What this objective tests
SY0-701 Security Operations — Key Topics
Security Operations tests your ability to detect, respond to, and recover from real-world security incidents. On the SY0-701 exam it covers incident response (NIST SP 800-61), vulnerability management, SIEM log analysis, data protection, and change management. It is worth 28% of your score — the highest-weighted domain.
- Incident response lifecycle — Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-Incident Activity (NIST SP 800-61). Know the exact order cold.
- Vulnerability management — scan types, CVSS severity scoring, patch prioritisation, and the critical difference between a vulnerability scan and a penetration test.
- Security monitoring — SIEM log correlation, IDS vs IPS placement and behaviour, alert triage, and separating true positives from false positives.
- Identity and access management operations — enforcing MFA, detecting privilege escalation, account lockout policies, and least-privilege principles.
- Data protection — encryption at rest vs in transit, DLP tool placement, data classification schemes, and secure data disposal methods.
- Disaster recovery and business continuity — RTO vs RPO definitions, full/incremental/differential backup strategies, and failover testing.
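As an added worked example (not part of this study guide), the restore chain and achieved RPO for each backup strategy named in the last item, with a constructed weekly schedule and assumed per-set restore times, so RTO and RPO can be checked against them:

```python
from datetime import datetime, timedelta

# Assumed restore time per backup set type, in minutes (constructed values).
RESTORE_MINUTES = {"full": 90, "differential": 30, "incremental": 10}

def backups_taken(full_at, failure_at, interval=timedelta(days=1)):
    """Timestamps of every backup job completed before the failure,
    starting with the weekly full and repeating once per interval."""
    times, t = [], full_at
    while t < failure_at:
        times.append(t)
        t += interval
    return times

def restore_chain(strategy, full_at, failure_at):
    """Return (ordered backup sets to restore, data-loss window).
    full: only the latest job (every job is a full backup).
    differential: the full plus the latest differential (each holds all
      changes since the full). incremental: the full plus every later
      incremental, replayed in order (each holds changes since the prior job).
    Data loss (achieved RPO) = gap from the last completed backup to failure."""
    taken = backups_taken(full_at, failure_at)
    if not taken:
        raise ValueError("failure occurred before the first full backup")
    partials = taken[1:]
    if strategy == "full":
        chain = [("full", taken[-1])]
    elif strategy == "differential":
        chain = [("full", taken[0])] + [("differential", t) for t in partials[-1:]]
    elif strategy == "incremental":
        chain = [("full", taken[0])] + [("incremental", t) for t in partials]
    else:
        raise ValueError(f"unknown strategy: {strategy}")
    return chain, failure_at - taken[-1]

def restore_minutes(chain):
    """Total restore time for a chain, using the assumed per-set durations."""
    return sum(RESTORE_MINUTES[kind] for kind, _ in chain)

def meets_targets(strategy, full_at, failure_at, rto, rpo):
    """(meets RTO, meets RPO): RTO bounds restore time, RPO bounds data loss."""
    chain, loss = restore_chain(strategy, full_at, failure_at)
    return timedelta(minutes=restore_minutes(chain)) <= rto, loss <= rpo

if __name__ == "__main__":
    # Constructed scenario: weekly full Sunday 22:00, daily jobs 22:00, failure Thu 14:00.
    full_at, failure_at = datetime(2024, 6, 2, 22), datetime(2024, 6, 6, 14)
    for s in ("full", "differential", "incremental"):
        chain, loss = restore_chain(s, full_at, failure_at)
        print(f"{s}: {len(chain)} sets, {restore_minutes(chain)} min, loss {loss}")
```

Note that the data-loss window is the same 16 hours for all three strategies: the strategy changes how many sets must be restored (and so the RTO), while the RPO is set by how often the jobs run.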