CompTIA Security+ (SY0-701): Study Guide

By The Exam Atlas Editorial Team · Verified 2026-05-29

A suggested study plan

Weeks 1–2:  General security concepts and vocabulary (CIA triad, control categories and types, cryptography basics, zero trust)
Weeks 3–4:  Threats, vulnerabilities and mitigations (threat actors, attack types, malware, social engineering, hardening)
Weeks 5–6:  Security architecture and operations (secure design, IAM, monitoring with a SIEM, incident response)
Weeks 7–8:  Governance, risk and compliance, plus hands-on practice for performance-based questions
Final week: Full-length timed reviews, revisit weak areas, confirm exam-day logistics

This guide explains how to prepare for CompTIA Security+ (SY0-701) using a simple loop: read the official objectives, understand why each control exists, and practise hands-on tasks. It contains study guidance and explanations only — no real or simulated exam questions. Security+ is best learned by understanding concepts and practising skills, not by memorising answers.

How the exam works

You get up to 90 questions in 90 minutes, a mix of multiple-choice and performance-based questions (PBQs), and you need 750 out of 900 to pass. The PBQs usually come first and are the most time-consuming, so the single biggest exam-day skill is time management: if a PBQ stalls you, flag it and move on to bank the quicker multiple-choice marks, then return. The exam is scenario-driven, so most questions describe a situation and ask for the best response, not a definition.

The five domains, and how to study each

1. General Security Concepts (12%)

This is the foundation everything else builds on. Master the CIA triad (plus non-repudiation), and be able to classify security controls two ways at once: by category (technical, managerial, operational, physical) and by type (preventive, deterrent, detective, corrective, compensating, directive). Learn zero trust properly — the control plane vs data plane, and the policy engine, policy administrator and policy enforcement point. Finish with cryptography fundamentals: symmetric vs asymmetric encryption, hashing and salting, digital signatures, and how PKI binds identities to keys through certificates, CSRs and revocation (CRL/OCSP).

2. Threats, Vulnerabilities and Mitigations (22%)

The largest knowledge domain. Start with threat actors (nation-state, organised crime, hacktivist, insider, unskilled) and their motivations, then attack surfaces and vectors. Learn the families of attacks: social engineering (phishing, pretexting, business email compromise), malware (ransomware, trojans, worms, rootkits, logic bombs), and network and application attacks (DDoS, on-path, injection, replay). For each, study the mitigation: segmentation, hardening, patching, least privilege. The exam almost always pairs a threat with “what is the best way to reduce it?”

3. Security Architecture (18%)

This is about designing systems that fail safely. Compare architecture models — on-premises, cloud, serverless, microservices, IoT and ICS/SCADA — and the security trade-offs of each. Study data protection: classification, encryption at rest and in transit, tokenisation, masking and data loss prevention. Then resilience and recovery: high availability, load balancing, backups (and the 3-2-1 rule), and recovery sites (hot, warm, cold). Think about where a control belongs and why a design reduces risk, rather than memorising product names.

4. Security Operations (28%)

The most heavily weighted domain, and the most hands-on. It spans identity and access management (provisioning, MFA, SSO, federation, privileged access management), monitoring with a SIEM and log sources, vulnerability management (scanning, prioritising, remediating), hardening and asset management, automation, and the phases of incident response (preparation, detection, analysis, containment, eradication, recovery, lessons learned) plus basic digital forensics. Most PBQs live here, so this is where lab practice pays off the most.
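The log-analysis and detection side of this domain is easiest to understand by building a tiny detector yourself. The following Python is an added example, not material from the original guide: it parses constructed OpenSSH-style authentication lines (the sample log, timestamps and addresses are all made up for the example) and raises an alert when one source address accumulates a burst of failed logins inside a sliding window, escalating the alert if that same source then logs in successfully. The threshold and window values are assumptions a SIEM analyst would tune to their environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real host); the format mimics OpenSSH
# authentication logging with an ISO-8601 timestamp prefix.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2024-05-01T10:00:09 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2024-05-01T10:00:20 sshd[1203]: Failed password for root from 203.0.113.5 port 51251 ssh2
2024-05-01T10:00:31 sshd[1204]: Failed password for alice from 203.0.113.5 port 51263 ssh2
2024-05-01T10:00:44 sshd[1205]: Failed password for alice from 203.0.113.5 port 51270 ssh2
2024-05-01T10:00:58 sshd[1206]: Failed password for alice from 203.0.113.5 port 51281 ssh2
2024-05-01T10:01:10 sshd[1207]: Accepted password for alice from 203.0.113.5 port 51290 ssh2
2024-05-01T10:03:02 sshd[1301]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2024-05-01T10:03:15 sshd[1302]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
2024-05-01T10:05:00 sshd[1401]: Failed password for carol from 192.0.2.9 port 33001 ssh2
2024-05-01T10:15:00 sshd[1402]: Failed password for carol from 192.0.2.9 port 33002 ssh2
2024-05-01T10:25:00 sshd[1403]: Failed password for carol from 192.0.2.9 port 33003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text: str) -> list:
    """Normalise raw lines into events; lines that do not match are skipped
    (a real SIEM would count those so that parser gaps are visible)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events: list, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> list:
    """Raise one alert per source that reaches `threshold` failures inside a sliding
    window (assumed tuning values), and escalate it if that source later succeeds."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    attempted = defaultdict(set)  # src -> usernames tried
    alerts = {}
    for e in events:
        src = e["src"]
        if e["outcome"] == "Failed":
            q = recent[src]
            q.append(e["ts"])
            attempted[src].add(e["user"])
            while e["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if src in alerts:
                alerts[src]["failures"] += 1
                alerts[src]["last"] = e["ts"]
            elif len(q) >= threshold:
                alerts[src] = {"src": src, "failures": len(q), "first": q[0],
                               "last": e["ts"], "success_after_burst": False}
        elif src in alerts:
            # A success from an already-flagged source is the event worth paging on.
            alerts[src]["success_after_burst"] = True
    for src, alert in alerts.items():
        alert["users"] = sorted(attempted[src])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the detector ignores the single typo from 198.51.100.7 and the three slow failures from 192.0.2.9 (spread across 20 minutes, outside the 5-minute window), and flags only 203.0.113.5, whose six failures against three accounts are followed by a success. That "failure burst, then success" shape is the pattern to correlate in a SIEM rule; the containment, eradication and lessons-learned steps then follow the incident response phases listed above.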

5. Security Program Management and Oversight (20%)

The governance domain that technical candidates love to skip — and lose easy marks on. Learn the hierarchy of governance (policies, standards, procedures, guidelines), the risk management process (identification, assessment, response, monitoring, registers, appetite and tolerance), third-party / vendor risk, and compliance and audits. Treat it as seriously as the technical domains; it is a full fifth of the exam and the questions are usually straightforward once you know the vocabulary.

Quick-reference cheat sheet

Acronym       Meaning
CIA           Confidentiality, Integrity, Availability
AAA           Authentication, Authorization, Accounting
MFA           Multi-Factor Authentication
SSO           Single Sign-On
PKI           Public Key Infrastructure
SIEM          Security Information and Event Management
IDS / IPS     Intrusion Detection / Prevention System
DLP           Data Loss Prevention
EDR           Endpoint Detection and Response
TLS           Transport Layer Security
CRL / OCSP    Certificate Revocation List / Online Certificate Status Protocol
SOAR          Security Orchestration, Automation and Response

How to practise (without dumps)

Build a small lab to make the concepts real: a couple of virtual machines, a firewall or pfSense, and a free SIEM trial are enough to practise hardening, log analysis and IAM. Work from the official objectives as a checklist, and treat any site advertising “real exam questions” as both a policy violation and a copyright risk — using them can get your certification revoked. Finish your preparation with full-length, timed reviews to build stamina and surface weak areas.

After you pass

Security+ is valid for three years and renews through CompTIA’s continuing education programme (including by earning a higher certification). A natural next step for analyst roles is CySA+, which goes deeper into security operations and detection.

Key concepts to master

CIA triad
Confidentiality, Integrity, Availability — the lens behind almost every security decision. Add non-repudiation as a close fourth.
Control categories vs types
Categories: technical, managerial, operational, physical. Types: preventive, deterrent, detective, corrective, compensating, directive. Expect to classify a control as both.
Defense in depth
Layered controls so that no single failure is catastrophic.
Zero trust
Never trust, always verify. Know the control plane vs data plane and the policy engine / administrator / enforcement point split.
Symmetric vs asymmetric encryption
One shared key (fast, bulk data) versus a public/private key pair (key exchange, signatures). Hybrid systems use both.
PKI
Certificates and certificate authorities that bind identities to public keys; know CSRs, revocation (CRL/OCSP) and chains of trust.
AAA
Authentication, Authorization, Accounting — the backbone of access control (RADIUS, TACACS+).
Hashing vs encryption
Hashing is one-way (integrity, password storage with salt); encryption is reversible (confidentiality).
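The hashing-versus-encryption and salting points above (and the cryptography fundamentals in domain 1) are the kind of thing that sticks once you have seen them in code. The following Python is an added example, not part of the original guide: it stores a password as a salted PBKDF2 digest (one-way, verifiable but not recoverable) and contrasts that with a symmetric encrypt/decrypt round trip protected by an HMAC integrity tag. The stream construction used for encryption is a teaching-only keystream built from HMAC-SHA256 in counter mode so that the block runs on the standard library alone; it is not a vetted cipher, and the iteration count is an assumed value, not a recommendation.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed work factor for the demonstration; real deployments tune this for their hardware.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """One-way: derive a salted digest for storage. The salt is random per user and is
    stored next to the digest; it is not secret, it just defeats precomputed tables."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest and compare in constant time; the password is never recovered."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, stored)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate keys for confidentiality and integrity from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Teaching-only keystream (HMAC-SHA256 in counter mode). Not a vetted cipher; it is
    here only to show that symmetric encryption reverses cleanly given the key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Reversible: returns nonce || ciphertext || HMAC tag. The tag is a keyed hash that
    provides integrity, so tampering is caught before anything is decrypted."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then reverse the keystream; wrong key or altered bytes fail."""
    if len(blob) < 12 + 32:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: altered message or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Run both contrasts end to end and return the observations as booleans."""
    pw = "correct horse battery staple"           # constructed sample password
    salt, digest = hash_password(pw)
    _, digest_other_salt = hash_password(pw)     # same password, fresh salt
    key = secrets.token_bytes(32)
    message = b"account balance: 42"             # constructed sample payload
    blob = encrypt(key, message)
    tampered = bytearray(blob)
    tampered[12] ^= 0x01                         # flip one ciphertext bit
    try:
        decrypt(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "password_verifies": verify_password(pw, salt, digest),
        "wrong_password_rejected": not verify_password(pw.capitalize(), salt, digest),
        "same_password_different_salt_differs": digest != digest_other_salt,
        "decrypt_round_trips": decrypt(key, blob) == message,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two halves answer the exam's favourite contrast directly: `verify_password` can only confirm a guess against the stored digest, while `decrypt` returns the original bytes because the key is available. The salt line shows why two users with the same password do not share a digest, and the tag check shows hashing doing integrity work (HMAC) alongside encryption doing confidentiality.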

FAQ

How long does it take to study for Security+?
Most people need 60–90 hours, often 6–10 weeks part-time. An IT background shortens this; complete beginners should plan for the longer end.
Do I need to do labs for Security+?
Yes. The exam includes performance-based questions that simulate real tasks, so practising configuration and analysis beats memorising definitions.
Can I pass Security+ with free resources?
Many people do, by pairing the official objectives with free videos, hands-on practice, and full-length timed reviews. Paid courses can save time but are not required.
Is Security+ multiple choice only?
No. It mixes multiple choice with performance-based questions (PBQs) that ask you to complete a task, such as configuring a setting or analysing output.