Performance-based questions (PBQs) are the most feared and least-prepared-for component of CompTIA exams. They appear on A+, Network+, Security+, CySA+, Linux+, and other certifications, and they reliably separate candidates who understand how to do something from candidates who know facts about how it's done.
The fear is partly justified — PBQs are harder than multiple choice for most candidates. The poor preparation is entirely unnecessary.
What Performance-Based Questions Actually Are
PBQs are interactive simulations that require you to perform a task rather than select an answer. They simulate real work environments within the exam interface.
Types of PBQs that appear across CompTIA exams:
| Type | What it requires | Appears on |
|---|---|---|
| Network diagram configuration | Assign IP addresses, configure devices in a topology | Network+, Security+ |
| Command-line tasks | Execute Linux or Windows commands to achieve a result | Linux+, Security+ |
| Drag and drop ordering | Arrange steps of a process in correct sequence | A+, Security+ |
| Log analysis | Read provided logs and identify indicators or events | Security+, CySA+ |
| Firewall rule configuration | Create or modify rules to allow/deny specific traffic | Network+, Security+ |
| Cable/hardware identification | Identify correct cables or hardware in visual scenarios | A+ |
| Vulnerability prioritization | Score and rank vulnerabilities based on provided data | CySA+, PenTest+ |
The Exam Strategy Everyone Gets Wrong
PBQs appear at the beginning of CompTIA exams — they're the first questions you see. This placement is intentional: CompTIA puts them first because they take longer and they can't be skipped initially.
The mistake: spending 15-25 minutes on a difficult PBQ while 80+ multiple choice questions wait. PBQs and multiple choice questions earn the same per-question credit. Time spent struggling on one PBQ could answer 10 multiple choice questions.
The correct strategy:
When the exam starts, immediately scan each PBQ
If you can answer a PBQ confidently in under 5 minutes — answer it
If a PBQ is complex or unfamiliar — flag it and move on to multiple choice
Complete all multiple choice questions first
Return to flagged PBQs with remaining time
This approach guarantees you answer every accessible question before spending disproportionate time on the hardest ones.
How to Actually Prepare for PBQs
The gap between PBQ preparation and multiple-choice preparation is the most common reason candidates who "knew the material" don't pass.
The Hands-On Gap
Multiple choice questions reward recognition. You see "Which of the following provides the MOST secure method for remote access?" and recognize that SSH with key-based authentication is the answer.
A PBQ says "Configure SSH on this Linux server to use key-based authentication and disable password authentication." Now you need to:
Know the SSH configuration file location (/etc/ssh/sshd_config)
Know which directives to set (PasswordAuthentication no, PubkeyAuthentication yes)
Know how to restart the service (systemctl restart sshd)
Verify the change works
Reading about SSH key authentication doesn't prepare you to do it. Doing it — even in a practice environment — does.
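The "verify the change works" step is where lab practice pays off: sshd uses the first value it reads for each keyword, so a correct directive placed below a conflicting one has no effect. The following audit is an added example, not part of the original article; it assumes a single config file with no Include files and checks global settings only (Match blocks are skipped), and the sample configs are constructed.

```python
# Added example: check whether an sshd_config actually enforces key-only logins.
# Assumptions: one file, no Include directives, Match blocks ignored.

# OpenSSH defaults, used when a keyword is absent or only commented out.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}
WANTED = {"passwordauthentication": "no", "pubkeyauthentication": "yes"}


def effective_settings(config_text):
    """Return the effective global value of each keyword in WANTED."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # commented-out directives do nothing
        parts = line.split(None, 1)
        keyword = parts[0].lower()         # keywords are case-insensitive
        if keyword == "match":
            break                          # everything below is conditional
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(keyword, value)    # first occurrence wins
    return {k: seen.get(k, DEFAULTS[k]) for k in WANTED}


def audit(config_text):
    """List keywords whose effective value differs from the hardened target."""
    eff = effective_settings(config_text)
    return [f"{k} is '{eff[k]}', expected '{WANTED[k]}'"
            for k in WANTED if eff[k] != WANTED[k]]


# Constructed sample configs.
HARDENED = "PasswordAuthentication no\nPubkeyAuthentication yes\n"
SHADOWED = ("PasswordAuthentication yes\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\n")         # the later 'no' is ignored
COMMENTED = "#PasswordAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED), ("shadowed", SHADOWED),
                       ("commented", COMMENTED)]:
        print(name, audit(text) or "OK")
```

On a live system, sshd -T prints the effective configuration, which is the authoritative way to confirm the same thing after restarting the service.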
"I see candidates who can answer every multiple choice question about SSH correctly, then fail a PBQ that asks them to actually configure it. The knowledge is there. The procedural fluency isn't. For PBQ preparation, there is no substitute for actually running the commands yourself." — Professor Messer, CompTIA exam instructor
Building PBQ-Specific Preparation
For A+ PBQs:
Configure a Windows system in VirtualBox or VMware: set up IP addressing, configure sharing, manage users and groups
Practice with command prompt: ipconfig, ping, tracert, netstat, nslookup (type them, don't just read about them)
Build a basic home network topology mentally (or physically if you have equipment) and configure it
For Network+ PBQs:
Use Packet Tracer or similar tools to configure IP addressing on diagram topologies
Practice subnetting manually until you can identify subnet membership without a calculator
Configure VLANs in a simulation environment — the act of clicking through the configuration builds the procedural memory
For Security+ PBQs:
Log analysis: practice reading Windows Event Logs, Linux auth.log, and web server access logs. TryHackMe has log analysis exercises that match Security+ PBQ difficulty.
Firewall rule ordering: practice determining which rule matches first in ordered rule sets
For Linux+ PBQs:
Build a Linux lab (VirtualBox is free, Ubuntu Server is free): practice LVM management, file permission configurations, SELinux troubleshooting, and service management via systemd
Practice every command in the exam objectives — don't just read the syntax, run it
Common PBQ Types and How to Solve Them
IP Addressing and Subnetting PBQs
Scenario: A network diagram shows four hosts and a router. Hosts need IPs in the 192.168.10.0/26 range with specific assignments.
Approach:
Calculate the subnet range: /26 = 64 addresses, valid hosts 192.168.10.1-62, broadcast 192.168.10.63
Identify the default gateway — it should be in the same subnet, typically .1 or .62
Assign addresses from the valid range to each host
Verify no conflicts and no address outside the subnet
This is mechanical — practice the calculation sequence and it becomes fast.
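To check your manual work while practicing, the four-step approach above can be automated with Python's standard ipaddress module. This is an added example, not part of the original article; the host names and the answer sheet with its deliberate mistakes are constructed.

```python
import ipaddress


def subnet_summary(cidr):
    """First usable host, last usable host, broadcast and total address count."""
    net = ipaddress.ip_network(cidr)
    return (str(net.network_address + 1), str(net.broadcast_address - 1),
            str(net.broadcast_address), net.num_addresses)


def check_plan(cidr, gateway, hosts):
    """Return the problems in a proposed plan; hosts maps name -> (ip, mask, gw)."""
    net = ipaddress.ip_network(cidr)
    reserved = {net.network_address: "network", net.broadcast_address: "broadcast"}
    used = {ipaddress.ip_address(gateway): "router"}
    problems = []
    for name, (ip, mask, gw) in hosts.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {ip} is outside {cidr}")
        elif addr in reserved:
            problems.append(f"{name}: {ip} is the {reserved[addr]} address")
        elif addr in used:
            problems.append(f"{name}: {ip} conflicts with {used[addr]}")
        else:
            used[addr] = name
        if mask != str(net.netmask):
            problems.append(f"{name}: mask {mask} should be {net.netmask}")
        if gw != gateway:
            problems.append(f"{name}: gateway {gw} should be {gateway}")
    return problems


# Constructed answer sheet for the /26 scenario, with deliberate mistakes.
PLAN = {
    "PC1": ("192.168.10.10", "255.255.255.192", "192.168.10.1"),
    "PC2": ("192.168.10.63", "255.255.255.192", "192.168.10.1"),  # broadcast
    "PC3": ("192.168.10.64", "255.255.255.192", "192.168.10.1"),  # next subnet
    "PC4": ("192.168.10.10", "255.255.255.0", "192.168.10.1"),    # dup + mask
}

if __name__ == "__main__":
    print(subnet_summary("192.168.10.0/26"))
    for problem in check_plan("192.168.10.0/26", "192.168.10.1", PLAN):
        print(problem)
```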
Log Analysis PBQs
Scenario: A security analyst reviews logs showing failed authentication attempts. Which log entries indicate a brute force attack?
Approach:
Look for patterns — high frequency events from a single source
Identify event IDs (4625 = failed logon in Windows, repeated patterns in auth.log)
Identify the timeframe — many failures in a short window
Look for the successful authentication that follows the failures (successful brute force)
Practice: Use TryHackMe's Security Operations pathway or BlueTeamLabs.online for hands-on log analysis exercises.
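The approach above (single source, many failures in a short window, then a success) can be expressed as detection logic over Linux auth.log lines. This is an added example, not part of the original article; the log lines are constructed, and the threshold of 5 failures in 60 seconds and the year used to parse syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Failed|Accepted) "
                  r"password for (?:invalid user )?(\S+) from (\S+) port")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Map source IP -> peak failures in the window and any login that followed."""
    recent = defaultdict(deque)      # source IP -> failure times inside the window
    findings = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                 # not an sshd password event
        stamp, outcome, user, src = m.groups()
        # syslog timestamps carry no year, so an assumed one is supplied
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[src]
        while q and when - q[0] > window:
            q.popleft()              # forget failures older than the window
        if outcome == "Failed":
            q.append(when)
            if len(q) >= threshold:
                hit = findings.setdefault(src, {"failures": 0, "success_user": None})
                hit["failures"] = max(hit["failures"], len(q))
        elif src in findings and q:
            findings[src]["success_user"] = user   # success right after the burst
    return findings


# Constructed sample: one mistyped password, then a burst from another source.
SAMPLE = """\
Mar 10 02:13:40 web01 sshd[2190]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 02:13:52 web01 sshd[2190]: Accepted password for alice from 198.51.100.20 port 40100 ssh2
Mar 10 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 02:14:02 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 02:14:04 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 02:14:05 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 50128 ssh2
Mar 10 02:14:07 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 10 02:14:08 web01 sshd[2216]: Failed password for root from 203.0.113.7 port 50132 ssh2
Mar 10 02:14:11 web01 sshd[2217]: Accepted password for root from 203.0.113.7 port 50140 ssh2
""".splitlines()

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE))
```

The single failure followed by a success from 198.51.100.20 is not flagged, which is the distinction a log analysis PBQ expects you to make.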
Firewall Rule PBQs
Scenario: Configure a firewall to allow HTTP and HTTPS traffic from the internet to a web server, block Telnet, and log all dropped traffic.
Approach:
Rule order matters — most specific rules first, deny-all last
Identify the source (internet/any), destination (web server IP), and ports (80, 443 allow; 23 deny)
The implicit deny-all is typically the last rule — verify it's present
Logging rules: check whether the interface expects explicit log statements or logs by default
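Rule ordering is easiest to internalize by evaluating traffic against a rule list the way a first-match firewall does. This is an added example, not part of the original article; it models destination and port only (source is treated as any), the web server address is constructed, and it assumes the implicit deny does not log.

```python
from dataclasses import dataclass

WEB = "203.0.113.10"     # constructed web server address (documentation range)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    dst: str             # destination IP or "any"
    port: object         # TCP port number or "any"
    log: bool = False


def evaluate(rules, dst, port):
    """First matching rule wins. Returns (action, rule index, logged)."""
    for i, r in enumerate(rules):
        if r.dst in ("any", dst) and r.port in ("any", port):
            return r.action, i, r.log
    # Assumption: the implicit deny drops the packet without logging it.
    return "deny", None, False


def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(e.dst in ("any", r.dst) and e.port in ("any", r.port)
                   for e in rules[:i])]


CORRECT = [
    Rule("allow", WEB, 80),
    Rule("allow", WEB, 443),
    Rule("deny", "any", 23, log=True),
    Rule("deny", "any", "any", log=True),    # explicit deny-all so drops are logged
]
DENY_FIRST = [CORRECT[3]] + CORRECT[:3]      # same rules, deny-all moved to the top
NO_DENY_ALL = CORRECT[:3]                    # relies on the implicit deny

if __name__ == "__main__":
    print(evaluate(CORRECT, WEB, 443), shadowed(CORRECT))
    print(evaluate(DENY_FIRST, WEB, 443), shadowed(DENY_FIRST))
    print(evaluate(NO_DENY_ALL, WEB, 22))
```

With the deny-all rule first, every later rule is shadowed and HTTPS to the web server is dropped; without an explicit deny-all, other traffic is still dropped in this model but nothing logs it.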
Performance-Based Question Scoring
CompTIA doesn't publish exact PBQ scoring mechanics, but community reports indicate:
Partially correct PBQ answers receive partial credit
A completely wrong answer on a PBQ scores zero, not negative
The number of PBQs on an exam varies (typically 3-10 per exam)
Implication: don't leave PBQs blank. If you're stuck, attempt a partial answer. Partial credit is better than zero.
Flagging strategy: CompTIA's exam interface allows flagging questions for review. Use this — flag difficult PBQs, move to multiple choice, and return to PBQs with remaining time. Candidates who flag PBQs and complete all multiple choice before returning consistently perform better than those who work linearly through the exam.
Resources That Build PBQ Skills
Professor Messer's free practice exams include PBQ-style questions with his explanation of the expected approach. The explanations describe what you're supposed to do, which helps identify where your procedural knowledge is weak.
Jason Dion's practice exams (Udemy) include PBQs for Security+ and CySA+ that replicate the format and difficulty of the real exam.
TryHackMe (free and paid tiers): particularly valuable for Security+ and CySA+ PBQ preparation. The learning paths include log analysis, firewall configuration, and command-line exercises that directly build PBQ skills.
Virtual machines: for A+, Network+, and Linux+ — set up VirtualBox (free) and practice on real operating systems. The procedural fluency you build in a VM lab is exactly what PBQs test.
PBQ Types by Certification: What Each Exam Actually Presents
The PBQ formats are not uniform across certifications. Understanding the specific types on your target exam eliminates preparation mismatches.
CompTIA A+ PBQs (Core 1 220-1101 and Core 2 220-1102)
A+ PBQs focus on hardware identification, cable selection, and basic system configuration.
Common A+ PBQ types:
Hardware drag-and-drop: identify whether a connector is HDMI, DisplayPort, USB-C, or Thunderbolt based on a visual image, then drag it to the correct device
Cable selection for scenario: a customer has a monitor 30 feet from the workstation — drag the correct cable type (active DisplayPort, fiber HDMI) to the solution
Troubleshooting flowchart: given a symptom, click through a troubleshooting sequence selecting the correct next step at each decision point
Windows command output: given ipconfig /all output on screen, answer questions about what's configured (subnet mask, default gateway, DNS servers)
Device identification: identify components in an exploded PC diagram (DIMM slot, M.2 slot, PCIe x16 slot, SATA connector)
Preparation approach for A+ PBQs: Professor Messer's CompTIA A+ course includes "Core 2 Domain 1.1" style labs that cover exactly the hardware identification format. Building a PC from parts — even once — produces the visual familiarity that makes hardware identification PBQs trivial.
CompTIA Network+ PBQs (N10-008 and N10-009)
Network+ PBQs heavily emphasize IP addressing and topology diagram interaction.
Common Network+ PBQ types:
IP addressing topology: a diagram with four subnets shows partial IP address assignments. Fill in the missing IP addresses, subnet masks, and default gateways ensuring all devices in each subnet are correctly addressed
Cable selection: given a wiring scenario (connecting a server to a patch panel, running cable between floors), select the correct cable category (Cat5e, Cat6, Cat6A) and connector type
VLAN configuration drag-and-drop: assign switch ports to the correct VLANs based on the network requirements described
Network troubleshooting output: given traceroute output showing where a path breaks, identify which device is the fault point
Specific commands tested in Network+ CLI simulations:
ipconfig /all: IP configuration review
ping with -t (continuous) and specific IP targets
tracert / traceroute: path analysis
netstat -an: active connections
nslookup: DNS resolution verification
route print: routing table review
CompTIA Security+ PBQs (SY0-701)
Security+ PBQs have become more operationally focused in the SY0-701 version. The exam moved toward realistic security analyst tasks.
Common Security+ PBQ types:
Firewall rule drag-and-drop: given a network topology and security requirements, place firewall rules in the correct order. The "implicit deny" rule must be last. Rules for specific allowed services come before broader blocks.
Log analysis: a simulated SIEM interface shows authentication log entries. Identify which entries indicate a brute force attack, credential stuffing, or account lockout event.
Network device placement: drag security devices (IDS, IPS, firewall, proxy, WAF) into the correct positions in a network topology diagram
Incident response ordering: arrange the NIST incident response steps in sequence for a given scenario
Authentication configuration: in a simulated interface, configure MFA settings — select the correct factors and enforcement settings
Specific commands tested in Security+ CLI simulations:
Linux: chmod, chown, ls -la, ps aux, netstat -tulnp, iptables -L
Windows: netsh, icacls, Get-Service (PowerShell), Get-EventLog
The firewall placement PBQs are the most frequently reported difficult PBQ type on Security+. Practice by drawing network topologies and manually placing controls — the spatial reasoning required is different from reading about where firewalls go.
Partial Credit and PBQ Scoring Mechanics
CompTIA's PBQ scoring is multi-part. A single PBQ typically has 3-5 components, each worth points independently.
How Partial Credit Works
A PBQ asking you to configure a firewall might have these components:
Create a rule allowing HTTPS from any source to web server (1 point)
Create a rule allowing SSH from admin subnet only (1 point)
Deny all other inbound traffic (1 point)
Place the deny-all rule at the bottom of the rule set (1 point)
If you complete steps 1, 2, and 3 correctly but misplace the deny-all rule, you earn 3 of 4 points. You don't fail the entire PBQ.
Implication for exam strategy: when you return to a flagged PBQ with 8 minutes left, don't skip it — even a partial attempt earns more than zero. Work through the components you're confident about and leave the uncertain parts for last.
Time Allocation Strategy by PBQ Type
| PBQ Type | Recommended Time Budget | Notes |
|---|---|---|
| Simple drag-and-drop (A+) | 2-3 minutes | Hardware identification is fast if you know it |
| IP addressing topology | 6-8 minutes | Subnetting calculation takes time |
| Firewall rule ordering | 4-6 minutes | Work through requirements systematically |
| Log analysis | 5-7 minutes | Read the scenario carefully before filtering logs |
| CLI simulation | 3-5 minutes per task | Know the commands before exam day |
| Multi-topology complex | 10-12 minutes | Consider flagging these for end-of-exam |
Total PBQ time budget: plan for 3-6 PBQs per exam, allocating 30-45 minutes. With 90 minutes total for Security+ and Network+, this leaves 45-60 minutes for multiple choice — approximately 45 seconds per multiple choice question, which is workable.
Practicing PBQs with GNS3 for Network+ and Security+
For Network+ and Security+ candidates, GNS3 provides a simulation environment that replicates PBQ scenario types more accurately than static flashcards.
Network+ PBQ practice using GNS3:
Build this topology in GNS3: three routers, four PCs, two switches. Configure:
Two separate /26 subnets for PC groups
OSPF between routers
Default route from edge router to internet (simulated)
The act of assigning IP addresses, verifying connectivity with ping, and troubleshooting when connectivity fails directly builds the skills tested in Network+ topology PBQs. The commands you run in GNS3 (show ip route, show ip interface brief, ping 192.168.x.x) appear verbatim in Network+ CLI simulation questions.
Security+ CLI simulation practice using a Linux VM:
Set up Ubuntu Server in VirtualBox. Practice:
iptables -A INPUT -p tcp --dport 443 -j ACCEPT followed by iptables -L to verify
chmod 600 ~/.ssh/authorized_keys and verify with ls -la ~/.ssh/
ps aux | grep suspicious_process: process investigation
netstat -tulnp: identify listening services
The Security+ CLI simulations use simplified interfaces, but candidates who've run these commands repeatedly on a real Linux system complete CLI PBQs in under 3 minutes. Candidates who've only read about the commands spend 8+ minutes second-guessing themselves.
"The PBQ question format is actually a gift — it tests real skill rather than test-taking ability. Candidates who do hands-on labs as they study find PBQs to be the easiest part of the exam. The ones who only read study guides find PBQs to be the hardest. That gap is entirely preparation, not aptitude." — Mike Chapple, CISSP, co-author of the CompTIA Security+ Study Guide (Sybex)
References
CompTIA. Performance-Based Testing Frequently Asked Questions. CompTIA, 2024. https://www.comptia.org/testing/testing-options/about-comptia-performance-based-testing
Professor Messer. How to Pass CompTIA Certification Exams — Performance-Based Questions. professormesser.com, 2024. (Video and written guides on PBQ strategy)
CompTIA. CompTIA Exam Testing Policies — Time Allotments and Question Types. CompTIA, 2024. https://www.comptia.org/testing/testing-policies-procedures/test-taking-tips
Dion, Jason. Dion Training Practice Exam Notes — PBQ Approach. diontraining.com, 2024. (Practice exam explanations that describe PBQ solving methodology)
TryHackMe. Security Operations Learning Path. TryHackMe, 2024. https://tryhackme.com/path/outline/soclevel1 (Hands-on log analysis and security operations practice relevant to Security+ and CySA+ PBQs)
CompTIA. A+ Exam Objectives — Performance-Based Question Examples. CompTIA, 2022. https://www.comptia.org/certifications/a (Exam guide includes examples of PBQ formats)
Frequently Asked Questions
What are CompTIA performance-based questions?
PBQs are interactive exam simulations requiring you to perform a task rather than select an answer. Types include: network diagram configuration, command-line tasks, drag-and-drop step ordering, log analysis, firewall rule configuration, and hardware identification. They appear on A+, Network+, Security+, Linux+, CySA+, and PenTest+.
Should I answer PBQs first or multiple choice questions first?
Flag complex PBQs and answer multiple choice first. PBQs appear at the start of CompTIA exams but they take longer and earn the same per-question credit. Spending 20 minutes on one PBQ while 80 multiple choice questions wait is the most common time management mistake on CompTIA exams.
Do PBQs receive partial credit on CompTIA exams?
Yes. Community reports consistently indicate partial credit for partially correct PBQ answers. Never leave a PBQ blank — an incomplete attempt scores better than zero. If you can complete 50% of a PBQ correctly, do so before moving on.
What is the best way to practice for CompTIA PBQs?
Hands-on practice is the only effective preparation. Set up VirtualBox (free) to practice A+ and Linux+ command-line tasks. Use Packet Tracer for Network+ topology configuration. Use TryHackMe's free Security Operations path for Security+ and CySA+ log analysis practice. Reading about the tasks doesn't build the procedural fluency PBQs test.
How many PBQs are on CompTIA exams?
CompTIA doesn't publish exact counts, but community reports indicate 3-10 PBQs per exam depending on the certification. Security+ and CySA+ tend to have more PBQs than A+. The number can vary between individual exam instances from the same question bank.
