SY0-701 — CompTIA Security+ (SY0-701) Exam Blueprint

How to Use This Exam Blueprint

Use this checklist as a practical readiness map for the CompTIA Security+ (SY0-701) exam. It is not a replacement for the official exam objectives, but it helps translate the public topic areas into what you should be able to recognize, explain, configure conceptually, troubleshoot, and choose in scenario questions.

For each area, ask:

• Can I identify the concept from a short scenario?
• Can I choose the best control, not just a possible control?
• Can I explain why one option is better than another?
• Can I spot common distractors, outdated assumptions, or overbuilt solutions?
• Can I connect security controls to business risk, operations, and governance?

Use the status column as you review:

Topic-Area Readiness Table

General Security Concepts Checklist

Core Principles

Foundational Control Types

Can You Do This?

• Explain the difference between a policy, standard, procedure, and guideline.
• Choose a control type based on the goal: prevent, detect, correct, deter, compensate, or direct.
• Identify when business continuity, disaster recovery, and incident response each apply.
• Distinguish risk acceptance, risk mitigation, risk transference, and risk avoidance.
• Explain why least privilege and separation of duties reduce insider and administrative risk.
• Recognize when change management prevents security and availability incidents.
• Apply secure by design thinking to systems, networks, applications, and cloud deployments.

Threats, Vulnerabilities, and Mitigations Checklist

Threat Actors and Motivations

Social Engineering and Human-Focused Attacks

Malware and Attack Techniques

Application, Web, and API Attacks

Network and Infrastructure Attacks

Vulnerability Management

Can You Do This?

• Given symptoms, identify whether an incident is phishing, malware, credential attack, DDoS, insider misuse, or misconfiguration.
• Select the best mitigation for a specific vulnerability instead of choosing a generic “more security” answer.
• Explain why patching alone may not solve an exposed-service risk without segmentation or access control.
• Prioritize vulnerabilities using business criticality and exposure, not severity labels alone.
• Recognize when a control reduces likelihood, impact, or both.
• Identify common web attack mitigations: validation, encoding, parameterization, secure session handling, and least privilege.

Security Architecture Checklist

Network Security Architecture

Cloud and Virtualization Readiness

Identity and Access Architecture

Cryptography and PKI

Data Protection Architecture

Resilience and Recovery

Can You Do This?

• Place public web servers, databases, administrative systems, and user workstations into appropriate security zones.
• Decide when to use WAF, network firewall, host firewall, IDS, IPS, proxy, VPN, or NAC.
• Explain cloud shared responsibility without assuming the provider secures every layer.
• Select an identity pattern for employees, administrators, third parties, service accounts, and applications.
• Match encryption, hashing, digital signatures, certificates, and tokenization to the correct security goal.
• Choose backup and recovery controls based on ransomware, disaster, deletion, or hardware failure scenarios.

Security Operations Checklist

Monitoring, Logging, and Detection

Incident Response Readiness

A practical incident response decision path:

    flowchart TD
	    A[Alert or report received] --> B{Is there credible evidence?}
	    B -- No --> C[Tune, document, or close as false positive]
	    B -- Yes --> D[Classify severity and scope]
	    D --> E{Active compromise?}
	    E -- Yes --> F[Contain affected accounts, hosts, or network paths]
	    E -- No --> G[Preserve evidence and continue analysis]
	    F --> H[Eradicate root cause]
	    G --> H
	    H --> I[Recover and validate service]
	    I --> J[Lessons learned and control updates]

Operational Security Tasks

Forensics and Evidence Basics

Command and Tool Recognition

You do not need to become a full-time administrator for every tool, but you should recognize what common tools are used for and what output implies.

Example readiness prompts:

• If a host cannot reach a web service, can you decide whether to check DNS, routing, firewall rules, service status, or certificates?
• If authentication failures spike across many users, can you distinguish password spraying from one-user brute force?
• If a server starts beaconing to a suspicious domain, can you identify containment and investigation steps?
• If a firewall blocks expected traffic, can you inspect source, destination, port, protocol, direction, and rule order conceptually?

Log and Alert Interpretation Checklist

Security Program Management and Oversight Checklist

Governance Documents and Roles

Risk Management

Common risk formula:

\[ \text{Annualized Loss Expectancy} = \text{Single Loss Expectancy} \times \text{Annualized Rate of Occurrence} \]

Be ready to apply the idea, not just memorize the formula: expected loss helps compare risk treatment options when reliable estimates exist.

Compliance, Privacy, and Third-Party Risk

Security Awareness and Culture

Scenario and Decision-Point Checks

Control Selection Scenarios

Authentication and Access Decision Checks

Incident Response Decision Checks

Architecture Decision Checks

Common Weak Areas and Traps

Final-Week Review Checklist

High-Value Review Tasks

• Re-read the public objectives for CompTIA Security+ (SY0-701) and mark every unfamiliar acronym.
• Build a one-page list of controls by purpose: preventive, detective, corrective, deterrent, compensating, directive, and physical.
• Review identity concepts: MFA, federation, SSO, RBAC, ABAC, PAM, service accounts, and access reviews.
• Practice distinguishing attacks by scenario wording, especially phishing variants, credential attacks, injection, XSS, DDoS, and on-path attacks.
• Review cloud shared responsibility, IAM, storage exposure, secrets management, containers, and configuration monitoring.
• Practice incident response sequencing: detection, analysis, containment, eradication, recovery, and lessons learned.
• Review cryptography differences: symmetric, asymmetric, hashing, salting, signatures, certificates, PKI, and revocation.
• Review governance artifacts: policies, standards, procedures, guidelines, baselines, risk register, and third-party agreements.
• Practice log interpretation using timestamp, source, destination, account, action, process, and severity.
• Rework missed practice questions by writing why each wrong answer is wrong.

Rapid Self-Test Prompts

If you cannot answer these quickly, add the topic to your final review list.

• What control best reduces damage from a compromised admin account?
• What is the difference between a vulnerability scan and a penetration test?
• When would a WAF be more relevant than a network firewall?
• Why are offline or immutable backups important for ransomware?
• What makes password spraying different from brute force?
• How does tokenization differ from encryption?
• What is the difference between RTO and RPO?
• What evidence handling practice supports integrity and accountability?
• What security issue does least privilege address?
• When is risk transference more appropriate than risk mitigation?
• What cloud security mistakes commonly expose data?
• Why is centralized logging useful during incident response?
• What does a certificate authority do?
• What is the purpose of a secure baseline?
• Why should vendor access be time-bound and monitored?

Final Readiness Indicators

Practical Next Step

Use this Exam Blueprint to tag your practice results by readiness area: concepts, threats, architecture, operations, and governance. For every missed question, record the tested concept, the decision cue you missed, and the control or process that would have led to the better answer. Then focus your final practice on the weakest two areas before returning to mixed SY0-701 review.