1. What Is CompTIA Security+?
CompTIA Security+ is a globally recognised, vendor-neutral cybersecurity certification that validates foundational security skills. It is the most widely held entry-level cybersecurity certification in the world, with over 700,000 professionals certified. For many roles in federal government and defence contracting, Security+ is not just beneficial — it is a mandatory requirement under DoD Directive 8570 / 8140.
The current version of the exam is SY0-701, launched in November 2023. It replaced SY0-601 and reflects the evolving threat landscape, with greater emphasis on cloud security, zero-trust architecture, automation, and modern attack techniques. CompTIA typically retires an exam version two years after its replacement is released.
2. Exam Format (SY0-701)
| Number of Questions | Up to 90 |
| Question Types | Multiple choice, multiple select, performance-based (PBQ) |
| Time Limit | 90 minutes |
| Passing Score | 750 out of 900 |
| Exam Fee | $392 USD (CompTIA Store) |
| Languages | English, Japanese, Portuguese, Simplified Chinese |
| Delivery | In-person (Pearson VUE) or online proctored |
| Recommended Experience | CompTIA Network+ and 2 years IT with security focus |
| Validity | 3 years (renewable via CE credits or retesting) |
3. The Six Exam Domains
The SY0-701 exam is organised into six domains, each with a defined percentage of exam questions:
Domain 1: General Security Concepts (12%)
Covers control types (technical, managerial, operational, physical), basic cryptographic algorithms, PKI, authentication methods, and fundamental security principles. This is foundational knowledge; master it before moving on to the application domains.
Domain 2: Threats, Vulnerabilities & Mitigations (22%)
The second-largest domain. Covers threat actors and their motivations, attack types (phishing, vishing, smishing, malware families, ransomware, SQL injection, XSS, buffer overflow), vulnerability scanning, threat intelligence, and mitigation controls. Real-world scenarios are common here.
Domain 3: Security Architecture (18%)
Network security models (on-prem, cloud, hybrid, SASE), cloud deployment types, infrastructure as code (IaC), virtualisation security, secure network design (DMZ, NAC, segmentation), and zero-trust principles. Cloud questions have significantly increased in SY0-701.
Domain 4: Security Operations (28%)
The largest domain. Covers identity and access management (IAM), MFA, certificate management, endpoint security, EDR/MDR/XDR, mobile device management, incident response lifecycle, digital forensics, log management, SIEM, SOAR, and monitoring. Many scenario-based questions live here.
Domain 5: Security Program Management & Oversight (20%)
Risk management (identification, assessment, treatment), compliance frameworks (GDPR, HIPAA, PCI-DSS, SOC 2, NIST), third-party risk, data classifications, privacy regulations, security training and awareness, and auditing. Policy-heavy domain with many regulatory scenario questions.
4. Performance-Based Questions (PBQs)
PBQs are interactive, scenario-based questions that appear at the beginning of the exam. They require you to perform a simulated task rather than just select an answer — for example, configuring a firewall rule, analysing a network diagram to identify a misconfiguration, or matching attack types to a given scenario.
Most candidates find PBQs time-consuming. A common test-taking strategy is to flag PBQs and return to them after completing the multiple-choice questions, since PBQs can consume 10–15 minutes each. However, you cannot skip questions on the Security+ exam — you must provide at least a partial answer before moving on.
Tip: There are typically 5 or fewer PBQs. If you spend more than 3 minutes on one, make your best attempt and move on; the remaining 85+ multiple-choice questions are worth more than perfecting any single PBQ.
5. Scoring and Passing
Security+ uses a scaled scoring system from 100 to 900. The passing score is 750. Standard questions carry no partial credit: each is scored as correct or incorrect. PBQs can earn partial credit within the question if multiple tasks are required.
Scores are reported immediately after the exam. You receive a score and a performance report showing your strengths and weaknesses in each domain, which is useful for planning a retake if needed. CompTIA does not publish the exact number of questions required to pass because scaled scoring is adjusted between exam forms.
6. Who Should Get Security+?
- IT professionals with 1–2 years of experience transitioning into cybersecurity
- Help desk and sysadmin staff seeking to move into security operations
- Recent computer science or IT graduates entering the job market
- Military personnel and veterans pursuing DoD IT positions
- Government employees or contractors requiring 8570/8140 compliance
- Anyone seeking SOC analyst, security analyst, or IT auditor roles
Security+ is not designed for advanced practitioners — for those, CompTIA CySA+, CASP+, or CISSP are more appropriate. Security+ is the ideal first cybersecurity certification for someone with general IT experience looking to specialise.
7. Study Plan and Resources
Most candidates with networking fundamentals need 6–12 weeks of focused study. Here is a structured approach:
Weeks 1–2: Foundation
Complete Domain 1 (General Security Concepts) and review fundamental cryptography, authentication, and network security basics. Ensure you understand TCP/IP, firewalls, and basic protocols before advancing.
Weeks 3–4: Threats & Architecture
Work through Domain 2 (Threats) and Domain 3 (Architecture). Domain 2 has the highest question count after Operations — memorise attack types, threat actors, and their motivations with flashcards.
Weeks 5–6: Security Operations
Domain 4 is the largest and most scenario-heavy. Focus on IAM, incident response, and SIEM/SOAR concepts. Practise reading logs and network diagrams.
Weeks 7–8: Governance & Practice
Cover Domain 5 (Governance, Risk, Compliance). Then take full-length practice tests. Review all wrong answers by looking up the underlying concept, not just the answer.
Final Week: Exam Simulation
Take timed full-length practice tests daily. Focus on your weakest domain. Review CompTIA's exam objectives document to ensure no topics are missed.
8. Frequently Asked Questions
Do I need a prerequisite certification before Security+?
No prerequisites are required, but CompTIA recommends having Network+ and at least two years of IT experience with a security focus. Without networking fundamentals, the material will be significantly harder to absorb.
How long does Security+ certification last?
Security+ is valid for 3 years. You can renew by earning 50 Continuing Education (CE) units within the three-year period, or by passing the current version of the exam again.
What is the difference between SY0-601 and SY0-701?
SY0-701 changes the domain count from 5 to 6, adds more cloud security content, increases emphasis on zero-trust and automation, and aligns to current attack techniques. SY0-601 retired in July 2024.
What jobs can I get with Security+?
Common roles include SOC Analyst (Tier 1/2), Security Administrator, IT Auditor, Systems Administrator, Network Administrator, and junior Penetration Tester. Many government and defence positions list Security+ as a requirement.
Is Security+ enough to get a cybersecurity job?
Security+ plus hands-on lab experience (TryHackMe, HackTheBox, home lab) is a competitive combination for entry-level roles. The certification demonstrates knowledge — pair it with practical skills and projects for the strongest job applications.