CompTIA Security+ (SY0-701) Ultimate Cheat Sheet

5 Domains • 56 Concepts • Approx. 7 pages

Your Quick Reference Study Guide

This cheat sheet covers the core concepts, terms, and definitions you need to know for the CompTIA Security+ (SY0-701). We've distilled the most important domains, topics, and critical details to help your exam preparation.

💡 Note: While this study guide highlights essential concepts, it's designed to complement—not replace—comprehensiv e learning materials. Use it for quick reviews, last-minute prep, or to identify areas that need deeper study before your exam.

CompTIA Security+ (SY0-701) Practice Questions

Access Mock Exams & Comprehensive Question Bank

Listen to Audio Podcasts

Expert summaries for CompTIA Security+ (SY0-701)

Compensating Control — Documented Alternative

Temporary or permanent alternative control that provides equivalent risk mitigation when a primary control is impractic‍

Key Insight

Must be documented, justified, approved, and demonstrably equivalent — not a weaker stopgap.

Often Confused With

Corrective controlPreventive control

Common Mistakes

Treating it as a permanent swap without documented justification
Skipping documentation, approval, or risk assessment
Using an unrelated or weaker control and calling it compensating

Control Diversity — Layers & Functions

Classify controls by layer (tech/admin/physical) and by purpose (preventive, detective, corrective, deterrent, compens‍

Key Insight

Controls are classified two ways — layer + function — and often overlap; combine types for defense‑in‑depth.

Often Confused With

Detective controlPreventive controlCompensating control

Common Mistakes

Thinking detective controls prevent incidents
Equating compensating controls with corrective controls
Assuming each control fits only one category

Digital Signatures & Non‑repudiation

Private key signs a message hash; public key verifies origin and integrity — supports evidentiary non‑repudiation if key

Key Insight

Sign a hash with the private key to prove origin/integrity; signatures do not provide confidentiality and rely on key custody.

Often Confused With

Encryption (Confidentiality)Message Authentication Code (MAC)

Common Mistakes

Confusing signing with encrypting for confidentiality.
Assuming signatures are absolute despite key compromise or poor custody.
Signing the entire message directly and skipping hashing first.

Zero Trust — Verify Every Request

Architecture that denies implicit trust: authenticate and authorize every user, device and request with least privilege.

Key Insight

Default‑deny + least privilege + continuous, context‑aware checks (user, device, location, risk); it's policies + controls, not a single product.

Often Confused With

Perimeter SecurityMFA‑onlyVPNs

Common Mistakes

Treating Zero Trust as a single product you can buy.
Removing perimeter/network controls entirely under 'Zero Trust'.
Limiting Zero Trust to cloud only and ignoring on‑prem/hybrid systems.

Rollback: Revert to Known State

Return systems, configs, or data to a validated prior snapshot/version after a failed change or deployment to restore a

Key Insight

Rollback is an emergency recovery step, not a root-cause fix — it can cause data loss, schema/API mismatches, and needs follow-up analysis.

Often Confused With

Restore from backupDisaster recoveryVersion-control revert

Common Mistakes

Assuming rollback fixes the root cause and skipping post-rollback investigation
Believing rollback is risk-free — ignoring possible data loss, downtime, or config drift
Assuming all changes (DB schemas, external APIs) can be fully rolled back without side effects

Env Separation — Dev / Test / Staging / Prod

Keep Dev, Test, Staging, and Production separate to reduce deployment risk, enforce least privilege, and validate real‑w

Key Insight

Staging must mirror production (configs, scale, access controls); lower envs require masked data and restricted credentials.

Often Confused With

Production paritySandbox environmentCI/CD pipeline

Common Mistakes

Treating staging as identical to production and skipping final verification
Using production credentials or unmasked real data in lower environments for convenience
Giving developers full, direct rights to modify production to fix issues quickly

PKI & CA — Chain of Trust

Hierarchical system binding public keys to identities via root/intermediate CAs to validate TLS and code certificates.

Key Insight

Trust is anchored at root CAs; validation follows the chain plus client checks (expiry, CRL/OCSP); trust is local, not automatic.

Often Confused With

PGP Web of TrustSelf-signed certificatesCertificate pinning

Common Mistakes

Assuming a certificate alone proves identity.
Believing any CA-issued cert is trusted everywhere.
Expecting revocation to be immediate and always enforced.

Cryptographic Hashing (Integrity)

Deterministic, fixed-size digest that proves data integrity; non-reversible—used for file verification, fingerprints, &签

Key Insight

Hashes prove content equality and tampering; not confidentiality—use salted/slow functions for passwords and avoid MD5/SHA-1.

Often Confused With

EncryptionDigital signaturesNon-crypto checksums

Common Mistakes

Thinking hashes are reversible or provide confidentiality.
Using MD5/SHA-1 as secure collision-resistant hashes.
Assuming matching hashes prove provenance or authorship.

Compensating Control — Documented Alternative

Temporary or permanent alternative control that provides equivalent risk mitigation when a primary control is impractic‍

Key Insight

Must be documented, justified, approved, and demonstrably equivalent — not a weaker stopgap.

Often Confused With

Corrective controlPreventive control

Common Mistakes

Treating it as a permanent swap without documented justification
Skipping documentation, approval, or risk assessment
Using an unrelated or weaker control and calling it compensating

Control Diversity — Layers & Functions

Classify controls by layer (tech/admin/physical) and by purpose (preventive, detective, corrective, deterrent, compens‍

Key Insight

Controls are classified two ways — layer + function — and often overlap; combine types for defense‑in‑depth.

Often Confused With

Detective controlPreventive controlCompensating control

Common Mistakes

Thinking detective controls prevent incidents
Equating compensating controls with corrective controls
Assuming each control fits only one category

Digital Signatures & Non‑repudiation

Private key signs a message hash; public key verifies origin and integrity — supports evidentiary non‑repudiation if key

Key Insight

Sign a hash with the private key to prove origin/integrity; signatures do not provide confidentiality and rely on key custody.

Often Confused With

Encryption (Confidentiality)Message Authentication Code (MAC)

Common Mistakes

Confusing signing with encrypting for confidentiality.
Assuming signatures are absolute despite key compromise or poor custody.
Signing the entire message directly and skipping hashing first.

Zero Trust — Verify Every Request

Architecture that denies implicit trust: authenticate and authorize every user, device and request with least privilege.

Key Insight

Default‑deny + least privilege + continuous, context‑aware checks (user, device, location, risk); it's policies + controls, not a single product.

Often Confused With

Perimeter SecurityMFA‑onlyVPNs

Common Mistakes

Treating Zero Trust as a single product you can buy.
Removing perimeter/network controls entirely under 'Zero Trust'.
Limiting Zero Trust to cloud only and ignoring on‑prem/hybrid systems.

Rollback: Revert to Known State

Return systems, configs, or data to a validated prior snapshot/version after a failed change or deployment to restore a

Key Insight

Rollback is an emergency recovery step, not a root-cause fix — it can cause data loss, schema/API mismatches, and needs follow-up analysis.

Often Confused With

Restore from backupDisaster recoveryVersion-control revert

Common Mistakes

Assuming rollback fixes the root cause and skipping post-rollback investigation
Believing rollback is risk-free — ignoring possible data loss, downtime, or config drift
Assuming all changes (DB schemas, external APIs) can be fully rolled back without side effects

Env Separation — Dev / Test / Staging / Prod

Keep Dev, Test, Staging, and Production separate to reduce deployment risk, enforce least privilege, and validate real‑w

Key Insight

Staging must mirror production (configs, scale, access controls); lower envs require masked data and restricted credentials.

Often Confused With

Production paritySandbox environmentCI/CD pipeline

Common Mistakes

Treating staging as identical to production and skipping final verification
Using production credentials or unmasked real data in lower environments for convenience
Giving developers full, direct rights to modify production to fix issues quickly

PKI & CA — Chain of Trust

Hierarchical system binding public keys to identities via root/intermediate CAs to validate TLS and code certificates.

Key Insight

Trust is anchored at root CAs; validation follows the chain plus client checks (expiry, CRL/OCSP); trust is local, not automatic.

Often Confused With

PGP Web of TrustSelf-signed certificatesCertificate pinning

Common Mistakes

Assuming a certificate alone proves identity.
Believing any CA-issued cert is trusted everywhere.
Expecting revocation to be immediate and always enforced.

Cryptographic Hashing (Integrity)

Deterministic, fixed-size digest that proves data integrity; non-reversible—used for file verification, fingerprints, &签

Key Insight

Hashes prove content equality and tampering; not confidentiality—use salted/slow functions for passwords and avoid MD5/SHA-1.

Often Confused With

EncryptionDigital signaturesNon-crypto checksums

Common Mistakes

Thinking hashes are reversible or provide confidentiality.
Using MD5/SHA-1 as secure collision-resistant hashes.
Assuming matching hashes prove provenance or authorship.

Threat Actor Types — Script Kiddies → APT (Nation‑State)

Group attackers by motive, skill, and resources to infer TTPs and set response priority.

Key Insight

Combine target, tools, complexity, and infrastructure to infer motive/skill — single indicators mislead.

Often Confused With

Insider threatTTPs (Tactics, Techniques, Procedures)Threat motivations

Common Mistakes

Assuming one indicator (e.g., ransom note) definitively IDs the attacker.
Believing nation‑states only do espionage, never extortion/financial gain.
Equating visible disruption with low attacker sophistication.

Insider Threat — Malicious, Negligent, Compromised

Risk from authorized users (employees, contractors) acting maliciously, carelessly, or after compromise.

Key Insight

Distinguish intent (malicious vs negligent vs compromised) by behavior patterns and access use to choose controls.

Often Confused With

Third‑party/vendor riskExternal cyberattacksPrivileged account misuse

Common Mistakes

Treating insiders as only malicious and ignoring negligent/compromised cases.
Relying on background checks or hiring controls as a complete solution.
Using only technical monitoring without HR/policy/process controls.

Social Engineering — Human Attack Surface

Psychological manipulation to trick people into revealing access, data, or performing actions — common initial-access路.

Key Insight

Attackers exploit routine and trust; defenses require training, policy/process controls, and targeted tech together.

Often Confused With

PhishingInsider ThreatsTailgating

Common Mistakes

Treating social engineering as email-only (ignores phone, USB drops, in-person).
Relying solely on technical controls; human error bypasses firewalls/AV.
Assuming only external attackers use it; insiders can be vectors.

Cross‑Site Scripting (XSS) — Client‑Side Injection

Client-side script injection in web pages (reflected, stored, DOM) that can steal sessions, deface pages, or run actions

Key Insight

Context-aware output encoding + Content Security Policy stop XSS; input validation alone is insufficient.

Often Confused With

CSRFSQL InjectionHTML Injection

Common Mistakes

Believing input validation alone prevents XSS — output encoding matters by context.
Thinking HTTPS stops XSS — transport security doesn't sanitize content.
Assuming stored XSS requires a click — stored payloads can execute when a page loads.

Cryptography — Keys, RNG & Modes

Algorithms + key lifecycle + RNG + correct modes/signatures protect confidentiality, integrity, authenticity.

Key Insight

Strong algorithm ≠ secure system — correct mode, uncompromised keys, and high-entropy RNG decide real security.

Often Confused With

HashingEncodingTLS/HTTPS

Common Mistakes

Thinking encryption alone guarantees integrity and authenticity
Believing longer keys fix fundamentally broken algorithms
Assuming TLS/HTTPS automatically makes crypto safe (ignore ciphersuites/certs)

Buffer Overflows & Memory Corruption

Writing past buffer bounds corrupts memory (stack/heap/off-by-one/use-after-free) causing crashes, leaks, or code exec.

Key Insight

Any writable memory region can be abused; mitigations (ASLR/DEP/canaries/CFI) raise attack cost but don't make exploitation impossible.

Often Confused With

Integer overflowFormat stringUse-after-free

Common Mistakes

Believing only C/C++ programs can have buffer overflows
Assuming ASLR/DEP/canaries make exploitation impossible
Relying on naive input validation without fixing memory-management flaws

SQL Injection (SQLi)

User-supplied input alters SQL queries to read, modify, or delete DB data; exploit of poor input handling.

Key Insight

If user input becomes executable SQL (via string concatenation), the attacker controls the query — separate code and data with parameterized queries.

Often Confused With

Cross-Site Scripting (XSS)Command InjectionLDAP Injection

Common Mistakes

Assuming SQLi only affects web apps — APIs, desktop apps, and backend services can be vulnerable.
Relying on simple string escaping — escaping is fragile and often incomplete.
Believing prepared statements always make you safe — misused dynamic SQL can still be injected.

DoS / DDoS Attacks

Attackers exhaust target resources to deny availability; DDoS multiplies impact using many distributed sources.

Key Insight

Classify the attack layer: volumetric (bandwidth), protocol/state (connections), or application (CPU/DB) — mitigation must match the layer (scrubbers,

Often Confused With

Volumetric attacksApplication-layer (Layer 7) attacksBotnets

Common Mistakes

Thinking DDoS is for data theft — its primary goal is to deny availability (though it can be a diversion).
Believing a perimeter firewall alone will stop DDoS — large volumetric attacks require upstream scrubbing, CDN/anycast, or provider mitigation.
Assuming all DDoS traffic is IP‑spoofed and sources are useless — many botnets use real IPs; source data still helps detection and rate limits.

Sandboxing — Isolate & Contain Untrusted Code

Isolated runtime for untrusted code that limits system access and contains compromise for testing/mitigation.

Key Insight

Containment reduces impact but isn't foolproof — enforce least privilege, host hardening, and monitoring.

Often Confused With

ContainersVirtual Machines (VMs)

Common Mistakes

Assuming a sandbox is foolproof — sandbox escapes occur.
Skipping host patching/hardening because code runs in a sandbox.
Treating containers as equivalent to a secure sandbox.

VLAN Segmentation — Logical Device Isolation

Use VLANs to group and isolate devices to limit lateral movement; pair with ACLs, routing controls, and monitoring.

Key Insight

VLANs provide logical separation, not an absolute boundary — you still need ACLs/firewalls and L2 protections.

Often Confused With

SubnettingMicrosegmentation

Common Mistakes

Treating VLANs as complete security boundaries.
Enabling inter‑VLAN routing without ACLs or filtering.
Assuming VLANs stop ARP/DHCP attacks without DAI/DHCP snooping.

Layered Defense — Defense‑in‑Depth

Overlapping physical, technical, and administrative controls that limit attack paths and reduce single points of failure

Key Insight

Layers reduce correlated failures; vendor diversity boosts resilience but raises ops complexity—choose complementary controls and centralize mgmt

Often Confused With

Zero Trust ArchitecturePerimeter‑based Security

Common Mistakes

Assuming more layers always equals more security — extra controls can add complexity and gaps
Relying on one 'strong' control (e.g., firewall) to replace other layers
Treating defense‑in‑depth as only technical and ignoring physical/admin controls

VPN Tunnels & IPsec (Site‑to‑Site vs Remote Access)

Encrypted tunnels over untrusted networks; IPsec tunnel mode encapsulates the entire original IP packet for site‑to‑site

Key Insight

IPsec components differ: ESP = confidentiality+integrity (optionally), AH = integrity/auth; tunnel mode encapsulates full IP packet (site‑to‑site use)

Often Confused With

SSL/TLS VPNGRE (Generic Routing Encapsulation)

Common Mistakes

Assuming IPsec always encrypts traffic — it can be configured for auth/integrity only
Mixing up ESP and AH — ESP can provide encryption; AH does not
Confusing tunnel vs transport mode — tunnel encapsulates full packet; transport protects only payload

HA & Resilience Patterns

Design redundancy, HA patterns and geo‑replication to meet RTO/RPO while avoiding single fault domains.

Key Insight

True availability = redundancy + fault‑domain separation; trade RTO/RPO vs consistency, complexity, cost.

Often Confused With

BackupsClusteringLoad Balancing

Common Mistakes

Treating backups as full DR — backups don't guarantee fast service recovery or meet tight RTOs.
Adding redundancy inside the same fault domain — still a single point of failure.
Assuming active‑active always wins — can add consistency issues, cost, and operational complexity.

SSH: Encrypted Admin & Tunneling

Encrypts remote admin sessions and file transfers; supports TCP port‑forwarding to secure other protocols.

Key Insight

Identity = host keys + user keys; port forwarding secures weak protocols, but SSH must be hardened against brute force.

Often Confused With

SCPSFTPTelnet

Common Mistakes

Assuming SSH prevents brute‑force or credential attacks — enable key auth, rate limits, and lockouts.
Treating SCP and SFTP as identical — they use different protocols and features.
Accepting unknown host key warnings — this can mask a man‑in‑the‑middle attack.

Data-in-Transit — Network Encryption

Info moving across networks; defend with TLS/HTTPS, SSH, IPsec, integrity checks, and endpoint trust.

Key Insight

Transport encryption prevents eavesdropping but not endpoint compromise or bad certs—validate certs, ciphers, endpoints.

Often Confused With

Data-at-restData-in-use

Common Mistakes

Treating TLS or VPN as foolproof—ignore weak ciphers or certificate validation
Assuming network encryption protects data if endpoints are compromised
Believing IPsec removes need for application-layer encryption in all cases

DLP (Data Loss Prevention) — Policy Enforcement

Policy-driven tools that detect and block unauthorized data exfiltration across endpoints, network, and cloud.

Key Insight

DLP enforces policy based on classification and context; it needs endpoint agents or decryption proxies and constant tuning.

Often Confused With

Data classificationCASBEndpoint protection

Common Mistakes

Expecting DLP to stop all leaks without classification and policy tuning
Assuming DLP inspects encrypted traffic without decryption or endpoint sensors
Relying on a single detection method (e.g., one regex) for all sensitive data

RPO — Recovery Point Objective (Max Data‑Loss Window)

Max acceptable data loss measured backward in time; dictates backup/replication frequency and cost.

Key Insight

RPO defines how far back recovered data can be — not how long systems will be down; lower RPO means more frequent or continuous replication and higher

Often Confused With

RTO — Recovery Time ObjectiveBackup window

Common Mistakes

Mixing up RPO and RTO — RPO = data age/loss, RTO = downtime duration.
Treating RPO as downtime length instead of the allowable data‑age limit.
Assuming zero RPO is free — continuous replication raises cost/complexity.

BCP — Business Continuity Plan (Keep Ops Running)

Documented program to maintain or resume critical people, processes, facilities and suppliers during/after disruptions.

Key Insight

BCP is enterprise‑wide (people, processes, facilities, suppliers); DRP is the IT recovery subset — the BCP must be tested, updated, and tied to BIAs.

Often Confused With

DRP — Disaster Recovery PlanIRP — Incident Response Plan

Common Mistakes

Equating BCP with a DRP — BCP covers the whole business, DRP focuses on IT.
Restricting BCP to IT systems only instead of people/facilities/suppliers.
Skipping regular tests and updates — an untested BCP won't work under pressure.

App Allowlist vs Denylist (Application Control)

Allowlisting = default‑deny only approved apps run; denylisting = block known bad apps — key for endpoint hardening.

Key Insight

Allowlists stop unknown/zero‑day execution by default but need exception processes and coverage for scripts/interpreters.

Often Confused With

Endpoint Detection and Response (EDR)Code SigningApplication Sandboxing

Common Mistakes

Equating code signing with allowlisting — signed apps can still be malicious.
Relying on blacklists to stop zero‑day malware — lists only cover known threats.
Controlling only .exe files — neglecting scripts, macros, interpreters, and libraries.

Secure Baselines — Versioned Reference Builds

Versioned reference configs used to detect drift, validate builds, and drive remediation in CI/change workflows.

Key Insight

Baselines are snapshots to detect change; they must be updated per patch/build and tailored per platform — they don't fix issues.

Often Confused With

Change ManagementConfiguration Management Database (CMDB)Vulnerability Management

Common Mistakes

Using vendor default configs as your secure baseline.
Assuming baselines never change — skip updates after patches or policy shifts.
Believing a baseline guarantees security — it's for detection and validation, not remediation.

Data Classification Labels — Confidential/Private/Public/Proprietary

Policy labels that map data sensitivity to required access, protection, retention, and disposal.

Key Insight

Labels drive controls and retention; they don't enforce controls and must be kept current by business, legal, and IT.

Often Confused With

EncryptionAccess ControlData Retention Policy

Common Mistakes

Treating classification as one-and-done — review when risk, use, or regulations change.
Equating classification with encryption — encryption is a control, not a label or policy.
Assuming higher sensitivity always means longer retention — follow legal/business retention rules.

Asset Discovery & Monitoring — Agent vs Agentless

Tools/techniques (agent/agentless, scanning, SNMP, active/passive) to locate, classify, track assets and feed the CMDB.

Key Insight

Agent = deeper, continuous telemetry; agentless = lower footprint but blind spots; active scans can disrupt or trigger IDS.

Often Confused With

Vulnerability ScanningEDR (Endpoint Detection & Response)

Common Mistakes

Assuming agentless gives full visibility — it can miss devices behind NAT or offline endpoints.
Running active scans without controls — active scans can disrupt systems or trigger security alerts.
Expecting SNMP to provide complete asset detail — it requires correct credentials/version and offers limited MIB data.

Patch Management (Hotfix / Patch / Service Pack)

Risk‑based cycle to test, prioritize, schedule, deploy, verify and report software fixes using CVSS, asset value, and SL

Key Insight

Prioritize by exploitability + asset value, always test, backup, and have rollback; CVSS alone doesn't set order

Often Confused With

Change ManagementConfiguration ManagementVulnerability Scanning

Common Mistakes

Deploying patches straight to production without testing or rollback plans
Using CVSS severity as the sole remediation priority
Assuming a vendor patch completely removes the security risk

Continuous Monitoring — Telemetry, Alerts & KPIs

Ongoing automated + human‑reviewed observation of telemetry and KPIs to detect issues, measure MTTR/MTTD, and report org

Key Insight

Automation finds signals; human tuning and contextual KPIs (MTTD, MTTR, SLA, prioritized vuln counts) turn them into action

Often Confused With

SIEMPeriodic AuditsIncident Response

Common Mistakes

Assuming continuous monitoring replaces periodic audits or compliance checks
Expecting it to detect every incident instantly without tuning or human review
Reporting raw open‑vuln counts without context (asset value, exploitability)

SIEM — Central Log Engine (time-sync, correlation, WORM)

Centralizes log collection, time‑sync, parsing/correlation and protected retention to detect incidents and prove audits.

Key Insight

Timestamps + correlation turn noisy events into forensic timelines; WORM + retention policies prove integrity for compliance.

Often Confused With

Log ManagementSOAR (Security Orchestration, Automation and Response)

Common Mistakes

Assuming infinite log retention is best — ignores cost and diminishing investigative value.
Treating a SIEM as a blocking/preventive control; it's primarily detective and investigative.
Skipping access controls or encryption because logs are centralized — centralized data still needs protection.

IDS vs IPS — Detect vs Block (NIDS/HIDS, signature/behavioral)

Monitors host/network activity: IDS alerts passively; IPS sits inline to block/mitigate; uses signature, heuristic, and/

Key Insight

IDS generates alerts; IPS can stop traffic but risks disruption — exam answers favor tuning, placement, and layered detection.

Often Confused With

FirewallWAF (Web Application Firewall)EDR (Endpoint Detection and Response)

Common Mistakes

Expecting an IDS to block traffic like an IPS.
Using identical placement/config for IDS and IPS without considering inline impact.
Relying only on signature-based detection for zero-day or polymorphic threats.

Segmentation & Isolation (VLAN / Virtualization / Air‑Gap)

Partition networks/hosts (physical, VLANs, VMs, host microsegmentation, air gaps) to limit east–west movement and reduce

Key Insight

Segmentation only reduces blast radius if inter-segment policies are enforced — more segments + poor policy = bigger risk.

Often Confused With

VLANsMicrosegmentationCloud Security Groups

Common Mistakes

Treating VLANs as a security barrier — they separate traffic but don't enforce access policies.
Believing microsegmentation replaces perimeter firewalls; both are complementary.
Over-segmenting without management increases configuration errors and attack surface.

Firewall — Packet, Stateful, Application (Placement Matters)

Enforces allow/deny rules: stateless packet filters, stateful (connection-tracking), and app-layer proxies for deeper‑in

Key Insight

Stateful firewalls track sessions to permit return traffic; stateless require explicit inbound rules; app firewalls inspect payloads.

Often Confused With

Host-based firewallIDS/IPSAccess Control List (ACL)

Common Mistakes

Relying on a firewall as sole defense — it won't stop malware or insider threats.
Assuming host-based firewalls can replace network/perimeter firewalls at enterprise scale.
Expecting stateless devices to auto-allow return traffic or thinking stateful can't handle UDP.

AAA — Authn, Authz & Accounting

Three-step identity model: authenticate identity, authorize actions, and record activity for audits.

Key Insight

Authentication must come first; authorization enforces permissions for a verified identity, and accounting = audit evidence (not just billing).

Often Confused With

RBAC (Role-Based Access Control)SSO (Single Sign-On)Audit Logging

Common Mistakes

Mixing authentication with authorization — logging in ≠ having permissions.
Treating accounting as billing only — it's the audit trail for forensics/compliance.
Assuming logs alone guarantee detection — retention, coverage, and correlation matter.

MFA — Know / Have / Be (factor categories)

Require 2+ independent factor categories (knowledge, possession, inherence, environment) to raise identity assurance.

Key Insight

True MFA = independent categories; two passwords or password+manager are one factor; contextual signals are weaker and often supplemental.

Often Confused With

2FA (Two-Factor Authentication)Password ManagersAdaptive/Contextual Authentication

Common Mistakes

Counting two passwords (or password+manager) as MFA.
Assuming MFA always means exactly 2 factors — it can be 2 or more.
Treating biometrics or location as infallible — they have false accepts/rejects and can be spoofed.

SOAR Playbooks & Runbooks (Automated COA)

Predefined incident‑response workflows: playbooks decide logic; runbooks execute concrete steps (manual or automated).

Key Insight

Playbook = decision flow; Runbook = executable procedure — always test, include approval gates, and review regularly.

Often Confused With

PlaybooksRunbooks

Common Mistakes

Assuming SOAR can fully replace human analysts
Skipping testing and periodic reviews of playbooks/runbooks
Treating playbooks and runbooks as identical; ignoring manual runbook steps

Secrets & Key Management — Vaults/KMS/HSM

Centralize secrets in vaults/KMS/HSM with scoped access, automated rotation, audit logging, and CI/CD integration.

Key Insight

Never hard‑code or base64 secrets — use short‑lived credentials, least privilege, rotation, and audit trails.

Often Confused With

Environment variablesBase64 encodingHard-coded credentials

Common Mistakes

Storing secrets in private repos or hard-coding credentials
Treating environment variables as inherently secure secret storage
Using base64 or long-lived keys instead of rotation, logging, and scoped access

IR Phases — Prepare, Identify, Contain, Eradicate, Recover, Learn

Six-step flow (Prepare→Identify→Contain→Eradicate→Recover→Learn) to manage incidents and prevent repeats.

Key Insight

Phases overlap and iterate—containment limits impact while eradication removes the root cause; preparation includes tooling and exercises.

Often Confused With

Business Continuity/Disaster Recovery (BC/DR)Incident Management

Common Mistakes

Equating containment with eradication—containment limits impact; eradication removes root cause.
Running phases strictly linearly—expect overlap and parallel workstreams.
Treating every alert as confirmed—triage before escalation and action.

IR Plan Components — Roles, Triggers, Escalation, Comms

Defines categories, roles, activation triggers, escalation paths, and communications templates to coordinate response.

Key Insight

Activation triggers and decision criteria determine when the plan starts; include cross-functional roles, legal/comms, and tested playbooks.

Often Confused With

Runbooks/PlaybooksBusiness Continuity/Disaster Recovery (BC/DR)

Common Mistakes

Using ad-hoc staff for IR roles—assign predefined, trained alternates.
Limiting comms to external audiences—include internal, legal, and exec channels.
Treating the plan as static—test and update after exercises or environment changes.

OS Security Logs — Windows Event Log Focus

OS audit records (System/Application/Security) showing logons, priv‑esc, service/policy changes — enable audit policy to

Key Insight

Windows Event IDs (logon/failed logon/privilege use/process creation) are forensic breadcrumbs; many events need audit policy and forwarding to retain

Often Confused With

Application logsLinux audit/syslog

Common Mistakes

Assuming every security event is logged by default — enable/adjust audit policies.
Trusting local logs are tamper‑proof — attackers can clear or modify them.
Thinking cleared logs destroy all evidence — artifacts or forwarded/SIEM copies can remain.

Log Anomaly Detection — SIEM, Baselines, Triage

Collect, normalize and analyze logs centrally to spot deviations, reconstruct timelines and generate tuned alerts for IR

Key Insight

Centralization ≠ detection — you need parsing, normalization, baselines, rule tuning and time‑sync (NTP) to reduce false positives

Often Confused With

Signature‑based IDSNetwork traffic (PCAP)

Common Mistakes

Logging everything without filters — floods systems and hides real alerts.
Treating every anomaly as a breach — many are benign or misconfigurations.
Believing SIEM auto‑detects attacks or timestamps are already synced — tune rules and verify NTP.

Authorized Change Pipeline (CAB & Rollback)

Process + technical controls to ensure changes are authorized, tested, logged, and reversible.

Key Insight

If a change lacks authorization, testing, logging, or rollback capability it's noncompliant—expedited changes still need an audit trail.

Often Confused With

Configuration ManagementPatch ManagementRelease Management

Common Mistakes

Only major upgrades need tickets — small config changes still require control
Emergency changes can permanently skip documentation; retrospective docs don't count
Assuming every change must get CAB approval; standard/pre-approved change paths exist

Risk Assessment Lifecycle (Inherent → Residual)

Identify assets, threats, vulnerabilities; estimate likelihood & impact; calculate inherent and residual risk to drive控制

Key Insight

Residual risk = inherent risk reduced by controls; it rarely becomes zero—pick mitigations by effectiveness and risk appetite.

Often Confused With

Threat ModelingVulnerability AssessmentRisk Management

Common Mistakes

Believing residual risk equals zero once controls are in place
Treating threats and vulnerabilities as the same thing
Picking controls based only on cost, ignoring effectiveness and risk appetite

Risk Responses — Accept, Transfer, Avoid, Mitigate (ATAM)

Four deliberate ways to handle risks: accept, transfer, avoid, or mitigate; choose by cost, impact, and business goals.

Key Insight

Pick by cost vs residual risk: transfer shifts cost but not full responsibility; acceptance requires monitoring/contingency.

Often Confused With

Risk AppetiteResidual Risk

Common Mistakes

Assuming 'accept' means ignore — acceptance must include monitoring or contingency plans
Believing transfer removes all responsibility; residual risk and accountability often remain
Thinking mitigation eliminates risk completely; controls usually only reduce likelihood or impact

Risk Register — Live Risk Inventory

A dynamic catalog of identified risks with scores, owners, controls and status used to prioritize treatment and assign (

Key Insight

It's a living, prioritized tool — scores are relative estimates; assign an accountable owner who tracks residual risk.

Often Confused With

Issue LogAsset InventoryControl Register

Common Mistakes

Treating the register as a one-time report instead of updating it continuously
Interpreting risk scores as exact measurements rather than relative estimates for prioritization
Assigning the owner as the person doing fixes instead of the accountable stakeholder who monitors the risk

Supply‑Chain Assessment (SBOMs & Firmware/BIOS)

Evaluate suppliers and components (SBOMs—Software Bill of Materials), validate firmware/BIOS, and monitor mitigations 24

Key Insight

SBOMs, contracts, and signatures are evidence — not proof; combine vetting, technical verification, counterfeit checks, and continuous monitoring.

Often Confused With

Third-party/vendor risk managementSupply Chain Risk Management (SCRM)

Common Mistakes

Treating a vendor attestation or SBOM as definitive proof the component is safe.
Assuming a digitally signed firmware image alone guarantees device trustworthiness.
Performing supply‑chain checks only at procurement instead of ongoing monitoring.

Third‑Party Risk Management (Vendor Lifecycle)

Structured lifecycle to assess, contract, monitor, and mitigate security and operational risks from suppliers.

Key Insight

Vendor risk is continuous and cross‑functional—tier vendors by risk, map controls to SLAs, and combine contractual, technical, and operational checks.

Often Confused With

Supply Chain AssessmentContract Management

Common Mistakes

Stopping risk activities after contract signature—no ongoing reassessment.
Relying solely on vendor questionnaires or self‑assessments as evidence.
Believing small or low‑spend vendors can't introduce critical risks.

Continuous Controls & Assessment (SIEM, CCM, KPIs)

Combine automated monitoring and periodic audits to collect mapped, retained evidence and detect control drift.

Key Insight

Automation finds issues fast; audits provide independent assurance — logs must be retained, integrity-checked, and mapped to controls.

Often Confused With

AuditsVulnerability ScanningConfiguration Management

Common Mistakes

Equating audits with continuous monitoring — they complement, don't replace.
Assuming SIEM log forwarding alone is auditable evidence (no retention/integrity or mapping).
Relying on automation or one green KPI to prove remediation or control effectiveness.

Data Protection Regs — HIPAA / GLBA / SOX / GDPR

Statutory rules that define scope, required safeguards, retention, breach notification, and legal obligations for data.

Key Insight

Each law differs by scope, jurisdiction, and required controls — complying with one does not auto-cover others.

Often Confused With

PCI DSSData ResidencyPrivacy vs. Security

Common Mistakes

Assuming compliance with one regulation automatically covers others.
Treating documented policies as proof of legal compliance (implementation and evidence matter).
Believing encryption alone satisfies all regulatory requirements.

Pen Test vs Vulnerability Scan — Verify & Prove

Vuln scans find weaknesses at scale; pen tests exploit select findings to prove real risk and validate fixes.

Key Insight

Scans discover; pen tests prove exploitability — audits require verification steps and retained evidence.

Often Confused With

Vulnerability assessmentRed team exerciseConfiguration audit

Common Mistakes

Assuming a single automated re-scan proves remediation — targeted verification is required.
Closing a ticket after patching ≠ proof; verify the control works and retain evidence.
Equating technical severity with business priority — triage must include asset value/impact.

Network Recon: Ping, SYN, Port, Banner & OS Fingerprinting

Active scans (ping, SYN, port, banner/OS fingerprinting) locate hosts/services but vary in detectability, accuracy, and侵

Key Insight

Scan choice = tradeoff: SYN is stealthier than full connect; banner/OS fingerprinting is probabilistic and can be fooled.

Often Confused With

Ping sweepFull TCP connect scanBanner grabbing

Common Mistakes

Assuming active reconnaissance is always illegal — authorized scans are legitimate with scope and approval.
Believing scans are undetectable — IDS/IPS and SIEM commonly log and alert on them.
Treating fingerprinting output as exact vendor/version — results are probabilistic and easily obfuscated.

Security Awareness Program (Phishing Campaigns)

Planned, repeated training and simulated phishing to lower click/reporting risk and measure remediation.

Key Insight

A program = cadence + reinforcement + metrics (reporting, remediation, repeat-offender drop), not one-offs.

Often Confused With

Phishing (including spear phishing and whaling)Technical Controls

Common Mistakes

Calling a single simulated email a 'campaign' — programs require repeated, scheduled activities.
Using click‑rate or course completion alone as success — ignore reporting, remediation, and repeat offenders.
Relying only on tech controls/simulations to stop social engineering; user processes matter.

Phishing — Spearphishing & Whaling

Social‑engineering attacks (email, SMS, voice) that impersonate trusted sources to steal creds or deliver malware.

Key Insight

Phishing isn't just mass email — smishing/vishing exist and targeted attacks use personalization or BEC to bypass filters.

Often Confused With

SmishingVishingBusiness Email Compromise (BEC)

Common Mistakes

Assuming phishing only arrives by email — SMS and voice attacks are common.
Trusting a padlock, familiar logo, or brand graphic as proof an item is safe.
Thinking spear/phishing always uses attachments—credential prompts or BEC often succeed without malware.

CompTIA Security+ (SY0-701) Practice Questions

Access Mock Exams & Comprehensive Question Bank

Listen to Audio Podcasts

Expert summaries for CompTIA Security+ (SY0-701)

Certification Overview

Duration:90 min

Questions:90

Passing:81%

Level:Intermediate

Cheat Sheet Content

56Key Concepts

5Exam Domains

CompTIA Security+ (SY0-701) Ultimate Cheat Sheet

Your Quick Reference Study Guide

CompTIA Security+ (SY0-701)

General Security Concepts

General Security Concepts

Compensating Control — Documented Alternative

Control Diversity — Layers & Functions

Digital Signatures & Non‑repudiation

Zero Trust — Verify Every Request

Rollback: Revert to Known State

Env Separation — Dev / Test / Staging / Prod

PKI & CA — Chain of Trust

Cryptographic Hashing (Integrity)

Compensating Control — Documented Alternative

Control Diversity — Layers & Functions

Digital Signatures & Non‑repudiation

Zero Trust — Verify Every Request

Rollback: Revert to Known State

Env Separation — Dev / Test / Staging / Prod

PKI & CA — Chain of Trust

Cryptographic Hashing (Integrity)

Threats, Vulnerabilities, and Mitigations

Threats, Vulnerabilities, and Mitigations

Threat Actor Types — Script Kiddies → APT (Nation‑State)

Insider Threat — Malicious, Negligent, Compromised

Social Engineering — Human Attack Surface

Cross‑Site Scripting (XSS) — Client‑Side Injection

Cryptography — Keys, RNG & Modes

Buffer Overflows & Memory Corruption

SQL Injection (SQLi)

DoS / DDoS Attacks

Sandboxing — Isolate & Contain Untrusted Code

VLAN Segmentation — Logical Device Isolation

Security Architecture

Security Architecture

Layered Defense — Defense‑in‑Depth

VPN Tunnels & IPsec (Site‑to‑Site vs Remote Access)

HA & Resilience Patterns

SSH: Encrypted Admin & Tunneling

Data-in-Transit — Network Encryption

DLP (Data Loss Prevention) — Policy Enforcement

RPO — Recovery Point Objective (Max Data‑Loss Window)

BCP — Business Continuity Plan (Keep Ops Running)

Security Operations

Security Operations

App Allowlist vs Denylist (Application Control)

Secure Baselines — Versioned Reference Builds

Data Classification Labels — Confidential/Private/Public/Proprietary

Asset Discovery & Monitoring — Agent vs Agentless

Patch Management (Hotfix / Patch / Service Pack)

Continuous Monitoring — Telemetry, Alerts & KPIs

SIEM — Central Log Engine (time-sync, correlation, WORM)

IDS vs IPS — Detect vs Block (NIDS/HIDS, signature/behavioral)

Segmentation & Isolation (VLAN / Virtualization / Air‑Gap)

Firewall — Packet, Stateful, Application (Placement Matters)

AAA — Authn, Authz & Accounting

MFA — Know / Have / Be (factor categories)

SOAR Playbooks & Runbooks (Automated COA)

Secrets & Key Management — Vaults/KMS/HSM

IR Phases — Prepare, Identify, Contain, Eradicate, Recover, Learn

IR Plan Components — Roles, Triggers, Escalation, Comms

OS Security Logs — Windows Event Log Focus

Log Anomaly Detection — SIEM, Baselines, Triage

Security Program Management and Oversight

Security Program Management and Oversight

Authorized Change Pipeline (CAB & Rollback)

Risk Assessment Lifecycle (Inherent → Residual)

Risk Responses — Accept, Transfer, Avoid, Mitigate (ATAM)

Risk Register — Live Risk Inventory

Supply‑Chain Assessment (SBOMs & Firmware/BIOS)

Third‑Party Risk Management (Vendor Lifecycle)

Continuous Controls & Assessment (SIEM, CCM, KPIs)

Data Protection Regs — HIPAA / GLBA / SOX / GDPR

Pen Test vs Vulnerability Scan — Verify & Prove

Network Recon: Ping, SYN, Port, Banner & OS Fingerprinting

Security Awareness Program (Phishing Campaigns)

Phishing — Spearphishing & Whaling

Certification Overview

Cheat Sheet Content

Similar Cheat Sheets