CompTIA Security+

Security+ exam information: Performance-based questions [updated 2021]

Daniel Brecht
February 23, 2021 by
Daniel Brecht

IT security is vital to organizations, as cloud computing and mobile devices have revolutionized the way we do business. With the immense amounts of data transmitted and stored on networks all over the world, it is necessary to have effective security practices in place. That is where CompTIA Security+ comes in to ensure professionals have the knowledge and skills to solve a variety of today’s complex issues. This certification is a significant stepping stone to an IT security career. 

The Security+ certification is internationally trusted to certify foundational, vendor-neutral IT security knowledge and skills and is “chosen by more corporations and defense organizations than any other certification on the market to validate baseline security skills and for fulfilling the DoD 8570 compliance.”

This certification ensures that a successful candidate possesses the complete knowledge and expertise to handle and manage security functions also by placing significant emphasis on testing for hands-on troubleshooting skills that prove know-how to secure systems, software and hardware. 

CompTIA has also made some amendments to their Security+ exam objectives. These amendments cover the most core technical skills in risk assessment and management, incident response, forensics, enterprise networks, hybrid/cloud operations and security controls, thus ensuring high performance on the job. For more on the Security+ certification, view our Security+ certification hub.  Now, let's explore what you need to know about performance-based questions.

Become a SOC Analyst: get Security+ certified!

Become a SOC Analyst: get Security+ certified!

More than 47,000 new SOC analysts will be needed by 2030. Get your CompTIA Security+ to leap into this rapidly growing field — backed with an Exam Pass Guarantee.

Performance-based changes

To maintain the ISO/ANSI accreditation status of Security+, CompTIA is required to come up with new exam questions after a certain period of time (normally every three years). Changes are intended to mirror the changing world of IT security, as well as skills and job role requirements. To that end, they’re continuously updating their performance-based questions (PBQs), which test a candidate’s ability to solve problems in a simulated, virtual environment (e.g., a firewall, network diagram, terminal window or operating system) — see the CompTIA Sample PBQ Answer Key — that are included along with Multiple-Choice Questions (MCQs) in the Security+ exam. 

MCQs require an applicant to select one or more correct answers to a specific question. However, a performance-based question involves performing a task or solving a problem. The exam now places increasing importance on these types of Q&As to assess the practical understanding of the candidate.

Here is how the CompTIA Security+ (SY0-601) certification exam has changed:

  • The new exam covers five major domains instead of six.
  • The exam will focus more on hot topics in today’s IT world such as governance, compliance, operations and incident response.
  • It focuses on the importance of risk mitigation, assessing the cybersecurity posture of an enterprise infrastructure and securing hybrid environments.
  • The exam also includes a new emphasis on policy-based decisions and security procedures, especially as they relate to all applicable new laws.
  • The latest exam version has a longer exam objectives document but actually fewer objectives: 35 exam objectives compared to 37 on SY0-501. In fact, the new version simply adds 25% more examples under each objective to help candidates better understand the meaning of each one.

Below is a list of possible topics covered by performance-based questions:

  • Explain the security concerns associated with various types of vulnerabilities, or on different threat actors, vectors and intelligence sources.
  • Given a scenario, analyze potential indicators to determine the type of attack associated with networks and applications.
  • Understand the techniques used in security assessments, penetration testing and social engineering.
  • Identify secure application development, deployment and automation concepts.
  • Explain the importance of security concepts in an enterprise environment, or with virtualization and cloud computing.
  • Clarify authentication and authorization design concepts.
  • Identify the security implications of embedded and specialized systems.
  • Given a scenario, implement cybersecurity resilience.
  • Knowledge on the importance of physical security controls.
  • Acquaint with the basics of cryptographic concepts.
  • Given a scenario, implement secure network designs, protocols, host or application security solutions, as well as a public key infrastructure.
  • Figure out how to install and configure wireless security settings.
  • Recognize secure mobile solutions.
  • Give details on how to apply cybersecurity solutions to the cloud.
  • Comprehend identity and account management controls.
  • Know the appropriate tool to assess organizational security.
  • Justify the demand of policies, processes and procedures for incident response.
  • Given an incident, utilize appropriate data sources to support an investigation, apply mitigation techniques or controls to secure an environment.
  • Describe the key aspects of digital forensics.
  • Knowledge of the importance of applicable regulations, standards or frameworks that impact organizational security posture.
  • Disclose risk management processes and concepts.
  • Explain privacy and sensitive data concepts in relation to security.

What’s more, test takers will undergo hands-on troubleshooting in ensuring candidates have practical security problem-solving skills required to:

  • Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions.
  • Monitor and secure hybrid environments, including cloud, mobile and IoT.
  • Operate with an awareness of applicable laws and policies, including principles of governance, risk and compliance.
  • Identify, analyze and respond to security events and incidents.

When were performance-based questions added to the Security+ exam?

The Security+ performance-based questions started to appear from the first quarter of 2013 in the Security+ exam. At that time, the Security+ exam had only 100 multiple-choice questions. After performance-based questions were introduced, candidates typically had 70 to 90 multiple-choice questions, and somewhere between two and ten performance-based questions.

How much are Security+ performance-based questions worth?

Performance-based questions are valued more than a usual multiple-choice question. While CompTIA does not make the actual value of any single question public, it is very expected that each question is worth a little more than 4 percent of the entirety.

For example, if the original exam has 100 multiple-choice questions and the new exam has 87 multiple-choice questions with three performance-based questions, these three performance-based questions could be worth about 13 percent of the total. If you divide 13 percent by three, it’s a little over four.

Do they give partial credit for Security+ performance-based questions?

It is not clear or stated by CompTIA that they give partial credit. In fact, here is what is said in the PBQs:

“There may be questions for which partial credit is offered. However, exam questions and their scoring are confidential, so no further information can be provided regarding which questions may offer partial credit.”

What performance-based questions should I expect on the Security+ exam?

As the CompTIA security+ exam is updated regularly, it is difficult to predict the exact questions. However, here are some types of questions that reportedly appear in the exam:

Matching: You might be asked to match topics with each other. For example, you might have a list of port numbers and a list of protocols and then be tasked with matching the ports to the protocols.

Diagram: You might be asked to click on a diagram to select something. As a simple example, you might see a network diagram with multiple devices and be asked which device provides the best security during an attack.

Correct order: You might be asked to arrange topics into a specific order. For example, a forensic analyst is required to know the order of volatility for data and given a list to put it in the correct order:

  • Data in RAM, including cache and recently used data and applications
  • Data in RAM, including system and network processes
  • Data stored on local disk drives
  • Logs stored on remote systems
  • Archive media

ACL: You might be asked to give details for an access control list on a router or firewall. For example, if you required allowing a certain IP address through, you might add an exception in the ACL to allow traffic from or to this IP address.

Configure a WAP: Networks commonly use wireless access points (WAPs) and configuring security with them is a significant skill to know. You should be able to configure basics such as:

  • Change the SSID
  • Enable/disable SSID broadcast
  • Enable MAC address filtering
  • Configure security such as WPA and WPA2

Command prompt: You might be asked to achieve a task from the command prompt. You will have access to a simulated command prompt and be required to perform a specific task.

Tip: Be careful how much time you spend on performance-based questions. Some students report on forums that they ran out of time to tackle the multiple-choice, fill-in-the-blank and drag-and-drop questions adequately. Test-takers report that PBQs require more time to complete, as this requires someone to actually perform the task.


Proper Security+ certification training will reinforce theory with hands-on courses and lab exercises. To pass the exam ($370 USD) successfully, at an authorized Pearson VUE test center, a professional will need to know the enhanced objectives added to the most recent version of the exam (SY0-601). An in-depth prep course can uncover any knowledge gaps so you’ll be able to take additional time to ensure you’re fully prepared for the PBQs and get certified on your first attempt.

For more on the Security+ certification, view our Security+ certification hub.


Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.