You have studied threats, vulnerabilities and attack techniques. The SY0-701 feels manageable. Then a scenario question asks which control type addresses a specific security requirement – and you realize preventive, detective and corrective controls all feel like they could apply.
That’s the trap. The exam doesn’t just ask what each control type is. It asks which one fits a specific situation and why the others don’t.
Why Security Controls Catch SY0-701 Candidates Off Guard
Most candidates memorize the control type definitions and move on. The exam doesn’t reward memorization here.
It presents a security scenario, describes a requirement and expects you to select the control type that fits – before presenting a second layer asking whether the control is technical, administrative, or physical.
Two dimensions. One question. That combination is where candidates lose marks.
Preventive Controls: Stop the Threat Before It Happens
A preventive control stops a security incident before it occurs. It acts before damage is done.
Firewalls blocking unauthorized traffic, access control lists restricting resource access, encryption protecting data at rest – these are all preventive. They don’t detect or respond. They stop.
The exam uses preventive controls in scenarios where the requirement is to stop an attack from succeeding. An organization wants to prevent unauthorized users from accessing a system – that’s a preventive requirement. The answer is an access control, not a monitoring tool.
Where candidates go wrong is choosing a preventive control when the scenario describes something that already happened. Preventive controls don’t help after the fact.
Detective Controls: Identify What Already Occurred
A detective control identifies and records security events that have already happened or are currently happening.
Security Information and Event Management systems, intrusion detection systems, log monitoring and audit trails are all detective. They don’t stop anything – they surface it.
The exam tests detective controls in scenarios where visibility is the requirement. An organization needs to know when unauthorized access attempts occur – that’s a detective requirement. An IDS is the answer, not a firewall.
The key distinction: if the scenario uses words like “identify,” “alert,” “monitor,” or “audit,” the answer is almost always a detective control.
Corrective Controls: Fix What Went Wrong
A corrective control reduces the impact of an incident after it has occurred and restores normal operations.
Backups restoring a system after ransomware, incident response procedures, patching a vulnerability after exploitation – these are corrective. They don’t prevent or detect. They recover.
The exam presents corrective controls in scenarios where damage has already occurred. A system was compromised and needs to be restored – that’s a corrective requirement. The answer is a backup or recovery process, not a firewall rule or an IDS alert.
Candidates who blur corrective and preventive controls will choose patching as a preventive measure when the scenario describes post-exploitation remediation – that’s corrective, not preventive.
The Second Dimension: Technical, Administrative and Physical
Every control type sits inside one of three implementation categories. The exam tests both dimensions together.
Technical controls are implemented through technology – firewalls, encryption, MFA, IDS, antivirus. Administrative controls are implemented through policy and procedure – security awareness training, acceptable use policies, background checks. Physical controls restrict physical access – locks, security guards, badge readers, CCTV.
The exam gives you a scenario and expects you to identify both the control type and the implementation category. A security awareness training program that teaches employees to recognize phishing – that’s preventive and administrative. A CCTV system recording activity in a server room – that’s detective and physical.
Getting one dimension right and the other wrong means a wrong answer on the exam.
Compensating and Deterrent Controls: The Two That Confuse Everyone
Two additional control types appear on the SY0-701 that candidates regularly confuse with the primary three.
A compensating control is an alternative control used when the primary control can’t be implemented. An organization can’t patch a legacy system – so it adds network segmentation and enhanced monitoring around it instead. The compensating control doesn’t eliminate the risk. It manages the risk while the gap left by the missing primary control exists.
A deterrent control discourages an attacker from attempting an action without physically preventing it. Warning banners on login screens, visible security cameras, signs warning of monitoring – these deter. They don’t stop a determined attacker. The exam tests deterrent versus preventive specifically – a security camera deters, but it doesn’t prevent entry. A locked door prevents entry.
Decision Framework: How to Answer Control Questions on the Exam
The exam scenario will describe a situation. Before looking at the answer choices, ask three questions in order.
Has the incident already happened? If yes, the answer is corrective or detective – not preventive. Is the goal to stop something or identify something? Stop points to preventive. Identify points to detective. Is an alternative being used because the primary control isn’t available? That’s compensating.
Then ask the second dimension question. Is the control implemented through technology, policy, or physical means? Match both answers to the scenario and you’ll eliminate at least two wrong choices before reading all four options.
Exam Scenarios That Keep Appearing
An organization deploys an IDS to alert on suspicious network traffic – that’s detective and technical. A company implements a mandatory security awareness training program – that’s preventive and administrative. A badge reader controls entry to a server room – that’s preventive and physical.
A ransomware attack encrypted production data, and backups are used to restore the systems – that’s corrective and technical. A warning banner displayed before login informs users that their activity is monitored – that’s deterrent and technical. Network segmentation is added around a legacy system that can’t be patched – that’s compensating and technical.
Practicing these scenario patterns with updated exam dumps for the SY0-701 exam helps you build the two-dimensional thinking the exam rewards – so you’re matching both the control type and the implementation category before reading the answer choices.
The Bottom Line
Security controls on the SY0-701 aren’t tested as definitions. They’re tested as decisions. Preventive stops. Detective identifies. Corrective recovers. Deterrent discourages. Compensating substitutes.
Add the implementation dimension – technical, administrative, physical – and apply both to the scenario before choosing an answer.
That two-step thinking is what the exam is actually measuring.