Introduction to Domain Two — Threats, Vulnerabilities, and Mitigations

If Domain One is the foundation of cybersecurity—built on core principles and frameworks—then Domain Two is where we start applying that knowledge to real-world threats. This is the domain where you learn what we’re actually defending against. You’ll explore how attackers operate, what kinds of vulnerabilities they target, and how defenders recognize and respond to malicious activity. If you’re someone who wants to understand how attacks really happen, what makes systems vulnerable, and how to stop threats before they spread, this is the heart of it.
Domain Two is titled Threats, Vulnerabilities, and Mitigations, and it carries the second-highest weight on the Security Plus exam at 22 percent. That’s nearly a quarter of your exam questions, and for good reason—this domain is packed with the practical knowledge every security professional needs to recognize risk and prevent damage. You’ll see terms like malware, ransomware, credential stuffing, buffer overflow, privilege escalation, distributed denial of service, phishing, smishing, zero-day, and more. And not just as definitions, but in the context of how they show up in real environments.
Let’s break this down further. The domain starts by introducing different types of threat actors. You’ll learn how to identify and differentiate nation-state hackers, insider threats, organized cybercriminal groups, hacktivists, and amateur threat actors sometimes called script kiddies. Each of these actors has different motives, different tools, and different levels of sophistication. Nation-state actors may pursue espionage or infrastructure disruption. Insiders might be driven by revenge, ideology, or simple carelessness. Understanding these motivations helps you understand what an attacker might do next—and what kind of defenses are appropriate.
You’ll also study attack surfaces and threat vectors. An attack surface is the total collection of points where an attacker can try to enter or extract data from a system. A threat vector is how they actually get in—like email, USB drives, social engineering, open ports, or poorly configured cloud services. Being able to map out where your exposures are—and how they might be exploited—is one of the most valuable skills you can develop, both for the exam and for real-world roles.
Next, this domain introduces a wide range of vulnerability types. These include memory-based vulnerabilities like buffer overflows and race conditions, operating system flaws, cryptographic misuses, insecure APIs, web application bugs, and misconfigured services. You’ll also learn about legacy systems, unpatched software, and weak authentication settings. These are the openings that attackers look for. The more you understand them, the better you’ll be at identifying, prioritizing, and mitigating them before they’re used against you.
Let’s pause for a moment and make this practical. Think of a breach you’ve seen in the news. A major retailer gets hit with malware. An employee clicks a phishing link. An attacker finds a server that’s been exposed to the internet with a default password. These are not just stories—they are exam material. The Security Plus exam will absolutely ask you about real-world attacks like these. Not with names or timelines, but in scenarios. You’ll be given a situation and asked to identify what happened, what was exploited, and how to fix it.
You’ll also explore indicators of malicious activity. These are the signs that something isn’t right. It might be unusual logins at strange hours, high outbound network traffic, unexpected system crashes, disabled antivirus software, or large numbers of failed login attempts. Being able to spot these signs and correlate them with potential attacks is essential for effective detection and response.
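To make two of these indicators concrete, here is a small detection script added as an illustration; it is not part of the original episode. It parses a handful of constructed authentication log lines (an assumed key=value format using documentation IP ranges), flags a burst of failed logins from one user and source, notes when such a burst is followed by a successful login (the pattern credential stuffing leaves behind), and flags successful logins outside assumed business hours. The field names, thresholds and hours are all assumptions a real deployment would tune to its own logs.

```python
"""Flag indicators of malicious activity over constructed auth log lines.

Added example for Domain Two study; the log format, thresholds and
business-hours window are assumptions, not taken from any product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format: ISO timestamp then key=value pairs).
# Sources use the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host=web01 user=alice event=login_ok src=198.51.100.10
2024-03-04T09:12:30Z host=web01 user=bob event=login_failed src=203.0.113.5
2024-03-04T09:12:31Z host=web01 user=bob event=login_failed src=203.0.113.5
2024-03-04T09:12:32Z host=web01 user=bob event=login_failed src=203.0.113.5
2024-03-04T09:12:33Z host=web01 user=bob event=login_failed src=203.0.113.5
2024-03-04T09:12:34Z host=web01 user=bob event=login_failed src=203.0.113.5
2024-03-04T09:12:40Z host=web01 user=bob event=login_ok src=203.0.113.5
2024-03-04T14:05:10Z host=web01 user=carol event=login_failed src=198.51.100.22
2024-03-05T02:47:09Z host=db01 user=alice event=login_ok src=203.0.113.77
2024-03-05T11:00:00Z host=db01 user=dave event=login_ok src=198.51.100.31
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    event: str
    src: str


def parse_line(line: str) -> Event:
    """Split 'TIMESTAMP k=v k=v ...' into an Event with a UTC-aware timestamp."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, fields["host"], fields["user"], fields["event"], fields["src"])


def parse_log(text: str) -> list[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Per (user, src), report the first sliding window holding >= threshold failures."""
    failures = defaultdict(list)
    for e in events:
        if e.event == "login_failed":
            failures[(e.user, e.src)].append(e.ts)
    findings = []
    for (user, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"indicator": "failed_login_burst", "user": user,
                                 "src": src, "count": end - start + 1,
                                 "last_seen": times[end]})
                break
    return findings


def success_after_burst(events, bursts, within=timedelta(minutes=5)):
    """A burst followed shortly by login_ok from the same user/src is the
    higher-severity signal: guessing or stuffing that appears to have worked."""
    findings = []
    for b in bursts:
        for e in events:
            if (e.event == "login_ok" and e.user == b["user"] and e.src == b["src"]
                    and b["last_seen"] < e.ts <= b["last_seen"] + within):
                findings.append({"indicator": "success_after_failed_burst",
                                 "user": e.user, "src": e.src, "at": e.ts})
                break
    return findings


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside the assumed business window (UTC, start <= h < end)."""
    return [e for e in events
            if e.event == "login_ok" and not (start_hour <= e.ts.hour < end_hour)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    bursts = failed_login_bursts(evts)
    for f in bursts + success_after_burst(evts, bursts):
        print(f)
    for e in off_hours_logins(evts):
        print({"indicator": "off_hours_login", "user": e.user, "host": e.host, "at": e.ts})
```

Run stand-alone it reports one failed-login burst for bob from 203.0.113.5, the successful login that followed it six seconds later, and alice's 02:47 UTC login to db01. None of these is proof of compromise on its own; the point of the exercise is correlating them, which is exactly what the exam scenarios ask you to do.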
And of course, the domain includes mitigation strategies. Knowing the threat isn’t enough—you also need to know how to stop it. That means applying patches, enforcing least privilege, using segmentation, enabling logging, implementing multifactor authentication, and disabling unnecessary services. You’ll see exam questions that describe a situation and ask, “What’s the best way to mitigate this?” In some cases, there’s more than one right answer—but only one is the best based on the context. That’s why understanding both the attack and the environment matters.
You’ll also cover human-centric threats, like social engineering, phishing, smishing, vishing, and pretexting. These techniques are designed to exploit people—not systems. The attacker might impersonate IT support, pretend to be a manager, or craft an urgent message that tricks someone into clicking a malicious link or sharing credentials. And once that door is open, technical controls may not be enough to stop what comes next.
Understanding the human element of cybersecurity is one of the most important takeaways from this domain. Attackers don’t always start with advanced code or zero-days. They start with emails, conversations, fake invoices, and messages designed to trigger fear, urgency, or curiosity. Training users to spot these tactics is just as important as configuring firewalls or deploying endpoint protection.
You’ll also explore case studies and common attack paths. For example, you’ll trace how an attacker might get a foothold through a phishing campaign, escalate privileges, move laterally through the network, and exfiltrate data. The exam won’t name specific breaches, but it will test your understanding of the patterns and steps that attackers use to compromise systems. If you can walk through an attack scenario and explain what’s happening at each phase—and how to stop it—you’re exactly where you need to be.
So why is this domain so heavily weighted? Because in real jobs, this is what you’ll face most often. Security analysts, SOC analysts, risk managers, and auditors all need to understand threats and how to respond to them. Whether you’re tuning alerts, writing policies, or reviewing logs, your ability to think in terms of threats, vulnerabilities, and mitigation will shape the value you bring to your team.
And here’s a tip. As you study this domain, look for connections. Don’t study malware in isolation. Connect it to how it’s delivered, what vulnerabilities it targets, how it behaves on a system, and what indicators it leaves behind. Don’t just memorize that phishing is bad. Learn how attackers craft believable messages and what user behaviors can break the attack chain. The more you link these ideas, the more they’ll stick—and the better you’ll do on the test and in the field.