Free Practice Questions for CompTIA Security+ Certification

    🔄 Last checked for updates April 8th, 2026

    Study with 370 exam-style practice questions designed to help you prepare for the CompTIA Security+.


    Random Questions

    Practice with randomly mixed questions from all topics


    Domain Mode

    Practice questions from a specific topic area


    Exam Details

    Key information about CompTIA Security+

    Official study guide


    Question formats CertSafari offers
    • Multiple choice
    • Ordering
    • Matching

    Exam Topics & Skills Assessed

    Skills measured (from the official study guide)

    Domain 1: General security concepts

    Subdomain 1.1: Security controls

    comparing technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, and directive controls.

    Subdomain 1.2: Fundamental concepts

    summarizing confidentiality, integrity, and availability (CIA); non-repudiation; authentication, authorization, and accounting (AAA); zero trust; and deception/disruption technology.

    Subdomain 1.3: Change management

    explaining business processes, technical implications, documentation, and version control.

    Subdomain 1.4: Cryptographic solutions

    using public key infrastructure (PKI), encryption, obfuscation, hashing, digital signatures, and blockchain.

    Domain 2: Threats, vulnerabilities, and mitigations

    Subdomain 2.1: Threat actors and motivations

    comparing nation-states, unskilled attackers, hacktivists, insider threats, organized crime, shadow IT, and motivations like data exfiltration, espionage, and financial gain.

    Subdomain 2.2: Threat vectors and attack surfaces

    explaining message-based, unsecure networks, social engineering, file-based, voice call, supply chain, and vulnerable software vectors.

    Subdomain 2.3: Vulnerabilities

    explaining application, hardware, mobile device, virtualization, operating system (OS)-based, cloud-specific, web-based, and supply chain vulnerabilities.

    Subdomain 2.4: Malicious activity

    analyzing malware attacks, password attacks, application attacks, physical attacks, network attacks, and cryptographic attacks.

    Subdomain 2.5: Mitigation techniques

    using segmentation, access control, configuration enforcement, hardening, isolation, and patching.

    Domain 3: Security architecture

    Subdomain 3.1: Architecture models

    comparing on-premises, cloud, virtualization, Internet of Things (IoT), industrial control systems (ICS), and infrastructure as code (IaC).

    Subdomain 3.2: Enterprise infrastructure

    applying security principles to infrastructure considerations, control selection, and secure communication/access.

    Subdomain 3.3: Data protection

    comparing data types, securing methods, general considerations, and classifications.

    Subdomain 3.4: Resilience and recovery

    explaining high availability, site considerations, testing, power, platform diversity, backups, and continuity of operations.

    Domain 4: Security operations

    Subdomain 4.1: Computing resources

    applying secure baselines, mobile solutions, hardening, wireless security, application security, sandboxing, and monitoring.

    Subdomain 4.2: Asset management

    explaining acquisition, disposal, assignment, and monitoring/tracking of hardware, software, and data assets.

    Subdomain 4.3: Vulnerability management

    identifying, analyzing, remediating, validating, and reporting vulnerabilities.

    Subdomain 4.4: Alerting and monitoring

    explaining monitoring tools and computing resource activities.

    Subdomain 4.5: Enterprise security

    modifying firewalls, IDS/IPS, DNS filtering, DLP (data loss prevention), NAC (network access control), and EDR/XDR (endpoint/extended detection and response).

    Subdomain 4.6: Identity and access management

    implementing provisioning, SSO (single sign-on), MFA (multifactor authentication), and privileged access tools.

    Subdomain 4.7: Automation and orchestration

    explaining automation use cases, scripting benefits, and considerations.

    Subdomain 4.8: Incident response

    implementing processes, training, testing, root cause analysis, threat hunting, and digital forensics.

    Subdomain 4.9: Data sources

    using log data and other sources to support investigations.

    Domain 5: Security program management and oversight

    Subdomain 5.1: Security governance

    summarizing guidelines, policies, standards, procedures, external considerations, monitoring, governance structures, and roles/responsibilities.

    Subdomain 5.2: Risk management

    explaining risk identification, assessment, analysis, register, tolerance, appetite, strategies, reporting, and business impact analysis (BIA).

    Subdomain 5.3: Third-party risk

    managing vendor assessment, selection, agreements, monitoring, questionnaires, and rules of engagement.

    Subdomain 5.4: Security compliance

    summarizing compliance reporting, consequences of non-compliance, monitoring, and privacy.

    Subdomain 5.5: Audits and assessments

    explaining attestation, internal/external audits, and penetration testing.

    Subdomain 5.6: Security awareness

    implementing phishing training, anomalous behavior recognition, user guidance, reporting, and monitoring.

    Techniques & products

    technical controls
    preventive controls
    managerial controls
    deterrent controls
    operational controls
    detective controls
    physical controls
    corrective controls
    compensating controls
    directive controls
    Confidentiality, Integrity, and Availability (CIA)
    non-repudiation
    Authentication, Authorization, and Accounting (AAA)
    zero trust
    deception/disruption technology
    change management
    Public Key Infrastructure (PKI)
    encryption
    obfuscation
    hashing
    digital signatures
    blockchain
    nation-states
    unskilled attackers
    hacktivists
    insider threats
    organized crime
    shadow IT
    data exfiltration
    espionage
    financial gain
    message-based attacks
    unsecure networks
    social engineering
    file-based attacks
    voice call attacks
    supply chain attacks
    vulnerable software
    application vulnerabilities
    hardware vulnerabilities
    mobile device vulnerabilities
    virtualization vulnerabilities
    operating system (OS)-based vulnerabilities
    cloud-specific vulnerabilities
    web-based vulnerabilities
    malware attacks
    password attacks
    physical attacks
    network attacks
    cryptographic attacks
    segmentation
    access control
    configuration enforcement
    hardening
    isolation
    patching
    on-premises architecture
    cloud architecture
    virtualization
    Internet of Things (IoT)
    industrial control systems (ICS)
    infrastructure as code (IaC)
    enterprise infrastructure security
    data protection
    high availability
    backups
    continuity of operations
    secure baselines
    mobile solutions
    wireless security
    application security
    sandboxing
    monitoring tools
    asset management
    vulnerability management
    firewalls
    IDS/IPS
    DNS filtering
    DLP (data loss prevention)
    NAC (network access control)
    EDR/XDR (endpoint/extended detection and response)
    Identity and Access Management (IAM)
    provisioning
    SSO (single sign-on)
    MFA (multifactor authentication)
    privileged access tools
    automation
    orchestration
    scripting
    incident response
    root cause analysis
    threat hunting
    digital forensics
    log data
    security governance
    risk management
    Business Impact Analysis (BIA)
    third-party risk management
    security compliance
    privacy
    audits
    penetration testing
    security awareness training
    phishing training

    CertSafari is not affiliated with, endorsed by, or officially connected to CompTIA.