3. Threats, Vulnerabilities, and Mitigations (22%)

This domain covers exam objectives 2.1 through 2.5 and accounts for roughly 20 of the 90 exam questions — the second-heaviest domain. Where Phase 2 gave you the tools and frameworks for defense, Phase 3 introduces the adversaries, their methods, and the weaknesses they exploit. Understanding attacks isn't about becoming an attacker — it's about thinking like one so your defenses actually address real threats rather than imagined ones. The exam leans heavily on scenario-based questions here: you'll be given a description of an attack and asked to identify the threat actor, the vector, the vulnerability exploited, or the appropriate mitigation.