Study Threats, Vulnerabilities, and Mitigations for Security+ (SY0-701)

Map attacker motives, attack paths, vulnerabilities, malicious activity, and defensive responses for the heaviest early Security+ scenario set.

This chapter is where Security+ starts feeling like real incident and defensive reasoning instead of term review. The exam wants you to separate attacker motive from attack vector, vector from vulnerability, and vulnerability from mitigation. Weak answers usually skip one of those layers and jump to a generic “security product” response.

Attack vector: The path or method the attacker uses to reach the target, such as phishing, exposed services, or a supply-chain channel.

Blast radius: The amount of system, data, or business impact a successful attack can reach before it is contained.

IOC: Indicator of compromise, a clue such as a suspicious hash, IP, process, or login event that suggests malicious activity has already occurred.

Current weight in the objectives

CompTIA currently weights this domain at 22%. It is one of the larger domains and it cross-connects heavily with architecture and operations.

Work this domain in order

Start with 2.1 Threat Actors & Motivations, then move through 2.2 Threat Vectors & Attack Surfaces, 2.3 Vulnerabilities, 2.4 Malicious Activity, and 2.5 Mitigation Techniques.

Fast routing inside this chapter

If the scenario is really about… → Go first to…

  • attacker intent, insider risk, organized crime, or nation-state behavior → 2.1 Threat Actors & Motivations
  • phishing, social engineering, exposed services, weak wireless, or supply-chain entry paths → 2.2 Threat Vectors & Attack Surfaces
  • unpatched software, cloud misconfigurations, mobile or virtualization weaknesses → 2.3 Vulnerabilities
  • ransomware, password attacks, network abuse, or application exploitation → 2.4 Malicious Activity
  • segmentation, hardening, isolation, access control, or patching choices → 2.5 Mitigation Techniques

What strong answers usually do

  • identify the entry path before proposing a tool
  • reduce the real blast radius instead of just adding another alert
  • match the mitigation to the stated constraint, not to a favorite acronym
  • treat cloud, mobile, and web risks as distinct surfaces rather than one generic bucket

Where this domain blends with the rest of the exam

Threat analysis rarely stays inside one chapter on Security+:

  • architecture questions reuse threat thinking when they ask for segmentation or access design that actually shrinks exposure
  • operations questions reuse it when alerts, telemetry, and response steps depend on identifying the real vector first
  • governance questions reuse it when risk treatment, vendor review, or awareness training needs to address the most realistic threat path

If your misses are mostly “I knew the term but chose the wrong control,” this is usually the domain to revisit first.

If you keep missing social-engineering, web, or ransomware questions, do not just reread the cheat sheet. Rework the related lesson pages and log which layer you misidentified.
