CompTIA study guide

How to pass CompTIA Security+ (SY0-701)

17 min read · 5 domains covered · Free practice, no sign-up

CompTIA Security+ (SY0-701) is a foundational cybersecurity certification, and it is broad rather than deep. It tests whether you can recognise the right control, threat, or response across the whole field, from cryptography to incident response to governance, at the level of a working practitioner with a year or two of hands-on exposure. There is no specialism to hide in: every domain is fair game.

It suits people moving into a security role: help-desk and sysadmin staff stepping across, new analysts, and developers who need the security vocabulary. Up to 90 questions in 90 minutes mix multiple-choice with performance-based items that drop you into a simulated scenario and ask you to act, not just recognise. The pass mark is 750 on a scale of 100 to 900, so you have a little room to miss some and still pass, but not much.

The exam rewards applied judgement. Most questions are short scenarios where several options are technically valid and only one is the best fit for the situation as written. The skill being tested is choosing correctly under that ambiguity, which is why practising on scenario questions with a worked explanation, and a reason every wrong option is wrong, beats memorising definitions.

SY0-701 rewards recognising the best control or response in a messy scenario, not reciting definitions, so train judgement on worked questions, not flashcards alone.

Difficulty

Foundational

Best for

People moving into their first dedicated security role: help-desk, sysadmin, and network staff stepping across, new security analysts, and developers who need a working security vocabulary.

Prerequisites

None required. CompTIA suggests Network+ and around two years of security-focused IT administration, but neither is enforced; the network and systems grounding is what actually helps.

Questions: maximum of 90
Time allowed: 90 min
Pass mark: 750 / 900
Exam cost (USD): $425
Practice questions: 298

How this exam thinks

Three habits separate a pass from a fail on the SY0-701, and none of them is about knowing more facts.

First, the exam almost always asks for the best response, not a correct one. Several options will be real security measures; only one fits the scenario as written. Read the last line first to find the actual requirement, then judge each option against that requirement, not against general good practice. A control that is excellent in another context is still wrong here if it does not address what the question asked.

Second, the exam thinks in scenarios and performance-based items. It puts you in a situation, a breach in progress or a new deployment or a failed audit, and asks what you would do, in what order, or with which tool. Memorised definitions do not survive contact with a scenario; you have to recognise the pattern and apply the concept. The performance-based questions open the exam, carry more weight, and take longer, so the timing strategy below matters.

Third, the exam wants you to think like a defender who weighs cost, risk, and proportion. The right answer is usually the one that addresses the actual risk with the least disruption, follows the process (change management, incident response, least privilege), and avoids the extreme. Options with absolutes, such as always, never, or block everything, are usually wrong precisely because real security is a proportionate response. When two answers look right, pick the one a measured practitioner following process would choose.

What each domain tests and how to study it

The SY0-701 blueprint is split across 5 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.

  1. General Security Concepts

    12% of exam

    What you must be able to do. Classify a control by its category and function, state a core concept in one line, and judge when a change needs the full change-management process.

    In one sentence. The shared vocabulary the rest of the exam assumes: control types, the CIA triad and friends, change management, and the cryptography building blocks.

    Recall check: answer these from memory first
    • Name the four control categories and the six control functions, and give one example that is both physical and deterrent.
    • Which security goal does hashing protect, and which does encryption protect? Which of the two is reversible?
    • What does non-repudiation mean, and which cryptographic tool provides it?

    What it tests. The foundational vocabulary every later domain builds on. Control categories (technical, managerial, operational, physical) and control functions (preventive, detective, corrective, deterrent, compensating, directive); core concepts such as the CIA triad, non-repudiation, authentication and authorisation and accounting, and Zero Trust; the change-management process and why it counts as a security control; and the cryptography toolkit, from symmetric versus asymmetric keys to hashing, salting, digital signatures, and the certificate machinery (PKI, CRL, OCSP).

    How to study it. Get the definitions exact and one sentence long, because the exam attacks fuzzy ones. Drill the control matrix until you can place any example into its category and function fast: a security guard is physical and can be preventive or deterrent; a log review is technical and detective. For cryptography, learn by purpose, which tool gives you confidentiality, which gives integrity, which gives non-repudiation, rather than by algorithm trivia. You do not need to implement crypto; you need to pick the right primitive for a stated goal.

    Easy to confuse

    • Control category versus control function. Category is what the control is (technical, managerial, operational, physical); function is what it does (preventive, detective, corrective, and so on). A control has one category but can serve more than one function.
    • Encryption versus hashing. Encryption is reversible with a key and protects confidentiality; hashing is one-way and protects integrity. If the question wants the original data back it is encryption; if it wants to detect tampering it is hashing.
    • Authentication versus authorisation. Authentication proves who you are; authorisation decides what you may do. MFA strengthens authentication, not authorisation; least privilege governs authorisation, not authentication.

    Worked example from the SY0-701 bank

    Free sample · General Security Concepts · easy

    A hospital's electronic health record system goes offline for four hours during a ransomware incident, blocking clinicians from reading patient charts. Which pillar of the CIA triad is most directly impacted by this outage?

    • A. Availability, because authorised users were unable to access the data when needed. (Correct)
    • B. Confidentiality, because clinicians could not see records they are authorised to view.
    • C. Integrity, because the records could not be trusted to be accurate during the outage.
    • D. Non-repudiation, because the source of the records could not be verified during the outage.

    Identify which pillar of the CIA triad is impacted when authorised users cannot reach a system because of an outage. The CIA triad defines confidentiality (preventing unauthorised disclosure), integrity (preventing unauthorised modification), and availability (ensuring timely authorised access). A ransomware-driven outage that prevents clinicians from reading charts directly degrades availability, regardless of whether the data itself was altered or disclosed.

    Why A is correct: Availability is the assurance that authorised users can reach systems and data when required. A four-hour outage that blocks clinical access is the textbook impact on availability.

    Why B is wrong: Confidentiality concerns unauthorised disclosure, not denial of access to authorised users. The incident may also affect confidentiality if data was exfiltrated, but the four-hour read outage described is fundamentally an availability problem, so this is the wrong best fit.

    Why C is wrong: Integrity concerns unauthorised modification or corruption of data. The scenario describes inability to reach the records, not altered content, so integrity is a tempting but incorrect choice.

    Why D is wrong: Non-repudiation prevents a party from denying an action they performed and is usually achieved through digital signatures and logging. It is not the pillar harmed by a system being offline, so this option is incorrect.

  2. Threats, Vulnerabilities, and Mitigations

    22% of exam

    What you must be able to do. Match an indicator or scenario to the threat actor, vector, or vulnerability behind it, and choose the mitigation that addresses the root cause.

    In one sentence. The biggest knowledge domain: who attacks, how they get in, what weaknesses they exploit, how to spot it, and what to do about it.

    Recall check: answer these from memory first
    • Given mass-encrypted files and a payment demand, name the attack and the single best preventive control.
    • Distinguish a zero-day from a misconfiguration and from a known-but-unpatched vulnerability.
    • What one mitigation most reduces the blast radius of a single compromised account?

    What it tests. The attacker's side and your response. Threat actors and their motivations (nation-state, organised crime, insider, hacktivist, shadow IT), threat vectors and attack surfaces (phishing and other message-based lures, supply chain, removable media, vulnerable software), the main vulnerability types (misconfiguration, zero-day, buffer overflow, race condition, supply-chain), reading indicators of malicious activity across malware, network, application, and cryptographic attacks, and the mitigation techniques (segmentation, hardening, least privilege, patching, access control) that reduce the risk.

    How to study it. This is the heaviest domain, so spend the most time here. Build two mental tables: attack to indicator (what would you see in the logs) and weakness to mitigation (what control closes it). The exam rarely asks for a bare definition; it gives symptoms and asks for the attack, or gives an attack and asks for the fix. Practise reading a short scenario and naming the most likely cause, then the single best mitigation. Keep the social-engineering techniques distinct, because the exam loves making you tell phishing, vishing, smishing, and pretexting apart.

    Easy to confuse

    • Threat versus vulnerability versus risk. A threat is who or what could cause harm; a vulnerability is the weakness they exploit; risk is the likelihood and impact of the two meeting. Patching removes a vulnerability, not the threat.
    • Phishing versus vishing versus smishing. Same trick, different channel: phishing is email, vishing is voice calls, smishing is SMS. The answer often hinges on the channel named in the scenario.
    • DoS versus DDoS. A DoS comes from one source; a DDoS is distributed across many, usually a botnet, which is why blocking a single address stops one but not the other.

    Worked example from the SY0-701 bank

    Free sample · Threats, Vulnerabilities, and Mitigations · easy

    A regional water utility's SCADA network is breached by an attacker who patiently maintains access for months, exfiltrates engineering diagrams, and tampers with no production processes. Forensics traces the operation to infrastructure linked to a foreign military intelligence unit. Which threat actor category best fits the adversary in this incident?

    • A. An organised cybercrime gang motivated by extorting the utility through a ransomware payout demand.
    • B. A hacktivist collective protesting the utility's environmental record through public defacement actions.
    • C. A disgruntled insider abusing valid credentials to harvest confidential project files for personal use.
    • D. A nation-state actor conducting cyber espionage to map critical infrastructure for future leverage. (Correct)

    Recognise that prolonged stealthy intrusions targeting critical infrastructure for intelligence value typically map to nation-state threat actors. Nation-state actors prioritise persistent access, low-noise operations, and intelligence collection over immediate disruption or financial gain. Stealing engineering diagrams from a SCADA environment supports future targeting and strategic leverage, which is the defining motivation of state-sponsored espionage against critical infrastructure operators.

    Why A is wrong: Tempting because utilities are common ransomware targets, but the long dwell time, lack of disruption, and theft of engineering diagrams point to espionage rather than financially motivated extortion.

    Why B is wrong: Hacktivists seek visibility and publicity for a cause, so they would deface sites or leak data publicly rather than quietly steal schematics for months.

    Why C is wrong: An insider scenario is plausible at utilities, but forensics here points to external foreign infrastructure rather than a current employee acting from within the network.

    Why D is correct: Long-term stealthy access, theft of engineering data, and attribution to a foreign military intelligence unit are hallmarks of nation-state espionage against critical infrastructure.

  3. Security Architecture

    18% of exam

    What you must be able to do. Compare the security trade-offs of architecture models, and apply the right principle to protect infrastructure, data, and availability in a given design.

    In one sentence. How design choices change your risk: cloud and on-prem models, segmenting and protecting the network, protecting data by its state and classification, and building in resilience.

    Recall check: answer these from memory first
    • Name the three states of data and the protection that best fits each.
    • Define RPO and RTO in one line each, and say which one drives backup frequency.
    • Why does network segmentation limit the damage of a breach, and what is the cheapest way to achieve it logically?

    What it tests. Security as a property of design. The implications of architecture models (cloud, serverless, microservices, on-premises, hybrid, IoT, ICS and SCADA); applying principles to secure enterprise infrastructure (segmentation, firewalls, secure communication and VPNs, device placement, port security); protecting data through its classification, its states (at rest, in transit, in use), sovereignty, and the protective tools (encryption, tokenisation, masking); and designing for resilience and recovery (high availability, site resiliency, backups, continuity of operations, and testing them).

    How to study it. Anchor everything to data states and to the question what happens when this fails. For data protection, learn which tool fits which state: encryption for data at rest and in transit, tokenisation and masking for data in use or in test systems. For resilience, learn the recovery metrics as decisions: RPO is how much data you can afford to lose, RTO is how long you can afford to be down, and the backup and replication strategy follows from those two numbers. Be able to read a topology and say where the segmentation boundary or the firewall belongs and why.

    Easy to confuse

    • RPO versus RTO. RPO is the maximum data loss measured backwards from an outage; RTO is the maximum acceptable time to restore service. Frequent backups improve RPO; fast failover improves RTO.
    • Tokenisation versus encryption. Encryption transforms data with a key you can reverse; tokenisation swaps the data for a meaningless reference held in a separate vault. Tokenisation removes the sensitive value from the system entirely, which is why it suits payment data.
    • High availability versus backups. High availability keeps a service running through a failure; backups let you recover data after a loss. HA does not save you from corrupted or deleted data being replicated, which is why you need both.

    Worked example from the SY0-701 bank

    Free sample · Security Architecture · hard

    A logistics start-up is rebuilding its order processing platform as a set of small services deployed independently to a Kubernetes cluster. Each service has its own database, owns one bounded context, and communicates with peers over authenticated REST and gRPC. The chief information security officer is briefing the board on how this microservices model changes the firm's security posture compared with the previous single Java monolith. Which statement best captures a distinctive security implication of moving to microservices rather than retaining the monolith?

    • A. The microservices design eliminates the need for network segmentation because each service runs in its own container and is therefore isolated from peers by default at the operating system level.
    • B. Patching cycles can be relaxed because each microservice is small enough that a compromise is contained within that service's container and cannot affect data owned by other services in the platform.
    • C. Centralised audit logging becomes simpler because every microservice writes to the same application log file and the team can rely on a single chain of custody across the whole order processing workflow.
    • D. The east-west attack surface grows because authentication, authorisation, and transport security must now be enforced on every inter-service call instead of relying on a single process boundary, which usually requires mutual TLS, service identities, and per-service policy. (Correct)

    Recognise that microservices shift the security boundary from a single process to many authenticated inter-service hops and expand the east-west attack surface. A microservices architecture decomposes a monolith into independently deployable services that communicate over the network. Each inter-service call that was once an in-process function call becomes a network request that an attacker on the cluster network could observe, replay, or forge. To preserve the security guarantees the monolith got for free, defenders must terminate mutual TLS between services, assign workload identities, enforce per-service authorisation, and apply network policies. This expanded east-west attack surface is the defining security implication that distinguishes microservices from the monolithic model.

    Why A is wrong: Container runtimes share a host kernel and a flat pod network unless deliberate network policies, service meshes, or namespaces enforce segmentation; assuming default isolation is a common misconception that leaves east-west traffic wide open.

    Why B is wrong: A compromised service is often a stepping stone to peers via service tokens, shared secrets, or excessive RBAC; smaller blast radius is a goal, not an automatic property, and patching cadence must in fact rise because each service brings its own dependency tree.

    Why C is wrong: Microservices typically emit logs from many pods to a shared pipeline, so achieving an end-to-end audit trail requires correlation IDs, distributed tracing, and centralised log aggregation; assuming a single log file is exactly the legacy mindset that microservice adoption breaks.

    Why D is correct: Splitting a monolith into independently deployable services replaces in-process calls with network calls, so each hop must be authenticated, authorised, and encrypted; defenders typically introduce a service mesh, workload identities, and per-service policy to control the expanded east-west attack surface.

  4. Security Operations

    28% of exam

    What you must be able to do. Given a live operational scenario, apply the right technique, tool, or process step (hardening, monitoring, identity, response, or investigation) in the right order.

    In one sentence. The largest domain and the most hands-on: running security day to day, from hardening and monitoring to identity, automation, and incident response.

    Recall check: answer these from memory first
    • List the incident-response phases in order, and say which phase isolating an infected host belongs to.
    • State the one-line rule for role-based, attribute-based, and mandatory access control.
    • Which tool flags credit-card numbers leaving the network, and which detects malicious behaviour on a laptop?

    What it tests. Security as an ongoing operation. Applying techniques to harden computing resources (secure baselines, mobile and wireless, application security); hardware and software and data asset management; vulnerability management (scanning, penetration testing, CVSS scoring, remediation, responsible disclosure); alerting and monitoring (SIEM, log aggregation, SNMP); modifying enterprise capabilities (firewall rules, IDS and IPS, web and DNS filtering, DLP, EDR and XDR); identity and access management (SSO, federation, MFA, access-control models, privileged access management); automation and orchestration (SOAR and scripting); the incident-response process; and using data sources to support an investigation.

    How to study it. This is the biggest domain by weight, so it deserves the most practice, and most of it is procedural. Learn the incident-response phases in order (preparation, identification, containment, eradication, recovery, lessons learned) and be ready to place a scenario at the right phase, because the exam loves asking what to do next. Learn the access-control models by their one-line rule: role-based assigns by job, attribute-based by conditions, mandatory by labels you cannot override. Treat the tools as answers to what would detect or stop this, and keep IDS versus IPS, and DLP versus EDR, crisply apart.
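
    The three access-control models reduced to the one-line rules above, as an added example that is not part of the original guide: the same request is evaluated under RBAC (by role), ABAC (by conditions) and MAC (by labels the subject cannot override), so the models can be seen disagreeing. All roles, labels, departments and the sample request are constructed for the demo.

```python
"""Role-based, attribute-based and mandatory access control side by side.
Added example, not from the original guide; roles, labels, departments and
the sample request are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Mandatory access control: an ordered set of labels fixed by the system owner.
LABELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Role-based access control: permissions hang off the job, never the individual.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read:alerts", "read:logs"},
    "responder": {"read:alerts", "read:logs", "isolate:host"},
    "auditor": {"read:logs"},
}


@dataclass
class Subject:
    name: str
    role: str
    clearance: str                       # MAC label assigned to the person
    attributes: Dict[str, object] = field(default_factory=dict)  # ABAC inputs


@dataclass
class Resource:
    name: str
    label: str                           # MAC classification of the object
    attributes: Dict[str, object] = field(default_factory=dict)


def rbac_allows(subject: Subject, action: str) -> bool:
    """RBAC: allowed iff the subject's role carries the permission."""
    return action in ROLE_PERMISSIONS.get(subject.role, set())


def mac_allows_read(subject: Subject, resource: Resource) -> bool:
    """MAC, no read up: the clearance must dominate the object's label.
    Nothing the subject does (not even owning the file) relaxes this."""
    if subject.clearance not in LABELS or resource.label not in LABELS:
        return False                     # unknown label: fail closed
    return LABELS[subject.clearance] >= LABELS[resource.label]


def abac_allows(subject: Subject, resource: Resource, action: str, hour: int) -> bool:
    """ABAC: a predicate over subject, resource and environment attributes."""
    same_department = (subject.attributes.get("department")
                       == resource.attributes.get("owner_department"))
    managed_device = bool(subject.attributes.get("device_managed", False))
    if action.startswith("read:"):
        return same_department and managed_device
    # Disruptive actions also need business hours unless the subject is on call.
    business_hours = 8 <= hour < 18
    on_call = bool(subject.attributes.get("on_call", False))
    return same_department and managed_device and (business_hours or on_call)


def decide(subject: Subject, resource: Resource, action: str, hour: int) -> Dict[str, bool]:
    """Evaluate one request under all three models so the differences are visible."""
    return {
        "rbac": rbac_allows(subject, action),
        "mac": mac_allows_read(subject, resource),
        "abac": abac_allows(subject, resource, action, hour),
    }


# Constructed sample request: an analyst on a managed laptop, cleared to
# "internal", reading an alert feed that is classified "confidential".
DANA = Subject("dana", "analyst", "internal",
               {"department": "soc", "device_managed": True})
ALERTS = Resource("alert-feed", "confidential", {"owner_department": "soc"})


def sample_decision() -> Dict[str, bool]:
    return decide(DANA, ALERTS, "read:alerts", hour=10)


if __name__ == "__main__":
    # rbac True (the role allows it), abac True (right department, managed
    # device), mac False (an "internal" clearance cannot read "confidential").
    print(sample_decision())
```

    The disagreement is the exam's point: a question that names a role wants RBAC, one that names a condition wants ABAC, and one that names a classification label the user cannot change wants MAC.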

    Easy to confuse

    • IDS versus IPS. An IDS detects and alerts; an IPS sits inline and can block. If the scenario needs the threat stopped automatically it is an IPS; if it needs visibility without breaking traffic, an IDS.
    • Containment versus eradication. Containment stops the incident spreading (isolate the host); eradication removes the cause (delete the malware, close the hole). Containment comes first; you do not skip to eradication while the bleeding continues.
    • DLP versus EDR. Data loss prevention watches for sensitive data leaving; endpoint detection and response watches for malicious behaviour on the endpoint. One catches exfiltration, the other catches the attacker on the device.

    Worked example from the SY0-701 bank

    Free sample · Security Operations · easy

    A logistics company is retiring forty laptops that previously held delivery manifests and payroll files. The IT manager wants the drives processed so that the data cannot be recovered even by a forensic lab, but the chassis themselves will be donated to a local charity in working order. Which disposal action best meets both requirements?

    • A. Run a quick format from the operating system installer on each laptop before handing the units over to the charity.
    • B. Perform a vendor-certified cryptographic erase or multi-pass overwrite of each drive, then verify and document the sanitisation before donation. (Correct)
    • C. Physically shred each drive in an approved media destruction bin and pass the laptops on with the empty drive bays.
    • D. Delete the user profiles, empty the recycle bin, and rely on full disk encryption being enabled at the time of donation.

    Recognise that secure disposal must destroy data on storage media while matching the reuse plan for the surrounding hardware. Secure disposal balances data sanitisation with the future use of the device. Cryptographic erase and verified multi-pass overwrite are recognised sanitisation methods that render data non-recoverable while preserving the drive and chassis for reuse or donation, and the resulting certificate provides documented evidence for the asset record.

    Why A is wrong: A quick format only rewrites filesystem metadata and leaves the underlying sectors intact, so commodity recovery tools can restore the manifests and payroll files. It is tempting because it appears to wipe the disk, but it does not satisfy the forensic non-recoverability requirement.

    Why B is correct: A certified cryptographic erase or NIST-aligned multi-pass overwrite destroys the readable contents of the drive while leaving the hardware usable, and the verified certificate of sanitisation supports an auditable chain of custody. This satisfies both the non-recoverability and the working-order requirements.

    Why C is wrong: Shredding does destroy the data beyond forensic recovery, but it also removes the storage that makes the laptops functional, so the charity would receive incomplete units. The requirement is to keep the chassis in working order, which this approach breaks.

    Why D is wrong: Deleting profiles and emptying the recycle bin leaves the underlying data blocks recoverable, and an unrevoked encryption key on a donated machine still permits decryption by the recipient. Candidates may pick this because encryption sounds protective, but without key destruction it does not sanitise the drive.

  5. Security Program Management and Oversight

    20% of exam

    What you must be able to do. Read a governance, risk, or compliance scenario and pick the right process step, document, or metric a security programme would use.

    In one sentence. The management layer: governance and policy, the risk-management process and its numbers, third-party risk, compliance, audits, and security awareness.

    Recall check: answer these from memory first
    • Write the SLE and ALE formulae, then compute the ALE for an asset worth 20,000 with a 50 percent exposure factor that is hit twice a year.
    • Name the four risk-treatment options and give a one-line example of transferring risk.
    • Put these in hierarchy order: standard, policy, procedure, guideline.

    What it tests. Security as a managed programme. The elements of governance (policies, standards, procedures, governance structures, roles and responsibilities, regulatory drivers); the risk-management process (identification, assessment, the risk register, risk appetite and tolerance, and the quantitative measures SLE, ARO, and ALE); third-party and supply-chain risk (vendor assessment, SLAs and MOUs, the right to audit); compliance (reporting, consequences, privacy, data retention); the types and purposes of audits and assessments; and running effective security-awareness practices.

    How to study it. Most of this domain is process and a little arithmetic, so it is reliable marks if you prepare it. Memorise the risk formulae and practise them: single loss expectancy is asset value times exposure factor, and annual loss expectancy is single loss expectancy times the annualised rate of occurrence. Learn the risk-treatment options (accept, avoid, transfer, mitigate) and match a business decision to one. Keep the document types straight, policy versus standard versus procedure versus guideline, because the exam tests the hierarchy. This domain feels dry, but it is among the most learnable, so do not leave it to the end.

    Easy to confuse

    • Policy versus standard versus procedure. A policy is the high-level intent (we protect data), a standard is the mandatory specific (use AES-256), a procedure is the step-by-step how. The exam tests which document a given statement belongs in.
    • Risk appetite versus risk tolerance. Appetite is how much risk the organisation will take overall; tolerance is the acceptable variation around a specific risk. Appetite is strategic and broad; tolerance is the practical limit on one item.
    • SLE versus ALE. Single loss expectancy is the cost of one incident; annual loss expectancy is that cost times how many times a year you expect it (the ARO). The exam gives you two of the three and asks for the third.
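
    The risk arithmetic from the study notes and the SLE versus ALE point above, worked in code as an added example that is not part of the original guide. It computes SLE and ALE, solves for whichever of SLE, ARO or ALE a question leaves out, and runs the recall check's own figures (asset worth 20,000, 50 percent exposure factor, hit twice a year); the control-cost comparison at the end goes one step beyond the guide's formulae and its figures are constructed.

```python
"""SY0-701 risk arithmetic: SLE = asset value x exposure factor, ALE = SLE x ARO.
Added example, not code from the original guide. recall_check_example() uses the
guide's own recall-check numbers; the control cost in control_is_worth_it is
a constructed figure."""
from typing import Dict, Optional


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: what one incident costs.
    exposure_factor is a fraction (0.5 for 50 percent), not a percentage."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annual loss expectancy: one incident's cost times incidents per year.
    An ARO below 1 is valid: 0.1 means one incident expected every ten years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def solve_missing(sle_value: Optional[float] = None,
                  aro: Optional[float] = None,
                  ale_value: Optional[float] = None) -> Dict[str, float]:
    """The exam gives two of SLE, ARO and ALE and asks for the third.
    Pass the two you have, leave the third as None, and get all three back."""
    given = [v is not None for v in (sle_value, aro, ale_value)]
    if given.count(False) != 1:
        raise ValueError("exactly one of sle_value, aro, ale_value must be None")
    if ale_value is None:
        ale_value = ale(sle_value, aro)
    elif sle_value is None:
        if aro == 0:
            raise ValueError("SLE is undefined when ARO is zero")
        sle_value = ale_value / aro
    else:
        if sle_value == 0:
            raise ValueError("ARO is undefined when SLE is zero")
        aro = ale_value / sle_value
    return {"sle": float(sle_value), "aro": float(aro), "ale": float(ale_value)}


def recall_check_example() -> Dict[str, float]:
    """The guide's Domain 5 recall check: asset worth 20,000, EF 50 percent,
    hit twice a year. SLE is 10,000 per incident, ALE is 20,000 per year."""
    single = sle(20_000, 0.5)
    return solve_missing(sle_value=single, aro=2)


def control_is_worth_it(ale_before: float, ale_after: float,
                        annual_control_cost: float) -> bool:
    """Proportionate mitigation, the judgement the exam rewards: a control earns
    its place only if the ALE reduction it buys exceeds its own annualised cost."""
    return (ale_before - ale_after) > annual_control_cost


if __name__ == "__main__":
    print(recall_check_example())
    # Constructed figures: a control costing 6,000 a year that halves the ARO.
    print(control_is_worth_it(20_000, 10_000, 6_000))
```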

    Worked example from the SY0-701 bank

    Free sample · Security Program Management and Oversight · medium

    A regional building society's incident review finds that engineers across three teams handled a recent ransomware outbreak inconsistently: one team wiped a compromised laptop before evidence was preserved, another paused containment to seek written approval that never arrived, and a third made firewall changes without recording them. The chief information security officer wants the governance artefact that most directly fixes this inconsistency by prescribing the exact step-by-step actions every responder must take, in order, for a ransomware event. Which artefact should she commission first?

    • A. A board-approved information security policy that states the firm will respond to ransomware in a timely and proportionate manner.
    • B. A written ransomware response procedure that lists the ordered steps for triage, isolation, evidence preservation, approval gates, and communications, mapped to named roles. (Correct)
    • C. An industry standard such as ISO/IEC 27035 referenced in the security manual as the firm's accepted approach to incident management.
    • D. A governance committee charter that assigns the chief information security officer accountability for ransomware preparedness across the group.

    Distinguish procedures from policies and standards by recognising that procedures prescribe the ordered operational steps responders must execute. In a governance hierarchy, policies state intent, standards state the measurable criteria a programme must meet, and procedures state the ordered actions people must take. Inconsistent operational behaviour during an incident is a procedure gap because no policy or standard reaches the level of telling a responder exactly what to do, in what order, with which approval, so a runbook is the artefact that closes it.

    Why A is wrong: A policy expresses managerial intent and accountability at a high level; it does not prescribe the ordered operational steps responders need, which is exactly the gap the incident review surfaced.

    Why B is correct: Procedures translate policy and standards into the ordered, role-tagged actions responders execute; this directly removes the inconsistency by giving every team the same numbered runbook for a ransomware event.

    Why C is wrong: A standard sets the criteria a programme should meet and is tempting because it carries authority, but it stops short of the ordered ransomware-specific actions a responder follows at 02:00.

    Why D is wrong: A charter clarifies who is accountable at the governance layer, which is useful, but it does not tell the engineer on shift which command to run before pulling a network cable on an infected host.

A study plan that works

  1. Map the blueprint and book a date

    Day 1

    Read the official exam objectives and the five domains with their weights. Book a provisional date now: a fixed date converts open-ended study into a plan and is the strongest predictor of actually sitting. Note that Security Operations (28 percent) and Threats (22 percent) are half the exam between them.

  2. Lock the vocabulary (Domain 1)

    Week 1

    Get the control matrix and the core concepts exact before anything else, because every later domain assumes them. Use the recall checks in this guide: cover the summary, answer from memory, then reveal. If you cannot state a concept in one sentence, you do not own it yet.

  3. Go deep on threats and operations (Domains 2 and 4)

    Weeks 1 to 3

    These two are half the exam, so they get the most time. Build the attack-to-indicator and weakness-to-mitigation tables, and drill the incident-response phases until you can place any scenario. Practise on scenario questions and read the worked explanation on every one, including the ones you got right.

  4. Cover architecture and governance (Domains 3 and 5)

    Weeks 3 to 4

    Architecture rewards thinking in data states and recovery metrics; governance rewards the risk formulae and the document hierarchy. Both are learnable, reliable marks. Do the SLE and ALE arithmetic by hand until it is automatic.

  5. Rehearse the performance-based questions

    Week 4

    The simulated, task-based items open the exam, carry more weight, and eat time. Rehearse them specifically: ordering response steps, configuring a rule, matching attacks to defences. Do not let an unfamiliar interface cost you marks you actually know.

  6. Drill weak domains, then space the review

    Week 5

    Use your per-domain accuracy to attack the two domains dragging you down, not to re-read what you already know. Then space it: revisit each domain's recall prompts after a few days and again a week later. Spaced review retains far more than cramming does.

  7. Sit a timed mock and calibrate

    Weeks 5 to 6

    Take at least one full timed mock under exam conditions to rehearse pacing and the flag-and-return habit. Treat the score as a per-domain readiness signal, not a single number, and review every missed question before you book or sit.
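The quantitative risk arithmetic from step 4, carried through as an added worked example. This is not code from the page or from Examworthy; the formulas are the standard Security+ definitions (SLE = AV × EF, ALE = SLE × ARO, safeguard value = ALE before − ALE after − annual cost), and every figure, asset and safeguard below is constructed for illustration. It also handles the trap the exam likes to set, an exposure factor given as a percentage rather than a fraction.

```python
"""Quantitative risk drill: SLE, ALE and safeguard cost-benefit (added example).

Formulas (standard Security+ definitions, not taken from the study guide):
  SLE = AV * EF      single loss expectancy: asset value times exposure factor (0..1)
  ALE = SLE * ARO    annualised loss expectancy: SLE times annualised rate of occurrence
  safeguard value = ALE_before - ALE_after - annual cost of the safeguard
All assets, costs and probabilities in this file are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy. EF must be a fraction (0.25), never a percentage (25)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1 (use 0.25, not 25)")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualised loss expectancy. ARO below 1 means 'once every N years' (1/N)."""
    if aro < 0:
        raise ValueError("annualised rate of occurrence cannot be negative")
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the residual EF/ARO once it is in place (assumed values)."""
    name: str
    annual_cost: float
    exposure_factor_after: float
    aro_after: float


def safeguard_value(asset_value: float, exposure_factor: float, aro: float,
                    safeguard: Safeguard) -> float:
    """Net annual value of a safeguard: risk removed minus what the control costs each year."""
    before = ale(asset_value, exposure_factor, aro)
    after = ale(asset_value, safeguard.exposure_factor_after, safeguard.aro_after)
    return before - after - safeguard.annual_cost


def best_safeguard(asset_value: float, exposure_factor: float, aro: float,
                   options: Iterable[Safeguard]) -> Optional[Safeguard]:
    """Pick the control with the highest positive net value.

    Returns None when no option pays for itself: accepting the risk is then the
    defensible answer, which is exactly the judgement call the exam scenario tests.
    """
    scored = [(safeguard_value(asset_value, exposure_factor, aro, s), s) for s in options]
    if not scored:
        return None
    value, choice = max(scored, key=lambda pair: pair[0])
    return choice if value > 0 else None


# Constructed scenario: a file server worth 200,000, ransomware would destroy half its
# value (EF 0.5), expected once every five years (ARO 0.2).
FILE_SERVER_VALUE = 200_000.0
RANSOMWARE_EF = 0.5
RANSOMWARE_ARO = 0.2

# Constructed candidate controls with assumed residual EF/ARO and annual cost.
OPTIONS = [
    Safeguard("immutable backups", annual_cost=6_000.0, exposure_factor_after=0.1, aro_after=0.2),
    Safeguard("EDR with rollback", annual_cost=15_000.0, exposure_factor_after=0.2, aro_after=0.1),
    Safeguard("insurance rider", annual_cost=25_000.0, exposure_factor_after=0.05, aro_after=0.2),
]

if __name__ == "__main__":
    print("SLE:", sle(FILE_SERVER_VALUE, RANSOMWARE_EF))                 # 100000.0
    print("ALE:", ale(FILE_SERVER_VALUE, RANSOMWARE_EF, RANSOMWARE_ARO))  # 20000.0
    for option in OPTIONS:
        print(f"{option.name}: net {safeguard_value(FILE_SERVER_VALUE, RANSOMWARE_EF, RANSOMWARE_ARO, option):,.0f}/yr")
    chosen = best_safeguard(FILE_SERVER_VALUE, RANSOMWARE_EF, RANSOMWARE_ARO, OPTIONS)
    print("Recommend:", chosen.name if chosen else "accept the risk")
```

Working the constructed scenario by hand: SLE is 200,000 × 0.5 = 100,000 and ALE is 100,000 × 0.2 = 20,000. Immutable backups cut ALE to 4,000 for 6,000 a year, a net gain of 10,000; EDR also reaches 4,000 but costs 15,000, netting only 1,000; the insurance rider costs more than the risk it removes and is a net loss. The exam answer is the control with the best net value, not the one that drives residual risk lowest.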

Know when you're ready

Readiness for the SY0-701 is a score on questions you have not seen before, not a feeling that the material is familiar. Those are different things, and the gap between them is where people fail. Re-reading notes builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself: if you can answer fresh scenario questions and explain why the wrong options are wrong, you know it; if you can only nod along to an explanation, you do not yet.

Be especially wary of early confidence. The people most likely to book too soon are the ones who feel ready after one pass, because they have not met the questions that show them what they missed. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every domain comfortably on unseen questions across more than one session, not scraping the pass mark once.

This guide gives you the map. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.

Ready to put this into practice?

Free SY0-701 questions with worked explanations. No sign-up.

Practise SY0-701 free

Exam-day tips

  • Read the last line of the question first. It tells you what is actually being asked, so you can scan the scenario for the answer instead of memorising every detail.
  • Choose the best option, not merely a correct one. Several answers are often valid security measures; the exam wants the one that fits the scenario as written.
  • Treat the performance-based questions with care but do not let them trap you. They open the exam and take longest; if one stalls you, flag it and return so it does not eat the marks waiting later.
  • Distrust absolutes. Options that say always, never, or block everything are usually wrong, because real security is proportionate to risk.
  • When two answers look right, pick the one that follows process: contain before eradicate, least privilege, change management, the measured response over the extreme.
  • Flag and move on. Cover every question once before you spend time on a hard one; the timer rewards collecting the easy marks first.

Frequently asked questions

Is CompTIA Security+ hard?

It is foundational, so it is broad rather than deep, but the breadth is the challenge: every domain from cryptography to governance is fair game, and the questions are applied scenarios rather than definitions. Scenario practice with worked explanations matters far more than memorising terms.

How long should I study for the SY0-701?

Most candidates with some IT background are ready in six to eight weeks of steady study. Less hands-on experience means more time on the two heavy domains, Threats and Security Operations, which carry half the exam between them.

What is the pass mark for the SY0-701?

750 on a scaled range of 100 to 900, shown in the facts panel above. The scale is not a percentage, so aim to clear every domain comfortably on unseen practice questions rather than targeting a raw figure.

What are performance-based questions?

Task-based items that drop you into a simulated environment and ask you to do something, such as configure a rule or match attacks to defences, rather than pick a letter. They usually appear first, carry more weight, and take more time, so rehearse them specifically.

Do I need Network+ first?

No. CompTIA recommends Network+ and around two years of security-focused IT experience, but neither is required to sit the exam. The networking grounding genuinely helps with the architecture and operations domains, so it is worth having even if you skip that exam.

Which domains should I focus on?

Security Operations at 28 percent and Threats, Vulnerabilities, and Mitigations at 22 percent are half the exam, so they deserve the most time. Do not neglect the smaller Governance domain, though: it is dry but among the most learnable, so it is reliable marks.

How many practice questions should I do before booking?

Enough that every domain clears the pass line with margin on questions you have not seen, and a full timed mock feels comfortable on pacing. Quality of review beats raw volume: read the explanation on every question, including the ones you got right.

Is CompTIA Security+ worth it?

Security+ is worth it for IT professionals moving into security-focused roles and for those in roles where a vendor-neutral baseline certification is valued or required, including many US government contractor positions that still reference DoD 8570 compliance (since superseded by DoD 8140, which continues to list Security+). It is a well-recognised entry point that covers threat analysis, security architecture, operations, and governance at a level that builds working fluency rather than surface familiarity. Those targeting deeper specialisations such as network security, cloud security, or penetration testing typically use Security+ as the foundation before pursuing a more focused credential.

Examworthy is not affiliated with or endorsed by CompTIA. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. SY0-701 and related marks belong to their respective owners.