Free Practice Questions for CompTIA Security+ Certification
Study with 370 exam-style practice questions designed to help you prepare for the CompTIA Security+ exam. All questions are aligned with the latest exam guide and include detailed explanations to help you master the material.
Exam Details
Key information about CompTIA Security+
- Multiple choice
- Ordering
- Matching
90 minutes
English, Japanese, Portuguese, Spanish, and Thai
usually three years after launch (estimated 2026)
November 7, 2023
V7
750 (on a scale of 100-900)
SY0-701
cyber defense analyst, incident responder, vulnerability analyst, security control assessor, system administrator, network specialist, systems planner, IT project manager, information security manager, secure software assessor, and many more
maximum of 90, a mix of multiple-choice and performance-based questions
CompTIA Network+ and two years of experience working in a security/systems administrator job role
Exam Topics & Skills Assessed
Skills measured (from the official study guide)
Domain 1: General security concepts
Subdomain 1.1: Security controls
comparing technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, and directive controls.
Subdomain 1.2: Fundamental concepts
summarizing confidentiality, integrity, and availability (CIA); non-repudiation; authentication, authorization, and accounting (AAA); zero trust; and deception/disruption technology.
Subdomain 1.3: Change management
explaining business processes, technical implications, documentation, and version control.
Subdomain 1.4: Cryptographic solutions
using public key infrastructure (PKI), encryption, obfuscation, hashing, digital signatures, and blockchain.
Domain 2: Threats, vulnerabilities, and mitigations
Subdomain 2.1: Threat actors and motivations
comparing nation-states, unskilled attackers, hacktivists, insider threats, organized crime, shadow IT, and motivations like data exfiltration, espionage, and financial gain.
Subdomain 2.2: Threat vectors and attack surfaces
explaining message-based, unsecure networks, social engineering, file-based, voice call, supply chain, and vulnerable software vectors.
Subdomain 2.3: Vulnerabilities
explaining application, hardware, mobile device, virtualization, operating system (OS)-based, cloud-specific, web-based, and supply chain vulnerabilities.
Subdomain 2.4: Malicious activity
analyzing malware attacks, password attacks, application attacks, physical attacks, network attacks, and cryptographic attacks.
Subdomain 2.5: Mitigation techniques
using segmentation, access control, configuration enforcement, hardening, isolation, and patching.
Domain 3: Security architecture
Subdomain 3.1: Architecture models
comparing on-premises, cloud, virtualization, Internet of Things (IoT), industrial control systems (ICS), and infrastructure as code (IaC).
Subdomain 3.2: Enterprise infrastructure
applying security principles to infrastructure considerations, control selection, and secure communication/access.
Subdomain 3.3: Data protection
comparing data types, securing methods, general considerations, and classifications.
Subdomain 3.4: Resilience and recovery
explaining high availability, site considerations, testing, power, platform diversity, backups, and continuity of operations.
Domain 4: Security operations
Subdomain 4.1: Computing resources
applying secure baselines, mobile solutions, hardening, wireless security, application security, sandboxing, and monitoring.
Subdomain 4.2: Asset management
explaining acquisition, disposal, assignment, and monitoring/tracking of hardware, software, and data assets.
Subdomain 4.3: Vulnerability management
identifying, analyzing, remediating, validating, and reporting vulnerabilities.
Subdomain 4.4: Alerting and monitoring
explaining monitoring tools and computing resource activities.
Subdomain 4.5: Enterprise security
modifying firewalls, IDS/IPS, DNS filtering, DLP (data loss prevention), NAC (network access control), and EDR/XDR (endpoint/extended detection and response).
Subdomain 4.6: Identity and access management
implementing provisioning, SSO (single sign-on), MFA (multifactor authentication), and privileged access tools.
Subdomain 4.7: Automation and orchestration
explaining automation use cases, scripting benefits, and considerations.
Subdomain 4.8: Incident response
implementing processes, training, testing, root cause analysis, threat hunting, and digital forensics.
Subdomain 4.9: Data sources
using log data and other sources to support investigations.
Domain 5: Security program management and oversight
Subdomain 5.1: Security governance
summarizing guidelines, policies, standards, procedures, external considerations, monitoring, governance structures, and roles/responsibilities.
Subdomain 5.2: Risk management
explaining risk identification, assessment, analysis, register, tolerance, appetite, strategies, reporting, and business impact analysis (BIA).
Subdomain 5.3: Third-party risk
managing vendor assessment, selection, agreements, monitoring, questionnaires, and rules of engagement.
Subdomain 5.4: Security compliance
summarizing compliance reporting, consequences of non-compliance, monitoring, and privacy.
Subdomain 5.5: Audits and assessments
explaining attestation, internal/external audits, and penetration testing.
Subdomain 5.6: Security awareness
implementing phishing training, anomalous behavior recognition, user guidance, reporting, and monitoring.
Techniques & products