How to Pass CompTIA Security+ (SY0-701)
5-domain breakdown, 8-week plan, and how to handle performance-based questions
Security+ is the most widely held entry-level security certification globally, required for DoD 8570 compliance and listed as a baseline requirement for thousands of cybersecurity roles. The SY0-701 exam is harder than its predecessor — more scenario-based, heavier on cloud and hybrid environments, and now includes performance-based questions (PBQs). This guide covers how to approach it efficiently.
Understand the five SY0-701 domains
SY0-701 reorganised the domain structure compared to SY0-601. Know where to allocate study time.
Domain 1: General Security Concepts — 12%
Domain 2: Threats, Vulnerabilities & Mitigations — 22% ← second-heaviest
Domain 3: Security Architecture — 18%
Domain 4: Security Operations — 28% ← heaviest
Domain 5: Security Program Management & Oversight — 20%
Focus: Domains 2 and 4 together = 50% of the exam.
Domain 2 = attack types, vulnerability scanning, threat intelligence.
Domain 4 = incident response, digital forensics, identity management, endpoint security.
Master Domain 2 — threats and attack types
Domain 2 is the most content-heavy domain. You need to know attack types, threat actors, and vulnerability management in detail.
Social engineering attacks (know them all):
- Phishing (bulk email)
- Spear phishing (targeted individual)
- Whaling (targeting executives)
- Vishing (voice)
- Smishing (SMS)
- Business Email Compromise (BEC)
- Pretexting
- Baiting
- Tailgating / Piggybacking
Network attacks:
- On-path (MITM) attack: intercepts traffic between two parties
- DDoS: volumetric, protocol, application layer types
- DNS poisoning / spoofing: redirects DNS lookups
- ARP poisoning: associates attacker MAC with legitimate IP
- Replay attack: captures and retransmits valid authentication data
Application attacks:
- SQL injection: ' OR '1'='1 — manipulates database queries
- XSS (Cross-Site Scripting): injects scripts into web pages seen by other users
- CSRF: tricks authenticated user into making unintended requests
- Buffer overflow: writes beyond allocated memory, can execute arbitrary code
- Directory traversal: ../../etc/passwd — accesses files outside web root
Social engineering is always the #1 attack vector on Security+ exams. Know the difference between phishing (bulk email), spear phishing (targeted individual), whaling (targeting executives), and vishing (voice calls).
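Two of the application attacks listed above (the ' OR '1'='1 payload and ../../etc/passwd) are easier to remember once you have seen why the vulnerable code breaks and what the fix looks like. The Python below is an added example written for this guide, not code from the page or from CompTIA; the in-memory user table, the web root /srv/example-webroot and the function names are constructed for the demonstration.

```python
import posixpath
import sqlite3

# Constructed in-memory user table; stands in for a real application database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Binds the input as a parameter: it is only ever compared as a value."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Assumed web root for the traversal check (constructed path, not a real server).
WEB_ROOT = "/srv/example-webroot"


def resolve_under_root(root, requested):
    """Map a requested path onto the web root; return None if it escapes the root.

    posixpath (rather than os.path) keeps the check a pure string normalisation,
    so the result does not depend on what exists on the local filesystem.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))        # every user returned
    print("parameterized:", lookup_parameterized(db, payload))  # no match
    for path in ("css/site.css", "../../etc/passwd"):
        print(path, "->", resolve_under_root(WEB_ROOT, path))
```

With the payload, the concatenated query becomes `WHERE username = '' OR '1'='1'`, which is true for every row; the parameterized version compares the whole payload string as a username and finds nothing. The traversal check works the same way a web server should: normalise first, then confirm the result still sits under the root.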
Understand Domain 4 — security operations
Domain 4 covers the day-to-day work of a security practitioner — incident response, digital forensics, identity, and endpoint security.
Incident Response Phases (memorise this order):
1. Preparation
2. Detection & Analysis (Identification)
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned (Post-Incident Activity)
Key identity and access concepts:
- MFA factors: Something you know, have, are (+ location, something you do)
- Privileged Access Management (PAM): controls elevated account access
- Zero Trust: "never trust, always verify" — no implicit trust based on network location
- Least privilege: minimum access needed to do the job
- Separation of duties: no single person can complete a sensitive process alone
Endpoint security:
- EDR (Endpoint Detection & Response): monitors + responds to threats on endpoints
- AV vs EDR: AV = signature-based, EDR = behavioural + threat hunting capability
- FDE (Full Disk Encryption): encrypts entire disk (BitLocker, FileVault)
Handle performance-based questions (PBQs)
PBQs are interactive questions at the start of the exam — drag-and-drop, click-on-diagram, or command-line simulations. They take longer than multiple-choice questions.
PBQ types on SY0-701:
- Order the incident response steps correctly
- Match attack types to descriptions (drag-and-drop)
- Identify which ports/protocols are used (firewall rule scenarios)
- Configure a firewall rule (allow/deny specific traffic)
- Read a vulnerability scan output and identify findings
- Classify data based on sensitivity level
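The firewall-rule and ports/protocols PBQs above both come down to one skill: reading an ordered rule list with first-match semantics and an implicit deny at the end. The Python below is an added example written for this guide, not CompTIA's PBQ engine or code from the page; the rule set, the addresses (taken from the RFC 5737 documentation ranges) and the function names are constructed. It goes a little beyond the PBQ itself by also flagging rules that an earlier, broader rule makes unreachable, which is the ordering mistake these questions are designed to catch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Union

ANY = "any"


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp", "icmp" or "any"
    src: str                 # IPv4 CIDR or "any"
    dst: str                 # IPv4 CIDR or "any"
    port: Union[int, str]    # destination port, or "any"


def _net(cidr):
    # "any" is modelled as the whole IPv4 space (example assumes IPv4 only).
    return ipaddress.ip_network("0.0.0.0/0" if cidr == ANY else cidr, strict=False)


def matches(rule, proto, src_ip, dst_ip, dport):
    return (
        (rule.proto == ANY or rule.proto == proto)
        and ipaddress.ip_address(src_ip) in _net(rule.src)
        and ipaddress.ip_address(dst_ip) in _net(rule.dst)
        and (rule.port == ANY or rule.port == dport)
    )


def evaluate(rules, proto, src_ip, dst_ip, dport):
    """First matching rule wins; no match at all means implicit deny."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule fully covers them."""
    unreachable = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (
                (earlier.proto == ANY or earlier.proto == later.proto)
                and _net(later.src).subnet_of(_net(earlier.src))
                and _net(later.dst).subnet_of(_net(earlier.dst))
                and (earlier.port == ANY or earlier.port == later.port)
            ):
                unreachable.append(j)
                break
    return unreachable


# Constructed scenario: one public web server (203.0.113.10) and an admin LAN.
RULES = [
    Rule("allow", "tcp", ANY, "203.0.113.10/32", 443),            # HTTPS from anywhere
    Rule("allow", "tcp", "10.10.0.0/24", "203.0.113.10/32", 22),  # SSH only from admin LAN
    Rule("deny", ANY, ANY, ANY, ANY),                             # explicit deny-all
]

# Same rules with the deny-all moved to the top: both allows become unreachable.
MISORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    for packet in [("tcp", "198.51.100.7", "203.0.113.10", 443),
                   ("tcp", "198.51.100.7", "203.0.113.10", 22),
                   ("tcp", "10.10.0.5", "203.0.113.10", 22)]:
        print(packet, "->", evaluate(RULES, *packet))
    print("shadowed in RULES:", shadowed(RULES))
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

When you work a firewall PBQ, walk each sample packet down the list exactly as `evaluate` does and stop at the first hit; if you reach the end, the answer is deny even when no rule says so. The `shadowed` check is the same reasoning applied to the rule list itself: a rule below a broader one that matches the same traffic is dead weight, and on the exam that usually means the rule order is the thing being tested.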
Strategy:
1. Skip PBQs initially if they feel time-consuming — flag and return
2. Each PBQ is worth more points than a standard question
3. Partial credit is given for PBQs — attempt every one, even if uncertain
4. Most PBQs reward process knowledge (incident response order) over memorisation
Do NOT skip PBQs entirely. They are worth more points than standard questions and partial credit is awarded. Even getting 2/4 drag-and-drop items correct earns partial marks. The biggest mistake is leaving PBQs blank.
Build an 8-week study plan
Security+ requires more study time than Cloud Practitioner — plan for 6–10 weeks if you have no security background.
Weeks 1-2: Domain 1 + General Security Concepts
- Cryptography (symmetric vs asymmetric, hashing, PKI, certificates)
- Authentication protocols (RADIUS, TACACS+, Kerberos, LDAP)
- Security controls (technical, administrative, physical; preventive, detective, corrective)
Weeks 3-4: Domain 2 — Threats & Vulnerabilities
- All attack types (social engineering, network, application, physical)
- Vulnerability scanning vs penetration testing
- Threat intelligence feeds, IOCs, TTPs, MITRE ATT&CK
Weeks 5-6: Domain 3 + 4 — Architecture + Operations
- Network architecture (DMZ, segmentation, Zero Trust)
- Cloud security (shared responsibility, CASB, CSPM)
- Incident response process (all 6 phases)
- Digital forensics (chain of custody, acquisition order)
Weeks 7-8: Domain 5 + Full Practice Exams
- GRC: frameworks (NIST CSF, ISO 27001, SOC 2, PCI DSS, HIPAA)
- Risk assessment and management
- 4× full practice exams, review wrong answers daily
Key tips
Memorise the 6 incident response phases in order — they appear on almost every Security+ exam in some form, usually as a 'what should you do FIRST' question.
Know the difference between vulnerability assessment (passive, finds weaknesses) and penetration testing (active, exploits them). Security+ tests this distinction repeatedly.
PKI and certificate concepts are heavily tested: CA, intermediate CA, certificate chain of trust, CRL vs OCSP, self-signed certificates.
Zero Trust is a major topic on SY0-701 — know that it means 'never trust, always verify' regardless of network location, and that it relies on micro-segmentation and strong identity verification.
For PBQs: practice with the CompTIA CertMaster Labs environment or TryHackMe rooms if you want to build command-line confidence before exam day.
Frequently asked questions
How many questions are on Security+ SY0-701?
Maximum 90 questions in 90 minutes. This includes up to 5 PBQs. The actual question count can be lower — some candidates report 75-80 questions. Passing score is 750/1000.
Is Security+ harder than Network+?
Yes — Security+ covers more content, has harder scenario questions, and includes PBQs. Most candidates with Network+ find Security+ requires 4–6 more weeks of dedicated study. Without Network+, plan for 10–12 weeks from scratch.
What is the DoD 8570 / DoD 8140 baseline?
DoD Directive 8570 (now 8140) requires all US Department of Defense personnel who access classified systems to hold specific certifications by role and privilege level. Security+ meets IAT Level II (Information Assurance Technician), making it a mandatory baseline for a large number of US government and defence contractor roles.
Related glossary terms
Dynamic route
A route that is automatically learned and updated by a router using a routing protocol, rather than being manually configured.
Security pillar
The Security pillar is a set of best practices for designing and operating cloud systems that protect data, systems, and assets through confidentiality, integrity, and availability controls.
Public IP address
A globally unique IP address assigned to a device that allows it to communicate directly over the internet.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is a flexible authentication framework used in network access control, particularly in wireless and point-to-point connections, that supports multiple authentication methods without requiring changes to the underlying protocol.
Risk acceptance
Risk acceptance is a risk management strategy where an organization acknowledges a potential risk but decides to tolerate it without taking active measures to reduce or eliminate it.
Security strategy
A security strategy is a high-level plan that outlines how an organization protects its information assets, aligns security with business goals, and manages risk over time.