PBQ Workflow and Timing
Key Takeaways
- SY0-701 delivers up to 90 questions in 90 minutes, so you have roughly one minute per item and PBQs eat that budget fast.
- PBQs appear first; do the mechanical ones, flag long or confusing ones, and protect the multiple-choice points.
- Use a fixed five-pass method: read the task verb, scope it, baseline what is already correct, apply the smallest secure change, then verify.
- Apply Security+ defaults: least privilege, secure protocols, deny by default, evidence preservation, and stated business constraints.
- Before submitting, confirm direction, source, destination, identity, protocol, and rule order for every required object.
What a PBQ Actually Is
Performance-based questions (PBQs) are interactive tasks that ask you to apply Security+ skills rather than recall a fact. On the SY0-701 exam you may drag controls onto a diagram, build or reorder firewall rules, assign IAM (identity and access management) roles, read a log set and pick the next action, classify risk, or order incident-response steps. CompTIA delivers up to 90 questions in 90 minutes with a passing score of 750 on a 100-900 scale. The exam is not pass/fail by raw percentage; it is scaled, so missing a hard PBQ is survivable if you bank the easier multiple-choice points.
Timing Math You Must Internalize
Ninety items in ninety minutes is about 60 seconds per question. PBQs typically consume 3-6 minutes each, and you usually see 2-5 of them clustered at the start. If five PBQs each eat five minutes, that is 25 minutes gone before you touch a single multiple-choice item. The fatal exam-day error is grinding on the first PBQ until the clock is bleeding.
| Situation | Recommended action | Time guardrail |
|---|---|---|
| PBQ is familiar and mechanical | Complete it now | Cap at ~4 minutes |
| PBQ is long but understandable | Do the obvious parts, flag, return later | Bank partial credit first |
| PBQ is confusing after one careful read | Flag immediately, answer later with fresh context | Do not exceed 2 minutes deciding |
| Multiple-choice section untouched | Protect that time; MCQs are faster points | Reserve ~50 minutes |
Many PBQs award partial credit, so a half-correct firewall ruleset still scores. Never leave a PBQ completely blank because you ran out of time.
The Five-Pass PBQ Method
| Pass | What to do | Why it works |
|---|---|---|
| 1. Task | Read the exact verb: identify, configure, match, order, or remediate | Stops you answering a different question than asked |
| 2. Scope | Mark the systems, users, ports, data, and constraints that matter | Keeps you off distractors |
| 3. Baseline | Note what is already correct and what is clearly wrong | Avoids unnecessary edits that break partial credit |
| 4. Apply | Make the smallest change set that reaches the secure end state | Matches least privilege, limits side effects |
| 5. Verify | Re-read the task and check each required item | Catches reversed direction, wrong source, or role errors |
Read the Verb
The prompt verb tells you the scope of action. Over-acting is a common point-loser.
| Verb in prompt | Correct behavior |
|---|---|
| Identify | Select the object or finding; do not redesign |
| Configure | Change settings, rules, roles, or controls to meet the goal |
| Match | Pair each item with the best category, control, or remediation |
| Order | Put actions into a defensible sequence |
| Remediate | Choose controls that address the stated root cause |
| Recommend | Pick the best fit under the stated constraints |
Worked Scenario: Branch Office Exposure
A branch office has a file server, a jump box, a web server, and a firewall. The prompt: "Configure the firewall to allow public HTTPS to the web server, allow administrators to manage internal servers only through the jump box, and block direct Internet management."
| Requirement | Secure interpretation |
|---|---|
| Public HTTPS to web server | Allow inbound TCP 443 from Internet to the web server only |
| Manage servers via jump box | Allow admin subnet to jump box; allow jump box to internal management ports |
| Block direct Internet management | Deny inbound SSH (22), RDP (3389), Telnet (23), WinRM (5985/5986) from Internet |
| Internal file server | Do not expose SMB (445) to the Internet |
Good PBQ thinking is not "open whatever might help." It is "open the exact business path and deny the risky shortcuts."
Final Check Before You Submit
Run this checklist on every configuration PBQ:
- Direction: inbound vs outbound, and the source/destination pair, are correct.
- Identity: the user, group, role, or service account holds only the access required.
- Protocol: the secure option (HTTPS, SSH, LDAPS) is chosen when a secure and insecure pair both appear.
- Order: the implicit deny-all rule sits last, and specific allows precede broad denies.
- Evidence: logs, alerts, or tickets are preserved if the scenario is an investigation.
- Constraints: legacy systems, downtime windows, cost, and compliance language are respected.
Common Exam-Day Mistakes
| Mistake | Better move |
|---|---|
| Solving from memory before reading the task | Read the required end state first |
| Writing permissive any-any allow rules | Apply least privilege; specific source and destination |
| Ignoring "most likely" or "best next" wording | Choose the answer that fits timing and evidence |
| Treating every log line as equal | Prioritize correlated identity, endpoint, network, and time clues |
| Leaving a flagged PBQ blank | Bank partial credit; never submit empty |
The difference between a 740 and a 760 is often one well-managed PBQ. Treat the workflow as a habit, not a luxury.
A PBQ asks you to configure remote administration so admins can manage servers only through a jump box. Which approach best matches the requirement?
You have spent several minutes on a confusing PBQ and still cannot identify the requested end state. With up to 90 questions in 90 minutes, what is the best strategy?
Put the five-pass PBQ workflow in the most useful order.
Arrange the items in the correct order