How I certified with CompTIA Security+ in 2023

Matty K.
Cyberpower Telenoia
9 min read · Sep 26, 2023

This is an article about my study process for passing the CompTIA Security+ SY0-601 exam in order to obtain the certification.

“Studying 4D crystal network signal mindmaps at roundtable with starry lightbeing male.” — Runway.ml T2I prompt.

Study Timeframe

I studied at a personal pace of excitement for 4–8 hours per day for about one month, making sure I understood the relationships of the complexities of the content and that I did so in a healthy way, mostly outdoors in the summer to balance the computer time.

Next I practiced through reviews and test questions for a couple of weeks. The final week was an intense, complete rapid review; at this point there was nothing new in any of the content. The last couple of days were even more rapid and intense, and on the final day I also spent a few hours rapidly reviewing everything.

The main Study Guide.

Study Materials

My primary study materials were the two complementary books made up of the Study Guide and the Practice Questions (two books for $90 on Amazon), the online flashcards and practice questions (which come with the books), as well as the LinkedIn Learning video series (free through local library card login). A shout-out to Wiley/Sybex and Mike Chapple with David Seidl for being amazing.

Bitcoin Security Maps podcast video episode of this article.

A few other small items were also useful: an audio review (free), a glossary (free) and an acronyms list (free), as well as a quick summary ($10). The Study Guide is about 500 pages with a couple hundred review questions. There are about 800 practice questions in the book, over 200 flashcards and a couple hundred online practice questions.

Mapping concepts separately in order to build their interrelations based on my learning path.

Main Objective

My aim for studying is to create understanding of the relationships of the material. This means I tried to create one single mindmap of the entire field of Security+. By doing so, I can connect any one topic to any other topics, or immediately see the place of one aspect in the entire field of Security. I can also add or subtract any aspect and understand why I am doing so. I succeeded in doing this on two large-format papers and several smaller sheets. In the future I could make one map but I would most likely do so in VR, as I have done in the past, as documented in previous articles.

Personal color-coded and scalable note-making mindmaps.

Main book

At first, with 20% of effort for 80% of the work, simply read the Study Guide. Highlight any obvious highlights. Mark any parts to return to that would require obvious lengthy investigation. No need to go into any deep dives on a first read.

Do the review questions after each chapter to see what was retained. Use bookmark tabs to mark points of reference that will be interesting to actually pursue at some point professionally and to bookmark in the body of knowledge collection in browser bookmarks. After reading the entire book, skim through the obvious main aspects and map on a large format paper using keywords — into a mind map. I used two such large sheets.

The Study Guide with markers.

Online Audio

These are the chapter summaries from the book. Good to listen to and imagine the concepts as they relate.

The Test book

This was my personal favourite assistance. These are so well written that they often add new knowledge not in other sources! Do 20 questions each, one chapter at a time and check with answers, scoring yourself until you reach 100 questions per section. Then you get a score out of 100 to tell you where you are at: your general aptitude. My scores were between 65 and 85 after 100 questions.

Then continue with questions until you answer 150 questions for each of the five sections. Some sections have many more questions; at this point simply read the answers at the back for any information from each question that adds new knowledge.

The main practice book.

Online Flashcards and Test Questions

The publisher has an online study database of over 200 flashcards and 250 practice questions formatted as practice tests and quizzes. I used this on my smartphone and was able to sit anywhere outside in the summer and study. The flashcards are most challenging as they often ask for greater detailed lists from memory. The questions are timed and can be sorted based on level of difficulty, chapters, and other attributes.

Downloadable PDFs

The co-author has a page with downloadables, for example a cheat sheet PDF. You may also find a glossary and acronyms list for download.

Video

Using my local library card I logged into the LinkedIn Learning platform to gain free access to the author’s video series for this exam. This was a good complement after reading the Study Guide because then I could play most of the videos at 2x speed and still understand them. The videos do contain extra information to complement the book, as much as the book contains complementary information for the videos.

ChatGPT4 — paid version

Any extra information I needed: I asked a learned machine to clarify for me. Treating this as if it can be completely wrong is helpful.

The Live Exam Approach

There are about 80 questions. There are 90 minutes for the exam. You can do it at home but I did my exam at a specialized designated location within driving distance because I prefer for the security to be completed by outside management; it helps me focus. There is a certain speed that must be maintained. It is about $4 USD per minute to take the exam, for 90 minutes. In other words it’s about $400 USD for the exam. No re-takes. No refunds.

Reading and comprehension at high speed combined with the need to respond and select the best possible answer in an intelligent way remained a challenge for at least half the questions! After the first half hour I did not think I was going to pass but I knew I had to do the best I can so I continued.

The best way I could describe this was to try and resonate with the general size of the question first. If it is too large to do fast, flag it and skip to the next one. If the question is short but difficult, flag it and do not yet answer. These unanswered questions will be returned to first upon the second skim. For the first round, answer all the questions as fast as possible.

After resonating with the size of the question, resonate with the words as you read them, then the phrases, the sentences, and feel the entire question by holding to its understanding. Then quickly skim the answers to see which are obviously not a right answer. Only then try to match the resonance of the question with the right answer.

There are often multiple right answers and you have to choose the best one. The reason why it is essential to align with the words from the question is because the best answer often relates to one single word in the question. At this point, after so much studying, do not second guess, just place an answer and be confident that it is the right answer.

The second skim is to answer all unanswered questions, then all the flagged ones. Do not leave unanswered questions if they do not resonate at all. Answer these by guessing. I had one or two questions that I had not come across at all in my studies. These might have been inserted at random by the test creators.

Rapid review notes made in the hours before the exam. It helps my memory to write concepts.

Final Notes

Cyber Security is more complex than ever and increasingly so. It felt as if I was being tested in everything from organizational governance to technical implementation, to adversarial thinking to software architecture, risk assessments and incident response. These are often separate career paths with multitudes of specialized branches in each!

I do not want to be working with most of these aspects professionally as a Penetration Tester (this would take several lifetimes), but the knowledge is certainly helpful. It all points to the fact that one needs to work in a team, or at least in collaboration with increasingly powerful learned machines. A lot of the advanced knowledge seems to come from the experiences of professionals at enterprise levels of major organizations. I often wondered how much of it all is applicable to individual best practices.

Exam Results

I passed the exam with greatly focused difficulty and nearly obtained a score of about 90%. I could have gotten higher if not for my psychological profile and unnecessary focus on a few questions for too long. I was emotional for hours after this experience but treated myself well for the next few days. My life depended on the results.

Next plans

The Security+ knowledge helps me understand the power I am up against as a Bug Bounty Hunter or Penetration Tester when I work through various adversarial tactics and techniques, for example by an SOC team at an organization.

My intention now is to connect with the right employment in Cyber Security, most likely as an SOC Analyst Level 1 or as a Penetration Tester. As I do this, I plan to immediately begin applying aspects of what I learned in my own life, and in my business practices. I will also be pursuing a Bug Bounty Hunting learning path in the direction of Penetration Testing and Red Teaming.

Future

The CompTIA Security+ certification needs to be renewed every 3 years but this can be done in many ways, including by simply working in the industry, taking complementary certifications and being involved in the local Cyber Security community.

Personal Notes

I’m very excited about Cyber Security because I can see it whizz through my hands. It is not some mental computer game played by nerds without a sense of reality. It is exactly the opposite, it is reality playing the majority of people into desensitized nerds. To me, it is more exciting than playing heavy metal guitar or watching a 3D movie at the theatre. I have done all of these things extensively.

I have completed university and some college, I have unique psychological traits, I completed 20 years of work and certifications in various other fields, and this was on par with challenging advanced intellectual testing I had done previously, possibly at Master’s levels.

What does this certification help a Bug Bounty Hunter learn? Mostly how valuable organizations design their security and what they know that I know as a White Hat Hacker. I need to know the Web App stuff of network security and penetration testing. I need to be able to get around it all. For example, load balancers, IPS, firewalls, routes, anti-forensics. Now after the exam, I know what I don’t know — it’s much more than what I do know. However, all it takes for adversarial success is one weakness to exploit. Also, perhaps more importantly, through the self assurance of the mainstream Cyber Security industry, through what they do not teach, I can be more certain of what I know outside of contemporary knowledge.

I have been inspired to create my own security lab setup for personal use with and without any technology. I think that the language of Security+ establishes a powerful international baseline for any line of work. It might be that Incident Responders and Threat Hunters will be the only jobs for humans in one view of the near future, and this is a good way to get started as early as possible.

Matty K.
Cyberpower Telenoia

Niche InfoSec Consultant - Stealth Recon for Red Teams