CompTIA Security+ · SY0-701 · 2026 · Quick Reference
CompTIA Security+ Cheat Sheet
Every cryptography algorithm, threat and attack type, IAM concept, PKI term, network security control, incident response step, and compliance framework you need for the SY0-701 exam — on one page.
🔐 Cryptography
⚡ Exam tip: Know symmetric vs asymmetric, which algorithms are weak vs strong, and what each is used for. AES = encryption, SHA = hashing, RSA = key exchange/signatures. These distinctions appear constantly.
| Algorithm | Type | Key Size | Use Case | Exam Note |
|---|
| AES | Symmetric | 128 / 192 / 256-bit | Bulk data encryption | Current standard — AES-256 strongest |
| 3DES | Symmetric | 112 / 168-bit | Legacy encryption | Deprecated — being phased out |
| DES | Symmetric | 56-bit | Legacy | Weak — considered broken |
| RSA | Asymmetric | 2048 / 4096-bit | Key exchange, digital signatures | 2048-bit minimum; slow for bulk data |
| ECC | Asymmetric | 256-bit ≈ RSA 3072 | Mobile, IoT, TLS | Same security as RSA with smaller keys |
| Diffie-Hellman | Asymmetric | — | Key exchange only | DH = static; DHE = ephemeral (forward secrecy) |
| MD5 | Hash | 128-bit output | Legacy integrity check | Broken — collision vulnerable, do not use |
| SHA-1 | Hash | 160-bit output | Legacy | Deprecated — weak, replaced by SHA-2 |
| SHA-256 | Hash | 256-bit output | File integrity, certificates | SHA-2 family — current standard |
| SHA-3 | Hash | Variable | High-security hashing | Different design from SHA-2; backup standard |
| HMAC | Hash + Key | — | Message authentication | Hash + secret key = proves integrity AND authenticity |
| PBKDF2 / bcrypt | Key Derivation | — | Password hashing | Slow by design — defeats brute force |
Symmetric vs Asymmetric
- Symmetric Same key encrypts + decrypts
- Asymmetric Public key encrypts, private decrypts
- Symmetric is faster Used for bulk data
- Asymmetric is slower Used for key exchange
- Hybrid (TLS) Asymmetric to share symmetric key
Encryption Modes (AES)
- ECB Weak — same block = same cipher
- CBC IV + XOR — common, sequential
- CTR Stream mode, parallelisable
- GCM Authenticated encryption — preferred
- OFB / CFB Stream-like from block cipher
Forward Secrecy: DHE and ECDHE generate a new session key for every connection. If the server's private key is later compromised, past sessions cannot be decrypted. Required for PFS (Perfect Forward Secrecy).
⚠️ Threats & Attacks
⚡ Exam tip: Security+ SY0-701 heavily tests threat categories. Know: social engineering indicators, malware types, application attacks (SQLi, XSS, buffer overflow), and network attacks (MitM, replay, DoS/DDoS).
| Attack / Threat | Category | How It Works | Key Defence |
|---|
| Phishing | Social Engineering | Fraudulent email impersonating trusted entity | Email filtering, user training, SPF/DKIM/DMARC |
| Spear Phishing | Social Engineering | Targeted phishing using personal info | MFA, security awareness training |
| Whaling | Social Engineering | Phishing targeting executives (CFO, CEO) | Out-of-band verification for wire transfers |
| Vishing | Social Engineering | Voice phishing via phone call | Call-back verification procedures |
| Smishing | Social Engineering | SMS phishing with malicious links | User training, MDM, URL filtering |
| Pretexting | Social Engineering | Fabricated scenario to extract info | Identity verification procedures |
| Tailgating / Piggybacking | Physical | Following authorised person through secure door | Mantraps, security guards, access cards |
| Ransomware | Malware | Encrypts files, demands payment for key | Offline backups (3-2-1 rule), patch management |
| Trojan Horse | Malware | Malicious code disguised as legitimate software | Application whitelisting, AV |
| Rootkit | Malware | Hides itself at OS/firmware level | Secure Boot, TPM, OS reinstall |
| Keylogger | Malware | Records keystrokes to capture credentials | MFA, virtual keyboards, EDR |
| RAT | Malware | Remote Access Trojan — gives attacker control | Endpoint protection, network monitoring |
| Worm | Malware | Self-replicates across network without user action | Network segmentation, patching |
| SQL Injection | Application | Malicious SQL in input fields queries DB directly | Parameterised queries, input validation, WAF |
| XSS | Application | Injects scripts into web pages viewed by users | Output encoding, CSP headers, WAF |
| CSRF | Application | Forces authenticated user to submit malicious request | CSRF tokens, SameSite cookie flag |
| Buffer Overflow | Application | Overwrites memory to execute arbitrary code | ASLR, DEP, input validation, safe coding |
| Man-in-the-Middle | Network | Intercepts communication between two parties | TLS/HTTPS, certificate pinning, MFA |
| Replay Attack | Network | Captures and re-sends valid authentication tokens | Nonces, timestamps, session tokens |
| DoS / DDoS | Network | Floods target with traffic to cause outage | Rate limiting, CDN, scrubbing centres |
| DNS Poisoning | Network | Corrupts DNS cache to redirect users | DNSSEC, secure resolvers |
| ARP Spoofing | Network | Links attacker MAC to legitimate IP | Dynamic ARP Inspection (DAI), static ARP |
| Pass-the-Hash | Credential | Uses captured NTLM hash without cracking it | Privileged Access Workstations, Credential Guard |
| Kerberoasting | Credential | Requests service tickets to crack offline | Long service account passwords, AES encryption |
| Brute Force | Credential | Tries all password combinations | Account lockout, MFA, long passwords |
| Rainbow Table | Credential | Pre-computed hash lookup table | Password salting defeats rainbow tables |
🛡️ Network Security Controls
| Control | What It Does | Exam Key Fact |
|---|
| Firewall | Filters traffic by port, IP, protocol | Stateful = tracks connections; stateless = packet-by-packet |
| NGFW | Next-Gen Firewall — adds DPI, IPS, app awareness | Operates at Layer 7; understands application context |
| IDS | Intrusion Detection System — alerts only | Passive — detects and logs, does NOT block |
| IPS | Intrusion Prevention System — blocks inline | Active — sits inline, can drop malicious packets |
| WAF | Web Application Firewall — filters HTTP/S | Protects against SQLi, XSS, CSRF at app layer |
| SIEM | Security Info & Event Management — aggregates logs | Correlates events from multiple sources; used for forensics |
| SOAR | Security Orchestration, Automation & Response | Automates incident response playbooks; extends SIEM |
| NAC | Network Access Control — checks device posture | Quarantines non-compliant devices before granting access |
| Honeypot | Decoy system to attract and study attackers | No legitimate traffic should reach it — any access = alert |
| DMZ | Demilitarised Zone — buffer between internet and LAN | Public-facing servers (web, email) placed here |
| VPN | Encrypted tunnel over untrusted network | Site-to-site vs remote access; split tunnel = partial routing |
| Zero Trust | Never trust, always verify — no implicit trust by network | Microsegmentation + identity verification at every hop |
| SD-WAN | Software-defined WAN with centralised control | Encrypts branch traffic; replaces MPLS in modern networks |
IDS vs IPS exam trap: IDS = passive monitoring, generates alerts. IPS = active, sits inline, drops packets. NIDS/NIPS = network-based. HIDS/HIPS = host-based. Know which generates false positives (both can) and which can block (only IPS).
👤 Identity & Access Management (IAM)
| Concept | Definition | Exam Key Fact |
|---|
| Authentication | Proving identity (who you are) | Something you know / have / are |
| Authorisation | Granting permissions (what you can do) | Happens AFTER authentication |
| Accounting | Logging and auditing activity | AAA = Authentication, Authorisation, Accounting |
| MFA | Multi-Factor Authentication — 2+ factor types | Two of the same type = NOT MFA (two passwords = single factor) |
| TOTP | Time-based One-Time Password | Changes every 30s — Google Authenticator, Microsoft Authenticator |
| HOTP | HMAC-based One-Time Password | Counter-based — valid until used, not time-limited |
| SSO | Single Sign-On — one login for multiple systems | Reduces password fatigue; SAML and OIDC are common protocols |
| SAML | Security Assertion Markup Language | XML-based SSO for web apps; IdP issues assertion to SP |
| OAuth 2.0 | Authorisation framework — delegates access | Used for "Login with Google" — grants access tokens, not identity |
| OIDC | OpenID Connect — identity layer on OAuth 2.0 | Adds authentication to OAuth; returns ID token with user info |
| DAC | Discretionary Access Control | Owner controls permissions — most flexible, least secure |
| MAC | Mandatory Access Control | Labels/classifications enforced by OS — most rigid |
| RBAC | Role-Based Access Control | Permissions assigned to roles, users assigned to roles |
| ABAC | Attribute-Based Access Control | Policy based on user + resource + environment attributes |
| PoLP | Principle of Least Privilege | Grant minimum access needed — applies to users AND services |
| Separation of Duties | No single person controls entire process | Example: person who requests payment ≠ person who approves it |
| PAM | Privileged Access Management | Controls and audits admin/privileged accounts specifically |
| Federation | Trusts identities from external organisations | IdP + SP relationship — used in B2B and cloud SSO |
📜 PKI & Certificates
⚡ Exam tip: PKI questions test the chain of trust. Know: CA hierarchy (Root → Intermediate → End-entity), what each certificate field means, and what happens during TLS handshake. Certificate pinning and CT logs appear in SY0-701.
| Term | Definition | Exam Note |
|---|
| PKI | Public Key Infrastructure — framework for managing digital certs | Binds public keys to identities via digital signatures |
| CA | Certificate Authority — issues and signs certificates | Root CA → Intermediate CA → End-entity cert chain |
| Root CA | Top of the trust hierarchy — self-signed | Kept offline (air-gapped) to protect private key |
| Intermediate CA | Issues certs on behalf of root CA | Online; if compromised, root CA can revoke it |
| CSR | Certificate Signing Request | Entity generates key pair, sends public key + info to CA |
| X.509 | Standard format for digital certificates | Contains: subject, issuer, public key, validity period, signature |
| SAN | Subject Alternative Name | One cert covers multiple domains (replaces CN for multi-domain) |
| Wildcard Cert | *.example.com covers all subdomains | One level only — *.example.com ≠ *.sub.example.com |
| CRL | Certificate Revocation List | Published list of revoked certs; must be downloaded and checked |
| OCSP | Online Certificate Status Protocol | Real-time revocation check; OCSP stapling = server includes proof |
| Certificate Pinning | App hardcodes expected certificate/key | Prevents MitM even with valid but malicious CA cert |
| CT Logs | Certificate Transparency — public append-only log | Browsers require CT — detects mis-issued certificates |
TLS Handshake — Simplified
1. Client Hello → TLS version, cipher suites, random nonce
2. Server Hello → Chosen cipher suite, server certificate
3. Certificate → Client verifies cert chain, validity, revocation
4. Key Exchange → ECDHE: ephemeral keys exchanged (forward secrecy)
5. Session Keys → Both sides derive symmetric session key (AES)
6. Finished → Encrypted handshake verified — data transfer begins
# Asymmetric crypto used ONLY for key exchange — symmetric AES encrypts actual data
🔍 Vulnerability Management
| Term | Definition | Exam Note |
|---|
| CVE | Common Vulnerabilities & Exposures — unique vuln IDs | CVE-YEAR-NUMBER format; published by NVD |
| CVSS | Common Vulnerability Scoring System — 0–10 severity | Critical = 9.0–10.0; High = 7.0–8.9; Medium = 4.0–6.9 |
| Zero-Day | Vulnerability with no patch available yet | No vendor fix exists — highest risk; IOC monitoring critical |
| Patch Management | Process of testing and applying software updates | Identify → Test → Deploy → Verify; test before production |
| Vulnerability Scan | Automated scan to identify known vulnerabilities | Non-invasive; credentialed scan = more thorough |
| Penetration Test | Authorised simulated attack to find exploitable vulns | Active exploitation; requires written authorisation (RoE) |
| Red Team | Offensive security team simulating real attackers | Full attack simulation; blue team defends; purple team = both |
| Threat Intelligence | Knowledge about current threats, TTPs, indicators | IOC = Indicator of Compromise; TTPs = Tactics, Techniques, Procedures |
| Attack Surface | All points where attacker could try to enter | Reduce by disabling unused services, ports, accounts |
| Supply Chain Attack | Compromising software/hardware before delivery | SolarWinds = classic example; trust the vendor chain |
🚨 Incident Response
⚡ Exam tip: Know the NIST IR lifecycle and the order of steps. Containment comes before eradication. Documentation happens throughout. Chain of custody is critical for forensics evidence admissibility.
NIST Incident Response Lifecycle
Phase 1: Preparation → IR plan, tools, training, communication contacts
Phase 2: Detection → Identify incident via SIEM, IDS, user reports
Phase 3: Containment → Short-term (isolate) + long-term (patch, rebuild)
Phase 4: Eradication → Remove malware, close attack vectors, patch
Phase 5: Recovery → Restore from clean backups, monitor for re-infection
Phase 6: Lessons Learned → Post-incident review, update IR plan
# Order matters on the exam — Containment BEFORE Eradication BEFORE Recovery
Digital Forensics Order of Volatility
- 1. CPU registers + cache Most volatile
- 2. RAM / running processes Volatile
- 3. Network connections Volatile
- 4. Running processes / temp files Volatile
- 5. Disk storage Persistent
- 6. Remote / cloud logs Least volatile
Evidence Handling
- Chain of custody Tracks who touched evidence
- Legal hold Preserve data — do not delete
- Bit-for-bit image Never work on original
- Hash verification MD5/SHA to prove integrity
- Write blockers Prevent altering disk evidence
📋 Frameworks, Regulations & Compliance
| Framework / Regulation | Who / What | Key Requirement |
|---|
| NIST CSF | US voluntary cybersecurity framework | 5 functions: Identify, Protect, Detect, Respond, Recover |
| NIST SP 800-53 | US federal security controls catalogue | Required for federal agencies; used as baseline globally |
| ISO 27001 | International ISMS standard | Risk-based; certifiable; Annex A = 93 security controls |
| PCI DSS | Payment Card Industry — card data security | 12 requirements; applies to any org storing/processing cards |
| HIPAA | US healthcare — PHI protection | Administrative, physical, and technical safeguards required |
| GDPR | EU — personal data protection | 72-hour breach notification; right to erasure; data minimisation |
| SOC 2 | AICPA — service org controls audit | 5 Trust Service Criteria: Security, Availability, Integrity, Confidentiality, Privacy |
| MITRE ATT&CK | Adversary tactics and techniques matrix | TTPs mapped to real threat actors; used for threat hunting |
| Cyber Kill Chain | Lockheed Martin 7-phase attack model | Recon → Weaponise → Deliver → Exploit → Install → C2 → Act |
| OWASP Top 10 | Web application security risks | Top risks: Broken Access Control, Injection, Crypto Failures |
📶 Wireless Security
| Protocol | Encryption | Auth | Status | Exam Note |
|---|
| WEP | RC4 (40-bit) | Shared key | Broken | Crackable in minutes — never use |
| WPA | TKIP (RC4) | PSK / Enterprise | Deprecated | TKIP is weak — replaced by WPA2 |
| WPA2-Personal | AES-CCMP | PSK | Acceptable | Vulnerable to PMKID attack; minimum standard |
| WPA2-Enterprise | AES-CCMP | 802.1X / RADIUS | Recommended | Per-user auth — much stronger than PSK |
| WPA3-Personal | AES-GCMP-256 | SAE | Current Standard | SAE replaces PSK — forward secrecy, offline attack resistant |
| WPA3-Enterprise | AES-GCMP-256 | 802.1X / RADIUS | Strongest | 192-bit mode available; required for high-security environments |
Wireless Attacks
- Evil Twin Rogue AP mimics legitimate SSID
- Deauth Attack Forces clients to reconnect (capture handshake)
- PMKID Attack Cracks WPA2-Personal without handshake
- WPS PIN Attack Brute forces 8-digit WPS PIN
- Wardriving Scanning for open/weak Wi-Fi networks
Wireless Defences
- WPA3-Enterprise Strongest option
- Disable WPS Eliminates WPS PIN attack
- 802.1X / RADIUS Per-user authentication
- WIDS Wireless Intrusion Detection
- Site survey Detect rogue APs
📖 Key Acronyms
| Acronym | Full Name | One-Line Description |
|---|
| AAA | Authentication, Authorisation, Accounting | Security services framework — RADIUS and TACACS+ implement AAA |
| ACL | Access Control List | Ordered rules permitting or denying traffic / access |
| APT | Advanced Persistent Threat | Long-term, targeted attack — often nation-state actors |
| BCP | Business Continuity Plan | Keeps operations running during and after a disaster |
| CIA | Confidentiality, Integrity, Availability | The three core security principles — every control maps to one |
| DLP | Data Loss Prevention | Prevents sensitive data leaving the organisation |
| DRP | Disaster Recovery Plan | Restores IT systems after a disaster; subset of BCP |
| EDR | Endpoint Detection and Response | Advanced endpoint protection with behaviour analysis |
| FIM | File Integrity Monitoring | Alerts when critical files are changed unexpectedly |
| HSM | Hardware Security Module | Dedicated hardware for cryptographic key storage |
| IOC | Indicator of Compromise | Evidence of a breach — hashes, IPs, domains, registry keys |
| MFA | Multi-Factor Authentication | 2+ factors from different categories (know/have/are) |
| MTD | Maximum Tolerable Downtime | Longest acceptable outage before serious business impact |
| RBAC | Role-Based Access Control | Access permissions tied to job roles, not individuals |
| RPO | Recovery Point Objective | Maximum data loss acceptable — drives backup frequency |
| RTO | Recovery Time Objective | Maximum time to restore a system after failure |
| SIEM | Security Information & Event Management | Aggregates and correlates logs for threat detection |
| SOC | Security Operations Centre | Team monitoring and responding to security events 24/7 |
| TTP | Tactics, Techniques, and Procedures | How attackers operate — mapped in MITRE ATT&CK |
| XDR | Extended Detection and Response | EDR extended across network, cloud, email — unified view |
RPO vs RTO exam trap: RPO = how much data you can afford to lose (drives backup schedule). RTO = how fast you need to recover (drives DR infrastructure investment). MTD = the absolute maximum downtime before the business fails — RTO must be less than MTD.
Ready to Pass Security+?
See the best study resources, practice exams, and courses for the SY0-701 exam.
View Security+ Resources →