The biggest slice of the exam — 28%. This is the daily work: harden baselines, track assets cradle to grave, find and fix vulnerabilities, watch the telemetry, grant the right access, automate the repeatable, and run incidents when everything breaks.
Exam weight: 28% (largest domain) · 9 objectives · Read time ~70 min · Exam code SY0-701
01 Key Concepts at a Glance
Six Ideas That Drive Every Domain 4 Question
Operations is where controls meet reality. Master these six and you can reason through almost any Domain 4 scenario — hardening, vuln management, monitoring, IAM, automation, or incident response.
Baseline, Then Drift
A documented, enforced, monitored secure baseline is the foundation. Everything else detects drift from it.
“You can’t tell what’s wrong until you’ve defined what’s right. Establish, deploy, maintain — CIS Benchmark or DISA STIG, Group Policy or Ansible, monitored continuously.”
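Drift detection in code, as an added example that is not part of the original page: a baseline is only useful if something compares the live configuration against it and reports every deviation, including settings that are simply absent and therefore fall back to a weaker default. The page discusses baselines generically (CIS, STIG, Group Policy, Ansible); this example uses an OpenSSH-style sshd_config as the stand-in, because it is text and can be parsed offline. The baseline subset, the default values, and the sample host config are constructed for illustration.

```python
"""Secure-baseline drift check (added example, not the page's own material)."""
import re

# Constructed, CIS-style baseline subset: directive -> required value.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
    "loglevel": "verbose",
}

# Values sshd uses when a directive is absent (OpenSSH documented defaults).
# An absent directive is still a drift if the default is weaker than baseline.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "info",
}


def parse_sshd_config(text: str) -> dict:
    """Parse 'Directive value' lines; comments and blanks are ignored.
    sshd honours the FIRST occurrence of a directive, so later duplicates
    are kept out of the effective config rather than overwriting it."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip().lower()
        cfg.setdefault(key, val)
    return cfg


def drift(observed: dict, baseline: dict = BASELINE, defaults: dict = DEFAULTS) -> dict:
    """Return {directive: (expected, effective)} for every baseline miss."""
    out = {}
    for key, expected in baseline.items():
        effective = observed.get(key, defaults.get(key))
        if effective != expected:
            out[key] = (expected, effective)
    return out


# Constructed sample from a drifted host (hypothetical content).
HOST_CONFIG = """\
# sshd_config pulled from a server that left baseline
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 4
PermitRootLogin no     # too late: sshd already took 'yes' above
"""


def report(text: str = HOST_CONFIG) -> dict:
    """Drift report for one host's config text."""
    return drift(parse_sshd_config(text))


if __name__ == "__main__":
    for key, (expected, effective) in sorted(report().items()):
        print(f"DRIFT {key}: baseline {expected!r}, effective {effective!r}")
```

Two things the paragraph alone does not show: the second `PermitRootLogin no` line does not rescue the host, because sshd keeps the first value, and the missing `LogLevel` is reported as drift even though nobody wrote a bad value, since the default is weaker than the baseline. A drift monitor that only diffs lines present in the file misses both.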
CVSS is technical severity. Risk = severity × exposure × asset value × threat activity. Prioritize by risk, not score.
“A CVSS 9.8 on an isolated internal box is lower risk than a 7.5 on an internet-facing crown-jewel service under active exploitation. The exam rewards this nuance.”
Least privilege, JIT elevation, MFA across factor categories, attestation, and lifecycle automation — that’s modern access control.
“Password + security question isn’t MFA — both are knowledge factors. Standing admin access on 40 engineers is the risk; JIT elevation + PAM + logging is the answer.”
IR lifecycle: Prepare → Identify → Contain → Eradicate → Recover → Lessons Learned. Containment before eradication every time.
“Stop the bleeding before you rebuild. Preserve evidence with chain of custody, legal hold, and order-of-volatility captures — don’t reboot the forensic witness.”
Incident Response Lifecycle — The Six Phases (4.8)
(SY0-701 objective 4.8 itself lists seven steps, splitting this page's Identification into Detection and Analysis; the order is otherwise the same.)

Phase | Purpose | Exam Signal
1. Preparation | IR plan, roles, comms tree, tooling, training, tabletop exercises. | Before anything happens. Plan exists, people know roles.
2. Identification | Detect, triage, confirm incident vs event, declare. | SIEM alert, user report → is this real? Declare or close.
3. Containment | Stop the spread. Short-term isolate; long-term segment. | Unplug, block, disable account. Before eradication.
4. Eradication | Remove the adversary and artifacts; close the root cause. | Rebuild from gold image, revoke creds, patch the CVE.
5. Recovery | Return to production with monitoring; validate clean. | Staged restoration, heightened logging, watch for re-entry.
6. Lessons Learned | Post-incident review, timeline, control gaps, update runbook. | No blame. Feed findings back into Preparation.
02 Diagnostic Quiz
Find Out Where to Start
5 questions across Domain 4 — see which objectives need the most work.
03 Objective Navigator
9 Objectives — Pick Your Path
Each lesson teaches through real scenarios — concept, textbook, hard choice, exam signal. Start anywhere or go in order.
Six phases in order. Contain before eradicate, always.
Scenario
SOC analyst sees beaconing from a laptop. Which phase comes first — isolate the host, or wipe and rebuild it?
Answer
Containment (isolate). Stop the spread first. Eradication comes after you have scope, evidence, and a plan. Wiping before containing loses lateral-movement data.
Exam tip: any IR question with “first” or “next step” almost always maps to containment after identification.
MFA Categories
Know · Have · Are · Where · Do
MFA requires factors from different categories. Two from the same category is not MFA.
Scenario
A help-desk tool requires a password AND a security question. Does that satisfy MFA?
Answer
No. Both are something you know — same category. True MFA pairs knowledge (password) with possession (token, phone push) or biometric (fingerprint).
Exam tip: password + PIN, password + security question, PIN + passphrase — all same category, all not MFA.
Sanitization Ladder
Clear → Purge → Destroy
NIST SP 800-88. Match the method to the sensitivity of the data and to the media type.
Scenario
A hospital decommissions 800 SSDs that once held PHI. Is degaussing an appropriate Purge method?
Answer
No. Degaussing only works on magnetic media (HDDs, tapes); SSDs store data in flash cells that a magnetic field does not touch. For flash, NIST SP 800-88 Purge means cryptographic erase (only if the drive was encrypted from day one) or the drive's own block-erase / sanitize command with verification; if neither is available and verifiable, Destroy.
Exam tip: any SSD + degauss combo is a distractor. Memorize the media-to-method matrix.
Different jobs. Pick by what question needs answering.
Scenario
A SOC wants to auto-quarantine any endpoint that triggers a high-severity EDR alert and open a ticket. Which tool orchestrates that?
Answer
SOAR. SOAR consumes the alert, executes a playbook (quarantine via EDR API, open ticket, notify analyst). SIEM would correlate the alert; SOAR acts on it.
A 9.8 on an air-gapped lab box is lower risk than a 7.5 on the customer portal under active exploit.
Scenario
Two vulns: CVSS 9.8 on an isolated internal dev VM; CVSS 7.5 on a public-facing login API that’s being actively exploited. Patch order?
Answer
Public-facing first. Risk, not raw CVSS, drives priority. The 7.5 has active exploitation on a crown-jewel asset — that’s the higher risk.
Exam tip: exposure + active threat beats raw score. Look for words like “internet-facing,” “actively exploited,” “crown jewel.”
Chain of Custody
Legal hold → Acquire → Preserve → Document
Forensically sound = reproducible, documented, and defensible in court.
Scenario
A compromised laptop is being held for forensic investigation. Counsel says litigation is likely. What notice should go out first?
Answer
Legal hold. Suspends normal retention/destruction for all potentially relevant data. Without it, routine deletion can destroy evidence and create spoliation exposure.
Exam tip: any “litigation,” “e-discovery,” or “lawsuit anticipated” language → legal hold is almost always the right answer.
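The "preserve and document" half of chain of custody in code, as an added example that is not part of the original page or of NIST guidance: hash the acquisition so anyone with a copy can reproduce the value, then keep a custody log in which every entry commits to the previous entry's hash, so an after-the-fact edit to any handover record is detectable. The evidence bytes, evidence ID, handler names and timestamps are constructed stand-ins.

```python
"""Tamper-evident chain-of-custody log (added example, not the page's own)."""
import hashlib
import json


def acquire_hash(image: bytes) -> str:
    """SHA-256 of the acquired image; recorded at acquisition, re-checked later."""
    return hashlib.sha256(image).hexdigest()


class CustodyLog:
    """Append-only custody record; each entry hashes over the previous entry's hash."""

    def __init__(self, evidence_id: str, image_sha256: str):
        self.entries = []
        self._append({"event": "acquired", "evidence_id": evidence_id,
                      "sha256": image_sha256, "handler": "acquirer", "at": "t0"})

    def _append(self, fields: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = dict(fields, prev_hash=prev)
        body["entry_hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)

    def transfer(self, frm: str, to: str, at: str, purpose: str) -> None:
        """Record a handover; every change of hands is an entry."""
        self._append({"event": "transfer", "from": frm, "to": to,
                      "at": at, "purpose": purpose})

    def verify(self, image: bytes) -> bool:
        """True only if the image still matches the acquisition hash AND
        no entry has been altered or re-ordered since it was written."""
        if acquire_hash(image) != self.entries[0]["sha256"]:
            return False
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            recomputed = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if recomputed != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


# Constructed stand-in for a memory or disk image.
IMAGE = b"constructed-evidence-image-bytes" * 64


def demo() -> tuple:
    """Returns (clean_ok, tampered_image_ok, edited_log_ok)."""
    log = CustodyLog("LAPTOP-17-mem-001", acquire_hash(IMAGE))
    log.transfer("acquirer", "evidence locker", "t1", "storage")
    log.transfer("evidence locker", "forensic analyst", "t2", "analysis")
    clean = log.verify(IMAGE)
    tampered_image = log.verify(IMAGE + b"x")      # one byte changed
    log.entries[1]["to"] = "someone else"          # quiet edit of a handover
    edited_log = log.verify(IMAGE)
    return clean, tampered_image, edited_log


if __name__ == "__main__":
    print(demo())
```

The chaining detects edits and removals in the middle of the log, but not truncation of the newest entry; in practice the latest entry hash is anchored outside the log (printed on the evidence form, signed, or timestamped) so that the tail is pinned too.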
The Forcing-Function Rule — Exam Strategy
Domain 4 scenarios encode the answer in their constraints. Ask: what are the forcing functions? IR phase language drives the sequence. MFA-category language drives which factor choice is real. Sanitization questions test media type as much as method. CVSS + exposure + threat language drives risk priority. Read the clue words — don’t reach for the biggest-sounding tool.
At 02:10 the SIEM flags a corporate laptop opening periodic outbound HTTPS connections to a newly-registered domain. EDR shows a signed but uncommon process. The user is on vacation; the device is on a home Wi-Fi. What is the analyst’s next step?
× Wipe and re-image the laptop immediately: eradication before containment destroys evidence and may miss lateral-movement indicators. Wrong phase.
✓ Use EDR to isolate the endpoint, preserve memory / disk for forensics, then scope the incident: containment first, keep the evidence, then investigate scope. Classic PICERL sequence.
× Open a ticket and wait until the user returns from vacation: waiting on active beaconing allows data exfiltration and lateral movement. Timeliness matters in IR.
× Block the domain at the firewall and close the alert: this blocks the C2 channel only. The implant can fall back to other infrastructure; the endpoint is still compromised.
Principle: Contain before you eradicate. Isolate with EDR, preserve volatile data first (order of volatility), then scope and remediate.
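What the SIEM rule behind this scenario might look like, as an added example that is not part of the original page: the signal is not any single connection but the regularity of the intervals between them, so the check groups proxy events by (host, destination) and flags pairs whose inter-connection gaps have a very low coefficient of variation. The log lines, hostnames, domains and thresholds are constructed for illustration.

```python
"""Beaconing detection over proxy log lines (added example, not the page's own)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy log: UTC timestamp, source host, destination, port.
# LAPTOP-17 connects roughly once a minute; DESKTOP-03 is ordinary browsing.
LOG = """\
2024-03-12T02:10:04Z LAPTOP-17 cdn-update.example 443
2024-03-12T02:11:03Z LAPTOP-17 cdn-update.example 443
2024-03-12T02:12:05Z LAPTOP-17 cdn-update.example 443
2024-03-12T02:13:04Z LAPTOP-17 cdn-update.example 443
2024-03-12T02:14:06Z LAPTOP-17 cdn-update.example 443
2024-03-12T02:15:04Z LAPTOP-17 cdn-update.example 443
2024-03-12T02:10:30Z DESKTOP-03 docs.example 443
2024-03-12T02:10:41Z DESKTOP-03 docs.example 443
2024-03-12T02:17:12Z DESKTOP-03 docs.example 443
2024-03-12T02:31:58Z DESKTOP-03 docs.example 443
2024-03-12T02:32:02Z DESKTOP-03 docs.example 443
2024-03-12T02:55:40Z DESKTOP-03 docs.example 443
"""

MIN_HITS = 5   # below this there is too little history to judge periodicity
MAX_CV = 0.10  # stdev / mean of the gaps; near zero means clock-driven traffic


def parse(log: str) -> dict:
    """Group epoch timestamps by (host, destination)."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, host, dest, _port = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        series[(host, dest)].append(t.timestamp())
    return series


def regularity(times: list) -> tuple:
    """(mean gap in seconds, coefficient of variation of the gaps)."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(log: str = LOG) -> list:
    """[(host, destination, hits, mean_gap_s, cv)] for pairs that look periodic."""
    hits = []
    for (host, dest), times in parse(log).items():
        if len(times) < MIN_HITS:
            continue
        m, cv = regularity(times)
        if cv <= MAX_CV:
            hits.append((host, dest, len(times), round(m), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons():
        print("possible beacon:", hit)
```

Run on its own the check flags LAPTOP-17 to cdn-update.example at a 60-second period and leaves DESKTOP-03 alone. Two caveats a practitioner would add before trusting it: implants that jitter their sleep interval push the coefficient of variation above the threshold, so this heuristic is one signal to enrich (domain age, process reputation from EDR, TLS fingerprint) rather than a verdict, and legitimate software updaters are also periodic, so the destination allow-list matters as much as the math.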
02 Scenario: The “MFA” That Wasn’t
An internal audit finds that a customer portal requires users to enter a password and then answer a pre-set security question. The vendor markets the feature as “multi-factor authentication.” A compliance deadline for MFA is three weeks away. What is the accurate assessment and best next step?
× Accept the vendor’s claim; both inputs are user-supplied: both are knowledge factors. MFA requires different categories.
✓ Flag as non-compliant; require a second-category factor (TOTP, push, FIDO2, or biometric) before the deadline: MFA requires factors from different categories, knowledge + possession or knowledge + biometric. Password + security question is single-factor.
× Add a second security question to strengthen the first factor: three knowledge factors are still one category. Does not satisfy MFA.
× Send SMS OTPs only to users flagged as “high risk”: partial coverage does not meet a blanket MFA requirement, and SMS is a weaker possession factor than TOTP / push / FIDO2.
Principle: MFA is defined by category diversity, not input count. Know / Have / Are / Where / Do — the factors must come from different categories.
03 Scenario: The Vuln Prioritization Fight
The weekly vulnerability report lists two findings. Finding A: CVSS 9.8 on a pre-production lab VM with no internet exposure and no sensitive data. Finding B: CVSS 7.5 on the customer-facing login API; a threat feed shows active exploitation in the wild targeting this CVE. Patching capacity this sprint covers one. Which do you patch first?
× Patch Finding A first — higher CVSS score: CVSS is technical severity. Exposure and active threat activity push Finding B to higher risk.
✓ Patch Finding B first; accept risk or compensate on A with network isolation and a tracking ticket: Risk = severity × exposure × asset value × threat activity. Internet-facing + active exploit + revenue-critical API beats a higher score on an isolated lab asset.
× Patch both this sprint by overloading the change window: change capacity exists for operational safety; busting it invites incidents. The exam rewards prioritization under constraint.
× File a risk exception on both and revisit next quarter: exceptions are for accepted, compensated risk, not a default. Active exploitation is not exception territory.
Principle: Patch by risk, not by raw CVSS. Exposure, asset value, and active threat activity turn a lower-scored vuln into a higher-priority fix.
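The page's formula carried through in code, as an added example that is not part of the original page and that also serves the "CVSS is technical severity" concept and the objective-navigator card above: severity is the CVSS base score, and each of exposure, asset value and threat activity is a multiplier that can only pull the score down when the asset is hidden, unimportant or unthreatened. The multiplier values and the two findings are constructed assumptions for illustration, not a published scoring model; real programs calibrate these against their own asset inventory and threat intelligence.

```python
"""Risk-based vulnerability prioritisation (added example, not the page's own)."""
from dataclasses import dataclass

# Constructed multipliers, all in (0, 1]; tune to your environment.
EXPOSURE = {"internet": 1.0, "internal": 0.4, "isolated": 0.1}
ASSET_VALUE = {"crown_jewel": 1.0, "standard": 0.6, "lab": 0.2}
THREAT = {"exploited_in_wild": 1.0, "public_exploit": 0.7, "none_known": 0.3}


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float        # CVSS base score: technical severity and nothing else
    exposure: str      # key into EXPOSURE
    asset_value: str   # key into ASSET_VALUE
    threat: str        # key into THREAT


def risk_score(f: Finding) -> float:
    """Severity scaled by exposure, asset value and threat activity (0..10)."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError("CVSS base scores range 0.0 to 10.0")
    return round(f.cvss * EXPOSURE[f.exposure] * ASSET_VALUE[f.asset_value]
                 * THREAT[f.threat], 2)


def prioritise(findings: list) -> list:
    """Highest risk first; raw CVSS only breaks ties between equal risks."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


# Constructed findings mirroring the scenario: A is the 9.8 on the isolated
# lab VM, B is the 7.5 on the internet-facing login API under active attack.
FINDING_A = Finding("A: pre-production lab VM", 9.8, "isolated", "lab", "none_known")
FINDING_B = Finding("B: customer login API", 7.5, "internet", "crown_jewel",
                    "exploited_in_wild")

if __name__ == "__main__":
    for f in prioritise([FINDING_A, FINDING_B]):
        print(f"risk {risk_score(f):5.2f}  cvss {f.cvss}  {f.name}")
```

With these weights the 9.8 collapses to about 0.06 and the 7.5 stays at 7.5, which is the whole point: the score the scanner prints is the ceiling, and context decides how much of it is real.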
06 Common Traps
The Tempting Wrong Answer
1. Same-Category MFA: password + security question, password + PIN, PIN + passphrase — all "know". Real MFA crosses categories: know + have, or know + are.
2. Eradication Before Containment: wiping an infected host before isolating destroys evidence and may hide lateral movement. Contain first, scope second, eradicate third.
3. SSD + Degaussing: degaussing only works on magnetic media. SSDs use flash — magnetic fields don't affect them. For SSD: crypto-erase (if encrypted day one) or physical destruction.
4. CVSS = Risk: CVSS is severity. Risk adds exposure, asset value, and active threat activity. A 9.8 on an isolated lab VM can be lower risk than a 7.5 on a crown-jewel API.
5. Delete ≠ Sanitize: file deletion and formatting leave data recoverable with off-the-shelf tools. NIST SP 800-88 Clear / Purge / Destroy is the standard — match method to media sensitivity.
6. SIEM Automates Response: SIEM correlates and alerts. SOAR executes the playbook (quarantine, ticket, enrich). Mixing the two is a common wrong-answer trap.
7. NetFlow ≠ PCAP: NetFlow is metadata (who talked to whom, how much, when) — cheap, scalable. PCAP is the actual packets — expensive to store but the only source for payload analysis.
8. Standing Admin as Default: permanent admin for every engineer is the risk. Just-in-time elevation + PAM + ephemeral creds + session logging preserves response speed without the blast radius.
07 Self-Check Quiz
6 Practice Questions
Understand · Beginner · Objective 4.1
Q1. An organization wants a repeatable way to establish, deploy, and maintain a secure configuration for all Windows servers. Which combination BEST fits?
A A one-time manual hardening checklist run at build
B A documented baseline (e.g., CIS Benchmark) deployed via Group Policy / MDM with continuous drift monitoring
C Antivirus on every server with default settings
D Quarterly vulnerability scans with emailed reports
Correct: B
Secure baselines are documented (CIS / STIG), deployed at scale (GPO, MDM, config-mgmt tools), and continuously monitored for drift. Manual checklists don’t survive scale; AV and quarterly scans don’t define the baseline.
Source: CompTIA SY0-701 Objectives v5.0 — 4.1
Apply · Intermediate · Objective 4.2
Q2. A hospital is decommissioning 800 SSDs that held PHI. Which sanitization method is MOST appropriate if the drives were not encrypted at deployment?
A Degauss each drive
B Quick-format and reuse
C Crypto-erase by deleting the encryption key
D Physical destruction (shred or incinerate) per NIST 800-88 Destroy
Correct: D
Degaussing doesn't affect flash. Crypto-erase requires day-one encryption — absent here. Quick-format leaves data recoverable. For unencrypted SSDs that held PHI, with no verifiable purge on offer, Destroy is the defensible choice.
Q3. Two vulnerabilities compete for the same patch window. A: CVSS 9.8 on an isolated pre-production lab VM with no sensitive data. B: CVSS 7.5 on a customer-facing login API, actively exploited in the wild. Which is the HIGHER-priority fix?
A A, because raw CVSS is higher
B B, because risk factors in exposure, asset value, and active threat activity
C Neither; file exceptions and revisit
D Both are equal priority without more data
Correct: B
CVSS is technical severity. Risk = severity × exposure × asset value × threat activity. Internet-facing + active exploit + revenue-critical API beats an isolated lab asset with a higher raw score.
Source: CompTIA SY0-701 Objectives v5.0 — 4.3
Apply · Intermediate · Objective 4.4
Q4. A SOC wants alerts from multiple products to trigger a single playbook that isolates an endpoint, opens a ticket, and enriches the event with threat-intel. Which tool category fits?
A SIEM
B SOAR
C EDR
D NetFlow collector
Correct: B
SOAR consumes alerts (often from the SIEM) and runs playbooks that invoke EDR, ITSM, and threat-intel APIs. SIEM correlates and searches; EDR watches endpoints; NetFlow is metadata telemetry.
Q5. Which pairing of authentication factors BEST satisfies multi-factor authentication?
A Password + security question
B Password + PIN
C Password + hardware security key (FIDO2)
D PIN + passphrase
Correct: C
MFA requires factors from different categories. Password (know) + FIDO2 key (have) crosses categories. A/B/D all pair two knowledge factors — single-factor, not MFA.
Source: CompTIA SY0-701 Objectives v5.0 — 4.6
Analyze · Advanced · Objective 4.8
Q6. SIEM flags a laptop beaconing to a newly-registered domain at 02:10. EDR shows a signed but uncommon process running. What should the analyst do FIRST?
A Wipe and re-image the laptop
B Isolate the endpoint via EDR and preserve volatile data for forensics
C Block the domain at the firewall and close the alert
D Open a low-priority ticket and wait for the user to return
Correct: B
Containment comes before eradication. Isolation stops further C2 and lateral movement; volatile data (memory, network state) must be captured before reboot or re-image per order of volatility.
Source: CompTIA SY0-701 Objectives v5.0 — 4.8
Continue Your Prep
Choose how you want to study. All paths lead to the same goal: passing the Security+ on exam day.
TJS Platform (recommended, coming soon): all 5 domains, 200+ adaptive questions, AI Study Buddy, timed exams, and certificate of completion.
Pocket Reference PDF (coming soon): printable desk reference with key concepts, mnemonics, and quick-reference tables for all 5 domains.
This content is provided for educational and exam preparation purposes only. It is designed to supplement your study efforts with additional context, scenarios, and practice material. This is not official CompTIA content, is not endorsed by CompTIA, and does not guarantee exam success. All practice questions are original and based on published exam objectives — they are not actual exam questions. Exam content, format, and policies are determined solely by CompTIA. Always refer to the official CompTIA Security+ SY0-701 Exam Objectives as your primary reference. Tech Jacks Solutions is not responsible for exam outcomes.