What is CertGuide.ai?

CertGuide.ai is an AI-powered certification prep platform that helps you pass CompTIA exams like Security+, Network+, and A+. It maps all exam concepts, diagnoses your weak areas, and creates personalized study plans.

How does CertGuide compare to CertMaster?

CertGuide.ai offers AI-powered diagnostics that map your knowledge across all 183 Security+ concepts, personalized study plans, and an AI tutor. Unlike traditional prep tools, CertGuide shows you exactly which concepts need work and tracks your progress to exam readiness.

What is the pass rate for CertGuide users?

99% of CertGuide users who reach 95% concept mastery pass their certification exam on the first attempt.

How much does CertGuide cost?

CertGuide offers a free baseline assessment to diagnose your current knowledge. Full course access is $79 per certification exam.

Which CompTIA certifications does CertGuide support?

CertGuide currently supports CompTIA Security+ (SY0-701), with Network+ and A+ (Core 1 & Core 2) launching soon.

Objective 1.1High Priority8 min read

Detective Controls

Controls that identify security incidents as they occur or after the fact. Detective controls do not prevent attacks but provide visibility into what happened, enabling response and investigation.

Understanding Detective Controls

Detective controls identify that something has happened. They don't stop attacks—they reveal them. Think of detective controls as the security equivalent of "catching someone in the act" or "finding evidence after the crime."

The value of detection is enabling response. An attack you don't know about can't be stopped, investigated, or prevented from recurring. Detective controls close the visibility gap between what attackers do and what defenders know.

Here's the critical exam distinction: detection happens during or after an event. Prevention happens before. An IDS (Intrusion Detection System) that alerts on malicious traffic is detective—the traffic already entered the network. An IPS (Intrusion Prevention System) that blocks malicious traffic is preventive—the traffic never reaches its destination.

Why This Matters for the Exam

Detective controls are heavily tested because they're central to security operations. Domain 4 (Security Operations) at 28% of the exam focuses on monitoring, alerting, and incident response—all of which depend on detective controls.

The exam frequently tests the IDS vs. IPS distinction. This is one of the most common questions: IDS = Detection (alerts only), IPS = Prevention (blocks traffic). The "D" and "P" in the acronyms tell you the control type.

Understanding detective controls also helps with scenario questions. When a question asks "how would you know if this attack occurred?" or "what would alert you to this breach?"—the answer involves detective controls.

Deep Dive

Common Detective Controls on the Exam

Network Detection

•IDS (Intrusion Detection System) — Monitors and alerts on suspicious traffic
•Network traffic analysis — Identifies anomalous patterns
•NetFlow/packet capture — Records traffic for analysis
•Honeypots — Detect unauthorized access attempts

System Detection

•SIEM (Security Information and Event Management) — Aggregates and correlates logs
•Audit logs — Record system and user activity
•File integrity monitoring — Detects unauthorized file changes
•Endpoint detection — Monitors endpoint behavior

Physical Detection

•Security cameras (recording) — Capture evidence of incidents
•Motion sensors — Detect movement in secured areas
•Door/window sensors — Alert on physical access
•Badge access logs — Record entry/exit times

Human Detection

•Security guards on patrol — Observe and report
•Log reviewers — Analyze audit trails
•Security analysts — Monitor dashboards and alerts
•Incident responders — Investigate anomalies

The Detection Timeline

Detective controls work at different points:

1. Real-time detection — Alerts as events happen (IDS, motion sensors) 2. Near-real-time — Slight delay but still actionable (SIEM correlation) 3. After-the-fact — Discovered during review (log analysis, audits)

All three are detective—the timing differs, but all identify rather than prevent.

Detective vs. Preventive: The Critical Distinction

System	Detective Function	Preventive Function
IDS	Alerts on threats	None—doesn't block
IPS	Alerts on threats	Blocks malicious traffic
Firewall logs	Records blocked attempts	N/A (logs are detective)
Firewall rules	N/A (rules are preventive)	Blocks traffic
Antivirus alert	Notifies of detection	N/A (alert is detective)
Antivirus quarantine	N/A (action is corrective)	Blocks execution

The "D" Test: Ask yourself—does this control Detect or Deflect? Detect = detective. Deflect = preventive.

Detective Controls Across Categories

Detective is a TYPE that exists in all CATEGORIES:

• Technical Detective: IDS, SIEM, audit logs, file integrity monitoring • Managerial Detective: Risk assessments, security audits, compliance reviews • Operational Detective: Log review, security patrols, incident investigation • Physical Detective: Cameras, motion sensors, access logs

How CompTIA Tests This

Example Analysis

Scenario: A company deploys sensors throughout its network that analyze traffic patterns and generate alerts when they detect signatures matching known attack patterns. Security analysts receive these alerts and investigate potential threats.

Analysis: This describes an IDS (Intrusion Detection System), which is a detective control because: • It monitors and analyzes (detection function) • It generates alerts (notification, not prevention) • Analysts investigate AFTER detection • The malicious traffic already entered the network

What would make it preventive? If the system blocked the traffic instead of just alerting, it would be an IPS—a preventive control. The "S" (System) is the same; the difference is Detection vs. Prevention.

Control category: This is a technical control (implemented through technology)

Important: The IDS is detective even if it detects in real-time. "Real-time detection" is still detection, not prevention. The attack traffic reached the network—it wasn't stopped.

Key Terms to Know

detective controlsIDSintrusion detectionSIEMaudit logssecurity monitoringalertingincident detectionlog analysis

Common Mistakes to Avoid

Thinking real-time detection is prevention—even if an IDS alerts instantly, it's still detective. The traffic already entered the network. Speed doesn't change the control type.

Confusing IDS with IPS—IDS = Detection (alerts). IPS = Prevention (blocks). The exam tests this distinction constantly. Remember: D = Detect, P = Prevent.

Forgetting that logs are detective—audit logs, firewall logs, access logs are all detective controls. They record what happened for later review.

Missing that cameras can be multiple types—a visible camera is deterrent. A camera that records is detective. Many cameras are both. Focus on what the question emphasizes.

Exam Tips

Look for detection verbs: monitors, alerts, identifies, discovers, detects, reveals, notifies. These signal detective controls.

IDS vs IPS is guaranteed to appear on your exam. Intrusion Detection System = Detective. Intrusion Prevention System = Preventive. Memorize this.

SIEM is a detective control—it aggregates logs and generates alerts. It doesn't prevent anything; it provides visibility.

When a question asks "how would you detect this threat?"—the answer is a detective control. When it asks "how would you stop this threat?"—that's preventive.

Logs are always detective. Any system that records activity for later review is performing a detective function.

Memory Trick

"Detective controls DETECT—they don't DEFLECT."

Like a detective solving a crime, these controls find out what happened. They don't stop crimes from happening.

•The IDS/IPS Rule:
•IDS = Sees the threat (Detective)
•IPS = Stops the threat (Preventive)

Or remember: Detection vs Prevention—the letters are right in the acronym.

•The Camera Test:
•Camera RECORDING = Detective (captures evidence)
•Camera VISIBLE = Deterrent (discourages attackers)
•Both? = Both types (most cameras)

•Timeline Test:
•Happens BEFORE the attack succeeds → Preventive
•Happens DURING or AFTER → Detective

Test Your Knowledge

Q1.An organization implements a system that monitors network traffic for suspicious patterns and sends alerts to the security team when potential threats are detected. The system does not block any traffic. What type of control is this?

Q2.A security analyst reviews firewall logs daily to identify any unauthorized access attempts that were blocked. The log review activity is which type of control?

Q3.Which of the following is the BEST example of a detective control?

Want more practice with instant AI feedback?

Practice with AI

Continue Learning

Preventive Controls Corrective Controls Technical Controls Operational Controls

Ready to test your knowledge?

Practice questions on detective controls and other Objective 1.1 concepts.

Start Practice

Deterrent Controls Corrective Controls