The CompTIA Security+ SY0-701 is one of the most recognized entry-level cybersecurity certifications in the industry. It’s DoD-approved, vendor-neutral, and validates that you understand the real threats and controls organizations deal with every day.
But here’s the truth: you can’t just read your way to passing Security+. The exam tests scenario-based thinking. You need to understand why a control exists, how an attack works, and what you would do when something goes wrong.
That’s where home labs come in.
This post covers study strategies and specific labs you can build — most of them free or nearly free — organized around the five SY0-701 exam domains.
The SY0-701 Exam Domains
Before diving into labs, here’s what the exam actually covers:
| Domain | Weight |
|---|---|
| 1.0 General Security Concepts | 12% |
| 2.0 Threats, Vulnerabilities & Mitigations | 22% |
| 3.0 Security Architecture | 18% |
| 4.0 Security Operations | 28% |
| 5.0 Security Program Management & Oversight | 20% |
Domain 4 (Security Operations) is the heaviest at 28% — and it’s almost entirely hands-on topics: endpoint security, identity management, monitoring, incident response. Labs are the fastest way to lock that domain in.
Setting Up Your Lab Environment
You don’t need expensive hardware. A modern laptop or desktop with 8GB+ RAM (16GB preferred) is enough to run 2-3 VMs simultaneously.
Option 1: VirtualBox (Free)
Download from virtualbox.org. It’s free, cross-platform, and works well for most lab scenarios.
Option 2: VMware Workstation Player (Free for personal use)
Slightly better performance than VirtualBox. Available at vmware.com.
Core VMs to Download and Install
| VM | Purpose | Where to get it |
|---|---|---|
| Kali Linux | Attacker / pentesting | kali.org |
| Ubuntu Server 22.04 | Target / defender | ubuntu.com |
| Metasploitable 2 | Intentionally vulnerable target | SourceForge |
| Windows Server 2022 Eval | Active Directory, GPO, Windows attacks | Microsoft Eval Center |
| pfSense | Firewall / network segmentation | pfsense.org |
Set all VMs on an isolated host-only network so your attack traffic never touches the real internet.
Domain 1: General Security Concepts (12%)
This domain covers cryptography, authentication, PKI, and security controls. It’s heavy on theory but you can reinforce it with quick labs.
Lab 1 — Build Your Own Certificate Authority
Understanding PKI is much easier once you’ve actually signed a certificate.
1# On Ubuntu Server
2sudo apt install openssl -y
3
4# Create a root CA key and cert
5openssl genrsa -out rootCA.key 4096
6openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
7
8# Create a server key and CSR
9openssl genrsa -out server.key 2048
10openssl req -new -key server.key -out server.csr
11
12# Sign the CSR with your root CA
13openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
14 -CAcreateserial -out server.crt -days 365 -sha256
Now you understand: key pairs, CSRs, signing, the chain of trust. The exam loves this stuff.
Lab 2 — Hash Files and Verify Integrity
1# Generate hashes
2sha256sum /etc/passwd
3md5sum /etc/passwd
4
5# Tamper with the file, re-hash, and see it change
6echo "test" >> /etc/passwd.copy
7sha256sum /etc/passwd.copy
This directly maps to exam questions on integrity, hashing algorithms, and file verification.
Domain 2: Threats, Vulnerabilities & Mitigations (22%)
This is the most scenario-heavy domain. You need to recognize attack types, understand how they work, and know the mitigations.
Lab 3 — Run Your First Vulnerability Scan with OpenVAS
OpenVAS (Greenbone) is a free, professional-grade vulnerability scanner.
1# Install on Kali Linux
2sudo apt install gvm -y
3sudo gvm-setup
4sudo gvm-start
5
6# Access the web UI
7# https://localhost:9392
Scan Metasploitable 2 and review the results. Practice reading CVEs, CVSS scores, and understanding what the vulnerabilities actually mean. This maps directly to the vulnerability scanning and threat intelligence objectives.
Lab 4 — Exploit Metasploitable 2 with Metasploit
1# On Kali Linux
2msfconsole
3
4# Search for a known Metasploitable exploit
5msf6 > search vsftpd
6msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
7msf6 exploit > set RHOSTS 192.168.56.X
8msf6 exploit > run
Once you have a shell, you’ve just experienced what an attacker does after exploitation. Now you understand why patching matters and how the kill chain works in practice.
Lab 5 — Set Up a Phishing Simulation with GoPhish
GoPhish is a free phishing simulation framework. Set up a fake campaign against a test email account and watch how quickly people click.
1# Download GoPhish from github.com/gophish/gophish
2./gophish
3# Access UI at https://localhost:3333
This reinforces social engineering, phishing, and user awareness training — all testable on the exam.
Domain 3: Security Architecture (18%)
This domain covers network segmentation, cloud security, zero trust, infrastructure hardening, and resilience.
Lab 6 — Build a Segmented Network with pfSense
Install pfSense in VirtualBox and create three network zones:
- WAN (simulated internet)
- LAN (trusted internal)
- DMZ (servers exposed to the outside)
Configure firewall rules so that:
- DMZ can only accept traffic on ports 80/443
- LAN can initiate connections to DMZ but not the reverse
- Nothing from DMZ can reach LAN directly
This is network segmentation in practice. It makes exam questions about DMZs, firewall rule order, and implicit deny trivial to answer.
Lab 7 — Harden a Linux Server with a Security Baseline
Take a fresh Ubuntu Server install and apply a CIS (Center for Internet Security) benchmark:
1# Disable unused services
2sudo systemctl disable avahi-daemon
3sudo systemctl disable cups
4
5# Configure UFW firewall
6sudo ufw default deny incoming
7sudo ufw default allow outgoing
8sudo ufw allow ssh
9sudo ufw enable
10
11# Enforce strong password policy
12sudo apt install libpam-pwquality -y
13# Edit /etc/security/pwquality.conf
14# minlen = 14, dcredit = -1, ucredit = -1, ocredit = -1, lcredit = -1
15
16# Disable root SSH login
17sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
18sudo systemctl restart sshd
Walk through the CIS benchmark checklist item by item. You’ll understand hardening at a level that exam questions can’t fool you on.
Domain 4: Security Operations (28%) — The Big One
This is the heaviest domain and the one most people lose points on. The key topics are: SIEM, endpoint protection, identity and access management, incident response, and digital forensics.
Lab 8 — Set Up a SIEM with Splunk Free
Splunk offers a free tier (500MB/day) — more than enough for a home lab.
- Download Splunk Enterprise free from splunk.com
- Install on Ubuntu Server
- Configure it to receive syslog from your other VMs
- Install the Splunk Security Essentials app
1# Forward logs from Ubuntu to Splunk
2sudo apt install rsyslog -y
3# Add to /etc/rsyslog.conf:
4# *.* @SPLUNK_IP:514
5
6sudo systemctl restart rsyslog
Now generate some “attacks” on Metasploitable from Kali, and watch the logs flow into Splunk in real time. Practice writing SPL queries to detect suspicious activity:
index=syslog sourcetype=linux_secure "Failed password"
| stats count by src_ip
| where count > 10
| sort -count
That query detects brute force attempts. You just built a SIEM detection rule.
Lab 9 — Active Directory Attack & Defense
Set up Windows Server 2022 with Active Directory, create users and groups, then attack it from Kali:
1# From Kali — enumerate AD with enum4linux
2enum4linux -a WINDOWS_SERVER_IP
3
4# Password spray with CrackMapExec
5crackmapexec smb WINDOWS_SERVER_IP -u users.txt -p 'Password123!'
6
7# Kerberoasting
8impacket-GetUserSPNs DOMAIN/user:password -dc-ip SERVER_IP -request
Then go back to the Windows Server and implement the defenses:
- Fine-grained password policies
- Account lockout thresholds
- Audit policies (log failed logins)
- Disable legacy NTLM authentication
- Enable Protected Users security group
This covers IAM, authentication protocols, privilege escalation, and hardening in one lab.
Lab 10 — Practice Incident Response with a Simulated Breach
Use the NIST SP 800-61 incident response lifecycle as your guide:
- Preparation — document your assets, configure logging
- Detection — use Splunk to identify the attack
- Containment — isolate the compromised VM (disable the NIC)
- Eradication — identify and remove the malware/backdoor
- Recovery — restore from snapshot, verify clean state
- Lessons Learned — write a one-page incident report
Running through this process even once makes exam scenarios about IR phases feel obvious.
Domain 5: Security Program Management & Oversight (20%)
This domain is less hands-on — it covers governance, risk, compliance, auditing, and privacy. Study it with a mix of reading and scenario practice.
What to Focus On
- Risk frameworks: NIST CSF, ISO 27001, NIST RMF
- Risk calculations: SLE × ARO = ALE (Single Loss Expectancy × Annual Rate of Occurrence)
- Regulations: GDPR, HIPAA, PCI-DSS — know what they protect and who they apply to
- Audit types: internal vs. external, penetration test vs. vulnerability assessment
- Data classifications: public, internal, confidential, restricted
Quick Practice: Risk Math
Work through these manually until they’re automatic:
Asset value: $50,000
Exposure factor: 40%
SLE = $50,000 × 0.40 = $20,000
Annual rate of occurrence: 0.5 (once every 2 years)
ALE = $20,000 × 0.5 = $10,000
If a control costs $3,000/year → implement it (saves $7,000/year)
If a control costs $15,000/year → don't (costs more than the risk)
Recommended Study Stack
Here’s what we’d use if we were starting from scratch today:
| Resource | Cost | Best for |
|---|---|---|
| Professor Messer SY0-701 | Free (YouTube) | Video learning, covers every objective |
| CompTIA CertMaster Practice | ~$99 | Official practice questions |
| Jason Dion on Udemy | ~$15 (sale) | Video + practice tests |
| TryHackMe | Free / $14/mo | Hands-on labs in browser |
| Hack The Box Academy | Free tier | More advanced labs |
| NIST SP 800-53 | Free | Reference for controls |
Study Tips That Actually Work
1. Do labs before you read the theory. Break something, then figure out why it broke. You’ll remember the fix forever.
2. Take notes in your own words. If you can’t explain a concept without looking it up, you don’t know it yet.
3. Use TryHackMe rooms for quick wins. Their Security+ learning path has guided labs that take 30-60 minutes each — perfect for evenings.
4. Take at least 300 practice questions before exam day. The exam is scenario-based; volume of practice questions is what trains you to spot the right answer quickly.
5. Study acronyms the week before the exam. There are a lot of them (AAA, DAC, MAC, RBAC, ABAC, IDS, IPS…). Flash cards work well here.
What’s Next After Security+?
Once you pass, the natural paths are:
- CySA+ → Blue team / SOC analyst focus
- PenTest+ → Offensive security / penetration testing
- CASP+ → Advanced enterprise security architecture
- CISSP → Management-level security (requires 5 years experience)
- CEH → Ethical hacking (more vendor-specific, industry recognized)
Security+ opens the door. Where you go after depends on whether you want to work in defense (blue team), offense (red team), or governance and architecture.
Start Today
You don’t need to build every lab at once. Start with:
- Install VirtualBox and download Kali Linux + Metasploitable
- Run your first vulnerability scan with OpenVAS
- Exploit one vulnerability with Metasploit and understand what happened
That’s a solid Saturday afternoon — and you’ll understand more about how attacks actually work than most people who just read about them.
Good luck on the exam. 🔐