CompTIA Security+ Cheat Sheet: The Ultimate Quick Reference Guide

Q: How many domains does the Security+ exam have?

The current Security+ exam has 5 domains: General Security Concepts (12%), Threats Vulnerabilities and Mitigations (22%), Security Architecture (18%), Security Operations (28%), and Security Program Management and Oversight (20%).

This CompTIA Security+ cheat sheet distills the most critical concepts, ports, protocols, acronyms, and formulas from all five exam domains into a single reference guide. Whether you are reviewing the night before your exam or reinforcing key topics during your study period, this cheat sheet covers the high-frequency items that appear most often on the Security+ exam.

Remember: you cannot bring notes into the exam, but you can perform a "brain dump" — writing down memorized formulas and key facts on the provided whiteboard immediately after the exam starts. Practice your brain dump with this cheat sheet until you can reproduce the critical tables from memory.

Exam Domains

Max Questions

750/900

Passing Score

90 min

Time Limit

Domain 1: General Security Concepts (12%)

This domain covers the foundational security principles that underpin every other topic on the exam:

CIA Triad: Confidentiality (encryption, access controls), Integrity (hashing, digital signatures), Availability (redundancy, fault tolerance)
AAA Framework: Authentication (who are you?), Authorization (what can you access?), Accounting (what did you do?)
Zero Trust: "Never trust, always verify." Assumes no implicit trust regardless of network location. Key principles: least privilege, microsegmentation, continuous verification.
Defense in Depth: Layered security approach — physical, network, host, application, and data layers.
Separation of Duties: No single person should control all aspects of a critical function.
Least Privilege: Users and systems should have only the minimum access necessary to perform their function.

Domain 2: Threats, Vulnerabilities, and Mitigations (22%)

Common Attack Types

Attack	Description	Mitigation
Phishing	Social engineering via fraudulent emails	User training, email filtering, MFA
Ransomware	Encrypts data, demands payment	Backups, endpoint protection, network segmentation
SQL Injection	Malicious SQL in input fields	Parameterized queries, input validation, WAF
XSS	Injecting scripts into web pages	Output encoding, CSP headers, input sanitization
Man-in-the-Middle	Intercepting communications	TLS/SSL, certificate pinning, HSTS
DDoS	Overwhelming resources with traffic	CDN, rate limiting, cloud-based DDoS protection
Brute Force	Trying all possible passwords	Account lockout, MFA, long passphrases
Privilege Escalation	Gaining unauthorized higher access	Patching, least privilege, monitoring

Threat Actors

Nation-states (APTs, well-funded), Hacktivists (politically motivated), Organized crime (financially motivated), Insider threats (employees, contractors), Script kiddies (low skill, using existing tools).

Domain 3: Security Architecture (18%)

Network Architecture Concepts

DMZ (Demilitarized Zone): Network segment between external and internal networks for public-facing services
VLAN: Logically segments a network at Layer 2 to reduce broadcast domains and improve security
NAC (Network Access Control): Verifies device compliance before granting network access
Microsegmentation: Granular network isolation, often software-defined, core to zero trust architecture
Air Gap: Complete physical isolation of a network from all other networks

Cloud Security Models

Model	You Manage	Provider Manages
IaaS	OS, apps, data, middleware	Hardware, virtualization, networking
PaaS	Apps and data	OS, middleware, runtime, hardware
SaaS	Data (sometimes configuration)	Everything else

Domain 4: Security Operations (28%)

This is the largest domain at 28% of the exam. Focus heavily on these operational concepts:

Security Tools and Technologies

SIEM: Aggregates and correlates logs from multiple sources for threat detection (e.g., Splunk, Microsoft Sentinel)
SOAR: Automates incident response workflows and orchestrates security tools
IDS/IPS: Intrusion Detection (passive monitoring) vs. Intrusion Prevention (active blocking)
EDR: Endpoint Detection and Response — monitors endpoints for suspicious behavior
DLP: Data Loss Prevention — prevents unauthorized data exfiltration
NAC: Controls network access based on device compliance and user identity

Incident Response Process

Preparation — Policies, procedures, team training, tools
Detection & Analysis — Identify indicators of compromise (IoCs)
Containment — Isolate affected systems (short-term and long-term)
Eradication — Remove the threat completely
Recovery — Restore systems to normal operation
Lessons Learned — Post-incident review and documentation

Domain 5: Security Program Management and Oversight (20%)

Risk Management Formulas

SLE (Single Loss Expectancy) = Asset Value × Exposure Factor

ALE (Annualized Loss Expectancy) = SLE × ARO (Annual Rate of Occurrence)

Risk = Likelihood × Impact

Risk Response Strategies

Avoidance: Eliminate the risk by removing the activity or asset
Mitigation: Reduce the likelihood or impact through controls
Transfer: Shift risk to a third party (insurance, contracts)
Acceptance: Acknowledge the risk and proceed without additional controls

Compliance Frameworks

NIST CSF (Identify, Protect, Detect, Respond, Recover), ISO 27001 (ISMS standard), PCI DSS (payment card data), HIPAA (healthcare data), GDPR (EU personal data), SOC 2 (service organization controls).

Essential Ports and Protocols

Port	Protocol	TCP/UDP	Secure Alternative
20/21	FTP	TCP	SFTP (22) or FTPS (990)
22	SSH / SFTP / SCP	TCP	Already secure
23	Telnet	TCP	SSH (22)
25	SMTP	TCP	SMTPS (465/587)
53	DNS	TCP/UDP	DoH (443) / DoT (853)
80	HTTP	TCP	HTTPS (443)
110	POP3	TCP	POP3S (995)
143	IMAP	TCP	IMAPS (993)
161/162	SNMP	UDP	SNMPv3
389	LDAP	TCP	LDAPS (636)
443	HTTPS	TCP	Already secure
3389	RDP	TCP	RDP over VPN/gateway

Cryptography Quick Reference

Symmetric Encryption (Same Key)

AES (128/192/256-bit) — current standard, used everywhere. 3DES (168-bit effective) — legacy, being phased out. ChaCha20 — fast on mobile devices, used in TLS 1.3.

Asymmetric Encryption (Key Pair)

RSA (2048/4096-bit) — most common for digital signatures and key exchange. ECC (256-bit ≈ RSA 3072-bit) — faster, smaller keys, preferred for mobile. Diffie-Hellman — key exchange protocol, not encryption itself.

Hashing Algorithms

SHA-256 — current standard for integrity verification. SHA-3 — next-generation hash. MD5 — broken, do not use for security (still seen in legacy systems). bcrypt/scrypt — designed for password hashing with salt and work factor.

Key Acronyms to Memorize

Acronym	Full Name
CIA	Confidentiality, Integrity, Availability
AAA	Authentication, Authorization, Accounting
SIEM	Security Information and Event Management
SOAR	Security Orchestration, Automation, Response
PKI	Public Key Infrastructure
MFA	Multi-Factor Authentication
IDS/IPS	Intrusion Detection/Prevention System
EDR	Endpoint Detection and Response
XDR	Extended Detection and Response
DLP	Data Loss Prevention
WAF	Web Application Firewall
CASB	Cloud Access Security Broker
NAC	Network Access Control
IoC	Indicator of Compromise
APT	Advanced Persistent Threat

Frequently Asked Questions

What should a Security+ cheat sheet include?

A comprehensive Security+ cheat sheet should cover all 5 exam domains (threats, architecture, implementation, operations, governance), essential ports and protocols, cryptography algorithms with key sizes, common acronyms, risk management formulas, and attack type definitions.

Can I bring a cheat sheet to the Security+ exam?

No. You cannot bring any notes, cheat sheets, or reference materials into the exam. However, you can do a "brain dump" — writing down memorized formulas and key facts on the provided whiteboard or scratch paper immediately after the exam starts.

What ports should I memorize for Security+?

Key ports include: FTP (20/21), SSH (22), Telnet (23), SMTP (25), DNS (53), HTTP (80), HTTPS (443), POP3 (110), IMAP (143), LDAP (389), LDAPS (636), RDP (3389), and SNMP (161/162). Memorize both the port number and whether it uses TCP, UDP, or both.

What are the most important acronyms for Security+?

Critical acronyms include: CIA (Confidentiality, Integrity, Availability), AAA (Authentication, Authorization, Accounting), SIEM (Security Information and Event Management), IDS/IPS (Intrusion Detection/Prevention System), PKI (Public Key Infrastructure), and SOAR (Security Orchestration, Automation, and Response).

How many domains does the Security+ exam have?

The current exam has 5 domains: General Security Concepts (12%), Threats Vulnerabilities and Mitigations (22%), Security Architecture (18%), Security Operations (28%), and Security Program Management and Oversight (20%).

What risk formulas appear on Security+?

Key formulas include: SLE = Asset Value × Exposure Factor, ALE = SLE × ARO (Annual Rate of Occurrence), and Risk = Likelihood × Impact. Understanding quantitative vs. qualitative risk assessment is essential.

What cryptography concepts are on Security+?

You should know symmetric vs. asymmetric encryption, hashing algorithms (SHA-256, MD5), key exchange (Diffie-Hellman), digital signatures, PKI and certificate authorities, and common algorithms (AES-256, RSA, ECC) with their typical key sizes.

How should I use this cheat sheet to study?

Use this cheat sheet as a review tool, not a primary study resource. Study each domain in depth first, then use the cheat sheet to reinforce key facts. In the final week before your exam, review the cheat sheet daily and practice writing a brain dump from memory.

Test Your Security+ Knowledge

Practice with unlimited adaptive questions covering all five Security+ domains.

Start Free Practice Test →