When Do PBQs Appear on the Security+ SY0-701 Exam?

If you're about to sit the Security+ SY0-701 exam and you're not sure when PBQs show up — or how many to expect — you're in the right place. The answer matters for how you pace yourself on exam day. And it's simpler than most study guides make it seem.

Here's the short version: PBQs appear at the very beginning of your exam. They're the first things you see when the clock starts. Everything else — the timing strategy, how to handle them, which types to expect — flows from that one fact.

The Direct Answer: When PBQs Appear

PBQs appear at the START of the Security+ SY0-701 exam. They are the first questions you encounter when you begin your test session — before any multiple-choice questions. You don't need to get halfway through the exam to hit them. They're waiting for you on question 1.

Community-confirmed: We surveyed 17 recent SY0-701 test-takers on r/CompTIA in April 2026. Every single respondent confirmed PBQs were front-loaded — they appeared before any MCQs. Zero candidates reported PBQs appearing mid-exam or at the end.

This is intentional. CompTIA front-loads PBQs by design. It's not random and it hasn't changed across exam versions. When you sit down, click through the intro screens, and your first question loads — that's a PBQ. Plan for it.

Why PBQs Are Front-Loaded

CompTIA places performance-based questions at the beginning of the exam for a practical reason: they're resource-intensive to deliver. PBQs run inside simulated environments — interactive GUIs, virtual CLI sessions, drag-and-drop interfaces. The exam system needs to load and run these environments, and it makes sense to front-load them rather than inject them at unpredictable points mid-exam.

There's also a psychometric rationale. PBQs assess a different cognitive skill set than multiple-choice questions. CompTIA wants to evaluate your hands-on ability independently from your recall ability. Grouping them together at the start creates a cleaner separation between the two question types.

From a practical standpoint, what this means for you: you will see PBQs cold, at the start, with a fresh clock. You haven't warmed up on easier MCQs yet. You haven't built any momentum. This is exactly why the skip-and-return strategy exists — more on that below.

The exam gives you 90 minutes total for up to 90 questions. A single complex PBQ can take 5–15 minutes. If you grind through 3–5 PBQs at the start without skipping, you can easily burn 30–40 minutes before you've touched a single MCQ. That's a pacing disaster.

How Many PBQs to Expect

Based on our community research — 17 SY0-701 test-takers surveyed on r/CompTIA in April 2026 — the confirmed range is 3 to 5 PBQs per exam. Here's the breakdown of what candidates reported:

PBQ Count | Frequency in Our Sample | Notes
3 PBQs | Reported by some candidates | Minimum end of the range
4 PBQs | Most common | Majority of responses landed here
5 PBQs | Reported by some candidates | Upper end of typical range
6 PBQs | Rare outlier | A few candidates reported this; not typical

A few important clarifications about PBQ count:

  • PBQs do NOT appear scattered throughout the exam. They're front-loaded. All of them. You see them grouped at the beginning, then MCQs for the rest of the exam.
  • The exact number varies by exam form. CompTIA uses multiple test forms. Your version may have 3, your friend's may have 5. Both are normal.
  • CompTIA doesn't publish the official count. The 3–5 range comes from community reports, not official documentation. It has been consistent across recent test-takers.
  • PBQs can have multiple sub-tasks. A single PBQ might ask you to configure three things. That counts as one PBQ but requires multiple correct answers. Partial credit is possible.

The 5 PBQ Types on SY0-701

Based on community reports from recent test-takers and alignment with SY0-701 exam objectives, five PBQ types appear consistently on the current Security+ exam. Know these before you walk in.

1. Firewall Rule Configuration

You're given a network policy and asked to configure ACL rules in a simulated firewall interface. This typically involves allowing or blocking traffic by source IP, destination IP, port, and protocol. The interface varies — sometimes it looks like a pfSense or iptables-style configuration screen. Practice: Get hands-on with iptables in a Linux VM or use pfSense in VirtualBox. Know how to read a policy and translate it into specific allow/deny rules.
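
As an added illustration (not part of the original article and not exam content), the sketch below turns a small constructed policy into ordered rules and evaluates packets against them. It assumes first-match evaluation with a default-deny policy, as in an iptables-style rule list; the addresses, the rule layout and the function names are made up for the example.

```python
import ipaddress

# Constructed policy for one web server (192.0.2.10): block a known-bad host,
# allow HTTPS from anywhere, allow SSH only from the admin subnet.
# Rule layout (assumed for this example): action, protocol, source, destination, dport.
RULES = [
    ("deny",  "any", "203.0.113.50/32", "0.0.0.0/0",     None),
    ("allow", "tcp", "0.0.0.0/0",       "192.0.2.10/32", 443),
    ("allow", "tcp", "10.0.5.0/24",     "192.0.2.10/32", 22),
]
DEFAULT_ACTION = "deny"  # applied when no rule matches


def rule_matches(rule, proto, src, dst, dport):
    """True when every field of the rule covers the packet."""
    _, r_proto, r_src, r_dst, r_port = rule
    return (
        r_proto in ("any", proto)
        and ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
        and r_port in (None, dport)
    )


def evaluate(rules, proto, src, dst, dport):
    """Return (action, index of the deciding rule); index is None for the default."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst, dport):
            return rule[0], index
    return DEFAULT_ACTION, None


def deny_moved_last(rules):
    """The same rules with the leading deny moved to the end (an ordering mistake)."""
    return rules[1:] + rules[:1]


if __name__ == "__main__":
    bad_host = ("tcp", "203.0.113.50", "192.0.2.10", 443)
    print(evaluate(RULES, *bad_host))                   # deny rule decides
    print(evaluate(deny_moved_last(RULES), *bad_host))  # HTTPS allow decides first
    print(evaluate(RULES, "tcp", "198.51.100.7", "192.0.2.10", 22))  # default applies
```

The second call shows why rule order matters: with the deny moved below the broad HTTPS allow, the blocked host is admitted before its deny rule is ever reached.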

2. VPN / IPSec Setup

Configure a site-to-site or remote-access VPN tunnel. You'll be matching Phase 1 and Phase 2 parameters: IKE version (IKEv1 vs. IKEv2), encryption algorithm (AES-128, AES-256), hashing (SHA-256, SHA-384), Diffie-Hellman group, and authentication method. Mismatches between tunnel endpoints are a common failure point. Practice: Understand IKE phase negotiation cold. Know which parameters must match on both sides. Set up a basic IPSec tunnel in a lab if possible.
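
To make the "parameters must match on both sides" point concrete, here is an added example (not from the original article, and not an IKE implementation). It is a simplified model in which each peer holds a list of fixed Phase 1 proposals built from the five parameters named above; the site names, values and function names are constructed, and real IKEv2 proposals can list several transforms per type.

```python
# Fields taken from the paragraph above; each must be identical on both peers.
FIELDS = ("ike_version", "encryption", "hash", "dh_group", "auth_method")


def proposal(ike_version, encryption, hash_alg, dh_group, auth_method):
    """Build one Phase 1 proposal as a dict keyed by FIELDS."""
    return dict(zip(FIELDS, (ike_version, encryption, hash_alg, dh_group, auth_method)))


# Constructed configurations for three hypothetical endpoints.
SITE_A = [
    proposal(2, "AES-256", "SHA-384", 20, "psk"),
    proposal(2, "AES-256", "SHA-256", 14, "psk"),
]
SITE_B = [proposal(2, "AES-256", "SHA-256", 14, "psk")]
SITE_C = [proposal(2, "AES-128", "SHA-256", 14, "psk")]


def negotiate(initiator, responder):
    """Return the first initiator proposal the responder also holds, else None."""
    for offer in initiator:
        if any(all(offer[f] == own[f] for f in FIELDS) for own in responder):
            return offer
    return None


def closest_mismatch(initiator, responder):
    """For a failed negotiation, return the differing fields of the nearest pair
    as {field: (initiator value, responder value)}."""
    best = None
    for offer in initiator:
        for own in responder:
            diff = {f: (offer[f], own[f]) for f in FIELDS if offer[f] != own[f]}
            if best is None or len(diff) < len(best):
                best = diff
    return best


if __name__ == "__main__":
    print(negotiate(SITE_A, SITE_B))         # second proposal of SITE_A is agreed
    print(negotiate(SITE_A, SITE_C))         # None: no proposal in common
    print(closest_mismatch(SITE_A, SITE_C))  # only the encryption algorithm differs
```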

3. Log Analysis

You're shown a SIEM log dump, server log, or event log and asked to identify an infected host, attack type, or anomalous event. This tests your ability to read raw log data under time pressure. Common scenarios include identifying the source of a brute-force attack, spotting a C2 callback, recognizing port scan signatures, or flagging a privilege escalation attempt. Practice: Get comfortable reading log files. Practice with sample SIEM exports and know the patterns for common attack signatures.
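
The brute-force scenario mentioned above, worked through as an added example (not part of the original article). The log lines are constructed in the usual OpenSSH syslog wording, and the threshold of five failures and the function name are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sshd log lines (not from a real host).
SAMPLE_LOG = """\
Apr 12 03:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.50 port 51122 ssh2
Apr 12 03:14:03 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.50 port 51130 ssh2
Apr 12 03:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.50 port 51138 ssh2
Apr 12 03:14:07 web01 sshd[2217]: Failed password for deploy from 203.0.113.50 port 51146 ssh2
Apr 12 03:14:09 web01 sshd[2219]: Failed password for deploy from 203.0.113.50 port 51154 ssh2
Apr 12 03:14:12 web01 sshd[2221]: Accepted password for deploy from 203.0.113.50 port 51160 ssh2
Apr 12 08:30:44 web01 sshd[3310]: Failed password for alice from 10.0.5.23 port 40022 ssh2
Apr 12 08:30:52 web01 sshd[3310]: Accepted password for alice from 10.0.5.23 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_bruteforce(log_text, threshold=5):
    """Map each source with >= threshold failed logins to its failure count and,
    if a login later succeeded from that source, the account that was accessed."""
    failures = Counter()
    findings = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        src = match["src"]
        if match["result"] == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            # A success after many failures is the line to escalate.
            findings[src] = {"failures": failures[src], "then_logged_in_as": match["user"]}
    for src, count in failures.items():
        if count >= threshold and src not in findings:
            findings[src] = {"failures": count, "then_logged_in_as": None}
    return findings


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

The single failed login from 10.0.5.23 followed by a success is a mistyped password, not an attack, and stays below the threshold.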

4. Digital Certificate and PKI Tasks

Configure certificate trust chains, identify certificate errors (expired, self-signed, untrusted root, revoked), set up OCSP or CRL checking, or manage certificate lifecycle steps. These scenarios test whether you understand how certificate validation actually works end to end — not just the vocabulary. Practice: Use OpenSSL on a Linux VM. Generate self-signed certificates, create a basic CA, and inspect certificate details with openssl x509 -text. Know what each field means.

5. Cloud Security Architecture

Drag-and-drop or place security components — WAFs, load balancers, firewalls, security groups, network ACLs — into the correct positions within a three-tier cloud architecture diagram. You might be given a partially complete diagram with components in the wrong positions and asked to fix it. Practice: Study the standard three-tier architecture (web tier, application tier, data tier) and know where each security control belongs in that model. Know the difference between a WAF (protects HTTP traffic at the application layer) and a network firewall (operates at Layer 3/4).

The Skip-and-Return Strategy

Most experienced Security+ candidates — and most people who advise test-takers on r/CompTIA — recommend the same approach: skip all PBQs at the start, complete every MCQ first, then return to PBQs with your remaining time.

Here's why this works:

  • MCQs are faster. A well-prepared candidate can average 60–90 seconds per MCQ. Doing 80+ MCQs before returning to PBQs means you've built up a rhythm and locked in points on questions you can answer quickly.
  • You're in a better headspace. By the time you return to PBQs, you've been through the exam content. Concepts that felt fuzzy at the start may be sharper after reading 80 MCQs that reinforce the material.
  • You still have time. If you budget 60 seconds per MCQ and have 85 MCQs, that's about 85 minutes on MCQs — leaving 5 minutes per PBQ. Tight, but workable. Many candidates who skip and return report finishing with more time than they expected.
  • You avoid the spiral. Spending 20 minutes stuck on a single PBQ at the start, then running out of time for MCQs you could have answered easily, is a common failure mode. The skip strategy prevents it.

How to flag PBQs: CompTIA's exam interface includes a "Mark for Review" or flag function. When you see a PBQ, flag it immediately and click Next. Do not attempt to answer it. Work through all MCQs, then use the Review screen to return to flagged items.

One caveat: if you're well-prepared and a PBQ looks straightforward, there's no rule against attempting it at the start. The skip strategy is a risk mitigation approach, not a mandate. The goal is to protect your MCQ time from PBQ overrun.

How to Actually Prepare for PBQs

Here's the honest reality: you cannot prepare for PBQs by reading about them. Reading about firewall rule configuration doesn't build the muscle memory you need to configure one under time pressure. You have to practice the actual scenarios.

  • Use free lab tools. VirtualBox (free) lets you run Linux VMs where you can practice iptables, OpenSSL, and CLI tasks. Cisco Packet Tracer (free for students) is useful for networking scenarios. Browser-based Linux terminals require no setup at all — good for quick practice on log analysis and CLI commands.
  • Practice the five types specifically. Don't do generic "lab practice" — drill the exact five PBQ types listed above. Each one has a specific skill set. Build that skill set deliberately.
  • Time yourself. Practice completing each scenario type in under 10 minutes. That's roughly the budget you have per PBQ if you've reserved 30–45 minutes for PBQ return time.
  • Use the help command. CompTIA's CLI simulations support help and ?. If you blank on syntax, try it. This is expected behavior — real sysadmins use help too. Using it isn't cheating; it's realistic.
  • Always attempt partial completion. If a PBQ has five sub-tasks and you're confident on three, answer those three. Partial credit is real on SY0-701. A blank PBQ scores zero; a partially completed one might still earn credit.

The Security+ PBQ Lab Guide walks through 12 hands-on scenarios covering all five PBQ types on SY0-701 — firewall configs, VPN setup, log analysis, PKI tasks, and cloud architecture. Step-by-step, no environment setup required.

Conclusion

PBQs appear at the beginning of the Security+ SY0-701 exam — every time, without exception. You'll see 3–5 of them, grouped at the front, before any MCQs load. The standard move is to flag them all and skip to MCQs first, then return with your remaining time. The five types you're most likely to see are firewall configuration, VPN/IPSec setup, log analysis, PKI tasks, and cloud security architecture.

None of this is hard to prepare for once you know what you're dealing with. The candidates who struggle on PBQs aren't underprepared — they're surprised. You won't be. Grab a free sample from the Security+ PBQ Lab Guide to start practicing the actual scenarios before exam day.