Dave's Advice - Contents

Passing score: 750 (on a scale of 100-900) - roughly 81-83%.
(Yes, you already start with 100 points just for sitting down).

Duration: 120 minutes.
(90 minutes + 30 minute time extension for non-native English speakers. This is automatically applied).

Number of questions: maximum of 90, a mix of multiple-choice and performance-based questions.
Usually, you will get 84 multiple choice questions and 3 performance-based questions.

Common exam problems

Overthinking questions. This is probably the BIGGEST reason students fail. All the information you need to know is in the question. Read it carefully and then read it again - the clues are there. Don't add any real-world knowledge of your own. This exam tests CompTIA's World, not the real world.

Spending too long on one question. On this exam, a lot of questions will seem to have more than one right answer. Pick the "best" answer and move on. If you spend more than 60 seconds on a question, just go with your gut instinct.

Port and protocol overload. You don't need to memorise 100+ ports for this exam, just the most common ones.

Studying until the last minute. Your brain will burn out. Take 1-2 days off before the exam with zero studying.

Ignoring the "boring" stuff. Many students ignore Chapters 14-16 about GRC and Data Protection. This represents 20% of the entire exam and it can be learned with memorization. Don't just learn about the "exciting" exploits, learn all the policy and governance.


Which areas most students find challenging

Cryptography & PKI (Chapter 03)
Risk Management Calculations & Metrics (Chapter 14)
Incident Response & Digital Forensics (Chapter 12)
Governance, Policies & Legal Agreements (Chapters 14 & 16) - heavily tested.
Attack Types & Indicators (Chapters 02 & 13)

What you DEFINITELY need to memorize (Exam Killers!)

  1. Top ports and protocols

  2. Everything about Public Key Infrastructure (CA, CRL, CSR, OCSP)

  3. The full CompTIA incident response lifecycle (order matters): Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons Learned

  4. The full Cyber Kill Chain (Lockheed Martin version - order matters): Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control (C2) → Actions on Objectives

  5. The full OSI Layer model

  6. Disaster Recovery Metrics - you must know these and what they mean.

    RPO (Recovery Point Objective): Max data loss (time between backups). Lower is better.
    RTO (Recovery Time Objective): Max downtime allowed. Lower is better.
    MTBF (Mean Time Between Failures): Uptime reliability. Higher is better.
    MTTR (Mean Time To Repair): Fix speed. Lower is better.

  7. Data Roles: Owner (classifies/approves), Custodian (manages backups), Processor (handles data for controller).

  8. Tool Differentiation — SIEM vs. SOAR vs. EDR vs. NIDS vs. NIPS. DLP vs. CASB. UTM vs. NGFW. Know the scope (network vs. host) and action (detection vs. prevention vs. response).

  9. Cloud Security Models — Responsibilities in SaaS vs. PaaS vs. IaaS. Think in your mind: what does the CSP secure vs. what do you secure?
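Worked example of the four disaster recovery metrics from item 6 (RPO, RTO, MTBF, MTTR), added here as an illustration and not taken from the original guide. The incident timestamps, backup schedule and targets are constructed; the point is to see which direction each metric should move and how a target is checked against real figures.

```python
from datetime import datetime, timedelta

# Constructed outage log for one system: (failure start, service restored).
INCIDENTS = [
    (datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 3, 30)),
    (datetime(2024, 1, 17, 14, 0), datetime(2024, 1, 17, 14, 45)),
    (datetime(2024, 2, 2, 9, 0), datetime(2024, 2, 2, 11, 15)),
]
# Constructed backup schedule: a full backup every 24 h, anchored at midnight on Jan 1.
BACKUP_ANCHOR = datetime(2024, 1, 1, 0, 0)


def hours(delta):
    return delta.total_seconds() / 3600


def mttr_hours(incidents):
    """MTTR: average time from failure to restore. Lower is better."""
    return sum(hours(end - start) for start, end in incidents) / len(incidents)


def mtbf_hours(incidents):
    """MTBF: average uptime from one restore to the next failure. Higher is better."""
    gaps = [hours(incidents[i + 1][0] - incidents[i][1])
            for i in range(len(incidents) - 1)]
    return sum(gaps) / len(gaps)


def meets_rto(incidents, rto_hours):
    """RTO: maximum downtime allowed; every outage must be restored within it."""
    return all(end - start <= timedelta(hours=rto_hours) for start, end in incidents)


def worst_data_loss_hours(incidents, backup_interval_hours, anchor=BACKUP_ANCHOR):
    """Data lost in an outage is everything since the last completed backup,
    so the loss equals the time from the previous backup to the failure start."""
    return max(hours(start - anchor) % backup_interval_hours for start, _ in incidents)


def meets_rpo(incidents, backup_interval_hours, rpo_hours):
    """RPO: maximum tolerable data loss; the backup interval must keep the
    worst-case loss at or below it (more frequent backups tighten the RPO)."""
    return worst_data_loss_hours(incidents, backup_interval_hours) <= rpo_hours
```

With the constructed log, a 2-hour RTO is missed (the Feb 2 outage lasted 2.25 h) and daily backups cannot meet a 4-hour RPO (the Jan 17 failure happened 14 h after the last backup), while hourly backups do.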

DO NOT MEMORIZE (Waste of brain space!)

A lot of this stuff WAS on the exam but isn't anymore! If someone tells you to learn this stuff, ignore them!

  • Cryptography & PKI: Don't waste much time learning about specific details like initialization vectors, counter mode, block vs. stream ciphers... the exam will only test the uses of encryption. Understand when to use symmetric vs. asymmetric, hashing vs. encryption, salting, PFS, and the certificate lifecycle (CSR, CA, validation).
  • Specific CVE numbers (e.g., you don't need to know CVE-2021-44228 is Log4j). You will never be asked this.
  • Specific CVSS scores (know 0-10 scale, not that a specific flaw is 9.8).
  • Exact command syntax (e.g., nmap -sS -p 1-65535). Know what a port scan does, not the specific commands.
  • Registry key paths (e.g., HKLM\Software\Microsoft\...). Know that persistence uses Registry Run keys generally.
  • Subnet maths, octal chmod commands in Linux, etc. You will never need to calculate these on the exam anymore.
  • Exact dates of when any laws or standards were published.

Concepts that students usually confuse - know the differences!

  • Insider threats CAN include people who left the company. It's current and former employees.
  • Nation-state just means military or government (state sponsored), not always an APT. APT is about the length of access (persistence) and skill level.
  • In social engineering, know the difference between consensus (doing something because other people are doing it, so it seems safe) vs. urgency (time is running out) vs. coercion (intimidation or threats).
  • Watering holes vs. pharming. Watering hole attack infects a legitimate site. Pharming redirects users to a spoofed site.
  • Access control models: DAC, MAC, RBAC.
  • Uses of different types of identity federation, e.g. Single Sign-on, Kerberos (Windows), OAuth (only provides authorization, not identity/authentication!), SAML (the markup language used to enable SSO/web federation).
  • Legal contracts: MOU vs. MOA vs. MSA vs. SOW vs. SLA vs. ROE
  • The differences between 802.1X (port-based network access control) and 802.11x (Wi-Fi) and X.500 (directory services protocol).
  • Type I and Type II error in biometrics, false positives vs false negatives vs true positives in vulnerability scanning.