  • All 6 PICERL phases in correct order with clear boundaries
  • The containment vs. eradication boundary, where candidates lose points
  • Evidence preservation and forensic chain of custody requirements
  • Post-incident review timing and Lessons Learned deliverables
194: average days to identify a breach (IBM Cost of a Data Breach Report 2024)
$4.9M: average cost of a data breach in USD (IBM 2024)
14: days, target window for the Lessons Learned review after the incident closes
Preparation is the only phase that occurs BEFORE the actual incident. Everything else is reactive.

PICERL: The Lifecycle of a Breach

Incident Response is a highly structured discipline. PICERL stands for Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned (the SANS naming; SY0-701 objective 4.8 lists the same process with Identification split into Detection and Analysis). The CompTIA SY0-701 tests heavily on which specific action belongs to which phase, and assigning one action to the wrong phase is a common and expensive mistake.

Phase 1: Preparation
Everything built BEFORE an incident occurs. Deliverables: Incident Response Plan (IRP), tabletop exercises, runbooks, configured SIEM alerting, defined communication trees. The only purely proactive phase.

Phase 2: Identification
Detecting that an incident is actually occurring and validating that it is not a false positive. SIEM alerts fire, the analyst investigates logs, correlates IOCs, and makes the determination to trigger the IRP.

Phase 3: Containment
Stop the bleeding. Prevent the threat from spreading while preserving forensic evidence. Short-term: isolate the infected host from the network (pull the cable or disable the switch port; do NOT power it off, because that destroys volatile memory: running processes, open network connections, in-memory keys). Long-term: temporary measures that keep affected systems usable until they can be eradicated and rebuilt, such as firewall blocks, null routes, or an isolated VLAN, while clean replacement systems are built.

Phase 4: Eradication
Remove the threat entirely. Delete malware artifacts, close backdoors, patch the exploited vulnerability, disable compromised accounts. Root cause analysis is performed here: you cannot be sure the threat is gone until you know how it got in.

Phase 5: Recovery
Restore systems to verified, known-good operation. Restore from clean backups, force organization-wide password resets, return systems to production incrementally, and monitor intensely for 30 to 90 days for signs of reinfection.

Phase 6: Lessons Learned
Post-Incident Review within 14 days. Review what went wrong, what went right, and the root cause. Update the IRP, add new SIEM detection rules. The output feeds directly back into Preparation.
Exam Trap: Do NOT wipe or reimage an infected server immediately. First disconnect it (Containment) and create a hashed forensic disk image for evidence before Eradication. Wiping destroys the evidence itself, and without an image and its hash there is nothing to enter into the chain of custody.

Common Phase Assignment Errors

Action | Wrong phase (common mistake) | Correct phase
Disconnecting the infected server's Ethernet cable | Identification or Eradication | Containment
Patching the vulnerability the attacker exploited | Recovery | Eradication
Identifying the root cause of the breach | Lessons Learned | Eradication
Restoring a database from a clean backup | Eradication | Recovery
Writing an Incident Response playbook | Lessons Learned | Preparation
Reviewing SIEM alerts to confirm the incident is real | Containment | Identification
Post-incident review with a Root Cause Analysis report | Recovery | Lessons Learned

Real-World Scenario

A ransomware alert fires at 3 AM. The analyst confirms it is real (Identification), then immediately isolates the infected servers by disabling their switch ports, NOT powering them off (Containment). The team images the drives forensically and hashes the images, establishes when the initial compromise happened, and only then wipes the servers and restores from the most recent backup that predates that compromise (Eradication + Recovery); restoring last night's backup blindly can put the attacker's foothold straight back into production. Two weeks later, the team holds a blameless post-mortem and updates the IRP with ransomware-specific playbooks (Lessons Learned).

# Evidence preservation before eradication (commands run on the hypervisor host)
virsh dump --memory-only --format elf infected_vm /forensics/mem.elf  # Capture RAM first: volatile, gone on power-off
virsh domif-setlink infected_vm vnet0 down        # Network containment: link down, VM keeps running
dd if=/dev/sda of=/forensics/disk.img bs=4M       # Forensic image of the evidence disk (failing media: bs=512 conv=noerror,sync)
sha256sum /dev/sda /forensics/disk.img > /forensics/disk.sha256   # Hash source and image; the two digests must match
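The hash is only half of chain of custody: it has to be recorded together with who acquired the evidence and when, and re-checked at every hand-off. The shell script below is an added example, not code from the original page, that does this end to end on a constructed sample file standing in for the disk; the evidence directory, case ID, handler names and the tab-separated custody-log layout are assumptions for illustration. It refuses to overwrite an existing image, aborts if the image hash does not match the source, and detects a modification made after acquisition.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): image a piece of evidence, hash
# source and copy, record a chain-of-custody entry, and verify the copy later.
# The "disk" is a constructed random file so the script runs without a real
# device; all paths, case IDs and handler names are hypothetical.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-$(mktemp -d)}"
CUSTODY_LOG="$EVIDENCE_DIR/custody.log"

# hash_file FILE: print the SHA-256 hex digest (sha256sum, or shasum fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_sample_source: constructed stand-in for /dev/sda (64 KiB of random bytes).
make_sample_source() {
    local src="$EVIDENCE_DIR/sample_source.bin"
    head -c 65536 /dev/urandom > "$src"
    echo "$src"
}

# acquire_image SOURCE CASE_ID HANDLER: copy SOURCE to an image, hash both, and
# log the acquisition only if the hashes match. Refuses to overwrite an existing
# image for the case: evidence is written once, never replaced in place.
acquire_image() {
    local src="$1" case_id="$2" handler="$3"
    local img="$EVIDENCE_DIR/${case_id}.img"
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing evidence: $img" >&2
        return 1
    fi
    # On failing physical media add conv=noerror,sync with bs=512 so a bad
    # sector is zero-padded instead of silently truncating the image.
    dd if="$src" of="$img" bs=4M 2>/dev/null
    local src_hash img_hash
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "image hash does not match source; acquisition failed" >&2
        return 1
    fi
    echo "$img_hash  $(basename "$img")" > "$img.sha256"   # sha256sum -c format
    # Custody entry: timestamp, case, event, handler, hash (tab-separated).
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$case_id" \
        "acquired" "$handler" "$img_hash" >> "$CUSTODY_LOG"
    echo "$img"
}

# record_transfer CASE_ID FROM TO: log a hand-off; the hash is recomputed at the
# moment of transfer so each custodian signs for exactly what they received.
record_transfer() {
    local case_id="$1" from="$2" to="$3"
    local img="$EVIDENCE_DIR/${case_id}.img"
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$case_id" \
        "transfer:$from->$to" "$to" "$(hash_file "$img")" >> "$CUSTODY_LOG"
}

# verify_image CASE_ID: return 0 if the image still matches the hash recorded
# at acquisition, 1 if it has changed or was never logged.
verify_image() {
    local case_id="$1"
    local img="$EVIDENCE_DIR/${case_id}.img"
    local logged current
    logged=$(awk -F'\t' -v c="$case_id" '$2==c && $3=="acquired" {print $5}' "$CUSTODY_LOG")
    [ -n "$logged" ] || return 1
    current=$(hash_file "$img")
    [ "$logged" = "$current" ]
}

# Walk-through on the constructed sample: acquire, hand off, verify, then
# simulate a post-acquisition modification and show that verification fails.
demo() {
    local src img
    src=$(make_sample_source)
    img=$(acquire_image "$src" "IR-0001" "oncall-analyst")
    record_transfer "IR-0001" "oncall-analyst" "forensics-lead"
    verify_image "IR-0001" && echo "IR-0001 intact"
    printf 'x' >> "$img"
    verify_image "IR-0001" || echo "IR-0001 ALTERED since acquisition"
    cat "$CUSTODY_LOG"
}

demo
```

Point EVIDENCE_DIR at a location mounted read-only once acquisition finishes. The script shows the mechanism only: a real custody record also needs signatures or an append-only store, otherwise whoever can edit the log can rewrite the recorded hash along with the image.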
When asked in which phase you patch the exploited vulnerability, the answer is 'Eradication', not Recovery. When asked where the IRP or policies get updated after an incident, the answer is 'Lessons Learned.'
  • Preparation is the ONLY pre-incident phase — all others are reactive post-incident.
  • Containment = stop the spread and preserve evidence. Do NOT delete anything during Containment.
  • Eradication = remove the threat AND identify root cause. Patch the vulnerability here.
  • Recovery = restore from clean backups, monitor, return to production incrementally.
  • Lessons Learned should be held within 14 days of closing the incident; its output feeds back into Preparation.
