How I Passed The Security+ Exam On My First Try

Evan SooHoo
8 min read · Jul 15, 2021


If you are reading this, you have likely already visited numerous Medium posts and YouTube videos with creative titles like “How I Passed the Security+ Exam,” “How to Pass the Security+ Exam,” and “How I Passed the Security+ Exam.” I wanted to give this article a more attractive title, like “Click here to find out if it’s a good idea to read Gibson’s entire book in one week” (spoiler: it’s not), but instead I went with the generic one you see here. If you have not visited these other pages, and are wondering what Security+ is, you can think of it as a cybersecurity certification. The exam is vendor-neutral and the certification is internationally recognized — it also costs around $300 for every attempt. So, is it worth it?

Um…it depends.

If you have a career interest in cybersecurity, want to enhance your standing in the IT field, or work at a company that is closely tied to the Department of Defense, then the answer is probably yes. If you work somewhere that is willing to pay for it, then go for it. But the terms and material required to pass this exam are detailed here, and if you are like most people, you will not read through this list and envision many fun weekends ahead of you.

By the agreement I signed just before the exam, I am not allowed to disclose what was actually on the test. I will openly say, however, that what I took was not easy.

You need to score a 750/900, which is why many resources say you need to score 83%. You start with 100 points for getting 0. Someone on Reddit asked if that means you actually don’t need 83%, and I feel everyone just dodged the question…but some of the exam is a mystery. You start with performance-based questions, and these can range from drag-and-drop vocabulary, to configuring a firewall, to setting up a wireless access point (check out Gibson’s performance-based practice here). You might get partial credit, maybe…no one knows exactly how the test is scored except for CompTIA.

Hey look, one of the multiple choice answers is STP. I know STP means Spanning Tree Protocol. Oh wait…there are two STP abbreviations that mean different things. Source: https://getcertifiedgetahead.com/security/security-acronyms/

What this test is:

  • A lot of multiple choice and free response questions. Multiple choice is going to be more valuable than free response — in fact, this test used to be 100% multiple choice before free response was added
  • A cybersecurity exam
  • Approximately 90 minutes, depending on how long you want to spend reading directions and anxiously filling out a survey before you get your semi-instant score
  • “A mile wide and an inch deep”
  • A very fast test where you answer a lot of questions very quickly

What this test is not:

  • A penetration testing exam
  • Longer than two hours
  • A thorough, in-depth exercise to ensure you can apply complex encryption algorithms by hand, or troubleshoot a difficult network problem in 45 minutes

The Questions I Imagine You Have

  • What did you actually do to prepare?

I took a one-week training boot camp that was paid for by my company, which I personally do not think is necessary, and then I studied on and off for about two months. About two weeks before the exam, if I remember correctly, I took Gibson’s diagnostic test using the $10 Kindle book CompTIA Security+ Get Certified Get Ahead and scored around 60%. After a week of studying, I took a practice test in Chapple’s book and scored close to 60%. I freaked out, took a lot of practice tests, read the Gibson book in its entirety, and scored about 86% on the second Gibson test two days before the real thing. To prepare for the performance-based questions, I used materials provided to me at the boot camp…but some useful PBQ practice is here (Source: GetCertified4Less).

  • What’s your point?

I cannot recommend Gibson’s work enough. You will hear similar things on r/CompTIA. I kept ignoring the book because I had coworkers who passed without reading it, and watched a YouTube video of someone who passed without reading it. Gibson’s book is really, really good. The length is around 550 pages, but that includes practice tests, and the way he writes is in a great format. He will write in a clear way, bold the portions you need to know for the exam, provide a summary with emphasized points for anything you missed the first time, and then give you practice questions at the end of each chapter that serve as a good guide for what the real exam will be like.

  • What is your background?

I am a software engineer with about five years of experience. I had been pushing for this exam for a long time, but no one would sponsor me. Finally, I wrote an email that said, “I am very passionate about cybersecurity. I have watched all four seasons of Mr. Robot and enjoy listening to DarkNetDiaries while I wash dishes.” My company agreed to pay for one exam attempt and the boot camp.

  • Really?

Yes, really.

  • What about the version change?

By all means, study to the test you are going to take. If the date of August 1, 2021 passes, start studying for version six.

  • Should I take it at home, or at a testing center?

This is probably the most interesting aspect of the test, and maybe something that was not even considered before the pandemic. At this point in time, you are probably perfectly able to take the test in person. But should you? I am not so sure about this. I had a pretty typical experience of driving to a testing center, putting my personal belongings (electronics, car key, watch…pretty much everything but my ID) into a storage bin, and then taking the exam at a computer with a mask on while surrounded by people who were taking a wide variety of other tests, from a teaching credential test to physics. To take the test at home, you are going to be recorded and monitored for the entire test, you need to take pictures of your walls and surroundings, and you need to be in a place where roommates will not appear or talk. That sounded more stressful to me than physically going to a testing site.

A Disclaimer

I had a lot of advantages going into this test. Your situation might not be the same. My company had the resources to pay for a one-week course, it paid for my voucher, and (this is a big one) they paid me to study for a full week just before the exam. This is how I was able to read the book in a week. I doubt I would have been able to do this if I were just studying outside of work. If that had been the case, I would have prepared earlier.

YouTube Resources

Everyone and their dog recommends you should check out Dr. Messer on YouTube, and I can see why, but I do not personally think YouTube videos are the best way to study. When I took the boot camp, it consisted of watching people lecture for hours at a time, running through confusing terms I was not familiar with and abbreviations that were non-intuitive and sometimes overloaded. I liked my instructors, and I especially liked optional demos they gave us in which they would carry out actual hacking simulations with Kali and a simulated target server, but I learned a lot more by reading through the book at my own pace, after I had done enough practice tests on ExamCompass to know where I stood. The main thing I got out of watching lectures at the boot camp were some free resources they provided that helped during the performance-based portion.

There are a few YouTube videos I really do recommend, though:

This is where the official CompTIA channel runs through the interface. It is not difficult to use, but you do not want to spend your exam trying to figure out the program
Gibson running through performance-based questions.
This video is not mandatory viewing, I suppose, but it really made me realize just how valuable Gibson’s book was

Resource List (some of which were already listed above)

More YouTube Videos I Enjoyed

Not strictly necessary to watch, per se, but I enjoyed hearing about her experience. You can also check out her other videos to get a more in-depth look at the cybersecurity field, and where to go from here
This video was helpful, especially when she went through some practice questions, but I absolutely do not agree with the advice of not reading the book. It worked for her, but I do not think it would have worked for me

Final Tips

  • Do what Gibson says to do and only solve performance-based questions that are really easy; flag the rest. You really do not want to rush multiple choice with 40 minutes on the clock and negative thoughts about how badly you screwed up the firewall, or the WAP, or the impossible beta question they didn’t tell you was a beta question
  • My initial strategy was to use flash cards, ExamCompass, and 2-minute Google searches. I think this was a really, really bad strategy. Gibson’s book gave me a more grounded understanding — if I had not had time to read it, I could have at least read portions of it. When I reached the point where I could recite most of the abbreviations and name simple definitions…I was still not quite there. I needed a little more knowledge than that
  • If you are set on not using Gibson’s book, at least buy a practice test somewhere. Can you score 83% (ideally 90%) on it? If so, fine. Do what works for you. If not, you might want to check out Gibson’s book
  • My favorite author is William Gibson
  • My favorite actor is Mel Gibson
  • This post was not sponsored by Gibson, it just mentioned Gibson more than I thought it would

Seriously, good luck. Studying for this exam is…well it’s a ride. The idea is that you take it, you pass it, and then you have the foundation to actually apply it in the IT field or at your defense contractor job or by catapulting into more specialized areas of cybersecurity. It will not provide you with the timeless superpowers you need to keep up with cyber threats.

But the material is relevant, and it is important, and it is molded in the rapidly changing landscape of information security. That was a very long-winded way of saying: try to enjoy it a little. Just a tiny bit. I know $300 is a lot and 90 minutes is not a very long time.

Good luck.
