Security+ is the baseline cybersecurity certification that most employers, government agencies, and defense contractors accept as proof you understand information security fundamentals. The SY0-701 version, released in November 2023 to replace SY0-601, restructured the domains and placed greater emphasis on security operations, automation, and zero trust architecture. If you are studying with SY0-601 materials, you are studying the wrong exam.

What Changed in SY0-701

CompTIA reorganized the exam from six domains to five and shifted the content emphasis significantly. The biggest changes:

  • Domain consolidation. The old "Threats, Attacks, and Vulnerabilities" and "Architecture and Design" domains were restructured into "Threats, Vulnerabilities, and Mitigations" and "Security Architecture."
  • Zero trust architecture is now a first-class topic, not a passing mention. Expect questions about identity verification at every access point, microsegmentation, and policy-driven access control.
  • Security operations got its own domain at 28% of the exam. Incident response, monitoring, alerting, SOAR, and log analysis are now heavily tested.
  • Automation and scripting appear throughout. You will not write code on the exam, but you need to understand how automation applies to security operations, compliance scanning, and incident response workflows.
  • Cloud and hybrid environments are assumed throughout, not treated as a separate specialty topic.

The 5 Domains

1. General Security Concepts (12%)

Foundational concepts: CIA triad, AAA, security controls (technical, administrative, physical), gap analysis, and change management. This domain is the smallest by weight but underpins everything else. If you understand the "why" behind security controls, the other four domains make more sense. Do not skip this or treat it as obvious.

2. Threats, Vulnerabilities, and Mitigations (22%)

Attack types (phishing, social engineering, malware families, application attacks, network attacks), vulnerability types (software, hardware, cloud-specific), and the mitigations that address them. The exam tests your ability to match threats to appropriate countermeasures. A question might describe an attack scenario and ask which control would prevent or detect it. You need to think in terms of attack chains, not individual threats in isolation.

3. Security Architecture (18%)

Network architecture, cloud models (IaaS, PaaS, SaaS security responsibilities), infrastructure concepts (load balancers, reverse proxies, WAFs), and resilience strategies (HA, fault tolerance, backups). Zero trust principles live here. Expect questions about microsegmentation, implicit deny, and continuous verification. The exam assumes you understand that network boundaries no longer define the security perimeter.

4. Security Operations (28%)

The largest domain. Monitoring and alerting (SIEM, SOAR), vulnerability management, incident response procedures, digital forensics basics, and data protection strategies. This domain is where the exam most clearly tests operational thinking rather than theoretical knowledge. You need to know the incident response lifecycle, what to do first when a breach is detected, chain of custody for forensic evidence, and how to prioritize vulnerabilities from scan results.

5. Security Program Management and Oversight (20%)

Governance, risk management, compliance frameworks (NIST, ISO 27001, GDPR, PCI-DSS), security awareness training, and third-party risk management. This domain tests organizational security, not technical implementation. Expect questions about risk assessment methods, policy development, audit processes, and how to evaluate vendor security posture.

Performance-Based Questions (PBQs)

Security+ includes performance-based questions, typically 3 to 5 per exam. PBQs present a simulated environment where you need to perform a task: configure a firewall rule, match threats to mitigations in a drag-and-drop interface, analyze a network diagram, or interpret log output to identify an attack.

PBQs appear at the beginning of the exam. The standard advice, which is correct, is to flag them and move to the multiple-choice questions first. PBQs take significantly more time per question, and you do not want to burn 20 minutes on the first PBQ and then rush through 85 multiple-choice questions. Answer the MCQs, then return to the PBQs with whatever time remains.

To prepare for PBQs, practice in simulated environments whenever possible. Set up a home lab with VirtualBox or use cloud-based labs. Configure firewall rules, read log files, run vulnerability scans. The PBQs test applied skills, and the only way to build applied skills is to apply them.

Study Schedule

Most candidates need 6 to 12 weeks depending on background. Someone with IT help desk or system administration experience is working from a stronger foundation than a career changer. Be honest about your starting point.

  • Weeks 1-2: General Security Concepts and Security Architecture. Build the foundational framework before studying specific threats and operations.
  • Weeks 3-5: Threats, Vulnerabilities, and Mitigations. This is memorization-heavy territory. Learn attack types, malware families, and social engineering techniques. Map each threat to its countermeasure.
  • Weeks 6-8: Security Operations. Incident response procedures, SIEM concepts, vulnerability management lifecycle. This domain benefits from hands-on practice more than any other.
  • Weeks 9-10: Security Program Management. Governance frameworks, risk assessment, compliance requirements. This domain is more reading-intensive than technical.
  • Weeks 11-12: Full-length practice exams under timed conditions. Review every wrong answer. Focus on PBQ practice.

Common Traps

Security+ questions are written to test whether you can distinguish between similar concepts. Some recurring traps:

  • IDS vs. IPS: Detection vs. prevention. An IDS alerts; an IPS blocks. The exam will describe a scenario and ask which to deploy. Read whether the question asks for detection or prevention.
  • Symmetric vs. asymmetric encryption: Speed vs. key distribution. Symmetric is faster (AES for data at rest), asymmetric solves the key exchange problem (RSA/ECDHE for key agreement). Many questions test whether you know when to use which.
  • Authentication factors: Something you know, have, or are. The exam will present scenarios and ask how many factors are involved. A password plus a security question is still only one factor (both are "something you know"). A password plus a hardware token is two factors.
  • "Best" vs. "first" vs. "most important": These qualifiers change the correct answer. "What should you do first" in an incident response scenario is almost always "contain the incident," not "eradicate the threat" or "notify management."
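
The symmetric vs. asymmetric pairing from the trap above, worked through in code as an added example (not from the original article): an ephemeral ECDH agreement on P-256 produces the AES-256-GCM key, and AES-GCM then protects the bulk data. The function names SessionCipher, Seal and Open are my own, and SHA-256 stands in for a proper KDF such as HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// SessionCipher is the ECDHE step. It combines our private key with the peer's
// public key, hashes the shared secret into a 256-bit key (SHA-256 stands in for
// a real KDF such as HKDF) and returns AES-256-GCM keyed with it. Only public
// keys cross the wire, so the symmetric key never has to be distributed.
func SessionCipher(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the fast symmetric step over the bulk data: nonce || ciphertext || tag.
func Seal(a cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails on a wrong key or any tampering with the data.
func Open(a cipher.AEAD, sealed []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed message too short")
	}
	return a.Open(nil, sealed[:n], sealed[n:], nil)
}
```

Each side calls SessionCipher with its own private key and the other side's public key and arrives at the same AEAD; a third party holding only the public keys cannot.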

The Passing Score

You need 750 out of 900 on a scaled score. That is roughly 83%, though the scaling means the raw percentage equivalent varies. This is a high bar, and it means you need strong performance across all five domains. You cannot afford to completely neglect any one domain and expect to pass on the strength of the others.

The exam gives you 90 minutes for a maximum of 90 questions. Time is usually not a problem if you skip PBQs initially and return to them. Budget about 1 minute per MCQ and save the remaining time for PBQs.

TechPrep Security+

3,200+ practice questions covering all 5 SY0-701 domains. Confidence calibration catches the topics where you feel solid but are making mistakes. Spaced repetition keeps port numbers, encryption standards, and attack types locked in.

Anthony C. Perry

M.S. Computer Science, M.S. Kinesiology. Founder of Meridian Labs.