[Image: CompTIA Security+ certification badge]
CompTIA Security+ SY0-701 — the target.

The CompTIA Security+ SY0-701 exam covers five domains and somewhere north of 600 distinct objectives. Cryptography, identity federation, threat intelligence frameworks, incident response playbooks, cloud security controls, network segmentation models — all of it needs to be not just recognised, but retrievable under exam pressure in under 90 minutes. If you have tried to study for it using a standard question bank, you probably know the feeling: you drill the same question three times, get it right, and then blank on it completely a week later when it comes back in a practice test.

That is not a memory failure. That is a storage failure. The information was never encoded in a way that makes retrieval reliable. Rote drilling builds recognition but not recall. When you need to produce an answer under pressure, recognition is not enough.

I built something to fix that. It is called Gary's Security Stories, and it runs at carlsimpson.co.uk/security-plus-study/. This is the story of why I built it and how the underlying learning technique actually works.

The technique: method of loci

The method of loci is approximately 2,500 years old. The ancient Greeks attributed it to the poet Simonides of Ceos; Cicero documented it in De Oratore; Roman rhetoricians used it to memorise hours-long speeches without notes. Modern memory champions — the people who memorise shuffled decks of cards in under 20 seconds — use variants of it in every competition. It works because the human brain is significantly better at remembering places and events than it is at remembering isolated facts.

The core mechanic is this: choose a stable, vivid location you know well. Walk through it mentally. At each point along the route, deposit the thing you want to remember as a scene — something visual, concrete, and ideally a little strange. When you need to recall it, you mentally walk the route again. The scene is there. The fact attached to it comes with it.

The underlying reason this works is that episodic memory — memory for events in context — is substantially more durable than semantic memory for isolated propositions. Giving a dry technical concept a location, a character, and consequences turns it from a semantic datum into a scene. The brain stores scenes differently from definitions, and retrieves them more reliably under pressure.

The question was how to apply this to a 600-objective technical exam. The answer was to stop using a real building and build a fictional one instead — one designed specifically around the exam content.

Gary's Coffee Shop on Cipher Lane

Gary runs a coffee shop on Cipher Lane. He is a well-meaning but perennially overwhelmed small business owner, and things go wrong for him constantly — but in very specific ways that happen to map exactly onto CompTIA Security+ SY0-701 exam objectives.

That is the entire premise. Gary is the protagonist. The coffee shop is the memory palace. Every exam concept gets dropped into the shop as a scene with real consequences for Gary's business. Domain 1 threats and attacks are things that happen to Gary by bad actors. Domain 2 vulnerabilities are weaknesses in his shop's own systems. Domain 3 architecture concepts are the way he structures his security after things go wrong. Domain 4 operations and incident response is Gary and his team dealing with the aftermath. Domain 5 governance and programme management is the bureaucratic fallout.

The structure matters. Each concept has a setting (somewhere in the shop), a character (Gary, a customer, a supplier, a staff member, an inspector), and a consequence (something goes wrong, something gets fixed, something gets audited). When the exam asks about a concept, the recall chain is: keyword → scene → answer. It is faster and more reliable than keyword → definition, because the scene is a much larger retrieval hook.

[Image: The Complete Run page, a grid of 22 Gary story cards with titles including "Gary's Coffee Shop Gets Done", "Gary's Nightmare Shift" and "Seven Floors"]
The 22-story library — each card is a narrative case study covering a cluster of related SY0-701 objectives.

There are 22 stories in the current library. They cover all five SY0-701 domains — from threat actor classification and attack vectors through to cryptographic protocols, identity and access management patterns, zero-trust architecture, incident response procedures, and governance frameworks. Each story is a standalone narrative, but they share the same cast, the same location, and the same coherent world. Reading one reinforces the others.

I deliberately avoided making the stories cute or whimsical in a way that would undercut the technical precision. The technique requires narrative context, not comedy. Gary's problems need to feel consequential enough that the scenes are worth encoding. A story about Gary's supply chain being compromised needs to actually explain supply chain integrity, not just gesture at it through an allegory.

What was built

The study platform is a pure HTML/CSS/JS application — no framework, no build step, no runtime dependencies. It runs locally via nginx and python3 http.server, served over HTTPS at optima.local on my home network, and publicly at carlsimpson.co.uk/security-plus-study/. It installs as a PWA on my phone so I can drill questions anywhere.

The content layer is the significant part:

The practice modes are structured around how the exam actually works. There is a Quick Drill (short session, wrong answers prioritised), a Full Practice (timed, 90-question simulation), a Domain Focus mode (isolate a specific domain), and a Review Wrong queue. The drill queue on the dashboard shows wrong answers plus spaced-repetition due items — so each session starts with whatever I got wrong last time and whatever the spacing algorithm has scheduled for today.

How a session actually works

[Image: Exam Practice screen showing Question 1 of 10 in Domain 4, asking which tool a security operations center should use to improve incident response procedures, with the options Playbooks, Frameworks, Baselines and Benchmarks]
Domain Focus exam practice — a timed question set isolated to a single SY0-701 domain.

[Image: Gary's Security Stories dashboard showing streak tracking, the drill queue, domain accuracy bars, and MCQ and PBQ practice cards]
The dashboard — streak, drill queue, per-domain accuracy bars, and direct links to MCQ and PBQ practice.

I open the dashboard. The drill queue tells me I have 8 items due — a mix of questions I got wrong last session and questions scheduled by the spaced repetition timer. I start with the drill queue to clear those first. Then, depending on how much time I have, I either run a Domain Focus set on whichever domain my accuracy bar is lowest for, or I go through a new story I have not read yet.

The exam practice flow has keyboard shortcuts throughout: arrow keys to navigate between questions, A through D to select an answer, F to flag a question for review, Enter to submit. That sounds like a minor detail, but it eliminates the mouse from the practice flow entirely. The exam itself is mouse-driven, but practising without the mouse means I am reading and processing rather than clicking. The friction is slightly higher, which turns out to help.

After each question, the explanation loads immediately. If the question has a See-story chip, I can jump directly to the narrative that covers that concept. The explanation is not just a definition — it is framed in the context of what Gary's situation illustrates. That closes the loop between the story encoding and the exam question format.

The honest section

I have not passed the exam yet. I am studying. My best practice score so far is 60%, which is below the 750/900 passing threshold. My Domain 1 and Domain 2 accuracy is strong. Domains 3, 4, and 5 are where I am losing points — the architecture and operations domains, which require more procedural knowledge than the threat-and-attack domains I drilled first.

The tool is working in the sense that I am retaining what I study. The problem is coverage — I have not yet drilled all five domains equally, and the exam does not reward depth in two domains at the expense of the other three. The next phase is disciplined domain rotation rather than following interest.

The technique also has a genuine limitation worth naming: it is excellent for conceptual recall but slower to encode purely procedural knowledge. A story-based encoding of "how to analyse a packet capture log" is harder to construct than one for "what is a replay attack." The PBQ scenarios are where the method strains most, and those are also the most valuable questions on the exam. I am working through it, but I would not oversell narrative mnemonic encoding as a complete answer to exam preparation. It is the most effective retention technique I have used for this material. Whether it is sufficient for the full SY0-701 scope at exam pace — I will find out.

What is portable

The technique is not specific to Security+. Any large-syllabus exam with a high volume of interconnected concepts is a candidate: AWS Solutions Architect, Magento Associate, Certified Kubernetes Administrator, CISSP. The pattern is the same — pick a stable fictional location, build a recurring cast, encode every concept cluster as a scene with consequences. The tooling is trivially portable: the platform is plain HTML and could be rebuilt around any domain's content without touching the underlying architecture.

There is also a longer-term angle here that I find interesting. One of the ongoing problems in technical certification study is that the market is saturated with question banks that teach you to pass the test rather than understand the domain. A narrative-first approach inverts that: the stories are built around genuine understanding of the concepts, and the questions test whether that understanding transferred. It is a different philosophy about what study material is for.

I can see a version of this that becomes the backbone of a proper QB Digital learning product — narrative-driven technical study for engineering certifications, built by people who actually work in the domain rather than by content mills. That is a future conversation. For now, Gary's Coffee Shop has enough problems of its own.

The point

The standard study materials for Security+ are not bad. They are thorough, they are accurate, and they will get you through the exam if you spend enough hours with them. What they are not is efficient. The information is presented in the format that is easiest to write, not the format that is easiest to retain. Flashcards and bulk question banks optimise for coverage, not for the way memory actually works under pressure.

Method of loci is not a shortcut. It takes more time to build the stories than to read a chapter. But the retention differential is significant enough that the upfront investment pays back across the full exam scope. Every hour I spend reading a Gary narrative is doing double work: it is covering exam content and it is giving that content a durable retrieval hook.

A 2,500-year-old memory technique, a fictional coffee shop, and a framework-free web app running on my home network. If it gets me through a 600-objective cybersecurity exam, it was worth building.

Study platform: carlsimpson.co.uk/security-plus-study/

Gary's Security Stories — 22 narratives, 5 domains, every concept as a scene in Gary's Coffee Shop on Cipher Lane.