
Jeff Porch Training Camp

CompTIA Security+ Performance Based Questions: What They Are and How to Prepare

I watch it happen every single exam cycle. A student who crushed the multiple choice practice tests walks into their Security+ exam confident, hits the first question, and completely freezes. It is not a multiple choice question. It is a simulated firewall interface asking them to drag access control rules into the right order. They have never touched anything like it before. That frozen feeling costs them precious minutes they will not get back, and sometimes it costs them the entire exam.

Performance Based Questions, or PBQs, are the part of the CompTIA Security+ exam that separates people who memorized flashcards from people who actually understand security. After years of designing our Security+ bootcamp curriculum, I can tell you that PBQ readiness is the single biggest predictor of whether someone passes or fails on their first attempt. The good news? Once you understand what PBQs actually are and how to approach them, they become a lot less scary.

PBQs are widely understood to carry more weight than individual multiple choice questions, although CompTIA does not publish the exact weighting. You cannot afford to skip them, guess blindly, or treat them as optional. They are designed to prove you can actually do the job.

What Exactly Are Performance Based Questions?

A performance based question is an interactive simulation that puts you inside a simplified version of a real tool or environment. Instead of reading a scenario and picking answer A through D, you are actually doing something. You might be configuring firewall rules in a simulated interface, analyzing entries in a log file, matching security controls to a network diagram, or troubleshooting a wireless access point configuration. The simulation is not the full software you would use on the job, but it is close enough that you need to understand how the real thing works to complete the task.

CompTIA uses two types of PBQs. Simulations give you an approximated version of a tool or interface with limited functionality, but enough for you to demonstrate that you know what you are doing. These have a reset button so you can start over if you make a mess of things, and your work is saved if you skip ahead and come back later. Virtual environment PBQs put you inside an actual operating system or application running on a virtual machine. These are the real deal with full functionality, which means you can also go completely off track if you are not careful. Unlike simulation PBQs, you cannot skip virtual environment questions and return to them.

On the SY0 701 exam, most candidates report seeing three to five PBQs, though the official range is anywhere from one to ten. They typically show up right at the beginning of the exam, which is why that frozen feeling I mentioned earlier is so common. You sit down expecting to ease into things and immediately get hit with the hardest format.

Why CompTIA Uses PBQs (And Why You Should Be Glad They Do)

I know this might sound strange coming from someone who watches students struggle with PBQs constantly, but I genuinely believe they make the Security+ a better certification. Here is why. Multiple choice questions can only test whether you recognize a correct answer when you see it. PBQs test whether you can produce the correct answer from scratch. That is a fundamentally different skill, and it is the one that actually matters when you show up to work on Monday morning.

Think about it from an employer’s perspective. Would you rather hire someone who can identify the correct firewall rule from a list of four options, or someone who can actually write the correct firewall rule when handed a blank configuration? Employers trust Security+ precisely because it includes this hands on component. It is part of what makes the certification worth pursuing in the first place. Over 700,000 professionals hold the Security+ credential, and the PBQ component is a big reason it carries weight with hiring managers and meets DoD 8570 and 8140 requirements.

PBQs also allow for partial credit. CompTIA does not publish the exact scoring formula, but it is widely understood that getting part of a PBQ correct earns you some points rather than zero. So even if you cannot complete the entire simulation perfectly, every correct step you take matters. That is a much more realistic assessment of skill than a binary right or wrong answer.

The PBQ Topics You Are Most Likely to See

CompTIA does not publish exactly which PBQs appear on any given exam form. They rotate questions and each candidate gets a slightly different mix. But after training thousands of students through the Security+ exam, I have a pretty clear picture of the recurring patterns. The PBQ topics cluster around tasks that a junior security professional would actually perform on the job, which makes sense when you think about what the certification is supposed to validate.

🔧 Common PBQ Categories on Security+ SY0 701

FIREWALL RULES

You are given a simplified firewall interface and a set of requirements. Your job is to create or reorder access control rules that allow legitimate traffic while blocking everything else. You need to understand rule order, implicit deny, port numbers, and protocols. This is probably the most common PBQ type.

NETWORK DIAGRAMS

You see a network layout with different zones, servers, and devices. The question asks you to drag security controls (firewalls, IDS/IPS, proxy servers, VPN concentrators) to the correct locations. Understanding network segmentation, DMZ architecture (which the SY0 701 objectives call a screened subnet), and where controls logically belong is essential. A sensor dropped on the wrong side of a firewall, for example, sees the wrong traffic.

LOG ANALYSIS

You are presented with a set of log entries from a system, application, or network device. You need to identify the security event taking place, such as a brute force attempt, unauthorized access, or malware communication. Knowing what normal looks like makes it possible to spot what is abnormal.
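As an added example, not from the original post, here is the check a log analysis PBQ expects you to do by eye, written out in Python: parse a few constructed sshd entries, count failed logins per source address inside a short window, and flag a source that crosses a threshold, especially when a successful login from that same source follows. The log lines, host name, addresses, threshold and window are all constructed for illustration.

```python
"""Added example, not part of the original post: brute-force detection over
constructed sshd log lines. Threshold and window are assumed values."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one internal key login, one external burst, one internal typo.
SAMPLE_LOG = """\
Mar 10 09:14:01 bastion sshd[2201]: Accepted publickey for alice from 10.0.1.15 port 51022 ssh2
Mar 10 09:15:10 bastion sshd[2215]: Failed password for root from 203.0.113.7 port 40100 ssh2
Mar 10 09:15:12 bastion sshd[2216]: Failed password for root from 203.0.113.7 port 40101 ssh2
Mar 10 09:15:13 bastion sshd[2217]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Mar 10 09:15:15 bastion sshd[2218]: Failed password for root from 203.0.113.7 port 40103 ssh2
Mar 10 09:15:16 bastion sshd[2219]: Failed password for invalid user oracle from 203.0.113.7 port 40104 ssh2
Mar 10 09:15:18 bastion sshd[2220]: Failed password for root from 203.0.113.7 port 40105 ssh2
Mar 10 09:15:21 bastion sshd[2221]: Accepted password for root from 203.0.113.7 port 40106 ssh2
Mar 10 09:40:02 bastion sshd[2301]: Failed password for bob from 10.0.1.22 port 51300 ssh2
Mar 10 09:40:30 bastion sshd[2302]: Accepted password for bob from 10.0.1.22 port 51301 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(log_text: str, year: int = 2024) -> list:
    """Return (timestamp, result, user, ip) for each sshd auth line; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real parser would at least count these
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_brute_force(events, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag any source with >= threshold failures inside a sliding window.

    Returns ip -> {"failures": count, "users": names tried, "success_after": user or None}.
    A non-None success_after means the guessing worked, which is the finding to report first.
    """
    recent = defaultdict(list)  # ip -> [(timestamp, user)] failures still inside the window
    findings = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": set(), "success_after": None})
                f["failures"] = len(recent[ip])
                f["users"] = {u for _, u in recent[ip]}
        elif result == "Accepted" and ip in findings:
            findings[ip]["success_after"] = user
    return findings


if __name__ == "__main__":
    for ip, f in detect_brute_force(parse(SAMPLE_LOG)).items():
        print(ip, f)
```

The telling detail is the pattern rather than the raw count: many failures against several user names from one external address within seconds, followed by a success. Bob's single failed password from an internal address is the normal background you should recognize and leave alone. A PBQ may hand you firewall or web server logs instead, but the approach is the same: know what normal looks like, then count what deviates from it.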

WIRELESS CONFIG

You configure a wireless access point with the appropriate security settings. This usually involves selecting the right authentication protocol (WPA3 Enterprise, which authenticates each user through 802.1X against a RADIUS server, vs. WPA3 Personal, which relies on a shared passphrase), choosing the correct encryption standard (AES based, never WEP or TKIP), and setting up proper SSID and access controls.

CERTIFICATE MGMT

You are given a PKI scenario and need to select the correct certificate type, configure certificate attributes, or troubleshoot a certificate error. Understanding the difference between a wildcard certificate (one level of subdomain under a single domain, such as *.example.com), a SAN certificate (several explicit host names listed in one certificate), and a self signed certificate (signed with its own key, so no client trusts it until it is explicitly installed) is critical.

Notice a pattern? Every one of these tasks maps directly to something a real security professional does on the job. CompTIA is not trying to trick you. They are trying to verify that you can do the actual work. If you can configure a real firewall, the PBQ version will feel familiar. If you have only read about firewalls in a textbook, the PBQ version will feel completely foreign.

The Time Management Problem Nobody Warns You About

The Security+ SY0 701 exam gives you 90 minutes for up to 90 questions. Quick math says that is about one minute per question. But that math is dangerously misleading because PBQs do not take one minute. A single PBQ can easily take five to fifteen minutes depending on complexity. If you spend twelve minutes on each of four PBQs, that is 48 minutes gone before you even reach the multiple choice section. You would have 42 minutes left for roughly 85 questions. That is about 30 seconds each. Not ideal.

This is the trap that catches well prepared students who simply did not practice their pacing. They know the material. They can solve the PBQ if given unlimited time. But they burn through half the clock on the first four questions and then rush through everything else, making careless mistakes on questions they absolutely knew the answers to.

Here is the pacing approach I teach my students. When you hit a PBQ, give yourself about two minutes to read the instructions carefully and assess whether you know how to solve it. If you do, work through it efficiently but do not rush. If it feels confusing or you are not sure where to start, flag it and move on immediately. Complete all of the multiple choice questions first, which should take roughly 45 to 50 minutes if you are well prepared. Then return to the flagged PBQs with whatever time you have remaining. Your simulation work is saved when you skip ahead, so you will not lose any progress.

One thing that trips students up: the exam timer can disappear during PBQ simulations on some testing platforms. Do not assume you can see the clock at all times. I tell my students to glance at the time before entering a PBQ and set a mental limit. If you have been working on the same PBQ for more than eight minutes and you are still stuck, move on and come back later.

How to Actually Prepare for PBQs

This is where most study plans fall short. People buy a book, memorize the objectives, run through a thousand multiple choice practice questions, and call it done. Then they are blindsided by the PBQs because nothing they studied looked or felt like a simulation. Preparing for PBQs requires a different approach than preparing for multiple choice, and you need to start early rather than treating it as something to worry about the week before the exam.

Get Your Hands on Real Tools

The single best thing you can do to prepare for PBQs is to use the actual tools and technologies the exam simulates. Set up a home lab with a couple of virtual machines. Install pfSense or any free firewall and practice creating rules. Open Wireshark and learn to read packet captures. Configure a wireless access point. Generate and examine certificates using OpenSSL. None of this requires expensive equipment. A laptop that can run VirtualBox and a couple of free operating system images is enough to get started.

The goal is not to become an expert in every tool. The goal is to get comfortable with the general feel of these interfaces so that the exam simulation does not disorient you. When you have actually typed firewall rules into a real system, the exam simulation just feels like another Tuesday. When you have only read about firewall rules, the simulation feels like a foreign language.

Memorize Your Port Numbers

I know this sounds old school, but port numbers are absolutely essential for firewall PBQs. If the simulation tells you to allow HTTPS traffic and block Telnet, you need to know instantly that HTTPS is port 443 and Telnet is port 23. There is no time to sit there trying to remember. The common ports you should have cold include FTP on 21, SSH on 22, Telnet on 23, SMTP on 25 and 587, DNS on 53, HTTP on 80, Kerberos on 88, POP3 on 110 and 995, NTP on 123, IMAP on 143 and 993, SNMP on 161 (traps on 162), LDAP on 389, HTTPS on 443, SMB on 445, syslog on 514, LDAPS on 636, Microsoft SQL Server on 1433, and RDP on 3389. You will also want to know the difference between TCP and UDP for protocols that use both, like DNS (UDP for ordinary queries, TCP for zone transfers and large responses), and which ones are UDP only in their traditional form, like NTP, SNMP, and syslog.

Make a flashcard set and drill them until they are automatic. This is not the most exciting study advice, but it will save you real time and stress on PBQ questions that require you to write or evaluate rules referencing specific services.

Read the Instructions Twice

PBQ instructions are detailed for a reason. They tell you exactly what the scenario requires and what constraints you are working within. Students who skim the instructions and jump straight into the simulation almost always miss something important. Maybe the instructions specify that you should only allow traffic from a specific subnet. Maybe they tell you that a certain server needs to be accessible from the internet but not from the internal network. These details change the correct answer entirely.

I tell my students to read the instructions, then read them again, and then start working. That extra 30 seconds of reading saves minutes of going down the wrong path and having to hit reset.

Use CompTIA’s Official Sample PBQs

CompTIA publishes sample PBQs on their website with answer keys. These are not actual exam questions, but they show you the exact format and interaction style you will encounter. Spend time with these samples until the interface feels natural. Pay attention to how you interact with the simulation: how to drag items, how to select options, how to navigate between tabs within the PBQ. Getting comfortable with the mechanics means your brain can focus entirely on the content when you are sitting in the testing center.

A note on practice resources: Avoid anything claiming to offer “real PBQs from the exam.” Those are brain dumps, and CompTIA actively bans candidates caught using them. Beyond the ethical and policy issues, brain dump questions often contain errors and teach you incorrect procedures. Stick with legitimate practice question resources and hands on lab work. You will learn more and you will not risk your certification status.

Walking Through a PBQ Scenario

Let me walk you through how to think about a typical firewall PBQ, since it is the type students struggle with most. I cannot share actual exam content, but I can show you the thought process using a realistic example.

Imagine the instructions say: “A company needs to allow web traffic from the internet to its web server in the DMZ, allow internal users to browse the internet, allow the web server to query the internal database server on port 1433, and deny all other traffic.” You are given a firewall rule table with blank rows.

Step one: identify the zones involved. You have the internet (untrusted), a DMZ (semi trusted), and an internal network (trusted). Step two: translate each requirement into a rule. Internet to DMZ web server on ports 80 and 443, allow. Internal network to internet on ports 80 and 443, allow. DMZ web server to internal database on port 1433, allow. Everything else, deny. Step three: consider rule order. Firewalls process rules top to bottom and stop at the first match. Your specific allow rules need to come before the deny all rule at the bottom. If you put the deny all rule first, nothing else matters because all traffic gets blocked before reaching your allow rules.

Step four: double check your work against the original requirements. Did you cover every stated need? Did you accidentally allow something the instructions did not mention? Is the deny all rule at the bottom? A real browsing setup would also need DNS, but the PBQ is graded against its stated requirements, so resist adding rules the scenario did not ask for. This systematic approach keeps you from guessing and ensures you earn partial credit even if you get one rule slightly wrong.
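To make the ordering point concrete, here is an added example in Python (not part of the original post) that evaluates the rule table from the walkthrough with first-match semantics and runs the step four check as code. The zone address ranges, the web and database server addresses, and the test traffic are assumptions chosen for illustration.

```python
"""Added example, not part of the original post: a first-match firewall rule
evaluator for the DMZ scenario walked through above. The zone address ranges,
host addresses and packet format are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing. Specific zones come first so the internet catch-all loses to them.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}
WEB_SERVER = "192.0.2.10"  # assumed DMZ web server
DB_SERVER = "10.0.5.20"    # assumed internal database server


def zone_of(ip: str) -> str:
    """Map an address to its zone using the ZONES order above."""
    addr = ipaddress.ip_address(ip)
    return next(name for name, net in ZONES.items() if addr in net)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # zone name, host address, or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port

    @staticmethod
    def _side_matches(spec: str, ip: str) -> bool:
        return spec == "any" or spec == ip or spec == zone_of(ip)

    def matches(self, pkt: dict) -> bool:
        return (self._side_matches(self.src, pkt["src"])
                and self._side_matches(self.dst, pkt["dst"])
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def evaluate(rules, pkt: dict) -> str:
    """Top to bottom, first match wins; no match falls through to the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The four requirements translated into rules, specific allows above the deny-all.
CORRECT = [
    Rule("allow", "internet", WEB_SERVER, "tcp", 80),
    Rule("allow", "internet", WEB_SERVER, "tcp", 443),
    Rule("allow", "internal", "internet", "tcp", 80),
    Rule("allow", "internal", "internet", "tcp", 443),
    Rule("allow", WEB_SERVER, DB_SERVER, "tcp", 1433),
    Rule("deny", "any", "any", "any", None),
]
# The same rules with deny-all moved to the top: the classic ordering mistake.
WRONG_ORDER = [CORRECT[-1]] + CORRECT[:-1]

# Step four as code: constructed test traffic and the verdict each requirement implies.
REQUIREMENTS = [
    ("internet -> DMZ web HTTPS", {"src": "203.0.113.5", "dst": WEB_SERVER, "proto": "tcp", "dport": 443}, "allow"),
    ("internal -> internet HTTP", {"src": "10.0.1.15", "dst": "198.51.100.7", "proto": "tcp", "dport": 80}, "allow"),
    ("web -> DB 1433", {"src": WEB_SERVER, "dst": DB_SERVER, "proto": "tcp", "dport": 1433}, "allow"),
    ("internet -> DMZ web Telnet", {"src": "203.0.113.5", "dst": WEB_SERVER, "proto": "tcp", "dport": 23}, "deny"),
    ("internet -> internal DB 1433", {"src": "203.0.113.5", "dst": DB_SERVER, "proto": "tcp", "dport": 1433}, "deny"),
    ("internal -> DMZ web HTTP", {"src": "10.0.1.15", "dst": WEB_SERVER, "proto": "tcp", "dport": 80}, "deny"),
]


def check(rules) -> list:
    """Return the names of requirements the rule set gets wrong (empty list means all covered)."""
    return [name for name, pkt, want in REQUIREMENTS if evaluate(rules, pkt) != want]


if __name__ == "__main__":
    print("correct order misses:", check(CORRECT))
    print("deny-all first misses:", check(WRONG_ORDER))
```

Running it shows the correct set passing every check, while the same rules with deny all moved to the top fail all three allow requirements, which is exactly the mistake the step three warning describes. The last test case is the "did you accidentally allow something" question: internal hosts reaching the DMZ web server is not in the requirements, so it must be denied, and the evaluator confirms the rule set does not let it through.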

Common Mistakes That Cost People Points

After debriefing with thousands of students after their exams, I see the same PBQ mistakes come up repeatedly. Knowing what to avoid is almost as valuable as knowing what to do.

The most common mistake is not reading instructions completely. I already mentioned this, but it bears repeating because it accounts for more lost points than any knowledge gap. Students glance at the first sentence, think they know what the question is asking, and start configuring. Then they realize halfway through that they misunderstood the scenario. Now they have to reset and start over, burning precious time.

The second most common mistake is spending too long on a single PBQ. Perfectionism is the enemy here. If you have completed 80% of a PBQ but the last 20% has you stuck, move on. You likely already earned most of the available partial credit. Spending another ten minutes chasing the last few points means sacrificing time you could spend on multiple choice questions worth just as many points total.

Third, students panic when the simulation interface looks different from what they practiced with. Every firewall interface looks slightly different. Every log viewer has its own layout. The underlying concepts are the same regardless of the interface. If you understand how firewall rules work, you can figure out any firewall interface. Do not let unfamiliar buttons or layouts shake your confidence. Take a breath, read the labels, and apply what you know.

Finally, some students forget that the reset button exists. If you have gone down the wrong path and your firewall rules are a tangled mess, hitting reset gives you a clean slate. It is much faster than trying to untangle a broken configuration one rule at a time.

Exam Day Strategy for PBQs

Here is the exact exam day approach I recommend to every Security+ candidate. When the exam starts and you see your first PBQ, take ten seconds to breathe. Do not start clicking immediately. Read the instructions thoroughly. If you recognize the task and feel confident, complete the PBQ. Aim to spend no more than five to seven minutes per PBQ. If you are unsure or the PBQ seems complex, flag it and skip to the multiple choice section.

Work through the multiple choice questions at a steady pace. Most well prepared candidates can answer these in 30 to 45 seconds each. Flag anything you are unsure about and keep moving. Do not agonize over a single multiple choice question when there are PBQs waiting for your attention at the end.

Once you have finished the multiple choice pass, check your remaining time. Go back to any flagged PBQs and work through them with whatever time you have left. Then review any flagged multiple choice questions. This approach ensures you attempt every question on the exam rather than getting stuck on PBQs and running out of time for the easier questions at the end.

Remember that the passing score for Security+ SY0 701 is 750 on a scale of 100 to 900. Dividing 750 by 900 gives the 83% figure that gets repeated everywhere, but CompTIA uses scaled scoring that adjusts for question difficulty, so the raw percentage you actually need is not published and varies between exam forms. You do not need a perfect score. You need a solid score across both question types. Neglecting PBQs will make passing extremely difficult because of how heavily they are weighted. But obsessing over PBQs at the expense of everything else is equally dangerous.

Building PBQ Confidence Through Your Study Plan

The students who handle PBQs best are never the ones who crammed the night before. They are the ones who integrated hands on practice into their study plan from the very beginning. Here is how I suggest structuring your preparation so that PBQs feel like a natural extension of what you already know rather than a surprise on exam day.

During the first few weeks of studying, focus on understanding concepts. Read about firewall rules, network architecture, authentication protocols, and encryption. But as soon as you learn a concept, find a way to practice it. When you study firewall rules in your book, go set up a pfSense VM and write those same rules in a live interface. When you learn about certificate types, use OpenSSL to actually generate a self signed certificate and examine its contents. Every time you turn a concept into a hands on task, you are building PBQ readiness without even thinking about it.

In the final two weeks before your exam, shift your focus to timed practice. Run through PBQ style exercises with a timer. Give yourself seven minutes per exercise and see if you can complete the task accurately within that window. This builds the speed and confidence you need on exam day. It also reveals any knowledge gaps while there is still time to fill them.

🎯 What It Comes Down To

PBQs are not the enemy. They are your opportunity to prove that you actually know this material at a level deeper than memorization. The candidates who struggle with PBQs are almost always the ones who relied entirely on book study and multiple choice practice. The ones who pass comfortably are the ones who spent time with real tools, practiced under time pressure, and walked into the testing center knowing what to expect. You do not need to be a seasoned security engineer to handle PBQs. You just need to be someone who has touched the tools, read the instructions carefully, and managed your time. That is genuinely it. Prepare properly, stay calm, and trust the work you put in.