← back to blog
4 min read
  • #security-plus
  • #ejpt
  • #study-habits
  • #notes

How I take notes for technical certs

My Security+ and eJPT note system: plain Markdown files, own-words summaries, an explain-it-to-a-client test, and a weekly pass that turns notes into flashcards.


I kept missing practice questions on Security+ port numbers. My notes looked great. That was the problem: I had copied them almost word for word from the study guide, and copying feels like studying while teaching you almost nothing.

I'm studying for Security+ SY0-701 and eJPT right now. I have not passed either one yet, so this is not a how-I-aced-it post. It's the note system that finally made my practice scores move after the pretty notes failed.

Plain Markdown, one file per domain

All my notes live in plain Markdown, one file per exam domain. SY0-701 has five domains, so I keep five files, plus a scratch file for anything I have not sorted yet.

Why Markdown instead of a fancy notes app:

  • Plain text syncs anywhere, opens in anything, and will still open in ten years.
  • Code blocks. Half of eJPT prep is commands. nmap -sV -p- 10.10.10.5 belongs in a code block, not a screenshot.
  • Search works. When I blank on something, I search the folder instead of scrolling.
  • I can edit on my phone. I once shipped a code fix from a chairlift with Termux. Fixing a typo in a note from anywhere is easy by comparison.

Two structure rules I actually stick to: headings match the exam objectives, so I always know which objective a note came from, and every acronym gets spelled out the first time it shows up in a file. Future me does not remember what CASB stood for at 11pm.

Summaries in my own words, book closed

The rule that changed everything: I am not allowed to write the note while looking at the source.

Read the section. Close the book or pause the video. Write the summary from memory. Then open the source and check it for mistakes.

Book version: "Symmetric encryption uses a single shared key for both encryption and decryption operations."

My version: "One key does both jobs. Fast, good for big files. The catch is getting that key to the other person without leaking it. That delivery problem is what asymmetric crypto exists to solve."

Mine is longer and messier. It's also the only one I can reproduce on a quiz, because I built it instead of transcribing it. And when I can't write the summary from memory at all, that's not a failure. That's the system finding the exact thing I need to reread.

The explain-it-to-a-client test

I build websites for small local businesses. My first client runs a nail salon. So every security concept in my notes gets a second, shorter summary: how would I explain this to her in two sentences?

TLS: "The padlock in the browser means anything a customer types on your booking page is scrambled between their phone and your site. Without it, someone on the same coffee shop wifi can read it."

Phishing: "Nobody hacks your register. They email you a fake invoice, you click it, and you hand over the keys yourself."

If I can't produce the client version, I don't understand the concept yet. I just memorized the vocabulary around it. The test is brutal because jargon is exactly where weak understanding hides.

Honest limit: this does not work for everything. There is no salon-owner version of subnetting math, and no two-sentence version of pivoting through a compromised host in an eJPT lab. Some material you just drill, and for hands-on eJPT skills notes only get you so far. Nothing replaces terminal time.

Notes turn into flashcards

Once a week I go back through the notes and turn every fact I stumbled on into a flashcard.

One rule matters here: the front of the card is a question, not a term. "What port does LDAPS use?" forces recall. A card that just says "LDAPS" lets me nod at it and move on, and nodding at notes is how I ended up missing those port questions in the first place.

What becomes a card: ports, protocol names, acronyms, which control type belongs to which category, tool flags I keep forgetting. What does not: anything that needs a lab. Flashcards are strong for facts and honestly weak for skills.

One more tradeoff worth admitting: this whole system is slow. Own-words summaries plus client explanations plus writing cards roughly doubles my study time per chapter. That is a real cost on nights when I'm tired after client work. The return is that the material sticks, and my practice scores stopped lying to me.

The Security+ and eJPT flashcards I built for myself ended up inside my app, along with quizzes and a daily question with streaks, so I touch the material even on days I skip a full study block. If you're grinding the same certs, it's on the app page: Aldo's Toolkit, free on both stores, no ads, no tracking.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.