Browse Exams — Mock Exams & Practice Tests

CompTIA Security+ (SY0-701) Cheatsheet — High-Yield Security Concepts & Comparisons

Rapid review for SY0-701: threats/attacks, secure architecture & zero trust, identity & access, crypto/PKI, network & cloud security, secure coding/DevSecOps, monitoring/IR/forensics, and governance/risk/compliance.

On this page

Use this for last-mile review. Skim top to bottom, star weak rows, and re-drill with practice.

1) Core principles

  • CIA Triad: Confidentiality • Integrity • Availability
  • AAA: Authentication • Authorization • Accounting (audit)
  • Defense in Depth: layered controls across people, process, tech
  • Zero Trust: verify explicitly • least privilege • assume breach • segment and monitor

2) Threat actors & intel

Actor Motive Capability Notes
Script kiddies Fun/curiosity Low Use public tools
Hacktivists Ideology Varies Web defacement, doxxing
Criminals Financial Medium–High Ransomware, BEC, fraud
Insider Mixed High (context) Accidental or malicious
APT / Nation-state Strategic Very high Long dwell time, stealth

Intel types: OSINT • HUMINT • SIGINT • TECHINT • Closed-source/vendor feeds.
Pyramid of Pain: Hash→IP→Domain→Tools→TTPs (hardest to change: TTPs).

3) Common attacks (spot the pattern)

  • Social engineering: phishing/spear/whaling, vishing, smishing, pretexting, baiting, tailgating.
  • Credential attacks: spraying, stuffing, brute force, keyloggers, MIM.
  • Network: DoS/DDoS, MITM/ARP poisoning, DNS poisoning, rogue AP/evil twin.
  • Web/app: XSS (reflected/stored/DOM), SQLi, command injection, CSRF, SSRF, deserialization, path traversal.
  • Email/domain: SPF/DMARC/DKIM misconfig abuse, homograph domains, BEC.
  • Malware: virus, worm, trojan, RAT, rootkit, logic bomb, ransomware.
  • Supply chain: package poisoning, malicious drivers/firmware, CI/CD compromise.
  • Cloud: metadata service abuse, overly broad roles/keys, public buckets.

4) Network security controls

Control Layer Purpose Notes
Firewall (NGFW) Net/L7 Allow/block App-aware, IPS features
IPS/IDS Net Detect/stop Inline (IPS) vs TAP (IDS)
WAF L7 Web app shield Blocks XSS/SQLi, rulesets
SWG/CASB Edge/Cloud SaaS control/DLP Visibility, policy
NAC Access Posture + auth 802.1X, agent/agentless
VPN Net Secure tunnel IPsec (IKEv2), SSL VPN
SEG Email Filter Anti-spam/AV, phishing
EDR/XDR Endpoint Detect/respond Telemetry + response

Segmentation: VLANs • subnetting • ACLs • Microsegmentation with identity tags.
Wireless: WPA3-Personal/Enterprise • 802.1X/EAP-TLS • disable WPS • evil-twin detection.

5) Secure architecture & design

  • Models: On-prem • Cloud (IaaS/PaaS/SaaS) • Hybrid • Multi-cloud.
  • Design goals: redundancy (N+1), fail-open vs fail-closed, resiliency, immutable infrastructure.
  • Zero Trust architecture: strong identity, continuous verification, policy decision point (PDP)/enforcement point (PEP), least-privilege access, segmentation, telemetry.
  • Secure data lifecycle: Create → Store → Use → Share → Archive → Destroy.

6) Identity, auth & access (IAM)

  • Factors: something you know/have/are/do/where. Prefer MFA.
  • Modern auth: SAML (SAML IdP↔SP), OAuth 2.0 (delegation), OIDC (login on OAuth).
  • SSO: IdP centralizes identity; SP trusts assertions/tokens.
  • Account types: users • service accounts • break-glass/admin.
  • Access models: DAC (owner sets) • MAC (labels) • RBAC (roles) • ABAC (attributes).
  • Privileged access: JIT/JEA, PIM, session recording, vaults, least privilege.

7) Cryptography quick map

Concept Use Notes
Hashing Integrity SHA-256/3; HMAC adds auth
Symmetric Speed/conf AES-GCM (AEAD)
Asymmetric Key exchange, signatures RSA, ECC (Curve25519), DH/ECDH
PKI Trust, certs Root → intermediate → leaf
TLS 1.3 Transport security ECDHE + AEAD; no legacy suites

Don’t confuse: encoding (Base64) ≠ encryption ≠ hashing.
Key mgmt: rotation, escrow, HSM/KMS, CRL/OCSP, certificate pinning (awareness).

8) Certificates & PKI

  • Cert types: DV/OV/EV, SAN, wildcard, code-signing, device, email (S/MIME).
  • Lifecycle: enroll → issue → install → monitor → renew/revoke.
  • Revocation: CRL (pull) • OCSP (real-time) • OCSP stapling.
  • CSR contents: subject, SANs, public key, signature of private key owner.

9) Secure protocols (prefer these)

  • Web: HTTPS (TLS 1.2+/1.3), HSTS, TLS-only cookies.
  • Remote: SSH, RDP over TLS + NLA, no Telnet/FTP. Use SFTP/FTPS.
  • Email: SMTP with STARTTLS, S/MIME for end-to-end.
  • Time/DNS: NTP with auth, DNSSEC/DoT/DoH (context-dependent).
  • IPsec: IKEv2, ESP, tunnel mode for site-to-site; split/full tunnel policy for remote.

10) Cloud & container security

  • Shared responsibility: provider vs customer varies by service model.
  • Data controls: DLP, tokenization, encryption at rest/in transit, key ownership (KMS/HSM).
  • CASB/CSPM: visibility, misconfig detection, policy enforcement.
  • Compute: containers vs VMs; minimal base images; signed images; runtime protections; namespaces/cgroups; seccomp.
  • Secrets: vaults, short-lived tokens, instance metadata hardening.
  • Access: least-privilege IAM roles; avoid long-lived keys; JIT.

11) DevSecOps & secure coding

  • Shift left: threat modeling, secure requirements, code reviews.
  • CI/CD controls: SAST • SCA (deps) • DAST • IaC scanning • image signing • artifact integrity.
  • OWASP Top-style issues: injection, broken auth, sensitive data exposure, XXE/SSRF, access control, misconfig, deserialization, SSRF, logging/monitoring failures.
  • Secure coding basics: input validation, parameterized queries, output encoding, least privilege DB accounts, errors without secrets.

12) Vulnerability mgmt & testing

Activity Output Notes
Asset inventory SBOM/CMDB Know what exists
Vulnerability scan Findings w/ CVSS Authenticated scans better
Patch mgmt Remediation Risk-based prioritization
Pen test Exploitation report ROE, scope, consent required
Red vs Blue vs Purple Attacker/defender/collab MITRE ATT&CK mapping

Scan vs pen test: scanning identifies flaws; pentesting validates/exploits with permission.

13) Monitoring, detection & response

  • Telemetry: logs, metrics, traces, NetFlow, DNS, EDR.
  • SIEM: normalize + correlate + alert; UEBA for behavior anomalies.
  • SOAR: playbooks/automation for triage/containment.
  • Deception: honeypots, honey tokens, canaries.

14) Incident response (IR) & forensics

IR phases: Preparation → Identification → Containment → Eradication → Recovery → Lessons learned.
Order of volatility: registers/cache → RAM → disk → remote logs/cloud → archives.
Forensics basics: chain of custody, hashing evidence, time synchronization, wr

Syllabus
Practice