
PracticeTest360

by Dr. Rodas  ·  Rontechmedia

⚠ Important Disclaimer & Terms of Use

This practice examination has been independently developed by PracticeTest360 / Rontechmedia solely for educational and examination preparation purposes. Please read the following disclosures carefully before proceeding.

No Affiliation or Endorsement: PracticeTest360 and Rontechmedia are independent entities with no affiliation, association, partnership, endorsement, or official connection of any kind with CompTIA® (Computing Technology Industry Association), Pearson VUE®, or any other organization that administers, develops, certifies, or otherwise oversees the official CompTIA Security+® (SY0-701) examination. CompTIA®, Security+®, and SY0-701™ are registered trademarks or trademarks of CompTIA Properties, LLC. All rights are reserved by their respective owners.

Practice Questions Only — Not Official Exam Content: All questions, scenarios, and answer explanations contained within this practice tool are original, independently authored content created by PracticeTest360 for study preparation and self-assessment purposes only. None of the questions are derived from, reproduced from, representative of, or in any way sourced from official CompTIA® exam question banks, proprietary test pools, beta questions, or any confidential or licensed testing materials. These questions do not constitute actual exam content and should not be treated as such.

Scoring Approximation: The scaled scoring methodology used herein (100–900 scale with a simulated 750 passing threshold) is an approximation based on publicly available CompTIA® score reporting guidelines. The actual exam employs a proprietary psychometric scaling process. Scores achieved on this practice tool do not predict, guarantee, or reflect actual CompTIA Security+® examination performance.

No Guarantee of Certification: Completion of or high scores on this practice test do not guarantee passage of the official CompTIA Security+® (SY0-701) examination. This tool is intended as a supplementary study aid and is not a substitute for official CompTIA® study materials, authorized training courses, or hands-on laboratory experience.

⚡ SY0-701 · Current Version · Nov 2023

CompTIA Security+

SY0-701 Practice Examination  ·  PracticeTest360
Simulate the full CompTIA Security+ exam experience with a 90-minute countdown timer, scaled scoring (100–900), performance-based scenario questions, real-time analytics, and a complete score report across all five domains.
90 questions max  ·  90 minutes  ·  750 passing score  ·  5 domains
Domains and exam weighting:

  • General Security Concepts (12%) — CIA triad, security controls, cryptography basics, authentication concepts
  • Threats, Vulnerabilities & Mitigations (22%) — malware, social engineering, threat intelligence, vulnerability scanning
  • Security Architecture (18%) — zero trust, cloud security, network segmentation, secure infrastructure
  • Security Operations (28%) — incident response, SIEM, identity management, endpoint security, monitoring
  • Security Program Management & Oversight (20%) — risk management, compliance, governance, data privacy, security frameworks

CompTIA Scaled Scoring — 100 to 900

  • 850–900 — Expert Level
  • 800–849 — Proficient
  • 750–799 — Pass
  • 100–749 — Below Pass

Passing score: 750 on a scale of 100–900. This practice test uses an approximated scaled scoring algorithm, and the "Expert Level" and "Proficient" bands above the pass mark are this tool's own labels, not CompTIA categories. The official exam uses CompTIA's proprietary psychometric formula.

SECURITY+ STUDY GUIDE
CompTIA SY0-701 · All Five Domains · Concepts, Definitions, Strategies

Domain 1 — General Security Concepts (12%)

CIA Triad · Controls · Cryptography · Authentication

Domain 1 covers foundational security principles every security professional must know cold.

CIA Triad:

  • Confidentiality — ensuring data is accessible only to authorized parties (encryption, access controls)
  • Integrity — ensuring data is accurate and unmodified (hashing, digital signatures)
  • Availability — ensuring systems and data are accessible when needed (redundancy, backups, RAID)

Security Control Types (SY0-701 separately groups controls into four categories: technical, managerial, operational and physical):

  • Preventive — stop incidents before they occur (firewalls, encryption, locks)
  • Deterrent — discourage attacks (warning banners, visible cameras)
  • Detective — identify incidents in progress or after the fact (IDS, audit logs, SIEM)
  • Corrective — restore systems after an incident (backups, patches, incident response)
  • Compensating — alternative control used when the primary control isn't feasible
  • Directive — guide behavior through policy, procedures and training

Cryptography Essentials:

  • Symmetric encryption — same key for encryption and decryption. Fast; used for bulk data. Examples: AES-256 (current), 3DES (legacy, deprecated by NIST). Weakness: the key distribution problem.
  • Asymmetric encryption — public/private key pair. Slower. Examples: RSA, ECC. Solves key distribution and enables digital signatures. Used in PKI.
  • Hashing — one-way transformation with fixed-length output. Examples: SHA-256; MD5 and SHA-1 are deprecated because collisions can be found. Used for integrity verification; a keyed hash (HMAC) adds authenticity.
  • PKI — Public Key Infrastructure. CAs issue digital certificates; trust follows the certificate chain from root CA through intermediates to the end-entity certificate.
AES-256: 256-bit key, symmetric  |  RSA-2048: asymmetric, key transport and digital signatures  |  SHA-256: hashing, 256-bit output
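The integrity point above is easy to get wrong: a plain hash stored next to a file only catches accidental corruption, because anyone who can change the file can also recompute the hash. The following is an added example, not part of the PracticeTest360 study guide, that shows the difference between an unkeyed SHA-256 digest and a keyed HMAC using only the Python standard library. The configuration file contents and the shared key are constructed for the demo.

```python
# Added example (not from PracticeTest360): why a plain hash gives integrity
# only against accidents, while a keyed HMAC gives integrity plus authenticity.
# Standard library only; the file contents and key below are constructed.
import hashlib
import hmac

ORIGINAL = b"allow_admin_login=false\nmax_sessions=5\n"   # constructed config file
SECRET_KEY = b"constructed-demo-key-do-not-reuse"           # constructed shared key


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC): recomputing it requires the secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time compare so a forger cannot learn how many bytes matched."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


def attacker_rewrites(data: bytes) -> tuple[bytes, str]:
    """An attacker who can change the file can also overwrite an unkeyed hash
    stored next to it. Returns the tampered data and the recomputed digest."""
    tampered = data.replace(b"allow_admin_login=false", b"allow_admin_login=true")
    return tampered, sha256_hex(tampered)


def demo() -> dict:
    stored_hash = sha256_hex(ORIGINAL)                  # published beside the file
    stored_tag = hmac_sha256_hex(SECRET_KEY, ORIGINAL)  # needs the key to produce

    tampered, forged_hash = attacker_rewrites(ORIGINAL)

    return {
        "tampered_differs": tampered != ORIGINAL,
        # Unkeyed check passes because the attacker replaced the hash as well.
        "plain_hash_check_passes": sha256_hex(tampered) == forged_hash,
        # Keyed check fails: the stored tag was computed over the original,
        # and the attacker cannot compute a new one without SECRET_KEY.
        "hmac_check_passes": verify_hmac(SECRET_KEY, tampered, stored_tag),
        "hmac_accepts_original": verify_hmac(SECRET_KEY, ORIGINAL, stored_tag),
        "digest_hex_length": len(stored_hash),          # 256 bits = 64 hex chars
        "hash_changed": stored_hash != forged_hash,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same reasoning is why package managers and software-update systems pair a hash with a signature (or fetch the hash over an authenticated channel): the hash alone proves nothing about who produced the data.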

Authentication Factors (MFA):

  • Something you know — password, PIN
  • Something you have — smart card, hardware token, phone (TOTP)
  • Something you are — biometrics (fingerprint, retina, facial recognition)
  • Somewhere you are — geolocation
  • Something you do — behavioral biometrics
💡 MFA requires at least two DIFFERENT factor types. Two passwords = single factor (both "know"). A password + phone authenticator = MFA.

Domain 2 — Threats, Vulnerabilities & Mitigations (22%)

Malware · Social Engineering · Threat Intelligence · Attack Types

Malware Types:

  • Virus — attaches to files or programs, requires user action to spread
  • Worm — self-replicates and spreads across the network without user action
  • Trojan — masquerades as legitimate software
  • Ransomware — encrypts files and demands payment for the key
  • Rootkit — hides malware and grants privileged access
  • Spyware — secretly monitors and transmits user activity
  • Keylogger — records keystrokes to steal credentials
  • Botnet — network of infected hosts (bots) controlled through C2 (command and control)

Social Engineering Attacks:

  • Phishing — mass email impersonating trusted entities
  • Spear phishing — targeted phishing against a specific individual/org
  • Whaling — spear phishing targeting executives (C-suite)
  • Vishing — voice phishing via phone calls
  • Smishing — SMS phishing via text messages
  • Pretexting — fabricating a scenario to manipulate a victim
  • Baiting — leaving infected USB drives for victims to find
  • Tailgating/Piggybacking — following an authorized person through a secure door

Application & Network Attacks:

  • SQL Injection (SQLi) — inserting SQL commands via input fields to manipulate a database
  • Cross-Site Scripting (XSS) — injecting malicious scripts into web pages viewed by others
  • CSRF — tricks authenticated users into performing unintended actions
  • Buffer Overflow — overwriting memory by supplying more data than a buffer can hold
  • DDoS — overwhelming a target with traffic from multiple sources
  • On-path attack (formerly Man-in-the-Middle, MitM) — intercepting, and possibly altering, communications between two parties
  • Pass-the-Hash — using captured password hash to authenticate without knowing plaintext
  • Privilege Escalation — gaining higher permissions than authorized
⚠️ Zero-Day: A vulnerability unknown to the vendor with no patch available. APT (Advanced Persistent Threat): A sophisticated, long-term attack usually by nation-state actors.
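The SQL injection entry above is best understood by seeing the vulnerable query next to its fix. The following added example (not from the PracticeTest360 guide) builds a login check two ways against an in-memory SQLite database with constructed rows: once by pasting user input into the SQL text, once with bound parameters. Passwords are stored in clear only to keep the demo short; a real system stores salted hashes.

```python
# Added example (not from PracticeTest360): a login query built by string
# concatenation beside the parameterized version. Uses an in-memory SQLite
# database with constructed rows; passwords are stored in clear only to keep
# the demo short (real systems store salted hashes).
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Untrusted input is pasted into the SQL text, so quotes in the input
    change the structure of the query instead of being compared as data."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username: str, password: str):
    """The driver sends the SQL and the values separately; input is only
    ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo() -> dict:
    conn = build_db()
    # Payload 1: close the string and comment out the password check ('--').
    comment_user = "alice' --"
    # Payload 2: make the WHERE clause always true.
    tautology = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct-horse"),
        "comment_bypass_vulnerable": login_vulnerable(conn, comment_user, "wrong"),
        "comment_bypass_parameterized": login_parameterized(conn, comment_user, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        "tautology_parameterized": login_parameterized(conn, "nobody", tautology),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Both payloads log the attacker in as the first row in the table (the admin) against the concatenated query and return nothing against the parameterized one. Input validation and a WAF are defense in depth; parameterization is the control that removes the vulnerability class.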

Threat Intelligence Sources: OSINT, dark web monitoring, ISACs, vendor advisories, CVE/NVD database, threat feeds (STIX/TAXII)


Domain 3 — Security Architecture (18%)

Zero Trust · Cloud · Network Design · Secure Infrastructure

Zero Trust Architecture: "Never trust, always verify." No implicit trust based on network location. Every request must be authenticated and authorized. Key principles: least privilege, microsegmentation, continuous validation.

Cloud Service Models:

  • IaaS — Infrastructure as a Service. Provider manages hardware and virtualization; customer manages the OS and everything above it. Example: AWS EC2.
  • PaaS — Platform as a Service. Provider manages OS and runtime; customer manages applications and data. Example: AWS Elastic Beanstalk.
  • SaaS — Software as a Service. Provider manages the whole stack; customer still owns its data, user accounts and configuration. Examples: Microsoft 365, Salesforce.

Cloud Deployment Models: Public, Private, Hybrid, Community, Multi-cloud

Shared Responsibility Model: Security responsibility is shared between the CSP and customer depending on the service model. In IaaS, customer is responsible for OS and above.

Network Segmentation & Security:

  • DMZ — Demilitarized Zone: network segment between internet and internal network for public-facing servers
  • VLAN — Virtual LAN: logical network segmentation to isolate traffic
  • VPN — encrypts traffic over public networks (IPSec, SSL/TLS)
  • NAC — Network Access Control: enforces security policy on devices before granting access
  • Firewall types: Packet-filtering, stateful, application/NGFW, WAF (web), proxy

IDS vs IPS:

  • IDS (Intrusion Detection System) — passive, monitors and alerts only. Does NOT block.
  • IPS (Intrusion Prevention System) — active, monitors AND blocks traffic inline.
  • HIDS/HIPS — host-based; NIDS/NIPS — network-based
💡 SASE (Secure Access Service Edge) combines WAN capabilities with cloud-delivered security services (ZTNA, CASB, SWG, FWaaS) — a key SY0-701 topic.

Domain 4 — Security Operations (28%)

Incident Response · SIEM · IAM · Endpoint Security · Monitoring

Domain 4 is the largest domain (28%) — prioritize it heavily.

Incident Response Process (SY0-701 objective 4.8 lists seven steps; NIST SP 800-61 groups the same work into four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity):

Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons Learned
  • Preparation — policies, IR plan, tools and trained staff in place before an incident
  • Detection — notice the event (alerts, user reports, threat hunting)
  • Analysis — determine whether the event is an incident, and its scope and severity
  • Containment — short-term (isolate system) and long-term (patch/harden)
  • Eradication — remove root cause (malware, compromised accounts, persistence mechanisms)
  • Recovery — restore systems and verify normal operation
  • Lessons Learned — post-incident review, update IR plan

Identity and Access Management (IAM):

  • AAA — Authentication, Authorization, Accounting (RADIUS, TACACS+)
  • RBAC — Role-Based Access Control: permissions assigned to roles, not individuals
  • ABAC — Attribute-Based Access Control: fine-grained, based on attributes (dept, time, location)
  • MAC — Mandatory Access Control: labels/classifications (government use)
  • DAC — Discretionary Access Control: owner determines permissions (NTFS, Linux)
  • PAM — Privileged Access Management: controls and monitors privileged accounts
  • SSO — Single Sign-On: authenticate once, access multiple systems
  • Federation — trust relationship between organizations (SAML, OAuth, OpenID Connect)
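The practical difference between RBAC and ABAC is easiest to see with one request evaluated under both. The following added example (not from the PracticeTest360 guide) uses a constructed role table and a constructed three-rule ABAC policy over subject, resource and environment attributes (department, data classification, time of day, network). The user, resource and request contexts are invented for the demo.

```python
# Added example (not from PracticeTest360): the same access request evaluated
# under RBAC and under ABAC, to show what "fine-grained" means in practice.
# Roles, attributes and the policy below are constructed for the demo.
from datetime import datetime

# RBAC: permissions hang off roles; users are mapped to roles.
ROLE_PERMISSIONS = {
    "finance_analyst": {"ledger:read"},
    "finance_manager": {"ledger:read", "ledger:approve"},
    "helpdesk": {"ticket:read", "ticket:write"},
}
USER_ROLES = {"dana": {"finance_manager"}, "eli": {"helpdesk"}}


def rbac_allows(user: str, permission: str) -> bool:
    """RBAC sees only the user's roles; it has no notion of where or when."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in USER_ROLES.get(user, set()))


# ABAC: a policy is a set of rules over subject, resource and environment
# attributes. All rules must pass (deny overrides allow).
def rule_same_department(subject, resource, env):
    return subject["dept"] == resource["owner_dept"]


def rule_business_hours_for_approval(subject, resource, env):
    if env["action"] != "ledger:approve":
        return True
    t = env["time"]
    return 9 <= t.hour < 18 and t.weekday() < 5      # Mon-Fri, 09:00-17:59


def rule_corporate_network_for_restricted(subject, resource, env):
    return resource["classification"] != "restricted" or env["network"] == "corporate"


ABAC_POLICY = [rule_same_department,
               rule_business_hours_for_approval,
               rule_corporate_network_for_restricted]


def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    return all(rule(subject, resource, env) for rule in ABAC_POLICY)


def demo() -> dict:
    dana = {"name": "dana", "dept": "finance"}
    ledger = {"owner_dept": "finance", "classification": "restricted"}
    in_office = {"action": "ledger:approve", "network": "corporate",
                 "time": datetime(2024, 3, 12, 10, 30)}      # Tuesday, 10:30
    late_remote = {"action": "ledger:approve", "network": "public_wifi",
                   "time": datetime(2024, 3, 12, 23, 15)}    # Tuesday, 23:15
    return {
        "rbac_in_office": rbac_allows("dana", "ledger:approve"),
        "rbac_late_remote": rbac_allows("dana", "ledger:approve"),  # RBAC cannot tell the difference
        "abac_in_office": abac_allows(dana, ledger, in_office),
        "abac_late_remote": abac_allows(dana, ledger, late_remote),
        "rbac_helpdesk": rbac_allows("eli", "ledger:approve"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

RBAC answers "is this user a finance manager?" and stops there; ABAC can additionally require that an approval of restricted data happen during business hours from the corporate network, which is the kind of context-aware decision Zero Trust policy engines make.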

SIEM (Security Information & Event Management): Centralizes log collection, correlates events, generates alerts. Combines SIM (storage/reporting) + SEM (real-time monitoring). Examples: Splunk, Microsoft Sentinel, IBM QRadar.
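The correlation step is what separates a SIEM from a log archive. The following added example (not from the PracticeTest360 guide, and not modelled on any particular product) reduces it to one rule run over a constructed set of sshd log lines: five or more failed logins from one source address within 60 seconds raise a brute-force alert, and a successful login from the same source while that burst is still inside the window raises a higher-severity alert. Standard library only.

```python
# Added example (not from PracticeTest360): the correlation step a SIEM performs,
# reduced to one rule over constructed sshd log lines: five or more failed
# logins from one source within 60 seconds raise a brute-force alert, and a
# later successful login from that source inside the same window raises a
# higher-severity alert. Standard library only.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-style, no year).
SAMPLE_LOG = """\
Mar 10 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51321 ssh2
Mar 10 09:14:05 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 51322 ssh2
Mar 10 09:14:09 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 51323 ssh2
Mar 10 09:14:13 web01 sshd[2214]: Failed password for deploy from 203.0.113.5 port 51324 ssh2
Mar 10 09:14:17 web01 sshd[2215]: Failed password for deploy from 203.0.113.5 port 51325 ssh2
Mar 10 09:14:18 web01 sshd[2216]: Failed password for carol from 198.51.100.7 port 40001 ssh2
Mar 10 09:14:21 web01 sshd[2217]: Failed password for deploy from 203.0.113.5 port 51326 ssh2
Mar 10 09:14:30 web01 sshd[2218]: Accepted publickey for carol from 198.51.100.7 port 40002 ssh2
Mar 10 09:14:40 web01 sshd[2219]: Accepted password for deploy from 203.0.113.5 port 51340 ssh2
Mar 10 09:25:02 web01 sshd[2230]: Failed password for deploy from 203.0.113.5 port 51400 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line: str):
    """Normalize one raw line into a structured event (None if it does not match)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less; fine for deltas
    return ev


def correlate(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Sliding-window correlation keyed on source IP."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures in window
    alerted = set()                        # ips already flagged for the current burst
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = recent_failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                    # failure fell out of the window
        if not q:
            alerted.discard(ev["ip"])      # burst ended; a new burst may alert again
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])      # one alert per burst, not one per failure
                alerts.append({"rule": "brute_force", "severity": "medium",
                               "ip": ev["ip"], "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            # A success right after a burst of failures is the case that matters.
            alerts.append({"rule": "success_after_brute_force", "severity": "high",
                           "ip": ev["ip"], "user": ev["user"],
                           "failures": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Two design points carry over to real deployments: the alert is keyed on the source rather than the account (the burst above spreads across four usernames, so a per-account threshold never fires), and one alert is raised per burst rather than per failure, which is what keeps analysts from drowning in duplicates.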

Endpoint Protection: EDR (Endpoint Detection & Response), AV/anti-malware, host-based firewall, DLP (Data Loss Prevention), application allow listing (formerly "whitelisting"), patch management.

Digital Forensics: Order of volatility (CPU registers → RAM → swap → disk → remote logs). Chain of custody. Write blockers. File carving. Forensic images (bit-for-bit copy).

⚠️ The FIRST step in incident response after identification is CONTAINMENT — not eradication. Stop the spread before removing the threat.

Domain 5 — Security Program Management & Oversight (20%)

Risk · Compliance · Governance · Privacy · Frameworks

Risk Management Concepts:

  • Risk = Threat × Vulnerability × Impact (qualitative view: likelihood combined with impact)
  • Quantitative view: SLE = AV × EF (single loss expectancy = asset value × exposure factor); ALE = SLE × ARO (annualized loss expectancy = SLE × annualized rate of occurrence)
  • Risk Appetite — how much risk an org is willing to accept
  • Risk Tolerance — acceptable deviation from risk appetite

Risk Response Strategies:

  • Avoid — eliminate the activity causing the risk
  • Transfer — shift risk to a third party (insurance, outsourcing)
  • Mitigate — reduce likelihood or impact (controls, patches)
  • Accept — acknowledge and tolerate the residual risk

Key Security Frameworks:

  • NIST CSF — Identify, Protect, Detect, Respond, Recover
  • ISO 27001/27002 — International standard for ISMS
  • CIS Controls — 18 prioritized security actions
  • MITRE ATT&CK — adversary tactics, techniques, and procedures (TTPs)
  • NIST SP 800-53 — security controls for federal information systems

Regulations & Compliance:

  • HIPAA — healthcare data in the US
  • PCI-DSS — payment card industry data security
  • GDPR — EU data privacy regulation
  • SOX — financial reporting controls
  • FISMA — federal information security in the US
  • FERPA — education records privacy

Data Classification:

Government: Top Secret → Secret → Confidential → Unclassified
Commercial: Confidential/Proprietary → Internal → Public

Business Continuity:

  • BCP — Business Continuity Plan: keeps operations running during disruptions
  • DRP — Disaster Recovery Plan: restores IT systems after disaster
  • RTO — Recovery Time Objective: max acceptable downtime
  • RPO — Recovery Point Objective: max acceptable data loss (in time)
💡 RTO = how long you can be down. RPO = how much data you can afford to lose. Lower = better (but more expensive to achieve).

Exam Strategy & Time Management

90 questions · 90 minutes · Scaled scoring 100–900 · Pass at 750

90 questions · 90 minutes = ~1 min/question. PBQs take longer — budget 3–5 min each.
  • Performance-Based Questions (PBQs) appear first. Many candidates skip PBQs initially, answer all multiple-choice, then return — this is a valid strategy.
  • Non-adaptive format — you CAN go back and change answers during the exam.
  • Scaled scoring: 750 on the 100–900 scale is often quoted as "about 83% correct," but the scaled score is not a raw percentage. Questions are weighted by difficulty and CompTIA does not publish the raw cutoff, so aim for consistently high practice scores rather than a fixed percentage.
  • Domain weighting: focus most time on Security Operations (28%) and Threats/Vulnerabilities (22%) — they make up 50% of the exam.
  • Process of elimination: on tough questions, eliminate 2 wrong answers first, then choose between the remaining two.
  • Watch for qualifiers: "BEST," "MOST," "FIRST," "LEAST" — these words change the answer. The question isn't asking what works, but what works BEST.
  • No penalty for guessing — always answer every question.
⚠️ Exam fee: $404–$425 USD. Retake policy: no waiting period for 2nd attempt; 14-day wait for 3rd+ attempts. Certification is valid for 3 years.