Security+ Exam Domains Explained: What You Need to Focus On

Security+ exam domains are the fastest way to stop studying randomly and start preparing with purpose. If you are aiming for an entry-level cybersecurity role, the exam expects broad practical knowledge across exam domains, cybersecurity topics, study focus areas, and key concepts rather than deep specialization in one tool or vendor stack. Success comes from understanding what each domain is trying to test, how questions are written, and where common traps show up.

Featured Product

Certified Ethical Hacker (CEH) v13

Learn essential ethical hacking skills to identify vulnerabilities, strengthen security measures, and protect organizations from cyber threats effectively

Get this course on Udemy at the lowest price →

Quick Answer

CompTIA® Security+™ is an entry-level cybersecurity certification that measures practical security knowledge across five exam domains. As of January 2026, the current exam code is SY0-701, with up to 90 questions, a 90-minute time limit, and a passing score of 750 on a 900-point scale. The best prep strategy is domain-based review plus scenario practice, not random memorization.

Definition

CompTIA Security+™ is a foundational cybersecurity certification that validates core security skills across threats, architecture, operations, and governance. It is designed to show that a candidate can recognize security issues, choose practical controls, and respond appropriately in common IT environments.

Exam Code: SY0-701
Cost: $392 USD as of January 2026
Duration: 90 minutes as of January 2026
Questions: Up to 90 as of January 2026
Passing Score: 750 / 900 as of January 2026
Question Types: Multiple-choice and performance-based questions as of January 2026
Recommended Background: CompTIA A+™ and Network+™ level knowledge as of January 2026
Validity: 3 years as of January 2026

That format matters because Security+ is not a trivia test. It mixes definitions, best practices, and troubleshooting logic in scenarios that look like real work: a suspicious email, a failed login pattern, a misconfigured firewall rule, or a cloud permission issue. The exam domains tell you where to focus your study time, and that matters more than any one flashcard deck.

If you are using the Certified Ethical Hacker (CEH) v13 course alongside Security+ prep, the overlap is useful. CEH v13 builds offensive awareness, while Security+ focuses on baseline defensive judgment, controls, and operations. Together, they sharpen the same study focus: recognize the threat, identify the control, and choose the right response.

CompTIA Security+ Exam Overview

The Security+ exam evaluates practical cybersecurity knowledge through a mix of multiple-choice and performance-based questions. Performance-based questions usually ask you to configure, interpret, or respond to a scenario, so you are not just recalling a definition—you are making a decision under realistic constraints. CompTIA explains the current exam objectives and structure on its official certification page at CompTIA Security+.

The best way to study is by exam domains, not by random facts. Each domain clusters related cybersecurity topics, so you build context around why a concept exists, how it connects to other controls, and what a question is really asking. That method is more effective than trying to memorize isolated acronyms without understanding the business or technical use case.

Security+ also tests your troubleshooting mindset. A question may present several technically possible answers, but only one fits the scenario, the risk level, and the policy environment. That means you need three things at once: terminology, concept knowledge, and the ability to choose the safest operational response.

Security exam success is rarely about knowing more words. It is about recognizing the problem fast enough to apply the right control, process, or escalation path.

Practice exams are important because they expose weak spots across the exam domains. One learner may know malware types but miss incident response sequencing. Another may understand encryption but struggle with identity and access questions. A good practice test is not just a score; it is a map of where your study focus should go next.

  • Multiple-choice questions check your ability to recognize the best answer from several plausible options.
  • Performance-based questions check whether you can apply concepts in a practical setting.
  • Domain-based study helps you organize cybersecurity topics into manageable blocks.
  • Scenario thinking is critical because many questions combine more than one concept.
  • Practice exams reveal whether your weak area is terminology, analysis, or timing.

What Are the Security+ Exam Domains?

The Security+ exam domains are the official content areas CompTIA uses to define what you need to know. They are the blueprint for certification prep, and they are the easiest way to turn a wide subject into focused study sessions. Instead of trying to learn cybersecurity topics in a vacuum, you can map each topic to a domain and learn it in context.

There are five major domains in SY0-701: general security concepts, threats and vulnerabilities, security architecture, security operations, and security program management and oversight. Each domain has a different purpose, but they work together in the same way security teams work together in real life. One domain covers principles, another covers attacks, another covers design, another covers day-to-day operations, and the last covers governance.

That structure matters because exam questions often cross domain boundaries. A phishing question may involve social engineering, authentication, and user training. A cloud question may involve shared responsibility, encryption, and access controls. That is why study focus has to include both key concepts and how they connect.

Domain focus | Why it matters
--- | ---
Security principles | Builds the language used in later scenarios.
Threats and vulnerabilities | Helps you identify the problem before choosing a control.
Architecture | Shows how security is designed into systems.
Operations | Covers monitoring, incident handling, and recovery.
Program management | Connects security to policy, compliance, and business control.

CompTIA’s objective-driven approach is similar to how the NIST Cybersecurity Framework and NIST guidance organize security work: identify, protect, detect, respond, and recover. That is useful for exam prep because it reinforces the fact that Security+ is not a single-topic exam. It is a practical foundation exam.

How Does the Security+ Exam Work?

The Security+ exam works by mixing knowledge recall with application. A question might ask you to identify the correct control, but a better question may ask you to choose what to do first after a log alert or how to reduce risk in a specific environment. That is why the exam domains are more valuable than a memorized glossary.

  1. Read the scenario carefully. Look for the asset, the threat, the impact, and any constraint such as budget, policy, or downtime.
  2. Identify the domain. Decide whether the question is really about security concepts, threats, architecture, operations, or governance.
  3. Eliminate distractors. Several answers may be technically true, but only one fits the situation and priority.
  4. Choose the most defensible action. Security exams often reward the answer that reduces risk without creating unnecessary side effects.
  5. Check for the business context. If a question mentions uptime, compliance, or users, that context usually changes the best answer.

This is where study focus matters. If you memorize a term like multifactor authentication, you still need to know when it is the right answer and when it is not enough. If you know what a firewall does, you still need to recognize when the issue is actually segmentation, a missing rule, or a user-awareness problem.

Pro Tip

When a question includes several security topics, answer the one that reduces risk at the right layer. A technical fix is not always the best fix if the problem is process, policy, or user behavior.

Official exam objectives from CompTIA should anchor your certification prep, while Microsoft Learn and vendor documentation can help you see how those concepts show up in real platforms. That combination is useful because Security+ questions often reward understanding, not brand-specific memorization.

Domain One: General Security Concepts

General security concepts are the foundation of the exam and the language used in almost every other domain. If you do not understand confidentiality, integrity, availability, or least privilege, later scenario questions become guesswork instead of analysis. These concepts are also common in real-world security discussions, so they show up in everything from policy documents to incident reports.

Confidentiality is about keeping information from unauthorized access. Integrity means information stays accurate and unaltered unless an authorized process changes it. Availability means authorized users can access systems and data when needed. Security+ uses these terms repeatedly because they drive control selection and incident response decisions.

  • Preventive controls stop an event before it happens, such as MFA, firewalls, and segmentation.
  • Detective controls identify suspicious activity, such as logs, SIEM alerts, and IDS events.
  • Corrective controls fix or reduce damage after an event, such as restoring from backup.
  • Deterrent controls discourage bad behavior, such as warning banners and visible cameras.

Zero Trust is an approach that assumes no user or device is trusted by default, even inside the network. That model matters because perimeter-only thinking fails when credentials are stolen or devices are compromised. NIST's published guidance on Zero Trust architecture is a useful reference point for how the model is meant to be applied.

Authentication, authorization, and accounting are easy to mix up, so the exam leans on them often. Authentication verifies identity. Authorization determines what that identity can access. Accounting tracks what the identity did. Understanding the difference is one of the fastest ways to improve your exam domains study focus.

Key concepts that appear constantly

Risk is the chance that a threat will exploit a vulnerability and cause harm. Attack surface is the total exposure an attacker can target, including users, ports, services, cloud APIs, and physical access. Least privilege means giving users and systems only the access they need, and nothing extra. Defense in depth means layering controls so one failure does not create total compromise.

These are not just definitions. They are the logic behind most security decisions on the job and most questions on the exam. If you understand how these key concepts fit together, the rest of the exam domains become easier to interpret.
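The difference between authentication, authorization, and accounting, and what least privilege looks like in practice, is easiest to see when each step is its own function. The following Python example is added here to illustrate those concepts; it is not code from CompTIA or ITU Online. The accounts, role names, and permission strings are constructed sample data, and the help desk role is deliberately limited to password resets, the same framing the study advice later in this article uses for least privilege.

```python
"""Authentication, authorization and accounting as three distinct steps.

Added illustration; not code from CompTIA or ITU Online. Accounts, roles and
permission names are constructed sample data. Passwords are stored as salted
PBKDF2 hashes from the Python standard library.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # assumed tuning value; raise as hardware allows

# Constructed role-to-permission map. The help desk role can reset passwords
# and nothing else: least privilege expressed as data.
ROLE_PERMISSIONS = {
    "helpdesk": {"user.reset_password"},
    "dba": {"db.read", "db.write"},
    "auditor": {"db.read", "audit.read"},
}


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(username: str, password: str, role: str) -> dict:
    """Store only a salted hash of the password, never the password itself."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": _derive(password, salt), "role": role}


# Constructed user store (hypothetical accounts and passwords).
USERS = {
    "hd.alice": make_user("hd.alice", "correct horse battery", "helpdesk"),
    "db.bob": make_user("db.bob", "another sample secret", "dba"),
}

AUDIT_LOG: list = []  # accounting: every decision, granted or denied, lands here


def _record(user: str, action: str, outcome: str, reason: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "outcome": outcome, "reason": reason,
    })


def authenticate(username: str, password: str) -> bool:
    """Authentication: is this really the claimed identity?"""
    user = USERS.get(username)
    if user is None:
        # Derive anyway so an unknown user costs the same time as a bad password.
        _derive(password, b"\x00" * 16)
        _record(username, "login", "denied", "unknown user")
        return False
    ok = hmac.compare_digest(_derive(password, user["salt"]), user["hash"])
    _record(username, "login", "granted" if ok else "denied",
            "password verified" if ok else "bad password")
    return ok


def authorize(username: str, permission: str) -> bool:
    """Authorization: what may this already-authenticated identity do?"""
    role = USERS[username]["role"]
    allowed = permission in ROLE_PERMISSIONS.get(role, set())
    _record(username, permission, "granted" if allowed else "denied", f"role {role}")
    return allowed


def perform(username: str, password: str, permission: str) -> str:
    """Authenticate, then authorize; accounting happens inside both steps."""
    if not authenticate(username, password):
        return "login failed"
    if not authorize(username, permission):
        return "forbidden"
    return "ok"


if __name__ == "__main__":
    print(perform("hd.alice", "correct horse battery", "user.reset_password"))  # ok
    print(perform("hd.alice", "correct horse battery", "db.write"))             # forbidden
    print(perform("db.bob", "wrong guess", "db.write"))                          # login failed
    for entry in AUDIT_LOG:
        print(entry)
```

The second call is the one worth studying: the credentials are valid, so authentication succeeds, yet the action is refused because the help desk role does not include it. Both decisions are written to the audit log, which is exactly the separation an exam scenario about "who did what, and were they allowed to" is probing.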

Domain Two: Threats, Vulnerabilities, and Mitigations

Threats, vulnerabilities, and mitigations make up the core of Security+ exam domains because they explain how attacks happen and how to reduce their impact. A threat is something that can cause harm, while a vulnerability is a weakness that can be exploited. The distinction matters because the same threat can be far more dangerous when paired with a specific vulnerability.

Common threat categories include malware, phishing, social engineering, and insider threats. Malware covers ransomware, trojans, worms, and spyware. Phishing is especially important because it often combines social engineering with credential theft and malicious links.

Attack vectors are the paths attackers use to reach a target. Email is a major vector because it reaches users directly. Web applications are another common vector because input fields, weak authentication, and broken access controls can all be abused. Wireless networks and removable media also remain relevant because they can bypass some perimeter defenses.

  • Patching reduces exposure to known vulnerabilities.
  • Segmentation limits how far an attacker can move after initial access.
  • Training helps users spot social engineering and reporting cues.
  • Endpoint protection detects and blocks malicious files or behavior.
  • Indicators of compromise help identify when a system may already be affected.

Threat analysis becomes easier when you tie it to real-world reporting. The Verizon Data Breach Investigations Report consistently shows that human behavior, credential abuse, and social engineering remain central causes of incidents. That is exactly why exam questions often use email, login, and user-action scenarios.

One common exam trap is confusing the vulnerability with the threat. For example, weak password reuse is a vulnerability. Credential stuffing is a threat technique that abuses it. If you can separate the two, your study focus becomes sharper and your mitigation choices become more accurate.

Domain Three: Security Architecture

Security architecture is the part of the exam that tests how systems are designed to resist attacks. It is where network layout, access models, cloud decisions, and cryptographic basics come together. If domain one is the language of security, domain three is the blueprint.

Network design and segmentation

Secure network design often includes DMZs, VLANs, subnets, and segmentation. A DMZ places public-facing services in a separated zone so internal systems are not directly exposed. VLANs and subnets divide traffic into smaller groups, which reduces lateral movement and improves control.

This is where the exam checks whether you understand why architecture matters. A web server should not sit flat on the same network as sensitive internal databases. Segmentation reduces the attack surface and supports defense in depth. CIS Benchmarks from the Center for Internet Security are a practical reference for hardened configuration thinking.

Cloud and identity architecture

Cloud architecture questions usually involve shared responsibility, service models, and identity controls. The provider may secure the infrastructure, but the customer still owns configuration, access management, and data protection. That division is a common exam theme because cloud misconfigurations create real risk.

Federation lets one identity system trust another. Single sign-on reduces password sprawl by letting users authenticate once and access multiple services. Multifactor authentication strengthens login security by requiring more than one proof of identity. These controls show up together because they are often used as part of a Zero Trust approach.

Security appliances and cryptography

Firewalls filter network traffic based on rules. Proxies mediate requests between users and resources. Web application firewalls help protect web apps from common attacks. IDS and IPS detect or block suspicious traffic. The exam often asks which control is the best fit for a given traffic or application scenario.

Cryptography questions usually focus on use cases, not abstract math. Hashing supports integrity checks and password storage. Encryption protects confidentiality. Public key infrastructure and certificates support trust, key exchange, and identity verification. For practical implementation guidance, the OWASP project and vendor documentation are useful references for real-world patterns.
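The hash-versus-encryption distinction the exam keeps returning to is concrete once you see what a hash can and cannot do. The Python example below is added here as an illustration and is not code from the page's author; it uses only the standard library. It shows a plain hash used as an integrity check, a keyed hash (HMAC) for the case where the attacker could otherwise recompute the hash themselves, and salted, slow password hashing with a constant-time comparison. Encryption is a reversible transform under a key; the standard library ships no AES, so that side is described in the comments rather than executed, and the iteration count is an assumed tuning value.

```python
"""Hashing for integrity and password storage, and why it is not encryption.

Added example; not code from CompTIA or ITU Online. Standard library only.
Encryption (reversible with the key) is contrasted in comments; hashing has no
reverse step at all, which is the property each use case below relies on.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- Integrity: any change to the input produces a completely different digest ---

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Compare a fresh digest to a published one (the value listed next to a download)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


# A plain hash only proves integrity if the expected value comes from somewhere the
# attacker cannot alter; otherwise they change the data and recompute the hash.
# A keyed hash (HMAC) closes that gap because recomputing it requires the key.

def hmac_tag(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


# --- Password storage: salted, slow, one-way ---

PBKDF2_ROUNDS = 200_000  # assumed tuning value; raise as hardware allows


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh salt means the same password stores differently
    for every user, so one cracked hash does not reveal everyone who shares the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time.
    There is no 'decrypt' here: the original password is never recovered, which is
    the whole reason hashing, not encryption, is the right tool for credential storage."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"          # constructed sample message
    published = sha256_hex(msg)
    print(verify_integrity(msg, published))                            # True
    print(verify_integrity(b"transfer 900 to account 42", published))  # False
    key = os.urandom(32)                          # shared secret for the HMAC case
    print(verify_hmac(key, msg, hmac_tag(key, msg)))                   # True
    s1, d1 = hash_password("Winter2026!")
    s2, d2 = hash_password("Winter2026!")
    print(d1 != d2, verify_password("Winter2026!", s1, d1))            # True True
```

Two things to notice when you run it: the two stored digests for the identical password differ because of the salt, yet each verifies correctly against its own salt; and nothing in the file can turn a digest back into the password, which is exactly the property a confidentiality control (encryption) is not allowed to have.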

Control type | Typical exam clue
--- | ---
WAF | Protecting web application traffic
IPS | Blocking malicious packets or patterns inline
SSO | Reducing repeated logins across services
PKI | Establishing certificate-based trust

Domain Four: Security Operations

Security operations covers the daily work of monitoring, responding, recovering, and verifying that defenses are functioning. This domain is where Security+ becomes very practical. Questions often ask what happens first, what evidence matters, or how to recover while preserving business continuity.

Core operational tasks include log review, alert triage, incident response, and vulnerability management. A security analyst might review authentication logs for brute-force attempts, investigate endpoint alerts, or validate whether a patch was actually deployed. These are the kinds of cybersecurity topics that connect exam study focus to real work.
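Reviewing authentication logs for brute-force attempts is the kind of task a performance-based question can stage, so here is what that review looks like as a small detection script. This Python example is added for illustration and is not code from the page's author. The log lines are constructed samples in OpenSSH's "Failed password" / "Accepted password" format with documentation-range IP addresses, and the threshold (five failures within sixty seconds) is an assumed tuning value, not an official figure. The script also escalates when a successful login follows a flagged burst from the same source, since that is the case an analyst should triage first.

```python
"""Flag brute-force login bursts in sshd-style authentication logs.

Added example; not code from CompTIA or ITU Online. Log lines, hosts and
addresses are constructed, and the thresholds are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical addresses from documentation ranges).
SAMPLE_LOG = """\
2026-01-10T08:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2026-01-10T08:00:03 sshd[2102]: Failed password for root from 203.0.113.7 port 50123 ssh2
2026-01-10T08:00:05 sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
2026-01-10T08:00:06 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
2026-01-10T08:00:08 sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
2026-01-10T08:00:09 sshd[2106]: Accepted password for root from 203.0.113.7 port 50127 ssh2
2026-01-10T08:15:00 sshd[2201]: Failed password for alice from 198.51.100.20 port 41000 ssh2
2026-01-10T08:15:40 sshd[2202]: Accepted password for alice from 198.51.100.20 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAILURE_THRESHOLD = 5   # assumed tuning value
WINDOW_SECONDS = 60     # assumed tuning value


def parse(log_text: str):
    """Yield (timestamp, result, user, ip) for each line that matches the pattern."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect(log_text: str, threshold: int = FAILURE_THRESHOLD, window: int = WINDOW_SECONDS) -> dict:
    """Return findings keyed by source IP.

    A source is flagged as 'brute_force' once `threshold` failures fall inside
    `window` seconds. A later success from a flagged source is escalated to
    'possible_compromise', because guessing that ends in a login is the case
    that needs containment and evidence preservation first.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)] still inside the window
    findings = {}
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            recent = [(t, u) for t, u in failures[ip] if (ts - t).total_seconds() <= window]
            recent.append((ts, user))
            failures[ip] = recent
            if len(recent) >= threshold:
                findings[ip] = {
                    "status": "brute_force",
                    "failures": len(recent),
                    "users": sorted({u for _, u in recent}),   # accounts being guessed
                }
        elif result == "Accepted" and ip in findings:
            findings[ip]["status"] = "possible_compromise"
            findings[ip]["accepted_user"] = user
    return findings


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG).items():
        print(ip, finding)
```

On the sample data only 203.0.113.7 is reported: five failures in eight seconds across three usernames, followed by an accepted login as root, so it lands as a possible compromise rather than a plain brute-force attempt. The single failed attempt from 198.51.100.20 followed by a success is the ordinary mistyped-password case and is correctly left alone, which is the judgment call the exam's "what do you do first" questions are testing.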

Incident response and forensics

The incident response lifecycle usually includes preparation, detection and analysis, containment, eradication, recovery, and lessons learned. The order matters because the exam may ask whether you should isolate a system, preserve evidence, or restore a service first. The right answer often depends on whether the question is asking about operations or forensics.

Digital forensics is the process of collecting and analyzing evidence in a way that preserves integrity and admissibility. Chain of custody documents who handled evidence, when, and why. If evidence handling is done badly, the investigation can become unreliable even if the technical analysis is correct.

Backups and recovery

Backup strategy questions often involve full backups, incremental backups, restoration speed, and retention requirements. Recovery planning includes backup testing, recovery time objectives, and recovery point objectives. Security+ expects you to understand that the best backup is not the one that is easiest to create; it is the one you can actually restore under pressure.

Vulnerability management is a repeatable workflow: discover assets, scan for weaknesses, prioritize findings, remediate, and verify. That workflow is important because patching alone does not solve every issue. Some findings require configuration changes, compensating controls, or temporary risk acceptance.

For operational context, the Cybersecurity and Infrastructure Security Agency (CISA) publishes practical guidance on alerts, incident response, and vulnerability remediation. That makes it a useful reference for understanding what real operational security looks like outside the exam.

Warning

Do not treat incident response as a memorization exercise. On the exam, the best answer often depends on whether the priority is containment, evidence preservation, or restoring availability.

Domain Five: Security Program Management and Oversight

Security program management and oversight covers governance, documentation, awareness, risk decisions, and compliance. This is the domain many candidates underprepare for because it looks less technical than the others. That is a mistake. Security jobs fail or succeed as much on process and policy as on tools.

Governance starts with the difference between policies, standards, procedures, and guidelines. A policy states what must be done. A standard defines required specifics. A procedure explains how to do the work. A guideline gives recommended flexibility. If you know those distinctions, you can answer exam scenarios involving documentation and accountability more accurately.

Training, vendors, and compliance

Security awareness training is a key risk-reduction tool because many incidents start with human action. User training helps reduce successful phishing, improper data handling, and unsafe device use. That is not just theory; it is a practical control that supports the rest of the security stack.

Vendor risk management matters because third parties can introduce weaknesses through software, support access, data handling, or contractual gaps. The exam may ask how to reduce third-party risk, and the best answer is often a mix of due diligence, contract language, access restrictions, and monitoring.

Compliance and privacy concepts also appear in this domain. You do not need to be a lawyer to do well on Security+, but you do need to recognize when a scenario involves regulatory exposure, data classification, retention, or breach reporting concerns. For broader workforce and governance framing, the NICE Workforce Framework is a strong source for understanding security roles and responsibilities.

Documentation, asset management, and change management matter because they reduce chaos. If you cannot track what assets exist, what changed, or who approved it, you cannot manage risk effectively. That is why governance topics show up in exam scenarios that look technical at first glance.

What Security+ Topics Show Up Everywhere?

Some Security+ topics cross multiple domains, and that is where many candidates lose points. Risk-based decision-making is one of the biggest recurring ideas. The exam repeatedly asks you to weigh impact, likelihood, and business needs before acting. A secure answer is not always the most aggressive answer.

Ports, protocols, and network services also appear everywhere because they are tied to architecture, operations, and threats. You do not need to memorize every port ever used in IT, but you do need to know the common ones well enough to interpret a question quickly. If a scenario mentions DNS, HTTP, HTTPS, RDP, SSH, or SMB, the protocol often points to the right control or troubleshooting path.

  • Wireless security questions often involve WPA2, WPA3, rogue access points, and evil twin attacks.
  • Remote access questions often involve VPNs, split tunneling, MFA, and secure gateways.
  • Cryptography questions often ask about use cases such as confidentiality, integrity, and certificate trust.
  • Incident response questions often combine logs, containment, recovery, and notification steps.
  • Access control questions often blend identity, authorization, and policy enforcement.

These cross-domain themes are also emphasized in industry research such as the IBM Cost of a Data Breach Report, which consistently shows that speed of detection, containment, and coordinated response strongly affect outcomes. That aligns well with Security+ exam logic: the correct answer is usually the one that reduces risk in the real world, not just in a textbook.

High-priority study focus should always include key concepts that move between domains. If you can explain why a VLAN matters, why MFA matters, why a hash is different from encryption, and why a policy matters, you are not just preparing for an exam. You are building the mental model the exam is trying to measure.

How Should You Study the Security+ Exam Domains?

The best certification prep strategy is to start with your weakest domain and use practice tests to guide review. That approach prevents false confidence. Many candidates spend too much time on topics they already understand and too little time on the ones that cost them points.

Flashcards are helpful, but only if they support recall of terminology, acronyms, attack types, and control categories. Flashcards alone will not prepare you for performance-based questions. Pair them with scenario review so your study focus stays connected to actual decision-making.

  1. Take a baseline practice exam. Identify weak domains and weak question styles.
  2. Review one domain at a time. Build depth before moving on.
  3. Create short recall cards. Focus on terms, ports, attacks, and control names.
  4. Practice scenarios. Ask what the best action is, not just what the term means.
  5. Retest under time pressure. Timed practice reveals whether you can think clearly under exam conditions.

The most effective way to study key concepts is to connect them to a real use case. For example, instead of remembering “least privilege” as a phrase, think of a help desk account that only needs password reset rights and nothing else. Instead of memorizing “segmentation,” picture a guest Wi-Fi network isolated from internal servers. That is the kind of practical framing Security+ rewards.

ITU Online IT Training’s Certified Ethical Hacker v13 course can help reinforce the attack side of those scenarios, especially when you are trying to understand how a vulnerability turns into an exploit path. Security+ asks you to recognize and respond; CEH v13 helps you think like the attacker so the defensive answer makes more sense.

Pro Tip

When you miss a practice question, write down the exact reason. Was it a terminology gap, a domain confusion, or a scenario-reading problem? Fixing the cause matters more than memorizing the correct option.

What Mistakes Hurt Security+ Scores the Most?

The biggest mistake is memorizing tools without understanding when to use them. If you know what a firewall is but cannot tell when segmentation, a proxy, or a WAF is the better answer, you will miss scenario questions. Security+ domains reward judgment, not tool name recognition.

Another common mistake is confusing similar terms. Hashing and encryption are the classic pair, but there are many others: authentication versus authorization, risk versus vulnerability, preventive versus detective controls. Those terms look close, but the exam often uses the difference as the core of the question.

  • Rushing scenario questions causes candidates to miss critical clues like downtime, policy, or data sensitivity.
  • Ignoring governance topics leaves points on the table in policy and oversight questions.
  • Over-focusing on technical controls causes you to miss training, documentation, and compliance answers.
  • Skipping review means you repeat the same mistakes on the actual exam.

Another problem is picking a technically correct answer instead of the best answer. That distinction matters. A question may include two valid controls, but only one fits the scope, priority, or operational constraint in the scenario. That is why the exam domains must be studied as decision frameworks, not just lists of facts.

If you want a broader job-market view, the U.S. Bureau of Labor Statistics reports strong demand for information security analysts, which is one reason Security+ is so widely used as an early-career benchmark. The certification prep should match that reality: practical, structured, and focused on everyday decision-making.

Key Takeaway

  • Security+ exam domains are the fastest way to organize certification prep and focus on the right cybersecurity topics.
  • The exam measures both knowledge and application, so practice exams are essential for finding weak study focus areas.
  • General security concepts, threats and vulnerabilities, architecture, operations, and program management all appear in realistic scenarios.
  • Cross-domain topics like risk, segmentation, MFA, cryptography, and incident response show up repeatedly and deserve extra review.
  • The best answer on the exam is often the most defensible operational choice, not just the one that sounds technically correct.

Conclusion

Security+ exam domains are more than a study outline. They are the structure of the exam, the structure of the job, and the structure of practical cybersecurity thinking. When you understand what each domain is trying to measure, you stop guessing and start answering questions with intent.

Focused certification prep works because it turns broad cybersecurity topics into a manageable study plan. You review the key concepts that matter most, practice scenario questions, and go back to the weak spots until the logic becomes automatic. That is how strong candidates build confidence before exam day.

Use the domains to guide your study focus, use practice tests to expose gaps, and use real-world examples to make the material stick. If you are building your foundation for a cybersecurity career, Security+ is not the finish line. It is the platform you use to grow into more advanced roles, including the skills reinforced in ITU Online IT Training’s CEH v13 path.

CompTIA®, Security+™, A+™, and Network+™ are trademarks of CompTIA, Inc.

Frequently Asked Questions

What are the main domains covered in the Security+ exam?

The Security+ exam is structured around several core domains designed to assess a candidate’s broad cybersecurity knowledge. These typically include topics such as network security, threats and vulnerabilities, compliance and operational security, architecture and design, and cryptography. Each domain targets specific skills needed for entry-level cybersecurity roles.

Understanding the scope of each domain helps focus your study efforts effectively. For example, network security emphasizes securing communications and network devices, while threats and vulnerabilities cover how to identify and mitigate common cyber threats. Familiarity with these domains ensures a well-rounded preparation approach and improves your chances of passing the exam.

How should I prioritize my study focus for the Security+ exam?

Prioritizing your study focus involves understanding the weight of each domain on the exam. Typically, domains like threat management and network security have higher emphasis, so allocating more time to these areas can be beneficial. Use exam objectives and official study guides to identify the percentage of questions assigned to each topic.

Additionally, focus on practical understanding rather than memorization. Practice questions and real-world scenarios help reinforce key concepts across domains. Remember, success depends on your ability to apply knowledge, so prioritize areas where you feel less confident or have less hands-on experience.

What are common traps or pitfalls in Security+ exam questions?

Many candidates encounter traps related to wording or question phrasing, such as distractor options that seem plausible but are incorrect. Questions often test your understanding of concepts, not just memorized facts, so carefully read each question and all answer choices.

Common pitfalls include overlooking keywords that specify the context or scope, such as “best” or “most appropriate.” Be wary of options that are technically correct but don’t fully address the question’s intent. Practice with sample questions to recognize these traps and develop strategies to avoid them during the actual exam.

How can I effectively prepare for the Security+ exam domains?

Effective preparation involves a combination of studying official materials, hands-on practice, and exam-focused review. Use the official syllabus to guide your study plan, ensuring you cover all domains comprehensively. Supplement this with practical labs or simulations to understand real-world application of security concepts.

Additionally, taking practice exams helps identify weak areas and familiarizes you with the question format. Join study groups or online forums to discuss challenging topics and clarify doubts. Consistency and active engagement with the material are key to mastering the domains and passing the exam confidently.

What cybersecurity topics should I focus on within each Security+ domain?

Within each domain, focus on key topics such as types of cyber threats (malware, social engineering, etc.), security controls, and incident response procedures. For network security, understand protocols, firewalls, and VPNs. In threats and vulnerabilities, learn about common attack vectors and mitigation strategies.

For compliance and operational security, study regulations like GDPR or HIPAA, along with policies and procedures. In architecture and design, focus on secure network design principles and cloud security considerations. Cryptography topics include encryption methods, key management, and cryptographic protocols. Covering these topics thoroughly provides a solid foundation for the exam and practical cybersecurity roles.
