General Security Concepts · SY0-701 · Task 1.2

Zero Trust — SY0-701

CompTIA Security+ SY0-701 concept reference for Zero Trust: definition, mental model, exam traps, and related concepts grounded in NIST SP 800-207.

WHAT IT IS

Zero Trust is "a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised." (NIST SP 800-207, via CSRC Glossary)

The architecture built on these concepts — a Zero Trust Architecture (ZTA) — is "a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy" that eliminates implicit trust in any element and mandates continuous verification using real-time information from multiple sources to determine access and system responses. (NIST SP 800-207, via CSRC Glossary)

Mental model

Think of every access request as if it arrives from an untrusted network — even when the requester is already inside the building. Zero Trust replaces the old assumption "inside = safe, outside = dangerous" with a single governing question applied to every request: Can this identity, on this device, in this context, be granted minimum necessary access right now?

The three words that capture the shift: never trust, always verify.

When to use it

A common source of exam confusion is treating Zero Trust as simply "no VPN" or as a firewall upgrade. Zero Trust is a strategy that changes the basis of access decisions — not a single product or protocol. The table below contrasts it with the perimeter-based model it is designed to supersede.

Dimension           Perimeter-Based Model          Zero Trust Model
------------------  -----------------------------  ------------------------------------------------------
Trust boundary      The network edge (firewall)    No implicit boundary; every request is evaluated
Trust assumption    Internal traffic is trusted    No entity is trusted by default — internal or external
Access decision     Made once at the perimeter     Made per-request using real-time context
Principle applied   Allow by location              Least privilege per request
Threat posture      Assumes a secure interior      Treats the network as already compromised
Monitoring          Perimeter logging              Continuous verification from multiple sources

COMMON MISCONCEPTION

Zero Trust does not mean "trust nothing forever." It means no implicit, pre-granted trust — access can absolutely be granted, but only after per-request evaluation against policy. Candidates sometimes read "never trust" and conclude that Zero Trust systems permanently block all access or eliminate authentication. The opposite is true: Zero Trust demands richer, more continuous authentication and authorization, not the absence of it.

A second trap: Zero Trust is not synonymous with multi-factor authentication, micro-segmentation, or any single control. Those controls are mechanisms that support a zero trust strategy; they do not constitute it. NIST SP 800-207 frames Zero Trust as a collection of concepts and a design strategy — not a product category.

How it shows up on the exam

What Zero Trust questions test is whether you can separate the strategic premise from the controls that implement it. Candidates are often asked to identify which scenario best exemplifies a zero trust approach, and the distractor scenarios tend to present perimeter hardening (adding firewalls, upgrading VPN) or a single control (MFA, segmentation) as equivalent to zero trust.

Signal phrases in stem text that point toward Zero Trust answers:

  • "regardless of network location"
  • "per-request access decision"
  • "continuous verification"
  • "least privilege access to resources"
  • "network viewed as compromised"

When a question describes granting access based on where a device is (e.g., "it's on the internal LAN"), that is a perimeter assumption — the opposite of Zero Trust. When access is granted based on who, what device, and what context, that aligns with the zero trust strategy as NIST describes it.

Related concepts

  • CIA Triad — Zero Trust operationalizes confidentiality and integrity by ensuring access is granted only to what is needed, verified at each request.
  • Non-repudiation — The per-request authentication and logging a Zero Trust model requires produce the audit trail that supports non-repudiation.
  • AAA Framework — Authentication, Authorization, and Accounting are the per-request mechanisms Zero Trust relies on; ZTA elevates these from one-time perimeter events to continuous, context-aware decisions.

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
