Security Operations is the largest domain on the CompTIA Security+ (SY0-701) exam at 28%. This module covers the hands-on work of securing, monitoring, and responding day to day. This domain carries the most exam weight, so study it thoroughly.

This is where architecture meets practice. You harden systems, manage identities, watch for alerts, hunt vulnerabilities, and run the incident response process when something breaks.

Hardening and Asset Management

A secure baseline is a known-good configuration you apply to every system. You establish it, deploy it, and maintain it as threats change.

  • Harden by removing default accounts, closing unused ports, and disabling unneeded services.
  • Apply hardening to mobile devices, workstations, servers, cloud infrastructure, and IoT.
  • Use secure configuration guides like CIS Benchmarks and DISA STIGs.
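
The baseline check below is an added example, not code from the course page or from any benchmark publisher. It compares a constructed host snapshot against a constructed baseline (forbidden default accounts, allowed ports, services that must be off, required settings) and reports every deviation, which is the maintenance half of "establish, deploy, maintain".

```python
# Added example (not from the course page): compare a host's current
# configuration against a secure baseline and report every deviation.
# The baseline and the host snapshot below are constructed sample data.

BASELINE = {
    "forbidden_accounts": {"guest", "admin", "test"},   # default accounts to remove
    "allowed_ports": {22, 443},                         # everything else must be closed
    "disabled_services": {"telnet", "rsh", "ftp"},      # must not be running
    "required_settings": {"PasswordAuthentication": "no",
                          "PermitRootLogin": "no"},
}

HOST_SNAPSHOT = {
    "accounts": {"alice", "guest", "svc-backup"},
    "listening_ports": {22, 443, 23, 8080},
    "running_services": {"sshd", "telnet", "nginx"},
    "settings": {"PasswordAuthentication": "yes", "PermitRootLogin": "no"},
}


def check_baseline(snapshot, baseline):
    """Return a list of deviation strings; an empty list means compliant."""
    findings = []
    for acct in sorted(snapshot["accounts"] & baseline["forbidden_accounts"]):
        findings.append(f"default account present: {acct}")
    for port in sorted(snapshot["listening_ports"] - baseline["allowed_ports"]):
        findings.append(f"unexpected open port: {port}")
    for svc in sorted(snapshot["running_services"] & baseline["disabled_services"]):
        findings.append(f"insecure service running: {svc}")
    for key, want in sorted(baseline["required_settings"].items()):
        have = snapshot["settings"].get(key)
        if have != want:
            findings.append(f"setting {key}={have!r}, baseline requires {want!r}")
    return findings


if __name__ == "__main__":
    for line in check_baseline(HOST_SNAPSHOT, BASELINE):
        print("DRIFT:", line)
```

In practice the snapshot would come from a configuration-management tool or an inventory agent; the comparison logic stays the same.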

Asset management tracks gear through its life:

Phase        Action
Acquisition  Approve and inventory new assets
Assignment   Assign an owner and classification
Monitoring   Track location and patch status
Disposal     Sanitize media and destroy data

You cannot protect an asset you do not know you own.

Identity and Access Management

You control who gets access and how much.

Model  How access is granted
RBAC   By job role
ABAC   By attributes (location, device, time)
MAC    By labels set by the system
DAC    By the data owner

Apply least privilege so users get only what they need. Use provisioning and deprovisioning to add and remove access quickly. Strengthen logins with MFA, SSO, and federation. Strong passwords stay the baseline, covered in how to create strong passwords.
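
To make the RBAC and ABAC rows concrete, here is an added example (not from the course page) that evaluates the same request under both models. The roles, the attribute rules (clearance, managed device, location, business hours) and the two environments are constructed assumptions; MAC and DAC are not shown.

```python
# Added example (not from the course page): one access request evaluated
# under RBAC (role -> permissions) and under ABAC (attribute rules).
# Roles, rules, subject, resource and environments are constructed sample data.
from datetime import time

ROLE_PERMISSIONS = {
    "analyst": {"read:alerts", "read:logs"},
    "admin": {"read:alerts", "read:logs", "write:firewall"},
}


def rbac_allows(role, permission):
    """RBAC: grant if the role carries the permission, regardless of context."""
    return permission in ROLE_PERMISSIONS.get(role, set())


# ABAC: every rule must hold; each rule sees subject, resource and environment.
ABAC_RULES = [
    ("clearance covers classification",
     lambda s, r, e: s["clearance"] >= r["classification"]),
    ("device is managed", lambda s, r, e: e["device_managed"]),
    ("location is office or VPN", lambda s, r, e: e["location"] in {"office", "vpn"}),
    ("within business hours", lambda s, r, e: time(7, 0) <= e["time"] <= time(19, 0)),
]


def abac_decide(subject, resource, environment):
    """Return (allowed, names_of_failed_rules) so a denial is explainable."""
    failed = [name for name, rule in ABAC_RULES
              if not rule(subject, resource, environment)]
    return (not failed, failed)


SUBJECT = {"role": "analyst", "clearance": 2}
RESOURCE = {"name": "alerts", "classification": 2}
ENV_OFFICE = {"device_managed": True, "location": "office", "time": time(10, 30)}
ENV_CAFE = {"device_managed": False, "location": "cafe", "time": time(23, 15)}

if __name__ == "__main__":
    print("RBAC read:alerts  ->", rbac_allows(SUBJECT["role"], "read:alerts"))
    print("RBAC write:firewall ->", rbac_allows(SUBJECT["role"], "write:firewall"))
    print("ABAC from office ->", abac_decide(SUBJECT, RESOURCE, ENV_OFFICE))
    print("ABAC from cafe   ->", abac_decide(SUBJECT, RESOURCE, ENV_CAFE))
```

The point of the comparison: RBAC answers the same way from the office and from the cafe, while ABAC denies the cafe request and names the three attributes that failed.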

Endpoint Security and Key Management

You defend the endpoint and protect the keys.

  • EDR and XDR detect and respond to threats on hosts.
  • Antivirus blocks known malware, and host-based firewalls filter local traffic.
  • DLP stops sensitive data from leaving the environment.

Key management keeps cryptography trustworthy:

  • Key rotation replaces keys on a schedule to limit exposure.
  • Key escrow stores a copy for recovery.
  • An HSM stores and processes keys in tamper-resistant hardware.
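
Key rotation is easiest to see in code. The following is an added example, not from the course page: a key ring that issues a new HMAC signing key every 30 days and retires keys after 90. New signatures always use the newest key; older keys remain only for verifying data signed before rotation, until they age out. The periods, timestamps and the HMAC-based signing are constructed assumptions (escrow and HSM storage are not modelled).

```python
# Added example (not from the course page): scheduled key rotation with a
# key ring. Periods, timestamps and the use of HMAC-SHA256 are constructed.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=30)   # issue a new key after this age
RETIRE_AFTER = timedelta(days=90)      # drop old keys after this age


class KeyRing:
    def __init__(self, now):
        self.keys = {}        # key_id -> (secret, created_at)
        self.current = None   # key id used for new signatures
        self._counter = 0
        self._issue(now)

    def _issue(self, now):
        self._counter += 1
        key_id = f"k{self._counter}"
        self.keys[key_id] = (secrets.token_bytes(32), now)
        self.current = key_id

    def maintain(self, now):
        """Rotate when the current key is due, then retire keys past their age."""
        if now - self.keys[self.current][1] >= ROTATION_PERIOD:
            self._issue(now)
        for key_id in list(self.keys):
            if key_id != self.current and now - self.keys[key_id][1] >= RETIRE_AFTER:
                del self.keys[key_id]

    def sign(self, message):
        secret, _ = self.keys[self.current]
        tag = hmac.new(secret, message, hashlib.sha256).hexdigest()
        return f"{self.current}:{tag}"   # key id travels with the signature

    def verify(self, message, signature):
        key_id, _, tag = signature.partition(":")
        if key_id not in self.keys:
            return False                 # signed with a retired or unknown key
        secret, _ = self.keys[key_id]
        expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed start time


def rotation_demo():
    """Walk one ring through a rotation and a retirement; return what happened."""
    ring = KeyRing(T0)
    sig = ring.sign(b"audit record")
    first_key = ring.current
    ring.maintain(T0 + timedelta(days=31))       # rotation is due
    after_rotation = {
        "current": ring.current,
        "old_signature_still_valid": ring.verify(b"audit record", sig),
    }
    ring.maintain(T0 + timedelta(days=95))       # first key passes retirement
    after_retirement = {
        "current": ring.current,
        "first_key_retired": first_key not in ring.keys,
        "old_signature_still_valid": ring.verify(b"audit record", sig),
    }
    return {"first_key": first_key, "after_rotation": after_rotation,
            "after_retirement": after_retirement}


if __name__ == "__main__":
    print(rotation_demo())
```

Carrying the key id inside the signature is what lets verification keep working across a rotation; once a key is retired, anything still signed with it must be re-signed or treated as unverifiable.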

Secure Protocols

You replace plaintext protocols with encrypted ones.

Insecure  Secure replacement
HTTP      HTTPS (TLS)
FTP       SFTP
Telnet    SSH
LDAP      LDAPS
DNS       DNSSEC

Use S/MIME to sign and encrypt email. Verify file integrity with hashes, shown in how to get hashes of files on Linux and in Windows.
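
The hash check above usually means comparing against a published checksum list. This added example (not from the course page) parses a list in the `sha256sum` output format (`<hex digest>  <filename>`, or ` *` before the name for binary mode) and reports each file as OK, FAILED or MISSING. The files and the checksum list are constructed in memory, with one digest deliberately wrong and one file deliberately absent.

```python
# Added example (not from the course page): verify file integrity against a
# sha256sum-style checksum list. Files and the list are constructed in memory.
import hashlib

FILES = {
    "installer.bin": b"\x7fELF constructed sample payload",
    "config.yaml": b"listen: 443\ntls: required\n",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


CHECKSUM_LIST = "\n".join([
    "# constructed checksum list",
    f"{sha256_hex(FILES['installer.bin'])}  installer.bin",
    f"{sha256_hex(b'tampered contents')}  config.yaml",     # wrong on purpose
    f"{'0' * 64} *missing.txt",                             # binary-mode marker
])

HEX = set("0123456789abcdefABCDEF")


def parse_checksums(text):
    """Return {filename: digest} from sha256sum-format lines; reject malformed ones."""
    entries = {}
    for raw in text.splitlines():
        line = raw.rstrip("\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, rest = line[:64], line[64:]
        if len(digest) != 64 or not HEX.issuperset(digest):
            raise ValueError(f"malformed digest in line: {raw!r}")
        if not (rest.startswith("  ") or rest.startswith(" *")) or len(rest) < 3:
            raise ValueError(f"malformed filename in line: {raw!r}")
        entries[rest[2:]] = digest.lower()
    return entries


def verify_checksums(checksum_text, files):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in parse_checksums(checksum_text).items():
        if name not in files:
            results[name] = "MISSING"
        elif sha256_hex(files[name]) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


if __name__ == "__main__":
    for name, status in verify_checksums(CHECKSUM_LIST, FILES).items():
        print(f"{name}: {status}")
```

A FAILED line means the file differs from what the publisher hashed, whether through corruption or tampering; the check says nothing about who published the list, which is why signed checksum files matter.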

Vulnerability Management

You find weaknesses before attackers do.

  • Identify with scans, static and dynamic analysis, threat feeds, and penetration testing.
  • Prioritize with CVSS scores and track flaws by CVE number.
  • Remediate, then validate the fix with a rescan.

Learn the configuration-management side of automated patching in Ansible for beginners.
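
The identify, prioritize, remediate, validate loop is shown below as an added example, not from the course page. It ranks constructed scanner findings by CVSS base score using the CVSS v3 qualitative bands (Low, Medium, High, Critical) and then validates remediation by diffing a rescan against the first scan. The host names, scores and CVE identifiers are constructed placeholders, not real CVE entries.

```python
# Added example (not from the course page): prioritize findings by CVSS and
# validate remediation with a rescan diff. Hosts, scores and the CVE-0000-*
# identifiers are constructed placeholders, not real vulnerabilities.


def severity(score):
    """CVSS v3 qualitative rating bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


FIRST_SCAN = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"host": "db-01", "cve": "CVE-0000-0003", "cvss": 7.5},
    {"host": "db-01", "cve": "CVE-0000-0004", "cvss": 2.1},
]

RESCAN = [
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},   # still open
    {"host": "db-01", "cve": "CVE-0000-0004", "cvss": 2.1},    # still open
    {"host": "db-01", "cve": "CVE-0000-0005", "cvss": 8.1},    # new since first scan
]


def prioritize(findings):
    """Highest CVSS first; returns (host, cve, rating) tuples."""
    ordered = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [(f["host"], f["cve"], severity(f["cvss"])) for f in ordered]


def validate_remediation(before, after):
    """Diff two scans keyed on (host, cve): fixed, still open, and newly found."""
    seen_before = {(f["host"], f["cve"]) for f in before}
    seen_after = {(f["host"], f["cve"]) for f in after}
    return {
        "remediated": sorted(seen_before - seen_after),
        "still_open": sorted(seen_before & seen_after),
        "new": sorted(seen_after - seen_before),
    }


if __name__ == "__main__":
    for host, cve, rating in prioritize(FIRST_SCAN):
        print(f"{rating:8} {host:7} {cve}")
    print(validate_remediation(FIRST_SCAN, RESCAN))
```

Real triage also weighs exposure and asset criticality, but a scan-to-rescan diff is the minimum evidence that a fix actually landed rather than being merely ticketed.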

Monitoring and Alerting

You watch the environment and react to signals.

  • A SIEM aggregates logs and correlates events across systems.
  • NetFlow and SNMP traps report network behavior.
  • Tune alerts to cut false positives so real threats stand out.

  # Watch authentication failures on a Linux host
  grep "Failed password" /var/log/auth.log | tail -n 20
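
The grep shows raw failures; a SIEM rule turns them into one alert per source. This added example (not from the course page) applies that logic to constructed auth.log lines in the Debian/Ubuntu syslog format: it parses each "Failed password" line, counts failures per source address inside a sliding 60-second window, and alerts once when a source reaches five. The threshold, window and sample addresses (documentation ranges) are assumptions.

```python
# Added example (not from the course page): brute-force detection over
# sshd "Failed password" lines. Log lines, threshold and window are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Mar  4 10:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar  4 10:15:03 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar  4 10:15:04 host1 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 50126 ssh2
Mar  4 10:15:06 host1 sshd[2207]: Failed password for root from 203.0.113.5 port 50128 ssh2
Mar  4 10:15:07 host1 sshd[2209]: Failed password for root from 203.0.113.5 port 50130 ssh2
Mar  4 10:15:09 host1 sshd[2211]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Mar  4 10:20:30 host1 sshd[2250]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Mar  4 10:40:00 host1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed-login line.
    Syslog lines carry no year, so one is supplied (constructed assumption)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {source_ip: failures_in_window} for sources that reach the
    threshold within any window_seconds span; one alert per source."""
    recent = defaultdict(deque)   # source_ip -> timestamps inside the window
    alerts = {}
    for ts, _user, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = len(window)
    return alerts


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {count} failed logins from {ip} within 60s")
```

The second address fails twice, twenty minutes apart, and never alerts; that is the tuning point the bullet above describes, since a rule that fired on every failure would bury the real burst under a user who mistyped a password.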

Automation and Orchestration

You automate repetitive work to respond faster and reduce error.

  • SOAR runs playbooks that triage and contain incidents automatically.
  • Scripts handle user provisioning, ticketing, and guard rails.
  • Automate the boring and dangerous tasks, then keep a human in the loop for decisions.

Incident Response and Forensics

You follow a repeatable process under pressure.

  1. Preparation builds plans, tools, and training.
  2. Identification confirms an incident occurred.
  3. Containment limits the spread.
  4. Eradication removes the cause.
  5. Recovery restores normal operations.
  6. Lessons learned improves the next response.

Digital forensics preserves evidence for legal use. Maintain a chain of custody, apply a legal hold, and acquire data in order of volatility (memory first, disk later). Document every step, because untracked evidence is inadmissible.
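
A chain of custody is only as good as its tamper evidence. This added example (not from the course page) keeps a custody log as a hash chain: each entry commits to the previous entry's hash, so editing any earlier record breaks verification at that record. The evidence item, handlers, timestamps and the order of entries (memory image before disk image, matching order of volatility) are constructed; the image hash is a labelled placeholder.

```python
# Added example (not from the course page): chain-of-custody log as a SHA-256
# hash chain with tamper detection. Items, handlers and times are constructed.
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value for the first entry


def entry_hash(entry, prev_hash):
    """Hash the canonical JSON of an entry together with the previous hash."""
    payload = json.dumps(entry, sort_keys=True).encode() + prev_hash.encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain, **fields):
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(fields)
    chain.append({"entry": entry, "prev": prev, "hash": entry_hash(entry, prev)})
    return chain


def verify_chain(chain):
    """Return (ok, index_of_first_bad_record_or_None)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != entry_hash(rec["entry"], prev):
            return False, i
        prev = rec["hash"]
    return True, None


def build_sample_chain():
    item = "laptop-SN-CONSTRUCTED"
    chain = []
    append_entry(chain, time="2024-03-04T10:30Z", item=item, handler="J. Doe",
                 action="seized at desk, legal hold noted")
    append_entry(chain, time="2024-03-04T10:45Z", item=item, handler="J. Doe",
                 action="memory image acquired", sha256="<image hash placeholder>")
    append_entry(chain, time="2024-03-04T12:10Z", item=item, handler="J. Doe",
                 action="disk image acquired", sha256="<image hash placeholder>")
    append_entry(chain, time="2024-03-04T13:00Z", item=item, handler="A. Roe",
                 action="transferred to evidence locker, shelf B2")
    return chain


def tamper_demo():
    """Verify a clean chain, then alter one record and verify again."""
    chain = build_sample_chain()
    before = verify_chain(chain)
    chain[1]["entry"]["handler"] = "Someone Else"   # rewrite history
    return before, verify_chain(chain)


if __name__ == "__main__":
    print(tamper_demo())
```

The chain proves that records were not altered after the fact; it does not make a record true, so each handler still signs for the transfer they performed.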

Next Steps

Wrap the program with Security Program Management and Oversight, grounded in General Security Concepts and Security Architecture. Return to the CompTIA Security+ Course.