
CompTIA Security+ Threats and Vulnerabilities Study Guide


CompTIA Security+ threats and vulnerabilities is a critical domain covering threat identification, vulnerability analysis, and security risk mitigation. You'll study malware types, social engineering attacks, advanced persistent threats, and the weaknesses that make systems susceptible to compromise.

Flashcards excel for this domain because they build rapid threat recognition. You see a scenario and instantly identify the attack type, vulnerability classification, or appropriate defense. By exposing yourself repeatedly to threat descriptions and their characteristics, you develop the pattern recognition needed for the Security+ exam and real cybersecurity work.

Why This Domain Matters

Security+ professionals must quickly identify threats in live environments. Flashcards with spaced repetition strengthen long-term recall, making threat identification automatic. Scenario-based cards prepare you for how the exam actually tests this material: "A user receives an email requesting credentials. What attack type is this?" rather than just definitions.


Types of Security Threats and Attack Vectors

Malware comprises distinct categories based on propagation method. A virus attaches to executable files and spreads only when users run those files. A worm replicates independently across networks without user action, making it faster and more dangerous. A trojan disguises itself as legitimate software but performs malicious functions once installed.

Ransomware encrypts files to extort payment. Spyware secretly monitors user activity. Each type requires different detection and prevention methods.

Social Engineering and Advanced Threats

Social engineering attacks manipulate users into compromising security. Phishing uses deceptive emails to steal credentials. Pretexting constructs false scenarios to extract information. Baiting offers something attractive (USB drive, file download) containing malware. Tailgating gains physical access by following authorized personnel.

Advanced Persistent Threats (APTs) are sophisticated, targeted attacks that maintain long-term system access. They often target specific organizations and use custom tools.

Network and Exploitation Attacks

Man-in-the-Middle (MITM) attacks intercept communications between two parties. Denial of Service (DoS) overwhelms a single system with traffic. Distributed Denial of Service (DDoS) uses multiple systems to flood a target.

Zero-day exploits target previously unknown vulnerabilities before patches exist. Password attacks include brute force, dictionary, and rainbow table methods. Privilege escalation gains higher access levels, while lateral movement spreads within a network after initial compromise.

Why Threat Mechanics Matter

Security+ requires you to understand not just threat names but how they work. Know their propagation methods, the damage they cause, and what indicators reveal their presence. This knowledge helps you both identify attacks and choose appropriate defenses.

Vulnerability Classification and Assessment

Vulnerabilities are weaknesses that threats can exploit. The Common Vulnerabilities and Exposures (CVE) system provides standardized identifiers for known security flaws. The Common Vulnerability Scoring System (CVSS) rates severity on a 0 to 10 scale, considering factors like attack method, required privileges, user interaction, and impact on confidentiality, integrity, and availability.

CVSS severity ratings guide remediation priorities. Critical vulnerabilities (9.0-10.0) require immediate patching within days. High severity (7.0-8.9) needs remediation within weeks. Medium (4.0-6.9) fits normal maintenance windows. Low (0.1-3.9) receives routine attention.

Classification Methods

Vulnerabilities fall into three classification types. Design flaws exist in system architecture. Configuration errors result from improper setup. Implementation bugs occur in source code. The OWASP Top 10 lists the most critical web application vulnerability categories, including injection attacks, broken authentication, sensitive data exposure, and XML External Entities (XXE).

The Vulnerability Management Process

Vulnerability assessment systematically identifies, quantifies, and prioritizes security weaknesses using tools like Nessus, OpenVAS, or Qualys. Penetration testing goes further by attempting to exploit vulnerabilities to demonstrate real-world impact. The full vulnerability management lifecycle includes identification through scanning, analysis of risk and business impact, remediation through patching or configuration changes, and verification that fixes work properly.

Threat Modeling and Risk Analysis

Threat modeling structures how you identify potential attacks against a system. The STRIDE methodology categorizes threats into six types: Spoofing identity, Tampering with data, Repudiation of actions, Information disclosure, Denial of Service, and Elevation of privilege.

PASTA (Process for Attack Simulation and Threat Analysis) provides another framework for understanding attack surfaces. These structured approaches map how attackers might compromise systems and what entry points they could use.

Risk Calculation Fundamentals

Risk equals Threat multiplied by Vulnerability multiplied by Asset Value. If any element is zero, risk becomes zero. Qualitative risk analysis uses subjective ratings like High, Medium, or Low. Quantitative analysis assigns numerical values to express risk in financial terms.

Annualized Loss Expectancy (ALE) equals Annual Rate of Occurrence (ARO) multiplied by Single Loss Expectancy (SLE). This metric justifies security investments to business leaders using financial language they understand.

Understanding Threat Actors

Identifying threat actors helps predict attack sophistication and likelihood. Internal threats come from employees or contractors. Script kiddies use existing tools without deep technical knowledge. Hacktivists pursue political or social causes. Organized crime seeks financial gain. Nation-states conduct espionage or cyberwarfare.

The kill chain framework describes attacker progression through seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Understanding this progression helps you identify where defenses can interrupt the attack.

Mitigation Strategies and Security Controls

Security controls fall into three operational categories that work together. Preventive controls stop attacks before they occur: firewalls, access controls, encryption, and awareness training. Detective controls identify attacks in progress: intrusion detection systems, log monitoring, and security information and event management (SIEM). Corrective controls remediate damage after attacks: backup restoration, incident response, and recovery procedures.

Threat-Specific Mitigations

Different threats require different defenses. Against malware, deploy antivirus software, endpoint detection and response (EDR) tools, and behavior-based detection. Defend against social engineering through security awareness training, email filtering, and multi-factor authentication.

Network segmentation limits lateral movement if one network segment becomes compromised. Patching and configuration management address known vulnerabilities. Encryption protects data confidentiality in transit and at rest. Secure coding practices and code review reduce implementation vulnerabilities.

Foundational Security Principles

Principle of least privilege ensures users have only the access necessary for their role. Defense in depth implements multiple security layers so no single failure causes total compromise. Incident response procedures outline how to contain, investigate, and recover from attacks.

Matching Controls to Threats

Security+ scenario questions test whether you can match appropriate controls to specific risks. For example, understanding that network segmentation limits lateral movement helps you design better network architecture. Knowing that user training reduces social engineering attacks helps you allocate security budgets effectively.

Study Strategies and Flashcard Effectiveness for Threats and Vulnerabilities

The threats and vulnerabilities domain requires mastery of dozens of concepts, threat types, and mitigation strategies. Flashcards work exceptionally well because this domain demands rapid pattern recognition. You must see a scenario and immediately identify the threat or vulnerability type.

Effective flashcards emphasize scenarios over definitions. A front might read: "A user receives an email appearing to be from IT support requesting their password. What type of social engineering attack is this?" The back identifies it as pretexting and explains why this matters for security.

Building Application-Focused Cards

Create cards that test concept application, not just recall. Example: "Given a network vulnerability requiring authentication to exploit, which CVSS metric would be most affected?" This builds the analytical thinking Security+ demands. Practice calculating risk scores and identifying appropriate controls for specific scenarios.

Organize cards by threat type, by mitigation approach, and by real-world scenarios. This develops multiple retrieval pathways in your memory. Include cards covering threat actors and motivations, because understanding who attacks systems and why helps predict future attacks.

Maximizing Retention and Speed

Study with active recall by testing yourself before reviewing answers. This strengthens long-term retention far better than passive reading. Space out your review sessions rather than cramming, allowing your brain to consolidate knowledge and making information more retrievable during the exam.

Combine flashcard study with hands-on practice using actual vulnerability scanning tools. Read real CVE entries to ground abstract concepts in concrete examples. This multi-sensory approach builds deeper understanding than flashcards alone.

Start Studying Threats and Vulnerabilities

Master CompTIA Security+ threats and vulnerabilities using spaced repetition flashcards. Build rapid threat recognition, understand CVSS scoring, practice risk analysis, and develop the scenario-based reasoning the exam demands. Study on your schedule with AI-optimized review sequences.


Frequently Asked Questions

What is the difference between a threat, vulnerability, and risk?

These three terms are closely related but distinct. A threat is a potential danger or attack that could exploit a system. A vulnerability is a weakness that could be exploited. Risk is the probability that a threat will exploit a vulnerability and cause harm.

Think of it this way: a broken door lock (vulnerability) and a burglar in your neighborhood (threat) together create risk. The threat must meet the vulnerability for risk to actually materialize. Understanding this relationship matters for Security+ because exam questions test all three concepts.

The risk formula summarizes this relationship: Risk equals Threat multiplied by Vulnerability multiplied by Asset Value. If any element is zero, risk becomes zero. This framework helps security professionals prioritize efforts by addressing the highest-risk combinations of threats and vulnerabilities.

How do I differentiate between malware types like viruses, worms, and trojans?

The key differences lie in propagation method and deception. A virus requires user action, attaches to executable files, and spreads when those files run. A worm is self-replicating and spreads independently across networks without user interaction, making it faster and more dangerous.

A trojan disguises itself as legitimate software but performs malicious actions once installed. Unlike viruses and worms, trojans do not replicate themselves. Ransomware encrypts files and demands payment. Spyware secretly monitors user activity.

For Security+, remember: virus equals needs help, worm equals spreads itself, trojan equals disguises itself. The exam frequently presents scenarios asking you to identify malware types based on behavior descriptions. Understanding propagation mechanisms helps predict which controls work best. User training helps with viruses and trojans, but network monitoring is crucial for detecting worms due to their independent spread.

Why are flashcards particularly effective for learning Security+ threats and vulnerabilities?

Flashcards leverage spaced repetition and active recall, both proven to strengthen memory and enable rapid information retrieval. The threats and vulnerabilities domain requires you to quickly recognize attack scenarios and identify appropriate responses. Flashcards build this speed through consistent practice.

Scenario-based flashcards are especially powerful because Security+ exam questions are heavily scenario-driven. Practicing with similarly formatted cards prepares your brain for actual exam conditions. Flashcards also let you focus study time on concepts you struggle with using algorithms that show difficult cards more frequently.

The portable nature of digital flashcards means you can study during downtime, maximizing learning with minimal time investment. Creating your own flashcards forces you to synthesize information and identify key distinctions, which itself improves learning. Regular flashcard review prevents knowledge decay, so you maintain mastery of concepts you studied weeks ago rather than forgetting them.

What CVSS score range indicates a critical vulnerability that requires immediate patching?

CVSS scores range from 0.0 to 10.0 with these severity levels: None (0.0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). Critical vulnerabilities scoring 9.0 or higher require immediate attention and patching within days.

High severity vulnerabilities (7.0-8.9) should be remediated quickly, usually within weeks depending on your organization's risk tolerance. Medium severity vulnerabilities can be patched during normal maintenance windows, while Low severity issues receive routine attention.

However, CVSS scores represent only one input to remediation prioritization. You must also consider whether the vulnerability is actually exploitable in your environments, how many systems are affected, and how exposed those systems are to the internet. A low CVSS score on an external-facing system might receive higher priority than a high CVSS score on an internal system with strong compensating controls. Security+ expects you to use CVSS alongside business context to make rational remediation decisions.

How should I organize my threat and vulnerability flashcards for maximum study efficiency?

Organize cards using multiple schemes that you review in different study sessions. First, organize by threat type: malware cards together, social engineering together, network attacks together. Second, organize by mitigation approach: detective controls together, preventive controls together.

Third, create scenario-based decks where each card presents a situation and you identify the threat and appropriate response. Include cards testing relationships between concepts: How do threat actors choose targets? What vulnerabilities do they typically exploit? What defenses are most effective? Create cards for CVSS scoring practice, risk calculation problems, and real CVE entries.

Include acronyms and definitions, but bias toward application questions. Study your threat-type deck until you instantly recognize threats from brief descriptions. Then study scenarios to practice integrating knowledge. Use spaced repetition, reviewing cards frequently when you first create them, then at increasing intervals as mastery develops. Color-code or tag cards by difficulty level to ensure extra attention to challenging concepts. Regularly test yourself without reviewing answers first, then check your correctness.