
Audits, SOC Reports & Pen Tests — Sec+ SY0-701 Obj 5.5

How does a security program prove it actually works? Not with a slide deck — with audits, assessments, and pen tests. Objective 5.5 is the part of Domain 5 where every control you wrote down gets verified by somebody who is allowed to push back. Internal auditors, external auditors, regulators, certification bodies, third parties issuing SOC 1 and SOC 2 reports, red teams running unannounced engagements — they all answer one question: are the controls real, and are they operating effectively?

This 18-minute lesson opens with a financial services firm that got breached through a finding their own pen test had flagged eight months earlier — same finding number, same page, never fixed. From there we walk through attestation, internal vs external audits, SOC 1 vs SOC 2 (Type 1 vs Type 2), the five Trust Service Criteria, the four pen-test team colors, black/gray/white-box knowledge environments, the six pen-test types, passive vs active recon, OSINT, the post-compromise phases, Rules of Engagement, the pen-test report, red team vs pen test, and the audit committee. Aligned to CompTIA SY0-701. Full course at https://secplus.it-learn.io.

🔗 Full course: https://secplus.it-learn.io
🎓 Subscribe for the rest of Domain 5 and the full SY0-701 series

WHAT YOU'LL LEARN
✅ Attestation — officer-signed declaration, SOC reports, SOX filings, criminal liability if false
✅ Internal vs external audits — five internal flavors, four external flavors, certification vs assessment
✅ SOC 1 vs SOC 2 vs SOC 3, Type 1 vs Type 2, and the AICPA Trust Service Criteria (Security mandatory)
✅ Pen-test team colors — Red offensive, Blue defensive, Purple integrated, White oversight
✅ Knowledge environments — black box (unknown), white box (known), gray box (partial)
✅ Pen-test phases — recon → enumeration → exploitation → post-exploitation → reporting
✅ Pivot, lateral movement, privilege escalation, persistence — the post-compromise kill chain
✅ Rules of Engagement, pen-test report structure, red team vs pen test, bug bounty programs

CHAPTERS
00:00 Intro — three teams, one question
00:21 Cold open — the pen-test report that became the attacker's roadmap
01:33 Attestation — somebody senior signs
02:08 Internal audits — five flavors
03:16 External audits — four flavors
04:18 SOC 1 vs SOC 2 (and SOC 3, Type 1 vs Type 2)
05:39 Trust Service Criteria — Security mandatory
06:12 Pen-test team colors — Red, Blue, Purple, White
07:04 Knowledge environments — black, white, gray box
08:13 Pen-test types — Network, Web, Physical, Social, Wireless, Cloud
09:14 Passive vs active reconnaissance
10:18 OSINT — always passive, always legal
10:56 Pivot, lateral, escalate, persist
11:38 Rules of Engagement — in writing, before testing
12:29 The pen-test report — track to closure
13:18 Red team vs pen test
14:00 Unannounced red team — measuring real defense
14:41 Assessment vs audit — different verbs
15:25 Audit committee — board-level oversight
16:06 14-rule exam runbook
17:57 Outro — next up: 5.6 Security awareness

EXAM QUICK REFERENCE
- Attestation = officer-signed declaration; signing falsely = criminal liability
- SOC 1 = financial reporting · SOC 2 = security/TSC · SOC 3 = public summary
- SOC 2 Type 1 = point-in-time · Type 2 = 6–12 month period (what buyers want)
- TSC: Security MANDATORY · Availability, Processing Integrity, Confidentiality, Privacy optional
- Teams: Red offensive · Blue defensive · Purple integrated · White oversight
- Knowledge: white box = known · black box = unknown · gray box = partial
- Recon: passive (OSINT, Shodan, WHOIS) = no traffic sent to the target · active (Nmap, banner grabs) = the target's IDS can see it
- RoE before any pen test: scope, exclusions, techniques, window, authorization — in writing
- Certification = certificate (procurement-friendly) · Assessment = report (advisory)
- Pen test = scoped/timeboxed vuln hunt · Red team = sustained adversary simulation
- Audit committee = board subcommittee, independent chair, hires/fires the auditor

#CompTIA #SecurityPlus #SY0701 #Cybersecurity #PenTesting #SOC2 #ITLearn #SecPlus

Video "Audits, SOC Reports & Pen Tests — Sec+ SY0-701 Obj 5.5" from the it-learn channel