5 exercises — performance-based questions (PBQs), threat actor classification (nation-state, hacktivist, insider), vulnerability vs. threat vs. risk, zero trust architecture, and IoC vs. IoA. The precise English vocabulary the Security+ SY0-701 exam tests, distinct from CISSP or CEH.
Why precise Security+ vocabulary matters
Performance-based questions (PBQs) — simulated tasks, not just multiple choice
Threat actor types — nation-state, hacktivist, insider threat, script kiddie each carry distinct meaning
Vulnerability vs. threat vs. risk — three separate concepts the exam tests precisely
Zero trust — 'never trust, always verify', distinct from defense in depth or segmentation
IoC vs. IoA — confirmed compromise evidence vs. in-progress attack behaviour
0 / 5 completed
1 / 5
The Security+ SY0-701 exam includes performance-based questions (PBQs) alongside multiple-choice questions. What distinguishes a PBQ from a standard multiple-choice item?
A performance-based question (PBQ) simulates a real task — e.g. matching security controls to the correct scenario, configuring firewall ACL rules in a mock interface, or identifying the attack type from a packet capture excerpt — rather than just picking from four static options. PBQs typically appear at the start of the exam and are weighted more heavily than a single multiple-choice item.
Exam format facts worth knowing the English for:
Maximum of 90 questions, mixing multiple-choice and PBQs, in 90 minutes
Passing score: 750 on a scale of 100–900 (not a percentage)
The exam uses scenario-based wording throughout — "A security analyst notices..." — so reading comprehension under time pressure matters as much as knowledge
Because PBQs often front-load the exam, candidates are advised to skip and flag them for review rather than spend disproportionate time early on.
2 / 5
SY0-701 groups threat actors by motivation and sophistication. A company detects a slow, highly targeted, multi-month intrusion using custom malware, consistent with a well-resourced government-backed group. Which threat actor classification fits, and how is it distinct from a "hacktivist"?
A nation-state actor is characterised by high sophistication, significant funding, and patience — consistent with an advanced persistent threat (APT), a term SY0-701 tests directly: a prolonged, stealthy, targeted intrusion, often for espionage or infrastructure disruption rather than quick financial gain.
Threat actor vocabulary the exam expects you to distinguish precisely:
Script kiddie — low skill, uses existing tools/scripts without understanding them
Hacktivist — ideologically or politically motivated, often seeks public disruption/embarrassment rather than stealth
Insider threat — someone with legitimate authorised access who misuses it (malicious or unintentional)
Nation-state / APT — highest sophistication and resources, long dwell time, specific strategic objectives
Exam questions test whether you can infer the actor type from behavioural clues (dwell time, targeting, motivation) rather than just memorising the label.
3 / 5
A vulnerability scanner flags a web server as having an unpatched library with a known CVE. The security team confirms the library is present but is never loaded at runtime by the application. In SY0-701 vocabulary, how should this finding be described, and why does the distinction matter?
SY0-701 tests the precise triad: vulnerability (a weakness that could be exploited), threat (something/someone capable of exploiting a vulnerability), and risk (the likelihood and impact of a threat actually exploiting the vulnerability). A vulnerability with no viable exploitation path (no attack vector) carries much lower risk even though the vulnerability technically still exists.
Why this matters in real security work: vulnerability scanners produce large volumes of findings, and teams must triage by actual risk, not just raw CVE count. Terms like compensating control (an alternative safeguard used when the primary fix isn't immediately possible) and risk acceptance (a documented decision not to remediate a low-risk finding) are the vocabulary used to justify these triage decisions to auditors and management — precise use of "vulnerability" vs. "risk" avoids both over-reacting to noise and under-reacting to genuine exposure.
4 / 5
A company's security architecture requires every access request — internal or external — to be authenticated, authorised, and continuously validated, with no device or user trusted by default just because it is inside the corporate network perimeter. This architectural principle is called _____.
Zero trust is a major SY0-701 architecture topic: the principle of "never trust, always verify" — no implicit trust is granted based on network location alone (e.g. "it's inside the VPN, so it's safe"). Every request is authenticated and authorised individually, continuously, regardless of origin.
Related terms tested alongside zero trust, and how they differ:
Defense in depth — layering multiple, different security controls so a single failure doesn't compromise the whole system (a broader concept that zero trust is one modern expression of)
Least privilege — granting only the minimum access needed for a task, a supporting principle within zero trust policy enforcement
Network segmentation — dividing a network into isolated zones to limit lateral movement; useful, but on its own still relies on perimeter-style trust within each zone, which zero trust explicitly avoids
Policy enforcement point / policy decision point — the SY0-701 exam objectives explicitly name these zero-trust architecture components: the PEP enforces a decision made by the PDP for every access request
Exam distractors often offer "defense in depth" or "segmentation" for zero-trust scenarios — the key differentiator is the "no implicit trust based on location" phrasing.
5 / 5
After an incident, a security operations center (SOC) analyst reviews an indicator of compromise (IoC) — an unusual outbound DNS query pattern to a newly registered domain. What is the correct relationship between an "IoC" and an "IoA" (indicator of attack) in SY0-701 terminology?
An indicator of compromise (IoC) is typically a forensic artifact confirming a breach already happened — a malware hash, a suspicious outbound connection, an unexpected registry key. An indicator of attack (IoA) focuses on the attacker's behaviour and intent as it unfolds (e.g. a sequence of commands consistent with privilege escalation), which can allow detection during an attack rather than only after damage is done.
Related SOC vocabulary tested on SY0-701:
SIEM (Security Information and Event Management) — aggregates and correlates logs to surface IoCs/IoAs
SOAR (Security Orchestration, Automation, and Response) — automates the response playbook once an indicator is confirmed
Dwell time — how long an attacker remains undetected in an environment; a key reason IoA-based detection is valued over IoC-only approaches
CVSS (Common Vulnerability Scoring System) — a standardised severity score (0–10) used to prioritise which vulnerabilities/IoCs need the fastest response
Exam questions frequently embed both acronyms in the same scenario to test whether you can tell "already happened" (IoC) apart from "happening now, inferred from behaviour" (IoA).
What will I practice in "CompTIA Security+ (SY0-701) Vocabulary — Certification Exam Language"?
This is a Certification Prep exercise set. It walks through 5 scenario-based multiple-choice questions built around real usage of Certification Prep terminology that IT professionals encounter on the job.
Is this exercise free to use?
Yes. Every exercise on CoderSlingo, including this one, is free to complete with no account, sign-up, or paywall.
How many questions are in this exercise?
This set contains 5 questions. Each one shows immediate feedback and a detailed explanation after you answer, so you learn the correct usage right away rather than waiting for a final score.
Do I need prior experience to complete this exercise?
No prior experience is required. Each question includes a full explanation covering the reasoning behind the correct answer, so the exercise itself teaches the Certification Prep vocabulary as you go.
Can I retry the exercise if I get questions wrong?
Yes — use the "Try again" button on the results screen to reset your answers and go through all the questions again. There is no limit on attempts.
Is my progress saved?
Your answers and score for the current session are tracked in the browser as you go. No account or login is needed, and there is nothing to install.
What if I don't understand a term used in a question?
Read the explanation shown after you answer each question — it breaks down the correct term in plain English with a real-world example. You can also check the site Glossary for quick definitions.
How is this different from reading a blog article on the topic?
Exercises like this one are interactive drills that test and reinforce specific vocabulary through multiple-choice questions, while blog articles explain concepts in prose. Practising here after reading builds active recall, not just passive recognition.
Where can I find more Certification Prep exercises?
See the Certification Prep exercises hub for the full set of related pages, or browse all exercise categories from the main Exercises index.
Can I use this exercise to prepare for a technical interview?
Yes — Certification Prep vocabulary comes up often in technical discussions and interviews. Pair this exercise with our dedicated Interview Preparation section for role-specific practice.