CompTIA Security+ SY0-701

Ultimate Cheat Sheet

Everything you need in one page — ports, attacks, crypto, acronyms, formulas, and memory aids. Print it, bookmark it, master it.

Exam Window: 90 min
Passing Score: 750/900
Question Count: 90 Qs
Coverage Areas: 5 Domains

Section 01

Domain Weights & Focus Areas

D1 (12%) General Security Concepts | CIA Triad, AAA, PKI, Zero Trust, Crypto basics
D2 (22%) Threats, Vulns & Mitigations | Malware, Phishing, Injection, Social Engineering, IoCs
D3 (18%) Security Architecture | Cloud, DMZ, VPN, Firewall, SDN, Zero Trust design
D4 (28%) Security Operations | SIEM, IR, Forensics, IAM, PAM, Vuln Mgmt, EDR
D5 (20%) Security Program Mgmt | Risk, BIA, BCP, GDPR, HIPAA, PCI-DSS, Compliance

Domain Strategy

D4 + D2 = 50% of exam — master these first
PBQs appear first — tackle when fresh, flag if stuck
Scenario stems: find the BEST or FIRST action, not all valid ones
Daily: 15 domain questions + 1 PBQ scenario walkthrough
D3: memorize DMZ, network segmentation, cloud shared responsibility
D5: know RTO vs RPO, BIA outputs, and regulatory frameworks

Section 02

Critical Ports & Protocols

Common Services

Port | Service | Notes
20/21 | FTP | File Transfer — 21=control, 20=data (insecure)
22 | SSH / SFTP / SCP | Secure remote shell, secure file transfer
23 | Telnet | Unencrypted remote shell (AVOID — use SSH)
25 | SMTP | Outbound email sending
53 | DNS | Domain name resolution (UDP usually, TCP for zone transfers)
67/68 | DHCP | IP address assignment (server/client)
69 | TFTP | Trivial FTP — UDP, no auth (used in PXE boot, network devices)
80 | HTTP | Unencrypted web traffic (replace with HTTPS)
110 | POP3 | Email retrieval (insecure — use 995 POP3S)
119 | NNTP | Network news transfer
123 | NTP | Network Time Protocol — critical for log accuracy & Kerberos
135 | RPC/DCOM | Windows remote procedure calls
137-139 | NetBIOS | Windows file/printer sharing (legacy)
143 | IMAP | Email retrieval (insecure — use 993 IMAPS)

Secure & Encrypted

Port | Service | Notes
389 | LDAP | Directory services (insecure — use 636 LDAPS)
443 | HTTPS | Encrypted web traffic (TLS)
445 | SMB | Windows file sharing — common attack vector (EternalBlue)
465/587 | SMTPS | Secure email sending (587=STARTTLS preferred)
514 | Syslog | Log forwarding (UDP — use 6514 for TLS syslog)
636 | LDAPS | Encrypted LDAP — use instead of 389
993 | IMAPS | Encrypted email retrieval
995 | POP3S | Encrypted POP3
1433 | MSSQL | Microsoft SQL Server
1521 | Oracle DB | Oracle database
1723 | PPTP | VPN (outdated — use IKEv2/OpenVPN/WireGuard)
3306 | MySQL/MariaDB | MySQL database server
3389 | RDP | Remote Desktop Protocol — high-value attack target
5060/5061 | SIP | VoIP signaling (5060=UDP/TCP, 5061=TLS)

Security & Management

Port | Service | Notes
161/162 | SNMP | Network device management (v3 = encrypted)
162 | SNMP Trap | Notifications from devices to manager
389 | LDAP | Active Directory queries
500 | IKE/IPSec | VPN key exchange
514 | Syslog | Log aggregation
1194 | OpenVPN | VPN (UDP/TCP)
1701 | L2TP | VPN tunneling (use with IPSec)
4500 | IPSec NAT-T | IPSec through NAT
8080 | HTTP Alt | Web proxy, alternate HTTP
8443 | HTTPS Alt | Alternate HTTPS
51820 | WireGuard | Modern VPN protocol

Remember for Exam

→ Secure replacements
Replace insecure with secure: Telnet→SSH, FTP→SFTP, HTTP→HTTPS, LDAP→LDAPS, SNMP v1/v2→v3, POP3→POP3S, IMAP→IMAPS
→ UDP ports
DNS(53), DHCP(67/68), TFTP(69), NTP(123), SNMP(161), Syslog(514), RIP(520), IKE(500)
→ Attack vectors
SMB(445) — WannaCry/EternalBlue | RDP(3389) — brute force | FTP(21) — plain text | Telnet(23) — sniffing
→ Zone transfers
DNS zone transfers use TCP/53 — should be restricted to authorized DNS servers only

Section 03

Attack Types & Defenses

Attack | What It Does | Key Detail | Defense
Phishing | Fraudulent emails to steal creds or deliver malware | Spear=targeted, Whaling=executives, Vishing=voice, Smishing=SMS | Email filtering, MFA, security awareness training
SQL Injection | Malicious SQL in input fields manipulates DB | UNION, blind, time-based variations | Parameterized queries, WAF, input validation
XSS | Injects scripts into web pages viewed by others | Stored (DB), Reflected (URL), DOM-based | Input sanitization, CSP, output encoding
CSRF | Forces user to submit unintended requests | Exploits authenticated session | Anti-CSRF tokens, SameSite cookies
Buffer Overflow | Writes past buffer boundary to execute code | Stack/heap overflow, DEP bypass | Input validation, ASLR, DEP/NX bit, safe languages
Man-in-the-Middle | Intercepts communication between two parties | ARP spoofing, SSL stripping, DNS poisoning | TLS/HTTPS, certificate pinning, HSTS
DoS / DDoS | Overwhelms system to deny service | Volumetric, Protocol, App-layer, Amplification | Rate limiting, CDN, DDoS scrubbing, anycast
Ransomware | Encrypts files and demands payment | Double extortion: encrypt + exfiltrate | Backups (3-2-1), email filtering, patching, EDR
Supply Chain | Compromises software/hardware before delivery | SolarWinds attack (malicious update) | Vendor vetting, code signing, SBOM
Watering Hole | Compromises sites targets visit | Drive-by download delivery | Web filtering, browser hardening, threat intel
Password Spraying | Few common passwords against many accounts | Avoids account lockout policies | MFA, unusual login alerting, lockout policies
Credential Stuffing | Breached creds used on other services | Exploits password reuse | MFA, password managers, breach monitoring
Brute Force | Tries all password combinations systematically | Slow; attackers speed it up with wordlists or rainbow tables | Account lockout, MFA, long complex passwords
Rainbow Table | Precomputed hash lookup to crack passwords | Eliminated by salting | Salt passwords before hashing
Replay Attack | Captures and retransmits valid authentication | Session token reuse | Timestamps, nonces, TLS session tokens
Kerberoasting | Requests Kerberos tickets to crack offline | Targets service accounts with SPNs | Long random service account passwords, AES encryption
Pass the Hash | Uses captured NTLM hash without cracking | Windows lateral movement technique | Credential Guard, privileged account hygiene
Social Engineering | Manipulates humans into revealing info | Pretexting, baiting, quid pro quo, tailgating | Security awareness training, verification procedures
Zero-Day | Exploits unknown/unpatched vulnerability | No patch exists yet | Defense-in-depth, behavior analytics, network segmentation
Fileless Malware | Runs in memory, leaves no disk artifacts | Uses PowerShell, WMI, or LOLBins | EDR, memory scanning, script block logging
Rootkit | Hides deep in OS or bootloader | Kernel-mode hardest to detect | Secure Boot, trusted boot, OS reinstall
Drive-By Download | Malware downloaded by just visiting a site | No user action required beyond browsing | Browser patching, content filtering, NoScript
Vishing | Voice phishing calls impersonating trusted orgs | Often targets call center staff or employees | Verification callbacks, training, caller ID validation
Smishing | SMS phishing messages with malicious links | Targets mobile users | User training, mobile security policies
Spear Phishing | Targeted phishing using personal info about victim | Research done via OSINT beforehand | Training, DMARC/SPF/DKIM, email authentication

Section 04

Cryptography Quick Reference

Algorithms at a Glance

Algorithm | Type | Key/Size | Use Case
AES | Symmetric | 128/192/256-bit | Block encryption (gold standard)
3DES | Symmetric | 112/168-bit | Legacy block cipher (deprecated)
ChaCha20 | Symmetric | 256-bit | Mobile/IoT encryption, TLS 1.3
RSA | Asymmetric | 2048-4096-bit | Key exchange, digital signatures
ECC/ECDSA | Asymmetric | 256-bit ≈ RSA 3072 | Smaller key, same strength
DH/DHE | Asymmetric | 2048+ bit | Key exchange (PFS with DHE)
ECDHE | Asymmetric | 256-bit | PFS key exchange (TLS 1.3)
SHA-256/512 | Hash | 256/512-bit output | Integrity verification
SHA-3 | Hash | Variable | Newest NIST hash standard
MD5 | Hash | 128-bit | BROKEN — do not use for security
HMAC | Hash+Key | Variable | Message authentication + integrity
bcrypt | KDF | Variable | Password hashing (slow by design)
PBKDF2 | KDF | Variable | Key stretching (NIST recommended)
scrypt | KDF | Variable | Memory-hard password hashing

PKI Trust Chain

Root CA (offline) → Intermediate CA → Issued Certificate → End Entity
  • CRL = revocation list (periodic download)
  • OCSP = real-time revocation check
  • OCSP Stapling = cert proves its own validity
  • Certificate Pinning = hardcoded cert in app
  • Wildcard cert = *.example.com (one level only)
  • SAN cert = multiple domains in one cert

Block Cipher Modes

ECB (Electronic Codebook): AVOID — identical plaintext blocks produce identical ciphertext
CBC (Cipher Block Chaining): Each plaintext block is XORed with the previous ciphertext block — good, but the IV matters
CTR (Counter Mode): Turns a block cipher into a stream cipher, parallelizable
GCM (Galois/Counter Mode): Authenticated encryption — preferred in TLS 1.3
CCM (Counter+CBC-MAC): Used in WPA3, IoT (IEEE 802.11)

Key Crypto Concepts

Salting: Random data added before hashing — defeats rainbow tables
Key Stretching: Repeated hashing — makes brute force expensive (bcrypt, PBKDF2)
PFS: Perfect Forward Secrecy — ephemeral keys so past traffic stays safe
Ephemeral Keys: New key pair per session — provides PFS (DHE, ECDHE)
Digital Signature: Private key signs hash → public key verifies → non-repudiation
Hybrid Encryption: Asymmetric for key exchange + Symmetric for data (TLS)
Steganography: Hides data inside other files (not encryption)
Tokenization: Replaces sensitive data with non-sensitive token (PCI)
Obfuscation: Makes code/data harder to understand — security through obscurity
HSM: Dedicated hardware for key storage and crypto operations

Section 05

Incident Response & Forensics

IR Lifecycle (NIST SP 800-61)

1. Preparation: Plans, playbooks, SIEM, tools, training — BEFORE the incident
2. Detection & Analysis: Alerts, log review, scope assessment, artifact collection
3. Containment: Isolate affected systems, disable accounts, block IOCs — STOP SPREAD
4. Eradication: Remove malware, patch vuln, reset creds, clean affected systems
5. Recovery: Restore from clean backups, monitor for re-infection, resume operations
6. Lessons Learned: Post-incident review, update playbooks, document findings, training

Order of Volatility (most → least volatile)

Order | Artifact | Note
1st | CPU Registers & Cache | Nanoseconds — lost on power off
2nd | RAM / Running Processes | Minutes — crucial for malware analysis
3rd | Swap Space / Virtual Memory | Less volatile than RAM
4th | Network Connections & State | Active connections, routing tables
5th | Running Processes & Services | Process list, open files, handles
6th | Disk (File System) | Files, logs, registry — stable
7th | Remote / Cloud Logs | May be overwritten — collect early
8th | Physical Media & Backups | Most stable — archived

Key Forensics Concepts

  • Chain of Custody: Document every handler, transfer, and action on evidence
  • Legal Hold: Stop destroying records when litigation is anticipated
  • Write Blocker: Hardware device preventing writes during forensic imaging
  • Disk Image: Bit-for-bit copy — always hash (MD5/SHA) before AND after
  • Locard's Principle: Every contact leaves a trace — digital evidence too
  • Containment types: Segmentation (network), Isolation (host), Removal (asset)
  • FIRST action in breach: Contain THEN eradicate — never eradicate first (destroys evidence)

Indicators of Compromise (IoCs)

Unusual outbound traffic
New/unknown admin accounts
Disabled security tools
Encrypted traffic spikes
Impossible travel logins
Large data transfers
Failed login floods
Registry run key changes
New scheduled tasks
Unusual process parents
Lateral movement logs
DNS queries to new TLDs

Section 06

Risk Math & Availability Metrics

Risk Quantification Formulas

SLE (Single Loss Expectancy) = Asset Value × Exposure Factor (EF). Cost of one incident occurrence.
ARO (Annualized Rate of Occurrence): expected frequency per year. ARO = 0.5 means once every 2 years.
ALE (Annualized Loss Expectancy) = SLE × ARO. Expected annual cost; used to justify control cost.
EF (Exposure Factor): % of asset value lost per incident. EF = 0.25 means 25% of asset lost.
Decision Rule: implement a control only if Control Cost < ALE.

Availability "The Nines"

Availability | Nines | Downtime per year
99% | 1 nine | ~3.65 days
99.9% | 2 nines | ~8.76 hours
99.99% | 3 nines | ~52.6 minutes
99.999% | 4 nines | ~5.26 minutes
99.9999% | 5 nines | ~31.5 seconds
99.99999% | 6 nines | ~3.15 seconds

Recovery Metrics

RTO (Recovery Time Objective): Max acceptable downtime after incident
RPO (Recovery Point Objective): Max acceptable data loss (time-based)
MTTR (Mean Time To Repair): Avg time to fix a failed component
MTBF (Mean Time Between Failures): Avg time between failures (reliability)
MTTF (Mean Time To Failure): Expected lifetime of non-repairable item

Risk Response Strategies

Accept: Live with the risk — cost of fix > cost of impact
Avoid: Eliminate the risk-causing activity entirely
Transfer: Shift risk to another party (insurance, outsource)
Mitigate: Reduce probability or impact via controls
Residual Risk: Risk remaining AFTER controls applied
Inherent Risk: Risk BEFORE any controls are applied

DR Site Types

Hot Site: Real-time sync, immediate failover, highest cost
Warm Site: Partially equipped, hours to days to activate
Cold Site: Basic shell (power, cooling), days/weeks to restore
Mobile Site: Trailer/portable facility — rapid deployment
Cloud DR: Elastic cloud resources spun up on demand

Backup Strategy (3-2-1 Rule)

3 copies of data (1 primary + 2 backups)
2 different storage media types
1 offsite or cloud copy
Full backup: Complete copy, slow/large
Incremental: Changes since LAST backup; fast to take, restore needs the full plus every incremental (multiple tapes)
Differential: Changes since LAST FULL; faster restore, full plus latest differential (2 tapes)

Section 07

Must-Know Acronyms

Identity & Access

IAM Identity & Access Management
MFA Multi-Factor Authentication
SSO Single Sign-On
PAM Privileged Access Management
RBAC Role-Based Access Control
ABAC Attribute-Based Access Control
MAC Mandatory Access Control
DAC Discretionary Access Control
LDAP Lightweight Directory Access Protocol
SAML Security Assertion Markup Language
OAuth Open Authorization 2.0
OIDC OpenID Connect

Network & Security

NGFW Next-Generation Firewall
WAF Web Application Firewall
IDS Intrusion Detection System
IPS Intrusion Prevention System
NAC Network Access Control
CASB Cloud Access Security Broker
DMZ Demilitarized Zone
VPN Virtual Private Network
SDN Software-Defined Networking
VLAN Virtual LAN
ACL Access Control List
NTA Network Traffic Analysis

Security Operations

SIEM Security Info & Event Management
SOAR Security Orchestration & Response
EDR Endpoint Detection & Response
XDR Extended Detection & Response
MDR Managed Detection & Response
DLP Data Loss Prevention
IoC Indicator of Compromise
TTP Tactics, Techniques & Procedures
APT Advanced Persistent Threat
CTI Cyber Threat Intelligence
SOC Security Operations Center
UEBA User & Entity Behavior Analytics

Governance & Risk

GRC Governance, Risk & Compliance
BIA Business Impact Analysis
BCP Business Continuity Plan
DRP Disaster Recovery Plan
RTO Recovery Time Objective
RPO Recovery Point Objective
SLE Single Loss Expectancy
ALE Annualized Loss Expectancy
ARO Annualized Rate of Occurrence
NDA Non-Disclosure Agreement
SLA Service Level Agreement
MOU Memorandum of Understanding

Section 08

Memory Aids & Mnemonics

CIA Triad

Keep It All
Confidentiality: Encryption, access control, need-to-know
Integrity: Hashing, digital sigs, change control
Availability: Redundancy, DR/BCP, fault tolerance

AAA Framework

Who, What, Prove It
AuthN (Authentication): WHO are you? (passwords, biometrics, certs)
AuthZ (Authorization): WHAT may you do? (least privilege, RBAC)
Acct (Accounting): PROVE it (logs, audits, SIEM forensics)

MFA Factors

Know Have Are Do Where
Know = Something you know: Password, PIN, security question
Have = Something you have: Phone, smart card, hardware token
Are = Something you are: Fingerprint, retina, facial recognition
Do = Something you do: Behavioral biometrics (typing rhythm)
Where = Somewhere you are: GPS location, IP geolocation

STRIDE Threat Model

STRIDE
Spoofing: Impersonating a user/system → strong auth
Tampering: Modifying data → integrity checks
Repudiation: Denying actions → logging, non-repudiation
Info Disclosure: Data leaks → classification, encryption
Denial of Service: Disruption → rate limiting, redundancy
Elevation of Privilege: Gaining higher rights → least privilege, patching

OSI Layers

Please Do Not Throw Sausage Pizza Away
7 Application: HTTP, DNS, SMTP, FTP — user-facing services
6 Presentation: TLS, SSL, encoding — data formatting
5 Session: NetBIOS, RPC — session management
4 Transport: TCP/UDP, ports, segmentation
3 Network: IP, ICMP, routing, ACLs
2 Data Link: MAC, ARP, switching, VLAN
1 Physical: Cables, RF, fiber, hubs

IR Steps

Prepare, Detect, Contain, Eradicate, Recover, Learn
Preparation: Plans, tools, team — BEFORE incident
Detection: Identify and confirm — SIEM, alerts
Containment: Isolate — STOP the bleeding
Eradication: Remove root cause — clean systems
Recovery: Restore — verify, monitor, resume
Lessons Learned: Review — update playbooks

Section 09

Frameworks, Regulations & Standards

NIST CSF
National Institute of Standards and Technology Cybersecurity Framework
Identify → Protect → Detect → Respond → Recover
Voluntary framework for critical infrastructure and general orgs
ISO 27001
International Organization for Standardization
Plan → Do → Check → Act (PDCA cycle)
International standard for Information Security Management Systems (ISMS)
GDPR
General Data Protection Regulation (EU)
Data minimization, subject rights, 72hr breach notification
Applies to ANY org handling EU resident data; fines up to €20M or 4% revenue
HIPAA
Health Insurance Portability & Accountability Act
Privacy Rule + Security Rule + Breach Notification Rule
Protects PHI (Protected Health Information) for US healthcare entities
PCI-DSS
Payment Card Industry Data Security Standard
12 requirements: network security, encryption, access control, monitoring
Mandatory for orgs handling cardholder data; quarterly scans + annual pentest
SOC 2
Service Organization Control Type 2
Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy
Auditing standard for cloud service providers and SaaS companies
FedRAMP
Federal Risk and Authorization Management Program
NIST 800-53 controls + Continuous Monitoring
US government cloud security authorization program
CMMC
Cybersecurity Maturity Model Certification
5 maturity levels from basic to advanced practices
Required for US DoD contractors and subcontractors
CIS Controls
Center for Internet Security
18 Critical Security Controls prioritized by impact
Implementation Groups 1-3 for organizations of different sizes

Section 10

Security Tools & Technology Mapping

Network Defense

Firewall: Filters traffic by rules (stateful = tracks sessions)
NGFW: Deep packet inspection + app awareness + IPS
IDS: Passive — detects and alerts (Snort, Suricata)
IPS: Active — detects and blocks (inline)
WAF: Blocks web app attacks (SQLi, XSS) at Layer 7
Honeypot: Decoy system to detect/trap attackers
Proxy: Intercepts requests, hides client identity, filters content
CASB: Enforces policy between users and cloud services

Endpoint & Detection

EDR: Records all endpoint activity, detects advanced threats
XDR: EDR + network + cloud — unified detection
HIDS: Host-based IDS — file integrity, log monitoring
HIPS: Host-based IPS — blocks suspicious processes
AV/Anti-malware: Signature + heuristic malware detection
DLP: Prevents data exfiltration at endpoint/network/cloud
FDE: Full Disk Encryption — BitLocker, FileVault
TPM: Chip-based key storage for Secure Boot, BitLocker

Operations & Monitoring

SIEM: Centralizes logs, correlates events, triggers alerts
SOAR: Automates response playbooks, reduces response time
Log Management: Centralized storage, retention, and search of logs
NTA/NDR: Baseline normal traffic, detect anomalies
UEBA: Behavioral baseline per user — detects insider threats
Vulnerability Scanner: Nessus, Qualys, OpenVAS — find weaknesses
Patch Mgmt: WSUS, SCCM, Ansible — deploy security updates
Asset Mgmt: CMDB — inventory of all hardware and software

Identity & Crypto

MFA: Requires 2+ different factor categories
PAM: Controls/vaults privileged credentials (CyberArk)
SSO: One credential for multiple apps (SAML/OIDC)
Directory: Active Directory / LDAP — user/group management
PKI: Certificate authority hierarchy for digital trust
HSM: Hardware security module for key management
KMS: Cloud key management service (AWS KMS, Azure Key Vault)
Password Mgr: Encrypted vault for credentials — reduces reuse

Exam Day Strategy

Time Management: 90 min / 90 questions = 1 min each. PBQs first. Flag difficult MCQs. Use the last 10 min to review flags.
Process of Elimination: If unsure, eliminate obviously wrong answers. Always pick the BEST answer; multiple may be technically correct.
Keyword Triggers: FIRST action = Contain. BEST step = most restrictive correct option. Immediate = automatic/technical control.
Scenario Logic: Identify WHO is asking, WHAT the problem is, WHAT is already in place, and WHAT the goal is. Then pick the control.