⚡ SY0-701 at a Glance
Security+ SY0-701 has 5 domains, up to 90 questions, 90 minutes, passing score 750/900. The smallest domain is General Security Concepts at 12% — but don't let the lower percentage fool you, it's the widest domain and sets the vocabulary for everything else. Threats, Vulnerabilities and Mitigations (22%) is the largest single domain and the one candidates most often underestimate. The exam is scenario-heavy — you'll be told a situation and asked what to do, not just asked to define terms.

Domain Weightings — Visual Overview

1. General Security Concepts: 12%
2. Threats, Vulnerabilities & Mitigations: 22%
3. Security Architecture: 18%
4. Security Operations: 28%
5. Security Program Management: 20%

Domain 1 — General Security Concepts (12%)

Security vocabulary, controls, and cryptography fundamentals
The vocabulary layer of the exam. Covers security control categories and types, basic cryptography concepts, authentication and authorisation fundamentals, and key security concepts like zero trust and defence in depth. While 12% is the smallest weighting, this domain's concepts appear embedded in every other domain's questions — weak foundations here cost you points everywhere else.
Security Controls: Technical, managerial, operational controls. Preventive, detective, corrective, compensating, deterrent, directive
Cryptography Basics: Symmetric vs asymmetric, hashing, PKI, digital signatures, TLS/SSL, certificate types
Authentication: MFA factors (something you know/have/are/somewhere/do), SSO, federation, SAML, OAuth, OIDC
Zero Trust: Never trust, always verify; microsegmentation, least privilege, identity as the new perimeter
Security Frameworks: NIST CSF, ISO 27001, CIS Controls — awareness of frameworks, not deep memorisation
Physical Security: Access control vestibules (mantraps), bollards, badge systems, cameras, secure areas
Study priority: Security control types (preventive/detective/corrective/compensating) are tested constantly throughout the exam — not just in this domain. Know the difference between each and be able to classify a given control correctly. Cryptography fundamentals underpin Domains 3 and 4.

Domain 2 — Threats, Vulnerabilities and Mitigations (22%)

Largest domain — attacks, malware, and social engineering
The largest domain and the most scenario-heavy. You'll be given attack descriptions and asked to identify the type, or given an attack type and asked for the correct mitigation. Covers the full threat landscape — malware types, social engineering techniques, network attacks, application vulnerabilities, and how threat actors operate. Every scenario starts here — if you can't identify what type of attack is happening, you can't answer what to do about it.
Malware Types: Viruses, worms, trojans, ransomware, rootkits, spyware, keyloggers, RATs, fileless malware, botnets
Social Engineering: Phishing, spear phishing, vishing, smishing, whaling, pretexting, baiting, tailgating, watering hole
Network Attacks: DoS/DDoS, man-in-the-middle, ARP spoofing, DNS poisoning, VLAN hopping, replay attacks
Application Attacks: SQL injection, XSS, buffer overflow, CSRF, privilege escalation, directory traversal
Threat Intelligence: OSINT, dark web monitoring, threat feeds, IoCs (indicators of compromise), TTPs
Vulnerability Management: CVE/CVSS scoring, patch management, vulnerability scanning vs penetration testing
Threat Actors: Nation-state, organised crime, insider threats, hacktivists, script kiddies — motivations and capabilities
Mitigations: Patching, segmentation, allowlisting, MFA — which mitigation applies to which threat
Study priority: Social engineering attack types are tested relentlessly — know every variant (spear phishing vs whaling vs vishing vs smishing) by definition and example. Malware type distinctions (virus vs worm vs RAT vs fileless) are the second biggest focus. The exam gives you a scenario and you must name the attack type — not the other way around.

Domain 3 — Security Architecture (18%)

Network design, cloud security, and infrastructure hardening
How you design and build secure infrastructure — network segmentation, cloud security models, secure protocols, and infrastructure hardening. SY0-701 added significantly more cloud and hybrid environment content compared to the previous version. This domain asks how to architect a solution, not just what the components are.
Network Security Design: Segmentation, DMZ, zero trust architecture, microsegmentation, east-west vs north-south traffic
Cloud Security: Shared responsibility model, CASB, cloud-native security tools, IaaS/PaaS/SaaS security differences
Secure Protocols: HTTPS, SFTP, SSH, SNMPv3, LDAPS, TLS 1.3 — know which replaces which insecure protocol
Infrastructure Hardening: Patch management, configuration baselines, disabling unnecessary services, secure defaults
Virtualisation Security: VM escape, hypervisor security, container security, serverless architecture risks
Embedded & IoT Security: Firmware security, segmenting IoT, RTOS security, supply chain risk for hardware
Study priority: The shared responsibility model for cloud (who secures what in IaaS vs PaaS vs SaaS) is heavily tested. Secure protocol substitutions (HTTP→HTTPS, Telnet→SSH, FTP→SFTP, SNMP v2→v3) are easy points — know all of them. Network segmentation scenarios (where to place the firewall, what goes in the DMZ) appear frequently.

Domain 4 — Security Operations (28%)

Heaviest domain — IAM, incident response, and monitoring
The largest domain by a significant margin — 28% means roughly 25 questions. Covers the day-to-day operational security work: identity and access management, incident response, digital forensics, security monitoring, and endpoint security. This is where Security+ most reflects what a real security analyst actually does. Do not deprioritise this domain — it's nearly a third of the exam.
Identity & Access Management: Least privilege, separation of duties, MFA, PAM, directory services, SSO, account lifecycle
Incident Response: PICERL phases (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), playbooks
Digital Forensics: Order of volatility, chain of custody, forensic imaging, legal hold, write blockers
Security Monitoring: SIEM, log analysis, threat hunting, IoC identification, baseline anomaly detection
Endpoint Security: EDR, antivirus, application allowlisting/blocklisting, DLP, mobile device management (MDM)
PKI & Certificates: Certificate lifecycle, CA hierarchy, CRL, OCSP, certificate pinning, digital signatures
Wireless Security: WPA3, 802.1X Enterprise, EAP-TLS, PEAP, rogue AP detection, evil twin attacks
Data Security: Data classification, DLP, encryption at rest/in transit, data destruction methods, tokenisation
Study priority: IAM concepts (least privilege, separation of duties, account lockout policy) appear in multiple questions. Incident response phases (PICERL order and what happens in each) are directly tested. Order of volatility for digital forensics is a specific exam favourite. Spend the most time here.

Domain 5 — Security Program Management and Oversight (20%)

Governance, compliance, risk, and privacy
The governance layer — risk management, compliance frameworks, security policies, data privacy regulations, and third-party risk. Often called the "boring domain" by candidates who then fail questions on it. 20% is too large to skip. This domain is more conceptual than technical but requires you to understand how security decisions get made at an organisational level, not just how to configure a firewall.
Risk Management: Risk types, risk responses (accept/transfer/avoid/mitigate), risk register, risk appetite vs tolerance
Compliance & Regulations: GDPR, HIPAA, PCI-DSS, SOX — what each covers and which industries they apply to
Security Policies: AUP, data retention, incident response policy, BYOD, MDM policy, password policy
Business Continuity: BCP, DRP, RTO vs RPO, BIA (business impact analysis), backup strategies
Third-Party Risk: Vendor assessment, supply chain risk, SLAs, right to audit, data processing agreements
Data Privacy: PII, PHI, data sovereignty, privacy by design, data minimisation, consent management
Study priority: Risk responses (accept/transfer/avoid/mitigate) with examples of each are tested directly — know which response applies to which scenario. RTO vs RPO distinction is a classic exam question. Compliance regulation applicability (HIPAA = healthcare, PCI-DSS = payment cards, GDPR = EU personal data) is straightforward points if you know the basics.

How to Allocate Your Study Time

Domain | Weight | Study time % | Why
4. Security Operations | 28% | 30% | Biggest domain — IAM, IR, forensics, and monitoring are all heavily tested with scenario questions
2. Threats, Vulnerabilities & Mitigations | 22% | 25% | Attack identification scenarios require genuine knowledge — you can't guess your way through these
5. Security Program Management | 20% | 15% | Conceptual but consistently tested — risk responses and compliance basics are learnable quickly
3. Security Architecture | 18% | 15% | Cloud and secure protocol questions are very predictable — study the patterns
1. General Security Concepts | 12% | 15% | Small % but foundational vocabulary — weak here costs you points in every other domain

SY0-701 vs SY0-601 — what changed

SY0-701 was released in November 2023. Key changes from the previous version:
- Cloud and hybrid environment content significantly increased — the shared responsibility model and cloud-native security tools are now explicitly tested.
- Zero Trust architecture is a named concept you must understand.
- Automation and orchestration concepts (SOAR) were added.
- Domain names and structure changed — Operations was reorganised into the largest domain at 28%.

If you're using older study materials written for SY0-601, they cover ~80% of the content but you'll have gaps in cloud and zero trust. Use updated materials.

Exam Facts — SY0-701

Detail | Value
Exam code | SY0-701
Questions | Maximum 90 (multiple choice + performance-based)
Time limit | 90 minutes
Passing score | 750 out of 900
DoD approval | DoD 8570/8140 approved — required for many US government and defense contractor security roles
Recommended experience | Network+ and 2 years of IT administration with security focus
Validity | 3 years (renewable via CE credits)
Cost | ~$404 USD (check CompTIA.org for current pricing)

How to Use the Domain Weightings in Your Study Plan

Security Operations at 28% is the most important domain by far — nearly a third of your exam score. If you have limited study time, investing heavily in incident response (PICERL phases, IR procedures, digital forensics order of volatility), identity and access management, endpoint security, and SIEM/monitoring concepts will generate the highest return. Domain 2 (Threats at 22%) is the second priority — malware types, social engineering, and vulnerability concepts are tested heavily in scenario format throughout the exam, not just within Domain 2 questions.

Domain 5 (Security Program Management at 20%) is the most under-studied domain and a significant source of exam failures. Risk management, compliance frameworks, and data governance feel less technical but represent roughly 18 questions. Don't skip GRC content — candidates who focus entirely on technical security topics and neglect governance consistently report unexpected difficulty in this area on exam day.

Domain 1 — General Security Concepts Deep Dive

At 12%, Domain 1 provides foundational concepts that underpin questions throughout the entire exam. Security controls by type: Technical (firewalls, encryption, MFA), Managerial (policies, risk assessments, security awareness training), Operational (physical security, SOC procedures, change management), Physical (locks, cameras, mantraps). By function: Preventive (stops an attack), Detective (identifies an attack), Corrective (responds to an attack), Deterrent (discourages an attack), Compensating (alternative when primary control isn't feasible), Directive (guides behaviour through policy). These taxonomies appear throughout exam scenarios — "which type of control is a camera?" (Physical, Detective).

Cryptography fundamentals are also primarily tested in Domain 1: symmetric vs asymmetric encryption (AES, RSA, ECC), hashing (SHA-256, MD5 — weaknesses of MD5), PKI (certificate authorities, certificate chains, digital signatures), TLS handshake, and key management concepts. Understand the relationship: asymmetric encryption secures the key exchange, symmetric encryption secures the bulk data transfer. This pattern (hybrid encryption) underlies TLS, PGP, and most secure communication systems.
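The hybrid pattern described above, as an added example written for this guide (it is not CompTIA's or the page's own code), using only Go's standard library: X25519 key agreement is the asymmetric step that establishes the session key, and AES-256-GCM is the symmetric step that protects the bulk data. Alice, Bob, their key pairs and the message are constructed for the demo, and SHA-256 stands in for a proper key-derivation function such as HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SessionAEAD is the asymmetric step: X25519 key agreement, after which the shared
// secret is hashed into an AES-256-GCM key (SHA-256 stands in for a proper KDF such as HKDF).
func SessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key, so NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Encrypt is the symmetric step: AES-GCM encrypts and authenticates the bulk data.
// The random nonce is prepended for the receiver; it must never repeat under one key.
func Encrypt(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// Decrypt splits off the nonce and opens the message; GCM rejects any tampered byte.
func Decrypt(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	// Constructed demo: Alice and Bob each hold an X25519 key pair and have swapped public keys.
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sender, _ := SessionAEAD(alice, bob.PublicKey())   // Alice derives the session key...
	receiver, _ := SessionAEAD(bob, alice.PublicKey()) // ...and Bob independently derives the same one
	blob := Encrypt(sender, []byte("constructed sample message"))
	pt, err := Decrypt(receiver, blob)
	fmt.Printf("%s %v\n", pt, err)
}
```

Only the public keys cross the wire; the 32-byte shared secret is never transmitted, which is exactly why the asymmetric step can safely bootstrap the symmetric one.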

Domain 2 — Threats, Vulnerabilities and Mitigations Deep Dive

At 22%, this domain demands that you can identify threats from descriptions rather than names. Malware types by behaviour: virus (attaches to files, requires user execution), worm (self-replicating, spreads without user action), trojan (disguised as legitimate software), ransomware (encrypts files and demands payment), RAT (remote access trojan — gives attacker persistent remote control), rootkit (hides itself and other malware from the OS), keylogger (captures keystrokes), spyware (collects data without consent), botnet/zombie (compromised device under attacker control). Know what each does, how it spreads, and how it's detected.

Social engineering attacks: phishing (broad email campaign), spear phishing (targeted at specific individual), whaling (targeting executives/C-suite), vishing (voice phishing), smishing (SMS phishing), business email compromise (BEC — impersonating a trusted party to request fraudulent wire transfers), pretexting (creating a fabricated scenario to extract information), tailgating/piggybacking (physical social engineering). Vulnerability types: zero-day (no patch exists), unpatched (patch exists but not applied), misconfiguration (default credentials, open ports), weak credentials, supply chain vulnerabilities (compromised vendor software or hardware).

Domain 3 — Security Architecture Deep Dive

Security Architecture at 18% covers both cloud and network security design. Cloud security: shared responsibility model (provider vs customer obligations differ by IaaS/PaaS/SaaS), CASB (visibility and control over SaaS), CSPM (continuous configuration monitoring), CWPP (workload protection for VMs and containers), SASE (cloud-delivered security for remote workers). Network security design: DMZ (screened subnet between two firewalls, hosts public-facing services), Zero Trust architecture (never trust, always verify), microsegmentation (east-west traffic controls), network access control (802.1X with RADIUS).

Infrastructure security: secure baseline configurations, hardening (disabling unnecessary services, changing defaults, applying CIS benchmarks), patch management processes, vulnerability scanning vs penetration testing (scanning identifies vulnerabilities, pentesting exploits them to confirm exploitability and measure real-world risk). Know when each is appropriate and what authorisation is required (pentest requires explicit written authorisation — never assumed).

Domain 4 — Security Operations Deep Dive

The largest domain at 28% — invest proportionally. Incident response (PICERL): Preparation (tools, playbooks, training), Identification (is this an incident? what type?), Containment (stop the spread — isolate systems before eradication), Eradication (remove the threat), Recovery (restore systems to production), Lessons Learned (document, improve). Order matters: always contain before eradicating. Preserve evidence (order of volatility: RAM → running processes → network connections → filesystem → logs → archive) before reimaging.

Identity and access management: MFA factors (something you know/have/are), SSO (single sign-on with federation using SAML or OIDC), PAM (privileged access management — just-in-time elevation, session recording), directory services (LDAP, Active Directory), certificate-based authentication. Endpoint security: EDR (endpoint detection and response — behavioural monitoring, threat hunting, automated response), MDM (mobile device management — remote wipe, configuration enforcement), application allowlisting/blocklisting (also called whitelisting/blacklisting), DLP (data loss prevention — prevents exfiltration). Monitoring: SIEM (log aggregation, correlation rules, alerting), SOAR (automated response playbooks), threat intelligence feeds.
