Everything you need to pass SY0-701 — exam structure, all 5 domain weightings, a realistic study plan, the highest-priority topics, performance-based question formats, and links to every Security+ concept on IT Study Hub.
Security+ is the entry-level cybersecurity certification recognised by the US DoD (Directive 8140) and most enterprise security teams. It proves you can identify threats, implement security controls, and respond to incidents — not just define terms. The SY0-701 version emphasises scenario-based application over memorisation; you need to understand what to do in a situation, not just what something is called.
Security+ is the logical next step after Network+. Roughly 30% of its content builds directly on networking knowledge — firewalls, VPNs, network attacks, wireless security. If you've taken Network+ recently, you already know a significant chunk of Domain 4.
The SY0-701 (current) restructured SY0-601's five domains into a different five and significantly expanded coverage of cloud security, zero trust architecture, and automation/scripting. The threats domain now includes more advanced attack techniques (living-off-the-land, supply chain attacks). If you're using older SY0-601 materials, supplement them: the cloud and automation content is substantially different.
SY0-601 was retired on 31 July 2024 (English version) and can no longer be booked; you need SY0-701 materials.
Domain 1, General Security Concepts (12%). Foundational vocabulary: security control categories (technical, managerial, operational, physical) and control types (preventive, deterrent, detective, corrective, compensating, directive), cryptography principles, authentication types, and public key infrastructure. Smaller domain, but the concepts underpin everything else. Get these definitions sharp; they set up the vocabulary for all other domains.
Domain 2, Threats, Vulnerabilities, and Mitigations (22%). The second-largest domain and the threat-focused one: threat actors and motivations, malware types, social engineering, network attacks, application vulnerabilities, and vulnerability scanning. This is the most scenario-heavy domain: given a description of an attack, identify it and select the correct mitigation.
Domain 3, Security Architecture (18%). How secure networks and infrastructure are designed: cloud security models, network segmentation, virtualisation security, secure network design (DMZ, screened subnet), and resilience. Cloud security is heavily weighted in SY0-701 and was significantly expanded from SY0-601.
Domain 4, Security Operations (28%). The largest domain: incident response, digital forensics, identity and access management, endpoint security, and monitoring. This is where the most scenario-based questions live. Know the PICERL phases cold and be able to select the correct IR action for a given scenario.
Domain 5, Security Program Management and Oversight (20%). Governance, risk, compliance, and data privacy: the business side of security. Risk assessment types (qualitative vs quantitative), frameworks (NIST, ISO 27001), regulations (GDPR, HIPAA, PCI-DSS), and security policies. Often underestimated: 20% of an exam of up to 90 questions is roughly 18 questions. Don't skip GRC.
Security+ requires more study time than A+ or Network+ because of the breadth and the scenario-based question format. Most candidates need 8–12 weeks. This plan assumes 1–2 hours per day.
Incident Response (PICERL) — Domain 4 is 28% of the exam and IR scenarios appear constantly. Know the six phases in order (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned; the SY0-701 objectives split Identification into Detection and Analysis, so expect either wording), know which action belongs in which phase (containment before eradication, legal counsel before public notification), and know the order of volatility for forensics: CPU registers and cache, then RAM and running processes, then network state, then disk, then archival media, so the most volatile evidence is captured first.
Cryptography — Symmetric vs asymmetric, when to use each, which algorithms do what (AES for bulk encryption, RSA and ECC for key exchange and signatures, SHA-2 for hashing), and how TLS combines them: asymmetric operations to authenticate the server and agree a session key, symmetric encryption (AES-GCM) for the data, and hashes inside HMACs and signatures for integrity. Questions appear across all domains; a secure-protocol question is really a cryptography question.
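As an added illustration (this is example code, not from IT Study Hub or CompTIA), here is the hybrid pattern using only Go's standard library: an ephemeral X25519 key exchange gives both sides the same secret without it crossing the wire, a small HMAC-SHA256 extract/expand (a cut-down HKDF, not TLS's real key schedule or labels) turns that secret into an AES-256 key, and AES-GCM protects the records. The names Party, SessionKey, Seal and Open are this example's own. What it deliberately leaves out is the other asymmetric job in TLS, the server signing its key share with its certificate key; without that signature a man-in-the-middle can run this exchange with each side separately, which is exactly why key exchange alone is not enough.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one side's ephemeral X25519 key pair (the asymmetric half).
type Party struct{ priv *ecdh.PrivateKey }

// NewParty generates a fresh key pair, as each TLS 1.3 peer does per handshake.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the key share sent over the wire; it is not secret.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey combines our private key with the peer's public share, then runs a
// minimal HKDF-style extract/expand (HMAC-SHA256) to get a 32-byte AES-256 key.
// Both sides compute the same value. 'transcript' binds the key to the handshake
// messages so a tampered handshake yields a different key. (Example code: the
// label below is invented; TLS uses its own labels and a longer schedule.)
func (p *Party) SessionKey(peerPub, transcript []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	extract := hmac.New(sha256.New, transcript) // PRK = HMAC(salt=transcript, IKM=shared)
	extract.Write(shared)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk) // OKM = HMAC(PRK, label || 0x01), one block
	expand.Write([]byte("example aes-256-gcm key"))
	expand.Write([]byte{1})
	return expand.Sum(nil), nil
}

// Seal encrypts and authenticates one record with AES-256-GCM (the symmetric
// half). A fresh random nonce is returned with the ciphertext; reusing a nonce
// under the same key breaks GCM completely, so never derive it from a counter
// you could reset.
func Seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// Open checks the GCM tag over ciphertext and aad, then decrypts; any change to
// either fails closed instead of returning garbage plaintext.
func Open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: record tampered with or key mismatch")
	}
	return pt, nil
}

func main() {
	client, _ := NewParty()
	server, _ := NewParty()
	// Constructed transcript: hash of both key shares, standing in for TLS's handshake hash.
	th := sha256.Sum256(append(client.PublicBytes(), server.PublicBytes()...))
	ck, _ := client.SessionKey(server.PublicBytes(), th[:])
	sk, _ := server.SessionKey(client.PublicBytes(), th[:])
	fmt.Println("session keys match:", hmac.Equal(ck, sk))
	nonce, ct, _ := Seal(ck, []byte("GET /account HTTP/1.1"), []byte("record 1"))
	pt, err := Open(sk, nonce, ct, []byte("record 1"))
	fmt.Printf("server read %q (err=%v)\n", pt, err)
	ct[0] ^= 0x01 // flip one bit in transit
	_, err = Open(sk, nonce, ct, []byte("record 1"))
	fmt.Println("after tampering:", err)
}
```

Run it with `go run`: the two keys agree, the record round-trips, and the flipped bit produces an authentication error rather than corrupted plaintext. That last behaviour is the difference between "encryption" and "authenticated encryption", and it is what the exam means when it lists AES-GCM as the preferred mode.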
Scenario reading — Security+ questions are long. Practice reading scenario questions efficiently: identify what the question is actually asking (often in the last sentence), eliminate obviously wrong answers, then apply your knowledge. Time management on PBQs is the #1 reason candidates run out of time.
Security+ PBQs on SY0-701 commonly include: network diagram analysis (identify the security flaw in a given topology), log file interpretation (identify the attack type from firewall or SIEM logs), access control configuration (assign the correct permissions given a scenario), and incident response ordering (drag the response steps into the correct PICERL sequence).
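A worked version of the log-interpretation PBQ, added here as an illustration and not part of the original page: a Go program that reads a constructed firewall/VPN log (the format, hostnames and addresses are invented for the example) and labels each source address by the attack pattern it matches, the same judgement the exam asks you to make by eye. It separates a port scan (one source, many denied destination ports) from password spraying (one source, many accounts, one failure each) and from brute force (one source, one account, many failures), and flags when a burst of failures is followed by a success, which is the detail that turns "attack attempted" into "account compromised".

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample log, not from any real device or vendor: firewall verdicts
// and VPN authentication events in a hypothetical syslog-like format.
const sampleLog = `2024-06-01T10:00:01Z fw01 DENY TCP 203.0.113.5:51234 -> 192.0.2.10:21
2024-06-01T10:00:01Z fw01 DENY TCP 203.0.113.5:51235 -> 192.0.2.10:22
2024-06-01T10:00:01Z fw01 DENY TCP 203.0.113.5:51236 -> 192.0.2.10:23
2024-06-01T10:00:02Z fw01 DENY TCP 203.0.113.5:51237 -> 192.0.2.10:25
2024-06-01T10:00:02Z fw01 DENY TCP 203.0.113.5:51238 -> 192.0.2.10:80
2024-06-01T10:00:02Z fw01 DENY TCP 203.0.113.5:51239 -> 192.0.2.10:445
2024-06-01T10:00:03Z fw01 DENY TCP 203.0.113.5:51240 -> 192.0.2.10:3389
2024-06-01T10:00:09Z fw01 ALLOW TCP 198.51.100.20:40001 -> 192.0.2.10:443
2024-06-01T10:05:01Z vpn01 AUTH_FAIL user=alice src=198.51.100.7
2024-06-01T10:05:02Z vpn01 AUTH_FAIL user=bob src=198.51.100.7
2024-06-01T10:05:03Z vpn01 AUTH_FAIL user=carol src=198.51.100.7
2024-06-01T10:05:04Z vpn01 AUTH_FAIL user=dave src=198.51.100.7
2024-06-01T10:05:05Z vpn01 AUTH_FAIL user=erin src=198.51.100.7
2024-06-01T10:07:01Z vpn01 AUTH_FAIL user=admin src=192.0.2.77
2024-06-01T10:07:02Z vpn01 AUTH_FAIL user=admin src=192.0.2.77
2024-06-01T10:07:03Z vpn01 AUTH_FAIL user=admin src=192.0.2.77
2024-06-01T10:07:04Z vpn01 AUTH_FAIL user=admin src=192.0.2.77
2024-06-01T10:07:05Z vpn01 AUTH_FAIL user=admin src=192.0.2.77
2024-06-01T10:07:09Z vpn01 AUTH_OK user=admin src=192.0.2.77
2024-06-01T10:09:00Z vpn01 AUTH_FAIL user=alice src=198.51.100.20
2024-06-01T10:09:05Z vpn01 AUTH_OK user=alice src=198.51.100.20`

var (
	denyRe = regexp.MustCompile(`DENY \S+ (\d+\.\d+\.\d+\.\d+):\d+ -> \d+\.\d+\.\d+\.\d+:(\d+)`)
	authRe = regexp.MustCompile(`(AUTH_FAIL|AUTH_OK) user=(\S+) src=(\S+)`)
)

// perSource is what a SIEM correlation rule would keep for each source address.
type perSource struct {
	deniedPorts  map[string]bool // distinct destination ports denied: scan indicator
	failedUsers  map[string]bool // distinct accounts that failed: spray vs brute-force indicator
	failures     int
	okAfterFails bool // a success following the failures: the attack may have worked
}

// Classify tallies indicators per source and labels the attack pattern each
// source most resembles. Thresholds are tunable; a real SIEM rule would also
// bound them to a time window.
func Classify(log string, scanPorts, failThreshold int) map[string]string {
	stats := map[string]*perSource{}
	get := func(src string) *perSource {
		if s, ok := stats[src]; ok {
			return s
		}
		s := &perSource{deniedPorts: map[string]bool{}, failedUsers: map[string]bool{}}
		stats[src] = s
		return s
	}
	for _, line := range strings.Split(log, "\n") {
		if m := denyRe.FindStringSubmatch(line); m != nil {
			get(m[1]).deniedPorts[m[2]] = true
		} else if m := authRe.FindStringSubmatch(line); m != nil {
			s := get(m[3])
			if m[1] == "AUTH_FAIL" {
				s.failures++
				s.failedUsers[m[2]] = true
			} else if s.failures > 0 {
				s.okAfterFails = true
			}
		}
	}
	verdicts := map[string]string{}
	for src, s := range stats {
		var v string
		switch {
		case len(s.deniedPorts) >= scanPorts:
			v = "port scan (reconnaissance)"
		case s.failures >= failThreshold && len(s.failedUsers) == 1:
			v = "brute force against one account"
		case s.failures >= failThreshold && len(s.failedUsers) >= failThreshold:
			v = "password spraying"
		default:
			continue // one mistyped password or an allowed flow is not an attack
		}
		if s.okAfterFails {
			v += "; login succeeded afterwards, treat as compromised"
		}
		verdicts[src] = v
	}
	return verdicts
}

func main() {
	v := Classify(sampleLog, 5, 5)
	srcs := make([]string, 0, len(v))
	for src := range v {
		srcs = append(srcs, src)
	}
	sort.Strings(srcs)
	for _, src := range srcs {
		fmt.Printf("%-15s %s\n", src, v[src])
	}
}
```

Note what the benign source 198.51.100.20 shows: a single failure followed by a success is a user mistyping a password, and a rule that alerted on "any failure then success" would drown the analyst. The exam's log PBQs reward exactly this kind of reading: count distinct ports, distinct users and failures per source, then match the pattern.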
PBQs appear at the start of the exam and cannot be skipped (you must at least submit an answer before moving on). A common strategy: spend no more than 5 minutes per PBQ, make your best attempt, flag it, then return after finishing the multiple-choice questions if time allows.
See the best courses, practice exams, and books for Security+ SY0-701.
SY0-701 is up to 90 questions in 90 minutes with a passing score of 750 on a 100 to 900 scale. Like Network+, PBQs appear at the start of the exam, in the four formats listed above: log file analysis (identify an attack type from a SIEM or firewall log excerpt), network diagram analysis (identify the security flaw in a described topology), incident response ordering (sequence the correct PICERL steps), and access control configuration (select the correct policy for a described user scenario).
Security+ scenario questions are longer and more complex than A+ or Network+ questions. A question might describe a company's entire security posture across three paragraphs before asking which single control would most effectively address the described risk. Practising reading and extracting the key question from long scenarios is a skill that must be developed through practice, not just content study.
The most commonly cited exam day surprise from candidates: Domain 5 (Security Program Management and Oversight) questions are more frequent and more detailed than expected. Risk calculations (SLE × ARO = ALE, where SLE = asset value × exposure factor), data roles (data owner vs data custodian vs data processor), and regulatory frameworks (GDPR 72-hour breach notification, HIPAA, PCI-DSS scope) appear in scenario form. Know these; they're not background knowledge, they're exam questions.
Candidates with Network+ spend roughly 8 weeks preparing for Security+ at 1–2 hours per day. A practical 4-phase approach: Weeks 1–2 — cover Domain 1 (cryptography, security controls taxonomy, authentication concepts) and Domain 2 (all malware types, social engineering attacks, vulnerability types). These form the vocabulary for the rest of the exam. Weeks 3–4 — cover Domain 3 (cloud security, Zero Trust, network security architecture, secure design) and Domain 4 Part 1 (incident response PICERL, digital forensics, identity and access management). Weeks 5–6 — cover Domain 4 Part 2 (endpoint security, SIEM/SOAR, monitoring) and Domain 5 (risk management, compliance frameworks, data governance, security awareness). Weeks 7–8 — full practice exams (Dion Training), domain-level analysis of weak areas, PBQ-specific drilling, and scenario question reading practice.
Three things to do differently from most candidates: First, study GRC (Domain 5) as seriously as the technical domains. Second, practise identifying attack types from descriptions rather than names — the exam describes the behaviour, you supply the term. Third, track your performance by domain on every practice exam and weight your review time to both domain weight and your personal weakness.
Security+ is the baseline credential for most entry to mid-level cybersecurity roles. It satisfies the US Department of Defense baseline certification requirement (Security+ is an approved IAT Level II certification under DoD 8570.01-M, which DoD Directive 8140 has since superseded), making it a mandatory or preferred credential for many federal government and defence contractor positions. In the private sector, security analyst, SOC analyst, information security specialist, and junior penetration tester roles commonly list Security+ as a preferred or required certification.
Beyond the job requirement signal, Security+ teaches the conceptual foundation for understanding security operations, incident response, risk management, and secure architecture. The knowledge has long-term value because the fundamental principles — defence in depth, least privilege, zero trust, the CIA triad — don't change even as specific technologies do. Security+ is worth studying thoroughly, not just passing.