Practice Questions, PBQs, and the Missed-Question Notebook
Key Takeaways
- Practice questions are most useful when you review why the correct answer beats the second-best answer.
- PBQs reward structured troubleshooting, careful reading, and completing the requested configuration rather than overbuilding.
- A missed-question notebook should track the concept gap, the scenario clue missed, and the rule you will use next time.
- Timed practice should be added gradually so pacing improves without hiding knowledge gaps.
- Original scenarios, official objectives, and explanation-driven review are enough for legitimate preparation; never rely on leaked or shared live items.
Practice as Error Correction
Practice questions are not just score generators. They expose bad assumptions while there is still time to fix them. For Security+, the most valuable review is usually the explanation you write after missing or nearly missing a question. A practice item you guessed correctly teaches you nothing unless you confirm your reasoning matched the answer.
How to Review a Multiple-Choice Question
| Review step | What to write |
|---|---|
| Identify the tested concept | "This tested detective vs preventive controls" |
| Find the scenario clue | "The wording said identify after occurrence, not stop before it" |
| Explain the correct answer | "An intrusion detection system is detective because it alerts on suspicious traffic" |
| Explain the second-best answer | "A firewall could prevent, but the question asked for detection" |
| Create a future rule | "When the verb is detect, look for logs, alerts, monitoring, IDS, or SIEM" |
The second-to-last step is what separates passing scores from near misses. Most wrong answers on Security+ are not absurd; they are the second-best control. Writing down why the runner-up loses to the winner builds the discrimination skill the exam rewards.
PBQ Practice Method
Performance-based questions (PBQs) simulate an admin task, triage decision, drag-and-drop matching, or configuration review. They usually appear at the start of the exam and are generally understood to count for more than a single multiple-choice item, but they are not meant to be over-engineered. Work in this order:
| Step | PBQ habit |
|---|---|
| 1 | Read the required outcome before touching any control |
| 2 | Identify assets, users, networks, ports, protocols, and constraints |
| 3 | Apply least privilege and avoid broad allow rules |
| 4 | Check for implicit denies, logging, rule ordering, and dependencies |
| 5 | Re-read the prompt to confirm you answered exactly the asked task |
A common PBQ trap is overbuilding: adding rules, ports, or hardening steps the prompt never requested. Each extra change is a chance to introduce an error the grader penalizes. Do precisely what the scenario asks, no more.
Original PBQ-Style Scenario
You are given three firewall rules for a payroll application. Microsoft SQL Server listens on TCP 1433, and SSH uses TCP 22.
| Rule | Source | Destination | Port | Action | Problem |
|---|---|---|---|---|---|
| 1 | Any | Payroll DB | 1433 | Allow | Too broad; the database should not accept any source |
| 2 | Payroll App | Payroll DB | 1433 | Allow | Likely the required application path |
| 3 | Internet | Payroll App Admin | 22 | Allow | Exposes administrative SSH to the Internet |
Best correction: allow only the payroll application server to reach the database on TCP 1433, restrict administration (SSH 22) to a management subnet or jump host, deny everything else, and log denied attempts. Do not create an "allow any" exception just because it makes the app work during testing. Remember that firewalls process rules top-down and stop at the first match, and most end with an implicit deny for anything not explicitly allowed, so rule order matters as much as rule content: a broad allow placed above a narrower rule makes the narrower rule dead, and a broad allow placed above a deny silently defeats it.
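To make the rule-review habit concrete, the following added example (not part of the original page) scores the three scenario rules and the corrected set with the same checks a grader would apply: any-source allows, administrative ports reachable from outside a management network, rules shadowed by a broader rule above them, and first-match evaluation with implicit deny. The address plan, zone names and the choice of TCP 22 and 3389 as administrative ports are assumptions constructed for the example.

```python
"""Firewall-rule review for the payroll PBQ scenario (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Hypothetical address plan, constructed for this example. "internet" is
# modelled as any address, which is how an untrusted source should be treated.
ZONES = {
    "any": ANY,
    "internet": ANY,
    "payroll_app": ip_network("10.10.20.5/32"),
    "payroll_db": ip_network("10.10.30.10/32"),
    "mgmt": ip_network("10.10.99.0/24"),
}
ADMIN_PORTS = {22, 3389}  # assumed: SSH and RDP are administrative ports


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str          # "allow" or "deny"
    log: bool = False


def original_rules():
    """The three rules from the scenario table, as given."""
    return [
        Rule("any", "payroll_db", 1433, "allow"),
        Rule("payroll_app", "payroll_db", 1433, "allow"),
        Rule("internet", "payroll_app", 22, "allow"),
    ]


def corrected_rules():
    """Least-privilege version: app to DB, mgmt to SSH, explicit logged deny."""
    return [
        Rule("payroll_app", "payroll_db", 1433, "allow"),
        Rule("mgmt", "payroll_app", 22, "allow"),
        Rule("any", "any", 0, "deny", log=True),  # port 0 = any port here
    ]


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation. Returns (action, matching rule number);
    rule number is None when the implicit deny at the end applies."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for n, r in enumerate(rules, 1):
        if s in ZONES[r.src] and d in ZONES[r.dst] and r.port in (0, port):
            return r.action, n
    return "deny", None


def review(rules):
    """Return a list of findings a PBQ grader would penalise."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        src, dst = ZONES[r.src], ZONES[r.dst]
        if src == ANY:
            findings.append(f"rule {n}: allows any source to reach {r.dst} on port {r.port}")
        if r.port in ADMIN_PORTS and not src.subnet_of(ZONES["mgmt"]):
            findings.append(f"rule {n}: admin port {r.port} on {r.dst} reachable from {r.src}, not only mgmt")
        # Ordering check: an earlier allow that covers this rule's source,
        # destination and port means this rule can never match.
        for m, earlier in enumerate(rules[: n - 1], 1):
            if (earlier.action == "allow" and earlier.port == r.port
                    and src.subnet_of(ZONES[earlier.src])
                    and dst.subnet_of(ZONES[earlier.dst])):
                findings.append(f"rule {n}: never matches, shadowed by broader rule {m}")
                break
    return findings


if __name__ == "__main__":
    for label, rules in (("original", original_rules()), ("corrected", corrected_rules())):
        print(f"{label}: {review(rules) or 'no findings'}")
        print("  internet -> db:1433  =", evaluate(rules, "203.0.113.7", "10.10.30.10", 1433))
        print("  app -> db:1433       =", evaluate(rules, "10.10.20.5", "10.10.30.10", 1433))
        print("  internet -> app:22   =", evaluate(rules, "203.0.113.7", "10.10.20.5", 22))
```

Running the script shows the scenario's rule 2 is dead (rule 1 already matches everything it would), which is the ordering point the prose makes: a correct narrow rule does nothing if a broad rule sits above it.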
Missed-Question Notebook Template
| Field | Example entry |
|---|---|
| Date | 2026-06-15 |
| Domain | 4.0 Security Operations |
| Miss type | Chose long-term fix instead of first containment step |
| Scenario clue missed | "Active outbound beaconing" |
| Correct rule | Active compromise: contain and preserve evidence before rebuild |
| Follow-up drill | 10 incident-response order questions |
Common Practice Traps
| Trap | Fix |
|---|---|
| Memorizing answer letters | Explain concepts without looking at the options |
| Reviewing only wrong answers | Review lucky guesses and slow correct answers too |
| Taking full exams too early | Use topic sets first, then timed mixed sets |
| Ignoring PBQs until the final day | Practice small configuration and matching drills weekly |
| Chasing leaked or shared live items | Use original scenarios and the official objectives instead |
Relying on so-called "brain dumps" or shared live exam items is both ineffective and a violation of the CompTIA Candidate Agreement, which can result in your certification being revoked. Your notebook should get shorter over time. If the same rule keeps reappearing, stop running mixed sets and repair that one concept directly with a focused drill before returning to full-length practice. The day before the exam, do a light review of your notebook only, not new material, so you walk in pattern-aware and rested.
Reading Speed and the Two-Pass Strategy
With roughly one minute per item and a handful of time-hungry PBQs up front, a disciplined two-pass approach beats brute-forcing every question in order. On the first pass, answer everything you are confident about and flag any item where you are torn between two options or where a PBQ is consuming more than three minutes. The exam interface lets you mark and return. On the second pass, you arrive at flagged items with the rest of the test already banked, less clock pressure, and often a clearer head, because a later question sometimes jogs the exact concept the earlier one needed.
Never leave an item blank at the end; there is no penalty for guessing on Security+, so an educated guess on a flagged item is strictly better than nothing.
Turning Explanations into Transfer
The single most common reason a candidate plateaus is reviewing outcomes instead of reasoning. "I got it wrong, the answer was the IDS" teaches nothing; "the verb was detect, so a monitoring control wins over the firewall I picked" creates a rule that fires on the next twenty questions. After every practice set, sort your misses into one of three buckets: a knowledge gap (you did not know the fact), a reading gap (you misread the qualifier or scenario clue), or a process gap (you knew both but applied the wrong priority order).
Each bucket has a different cure: knowledge gaps need targeted reading, reading gaps need the underline-the-verb habit, and process gaps need the incident-response and least-privilege ordering drills. Tagging misses by bucket in the notebook turns a vague "I need to study more" into a precise, finite to-do list, and it is the fastest way to convert practice questions into a passing score rather than just a rising practice average.
Review Questions
- What is the best reason to keep a missed-question notebook while studying for Security+?
- In a PBQ, a firewall rule allows Any source to reach a payroll database on TCP 1433. Which correction best follows least privilege?
- When working a performance-based question, which habit most reduces avoidable point loss?
- Which habits improve practice-question review? Select all that apply.