
200+ Free Security+ Practice Questions

Pass your CompTIA Security+ (SY0-701) exam on the first try — instant access, no signup required.

✓ No registration  ✓ No credit card  ✓ No hidden fees  ✓ Start practicing immediately

~70% pass rate · 200+ questions · 100% free

Key Facts: Security+ Exam

  • Est. pass rate: ~70% (industry estimate)
  • Passing score: 750/900 (CompTIA)
  • Avg salary: $116,000 (CompTIA 2024)
  • Cert holders: 700K+ (CompTIA 2024)
  • Exam fee: $404 (CompTIA)
  • Exam duration: 90 min (CompTIA)

CompTIA Security+ (SY0-701) is the most widely held cybersecurity certification, with over 700,000 holders worldwide. It is DoD 8570/8140 approved for IAT Level II, IAM Level I, and IASAE Level I positions. The exam has up to 90 questions in 90 minutes and requires a score of 750 on a 100-900 scale to pass. Security+ holders average $116,000 annual salary (CompTIA 2024).

Sample Security+ Practice Questions

Try these sample questions to test your Security+ exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. A company installs security cameras throughout its office building to discourage unauthorized access. What type of security control is this?
  A. Preventive technical control
  B. Detective physical control
  C. Deterrent physical control
  D. Compensating administrative control
Answer: C
Explanation: Security cameras that are visible serve as a deterrent physical control because their primary purpose is to discourage malicious activity by making potential attackers aware they are being watched. While cameras also have detective capabilities (recording incidents), their visible placement is primarily intended to deter unauthorized behavior.

2. An organization requires all employees to complete annual security awareness training. Which category and type of control does this represent?
  A. Technical preventive control
  B. Administrative preventive control
  C. Physical detective control
  D. Operational corrective control
Answer: B
Explanation: Security awareness training is an administrative preventive control. It is administrative because it involves policies, procedures, and training (managed by people rather than technology or physical barriers). It is preventive because the goal is to reduce the likelihood of security incidents before they occur by educating employees about threats and proper security practices.

3. After a firewall rule is found to be too restrictive for a critical business application, the security team implements a proxy-based workaround that still enforces security policies. What type of control is this proxy solution?
  A. Corrective control
  B. Preventive control
  C. Compensating control
  D. Directive control
Answer: C
Explanation: A compensating control is an alternative security measure implemented when the primary control cannot be applied as intended. In this scenario, the proxy workaround serves as a compensating control because it provides an equivalent level of security protection while accommodating the business requirement that the original firewall rule could not satisfy.

4. A SIEM system generates an alert when it detects unusual login patterns from a user account. What type of security control does the SIEM represent in this scenario?
  A. Preventive technical control
  B. Detective technical control
  C. Corrective technical control
  D. Deterrent administrative control
Answer: B
Explanation: A SIEM (Security Information and Event Management) system that generates alerts based on unusual activity is a detective technical control. It is technical because it uses technology to monitor and analyze events. It is detective because its primary function is to identify and alert on security incidents that have occurred or are occurring, rather than preventing them from happening.
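What "detects unusual login patterns" looks like in practice is a correlation rule run over authentication events. The following is an added example written for this page, not code from the exam or from any SIEM product: a toy rule set over a constructed, space-separated auth log (the log format, field names, business-hours window and thresholds are all assumptions). It flags three patterns a real SIEM rule would also look for: a success outside business hours, a success from a second country shortly after a success from the first, and a success that follows a burst of failures. Note that the rule only observes and alerts; nothing here blocks the login, which is exactly why it is detective rather than preventive.

```python
"""Toy SIEM correlation rule: flag unusual login patterns in auth events.

Added example for this page, not the exam's or any vendor's code. The log
format, the field names and the thresholds are assumptions; the sample
events below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice 203.0.113.10 US success
2024-05-01T09:05:40Z bob 198.51.100.7 US success
2024-05-01T09:31:02Z alice 203.0.113.10 US success
2024-05-01T09:40:00Z alice 192.0.2.55 RU success
2024-05-01T22:15:00Z carol 198.51.100.9 US failure
2024-05-01T22:15:05Z carol 198.51.100.9 US failure
2024-05-01T22:15:09Z carol 198.51.100.9 US failure
2024-05-01T22:15:14Z carol 198.51.100.9 US failure
2024-05-01T22:15:20Z carol 198.51.100.9 US failure
2024-05-01T22:15:31Z carol 198.51.100.9 US success
2024-05-02T03:10:00Z dave 198.51.100.20 US success
"""

BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 UTC is "normal" (assumption)
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window is suspicious
FAILURE_THRESHOLD = 5                # failures before a success that look like brute force
FAILURE_WINDOW = timedelta(minutes=5)


def parse(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "country": country, "result": result}


def detect_unusual_logins(log_text):
    """Return a list of (user, rule_name, timestamp) alerts, in event order."""
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    last_success = {}                     # user -> last successful event
    recent_failures = defaultdict(list)   # user -> timestamps of failures since last success
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            recent_failures[user].append(e["ts"])
            continue
        # Rule 1: successful login outside business hours.
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((user, "off_hours_login", e["ts"]))
        # Rule 2: success from a different country soon after the previous success.
        prev = last_success.get(user)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append((user, "impossible_travel", e["ts"]))
        # Rule 3: success preceded by a burst of failures (credential stuffing / brute force).
        fails = [t for t in recent_failures[user] if e["ts"] - t <= FAILURE_WINDOW]
        if len(fails) >= FAILURE_THRESHOLD:
            alerts.append((user, "success_after_failures", e["ts"]))
        recent_failures[user] = []
        last_success[user] = e
    return alerts


if __name__ == "__main__":
    for user, rule, ts in detect_unusual_logins(SAMPLE_LOG):
        print(f"ALERT {rule:<24} user={user} at {ts.isoformat()}")
```

Run against the constructed log, the rule raises an impossible-travel alert for alice (US then RU nine minutes apart), an off-hours alert plus a success-after-failures alert for carol, and an off-hours alert for dave; bob's daytime login produces nothing. In a real deployment the thresholds and the business-hours window would be tuned per organization, and a geolocation lookup would replace the country column that the constructed log carries inline.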
5. Following a malware infection, the IT team restores affected systems from clean backups. What type of security control does this backup restoration represent?
  A. Preventive control
  B. Detective control
  C. Corrective control
  D. Compensating control
Answer: C
Explanation: Restoring systems from backup after a malware infection is a corrective control. Corrective controls are designed to restore systems to a known-good state after a security incident has occurred. The backup and restore process remediates the damage caused by the malware, returning the environment to normal operations.

6. A security architect is designing a defense strategy that uses firewalls at the network perimeter, host-based intrusion detection on servers, and endpoint protection on workstations. Which security principle does this approach best illustrate?
  A. Least privilege
  B. Defense in depth
  C. Zero trust
  D. Separation of duties
Answer: B
Explanation: Defense in depth is a layered security strategy that deploys multiple security controls at different levels of the environment. By using firewalls at the perimeter, IDS on servers, and endpoint protection on workstations, the organization creates overlapping layers of defense so that if one control fails, others are in place to detect or prevent the attack.

7. An organization classifies its security controls into categories: managerial, operational, and technical. A policy requiring background checks for new hires falls under which category?
  A. Technical control
  B. Operational control
  C. Managerial (administrative) control
  D. Physical control
Answer: C
Explanation: A background check policy is a managerial (administrative) control because it is a policy-driven measure established by management to govern the hiring process. Administrative controls include policies, procedures, guidelines, and management directives that define how the organization manages and oversees security. Background checks help prevent insider threats by vetting personnel before granting access.

8. A security team deploys a honeypot server designed to appear as a vulnerable database server. What is the PRIMARY control type this honeypot serves?
  A. Preventive control
  B. Deterrent control
  C. Detective control
  D. Corrective control
Answer: C
Explanation: A honeypot primarily functions as a detective control. Its main purpose is to detect and monitor unauthorized access attempts by luring attackers to a decoy system. While honeypots can also serve as deterrent controls (if their existence is known), their primary value is in detecting intrusions and gathering intelligence about attacker techniques, tools, and behaviors.

9. A hospital encrypts all patient records stored in its database to ensure only authorized medical staff can read the information. Which element of the CIA triad is this primarily protecting?
  A. Confidentiality
  B. Integrity
  C. Availability
  D. Non-repudiation
Answer: A
Explanation: Encrypting patient records primarily protects confidentiality, which ensures that information is accessible only to those authorized to view it. By encrypting the data at rest, even if an unauthorized person gains access to the database files, they cannot read the actual patient information without the proper decryption keys.
10. A financial institution implements checksums and digital signatures on all wire transfer instructions. Which element of the CIA triad is being primarily addressed?
  A. Confidentiality
  B. Integrity
  C. Availability
  D. Authentication
Answer: B
Explanation: Checksums and digital signatures primarily protect integrity by ensuring that data has not been altered during transmission or storage. If a wire transfer instruction is modified after being signed, the signature verification will fail, alerting the recipient that the message has been tampered with. One distinction worth remembering for the exam: an unkeyed checksum (a CRC or a plain hash) only catches accidental corruption, because an attacker who can change the instruction can simply recompute the checksum. Detecting deliberate tampering requires something the attacker cannot reproduce without a key, either a MAC (shared key) or a digital signature (private key); the signature additionally provides non-repudiation, since only the holder of the private key could have produced it.
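The checksum-versus-keyed-check distinction in question 10 is easy to see in code. The block below is an added example for this page, not code from the exam or from any bank: it builds a constructed wire-transfer instruction, protects it once with a plain SHA-256 checksum and once with HMAC-SHA256 under a shared key (the key value and the message format are assumptions), then plays a man-in-the-middle who changes the amount. HMAC stands in here for the keyed integrity check; a digital signature behaves the same way against the forgery and adds non-repudiation, but needs a third-party library, so the standard-library MAC is used to keep the example self-contained.

```python
"""Integrity of a wire-transfer instruction: unkeyed checksum vs keyed MAC.

Added example for this page, not from the exam or any institution's code.
The message format, the shared key and the attacker's edit are constructed
assumptions; HMAC-SHA256 stands in for a keyed integrity check.
"""
import hashlib
import hmac

# Assumption: a secret shared only by the sender and the bank.
SHARED_KEY = b"example-shared-secret-do-not-use-in-production"


def checksum(msg: bytes) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption only."""
    return hashlib.sha256(msg).hexdigest()


def verify_checksum(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(checksum(msg), tag)


def mac(msg: bytes, key: bytes = SHARED_KEY) -> str:
    """Keyed integrity tag: cannot be recomputed without the key."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_mac(msg: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(mac(msg, key), tag)


def tamper(msg: bytes) -> bytes:
    """Constructed man-in-the-middle edit: inflate the amount."""
    return msg.replace(b"amount=1000.00", b"amount=100000.00")


def corrupt(msg: bytes) -> bytes:
    """Constructed line noise: flip one bit in the message."""
    b = bytearray(msg)
    b[0] ^= 0x01
    return bytes(b)


def demo() -> dict:
    original = b"from=ACC-1234;to=ACC-9876;amount=1000.00;currency=USD"
    sent_checksum = checksum(original)   # what an unkeyed scheme transmits
    sent_mac = mac(original)             # what a keyed scheme transmits

    forged = tamper(original)
    return {
        # Honest messages verify under both schemes.
        "honest_checksum_ok": verify_checksum(original, sent_checksum),
        "honest_mac_ok": verify_mac(original, sent_mac),
        # A flipped bit is caught by both, which is all a checksum is for.
        "corrupted_checksum_ok": verify_checksum(corrupt(original), sent_checksum),
        "corrupted_mac_ok": verify_mac(corrupt(original), sent_mac),
        # The attacker recomputes the unkeyed checksum, so the forgery passes.
        "checksum_forgery_accepted": verify_checksum(forged, checksum(forged)),
        # Without the key the best the attacker can do is replay the old tag.
        "mac_forgery_accepted": verify_mac(forged, sent_mac),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:<28} {ok}")
```

The two "corrupted" results are both False and the two "honest" results are both True, so against random corruption the schemes look identical. The difference appears only under an active attacker: the forged instruction with a recomputed checksum is accepted, while the forged instruction under the MAC is rejected, because recomputing the tag requires the key. That is the property the exam is pointing at when it pairs "digital signatures" with integrity.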

About the Security+ Exam

The most widely held cybersecurity certification and a DoD 8570/8140 approved baseline. Security+ SY0-701 validates core security skills needed for any cybersecurity role.

  • Questions: up to 90 scored questions
  • Time limit: 90 minutes
  • Passing score: 750/900
  • Exam fee: $404 (CompTIA)

Security+ Exam Content Outline

  • 12% General Security Concepts: security controls, CIA triad, authentication, authorization, and zero trust
  • 22% Threats, Vulnerabilities, and Mitigations: threat actors, attack types, malware, social engineering, vulnerability types, and mitigation techniques
  • 18% Security Architecture: network architecture, cloud security, cryptography, and PKI
  • 28% Security Operations: monitoring, incident response, forensics, endpoint security, and vulnerability management
  • 20% Security Program Management and Oversight: risk management, governance, compliance, data privacy, and security awareness

How to Pass the Security+ Exam

What You Need to Know

  • Passing score: 750/900
  • Exam length: 90 questions
  • Time limit: 90 minutes
  • Exam fee: $404

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Security+ Study Tips from Top Performers

1. Focus on Security Operations (28%) and Threats/Vulnerabilities (22%); together they make up half the exam
2. Practice performance-based questions (PBQs); skip them initially during the exam and return to them after the multiple choice
3. Know the difference between similar concepts: IDS vs IPS, symmetric vs asymmetric, authentication vs authorization
4. Understand risk management formulas: ALE = ARO x SLE, and qualitative vs quantitative analysis
5. Master common ports and protocols: 22 (SSH), 443 (HTTPS), 3389 (RDP), 389/636 (LDAP/LDAPS)

Frequently Asked Questions

What is the Security+ SY0-701 exam format?

The Security+ SY0-701 exam has a maximum of 90 questions with a 90-minute time limit. Question types include multiple choice and performance-based questions (PBQs). You need a score of 750 on a scale of 100-900 to pass. The exam fee is $404 USD.

Is Security+ good for beginners?

Yes, Security+ is designed as an entry-level to intermediate cybersecurity certification. While CompTIA recommends CompTIA Network+ and 2 years of IT experience, many candidates pass without prior certifications. It is one of the most recommended first cybersecurity certifications.

What changed in SY0-701 vs SY0-601?

SY0-701 (released November 2023) keeps five domains but restructures them, trims older material, and adds emphasis on zero trust, automation/orchestration, cloud security, and AI/ML security. Performance-based questions now focus more on real-world scenarios. SY0-601 retired on July 31, 2024.

Is Security+ DoD approved?

Yes, CompTIA Security+ is approved under DoD Directive 8570/8140 for IAT Level II, IAM Level I, and IASAE Level I positions. This makes it required for many government and defense contractor cybersecurity roles. It is the most commonly held DoD-approved certification.

How long should I study for Security+?

Plan for 40-60 hours of study over 4-8 weeks. Focus on Security Operations (28% of exam) and Threats/Vulnerabilities (22%). Complete 300+ practice questions and score 80%+ consistently before scheduling. Candidates with IT experience may need less preparation time.

What is the Security+ salary?

According to CompTIA and industry salary surveys, Security+ holders earn an average of $116,000 annually in North America. Entry-level security analysts with Security+ earn $65,000-$85,000, while experienced professionals earn $100,000-$140,000+. The certification provides a 10-15% salary premium over non-certified peers.