Understand every Performance-Based Question type β then practice each one with hands-on interactive simulators.
3β5
PBQs per exam
90 min
Total exam time
750/900
Passing score
8 types
PBQ categories
What Are Performance-Based Questions?
PBQs go beyond multiple choice β they test whether you can actually do the job, not just recall facts.
The PBQ Difference
Performance-Based Questions (PBQs) are interactive, scenario-driven tasks embedded in the Security+ exam. Instead of selecting from four text answers, you manipulate a simulated environment β dragging devices, configuring rules, reading logs, or toggling settings β to solve a real security problem.
π±οΈ Interactive β Click, drag, configure, and select within a simulated tool or environment.
πΊοΈ Scenario-Based β Each PBQ presents a realistic workplace situation with context and constraints.
β±οΈ Time-Intensive β PBQs typically take 5β10 minutes each. They appear first and set the tone.
π Multi-Step β Most require a sequence of correct decisions, not just a single answer.
PBQs on the SY0-701 Exam
The SY0-701 exam contains 90 questions maximum β a mix of multiple choice and PBQs β in a 90-minute window. Here's what you need to know:
β οΈ PBQs appear at the start. You'll encounter them before any multiple-choice questions. Many candidates spend too long on them and run out of time. Budget no more than 8 minutes per PBQ.
β You can flag and skip PBQs. If you're stuck, flag it, move on to multiple choice, and return with remaining time. Partial credit is better than no credit.
CompTIA does not publish an exact PBQ count per exam version β candidates report seeing 3 to 5 PBQs. Each is worth more than a standard question. Missing all PBQs makes passing extremely difficult, so they demand deliberate preparation.
The 8 PBQ Types You'll Encounter
Click PBQ Types & Practice in the nav to dive into each one with an interactive simulator.
π
1. Network Diagram Placement
Place firewalls, IDS/IPS, servers in the correct network zones.
π₯
2. Firewall / ACL Configuration
Allow or deny traffic rules based on a security policy.
Enable/disable OS settings to meet a secure configuration baseline.
π€
5. IAM Troubleshooting
Assign minimum necessary permissions to users (least privilege).
π
6. Cryptography Selection
Match cryptographic algorithms to the correct use case.
πΆ
7. Wireless Security Configuration
Configure SSIDs with correct protocols, auth methods, and isolation.
β‘
8. Vulnerability Prioritization
Rank vulnerabilities by risk and determine remediation order.
Why PBQs Trip Up Candidates
Most Security+ study materials focus on multiple-choice memorization. PBQs require applied knowledge under time pressure. The three most common failure patterns:
π Time mismanagement β Spending 15+ minutes on a single PBQ, leaving insufficient time for 85 multiple-choice questions.
π Lack of hands-on practice β Knowing about firewall rules is very different from correctly writing them under exam conditions.
π‘ The fix: Practice each PBQ type interactively β use the simulators in the PBQ Types tab β and time yourself. Familiarity removes the "what do I do?" panic on exam day.
PBQ Types & Interactive Practice
Select a PBQ type below to read about it, then try the practice simulator. Answers are checked with instant feedback.
π Network Diagram & Security Control Placement
In this PBQ type, you're shown a network architecture with zones (Internet, DMZ, Internal LAN, Server Farm) and asked to place security devices correctly. The key principle: defense in depth β every boundary needs a control.
π§ Exam logic: The firewall goes at the internet perimeter. The DMZ hosts publicly accessible services (web servers). IDS/IPS monitors traffic between zones. Sensitive data (databases) lives in the most protected inner zone.
Defense in DepthDMZ ArchitectureZero Trust Zones
π§ Practice Simulator β Network Zone Placement
A company is redesigning its network. You must place the following four devices into the correct network zones: Firewall, Web Server, IDS/IPS Sensor, and Database Server. Each device goes in exactly one zone.
Assign each device to the correct network zone
π Internet Perimeter
π‘ DMZ (Demilitarized Zone)
π΅ Internal LAN Border
π’ Server Farm (Inner)
π₯ Firewall / ACL Rule Configuration
You're presented with a firewall rule table and must set each rule to Allow or Deny based on a stated security policy. Firewall rules are evaluated top-down; the first match wins. The implicit final rule is always Deny All.
π§ Exam logic: Block unencrypted protocols (HTTPβredirect to HTTPS). Block direct internet access to databases. Allow management traffic only from admin subnets. Default-deny is always the safe choice when in doubt.
ACL Rule OrderDefault DenyLeast Privilege
π§ Practice Simulator β Firewall ACL Rules
Your company policy: (1) All public web traffic must use HTTPS. (2) The database server must not be reachable from the internet. (3) SSH admin access is permitted from the 10.0.0.0/24 admin subnet only. (4) Block all ICMP from the internet. Set each rule to Allow or Deny.
Configure each ACL rule
Rule 1
TCP 443 (HTTPS) Β· Internet β Web Server
Rule 2
TCP 80 (HTTP) Β· Internet β Web Server
Rule 3
TCP 3306 (MySQL) Β· Internet β Database Server
Rule 4
TCP 22 (SSH) Β· 10.0.0.0/24 β Web Server
Rule 5
TCP 22 (SSH) Β· Any Internet IP β Web Server
Rule 6
ICMP (Ping) Β· Internet β Any
π Log Analysis & Incident Response
You're given a set of system or network logs and asked to identify the suspicious entry, then classify the attack type. Key skill: distinguishing normal traffic patterns from anomalies like brute force, port scans, or exfiltration.
π§ Exam logic: Look for volume anomalies (hundreds of requests in seconds), unusual ports, failed authentication spikes, and off-hours activity. The source IP and event frequency are your first clues.
Brute ForcePort ScanningExfiltrationSIEM Analysis
π§ Practice Simulator β Security Log Review
Review the authentication and network logs below from the past 60 seconds. Click the row you believe is suspicious, then identify the attack type from the dropdown.
Step 1 β Click the suspicious log entry
#
Timestamp
Source IP
Event
Status
Count
1
14:02:01
192.168.1.45
SSH login success β user: admin
SUCCESS
1
2
14:02:14
10.0.0.8
DNS query β google.com (A record)
OK
3
3
14:02:22
203.0.113.47
SSH login failed β user: root
FAILED
487
4
14:02:35
10.0.0.12
GET /dashboard HTTP/1.1 200
OK
8
5
14:02:58
192.168.1.22
NTP sync β pool.ntp.org
OK
2
Step 2 β Identify the attack type
Attack classification
π₯οΈ Endpoint Hardening & Secure Configuration
You're given a Windows workstation with its current settings and asked to configure it to meet a security baseline (like CIS Benchmarks). You enable/disable individual features using toggles or dropdowns.
π§ Exam logic: Disable all unnecessary services (Guest account, RDP if not needed, USB autorun). Enable protective services (Firewall, automatic updates, screen lock). Every enabled unnecessary feature is an attack surface.
π§ Practice Simulator β Windows Workstation Hardening
A new employee workstation has been deployed with default settings. Configure it to meet the company security baseline. Toggle each setting to its secure state β some are already correct, some need to be changed.
USB AutoRun / AutoPlayAutomatically execute code from USB drives
Screen Lock (15-min timeout)Auto-lock screen after inactivity
π€ Identity & Access Management Troubleshooting
You're given a set of users with their job roles and a permission list. Apply the principle of least privilege: grant only the permissions each role genuinely requires to do their job β nothing more.
π§ Exam logic: Least privilege means minimum necessary access. A Help Desk tech doesn't need financial data. A Finance analyst doesn't need system admin rights. Over-provisioning is a security failure even if it makes things convenient.
Least PrivilegeRBACNeed-to-Know
π§ Practice Simulator β Assign Minimum Permissions
Three employees need access configured. Check only the permissions each role genuinely needs to perform their job. Over-provisioning counts as an error.
π Cryptography & Secure Communication Selection
You're given security use cases and must select the correct cryptographic algorithm or protocol. Key distinctions: symmetric vs. asymmetric, hashing vs. encryption, and which algorithms are considered current vs. deprecated.
π§ Exam logic: MD5 and SHA-1 are broken β never use them. AES-256 for symmetric encryption. RSA-2048+ for asymmetric. bcrypt/Argon2 for passwords (not SHA). TLS 1.3 for transport. Understand why each is used, not just the name.
Match each security requirement to the most appropriate cryptographic algorithm or protocol. Select the best answer for each use case.
Select the correct algorithm for each use case
Use Case 1
Storing user passwords in a database securely
Use Case 2
Encrypting data in transit between browser and server
Use Case 3
Encrypting a large file for storage (symmetric)
Use Case 4
Securely exchanging a symmetric key with a remote server
Use Case 5
Verifying a file hasn't been tampered with (integrity check)
πΆ Wireless Security Configuration
You configure wireless network settings for different SSIDs (Corporate, Guest, IoT). Each SSID needs the right security protocol, authentication method, and network isolation setting to meet the policy.
π§ Exam logic: Corporate networks β WPA3-Enterprise + RADIUS/802.1X (individual credentials). Guest networks β WPA3-Personal + isolated VLAN (no access to internal). WPA2 is still acceptable but WPA3 is preferred. Never use WEP or open networks.
Configure two wireless networks per company policy: (1) CorpNet must use enterprise-grade authentication with individual user credentials. (2) GuestNet must provide internet access only β isolated from all internal resources.
Configure CorpNet (Corporate SSID)
Security Protocol
CorpNet encryption standard
Authentication Method
CorpNet β how users authenticate
Configure GuestNet (Guest SSID)
Security Protocol
GuestNet encryption standard
Network Isolation
GuestNet β access to internal resources
β‘ Vulnerability Prioritization & Remediation
You're given a vulnerability scan report with multiple findings. Rank them in remediation order, considering CVSS score, exploitability, asset exposure (internet-facing vs. internal), and business impact.
π§ Exam logic: CVSS score is a starting point, not the only factor. A Critical vuln on a public-facing server is always Priority 1. An internal-only Critical can sometimes wait for a scheduled patch window. Exposure + severity + asset criticality = real risk.
π§ Practice Simulator β Rank Vulnerabilities for Remediation
Your vulnerability scanner found 5 issues. Assign each a remediation priority ranking (1 = fix immediately, 5 = lowest urgency). Each rank must be used exactly once.
Assign remediation priority (1β5) to each vulnerability
CVE-2024-1001 β Remote Code Execution
Public-facing web server Β· Apache 2.4.51 Β· Exploited in the wild
CVSS 9.8
CVE-2024-2002 β Privilege Escalation
Internal domain controller Β· Windows Server 2019 Β· No public exploit yet
CVSS 9.4
CVE-2024-3003 β SQL Injection
Internal HR database Β· Not internet-facing Β· Auth required
CVSS 8.1
CVE-2024-4004 β Stored XSS
Internal intranet portal Β· Employees only Β· No sensitive data
CVSS 6.5
CVE-2024-5005 β Information Disclosure
Development/test server Β· Internal only Β· No production data
CVSS 3.2
π― Readiness Quiz
5 quick questions to assess where you are in your Security+ journey and what to focus on next.
Question 1 of 5
π PBQ Prep Strategy
Choose a study timeline that fits your schedule. Each plan builds PBQ skills systematically before exam day.
β οΈ 7-day plans work best if you already have solid Security+ fundamentals and just need PBQ-specific drilling.
Complete all 8 PBQ simulators in a single timed session
β±οΈ Time Management on Exam Day
The biggest PBQ mistake is time mismanagement. Here's a proven approach:
β Budget 8 minutes per PBQ. With 3β5 PBQs, that's 24β40 minutes. You have 90 minutes total, leaving 50β66 minutes for ~85 multiple-choice questions (~45 sec each).
π‘ Flag and move on. If you're stuck past 8 minutes, flag the PBQ and move to multiple choice. Return with leftover time. Partial credit beats no credit.
β οΈ Never leave fields blank. An unanswered PBQ question is 100% wrong. A guess has some chance of partial credit. Always make a selection, even if unsure.
β Frequently Asked Questions
The most common questions about Security+ PBQs β answered clearly.
How many PBQs are on the Security+ SY0-701 exam?βΌ
CompTIA does not publish an exact PBQ count per exam version, and it may vary between test forms. Based on candidate reports and CompTIA documentation, most exam-takers encounter 3 to 5 PBQs. They are always presented at the beginning of the exam before multiple-choice questions begin.
Do PBQs count more than multiple-choice questions?βΌ
CompTIA uses an adaptive scoring model and does not publicly break down per-question point values. However, PBQs are generally multi-part β meaning they can have multiple scoring components within a single question. A single PBQ may be worth the equivalent of several multiple-choice questions. Missing all PBQs makes passing extremely difficult.
Can I skip PBQs and come back to them?βΌ
Yes. You can flag any question and return to it later using the exam navigation. This is a recommended strategy for PBQs β if you're stuck, flag it, move through the multiple-choice section, and return with remaining time. Do not let one difficult PBQ consume your entire exam window.
Are PBQs the same for every candidate?βΌ
No. CompTIA maintains a pool of PBQ scenarios and different exam versions draw from different scenarios. The specific scenario you see (which network to configure, which logs to analyze) will differ between candidates. However, the types of PBQs (firewall, log analysis, etc.) and the underlying knowledge required remain consistent across versions β which is why practicing all 8 types is important.
What tools or references can I use during PBQs?βΌ
You have access to a basic calculator (provided by the testing platform) but no external references, notes, or internet access. The exam is closed-book. Some PBQ scenarios include a help panel with relevant documentation or a reference chart β these are part of the simulation and you should use them.
How is partial credit handled for PBQs?βΌ
CompTIA does award partial credit on multi-part PBQs. If a PBQ has 6 configuration decisions and you get 4 correct, you earn partial credit for those 4. This is why you should never leave a PBQ completely blank β even an educated guess on every field is better than an empty submission. Complete every part before moving on.
Which PBQ type do candidates find hardest?βΌ
Based on candidate feedback, Log Analysis and Network Diagram Placement are most commonly reported as challenging. Log analysis requires pattern recognition under time pressure. Network diagrams require understanding the why of security architecture, not just memorizing device names. Both reward hands-on lab practice over passive reading.
Should I use a PBQ simulator to prepare?βΌ
Absolutely β it's the most effective preparation method. Reading about firewall rules is very different from configuring them under time pressure. Interactive simulators (like the ones in the PBQ Types tab) build procedural memory β the kind that holds up under exam stress. Aim to attempt each PBQ type at least 3 times until the answers become intuitive.
How has SY0-701 changed the PBQ format from SY0-601?βΌ
SY0-701 introduced stronger emphasis on cloud security, zero trust architecture, and automation/orchestration scenarios within PBQs. Vulnerability prioritization questions now incorporate real-world exposure context, not just CVSS score alone. The cryptography questions increasingly test understanding of why certain algorithms are deprecated (MD5, SHA-1, DES) rather than just asking you to name them.
What's the passing score for Security+ SY0-701?βΌ
The passing score is 750 on a scale of 100β900. This is a scaled score β the raw percentage required to hit 750 varies slightly between exam versions due to adaptive scoring. As a general guideline, aim for 80%+ accuracy in your practice to have a comfortable margin above the threshold.
Can I use a virtual lab instead of PBQ simulators to prepare?βΌ
Yes, and it's recommended. Setting up a home lab (using VirtualBox/VMware with pfSense, Windows Server, and a SIEM like Security Onion) builds deeper intuition than simulators alone. However, simulators are faster and more targeted for exam-specific practice. The ideal approach: labs for understanding, simulators for exam conditioning.
How long should I study before attempting the exam?βΌ
Varies significantly by background. Candidates with 1β2 years of IT experience typically need 60β100 hours of focused study. Those starting with limited IT background often need 120β160 hours. The 30-day plan in the Prep Strategy tab is designed for full-time working professionals spending ~2 hours per day. Key signal: consistently scoring 80%+ on full practice exams before scheduling.
Free PBQ Practice Β· flashgenius.net
Ready to Practice More PBQs?
FlashGenius offers additional Security+ practice questions and interactive study tools.