100 CompTIA Security+ Terms You Need to Know Before Exam Day
By Tyrone E. Wilson | Cover6 Academy
CompTIA Security+ is the gold standard for IT security professionals—and for good reason. It covers everything from cryptography to incident response. But before you tackle the SY0-701 exam, you need to speak the language. This guide breaks down 100 essential Security+ terms in plain English, so you can study confidently and pass your first attempt.
Watch: Security+ 100 Terms
Build your vocabulary before diving into practice questions. This video covers the most important terms — explained clearly, no fluff.
Threats, Vulnerabilities & Attacks
1. Threat — Any circumstance or event with the potential to cause harm to a system or organization. Threats can be human (hackers, insiders) or natural (weather, equipment failure).
2. Vulnerability — A weakness in a system or process that can be exploited to cause harm. All software has vulnerabilities; finding and patching them before attackers do is the core of security.
3. Risk — The probability that a threat will exploit a vulnerability and cause impact. Risk = Threat × Vulnerability × Impact. Your job is to reduce it.
4. Malware — Malicious software designed to damage or compromise a system. This includes viruses, worms, trojans, ransomware, spyware, and adware.
5. Ransomware — Malware that encrypts files or locks systems until the victim pays a ransom. Modern ransomware targets both data and operations, causing millions in damage.
6. Phishing — Fraudulent attempts to trick users into revealing credentials or installing malware through deceptive emails, texts, or websites. The most successful attack vector against organizations.
7. Spear Phishing — Targeted phishing attacks personalized with victim details (name, company, job title) to increase success rates. Far more effective than mass phishing.
8. Social Engineering — Manipulating people into revealing information or performing actions that compromise security. Often more effective than technical attacks.
9. Brute Force Attack — Trying all possible password combinations until one works. Modern password hashing and account lockouts make this less practical, but it’s still a viable threat to weak passwords.
10. Dictionary Attack — A faster variant of brute force using a pre-built list of common passwords. Why try billions of random combinations when most people use “password123”?
11. Rainbow Table — Pre-computed hash values for common passwords, used to crack stolen password hashes instantly. Salting passwords defeats rainbow tables.
12. SQL Injection — Inserting malicious SQL code into web form inputs to manipulate databases. One of the oldest and most dangerous web vulnerabilities.
13. Cross-Site Scripting (XSS) — Injecting malicious JavaScript into web pages viewed by other users, stealing their session cookies or credentials. Two types: reflected (temporary) and stored (persistent).
14. Man-in-the-Middle (MITM) Attack — An attacker positioned between two parties intercepts and potentially modifies their communications. HTTPS prevents this by encrypting data in transit.
15. Zero-Day — A vulnerability unknown to vendors and security researchers, making it impossible to patch. Attackers with zero-day knowledge have a significant advantage until the vulnerability is disclosed.
16. Exploit — Code or technique that takes advantage of a vulnerability to compromise a system. Exploits are weaponized vulnerabilities.
17. Payload — The malicious code or instructions delivered after an exploit succeeds. The payload might install backdoors, exfiltrate data, or destroy systems.
18. Command Injection — Inserting operating system commands into application inputs to execute arbitrary code. Similar to SQL injection but targeting the OS level.
19. Privilege Escalation — Gaining higher-level permissions than initially granted. A user account might escalate to administrator, or an application might escalate to system level.
20. Lateral Movement — Moving from one compromised system to another within a network. After breaching your first foothold, attackers move laterally toward high-value targets.
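Terms 12 and 18 both describe injection: untrusted input that changes the structure of a command instead of being treated as data. The following Python example is added here to show the difference between a vulnerable lookup and its hardened form; it is not code from the original article or from Cover6 Academy. It uses an in-memory SQLite table with constructed sample rows, and the function and table names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the input is concatenated into the SQL text, so quote
    characters in the input can change the query's logic."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Hardened: a parameterized query. The driver sends the value separately
    from the SQL text, so the input can only ever match a name."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Constructed input that would appear in a web form field. Against the
# vulnerable function it turns the WHERE clause into an always-true test.
CRAFTED_INPUT = "x' OR '1'='1"


def demo():
    """Return how each lookup behaves for a normal name and the crafted input."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_crafted": lookup_vulnerable(conn, CRAFTED_INPUT),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_crafted": lookup_safe(conn, CRAFTED_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row for the crafted input, because the concatenated query no longer filters on the name. The parameterized version returns nothing, because the same string is compared literally against the name column. The same principle applies to term 18: pass operating system commands as an argument list rather than building a shell string from user input.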
Cryptography & Hashing
21. Cryptography — The science of protecting information through encoding and decoding. Cryptography protects confidentiality, integrity, and authenticity.
22. Encryption — Converting readable data (plaintext) into unreadable format (ciphertext) using an algorithm and key. Only someone with the correct key can decrypt it.
23. Symmetric Encryption — Both parties use the same key to encrypt and decrypt. Fast and efficient, but distributing the key securely is a challenge. AES is the current standard.
24. Asymmetric Encryption — Using different keys for encryption (public key) and decryption (private key). Solves key distribution but is slower than symmetric encryption.
25. AES (Advanced Encryption Standard) — The U.S. government standard symmetric encryption algorithm. AES-256 is considered quantum-resistant.
26. RSA — A widely-used asymmetric encryption algorithm using prime number factorization. RSA is used for key exchange and digital signatures.
27. Elliptic Curve Cryptography (ECC) — A newer asymmetric encryption method using elliptic curves, offering stronger security with smaller key sizes than RSA. Increasingly used in modern systems.
28. Hash Function — An algorithm that converts data of any size into a fixed-length string (hash) that uniquely represents it. Hashing is one-way; you cannot reverse it to recover original data.
29. MD5 & SHA-1 — Older cryptographic hash functions that are now considered broken and should not be used for security purposes. Both are vulnerable to collision attacks.
30. SHA-256 & SHA-3 — Modern hash functions considered secure. SHA-256 is widely used; SHA-3 is the newest standard.
31. Salt — Random data added to a password before hashing, ensuring identical passwords produce different hashes. Defeats rainbow tables and makes password cracking much harder.
32. HMAC (Hash-based Message Authentication Code) — A hash combined with a secret key to verify both authenticity and integrity of a message. Used in APIs and signed communications.
33. Digital Signature — Cryptographic proof that a message was created by a specific person and hasn’t been altered. Uses asymmetric encryption to prove authenticity and non-repudiation.
34. Public Key Infrastructure (PKI) — The framework for managing digital certificates, keys, and the trust relationships between parties. Every HTTPS connection relies on PKI.
35. Certificate Authority (CA) — A trusted organization that issues and signs digital certificates. CAs verify identity and vouch for public keys.
36. X.509 Certificate — The standard format for digital certificates containing a public key, certificate holder information, CA signature, and expiration date. Your browser uses these every day.
37. Certificate Revocation List (CRL) — A list of certificates that have been revoked before expiration. Browsers check CRLs to ensure certificates are still valid.
38. OCSP (Online Certificate Status Protocol) — A real-time alternative to CRLs for checking certificate validity. Faster and more current than CRL-based checking.
39. TLS (Transport Layer Security) — The modern standard for encrypting communications between browsers and websites. TLS 1.3 is the current version; anything older is deprecated.
40. SSL/TLS Handshake — The initial exchange between client and server establishing encryption parameters, verifying certificates, and creating session keys. Understanding this is essential for Security+.
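Terms 28, 29, 31 and 32 (and terms 10 and 11 above) come together in how passwords and messages are actually protected. The following Python example is added here to show why an unsalted MD5 hash can be reversed with a precomputed table, how a per-user salt plus a slow hash defeats that, and how an HMAC detects tampering. It is not code from the original article or from Cover6 Academy; the wordlist and the hash parameters are constructed for the demonstration, and PBKDF2-HMAC-SHA256 from the standard library is used as the slow hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor for PBKDF2; constructed for the demo


def md5_unsalted(password):
    """Legacy scheme (term 29): fast hash, no salt. Identical passwords give
    identical digests, which is what makes rainbow tables work."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precomputed digest -> password map, the idea behind a rainbow table
    (term 11). The wordlist here is a constructed dictionary (term 10)."""
    return {md5_unsalted(word): word for word in wordlist}


def hash_password(password, salt=None):
    """Salted, slow hash (term 31). Returns (salt, digest); the salt is
    random per user and stored alongside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def sign_message(key, message):
    """HMAC-SHA256 tag over a message (term 32)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key, message, tag):
    """True only if the message and key both match the tag."""
    return hmac.compare_digest(sign_message(key, message), tag)


if __name__ == "__main__":
    table = build_lookup_table(["password123", "letmein", "qwerty"])
    leaked = md5_unsalted("password123")
    print("unsalted MD5 recovered from table:", table.get(leaked))

    salt_a, digest_a = hash_password("password123")
    salt_b, digest_b = hash_password("password123")
    print("same password, different salted digests:", digest_a != digest_b)
    print("verify correct password:", verify_password("password123", salt_a, digest_a))

    key = os.urandom(32)
    tag = sign_message(key, b"transfer=100")
    print("tampered message rejected:", not verify_message(key, b"transfer=1000", tag))
```

Two users who chose the same password get the same MD5 digest, so one table lookup recovers both; with a random salt their digests differ and the table is useless, while the iteration count slows each guess. The HMAC check fails if either the message or the key changes, which is the integrity and authenticity guarantee term 32 describes. `hmac.compare_digest` is used in both checks so that comparison time does not leak how many bytes matched.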
Authentication & Access Control
41. Authentication — Verifying someone’s identity. Something you know (password), something you have (phone, key), or something you are (biometric).
42. Authorization — Granting or denying access based on verified identity. Just because you’re authenticated doesn’t mean you’re authorized to access everything.
43. Accounting — Logging and tracking user actions and access. “Who did what, when, and where?” Accounting creates the audit trail.
44. Multi-Factor Authentication (MFA) — Requiring two or more authentication factors to verify identity. Security+ emphasizes MFA as non-negotiable for sensitive systems.
45. Something You Know — A memorized secret like a password or PIN. Easy to use but vulnerable to phishing and brute force.
46. Something You Have — A physical object like a security key, smart card, or phone. Adds significant security but introduces complexity.
47. Something You Are — Biometric factors like fingerprints, face, or iris scans. Convenient but can be spoofed and raises privacy concerns.
48. RADIUS (Remote Authentication Dial-In User Service) — A protocol for centralized authentication and authorization. Used for VPNs, wireless networks, and remote access.
49. TACACS+ — A more secure alternative to RADIUS with separate authentication, authorization, and accounting. Used in enterprise networks.
50. LDAP (Lightweight Directory Access Protocol) — A protocol for accessing directory services like Active Directory. Used for authenticating and managing user accounts at scale.
51. SAML (Security Assertion Markup Language) — An XML-based standard for single sign-on (SSO) between organizations. Widely used for cloud SaaS authentication.
52. OAuth 2.0 — An open standard for authorization allowing users to log in with third-party accounts (Google, Facebook) without sharing passwords. More user-friendly than SAML.
53. Access Control List (ACL) — A list specifying which users have access to which resources. The foundation of permission management.
54. Role-Based Access Control (RBAC) — Granting permissions based on job roles (admin, user, viewer) rather than individual identities. Simplifies management at scale.
55. Attribute-Based Access Control (ABAC) — Granting access based on attributes like department, clearance level, or location. More flexible than RBAC but more complex to implement.
56. Principle of Least Privilege (PoLP) — Granting users only the minimum permissions needed to do their job. Reduces attack surface if an account is compromised.
57. Separation of Duties — Splitting critical functions among multiple people so no single person can cause major damage alone. A critical control in finance and HR.
58. Single Sign-On (SSO) — Logging in once to access multiple systems and applications. Convenient for users but a high-value target for attackers.
59. Session Management — Creating, maintaining, and terminating user sessions securely. Poor session management is a common vulnerability.
60. Session Timeout — Automatically logging out users after a period of inactivity. Prevents unauthorized access to unattended devices.
Network Security
61. Firewall — A security device or software controlling traffic between networks based on rules. The first line of defense for most organizations.
62. Stateful Firewall — Tracks active connections and allows return traffic for established connections. The standard in modern deployments.
63. Next-Generation Firewall (NGFW) — A firewall with advanced features like application awareness, intrusion prevention, and threat intelligence. Offers deeper inspection than traditional firewalls.
64. Intrusion Detection System (IDS) — A system monitoring network traffic for suspicious activity and alerting when threats are detected. IDS watches and warns.
65. Intrusion Prevention System (IPS) — Like an IDS but with the ability to actively block malicious traffic. IPS watches and stops.
66. Web Application Firewall (WAF) — Protects web applications by filtering HTTP/HTTPS traffic. Defends against SQL injection, XSS, DDoS, and other application-layer attacks.
67. Network Segmentation — Dividing a network into separate zones with restricted traffic between them. Limits lateral movement if one zone is breached.
68. DMZ (Demilitarized Zone) — A network segment between the internet and internal network hosting public-facing services. If a DMZ server is breached, the internal network is protected.
69. VLAN (Virtual LAN) — A logical network segment created within a physical switch. Used to separate traffic and restrict access without running separate cables.
70. VPN (Virtual Private Network) — Encrypts all traffic over a public network, creating a secure tunnel. Essential for remote workers accessing corporate networks.
71. IPsec — The protocol suite underlying site-to-site VPN connections. Provides encryption at the IP layer.
72. Proxy Server — An intermediary server handling requests on behalf of clients. Can filter traffic, improve performance, and anonymize users.
73. Reverse Proxy — A proxy server sitting in front of web servers, accepting requests from clients. Used for load balancing and WAF functionality.
74. DNS Filtering — Blocking access to malicious domains at the DNS level. Prevents users from reaching known bad sites.
75. Zero Trust Architecture — Never trust, always verify. Every access request is authenticated and authorized regardless of source. The modern security standard.
76. Microsegmentation — Breaking networks into small, isolated zones with strict access controls. Implements zero trust principles in practice.
77. EDR (Endpoint Detection and Response) — Software installed on devices monitoring for suspicious activity and enabling quick response. The modern endpoint security standard.
78. XDR (Extended Detection and Response) — Unified visibility across endpoints, networks, and applications with automated response. The evolution beyond EDR.
79. Network Access Control (NAC) — Enforces that only compliant, healthy devices can connect to the network. Checks patch level, antivirus, and configuration before allowing access.
80. 802.1X — The IEEE standard for port-based network access control. Requires authentication before network access is granted.
Incident Response & Risk Management
81. Incident Response — The structured process for responding to security incidents: detection, analysis, containment, eradication, recovery, and lessons learned.
82. MTTR (Mean Time to Respond) — The average time from incident detection to first response. Faster response reduces damage.
83. MTBF (Mean Time Between Failures) — The average time a system operates before failing. Higher MTBF means more reliable systems.
84. RTO (Recovery Time Objective) — The maximum acceptable time to restore a service after an incident. Your target for how long downtime can last.
85. RPO (Recovery Point Objective) — The maximum acceptable data loss measured in time. How old is the most recent acceptable backup?
86. Forensics — The scientific process of investigating incidents by collecting, analyzing, and preserving evidence. Results must stand up in court.
87. Chain of Custody — Documenting the handling of evidence from collection through presentation. Critical for maintaining evidence integrity.
88. Data Exfiltration — Unauthorized copying or transmission of data outside the organization. Often the true goal of breaches; theft matters more than damage.
89. Containment — Stopping an attack’s spread during an incident. Isolate compromised systems, revoke credentials, and limit access.
90. Eradication — Removing the attacker’s presence from the environment. Patches, credential resets, and malware removal ensure they can’t maintain access.
91. Risk Assessment — Systematically identifying threats, vulnerabilities, and impact to prioritize security investments. Quantitative uses numbers; qualitative uses judgment.
92. Risk Mitigation — Taking action to reduce risk through patches, controls, or process changes. The goal is acceptable risk, not zero risk.
93. Risk Acceptance — Consciously deciding to accept remaining risk because mitigation cost exceeds potential impact. A valid business decision.
94. Risk Avoidance — Eliminating a risk entirely by not doing the risky activity. Sometimes the right choice.
95. Risk Transfer — Shifting risk to another party through insurance or outsourcing. Insurance transfers financial risk; outsourcing transfers responsibility.
96. Vulnerability Management — The continuous process of discovering, prioritizing, and remediating vulnerabilities. A core security function.
97. Patch Management — Systematically applying security updates to systems. The most cost-effective security control available.
98. Compliance — Meeting regulatory requirements like HIPAA, PCI-DSS, GDPR, or industry standards. Non-compliance carries legal and financial penalties.
99. Penetration Testing — Authorized simulated attacks to discover vulnerabilities before attackers do. Red team vs. blue team exercises.
100. CompTIA Security+ Certification — The industry-leading vendor-neutral security certification validating competency in threats, cryptography, access control, networking, and incident response. Your entry ticket to cybersecurity careers.
Ready to Ace Your Security+ Exam?
These 100 terms are just the foundation. At Cover6 Academy, we’ve built courses and practice exams that break down the real concepts tested on Security+. We’re not SANS, and we don’t gatekeep knowledge—we make cybersecurity accessible to everyone with the drive to learn.
Start your Security+ journey:
- Take full practice exams: cover6solutions.com/courses
- Join The6 community: cover6solutions.com/the6
- Subscribe on YouTube: youtube.com/c/cover6solutions
- Join our Discord: discord.gg/x7MXS3yMqb
Your success is our reward. — The Cover6 Solutions Team