Introduction
The CompTIA Security+ (SY0-701) is the most widely recognized entry-to-mid-level cybersecurity certification in the world. It’s vendor-neutral, DoD 8570 / 8140 compliant, and required for thousands of US federal and contractor cybersecurity job postings. It’s the credential most candidates target as their first serious security cert.
The SY0-701 (released November 2023, current through at least mid-2027 based on CompTIA’s typical 3+ year cycle) updates the previous SY0-601 with expanded coverage of cloud security, zero trust, automation, and modern threat techniques.
This guide covers the SY0-701 objectives, exam format, costs, hands-on skills, and a realistic 8–12 week prep plan.
Who Security+ Is For
Security+ is the right exam if you:
- Want an entry-to-mid-level cybersecurity credential with broad employer recognition
- Are pursuing US federal / DoD or government contractor cybersecurity roles (often required)
- Need a baseline security cert to complement cloud certs (AZ-500, AWS Security Specialty)
- Have 1–2 years of general IT experience, ideally including Network+
- Want to transition from helpdesk / sysadmin / network admin into security roles
Security+ has no formal prerequisites, but CompTIA recommends Network+ and 2 years of IT administration experience.
Security+ SY0-701 Exam Specifications
| Attribute | Detail |
|---|---|
| Exam code | SY0-701 |
| Title | CompTIA Security+ |
| Format | Multiple-choice, multi-select, Performance-Based Questions (PBQs) |
| Questions | Up to 90 |
| Duration | 90 minutes |
| Passing score | 750 / 900 (~83%) |
| Cost | $392 USD (single voucher) |
| Languages | English, Japanese, Portuguese, Spanish, Thai, Vietnamese, German, Korean |
| Delivery | Pearson VUE in person or online |
| Validity | 3 years (CE renewal via CEUs, higher cert, or retake) |
| Prerequisites | None official; Network+ recommended |
The 750 / 900 passing score is the highest of any major entry-level security cert — Security+ is not trivially easy.
Security+ SY0-701 Domains and Weights
| Domain | Weight |
|---|---|
| General Security Concepts | 12% |
| Threats, Vulnerabilities, and Mitigations | 22% |
| Security Architecture | 18% |
| Security Operations | 28% |
| Security Program Management and Oversight | 20% |
The new SY0-701 increases coverage of Security Operations (28%) — the largest domain.
Domain 1: General Security Concepts (12%)
- CIA triad and security control categories (technical, managerial, operational, physical)
- Control types: preventive, deterrent, detective, corrective, compensating, directive
- Change management fundamentals
- Cryptographic solutions: PKI, symmetric/asymmetric, hashing, salting, key exchange
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
- Threat actors: nation-state, organized crime, hacktivists, insider, script kiddies
- Attack surfaces and threat vectors
- Common attacks: malware, social engineering (phishing, vishing, smishing, BEC, pretexting), DNS attacks, on-path, password attacks, supply chain
- Application attacks: injection, buffer overflow, race conditions, malicious code
- Vulnerability management: scanning, prioritization (CVSS, EPSS), patching
- Mitigations: segmentation, hardening, encryption, monitoring, EDR/XDR
Domain 3: Security Architecture (18%)
- Architecture models: cloud (IaaS/PaaS/SaaS), on-prem, hybrid, microservices, serverless
- Infrastructure as code, embedded systems, ICS/SCADA, IoT
- Zero Trust principles: identity-aware, microsegmentation, continuous verification
- Resilience and recovery: HA, fault tolerance, RPO/RTO, backups, site types (hot, warm, cold)
- Data protection: classification, masking, tokenization, encryption at rest/in transit
Domain 4: Security Operations (28%) — Largest Domain
- Identity & Access Management: SSO, MFA, federation, RBAC, ABAC, PAM
- Endpoint security: EDR, NGAV, application allowlisting, MDM, hardening baselines
- Network security: firewalls, IDS/IPS, NAC, segmentation, VPN, ZTNA
- Cloud security operations: CASB, CSPM, container security
- Vulnerability management lifecycle
- Incident response: phases, runbooks, RACI, digital forensics, chain of custody
- Logging and monitoring: SIEM, SOAR, log aggregation, alert tuning
- Automation and orchestration
Domain 5: Security Program Management and Oversight (20%)
- Governance: policies, standards, procedures, guidelines
- Risk management: risk register, risk appetite, qualitative vs. quantitative
- Compliance: HIPAA, PCI DSS, GDPR, SOX, FedRAMP
- Third-party risk management (TPRM)
- Awareness and training programs
- Auditing and assessments
Performance-Based Questions (PBQs)
Security+ includes PBQs — simulation-style questions where you might:
- Drag-and-drop devices into a network diagram with security zones
- Configure a firewall rule set to allow/deny specific traffic
- Identify the type of attack from a log excerpt
- Match controls to threats
You’ll typically see 3–6 PBQs at the start of the exam. Don’t get stuck — flag them, complete the multiple-choice questions, then return to PBQs with remaining time.
What Makes Security+ Hard
- High passing score (750/900 ≈ 83%). You have less margin than most exams.
- PBQs eat time. Allocate ~10 minutes per PBQ, not 90 seconds.
- Memorization-heavy. Acronyms, port numbers, cryptography names, compliance frameworks.
- Subtle wording. “MOST appropriate,” “FIRST step,” “BEST mitigation” — read carefully.
- Breadth, not depth. Security+ covers everything from cryptography to compliance to physical security. Don’t deep-dive into one area at the expense of others.
Hands-On Skills Worth Practicing
You don’t need a home lab to pass Security+, but these basics help:
- Configure firewall rules (any vendor, even pfSense/OPNsense)
- Use Wireshark to identify protocols and a basic attack signature
- Use Nmap to scan a target network and interpret results
- Configure SSH key authentication on a Linux server and disable password auth
- Install and explore an EDR or AV trial; review a sample alert
- Set up a basic SIEM (e.g., Wazuh or Security Onion) and ingest logs
- Read a vulnerability scan report (Nessus, OpenVAS) and prioritize findings
Recommended 8–12 Week Study Plan
Weeks 1–2: General concepts and cryptography
- CIA triad, control types
- Cryptographic primitives, PKI, hashing
- Key exchange, certificates
Weeks 3–4: Threats and attacks
- Threat actors and motivations
- Malware families and behaviors
- Social engineering techniques
- Network attack catalogue
- Vulnerability management and CVSS
Weeks 5–6: Architecture and design
- Cloud, on-prem, hybrid models
- Zero Trust principles
- Resilience architectures
- Data protection strategies
Weeks 7–9: Security Operations (largest domain)
- IAM, MFA, federation
- Endpoint and network security tools
- Cloud security operations
- Incident response and forensics
- SIEM, SOAR, automation
Week 10: Governance, risk, compliance
- Policies and frameworks
- Risk management
- Compliance regulations
- Third-party risk
Weeks 11–12: Mock exams and PBQ practice
- 3+ full-length mocks from Sailor.sh’s Security+ SY0-701 mock exam bundle
- Dedicated PBQ practice sessions
- Targeted re-study on weak domains
Free and Paid Resources
- CompTIA exam objectives PDF — canonical objective list
- Professor Messer’s free YouTube SY0-701 course — community gold standard
- CompTIA CertMaster Learn ($) — official self-paced course
- Mike Chapple “CompTIA Security+ SY0-701 Study Guide” (Sybex, current edition)
- Sailor.sh Security+ SY0-701 mock exam bundle — exam-format practice with PBQs
Salary Impact
Security+ is the highest-ROI security cert by salary lift per study hour:
- US average: $70K–$110K for “SOC analyst / security analyst + Security+”
- DoD/federal contractor uplift: Security+ is required for many 8570 / 8140 IAT II roles
- Pairing impact: Security+ + AZ-500 or AWS Security Specialty often lifts salaries 15–25% over single-cert candidates
Security+ vs. Other Security Certs
| Certification | Provider | Cost | Difficulty | Validity |
|---|---|---|---|---|
| Security+ | CompTIA | $392 | Medium | 3 years |
| CISSP | (ISC)² | $749 | Hard | 3 years |
| CISA | ISACA | $760 | Hard | 3 years |
| SSCP | (ISC)² | $249 | Medium | 3 years |
| GIAC GSEC | SANS | ~$2,499 | Hard | 4 years |
| AWS Security Specialty | AWS | $300 | Hard | 3 years |
Security+ is the natural first credential. CISSP is the natural next step once you have ~5 years of qualifying experience.
Most Common Reasons People Fail
- Under-practicing PBQs. They eat 30–40% of your time if you’re unprepared.
- Skipping cryptography fundamentals. Several Domain 1 and Domain 3 questions are crypto-flavored.
- Memorizing without context. “What does CVE stand for?” is trivial; “Which CVE prioritization framework is best for X?” is hard.
- Booking too early. Security+ rewards 8–12 weeks of structured prep, not 2 weekends of cramming.
- Ignoring compliance. ~20% of the exam, and frequently undervalued by candidates.
After You Pass
Strong next moves depend on your trajectory:
- Cloud security: AZ-500 or AWS Security Specialty
- General security ladder: CySA+ (analyst), then CASP+ or PenTest+
- Strategic / management: CISSP (5 years of experience required, or Associate of (ISC)²)
- Audit-focused: CISA
- Network depth first: CompTIA Network+ if not already held
Frequently Asked Questions
Q: Is Security+ worth it in 2026? A: Yes. It remains the most widely recognized entry-to-mid security credential and a frequent requirement for US federal and contractor cybersecurity roles.
Q: How hard is Security+? A: Medium. The 750/900 passing score and PBQs make it harder than most candidates expect. Plan 8–12 weeks.
Q: Do I need Network+ first? A: Not required, but recommended. Network+ knowledge significantly helps with Security+ network-security questions.
Q: How do I renew Security+? A: Earn 50 Continuing Education Units (CEUs) over 3 years, or earn a higher CompTIA cert, or retake the exam. Most candidates use CEUs from training, articles, or higher certs.
Q: How much time should I budget on PBQs? A: ~10 minutes per PBQ. With 3–6 PBQs, that’s 30–60 minutes. Flag them initially, complete the MCQs, then return.
Q: What’s the best practice resource for PBQs? A: Resources that include realistic PBQ-style simulations. Sailor.sh’s Security+ SY0-701 mock exam bundle includes PBQ-style scenario questions in addition to standard MCQs.
Ready to Start?
Security+ is the canonical “first serious security certification” and a meaningful resume signal regardless of which security domain you target later. Spend 8–12 weeks combining a structured course (Professor Messer or CertMaster), realistic practice with PBQs, and a few simple hands-on tools (Wireshark, Nmap, an EDR trial).
Take a free Security+ practice test on Sailor.sh to baseline your domains, then work the full mock exam bundle until you consistently score 85%+ — comfortably above the 83% passing threshold.