You've studied for weeks. You know the material cold. You've crushed every practice test. Then you open your Security+ exam and hit your first PBQ — and your mind goes blank. The familiar multiple-choice format is gone. In its place: a simulated firewall interface, a CLI prompt, or a network diagram asking you to drag components into the right slots. The clock is ticking.
This is one of the most consistent experiences reported by SY0-701 candidates on r/CompTIA. The exam includes 3–5 performance-based questions, and they appear right at the start — before you've had a chance to build any momentum. Despite this, most candidates spend 95% of their prep time on flashcards and MCQ practice banks, treating PBQs as an afterthought. That mismatch is exactly why so many people fail on their first attempt — not because the content was beyond them, but because they'd never actually done the thing the exam was asking them to do.
What Are Security+ PBQs?
Performance-based questions (PBQs) are interactive exam items that simulate real-world tasks. Instead of reading a question and selecting A, B, C, or D, you're placed inside a simulated environment and asked to complete a task — configure a firewall, analyze a log file, or set up a VPN tunnel.
PBQs come in several formats on the SY0-701:
- Drag-and-drop: Match terms, order steps, or place components onto a diagram
- CLI simulations: Type actual commands into a simulated terminal or network device prompt
- Network diagrams: Add, remove, or configure elements in a simulated network map
- Configuration interfaces: Use a simulated GUI (firewall admin panel, certificate manager) to complete a task
Based on aggregated reports from r/CompTIA, CompTIA study forums, and candidate debriefs, the five most common PBQ types on the SY0-701 are:
- Firewall rule configuration — creating or modifying ACL rules to allow/block traffic
- VPN and IPSec setup — configuring tunnel parameters, authentication, and encryption
- Log analysis — reading through SIEM or server logs to identify an infected host or suspicious event
- Digital certificate and PKI tasks — managing certificate lifecycle, trust chains, or CRL/OCSP configuration
- Cloud security architecture — placing WAFs, load balancers, and security groups in the right position within a cloud diagram
These five types won't appear on every exam — CompTIA rotates questions — but any serious SY0-701 candidate should be able to handle all five confidently before sitting for the test.
The #1 Mistake Candidates Make
The single biggest mistake is studying PBQs by reading about them instead of doing them.
Flashcards won't prepare you for drag-and-drop firewall rules. Knowing that a firewall ACL blocks or permits traffic based on source IP, destination IP, port, and protocol is completely different from sitting in front of a simulated firewall interface and actually configuring those rules under timed pressure. The knowledge is necessary but not sufficient.
Here's why this matters: PBQs require a different kind of memory — procedural memory, sometimes called "muscle memory for knowledge workers." When you've typed iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT ten times in a real terminal, your brain encodes that differently than if you've read it in a textbook. Under exam stress, procedural memory is far more reliable than recall-based memory.
The hard truth: If you can't complete the task in a real or simulated environment, you're not ready for the PBQ. Knowing the concept and doing the task are two different skills, and the exam tests the latter.
Most candidates don't do hands-on practice because it feels harder to set up and less productive than a fast flashcard session. That's exactly the wrong optimization. PBQs are worth more per question than standard MCQs, and the hands-on tasks are where underprepared candidates hemorrhage points.
The Strategy That Actually Works
Here's the approach that consistently produces better results — based on what high-scorers report and what the evidence supports.
1. Skip PBQs First, Come Back Later
When you open the exam and see a PBQ as your first question, flag it and skip it immediately. Move through every MCQ first. This does two things: it banks time on questions you're faster at, and it rebuilds your confidence before you tackle the harder interactive items. A PBQ that seems impossible at minute 3 often becomes solvable at minute 60 once your brain is warmed up and you've reinforced your knowledge through the MCQ section.
2. Use the help Command
Inside CLI simulations, most candidates forget that the help command works. Type help or append ? to a partial command, and the simulation will often display valid syntax and available options. This is not cheating — it's exactly what a real sysadmin would do. CompTIA built this into the simulation because it reflects real-world behavior.
3. Practice With Actual Tools Before Exam Day
Don't let the exam be the first time you've touched these interfaces. Set up free VMs using VirtualBox or VMware (both have free tiers). Run iptables on a Linux VM. Configure a VPN in pfSense. Use Cisco's free Packet Tracer for network diagramming. For PKI tasks, OpenSSL on any Linux machine will teach you more in an hour than a week of reading. Browser-based labs — including the ones at GetCertLab — let you practice without any local setup at all.
4. Walk Through Each Scenario Type Twice
Don't just practice once and check it off. Walk through each of the five PBQ types at least twice before your exam date, ideally with a day or two gap between sessions. Spaced repetition applies to procedural skills, not just facts. If you can complete the scenario from memory without referring to notes, you're ready.
I built a hands-on lab workbook specifically for Security+ SY0-701 PBQs — 12 lab scenarios built around what candidates actually report seeing on the exam. You can grab 2 free labs at getcertlab.com to try before buying. No signup required to browse — just a link to your free sample download.
PBQ Type Breakdown: What to Expect and How to Practice
Let's go through each of the five most common SY0-701 PBQ types individually — what the exam scenario looks like, what skills it's testing, and how to build the competency before test day.
🔥 Firewall Rule Configuration
What to expect: You're given a simulated firewall or ACL interface and asked to create, modify, or troubleshoot rules. You might need to allow SSH from a specific subnet, block all inbound ICMP, or deny traffic to a range of IP addresses. The interface might look like a simplified iptables command line or a GUI rule builder.
How to practice: Spin up a Linux VM and learn iptables basics — append rules, delete rules, list rules, understand ACCEPT/DROP/REJECT. Practice building a rule set from scratch that implements a stated policy. Know the order of operations (rules are evaluated top-to-bottom, first match wins). Packet Tracer's ACL labs are also excellent for this type.
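The top-to-bottom, first-match-wins rule is easiest to see by evaluating the same rules in two different orders. The script below is an added example, not part of the original article: it is a simplified model of rule evaluation rather than iptables itself, and the rule table format, function names, and addresses are constructed for practice.

```shell
# First-match-wins evaluation over a simplified rule table (constructed lab data).
# Columns: action  protocol  source-CIDR  destination-port ("-" = any port)

good_order() { cat <<'EOF'
ACCEPT tcp  192.168.1.0/24 22
DROP   tcp  0.0.0.0/0      22
DROP   icmp 0.0.0.0/0      -
EOF
}

# Same rules, but the broad DROP now sits above the specific ACCEPT.
bad_order() { cat <<'EOF'
DROP   tcp  0.0.0.0/0      22
ACCEPT tcp  192.168.1.0/24 22
DROP   icmp 0.0.0.0/0      -
EOF
}

# first_match <proto> <src-ip> <dport>: rules on stdin, prints "ACTION rule=N"
first_match() {
  awk -v proto="$1" -v src="$2" -v dport="$3" '
    function ip2int(ip,  o) {
      split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4]
    }
    function in_cidr(ip, cidr,  p, size) {
      split(cidr, p, "/"); size = 2 ^ (32 - p[2])
      return int(ip2int(ip) / size) == int(ip2int(p[1]) / size)
    }
    $2 == proto && in_cidr(src, $3) && ($4 == "-" || $4 == dport) {
      print $1 " rule=" NR; found = 1; exit        # stop at the first match
    }
    END { if (!found) print "DROP rule=default" }   # implicit deny policy
  '
}

good_order | first_match tcp 192.168.1.50 22    # LAN host, SSH
good_order | first_match tcp 203.0.113.9 22     # outside host, SSH
bad_order  | first_match tcp 192.168.1.50 22    # LAN host, SSH, rules reordered
good_order | first_match tcp 192.168.1.50 443   # nothing matches
```

With the rules reordered, the LAN host's SSH traffic hits the broad DROP first, so the ACCEPT below it never takes effect. Spotting that kind of shadowed rule is the core of troubleshooting a rule set.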
🔐 VPN and IPSec Setup
What to expect: A drag-and-drop or fill-in-the-blank scenario where you configure a site-to-site or remote-access VPN. You'll need to correctly pair Phase 1 and Phase 2 parameters: IKE version, authentication method, encryption algorithm (AES-256), hashing (SHA-256), Diffie-Hellman group, and pre-shared key vs. certificate authentication.
How to practice: Build a site-to-site VPN between two pfSense VMs in VirtualBox. You'll configure every parameter manually, which forces you to actually understand what each field does. Know the difference between IKEv1 and IKEv2, tunnel mode vs. transport mode, and the purpose of the SA (Security Association). If you've configured it once end-to-end, the PBQ becomes a pattern recognition exercise.
📋 Log Analysis
What to expect: You're shown a scrollable log file — server logs, firewall logs, or SIEM output — and asked to identify an infected host, a specific attack type, or a suspicious event. These logs can be long. You're looking for patterns: repeated failed logins (brute force), unusual outbound connections (C2 traffic), or spikes in traffic from a single IP.
How to practice: Get comfortable reading raw log formats: Apache access logs, Windows Event Viewer exports, syslog. Practice by downloading sample log files from GitHub or security training platforms and identifying the anomaly. Know what a normal baseline looks like so you can spot what's abnormal. Focus on timestamps, source IPs, event IDs (Windows), and HTTP status codes.
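For the repeated-failed-logins pattern, the script below counts sshd failures per source IP and flags any source whose failures were followed by a successful login. It is an added example, not part of the original article: the log lines are constructed (documentation-range IPs, a made-up host web01), and the function names and threshold are assumptions.

```shell
# Constructed sshd auth-log lines (documentation-range IPs); not from a real host.
sample_log() { cat <<'EOF'
Mar 10 02:14:01 web01 sshd[811]: Failed password for root from 203.0.113.45 port 50122 ssh2
Mar 10 02:14:03 web01 sshd[811]: Failed password for root from 203.0.113.45 port 50124 ssh2
Mar 10 02:14:05 web01 sshd[812]: Failed password for invalid user admin from 203.0.113.45 port 50130 ssh2
Mar 10 02:14:07 web01 sshd[812]: Failed password for invalid user admin from 203.0.113.45 port 50133 ssh2
Mar 10 02:14:09 web01 sshd[813]: Failed password for root from 203.0.113.45 port 50140 ssh2
Mar 10 02:14:12 web01 sshd[813]: Accepted password for root from 203.0.113.45 port 50141 ssh2
Mar 10 08:30:44 web01 sshd[990]: Failed password for alice from 198.51.100.7 port 41022 ssh2
Mar 10 08:30:52 web01 sshd[990]: Accepted password for alice from 198.51.100.7 port 41022 ssh2
Mar 10 09:01:10 web01 sshd[1001]: Failed password for invalid user test from 192.0.2.10 port 33001 ssh2
Mar 10 09:01:12 web01 sshd[1001]: Failed password for invalid user guest from 192.0.2.10 port 33004 ssh2
Mar 10 09:01:14 web01 sshd[1002]: Failed password for invalid user oracle from 192.0.2.10 port 33009 ssh2
EOF
}

# brute_force_report <min-failures>: auth log on stdin -> "ip failures=N outcome"
brute_force_report() {
  awk -v min="$1" '
    # Scan from the end of the line: the username is attacker-controlled and
    # could itself be the word "from", so the last "from" marks the source IP.
    function src_ip(  i) {
      for (i = NF - 1; i > 0; i--) if ($i == "from") return $(i + 1)
      return ""
    }
    /sshd\[[0-9]+\]: Failed password/ { fails[src_ip()]++ }
    /sshd\[[0-9]+\]: Accepted /       { ip = src_ip(); if (fails[ip] >= min) breached[ip] = 1 }
    END {
      for (ip in fails) if (fails[ip] >= min)
        print ip, "failures=" fails[ip], ((ip in breached) ? "SUCCESS_AFTER_FAILURES" : "no_success")
    }
  ' | sort
}

sample_log | brute_force_report 3
```

The single mistyped password from 198.51.100.7 stays below the threshold and is not reported, which is the baseline-versus-anomaly distinction the scenario is testing.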
🏛️ Digital Certificate and PKI Tasks
What to expect: A scenario involving certificate management — creating a CSR, installing a certificate, configuring a trust chain, or diagnosing a certificate error. You might be asked to identify whether a cert is expired, self-signed, or untrusted, and what the correct remediation is. Some scenarios involve configuring OCSP or CRL settings.
How to practice: Use OpenSSL on any Linux machine to generate a root CA, an intermediate CA, and a leaf certificate. Install the chain. Verify it with openssl verify. Understand the fields in an X.509 cert — CN, SAN, validity period, issuer, key usage extensions. Practice reading openssl s_client output to diagnose trust issues. This hands-on workflow maps directly to what the exam simulates.
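The root, intermediate, and leaf workflow described above, as an added example that is not part of the original article. The subject names, file names, `www.lab.example`, and the 30-day validity are constructed lab values. It verifies the leaf twice so you can see the trust failure a missing intermediate produces.

```shell
# Practice PKI: root CA -> intermediate CA -> leaf, then verify the chain.
# Every name below (Lab Root CA, www.lab.example, file names) is constructed.
set -eu

# issue <name> <subject> <ext-section> [issuer]   (no issuer = self-signed)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "$2" -out "$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -sha256 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -sha256 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}

build_chain() {   # build_chain <empty working directory>
  ( cd "$1"
    cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.lab.example
EOF
    issue root "/CN=Lab Root CA" ca
    issue intermediate "/CN=Lab Intermediate CA" ca root
    issue leaf "/CN=www.lab.example" leaf intermediate )
}

# verify_leaf <dir> [with-intermediate]: succeeds only on "leaf.pem: OK"
verify_leaf() {
  ( cd "$1"
    if [ "${2:-}" = with-intermediate ]; then
      openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem
    else
      openssl verify -CAfile root.pem leaf.pem
    fi 2>&1 | grep -q '^leaf.pem: OK$' )
}

lab=$(mktemp -d)
build_chain "$lab"
verify_leaf "$lab" with-intermediate && echo "full chain: OK"
verify_leaf "$lab" || echo "without intermediate: verification fails"
openssl x509 -in "$lab/leaf.pem" -noout -subject -issuer -dates
```

Run the failing `openssl verify` by hand inside the lab directory to read the actual error text. A server that does not send its intermediate certificate produces the same symptom.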
☁️ Cloud Security Architecture
What to expect: A network diagram showing a cloud environment — typically a three-tier web application (web servers, app servers, database layer) — where you need to drag security components into the correct positions. You might be asked where to place a WAF, a load balancer, a network security group, or a jump server. Sometimes you need to identify which existing configuration is wrong and fix it.
How to practice: Study the standard cloud security reference architectures from AWS and Azure (both publicly available). Know the difference between a WAF (Layer 7, application-aware) and a traditional firewall (Layer 3/4). Know why a jump server (bastion host) belongs in the DMZ, not inside the private subnet. Draw the architectures yourself — even with pen and paper — until you can reproduce the correct component placement from memory.
How to Put It All Together
The Security+ SY0-701 is a demanding exam, but PBQs are beatable with the right preparation. The candidates who fail on their first attempt aren't failing because they don't know the material — they're failing because they never practiced the doing, only the knowing. That's a solvable problem.
Here's the condensed playbook:
- Flag PBQs and skip them on the first pass. Work MCQs first, come back with confidence.
- Use help and ? inside CLI simulations — it's there for a reason.
- Do hands-on practice, not just reading. Set up VMs, run real commands, configure real tools.
- Cover all five PBQ types — at least twice each — before your exam date.
- Practice under time pressure — set a 10-minute timer and complete a lab scenario start to finish.
If you're looking for a structured way to run through all five types without spending hours on setup, the GetCertLab Security+ PBQ lab guide has 12 lab scenarios built specifically around what SY0-701 candidates report seeing. Two labs are free — no email required to grab the sample.