Security+ Domain 2 is the largest technical domain, covering threat actors, attack vectors, vulnerability types, and mitigation strategies. Expect heavy scenario-based questions requiring you to identify attacks from indicators and recommend appropriate countermeasures.
Questions: ~19-20 questions
Concepts: 38 total
Difficulty: Intermediate
Study Time: 2-3 weeks
Objectives: 5 objectives
Understanding who attacks systems and why.
Key Concepts
Categories of adversaries including nation-states, unskilled attackers (script kiddies), hacktivists, insider threats, organized crime, and shadow IT.
Characteristics that differentiate threat actors: internal vs external, resources/funding levels, and sophistication/capability levels.
Understanding why actors attack: data exfiltration, espionage, service disruption, blackmail, financial gain, philosophical beliefs, revenge, chaos, and warfare.
Exam Tip
Match threat actors to their typical motivations: nation-states (espionage, disruption), organized crime (money), hacktivists (ideology), insiders (revenge, financial gain). Understand the resource levels and sophistication of each.
Understanding how attackers gain access to systems.
Key Concepts
Attack delivery through communication channels including email, SMS, and instant messaging. Understanding how malicious content is distributed.
Attacks delivered through files, images, voice calls, and removable devices. Understanding malicious payloads in various media types.
Attack surface created by software vulnerabilities. Understanding client-based vs agentless software risks and unsupported systems.
Vulnerabilities in network infrastructure including unsecure wireless, wired, and Bluetooth networks. Open ports and default credentials.
Attacks through trusted third parties including MSPs, vendors, and suppliers. Understanding supply chain compromise risks.
Human-focused attack methods including phishing, vishing, smishing, pretexting, impersonation, and business email compromise.
Sophisticated social attacks including watering hole attacks, brand impersonation, typosquatting, and misinformation/disinformation campaigns.
Exam Tip
Social engineering vectors are heavily tested. Know the differences between phishing variants and how to identify each type from a scenario description.
Understanding weaknesses that attackers exploit.
Key Concepts
Software flaws including memory injection, buffer overflow, and race conditions (TOC/TOU). Understanding how application code can be exploited.
Common web-specific vulnerabilities including SQL injection and cross-site scripting (XSS). Understanding input validation failures.
OS-level security weaknesses including kernel vulnerabilities, privilege escalation paths, and system misconfigurations.
Physical device weaknesses including firmware vulnerabilities, end-of-life hardware, and legacy system risks.
Risks specific to virtual environments including VM escape and resource reuse vulnerabilities.
Security weaknesses unique to cloud environments including misconfigured storage, insecure APIs, and shared responsibility gaps.
Weaknesses introduced through service providers, hardware providers, and software providers in the supply chain.
Weaknesses in cryptographic implementations including weak algorithms, poor key management, and implementation flaws.
Security weaknesses from improper system configuration including default settings, excessive permissions, and exposed services.
Mobile-specific risks including side loading, jailbreaking, and mobile malware. Understanding mobile attack surfaces.
Previously unknown vulnerabilities with no available patches. Understanding zero-day discovery, disclosure, and mitigation challenges.
Exam Tip
Focus on web application vulnerabilities (SQL injection, XSS, CSRF) and cloud misconfigurations—these are heavily tested. Know what each vulnerability looks like and how it's exploited.
Identifying attacks from logs, behavior, and other indicators.
Key Concepts
Recognizing different malware categories: ransomware, trojans, worms, spyware, viruses, keyloggers, logic bombs, rootkits, and bloatware.
Signs of physical security breaches including brute force entry, RFID cloning, and environmental attacks.
Recognizing network-based attacks including DDoS (amplified/reflected), DNS attacks, wireless attacks, on-path attacks, and credential replay.
Signs of application-level attacks including injection, buffer overflow, replay, privilege escalation, forgery, and directory traversal.
Recognizing attacks on cryptographic systems including downgrade attacks, collision attacks, and birthday attacks.
Signs of password-focused attacks including password spraying and brute force attempts.
Recognizing anomalous activity: account lockouts, concurrent sessions, blocked content, impossible travel, resource issues, and logging anomalies.
Exam Tip
This is a PBQ-heavy objective. Practice reading log excerpts and identifying attack patterns. Know the difference between IoC (after breach) and IoA (during attack).
Countermeasures to prevent, detect, or respond to attacks.
Key Concepts
Dividing networks into isolated segments to contain breaches and limit lateral movement. Understanding VLANs, subnets, and network boundaries.
Using ACLs and permissions to restrict access to resources. Implementing principle of least privilege.
Restricting which applications can execute to prevent unauthorized software. Whitelisting approaches and implementation.
Separating systems and processes to prevent compromise spread. Sandboxing, air gaps, and logical isolation methods.
Keeping systems current with security patches. Patch management processes, testing, and deployment strategies.
Using encryption to protect data confidentiality and integrity as a mitigation control.
Continuous observation of systems and networks to detect threats. SIEM, log analysis, and alerting.
Ensuring systems maintain secure configurations. Configuration management, baselines, and compliance checking.
Securely retiring systems and data. Data sanitization, secure disposal, and asset lifecycle management.
Reducing attack surface through secure configuration. Disabling unnecessary services, changing defaults, removing unnecessary software, implementing host-based protections.
Exam Tip
For every attack type, know the corresponding mitigation. Scenarios will describe an attack and ask for the best countermeasure—match threats to mitigations.
Performance-based questions (PBQs) for this domain typically cover:
Practice reading logs and identifying patterns. Look for unusual login times, failed authentication attempts, unexpected outbound connections, and suspicious process activity. Build a mental library of what "normal" vs "abnormal" looks like.
Focus on the main categories: viruses (need host file), worms (self-replicating), trojans (disguised), ransomware (encryption/extortion), rootkits (hide presence), keyloggers (capture input), RATs (remote access), and spyware (surveillance). Know how each behaves and spreads.
A vulnerability is a weakness that could be exploited. A threat is something that could exploit a vulnerability. A threat actor is the person or group that exploits it. Risk = Threat × Vulnerability × Impact. All three concepts work together.
APTs are tested as the most sophisticated threat actor category. Understand they use multiple attack vectors, maintain long-term persistence, often involve nation-states, and require defense-in-depth strategies to counter.
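The log-reading practice described above, together with the brute-force, password-spraying and impossible-travel indicators listed under the indicator objective, as an added Python example that is not part of this study guide: it parses constructed sample authentication events (in a simple format chosen for the example, not any real product's log format) and flags each pattern by how failures and successes are distributed across accounts, sources and locations.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample auth events (not real): "timestamp result user source_ip city".
SAMPLE_LOG = """\
2024-03-01T08:00:05 FAIL alice 203.0.113.9 London
2024-03-01T08:00:06 FAIL bob 203.0.113.9 London
2024-03-01T08:00:07 FAIL carol 203.0.113.9 London
2024-03-01T08:00:08 FAIL dave 203.0.113.9 London
2024-03-01T09:10:00 FAIL frank 198.51.100.7 Paris
2024-03-01T09:10:01 FAIL frank 198.51.100.7 Paris
2024-03-01T09:10:02 FAIL frank 198.51.100.7 Paris
2024-03-01T09:10:03 FAIL frank 198.51.100.7 Paris
2024-03-01T10:00:00 OK grace 192.0.2.10 Berlin
2024-03-01T10:20:00 OK grace 192.0.2.77 Sydney
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+) (\S+)$")

def parse(log_text):
    events = []  # lines that do not match the expected format are skipped
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip, city = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                           "user": user, "ip": ip, "city": city})
    return events

def find_indicators(events, fail_threshold=4, travel_minutes=60):
    fails_by_ip = defaultdict(list)   # source ip -> usernames that failed from it
    ok_by_user = defaultdict(list)    # user -> (timestamp, city) of each success
    for e in events:
        if e["ok"]:
            ok_by_user[e["user"]].append((e["ts"], e["city"]))
        else:
            fails_by_ip[e["ip"]].append(e["user"])
    hits = []  # (indicator, subject) pairs
    for ip, users in fails_by_ip.items():
        if len(users) >= fail_threshold:
            # Repeated failures on one account = brute force; a few attempts each
            # across many accounts from one source = password spraying.
            kind = "password_spraying" if len(set(users)) >= fail_threshold else "brute_force"
            hits.append((kind, ip))
    for user, logins in ok_by_user.items():
        logins.sort()
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            # Two successes from different cities within the window = impossible travel.
            if c1 != c2 and (t2 - t1).total_seconds() <= travel_minutes * 60:
                hits.append(("impossible_travel", user))
    return hits
```

Running find_indicators(parse(SAMPLE_LOG)) reports the spraying source, the brute-force source and the impossible-travel account; the thresholds are illustrative and would be tuned to a real environment's baseline.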
Focus on recognizing attack patterns and matching them to mitigations. Use flashcards for malware types and social engineering variants. Practice with log analysis scenarios.