
CompTIA Security+: The Most Important Cert in IT Security

What CompTIA Security+ SY0-701 actually certifies, what changed in the current version, domain breakdown with applied operations content, and why it's the most important entry-level security certification.


Security+ is the most widely held security certification in the world — over 700,000 people hold it. That breadth is both its strength and the basis of the criticism it draws: it doesn't certify expertise in any specific security domain. What it certifies is foundational security competence: enough to function in an IT security role, enough to satisfy DoD 8570 compliance requirements, and enough to serve as a credible baseline for deeper specialization.

Understanding what Security+ actually validates — and what it doesn't — helps you decide whether it belongs in your certification plan and how to pass it efficiently.


What Makes Security+ Different

Security+ sits in a unique position: it's vendor-neutral (no Cisco, Microsoft, or AWS-specific content), it's recognized by the US Department of Defense as meeting the Baseline IAT Level II and CSSP Analyst requirements under Directive 8570, and it's the single most-mentioned entry-level security certification in general IT job postings.

The current version is SY0-701, launched November 2023.

Domain Weight
General Security Concepts 12%
Threats, Vulnerabilities, and Mitigations 22%
Security Architecture 18%
Security Operations 28%
Security Program Management and Oversight 20%

Security Operations at 28% is the largest domain and reflects a deliberate shift in the current version — SY0-701 is more operationally focused than its predecessors.


What Changed in SY0-701

The SY0-701 update in 2023 was more significant than typical minor revisions. Key shifts:

Added or expanded:

  • Zero trust architecture (now a distinct coverage area, not a passing mention)
  • Cloud security (IaaS/PaaS/SaaS security controls, cloud-specific threats)
  • Operational Technology (OT) and ICS/SCADA security
  • Artificial intelligence threats (deepfakes, AI-enhanced phishing, AI-based attacks)
  • Supply chain risk management at greater depth

Reduced or removed:

  • Some legacy cryptography concepts (older cipher modes)
  • Certain legacy network architecture topics

Candidates with SY0-601 materials need to download the SY0-701 exam objectives PDF and verify coverage. The AI-enhanced threats and OT/SCADA sections are gaps in all pre-2023 materials.


Domain 2: Threats, Vulnerabilities, and Mitigations (22%)

This domain is the heart of Security+ knowledge — and the area where candidates most commonly confuse similar terms.

Threat Actor Categories

Threat actor categories, with typical motivation and level of sophistication:

  • Nation-state: espionage, sabotage, influence; sophistication very high
  • Organized crime: financial; sophistication high
  • Hacktivism: ideology, political; sophistication variable
  • Insider threat: various (disgruntled, financial); sophistication variable, but already has access
  • Script kiddie: recognition, curiosity; sophistication low
  • Competitor: business advantage; sophistication variable

Nation-state vs APT: Advanced Persistent Threats (APTs) are long-term, targeted attacks — most associated with nation-state actors but not exclusively. The "persistent" means months or years of access, not a single intrusion.

Vulnerability Types

The exam tests specific vulnerability categories:

Application vulnerabilities:

  • SQL injection: untrusted input is concatenated into a SQL statement, so the database executes attacker-supplied SQL. Mitigation: parameterized queries, input validation.
  • XSS (Cross-Site Scripting): malicious scripts injected into web pages viewed by other users. Stored XSS (payload persists in the database and is served to later visitors) vs Reflected XSS (payload carried in a URL parameter and echoed back in the response).
  • CSRF (Cross-Site Request Forgery): forces authenticated user to execute unintended actions. Mitigation: CSRF tokens.
  • Buffer overflow: writes data beyond allocated memory buffer. Can enable code execution.
  • Race condition: behavior depends on timing of multiple operations — can be exploited when the timing isn't properly controlled.
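
To make the first mitigation for SQL injection concrete, here is an added example (not from this article or any exam material) using Python's built-in sqlite3 module: the same user lookup written once as string concatenation and once as a parameterized query, run against a constructed three-row table, plus an allowlist validator for the input's expected shape. The table, user names and test input are all constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with sample rows (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Deliberately unsafe: the untrusted value is spliced into the SQL text,
    # so a quote character in the input changes the statement's structure.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the driver passes the value separately from the statement,
    # so the input is only ever compared as data and never parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    # Input validation as defence in depth: allowlist of letters, digits and
    # underscore, 3-32 characters. This complements parameterized queries;
    # it does not replace them.
    return 3 <= len(username) <= 32 and username.replace("_", "").isalnum()


def demo() -> dict:
    conn = make_db()
    # Constructed test input: a quote that closes the string literal early.
    hostile = "nobody' OR '1'='1"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile)),        # 3: every row leaks
        "parameterized_rows": len(lookup_parameterized(conn, hostile)),  # 0: no such user
        "normal_rows": len(lookup_parameterized(conn, "alice")),         # 1
        "hostile_passes_validation": is_valid_username(hostile),         # False
    }
```

The only difference between the two lookups is whether the value travels inside the SQL text or beside it as a bound parameter; the second form never needs to know what characters the input contains.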

Zero-day: vulnerability unknown to the vendor, no patch available. High value in exploit markets.

CVE: Common Vulnerabilities and Exposures — the standardized identifier for publicly disclosed vulnerabilities. CVE-2021-44228 is Log4Shell. Candidates should know what CVE means, not memorize specific numbers.


Domain 3: Security Architecture (18%)

Architecture questions test whether you can select appropriate security controls for specific scenarios.

Defense in Depth

Network segmentation: dividing a network into zones with different trust levels and controlling traffic between them. DMZ (Demilitarized Zone) separates internet-facing servers from internal networks. Microsegmentation extends this inside the data center.

Zero trust architecture: no implicit trust based on network location. Every access request is authenticated and authorized regardless of whether it comes from inside or outside the network perimeter. Key principles:

  • Verify explicitly (authenticate and authorize every request)
  • Use least privilege access (minimum necessary permissions)
  • Assume breach (design systems assuming attackers are already inside)

Deception technologies:

  • Honeypot: decoy system that attracts attackers, records their activity
  • Honeynet: network of honeypots
  • Honeypot placement: should look valuable but contain no real assets

Cryptography

The exam tests cryptographic concepts at a conceptual level:

Symmetric vs asymmetric:

  • Symmetric (AES, 3DES): same key for encryption and decryption. Fast. Key distribution problem.
  • Asymmetric (RSA, ECC): public/private key pair. Solves key distribution. Slow — used to exchange symmetric session keys.
  • Hybrid approach: asymmetric to exchange keys, symmetric for bulk data (how TLS works)

Hashing: one-way function producing a fixed-length output from any input. Used for integrity verification, password storage (salted hashes), digital signatures. MD5 and SHA-1 are considered weak (collision vulnerabilities). SHA-256 and SHA-3 are current standards.

PKI and certificates: Certificate Authorities (CAs) issue digital certificates binding a public key to an identity. The exam tests the chain of trust, certificate revocation (CRL and OCSP), and common certificate types (DV, OV, EV, wildcard, SAN).
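
An added Python example, not from the article, showing the two hashing uses named above: integrity verification with SHA-256 and salted password storage with PBKDF2. The sample file contents, the password and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value for this example


def sha256_hex(data: bytes) -> str:
    # One-way, fixed-length (32-byte / 64 hex character) digest of any input.
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    # Integrity check: recompute the digest and compare in constant time.
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Salted, iterated hash for password storage. A fresh random salt per user
    # means identical passwords yield different stored values (defeating
    # precomputed tables); the iteration count slows down guessing.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    # Constructed sample data, not taken from any real system.
    original = b"allow_remote_admin = false\n"
    tampered = b"allow_remote_admin = true\n"
    reference = sha256_hex(original)  # recorded when the file was released or imaged
    salt, stored = hash_password("correct horse battery staple")
    _, stored_again = hash_password("correct horse battery staple")  # new random salt
    return {
        "digest_hex_len": len(reference),                                                # 64
        "original_passes": verify_integrity(original, reference),                        # True
        "tampered_passes": verify_integrity(tampered, reference),                        # False
        "right_password": check_password("correct horse battery staple", salt, stored),  # True
        "wrong_password": check_password("correct horse battery staple!", salt, stored), # False
        "same_password_same_stored_value": stored == stored_again,                       # False
    }
```

A one-byte change in the input produces an unrelated digest, which is what makes the integrity check useful; the salt and iteration count are what make the same primitive suitable for password storage.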


Domain 4: Security Operations (28%)

The largest domain tests operational security tasks — the work of security analysts and engineers in daily practice.

"SY0-701 shifted Security+ from a knowledge exam to an applied exam. The Security Operations domain doesn't ask 'what is an IDS?' — it asks 'a SOC analyst sees 50 failed login attempts from one IP followed by a successful login. What should they do?' That's applied incident response knowledge, not definition recall." — Jason Dion, CompTIA instructor and author

Incident Response

Incident response phases (NIST SP 800-61):

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

The exam tests which phase specific actions belong to. Isolating a compromised machine from the network is Containment. Running a forensic disk image is Detection and Analysis. Patching the vulnerability that enabled the breach is Eradication.

Evidence handling: chain of custody documentation, write blockers for disk imaging, hashing to verify integrity. The exam tests these concepts at a process level.
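
The scenario in the quotation above (a burst of failed logins from one source followed by a success) expressed as detection logic, an added Python example that is not part of the article: it parses constructed sshd-style log lines, keeps a sliding window of recent failures per source IP, and raises an alert when a successful login follows at least the threshold number of failures. The log format, the threshold, the time window and the IP addresses (from documentation ranges) are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed syslog-like sshd line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"] == "Accepted", m["user"], m["ip"]


def detect_bruteforce_then_success(lines, threshold=50, window=timedelta(minutes=10)):
    # Per source IP, remember failure timestamps inside the window; a success
    # arriving while the window holds >= threshold failures is the signal.
    recent_failures = defaultdict(deque)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, accepted, user, ip = rec
        q = recent_failures[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if not accepted:
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({
                "ip": ip, "user": user, "failures": len(q), "at": ts.isoformat(),
                # Containment comes first (see the phase mapping above), then analysis.
                "action": "treat as probable credential compromise: lock the account, "
                          "reset the credential, isolate the host, then investigate",
            })
            q.clear()
    return alerts


def build_sample_log() -> list:
    # Constructed log lines: one benign typo-then-success, then 50 failures
    # and a success from a single source within two minutes.
    base = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        f"{base.strftime(fmt)} sshd: Failed password for alice from 198.51.100.4 port 40000",
        f"{(base + timedelta(seconds=5)).strftime(fmt)} sshd: Accepted password for alice from 198.51.100.4 port 40001",
    ]
    for i in range(50):
        t = base + timedelta(seconds=10 + 2 * i)
        lines.append(f"{t.strftime(fmt)} sshd: Failed password for admin from 203.0.113.7 port {50000 + i}")
    t = base + timedelta(seconds=120)
    lines.append(f"{t.strftime(fmt)} sshd: Accepted password for admin from 203.0.113.7 port 50100")
    return lines
```

Run `detect_bruteforce_then_success(build_sample_log())` to get one alert for 203.0.113.7 and none for the single mistyped password from 198.51.100.4; raising the threshold or shrinking the window changes how aggressive the rule is, which is the tuning decision an analyst makes in a SIEM.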

Identity and Access Management

Authentication factors:

  • Something you know: password, PIN
  • Something you have: smart card, hardware token, phone (TOTP)
  • Something you are: biometrics (fingerprint, retina, facial recognition)
  • Somewhere you are: location-based (GPS, network location)

MFA: requires two or more different factor types. Password + SMS code = MFA (knowledge + possession). Two passwords = not MFA (same factor type).
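
An added example, not from the article, that implements the two checks above in Python: whether a set of presented credentials spans two or more factor types, and verification of a "something you have" TOTP code (RFC 6238, HMAC-SHA1, 30-second step) together with a salted password. The factor-type mapping, the PBKDF2 parameters and the test secret (the ASCII key from the RFC's own test vectors) are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct

# Assumed mapping of credential kind to factor category for this example.
FACTOR_TYPE = {
    "password": "knowledge", "pin": "knowledge",
    "totp": "possession", "smart_card": "possession", "sms_code": "possession",
    "fingerprint": "inherence", "face": "inherence",
}


def is_mfa(factors) -> bool:
    # MFA means two or more *different* factor types, not two credentials.
    return len({FACTOR_TYPE[f] for f in factors}) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # TOTP (RFC 6238): HOTP with the counter derived from the time step.
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    # Accept the current step and +-window neighbours to tolerate clock drift;
    # compare in constant time so timing does not leak partial matches.
    return any(
        hmac.compare_digest(totp(secret, unix_time + n * step, step), code)
        for n in range(-window, window + 1)
    )


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return hmac.compare_digest(candidate, stored)


def authenticate(password: str, code: str, salt: bytes, stored: bytes,
                 totp_secret: bytes, unix_time: int) -> bool:
    # Knowledge factor and possession factor must both verify.
    return verify_password(password, salt, stored) and verify_totp(totp_secret, code, unix_time)


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test-vector key (ASCII)
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", b"hunter2", salt, 200_000)  # constructed password
    return {
        "two_passwords_is_mfa": is_mfa(["password", "pin"]),          # False: same type
        "password_plus_totp_is_mfa": is_mfa(["password", "totp"]),    # True
        "code_at_t59": totp(secret, 59),                              # "287082"
        "login_ok": authenticate("hunter2", totp(secret, 59), salt, stored, secret, 59),
        "wrong_code": authenticate("hunter2", "000000", salt, stored, secret, 59),
    }
```

The RFC 6238 test vectors (key "12345678901234567890", SHA-1) give 94287082 at T=59, so the six-digit form is 287082; if the block reproduces that, the HOTP truncation is right. Note that a code is accepted for one step on either side of the current one, so the validity window is about 90 seconds, not 30.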

Privileged Access Management (PAM): controls access to privileged accounts. Just-in-time access, session recording, password vaulting. Reduces risk from insider threats and credential theft.

Single Sign-On (SSO): authenticate once, access multiple systems. SAML (Security Assertion Markup Language) is the protocol most commonly tested — enables SSO between different organizations' systems (federated identity).


Domain 5: Security Program Management and Oversight (20%)

This domain tests compliance, risk management, and governance frameworks.

Risk management fundamentals:

  • Risk = Threat × Vulnerability × Impact
  • Risk responses: Accept (tolerate), Avoid (eliminate activity), Transfer (insurance, contracts), Mitigate (reduce likelihood or impact)
  • Risk appetite: how much risk an organization is willing to accept
  • Residual risk: risk that remains after controls are applied

Compliance frameworks tested:

  • NIST CSF: voluntary framework for critical infrastructure cybersecurity
  • ISO 27001: international standard for information security management systems
  • PCI DSS: payment card industry data security standard (relevant for anyone handling credit card data)
  • HIPAA: US healthcare data privacy regulation
  • GDPR: EU data protection regulation

Privacy concepts: PII (Personally Identifiable Information), PHI (Protected Health Information), data minimization, data retention policies, right to be forgotten (GDPR).


Study Approach for SY0-701

The most efficient path: Jason Dion's Security+ course on Udemy or Professor Messer's free video course → CompTIA's free domain questions or Dion's practice exams → exam booking when consistently at 80%+.

What candidates underestimate: the breadth. Security+ covers threats, architecture, cryptography, compliance, incident response, and identity all in one exam. No single topic is deep, but the breadth creates gaps when candidates study some domains thoroughly and skim others.

Common failure pattern: strong on the technical content (threats, cryptography), weak on the governance and compliance content (risk management, frameworks, privacy). The Security Program Management domain at 20% is where technically-oriented candidates lose points.

Practice exam target: 80% on Dion or Professor Messer practice exams consistently before booking. Security+ passes at 750/900.


SY0-701 Domain Weights and What Changed

The SY0-701 exam is weighted differently from SY0-601. Understanding what shifted explains where to concentrate study time:

Weight by domain, SY0-601 → SY0-701:

  • Threats, Attacks, and Vulnerabilities: 24% → 22% (now Domain 2, Threats, Vulnerabilities, and Mitigations); slightly reduced
  • Architecture and Design: 21% → 18% (now Domain 3, Security Architecture); reduced
  • Implementation: 25% → absorbed into Security Operations; removed as a separate domain
  • Operations and Incident Response: 16% → 28% (now Domain 4, Security Operations); significantly increased
  • Governance, Risk, and Compliance: 14% → 20% (now Domain 5, Security Program Management and Oversight); increased
  • General Security Concepts: not in SY0-601 → 12% (new Domain 1); new domain

The most consequential change: Operations and Incident Response jumped from 16% to 28%. CompTIA explicitly shifted SY0-701 to emphasize applied security work over theoretical knowledge. This is reflected in question style — SY0-701 presents more scenarios and fewer definitional questions than SY0-601.

The "Security Program Management and Oversight" domain (20%) is where technically strong candidates most commonly lose points. This domain tests:

  • Risk management frameworks and calculation (quantitative vs qualitative risk analysis, ALE = SLE × ARO)
  • Regulatory compliance requirements (HIPAA, PCI DSS, GDPR, NIST CSF, ISO 27001)
  • Data classification schemes and governance policies
  • Third-party risk management and vendor assessment
  • Business continuity and disaster recovery planning concepts
  • Privacy regulations: GDPR rights (right to erasure, data portability), CCPA, PIPEDA
  • Security metrics and KPIs (MTTR, MTTD, MTTF, RTO, RPO)
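
A worked quantitative risk calculation in Python, an added example that is not from the article, covering the ALE = SLE × ARO formula in the list above together with the risk responses and residual risk from the Domain 5 summary earlier. The asset value, exposure factor, occurrence rates, control cost, risk appetite and the decision rule in choose_response are all assumptions made for the example.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    # SLE = asset value x exposure factor (fraction of the asset lost per incident)
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    # ALE = SLE x ARO (expected number of incidents per year)
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    # Positive: the control removes more expected loss per year than it costs.
    return ale_before - ale_after - annual_cost


def choose_response(ale_before: float, ale_after: float, annual_cost: float,
                    risk_appetite: float) -> str:
    # Assumed decision rule for this example: accept risk already inside the
    # appetite, mitigate when a control pays for itself, otherwise look at
    # transfer (insurance, contracts) or avoidance.
    if ale_before <= risk_appetite:
        return "accept"
    if control_net_benefit(ale_before, ale_after, annual_cost) > 0:
        return "mitigate"
    return "transfer or avoid"


def worked_example() -> dict:
    # Constructed figures: a $200,000 asset, a quarter of it lost per incident,
    # one incident every two years, and a $10,000/year control that cuts the
    # rate to one incident every twenty years.
    asset_value, exposure_factor = 200_000.0, 0.25
    aro_before, aro_after, control_cost = 0.5, 0.05, 10_000.0
    risk_appetite = 5_000.0
    sle = single_loss_expectancy(asset_value, exposure_factor)          # 50,000
    ale_before = annualized_loss_expectancy(sle, aro_before)           # 25,000
    residual = annualized_loss_expectancy(sle, aro_after)              # 2,500 after the control
    return {
        "sle": sle,
        "ale_before": ale_before,
        "residual_risk": residual,
        "net_benefit": control_net_benefit(ale_before, residual, control_cost),  # 12,500
        "response": choose_response(ale_before, residual, control_cost, risk_appetite),
    }
```

The residual figure is the risk that remains with the control in place; exam questions typically ask for one of these four numbers or for the response the arithmetic justifies.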

Candidates who focus only on the technical content and skim Domain 5 consistently report that governance questions are where they lost exam points. Budget Domain 5 a proportional 20% of your study time regardless of your technical background.


SY0-701 Specific Topic Areas by Domain

Domain 1: General Security Concepts (12%)

This domain is new in SY0-701 and covers foundational terms that were previously scattered across other domains:

  • Basic cryptographic concepts: symmetric vs asymmetric, hashing, PKI
  • Security controls by category: technical, managerial, operational, physical
  • Security controls by type: preventive, detective, corrective, deterrent, compensating
  • Authentication concepts: MFA factors, SSO protocols (SAML, OAuth, OIDC)
  • Non-repudiation and how digital signatures achieve it

Common failure point: candidates who studied SY0-601 may have these concepts spread across multiple domains. SY0-701 centralizes them in Domain 1 — make sure your study materials cover them explicitly.

Domain 2: Threats, Vulnerabilities, and Mitigations (22%)

Beyond the threat actor and vulnerability content covered earlier in this article, SY0-701 specifically tests:

  • Indicators of compromise (IOC) vs indicators of attack (IOA)
  • AI-enhanced attack techniques: deepfakes for social engineering, AI-generated phishing content
  • Supply chain attacks: SolarWinds-style, third-party library compromise (Log4Shell)
  • OT/ICS/SCADA environments: specific vulnerabilities of operational technology networks, why standard IT security tools don't apply directly

Domain 4: Security Operations (28%)

The largest domain covers the day-to-day work of security professionals:

  • Security alert triage and prioritization
  • Log analysis and SIEM usage concepts (not vendor-specific configuration)
  • Vulnerability scanning vs penetration testing (when to use each, who performs them)
  • Identity and access management operations: provisioning, deprovisioning, access reviews
  • Mobile device management (MDM) and BYOD security policies
  • Application security testing: SAST, DAST, SCA, and when each is appropriate

Security+ Salary Data by Role

Security+ is a floor credential that enables entry into security roles. Salary ranges for holders, broken down by common job function:

Ranges by role, given as entry (0-2 years) / mid (3-5 years) / experienced (6+ years):

  • Security analyst (SOC): $55,000-$75,000 / $80,000-$105,000 / $110,000-$140,000
  • Information security specialist: $60,000-$80,000 / $85,000-$110,000 / $115,000-$145,000
  • IT security administrator: $58,000-$78,000 / $82,000-$108,000 / $108,000-$138,000
  • Network security engineer: $65,000-$88,000 / $92,000-$120,000 / $125,000-$160,000
  • Security compliance analyst: $55,000-$72,000 / $78,000-$100,000 / $100,000-$130,000
  • Penetration tester (with Security+): $70,000-$95,000 / $100,000-$135,000 / $140,000-$175,000

These ranges reflect US national averages. Geographic premium applies in metropolitan areas: San Francisco, New York, Washington DC, and Seattle pay 20-35% above national averages. Government and defense contractor roles in the DC metro area are especially well compensated for Security+ holders due to DoD 8570/8140 compliance requirements.

Security+ alone is unlikely to drive top-of-range compensation — it's a qualification threshold. The actual salary driver is the experience and additional certifications layered on top of it. Security+ holders who add CySA+ or CCSP within two years of certification see significantly faster compensation growth than those who stop at Security+.


Employer Types That Require Security+

Security+ appears in job requirements for reasons that vary significantly by employer type:

US Federal Government and Contractors (DoD 8570/8140)

This is the highest-volume Security+ requirement. DoD Directive 8570 mandates that all personnel performing Information Assurance (IA) functions hold approved baseline certifications. Security+ satisfies the IAT Level II and CSSP Analyst baseline requirements. Any IT role at a defense contractor — Lockheed Martin, Raytheon, Booz Allen Hamilton, SAIC, Leidos, General Dynamics — that involves handling DoD information systems typically requires Security+. Federal agencies with security-sensitive IT roles (DoD, DHS, VA, NSA) have similar requirements.

Healthcare

HIPAA compliance requirements create demand for security-credentialed staff. Healthcare IT departments increasingly require Security+ for information security roles because it demonstrates baseline knowledge of privacy regulations and access controls without requiring deep technical specialization.

Financial Services

Banks, credit unions, and financial services firms subject to PCI DSS or SOX compliance use Security+ as a baseline filter for security operations roles. It's rarely sufficient alone — CISSP or CISM is expected at higher levels — but Security+ provides the entry threshold.

State and Local Government

Many state governments have adopted Security+ requirements for information security roles. Some state contracts with IT service providers also pass the requirement through to vendor staff.

Managed Security Service Providers (MSSPs)

MSSPs — organizations that provide outsourced security monitoring and response — commonly require Security+ for SOC analyst roles. It's the standard baseline credential for L1 and L2 SOC work.


Practice Exam Provider Comparison

Providers compared by cost, question count, whether the bank is updated for SY0-701, and quality:

  • Jason Dion (Udemy): $20-40; 500+ questions; updated for 701; excellent, closest to real exam difficulty and style
  • Professor Messer: $30-40; 300+ questions; updated for 701; good, matches the free video content
  • CompTIA official (CertMaster Practice): $99/year; 200+ questions; updated for 701; good, directly from the exam author, but expensive
  • Darril Gibson (Get Certified Get Ahead): $30-40; 400+ questions; updated for 701 (701 edition); good, detailed explanations and a solid foundation
  • Boson ExSim: $80-100; 500+ questions; updated for 701; very good, more difficult than the real exam

Recommendation: Dion's practice exams on Udemy (frequently on sale for $15-20) combined with Professor Messer's free video course covers both content delivery and exam-style question practice without high cost. Add Boson ExSim if you want harder questions to build margin.

Score target: 80% consistently before booking. Security+ passes at 750/900. Passing 80% on Dion's practice exams provides reasonable margin for the real exam. Candidates consistently scoring below 75% on practice should continue studying; candidates consistently at 85%+ are likely ready.


Why Security+ Is Required for Entry-Level Security Jobs

The DoD 8570 compliance requirement creates a baseline demand that makes Security+ essentially mandatory for government-adjacent security work. But why does it appear in private sector entry-level security roles as well?

The underlying reason is risk reduction in hiring. Security roles require trust — a candidate with Security+ has demonstrated at minimum that they know common threat types, basic cryptographic concepts, network security fundamentals, and compliance frameworks. The credential signals that a candidate won't introduce obvious errors from ignorance. For a manager hiring a SOC analyst who will access sensitive monitoring systems, Security+ provides evidence of intentional preparation.

It also creates a filterable signal. When 200 candidates apply for a security analyst role, requiring Security+ reduces the pool to candidates who made a deliberate career investment in security. This filtering effect benefits Security+ holders even when the exam content isn't directly tested on the job.

The practical result: entry-level security roles without Security+ listed in requirements often add a preference or implicit expectation. Candidates applying without it compete against candidates who have it, and hiring managers in a competitive market have an easy tie-breaker.


A focused 8-week study plan for candidates with general IT experience:

  1. Week 1, Domain 1 + Domain 2 fundamentals: Professor Messer videos + Microsoft Learn modules; complete knowledge checks
  2. Week 2, Domain 2 threats and vulnerabilities in depth: Dion videos; build a threat actor comparison chart
  3. Week 3, Domain 3 (Security Architecture): focus on cryptography, zero trust, network security architecture
  4. Week 4, Domain 4 (Security Operations) part 1: incident response phases; identity and access management
  5. Week 5, Domain 4 (Security Operations) part 2: vulnerability management; security tooling
  6. Week 6, Domain 5 (Security Program Management): risk frameworks, compliance requirements, privacy
  7. Week 7, full practice exams + gap review: two full timed practice exams; review every wrong answer
  8. Week 8, final review + exam booking: practice assessment at 80%+; book within this week

Candidates with no IT background: add 4 weeks before this schedule for foundational IT concepts. Security+ assumes basic understanding of networking, operating systems, and IT administration concepts. Without that foundation, the first two weeks of this plan are too compressed.

Candidates with Network+ or significant IT experience: this schedule can compress to 6 weeks with discipline. Domain 3 and Domain 4 content overlaps with Network+ security concepts, so you can move faster through familiar areas and spend more time on Domain 5 governance content.


References

  1. CompTIA. SY0-701 CompTIA Security+ Exam Objectives. CompTIA, 2023. https://www.comptia.org/certifications/security
  2. Dion, Jason. CompTIA Security+ (SY0-701) Complete Course and Practice Exam. Udemy, 2024. (Most popular Security+ preparation course, consistently updated)
  3. Messer, James. CompTIA SY0-701 Security+ Training Course. professormesser.com, 2024. (Free comprehensive video course matched to SY0-701 objectives)
  4. Chapple, Mike, and David Seidl. CompTIA Security+ Study Guide: Exam SY0-701. Sybex, 2024. ISBN: 978-1394211432. (Official CompTIA study guide)
  5. CompTIA. DoD 8570 Approved Baseline Certifications — Security+ IAT Level II. CompTIA, 2024. https://www.comptia.org/certifications/which-certification/should-i-get-comptia-security/security-dod-8570
  6. NIST. Computer Security Incident Handling Guide (SP 800-61). NIST, 2012. https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final (Core reference for incident response phases tested on Security+)

Frequently Asked Questions

Is CompTIA Security+ worth getting in 2024?

Yes, for three reasons: it's DoD 8570 approved (required for many government/defense IT roles), it appears in more entry-level security job postings than any other certification, and it provides a validated foundation before specializing into cloud security, penetration testing, or SOC operations.

What is the difference between SY0-701 and SY0-601?

SY0-701 (launched November 2023) added zero trust architecture as a distinct topic, cloud security controls, OT/ICS/SCADA security, AI-enhanced threat coverage, and deeper supply chain risk management. Security Operations was expanded to 28% of the exam. Candidates with SY0-601 materials have coverage gaps in these areas.

How long does Security+ preparation take?

Candidates with IT experience (A+, Network+, or similar work experience) typically need 8-10 weeks. Complete beginners need 14-18 weeks. The breadth of Security+ — covering threats, architecture, cryptography, incident response, identity, and compliance simultaneously — is the main challenge, not depth.

Does Security+ require A+ and Network+ first?

No. CompTIA recommends Network+ knowledge before Security+, but doesn't enforce it. Candidates with IT work experience often skip A+ and Network+ and go directly to Security+. The Security+ exam does assume basic networking knowledge (ports, protocols, TCP/IP), which Network+ covers formally.

What is the Security+ passing score and how many questions are on the exam?

750 out of 900. The exam has a maximum of 90 questions (multiple choice and performance-based) with a 90-minute time limit. Performance-based questions appear first and require simulated security tasks — budget 10-15 minutes for PBQs and manage the remaining time for multiple choice.