RoleMath Study Track for CompTIA Security+ (SY0-701)
A free study companion keyed to the officially published exam domains of CompTIA Security+ (SY0-701): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. CompTIA Security+ objectives
A free, source-cited study companion built on CompTIA's published exam objectives — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
A free Security+ program blueprint that follows CompTIA's current SY0-701 scope, uses official-first and vetted community instruction, and turns every domain into authorized defensive evidence without claiming instructional completeness or an exam or employment outcome.
This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.
Modules
5
Labs
5
Concept checks
13
Resource mix
2 official / 3 community
Choose an outcome
Three routes through the same evidence
Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.
Certification-focused
Learners who have selected Security+ and need one evidence-based sequence across the complete current SY0-701 blueprint.
Completion emphasis: Complete all five modules and defensive labs, the official sample set, the integrated security-baseline capstone, and a final objective-by-objective gap review.
Required phases: Scope, ethics, safety, and baseline, Security principles and integrity, Observe, triage, and preserve evidence, Threats, weaknesses, and mitigations, Design controls and govern risk, Defensive incident and control capstone
Defensive skills first
Career changers and IT practitioners who want reviewable evidence of integrity, threat analysis, architecture, operations, risk, and incident communication before scheduling an exam.
Completion emphasis: Retain redacted hash, header, TLS, packet, risk, control, incident, and communication artifacts from authorized labs and the capstone.
Required phases: Scope, ethics, safety, and baseline, Security principles and integrity, Observe, triage, and preserve evidence, Threats, weaknesses, and mitigations, Design controls and govern risk, Defensive incident and control capstone
Career-fit sprint
Learners deciding whether defensive analysis, security operations, architecture, or governance work fits their interests and judgment style.
Completion emphasis: Complete the diagnostic, integrity lab, permitted traffic or header analysis, and a short fictional risk-and-incident exercise; record which technical and governance tasks felt worth pursuing.
Required phases: Scope, ethics, safety, and baseline, Security principles and integrity, Observe, triage, and preserve evidence, Threats, weaknesses, and mitigations
Start safely
Prerequisite diagnostic
Route learners to ethical, safe, and accessible defensive practice before the labs; this is not a vendor eligibility rule or prediction of exam performance.
Can you state which devices, accounts, mailboxes, files, connections, and networks you own or are explicitly permitted to inspect?
Ready when: Yes, with a clear boundary that excludes work, school, public, shared, and third-party targets unless written permission exists.
If not yet: Use only fictional scenarios, throwaway local files, and written observation alternatives until the authorization boundary is unambiguous.
Can you create a throwaway file, open a terminal in its folder, and enter a read-only hash or certificate-inspection command exactly?
Ready when: Yes, with written steps and no need for elevated access on a managed device.
If not yet: Complete the local file-and-terminal warm-up before hashing, TLS, or packet-analysis work.
Can you distinguish an address, hostname, DNS lookup, TCP connection, port, and encrypted web session at a basic level?
Ready when: Yes, or you are prepared to use the networking bridge before the packet and TLS labs.
If not yet: Review the Network+ concepts and operations modules or an equivalent free networking foundation before interpreting packet evidence.
Can you inspect headers or a fictional phishing report without clicking, downloading, replying, forwarding, enabling content, or testing the sender?
Ready when: Yes, and you will route any real employer-targeted message through the employer's reporting process.
If not yet: Use a legitimate automated message or the written scenario only; do not open suspicious content for the sake of a lab.
Can you recognize credentials, tokens, email addresses, domains, packet payloads, hostnames, and business weaknesses that must not appear in a shared artifact?
Ready when: Yes, with a redaction checklist and a plan to delete raw captures when they are no longer needed.
If not yet: Use fictional evidence and complete the privacy checklist before recording screenshots, headers, logs, or packet fields.
Can you reserve short concept sessions plus a longer weekly block for evidence capture, analysis, and written incident or risk reasoning?
Ready when: Yes, with enough time to explain why a control or response fits rather than only naming it.
If not yet: Choose the steady pace, separate collection from analysis, and defer exam scheduling until the routine is repeatable.
Plan, then adapt
Pace options
Steady
10 weeks 6-8 hours/week
A planning estimate for first-time security learners: establish concepts and network foundations first, then give separate practice blocks to operations, threats, architecture, governance, and integration.
Standard
7 weeks 8-12 hours/week
A planning estimate that moves through one major phase per week and protects the final two weeks for the defensive capstone, cited corrections, and remaining objective gaps.
Intensive
4 weeks 14-18 hours/week
For learners with prior IT, networking, governance, or operations experience; slow down whenever evidence, control choice, or incident sequence cannot be explained without the lab script.
Evidence-gated sequence
Program roadmap
1
Scope, ethics, safety, and baseline
Pin the current SY0-701 scope, choose a goal and pace, define the authorization boundary, and establish safe evidence and redaction practices.
Exit evidence
Confirm SY0-701 and the five current domains on CompTIA's official page.
Choose a goal path, provisional pace, and owned, fictional, read-only, or isolated lab route.
Complete the authorization, suspicious-content, capture, and evidence-redaction checklist.
2
Security principles and integrity
Build the control, confidentiality, integrity, availability, identity, trust, and cryptographic vocabulary used throughout the other domains.
Retain the before, changed, and restored SHA-256 evidence from a throwaway file.
Explain the difference among hashing, encryption, authentication, authorization, and digital signatures in plain language.
Correct every missed foundations check against its cited source and write one new control-selection scenario.
3
Observe, triage, and preserve evidence
Practice permission-bound monitoring and analysis while distinguishing observable metadata, encrypted content, events, alerts, incidents, and response actions.
Complete the capstone packet and pass its authorization, evidence, privacy, control, incident-sequence, and consistency review.
Crosswalk all five domains to at least one artifact and one corrected or confidently explained check.
Record remaining objective gaps and choose a continue, practice, defer, or logistics-verification next decision.
Before a lab
Environment, access, and safety
Required and optional setup
Required
A personal computer with a terminal, browser, text editor, and permission to inspect its own files and connections
A dedicated folder for fictional scenarios and redacted hashes, headers, certificate fields, packet observations, risks, incidents, and reflections
An owned private network for any live capture, or the written observation-only route when network authorization is unavailable
Optional
Wireshark from the official project for short captures limited to the learner's own authorized interface and traffic
OpenSSL already present on macOS/Linux or supplied through Git for Windows for read-only TLS inspection
A disposable virtual machine and free spreadsheet or diagram tool for isolated evidence and tabletop artifacts
Accounts and accessibility routes
Accounts
No paid account is required for the core program.
The header lab may use a legitimate automated message in the learner's own mailbox; no suspicious message or employer account is required.
A hosted spreadsheet account is optional because a local document, LibreOffice, or paper can hold the risk and incident artifacts.
Equivalent routes
Use command transcripts and recorded field descriptions when terminal, browser, or visual constraints block live inspection; label the artifact observation-only.
Use fictional authentication results and packet metadata when mailbox, network, privacy, or permission constraints block live collection.
Split evidence collection, redaction, analysis, and reflection across sessions without reducing the safety or module exit requirements.
Safety baseline
Use only files, devices, accounts, mailboxes, connections, and networks you own or are explicitly authorized to inspect; a public endpoint is not permission to probe it.
Never execute malware, deliver phishing, collect credentials, exploit a weakness, scan an address range, intercept another person's traffic, or create persistence for a lab.
Do not click, download, reply to, forward, or enable content in a suspicious message; report real employer-targeted content through the employer's process.
Minimize, redact, and delete raw headers, captures, logs, screenshots, and risk records as soon as the learning evidence no longer requires them.
Show your work
Module evidence and missed-check protocol
Module exit evidence
A saved hash record, header analysis, certificate/TLS observation, permitted packet analysis, risk artifact, or documented accessibility alternative tied to the module objective map.
A plain-language explanation that separates fact, inference, risk, control, response, and verification while naming evidence limitations.
All authored checks attempted, with every miss corrected against its cited source and applied to a fresh defensive scenario.
After a missed check
Identify whether the question tests a principle, threat, architecture choice, operational response, or governance decision before reviewing the answer.
Write why the distractor was plausible and what cited objective, observed field, control property, or response sequence distinguishes the answer.
Create and answer a new fictional scenario with different assets, actors, evidence, or constraints before marking the gap reviewed.
Completing this policy demonstrates coverage and defensive practice inside RoleMath; it does not predict a Security+ score, replace CompTIA's current guidance, or authorize testing of any third-party system.
Integrated practice
Fictional organization security baseline and incident response packet
Assess and improve a small fictional organization's security posture, analyze a contained suspicious-email and integrity scenario, document a proportionate response, and leave reviewable artifacts spanning all five Security+ domains.
Workflow
Write a fictional brief for a fifteen-person design firm using cloud email, shared client files, remote laptops, one office wireless network, and a small public website; state owners, assumptions, sensitive data categories, and what is out of scope.
Create an asset, identity, and data-flow view showing endpoints, accounts, email, file storage, network zones, public service, administrators, third parties, trust boundaries, and where important data is stored or transmitted.
Define the security objectives for the scenario using confidentiality, integrity, availability, authentication, authorization, accountability, privacy, safety, and business continuity; record one measurable observation for each relevant objective.
Build a threat-and-risk register with at least six entries. Connect each threat to a vulnerable condition and impact, rate likelihood and impact, choose a risk response, identify a preventive and detective control, assign an owner, and set a review date.
Create a control and architecture plan covering identity, least privilege, multifactor authentication, secure protocols, segmentation, endpoint hardening, updates, backups, logging, monitoring, certificate management, vendor access, and recovery. Record one usability, cost, or operational tradeoff.
Prepare a fictional evidence packet: an authentication-results summary for a lookalike-domain message, a before-and-after hash mismatch for one throwaway file, a redacted TLS certificate-chain observation, and synthetic or personally authorized packet metadata. Do not create or deliver an attack.
Open a fictional incident when a user reports the lookalike-domain message and a monitored file no longer matches its baseline hash. Record time, reporter, assets, evidence source, chain-of-custody assumptions, scope, known facts, unknowns, and severity rationale.
Build a timeline and rank hypotheses without declaring causation. Distinguish what the headers, hash, certificate, packet metadata, and fictional identity events can prove, suggest, or not answer.
Write containment, eradication, recovery, and escalation options appropriate to the evidence: preserve data, isolate only a fictional endpoint if justified, revoke or reset fictional credentials and sessions, block the lookalike domain, restore a known-good file, verify controls, and involve the named owner. Do not perform these actions on a real account or device for the capstone.
Create a validation and monitoring plan covering restored hash, authentication state, endpoint health, email rule or domain block, backup restore test, certificate validity, logging coverage, alert ownership, false-positive review, and closure evidence.
Write three communications: a plain-language update for the reporting user, a technical shift handoff, and a concise leadership risk update. They must agree on facts, uncertainty, impact, actions, and next review time without exposing sensitive evidence.
Create a change and lessons-learned record with approval assumption, affected assets, risk, test, backup, rollback, verification, policy or training update, owner, due date, and success measure.
Crosswalk every artifact, control, and incident step to the five Security+ domain IDs, flag uncovered objective areas, review the packet for contradictions or identifiers, and record the next practice decision.
Retained artifacts
Fictional organization brief plus asset, identity, and data-flow view
Security objectives, threat-and-risk register, and control/architecture plan
Redacted fictional hash, header, TLS, packet, and identity evidence packet
Incident intake, scope, evidence log, timeline, hypothesis, and severity record
Containment, recovery, validation, monitoring, escalation, and closure plan
User, technical, and leadership communications
Change/lessons record, five-domain crosswalk, and gap reflection
Review checklist
The brief, assets, data flows, risks, controls, evidence, timeline, response, communications, and change record describe the same fictional organization and incident without contradictions.
Every evidence statement distinguishes fact from inference, records source and limitation, and avoids claiming that one indicator alone proves compromise or attribution.
No malware, phishing delivery, credential collection, exploitation, scanning, persistence, unauthorized capture, production isolation, or real-account reset occurred for the capstone.
No real person, employer, email address, domain, IP, MAC, hostname, credential, token, packet payload, client data, or undisclosed weakness remains in the packet.
Responses are proportionate to the fictional evidence, include authorization, preservation, rollback or escalation, verification, communication, ownership, and review timing.
All five SY0-701 domains map to at least one artifact; uncovered objectives remain explicit gaps rather than implied completion.
The packet does not claim exam success, official CompTIA training, professional security experience, or a RoleMath credential.
Safety boundary: Keep the organization, indicators, accounts, logs, and incident fictional or derived only from throwaway local files and personally authorized read-only observations. Never create an attack, interact with suspicious content, run malware, capture third-party traffic, probe a public system, or perform response actions on a real work or shared environment for this capstone.
Finish honestly
Completion, portfolio, and maintenance
Completion evidence
All five current SY0-701 domain modules have been covered and checked against CompTIA's official page.
Every defensive lab has a saved redacted artifact, permitted observation record, or clearly labeled accessibility alternative.
Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh defensive scenario.
The official CompTIA sample set has been used to calibrate scope and wording rather than memorized as an answer bank.
The security-baseline capstone passes authorization, evidence, privacy, threat/control, incident-sequence, recovery, communication, governance, and five-domain coverage review.
The learner has recorded remaining objective gaps and an explicit next decision; completion is not represented as an exam result, credential, authorization, or professional experience.
Portfolio candidates
A redacted asset/data-flow and control architecture diagram
A fictional threat-and-risk register with control ownership
A sanitized incident timeline and evidence-quality table
A containment, recovery, validation, and communication packet
A reflection explaining one control tradeoff and one corrected analytical assumption
Present the packet as self-directed defensive Security+ lab work demonstrating reasoning and documentation. Do not call it incident-response employment, penetration testing, official CompTIA training, or a RoleMath credential.
Freshness controls
Objective source checked 2026-07-11. Recheck objectives every 30 days and resources every 90 days.
Stop and re-verify when
CompTIA changes the active Security+ exam code, V7 scope, domain, published weight, lifecycle, or official prerequisite guidance.
An official or community resource changes ownership, URL, SY0-701 coverage, free-access posture, account requirement, or reuse terms.
A hashing command, OpenSSL route, Wireshark, browser certificate view, email-header view, or spreadsheet tool becomes paid, unavailable, unsafe, or materially different.
A lab or capstone step can no longer stay defensive, permission-bound, privacy-preserving, or accessible while producing the stated evidence.
Any module, lab, check, resource mapping, phase, or capstone fails technical, source, ethics, beginner-walkthrough, safety, privacy, accessibility, or claims review.
Skills measured
The official objective domains and their exam weight — titles & weights only, straight from the vendor’s exam objectives. CompTIA Security+ objectives
Our default advice is to study the heaviest-weighted domain first, because the published weights tell you where the exam spends its questions. Security+ gets one honest exception: General security concepts carries the lightest weight (12%), but it is the vocabulary every other domain is written in — controls, the CIA triad, cryptographic building blocks, zero trust. Skipping it to chase weight makes the other four domains harder to read. So we suggest: General security concepts first as your foundation, then strictly by weight — Security operations (28%), Threats, vulnerabilities, and mitigations (22%), Security program management and oversight (20%), and Security architecture (18%). This is sequencing advice based on the published weights and how the topics depend on each other, not a claim about the science of learning — if a different order fits how you think, use it.
Start here even though it is the lightest-weighted domain. It defines the vocabulary — control types, the CIA triad, cryptographic building blocks, zero trust — that the other four domains assume you already speak.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Security+ objectives
This is the vocabulary domain. Before Security+ asks you to analyze an attack or harden a server, it establishes a shared language for talking about security at all: what a control is, what security is actually trying to protect, and the handful of mental models the rest of the exam quietly leans on. It carries the smallest published weight of the five domains, but almost every question elsewhere on the exam is written in the words this domain teaches. If a practice question ever feels like it is written in a foreign language, the gap is usually here.
The center of gravity is the idea that security work is organized around a small set of goals and a large toolbox of controls that serve them. The classic statement of the goals is the CIA triad — confidentiality (only the right people can read it), integrity (nobody has silently changed it), and availability (it works when you need it). Almost any safeguard you can name exists to protect one or more of those three, and a surprising number of exam-style scenarios are just asking you to identify which goal is at stake. Around the goals sits the taxonomy of controls: some are technical (a firewall rule, disk encryption), some are managerial or operational (a policy, a background check, a review step), some are physical (a locked door, a badge reader). Controls also differ by intent — some prevent bad things, some detect them, some correct or deter or compensate. Being able to place a real safeguard into that grid is the core skill this domain builds.
The domain also introduces the trust models that modern security is converging on. The old mental picture — a hard network perimeter with a trusted inside — has given way to zero trust: no user or device is trusted just because of where it sits, and access is verified continuously. Alongside that sit foundational identity ideas like authentication (proving who you are), authorization (what you are allowed to do), and accountability (being able to trace actions to an identity), plus everyday principles like least privilege. You will meet those again in the operations domain; here they are introduced as concepts.
Cryptography's building blocks live here too, at the concept level rather than the math level. You should come away able to explain, in your own words, what encryption does (makes data unreadable without a key), how symmetric and asymmetric approaches differ in the key arrangement, what a hash is (a fingerprint of data that changes completely if the data changes at all), what a digital signature adds, and why public key infrastructure — certificates and the authorities that vouch for them — exists. None of this requires computing anything by hand; it requires being able to pick the right tool when a scenario says 'we need to prove this file was not altered' (that is a hash) versus 'we need to keep this file secret' (that is encryption).
Two quieter topic areas round the domain out, and they are easy to underestimate. Change management shows up because uncontrolled change is one of the most common ways real environments break their own security — the exam expects you to see approval workflows, testing, and rollback plans as security tools, not bureaucracy. And physical security is a reminder that a stolen laptop defeats a lot of elegant network defense; locks, sensors, guards, and environmental design are controls like any other.
On the job, this domain is the difference between memorizing tools and reasoning about them. When a colleague proposes a safeguard, the working questions are exactly the ones this domain drills: which goal does it protect, what kind of control is it, what does it prevent versus merely detect, and what do we trust for it to work? A useful way to study is to stop reading and start classifying: pick ten safeguards you have personally encountered — a password, a door badge, a backup, an approval form — and place each one in the goals-and-controls grid out loud. If you can do that without notes, and you can explain a hash versus encryption to a friend in plain words, you have what this domain is checking for. Read the official objectives page for the exact topic list — the wording there is the exam's own, and this explanation deliberately paraphrases rather than reproduces it.
Vetted independent · Free video course (community)
Professor Messer's free SY0-701 Security+ training courseThe de-facto free gold standard for Security+: a complete, well-paced video course covering the full SY0-701 blueprint, free to stream with no login. Pair it with CompTIA's official objectives, which stay authoritative; the downloadable notes and full practice exams are the optional paid Success Bundle. (captured 2026-07-09)
Demonstrate the integrity property with SHA-256 and the avalanche effect on your own file Perform AES-256 encryption/decryption and generate an RSA keypair to distinguish symmetric from asymmetric
Free tools
Your own Windows machine via Git Bash
Your own Linux machine
Your own macOS machine
Steps
Create a throwaway text file on your own machine, record its SHA-256 digest, change exactly one character and re-hash to see a completely different digest, then restore the text and confirm the original digest returns.
Encrypt the file with AES-256 and decrypt it back, confirming the decrypted output matches the original plaintext to demonstrate confidentiality.
Generate an RSA keypair, inspect the private key structure, then sign the file with the private key and verify the signature with the public key to make the asymmetric key arrangement concrete.
Record which OpenSSL step demonstrated confidentiality, integrity, and the asymmetric key arrangement in one sentence each, then delete the throwaway lab folder.
What you should see
Confirm the notes show a recorded hash baseline, a completely different digest after a one-character edit, an AES decrypt that matched the original, and an RSA signature that verified with the public key.
Practice evidence maps to exam_domain_comptia_security_plus_01
Stay safe & legal: Every command in this lab runs on files under a throwaway folder on the machine you own; nothing touches the network, and no system, service, or account other than your own local files is involved. This is a local cryptography exercise only - never point any of these commands at a system, key, or file you do not own. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 2 of 5 · domain 4 · 28% of the exam
Security operations
Second in our suggested order, and the heaviest domain on the published outline at 28%. Once the Domain 1 vocabulary is in place, spend your largest block of study time here — by weight, it is where the exam spends its questions.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Security+ objectives
This is the biggest domain on the published outline, and it is the day-job domain: what security people actually do between incidents and during them. If the architecture domain designs the building, operations lives in it — hardening what runs, watching what happens, managing who can touch what, and responding when something goes wrong. Its 28% weight is the outline's honest signal about what entry-level security work mostly consists of, which also makes it the most useful domain to study deeply if your goal is a security job and not just a credential.
The first strand is keeping systems defensible in the first place. Hardening means shrinking what an attacker can touch: removing software and services nothing needs, changing default credentials, closing unused ports, and applying secure configuration baselines so machines start from a known-good state instead of a vendor default. Behind that sits the unglamorous discipline the whole strand depends on — asset management. You cannot harden, patch, or monitor a machine you do not know you have, and real environments are full of machines nobody remembers. Vulnerability management turns this into a repeating cycle: scan for weaknesses, prioritize what the scan finds (severity scores help, but so does asking which systems actually matter and which flaws are actually being exploited), fix or mitigate, and verify the fix took. The prioritization step is the one the exam probes hardest, because in practice there is never time to fix everything at once.
The second strand is watching: monitoring and detection. Systems and applications emit logs constantly; the operational skill is turning that firehose into decisions. Centralized log collection feeds a SIEM — the correlation engine that connects a failed login here, a privilege change there, and an odd outbound connection into one story an analyst can judge. Around the SIEM sit the enforcement and inspection tools you should be able to tell apart by behavior: endpoint detection agents, intrusion detection versus intrusion prevention (one alerts, one also blocks), email and web filtering, and data-loss prevention watching for sensitive content leaving. Expect alert fatigue to be the implied villain in these scenarios: tuning out noise so real signals surface is a running theme.
The third strand is identity and access as an operational practice. Domain 1 introduced the principles; here they become the routine work that most breaches ultimately trace back to: provisioning accounts when people arrive, adjusting them when roles change, killing them promptly when people leave, enforcing multi-factor authentication, wrangling password policy, granting access by role rather than by individual favors, and giving privileged accounts special handling — because an administrator credential is the single most valuable thing an attacker can steal. Automation threads through all of it: scripted, repeatable processes both reduce human error and scale the work, which is why the outline treats automation and orchestration as operations topics in their own right.
The fourth strand is responding when prevention fails. Incident response gives the disaster a script: prepare beforehand, detect and analyze what is happening, contain it so it stops spreading, eradicate the cause, recover normal service, and — the step organizations skip at their peril — extract lessons afterward. Alongside response sits just enough digital forensics to act competently near evidence: collect it in the right order (volatile things like memory first), preserve it without altering it, and keep a documented chain of custody so it holds up later. You are not training to be a forensic examiner here; you are training not to destroy evidence while being helpful.
Study this domain by walking through days rather than memorizing lists: narrate a morning as a junior analyst — an alert fires, you check what the machine is and who owns it (asset management), what the logs around it say (SIEM), whether the account involved should have that access (identity), and what you do first if it is real (containment, from the response script). The packet-capture lab below gives you a first-person feel for the traffic-analysis piece of that story. The official objectives page carries the full topic list in the exam's own wording — as everywhere on this track, our explanation paraphrases it rather than reproducing it.
Vetted independent · Free video course (community)
Professor Messer's free SY0-701 Security+ training courseIts operations videos cover hardening, monitoring and SIEM, identity, and the incident-response lifecycle — the heaviest domain — free to stream. Give it your largest block and keep CompTIA's objectives as the scope check. (captured 2026-07-09)
Work a PICERL incident-response runbook against your own log data with containment documented, not executed Generate, inspect, and verify a self-signed X.509 certificate to make PKI concrete on your own machine
Free tools
Your own Windows machine via Git Bash
Your own Linux machine
Your own macOS machine
Steps
Open the PICERL runbook and fill in Preparation and Identification from your own log data (reuse the Domain 2 auth events): record the trigger, the supporting events with timestamps, and whether this is a policy-violating incident or normal activity.
Document the Containment, Eradication, and Recovery steps: write the proportionate containment action and why, note that evidence is preserved before any change, and record the containment command as a documented option only - do not run it against any real account.
Run the PKI fixture on your own machine to generate a self-signed X.509 certificate and inspect its fields with 'x509 -text', reading the Subject, Issuer, validity window, and key algorithm.
Verify the certificate against itself, note in one line how a CA-signed certificate would differ (Issuer is a trusted CA, so browsers trust it without warning), then delete the throwaway PKI lab folder.
What you should see
Confirm the runbook works PICERL against your own logs with containment documented (not executed), and that the PKI output shows a generated self-signed certificate, its inspected fields, and a successful verification.
Practice evidence maps to exam_domain_comptia_security_plus_04
Stay safe & legal: Work the incident-response runbook against logs from a machine you OWN, and run the PKI commands on files under a throwaway folder on your OWN machine. The containment step is DOCUMENTED, not executed - never lock, disable, or reset any account except a test account you created on a machine you own, and never point any command at a system, key, or account you do not own. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 3 of 5 · domain 2 · 22% of the exam
Threats, vulnerabilities, and mitigations
Third in our suggested order — second-heaviest by weight. Study it after the foundations and operations work, or alongside operations: the two domains describe the same incidents from the attacker's side and the defender's side.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Security+ objectives
This is the know-your-enemy domain, and at 22% it is the second-heaviest on the published outline. Where the first domain gives you security's vocabulary, this one gives you its cast of characters and their playbook: who attacks systems and why, the paths they take in, the weaknesses they exploit, the signs they leave behind, and the standard moves defenders make in response. It rewards a particular reading skill — looking at a described situation and naming what kind of attack it is — which is also one of the most transferable skills on the whole exam.
Start with the actors. Not every attacker is the hoodie stereotype: the exam expects you to distinguish attackers by capability and motive — organized criminal groups after money, state-backed groups after intelligence or disruption, hacktivists after attention for a cause, insiders misusing legitimate access, and low-skill opportunists running tools they barely understand. The reason this matters in practice is that motive predicts behavior. A ransomware crew and a disgruntled employee threaten the same database in completely different ways, and defending against one does not automatically defend against the other.
Next come the paths in: attack surfaces and vectors. Every account, exposed service, email inbox, USB port, wireless network, vendor connection, and public code repository is a possible doorway. The domain's most human topic lives here — social engineering. Phishing and its variants (targeted spear phishing, executive-focused whaling, SMS and voice flavors, business email compromise) work by manipulating a person rather than breaking a machine. Understanding why they work — urgency, authority, familiarity — is worth more than memorizing the variant names, both for the exam and for the day a convincing fake lands in your own inbox.
Then the weaknesses themselves. A vulnerability is a flaw a threat can exploit, and they come in families: unpatched or end-of-life software, misconfigurations (the wide-open cloud storage bucket is the modern classic), weak or reused credentials, injectable applications, and the uncomfortable category of zero-days — flaws the vendor does not yet know about, for which no patch exists. Malware gets its own taxonomy: ransomware that encrypts data for extortion, trojans that pretend to be legitimate software, worms that spread on their own, spyware and keyloggers that watch quietly, rootkits that hide deep in the system. You do not need to reverse-engineer any of these; you need to recognize each one from a description of its behavior.
The domain closes the loop with detection and response concepts: indicators that something is wrong (impossible travel between logins, resource consumption that makes no sense, accounts locked out en masse, log sources going mysteriously quiet) and the standard mitigation toolkit — segmenting networks so intruders cannot roam, applying least privilege so a stolen account is worth less, patching promptly, filtering email, requiring multi-factor authentication, isolating compromised machines, and hardening configurations before trouble starts. Notice that the mitigations are mostly Domain 1 concepts applied against Domain 2 threats; the exam builds on itself this way constantly.
A study approach that works: for every attack type you meet, write a three-line story in your own words — how it starts, what the attacker gets, and which one or two mitigations would have stopped it. Stories stick where definition lists do not, and the exam's scenario style is essentially asking you to recognize your stories in someone else's words. Pair that with the phishing-header lab below, which turns the most common attack in this domain into something you have physically inspected rather than just read about. And as always, read the official objectives page for the authoritative topic list — this explanation paraphrases the domain's scope in our own words rather than reproducing CompTIA's.
Vetted independent · Free video course (community)
Professor Messer's free SY0-701 Security+ training courseIts threats-and-attacks videos walk through the actor types, vectors, and malware families this domain tests, in plain language and free to stream. Keep CompTIA's objectives as the authoritative scope check. (captured 2026-07-09)
Read your own machine's authentication logs and recognize a failure-then-success pattern Write a short incident summary that separates observation from inference
Free tools
Your own Windows machine (Event Viewer / PowerShell)
Your own Linux machine (journalctl)
Steps
On your own machine, pull recent authentication events read-only: on Windows query the Security log for 4625 (failed logon), 4624 (success), and 4720 (account created); on Linux read the SSH journal for Failed and Accepted lines.
Fill in the worksheet's pattern section: the time window of any failure burst, the count of failures, the distinct usernames tried, the failure status code (e.g. 0xC000006D bad password, 0xC0000064 no such user) or logon type, and whether a success immediately followed the failures.
Write the five-line incident summary: what was observed (facts and times), what it might indicate (inference), your confidence and what would change it, one documented first defensive action, and what you cannot conclude from this log alone.
What you should see
Confirm the worksheet shows auth events read from your own machine, a characterized failure pattern, and a five-line summary that separates observed facts from inference and documents (does not execute) a first defensive action.
Practice evidence maps to exam_domain_comptia_security_plus_02
Stay safe & legal: Read authentication logs ONLY on a machine you personally own; never read, export, or analyze logs from a shared, employer, school, or third-party system. This is a read-only analysis of your own logs - no account is attacked, locked, or probed, and any defensive action is documented in the worksheet, not executed. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 4 of 5 · domain 5 · 20% of the exam
Security program management and oversight
Fourth in our suggested order, per its 20% weight. If you come from business, project, compliance, or management work, consider starting here right after Domain 1 — this domain speaks your language and builds early momentum.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Security+ objectives
This is the domain that zooms out from technology to the organization: how security is governed, measured, bought, audited, and taught. At 20%, it is weightier than many first-time candidates expect — a deliberate signal that the exam considers the management layer part of the baseline, not an optional extra for future managers. For career changers from business, legal, project, or operations backgrounds, this is usually the friendliest terrain on the exam: the underlying skills are structured thinking and organizational judgment, not packet headers.
The spine of the domain is governance: somebody has to decide what 'secure enough' means here, write it down, and be answerable for it. That takes the form of a hierarchy of documents you should be able to tell apart by their force: policies state what the organization requires (high-level and mandatory), standards pin down the specifics that make a policy testable, procedures give step-by-step instructions for doing the work, and guidelines advise without compelling. External forces shape all of them — laws and regulations, industry rules, contractual promises — and governance is the machinery that turns those obligations into internal rules, assigns owners, and keeps the rules current as the organization changes.
The heart of the domain is risk management, which is the closest thing security has to a native language for talking to executives. The working sequence: identify what could go wrong (a threat meeting a vulnerability), assess how likely it is and how bad it would be — qualitatively on a high/medium/low grid, or quantitatively when you can put currency figures on expected loss — then choose a response for each risk: mitigate it with controls, transfer it (insurance, contracts), avoid the activity entirely, or accept it knowingly because the fix costs more than the exposure. Two supporting ideas matter: risk appetite (how much risk leadership has decided the organization can stomach) and the risk register — the living document that lists the risks, their ratings, their owners, and what is being done. The register is the artifact this domain's lab has you build, because reading about one and constructing one are different levels of understanding.
The domain then extends risk beyond your own walls. Third-party risk management recognizes that vendors, suppliers, and service providers effectively join your attack surface: their breach can become your breach. The toolkit is diligence and paperwork with teeth — assessing vendors before and during the relationship, and writing security expectations into agreements so they are enforceable rather than assumed. Compliance and audit close the accountability loop: compliance means actually meeting the obligations that apply to you (with real financial and legal consequences when you do not), audits and assessments verify that the controls you claim exist actually work, and attestation puts someone's name behind the claim. Internal reviews catch problems early; external ones make the verification credible to outsiders.
Finally, the domain covers the human program: security awareness. Since social engineering targets people (Domain 2's lesson), organizations train people — recognizing phishing, handling data properly, reporting anomalies without fear — and try to measure whether the training changes behavior rather than just ticking a box. The connecting thread through all of these topics is that documents, metrics, and meetings are controls too: a policy nobody enforces and a register nobody updates fail exactly the way an unpatched server fails, just more quietly.
Study this domain by translating, in both directions. Take each technical safeguard you learned in Domains 1-4 and ask which policy would require it, which risk it mitigates, and how an auditor would verify it exists. Then take each management artifact — policy, register, vendor assessment, awareness course — and ask what technical reality it is trying to change. The risk-register lab below runs this muscle on a concrete scenario. As with every domain on this track, the official objectives page is the authoritative source for the exact topics — read its Domain 5 section in CompTIA's own wording; ours is deliberately a paraphrase.
Vetted independent · Free video course (community)
Professor Messer's free SY0-701 Security+ training courseIts governance, risk, and compliance videos map the policy hierarchy, risk-response choices, third-party risk, and audit concepts this domain tests, free to stream. CompTIA's objectives remain authoritative. (captured 2026-07-09)
Build a prioritized risk register on your own home-lab assets with likelihood, impact, and a response per row Produce a CIS Control 1 device inventory from your own router's DHCP table and a home security-policy statement
Free tools
Your own computer with a spreadsheet or text editor
Your own home router admin page (read-only)
Steps
Fill in the risk-register worksheet for your own home-lab assets (or a fictional small environment): write at least five risks as 'threat exploits vulnerability -> impact', rate likelihood and impact L/M/H, derive a priority, and sort so the worst risks lead.
For each risk choose a response (mitigate/transfer/avoid/accept) with at least one reasonable 'avoid', write one concrete first control step, and assign an owner and a review date.
Open your OWN router's admin page, read its DHCP client/lease list (do not scan), and fill in the device-inventory worksheet: account for each device as authorized, and flag any you cannot identify with a safe next step. Mask MAC addresses.
Write the home security-policy statement in the risk-register worksheet: purpose, scope, acceptable use, data classification, backup/recovery rule, access rule, and review cycle.
What you should see
Confirm the register has five or more prioritized risks each with a response, owner, and review date; that the device inventory was read from the learner's own router with MACs masked; and that a home security-policy statement is complete.
Practice evidence maps to exam_domain_comptia_security_plus_05
Stay safe & legal: This is a documentation exercise on your OWN home-lab assets (or a fictional small environment) and a READ-ONLY view of your OWN router's DHCP list; never scan, probe, or inventory a network or device you do not own, and never enter a real employer's or third party's assets into the worksheets. Reading your own router's existing lease list is not scanning. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 5 of 5 · domain 3 · 18% of the exam
Security architecture
Last in our suggested order — not because it matters least, but because its design trade-offs make the most sense once you have seen the threats (Domain 2) and the day-to-day operations (Domain 4) the architecture exists to serve.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. CompTIA Security+ objectives
This is the design domain: instead of asking what attacks exist or how to run defenses day to day, it asks how you build environments so that security is a property of the structure, not an afterthought bolted on. It weighs in at 18%, and it thinks at the level of diagrams — where data lives, what sits between components, what happens when a piece fails — rather than at the level of individual alerts.
The first pillar is understanding the security personality of each architecture model, because almost nobody runs just one anymore. On-premises infrastructure gives you full control and full responsibility. Cloud shifts part of that responsibility to a provider — and the exam expects you to reason about where the line sits: the provider secures the underlying platform, but your configurations, identities, and data remain yours to protect, which is exactly why misconfiguration is the signature cloud failure. Virtualization and containers change the isolation story (many workloads sharing hardware or a kernel), infrastructure-as-code turns your environment into text files — which means a bad template replicates a flaw everywhere at machine speed, but also means security review can happen before anything is deployed. Embedded and industrial systems round out the picture with a harder constraint: they often cannot be patched or rebooted on a normal schedule, so their protection has to come from the architecture around them.
The second pillar is putting structure between things. The recurring architectural moves are segmentation — dividing networks into zones so a compromise in one cannot freely reach the rest — and controlled chokepoints between the zones: firewalls enforcing policy, proxies and gateways inspecting what passes, VPNs or newer zero-trust access brokers deciding who gets in from outside, and dedicated zones for anything that must face the internet. Placement is the skill being tested: given a component, where in the diagram does it belong, and what is it protecting from what? When you meet a question like that, sketch it — the answer is usually visible on paper.
The third pillar is protecting the data itself, wherever it flows. That means knowing the states data can be in — sitting in storage, moving across a network, actively in use — and which protections apply to each: encryption at rest, TLS in transit, plus techniques like masking, tokenization, and hashing when whole-file encryption is the wrong shape. Public key infrastructure does its practical work here: certificates are how machines prove identity to each other, and a certificate authority is the third party both sides agree to trust. Every HTTPS connection you have ever made is this pillar operating in production — which is exactly what this domain's lab makes visible.
The fourth pillar is designing for failure on purpose: resilience and recovery. Redundancy (no single point of failure), high-availability arrangements, backups that are actually restorable and kept where ransomware cannot reach them, alternate sites ranked by how fast they can take over, and the two numbers that discipline all of it — how much data you can afford to lose (recovery point) and how long you can afford to be down (recovery time). The architectural mindset is that failure is a certainty to be designed for, not an anomaly to be hoped against.
Career changers often fear this domain because they have never been network engineers, but its questions mostly reward structured common sense: what happens if this box dies, what can this compromised segment reach, who vouches for this connection? Study it by drawing — take any system you know, even a home network, and sketch its zones, chokepoints, data flows, and single points of failure. Do the TLS/PKI lab below to watch the trust machinery run live. And read the official objectives page for the exact topic wording; this explanation is a paraphrase of the domain's scope in our own words, not a substitute for it.
Vetted independent · Free video course (community)
Professor Messer's free SY0-701 Security+ training courseIts architecture videos make the cloud shared-responsibility line, segmentation, PKI, and resilience concepts concrete and free to stream. CompTIA's objectives remain the authoritative scope. (captured 2026-07-09)
Segment and harden a VirtualBox VM you own with host-only networking and a default-deny firewall Enumerate listening services before and after hardening to see the attack surface shrink
Free tools
VirtualBox on your own hardware
Ubuntu/Debian VM you own
Linux terminal inside that VM
Steps
Snapshot your own VM, then set its network adapter to Host-Only in the VirtualBox UI so no traffic leaves your host, confirming the segmentation before touching the firewall.
Enumerate the listening TCP services inside your own VM as a baseline before hardening.
Configure a default-deny host firewall with ufw and add a single explicit allow rule scoped to the host-only subnet, then enable and read the status.
Disable one unneeded service you identified in the baseline, then re-enumerate listening services to confirm the attack surface shrank, and run the teardown before reverting the snapshot.
What you should see
Confirm the captures show a host-only-segmented VM, a default-deny ufw firewall with one explicit allow rule, a disabled unneeded service, and a smaller listening-service list after hardening than before.
Practice evidence maps to exam_domain_comptia_security_plus_03
Stay safe & legal: Every enumeration, firewall rule, and service change in this lab runs INSIDE an Ubuntu/Debian VM you own, on a host-only network that keeps all traffic on your own host; never apply these changes to a shared, corporate, employer, or school machine, and never scan or probe any host other than your own VM. Snapshot the VM first and revert it afterward. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Skills you’ll build
Studying CompTIA Security+builds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:
Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.
Exam voucher (standalone): Approximately $439 USD, region-priced. CompTIA does not print a fixed voucher price on the certification page, so treat this as an approximate figure and confirm the current price at the CompTIA store before purchasing. Official CompTIA Security+ page
Certification validity: 3 years, renewed through CompTIA's continuing-education (CE) program (50 CEUs per 3-year cycle) or by passing a qualifying higher CompTIA exam. CompTIA CE renewal fees page
Federal/defense baseline (DoD 8570/8140): Security+ is listed as an approved baseline certification for Information Assurance Technical (IAT) Level II roles under the U.S. Department of Defense 8570/8140 workforce framework. This is a factual differentiator for federal and defense positions; it is not a job requirement or a guarantee of employment. Official CompTIA Security+ page
Version currency (SY0-701 vs SY0-801 watch): SY0-701 is the current version (launched 2023-11-07). CompTIA's roadmap points to a successor, SY0-801, expected around late 2026 (expected to add generative-AI and LLM-threat objectives), with SY0-701 retirement expected around mid-2027 - no firm dates are published yet. Re-verify the active version and objectives on the official page before your exam; this note should itself be re-checked by 2026-10. Official CompTIA Security+ page
A free, source-cited study companion built on CompTIA's published exam objectives — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by CompTIA.