What does Security+ SY0-701 cover?
The CompTIA Security+ SY0-701 exam covers five domains: general security concepts, threats and vulnerabilities, security architecture, security operations, and security program management and oversight. It is an entry-level security certification requiring no formal prerequisites, though two years of IT experience with a security focus is recommended. The exam costs $392 USD.
The CompTIA Security+ SY0-701 is the most widely recognized entry-level cybersecurity certification globally and is required or preferred for thousands of security-related IT positions. It covers the fundamental security skills needed across all areas of IT security and is approved by the U.S. DoD for IAT Level II and IAM Level I positions.
Security+ is the starting point for most cybersecurity career paths, providing the foundation for more advanced certifications like CySA+, CASP+, and CISSP. The exam costs $392 USD, contains a maximum of 90 questions, and requires a passing score of 750 out of 900.
Exam Overview
| Detail | Information |
|---|---|
| Exam Code | SY0-701 |
| Full Name | CompTIA Security+ |
| Number of Questions | Maximum 90 |
| Time Limit | 90 minutes |
| Passing Score | 750/900 |
| Cost | $392 USD |
| Prerequisites | None formal; Network+ and 2 years IT experience recommended |
| Validity | 3 years (renewed via CEUs or retaking) |
| DoD Approval | IAT Level II, IAM Level I |
The SY0-701 exam covers five domains:
- General security concepts (12%)
- Threats, vulnerabilities, and mitigations (22%)
- Security architecture (18%)
- Security operations (28%)
- Security program management and oversight (20%)
"Security+ SY0-701 significantly updated the exam to reflect modern security operations, including cloud security, zero trust architecture, and operational security procedures that reflect actual job roles. Candidates who studied from outdated SY0-601 materials will find significant gaps in the newer exam." -- CompTIA security training community
Domain 1: General Security Concepts (12%)
Security Controls Framework
Security controls are categorized by type and category:
Control types:
- Technical controls: Software and hardware mechanisms (firewalls, encryption, access control systems)
- Managerial controls: Administrative policies and procedures (security policies, risk assessments, security awareness training)
- Operational controls: Day-to-day procedures and practices (incident response, change management, security monitoring)
- Physical controls: Physical security measures (locks, cameras, guards, mantraps)
Control categories:
- Preventive: Stop incidents before they occur (firewall rules, access control)
- Detective: Identify and log security events (IDS, SIEM, audit logs)
- Corrective: Restore systems after an incident (backups, patches, incident response)
- Compensating: Alternative controls when primary controls cannot be implemented
- Directive: Require specific behavior (security policies, training requirements)
Zero Trust Architecture
Zero Trust assumes no user, device, or network is inherently trusted:
- Verify explicitly: Authenticate and authorize every request based on all available signals
- Least privilege access: Grant only the minimum permissions needed
- Assume breach: Design for breach containment; segment and monitor
Zero Trust network components:
- Identity provider: Verifying user identity (Active Directory, Entra ID with MFA)
- Policy enforcement point: Enforcing access decisions (proxy, firewall, WAF)
- Policy decision point: Making access decisions based on policy
- Network segmentation: Micro-segmentation preventing lateral movement
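The three principles and the PDP/PEP split above are easier to see in code. The following is an added illustration, not code from CompTIA or any vendor: a minimal policy decision point that evaluates every signal the enforcement point collects (identity, MFA state, device posture, source segment, role, requested action) and denies by default. The resources, roles and segments in POLICY are constructed sample data.

```python
"""Minimal Zero Trust policy decision point (PDP) with a separate policy
enforcement point (PEP). Added illustration for the study notes; not code
from CompTIA or any vendor. All signals, roles and resources are constructed."""
from dataclasses import dataclass


@dataclass
class Request:
    """Signals the PEP collects for every request (verify explicitly)."""
    user: str
    role: str
    mfa_verified: bool
    device_compliant: bool
    source_segment: str      # e.g. "corp-lan", "vpn", "internet"
    resource: str
    action: str              # "read" or "write"


# Hypothetical policy: which roles may perform which actions on a resource and
# which segments may reach it. Least privilege: anything not listed is denied.
POLICY = {
    "hr-db": {"roles": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
              "segments": {"corp-lan", "vpn"}, "require_mfa": True},
    "wiki":  {"roles": {"engineer": {"read", "write"}, "hr-analyst": {"read"}},
              "segments": {"corp-lan", "vpn", "internet"}, "require_mfa": False},
}


def decide(req: Request) -> tuple:
    """PDP: evaluate every signal on every request; network location alone never grants access."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"                      # default deny
    if req.source_segment not in rule["segments"]:
        return False, "segment not permitted"                  # assume breach: segmentation
    if rule["require_mfa"] and not req.mfa_verified:
        return False, "MFA required"                           # verify explicitly
    if not req.device_compliant:
        return False, "device not compliant"                   # device posture is a signal too
    allowed_actions = rule["roles"].get(req.role, set())
    if req.action not in allowed_actions:
        return False, "action not permitted for role"          # least privilege
    return True, "allowed"


def enforce(req: Request, audit: list) -> bool:
    """PEP: asks the PDP and records every decision so monitoring can spot anomalies."""
    ok, reason = decide(req)
    audit.append(f"{req.user} {req.action} {req.resource}: {'ALLOW' if ok else 'DENY'} ({reason})")
    return ok


if __name__ == "__main__":
    log = []
    enforce(Request("alice", "hr-analyst", True, True, "vpn", "hr-db", "read"), log)
    enforce(Request("alice", "hr-analyst", True, True, "vpn", "hr-db", "write"), log)
    print("\n".join(log))
```

Note that the checks are ordered so the cheapest, most categorical denials (unknown resource, wrong segment) happen first, and that a request from the corporate LAN still has to pass MFA and device checks: being "inside" buys nothing.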
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
Threat Actor Types
| Threat Actor | Motivation | Sophistication | Resources |
|---|---|---|---|
| Nation-state | Political, espionage | Very high | Government-funded |
| Organized crime | Financial | High | Significant |
| Hacktivist | Ideological | Moderate | Limited |
| Script kiddie | Notoriety, curiosity | Low | Minimal; uses existing tools |
| Insider threat | Various | Varies | Legitimate access |
| Competitor | Economic advantage | Varies | Varies |
Common Attack Techniques
Social engineering:
- Phishing: Mass email impersonating trusted organizations
- Spear phishing: Targeted phishing using personal information
- Whaling: Spear phishing targeting executives (C-suite)
- Vishing: Voice phishing via phone calls
- Smishing: SMS-based phishing
- Business Email Compromise (BEC): Impersonating executives or vendors to authorize fraudulent transfers
Malware categories:
- Ransomware: Encrypts files and demands payment for decryption key
- Trojan: Malware disguised as legitimate software
- Worm: Self-replicating malware that spreads across networks
- Rootkit: Hides malware presence at OS or firmware level
- Spyware: Covertly monitors and exfiltrates user data
- Fileless malware: Resides in memory; leaves no files on disk for traditional AV to detect
Vulnerability Management
CVSS (Common Vulnerability Scoring System) scores vulnerabilities from 0.0 to 10.0:
- 9.0-10.0: Critical
- 7.0-8.9: High
- 4.0-6.9: Medium
- 0.1-3.9: Low
CVE (Common Vulnerabilities and Exposures): Standardized identifiers for publicly known vulnerabilities (e.g., CVE-2021-44228 for Log4Shell).
Domain 3: Security Architecture (18%)
Cloud Security Architecture
Cloud security responsibilities follow the shared responsibility model. Customers are always responsible for:
- Data classification and protection
- Identity and access management
- Client-side encryption
- Network configuration (in IaaS and PaaS)
Cloud security services:
- CASB (Cloud Access Security Broker): Visibility and control over cloud application usage
- CSPM (Cloud Security Posture Management): Detecting and remediating cloud misconfigurations
- CWPP (Cloud Workload Protection Platform): Protecting cloud workloads from threats
Network Architecture Security
- DMZ (Demilitarized Zone): Network segment between external and internal firewalls hosting public-facing services (web servers, email gateways)
- Network segmentation: VLANs and ACLs isolating sensitive systems
- Jump server (bastion host): Hardened intermediate server for managing systems in restricted network zones
- Air gap: Physical separation between sensitive networks with no network connection
Cryptography
| Algorithm | Type | Key Size | Use Case |
|---|---|---|---|
| AES-256 | Symmetric | 256-bit | File and disk encryption |
| RSA | Asymmetric | 2048+ bit | Key exchange, digital signatures |
| ECC (ECDSA) | Asymmetric | 256-bit equivalent | Efficient signatures, TLS |
| SHA-256 | Hashing | N/A (256-bit output) | File integrity, digital signatures |
| bcrypt/Argon2 | Password hashing | Adaptive | Storing password hashes |
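The last two rows of the table are the ones candidates most often confuse: SHA-256 is the right tool for integrity, and the wrong tool for storing passwords. The following added example (not code from the study guide) shows both uses side by side with the Python standard library. bcrypt and Argon2 need third-party packages, so scrypt stands in as the adaptive, salted password hash; the file bytes and passwords are constructed sample data, and the record format `scrypt$n$r$p$salt$hash` is this example's own convention.

```python
"""Hashing for integrity vs. hashing for password storage. Added example,
not from the study guide; scrypt stands in for bcrypt/Argon2."""
import hashlib
import hmac
import os
from typing import Optional

# --- Integrity: a fast hash is exactly what you want for verifying a download ---
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Compare against a published digest; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())

# --- Passwords: a fast hash is what you do NOT want; use a slow, salted, tunable KDF ---
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # work factor: raise n as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$hash (salt and hash in hex).
    Storing the parameters lets you raise the cost later without breaking old records."""
    salt = salt or os.urandom(16)               # unique per user: defeats rainbow tables
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt${n}${r}${p}${salt}${hash}".format(
        salt=salt.hex(), hash=digest.hex(), **SCRYPT_PARAMS)

def verify_password(password: str, record: str) -> bool:
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample data
    firmware = b"abc"
    print("integrity ok:", verify_integrity(firmware, sha256_hex(firmware)))
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
```

The two halves differ in exactly the properties the table hints at: the integrity check wants speed and a fixed, publishable digest, while the password store wants a per-user salt, a cost parameter you can tune upward, and a record that carries its own parameters so a future cost increase is a rehash-on-next-login, not a migration.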
Domain 4: Security Operations (28%)
Identity and Access Management
Authentication factors:
- Something you know: Password, PIN, security questions
- Something you have: Smart card, hardware token, mobile authenticator app
- Something you are: Fingerprint, retina scan, voice recognition
Authentication protocols:
- RADIUS: AAA protocol for network access control (UDP 1812/1813)
- TACACS+: AAA protocol for network device management (TCP 49); separates authentication, authorization, and accounting
- SAML: XML-based standard for web SSO federation
- OAuth 2.0: Delegated authorization framework for API access
- OpenID Connect: Identity layer on top of OAuth 2.0 for web SSO
Incident Response Process
NIST Incident Response Lifecycle:
- Preparation: Building incident response capability before incidents occur
- Detection and analysis: Identifying and analyzing potential incidents
- Containment, eradication, and recovery: Limiting damage, removing the threat, restoring operations
- Post-incident activity: Lessons learned, documentation improvement
Endpoint Security
- EDR (Endpoint Detection and Response): Continuous monitoring and automated response on endpoints
- XDR (Extended Detection and Response): EDR extended to network, cloud, and email telemetry
- DLP (Data Loss Prevention): Preventing sensitive data from leaving the organization
- FDE (Full Disk Encryption): Encrypting entire drive contents (BitLocker, FileVault)
- Patch management: Regular application of security patches to reduce vulnerability exposure
Domain 5: Security Program Management (20%)
Risk Management
Risk calculation: Risk = Probability x Impact
Risk response strategies:
- Avoidance: Eliminate the risk by not performing the activity
- Transfer: Shift risk to another party (cyber insurance, outsourcing)
- Mitigation: Implement controls to reduce probability or impact
- Acceptance: Accept the risk when cost of mitigation exceeds potential impact
Compliance Frameworks
| Framework | Applicability | Focus |
|---|---|---|
| NIST CSF | All organizations | Cybersecurity risk management |
| ISO 27001 | International | Information security management system |
| PCI-DSS | Payment card handlers | Card data security |
| HIPAA | Healthcare (US) | Patient data privacy and security |
| GDPR | EU data subjects | Personal data privacy |
| SOC 2 | Service organizations | Security, availability, confidentiality |
"The compliance and governance domain in SY0-701 is weighted more heavily than many candidates expect. Understanding which framework applies to which industry, and what the framework's core requirements are, is directly tested. Candidates who skip the compliance section focusing only on technical security topics typically miss 15-20% of available points." -- Security+ exam preparation community
Frequently Asked Questions
Is Security+ enough to get a cybersecurity job? Security+ is a strong entry point for cybersecurity careers and is the minimum qualification for many junior security analyst and security operations center (SOC) positions. However, most employers hiring for technical security roles also want 1-2 years of practical experience or demonstrated skills through CTF competitions, home lab projects, or prior IT roles. Security+ combined with hands-on experience is a strong foundation for entry-level positions.
How is Security+ SY0-701 different from SY0-601? SY0-701 significantly restructured the domain weights and updated content to reflect modern security practices. Key changes include greater emphasis on cloud security, a new Security Program Management domain covering governance and compliance more extensively, updated coverage of zero trust architecture, and updated threat landscape content including supply chain attacks. Candidates studying from SY0-601 materials will find coverage gaps in approximately 20-30% of the new content.
What is the best order to study domains for Security+? Start with Domain 1 (General Security Concepts) to build foundational vocabulary. Then study Domain 3 (Security Architecture) to understand how security is designed. Domain 2 (Threats and Vulnerabilities) builds on architecture knowledge. Domain 4 (Security Operations) is the largest domain and should receive the most study time. Finish with Domain 5 (Security Program Management) which is more conceptual and requires less technical depth.
References
- CompTIA. (2025). CompTIA Security+ SY0-701 Exam Objectives. https://www.comptia.org/certifications/security
- Dulaney, E., & Easttom, C. (2023). CompTIA Security+ SY0-701 Study Guide. Sybex.
- Chapple, M., & Seidl, D. (2023). CompTIA Security+ SY0-701 Study Guide. Sybex.
- Professor Messer. (2025). CompTIA Security+ SY0-701 Course. https://www.professormesser.com/security-plus/
- NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity (CSF). https://www.nist.gov/cyberframework
- CompTIA. (2025). DoD 8570/8140 Approved Baselines. https://www.comptia.org/certifications/which-certification/dod-8570
