I took the Security+ exam (SYO-401 version) last week. While I’ve held the certification since 2005, I wanted to see how it looked and compare this to what readers have shared with me.
As background, I hear from people almost every day telling me that they passed the exam using the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide and/or online study packages. They often mention things like how many performance-based questions they saw or if they had any port questions.
I’m not going to violate the NDA, but there are many things I can share.
Number of Questions
First, I had 6 performance-based questions. Many people that I’ve heard from recently had only two. I followed the advice I’ve given to others and skipped the performance-based questions.
Next, I went through 66 multiple-choice questions. This took me about 40 minutes, which averages out to about 36 seconds per question. Admittedly, this is probably less time than most people will spend on each question. However, I found most of the questions straight-forward and I’m very familiar with the content.
In contrast, I spent about 30 minutes on the performance-based questions. That’s an average of about 5 minutes per question. Some of these were straight-forward, while others were quite vague making it difficult to figure out what the test writer was asking.
Some test-takers told me they didn’t receive any port questions. I had two. Both were covered in the book, and listed in Table 3.1: “Some commonly used well-known ports.”
Some questions were simple, but thin. For example, I had a couple of one-sentence questions about which key to use with digital signatures or encryption. These didn’t have any scenario and didn’t add any extra words to confuse the topic. They simply asked which key to use to meet a specific need.
Some questions were outrageously fuzzy. I had difficulty figuring out what they were even asking. Gratefully, these typically had answer choices that were completely unrelated to the topic of the question.
For comparison, imagine this question.
Q. What is the color of the sky at sunset in northern Alaska while the northern lights are active?
Admittedly, if this question had four color choices, it might be difficult to answer. However, if you know that electronic, magnetic, and gravitational are not colors, the question becomes trivial.
This is one of the reasons I stress to test takers the importance of knowing why the correct answers are correct and why the incorrect answers are incorrect. This gives them the best chance of accurately interpreting the questions on the live exam and answering them correctly. Eliminate the incorrect answers and you’ll find the correct answer.
“Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.“
– Arthur Conan Doyle
Some questions had two obviously incorrect choices that were easy to throw out. The remaining two answers required me to reread the question to understand what the test writer was really asking. Picking the correct answer in these questions required a solid understanding of the topic.
I had a few questions with multiple answers. These were always clear how many answers were required in the question with a statement such as Select Two or Select Three.
In contrast, some people have reported that questions they saw required multiple answers, but the question didn’t say so. I’m not sure if this was a mistake in a beta question, or something new CompTIA is trying out. At any rate, you can tell if the question needs one or more answers by looking at how the answers are formatted.
A single-answer question has the answers formatted with radio buttons.
A multiple-answer question has the answers formatted with check boxes.
CompTIA typically includes ungraded questions in the exam. These are often added to validate the question and commonly called beta questions. However, you are told which questions are ungraded.
I noticed several questions that were obviously beta questions. I could tell because the content was directly from the newer SY0-501 objectives and not included in the SY0-401 objectives.
As an example, Airgap is listed twice in the 501 objectives (once as air gap and once as airgap), but it isn’t listed in the 401 objectives. If I had any questions on airgaps, I’d say that they are beta questions for the 501 version.
Most of the performance-based questions were relatively straight-forward and simple to answer. However, at least a couple of them were quite deep. Additionally, it was difficult to determine exactly what the question wanted. These will likely be challenging for people that don’t meet the networking prerequisites.
Gratefully, the content to answer the performance-based questions that I saw is included in the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide, online study packages, and labs. In other words, if you understand the content, you can answer these questions.
Security+ Exam Summary
In summary, I had 6 performance-based questions (that I skipped at first) and 66 multiple-choice questions. Many questions were straight-forward and easy to answer because I knew the content. Other questions were unclear, but again because I understood the content, I easily eliminated obviously incorrect answers to get to the correct answer. My exam included what I believe were obviously ungraded questions (but I answered them anyway). Most of the performance-based questions were clear, but a couple of them were very deep and unclear. And yes, I passed.