DEV Community: NERDEXAM

What's Actually Tested on AZ-305

NERDEXAM — Wed, 17 Jun 2026 14:02:02 +0000

What Is on the AZ-305 Exam, and How Should You Prepare?

The AZ-305 Designing Microsoft Azure Infrastructure Solutions exam is not a knowledge quiz. It is a scenario-based assessment that asks you to make architectural decisions under constraint - balancing cost, security, performance, and operational maturity across four core domains. Candidates who pass are not just familiar with Azure services; they can reason through trade-offs and justify a design choice against competing options. If you want to calibrate where your gaps actually are before diving into study, practice with free AZ-305 questions on NerdExam and see how you perform against real scenario formats.

The exam targets architects and senior engineers who are expected to translate business requirements into technical designs. The four domains - design infrastructure solutions, design identity, governance, and monitoring solutions, design data storage solutions, and design business continuity solutions - map directly to the decisions a cloud architect makes every day. Here is what each domain tests, and more importantly, how you need to think to answer correctly.

Domain 1: Design Infrastructure Solutions

This domain covers compute, networking, and migration architecture. The core skill is not knowing which Azure services exist - it is knowing when to use one over another, and why.

The decision framework: Every infrastructure question puts a constraint in front of you: lift-and-shift urgency, a specific SLA requirement, a team with no containerization experience, a workload with unpredictable traffic spikes. Your job is to match those constraints to the right architecture tier.

Consider the compute layer. Azure has at minimum four distinct ways to run application code - Virtual Machines, Azure Kubernetes Service, App Service, and Azure Container Apps - and the exam tests your ability to distinguish them by fit, not by definition. The question is never "what is AKS?" The question is "given a team that already manages Helm charts and needs node-level GPU access, which compute option is correct?" That is a different cognitive task.

Worked example: A company needs to migrate a monolithic .NET application with stateful Windows services and a dependency on a third-party COM component. The team wants minimal rearchitecting and a six-week timeline. The answer is Azure Virtual Machines, probably with Azure Migrate to lift the existing workload. App Service would require rearchitecting the COM dependency. AKS would require containerization. The constraint - COM dependency and zero rearchitect budget - makes VM the defensible choice even if containers are the cleaner long-term path.

Networking architecture within this domain is equally scenario-heavy. Hub-and-spoke topology, Azure Virtual WAN, peering versus VPN Gateway, private endpoints versus service endpoints - these all appear in scenarios that require you to reason about traffic flow, latency, and cost at scale, not just recite definitions.

Domain 2: Design Identity, Governance, and Monitoring Solutions

This domain is where many candidates underestimate the complexity. It tests three distinct skill sets that share a single domain bucket: identity and access design, policy and governance architecture, and observability strategy.

The decision framework for identity: Microsoft Entra ID scenarios require you to understand federation, B2B versus B2C, Conditional Access, and Privileged Identity Management at an architectural level. The key discriminator is usually trust boundary - where does the identity originate, and how much control does your tenant have over it?

For governance, the exam consistently tests management group hierarchy design and Azure Policy versus RBAC as enforcement mechanisms. The distinction matters: RBAC controls what a principal can do with a resource after it exists; Azure Policy controls what resources can exist in the first place. An exam scenario that says "the company needs to ensure no storage accounts are created without private endpoints" is testing Policy, not RBAC.

Worked example: A financial services company with three subsidiaries needs each subsidiary to manage its own resources while a central security team enforces encryption-at-rest and approved regions. The correct architecture uses a management group hierarchy with the company root at the top, one management group per subsidiary below it, and policy assignments at the root level for compliance requirements. Subscription-level RBAC then grants each subsidiary team Contributor rights within their own subscriptions. RBAC alone cannot prevent a subsidiary from creating non-compliant resources; only Policy at a parent scope achieves that.

For monitoring, the exam tests the integration between Azure Monitor, Log Analytics workspaces, Diagnostic Settings, and Microsoft Defender for Cloud. The architectural question is typically about workspace design - centralized versus distributed - and the trade-offs between cost (ingestion, egress) and operational simplicity.

Domain 3: Design Data Storage Solutions

This domain covers relational databases, NoSQL, object storage, caching, and data integration. The surface area is large, but the exam focuses tightly on selection criteria and architecture patterns rather than service internals.

The decision framework: Every data storage question has at least one constraint that rules out most options. Query pattern, consistency requirement, data volume, geographic distribution, and team SQL familiarity are the most common discriminators. Learn these as filters, not as a memorization list.

Azure SQL Database, Azure SQL Managed Instance, and SQL Server on VMs form a spectrum. SQL Database is PaaS with the highest abstraction and lowest operational overhead. Managed Instance adds near-full SQL Server compatibility, including SQL Agent, linked servers, and cross-database queries. SQL on VMs is for scenarios where OS-level access, specific SQL Server versions, or third-party integrations require control that PaaS tiers cannot provide.

Worked example: A legacy application uses SQL Server's cross-database queries and SQL Agent jobs extensively. The team wants to reduce patching overhead and move to Azure. Azure SQL Database does not support cross-database queries or SQL Agent. SQL on VMs removes the patching benefit. Azure SQL Managed Instance supports both features and provides managed patching. This is exactly the Managed Instance design sweet spot the exam targets repeatedly.

For NoSQL storage, Cosmos DB questions test partition key selection strategy - the architectural decision with the largest downstream consequence in Cosmos designs. An exam scenario will describe an access pattern and ask you to identify the correct partition key; the right answer minimizes cross-partition queries for the hot path. The AZ-305 study guide on NerdExam covers data storage decision trees in depth and is worth working through alongside official Microsoft documentation.

Domain 4: Design Business Continuity Solutions

This domain is deceptively specific. It does not test general availability concepts - it tests Azure's concrete mechanisms for backup, disaster recovery, and high availability, and when to use which one.

The decision framework: Every business continuity question begins with two numbers: the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). RTO is how long you can be down; RPO is how much data you can afford to lose. These two constraints drive the entire architecture. A workload with a 4-hour RTO and 1-hour RPO has completely different design requirements than one with a 15-minute RTO and near-zero RPO.

Azure Site Recovery, Azure Backup, geo-redundant storage with failover, and Always On availability groups for SQL are the primary mechanisms. The exam tests your ability to match RTO/RPO requirements to the right mechanism and configuration - not just to name the service, but to defend why it fits while the alternatives do not.

Worked example: A company runs a Tier-1 ERP application on SQL Server in Azure VMs. The business requires a 30-minute RTO and a 5-minute RPO after a regional failure. Azure Backup alone cannot meet either target - restore times for VMs typically exceed 30 minutes, and backup frequency cannot achieve a 5-minute RPO. The correct design uses Azure Site Recovery for VM replication (enabling near-zero RPO and sub-30-minute failover) combined with SQL Always On availability groups with a replica in the secondary region for the database layer specifically. Azure Backup remains appropriate for long-term retention, but it is not the DR mechanism here.

Availability Zones versus regional redundancy is another recurring decision in this domain. Availability Zones protect against datacenter-level failure within a region; they do not protect against regional outages. Exam scenarios that describe a legal requirement to maintain data within a single geography while surviving a datacenter fire are testing Availability Zone design, not geo-redundancy.

Pulling It Together

The AZ-305 rewards architects who think in constraints rather than catalogs. Memorizing Azure services is insufficient - the exam presents realistic scenarios where three different services could all technically work, and your job is to identify which one fits the specific combination of requirements in front of you.

Practical preparation involves working through scenario-based questions that reflect actual exam depth. The full AZ-305 exam catalog on NerdExam gives you a structured view of coverage alongside practice resources aligned to each domain. Study the decision frameworks above, practice applying them under timed conditions, and pay particular attention to scenarios where two options seem equally valid - those are the questions where understanding the trade-offs separates passing candidates from repeaters.

AWS Certified Developer Associate (DVA-C02): What's Actually Tested

NERDEXAM — Mon, 15 Jun 2026 14:02:31 +0000

The AWS Certified Developer Associate (DVA-C02) is the certification for
developers who build and deploy applications on AWS. The exam is $150, runs
130 minutes, has 65 questions, and requires 720 out of 1000 to pass. Most
candidates need 8 to 10 weeks of focused study on top of real development
experience. The questions are almost entirely scenario-based. You are not
reciting API names. You are picking the right Lambda concurrency model, the
right DynamoDB partition key design, or the right CodeDeploy deployment
strategy for a given situation. If you have spent a year writing code that
runs on AWS, you can pass without a course. If you have not, budget the full
10 weeks and build real serverless applications.

The 90-second answer

Take DVA-C02 if you write code for a living and your work runs on AWS.
It is the credential that proves you can build with Lambda, DynamoDB, API
Gateway, SQS, and the AWS SDK, not just click through the console. Hiring
managers at companies running serverless workloads specifically screen for
this cert, and it pairs well with SAA-C03 if you already have that one.

Skip DVA-C02 if you have never deployed a function to Lambda or read
from DynamoDB in production code. Start with AWS Cloud Practitioner
(CLF-C02) to build vocabulary, or work through SAA-C03 first if you want
the architecture angle before the coding angle. Going into DVA-C02 without
hands-on developer experience usually means a failed first attempt and
another $150.

What does the DVA-C02 actually test?

DVA-C02 tests four domains. The weights below are from the official AWS
exam guide and have been stable since the exam launched in 2023. Every
question maps to one of them.

Domain	Weight	What it covers
Development with AWS Services	32%	Lambda, containers, API Gateway, DynamoDB data modeling, SQS, SNS, EventBridge, Step Functions, SDK and CLI usage
Security	26%	IAM roles and policies, Cognito user pools and identity pools, KMS encryption, Secrets Manager, SSM Parameter Store, secure API access patterns
Deployment	24%	CI/CD with CodePipeline, CodeBuild, and CodeDeploy; SAM and CloudFormation; Elastic Beanstalk; canary, blue/green, and rolling deployment strategies
Troubleshooting and Optimization	18%	CloudWatch logs and metrics, X-Ray tracing, caching strategies, Lambda cold start optimization, cost and performance tuning

The exam rewards developers who have actually shipped code to AWS. A typical
question describes a scenario ("a Lambda function is hitting concurrency
limits during peak traffic, and the team needs to handle the overflow without
dropping events") and asks which combination of services and settings to
apply. You are choosing the solution that fits the stated constraints, not
the most sophisticated one.

If you have heard "DVA-C02 is all about knowing when NOT to use a service,"
that captures it well. Questions routinely give you four architectures that
all technically work and ask which one is cheapest, most scalable, or
easiest to maintain for a development team.

How hard is the DVA-C02?

DVA-C02 is a difficulty 3 out of 5. About the same difficulty as SAA-C03,
but the focus shifts from designing infrastructure to writing and deploying
application code. It is harder than AWS Cloud Practitioner (CLF-C02) and
much easier than AWS DevOps Engineer Professional (DOP-C02). Community
surveys suggest first-time pass rates are in the 65% to 75% range for
candidates who studied at least 6 weeks and had real development experience.

The hard parts are specific:

DynamoDB data modeling: partition keys, sort keys, GSIs, LSIs, and access patterns come up constantly, and wrong design decisions at the data layer break everything else
Lambda execution model: cold starts, concurrency limits (reserved vs. provisioned), event source mappings, and retry behavior are tested deeply
Security at the code level: knowing the difference between an IAM role attached to a Lambda, a Cognito identity pool, and a resource-based policy matters, and the exam distinguishes them carefully
"Pick TWO" multi-select questions where partial credit does not exist
Time pressure: 65 questions in 130 minutes is exactly 2 minutes per question, with no buffer for review

The most common failure pattern looks like this: candidate takes a video
course, never deploys a real serverless application, walks into the exam,
hits a DynamoDB access-pattern question at question 20, spends 5 minutes
second-guessing, and then rushes the CI/CD section. Final score: 690.
Build real applications in week 2, not week 9. Deploy a Lambda behind an
API Gateway with a DynamoDB table before you have finished your first week
of study.

How long should you study for DVA-C02?

AWS recommends at least 1 year of hands-on development experience with AWS
services and proficiency in at least one high-level language (Python, Java,
JavaScript, etc.) plus the AWS SDK and CLI. That baseline is baked into the
question difficulty. For actual study time on top of that experience:

With 1+ year AWS developer experience: 4 to 6 weeks at 8 to 10 hours per week
With 6 to 12 months AWS experience: 8 to 10 weeks at 8 to 10 hours per week
No AWS experience: 14 to 16 weeks, and you should take CLF-C02 or SAA-C03 first anyway
Coming from SAA-C03: 4 to 6 weeks; you already know the service landscape, now learn the SDK and coding patterns deeply

The biggest waste of study time is reading documentation without writing
code. Build at least three real projects in your AWS account: a Lambda
function triggered by SQS with a dead-letter queue for failures; an API
Gateway endpoint backed by Lambda with Cognito authorizer protecting it;
and a SAM template that deploys all of the above via CodePipeline. That
hands-on work is what makes the scenario questions click. Reading about
Lambda cold starts is forgettable. Debugging one in a real function is not.

A realistic week-by-week pace for an 8-week study plan looks like:

Week 1: IAM deeply (roles, policies, trust relationships), Lambda fundamentals, function execution model
Week 2: API Gateway (REST and HTTP APIs), Lambda integrations, Cognito user pools and identity pools
Week 3: DynamoDB data modeling (partition keys, GSIs, query vs. scan, DAX caching)
Week 4: SQS, SNS, EventBridge, Step Functions (event-driven patterns)
Week 5: CodePipeline, CodeBuild, CodeDeploy, Elastic Beanstalk (CI/CD and deployment strategies)
Week 6: CloudFormation and SAM, ECS and Fargate basics, S3 events and presigned URLs
Week 7: CloudWatch, X-Ray, KMS, Secrets Manager, SSM Parameter Store, security and observability
Week 8: Practice exams, weak-area cleanup, exam-day pacing drills

Most failures happen because candidates treat this like SAA-C03 and focus
on architecture breadth. DVA-C02 goes narrow and deep on the developer
services. Lambda, DynamoDB, and the CI/CD pipeline together cover well over
half the exam.

What does the DVA-C02 cost?

The exam itself is $150 USD plus any local taxes. Beyond that, real total
cost depends on your study path:

Component	Range	Notes
Exam fee	$150	One attempt. Retake is another $150 if you fail.
Study course	$0 to $150	Stephane Maarek's DVA-C02 course on Udemy at ~$15 during sales
Practice questions	$0 to $50	NerdExam has 803 DVA-C02 questions if you want a free option
AWS lab costs	$20 to $60	Free tier covers most Lambda and DynamoDB usage; watch your API Gateway call counts
Books or whitepapers	$0	AWS Well-Architected Framework and Serverless Application Lens are free
Total realistic spend	$150 to $400	Cheapest viable path: $150 (exam only)

AWS offers a 50% retake voucher if you fail your first attempt, but only if
you book the retake within 14 days. AWS also drops 50% vouchers for
completing Skill Builder learning plans, so check your Skill Builder account
before you pay full price.

What salary can you expect after passing?

DVA-C02 sits in the developer tier, which commands a solid premium over
generalist development roles. Developers who can demonstrate AWS-specific
skills in Lambda, DynamoDB, and CI/CD pipelines routinely close the gap
with their infrastructure-focused peers. 2026 salary estimates from US job
boards show:

Cloud developer or software engineer (cloud): $110,000 to $150,000
Back-end developer with AWS skills: $100,000 to $140,000
DevOps-leaning developer roles: $120,000 to $160,000
With 3+ years and SAA-C03 plus DVA-C02: $160,000 and up at companies running serverless-first workloads

The cert alone does not deliver those numbers. It signals to hiring managers
that you know how to use AWS as a developer, not just as a console user. The
salary lift is most visible at companies running heavily on Lambda and
managed services, where DVA-C02 skills are directly billable.

A practical note on negotiation: if you pass DVA-C02 while currently
employed, bring it up before your next performance cycle, not after. The
cert validates a skill set your employer is already benefiting from. Internal
moves with a fresh DVA-C02 alongside real AWS production work historically
clear 8 to 15% base bumps. External moves with DVA-C02 plus 1 to 2 years of
serverless development experience routinely clear 20 to 30%.

What study resources actually work?

The candidates who pass on the first attempt use a consistent stack:

One video course for breadth. Stephane Maarek's "Ultimate AWS Certified Developer Associate" on Udemy is the community favorite at around $15 on sale. It covers the SDK patterns and DynamoDB modeling in more depth than most alternatives.
The AWS Serverless Application Model (SAM) documentation (free). Read the full developer guide and deploy a real SAM application. SAM questions appear on every sitting.
A free AWS account for hands-on labs (set a $10 billing alert immediately; Lambda and DynamoDB free tiers are generous but API Gateway and X-Ray add up quickly in lab scenarios)
At least 500 practice questions before exam day to build pacing and expose weak areas in DynamoDB and deployment strategies
Two full-length timed practice exams in the final week. Take them on a Saturday morning, treat them like the real exam, score honestly. If you are below 75% on the second one, postpone the real exam.

Skip the brain-dump sites. AWS refreshes DVA-C02 questions regularly, and
the scenario-based format means memorized answers fail in practice anyway.
Reddit's r/AWSCertifications has the most current crowd-sourced advice on
which resources are working this quarter.

For the practice question portion, NerdExam has 803 enriched DVA-C02
questions with full explanations. Start practicing DVA-C02 questions
to see the question style before you commit to a study plan. The free
explanations show you the reasoning pattern the exam expects, especially for
DynamoDB access patterns and Lambda concurrency, which are harder to absorb
from videos than from working through the questions.

Who should NOT take DVA-C02?

The cert is wrong for these candidates:

You are	Take instead
New to cloud entirely	AWS Cloud Practitioner (CLF-C02) first
Focused on cloud architecture and design, not coding	AWS Solutions Architect Associate (SAA-C03)
An infrastructure or ops engineer, not a developer	AWS SysOps Administrator (SOA-C02)
A non-developer who wants a cloud credential	SAA-C03 or CLF-C02 - DVA-C02 assumes you write application code
Already holding SAA-C03 and targeting a senior architecture role	Solutions Architect Professional (SAP-C02) is the higher-leverage move

The path matters more than the individual cert. DVA-C02 is excellent when
your daily work involves writing and deploying application code on AWS. It
is a poor use of 8 weeks if your role lives in Terraform and CloudFormation
templates and you rarely touch the SDK. Hiring managers do not penalize
architects for skipping DVA-C02; they penalize developers who cannot explain
why their Lambda function is timing out.

What's next after DVA-C02?

Once DVA-C02 is in hand, three paths open up depending on where you want
to go:

DevOps and operations track: AWS DevOps Engineer Professional (DOP-C02) is the natural step up. It builds directly on DVA-C02's CI/CD and deployment knowledge and adds infrastructure automation, monitoring at scale, and incident response. Most developers do this 12 to 18 months after DVA-C02.
Architecture breadth track: Add SAA-C03 if you do not already have it, or SOA-C02 for the operations angle. Holding DVA-C02 plus SAA-C03 covers both the build and design sides and makes you competitive for senior cloud engineer roles.
Specialty track: AWS Certified Security (SCS-C02) pairs exceptionally well with DVA-C02. The security domain is 26% of DVA-C02, and SCS-C02 deepens that into a standalone credential for developers working in regulated industries.

Most people take 12 to 24 months between DVA-C02 and their next cert. Use
that time to ship real Lambda and serverless production work. The cert pays
off when hiring managers see it alongside actual shipped applications, not
when it is the only AWS line on your resume.

Ready to start? Practice with real DVA-C02 questions on NerdExam
or jump straight into the free per-question explanations.
The official AWS exam guide is also worth reading first:
AWS Certified Developer Associate exam page.

AWS Certified Cloud Practitioner (CLF-C02): What's Actually Tested

NERDEXAM — Sun, 14 Jun 2026 14:01:52 +0000

The AWS Certified Cloud Practitioner (CLF-C02) is the foundational AWS cert and
the most common first step into cloud careers. The exam is $100, runs 90
minutes, has 65 questions, and requires 700 out of 1000 to pass. Most
candidates need 2 to 6 weeks of part-time study. The questions are mostly
definitional and conceptual, not deeply technical. If you already work near
cloud or IT, you can pass in a couple of weekends. If you're brand new to
technology entirely, budget the full 6 weeks and watch a full course.

The 90-second answer

Take CLF-C02 if you're new to cloud and want a recognized credential that
proves you understand the AWS vocabulary, the shared responsibility model, and
how billing works. It's the right first cert for career switchers, salespeople,
project managers, recruiters, and anyone supporting cloud teams without writing
infrastructure code.

Skip CLF-C02 if you already have hands-on AWS experience and a technical
role. If you can comfortably describe EC2, S3, VPC, and IAM from real work, go
straight to AWS Solutions Architect Associate (SAA-C03). CLF-C02 is foundational
on purpose. Hiring managers for engineering roles rarely weight it, and you'll
get more career return from the associate-level cert.

What does the CLF-C02 actually test?

CLF-C02 tests four domains. The current weights took effect with the C02 version
in 2023 and shifted security up and billing down compared to the old C01 exam.
Every scored question maps to one of these.

Domain	Weight	What it covers
Cloud Concepts	24%	Benefits of cloud, the AWS Cloud value proposition, cloud economics, the Well-Architected Framework, migration basics
Security and Compliance	30%	Shared responsibility model, IAM, AWS compliance programs, security services (GuardDuty, Shield, WAF), data protection
Cloud Technology and Services	34%	Core compute, storage, networking, database services, ways to deploy and operate, AWS global infrastructure
Billing, Pricing, and Support	12%	Pricing models, Cost Explorer, Budgets, the Pricing Calculator, support plans, account structures

The exam is light on tradeoffs and heavy on definitions. A typical question
describes a need ("a company wants to reduce the operational burden of patching
servers") and asks which AWS concept or service fits. You're matching the right
term to the right scenario, not designing an architecture.

If you've heard CLF-C02 called "the AWS vocabulary test," that's a fair summary.
Knowing what each service does matters far more than knowing how to configure it.

How hard is the CLF-C02?

CLF-C02 is a difficulty 1.5 out of 5. It's the easiest AWS cert and one of the
easier entry IT certs overall. Easier than CompTIA A+, much easier than AWS
Solutions Architect Associate (SAA-C03). AWS doesn't publish pass rates, but
community surveys put first-time pass rates well above 80% for candidates who
studied even two weeks.

The exam is approachable, but people still fail it. The common reasons:

Underestimating it and walking in with zero study, expecting general tech knowledge to carry them
Confusing similar service names (Inspector vs Macie vs GuardDuty, or EBS vs EFS vs S3)
Missing the shared responsibility model, which shows up repeatedly and trips up people who guess instead of memorizing the line between "AWS" and "you"
Skipping billing and support plans because the domain is only 12%, then losing easy points

Pacing is not a concern here. 65 questions in 90 minutes is roughly 1.4 minutes
per question, which is generous. Most candidates finish with 30 minutes to spare.

The most common failure pattern is overconfidence. Someone reads "foundational,"
assumes it means trivial, studies for an afternoon, and gets caught on the
service-identification questions. Two focused weeks beats one rushed evening
every time.

How long should you study for CLF-C02?

AWS recommends about 6 months of general AWS exposure before CLF-C02, but unlike
the associate exams, you can pass this one with study alone and no production
experience. Realistic study time:

With any IT or cloud background: 1 to 2 weeks at 5 to 8 hours per week
Career switcher, non-technical: 4 to 6 weeks at 5 to 8 hours per week
Already work adjacent to AWS (sales, PM, support): 2 to 3 weeks, mostly to learn service names and the billing model
Coming from Azure or GCP fundamentals: 1 week to map equivalent terms

The biggest time waster is over-studying. People watch a 14-hour course twice
and grind 1,000 practice questions for an exam that mostly asks "what does this
service do." You do not need labs for CLF-C02, though spinning up one free-tier
EC2 instance and one S3 bucket makes the concepts stick faster than any video.

A realistic week-by-week pace for a 4-week plan looks like:

Week 1: Cloud concepts, the six benefits of cloud, the Well-Architected Framework, global infrastructure (Regions, Availability Zones, edge locations)
Week 2: Core services. Compute (EC2, Lambda), storage (S3, EBS, EFS), databases (RDS, DynamoDB), networking (VPC, Route 53, CloudFront)
Week 3: Security and compliance. Shared responsibility model, IAM, security services, AWS Artifact and compliance programs
Week 4: Billing and support. Pricing models, Cost Explorer, Budgets, support plans, then practice exams and weak-area cleanup

Most people who fail skip week 3. Security and Compliance is the second-heaviest
domain at 30%, and the shared responsibility model alone shows up in several
questions.

What does the CLF-C02 cost?

The exam itself is $100 USD plus any local taxes. Beyond that, real total cost
depends on your study path:

Component	Range	Notes
Exam fee	$100	One attempt. Retake is another $100 if you fail.
Study course	$0 to $20	AWS Skill Builder has a free official course; Stephane Maarek or Neal Davis on Udemy run ~$15 during sales
Practice questions	$0 to $30	NerdExam has 893 CLF-C02 questions if you want a free option
AWS lab costs	$0	Free tier covers everything you'd touch for this cert
Books or whitepapers	$0	AWS Cloud Adoption Framework and Well-Architected PDFs are free
Total realistic spend	$100 to $150	Cheapest viable path: $100 (exam only)

AWS offers a 50% retake voucher if you fail your first attempt, but only if you
book the retake within 14 days. AWS also runs free digital training through
Skill Builder, and the AWS Educate program offers exam vouchers to eligible
students, so check before paying full price.

What salary can you expect after passing?

CLF-C02 is a door-opener, not a salary multiplier. It signals cloud literacy for
entry roles and adjacent positions, but it doesn't carry the earning power of the
associate and professional certs. 2026 US salary data from job boards shows:

Entry-level cloud support or associate roles: $65,000 to $85,000
Cloud-adjacent roles (sales engineering, project coordination, recruiting): $75,000 to $95,000
National average for CLF-C02 holders early in a cloud career: roughly $85,000
With CLF-C02 plus 2 to 3 years experience: $95,000 to $120,000, usually after adding an associate cert

The honest framing: CLF-C02 helps you get the interview and clear an HR keyword
filter, but it rarely moves a salary number on its own. The real jump comes when
you pair it with hands-on work and follow up with SAA-C03 or a developer cert.
Treat CLF-C02 as the cheapest, fastest way to prove you belong in cloud
conversations, then climb from there.

What study resources actually work?

Candidates who pass on the first attempt tend to use a small, simple stack:

One video course for breadth. AWS Skill Builder's official Cloud Practitioner Essentials course is free; Stephane Maarek's Udemy course (around $15 on sale) is the community favorite for a slightly faster pace
The AWS Cloud Adoption Framework and Well-Architected overview (free PDFs, short reads that map directly to the Cloud Concepts domain)
The shared responsibility model diagram, printed and memorized. It is the single highest-yield page for this exam
At least 200 practice questions to learn the service-identification style and find your weak domains
One full-length timed practice exam in your final few days. If you score above 80%, you're ready. CLF-C02 doesn't need two or three full mocks the way the associate exams do

Skip the bootcamps. A $300 course for a $100 foundational exam is poor value.
Skip the printed books, which go stale as AWS renames and adds services. Reddit's
r/AWSCertifications has current crowd-sourced advice on which free resources are
working this quarter.

For the practice question portion, NerdExam has 893 enriched CLF-C02 questions
with full explanations. Start practicing CLF-C02 questions
to see the question style before you commit to a study plan. The free question
explanations show you the service-matching pattern the exam expects, which is the
exact skill CLF-C02 rewards.

Who should NOT take CLF-C02?

The cert is wrong for these candidates:

You are	Take instead
An engineer with real AWS production experience	AWS Solutions Architect Associate (SAA-C03) directly
A developer building on AWS	AWS Certified Developer Associate (DVA-C02)
A SysOps or operations admin	AWS Certified SysOps Administrator (SOA-C02)
Already holding any AWS associate cert	Skip CLF-C02 entirely. It's foundational and adds nothing on top
Working primarily in Azure or GCP	The matching Azure (AZ-900) or Google (Cloud Digital Leader) fundamentals cert. Don't context-switch unless your job requires AWS

The risk with CLF-C02 is spending money to prove something you've already
outgrown. If you can already explain the core services from memory, the exam is
a formality that won't change how hiring managers see you. Foundational means
foundational. Use it as a starting line, not a destination.

What's next after CLF-C02?

Once CLF-C02 is in hand, the path forward is clear:

Architect track: AWS Solutions Architect Associate (SAA-C03). The natural, highest-value next step and the cert most cloud job postings actually ask for. Most people move here within 3 to 6 months of CLF-C02
Developer track: AWS Certified Developer Associate (DVA-C02) if you write application code that runs on AWS
Operations track: AWS Certified SysOps Administrator (SOA-C02) if you run and monitor infrastructure
Multi-cloud literacy: Azure Fundamentals (AZ-900) or Google Cloud Digital Leader if your organization runs more than one cloud

Most people take 1 to 4 months between CLF-C02 and an associate cert. Use that
time to get real hands-on practice in a free-tier account. CLF-C02 proves you
know the words. The associate certs prove you can build, and that's where the
salary lives.

Ready to start? Practice with real CLF-C02 questions on NerdExam
or browse the free per-question explanations.
The AWS Cloud Practitioner Essentials course is also worth working through first:
start it on AWS Skill Builder.

CompTIA Security+ Study Guide: A 10-Week Plan for SY0-701

NERDEXAM — Mon, 08 Jun 2026 14:01:58 +0000

The CompTIA Security+ SY0-701 exam is the most popular entry-level
cybersecurity certification and one of the most-cited credentials in
DoD 8140 baseline job postings. Pass at 750 out of 900. 90 questions in
90 minutes. $404 USD per attempt. Most candidates need 8 to 12 weeks of
focused study to pass on the first try. This guide is the actual
week-by-week plan, the resources that work, and the exam-day mistakes
that cost people their voucher.

The 90-second answer

Plan 10 weeks at 8 to 10 hours per week. Professor Messer's free
YouTube series carries the instruction. NerdExam covers the practice
questions. A printed exam objectives document is your single source of
truth for scope. That's the entire stack. Total cash spend if you
self-fund: $404 for the voucher.

Add Mike Chapple's Sybex book if you prefer reading to watching.
Add CertMaster Labs ($175) if you have zero hands-on security
experience. Skip the $300 bootcamps. They compress 10 weeks of
material into 1 week of cramming and the retention rate is terrible.

The first-attempt pass rate among candidates who score 80%+ on three
full timed practice exams (90 questions, 90 minutes, no breaks) is
roughly 90%. The pass rate among candidates who skip practice exams is
roughly 50%. Practice exams are the single most useful activity in
this plan and the easiest to skip.

How long should I study for Security+?

Most candidates need 8 to 12 weeks at 8 to 10 hours per week. The
honest variance comes from prior experience, not study material
quality.

Your background	Realistic study window
2+ years IT admin experience, no security focus	8 to 10 weeks
Active sysadmin or net admin role	6 to 8 weeks
Network+ certified, some security exposure	6 to 8 weeks
Career changer with no IT background	14 to 18 weeks; consider Network+ first
Active SOC analyst or security engineer	4 to 6 weeks for refresher only
College student studying cybersecurity	10 to 14 weeks

The biggest predictor of pass-on-first-try is hands-on time, not study
hours. Two candidates with the same 80 hours of study will see very
different scores if one of them did command-line work (nmap, Wireshark
captures, SSH key generation) and the other watched videos. Build at
least 20 hours of lab time into the 10-week plan.

What's actually tested on Security+ SY0-701?

Security+ SY0-701 tests five domains. CompTIA updated the weights when
they retired SY0-601 in mid-2024. Every question maps to one domain.

Domain	Weight	What it covers
General Security Concepts	12%	CIA triad, AAA, change management, cryptographic solutions, zero trust
Threats, Vulnerabilities, and Mitigations	22%	Threat actors, attack surfaces, malware classification, vuln analysis, indicators of compromise
Security Architecture	18%	Network, infra, application, and cloud security architecture; resilience and recovery
Security Operations	28%	Hardening, asset management, vuln management, monitoring, incident response, forensics
Security Program Management and Oversight	20%	Risk, governance, audit, vendor assessment, security awareness, compliance

Two domains carry 50% of the weight: Security Operations (28%) and
Threats / Vulnerabilities / Mitigations (22%). Spend the most study
time there and the math works in your favor.

The exam mix is roughly 75% multiple-choice and 25% performance-based
questions (PBQs). PBQs are simulated environments where you might be
asked to drag firewall rules into the right order, classify network
traffic from a Wireshark snippet, or identify the attack from a syslog
sample. PBQs are time-expensive and stress-inducing. Plan to skip them
on the first pass and return when you've answered the easier MCQs.

How do I structure a 10-week study plan?

The 10-week structure below tracks the official exam objectives in
roughly the order CompTIA presents them, with the heaviest-weight
domains getting extra time. Hours assume 8 to 10 hours per week.

Week	Focus	Deliverable
1	General security concepts, CIA, AAA, change management	Watch Messer 1.1-1.4, write a 1-page CIA summary in your own words
2	Cryptographic solutions, PKI, hashing, key exchange	Generate an RSA key pair, sign and verify a file with openssl, document the steps
3	Threat actors, attack surfaces, social engineering	Map a phishing email's red flags. Read CISA's Known Exploited Vulnerabilities catalog.
4	Malware classification, indicators of compromise	Capture a process tree on your own machine. Identify 3 normal vs 3 suspicious patterns.
5	Network and infra security architecture, zero trust	Build a home lab firewall (pfSense or OPNsense in a VM). Configure two zones.
6	Application and cloud security architecture	Walk through OWASP Top 10. Run a SQL injection demo on a deliberately vulnerable app.
7	Security operations: hardening, monitoring, incident response	Set up Splunk Free or Wazuh. Ingest your own VM logs. Build 2 alert rules.
8	Forensics, automation, vendor management	Take 2 full practice exams under timed conditions. Score honestly.
9	Risk, governance, audit, compliance frameworks	Map NIST CSF v2.0 functions to specific Azure or AWS services.
10	Practice exams + weak-area cleanup	Take 3 timed practice exams. Postpone exam if you're not at 80%+.

The single biggest miss in self-study plans is skipping week 8 lab
work for incident response. Roughly a quarter of SY0-701 questions
expect you to know what a real alert looks like, what triage steps
follow, and what evidence preservation requires. Reading about it
doesn't stick. Configuring Splunk or Wazuh does.

If you fall behind in any week, push schedule by 1 week rather than
compressing material. Compressed material doesn't retain. The exam
asks you to recognize patterns under time pressure, not regurgitate
facts.

Which Security+ study resources are worth using?

The candidates who pass on the first attempt use a consistent stack
of free and low-cost resources. Anything beyond this stack is
optional.

Professor Messer's SY0-701 video series (free, ~50 hours of YouTube videos). The community gold standard. Watch at 1.25x playback for first pass, real-time for review.
CompTIA Security+ SY0-701 exam objectives PDF (free, 24 pages). Print it. Highlight every sub-objective as you cover it. Don't trust any study material that doesn't map to this document.
Mike Chapple "CompTIA Security+ Study Guide: SY0-701" ($40 Sybex book). Strong supplement if you prefer reading. Skip if Messer's videos work for you.
A practice question bank with 800+ questions for pacing and weak-area discovery
CertMaster Labs SY0-701 ($175). Worth it if you have zero security hands-on experience. Skip if you've ever configured a firewall, run nmap, or read Wireshark output.
3 full-length timed practice exams in weeks 8 and 10. Take them on a Saturday morning, treat them like the real exam, score honestly. If you're below 80%, postpone the real exam.

Skip the $300 bootcamps. They compress 10 weeks into 5 days and the
material doesn't stick. Skip the $80 mobile flashcard apps unless
you're a flashcard person already; the time is better spent on
practice questions with explanations.

For the practice question portion, NerdExam has 1,056 enriched
SY0-701 questions with full explanations covering all five domains.
Start practicing Security+ questions to
see the question style before you commit to the full plan. The
explanations show the reasoning pattern the exam expects, which is
harder to learn from videos than from doing the questions.

How do I practice for the performance-based questions?

PBQs require hands-on configuration, not memorization. The fastest
way to prepare is to build a small home lab and practice the same
five scenarios that CompTIA cycles through on every exam version.

The five PBQ scenarios you should drill before exam day:

Firewall rule ordering: given a set of rules and a desired policy, drag the rules into the right order. Practice in pfSense or OPNsense in a VM.
Log analysis: identify the attack from a 10 to 20 line syslog or Wireshark snippet. Practice with Wireshark sample captures and sample Splunk logs.
Cryptography selection: pick the right algorithm for a given use case (data at rest, data in transit, integrity verification).
Wireless security configuration: configure WPA3 vs WPA2-PSK vs Enterprise auth correctly for a stated scenario.
Incident response sequencing: drag the IR phases into the right order for a stated breach scenario (NIST 800-61 sequence).

The home lab to support this fits on any modern laptop. A free
VirtualBox installation, two Linux VMs (one Ubuntu, one Kali), a
pfSense VM as the firewall between them, and a Windows 10 evaluation
VM as a Windows attack target. Total hardware cost: zero. Build time:
about 4 hours.

CertMaster Labs replicates a similar environment in-browser at $175
if you'd rather not build it yourself. The decision usually comes
down to whether you'll re-use the home lab after Security+ (Net+,
SY0-701 to CySA+ to Pentest+, or self-directed security learning).
The candidates who go on to a security analyst role get more value
from owning the lab. The candidates who just want the cert get more
value from CertMaster Labs.

What are the biggest exam-day mistakes?

Most Security+ failures happen because of pacing or PBQ mismanagement,
not because of knowledge gaps. The same 4 mistakes show up in
post-mortems on Reddit's r/CompTIA every week:

Spending 8+ minutes on the first PBQ. The exam often opens with one. People panic, over-invest, and run out of time on the easier MCQs at the end. Skip every PBQ on the first pass. Flag them. Return after answering all MCQs.
Reading every question word-by-word. 90 questions in 90 minutes is 1 minute average. Reading 200-word questions twice eats your buffer. Read once, decide, move on.
Second-guessing 10+ answers. Statistically, your first answer is right 75% of the time. Don't change answers unless you spot a clear word you misread.
Skipping the timed practice exams. Candidates who never time themselves discover their pace problem on exam day. By then it's too late.

A practical pre-exam check: take a 90-question practice exam under
real conditions in week 9 (no breaks, no notes, no internet). If you
score 750+ in 75 minutes or less, book the real exam within 7 days.
If you score 700 to 749, study weak areas one more week. If you score
below 700, postpone by 2 to 3 weeks. The voucher fee is too high to
gamble with.

What's next after Security+?

Once Security+ is in hand, three paths open up depending on what you
want from your career:

Analyst track: CySA+ (CompTIA Cybersecurity Analyst). The natural follow-on. Focuses on SIEM operations, threat hunting, and vulnerability management. Most analysts do this within 6 to 12 months of Security+.
Offensive security track: Pentest+ (CompTIA Pentest+) or OSCP. Pentest+ stays in the CompTIA ecosystem; OSCP is the gold standard but takes 6 to 9 months of study.
Cloud security track: AWS Certified Security Specialty or Azure AZ-500 (Security Engineer). Pairs well with Security+ for cloud-focused security analyst roles.

Most people take 6 to 12 months between Security+ and their next
cert. Use that time to ship real production security work in a SOC,
GRC, or pentest role. The cert pays off when hiring managers see it
alongside actual experience, not when it's the only line on your
resume.

Ready to start? Practice with 1,056 real Security+ SY0-701 questions
on NerdExam or browse the
free per-question explanations.
CompTIA's free exam objectives PDF is also worth downloading first if
you haven't: CompTIA Security+ exam objectives.

Adjacent reading: Where to actually buy a Security+ voucher and
which discounts work,
What is MFA, What is Zero Trust,
What is a CVE, and
7 most common reasons people fail IT certification exams.

CompTIA Security+ Exam Voucher: Cost, Discounts, and Where to Buy

NERDEXAM — Sun, 07 Jun 2026 14:02:01 +0000

The CompTIA Security+ SY0-701 exam voucher costs $404 USD direct from
CompTIA. That's the sticker price. Almost nobody pays it. Bundled
vouchers from Total Seminars, ITPro.TV, and Get Certified Get Ahead
drop the effective cost to $280 to $300 when bought with study material.
Student discounts shave another 10%. Military gets the voucher free
through the COOL program. Cash-paying retail buyers are the only people
paying $404, and there's no good reason to be one.

The 90-second answer

Buy the voucher direct from CompTIA if your employer is paying or
you need a fast turnaround. The full $404 fee gets you the voucher
within minutes via email and the longest validity window (12 months).

Buy a voucher bundle from Total Seminars or Get Certified Get Ahead
if you're self-funding. The bundle includes study material plus a
voucher for $280 to $300 total. The voucher is identical to the one
you'd buy from CompTIA. You get a discount because CompTIA wholesales
vouchers to publishers and they pass on part of the margin.

Skip eBay vouchers, Reddit DMs, and "I have an extra voucher" offers
from strangers. Most of them are stolen, refunded, or already
redeemed. Pearson VUE has flagged accounts and revoked seats for buyers
who used compromised vouchers, and CompTIA doesn't refund when that
happens.

How much does the Security+ exam actually cost?

The Security+ SY0-701 exam costs $404 USD purchased directly from
CompTIA's online store. The price increased from $370 in 2023. Outside
the US, the price varies by region but typically stays within $390 to
$420 USD-equivalent. Pearson VUE adds local tax at checkout for
testing-center delivery.

The full cost breakdown for a typical self-funded candidate:

Component	Range	Notes
Exam voucher (direct CompTIA)	$404	One attempt. Voucher valid 12 months.
Voucher (bundled with study material)	$280 to $310	Same voucher, packaged with a course or book
CompTIA CertMaster Practice	$159	Optional. Adaptive practice from CompTIA.
Professor Messer course	$0	Free YouTube series. The default starter for most candidates.
Mike Chapple book (Sybex)	$40	Solid printed reference. Skip if you do CertMaster.
Practice exam access (NerdExam)	$0	1,056 SY0-701 questions with explanations.
Retake voucher	$0 to $404	Free if you bought a CompTIA bundle. Otherwise full price.
Realistic self-funded total	$280 to $500	Cheapest viable path: voucher bundle plus free resources.

The cheapest path that actually works is: Total Seminars voucher bundle
at $280, Professor Messer YouTube videos for instruction, and free
NerdExam practice questions. That stack passes the exam if you put in
8 to 10 weeks. Adding $200 of paid material on top of that doesn't
move the pass rate much.

What's the cheapest way to get a Security+ voucher?

The cheapest legitimate Security+ voucher is the Total Seminars
voucher bundle at approximately $280, sold via the CompTIA-affiliated
training partner channel. It includes the voucher plus a short course.
The voucher itself is identical to the direct-from-CompTIA voucher.

The realistic ranking of voucher sources from cheapest to most
expensive:

Get Certified Get Ahead bundle: ~$280 with their study guide
Total Seminars bundle: ~$295 with their Udemy course
CompTIA Marketplace academic bundle: ~$315 with CertMaster Learn
CompTIA Marketplace standard bundle: ~$350 with CertMaster Practice
Direct from CompTIA: $404
eBay / Reddit "spare voucher" sellers: varies, often $200 to $250 but high risk of fraud (see the section below)

Be aware that "bundle" pricing changes whenever CompTIA runs a
promotion. Check the bundle price the day you buy. If the bundle costs
more than direct purchase, just buy direct.

Are CompTIA Marketplace bundles worth it?

The CompTIA Marketplace bundles are worth it only if you actually use
the CertMaster product. CertMaster Learn and CertMaster Practice are
solid tools but they retail for $159 to $359. The bundle pricing
effectively gives you both the voucher and the tool for less than the
voucher alone at retail.

The catch is most candidates don't finish CertMaster. The product is
designed for slow, methodical learning. If you prefer Professor
Messer's faster video pace or a printed book, you'll buy the bundle,
log into CertMaster twice, and never use it again. The math breaks the
moment you stop touching the tool.

The bundles worth buying:

CertMaster Practice + voucher at $350: skip if you already have another adaptive practice tool or 800+ practice questions elsewhere
CertMaster Labs + voucher at $400: worth it for hands-on candidates who learn by doing, not reading
CertMaster Learn + voucher at $440: roughly equivalent to a Udemy course plus the voucher; skip if you already have a video course

The third-party bundle from Total Seminars at $295 beats every CompTIA
Marketplace option on pure cost if you don't care about CertMaster.

Can my employer pay for Security+?

Most US employers in IT, defense, and federal contracting will pay for
Security+ because it appears on DoD 8570 and DoD 8140 baseline lists
for over 40 cybersecurity job roles. If your role is government-adjacent
or you handle CUI (Controlled Unclassified Information), the employer
typically has a budget line item for it.

What to ask for, in this order:

Voucher reimbursement if you've already passed and paid out of pocket. Most companies reimburse after a passing score is verified.
Pre-paid voucher through the company's training partner account. Many companies have CompTIA accounts with discounted bulk vouchers.
Combined tuition + voucher reimbursement if you also took a course (most tuition assistance policies cap at $5,250 annually, tax-free under IRS §127).

Bring the official cost ($404), the bundle alternative ($280-$310),
and a short note on why the cert matters for your specific role. The
DoD 8570 mapping is the strongest argument if you work in a federal
contracting role.

If you're self-funded and US-based, the exam fee is potentially
tax-deductible as a job-related expense under IRS §162 if it maintains
or improves skills required in your current job. Talk to your tax
preparer; "improving career prospects" is not deductible but
"maintaining existing job skills" is.

Do military and student discounts apply?

Active-duty US military can get the Security+ voucher free through the
Air Force COOL, Navy COOL, Army COOL, or DANTES programs. Veterans can
use GI Bill benefits to cover the voucher cost at approved test
delivery centers. Spouses of active-duty members qualify under MyCAA
if pursuing IT careers.

Verified students get a 10% discount through the CompTIA Marketplace
academic store, applied to the bundle price. The discount stacks with
some seasonal promotions but not with employer-paid voucher accounts.
Verification happens through SheerID and requires a .edu email or a
matched institution document.

The discounts that DO NOT exist, despite many forum threads claiming
otherwise:

"First-time taker" discount (doesn't exist)
"Tech industry employee" generic discount (doesn't exist)
"Career changer" discount (doesn't exist)
25% off codes from random YouTubers (the channel link is usually just an affiliate URL with no real discount on top of the bundle)

Don't waste time hunting for a code that beats the Total Seminars
bundle. The bundle floor is roughly $280, and the only path lower than
that is military-free or stolen.

What's the catch with cheap eBay or Reddit vouchers?

Cheap eBay and Reddit Security+ vouchers usually fall into one of three
categories: stolen, already redeemed, or sold by someone planning to
charge back the original purchase. All three end with Pearson VUE
canceling your exam appointment, often hours before the test, with no
recourse to recover your money.

The fraud pattern most candidates fall into:

Find a voucher on Reddit or eBay for $200
Pay via PayPal Friends and Family (no buyer protection)
Receive a voucher code that works at registration
Book an exam appointment 1 to 2 weeks out
Voucher gets revoked when the original buyer charges back
Show up to the test center, learn the seat is gone

CompTIA doesn't replace canceled exam seats for fraud cases. You lose
both the $200 you paid the scammer and the test date you scheduled.
Most people then buy a real voucher at full price and start over.

The only safe third-party vouchers are bundles from named training
partners with CompTIA Authorized Partner status. If the seller isn't a
listed partner on CompTIA's site, treat the voucher as fraudulent.

How long does a Security+ voucher stay valid?

A CompTIA Security+ voucher purchased direct or through an Authorized
Partner stays valid for 12 months from the date of purchase. You must
schedule and complete the exam within that window or the voucher
expires with no refund and no extension.

Bundled vouchers sometimes have shorter validity (90 or 180 days)
depending on the partner's contract with CompTIA. Read the partner
terms before buying. Total Seminars and Get Certified Get Ahead
typically include 12-month validity; some smaller partners use 6-month
validity to pressure faster turnaround.

If you bought a voucher and realize you won't make the deadline:

CompTIA does not extend or refund expired vouchers
You can occasionally transfer a voucher to another person before expiration (one transfer maximum, no fee, requires written request)
Pearson VUE will let you reschedule a booked exam up to 24 hours before the appointment without penalty
After the 24-hour mark, rescheduling costs $25 to $50 depending on region

The cleanest move if your deadline is slipping: schedule an exam date
inside the validity window even if you're not ready, then reschedule
later. The booked appointment locks in the voucher consumption record.

What about the retake voucher?

CompTIA does not sell a discounted retake voucher. If you fail
Security+, the second attempt costs the same $404 (or the bundle price
again). The only way to get a discounted retake is to buy a bundle
that includes one upfront, like the CompTIA Marketplace
"Voucher + Retake" package at approximately $479.

CompTIA's retake policy:

24-hour wait between attempts 1 and 2
14-day wait between attempts 2 and 3
14-day wait between attempts 3 and 4 and beyond
No limit on total attempts

Most candidates don't need a retake voucher in advance. The Security+
pass rate for prepared candidates (who scored 75% or higher on
practice exams in the final week) is around 85%. If you're under that
benchmark, postpone the exam rather than buying retake insurance.

A practical pre-exam test: take a full timed practice exam under real
conditions (90 questions, 90 minutes, no breaks). If you score 750 or
higher, book the real exam within 7 days. If you score 700 to 749,
study one more week. If you score below 700, postpone by 2 to 3 weeks.

The candidates who actually use the retake voucher are the ones who
booked the real exam without doing a timed practice run. The retake
insurance ends up being a vote of low confidence rather than a smart
hedge.

Where do you actually buy a Security+ voucher?

The right buying decision depends on three things: who's paying, how
fast you need it, and whether you want bundled study material.

Use this decision matrix:

Your situation	Where to buy	Effective cost
Employer-funded, need it today	Direct from CompTIA Marketplace	$404
Self-funded, need study material too	Total Seminars or Get Certified Get Ahead bundle	$280 to $310
Self-funded, already have a course	Total Seminars voucher-only bundle	~$280
Active-duty US military	COOL program (free)	$0
Verified student	CompTIA Marketplace academic bundle	$315 (with 10% off)
Veteran with GI Bill benefits	VA-approved testing center	$0 (after benefits)
First-time CompTIA candidate, wants safety net	CompTIA Marketplace voucher + retake bundle	~$479

The cheapest legitimate voucher is the Total Seminars bundle at $280
to $295. Add free Professor Messer videos, free NerdExam practice
questions, and you have a complete study stack under $300.

Ready to start? Browse NerdExam's free Security+ SY0-701 practice
questions to see the question style before
you commit to a voucher. The 1,056 enriched questions cover all five
SY0-701 domains, and the explanations show the reasoning pattern the
exam expects. Practicing 200 to 300 questions before you buy the
voucher means you'll know whether you're 4 weeks or 12 weeks from
ready.

Adjacent reading: the
CompTIA Security+ SY0-701 study guide,
What is MFA and why does the Security+ exam ask
about it constantly,
What is Zero Trust, and
7 most common reasons people fail IT certification exams.

CompTIA Security+ Exam Objectives (SY0-701): Domain-by-Domain Breakdown

NERDEXAM — Sat, 06 Jun 2026 14:01:33 +0000

The CompTIA Security+ SY0-701 exam tests five domains across 90
questions in 90 minutes. CompTIA updated the domain weights when they
retired SY0-601 in mid-2024. Two domains, Security Operations (28%)
and Threats/Vulnerabilities/Mitigations (22%), carry exactly half the
exam weight. The other three domains share the rest. If you study
the official objectives PDF without understanding the weights, you'll
waste 30 to 40 hours on the lower-weight domains and run out of time
on the high-impact ones.

The 90-second answer

Study the high-weight domains first. Security Operations (28%)
and Threats/Vulnerabilities/Mitigations (22%) together account for
50% of the exam. If you can answer 90% of questions in these two
domains, you're already at 45 points out of a passing 750. Combined
with average performance elsewhere, that's the path to a pass.

The traps: General Security Concepts (12%) feels easy because it
covers vocabulary, so candidates skip it during review. Then 5 to 7
questions tripped on technical definitions of things like
"compensating control" or "deterrent vs preventive" cost the exam.
Security Program Management (20%) feels boring (policies, governance,
audit) so candidates skim it. Both are deceptively trap-heavy.

The good news: every SY0-701 question maps to one of these five
domains, and the official objectives PDF lists every sub-objective.
There are no surprises if you actually read it.

What does Domain 1 (General Security Concepts) cover?

Domain 1 covers the foundational vocabulary every security question
relies on, weighted at 12%. Roughly 11 questions on a 90-question
exam. The CIA triad, AAA (authentication, authorization, accounting),
non-repudiation, security controls classifications, change management,
zero trust principles, and basic cryptography fall here.

Specific objectives you'll see on the exam:

Topic	What's tested
CIA triad	Distinguishing confidentiality, integrity, availability concerns in scenario questions
Security control types	Technical vs administrative vs physical; preventive vs detective vs corrective vs compensating vs deterrent
Change management	The PMBOK-style process of impact assessment, approval, testing, documentation
Cryptographic solutions	PKI, symmetric vs asymmetric, hashing (SHA-256, SHA-3), digital signatures, certificates
Zero trust principles	Adaptive identity, threat scope reduction, policy-driven access, control plane vs data plane

This domain is mostly vocabulary memorization. The fastest study
approach is reading Professor Messer's 1.1 through 1.4 videos at 1.5x
speed, then making a one-page summary in your own words. Most
candidates rate this the easiest domain after taking it.

What does Domain 2 (Threats, Vulnerabilities, and Mitigations) cover?

Domain 2 weighs 22% and covers everything attackers do plus how
defenders respond. Roughly 20 questions per exam. Threat actors,
attack surfaces, malware classifications, social engineering, network
attacks, application attacks, vulnerability classifications, indicators
of compromise, and mitigation techniques all fall here.

The sub-objectives that show up most often:

Threat actor motivations and capabilities: nation-state vs organized crime vs hacktivist vs insider; you need to map a scenario description to the right threat actor type
Attack vectors and attack surfaces: differentiating attack vectors (how) from attack surfaces (where)
Malware classifications: virus vs worm vs trojan vs ransomware vs rootkit vs spyware vs keylogger vs logic bomb. Several questions per exam.
Social engineering: phishing variants (spear, whaling, vishing, smishing), pretexting, watering hole attacks, business email compromise
Network attacks: DDoS variants (volumetric, protocol, application layer), MITM, DNS attacks, wireless attacks, replay attacks
Application attacks: SQL injection, XSS (stored vs reflected vs DOM-based), CSRF, directory traversal, buffer overflow, race conditions, malicious code injection
Indicators of compromise (IoC): account lockouts, concurrent session usage, blocked content, impossible travel, resource consumption, OOM errors, missing logs
Mitigation techniques: segmentation, access control, monitoring, least privilege, defense in depth, hardening

Most candidates lose points here on the indicator-of-compromise
questions and the social engineering variants. The fix is doing 50 to
80 practice questions in this domain specifically before exam day.

What does Domain 3 (Security Architecture) cover?

Domain 3 weighs 18% and covers architectural design choices that
shape security posture. Roughly 16 questions per exam. Network, infra,
application, and cloud security architecture; resilience and recovery
patterns; secure data classification all fall here.

The sub-objectives that show up most:

Network security architecture: firewall placement, DMZ design, network segmentation, VLANs, micro-segmentation, screened subnets, east-west vs north-south traffic
Cloud security architecture: shared responsibility model (specifically AWS / Azure / GCP variations), serverless vs containers, SaaS-specific concerns, IaC security, hybrid cloud
Application security architecture: secure coding practices, input validation, output encoding, parameterized queries, secure defaults, secure libraries
Resilience and recovery: high availability designs, fault tolerance, redundancy, backup strategies (3-2-1 rule), RTO/RPO calculations, hot/warm/cold sites
Data classification and protection: sensitive data identification, encryption at rest, encryption in transit, DLP, tokenization, data masking, secure data disposal

This domain often surprises candidates because it overlaps with the
CompTIA Cloud+ exam content. If you've done any cloud work,
expect to score higher here than you expect. If you haven't, this is
the domain where simulated labs help most.

What does Domain 4 (Security Operations) cover?

Domain 4 weighs 28%, the highest of any domain. About 25 questions
per exam. Hardening, asset management, vulnerability management,
monitoring, incident response, digital forensics, and identity
management all fall here.

The sub-objectives that show up most:

Hardening techniques: secure baselines, configuration management, disabling unnecessary services, default credential changes, patch management, endpoint hardening
Vulnerability management: scanning (authenticated vs unauthenticated, internal vs external), CVSS scoring, prioritization by risk, remediation strategies
Monitoring and SIEM: log aggregation, correlation rules, alert tuning, dashboards, retention policies, common SIEM platforms (Splunk, Sentinel, Elastic, QRadar)
Incident response: NIST 800-61 lifecycle (preparation, detection, containment, eradication, recovery, lessons learned), playbooks, chain of custody, tabletop exercises
Digital forensics: evidence preservation, chain of custody, volatile vs non-volatile data, timeline analysis, hash verification, legal holds
Identity and access management: SSO, MFA, federation, just-in-time access, privileged access management, identity proofing, account lifecycle
Automation and orchestration: SOAR platforms, scripted responses, ticket integration, API-driven workflows

This domain has the most performance-based questions (PBQs). Expect
2 to 3 PBQs that drop you into a simulated SIEM dashboard or ask you
to drag IR phases into the right order. The home-lab investment from
the Security+ study guide
pays off most here.

What does Domain 5 (Security Program Management) cover?

Domain 5 weighs 20%, the second-largest after Operations. About 18
questions per exam. Risk management, governance, audit, vendor risk
management, security awareness, and compliance frameworks all fall
here.

The sub-objectives that show up most:

Risk management: risk identification, assessment (qualitative vs quantitative), treatment (accept, avoid, mitigate, transfer), monitoring, risk appetite vs tolerance, risk register
Governance: policies, standards, procedures, guidelines, centralized vs decentralized governance, governance structures
Compliance frameworks: NIST CSF v2.0, ISO 27001, PCI DSS, GDPR, HIPAA, SOX, CCPA, regional data sovereignty rules
Vendor risk management: due diligence, contracts and SLAs, third-party assessments, supply chain attacks, fourth-party risk
Audit and assessment: internal vs external audit, attestation reports (SOC 1, SOC 2 Type I vs II, ISO certifications), gap analysis, control testing
Security awareness: training programs, phishing simulations, password policies, acceptable use policies, role-based training
Privacy considerations: data subject rights, consent management, privacy impact assessments, breach notification timelines

This domain trips technical candidates because it asks process
questions, not technical ones. The framework-mapping questions (NIST
CSF function to a specific control) are where most points get lost.
Spend at least 8 hours on this domain even though it feels
"boring" to technical readers.

How do the domain weights compare to SY0-601?

CompTIA shifted weight toward Security Operations and Security Program
Management when they updated to SY0-701 in mid-2024. The old SY0-601
breakdown was:

Domain	SY0-601 weight	SY0-701 weight	Change
Attacks, Threats, Vulnerabilities	24%	22%	-2% (now "Threats, Vulnerabilities, Mitigations")
Architecture and Design	21%	18%	-3% (now "Security Architecture")
Implementation	25%	merged into Architecture + Operations	removed as standalone
Operations and Incident Response	16%	28%	+12% (now "Security Operations")
Governance, Risk, Compliance	14%	20%	+6% (now "Security Program Management")

The big shift is Security Operations going from 16% to 28%. If you're
using older study material that pre-dates SY0-701, you'll under-prepare
on the most important domain. Verify your course version covers
SY0-701 explicitly before you spend study time on it.

How do I use the domain weights to plan study time?

Allocate study hours proportional to domain weights, with a 1.2x
multiplier for domains where you have weaker hands-on experience. A
realistic 80-hour study budget breaks down like this:

Domain	Weight	Base hours	Adjusted hours (for typical IT admin)
Security Operations	28%	22	24-28 (most candidates need extra lab time)
Threats, Vulnerabilities, Mitigations	22%	18	18-20
Security Program Management	20%	16	18-20 (process-heavy, often skipped)
Security Architecture	18%	14	14-16
General Security Concepts	12%	10	8-10 (vocabulary, fast to learn)

If you're a process-oriented person (project manager, GRC analyst),
flip the multiplier: spend MORE time on Architecture and Operations,
less on Program Management.

The candidates who pass on the first try track their per-domain
practice-question accuracy weekly. Practice tools like NerdExam break
their question banks by domain, so you can see where you're at 85%
and where you're at 60%, then allocate the next week's study time
accordingly.

For practice questions filtered by domain, NerdExam has 1,056
enriched SY0-701 questions with full explanations.
Start practicing Security+ questions to
see the question style before you commit to a study plan.

What's NOT on the SY0-701 exam?

CompTIA explicitly excludes several topics that show up in study
forums but never appear on the real exam:

Specific vendor product configuration (no exam questions on "configure Cisco ASA firewall syntax")
Programming syntax (you might see PowerShell or Bash pseudo-code in a PBQ but never write code)
Deep cryptography math (you need to know SHA-256 exists, not implement it)
Specific CVE numbers (you need to know what CVSS is, not memorize CVE-2024-1234)
Detailed legal case law (you need to know HIPAA exists and its general scope, not memorize which exception applies in subsection 164.512)
Specific tool keyboard shortcuts or menu paths
Vendor-specific cloud service names (you need "object storage", not "S3 vs Azure Blob vs GCS")

If a YouTube prep video spends 20 minutes on any of these, switch
videos. The exam doesn't reward that level of detail.

Adjacent reading: CompTIA Security+ Study Guide: 10-Week Plan,
Where to actually buy a Security+ voucher,
What is MFA, What is a CVE,
What is Zero Trust.

AZ-900 vs AZ-104: Which Azure Certification Should You Take First?

NERDEXAM — Fri, 05 Jun 2026 14:01:09 +0000

If you're starting your Microsoft Azure certification journey, the first
question is almost always the same: should you take AZ-900 or AZ-104 first?
The short answer is AZ-900 if you're new to cloud, AZ-104 if you already
know cloud fundamentals from another platform. The longer answer matters
because each exam tests very different skills, costs different money, and
opens different doors.

The 60-second answer

AZ-900 (Microsoft Azure Fundamentals) is a 60-minute, entry-level exam covering cloud concepts, core Azure services, security, governance, and pricing. It costs $99 USD. No hands-on Azure experience required.
AZ-104 (Microsoft Azure Administrator) is a 120-150 minute, role-based exam covering identity, governance, storage, virtual networking, compute, and monitoring. It costs $165 USD. Microsoft recommends six months of hands-on Azure administration experience.

If you've never touched Azure (or any cloud), start with AZ-900. If you've
been administering AWS, GCP, or on-prem infrastructure for a year or more,
you can skip directly to AZ-104.

What AZ-900 actually tests

AZ-900 is a knowledge-recognition exam. Most questions ask things like "Which
Azure service would you use to..." or "What is the benefit of...". You don't
need to write any commands, understand specific syntax, or solve scenarios.

The exam is split into four domains:

Cloud concepts (25-30%): what cloud is, IaaS vs PaaS vs SaaS, public vs private vs hybrid, and the high-availability/scalability/elasticity/ reliability/predictability/security/governance/manageability vocabulary.
Azure architecture and services (35-40%): core services like Virtual Machines, Storage Accounts, Virtual Networks, Azure SQL, App Service, and the Azure CLI/portal/PowerShell tools.
Azure management and governance (30-35%): cost management, policies, Resource Groups, locks, and the Azure Trust Center.

Most candidates pass AZ-900 with 1-2 weeks of study, especially if they
have any IT background. It's a confidence builder more than a technical
gate.

What AZ-104 actually tests

AZ-104 is a working-administrator exam. You need to understand not just
what an Azure service does, but how to configure it, when to use it,
and what breaks if you misconfigure it.

The exam covers five domains:

Identity and governance (20-25%): Microsoft Entra ID (formerly Azure AD), users, groups, RBAC, conditional access, subscriptions, and resource tagging.
Storage (15-20%): storage accounts, blob storage, file shares, redundancy options, lifecycle management, and Azure Files.
Compute (20-25%): virtual machines, scale sets, availability sets, containers (ACI/AKS basics), and App Service plans.
Virtual networking (15-20%): VNets, subnets, network security groups, Azure Firewall, VPN gateways, ExpressRoute, and load balancers.
Monitoring and backup (10-15%): Azure Monitor, Log Analytics, alerts, backup policies, and Site Recovery.

AZ-104 has scenario questions, drag-and-drop sequencing, and
case-study-style multi-part problems. Most candidates need 6-12 weeks of
study with hands-on lab time.

The decision matrix

Your situation	Take first
Brand new to cloud	AZ-900
Used Azure casually (some VMs, some storage)	AZ-900 then AZ-104
Working admin on AWS or GCP	AZ-104 directly
On-prem sysadmin (Windows Server, Hyper-V, Active Directory)	AZ-104 directly
Manager/PM who needs to understand cloud	AZ-900 only
Developer who wants to deploy to Azure	AZ-900 then AZ-204 (not AZ-104)
Architect designing cloud systems	AZ-104 then AZ-305

Why most people start with AZ-900 anyway

Even if you have cloud experience and could pass AZ-104 directly, AZ-900 is
worth considering for three reasons:

Vendor-specific vocabulary. AWS calls it a Security Group; Azure calls it a Network Security Group. AWS has IAM Roles; Azure has Managed Identities. AZ-900 teaches you the Azure-specific names so you don't stumble in AZ-104 questions.
Confidence and momentum. Passing AZ-900 in 2 weeks builds momentum for the harder AZ-104 study cycle. People who skip AZ-900 sometimes stall on AZ-104 because the jump feels too steep.
Resume signal. Two certifications look better than one for early- career roles. AZ-900 + AZ-104 signals "structured learner who finishes what they start."

When skipping AZ-900 makes sense

Skip directly to AZ-104 if all three are true:

You have 12+ months of hands-on cloud or infrastructure work.
You're confident with vocabulary like "RBAC", "subnet", "encryption at rest", "high availability", and "disaster recovery".
You have time pressure (a job requirement, a promotion deadline, or a bootcamp finish line).

For everyone else, AZ-900 first is the better path. The $99 exam cost and
2-week study window are a small investment for the confidence and
foundational vocabulary AZ-900 builds.

What's next after AZ-104?

AZ-104 unlocks several specialty paths:

AZ-305 (Azure Solutions Architect Expert): the architect track. Adds designing identity, infrastructure, data storage, and business continuity solutions.
AZ-204 (Azure Developer): for developers building on Azure. Covers Functions, App Service, Cosmos DB, and Azure DevOps.
AZ-500 (Azure Security Engineer): for security-focused administrators. Deeper coverage of identity, platform protection, and security operations.
AZ-700 (Azure Network Engineer): networking specialty - VPN gateways, ExpressRoute, hybrid connectivity, application delivery.

Most administrators take AZ-104 then AZ-305 within 6-12 months to round out
the architect path. The AZ-104 + AZ-305 combination is one of the highest-
demand cert pairings in cloud hiring today.

Key takeaway

Start with AZ-900 unless you have substantial cloud experience and time
pressure. AZ-900 builds the vocabulary and confidence; AZ-104 is where
your career-relevant cloud administration credential begins. Practice with
real AZ-900 exam questions and
AZ-104 exam questions on NerdExam.

AZ-104 Study Guide: A 12-Week Plan for Microsoft Azure Administrator

NERDEXAM — Thu, 04 Jun 2026 14:02:23 +0000

The Microsoft AZ-104 Azure Administrator exam is the most popular
role-based Azure certification and the credential most cloud-admin
job postings list as required. Pass at 700 out of 1000. 40 to 60
questions in 100 minutes. $165 USD per attempt. Most candidates need
8 to 12 weeks of focused study to pass on the first try. This guide
is the actual week-by-week plan, the resources that work, and the
exam-day mistakes that cost people their voucher.

The 90-second answer

Plan 12 weeks at 8 to 10 hours per week. Microsoft Learn's
official AZ-104 path covers everything the exam tests, and it's free.
Add a $15 Udemy course (Scott Duffy or Tim Warner) for breadth, a free
Azure subscription for hands-on labs, and 400+ practice questions for
pacing. Total cash spend if self-funded: $165 for the voucher plus
maybe $50 for paid practice questions if you want them.

Skip the $300 bootcamps. They compress 12 weeks of material into
1 week of cramming and the retention rate is terrible. Add John
Savill's free YouTube videos as a supplement for deeper coverage of
networking and identity (Microsoft's weakest documentation areas).

The first-attempt pass rate among candidates who score 80%+ on three
full timed practice exams in the final two weeks is roughly 88%. The
pass rate among candidates who skip timed practice exams entirely is
roughly 55%. Timed practice exams are the highest-impact study
activity by a wide margin.

How long should I study for AZ-104?

Most candidates need 8 to 12 weeks at 8 to 10 hours per week. Variance
comes from prior cloud experience, not study material quality.

Your background	Realistic study window
6+ months Azure admin experience	6 to 8 weeks
AZ-900 passed, 3 months Azure	8 to 10 weeks
AWS Solutions Architect (SAA-C03) holder	8 to 10 weeks for vocabulary translation
Active sysadmin, no Azure	10 to 12 weeks; start with AZ-900
Career changer, no IT background	16 to 20 weeks; consider AZ-900 first
Active Azure architect	4 to 6 weeks for refresher only

The biggest predictor of pass-on-first-try is hands-on portal time,
not study hours. Two candidates with the same 80 hours of study will
see very different scores if one of them built 5 to 8 small projects
in their Azure account and the other watched 30 hours of course
videos. Build at least 30 hours of lab time into the 12-week plan.

What's actually tested on AZ-104?

AZ-104 tests five domains. Microsoft updated the weights for the 2026
version. Every question maps to one domain.

Domain	Weight	What it covers
Manage Azure identities and governance	20-25%	Microsoft Entra ID, RBAC, subscriptions, management groups, tags, policies
Implement and manage storage	15-20%	Storage accounts, blob containers, Azure Files, lifecycle management, AzCopy
Deploy and manage Azure compute resources	20-25%	VMs, scale sets, app services, container instances, ARM/Bicep templates
Implement and manage virtual networking	15-20%	VNets, subnets, NSGs, load balancers, VPN gateway, peering, DNS
Monitor and maintain Azure resources	10-15%	Azure Monitor, Log Analytics, alerts, backup, site recovery

Two domains carry 40 to 50% of the weight: Identity/Governance and
Compute. Allocate study hours proportionally. The 10 to 15% Monitoring
domain is often skipped but the questions there are usually scenario-
heavy, so don't write it off.

Exam mix is roughly 60% multiple-choice, 30% drag-and-drop / order
sequencing, and 10% performance-based questions (PBQs) that drop you
into a simulated Azure portal. PBQs eat 5 to 8 minutes each, so plan
to flag them on the first pass and return after answering all MCQs.

How do I structure a 12-week study plan?

The 12-week structure below tracks the official exam objectives in
roughly Microsoft Learn's path order, with the heaviest-weight
domains getting extra time. Hours assume 8 to 10 hours per week.

Week	Focus	Deliverable
1	Subscriptions, management groups, tags, governance basics	Build a 3-tier subscription hierarchy with policies and tags
2	Microsoft Entra ID, users, groups, devices	Create users via portal + CLI + PowerShell. Configure conditional access.
3	RBAC, custom roles, scope inheritance	Build a custom role that allows read-only on one resource group
4	Storage accounts, blob containers, lifecycle management	Create storage account with hot/cool/archive tiers + lifecycle rules
5	Azure Files, AzCopy, Storage Explorer, replication	Mount Azure Files on a VM, configure GRS replication
6	VMs, images, availability sets, scale sets	Build a VM scale set behind a load balancer in a custom VNet
7	App services, container instances, deployment slots	Deploy a containerized app to App Service with staging slot
8	Virtual networks, subnets, NSGs, peering	Build two peered VNets with NSG rules controlling traffic
9	Load balancers, application gateway, VPN gateway	Configure a point-to-site VPN to your home machine
10	Azure Monitor, Log Analytics, alerts, action groups	Build alert rule for VM CPU > 80%, route to action group
11	Azure Backup, Site Recovery, ARM/Bicep templates	Configure VM backup policy, write a Bicep template that recreates a resource group
12	Practice exams + weak-area cleanup	Take 3 timed practice exams. Postpone real exam if not at 80%.

The single biggest miss in self-study plans is skipping the
identity-and-governance weeks (1 through 3). Roughly 20 to 25% of
the exam is on these topics, and they're conceptually different from
AWS IAM if you're coming from that background. Spend the time even
if it feels slower than the technical weeks.

If you fall behind in any week, push the schedule by 1 week rather
than compressing material. Compressed material doesn't retain. The
exam asks you to recognize patterns under time pressure, not
regurgitate facts.

Which AZ-104 resources are worth using?

The candidates who pass on the first attempt use a consistent stack
of free and low-cost resources. Anything beyond this stack is
optional.

Microsoft Learn's official AZ-104 learning path (free, ~30 hours of modules). The closest match to exam phrasing because Microsoft writes both the modules and the questions.
Microsoft Learn's AZ-104 exam page (free, lists current objectives + sample questions). Print and highlight the objectives as you cover them.
One video course for breadth: Scott Duffy's "AZ-104: Microsoft Azure Administrator Exam Prep" on Udemy at $15 on sale is the community favorite. John Savill's free YouTube videos are equally good but less organized.
A free Azure subscription ($200 of services for 30 days plus pay-as-you-go thereafter). Set a $10 billing alert immediately to avoid surprises.
At least 400 practice questions before exam day for pacing
Three full-length timed practice exams in weeks 11 and 12. Take them on a Saturday morning, treat them like the real exam, score honestly. If you're below 80% on the third one, postpone.

Skip the books. Azure changes too fast for printed material to stay
current. The Tim Warner book is the closest exception but expects 6+
months of Azure experience. Skip the $80 mobile flashcard apps unless
you already use flashcards; the time is better spent on practice
questions with explanations.

For practice questions, NerdExam has 703 enriched AZ-104 questions
with full explanations covering all five domains.
Start practicing AZ-104 questions to see
the question style before you commit to the full plan. The
explanations show the reasoning pattern the exam expects, which is
harder to learn from videos than from doing the questions.

How do I practice for the AZ-104 performance-based questions?

PBQs require hands-on configuration in a simulated Azure portal, not
memorization. The fastest way to prepare is to build the same five
scenarios that Microsoft cycles through on every exam version
directly in your free Azure subscription.

The five PBQ scenarios you should drill before exam day:

Storage account configuration: create a storage account with specific tier, replication, and lifecycle rules from a stated requirement
VM deployment: deploy a VM with specific size, availability options, networking, and disk encryption settings
NSG rule ordering: given a set of network security group rules and a desired policy, drag the rules into the right priority order
RBAC assignment: pick the correct built-in role (or build a custom role) for a stated permission requirement
Backup policy configuration: configure VM backup with specific retention, instant recovery snapshots, and replication

The home-lab requirement is trivial: a free Azure subscription gives
you $200 of services for 30 days, which is more than enough to build
each scenario twice. After the 30 days expire, pay-as-you-go for
low-cost resources (B-series VMs, standard storage) costs $5 to $15
per month. Total cost over 12 weeks: $15 to $45.

The candidates who skip hands-on labs and rely on simulation tools
typically score 100 to 150 points lower on PBQ-heavy exams. Don't
skip the labs.

What are the biggest AZ-104 exam-day mistakes?

Most AZ-104 failures come from pacing or PBQ mismanagement, not
knowledge gaps. The same 4 mistakes show up in post-mortems on
Reddit's r/AzureCertification every week:

Spending 10+ minutes on the first PBQ. The exam often opens with one. People panic, over-invest, and run out of time on the easier MCQs at the end. Skip every PBQ on the first pass. Flag them. Return after answering all MCQs.
Mis-reading case studies. AZ-104 case studies have 4 to 6 paragraphs of company context, then 5 to 8 questions. Most candidates re-read the context for every question, eating 20+ minutes. Read the context ONCE, take quick notes, then answer the questions from your notes.
Second-guessing 10+ answers. Statistically, your first answer is right 75% of the time. Don't change answers unless you spot a clear word you misread.
Skipping the timed practice exams. Candidates who never time themselves discover their pace problem on exam day. By then it's too late.

A practical pre-exam check: take a 50-question practice exam under
real conditions in week 11 (no breaks, no notes, no internet,
100-minute timer). If you score 800+ in 90 minutes or less, book the
real exam within 7 days. If you score 700 to 799, study weak areas
one more week. If you score below 700, postpone by 2 to 3 weeks. The
voucher fee is too high to gamble with.

What's next after AZ-104?

Once AZ-104 is in hand, three paths open up depending on what you
want from your career:

Architect track: AZ-305 (Solutions Architect Expert). The natural follow-on. Most architects do this within 12 to 18 months of AZ-104. Expect 16 to 20 weeks of study.
Specialty track: AZ-500 (Security Engineer), AZ-700 (Network Engineer), or DP-203 (Data Engineer). Pairs well with AZ-104 for senior roles in those domains.
Cross-cloud track: Add AWS (SAA-C03) or GCP (Associate Cloud Engineer). Enterprise multi-cloud roles pay 20 to 30% premium.

Most people take 12 to 24 months between AZ-104 and their next cert.
Use that time to ship real production Azure work. The cert pays off
when hiring managers see it alongside actual experience, not when
it's the only line on your resume.

Ready to start? Practice with 703 real AZ-104 questions on NerdExam
or browse the free per-question explanations.
Microsoft Learn's free AZ-104 learning path is also worth starting
first if you haven't: Microsoft Learn AZ-104 path.

Adjacent reading: AZ-104 overview: what's actually tested,
AZ-900 vs AZ-104: which to take first,
What is IAM and how Azure RBAC compares,
What is a VPC and how Azure VNets compare.

AWS Solutions Architect Professional (SAP-C02): What's Actually Tested

NERDEXAM — Wed, 03 Jun 2026 15:56:34 +0000

The AWS Certified Solutions Architect Professional (SAP-C02) is the
natural step after SAA-C03 and the credential most senior AWS roles
expect on a resume. It costs $300, runs 180 minutes, has 75 questions,
and requires 750 out of 1000 to pass. Most candidates need 14 to 20
weeks of focused study even with SAA-C03 already in hand. The questions
are heavy on enterprise scenarios, multi-account architectures, and
cost-vs-resilience trade-offs. You don't memorize services for this
one; you weigh combinations of services against business requirements
under time pressure.

The 90-second answer

Take SAP-C02 if you've passed SAA-C03, you have 2+ years of
hands-on AWS production experience, and you're targeting senior or
staff Solutions Architect roles, technical lead positions, or
consulting engagements at $180K and up. The cert pays off when paired
with real multi-account or cross-region production work.

Skip SAP-C02 if SAA-C03 is still recent (within 3-6 months) and
you haven't shipped anything at scale yet. Pro-level questions assume
you've done the work; the cert won't compensate for missing experience.
The most common failure pattern is candidates who passed SAA-C03 in
8 weeks rushing into SAP-C02 with the same plan and failing.

What does SAP-C02 actually test?

SAP-C02 tests four domains. The weights changed when AWS retired the
SAP-C01 version in 2023. Every question maps to one of them.

Domain	Weight	What it covers
Design Solutions for Organizational Complexity	26%	Multi-account strategies, cross-region designs, AWS Organizations, SCPs, networking topology, federated identity
Design for New Solutions	29%	Greenfield architecture for compute, storage, database, networking, security; choosing the right service combinations
Continuous Improvement for Existing Solutions	25%	Performance optimization, cost reduction, operational excellence, monitoring, automation, troubleshooting
Accelerate Workload Migration and Modernization	20%	Application portfolio analysis, migration strategies (6Rs), database migration, refactoring, hybrid architectures

The exam is heavy on enterprise context. A typical question describes
a company with 200 AWS accounts, hybrid connectivity to two data
centers, and stringent compliance requirements, then asks for the
correct combination of services to solve a specific problem. You're
not picking THE answer; you're picking the LEAST WRONG answer that
meets every stated constraint.

If you've ever heard "this question has 700 words and four right
answers, pick the best one for the budget mentioned in paragraph
three," you've heard someone describe SAP-C02.

How hard is SAP-C02?

SAP-C02 is a difficulty 5 out of 5 in community surveys despite AWS
listing it as 3. Significantly harder than SAA-C03. Comparable to
Google Cloud Professional Cloud Architect. Easier than the CCIE
written, much harder than CISSP. Community pass rate for first-time
takers who studied 16+ weeks lands around 60 to 65%.

The hard part isn't the AWS services. The hard part is:

75 questions in 180 minutes = 2 minutes 24 seconds per question
Questions average 200 to 400 words with multi-paragraph scenarios
You have to map enterprise jargon ("RPO of 4 hours", "the CIO wants to consolidate billing") to specific AWS services and combinations
Most questions are "pick TWO" or "pick THREE" with no partial credit
Time pressure compounds with reading load; many candidates run out of time on the last 10 questions

The most common failure pattern: candidate finishes SAA-C03 with 850,
buys a SAP-C02 course, watches it for 8 weeks, walks in confident,
hits question 5 (a 4-paragraph scenario about disaster recovery
across three regions with custom RPO/RTO targets), spends 7 minutes
parsing it, never recovers pacing. Final score: 680.

The fix is reading practice. Take 5 to 10 full practice exams BEFORE
you book the real one. Get your average per-question time under
2 minutes 20 seconds. If you can't, postpone.

How long should you study for SAP-C02?

AWS recommends 2+ years of hands-on AWS architecture experience before
attempting SAP-C02. That's the floor, not the ceiling. For actual
study time on top of that experience:

With SAA-C03 + 2 years AWS production work: 12 to 14 weeks at 10 to 12 hours per week
With SAA-C03 + 1 year experience: 16 to 20 weeks; consider shipping more production work first
No SAA-C03: take SAA-C03 first. Going straight to SAP-C02 without the associate version is possible but adds 4 to 6 weeks
Specialty cert holder (Security, Networking, Database) + SAA-C03: 10 to 12 weeks, mostly on the cross-domain integration questions

A realistic week-by-week pace for a 14-week study plan looks like:

Weeks 1-2: AWS Organizations, multi-account patterns, Control Tower, AWS Single Sign-On, federated identity
Weeks 3-4: Cross-region networking, Transit Gateway, Direct Connect, VPN architectures, Route 53 routing policies
Weeks 5-6: Disaster recovery patterns (pilot light, warm standby, multi-site), backup strategies, RPO/RTO calculations
Weeks 7-8: Compute selection at scale (EC2 families, Spot, Savings Plans, Lambda concurrency, Fargate), application Load Balancer vs Network Load Balancer trade-offs
Weeks 9-10: Storage tiering (S3 lifecycle, intelligent tiering, Glacier), database selection (RDS, Aurora, DynamoDB, Redshift trade-offs), Caching strategies
Weeks 11-12: Migration strategies (the 6Rs), Database Migration Service, Server Migration Service, hybrid cloud, AWS Outposts
Week 13: Practice exam #1, weak-area analysis
Week 14: Practice exam #2 and #3, final pacing drills, exam-day logistics

Skipping the migration domain (weeks 11-12) is the most common cause
of failure. It's only 20% of the exam by weight but most candidates
have zero production migration experience, so they need extra study
time there.

What does SAP-C02 cost?

The exam itself is $300 USD plus any local taxes. Beyond that, real
total cost depends on what study path you take:

Component	Range	Notes
Exam fee	$300	One attempt. Retake is another $300 if you fail.
Study course	$0 to $50	Stephane Maarek on Udemy at ~$15 during sales, Adrian Cantrill deeper but pricier
Practice questions	$0 to $80	NerdExam has 872 SAP-C02 questions free; Tutorials Dojo $30
AWS lab costs	$50 to $250	Multi-account labs in a real AWS Org get expensive fast
Books or whitepapers	$0	AWS Well-Architected + whitepapers are free, mandatory reading
Realistic total	$350 to $700	Cheapest viable path: $300 (exam) + Maarek course + free resources

AWS offers a 50% retake voucher if you fail, but only if you book the
retake within 14 days. AWS also occasionally drops 50% vouchers for
completing Skill Builder learning plans tied to specific cert tracks.

What study resources actually work?

The candidates who pass SAP-C02 on the first attempt use a consistent
stack:

One deep video course (Adrian Cantrill's SAP-C02 course is the community gold standard at ~$30/month subscription, covers everything; Stephane Maarek's is shorter and works as a faster refresh)
The mandatory AWS whitepapers: Well-Architected Framework (re-read), the 5 Well-Architected pillar whitepapers, Disaster Recovery of Workloads on AWS, AWS Multiple Account Security Strategy
A real AWS Organization with 3+ accounts for hands-on practice. You cannot fake this; the exam asks specific cross-account questions
At least 700 practice questions before exam day. Tutorials Dojo's official practice tests are widely cited; NerdExam has 872 enriched SAP-C02 questions for free
Three full-length timed practice exams in the final 3 weeks. 75 questions, 180 minutes, no breaks. If you're below 75% on the third one, postpone the real exam by 2 to 3 weeks

Skip the books. The AWS service catalog moves faster than printed
material can keep up. Skip the $500 bootcamps; they compress the
material in ways that don't survive contact with the exam's reading
load.

For practice questions, NerdExam has 872 enriched SAP-C02 questions
with full explanations. Start practicing SAP-C02 questions
to see the question style before you commit to a study plan. The
question explanations show the reasoning pattern the exam expects,
which is harder to learn from courses than from doing the questions.

What salary can you expect after passing SAP-C02?

Solutions Architect Professional is one of the highest-paying senior
cloud certs. 2026 salary data from US job boards shows:

National average for Senior Solutions Architect (AWS): $175,000 to $215,000
Top US metros (Seattle, Bay Area, NYC, DC): $210,000 to $270,000
Remote senior architect roles: $170,000 to $210,000 base
Staff or principal level with SAP-C02 + 5+ years experience: $250,000+ at FAANG-tier companies plus equity
AWS Premier Tier Partner consultants: $180 to $300 per hour contract rates

The cert alone doesn't deliver these numbers. You also need real
multi-account, multi-region AWS production experience and ideally a
specialty cert (Security or Networking pairs best). But SAP-C02 is
the credential most often required in senior architect job postings,
which makes it the right next cert after SAA-C03 if you're targeting
those roles.

A practical negotiation tip: SAP-C02 is the cert most often used in
the "we'll pay X% more if you have this" conversation. Internal
promotions with a fresh SAP-C02 historically clear 12 to 20% base
bumps. External moves with SAP-C02 plus 2+ years AWS production work
clear 25 to 40%.

Who should NOT take SAP-C02?

The cert is wrong for these candidates:

You are	Take instead
Just passed SAA-C03, less than 1 year experience	Build production work first, retry SAP-C02 in 12 months
A DevOps engineer	DevOps Engineer Professional (DOP-C02)
A security specialist	Security Specialty (SCS-C02) after SAA-C03
Focused on a single AWS service category	The matching specialty cert (Networking, Database, ML, Data Engineering)
Working primarily in Azure or GCP	The matching Azure (AZ-305) or Google (Professional Cloud Architect) pro cert
Looking for a guaranteed pay bump	A senior role at a multi-cloud company; cert alone won't deliver it

SAP-C02 is the credential for people who have already shipped
production work. Take it after the work, not before.

What's next after SAP-C02?

Once SAP-C02 is in hand, three paths open up:

Specialty stack: Add Security (SCS-C02), Networking (ANS-C01), or Database (DBS-C01). The Security + SAP-C02 combination is the best-paying duo in cloud right now
Multi-cloud track: Add Azure (AZ-305 Professional) or GCP (Professional Cloud Architect). Enterprise consulting rates jump 20 to 30% for verified multi-cloud architects
Leadership track: Stop chasing certs and start shipping at scale. After SAP-C02 the marginal value of each new cert drops fast; the marginal value of leading a real cloud migration or platform rebuild rises

Most senior architects don't take another cert for 18 to 36 months
after SAP-C02. The cert pays off when hiring managers see it alongside
production work at scale, not when you stack it with three more.

Ready to start? Practice with real SAP-C02 questions on NerdExam
or browse the free per-question explanations.
The AWS Well-Architected Framework is also mandatory reading if you
haven't done it recently:
download the whitepaper here.

Adjacent reading: SAA-C03 overview if you haven't passed it yet,
What is IAM and why it matters for senior AWS roles,
What is a VPC.

The 7 Most Common Reasons People Fail IT Certification Exams

NERDEXAM — Tue, 02 Jun 2026 14:34:17 +0000

Most candidates who fail an IT certification exam knew the material. They
had studied, they had taken practice tests, and they could explain the
concepts to a friend. They still failed. The reasons cluster into seven
patterns that show up across AWS, Azure, GCP, Cisco, CompTIA, and Microsoft
certifications. Knowing these patterns is half the work of avoiding them.

1. Memorizing answer letters instead of understanding concepts

The single most common failure pattern is candidates who study with practice
tests and memorize "the answer is B" without understanding why. Real exam
questions reword the same concepts and shuffle the answer order. If you
know "the AZ-900 question about Azure Functions has answer B", you fail
when the live exam shuffles the letters.

The fix: for every practice question, write out why the correct
answer is correct AND why each wrong answer is wrong. If you can't do
this in plain language, you don't know the concept yet. This habit alone
moves most candidates from a 65% practice test score to an 85% real-exam
score.

2. Running out of time on scenario questions

Scenario questions on AZ-104, AWS Solutions
Architect, CCNA, and CISSP exams routinely take 3-5
minutes each because they're 200+ words of context
followed by a multi-part problem. Candidates who don't budget time end up
spending 7 minutes on the first scenario question and then panic-clicking
the last 30 questions.

The fix: in your final week of practice, do at least three full-length
timed practice tests at the official exam length. Calculate your minutes-
per-question budget (e.g., 150 minutes / 60 questions = 2.5 minutes per
question). When a scenario hits 4 minutes, mark it for review and move on.
You can come back; you can't rewind.

3. Reading questions for keywords instead of constraints

A common trap: you see "Azure Functions" in the question and pattern-match
to your prep notes about Functions. But the actual constraint is "must run
for 30 minutes" - which Functions cannot do (the Consumption plan caps at
10 minutes). The right answer was Container Apps or App Service, not
Functions.

The fix: every exam question has at least one constraint that
narrows the answer space. Underline (mentally) the words "must", "cannot",
"requires", "minimum", "maximum", "as little as possible", "within X
seconds", and "compliance". The constraints, not the keywords, drive the
answer.

4. Trusting prior version knowledge on updated exams

Cloud vendors silently update exam blueprints. The AWS Solutions Architect
Associate has had four versions in five years. Azure exams roll new
features quarterly. If your study materials are 18 months old, 10-15% of
the questions cover services that didn't exist when those materials were
written, OR services that were retired.

The fix: before scheduling the exam, check the official exam guide PDF
for the current blueprint. Cross-reference your study notes against the
current objectives. Pay particular attention to any objective marked "new"
or that wasn't on the previous version. NerdExam tracks current exam
objectives and refreshes question banks as vendors update.

5. Skipping hands-on practice

This applies most to AZ-104, AWS SAA, AWS DevOps Engineer,
CKA, and CKAD exams that include
scenario or lab questions. Candidates who only read
documentation often fail because they don't know the actual click paths,
default values, or error messages. Reading "Azure RBAC has built-in roles"
is different from logging into the portal and assigning the Reader role to
a specific resource group.

The fix: every cert vendor provides a free tier or sandbox. Use it.
For each exam objective, do the thing once. If you've never created an
Azure VM, you'll struggle with VM-related questions even if you've read
all the documentation. 4-6 hours of hands-on time per week, in your final
month, makes a measurable difference.

6. Taking the exam with low sleep or high anxiety

Performance under stress is real. Candidates who sleep four hours the night
before, drink two coffees, and arrive at the testing center 90 minutes
early to "review one more time" perform measurably worse than candidates
who slept eight hours, ate a normal breakfast, and arrived 15 minutes
early.

The fix: treat the exam day like a marathon race day. Two days before:
finish all real studying. Day before: light review only, normal sleep.
Day of: normal breakfast, arrive 30 minutes early (not 90), bring water
if allowed. The exam is 60-180 minutes; your body needs to be steady, not
keyed up.

7. Not reading the full question or all the answer choices

Especially on PSI/Pearson VUE timed exams, candidates rush. They read the
first sentence of the question, see one obvious answer choice, and click
without reading the other three. Then they miss that the question said
"select two" or "which is NOT correct" or "which is the most cost-
effective".

The fix: force yourself to read every question stem twice and every
answer option once. Yes, even when you "know" the answer. The 10 seconds
this costs per question (10 seconds x 60 questions = 10 minutes) saves you
from the careless misses that drop a strong candidate from 78% to 68%.

The meta-pattern

Five of these seven failure modes are about test-taking tactics, not
subject knowledge. Most candidates over-invest in re-reading material
and under-invest in practicing the actual skill of taking the exam.

If you've done 200 hours of reading and 0 hours of timed full-length
practice, you're in the failure zone. Flip the ratio: in your final 4
weeks, spend at least 50% of study time on timed practice questions and
the analysis afterward.

Practice with real exam questions across 130+ vendors at
NerdExam. Every question includes
expert-verified explanations and community-discussed answers - the format
that turns practice tests into real preparation.

AZ-104 Microsoft Azure Administrator: What's Actually Tested

NERDEXAM — Sat, 30 May 2026 12:32:00 +0000

The AZ-104 (Microsoft Azure Administrator) exam is the most popular
role-based Azure certification and one of the most useful credentials
for landing a cloud admin or junior engineer role. It costs $165 USD,
runs 100 minutes, has 40 to 60 questions, and requires 700 out of 1000
to pass. Most candidates need 8 to 12 weeks of focused study. Questions
are scenario-based with frequent drag-and-drop sequencing and case
studies. If you have 6 months of hands-on Azure work, you can pass
without a course. If you don't, budget the full 12 weeks and do real
labs.

The 90-second answer

Take AZ-104 if you've been administering Azure resources for at
least 6 months, you're comfortable with the Azure portal plus CLI or
PowerShell, and you want a credential most cloud-hiring managers
recognize. It's the right cert for sysadmins, IT support staff, and
junior engineers moving into cloud roles paying $95K to $135K.

Skip AZ-104 if you've never touched the Azure portal. Start with
AZ-900 (Microsoft Azure Fundamentals) first to build vocabulary. Going
straight from zero Azure experience to AZ-104 usually means a failed
first attempt and another $165. The exam assumes you know what a
storage account, NSG, and resource group are; it doesn't teach you.

What does AZ-104 actually test?

AZ-104 tests five domains, with weights Microsoft updated for the
current 2026 version. Every question maps to one of them.

Domain	Weight	What it covers
Manage Azure identities and governance	20-25%	Microsoft Entra ID, RBAC, subscriptions, management groups, tags, policies
Implement and manage storage	15-20%	Storage accounts, blob containers, Azure Files, lifecycle management, AzCopy
Deploy and manage Azure compute resources	20-25%	VMs, scale sets, app services, container instances, ARM/Bicep templates
Implement and manage virtual networking	15-20%	VNets, subnets, NSGs, load balancers, VPN gateway, peering, DNS
Monitor and maintain Azure resources	10-15%	Azure Monitor, Log Analytics, alerts, backup, site recovery

The exam is heavy on the Azure portal interface and equally heavy on
Azure CLI and PowerShell syntax. A typical question presents a
scenario ("a company needs to give read-only access to billing data
for the finance team without granting access to other subscription
resources") and asks which RBAC role or set of commands solves it.

Drag-and-drop sequencing questions show up in every exam. You'll get a
list of steps for, say, configuring a VNet peering with a custom route
table, and you have to put them in the right order. Get one step
wrong and you lose the whole question. There's no partial credit.

The other common format is the case study, where you read a 4 to 6
paragraph company scenario and then answer 5 to 8 questions about it
in sequence. Case studies typically eat 20 to 25 minutes of your 100
minutes if you're not pacing carefully.

How hard is AZ-104?

AZ-104 is a difficulty 3 out of 5. Harder than AZ-900 (Fundamentals)
or AWS Cloud Practitioner, much easier than AZ-305 (Solutions
Architect Expert). Microsoft doesn't publish official pass rates, but
community surveys put first-attempt pass rate around 65 to 70% for
candidates who studied at least 8 weeks.

The hard part isn't the Azure services. The hard part is the question
style:

Long case studies (4 to 6 paragraphs) you have to parse for the actual requirement
Drag-and-drop sequencing where four of five steps look right and one is subtly wrong
"Pick three" multi-select questions with no partial credit
CLI and PowerShell syntax that has to be exactly right (commas, parameter names, capitalization)
Time pressure: 40 to 60 questions in 100 minutes works out to ~2 minutes each, but case studies eat into the buffer

The most common failure pattern: candidate watches an Azure course on
Udemy, never opens the actual Azure portal, walks into the exam, hits
the first PowerShell-syntax question, freezes, guesses, and the score
spirals from there. The fix is hands-on lab work starting week 1, not
week 8.

How long should you study for AZ-104?

Microsoft recommends 6 months of hands-on Azure experience before
taking AZ-104. That's the baseline assumption built into question
difficulty. For actual study time on top of that experience:

With 6+ months Azure experience: 6 to 8 weeks at 8 to 10 hours per week
Coming from AZ-900 + 3 months experience: 8 to 10 weeks
No Azure experience, AWS background: 8 to 12 weeks, focused on Microsoft's vocabulary and Entra ID
No cloud experience at all: 14 to 16 weeks, and you should take AZ-900 first before AZ-104 anyway

The biggest waste of study time is watching course videos without
opening the Azure portal. Build at least 4 small projects in your
Azure account: a storage account with three tiers (hot/cool/archive)
plus lifecycle rules, a VM scale set behind a load balancer in a custom
VNet, a peered VNet with a VPN gateway, and a Log Analytics workspace
collecting from one VM. That hands-on work makes case-study questions
click.

A realistic week-by-week pace for an 8-week study plan:

Week 1: Subscriptions, management groups, Entra ID, RBAC fundamentals
Week 2: Storage accounts, blob containers, Azure Files, AzCopy
Week 3: VMs, images, availability sets, scale sets
Week 4: Virtual networks, subnets, NSGs, peering
Week 5: Load balancers, application gateway, VPN gateway, ExpressRoute basics
Week 6: ARM templates, Bicep, deployment slots, app services
Week 7: Azure Monitor, Log Analytics, Azure Backup, Site Recovery
Week 8: Full practice exams, weak-area cleanup, pacing drills

Most failures happen because candidates skip weeks 1 and 4. Identity
plus networking accounts for roughly 40% of AZ-104 questions when you
read the domain breakdown carefully.

What does AZ-104 cost?

The exam itself is $165 USD plus any local taxes. Beyond that, real
total cost depends on what study path you take:

Component	Range	Notes
Exam fee	$165	One attempt. Retake is another $165 if you fail.
Microsoft Learn modules	$0	Free, official, surprisingly good for AZ-104
Udemy course (Scott Duffy, Tim Warner)	$15 to $30	On sale at $15 most months
Practice questions	$0 to $100	NerdExam has 703 enriched AZ-104 questions free
Azure lab costs	$30 to $80	Free tier covers $200 of services for 30 days; expect $20/month after
MeasureUp practice exam (official)	$89	Optional. Same publisher as the real exam, used in last week.
Realistic total spend	$180 to $400	Cheapest viable path: $165 (exam only, free Microsoft Learn)

Microsoft offers an occasional 50% discount voucher via the Microsoft
Learn Cloud Skills Challenge. The challenge typically runs twice per
year and requires completing a training path before the voucher
unlocks. The voucher cuts the exam fee from $165 to $82.50. If a
challenge is running when you're ready to book, it's the easiest
discount in the certification world.

Microsoft does not offer a retake voucher discount. Failing AZ-104 once
costs you $165 to try again. Microsoft Learn has a 24-hour wait
between attempt 1 and 2, then 14-day waits between subsequent
attempts.

What study resources actually work?

The candidates who pass AZ-104 on the first attempt use a consistent
stack:

Microsoft Learn's official AZ-104 learning path (free, ~30 hours of modules). This is the closest match to exam phrasing because Microsoft writes both the modules and the questions
One video course for breadth (Scott Duffy's "AZ-104: Microsoft Azure Administrator Exam Prep" on Udemy is the community favorite at around $15 on sale; John Savill's free YouTube videos are equally good but less organized)
A free Azure account ($200 of free services for 30 days, then pay-as-you-go for low-cost resources). Set a $10 billing alert immediately to avoid surprises.
At least 400 practice questions before exam day to build pacing
One full-length timed practice exam in the final week. Take it on a Saturday morning, treat it like the real exam, score honestly. If you're below 75%, postpone the real exam by 2 weeks.

Skip the books. Azure changes too fast for printed material to stay
current. The Tim Warner book is the closest exception but expects 6+
months of Azure experience already. Skip the $300 bootcamps.
Microsoft Learn plus a $15 Udemy course covers the same ground.

For practice questions, NerdExam has 703 enriched AZ-104 questions
with full explanations. Start practicing AZ-104 questions
to see the question style before you commit to a study plan. The
question explanations alone show you the reasoning pattern the exam
expects, which is harder to learn from courses than from doing the
questions.

What salary can you expect after passing AZ-104?

Azure Administrator is one of the highest-paying mid-level cloud
certs. 2026 salary data from US job boards shows:

National average for Azure Administrator: $95,000 to $125,000
Top US metros (Seattle, NYC, DC): $130,000 to $155,000
Remote-friendly mid-level roles: $105,000 to $130,000 base
With 3+ years experience plus AZ-104: $145,000+ at enterprise Microsoft shops

The cert alone doesn't deliver these numbers. You also need real Azure
experience and ideally a second specialty (security, networking, or
DevOps). But AZ-104 is the credential most often required in Azure
admin and junior cloud engineer job postings, which makes it the right
mid-level cert to chase.

A practical negotiation tip: if you pass AZ-104 while currently
employed at a Microsoft shop, ask your manager about a salary band
adjustment before annual review cycle. Companies running heavy Azure
workloads typically have policies for post-cert compensation reviews,
but the policy rarely triggers automatically. Internal moves with a
fresh AZ-104 historically clear 7 to 12% base bumps. External moves
with a fresh AZ-104 plus 1+ year of Azure production work clear 18 to
30%.

Who should NOT take AZ-104?

The cert is wrong for these candidates:

You are	Take instead
New to cloud entirely	AZ-900 (Azure Fundamentals) first
A developer building on Azure	AZ-204 (Azure Developer Associate)
Targeting an architect role	AZ-305 (Solutions Architect Expert) after AZ-104
A security-first cloud engineer	AZ-500 (Azure Security Engineer) after AZ-104
Working primarily in AWS or GCP	The matching AWS (SAA-C03) or Google (Associate Cloud Engineer) cert
A data engineer	DP-203 (Azure Data Engineer) or AZ-104 second

The cert path matters more than the individual cert. Picking AZ-104
when your role uses AWS wastes 3 months. Azure hiring managers don't
penalize people for not having AZ-104; they penalize people for not
understanding the services.

What's next after AZ-104?

Once AZ-104 is in hand, three paths open up depending on what you
want:

Architect track: AZ-305 (Solutions Architect Expert). The natural follow-on. Most architects do this within 12 to 18 months of AZ-104.
Specialty track: AZ-500 (Security Engineer), AZ-700 (Network Engineer), or DP-203 (Data Engineer). Pairs well with AZ-104 for senior roles in those domains.
Multi-cloud track: Add AWS (SAA-C03) or GCP (Associate Cloud Engineer). Companies running multi-cloud workloads pay a premium for this combination.

Ready to start? Practice with real AZ-104 questions on NerdExam
or browse the free per-question explanations.
Microsoft Learn's free AZ-104 learning path is also worth starting
first if you haven't:
Microsoft Learn AZ-104 path.

Adjacent reading: What is IAM and why it matters for Azure
administrators,
What is a VPC and how Azure's VNet compares, and
AZ-900 vs AZ-104: which to take first.

AWS Certified Solutions Architect Associate (SAA-C03): What's Actually Tested

NERDEXAM — Fri, 29 May 2026 16:04:50 +0000

The AWS Certified Solutions Architect Associate (SAA-C03) is the most popular
AWS cert and one of the most useful credentials in cloud hiring. The exam is
$150, runs 130 minutes, has 65 questions, and requires 720 out of 1000 to
pass. Most candidates need 8 to 12 weeks of focused study. The questions are
almost entirely scenario-based, not memorization. If you have a year of
hands-on AWS experience, you can pass without a course. If you don't,
budget the full 12 weeks and do real labs.

The 90-second answer

Take SAA-C03 if you've been working with AWS for at least 6 to 12 months,
you're comfortable with EC2, S3, VPC, RDS, and IAM, and you want a credential
that hiring managers actually recognize. It's the best entry-point AWS cert
for anyone targeting cloud roles paying $130K and up.

Skip SAA-C03 if you've never used AWS in production. Start with AWS
Cloud Practitioner (CLF-C02) first to build vocabulary and confidence. Going
straight to SAA-C03 from zero AWS experience usually means a failed first
attempt and another $150.

What does the SAA-C03 actually test?

SAA-C03 tests four domains, with weights that haven't changed since the
exam launched in 2022. Every question maps to one of them.

Domain	Weight	What it covers
Design Secure Architectures	30%	IAM, encryption, security groups, NACLs, KMS, compliance
Design Resilient Architectures	26%	Multi-AZ, multi-region, backups, decoupled architectures (SQS, SNS)
Design High-Performing Architectures	24%	Compute selection, caching, content delivery (CloudFront), database tuning
Design Cost-Optimized Architectures	20%	Storage tiers (S3 lifecycle), Reserved Instances, Savings Plans, right-sizing

The exam is heavy on tradeoffs. A typical question describes a scenario
("a company runs a workload that needs sub-millisecond latency across three
regions") and asks which AWS services to combine. You're picking the
cheapest option that meets the requirements, not just the "right" answer.

If you've ever heard "this question has four right answers, pick the best
one," you've heard someone describe SAA-C03.

How hard is the SAA-C03?

SAA-C03 is a difficulty 3 out of 5. Harder than AWS Cloud Practitioner
(CLF-C02), much easier than AWS Solutions Architect Professional (SAP-C02).
Pass rate is not officially published, but community surveys put it
around 70% for first-time takers who studied at least 6 weeks.

The hard part isn't the AWS services. The hard part is the question style:

Long scenarios (3 to 5 paragraphs) you have to parse for the actual requirement
Four answer choices that are all technically valid, but only one is optimal for cost or performance
Time pressure: 65 questions in 130 minutes is exactly 2 minutes per question, with no buffer to review
"Pick TWO" multi-select questions where partial credit doesn't exist

People who fail SAA-C03 usually fail because they ran out of time, not
because they didn't know the services. Pace matters as much as content.

The most common failure pattern looks like this: candidate spends 8 weeks
on a course, never times themselves on practice questions, walks into the
exam confident, hits question 30 at the 90-minute mark, panics, guesses
the last 35 questions. Final score: 680. Build pacing in week 3, not
week 8. Take at least one full timed practice exam by the end of week 4.

How long should you study for SAA-C03?

AWS recommends 1 year of hands-on experience before taking SAA-C03. That's
the baseline assumption built into question difficulty. For actual study
time on top of that experience:

With 1+ year AWS experience: 4 to 6 weeks at 8 to 10 hours per week
With 6 to 12 months AWS experience: 8 to 10 weeks at 8 to 10 hours per week
No AWS experience: 14 to 16 weeks, and you should take CLF-C02 first anyway
Transferring from Azure or GCP cert: 6 to 8 weeks, mostly to learn AWS-specific service names and the Well-Architected Framework

The biggest waste of study time is watching course videos without doing
labs. Build at least 3 small projects in your AWS account: a static site on
S3 plus CloudFront, a Multi-AZ RDS database with a Lambda function in front,
and a VPC with public and private subnets connecting two EC2 instances.
That hands-on work makes scenario questions click.

A realistic week-by-week pace for an 8-week study plan looks like:

Week 1: IAM, organizations, accounts, billing fundamentals
Week 2: VPC, subnets, routing, security groups, NACLs
Week 3: EC2 families, AMIs, Auto Scaling, Elastic Load Balancing
Week 4: S3 deeply (lifecycle, encryption, replication, intelligent tiering)
Week 5: RDS, DynamoDB, ElastiCache, decoupling with SQS and SNS
Week 6: CloudFront, Route 53, hybrid networking (Direct Connect, VPN)
Week 7: Security services (KMS, GuardDuty, Macie) + monitoring (CloudWatch)
Week 8: Practice exams, weak-area cleanup, exam-day pacing drills

Most failures happen because candidates skip weeks 1 and 2. IAM and VPC
together account for roughly 35% of SAA-C03 questions when you read the
domain breakdown carefully.

What does the SAA-C03 cost?

The exam itself is $150 USD plus any local taxes. Beyond that, real total
cost depends on what study path you take:

Component	Range	Notes
Exam fee	$150	One attempt. Retake is another $150 if you fail.
Study course	$0 to $150	Stephane Maarek or Neal Davis on Udemy at ~$15 during sales
Practice questions	$0 to $50	NerdExam has 824 SAA-C03 questions if you want a free option
AWS lab costs	$20 to $100	Free tier covers most; expect ~$30/month if you push beyond it
Books or whitepapers	$0	AWS Well-Architected Framework PDF is free
Total realistic spend	$150 to $400	Cheapest viable path: $150 (exam only)

AWS offers a 50% retake voucher if you fail your first attempt, but only
if you book the retake within 14 days. AWS also occasionally drops 50%
vouchers for completing Skill Builder learning plans.

What salary can you expect after passing?

Solutions Architect Associate is one of the highest-paying entry-level
cloud certs. 2026 salary data from US job boards shows:

National average for AWS Solutions Architect: $145,000 to $165,000
Top US metros (Cupertino, Berkeley, Bellevue): $168,000 to $175,000
Remote-friendly mid-level roles: $130,000 to $150,000 base
With 3+ years experience plus SAA-C03: $180,000+ at FAANG-tier companies

The cert alone doesn't deliver these numbers. You also need real AWS
experience and ideally a second specialty (security, networking, or
data). But SAA-C03 is the credential most often required in cloud
architect job postings, which makes it the right first cert to chase.

A practical negotiation tip: if you pass SAA-C03 while currently employed,
ask your manager about a salary band adjustment before your annual review
cycle. Companies that fund the exam fee typically have policies for
post-cert compensation reviews, but the policy rarely triggers
automatically. You have to ask. Internal moves with a fresh cert
historically clear 8 to 15% base bumps. External moves with a fresh cert
plus 1+ year of AWS production work clear 20 to 35%.

What study resources actually work?

The candidates who pass on the first attempt use a consistent stack:

One video course for breadth (Stephane Maarek's "Ultimate AWS Certified Solutions Architect Associate" on Udemy is the community favorite at around $15 on sale; Adrian Cantrill's course goes deeper but costs more and takes longer)
AWS Well-Architected Framework whitepaper (free, ~80 pages, read it twice). Also worth: the AWS Security Pillar and AWS Reliability Pillar whitepapers
A free AWS account for hands-on labs (set a $5 billing alert immediately to avoid surprise charges)
At least 500 practice questions before exam day to build pacing
Two full-length timed practice exams in the final week. Take them on a Saturday morning, treat them like the real exam, score honestly. If you're below 75% on the second one, postpone the real exam.

Skip the books. They're outdated faster than the AWS console changes.
Skip the $300 bootcamps. The free Skill Builder content from AWS plus a
$15 Udemy course covers the same ground. Reddit's r/AWSCertifications
has the most current crowd-sourced advice on which study resources are
working this quarter.

For the practice question portion, NerdExam has 824 enriched SAA-C03
questions with full explanations. Start practicing SAA-C03 questions
to see the question style before you commit to a study plan. The free
question explanations alone show you the reasoning pattern the exam
expects, which is harder to learn from courses than from doing the
questions.

Who should NOT take SAA-C03?

The cert is wrong for these candidates:

You are	Take instead
New to cloud entirely	AWS Cloud Practitioner (CLF-C02) first
A developer building on AWS	AWS Certified Developer Associate (DVA-C02)
A SysOps admin	AWS Certified SysOps Administrator (SOA-C02)
Targeting an architect role with 3+ years experience	Skip SAA-C03, take Solutions Architect Professional (SAP-C02)
Working primarily in Azure or GCP	The matching Azure (AZ-104) or Google (Associate Cloud Engineer) cert. Don't context-switch unless your job requires it.

The cert path matters more than the individual cert. Picking SAA-C03 when
your role uses Azure wastes 3 months. AWS hiring managers don't penalize
people for not having SAA-C03; they penalize people for not understanding
the services.

What's next after SAA-C03?

Once SAA-C03 is in hand, three paths open up depending on what you want:

Architect track: Solutions Architect Professional (SAP-C02). Bigger, harder, and the natural follow-on. Most architects do this within 12 to 18 months of SAA-C03.
Specialty track: AWS Certified Security (SCS-C02), Networking (ANS-C01), or Database (DBS-C01). Pairs well with SAA-C03 for senior roles in those domains.
Multi-cloud track: Add Azure (AZ-104) or GCP (Associate Cloud Engineer). Companies running multi-cloud workloads pay a premium for this combination.

Most people take 12 to 24 months between SAA-C03 and their next cert.
Use that time to ship real production AWS work. The cert pays off when
hiring managers see it alongside actual experience, not when it's the
only line on your resume.

Ready to start? Practice with real SAA-C03 questions on NerdExam
or browse the free per-question explanations.
The AWS Well-Architected Framework is also worth reading first if you
haven't: download the whitepaper here.

Adjacent reading: What is IAM and why it matters for AWS architects,
What is a VPC.