
Free CompTIA Security+ Practice Test 2026: SY0-701 Sample Questions

15 free SY0-701 practice questions across all Security+ domains. Each question is followed by the correct answer and a detailed explanation of why the distractors are wrong. Includes PBQ strategy and domain breakdown.

Max Questions: 90
Passing Score: 750 / 900
Duration: 90 minutes
Domain Areas: 5

CompTIA Security+ (SY0-701) is the most widely recognized entry-level cybersecurity certification globally and serves as a baseline requirement for many government, defense, and corporate cybersecurity roles. Updated in 2023, the SY0-701 exam reflects the current threat landscape — covering cloud security, zero trust, automation, and updated cryptography standards that weren't prominent in previous versions.

This free practice test includes 15 questions aligned with the SY0-701 exam objectives. Each question is designed to reflect the application-level thinking CompTIA expects — not just definition recall. After answering, you'll see exactly why the correct answer is right and why the distractors are wrong. This is the most effective way to build exam-level reasoning, not just familiarity with the question format.

[Figure: CompTIA Security+ certification badge] CompTIA Security+ validates cybersecurity fundamentals and threat management skills.

Official Exam Objectives

Study aligned to the official objectives. Download the CompTIA Security+ SY0-701 Exam Objectives PDF from CompTIA's official website — it's free and defines exactly what's on the exam.


Security+ SY0-701 Practice Questions

Question 1 — Domain 1: General Security Concepts
A security analyst is reviewing a security control that limits how many failed login attempts a user can make before their account is locked. What type of control is this?
  • A. Detective control
  • B. Preventive control
  • C. Corrective control
  • D. Compensating control
Correct: B. Account lockout is a preventive control because it stops attacks from occurring (prevents brute force) rather than detecting, correcting, or compensating for them. Detective controls identify incidents after they occur. Corrective controls remediate damage. Compensating controls are implemented when primary controls aren't feasible.
Question 2 — Domain 2: Threats, Vulnerabilities & Mitigations
An attacker sends an email posing as the company's CEO, urgently requesting a wire transfer to a new vendor. No phone verification was done. What type of attack is this?
  • A. Pharming
  • B. Vishing
  • C. Business Email Compromise (BEC) / Spear phishing
  • D. Watering hole attack
Correct: C. Business Email Compromise (BEC) involves impersonating executives to fraudulently request money transfers or sensitive data. It's a highly targeted form of spear phishing. Pharming redirects DNS lookups. Vishing uses voice calls. Watering hole attacks compromise websites that targets visit.
Question 3 — Domain 3: Security Architecture
An organization wants to ensure that if one server in their web application cluster is compromised, the attacker cannot pivot to the database server. Which network architecture concept BEST achieves this?
  • A. Network address translation (NAT)
  • B. Load balancing
  • C. Network redundancy
  • D. Microsegmentation with Zero Trust
Correct: D. Microsegmentation divides the network into small zones with strict access controls between them, preventing lateral movement even after a compromise. NAT hides internal addresses but doesn't prevent movement between segments. Load balancing distributes traffic. Redundancy improves availability, not security isolation.
Question 4 — Domain 4: Security Operations
A security analyst receives an alert that a known-malicious IP address is attempting to connect to an internal server. The analyst needs to stop the connection immediately. What is the BEST first action?
  • A. Block the IP at the firewall and update the threat intelligence feed
  • B. Shut down the internal server to prevent compromise
  • C. Notify management and wait for authorization to act
  • D. Capture a full packet trace for forensic analysis before blocking
Correct: A. Blocking at the firewall immediately stops the threat while preserving the server's availability. Shutting down the server (B) is disruptive and unnecessary. Waiting for management (C) allows the attack to continue. While forensics are valuable, preventing active compromise takes priority over packet capture (D).
Question 5 — Domain 5: Security Program Management & Oversight
A company's security policy requires all contractors to sign an NDA before accessing internal systems. This policy is BEST described as an example of which control category?
  • A. Technical control
  • B. Administrative control
  • C. Physical control
  • D. Operational control
Correct: B. An NDA is a policy/legal agreement, which falls under administrative controls. These are documented policies, procedures, and agreements rather than technical implementations or physical barriers. Technical controls are software/hardware-based. Physical controls are environmental (locks, badges). Operational controls overlap with administrative but focus on day-to-day procedures.
Question 6 — Domain 2: Threats, Vulnerabilities & Mitigations
Which of the following BEST describes a zero-day vulnerability?
  • A. A vulnerability that was discovered 0 days ago by the vendor
  • B. A vulnerability for which no exploit has been written yet
  • C. A vulnerability that is unknown to the vendor and has no available patch
  • D. A vulnerability that has been exploited in the last 24 hours
Correct: C. A zero-day vulnerability is one that the software vendor is unaware of, meaning there is zero time between discovery and exploitation. There is no patch available. The "zero" refers to zero days of protection — not the age of discovery or time since exploitation. It becomes a known vulnerability once the vendor is notified.
Question 7 — Domain 1: General Security Concepts
An organization uses asymmetric encryption to secure email communications. A user wants to send an encrypted message to a colleague. Which key should the sender use to encrypt the message?
  • A. The sender's private key
  • B. The recipient's public key
  • C. A shared symmetric key
  • D. The sender's public key
Correct: B. In asymmetric encryption, you encrypt with the recipient's PUBLIC key. Only the recipient's corresponding private key can decrypt it. The sender's private key is used for digital signatures (proving authenticity), not encryption. A shared symmetric key would not be asymmetric encryption. The sender's public key would mean the sender could decrypt it — defeating the purpose.
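
Added example for the key-usage rules in the explanation above. This is code written for this page, not CompTIA's or CertLabz's, and it uses textbook RSA at toy sizes purely to make the roles of the keys visible (real deployments use large keys and padding such as OAEP and PSS, and never raw modular exponentiation). Alice, Bob, their primes and the message 65 are constructed; Bob's parameters are the classic small worked example with n = 3233 and d = 2753. Each entry returned by demo() corresponds to one of the four answer options.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA keypair from two primes (toy sizes, illustration only).
    Returns (public, private) as (n, exponent) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (n, e), (n, d)


def encrypt_for(recipient_public, m: int) -> int:
    """Confidentiality: the SENDER uses the RECIPIENT's public key (answer B)."""
    n, e = recipient_public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_with(private, c: int) -> int:
    """Only the matching private key inverts the public-key operation."""
    n, d = private
    return pow(c, d, n)


def sign_with(signer_private, m: int) -> int:
    """Authenticity: the sender's PRIVATE key produces a signature, not secrecy."""
    n, d = signer_private
    return pow(m, d, n)


def verify_with(signer_public, m: int, sig: int) -> bool:
    """Anyone holding the signer's public key can check (and read) the signed value."""
    n, e = signer_public
    return pow(sig, e, n) == m


# Constructed participants (hypothetical). Bob's primes give the classic n = 3233 example.
ALICE_PUB, ALICE_PRIV = make_keypair(47, 59)  # n = 2773
BOB_PUB, BOB_PRIV = make_keypair(61, 53)      # n = 3233, d = 2753


def demo(m: int = 65) -> dict:
    """Alice sends m to Bob; each key maps to one answer option."""
    c = encrypt_for(BOB_PUB, m)  # option B: recipient's public key
    return {
        "ciphertext": c,
        # only Bob's private key recovers the message
        "bob_recovers": decrypt_with(BOB_PRIV, c) == m,
        # a different private key (Alice's) yields garbage
        "alice_recovers": decrypt_with(ALICE_PRIV, c) == m,
        # option A: "encrypting" with Alice's private key is a signature; anyone with
        # her public key can read it, so it proves authenticity, not confidentiality
        "private_key_output_is_readable_by_all": verify_with(ALICE_PUB, m, sign_with(ALICE_PRIV, m)),
        # option D: encrypting to Alice's own public key means Alice, not Bob, can decrypt
        "sender_public_key_only_sender_reads": decrypt_with(ALICE_PRIV, encrypt_for(ALICE_PUB, m)) == m,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the ciphertext 2790 for message 65, that Bob recovers it and Alice does not, and that the two "wrong" options either publish the message or leave it readable only by the sender.
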
Question 8 — Domain 3: Security Architecture
A developer wants to prevent cross-site scripting (XSS) attacks in a web application. Which secure coding practice provides the most direct protection?
  • A. Output encoding of all user-supplied data before rendering it in HTML
  • B. Enforcing HTTPS on all connections
  • C. Using a Web Application Firewall (WAF)
  • D. Implementing multi-factor authentication
Correct: A. XSS occurs when untrusted data is rendered in a browser without proper encoding, allowing injected scripts to execute. Output encoding neutralizes malicious characters before they reach the browser's rendering engine. HTTPS (B) protects data in transit but doesn't prevent XSS. A WAF (C) helps but is a compensating control, not a root-cause fix. MFA (D) protects authentication, not injection.
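
Added example for the explanation above (written for this page, not code from CompTIA or CertLabz). It renders a constructed untrusted value both ways, unencoded and HTML-entity encoded, and then feeds the result through Python's html.parser to approximate what a browser's parser would see: the unencoded template grows an extra script element, while the encoded one keeps the same characters as plain text. The template strings, the sample input and the helper names are assumptions made here; the encoding itself is the standard library's html.escape.

```python
import html
from html.parser import HTMLParser

# Constructed sample of untrusted input, e.g. a display name submitted through a profile form.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render_greeting_vulnerable(name: str) -> str:
    """'Before' form (hypothetical template): user data is concatenated straight into HTML."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_encoded(name: str) -> str:
    """Hardened form: HTML-entity encode every user-supplied value before it enters the body.
    quote=True also encodes both quote characters, which matters in the attribute case below."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_attribute_encoded(name: str) -> str:
    """Same rule in an attribute context. The attribute must be quoted in the template;
    entity encoding alone does not protect an unquoted attribute."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag (with decoded attributes) and the text between tags."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = ""

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    def handle_data(self, data):
        self.text += data


def parse_as_browser(rendered: str):
    """Approximates the browser's view of the rendered markup: returns (tags, text).
    Unencoded user data shows up as extra tags; encoded data shows up only as text."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags, parser.text


if __name__ == "__main__":
    for label, render in (("vulnerable", render_greeting_vulnerable),
                          ("encoded", render_greeting_encoded)):
        tags, text = parse_as_browser(render(UNTRUSTED_NAME))
        print(f"{label:10s} tags={[t for t, _ in tags]} text={text!r}")
```

The check that matters is the tag list: the vulnerable render produces ["p", "script"], the encoded one produces only ["p"], and the user's text survives intact for display. The same rule applies per context (body, attribute, URL, JavaScript), which is why output encoding, not transport security or authentication, is the direct fix.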

Want the Full 200-Question Security+ Practice Bank?

CertLabz includes 200+ SY0-701 practice questions, PBQ simulations, and a timed mock exam. Track your score by domain and identify exactly where you need more practice before exam day.


Security+ SY0-701 Domain Weights

Domain 1: General Security Concepts (12%)
Domain 2: Threats, Vulnerabilities & Mitigations (22%)
Domain 3: Security Architecture (18%)
Domain 4: Security Operations (28%)
Domain 5: Security Program Management & Oversight (20%)

Security+ Key Term Flashcards

What is the difference between authentication and authorization?


Authentication = proving WHO you are (username/password, MFA). Authorization = determining WHAT you're allowed to do after authentication (permissions, ACLs).

What is the purpose of a DMZ in network architecture?


A DMZ (Demilitarized Zone) is a network segment between the internet and the internal network that hosts public-facing services (web, email, DNS), isolating them from internal resources.

What is the difference between symmetric and asymmetric encryption?


Symmetric = same key to encrypt and decrypt (fast, AES). Asymmetric = key pair (public encrypts, private decrypts — or private signs, public verifies). RSA, ECC are asymmetric.

What is a rainbow table attack?


A precomputed table of plaintext-to-hash mappings used to crack password hashes. Mitigated by salting (adding random data to passwords before hashing), which makes precomputed tables useless.
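
Added example for the flashcard above (written for this page, not from CompTIA or CertLabz). A constructed four-entry "table" of unsalted SHA-256 digests stands in for a precomputed rainbow table; it resolves an unsalted hash with a single lookup. The salted store uses the standard library's PBKDF2-HMAC-SHA256 with a fresh random salt per record, so the same password produces different records for different users and the precomputed table no longer applies. The record format and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table: unsalted SHA-256 digest -> plaintext.
PRECOMPUTED = {
    hashlib.sha256(pw.encode()).hexdigest(): pw
    for pw in ["123456", "password", "letmein", "qwerty"]
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: one deterministic digest per password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_in_table(digest: str):
    """Why unsalted hashes fail: recovering the password is a dictionary lookup."""
    return PRECOMPUTED.get(digest)


def hash_password(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    """Salted, iterated hash. A random 16-byte salt per record means a precomputed table
    would have to be rebuilt per salt; iterations slow down brute force as well.
    Record format (assumed here): algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_two_users(password: str) -> tuple:
    """Two users choosing the same password get two different records."""
    return hash_password(password), hash_password(password)


if __name__ == "__main__":
    print("unsalted lookup:", lookup_in_table(unsalted_hash("letmein")))
    a, b = same_password_two_users("letmein")
    print("records differ:", a != b)
    print("verify ok:", verify_password("letmein", a))
```

The unsalted digest of "letmein" resolves immediately; the salted records for the same password differ from each other, verify correctly with the stored salt, and their digests match nothing in the table.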

What is the principle of least privilege?


Users and processes should have only the minimum access required to perform their job functions. Reduces the blast radius of a compromised account or process.


PBQ Strategy: Performance-Based Questions

Performance-Based Questions (PBQs) are one of the hardest parts of Security+. They present simulated environments — drag-and-drop packet analysis, firewall rule configuration, network diagram labeling — that require hands-on skills, not just memorization. CompTIA typically places 4–6 PBQs at the beginning of the exam.

Skip PBQs Initially

Many test-takers spend too long on PBQs at the start and run out of time for the multiple-choice questions. Flag the PBQs and come back to them after answering all multiple-choice questions, so you bank that time first.

Practice in Actual Labs

Reading about firewall rules doesn't prepare you for PBQs. Use interactive lab platforms like CertLabz to configure real firewall rules, analyze pcap files, and respond to simulated incidents.

Know Wireshark Basics

Many Security+ PBQs include packet capture analysis. Know how to read TCP handshakes, identify suspicious patterns, filter by protocol, and recognize cleartext vs. encrypted traffic.

Master Firewall ACLs

ACL-based PBQs require you to determine whether traffic is permitted or denied based on rule order. Practice creating access control lists with explicit deny rules and understanding implicit deny-all.

Frequently Asked Questions

How hard is the CompTIA Security+ SY0-701 exam?
Security+ is moderately difficult. The exam requires application-level understanding, not just memorization — especially since the SY0-701 update, which added more scenario-based questions. Most candidates with 1–2 years of IT experience or equivalent study time (80–120 hours of focused preparation) pass on the first attempt. The PBQs are the most challenging component for candidates without hands-on experience.
What's the passing score for Security+ SY0-701?
The passing score for CompTIA Security+ SY0-701 is 750 on a scale of 100–900. This is a scaled score, not a percentage of correct answers. The exam has up to 90 questions and must be completed in 90 minutes.
How many PBQs are on Security+?
CompTIA typically includes 4–6 performance-based questions on Security+, though the exact number varies by exam form. They appear at the beginning of the exam by default. You can flag them and skip to multiple-choice questions first, but make sure you return to them before time expires.
Does Security+ expire?
Yes. Security+ is valid for 3 years. You can renew through CompTIA's Continuing Education (CE) program by earning 50 CE credits and paying the renewal fee, or by passing a qualifying higher-level CompTIA exam (CySA+, CASP+, PenTest+), which automatically renews Security+.