My roadmap for passing the CompTIA Security+ (SY0-601) in 2 weeks with no IT experience

First, some comments on the test itself: The 601 simultaneously felt like both the easiest and most difficult exam of the trifecta at the same time. There were fewer technical questions, but a lot more questions that felt like gotcha or trick questions, or some word in the question forced you to remember an obscure thing in the studies which would invalidate the most obvious answer. I spent the longest on the multiple-choice section of this exam than in any other exam and the least on the PBQs (there were only 2). During the other exams, I moved along the MC questions at a pretty good clip and could almost always tell with certainty whether my answer was right or if I was making an educated guess. It felt like I was being tested on my recall abilities: I either knew it, or I made my best guess. On the 601 however, there were a lot of questions where I knew all of the concepts, so my recall was fine, but I wasn’t sure what the BEST answer would be. I could reason the merits of each of the choices, but I had to try and get in the test-makers head more and think about the impact of the answer and which would be the industry-best answer.

A quick tangent about this: I remember some questions in my practice exams for A+ being a bit counterintuitive to test logic and wondering how much of this is true on this and other CompTIA exams. Let me explain what I mean.

I’m sure we’ve all taken a test, especially for employment or training, where there’s the answer that you know is correct (usually a legal by the book response that the employee is looking for) and then there’s the common sense answer that most people would do but may not be what the test-maker is looking for. I ran into some questions like this for my A+ studies where I chose what I thought the “textbook” response would be and was surprised to see the correct answer actually was what I would really do.

For example, I remember one of the practice questions for the A+ (don’t remember the source, so take this with a grain of salt) asking what an IT tech should do if they order a computer screen replacement that was missing documentation and installation instructions, with none to be found online. What I would do is still try to replace it but use best practices, but I selected the “by the book” answer which was to return the screen and order a product that contained proper documentation. To my surprise, the correct answer was just to do it anyways and keep track of the parts and screws, with the reasoning being something like: you’re an IT professional, you can replace a screen. You don’t need instructions.

Again, this was not an OFFICIAL question, but this practice question and reasoning always left me with that little doubt. I felt less confident guessing what the test correct answer was in situations where a question like this came up. I don’t know if this is the case on the actual exams because it doesn’t show you the right answers or reasonings but I was wondering if anyone else has noticed anything similar. Overall, I think CompTIA is very good about not having questions where the “best/common sense practice” goes against the “by the book/most thorough practice.”

Wow, that tangent was longer than I thought, back to the 601.

I began studying for the 601 right after Net+. Why the 601 and not the 501? When I bought Professor Messer’s notes a few months ago (I was going to start with Sec+ before I backtracked and did A+ and Net+ first) I assumed the most recent test would have the most updated info that would be applicable to any future career in IT. I have heard the 501 is easier and that it is indistinguishable from the 601 in terms of passing and earning the certification, so if you’re worried about earning a passing score it may be smarter to take the 501.

I gave myself 2 weeks for this exam since there were not many testing appointments available, and I figured after Net+, it would seem much easier in comparison.

First thing I noticed: holy shit the 601 is LLOOOONNNGGG.

The messer notes PDF (directly based on the official exam objectives) is 131 pages long.

Compare this to the length of Messer’s notes for the other exams.

A+ Core 1 (220-1001): 67 pages

A+ Core 2 (220-1002): 59 pages

Net+ (N10-07): 76 pages

My first step in studying for these is just to watch all the Messer videos which align with his notes and the exam objectives exactly. To get through this quicker, I watched them on 1.5-2x speed and took only some notes on the trickier concepts, such as the encryption types and details.

It was hilarious when I watched it on my phone and couldn’t increase the speed since Messer sounded like he was talking in slow motion after being used to 2x Messer.

Then I went straight into the Jason Dion practice exams. I always like taking a baseline test after watching the videos and doing a quick read-over of the notes to see what I retain and where I am before targeted studying. I ended up with an 80% on my baseline, the highest I’ve gotten on any of the CompTIA first practice exams.

I repeated my strategy of making Anki flashcards of only the concepts that I wasn’t 100% confident I understood and could recall and I ended up with almost 280 flashcards! The most I’ve ended up with. This repeats the pattern of this test, which is it’s grueling and takes the longest due to the staggering amount of information in it, BUT at the same time, this information (at least to me) was by far the most concrete and accessible for a person without IT experience or an IT background. So it’s accessible but overwhelming.

I did a post mortem of each exam, wrote down questions I missed, took notes, reviewed flashcards, rinsed, and repeated. I scored an 86% on my second exam and I felt great, but after test #2 I found my scores dropping and staying around the 80% mark. These were my remaining scores: 82%, 81%, 81%, 78%. I felt gutted since, with every test, I was studying what I missed before taking my last exam and I felt like I was going to crush it. But what I found was that while Jason Dion’s practice exams were very helpful, they included a lot of questions from 501 or questions that just were not in the objectives, and thus were not in Messer’s notes or videos. I felt blindsided by a lot of concepts, but a good piece of advice someone gave me then that I’ll pass on is that it’s more helpful to compare your right or wrong answers to the actual 601 objectives instead of just focusing on the score.

The Dion exams had a lot of specific questions on encryption algorithms and bit or block sizes or exploit programs that were not in the objectives, for example, so don’t feel gutted if you miss those questions but if you want to be more prepared for those particular exams it makes sense to go beyond the scope of the objectives in terms of encryption and exploit platforms (although you probably won’t need to expand your scope too far past the objectives for the actual test so this may not be the most efficient way of preparing).

It helped to make tables of the encryption standards to compare block vs stream, symmetrical vs. asymmetrical, bit/block size, versions, etc.

Also, the objectives don’t tell you to study all the ports that I saw on the exam, but please know all your common and not so common ports (like SCP, TFTP, SFTP SSH, RDP, SNMP, SMTP, etc. especially the ports that have to do with secure protocols).

Understanding the legal considerations such as contracts, regulations, laws, and best practices for business security and disclosure is also important. Know your interoperability agreements!: MOU, SLA, NDA, MPA, ISA etc.

And most importantly, know how to troubleshoot and remediate given all the different types of threats and attacks. You really do need a holistic bird’s eye understanding of systems, infrastructure, hardware, protocols, and tech in order to be able to know how to answer them. If you’re not already familiar with the concepts covered in Net+ and A+, you may find this difficult to do. It’s easy to identify a type of threat, less easy to know how to respond to a certain type of threat given a certain type of system and certain limitations and business considerations. The questions were shorter/more straightforward in the 601 than the many paragraphs questions I saw on the other exams, but they were much more complex in terms of the number of concepts you have to pull from the think about the best response. A lot more nuance here than just recalling or identifying concepts.

On test day I flagged and skipped the PBQs as always, answered the MC, then came back to the PBQs. I’ve heard of people saying it felt like they were failing the whole time and I think I know why. I was confident that I scored a solid majority of the questions correctly, but there were enough tricky questions that made me doubt between two answers. I knew if I missed enough of these non-clear-cut questions that I was not 100% confident about, it may have been enough to prevent me from passing, so I really wasn’t sure if I passed until it popped up on the screen, despite my confidence in MOST of the question.

I ended up with a 782 (86%) and I feel like a HUGE weight has been lifted off my shoulders.

A huge thank you to everyone who has read any of these posts and I really hope this info can be helpful to folks who might need a more detailed breakdown of someone’s experience, roadmap, and resources. If you have questions, don’t hesitate to shoot me a message or leave a comment.

Peace!