AI Exam Prep

CompTIA Certification

CompTIA Security+ SY0-701

Complete study reference for CompTIA Security+ — the world's most widely held cybersecurity certification. Covers all five exam domains with scenario-focused revision cues.

Exam format

  • 90 questions
  • 90 minutes
  • 750/900 passing score

Domain weightings

  • Security Operations: 28%
  • Security Program Management: 20%
  • Threats, Vulnerabilities & Mitigations: 22%
  • Security Architecture: 18%
  • General Security Concepts: 12%

Topics by domain

What each domain covers

General Security Concepts (12%)

6 topics

Although this is the smallest domain, its cryptography and PKI material appears throughout the exam in the other domains too. Know the key algorithm types: AES = symmetric block cipher (one shared key for encryption and decryption); RSA/ECC = asymmetric (public/private key pairs); SHA-256 = hashing (one-way, integrity only, no confidentiality). Digital certificates bind a public key to an identity and are signed by a CA.

  • Security controls: preventive, detective, corrective, compensating
  • Cryptography: symmetric (AES), asymmetric (RSA/ECC), hashing (SHA-256)
  • PKI: certificates, certificate authorities, certificate lifecycle
  • Authentication: MFA, biometrics, authenticator types
  • Security frameworks: NIST, ISO 27001, SOC 2
  • Zero trust architecture

Threats, Vulnerabilities and Mitigations (22%)

6 topics

The second largest domain and the most scenario-heavy. Know the attack types and their mitigations: phishing → security awareness training; SQL injection → parameterised queries / prepared statements; DDoS → scrubbing centre / CDN; on-path (MitM) → encryption (HTTPS/TLS). The exam often describes an attack in a scenario and asks you to identify it rather than naming it directly.

  • Malware types: ransomware, trojan, worm, spyware, rootkit, keylogger
  • Social engineering: phishing, spear phishing, vishing, smishing, pretexting, baiting
  • Application vulnerabilities: SQL injection, XSS, buffer overflow, IDOR, SSRF
  • Network attacks: DDoS, ARP poisoning, DNS poisoning, on-path (MitM)
  • Vulnerability scanning vs penetration testing
  • Threat intelligence: OSINT, dark web monitoring, IOCs

Security Architecture (18%)

6 topics

Architecture questions test whether you know WHERE to place security controls. Firewalls filter traffic between segments; an IDS passively detects and alerts; an IPS sits inline and actively blocks. A DMZ sits between the internet and the internal network: public-facing servers (web, mail) go in the DMZ. Microsegmentation limits lateral movement after a breach.

  • Network segmentation: DMZ, VLANs, microsegmentation, east-west traffic
  • Secure network design: firewalls, IDS/IPS placement, honeypots
  • Cloud security: shared responsibility, CASB, cloud access controls, CSPM
  • Infrastructure hardening: secure baseline, patch management, disable unnecessary services
  • Virtualisation and container security
  • Zero trust network access (ZTNA)

Security Operations (28%)

6 topics

The largest domain. Incident response order is tested repeatedly: once an incident is identified, contain FIRST (stop the bleeding), then eradicate (remove the cause), then recover (restore services), then lessons learned. Order of volatility in forensics (collect the most volatile first): CPU registers/cache → RAM → swap/temp files → hard disk → remote logs → archive media.

  • IAM: least privilege, RBAC, PAM, just-in-time access, federation (SAML, OAuth, OIDC)
  • Endpoint security: EDR, antivirus, host-based firewall, disk encryption (BitLocker/FileVault)
  • SIEM: log aggregation, correlation rules, alerting, SOAR
  • Incident response lifecycle: preparation, identification, containment, eradication, recovery, lessons learned
  • Digital forensics: chain of custody, order of volatility, disk imaging
  • Vulnerability management: scanning, CVSS scoring, patch prioritisation

Security Program Management and Oversight (20%)

6 topics

Risk treatment options are reliably tested, so know all four: Accept (tolerate the risk), Transfer (insurance or contract), Avoid (stop the activity), Mitigate (implement controls). Data classification drives access controls: the higher the classification, the stricter the controls. GDPR applies to the personal data of EU residents regardless of where the organisation is located.

  • Risk management: risk appetite, risk register, risk treatment (accept/transfer/avoid/mitigate)
  • Compliance frameworks: PCI DSS, HIPAA, GDPR, SOX, CMMC
  • Data classifications: public, internal, confidential, restricted
  • Privacy concepts: PII, PHI, data minimisation, right to erasure
  • Third-party risk management: vendor due diligence, supply chain security
  • Security awareness training and policy
