Before we dive into the post, allow me to give you a brief overview of how I structured my thoughts. I wanted to give you the general thoughts and opinions up front, and this will be the first section you come across. For more detailed thoughts and opinions, I broke it up into “sub-sections” to give you insight into multiple topics. Without dawdling any further, let’s get right into it.
AS A BROAD DISCLAIMER, I AM NOT SPONSORED BY OR AFFILIATED WITH ANY OF THE VENDORS I MENTION. This represents the strategy and method I used in my journey of attaining certification.
GENERAL THOUGHTS
I am pleased to state that I received a passing score of 785, of a minimum 750 required, on my first attempt at the Security+ exam. My exam was 76 questions with an additional 3 performance-based ones (PBQ). I state that humbly, understanding there are those that do not have that outcome. For those of you still on the journey to pass this exam, it is for you that I make this post. If it is any consolation, I purchased my exam voucher through Dion Training and added the “Take2” option for an extra $99. In this case, I am happy to have “wasted” the $99.
I chose to take my exam at a testing center vice taking it at home. Why? Simply put, the exam is stressful enough and adding more unnecessary stressors didn’t seem wise. At a test center, everything is taken care of. You merely need to show up, prove your identity, and take the exam. Take that into consideration when seeking to take the exam.
For the exam itself, I am going to be a bit critical. In my opinion, the exam focuses more on semantics in definitions and processes vice testing knowledge and understanding of concepts. Also, I felt as though the questions were merely the tip of the iceberg so to speak. They lacked depth and were quite broad and general, open to a lot of interpretation. I understand that they might need to be since they must cover many different topics and a lot of material. The only truly technical ones I encountered were in the PBQs themselves. The PBQs were completely unlike anything I had seen prior to that moment. It is quite unsettling seeing something for the first time on an exam. Of all the practice exams and questions I had come across, the ones on the test were FAR more difficult. I won’t detail any of them but suffice it to say the generic “match the word with the definition” is NOT what you are likely to get. Sadly, I do not have advice on how to prepare for the PBQs specifically, as I myself was caught off guard. Correction, that would be the advice – expect something you likely haven’t seen before.
COURSE MATERIAL
There are various learning platforms from which you can purchase “course material”. If your employer is covering the cost and has specific requirements, getting it straight from CompTIA is likely a good option. If you are paying for this on your own dime, I personally went with Udemy. I found the SY0-701 Security+ course by Dion Training. At the time I searched, the course was at full price and over $100. A “hack” I would recommend: if you find the course at full price, add it to your cart and leave it there. Within a few days you *should* receive an email or other notification that “an item in your cart is on sale”. I paid $18 for the course using this exact tactic. I hope you too can benefit from this.
EXAM VOUCHERS
When purchasing the exam voucher, there is no need to pay full price for it, unless you are being reimbursed by your employer and they have specific requirements to purchase from the vendor directly. That said, there are a number of reputable third-party training vendors that offer discounted vouchers. Since they train a high volume of people, CompTIA offers them discounts and they pass the savings on to you. I personally purchased through Dion Training (found here). As I briefly mentioned, I chose them because of the “Take2” offering. There is also Professor Messer. You can purchase a discounted voucher here as well; however, a “Take2” option is not available at the time of writing. You do receive an eBook as part of the purchase as a bonus.
GENERAL TEST STRATEGY
I remember coming across a piece of advice stating that one should leave the PBQs until the end. Having followed this exact strategy during the test, I can recommend it based on my experience. While the scoring criteria CompTIA uses are not known, I imagine it would obviously be based on the number of correct answers you get. That said, it becomes a numbers game. While it is true the PBQs are weighted differently, do not let that entice you into thinking you will be successful in passing the exam by answering the PBQs perfectly. They are not trivial questions and are time consuming. Your time is better spent getting through the multiple-choice questions FIRST, and answering the PBQs at the end with your remaining time. Set your mind to answering ALL questions within the 90 minutes, but prioritize the “easier” ones first because it is a numbers game.
STUDY APPROACH
The first material I studied was the Dion Training course on Udemy. I went through all the videos and made note of areas I needed to focus on or did not fully understand. At the end of all the videos and after taking the included practice test (over the course of 1-2 months), I began to deep-dive into filling my gaps in knowledge based on those notes.
I recommend that when, during your review, a concept or topic comes up that is new or that you need clarification on, you watch a video specifically on that topic. Ideally more than one. This may be more time consuming but worthwhile. For me, concepts tend to be retained in memory better when they are associated with a unique memory. People each explain and teach things in different manners. Any video could have a cool animation or something specific that draws you in and triggers a unique memory or leads you to a deep thought. I believe you are more likely to remember the concept when those unique moments occur vice solely by reading.
After my self-study was completed, I made two more purchases. The first was for 4 practice exams (another course on Udemy, costing ~$15). These were helpful in further identifying knowledge gaps for me to focus on and in getting me into the mindset of test-taking. Test-taking is a skill unto itself, and the more you do it, the more comfortable you become. The second was a purchase I made through Professor Messer, found here. It was the “Notes and Exams” bundle for $50. This contained 3 more practice exams, including PBQs, with detailed answers. Additionally, you receive his course notes. I completed these exams, and for the final studying I went through the course notes while having the CompTIA exam objectives open side-by-side. The course notes follow the exam objectives almost exactly in outline fashion. As you would expect, they go into much more detail. I cannot stress enough how much you need to know ALL items listed in the exam objectives, available from CompTIA’s website for free download.
In total, I took 8 practice exams over a 2-3 month period. My first score was a dismal 71%. Subsequent ones were in the 80-83% range. On my last one I managed to get a 92%. To me this marked that I was prepared enough to schedule my exam, and so I did. As another point of reference, my total study time for this exam was in the ballpark of 200-300 hours over a 3-month period.
One final video I watched in the few days leading up to the exam is found here: The Complete CompTIA Security+ SY0 701 Crash Course. At this point, the video content should be a review and no new concept should be presented. I used it as a final check to make sure I didn’t miss something.
MY AREAS OF FOCUS
Everyone will have areas that they focus more on than others, be it because they find them more difficult or because they are new concepts. I certainly had some of these areas and wanted to share the most challenging ones I faced. Those areas are as follows:
- SASE – Secure Access Service Edge. Foolishly I thought this was a device or piece of hardware you could purchase and use as part of your system. Admittedly, it took a bit of time for me to understand it was a concept/architecture. Once that clicked, many ideas and thoughts clicked into place.
- SD-WAN – Software Defined Wide Area Network. Much like SASE, this one clicked when I realized it too was a concept/architecture. The best part about this is that SASE can and often does utilize SD-WAN.
- 802.1X and the related databases/architecture (RADIUS, TACACS+, Kerberos, LDAP). From a technical standpoint, understanding the steps in which authorization occurs and the architecture of components needed to accomplish this task was a lot for someone lacking an IT background. It is quite complex how authentication is technically implemented, and you can see many areas an attacker could exploit.
- Control categories and types. I used one mnemonic to remember this: MOPT-CCDDDP. Why? The first part reminded me of having mopped a floor (if it helped, you’re welcome!). The second part is a play on 1-2-3, 1 P, 2 C’s and 3 D’s. As a refresher, here is what they stand for:
  - Categories:
    - M Managerial (policies & procedures)
    - O Operational (implemented by people)
    - P Physical (block physical access)
    - T Technical (implemented by systems)
  - Types:
    - C Corrective – apply control after detection
    - C Compensating – control using alternative means
    - D Directive – security compliance
    - D Detective – identify and log intrusion
    - D Deterrent – discourage intrusion attempts
    - P Preventative – block access
- Incident Response process, per NIST SP 800-61. Remember PDACERL. Say it with me, “P-DAC-E-R-L”. Another mnemonic is using DAC, as it reminded me of discretionary access control. For review, here are the steps:
  - P Prepare
  - D Detect
  - A Analyze
  - C Contain
  - E Eradicate
  - R Recover
  - L Lessons Learned
CLOSING THOUGHTS
In hindsight, the entire experience was memorable. I am glad of the newfound knowledge I attained going through this process, as I genuinely enjoy learning. That said, if I ever have to take the Security+ exam again, it will be too soon.
My honest hope is that if you are reading this to get something useful in your preparation for this certification, you in fact did. It is a daunting task to study and take this certification exam, but entirely possible with the correct resources and drive.
I wish you the best of luck in taking the exam!