Intermediate · Exam Strategy · 8 min read

How to Pass CompTIA Security+ (SY0-701)

5-domain breakdown, 8-week plan, and how to handle performance-based questions

Security+ is the most widely held entry-level security certification globally, required for DoD 8570 compliance and listed as a baseline requirement for thousands of cybersecurity roles. The SY0-701 exam is harder than its predecessor — more scenario-based, heavier on cloud and hybrid environments, and now includes performance-based questions (PBQs). This guide covers how to approach it efficiently.

1. Understand the five SY0-701 domains

SY0-701 reorganised the domain structure compared to SY0-601. Know where to allocate study time.

SY0-701 domain weights
Domain 1: General Security Concepts                — 12%
Domain 2: Threats, Vulnerabilities & Mitigations   — 22% ← second heaviest
Domain 3: Security Architecture                    — 18%
Domain 4: Security Operations                      — 28% ← heaviest
Domain 5: Security Program Management & Oversight  — 20%

Focus: Domains 2 and 4 together = 50% of the exam.
Domain 2 = attack types, vulnerability scanning, threat intelligence.
Domain 4 = incident response, digital forensics, identity management, endpoint security.

2. Master Domain 2 — threats and attack types

Domain 2 is the most content-heavy domain. You need to know attack types, threat actors, and vulnerability management in detail.

Key attack types for Domain 2
Social engineering attacks (know them all):
Phishing, Spear phishing, Whaling, Vishing (voice), Smishing (SMS),
Business Email Compromise (BEC), Pretexting, Baiting, Tailgating/Piggybacking

Network attacks:
- On-path (MITM) attack: intercepts traffic between two parties
- DDoS: volumetric, protocol, application layer types
- DNS poisoning / spoofing: redirects DNS lookups
- ARP poisoning: associates attacker MAC with legitimate IP
- Replay attack: captures and retransmits valid authentication data

Application attacks:
- SQL injection: ' OR '1'='1 — manipulates database queries
- XSS (Cross-Site Scripting): injects scripts into web pages seen by other users
- CSRF: tricks authenticated user into making unintended requests
- Buffer overflow: writes beyond allocated memory, can execute arbitrary code
- Directory traversal: ../../etc/passwd — accesses files outside web root

Social engineering is always the #1 attack vector on Security+ exams. Know the difference between phishing (bulk email), spear phishing (targeted individual), whaling (targeting executives), and vishing (voice calls).

3. Understand Domain 4 — security operations

Domain 4 covers the day-to-day work of a security practitioner — incident response, digital forensics, identity, and endpoint security.

Domain 4 key concepts
Incident Response Phases (memorise this order):
1. Preparation
2. Detection & Analysis (Identification)
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned (Post-Incident Activity)

Key identity and access concepts:
- MFA factors: Something you know, have, are (+ location, something you do)
- Privileged Access Management (PAM): controls elevated account access
- Zero Trust: "never trust, always verify" — no implicit trust based on network location
- Least privilege: minimum access needed to do the job
- Separation of duties: no single person can complete a sensitive process alone

Endpoint security:
- EDR (Endpoint Detection & Response): monitors + responds to threats on endpoints
- AV vs EDR: AV = signature-based, EDR = behavioural + threat hunting capability
- FDE (Full Disk Encryption): encrypts entire disk (BitLocker, FileVault)

4. Handle performance-based questions (PBQs)

PBQs are interactive questions at the start of the exam — drag-and-drop, click-on-diagram, or command-line simulations. They take longer than multiple-choice questions.

PBQ strategy
PBQ types on SY0-701:
- Order the incident response steps correctly
- Match attack types to descriptions (drag-and-drop)
- Identify which ports/protocols are used (firewall rule scenarios)
- Configure a firewall rule (allow/deny specific traffic)
- Read a vulnerability scan output and identify findings
- Classify data based on sensitivity level

Strategy:
1. Skip PBQs initially if they feel time-consuming — flag and return
2. Each PBQ is worth more points than a standard question
3. Partial credit is given for PBQs — attempt every one, even if uncertain
4. Most PBQs reward process knowledge (incident response order) over memorisation
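The firewall-rule PBQs listed above turn on two ideas: rules are evaluated top to bottom and the first match wins, and anything that matches nothing falls through to an implicit deny. The following is an added example, not part of the original guide: a small rule evaluator over a constructed rule set (the subnets, ports and rule order are assumptions), including a second rule set where a broad allow placed above an explicit deny shadows it, which is the ordering mistake these questions usually probe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port; None matches any port

# Constructed rule set for the example (not from the page). Rules are
# evaluated in order; the list ends with an implicit deny.
RULES: List[Rule] = [
    Rule("allow", "tcp", "any",         "10.0.0.0/24",  443),  # HTTPS to web tier
    Rule("allow", "udp", "10.0.0.0/24", "10.0.1.53/32", 53),   # DNS to internal resolver
    Rule("deny",  "tcp", "any",         "10.0.0.0/24",  23),   # explicit deny: Telnet
    Rule("allow", "tcp", "10.0.2.0/24", "10.0.0.0/24",  22),   # SSH from admin subnet only
]

# Same intent, wrong order: the broad allow on line 0 matches Telnet first,
# so the explicit deny beneath it is never reached (it is "shadowed").
SHADOWED_RULES: List[Rule] = [
    Rule("allow", "tcp", "any", "10.0.0.0/24", None),
    Rule("deny",  "tcp", "any", "10.0.0.0/24", 23),
]

def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern)

def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); index None means implicit deny."""
    for idx, rule in enumerate(rules):
        if rule.proto not in ("any", proto):
            continue
        if not _addr_matches(rule.src, src) or not _addr_matches(rule.dst, dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, idx          # first match wins
    return "deny", None                   # nothing matched: implicit deny

def find_shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule
    with a different action already covers everything they would match.
    Checks only the straightforward case of a broader earlier rule."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            proto_ok = earlier.proto in ("any", later.proto)
            src_ok = earlier.src == "any" or (
                later.src != "any" and ip_network(later.src).subnet_of(ip_network(earlier.src)))
            dst_ok = earlier.dst == "any" or (
                later.dst != "any" and ip_network(later.dst).subnet_of(ip_network(earlier.dst)))
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if proto_ok and src_ok and dst_ok and port_ok and earlier.action != later.action:
                shadowed.append(j)
                break
    return shadowed

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "198.51.100.7", "10.0.0.10", 443))   # ('allow', 0)
    print(evaluate(RULES, "tcp", "198.51.100.7", "10.0.0.10", 22))    # ('deny', None)
    print(evaluate(RULES, "tcp", "10.0.2.5",     "10.0.0.10", 23))    # ('deny', 2)
    print(evaluate(SHADOWED_RULES, "tcp", "10.0.2.5", "10.0.0.10", 23))  # ('allow', 0)
    print("shadowed rule indexes:", find_shadowed(SHADOWED_RULES))    # [1]
```

When working a rule-ordering PBQ, trace each test packet down the list exactly as `evaluate` does and stop at the first hit; if the intended deny sits below a wider allow, it is dead, and the fix is to move the specific deny above the general allow.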

Do NOT skip PBQs entirely. They are worth more points than standard questions and partial credit is awarded. Even getting 2/4 drag-and-drop items correct earns partial marks. The biggest mistake is leaving PBQs blank.

5. Build an 8-week study plan

Security+ requires more study time than Cloud Practitioner — plan for 6–10 weeks if you have no security background.

8-week study plan
Weeks 1-2: Domain 1 + General Security Concepts
- Cryptography (symmetric vs asymmetric, hashing, PKI, certificates)
- Authentication protocols (RADIUS, TACACS+, Kerberos, LDAP)
- Security controls (technical, administrative, physical; preventive, detective, corrective)

Weeks 3-4: Domain 2 — Threats & Vulnerabilities
- All attack types (social engineering, network, application, physical)
- Vulnerability scanning vs penetration testing
- Threat intelligence feeds, IOCs, TTPs, MITRE ATT&CK

Weeks 5-6: Domain 3 + 4 — Architecture + Operations
- Network architecture (DMZ, segmentation, Zero Trust)
- Cloud security (shared responsibility, CASB, CSPM)
- Incident response process (all 6 phases)
- Digital forensics (chain of custody, acquisition order)

Weeks 7-8: Domain 5 + Full Practice Exams
- GRC: frameworks (NIST CSF, ISO 27001, SOC 2, PCI DSS, HIPAA)
- Risk assessment and management
- 4× full practice exams, review wrong answers daily

Key tips

  • Memorise the 6 incident response phases in order — they appear on almost every Security+ exam in some form, usually as a 'what should you do FIRST' question.

  • Know the difference between vulnerability assessment (passive, finds weaknesses) and penetration testing (active, exploits them). Security+ tests this distinction repeatedly.

  • PKI and certificate concepts are heavily tested: CA, intermediate CA, certificate chain of trust, CRL vs OCSP, self-signed certificates.

  • Zero Trust is a major topic on SY0-701 — know that it means 'never trust, always verify' regardless of network location, and that it relies on micro-segmentation and strong identity verification.

  • For PBQs: practice with the CompTIA CertMaster Labs environment or TryHackMe rooms if you want to build command-line confidence before exam day.

Frequently asked questions

How many questions are on Security+ SY0-701?

Maximum 90 questions in 90 minutes. This includes up to 5 PBQs. The actual question count can be lower — some candidates report 75-80 questions. Passing score is 750/1000.

Is Security+ harder than Network+?

Yes — Security+ covers more content, has harder scenario questions, and includes PBQs. Most candidates with Network+ find Security+ requires 4–6 more weeks of dedicated study. Without Network+, plan for 10–12 weeks from scratch.

What is the DoD 8570 / DoD 8140 baseline?

DoD Directive 8570 (now 8140) requires all US Department of Defense personnel who access classified systems to hold specific certifications by role and privilege level. Security+ meets IAT Level II (Information Assurance Technician), making it a mandatory baseline for a large number of US government and defence contractor roles.
