So, finally, the learning is over, the exam is passed and the certificate is here. All of the burdens have resulted in success, and it feels great knowing that your efforts were rewarded. Even though a certificate is nothing to brag about, and this one is only entry-level, it is still a joy to get your first one.
As I passed the CompTIA Security+ exam a few weeks ago, here I am to share my personal experience of passing it.
I scored 831 out of a maximum of 900. I passed the exam on July 8
As the article is pretty long, here is a table of contents for you :)
- What is the CompTIA Security+ certificate?
- What is my background?
- How long should you study for the CompTIA Security+ certificate?
- Studying for the CompTIA Security+ certificate: what resources had I used?
- What was the exam like?
- Tips for passing the CompTIA Security+ exam
- What didn’t work for me
- What’s next?
- SY0-501 vs SY0-601
- Final words
What is the CompTIA Security+ certificate?
Before telling you my story, I want to introduce what the CompTIA Sec+ certificate is. If you are reading this, you are probably familiar with it already, but in case you landed here accidentally (or if you are checking which of the entry-level certificates is worth it), let me give you a short introduction.
CompTIA Security+ is a vendor-neutral certificate that proves your baseline cybersecurity skills. The material you learn while preparing for the certification exam gives you the basic skills needed to accelerate your cybersecurity career. It covers many things that are a must-know for anyone working in the IT field (I believe the Sec+ domains are relevant for any IT professional, especially someone who is starting his or her career).
For up-to-date information about the exam, check the official website.
What does the CompTIA Security+ cover? The Sec+ consists of six domains:
- Threats, Attacks and Vulnerabilities
- Technologies and Tools
- Architecture and Design
- Identity and Access Management
- Risk Management
- Cryptography and PKI
The natural question after hearing about this certificate is: is CompTIA Security+ worth it? I would say definitely yes. When I was searching the internet for which certificate should be my first, as I am seeking a career in cybersecurity, this one was mentioned many times by various people. It is a certificate many professionals advise getting as a first cybersecurity certificate. And now that I am a proud holder of a CompTIA Security+ certificate myself, I can only agree with everyone who advises getting it.
Along the way, I’ve learned not only about the principles of information security and types of viruses, but also which network protocols can be a security risk, what the ways of mitigating risks are, and how cryptography works. These were things I was not familiar with. Learning the Sec+ subjects also helped me connect the dots in understanding how everything in my company works (why there are separate WiFi access points for guests, how one can access any company resource by providing a password only once, and so on).
I’ve mentioned only a few of the things covered in the Security+ study guide; there are many more. But the conclusion I am trying to get to is this: learning for the Security+ is beneficial, as it helps you get the basic knowledge that is a must for a career in cybersec.
And if you are already familiar with the subjects that Security+ focuses on, then getting the certificate is a wise step. It will prove your knowledge.
What is my background?
Moving on, let’s talk about what I knew and what I was capable of before I decided to take the exam.
I am a third-year Information Technologies student at Vilnius University. During my studies, I had various subjects that are useful for someone seeking a career in cybersecurity: virtualization, computer networks (we had a course based on CCNA), network security, information security, programming. So, I was already familiar with some of the things I would later face when learning for the Security+ exam.
At the time I was also a junior QA engineer. As I was combining work with my studies, I was working only part-time and had 7 months of experience. Of course, no one gets into cybersecurity with 0 experience, but as I was interested in cybersecurity, my managers encouraged me to choose this path. So, even though I started as a manual QA and most of my time at work was spent writing and executing test cases, I had a mentor who familiarized me with Kali Linux, Burp Suite, automated vulnerability scanners, OWASP methodologies, and other security-related things.
And of course, I am a proud owner of a Raspberry Pi. Here it is:
Even though I’ve used my Raspberry less than I planned to after I got it for Christmas (sorry, Raspberry), I’ve still done some things such as spinning up my own DNS server or exposing a website from my home network. This helped me better understand how DNS attacks might happen and how they can be mitigated (one of the CompTIA Security+ subjects). There are some other small experiences of mine. Every little bit counts.
Back to the certificate: I started thinking about it in the middle of February. Here at our company, we have a predefined amount every year that we can spend on education. I decided to spend it on the certificate. March 9 was the day I created a request in Jira. But we all know what happened in March 2020: COVID-19 started spreading across the world. As the certification centers had closed at the time, I was not able to take the Security+ exam.
How long should you study for the CompTIA Security+ certificate?
That completely depends on how much time you have. Even though I took the exam 4 months after I started learning, I wasn’t studying the whole time. There were weeks when I was studying about 8 hours a day, while sometimes I studied only a few hours during the whole week.
Before the exam, I studied for 2 days for 12+ hours each and realized that there were still so many things I should learn, and that these long days are pretty exhausting, so I rescheduled my exam by a week. This way I had enough time to get ready without stress.
I believe it took me about a month of full-time learning, but if you don’t have a technical background, you might not be able to get ready in a month.
If you have time and aren’t rushing to get the certificate in 30 or so days, dedicate a little time to learning every day. This way, you won’t get bored and burnt out.
Was extending the learning process to 4 months useful? I believe so. It happened not because of my will (the virus), but because of it, I had plenty of time to learn without burning out.
Studying for the CompTIA Security+ certificate: what resources had I used?
There are a few great resources that are effective when preparing for the certificate, and you will probably see them recommended many times across the Sec+ exam topics. These are the resources that helped me:
- Professor Messer’s CompTIA Security+ SY0-501 Training Course and his other free and paid resources. Check his YouTube channel for the monthly study groups; his live monthly study sessions are very helpful.
- CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide, the study guide that was my main source of information. The PDF version has 1197 pages, so that’s a lot to learn. There are also some free practice tests on the website of the author, Darril Gibson, that help a lot.
- Jason Dion’s CompTIA Security+ (SY0-501) Practice Exams with Simulations: 6 practice tests with 420 questions. The questions are similar to the questions on the actual exam, so this is a great resource to test whether you are ready to take the exam. By checking yourself with these tests, you will learn where your knowledge gaps are.
- Reddit, YouTube and Google :). Every time I wanted to understand a subject more deeply, or when I was not able to understand it properly, I Googled it.
This is what my learning process looked like:
The reason I read GCGA (Get Certified Get Ahead) twice is that the first time I didn’t concentrate on understanding the differences between encryption algorithms and authentication protocols, and I also took a break from preparing for the cert. So, I wanted to make sure that I hadn’t forgotten what I learned and that I was familiar with everything in the book.
However, the second time I skipped the content I understood pretty well. And of course, I took the book’s practice tests a few times.
As for what followed the GCGA, I started taking the free CompTIA Security+ tests. I used them to understand where my knowledge was lacking and then tried to find as much information as possible about the things I had answered incorrectly.
Opinion about Professor Messer’s videos
You will probably notice that Professor Messer is praised everywhere in the context of learning for CompTIA Security+. I agree that he provides very good material, and his monthly study group is a gift. Keeping in mind that he provides a big part of his material for free, he is doing a wonderful job for the community.
But let me tell you about my personal experience with Messer’s videos. This was the first study material I used, and as far as I remember it takes about 13 hours to finish all the videos. The videos are good: easy to watch, quite informative and short. The Sec+ objectives list consists of many topics, and Professor Messer managed to put them all into his video series.
So, as I finished watching the videos, I was hyped about how easy the exam would be. I understood most of the topics in the videos, and it looked so easy. But as soon as I started reading the Gibson book, I realized there were so many things I was not familiar with, and I got only about 50% on the pre-assessment test. Even though Messer tries to put the key things in his videos, because you are learning new things, a short video might not be enough. You might need to spend a couple of hours on a topic that is explained in a few minutes in one of the Messer videos.
And as the videos are fast, you will soon forget part of the information you are dealing with for the first time.
In conclusion: use different resources to prepare for the exam.
What was the exam like?
I can’t disclose anything too specific about the questions I got on the exam because of CompTIA policy, but I can say that the questions were similar to what I was expecting. They weren’t out of the blue. The majority of the questions asked about things covered in Darril Gibson’s Get Certified Get Ahead: SY0-501 Study Guide.
However, the exam questions were slightly harder than the ones in the GCGA book. If you are scoring high on the GCGA book, don’t take that as confirmation that you know everything perfectly. Don’t forget that the practice questions in the book aren’t formulated by CompTIA itself. Even though the questions are close enough to the real exam questions, they reflect the writing and questioning style of the author. However, as I already said, the practice questions from the Darril Gibson book are good.
Talking about the exam, I got 82 questions (if I remember correctly). CompTIA says there are up to 90 questions, so I guess the number is different for everyone.
By the way, CompTIA mentions that you can possibly get questions that won’t be rated, as they are unscored questions. I think I got one; I can’t recollect the question, but I wasn’t sure what any of the 4 answers were talking about.
Tips for passing the CompTIA Security+ exam
Here are some tips from my personal experience that might help you:
Tip no. 1 - take your time to read the material. If possible, don’t rush and take your time learning. It doesn’t matter how much of the different domains you understood; one of the major things for passing Sec+ is to see the big picture. Because Security+ questions usually contain a lot of excess information, you should be able to understand what the question is really about.
Tip no. 2 - if you feel you are not ready for the exam, postpone it. I did this myself and postponed for a week. It’s better to make a tactical retreat than to fail. Rescheduling the exam is easy: I only had to write an email at least 2 working days before my exam date.
Tip no. 3 - use different resources. I already mentioned some good resources, but there are definitely more of them (e.g. the CompTIA Security+ SY0-501 Certification Study Guide). Make sure you aren’t putting all your eggs in one basket, and don’t forget that using a few resources will only benefit you.
Tip no. 4 - read different Security+ success stories, failure stories, and learning experiences. Basically, read everything you can find related to learning for or passing the Sec+. Some phrases you can Google to get useful information:
- How to Pass the CompTIA Security+
- I failed CompTIA Security+ exam
- CompTIA Security+ success story Reddit
- Study plan for CompTIA Security+ Reddit
- How long did you study for CompTIA security+
You might want to ignore the failure stories, but trust me, knowing how people failed will help you. Otherwise, you will make the same mistakes they did.
Note: I personally like searching Reddit for this type of information. Most of the time you can get a valuable opinion from smart people. That’s only my personal observation, but I’ve noticed that other platforms, such as Quora, often have low-quality answers to questions like this. On those platforms, many answers don’t have much depth, and their main purpose is to get a backlink to an external website; usually the answer ends with something like this: “For more tips on how to pass CompTIA Security+ check out this blog”. And the good thing about Reddit is that quality answers are upvoted and poor answers are downvoted by the community.
Tip no. 5 - this one is more about taking the exam: stay calm and skip the performance-based questions. I won’t say anything original, but here are my two cents on taking the CompTIA Security+ exam:
- Skip the performance-based questions at the beginning. They will be the first questions you get when starting the exam. My advice is to skip them even if they don’t look hard to you. It usually takes more time to answer them, so leave them for the end. First warm up with the other, easier questions, then start the heavy lifting; that would be my advice. This also applies to other, non-performance-based questions that are harder than the rest, or that contain a lot of information. Mark them for review and move along. Pick the low-hanging fruit at the beginning.
- Stay calm and confident. Stress won’t help you think. I know this is easier said than done, but breathe and stop worrying. You spent a lot of time learning, so it’s your time to prove yourself, and to do so, you have to be relaxed and confident. Otherwise, you might fail even if you are 100% prepared. And by being confident I mean stop doubting yourself. If you think you know the correct answer, select it and move along. If you don’t, mark the question for review. But stop wandering back to the questions you have already answered. Doubting yourself will affect your decision-making abilities.
Tip no. 6 - know the acronyms. You don’t want to make a stupid mistake on the exam because you forgot what ECB or CBC is. Even the most obvious question might become hard if you forgot the basics. For example, this is a pretty easy question if you studied for the exam. However, if you forgot what these acronyms stand for, well, good luck answering.
Stop-frame from Professor Messer’s June Security+ Study Group
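To make the ECB/CBC distinction behind that acronym question concrete, here is a small added example (my own illustration, not part of the original post or of any course material mentioned above). It implements the two modes of operation over a toy Feistel block cipher built from HMAC-SHA256 so that it runs with the Python standard library only; that toy cipher is an assumption standing in for AES and is not safe for real data. The point it shows is the one the exam cares about: ECB encrypts equal plaintext blocks to equal ciphertext blocks, so the structure of the message leaks, while CBC chains each block into the next and hides it.

```python
"""ECB vs CBC: why the mode of operation matters.

Block cipher: a 4-round Feistel network over 16-byte blocks whose round
function is HMAC-SHA256. This is an ASSUMPTION for the illustration (it keeps
the example standard-library only); it is NOT AES and must not be used for
real data. The ECB/CBC mode logic around it is the real construction.
"""
import hashlib
import hmac

BLOCK = 16
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed pseudo-random function for one Feistel round; the round index is
    # mixed in so each round uses a different sub-function.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # A Feistel network is inverted by running the rounds backwards.
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    # PKCS#7: always add 1..16 bytes so the message is a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks
    # produce equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # (the IV for the first one) before encryption, so repeats are masked.
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(ct):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def distinct_blocks(data: bytes) -> int:
    return len(set(blocks(data)))


# Constructed sample input: a message with repeated blocks, the pattern that
# ECB cannot hide. Key and IV are constructed too; in practice the key is
# random and secret and the IV is fresh (e.g. os.urandom(16)) per message.
SAMPLE = b"ATTACK AT DAWN!!" * 4 + b"RETREAT AT DUSK!" * 2
KEY = b"example-key-0000"
IV = bytes(range(16))


def demo() -> dict:
    padded = pad(SAMPLE)
    return {
        "blocks": len(blocks(padded)),
        "distinct_plaintext": distinct_blocks(padded),
        "distinct_ecb": distinct_blocks(ecb_encrypt(KEY, SAMPLE)),
        "distinct_cbc": distinct_blocks(cbc_encrypt(KEY, IV, SAMPLE)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows 7 padded blocks of which only 3 are distinct; the ECB ciphertext also has exactly 3 distinct blocks (an eavesdropper can see which blocks repeat and where), while the CBC ciphertext has 7 distinct blocks. That block-level leak is the same effect as the well-known ECB-encrypted image that still shows its outline, and it is why ECB is the mode the exam expects you to recognise as the wrong answer.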
What didn’t work for me
Making flashcards. After reading some articles that tell how wonderful flashcards are, I decided to try it. I started making flashcards the moment I started preparing for the CompTIA Security+. And this was a mistake, as at the beginning there were a lot of new things.
I made a bunch of flashcards about things that later became obvious. For example, “What ensures integrity?” The answer: hashing. And in any book you use for learning, the most common hashing algorithms are explained, so knowing that hashing ensures integrity will come naturally later on. There is no need to make flashcards for such simple things. But in the beginning it feels like this is very important and worth a flashcard. Eventually, everything adds up, and you end up with a bunch of flashcards that won’t be effective later on.
This is how many flashcards I made before I understood it wasn’t worth my time:
I’ve seen articles that praise flashcards as effective, like this one, and I am not trying to say anything controversial. It just didn’t work for me. Of course, it is a good way to learn, but it takes a lot of time to make the flashcards yourself. Because flashcards are time-consuming, I think it’s better to create notes explaining the subjects you think you didn’t understand well enough, and reference them during learning. A flashcard can fit only a limited amount of information.
I’ve seen CompTIA Security+ flashcards that you can buy (I can’t recollect where I saw them, but I am sure you will be able to find them with the help of Google). This might be an option, but then again, I haven’t tried it.
What’s next?
Even though CEH is disliked by some people in the community (based on posts and comments I’ve seen in Facebook groups and on various platforms), I think a logical next step would be to get the CEH (Certified Ethical Hacker) certificate. Not only because Certified Ethical Hacker sounds cool, but because it is more universal than, for example, OSCP. What do I mean by this? CEH covers different domains of cybersecurity and talks about different tools. Even if this certificate would be a good fit for penetration testers, it is also a great choice for managers. Meanwhile, getting certificates such as OSCP demands experience with penetration testing. Also, CEH is recognized and respected by HR, which will help you level up your career.
In the future I am going to release a case study on which certificate you should take next after Security+ and what the cybersecurity community thinks about CEH. Follow my blog for this.
SY0-501 vs SY0-601
CompTIA announced that the SY0-601 exam will be launched in November 2020. You can take the SY0-501 until it is retired in July 2021. So, if you are studying for the SY0-501 right now, don’t worry, you will be able to take it for almost a year.
I can’t advise whether you should take the SY0-501 or the SY0-601, but as far as I know, for the SY0-601 you will have to learn more subjects. Messer talks about the new version in his video:
Final words
Keep calm, you can handle this :). And don’t forget, even if CompTIA Security+ is hard, it’s not that hard if you are consistently studying and putting in the effort.