CompTIA Security+

Certification Exam
Objectives
EXAM NUMBER: SY0-601
About the Exam
Candidates are encouraged to use this document to help prepare for the CompTIA
Security+ (SY0-601) certification exam. The CompTIA Security+ certification exam will
verify the successful candidate has the knowledge and skills required to:
• Assess the security posture of an enterprise environment and recommend
and implement appropriate security solutions
• Monitor and secure hybrid environments, including cloud, mobile, and IoT
• Operate with an awareness of applicable laws and policies, including
principles of governance, risk, and compliance
• Identify, analyze, and respond to security events and incidents
This is equivalent to two years of hands-on experience working in a security/systems administrator job role.
These content examples are meant to clarify the test objectives and should not be
construed as a comprehensive listing of all the content of this examination.

EXAM DEVELOPMENT
CompTIA exams result from subject matter expert workshops and industry-wide survey
results regarding the skills and knowledge required of an IT professional.

CompTIA AUTHORIZED MATERIALS USE POLICY

CompTIA Certifications, LLC is not affiliated with and does not authorize, endorse or condone utilizing any
content provided by unauthorized third-party training sites (aka “brain dumps”). Individuals who utilize
such materials in preparation for any CompTIA examination will have their certifications revoked and be
suspended from future testing in accordance with the CompTIA Candidate Agreement. In an effort to more
clearly communicate CompTIA’s exam policies on use of unauthorized study materials, CompTIA directs
all certification candidates to the CompTIA Certification Exam Policies. Please review all CompTIA policies
before beginning the study process for any CompTIA exam. Candidates will be required to abide by the
CompTIA Candidate Agreement. If a candidate has a question as to whether study materials are considered
unauthorized (aka “brain dumps”), he/she should contact CompTIA at examsecurity@comptia.org to confirm.

PLEASE NOTE
The lists of examples provided in bulleted format are not exhaustive lists. Other examples of
technologies, processes, or tasks pertaining to each objective may also be included on the exam
although not listed or covered in this objectives document. CompTIA is constantly reviewing the
content of our exams and updating test questions to be sure our exams are current, and the security
of the questions is protected. When necessary, we will publish updated exams based on testing
exam objectives. Please know that all related exam preparation materials will still be valid.

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
TEST DETAILS
Required exam SY0-601
Number of questions Maximum of 90
Types of questions Multiple-choice and performance-based
Length of test 90 minutes
Recommended experience • At least 2 years of work experience
in IT systems administration with
a focus on security
• Hands-on technical information security experience
• Broad knowledge of security concepts
Passing score 750 (on a scale of 100–900)

EXAM OBJECTIVES (DOMAINS)

The table below lists the domains measured by this examination
and the extent to which they are represented:

DOMAIN PERCENTAGE OF EXAMINATION

1.0 Attacks, Threats, and Vulnerabilities 24%

2.0 Architecture and Design 21%
3.0 Implementation 25%
4.0 Operations and Incident Response 16%
5.0 Governance, Risk, and Compliance 14%
Total 100%

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 1.0 Threats, Attacks, and Vulnerabilities
1.1 Compare and contrast different types of social engineering techniques.
• Phishing • Prepending - Social media
• Smishing • Identity fraud • Principles (reasons for effectiveness)
• Vishing • Invoice scams - Authority
• Spam • Credential harvesting - Intimidation
• Spam over instant messaging (SPIM) • Reconnaissance - Consensus
• Spear phishing • Hoax - Scarcity
• Dumpster diving • Impersonation - Familiarity
• Shoulder surfing • Watering hole attack - Trust
• Pharming • Typosquatting - Urgency
• Tailgating • Pretexting
• Eliciting information • Influence campaigns
• Whaling - Hybrid warfare

1.2 Given a scenario, analyze potential indicators

to determine the type of attack.
• Malware • Password attacks • Adversarial artificial intelligence (AI)
- Ransomware - Spraying - Tainted training data for
- Trojans - Dictionary machine learning (ML)
- Worms - Brute force - Security of machine
- Potentially unwanted programs (PUPs) - Offline learning algorithms
- Fileless virus - Online • Supply-chain attacks
- Command and control - Rainbow table • Cloud-based vs. on-premises attacks
- Bots - Plaintext/unencrypted • Cryptographic attacks
- Cryptomalware • Physical attacks - Birthday
- Logic bombs - Malicious Universal - Collision
- Spyware Serial Bus (USB) cable - Downgrade
- Keyloggers - Malicious flash drive
- Remote access Trojan (RAT) - Card cloning
- Rootkit - Skimming
- Backdoor

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 1.0 Threats, Attacks, and Vulnerabilities

1.3 Given a scenario, analyze potential indicators

associated with application attacks.
• Privilege escalation • Race conditions • Application programming
• Cross-site scripting - Time of check/time of use interface (API) attacks
• Injections • Error handling • Resource exhaustion
- Structured query language (SQL) • Improper input handling • Memory leak
- Dynamic-link library (DLL) • Replay attack • Secure Sockets Layer (SSL) stripping
- Lightweight Directory - Session replays • Driver manipulation
Access Protocol (LDAP) • Integer overflow - Shimming
- Extensible Markup Language (XML) • Request forgeries - Refactoring
• Pointer/object dereference - Server-side • Pass the hash
• Directory traversal - Cross-site
• Buffer overflows

1.4 Given a scenario, analyze potential indicators

associated with network attacks.
• Wireless • Layer 2 attacks - Application
- Evil twin - Address Resolution - Operational technology (OT)
- Rogue access point Protocol (ARP) poisoning • Malicious code or script execution
- Bluesnarfing - Media access control (MAC) flooding - PowerShell
- Bluejacking - MAC cloning - Python
- Disassociation • Domain name system (DNS) - Bash
- Jamming - Domain hijacking - Macros
- Radio frequency identification (RFID) - DNS poisoning - Visual Basic for Applications (VBA)
- Near-field communication (NFC) - Uniform Resource
- Initialization vector (IV) Locator (URL) redirection
• On-path attack (previously - Domain reputation
known as man-in-the-middle attack/ • Distributed denial-of-service (DDoS)
man-in-the-browser attack) - Network

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 1.0 Threats, Attacks, and Vulnerabilities

1.5 Explain different threat actors, vectors, and intelligence sources.

• Actors and threats • Vectors - Automated Indicator Sharing (AIS)
- Advanced persistent threat (APT) - Direct access - Structured Threat Information
- Insider threats - Wireless eXpression (STIX)/Trusted
- State actors - Email Automated eXchange of
- Hacktivists - Supply chain Intelligence Information (TAXII)
- Script kiddies - Social media - Predictive analysis
- Criminal syndicates - Removable media - Threat maps
- Hackers - Cloud - File/code repositories
- Authorized • Threat intelligence sources • Research sources
- Unauthorized - Open-source intelligence (OSINT) - Vendor websites
- Semi-authorized - Closed/proprietary - Vulnerability feeds
- Shadow IT - Vulnerability databases - Conferences
- Competitors - Public/private information- - Academic journals
• Attributes of actors sharing centers - Request for comments (RFC)
- Internal/external - Dark web - Local industry groups
- Level of sophistication/capability - Indicators of compromise - Social media
- Resources/funding - Threat feeds
- Intent/motivation - Adversary tactics, techniques,
and procedures (TTP)

1.6 Explain the security concerns associated with

various types of vulnerabilities.
• Cloud-based vs. on-premises • Third-party risks • Legacy platforms
vulnerabilities - Vendor management • Impacts
• Zero-day - System integration - Data loss
• Weak configurations - Lack of vendor support - Data breaches
- Open permissions - Supply chain - Data exfiltration
- Unsecure root accounts - Outsourced code development - Identity theft
- Errors - Data storage - Financial
- Weak encryption • Improper or weak patch management - Reputation
- Unsecure protocols - Firmware - Availability loss
- Default settings - Operating system (OS)
- Open ports and services - Applications

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 1.0 Threats, Attacks, and Vulnerabilities

1.7 Summarize the techniques used in security assessments.

• Threat hunting • Syslog/Security information and
- Intelligence fusion event management (SIEM)
- Threat feeds - Review reports
- Advisories and bulletins - Packet capture
- Maneuver - Data inputs
• Vulnerability scans - User behavior analysis
- False positives - Sentiment analysis
- False negatives - Security monitoring
- Log reviews - Log aggregation
- Credentialed vs. non-credentialed - Log collectors
- Intrusive vs. non-intrusive • Security orchestration,
- Application automation, and response (SOAR)
- Web application
- Network
- Common Vulnerabilities and
Exposures (CVE)/Common
Vulnerability Scoring System (CVSS)
- Configuration review

1.8 Explain the techniques used in penetration testing.

• Penetration testing • Passive and active reconnaissance
- Known environment - Drones
- Unknown environment - War flying
- Partially known environment - War driving
- Rules of engagement - Footprinting
- Lateral movement - OSINT
- Privilege escalation • Exercise types
- Persistence - Red-team
- Cleanup - Blue-team
- Bug bounty - White-team
- Pivoting - Purple-team

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 2.0 Architecture and Design
2.1 Explain the importance of security concepts
in an enterprise environment.
• Configuration management • Geographical considerations • Deception and disruption
- Diagrams • Response and recovery controls - Honeypots
- Baseline configuration • Secure Sockets Layer (SSL)/Transport - Honeyfiles
- Standard naming conventions Layer Security (TLS) inspection - Honeynets
- Internet protocol (IP) schema • Hashing - Fake telemetry
• Data sovereignty • API considerations - DNS sinkhole
• Data protection • Site resiliency
- Data loss prevention (DLP) - Hot site
- Masking - Cold site
- Encryption - Warm site
- At rest
- In transit/motion
- In processing
- Tokenization
- Rights management

2.2 Summarize virtualization and cloud computing concepts.

• Cloud models • Managed service provider (MSP)/ • Infrastructure as code
- Infrastructure as a service (IaaS) managed security service - Software-defined networking (SDN)
- Platform as a service (PaaS) provider (MSSP) - Software-defined visibility (SDV)
- Software as a service (SaaS) • On-premises vs. off-premises • Serverless architecture
- Anything as a service (XaaS) • Fog computing • Services integration
- Public • Edge computing • Resource policies
- Community • Thin client • Transit gateway
- Private • Containers • Virtualization
- Hybrid • Microservices/API - Virtual machine (VM)
• Cloud service providers sprawl avoidance
- VM escape protection

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 2.0 Architecture and Design

2.3 Summarize secure application development,

deployment, and automation concepts.
• Environment - Code reuse/dead code • Automation/scripting
- Development - Server-side vs. client-side - Automated courses of action
- Test execution and validation - Continuous monitoring
- Staging - Memory management - Continuous validation
- Production - Use of third-party libraries and - Continuous integration
- Quality assurance (QA) software development kits (SDKs) - Continuous delivery
• Provisioning and deprovisioning - Data exposure - Continuous deployment
• Integrity measurement • Open Web Application • Elasticity
• Secure coding techniques Security Project (OWASP) • Scalability
- Normalization • Software diversity • Version control
- Stored procedures - Compiler
- Obfuscation/camouflage - Binary

2.4 Summarize authentication and authorization design concepts.

• Authentication methods • Biometrics • Multifactor authentication
- Directory services - Fingerprint (MFA) factors and attributes
- Federation - Retina - Factors
- Attestation - Iris - Something you know
- Technologies - Facial - Something you have
- Time-based one- - Voice - Something you are
time password (TOTP) - Vein - Attributes
- HMAC-based one-time - Gait analysis - Somewhere you are
password (HOTP) - Efficacy rates - Something you can do
- Short message service (SMS) - False acceptance - Something you exhibit
- Token key - False rejection - Someone you know
- Static codes - Crossover error rate • Authentication, authorization,
- Authentication applications and accounting (AAA)
- Push notifications • Cloud vs. on-premises requirements
- Phone call
- Smart card authentication

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 2.0 Architecture and Design

2.5 Given a scenario, implement cybersecurity resilience.

• Redundancy • Replication - Offsite storage
- Geographic dispersal - Storage area network - Distance considerations
- Disk - VM • Non-persistence
- Redundant array of • On-premises vs. cloud - Revert to known state
inexpensive disks (RAID) levels • Backup types - Last known-good configuration
- Multipath - Full - Live boot media
- Network - Incremental • High availability
- Load balancers - Snapshot - Scalability
- Network interface - Differential • Restoration order
card (NIC) teaming - Tape • Diversity
- Power - Disk - Technologies
- Uninterruptible - Copy - Vendors
power supply (UPS) - Network-attached storage (NAS) - Crypto
- Generator - Storage area network - Controls
- Dual supply - Cloud
- Managed power - Image
distribution units (PDUs) - Online vs. offline

2.6 Explain the security implications of embedded and specialized systems.

• Embedded systems • Specialized - Subscriber identity module (SIM) cards
- Raspberry Pi - Medical systems - Zigbee
- Field-programmable gate array (FPGA) - Vehicles • Constraints
- Arduino - Aircraft - Power
• Supervisory control and data acquisition - Smart meters - Compute
(SCADA)/industrial control system (ICS) • Voice over IP (VoIP) - Network
- Facilities • Heating, ventilation, air - Crypto
- Industrial conditioning (HVAC) - Inability to patch
- Manufacturing • Drones - Authentication
- Energy • Multifunction printer (MFP) - Range
- Logistics • Real-time operating system (RTOS) - Cost
• Internet of Things (IoT) • Surveillance systems - Implied trust
- Sensors • System on chip (SoC)
- Smart devices • Communication considerations
- Wearables - 5G
- Facility automation - Narrow-band
- Weak defaults - Baseband radio

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 2.0 Architecture and Design

2.7 Explain the importance of physical security controls.

• Bollards/barricades - Electronic • Air gap
• Access control vestibules - Physical • Screened subnet (previously
• Badges - Cable locks known as demilitarized zone)
• Alarms • USB data blocker • Protected cable distribution
• Signage • Lighting • Secure areas
• Cameras • Fencing - Air gap
- Motion recognition • Fire suppression - Vault
- Object detection • Sensors - Safe
• Closed-circuit television (CCTV) - Motion detection - Hot aisle
• Industrial camouflage - Noise detection - Cold aisle
• Personnel - Proximity reader • Secure data destruction
- Guards - Moisture detection - Burning
- Robot sentries - Cards - Shredding
- Reception - Temperature - Pulping
- Two-person integrity/control • Drones - Pulverizing
• Locks • Visitor logs - Degaussing
- Biometrics • Faraday cages - Third-party solutions

2.8 Summarize the basics of cryptographic concepts.

• Digital signatures • Blockchain - Supporting integrity
• Key length - Public ledgers - Supporting obfuscation
• Key stretching • Cipher suites - Supporting authentication
• Salting - Stream - Supporting non-repudiation
• Hashing - Block • Limitations
• Key exchange • Symmetric vs. asymmetric - Speed
• Elliptic-curve cryptography • Lightweight cryptography - Size
• Perfect forward secrecy • Steganography - Weak keys
• Quantum - Audio - Time
- Communications - Video - Longevity
- Computing - Image - Predictability
• Post-quantum • Homomorphic encryption - Reuse
• Ephemeral • Common use cases - Entropy
• Modes of operation - Low power devices - Computational overheads
- Authenticated - Low latency - Resource vs. security constraints
- Unauthenticated - High resiliency
- Counter - Supporting confidentiality

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 3.0 Implementation
3.1 Given a scenario, implement secure protocols.
• Protocols - Simple Network Management • Use cases
- Domain Name System Protocol, version 3 (SNMPv3) - Voice and video
Security Extensions (DNSSEC) - Hypertext transfer protocol - Time synchronization
- SSH over SSL/TLS (HTTPS) - Email and web
- Secure/Multipurpose Internet - IPSec - File transfer
Mail Extensions (S/MIME) - Authentication header (AH)/ - Directory services
- Secure Real-time Transport Encapsulating Security - Remote access
Protocol (SRTP) Payloads (ESP) - Domain name resolution
- Lightweight Directory Access - Tunnel/transport - Routing and switching
Protocol Over SSL (LDAPS) - Post Office Protocol (POP)/ - Network address allocation
- File Transfer Protocol, Secure (FTPS) Internet Message Access Protocol (IMAP) - Subscription services
- SSH File Transfer Protocol (SFTP)

3.2 Given a scenario, implement host or application security solutions.

• Endpoint protection • Database • Hardening
- Antivirus - Tokenization - Open ports and services
- Anti-malware - Salting - Registry
- Endpoint detection - Hashing - Disk encryption
and response (EDR) • Application security - OS
- DLP - Input validations - Patch management
- Next-generation firewall (NGFW) - Secure cookies - Third-party updates
- Host-based intrusion prevention - Hypertext Transfer - Auto-update
system (HIPS) Protocol (HTTP) headers • Self-encrypting drive (SED)/
- Host-based intrusion detection - Code signing full-disk encryption (FDE)
system (HIDS) - Allow list - Opal
- Host-based firewall - Block list/deny list • Hardware root of trust
• Boot integrity - Secure coding practices • Trusted Platform Module (TPM)
- Boot security/Unified Extensible - Static code analysis • Sandboxing
Firmware Interface (UEFI) - Manual code review
- Measured boot - Dynamic code analysis
- Boot attestation - Fuzzing

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 3.0 Implementation

3.3 Given a scenario, implement secure network designs.

• Load balancing • Out-of-band management - Aggregators
- Active/active • Port security - Firewalls
- Active/passive - Broadcast storm prevention - Web application firewall (WAF)
- Scheduling - Bridge Protocol Data  - NGFW
- Virtual IP Unit (BPDU) guard - Stateful
- Persistence - Loop prevention - Stateless
• Network segmentation - Dynamic Host Configuration - Unified threat management (UTM)
- Virtual local area network (VLAN) Protocol (DHCP) snooping - Network address
- Screened subnet (previously - Media access translation (NAT) gateway
known as demilitarized zone) control (MAC) filtering - Content/URL filter
- East-west traffic • Network appliances - Open-source vs. proprietary
- Extranet - Jump servers - Hardware vs. software
- Intranet - Proxy servers - Appliance vs. host-based vs. virtual
- Zero Trust - Forward • Access control list (ACL)
• Virtual private network (VPN) - Reverse • Route security
- Always-on - Network-based intrusion detection • Quality of service (QoS)
- Split tunnel vs. full tunnel system (NIDS)/network-based • Implications of IPv6
- Remote access vs. site-to-site intrusion prevention system (NIPS) • Port spanning/port mirroring
- IPSec - Signature-based - Port taps
- SSL/TLS - Heuristic/behavior • Monitoring services
- HTML5 - Anomaly • File integrity monitors
- Layer 2 tunneling protocol (L2TP) - Inline vs. passive
• DNS - HSM
• Network access control (NAC) - Sensors
- Agent and agentless - Collectors

3.4 Given a scenario, install and configure wireless security settings.

• Cryptographic protocols - IEEE 802.1X - Controller and access point security
- WiFi Protected Access 2 (WPA2) - Remote Authentication Dial-in
- WiFi Protected Access 3 (WPA3) User Service (RADIUS) Federation
- Counter-mode/CBC-MAC • Methods
Protocol (CCMP) - Pre-shared key (PSK) vs.
- Simultaneous Authentication Enterprise vs. Open
of Equals (SAE) - WiFi Protected Setup (WPS)
• Authentication protocols - Captive portals
- Extensible Authentication • Installation considerations
Protocol (EAP) - Site surveys
- Protected Extensible - Heat maps
Authentication Protocol (PEAP) - WiFi analyzers
- EAP-FAST - Channel overlaps
- EAP-TLS - Wireless access point
- EAP-TTLS (WAP) placement

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 3.0 Implementation

3.5 Given a scenario, implement secure mobile solutions.

• Connection methods and receivers - Biometrics - Camera use
- Cellular - Context-aware authentication - SMS/Multimedia Messaging Service
- WiFi - Containerization (MMS)/Rich Communication
- Bluetooth - Storage segmentation Services (RCS)
- NFC - Full device encryption - External media
- Infrared • Mobile devices - USB On-The-Go (USB OTG)
- USB - MicroSD hardware - Recording microphone
- Point-to-point security module (HSM) - GPS tagging
- Point-to-multipoint - MDM/Unified Endpoint - WiFi direct/ad hoc
- Global Positioning System (GPS) Management (UEM) - Tethering
- RFID - Mobile application - Hotspot
• Mobile device management (MDM) management (MAM) - Payment methods
- Application management - SEAndroid • Deployment models
- Content management • Enforcement and monitoring of: - Bring your own device (BYOD)
- Remote wipe - Third-party application stores - Corporate-owned
- Geofencing - Rooting/jailbreaking personally enabled (COPE)
- Geolocation - Sideloading - Choose your own device (CYOD)
- Screen locks - Custom firmware - Corporate-owned
- Push notifications - Carrier unlocking - Virtual desktop infrastructure (VDI)
- Passwords and PINs - Firmware over-the-air (OTA) updates

3.6 Given a scenario, apply cybersecurity solutions to the cloud.

• Cloud security controls • Solutions
- High availability across zones - CASB
- Resource policies - Application security
- Secrets management - Next-generation secure
- Integration and auditing web gateway (SWG)
- Storage - Firewall considerations
- Permissions in a cloud environment
- Encryption - Cost
- Replication - Need for segmentation
- High availability - Open Systems
- Network Interconnection (OSI) layers
- Virtual networks • Cloud native controls vs.
- Public and private subnets third-party solutions
- Segmentation
- API inspection and integration
- Compute
- Security groups
- Dynamic resource allocation
- Instance awareness
- Virtual private
cloud (VPC) endpoint
- Container security

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 3.0 Implementation

3.7 Given a scenario, implement identity and

account management controls.
• Identity - Guest accounts - Access policies
- Identity provider (IdP) - Service accounts - Account permissions
- Attributes • Account policies - Account audits
- Certificates - Password complexity - Impossible travel time/risky login
- Tokens - Password history - Lockout
- SSH keys - Password reuse - Disablement
- Smart cards - Network location
• Account types - Geofencing
- User account - Geotagging
- Shared and generic - Geolocation
accounts/credentials - Time-based logins

3.8 Given a scenario, implement authentication

and authorization solutions.
• Authentication management - 802.1X - Role-based access control
- Password keys - RADIUS - Rule-based access control
- Password vaults - Single sign-on (SSO) - MAC
- TPM - Security Assertion - Discretionary access control (DAC)
- HSM Markup Language (SAML) - Conditional access
- Knowledge-based authentication - Terminal Access Controller - Privileged access management
• Authentication/authorization Access Control System Plus (TACACS+) - Filesystem permissions
- EAP - OAuth
- Challenge-Handshake - OpenID
Authentication Protocol (CHAP) - Kerberos
- Password Authentication • Access control schemes
Protocol (PAP) - Attribute-based access control (ABAC)

3.9 Given a scenario, implement public key infrastructure.

• Public key infrastructure (PKI) • Types of certificates - Privacy enhanced mail (PEM)
- Key management - Wildcard - Personal information exchange (PFX)
- Certificate authority (CA) - Subject alternative name - .cer
- Intermediate CA - Code signing - P12
- Registration authority (RA) - Self-signed - P7B
- Certificate revocation list (CRL) - Machine/computer • Concepts
- Certificate attributes - Email - Online vs. offline CA
- Online Certificate Status - User - Stapling
Protocol (OCSP) - Root - Pinning
- Certificate signing request (CSR) - Domain validation - Trust model
- CN - Extended validation - Key escrow
- Subject alternative name • Certificate formats - Certificate chaining
- Expiration - Distinguished encoding rules (DER)

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 4.0 Operations and Incident Response
4.1 Given a scenario, use the appropriate tool to
assess organizational security.
• Network reconnaissance and discovery - scanless - OpenSSL
- tracert/traceroute - dnsenum • Packet capture and replay
- nslookup/dig - Nessus - Tcpreplay
- ipconfig/ifconfig - Cuckoo - Tcpdump
- nmap • File manipulation - Wireshark
- ping/pathping - head • Forensics
- hping - tail - dd
- netstat - cat - Memdump
- netcat - grep - WinHex
- IP scanners - chmod - FTK imager
- arp - logger - Autopsy
- route • Shell and script environments • Exploitation frameworks
- curl - SSH • Password crackers
- theHarvester - PowerShell • Data sanitization
- sn1per - Python

4.2 Summarize the importance of policies, processes,

and procedures for incident response.
• Incident response plans • Exercises • Stakeholder management
• Incident response process - Tabletop • Communication plan
- Preparation - Walkthroughs • Disaster recovery plan
- Identification - Simulations • Business continuity plan
- Containment • Attack frameworks • Continuity of operations planning (COOP)
- Eradication - MITRE ATT&CK • Incident response team
- Recovery - The Diamond Model of • Retention policies
- Lessons learned Intrusion Analysis
- Cyber Kill Chain

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 4.0 Operations and Incident Response

4.3 Given an incident, utilize appropriate data

sources to support an investigation.
• Vulnerability scan output - Security • Metadata
• SIEM dashboards - Web - Email
- Sensor - DNS - Mobile
- Sensitivity - Authentication - Web
- Trends - Dump files - File
- Alerts - VoIP and call managers • Netflow/sFlow
- Correlation - Session Initiation Protocol (SIP) traffic - Netflow
• Log files • syslog/rsyslog/syslog-ng - sFlow
- Network • journalctl - IPFIX
- System • NXLog • Protocol analyzer output
- Application • Bandwidth monitors

4.4 Given an incident, apply mitigation techniques

or controls to secure an environment.
• Reconfigure endpoint security solutions • Isolation
- Application approved list • Containment
- Application blocklist/deny list • Segmentation
- Quarantine • SOAR
• Configuration changes - Runbooks
- Firewall rules - Playbooks
- MDM
- DLP
- Content filter/URL filter
- Update or revoke certificates

4.5 Explain the key aspects of digital forensics.

• Documentation/evidence • Acquisition • On-premises vs. cloud
- Legal hold - Order of volatility - Right-to-audit clauses
- Video - Disk - Regulatory/jurisdiction
- Admissibility - Random-access memory (RAM) - Data breach notification laws
- Chain of custody - Swap/pagefile • Integrity
- Timelines of sequence of events - OS - Hashing
- Time stamps - Device - Checksums
- Time offset - Firmware - Provenance
- Tags - Snapshot • Preservation
- Reports - Cache • E-discovery
- Event logs - Network • Data recovery
- Interviews - Artifacts • Non-repudiation
• Strategic intelligence/
counterintelligence

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 5.0 Governance, Risk, and Compliance
5.1 Compare and contrast various types of controls.
• Category • Control type - Deterrent
- Managerial - Preventive - Compensating
- Operational - Detective - Physical
- Technical - Corrective

5.2 Explain the importance of applicable regulations, standards, or

frameworks that impact organizational security posture.
• Regulations, standards, and legislation and Technology (NIST) Risk - Cloud control matrix
- General Data Protection Management Framework (RMF)/ - Reference architecture
Regulation (GDPR) Cybersecurity Framework • Benchmarks /secure
- National, territory, or state laws (CSF) configuration guides
- Payment Card Industry Data - International Organization - Platform/vendor-specific guides
Security Standard (PCI DSS) for Standardization (ISO) - Web server
• Key frameworks 27001/27002/27701/31000 - OS
- Center for Internet Security (CIS) - SSAE SOC 2 Type I/II - Application server
- National Institute of Standards - Cloud security alliance - Network infrastructure devices

5.3 Explain the importance of policies to organizational security.

• Personnel - Computer-based training (CBT) • Data
- Acceptable use policy - Role-based training - Classification
- Job rotation • Diversity of training techniques - Governance
- Mandatory vacation • Third-party risk management - Retention
- Separation of duties - Vendors • Credential policies
- Least privilege - Supply chain - Personnel
- Clean desk space - Business partners - Third-party
- Background checks - Service level agreement (SLA) - Devices
- Non-disclosure agreement (NDA) - Memorandum of - Service accounts
- Social media analysis understanding (MOU) - Administrator/root accounts
- Onboarding - Measurement systems analysis (MSA) • Organizational policies
- Offboarding - Business partnership agreement (BPA) - Change management
- User training - End of life (EOL) - Change control
- Gamification - End of service life (EOSL) - Asset management
- Capture the flag - NDA
- Phishing campaigns
- Phishing simulations

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
 5.0 Governance, Risk, and Compliance

5.4 Summarize risk management processes and concepts.

• Risk types - Risk control self-assessment • Disasters
- External - Risk awareness - Environmental
- Internal - Inherent risk - Person-made
- Legacy systems - Residual risk - Internal vs. external
- Multiparty - Control risk • Business impact analysis
- IP theft - Risk appetite - Recovery time objective (RTO)
- Software compliance/licensing - Regulations that affect risk posture - Recovery point objective (RPO)
• Risk management strategies - Risk assessment types - Mean time to repair (MTTR)
- Acceptance - Qualitative - Mean time between failures (MTBF)
- Avoidance - Quantitative - Functional recovery plans
- Transference - Likelihood of occurrence - Single point of failure
- Cybersecurity insurance - Impact - Disaster recovery plan (DRP)
- Mitigation - Asset value - Mission essential functions
• Risk analysis - Single-loss expectancy (SLE) - Identification of critical systems
- Risk register - Annualized loss expectancy (ALE) - Site risk assessment
- Risk matrix/heat map - Annualized rate of occurrence (ARO)
- Risk control assessment

5.5 Explain privacy and sensitive data concepts in relation to security.

• Organizational consequences - Personally identifiable • Information life cycle
of privacy and data breaches information (PII) • Impact assessment
- Reputation damage - Health information • Terms of agreement
- Identity theft - Financial information • Privacy notice
- Fines - Government data
- IP theft - Customer data
• Notifications of breaches • Privacy enhancing technologies
- Escalation - Data minimization
- Public notifications and disclosures - Data masking
• Data types - Tokenization
- Classifications - Anonymization
- Public - Pseudo-anonymization
- Private • Roles and responsibilities
- Sensitive - Data owners
- Confidential - Data controller
- Critical - Data processor
- Proprietary - Data custodian/steward
- Data protection officer (DPO)

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
Security+ (SY0-601) Acronym List

The following is a list of acronyms that appear on the CompTIA

Security+ exam. Candidates are encouraged to review the complete
list and attain a working knowledge of all listed acronyms as
part of a comprehensive exam preparation program.
ACRONYM DEFINITION ACRONYM DEFINITION
3DES Triple Data Encryption Standard CAR Corrective Action Report
AAA Authentication, Authorization, and Accounting CASB Cloud Access Security Broker
ABAC Attribute-based Access Control CBC Cipher Block Chaining
ACL Access Control List CBT Computer-based Training
AD Active Directory CCMP Counter-Mode/CBC-MAC Protocol
AES Advanced Encryption Standard CCTV Closed-Circuit Television
AES256 Advanced Encryption Standards 256bit CERT Computer Emergency Response Team
AH Authentication Header CFB Cipher Feedback
AI Artificial Intelligence CHAP Challenge-Handshake Authentication Protocol
AIS Automated Indicator Sharing CIO Chief Information Officer
ALE Annualized Loss Expectancy CIRT Computer Incident Response Team
AP Access Point CIS Center for Internet Security
API Application Programming Interface CMS Content Management System
APT Advanced Persistent Threat CN Common Name
ARO Annualized Rate of Occurrence COOP Continuity of Operations Planning
ARP Address Resolution Protocol COPE Corporate-owned Personally Enabled
ASLR Address Space Layout Randomization CP Contingency Planning
ASP Active Server Pages CRC Cyclic Redundancy Check
ATT&CK Adversarial Tactics, Techniques, CRL Certificate Revocation List
and Common Knowledge CSA Cloud Security Alliance
AUP Acceptable Use Policy CSIRT Computer Security Incident Response Team
AV Antivirus CSO Chief Security Officer
BASH Bourne Again Shell CSP Cloud Service Provider
BCP Business Continuity Planning CSR Certificate Signing Request
BGP Border Gateway Protocol CSRF Cross-Site Request Forgery
BIA Business Impact Analysis CSU Channel Service Unit
BIOS Basic Input/Output System CTM Counter-Mode
BPA Business Partnership Agreement CTO Chief Technology Officer
BPDU Bridge Protocol Data Unit CVE Common Vulnerabilities and Exposures
BSSID Basic Service Set Identifier CVSS Common Vulnerability Scoring System
BYOD Bring Your Own Device CYOD Choose Your Own Device
CA Certificate Authority DAC Discretionary Access Control
CAPTCHA Completely Automated Public Turing DBA Database Administrator
Test to Tell Computers and Humans Apart DDoS Distributed Denial-of-Service
DEP Data Execution Prevention

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
ACRONYM DEFINITION ACRONYM DEFINITION
DER Distinguished Encoding Rules HSM Hardware Security Module
DES Data Encryption Standard HSMaaS Hardware Security Module as a Service
DHCP Dynamic Host Configuration Protocol HTML Hypertext Markup Language
DHE Diffie-Hellman Ephemeral HTTP Hypertext Transfer Protocol
DKIM Domain Keys Identified Mail HTTPS Hypertext Transfer Protocol Secure
DLL Dynamic-link Library HVAC Heating, Ventilation, Air Conditioning
DLP Data Loss Prevention IaaS Infrastructure as a Service
DMARC Domain Message Authentication IAM Identity and Access Management
Reporting and Conformance ICMP Internet Control Message Protocol
DNAT Destination Network Address Transaction ICS Industrial Control Systems
DNS Domain Name System IDEA International Data Encryption Algorithm
DNSSEC Domain Name System Security Extensions IDF Intermediate Distribution Frame
DoS Denial-of-Service IdP Identity Provider
DPO Data Protection Officer IDS Intrusion Detection System
DRP Disaster Recovery Plan IEEE Institute of Electrical and Electronics Engineers
DSA Digital Signature Algorithm IKE Internet Key Exchange
DSL Digital Subscriber Line IM Instant Messaging
EAP Extensible Authentication Protocol IMAP4 Internet Message Access Protocol v4
ECB Electronic Code Book IoC Indicators of Compromise
ECC Elliptic-curve Cryptography IoT Internet of Things
ECDHE Elliptic-curve Diffie-Hellman Ephemeral IP Internet Protocol
ECDSA Elliptic-curve Digital Signature Algorithm IPS Intrusion Prevention System
EDR Endpoint Detection and Response IPSec Internet Protocol Security
EFS Encrypted File System IR Incident Response
EIP Extended Instruction Pointer IRC Internet Relay Chat
EOL End of Life IRP Incident Response Plan
EOS End of Service ISA Interconnection Security Agreement
ERP Enterprise Resource Planning ISFW Internal Segmentation Firewall
ESN Electronic Serial Number ISO International Organization for Standardization
ESP Encapsulating Security Payload ISP Internet Service Provider
ESSID Extended Service Set Identifier ISSO Information Systems Security Officer
FACL File System Access Control List ITCP IT Contingency Plan
FDE Full Disk Encryption IV Initialization Vector
FIM File Integrity Monitoring KDC Key Distribution Center
FPGA Field Programmable Gate Array KEK Key Encryption Key
FRR False Rejection Rate L2TP Layer 2 Tunneling Protocol
FTP File Transfer Protocol LAN Local Area Network
FTPS Secured File Transfer Protocol LDAP Lightweight Directory Access Protocol
GCM Galois/Counter Mode LEAP Lightweight Extensible Authentication Protocol
GDPR General Data Protection Regulation MaaS Monitoring as a Service
GPG GNU Privacy Guard MAC Media Access Control
GPO Group Policy Object MAM Mobile Application Management
GPS Global Positioning System MAN Metropolitan Area Network
GPU Graphics Processing Unit MBR Master Boot Record
GRE Generic Routing Encapsulation MD5 Message Digest 5
HA High Availability MDF Main Distribution Frame
HDD Hard Disk Drive MDM Mobile Device Management
HIDS Host-based Intrusion Detection System MFA Multifactor Authentication
HIPS Host-based Intrusion Prevention System MFD Multifunction Device
HMAC Hash-based Message Authentication Code MFP Multifunction Printer
HOTP HMAC-based One-time Password ML Machine Learning

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
ACRONYM DEFINITION ACRONYM DEFINITION
MMS Multimedia Message Service PCI DSS Payment Card Industry Data Security Standard
MOA Memorandum of Agreement PDU Power Distribution Unit
MOU Memorandum of Understanding PE Portable Executable
MPLS Multiprotocol Label Switching PEAP Protected Extensible Authentication Protocol
MSA Measurement Systems Analysis PED Portable Electronic Device
MS-CHAP Microsoft Challenge-Handshake PEM Privacy Enhanced Mail
Authentication Protocol PFS Perfect Forward Secrecy
MSP Managed Service Provider PGP Pretty Good Privacy
MSSP Managed Security Service Provider PHI Personal Health Information
MTBF Mean Time Between Failures PII Personally Identifiable Information
MTTF Mean Time to Failure PIN Personal Identification Number
MTTR Mean Time to Repair PIV Personal Identity Verification
MTU Maximum Transmission Unit PKCS Public Key Cryptography Standards
NAC Network Access Control PKI Public Key Infrastructure
NAS Network-attached Storage PoC Proof of Concept
NAT Network Address Translation POP Post Office Protocol
NDA Non-disclosure Agreement POTS Plain Old Telephone Service
NFC Near-field Communication PPP Point-to-Point Protocol
NFV Network Function Virtualization PPTP Point-to-Point Tunneling Protocol
NGFW Next-generation Firewall PSK Preshared Key
NG-SWG Next-generation Secure Web Gateway PTZ Pan-Tilt-Zoom
NIC Network Interface Card PUP Potentially Unwanted Program
NIDS Network-based Intrusion Detection System QA Quality Assurance
NIPS Network-based Intrusion Prevention System QoS Quality of Service
NIST National Institute of Standards & Technology PUP Potentially Unwanted Program
NOC Network Operations Center RA Registration Authority
NTFS New Technology File System RAD Rapid Application Development
NTLM New Technology LAN Manager RADIUS Remote Authentication Dial-in User Service
NTP Network Time Protocol RAID Redundant Array of Inexpensive Disks
OCSP Online Certificate Status Protocol RAM Random Access Memory
OID Object Identifier RAS Remote Access Server
OS Operating System RAT Remote Access Trojan
OSI Open Systems Interconnection RC4 Rivest Cipher version 4
OSINT Open-source Intelligence RCS Rich Communication Services
OSPF Open Shortest Path First RFC Request for Comments
OT Operational Technology RFID Radio Frequency Identification
OTA Over-The-Air RIPEMD RACE Integrity Primitives
OTG On-The-Go Evaluation Message Digest
OVAL Open Vulnerability and Assessment Language ROI Return on Investment
OWASP Open Web Application Security Project RPO Recovery Point Objective
P12 PKCS #12 RSA Rivest, Shamir, & Adleman
P2P Peer-to-Peer RTBH Remotely Triggered Black Hole
PaaS Platform as a Service RTO Recovery Time Objective
PAC Proxy Auto Configuration RTOS Real-time Operating System
PAM Privileged Access Management RTP Real-time Transport Protocol
PAM Pluggable Authentication Modules S/MIME Secure/Multipurpose Internet Mail Extensions
PAP Password Authentication Protocol SaaS Software as a Service
PAT Port Address Translation SAE Simultaneous Authentication of Equals
PBKDF2 Password-based Key Derivation Function 2 SAML Security Assertions Markup Language
PBX Private Branch Exchange SCADA Supervisory Control and Data Acquisition
PCAP Packet Capture SCAP Security Content Automation Protocol

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
ACRONYM DEFINITION ACRONYM DEFINITION
SCEP Simple Certificate Enrollment Protocol UAT User Acceptance Testing
SDK Software Development Kit UDP User Datagram Protocol
SDLC Software Development Life Cycle UEBA User and Entity Behavior Analytics
SDLM Software Development Life-cycle Methodology UEFI Unified Extensible Firmware Interface
SDN Software-defined Networking UEM Unified Endpoint Management
SDP Service Delivery Platform UPS Uninterruptible Power Supply
SDV Software-defined Visibility URI Uniform Resource Identifier
SED Self-Encrypting Drives URL Universal Resource Locator
SEH Structured Exception Handling USB Universal Serial Bus
SFTP SSH File Transfer Protocol USB OTG USB On-The-Go
SHA Secure Hashing Algorithm UTM Unified Threat Management
SIEM Security Information and Event Management UTP Unshielded Twisted Pair
SIM Subscriber Identity Module VBA Visual Basic for Applications
SIP Session Initiation Protocol VDE Virtual Desktop Environment
SLA Service-level Agreement VDI Virtual Desktop Infrastructure
SLE Single Loss Expectancy VLAN Virtual Local Area Network
SMB Server Message Block VLSM Variable-length Subnet Masking
S/MIME Secure/Multipurpose Internet Mail Extensions VM Virtual Machine
SMS Short Message Service VoIP Voice over IP
SMTP Simple Mail Transfer Protocol VPC Virtual Private Cloud
SMTPS Simple Mail Transfer Protocol Secure VPN Virtual Private Network
SNMP Simple Network Management Protocol VTC Video Teleconferencing
SOAP Simple Object Access Protocol WAF Web Application Firewall
SOAR Security Orchestration, Automation, Response WAP Wireless Access Point
SoC System on Chip WEP Wired Equivalent Privacy
SOC Security Operations Center WIDS Wireless Intrusion Detection System
SPF Sender Policy Framework WIPS Wireless Intrusion Prevention System
SPIM Spam over Instant Messaging WORM Write Once Read Many
SQL Structured Query Language WPA WiFi Protected Access
SQLi SQL Injection WPS WiFi Protected Setup
SRTP Secure Real-time Transport Protocol XaaS Anything as a Service
SSD Solid State Drive XML Extensible Markup Language
SSH Secure Shell XOR Exclusive OR
SSID Service Set Identifier XSRF Cross-site Request Forgery
SSL Secure Sockets Layer XSS Cross-site Scripting
SSO Single Sign-on
STIX Structured Threat Information eXpression
STP Shielded Twisted Pair
SWG Secure Web Gateway
TACACS+ Terminal Access Controller Access Control System
TAXII Trusted Automated eXchange
of Intelligence Information
TCP/IP Transmission Control Protocol/Internet Protocol
TGT Ticket Granting Ticket
TKIP Temporal Key Integrity Protocol
TLS Transport Layer Security
TOTP Time-based One Time Password
TPM Trusted Platform Module
TSIG Transaction Signature
TTP Tactics, Techniques, and Procedures

CompTIA Security+ Certification Exam Objectives Version 3.0 (Exam Number: SY0-601)
Security+ Proposed Hardware and Software List

CompTIA has included this sample list of hardware and software to assist candidates
as they prepare for the Security+ exam. This list may also be helpful for training
companies that wish to create a lab component for their training offering.
The bulleted lists below each topic are sample lists and are not exhaustive.

HARDWARE SOFTWARE OTHER

• Laptop with Internet access • Virtualization software • Access to a CSP
• Separate wireless NIC • Penetration testing OS/distributions
• WAP (e.g., Kali Linux, Parrot OS)
• Firewall • SIEM
• UTM • Wireshark
• Mobile device • Metasploit
• Server/cloud server • tcpdump
• IoT devices

© 2019 CompTIA Properties, LLC, used under license by CompTIA Certifications, LLC. All rights reserved. All certification programs and education related to such
programs are operated exclusively by CompTIA Certifications, LLC. CompTIA is a registered trademark of CompTIA Properties, LLC in the U.S. and internationally.
Other brands and company names mentioned herein may be trademarks or service marks of CompTIA Properties, LLC or of their respective owners. Reproduction
or dissemination prohibited without written consent of CompTIA Properties, LLC. Printed in the U.S. 007330-Dec2019