CompTIA Security+ (SY0-701) Ultimate Cheat Sheet
Your Quick Reference Study Guide
This cheat sheet covers the core concepts, terms, and definitions you need to know for the CompTIA Security+ (SY0-701). We've distilled the most important domains, topics, and critical details to help your exam preparation.
💡 Note: While this study guide highlights essential concepts, it's designed to complement—not replace—comprehensiv e learning materials. Use it for quick reviews, last-minute prep, or to identify areas that need deeper study before your exam.
About This Cheat Sheet: This study guide covers core concepts for CompTIA Security+ (SY0-701). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.
Use this as a quick reference alongside comprehensive study materials.
CompTIA Security+ (SY0-701)
Cheat Sheet •
About This Cheat Sheet: This study guide covers core concepts for CompTIA Security+ (SY0-701). It highlights key terms, definitions, common mistakes, and frequently confused topics to support your exam preparation.
Use this as a quick reference alongside comprehensive study materials.
General Security Concepts
12%Compensating Control — Documented Alternative
Temporary or permanent alternative control that provides equivalent risk mitigation when a primary control is impractic
Key Insight
Must be documented, justified, approved, and demonstrably equivalent — not a weaker stopgap.
Often Confused With
Common Mistakes
- Treating it as a permanent swap without documented justification
- Skipping documentation, approval, or risk assessment
- Using an unrelated or weaker control and calling it compensating
Control Diversity — Layers & Functions
Classify controls by layer (tech/admin/physical) and by purpose (preventive, detective, corrective, deterrent, compens
Key Insight
Controls are classified two ways — layer + function — and often overlap; combine types for defense‑in‑depth.
Often Confused With
Common Mistakes
- Thinking detective controls prevent incidents
- Equating compensating controls with corrective controls
- Assuming each control fits only one category
Digital Signatures & Non‑repudiation
Private key signs a message hash; public key verifies origin and integrity — supports evidentiary non‑repudiation if key
Key Insight
Sign a hash with the private key to prove origin/integrity; signatures do not provide confidentiality and rely on key custody.
Often Confused With
Common Mistakes
- Confusing signing with encrypting for confidentiality.
- Assuming signatures are absolute despite key compromise or poor custody.
- Signing the entire message directly and skipping hashing first.
Zero Trust — Verify Every Request
Architecture that denies implicit trust: authenticate and authorize every user, device and request with least privilege.
Key Insight
Default‑deny + least privilege + continuous, context‑aware checks (user, device, location, risk); it's policies + controls, not a single product.
Often Confused With
Common Mistakes
- Treating Zero Trust as a single product you can buy.
- Removing perimeter/network controls entirely under 'Zero Trust'.
- Limiting Zero Trust to cloud only and ignoring on‑prem/hybrid systems.
Rollback: Revert to Known State
Return systems, configs, or data to a validated prior snapshot/version after a failed change or deployment to restore a
Key Insight
Rollback is an emergency recovery step, not a root-cause fix — it can cause data loss, schema/API mismatches, and needs follow-up analysis.
Often Confused With
Common Mistakes
- Assuming rollback fixes the root cause and skipping post-rollback investigation
- Believing rollback is risk-free — ignoring possible data loss, downtime, or config drift
- Assuming all changes (DB schemas, external APIs) can be fully rolled back without side effects
Env Separation — Dev / Test / Staging / Prod
Keep Dev, Test, Staging, and Production separate to reduce deployment risk, enforce least privilege, and validate real‑w
Key Insight
Staging must mirror production (configs, scale, access controls); lower envs require masked data and restricted credentials.
Often Confused With
Common Mistakes
- Treating staging as identical to production and skipping final verification
- Using production credentials or unmasked real data in lower environments for convenience
- Giving developers full, direct rights to modify production to fix issues quickly
PKI & CA — Chain of Trust
Hierarchical system binding public keys to identities via root/intermediate CAs to validate TLS and code certificates.
Key Insight
Trust is anchored at root CAs; validation follows the chain plus client checks (expiry, CRL/OCSP); trust is local, not automatic.
Often Confused With
Common Mistakes
- Assuming a certificate alone proves identity.
- Believing any CA-issued cert is trusted everywhere.
- Expecting revocation to be immediate and always enforced.
Cryptographic Hashing (Integrity)
Deterministic, fixed-size digest that proves data integrity; non-reversible—used for file verification, fingerprints, &签
Key Insight
Hashes prove content equality and tampering; not confidentiality—use salted/slow functions for passwords and avoid MD5/SHA-1.
Often Confused With
Common Mistakes
- Thinking hashes are reversible or provide confidentiality.
- Using MD5/SHA-1 as secure collision-resistant hashes.
- Assuming matching hashes prove provenance or authorship.
Compensating Control — Documented Alternative
Temporary or permanent alternative control that provides equivalent risk mitigation when a primary control is impractic
Key Insight
Must be documented, justified, approved, and demonstrably equivalent — not a weaker stopgap.
Often Confused With
Common Mistakes
- Treating it as a permanent swap without documented justification
- Skipping documentation, approval, or risk assessment
- Using an unrelated or weaker control and calling it compensating
Control Diversity — Layers & Functions
Classify controls by layer (tech/admin/physical) and by purpose (preventive, detective, corrective, deterrent, compens
Key Insight
Controls are classified two ways — layer + function — and often overlap; combine types for defense‑in‑depth.
Often Confused With
Common Mistakes
- Thinking detective controls prevent incidents
- Equating compensating controls with corrective controls
- Assuming each control fits only one category
Digital Signatures & Non‑repudiation
Private key signs a message hash; public key verifies origin and integrity — supports evidentiary non‑repudiation if key
Key Insight
Sign a hash with the private key to prove origin/integrity; signatures do not provide confidentiality and rely on key custody.
Often Confused With
Common Mistakes
- Confusing signing with encrypting for confidentiality.
- Assuming signatures are absolute despite key compromise or poor custody.
- Signing the entire message directly and skipping hashing first.
Zero Trust — Verify Every Request
Architecture that denies implicit trust: authenticate and authorize every user, device and request with least privilege.
Key Insight
Default‑deny + least privilege + continuous, context‑aware checks (user, device, location, risk); it's policies + controls, not a single product.
Often Confused With
Common Mistakes
- Treating Zero Trust as a single product you can buy.
- Removing perimeter/network controls entirely under 'Zero Trust'.
- Limiting Zero Trust to cloud only and ignoring on‑prem/hybrid systems.
Rollback: Revert to Known State
Return systems, configs, or data to a validated prior snapshot/version after a failed change or deployment to restore a
Key Insight
Rollback is an emergency recovery step, not a root-cause fix — it can cause data loss, schema/API mismatches, and needs follow-up analysis.
Often Confused With
Common Mistakes
- Assuming rollback fixes the root cause and skipping post-rollback investigation
- Believing rollback is risk-free — ignoring possible data loss, downtime, or config drift
- Assuming all changes (DB schemas, external APIs) can be fully rolled back without side effects
Env Separation — Dev / Test / Staging / Prod
Keep Dev, Test, Staging, and Production separate to reduce deployment risk, enforce least privilege, and validate real‑w
Key Insight
Staging must mirror production (configs, scale, access controls); lower envs require masked data and restricted credentials.
Often Confused With
Common Mistakes
- Treating staging as identical to production and skipping final verification
- Using production credentials or unmasked real data in lower environments for convenience
- Giving developers full, direct rights to modify production to fix issues quickly
PKI & CA — Chain of Trust
Hierarchical system binding public keys to identities via root/intermediate CAs to validate TLS and code certificates.
Key Insight
Trust is anchored at root CAs; validation follows the chain plus client checks (expiry, CRL/OCSP); trust is local, not automatic.
Often Confused With
Common Mistakes
- Assuming a certificate alone proves identity.
- Believing any CA-issued cert is trusted everywhere.
- Expecting revocation to be immediate and always enforced.
Cryptographic Hashing (Integrity)
Deterministic, fixed-size digest that proves data integrity; non-reversible—used for file verification, fingerprints, &签
Key Insight
Hashes prove content equality and tampering; not confidentiality—use salted/slow functions for passwords and avoid MD5/SHA-1.
Often Confused With
Common Mistakes
- Thinking hashes are reversible or provide confidentiality.
- Using MD5/SHA-1 as secure collision-resistant hashes.
- Assuming matching hashes prove provenance or authorship.
Threats, Vulnerabilities, and Mitigations
22%Threat Actor Types — Script Kiddies → APT (Nation‑State)
Group attackers by motive, skill, and resources to infer TTPs and set response priority.
Key Insight
Combine target, tools, complexity, and infrastructure to infer motive/skill — single indicators mislead.
Often Confused With
Common Mistakes
- Assuming one indicator (e.g., ransom note) definitively IDs the attacker.
- Believing nation‑states only do espionage, never extortion/financial gain.
- Equating visible disruption with low attacker sophistication.
Insider Threat — Malicious, Negligent, Compromised
Risk from authorized users (employees, contractors) acting maliciously, carelessly, or after compromise.
Key Insight
Distinguish intent (malicious vs negligent vs compromised) by behavior patterns and access use to choose controls.
Often Confused With
Common Mistakes
- Treating insiders as only malicious and ignoring negligent/compromised cases.
- Relying on background checks or hiring controls as a complete solution.
- Using only technical monitoring without HR/policy/process controls.
Social Engineering — Human Attack Surface
Psychological manipulation to trick people into revealing access, data, or performing actions — common initial-access路.
Key Insight
Attackers exploit routine and trust; defenses require training, policy/process controls, and targeted tech together.
Often Confused With
Common Mistakes
- Treating social engineering as email-only (ignores phone, USB drops, in-person).
- Relying solely on technical controls; human error bypasses firewalls/AV.
- Assuming only external attackers use it; insiders can be vectors.
Cross‑Site Scripting (XSS) — Client‑Side Injection
Client-side script injection in web pages (reflected, stored, DOM) that can steal sessions, deface pages, or run actions
Key Insight
Context-aware output encoding + Content Security Policy stop XSS; input validation alone is insufficient.
Often Confused With
Common Mistakes
- Believing input validation alone prevents XSS — output encoding matters by context.
- Thinking HTTPS stops XSS — transport security doesn't sanitize content.
- Assuming stored XSS requires a click — stored payloads can execute when a page loads.
Cryptography — Keys, RNG & Modes
Algorithms + key lifecycle + RNG + correct modes/signatures protect confidentiality, integrity, authenticity.
Key Insight
Strong algorithm ≠ secure system — correct mode, uncompromised keys, and high-entropy RNG decide real security.
Often Confused With
Common Mistakes
- Thinking encryption alone guarantees integrity and authenticity
- Believing longer keys fix fundamentally broken algorithms
- Assuming TLS/HTTPS automatically makes crypto safe (ignore ciphersuites/certs)
Buffer Overflows & Memory Corruption
Writing past buffer bounds corrupts memory (stack/heap/off-by-one/use-after-free) causing crashes, leaks, or code exec.
Key Insight
Any writable memory region can be abused; mitigations (ASLR/DEP/canaries/CFI) raise attack cost but don't make exploitation impossible.
Often Confused With
Common Mistakes
- Believing only C/C++ programs can have buffer overflows
- Assuming ASLR/DEP/canaries make exploitation impossible
- Relying on naive input validation without fixing memory-management flaws
SQL Injection (SQLi)
User-supplied input alters SQL queries to read, modify, or delete DB data; exploit of poor input handling.
Key Insight
If user input becomes executable SQL (via string concatenation), the attacker controls the query — separate code and data with parameterized queries.
Often Confused With
Common Mistakes
- Assuming SQLi only affects web apps — APIs, desktop apps, and backend services can be vulnerable.
- Relying on simple string escaping — escaping is fragile and often incomplete.
- Believing prepared statements always make you safe — misused dynamic SQL can still be injected.
DoS / DDoS Attacks
Attackers exhaust target resources to deny availability; DDoS multiplies impact using many distributed sources.
Key Insight
Classify the attack layer: volumetric (bandwidth), protocol/state (connections), or application (CPU/DB) — mitigation must match the layer (scrubbers,
Often Confused With
Common Mistakes
- Thinking DDoS is for data theft — its primary goal is to deny availability (though it can be a diversion).
- Believing a perimeter firewall alone will stop DDoS — large volumetric attacks require upstream scrubbing, CDN/anycast, or provider mitigation.
- Assuming all DDoS traffic is IP‑spoofed and sources are useless — many botnets use real IPs; source data still helps detection and rate limits.
Sandboxing — Isolate & Contain Untrusted Code
Isolated runtime for untrusted code that limits system access and contains compromise for testing/mitigation.
Key Insight
Containment reduces impact but isn't foolproof — enforce least privilege, host hardening, and monitoring.
Often Confused With
Common Mistakes
- Assuming a sandbox is foolproof — sandbox escapes occur.
- Skipping host patching/hardening because code runs in a sandbox.
- Treating containers as equivalent to a secure sandbox.
VLAN Segmentation — Logical Device Isolation
Use VLANs to group and isolate devices to limit lateral movement; pair with ACLs, routing controls, and monitoring.
Key Insight
VLANs provide logical separation, not an absolute boundary — you still need ACLs/firewalls and L2 protections.
Often Confused With
Common Mistakes
- Treating VLANs as complete security boundaries.
- Enabling inter‑VLAN routing without ACLs or filtering.
- Assuming VLANs stop ARP/DHCP attacks without DAI/DHCP snooping.
Security Architecture
18%Layered Defense — Defense‑in‑Depth
Overlapping physical, technical, and administrative controls that limit attack paths and reduce single points of failure
Key Insight
Layers reduce correlated failures; vendor diversity boosts resilience but raises ops complexity—choose complementary controls and centralize mgmt
Often Confused With
Common Mistakes
- Assuming more layers always equals more security — extra controls can add complexity and gaps
- Relying on one 'strong' control (e.g., firewall) to replace other layers
- Treating defense‑in‑depth as only technical and ignoring physical/admin controls
VPN Tunnels & IPsec (Site‑to‑Site vs Remote Access)
Encrypted tunnels over untrusted networks; IPsec tunnel mode encapsulates the entire original IP packet for site‑to‑site
Key Insight
IPsec components differ: ESP = confidentiality+integrity (optionally), AH = integrity/auth; tunnel mode encapsulates full IP packet (site‑to‑site use)
Often Confused With
Common Mistakes
- Assuming IPsec always encrypts traffic — it can be configured for auth/integrity only
- Mixing up ESP and AH — ESP can provide encryption; AH does not
- Confusing tunnel vs transport mode — tunnel encapsulates full packet; transport protects only payload
HA & Resilience Patterns
Design redundancy, HA patterns and geo‑replication to meet RTO/RPO while avoiding single fault domains.
Key Insight
True availability = redundancy + fault‑domain separation; trade RTO/RPO vs consistency, complexity, cost.
Often Confused With
Common Mistakes
- Treating backups as full DR — backups don't guarantee fast service recovery or meet tight RTOs.
- Adding redundancy inside the same fault domain — still a single point of failure.
- Assuming active‑active always wins — can add consistency issues, cost, and operational complexity.
SSH: Encrypted Admin & Tunneling
Encrypts remote admin sessions and file transfers; supports TCP port‑forwarding to secure other protocols.
Key Insight
Identity = host keys + user keys; port forwarding secures weak protocols, but SSH must be hardened against brute force.
Often Confused With
Common Mistakes
- Assuming SSH prevents brute‑force or credential attacks — enable key auth, rate limits, and lockouts.
- Treating SCP and SFTP as identical — they use different protocols and features.
- Accepting unknown host key warnings — this can mask a man‑in‑the‑middle attack.
Data-in-Transit — Network Encryption
Info moving across networks; defend with TLS/HTTPS, SSH, IPsec, integrity checks, and endpoint trust.
Key Insight
Transport encryption prevents eavesdropping but not endpoint compromise or bad certs—validate certs, ciphers, endpoints.
Often Confused With
Common Mistakes
- Treating TLS or VPN as foolproof—ignore weak ciphers or certificate validation
- Assuming network encryption protects data if endpoints are compromised
- Believing IPsec removes need for application-layer encryption in all cases
DLP (Data Loss Prevention) — Policy Enforcement
Policy-driven tools that detect and block unauthorized data exfiltration across endpoints, network, and cloud.
Key Insight
DLP enforces policy based on classification and context; it needs endpoint agents or decryption proxies and constant tuning.
Often Confused With
Common Mistakes
- Expecting DLP to stop all leaks without classification and policy tuning
- Assuming DLP inspects encrypted traffic without decryption or endpoint sensors
- Relying on a single detection method (e.g., one regex) for all sensitive data
RPO — Recovery Point Objective (Max Data‑Loss Window)
Max acceptable data loss measured backward in time; dictates backup/replication frequency and cost.
Key Insight
RPO defines how far back recovered data can be — not how long systems will be down; lower RPO means more frequent or continuous replication and higher
Often Confused With
Common Mistakes
- Mixing up RPO and RTO — RPO = data age/loss, RTO = downtime duration.
- Treating RPO as downtime length instead of the allowable data‑age limit.
- Assuming zero RPO is free — continuous replication raises cost/complexity.
BCP — Business Continuity Plan (Keep Ops Running)
Documented program to maintain or resume critical people, processes, facilities and suppliers during/after disruptions.
Key Insight
BCP is enterprise‑wide (people, processes, facilities, suppliers); DRP is the IT recovery subset — the BCP must be tested, updated, and tied to BIAs.
Often Confused With
Common Mistakes
- Equating BCP with a DRP — BCP covers the whole business, DRP focuses on IT.
- Restricting BCP to IT systems only instead of people/facilities/suppliers.
- Skipping regular tests and updates — an untested BCP won't work under pressure.
Security Operations
28%App Allowlist vs Denylist (Application Control)
Allowlisting = default‑deny only approved apps run; denylisting = block known bad apps — key for endpoint hardening.
Key Insight
Allowlists stop unknown/zero‑day execution by default but need exception processes and coverage for scripts/interpreters.
Often Confused With
Common Mistakes
- Equating code signing with allowlisting — signed apps can still be malicious.
- Relying on blacklists to stop zero‑day malware — lists only cover known threats.
- Controlling only .exe files — neglecting scripts, macros, interpreters, and libraries.
Secure Baselines — Versioned Reference Builds
Versioned reference configs used to detect drift, validate builds, and drive remediation in CI/change workflows.
Key Insight
Baselines are snapshots to detect change; they must be updated per patch/build and tailored per platform — they don't fix issues.
Often Confused With
Common Mistakes
- Using vendor default configs as your secure baseline.
- Assuming baselines never change — skip updates after patches or policy shifts.
- Believing a baseline guarantees security — it's for detection and validation, not remediation.
Data Classification Labels — Confidential/Private/Public/Proprietary
Policy labels that map data sensitivity to required access, protection, retention, and disposal.
Key Insight
Labels drive controls and retention; they don't enforce controls and must be kept current by business, legal, and IT.
Often Confused With
Common Mistakes
- Treating classification as one-and-done — review when risk, use, or regulations change.
- Equating classification with encryption — encryption is a control, not a label or policy.
- Assuming higher sensitivity always means longer retention — follow legal/business retention rules.
Asset Discovery & Monitoring — Agent vs Agentless
Tools/techniques (agent/agentless, scanning, SNMP, active/passive) to locate, classify, track assets and feed the CMDB.
Key Insight
Agent = deeper, continuous telemetry; agentless = lower footprint but blind spots; active scans can disrupt or trigger IDS.
Often Confused With
Common Mistakes
- Assuming agentless gives full visibility — it can miss devices behind NAT or offline endpoints.
- Running active scans without controls — active scans can disrupt systems or trigger security alerts.
- Expecting SNMP to provide complete asset detail — it requires correct credentials/version and offers limited MIB data.
Patch Management (Hotfix / Patch / Service Pack)
Risk‑based cycle to test, prioritize, schedule, deploy, verify and report software fixes using CVSS, asset value, and SL
Key Insight
Prioritize by exploitability + asset value, always test, backup, and have rollback; CVSS alone doesn't set order
Often Confused With
Common Mistakes
- Deploying patches straight to production without testing or rollback plans
- Using CVSS severity as the sole remediation priority
- Assuming a vendor patch completely removes the security risk
Continuous Monitoring — Telemetry, Alerts & KPIs
Ongoing automated + human‑reviewed observation of telemetry and KPIs to detect issues, measure MTTR/MTTD, and report org
Key Insight
Automation finds signals; human tuning and contextual KPIs (MTTD, MTTR, SLA, prioritized vuln counts) turn them into action
Often Confused With
Common Mistakes
- Assuming continuous monitoring replaces periodic audits or compliance checks
- Expecting it to detect every incident instantly without tuning or human review
- Reporting raw open‑vuln counts without context (asset value, exploitability)
SIEM — Central Log Engine (time-sync, correlation, WORM)
Centralizes log collection, time‑sync, parsing/correlation and protected retention to detect incidents and prove audits.
Key Insight
Timestamps + correlation turn noisy events into forensic timelines; WORM + retention policies prove integrity for compliance.
Often Confused With
Common Mistakes
- Assuming infinite log retention is best — ignores cost and diminishing investigative value.
- Treating a SIEM as a blocking/preventive control; it's primarily detective and investigative.
- Skipping access controls or encryption because logs are centralized — centralized data still needs protection.
IDS vs IPS — Detect vs Block (NIDS/HIDS, signature/behavioral)
Monitors host/network activity: IDS alerts passively; IPS sits inline to block/mitigate; uses signature, heuristic, and/
Key Insight
IDS generates alerts; IPS can stop traffic but risks disruption — exam answers favor tuning, placement, and layered detection.
Often Confused With
Common Mistakes
- Expecting an IDS to block traffic like an IPS.
- Using identical placement/config for IDS and IPS without considering inline impact.
- Relying only on signature-based detection for zero-day or polymorphic threats.
Segmentation & Isolation (VLAN / Virtualization / Air‑Gap)
Partition networks/hosts (physical, VLANs, VMs, host microsegmentation, air gaps) to limit east–west movement and reduce
Key Insight
Segmentation only reduces blast radius if inter-segment policies are enforced — more segments + poor policy = bigger risk.
Often Confused With
Common Mistakes
- Treating VLANs as a security barrier — they separate traffic but don't enforce access policies.
- Believing microsegmentation replaces perimeter firewalls; both are complementary.
- Over-segmenting without management increases configuration errors and attack surface.
Firewall — Packet, Stateful, Application (Placement Matters)
Enforces allow/deny rules: stateless packet filters, stateful (connection-tracking), and app-layer proxies for deeper‑in
Key Insight
Stateful firewalls track sessions to permit return traffic; stateless require explicit inbound rules; app firewalls inspect payloads.
Often Confused With
Common Mistakes
- Relying on a firewall as sole defense — it won't stop malware or insider threats.
- Assuming host-based firewalls can replace network/perimeter firewalls at enterprise scale.
- Expecting stateless devices to auto-allow return traffic or thinking stateful can't handle UDP.
AAA — Authn, Authz & Accounting
Three-step identity model: authenticate identity, authorize actions, and record activity for audits.
Key Insight
Authentication must come first; authorization enforces permissions for a verified identity, and accounting = audit evidence (not just billing).
Often Confused With
Common Mistakes
- Mixing authentication with authorization — logging in ≠ having permissions.
- Treating accounting as billing only — it's the audit trail for forensics/compliance.
- Assuming logs alone guarantee detection — retention, coverage, and correlation matter.
MFA — Know / Have / Be (factor categories)
Require 2+ independent factor categories (knowledge, possession, inherence, environment) to raise identity assurance.
Key Insight
True MFA = independent categories; two passwords or password+manager are one factor; contextual signals are weaker and often supplemental.
Often Confused With
Common Mistakes
- Counting two passwords (or password+manager) as MFA.
- Assuming MFA always means exactly 2 factors — it can be 2 or more.
- Treating biometrics or location as infallible — they have false accepts/rejects and can be spoofed.
SOAR Playbooks & Runbooks (Automated COA)
Predefined incident‑response workflows: playbooks decide logic; runbooks execute concrete steps (manual or automated).
Key Insight
Playbook = decision flow; Runbook = executable procedure — always test, include approval gates, and review regularly.
Often Confused With
Common Mistakes
- Assuming SOAR can fully replace human analysts
- Skipping testing and periodic reviews of playbooks/runbooks
- Treating playbooks and runbooks as identical; ignoring manual runbook steps
Secrets & Key Management — Vaults/KMS/HSM
Centralize secrets in vaults/KMS/HSM with scoped access, automated rotation, audit logging, and CI/CD integration.
Key Insight
Never hard‑code or base64 secrets — use short‑lived credentials, least privilege, rotation, and audit trails.
Often Confused With
Common Mistakes
- Storing secrets in private repos or hard-coding credentials
- Treating environment variables as inherently secure secret storage
- Using base64 or long-lived keys instead of rotation, logging, and scoped access
IR Phases — Prepare, Identify, Contain, Eradicate, Recover, Learn
Six-step flow (Prepare→Identify→Contain→Eradicate→Recover→Learn) to manage incidents and prevent repeats.
Key Insight
Phases overlap and iterate—containment limits impact while eradication removes the root cause; preparation includes tooling and exercises.
Often Confused With
Common Mistakes
- Equating containment with eradication—containment limits impact; eradication removes root cause.
- Running phases strictly linearly—expect overlap and parallel workstreams.
- Treating every alert as confirmed—triage before escalation and action.
IR Plan Components — Roles, Triggers, Escalation, Comms
Defines categories, roles, activation triggers, escalation paths, and communications templates to coordinate response.
Key Insight
Activation triggers and decision criteria determine when the plan starts; include cross-functional roles, legal/comms, and tested playbooks.
Often Confused With
Common Mistakes
- Using ad-hoc staff for IR roles—assign predefined, trained alternates.
- Limiting comms to external audiences—include internal, legal, and exec channels.
- Treating the plan as static—test and update after exercises or environment changes.
OS Security Logs — Windows Event Log Focus
OS audit records (System/Application/Security) showing logons, priv‑esc, service/policy changes — enable audit policy to
Key Insight
Windows Event IDs (logon/failed logon/privilege use/process creation) are forensic breadcrumbs; many events need audit policy and forwarding to retain
Often Confused With
Common Mistakes
- Assuming every security event is logged by default — enable/adjust audit policies.
- Trusting local logs are tamper‑proof — attackers can clear or modify them.
- Thinking cleared logs destroy all evidence — artifacts or forwarded/SIEM copies can remain.
Log Anomaly Detection — SIEM, Baselines, Triage
Collect, normalize and analyze logs centrally to spot deviations, reconstruct timelines and generate tuned alerts for IR
Key Insight
Centralization ≠ detection — you need parsing, normalization, baselines, rule tuning and time‑sync (NTP) to reduce false positives
Often Confused With
Common Mistakes
- Logging everything without filters — floods systems and hides real alerts.
- Treating every anomaly as a breach — many are benign or misconfigurations.
- Believing SIEM auto‑detects attacks or timestamps are already synced — tune rules and verify NTP.
Security Program Management and Oversight
20%Authorized Change Pipeline (CAB & Rollback)
Process + technical controls to ensure changes are authorized, tested, logged, and reversible.
Key Insight
If a change lacks authorization, testing, logging, or rollback capability it's noncompliant—expedited changes still need an audit trail.
Often Confused With
Common Mistakes
- Only major upgrades need tickets — small config changes still require control
- Emergency changes can permanently skip documentation; retrospective docs don't count
- Assuming every change must get CAB approval; standard/pre-approved change paths exist
Risk Assessment Lifecycle (Inherent → Residual)
Identify assets, threats, vulnerabilities; estimate likelihood & impact; calculate inherent and residual risk to drive控制
Key Insight
Residual risk = inherent risk reduced by controls; it rarely becomes zero—pick mitigations by effectiveness and risk appetite.
Often Confused With
Common Mistakes
- Believing residual risk equals zero once controls are in place
- Treating threats and vulnerabilities as the same thing
- Picking controls based only on cost, ignoring effectiveness and risk appetite
Risk Responses — Accept, Transfer, Avoid, Mitigate (ATAM)
Four deliberate ways to handle risks: accept, transfer, avoid, or mitigate; choose by cost, impact, and business goals.
Key Insight
Pick by cost vs residual risk: transfer shifts cost but not full responsibility; acceptance requires monitoring/contingency.
Often Confused With
Common Mistakes
- Assuming 'accept' means ignore — acceptance must include monitoring or contingency plans
- Believing transfer removes all responsibility; residual risk and accountability often remain
- Thinking mitigation eliminates risk completely; controls usually only reduce likelihood or impact
Risk Register — Live Risk Inventory
A dynamic catalog of identified risks with scores, owners, controls and status used to prioritize treatment and assign (
Key Insight
It's a living, prioritized tool — scores are relative estimates; assign an accountable owner who tracks residual risk.
Often Confused With
Common Mistakes
- Treating the register as a one-time report instead of updating it continuously
- Interpreting risk scores as exact measurements rather than relative estimates for prioritization
- Assigning the owner as the person doing fixes instead of the accountable stakeholder who monitors the risk
Supply‑Chain Assessment (SBOMs & Firmware/BIOS)
Evaluate suppliers and components (SBOMs—Software Bill of Materials), validate firmware/BIOS, and monitor mitigations 24
Key Insight
SBOMs, contracts, and signatures are evidence — not proof; combine vetting, technical verification, counterfeit checks, and continuous monitoring.
Often Confused With
Common Mistakes
- Treating a vendor attestation or SBOM as definitive proof the component is safe.
- Assuming a digitally signed firmware image alone guarantees device trustworthiness.
- Performing supply‑chain checks only at procurement instead of ongoing monitoring.
Third‑Party Risk Management (Vendor Lifecycle)
Structured lifecycle to assess, contract, monitor, and mitigate security and operational risks from suppliers.
Key Insight
Vendor risk is continuous and cross‑functional—tier vendors by risk, map controls to SLAs, and combine contractual, technical, and operational checks.
Often Confused With
Common Mistakes
- Stopping risk activities after contract signature—no ongoing reassessment.
- Relying solely on vendor questionnaires or self‑assessments as evidence.
- Believing small or low‑spend vendors can't introduce critical risks.
Continuous Controls & Assessment (SIEM, CCM, KPIs)
Combine automated monitoring and periodic audits to collect mapped, retained evidence and detect control drift.
Key Insight
Automation finds issues fast; audits provide independent assurance — logs must be retained, integrity-checked, and mapped to controls.
Often Confused With
Common Mistakes
- Equating audits with continuous monitoring — they complement, don't replace.
- Assuming SIEM log forwarding alone is auditable evidence (no retention/integrity or mapping).
- Relying on automation or one green KPI to prove remediation or control effectiveness.
Data Protection Regs — HIPAA / GLBA / SOX / GDPR
Statutory rules that define scope, required safeguards, retention, breach notification, and legal obligations for data.
Key Insight
Each law differs by scope, jurisdiction, and required controls — complying with one does not auto-cover others.
Often Confused With
Common Mistakes
- Assuming compliance with one regulation automatically covers others.
- Treating documented policies as proof of legal compliance (implementation and evidence matter).
- Believing encryption alone satisfies all regulatory requirements.
Pen Test vs Vulnerability Scan — Verify & Prove
Vuln scans find weaknesses at scale; pen tests exploit select findings to prove real risk and validate fixes.
Key Insight
Scans discover; pen tests prove exploitability — audits require verification steps and retained evidence.
Often Confused With
Common Mistakes
- Assuming a single automated re-scan proves remediation — targeted verification is required.
- Closing a ticket after patching ≠ proof; verify the control works and retain evidence.
- Equating technical severity with business priority — triage must include asset value/impact.
Network Recon: Ping, SYN, Port, Banner & OS Fingerprinting
Active scans (ping, SYN, port, banner/OS fingerprinting) locate hosts/services but vary in detectability, accuracy, and侵
Key Insight
Scan choice = tradeoff: SYN is stealthier than full connect; banner/OS fingerprinting is probabilistic and can be fooled.
Often Confused With
Common Mistakes
- Assuming active reconnaissance is always illegal — authorized scans are legitimate with scope and approval.
- Believing scans are undetectable — IDS/IPS and SIEM commonly log and alert on them.
- Treating fingerprinting output as exact vendor/version — results are probabilistic and easily obfuscated.
Security Awareness Program (Phishing Campaigns)
Planned, repeated training and simulated phishing to lower click/reporting risk and measure remediation.
Key Insight
A program = cadence + reinforcement + metrics (reporting, remediation, repeat-offender drop), not one-offs.
Often Confused With
Common Mistakes
- Calling a single simulated email a 'campaign' — programs require repeated, scheduled activities.
- Using click‑rate or course completion alone as success — ignore reporting, remediation, and repeat offenders.
- Relying only on tech controls/simulations to stop social engineering; user processes matter.
Phishing — Spearphishing & Whaling
Social‑engineering attacks (email, SMS, voice) that impersonate trusted sources to steal creds or deliver malware.
Key Insight
Phishing isn't just mass email — smishing/vishing exist and targeted attacks use personalization or BEC to bypass filters.
Often Confused With
Common Mistakes
- Assuming phishing only arrives by email — SMS and voice attacks are common.
- Trusting a padlock, familiar logo, or brand graphic as proof an item is safe.
- Thinking spear/phishing always uses attachments—credential prompts or BEC often succeed without malware.
Certification Overview
Cheat Sheet Content
Similar Cheat Sheets
- CCNA Exam v1.1 (200-301) Cheat Sheet
- AWS Certified Cloud Practitioner (CLF-C02) Cheat Sheet
- AWS Certified AI Practitioner (AIF-C01) Cheat Sheet
- Exam AI-900: Microsoft Azure AI Fundamentals Cheat Sheet
- Google Cloud Professional Cloud Architect Cheat Sheet
- Google Cloud Security Operations Engineer Exam Cheat Sheet