How I Passed The CompTIA Security+ On My First Try
4 Things I Used To Pass and 4 Lessons I Learned Along The Way
The CompTIA Security+ can be a great place to start your cybersecurity journey. It tests the fundamentals of cybersecurity that you need to know as you move into your first full-time position in the industry.
Before I dive in, I wanted to start by clarifying that I passed the Security+ in February 2020 (though with the pandemic, it feels like a lifetime ago), and I took the SY0–501 exam. As of July 31st, 2021, that variant is retired, replaced by the SY0–601 variant.
The differences are minimal, mostly reorganizing elements of the exam objectives and consolidating them under different, or in some cases, new sections. Overall, the test requires you to answer up to 90 questions in 90 minutes, and score no less than 750 points to pass. My experience with the SY0–501 still carries over to the SY0–601, since it’s the same material.
Now that we’ve clarified test versions, let’s talk about what you’ll be expected to learn. I’m pulling all this information from the CompTIA Security+ Exam Objectives.
SY0–601 focuses on 5 different domains. As you can see, 69% of the exam is weighted in the first three modules: Attacks, Threats, & Vulnerabilities; Architecture and Design; and Implementation. The remaining 31% covers Operations and Incident Response, as well as Governance, Risk, and Compliance.
Yes, these are some pretty varied domains. It was once described to me that the Security+ covers a mile-wide area about a foot deep. It certainly feels like this when you’re studying for the exam. Nevertheless, it’s certainly possible to pass on your first try, take it from me!
If you reference the exam objectives (link above), you can scroll down to see the breakdowns of each section by domain.
With the breakdown of what you need to know to pass the exam established, how do we actually pass the darn thing?
I was a senior in college when I took the exam. I graduated with a B.S. in Cybersecurity, so the material wasn’t new to me by any means, however, I want to explicitly state right now that I would have failed horribly if I tried to take this test based on my knowledge from school alone. My official college courses helped to familiarize me with the material, but I am by no means a star student, and while I was blessed to attend a school with a good cybersecurity program, the information in this test requires a deep enough understanding of a wide enough range of topics that I would have probably struggled to score above 500 if I didn’t put my head to the wheel and work at it.
That said, I do see my time in school prior to diving into this certification as an advantage. I wasn’t learning brand new information that was previously foreign to me, I was learning details about the things I had already learned about and gaining a deeper understanding of cybersecurity. Personally, because of this, I’d recommend anyone currently studying cybersecurity in college, or interested in doing so, to pass this exam before graduating. Not only is it a fantastic supplement to the work experience and the degree, but it shows that you’re willing to push yourself and take the initiative with your career (I’m not including myself in this description, I did it for vanity).
If you’re not in school for cybersecurity and this is starting to intimidate you, fear not. You’re in the perfect position to benefit the most from the Security+, and you’ll probably do much better than I did. I’ll explain why later.
I leveraged 4 things to pass: Professor Messer’s YouTube channel, practice tests, and google. Let’s dive into each one.
YouTube really is a wonderful place. You can be entertained and educated in a span of 15 minutes for free without leaving the site. Professor Messer has an educational channel focusing on CompTIA certifications, including the A+ and Network+. His series on the Security+ is one of the assets that, I believe, is why I passed on my first try. Seriously, it’s that good. I watched every single one of his 141 videos for the SY0–501. Luckily, he already has the SY0–601 playlist posted, so you can leverage this amazing resource for free as well.
He also has a number of paid materials on his website. Before you ask, no, this isn’t a paid advertisement. I’m too small for that — he doesn’t have a clue who I am. I simply believe in the work he’s doing and that you should take advantage of the completely free YouTube content to learn more about the exam content.
I learn most by doing, and practice tests are the best way to, well, practice what you’re learning. I got an app on my phone that I used to take practice tests on the train instead of scrolling on Twitter. I made sure I took a practice test for every section I completed while studying, and if there was a question I missed, I would go back, review it, and retake the practice test until I got a grade that I wasn’t embarrassed about. Take the time and push yourself to take some practice tests.
This is also the only area I spent money while preparing for the exam. The worthwhile practice tests were behind paywalls, including the app I relied heavily on. I didn’t drop more than $50 altogether on different studying sites/apps and got an impressive range of questions and content to practice on.
Google is my best friend now. It’s a friendship forged in this specific period where I had things that just didn’t make sense, so I asked sergeant Google and got all the information I needed. The internet is a big place, the Security+ covers topics that absolutely everyone in the cybersecurity industry has posted about at least a few times. Heck, this could be a great time to practice your google dorking skills.
Finally, I took my time. This is specifically something I struggle with. When I get on a roll, I roll, and I roll fast. Slowing down and making sure I’m absorbing the material and understanding the details was hard for me, but I had to do it, and I think that’s another reason why I passed this exam.
So we just covered 4 things I used to pass, now let’s talk about 4 lessons I learned along the way. Please note that these were lessons that I learned while staring at my ugly face in the mirror stressing about this exam, and I had to come to terms with some things to make sure I didn’t just Leroy Jenkins the exam and waste $300 and months of preparation.
When I first started studying I thought that it would be a breeze. After all, my dad is a cybersecurity professor and I’m a cybersecurity student. I should get this stuff pretty easy, right?
Wrong. The more time I spent doing practice tests, the more it became abundantly apparent (through failing practice grades) that I needed to put my pride aside, kill my entitlement, and just do the work.
Yes, I felt like I *should* pass the exam. I thought I’d spent enough time in class, I’d had some internships, I was basically a shoo-in. This was absolutely not true, and I would have wasted my time and money if I held on to that mentality and just took the exam. This realization led to my next lesson.
Take Your Time
I was originally going to take my exam in December. I wanted to pass and then celebrate Christmas stress-free. As the time for the exam drew near, I knew I wasn’t ready. I wanted to take it and just pay for the retake, but that wouldn’t have been a wise way to handle my time or money. I wanted to believe I was ready and it was just the pre-test anxiety, but the practice tests showed otherwise. I decided it was time to just reschedule and use the extra time I had to really go hard with my preparation. I did, and that turned out to be the right decision.
If you’re getting close to your exam date and you aren’t ready, just reschedule. Use the extra time to dial up your studies and to make sure that you aren’t letting time go to waste.
Use Your Resources
I’ve listed 4 tools above that I used. You can use every single one of them for free. Sure, you can spend some money if you’d like to make the most of the resources that are available, but it is definitely not the only way to reach success.
Hold Yourself Accountable
Earlier I said you should take your time, I sure did when I was preparing. That said, don’t let that be an excuse to keep pushing off the exam and skipping your study sessions. Pushing the exam back should be a last resort.
Frankly, I pushed the exam back because I didn’t steward my time very well on the front-end. Straight up, I didn’t. I wasted time, I did other things, and I put myself in a position where the test date was coming up and I wasn’t prepared. Let me be the first to tell you that this is not ideal.
When you get your Security+ voucher, go ahead and schedule it for a time that is far enough in the future that you have enough time to prepare, but not so far that you have time to procrastinate. That date will motivate you every day to take just a little bit of time to study.
Overall, I learned more than just cybersecurity material when preparing for the Security+. Currently, I’m preparing for the OSCP. While that’s further down the road, I’ve been much more judicious with my time and preparation than I was the Security+. I could probably take the Offensive Security course that culminates in the OSCP now and be able to survive, however, I’ve learned to not believe in my own hubris, and instead to keep nailing the basics until I know 100% that I’m ready. Basically, I want the “probably” in my sentence about taking the OSCP-course to be a “definitely”, or better yet, “easily”. That’s quite the task since it’s quite a lot of material and practice but my experience in preparing for the Security+ has helped me to learn more about myself and my study habits.
All of this being said, I have faith in you, I know that you’ll pass and that you’ll go on to do great things in this industry. Please learn from my mistakes so you can score higher, and then you can comment on this article or @ me on Twitter telling me about how you passed. Good luck!
Be sure to check out my YouTube channel where I cover cybersecurity topics, news, and Security+ material. Also follow me on Twitter @studiosec, where you can tell me about how you passed the Security+!