Phase 6: Domain 6 — Security Assessment & Testing (12%)

Timeline: May 10-16 (Week 6)

Covers formal testing methodologies, audit types, and assessment strategies. You have Wazuh SIEM and vulnerability scanning experience but need the formal frameworks.

Key Concepts

Assessment Types

Type | Description
--- | ---
Vulnerability assessment | Identify weaknesses without exploiting them (Nessus, Qualys, OpenVAS)
Penetration testing | Actively exploit vulnerabilities (with authorization)
Security audit | Formal examination against standards/policies
Security assessment | Comprehensive evaluation of security posture
Red team / blue team | Adversarial simulation (red attacks, blue defends)
Purple team | Collaborative: red + blue working together

Penetration Testing Methodology

  1. Planning and reconnaissance — scope, rules of engagement, OSINT

  2. Scanning — port scanning, vulnerability scanning, network mapping

  3. Gaining access — exploitation of discovered vulnerabilities

  4. Maintaining access — persistence, privilege escalation

  5. Analysis and reporting — findings, risk ratings, recommendations

Testing perspectives:

  • Black box — no knowledge (external attacker)

  • White box — full knowledge (internal audit)

  • Gray box — partial knowledge (partner/contractor)

Audit Types

  • Internal audit — conducted by organization’s own audit team

  • External audit — independent third party (SOC 2, ISO 27001)

  • Regulatory audit — government/regulatory body (HIPAA, PCI)

SOC Reports

Report | Purpose
--- | ---
SOC 1 | Financial reporting controls (SSAE 18)
SOC 2 Type I | Security controls at a point in time
SOC 2 Type II | Security controls over a period (6-12 months)
SOC 3 | Public summary of SOC 2

Log Management and Monitoring

  • SIEM correlation (your Wazuh deployment)

  • Log retention requirements

  • Continuous monitoring vs periodic assessment

  • Key performance indicators (KPIs) and key risk indicators (KRIs)
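To make "SIEM correlation" concrete, here is an added example (not Wazuh code and not a Wazuh rule) of the kind of correlation logic a SIEM applies: a single failed login is noise, but a burst of failures from one source followed by a success is worth an alert. The sshd-style log lines are constructed, and the thresholds (5 failures inside 120 s, then a success inside 300 s) are assumptions chosen for the example.

```python
"""Toy SIEM correlation rule: a burst of failed logins followed by a success.

Added example for the log management notes above; it is not Wazuh code and not
a Wazuh rule. The sshd-style log lines are constructed, and the thresholds
(5 failures inside 120 s, then a success inside 300 s) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in syslog/sshd style (real sshd omits the year).
SAMPLE_LOGS = """\
May 10 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
May 10 09:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.5 port 51001 ssh2
May 10 09:00:05 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 51002 ssh2
May 10 09:00:07 host1 sshd[2004]: Failed password for root from 203.0.113.5 port 51003 ssh2
May 10 09:00:09 host1 sshd[2005]: Failed password for root from 203.0.113.5 port 51004 ssh2
May 10 09:00:20 host1 sshd[2006]: Accepted password for root from 203.0.113.5 port 51005 ssh2
May 10 09:15:00 host1 sshd[2100]: Failed password for alice from 198.51.100.7 port 40000 ssh2
May 10 09:15:30 host1 sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+(?:\.\d+){3})"
)


def parse_line(line, year=2025):
    """Normalise one raw line into an event dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def correlate(lines, fail_threshold=5, fail_window=timedelta(seconds=120),
              success_window=timedelta(seconds=300)):
    """Emit one alert per source that logs >= fail_threshold failures inside
    fail_window and then authenticates successfully within success_window.
    Events must arrive in time order, as they would from a log collector."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue                # non-auth line: irrelevant to this rule
        src, now = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            # keep only failures still inside the sliding window, then add this one
            failures[src] = [t for t in failures[src] if now - t <= fail_window]
            failures[src].append(now)
        else:
            recent = [t for t in failures[src] if now - t <= success_window]
            if len(recent) >= fail_threshold:
                alerts.append({
                    "rule": "auth_bruteforce_then_success",
                    "src": src,
                    "user": ev["user"],
                    "failures": len(recent),
                    "first_failure": recent[0],
                    "success_at": now,
                })
            failures[src].clear()   # a success resets the counter for this source


    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run it and only 203.0.113.5 produces an alert; alice's single typo followed by a key login stays quiet. The design point that maps to the CISSP material: correlation turns individual low-value events into a higher-confidence finding, and the thresholds are exactly the kind of tunable that "continuous monitoring" reviews over time (too low and the SOC drowns in alerts, too high and real brute force slips under the bar).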

Software Testing

  • Static analysis (SAST) — review code without executing

  • Dynamic analysis (DAST) — test running application

  • Fuzzing — random/malformed input to find crashes

  • Code review — manual examination of source code

  • Interface testing — API, UI, physical
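The SAST/DAST/fuzzing distinction is easier to remember once you have seen a fuzzer find a bug. The following is an added example, not code from any fuzzing tool or from the study guide: a toy record parser with two deliberate defects (no check for a zero count, no check that a declared length fits the buffer) and a small mutation fuzzer that feeds it corrupted copies of a valid seed, bucketing crashes by exception type and line. The format, parser and seed are all constructed for the example. This is dynamic testing: the program is executed on inputs. A static (SAST) tool would instead flag the `total / count` expression with no zero check by reading the source.

```python
"""Minimal mutation fuzzer against a toy record parser.

Added example for the Software Testing notes above; not from any fuzzing tool.
The record format, the parser and its defects are constructed for the example.
"""
import random
import struct
import traceback


def parse_records(data: bytes) -> dict:
    """Toy format: u8 count, then `count` records of (u16 big-endian length, payload).
    Returns the average payload length. Two deliberate defects are left in so the
    fuzzer has something to find: count == 0 is not rejected (ZeroDivisionError),
    and a declared length is never checked against the buffer (struct.error)."""
    count = data[0]                                        # IndexError on empty input
    off = 1
    total = 0
    for _ in range(count):
        (length,) = struct.unpack_from(">H", data, off)    # struct.error if truncated
        off += 2
        payload = data[off:off + length]
        payload.decode("utf-8")                            # UnicodeDecodeError on bad bytes
        total += len(payload)
        off += length
    return {"count": count, "avg_len": total / count}      # ZeroDivisionError if count == 0


# Constructed valid seed: two records, payloads "abc" and "hi".
SEED = bytes([2]) + struct.pack(">H", 3) + b"abc" + struct.pack(">H", 2) + b"hi"


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations to a copy of the seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "truncate"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == "delete" and buf:
            del buf[rng.randrange(len(buf))]
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations=2000, rng_seed=1) -> dict:
    """Run mutated inputs through target. Crashes are bucketed by
    (exception type, line where it was raised), a simple form of triage,
    and one reproducing input is kept per bucket."""
    rng = random.Random(rng_seed)      # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            crashes.setdefault(key, case)
    return crashes


if __name__ == "__main__":
    for (exc_name, line), case in fuzz(parse_records, SEED).items():
        print(f"{exc_name} at line {line}: reproducer={case!r}")
```

Each bucket's reproducer is a finding ready for a report: the crash type, where it occurs, and an input that triggers it on demand. Real fuzzers (coverage-guided ones especially) add smarter mutation and input minimisation, but the loop itself is the whole idea.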

Practice Questions

25 questions/day from Official Practice Tests — Domain 6 section.

Check Status

[ ] Read Study Guide Chapter 15 (Assessment)

[ ] Watch Destination Certification MindMap — Domain 6

[ ] Pen test methodology memorized (5 phases)

[ ] SOC report types understood (SOC 1, 2 Type I/II, 3)

[ ] Testing types differentiated (SAST, DAST, fuzzing)

[ ] Mapped Wazuh to CISSP SIEM/monitoring concepts

[ ] 25+ practice questions completed (Domain 6)