Security+ Domain 4 is the highest-weighted domain at 28%, covering day-to-day security tasks: monitoring, incident response, vulnerability management, and security tooling. Heavy emphasis on practical, operational scenarios and performance-based questions.
Questions: ~25-26
Concepts: 58 total
Difficulty: Advanced
Study Time: 3-4 weeks
Objectives: 9
Implementing security on systems, devices, and applications.
Key Concepts
Secure Baselines
Establishing standard secure configurations for systems. Creating and maintaining configuration benchmarks.
Hardening Targets
Security hardening for mobile devices, workstations, switches, routers, cloud infrastructure, servers, ICS/SCADA, embedded systems, RTOS, and IoT devices.
Wireless Security
Implementing wireless security including installation considerations, site surveys, and heat maps.
Mobile Solutions
Managing mobile devices through MDM, deployment models (BYOD, COPE, CYOD), and connection methods.
Application Security
Securing applications through input validation, secure cookies, HTTP headers, code signing, and sandboxing.
Wireless Security Standards
Understanding WPA3, AAA/RADIUS, cryptographic protocols, and authentication methods for wireless networks.
Exam Tip
Hardening questions often ask about specific techniques: disabling unnecessary services, removing default accounts, implementing least privilege. Know the order of operations for securing a new system.
Managing the security of organizational assets throughout their lifecycle.
Key Concepts
Acquisition and Procurement
Security considerations when acquiring hardware and software. Vendor assessment and supply chain security.
Asset Assignment and Accounting
Tracking ownership, classification, and monitoring of organizational assets.
Disposal and Decommissioning
Secure disposal methods including sanitization, destruction, and certification. Media sanitization standards.
Exam Tip
Know the data sanitization methods: clearing (overwriting), purging (cryptographic erase), and destroying (physical destruction). Match method to data sensitivity.
Identifying, assessing, and remediating vulnerabilities.
Key Concepts
Vulnerability Identification Methods
Techniques for finding vulnerabilities including scanning, application security testing, threat feeds, and OSINT.
Vulnerability Analysis
Confirming and prioritizing vulnerabilities. Understanding CVE, CVSS, and vulnerability classification.
Vulnerability Response and Remediation
Addressing vulnerabilities through patching, insurance, segmentation, and compensating controls. Validation of fixes.
Vulnerability Reporting
Communicating vulnerability findings including internal/external reporting and responsible disclosure.
Exam Tip
Understand the vulnerability management lifecycle: identify → assess → prioritize → remediate → verify. Know when to use credentialed scans (more thorough) vs non-credentialed (external perspective).
Using security tools to detect and analyze threats.
Key Concepts
Monitoring Computing Resources
Monitoring systems, applications, and infrastructure including baseline monitoring and performance metrics.
Monitoring Activities
Logging, archiving, alerting, alert response, and alert tuning for security monitoring.
Security Tools
Using SCAP, benchmarks, agents, agentless monitoring, and SIEM systems.
Security Monitoring Dashboards
Visualizing security metrics and status. Interpreting security data and trends.
Exam Tip
SIEM is heavily tested—know its components and use cases. Understand the difference between SIEM (monitoring/alerting) and SOAR (automated response). Practice interpreting SIEM alerts.
Configuring security controls across enterprise systems.
Key Concepts
Firewall Rules and Configuration
Configuring firewall rules, access lists, and network segmentation for security.
IDS/IPS Configuration
Tuning intrusion detection/prevention signatures and thresholds. Reducing false positives.
Web Filtering
Configuring web content filtering, agent-based vs centralized approaches, URL categorization, and reputation filtering.
Operating System Security
Group Policy implementation, SELinux, and operating system hardening.
Protocol Security
Securing protocols, including DNS filtering and email security (DKIM, SPF, DMARC, and email gateway configuration).
Network Security
Implementing network access control, port security, MAC filtering, and secure port configurations.
EDR and XDR
Configuring Endpoint Detection and Response and Extended Detection and Response solutions.
User Behavior Analytics
Implementing UBA for anomaly detection and insider threat identification.
Exam Tip
Know how to configure each security control. Scenarios often present a problem and ask which configuration change would address it.
Managing user identities, authentication, and authorization.
Key Concepts
Provisioning and Deprovisioning
Creating, modifying, and removing user accounts. Account lifecycle management.
Permission Assignments
Implementing permissions including least privilege, separation of duties, and user account controls.
Identity Governance
Managing identity verification, account access reviews, and orphaned account management.
Federation and SSO
Implementing federated identities and single sign-on across systems and organizations.
Interoperability Standards
Using SAML, OAuth, and OpenID Connect for identity federation and authentication.
Attestation
Verifying identity and access through access reviews and certification processes.
Access Control Models
Implementing mandatory, discretionary, role-based, rule-based, and attribute-based access control.
Multifactor Authentication
Implementing MFA including authentication factors, biometrics, and authentication apps.
Password Concepts
Password security including managers, passwordless authentication, and password policies.
Privileged Access Management
Managing and securing privileged accounts. Just-in-time access and privilege escalation controls.
Exam Tip
Know the difference between RBAC (role-based) and ABAC (attribute-based). Understand when to use each authentication factor: something you know, something you have, something you are, or somewhere you are.
Using automation to improve security efficiency and consistency.
Key Concepts
Use Cases for Automation
User provisioning, guard rails, security groups, ticket creation, escalation, and resource enablement/disablement.
Automation Benefits
Efficiency, standardization, time savings, employee retention, scaling, and reaction time improvements.
Automation Considerations
Complexity, cost, single points of failure, technical debt, and ongoing support requirements.
Exam Tip
Automation is increasingly important in SY0-701. Understand how SOAR playbooks automate incident response and why DevSecOps integrates security into CI/CD pipelines.
Handling security incidents from detection through recovery.
Key Concepts
Incident Response Process
The phases of incident response: preparation, detection, analysis, containment, eradication, recovery, and lessons learned.
Incident Response Training
Tabletop exercises, simulations, and testing for incident preparedness.
Root Cause Analysis
Determining the underlying cause of incidents to prevent recurrence.
Threat Hunting
Proactively searching for indicators of compromise and threats.
Digital Forensics
Legal hold, chain of custody, acquisition, reporting, and preservation of digital evidence.
Exam Tip
Know the incident response phases in order. Scenarios often present mid-incident situations and ask what the next step should be.
Collecting and analyzing evidence during security investigations.
Key Concepts
Log Data Sources
Firewall logs, application logs, endpoint logs, OS logs, IPS/IDS logs, network logs, and metadata.
Data Collection Sources
Vulnerability scans, automated reports, dashboards, and packet captures.
Exam Tip
Remember evidence volatility order: CPU registers → cache → memory → disk → logs → archives. Collect volatile evidence first because it disappears when power is lost.
Performance-based questions (PBQs) for this domain typically cover:
Domain 4 accounts for 28% of the exam—approximately 25-26 questions out of 90. It's the largest domain and contains the most PBQ content. Allocate at least 3-4 weeks of study time here.
Hands-on experience is extremely helpful. If you don't have access to enterprise tools, try free/community versions like Splunk Free, ELK Stack, or Security Onion. Practice reading alerts and understanding what they indicate.
The six phases in order: 1) Preparation, 2) Detection/Identification, 3) Containment, 4) Eradication, 5) Recovery, 6) Lessons Learned. The exam often tests whether you know the correct next step.
Focus on evidence handling: order of volatility, chain of custody, imaging procedures. Know the difference between copying files (not forensically sound) and creating bit-for-bit images (forensically sound).
This is 28% of the exam—practice PBQs heavily. Get hands-on with SIEM tools, vulnerability scanners, and incident response procedures. This domain requires practical experience, not just reading.