Domain 2 of 5
COMPTIA · SECURITY+ · STUDY GUIDE · DOMAIN 2

Domain 2: Threats, Vulnerabilities, and Mitigations

Know your enemy. Know your weaknesses. Know what to do when both collide. Domain 2 is the largest block of questions on the exam: match actors to motivations, vectors to attacks, indicators to incidents, and mitigations to threats.

Exam weight: 22% · Objectives: 5 · Read time: ~40m · Exam code: SY0-701
01 Key Concepts at a Glance

Six Ideas That Drive Every Domain 2 Question

Threats, vulnerabilities, and mitigations weave through 22% of the exam. Master these six and you can reason through almost any Domain 2 scenario.


Threat Actor Triangle

Motivation + Resources + Sophistication = who’s attacking you and why

“A custom zero-day with a two-year dwell time points to nation-state. A $2M ransom demand points to organized crime. Motivation narrows actors faster than any other attribute.”

Deep dive in 2.1 Threat Actors

Vector vs Attack

The vector is the pathway; the attack is what happens after

“Email is a vector. Phishing is an attack that uses it. The exam asks ‘which vector?’ — answer the delivery channel, not the payload.”

Deep dive in 2.2 Threat Vectors

Zero-Day vs Unpatched CVE

Zero-day = vendor doesn’t know. Unpatched CVE = vendor fixed it, you didn’t apply it.

“This is the #1 Domain 2 trap. If a patch exists, it’s not a zero-day — no matter how dangerous the flaw is.”

Deep dive in 2.3 Vulnerabilities

IoC Direction

Spray = wide (many accounts, one password). Brute = deep (one account, many guesses).

“Direction matters. A thousand accounts each getting one failed login is spraying. One account getting a thousand failed logins is brute force. Detection and response differ.”

Deep dive in 2.4 Malicious Indicators

Allow List vs Blocklist

Antivirus says “block the known-bad.” Allow-listing says “only run the known-good.”

“Antivirus can’t catch what it’s never seen. Application allow-listing catches unknown malware by default because unknown = not on the list = not allowed.”

Deep dive in 2.5 Mitigation Techniques

Defense-in-Depth

Segmentation + least privilege + monitoring + hardening — layers beat single controls.

“Zero-day defeats signature-based controls. The only reliable answer: layered controls. Allow-listing + segmentation + EDR behavioral detection buys time signature-based AV cannot.”

Deep dive in 2.5 Mitigation Techniques

03 Objective Navigator

      5 Objectives — Pick Your Path

      Each lesson teaches through real scenarios — concept, textbook, hard choice, exam signal. Start anywhere or go in order. Completed lessons show a checkmark.

2.1 Threat Actors and Motivations

      Nation-state, organized crime, hacktivist, insider, unskilled, shadow IT — with attributes (internal/external, resources, sophistication) and motivations (exfil, espionage, disruption, blackmail, financial, ideology, revenge, war).

2.2 Threat Vectors and Attack Surface

      Message (email/SMS/IM), image, file, voice, removable, vulnerable software, unsupported systems, unsecure networks, open ports, default creds, supply chain, human/social engineering (phishing, vishing, smishing, BEC, pretexting, watering hole, typosquatting, quishing).

2.3 Types of Vulnerabilities

      Application (memory injection, buffer overflow, TOCTOU), OS, web (SQLi, XSS), hardware (firmware, EOL, legacy), virtualization (VM escape, resource reuse), cloud, supply chain, cryptographic, misconfiguration, mobile (sideloading, jailbreaking), zero-day.

2.4 Indicators of Malicious Activity

      Malware (ransomware, trojan, worm, spyware, virus, keylogger, logic bomb, rootkit), physical, network (DDoS, DNS, wireless, on-path), application (injection, replay, priv esc, forgery, traversal), crypto (downgrade, collision), password (spraying vs brute force), generic IoCs (impossible travel, missing logs).

2.5 Mitigation Techniques

      Segmentation, ACL + permissions, allow list, isolation, patching, encryption, monitoring, least privilege, configuration enforcement, decommissioning — plus hardening (endpoint protection, host firewall, HIPS, disable ports/protocols, default password changes, remove unnecessary software).

04 Memory Aids

      Learn It, Test It, Lock It In

Each card has 3 layers: mnemonic, scenario challenge, answer + exam tip.

      Actor Resources
      Nation > Org Crime > Hacktivist > Insider > Script Kiddie
      Resources and sophistication, ranked highest to lowest.
      Scenario

      Custom malware with 2-year dwell time targeting an aerospace firm. Which actor?

      Answer

      Nation-state (APT). Custom tooling + long dwell + strategic target = APT signature. Organized crime rivals this in tooling but wants faster ROI, not multi-year espionage.

      Exam tip: long dwell + custom tooling + strategic target = nation-state. Financial urgency = organized crime.
      Phishing Family
      Phish (email) · Vish (voice) · Smish (SMS) · Quish (QR)
      Same trick, different channel. Match prefix to delivery method.
      Scenario

      A deepfake voicemail from the CFO asks accounts payable to wire funds. Which vector?

      Answer

      Vishing. Voice call = vish. If the CFO was impersonated over email for wire fraud specifically, that would be BEC — but this scenario is voice, so vishing.

      Exam tip: match prefix to channel. Email + executive impersonation + wire fraud = BEC. Voice call = vishing regardless of content.
      Zero-Day Definition
      If a patch exists, it is not a zero-day
      Zero-day = vendor doesn’t know. Unpatched CVE = vendor fixed it, you didn’t apply it.
      Scenario

      A Windows server is compromised via CVE-2024-XXXXX, which Microsoft patched 90 days ago. Is this a zero-day?

      Answer

      No. A patch exists — this is an unpatched known vulnerability, not a zero-day. The distinction matters because controls differ: zero-day needs behavioral / defense-in-depth; unpatched CVE needs patch management.

      Exam tip: Zero-day ≠ unpatched. If the CVE has a number and a patch, it’s not a zero-day regardless of how dangerous it is.
      Spray vs Brute
      Spray = wide (many accts) · Brute = deep (many guesses)
      Direction, not volume, is the defining feature.
      Scenario

      Fifteen hundred accounts each received one failed login attempt using “Spring2024!” in the same hour. Which attack?

      Answer

      Password spraying. One password across many accounts. Brute force would be many passwords against one account. Spraying evades single-account lockout thresholds, so the IoC pattern is wide and quiet.

      Exam tip: spraying triggers lockouts across the directory; brute force triggers lockouts on a single account. Detection logic must look for both shapes.
      DDoS Shapes
      Amplified = small req → huge resp · Reflected = spoofed src
      DNS / NTP / memcached amplify. Reflection hides the attacker behind a spoofed source IP.
      Scenario

      NTP servers return 500-byte responses to 50-byte queries. Attacker spoofs victim’s IP as source. What is this called?

      Answer

      Both: amplified and reflected. The response is amplified (10x) AND reflected off NTP servers at the victim via IP spoofing. Exam questions usually focus on one property; read whether they emphasize “small request / huge response” (amplification) or “spoofed source IP” (reflection).

      Exam tip: classic reflection-amplification attacks (DNS, NTP, memcached) are both. The wording tells you which property the question is testing.
      Mitigation vs Hardening
      Patching fixes flaws · Hardening shrinks surface
      A fully-patched system can still be badly hardened.
      Scenario

      An auditor finds SMBv1 enabled on a patched Windows server. Is this a patching failure or a hardening failure?

      Answer

      Hardening. SMBv1 is not a bug — it’s a deprecated protocol that should be disabled. Leaving it enabled is a hardening/configuration failure, not a missing-patch failure.

      Exam tip: missing patch → patch management. Unused-but-enabled service → hardening. Default credential left in place → both (but usually tagged hardening on the exam).

      The Direction Rule — Exam Strategy

      On Domain 2 IoC questions, ask: which direction? Spraying is wide (many accounts). Brute is deep (many guesses). Amplification is volume (small in / big out). Reflection is source (spoofed IP). The exam tests whether you can identify the shape of the attack, not just name it.

05 Think Like a Tech

      Security+ Tests How You Solve Problems

      01
      Scenario

      Attribution Puzzle

      A defense contractor discovers custom malware that has been in their network for 22 months. It periodically exfiltrated design documents and beaconed to a C2 server using domains that resolve during business hours of a specific overseas timezone. No ransom, no data dump. Who is the most likely actor?
• × Organized crime: No monetization, no ransom, no carding, no data sale. OC wants ROI fast.
• × Hacktivist: Hacktivists publicize through defacement, data leaks, statements. This is quiet, patient exfil.
• ✓ Nation-state (APT): Custom tooling + 22-month dwell + strategic IP target + no monetization = APT espionage signature.
• × Script kiddie: Script kiddies don’t have the capability for multi-year custom-tooled campaigns.
      Principle: Attribution follows motivation. No monetization + long dwell + strategic data = espionage = nation-state.
      02
      Scenario

      The Ransomware Choice

      Ransomware hit a flat-networked manufacturing plant and spread from one infected workstation to 1,400 hosts in four hours via SMB. Patch levels were already at 98%. The CISO asks: what single investment would most reduce the next event’s blast radius?
• × More aggressive patching cadence: Already at 98%, so marginal gains. The problem wasn’t missing patches, it was lateral movement.
• × Upgrade antivirus to a newer vendor: Signature-based AV missed day-zero ransomware. A vendor swap doesn’t fix the category.
• ✓ Network segmentation + microsegmentation: Segmentation contains the blast radius. One infected host can’t touch 1,400 others when VLANs + firewall rules enforce separation.
• × Mandatory two-factor auth for all users: MFA helps against credential attacks, not worm-style SMB propagation. Right problem, wrong answer.
      Principle: When patch coverage is high and the attack is lateral, segmentation beats more patching.
      03
      Scenario

      The Allow-List Argument

      A healthcare org was hit by fileless malware that commodity AV didn’t detect for 11 days. Leadership asks what to invest in. The Security Architect proposes application allow-listing over replacing AV. Why?
• × Allow-listing is cheaper than AV licensing: Cost isn’t the reason. Both have operational overhead.
• ✓ AV blocks known-bad. Allow-listing only permits known-good, so unknown malware is blocked by default: Default-deny posture catches what signatures miss, including fileless and zero-day threats.
• × Allow-listing eliminates the need for patching: False. Allow-listed apps still need patches. Allow-listing is about execution, not vulnerability.
• × AV cannot be run alongside allow-listing: They layer. Defense-in-depth uses both.
      Principle: For unknown/fileless/zero-day threats, default-deny (allow-listing) outperforms default-allow (AV blocklist).
06 Common Traps

      The Tempting Wrong Answer

      1

      Spraying vs Brute Force

      Spraying = wide (one password, many accounts). Brute force = deep (many passwords, one account). Direction matters, not volume.

      2

      Vector vs Attack

      Email is a vector. Phishing is an attack using that vector. The exam asks which vector — identify the channel, not the payload.

      3

      Zero-Day vs Unpatched CVE

      If a patch exists, it’s not a zero-day — no matter how dangerous. Zero-day = vendor doesn’t know yet.

      4

      Allow List vs AV

      AV = blocklist (known-bad). Allow list = default-deny (only known-good). Allow-listing catches unknown malware; AV doesn’t.

      5

      Segmentation vs Isolation

      Segmentation = separated zones that still communicate via controlled paths. Isolation = no communication at all (air-gap).

      6

      Vishing vs Smishing vs BEC

      Vishing = voice. Smishing = SMS. BEC = executive email impersonation for wire fraud specifically. Match channel + intent to label.

07 Self-Check Quiz

      5 Practice Questions

      Select an answer, then click Check. Full adaptive quiz engine with 200+ questions coming soon on TJS Platform.

Understand · Beginner · 2.1
      Q1. An attacker uses readily available exploit kits downloaded from a forum, has limited technical knowledge, and targets systems opportunistically for thrill and reputation. Which threat actor type best matches?
      • A Nation-state actor
      • B Organized crime group
      • C Unskilled attacker (script kiddie)
      • D Hacktivist
      Correct: C

      “Readily available tools they didn’t build,” “limited knowledge,” and “thrill/reputation” motivation are the defining traits of an unskilled attacker / script kiddie. Hacktivists can also be unskilled but are ideologically driven.

      Source: CompTIA SY0-701 Objectives v5.0 — 2.1
Apply · Intermediate · 2.2
      Q2. An attacker places a QR code sticker on the back of a legitimate restaurant menu. Scanning the code redirects to a credential-harvesting page. Which threat vector is this?
      • A Smishing (SMS phishing)
      • B Quishing (QR code phishing) — an image-based vector
      • C Watering hole attack
      • D Vishing (voice phishing)
      Correct: B

      A malicious QR code is quishing, a form of image-based phishing. Smishing uses SMS, vishing uses voice, watering hole compromises a site the target already visits.

      Source: CompTIA SY0-701 Objectives v5.0 — 2.2
Analyze · Advanced · 2.3
      Q3. A web application validates a user’s balance, then issues the transfer using that validated balance. Between validation and transfer, the user submits a second transfer in parallel. Both succeed, producing a negative balance. Which vulnerability class?
      • A SQL injection
      • B Buffer overflow
      • C Race condition (TOCTOU)
      • D Memory injection
      Correct: C

      Time-of-Check to Time-of-Use (TOCTOU) is a race condition: state changes between validation and action. The check was correct, but the state changed before the action ran. Injection and buffer overflow exploit input handling, not timing.

      Source: CompTIA SY0-701 Objectives v5.0 — 2.3
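The check-then-act window from Q3, shown as a vulnerable transfer beside a fixed one. This is an added example and not the study guide's code: the Account class, the amounts, and the barrier that forces two requests into the same gap between check and use are all constructed for illustration.

```python
"""Added example (not the study guide's code): the check-then-act race from
Q3, as a vulnerable transfer beside a fixed one.  The account, the amounts
and the barrier that forces two requests into the same gap are constructed."""
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def _debit(self, amount):
        # Models a single atomic UPDATE: the write itself is safe; the bug is
        # that the balance check happens outside it.
        with self._lock:
            self.balance -= amount

    def transfer_vulnerable(self, amount, after_check=None):
        """Time-of-check (read balance) and time-of-use (debit) are separate
        steps, so a second request can pass the check in between."""
        if self.balance < amount:        # check
            return False
        if after_check is not None:      # constructed hook that widens the race window
            after_check()
        self._debit(amount)              # use: acts on a stale check
        return True

    def transfer_fixed(self, amount):
        """Check and debit under one lock: the state cannot change between them."""
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def race_two_transfers(account, amount, fixed):
    """Submit two transfers in parallel; return (successes, final balance)."""
    results = []
    barrier = threading.Barrier(2)   # both threads pass the check before either debits

    def worker():
        if fixed:
            ok = account.transfer_fixed(amount)
        else:
            ok = account.transfer_vulnerable(amount, after_check=barrier.wait)
        results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    # Two 80-unit transfers against a 100-unit balance.
    print("vulnerable:", race_two_transfers(Account(100), 80, fixed=False))  # (2, -60)
    print("fixed:     ", race_two_transfers(Account(100), 80, fixed=True))   # (1, 20)
```

The vulnerable path lets both requests pass the check before either debits, producing the negative balance from the scenario; the fixed path makes check and debit one atomic step, so exactly one transfer succeeds. The fix is the same whether the lock is an in-process mutex or a database transaction with row locking.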
Apply · Intermediate · 2.4
      Q4. A user’s account shows successful authentications from New York at 09:14 and from Lagos at 09:21, seven minutes apart, no VPN on file. What is the most likely indicator?
      • A Password spraying
      • B Impossible travel — likely credential compromise
      • C Brute force
      • D Privilege escalation
      Correct: B

      Two successful logins from geographically impossible locations within minutes = impossible travel, a generic IoC suggesting credential compromise. Spraying/brute-force produce failed logins, not successful geo-separated ones.

      Source: CompTIA SY0-701 Objectives v5.0 — 2.4
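The three IoC shapes this guide contrasts in the Spray vs Brute card, the Direction Rule and Q4 (spraying is wide, brute force is deep, impossible travel is two successes too far apart for the time between them), run as detection logic over sample log lines. This is an added example and not part of the study guide: the log format, thresholds, coordinates, IP addresses and account names are constructed for illustration.

```python
"""Added example (not part of the study guide): detection logic for the three
IoC shapes the guide contrasts.  Log format, thresholds, coordinates and
account names are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

SPRAY_MIN_ACCOUNTS = 10      # distinct accounts one source must hit to count as spraying
SPRAY_MAX_PER_ACCOUNT = 2    # spraying stays below per-account lockout thresholds
BRUTE_MIN_FAILS = 20         # failures against a single account that count as brute force
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner between two successes is impossible travel
MIN_TRAVEL_KM = 50.0         # ignore small geo-IP jitter within one city


def build_sample_log():
    """Constructed log lines: ISO timestamp followed by key=value pairs."""
    lines = []
    # Spraying: one source, one guess against each of 12 accounts (wide, quiet).
    for i in range(12):
        lines.append(f"2024-04-01T09:{i:02d}:00 user=emp{i:02d} ip=203.0.113.7 "
                     "result=FAIL lat=40.71 lon=-74.01")
    # Brute force: 25 guesses against one account (deep, loud).
    for i in range(25):
        lines.append(f"2024-04-01T09:{i:02d}:30 user=bob ip=198.51.100.9 "
                     "result=FAIL lat=40.71 lon=-74.01")
    # Impossible travel: carol succeeds in New York at 09:14 and in Lagos at 09:21.
    lines.append("2024-04-01T09:14:00 user=carol ip=192.0.2.10 result=SUCCESS lat=40.71 lon=-74.01")
    lines.append("2024-04-01T09:21:00 user=carol ip=192.0.2.77 result=SUCCESS lat=6.52 lon=3.38")
    # Benign noise: alice mistypes twice, then logs in from the same place.
    lines.append("2024-04-01T09:30:00 user=alice ip=192.0.2.5 result=FAIL lat=40.71 lon=-74.01")
    lines.append("2024-04-01T09:30:20 user=alice ip=192.0.2.5 result=FAIL lat=40.71 lon=-74.01")
    lines.append("2024-04-01T09:30:40 user=alice ip=192.0.2.5 result=SUCCESS lat=40.71 lon=-74.01")
    return lines


def parse_line(line):
    """Turn one constructed log line into an event dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["lat"], ev["lon"] = float(ev["lat"]), float(ev["lon"])
    return ev


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_spraying(events):
    """Wide: one source IP, many accounts, only a guess or two per account."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_ip[e["ip"]][e["user"]] += 1
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= SPRAY_MIN_ACCOUNTS
            and max(users.values()) <= SPRAY_MAX_PER_ACCOUNT}


def find_brute_force(events):
    """Deep: many failures against a single account."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return {user: n for user, n in fails.items() if n >= BRUTE_MIN_FAILS}


def find_impossible_travel(events):
    """Two successes for one user whose implied speed no traveller could reach.
    Returns (user, distance_km, minutes_apart) tuples."""
    last, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "SUCCESS":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            # hours == 0 with a real distance is the extreme case: same instant, two places.
            if km > MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                hits.append((e["user"], round(km), round(hours * 60)))
        last[e["user"]] = e
    return hits


def classify(lines):
    """Run all three detectors over raw log lines."""
    events = [parse_line(line) for line in lines]
    return {"spraying": find_spraying(events),
            "brute_force": find_brute_force(events),
            "impossible_travel": find_impossible_travel(events)}


if __name__ == "__main__":
    for shape, findings in classify(build_sample_log()).items():
        print(f"{shape}: {findings}")
```

Note how the detectors key on different dimensions: spraying is grouped by source IP and looks for breadth across accounts, brute force is grouped by account and looks for depth, and impossible travel ignores failures entirely and compares consecutive successes. Alice's two typos trip none of them, which is the point of setting thresholds on shape rather than on raw failure count.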
Analyze · Advanced · 2.5
      Q5. A zero-day begins circulating with no signature and no vendor patch. Which combination best reduces likelihood of successful execution on the endpoint?
      • A Signature-based antivirus + scheduled full scans
      • B Strict perimeter firewall rules only
      • C Application allow-listing + segmentation + EDR behavioral detection
      • D Mandatory password complexity + annual awareness training
      Correct: C

      Signature-based AV can’t detect what it’s never seen. For zero-day, defense-in-depth with default-deny (allow-listing), lateral containment (segmentation), and behavioral detection (EDR) provides layered coverage. Perimeter-only and password-only controls don’t reach endpoint execution.

      Source: CompTIA SY0-701 Objectives v5.0 — 2.5

      Disclaimer
      This content is provided for educational and exam preparation purposes only. It is designed to supplement your study efforts with additional context, scenarios, and practice material. This is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on published exam objectives — they are not actual exam questions. Exam content, format, and policies are determined solely by CompTIA. Always refer to the official CompTIA Security+ SY0-701 Exam Objectives as your primary reference. Tech Jacks Solutions is not responsible for exam outcomes.
