CompTIA Security+ PBQ Tips: How to Handle Performance-Based Questions

Security+ PBQs don't have to be scary. Learn what performance-based questions look like, how to approach them, and time management strategies for exam day.

If you're studying for the CompTIA Security+ exam (SY0-701), you've probably heard about PBQs. Maybe they sound intimidating. Maybe you're wondering what they actually are, how many you'll face, and whether you're ready for them.

Here's the good news: PBQs are manageable. In fact, with the right strategy and preparation, they can actually be the most rewarding part of your exam because they test what you really know—not just what you can recognize in a multiple-choice list.

This guide breaks down everything you need to know about Security+ PBQs: what they look like, how many to expect, which topics they cover, and the exact strategies that top performers use to handle them.

What Are Security+ PBQs?

PBQ stands for "Performance-Based Question." These are interactive, hands-on scenarios that test your ability to apply security knowledge in realistic situations.

Unlike multiple-choice questions where you pick the best answer from four options, PBQs require you to do something:

  • Configure a firewall and set up rules for specific traffic
  • Drag and drop network components into a topology
  • Match cryptographic algorithms to their appropriate use cases
  • Analyze security logs and identify anomalies
  • Sort incident response steps in the correct order
  • Fill in a security diagram or complete a scenario

The key difference: PBQs test whether you can think like a security professional—not just whether you've memorized definitions.

How Many PBQs Will You See?

CompTIA does not publish how many PBQs a given exam form contains. Most test-takers report 3 to 5 PBQs out of a maximum of 90 questions on the SY0-701 exam, so prepare for at least 3 and as many as 5.

Here's what's important: PBQs typically appear at the beginning of the exam. You'll log in and might encounter one within the first few questions. This is actually a blessing in disguise once you understand the strategy (more on that below).

Common Types of Security+ PBQs

While the exact format varies, Security+ PBQs typically fall into these categories:

Drag-and-Drop Questions

You're given items on the left and categories, zones, or positions on the right. You drag each item into its correct location. Example: Matching security controls to the CIA triad domains, or placing devices in network zones based on security requirements.

Simulation-Based (Configuration) Questions

You interact with a simplified version of actual security software or tools. You might configure a firewall, set up access controls, adjust authentication settings, or complete a network diagram. These feel closest to real-world scenarios.

Matching and Sorting Questions

You match related items (cryptographic algorithms to their use cases, threats to mitigation strategies) or sort items in the correct order (incident response phases, vulnerability management steps).

Fill-in-the-Blank Scenarios

You're given a partially completed scenario or configuration, and you need to fill in missing details or make selections to complete it correctly.

Multi-Step Problem Solving

Some PBQs require you to work through a scenario step-by-step, with each action affecting subsequent options or revealing new information.

The #1 PBQ Strategy: Skip Them First

Here's the single most important tactical advice for exam day: Flag your PBQs and come back to them after you've completed all your multiple-choice questions.

Why? Because of time efficiency.

  • Multiple-choice questions take approximately 1 minute each
  • PBQs take 5-10 minutes each (sometimes longer)

If you encounter a PBQ early and spend 10 minutes on it, you've used time that could have earned you points on roughly 10 multiple-choice questions. CompTIA does not publish how individual items are weighted, so don't bank on a PBQ being worth much more than an MCQ. The math is simple: spend your time where it earns points fastest, and give the slow items whatever is left.

When you encounter a PBQ:

  1. Read the question so you understand what it's asking
  2. Flag it using the exam interface's marking feature
  3. Move on to the next question
  4. Return after you've completed all other questions

This strategy allows you to:

  • Build momentum and confidence on familiar multiple-choice format
  • Secure points on questions you can answer quickly
  • Reserve focused time for the more demanding PBQs
  • Avoid the panic of rushing through either format

Time Management: The 90-Minute Breakdown

You have 90 minutes for approximately 90 questions. Here's how to allocate that time strategically:

Scenario: 5 PBQs + 85 MCQs

  • MCQs: 60 minutes (~0.7 minutes per question) - Fast and efficient
  • PBQs: 25-30 minutes (~5-6 minutes each) - More deliberate, thoughtful

Scenario: 3 PBQs + 87 MCQs

  • MCQs: 65 minutes (~0.75 minutes per question)
  • PBQs: 20-25 minutes (~7 minutes each)

Buffer: reserve 5-10 minutes to review flagged questions and double-check answers. Notice that the upper ends of the ranges above add up to more than 90 minutes, so plan to the lower ends and treat anything left over as slack.

This approach prevents the common mistake of spending so much time on PBQs that you're forced to rush through MCQs, where you might make careless errors on questions you actually know.

Security+ PBQ Topic Areas

PBQs don't appear randomly. They focus on hands-on, application-level security concepts. Be especially prepared for these areas:

Firewall and ACL Configuration

You might need to create firewall rules that allow specific traffic while blocking others. Understanding network protocols, ports, and the purpose of each rule is essential. Example: "Configure firewall rules to allow HTTPS traffic from the office subnet to a web server while blocking SSH."
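The scenario above comes down to rule order and an implicit deny. The following is an added example, not code from the original article: a first-match packet filter that evaluates a rule list the way a firewall or ACL PBQ expects you to reason about it, with the correct ruleset beside a misordered one that shadows the SSH deny. The office subnet (10.10.0.0/16), the web server address (192.168.50.10) and the probe packets are assumed for illustration.

```python
# Added example (not from the original article): a first-match packet filter that
# evaluates a rule list the way a firewall or router ACL PBQ expects you to reason about it.
# Addresses are assumed for illustration: office subnet 10.10.0.0/16, web server 192.168.50.10.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR notation, or "any"
    dst: str              # destination network in CIDR notation, or "any"
    dport: Optional[int]  # destination port; None matches every port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        """True when every field of the rule matches the packet ('any'/None fields always match)."""
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


OFFICE_SUBNET = "10.10.0.0/16"    # assumed office LAN
WEB_SERVER = "192.168.50.10/32"   # assumed web server

# Correct answer to the scenario: HTTPS from the office only, SSH denied, everything else denied.
CORRECT_RULES: List[Rule] = [
    Rule("allow", "tcp", OFFICE_SUBNET, WEB_SERVER, 443),
    Rule("deny", "tcp", "any", WEB_SERVER, 22),
    Rule("deny", "any", "any", "any", None),  # explicit catch-all; real firewalls apply it implicitly
]

# A common wrong answer: a broad "office to anywhere" allow sits above the SSH deny,
# so office hosts can reach SSH and the deny rule is shadowed (never reached for that traffic).
MISORDERED_RULES: List[Rule] = [
    Rule("allow", "any", OFFICE_SUBNET, "any", None),
    Rule("deny", "tcp", "any", WEB_SERVER, 22),
    Rule("deny", "any", "any", "any", None),
]

# Constructed probe packets: (protocol, source IP, destination IP, destination port)
PROBES: Dict[str, Tuple[str, str, str, Optional[int]]] = {
    "office_https": ("tcp", "10.10.4.25", "192.168.50.10", 443),
    "office_ssh": ("tcp", "10.10.4.25", "192.168.50.10", 22),
    "office_http": ("tcp", "10.10.4.25", "192.168.50.10", 80),
    "internet_https": ("tcp", "203.0.113.7", "192.168.50.10", 443),
}


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int]) -> Tuple[str, Optional[int]]:
    """First match wins: return (action, index of the deciding rule).
    If no rule matches, the packet is implicitly denied and the index is None."""
    for index, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Run every probe through the rule list and report the action taken for each."""
    return {name: evaluate(rules, *packet)[0] for name, packet in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_RULES), ("misordered", MISORDERED_RULES)):
        print(label, decisions(rules))
```

The habit this builds is the one the PBQ grades: place the most specific rules first, put the deny above any broader allow that could swallow it, and remember that traffic matching nothing is dropped by the implicit deny at the end.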

Network Topology and Design

PBQs often ask you to design or complete network diagrams, placing firewalls, DMZs (screened subnets, in SY0-701 terminology), servers, and clients appropriately. Example: "Place these network devices in the correct zones based on security requirements."

Cryptography Matching

Match algorithms or protocols to their appropriate use cases. Example: "Assign each algorithm (AES, RSA, SHA-256) to the scenario where it's most appropriate." Be precise about what each one does: AES is a symmetric cipher for bulk encryption, RSA is an asymmetric algorithm used for key exchange and digital signatures, and SHA-256 is a hash function for integrity checks, not an encryption algorithm. These items are built to catch exactly that confusion.

Security Log Analysis

Interpret security logs, identify anomalies, and classify events. Example: "Review these server logs and identify which entries indicate a potential breach or security incident."
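To make the log-analysis task concrete, here is an added example that is not part of the original article: a small detector run over constructed sshd-style authentication lines. It tabulates failures per source and flags the pattern a PBQ usually wants you to spot, a burst of failed logins from one address followed by a successful login from the same address. The hostnames, addresses and timestamps in the sample log are made up.

```python
# Added example (not from the original article): a small detector run over constructed
# sshd-style authentication log lines. It flags a source that fails repeatedly inside a
# short window (brute force) and a success from that same source afterwards, which is the
# pattern a log-analysis PBQ typically asks you to spot. Hostnames and addresses are made up.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed sample log (syslog-style sshd messages); not real data.
SAMPLE_LOG = """\
Mar 14 02:11:03 web01 sshd[4012]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar 14 02:11:05 web01 sshd[4012]: Failed password for invalid user admin from 198.51.100.23 port 51236 ssh2
Mar 14 02:11:08 web01 sshd[4013]: Failed password for root from 198.51.100.23 port 51238 ssh2
Mar 14 02:11:10 web01 sshd[4013]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Mar 14 02:11:13 web01 sshd[4014]: Failed password for deploy from 198.51.100.23 port 51242 ssh2
Mar 14 02:11:20 web01 sshd[4050]: Accepted password for deploy from 198.51.100.23 port 51250 ssh2
Mar 14 02:30:41 web01 sshd[4102]: Accepted publickey for alice from 10.10.4.25 port 60011 ssh2
Mar 14 02:31:02 web01 sshd[4110]: Failed password for bob from 10.10.4.30 port 60020 ssh2
Mar 14 02:31:09 web01 sshd[4110]: Accepted password for bob from 10.10.4.30 port 60020 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


@dataclass
class Event:
    ts: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    src_ip: str


@dataclass
class Finding:
    kind: str      # "brute_force" or "success_after_brute_force"
    src_ip: str
    user: str
    ts: datetime


def parse_line(line: str) -> Optional[Event]:
    """Parse one sshd auth line; lines that do not match the pattern are ignored (None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return Event(ts, m["outcome"], m["user"], m["ip"])


def analyze(lines: List[str], threshold: int = 4,
            window: timedelta = timedelta(minutes=2)) -> List[Finding]:
    """Sliding-window detection per source IP.
    - `threshold` failures inside `window` raises brute_force (once, when the threshold is crossed).
    - An Accepted event while the window still holds >= threshold failures raises
      success_after_brute_force, the entry that most likely indicates a compromised account."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e.ts)
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: List[Finding] = []
    for ev in events:
        q = recent_failures[ev.src_ip]
        while q and ev.ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if ev.outcome == "Failed":
            q.append(ev.ts)
            if len(q) == threshold:
                findings.append(Finding("brute_force", ev.src_ip, ev.user, ev.ts))
        elif len(q) >= threshold:
            findings.append(Finding("success_after_brute_force", ev.src_ip, ev.user, ev.ts))
    return findings


def failures_per_ip(lines: List[str]) -> Dict[str, int]:
    """Count failed logins by source, the first thing to tabulate when reading such a log."""
    counts: Dict[str, int] = defaultdict(int)
    for ev in (parse_line(l) for l in lines):
        if ev and ev.outcome == "Failed":
            counts[ev.src_ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts:%b %d %H:%M:%S} {f.kind:<26} src={f.src_ip} user={f.user}")
```

Note what the detector does not flag: bob's single typo followed by a success from an internal address is normal, and alice's key-based login has no failures at all. Telling those apart from the 198.51.100.23 sequence is the judgment a log PBQ is testing.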

Incident Response Ordering

Arrange incident response phases or steps in the correct sequence. Example: "Order these incident response steps: containment, eradication, detection, preparation, recovery." Know the full SY0-701 process (preparation, detection, analysis, containment, eradication, recovery, lessons learned), since a question may present any subset of it.

Authentication and Authorization Configuration

Configure multi-factor authentication, role-based access control, or authentication protocols. Example: "Set up authentication requirements for users accessing sensitive company data."
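The following is an added example, not part of the original article, showing the policy such a scenario asks you to assemble: a deny-by-default authorization check that combines role-based access control with an MFA requirement for sensitive data, plus a network restriction on writes. The roles, resources, classifications and corporate network range (10.10.0.0/16) are assumed for illustration.

```python
# Added example (not from the original article): a deny-by-default authorization check that
# combines role-based access control with an MFA requirement for sensitive data, the kind of
# policy an authentication/authorization PBQ asks you to assemble. Roles, resources,
# classifications and the corporate network range are assumed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set

# Assumed role -> permission mapping (permission = "<resource>:<action>").
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"reports:read"},
    "finance": {"reports:read", "payroll:read", "payroll:write"},
    "admin": {"reports:read", "reports:write", "payroll:read", "payroll:write", "users:write"},
}

# Assumed data classification per resource.
RESOURCE_CLASSIFICATION: Dict[str, str] = {
    "reports": "internal",
    "payroll": "confidential",
    "users": "confidential",
}

CORPORATE_NETWORK = ipaddress.ip_network("10.10.0.0/16")  # assumed


@dataclass
class Session:
    user: str
    roles: Set[str] = field(default_factory=set)
    mfa_verified: bool = False      # set only after a second factor has been checked
    src_ip: str = "0.0.0.0"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_for(session: Session) -> Set[str]:
    """Union of the permissions granted by every role the session holds (unknown roles grant nothing)."""
    granted: Set[str] = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(session: Session, resource: str, action: str) -> Decision:
    """Evaluate in order; each rule is a reason to deny, and the default is deny.
    1. RBAC: the action must be granted by one of the user's roles.
    2. Confidential data requires a verified second factor.
    3. Writes to confidential data must also originate from the corporate network."""
    permission = f"{resource}:{action}"
    if permission not in permissions_for(session):
        return Decision(False, "no_permission")
    # Unknown resources are treated as confidential: fail closed, not open.
    classification = RESOURCE_CLASSIFICATION.get(resource, "confidential")
    if classification == "confidential":
        if not session.mfa_verified:
            return Decision(False, "mfa_required")
        if action == "write" and ipaddress.ip_address(session.src_ip) not in CORPORATE_NETWORK:
            return Decision(False, "corporate_network_required")
    return Decision(True, "granted")


if __name__ == "__main__":
    carol = Session("carol", {"finance"}, mfa_verified=False, src_ip="203.0.113.9")
    print(authorize(carol, "payroll", "read"))    # denied: mfa_required
    carol.mfa_verified = True
    print(authorize(carol, "payroll", "read"))    # granted
    print(authorize(carol, "payroll", "write"))   # denied: corporate_network_required
```

Two design points carry over to the exam: authentication (the second factor) and authorization (the role check) are separate decisions, and every path through the policy that is not an explicit grant ends in a deny, including unknown roles and unknown resources.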

How to Prepare for Security+ PBQs

PBQ preparation is different from traditional test prep. Here's what actually works:

Build Conceptual Understanding (Not Memorization)

PBQs test whether you understand why security controls exist, not just what they're called. When you know why a particular firewall rule blocks certain traffic, you can configure similar rules in a PBQ scenario.

Focus on:

  • Principles: Why is network segmentation important? When would you use encryption?
  • Trade-offs: When do you prioritize availability over confidentiality?
  • Real-world applications: How do these concepts work in actual security environments?

Practice with Scenario-Based Questions

Generic flashcards won't prepare you for PBQs. Use study materials that include:

  • Detailed practice questions with comprehensive explanations (not just answer keys)
  • Scenario-based questions where you must apply knowledge to realistic situations
  • Interactive elements that simulate decision-making

LearnZapp's Security+ practice question bank includes 1,543 practice questions with in-depth explanations, designed to build the conceptual foundation that translates directly to PBQ success. Each question reinforces not just the answer, but the reasoning behind it.

Understand the "Why"

For every security concept, ask yourself: "Why does this matter? In what situation would I use this?"

For example:

  • "Why would I block ICMP?" (To blunt reconnaissance such as ping sweeps and ICMP-based denial of service. In practice you filter specific types, such as echo request at the perimeter, rather than dropping all ICMP, because some types are needed for path MTU discovery.)
  • "Why put internet-facing servers in a DMZ (screened subnet) rather than on the internal LAN?" (So that a compromised public server has no direct path to internal systems, which contains the breach and limits lateral movement)
  • "Why require multi-factor authentication?" (To prevent account compromise even if passwords are stolen)

When you can answer the "why," you're ready for any variation of PBQ the exam throws at you.

Partial Credit and Incomplete Answers

Here's an encouraging reality: CompTIA PBQs may award partial credit. You don't have to be perfect.

If a PBQ asks you to configure five firewall rules and you confidently complete three while being unsure about two, you can still earn credit for the three you got right. Blank fields earn nothing, but partial understanding still counts.

This means: Never leave a PBQ completely blank. Fill in what you can and make educated guesses based on your knowledge. Credit for the parts you get right beats zero.

Common PBQ Mistakes (and How to Avoid Them)

1. Spending Too Long on One PBQ

You have about 7 minutes per PBQ, not 20. If you're stuck, make your best attempt and move on. Don't let one PBQ cost you points on several MCQs.

2. Not Reading Instructions Carefully

PBQs have specific instructions. Read them completely before you start dragging, clicking, or configuring. A single misread instruction can make you solve the wrong problem.

3. Overthinking

PBQs are usually more straightforward than they initially appear. If you've studied the domain well, your first instinct is often correct. Second-guessing yourself leads to changing right answers to wrong ones.

4. Leaving PBQs Blank

As mentioned, partial credit exists. Even a partial attempt is worth points. There's no penalty for a wrong answer on the Security+ exam.

5. Ignoring Time Limits

Keep one eye on the clock. If you have a 5-minute-per-PBQ budget and you're halfway through with 3 minutes left, wrap up and move to the next one.

How Practice Questions Build PBQ Readiness

You might be thinking: "Can I practice PBQs directly?"

The reality is nuanced. Most study platforms can't perfectly replicate the exact PBQ interface you'll see on exam day—that's CompTIA's proprietary software. However, quality practice questions build the conceptual foundation you absolutely need.

Here's the connection:

  • A practice question about firewall rules teaches you the logic behind access control lists
  • A practice question about cryptography teaches you when to use encryption vs. hashing
  • A practice question about network security teaches you segmentation principles

When exam day arrives and you face an actual PBQ, you're not starting from scratch. You've already worked through the concepts dozens of times. You understand the principles. You can apply them to a new scenario.

This is why comprehensive study materials matter. The 1,543 practice questions and 320 study articles available through LearnZapp's Security+ program are designed to build exactly this depth of understanding. Each question reinforces the conceptual knowledge you'll apply during PBQs.

Final Thoughts: PBQs Are Your Strength

Many test-takers worry about PBQs. Here's the perspective that changes everything: PBQs reward deep understanding.

If you've genuinely learned the material—if you understand not just the what but the why—PBQs are actually easier than MCQs. There's no trick answer. There's no confusing distractor. It's just you, your knowledge, and a scenario that asks you to apply what you know.

Meanwhile, people who memorized without understanding often struggle with PBQs. So if you've invested time in real learning, PBQs are your advantage.

On exam day:

  1. Stay calm when you encounter that first PBQ
  2. Read the instructions thoroughly
  3. Flag it and move on to build your time buffer
  4. Return with a fresh mind and enough time to do it right
  5. Apply what you've learned—trust your preparation

You've got this. The strategy is sound, the preparation is clear, and PBQs are absolutely manageable with the right approach.


Ready to build the conceptual understanding that PBQs require? Take a free Security+ diagnostic test through LearnZapp. No signup required. See where you stand and identify the areas where deeper practice will make the biggest difference.
