CompTIA Security+ Performance Based Questions for 2024


What awaits you on exam day is a majority of multiple-choice questions and a significantly weighted minority of a special type of question: the CompTIA Security+ performance-based questions (PBQs). They may be the toughest part of this certification exam. How should you go about solving them?

Look no further: This article is the answer you’re seeking. We start with an introduction to PBQs, what they look like, what topics they cover, and our best tips for approaching them. By the end of this article, you’ll understand more clearly what to do when faced with these challenging questions in the Security+ exam.

The ability to nail each performance-based question quickly and accurately is crucial to excellence in the Security+ exam. Don’t forget to share this article with a fellow student after reading it. Without further ado, let’s dive in.

What Are Performance-Based Questions?

Multiple-choice questions dominate the Security+ certification exam, and they may have single or multiple answers. A good grasp of the study material and appropriate test-taking skills will help you excel in them.

A huge reason for the recognition CompTIA certifications enjoy is their inclusion of PBQs. PBQs assess your practical skills in cyber security. Excellence in your lab work demonstrates competence.

As a Security+ candidate, you don’t get physical machines to work on; instead, you solve the graded lab work (the PBQs) on the monitor on which you take your exam. Such PBQs are called simulations (simulation PBQs). You may return to them anytime during the exam, and you may reset each simulation PBQ you want to redo.

How Many Performance Based Questions Can I Expect?

The Security+ exam has at most 90 questions, and you have 90 minutes to complete the exam, but this doesn’t mean your answering speed should be a question every minute. This is because PBQs require additional thinking. You’d spend more time on PBQs and less on multiple-choice questions.

Between one and 10 PBQs appear at the start of the exam, and the typical expectation is four to five. Some PBQs may take more time than others, but you won’t know which ones would be challenging in advance. Therefore, manage your time in your practice tests accordingly.

How Are Performance Based Questions Scored?

Each Security+ exam is 90 minutes long and has a maximum of 90 questions. Therefore, the more PBQs you get, the fewer multiple-choice questions you have.

The official stance of CompTIA is that exam questions and the scoring scheme are confidential. However, CompTIA accepts multiple approaches to solving PBQs, and the scoring scheme addresses different possible methods and may award partial credit. You don’t have to solve a PBQ a certain way out of fear that all other alternative correct answers give you no points.

What Do Security+ Performance Based Questions Look Like?

A PBQ fills the screen. It contains instructions and several buttons: the next/previous buttons are for navigating between questions, and the reset button is for returning to the initial configuration of a question if you mess it up and want a clean slate on which to work.

In simulation PBQs like the ones you find in Security+, you may hide the instructions if you want to see the entire PBQ layout and bring them back up if you want to reread them and recall what you need to do.

PBQs come in several variations:

  • Fill-in-the-blank: This is a simple question in which you fill in the answers;
  • Drag-and-drop: In this type of question, you drag items, such as images or text boxes, into specified places within a larger image, such as a table;
  • Scenario/Performance-based: This is a detailed question where you have open dialog boxes or other configuration windows. Your role is to configure the various elements in the question as the instructions require.

Such questions are versatile, and you may see different topics manifest in all three formats, along with checkboxes, dropdown menus, radio buttons, and other dynamic elements that you can find in web forms.

Familiarity with the fundamentals translates into nailing the right answers quickly during the exam. Therefore, it’s vital to master the key concepts in Security+ through diligent study and practice instead of obsessing over specific techniques for tackling the various ways these concepts present themselves in the PBQs.

What Skills Are Tested in Security+ Performance Based Questions?

As the main purpose of PBQs is to assess whether your practical skills meet the industry standard of an entry-level cyber security professional, PBQs test your real-life problem-solving skills in many areas, such as the following:

  • Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions.
  • Monitor and secure hybrid environments, including cloud, mobile, and IoT.
  • Operate with an awareness of applicable laws and policies, including governance, risk, and compliance principles.
  • Identify, analyze, and respond to security events and incidents.

Specifically, the PBQs may ask you to demonstrate your knowledge in various situations, explain security concepts, or justify security measures.

Review your material with practical applications in mind, and make sure you solve as many Security+ PBQs in practice tests as is necessary to consolidate your learning.

Sample Security+ Performance Based Questions

As CompTIA keeps its exam questions confidential, the following sample Security+ PBQs are not actual exam questions, but they’re typical of what you can expect during your Security+ exam. The more familiar you are with them, the fewer unwanted surprises you’ll encounter on exam day.

We’ll display a sample of each type of PBQ below as illustrations of what test takers might expect in the Security+ exam, from the easiest to the hardest, from the rarest to the most common. These questions sometimes come with clickable supporting diagrams.

Fill-In-The-Blank Question

This type of PBQ is relatively rare but the simplest to understand. The following example illustrates what a fill-in-the-blank PBQ looks like, with additional follow-up questions to test your practical understanding:

Fill in the blank PBQ

This fill-in-the-blank question asks you to fill in information about the RAID configuration. Attention to detail is key: apart from technical details, you must spell “yes” or “no” correctly in some text boxes, or you won’t get points.

Now that we’re done looking at fill-in-the-blank questions, we’ll move on to the next type of PBQ: the drag-and-drop question.

Drag-And-Drop Question

This type of question includes matching and rearranging answers in the correct order. The following PBQ assesses your knowledge of the CompTIA Security+ incident response steps, which are a fundamental part of the CompTIA Security+ curriculum:

Drag and drop PBQ

From the instructions, you can tell that you’ll have a drag-and-drop PBQ. Getting full marks for this PBQ is elementary if you know the procedures.

The next type of PBQ, the scenario, is arguably the one that most Security+ candidates expect and prepare for whenever they think of PBQs.

Scenario Question

The most practical of Security+ PBQs, the scenario PBQ assesses your hands-on cyber security skills. To a well-prepared Security+ candidate, scenario PBQs are nothing to be afraid of and are great opportunities to demonstrate your expertise, such as:

  • Configuring a wireless access point (WAP),
  • Implementing security controls based on logs,
  • Mapping a network where you’re putting firewalls in the right place, and
  • Installing intrusion detection systems in the right place.

Most scenario questions can be quite involved. The only sample PBQ CompTIA offers is a networking problem, which falls well within the scope of Security+. This example encompasses the Security+ PBQs that test your knowledge of access control lists (ACLs) and the command prompt, both of which are important assessment objectives of Security+ PBQs.

We’ll walk through this particular PBQ step by step to illustrate how to solve it:

CompTIA demonstration simulation PBQ

As a novice, you might notice that you could click on each of the buttons labeled “Workstation 1” and “Workstation 2” and input terminal commands such as ipconfig:

CompTIA demonstration simulation PBQ: ipconfig

The button labeled “Router” is also clickable, and it has information about its network interfaces:

CompTIA demonstration simulation PBQ: network interfaces

The other tab in the “Router” window is the Access Control List (ACL):

CompTIA demonstration simulation PBQ: Access Control List (ACL)

The instruction says one of the executives cannot access “” and we have two workstations. A ping from each of the two workstations to “” reveals that only “Workstation 2” has this issue:

CompTIA demonstration simulation PBQ: ping

We make the following observations from the information above:

  • “Workstation 1” and “Workstation 2” are on the network eth3, which has an address of;
  • “Workstation 1” has an IPv4 address of;
  • “Workstation 2” has an IPv4 address of;
  • The ACL makes use of subnetting;
  • At least one of the allow/deny rules in the ACL is causing the connectivity issue mentioned above;
  • Your task is to find such a rule (or rules) and remove it (them) so that “Workstation 2” can reconnect to the Internet.
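To see how a subnet-based rule can block one workstation but not another on the same network, here is an added example (not CompTIA's code and not the simulation's data). It assumes the ACL is evaluated top-down with the first matching rule winning; the addresses, rules and function names are constructed for illustration.

```python
import ipaddress

# Constructed ACL (action, source, destination), evaluated top-down.
# Assumption: first match wins; the real simulation's rules are not shown here.
ACL = [
    ("deny",  "10.10.3.128/25", "any"),  # covers only the upper half of the /24
    ("allow", "10.10.3.0/24",   "any"),
    ("deny",  "any",            "any"),  # explicit default deny
]

def _matches(pattern, ip):
    """True if ip falls inside the rule's subnet (or the rule says 'any')."""
    return pattern == "any" or ip in ipaddress.ip_network(pattern)

def first_match(acl, src, dst):
    """Return (index, action) of the first rule matching src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rule_src, rule_dst) in enumerate(acl):
        if _matches(rule_src, s) and _matches(rule_dst, d):
            return i, action
    return None, "deny"  # implicit deny when no rule matches

def blocking_rules(acl, src, dst):
    """Original indices of the rules that must go before src -> dst is allowed.

    Returns [] if traffic is already allowed, None if no allow rule ever matches.
    """
    remaining = list(enumerate(acl))
    removed = []
    while True:
        idx, action = first_match([rule for _, rule in remaining], src, dst)
        if action == "allow":
            return removed
        if idx is None:
            return None
        removed.append(remaining[idx][0])
        del remaining[idx]

if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed destination (documentation range)
    for name, ip in (("Workstation 1", "10.10.3.20"), ("Workstation 2", "10.10.3.200")):
        print(name, first_match(ACL, ip, internet), blocking_rules(ACL, ip, internet))
```

Both constructed workstations sit in the same /24, yet only the one whose address falls inside the narrower /25 hits the deny rule first, which is the kind of detail to look for when reading the simulation's ACL tab.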

Try this question by yourself. CompTIA has provided an answer key to check where your answer might have fallen short.

What Is the Best Way to Approach the Security+ Performance Based Questions?

You’ll see PBQs first and the multiple-choice questions later. Should you do them first or last? The answer depends on what kind of test taker you are, and this highlights the importance of practice tests.

  • If, according to your experience in your practice tests, you’re worried about losing points heavily because you don’t have enough time to complete the PBQs, do them first.
  • If you excel in the multiple-choice questions and have ample time to finish the PBQs, you may do PBQs last.

If your mind goes blank at a PBQ, you can come back to it later in the exam: all you need to do is use the “Mark Question” option on the PBQ and review it afterward. The only caveat is that marking the question for review doesn’t mean you’ve answered it, so you must look at the questions you’ve marked before the time is up.

You must read the instructions carefully to answer correctly in both cases above. If you make a mistake, remember you can reset the simulation, although you can’t regain any time lost. Ultimately, the best way to handle Security+ PBQs is the one that works for you.


While Security+ is by no means easy, it’s within the ability of anyone willing to put in the time and effort. We hope this article on CompTIA Security+ performance-based questions gives you an extra boost when you attempt this exam, and you can proudly show that you’re Security+ Certified and launch your IT security career.

If you’re interested in a selection of high-quality exam preparation courses and practice tests for Security+ and beyond, consider joining our Member Section here, look for the following courses, and join our community of students and mentors on the inside. Good luck on exam day!

  • Cassandra Lee

    Cassandra is a writer, artist, musician, and technologist who makes connections across disciplines: cyber security, writing/journalism, art/design, music, mathematics, technology, education, psychology, and more. She's been a vocal advocate for girls and women in STEM since the 2010s, having written for Huffington Post, International Mathematical Olympiad 2016, and Ada Lovelace Day, and she's honored to join StationX. You can find Cassandra on LinkedIn and Linktree.