Updated on May 23, 2026
Security+ performance-based questions are the part of the SY0-701 exam that most candidates underestimate during preparation. Unlike standard multiple-choice questions, PBQs require you to do something — configure a firewall rule set, identify devices on a network diagram, order incident response steps correctly, or analyze a log file for indicators of compromise. They appear at the start of the exam, before you see a single multiple-choice question, and they require a different preparation approach. This guide covers what PBQs test, the six most common types, and how to prepare in 14 days.
What are Security+ performance-based questions?
Performance-based questions are interactive exam items that simulate real cybersecurity tasks. Instead of reading a scenario and choosing from four options, you interact with a virtual environment — dragging items into position, selecting values from drop-downs, entering commands into a simulated terminal, or clicking elements on a network diagram. PBQs test whether you can apply knowledge, not just recall it.
CompTIA uses PBQs to separate candidates who understand security concepts in context from candidates who have only memorized definitions. A candidate who knows what a DMZ is can answer a multiple-choice question about it. A candidate who can correctly identify the DMZ on a network diagram — distinguishing it from the internal network, the external firewall interface, and the screened subnet — has demonstrated applied knowledge. PBQs measure the second kind of understanding.
SY0-701 exam facts: what you need to know before exam day
- Maximum questions: 90 per exam (PBQs plus multiple-choice and other item types).
- Time limit: 90 minutes.
- Passing score: 750 on a scale of 100–900.
- PBQ placement: PBQs appear at the beginning of the SY0-701 exam, not at the end. Most candidates encounter 3–5 PBQs before seeing any standard questions.
- Partial credit: CompTIA PBQs may award partial credit. Getting 3 of 4 sub-tasks correct on a firewall PBQ is better than skipping it entirely.
Source: CompTIA Security+ Certification Page and the SY0-701 Exam Objectives.
SY0-701 domain weights: where PBQs come from
PBQs can draw from any of the five SY0-701 domains, but they appear most frequently in domains that involve hands-on configuration and analysis. Knowing the domain weights tells you where to concentrate your PBQ preparation.
- General Security Concepts: 12% — foundational knowledge; less likely to generate complex PBQs.
- Threats, Vulnerabilities, and Mitigations: 22% — PBQs here often involve log analysis, threat identification, or matching attack types to indicators.
- Security Architecture: 18% — PBQs here often involve network diagram identification, firewall placement, or zone configuration.
- Security Operations: 28% — the highest-weighted domain and the most common source of PBQs; includes incident response ordering, log analysis, and tool configuration.
- Security Program Management and Oversight: 20% — PBQs here may involve matching controls to frameworks or ordering governance steps.
Security Operations at 28% is where most PBQ preparation time should go. Incident response ordering, SIEM log analysis, and vulnerability scanning workflow questions all live in this domain.
The 6 most common Security+ PBQ types on SY0-701
1. Firewall rule configuration
You are given a partially configured firewall rule set and asked to add, modify, or identify the correct rules to allow specific traffic while blocking everything else. Common tasks include creating an allow rule for HTTPS outbound, blocking inbound traffic from a specific IP range, identifying a rule that is too permissive, or ordering rules correctly so that more specific rules appear before catch-all denies.
Most common mistake: Forgetting that firewall rules are evaluated top-to-bottom. Placing a broad permit before a specific deny means the deny never triggers. Always read the full rule set before adding a new rule.
2. Network diagram identification
You are shown a network diagram with unlabeled or partially labeled components and asked to identify device types, security zones, traffic paths, or the correct placement of security controls. Common tasks include identifying the DMZ, the screened subnet, the internal firewall interface, the IDS position, or labeling a device as a proxy, load balancer, or WAF.
Most common mistake: Confusing the DMZ with the internal network. The DMZ sits between the external and internal firewalls — or between the external firewall and the internal network if only one firewall is used. Devices in the DMZ are accessible from the internet but isolated from the internal network.
3. Log analysis
You are given a log excerpt — from a SIEM, firewall, web server, or endpoint — and asked to identify indicators of compromise, the attack type, the affected system, or the correct remediation step. Common tasks include identifying a brute force pattern from repeated failed login attempts, spotting a port scan from sequential connection attempts, recognizing a SQL injection attempt in a web server log, or identifying data exfiltration from unusually large outbound transfers.
Most common mistake: Focusing on individual log lines instead of patterns. Most PBQ log analysis questions test pattern recognition — a single failed login is noise; 200 failed logins from the same IP in 30 seconds is a brute force attack.
4. Incident response ordering
You are given a set of incident response steps and asked to place them in the correct order or identify which step is missing or out of sequence. The NIST SP 800-61 lifecycle (Preparation, Detection and Analysis, Containment/Eradication/Recovery, Post-Incident Activity) and the SANS PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) are the two primary frameworks tested.
Most common mistake: Jumping to Eradication before Containment. The correct IR order always contains before it eradicates. Removing malware before isolating the affected system lets the threat continue to spread.
5. Drag-and-drop matching
You are given a list of security controls, threats, frameworks, or concepts on one side and a set of categories or descriptions on the other. You drag each item to its correct match. Common tasks include matching attack types to their descriptions, matching security controls to the threats they address, matching encryption algorithms to their key lengths or use cases, or placing NIST CSF functions in the correct order.
Most common mistake: Guessing on unfamiliar items without using elimination. If you are unsure about one item, match the ones you know first — the remaining unmatched item becomes the forced answer for the one you were unsure about.
6. Tool and command selection
You are given a scenario and asked to select the correct security tool, command, or configuration option from a list. Common tasks include choosing the right scanning tool for a specific task (Nmap vs. Nessus vs. Wireshark), selecting the correct command syntax for a network diagnostic, identifying the appropriate encryption standard for a use case, or choosing the correct authentication protocol for a described scenario.
Most common mistake: Confusing vulnerability scanners with penetration testing tools. Nessus identifies known vulnerabilities without exploiting them. Metasploit exploits vulnerabilities to test defenses. The SY0-701 exam distinguishes these sharply.
How to approach PBQs on exam day
PBQs appear at the start of the exam. Your first decision is whether to work through them immediately or flag and skip them to tackle multiple-choice questions first.
If you skip PBQs first: You bank points quickly on questions you can answer confidently, reduce test anxiety, and return to PBQs with more time. The risk is misjudging remaining time and rushing the PBQs at the end.
If you attempt PBQs first: You give each PBQ focused attention while your energy is highest. The risk is that a difficult PBQ consumes 15–20 minutes and puts you behind on easier questions.
Most Security+ coaches recommend attempting PBQs first with a hard time cap — no more than 6–8 minutes per PBQ. If a PBQ is taking longer, do your best with the sub-tasks you can answer, flag it, and move on. Partial credit is better than a perfect attempt that sacrifices 10 multiple-choice questions.
3 worked Security+ PBQ practice examples
Practice example 1: Firewall rule configuration
Scenario: You manage a web server in the DMZ at 10.10.10.5. You need to allow HTTPS traffic (port 443) inbound from the internet, block all other inbound traffic, and allow the web server to make outbound DNS queries (port 53 UDP) to the internal DNS server at 192.168.1.10.
Correct rule set:
- Rule 1: Allow TCP 443 inbound from Any to 10.10.10.5
- Rule 2: Allow UDP 53 outbound from 10.10.10.5 to 192.168.1.10
- Rule 3: Deny All inbound from Any to Any
Key reasoning: The specific allow rules must appear before the catch-all deny. Rules are evaluated top-to-bottom — if the deny appeared first, all traffic including legitimate HTTPS would be blocked before the allow rules were evaluated.
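The top-to-bottom, first-match evaluation that both this example and the firewall PBQ type depend on can be made concrete with a small rule evaluator. This is an added example, not code from the article or from any firewall product: the rule and packet model is deliberately simplified (no state tracking), the `Rule` and `evaluate` names are ours, and the client address 203.0.113.7 is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches every port
    direction: str       # "inbound", "outbound" or "any"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"

def _addr_in(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def matches(rule, pkt):
    return (rule.proto in ("any", pkt["proto"])
            and rule.port in (None, pkt["port"])
            and rule.direction in ("any", pkt["direction"])
            and _addr_in(rule.src, pkt["src"]) and _addr_in(rule.dst, pkt["dst"]))

def evaluate(rules, pkt):
    """First match wins, top to bottom; implicit deny if no rule matches.
    Returns (action, 1-based rule number, or None for the implicit deny)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, number
    return "deny", None

# The article's correct rule set for the DMZ web server at 10.10.10.5.
CORRECT = [
    Rule("allow", "tcp", 443, "inbound", "any", "10.10.10.5/32"),
    Rule("allow", "udp", 53, "outbound", "10.10.10.5/32", "192.168.1.10/32"),
    Rule("deny", "any", None, "inbound", "any", "any"),
]
# The same rules with the catch-all deny moved to the top (the ordering mistake).
DENY_FIRST = [CORRECT[2], CORRECT[0], CORRECT[1]]
# A broad permit placed above a specific deny: the deny can never trigger.
PERMIT_FIRST = [
    Rule("allow", "any", None, "inbound", "any", "10.10.10.5/32"),
    Rule("deny", "tcp", 22, "inbound", "any", "10.10.10.5/32"),
]

# Constructed sample packets (203.0.113.7 stands in for an internet client).
HTTPS_IN = {"proto": "tcp", "port": 443, "direction": "inbound", "src": "203.0.113.7", "dst": "10.10.10.5"}
SSH_IN = {"proto": "tcp", "port": 22, "direction": "inbound", "src": "203.0.113.7", "dst": "10.10.10.5"}
DNS_OUT = {"proto": "udp", "port": 53, "direction": "outbound", "src": "10.10.10.5", "dst": "192.168.1.10"}
```

Running `evaluate(DENY_FIRST, HTTPS_IN)` returns a deny from rule 1, while the outbound DNS query still passes because the catch-all only covers inbound traffic, which is exactly the kind of partial breakage a PBQ asks you to spot.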
Practice example 2: Log analysis for indicators of compromise
Scenario: A SIEM alert triggers on a workstation. The log shows four failed logins for different usernames (admin, root, administrator, sysadmin) from the same IP address (192.168.5.44) within 3 seconds, followed by a successful login as sysadmin from the same IP. What type of attack does this indicate, and what is the correct first containment step?
Answer: The pattern — multiple sequential username attempts from the same IP in under 3 seconds — is a credential-stuffing or brute force attack. The successful login at the end confirms a breach. The correct first containment step is to isolate the affected workstation from the network to prevent lateral movement, then disable the compromised account and preserve the logs for forensic analysis.
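The pattern-over-lines point from the log analysis section and this scenario can be turned into detection logic. This is an added example, not code from the article or any SIEM: the log layout (`timestamp EVENT user= src=`) is invented for the example, the sample lines are constructed to reproduce the scenario plus one benign login, and the threshold and window are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an invented layout (not a real SIEM export).
SAMPLE_LOG = """\
2026-05-23T09:14:02 LOGIN_FAILED user=admin src=192.168.5.44
2026-05-23T09:14:03 LOGIN_FAILED user=root src=192.168.5.44
2026-05-23T09:14:03 LOGIN_FAILED user=administrator src=192.168.5.44
2026-05-23T09:14:04 LOGIN_FAILED user=sysadmin src=192.168.5.44
2026-05-23T09:14:05 LOGIN_SUCCESS user=sysadmin src=192.168.5.44
2026-05-23T09:20:11 LOGIN_FAILED user=jdoe src=192.168.5.71
2026-05-23T09:20:19 LOGIN_SUCCESS user=jdoe src=192.168.5.71
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_SUCCESS) user=(\S+) src=(\S+)$")

def parse(text):
    """Return (timestamp, kind, user, src) tuples; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, kind, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), kind, user, src))
    return events

def detect_bruteforce(events, threshold=3, window_s=30):
    """Per source IP, flag `threshold` or more failed logins within `window_s` seconds.
    A success from the same IP after the burst raises severity to critical: that is
    the pattern in the scenario, and the single failure from 192.168.5.71 stays noise."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[1] == "LOGIN_FAILED"]
        for start in failures:
            burst = [f for f in failures if 0 <= (f[0] - start[0]).total_seconds() <= window_s]
            if len(burst) < threshold:
                continue
            success = next((e for e in evs if e[1] == "LOGIN_SUCCESS" and e[0] >= burst[-1][0]), None)
            findings[src] = {
                "failures": len(burst),
                "usernames": sorted({f[2] for f in burst}),
                "severity": "critical" if success else "high",
                "compromised_user": success[2] if success else None,
            }
            break  # one finding per source is enough for triage
    return findings
```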
Practice example 3: Incident response ordering
Scenario: Ransomware is detected on a file server. Place these actions in the correct order: (A) restore files from backup, (B) identify the ransomware variant and entry point, (C) isolate the affected server from the network, (D) document findings and update the IR plan, (E) verify restored files are clean and monitor for re-infection.
Correct order: C then B then A then E then D.
Key reasoning: Containment (C) comes first to stop the spread. Identification (B) is part of the analysis phase and determines the scope. Recovery (A, E) follows eradication. Post-Incident Activity including Lessons Learned (D) always comes last.
14-day Security+ PBQ study plan
Days 1–2 — Assess and inventory: Take a full-length SY0-701 practice exam under timed conditions. Note every PBQ type you encountered. Categorize your gaps by PBQ type, not by domain.
Days 3–4 — Firewall and network architecture: Review firewall rule logic (top-down evaluation, implicit deny, stateful vs. stateless), DMZ architecture, screened subnet design, and common network device placement. Draw 3–4 network diagrams from memory and label every zone and device.
Days 5–6 — Log analysis and threat identification: Practice reading SIEM, firewall, and web server logs. Learn to identify brute force, port scan, SQL injection, XSS, and data exfiltration patterns from log output.
Days 7–8 — Incident response: Memorize the NIST SP 800-61 IR lifecycle and the SANS PICERL model. Practice ordering IR steps for ransomware, data breach, and DDoS scenarios.
Days 9–10 — Drag-and-drop and matching: Build flashcard decks for attack types and their indicators, encryption algorithms and their use cases, authentication protocols and their characteristics, and security controls mapped to the threats they mitigate.
Days 11–12 — Tool and command selection: Review key Security+ tools: Nmap (network discovery), Nessus (vulnerability scanning), Wireshark (packet capture), Metasploit (penetration testing), Snort/Suricata (IDS/IPS), and tcpdump (command-line capture). Know which tool is appropriate for which task.
Days 13–14 — Timed PBQ simulation: Complete 6–8 PBQ practice sets under timed conditions, targeting the 6-minute-per-PBQ pace. Review every missed sub-task and identify whether the error was a knowledge gap or a misread of the scenario.
Official CompTIA sources to bookmark
- CompTIA Security+ Certification Page — official source for exam details, pricing, and prerequisites.
- SY0-701 Exam Objectives — official domain weights, task statements, and knowledge areas.
- About CompTIA Performance-Based Questions — CompTIA's official explanation of how PBQs work and what to expect.
Exam details verified against CompTIA.org on May 23, 2026. Requirements, domain weights, and fees are subject to change — confirm current details at comptia.org before registering.
Security+ PBQ FAQ
Where do PBQs appear on the Security+ exam?
PBQs appear at the beginning of the SY0-701 exam. Most candidates encounter 3–5 PBQs before seeing any standard multiple-choice questions.
How many PBQs are on the Security+ SY0-701 exam?
CompTIA does not publish the exact number of PBQs per exam. Most test-taker reports indicate 3–5 PBQs, though the count can vary. The total exam is capped at 90 questions.
Do Security+ PBQs have partial credit?
Yes. CompTIA PBQs may award partial credit based on sub-task completion. Attempting every sub-task — even imperfectly — is better than skipping a PBQ entirely.
What is the passing score for Security+ SY0-701?
The passing score is 750 on a scale of 100–900.
Should I skip PBQs and come back to them?
You can flag PBQs and return to them later. Most coaches recommend attempting them first with a 6–8 minute time cap per PBQ. If a PBQ is taking too long, do your best and flag it — do not let one PBQ consume time you need for multiple-choice questions.
Which domains generate the most PBQs on SY0-701?
Security Operations (28%) and Security Architecture (18%) generate the most PBQs in practice. Incident response, log analysis, firewall configuration, and network diagram identification are the most common PBQ formats.
SimpuTech's CompTIA Security+ AI tutor gives you adaptive practice across all five SY0-701 domains, with scenario-based questions that simulate the judgment and application skills PBQs test. Use it to build domain knowledge and then practice applying it under timed conditions.