Domain 4: Security Operations
The biggest slice of the exam — 28%. This is the daily work: harden baselines, track assets cradle to grave, find and fix vulnerabilities, watch the telemetry, grant the right access, automate the repeatable, and run incidents when everything breaks.
Six Ideas That Drive Every Domain 4 Question
Operations is where controls meet reality. Master these six and you can reason through almost any Domain 4 scenario — hardening, vuln management, monitoring, IAM, automation, or incident response.
Baseline, Then Drift
A documented, enforced, monitored secure baseline is the foundation. Everything else detects drift from it.
Own It Cradle to Grave
Asset management means a named owner, classification, a CMDB entry, and a sanitization method at end of life.
CVSS ≠ Risk
CVSS is technical severity. Risk = severity × exposure × asset value × threat activity. Prioritize by risk, not score.
Telemetry Before Tooling
SIEM correlates; SOAR automates; EDR watches endpoints; XDR stitches them. Pick by what question you need answered.
Identity Is the Perimeter
Least privilege, JIT elevation, MFA across factor categories, attestation, and lifecycle automation — that’s modern access control.
Contain Before You Chase
IR lifecycle: Prepare → Identify → Contain → Eradicate → Recover → Lessons Learned. Containment before eradication every time.
9 Objectives — Pick Your Path
Establish, deploy, and maintain secure baselines (CIS Benchmarks, DISA STIGs). Harden workstations, servers, mobile, wireless, cloud, IoT, ICS/SCADA, embedded, and RTOS. Enforcement via Group Policy, MDM, Ansible / Chef / Puppet, and drift detection.
Acquisition, assignment, named owners, classification, CMDB / inventory, monitoring and tracking, end-of-life disposal. NIST 800-88 sanitization (Clear / Purge / Destroy), media-to-method matrix (degaussing, crypto-erase, shred), data retention vs archival.
Scan types (authenticated vs unauthenticated, SAST, DAST, package monitoring), threat feeds, OSINT, bug bounty, pen tests, CVE and CVSS vs risk, prioritization, remediation (patch, segment, compensating control, exception), validation, reporting.
Systems, applications, and infrastructure telemetry. SIEM, SOAR, EDR, XDR, log aggregation, NetFlow vs PCAP, SCAP, agent vs agentless, SNMP, alert tuning, quarantine, report generation, archival.
Firewall rules and ACLs, IDS/IPS signatures, web filters (URL scan, agent-based, CASB), DNS filtering, email security (DMARC, DKIM, SPF, gateway), file integrity monitoring, DLP, NAC, EDR/XDR tuning, user behavior analytics.
Provisioning / deprovisioning, federation (SAML, OIDC), SSO, LDAP, OAuth, interoperability, attestation, access control models (RBAC, ABAC, MAC, DAC, rule-based), MFA factor categories (know / have / are / where / do), password managers, passwordless, PAM (JIT, ephemeral, vaulting).
Use cases (user provisioning, guard rails, resource allocation, ticket enrichment, escalation, security groups, continuous integration / delivery, API integrations), benefits (efficiency, reaction time, consistency), considerations (complexity, cost, fragility, technical debt, single point of failure).
Six phases (prepare, identify, contain, eradicate, recover, lessons learned). Training, testing (tabletop, simulation), root cause analysis, threat hunting, digital forensics — legal hold, chain of custody, acquisition, reporting, preservation, e-discovery.
Log data (firewall, application, endpoint, OS-specific, IPS/IDS, network, metadata), data sources (vulnerability scans, automated reports, dashboards, packet captures) — and how to match the investigative question to the data source that actually answers it.
Learn It, Test It, Lock It In
SOC analyst sees beaconing from a laptop. Which phase comes first — isolate the host, or wipe and rebuild it?
Containment (isolate). Stop the spread first. Eradication comes after you have scope, evidence, and a plan. Wiping before containing loses lateral-movement data.
A help-desk tool requires a password AND a security question. Does that satisfy MFA?
No. Both are something you know — same category. True MFA pairs knowledge (password) with possession (token, phone push) or biometric (fingerprint).
A hospital decommissions 800 SSDs that once held PHI. Is degaussing an appropriate Purge method?
No. Degaussing only works on magnetic media (HDDs, tapes). SSDs use flash — unaffected by magnetic fields. For SSDs: crypto-erase (if encrypted day one) or physical destruction per NIST 800-88.
A SOC wants to auto-quarantine any endpoint that triggers a high-severity EDR alert and open a ticket. Which tool orchestrates that?
SOAR. SOAR consumes the alert, executes a playbook (quarantine via EDR API, open ticket, notify analyst). SIEM would correlate the alert; SOAR acts on it.
Two vulns: CVSS 9.8 on an isolated internal dev VM; CVSS 7.5 on a public-facing login API that’s being actively exploited. Patch order?
Public-facing first. Risk, not raw CVSS, drives priority. The 7.5 has active exploitation on a crown-jewel asset — that’s the higher risk.
A compromised laptop is being held for forensic investigation. Counsel says litigation is likely. What notice should go out first?
Legal hold. Suspends normal retention/destruction for all potentially relevant data. Without it, routine deletion can destroy evidence and create spoliation exposure.
The Forcing-Function Rule — Exam Strategy
Domain 4 scenarios encode the answer in their constraints. Ask: what are the forcing functions? IR phase language drives the sequence. MFA-category language drives which factor choice is real. Sanitization questions test media type as much as method. CVSS + exposure + threat language drives risk priority. Read the clue words — don’t reach for the biggest-sounding tool.
The Tempting Wrong Answer
Same-Category MFA
Password + security question, password + PIN, PIN + passphrase — all know. Real MFA crosses categories: know + have, or know + are.
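A small checker for the category rule, as an added example (it is not part of the study page). The factor-to-category table is an assumption constructed for the example; the point it demonstrates is that MFA is decided by counting distinct categories, not by counting factors, and that an unrecognized factor must fail closed rather than quietly count as a second category.

```python
"""Decide whether a set of authentication factors is really multi-factor.

Added example, not from the study page. The FACTOR_CATEGORY table is an
assumption built to match the know / have / are / where / do categories.
"""
from __future__ import annotations

from typing import Iterable

# Assumed mapping from a factor label to its category (constructed).
FACTOR_CATEGORY = {
    "password": "know",
    "pin": "know",
    "passphrase": "know",
    "security_question": "know",
    "fido2_key": "have",
    "totp_app": "have",
    "push_notification": "have",
    "smart_card": "have",
    "fingerprint": "are",
    "face": "are",
    "geolocation": "where",
    "typing_rhythm": "do",
}


def categories_of(factors: Iterable[str]) -> set[str]:
    """Return the distinct categories the given factors cover.

    Raises ValueError for a factor the table does not know, so a typo in a
    policy can never slip through as a phantom second category.
    """
    cats: set[str] = set()
    for f in factors:
        try:
            cats.add(FACTOR_CATEGORY[f])
        except KeyError:
            raise ValueError(f"unknown factor: {f!r}") from None
    return cats


def is_multi_factor(factors: Iterable[str]) -> bool:
    """True only when the factors span at least two different categories."""
    return len(categories_of(factors)) >= 2


def explain(factors: list[str]) -> str:
    """Human-readable verdict for a factor combination."""
    cats = categories_of(factors)
    verdict = "MFA" if len(cats) >= 2 else "single-factor"
    return f"{' + '.join(factors)} -> {sorted(cats)} ({verdict})"


if __name__ == "__main__":
    for combo in (
        ["password", "security_question"],   # both "know": not MFA
        ["password", "fido2_key"],           # know + have: MFA
        ["pin", "fingerprint"],              # know + are: MFA
        ["fingerprint"],                     # one factor: not MFA
    ):
        print(explain(combo))
```

Running the block prints the verdict for each combination; the first line shows the help-desk case from the card above rejected because both factors sit in the "know" category.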
Eradication Before Containment
Wiping an infected host before isolating destroys evidence and may hide lateral movement. Contain first, scope second, eradicate third.
SSD + Degaussing
Degaussing only works on magnetic media. SSDs use flash — magnetic fields don’t affect them. For SSD: crypto-erase (if encrypted day one) or physical destruction.
CVSS = Risk
CVSS is severity. Risk adds exposure, asset value, and active threat activity. A 9.8 on an isolated lab VM can be lower risk than a 7.5 on a crown-jewel API.
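The prioritization fight in numbers, as an added example (not code from the study page). It applies the page's formula, risk = severity × exposure × asset value × threat activity, to a constructed list of findings; the numeric weights for exposure, asset value and threat activity, and the finding IDs, are assumptions made for the example, not values from any scoring standard.

```python
"""Rank vulnerabilities by risk instead of raw CVSS.

Added example, not from the study page. Weight tables and finding IDs are
constructed for illustration; CVSS base scores are treated as severity.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed multipliers (constructed). Each scales the CVSS severity down
# unless the asset is fully exposed, business-critical and under attack.
EXPOSURE = {"isolated": 0.2, "internal": 0.5, "internet_facing": 1.0}
ASSET_VALUE = {"lab": 0.3, "standard": 0.6, "crown_jewel": 1.0}
THREAT = {"none_known": 0.3, "poc_public": 0.7, "actively_exploited": 1.0}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float
    exposure: str
    asset_value: str
    threat: str

    def __post_init__(self) -> None:
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.finding_id}: CVSS must be 0-10, got {self.cvss}")
        for table, key in ((EXPOSURE, self.exposure),
                           (ASSET_VALUE, self.asset_value),
                           (THREAT, self.threat)):
            if key not in table:
                raise ValueError(f"{self.finding_id}: unknown label {key!r}")

    def risk(self) -> float:
        """Page formula: severity x exposure x asset value x threat activity."""
        return round(self.cvss * EXPOSURE[self.exposure]
                     * ASSET_VALUE[self.asset_value] * THREAT[self.threat], 3)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; raw CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (f.risk(), f.cvss), reverse=True)


# Constructed sample: the 9.8 on an isolated dev VM versus the 7.5 on a
# public login API under active exploitation, plus one middling finding.
SAMPLE = [
    Finding("FINDING-A", 9.8, "isolated", "lab", "none_known"),
    Finding("FINDING-B", 7.5, "internet_facing", "crown_jewel", "actively_exploited"),
    Finding("FINDING-C", 8.1, "internal", "standard", "poc_public"),
]


def patch_order(findings: list[Finding] = SAMPLE) -> list[str]:
    """Return finding IDs in the order they should be remediated."""
    return [f.finding_id for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.finding_id}: CVSS {f.cvss:>4}  risk {f.risk():>6}")
```

Sorted by CVSS alone the order would be A, C, B; sorted by risk it is B, C, A, which is the answer the exam wants. Changing a single label (say, the dev VM becoming internet-facing) moves a finding up the list without touching its CVSS, which is the point: the score is fixed at publication, the risk is not.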
Delete ≠ Sanitize
File deletion and formatting leave data recoverable with off-the-shelf tools. NIST 800-88 Clear / Purge / Destroy is the standard — match method to media sensitivity.
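The media-to-method decision from the two traps above, written out as an added example (not from the study page or from NIST SP 800-88 itself). The decision rules are a simplification of what the page states: degaussing applies only to magnetic media, crypto-erase only when the drive was encrypted from day one, and an unencrypted flash drive holding sensitive data goes to Destroy. The media kinds, sensitivity labels and method names are assumptions chosen for the example.

```python
"""Choose a NIST 800-88 sanitization level and method for a piece of media.

Added example, not from the study page. Media kinds, sensitivity labels and
the rules below are a simplified model built for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

MAGNETIC = {"hdd", "tape"}
FLASH = {"ssd", "usb_flash"}
SENSITIVITY = ("low", "moderate", "high")


@dataclass(frozen=True)
class Media:
    kind: str                 # "hdd", "tape", "ssd", "usb_flash"
    encrypted_day_one: bool   # encryption enabled before any data was written
    sensitivity: str          # "low", "moderate", "high"
    leaves_org: bool = True   # will the media leave organizational control?


def method_applies(m: Media, method: str) -> bool:
    """Does a method physically work for this media? (Not: is it sufficient.)"""
    if method in ("overwrite", "destroy"):
        return True                       # any media can be overwritten or shredded
    if method == "degauss":
        return m.kind in MAGNETIC         # magnetic fields do nothing to flash
    if method == "crypto_erase":
        return m.encrypted_day_one        # plaintext written before encryption survives
    raise ValueError(f"unknown method: {method!r}")


def sanitization_method(m: Media) -> tuple[str, str]:
    """Return (NIST level, method) for the media; raises on bad input."""
    if m.kind not in MAGNETIC | FLASH:
        raise ValueError(f"unknown media kind: {m.kind!r}")
    if m.sensitivity not in SENSITIVITY:
        raise ValueError(f"unknown sensitivity: {m.sensitivity!r}")

    # Low-sensitivity media reused inside the organization: Clear is enough.
    if m.sensitivity == "low" and not m.leaves_org:
        return ("Clear", "overwrite")

    # Purge: pick the method that matches the media, not the habit.
    if m.encrypted_day_one:
        return ("Purge", "crypto_erase")
    if m.kind in MAGNETIC:
        return ("Purge", "degauss")

    # Unencrypted flash: no Purge method applies, so sensitive data means Destroy.
    if m.sensitivity in ("moderate", "high"):
        return ("Destroy", "destroy")
    return ("Clear", "overwrite")


if __name__ == "__main__":
    cases = {
        "hospital SSDs with PHI, never encrypted": Media("ssd", False, "high"),
        "same SSDs, encrypted from day one":       Media("ssd", True, "high"),
        "archive tapes, high sensitivity":         Media("tape", False, "high"),
        "lab HDD, low sensitivity, reused in-house": Media("hdd", False, "low", leaves_org=False),
    }
    for label, media in cases.items():
        level, method = sanitization_method(media)
        print(f"{label}: {level} via {method}; degauss applies? {method_applies(media, 'degauss')}")
```

`method_applies` is the check the card is really testing: a degausser is a legitimate Purge tool, but only for media it can act on, so the decision has to look at the media type before the method.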
SIEM Automates Response
SIEM correlates and alerts. SOAR executes the playbook (quarantine, ticket, enrich). Mixing the two is a common wrong-answer trap.
NetFlow ≠ PCAP
NetFlow is metadata (who talked to whom, how much, when) — cheap, scalable. PCAP is the actual packets — expensive to store but the only source for payload analysis.
Standing Admin as Default
Permanent admin for every engineer is the risk. Just-in-time elevation + PAM + ephemeral creds + session logging preserves response speed without the blast radius.
6 Practice Questions
Secure baselines are documented (CIS / STIG), deployed at scale (GPO, MDM, config-mgmt tools), and continuously monitored for drift. Manual checklists don’t survive scale; AV and quarterly scans don’t define the baseline.
Degaussing doesn’t affect flash. Crypto-erase requires day-one encryption — absent here. Quick-format leaves data recoverable. For unencrypted SSDs with sensitive data, Destroy is the defensible choice.
CVSS is technical severity. Risk = severity × exposure × asset value × threat activity. Internet-facing + active exploit + revenue-critical API beats an isolated lab asset with a higher raw score.
SOAR consumes alerts (often from the SIEM) and runs playbooks that invoke EDR, ITSM, and threat-intel APIs. SIEM correlates and searches; EDR watches endpoints; NetFlow is metadata telemetry.
MFA requires factors from different categories. Password (know) + FIDO2 key (have) crosses categories. A/B/D all pair two knowledge factors — single-factor, not MFA.
Containment comes before eradication. Isolation stops further C2 and lateral movement; volatile data (memory, network state) must be captured before reboot or re-image per order of volatility.