CompTIA Security+ (SY0-701) Cheat Sheet
High-yield SY0-701 review sheet for control selection, zero trust, attack patterns, architecture choices, operations workflows, and GRC anchors.
On this page
Use this for last-mile review, not first exposure. Read it fast, mark the rows that still cause hesitation, and then return to the exact lesson page that fixes the weakness. Security+ rewards precise thinking about control fit, access scope, evidence handling, and operational practicality.
IAM: Identity and access management, which covers authentication, authorization, privilege control, and account lifecycle.
GRC: Governance, risk, and compliance work that ties policy, risk handling, and evidence together.
CIA / AAA: Confidentiality, integrity, availability and authentication, authorization, accounting.
Fast question-decoding flow
flowchart LR
A["Read the operational constraint"] --> B["Classify the real problem"]
B --> C["Choose the control family or workflow"]
C --> D["Check least privilege, evidence, and business fit"]
D --> E["Eliminate the answer that is broad, vague, or incomplete"]
What to notice:
- Security+ often hides the real problem inside the operational detail
- the strongest answer usually fits the risk and the workflow at the same time
- broad “more security everywhere” answers often lose to narrower, better-targeted controls
Fast routing back into the guide
| If you are blank on… | Reopen… |
|---|---|
| control types, zero trust, change management, crypto basics | 1. General Security Concepts |
| attackers, vectors, vulnerabilities, web attacks, ransomware, mitigation choices | 2. Threats, Vulnerabilities & Mitigations |
| cloud, segmentation, secure design, classification, resilience | 3. Security Architecture |
| hardening, monitoring, IAM operations, automation, incident response, evidence | 4. Security Operations |
| governance, risk, vendors, audits, privacy, awareness | 5. Security Program Management & Oversight |
Final 20-minute recall
What to ask before you answer
| Fast question | Why it helps |
|---|---|
| Is this mainly a prevention, detection, containment, recovery, or governance problem? | It narrows the control family quickly |
| Is the scenario really about identity, data, network path, or evidence handling? | It points you to the right lesson page or mental model |
| Which option preserves least privilege and still works operationally? | Security+ usually rewards that balance |
| Which tempting answer sounds secure but breaks availability, auditability, or the stated constraint? | This eliminates many distractors |
Cue -> best move
| If the question says… | Usually strongest answer |
|---|---|
| Protect admin access quickly | MFA + least privilege + privileged-access discipline |
| Reduce lateral movement | Segmentation or microsegmentation + tighter access paths |
| Public web app is at risk | WAF + secure coding fixes + patching + monitoring |
| Phishing or spoofed mail problem | SPF/DKIM/DMARC + mail filtering + awareness |
| Ransomware is spreading | Isolate systems, restrict spread paths, preserve evidence, follow IR order |
| Sensitive data leaving SaaS or cloud | DLP/CASB + strong IAM + logging + encryption or tokenization |
| Need proof of integrity and sender accountability | Hashing or digital signature, depending on the exact need |
| Vulnerability backlog is too large | Risk-based prioritization using asset criticality, exploitability, and exposure |
| Repeated incidents keep happening | Root cause analysis + control improvement + updated runbooks or tabletop practice |
Must-memorize anchors
| Topic | Fast recall |
|---|---|
| CIA | Confidentiality, Integrity, Availability |
| AAA | Authentication, Authorization, Accounting |
| IR phases | Preparation -> Identification -> Containment -> Eradication -> Recovery -> Lessons learned |
| Risk treatments | Accept, avoid, transfer, mitigate |
| Access models | DAC, MAC, RBAC, ABAC |
| Zero Trust core | Verify explicitly, least privilege, assume breach |
Last-minute traps
- confusing vector, vulnerability, and malicious activity
- calling every auth attack brute force instead of password spraying or credential stuffing
- choosing a detective control when the question clearly needs prevention or containment
- confusing encryption, hashing, signatures, and encoding
- forgetting chain of custody or time synchronization in investigation scenarios
Control and principle quick map
| Concept | Fast distinction |
|---|---|
| Preventive vs detective | stop or reduce first, observe and alert second |
| Corrective vs compensating | fix after an issue, or substitute when the ideal control is not possible |
| Managerial vs operational vs technical | policy and oversight, people and process, or enforced by technology |
| Authentication vs authorization | prove identity, then decide allowed actions |
| Non-repudiation | prevent denial that a specific action occurred |
Threats and mitigations quick map
| Pattern | Best memory hook |
|---|---|
| Password spraying | one password across many users |
| Credential stuffing | reused credentials from another breach |
| XSS | attacker script reaches another user’s browser |
| SQL injection | attacker manipulates database queries through input |
| Supply-chain attack | trusted software, package, or vendor path is compromised |
| Shadow IT | unmanaged technology adopted outside policy |
Architecture and operations quick map
| Need | Strongest first fit |
|---|---|
| Narrow admin exposure | VPN, MFA, approved path, logging |
| Device admission control | NAC or 802.1X |
| Sensitive data visibility without full disclosure | masking or tokenization |
| Fast recovery with highest cost | hot site |
| Lowest data-loss window | lower RPO |
| Fastest containment | isolate affected systems and reduce communication paths |
| Better detection workflow | telemetry -> correlation -> alert -> triage |
Cryptography quick map
| Need | Strongest first fit |
|---|---|
| Confidentiality | encryption |
| Integrity | hashing or HMAC |
| Sender proof and integrity | digital signature |
| Certificate trust validation | PKI chain plus revocation checking |
| Hide format only | encoding, not security |
Do not confuse: Base64 is encoding, not encryption.
Incident response quick map
flowchart LR
A["Preparation"] --> B["Identification"]
B --> C["Containment"]
C --> D["Eradication"]
D --> E["Recovery"]
E --> F["Lessons learned"]
What to notice:
- containment comes before eradication
- recovery does not mean the review is finished
- evidence handling matters whenever legal, audit, or forensics language appears
GRC quick map
| Term | Fast distinction |
|---|---|
| Policy | what the organization requires |
| Standard | required rule or baseline supporting policy |
| Procedure | how the task is done |
| Guideline | preferred but not always mandatory practice |
| BIA | critical business functions and recovery priorities |
| Risk register | tracked record of risks, owners, and treatments |
High-confusion pairs worth one last look
| Pair | Fast distinction |
|---|---|
| Password spraying vs credential stuffing | one password against many users vs reused breached credentials against one or more accounts |
| Encryption vs tokenization | protect readable data vs replace sensitive values for workflow safety |
| HA vs backup | keep the service alive vs restore data or service after loss |
| Vulnerability management vs incident response | reduce known weakness exposure vs handle active or recent security events |
Quiz
Loading quiz…
From here, use the study plan for pacing, the glossary when terms blur together, or the resources page when you need the official CompTIA references.