NERDEXAM

Originally published at nerdexam.com

CompTIA Security+ Exam Objectives (SY0-701): Domain-by-Domain Breakdown

The CompTIA Security+ SY0-701 exam tests five domains across 90
questions in 90 minutes. CompTIA updated the domain weights when they
retired SY0-601 in mid-2024. Two domains, Security Operations (28%)
and Threats/Vulnerabilities/Mitigations (22%), carry exactly half the
exam weight. The other three domains share the rest. If you study
the official objectives PDF without understanding the weights, you'll
waste 30 to 40 hours on the lower-weight domains and run out of time
on the high-impact ones.

The 90-second answer

Study the high-weight domains first. Security Operations (28%)
and Threats/Vulnerabilities/Mitigations (22%) together account for
50% of the exam. If you can answer 90% of questions in these two
domains, you're already at 45 points out of a passing 750. Combined
with average performance elsewhere, that's the path to a pass.

The traps: General Security Concepts (12%) feels easy because it
covers vocabulary, so candidates skip it during review. Then 5 to 7
questions that hinge on precise definitions of terms like
"compensating control" or "deterrent vs preventive" cost them the exam.
Security Program Management (20%) feels boring (policies, governance,
audit), so candidates skim it. Both are deceptively trap-heavy.

The good news: every SY0-701 question maps to one of these five
domains, and the official objectives PDF lists every sub-objective.
There are no surprises if you actually read it.

What does Domain 1 (General Security Concepts) cover?

Domain 1 covers the foundational vocabulary every security question
relies on, weighted at 12%. Roughly 11 questions on a 90-question
exam. The CIA triad, AAA (authentication, authorization, accounting),
non-repudiation, security controls classifications, change management,
zero trust principles, and basic cryptography fall here.

Specific objectives you'll see on the exam:

| Topic | What's tested |
| --- | --- |
| CIA triad | Distinguishing confidentiality, integrity, availability concerns in scenario questions |
| Security control types | Technical vs administrative vs physical; preventive vs detective vs corrective vs compensating vs deterrent |
| Change management | The PMBOK-style process of impact assessment, approval, testing, documentation |
| Cryptographic solutions | PKI, symmetric vs asymmetric, hashing (SHA-256, SHA-3), digital signatures, certificates |
| Zero trust principles | Adaptive identity, threat scope reduction, policy-driven access, control plane vs data plane |

This domain is mostly vocabulary memorization. The fastest study
approach is reading Professor Messer's 1.1 through 1.4 videos at 1.5x
speed, then making a one-page summary in your own words. Most
candidates rate this the easiest domain after taking it.

What does Domain 2 (Threats, Vulnerabilities, and Mitigations) cover?

Domain 2 weighs 22% and covers everything attackers do plus how
defenders respond. Roughly 20 questions per exam. Threat actors,
attack surfaces, malware classifications, social engineering, network
attacks, application attacks, vulnerability classifications, indicators
of compromise, and mitigation techniques all fall here.

The sub-objectives that show up most often:

  • Threat actor motivations and capabilities: nation-state vs organized crime vs hacktivist vs insider; you need to map a scenario description to the right threat actor type
  • Attack vectors and attack surfaces: differentiating attack vectors (how) from attack surfaces (where)
  • Malware classifications: virus vs worm vs trojan vs ransomware vs rootkit vs spyware vs keylogger vs logic bomb. Several questions per exam.
  • Social engineering: phishing variants (spear, whaling, vishing, smishing), pretexting, watering hole attacks, business email compromise
  • Network attacks: DDoS variants (volumetric, protocol, application layer), MITM, DNS attacks, wireless attacks, replay attacks
  • Application attacks: SQL injection, XSS (stored vs reflected vs DOM-based), CSRF, directory traversal, buffer overflow, race conditions, malicious code injection
  • Indicators of compromise (IoC): account lockouts, concurrent session usage, blocked content, impossible travel, resource consumption, OOM errors, missing logs
  • Mitigation techniques: segmentation, access control, monitoring, least privilege, defense in depth, hardening

Most candidates lose points here on the indicator-of-compromise
questions and the social engineering variants. The fix is doing 50 to
80 practice questions in this domain specifically before exam day.

What does Domain 3 (Security Architecture) cover?

Domain 3 weighs 18% and covers architectural design choices that
shape security posture. Roughly 16 questions per exam. Network, infra,
application, and cloud security architecture; resilience and recovery
patterns; secure data classification all fall here.

The sub-objectives that show up most:

  • Network security architecture: firewall placement, DMZ design, network segmentation, VLANs, micro-segmentation, screened subnets, east-west vs north-south traffic
  • Cloud security architecture: shared responsibility model (specifically AWS / Azure / GCP variations), serverless vs containers, SaaS-specific concerns, IaC security, hybrid cloud
  • Application security architecture: secure coding practices, input validation, output encoding, parameterized queries, secure defaults, secure libraries
  • Resilience and recovery: high availability designs, fault tolerance, redundancy, backup strategies (3-2-1 rule), RTO/RPO calculations, hot/warm/cold sites
  • Data classification and protection: sensitive data identification, encryption at rest, encryption in transit, DLP, tokenization, data masking, secure data disposal

This domain often surprises candidates because it overlaps with the
CompTIA Cloud+ exam content. If you've done any cloud work, expect to
score higher here than you'd predict. If you haven't, this is the
domain where simulated labs help most.

What does Domain 4 (Security Operations) cover?

Domain 4 weighs 28%, the highest of any domain. About 25 questions
per exam. Hardening, asset management, vulnerability management,
monitoring, incident response, digital forensics, and identity
management all fall here.

The sub-objectives that show up most:

  • Hardening techniques: secure baselines, configuration management, disabling unnecessary services, default credential changes, patch management, endpoint hardening
  • Vulnerability management: scanning (authenticated vs unauthenticated, internal vs external), CVSS scoring, prioritization by risk, remediation strategies
  • Monitoring and SIEM: log aggregation, correlation rules, alert tuning, dashboards, retention policies, common SIEM platforms (Splunk, Sentinel, Elastic, QRadar)
  • Incident response: NIST 800-61 lifecycle (preparation, detection, containment, eradication, recovery, lessons learned), playbooks, chain of custody, tabletop exercises
  • Digital forensics: evidence preservation, chain of custody, volatile vs non-volatile data, timeline analysis, hash verification, legal holds
  • Identity and access management: SSO, MFA, federation, just-in-time access, privileged access management, identity proofing, account lifecycle
  • Automation and orchestration: SOAR platforms, scripted responses, ticket integration, API-driven workflows

This domain has the most performance-based questions (PBQs). Expect
2 to 3 PBQs that drop you into a simulated SIEM dashboard or ask you
to drag IR phases into the right order. The home-lab investment from
the Security+ study guide pays off most here.

What does Domain 5 (Security Program Management) cover?

Domain 5 weighs 20%, the second-largest after Operations. About 18
questions per exam. Risk management, governance, audit, vendor risk
management, security awareness, and compliance frameworks all fall
here.

The sub-objectives that show up most:

  • Risk management: risk identification, assessment (qualitative vs quantitative), treatment (accept, avoid, mitigate, transfer), monitoring, risk appetite vs tolerance, risk register
  • Governance: policies, standards, procedures, guidelines, centralized vs decentralized governance, governance structures
  • Compliance frameworks: NIST CSF v2.0, ISO 27001, PCI DSS, GDPR, HIPAA, SOX, CCPA, regional data sovereignty rules
  • Vendor risk management: due diligence, contracts and SLAs, third-party assessments, supply chain attacks, fourth-party risk
  • Audit and assessment: internal vs external audit, attestation reports (SOC 1, SOC 2 Type I vs II, ISO certifications), gap analysis, control testing
  • Security awareness: training programs, phishing simulations, password policies, acceptable use policies, role-based training
  • Privacy considerations: data subject rights, consent management, privacy impact assessments, breach notification timelines

This domain trips up technical candidates because it asks process
questions, not technical ones. The framework-mapping questions (NIST
CSF function to a specific control) are where most points get lost.
Spend at least 8 hours on this domain even though it feels
"boring" to technical readers.

How do the domain weights compare to SY0-601?

CompTIA shifted weight toward Security Operations and Security Program
Management when they updated to SY0-701 in mid-2024. The old SY0-601
breakdown was:

| Domain | SY0-601 weight | SY0-701 weight | Change |
| --- | --- | --- | --- |
| Attacks, Threats, Vulnerabilities | 24% | 22% | -2% (now "Threats, Vulnerabilities, Mitigations") |
| Architecture and Design | 21% | 18% | -3% (now "Security Architecture") |
| Implementation | 25% | merged into Architecture + Operations | removed as standalone |
| Operations and Incident Response | 16% | 28% | +12% (now "Security Operations") |
| Governance, Risk, Compliance | 14% | 20% | +6% (now "Security Program Management") |

The big shift is Security Operations going from 16% to 28%. If you're
using older study material that pre-dates SY0-701, you'll under-prepare
on the most important domain. Verify your course version covers
SY0-701 explicitly before you spend study time on it.

How do I use the domain weights to plan study time?

Allocate study hours proportional to domain weights, with a 1.2x
multiplier for domains where you have weaker hands-on experience. A
realistic 80-hour study budget breaks down like this:

| Domain | Weight | Base hours | Adjusted hours (for typical IT admin) |
| --- | --- | --- | --- |
| Security Operations | 28% | 22 | 24-28 (most candidates need extra lab time) |
| Threats, Vulnerabilities, Mitigations | 22% | 18 | 18-20 |
| Security Program Management | 20% | 16 | 18-20 (process-heavy, often skipped) |
| Security Architecture | 18% | 14 | 14-16 |
| General Security Concepts | 12% | 10 | 8-10 (vocabulary, fast to learn) |

If you're a process-oriented person (project manager, GRC analyst),
flip the multiplier: spend MORE time on Architecture and Operations,
less on Program Management.

The candidates who pass on the first try track their per-domain
practice-question accuracy weekly. Practice tools like NerdExam break
their question banks by domain, so you can see where you're at 85%
and where you're at 60%, then allocate the next week's study time
accordingly.

For practice questions filtered by domain, NerdExam has 1,056
enriched SY0-701 questions with full explanations. Start practicing
Security+ questions to see the question style before you commit to a
study plan.

What's NOT on the SY0-701 exam?

CompTIA explicitly excludes several topics that show up in study
forums but never appear on the real exam:

  • Specific vendor product configuration (no exam questions on "configure Cisco ASA firewall syntax")
  • Programming syntax (you might see PowerShell or Bash pseudo-code in a PBQ but never write code)
  • Deep cryptography math (you need to know SHA-256 exists, not implement it)
  • Specific CVE numbers (you need to know what CVSS is, not memorize CVE-2024-1234)
  • Detailed legal case law (you need to know HIPAA exists and its general scope, not memorize which exception applies in subsection 164.512)
  • Specific tool keyboard shortcuts or menu paths
  • Vendor-specific cloud service names (you need "object storage", not "S3 vs Azure Blob vs GCS")

If a YouTube prep video spends 20 minutes on any of these, switch
videos. The exam doesn't reward that level of detail.

Ready to start? Practice with 1,056 real Security+ SY0-701 questions
on NerdExam or browse the free per-question explanations. CompTIA's
free exam objectives PDF is also worth downloading first if you
haven't: CompTIA Security+ exam objectives.

Adjacent reading: CompTIA Security+ Study Guide: 10-Week Plan; Where
to actually buy a Security+ voucher; What is MFA; What is a CVE; What
is Zero Trust.
