Three words show up constantly on the SY0-701 exam and in real security work, and they get blended together more than almost anything else: encoding, hashing, and encryption. All three turn readable data into something that looks scrambled, so people treat them as interchangeable. The exam writes questions specifically to catch you doing that.
Here is the clean mental model that finally fixed it for me.
Encoding is for compatibility, not secrecy
Encoding changes the format of data so a system can store or transport it safely. Base64, URL encoding, and ASCII are encoding schemes. There is no key. Anyone who knows the scheme can reverse it instantly, and that is the entire point.
If a question shows Base64 and an answer choice says "the data is protected," that choice is wrong. Base64 is reversible by design. Attackers use it to slip payloads past simple filters, not to hide anything from someone competent. When a phishing attachment contains a Base64 blob, decoding it is step one of analysis, not a wall.
Rule of thumb: no key, and the goal is "make this readable by another system," means encoding.
Hashing is one-way, and that is the whole feature
Hashing runs data through a function like SHA-256 and produces a fixed-length digest. You cannot reverse it back to the original. The same input always gives the same output, and changing the input by even one character produces a completely different digest.
That one-way property is why hashing protects integrity, not confidentiality. You hash a downloaded file and compare it against the published value to confirm nothing changed in transit. You store password hashes so a database breach does not hand over plaintext passwords.
Two traps the exam loves here:
- Hashing is not encryption. There is no key and no decryption step. If an answer says "decrypt the hash," it is wrong.
- Password hashes need salt. A salt is random data added to the password before hashing so two users with the same password get different digests. Without salt, attackers lean on precomputed rainbow tables. If a question describes identical hashes for identical passwords, the missing control is salting.
Encryption is the only one built for confidentiality
Encryption uses a key to transform data, and the correct key transforms it back. That reversible-with-a-key behavior is what makes it real protection. An attacker can know the algorithm and still get nowhere without the key.
Inside encryption, the split that trips people up is symmetric versus asymmetric:
- Symmetric (AES) uses one shared key for both encryption and decryption. It is fast, so it does the heavy lifting on bulk data. The hard part is sharing that key safely.
- Asymmetric (RSA, ECC) uses a key pair: a public key and a private key. Anyone can encrypt with your public key, but only your private key decrypts. It solves the key-exchange problem but is slow.
Real systems use both. TLS uses asymmetric encryption to exchange a symmetric session key, then switches to symmetric for the actual data transfer. If you can explain that one sentence, you have already answered a surprising number of exam questions.
A 10-second sorting test
When a question describes data being transformed, ask two things:
- Is there a key? No key points to encoding or hashing. A key points to encryption.
- Can it be reversed? Reversible with no key is encoding. Not reversible is hashing. Reversible with a key is encryption.
That two-question filter resolves most of the crypto items in Domain 1 without memorizing every algorithm on the objectives.
Where people actually lose the points
It is rarely the definitions. It is the application questions, like "A developer stores user passwords using AES. What is the problem?" The trap is that AES is a strong algorithm, so the answer feels correct. But passwords should be salted and hashed, not encrypted, because the system never needs to recover the original password, only verify it. Encrypting passwords means one stolen key exposes every account at once.
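The sorting test in code, as an added example that is not part of the original post: Base64 round-trips with no key, a salted one-way hash can be verified but never reversed, and two users with the same password collide only when the salt is missing. It uses only the Python standard library; the PBKDF2 iteration count is a constructed demo value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; demo value, raise it in production


def encode_for_transport(data: bytes) -> str:
    """Base64 changes the representation only. No key, anyone can undo it."""
    return base64.b64encode(data).decode("ascii")


def decode_from_transport(text: str) -> bytes:
    """Reversing an encoding needs nothing but knowledge of the scheme."""
    return base64.b64decode(text)


def hash_password(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256). Returns (salt, digest).
    There is no decrypt step: the plaintext cannot be recovered from the digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: bytes, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time; the system
    never needs the original password, only this yes/no answer."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def same_password_two_users(password: bytes, salted: bool) -> bool:
    """True if two users who pick the same password end up with identical digests.
    Unsalted SHA-256: yes, and one rainbow-table hit cracks both accounts.
    Per-user salts: no, even though the password is the same."""
    if not salted:
        return hashlib.sha256(password).digest() == hashlib.sha256(password).digest()
    _, a = hash_password(password)
    _, b = hash_password(password)
    return a == b


if __name__ == "__main__":
    payload = b"GET /admin?user=alice"  # constructed sample input
    print("base64 round-trip:", decode_from_transport(encode_for_transport(payload)) == payload)
    print("unsalted digests collide:", same_password_two_users(b"hunter2", salted=False))
    print("salted digests collide:", same_password_two_users(b"hunter2", salted=True))
```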
You only catch that kind of distinction by working application-style questions, not by flipping flashcards. I built SecPlus Mastery (https://secplusmastery.com) partly because I kept missing these until I drilled enough of them to see the pattern. If you want to find your own crypto gaps quickly, the free diagnostic at https://secplusmastery.com/diagnostic will surface them in a few minutes.
Get these three straight and a whole cluster of Domain 1 and Domain 3 questions stops being guesswork. Encoding for compatibility, hashing for integrity, encryption for confidentiality. Key or no key, reversible or not. That is the entire map.