The CompTIA Security+ (SY0-701) is the most widely recognised entry-level security certification in the industry. It's DoD 8570/8140 approved, listed on thousands of job postings, and — unlike most vendor certifications — it proves security fundamentals that transfer across platforms and employers.
It's also harder than most candidates expect.
Not because the content is obscure, but because the exam tests judgment, not just knowledge. This guide covers what you actually need to do to pass it in 2026.
What the SY0-701 exam looks like
90 questions maximum. 90-minute time limit. Passing score: 750 out of 900.
Question types include:
- Multiple choice (single and multiple answer)
- Performance-based questions (PBQs) — drag-and-drop, matching, and scenario simulations
The PBQs appear at the start of the exam and take longer than multiple choice. Most candidates find them the most demanding part. If you've never practised working through a scenario-based security question under time pressure, PBQs will feel unfamiliar on exam day.
Five domains:
| Domain | Weight |
|---|---|
| General Security Concepts | 12% |
| Threats, Vulnerabilities & Mitigations | 22% |
| Security Architecture | 18% |
| Security Operations | 28% |
| Security Program Management & Oversight | 20% |
Security Operations carries the most marks and is the most scenario-heavy. It's also where candidates most commonly drop points.
Why people fail Security+
Ask anyone who's failed SY0-701 and the pattern is consistent: they knew the definitions but couldn't answer the questions.
Security+ questions are deliberately worded to test application, not recall. A question won't ask you to define a buffer overflow. It'll describe an application behaviour and ask what type of attack is most likely occurring — with four plausible options where two sound reasonable.
The second trap is time. 90 questions in 90 minutes sounds comfortable until you hit a PBQ that takes four minutes to work through. Candidates who haven't practised pacing often find themselves rushing through the final 20 questions.
The five areas that decide your result
1. Threats, Vulnerabilities & Mitigations (22%)
The second-heaviest domain by weight. You need to know attack types cold: phishing variants (spear phishing, whaling, vishing, smishing), malware categories (ransomware, RATs, rootkits, keyloggers), social engineering techniques, and injection attacks. More importantly, you need to know how to identify them from a scenario description, not just define them.
2. Security Operations (28%)
The exam's heaviest domain by weight. Covers identity and access management, incident response procedures, log analysis, vulnerability scanning, and endpoint security. IAM in particular — understanding authentication types, MFA factors, privilege escalation, and PAM — generates a high volume of questions.
3. Security Architecture (18%)
Network segmentation, VPNs, zero trust principles, cloud security models (IaaS, PaaS, SaaS), and infrastructure hardening. The architecture domain requires you to choose the right control for a given scenario, not just list what controls exist.
4. Security Program Management & Oversight (20%)
Risk management (likelihood × impact), compliance frameworks (GDPR, HIPAA, PCI-DSS), data classification, and third-party risk. Many candidates under-prepare this domain because it feels like memorisation, but the exam asks you to apply frameworks to real scenarios, which requires understanding them, not just knowing their names.
5. General Security Concepts (12%)
Cryptography fundamentals (symmetric vs asymmetric, hashing, PKI, digital signatures), authentication protocols, and security controls. Smaller domain but foundational — weak cryptography knowledge affects questions across multiple other domains.
The study approach that works
Start with the heaviest domain first. Security Operations is 28% of the exam. Most study guides cover it in the middle. Cover it first so you have the most time to reinforce it.
Practise identifying, not defining. For every concept you learn, ask: "If I saw this in a scenario, what clues would tell me this is the answer?" Ransomware encrypts files and demands payment. A RAT provides remote access without the user's knowledge. Buffer overflows corrupt adjacent memory. Train yourself to recognise the fingerprint, not just the definition.
Do PBQ practice specifically. Performance-based questions need their own preparation. Work through drag-and-drop and scenario simulations so the format doesn't slow you down on exam day. Several free PBQ practice sets exist online — use them.
Track your domain accuracy, not your total score. If you're scoring 75% overall but 55% on Security Operations, every extra hour on the domains you already know is wasted. Know your weak domain and drill it specifically.
Aim to answer in 60 seconds per question. With PBQs taking longer, your multiple choice pace needs to be fast. If you find yourself spending two minutes on a single MCQ, mark it and move on.
Which resources actually help
Mike Chapple & David Seidl's CompTIA Security+ Study Guide — the most thorough written resource. Covers every objective methodically. Good for building conceptual foundation before you start drilling questions.
Professor Messer's Security+ Course — free on YouTube. Well-structured, covers SY0-701 objectives clearly. Better for visual learners and as a supplement to the textbook.
Jason Dion's practice exams (Udemy) — high-quality, scenario-heavy questions that match the exam's style well. Not a substitute for concept understanding, but a good gauge of readiness.
Hands-on labs — TryHackMe and Hack The Box both have Security+ aligned content. If you can set up a basic network, perform a port scan, and read a Wireshark capture, you'll be more confident in the Operations domain than someone who only read about it.
The week before the exam
By this point your weak domains should be identified and largely closed.
Run two full timed practice exams — 90 questions, 90 minutes, no pausing. Look at where you're slow, not just where you're wrong. Then spend the final days reviewing your worst-performing domain specifically rather than re-reading material you already know.
Don't try to learn new concepts in the final 48 hours. If it isn't in your head by then, cramming it in won't help under exam pressure. Focus on consolidating what you already know.
Sleep before the exam. Memory consolidation happens during sleep. A rested brain retrieves faster than a tired one, and retrieval speed matters at question 70 of 90.
On exam day
- PBQs appear first. Don't panic if they're harder than expected — they always are. Work through them methodically and flag anything you want to revisit.
- For "select all that apply" questions: treat each option as true/false independently. Don't assume there are exactly two correct answers.
- For scenario questions: identify the primary concern in the scenario before reading the options. Then eliminate answers that don't address it directly.
- Don't second-guess confident answers. Your first instinct on a question you know is usually right.
How long does it take?
With some IT background: 6–8 weeks of consistent study (1 hour daily).
Starting from scratch: 10–12 weeks.
The Security+ is achievable on the first attempt for almost anyone who prepares deliberately. The candidates who struggle are usually the ones who spent too long watching videos and not long enough answering questions — passive consumption feels like studying but doesn't build the judgment the exam tests.
Start practising earlier than feels comfortable. Track your domain scores. Fix your weakest areas before exam day finds them for you.