect at a conceptual level.
- Summarize the role of directory services and identity providers, such as on-premises directories and cloud identity platforms, in managing identities.
- Explain authorization models such as role-based access control (RBAC), attribute-based access control (ABAC), and rule-based access control.
- Explain privileged access management (PAM) concepts such as just-in-time access, credential vaulting, and session monitoring.
- Describe account lifecycle management processes, including provisioning, maintenance, and deprovisioning for joiners, movers, and leavers.
- Explain identity governance concepts such as periodic access reviews, certification campaigns, and policy-based access control checks.
- Given a scenario, choose appropriate identity and access management solutions or controls such as SSO, MFA, or RBAC to meet stated requirements.
Domain 4: Security operations (28%)
- Given a scenario, identify which log source—such as firewall, IDS, operating system, application, DNS, or proxy—is most relevant for an investigation task.
- Given a scenario, interpret basic SIEM alerts and dashboards to prioritize security events for further analysis.
- Given a scenario, identify suspicious patterns in authentication logs such as repeated failures, impossible travel, or logins from unusual locations.
- Given a scenario, identify suspicious network traffic characteristics such as unusual ports, volumes, destinations, or connection patterns.
- Given a scenario, choose appropriate filtering, correlation, or aggregation techniques in monitoring tools to focus on relevant events.
- Given a scenario, select appropriate time synchronization and log retention settings to support investigations and compliance requirements.
- Given a scenario, determine when monitoring results justify escalation from routine review to formal incident response.
- Explain the importance of baselining normal behavior to detect anomalies in security monitoring.
- Explain how SOAR tools can automate common monitoring and response tasks such as ticket creation, enrichment, and basic containment.
Task 4.2 - Given an incident, analyze potential indicators of compromise
- Given a scenario, identify indicators of malware infection such as unusual processes, outbound connections, file changes, or resource usage.
- Given a scenario, identify evidence of successful phishing compromise such as suspicious mailbox rules, unauthorized OAuth consents, or unusual email-sending patterns.
- Given a scenario, identify indicators of lateral movement and privilege escalation, such as new administrative group memberships or remote logins between servers.
- Given a scenario, identify indicators of data exfiltration such as large file transfers, unusual destinations, or use of uncommon protocols.
- Given a scenario, distinguish between false positives and true positives in security alerts based on corroborating evidence.
- Given a scenario, recognize indicators of credential stuffing or brute-force attacks from authentication and access logs.
- Given a scenario with multiple related alerts, infer a likely root cause or stage in the attack lifecycle.
- Explain the difference between indicators of compromise (IOCs) and indicators of attack (IOAs) and how each is used in detection.
- Explain the role of threat intelligence feeds and information-sharing communities in identifying and correlating IOCs.
Task 4.3 - Given an incident, apply incident response procedures
- List typical phases of the incident response lifecycle—preparation, identification, containment, eradication, recovery, and lessons learned—and state their goals.
- Given a scenario, distinguish between a routine event, a security incident, and a potential policy violation.
- Given a scenario, determine appropriate initial triage steps such as isolating affected systems, collecting logs, and confirming scope.
- Given a scenario, choose an appropriate containment strategy—such as network isolation, segmentation, or disabling accounts—while balancing business impact.
- Given a scenario, select eradication and recovery actions that remove root causes and restore services while preserving evidence when required.
- Explain the importance of incident communication plans, notification requirements, and coordination among stakeholders during response.
- Given a scenario, identify when to involve external parties such as law enforcement, regulators, vendors, or incident response partners.
- Explain the purpose of post-incident reviews and lessons-learned meetings in improving processes and controls.
- Explain how incident lessons learned drive updates to documentation, playbooks, training, and technical controls.
Task 4.4 - Implement appropriate security automation and orchestration concepts
- Explain the purpose and benefits of security orchestration, automation, and response (SOAR) platforms in streamlining operations.
- Describe common use cases for security automation such as blocking IPs, disabling accounts, opening tickets, and collecting forensic artifacts.
- Explain the concepts of playbooks and runbooks in security operations and how they guide repeatable response actions.
- Explain the advantages and risks of using scripting and APIs for automating security tasks.
- Explain the concept of infrastructure as code (IaC) and how it affects security operations, including drift detection and policy enforcement.
- Given a scenario, identify opportunities to automate repetitive security tasks while minimizing operational risk.
- Explain the importance of testing, change control, and rollback plans when deploying automated security actions.
- Explain at a high level how machine learning and user and entity behavior analytics (UEBA) support anomaly detection in security monitoring.
Task 4.5 - Apply basic digital forensics concepts
- Explain the goals of digital forensics, including supporting investigations, regulatory inquiries, and legal proceedings.
- Explain the concept of chain of custody and why maintaining documented control of evidence is critical.
- Summarize the order of volatility for common data sources, such as CPU registers, memory, disk, and backups.
- Explain high-level imaging and acquisition concepts, including creating bit-level copies and using hashes to verify integrity.
- Identify common forensic data sources such as memory, disks, logs, network captures, and cloud service logs.
- Given a scenario, determine which data sources to capture to support a specific type of investigation.
- Explain basic timeline analysis and reconstruction concepts for understanding the sequence of events in an incident.
- Explain legal and jurisdictional considerations that can affect the collection and handling of digital evidence.
- Explain limitations and challenges of performing forensic analysis in cloud and virtualized environments.
Task 4.6 - Implement secure operations practices and procedures
- Explain the importance of formal change management and approval processes for maintaining secure and stable operations.
- Describe configuration management and baselining for systems and network devices and how they support security.
- Explain patch management processes, including prioritization based on risk and testing before deployment.
- Explain backup strategies such as full, incremental, and differential backups and how retention supports recovery objectives.
- Explain log management practices, including centralization, protection of log integrity, and controlled access to logs.
- Explain how least privilege and need-to-know principles are applied to service accounts, local administrator access, and operational tasks.
- Describe secure provisioning and deprovisioning of systems and services, including imaging, baseline application, and retirement steps.
- Given a scenario, apply segregation of duties and dual control concepts to reduce the risk of fraud or critical errors in operations.
- Given a scenario, select appropriate monitoring and oversight controls for third-party or outsourced services.
- Explain the concept of continuous improvement in security operations using metrics, key performance indicators (KPIs), and maturity models.
Domain 5: Security program management and oversight (20%)
Task 5.1 - Summarize governance and compliance concepts
- Distinguish governance, risk management, and compliance at a high level and describe how they relate to security programs.
- Explain the purpose of security policies, standards, guidelines, and procedures and how they differ.
- Summarize key objectives of common regulations and frameworks relevant to security practitioners, such as GDPR, HIPAA, PCI DSS, and SOX, at a high level.
- Explain data classification concepts and how classification drives handling requirements and access controls.
- Explain the role of acceptable use policies (AUPs) in setting expectations for system and data usage.
- Explain concepts of due care and due diligence in the context of managing security risks.
- Describe the role of internal and external audits and assessments in verifying compliance and control effectiveness.
- Explain the concept of lines of defense (operations, risk management/compliance, internal audit) in governance models.
Task 5.2 - Explain data security and privacy practices
- Identify common data sensitivity levels such as public, internal, confidential, and restricted and their general handling requirements.
- Explain data minimization and purpose limitation as privacy principles that reduce unnecessary data collection and processing.
- Describe data masking, tokenization, and anonymization versus pseudonymization and when each might be used.
- Explain securing data at rest, in transit, and in use at a high level, including typical controls for each state.
- Explain retention and destruction policies, including retention schedules, legal holds, and secure disposal methods for different media.
- Given a scenario, determine appropriate storage or transmission protections based on the data classification and regulatory context.
- Explain privacy-by-design and privacy-by-default principles and how they influence system and process design.
- Explain considerations for cross-border data transfers and data residency, including risks of storing data in other jurisdictions.
Task 5.3 - Explain security awareness and training
- Explain the goals of a security awareness program in reducing human-related security risk.
- Identify common awareness and training topics such as phishing, password hygiene, physical security, and incident reporting.
- Explain the importance of tailoring training for different audiences, including end users, developers, executives, and privileged administrators.
- Explain the importance of measuring training effectiveness using methods such as phishing simulations, metrics, and feedback.
- Given a scenario, choose an appropriate awareness or training method such as e-learning, in-person sessions, drills, or targeted communications.
- Explain the role of policies and leadership support in reinforcing security training and expected behaviors.
- Explain insider threat awareness concepts and the importance of clear, confidential reporting channels.
Task 5.4 - Explain vendor, supply chain, and third-party risk management
- Explain risks introduced by third-party service providers and suppliers, including data access, service availability, and security control gaps.
- Describe due diligence activities before onboarding a vendor, such as questionnaires, security assessments, and reference checks.
- Explain contract and service level agreement (SLA) considerations for security and privacy requirements with third parties.
- Explain ongoing vendor monitoring activities such as periodic security reviews, attestations, and audit reports.
- Given a scenario, identify appropriate controls for managing cloud service provider risk, such as shared responsibility clarification, access reviews, and logging requirements.
- Explain the concepts of a software bill of materials (SBOM) and supply chain transparency in managing software risk.
- Explain termination and offboarding considerations for third-party relationships, including data return or destruction and access revocation.
Task 5.5 - Explain business continuity and disaster recovery concepts
- Distinguish business continuity planning (BCP) from disaster recovery (DR) and explain how they work together.
- Explain key business impact analysis outputs such as recovery time objective (RTO) and recovery point objective (RPO) and how they guide continuity planning.
- Explain common backup and recovery strategies and how they support BCP and DR objectives.
- Describe high availability, fault tolerance, and redundancy at a conceptual level and when each is appropriate.
- Given a scenario, select an appropriate site strategy—such as hot, warm, or cold site—based on recovery requirements and constraints.
- Explain the importance of DR testing, exercises, and tabletop scenarios to validate plans and identify gaps.
- Explain succession planning and role mapping to ensure key responsibilities are covered during and after a disruptive event.
- Explain crisis communication planning, including stakeholder identification, messaging, and communication channels during incidents.
Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit weak objectives before moving on.