PBQ Workflow and Timing
Key Takeaways
- Performance-based questions reward a repeatable workflow more than memorized trivia.
- Read the task, identify the requested end state, and ignore details that do not affect the requested configuration.
- Capture easy points first, flag uncertain PBQs, and return after the multiple-choice questions if time is tight.
- Use Security+ decision patterns: least privilege, secure defaults, evidence preservation, and business constraints.
- Before submitting a PBQ, verify that every required object, rule, identity, or control is placed in the correct final state.
PBQ Workflow and Timing
Performance-based questions, or PBQs, test whether you can apply Security+ concepts in a realistic task. The exam interface may ask you to drag controls, configure rules, review logs, classify risks, complete a diagram, or choose the best order of operations. The best candidates do not try to "solve everything at once." They use a short workflow.
The Five-Pass PBQ Method
| Pass | What to do | Why it works |
|---|---|---|
| 1. Task | Read the actual command: configure, identify, match, order, or remediate | Prevents answering a different question than the one asked |
| 2. Scope | Mark the systems, users, ports, data, and constraints that matter | Keeps you from chasing distractors |
| 3. Baseline | Identify what is already correct and what is clearly wrong | Saves time and avoids unnecessary changes |
| 4. Apply | Make the smallest set of changes that reaches the required secure state | Matches least privilege and reduces side effects |
| 5. Verify | Re-read the task and check each required item | Catches missed inbound/outbound direction, source, destination, or role errors |
Timing Strategy
Do not let one PBQ consume the whole exam. A practical approach is:
| Situation | Recommended action |
|---|---|
| PBQ is familiar and mostly mechanical | Complete it now, then move on |
| PBQ is long but understandable | Do obvious parts, flag it, and return later |
| PBQ is confusing after one careful read | Flag it immediately and answer later with fresh context |
| Multiple-choice section is still untouched | Protect time for the rest of the exam |
You may see several PBQs at the beginning, but the order does not mean they are worth spending unlimited time on. Easy multiple-choice points can be lost if you spend too long on one simulation.
Read the Verb
| Verb in prompt | Candidate behavior |
|---|---|
| Identify | Select the object or finding; do not redesign the environment |
| Configure | Change settings, rules, roles, or controls to meet the stated goal |
| Match | Pair each item with the best category, control, attack, or remediation |
| Order | Put actions into a defensible sequence |
| Remediate | Choose controls that address the stated root cause |
| Recommend | Pick the best fit under the stated constraints |
Original PBQ Scenario: Branch Office Exposure
A branch office has a file server, a jump box, a web server, and a firewall. The prompt says:
"Configure the firewall to allow public HTTPS to the web server, allow administrators to manage internal servers only through the jump box, and block direct Internet management access."
The high-yield reading is:
| Requirement | Secure interpretation |
|---|---|
| Public HTTPS to web server | Allow inbound TCP 443 from Internet to web server only |
| Manage internal servers through jump box | Allow admin network to jump box; allow jump box to internal management ports |
| Block direct Internet management | Deny inbound SSH, RDP, Telnet, WinRM, and database ports from Internet |
| Internal file server | Do not expose SMB to Internet |
Good PBQ thinking is not "open whatever might be useful." It is "open the exact business path and deny the risky shortcuts."
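The scenario's rule set can be checked mechanically. The following is an added example, not part of the original guide: a first-match rule evaluator run against the required and forbidden paths, with an "open whatever might be useful" rule set beside it. The IP addresses, the management port set, and all names (`RULES`, `LOOSE`, `evaluate`, `audit`) are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing; the scenario itself names no IPs.
WEB, JUMP, FILE = "203.0.113.10", "10.0.20.5", "10.0.30.8"
ADMIN_NET, INTERNAL_NET, ANY = "10.0.10.0/24", "10.0.30.0/24", "0.0.0.0/0"
INTERNET_HOST, ADMIN_HOST = "198.51.100.7", "10.0.10.25"
MGMT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (assumed set)

# (action, source, destination, ports); first match wins, None = any port.
RULES = [
    ("allow", ANY, WEB, {443}),                 # public HTTPS, web server only
    ("allow", ADMIN_NET, JUMP, {22, 3389}),     # admins reach the jump box
    ("allow", JUMP, INTERNAL_NET, MGMT_PORTS),  # jump box manages internal servers
    ("deny", ANY, ANY, None),                   # explicit default deny
]
# The "open whatever might be useful" version: one broad rule placed on top.
LOOSE = [("allow", ANY, ANY, {443, 22, 3389})] + RULES

# (name, source, destination, port, expected action) taken from the requirement table.
CHECKS = [
    ("Internet HTTPS to web server", INTERNET_HOST, WEB, 443, "allow"),
    ("Internet SSH to web server", INTERNET_HOST, WEB, 22, "deny"),
    ("Internet RDP to jump box", INTERNET_HOST, JUMP, 3389, "deny"),
    ("Internet SMB to file server", INTERNET_HOST, FILE, 445, "deny"),
    ("Admin SSH to jump box", ADMIN_HOST, JUMP, 22, "allow"),
    ("Admin RDP direct to file server", ADMIN_HOST, FILE, 3389, "deny"),
    ("Jump box RDP to file server", JUMP, FILE, 3389, "allow"),
]

def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def evaluate(src, dst, port, rules):
    """Return the action of the first rule matching the flow."""
    for action, rule_src, rule_dst, ports in rules:
        if _in(src, rule_src) and _in(dst, rule_dst) and (ports is None or port in ports):
            return action
    return "deny"  # nothing matched: fail closed

def audit(rules):
    """Names of the checks whose outcome differs from the required end state."""
    return [name for name, src, dst, port, want in CHECKS
            if evaluate(src, dst, port, rules) != want]

if __name__ == "__main__":
    print("least-privilege rule set:", audit(RULES) or "all checks pass")
    print("loose rule set fails:", audit(LOOSE))
```

The loose rule set still passes every "allow" check, which is why verifying only the required paths misses the risky shortcuts; the deny checks are what expose it.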
Final Check Before Submit
Use this checklist on PBQs:
- Direction: inbound, outbound, source, and destination are correct.
- Identity: the user, group, role, or service account has only the required access.
- Protocol: the secure protocol is selected when a secure and insecure option both appear.
- Evidence: logs, alerts, or tickets are preserved if the scenario involves investigation.
- Sequence: contain, preserve evidence, eradicate, recover, and document are not randomly ordered.
- Constraints: legacy systems, downtime windows, cost, and compliance language are respected.
Common Exam-Day Mistakes
| Mistake | Better move |
|---|---|
| Solving from memory before reading the task | Read the required end state first |
| Overconfiguring permissive rules | Apply least privilege |
| Ignoring "most likely" or "best next" wording | Choose the answer that fits the timing and evidence |
| Treating every log line as equally important | Prioritize correlated identity, endpoint, network, and time clues |
| Forgetting to return to flagged PBQs | Leave enough time for a final pass |
A PBQ asks you to configure remote administration so admins can manage servers only through a jump box. Which approach best matches the requirement?
You spend several minutes on a confusing PBQ and still cannot identify the requested end state. What is the best exam strategy?
Put the PBQ workflow in the most useful order.