Master all five Security+ SY0-701 domains through the four nations — from cryptographic bending arts to governance scrolls of the Earth Kingdom. The four elements guide your path to certification.
All five exam domains with objective numbers and key topic tags.
Domain 1: General Security Concepts (Objectives 1.1 · 1.2 · 1.3 · 1.4)
CIA Triad · AAA Framework · Security Controls · Cryptography · PKI · Symmetric/Asymmetric · Hashing & Salting · Zero Trust · Change Management · Digital Signatures · Honeypots · Non-repudiation
Domain 2: Threats, Vulnerabilities, and Mitigations (Objectives 2.1 · 2.2 · 2.3 · 2.4 · 2.5)
Threat Actors · Social Engineering · Phishing/Vishing · Malware Types · DDoS · SQL Injection · XSS · Ransomware · Zero-Day · Hardening · Segmentation · Least Privilege
Domain 3: Security Architecture (Objectives 3.1 · 3.2 · 3.3 · 3.4)
Cloud Models · DMZ/Screened Subnet · VLAN · Air Gap · Firewall Types · IDS/IPS · VPN/SD-WAN · Data States · RTO/RPO · Hot/Warm/Cold Site · Zero Trust Architecture · Defense in Depth
Domain 4: Security Operations (Objectives 4.1 · 4.2 · 4.3 · 4.4 · 4.5 · 4.6 · 4.7 · 4.8 · 4.9)
IAM/SSO/MFA · RBAC/ABAC · SIEM/SOAR · EDR/XDR · Incident Response · Digital Forensics · Vulnerability Mgmt · Threat Hunting · Log Analysis · Automation · DLP · Chain of Custody
Domain 5: Security Program Management and Oversight (Objectives 5.1 · 5.2 · 5.3 · 5.4 · 5.5 · 5.6)
Governance · Risk Management · Compliance · Vendor Risk · Audit/Assessment · Pen Testing · Security Awareness · BIA/BCP · Privacy Laws · SLA/MOU/NDA
One mnemonic per domain, opening one accordion at a time.
A·A·N·G = Authentication · Authorization · Non-repudiation · Governance
CIA Triad: Confidentiality (only Aang knows the Avatar State trigger), Integrity (scroll authenticity verified by monks), Availability (spirit world access when needed).
Controls: Preventive (walls), Detective (seismic SIEM alerts), Corrective (restoration bending), Deterrent (fire nation patrols), Compensating (redirect if main gate fails).
Cryptography: Symmetric (shared temple key), Asymmetric (Avatar's public seal + private meditation key), PKI (White Lotus Society as CA), Salting (adding random chi to each password hash).
Which cryptographic concept uses a public key to encrypt and a private key to decrypt?
S·O·Z·I·N = Social Engineering · On-path Attacks · Zero-Day · Injection · Nation-State
Threat Actors: Fire Nation = Nation-State APT. Azula = Sophisticated insider/APT. Dai Li = Organized crime with state backing. Wan Shi Tong = Hacktivist (withholds knowledge as leverage).
Malware: Azula's lightning = Ransomware (fast, demands surrender). Fire nation virus = Worm (self-propagating). Dai Li agents = Rootkits (hidden, persistent, high privilege).
Mitigations: Segmentation (four nations), Hardening (Ba Sing Se walls), Least Privilege (bending roles), Patching (fixing wall gaps), Monitoring (Toph's seismic SIEM).
A threat actor pretends to be a Water Tribe healer to gain access to Ba Sing Se medical records. This is:
A·P·P·A = Architecture Models · Perimeter Controls · PKI/Encryption · Availability/Resilience
Network Zones: Ba Sing Se's three rings = Defense in Depth. Outer wall = DMZ. Middle ring = Internal LAN. Palace = Air-gapped highly restricted zone requiring separate auth at each layer.
Cloud Models: Air Nomads (stateless, mobile) = Serverless/Cloud-native. Earth Kingdom (heavy infrastructure it runs itself) = IaaS (the provider supplies the ground; you still manage the OS and everything on it). Fire Navy fleet (standardized ships you outfit) = PaaS. White Lotus (a service you join rather than something you run) = SaaS.
Resilience: Spirit Oasis = Hot Site. Iroh's backup teahouse = Warm Site. Empty outpost = Cold Site. RTO/RPO = recovery commitments after Fire Nation invasion.
Ba Sing Se's three-ring concentric wall system best maps to which security principle?
I·R·O·H = Identity/Access Mgmt · Response (IR) · Operations (SIEM/EDR) · Hardening
IAM: RBAC (bending roles), MFA (White Lotus riddle = something you know, physical presence = somewhere you are, bending = something you are: three distinct factor types, not three passwords), SSO (Avatar State grants all-element access instantly), Least Privilege (soldiers bend only their element).
Monitoring: Toph's seismic sense = SIEM. Zuko tracking Aang = Threat Hunting. Sokka's war room = SOC. CVSS scores = severity rating of each gap in the wall (how exploitable a vulnerability is and how much damage it allows), not a rating of the attacker.
IR Lifecycle: Prep (training) → Detection (scout sighting) → Analysis (confirm threat) → Containment (hold wall) → Eradication (defeat Ozai) → Recovery (rebuild) → Lessons Learned (Zuko's reforms).
Zuko actively hunts Aang's trail using known patterns and new clues. This models which security operation?
K·Y·O·S·H·I = Key Policies · Your Risk Register · Oversight · Standards · Human Factors · Investigation
Governance: Fire Lord's decrees = AUP (Acceptable Use Policy). Earth King's council = Board/Committee structure. White Lotus = External audit body. Avatar cycle = Annual policy review cadence.
Risk: Sozin's Comet = Known risk with high ALE. Building the wall = Mitigation. Surrendering Omashu = Acceptance. Dispersing the fleet = Avoidance. Hiring White Lotus = Transference.
Compliance: Four nations' treaties = SLAs. GDPR = Earth Kingdom data sovereignty. Aang's privacy (hiding identity) = Right to be forgotten. Dai Li monitoring = Compliance surveillance.
The Earth King commits to restoring Ba Sing Se's defenses within 4 hours of any fire attack. This maps to:
Each bender mirrors a real-world cybersecurity role.
Holds the ultimate "Superuser" role: unrestricted access to all four elemental systems. Like a CISO, responsible for the security posture of the entire world. His compromise would be catastrophic for all nations: with superuser access the attacker can read, alter and destroy at will, so confidentiality, integrity and availability fall together.
Katara's healing mirrors a SOC Analyst's corrective control function — she identifies damage and restores system integrity. Her waterbending role grants access only to the healing module, not destructive firebending — perfect Least Privilege implementation.
Toph's seismic sense is the perfect SIEM metaphor — aggregating data from across the network (earth), identifying anomalies (enemy tunnels), and alerting in real time. Her blind spot to aerial threats = monitoring coverage gaps that attackers exploit.
Early Zuko = persistent, targeted Threat Hunter tracking the Avatar across all nations using intelligence and behavioral patterns. His arc from adversary to ally also demonstrates insider threat rehabilitation — with proper onboarding (Iroh's mentorship), even high-risk actors become defenders.
The wise Security Architect — deeply understands all four domains, designs layered defenses, and mentors junior analysts. His White Lotus network demonstrates supply-chain security: trusted third-party relationships built through rigorous vetting rather than assumed trust.
The textbook Advanced Persistent Threat — state-sponsored, near-perfect accuracy, uses zero-days (lightning bending no one else can replicate), recruits insider threats (Long Feng), achieves persistent access to Ba Sing Se. Defeating her required behavioral analytics, not signatures.
Four Avatar scenarios mapped precisely to Security+ exam concepts.
Three concentric rings force any attacker to breach three independent security zones. This maps to Defense in Depth: layered controls so that defeating one (bypassing the perimeter firewall) doesn't grant full access. Each ring requires separate authentication, mirroring network micro-segmentation.
Air Nomads are stateless and mobile — they verify identity through bending tests, not location. This is Zero Trust: "Never trust, always verify." No implicit trust zone exists; every monk authenticates regardless of being inside the temple. White Lotus challenges mirror re-authentication at every Policy Enforcement Point.
The Dai Li secretly operate inside Ba Sing Se while appearing loyal — classic insider threat combined with APT persistence. They maintain elevated privileges, avoid detection by blending in, and exfiltrate intelligence. Detection required behavioral analytics (anomaly-based), not signature matching of known attacks.
The White Lotus issues membership certificates only after identity verification (riddles/challenges, the Registration Authority step) by trusted Grandmasters (Root CAs). Iroh as CA signs new members. Revocation occurs if a member betrays the order (the CRL, which the CA must also sign so that nobody can forge a revocation list). Trust chains from the Root CA (Iroh) to all validated leaf certificates (members); a certificate signed by anyone outside the trust store fails the chain check no matter how genuine it looks.
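The chain-of-trust and revocation mechanics above, as an added example in Go using only the standard library. This is not code from the study page; the names, serial numbers and the revocation of Long Feng are constructed. A self-signed root signs member certificates and publishes a CRL; a relying party validates a member by walking the chain to the trusted root, checking that the CRL itself was signed by that root, and rejecting any serial listed on it. The third case goes one step beyond the page's text: a certificate issued by a CA outside the trust store (Azula) is refused even though it is well-formed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus its private key (a CA or a member).
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue makes a P-256 key and a cert for name, signed by parent (self-signed
// when parent is nil). CAs may sign certs and CRLs; members only authenticate.
func issue(name string, serial int64, isCA bool, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	if parent == nil {
		parent = &Identity{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// NewRootCA creates the self-signed trust anchor (the Grandmaster).
func NewRootCA(name string) (*Identity, error) { return issue(name, 1, true, nil) }

// IssueMember signs a member cert; the RA step (the riddle) precedes this call.
func (ca *Identity) IssueMember(name string, serial int64) (*Identity, error) {
	return issue(name, serial, false, ca)
}

// Revoke publishes a CA-signed CRL naming one revoked serial number.
func (ca *Identity) Revoke(serial int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Validate is the relying party's check: chain the leaf to the trusted root,
// confirm the CRL really came from that root, then reject any listed serial.
func Validate(leaf, root *x509.Certificate, crl *x509.RevocationList) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("revoked: serial %s", leaf.SerialNumber)
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo reports whether a member in good standing, a revoked member and a
// member vouched for by a CA outside the trust store are accepted.
func Demo() (valid, revoked, impostor bool) {
	iroh := must(NewRootCA("Iroh (White Lotus Root CA)"))
	zuko := must(iroh.IssueMember("Zuko", 100))
	longFeng := must(iroh.IssueMember("Long Feng", 101))
	crl := must(iroh.Revoke(101)) // Long Feng betrays the order
	mai := must(must(NewRootCA("Azula (not in the trust store)")).IssueMember("Mai", 100))
	return Validate(zuko.Cert, iroh.Cert, crl) == nil,
		Validate(longFeng.Cert, iroh.Cert, crl) == nil,
		Validate(mai.Cert, iroh.Cert, crl) == nil
}

func main() { fmt.Println(Demo()) }
```

Mai's certificate reuses serial 100 on purpose: a serial number only identifies a certificate within one issuer, so revocation checks must always be paired with a chain check against the issuer that published the CRL. `Verify` also enforces the validity window, so an expired member is refused without any CRL entry at all.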
Five must-know topic cards — the most commonly tested Security+ concepts.
• AES = Symmetric (128/192/256-bit)
• RSA/ECC = Asymmetric (public+private pair)
• ECC = same security, smaller keys than RSA
• Diffie-Hellman = key exchange over insecure channel
• PFS = fresh ephemeral session key per connection, so a later compromise of the server's long-term key cannot decrypt recorded past sessions
• TPM = hardware key storage on motherboard
• HSM = dedicated hardware for key management
• SSH=22 · FTP=21 · Telnet=23
• SMTP=25 · DNS=53 · HTTP=80
• HTTPS=443 · RDP=3389 · LDAP=389
• LDAPS=636 · RADIUS=1812/1813
• TACACS+=49 · Syslog=514 · NTP=123
• SNMP=161/162 · Kerberos=88
• SFTP=22 (same as SSH)
• MAC = Mandatory — labels (Top Secret)
• DAC = Discretionary — owner sets perms
• RBAC = Role-based — job function
• ABAC = Attribute-based — time/location/device
• Rule-based = ACL firewall rules
• Least Privilege = minimum access to do job
• 802.1X = port NAC (supplicant→authenticator→RADIUS)
• Order: Prep→Detection→Analysis→Containment→Eradication→Recovery→Lessons Learned
• Chain of custody = document who touched evidence
• Legal hold = preserve data, suspend deletion
• E-discovery = legal process for electronic evidence
• Order of volatility (collect the most volatile first): RAM→swap→disk→remote logs
• Root Cause Analysis = WHY it happened
• SLE = Asset Value × Exposure Factor
• ALE = SLE × ARO
• RTO = max downtime before business impact
• RPO = max data loss tolerable (in time)
• MTTR = average time to repair a failure
• MTBF = average time BETWEEN failures
• Risk = Threat × Vulnerability × Impact
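The SLE/ALE and MTBF/MTTR formulas on the cards above carried through for one risk-register row, as an added example in Go that is not from the study page. It goes one step beyond the cards by computing the value of each candidate safeguard (ALE before minus ALE after minus the control's annual cost), which is how the formulas are actually used to choose between mitigation, transference and acceptance. The asset value, exposure factors, rates and control costs are invented for the illustration.

```go
package main

import "fmt"

// Scenario is one row of a quantitative risk register (constructed values).
type Scenario struct {
	Name           string
	AssetValue     float64 // AV: what the asset is worth
	ExposureFactor float64 // EF: fraction of AV lost in one incident (0..1)
	ARO            float64 // expected incidents per year
}

// SLE = AV x EF: the loss from a single occurrence.
func (s Scenario) SLE() float64 { return s.AssetValue * s.ExposureFactor }

// ALE = SLE x ARO: the expected loss per year.
func (s Scenario) ALE() float64 { return s.SLE() * s.ARO }

// Control is a candidate safeguard with its yearly cost and the residual EF
// and ARO it leaves behind (a control can shrink either factor, or both).
type Control struct {
	Name        string
	AnnualCost  float64
	ResidualEF  float64
	ResidualARO float64
}

// Residual returns the scenario as it looks once the control is in place.
func (s Scenario) Residual(c Control) Scenario {
	s.ExposureFactor, s.ARO = c.ResidualEF, c.ResidualARO
	return s
}

// SafeguardValue = ALE(before) - ALE(after) - annual cost of the control.
// Positive means the control pays for itself; negative means accepting the
// risk is cheaper than buying the control.
func SafeguardValue(s Scenario, c Control) float64 {
	return s.ALE() - s.Residual(c).ALE() - c.AnnualCost
}

// BestControl picks the control with the highest safeguard value. ok is false
// when none has a positive value, i.e. the rational choice is risk acceptance.
func BestControl(s Scenario, controls []Control) (best Control, value float64, ok bool) {
	for i, c := range controls {
		if v := SafeguardValue(s, c); i == 0 || v > value {
			best, value = c, v
		}
	}
	return best, value, value > 0
}

// Availability from MTBF and MTTR: the fraction of time a component is up.
func Availability(mtbf, mttr float64) float64 { return mtbf / (mtbf + mttr) }

// Constructed example: the Ba Sing Se citizen archive facing Fire Nation raids.
var archive = Scenario{Name: "citizen archive", AssetValue: 1_000_000, ExposureFactor: 0.4, ARO: 0.5}

var options = []Control{
	{Name: "reinforce outer wall (mitigation)", AnnualCost: 50_000, ResidualEF: 0.4, ResidualARO: 0.1},
	{Name: "insure the archive (transference)", AnnualCost: 30_000, ResidualEF: 0.1, ResidualARO: 0.5},
	{Name: "relocate archive to the Spirit Oasis", AnnualCost: 250_000, ResidualEF: 0.4, ResidualARO: 0},
}

func main() {
	fmt.Printf("SLE=%.0f ALE=%.0f\n", archive.SLE(), archive.ALE())
	for _, c := range options {
		fmt.Printf("%-40s value=%+.0f\n", c.Name, SafeguardValue(archive, c))
	}
	best, v, ok := BestControl(archive, options)
	fmt.Println("best:", best.Name, v, ok)
	fmt.Printf("availability at MTBF=1000h MTTR=10h: %.4f\n", Availability(1000, 10))
}
```

With these numbers the wall cuts ARO and the insurance cuts EF; both are worth buying, insurance slightly more so, while relocating the archive eliminates the risk but costs more than the risk itself. That last row is the case where acceptance beats a control, which the ALE figure alone does not reveal.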
Domain 4.8 — Seven IR phases mapped to Team Avatar's comet battle.
Team Avatar trains for months before Sozin's Comet. IR plans written, tabletop exercises run, tools prepared. Like creating an IRP and running simulation drills before any real incident occurs.
Scouts detect the Fire Nation fleet. Team analyzes: true positive or false positive? SIEM alerts, log analysis, IDS triggers — all map to identifying an actual incident vs. noise in the data.
Aang creates an earth shield — stop the spread without destroying forensic evidence. Short-term = isolate infected system. Long-term = VLAN segmentation, firewall rule update. Don't wipe yet!
Aang defeats Ozai — root cause removed. Patch the vulnerability, revoke compromised credentials, restore from clean backups, rotate secrets. Confirm clean state before returning to production.
Zuko becomes Fire Lord and rewrites policy. The post-incident report identifies what failed, what worked, and how to improve. Root cause analysis prevents the same incident from happening again.
Domain 4.4 — Security alerting, monitoring concepts and tools.
SIEM = collects, correlates, and alerts (Toph hearing footsteps). SOAR = automated response (Toph automatically sealing tunnels without being told). SIEM tells you; SOAR acts for you. Together they are the ideal monitoring stack.
Signature-based = matches known attack patterns (Azula's blue fire = known IOC). Anomaly-based = flags deviations from a learned baseline of normal behavior (a non-bender accessing firebending scrolls). A zero-day has no signature yet, so only anomaly-based detection has a chance of catching it, at the price of more false positives.
True Positive = correctly detecting Azula. False Positive = alerting on a friendly waterbender (wasted analyst time). False Negative = MISSING Dai Li agents (worst outcome: the breach goes undetected). True Negative = correctly ignoring normal traffic. Tuning trades one error for the other: tighter rules cut false positives but risk more false negatives, so tune toward the error the organization can least afford.
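Both detection styles and the confusion-matrix terms above, as an added example in Go that is not code from the study page. The log records, the IOC user-agent string BlueFire/1.0 and the role-to-resource baseline are all constructed. Signature detection matches known indicators; anomaly detection learns a baseline from a quiet training window and flags deviations; each detector is then scored against ground-truth labels so the trade-off shows up as counts rather than adjectives.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one access-log record (constructed). Malicious is the ground-truth
// label: the detectors never read it; it is used only to score them afterwards.
type Event struct {
	User, Role, Resource, UA string
	Bytes                    int
	Malicious                bool
}

// category keeps the first two path segments: /scrolls/fire/x -> scrolls/fire.
func category(resource string) string {
	parts := strings.SplitN(strings.TrimPrefix(resource, "/"), "/", 3)
	if len(parts) > 2 {
		parts = parts[:2]
	}
	return strings.Join(parts, "/")
}

// SignatureDetect matches known indicators: a constructed IOC user agent and a
// path-traversal pattern. Anything without a known signature slips through.
func SignatureDetect(e Event) bool {
	return strings.Contains(e.UA, "BlueFire/1.0") || strings.Contains(e.Resource, "../")
}

// Baseline is learned from known-good traffic: which resource categories each
// role normally touches, and the largest transfer seen.
type Baseline struct {
	Allowed  map[string]map[string]bool
	MaxBytes int
}

func LearnBaseline(training []Event) Baseline {
	b := Baseline{Allowed: map[string]map[string]bool{}}
	for _, e := range training {
		if b.Allowed[e.Role] == nil {
			b.Allowed[e.Role] = map[string]bool{}
		}
		b.Allowed[e.Role][category(e.Resource)] = true
		if e.Bytes > b.MaxBytes {
			b.MaxBytes = e.Bytes
		}
	}
	return b
}

// AnomalyDetect flags a role touching a category it never touched during
// training, or a transfer far above anything seen before.
func (b Baseline) AnomalyDetect(e Event) bool {
	return !b.Allowed[e.Role][category(e.Resource)] || e.Bytes > 3*b.MaxBytes
}

// Score is a detector's confusion matrix against the ground-truth labels.
type Score struct{ TP, FP, FN, TN int }

func ScoreDetector(events []Event, detect func(Event) bool) Score {
	var s Score
	for _, e := range events {
		switch flagged := detect(e); {
		case flagged && e.Malicious:
			s.TP++
		case flagged:
			s.FP++
		case e.Malicious:
			s.FN++
		default:
			s.TN++
		}
	}
	return s
}

// Constructed log. The first four records are the quiet training window; the
// rest hold Azula (known IOC), Long Feng (no IOC, but a non-bender reading fire
// scrolls), Sokka's traversal attempt and Toph moving a lot of earth legitimately.
var accessLog = []Event{
	{User: "katara", Role: "water", Resource: "/scrolls/healing/basics", Bytes: 120, UA: "Scroll/1.0"},
	{User: "toph", Role: "earth", Resource: "/scrolls/earth/metal", Bytes: 200, UA: "Scroll/1.0"},
	{User: "aang", Role: "air", Resource: "/scrolls/air/glider", Bytes: 90, UA: "Scroll/1.0"},
	{User: "sokka", Role: "nonbender", Resource: "/maps/ba-sing-se/rings", Bytes: 300, UA: "Scroll/1.0"},
	{User: "azula", Role: "fire", Resource: "/scrolls/fire/lightning", Bytes: 150, UA: "BlueFire/1.0", Malicious: true},
	{User: "longfeng", Role: "nonbender", Resource: "/scrolls/fire/lightning", Bytes: 180, UA: "Scroll/1.0", Malicious: true},
	{User: "katara", Role: "water", Resource: "/scrolls/healing/advanced", Bytes: 110, UA: "Scroll/1.0"},
	{User: "toph", Role: "earth", Resource: "/scrolls/earth/metal", Bytes: 2000, UA: "Scroll/1.0"},
	{User: "sokka", Role: "nonbender", Resource: "/maps/../scrolls/fire", Bytes: 100, UA: "Scroll/1.0", Malicious: true},
	{User: "aang", Role: "air", Resource: "/scrolls/air/glider", Bytes: 95, UA: "Scroll/1.0"},
}

// RunDetectors learns the baseline from the training window and scores both
// detectors over the remaining records.
func RunDetectors() (signature, anomaly Score) {
	b := LearnBaseline(accessLog[:4])
	return ScoreDetector(accessLog[4:], SignatureDetect), ScoreDetector(accessLog[4:], b.AnomalyDetect)
}

func main() { fmt.Println(RunDetectors()) }
```

Signature scoring comes out at TP=2 FP=0 FN=1 TN=3: it misses Long Feng because nothing about his request matches a known indicator. Anomaly scoring comes out at TP=3 FP=1 FN=0 TN=2: it catches Long Feng but also flags Toph's large, legitimate transfer. Raising the 3x byte threshold would remove that false positive at the cost of missing smaller exfiltration, which is the tuning trade-off the card describes.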
Toph's seismic sense misidentifies a badgermole tunnel as an enemy invasion. Which detection term applies?
Domain 5.1 governance roles mapped to Avatar characters.
Earth King — owns all Ba Sing Se citizen records. Ultimately accountable for data classification and protection policy, even though he doesn't manage it day-to-day. Sets the rules; Dai Li enforces them.
Dai Li — physically handle and store the records. Responsible for implementing controls the Owner dictates. They can (dangerously) abuse their access without the Owner knowing — demonstrates why separation of duties matters.
White Lotus scholars who process and copy scrolls on behalf of nations. Process data per the controller's instructions but don't own it — the GDPR processor role. Must sign data processing agreements (DPAs).
Fire Lord Ozai — determines the purpose and means of processing captured intelligence. The controller decides WHY and HOW data is processed, carrying full legal accountability under frameworks like GDPR.
The Earth King orders the Dai Li to store and protect citizen census scrolls. Who is the Data Owner?
Domain 4.8 and 5.4 — internal and external incident reporting obligations.
Notify: CISO, SOC team, Legal, HR (if insider), affected business unit managers. Timeline: immediate verbal → 1-hour written summary → 24-hour full incident report. Like Sokka briefing King Bumi immediately, then submitting a battle report to the council within a day.
Regulators (GDPR = 72 hours from becoming aware of the breach), law enforcement (FBI) and sector agencies (CISA for critical infrastructure), affected customers (breach notifications). Like informing all four nations of the comet threat: mandatory disclosure within legal deadlines, not optional communication.
Legal hold = suspend all data deletion for relevant evidence. Chain of custody = document every person who touched evidence. Like preserving Ozai's war scrolls for a war crimes tribunal — tampered or undocumented evidence is inadmissible in court.
Under GDPR, how quickly must a data breach be reported to the supervisory authority after discovery?
Domain 4.8 — what happens AFTER the incident is resolved.
Mandatory post-incident review ideally within 2 weeks. Attendees: all responders. Questions: What happened? What worked? What failed? What changes? Team Avatar's war council after defeating Ozai = perfect model. Zuko's governance reforms = policy updates driven by lessons learned.
MTTD (Mean Time to Detect), MTTR (Mean Time to Respond/Recover), number of systems affected, data volume exposed, regulatory notifications sent, total incident cost. Track these to demonstrate SOC effectiveness and justify security budget increases.
After Azula's insider threat succeeded via social engineering, all nations must update security awareness training. Post-incident training targets the specific attack vector used. If phishing succeeded, run a phishing simulation within 30 days. Close every gap that enabled the breach.
Guide Team Avatar through a security incident using real IR decisions. Wrong answers won't advance — choose wisely!
⚔️ SCENE 1 OF 4 — DETECTION & ANALYSIS
⚔️ SCENE 2 OF 4 — CONTAINMENT
⚔️ SCENE 3 OF 4 — ERADICATION
⚔️ SCENE 4 OF 4 — LESSONS LEARNED
All the tools you need to pass SY0-701.
70 cards across all 5 domains — spaced repetition. Progress saves to your browser automatically.
70 cards · Domains 1–5 · Leitner spaced repetition · localStorage key: ltr_avatar-cards
Exam-style questions across all five domains. Personalized feedback on missed topics. Retake resets without page reload.