Monday, September 4, 2023

The 5 CompTIA Security+ Domains: All You Need To Know About

If you’re thinking about entering the cyber security industry, you might find it daunting to master the syllabus for the entry-level CompTIA Security+ certification exam. Security+ encompasses a broad knowledge base across five exam domains (SY0-601). What does each of these Security+ domains mean, and what cyber security concepts do they include?

Look no further: we’ve got you covered. We’ll demystify each of the Security+ domains to help you plan your studies. For each domain, we’ll explain the key ideas, terms, and acronyms you must remember. Moreover, we’ll show you examples of questions that assess your knowledge of every exam domain.

When you’re ready, let’s dive in.

About CompTIA Security+ Exam

CompTIA Security+ is an entry-level cyber security certification focusing primarily on up-to-date best practices for risk management and risk mitigation. It emphasizes the practical aspects of identifying and addressing security threats, attacks, and vulnerabilities.

The target audience of the Security+ certification is anyone with some foundation in networking who aspires to move into some aspect of cyber security.

The latest CompTIA Security+ exam code is SY0-601. The associated exam is available until July 2024. The Security+ exam domains are:

  • Attacks, Threats, and Vulnerabilities (24%)
  • Architecture and Design (21%)
  • Implementation (25%)
  • Operations and Incident Response (16%)
  • Governance, Risk, and Compliance (14%)

New topics within these core knowledge domains include supply chain management and the Internet of Things (IoT).

CompTIA Security plus study domains
CompTIA Security+ Domains (SY0-601)

The CompTIA Security+ exam includes two types of questions:

  • Multiple-choice questions, which may admit single or multiple answers, and
  • Performance-based questions (PBQs), which test your ability to solve problems in a simulated environment; these make CompTIA Security+ such a valuable certification, demonstrating one’s excellence in practical cyber security skills. Anywhere from one to ten PBQs appear at the start of the Security+ exam.

You’ll need to answer at most 90 questions in this 90-minute examination and complete a survey after it ends. The passing score is 750 on a scale of 100–900.

For more information, read our guide to Security+. Now, let’s move on to the first domain.

Domain 1: Attacks, Threats, and Vulnerabilities

“Status quo—that’s Latin for the mess we’re in…”

—Ronald Reagan, in Chicago, Illinois, September 3, 1981

The first thing that comes to everyone’s mind regarding cyber security is cyber warfare: hacking, malware, social engineering, physical threats, and suchlike. As such, it’s important for an entry-level cyber security professional to have a broad knowledge of attacks, threats, and vulnerabilities in cyberspace.

Cyber attacks happen on three frontiers: the physical, the digital, and the psychological. They’re not mutually exclusive. Don’t underestimate any of them, especially not the last one, as humans are the weakest link in cyber security.

  • A physical threat relies on physical devices to cause damage. A compromised flash drive is such an example. Stuxnet could spread thanks to portable drives infected with the worm. Another example is card cloning for skimming (theft of credit card payment information).
  • A digital threat is a cyber attack using digital means. Malware, such as ransomware, is an instance of a digital threat. Password and cryptographic attacks fall under this category.
  • A psychological threat preys on human weaknesses to take insecure actions. Social engineering is a psychological threat. Phishing is the most well-known social engineering tactic. This type of threat includes adversarial artificial intelligence (AI), such as deepfakes or voice clones which exploit the victims’ implicit trust in their senses.

Attack vectors are how cyber-attacks happen. They come in two kinds: application attacks, of which SQL injection and pass-the-hash attacks are examples, and network attacks, such as evil twin and denial-of-service (DDoS) attacks. In a DDoS attack, multiple computers fire at a server to slow down or stop it.

Vulnerabilities are loopholes that hackers may exploit. These include unpatched software, weak passwords, easily guessable credentials (such as having an “admin” account), and insecure ports and protocols.

Some key terms/acronyms to remember:

  • SIEM: Security Information and Event Management
  • Zero-day attack: A previously unknown vulnerability
  • APT: Advanced Persistent Threat; Long-term intelligence-mining hacking
  • STIX: Structured Threat Information Expression
  • TAXII: Trusted Automated Exchange of Intelligence Information

Example questions from this domain: (answer key follows)

What is the primary goal of an application attack? Gain unauthorized access to the network / Circumvent the application security system / Cause the application to crash / Execute arbitrary code on the system
How does a man-in-the-browser (MitB) attack typically occur? By installing malicious plug-ins or scripts in web browsers / By intercepting calls between the browser process and DLLs / By compromising access control on web servers / By exploiting vulnerabilities in clients browsing a website


  1. Execute arbitrary code on the system. The primary goal of an application attack is to allow the threat actor to run their own code on the system, which is referred to as arbitrary code execution, with which the attacker can gain control over the system, install backdoors, disable the system, or perform other malicious activities.
  2. By installing malicious plug-ins or scripts in web browsers. In a man-in-the-browser (MitB) attack, the attacker compromises the web browser by installing malicious plug-ins or scripts. This allows them to manipulate browser settings, inject code, and access sensitive information.

Domain 2: Architecture and Design

“He wins his battles by making no mistakes. [...] the skillful fighter puts himself into a position which makes defeat impossible and does not miss the moment for defeating the enemy.”

—Sun Tzu, The Art of War

The victory or defeat of every battle is guaranteed before it’s ever fought. Many firms only have security architecture as an afterthought, and this mentality is the reason for millions of security incidents, such as data breaches, worldwide. Such disasters would have been avoidable if computer systems’ hardware, software, and networks had secure infrastructures built into them.

This domain is about network security and system design principles, including notions such as defense-in-depth (the more layers, the less hackable), separation of duties (single individuals should not perform all critical functions in a system), and the policy of least privilege (need-to-know; only grant sufficient privileges to do one’s job).

Furthermore, this domain covers physical security controls, AAA (authentication, authorization, and accounting), virtualization, cloud computing, security concepts in an enterprise environment, security implications of embedded and specialized systems, and software security: secure application development, deployment, and automation.

Many cyber security incidents include on-path (man-in-the-middle) attacks and eavesdropping, highlighting the importance of secure data exchange. Thus, cryptography, formerly a separate Security+ exam domain and the foundation for secure protocols and services (SSL/TLS, VPNs, SSH, etc.), is now part of this domain.

Some key terms/acronyms to remember:

  • SCADA: Supervisory Control and Data Acquisition
  • ICS: Industrial Control System
  • Software development life cycle (SDLC): A process to design, develop, and test high-quality software. The aim is to produce software that meets or exceeds customer expectations within time and cost estimates.
  • Scalability: Ease of growing and managing increased demand on infrastructure
  • XaaS: Anything-as-a-Service (IaaS: Infrastructure, PaaS: Platform, SaaS: Software, VCaaS: Voice cloning)

Example questions from this domain: (answer key follows)

What distinguishes Security as a Service (SECaaS) from an MSSP? SECaaS is more cost-effective than an MSSP. / SECaaS involves outsourcing the security function to a third party. / SECaaS focuses on big picture analysis and alignment.
What is the difference between scalability and elasticity in the context of IT systems? Scalability refers to real-time changes in demand, while elasticity refers to linear costs. / Scalability refers to linear costs, while elasticity refers to real-time changes in demand. / Scalability refers to the ability to handle changes in demand, while elasticity refers to linear costs. / Scalability refers to linear costs, while elasticity refers to the ability to handle changes in demand.


  1. Security-as-a-Service (SECaaS) focuses on big picture analysis and alignment. SECaaS implements specific security controls in the cloud. SECaaS is typically distinguished from an MSSP by focusing on implementing specific security controls, such as virus scanning or SIEM-like functionality, in the cloud. It involves a connector installed locally that interacts with the cloud service provider for managing and updating the security controls.
  2. Scalability refers to the ability to handle changes in demand, while elasticity refers to linear costs. Scalability refers to the system’s capability to handle changes whenever requested, ensuring that the costs involved in supplying the service to more users are linear. On the other hand, elasticity refers to the system’s ability to adjust its resources in real time based on changes in demand, which helps optimize costs by scaling up or down as needed.

Domain 3: Implementation

“For the things we have to learn before we can do them, we learn by doing them.”

—Aristotle, The Nicomachean Ethics

The previous domain is about designing secure systems, while this is about putting security measures into practice. This domain is about security controls, which protect IT infrastructure or fix problems once they’ve happened, security practices, and software development security.

The exam objectives in this domain begin with “Given a scenario,” which means the appropriate security controls largely depend on the situation. Therefore, Security+ PBQs will likely assess your practical knowledge in this domain.

In a network, a firewall is the first line of defense, an IDS (intrusion detection system) watches out for security threats, and an IPS (intrusion prevention system) stops or prevents them. Besides network security, this domain also covers secure protocols, network designs, mobile solutions, cloud solutions, identity and access management, and wireless security settings.

Secure application development practices help prevent or mitigate future cyber security incidents in software. They include input validation and sanitation, data encryption, secure cookies, error handling, HTTP headers to block cross-site origin requests, and so on to prevent users from gaining unauthorized access to web resources through the browser.

Some key terms/acronyms to remember:

  • CA: Certificate Authority
  • PKI: Public Key Infrastructure
  • PAP: Password Authentication Protocol
  • CHAP: Challenge-Handshake Authentication Protocol (e.g., MS-CHAP-v2)
  • S/MIME: Secure/Multipurpose Internet Mail Extensions

Example questions from this domain: (answer key follows)

What is the main purpose of dynamic code analysis? Scan the source code for known issues and vulnerabilities /Test the application under "real world" conditions / Identify oversights or mistaken assumptions in the code / Collaboratively review the code with other developers
Why is the use of code signing recommended in secure application development? To prevent injection attacks and data exposure / To detect and mitigate race condition attacks / To document the use of approved coding languages / To make malicious code easier to detect


  1. Test the application under “real world” conditions. Dynamic code analysis involves testing the application under “real world” conditions using a staging environment. It aims to uncover vulnerabilities that may exist in the runtime environment, such as race conditions or unexpected user input. Techniques like fuzzing are used to generate large amounts of deliberately invalid and/or random input to stress test the application and assess its robustness.
  2. To make malicious code easier to detect. Code signing involves digitally signing application code with a unique cryptographic signature. This helps in verifying the authenticity and integrity of the code. By documenting the use of approved coding languages and launch locations and applying code signing, it becomes easier to detect malicious code as any unauthorized or modified code will lack a valid signature.

Domain 4: Operations and Incident Response

“Everybody has a plan until they get punched in the mouth.”

—Mike Tyson, legendary US boxer

It’s one thing to design a fortress, but another to repair its walls, protect the flow of goods and people to and from the compound, and ensure the guards aren’t sleeping. As it is in the physical world, so it is in the cyber sphere: this domain is about being vigilant in maintaining secure operations. Our enterprises are digital fortresses.

Security monitoring, logging, and auditing are important because it’s from such data that we uncover security incidents, such as data breaches or attempts to gain unauthorized access, and through which we supply evidence to law enforcement should we need their assistance. This domain is also where you address the issue of an incident response plan (IRP).

Incident response process: - Preparation - Identification - Containment - Eradication - Recovery - Lessons learned

This domain encompasses tools to assess organizational security, incident response policies, processes, and procedures, the use of logs to support investigations into security incidents, mitigation techniques or controls to secure an environment, and digital forensics.

Some key terms/acronyms to remember:

  • ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
  • BCP: Business Continuity Plan
  • IRP: Incident Response Plan
  • IoC: Indicators of Compromise
  • Legal hold: Process to preserve all forms of potentially relevant information for potential litigation

Example questions from this domain: (answer key follows)

What is the naming convention used for cmdlets in PowerShell? Adjective-Noun / Verb-Noun / Noun-Verb / Verb-Adjective
What is the purpose of remediation mechanisms in DLP? To block unauthorized copying of files / To alert administrators of policy violations / To enforce data loss policies on client computers / To scan email attachments and strip out sensitive data


  1. Verb-Noun. Cmdlets in PowerShell follow a Verb-Noun naming convention. They are named using a verb that describes the action or operation and a noun that represents the target or object of the action. This naming convention helps to provide consistency and clarity in PowerShell commands.
  2. To block unauthorized copying of files. Remediation mechanisms in DLP are designed to take action when a policy violation is detected. The purpose is to prevent unauthorized copying or transfer of files that violate the established data loss policies. Remediation actions may include blocking the user from copying the file, denying access to the original file, quarantining the file, or replacing it with a notification of the policy violation. The goal is to prevent the unauthorized dissemination of sensitive data.

Domain 5: Governance, Risk, and Compliance

“Learn to obey before you command.”

— Solon, ancient Greek statesman

It can be thrilling to get carried away with fictional depictions of hackers subverting large organizations in popular culture, often in defiance of the law. Still, it’s vital for real-life cyber security professionals to comply with relevant laws, regulations, and industry standards because hacking has consequences. This domain is about law and order in the cyber sphere.

Cyber security and risk management go hand in hand. We rely on security frameworks to communicate security policies to other members in their respective teams at work and amongst other cyber security professionals in the industry. Establishing them is important for managing and conveying the risks of cyber threats to third parties.

As information security professionals, your work in this cyber security domain involves identifying and prioritizing risks.

In a security assessment, you identify risks by their types:

  • External: threat actors from the outside
  • Internal: threat actors within the organization
  • Legacy systems: outdated hardware or software, including operating systems
  • Multiparty: problems involving several threat actors
  • Intellectual property theft: the likelihood of unauthorized parties accessing and distributing privileged resources
  • Software compliance/licensing: Many proprietary applications, including Microsoft Office 365, come with personal and business/commercial licenses. Organizations must use the software according to the correct license, or they may face the ire of the vendor, such as in the form of fines.

To prioritize risks, you have the following risk management strategies:

  • Acceptance: Accept the risk if the likelihood of the threat happening is less than the cost of mitigation.
  • Avoidance: Avoid the risk completely and change how the business is done, such as avoiding using platforms involved in data breaches.
  • Transference: Offload some risk to third parties, such as using Cloudflare to divert DDoS attacks.
  • Mitigation: Perform certain operations that reduce the likelihood and impact of risks, such as penetration testing to identify and patch up weaknesses in the system.

Apart from regulatory frameworks on organizational security posture and risk management, this domain covers the categories of security controls and security concerns in privacy and sensitive data.

Some key terms/acronyms to remember:

  • ISO: International Organization for Standardization
  • BIA: Business Impact Analysis
  • DRP: Disaster Recovery Plan
  • SLA: Service Level Agreement
  • ALE: Annualized Loss Expectancy

Example questions from this domain: (answer key follows)

What is the purpose of a nondisclosure agreement (NDA)? To govern the relationship between an organization and a third-party service provider / To ensure compliance with data privacy regulations / To protect information assets and deter unauthorized sharing / To specify terms for data analysis and prevent reidentification risks
What is the purpose of a nondisclosure agreement (NDA)? To govern the relationship between an organization and a third-party service provider / To ensure compliance with data privacy regulations / To protect information assets and deter unauthorized sharing / To specify terms for data analysis and prevent reidentification risks


  1. To protect information assets and deter unauthorized sharing. A nondisclosure agreement (NDA) is a legal agreement for such a purpose. NDAs are commonly used between organizations and employees, contractors, or between two companies. Violation of an NDA can lead to legal consequences, serving as a deterrent for individuals from sharing confidential or sensitive information.
  2. To provide adequate privacy regulations to data subjects. The purpose of GDPR (General Data Protection Regulation) protections is to ensure that the privacy rights of EU citizens are respected and protected. GDPR extends its protections to any EU citizen within the EU or EEA borders. It requires that data subjects are provided with meaningful options to refuse consent for data transfer and that adequate privacy regulations are in place, either within the destination jurisdiction or through contractual safeguards.


We hope this brief article on Security+ domains helps you plan your studies for this in-demand entry-level cyber security certification. Security+ isn’t an easy exam, but with proper planning, practice, and perseverance, you can enter the field of cyber security and gain valuable work experience there for further career opportunities.

If you want to learn more about Security+ and other cyber security certifications that may be suitable for you, check out our articles on this subject and our course offerings below:

from StationX

No comments:

Post a Comment