This lesson covers:

  • The structural difference between phishing, spear phishing, and whaling
  • How attackers use OSINT to build convincing spear phishing emails
  • Defense-in-depth: DMARC, SPF, DKIM, and FIDO2
  • Context clues to identify attack type in scenario questions
  • Phishing: mass broadcast to thousands (spray and pray)
  • Spear Phishing: targeted, OSINT-driven, one specific victim
  • Whaling: exclusively attacks C-Suite executives
  • Vishing: voice-based social engineering via phone
The attacker's goal is to bypass technical controls by exploiting human psychology: urgency, fear, greed, or curiosity.

The Core Differences in One Line

Social engineering relies on human deception. The SY0-701 exam requires you to differentiate these attacks based on their target scope and level of personalization.

  • Phishing: Broad, untargeted attack sent to thousands (Spray and Pray). Low personalization, high volume.
  • Spear Phishing: Highly targeted, OSINT-crafted message for a specific person or team. May reference manager name, project, or internal terminology.
  • Whaling: Specialized spear phishing aimed exclusively at C-Suite executives (CEO, CFO, Board Members).
  • Vishing: Voice-based social engineering — the attacker calls the victim, often impersonating IT support or a bank.

Deep Dive: Anatomy of a Spear Phishing Attack

Unlike generic phishing, spear phishers conduct serious reconnaissance first. They scrape LinkedIn, company websites, GitHub commits, and previous breach data to craft an incredibly convincing email.

Real-World Scenario

An attacker researches the target company on LinkedIn, finds the CFO's name and her direct report in accounting, and learns the company uses Salesforce. They craft an email from 'Salesforce billing' addressing the accounting manager by first name, referencing the CFO's approval, with a link to a fake Salesforce login. The manager enters credentials immediately.

[Figure: Spear phishing business email compromise attack path]
Exam questions often present an email mentioning the recipient's exact project name or manager. This is Spear Phishing, not generic Phishing. The specificity of internal detail is the key differentiator.

Business Email Compromise (BEC)

  • Attacker spoofs the CEO's email and requests an urgent wire transfer from the CFO to a 'new vendor' for a 'confidential acquisition.' Urgency + authority bypass normal approval workflows.
  • Attacker spoofs a trusted vendor's email and sends a 'change of banking details' notice. The company updates its payment records and sends future payments to the attacker's account for months before discovery.
  • Attacker calls the IT help desk impersonating an executive, claiming they're locked out before an important board call. Social pressure results in a credential reset without proper identity verification.

Defense-in-Depth vs Phishing Attacks

Control Type   | Implementation                                      | Exam Relevance
Administrative | Security Awareness Training & Phishing Simulations  | Addresses the human element directly.
Technical      | DMARC, SPF, and DKIM email authentication           | Prevents domain spoofing, verifies sender authenticity.
Technical      | FIDO2 / Hardware Security Keys (YubiKey)            | Completely neutralizes credential harvesting from fake login pages.
Technical      | Email Sandboxing & Link Rewriting                   | Detonates malicious attachments before they reach the inbox.
Administrative | Multi-person approval for wire transfers            | Eliminates the single point of failure in BEC scenarios.
If the exam asks for the MOST effective technical control against credential phishing, look for FIDO2/Hardware tokens. SMS or TOTP MFA can still be bypassed by modern AitM proxy tools like Evilginx2.
  • Phishing = mass broadcast. Spear Phishing = targeted individual. Whaling = C-Suite target.
  • More specific internal detail in the email = higher confidence it is Spear Phishing.
  • BEC (Business Email Compromise) combines whaling with wire fraud — CFO/HR teams are primary targets.
  • FIDO2 hardware keys are the only MFA method that cannot be bypassed by AitM proxy attacks.
  • DMARC + SPF + DKIM: SPF validates the server, DKIM validates the content, DMARC enforces policy.
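To make the last takeaway concrete, here is an added example (not part of the original lesson) of the DMARC decision a receiving mail server makes for the spoofed-CEO BEC message from the table above: SPF and DKIM each produce a result plus the domain they authenticated, and DMARC passes only if one of them passes and aligns with the RFC 5322 From domain; otherwise the record's p= policy is applied. The domains, the DMARC record and the simplified organizational-domain logic are all constructed assumptions.

```python
def org_domain(domain: str) -> str:
    """Approximate the organizational domain by keeping the last two labels.
    Real receivers consult the Public Suffix List; this is an assumption for
    the example (it is wrong for suffixes such as co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment: same organizational domain.
    Strict ('s') alignment: exact match with the From domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; aspf=s') into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_disposition(from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, dmarc_record):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope-from (MAIL FROM) domain SPF evaluated;
    dkim_domain is the d= tag of the verified signature. The DMARC record
    is passed in directly; DNS lookup is out of scope for the example."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    # Constructed BEC case: the From header claims ceo@example.com, but the
    # attacker sent from their own domain, so SPF passes for that domain
    # without aligning, and there is no DKIM signature for example.com.
    policy = "v=DMARC1; p=reject"
    print(dmarc_disposition("example.com", "pass", "attacker.example", "none", "", policy))
    # Legitimate mail relayed by mail.example.com passes under relaxed alignment.
    print(dmarc_disposition("example.com", "pass", "mail.example.com", "none", "", policy))
```

Note that with p=none the spoofed message would still be delivered, which is why the exam answer for "prevents domain spoofing" assumes the domain owner has moved to quarantine or reject.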
