Why Security+ still matters in 2026

Security+ sits at an unusual position in the certification ladder: it requires no prerequisites, yet it carries real professional weight. The U.S. DoD mandates it for IAM Level II roles under Directive 8570. Hiring managers across federal and commercial sectors use it as a baseline filter for entry-level and mid-level security positions. It covers a wide enough range of domains — from cryptography to cloud security to governance — that passing it signals genuine breadth, not just vendor familiarity.

The SY0-601 retired on 31 July 2024. If you are starting your Security+ journey today, you are studying SY0-701 — there is no choice. The changes are significant enough that SY0-601 study materials will actively mislead you in several areas, particularly around domain structure, zero-trust concepts, and automation coverage. Do not study from old materials.

What changed from SY0-601 to SY0-701

CompTIA restructured the exam considerably. The headline change is the reduction from six domains to five, but the content shifts matter more than the count:

The five domains — weights and what to focus on

Domain 1 — General Security Concepts (12%)

The smallest domain, but a weak foundation here undermines everything else. The concepts anchor the entire exam.

  • Security control categories and types: Technical vs. managerial vs. operational vs. physical. Preventive vs. detective vs. corrective vs. compensating vs. directive. The exam gives a scenario and asks which control type applies — know the distinctions cold.
  • Cryptography fundamentals: Symmetric (AES, 3DES) vs. asymmetric (RSA, ECC). Hash functions: SHA-256 and SHA-3 for integrity; MD5 for “what not to use” scenarios. Digital signatures, certificates, PKI chains of trust, and the role of certificate authorities and CRLs.
  • Authentication: MFA factors (something you know, have, are, somewhere, do). TOTP vs. HOTP. Passwordless authentication. Federation protocols: SAML for SSO assertions, OAuth 2.0 for authorization delegation, OpenID Connect for identity on top of OAuth.

Domain 2 — Threats, Vulnerabilities & Mitigations (22%)

The second-heaviest domain. Social engineering, malware classification, and vulnerability management all live here.

  • Threat actors and motivations: Nation-state (espionage, disruption), hacktivist (ideology), organized crime (financial), insider (access + motive), script kiddie (opportunistic). The exam uses motivation to help you identify the actor type in scenario questions.
  • Social engineering: Phishing, spear phishing, whaling, vishing, smishing, pretexting, baiting, tailgating, watering hole attacks. SY0-701 explicitly adds AI-generated lures: deepfake voice calls and synthetic video impersonation.
  • Malware taxonomy: Ransomware (encrypts data, demands payment), RAT (remote control), keylogger (credential theft), rootkit (hides from OS), worm (self-replicating, no host file), Trojan (disguised as legitimate software), fileless malware (runs in memory, no disk artifact), logic bomb (triggered by event or date).
  • Vulnerability management: CVSS scoring (Base, Temporal, Environmental). CVE identifiers. Patch management lifecycle. Credentialed vs. non-credentialed scans and why the results differ. The five phases of penetration testing: reconnaissance, scanning, exploitation, post-exploitation, reporting.

Domain 3 — Security Architecture (18%)

Network design, cloud security models, and the infrastructure decisions that define an organization’s attack surface.

  • Zero trust architecture: Never trust, always verify. Microsegmentation divides the network into small zones, limiting lateral movement. The policy enforcement point (PEP) enforces access decisions; the policy decision point (PDP) evaluates them. Contrast with the traditional castle-and-moat perimeter model.
  • Network security controls: DMZ topology, VLANs for segmentation, east-west vs. north-south traffic inspection. Stateful firewalls vs. next-generation firewalls (application awareness, user identity). IDS (passive, detects and alerts) vs. IPS (inline, detects and blocks). Proxy servers and TLS/SSL inspection.
  • Cloud and hybrid environments: IaaS/PaaS/SaaS shared responsibility boundaries — know what the customer controls in each model. CASB enforces security policy for cloud app usage. Infrastructure as Code introduces misconfiguration as a primary attack vector. Serverless functions expand the attack surface through event injection and insecure triggers.
  • Resilience and deception: Jump servers and bastion hosts for privileged access. Honeypots and honeynets to detect attacker reconnaissance. Geographic redundancy and disaster recovery site types (hot, warm, cold).

Domain 4 — Security Operations (28%)

The largest domain by weight. This is where incident response, monitoring, identity management, and endpoint security converge.

  • Incident response lifecycle: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Know what happens at each phase. Chain of custody and forensic imaging preserve evidence; order-of-volatility determines what to collect first (CPU registers → RAM → swap → disk).
  • SIEM and SOAR: SIEM aggregates logs, correlates events, and generates alerts. SOAR executes automated playbooks in response to SIEM alerts, reducing mean time to respond (MTTR). The exam distinguishes them clearly: SIEM detects, SOAR responds automatically.
  • Identity and access management: PAM (Privileged Access Management) vaults credentials and enforces just-in-time access. Directory services (LDAP, Active Directory) provide centralized identity stores. SSO and federation reduce password sprawl across applications.
  • Endpoint security: EDR continuously monitors endpoint activity and can isolate hosts. XDR extends detection across endpoint, network, and cloud telemetry. Application allow-listing blocks unauthorized execution. MDM enforces device compliance; MAM manages only corporate apps on BYOD devices.
  • Data security: DLP prevents unauthorized data exfiltration at the endpoint and network boundary. Data classification tiers (public, internal, confidential, restricted) drive access controls. Tokenization replaces sensitive values with non-sensitive tokens; encryption transforms data mathematically; masking partially obscures values for display.
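
To make "SIEM detects, SOAR responds" concrete, here is an added example (not code from CompTIA or this page) of the kind of correlation rule a SIEM runs: several failed logins from one source followed by a success within a short window is raised as an alert, and a playbook function turns that alert into a response plan. The log lines are constructed, and the rule thresholds and action names are assumptions for illustration.

```python
# Added example (not from the CompTIA page): a minimal SIEM-style correlation
# rule over constructed auth log lines. One failed login is noise; N failures
# from one source followed by a success inside a window is the correlated
# signal a SIEM alerts on and a SOAR playbook acts upon.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-style); not captured from a real system.
SAMPLE_LOG = """\
2024-09-01T10:00:01 sshd[1]: Failed password for alice from 203.0.113.7
2024-09-01T10:00:03 sshd[1]: Failed password for alice from 203.0.113.7
2024-09-01T10:00:05 sshd[1]: Failed password for bob from 203.0.113.7
2024-09-01T10:00:09 sshd[1]: Accepted password for bob from 203.0.113.7
2024-09-01T10:05:00 sshd[1]: Failed password for carol from 198.51.100.9
2024-09-01T11:00:00 sshd[1]: Accepted password for carol from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text: str):
    """Yield (timestamp, result, user, src) for each line the pattern matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def correlate(log_text: str, threshold: int = 3, window: timedelta = timedelta(minutes=2)):
    """Return alerts: a success from a source with >= threshold failures
    within `window` before it (brute force followed by a hit)."""
    failures = defaultdict(list)  # src -> timestamps of failed logins
    alerts = []
    for ts, result, user, src in parse(log_text):
        if result == "Failed":
            failures[src].append(ts)
            continue
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": src, "user": user, "failures": len(recent), "at": ts.isoformat()})
    return alerts


def playbook(alert: dict) -> list:
    """SOAR-style response plan derived from the alert (assumed action names,
    returned as data; a real SOAR would call firewall and IdP APIs)."""
    return [f"block_ip:{alert['src']}", f"disable_user:{alert['user']}", "open_ticket"]
```

Run `correlate(SAMPLE_LOG)` and the first source trips the rule (three failures, then a success for `bob`), while carol's single failure an hour before her login does not.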

Domain 5 — Security Program Management & Oversight (20%)

Formerly GRC, now broader. This domain rewards candidates who understand security as a business function, not purely a technical one.

  • Risk management: Risk appetite (how much risk is acceptable) vs. risk tolerance (acceptable variance). Risk responses: accept, avoid, transfer (insurance, contractual liability), mitigate. Quantitative analysis: ALE = ARO × SLE. Know these formulas and when to apply qualitative vs. quantitative methods.
  • Compliance frameworks: NIST CSF (five functions: Identify, Protect, Detect, Respond, Recover). ISO/IEC 27001 (ISMS standard). SOC 2 (service organization controls for security and availability). HIPAA (healthcare data), GDPR (EU personal data), PCI DSS (payment card data). The exam tests which framework applies to which sector, not deep implementation detail.
  • Third-party and supply chain risk: Vendor risk assessments, penetration testing rights (right-to-audit clauses), MSP as a shared risk surface. SY0-701 added explicit supply chain attack coverage following high-profile incidents — understand how compromised software updates propagate through trusted channels.
  • Data privacy: Data sovereignty (data governed by the laws of where it physically resides). Right to erasure (GDPR Article 17) and how backup retention policies create compliance tension. Privacy impact assessments (PIAs) before launching new data-processing activities.

SY0-701 opens with performance-based questions (PBQs) — interactive drag-and-drop and simulation scenarios. They cannot be skipped and count toward your score. Practice with PBQ-style exercises before exam day. Budget up to 3 minutes per PBQ, make your best decision, and move on. The remaining multiple-choice questions are where most candidates recover points.

A study plan that works

Most candidates need 4–8 weeks, depending on prior experience. Use domain weights as your time allocation guide. Domain 4 at 28% gets the most hours; Domain 1 at 12% gets the fewest — but do not skip it. A reliable structure: one week per domain in order, then 5–7 days of timed full-length practice exams. Review every wrong answer by tracing it back to the specific exam objective. The goal is not memorizing answers — it is understanding why the correct answer is correct and why each wrong answer is wrong.

On exam day, the 90-minute window is sufficient if you do not stall. Flag questions you are unsure about, keep moving, and return to flagged items after completing the full question set. The passing score of 750 out of 900 is approximately 83% — higher than many candidates expect. Budget your study time accordingly.

Why it matters for cert candidates

Security+ SY0-701 is the gateway to virtually every mid-level security career path: SOC analyst, security engineer, cloud security specialist, and GRC roles. The domains it covers — zero trust, SIEM/SOAR, supply chain risk, and AI-driven threats — map directly to the skills employers list in current job postings. Pairing Security+ with AWS SAA-C03 covers both the infrastructure and security dimensions that cloud-era employers increasingly treat as a baseline package for cloud security roles. Source: CompTIA Security+ official exam page.

Ready to test your Security+ knowledge? We have scenario-based SY0-701 practice questions covering all five domains — timed, randomized, and free.

Start Security+ Practice Questions →