SOT-001 — CompTIA SecOT+ V1 Exam Blueprint
Practical readiness checklist for the CompTIA SecOT+ V1 (SOT-001) topic areas, security operations scenarios, tools, and final-review tasks.
How to Use This Exam Blueprint
Use this checklist as a practical study map for CompTIA SecOT+ V1 (SOT-001) from CompTIA. It is designed to help you verify whether you can apply security operations concepts, not just recognize definitions.
Because exact official weights are not provided here, the sections below are organized as readiness areas, not as weighted exam domains. For each area, ask:
- Can I explain the concept in plain language?
- Can I identify the correct tool, control, or workflow from a scenario?
- Can I interpret a small artifact such as a log entry, alert summary, ticket, diagram, or command output?
- Can I choose the safest next action without overreacting, destroying evidence, or ignoring risk?
Topic-Area Readiness Table
| Readiness area | What to review | What “ready” looks like |
|---|---|---|
| Security operations foundations | SOC roles, monitoring, alert triage, escalation, incident lifecycle, operational priorities | You can describe how alerts move from detection to triage, containment, recovery, documentation, and lessons learned. |
| Threats and attack activity | Phishing, credential attacks, malware, ransomware, insider activity, web attacks, data exfiltration, lateral movement | You can match indicators and behaviors to likely threat types and choose a reasonable response. |
| Logs and telemetry | Authentication logs, endpoint events, firewall logs, DNS, proxy, EDR, IDS/IPS, cloud logs, application logs | You can identify useful fields, correlate events, build a timeline, and separate signal from noise. |
| SIEM and alert analysis | Search, filtering, correlation, dashboards, severity, enrichment, false positives, alert fatigue | You can use a SIEM-style workflow to validate an alert and decide whether to escalate. |
| Incident response | Preparation, identification, containment, eradication, recovery, post-incident activity, evidence handling | You can choose next steps based on incident stage and business impact. |
| Vulnerability management | Scanning, asset criticality, prioritization, remediation, compensating controls, verification | You can prioritize vulnerabilities using context, not just severity labels. |
| Identity and access security | MFA, least privilege, RBAC, privileged access, account lifecycle, service accounts, credential hygiene | You can recognize risky access patterns and recommend practical controls. |
| Network security operations | Firewalls, segmentation, IDS/IPS, VPNs, NAC, secure protocols, DNS, packet basics | You can interpret common network security alerts and identify likely misconfigurations. |
| Endpoint security | EDR, antivirus, host firewall, process behavior, persistence, isolation, patching, hardening | You can evaluate endpoint alerts and choose containment actions. |
| Cloud and hybrid security | Shared responsibility, cloud IAM, logging, storage exposure, key management, network controls, workload security | You can analyze common cloud security scenarios without assuming on-premises controls work the same way. |
| Data protection | Classification, encryption, DLP, backups, retention, privacy-sensitive handling, secure deletion | You can recommend data safeguards based on sensitivity and business use. |
| Governance and documentation | Policies, standards, procedures, risk register, tickets, reports, evidence, change records | You can document findings clearly and know when to escalate. |
| Automation and tooling | SOAR concepts, playbooks, scripts, ticketing, enrichment, threat intelligence feeds | You can identify where automation helps and where analyst judgment is still required. |
| Troubleshooting and operational judgment | Tool health, sensor gaps, time sync issues, noisy alerts, incomplete data, conflicting evidence | You can recognize when a detection problem is caused by visibility, configuration, or process issues. |
Security Operations Foundations
Core Concepts to Review
| Concept | Be ready to explain | Scenario cue |
|---|---|---|
| Security operations center | People, processes, and tools used to monitor and respond to threats | “Multiple alerts are being triaged during business hours.” |
| Triage | First-pass evaluation of an alert or report | “Determine whether this alert is actionable.” |
| Escalation | Moving an issue to a higher tier, team, or incident lead | “The analyst confirms suspicious activity but lacks authority to isolate a server.” |
| Incident lifecycle | Preparation, detection, analysis, containment, eradication, recovery, lessons learned | “Which step comes next?” |
| Severity vs. priority | Technical seriousness versus business urgency | “A high-severity issue affects a low-value lab asset; a medium issue affects payroll.” |
| Runbooks and playbooks | Repeatable guidance for known situations | “A phishing report arrives in the queue.” |
| Metrics | Mean time to detect, mean time to respond, alert volume, false positive rate, backlog | “Management asks whether the SOC is improving.” |
Can You Do This?
- Distinguish an event, alert, security incident, and breach without using them interchangeably.
- Identify when an analyst should monitor, investigate, contain, escalate, or close as benign.
- Explain why business context affects response priority.
- Recognize when an alert needs more evidence before action.
- Document an investigation so another analyst can reproduce your reasoning.
Threats, Indicators, and Attack Behavior
Threat Activity Checklist
| Threat type | Indicators to recognize | Response thinking |
|---|---|---|
| Phishing | Suspicious sender, urgent language, credential link, attachment, lookalike domain | Preserve message, analyze headers/links safely, identify affected users, block indicators if confirmed. |
| Credential attack | Password spraying, brute force, impossible travel, MFA fatigue, new device login | Validate account activity, reset credentials if needed, revoke sessions, review related accounts. |
| Malware | Unexpected process, suspicious file path, persistence, outbound beaconing, endpoint alert | Isolate if warranted, collect evidence, identify scope, remove persistence, recover safely. |
| Ransomware | File renaming, encryption behavior, ransom note, mass file writes, disabled defenses | Contain quickly, protect backups, escalate, avoid ad hoc cleanup that destroys evidence. |
| Data exfiltration | Large outbound transfers, unusual destination, compressed archives, cloud sharing anomalies | Confirm data sensitivity, identify path and account, contain, preserve logs. |
| Insider activity | Unusual access, off-hours downloads, policy violations, privilege misuse | Handle carefully, document facts, involve appropriate teams, avoid unsupported accusations. |
| Web application attack | SQL injection pattern, path traversal, command injection, abnormal HTTP requests | Review web logs, identify exploited endpoint, apply fixes or compensating controls. |
| Lateral movement | Remote admin tools, unusual SMB/RDP/SSH use, credential reuse, new service creation | Scope affected hosts, contain access paths, review privileged credentials. |
Common Indicator Types
- IP addresses and network ranges
- Domain names and URLs
- File hashes
- Email addresses and sender infrastructure
- Usernames and account IDs
- Hostnames and device IDs
- Process names, parent-child relationships, command-line arguments
- Registry keys, scheduled tasks, services, startup locations
- Cloud resource IDs, access keys, storage objects, role assignments
Logs, Telemetry, and Evidence
Log Sources to Know
| Source | Useful for | Key fields to inspect |
|---|---|---|
| Authentication logs | Login success/failure, account misuse, privilege changes | User, source IP, device, time, result, authentication method |
| Endpoint logs | Process execution, file activity, malware behavior | Host, process, parent process, path, hash, user, timestamp |
| Firewall logs | Allowed/blocked traffic, unusual ports, policy hits | Source, destination, port, protocol, action, rule |
| DNS logs | Domain lookups, malware beaconing, tunneling clues | Client, query, response, domain, time |
| Proxy/web logs | Web browsing, downloads, suspicious URLs | User, URL, category, action, bytes, user agent |
| IDS/IPS alerts | Network attack patterns, signatures, anomalies | Signature, severity, source, destination, payload summary |
| Email security logs | Phishing, malware attachments, spoofing | Sender, recipient, subject, verdict, attachment, URL |
| Cloud audit logs | API activity, role changes, access to resources | Actor, action, resource, source, result, region/account/project |
| Application logs | Authentication, errors, transactions, misuse | User, action, session, request path, response code |
Evidence Quality Checklist
- Do timestamps use the same time zone?
- Are systems synchronized to reliable time?
- Is the log source authoritative for the claim being made?
- Is the event a direct observation or a derived alert?
- Is there supporting evidence from another source?
- Could the activity be explained by normal administration, automation, or a service account?
- Has the evidence been preserved before disruptive containment?
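The first two checklist questions are the ones that quietly break timelines. The following added example (not part of the original checklist) normalizes three constructed records that report time differently, one with an explicit offset, one in UTC, and one in appliance-local time with no zone marker, and flags the event whose zone had to be assumed; the UTC+2 firewall offset is an assumption for the sake of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from any real system). Each source reports time
# differently, which is exactly what the evidence-quality questions above target:
#   - the auth log carries an explicit offset (+05:30), so its wall clock reads 18:45
#   - the endpoint sensor reports UTC with a trailing "Z"
#   - the firewall writes appliance-local time with no zone marker at all
# Sorting on the raw wall-clock strings would put the login last; it actually came first.
AUTH_LOG = [
    "2024-05-03T18:45:02+05:30 user=jdoe src_ip=203.0.113.45 result=success method=mfa",
]
ENDPOINT_LOG = [
    "2024-05-03T13:16:40Z host=WS-0042 user=jdoe process=powershell.exe parent=outlook.exe",
]
FIREWALL_LOG = [
    "2024-05-03 15:17:05 src=10.0.5.12 dst=198.51.100.7 dport=443 action=allowed",
]
# Assumption: the firewall appliance is configured for UTC+2 (check its change record).
FIREWALL_OFFSET_HOURS = 2


@dataclass
class Event:
    ts_utc: datetime            # normalized timestamp, always tz-aware UTC
    source: str                 # which log produced it
    fields: dict                # parsed key=value pairs
    zone_assumed: bool = False  # True when the raw record had no zone and we supplied one


def parse_fields(tokens):
    """Turn ['user=jdoe', 'result=success'] into {'user': 'jdoe', 'result': 'success'}."""
    return dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def parse_zoned(line, source):
    """Parse a record whose first token is an ISO-8601 timestamp that includes a zone."""
    ts, *rest = line.split()
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat, so spell it out.
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"{source}: timestamp has no zone information: {ts}")
    return Event(dt.astimezone(timezone.utc), source, parse_fields(rest))


def parse_naive_local(line, source, offset_hours):
    """Parse 'YYYY-MM-DD HH:MM:SS' local time and attach the offset we know the device uses."""
    date, clock, *rest = line.split()
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    zoned = local.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return Event(zoned.astimezone(timezone.utc), source, parse_fields(rest), zone_assumed=True)


def build_timeline():
    """Normalize every source to UTC and return the events in true chronological order."""
    events = [parse_zoned(line, "auth") for line in AUTH_LOG]
    events += [parse_zoned(line, "endpoint") for line in ENDPOINT_LOG]
    events += [parse_naive_local(line, "firewall", FIREWALL_OFFSET_HOURS) for line in FIREWALL_LOG]
    return sorted(events, key=lambda e: e.ts_utc)


def span_seconds(events):
    """Seconds between first and last event; only meaningful after normalization."""
    return int((events[-1].ts_utc - events[0].ts_utc).total_seconds())


def render(events):
    """Timeline lines for investigation notes; mark events whose zone was an assumption."""
    lines = []
    for e in events:
        mark = " (zone assumed)" if e.zone_assumed else ""
        summary = " ".join(f"{k}={v}" for k, v in e.fields.items())
        lines.append(f"{e.ts_utc.strftime('%Y-%m-%dT%H:%M:%SZ')} [{e.source}]{mark} {summary}")
    return lines


if __name__ == "__main__":
    timeline = build_timeline()
    print("\n".join(render(timeline)))
    print(f"window: {span_seconds(timeline)} seconds")
```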
Generic SIEM Search Patterns
Use these as conceptual patterns, not vendor-specific syntax.
```
auth_logs
WHERE user = "target.user"
AND result = "failure"
GROUP BY source_ip, time_window
```

```
endpoint_events
WHERE host = "HOST-123"
AND process_name IN ("powershell.exe", "cmd.exe", "wscript.exe")
AND command_line CONTAINS suspicious_terms
```

```
network_logs
WHERE destination_port IN (22, 3389, 445)
AND source_zone = "external"
AND action = "allowed"
```
Readiness check:
- You can filter by time, user, host, IP, action, and event type.
- You can widen or narrow a search without losing the investigation thread.
- You can explain why a query might miss evidence because of logging gaps or field normalization issues.
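To make the three conceptual patterns concrete, here is an added example (not from the page or any vendor) that runs each of them over constructed records, adds a burst threshold to the first, and includes the coverage check the last readiness item asks about: a record with no command_line field is one the second pattern can never match. Field names and the suspicious-term list are assumptions for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records (not real telemetry). Field names follow the conceptual
# patterns above; a production SIEM applies its own normalized schema, which is one
# reason a query can silently miss evidence.
AUTH_LOGS = [
    {"ts": "2024-05-03T13:00:05Z", "user": "target.user", "result": "failure", "source_ip": "203.0.113.45"},
    {"ts": "2024-05-03T13:00:09Z", "user": "target.user", "result": "failure", "source_ip": "203.0.113.45"},
    {"ts": "2024-05-03T13:00:14Z", "user": "target.user", "result": "failure", "source_ip": "203.0.113.45"},
    {"ts": "2024-05-03T13:01:30Z", "user": "target.user", "result": "success", "source_ip": "203.0.113.45"},
    {"ts": "2024-05-03T13:12:00Z", "user": "target.user", "result": "failure", "source_ip": "10.0.5.12"},
    {"ts": "2024-05-03T13:02:00Z", "user": "other.user", "result": "failure", "source_ip": "203.0.113.45"},
]
ENDPOINT_EVENTS = [
    {"host": "HOST-123", "process_name": "powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand QUJD"},
    {"host": "HOST-123", "process_name": "cmd.exe", "command_line": "cmd.exe /c dir C:\\Users"},
    {"host": "HOST-123", "process_name": "wscript.exe", "command_line": "wscript.exe invoice.vbs"},
    {"host": "HOST-123", "process_name": "cmd.exe"},  # sensor did not capture the command line
    {"host": "HOST-999", "process_name": "powershell.exe", "command_line": "powershell.exe -EncodedCommand QUJD"},
]
NETWORK_LOGS = [
    {"src": "198.51.100.7", "source_zone": "external", "dst": "10.0.5.20", "destination_port": 3389, "action": "allowed"},
    {"src": "198.51.100.7", "source_zone": "external", "dst": "10.0.5.20", "destination_port": 22, "action": "blocked"},
    {"src": "10.0.5.12", "source_zone": "internal", "dst": "10.0.5.20", "destination_port": 445, "action": "allowed"},
    {"src": "203.0.113.9", "source_zone": "external", "dst": "10.0.5.30", "destination_port": 443, "action": "allowed"},
]

INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Assumed list of command-line fragments worth a second look; tune it to your environment.
SUSPICIOUS_TERMS = ("-encodedcommand", "-w hidden", "downloadstring", "bypass")
ADMIN_PORTS = {22, 3389, 445}


def _ts(rec):
    """Parse the record's ISO-8601 UTC timestamp (trailing 'Z' handled for older Pythons)."""
    return datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))


def failed_logins_by_source(logs, user, window_minutes=5):
    """Pattern 1: failures for one user, counted per (source_ip, time window).

    Returns {(source_ip, window_start_iso): count}.
    """
    counts = Counter()
    for rec in logs:
        if rec["user"] != user or rec["result"] != "failure":
            continue
        ts = _ts(rec)
        # Floor the timestamp to the start of its window so a burst lands in one bucket.
        window_start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0, microsecond=0)
        counts[(rec["source_ip"], window_start.isoformat())] += 1
    return dict(counts)


def burst_sources(counts, threshold=3):
    """Source IPs that reached the failure threshold inside a single window."""
    return sorted({src for (src, _), n in counts.items() if n >= threshold})


def suspicious_interpreter_execs(events, host, terms=SUSPICIOUS_TERMS):
    """Pattern 2: interpreters on one host whose command line contains a suspicious term."""
    hits = []
    for ev in events:
        if ev["host"] != host or ev["process_name"].lower() not in INTERPRETERS:
            continue
        # .get() matters: a record with no command_line field is skipped, not an error.
        cmd = ev.get("command_line", "").lower()
        matched = [t for t in terms if t in cmd]
        if matched:
            hits.append({**ev, "matched_terms": matched})
    return hits


def external_admin_allowed(logs, ports=ADMIN_PORTS):
    """Pattern 3: traffic from the external zone to admin ports that the firewall allowed."""
    return [r for r in logs
            if r["destination_port"] in ports and r["source_zone"] == "external" and r["action"] == "allowed"]


def records_missing_field(records, field):
    """Coverage check: how many records a filter on this field can never see."""
    return sum(1 for r in records if field not in r)


if __name__ == "__main__":
    fails = failed_logins_by_source(AUTH_LOGS, "target.user")
    print("failure buckets:", fails)
    print("burst sources:", burst_sources(fails))
    print("suspicious execs on HOST-123:", suspicious_interpreter_execs(ENDPOINT_EVENTS, "HOST-123"))
    print("external admin access allowed:", external_admin_allowed(NETWORK_LOGS))
    print("endpoint records with no command_line:", records_missing_field(ENDPOINT_EVENTS, "command_line"))
```

Note that the second pattern reports only one of the four HOST-123 records: the cmd.exe record with no command line is invisible to it, which is the logging-gap case the readiness check warns about.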
SIEM, SOAR, and Alert Triage
Alert Triage Decision Table
| Question | If yes | If no |
|---|---|---|
| Is the alert tied to a real asset or user? | Enrich with owner, criticality, and recent activity. | Validate inventory and sensor data before escalation. |
| Is the behavior expected for that user or system? | Consider closing as benign with notes or tuning. | Continue investigation. |
| Is there corroborating evidence? | Increase confidence and scope related activity. | Look for additional logs before containment. |
| Is sensitive data, privilege, or critical service involved? | Increase priority and escalate sooner. | Continue normal triage unless behavior worsens. |
| Is active compromise likely? | Contain according to procedure. | Monitor, document, or request more data. |
False Positive vs. True Positive Cues
| Cue | Likely interpretation |
|---|---|
| Known admin tool used by authorized admin during change window | Possibly benign; verify change record. |
| Same tool used by non-admin from unusual host after phishing email | Suspicious; investigate account compromise. |
| IDS signature fires once against patched, non-vulnerable service | May be scan noise; verify exposure and patch state. |
| Repeated alerts plus endpoint execution plus outbound traffic | Stronger evidence; escalate. |
| Cloud role changed by approved automation account | Validate pipeline/change record before treating as malicious. |
Incident Response Readiness
Incident Lifecycle Checklist
| Phase | Candidate readiness tasks |
|---|---|
| Preparation | Know policies, roles, communication paths, evidence handling, backup expectations, and tooling. |
| Identification | Validate alerts, classify the incident type, determine initial scope, and assign severity. |
| Containment | Limit damage while preserving evidence and business continuity. |
| Eradication | Remove malware, close exploited paths, disable persistence, rotate compromised credentials. |
| Recovery | Restore services, monitor for recurrence, validate clean state. |
| Post-incident | Document timeline, root cause, impact, lessons learned, and control improvements. |
Can You Choose the Right Next Action?
- A single failed login from a known user location: investigate lightly or monitor.
- Password spraying against many accounts: alert identity team, block sources if appropriate, review MFA and lockout behavior.
- EDR reports active ransomware behavior: isolate host quickly, escalate, protect backups.
- A web server shows exploit attempts but no successful execution: verify exposure, patch status, and WAF/firewall controls.
- A privileged account logs in from an impossible location: revoke session, reset credentials, review privilege use.
- Sensitive files are shared externally from a cloud drive: identify files, user, recipient, sharing method, and policy impact.
Evidence Handling Checks
- Preserve original logs or exports when possible.
- Record who collected evidence, when, and from where.
- Avoid altering a system before capturing volatile facts if procedures require preservation.
- Do not rely on screenshots alone when structured logs are available.
- Separate confirmed facts from assumptions in notes.
Vulnerability Management
Practical Prioritization Model
Do not treat vulnerability severity as the only decision factor. Review how these items interact:
| Factor | Why it matters |
|---|---|
| Asset criticality | A medium issue on a critical public system may outrank a high issue on a lab host. |
| Exploitability | Known exploitation or available exploit code increases urgency. |
| Exposure | Internet-facing systems usually carry more immediate risk than isolated systems. |
| Compensating controls | Segmentation, WAF rules, EDR, or configuration controls may reduce short-term risk. |
| Business impact | Downtime, maintenance windows, and dependencies affect remediation planning. |
| Data sensitivity | Systems processing regulated or confidential data require extra attention. |
| Patch availability | No patch may require mitigation, isolation, or configuration changes. |
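The table describes factors that multiply rather than add up. The added example below (not a CompTIA or scanner scoring model; the weights and thresholds are assumptions chosen only to make the reasoning visible) scores four constructed findings and shows the first row's point in numbers: a medium issue on a critical internet-facing system outranks a high issue on an isolated lab host.

```python
from dataclasses import dataclass

# Assumed weights for this example; they are not CompTIA's or any scanner's model.
# The point is the shape of the reasoning: severity is one multiplier among several.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICALITY = {"lab": 1, "low": 1, "medium": 2, "high": 3, "critical": 4}
EXPLOITABILITY = {"none": 1.0, "poc": 1.5, "exploited": 2.0}   # public PoC vs. known exploitation
EXPOSURE = {"isolated": 0.5, "internal": 1.0, "internet": 2.0}
SENSITIVITY = {"public": 1.0, "internal": 1.0, "confidential": 1.3, "regulated": 1.5}
CONTROL_DISCOUNT = 0.8   # each effective compensating control lowers short-term risk by 20 %
NO_PATCH_UPLIFT = 1.2    # no vendor fix means mitigation or isolation work instead


@dataclass
class Finding:
    finding_id: str
    severity: str
    asset: str
    criticality: str
    exploitability: str
    exposure: str
    sensitivity: str = "internal"
    compensating_controls: int = 0   # count of controls that actually block the attack path
    patch_available: bool = True


def priority_score(f: Finding) -> float:
    """Context-weighted priority; higher means remediate sooner."""
    score = SEVERITY[f.severity] * CRITICALITY[f.criticality]
    score *= EXPLOITABILITY[f.exploitability] * EXPOSURE[f.exposure] * SENSITIVITY[f.sensitivity]
    score *= CONTROL_DISCOUNT ** f.compensating_controls
    if not f.patch_available:
        score *= NO_PATCH_UPLIFT
    return round(score, 2)


def recommended_action(f: Finding) -> str:
    """Map a score to a remediation lane (thresholds are assumptions for this example)."""
    score = priority_score(f)
    if not f.patch_available:
        return "no patch: apply mitigation or isolation, record an exception with a review date"
    if score >= 20:
        return "emergency change: patch now, verify with a rescan"
    if score >= 8:
        return "next maintenance window: patch, confirm compensating controls until then"
    return "standard backlog: schedule and verify; do not close on scanner output alone"


def rank(findings):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed findings that illustrate the table rows above.
FINDINGS = [
    Finding("F-1", "medium", "payments-web-01", "critical", "poc", "internet", "regulated"),
    Finding("F-2", "high", "lab-host-07", "lab", "none", "isolated"),
    Finding("F-3", "high", "fileserver-02", "high", "exploited", "internal", "confidential",
            compensating_controls=2),
    Finding("F-4", "critical", "ws-finance-12", "medium", "none", "internal", patch_available=False),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{f.finding_id} {f.asset:16} {f.severity:8} score={priority_score(f):6.2f}  {recommended_action(f)}")
```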
Vulnerability Workflow Checklist
- Identify assets and owners.
- Validate scan results and remove obvious false positives.
- Prioritize based on risk context.
- Assign remediation actions.
- Track exceptions and compensating controls.
- Verify remediation with rescans or configuration checks.
- Report trends and unresolved risk.
Common Traps
- Assuming every scanner finding is exploitable.
- Ignoring asset ownership and business criticality.
- Closing tickets without verification.
- Treating compensating controls as permanent fixes without review.
- Focusing only on operating system patches and missing firmware, applications, containers, and cloud configurations.
Identity and Access Security
Identity Controls to Review
| Control | What to know |
|---|---|
| MFA | Reduces risk from stolen passwords; not immune to fatigue attacks, token theft, or misconfiguration. |
| Least privilege | Users and services should have only the access required. |
| RBAC | Access is assigned by role instead of individually whenever practical. |
| Privileged access management | Admin access should be controlled, monitored, and time-bound where possible. |
| Account lifecycle | Joiner, mover, leaver processes reduce stale and excessive access. |
| Service accounts | Require ownership, limited permissions, strong secret handling, and monitoring. |
| Conditional access | Access decisions can include device, location, risk, and authentication strength. |
Scenario Prompts
| Scenario | What should you check? |
|---|---|
| User reports MFA prompts they did not initiate | Recent login attempts, source locations, device registrations, session tokens, password reset need. |
| Former employee account remains active | Offboarding process, account disablement, access logs, data access after departure. |
| Service account used interactively | Whether this is expected, credential exposure risk, privilege scope, owner, rotation. |
| Admin account signs in from new geography | Travel context, VPN use, impossible travel, privilege actions, session revocation. |
| Cloud role grants broad access | Business need, least privilege, inheritance, recent changes, audit logs. |
Network Security Operations
Network Topics to Review
| Topic | Readiness target |
|---|---|
| Ports and protocols | Know common secure and insecure protocols and when port usage is suspicious. |
| Firewalls | Understand allow/deny rules, zones, rule order conceptually, and logging. |
| IDS/IPS | Distinguish detection from prevention and signature from anomaly behavior. |
| Segmentation | Explain how network boundaries limit lateral movement. |
| VPNs | Understand remote access risk, MFA, split tunneling considerations, and logging. |
| DNS security | Recognize suspicious domains, tunneling clues, sinkholes, and filtering. |
| Packet basics | Interpret source/destination, protocol, ports, flags at a high level. |
| NAC | Understand device posture and network access decisions. |
Useful Command Awareness
Know what these commands are used for and how their output supports troubleshooting or investigation. Do not assume every exam task requires memorized syntax.
| Command/tool | Used for |
|---|---|
| ping | Basic reachability testing. |
| traceroute / tracert | Path and routing troubleshooting. |
| nslookup / dig | DNS resolution checks. |
| ipconfig / ifconfig / ip | Local network configuration. |
| netstat / ss | Listening ports and active connections. |
| curl | HTTP response and connectivity testing. |
| tcpdump / packet capture tools | Network traffic capture and inspection. |
| whois | Domain or registration context. |
| nmap | Network discovery and port scanning in authorized environments. |
Endpoint Security
Endpoint Investigation Checklist
- Identify the affected host, user, and business owner.
- Review process tree and parent-child relationships.
- Check file path, hash, signer, and creation time.
- Review network connections from the endpoint.
- Look for persistence mechanisms.
- Determine whether similar indicators appear on other hosts.
- Decide whether isolation is required.
- Document actions taken by EDR, antivirus, or analyst.
Suspicious Endpoint Cues
| Cue | Why it matters |
|---|---|
| Office document launches a script interpreter | Common phishing-to-execution pattern. |
| PowerShell with encoded or obfuscated arguments | May indicate malicious automation or evasion. |
| Unsigned binary in a user-writable directory | Higher suspicion than known signed software in standard paths. |
| New scheduled task after suspicious login | Possible persistence. |
| Security tool disabled unexpectedly | Possible defense evasion. |
| Large number of files modified quickly | Possible ransomware or destructive activity. |
Cloud and Hybrid Security
Cloud Readiness Areas
| Area | What to be ready for |
|---|---|
| Shared responsibility | Know that provider and customer responsibilities differ by service model and configuration. |
| Cloud IAM | Review users, roles, policies, keys, service principals, and privilege boundaries conceptually. |
| Logging and monitoring | Know the value of audit logs, flow logs, access logs, and alerting. |
| Storage exposure | Recognize public access, overly broad sharing, and weak encryption/key practices. |
| Network controls | Understand security groups, network ACL-style controls, private connectivity, and segmentation concepts. |
| Secrets management | Avoid hardcoded keys, exposed tokens, and unmanaged credentials. |
| Workload protection | Consider images, containers, serverless functions, patching, and runtime behavior. |
| Cost and abuse signals | Unusual resource creation can indicate compromise or misuse. |
Cloud Scenario Checks
- A cloud access key appears in a public repository. Can you identify immediate containment steps?
- A storage bucket/container is publicly accessible. Can you determine whether data exposure occurred?
- A new administrator role is assigned at night. Can you trace who made the change and from where?
- A workload begins communicating with unfamiliar external hosts. Can you find logs that show source, destination, and process or workload identity?
- A security group allows broad inbound access. Can you recommend a least-privilege change?
Data Protection and Resilience
Data Protection Topics
| Topic | Readiness target |
|---|---|
| Data classification | Match controls to public, internal, confidential, or sensitive data categories. |
| Encryption in transit | Understand TLS and secure protocol selection conceptually. |
| Encryption at rest | Know where storage, database, endpoint, and backup encryption may apply. |
| Hashing | Understand integrity checking and password storage concepts. |
| DLP | Recognize policy-based detection and prevention of sensitive data movement. |
| Backups | Know why offline, immutable, tested, or segmented backups matter for ransomware resilience. |
| Retention | Understand that logs and records must be retained according to policy and need. |
| Secure deletion | Know why normal deletion may not be enough for sensitive data. |
Backup and Recovery Readiness
- Explain the difference between backup, replication, snapshot, and archive at a high level.
- Identify why untested backups are a risk.
- Recognize that ransomware response must protect backup infrastructure.
- Understand why recovery objectives affect technical decisions.
- Recommend monitoring for backup failures or unauthorized deletion.
Governance, Risk, and Communication
Documentation Artifacts
| Artifact | What it supports |
|---|---|
| Policy | Management-approved requirements. |
| Standard | Specific mandatory rules or baselines. |
| Procedure | Step-by-step execution guidance. |
| Runbook/playbook | Repeatable operational response for common cases. |
| Ticket | Work tracking, ownership, status, and audit trail. |
| Incident report | Timeline, impact, actions, root cause, and lessons learned. |
| Risk register | Known risks, owners, likelihood, impact, and treatment. |
| Exception record | Approved deviation with rationale, owner, and review date. |
Communication Checklist
- Use precise, factual language.
- State impact and uncertainty clearly.
- Separate technical detail from executive summary.
- Avoid blaming individuals in incident notes.
- Escalate through approved channels.
- Include timestamps, affected assets, evidence, and recommended next actions.
- Know when legal, privacy, HR, management, or third-party teams may need to be involved.
Automation, Playbooks, and Tooling
Tool Categories to Understand
| Tool/category | Purpose |
|---|---|
| SIEM | Centralize, correlate, search, and alert on security data. |
| SOAR | Automate enrichment, workflows, and response playbooks. |
| EDR/XDR | Detect and respond to endpoint or cross-domain activity. |
| IDS/IPS | Detect or block network attack patterns. |
| Vulnerability scanner | Identify missing patches, exposures, and configuration weaknesses. |
| Ticketing system | Track work, ownership, status, and evidence. |
| Threat intelligence platform/feed | Enrich indicators with reputation and context. |
| DLP | Monitor or restrict sensitive data movement. |
| CASB/SSE-style controls | Provide visibility and policy enforcement for cloud and SaaS use conceptually. |
Automation Judgment
| Automate when | Be cautious when |
|---|---|
| The task is repetitive and low risk. | The action could disrupt critical services. |
| Inputs are reliable and well structured. | Alerts are noisy or poorly tuned. |
| Human approval is built into high-impact steps. | Evidence must be preserved before action. |
| The outcome is easy to verify. | The action affects user access, data, or production systems. |
Troubleshooting Security Operations Problems
Common Operational Issues
| Problem | What to check |
|---|---|
| Missing logs | Agent health, forwarding configuration, licensing/retention constraints, network path, permissions. |
| Incorrect timestamps | Time synchronization, time zone normalization, ingestion delay. |
| Too many false positives | Detection logic, asset context, allowlists, baseline behavior, change windows. |
| Alert did not trigger | Log source coverage, field parsing, rule conditions, threshold, disabled detection. |
| Duplicate alerts | Correlation rules, event aggregation, repeated retries, multiple sensors. |
| Sensor blind spot | Unsupported platform, unmanaged asset, encrypted traffic, network placement. |
| Investigation conflict | Validate source reliability and compare raw logs against normalized events. |
Troubleshooting Prompts
- If a firewall shows allowed traffic but the application fails, what else could be wrong?
- If an EDR alert lacks process details, what supporting logs can help?
- If a SIEM query returns no results, did you check time range, field names, index/source, and ingestion delay?
- If a vulnerability scan reports a critical issue, did you validate the asset, service, and exposure?
- If a user denies activity, can you corroborate with device, MFA, VPN, and application logs?
High-Value “Can You Do This?” Checklist
Use this section as a final readiness gate for SOT-001 preparation.
Alert Analysis
- Given an alert summary, identify the affected user, asset, indicator, and suspected activity.
- Determine whether the alert is likely benign, suspicious, or confirmed malicious.
- Pick the best next log source to review.
- Build a short incident timeline from multiple events.
- Identify what information is missing before escalation.
- Explain why an alert should be tuned, suppressed, escalated, or converted into an incident.
Incident Response
- Select containment steps for malware, phishing, credential compromise, and data exposure.
- Avoid destructive actions before evidence is collected when preservation matters.
- Distinguish containment from eradication and recovery.
- Identify when to isolate a host, disable an account, block an indicator, or open a change request.
- Write a concise incident handoff note.
Vulnerability and Risk
- Prioritize vulnerabilities using asset context, exposure, exploitability, and business impact.
- Recommend remediation or compensating controls.
- Identify when a vulnerability finding may be a false positive.
- Verify remediation instead of assuming it worked.
- Explain residual risk and exception handling.
Identity, Network, Endpoint, and Cloud
- Investigate suspicious authentication activity.
- Interpret firewall, DNS, proxy, and endpoint clues.
- Recognize risky cloud IAM or storage configurations.
- Identify where segmentation, MFA, EDR, logging, or encryption helps.
- Choose the control that best reduces risk in a given scenario.
Scenario and Decision-Point Practice
Scenario 1: Suspicious Login
| Detail | Interpretation |
|---|---|
| User logged in successfully from a new country | Could be travel, VPN, or compromise. |
| MFA prompt was approved | Does not automatically prove legitimacy. |
| New inbox forwarding rule created | Strong compromise cue. |
| Several file downloads followed | Potential data exposure. |
Ready response:
- Review identity logs, MFA details, device, IP reputation, and user confirmation.
- Revoke sessions if compromise is likely.
- Reset credentials and review MFA methods.
- Remove malicious mailbox rules.
- Check for lateral movement or data access.
Scenario 2: Endpoint Malware Alert
| Detail | Interpretation |
|---|---|
| EDR detects suspicious script execution | Needs process-tree review. |
| Parent process is an email attachment viewer | Phishing path likely. |
| Outbound connection to unknown domain | Possible command-and-control. |
| Similar hash appears on other hosts | Scope is larger than one endpoint. |
Ready response:
- Isolate affected endpoint if active compromise is likely.
- Collect process, file, network, and user evidence.
- Search for the hash, domain, and process pattern across the environment.
- Remove persistence and recover from trusted sources.
- Update detections or blocks as appropriate.
Scenario 3: Vulnerability on an Internet-Facing System
| Detail | Interpretation |
|---|---|
| Scanner reports high-severity vulnerability | Important, but validate context. |
| System is internet-facing | Raises priority. |
| Exploit activity is observed in logs | Treat as urgent. |
| Patch requires downtime | Coordinate remediation and interim controls. |
Ready response:
- Confirm asset owner and exposure.
- Check whether exploitation has occurred.
- Apply patch or mitigation through change process.
- Use temporary controls if immediate patching is not possible.
- Rescan or otherwise verify remediation.
Scenario 4: Public Cloud Storage Exposure
| Detail | Interpretation |
|---|---|
| Storage object is accessible publicly | Potential data exposure. |
| Object contains internal reports | Determine sensitivity. |
| Access logs show unknown external downloads | Exposure may have occurred. |
| Public access was enabled by recent change | Review change history and permissions. |
Ready response:
- Restrict access according to policy.
- Preserve access logs.
- Determine data type and affected parties.
- Review identity and change records.
- Document impact and escalation needs.
Common Weak Areas and Exam Traps
| Weak area | How to correct it |
|---|---|
| Memorizing tool names without knowing workflows | Practice choosing the next action from short scenarios. |
| Treating all alerts as incidents | Learn validation, enrichment, and triage steps. |
| Ignoring business context | Always identify asset criticality, data sensitivity, and operational impact. |
| Overreliance on severity labels | Combine technical severity with exposure, exploitability, and asset value. |
| Confusing SIEM and SOAR | SIEM collects/correlates/searches; SOAR automates workflows and response steps. |
| Confusing IDS and IPS | IDS detects and alerts; IPS can block or prevent traffic. |
| Confusing authentication and authorization | Authentication verifies identity; authorization grants permissions. |
| Skipping evidence preservation | Know when logs, timelines, and artifacts must be captured before changes. |
| Assuming MFA prevents all account compromise | Review MFA fatigue, token theft, session hijacking, and social engineering. |
| Closing tickets without verification | Confirm remediation through logs, scans, or configuration review. |
| Missing time zone issues | Normalize timestamps before building timelines. |
| Acting outside authority | Escalate when containment, legal, privacy, HR, or business decisions exceed the analyst role. |
Final-Week Review Checklist
Knowledge Review
- Revisit each readiness area in this checklist.
- Create a one-page summary of incident response stages and common next actions.
- Review log source purposes and key fields.
- Review common attack types and indicators.
- Review identity, endpoint, network, cloud, and data protection controls.
- Review vulnerability prioritization factors.
- Review governance artifacts and documentation expectations.
Scenario Practice
- Practice phishing triage scenarios.
- Practice suspicious login scenarios.
- Practice endpoint malware scenarios.
- Practice vulnerability prioritization scenarios.
- Practice cloud misconfiguration scenarios.
- Practice choosing between monitor, contain, escalate, and close.
Artifact Practice
- Read sample authentication logs.
- Interpret firewall allow/deny records.
- Review DNS and proxy log clues.
- Analyze endpoint process examples.
- Build short timelines from mixed events.
- Write concise investigation notes.
Exam-Day Readiness
- Know the official exam identity: CompTIA SecOT+ V1 (SOT-001).
- Avoid assuming exact weights or scoring rules from unofficial summaries.
- Read each scenario for role, asset, business impact, and requested action.
- Watch for words such as “first,” “best,” “most likely,” and “next.”
- Eliminate answers that are technically possible but operationally unsafe.
- Choose the answer that fits the evidence provided, not the answer that solves a different problem.
Practical Next Step
After reviewing this checklist, move into mixed scenario practice. Focus on explaining why each answer is right or wrong, especially for alert triage, incident response, vulnerability prioritization, identity events, endpoint behavior, network logs, and cloud security scenarios.