If you're studying for the CompTIA Security+ SY0-701 exam, you've probably already realized that the difference between passing and failing isn't just about knowing the facts—it's about understanding why those facts matter in real security scenarios.
Every question on the Security+ exam is scenario-based, which means you're not memorizing isolated concepts. Instead, you're learning to think like a security professional. When you see a practice question, the real learning happens when you dig into the explanation, not just when you check whether you got it right or wrong.
In this post, we'll walk through five original sample questions—one from each of the five Security+ exam domains—and break down exactly why each answer is correct (or incorrect). These walkthroughs will show you how the best practice questions teach deeper understanding, not just test recall.
Why Detailed Explanations Matter
Before we dive into the questions, let's talk about why explanation-driven learning works better than score-chasing. When you encounter a Security+ question you get wrong, your impulse might be to memorize the correct answer so you don't miss it next time. But that's studying for the test, not studying for the job.
Real security work requires you to recognize patterns. A vulnerability scanner flagged a port as open—why is that a risk? A new access control policy was proposed—which model does it use, and what are the trade-offs? A compliance audit revealed non-compliance—what's the remediation path?
When you study with detailed explanations, you're building mental frameworks. You're learning not just what the answer is, but when and why it applies. That's the difference between a test score and actual security competence.
Domain 1: General Security Concepts
Domain 1 covers 12% of the exam and focuses on foundational security principles, controls, and risk management frameworks.
Sample Question 1: Identifying Control Types in a Remediation Strategy
A manufacturing company discovers that employees regularly leave sensitive documents on unattended desks. The security team implements three responses:
- Installing locked filing cabinets to physically store documents
- Creating a mandatory clean-desk policy and conducting monthly audits
- Reducing the number of printed documents by moving to a paperless workflow
How should these three controls be classified?
A) Preventive, detective, and corrective controls
B) Preventive, preventive, and corrective controls
C) Detective, preventive, and corrective controls
D) Corrective, detective, and preventive controls
The Correct Answer: B
Why This Answer Is Right:
This question tests your understanding of the three major control categories and how they function:
Locked filing cabinets = Preventive control. Locked cabinets prevent unauthorized access to documents by making it physically difficult (or impossible without a key) to reach them. Preventive controls stop unwanted events before they occur.
Clean-desk policy with audits = Preventive control. While audits might sound like a detective control, the emphasis here is on enforcing the policy, with the monthly audits serving to catch and deter ongoing violations. The policy itself prevents the behavior; the audits ensure compliance. In this scenario, the audits are part of the prevention strategy, not a standalone detection mechanism.
Moving to paperless workflow = Corrective control. This addresses the root cause of the problem and eliminates the threat entirely. Corrective controls fix a vulnerability or reduce risk by changing the underlying process.
Why the Other Answers Are Wrong
A) Preventive, detective, and corrective controls
This incorrectly labels the clean-desk policy with audits as a detective control. While audits do have a detective element, when they are paired with a policy that employees are expected to follow, the mechanism as a whole functions preventively. Detective controls are designed to identify violations that have already occurred (like reviewing CCTV footage after a breach). The audits here ensure ongoing compliance, which is a preventive function.
C) Detective, preventive, and corrective controls
This misclassifies the locked filing cabinet as a detective control. Locked cabinets don't detect anything—they prevent access. A detective control would be something like motion sensors that alert security staff when someone is at the filing cabinet after hours.
D) Corrective, detective, and preventive controls
This reverses the logic entirely. Locked cabinets aren't corrective; they're the first line of defense. A corrective control wouldn't install cabinets—it would address why documents were left unattended in the first place.
Study Tip for Domain 1
Remember the three-part framework: Preventive stops it, detective finds it, corrective fixes it. When you see a control in a scenario, ask yourself: Does this stop the problem before it happens? Does this find the problem after it happens? Or does this fix the root cause? This framework applies to nearly every Domain 1 question.
Domain 2: Threats, Vulnerabilities, and Mitigations
Domain 2 accounts for 22% of the exam and covers threat actors, attack methods, and mitigation strategies.
Sample Question 2: Identifying an Attack Vector from Behavioral Indicators
A financial services company's security team notices unusual activity on their Active Directory domain controller. Log analysis reveals:
- Multiple failed login attempts from different source IPs targeting service accounts
- Failed attempts continue for 30 seconds after each batch
- The attempts use common passwords from known password lists
- No suspicious lateral movement or privilege escalation follows the failed attempts
What type of attack is most likely being attempted?
A) Brute force attack
B) Dictionary attack
C) Rainbow table attack
D) Pass-the-hash attack
The Correct Answer: B
Why This Answer Is Right:
This scenario contains several key indicators of a dictionary attack:
Common passwords from known lists — This is the defining characteristic of a dictionary attack. The attacker is using pre-compiled lists of commonly used passwords (like "password123", "letmein", etc.) rather than systematically trying every possible character combination.
Multiple source IPs — The attacker is likely using multiple machines or a botnet to spread the attack across different IPs, avoiding detection and lockout thresholds that might trigger on a single IP.
30-second intervals — This suggests the attacker is pacing their attempts to avoid triggering account lockout policies, which is common in dictionary attacks against systems with weak account lockout configurations.
No follow-up activity — The attacker isn't getting in (the attempts are failing), so there's no lateral movement or privilege escalation. This indicates they're still in the reconnaissance/access phase.
Dictionary attacks are successful against systems with weak password policies or users who choose common passwords. The attacker doesn't need to guess every possible combination—just the ones that are statistically most likely.
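The indicators listed above can be turned into a detection check. The following Go program is an added example, not part of the original post: it parses constructed log records in a simplified format (the `account=`/`src=`/`result=` fields, the `svc_backup` and `jdoe` names and the addresses are all invented for the example), groups failures per account, and flags accounts hit from several source IPs with 30-second pauses between bursts; the thresholds of 3 source IPs and 5 attempts are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample records (not real DC logs): "<RFC3339> account=<name> src=<ip> result=<FAILURE|SUCCESS>".
const SampleLog = `2024-05-01T02:00:00Z account=svc_backup src=203.0.113.10 result=FAILURE
2024-05-01T02:00:01Z account=svc_backup src=203.0.113.11 result=FAILURE
2024-05-01T02:00:02Z account=svc_backup src=198.51.100.7 result=FAILURE
2024-05-01T02:00:35Z account=svc_backup src=203.0.113.10 result=FAILURE
2024-05-01T02:00:36Z account=svc_backup src=198.51.100.8 result=FAILURE
2024-05-01T02:00:40Z account=jdoe src=10.0.0.5 result=FAILURE
2024-05-01T02:00:45Z account=jdoe src=10.0.0.5 result=SUCCESS`

// Finding summarises, per targeted account, the indicators the post lists.
type Finding struct {
	Account     string
	Attempts    int // failed logons against this account
	DistinctIPs int // distinct source addresses seen
	Pauses      int // gaps of 30s or more between consecutive failures
}

type failure struct {
	when time.Time
	ip   string
}

// parseFailures keeps only well-formed FAILURE records, grouped by account.
func parseFailures(log string) map[string][]failure {
	out := map[string][]failure{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] != "result=FAILURE" {
			continue
		}
		if ts, err := time.Parse(time.RFC3339, f[0]); err == nil {
			acct := strings.TrimPrefix(f[1], "account=")
			out[acct] = append(out[acct], failure{ts, strings.TrimPrefix(f[2], "src=")})
		}
	}
	return out
}

// DetectGuessing flags accounts with at least minAttempts failures spread over
// at least minIPs sources, counting 30-second pauses that suggest lockout evasion.
func DetectGuessing(log string, minIPs, minAttempts int) []Finding {
	var findings []Finding
	for acct, evs := range parseFailures(log) {
		sort.Slice(evs, func(i, j int) bool { return evs[i].when.Before(evs[j].when) })
		ips, pauses := map[string]bool{}, 0
		for i, e := range evs {
			ips[e.ip] = true
			if i > 0 && e.when.Sub(evs[i-1].when) >= 30*time.Second {
				pauses++
			}
		}
		if len(ips) >= minIPs && len(evs) >= minAttempts {
			findings = append(findings, Finding{acct, len(evs), len(ips), pauses})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Account < findings[j].Account })
	return findings
}

func main() { fmt.Println(DetectGuessing(SampleLog, 3, 5)) }
```

The single user account with one failure and one success is ignored, while the service account hit from four addresses with a 33-second pause between bursts is reported.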
Why the Other Answers Are Wrong
A) Brute force attack
While brute force attacks and dictionary attacks are both password-guessing methods, they differ in strategy. A brute force attack would systematically try every character combination (aaa, aab, aac, aad, etc.), which is computationally expensive. Dictionary attacks specifically use known-common passwords, which is what the log evidence shows. The attacker is using known word lists, not exhaustive combination attempts.
C) Rainbow table attack
Rainbow table attacks require the attacker to already possess password hashes, which are then compared against pre-computed lookup tables. There's no evidence of the attacker having compromised password hashes—they're attempting to log in with plaintext passwords. Rainbow tables are an offline cracking technique, not a login-attempt technique.
D) Pass-the-hash attack
Pass-the-hash attacks bypass the need for passwords entirely by using captured NTLM hashes directly for authentication on Windows systems. This attack requires the attacker to have already obtained hashes from somewhere else (like from a compromised system), which isn't indicated in the scenario. Also, pass-the-hash would show lateral movement and privilege escalation if successful, which isn't present here.
Study Tip for Domain 2
When analyzing attack indicators, look for the method the attacker is using to gain access. Dictionary attacks use word lists, brute force tries every combination, rainbow tables crack hashes offline, and pass-the-hash reuses already-captured credentials. Each leaves different forensic traces. Study the attack lifecycle: what information does the attacker need before they try it? What evidence would they leave behind if they failed? What would success look like?
Domain 3: Security Architecture
Domain 3 represents 18% of the exam and focuses on secure design principles, network architecture, and cloud security.
Sample Question 3: Designing for Defense in Depth
A healthcare organization is designing a new network architecture to protect patient records stored in a private cloud. The organization wants to implement multiple layers of protection. Which of the following best demonstrates defense in depth?
A) Deploying multiple firewalls in the DMZ, each with identical ruleset configurations
B) Placing a Web Application Firewall (WAF) in front of the application, a network firewall at the perimeter, encryption for data in transit and at rest, and multi-factor authentication for database access
C) Implementing a 256-bit AES encryption for all data and deploying intrusion detection systems on every network segment
D) Installing endpoint protection on all client devices and ensuring all software is patched to the latest version
The Correct Answer: B
Why This Answer Is Right:
Defense in depth (also called "layered security") means implementing multiple independent security controls at different layers of your infrastructure so that if one fails, others still protect your assets. The goal is not redundancy of the same control, but diversity of control types.
Answer B demonstrates this perfectly:
- WAF = Application layer protection (prevents malicious requests to the web application)
- Network firewall = Perimeter defense (controls traffic entering the network)
- Encryption = Data protection (ensures confidentiality if data is compromised)
- Multi-factor authentication = Access control (prevents unauthorized database access even with valid credentials)
These are different types of controls protecting different attack surfaces. If an attacker bypasses the network firewall, the WAF might catch them. If they get past the WAF, encryption prevents them from reading the data. If they somehow obtain valid credentials, MFA still blocks unauthorized database access. Each layer is independent.
Why the Other Answers Are Wrong
A) Deploying multiple firewalls in the DMZ with identical rulesets
While deploying multiple firewalls might sound like defense in depth, having identical ruleset configurations means they protect against the same threats in the same way. If an attacker finds a bypass in one firewall, they can likely bypass the others. This is redundancy, not defense in depth. True defense in depth would use different firewall technologies or different rule configurations to address different threat vectors.
C) Implementing 256-bit AES encryption and intrusion detection systems
This focuses heavily on encryption and detection but neglects preventive controls like firewalls or access controls. While these are strong controls, defense in depth requires more variety across different architectural layers. You need prevention, detection, and response capabilities, not just encryption and monitoring.
D) Installing endpoint protection and keeping software patched
Endpoint protection and patching are critical, but they primarily address client-side vulnerabilities. This answer doesn't include controls for network perimeter defense, application security, data protection, or database access control. Defense in depth means protecting across all layers: network, application, data, and identity.
Study Tip for Domain 3
When you see a security architecture question, think about the complete attack path an attacker might take. Do your controls cover every point along that path? Network perimeter? Application layer? Data layer? Identity and access? Cloud infrastructure? The best architectures have overlapping, independent controls so that a single failure doesn't compromise everything. Memorize the key architectural principles: least privilege, defense in depth, zero trust, and secure-by-default design.
Domain 4: Security Operations
Domain 4 is the largest domain at 28% of the exam and covers incident response, cryptography, identity management, and operational security.
Sample Question 4: Selecting the Appropriate Encryption for a Use Case
An organization wants to implement encrypted messaging for sensitive internal communications. Security requirements include:
- Message integrity verification
- Non-repudiation (sender cannot deny sending the message)
- The ability to send encrypted messages to multiple recipients without sharing a single key
Which cryptographic approach best meets these requirements?
A) Symmetric encryption with HMAC
B) Asymmetric encryption with digital signatures
C) Hashing combined with a shared secret
D) One-time pad encryption with pre-shared keys
The Correct Answer: B
Why This Answer Is Right:
This question tests your understanding of cryptographic properties and how they apply to real-world scenarios. Let's break down what each requirement demands:
- Message integrity verification — We need to ensure the message wasn't altered in transit.
- Non-repudiation — We need proof that a specific person sent the message (they can't claim someone else sent it).
- Ability to send to multiple recipients without sharing a single key — We can't have everyone sharing one decryption key.
Asymmetric encryption (public-key cryptography) combined with digital signatures provides all three:
How it works: The sender uses their private key to sign the message (creating a digital signature), then encrypts it with the recipient's public key. The recipient decrypts with their private key and verifies the signature with the sender's public key.
Integrity: If the message is altered, the signature verification fails, alerting the recipient.
Non-repudiation: Only the sender's private key could have created the signature. The sender can't later claim someone else sent it because only they have that private key.
Multiple recipients: Each recipient has their own public/private key pair. The sender encrypts a copy of the message for each recipient using their public key. No shared key is necessary.
This is exactly how secure email (like S/MIME) and enterprise messaging systems work.
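Here is the sign-then-encrypt flow described above as an added Go example (not code from the post or from any product). It goes one step beyond the text: rather than encrypting a separate copy of the message for each recipient, it encrypts the body once under a random content key and wraps that key separately for each recipient with RSA-OAEP, which is the S/MIME (CMS EnvelopedData) pattern. Ed25519 is used for the signature, AES-256-GCM for the body, and the recipient names and message are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is one signed message encrypted once under a random content key;
// that key is wrapped separately for every recipient (the S/MIME pattern).
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM over (signature || plaintext)
	WrappedKeys map[string][]byte // recipient name -> RSA-OAEP(content key)
}

// Seal signs msg with the sender's Ed25519 key, then encrypts signature+message for each listed recipient.
func Seal(sender ed25519.PrivateKey, recipients map[string]*rsa.PublicKey, msg []byte) (*Envelope, error) {
	sig := ed25519.Sign(sender, msg) // proves origin (non-repudiation) and integrity
	buf := make([]byte, 32+12)       // AES-256 content key followed by a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	env := &Envelope{Nonce: nonce, WrappedKeys: map[string][]byte{}}
	env.Ciphertext = gcm.Seal(nil, nonce, append(sig, msg...), nil)
	for name, pub := range recipients { // one wrapped copy of the key per recipient
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(name))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open unwraps the content key with the recipient's RSA private key, decrypts, then verifies the signature.
func Open(name string, priv *rsa.PrivateKey, sender ed25519.PublicKey, env *Envelope) ([]byte, error) {
	// A recipient not on the list has no wrapped key, so unwrapping fails here.
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKeys[name], []byte(name))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil || len(plain) < ed25519.SignatureSize {
		return nil, errors.New("decryption failed or message truncated")
	}
	sig, msg := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(sender, msg, sig) {
		return nil, errors.New("signature does not verify: altered or not from this sender")
	}
	return msg, nil
}

func main() {
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	env, _ := Seal(senderPriv, map[string]*rsa.PublicKey{"alice": &alice.PublicKey}, []byte("constructed test message"))
	msg, err := Open("alice", alice, senderPub, env)
	fmt.Printf("%q %v\n", msg, err)
}
```

Verifying the signature only after a successful decryption is what ties the three requirements together: an unlisted recipient cannot unwrap the key, a tampered body fails GCM authentication, and a message signed by anyone else fails the Ed25519 check.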
Why the Other Answers Are Wrong
A) Symmetric encryption with HMAC
Symmetric encryption means both parties share the same key. While HMAC provides integrity verification and some authentication, it doesn't provide true non-repudiation. If both the sender and recipient have the same key, both could have created the HMAC. Additionally, if you have 10 recipients, you'd need to either share one key among all of them (poor security) or pre-establish 10 different symmetric relationships (difficult to manage). Asymmetric encryption handles multiple recipients elegantly.
C) Hashing combined with a shared secret
Hashing (like SHA-256) is one-way and irreversible—you can't decrypt hashed data, so this doesn't work for encryption at all. A shared secret could provide some authentication, but it still doesn't solve the multiple-recipients problem or provide true non-repudiation (either party holding the shared secret could have produced the hash, so neither can be proven to be the sender).
D) One-time pad encryption with pre-shared keys
One-time pads are theoretically unbreakable but require sharing a key that's the same length as the message beforehand. This is impractical for modern business communications, impossible for multiple recipients (you'd need different OTP keys for each recipient), and the pre-sharing process is a logistical nightmare. Additionally, one-time pads don't inherently provide non-repudiation without additional mechanisms.
Study Tip for Domain 4
In Domain 4, encryption questions often test whether you understand the properties each cryptographic method provides. Create a mental matrix:
- Symmetric encryption: Fast, shared key, scalability problems with many recipients
- Asymmetric encryption: Slower, public/private key pair, enables non-repudiation, solves multi-recipient problem
- Digital signatures: Proves who signed something and that it hasn't been altered
- Hashing: One-way, detects tampering, no secrecy
When you encounter a scenario, identify what properties are required, then match them to the crypto method.
Domain 5: Security Program Management and Oversight
Domain 5 covers 20% of the exam and focuses on governance, compliance, risk management, and security policies.
Sample Question 5: Applying Risk Management Frameworks
A financial services firm discovers a vulnerability in its critical payment processing system that could be exploited to bypass transaction verification. Patching will require a 4-hour maintenance window and immediate deployment. The organization's risk management framework requires evaluating risk against business impact before deciding on remediation timing.
The firm must process customer transactions continuously due to regulatory requirements. What is the most appropriate risk response in this scenario?
A) Risk avoidance — cease payment processing until the system is patched
B) Risk mitigation — apply compensating controls while planning the patch deployment
C) Risk transfer — obtain cyber insurance to cover potential transaction fraud losses
D) Risk acceptance — document the vulnerability and monitor for exploitation attempts
The Correct Answer: B
Why This Answer Is Right:
This scenario tests whether you can apply the four risk response strategies appropriately to a real business situation. Each strategy has its place, but the right choice depends on context.
Risk mitigation is implementing controls to reduce the likelihood or impact of a risk. In this case:
- The vulnerability is real and exploitable, so ignoring it (acceptance) is irresponsible.
- The business cannot stop processing (avoidance is impractical).
- Insurance covers financial losses after they occur, but it doesn't prevent the fraud (transfer alone isn't sufficient).
- Mitigation means implementing temporary compensating controls (like additional transaction verification, real-time fraud monitoring, or temporarily enabling additional authentication factors) while maintaining business continuity. Once compensating controls are in place, risk is reduced to an acceptable level. Then the patch can be deployed during a planned maintenance window.
This balances security with business requirements—the organization protects itself while avoiding catastrophic downtime.
Why the Other Answers Are Wrong
A) Risk avoidance — cease payment processing
While ceasing operations would eliminate the risk entirely, it creates a worse risk: regulatory violation and loss of business. You cannot avoid risks that are core to business operations. Avoidance is appropriate for risks that aren't essential (like "should we enable legacy FTP for file transfer?"—just avoid it and use SFTP instead). For critical systems, avoidance is rarely viable.
C) Risk transfer — obtain cyber insurance
Cyber insurance can cover financial losses after fraud occurs, but it doesn't prevent the fraud or maintain business continuity. Insurance is a supporting strategy, not a primary response to an active vulnerability. If the firm is compromised and loses customer data or causes regulatory harm, insurance may not cover all damages. Insurance is better used in addition to mitigation, not instead of it.
D) Risk acceptance — document and monitor
Accepting risk means acknowledging that you're okay with the consequence if it occurs. Given that this is a critical payment processing system with regulatory implications, accepting the risk without any controls is negligent. Acceptance might be appropriate for lower-impact vulnerabilities ("we accept the risk that someone might write on the whiteboard in Conference Room B"), but not for critical security gaps in regulated systems.
Study Tip for Domain 5
The four risk responses are tools, and each applies to different situations:
- Avoidance: For non-essential risks (stop doing the risky thing)
- Mitigation: For important risks you can reduce (implement controls)
- Transfer: For financial risks (buy insurance)
- Acceptance: For residual risks that are within tolerance (document and monitor)
Most real-world scenarios require combination responses. Mitigation is the most common for security vulnerabilities, but ask yourself: "What else could we do?" Usually, you mitigate, document, possibly transfer, and accept whatever risk remains.
Bringing It All Together
The five questions you've just walked through represent just a fraction of the Security+ exam. The real SY0-701 exam contains up to 90 questions spread across all five domains, each requiring you to apply security concepts to realistic scenarios.
Here's what these walkthroughs demonstrate:
- Domain 1 questions test whether you understand foundational concepts like control types and risk frameworks.
- Domain 2 questions require you to recognize attack patterns and understand threat actors.
- Domain 3 questions challenge you to design secure architectures and understand security principles.
- Domain 4 questions test operational knowledge—cryptography, identity management, and incident response.
- Domain 5 questions assess your ability to manage security programs and make governance decisions.
The key difference between studying with detailed explanations and simply checking answers is transferability. When you understand why a particular cryptographic approach solves a multi-recipient problem, you can apply that principle to any scenario involving multiple parties. When you understand why defense in depth requires different controls, not redundant ones, you can design better architectures. When you understand the difference between a detective control and a preventive control, you can recommend appropriate security measures.
Ready to Practice?
These five sample questions barely scratch the surface of Security+ exam preparation. At LearnZapp, our full question bank contains 1,543 practice questions—every single one with detailed explanations for why each answer choice is correct or incorrect.
Whether you're just starting your Security+ journey or you're in the final weeks of preparation, detailed explanations matter more than raw question count. Our questions are sourced from industry-standard references and aligned with the latest SY0-701 exam objectives. Each one teaches a principle, not just a fact.
Take a free Security+ diagnostic test on LearnZapp—no signup required. See how you perform across all five domains, then dive into the detailed explanations for every question you encounter. That's how security knowledge sticks.
Good luck with your Security+ preparation. You've got this.