After weeks of hard work and studying, I managed to pass #comptia #securityplus certification.
It is indeed an entry-level, vendor-independent, general IT #Security #certificate, though of moderate difficulty (a relatively high number of 1st-time takers fail; there are no official figures, but the percentage of 1st-time takers who pass it is assumed to be around 50%). Security+ certifies theoretical knowledge of foundational aspects like security terminology and the understanding and application of concepts related to cryptography, IAM, secure operations, cloud models, key standards and legislation frameworks, basic troubleshooting and auditing tools, and basic pentesting aspects and vocabulary.
All in all, I would say no advanced or deep security skills are required to pass it, nor does it certify you as a security expert or advanced professional, but it provides a good basis to start a career in whatever security area (operations, pentesting, risk management, security analyst, architect ...).
Furthermore, it is, maybe, the most "sought" security certification, and the 3rd most widely held of the security, governance, compliance and/or privacy-related certifications.
I share below some personal impressions and maybe some tips on how to approach it.
There are currently two parallel exam versions (this will last until July 2024):
- SY0-601 - the amount of objectives for SY0-601 is quite impressive (>1000) compared to the newer version; this is probably due to the fact that 601 kept more focus on security tools, methods and techniques. It will be completely re-drawn in July 2024.
- SY0-701 - is more #riskmanagement and operations focused than 601 (this does not mean at all that one exam version is easier than the other; it is just that they have a slightly different focus, which needs to adapt over the years in order to match the most recent security industry practices). It has been valid since November 2023 and will last for 3 years.
I still took the old version of the exam, SY0-601, so all my tips are based on this one:
- the exam covers 5 areas (each of them weighted and counting differently for the result - see below)
  - Attacks, Threats, and Vulnerabilities - this is about understanding different types of attack scenarios, vulnerabilities and malware; it is weighted with 24% of the whole result
  - Architecture and Design - about understanding different security concepts (IAM, encryption, cloud models, physical security); weighted with 21%
  - Implementation - about understanding different security concepts (TCP/IP protocols, including secure protocols; basic understanding of security solutions like DLP, firewalls, EDRs, IPS/IDS); this is the most important area of the exam, weighted with 25%
  - Operations and Incident Response - basic knowledge related to network troubleshooting and forensic SW tools, as well as topics like SIEM or SOAR, is required; basic incident response process knowledge - 16%
  - Governance, Risk, and Compliance - GRC is a "standard" acronym in the Security community; foundational risk management as well as basic knowledge about legal frameworks is required; this is the least weighted area in the exam (14%), and it will increase in importance and weighting starting with 701.
- you will need to memorize a sheer amount of abbreviations, though the vast majority are relatively common IT terms - all listed in the same downloadable PDF where all the objectives (above) are specified
- you can pass the exam without any previous #IT experience, but you'll need to have a basic #networking and also risk management understanding (this is why actually #comptia recommends Network+ certification and two years of experience in IT administration with a security focus)
- I chose to take it at a PearsonVue testing center, and I would also recommend doing the same, although it can also be taken from home (I do not know exactly how that works)
- the exam fee depends on the region and the currency it is paid in; for Germany it was 360EUR + 60EUR (test center fee) - which is relatively inexpensive compared to other Security certificates, which can range from ~800 EUR (like #CISSP, #CCSP, or CISA) even to x1000 EUR (like SANS certifications)
- it may contain between 80 and 90 questions (I got 82), almost entirely multiple choice - to be answered in 90 mins - so you should pay attention to time management
- it contains between 2 and 5 (not multiple choice) PBQs (Performance Based Questions) - meant to simulate small real-world scenarios - here are some good videos to understand them
- you can skip every question, mark it for review, and answer it later - my advice is to do so for all PBQs, since they are relatively time-consuming
- don't get overwhelmed by PBQs, they are meant to look more complicated than they really are;
- [IMPORTANT] don't get scared by estimations which say you need to score >90% on practice tests in order to pass the exam; I never had >85%; it's all about how you perform and how focused you are on the exam day (!!)
- memorization is important, but not the key; you'll need to understand how the concepts work; however, it is NOT that kind of "think like a manager" exam type, but rather tests understanding of theoretical concepts
- do NOT over-interpret the answer choices; usually 2, or even 3, are close to the correct answer, and sometimes one is a distractor
- it is NOT a CAT exam type (unlike #CISSP, for example) - meaning question difficulty and domains do not dynamically adapt during the exam based on your answers
- Keep constant focus during the exam; in the end it is not very long (1h30mins) compared to other certifications - this is key to passing it (!!)
Resources to learn for the exam - given how widespread and prominent the exam is, these are numerous and inexpensive (the budget required to train and prepare for the exam could be squeezed within 50-60 EUR)
- Professor Messer has a Youtube channel with completely free resources; I would also recommend downloading the practice questions from his Webpage, which come with detailed answer explanations; making sure you understand why the correct answers are correct, and the same for the wrong ones, is very important to pass the exam, although the questions you'll find in the exam are quite different from those
- other highly recommendable learning resources are Dion's and Mike Meyers' Udemy courses, as well as their Practice Questions
- I did not try #chatgpt; I know from other people that it may work well and may help to prepare for whatever certificate, but it is highly advisable to correlate its info with reliable sources
Hope this helped you, Security+ taker, to pass the exam!
Senior Test Engineer at Elektrobit | Python Development
3 months ago: Congrats Bogdan! Do you need some bucks?
Cyber Security is an infinite Game
8 months ago: Congrats!!!
CEO at Alternative Embedded Innovation
8 months ago: Congrats Bogdan!