CompTIA Security+ (SY0-701) Study Guide

Everything on the exam, in one place: the five domains and their weights, a four-week study plan, a readiness checklist you can tick off, and cryptography / protocol / access-control cheat sheets — with explained, sourced sample questions throughout.

~14 min read · Current SY0-701 exam code · Sourced to official objectives

Exam at a glance

The CompTIA Security+ (SY0-701) validates the core skills to assess risk, secure systems and networks, respond to incidents, and operate within a governance framework. Here are the numbers that shape how you should study.

Questions: 90 max
Time limit: 90 minutes
Passing score: 750 on a 100–900 scale
Question types: multiple-choice (single and multiple response) plus performance-based questions (PBQs)

Because there can be up to 90 questions in 90 minutes, pacing matters — that's roughly a minute per item, and the performance-based questions (simulations and drag-and-drop) eat more time than a multiple-choice question. The exam is weighted across five domains, and Security Operations (28%) and Threats, Vulnerabilities & Mitigations (22%) together make up half the exam, so they deserve the most study time.

Domains & weighting

Where to spend your hours: a sensible split mirrors the weights — most time on Security Operations and Threats/Vulnerabilities, least on General Security Concepts (the smallest slice, though its vocabulary underpins every other domain).

The five domains

What each domain covers, plus one explained, sourced sample question pulled straight from our question bank so you can see the depth the exam expects.

Domain 1 · General Security Concepts (12%)
The vocabulary — controls, CIA, cryptography, zero trust
Key topics: CIA triad & AAA · Control types (technical/managerial/operational/physical) · Control functions (preventive/detective/corrective…) · Zero trust · Cryptography (symmetric/asymmetric/hashing) · PKI & certificates · Digital signatures · Change management
Sample · Domain 1 → 1.4 Cryptographic solutions · Verified, 2 sources

A developer signs a software update by hashing the package and signing the hash with their private key. A recipient wants to confirm both that the file was not altered and that it genuinely came from the developer. Which property does this signing process primarily provide?

A) Integrity and non-repudiation of the update [Correct]
   A digital signature hashes the data for integrity and signs that hash with the private key, so only the holder could have produced it, giving non-repudiation.
B) Confidentiality of the update contents [Confuses confidentiality]
   This confuses signing with encrypting the payload; the package body remains readable, so signing the hash does not hide the data.
C) Availability of the update server [Wrong CIA pillar]
   Availability concerns uptime and access to resources, which a signature does nothing to guarantee — a CIA pillar unrelated to signing.
D) Symmetric key exchange between the parties [Wrong key model]
   Signing uses an asymmetric private/public key pair, not a shared secret; no symmetric session key is negotiated by this process.
Sources: NIST FIPS 186-5 — Digital Signature Standard · NIST CSRC Glossary (a signature provides authenticity, integrity, and non-repudiation — not confidentiality).
Domain 2 · Threats, Vulnerabilities & Mitigations (22%)
The attacks — actors, vectors, malware, and how to mitigate
Key topics: Threat actors & motivations · Attack vectors & social engineering · Malware types · Application attacks (injection, XSS) · Network attacks (on-path, DDoS) · Vulnerability types · Indicators of compromise · Mitigation techniques (hardening, segmentation)
Sample · Domain 2 → 2.1 Threat actors & motivations · Verified, 2 sources

A security analyst reviews an intrusion in which attackers defaced the company's public website with political slogans and leaked internal emails to embarrass executives, demanding no payment. Which motivation best characterizes this threat actor?

A) Financial gain pursued through extortion of the breached organization [Wrong motive]
   This misreads the incident as ransomware or extortion, but the attackers demanded no money and instead sought public embarrassment.
B) Corporate espionage to quietly steal trade secrets for rivals [Not espionage]
   Espionage relies on stealth to exfiltrate secrets undetected, yet here the attackers publicized the data loudly — the opposite of covert IP theft.
C) Philosophical or political beliefs driving an ideological protest [Correct]
   Defacing sites with slogans and leaking data to shame leadership while seeking no profit is the textbook hacktivist pattern, motivated by ideology.
D) Thrill-seeking by an unskilled recreational script-using amateur [Not thrill]
   Unskilled thrill-seekers act for excitement without a cause, but the deliberate political messaging here signals a purposeful ideological agenda.
Sources: CISA Advisory AA25-343A (hacktivists characterized by political/ideological motivation) · SY0-701 Obj 2.1 lists "philosophical/political beliefs" as a distinct motivation.
Domain 3 · Security Architecture (18%)
The design — models, data protection, resilience
Key topics: Architecture models (cloud, on-prem, zero trust) · Secure network design · Segmentation & microsegmentation · Data classification & states · Encryption at rest/in transit · Resilience & recovery (RPO/RTO) · High availability · Backups
Sample · Domain 3 → 3.1 Architecture models · Verified, 2 sources

A bank is replacing its perimeter-based model with zero trust. Architects want every resource request authenticated and authorized on its own, independent of the requester's network location. Which component most directly enforces this per-request evaluation?

A) An implicit trust zone derived from internal corporate IP address ranges [Implicit trust]
   Trusting hosts merely because they sit inside an IP range is the implicit-trust assumption zero trust explicitly removes.
B) A policy decision point that evaluates each request before access is granted [Correct]
   The policy decision point, paired with a policy enforcement point, evaluates identity, device, and context for every request — the defining mechanism of zero trust.
C) A single sign-on token minted once at login for the whole session [Standing access]
   A session token minted once at login grants standing access without re-evaluation, contradicting zero trust's requirement to verify continuously.
D) A flat internal network protected by one hardened perimeter firewall [Perimeter model]
   A flat network behind a single perimeter is the castle-and-moat model zero trust replaces; it can't decide on individual east-west requests.
Sources: NIST SP 800-207, Zero Trust Architecture (the policy engine inside the PDP makes the per-request access decision; no implicit trust by network location).
Domain 4 · Security Operations (28%)
The day-to-day — hardening, monitoring, IAM, incident response
Key topics: Secure baselines & hardening · Asset management · Vulnerability management · Monitoring (SIEM, SNMP, logs) · Identity & access management · Automation & orchestration · Incident response · Digital forensics
Sample · Domain 4 → 4.1 Secure baselines & hardening · Verified, 2 sources

A systems administrator must deploy 200 new Windows workstations that all enforce the same approved registry, service, and password settings before going live. Which approach best establishes and consistently enforces this secure baseline?

A) Manually configure each workstation and document the steps in a runbook [Not scalable]
   Manual per-host configuration is error prone and does not guarantee consistency at scale, defeating the purpose of a uniform baseline.
B) Apply a Group Policy security template aligned to a CIS Benchmark across all hosts [Correct]
   A security template or GPO derived from an established benchmark codifies the approved settings and enforces them uniformly across every joined host.
C) Run a vulnerability scan on each host and patch any findings that appear [Wrong control]
   Scanning finds missing patches and flaws but does not define or push the approved configuration settings a baseline requires.
D) Enable host-based firewalls and rely on default vendor settings [Insufficient]
   Default vendor settings are exactly what hardening replaces; firewalls alone do not enforce the registry and service baseline needed here.
Sources: CIS Benchmarks — prescriptive secure configuration baselines · Microsoft Learn (CIS Benchmarks enforced on AD domain-joined Windows via Group Policy).
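The correct answer above treats the baseline as something you declare once and enforce everywhere. The Python below, added here as an illustration (it is not CIS, Microsoft or CompTIA code), shows the comparison logic a compliance scanner applies once a baseline is expressed as data: each setting carries an operator, so a host that is stricter than the benchmark still passes, a setting that was never configured is reported rather than silently accepted, and the "lockout threshold of 0 means never lock out" trap is caught with a range check. The setting names loosely follow CIS Windows benchmark recommendations; the expected values and the two workstation snapshots are constructed for the example.

```python
"""Secure-baseline drift check, added as an example for this guide.

Not CIS, Microsoft or CompTIA code. The baseline entries follow the shape of
CIS Windows benchmark recommendations, but the values and the two host
snapshots are constructed for illustration. In practice the baseline is
pushed by Group Policy and audited by a scanner such as CIS-CAT; this shows
the comparison logic such a scanner applies.
"""

# Baseline as code: setting -> (operator, expected). The operator encodes
# "at least", "at most", "exactly" or "within", so a host that is stricter
# than the baseline still passes.
BASELINE = {
    "MinimumPasswordLength": (">=", 14),
    "MaximumPasswordAge": ("<=", 365),
    "PasswordComplexity": ("==", True),
    # 1-5 attempts: 0 would mean "never lock out", the weak setting.
    "LockoutThreshold": ("between", (1, 5)),
    "SMB1Protocol": ("==", "Disabled"),
    "RemoteRegistry": ("==", "Disabled"),
}

OPERATORS = {
    ">=": lambda actual, expected: actual >= expected,
    "<=": lambda actual, expected: actual <= expected,
    "==": lambda actual, expected: actual == expected,
    "between": lambda actual, expected: expected[0] <= actual <= expected[1],
}


def check_host(settings):
    """Return a list of (setting, actual, expected) findings; empty means compliant.

    A setting absent from the snapshot is a finding too: "not configured"
    means the vendor default is in force, which is what hardening replaces.
    """
    findings = []
    for name, (op, expected) in BASELINE.items():
        if name not in settings:
            findings.append((name, "not configured", expected))
        elif not OPERATORS[op](settings[name], expected):
            findings.append((name, settings[name], expected))
    return findings


def fleet_report(fleet):
    """{hostname: findings} for every host snapshot in `fleet`."""
    return {host: check_host(settings) for host, settings in fleet.items()}


def noncompliant_hosts(fleet):
    return sorted(host for host, findings in fleet_report(fleet).items() if findings)


# Constructed snapshots standing in for what a collector (secedit /export, or
# PowerShell reading the registry) would hand back for two imaged workstations.
SAMPLE_FLEET = {
    "WS-001": {   # stricter than the baseline in places: passes
        "MinimumPasswordLength": 16, "MaximumPasswordAge": 90,
        "PasswordComplexity": True, "LockoutThreshold": 3,
        "SMB1Protocol": "Disabled", "RemoteRegistry": "Disabled",
    },
    "WS-002": {   # weak settings left in place, one never configured: drifts
        "MinimumPasswordLength": 8, "MaximumPasswordAge": 42,
        "PasswordComplexity": True, "LockoutThreshold": 0,
        "SMB1Protocol": "Enabled",
    },
}

if __name__ == "__main__":
    for host, findings in fleet_report(SAMPLE_FLEET).items():
        print(host, "compliant" if not findings else findings)
```

Running it reports WS-001 as compliant and lists four findings for WS-002, including the lockout threshold of 0 that a naive "less than or equal to 5" check would have passed.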
Domain 5 · Security Program Management & Oversight (20%)
The governance — policies, risk, third parties, compliance
Key topics: Governance (policies/standards/procedures) · Risk management & assessment · Risk register & appetite · Third-party / vendor risk · Compliance & audits · Privacy & data roles · Security awareness · Agreements (SLA, MOU, BPA)
Sample · Domain 5 → 5.1 Governance · Verified, 2 sources

A security team wants to publish a mandatory, high-level document that states management's intent that all company data be encrypted, without specifying which algorithms or key lengths to use. Which governance artifact best fits this need?

A) A procedure detailing each encryption step [Too detailed]
   A procedure gives prescriptive step-by-step instructions for a task, which is far more granular than a high-level statement of management intent.
B) A guideline offering optional recommendations [Not mandatory]
   A guideline provides discretionary, non-mandatory advice, but the requirement here is explicitly mandatory management intent.
C) A policy expressing mandatory management intent [Correct]
   A policy is the high-level, mandatory document that communicates management's intent and direction without dictating specific technical implementation details.
D) A standard fixing specific algorithms and key sizes [Too specific]
   A standard specifies the mandatory technical details such as algorithms and key lengths, which is precisely what this document is meant to omit.
Sources: NIST CSRC Glossary — "security policy" vs "guideline" · ISO/IEC 27002:2022 (policy → standard → procedure hierarchy).

A 4-week study plan

A realistic schedule at roughly 10–12 hours per week. Adjust to your experience — but keep the heaviest weeks on Security Operations and Threats/Vulnerabilities, since they're the biggest slices of the exam.

Week 1
General Security Concepts (Domain 1)

Control types and functions, the CIA triad and AAA, and cryptography until symmetric vs asymmetric vs hashing — and what each provides — feels automatic. This vocabulary underpins every other domain.

Week 2
Threats & Architecture (Domains 2–3)

Threat actors and motivations, malware and attack types, then secure design: zero trust, segmentation, data protection, and resilience (RPO/RTO, HA, backups).

Week 3
Security Operations & Governance (Domains 4–5)

The biggest domain: hardening and baselines, monitoring (SIEM/logs), IAM, and incident response — then governance, risk management, and third-party risk. Practice reading scenario → correct control.

Week 4
Full tests & weak-spot drilling

Take full practice tests under timed conditions, use the per-domain breakdown to find weak areas, and re-drill them. Keep the last days light.

Learn the concept, not the letter. The exam rewards applying ideas to scenarios. When you miss a question, read why each wrong option is wrong — that's where the real learning is.

Readiness checklist

Tick off each topic as it clicks.


Domain 1 · General Security Concepts

Domain 2 · Threats, Vulnerabilities & Mitigations

Domain 3 · Security Architecture

Domain 4 · Security Operations

Domain 5 · Security Program Management & Oversight


Cheat sheet

The reference tables worth memorizing cold — cryptography, secure protocols, and access-control models. Bookmark this.

Cryptography essentials

Type              | Examples                          | Provides
Symmetric         | AES (128/192/256), ChaCha20       | Confidentiality: fast bulk encryption with one shared key
Asymmetric        | RSA, ECC, Diffie-Hellman          | Key exchange and signatures, using a public/private key pair
Hashing           | SHA-256, SHA-3                    | Integrity: one-way, fixed-length digest
HMAC              | HMAC-SHA-256                      | Integrity + authenticity: keyed hash under a shared key
Digital signature | Hash, then sign with private key  | Integrity, authenticity, non-repudiation
Password hashing  | bcrypt, PBKDF2, Argon2            | Slow, salted hashing to resist brute force
Map the goal to the tool: confidentiality → encryption, integrity → hashing, authenticity + non-repudiation → digital signature. Encryption hides data; hashing proves it wasn't changed.
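To make the goal-to-tool mapping concrete, and to walk through the Domain 1 sample question above, here is an added Python example (not from the cheat sheet, CompTIA, or any vendor) that runs the same update package through a bare hash, an HMAC, and a hash-then-sign signature and records what each one proves. It uses only the standard library; the RSA keys are toy keys built from hard-coded Mersenne primes with textbook, unpadded RSA, which is enough to show the mechanics but is not a secure scheme (real signatures use RSA-PSS, ECDSA or EdDSA per FIPS 186-5 from a vetted library). The package bytes and the HMAC secret are constructed for the example.

```python
"""Hash vs HMAC vs digital signature: what each proves.

Added example for this study guide (not CompTIA, NIST or vendor code), using
only the Python standard library. The RSA keys are TOY keys: hard-coded
Mersenne primes, e = 65537, and textbook RSA with no padding. That is enough
to show what hash-then-sign gives you and what it does not, but it is not a
secure signature scheme; real systems use RSA-PSS, ECDSA or EdDSA (FIPS 186-5)
from a vetted library.
"""
import hashlib
import hmac


def make_toy_key(p, q, e=65537):
    """Textbook RSA key from two primes. Assumption: p and q are prime and
    gcd(e, (p-1)(q-1)) == 1, which holds for the Mersenne primes used below."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)               # (public, private)


# Developer's key pair: M521 * M127 gives a ~648-bit modulus, so a 256-bit
# SHA-256 digest is always smaller than n and round-trips exactly.
DEV_PUBLIC, DEV_PRIVATE = make_toy_key((1 << 521) - 1, (1 << 127) - 1)
# An unrelated key pair standing in for "someone who is not the developer".
OTHER_PUBLIC, OTHER_PRIVATE = make_toy_key((1 << 607) - 1, (1 << 89) - 1)


def digest(data: bytes) -> bytes:
    """Integrity only. Anyone, including an attacker, can recompute it."""
    return hashlib.sha256(data).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """Integrity + authenticity for the parties holding `key`.
    No non-repudiation: either party could have produced the tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, data), tag)


def sign(private_key, data: bytes) -> int:
    """Hash-then-sign: only the private-key holder can compute this."""
    n, d = private_key
    return pow(int.from_bytes(digest(data), "big"), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Recover the signed digest with the public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(digest(data), "big")


def demo() -> dict:
    """Constructed update package and shared secret; returns what each
    mechanism says when the file is intact, tampered, or signed by a stranger."""
    package = b"update-1.4.2: tls_min_version=1.2"
    tampered = b"update-1.4.2: tls_min_version=1.0"
    shared_secret = b"build-server/client shared secret (constructed)"

    published_hash = digest(package)
    tag = mac(shared_secret, package)
    sig = sign(DEV_PRIVATE, package)

    return {
        # A bare hash catches a change only while the attacker cannot replace
        # the published hash too; whoever swaps the file just recomputes it.
        "hash_detects_tamper": digest(tampered) != published_hash,
        "mac_valid": mac_verify(shared_secret, package, tag),
        "mac_rejects_tamper": not mac_verify(shared_secret, tampered, tag),
        "sig_valid": verify(DEV_PUBLIC, package, sig),
        "sig_rejects_tamper": not verify(DEV_PUBLIC, tampered, sig),
        "sig_rejects_other_signer": not verify(DEV_PUBLIC, package, sign(OTHER_PRIVATE, package)),
        # Signing never hid anything: the payload is still plaintext.
        "payload_still_readable": b"tls_min_version" in package,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:28} {outcome}")
```

Every entry in the result comes out True: the signature detects tampering and rejects a signature from any other key, yet the package itself stays readable, which is exactly why option A (integrity and non-repudiation) is right and option B (confidentiality) is wrong.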

Secure vs insecure protocols

Insecure (port)       | Secure replacement                                   | Port
HTTP (80)             | HTTPS (HTTP over TLS)                                | 443
Telnet (23)           | SSH                                                  | 22
FTP (20/21)           | SFTP (file transfer over SSH) / FTPS (FTP over TLS)  | 22 / 990 control and 989 data for implicit FTPS (explicit FTPS starts on 21 and upgrades with AUTH TLS)
SNMP v1/v2c (161)     | SNMPv3 at the authPriv level (authentication + encryption) | 161
LDAP (389)            | LDAPS                                                | 636
SMTP (25)             | SMTP submission with STARTTLS / SMTPS                | 587 / 465
DNS (53)              | DNS over TLS (DoT) for encrypted transport; DNSSEC for signed, verifiable records | 853 for DoT; DNSSEC stays on 53
Two traps worth remembering: SNMPv3 is only secure when run at authPriv (noAuthNoPriv is still SNMPv3 and still plaintext), and DNSSEC signs records so a resolver can verify origin and integrity but does not encrypt queries, so it is an integrity/authenticity control, not a confidentiality one.

Access-control models

Model                   | How access is decided                                  | Typical use
DAC — Discretionary     | The resource owner sets permissions                    | Most file systems / OSes
MAC — Mandatory         | System enforces labels/clearance; no owner discretion  | High-security (e.g. SELinux, military)
RBAC — Role-based       | Permissions assigned to roles, users to roles          | Most enterprises — scalable
ABAC — Attribute-based  | Policy evaluates attributes (user, resource, context)  | Fine-grained, dynamic access
Rule-based              | Global rules/ACLs (e.g. time-of-day, firewall)         | Condition-driven enforcement
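The models in this table are easiest to tell apart when you see each one make a decision on the same request, and the Domain 3 sample question above (a policy decision point that evaluates every request independently of network location) is really the ABAC row applied per request. The Python below is an added example, not from NIST SP 800-207 or any product: DAC, MAC, RBAC, rule-based and ABAC checks are each a small function, and `decide()` plays the PDP that runs them on every request. All users, roles, labels, devices and requests are constructed for the example.

```python
"""Access-control models side by side, with a zero-trust policy decision point.

Added example for this guide; not from NIST SP 800-207 or any product.
Users, roles, labels, devices and requests are constructed. decide() plays
the PDP: it runs every check on every single request and, on purpose, never
reads the request's source network.
"""
from dataclasses import dataclass

# MAC: ordered sensitivity labels (assumption: a four-level scheme)
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: permissions hang off roles; users are given roles
ROLE_PERMISSIONS = {
    "teller": {"ledger:read"},
    "auditor": {"ledger:read", "ledger:export"},
    "admin": {"ledger:read", "ledger:export", "ledger:write"},
}

# Rule-based: one global rule, ledger writes only inside the change window
WRITE_WINDOW = range(8, 18)   # 08:00 to 17:59


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    clearance: str
    mfa: bool

@dataclass(frozen=True)
class Device:
    managed: bool
    patched: bool

@dataclass(frozen=True)
class Resource:
    name: str
    label: str
    owner: str
    acl: frozenset        # DAC: users the owner chose to grant

@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    action: str           # "read" | "write" | "export"
    hour: int
    source_network: str   # carried along, never a basis for trust


def dac_allows(subject, resource):
    """Discretionary: the owner, or anyone the owner put on the ACL."""
    return subject.user == resource.owner or subject.user in resource.acl

def mac_allows(subject, resource, action):
    """Mandatory, Bell-LaPadula style: no read up, no write down."""
    s, o = LEVEL[subject.clearance], LEVEL[resource.label]
    return s >= o if action in ("read", "export") else s <= o

def rbac_allows(subject, resource, action):
    perm = f"{resource.name}:{action}"
    return any(perm in ROLE_PERMISSIONS.get(r, ()) for r in subject.roles)

def rule_allows(req):
    return req.action != "write" or req.hour in WRITE_WINDOW

def abac_allows(req):
    """Attribute-based: confidential data needs MFA on a managed, patched device."""
    if LEVEL[req.resource.label] >= LEVEL["confidential"]:
        return req.subject.mfa and req.device.managed and req.device.patched
    return True

def decide(req):
    """The PDP. Each request is judged on its own; nothing is cached per session."""
    for name, ok in (("rbac", rbac_allows(req.subject, req.resource, req.action)),
                     ("mac", mac_allows(req.subject, req.resource, req.action)),
                     ("rule", rule_allows(req)),
                     ("abac", abac_allows(req))):
        if not ok:
            return (False, f"denied by {name}")
    return (True, "allowed")


def demo():
    ledger = Resource("ledger", "confidential", owner="finops", acl=frozenset())
    alice = Subject("alice", frozenset({"auditor"}), "confidential", mfa=True)
    bob = Subject("bob", frozenset({"teller"}), "internal", mfa=True)
    dave = Subject("dave", frozenset({"admin"}), "confidential", mfa=True)
    healthy, stale = Device(True, True), Device(True, False)
    r = {}
    # Same user, same "session", two requests: the second is re-evaluated and fails.
    r["alice_export"] = decide(Request(alice, healthy, ledger, "export", 10, "corp-lan"))
    r["alice_export_after_drift"] = decide(Request(alice, stale, ledger, "export", 10, "corp-lan"))
    # Sitting on the corporate LAN buys bob nothing: he lacks clearance.
    r["bob_read_from_lan"] = decide(Request(bob, healthy, ledger, "read", 10, "corp-lan"))
    # And being off-network costs alice nothing.
    r["alice_read_remote"] = decide(Request(alice, healthy, ledger, "read", 10, "public-wifi"))
    # Rule-based: the same write is refused at 02:00 and accepted at 10:00.
    r["dave_write_2am"] = decide(Request(dave, healthy, ledger, "write", 2, "corp-lan"))
    r["dave_write_10am"] = decide(Request(dave, healthy, ledger, "write", 10, "corp-lan"))
    # DAC by contrast: bob's own notes, with alice on the ACL and carol not.
    notes = Resource("notes", "internal", owner="bob", acl=frozenset({"alice"}))
    carol = Subject("carol", frozenset(), "internal", mfa=False)
    r["dac_alice"], r["dac_carol"] = dac_allows(alice, notes), dac_allows(carol, notes)
    return r

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} {outcome}")
```

The point to notice is the pair `alice_export` and `alice_export_after_drift`: same person, same session, same network, but the second request is denied because the device attribute changed between calls. That is the behaviour option C in the sample question (a token minted once for the whole session) cannot deliver.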

The CIA triad & AAA

Term            | Meaning
Confidentiality | Only authorized parties can read the data (encryption, access control)
Integrity       | Data is not altered without detection (hashing, signatures)
Availability    | Systems and data are accessible when needed (HA, backups, DDoS defense)
Authentication  | Proving who you are (passwords, MFA, biometrics)
Authorization   | What you're allowed to do once authenticated
Accounting      | Logging and auditing what was done

Frequently asked questions

How many questions is the exam, and how long?
Up to 90 questions in 90 minutes — about a minute each. Expect multiple-choice (single and multiple response) plus performance-based questions (simulations and drag-and-drop), which take longer, so manage your pace.
What's the passing score?
750 on a scale of 100–900. It's a scaled score, not a simple percentage, so treat ~85% on practice tests as a confident range rather than an exact cut line.
How long should I study?
CompTIA recommends Network+ plus around two years of experience in a security or systems administrator role. Candidates with that background typically need 5–8 weeks of focused study; the 4-week plan above assumes about 10–12 hours per week, so stretch it if you are newer to the field.
How hard is the Security+?
It's an entry-level cybersecurity exam, but it covers broad ground. The parts most people find hardest — cryptography concepts, the volume of acronyms, and choosing the right control for a scenario — reward hands-on practice over memorization, which is exactly what these practice tests are built for.
Are these practice questions real exam questions?
No — and that's deliberate. Every question is original, written against the public SY0-701 objectives and checked against primary sources. Real exam content is under CompTIA's NDA; using leaked "dumps" can get your certification revoked.
How this guide is sourced. Domain names and weights, the question count, time limit, passing score, and question formats are taken from CompTIA's publicly published SY0-701 exam objectives and official exam details. Every sample question is drawn from our question bank and checked against primary references (NIST, CISA, CIS, and ISO), with the source shown on each. This is an independent study resource — certpracticelab is not affiliated with or endorsed by CompTIA.
  • CompTIA — Security+ (SY0-701) certification & exam details · comptia.org
  • NIST — Computer Security Resource Center glossary & publications · csrc.nist.gov

You've reviewed the map — now find your weak spots.

Take a free, explained practice test and see exactly which domains need more work.
