Most people studying for Security+ fall into the same trap — they grind questions, check their score, and confuse "got it right" with "understood it." That's usually why candidates plateau around 72% and can't push past it.
The SY0-701 isn't testing recall. It's testing whether you can read a scenario and pick the response a security professional would actually make. And the questions I've seen people miss most often aren't the hardest ones. They're the ones where they picked a technically correct answer that wasn't the best answer for the scenario.
So instead of another list of "top Security+ practice questions explained" with quick answers, here are five — one from each domain — broken down the way you should be breaking them down in your own head whenever you miss one. If you're not reading explanations this deeply, you're leaving knowledge on the table.
Domain 1: General Security Concepts (12%)
A manufacturing company discovers that employees regularly leave sensitive documents on unattended desks. The security team implements three responses:
- Installing locked filing cabinets to physically store documents
- Creating a mandatory clean-desk policy and conducting monthly audits
- Reducing the number of printed documents by moving to a paperless workflow
How should these three controls be classified?
A) Preventive, detective, and corrective controls
B) Preventive, preventive, and corrective controls
C) Detective, preventive, and corrective controls
D) Corrective, detective, and preventive controls
The answer is B.
The trap is in #2. Most candidates pick A because "audits" feels like detection — that's the exact instinct CompTIA is testing. When a policy exists and audits are used to enforce ongoing compliance, the audit is part of the preventive machinery, not a separate detection layer. A true detective control would be something like a camera that catches someone grabbing documents at 2 a.m.
The paperless workflow is corrective because it removes the root cause. No documents to leave on a desk means no behavior to control.
One pattern I see constantly: people who miss control-classification questions usually do it because they fixate on a single word — "audit," "scan," "log" — and don't read the sentence around it. Read the whole mechanism, then classify. The word by itself doesn't decide the category.
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
This is where I want to spend the most time, because Domain 2 is where I've seen more candidates lose points than any other single domain. It's 22% of the exam, the questions are consistently scenario-heavy, and the distractors are designed to exploit pattern-matching.
A financial services company's security team notices unusual activity on their Active Directory domain controller. Log analysis reveals:
- Multiple failed login attempts from different source IPs targeting service accounts
- Failed attempts continue for 30 seconds after each batch
- The attempts use common passwords from known password lists
- No suspicious lateral movement or privilege escalation follows the failed attempts
What type of attack is most likely being attempted?
A) Brute force attack
B) Dictionary attack
C) Rainbow table attack
D) Pass-the-hash attack
The answer is B — dictionary attack.
Here's where candidates lose it. In practice tests I've watched people run, probably 40% of candidates pick A (brute force) on this kind of question. Brute force sounds more aggressive, more "serious." And it's not technically wrong — a dictionary attack is a type of brute force attack. But CompTIA is testing whether you can distinguish based on the evidence in the scenario.
The evidence is in one line: "common passwords from known password lists." That phrase is the tell. Brute force in the strict sense means trying every combination (aaaaa, aaaab, aaaac, and so on). Dictionary attacks use curated lists of likely passwords. If the scenario says "password lists" or "common passwords," it's a dictionary attack. Period.
The other two distractors are doing different work, and they're worth understanding because they teach you how to read these scenarios faster:
Rainbow tables get ruled out because the attacker would already have hashes. Rainbow tables are an offline cracking technique — you don't see login attempts, you see an attacker comparing stolen hashes against a pre-computed lookup. If the scenario shows login attempts, rainbow tables aren't it.
Pass-the-hash gets ruled out because the scenario explicitly says "no lateral movement or privilege escalation." Pass-the-hash reuses captured NTLM hashes to authenticate across Windows systems, so a successful attempt would almost certainly show lateral movement somewhere in the logs. The absence is the clue.
That last point is worth dwelling on. CompTIA routinely writes scenarios that include phrases like "no lateral movement" or "no privilege escalation observed." Those details aren't decorative. They're there to eliminate specific attack types. When you see them, read them as active clues — the scenario is telling you what the attack isn't.
Another pattern I've noticed: candidates who score high on Domain 2 practice questions but still miss them on the real exam usually aren't reading scenarios carefully enough. They recognize the shape ("multiple failed logins = password attack") and grab the first plausible answer. The exam is built to punish that.
If Domain 2 is your weak area, slow down. Read each scenario twice before you even look at the answers. And if you want more coverage on how the domain weights shake out, the Security+ exam domains guide has a full breakdown.
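The evidence-reading this section describes, turned into detection logic over constructed log lines (an added example, not code from the original post): failures against service accounts are counted per source, and anything that later comes from one of those sources is recorded separately, so "no lateral movement" becomes a checkable absence rather than an assumption. Assumed: a key=value log format, a svc_ naming prefix for service accounts, and the event names FAIL, SUCCESS and REMOTE_EXEC.

```go
package main

import "strings"

// SampleLog is constructed for this example; it is not real domain-controller output.
var SampleLog = []string{
	"outcome=FAIL user=svc_backup src=203.0.113.10",
	"outcome=FAIL user=svc_backup src=198.51.100.7",
	"outcome=FAIL user=svc_sql src=203.0.113.10",
	"outcome=SUCCESS user=jdoe src=10.0.5.21",
	"outcome=FAIL user=svc_sql src=192.0.2.44",
	"outcome=FAIL user=svc_backup src=192.0.2.44",
}

// Event is one parsed log line; Outcome is FAIL, SUCCESS or REMOTE_EXEC.
type Event struct{ Outcome, User, Src string }
// parseLine reads key=value fields from a line in the SampleLog format.
func parseLine(line string) Event {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			f[k] = v
		}
	}
	return Event{Outcome: f["outcome"], User: f["user"], Src: f["src"]}
}

// Assessment keeps the scenario's two questions apart: was there a guessing campaign
// against service accounts, and did any of the sources behind it do something afterwards?
type Assessment struct {
	Failures  int
	Accounts  map[string]bool // service accounts hit; the svc_ prefix is an assumed naming rule
	Sources   map[string]bool // distinct source IPs behind those failures
	FollowOns []string        // later SUCCESS/REMOTE_EXEC from those sources; empty means none seen
}
// Assess walks the log in order, so a follow-on counts only after a failure from the same
// source. The guessed passwords themselves are never logged; the word-list tell is scenario-only.
func Assess(lines []string) Assessment {
	a := Assessment{Accounts: map[string]bool{}, Sources: map[string]bool{}}
	for _, line := range lines {
		e := parseLine(line)
		if e.Outcome == "FAIL" && strings.HasPrefix(e.User, "svc_") {
			a.Failures++
			a.Accounts[e.User], a.Sources[e.Src] = true, true
		} else if e.Outcome != "FAIL" && a.Sources[e.Src] {
			a.FollowOns = append(a.FollowOns, e.Outcome+" as "+e.User+" from "+e.Src)
		}
	}
	return a
}
```

On SampleLog the result is five failures against two service accounts from three sources and an empty FollowOns, which is the scenario's "no lateral movement" clue; a later success or remote execution from one of those sources would land in FollowOns and change the reading.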
Domain 3: Security Architecture (18%)
A healthcare organization is designing a new network architecture to protect patient records stored in a private cloud. The organization wants to implement multiple layers of protection. Which option best demonstrates defense in depth?
A) Deploying multiple firewalls in the DMZ, each with identical ruleset configurations
B) Placing a WAF in front of the application, a network firewall at the perimeter, encryption for data in transit and at rest, and multi-factor authentication for database access
C) Implementing 256-bit AES encryption for all data and deploying intrusion detection systems on every network segment
D) Installing endpoint protection on all client devices and ensuring all software is patched to the latest version
The answer is B.
The three wrong answers are useful here because they represent the specific ways people misunderstand defense in depth.
Option A is the most common trap — multiple firewalls with identical rulesets. That's redundancy, not layering. If an attacker finds a bypass in one firewall, the rest bypass the same way. Defense in depth means different types of controls at different layers: application, network, data, identity. Stacking the same control five times doesn't count.
Option B covers four layer types: WAF (application), network firewall (perimeter), encryption (data), MFA (access). Break one, the others still stand.
The tricky distractor is C. AES-256 plus IDS on every segment sounds comprehensive because the encryption is strong and the detection coverage is broad. But it's missing preventive controls at the access and application layers. Two strong controls aren't depth — depth requires variety across the stack.
Domain 4: Security Operations (28%)
Domain 4 is the largest domain on the exam, and cryptography is where I see otherwise-strong candidates lose points. The test isn't whether you remember what RSA is. It's whether you can read a scenario and pick the crypto primitive that satisfies all the stated requirements.
An organization wants to implement encrypted messaging for sensitive internal communications. Security requirements include:
- Message integrity verification
- Non-repudiation (sender cannot deny sending the message)
- The ability to send encrypted messages to multiple recipients without sharing a single key
Which cryptographic approach best meets these requirements?
A) Symmetric encryption with HMAC
B) Asymmetric encryption with digital signatures
C) Hashing combined with a shared secret
D) One-time pad encryption with pre-shared keys
The answer is B.
Rather than walking through the mechanics of asymmetric encryption, let me tell you how to think about this kind of question — because the same pattern appears in a dozen different exam questions with different wording.
Build a requirements list from the scenario:
- Integrity
- Non-repudiation
- Multiple recipients, no shared key
Then match properties to primitives:
- Symmetric encryption — fast, provides confidentiality, can't provide non-repudiation (both parties hold the same key, so either could've produced any ciphertext)
- Asymmetric encryption — slower, provides confidentiality, supports non-repudiation via the private key
- Hashing alone — integrity only, no confidentiality
- HMAC — integrity plus authentication, but not non-repudiation because it uses a shared secret
- Digital signatures — integrity plus non-repudiation (the signer's private key is the proof)
The shortcut: the moment you see "non-repudiation" in a scenario, every symmetric-only answer is dead. Non-repudiation requires that only one party could have produced the signature, which requires a private key, which means asymmetric. That one cue eliminates A and C immediately.
D is a trap for people who remember that one-time pads are "theoretically unbreakable." They are. They're also impractical beyond two-party short-message communication, and they don't provide non-repudiation on their own.
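The approach behind answer B, as an added example (not code from the original post): the sender signs with an Ed25519 private key and encrypts a separate copy to each recipient's RSA public key, using only Go's standard crypto packages. Assumed for brevity: RSA-OAEP applied directly to the payload, which caps the message at 126 bytes with a 2048-bit key; a production design wraps a per-message content key instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewSender and NewRecipient generate the key pairs: one Ed25519 signing key for the
// sender, one RSA key pair per recipient. Nothing symmetric is ever distributed.
func NewSender() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }
func NewRecipient() (*rsa.PrivateKey, error)                   { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal signs msg with the sender's private key (non-repudiation: only the holder of
// that key can produce the signature), then encrypts signature||msg separately to each
// recipient's public key. RSA-OAEP with SHA-256 and a 2048-bit key holds at most 190
// bytes, so msg is capped at 126 bytes here; real systems wrap a content key instead.
func Seal(msg []byte, signer ed25519.PrivateKey, recipients map[string]*rsa.PublicKey) (map[string][]byte, error) {
	signed := append(ed25519.Sign(signer, msg), msg...)
	out := make(map[string][]byte, len(recipients))
	for name, pub := range recipients {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, signed, nil)
		if err != nil {
			return nil, err // ErrMessageTooLong if msg exceeds the cap
		}
		out[name] = ct
	}
	return out, nil
}

// Open decrypts one recipient's copy with that recipient's private key, then verifies
// the signature, which gives integrity (any change breaks it) and origin (only the
// sender's private key could have produced it; the receiver cannot forge one).
func Open(ct []byte, priv *rsa.PrivateKey, sender ed25519.PublicKey) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return nil, errors.New("decryption failed: not this recipient's copy or ciphertext damaged")
	}
	if len(plain) < ed25519.SignatureSize {
		return nil, errors.New("payload too short to carry a signature")
	}
	sig, msg := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(sender, msg, sig) {
		return nil, errors.New("signature invalid: message altered or not from the claimed sender")
	}
	return msg, nil
}
```

A recipient who tries to forge a message with their own signing key fails Open's verification against the sender's public key, which is exactly the property an HMAC built on a shared secret cannot give.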
If crypto is a weak area for you, the Security+ cryptography explainer covers the primitives in more depth than I can fit here.
Domain 5: Security Program Management and Oversight (20%)
A financial services firm discovers a vulnerability in its critical payment processing system that could bypass transaction verification. Patching will require a 4-hour maintenance window. The firm must process customer transactions continuously due to regulatory requirements. What is the most appropriate risk response?
A) Risk avoidance — cease payment processing until patched
B) Risk mitigation — apply compensating controls while planning the patch deployment
C) Risk transfer — obtain cyber insurance to cover fraud losses
D) Risk acceptance — document the vulnerability and monitor for exploitation
The answer is B.
Domain 5 questions almost always hinge on one or two hard constraints buried in the scenario. Find the constraints, and most answers eliminate themselves.
Here, "must process transactions continuously due to regulatory requirements" kills avoidance. Insurance covers losses after the fact but doesn't prevent the fraud, so transfer alone fails. Acceptance is negligent for a regulated critical system. That leaves mitigation — temporary compensating controls (heightened fraud monitoring, extra verification steps) while the patch is scheduled for the next legitimate window.
That's most of Domain 5 in a nutshell. Read for constraints, not for keywords.
What you should actually do with these
Five questions isn't preparation. Neither is five hundred if you're just checking scores. What matters is whether you're using each missed question to build a mental model you can apply to scenarios you've never seen.
When you miss a question, don't just learn the answer. Work through three things:
- What was the exam specifically testing? Not the topic — the decision.
- Which distractor did I pick, and what made it feel right?
- What detail in the scenario would have pointed me to the correct answer if I'd read more carefully?
If you can answer those three every time, you'll learn faster than people who've done three times as many questions and just logged scores. I'd rather see someone do 40 questions in an hour with real analysis than 100 questions in an hour with none.
Another pattern worth mentioning: people who only review the questions they got wrong leave knowledge on the table. Review the ones you got right too, at least occasionally — sometimes you picked the correct answer for the wrong reason, and that's a gap you won't catch otherwise. This comes up more than you'd think, and it's related to why practice test scores and real exam scores diverge for some candidates.
If you want a real baseline
LearnZapp's Security+ question bank has 1,543 practice questions, each with explanations structured roughly the way the ones above are — what the question tests, why each distractor is wrong, and what to recognize next time. Everything's aligned to SY0-701 objectives and sourced against industry-standard references.
If you haven't taken a diagnostic yet, that's where I'd start before committing to a study plan. It'll tell you in about 30 minutes which domains you can skim and which ones need real work — no signup, no commitment.