OBJECTIVE 1.1 Compare and contrast

Compare and contrast various types of security controls

Security controls are the mechanisms you deploy to protect assets. The exam tests two classification axes — by category (who/what implements it) and by function (what it does). You need to be able to look at a control and classify it on both axes simultaneously.

Categories

Technical Controls

Implemented by technology. Hardware or software mechanisms that enforce security without human intervention at the point of execution.

  • Firewalls, IDS/IPS, encryption, access control lists (ACLs)
  • Antivirus/EDR, DLP agents, smart cards, biometric scanners
  • Key trait: Operates automatically once configured

Managerial (Administrative) Controls

Policies, procedures, and oversight activities that define how security is governed.

  • Acceptable Use Policies (AUP), security awareness training, risk assessments
  • Background checks, separation of duties, incident response plans
  • Change management processes, data classification standards
  • Key trait: Defines what should happen — enforced by humans or by technical controls downstream

Operational Controls

Day-to-day procedures executed by people (or automation on behalf of people) to maintain security posture.

  • Patch management cycles, log review, backup verification
  • Guard patrols, media handling procedures, configuration management
  • Key trait: The ongoing execution of managerial policy — where the rubber meets the road

Physical Controls

Tangible barriers that prevent or detect unauthorized physical access.

  • Fences, bollards, mantrap/vestibule, locks, safes
  • CCTV, motion sensors, security guards, lighting
  • Cable locks, server rack locks, Faraday cages
  • Key trait: Controls you can touch

Functions

Preventive

Stops an incident before it occurs. The first line of defense.

  • Firewall rules blocking unauthorized traffic (technical)
  • Mandatory security training before system access (managerial)
  • Locked doors requiring badge access (physical)

Detective

Identifies that an incident has occurred or is in progress. Doesn’t stop it — alerts on it.

  • IDS alerts on suspicious traffic patterns (technical)
  • Log analysis revealing anomalous login patterns (operational)
  • Motion sensors triggering alarms (physical)

Corrective

Remediates the impact after an incident is detected. Restores normal operations.

  • Restoring from backup after ransomware (technical/operational)
  • Patching a vulnerability after exploitation (technical)
  • Rebuilding a compromised system from a known-good image (operational)

Deterrent

Discourages threat actors from attempting an attack. Psychological barrier.

  • Warning banners on login screens (technical)
  • Visible security cameras (physical)
  • Published acceptable use policies with stated consequences (managerial)

Compensating

Alternative controls when the primary control is impractical or too expensive. Must provide equivalent protection.

  • Network segmentation when patching a legacy system isn’t possible (technical)
  • Increased monitoring when you can’t enforce MFA on a legacy app (operational)
  • Exam trap: Compensating controls aren’t inferior — they’re alternatives that meet the same security objective through a different path

Directive

Guides behavior through mandates and instructions. Tells people what to do.

  • “All passwords must be 16+ characters” (managerial)
  • “Visitors must be escorted at all times” (operational)
  • Signage indicating restricted areas (physical)

Cross-Classification

The exam loves asking you to classify a single control on both axes:

Control                                   | Category    | Function
------------------------------------------|-------------|-------------------------
Firewall rule blocking port 23            | Technical   | Preventive
Security camera                           | Physical    | Detective + Deterrent
Mandatory awareness training              | Managerial  | Preventive + Directive
Backup restoration procedure              | Operational | Corrective
“No tailgating” sign                      | Physical    | Deterrent + Directive
Network segmentation for unpatched system | Technical   | Compensating

Exam tip: A single control often serves multiple functions. CCTV is both detective (records incidents) and deterrent (visible cameras discourage attacks). The exam will ask you to pick the primary function.

Offensive Context

An attacker’s first move is mapping which controls exist and which functions are missing. If an org has strong preventive controls but weak detective controls, the attacker knows they need to avoid triggering prevention — but once past it, they can operate freely because nobody’s watching. Understanding control gaps as an attacker makes you better at identifying what’s missing as a defender.
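A small gap analysis over the two axes, added here as an example (it is not part of the study notes): it encodes the cross-classification table above as a constructed inventory, validates every entry against the category and function lists, builds the category-by-function coverage matrix, and reports which functions no control provides at all, which is the kind of gap the Offensive Context section says an attacker maps first. The Control class and function names are my own assumptions, not exam terminology.

```python
from collections import defaultdict
from dataclasses import dataclass

# The two classification axes from the study notes above.
CATEGORIES = ("technical", "managerial", "operational", "physical")
FUNCTIONS = ("preventive", "detective", "corrective",
             "deterrent", "compensating", "directive")


@dataclass(frozen=True)
class Control:
    """One control classified on both axes; functions[0] is the primary function."""
    name: str
    category: str
    functions: tuple

    def __post_init__(self):
        # Reject anything that is not on one of the two axes.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not self.functions or set(self.functions) - set(FUNCTIONS):
            raise ValueError(f"unknown or empty functions: {self.functions}")


def coverage_matrix(controls):
    """Map (category, function) -> names of the controls filling that cell."""
    matrix = defaultdict(list)
    for c in controls:
        for f in c.functions:
            matrix[(c.category, f)].append(c.name)
    return matrix


def missing_functions(controls):
    """Functions that no control of any category provides: the gaps to close first."""
    covered = {f for c in controls for f in c.functions}
    return [f for f in FUNCTIONS if f not in covered]


# Constructed sample inventory, taken from the cross-classification table above.
INVENTORY = [
    Control("Firewall rule blocking port 23", "technical", ("preventive",)),
    Control("Security camera", "physical", ("detective", "deterrent")),
    Control("Mandatory awareness training", "managerial", ("preventive", "directive")),
    Control("Backup restoration procedure", "operational", ("corrective",)),
    Control("\"No tailgating\" sign", "physical", ("deterrent", "directive")),
    Control("Network segmentation for unpatched system", "technical", ("compensating",)),
]

if __name__ == "__main__":
    for (cat, fn), names in sorted(coverage_matrix(INVENTORY).items()):
        print(f"{cat:<12}{fn:<13}{', '.join(names)}")
    print("missing functions:", missing_functions(INVENTORY) or "none")
```

Feed it a preventive-only inventory and the report lists every other function as missing, the "nobody's watching" posture described above.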