CompTIA Security+ SY0-701 Study Guide: Advanced Security Strategies and Incident Response
Course section: Advanced Security Strategies and Incident Response Estimated course time: 10 hours Coverage: 6 modules, 90 practice questions Purpose: Full exam-focused study notes for this Security+ course section. This is original study material, not a transcript, Coursera quiz copy, or real CompTIA exam content.
How To Use This Guide
- Read one module at a time.
- Memorize the high-yield anchors first.
- Work through the module details and lab notes.
- Take the matching practice-question bank.
- Review missed questions by returning to the named section.
- Retest until you can score at least 85%, with 90% or better as the comfort target.
Exam Context
- Exam code: SY0-701
- Official format: up to 90 questions in 90 minutes, with multiple-choice and performance-based items.
- Official passing score: 750 on a 100-900 scaled score. The app uses 85% as a stricter local practice pass target, 90% as the comfort target, and 95% as a strong signal.
- Official domains: General Security Concepts 12%; Threats, Vulnerabilities, and Mitigations 22%; Security Architecture 18%; Security Operations 28%; Security Program Management and Oversight 20%.
High-Yield Memory Anchors
- Cloud security follows shared responsibility: know what the provider handles and what the customer must configure.
- Containers share the host kernel; images, secrets, isolation, and runtime controls matter.
- IoT, ICS, embedded, and mobile devices often need segmentation and compensating controls.
- Web application security focuses on access control, injection, XSS, CSRF, SSRF, misconfiguration, and secure coding.
- Vulnerability scanning finds likely weaknesses; penetration testing validates exploitability within scope.
- Incident response follows preparation, detection, containment, eradication, recovery, and lessons learned.
Course Map
- Securing Virtual and Cloud Environments - Virtualization and cloud change where controls live, not whether controls are needed. Security+ expects you to understand cloud models, shared responsibility, public server defense, segmentation, resilience, and container/VM risk.
- Securing Dedicated and Mobile Systems - Dedicated systems, IoT, ICS, embedded devices, and mobile devices often cannot be secured like ordinary servers. The exam expects compensating controls, segmentation, policy, and lifecycle thinking.
- Secure Protocols and Applications - Application security ties protocols, coding, configuration, and testing together. Security+ does not expect you to be a senior developer, but it does expect you to recognize common web and protocol risks and choose secure alternatives.
- Testing Infrastructure - Testing finds weaknesses before attackers do, but different tests answer different questions. Security+ focuses on authorization, scope, tool purpose, and the difference between scanning, assessment, and exploitation.
- Business Security Impact - Security programs are judged by business outcomes. This module connects controls, audits, third parties, data roles, change management, automation, and frameworks to resilience and accountability.
- Dealing with Incidents - Incident response is a process, not a panic button. The exam expects the correct next step, evidence handling, communication, containment strategy, recovery planning, and lessons learned.
Study Notes
Securing Virtual and Cloud Environments
Big Picture
Virtualization and cloud change where controls live, not whether controls are needed. Security+ expects you to understand cloud models, shared responsibility, public server defense, segmentation, resilience, and container/VM risk.
Must Know
- Compare public, private, hybrid, community, and multicloud.
- Compare IaaS, PaaS, and SaaS responsibility boundaries.
- Understand hypervisors, VMs, containers, SDN, and virtual networking.
- Recognize public server hardening and DDoS mitigation choices.
- Know common cloud misconfigurations such as public storage, weak IAM, exposed keys, and insecure security groups.
Public server defense
Internet-facing systems need hardened images, minimal services, patched software, restricted management, logging, WAF or reverse proxy where appropriate, segmentation, and monitoring. Management ports should not be open to the world.
DDoS mitigation
DDoS defense may require upstream filtering, CDN, scrubbing providers, Anycast, rate limiting, autoscaling, caching, and resilient architecture. A local host firewall cannot absorb large upstream floods.
Hypervisors and VMs
Type 1 hypervisors run directly on hardware; type 2 hypervisors run on a host OS. Risks include VM escape, snapshot exposure, sprawl, insecure templates, and management-plane compromise.
Containers
Containers package applications and dependencies while sharing the host kernel. Security requires trusted base images, vulnerability scanning, minimal privileges, secrets management, runtime policy, and patching.
Cloud deployment models
Public cloud uses provider infrastructure, private cloud is dedicated to one organization, hybrid combines environments, community cloud serves shared requirements, and multicloud uses multiple providers.
Cloud service models
IaaS gives the customer more control and responsibility for OS and apps. PaaS shifts platform management to the provider. SaaS leaves the customer mainly responsible for identity, data, configuration, and usage policy.
Shared responsibility
The provider secures the cloud; the customer secures what they put in and configure. The exact line moves by service model. Misunderstanding this line is a common cause of cloud breaches.
SDN and virtual networks
Software-defined networking uses controllers and policy to manage virtual routing, segmentation, and security groups. Protect the control plane and audit changes.
Hands-On Practice
- Draw shared responsibility for one IaaS VM, one PaaS database, and one SaaS app.
- Review a mock cloud security group and identify overexposed management ports.
- List hardening steps for a containerized public web service.
Exam Traps
- The cloud provider does not secure your identities and data configuration in every model.
- Containers are not automatically safer than VMs.
- Autoscaling alone is not a complete DDoS plan.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Securing Dedicated and Mobile Systems
Big Picture
Dedicated systems, IoT, ICS, embedded devices, and mobile devices often cannot be secured like ordinary servers. The exam expects compensating controls, segmentation, policy, and lifecycle thinking.
Must Know
- Recognize embedded, IoT, ICS/SCADA, RTOS, and mobile constraints.
- Apply segmentation, allow lists, vendor access control, monitoring, and careful patch/change management.
- Know mobile controls: MDM/UEM, encryption, screen locks, remote wipe, app control, containerization, and update policy.
- Understand BYOD policy issues around privacy, ownership, legal access, and data separation.
Embedded and IoT systems
These devices may have weak defaults, limited patching, long lifecycles, and minimal logging. Change default credentials, update firmware, segment networks, restrict outbound access, and monitor behavior.
ICS and SCADA
Industrial systems control physical processes, so safety and availability are central. Patch windows may be limited, and changes require testing. Segmentation, jump hosts, vendor access control, backups, and monitoring are key.
Mobile devices
Mobile devices combine endpoint, identity, network, and physical risks. Controls include encryption, lock screens, biometrics, MDM/UEM, app allow/deny lists, remote wipe, OS updates, and separation of personal/corporate data.
BYOD
Bring-your-own-device programs require clear acceptable use, privacy boundaries, support expectations, minimum security controls, data ownership, and offboarding procedures.
Dedicated-purpose devices
Printers, cameras, kiosks, medical devices, and building systems often hold credentials or network access. Treat them as managed assets, not background appliances.
Hands-On Practice
- Create a segmentation plan for cameras, printers, user PCs, and servers.
- Write a BYOD policy outline covering enrollment, data separation, remote wipe, and offboarding.
- List compensating controls for an ICS device that cannot be patched immediately.
Exam Traps
- IoT devices are not harmless because they are small.
- Patching an ICS device without change control can create safety and availability risk.
- Remote wipe rules must be clear before BYOD enrollment.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Secure Protocols and Applications
Big Picture
Application security ties protocols, coding, configuration, and testing together. Security+ does not expect you to be a senior developer, but it does expect you to recognize common web and protocol risks and choose secure alternatives.
Must Know
- Know secure replacements for insecure protocols: SFTP/FTPS/HTTPS instead of FTP, SSH instead of Telnet, SNMPv3 instead of older community strings.
- Recognize DNS poisoning, DNS tunneling, and DNSSEC purpose.
- Understand SPF, DKIM, and DMARC at a purpose level.
- Identify XSS, CSRF, SSRF, injection, broken access control, and misconfiguration.
- Use OWASP Top 10 as a risk checklist, not a tool.
DNS security
DNS can be abused through poisoning, tunneling, typo-squatting, malicious domains, and weak resolver configuration. DNSSEC validates integrity of DNS data but does not encrypt web content. DNS filtering and logging support detection.
Secure transfer
FTP sends credentials and data in clear text. SFTP uses SSH, FTPS uses TLS, and HTTPS can support secure uploads/downloads. Choose the protocol that fits the system and security requirements.
Secure email
SPF authorizes sending sources, DKIM signs messages, and DMARC tells receivers how to handle mail that fails alignment. These controls reduce spoofing but do not eliminate phishing.
XSS
Cross-site scripting executes attacker-controlled script in a user browser. Stored XSS persists in the application, reflected XSS comes from a request, and DOM XSS occurs in client-side processing. Output encoding, validation, and safe frameworks help.
CSRF
Cross-site request forgery tricks an authenticated browser into sending unwanted actions. Anti-CSRF tokens, SameSite cookies, reauthentication for sensitive actions, and proper methods reduce risk.
Injection and access control
Injection sends untrusted data into an interpreter. Broken access control allows users to do what they should not. Parameterized queries, server-side authorization checks, and secure design are essential.
OWASP Top 10
Use the Top 10 to structure review: broken access control, cryptographic failures, injection, insecure design, misconfiguration, vulnerable components, auth failures, integrity failures, logging/monitoring failures, and SSRF.
Hands-On Practice
- Review a mock packet capture and identify cleartext FTP credentials.
- Map SPF, DKIM, and DMARC to their purpose.
- Classify sample web flaws as XSS, CSRF, injection, SSRF, or broken access control.
Exam Traps
- DNSSEC is integrity validation, not encryption for websites.
- DMARC helps spoofing control but does not make all email safe.
- Client-side validation alone is not a security control.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Testing Infrastructure
Big Picture
Testing finds weaknesses before attackers do, but different tests answer different questions. Security+ focuses on authorization, scope, tool purpose, and the difference between scanning, assessment, and exploitation.
Must Know
- Distinguish vulnerability scanning, vulnerability assessment, penetration testing, red team, blue team, purple team, and bug bounty.
- Know rules of engagement: scope, timing, targets, allowed techniques, communication, emergency stop, and reporting.
- Recognize social engineering techniques and when they require explicit approval.
- Understand false positives, false negatives, prioritization, and remediation validation.
Vulnerability scanning
Scanning identifies known vulnerabilities and misconfigurations. Authenticated scans usually find more accurate host-level issues. Scans can be noisy and may affect fragile systems, so schedule and scope matter.
Vulnerability assessment
Assessment interprets scan findings, business context, exposure, exploitability, and remediation priority. It turns raw findings into a plan.
Penetration testing
Pen testing validates exploitability and impact within rules of engagement. It should produce findings, evidence, risk, reproduction steps, and remediation guidance.
Metasploit and exploit frameworks
Exploit frameworks can validate risk in authorized environments. They can also cause damage if used outside scope or against fragile systems.
Social engineering testing
Phishing, pretexting, tailgating, baiting, and impersonation tests require careful approval, legal review, safety limits, and user support plans.
Reporting
Good reports separate executive summary, technical evidence, affected assets, severity, business risk, remediation, and retest status.
Hands-On Practice
- Write a rules-of-engagement checklist for a small internal penetration test.
- Take a mock scan report and rank findings by exposure and asset criticality.
- Draft a remediation validation step for one high-risk finding.
Exam Traps
- A scan is not a penetration test.
- Permission is not optional.
- Critical CVSS does not always mean top business priority without context.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Business Security Impact
Big Picture
Security programs are judged by business outcomes. This module connects controls, audits, third parties, data roles, change management, automation, and frameworks to resilience and accountability.
Must Know
- Understand BIA, RTO, RPO, MTTR, MTBF, and recovery priorities.
- Know data roles: owner, controller, processor, custodian, steward, and user.
- Apply third-party risk management, contracts, SLAs, MOUs, NDAs, BPAs, and right-to-audit concepts.
- Use change management to reduce production risk.
- Recognize automation, orchestration, SOAR-style workflows, and NIST framework value.
Business impact analysis
BIA identifies critical processes, dependencies, maximum tolerable downtime, RTO, RPO, staffing needs, and recovery priorities. It informs business continuity and disaster recovery planning.
Data types and roles
Regulated, confidential, private, intellectual property, financial, health, and authentication data need different handling. Data owners decide classification and use; custodians implement controls; processors handle data under instructions.
Personnel risk and policies
Background checks, onboarding, acceptable use, least privilege, separation of duties, mandatory vacation, termination procedures, and awareness training all reduce people-related risk.
Audits and assessments
Internal audits prepare and improve. External audits provide independent assurance. Attestation documents can show compliance or control posture to stakeholders.
Third-party risk
Vendors can introduce operational, legal, privacy, and supply-chain risk. Evaluate security before onboarding, write requirements into contracts, monitor performance, and plan exit strategies.
Change management
Requests, risk review, testing, approval, scheduling, communication, rollback plans, and documentation reduce outage and security risk. Emergency changes still need after-the-fact review.
Automation and orchestration
Automation performs tasks; orchestration coordinates multiple tools and steps. SOAR-style playbooks can enrich alerts, isolate hosts, block indicators, open tickets, and notify responders.
NIST frameworks
NIST guidance helps structure risk management, cybersecurity program maturity, privacy, incident response, and control selection. Know why frameworks exist more than exact publication numbers.
Hands-On Practice
- Create a BIA table for email, payroll, identity provider, and public website.
- Draft a vendor questionnaire section for data access, logging, incident notification, and subcontractors.
- Write a change request with test plan and rollback plan.
Exam Traps
- RTO is how fast to restore; RPO is how much data loss is acceptable.
- A signed contract does not replace ongoing vendor monitoring.
- Automation can spread mistakes quickly if not tested.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Dealing with Incidents
Big Picture
Incident response is a process, not a panic button. The exam expects the correct next step, evidence handling, communication, containment strategy, recovery planning, and lessons learned.
Must Know
- Know incident response phases: preparation, detection/analysis, containment, eradication, recovery, lessons learned.
- Understand incident response plans, communication plans, escalation, roles, and tabletop testing.
- Recognize Cyber Kill Chain and threat analysis purpose.
- Apply digital forensics concepts: preservation, collection, analysis, reporting, hashing, and chain of custody.
- Connect business continuity, alternate sites, and backups to recovery.
Incident response plan
An IRP defines roles, severity, communication, escalation, legal involvement, evidence handling, containment options, eradication, recovery, and post-incident review. It should exist before an incident.
Detection and analysis
Alerts, logs, user reports, EDR, SIEM, network telemetry, and threat intelligence help confirm incidents. Analysts must distinguish true positives, false positives, scope, and impact.
Containment
Containment limits damage while preserving evidence and business function. Options include isolating hosts, disabling accounts, blocking indicators, segmenting networks, or taking systems offline. The best action depends on impact and volatility.
Eradication and recovery
Remove root cause, patch vulnerabilities, rotate credentials, rebuild compromised systems when needed, restore clean data, monitor for recurrence, and validate normal operation.
Digital forensics
Preserve evidence, document chain of custody, hash images, avoid altering originals, collect volatile data when appropriate, and record who handled evidence and when.
Cyber Kill Chain
Mapping activity to attacker stages helps defenders identify earlier detection and disruption points. It is a model, not a perfect timeline for every attack.
Business continuity and alternate sites
Hot sites are ready fastest and cost most. Warm sites need some setup. Cold sites require the most setup and time. Choose based on BIA and budget.
Backups
Backups should meet RPO/RTO, include offline or immutable copies for ransomware resilience, and be tested. Untested backups are assumptions, not recovery capability.
Lessons learned
After-action reviews identify control gaps, communication issues, detection improvements, training needs, and policy/process changes.
Hands-On Practice
- Run a tabletop scenario for ransomware and list who decides containment, notification, and recovery.
- Build a chain-of-custody form with evidence ID, hash, handler, time, and purpose.
- Compare hot, warm, and cold sites for a critical service.
Exam Traps
- Do not start wiping systems before preserving evidence when investigation matters.
- Containment and eradication are different steps.
- Backups that cannot be restored inside the RTO do not meet the business requirement.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Final Review Checklist
- I can map the course topics to the SY0-701 domains.
- I can explain each major control in plain language and identify whether it is preventive, detective, corrective, deterrent, compensating, managerial, operational, technical, or physical.
- I can answer scenario questions by identifying the asset, threat, vulnerability, impact, and best next action.
- I can distinguish implementation/tool questions from governance/process questions.
- I can describe how I would perform labs safely and only with authorization.
- I can score at least 85% locally and preferably 90% or better across multiple randomized tests.
Deep Review Tables
Cloud Responsibility Guide
| Service Model | Provider Usually Handles | Customer Usually Handles |
|---|---|---|
| IaaS | Physical data center, hardware, virtualization layer | Guest OS, apps, data, IAM, firewall/security groups, patches inside VM |
| PaaS | Runtime platform, managed OS/platform components | Application code, data, IAM, configuration, secrets |
| SaaS | Application platform and infrastructure | Users, data, access policy, tenant configuration, monitoring available logs |
Cloud And Virtualization Risk Table
| Risk | Why It Matters | Mitigation |
|---|---|---|
| Public storage exposure | Data can leak without exploiting a server | Least privilege, private defaults, scanning, alerts |
| Overly permissive security groups | Public services become reachable | Restrict source, ports, and management access |
| Exposed cloud keys | Attackers can control resources | Secrets manager, rotation, no hardcoding |
| VM sprawl | Untracked systems miss patches and monitoring | Inventory, tagging, lifecycle policy |
| Insecure container image | Vulnerabilities or malicious code enter production | Trusted registry, image scanning, minimal base images |
| Weak management plane security | Control plane compromise affects many assets | MFA, least privilege, logging, conditional access |
Incident Response Action Table
| Phase | Goal | Typical Actions |
|---|---|---|
| Preparation | Be ready before the event | Plans, roles, tools, logging, training, tabletop exercises |
| Detection and analysis | Confirm and scope | Triage alerts, collect evidence, identify affected assets |
| Containment | Limit damage | Isolate hosts, disable accounts, block indicators, segment networks |
| Eradication | Remove root cause | Patch, remove malware, rotate credentials, close persistence |
| Recovery | Restore service safely | Rebuild, restore clean data, validate function, monitor recurrence |
| Lessons learned | Improve | After-action review, update controls, improve detection and training |
Forensics Evidence Checklist
| Evidence Need | Good Practice | Reason |
|---|---|---|
| Preserve integrity | Hash images and collected files | Proves evidence did not change |
| Track handling | Chain of custody form | Shows who handled evidence and when |
| Avoid altering originals | Work from copies when possible | Preserves admissibility and reliability |
| Collect volatile data | Capture memory/network state when needed | Some evidence disappears after shutdown |
| Document time | Record time zones and system clock issues | Supports event reconstruction |
| Secure storage | Restrict evidence access | Maintains confidentiality and integrity |
Business Continuity Choices
| Requirement | Likely Choice | Tradeoff |
|---|---|---|
| Fastest alternate processing | Hot site | Highest cost, fastest recovery |
| Moderate recovery time | Warm site | Some setup required |
| Lowest cost standby | Cold site | Slowest recovery |
| Low data loss tolerance | Frequent replication/backups | More cost and complexity |
| Ransomware resilience | Offline or immutable backups | Must still test restoration |
Scenario Drills
- A SaaS breach occurs because an admin disabled MFA and made storage public. The provider may run the platform, but customer configuration remains the customer responsibility.
- A vulnerable container image is deployed repeatedly by CI/CD. Fix the image source and pipeline scanning, not just the running container.
- A phishing incident is active. Disabling one account may contain immediate damage, but full response includes scope, indicators, mailbox rules, token revocation, endpoint review, and user notification.
- A production ICS device cannot be patched. Segment it, restrict access, monitor, and schedule tested maintenance rather than forcing an unsafe patch.
- A vulnerability scan report has 200 findings. Prioritize internet exposure, asset criticality, exploitability, compensating controls, and business impact.
- A backup exists but has never been restored. Treat recovery capability as unproven until tested.