Top 10 CompTIA Security+ interview questions and how to answer them in 2026
Security+ SY0-701 is the cert gate for L1 SOC and junior security-analyst roles. The voucher costs $404, the exam runs up to 90 questions (multiple-choice plus performance-based) in 90 minutes, and passing takes 750 on a 100–900 scale. Having it on your resume gets you the interview; in federal and DoD-contractor pipelines it is a hard ATS requirement under DoD 8140. Answering these 10 questions correctly gets you the offer.
These questions came up most frequently in entry-level security and SOC analyst interviews reported by candidates in 2025–2026. They test whether you can apply Security+ concepts to real incidents, not just recite definitions — and there is a wrong answer to each one that certified-but-inexperienced candidates give.
The 10 questions
1. What is the CIA triad and give an example of a control for each?
Confidentiality, Integrity, Availability. Confidentiality: AES-256 disk encryption, RBAC, TLS in transit. Integrity: SHA-256 hashing, HMAC, digital signatures, file-integrity monitoring. Availability: redundancy, DDoS mitigation, RAID, backups, hot standby. The interviewer is checking whether you can pair each property with a concrete control. Reciting only the acronym is the disqualifying answer — a tired interviewer has heard it 50 times this week.
2. Symmetric vs asymmetric encryption — when do you use each?
Symmetric (AES) uses one shared key to encrypt and decrypt; it is orders of magnitude faster and is what you use for bulk data. Asymmetric (RSA, ECC) uses a public/private keypair; it is slower and is used for key exchange and digital signatures. Real systems combine them: the TLS handshake uses asymmetric cryptography (ECDHE key agreement, authenticated by an RSA or ECDSA signature from the server certificate; TLS 1.2 also allowed plain RSA key transport) to establish a symmetric session key, then AES-GCM or ChaCha20-Poly1305 protects the actual traffic. Saying “asymmetric is more secure” is the wrong answer; they solve different problems. The interviewer wants to hear the hybrid pattern.
3. What is the difference between an IDS and an IPS?
An IDS (intrusion detection system) sits passively out of band: it sees a copy of traffic via a SPAN port or tap and alerts. An IPS (intrusion prevention system) sits inline and can drop, reset, or shape traffic in real time. The trade-off is latency and blast radius: a mis-tuned IPS blocks legitimate users; a mis-tuned IDS only generates noisy alerts. Modern stacks combine an IPS at the perimeter with host-based EDR (CrowdStrike, Defender for Endpoint) for visibility on the endpoint and on east-west (lateral) movement that never crosses the perimeter.
4. Vulnerability vs threat vs risk — explain the difference.
A vulnerability is a weakness (a build still carrying the CVE-2024-3094 backdoor in xz-utils). A threat is the actor or event that could exploit it (a ransomware affiliate, an insider). Risk is the likelihood that a threat exploits the vulnerability multiplied by the impact if it does. CVSS scores the vulnerability in isolation; a risk register prioritises remediation by likelihood × impact in context (exposure, exploit availability, asset criticality), which is why a CVSS 9.8 on an air-gapped device may sit below a CVSS 6.5 on the public-facing portal. Confusing “CVSS score” with “risk” is the rookie answer.
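A small risk-register scorer makes the CVSS-versus-risk point concrete. This is an added example, not code from the page or from any scanner product; the exposure weights, the “known exploited” multiplier, the 1–5 criticality scale and the sample assets are illustrative assumptions that a real program would tune to its own environment.

```python
from dataclasses import dataclass

# Added example: rank findings by likelihood x impact instead of by raw CVSS.
# The weights below are assumptions for illustration, not a published standard.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.4, "air-gapped": 0.05}


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str             # free-text description of the weakness
    cvss: float            # base score 0.0-10.0: severity of the weakness in isolation
    exposure: str          # who can reach it: "internet", "internal" or "air-gapped"
    known_exploited: bool  # e.g. listed in CISA KEV or seen in active threat reporting
    criticality: int       # business value of the asset, 1 (low) .. 5 (crown jewel)


def likelihood(f: Finding) -> float:
    """Chance the weakness is actually exploited: reachability x exploitability, capped at 1."""
    score = EXPOSURE_WEIGHT[f.exposure] * (f.cvss / 10.0)
    if f.known_exploited:
        score *= 2.0  # a weaponised bug is far more likely to be used than a theoretical one
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """Business impact if exploitation succeeds, normalised to 0..1."""
    return f.criticality / 5.0


def risk(f: Finding) -> float:
    """Risk = likelihood x impact: the number a risk register sorts on."""
    return round(likelihood(f) * impact(f), 3)


def prioritise(findings: list[Finding]) -> list[tuple[str, float, float]]:
    """Return (asset, cvss, risk) tuples, highest risk first."""
    ranked = sorted(findings, key=risk, reverse=True)
    return [(f.asset, f.cvss, risk(f)) for f in ranked]


# Constructed sample register (hypothetical assets; no real CVE identifiers).
SAMPLE_FINDINGS = [
    Finding("plc-controller-07", "unauthenticated RCE in OT firmware", 9.8, "air-gapped", False, 3),
    Finding("customer-portal", "auth bypass in web framework", 6.5, "internet", True, 5),
    Finding("file-server-02", "privilege escalation in SMB service", 8.1, "internal", False, 4),
]

if __name__ == "__main__":
    for asset, cvss, r in prioritise(SAMPLE_FINDINGS):
        print(f"{asset:20} CVSS {cvss:4}  risk {r:.3f}")
```

Sorted by CVSS alone the air-gapped controller would come first; sorted by risk it drops to the bottom because almost nothing can reach it, while the internet-facing portal with a known-exploited CVSS 6.5 tops the list.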
5. What is the principle of least privilege and how would you implement it?
Give every identity (user, service account, role) the minimum permissions required to perform its job — and remove them when no longer needed. Implementation: role-based access control with named roles tied to job functions, time-bound just-in-time elevation for admin tasks (Azure PIM, AWS IAM Identity Center), regular access reviews, and automated deprovisioning on offboarding. Mentioning “deny all by default” and just-in-time access signals operational maturity beyond the textbook definition.
6. How would you respond to a phishing email reported by an employee?
Preserve the original message with full headers (have the reporter forward it as an attachment, not inline). Search the mail gateway for the same sender, subject, or URL across the org. Block the sender domain and embedded URLs at the proxy and email gateway. Query the SIEM (proxy and DNS logs) for users who clicked. Reset credentials and revoke active sessions for any user who entered them on a lookalike page. Submit IOCs to your threat-intel platform (MISP, OpenCTI). Do not open the URL on a corporate workstation; detonate it in a sandbox (Joe Sandbox, urlscan.io). Walking through these steps in order proves you’ve worked an actual ticket.
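The “search the gateway, find the clickers, find who submitted credentials” steps, run over constructed log excerpts. This is an added example, not code from the page; the key=value log layout, the domains, the users and the timestamps are all invented for the demo, and a real SOC would map the field names onto its own gateway and proxy schemas.

```python
import re
from urllib.parse import urlparse

# Added example: pivot from one reported phish to the whole campaign and its victims.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # parses key=value and key="quoted value" fields

# Constructed mail-gateway export (one delivered message per line; fictional domains).
MAIL_LOG = """\
2026-05-12T08:01:10Z from=payroll@examp1e-corp.com to=alice@example.com subject="Updated payroll portal" url=https://examp1e-corp.com/login
2026-05-12T08:01:12Z from=payroll@examp1e-corp.com to=bob@example.com subject="Updated payroll portal" url=https://examp1e-corp.com/login
2026-05-12T08:03:40Z from=hr@example.com to=carol@example.com subject="Benefits enrollment" url=https://hr.example.com/enroll
2026-05-12T08:05:02Z from=noreply@examp1e-corp.com to=dave@example.com subject="Action required: payroll" url=https://examp1e-corp.com/login?u=dave
"""

# Constructed web-proxy export (authenticated user per request).
PROXY_LOG = """\
2026-05-12T08:04:11Z user=bob@example.com method=GET host=examp1e-corp.com path=/login status=200
2026-05-12T08:04:35Z user=bob@example.com method=POST host=examp1e-corp.com path=/login status=302
2026-05-12T08:06:50Z user=carol@example.com method=GET host=hr.example.com path=/enroll status=200
2026-05-12T08:09:14Z user=dave@example.com method=GET host=examp1e-corp.com path=/login status=200
"""


def parse_log(text: str) -> list[dict]:
    """Turn each non-empty line into a dict of its key=value fields (quotes stripped)."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if line.strip()]


def url_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def campaign_messages(mail_log: str, reported_sender: str) -> list[dict]:
    """Every message sent from the reported sender's domain or linking to that domain."""
    domain = reported_sender.split("@")[1].lower()
    hits = []
    for msg in parse_log(mail_log):
        sender_domain = msg["from"].split("@")[1].lower()
        if domain in (sender_domain, url_host(msg.get("url", ""))):
            hits.append(msg)
    return hits


def clickers(proxy_log: str, hosts: set[str]) -> tuple[set[str], set[str]]:
    """Users who requested a lure host at all, and users who POSTed to one (likely entered creds)."""
    clicked, submitted = set(), set()
    for ev in parse_log(proxy_log):
        if ev["host"].lower() in hosts:
            clicked.add(ev["user"])
            if ev["method"].upper() == "POST":
                submitted.add(ev["user"])
    return clicked, submitted


def triage(mail_log: str, proxy_log: str, reported_sender: str) -> dict:
    """Produce the action lists an analyst needs: what to block, who to warn, whose creds to reset."""
    msgs = campaign_messages(mail_log, reported_sender)
    hosts = {url_host(m["url"]) for m in msgs if m.get("url")}
    clicked, submitted = clickers(proxy_log, hosts)
    return {
        "block_domains": sorted(hosts | {reported_sender.split("@")[1].lower()}),
        "recipients": sorted(m["to"] for m in msgs),
        "clicked": sorted(clicked),
        "reset_credentials": sorted(submitted),  # reset password + revoke sessions for these
    }


if __name__ == "__main__":
    for key, value in triage(MAIL_LOG, PROXY_LOG, "payroll@examp1e-corp.com").items():
        print(f"{key:18} {value}")
```

Note that the pivot catches the second lure (`noreply@` with a different subject) because it links to the same domain, and that a POST to the lure host, not a mere GET, is what puts a user on the credential-reset list.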
7. Hashing vs encryption — and why salt passwords?
Hashing is one-way (SHA-256, BLAKE3); you can’t recover the input. Encryption is two-way (AES); you can decrypt with the key. Passwords are hashed, never encrypted. A salt is a unique random value per password, stored alongside the hash, so identical passwords produce different hashes; that defeats precomputed rainbow tables and forces an attacker to crack each hash separately. Use a slow, preferably memory-hard KDF designed for passwords: Argon2id in 2026, with scrypt, bcrypt and PBKDF2 as legacy-acceptable, and store the algorithm and work factor with the hash so you can raise it later. Suggesting SHA-256 alone for password storage is the disqualifying answer.
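The disqualifying answer next to an acceptable one, in code. This is an added example, not from the page: it uses PBKDF2-HMAC-SHA256 from the Python standard library because Argon2id needs a third-party package (argon2-cffi, for instance), so the legacy-acceptable KDF keeps the demo dependency-free; the record format, the iteration count and the sample password are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example: salted, iterated password hashing beside the unsalted SHA-256 anti-pattern.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def unsalted_sha256(password: str) -> str:
    """The wrong way: fast and unsalted, so every user with this password shares one digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest' (hex fields)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # 128-bit random salt, unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # no timing leak


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a lower work factor: rehash on the next successful login."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))  # identical: one crack breaks both accounts
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print("salted, user A:  ", rec_a)
    print("salted, user B:  ", rec_b)                 # different salts, different digests
    print("verify:", verify_password(pw, rec_a), "wrong password:", verify_password("Password1", rec_a))
```

Two users sharing a password get one identical SHA-256 digest but two unrelated PBKDF2 records, and the stored iteration count lets you migrate to a higher work factor (or, with a new algorithm tag, to Argon2id) without forcing a password reset.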
8. How does the TLS 1.3 handshake differ from TLS 1.2?
TLS 1.3 completes a full handshake in 1-RTT (with optional 0-RTT on resumption, which is replayable and therefore safe only for idempotent requests) versus 2-RTT for TLS 1.2. It removes RSA key transport, static DH, CBC-mode suites, RC4, MD5, SHA-1 signatures, compression, and renegotiation, closing entire classes of attacks: ROBOT (RSA key exchange), BEAST and Lucky13 (CBC), CRIME (compression). Cipher suites are AEAD-only (AES-GCM, ChaCha20-Poly1305) and forward secrecy is mandatory via (EC)DHE. Recommending TLS 1.2 in 2026 is a red flag; the answer is “TLS 1.3 with TLS 1.2 retained only for compatibility, with weak suites disabled.”
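What “TLS 1.3 by default, TLS 1.2 fallback with weak suites disabled” looks like as a client configuration, with a permissive context beside it and an audit helper that flags RSA key transport and non-AEAD suites. This is an added example, not from the page; it uses only the standard-library `ssl` module and assumes Python 3.7+ built against OpenSSL 1.1.1 or later (the first release with TLS 1.3).

```python
import ssl

# Added example: the weak setting next to the corrected one, plus a policy check.


def permissive_client_context() -> ssl.SSLContext:
    """The weak setting: lowest protocol the library allows and OpenSSL's default suite list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")  # typically still includes RSA-key-exchange and CBC suites
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2 floor, TLS 1.3 negotiated whenever the server offers it, AEAD-only 1.2 suites."""
    ctx = ssl.create_default_context()           # loads system CAs, verifies cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 refused outright
    # Only TLS 1.2 suites with ephemeral ECDHE (forward secrecy) and an AEAD cipher survive.
    # TLS 1.3 suites are AEAD-only by design and are not governed by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    ctx.options |= ssl.OP_NO_COMPRESSION                    # CRIME
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)  # TLS 1.2 renegotiation (if supported)
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list[str]:
    """Enabled suites using RSA key transport (no forward secrecy; ROBOT) or lacking AEAD
    (the CBC-with-HMAC constructions behind BEAST and Lucky13)."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-rsa" or not c["aead"]]


def policy_report(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the context, suitable for a compliance check or a unit test."""
    suites = ctx.get_ciphers()
    return {
        "min_version": ctx.minimum_version.name,                       # e.g. 'TLSv1_2'
        "tls13_enabled": any(c["protocol"] == "TLSv1.3" for c in suites),
        "weak_suites": weak_suites(ctx),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, policy_report(ctx))
```

Run it and compare the two `weak_suites` lists: the permissive context normally lists suites such as AES128-SHA (RSA key transport, CBC), the hardened one lists none while still advertising the TLS 1.3 suites. The same cipher string and version floor apply to server-side contexts; the client side is shown because that is where an analyst can test it without a listening socket.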
9. Explain Zero Trust vs perimeter-based security.
Perimeter (“castle and moat”) trusts anyone inside the VPN or LAN by default. Zero Trust assumes the network is hostile and verifies every request: identity (strong MFA), device posture (managed, patched, EDR healthy), and explicit per-app authorization. Implementation is identity-aware proxies (Cloudflare Access, Zscaler, Google BeyondCorp), conditional access policies, micro-segmentation, and continuous re-authentication. Saying “Zero Trust means no trust” is the buzzword answer — the interviewer wants “never trust, always verify, with device and identity signals on every request.”
10. Walk me through the NIST 800-61 incident response lifecycle.
NIST SP 800-61r2 defines four phases: (1) Preparation: playbooks, tooling, training, tabletop exercises. (2) Detection and Analysis: SIEM alert triage, scope determination, severity classification. (3) Containment, Eradication, and Recovery: short-term containment (isolate the host), long-term containment (block IOCs at the perimeter, rotate exposed credentials), eradicate the foothold, restore from clean backups, validate. (4) Post-Incident Activity: root-cause analysis, a lessons-learned meeting held within days of closure (NIST’s own guidance), and tracked control updates, commonly due within 30 days. Revision 3 (2025) re-maps the same work onto the CSF 2.0 functions, but interviewers still expect the four r2 phases. Mentioning the lessons-learned deadline and the containment/eradication split shows you’ve actually run the lifecycle, not just memorised the headings.
What these questions test
Every question above has a “book answer” and an “operational answer.” Interviewers are looking for the operational version — the version that names Argon2id over SHA-256, TLS 1.3 over TLS 1.2, just-in-time access over standing admin, and the specific containment step before eradication. Passing SY0-701 proves you know the vocabulary. Answering these correctly proves you’ve worked alerts and would survive your first week in the SOC.
Practice Security+ questions right now — no signup
CertQuests has engineer-written SY0-701 practice questions with full explanations on every answer. Free, no account required.
Frequently asked questions
What is the CIA triad?
Confidentiality, Integrity, Availability — the three properties every security control protects or trades off. Encryption protects confidentiality, hashing and digital signatures protect integrity, redundancy and DDoS mitigation protect availability.
Symmetric vs asymmetric encryption — when do I use each?
Symmetric (AES) for bulk data — fast, one shared key. Asymmetric (RSA, ECC) for key exchange and signatures — slower, public/private pair. TLS combines them: asymmetric handshake negotiates a symmetric session key, then AES-GCM encrypts the traffic.
Should I still use bcrypt or SHA-256 for passwords in 2026?
Neither alone. Use Argon2id for new systems — the OWASP-recommended password KDF in 2026. bcrypt and PBKDF2 are acceptable for legacy systems but should be migrated. SHA-256 alone is never acceptable for password storage.
Is TLS 1.2 still acceptable in 2026?
Yes, for compatibility, with weak cipher suites (CBC modes, RSA key transport, SHA-1) disabled and renegotiation off. Default to TLS 1.3 wherever the client supports it. PCI DSS v4 requires “strong cryptography”, which in practice sets TLS 1.2 as the floor; modern guidance is “TLS 1.3 by default, TLS 1.2 fallback only.”
How much do entry-level security analysts make in 2026?
L1 SOC analyst with Security+ typically pays $65,000–$85,000 in the US. L2 and senior analyst roles reach $90,000–$120,000. The BLS reports a median of $120,360 (May 2023 survey data) for Information Security Analysts; Security+ is the entry gate, not the salary ceiling.
How we wrote this
No CompTIA or training-vendor revenue. Questions were sourced from candidate reports on Reddit r/CompTIA and r/cybersecurity, Discord study groups, and LinkedIn interview threads from 2025–2026, cross-referenced against the official Security+ SY0-701 exam objectives and the NIST 800-61r2 incident-response framework. Salary figures are cross-referenced against the BLS Information Security Analysts outlook and open postings on LinkedIn and Indeed as of Q2 2026. Tell us what you’d update.
Last reviewed: May 31, 2026.