CompTIA Security+ Cheat Sheet 2026 — Ports, Protocols, Acronyms & Risk Formulas
Everything you must have memorised before sitting the SY0-701 exam. Bookmark this page and review it in the final week of study — these are the high-frequency, high-point areas where most candidates drop marks.
1. Essential Port Numbers
Port questions appear in almost every Security+ exam — usually in a firewall rule scenario or a "which protocol is insecure?" context. Know these exactly.
| Port(s) | Protocol / Service | Notes / Exam Trap |
|---|---|---|
| 20/21 | FTP | Port 21 = control, 20 = data. Unencrypted — never use in secure environments. |
| 22 | SSH / SFTP / SCP | Secure shell, file transfer (SFTP), and copy (SCP) all use port 22. |
| 23 | Telnet | Unencrypted — replace with SSH. Classic exam wrong-answer vs SSH. |
| 25 | SMTP | Outbound email (server-to-server). Insecure plain text. |
| 53 | DNS | UDP (queries) and TCP (zone transfers / large responses). |
| 67/68 | DHCP | 67 = server, 68 = client. UDP only. |
| 80 | HTTP | Unencrypted web. Redirect to 443 in secure setups. |
| 88 | Kerberos | Authentication tickets. Know KDC, TGT, service ticket flow. |
| 110 | POP3 | Unencrypted email retrieval. Replaced by IMAPS 993. |
| 119 | NNTP | Network News. Rarely tested — know it exists. |
| 135 | MSRPC | Microsoft RPC endpoint mapper. Common attack vector. |
| 137–139 | NetBIOS | Windows file/print sharing over NetBIOS. Largely replaced by SMB. |
| 143 | IMAP | Unencrypted email. Use 993 (IMAPS) instead. |
| 161/162 | SNMP | 161 = queries, 162 = traps. V1/V2 = insecure, V3 = encrypted. |
| 389 | LDAP | Directory queries. Unencrypted — use LDAPS (636) instead. |
| 443 | HTTPS | TLS-encrypted web. Default secure web port. |
| 445 | SMB | Windows file sharing (Server Message Block). EternalBlue / WannaCry. |
| 465 | SMTPS | Encrypted SMTP (TLS/SSL). Compare with STARTTLS on 587. |
| 500 | IKE | Internet Key Exchange for IPsec VPN negotiations. |
| 514 | Syslog | UDP syslog logging. RFC 5424. Not encrypted by default. |
| 587 | SMTP + STARTTLS | Authenticated email submission with opportunistic TLS. |
| 636 | LDAPS | Encrypted LDAP over TLS. Replaces port 389. |
| 993 | IMAPS | Encrypted IMAP over TLS. Use instead of port 143. |
| 995 | POP3S | Encrypted POP3 over TLS. |
| 1433 | MS SQL | Microsoft SQL Server. Restrict with firewall rules. |
| 1521 | Oracle DB | Oracle Database listener. |
| 3306 | MySQL / MariaDB | Open source DB default port. |
| 3389 | RDP | Remote Desktop Protocol. High-value attack target — restrict or disable. |
| 5060/5061 | SIP/SIPS | VoIP signalling. 5061 = encrypted TLS (SIPS). |
| 6514 | Syslog TLS | Encrypted syslog. Use instead of 514 for compliance. |
| 8080 | HTTP alt | Common alternative HTTP port for dev/proxy. |
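As an added example (not part of the cheat sheet), a small Python audit that applies the table above to firewall rules: it flags allowed cleartext services together with the encrypted replacement the table gives, and flags the high-value ports (MSRPC, SMB, MS SQL, MySQL, RDP) when a rule exposes them to any source. The rule format ("allow PROTO SOURCE -> HOST:PORT") and the sample rules are constructed.

```python
from dataclasses import dataclass

# Cleartext services from the table, mapped to the encrypted port that replaces them.
INSECURE_TO_SECURE = {
    21: (22, "FTP -> SFTP/SCP"),
    23: (22, "Telnet -> SSH"),
    80: (443, "HTTP -> HTTPS"),
    110: (995, "POP3 -> POP3S"),
    143: (993, "IMAP -> IMAPS"),
    389: (636, "LDAP -> LDAPS"),
    514: (6514, "Syslog UDP -> Syslog TLS"),
}
# Ports the table marks as high-value targets: never allow them from any source.
RESTRICTED_PORTS = {135: "MSRPC", 445: "SMB", 1433: "MS SQL", 3306: "MySQL", 3389: "RDP"}

@dataclass
class Finding:
    rule: str
    severity: str
    message: str

def parse_rule(line):
    """Parse the constructed format: 'allow tcp 0.0.0.0/0 -> 10.0.0.5:23'."""
    action, proto, src, _, dest = line.split()
    host, port = dest.rsplit(":", 1)
    return action, proto, src, host, int(port)

def audit_rules(lines):
    """Return a Finding per problem in the allowed rules; deny rules are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, host, port = parse_rule(line)
        if action != "allow":
            continue
        if port in INSECURE_TO_SECURE:
            secure, label = INSECURE_TO_SECURE[port]
            findings.append(Finding(line, "medium", f"cleartext {label}: move to port {secure}"))
        if port in RESTRICTED_PORTS and src == "0.0.0.0/0":
            findings.append(Finding(line, "high", f"{RESTRICTED_PORTS[port]} exposed to any source"))
    return findings

SAMPLE_RULES = [  # constructed rule set
    "allow tcp 0.0.0.0/0 -> 10.0.0.5:23",
    "allow tcp 0.0.0.0/0 -> 10.0.0.7:3389",
    "allow tcp 10.0.0.0/8 -> 10.0.0.9:22",
    "allow udp 10.0.1.0/24 -> 10.0.0.20:514",
    "deny tcp 0.0.0.0/0 -> 10.0.0.5:21",
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule}: {f.message}")
```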
2. Risk Formulas — With Worked Examples
Risk calculation questions are worth guaranteed points — the formula never changes, and if you know it, these are some of the easiest marks on the exam.
SLE — Single Loss Expectancy
SLE = Asset Value (AV) × Exposure Factor (EF)
AV = total value of the asset. EF = fraction of the asset lost in one incident (0.0–1.0, so 40% = 0.40).
Example: Server worth $200,000. Fire destroys 40% of it. SLE = $200,000 × 0.40 = $80,000
ALE — Annualised Loss Expectancy
ALE = SLE × Annualised Rate of Occurrence (ARO)
ARO = how many times the incident is expected per year (can be a fraction).
Example: SLE = $80,000. Fire expected once every 5 years (ARO = 0.2). ALE = $80,000 × 0.2 = $16,000 per year
Control Cost Decision
Value of control = ALE(before) − ALE(after) − Annual Cost of Control
If value > 0, the control is worth implementing. If negative, accept the risk.
Example: ALE drops from $16,000 to $4,000 after installing fire suppression ($5,000/yr). Value = $16,000 − $4,000 − $5,000 = $7,000 benefit → implement it.
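The three formulas carried through in Python, as an added example that is not part of the cheat sheet. The figures are the page's worked example; the fire-suppression control is modelled as cutting the exposure factor from 40% to 10% at an unchanged ARO (an assumption that reproduces the page's $4,000 ALE after), and the second candidate control is constructed to show a case where a lower residual ALE still does not justify the spend.

```python
from dataclasses import dataclass

def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: AV x EF, where EF is the fraction lost (0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0.0 and 1.0")
    return round(asset_value * exposure_factor, 2)

def ale(single_loss, aro):
    """Annualised Loss Expectancy: SLE x ARO; ARO may be fractional (once per 5 years = 0.2)."""
    return round(single_loss * aro, 2)

@dataclass
class Control:
    name: str
    annual_cost: float
    ef_after: float    # exposure factor once the control is in place
    aro_after: float   # incidents per year once the control is in place

def control_value(asset_value, ef_before, aro_before, control):
    """Value = ALE(before) - ALE(after) - annual cost. Positive means implement."""
    before = ale(sle(asset_value, ef_before), aro_before)
    after = ale(sle(asset_value, control.ef_after), control.aro_after)
    return round(before - after - control.annual_cost, 2)

def best_control(asset_value, ef_before, aro_before, controls):
    """Rank candidate controls by value; return the best, or None if none pays off."""
    ranked = sorted(controls, key=lambda c: control_value(asset_value, ef_before, aro_before, c), reverse=True)
    top = ranked[0]
    return top if control_value(asset_value, ef_before, aro_before, top) > 0 else None

# The page's scenario: $200,000 server, fire destroys 40%, expected once every 5 years.
AV, EF, ARO = 200_000, 0.40, 0.2
# Fire suppression at $5,000/yr: assumed to cut damage to 10% at the same ARO,
# which gives the page's ALE(after) of $4,000.
SUPPRESSION = Control("fire suppression", 5_000, ef_after=0.10, aro_after=0.2)
# Constructed second candidate: an off-site replica, far rarer losses but costly.
REPLICA = Control("off-site replica", 15_000, ef_after=0.40, aro_after=0.02)

if __name__ == "__main__":
    print("SLE =", sle(AV, EF))                # 80000.0
    print("ALE =", ale(sle(AV, EF), ARO))      # 16000.0
    for c in (SUPPRESSION, REPLICA):
        print(c.name, "value =", control_value(AV, EF, ARO, c))
    print("best:", best_control(AV, EF, ARO, [SUPPRESSION, REPLICA]).name)
```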
3. Incident Response — PICERL Phases
The PICERL framework is tested in ordering questions and scenario questions constantly. Know every phase and what actions belong where.
Preparation: IR plan, playbooks, communication tree, forensic tools, tabletop exercises, jump bags. Nothing reactive — this is all before an incident.
Identification: Detect the incident (logs, alerts, reports), confirm it is a real incident (not FP), triage severity, notify stakeholders.
Containment: SHORT-TERM: Isolate affected systems (quarantine, network block). LONG-TERM: patch, segment, harden while preserving evidence. CRITICAL: Contain BEFORE Eradicate.
Eradication: Remove the threat: delete malware, close backdoors, patch the exploited vulnerability, remove compromised accounts.
Recovery: Restore from clean backup, monitor for re-infection, validate systems are clean before returning to production.
Lessons Learned: Post-incident report: what happened, timeline, what worked, what failed, updated controls. Held within 2 weeks of resolution.
4. Digital Forensics — Order of Volatility
Collect evidence from most volatile (disappears fastest) to least volatile. This is a classic ordering and scenario question.
5. Cryptography Key Facts
6. Must-Know Security+ Acronyms
| Acronym | Stands For | Context |
|---|---|---|
| PICERL | Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned | IR lifecycle |
| ALE | Annualised Loss Expectancy | Risk math = SLE × ARO |
| SLE | Single Loss Expectancy | Risk math = AV × EF |
| ARO | Annualised Rate of Occurrence | Risk math frequency |
| RTO | Recovery Time Objective | How fast systems must recover |
| RPO | Recovery Point Objective | Max acceptable data loss (time) |
| MTTR | Mean Time To Repair | Avg time to restore a system |
| MTBF | Mean Time Between Failures | Avg uptime before failure |
| CASB | Cloud Access Security Broker | Cloud traffic inspection/control |
| SASE | Secure Access Service Edge | SD-WAN + Cloud security stack |
| ZTNA | Zero Trust Network Access | Identity-based remote access |
| SOAR | Security Orchestration Automation & Response | Automated IR playbooks |
| EDR | Endpoint Detection & Response | Host-level threat detection + response |
| XDR | Extended Detection & Response | Cross-domain (endpoint, cloud, network) |
| PAM | Privileged Access Management | Credential vaulting, JIT access |
| SIEM | Security Information & Event Management | Log aggregation + correlation |
| DLP | Data Loss Prevention | Prevents unauthorised data egress |
| HSM | Hardware Security Module | Key generation/storage hardware |
| TPM | Trusted Platform Module | Chip for measured boot + BitLocker |
| DNSSEC | DNS Security Extensions | Cryptographic DNS validation |
| OCSP | Online Certificate Status Protocol | Real-time cert revocation check |
| CRL | Certificate Revocation List | Batch revocation list (vs OCSP) |
| MFA | Multi-Factor Authentication | ≥2 of: know, have, are, are-at, do |
| TOTP | Time-based One-Time Password | MFA codes (Google Authenticator) |
| HOTP | HMAC-based One-Time Password | Counter-based OTP |
| SAML | Security Assertion Markup Language | SSO standard (XML-based) |
| OIDC | OpenID Connect | SSO extension over OAuth 2.0 (JSON) |
| CVSS | Common Vulnerability Scoring System | 0–10 severity scale (9+ = Critical) |
| CVE | Common Vulnerabilities & Exposures | Vulnerability identifier |
| SBOM | Software Bill of Materials | Supply chain — component inventory |
| BIA | Business Impact Analysis | Determine critical systems + RPO/RTO |
7. Security Control Categories & Types