The official Security+ SY0-701 acronym list has 200+ entries. You don’t need all 200. You need about 60 — the ones that actually appear on the exam in 80% of questions.
Here they are, ranked by exam frequency and grouped by domain. Came from the IG reel? Scroll to the list and start drilling.
Tier 1 — Memorize cold (the 30 that appear in every exam)
These show up in 60+% of questions. If you can’t recall any of these in under 5 seconds — both directions — keep studying.
| Acronym | Expansion | Domain | What it does |
|---|---|---|---|
| MFA | Multi-Factor Authentication | Identity | Something you know + have + are |
| SSO | Single Sign-On | Identity | One login → many apps |
| RBAC | Role-Based Access Control | Identity | Permissions tied to job role |
| ABAC | Attribute-Based Access Control | Identity | Permissions tied to attributes (location, time, etc.) |
| LDAP | Lightweight Directory Access Protocol | Identity | Directory lookups (Active Directory uses it) |
| SAML | Security Assertion Markup Language | Identity | SSO via XML assertions passed from an identity provider to a service provider |
| OAuth | Open Authorization | Identity | Delegated authorization for apps |
| MAC | Mandatory Access Control | Identity | OS-enforced labels (Bell-LaPadula, Biba) |
| DAC | Discretionary Access Control | Identity | Owner sets permissions |
| AES | Advanced Encryption Standard | Crypto | Symmetric block cipher (AES-256 is the common standard) |
| RSA | Rivest-Shamir-Adleman | Crypto | Asymmetric encryption + signatures |
| PKI | Public Key Infrastructure | Crypto | The whole certificate trust chain |
| CA | Certificate Authority | Crypto | Issues digital certificates |
| CRL | Certificate Revocation List | Crypto | List of revoked certificates |
| OCSP | Online Certificate Status Protocol | Crypto | Real-time cert revocation check |
| TLS | Transport Layer Security | Crypto | The modern replacement for SSL |
| HMAC | Hash-based Message Authentication Code | Crypto | Hash + secret key = integrity proof |
| VPN | Virtual Private Network | Network | Encrypted tunnel |
| IPS | Intrusion Prevention System | Network | Detects AND blocks attacks |
| IDS | Intrusion Detection System | Network | Detects attacks, alerts only |
| DLP | Data Loss Prevention | Network | Stops sensitive data exfiltration |
| WAF | Web Application Firewall | Network | Layer-7 firewall for web apps |
| NAC | Network Access Control | Network | Posture-check devices before LAN access |
| SIEM | Security Information and Event Management | Operations | Log aggregation + correlation |
| SOAR | Security Orchestration, Automation, and Response | Operations | Automated incident workflows |
| EDR | Endpoint Detection and Response | Operations | Modern endpoint security |
| XDR | Extended Detection and Response | Operations | EDR + network + cloud telemetry |
| APT | Advanced Persistent Threat | Threats | Nation-state or organized criminal actor |
| DDoS | Distributed Denial of Service | Threats | Overwhelm a service with traffic |
| CVE | Common Vulnerabilities and Exposures | Threats | The canonical vulnerability ID system |
Tier 2 — Recognize on sight (another 30 you should know)
These appear in 15–30% of questions. You should recognize them, even if recall is slower.
| Acronym | Expansion | Notes |
|---|---|---|
| PII | Personally Identifiable Information | What HIPAA/PCI/GDPR all care about |
| PHI | Protected Health Information | HIPAA-specific |
| PCI-DSS | Payment Card Industry Data Security Standard | Credit card data protection |
| HIPAA | Health Insurance Portability and Accountability Act | US healthcare regulation |
| GDPR | General Data Protection Regulation | EU privacy regulation |
| SOC | Security Operations Center / System and Organization Controls | Two meanings — context matters |
| SOC 2 | System and Organization Controls 2 | SaaS security audit framework (AICPA) |
| NIST | National Institute of Standards and Technology | Publishes US security standards |
| ISO 27001 | International Organization for Standardization 27001 | International security management standard |
| CIA | Confidentiality, Integrity, Availability | The security triad |
| AAA | Authentication, Authorization, Accounting | The access-control triad |
| MITM | Man-in-the-Middle | Interception attack (CompTIA now calls it an on-path attack) |
| XSS | Cross-Site Scripting | Injecting JS into a vulnerable site |
| SQLi | SQL Injection | Injecting SQL into a vulnerable input |
| CSRF | Cross-Site Request Forgery | Trick a logged-in user into an action |
| RCE | Remote Code Execution | Run code on a target system |
| DKIM | DomainKeys Identified Mail | Email authentication via signing |
| SPF | Sender Policy Framework | Email anti-spoofing |
| DMARC | Domain-based Message Authentication, Reporting, and Conformance | Email policy combining SPF + DKIM |
| MDM | Mobile Device Management | Managing phones/tablets at scale |
| BYOD | Bring Your Own Device | Letting personal devices on corp network |
| CASB | Cloud Access Security Broker | Visibility/control for cloud apps |
| ZTNA | Zero Trust Network Access | Modern replacement for VPN |
| SASE | Secure Access Service Edge | Cloud-delivered security + networking |
| IAM | Identity and Access Management | The whole identity discipline |
| PAM | Privileged Access Management | Vaulting, rotation, and session control for admin accounts |
| HSM | Hardware Security Module | Tamper-resistant key storage |
| TPM | Trusted Platform Module | Chip on the motherboard that stores keys |
| UEFI | Unified Extensible Firmware Interface | Modern BIOS replacement |
| SBOM | Software Bill of Materials | Inventory of components in a software product |
The pairs that get confused most
The single biggest source of acronym-question mistakes is the paired terms. Drill these specifically — practice “when do you use X vs Y” for each pair:
| Pair | The distinction |
|---|---|
| DLP vs DRM | DLP stops data from leaving the org. DRM controls how a recipient uses data after they get it. |
| IDS vs IPS | IDS detects + alerts. IPS detects + blocks. IPS is inline; IDS is passive. |
| SSO vs MFA | SSO reduces the number of logins. MFA strengthens each login. They’re complementary, not competitors. |
| RBAC vs ABAC | RBAC = permissions per role (admin, user, auditor). ABAC = permissions per attribute (location, time, device posture). |
| EDR vs XDR | EDR sees just endpoints. XDR correlates endpoints + network + cloud. |
| SIEM vs SOAR | SIEM collects + correlates logs. SOAR automates the response. |
| AAA vs CIA | AAA = access control (Authentication, Authorization, Accounting). CIA = security goals (Confidentiality, Integrity, Availability). |
| CRL vs OCSP | CRL is a downloadable list. OCSP is a real-time query. OCSP is the modern approach; CRL is the fallback. |
| SPF vs DKIM vs DMARC | SPF says “this IP is allowed to send for this domain.” DKIM signs the message. DMARC says what to do when SPF/DKIM fail. |
The 10-minute daily drill
Two weeks to lock in 60 acronyms:
- Day 1–3: Tier 1 only. Both directions: acronym → expansion, expansion → acronym.
- Day 4–6: Tier 1 + Tier 2.
- Day 7–10: Tier 1 + 2 + the paired-confusion drill.
- Day 11–14: Full mixed deck, timed. 60 acronyms in under 5 minutes.
By day 14, the categories trigger the meanings automatically and you’re spotting acronym questions on sight during the exam.
Practice as flashcards (free)
Practice with free flashcards, crypto-decoder drills, and exam-style scenarios at secplus.it-learn.io — aligned to the current SY0-701 objectives. Free with a quick signup.
The flashcard deck on secplus.it-learn.io is keyed off this exact list — same 60 acronyms, same grouping, same paired-confusion drill. Drill 10 minutes a day for two weeks and the acronym questions on SY0-701 become reflex.
All the free cert-study tools — Network+, Security+, CCIE Security, CHFI, ECIH — live at study.it-learn.io. Flashcards, quizzes, calculators, mnemonics. Free with a quick signup.