Tool-vs-technique
A specific vendor or product implements a broader security technique. The trap offers the tool name when the question is asking about the underlying technique (or vice versa).
The Trap in One Sentence
You picked a specific tool/vendor when the question asked about the underlying technique. The tool is one implementation of the technique — they're not the same answer.
Pairs Candidates Confuse
Specific product vs the category
Tool vs technique
Implementation vs general capability
Microsoft product vs the concept it implements
How to Avoid It
- If a vendor name appears in the choices but not in the stem, suspect a tool-vs-technique trap.
- Choose the broader technique unless the question explicitly names a tool.
- Watch for "BEST tool" vs "PRIMARY purpose" phrasing: the first wants a product, the second wants the concept.
Frequently Asked Questions
How do I recognize a tool-vs-technique trap in an exam question?
Check whether the choices mix vendor or product names with concept names. Splunk next to SIEM, Wireshark next to packet capture, Snort next to IDS: that pairing is the giveaway. The item is testing whether you can read which level the stem is written at, and a vendor name in the choices when the stem names no vendor is almost always a distractor.
What's the tell-tale stem phrasing that signals this trap?
Stems that ask for the PURPOSE, FUNCTION, CATEGORY, or PRIMARY ROLE of a control are asking about the underlying technique, not the tool that implements it. Stems naming a specific product or scenario ("in our SOC we deployed X") are at the tool level. Match the level of the stem to the level of the answer.
If a vendor name and a concept name both seem right, how do I decide?
Choose the broader concept unless the stem explicitly names a tool. The exam rewards understanding the technique because techniques transfer across tools; product names are perishable knowledge the exam tries not to test for that exact reason. When in doubt, the concept-level answer is the safer pick.
What's a real example of a tool-vs-technique trap?
Stem: "What is the PRIMARY function of correlating logs from multiple sources to detect attacks?" Choices: (a) Splunk, (b) SIEM, (c) ELK stack, (d) QRadar. Three are products that implement the function; only one is the function. The answer is (b) SIEM. Picking Splunk or QRadar is the classic miss because the stem describes correlation, which is what every SIEM does.
How is tool-vs-technique different from protocol-confusion?
Tool-vs-technique mixes products with concepts — the dimension is implementation vs idea. Protocol-confusion mixes peer protocols that all sit at the same conceptual level — the dimension is which protocol solves the specific problem. Tool-vs-technique punishes brand-name memorization; protocol-confusion punishes shallow protocol knowledge.
Why do item writers love this distractor mechanism?
Vendor names are sticky in candidate memory because they're everywhere in industry marketing. Item writers exploit that stickiness to discriminate candidates who learned the concept from candidates who only know the dominant product. It also future-proofs the question — the right answer (the concept) stays valid even when vendor names churn.
Where does this trap show up most often?
Sec+ uses it across Domains 2, 3, and 4 (especially around SIEM/EDR/SOAR vocabulary). CySA+ leans on it heavily in Domain 1 (Threat Management). GSEC and GCIH feature it because the SANS curriculum is concept-first. Vendor-specific exams (AWS Security, Microsoft SC-200) flip the polarity — there the tool-named answer is often correct, but the trap is in distinguishing similar tools.
How do I deliberately drill against this archetype?
Use the trap drill linked in the practice section below to focus reps on this pattern. Build a mental table of "concept → top 2-3 tools that implement it" for each major category (SIEM, EDR, IDS, NAC, CASB, WAF). After drilling, the brand-name distractors stop pulling your attention and you read the stem for the concept it actually describes.
Practice Against This Trap
43 cert-prep questions currently use this archetype as a distractor. Run a trap drill to face them in a row.
Related Traps
- Protocol confusion: You picked the wrong protocol from a similar set. TLS vs IPsec, SAML vs OAuth vs OIDC, RADIUS vs TACACS+ sound alike and address overlapping needs, but each solves a different problem and they are not interchangeable.
- Standard confusion: You conflated two similar standards. NIST RMF vs CSF, ISO 27001 vs 27002, SP 800-53 vs CSF overlap but aren't substitutes.
- Category confusion: You picked a control or concept from the wrong category. The control types (preventive, detective, corrective, deterrent, and the rest) sound interchangeable, but each does a different job.