The Security+ exam looks deceptively friendly on paper. Five domains, around 90 questions, a scaled passing score of 750 out of 900, and 90 minutes of clock time. Candidates walk in confident because they have memorized port numbers and can recite the CIA triad in their sleep. They walk out shocked when the score report shows a 698.
The reason is structural. The SY0-701 blueprint published by CompTIA in November 2023 redistributed weight in ways that punish rote memorization. The exam writers assume candidates can already recall facts; what they probe is whether candidates can apply concepts to Security Operations scenarios under time pressure. That single shift — from recall to application — explains roughly seventy percent of failures.
This article breaks the exam down domain by domain, identifies the failure modes inside each, and shows where to invest the marginal study hour for the largest score gain.
The SY0-701 Blueprint at a Glance
CompTIA published the new SY0-701 objectives on 7 November 2023 and retired SY0-601 on 31 July 2024. The five domains are not equal in weight or difficulty.
| Domain | Title | Weight |
|---|---|---|
| 1.0 | General Security Concepts | 12% |
| 2.0 | Threats, Vulnerabilities, and Mitigations | 22% |
| 3.0 | Security Architecture | 18% |
| 4.0 | Security Operations | 28% |
| 5.0 | Security Program Management and Oversight | 20% |
Two observations matter. First, Security Operations at 28% is now the largest domain, up from 24% on SY0-601. Second, governance content (Domain 5) holds steady at twenty percent — a domain many candidates cram for the night before because it feels boring.
"We rebalanced 701 because hiring managers told us their entry-level analysts cannot triage an alert. They can name attacks, but they cannot work a ticket. The new exam reflects that gap." -- Patrick Lane, Director of Certification at CompTIA
Candidates who score below 750 almost always lose points in Domain 4 first and Domain 2 second. Those two domains carry half the exam.
Domain 1: General Security Concepts (12%)
This is the warmup. It covers the CIA triad, AAA framework, change management, cryptography fundamentals, and zero-trust architecture pillars. The trap is that it feels easy, so candidates skip it during review and lose two or three questions to small wording differences.
Non-repudiation -- the security property that prevents a sender from credibly denying that they sent a message, typically achieved through digital signatures backed by asymmetric cryptography.
Gap analysis -- the comparison of an organization's current security posture against a target framework to identify control deficiencies, usually done before launching a remediation roadmap.
Where Candidates Fail Here
The cryptography questions in Domain 1 lean conceptual. Expect to see scenarios like "a developer wants to verify file integrity after download — which property does a hash provide?" The answer is integrity, not confidentiality, but candidates who are tired or rushing often select confidentiality because hashing feels secure.
Practical fix: drill the four properties — confidentiality, integrity, availability, non-repudiation — against twenty different scenarios. The book CompTIA Security+ Get Certified Get Ahead SY0-701 Study Guide by Darril Gibson has a clean drill set.
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
This domain is the second-largest and the second-highest source of point loss. It covers threat actors, attack vectors, vulnerability types, indicators of compromise, and mitigation techniques.
The tricky part is that CompTIA tests three layers simultaneously:
- Can you identify the attack from a description?
- Do you know the indicator of compromise it leaves behind?
- Can you select the correct mitigation from four plausible options?
A single question often hits all three. Example: a SOC analyst sees outbound DNS queries to TXT records containing base64-encoded data at unusual intervals. The exam expects you to identify DNS tunneling (attack), recognize the C2 traffic pattern (IoC), and choose DNS filtering with egress allow-listing (mitigation) from a list that includes WAF tuning and certificate pinning as distractors.
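As an added illustration of the scenario above (example code written for this article, not from CompTIA or the exam), here is a small Python detector for the indicator described: regularly spaced outbound TXT queries whose leftmost label is base64-shaped. The query-log format and the `c2.evil-example.test` domain are constructed assumptions.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample query log, "<timestamp> <client_ip> <qtype> <qname>" (assumed format).
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 A www.example.com
2024-03-01T10:00:07 10.0.0.9 TXT aGVsbG8gd29ybGQgZnJvbSBob3N0.c2.evil-example.test
2024-03-01T10:01:07 10.0.0.9 TXT c2VuZGluZyBtb3JlIGRhdGEgbm93.c2.evil-example.test
2024-03-01T10:02:08 10.0.0.9 TXT ZXhmaWwgY2h1bmsgdGhyZWUh.c2.evil-example.test
2024-03-01T10:03:07 10.0.0.9 TXT YW5vdGhlciBjaHVuayBvZiBkYXRh.c2.evil-example.test
2024-03-01T10:05:30 10.0.0.5 TXT example.com
"""

B64_LABEL = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_base64(label: str) -> bool:
    """True if a DNS label is long, base64-shaped and actually decodes."""
    if not B64_LABEL.match(label) or len(label) % 4:
        return False
    try:
        base64.b64decode(label, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def find_dns_tunneling(log_text: str, min_queries: int = 3, max_jitter_s: float = 5.0) -> list:
    """Flag clients sending regularly spaced TXT queries with base64-like labels to one domain."""
    seen = defaultdict(list)  # (client, parent domain) -> query timestamps in log order
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        ts, client, _, qname = parts
        first, _, parent = qname.partition(".")
        if parent and looks_base64(first):
            seen[(client, parent)].append(datetime.fromisoformat(ts))
    findings = []
    for (client, parent), times in seen.items():
        if len(times) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Beaconing shows up as a low spread between consecutive query gaps.
        if statistics.pstdev(gaps) <= max_jitter_s:
            findings.append({"client": client, "domain": parent, "queries": len(times), "mean_interval_s": statistics.mean(gaps)})
    return findings
```

On the sample log, `find_dns_tunneling(SAMPLE_LOG)` returns one finding for 10.0.0.9 (four queries, about 60 seconds apart), while the ordinary TXT lookup from 10.0.0.5 is ignored.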
High-Frequency Attack Topics
Business email compromise -- impersonation of executives or vendors to redirect payments, often combined with mailbox forwarding rules and lookalike domains.
Supply chain attacks -- compromise of an upstream vendor or open-source dependency to reach downstream targets, as seen in the SolarWinds Orion incident in 2020.
Indicator artifact knowledge -- recognizing log patterns, registry keys, scheduled tasks, and network beacons that indicate specific malware families.
The Microsoft Digital Defense Report consistently ranks business email compromise above ransomware in dollar losses, and CompTIA mirrors that emphasis in SY0-701 question distribution. CrowdStrike's annual Global Threat Report is a useful supplementary read because the exam draws scenario flavor from real campaigns.
Domain 3: Security Architecture (18%)
Architecture is where the exam shifts from "what is this?" to "how would you build this?". Topics include cloud responsibility models, on-prem vs hybrid trade-offs, infrastructure considerations like SASE and SD-WAN, and data protection through encryption, masking, and tokenization.
"Architecture questions are the leading indicator of whether a candidate has worked in production. Bookworms can pass Domain 1; only practitioners pass Domain 3 cleanly." -- James Stanger, Chief Technology Evangelist at CompTIA
Cloud shared-responsibility questions trip up candidates who memorized AWS without understanding the model. The exam is vendor-neutral, so questions reference IaaS, PaaS, and SaaS — not specific products. A typical scenario: "Your organization moves a workload from IaaS to SaaS. Which security responsibility shifts entirely to the provider?" Patch management of the underlying OS is the cleanest answer; identity, data classification, and access governance remain with the customer.
Practice translating the AWS, Azure, and Google Cloud responsibility matrices into vendor-neutral language. The Cloud Security Alliance Cloud Controls Matrix is the canonical reference.
Domain 4: Security Operations (28%)
This is the largest domain and the leading source of failure. It covers vulnerability management, monitoring, log analysis, incident response, digital forensics, and identity and access management operations.
Why Candidates Lose Here
Three failure modes account for most missed points:
Log interpretation under time pressure: questions show a log snippet — Windows event 4625, a Linux auth.log line, a firewall deny rule — and ask what happened. Candidates who never opened a real log struggle to parse syntax fast enough.
Incident response phase ordering: CompTIA uses NIST SP 800-61 phases — preparation, detection and analysis, containment, eradication and recovery, post-incident activity. Questions ask which phase a specific action belongs to, and the distractors are adjacent phases.
IAM scenario nuance: the exam distinguishes between authentication, authorization, and accounting in scenarios where a user successfully logs in but cannot access a resource. The correct diagnosis is an authorization failure, not authentication, but candidates fixate on the login screen.
The fix is hands-on practice. Set up a free Splunk developer license, ingest sample Windows Security logs from the SwiftOnSecurity sysmon-modular repository, and write five queries. That single weekend project converts Domain 4 from your worst domain to your best.
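To show the log-interpretation skill described above in code (an added example, not from the article, CompTIA or any vendor), here is a Python normaliser that reads the three snippet styles named, a Linux auth.log line, a Windows event 4625 flattened to key=value form, and a firewall deny line, extracts the facts a question would ask about, and counts failures per source address. All sample lines and their exact formats are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the three snippet styles the text names (formats assumed).
SAMPLE_LINES = [
    "Mar  1 10:00:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  1 10:00:04 web01 sshd[1236]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Mar  1 10:00:09 web01 sshd[1240]: Accepted publickey for deploy from 10.0.0.8 port 40022 ssh2",
    "2024-03-01T10:00:12 host=dc01 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7 LogonType=3 Status=0xC000006D",
    "2024-03-01T10:00:15 fw01 DENY TCP 203.0.113.7:51260 -> 10.0.0.20:3389",
]

# Each pattern captures the source address plus the details an exam question would ask about.
PATTERNS = {
    "ssh_auth_failure": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "ssh_auth_success": re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"),
    "windows_logon_failure": re.compile(r"EventID=4625 .*TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+) LogonType=(?P<logon_type>\d+)"),
    "firewall_deny": re.compile(r"\bDENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"),
}
# Windows logon type codes that 4625 questions most often hinge on.
WINDOWS_LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive (RDP)"}


def parse_event(line: str):
    """Normalise one raw log line into (kind, source address, details), or None if unrecognised."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            details = m.groupdict()
            if "logon_type" in details:
                details["logon_type"] = WINDOWS_LOGON_TYPES.get(details["logon_type"], details["logon_type"])
            return kind, details.pop("src"), details
    return None


def failures_by_source(lines, threshold: int = 3) -> dict:
    """Count failed logons and firewall denies per source; return sources at or above threshold."""
    counts = Counter()
    for line in lines:
        parsed = parse_event(line)
        if parsed and parsed[0] != "ssh_auth_success":
            counts[parsed[1]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Across the five sample lines, 203.0.113.7 accounts for two SSH failures, one Windows network-logon failure and one denied RDP attempt, so `failures_by_source(SAMPLE_LINES)` flags it with a count of four.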
| Subdomain | Approximate Weight Within Domain 4 | Common Failure |
|---|---|---|
| Vulnerability management | 5% of total exam | Confusing CVSS base vs temporal scores |
| Log monitoring and SIEM | 7% of total exam | Misreading raw log syntax |
| Incident response | 8% of total exam | Wrong NIST phase selection |
| Identity and access | 5% of total exam | Conflating authn and authz |
| Automation and orchestration | 3% of total exam | Overlooking SOAR vs SIEM scope |
Domain 5: Security Program Management and Oversight (20%)
This domain looks unglamorous and is the third-largest. It covers governance, risk management, third-party risk, compliance, audit and assessment, and security awareness.
The exam writers love this domain because the answers depend on definitions that are stable and well-documented in standards like ISO 27001, NIST CSF 2.0, and PCI DSS 4.0. Candidates who skim governance lose easy points to candidates who memorize precise definitions.
Risk register -- a documented list of identified risks with owner, likelihood, impact, current control state, and treatment plan, maintained as a living artifact rather than a one-time deliverable.
Risk appetite -- the aggregate level of risk an organization is willing to accept in pursuit of its objectives, expressed qualitatively (low/medium/high) or as quantitative thresholds.
Real-World Anchor
The Equifax 2017 breach is the case study CompTIA implicitly references in third-party and patch management questions. Equifax failed to apply an Apache Struts patch (CVE-2017-5638) within its own service-level window, exposing 147 million records. Questions about patch SLAs, vulnerability prioritization, and accountability have flavor lifted directly from the post-incident reports.
The Target 2013 breach, where attackers entered through HVAC vendor Fazio Mechanical, anchors the third-party risk and segmentation questions. Knowing one named breach per topic is more valuable than memorizing forty acronyms.
Where to Invest the Marginal Study Hour
If you have one extra hour before exam day, spend it here in priority order:
- One hour of log analysis practice (Domain 4)
- Thirty minutes drilling NIST 800-61 incident phases (Domain 4)
- Thirty minutes on cloud shared-responsibility scenarios (Domain 3)
- Twenty minutes on indicator-of-compromise to attack mapping (Domain 2)
- Ten minutes on risk register vs risk appetite vocabulary (Domain 5)
Skip more port memorization. Skip more cipher acronyms. Both yield diminishing returns past week two.
"The candidates who pass with 850+ are not the ones who studied longer. They are the ones who studied the right twenty percent of the blueprint that drives sixty percent of the questions." -- Daniel Lachance, author and CompTIA SME
A Realistic Six-Week Study Plan Mapped to Domain Weights
Most candidates over-invest in the first two weeks on Domain 1 fundamentals because they feel comfortable, then run out of time before reaching Domain 4 depth. A weight-aligned plan inverts this.
Week 1 -- Domain 1 in three days, Domain 5 governance vocabulary in two. Read the NIST Cybersecurity Framework 2.0 core functions once end-to-end and write a one-page summary of each function in your own words. Target two hours per evening.
Week 2 -- Domain 2 threats and vulnerabilities. Pair each attack type with one indicator and one mitigation in flashcards. Watch the Professor Messer video series for SY0-701 Domain 2 in full and pause at every scenario question to answer aloud before he reveals the answer.
Week 3 -- Domain 3 architecture. Build a hand-drawn diagram of a hypothetical SaaS company with on-prem AD, hybrid cloud, a CDN, and a remote workforce. Annotate every trust boundary, every encryption-in-transit and at-rest decision, and every IAM gateway. This single artifact answers about thirty potential exam questions.
Week 4 and 5 -- Domain 4 Security Operations. Spend two evenings on Splunk Free, two on a free OSSEC or Wazuh install, two on tabletop incident response walkthroughs. The SANS Incident Handler's Handbook by Patrick Kral is the cleanest summary outside the official NIST document and reads in one sitting.
Week 6 -- Full-length practice exams under timed conditions, then targeted review of weak domains. Two practice exams per evening with disciplined review beats four exams with shallow review.
The Linux Foundation publishes a free Introduction to DevSecOps for Managers course that, while not Security+ specific, reinforces the supply-chain and pipeline content the exam tests in Domain 2 and Domain 3.
Common Wrong-Answer Patterns by Domain
Reviewing your practice-test mistakes by category surfaces patterns that one more practice test will not. Five archetypes account for the majority of wrong selections on SY0-701.
Recency bias -- selecting the most recently studied attack type when scenarios are ambiguous. A candidate who just reviewed pass-the-hash sees pass-the-hash everywhere for the next twenty questions.
Acronym swap -- choosing SIEM when the question describes SOAR behavior, or selecting IDS when the scenario clearly involves IPS in-line blocking. The cure is rewriting each acronym pair in plain English on a single index card.
Compliance confusion -- mapping the wrong regulation to a scenario. PCI DSS for payment card data, HIPAA for U.S. healthcare PHI, GDPR for EU personal data, SOX for financial reporting controls. Mixing these costs three to five questions per exam.
Layer-of-defense mistakes -- selecting a perimeter control when the scenario asks for a host-based control, or vice versa. A WAF protects web applications; an EDR protects endpoints; a DLP solution governs data movement. Each has a layer.
Time-pressure guessing -- abandoning analysis on questions sixty through eighty because PBQs ate too much clock at the start. Time discipline is itself a study topic.
Track which of these five categories your practice mistakes fall into. After three exams, the dominant category becomes the highest-ROI study target for the final week.
How the Exam Actually Scores
SY0-701 scoring is scaled, not a raw percentage. CompTIA does not publish exact scaled-score formulas, but candidates and instructors have triangulated the rough behavior through years of feedback.
| Raw Approximate | Scaled | Interpretation |
|---|---|---|
| 65% correct | ~720 | Just below pass |
| 70% correct | ~750 | Pass threshold |
| 80% correct | ~820 | Strong pass |
| 90% correct | ~880 | Top-decile result |
Performance-based questions are weighted more heavily than multiple-choice in the scaling, which is why time invested in PBQ practice yields outsized score gains. A candidate at sixty-eight percent raw who nails all five PBQs often scales to a 760 pass; a candidate at seventy-two percent raw who skipped three PBQs can scale to a 740 fail.
The takeaway is unambiguous: do not skip PBQs. Even a partially correct PBQ scores higher than a skipped one in most rubrics.
Performance-Based Questions Across Domains
SY0-701 includes up to five performance-based questions (PBQs) that appear at the start of the exam. They draw from any domain but cluster in Operations and Architecture. Common PBQ types:
- Drag-and-drop firewall rule construction for a given traffic requirement
- Log line classification (benign, suspicious, malicious)
- Network diagram annotation showing where to place a WAF, IDS, or proxy
- Matching attack types to indicators
- Configuring permissions for least privilege on a sample resource
Allocate fifteen minutes total for PBQs. If a single PBQ stalls you for more than four minutes, flag it and move on. Returning with a fresh head after the multiple-choice block usually resolves it.
References
- CompTIA. Security+ Certification Exam Objectives SY0-701. CompTIA, November 2023.
- Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide. YCDA LLC, 2024.
- Chapple, Mike and David Seidl. CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition. Sybex / Wiley, 2024.
- NIST. Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide. National Institute of Standards and Technology, 2012.
- Cloud Security Alliance. Cloud Controls Matrix v4. CSA, 2021.
- Microsoft. Digital Defense Report 2024. Microsoft Threat Intelligence, October 2024.
- CrowdStrike. 2024 Global Threat Report. CrowdStrike Holdings, 2024.
- U.S. House Committee on Oversight and Government Reform. The Equifax Data Breach: Majority Staff Report. December 2018.
